Open Lussien opened 3 years ago
I had a look into this (Debian 9, sudo 1.8.19p1, standard default installation).
Putting a breakpoint in `__libc_dlopen_mode` reveals the execution of `libnss_compat`, `libnss_nis` and `libnss_files`.
`libnss_systemd` doesn't seem to be loaded.
Searching in the heap for `systemd` after hitting the first breakpoint reports zero findings.
Apparently we can overflow the heap only after the loading of the 3 aforementioned libs, so I think this exploit strategy isn't really doable on Debian 9, but take my words with a grain of salt.
Maybe in some configurations it does indeed load `libnss_systemd`.
Hi, testing in my lab with a Debian 9 stretch, the bruteforce does not seem to be working correctly.
Sudo version 1.8.19p1
Sudoers policy plugin version 1.8.19p1
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.19p1
libc version 2.24-11+deb9u4
Tried with "brute.sh 90 120 50 70 150 300" and also other ranges, without success. Is anybody able to make this work for Debian 9?
Thanks a lot.