## https://sploitus.com/exploit?id=C6EB7E1A-A308-58FC-B1FF-95F63B890A34
Analysis of the CVE-2019-18634 (https://www.exploit-db.com/exploits/47995)
Sudo 1.8.25p - 'pwfeedback' Buffer Overflow (PoC)
Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting
their password. For each key press, an asterisk is printed. This option was added in
response to user confusion over how the standard Password: prompt disables the echoing
of key presses. While pwfeedback is not enabled by default in the upstream version of sudo,
some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.
Analysis
Sudo buffer overflow tryhackme writeup
Analysis of the CVE-2019-18634
First we log in to the tryhackme instance via SSH
The vulnerability happens because of the pwfeedback function being vulnerable to a heap buffer overflow, to exploit this vulnerability we first verify that the machine has the vulnerable version of sudo(sudo <1.8.26) present by running the sudo –version command
Analysis of the CVE-2019-18634
First we log in to the tryhackme instance via SSH
The vulnerability happens because of the pwfeedback function being vulnerable to a heap buffer overflow, to exploit this vulnerability we first verify that the machine has the vulnerable version of sudo(sudo <1.8.26) present by running the sudo –version command

confirm ing that the machine has a vulnerable version of sudo we now verify that owfeedback function is present, this can be done 2 ways, by invoking sudo and typing anything into the password prompt, which should display “*” as you type in characters for the password, and the second and more technical way of doing so is by using the sudo -l command, but this will also require the user to have proper permissions that allow them to view information regarding sudo or being able to concatenate the sudoers file

We will now confirm that a buffer overflow is possible by using the test case use on exploit-db
https://www.exploit-db.com/exploits/47995
perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
^^The line of code above goes as follows:
Add 100 A characters and pipe it into the sudo command which will then end up in the pwfeedback heap buffer.

Sudo will then spit out a segmentation fault as it is not sure how to continue the sudo process
This happens because once a static heap buffer is flooded, it will begin to flood CPU registers and the instruction pointer, which maintains the flow of the next instruction.
We can run the exploit, which will cause a buffer overflow and give us root access to the system
https://www.exploit-db.com/exploits/47995
