more targets

[ctfpwner]

Do you mind sharing your approach to find the target? Or let me know how do you set the env with all the multiple backslashes before calling sudoedit? I understand the exploit, but I don't know how to set the env for multiple \ (I mean from C yes, but for manual gdb invocation not really). Thank you.

[blasty]

Finding target can't be trivially explained in a comment. I suggest reading this excellent writeup https://www.kalmarunionen.dk/writeups/sudo/ as it covers the same exploitation strategy as this exploit. As far as setting environment variables in gdb goes, you can use set env NAME VALUE in gdb. To set a env var FOO with a backslash in it you could do: set env FOO '\'. Also, you can start gdb with env -i gdb.. to start with an empty environment)

[wereii]

I have been using set exec-wrapper env -i 'K=V' so that I can have different env vars for gdb/target.

(I have been pondering the libnss overwrite for a while now, the writeup is exactly what I was looking for thx:)

[bl4ckh0l3z]

Finding target can't be trivially explained in a comment. I suggest reading this excellent writeup https://www.kalmarunionen.dk/writeups/sudo/ as it covers the same exploitation strategy as this exploit. As far as setting environment variables in gdb goes, you can use set env NAME VALUE in gdb. To set a env var FOO with a backslash in it you could do: set env FOO '\'. Also, you can start gdb with env -i gdb.. to start with an empty environment)

Not so easy...especially if tcache is not supported by the glibc version in use. Introduce fastbins abuse will be valuable and appreciated. Thanks in advance