2. Workstation
A vuln lab without the right environment is like fuzzing blind. To reproduce and exploit Baron Samedit reliably, we need a workstation tuned with the right binary + libc combo.
2.1. Target Stack
- GLIBC: 2.27
  - Glibc 2.27 is stable and widely used; we just need a library version that supports tcache (introduced in 2.26).
  - Though later glibc versions (≥ 2.32) introduce stricter heap integrity checks in tcache, they won't stop our exploit, so any later version is also a valid choice.
- Base OS: Ubuntu 18.04.6 LTS (x64)
  - Ships with glibc 2.27 out of the box.
  - Bundles sudo 1.8.21p2 by default (patched).
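As an added sanity check (not part of the original post), the shell functions below compare a host against the target stack listed above. The parsers take the text of `ldd --version` and `sudo --version` as strings so they can be exercised offline; only `check_workstation()` queries the live system. The "ok / usable / unsuitable" labels are my own classification, derived from the list: exactly glibc 2.27 with the stock sudo 1.8.21p2 is the reference setup, any tcache-capable glibc is still usable, and a pre-2.26 glibc is not.

```shell
# Added example, not from the original post: check the host against the
# target stack (glibc 2.27 on Ubuntu 18.04, stock sudo 1.8.21p2).

# "ldd (Ubuntu GLIBC 2.27-3ubuntu1.6) 2.27" -> "2.27" (first line only).
glibc_version_of() {
    printf '%s\n' "$1" | head -n1 | sed -n 's/.* \([0-9][0-9]*\.[0-9][0-9]*\)$/\1/p'
}

# "Sudo version 1.8.21p2" -> "1.8.21p2" (first line of `sudo --version`).
sudo_version_of() {
    printf '%s\n' "$1" | head -n1 | sed -n 's/^Sudo version \([0-9][0-9a-z.]*\).*/\1/p'
}

# Returns 0 when dotted version $1 >= $2 (numeric compare, up to 3 components).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)" = "$1" ]
}

# tcache appeared in glibc 2.26, so anything from 2.26 on qualifies.
has_tcache() { version_ge "$1" 2.26; }

# Classify a host from its glibc version and the version of the stock sudo
# (the system one, not the lab build): "ok" for the exact reference combo,
# "usable" when glibc has tcache but the combo differs, "unsuitable" otherwise.
classify_stack() {
    glibc=$1; stock_sudo=$2
    if [ "$glibc" = 2.27 ] && [ "$stock_sudo" = 1.8.21p2 ]; then
        echo ok
    elif has_tcache "$glibc"; then
        echo usable
    else
        echo unsuitable
    fi
}

# Live check against the running system (not exercised by the offline test).
check_workstation() {
    classify_stack "$(glibc_version_of "$(ldd --version 2>/dev/null)")" \
                   "$(sudo_version_of "$(sudo --version 2>/dev/null)")"
}
```

Running `check_workstation` after the lab build is also a cheap way to confirm that the system sudo is still the stock 1.8.21p2 and that the locally installed 1.9.5p1 has not been put ahead of it on `PATH`.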
2.2. OS Installation
Spin up a VM or a bare-metal machine with Ubuntu 18.04.6 LTS as the base.
My go-to pwn lab recipe:
```bash
# Fix apt source list (back up the old one; tee below writes the new one)
sudo mv /etc/apt/sources.list /etc/apt/sources.list.bak
# Patch with main Ubuntu archive
sudo tee /etc/apt/sources.list > /dev/null << 'EOF'
deb http://archive.ubuntu.com/ubuntu bionic main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu bionic-updates main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu bionic-security main restricted universe multiverse
EOF
# Update apt
sudo apt update
sudo apt clean
sudo apt update --fix-missing
sudo apt install -f
# Install essential tools
sudo apt install -y build-essential gdb git curl wget unzip tmux htop net-tools vim zsh \
    python3 python3-pip python3-venv python3-ipython \
    openssh-client openssh-server
# Install Rust
curl https://sh.rustup.rs -sSf | sh -s -- -y
source $HOME/.cargo/env
# Install required build tools
sudo apt install -y build-essential python3-dev libffi-dev libssl-dev
# Install setuptools-rust for pip to build bcrypt
pip3 install --upgrade pip setuptools setuptools-rust wheel
# Install Python pwn stuff
pip3 install pwntools ropper ROPGadget
# Ruby via rbenv (the init lines assume zsh is your shell; adjust for bash if not)
git clone https://github.com/rbenv/rbenv.git ~/.rbenv
cd ~/.rbenv && src/configure && make -C src
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' | tee -a ~/.zshrc
echo 'eval "$(rbenv init - zsh)"' | tee -a ~/.zshrc
source ~/.zshrc
git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
# Required dependencies
sudo apt install -y libyaml-dev libreadline-dev libncurses5-dev
# Install Ruby 3.2.2 (or newer)
rbenv install 3.2.2
rbenv global 3.2.2
# Install Ruby pwn stuff
gem install one_gadget seccomp-tools
# Pwndbg
mkdir -p ~/pwn && cd ~/pwn
git clone -b ubuntu18.04-final https://github.com/pwndbg/pwndbg.git
cd pwndbg
./setup.sh
# Install debug symbols for GDB
# Enable the ddebs repository
sudo apt install -y ubuntu-dbgsym-keyring
echo "deb http://ddebs.ubuntu.com bionic main restricted universe multiverse
deb http://ddebs.ubuntu.com bionic-updates main restricted universe multiverse" | \
    sudo tee /etc/apt/sources.list.d/ddebs.list
sudo apt update
# Install the glibc debug symbols
sudo apt install libc6-dbg
# AFLplusplus
mkdir -p ~/fuzz/tools && cd ~/fuzz/tools
# llvm15 for lto
wget https://apt.llvm.org/llvm.sh
sudo bash llvm.sh 15
sudo ln -s /usr/bin/llvm-config-15 /usr/local/bin/llvm-config
# AFL++
git clone https://github.com/AFLplusplus/AFLplusplus.git
cd AFLplusplus
# Install dependencies
sudo apt install -y ninja-build automake autoconf libtool libglib2.0-dev pkg-config gpg
git submodule update --init --recursive
# Install modern cmake (required by unicornafl)
wget -qO - https://apt.kitware.com/keys/kitware-archive-latest.asc | sudo gpg --dearmor -o /usr/share/keyrings/kitware-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/kitware-archive-keyring.gpg] https://apt.kitware.com/ubuntu/ bionic main' | sudo tee /etc/apt/sources.list.d/kitware.list
sudo apt update
sudo apt install -y cmake
# Compile
LLVM_CONFIG=llvm-config make distrib -j"$(nproc)"
# Fix unicornafl for afl-showmap, if that part of the build failed
cd ~/fuzz/tools/AFLplusplus/unicorn_mode
sudo python3 setup.py install --force
# System-wide install (run from the AFL++ top-level directory)
cd ~/fuzz/tools/AFLplusplus
sudo make install
```
2.3. Glibc Source
For deep heap analysis we want the exact Ubuntu-patched glibc 2.27. This avoids mismatches with GNU upstream and ensures our workstation mirrors what ships in Ubuntu 18.04.
Pull it straight from the Ubuntu source archive:
```bash
mkdir -p ~/source && cd ~/source
wget http://archive.ubuntu.com/ubuntu/pool/main/g/glibc/glibc_2.27-3ubuntu1.6.dsc
wget http://archive.ubuntu.com/ubuntu/pool/main/g/glibc/glibc_2.27.orig.tar.xz
wget http://archive.ubuntu.com/ubuntu/pool/main/g/glibc/glibc_2.27-3ubuntu1.6.debian.tar.xz
dpkg-source -x glibc_2.27-3ubuntu1.6.dsc
```
This is the exact glibc version for Ubuntu (slightly different from the GNU release one).
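The `.dsc` fetched above is what ties the two tarballs to the Ubuntu source package: its Checksums-Sha256 block lists the expected hash of each file. As an added example (not part of the original post), the shell below parses that block and checks the downloaded files against it. It assumes the standard `.dsc` layout (an indented `<sha256> <size> <name>` line per file under `Checksums-Sha256:`) and GNU coreutils `sha256sum`; the directory and file names in the comments are the post's. `dpkg-source -x` performs the same comparison itself, so this is mainly for tarballs that were mirrored or copied by hand.

```shell
# Added example, not from the original post: verify downloaded source tarballs
# against the SHA-256 checksums carried in the Debian/Ubuntu .dsc file.

# Print "<sha256>  <filename>" lines (sha256sum -c format) from the
# Checksums-Sha256 block of a .dsc. The block is a header line followed by
# indented " <hash> <size> <name>" lines and ends at the next unindented field
# (or at the PGP signature footer of a signed .dsc).
dsc_sha256_lines() {
    awk '
        /^Checksums-Sha256:/ { inblk = 1; next }
        /^[^ ]/              { inblk = 0 }
        inblk && NF == 3     { printf "%s  %s\n", $1, $3 }
    ' "$1"
}

# Check every file the .dsc lists, looking for them next to the .dsc itself.
# Returns 0 only if all are present and every hash matches; --strict also
# fails on malformed checksum lines, which catches a truncated .dsc.
verify_dsc_files() {
    dsc=$1
    dir=$(dirname "$dsc")
    dsc_sha256_lines "$dsc" | ( cd "$dir" && sha256sum -c --strict --quiet - )
}

# Usage (hypothetical, after the wget steps above):
#   verify_dsc_files ~/source/glibc_2.27-3ubuntu1.6.dsc && dpkg-source -x ~/source/glibc_2.27-3ubuntu1.6.dsc
```

Worth knowing: the sources.list written earlier has no `deb-src` lines, so the wget route bypasses apt's signed package index entirely. The checksum comparison only proves the tarballs match the `.dsc` you downloaded; trust in the `.dsc` itself rests on its OpenPGP signature, which `dpkg-source` warns about when it cannot verify.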
2.4. Compilation
Next, grab the target sudo release:
```bash
mkdir -p ~/source && cd ~/source
git clone https://github.com/sudo-project/sudo.git
# The checkout has to run inside the cloned tree
cd sudo && git checkout v1.9.5p1
```
I kept two copies: one pristine for code audits, one instrumented for fuzzing:
```bash
# cp -r needs the parent of the destination to exist
mkdir -p ~/fuzz/proj/sudo-1.9.5p1
cp -r ~/source/sudo ~/source/sudo-1.9.5p1
cp -r ~/source/sudo ~/fuzz/proj/sudo-1.9.5p1/src
```
Build the fuzzing target with a local install prefix:
```bash
cd ~/fuzz/proj/sudo-1.9.5p1/src
# Install into a local directory instead of the system paths
mkdir -p ~/fuzz/proj/sudo-1.9.5p1/install
./autogen.sh
./configure --prefix=$HOME/fuzz/proj/sudo-1.9.5p1/install --disable-shared
make -j$(nproc)
sudo make install
```
Gotcha: on some setups, compilation fails in logsrvd/Makefile.in because libsudo_util.la isn't linked. Fix it by adding the last line below at line 45 of that Makefile.in:

```make
LT_LIBS = $(top_builddir)/lib/iolog/libsudo_iolog.la \
	$(top_builddir)/lib/eventlog/libsudo_eventlog.la \
	$(top_builddir)/lib/logsrv/liblogsrv.la \
	$(top_builddir)/lib/util/libsudo_util.la
```
The added line, `$(top_builddir)/lib/util/libsudo_util.la`, is what makes it link in our environment.

Then re-run:

```bash
make clean && make -j$(nproc)
```
At this point you've got:
- A clean sudo-1.9.5p1 tree for static/dynamic audits.
- A fuzz-ready binary installed under ~/fuzz/proj/sudo-1.9.5p1/install.
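Because the fuzzing tree gets re-extracted and rebuilt often, the logsrvd/Makefile.in gotcha above is worth scripting. As an added example (not code from the post or from the sudo project), the function below applies that fix non-interactively and idempotently: it locates the `LT_LIBS` continuation block by content rather than by the line number quoted above, appends the libsudo_util.la entry after the last existing entry, and does nothing if the entry is already present. The path in the usage comment is the post's; the function names are mine.

```shell
# Added example, not from the original post: patch logsrvd/Makefile.in so the
# LT_LIBS block also links $(top_builddir)/lib/util/libsudo_util.la.

# Append libsudo_util.la to the LT_LIBS block if it is not already there.
# Returns 0 when the file is patched or already correct, 1 when no LT_LIBS
# block was found (wrong file, or an upstream layout this helper doesn't know).
patch_logsrvd_makefile() {
    mk=$1
    if grep -q 'lib/util/libsudo_util\.la' "$mk"; then
        return 0                                  # already patched
    fi
    grep -q '^LT_LIBS = ' "$mk" || return 1       # not the block we expect
    awk '
        # From "LT_LIBS = " onward, every line ending in "\" continues the
        # list; the first line without one is the last entry.
        /^LT_LIBS = /      { inblk = 1 }
        inblk && !/\\$/    {
            print $0 " \\"
            print "\t$(top_builddir)/lib/util/libsudo_util.la"
            inblk = 0
            next
        }
        { print }
    ' "$mk" > "$mk.tmp" && mv "$mk.tmp" "$mk"
}

# How many times the util library is referenced; exactly 1 after a good patch.
count_util_refs() {
    grep -c 'lib/util/libsudo_util\.la' "$1"
}

# Usage (hypothetical): run before the first make in the fuzzing tree.
#   patch_logsrvd_makefile ~/fuzz/proj/sudo-1.9.5p1/src/logsrvd/Makefile.in
```

Since the edit lands in Makefile.in rather than the generated Makefile, run it before `./configure` (or re-run configure afterwards) so the change is picked up by the rebuild.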