# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.

import sys

from . import RtaMetadata, common

metadata = RtaMetadata(
    uuid="da35cb80-dad9-4995-ac11-6a408843cd12",
    platforms=["linux", "macos"],
    endpoint=[
        {"rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "rule_id": "95718a3c-edc7-46ef-978b-77891ca6198f"},
    ],
    siem=[{"rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8"}],
    techniques=["T1068", "T1059"],
)


@common.requires_os(*metadata.platforms)
def main() -> None:
    common.log(
        "Executing command to simulate attempted use of a heap-based buffer overflow vulnerability for the "
        "Sudo binary in Unix-like systems(CVE-2021-3156)",
    )
    # The exploit reproduction is available
    # https://www.sudo.ws/security/advisories/unescape_overflow/
    # https://blog.aquasec.com/cve-2021-3156-sudo-vulnerability-allows-root-privileges

    masquerade = "/tmp/sudo"
    if common.CURRENT_OS == "macos":
        common.create_macos_masquerade(masquerade)
    else:
        source = common.get_path("bin", "linux.ditto_and_spawn")
        common.copy_file(source, masquerade)

    common.log("Launching fake xargs command to execute Sudo Heap-Based Buffer Overflow Attempt")
    common.execute([masquerade, "-s", "sudoedit", "*\\\\"], timeout=10, kill=True)

    # cleanup
    common.remove_file(masquerade)


if __name__ == "__main__":
    sys.exit(main())