Webshell privilege escalation via the udev vulnerability - Vulnerability Alert - Heiba Security Net

2009-06-07T00:00:00
ID MYHACK58:62200923472
Type myhack58
Reporter Anonymous (佚名)
Modified 2009-06-07T00:00:00

Description

Source pixel buns

Many friends have kept reminding me to write a webshell + udev local root article. I had a little free time this weekend and looked into it. There are two public udev exploits: a shell version written by kcope, and a C version written by jon.

Running the shell version has a small problem: it clearly executes sh -c "chown root:root /tmp/suid; chmod +s /tmp/suid" as root, yet the owner of /tmp/suid is still vtune, and at that point the CPU load is very high. So when using this vulnerability, keep an eye on the system's CPU load.

Once you have confirmed that root access was obtained, kill it off.

[vtune@RHEL5 ~]$ killall sh
sh(1787): Operation not permitted
sh(1854): Operation not permitted
sh: no process killed

After repeated overflows you may still not get a root shell back. Don't be discouraged at this point; check whether the owner of /tmp/suid is root. If it is, run it directly and you get root.

[vtune@RHEL5 tmp]$ ls -l /tmp/suid
-rwsrwsr-x 1 root root 4945 Jun  6 16:14 /tmp/suid

The C version I could not get to work. I also tested on Gentoo, which the exploit's author had validated; whether on Red Hat or Gentoo, strace returns the following:

bind(3, {sa_family=AF_NETLINK, pid=10836, groups=00000000}, 12) = -1 EADDRINUSE (Address already in use)

I suspect the problem lies here.

Judging from the exploit code, the C version is better suited to privilege escalation from a webshell. Looking at jon's blog, it turns out he is a PhD, so I couldn't expect him to give me any pointers, and I went back to trying the shell version.

I set up a PHP shell in the virtual machine, then spawned a bind shell from it and tried a few times, and it succeeded... The after-effect is that the sh process pegs the CPU at 100%; killing that process restores things. So why are so many people saying a webshell can't successfully escalate privileges? -_-