Shellcode as the payload of a buffer overflow (or other) vulnerability executed as root?

When I use shellcode such as the ones provided here* as payload to some vulnerable program, how is the shell executed as root? I am asking how the privileges are elevated to root. The shellcode doesn't seem to call setuid or anything to change user.

* http://www.tenouk.com/Bufferoverflowc/Bufferoverflow5.html
Those examples include the following:

So they're using the setreuid(2) syscall, which sets both the real and effective user IDs of the process:
In order to execute shellcode you need a vulnerability like a buffer overflow. The shellcode has all of the rights of the running process. So if you exploit a binary that is setuid root like the passwd command, or one otherwise running as root such as the cupsd daemon process, then the attacker will have root access. The kernel can also suffer from a buffer overflow, and root access can be obtained this way as well.
First you need to give the program root privileges (use chown and chmod as root), and you need setreuid() in your payload. That would give you root if you can exploit the program as another user.
Of course, if your vuln program has an owner root and your shellcode has a setuid(0) syscall, you can execute /bin/sh as root.
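As an added example (not from this thread or from the tenouk page): the reason the setreuid(2) call in the first answer and the setuid(0) call in the last answer succeed is that a setuid-root program which has only lowered its effective uid, for instance with seteuid(getuid()), still holds 0 in its saved set-user-ID, so the kernel lets injected code restore it. The C program below, which assumes Linux, contrasts that weak drop with a permanent drop via setresuid(2), verifies the result with getresuid(2), and then checks whether the same setreuid(0,0) the shellcode issues is still accepted. The uid 65534 used when it is started as root is an assumed "nobody" id.

```c
#define _GNU_SOURCE /* getresuid/setresuid are Linux extensions */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes so the block still compiles if unistd.h was pulled in
 * before _GNU_SOURCE took effect. Same signatures as glibc's. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* 1 if any of real/effective/saved uid is 0, 0 otherwise, -1 on error.
 * The saved uid is what a "temporary" drop leaves behind for shellcode. */
int holds_root(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == 0 || e == 0 || s == 0) ? 1 : 0;
}

/* Weak pattern: only the effective uid changes; the saved uid keeps the
 * original (root) value, so setreuid(0,0) or setuid(0) later succeeds. */
int drop_temporarily(uid_t target)
{
    return seteuid(target);
}

/* Robust pattern: real, effective and saved uid all become target, so no
 * privileged id is left for setreuid(0,0)/setuid(0) to restore.
 * Returns 0 only after the kernel confirms all three ids equal target. */
int drop_permanently(uid_t target)
{
    uid_t r, e, s;
    if (setresuid(target, target, target) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == target && e == target && s == target) ? 0 : -1;
}

/* Issues the same setreuid(0,0) the shellcode on the page uses.
 * Returns 1 if the kernel accepted it, 0 if it refused (EPERM). */
int regain_root_succeeds(void)
{
    if (setreuid(0, 0) == 0 && geteuid() == 0)
        return 1;
    return 0;
}

int main(void)
{
    /* 65534 is an assumed "nobody" uid; unprivileged runs just keep their own uid. */
    uid_t unprivileged = (getuid() == 0) ? 65534 : getuid();

    printf("start: uid=%u euid=%u holds_root=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), holds_root());

    if (geteuid() == 0) {
        /* Only visible when started as root or via a setuid-root copy. */
        drop_temporarily(unprivileged);
        printf("after seteuid(%u): holds_root=%d setreuid(0,0) accepted=%d\n",
               (unsigned)unprivileged, holds_root(), regain_root_succeeds());
    }

    if (drop_permanently(unprivileged) != 0) {
        perror("setresuid");
        return 1;
    }
    printf("after setresuid(%u): holds_root=%d setreuid(0,0) accepted=%d\n",
           (unsigned)unprivileged, holds_root(), regain_root_succeeds());
    return 0;
}
```

Run as an ordinary user it simply confirms that setreuid(0,0) is refused; started as root (or as a setuid-root copy) it shows that after seteuid() the process still holds root and the shellcode's call is accepted, while after setresuid() it is refused. Dropping all three ids early, before any untrusted input is parsed, is the mitigation the answers above imply: the shellcode can only use the rights the process still has.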