As a learning exercise, I'm trying to find a weakness in the following code snippet to gain access as the executable owner.

    setresuid(geteuid(), geteuid(), geteuid());
    system("/usr/bin/id");

FWIW, I cannot see any. I know setresuid() will set the file owner as the UID, but I cannot change the owner to anyone but myself. I tried to redirect the id command by redirecting the path, but since it uses a full path, that move does not work.

It is possible to take advantage of an obscure (and now compromise) issue related to the use of signals.
- Under Linux 2.6 and later, setresuid() may fail if the process is running with an RLIMIT_NPROC (that is, a limit on the number of processes, as defined by ulimit -n) such that there would be too many processes under the target UID if the setresuid() succeeded. However, under Linux 3.1 and later, a failing setresuid() sets a flag on the process such that a later execve() call will fail. Once setresuid() has failed, system() is therefore stopped from running on any modern Linux.
- Unless some larger context has been omitted, it may be possible to set environment variables (e.g., LD_PRELOAD) which cause code to be inserted into /usr/bin/id. These variables are ignored for setuid executables, but they will not be ignored for the executable launched by a setuid executable, as happens here.

If you are on a weak system (Linux 2.6 to 3.0), then you may be able to take advantage of this by setting the environment variable together with the setresuid() behavior, so that /usr/bin/id runs the user-specified code as root.
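A hardened form of the snippet from the question, as an added example that is not code from the original post: it verifies that setresuid() actually took effect and starts /usr/bin/id through execve() with a fixed environment instead of system(). The names set_uids_checked and run_clean and the PATH value are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Prototypes repeated so the file builds even where _GNU_SOURCE is not in effect. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Switch all three UIDs to `target`; return 0 only if the change is verified. */
int set_uids_checked(uid_t target)
{
    uid_t r, e, s;
    if (setresuid(target, target, target) != 0)
        return -1;                      /* e.g. a failure under RLIMIT_NPROC */
    if (getresuid(&r, &e, &s) != 0 || r != target || e != target || s != target)
        return -1;
    return 0;
}

/* Run `path` with a fixed environment so LD_PRELOAD and similar variables
 * from the caller never reach the child. Returns the exit status, or -1. */
int run_clean(const char *path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const argv[] = { "id", NULL };
    if (set_uids_checked(geteuid()) != 0) {
        perror("setresuid");
        return EXIT_FAILURE;            /* never continue with unexpected UIDs */
    }
    return run_clean("/usr/bin/id", argv) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```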