Linux local privilege escalation

Local privilege escalation in Linux

1.1 What is local privilege escalation?

Local privilege escalation means that an attacker, working inside the context of a process to which they already have file access, uses that process's permissions to raise their own privileges. This kind of attack usually takes place in processes that run with higher privileges, for example as the root user.


1.2 How local privilege escalation works

Local privilege escalation works by using inter-process information passing to inject the attacker's code into the target process and thereby take control of it. This kind of attack usually takes advantage of the program's runtime environment, for example system calls and library functions.

1.3 Local privilege escalation methods

Common local privilege escalation methods include:

Using the C library functions setuid and setgid to change privileges;

Using system calls such as open, read and write to inject code;

Using dynamic library loading to inject code;


Using shared memory to inject code.

EXP (Execute and Read) exploitation

2.1 What is EXP?

EXP is an attack technique based on Linux kernel vulnerabilities: it executes malicious code and reads the memory of the affected process in order to gain control of the system. EXP takes advantage of a design flaw in the Linux kernel whereby certain system calls allow any process to execute arbitrary code.

2.2 How EXP exploitation works

EXP exploitation relies on the EXP (Execute and Read) vulnerability in the Linux kernel: by sending specially crafted system call parameters, the attacker makes the target process execute malicious code. Once that code runs successfully, the attacker can use the target process's privileges to carry out further operations.

2.3 EXP exploitation methods

Common EXP exploitation methods include:


Crafting special system call parameters so that the target process executes malicious code;

Adding a backdoor to the malicious code so that the target process stays under control in later attacks;

Using the target process's memory space to store sensitive data for later attacks.

Example analysis

3.1 Example 1: using setuid and setgid for local privilege escalation

```c
/* Header set used by the example; the program body did not survive on this page. */
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <errno.h>
#include <sys/user.h>
#include <sys/reg.h>
#include <linux/seccomp.h>
#include <sys/capability.h>   /* provided by libcap */
#include <sys/prctl.h>
#include <sys/xattr.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <ifaddrs.h>
#include <netinet/tcp.h>
#include <signal.h>
#include <ulimit.h>
#include <locale.h>
#include <dirent.h>
#include <pwd.h>
#include <grp.h>

/* file descriptor for current working directory, see fcntl(2);
 * <fcntl.h> already defines it, so only fall back to the literal if missing */
#ifndef AT_FDCWD
#define AT_FDCWD (-100)
#endif
```
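As an added example that is not part of the original article, the C program below shows how the setuid() and setgid() calls named in section 1.3 actually behave: a process whose effective uid is not 0 that asks for uid 0 is refused by the kernel with EPERM, while a process that already holds privileges uses the same calls, in gid-then-uid order, to drop to a target identity and then verifies that the drop took effect. All function and enum names are the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Outcome of an identity change attempt. */
enum id_result { ID_OK = 0, ID_DENIED = 1, ID_ERROR = 2 };

/* Switch to gid then uid. Order matters: once the uid is unprivileged,
 * a later setgid() would itself be refused by the kernel. */
enum id_result try_switch_identity(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return errno == EPERM ? ID_DENIED : ID_ERROR;
    return ID_OK;
}

/* Real and effective ids must both match; a mismatch is a partial drop. */
int identity_is(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Drop to an identity and confirm it stuck before doing any real work. */
enum id_result drop_and_verify(uid_t uid, gid_t gid)
{
    enum id_result r = try_switch_identity(uid, gid);
    if (r != ID_OK)
        return r;
    return identity_is(uid, gid) ? ID_OK : ID_ERROR;
}

int main(void)
{
    uid_t me = getuid();
    gid_t grp = getgid();
    printf("uid=%u euid=%u gid=%u\n", (unsigned)me, (unsigned)geteuid(), (unsigned)grp);
    /* setuid(0) is not an escalation primitive: without euid 0 (or
     * CAP_SETUID) the kernel answers EPERM and nothing changes. */
    if (geteuid() != 0)
        printf("setuid(0) as a normal user: %s\n",
               try_switch_identity(0, 0) == ID_DENIED ? "denied (EPERM)" : "unexpected");
    /* Dropping to the caller's own ids always succeeds; a privileged
     * helper does this before touching untrusted input. */
    if (drop_and_verify(me, grp) == ID_OK)
        printf("dropped to uid=%u gid=%u and verified\n", (unsigned)me, (unsigned)grp);
    return 0;
}
```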

Original article by 酷盾叔; if reposting, please cite the source: https://www.kdun.com/ask/115605.html
