Printable View
env TERM='`cp /bin/sh /tmp/sh;chown root /tmp/sh;chmod 4755/tmp/sh`' change-pass
What in the world does this command mean? it would be great if someone could break down each little thing like for example the '` part for example, just decrypt the whole line to lamens terms please, thanks !
-xposed
your enviormental variable TERM is now set to first cp /bin/sh then chownership so that root -owns /tmp/sh and then runs change-pass as the user root,
Looks like something copied from an exploit
how does that gain you root access?
I only tinker in *nix, but it looks like that is described here.
I think the basic idea is that the TERM variable is set to a string of commands which are then executed when the script is run. Because the script has SUID status, the script has the permissions of the script owner, not the script user, therefore the attacker runs those commands as root...
Yep, it's code from an exploit. This is usually a method that crackers resort to when the buffer they are trying to overflow isn't big enough to hole the code that they want to execute. Instead of passing the code to the buffer you run the code straight from an environment variable. The catch is that, for this to work, you need to have an account on the box before you can try this so you can read/set environment variables. So basically it's used to elevate privilidges.
hi ...some body can helpme ? i wann learn about take over channel and i wann try with my chennl.thanks
Idiot Alert.Quote:
Originally posted here by antioperator
hi ...some body can helpme ? i wann learn about take over channel and i wann try with my chennl.thanks
The thing that throws me there is the "chmod 4755" chmod lets you change ownership of files it should be something like this right? chmod 777 777 777 which is total ownership.
No, the chmod command uses octal notation (when used with numbers). So chmod 777 is full access, chmod 700 is full access to owner and no access to group and others and so on. The first digit is for owner, the second for group and the third for others. Hope that clears things up.
Cheers,
cgkanchi
O ya thats right <badmonkey slaps the **** out of himself> now I remember.
Thanks cgkanchi! :)
And talking about the SUID (and GUID?) bit would take a whole thread in and of itself...
Ok, in my above post, I never really explained what this little hack actaully does. So here's the explaination:Quote:
env TERM='`cp /bin/sh /tmp/sh;chown root /tmp/sh;chmod 4755/tmp/sh`' change-pass
What in the world does this command mean? it would be great if someone could break down each little thing like for example the '` part for example, just decrypt the whole line to lamens terms please, thanks !
If we had a setuid script called change-pass with the source code.It could be exploited with the line:Code:#!/bin/csh -b
set user = $1
passwd $user
env TERM='`cp /bin/sh /tmp/sh;chown root /tmp/sh;chmod 4755/tmp/sh`' change-pass
This is because C shell scripts are vulnerable to environment variable "exploits". The TERM environment variable tells the application/script that is about to be run what type of console the user is using (usually xterm or vt100). This variable is passed to all subshells of the user's shell.
The `` quotes are commonly used in scripting languages to execute system commands. For example:would store the listing of the current directory in the variable $ls.Code:$ls = `ls`;
The '' quotes just let you set an environment variable to a string that contains spaces. If you don't use the single quotes, the environment variable will get "chopped off" after the first space.
So the above line will actually execute the system command:
cp /bin/sh /tmp/sh;chown root /tmp/sh;chmod 4755/tmp/sh
This is actually several *nix commands put on the same line. A semicolon acts like a newline character. So what we're actually doing is the commands:
cp /bin/sh /tmp/sh # copies the sh binary to /tmp
chown root /tmp/sh # changes the owner of the /tmp/sh binary to root
chmod 4755/tmp/sh # sets the /tmp/sh binary's permissions to executable + setuid
Then we run the passwd command via the dodgy C shell script. Because we don't give $1 a value, passwd defaults to superuser. You should now be prompted to change the root password. Bingo, the box has been owned.
Note: This exploit also assumes that the user has full access to chown and chmod.
Thx Terr,
for the link... That was educational. As simple as it (now) seems to be, I never would have thought of it... I tried slight variations of this on my BSD box and the system wouldn't let me use the chown or chmod for files that my "testdummy" logon had no business changing, so I'm cool... for now NEway...
It is kind of freaky that SUID shell scripts can be used to change passwd like that (or any other file for that matter)... Definately something to be aware of.
Peace
Rev