Training session 10: Basic UNIX Exploits
Difficulty: Medium
Learn how to achieve simple exploits on UNIX-based systems
Creator: m101


In computer terms, an exploit is a process that can be followed to gain elevated privileges with guaranteed results. Under UNIX-based systems, 'root' is the highest level of access, with access to anything and everything a user logged into this account wishes. An exploit does not necessarily require this level of access though; it may just take you from a level of access like the world-readable access given by an httpd daemon to a standard shell account. In other words, you could go from only being able to look at the computer's web page to being able to traverse the file system and look at the administrator's hidden porn collection. In general, an exploit will either be used to gain access to the passwd and shadow files, or to directly gain a 'root' shell.

First, let's just examine how a simple exploit may work. Let's say we find a program in '/var/bin' called 'system', and by luck this program is SetUID root, which basically means that when you run the program your user is temporarily made root until the program has finished running. By examining the program a little further we find that it reads a config file '/var/bin/system.conf' and shows the contents in the options menu. By typing 'strings system' we find that there is indeed a string that directly refers to '/var/bin/system.conf', so we decide to exploit this. First we remove the config file with the following command: 'rm -rf /var/bin/system.conf'. Now that is done, we create a symbolic link to '/etc/passwd' to read the system passwords: 'ln -s /etc/passwd /var/bin/system.conf'. This creates the link. What the link does is basically refer anything that asks for '/var/bin/system.conf' to '/etc/passwd', so in theory when our program tries to load '/var/bin/system.conf' it will be redirected to '/etc/passwd' and show us the contents of that file. So now '/var/bin/system' is executed and sure enough we are shown the password hashes contained in '/etc/passwd'.

This is a very simple example, and reflects extremely poor programming on the part of the program's author. Similar exploits may occur though; for example, the program may call 'more' to show a text file during execution. Under 'more', a simple ';cat /etc/passwd' will execute 'cat /etc/passwd'.

IFS can be a very interesting tool. What it basically does is set what separates commands in the shell; usually just ';' and 'enter' are used, but this variable can be set. For example, with IFS set as default, '/bin/ls ; mail' will be broken down into two commands, '/bin/ls' and 'mail'. Now if IFS were instead set to '/', then the command would be split up into 'bin' and 'ls ; mail'. This can lead to some pretty useful implementations. If, for example, our program 'system' were to execute '/bin/ls' during its execution, then by typing 'export IFS="/"' IFS would be set to '/', and we could create a file in the current directory called 'bin', place some code in it to show us the passwd file, 'chmod 755 bin' to make it executable, and 'system' could be made to execute our commands as 'root'.

For simple exploits like these, it is normally possible to run 'strings file' to find out what the program may execute or do. A 'Race Condition' may come in handy if a program is made to check whether a file that is written to or read from is a symbolic link. Basically, by executing two programs at once, after the first program checks for the existence of the link, the other program is made to remove the file that would be used and link it to another file such as '/etc/passwd'. An example of this is:

/usr/bin/ps2 &
rm -rf /var/tmp2/ps2.tmp
ln -s /home/hacker/exploit /var/tmp2/ps2

This would execute '/usr/bin/ps2' and, while it is still running, remove its temp file and replace it with our own file.
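Both weaknesses above, a SetUID program trusting a path that may be a symlink and a program checking a file before using it, come down to the same defensive rule: refuse symlinks and judge the descriptor you actually hold. The following is an added example in C, not code from this page or from any real 'system' binary; open_config_safely and symlink_guard_selfcheck are names chosen here, and the self-check builds its own constructed file and link under /tmp.

```c
/* Added example: a hardened config open for a SetUID program. O_NOFOLLOW
 * refuses symlinks, and fstat() judges the descriptor actually held, so
 * there is no check-then-use window of the kind the race above abuses. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns a read-only fd, or -1 (errno set) if the file is refused. */
int open_config_safely(const char *path, uid_t trusted_owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;               /* a symlink fails here (ELOOP) */
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    /* Must be a regular file owned by the trusted uid and not
       group/world writable; decided on the fd, not on the path. */
    if (!S_ISREG(st.st_mode) || st.st_uid != trusted_owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Self-check with constructed data: in a fresh temp dir, create a real
 * config file and a symlink to it; return 1 only if the guard accepts
 * the file and rejects the link. */
int symlink_guard_selfcheck(void) {
    char dir[] = "/tmp/cfgchkXXXXXX", real[64], lnk[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(real, sizeof real, "%s/system.conf", dir);
    snprintf(lnk, sizeof lnk, "%s/link.conf", dir);
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) { rmdir(dir); return 0; }
    close(fd);
    int ok = 0;
    if (symlink(real, lnk) == 0) {
        int a = open_config_safely(real, geteuid());
        int b = open_config_safely(lnk, geteuid());
        ok = (a >= 0) && (b < 0);
        if (a >= 0) close(a);
        unlink(lnk);
    }
    unlink(real);
    rmdir(dir);
    return ok;
}
```

A real SetUID program would additionally drop privileges with setuid() before reading anything on a user's behalf; the descriptor check alone only closes the symlink and race paths shown on this page.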

A symbolic link can also be turned into a 'Denial of Service', most of the time with little effort. An example of this with 'Xfree 3.1.2' is:

cd /tmp
rm -f /tmp/.tX0-lock
ln -s /dev/hd0 /tmp/.tX0-lock
startx

This would make 'X' write data directly over the raw data on hard drive 0. Although I strongly condemn the use of things such as 'DoS' or 'DDoS' attacks, in the case of a retaliation to a prior attack on your own system, it may be useful.

There are many more types of exploits out there; these are just the simpler ones. I will later deal with basic Buffer Overflow attacks, the more prominent attacks these days...