{<br>
/* XXX: suffices? */<br>
if (kill(1, SIGCONT) < 0)<br>
return 0;<br>
return 1;<br>
}<p>
<br>
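/* Probe CAP_NET_BIND_SERVICE by binding a TCP socket to a port below 1024.
 * Returns 1 if the process may bind privileged ports, 0 otherwise (including
 * when no socket could be created). */
int try_bind(void)
{
    struct sockaddr_in sin;
    int r, fd = socket(PF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return 0;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(666);   /* any port below 1024 is privileged */

    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == 0) {
        r = 1;
    } else {
        /* On Linux the privileged-port capability check runs before the
         * address-in-use check, so EADDRINUSE means the check was passed;
         * every other failure is treated as "not capable". */
        r = (errno == EADDRINUSE);
    }

    close(fd);
    return r;
}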
/* Probe for CAP_NET_RAW: a raw IP socket can only be opened with it.
 * Returns 1 if the socket could be created, 0 otherwise. */
int try_net_raw()
{
    int fd = socket(PF_INET, SOCK_RAW, 0);
    int have = (fd >= 0);

    if (have)
        close(fd);
    return have;
}
<br>
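/* Probe CAP_SYS_NICE by lowering the nice value by one.
 * Returns 1 if nice(-1) succeeded, 0 otherwise.
 *
 * nice() returns the new nice value (glibc >= 2.2.4), which can legitimately
 * be -1, so success can only be told apart from failure through errno;
 * comparing the return value with 0 reported a false negative whenever the
 * process started at nice 0. */
int try_nice(void)
{
    int newval;

    errno = 0;
    newval = nice(-1);
    if (newval == -1 && errno != 0)
        return 0;

    /* Undo the change so the scanner itself does not keep the raised
     * priority; raising the nice value never needs a capability. */
    nice(1);
    return 1;
}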
<br>
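extern caddr_t create_module(const char *, size_t);

/* Probe CAP_SYS_MODULE via the legacy create_module()/delete_module()
 * syscalls.  Returns 1 if create_module() completed without setting errno,
 * 0 otherwise.  The result is taken right after create_module() so that the
 * cleanup call cannot mask it; on kernels that no longer provide these
 * syscalls create_module() typically fails (ENOSYS) and the probe reports
 * "not capable". */
int try_module(void)
{
    int created;

    errno = 0;
    create_module("adore", 1234);
    created = (errno == 0);
    /* Always attempt cleanup, whether or not the module was created. */
    delete_module("adore");
    return created;
}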
<br>
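/* Probe CAP_SYS_CHROOT by calling chroot() in a forked child so the scanner's
 * own root directory is never changed.  Returns 1 if the child reported a
 * successful chroot(), 0 otherwise (including fork()/wait() failure).
 *
 * The previous version did not check fork(); on failure it called wait()
 * with no child and then read the never-written status variable. */
int try_chroot(void)
{
    int status = 0;
    int child = fork();

    if (child < 0)
        return 0;

    if (child == 0) {
        /* _exit() avoids flushing stdio buffers inherited from the parent. */
        _exit(chroot("/tmp") == 0 ? 1 : 0);
    }

    if (wait(&status) < 0)
        return 0;

    /* Raw wait status: zero only if the child exited with 0, i.e. chroot()
     * failed.  A child killed by a signal also reads as nonzero here. */
    return status != 0;
}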
<br>
/* Probe used for CAP_SYS_RAWIO (see the caps table): try to open /dev/kmem
 * read-only.  Returns 1 if the open succeeded, 0 otherwise. */
int try_rawio()
{
    int fd = open("/dev/kmem", O_RDONLY);
    int have = (fd >= 0);

    if (have)
        close(fd);
    return have;
}
<br>
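/* Probe used for CAP_SYS_ADMIN (see the caps table): temporarily set the
 * hostname and restore it.  Returns 1 if sethostname() succeeded, 0 otherwise.
 *
 * gethostname() is now checked: if the current name cannot be read, the probe
 * stops rather than restoring an empty or garbage name afterwards. */
int try_admin(void)
{
    char saved[1024];

    memset(saved, 0, sizeof(saved));
    if (gethostname(saved, sizeof(saved) - 1) < 0)
        return 0;
    saved[sizeof(saved) - 1] = '\0';   /* guarantee termination for strlen() */

    if (sethostname("hola!", 5) < 0)
        return 0;

    /* Restore immediately; there is nothing useful to do if this fails. */
    sethostname(saved, strlen(saved));
    return 1;
}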
<br>
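/* Probe CAP_NET_ADMIN by taking the loopback interface down and bringing it
 * straight back up.  Returns 1 if the SIOCSIFFLAGS ioctl was accepted, 0
 * otherwise.
 *
 * The socket is closed on every path (the ioctl-failure returns used to leak
 * it) and the ifreq is zeroed before use.  Note that if the interface goes
 * down but the final "up" ioctl fails, lo is left down. */
int try_net_admin(void)
{
    int sock, r = 0;
    struct ifreq ifr;

    memset(&ifr, 0, sizeof(ifr));
    snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "lo");

    if ((sock = socket(PF_INET, SOCK_DGRAM, 0)) < 0)
        return 0;

    if (ioctl(sock, SIOCGIFFLAGS, &ifr) < 0)
        goto out;

    ifr.ifr_flags &= ~IFF_UP;
    if (ioctl(sock, SIOCSIFFLAGS, &ifr) < 0)
        goto out;

    ifr.ifr_flags |= IFF_UP;
    ioctl(sock, SIOCSIFFLAGS, &ifr);
    r = 1;

out:
    close(sock);
    return r;
}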
<br>
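/* Probe CAP_SYS_PTRACE by attaching to a short-lived child.  Returns 1 if
 * PTRACE_ATTACH succeeded, 0 otherwise (including fork() failure).
 *
 * fork() is checked before anything else: with child == -1 the old code
 * reached kill(-1, SIGKILL), which signals every process the caller may
 * signal. */
int try_ptrace(void)
{
    int child, r;

    if ((child = fork()) < 0)
        return 0;

    if (child == 0) {
        sleep(10);
        _exit(0);   /* no stdio flush of buffers inherited from the parent */
    }

    r = (ptrace(PTRACE_ATTACH, child, 0, 0) == 0);

    /* Tear the child down and reap it regardless of the probe result. */
    kill(child, SIGKILL);
    wait(NULL);
    return r;
}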
<br>
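/* Probe CAP_MKNOD by creating a character device node and removing it again.
 * Returns 1 if mknod() succeeded, 0 otherwise.
 *
 * The node is created inside a private mkdtemp() directory instead of at the
 * fixed path /tmp/fd0: a fixed name in a world-writable directory can be
 * pre-created or symlinked by another local user, and the old unconditional
 * unlink("/tmp/fd0") would then remove someone else's file. */
int try_mknod(void)
{
    char dir[] = "/tmp/capscan.XXXXXX";
    char path[sizeof(dir) + sizeof("/fd0")];
    int r;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof(path), "%s/fd0", dir);

    /* 2<<8 is the legacy dev_t encoding of major 2, minor 0 (/dev/fd0). */
    r = (mknod(path, 0600 | S_IFCHR, 2 << 8) == 0);

    unlink(path);
    rmdir(dir);
    return r;
}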
<br>
/* Capability table: `value` is the capability's bit number in the kernel
 * cap masks (matched by capable()), `name` is the label printed for it, and
 * `try` is an optional probe returning nonzero when the current process can
 * perform an action that needs the capability.  A NULL `try` means no probe
 * is implemented and brute_caps() skips the entry.  The entry with value -1
 * terminates the table. */
struct {
    int value;
    char *name;
    int (*try)();
} caps[] = {
    {0, "CAP_CHOWN", try_chown},
    {1, "CAP_DAC_OVERRIDE", NULL},
    {2, "CAP_DAC_READ_SEARCH", NULL},
    {3, "CAP_FOWNER", NULL},
    {4, "CAP_FSETID", NULL},
    {5, "CAP_KILL", try_kill},
    {6, "CAP_SETGID", try_setgid},
    {7, "CAP_SETUID", try_setuid},
    {8, "CAP_SETPCAP", NULL},
    {9, "CAP_LINUX_IMMUTABLE", NULL},
    {10, "CAP_NET_BIND_SERVICE", try_bind},
    {11, "CAP_NET_BROADCAST", NULL},
    {12, "CAP_NET_ADMIN", try_net_admin},
    {13, "CAP_NET_RAW", try_net_raw},
    {14, "CAP_IPC_LOCK", NULL},
    {15, "CAP_IPC_OWNER", NULL},
    {16, "CAP_SYS_MODULE", try_module},
    {17, "CAP_SYS_RAWIO", try_rawio},
    {18, "CAP_SYS_CHROOT", try_chroot},
    {19, "CAP_SYS_PTRACE", try_ptrace},
    {20, "CAP_SYS_PACCT", NULL},
    {21, "CAP_SYS_ADMIN", try_admin},
    {22, "CAP_SYS_BOOT", NULL},   /* no probe on purpose: the only test would reboot the box */
    {23, "CAP_SYS_NICE", try_nice},
    {24, "CAP_SYS_RESOURCE", NULL},
    {25, "CAP_SYS_TIME", NULL},
    {26, "CAP_SYS_TTY_CONFIG", NULL},
    {27, "CAP_MKNOD", try_mknod},
    {28, "CAP_LEASE", NULL},
    {-1, (void*)0}   /* terminator */
};
<br>
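/* if (capable(d.cap_effective, CAP_SYS_MODULE)
 * ...
 */
/* Test bit `flag` of the capability mask `cap`.  Returns 1 if the bit is
 * set, 0 if it is clear or `flag` is outside 0..31.
 *
 * The shift is done in unsigned arithmetic: `1 << 31` on a signed int is
 * undefined behaviour, and out-of-range shifts were undefined as well. */
int capable(int cap, int flag)
{
    if (flag < 0 || flag >= 32)
        return 0;
    return ((unsigned int)cap & (1u << flag)) != 0;
}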
<br>
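/* Print every capability present in `newset` but not in `oldset` to `f`,
 * one line each as "<tag> <bit> <NAME>". */
static void print_gained(FILE *f, const char *tag, unsigned int newset, unsigned int oldset)
{
    int i;

    for (i = 0; caps[i].value != -1; ++i) {
        if (capable(newset, caps[i].value) && !capable(oldset, caps[i].value))
            fprintf(f, "%s %d %s\n", tag, caps[i].value, caps[i].name);
    }
}

/* Report on the controlling tty which capabilities `new` holds beyond `old`:
 * the raw masks first, then the gained effective ("e"), inheritable ("i")
 * and, unless effective == permitted, permitted ("p") bits.  Separator lines
 * are written to stdout rather than the tty.
 * Returns 0 on success, -1 if an argument is NULL or /dev/tty cannot be
 * opened.  The tty is closed on every return path (the "no news" early
 * return used to leak it). */
int print_cap(cap_user_data_t new, cap_user_data_t old)
{
    FILE *f;

    if (!new || !old)
        return -1;

    f = fopen("/dev/tty", "w+");
    if (!f)
        return -1;

    fprintf(f, "nE %x nI %x nP %x\n"
               "oE %x oI %x oP %x\n\n",
            new->effective, new->inheritable, new->permitted,
            old->effective, old->inheritable, old->permitted);

    /* Print New's advanced (effective) caps over old ones */
    /* HACK! This is left here due to a private version of capcan */
    print_gained(f, "e", new->effective, old->effective);
    printf("\n");

    /* Print New's advanced (inheritable) caps over old ones */
    print_gained(f, "i", new->inheritable, old->inheritable);

    /* No news */
    if (new->effective == new->permitted) {
        fclose(f);
        return 0;
    }

    printf("\n");

    /* Print New's advanced permitted caps */
    print_gained(f, "p", new->permitted, old->permitted);

    fclose(f);
    return 0;
}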
/* Run every probe the caps table provides and print "b <bit> <NAME>" for each
 * capability whose probe reports success.  Entries without a probe are
 * skipped.  Always returns 0. */
int brute_caps()
{
    int i;

    for (i = 0; caps[i].value != -1; ++i) {
        if (!caps[i].try)
            continue;
        if (!caps[i].try())
            continue;
        printf("b %d %s\n", caps[i].value, caps[i].name);
    }
    return 0;
}
---------------------------------------------------------------------------------<br>
#capscan.c<br>
---------------------------------------------------------------------------------<br>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <dirent.h>
#include <fcntl.h>
#include "cap.h"
<br>
extern pid_t wait(int *);<p>
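/* Print `s` with the current errno description and terminate the process.
 * The exit status is the saved errno, or EXIT_FAILURE when errno is 0 so a
 * fatal path never reports success to the caller. */
void die(const char *s)
{
    int saved = errno;   /* perror() may itself modify errno */

    perror(s);
    exit(saved != 0 ? saved : EXIT_FAILURE);
}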
<br>
int main(int argc, char **argv)<br>
{<br>
cap_user_header h;<br>
cap_user_data d, we;<p>
h.version = _LINUX_CAPABILITY_VERSION;<br>
h.pid = 0;<p>
if (argc < 2) {<br>
fprintf(stderr, "Usage: %s [-w] [-b]\n", *argv);<br>
exit(1);<br>
}<p>
/* Just print the caps we have yet */<br>
if (argv[1][1] == 'w') {<br>
if (capget(&h, &we