Win2000 Vulnerability (1) - Green Corps's articles, simply cool

zhaozj2021-02-08  259

Win2000 vulnerability (1)

Add time: 01-1-7 11:40:01

CPU overload on Windows 2000 remote server

Send a series of binary 0 characters that can reach any of Windows 2000, which may cause the Utilization of the CPU to 100%. Such a port package

These ports of the TCP have a port number of 7, 9, 21, 23, 7778 and UDP are 53, 67, 68, 135, 500, 1812, 1813, 2535, 3456.

Vulnerability of DOS operating system on Windows 2000 remote server

Remote access is controlled as a remote console as a remote console as a remote console as an operating platform. A remote attacker has sent a series of servers to the server.

Attacker code makes the server failure. After that, if the system continues to work, then a lot of attacks have caused remote servers.

Continuous restart until the frequency of restart exceeds the system's ability to afford, the system crashes.

In addition:

1.

If you have a normal user account, there is a very simple method to get NT Administrator account:

First rename the logon.scr under C: / Winnt / System32 to logon.old backup

Then rename usrmgr.exe to logon.scr

Then restart

Logon.scr is the program loaded at startup, after restarting, there will be no previous login password input interface, but the user manager

At this time, he has permission to add himself to the Administrator group.

Don't forget to change the file name!

2.

The following techniques apply to websites that do not pay attention to NT network security.

Some HTTP technology can also be given more advanced personnel

Entering the Win2K network can take the steps:

Because NT's IIS Server's FTP is generally allowed anonymous anonymous account to enter, some Anonymous accounts also have UPLOAD permissions, we will attack this

Class site. Because if an anonymous account is not allowed, it may cause a plain text password to transfer online. Use TCPSPY tools to intercept these passwords. Don't talk about this now

Comparative advanced technology.

Because it is allowed to set up the anonymous account FTP to log in, it also brings us a chance to break through NT Server. We log in with FTP a NT Server, ratio

Such as: xxx.xxx.xxx.xxx (sample name):

FTP xxx.xxx.xxx.xxx

Connected to xxx.xxx.xxx.xxx

220 2000SVR Microsoft FTP Service (Version 5.0).

2000svr This thing exposes its NetBIOS name, then in the background of IIS, there will be an iUser_2000svr user account, which belongs to the Domain User group.

We will use the authority of Administrator in this account.

User (xxx.xxx.xxx.xxx none): anonymous

331 Anonymous Access ALOWED, Send Identity (E-mail name) AS Password.

Password: Enter Guest @ or GUEST

For administrators lacking network security, many people do not disable guest accounts or have no passwords. Then the Guest account is an available positive

Indeed by the user account, although only Domain guest group

In this case we can enter the NT Server's FTP.

Now, start to find the cgi-bin directory (or scripts directory), after entering,

Put the cmd.execopy to CGI-BIN under Winnt to CGI-BIN.

Then enter: http://www.xxx.com/cgi-bin/getadmin.exe? IUSR_SATURN

After about more than ten seconds, the screen is displayed:

CGI Error

At this time, 90% may be: You have upgraded iuser_2000svr to Administrator, which is anyone who visits the web station is an administrator Windows 2000 buffer overflow gate.

I have read many articles about buffers overflow on the Internet. The vast majority of them are based on the * NIX operating system platform. Later, I was fortunate.

IPXODI's "Stack Overflow under Windows System" (already published in the Green League Network Security Monthly 2000 "Third? 谥 谥   銮 的 的 的

"Windows NT Buffer Overflow's from Start to Finish", benefited from a lot. During the translation of Mr. Jason's article, due to my machine installation

Windows 2000 Server, discovers the details slightly when debugging the original text. Therefore, the relevant source programs, dynamic link libraries, and offset provided herein are

I am debugging on my machine. (For different versions of dynamic link libraries, the programmer needs to be debugged.)

This article should be entry level. Although it is relatively simple, the buffer overflow under the Windows system has certain versatility. For example, stack overflow address

Determine, the search and use of the jump instruction, overflow the writing of the execution code, and so on. Just find that there is a program where the buffer overflow vulnerability is present under the Windows system, basics

You can attack the attack test through these steps. But as IPXODI is pointed out, because the version of the dynamic link library in Windows is updated quickly, be sure to program

The actual platform is commissioned. In the release of such security leaks?  婊蛞 绯 セ鞒 セ鞒 蚴 蚴    搿 ⑾ 称 称 教 投 投    投 姹 姹 姹 姹 姹 投 姹 投 姹 姹 姹 姹 姹 姹 姹 姹 姹 姹 姹 姹

Strict star    虮 虮 说 说 魇 鹄 鹄 鹄 芑 芑 嵬 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱 芾骱

Microsoft Visual C 6.0

Microsoft Windows 2000 Server (Chinese, internal version number: 2195)

- [debugging, testing process

First, write an application where there is a buffer overflow vulnerability. The program can read the content of the file so that we can make the content that is read by modifying the read file.

Program overflow. ;-) Create a new console application in the Visual C development environment, select "An Application That Supports MFC" and

Click Finish. (Note: In fact, it is not necessarily that the MFC application is not, it is just my own habit .;-))) Add to this application

Add some necessary code as follows:

CWINAPPPP;

Using namespace std;

Void overflow (char * buff);

Void Overflow (Char * BUFF)

{

CFILE FILE;

CfileException ER;

If (! file.open (_t ("overflow.txt"), cfile :: moderad, & er))

{

Er.ReportError ();

Return;

}

INT x = file.getlength ();

File.read (BUFF, X);

}

INT_Tmain (int Argc, tchar * argv [], tchar * envp [])

{

INT nretcode = 0;

// Initialize MFC and Print and Error On Failure

IF (! Afxwininit (:: getModuleHandle (Null), NULL, :: getcommandline (), 0))

{

// Todo: Change Error Code To Suit your Needs

CERR <<_T ("Fatal Error: MFC Initialization Failed) << Endl; Nretcode = 1;

}

Else

{

CHAR BUFF [10];

Overflow (BUFF);

}

Return nretcode;

}

Now let's analyze the above C code, find a vulnerability. This is an MFC console application, "main" function and other program

Some different, but the working mechanism is basically consistent. We mainly analyze the "else" code in this function. The first is the first line "char buff [10]", definition

A 10-character local variable. We all know that the memory space of local variables is assigned in the stack. (If you don't even know this, it is recommended not to

Continue to look down. :)) Then call the buff variable as the parameter to call the overflow function. Ok, let us analyze the Overflow function. First of all, one

CFILE object, then a cfileException object. Next, try to open the file "Overflow.txt" in the current directory by reading permissions. If you open

Success, put all the "谌 荻" of the file in the UFF array variable. Discover the problem? BUFF variables are only 10 characters long. If you read the contents of the file

What happens when the length is 100? Yes, "buffer overflow"! And the buffer overflows occurred in the stack. Can see in the latter test

When we use this vulnerability to do something! ;) Now let's create a text file "overflow.txt" and put it in this application's Project

Under contents.

Let us discuss the memory structure of Windows NT / 2000 before proceeding. Every process of NT / 2000 is allocated at startup 4GB

(0xFffffFFF) virtual memory. Some of these parts are actually shared by all processes, such as cores, and device driver areas. But they will be

Map to each process? Penang 刂 刂 刂 淅铩 导 导 厦 厦 厦   涞 涞 涞 涞 涞 涞 物 物 物 物 物 物 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内 内So every one

The process has its own 4GB virtual memory, and the address range is from 0x00000000 to 0xFffffFFF. Among them, 0x00000000-0x0000FFFF? Patient ULL pointer assignment

reserved. Accessing the area memory will result in an "illegal access" error. 0x00010000-0x7ffefff is a user's process space. The image of the EXE file is loaded.

(Start address 0x00400000), DLL (Dynamic Link Library) is also loaded to this? The code of H 绻鹯 LL or EXE is loaded into some places in this range.

The location can be executed. Access to this area has no code loaded in this area will result in an "illegal access" error. 0x7fff0000-0x7fffffff is a reserved area,

Any visits to this area will be guided by the lynger ǚ ǚ 省 省 寨? X80000000-0xFffffFF is only for operating system. Used to load device drivers and their

Its core class code. Accessing from user-level applications (Ring 3) will result in an "illegal access" error.

Now return to the "overflow.txt" file. Now we will constantly add characters to this text file until the system dialogue that the application is illegally accessed.

frame. Here, it is important to populate what character is important (the reason will be known). I chose lowercase letters "a"? The puncture of the talents is frightened

 挥 0 characters long, then fill 11 characters first. (Note: Compiling applications in DEBUG, otherwise the result may vary.) no response. We continue to fill characters ... until 18 characters apply to crash. But this crash is not much for us. Continue to fill! When the string length

At 24, the program is run and the pop-up dialog information is observed: "0x61616161" memory referenced by "0x61616161" instruction. This memory cannot be "

"I? I? 蠹 蠹 加  馈 馈? ω 蠹 蠹??? 所;;;;;;;;;; 安装

The button can debug the app. After entering the debugging environment, select the "View" menu - "Debug Windows" - "Registers"

Open the register window. If you are not in charge of compilation, it is recommended to make a pure-to-the-style T 诩 诩 诩 鞔 鞔 锘 绋 绋 绋 绋 绋 绋 绋 绋 绋

Rong. EIP is of course the most important. The content of the EIP is the process. 蛳蛳 剿   兄 畹 畹 刂 刂 ⒁ ⒁ 绋 绋 绋 绋 未 未 未 未 未 未 未 刂

About our buff variables are not far away. Next, we need to find out how the value of the ESP is processed.

转载请注明原文地址:https://www.9cbs.com/read-3098.html

New Post(0)