python + C 实现后门
首先是模拟VSFTPD2.3.4后门漏洞。漏洞具体情况就不在这里一一分析了==
下面直接上代码
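#!/usr/bin/env python
"""Simulated vsftpd 2.3.4 backdoor listener for a CTF lab.

Speaks just enough FTP to take a USER/PASS pair; when either line ends
with the ':)' trigger the client is shown the source of the deliberately
vulnerable ./getflag program and asked for the two arguments it takes.

All socket traffic is handled as bytes, so the script runs unchanged on
Python 2 and Python 3.  Clients are served one at a time.
"""
from socket import *
import re
import os
import subprocess

HOST = ''
PORT = 21
BUFSIZE = 1024
ADDR = (HOST, PORT)

BANNER = b"vsFTPD 2.3.4\r\n"
PASSWORD_PROMPT = b"331 Please specify the password.\n"
LOGIN_FAILED = b"500 OOPS:Login failed.\n"
NO_TRIGGER = b"inside error,Your Can't Login this SYSTEM\n"
TRIGGER = b':)'

# Source handed to a triggered client, byte-for-byte as the original sent it
# (the "\n" inside the printf literals is therefore a real newline).
GETFLAG_SOURCE = b'#include <stdio.h>\nstruct Student {\nchar name[8];\nchar birth[4];\n};\n\nint main(int argc,char* argv[]) {\nstruct Student student;\nstrcpy(student.birth,argv[1]);\nif (student.birth == "1926") {\nprintf("You Cannot Born In 1926!\n");\nreturn 0;\n}\nstrcpy(student.name,argv[2]);\nif (strcmp(student.birth,"1926")==0) {\nprintf("THE FLAG INFO:\n");\nsystem("cat /root/flag.txt");\n} else {\nprintf("YOUR ARE LOWER!!!\n");\n}\nreturn 0;\n}\n'


def _has_trigger(line):
    """Return True when bytes [-3:-1] of *line* are ':)'.

    The last byte is skipped on purpose so the client's trailing newline
    does not hide the trigger; a line without a newline is not matched.
    """
    return line[-3:-1] == TRIGGER


def _read_login_line(conn, verb, ack=None):
    """Read one line that must start with *verb* and contain a space.

    *ack* (the 331 prompt) is sent as soon as the verb matches, before the
    space check, which is the order the original server used.  Returns the
    raw line, or None after sending the 500 reply for a malformed line.
    An empty recv (peer closed) is treated as malformed.
    """
    line = conn.recv(BUFSIZE)
    if line.find(verb) != 0:
        conn.send(LOGIN_FAILED)
        return None
    if ack:
        conn.send(ack)
    if line.find(b" ") == -1:
        conn.send(LOGIN_FAILED)
        return None
    return line


def _run_getflag(conn):
    """Show the C source, collect birth and name, run ./getflag with them.

    Client text reaches ./getflag only as separate argv entries (no shell),
    so it cannot inject shell syntax; the overflow in ./getflag itself is
    the intended lab exercise.  Only the first output line is relayed.
    """
    conn.send(b"\n\nplease read the c Code Underside!\n\n\n")
    conn.send(GETFLAG_SOURCE)
    conn.send(b"\n\nPlease INPUT your birth!\n")
    birthday = conn.recv(BUFSIZE).replace(b"\n", b"").replace(b" ", b"")
    conn.send(b"\n\nPlease INPUT your name!\n")
    name = conn.recv(BUFSIZE).replace(b"\n", b"").replace(b" ", b"")
    proc = subprocess.Popen(["./getflag", birthday, name], stdout=subprocess.PIPE)
    try:
        info = proc.stdout.readline()
    finally:
        # release the pipe and reap the child so no zombie is left behind
        proc.stdout.close()
        proc.wait()
    conn.send(b"result:\n")
    conn.send(info)


def handle_client(conn):
    """Serve one connection on *conn*, then close it.

    The trigger flag is local to the session: the original kept it in a
    module global that was never reset, so once any client had triggered
    it every later client was unlocked regardless of what it sent.
    Any socket or subprocess error just ends the session (best effort),
    but KeyboardInterrupt is no longer swallowed, so Ctrl-C stops the server.
    """
    flag = 0
    try:
        conn.send(BANNER)
        username = _read_login_line(conn, b"USER", PASSWORD_PROMPT)
        if username is None:
            return
        if _has_trigger(username):
            flag = 1
        password = _read_login_line(conn, b"PASS")
        if password is None:
            return
        if _has_trigger(password):
            flag = 1
        if flag == 1:
            _run_getflag(conn)
        else:
            conn.send(NO_TRIGGER)
    except Exception:
        pass
    finally:
        conn.close()


def main():
    """Bind ADDR (all interfaces, port 21) and serve clients until interrupted."""
    server = socket(AF_INET, SOCK_STREAM)
    # allow an immediate restart while the previous socket is in TIME_WAIT
    server.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
    server.bind(ADDR)
    server.listen(10)
    try:
        while True:
            conn, addr = server.accept()
            handle_client(conn)
    finally:
        server.close()


if __name__ == "__main__":
    main()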
本段代码的作用是模拟 VSFTPD 2.3.4 后门的触发过程,然后运行带有缓冲区溢出的 C 代码:在 vsftpd 的 21 端口接收客户端数据,再将其作为参数传给 C 程序。
C程序的作用就是起到了一个远程控制的作用。具体代码文中已给出。
C程序漏洞原理我在之前的某博客中讲过,结构体的内存是相邻的。
所以可以直接溢出,也不需要什么NOP指令。