5.html

介绍linux下文件和设备编程

return 0;<br>
memset(&amp;sin, 0, sizeof(sin));<br>
sin.sin_family = AF_INET;<br>
sin.sin_port = htons(666);<p>
if (bind(fd, (struct sockaddr*)&amp;sin, sizeof(sin)) &lt; 0)<br>
r = 0;<br>
else<br>
r = 1;<p>
close(fd);<br>
return r;<br>
}<p>
int try_net_raw()<br>
{<br>
int fd = socket(PF_INET, SOCK_RAW, 0);<p>
if (fd &gt;= 0) {<br>
close(fd);<br>
return 1;<br>
}<br>
return 0;<br>
}<p>
<br>
int try_nice()<br>
{<br>
return (nice(-1) == 0);<br>
}<p>
<br>
extern caddr_t create_module(const char *, size_t);<p>
int try_module()<br>
{<br>
errno = 0;<br>
create_module(&quot;adore&quot;, 1234);<br>
delete_module(&quot;adore&quot;);<br>
return (errno == 0);<br>
}<p>
<br>
int try_chroot()<br>
{<br>
int r;<br>
if (fork() == 0) {<br>
if (chroot(&quot;/tmp&quot;) &lt; 0)<br>
exit(0);<br>
else<br>
exit(1);<br>
}<br>
wait(&amp;r);<br>
return r != 0;<br>
}<p>
<br>
int try_rawio()<br>
{<br>
int fd = open(&quot;/dev/kmem&quot;, O_RDONLY);<br>
if (fd &lt; 0)<br>
return 0;<br>
close(fd);<br>
return 1;<br>
}<p>
<br>
int try_admin()<br>
{<br>
char h[1024];<br>
memset(h, 0, sizeof(h));<br>
gethostname(h, sizeof(h));<br>
if (sethostname(&quot;hola!&quot;, 5) &lt; 0)<br>
return 0;<br>
sethostname(h, strlen(h));<br>
return 1;<br>
}<p>
<br>
int try_net_admin()<br>
{<br>
int sock;<br>
struct ifreq ifr;<p>
strcpy(ifr.ifr_name, &quot;lo&quot;);<p>
if ((sock = socket(PF_INET, SOCK_DGRAM, 0)) &lt; 0)<br>
return 0;<p>
if (ioctl(sock, SIOCGIFFLAGS, &amp;ifr) &lt; 0)<br>
return 0;<p>
ifr.ifr_flags &amp;= ~IFF_UP;<br>
if (ioctl(sock, SIOCSIFFLAGS, &amp;ifr) &lt; 0)<br>
return 0;<p>
ifr.ifr_flags |= IFF_UP;<br>
ioctl(sock, SIOCSIFFLAGS, &amp;ifr);<br>
close(sock);<br>
return 1;<br>
}<p>
<br>
int try_ptrace()<br>
{<br>
int child, r = 0;<p>
if ((child = fork()) == 0) {<br>
sleep(10);<br>
exit(0);<br>
}<br>
if (ptrace(PTRACE_ATTACH, child, 0, 0) &lt; 0)<br>
r = 0;<br>
else<br>
r = 1;<br>
kill(child, SIGKILL);<br>
wait(NULL);<br>
return r;<br>
}<p>
<br>
int try_mknod()<br>
{<br>
unlink(&quot;/tmp/fd0&quot;);<br>
if (mknod(&quot;/tmp/fd0&quot;, 0600|S_IFCHR, 2&lt;&lt;8) &lt; 0)<br>
return 0;<br>
unlink(&quot;/tmp/fd0&quot;);<br>
return 1;<br>
}<p>
<br>
struct {<br>
int value;<br>
char *name;<br>
int (*try)();<br>
} caps[] = {<br>
{0, &quot;CAP_CHOWN&quot;, try_chown},<br>
{1, &quot;CAP_DAC_OVERRIDE&quot;, NULL},<br>
{2, &quot;CAP_DAC_READ_SEARCH&quot;, NULL},<br>
{3, &quot;CAP_FOWNER&quot;, NULL},<br>
{4, &quot;CAP_FSETID&quot;, NULL},<br>
{5, &quot;CAP_KILL&quot;, try_kill},<br>
{6, &quot;CAP_SETGID&quot;, try_setgid},<br>
{7, &quot;CAP_SETUID&quot;, try_setuid},<br>
{8, &quot;CAP_SETPCAP&quot;, NULL},<br>
{9, &quot;CAP_LINUX_IMMUTABLE&quot;, NULL},<br>
{10, &quot;CAP_NET_BIND_SERVICE&quot;, try_bind},<br>
{11, &quot;CAP_NET_BROADCAST&quot;, NULL},<br>
{12, &quot;CAP_NET_ADMIN&quot;, try_net_admin},<br>
{13, &quot;CAP_NET_RAW&quot;, try_net_raw},<br>
{14, &quot;CAP_IPC_LOCK&quot;, NULL},<br>
{15, &quot;CAP_IPC_OWNER&quot;, NULL},<br>
{16, &quot;CAP_SYS_MODULE&quot;, try_module},<br>
{17, &quot;CAP_SYS_RAWIO&quot;, try_rawio},<br>
{18, &quot;CAP_SYS_CHROOT&quot;, try_chroot},<br>
{19, &quot;CAP_SYS_PTRACE&quot;, try_ptrace},<br>
{20, &quot;CAP_SYS_PACCT&quot;, NULL},<br>
{21, &quot;CAP_SYS_ADMIN&quot;, try_admin},<br>
{22, &quot;CAP_SYS_BOOT&quot;, NULL},//haha :&gt;<br>
{23, &quot;CAP_SYS_NICE&quot;, try_nice},<br>
{24, &quot;CAP_SYS_RESOURCE&quot;, NULL},<br>
{25, &quot;CAP_SYS_TIME&quot;, NULL},<br>
{26, &quot;CAP_SYS_TTY_CONFIG&quot;, NULL},<br>
{27, &quot;CAP_MKNOD&quot;, try_mknod},<br>
{28, &quot;CAP_LEASE&quot;, NULL},<br>
{-1, (void*)0}<br>
};<p>
<br>
/* if (capable(d.cap_effective, CAP_SYS_MODULE)<br>
* ...<br>
*/<br>
int capable(int cap, int flag)<br>
{<br>
return (cap &amp; (1&lt;&lt;flag));<br>
}<p>
<br>
int print_cap(cap_user_data_t new, cap_user_data_t old)<br>
{<br>
int i = 0;<br>
FILE *f;<p>
if (!new || !old)<br>
return -1;<p>
f = fopen(&quot;/dev/tty&quot;, &quot;w+&quot;);<br>
if (!f)<br>
return -1;<p>
fprintf(f, &quot;nE %x nI %x nP %x\n&quot;<br>
&quot;oE %x oI %x oP %x\n\n&quot;,<br>
new-&gt;effective, new-&gt;inheritable, new-&gt;permitted,<br>
old-&gt;effective, old-&gt;inheritable, old-&gt;permitted);<p>
<br>
/* Print New's advanced (effective) caps over old ones */<br>
/* HACK! This is left here due to a private version of capcan */<br>
for (i = 0; caps[i].value != -1; ++i) {<br>
if (capable(new-&gt;effective, caps[i].value) &amp;&amp;<br>
!capable(old-&gt;effective, caps[i].value))<br>
fprintf(f, &quot;e %d %s\n&quot;, caps[i].value, caps[i].name);<br>
}<p>
printf(&quot;\n&quot;);<p>
/* Print New's advanced (inhertiable) caps over old ones */<br>
for (i = 0; caps[i].value != -1; ++i) {<br>
if (capable(new-&gt;inheritable, caps[i].value) &amp;&amp;<br>
!capable(old-&gt;inheritable, caps[i].value))<br>
fprintf(f, &quot;i %d %s\n&quot;, caps[i].value, caps[i].name);<br>
}<p>
<br>
/* No news */<br>
if (new-&gt;effective == new-&gt;permitted)<br>
return 0;<p>
printf(&quot;\n&quot;);<p>
/* Print New's advanced permitted caps */<br>
for (i = 0; caps[i].value != -1; ++i) {<br>
if (capable(new-&gt;permitted, caps[i].value) &amp;&amp;<br>
!capable(old-&gt;permitted, caps[i].value))<br>
fprintf(f, &quot;p %d %s\n&quot;, caps[i].value, caps[i].name);<br>
}<p>
fclose(f);<br>
return 0;<br>
}<p>
int brute_caps()<br>
{<br>
int i = 0;<p>
for (; caps[i].value != -1; ++i) {<br>
if (caps[i].try) {<br>
if (caps[i].try()) {<br>
printf(&quot;b %d %s\n&quot;, caps[i].value,<br>
caps[i].name);<br>
}<br>
}<br>
}<br>
return 0;<br>
}<br>
---------------------------------------------------------------------------------<br>
#capscan.c<br>
---------------------------------------------------------------------------------<br>
#include &lt;stdio.h&gt;<br>
#include &lt;errno.h&gt;<br>
#include &lt;sys/types.h&gt;<br>
#include &lt;string.h&gt;<br>
#include &lt;unistd.h&gt;<br>
#include &lt;sys/stat.h&gt;<br>
#include &lt;dirent.h&gt;<br>
#include &lt;fcntl.h&gt;<br>
#include &quot;cap.h&quot;<p>
<br>
extern pid_t wait(int *);<p>
void die(const char *s)<br>
{<br>
perror(s);<br>
exit(errno);<br>
}<p>
<br>
int main(int argc, char **argv)<br>
{<br>
cap_user_header h;<br>
cap_user_data d, we;<p>
h.version = _LINUX_CAPABILITY_VERSION;<br>
h.pid = 0;<p>
if (argc &lt; 2) {<br>
fprintf(stderr, &quot;Usage: %s [-w] [-b]\n&quot;, *argv);<br>
exit(1);<br>
}<p>
/* Just print the caps we have yet */<br>
if (argv[1][1] == 'w') {<br>
if (capget(&amp;h, &amp;we) &lt; 0)<br>
die(&quot;capget&quot;);<p>
memset(&amp;d, 0, sizeof(d));<br>
print_cap(&amp;we, &amp;d);<p>
} else if (argv[1][1] == 'b') {<br>
brute_caps();<br>
}<br>
return 0;<br>
}<br>



<center><A HREF="#Content">[目录]</A></center>
<hr><br><A NAME="I713" ID="I713"></A><center><b><font size=+2>原理分析</font></b></center><br>
　　随着Internet上的Linux主机的增加，越来越多的安全漏洞在当前的GNU/Linux系统上发现。你也许在Internet上听说过在Linux下发现Bug，它会导致系统很容易的被黑客攻击。<p>
　　因为Linux是一个开放源代码的系统，漏洞很容易发现，并且也会很快的有补丁出来。但是当漏洞没有公布的时候，并且管理员很懒，没有去打补丁。黑客就会很容易的攻击这个系统，取得root权限，在现有的GNU/Linux下，他就可以做任何他想做的事情。现在你可以问，我们现在到底可以做些什么呢？<p>
1、现在的GNU/Linux错误在哪里？<p>
　　超级用户会滥用职权，他能够做所有他要做的事情。作为root。他会改变所有的东西。<br>
　　许多系统文件很容易被更改。这些文件可能是很重要的文件，如/bin/login，如果一个黑客进入，他可以上传一个login程序来覆