A backdoor for the penetration-testing phase of a certain competition

Copyright notice: if you repost, credit the source; not for commercial use! https://blog.csdn.net/qq_27180763/article/details/83888395

A backdoor implemented in Python + C

First, we simulate the VSFTPD 2.3.4 backdoor vulnerability. I won't go through the details of that vulnerability here.
The code follows directly below.

#!/usr/bin/env python3
# Fake "vsFTPd 2.3.4" login handler: a Python 3 port of the original script.
# A USER or PASS argument ending in ":)" mimics the real vsftpd 2.3.4 backdoor
# trigger; once triggered, the client's two inputs become argv[1]/argv[2] of
# the deliberately overflowable ./getflag binary whose source is shown to it.
from socket import *
import subprocess

HOST = ''
PORT = 21            # binding to 21 needs root (or CAP_NET_BIND_SERVICE)
BUFSIZE = 1024
ADDR = (HOST, PORT)

# Source of the getflag program (compiled separately into ./getflag). Kept as
# a raw literal so the "\n" escapes inside printf() reach the client intact;
# the original embedded it in a normal string, which turned them into real
# line breaks inside the C string literals. <string.h> and <stdlib.h> were
# also missing in the original.
C_SOURCE = rb"""#include <stdio.h>
#include <string.h>
#include <stdlib.h>

struct Student {
    char name[8];
    char birth[4];
};

int main(int argc, char *argv[]) {
    struct Student student;
    strcpy(student.birth, argv[1]);
    if (student.birth == "1926") {      /* compares addresses: never true */
        printf("You Cannot Born In 1926!\n");
        return 0;
    }
    strcpy(student.name, argv[2]);      /* unchecked copy: runs on into birth */
    if (strcmp(student.birth, "1926") == 0) {
        printf("THE FLAG INFO:\n");
        system("cat /root/flag.txt");
    } else {
        printf("YOUR ARE LOWER!!!\n");
    }
    return 0;
}
"""


def has_backdoor_marker(line):
    """True when the FTP argument ends in ':)', the vsftpd 2.3.4 trigger."""
    # The original checked line[-3:-1], which only worked with a bare "\n".
    return line.rstrip(b"\r\n").endswith(b":)")


def clean_arg(data):
    """Strip all whitespace, including the \\r\\n a real FTP client sends."""
    return b"".join(data.split())


SOCK = socket(AF_INET, SOCK_STREAM)
SOCK.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
SOCK.bind(ADDR)
SOCK.listen(10)

while True:
    tcpSock, addr = SOCK.accept()
    flag = 0         # reset per connection; the original leaked it across clients
    try:
        tcpSock.sendall(b"vsFTPD 2.3.4\r\n")

        username = tcpSock.recv(BUFSIZE)
        if not username.startswith(b"USER") or b" " not in username:
            tcpSock.sendall(b"500 OOPS:Login failed.\n")
            tcpSock.close()
            continue
        tcpSock.sendall(b"331 Please specify the password.\n")
        if has_backdoor_marker(username):
            flag = 1

        Password = tcpSock.recv(BUFSIZE)
        if not Password.startswith(b"PASS") or b" " not in Password:
            tcpSock.sendall(b"500 OOPS:Login failed.\n")
            tcpSock.close()
            continue
        if has_backdoor_marker(Password):
            flag = 1

        if flag == 1:
            tcpSock.sendall(b"\n\nplease read the c Code Underside!\n\n\n")
            tcpSock.sendall(C_SOURCE)
            tcpSock.sendall(b"\n\nPlease INPUT your birth!\n")
            birthday = clean_arg(tcpSock.recv(BUFSIZE))
            tcpSock.sendall(b"\n\nPlease INPUT your name!\n")
            name = clean_arg(tcpSock.recv(BUFSIZE))
            # Argument list instead of the original shell=True string: the two
            # inputs reach getflag as argv[1] and argv[2] and nothing else is
            # interpreted by a shell.
            p = subprocess.Popen([b"./getflag", birthday, name],
                                 stdout=subprocess.PIPE)
            out, err = p.communicate()
            info = b"".join(out.splitlines())
            tcpSock.sendall(b"result:\n")
            tcpSock.sendall(info)
        else:
            tcpSock.sendall(b"inside error,Your Can't Login this SYSTEM\n")
    except Exception:
        pass
    tcpSock.close()
SOCK.close()

The purpose of this script is to trigger the VSFTPD 2.3.4 "vulnerability" and then run a program that contains a buffer overflow. It collects the client's input on vsftpd's port 21 and passes it as command-line arguments to the C program.
The C program is what provides the remote control. Its full source is given in the code above.

I explained the principle behind the C program's vulnerability in an earlier blog post: the members of a struct are laid out contiguously in memory,
so the overflow can be done directly, with no need for any NOP instructions.
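As an added example (not code from the original post or the competition), the same struct layout with a bounds-checked replacement for getflag's two unchecked strcpy() calls; `birth_offset`, `SafeStudent` and `check_student` are names chosen here, and `SafeStudent` widens `birth` to five bytes because the page's four-byte field cannot hold "1926" plus its terminator at all:

```c
#include <stddef.h>
#include <string.h>

/* Layout used by the page's getflag program: birth directly follows name. */
struct Student {
    char name[8];
    char birth[4];
};

/* Hardened layout (assumed here): birth widened so a 4-digit year fits with
 * its NUL terminator; the page's 4-byte field cannot hold "1926" at all. */
struct SafeStudent {
    char name[8];
    char birth[5];
};

/* Returns 8: no padding follows name, so the 9th byte written to name is
 * birth[0]. This adjacency is why strcpy(name, argv[2]) can rewrite birth. */
size_t birth_offset(void) {
    return offsetof(struct Student, birth) - offsetof(struct Student, name);
}

/* Bounds-checked copy: refuse input that does not fit with its terminator. */
static int copy_field(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Fixed version of getflag's decision logic. Returns 1 if birth is "1926",
 * 0 otherwise, and -1 when either input is rejected. Compares contents with
 * strcmp; the original's `student.birth == "1926"` compared addresses and
 * was always false. */
int check_student(const char *birth, const char *name) {
    struct SafeStudent s;
    memset(&s, 0, sizeof s);
    if (copy_field(s.birth, sizeof s.birth, birth) != 0)
        return -1;
    if (copy_field(s.name, sizeof s.name, name) != 0)
        return -1;
    return strcmp(s.birth, "1926") == 0;
}
```

With the checked copy, an over-long name is rejected instead of spilling into birth, so the year can only come from argv[1].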

For the details you can also refer to my blog post here: https://blog.csdn.net/qq_27180763/article/details/83617196
