☆ RUSERSPROC_NAMES相关通信报文 rusers服务会泄露所在主机上的在线用户信息。如果攻击者不调用RUSERSPROC_NAMES, 而是调用RUSERSPROC_ALLNAMES的话,还有可能泄露其他用户信息以及更多敏感信息。 -------------------------------------------------------------------------- UDP: ----- UDP Header ----- UDP: UDP: Source port = 34087 UDP: Destination port = 32774 UDP: Length = 48 UDP: Checksum = 04E6 (correct) UDP: [40 byte(s) of data] UDP: RPC: C XID=1305017869 PROG=Remote Users VERS=3 PROC=2(?) RPC: Transaction id = 1305017869 RPC: Type = 0 (Call) RPC: RPC version = 2 RPC: Program = 100002 (Remote Users), version = 3 RPC: Procedure = 2 (?) RPC: Credentials: authorization flavor = 0 (Null) RPC: [Credentials: 0 byte(s) of authorization data] RPC: Verifier: authorization flavor = 0 (Null) RPC: [Verifier: 0 byte(s) of authorization data] RPC: [0 bytes of data present] RPC: ADDR HEX ASCII 0020: 4d c8 fe 0d 00 00 | ...... 0030: 00 00 00 00 00 02 00 01 86 a2 00 00 00 03 00 00 | ................ 0040: 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0050: 00 00 | .. UDP: ----- UDP Header ----- UDP: UDP: Source port = 32774 UDP: Destination port = 34087 UDP: Length = 116 UDP: Checksum = 3184 (correct) UDP: [108 byte(s) of data] UDP: RPC: R XID=1305017869 (Reply to 11) RPC: Transaction id = 1305017869 RPC: Type = 1 (Reply) RPC: Status = 0 (Accepted) RPC: Verifier: authorization flavor = 0 (Null) RPC: [Verifier: 0 byte(s) of authorization data] RPC: Accept status = 0 (Success) RPC: [84 bytes of data present] RPC: ADDR HEX ASCII 0020: 4d c8 fe 0d 00 00 | ...... 0030: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0040: 00 00 00 00 00 02 00 00 00 04 72 6f 6f 74 00 00 | ..........root.. 0050: 00 05 70 74 73 2f 34 00 00 00 00 00 00 02 77 33 | ..pts/4.......w3 0060: 00 00 00 00 00 07 3c 08 a2 de 00 00 00 00 00 00 | ......<.⑥...... 0070: 00 03 73 63 7a 00 00 00 00 05 70 74 73 2f 33 00 | ..scz.....pts/3. 0080: 00 00 00 00 00 03 73 63 7a 00 00 00 00 07 3c 05 | ......scz.....<. 0090: dc 49 00 00 00 00 | ...... -------------------------------------------------------------------------- Sniffer Pro 4.70.564以及Ethereal 0.10.13均未对rusers协议解码,回头得像hume 那样写个Ethereal解码插件来干这件事,现在先手工解码如下: -------------------------------------------------------------------------- RUSERSPROC_NAMES响应报文 /* * 数组元素个数,网络字节序,2表示后面有两个rusers_utmp结构 */ 0x00, 0x00, 0x00, 0x02, // +0x000 utmp_array_len /* * ut_user: root */ 0x00, 0x00, 0x00, 0x04, // length: 4 0x72, 0x6F, 0x6F, 0x74, // contents: root /* * ut_line: pts/4 */ 0x00, 0x00, 0x00, 0x05, // length: 5 0x70, 0x74, 0x73, 0x2F, 0x34, // contents: pts/4 0x00, 0x00, 0x00, // fill bytes: opaque data /* * 该字段要求对齐在四字节边界上,前面有填充字节。 * * ut_host: w3 */ 0x00, 0x00, 0x00, 0x02, // length: 2 0x77, 0x33, // contents: w3 0x00, 0x00, // fill bytes: opaque data 0x00, 0x00, 0x00, 0x07, // ut_type: USER_PROCESS(7) /* * 自Unix纪元以来的秒数 */ 0x3C, 0x08, 0xA2, 0xDE, // ut_time: Sat Dec 1 17:29:02 2001 /* * 以分钟为单位 */ 0x00, 0x00, 0x00, 0x00, // ut_idle: 0(minutes) /* * ut_user: scz */ 0x00, 0x00, 0x00, 0x03, // length: 3 0x73, 0x63, 0x7A, // contents: scz 0x00, // fill bytes: opaque data /* * ut_line: pts/3 */ 0x00, 0x00, 0x00, 0x05, // length: 5 0x70, 0x74, 0x73, 0x2F, 0x33, // contents: pts/3 0x00, 0x00, 0x00, // fill bytes: opaque data /* * ut_host: scz */ 0x00, 0x00, 0x00, 0x03, // length: 3 0x73, 0x63, 0x7A, // contents: scz 0x00, // fill bytes: opaque data 0x00, 0x00, 0x00, 0x07, // ut_type: USER_PROCESS(7) /* * 用ctime()、ctime_r()将该值转换成可读形式 */ 0x3C, 0x05, 0xDC, 0x49, // ut_time: Thu Nov 29 14:57:13 2001 0x00, 0x00, 0x00, 0x00, // ut_idle: 0(minutes) -------------------------------------------------------------------------- RUSERSPROC_ALLNAMES响应报文的解码与RUSERSPROC_NAMES完全一样,不再手工演示。