Learn how to achieve simple exploits on UNIX-based systems
Creator: m0

In computer terms, an exploit is a process that can be followed to gain elevated privileges with guaranteed results. Under UNIX-based systems "root" is the highest level of access: a user logged into this account can read, write or run anything on the machine. An exploit does not necessarily require this level of access though; it may just take you from a level of access such as the world-readable access given out by an httpd daemon to a standard shell account. In other words, you could go from only being able to look at the computer's web page to being able to traverse the file system and look at the administrator's hidden porn collection. In general an exploit will either be used to gain access to the passwd and shadow files, or to directly gain a "root" shell.

Firstly, let's just examine how a simple exploit may work. Let's say we find a program in "/var/bin" called "system", and by luck this program is SetUID root, which basically means that whoever runs it, the process runs with root's effective user ID until the program has finished. Examining the program a little further, we find that it reads a config file, "/var/bin/system.conf", and shows the contents in its options menu. By typing "strings system" we find that there is indeed a string that directly refers to "/var/bin/system.conf", so we decide to exploit this. (The one prerequisite is that we are able to replace that file: either the file itself or the directory it lives in must be writable by us.) First we remove the config file with the following command:

    rm -f /var/bin/system.conf

Now that is done, we create a symbolic link to "/etc/passwd" to read the system passwords. On a system that keeps the hashes in the shadow file, "/etc/passwd" is world-readable anyway and the link should point at "/etc/shadow" instead:

    ln -s /etc/passwd /var/bin/system.conf

This creates the link. What the link does is refer anything that asks for "/var/bin/system.conf" to "/etc/passwd", so when our program tries to load "/var/bin/system.conf" it is redirected to "/etc/passwd" and shows us the contents of that file. The kernel follows the link on behalf of the program, so it is the program's root privileges, not ours, that decide whether the open succeeds. So now "/var/bin/system" is executed and sure enough we are shown the password hashes contained in "/etc/passwd". This is a very simple example, and it shows extremely poor programming: a privileged program must never trust a file that an unprivileged user can replace.

Similar exploits may occur though. For example, the program may call "more" to show a text file during execution. Under "more" (and "less", "vi" and most other pagers and editors) the shell escape "!cat /etc/passwd" will execute "cat /etc/passwd" with the privileges of the process that started the pager, so a SetUID root program that hands the terminal to a pager has effectively handed over a root shell.

IFS can be a very interesting tool. What it basically does is set which characters the shell uses to split a line into separate words; by default these are space, tab and newline. This is not the same as the ";" and "enter" that separate commands: with the default IFS, "/bin/ls ; mail" is broken down into the two commands "/bin/ls" and "mail" by the ";". Now if IFS were set to, say, "/", then the single word "/bin/ls" would be split up into "bin" and "ls", and the shell would go looking for a command called "bin" (with "ls" as its argument) in the directories listed in PATH. This can lead to some pretty useful implementations. If for example our program "system" were to execute "/bin/ls" through the shell during its execution, typing

    export IFS="/"

would set IFS to "/". We could then create a file in the current directory called "bin", place some commands in it to show us the passwd file, "chmod 755 bin" to make it executable, put the current directory at the front of PATH with "export PATH=.:$PATH", and "system" could be made to execute our commands as "root". One caveat: this is how the original Bourne shell behaved, splitting the whole command line on IFS. Modern shells (bash, dash, ksh) only apply IFS to the results of expansions such as an unquoted "$variable", never to literal words, so the bare trick above fails against them. The underlying bug is still there, though: a privileged program that passes the invoking user's environment (IFS, PATH, LD_PRELOAD and friends) on to a shell is trusting values the attacker chose. For simple exploits like these it is normally possible to use "strings file" to find out what the program may execute or do.

A "Race Condition" may come in handy if a program does check whether the file it is about to write to or read from is a symbolic link. The check and the actual open are two separate system calls, and there is a window of time between them. Basically, by executing two programs at once, after the first program checks for the existence of the link, the other program removes the file that would be used and links it to another file such as "/etc/passwd". An example of this is:

    /usr/bin/ps6 & rm -f /var/tmp6/ps6.tmp; ln -s /home/hacker/exploit /var/tmp6/ps6.tmp

This would execute "/usr/bin/ps6" and, while it is still running, remove its temp file and replace it with our own link. Whether the swap lands inside the window is down to timing, which is why it is called a race; in practice the attacker's half is run in a loop until it wins. The fix on the program's side is to open the file first and check the open descriptor (fstat), or to refuse symbolic links outright, rather than checking the path name and then opening it.

A symbolic link can also be turned into a "Denial of Service", most of the time with little effort. An example of this with XFree86 3.3.6 is:

    cd /tmp
    rm -f /tmp/.tX0-lock
    ln -s /dev/hd0 /tmp/.tX0-lock
    startx

The X server runs SetUID root and writes its lock file without checking for a link, so this would make "X" write its lock data directly over the raw data at the start of hard drive 0, where the boot sector and partition table live. (It depends on being able to remove the existing lock file; with the sticky bit set on /tmp you can only remove lock files you own.)
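The config-file symlink and the race condition above are the same mistake seen twice: the privileged program resolves a path it does not control, and checks it (if at all) separately from opening it. The C program below is an added example, not code from the original article, showing the article's "/var/bin/system" reading its config file the vulnerable way beside a hardened reader; the temporary directory, the "secret" file standing in for /etc/passwd, and the file contents are constructed for the demo.

```c
/* Added example (not from the original article): config reading the way
 * "/var/bin/system" does it, and the hardened form. Runs under a temp dir. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable: fopen() follows symbolic links, so after
 * "ln -s /etc/passwd system.conf" the root-privileged process reads and
 * displays /etc/passwd. Returns bytes read, or -1 on error. */
ssize_t read_config_unsafe(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Hardened: O_NOFOLLOW makes open() fail with ELOOP if the final path
 * component is a symlink, and fstat() inspects the descriptor we already
 * hold, so nothing can be swapped between the check and the read (the race
 * condition from the article). The file must also be a regular file owned
 * by root or by us and not group/world writable. */
ssize_t read_config_safe(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;                          /* errno == ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)
        || (st.st_uid != 0 && st.st_uid != geteuid())
        || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Helper: create a regular file, mode 0600, with the given content. */
static int write_file(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, content, strlen(content));
    close(fd);
    return w == (ssize_t)strlen(content) ? 0 : -1;
}

/* Replays the attack: "secret" stands in for /etc/passwd (constructed
 * sample line) and system.conf is replaced by a symlink to it. Returns 1
 * when the unsafe reader leaks the secret, the safe reader refuses the link,
 * and the safe reader still accepts a legitimate config file; else 0. */
int symlink_demo(void)
{
    char dir[] = "/tmp/sysconf.XXXXXX";
    char secret[256], conf[256], buf[256];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(conf, sizeof conf, "%s/system.conf", dir);
    if (write_file(secret, "root:x:0:0::/root:/bin/sh\n") < 0)
        return 0;
    /* attacker: rm -f system.conf; ln -s /etc/passwd system.conf */
    unlink(conf);
    if (symlink(secret, conf) < 0)
        return 0;
    int leaked  = read_config_unsafe(conf, buf, sizeof buf) > 0
                  && strstr(buf, "root:x:0:0") != NULL;
    int refused = read_config_safe(conf, buf, sizeof buf) < 0
                  && errno == ELOOP;
    /* legitimate config: a regular 0600 file we own is accepted */
    unlink(conf);
    int accepted = write_file(conf, "menu=on\n") == 0
                   && read_config_safe(conf, buf, sizeof buf) == 8
                   && strcmp(buf, "menu=on\n") == 0;
    unlink(conf);
    unlink(secret);
    rmdir(dir);
    return leaked && refused && accepted;
}

int main(void)
{
    printf("symlink demo %s\n", symlink_demo() ? "reproduced" : "failed");
    return 0;
}
```

The ownership and mode checks matter as much as O_NOFOLLOW: a root-owned program that happily reads a world-writable config is still taking instructions from whoever last wrote the file.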
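The IFS trick depends on the privileged program letting the invoking user's environment reach a shell. This C example, added here and not taken from the article, shows the system() call that makes the trick possible next to the fix practitioners actually use: fork, drop the SetUID privilege, and execve() an absolute path with an environment the program builds itself. The path /bin/sh, the fixed PATH value and the attacker's IFS and PATH values are assumptions for the demo.

```c
/* Added example (not from the original article): system() versus a clean
 * fork/execve for a SetUID program that needs to run an external command. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable: system() runs "sh -c /bin/ls" with the caller's environment,
 * so whatever IFS, PATH, LD_PRELOAD... the invoking user exported reach the
 * shell running as root. Shown for comparison only; nothing calls it. */
int list_dir_unsafe(void)
{
    return system("/bin/ls");
}

/* Environment a privileged child is allowed to see: fixed values, nothing
 * copied from environ. IFS is pinned to its default space/tab/newline. */
static char *const clean_envp[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* Run an absolute path with argv and the clean environment, capturing the
 * child's stdout into out. Returns the exit status, or -1 on error. */
int run_clean(const char *path, char *const argv[], char *out, size_t outlen)
{
    int pfd[2];
    if (path[0] != '/' || pipe(pfd) < 0)
        return -1;                          /* never a PATH lookup */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(pfd[0]);
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[1]);
        /* give up the SetUID privilege before anything external runs */
        if (setgid(getgid()) < 0 || setuid(getuid()) < 0)
            _exit(127);
        execve(path, argv, clean_envp);
        _exit(127);
    }
    close(pfd[1]);
    size_t used = 0;
    ssize_t n;
    while (used < outlen - 1
           && (n = read(pfd[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(pfd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: export the attacker's IFS and PATH from the article into our own
 * environment, then ask a child started via run_clean() what it sees.
 * Writes "PATH|IFS" as seen by the child into seen; returns exit status. */
int ifs_demo(char *seen, size_t len)
{
    setenv("IFS", "/", 1);                  /* attacker: export IFS="/" */
    setenv("PATH", ".:/home/hacker", 1);    /* attacker: ./bin first in PATH */
    char *const argv[] = { "sh", "-c", "printf '%s|%s' \"$PATH\" \"$IFS\"", NULL };
    return run_clean("/bin/sh", argv, seen, len);
}

int main(void)
{
    char seen[128];
    if (ifs_demo(seen, sizeof seen) == 0)
        printf("child saw: %s", seen);      /* /usr/bin:/bin| \t\n */
    return 0;
}
```

The child still gets a shell here only because the demo asks it to print variables; in a real program the argv would name the external binary directly (here "/bin/ls"), so no shell parses anything at all.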
Although I strongly condemn the use of things such as "DoS" or "DDoS" attacks, in the case of retaliation for a prior attack on your own system it may be useful. There are many more types of exploits out there; these are just the simpler ones. I will later deal with basic Buffer Overflow attacks, the more prominent attacks these days...