Difficulty: Medium

Learn how to achieve simple exploits on UNIX based systems


Creator: m0
In computer terms, an exploit is a process that can be followed to gain elevated privileges with guaranteed results. Under unix based systems, 'root' is the highest level of access, having access to anything and everything a user logged into this account wishes. An exploit does not necessarily require this level of access though; it may just take you from a level of access like the world-readable access given by a httpd daemon to a standard shell access account. In other words you could go from only being able to look at the computer's web page, to being able to traverse the file system and look at the administrator's hidden porn collection. In general cases, an exploit will either be used to gain access to the passwd and shadow files, or to directly gain a 'root' shell.
Firstly let's just examine how a simple exploit may work. Let's say we find a program in '/var/bin' that is called 'system' and by luck this program is SetUID root, which basically means that when you run the program your user is temporarily made to be root until the program has finished running. Now by examining the program a little further we find the program reads a config file '/var/bin/system.conf' and shows the contents in the options menu. By typing 'strings system' we find that there is indeed a string that directly refers to '/var/bin/system.conf', so we decide to exploit this. First we remove the config file with the following command: 'rm -rf /var/bin/system.conf'. Now that is done we shall create a symbolic link to '/etc/passwd' to read the system passwords: 'ln -s /etc/passwd /var/bin/system.conf'. This creates the link; what the link does is basically refer anything that asks for '/var/bin/system.conf' to '/etc/passwd', so in theory when our program tries to load '/var/bin/system.conf' it will be redirected to '/etc/passwd' and show us the contents of the file. So now '/var/bin/system' is executed and sure enough we are shown the password hashes contained in '/etc/passwd'.
This is a very simple example, and shows extremely poor programming of the program, but similar exploits may occur, for example when the program calls 'more' to show a text file during execution. Under 'more' a simple ';cat /etc/passwd' will execute 'cat /etc/passwd'.
IFS can be a very interesting tool. What it basically does is set what separates commands in the shell; usually just ';' and 'enter' are used, but this variable can be set. For example with IFS set as default, '/bin/ls ; mail' will be broken down into two commands, '/bin/ls' and 'mail'. Now if IFS were, say, set to '/' then the command would be split up into 'bin' and 'ls ; mail'. This can lead to some pretty useful implementations. If for example our program 'system' were to execute '/bin/ls' during its execution, then by typing 'export IFS="/"' IFS would be set to '/', and we could create a file in the current directory called 'bin', place some code in it to show us the passwd file, 'chmod 755 bin' to make it executable, and 'system' could be made to execute our commands as 'root'.
For simple exploits like these, it is normally possible to run 'strings file' to find out what it may execute or do. A 'Race Condition' may come in handy if a program is made to check whether a file that is written to, or read, is a symbolic link. Basically, by executing two programs at once, after the first program checks for the existence of the link, the other program is made to remove the file that would be used and link it to another file such as '/etc/passwd'. An example of this is:
/usr/bin/ps6 &
rm -rf /var/tmp6/ps6.tmp
ln -s /home/hacker/exploit /var/tmp6/ps6
This would execute '/usr/bin/ps6' and, while it is still running, remove its temp file and replace it with our own file.
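As an added example (not from the original text or its author): the defender's fix for both the setuid 'system' config-file problem and the temp-file race above, in C. The temp directory, file names and the 'verbose=1' content are constructed for the demo; nothing else is assumed beyond the scenario the text describes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive open, as the 'system' program above behaves: open() follows the
 * symbolic link, so a setuid caller discloses whatever it points at. */
int open_config_naive(const char *path) { return open(path, O_RDONLY); }

/* Hardened open: returns an fd, or -1 with errno set. O_NOFOLLOW makes
 * open() fail with ELOOP if 'path' itself is a symlink; fstat() on the fd
 * we already hold (not stat() on the name, which would reopen the race
 * above) confirms a regular file owned by the effective user (root for a
 * setuid-root binary) that is not group- or world-writable. */
int open_config_hardened(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture: a real config plus a symlink to it, standing in for
 * 'ln -s /etc/passwd /var/bin/system.conf'. Returns 0 when the naive open
 * follows the link while the hardened open rejects it with ELOOP. */
int demo(void)
{
    char dir[] = "/tmp/sysconf-demo-XXXXXX", real[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(real, sizeof real, "%s/real.conf", dir);
    snprintf(lnk, sizeof lnk, "%s/system.conf", dir);
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || write(fd, "verbose=1\n", 10) != 10 || symlink(real, lnk))
        return -1;
    close(fd);
    int a = open_config_naive(lnk);                    /* follows the link */
    int b = open_config_hardened(lnk), b_err = errno;  /* expect ELOOP */
    int c = open_config_hardened(real);                /* plain file: ok */
    int rc = (a >= 0 && b < 0 && b_err == ELOOP && c >= 0) ? 0 : 1;
    if (a >= 0) close(a); if (c >= 0) close(c);
    unlink(lnk); unlink(real); rmdir(dir);
    return rc;
}
```

The same O_NOFOLLOW plus fstat-on-the-open-descriptor pattern is what closes the temp-file race: the program never re-inspects a path name after opening it, so there is no window in which to swap the file.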
A symbolic link can also be turned into a 'Denial of Service', most of the time with little effort. An example of this with 'XFree86 3.3.6' is:
cd /tmp
rm -f /tmp/.tX0-lock
ln -s /dev/hd0 /tmp/.tX0-lock
startx
This would make 'X' write data directly over the raw data on hard drive 0. Although I strongly condemn the use of things such as 'DoS' or 'DDoS' attacks, in the case of a retaliation to a prior attack on your own system it may be useful.
There are many more types of exploits out there; these are just the simpler ones. I will later deal with basic Buffer Overflow attacks, the more prominent of attacks these days...