Cum Sa Faci Exploit (How to Make an Exploit)

Uploaded by bony_keysey

Difficulty: Medium

Learn how to achieve simple exploits on UNIX based systems

Creator: m0
In computer terms, an exploit is a process that can be followed to gain elevated privileges with guaranteed results. Under unix based systems, 'root' is the highest level of access, having access to anything and everything a user logged into this account wishes. An exploit does not necessarily require this level of access though; it may just take you from a level of access like the world-readable access given by a httpd daemon to a standard shell access account. In other words you could go from only being able to look at the computer's web page to being able to traverse the file system and look at the administrator's hidden porn collection. In general cases, an exploit will either be used to gain access to the passwd and shadow files, or to directly gain a 'root' shell.

Firstly let's just examine how a simple exploit may work. Let's say we find a program in '/var/bin' that is called 'system' and by luck this program is SetUID root, which basically means that when you run the program your user is temporarily made to be root until the program has finished running. Now, by examining the program a little further, we find the program reads a config file '/var/bin/system.conf' and shows the contents in the options menu. By typing 'strings system' we find that there is indeed a string that directly refers to '/var/bin/system.conf', so we decide to exploit this. First we remove the config file with the following command: 'rm -rf /var/bin/system.conf'. Now that is done we shall create a symbolic link to '/etc/passwd' to read the system passwords: 'ln -s /etc/passwd /var/bin/system.conf'. This creates the link; what the link does is basically refer anything that asks for '/var/bin/system.conf' to '/etc/passwd', so in theory when our program tries to load '/var/bin/system.conf' it will be referenced to '/etc/passwd' and show us the contents of the file. So now '/var/bin/system' is executed and sure enough we are shown the password hashes contained in '/etc/passwd'.

This is a very simple example, and shows extremely poor programming of the program; similar exploits may occur though, for example the program may call 'more' to show a text file during execution. Under 'more' a simple ';cat /etc/passwd' will execute 'cat /etc/passwd'.

IFS can be a very interesting tool. What it basically does is set what separates commands in the shell; usually just ';' and 'enter' are used, but this variable can be set. For example, with IFS set as default, '/bin/ls ; mail' will be broken down into two commands, '/bin/ls' and 'mail'. Now if IFS were, say, set to '/' then the command would be split up into 'bin', 'ls ; mail'. This can lead to some pretty useful implementations. If for example our program 'system' were to execute '/bin/ls' during its execution, by typing 'export IFS="/"' IFS would be set to '/', and we could create a file in the current directory called 'bin', place some code in it to show us the passwd file, 'chmod 344 bin' to make it executable, and 'system' could be made to execute our commands as 'root'.

For simple exploits like these, it is normally possible to 'strings file' to find out what it may execute or do. A 'Race Condition' may come in handy if a program is made to check whether a file that is written to, or read, contains a symbolic link. Basically, by executing two programs at once, after the program checks for the existence of the link, the other program is made to remove the file that would be used and link it to another file such as '/etc/passwd'. An example of this is:

/usr/bin/ps6 &
rm -rf /var/tmp6/ps6.tmp
ln -s /home/hacker/exploit /var/tmp6/ps6

This would execute '/usr/bin/ps6' and while it is still running remove its temp file and replace it with our own file.

A symbolic link can also be turned into a 'Denial of Service' most of the time with little effort; an example of this with 'Xfree 8..6' is:

cd /tmp
rm -f /tmp/.tX0-lock
ln -s /dev/hd0 /tmp/.tX0-lock
startx

This would make 'X' write data directly over the raw data on hard drive 0. Although I strongly condemn the use of things such as 'DoS' or 'DDoS' attacks, in the case of a retaliation to a prior attack on your own system, it may be useful.

There are many more types of exploits out there; these are just the simpler ones. I will later deal with basic Buffer Overflow attacks, the more prominent of attacks these days...
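Added here as the defender's counterpart to the symlink, IFS and race-condition cases above (example code, not from the tutorial): a privileged program that opens its config file with O_NOFOLLOW, validates the already-open descriptor instead of checking the path first, and scrubs the shell environment it inherited. It assumes a Linux or BSD libc with O_NOFOLLOW and mkdtemp; the function names and the /tmp paths are invented for the demonstration.

```c
/* Added example, not from the original text: a privileged program opening its
 * config file without trusting the path or the caller's shell environment. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* O_NOFOLLOW makes a symlinked path fail (ELOOP) instead of redirecting us,
 * and every check runs on the already-open fd, so a second process cannot
 * swap the file between check and use. Returns the fd, or -1. */
int open_trusted_file(const char *path, uid_t expected_owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);   /* device, wrong owner, or group/world writable */
        return -1;
    }
    return fd;
}

/* Drop inherited shell state so a caller-set IFS or PATH cannot change what
 * "/bin/ls" means to a child process. Better still: start from empty. */
void scrub_environment(void)
{
    unsetenv("IFS");
    unsetenv("LD_PRELOAD");
    setenv("PATH", "/usr/bin:/bin", 1);
}

/* Self-check in a private temp dir (constructed paths): the real config file
 * is accepted, a symlink pointing at it is refused. Returns 1 on success. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/cfgdemo.XXXXXX", real[64], link[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(real, sizeof real, "%s/system.conf", dir);
    snprintf(link, sizeof link, "%s/system.link", dir);
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(real, link) < 0) return 0;
    close(fd);
    int real_fd = open_trusted_file(real, getuid());
    int link_fd = open_trusted_file(link, getuid());
    if (real_fd >= 0) close(real_fd);
    unlink(link); unlink(real); rmdir(dir);
    return real_fd >= 0 && link_fd == -1;
}
```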
