INTRODUCTION: Gday. This tar file contains a number of files that will allow you to get root access to between 40% to 70% of all Unix machines.
It does this by exploiting a hole/feature in telnetd where environment variables are passed from the calling telnet client, to the recieving telnet daemon. These are normal env variables, such as TERM and TZ. However, there are a few which affect the runtime linker/loader (ld.so). These variables affect how ld.so finds and uses shared libraries. EXPLANATION: Most programs are written and compiled and only contain code the author has written. Standard functions such as printf and strncpy are stored in runtime libraries. When the program is initiated, a runtime linker adds in these little bits of code. The main benefit is that lots of work is saved. An author doesn't need to re-write printf every program he writes. These libraries of pre-written functions are called shared object libraries. When a program is written to use these, that program is called a dynamically linked program. That is it will dynamically load functions as and when it need them. We can exploit this hole in ld.so by specifying our own library functions. In fact, this code replaces two standard C library functions, openlog and getpass. getpass is used when a program wants a password to be entered, without echoing to the display. openlog was added because some systems have a different way of initiating logins. The main crux is that both of these functions are executed when login (which is called when telnetd finds an incoming connection) is running as root. Any code which is executed then will be executed as root. My two trojan functions simply execute /bin/sh as uid 0. getpass is used in a normal /bin/login and is called after you enter your login name. Some systems that use shadow passwording will find (if you examine the source) that getpass isn't used. To circumvent this, we add openlog which, if a site is shadowed is probably going to be compiled in. This is the default with the shadow setups I've seen. METHOD: Method One (If you have an account on the machine you want root on. Try this first.) (1) gunzip and untar the source into a directory, eg /home/squidge/lib_hack (2) compile the programs by typing make all (3) wait (4) you will have a file /tmp/.libroot.so (5) type telnet (6) at the telnet> prompt, type env def LD_PRELOAD /tmp/.libroot.so This tells telnet to pass the environment variable LD_PRELOAD to the target machine. LD_PRELOAD points to our trojan library. (7) type open localhost (8) If you don't get a prompt bash#, but get login: type something like test You should now be greeted with bash#. Type id and see you are root. Note that telnetd will time you out, so make some attempt at a backdoor. Method Two (If you have no account on the target machine) (1) as above (2) as above, if you are running the same hardware as the target. If you are on different processors, try compiling on a different machine. If you know what you are doing, try changing the target architecture used by gcc and ld. it is the -m flag with ld. (3) assuming you have the correct binary, open an ftp connection to the target (4) using bin mode, upload your trojan library to the targets incoming directory. (5) switch back to your machine, start telnet and specify the path of the targets ftp directory as your LD_PRELOAD. On linux this is normally /home/ftp/incoming. On others generally /var/ftp/incoming or /etc/ftp/incoming. (6) as number 8 above. If you opt for method 2, you will need a pretty good idea of what is going on. It is not for the fainthearted. If demand is high, I may release a new set of .o files for different architectures. There should be no need. I can compile for Sun(SPARC), M68 and x86 on my linux box. So can you. HOW TO PROTECT: There are a few ways. If you have a statically linked login, then you are safe. setuid programs ignore LD_PRELOAD so one you have logged in, you cannot subvert the system. You can patch telnetd to wipe all but a few env variables. There are many widely pieces of available code to demonstrate this. FINALLY: Thats all I can think of. If you have any questions, email firstname.lastname@example.org (The Guild homesite)