III) Examine suspicious programs
-----------------------------

i)   cd dir1
ii)  There are some files that we find in the hacker's hidden directory.
iii) Figure out what these programs are for and how to use them (you may try to run them under a non-root account on the ntec81 host; inspect them with strings first, which needs no execution at all).

/dir1> ls -lR
.:
total 84
drwxr-xr-x 3 root root  4096 Nov  4  2000 ./
drwxr-xr-x 5 root root  4096 Nov 18  2000 ../
-rwxr-xr-x 1 root root    70 Oct 31  2000 exe_lhack*
-rwxr-xr-x 1 root root 13930 Oct 30  2000 lhack*        <--- traceroute attack
-rwxr-xr-x 1 502  peter 11947 Oct 27  2000 sh*           <--- shell
drwxr-xr-x 2 root root  4096 Oct 28  2000 vul/
-rwxr-xr-x 1 root root 37760 Oct 30  2000 wuftp*        <---

./vul:                 <--- directory storing the vulnerable programs in.ftpd, popper and traceroute
total 452
drwxr-xr-x 2 root root   4096 Oct 28  2000 ./
drwxr-xr-x 3 root root   4096 Nov  4  2000 ../
-rwxr-xr-x 1 root root 153488 Feb 28  2000 in.ftpd*
-rwxr-xr-x 1 root root 266634 Oct  4  2000 popper*
-rwxr-xr-x 1 root root  16488 Feb  8  2000 traceroute*

strings lhack shows:
AAAA
/usr/sbin/traceroute

(A run of 'A' bytes next to the path of a setuid binary is the classic buffer-overflow filler: lhack is a local exploit against /usr/sbin/traceroute.)

strings wuftp shows:
FreeBSD 4.0-RELEASE with wuftpd 2.6.0(1) from packages
FreeBSD 3.4-RELEASE with wuftpd 2.6.0(1) from ports
FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from packages
FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from ports
RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm (test)
SuSe 6.4 with wuftpd 2.6.0(1) from rpm
SuSe 6.3 with wuftpd 2.6.0(1) from rpm
RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm
RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm
Usage: %s -t [-l user/pass] [-s systype] [-o offset] [-g] [-h] [-x] [-m magic_str] [-r ret_addr] [-P padding] [-p pass_addr] [-M dir]
target    : host with any wuftpd
user      : anonymous user
dir       : if not anonymous user, you need to have writable directory
magic_str : magic string (see exploit description)
-g        : enables magic string digging
-x        : enables test mode
pass_addr : pointer to setproctitle argument
ret_addr  : this is pointer to shellcode
..
got answer: %s
[31mPress ^\ to leave shell
CCSKSS RQSS 0bin0sh1..11venglin "of,b 0bin0sh1..11

(The target table, the -r ret_addr / -p pass_addr options and the "Press ^\ to leave shell" banner identify wuftp as a remote exploit for wu-ftpd 2.6.0; the trailing strings are fragments of its embedded shellcode, with "/bin/sh" encoded as 0bin0sh.)
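A small Python triage script, added here as an example and not part of the original exercise, that automates what the manual strings runs above show: it extracts printable runs the way strings(1) does and matches them against indicator patterns (the 'AAAA' filler, a hard-coded privileged target path, exploit usage text, the post-exploit shell banner). The sample byte blobs, the INDICATORS table and the classify() rule are constructed assumptions for illustration; the blobs stand in for lhack and wuftp and are not those files.

```python
"""Triage suspicious binaries by extracting printable strings and matching
exploit indicators, mirroring the manual strings(1) runs in the exercise."""
import re
from typing import Dict, List

MIN_RUN = 4  # same default minimum string length as strings(1)

# Indicator patterns. This table is an assumption for the example; extend it
# with whatever your own cases turn up.
INDICATORS: Dict[str, re.Pattern] = {
    # a shell path, including the '0bin0sh' encoding seen in the wuftp output
    "spawns_shell": re.compile(r"/bin/sh|0bin0sh"),
    # long runs of 'A' are the classic filler used to overrun a stack buffer
    "overflow_filler": re.compile(r"A{4,}"),
    # usage text that only an exploit would carry (heuristic; may over-match)
    "exploit_usage": re.compile(r"ret_addr|shellcode|magic_str|offset|padding", re.I),
    # a hard-coded path to a privileged local target (setuid traceroute here)
    "local_target": re.compile(r"/usr/s?bin/(traceroute|in\.ftpd|popper|wu-?ftpd)"),
    # banner printed once the exploit has a shell on the target
    "remote_shell_banner": re.compile(r"got answer|Press \^\\ to leave shell"),
}


def extract_strings(data: bytes, min_run: int = MIN_RUN) -> List[str]:
    """Return every run of at least min_run printable ASCII bytes, like strings(1)."""
    found, run = [], bytearray()
    for byte in data:
        if 0x20 <= byte <= 0x7E:      # printable ASCII, no tabs/newlines
            run.append(byte)
            continue
        if len(run) >= min_run:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_run:           # flush a run that ends at EOF
        found.append(run.decode("ascii"))
    return found


def triage(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator label to the extracted strings that matched it."""
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(data):
        for label, pattern in INDICATORS.items():
            if pattern.search(s):
                hits.setdefault(label, []).append(s)
    return hits


def classify(hits: Dict[str, List[str]]) -> str:
    """Heuristic verdict (an assumption for this example, not a standard rule)."""
    if "exploit_usage" in hits or ("overflow_filler" in hits and "local_target" in hits):
        return "exploit"
    if "spawns_shell" in hits:
        return "shell-spawning/unknown"
    return "no indicators"


# Constructed sample blobs standing in for lhack and wuftp; not the real files.
SAMPLE_LHACK = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    + b"A" * 64 + b"\x00"            # filler that overruns the target's buffer
    + b"\x90" * 8 + b"\xeb\xfe"      # non-printable bytes that strings skips
    + b"/usr/sbin/traceroute\x00"
)
SAMPLE_WUFTP = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    + b"RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm\x00"
    + b"Usage: %s -t [-l user/pass] [-s systype] [-o offset] [-r ret_addr]\x00"
    + b"ret_addr : this is pointer to shellcode\x00"
    + b"got answer: %s\x00"
    + b"\x1b[31mPress ^\\ to leave shell\x00"   # ESC byte is dropped by strings
    + b"0bin0sh1..11\x00"
)
SAMPLE_BENIGN = b"\x7fELF" + b"\x00" * 12 + b"Hello, world\x00" + b"GCC: (GNU) 2.96\x00"


if __name__ == "__main__":
    for name, blob in (("lhack", SAMPLE_LHACK), ("wuftp", SAMPLE_WUFTP), ("benign", SAMPLE_BENIGN)):
        hits = triage(blob)
        print(f"{name}: {classify(hits)}")
        for label, matches in hits.items():
            print(f"  {label}: {matches}")
```

Against real files use `triage(open(path, "rb").read())`; because this only reads bytes, it is the safe first pass before anything is run, even as a non-root user.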