                              ==Phrack Inc.==

                Volume 0x0e, Issue 0x43, Phile #0x01 of 0x10

|=----------------------------------------------------------------------=|
|=--------------------------=[ Introduction ]=--------------------------=|
|=----------------------------------------------------------------------=|
|=----------------------=[ By The Phrack Staff ]=-----------------------=|
|=----------------------------------------------------------------------=|
|=----------------------=[  November 17, 2010  ]=-----------------------=|
|=----------------------------------------------------------------------=|


    "The greatest trick the Devil ever pulled was convincing the world he
     didn't exist"

    --- Verbal Kint


It's 1.00 a.m., nobody hits this secondary road. Heck, I'm almost sure
half of it doesn't have a line to remind you that you should share it with
upcoming cars. It's raining, but not too hard. I'm going home. It's
Tuesday. What the hell am I doing out here, half an hour from home, slowly
driving under the rain?

It's 1.05 a.m., I know this road, I know this feeling, I recognize the
shivering. I let it flow. Turn off the music, I want silence.

It's 2.00 a.m., nobody hits this machine at this time of the day. Logs
track me, but I'll clean them. I know this road, I know this feeling, I
recognize the shivering. Turn on the music, the game is on. I'm sure
someone else is around here, someone else has seen this # before. "I'll
fuck you if you don't fuck me first, sir". Fair enough, this is the rule.

I'll go to sleep afterwards. I'm meeting some friends and I've to take a
train tomorrow. I'll sleep on the couch of someone I've never seen before,
yet I know him well.

It's 1.00 a.m., 10 years later. It's a GPG email from the guy that once
offered me a couch. Then another time. I can count the times I've seen him
in person on two hands, but I would overflow a 'short' counting the words
we exchanged. We meet again, thought you disappeared. Things change,
indeed.
Life gave us something to lose and we are holding on it. We lost people,
money, opportunities, that's why we hold on. Once a hacker, forever a
hacker, right? Let's finish this code. Let's visit this city.

It's 2.00 a.m., today. Nothing in this story, in this Intro, is real. I
wasn't there, this is not me. This is just a stream of ASCII characters.

Someone out there pulled a great trick and convinced the world that
security was a cool business. Someone is pulling even greater tricks and
makes money out of his ignorance living on others' slightly bigger
ignorance. Somewhere, a crackdown on some kids proves to be necessary to
keep the 'mistery' alive, to keep the bandwagon going. Someone spies on
former fellow friends, 'cause that's worth millions. Everybody is happy
and we slowly fade away. Away, towards a new Underground.

"I'll fuck you if you don't fuck me first, sir".

If you are shivering, if you have been there, if you feel it, you know
what I mean. PHRACK may die. Groups may die. Things as we know today may
die. The great trick might actually seem to work -- goodbye Underground,
welcome Security Industry.

Not too fast.

"Once a hacker, forever a hacker, right?"

The Game is on.


-----( Phrack Issue #67 )-----

It's with incredible pleasure that we present you our newly released
issue:

[ASCII art: issue banner]

   - By the community, for the community. -

But wait ... the release date ... it sounds familiar ... OMFG!!!

[ASCII art signed "jgs": "H A P P Y  25th  B I R T H D A Y"]

Yes. That's right friends. This 67th issue is the celebration of Phrack's
25th birthday. Happy birthday Phrack!


-----( Coming from the past )-----

Once upon a midnight dreary, while I pondered, weak and weary, over many a
quaint and curious volume of forgotten lore...

Hello Cyberpals. It's your old friend Mike Schiffman AKA route AKA
daemon9. *Cyberhug!* It sure has been a long time! Well I'll be! You guys
all look the same, young and eager and hungry... Me? I'm still here, just
older and grayer and a bit less conspicuous.

Ok, I'll say it -- I'm downright honored that you crazy rascals still
remember me. It sure has been many a fortnight that I've been in this
business. I mean, back in 1994, when I started poking around the scene in
I was just a little dork who used to work out a lot and bleach my hair
white. Sure I was probably the first muscle-bound white-haired guy with a
giant computer chip tattoo on his back who had this tireless thirst for
computers and hacking and writing all sorts of Usenet posts and papers --
but there would be legions more to come...

Now in 2010 I'm a much bigger and more experienced dork. It's more than 16
years later. I have many more tattoos and the hair is getting white all by
itself. And I reminisce... I look back and reflect on those days. Some of
the stuff I used to do... My comp.security Usenet posts. "The Infinity
Concept" e-zine, the precursor to my Phrack editorial days. My netcom.com
.plan file. The PGP Attack FAQ.

I remember getting owned. I remember the first time my phones got done up
and you miscreants forwarded my calls to bridge and told people I had died
of AIDS. I remember my girlfriend at the time being scared shitless of
what was next. I remember my dox getting dumped to #phrack.
I remember u4ea threatening to insert my SSN into the NCIC. I remember
Bane and u4ea calling my house repeatedly. I also remember pictures of
u4ea cross-dressing. I remember Bane getting backhanded by Synapse at
Defcon 4. I remember Special Agent Peter Trahon and his partner who looked
and sounded like Sergeant Slaughter from GI JOE both from the San
Francisco FBI Computer Crime task force picking me in a late model Crown
Victoria and taking me to Max's Opera Cafe in Walnut Creek, CA and shaking
me down for dirt on other cyber-dorks they were investigating...

I remember teardrop. I remember Loki. I remember TQBF telling me that I
had better be real careful in releasing the technique/code of ICMP covert
channel tunneling as I was "stepping on active people's toes"... I
remember hooking an old landline phone up to my neighbor's wiring to call
him and discuss it... I remember Carolyn Meinel... And her daughter
Virginia at Defcon 5.

I remember Eric Bloodaxe tapping me to be a Phrack editor along with
Voyager and Redragon. I remember overshadowing them and bringing my own
editorial team onboard... I remember how awesome it was to be a Phrack
Editor. I remember how awesome Phrack was. How amazing it still is.

Kudos to the current editorial team for keeping it alive, and here's to
another 25 years. Come find me then, and prophile me.

XOXO Scene,
MS AKA Route AKA daemon9


-----( What you were waiting for )-----

Telling you that we're proud to release this issue would be a euphemism
for many reasons including, and that is the most important, the pleasure
you will have while reading it. Oh and by the way, we apologize for the
wait ...

08:21 | --->| su [~su@201.6.x.y] #phrack
08:23 | --->| arr[][] [arr@fledge.z.org] #phrack
08:29 | su | halfdead, are you having trouble in man gcc this time? is that why phrack's issue is so late?
08:30 | Dreg | wtf
08:30 | @bab00n | hoho

Double. No. Triple private joke.
You may have waited a long time but at least we made it before ZF #06 ;>

$ cat p67/index.txt

<--------------------------( Table of Contents )-------------------------->
 0x01 Introduction ....................................... Phrack Staff
 0x02 Phrack Prophile on punk ............................ Phrack Staff
 0x03 Phrack World News .................................. EL ZILCHO
 0x04 Loopback (is back) ................................. Phrack Staff
 0x05 How to make it in Prison ........................... TAp
 0x06 Kernel instrumentation using kprobes ............... ElfMaster
 0x07 ProFTPD with mod_sql pre-authentication ............ FelineMenace
 0x08 The House Of Lore: Reloaded ........................ blackngel
 0x09 A Eulogy for Format Strings ........................ Captain Planet
 0x0a Dynamic Program Analysis and Software Exploitation . BSDaemon
 0x0b Exploiting memory corruptions in Fortran programs .. Magma
      under UNIX/VMS
 0x0c PHRACKERZ: Two Tales ............................... Antipeace &
                                                           The Analog Kid
 0x0d Scraps of notes on remote stack overflow ........... pi3
      exploitation
 0x0e Notes Concerning the Security, Design and .......... The Philosopher
      Administration of Siemens DCO-CS Digital Switching Systems
 0x0f Hacking the mind for fun and profit ................ lvxferis
 0x10 International Scenes ............................... various
<------------------------------------------------------------------------->

Have you ever noticed how some issues seemed to have a thematic? Consider
for example p66. There are 4 papers dealing with heap exploitation. Now
take p63. 5 papers are about (anti)reverse engineering and binary
manipulation techniques and p62 clearly has a Windows color. Weird, isn't
it? Coincidence? Bias in the uniform distribution of hacking playgrounds?
I'll let you draw your own conclusions.

For this issue, with no doubts, the focus is on userland exploitation. Did
you really think that you had seen everything? Well how about debugging
some heap?
While FelineMenace gives you tricks using an usual practical case (hint:
don't miss the source code), blackngel explains in detail the House Of
Lore technique. Having troubles with fortify? Go read Captain Planet's
excellent paper on format bugs as well as pi3's notes about cookies. It
might be handy.

Exploiting bugs is cool but finding them is de facto mandatory. That's
when BSDaemon's paper comes to play. Read it and learn about how to
instrument programs.

Now what about a new playground? Discover the joy of Fortran hacking with
Magma. Oh btw he may just have lost it you know...

Missing kernel fun? Why not read ElfMaster's paper? You'll certainly learn
a bit of useful things, truly.

Missing the good old phreaking days? Thank The Philosopher for his
contribution (you made us crazy man !@#) and go learn about old school
DCO-CS hacking.

The best for the end. We have the luck to have no more than 4 non
technical papers for this issue. You don't care? Fucking idiot, go away.
Though we already thanked them, let us highlight EL ZILCHO, TAp,
Antipeace, The Analog Kid, lvxferis & the anonymous contributors of the
"International Scenes" phile.

Phrack is without a doubt one of the most technical sources of knowledge
of the whole hacking scene thanks to its writers. But the most important
aspect is not the technical one. Nowadays there are lots of impressive
sources of information (blogs, books, conferences) freely available on
Internet. However they all lack a soul. Phrack has a spirit and that's its
true power.

Now as a demonstration of the so-called spirit, we have the brilliant work
of EL ZILCHO. Tired of the crap published on zdnet? Then have a taste of
the Phrack World News. Eager to learn about life experiences? TAp is your
man with one of the most fascinating papers of this issue. You should also
consider alternative literature with lvxferis' paper. Ahah.
Oh and if you're just passing by, attracted by the hacking culture but not
yet ready/able to embrace it then Phrackerz paper is for you. It should
bring you answers.

-- The Phrack Staff

Ps: Oops sorry to forget o_O. It came to our attention after Pipacs'
    profile publication in p66 that whitehats profile were the most wanted
    one. Unfortunately Theo was already on holidays [1] when we needed to
    start the interview. Sorry guyz ;> Have fun anyway with punk!

[1] http://kerneltrap.org/mailarchive/openbsd-misc/2010/8/13/6186


-----( GreetZ for issue #67 )-----

As always and because our staff would have done nothing but shit without
them, we'd like to thank (in no particular order)...

- route/daemon9: still able to make a kickass intro ;)
- The Analog Kid: the spirited kid
- nullcon guyz: nice people, visit their great country!
- EL ZILCHO: fuck1ng great job!
- TAp: peace bro :>
- ElfMaster: yet another kernel hax0r ;)
- lvxferis: who is this guy???
- FelineMenace: the LOLCats team counterattacks ;-)
- spacewalker: supportive & gifted belgian bro
- blackngel: malloc's worse enemy
- Captain Planet: fmt bugs' worse enemy (lake of inspiration detected)
- argp & huku: kudos for kickass answers in no time
- BSDaemon: oi. Tudo bom?
- punk: the whitehat k1ll3r
- the VX scene: thanks for the support & various exchanges over past
  months. Special thanks to izee, herm1t and EOF writers.
- Magma: take your pills gramps
- The Philosopher: well done
- antipeace: ~_o
- pi3: Hi bulba! (oops wrong one)
- spy: our IRC bot
- halfdead: su said you contributed on IRC ;)
- the circle: kudos for your past work.

...for their contributions and support.

Touching isn't it? But so true :-)


-----( Phrack Magazine's policy )-----

phrack:~# head -20 /usr/include/std-disclaimer.h
/*
 * All information in Phrack Magazine is, to the best of the ability of
 * the editors and contributors, truthful and accurate. When possible,
 * all facts are checked, all code is compiled.
 * However, we are not omniscient (hell, we don't even get paid). It is
 * entirely possible something contained within this publication is
 * incorrect in some way.
 * If this is the case, please drop us some email so that we can correct
 * it in a future issue.
 *
 *
 * Also, keep in mind that Phrack Magazine accepts no responsibility for
 * the entirely stupid (or illegal) things people may do with the
 * information contained herein. Phrack is a compendium of knowledge,
 * wisdom, wit, and sass. We neither advocate, condone nor participate
 * in any sort of illicit behavior. But we will sit back and watch.
 *
 *
 * Lastly, it bears mentioning that the opinions that may be expressed in
 * the articles of Phrack Magazine are intellectual property of their
 * authors.
 * These opinions do not necessarily represent those of the Phrack Staff.
 */


-----( Contact Phrack Magazine )-----

< Editors           : staff[at]phrack{dot}org    >
> Submissions       : staff[at]phrack{dot}org    <
< Commentary        : loopback[@]phrack{dot}org  >
> Phrack World News : pwned[at]phrack{dot}org    <

  Submissions may be encrypted with the following PGP key:
  (Hint: Always use the PGP key from the latest issue)