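#!/usr/local/bin/perl
# -- -*-perl-*-
#
##########################################################################
# phf perl script used to try to find out as much info from the person
# calling the script as possible.  Only reason for using phf on the
# system is to exploit a bug to execute commands.
#
# contributors:
#   Ray W. Hiltbrand  Jul 17 1996   Ray.W.Hiltbrand@Eng.Auburn.EDU
#   Doug Hughes                     doug@Eng.Auburn.EDU
#   Paul Danckaert                  pauld@lemur.org
#   Pierre Beyssac                  pb@hsc.fr
#
# Comments and orig source can be found at:
#   http://www.eng.auburn.edu/users/rayh/software/phf.html
#   ftp://ftp.eng.auburn.edu/pub/rayh/security/phf
#
# All rights reserved. 1996
#
# Email comments, changes, enhancements to Ray.W.Hiltbrand@Eng.Auburn.EDU
#
# Change Log:
#   19960715  Created
#   19960717  Added Ident support and safe_finger support
#   19960926  Added support for builtin finger or safe_finger
#             Added ability to turn off parts of script
#             (ie finger, ident, fake)
#             Added fake PHF HTML code                  From: Paul Danckaert
#             Added additional return type for fake PHF From: Paul Danckaert
#   review    REMOTE_HOST (attacker-controlled via their PTR record) was
#             interpolated unescaped into a shell pipeline and a regex;
#             both it and REMOTE_ADDR are now validated first.  send() was
#             called with length() in the FLAGS slot.  The probes had no
#             timeout, so a host that drops our SYNs pinned this CGI.
#             "do SUB()" is a syntax error on current perls; replaced by
#             plain calls.  sys/socket.ph replaced by the Socket module.
##########################################################################
use strict;
use warnings;
use Socket;    # PF_INET, SOCK_STREAM, inet_aton, sockaddr_in (was sys/socket.ph)

#
# Set this to the email address that will receive the alert.
my $SECUREADDRESS = "someone\@somesite.com";
#
# This should match the mail program on your system.  It is started through
# the shell with $SECUREADDRESS appended, so both stay administrator-owned.
my $mailprog = '/usr/lib/sendmail';
#
# Location of safe_finger, or use the builtin finger client.
#   - leave $finger empty to use the builtin finger below
#   - set $finger to the path (plus options) of safe_finger, example below
#   - set $finger to NONE if you don't wish to use finger at all
my $finger = "";
#$finger = "/etc/local/safe_finger -l";
#
# Set $ident to NONE if you do not want ident support.
my $ident = "";
#$ident = "NONE";
#
# Need netstat to find the port of the remote address.
my $netstat = "/usr/bin/netstat -a -f inet";
#
# Need a grep to look for the remote address (this is the lazy man's way).
my $grep = "/usr/bin/fgrep";
#
# Real name of the machine the web server is running on.
my $web_server = "machinename";
#
# Port the web server runs on.
my $web_port = "80";
#
# Set $fakephf to NONE if you do not want fakephf support.
my $fakephf = "";
#$fakephf = "NONE";
#
# Seconds to wait for the probed host to answer finger/ident.  Without a
# bound, an attacker who filters our packets holds this CGI process until
# the kernel's TCP timeout, and every probe is one server process.
my $probe_timeout = 10;
#####End Configuration Section################################
# (nothing below should need to be changed)

#
# Who is probing us.  REMOTE_ADDR is taken by the server from the TCP peer
# address.  REMOTE_HOST is the result of a reverse DNS lookup, so whoever
# owns the attacker's PTR record chooses its contents.  Both are handed to
# a shell (finger, netstat|fgrep) and a regex below, so reduce each to a
# safe alphabet and treat anything else as "unknown".
#
my $remote_addr = $ENV{'REMOTE_ADDR'} || '';
my $remote_host = $ENV{'REMOTE_HOST'} || '';
my $query       = $ENV{'QUERY_STRING'} || '';

my $safe_addr = ($remote_addr =~ /\A(\d{1,3}(?:\.\d{1,3}){3})\z/) ? $1 : '';
my $safe_host = ($remote_host =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]{0,254})\z/) ? $1 : '';

# Set by FakePHF() to describe what the attacker tried; goes in the Subject.
my $action = '';

# Answer the attacker first, so the HTTP response is not held up by the
# probes below.
if ($fakephf ne "NONE") {
    FakePHF();
}

#
# Initialize the mail message to $SECUREADDRESS.
#
open(my $mail, "|$mailprog $SECUREADDRESS") or die "Can't open $mailprog!\n";
# Only the validated forms go into a header line; the raw values are
# reported in the body where a stray control character cannot do anything.
my $who = $safe_host || $safe_addr || 'unknown';
print $mail "To: $SECUREADDRESS\n";
print $mail "From: $SECUREADDRESS\n";
print $mail "Subject: $who phf access $action\n\n";
print $mail "\n";
print $mail "------------------------------------------------------------\n";

#
# Send basic information.
#
print $mail "Remote host: $remote_host\n";
print $mail "Remote IP address: $remote_addr\n";
print $mail "Query String: $query\n";
print $mail "Action Type: $action\n";

#
# Try to finger the host so we can get a list of users on the machine
# doing the probe.
#
if ($finger ne "NONE") {
    print $mail "Finger info: \n";
    if ($safe_addr eq '') {
        print $mail "no finger info (REMOTE_ADDR is not a dotted-quad address)\n";
    }
    elsif ($finger ne "") {
        # External (safe_)finger.  $finger is administrator config and
        # $safe_addr matched a dotted quad, so nothing here can break out
        # of the command line.
        my $fingerinfo = `$finger \@$safe_addr`;
        print $mail "$fingerinfo\n";
    }
    else {
        # Builtin finger: an empty request line (RFC 1288) asks fingerd for
        # the list of logged-in users, which is what "finger @host" sends.
        my ($reply, $err) = tcp_probe($safe_addr, 79, "\r\n", 4098);
        my $text = defined $reply ? "$reply\n" : "no finger info ($err)";
        print $mail $text;
    }
}

#
# Now check whether the probing system answers ident.  This takes a
# little time, bounded by $probe_timeout.
#
if ($ident ne "NONE") {
    print $mail "Ident: \n";
    my $remport = ($safe_addr ne '') ? find_remote_port($safe_host) : undef;
    if (!defined $remport) {
        print $mail "no ident info (connection not found in netstat)\n";
    }
    else {
        # RFC 1413 query is "<port on the identd host> , <port on our side>"
        # terminated by CRLF; the original sent a bare CR.
        my ($reply, $err) = tcp_probe($safe_addr, 113, "$remport , $web_port\r\n", 180);
        my $text = defined $reply ? "$reply\n" : "no ident info ($err)";
        print $mail $text;
    }
}

print $mail "\n------------------------------------------------------------\n";
close($mail) or warn "$mailprog exited with status $?\n";
exit 0;

# Pick the attacker's source port out of netstat: the line for a connection
# on $web_server.$web_port whose foreign end is $host.<port>.  Returns the
# port, or nothing when no such line exists (the original then handed the
# whole netstat output to identd as the query).  $host must already be
# validated: it reaches the shell via $grep and is interpolated into a regex.
sub find_remote_port {
    my ($host) = @_;
    return if $host eq '';
    my $local_re = quotemeta("$web_server.$web_port");
    my $host_re  = quotemeta($host);
    for my $line (split /\n/, `$netstat | $grep $host`) {
        return $1 if $line =~ /$local_re.*$host_re\.(\d+)/;
    }
    return;
}

# Connect to $addr:$port, send $request and collect up to $maxbytes of the
# reply.  Returns (reply, undef) on success and (undef, reason) on failure.
# The whole exchange is limited to $probe_timeout seconds.  $addr must be a
# validated dotted quad, so inet_aton() never performs a DNS lookup.
sub tcp_probe {
    my ($addr, $port, $request, $maxbytes) = @_;
    my $reply = '';
    my $ok = eval {
        local $SIG{ALRM} = sub { die "timed out after ${probe_timeout}s\n" };
        alarm($probe_timeout);
        socket(my $sock, PF_INET, SOCK_STREAM, scalar getprotobyname('tcp'))
            or die "Couldn't open socket $!\n";
        connect($sock, sockaddr_in($port, inet_aton($addr)))
            or die "connect: $!\n";
        # send() is (SOCKET, MSG, FLAGS); the original put length($msg) here.
        defined send($sock, $request, 0)
            or die "sending data: $!\n";
        # Read until the peer closes or the cap is reached; a reply may
        # arrive in more than one segment.
        while (length($reply) < $maxbytes) {
            my $n = sysread($sock, $reply, $maxbytes - length($reply), length($reply));
            defined $n or die "receiving data: $!\n";
            last if $n == 0;
        }
        close($sock);
        1;
    };
    my $err = $@;
    alarm(0);
    return ($reply, undef) if $ok;
    return (undef, $err);
}

# Pseudo-Phf - A not-quite-real phf replacement that provides a warning
# against attacks, as well as presenting false information to the attacker.
#
# Paul Danckaert (pauld@lemur.org)
#
# Extended with fake "id" and "uname" info.
#
# Writes the HTTP response for the attacker to STDOUT and sets $action to
# describe what was attempted.  Matches against the raw QUERY_STRING in
# $query, so the patterns accept both literal and %-encoded separators.
# The "uname" branch calls ShowBadUname(), which the header above announces
# but which was never wired in.
sub FakePHF {
    print "Content-type: text/html\n\n";
    $action = "Submitted Form";

    if ($query =~ /cat.*(\/|%2f)passwd/i) {
        ShowBadPass();
        $action = "Attempted Password Grab";
    }
    if ($query =~ /whoami/i) {
        print "root\n";
        $action = "Attempted WHOAMI Command";
    }
    if ($query =~ /(\/|%2f|%0a)id/i) {
        print "uid=0(root) gid=0(sys)\n";
        $action = "Attempted ID Command";
    }
    if ($query =~ /uname/i) {
        ShowBadUname();
        $action = "Attempted UNAME Command";
    }
    if ($query =~ /xterm/i) {
        print "Command not found.\n";
        $action = "Attempted XTERM Command";
    }

    #
    # Print the error message to the user's request.
    #
    print <<"EOF";

Query Results

/usr/local/bin/ph - Command not found


EOF
    return;
}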

# The real phf form.  Not called from the main script; kept so the CGI can
# present it if wanted.  (This copy carries only the form's visible text.)
sub ShowForm {
    print <<'EOF';
Form for CSO PH query

Form for CSO PH query

This form will send a PH query to the specified ph server.


PH Server:

At least one of these fields must be specified:

  • Alias
  • Name
  • E-mail Address
  • Nickname
  • Office Phone Number
  • HAM Callsign
  • Proxy
  • High School
  • SLIP Address

Show additional fields to narrow query

Return more than default fields


Questions, comments to: Jim Browne
EOF
    return;
}

# Fake output of "id": tells the attacker the server runs as root.
sub ShowBadId {
    print 'uid=0(root) gid=0(wheel)', "\n";
    return;
}

# Fake output of "uname -a" for a made-up FreeBSD box.
sub ShowBadUname {
    print 'FreeBSD ns.mysite.org 2.1.0-RELEASE FreeBSD 2.1.0-RELEASE #0: Sun May 26 22:17:58 MET DST 1996 root@ns.mysite.org:/usr/src/sys/compile/VALERIAN i386', "\n";
    return;
}

# Fake /etc/passwd handed to anyone who tries "cat /etc/passwd".  The two
# populated hash fields are bait, not real credentials.
sub ShowBadPass {
    print <<'EOF';
root:9IDv/CqdFuqWo:0:0:Super User:/:/bin/csh
sysadm:*:0:0:System V Administration:/usr/admin:/bin/sh
diag:*:0:996:Hardware Diagnostics:/usr/diags:/bin/csh
daemon:*:1:1:daemons:/:/dev/null
bin:*:2:2:System Tools Owner:/bin:/dev/null
uucp:*:3:5:UUCP Owner:/usr/lib/uucp:/bin/csh
fax:*:3:10:Fax:/var/spool/fax:/bin/sh
sys:*:4:0:System Activity Owner:/var/adm:/bin/sh
adm:*:5:3:Accounting Files Owner:/var/adm:/bin/sh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
nuucp::10:10:Remote UUCP User:/var/spool/uucppublic:/usr/lib/uucp/uucico
auditor:*:11:0:Audit Activity Owner:/auditor:/bin/sh
dbadmin:*:12:0:Security Database Owner:/dbadmin:/bin/sh
rfindd:*:66:1:Rfind Daemon and Fsdump:/var/rfindd:/bin/sh
EZsetup:*:992:998:System Setup:/usr/Cadmin:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
tutor::994:997:Tutorial User:/usr/tutor:/bin/csh
OutOfBox::995:997:Out of Box Experience:/usr/people/tour:/bin/csh
guest::998:998:Guest Account:/usr/adm/guest:/bin/csh
4Dgifts::999:998:4Dgifts Account:/usr/people/4Dgifts:/bin/csh
nobody:*:60001:60001:Nobody:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null
www:*:20:10:The Web Slinger:/web/www:/bin/csh
webadmin:ecKu77KmsNALs:0:0:Sysadmin web account:/:/bin/sh
testact::1000:10:Test Account:/:/bin/sh
ftp:*:60001:60001:FTP ACCOUNT:/ftp:/dev/null
EOF
    return;
}