
                     The hhp presents...

                 The hhp-pine remote exploit.
                           6/22/99
             By: elaich aka LoopHole of the hhp.
             Probs/Bugs/Etc. -> hhp@hhp.hemp.net
                     (Email if hiring.)
#---------------------------------------------------------#

           Versions affected: ALL to Current 4.10

            This package contains the following...
            1) psite.sh      (Script  #1.)
            2) Infect.c      (Program #2.)
            3) cleanup.c     (Clean-up script.)


  This exploit was made about 4 months ago and I almost
totally forgot about it until recently.  Now let's think
back about 4 months ago when a few posts to bugtraq were
sent about a charset=``commands...`` bug.  The problem
wasn't too big because a lot of characters could not be used
in attacking this problem.  The main chars that would be
needed to do some harmful damage are ; : > < / @ " ` ' \ =
% - and |, which are all not allowed besides | and -, which
can't be used in any way without the others.  There's no
way to possibly echo to a file, send an xterm, or rm a
system without / and >.  So "pfft" you said and got along
with your admining.  This exploit will show you how to run
remote commands and exploit the system all with only the |
and - characters.  Now you say "how is that possible?".
Well, it's called uudecode, which decodes a uuencoded file
and sets the mode defined on the top line of the .uue file
when it's decoded.  So now we know how to do the file part,
but then you say "But how do we get the file on the remote
server for Christ's sake?".  That's easy too, all with the
help of lynx on the target server.  All you do is go get a
domain like www.blah.com which CANNOT be a user directory
like www.blah.com/user because we can't use the / character
in the charset.  So it HAS to be a www.blah.com or
whatever.  Then this is where you have to follow what I'm
saying really closely.  We are going to uuencode psite.sh
and name the uuencoded file '...' (three dots), which will
be the index.html of your domain.  This is how you do this:
[root@hhp]# uuencode psite.sh ... > index.html
Then you need to edit the index.html and change the top
line to make sure the mode is 777 (default is usually like
644 or 655 (it varies)).  Then save the index.html and
then go look at your website and make sure it is coming
up in your browser.
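The whole trick above rests on the charset= parameter of a Content-Type header reaching a shell, and on | and - surviving the filter. From the defender's side the same fact gives a cheap check: a real charset name only ever uses letters, digits and . _ : - so any charset value carrying |, whitespace or quotes in a mail spool is worth flagging before pine opens it. The scanner below is an added example for admins, not part of the hhp package; it assumes a standard mbox file and uses two constructed messages embedded inline.

```python
import re
from typing import List, Optional, Tuple

# Registered charset names (RFC 2978) use only letters, digits and . _ : - ;
# a value containing '|', whitespace or quotes can never be a real charset.
CHARSET_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:-]*$")
CHARSET_PARAM = re.compile(r'charset\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)

def unfold_headers(raw_message: str) -> List[str]:
    """Return the header block of one message as unfolded logical lines."""
    lines: List[str] = []
    for line in raw_message.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and lines:  # RFC 822 folded continuation
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def find_charset(raw_message: str) -> Optional[str]:
    """Extract the raw charset parameter of the Content-Type header, if any."""
    for line in unfold_headers(raw_message):
        if line.lower().startswith("content-type:"):
            m = CHARSET_PARAM.search(line)
            if m:
                return m.group(1) if m.group(1) is not None else m.group(2)
    return None

def scan_mbox(mbox_text: str) -> List[Tuple[int, str]]:
    """Return (message index, raw charset) for messages with an impossible charset."""
    hits: List[Tuple[int, str]] = []
    messages = [m for m in re.split(r"(?m)^From ", mbox_text) if m.strip()]
    for index, msg in enumerate(messages):
        charset = find_charset(msg)
        if charset is not None and CHARSET_NAME.match(charset) is None:
            hits.append((index, charset))
    return hits

# Constructed sample mbox: the second message folds its Content-Type header and
# carries a charset value with '|' and spaces, the kind pine 4.10 and earlier pass on.
SAMPLE_MBOX = """From alice@example.org Tue Jun 22 12:00:00 1999
Content-Type: text/plain; charset="iso-8859-1"

hello

From mallory@example.org Tue Jun 22 12:01:00 1999
Content-Type: text/plain;
\tcharset="us-ascii | placeholder-command"

body
"""
```

Run scan_mbox over the real spool (the path of the user mail mentioned later) rather than the sample; a non-empty result means the message should be quarantined before anyone reads it in pine.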

  A suggestion is to go to www.freeservers.com and register
a free domain.  Then uuencode the file, then change the
mode to 777, and THEN, since they automatically add that
banner to your website, add <PRE> to the top of the
uuencoded file and </PRE> to the bottom and it will still
work with that banner there.

The next step is to compile Infect.c like...
[root@hhp]# gcc Infect.c -o Infect

  The only weird thing about this is when root or a
non-root user reads the email it will scroll the screen
with errors as if the contents of the script are not
working.  But it seriously did work; you can test it out
yourself.  A good feature the exploit has is that after
the email is read, it will delete the evil charset from
the email, so if they decide to read it again (as most
people would) it won't re-infect the server.

  Remember, this can be used on non-root users too.  What
it does is log them out of their shell, making them
relogin, at which point we grab their login/passwd and
it emails them to you at the address defined in psite.sh.

  NOTE: They have to be running pine AND lynx.  If anyone
can think of a way without lynx (I doubt it), I would be
interested to hear it.  We've already thought about
putting the uuencoded file in a finger plan, but we can't
use the '@' character.

  Almost all operating systems are vulnerable if they run
pine and lynx.  You can change some of the scripting in
script #1 for that particular OS, like the killall
command and the path of the user mail.  Tested on BSD,
Linux, IRIX, AIX, SCO and SunOS.

  Pine patches were  made, but a new version has not been
released.  I suggest you get the patch if you are running
any version of pine.

-elaich

-----------------------------------------
elaich of the hhp.            hhp-1999(c)
Email:  hhp@hhp.hemp.net
Web:    http://hhp.hemp.net/
Phone:  713-451-6972
hhp-ms: hhp.hemp.net, port:7777, pass:hhp
-----------------------------------------

