Sorted alphabetically by name
- arnudp.c
- Source code demonstrates how to send a single UDP packet with the source/destination address/port set to arbitrary values.
- block.c
- Prevents a user from logging in by monitoring utmp and closing down his tty port as soon as it appears in the system.
- esniff.c
- Source for a basic ethernet sniffer. Originally came from an article in Phrack, I think.
- hide.c
- Code to exploit a world-writeable /etc/utmp and allow the user to modify it interactively.
- identd.c
- A modified identd that tests for the queue-file bug which is present in Sendmail versions earlier than 8.6.10 and possibly some versions of 5.x.
- listhosts.c
- Requests a DNS name server to do a zone transfer and list the hosts it knows about.
- mnt
- This program demonstrates how to exploit a security hole in the HP-UX 9 rpc.mountd program. Essentially, it shows how to steal NFS file handles which will allow access from clients which do not normally have privileges.
- NFS-Bug
- Demonstrates a bug in NFS which allows non-clients to access any NFS served partition. AIX & HPUX patches included.
- NFS Shell
- A shell which will access NFS disks. Very useful if you have located an insecure NFS server.
- RootKit
- A suite of programs like ps, ls, & du which have been modified to prevent display of certain files & processes in order to hide an intruder. Modified Berkeley source code.
- rpc_chk.sh
- Bourne shell script to get a list of hosts from a DNS nameserver for a given domain and return a list of hosts running rexd or ypserve.
- seq_number.c
- Code to exploit the TCP Sequence Number Generator bug. A brief but clear explanation of the bug can be found in Steve Bellovin's sequence number comment. Note that this code won't compile as-is because it is missing a library that does some of the low-level work. This is how the source was released by Mike Neuman, the author.
- Socket Demon v1.3
- Daemon to sit on a specified IP port and provide passworded shell access.
- Solaris Sniffer
- A version of E-Sniff modified for Solaris 2.
- telnetd Exploit
- This tarfile contains source code to the getpass() and openlog() library routines which /bin/login can be made to link at runtime due to a feature of telnetd's environment variable passing. Root anyone? The fix is to make sure your /bin/login is statically linked.
- ttysurf.c
- A simple program to camp out on the /dev/tty of your choice and capture logins & passwords when users log into that tty.
- xcrowbar.c
- Source code demonstrates how to get a pointer to an X Display Screen, allowing access to a display even after "xhost -" has disabled access. Note that access must be present to read the pointer in the first place! (Originally posted to USENET's comp.unix.security.)
- xghostwriter-1.0b
- xghostwriter takes a string, or message, and ensures that this string is "typed" from the keyboard, no matter what keys are actually pressed. Useful for injecting keypress commands into an X session. More info from the author is here in his USENET post.
- xkey.c
- Attach to any X server you have perms to and watch the user's keyboard.
- xspy-1.0c
- xspy is mostly useful for spying on people; it was written on a challenge, to trick X into giving up passwords from the xdm login window or xterm secure-mode. More info from the author is here in his USENET post.
- xwatchwin
- If you have access permission to a host's X server, XWatchWin will connect via a network socket and display the window on your X server.
- YPX
- YP/NIS is a horrible example of "security through obscurity." YPX attempts to guess NIS domain names, which is all that's needed to extract passwd maps from the NIS server. If you already know the domain name, ypx will extract the maps directly, without configuring a host to live in the target NIS domain. (GZip'd Bourne Shell Archive)
- ypsnarf.c
- Exercise security holes in YP / NIS.