📄 sebeksniff.c

📁 一款经典的lkm后门
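//--------------------------------------------------------------------
//----- $Header: /home/cvsroot/sebek/sniff/sebeksniff.c,v 1.7 2002/09/08 22:48:57 cvs Exp $
//--------------------------------------------------------------------
/*
 * Copyright (C) 2001/2002 The Honeynet Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by The Honeynet Project.
 * 4. The name "The Honeynet Project" may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * sebeksniff: honeynet-side collector for Sebek records.
 *
 * Captures frames on one device, picks out IPv4/UDP datagrams whose
 * source+destination ports sum to the magic number (or whose destination
 * port is the static port), decrypts the payload with Blowfish CFB64
 * under a key derived as MD5(passphrase), and appends the record to a
 * file named after the 32-bit ID at the start of the decrypted data.
 *
 * Every byte of every frame is untrusted network input: all offset and
 * length arithmetic is checked against caplen and sizeof buff before the
 * packet is dereferenced or the payload is decrypted.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef FREEBSD
#include <pcap.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <sys/socket.h>
#include <netinet/if_ether.h>
#else
#include <pcap/pcap.h>
#include <arpa/inet.h>
#include <netinet/ether.h>
#endif
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>
#include <openssl/md5.h>
#include <openssl/blowfish.h>

/* Per-protocol dump switches; only udpdump is ever turned on by main(). */
char ethdump, ipdump, tcpdump, udpdump, icmpdump, arpdump;
/* Fixed header sizes taken from the struct definitions in main(). */
char ethlen, iplen, tcplen, udplen, icmplen, arplen;
/* Handle on "logfile" (see -S); nothing writes to it at present. */
FILE *f;
/* Blowfish key schedule derived from the -s passphrase. */
BF_KEY key;

//----- need to check for better setting but, buff was too small and dropped
//----- pkts
u_char buff[24000];           /* decrypted record; size-checked before use */
u_char digest[16];            /* MD5(passphrase): the Blowfish key material */
u_char sched[8];              /* CFB64 IV, reset to zero for every datagram */
int static_port = 0;          /* -p; 0 means "not set" */
int syslog=0;                 /* -S */
int sebek=0;                  /* -s given: record extraction enabled */
int magic = 7777;             /* -m; expected spt + dpt of a Sebek datagram */

void handler (u_char *, const struct pcap_pkthdr *, const u_char *);
void help (void);

/*
 * Parse options, open the capture device, derive the key and hand
 * control to pcap_loop().
 *
 * Returns 0 only if pcap_loop() ends without error; exits non-zero on
 * an unusable passphrase, capture-open failure or capture error.
 */
int main(int argc, char **argv)
{
	int buffsize = 65535;     /* snaplen: may exceed sizeof buff, see handler */
	int promisc = 1;
	int timeout = 1000;
	char pcap_err[PCAP_ERRBUF_SIZE];
	int c;
	char *dev="eth0";
	pcap_t *pcap_nic;
	/* Zero-filled so that with no -s the key derivation below sees the
	 * empty string instead of an uninitialised buffer. */
	char pass[70] = {0};
	char *lfile="logfile";

	ethdump = 0;
	ipdump = 0;
	icmpdump = 0;
	tcpdump = 0;
	udpdump = 0;
	arpdump = 0;

	ethlen = sizeof(struct ether_header);
#ifdef FREEBSD
	iplen = sizeof(struct ip);
	icmplen = sizeof(struct icmp);
#else
	iplen = sizeof(struct iphdr);
	icmplen = sizeof(struct icmphdr);
#endif
	tcplen = sizeof(struct tcphdr);
	udplen = sizeof(struct udphdr);
	arplen = sizeof(struct ether_arp);

	/* getopt() signals the end of options with -1 (EOF happens to equal
	 * it, but c must be an int for the comparison to be reliable). */
	while ((c = getopt(argc,argv,"Shd:p:s:m:")) != -1) {
		switch(c){
		case 'd':
			dev = optarg;
			break;
		case 'p':
			static_port = atoi(optarg);
			break;
		case 'h':
			help();
			break;
		case 'S':
			syslog = 1;
			break;
		case 'm':
			magic = atoi(optarg);
			break;
		case 's':
			/* Reject rather than truncate: the original strncpy()
			 * silently cut the key at 64 bytes (and left it
			 * unterminated), so a long key derived a different
			 * Blowfish key than the one the sender used.  Note the
			 * key is visible in the process list while running. */
			if (strlen(optarg) < 4 || strlen(optarg) >= sizeof pass) {
				printf("Invalid symmetric key\n");
				return 1;
			}
			memcpy(pass, optarg, strlen(optarg) + 1);
			sebek = 1;
			break;
		default:
			/* unknown option: usage and exit */
			help();
			break;
		}
	}

	udpdump = 1;

	if ((pcap_nic = pcap_open_live(dev, buffsize, promisc, timeout, pcap_err)) == NULL) {
		/* pcap_err is a full message, not a prefix for strerror(errno) */
		fprintf(stderr, "%s\n", pcap_err);
		exit(-1);
	}

	f = fopen(lfile,"a");
	if (f == NULL) {
		perror(lfile);
		pcap_close(pcap_nic);
		exit(-1);
	}

	if(static_port == 0){
		printf("Device: %s\nMagic: %i\n",dev,magic);
	} else {
		printf("Device: %s\nPort: %i\n",dev,static_port);
	}
	if(sebek){
		/* The passphrase itself is deliberately not echoed: stdout
		 * usually ends up in terminal scrollback or a log file. */
		printf("Sebek monitoring enabled\n");
	}
	if(syslog){
		printf("Syslog grab enabled\n");
	}

	/* Key derivation is fixed by the Sebek sender: Blowfish key =
	 * MD5(passphrase).  Without -s this derives a key from "" and the
	 * handler never decrypts anyway (sebek == 0). */
	MD5((const unsigned char *)pass, strlen(pass), digest);
	BF_set_key(&key, sizeof(digest), digest);

	/* cnt == -1: run until error or pcap_breakloop().  The original
	 * re-entered pcap_loop() forever on failure, spinning on a dead
	 * capture handle. */
	if (pcap_loop(pcap_nic, -1, handler, NULL) == -1) {
		fprintf(stderr, "pcap_loop: %s\n", pcap_geterr(pcap_nic));
		pcap_close(pcap_nic);
		return 1;
	}
	pcap_close(pcap_nic);
	return 0;
}

/*
 * pcap callback, one captured frame per call.
 *
 * usr    - unused (NULL is passed from main()).
 * header - capture metadata; caplen bounds every read of pkt.
 * pkt    - the frame, starting at the Ethernet header.
 *
 * Only IPv4/UDP frames are examined.  When Sebek monitoring is on and
 * the ports match, the UDP payload is decrypted into buff[] and, if the
 * leading 32-bit ID is non-zero, appended to a file in the current
 * directory named after that ID rendered as a dotted quad.  Because the
 * ID comes from the datagram, the sender chooses which of those files is
 * written; inet_ntoa() output contains only digits and dots, so it cannot
 * name a path outside the working directory.
 *
 * -S (syslog grab): port 514 datagrams were once written out here; that
 * code was removed upstream and they are currently not logged.
 */
void handler (u_char *usr, const struct pcap_pkthdr *header, const u_char *pkt)
{
	const struct ether_header *ethheader;
#ifdef FREEBSD
	const struct ip *ipheader;
#else
	const struct iphdr *ipheader;
#endif
	const struct udphdr *udpheader;
	const u_char *payload;
	size_t ipl, hdrs, size, udp_total;
	int spt, dpt;
	int num = 0;
	u_int32_t id;
	struct in_addr address;
	FILE *out;

	(void)usr;

	/* Need Ethernet + minimal IP header before reading either. */
	if (header->caplen < (size_t)ethlen + (size_t)iplen)
		return;

	ethheader = (const struct ether_header *) pkt;
	/* Compare in host order; the original tested the raw field against
	 * 0x0008, which equals htons(ETHERTYPE_IP) only on little-endian hosts. */
	if (ntohs(ethheader->ether_type) != ETHERTYPE_IP)
		return;

#ifdef FREEBSD
	ipheader = (const struct ip *) (pkt + ethlen);
	if (!udpdump || ipheader->ip_p != IPPROTO_UDP)
		return;
	ipl = (size_t)ipheader->ip_hl * 4;
#else
	ipheader = (const struct iphdr *) (pkt + ethlen);
	if (!udpdump || ipheader->protocol != IPPROTO_UDP)
		return;
	ipl = (size_t)ipheader->ihl * 4;
#endif
	/* Honour the IHL field: the original assumed a fixed-size IP header
	 * and read the UDP ports from the wrong offset when options were
	 * present.  An IHL below the minimum header is malformed. */
	if (ipl < (size_t)iplen)
		return;
	hdrs = (size_t)ethlen + ipl + (size_t)udplen;
	if (header->caplen < hdrs)
		return;

	udpheader = (const struct udphdr *) (pkt + ethlen + ipl);
#ifdef FREEBSD
	spt = ntohs(udpheader->uh_sport);
	dpt = ntohs(udpheader->uh_dport);
	udp_total = ntohs(udpheader->uh_ulen);
#else
	spt = ntohs(udpheader->source);
	dpt = ntohs(udpheader->dest);
	udp_total = ntohs(udpheader->len);
#endif

	if (!sebek)
		return;
	/* static_port == 0 means "unset"; without that test a datagram to
	 * UDP port 0 matched the default configuration. */
	if ((spt + dpt) != magic && !(static_port != 0 && dpt == static_port))
		return;

	/* Record length is what was captured after the headers, capped by
	 * the UDP length field so Ethernet trailer padding is not decrypted
	 * as record data.  A UDP length shorter than its own header is
	 * malformed. */
	if (udp_total < (size_t)udplen)
		return;
	size = header->caplen - hdrs;
	if (size > udp_total - (size_t)udplen)
		size = udp_total - (size_t)udplen;
	/* The snaplen (65535) is larger than buff (24000): the original
	 * decrypted caplen-derived lengths straight into buff and overflowed
	 * it on large frames.  Drop rather than truncate, since a truncated
	 * decrypt would be written out as if it were a complete record. */
	if (size > sizeof buff) {
		fprintf(stderr, "drop: %zu byte record exceeds %zu byte buffer\n",
			size, sizeof buff);
		return;
	}
	/* Without a full ID there is nothing to name the output file after. */
	if (size < sizeof(id))
		return;
	payload = pkt + hdrs;

	/* Wire format: Blowfish CFB64, IV all zero, fresh state per datagram. */
	memset(sched, 0, sizeof(sched));
	BF_cfb64_encrypt(payload, buff, (long)size, &key, sched, &num, BF_DECRYPT);

	//----- get the ID, and use that for the filename
	//----- surely opening and closing the file for each pkt
	//----- isnt the most efficient idea.
	memcpy(&id, buff, sizeof(id));
	if (id == 0x00000000)
		return;

	address.s_addr = ntohl(id);
	out = fopen(inet_ntoa(address), "a");
	if (out == NULL) {
		perror(inet_ntoa(address));
		return;
	}
	printf("write %s:  %u bytes\n", inet_ntoa(address),
	       (unsigned)(size - sizeof(id)));
	if (fwrite(buff + sizeof(id), 1, size - sizeof(id), out) != size - sizeof(id))
		perror("fwrite");
	/* fclose() flushes; its result is the only indication of a failed write. */
	if (fclose(out) != 0)
		perror("fclose");
}

/* Print usage and exit successfully. */
void help(void)
{
	printf("Sebek Sniffer\n");
	printf("  -d <device>\n");
	printf("  -S log syslog packets\n");
	printf("  -p <dest port to look for>\n");
	printf("  -m  <MAGIC number>\n");
	printf("  -s <symmetric key> enable sebek monitoring\n");
	printf("  -h  This screen\n");
	exit(0);
}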
