A UNIX clone of Netbuster for Windows 95. Logs people attempting to exploit netbus.
f60304cfec35d240ae580a0dd59966537e8e458a2a352f8d04096e4b99c6f9d3
/*
[ http://www.rootshell.com/ ]
======================================================
Netbus Daemon 0.1 by BigDawg.
I know the code is messy but hey, I wrote it in
less than a day. Why you might ask? Well its
simple really. I wanted to see who was trying
to scan me for netbus. And I don't run windows.
So i can't use netbuster. So I wrote my own
program to do what it does. This program is
released under the GNU license agreement. By all
means please distribute it. If ya modify it send
me the modifications. dawg@services.afternet.org
If ya have any suggestions send them too. From
what I can see this will compile on any version
of unix/linux. Enjoy
Please if you would email me and tell me what
you think of this program.
-BigDawg/`Scooby (John C. Hennessy)
Thanks to: DarkLight for helping to test this
========================= TODO ======================
Convert strtok()'s to strsep(); Better tolerance
for 'empty' fields
Add timer to disconnect people after 60 seconds idle
Add more logging for commands
=====================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/signal.h>
#include <sys/fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <pwd.h>
#include <time.h>
#include <syslog.h>
#include <stdarg.h>
/* Idle timeout in seconds. Not referenced by any function in this file; the
   TODO list in the header still names the idle-disconnect timer as open work. */
#define netbustimeout 60
/* Not referenced by any function in this file -- purpose unclear, TODO confirm. */
#define longtime 3000
/* TCP port the decoy binds in init_serv(). 12345 is the default NetBus port. */
#define waitport 12345
/* Size of the global request buffer `line`; readln() stores at most MAXLEN-1
   bytes of a request and then NUL-terminates it. */
#define MAXLEN 524
/* Size of the stack buffer send_to_idiot() formats a reply into. */
#define MAXBUF 500
/* Define this if you want anything that cannot be parsed put in the syslog. (NOT RECOMMENDED) */
/* NOTE(review): the preprocessor is case-sensitive, so only a guard spelled
   exactly `DEBUG` is controlled by this line. Unparsed input is text chosen by
   the remote client; logging it shows commands the decoy does not know, but it
   also lets any client write up to MAXLEN-1 bytes per request into syslog. */
#define DEBUG
/* Current request, filled by readln() and tokenised in place by processline(). */
char line[MAXLEN];
/* Name or dotted-quad of the connected peer, set by init_serv() from the return
   value of longaddy(); it points into longaddy()'s static storage. */
char *addy;
/* Not referenced by the functions in this file -- TODO confirm it can be dropped. */
char *data;
/* Connected client socket, set by init_serv(), used by readln() and writeln(). */
int sockfd;
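/*
 * Turn an IPv4 address into a printable peer label for the log.
 *
 * ip:      the address as stored in sockaddr_in.sin_addr.s_addr (network byte
 *          order), widened to unsigned long by the caller.
 * returns: the reverse-DNS name when gethostbyaddr() finds one, otherwise the
 *          dotted-quad form. Both live in static storage that the next call
 *          overwrites, so the function is not reentrant.
 *
 * The name comes from the reverse zone of the connecting address, i.e. from
 * whoever controls that zone, and it is not forward-confirmed here. Treat it
 * as untrusted text: it is copied with a hard bound and must only ever be
 * passed to syslog() as a "%s" argument, never as the format.
 */
char *longaddy(unsigned long ip)
{
    /* 255 bytes is the longest DNS name; the old 139-byte buffer was filled
       with an unbounded strcpy(). */
    static char h[256];
    /* "255.255.255.255" needs 16 bytes with its terminator; the old buffer
       had 15, so the worst case wrote one byte past the end. */
    static char i[INET_ADDRSTRLEN];
    struct in_addr in;
    const unsigned char *p;
    struct hostent *hp;

    /* Work on a 4-byte in_addr rather than the unsigned long: on LP64 systems
       sizeof(unsigned long) is 8, which is not a valid AF_INET address length
       for gethostbyaddr() and makes the byte view endian-dependent. */
    in.s_addr = (in_addr_t)ip;
    p = (const unsigned char *)&in.s_addr;
    snprintf(i, sizeof(i), "%u.%u.%u.%u", p[0], p[1], p[2], p[3]);

    hp = gethostbyaddr((const char *)&in, sizeof(in), AF_INET);
    if (hp == NULL || hp->h_name == NULL)
        return i;

    /* Bounded copy; snprintf() always NUL-terminates and truncates if needed. */
    snprintf(h, sizeof(h), "%s", hp->h_name);
    return h;
}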
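/*
 * Cut a string at its first line terminator.
 *
 * string:  NUL-terminated, writable buffer; may be NULL. The callers pass
 *          strtok() results, which are NULL whenever the client left a field
 *          out, so NULL is accepted and ignored instead of being dereferenced.
 * returns: always 0 (the function was declared int but returned nothing).
 */
int strip_newline(char *string)
{
    if (string == NULL)
        return 0;

    /* Same result as truncating at the first '\n' and then at the first
       '\r': the string ends at whichever of the two comes first. */
    string[strcspn(string, "\r\n")] = '\0';
    return 0;
}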
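/*
 * Open the decoy listener on `waitport`, block until one client connects,
 * record who it is and hand the connection to the rest of the program.
 *
 * Side effects: sets the globals `addy` (peer label from longaddy()) and
 * `sockfd` (connected socket), writes to syslog, and closes the listening
 * socket again, so the daemon serves exactly one client at a time and later
 * connection attempts are refused (and therefore not logged) until the
 * current client disconnects.
 * returns: 0 once a client is connected. Terminates the process, after
 * logging the reason, if the listener cannot be set up.
 */
int init_serv()
{
    int listener, client;
    int reuse_addr = 1;
    socklen_t sinlen;               /* accept() takes socklen_t *, not int * */
    struct sockaddr_in saddr;

    listener = socket(AF_INET, SOCK_STREAM, 0);
    if (listener < 0) {
        syslog(LOG_ERR, "socket() failed: %s", strerror(errno));
        exit(EXIT_FAILURE);
    }
    setsockopt(listener, SOL_SOCKET, SO_REUSEADDR, &reuse_addr, sizeof(reuse_addr));

    memset(&saddr, 0, sizeof(saddr));
    saddr.sin_family = AF_INET;
    saddr.sin_addr.s_addr = htonl(INADDR_ANY);
    saddr.sin_port = htons(waitport);

    /* A decoy that dies without a trace looks the same as one that sees no
       traffic, so say why before giving up (this used to be a bare exit(0)). */
    if (bind(listener, (struct sockaddr *)&saddr, sizeof(saddr)) < 0) {
        syslog(LOG_ERR, "bind() to port %d failed: %s", waitport, strerror(errno));
        exit(EXIT_FAILURE);
    }
    if (listen(listener, 1) < 0) {
        syslog(LOG_ERR, "listen() failed: %s", strerror(errno));
        exit(EXIT_FAILURE);
    }

    /* Retry the transient failures; a negative descriptor must never reach
       readln()/writeln(). */
    do {
        sinlen = sizeof(saddr);
        client = accept(listener, (struct sockaddr *)&saddr, &sinlen);
    } while (client < 0 && (errno == EINTR || errno == ECONNABORTED));
    if (client < 0) {
        syslog(LOG_ERR, "accept() failed: %s", strerror(errno));
        exit(EXIT_FAILURE);
    }

    addy = longaddy(saddr.sin_addr.s_addr);
    syslog(LOG_NOTICE, "Connect from [%s]", addy);
    /* longaddy() prefers the reverse-DNS name, which the owner of the peer's
       reverse zone chooses freely. Record the numeric address and source port
       as well, so the log entry can be tied to the real peer. */
    syslog(LOG_NOTICE, "[%s] peer address %s port %u", addy,
           inet_ntoa(saddr.sin_addr), (unsigned)ntohs(saddr.sin_port));

    close(listener);
    sockfd = client;
    return 0;
}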
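/*
 * Format a reply printf-style and send it to the connected client.
 *
 * format:  printf format string. It must be a constant chosen by the program;
 *          text received from the client may only ever appear as an argument.
 * returns: whatever writeln() returns for the formatted text, or 0 if the
 *          text could not be formatted.
 *
 * Output longer than MAXBUF-1 bytes is truncated; the previous vsprintf()
 * would have written past the end of the stack buffer instead.
 */
int send_to_idiot(char *format, ...)
{
    int writeln(char *buffer);      /* defined further down in this file */
    va_list arglist;
    char buffer[MAXBUF];
    int n;

    va_start(arglist, format);
    n = vsnprintf(buffer, sizeof(buffer), format, arglist);
    va_end(arglist);
    if (n < 0)
        return 0;

    return writeln(buffer);
}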
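/*
 * Read one '\r'-terminated request from the client into the global `line`.
 *
 * Only printable ASCII (32..126) is stored, at most MAXLEN-1 bytes; anything
 * beyond that is read and discarded, and the terminator itself is not stored.
 * The old test `ch >= 32 || ch <= 126` was true for every byte, so control
 * characters chosen by the client ended up in `line` and from there in the
 * syslog entries built by processline().
 *
 * When the connection is lost the event is logged, a new client is awaited
 * through init_serv(), the banner is sent again and reading starts over with
 * an empty buffer. This used to recurse into datawatch(), which never returns,
 * so every disconnect left another set of stack frames behind.
 *
 * returns: always 0.
 */
int readln()
{
    char ch;
    int i = 0;

    for (;;) {
        if (read(sockfd, &ch, 1) < 1) {
            syslog(LOG_NOTICE,"Connection lost to [%s]\n",addy);
            close(sockfd);
            init_serv();
            send_to_idiot("NetBus 1.70\r");
            i = 0;                  /* drop the partial request of the old peer */
            continue;
        }
        if (ch == '\r')
            break;
        if (ch >= 32 && ch <= 126 && i < MAXLEN - 1)
            line[i++] = ch;
    }
    line[i] = '\0';
    return 0;
}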
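/*
 * Send a NUL-terminated string to the connected client.
 *
 * buffer:  text to send; the terminator is not transmitted.
 * returns: 1 when every byte was written, 0 on failure. (The original
 *          returned 0 on failure and fell off the end otherwise, so callers
 *          that used the result read an indeterminate value.)
 *
 * Short writes are continued until the whole string is out.
 * NOTE: write() on a socket the peer has already closed raises SIGPIPE, whose
 * default action terminates the process. The EPIPE error is only reported
 * here if the process ignores or blocks SIGPIPE.
 */
int writeln(char *buffer)
{
    const char *p = buffer;
    size_t left = strlen(buffer);

    while (left > 0) {
        ssize_t n = write(sockfd, p, left);

        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            return 0;
        p += n;
        left -= (size_t)n;
    }
    return 1;
}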
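/*
 * Main service loop: read one request, handle it, repeat. Never returns.
 *
 * This was written as a function that calls itself after every request. Each
 * request from the client then cost a stack frame that was never released, so
 * a client only had to keep sending lines to run the daemon out of stack and
 * take the decoy down. A plain loop keeps the stack depth constant.
 */
int datawatch()
{
    int processline();              /* defined further down in this file */

    for (;;) {
        readln();
        processline();
    }
}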
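/* Return tok, or an empty string when strtok() found no further field. */
static char *nb_field(char *tok)
{
    static char empty[1] = "";

    return tok != NULL ? tok : empty;
}

/*
 * Recognise the NetBus request held in the global `line`, log what the client
 * asked for and, for the information requests, send back a canned reply.
 *
 * `line` is unauthenticated data from the network. Any field may be missing,
 * in which case strtok() returns NULL; the original passed those NULLs to
 * strcmp()/strchr(), so a request such as a bare command name crashed the
 * daemon. Every field now goes through nb_field(), which maps a missing field
 * to "". Client text is only ever handed to syslog() as a "%s" argument.
 *
 * Commands are matched with strstr(), i.e. anywhere in the line, and the
 * first matching test wins.
 * NOTE(review): that also matches a command name inside another command's
 * arguments -- confirm whether matching on the first field only is wanted.
 *
 * returns: always 0. `line` is modified in place by strtok().
 */
int processline()
{
    char *keyon, *keys, *keyclick, *listen_flag, *eject, *msg, *app;
    char *lport, *bhost, *rport, *url, *image, *smouse, *kapp, *reboot;
    char *setacl, *rserver;

    if (strstr(line, "GetInfo") != NULL)
    {
        send_to_idiot("Info;Program Path: C:\\WINDOWS\\PATCH.EXE |Restart persistent: Yes |Login ID: John Hennessy |Clients connected to this host: 1\r");
        syslog(LOG_NOTICE,"[%s] Requested Info\n",addy);
        return 0;
    }
    if (strstr(line, "CaptureScreen") != NULL)
    {
        syslog(LOG_NOTICE,"[%s] Screen Capture\n",addy);
        return 0;
    }
    if (strstr(line, "DisableKeys") != NULL)
    {
        (void)strtok(line, ";");            /* skip the command name */
        keyon = nb_field(strtok(NULL, ";"));
        keys = nb_field(strtok(NULL, ";"));
        strip_newline(keys);
        if (strcmp(keyon, "0") == 0)
            syslog(LOG_NOTICE,"[%s] Enabled keys\n",addy);
        if (strcmp(keyon, "1") == 0)
            syslog(LOG_NOTICE,"[%s] Disabled keys [%s]\n",addy,keys);
        return 0;
    }
    if (strstr(line, "KeyClick") != NULL)
    {
        (void)strtok(line, ";");
        keyclick = nb_field(strtok(NULL, ";"));
        strip_newline(keyclick);
        if (strcmp(keyclick, "0") == 0)
            syslog(LOG_NOTICE,"[%s] Disabled keyclick\n",addy);
        if (strcmp(keyclick, "1") == 0)
            syslog(LOG_NOTICE,"[%s] Enabled keyclick\n",addy);
        return 0;
    }
    if (strstr(line, "GetSetup") != NULL)
    {
        send_to_idiot("SetupInfo;12345;0;;netbus@selo.org;selo@selo.org;presto.mailhosting.org\r");
        syslog(LOG_NOTICE,"[%s] Requested Settings\n",addy);
        return 0;
    }
    if (strstr(line, "Listen") != NULL)
    {
        (void)strtok(line, ";");
        listen_flag = nb_field(strtok(NULL, ";"));
        strip_newline(listen_flag);
        if (strcmp(listen_flag, "0") == 0)
            syslog(LOG_NOTICE,"[%s] Disabled Listening\n",addy);
        if (strcmp(listen_flag, "1") == 0)
            syslog(LOG_NOTICE,"[%s] Enabled Listening\n",addy);
        return 0;
    }
    if (strstr(line, "Eject") != NULL)
    {
        (void)strtok(line, ";");
        eject = nb_field(strtok(NULL, ";"));
        strip_newline(eject);
        if (strcmp(eject, "0") == 0)
            syslog(LOG_NOTICE,"[%s] Close CD-ROM\n",addy);
        if (strcmp(eject, "1") == 0)
            syslog(LOG_NOTICE,"[%s] Open CD-ROM\n",addy);
        return 0;
    }
    if (strstr(line, "Message") != NULL)
    {
        (void)strtok(line, ";");
        (void)strtok(NULL, ";");            /* second field is not logged */
        msg = nb_field(strtok(NULL, ";"));
        strip_newline(msg);
        syslog(LOG_NOTICE,"[%s] Message [%s]\n",addy,msg);
        return 0;
    }
    if (strstr(line, "StartApp") != NULL)
    {
        (void)strtok(line, ";");
        app = nb_field(strtok(NULL, ";"));
        strip_newline(app);
        syslog(LOG_NOTICE,"[%s] Start App [%s]\n",addy,app);
        return 0;
    }
    if (strstr(line, "PortRedir") != NULL)
    {
        strip_newline(line);
        (void)strtok(line, ";");
        lport = nb_field(strtok(NULL, ";"));
        bhost = nb_field(strtok(NULL, ";"));
        rport = nb_field(strtok(NULL, ";"));
        syslog(LOG_NOTICE,"[%s] Port Redirect [Listen port: %s Host: %s redir port: %s]\n",addy,lport,bhost,rport);
        return 0;
    }
    if (strstr(line, "URL") != NULL)
    {
        strip_newline(line);
        (void)strtok(line, ";");
        url = nb_field(strtok(NULL, ";"));
        syslog(LOG_NOTICE,"[%s] Goto URL [%s]\n",addy,url);
        return 0;
    }
    if (strstr(line, "ShowImage") != NULL)
    {
        strip_newline(line);
        (void)strtok(line, ";");
        image = strtok(NULL, ";");          /* NULL here means "remove image" */
        if (image != NULL)
            syslog(LOG_NOTICE,"[%s] Show Image [%s]\n",addy,image);
        else
            syslog(LOG_NOTICE,"[%s] Remove Image\n",addy);
        return 0;
    }
    if (strstr(line, "SwapButton") != NULL)
    {
        strip_newline(line);
        (void)strtok(line, ";");
        smouse = nb_field(strtok(NULL, ";"));
        if (strcmp(smouse, "0") == 0)
            syslog(LOG_NOTICE,"[%s] Swap mouse buttons off\n",addy);
        if (strcmp(smouse, "1") == 0)
            syslog(LOG_NOTICE,"[%s] Swap mouse buttons on\n",addy);
        return 0;
    }
    if (strstr(line, "GetApps") != NULL)
    {
        send_to_idiot("AppNames;bsdi - CRT (active)|NetBus 1.70, by cf|Win Amp playlist editor\r");
        syslog(LOG_NOTICE,"[%s] Get apps\n",addy);
        return 0;
    }
    if (strstr(line, "KillApp") != NULL)
    {
        strip_newline(line);
        (void)strtok(line, ";");
        kapp = nb_field(strtok(NULL, ";"));
        syslog(LOG_NOTICE,"[%s] Kill app [%s]\n",addy,kapp);
        return 0;
    }
    if (strstr(line, "FocusApp") != NULL)
    {
        strip_newline(line);
        (void)strtok(line, ";");
        kapp = nb_field(strtok(NULL, ";"));
        syslog(LOG_NOTICE,"[%s] Focus app [%s]\n",addy,kapp);
        return 0;
    }
    if (strstr(line, "NewSetup") != NULL)
    {
        /* The request is logged whole rather than field by field. The
           disabled per-field code that stood here concatenated the fields
           into a pointer that was never given any storage. */
        strip_newline(line);
        syslog(LOG_NOTICE,"[%s] New Server Config [%s]\n",addy,line);
        return 0;
    }
    if (strstr(line, "ExitWin") != NULL)
    {
        strip_newline(line);
        (void)strtok(line, ";");
        reboot = nb_field(strtok(NULL, ";"));
        if (strcmp(reboot, "1") == 0)
            syslog(LOG_NOTICE,"[%s] Force windows logoff\n",addy);
        if (strcmp(reboot, "2") == 0)
            syslog(LOG_NOTICE,"[%s] Force power off\n",addy);
        if (strcmp(reboot, "3") == 0)
            syslog(LOG_NOTICE,"[%s] Force reboot\n",addy);
        if (strcmp(reboot, "4") == 0)
            syslog(LOG_NOTICE,"[%s] Force shutdown\n",addy);
        return 0;
    }
    /* Read - SetACL;198.212.246.1|198.212.246.6| */
    if (strstr(line, "SetACL") != NULL)
    {
        strip_newline(line);
        (void)strtok(line, ";");
        setacl = nb_field(strtok(NULL, ";"));
        syslog(LOG_NOTICE,"[%s] Allow ips [%s]\n",addy,setacl);
        return 0;
    }
    if (strstr(line, "GetACL") != NULL)
    {
        send_to_idiot("ACLInfo;198.212.246.140|198.212.246.150|198.212.246.4\r");
        syslog(LOG_NOTICE,"[%s] Get Allowed Ips\n",addy);
        return 0;
    }
    if (strstr(line, "RemoveServer") != NULL)
    {
        strip_newline(line);
        (void)strtok(line, ";");
        rserver = nb_field(strtok(NULL, ";"));
        if (strcmp(rserver, "0") == 0)
            syslog(LOG_NOTICE,"[%s] Close Server\n",addy);
        if (strcmp(rserver, "1") == 0)
            syslog(LOG_NOTICE,"[%s] Remove server\n",addy);
        return 0;
    }
    if (strstr(line, "AppRedir") != NULL)
    {
        strip_newline(line);
        syslog(LOG_NOTICE,"[%s] App Redir [%s]\n",addy,line);
        return 0;
    }
    /* The switch at the top of the file is spelled DEBUG; this guard tested
       `debug`, which is a different macro, so requests the decoy did not
       recognise were never recorded whatever the switch said. */
#ifdef DEBUG
    syslog(LOG_NOTICE,"[%s] I don't know how to parse [%s]\n",addy,line);
#endif
    return 0;
}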
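/*
 * Entry point: announce the daemon in syslog, detach with a single fork(),
 * wait for the first client, send the NetBus banner and enter the service
 * loop, which does not return.
 *
 * NOTE(review): the child keeps the parent's session, working directory and
 * standard descriptors (there is no setsid()/chdir()/close() here). The port
 * in `waitport` is unprivileged, so nothing in this file needs root.
 */
int main(int argc, char **argv)
{
    pid_t pid;

    (void)argc;
    (void)argv;

    syslog(LOG_NOTICE, "NetBus Daemon 0.1 by BigDawg running");

    /* A failed fork() returns -1, which the old `if(fork()) exit(0);` treated
       like the parent: the program exited 0 with no daemon running and
       nothing in the log. */
    pid = fork();
    if (pid < 0) {
        syslog(LOG_ERR, "fork() failed: %s", strerror(errno));
        return 1;
    }
    if (pid > 0)
        exit(0);

    /* Replies are written to a socket the peer may already have closed. With
       the default disposition that write raises SIGPIPE and kills the daemon;
       ignored, it fails with EPIPE and the next read notices the disconnect. */
    signal(SIGPIPE, SIG_IGN);

    init_serv();
    send_to_idiot("NetBus 1.70\r");
    datawatch();
    return 0;
}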