/* * File: TelnetD.c * * Abstract: a simple telnet 'daemon' for Windows hosts. * * Compiled & run successfully using MSVC 5.0 under Windows95 (requires * Winsock2 update) and Windows98 and MSVC 6.0 under WindowsNT4 * * Compiler options : no special options needed * Linker options : add wsock32.lib or ws2_32.lib * * Written by fred.van.lieshout 'at' zonnet.nl * Use freely, no copyrights. * Use Linux. * * TODO: * - access control * - will/won't handshake * - (run as) Windows NT service */ #include #include /* ** macro definitions */ #define TELNET_PORT (23) #define BUFSIZE (4096) #define USERID_SIZE (64) #define CTRLC (3) #define BS (8) #define CR (13) #define LF (10) #define DEL (127) #define IAC (255) #define DONT (254) #define WONT (253) #define DO (252) #define WILL (251) #define ECHO (1) #define HANDSHAKE_TIMEOUT (3) /* ** types */ typedef struct client_s { char userID[USERID_SIZE]; int socket; BOOLEAN bTerminate; BOOLEAN bReadFromPipe; BOOLEAN bWriteToPipe; HANDLE hProcess; DWORD dwProcessId; HANDLE hChildStdinWr; HANDLE hChildStdoutRd; } client_t; typedef enum { NoEcho = 0, Echo = 1, Password = 2 } EchoMode; /* ** Local data */ static BOOLEAN bShutdown = 0; static BOOLEAN bSocketInterfaceInitialised = 0; static int sock; /* ** Forward function declarations */ static BOOL WINAPI Cleanup(DWORD dwControlType); static void WaitForConnect(void); static BOOLEAN StartSocketInterface(void); static void CreateSocket(void); static void UserLogin(int client_socket); static DWORD WINAPI UserLoginThread(LPVOID); static int DoTelnetHandshake(int sock); static int ReceiveLine(int sock, char *buffer, int len, EchoMode echo); static void RunShell(client_t *client); static BOOL CreateChildProcess(const char *); static DWORD WINAPI MonitorChildThread(LPVOID); static DWORD WINAPI WriteToPipeThread(LPVOID); static DWORD WINAPI ReadFromPipeThread(LPVOID); static void TerminateShell(client_t *client); static VOID ErrorExit(LPTSTR); /* ** main */ DWORD telnetd_main() { SetConsoleCtrlHandler(Cleanup, 1); if (!StartSocketInterface()) { ErrorExit("Unable to start socket interface\n"); } CreateSocket(); while(!bShutdown) { WaitForConnect(); } WSACleanup(); return 0; } /* ** Cleanup */ static BOOL WINAPI Cleanup(DWORD dwControlType) { if (bSocketInterfaceInitialised) { printf("Cleanup...\n"); WSACleanup(); } return 0; } /* ** StartSocketInterface */ static BOOLEAN StartSocketInterface(void) { WORD wVersionRequested; WSADATA wsaData; int err; wVersionRequested = MAKEWORD( 2, 0 ); err = WSAStartup(wVersionRequested, &wsaData); if (err != 0) { printf("requested winsock version not supported\n"); return 0; } bSocketInterfaceInitialised = 1; /* for ErrorExit function */ if ( wsaData.wVersion != wVersionRequested) { printf("requested winsock version not supported\n"); return 0; } printf("TelnetD, using %s\n", wsaData.szDescription); return 1; } /* ** CreateSocket */ static void CreateSocket(void) { struct sockaddr_in sa; sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (sock < 0) { ErrorExit("Cannot create socket"); } memset(&sa, 0, sizeof(sa)); sa.sin_family = AF_INET; sa.sin_addr.s_addr = INADDR_ANY; sa.sin_port = htons(TELNET_PORT); if (bind(sock, (struct sockaddr*) &sa, sizeof(sa)) != 0) { ErrorExit("Cannot bind address to socket"); } } /* ** WaitForConnect */ static void WaitForConnect(void) { struct sockaddr_in sa; int new_sock; if (listen(sock, 1) < 0) { ErrorExit("Cannot listen on socket"); } if ((new_sock = accept(sock, (struct sockaddr*) &sa, NULL)) < 0) { fprintf(stderr, "Failed to accept incoming call\n"); } else { printf("user connected on socket %d, port %d, address %lx\n", new_sock, htons(sa.sin_port), sa.sin_addr.s_addr); UserLogin(new_sock); } } /* ** Function: UserLogin */ static void UserLogin(int client_socket) { DWORD threadID; client_t *client = malloc(sizeof(client_t)); if (client == NULL) { ErrorExit("failed to allocate memory for client"); } client->socket = client_socket; CreateThread(NULL, 0, UserLoginThread, client, 0, &threadID); } /* ** Function: UserLoginThread */ static DWORD WINAPI UserLoginThread(LPVOID data) { client_t *client = (client_t *) data; char welcome[256]; char hostname[64] = "Unknown"; char *pwdPrompt = "\r\npass:"; char *logonPrompt = "\r\nLogin OK, please wait..."; char *byebye = "\r\nWrong! bye bye...\r\n"; char userID[USERID_SIZE]; char password[USERID_SIZE]; int received; char *terminator; if (DoTelnetHandshake(client->socket)) { closesocket(client->socket); free(client); return 0; } gethostname(hostname, sizeof(hostname)); sprintf(welcome, "\r\nWelcome to %s, please identify yourself\r\n\r\nuser:", hostname); if (send(client->socket, welcome, strlen(welcome), 0) < 0) { closesocket(client->socket); free(client); return 0; } received = ReceiveLine(client->socket, userID, sizeof(userID), Echo ); if (received < 0) { closesocket(client->socket); free(client); return 0; } else if (received) { if ((terminator = strchr(userID, CR)) != NULL) { *terminator = '\0'; } } if (send(client->socket, pwdPrompt, strlen(pwdPrompt), 0) < 0) { closesocket(client->socket); free(client); return 0; } received = ReceiveLine(client->socket, password, sizeof(password), Password ); if (received < 0) { closesocket(client->socket); free(client); return 0; } else if (received) { if ((terminator = strchr(password, CR)) != NULL) { *terminator = '\0'; } } /* TODO: do authentication here */ printf("User '%s' logged on\n", userID); strcpy(client->userID, userID); if (send(client->socket, logonPrompt, strlen(logonPrompt), 0) < 0) { closesocket(client->socket); free(client); return 0; } RunShell(client); return 0; } /* ** Function: DoTelnetHandshake */ static int DoTelnetHandshake(int sock) { int retval; int received; fd_set set; struct timeval timeout = { HANDSHAKE_TIMEOUT, 0 }; unsigned char will_echo[3] = { IAC, WILL, ECHO }; unsigned char client_reply[256]; if (send(sock, (const char *) will_echo, sizeof(will_echo), 0) < 0) { return -1; } /* Now wait for client response (and ignore it) */ FD_ZERO(&set); FD_SET(sock, &set); do { retval = select(0, &set, NULL, NULL, &timeout); /* check for error */ if (retval < 0) { return -1; /* check for timeout */ } else if (retval == 0) { return 0; } /* no error and no timeout, we have data in our sock */ received = recv(sock, client_reply, sizeof(client_reply), 0); if (received <= 0) { return -1; } } while (retval); return 0; } /* ** Function: ReceiveLine ** ** Abstract: receive until timeout or CR ** In : sock, len ** Out : buffer ** Result : int ** Pre : 'sock' must be valid socket ** Post : (result = the number of bytes read into 'buffer') ** OR (result = -1 and error) */ static int ReceiveLine(int sock, char *buffer, int len, EchoMode echo) { int i = 0; int retval; fd_set set; struct timeval timeout = { 0, 100000 }; char del[3] = { BS, ' ', BS }; char asterisk[1] = { '*' }; FD_ZERO(&set); FD_SET(sock, &set); memset(buffer, '\0', len); do { /* When we're in echo mode, we do not need a timeout */ retval = select(0, &set, NULL, NULL, (echo ? NULL : &timeout) ); /* check for error */ if (retval < 0) { return -1; /* check for timeout */ } else if (retval == 0) { /* return number of characters received so far */ return i; } /* no error and no timeout, we have data in our sock */ if (recv(sock, &buffer[i], 1, 0) <= 0) { return -1; } if ((buffer[i] == '\0') || (buffer[i] == LF)) { /* ignore null characters and linefeeds from DOS telnet clients */ buffer[i] = '\0'; } else if ((buffer[i] == DEL) || (buffer[i] == BS)) { /* handle delete and backspace */ buffer[i] = '\0'; if (echo) { if (i > 0) { i--; buffer[i] = '\0'; if (send(sock, del, sizeof(del), 0) < 0) { return -1; } } } else { buffer[i] = BS; /* Let shell process handle it */ i++; } } else { /* echo typed characters */ if (echo == Echo && send(sock, &buffer[i], 1, 0) < 0) { return -1; } else if (echo == Password && send(sock, asterisk, sizeof(asterisk), 0) < 0) { return -1; } if (buffer[i] == CR) { i++; buffer[i] = LF; /* append LF for DOS command processor */ i++; return i; } i++; } } while (i < len); return i; } /* ** Function: RunShell */ static void RunShell(client_t *client) { DWORD threadID; HANDLE hChildStdinRd; HANDLE hChildStdinWr; HANDLE hChildStdoutRd; HANDLE hChildStdoutWr; STARTUPINFO si; PROCESS_INFORMATION piProcInfo; SECURITY_ATTRIBUTES saAttr; const char *name = "c:\\windows\\system32\\cmd.exe"; const char *cmd = NULL; //const char *name = "d:\\cygwin\\bin\\bash.exe"; //const char *cmd = "d:\\cygwin\\bin\\bash.exe --login -i"; saAttr.nLength = sizeof(SECURITY_ATTRIBUTES); saAttr.bInheritHandle = TRUE; saAttr.lpSecurityDescriptor = NULL; // Create a pipe for the child process's STDOUT. if (! CreatePipe(&hChildStdoutRd, &hChildStdoutWr, &saAttr, 0)) ErrorExit("Stdout pipe creation failed\n"); if (! CreatePipe(&hChildStdinRd, &hChildStdinWr, &saAttr, 0)) ErrorExit("Stdin pipe creation failed\n"); client->bTerminate = FALSE; client->bWriteToPipe = TRUE; client->bReadFromPipe = TRUE; client->hChildStdinWr = hChildStdinWr; client->hChildStdoutRd = hChildStdoutRd; // Create the child process (the shell) printf("Creating child process...\n"); ZeroMemory( &si, sizeof(STARTUPINFO) ); si.cb = sizeof(STARTUPINFO); si.dwFlags = STARTF_USESTDHANDLES; si.hStdInput = hChildStdinRd; si.hStdOutput = hChildStdoutWr; si.hStdError = hChildStdoutWr; //si.dwFlags |= STARTF_USESHOWWINDOW; //si.wShowWindow = SW_SHOW; if (!CreateProcess((LPSTR) name, // executable module (LPSTR) cmd, // command line NULL, // process security attributes NULL, // primary thread security attributes TRUE, // handles are inherited //DETACHED_PROCESS + // creation flags CREATE_NEW_PROCESS_GROUP, NULL, // use parent's environment NULL, // use parent's current directory &si, // startup info &piProcInfo)) { ErrorExit("Create process failed"); } client->hProcess = piProcInfo.hProcess; client->dwProcessId = piProcInfo.dwProcessId; printf("New child created (groupid=%lu)\n", client->dwProcessId); // No longer need these in the parent... if (!CloseHandle(hChildStdoutWr)) ErrorExit("Closing handle failed"); if (!CloseHandle(hChildStdinRd)) ErrorExit("Closing handle failed"); CreateThread(NULL, 0, WriteToPipeThread, client, 0, &threadID); CreateThread(NULL, 0, ReadFromPipeThread, client, 0, &threadID); CreateThread(NULL, 0, MonitorChildThread, client, 0, &threadID); } /* ** Function: MonitorChildThread ** ** Abstract: Monitor the child (shell) process */ static DWORD WINAPI MonitorChildThread(LPVOID data) { DWORD exitCode; client_t *client = (client_t *) data; printf("Monitor thread running...\n"); WaitForSingleObject(client->hProcess, INFINITE); GetExitCodeProcess(client->hProcess, &exitCode); printf("Child process terminated with code %d\n", exitCode); /* signal the other threads to give up */ client->bTerminate = TRUE; Sleep(500); CloseHandle(client->hChildStdoutRd); CloseHandle(client->hChildStdinWr); CloseHandle(client->hProcess); closesocket(client->socket); printf("Waiting for all threads to give up..\n"); while (client->bWriteToPipe || client->bReadFromPipe) { printf("."); fflush(stdout); Sleep(1000); } printf("Cleanup for user '%s'\n", client->userID); free(client); return 0; } /* ** Function: WriteToPipeThread ** ** Abstract: read data from the telnet client socket ** and pass it on to the shell process. */ static DWORD WINAPI WriteToPipeThread(LPVOID data) { int iRead; DWORD dwWritten; CHAR chBuf[BUFSIZE]; client_t *client = (client_t *) data; while (!client->bTerminate) { iRead = ReceiveLine(client->socket, chBuf, BUFSIZE, FALSE); if (iRead < 0) { printf("Client disconnect\n"); break; } else if (iRead > 0) { if (strchr(chBuf, CTRLC)) { GenerateConsoleCtrlEvent(CTRL_C_EVENT, client->dwProcessId); } if (send(client->socket, chBuf, iRead, 0) < 0) { printf("error writing to socket\n"); break; } if (! WriteFile(client->hChildStdinWr, chBuf, (DWORD) iRead, &dwWritten, NULL)) { printf("Error writing to pipe\n"); break; } } } if (!client->bTerminate) { TerminateShell(client); } printf("WriteToPipeThread terminated\n"); client->bWriteToPipe = FALSE; return 0; } /* ** Function: ReadFromPipeThread ** ** Abstract: Read data from the shell's stdout handle and ** pass it on to the telnet client socket. */ static DWORD WINAPI ReadFromPipeThread(LPVOID data) { DWORD dwRead; DWORD dwAvail; CHAR chBuf[BUFSIZE]; CHAR txBuf[BUFSIZE*2]; DWORD from,to; char warning[] = "warning: rl_prep_terminal: cannot get terminal settings"; client_t *client = (client_t *) data; while (!client->bTerminate && client->bWriteToPipe) { // Since we do not want to block, first peek... if (PeekNamedPipe(client->hChildStdoutRd, NULL, 0, NULL, &dwAvail, NULL) == 0) { printf("Failed to peek in pipe\n"); break; } if (dwAvail) { if( ! ReadFile( client->hChildStdoutRd, chBuf, BUFSIZE, &dwRead, NULL) || dwRead == 0) { printf("Failed to read from pipe\n"); break; } for (from=0, to=0; fromsocket, txBuf, to, 0) < 0) { printf("error writing to socket\n"); break; } } Sleep(100); /* Hmmm, oh well... what the heck! */ } if (!client->bTerminate) { TerminateShell(client); } printf("ReadFromPipeThread terminated\n"); client->bReadFromPipe = FALSE; return 0; } /* ** TerminateShell */ static void TerminateShell(client_t *client) { DWORD exitCode; DWORD dwWritten; char stop[] = "\003\r\nexit\r\n"; /* Ctrl-C + exit */ GetExitCodeProcess(client->hProcess, &exitCode); if (exitCode == STILL_ACTIVE) { printf("user shell still active, send Ctrl-Break to group-id %lu\n", client->dwProcessId ); if (!GenerateConsoleCtrlEvent( CTRL_BREAK_EVENT, client->dwProcessId )) { printf("Failed to send Ctrl_break\n"); } Sleep(500); if (!GenerateConsoleCtrlEvent( CTRL_C_EVENT, client->dwProcessId )) { printf("Failed to send Ctrl_C\n"); } Sleep(500); if (! WriteFile(client->hChildStdinWr, stop, sizeof(stop), &dwWritten, NULL)) { printf("Error writing to pipe\n"); } Sleep(500); GetExitCodeProcess(client->hProcess, &exitCode); if (exitCode == STILL_ACTIVE) { printf("user shell still active, attempt to terminate it now...\n"); TerminateProcess(client->hProcess, 0); } } } /* ** ErrorExit */ static VOID ErrorExit (LPTSTR lpszMessage) { fprintf(stderr, "%s\n", lpszMessage); if (bSocketInterfaceInitialised) { printf("WSAGetLastError=%d\n", WSAGetLastError()); WSACleanup(); } ExitProcess(0); }