0

I am writing a program in C that uses libnet and libpcap to simulate an RSH client and inject my own commands into a server machine running RSHD.

As I understand it, the command should be in the "payload" of the ACK packet, but in a format that RSHD will pass on to the shell.

How should I assemble the packet to achieve this?

4

2 Answers

1

Try getting a dump of the network packets from a normal rsh client (using tcpdump, tshark, etc.).

answered 2010-03-31T22:39:11.470
0

To whom it may concern.

After establishing the connection (syn-syn,ack-ack) via the rsh, the connection comes to the ESTABLISHED state, and all the requests will be moved to another port (so the rshd can further handle more connections).

My problem was how to pass the command in the last "ack" packet. The "ack" packet is itself a data packet, so the command can be transferred in the "payload" field.

A few quotes from "man rshd":

      The server reads characters from the socket up to a NUL (`\0') byte.
      The resultant string is interpreted as an ASCII number, base 10.

 3.   If the number received in step 2 is non-zero, it is interpreted as
      the port number of a secondary stream to be used for the stderr.  A
      second connection is then created to the specified port on the
      client's machine.
      ...
 5.   A null terminated user name of at most 16 characters is retrieved on
      the initial socket.  This user name is interpreted as the user iden-
      tity on the client's machine.

 6.   A null terminated user name of at most 16 characters is retrieved on
      the initial socket.  This user name is interpreted as a user iden-
      tity to use on the server's machine.

 7.   A null terminated command to be passed to a shell is retrieved on
      the initial socket.  The length of the command is limited by the
      upper bound on the size of the system's argument list.

So, in #3 it is said that the first characters up to a NUL byte are interpreted as the port number for the secondary connection. But I didn't need the secondary connection, so I put "0\0" at the beginning of the command. Next, #5 and #6 specify the usernames on the client's machine and the server's machine, separated by NULs. So I put "0\0username1\0username1\0". And in #7 it is said that a null-terminated command can follow, so my command in the end was "0\0username1\0username2\0command\0".

answered 2010-04-02T11:19:27.710
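The request format quoted from the rshd man page above (stderr port, client user, server user, command, each NUL-terminated) is also what a monitoring sensor sees on the wire, since rsh carries it in cleartext. The following parser is an added example, not code from the question, the answers or any rshd implementation; it takes the bytes of the initial rsh stream and extracts the four fields, rejecting malformed requests (missing terminator, non-numeric or out-of-range port, username longer than the 16 characters the man page allows). The struct and function names, the 4096-byte local command cap (the real bound is the system's argument-list size) and the sample payloads are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RSH_MAX_USER 16      /* per the rshd man page: at most 16 characters */
#define RSH_MAX_CMD  4096    /* assumed local cap; rshd's real limit is the argv size */

/* Assumed struct for this example: the four fields of an rsh request. */
struct rsh_request {
    unsigned short stderr_port;            /* 0 = no secondary stderr stream */
    char client_user[RSH_MAX_USER + 1];
    char server_user[RSH_MAX_USER + 1];
    char command[RSH_MAX_CMD + 1];
};

/* Copy one NUL-terminated field starting at buf[*pos] into out.
 * Returns the field length, or -1 if no NUL occurs before len or the
 * field is longer than max (both are malformed requests). */
static int take_field(const unsigned char *buf, size_t len, size_t *pos,
                      char *out, size_t max)
{
    size_t start = *pos, i;
    for (i = start; i < len; i++) {
        if (buf[i] == '\0') {
            size_t n = i - start;
            if (n > max)
                return -1;
            memcpy(out, buf + start, n);
            out[n] = '\0';
            *pos = i + 1;
            return (int)n;
        }
    }
    return -1;                             /* truncated: terminator missing */
}

/* Parse the initial rsh stream. Returns 0 on success; a negative code
 * identifies which step of the man page's sequence was violated. */
int parse_rsh_request(const unsigned char *buf, size_t len,
                      struct rsh_request *req)
{
    size_t pos = 0;
    char portstr[6];                       /* holds at most "65535" */
    int n, i;
    long port;

    memset(req, 0, sizeof *req);

    /* Step 2/3: ASCII base-10 port of the secondary stream, 0 meaning none */
    n = take_field(buf, len, &pos, portstr, sizeof portstr - 1);
    if (n <= 0)
        return -2;                         /* missing, empty or too long */
    for (i = 0; i < n; i++)
        if (portstr[i] < '0' || portstr[i] > '9')
            return -2;                     /* not a decimal number */
    port = strtol(portstr, NULL, 10);
    if (port < 0 || port > 65535)
        return -2;
    req->stderr_port = (unsigned short)port;

    /* Steps 5, 6, 7: client user, server user, command */
    if (take_field(buf, len, &pos, req->client_user, RSH_MAX_USER) < 0)
        return -5;
    if (take_field(buf, len, &pos, req->server_user, RSH_MAX_USER) < 0)
        return -6;
    if (take_field(buf, len, &pos, req->command, RSH_MAX_CMD) < 0)
        return -7;
    return 0;
}

/* Constructed sample request (not captured traffic): no stderr port,
 * client user "alice", server user "bob", command "ls -l". */
static const unsigned char SAMPLE[] = "0\0alice\0bob\0ls -l\0";

/* Returns 1 when the sample parses to the expected four fields. */
int demo_sample_ok(void)
{
    struct rsh_request r;
    if (parse_rsh_request(SAMPLE, sizeof SAMPLE - 1, &r) != 0)
        return 0;
    return r.stderr_port == 0 && strcmp(r.client_user, "alice") == 0 &&
           strcmp(r.server_user, "bob") == 0 && strcmp(r.command, "ls -l") == 0;
}

/* Returns the parser's code for a request whose command lacks its NUL. */
int demo_truncated_code(void)
{
    struct rsh_request r;
    static const unsigned char cut[] = "0\0alice\0bob\0ls";
    return parse_rsh_request(cut, sizeof cut - 1, &r);
}

/* Returns the parser's code for a 17-character client user name. */
int demo_long_user_code(void)
{
    struct rsh_request r;
    static const unsigned char longuser[] = "514\0aaaaaaaaaaaaaaaaa\0bob\0id\0";
    return parse_rsh_request(longuser, sizeof longuser - 1, &r);
}

int main(void)
{
    struct rsh_request r;
    if (parse_rsh_request(SAMPLE, sizeof SAMPLE - 1, &r) == 0)
        printf("stderr port %u, %s -> %s, command: %s\n",
               r.stderr_port, r.client_user, r.server_user, r.command);
    return 0;
}
```

The parser never trusts the stream to be well formed: each field is bounded by both the remaining buffer length and the man page's size limit, so a request with a missing NUL or an over-long user name is reported rather than read past the end of the buffer.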