1 /*
2 * Abstract: a simple telnet 'daemon' for Windows hosts.
3 *
4 * Compiled & run successfully using MSVC 5.0 under Windows95 (requires
5 * Winsock2 update) and Windows98 and MSVC 6.0 under WindowsNT4
6 *
7 * Compiler options : no special options needed
8 * Linker options : add wsock32.lib or ws2_32.lib
9 *
10 * Written by fred.van.lieshout 'at' zonnet.nl
11 * Use freely, no copyrights.
12 * Use Linux.
13 *
14 * Parts Copyright Steven Edwards
15 * Public Domain
16 *
17 * TODO:
18 * - access control
19 * - will/won't handshake
20 * - Unify Debugging output and return StatusCodes
21 */
22
23 #include "telnetd.h"
24
25 #define telnetd_printf printf
26 #if 0
27 static inline int telnetd_printf(const char *format, ...);
28 {
29 printf(format,...);
30 syslog (6, format);
31 }
32 #endif
33
34 /* Local data */
35
36 static BOOLEAN bShutdown = 0;
37 static BOOLEAN bSocketInterfaceInitialised = 0;
38 static int sock;
39
40 /* In the future, some options might be passed here to handle
41 * authentication options in the registry or command line
42 * options passed to the service
43 *
44 * Once you are ready to turn on the service
45 * rename this function
46 * int kickoff_telnetd(void)
47 */
kickoff_telnetd(void)48 int kickoff_telnetd(void)
49 {
50 printf("Attempting to start Simple TelnetD\n");
51
52 // DetectPlatform();
53 SetConsoleCtrlHandler(Cleanup, 1);
54
55 if (!StartSocketInterface())
56 ErrorExit("Unable to start socket interface\n");
57
58 CreateSocket();
59
60 while(!bShutdown) {
61 WaitForConnect();
62 }
63
64 WSACleanup();
65 return 0;
66 }
67
68 /* Cleanup */
Cleanup(DWORD dwControlType)69 static BOOL WINAPI Cleanup(DWORD dwControlType)
70 {
71 if (bSocketInterfaceInitialised) {
72 telnetd_printf("Cleanup...\n");
73 WSACleanup();
74 }
75 return 0;
76 }
77
78 /* StartSocketInterface */
StartSocketInterface(void)79 static BOOLEAN StartSocketInterface(void)
80 {
81 WORD wVersionRequested;
82 WSADATA wsaData;
83 int err;
84
85 wVersionRequested = MAKEWORD( 2, 0 );
86 err = WSAStartup(wVersionRequested, &wsaData);
87 if (err != 0) {
88 telnetd_printf("requested winsock version not supported\n");
89 return 0;
90 }
91
92 bSocketInterfaceInitialised = 1; /* for ErrorExit function */
93
94 if ( wsaData.wVersion != wVersionRequested)
95 ErrorExit("requested winsock version not supported\n");
96
97 telnetd_printf("TelnetD, using %s\n", wsaData.szDescription);
98 return 1;
99 }
100
101 /* CreateSocket */
CreateSocket(void)102 static void CreateSocket(void)
103 {
104 struct sockaddr_in sa;
105
106 sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
107 if (sock < 0)
108 ErrorExit("Cannot create socket");
109
110 memset(&sa, 0, sizeof(sa));
111 sa.sin_family = AF_INET;
112 sa.sin_addr.s_addr = INADDR_ANY;
113 sa.sin_port = htons(TELNET_PORT);
114
115 if (bind(sock, (struct sockaddr*) &sa, sizeof(sa)) != 0)
116 ErrorExit("Cannot bind address to socket");
117 }
118
119 /* WaitForConnect */
WaitForConnect(void)120 static void WaitForConnect(void)
121 {
122 struct sockaddr_in sa;
123 int new_sock;
124
125 if (listen(sock, 1) < 0)
126 ErrorExit("Cannot listen on socket");
127
128 if ((new_sock = accept(sock, (struct sockaddr*) &sa, NULL)) < 0) {
129 fprintf(stderr, "Failed to accept incoming call\n");
130 } else {
131 telnetd_printf("user connected on socket %d, port %d, address %lx\n", new_sock,
132 htons(sa.sin_port), sa.sin_addr.s_addr);
133 UserLogin(new_sock);
134 }
135 }
136
137 /* Function: UserLogin */
UserLogin(int client_socket)138 static void UserLogin(int client_socket)
139 {
140 HANDLE threadHandle;
141 client_t *client = malloc(sizeof(client_t));
142
143 if (client == NULL)
144 ErrorExit("failed to allocate memory for client");
145
146 client->socket = client_socket;
147 threadHandle = CreateThread(NULL, 0, UserLoginThread, client, 0, NULL);
148 if (threadHandle == NULL)
149 free(client);
150 else
151 CloseHandle(threadHandle);
152 }
153
154 /* Function: UserLoginThread */
UserLoginThread(LPVOID data)155 static DWORD WINAPI UserLoginThread(LPVOID data)
156 {
157 client_t *client = (client_t *) data;
158 char welcome[256];
159 char hostname[64] = "Unknown";
160 char *pwdPrompt = "\r\npass:";
161 //char *logonPrompt = "\r\nLogin OK, please wait...";
162 //char *byebye = "\r\nWrong! bye bye...\r\n";
163 char userID[USERID_SIZE];
164 char password[USERID_SIZE];
165 int received;
166 char *terminator;
167
168 if (DoTelnetHandshake(client->socket)) {
169 closesocket(client->socket);
170 free(client);
171 return 0;
172 }
173
174 gethostname(hostname, sizeof(hostname));
175 sprintf(welcome, "\r\nWelcome to %s, please identify yourself\r\n\r\nuser:", hostname);
176
177 if (send(client->socket, welcome, strlen(welcome), 0) < 0) {
178 closesocket(client->socket);
179 free(client);
180 return 0;
181 }
182 received = ReceiveLine(client->socket, userID, sizeof(userID), Echo );
183 if (received < 0) {
184 closesocket(client->socket);
185 free(client);
186 return 0;
187 } else if (received) {
188 if ((terminator = strchr(userID, CR)) != NULL) {
189 *terminator = '\0';
190 }
191 }
192
193 if (send(client->socket, pwdPrompt, strlen(pwdPrompt), 0) < 0) {
194 closesocket(client->socket);
195 free(client);
196 return 0;
197 }
198 received = ReceiveLine(client->socket, password, sizeof(password), Password );
199
200 #if 0
201 if (received < 0) {
202 closesocket(client->socket);
203 free(client);
204 return 0;
205 } else if (received) {
206 if ((terminator = strchr(password, CR)) != NULL) {
207 *terminator = '\0';
208 }
209 }
210 #endif
211
212 /* TODO: do authentication here */
213
214
215 telnetd_printf("User '%p' logged on\n", userID);
216 #if 0
217 strcpy(client->userID, userID);
218 if (send(client->socket, logonPrompt, strlen(logonPrompt), 0) < 0) {
219 closesocket(client->socket);
220 free(client);
221 return 0;
222 }
223 #endif
224 RunShell(client);
225 return 0;
226 }
227
228 /* Function: DoTelnetHandshake */
DoTelnetHandshake(int sock)229 static int DoTelnetHandshake(int sock)
230 {
231 int retval;
232 int received;
233 fd_set set;
234 struct timeval timeout = { HANDSHAKE_TIMEOUT, 0 };
235
236 char will_echo[]=
237 IAC DONT ECHO
238 IAC WILL ECHO
239 IAC WILL NAWS
240 IAC WILL SUPPRESS_GO_AHEAD
241 IAC DO SUPPRESS_GO_AHEAD
242 IAC DONT NEWENVIRON
243 IAC WONT NEWENVIRON
244 IAC WONT LINEMODE
245 IAC DO NAWS
246 IAC SB TERMINAL_TYPE "\x01" IAC SE
247 ;
248
249 unsigned char client_reply[256];
250
251 if (send(sock, will_echo, sizeof(will_echo), 0) < 0) {
252 return -1;
253 }
254
255 /* Now wait for client response (and ignore it) */
256 FD_ZERO(&set);
257 FD_SET(sock, &set);
258
259 do {
260 retval = select(0, &set, NULL, NULL, &timeout);
261 /* check for error */
262 if (retval < 0) {
263 return -1;
264 /* check for timeout */
265 } else if (retval == 0) {
266 return 0;
267 }
268 /* no error and no timeout, we have data in our sock */
269 received = recv(sock, (char *) client_reply, sizeof(client_reply), 0);
270 if (received <= 0) {
271 return -1;
272 }
273 } while (retval);
274
275 return 0;
276 }
277
278 /*
279 ** Function: ReceiveLine
280 **
281 ** Abstract: receive until timeout or CR
282 ** In : sock, len
283 ** Out : buffer
284 ** Result : int
285 ** Pre : 'sock' must be valid socket
286 ** Post : (result = the number of bytes read into 'buffer')
287 ** OR (result = -1 and error)
288 */
ReceiveLine(int sock,char * buffer,int len,EchoMode echo)289 static int ReceiveLine(int sock, char *buffer, int len, EchoMode echo)
290 {
291 int i = 0;
292 int retval;
293 fd_set set;
294 struct timeval timeout = { 0, 100000 };
295 char del[3] = { BS, ' ', BS };
296 char asterisk[1] = { '*' };
297
298 FD_ZERO(&set);
299 FD_SET(sock, &set);
300
301 memset(buffer, '\0', len);
302
303 do {
304 /* When we're in echo mode, we do not need a timeout */
305 retval = select(0, &set, NULL, NULL, (echo ? NULL : &timeout) );
306 /* check for error */
307 if (retval < 0) {
308 return -1;
309 /* check for timeout */
310 } else if (retval == 0) {
311 /* return number of characters received so far */
312 return i;
313 }
314 /* no error and no timeout, we have data in our sock */
315 if (recv(sock, &buffer[i], 1, 0) <= 0) {
316 return -1;
317 }
318 if ((buffer[i] == '\0') || (buffer[i] == LF)) {
319 /* ignore null characters and linefeeds from DOS telnet clients */
320 buffer[i] = '\0';
321 } else if ((buffer[i] == DEL) || (buffer[i] == BS)) {
322 /* handle delete and backspace */
323 buffer[i] = '\0';
324 if (echo) {
325 if (i > 0) {
326 i--;
327 buffer[i] = '\0';
328 if (send(sock, del, sizeof(del), 0) < 0) {
329 return -1;
330 }
331 }
332 } else {
333 buffer[i] = BS; /* Let shell process handle it */
334 i++;
335 }
336 } else {
337 /* echo typed characters */
338 if (echo == Echo && send(sock, &buffer[i], 1, 0) < 0) {
339 return -1;
340 } else if (echo == Password && send(sock, asterisk, sizeof(asterisk), 0) < 0) {
341 return -1;
342 }
343 if (buffer[i] == CR) {
344 i++;
345 buffer[i] = LF; /* append LF for DOS command processor */
346 i++;
347 return i;
348 }
349
350 i++;
351 }
352 } while (i < len);
353
354 return i;
355 }
356
357 /*
358 ** Function: RunShell
359 */
RunShell(client_t * client)360 static void RunShell(client_t *client)
361 {
362 HANDLE threadHandle;
363 HANDLE hChildStdinRd;
364 HANDLE hChildStdinWr;
365 HANDLE hChildStdoutRd;
366 HANDLE hChildStdoutWr;
367 STARTUPINFO si;
368 PROCESS_INFORMATION piProcInfo;
369 SECURITY_ATTRIBUTES saAttr;
370 char cmd_path[MAX_PATH];
371
372 if (!GetEnvironmentVariableA("COMSPEC", cmd_path, ARRAYSIZE(cmd_path)))
373 {
374 if (GetSystemDirectoryA(cmd_path, ARRAYSIZE(cmd_path)))
375 {
376 StringCchCatA(cmd_path, ARRAYSIZE(cmd_path), "\\cmd.exe");
377 }
378 else
379 {
380 ErrorExit("GetSystemDirectoryA failed\n");
381 }
382 }
383
384 saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
385 saAttr.bInheritHandle = TRUE;
386 saAttr.lpSecurityDescriptor = NULL;
387
388 // Create a pipe for the child process's STDOUT.
389 if (! CreatePipe(&hChildStdoutRd, &hChildStdoutWr, &saAttr, 0))
390 ErrorExit("Stdout pipe creation failed\n");
391
392 if (! CreatePipe(&hChildStdinRd, &hChildStdinWr, &saAttr, 0))
393 ErrorExit("Stdin pipe creation failed\n");
394
395
396 client->bTerminate = FALSE;
397 client->bWriteToPipe = TRUE;
398 client->bReadFromPipe = TRUE;
399 client->hChildStdinWr = hChildStdinWr;
400 client->hChildStdoutRd = hChildStdoutRd;
401
402
403 // Create the child process (the shell)
404 telnetd_printf("Creating child process...\n");
405
406 ZeroMemory( &si, sizeof(STARTUPINFO) );
407 si.cb = sizeof(STARTUPINFO);
408
409 si.dwFlags = STARTF_USESTDHANDLES;
410 si.hStdInput = hChildStdinRd;
411 si.hStdOutput = hChildStdoutWr;
412 si.hStdError = hChildStdoutWr;
413
414 //si.dwFlags |= STARTF_USESHOWWINDOW;
415 //si.wShowWindow = SW_SHOW;
416
417 if (!CreateProcess(cmd_path, // executable module
418 NULL, // command line
419 NULL, // process security attributes
420 NULL, // primary thread security attributes
421 TRUE, // handles are inherited
422 DETACHED_PROCESS + // creation flags
423 CREATE_NEW_PROCESS_GROUP,
424 NULL, // use parent's environment
425 NULL, // use parent's current directory
426 &si, // startup info
427 &piProcInfo)) {
428 ErrorExit("Create process failed");
429 }
430
431 client->hProcess = piProcInfo.hProcess;
432 client->dwProcessId = piProcInfo.dwProcessId;
433
434 telnetd_printf("New child created (groupid=%lu)\n", client->dwProcessId);
435
436 // No longer need these in the parent...
437 if (!CloseHandle(hChildStdoutWr))
438 ErrorExit("Closing handle failed");
439
440 if (!CloseHandle(hChildStdinRd))
441 ErrorExit("Closing handle failed");
442
443 threadHandle = CreateThread(NULL, 0, WriteToPipeThread, client, 0, NULL);
444 if (threadHandle != NULL)
445 CloseHandle(threadHandle);
446
447 threadHandle = CreateThread(NULL, 0, ReadFromPipeThread, client, 0, NULL);
448 if (threadHandle != NULL)
449 CloseHandle(threadHandle);
450
451 threadHandle = CreateThread(NULL, 0, MonitorChildThread, client, 0, NULL);
452 if (threadHandle != NULL)
453 CloseHandle(threadHandle);
454 }
455
456 /*
457 * Function: MonitorChildThread
458 *
459 * Abstract: Monitor the child (shell) process
460 */
MonitorChildThread(LPVOID data)461 static DWORD WINAPI MonitorChildThread(LPVOID data)
462 {
463 DWORD exitCode;
464 client_t *client = (client_t *) data;
465
466 telnetd_printf("Monitor thread running...\n");
467
468 WaitForSingleObject(client->hProcess, INFINITE);
469
470 GetExitCodeProcess(client->hProcess, &exitCode);
471 telnetd_printf("Child process terminated with code %lx\n", exitCode);
472
473 /* signal the other threads to give up */
474 client->bTerminate = TRUE;
475
476 Sleep(500);
477
478 CloseHandle(client->hChildStdoutRd);
479 CloseHandle(client->hChildStdinWr);
480 CloseHandle(client->hProcess);
481
482 closesocket(client->socket);
483
484 telnetd_printf("Waiting for all threads to give up..\n");
485
486 while (client->bWriteToPipe || client->bReadFromPipe) {
487 telnetd_printf(".");
488 fflush(stdout);
489 Sleep(1000);
490 }
491
492 telnetd_printf("Cleanup for user '%s'\n", client->userID);
493 free(client);
494 return 0;
495 }
496
497 /*
498 * Function: WriteToPipeThread
499 *
500 * Abstract: read data from the telnet client socket
501 * and pass it on to the shell process.
502 */
WriteToPipeThread(LPVOID data)503 static DWORD WINAPI WriteToPipeThread(LPVOID data)
504 {
505 int iRead;
506 DWORD dwWritten;
507 CHAR chBuf[BUFSIZE];
508 client_t *client = (client_t *) data;
509
510 while (!client->bTerminate) {
511 iRead = ReceiveLine(client->socket, chBuf, BUFSIZE, FALSE);
512 if (iRead < 0) {
513 telnetd_printf("Client disconnect\n");
514 break;
515 } else if (iRead > 0) {
516 if (strchr(chBuf, CTRLC)) {
517 GenerateConsoleCtrlEvent(CTRL_C_EVENT, client->dwProcessId);
518 }
519 if (send(client->socket, chBuf, iRead, 0) < 0) {
520 telnetd_printf("error writing to socket\n");
521 break;
522 }
523 if (! WriteFile(client->hChildStdinWr, chBuf, (DWORD) iRead, &dwWritten, NULL)) {
524 telnetd_printf("Error writing to pipe\n");
525 break;
526 }
527 }
528 }
529
530 if (!client->bTerminate)
531 TerminateShell(client);
532
533 telnetd_printf("WriteToPipeThread terminated\n");
534
535 client->bWriteToPipe = FALSE;
536 return 0;
537 }
538
539 /*
540 * Function: ReadFromPipeThread
541 *
542 * Abstract: Read data from the shell's stdout handle and
543 * pass it on to the telnet client socket.
544 */
ReadFromPipeThread(LPVOID data)545 static DWORD WINAPI ReadFromPipeThread(LPVOID data)
546 {
547 DWORD dwRead;
548 DWORD dwAvail;
549 CHAR chBuf[BUFSIZE];
550 CHAR txBuf[BUFSIZE*2];
551 DWORD from,to;
552 //char warning[] = "warning: rl_prep_terminal: cannot get terminal settings";
553
554 client_t *client = (client_t *) data;
555
556 while (!client->bTerminate && client->bWriteToPipe) {
557 // Since we do not want to block, first peek...
558 if (PeekNamedPipe(client->hChildStdoutRd, NULL, 0, NULL, &dwAvail, NULL) == 0) {
559 telnetd_printf("Failed to peek in pipe\n");
560 break;
561 }
562 if (dwAvail) {
563 if( ! ReadFile( client->hChildStdoutRd, chBuf, BUFSIZE, &dwRead, NULL) ||
564 dwRead == 0) {
565 telnetd_printf("Failed to read from pipe\n");
566 break;
567 }
568 for (from=0, to=0; from<dwRead; from++, to++) {
569 txBuf[to] = chBuf[from];
570 if (txBuf[to] == '\n') {
571 txBuf[to] = '\r';
572 to++;
573 txBuf[to] = '\n';
574 }
575 }
576 if (send(client->socket, txBuf, to, 0) < 0) {
577 telnetd_printf("error writing to socket\n");
578 break;
579 }
580 }
581 Sleep(100); /* Hmmm, oh well... what the heck! */
582 }
583
584 if (!client->bTerminate)
585 TerminateShell(client);
586
587 telnetd_printf("ReadFromPipeThread terminated\n");
588
589 client->bReadFromPipe = FALSE;
590 return 0;
591 }
592
593 /* TerminateShell */
TerminateShell(client_t * client)594 static void TerminateShell(client_t *client)
595 {
596 DWORD exitCode;
597 DWORD dwWritten;
598 char stop[] = "\003\r\nexit\r\n"; /* Ctrl-C + exit */
599
600 GetExitCodeProcess(client->hProcess, &exitCode);
601
602 if (exitCode == STILL_ACTIVE)
603 {
604 HANDLE hEvent = NULL;
605 DWORD dwWaitResult;
606
607 telnetd_printf("user shell still active, send Ctrl-Break to group-id %lu\n", client->dwProcessId );
608
609 hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
610
611 if (hEvent == NULL)
612 printf("CreateEvent error\n");
613
614 if (!GenerateConsoleCtrlEvent( CTRL_BREAK_EVENT, client->dwProcessId ))
615 telnetd_printf("Failed to send Ctrl_break\n");
616
617 if (!GenerateConsoleCtrlEvent( CTRL_C_EVENT, client->dwProcessId ))
618 telnetd_printf("Failed to send Ctrl_C\n");
619
620 if (!WriteFile(client->hChildStdinWr, stop, sizeof(stop), &dwWritten, NULL))
621 telnetd_printf("Error writing to pipe\n");
622
623 /* wait for our handler to be called */
624 dwWaitResult=WaitForSingleObject(hEvent, 500);
625
626 if (WAIT_FAILED==dwWaitResult)
627 telnetd_printf("WaitForSingleObject failed\n");
628
629 GetExitCodeProcess(client->hProcess, &exitCode);
630 if (exitCode == STILL_ACTIVE)
631 {
632 telnetd_printf("user shell still active, attempt to terminate it now...\n");
633
634 if (hEvent != NULL)
635 {
636 if (!CloseHandle(hEvent))
637 telnetd_printf("CloseHandle");
638 }
639 TerminateProcess(client->hProcess, 0);
640 }
641 TerminateProcess(client->hProcess, 0);
642 }
643 TerminateProcess(client->hProcess, 0);
644 }
645
646 /* ErrorExit */
ErrorExit(LPTSTR lpszMessage)647 static VOID ErrorExit (LPTSTR lpszMessage)
648 {
649 fprintf(stderr, "%s\n", lpszMessage);
650 if (bSocketInterfaceInitialised) {
651 telnetd_printf("WSAGetLastError=%d\n", WSAGetLastError());
652 WSACleanup();
653 }
654 ExitProcess(0);
655 }
656
657