How to Program a C Backdoor (And Infect Any PC with an USB Key, and Three Seconds) PART III


How to Program a C Backdoor (And Infect Any PC with an USB Key, and Three Seconds) PART III

 


Third party guys !V) EXPLOITATION
To exploit the backdoor you'll need the righ client. Netcat wont be useful, neither do Telnet or ssh.
You'll need the right client ! (kind of security...
Here's the source :
http://pastebin.com/AUESwa8Y
Have fun but be careful.
This is a Windows source, but i'll release the linux source soon.
You can code it yourself too, but you'll have to follow the same "schema" of send/recv calls.
Modify the source to use the right IP adress. Or improve it using [argv]

VI) INFECTION IN THREE SECONDS WITH AN USB STICKThis is the "easy part".
1) Create a folder
2) Get a copy of curl for Windows : http://curl.haxx.se/download.html
3) Copy/Paste curl.exe AND ITS DLL in the folder
4) Copy/Paste your server.exe (post 1) in the folder
5) Copy/Paste your "launcher.exe" (post 2) in the folder
6) Copy/Paste your xml files (post2) in the folder
7) Copy/Paste your keylogger (post3) in the folder
8) Plug your usb sitck to a victim PC
9) Right click on "launcher.exe" and execute as admin
10) PWNED.
VII) Fap Fap Fap

VIII) WARNINGYou might wanna create botnets or things like this, but never forget this is illegal so stay safe. ALWAYS stay safe. Remember, once you pressed enter you can't get back.
And theres no card like this :

IX ADDITIONAL INFOSThe backdoor's code in my fisrt post wasn't really commented cause, It such a pen in the ... to post code up here.
Oh and please, if and admin ( OTW ?) reads this, please can you improve the editor's code ?
So here's more infos :
Sorry for the "uncommented code", it's really a pen in the ass to paste code up here ^^
Here's some précisions :
  • main function : Uses hwnd functions (Windows API) to hide the console window (runs in background)
  • backdoor function :
  • SOCKET and sockaddr are structures that defines the socket (Google it htere's a lot of parameters according to your needs)
  • We initialise WSA (Windows API) then our socket
  • Then we set up our sockets options (which are defined in sockadrr...):
sin.addr... this allows us to specify Ports/Type of socket/Ip adress of server if needed
  • htons() is a cnverting function. It means host-to-network-short. Needed in networking (related to little-endian/big-endian)
  • We bind our newly created socket to a port, so it will use it for outgoing/incomming trafic.
  • Then we told it to listen for incommming connection (server), up to 3 clients
  • Once someone tries to connect, we accept it.
  • We enter an infinite loop !
  • All printf calls are debugging infos in case you want to see them, just delete the "hwnd calls" in main.
  • We receve the commands sent by the client.
  • If it is "chdir" : refer to my third post : we change the backdoor's working directory as system() won't change our backoor's directory but only the system call thread.
  • Then there's some send()/recv() to communicate with client, to know where to chdir
  • Else, we just execute the command. In the client code (cf post 3 to pastebin) the command is concatenated to "> cmd.txt" so once the command is executed on the server, its output is saved to a file (cmd.txt)
  • If this output is Null, it means the command is incorect so we send an error message
  • If it's correct (ret !=0) we read the "cmd.txt" and we send its content to the client so it can read the command output.
For other "bizzare loops" : ex: for(clean=0...), i saw that sometimes the received output was "weird" as it printed the whole buffer and not only the output of my command. It was because the sent/received string was not terminated by the '\0' character. So i manually put it.
And by IP logging service i mean anything that allows you to save the ip of incomming connection : an a php scirpt on a server or just type (ip logger) on gogle, and some servers allows you to save the IP of who clicked your link.
This isn't really a how to, but i'll give a link to a keylogger code i stole womewhere (i dont remeber where, sorry for the author)
Here's the code pasted on... Pastebin ;)
http://pastebin.com/1UayEAyu
Oh and this should be used with the installig program I gave in part two.
XI)EVEN MORE INFOS
  • We get the "system" call output by piping it to "cmd.txt". Then the backdoor read it, and send it to you.
  • BUT there's some issues and sometimes, for ex, "ping command" i don't have a full output
  • Tree command works better than DIR (for the output)
  • Security ? Can anone acess your backdoor ? Yes but it needs the right client (code below)
XII) CHANGE CURRENT DIRECTORY /READ CAREFULLY\
  • This backdoor use the C "system" call. It launch a new thread, then closes when the command ends. So if you use "cd" to change your working directory, this won't work, as the change of directory is only during your thread lifetimes, and it DOES NOT THE WORKING DIRECTORY OF THE BACKDOOR'S PROCESS.
  • So how to change it ?
If you read carefully the code and you also read this article, this means that you're no script kiddie. So you'll see that, to change the process directory I used CHDIR() function wich is a C function AND NOT A SYSTEM CALL. So to change your directory use :
"chdir"
then type your directory

XIII) IDEAS TO IMPROVE THE BACKDOOR
  • Windows' shell is well... limited. There's not as much as possibilites as in a *Nix shell, but you stiill have a big control on the system.
  • You can for example develop VBScripts to have an extended control on the system (like meterpreter one's but it's in ruby)

Aucun commentaire:

Publier un commentaire