标题: sshd for dos 有待测试 [打印本页]
作者: soso 时间: 2016-10-17 22:52 标题: sshd for dos 有待测试
我在网上找到一份ssh服务端的软件,用go语言编写的。
我编译了一份,苦于没有配置好网络,无法测试,现在上传到论坛,供大家测试。
同时问一下各位大神,dos远程控制有什么好的方法。
程序:
http://upload.cn-dos.net/img/2275.7z
源码:
http://upload.cn-dos.net/img/2274.7z
作者: zzz19760225 时间: 2016-10-21 23:20 标题: 2274.7z_gitignore_1~7
id_rsa
id_rsa.pub
### Go ###
# Compiled Object files, Static and Dynamic libs (Shared Objects)
*.o
*.a
*.so
# Folders
_obj
_test
# Architecture specific extensions/prefixes
*.[568vq]
[568vq].out
*.cgo1.go
*.cgo2.c
_cgo_defun.c
_cgo_gotypes.go
_cgo_export.*
_testmain.go
*.exe
*.test
*.prof
### Windows ###
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Windows Installer files
*.cab
*.msi
*.msm
*.msp
### Linux ###
*~
# KDE directory preferences
.directory
作者: zzz19760225 时间: 2016-10-21 23:22 标题: 2274.7z_data_2~7
package main
import (
"fmt"
)
func VESAtoVT100(code byte) string {
colors := []int{0, 4, 2, 6, 1, 5, 3, 7, 0, 4, 2, 6, 1, 5, 3, 7}
bg := colors[(code&0xF0)>>4]
fg := colors[code&0x0F]
return fmt.Sprintf("\x1B[4%d;3%dm", bg, fg)
/*
Set Display Attributes
Set Attribute Mode <ESC>[{attr1};...;{attrn}m
Sets multiple display attribute settings. The following lists standard attributes:
0 Reset all attributes
1 Bright
2 Dim
4 Underscore
5 Blink
7 Reverse
8 Hidden
Foreground Colours
30 Black
31 Red
32 Green
33 Yellow
34 Blue
35 Magenta
36 Cyan
37 White
Background Colours
40 Black
41 Red
42 Green
43 Yellow
44 Blue
45 Magenta
46 Cyan
47 White
*/
}
func CorrectBadChars(in byte) string {
data := []string{" ", "鈽?, "鈽?, "鈾?, "鈾?, "鈾?, "鈾?, "鈥?, "鈼?,
"鈼?, "鈼?, "鈾?, "鈾€", "鈾?, "鈾?, "鈽?, "鈻?, "鈼?, "鈫?, "鈥?, "露", "搂",
"鈻?, "鈫?, "鈫?, "鈫?, "鈫?, "鈫?, "鈭?, "鈫?, "鈻?, "鈻?, " ", "!", "\"",
"#", "$", "%", "&", "'", "(", ")", "*", "+", ",", "-", ".", "/",
"0", "1", "2", "3", "4", "5", "6", "7", "8", "9", ":", ";", "<",
"=", ">", "?", "@", "A", "B", "C", "D", "E", "F", "G", "H", "I",
"J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V",
"W", "X", "Y", "Z", "[", "\\", "]", "^", "_", "`", "a", "b", "c",
"d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p",
"q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "{", "|", "}",
"~", "鈱?, "脟", "眉", "茅", "芒", "盲", "脿", "氓", "莽", "锚", "毛", "猫",
"茂", "卯", "矛", "脛", "脜", "脡", "忙", "脝", "么", "枚", "貌", "没", "霉",
"每", "脰", "脺", "垄", "拢", "楼", "鈧?, "茠", "谩", "铆", "贸", "煤", "帽",
"脩", "陋", "潞", "驴", "鈱?, "卢", "陆", "录", "隆", "芦", "禄", "鈻?, "鈻?,
"鈻?, "鈹?, "鈹?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?,
"鈹?, "鈹?, "鈹?, "鈹?, "鈹?, "鈹€", "鈹?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?,
"鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?, "鈺?,
"鈹?, "鈹?, "鈻?, "鈻?, "鈻?, "鈻?, "鈻€", "伪", "脽", "螕", "蟺", "危", "蟽",
"碌", "蟿", "桅", "螛", "惟", "未", "鈭?, "蠁", "蔚", "鈭?, "鈮?, "卤", "鈮?,
"鈮?, "鈱?, "鈱?, "梅", "鈮?, "掳", "鈭?, "路", "鈭?, "鈦?, "虏", "鈻?, "\n", " "}
return data[uint8(in)]
}
作者: zzz19760225 时间: 2016-10-21 23:23 标题: 2274.7z_gdb_hacks_3~7
package main
import (
"encoding/hex"
"log"
"net"
"strings"
"sync"
"time"
)
var gfb []byte
var UpdateScreenNow chan bool
var Pulling sync.Mutex
func StartPollingGDB() {
UpdateScreenNow = make(chan bool)
gfb = make([]byte, 0)
nic, err := net.Dial("tcp", "localhost:1234")
LazyHandle(err)
for {
select {
case <-time.After(time.Second):
Poll(nic)
case <-UpdateScreenNow:
Poll(nic)
}
}
}
func Poll(nic net.Conn) {
Pulling.Lock()
SendCMD(nic, "$g#67")
for i := 0; i < 2; i++ {
if i == 0 {
SendCMD(nic, "$mb8000,800#5b") // BIOS Framebuffer ranges
} else {
SendCMD(nic, "$mb8800,7a0#93") // BIOS Framebuffer ranges
}
time.Sleep(time.Millisecond * 100) // You may be able to lower this
}
SendCMD(nic, "$k#6b")
Pulling.Unlock()
}
func SendCMD(nic net.Conn, payload string) {
buffer := make([]byte, 25565)
_, err := nic.Write([]byte(payload))
LazyHandle(err)
in, err := nic.Read(buffer)
LazyHandle(err)
// Because I can't seem to figure out WHEN GDB is going to send stuff
// I have to do what you are seeing below, Because the other commands
// I am executing don't go above 1000 bytes output, I can presume that
// anything above 1000 chars is the results of my memory dump. This
// does mean however that we can get a out of order terminal, and that
// does suck, but until I can figure out how to get a consistant output
// it will have to stay like this.
if in > 1000 {
printtext(buffer, in)
}
_, err = nic.Write([]byte("+"))
LazyHandle(err)
}
func LazyHandle(err error) {
if err != nil {
log.Fatalln(err.Error())
}
}
var fbcount int = 0
func printtext(dump []byte, in int) {
realdata := dump[2 : in-3]
GDBSplit := strings.Split(string(realdata), "#")
bin, err := hex.DecodeString(string(GDBSplit[0]))
if err == nil {
for i := 0; i < len(bin); i++ {
gfb = append(gfb, bin[i])
}
}
fbcount++
if fbcount == 2 {
fbcount = 0
log.Println("Sent FB out")
FrameBufferUpdate <- gfb
gfb = []byte{}
}
}
作者: zzz19760225 时间: 2016-10-21 23:24 标题: 2274.7z_README.md_4~7
dos_ssh
=======
Use BIOS ram hacks to make a SSH server out of any INT 10 13h app (MS-DOS is one of those)
You can find a demo Youtube Video here below:
[](http://www.youtube.com/watch?v=2JrugnykXmg)
How to run
=========
* Get a DOS compatible floppy disk image (e.g. from here: http://www.allbootdisks.com/download/dos.html)
* Install golang and qemu, e.g. `sudo apt-get install qemu golang`
* Compile dos_ssh: `go get; go build`
* Start qemu with this image: `qemu-system-i386 -fda Dos6.22.img -boot a -vnc :0 -s`
* Run dos_ssh: `./dos_ssh`
* Connect to ssh server: `ssh localhost -p 2222`
作者: zzz19760225 时间: 2016-10-21 23:25 标题: 2274.7z_server_5~7
package main
import (
"golang.org/x/crypto/ssh"
"github.com/mitchellh/go-vnc"
"log"
"net"
"time"
)
var Keyin chan string // Used to take keys from connections into the VNC connection
func main() {
// Setup the chans
FrameBufferUpdate = make(chan []byte)
Keyin = make(chan string, 100)
FrameBufferSubscribers = make(map[string]chan []byte)
// Start the hub that broadcasts framebuffer updates
go MessageHub(FrameBufferUpdate, FrameBufferSubscribers)
log.Println("Starting GDB client")
go StartPollingGDB()
log.Println("Starting VNC client")
go VNCKeyIn(Keyin)
log.Println("Starting SSH server")
StartSSH()
}
func ServeDOSTerm(channel ssh.Channel) {
go ReadSSHIn(channel)
MyID := randSeq(5)
FBIN := make(chan []byte)
FrameBufferSubscribers[MyID] = FBIN
defer delete(FrameBufferSubscribers, MyID) // Unsubscribe when dead
FB := make([]byte, 0)
for {
FB = <-FBIN
if len(FB) != 4000 {
continue
}
channel.Write([]byte("\x1B[0;0H")) // Reset the cursor to 0,0
outbound := ""
ptr := 0
for ptr < len(FB) {
outbound = outbound + VESAtoVT100(FB[ptr+1])
outbound = outbound + CorrectBadChars(FB[ptr])
ptr = ptr + 2
}
_, err := channel.Write([]byte(outbound))
if err != nil {
return
}
}
}
func ReadSSHIn(channel ssh.Channel) {
buffer := make([]byte, 2)
for {
_, err := channel.Read(buffer)
if err != nil {
return
}
Keyin <- string(buffer[0])
time.Sleep(time.Millisecond * 10)
UpdateScreenNow <- true
time.Sleep(time.Millisecond * 200)
}
}
func VNCKeyIn(Presses chan string) {
vncnic, err := net.Dial("tcp", "localhost:5900")
LazyHandle(err)
vncconn, err := vnc.Client(vncnic, &vnc.ClientConfig{})
LazyHandle(err)
for in := range Keyin {
// We lock here to ensure that we are not about to lock over the key input
Pulling.Lock()
if in == "\r" || in == "\n" { // Enter
vncconn.KeyEvent(uint32(0xFF0D), true)
vncconn.KeyEvent(uint32(0xFF0D), false)
} else if uint8([]byte(in)[0]) == 127 { // Backspace
vncconn.KeyEvent(uint32(0xFF08), true)
vncconn.KeyEvent(uint32(0xFF08), false)
} else {
vncconn.KeyEvent(uint32([]byte(in)[0]), true)
vncconn.KeyEvent(uint32([]byte(in)[0]), false)
}
time.Sleep(time.Millisecond * 25) // Time I would take to wait for input and other stuff
Pulling.Unlock()
}
}
[ Last edited by zzz19760225 on 2016-10-21 at 23:26 ]
作者: zzz19760225 时间: 2016-10-21 23:27 标题: 2274.7z_ssh_6~7
package main
import (
"golang.org/x/crypto/ssh"
"log"
"net"
"time"
)
var FrameBufferUpdate chan []byte
var FrameBufferSubscribers map[string]chan []byte
// Start listening for SSH connections
func StartSSH() {
PEM_KEY := LoadPrivKeyFromFile("./id_rsa")
private, err := ssh.ParsePrivateKey(PEM_KEY)
if err != nil {
log.Fatal("Key failed to parse.")
}
SSHConfig := &ssh.ServerConfig{
PasswordCallback: func(conn ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
perms := ssh.Permissions{}
return &perms, nil
},
PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
perms := ssh.Permissions{}
return &perms, nil
},
}
SSHConfig.AddHostKey(private)
listener, err := net.Listen("tcp", "0.0.0.0:2222")
if err != nil {
log.Fatalln("Could not start TCP listening on 0.0.0.0:2222")
}
log.Println("Waiting for TCP conns on 0.0.0.0:2222")
for {
nConn, err := listener.Accept()
if err != nil {
log.Println("WARNING - Failed to Accept TCP conn. RSN: %s / %s", err.Error(), err)
continue
}
go HandleIncomingSSHConn(nConn, SSHConfig)
}
}
// Wait 10 seconds before closing the connection (To stop dead connections)
func TimeoutConnection(Done chan bool, nConn net.Conn) {
select {
case <-Done:
return
case <-time.After(time.Second * 10):
nConn.Close()
}
}
func HandleIncomingSSHConn(nConn net.Conn, config *ssh.ServerConfig) {
DoneCh := make(chan bool)
go TimeoutConnection(DoneCh, nConn)
_, chans, reqs, err := ssh.NewServerConn(nConn, config)
if err == nil {
DoneCh <- true
}
// Right now that we are out of annoying people land.
defer nConn.Close()
go HandleSSHrequests(reqs)
for newChannel := range chans {
if newChannel.ChannelType() != "session" {
newChannel.Reject(ssh.UnknownChannelType, "unknown channel type")
log.Printf("WARNING - Rejecting %s Because they asked for a chan type %s that I don't have", nConn.RemoteAddr().String(), newChannel.ChannelType())
continue
}
channel, requests, err := newChannel.Accept()
if err != nil {
log.Printf("WARNING - Was unable to Accept channel with %s", nConn.RemoteAddr().String())
return
}
go HandleSSHrequests(requests)
go ServeDOSTerm(channel)
}
}
func HandleSSHrequests(in <-chan *ssh.Request) {
for req := range in {
if req.WantReply {
// Ensure that the other end does not panic that we don't offer terminals
if req.Type == "shell" || req.Type == "pty-req" {
req.Reply(true, nil)
} else {
req.Reply(false, nil)
}
}
}
}
作者: zzz19760225 时间: 2016-10-21 23:28 标题: 2274.7z_util_7~7
package main
import (
"io/ioutil"
"log"
"math/rand"
)
func LoadPrivKeyFromFile(file string) []byte {
privateBytes, err := ioutil.ReadFile(file)
if err != nil {
log.Fatalln("Failed to load private key")
}
return privateBytes
}
func MessageHub(Input chan []byte, Clients map[string]chan []byte) {
for {
inbound := <-Input
for _, v := range Clients {
v <- inbound
}
}
}
var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
func randSeq(n int) string {
b := make([]rune, n)
for i := range b {
b[i] = letters[rand.Intn(len(letters))]
}
return string(b)
}
作者: zzz19760225 时间: 2016-10-21 23:29
在网吧顺便贴一下,莫要谢我。