IO::Socket for System Administration of windows 2003 server

Phalanx1 · Feb 19, 2004

Hello all I am finally back online and can finally ask questions.
so i've put together(amalgamated) my own Windows Script Component
using PerlScript and VBscript the perlScript creates a socket or a
port for incoming telnet connections and does commands
based on the interpretation of buffer or sez back
to you what doesn't match a command. it also keeps
processes open and has many bugs in html hta asp jsp it
only causes a problem when you try to shut it down.

Now it doesn't have a problem with perl.exe through perl eighther
.pl's or .plx's, WScript.exe invoked through vbscript
or JScript\JavaScript.

The Documentation for the COM Component is included
inside of it and is avaible through the GHelp Command when you are
connected to it.

IT OPENs PORT 8008 now without authentication on the loopback
so that only you can connect to it.it cannot be communicated
with over the internet, unless you make it so.a hacker couldn't access
it like this through PerlScript

<html><body>
<script language="PerlScript">
$window->Navigate("

http://NameOfComputer:8008");

</script>
</body></html>

on with the real problem i am using the forking windows example script
which create sub processes of the parent and each sub process enters
a SharedInit and which then makes the spawned processes do a call
to the COM which makes the socket on that PID or it destroys the
old port 8008 and reinserts a new port 8008 but again
that is not the problem right now. the problem is that
i want to print out a list of connectable working PIDS and
be able to Connect to it, so the question is does anyone
know how to do this, along with any ideas on how to do that.
for now these will all be admin slots.
HERE is The Source For Both:

this is Telnet.PSNA
(PerlScriptNetAdmin) or my COM Component.
will be even more powerful than it looks now.
like incorparating the script-o-matics, as devious as that sounds; they
make it, we use it. Why can't WE in PERL in pl's pls's and plx's amalgamate it.
stuff like leafs and adsi and file desriptors

use Win32::OLE;
my $WSN = Win32::OLE->new("WScript.Network&quot

;
my $strComputer = "$WSN->ComputerName";
my OLE = Win32::OLE->GetObject("winmgmts:\\\\" $strComputer "\root\Cimv2&quot

CIM and more if necessary...
to attract attention to PERL requiring Win32; as the popular
thing to do

<?xml version="1.0" ?>
<package>
<comment>
Phalanx1 generated COM File
</comment>
<component id="Telnet net Admin">
<?component error="true" debug="true" ?>
<public>
<method name="TelnetSocket"/>
<method name="GetPrt"/>
<method name="GetPrtConns"/>
<method name="NTEVTLGS"/>
</public>
<script id="TPerl.wsc" language="PerlScript">
<![CDATA[
use Memoize;
memoize('TelnetSocket');
sub TelnetSocket {
use IO::Socket;
use IO::Select;
use Win32::OLE;
my $WSN = Win32::OLE->new("WScript.Network&quot

;
# Create a socket to listen on.
my $listener =
IO::Socket::INET->new('127.0.0.1:8008', Listen => 5, Reuse => 1 );
die "Can't create socket for listening: $!" unless $listener;
my $readable = IO::Select->new; # Create a new IO::Select object
$readable->add($listener); # Add the listener to it
while(1) {
# Get a list of sockets that are ready to talk to us.
my ($ready) = IO::Select->select($readable, undef, undef, undef);
foreach my $s (@$ready) {
# Is it a new connection?
if($s == $listener) {
#Accept the connection and add it to our readable list.
my $new_sock = $listener->accept;
$readable->add($new_sock) if $new_sock;
$CUser = $WSN->UserName;
$YComp = $WSN->ComputerName;
print $new_sock "###### Welcome $CUser from Computer: $YComp ##### \r\n";
print $new_sock "These are the Current Systems variables.\r\n";
$Shell = Win32::OLE->new("WScript.Shell&quot

;

@vars = $Shell->Environment("SYSTEM&quot

;

foreach $item (Win32::OLE::in(@vars)) {
print $new_sock "$item\r\n";
}
print $new_sock "Current Commands are: \r\n Quit Ghelp EVNTS Dir ChkDsk ChkRoot\r\n GetPrt GetPrtConns GIP CNet INet Net . CWork PID \r\n";
}
else { # It's an established connection
my $buf = <$s>; # Try to read a line
# Was there anyone on the other end?
if( defined $buf ) {
# If they said quit, close the socket. If not,
# do corresponding command or echo what they said to us.
if ($buf =~ /Quit/i) {
print $s "See you later!\n";
$readable->remove($s);
$s->close;
}
elsif ($buf =~ /Ghelp/i) {
print $s "Current Commands are: \r\n Quit : Closes your session\r\n GHelp : Get Help \r\n EVNTS: Backs up All Win32_NTEventLogFiles(to C:\BACKUP.LOG)\r\n and then Clears them\r\n Dir : like ls/dir command but the will become \r\n system folders files checker\r\n ChkDsk : runs Check Disk Utility with -f \r\n ChkRoot : returns 0 or 1 if C:\ is the root directory \r\n GetPrt : Get the Win32_PortResource description of each port on your system \r\n GetPrtConns : Gets the win32_PortConnectors description of each port \r\n GIP : Get IP runs ipconfig -all \r\n CNet : Shows NET Commands syntax \r\n INet : use IE to\r\n go to any site you wish \r\n Net .* : if you don't understand perl;\r\n then it is NET any old junk\r\n(any CNet syntax style command)\r\n CWork : type this as CWork.htm \r\nadd the .htm extension \r\n or .mht or .hta extensions \r\n PID : shows the PID of the program \r\n";
}
elsif ($buf =~ /GIP/i) {
my @IP = `ipconfig -all` or die "No Such Command: $!";
print $s "@IP";
}
elsif ($buf =~ /Dir/i) {
chdir "C:/" or die "cannot chdir to root Directory: $!";
@Dirs = `dir`;
foreach $Dir (@Dirs) {
chomp $Dir;
print $s "$Dir \r\n";
}
chdir "C:/Progra~1/Common~1/Micros~1" or die "cannot Find Microsofts Shared Files Folder: $!";
#Are You A Server Check For A
#Web Server Extensions Folder
#there is Probably a better way
@Dirs = `dir`;
foreach $Dir (@Dirs) {
chomp $Dir;
print $s "$Dir \r\n";
}
chdir "C:/Windows" or "C:/winnt" or die "Mabye not windows: $!";
@Dirs = `dir`;
foreach $Dir (@Dirs) {
chomp $Dir;
print $s "$Dir \r\n";
}
}
elsif ($buf =~ /CNet/i) {
my $Netchk = "NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |\r\n HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT |\r\n SEND | SESSION | SHARE | START | STATISTICS |\r\n STOP | TIME | USE | USER | VIEW ]";
print $s "$Netchk\r\n";
}
elsif ($buf =~/net .*/i){
chomp $buf;
my @Command =`$buf`;
foreach (@Command) {
chomp;
chop;
print $s "$_\r\n";
}
}
elsif ($buf =~ /ChkRoot/i) {
$chk = chdir "C:/" or die "can't find C:\ $!";
print $s "$chk \r\n";
}
elsif ($buf =~ /CWork/i) {
my $File_With_Ext = $buf;
chomp $File_With_Ext;
print $s "$File_With_Ext almost done.\r\n";
open CWork, ">>C:/docume~1/Admini~1/Desktop/$File_With_Ext" or die "Can't Open a FileHandle: $!";
print CWork '<html><head><title>Test Environment</title></head><body bgcolor="black" text="ffffff"><h1>For PhantomX Developers.</h1><input type="button" onclick="VBExec()" value="Execute VBScript"><textarea id="EVBS"></textarea><br><input type="button" onclick="PSEval" value="Eval PerlScript"><textarea id="EPS"></textarea><br><input type="button" onclick="JSEval()" value="Eval JScript"><textarea id="EJS"></textarea></body><script language="VBScript">Function VBExec() : Execute(document.getElementById("EVBS&quot

.innerText) : End Function </script><script language="PerlScript">sub PSEval {eval($window->document->getElementById("EPS&quot

->innerText);}</script><script language="JavaScript">function JSEval() {eval(document.getElementById("EJS&quot

.innerText);}</script></html>' or die "can't write to filehandle: $!";
use HTML::TreeBuilder;
my $tree = HTML::TreeBuilder->new();
$tree->parse_file(CWork);
$html = $tree->as_HTML or die "Can't Parse: $!";
print $s "checking ...$html..( File Done. ) \r\n";
$tree->delete;
close CWork;
}
elsif ($buf =~ /PID/i) {
@PIDS = $$;
foreach $pid (@PIDS){
print $s "$pid \r\n";
}
}
elsif ($buf =~ /INet/i) {
$buf =~ s/INet//; #remove INet and go to the

http://www.the_site_you_wish_to_go_to.com

use Win32::OLE;
my $IE = Win32::OLE->new('InternetExplorer.Application');
$IE->{'Visible'} = 1;# if you want to see what's going on
$IE->Navigate("about:blank&quot

;# in other words go to any site...
}
elsif ($buf =~ /eval .*/i) {
$buf =~ s/eval//;
eval($buf);
}
elsif ($buf =~ /GetPrt/i) {
&GetPrt;
}
elsif ($buf =~ /GetPrtConns/i) {
&GetPrtConns;
}
elsif ($buf =~ /EVNTS/i) {
&NTEVTLGS;
}
else {
print $s "You said: $buf \r\n";
}
}
else { # The client disconnected.
$readable->remove($s);
$s->close;
print STDERR "Client Connection closed\n";
}
}
}
}
}
]]>
</script>
<script language="VBScript">
<![CDATA[
sub GetPrt()
On Error Resume Next
Dim strComputer
Dim objWMIService
Dim propValue
Dim colItems

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2&quot

Set colItems = objWMIService.ExecQuery("Select * from Win32_PortResource",,48)
For Each objItem in colItems
MsgBox("Alias: " & objItem.Alias & vbCRLF & "Caption: " & objItem.Caption & vbCRLF & "CreationClassName: " & objItem.CreationClassName & vbCRLF & "CSCreationClassName: " & objItem.CSCreationClassName & vbCRLF & "CSName: " & objItem.CSName & vbCRLF & "Description: " & objItem.Description & vbCRLF & "EndingAddress: " & objItem.EndingAddress & vbCRLF & "InstallDate: " & objItem.InstallDate & vbCRLF & "Name: " & objItem.Name & vbCRLF & "StartingAddress: " & objItem.StartingAddress & vbCRLF & "Status: " & objItem.Status)
Next
End Sub
Sub GetPrtConns()
On Error Resume Next
Dim strComputer
Dim objWMIService
Dim propValue
Dim colItems

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2&quot

Set colItems = objWMIService.ExecQuery("Select * from Win32_PortConnector",,48)
For Each objItem in colItems
MsgBox("Caption: " & objItem.Caption & vbCRLF & "ConnectorPinout: " & objItem.ConnectorPinout)
for each propValue in objItem.ConnectorType
MsgBox("ConnectorType: " & propValue)
next
MsgBox("CreationClassName: " & objItem.CreationClassName & _
vbCRLF & "Description: " & objItem.Description & vbCRLF & _
"ExternalReferenceDesignator: " & objItem.ExternalReferenceDesignator & _
vbCRLF & "InstallDate: " & objItem.InstallDate & vbCRLF & _
"InternalReferenceDesignator: " & objItem.InternalReferenceDesignator & _
vbCRLF & "Manufacturer: " & objItem.Manufacturer & vbCRLF & "Model: " & _
objItem.Model & vbCRLF & "Name: " & objItem.Name & vbCRLF & _
"OtherIdentifyingInfo: " & objItem.OtherIdentifyingInfo & vbCRLF & _
"PartNumber: " & objItem.PartNumber & vbCRLF & "PortType: " & _
objItem.PortType & vbCRLF & "PoweredOn: " & objItem.PoweredOn & vbCRLF & _
"SerialNumber: " & objItem.SerialNumber & vbCRLF & "SKU: " & _
objItem.SKU & vbCRLF & "Status: " & objItem.Status & vbCRLF & "Tag: " & _
objItem.Tag & vbCRLF & "Version: " & objItem.Version)
Next
End Sub
Sub NTEVTLGS()
set LogFileSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup)}&quot

.ExecQuery("select * from Win32_NTEventLogFile&quot

For each Logfile in LogFileSet
RetVal = LogFile.BackupEventlog("c:\BACKUP.LOG&quot

if RetVal = 0 then MsgBox("Log Backed Up&quot

RetVal = LogFile.ClearEventlog()
if RetVal = 0 then MsgBox("Log Cleared&quot

Next
End Sub
]]>
</script>
<registration progid="Telnet.PSNA" classid="{E2BFEBC6-9586-415F-8DBA-31378EFB9D23}" description="Telnet NET Admin" version="1.5">
</registration>
</component>
</package>

and this is the Forker run this in a debugger like Script Debugger
or primalScript to see what really is going on.

Telnet.pl
use strict;
use warnings;

use constant CLIENTS => 32;
use constant DEBUG => 1;
$|=1; #buffering a bad idea when fork()ing

my @kids=();
my $pid=$$;
my $parentpid=0;

#script starts here
SharedInit();

Forker(CLIENTS);

if ($parentpid) {
Work();
}
else { #the original parent only does cleanup duty
Reaper();
}

warn "$$ exiting\n" if DEBUG;

if ($parentpid) {
#kids exit here
exit(0);
}
else {
#parent exits here
exit(0);
}
die; #wont happen

sub Forker {
my $clients=shift;
my $i=0;
while ($i++ < $clients) {
my $newpid = fork();
if (! defined $newpid) { #hosed
die "fork() error: $!\n";
}
elsif ($newpid == 0) { #child
$parentpid = $pid;
$pid = $$;
#don't inhert the kids
warn "$$ child of $parentpid\n" if DEBUG;
last;
}
else { #parent (defined $newpid)
#@kids = ();#
warn "$$ spawned $newpid\n" if DEBUG;
push(@kids, $newpid);
}
}
}

sub SharedInit {
warn "Entering SharedInit()\n" if DEBUG;

}

sub Work {
warn "$$ Entering Work() and is ready for connection \n" if DEBUG;
#use Win32::OLE;
#my $Telnet = Win32::OLE->new("Telnet.PSNA&quot

;
#$Telnet->TelnetSocket();
warn "in task $$\r\n $!" if DEBUG;
#never Prints unless run in script debugger and caught as output
}

sub Reaper {
while (my $kid = shift(@kids)) {
warn "$$ to reap $kid\n" if DEBUG;
my $reaped = waitpid($kid,0);
unless ($reaped == $kid) {
warn "waitpid $reaped: $?\n" if DEBUG;
}
}
}

__END__

use POSIX ":sys_wait_h";
do {
$kid = waitpid(-1,&WNOHANG);
}

until $kid == -1;

the output of this is different when you remove the ### 3 tags
reap isn't called on any process and no process exits after work is
started unless errors occurs of course...

example output with tags there
Entering SharedInit()
4948 spawned -3848
4948 spawned -1732
4948 spawned -5052
4948 spawned -3324
4948 spawned -4516
4948 spawned -1520
-3848 child of 4948
-3848 Entering Work() and is ready for connection
-3848 exiting
4948 spawned -4348
4948 spawned -5992
4948 spawned -5804
4948 spawned -4484
4948 spawned -2976
-1732 child of 4948
4948 spawned -656
4948 spawned -4072
-1732 Entering Work() and is ready for connection
4948 spawned -4784
4948 spawned -5520
4948 spawned -3972
4948 spawned -4920
-1732 exiting
4948 spawned -2576
4948 spawned -632
4948 spawned -4600
4948 spawned -3060
4948 spawned -992
4948 spawned -3800
4948 spawned -5752
4948 spawned -2612
4948 spawned -2876
4948 spawned -952
4948 spawned -4196
4948 spawned -2120
4948 spawned -4856
4948 spawned -3160
4948 spawned -2528
4948 to reap -3848
4948 to reap -1732
4948 to reap -5052
-5052 child of 4948
-5052 Entering Work() and is ready for connection
-5052 exiting
4948 to reap -3324
-4516 child of 4948
-4516 Entering Work() and is ready for connection
-4516 exiting
-3324 child of 4948
-3324 Entering Work() and is ready for connection
-3324 exiting
4948 to reap -4516
4948 to reap -1520
-1520 child of 4948
-1520 Entering Work() and is ready for connection
-1520 exiting
4948 to reap -4348
-5992 child of 4948
-5992 Entering Work() and is ready for connection
-5992 exiting
-4348 child of 4948
-4348 Entering Work() and is ready for connection
-4348 exiting
4948 to reap -5992
4948 to reap -5804
-4484 child of 4948
-4484 Entering Work() and is ready for connection
-4484 exiting
-5804 child of 4948
-5804 Entering Work() and is ready for connection
-5804 exiting
4948 to reap -4484
4948 to reap -2976
-2976 child of 4948
-2976 Entering Work() and is ready for connection
-2976 exiting
4948 to reap -656
-4072 child of 4948
-4072 Entering Work() and is ready for connection
-4072 exiting
-656 child of 4948
-656 Entering Work() and is ready for connection
-656 exiting
4948 to reap -4072
4948 to reap -4784
-5520 child of 4948
-5520 Entering Work() and is ready for connection
-5520 exiting
-4784 child of 4948
-4784 Entering Work() and is ready for connection
-4784 exiting
4948 to reap -5520
4948 to reap -3972
-4920 child of 4948
-4920 Entering Work() and is ready for connection
-4920 exiting
-3972 child of 4948
-3972 Entering Work() and is ready for connection
-3972 exiting
4948 to reap -4920
4948 to reap -2576
-632 child of 4948
-632 Entering Work() and is ready for connection
-632 exiting
-2576 child of 4948
-2576 Entering Work() and is ready for connection
-2576 exiting
4948 to reap -632
4948 to reap -4600
-3060 child of 4948
-3060 Entering Work() and is ready for connection
-3060 exiting
-4600 child of 4948
-4600 Entering Work() and is ready for connection
-4600 exiting
4948 to reap -3060
4948 to reap -992
-3800 child of 4948
-3800 Entering Work() and is ready for connection
-3800 exiting
-992 child of 4948
-992 Entering Work() and is ready for connection
-992 exiting
4948 to reap -3800
4948 to reap -5752
-5752 child of 4948
-5752 Entering Work() and is ready for connection
-5752 exiting
4948 to reap -2612
-2612 child of 4948
-2612 Entering Work() and is ready for connection
-2612 exiting
4948 to reap -2876
-2876 child of 4948
-2876 Entering Work() and is ready for connection
-2876 exiting
4948 to reap -952
-4196 child of 4948
-4196 Entering Work() and is ready for connection
-4196 exiting
-952 child of 4948
-952 Entering Work() and is ready for connection
-952 exiting
4948 to reap -4196
4948 to reap -2120
-4856 child of 4948
-4856 Entering Work() and is ready for connection
-4856 exiting
-2120 child of 4948
-2120 Entering Work() and is ready for connection
-2120 exiting
4948 to reap -4856
-2528 child of 4948
-2528 Entering Work() and is ready for connection
-2528 exiting
-3160 child of 4948
-3160 Entering Work() and is ready for connection
-3160 exiting
4948 to reap -3160
4948 to reap -2528
4948 exiting
Exit code: 0 , 0000h

and now with the tags not there...

Entering SharedInit()
3680 spawned -1680
3680 spawned -1316
3680 spawned -4884
3680 spawned -1132
3680 spawned -5384
3680 spawned -5028
3680 spawned -4568
3680 spawned -4136
3680 spawned -252
3680 spawned -5732
3680 spawned -4040
3680 spawned -3456
3680 spawned -4420
3680 spawned -3516
3680 spawned -4220
3680 spawned -3668
3680 spawned -3896
3680 spawned -4408
3680 spawned -3488
3680 spawned -4208
3680 spawned -5788
3680 spawned -5652
3680 spawned -2748
3680 spawned -5128
3680 spawned -5148
3680 spawned -2504
3680 spawned -4504
3680 spawned -4532
3680 spawned -764
3680 spawned -5144
3680 spawned -2416
3680 spawned -5224
3680 to reap -1680 <-no idea why that happened!!!!
-1680 child of 3680
-1680 Entering Work() and is ready for connection port 8008
-4884 child of 3680
-4884 Entering Work() and is ready for connection d8008c8008
-1316 child of 3680
-1316 Entering Work() and is ready for connection .
-5384 child of 3680
-5384 Entering Work() and is ready for connection .
-1132 child of 3680
-1132 Entering Work() and is ready for connection .
-4568 child of 3680
-4568 Entering Work() and is ready for connection .
-5028 child of 3680
-5028 Entering Work() and is ready for connection .
-252 child of 3680
-252 Entering Work() and is ready for connection .
-4136 child of 3680
-4136 Entering Work() and is ready for connection .
-5732 child of 3680
-5732 Entering Work() and is ready for connection .
-4040 child of 3680
-4040 Entering Work() and is ready for connection .
-4420 child of 3680
-4420 Entering Work() and is ready for connection .
-3456 child of 3680.
-3456 Entering Work() and is ready for connection .
-4220 child of 3680
-4220 Entering Work() and is ready for connection .
-3516 child of 3680
-3516 Entering Work() and is ready for connection .
-3896 child of 3680
-3896 Entering Work() and is ready for connection .
-3668 child of 3680
-3668 Entering Work() and is ready for connection .
-3488 child of 3680
-3488 Entering Work() and is ready for connection .
-4408 child of 3680
-4408 Entering Work() and is ready for connection .
-5788 child of 3680
-5788 Entering Work() and is ready for connection .
-4208 child of 3680
-4208 Entering Work() and is ready for connection .
-5652 child of 3680
-5652 Entering Work() and is ready for connection .
-2748 child of 3680
-2748 Entering Work() and is ready for connection .
-5128 child of 3680
-5128 Entering Work() and is ready for connection .
-2504 child of 3680
-2504 Entering Work() and is ready for connection .
-5148 child of 3680
-5148 Entering Work() and is ready for connection .
-4532 child of 3680
-4532 Entering Work() and is ready for connection .
-4504 child of 3680
-4504 Entering Work() and is ready for connection .
-764 child of 3680
-764 Entering Work() and is ready for connection
-5144 child of 3680
-5144 Entering Work() and is ready for connection .
-2416 child of 3680
-2416 Entering Work() and is ready for connection .
-5224 child of 3680
-5224 Entering Work() and is ready for connection d8008c8008

d8008c8008 d=destroy c=Create in other words it ends on the last pid
created. mabye we can use this to our advantage.

needless to say i waited 2 days on my windows 2003 server
that is not connected to the internet as of the writing of this
and it still did not exit or have any more reaps
(this is with me using it on and off and of course adding more
and changing the port as to not effect it).

One Idea is:

[autoincrement the port on each PID] then designate each port to a
specific pseudo Task that will be a emulated honey pot
with no functionality except memoized datatable returns all powerful
command will be removed and replaced with emulated versions printing
false information but looks correct and all the while each command
they do the more info we will pull or the more we can do to them.
so of course it wont work unless you have used the
actual non-honeypot version of it. the honey pots will collect
and store any hack attemp by retrieving the http header. registry info
like current IP address username computername mabye we will issue
the blaster like Win32::initiateSystemShutDown() with this info,
that says save all current data becuase and then send an abort
with the message don't try it again!
except that of GetPrt, and GetPrtConn and others secluded
for security reasons(obviously net .* will be removed...)
this version will have to Win32::MsgBox(its port in some way)
need help here to and only be activate once on a
random ProcessID and random port from 8008-8040 or (8008+31 separate
dummie ports and 8039 + 1 AdminPort.
something like this

use Win32::OLE qw( 'in' );
foreach $$ ( in(`Perl.exe`) ) {
my $listener =
IO::Socket::INET->new(IO::Socket::INET->new('127.0.0.1:' .+ 8000 .+ 8++, Listen => 5, Reuse => 1 );
die "Can't create socket for listening: $!" unless $listener;
...

Please tell me if You
don't understand some of this. copy and paste the section and
i will try to explain it better...

Phalanx1.

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

IO::Socket for System Administration of windows 2003 server

Phalanx1

Programmer

Similar threads

Part and Inventory Search

Sponsor