(HELP) Windows Reverse tcp connection shellcode inside Code-cave


Hello guys
hope you all doing good :slight_smile:

I’m trying to create a windows reverse tcp connection shellcode using direct call to the windows API to use it inside Code-Cave . using ollydebugger

what I understand is the following:
to create a reverse connection shellcode you need:
4-CreateProcess() with cmd.

The connection (socket) part works fine with me and I open netcat on my attacking machine and works fine I got connection :smiley:
But my problem in CreateProcess() with cmd :rage: here is what I did :slightly_smiling_face::

I split the shellcode into two parts because long:

Connection part:
Part 1 Image

CreateProcess part:

Here is when Calling CreateProcess():

And I got this error after calling it:
> ERROR_NO_MORE_FILES (00000012)

I tried to change the Argument (ModuleFileName) to the path of cmd.exe and remove (cmd) from (CommandLine) argument , the execute complete fine and I got no error but I don’t Receive any shell on my attacking machine :pensive:

I even trace the “shell_reverse_tcp” of metasploit and it use the same arguments I use in Createprocess() and works fine , The only diffrenet I guss that it use LoadLibrary() to load the dll responsple for the socket and get the function address by name , but for me the dll which is ws2_32.dll is already loaded and I search for the address of the function I want in that dll and call it.

Please Help

(Command-Line Ninja) #2

@dtm WinAPI God + Windows Reverser Summoned.


Does it connect? Also, it doesn’t look like you provided a loop to send and receive to and from the socket.


yes it does , I don’t need a loop to send and receive , I’m sending a cmd.exe over socket , similar to netcat


call CreateProcess() with cmd , and make the stdin,stdout,stderror = socket file descriptor


when I use a C++ version of the shellcode above it works fine and I got shell on my attacking machine


How will you get the input and output if you don’t use a send and receive loop? Show me the C++ code?

(system) #8

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.