
I'm trying to write some custom shellcode to obtain a shell from a program. Looking at the program intermodular calls, I found a call to socket(), and my initial plan was to use that to create a new socket, connect back and spawn a shell.

I am able to get a connection back, but unfortunately when I call CreateProcessA, I don't get any shell.

After the call to socket() I have the socket descriptor in EAX:

[screenshot: debugger register view after the socket() call]

And then, after connect() (which works, I get the connection back on my netcat listener), I call CreateProcessA() and these are the parameters:

[screenshot: CreateProcessA() parameters and the dumped STARTUPINFO structure]

InheritHandles is correctly set to TRUE. On the left panel I have dumped the StartUpInfo structure and as you can see the file descriptor is correctly added for all handles (first 3 bytes of the structure are all set to 200). Also the flag STARTF_USESTDHANDLES is correctly set.

Unfortunately, this doesn't work. What surprises me is that if instead of using the address of the intermodular call to socket(), I use the address of WSASocketA (found using arwin), and without changing anything else (apart from adding the extra null arguments required for WSASocketA), I can get my shell.

I don't understand why this is not happening with socket(); in fact, according to the documentation for the WSA_FLAG_NO_HANDLE_INHERIT flag of WSASocketA:

Create a socket that is non-inheritable.

A socket handle created by the WSASocket or the socket function is inheritable by default. When this flag is set, the socket handle is non-inheritable.

So I assumed that by default it should work with both functions.

I don't know if this is relevant, but I'm testing it against a Windows 7 machine.

  • This isn't really a reverse engineering question. My guess would be that - given you compare WinSock with the socket implementation inherited from BSD - that's your answer right there ... Commented Nov 28, 2019 at 14:36

1 Answer

Windows socket() creates a socket with the WSA_FLAG_OVERLAPPED flag set and inheritable by default.

Windows WSASocket() allows you to specify WSA_FLAG_OVERLAPPED and WSA_FLAG_NO_HANDLE_INHERIT. If you omit both flags to WSASocket(), then the resulting socket will be inheritable and will not have the WSA_FLAG_OVERLAPPED flag set.

Unlike on Unix, a Windows SOCKET is different from file descriptors or pipes. If you pass a socket to Windows CreateProcess using STARTF_USESTDHANDLES, the socket must not have the WSA_FLAG_OVERLAPPED flag set.

You managed to (accidentally) use WSASocket() without flags, so you created an inheritable socket without WSA_FLAG_OVERLAPPED, and that is why it worked for you!
