SLAE Assignment #1 – TCP Bind Shell

Hey guys, this is post one of seven – describing my solutions for the SLAE course/certification (TCP Bind Shell in x86 Assembly language).

Disclaimer:

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-890

So this one was about coding a typical we-know-it-very-well-from-Metasploit TCP Bind Shell in x86 Assembly language. It’s basically running various syscalls in the correct order with the correct arguments 🙂

The full sources for this shellcode can be found on my github Page!

Let’s start. I’ll give a brief breakdown of the steps needed to create such a bind shell. Please check the source code for more details.

Since I wanted an easily configurable bind port, I used the JMP-CALL-POP technique to fetch the port WORD from the last two bytes of the shellcode. That way, the port can be changed later simply by modifying these two bytes.

[Screenshot Selection_077: JMP-CALL-POP loading the port word]

So, now we’re ready. Let’s create a socket.

[Screenshot Selection_078: socket syscall]

Done. The returned fd (file descriptor) is saved in edi. Next, bind this socket to 0.0.0.0 (all interfaces) on port 31337. Please note that we use the port stored in bp (which we got with the JMP-CALL-POP technique).

[Screenshot Selection_079: bind syscall]

Now that we have a bound socket, we need to set up a listener.

[Screenshot Selection_082: listen syscall]

Once a connection to our socket is made (e.g. with nc), we need to accept the request and handle it.

[Screenshot Selection_083: accept syscall]

The final bit is redirecting the three standard file descriptors 0 (STDIN), 1 (STDOUT) and 2 (STDERR) to the connected socket’s fd with the dup2 syscall, followed by calling execve to run our shell /bin/sh (or, in our case, /bin//sh: the extra slash pads the path to 8 bytes so it can be pushed as two dwords without a NULL byte).

[Screenshot Selection_084: dup2 and execve syscalls]
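From a defender’s side, the same syscall order (socket, bind, listen, accept, three dup2 calls, execve) is what gives this shellcode away in a syscall trace. The following Python checker is an added example (not code from the post or its github repo): it walks strace-style lines and reports the sequence only when the file descriptors thread through consistently; the trace lines are constructed and merely mimic strace’s output format.

```python
"""Added example (not the post's code): spot the bind-shell syscall sequence
described above in strace-style lines. The trace below is constructed by hand."""
import re
SEQUENCE = ["socket", "bind", "listen", "accept", "dup2", "dup2", "dup2", "execve"]  # one dup2 per fd 0, 1, 2
# Constructed sample: a bind shell on 0.0.0.0:31337 as strace would show it.
SAMPLE_TRACE = """\
socket(AF_INET, SOCK_STREAM, 0)         = 3
bind(3, {sa_family=AF_INET, sin_port=htons(31337), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 0)                            = 0
accept(3, NULL, NULL)                   = 4
dup2(4, 0)                              = 0
dup2(4, 1)                              = 1
dup2(4, 2)                              = 2
execve("/bin//sh", ["/bin//sh"], NULL)  = 0
"""
LINE_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?\d+)")

def parse_trace(text):
    """Yield (syscall, argument string, return value) for each trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def find_bind_shell(text):
    """Return extracted details if the whole sequence appears in order, else None."""
    state, info = 0, {}
    for name, args, ret in parse_trace(text):
        if state >= len(SEQUENCE) or name != SEQUENCE[state]:
            continue                      # unrelated call, keep waiting
        first = args.split(",")[0].strip()
        if name == "socket":
            info["sockfd"] = ret
        elif name in ("bind", "listen", "accept"):
            if int(first) != info["sockfd"]:
                continue                  # acts on some other socket
            if name == "bind":
                port = re.search(r"htons\((\d+)\)", args)
                info["port"] = int(port.group(1)) if port else None
            elif name == "accept":
                info["connfd"] = ret
        elif name == "dup2":
            if int(first) != info["connfd"]:
                continue                  # not redirecting to the connection
            info.setdefault("dup2", []).append(int(args.split(",")[1]))
        elif name == "execve":
            info["program"] = first.strip('"')
        state += 1
    return info if state == len(SEQUENCE) else None
```

On the constructed trace this returns the bound port 31337, the socket/connection fds 3 and 4, the dup2 targets [0, 1, 2] and the program /bin//sh; a trace that never completes the sequence returns None.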

That’s it! We can now test this with a simple netcat. We connect to localhost port 31337 and receive a shell, which we then use to issue arbitrary system commands (I used my Kali VM to test this, hence the hostname ‘kali’ :-)).

[Screenshot Selection_085: netcat test session]

Done! Mission accomplished. See you in the next assignment’s post.
