SLAE Assignment #1 – TCP Bind Shell

Hey guys, this is post one of seven – describing my solutions for the SLAE course/certification (TCP Bind Shell in x86 Assembly language).

Disclaimer:

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-890

So this one was about coding a typical we-know-it-very-well-from-Metasploit TCP Bind Shell in x86 Assembly language. It’s basically running various syscalls in the correct order with the correct arguments 🙂

The full sources for this shellcode can be found on my github Page!

Let’s start. I’ll give a brief breakdown of the necessary steps to create such bind shell. Please check the source code for more details.

Since I wanted to have an easily configurable bind port, I used the JMP-CALL-POP technique to get the port WORD all the way from the last two bytes of the shellcode. By that, we can easily modify the port in the future, simply by modifying these two bytes.

So, now we’re ready. Let’s create a socket.

Done. fd (file descriptor) gets saved into edi. Next bind this socket to 0.0.0.0 (everywhere) with port 31337. Please note that we use the port stored in bp (which we got with the JMP-CALL-POP technique).

Now that we have a bound socket, we need to setup a listener.

Once a connection to our socket is made (e.g. with nc), we need to accept the request and handle it.

Final bit is duplicating the three system filedescriptors 0 (STDIN), 1 (STDOUT) and 2 (STDERR) to the socket’s fd by using dup2 syscall, followed by calling execve to run our shell /bin/sh (or in our case: /bin//sh).

That’s it! We can now test this with a simple netcat. We connect to localhost port 31337 and receive a shell, which we then use to issue arbitrary system commands (I used my Kali VM to test this, hence the hostname ‘kali’ :-)).

Done! Mission accomplished. See you in the next assignment’s post.