SLAE Assignment #2 – TCP Reverse Shell

And here we go again! This is post two of seven – describing my solutions for the SLAE course/certification (TCP Bind Shell in x86 Assembly language).

Disclaimer:

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-890

All right. This time we develop a TCP Reverse Shell in x86 Assembly language.

The template for the code was the TCP Bind Shell from the previous blog post. I only had to make minor changes to turn it into a reverse shell 😉

As usual, you’ll find the source code on my github page!

First of all, I had to find a smart (= easy to change later) way to store the connection config parameters (ip and port) in the shellcode, and decided to go a similar way as before, just extending it a bit.

So the last 6 bytes of the shellcode now carry the port (bytes 1-2) and the ip address (bytes 3-6). It looks like this:

[Screenshot: Selection_001]

Next we create our socket (same as in bind shell):

[Screenshot: Selection_002]

We then map the three standard fds STDIN (1), STDOUT (2) and STDERR (3) to the socket’s fd.

[Screenshot: Selection_003]

Looking good. Now the new stuff. We’ll use the socket function connect() to connect to the remote host. Please note the bit of code where we pull the config (ip and port) out of the popped config struct (via ebp!).

[Screenshot: Selection_004]
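To make the config layout and the connect() call concrete from the analyst's side, here is a small Python helper, added here and not part of the original post or its github code: it parses the trailing 6-byte config out of a shellcode blob and shows that those bytes are exactly bytes 2-7 of the struct sockaddr_in that connect() receives, which is what lets the shellcode pop the config straight into the struct. It assumes the port and address are stored in network byte order (what sockaddr_in expects; the screenshots are not reproduced here) and uses a constructed sample blob.

```python
import socket
import struct

CONFIG_LEN = 6          # 2 bytes port + 4 bytes IPv4 address, per the post
AF_INET = 2             # Linux value of AF_INET (host byte order in the struct)

# Constructed sample: NOPs stand in for the real instructions, followed by the
# 6-byte trailer. Assumption: port and address are stored in network byte
# order, i.e. exactly as sockaddr_in wants them (port 4444, 192.168.1.10).
SAMPLE_SHELLCODE = b"\x90" * 16 + b"\x11\x5c" + b"\xc0\xa8\x01\x0a"


def parse_trailer(shellcode):
    """Return (ip, port) from the last 6 bytes of a shellcode blob."""
    if len(shellcode) < CONFIG_LEN:
        raise ValueError("blob is shorter than the 6-byte config trailer")
    trailer = shellcode[-CONFIG_LEN:]
    port = struct.unpack("!H", trailer[:2])[0]   # big-endian = network order
    ip = socket.inet_ntoa(trailer[2:])           # four octets, network order
    return ip, port


def build_sockaddr_in(ip, port):
    """The 16-byte struct sockaddr_in that connect() reads on 32-bit Linux:
    sin_family (2 bytes, host order), sin_port (network order),
    sin_addr (network order), then 8 bytes of zero padding."""
    return (struct.pack("<H", AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ip)
            + b"\x00" * 8)


def trailer_is_sockaddr_tail(shellcode):
    """True if the trailer equals bytes 2..7 of the sockaddr_in built from the
    parsed values: pushing the family word in front of it yields the struct."""
    ip, port = parse_trailer(shellcode)
    return build_sockaddr_in(ip, port)[2:CONFIG_LEN + 2] == shellcode[-CONFIG_LEN:]


def null_byte_offsets(trailer):
    """Offsets of 0x00 bytes in the config. Ports below 256 and addresses with
    a zero octet (e.g. 127.0.0.1) put nulls in the blob, which truncates it
    when it is delivered through a string-copy routine."""
    return [i for i, b in enumerate(trailer) if b == 0]


if __name__ == "__main__":
    ip, port = parse_trailer(SAMPLE_SHELLCODE)
    print(f"callback {ip}:{port}, nulls at {null_byte_offsets(SAMPLE_SHELLCODE[-CONFIG_LEN:])}")
```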

And finally, our old friend execve.

[Screenshot: Selection_005]

That’s it! After setting up a local listener with netcat and running the shellcode, we get a shell served remotely. Pretty handy when hacking a system that’s behind a NAT or Firewall 🙂

[Screenshot: Selection_007]

Thanks for reading! See you in the next assignment blog post.
