Skip to main content

Reverse TCP Shellcode x86 - SLAE Assignment 0x2

Reverse TCP Shellcode - Linux x86  (Null free[assuming port no. to be null free]/PI)
Before we start , I would like to bring your attention to this SLAE course from securitytube which will help you learn Shellcoding - http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

AGENDA : :
1. Introduction to Reverse Shell
2. Analysis of Reverse Shell
3. Writing Reverse Tcp Shellcode
4. Wrapper Script to generate shellcode with custom ip and port 

1. Introduction to Reverse shell

Reverse Shell
 :-
With a reverse shell,target system connects back your system.Your system has a listener port on which it receives the connection back from the target system.


2. Analysis of Metasploit Reverse Shell through Libemu


 From above diagram it is clear that main syscalls are :
 socket,,dup2,connect and execve 

3. Writing Reverse TCP Shellcode

 Lets look for syscalls number and arguements from following link :
 http://man7.org/linux/man-pages/man2/socketcall.2.html



Let's start writing :
For socket,dup2 and execve -Check my last post here which contains explanation of these sys calls .
We will only discuss Connect sys call because rest all are derived or taken from bind shell (last post) .

SYS_CONNECT
For Connect :
EAX should contain socket call number i.e 0x66
EBX should contain SYS_CONNECT sys call number i.e 0x3
ECX should contain (s, (struct sockaddr *)&sa, sizeof(sa))
So FInally connect(s, (struct sockaddr *)&sa, sizeof(sa));

[x] All together ;)
Let's compile using my script and test the shellcode .



4. Wrapper Script to generate shellcode with custom ip and port

I have written a wrapper script to change port and ip for generating reverse_tcp shellcode . (Poor , ugly ,messed code but solves the purpose :p PS: Sorry,I am not a good programmer :( )

[x] C code here - https://github.com/hexachordanu/SLAE/blob/master/Assignment-2/shellcode.c
[x] reverse_tcp.nasm - https://github.com/hexachordanu/SLAE/blob/master/Assignment-2/reverse_tcp.nasm [73 bytes]
[x] Wrapper Script to change port can be found here - https://github.com/hexachordanu/SLAE/blob/master/Assignment-2/reverse_tcp_generator.sh
Proof of Concept :



This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student-ID: SLAE-1219

Comments

Popular posts from this blog

Review of Pentester Academy - Attacking and Defending Active Directory Lab

Few months ago I didn't know what Active Directory is, and why should I care about it and never heard about ACL abuse and all. Although I had attended a BPAD (Breaking and Pwning Active Directory) training which was provided by Nullcon but I was not confident enough to go for this course exam, since my day-today activity involves VAPT stuffs related to Web/Network/Mobile and sometimes basic malware analysis (very basic one :p).  I started doing offshore lab and took help from some friends in understanding few Active Directory concepts. I did many silly mistakes during the lab and learned a lot. Meanwhile I registered for Active Directory Lab Course and got it in a discounted offer for first 50 students of about 11k INR  ( 1 mont lab access) :). Before wasting time any further let's dive into the review. The course -  https://www.pentesteracademy.com/activedirectorylab Certification - Certified Red Team Professional The Course Content  - After paying the course fee,

Backdoring PE files using code caves : OSCE/CTP Module 0x03 (OSCE Preparation)

Hello Readers, This post will cover Backdooring of P.E file by using code caves . There are already good tools to do this for you eg. Backdoor Factory and Shelter which will do the same job and even bypass some static analysis of few antiviruses . I will be covering the manual approach of backdooring a PE file . Let's understand some terms : [x] PE file : The Portable Executable (PE) format is a file format for executables, object code, and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. [x] Code Cave : Wikipedia says - "A code cave is a series of null bytes in a process's memory. The code cave inside a process's memory is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script." [x] Shellcode : Wikipedia - &qu

Hacking Thick Clients – Authorization Bypass

Hello Readers, This post will be focused on setting up a vulnerable thick client application and finding vulnerabilities. The blog post is an unofficial part of the on going series of post by NetSPI. NetSPI has released a vulnerable thick client app called BetaFast which has two versions - BetaBank and BetaFast based on 2-tier and 3-tier architecture respectively. The app is coded by Austin Altmann  and he is writing the walk-through series. Note: At the time of writing this blog, the walk-through/write-up for authorization bypass vulnerability was yet to be published by NetSPI and therefore I decided to create this blog post. All the credit for developing and maintaining this app goes to Austin and NetSPI team. You can find some of the cool write-ups here . Let's start. Setting up Betafast - 1. Download the files from github -  https://github.com/NetSPI/BetaFast  . 2. Extract and open the .sln file with