Friday, November 30, 2018

SLAE - Assignment 1 - Bind shell

  • Create a Shell_Bind_TCP shellcode
    • Binds to a port
    • Execs Shell on incoming connection
    • Port number should be easily configurable

The first step is to look at the existing bind shell payload that ships with Metasploit.
Using msfvenom together with sctest (part of libemu) we can emulate the payload and trace the steps it takes:

sudo msfvenom -p linux/x86/shell_bind_tcp R | sudo ./sctest -vvv -Ss 10000 -G Shell_bind.tcp.dot
dot Shell_bind.tcp.dot -Tpng -o Shell_bind.tcp.png

As we can see, the following syscalls are executed:
  • socket
  • bind
  • listen
  • accept
  • dup2 ; #define __NR_dup2 63
  • execve ; #define __NR_execve 11

Searching for socket() leads us to socketcall (#define __NR_socketcall 102), a single syscall that dispatches to the individual socket functions based on its first argument:

http://man7.org/linux/man-pages/man2/socketcall.2.html
socketcall() is a common kernel entry point for the socket system
calls. call determines which socket function to invoke. args points
to a block containing the actual arguments, which are passed through
to the appropriate call.

User programs should call the appropriate functions by their usual
names. Only standard library implementors and kernel hackers need to
know about socketcall().


Besides the syscall numbers already found (dup2 and execve), we still need the socketcall numbers for socket(), bind(), listen() and accept().
They are defined in /usr/include/linux/net.h:

#define SYS_SOCKET 1 /* sys_socket(2) */
#define SYS_BIND 2 /* sys_bind(2) */
#define SYS_LISTEN 4 /* sys_listen(2) */
#define SYS_ACCEPT 5 /* sys_accept(2) */


That completes the list of syscalls for the bind shell:
socket ; #define __NR_socketcall 102, call = 1
bind ; #define __NR_socketcall 102, call = 2
listen ; #define __NR_socketcall 102, call = 4
accept ; #define __NR_socketcall 102, call = 5
dup2 ; #define __NR_dup2 63
execve ; #define __NR_execve 11


Next step would be to translate this to assembly code.

On IA-32 the registers have to be set up as follows before the syscall is invoked:
EAX = System call number
EBX = 1st argument
ECX = 2nd argument
EDX = 3rd argument
ESI = 4th argument
EDI = 5th argument

For hexing and reversing the strings, Python helped me a lot:

For dumping the opcodes, the following command from https://www.commandlinefu.com/commands/view/6051/get-all-shellcode-on-binary-file-from-objdump was used:

Note that the bytes \x04\xd2 are the port number; this is the value you change to whatever port you want (for example with https://hexed.it/). Mind the byte order here: the port is stored big-endian (network order), the reverse of x86's native little-endian.
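The two byte-order conversions the post relies on (the big-endian port in the sockaddr_in and the little-endian dword constants a string such as "/bin/sh" turns into) are easy to get wrong by hand, in both directions: when writing them and when reading them back out of a disassembly or a payload. The following helpers are an added example, not the author's script; the sample port bytes are taken from the post, the path padding rule is an assumption documented in the code.

```python
import struct

# The post states the configured port is stored as the two bytes \x04\xd2.
PORT_BYTES = b"\x04\xd2"


def port_to_bytes(port: int) -> bytes:
    """Encode a TCP port the way sockaddr_in.sin_port stores it: big-endian."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port must fit in 16 bits")
    return struct.pack(">H", port)


def port_from_bytes(data: bytes) -> int:
    """Inverse: recover the port from its two big-endian bytes, e.g. when
    checking which port an unknown payload is configured for."""
    return struct.unpack(">H", data[:2])[0]


def path_to_le_dwords(path: str) -> list:
    """Split a path into 4-byte little-endian integers in memory order.

    Assumption used here: the path is padded to a multiple of 4 bytes with
    extra '/' characters before its final component ("/bin/sh" becomes
    "/bin//sh"), which names the same file because repeated slashes are
    collapsed. When the dwords are pushed onto the stack the list is walked
    from the end, which is the "reversing" the post refers to.
    """
    head, sep, tail = path.rpartition("/")
    if not sep:
        raise ValueError("expected an absolute or relative path containing '/'")
    padding = "/" * (-len(path.encode()) % 4)
    data = (head + sep + padding + tail).encode()
    return [struct.unpack("<I", data[i:i + 4])[0] for i in range(0, len(data), 4)]


def le_dwords_to_string(dwords) -> str:
    """Inverse: rebuild the string from little-endian dword constants as
    they appear in a disassembly (e.g. 0x68732f2f, 0x6e69622f)."""
    return b"".join(struct.pack("<I", d) for d in dwords).decode()


if __name__ == "__main__":
    print("port:", port_from_bytes(PORT_BYTES))
    print("dwords:", [hex(d) for d in path_to_le_dwords("/bin/sh")])
```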

Put this shellcode into the shellcode test harness, then compile and run it (using the script):
./compile.sh bindshell
./shellcode
 Set up a listener and...... success!

