Skip to main content

SLAEx86 : Coding a custom TCP Reverse Shell Shellcode for Linux x86 with Assembly

A shell is a small program that takes input from the user and sends it back to operating system and vice versa. In this writeup I will show you how we can create a custom tcp bind shell shellcode. So how does TCP Reverse exploit shell work ?

In a TCP Reverse shell exploit shellcode is more effective than bind shell. It might happen the victim firewall may block the incoming connection. So instead of opening the port at the victim side we will open a port at the attacker side. We ask the victim machine to connect back to us on successfull execution of the shellcode. So we on attacker side will listen for an incoming connection and when the attacker connect to the listening port,  on the victim side it will open up a shell and transfer the control to the attacker. So the attacker now has a shell access to the victims machine and can run any commands.

So there are few points I need to make clear while I write this post
1. The code that I have written went through  lot of  debugging and modification and I am still modifying ( to minimize , to remove bad characters like  PUSH 0x0 can introduce bad characters so I replaced them with something that had the value NULL and then pushed them to on stack like PUSH ECX )

2. Some code which I have written might look STUPID (for example mov eax,edx  followed by mov edx,eax). I just wrote them to remember few things like ( X will always hold Y data before the operation ) and I am optimizing them still to remove them. As I will keep updating my code , I will continue to remove them)

3. I will try to keep the documentation and the details in the code itself , so that I can constantly modify them from the github instead of modifying them twice , i.e here and in the github again.

First we will code the reverse shell with C and later use the same concept using Assembly.
At any point of time we can use man command to look into the API implementation  e.g man socket



TCP Reverse Shell Written in NASM , but this has a drawback ( only connect to hardcoded 127.0.0.1 which we will fix in the next code below this code)

We made some changes from the above code so that it can connect to any IP address

Shellcode with configurable IP and Port



This blog post has been created for completing the requirements of SecurityTube Linux Assembly Expert Certification:
http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: PA-1191

Popular posts from this blog

KringleCon : Sans Holiday Hack 2018 Writeup

SANS HOLIDAY HACK 2018 Writeup , KRINGLECON The objectives  Orientation Challenge  Directory Browsing  de Bruijn Sequences  Data Repo Analysis  AD Privilege Discovery  Badge Manipulation  HR Incident Response  Network Traffic Forensics  Ransomware Recovery  Who Is Behind It All? First I go to Bushy Evergreen and try to solve the terminal challenge . Solving it is fairly easy , Escape_Key followed by  ":q" without quotes After this we move to the kiosk and solve the questions The question were based on the themes of previous Holiday Hack Challenges. Once we answer it correctly we get the flag. For this I visited Minty Candycane and I tried to solve the terminal challenge.  The application has command injection vulnerability , so injecting a system command with the server ip allows execution of the command. So first I perform an `ls` operation to list of the directory contents , followed by a cat of t
Read more

Linux Privilege Escalation : SUID Binaries

After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs SUID - Set User ID The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges. How does a SUID Bit enable binary looks like ? -r- s r-x---  1 hack-me-bak-cracked hack-me-bak         7160 Aug 11  2015 bak How to find all the SUID enabled binaries ? hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null /bin/su /bin/fusermount /bin/umount /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/gpasswd /usr/bin/newgrp /usr/bin
Read more

Bluetooth Low Energy : Build, Recon,Enumerate and Attack !

Introduction In this post I will try to share some information on bluetooth low energy protocol. Bluetooth Low Energy ( BLE ) is Bluetooth 4.0.It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The terms Low Energy refers to multiple distinctive features that is operating on low power and lower data transfer. Code BLE Internals and Working The next thing what we need to know is a profile. Now every bluetooth device can be categorized based on certain specification which makes it easy. Here we will take a close look into two profiles of Bluetooth which is specifically designed for BLE. Generic Access Profile (GAP) - This profiles describes how two BLE devices defines discovery and establishment of connection with each other. There are two types of data payload that can be used. The Advertising Data Payload and Scan Response Payload . The GAP uses br
Read more