This blog post has been created to complete the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1290

Assignment:

The assignment consists of creating reverse shell shellcode that connects back to a specific IP and port and executes a shell once the connection is established. The IP and port should also be easily configurable.

The following C program shows how a reverse shell works:

To test the example, we need to listen on a specific port and then run the reverse shell.


As in the previous assignment, we need to work on this to "convert" the high-level instructions into assembly. Most parts are the same, so we are going to focus on the differences: the sockaddr_in structure configuration and the connect syscall.

Regarding the sockaddr_in configuration, here we need to specify both the IP address and the port. This could be problematic when there are zeros in the IP, so I decided to split the IP setting into four different instructions, one for each byte (here I am setting the IP 127.2.2.1 to describe the four instructions). When a zero is encountered that byte is not set, since the IP dword has already been zeroed by pushing a zero register onto the stack. The second difference is that the connect syscall is used instead of bind.
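As an added illustration (not the post's own code), this Python helper encodes the sockaddr_in structure that the C program fills in and reports which bytes of it are zero, which is what motivates writing the address one byte at a time; the function names are my own.

```python
import socket
import struct

# Layout of struct sockaddr_in on 32-bit Linux (16 bytes total):
#   0-1  sin_family  host byte order, AF_INET = 2 -> bytes 02 00
#   2-3  sin_port    network byte order (htons)
#   4-7  sin_addr    network byte order, one byte per octet (inet_addr)
#   8-15 sin_zero    padding, always zero
FIELDS = (("sin_family", 0, 2), ("sin_port", 2, 4),
          ("sin_addr", 4, 8), ("sin_zero", 8, 16))


def sockaddr_in_bytes(ip: str, port: int) -> bytes:
    """Encode ip:port exactly as the structure lands in memory."""
    if not 0 < port < 65536:
        raise ValueError("port must be 1..65535")
    return (struct.pack("<H", int(socket.AF_INET))  # little-endian x86 host order
            + struct.pack("!H", port)               # htons(port)
            + socket.inet_aton(ip)                  # inet_addr(ip)
            + bytes(8))                             # sin_zero


def zero_byte_offsets(blob: bytes) -> list:
    """Offsets of every 0x00 byte in the encoded structure."""
    return [i for i, b in enumerate(blob) if b == 0]


def problem_fields(ip: str, port: int) -> dict:
    """Map each field to the zero-byte offsets it contains.

    A zero inside sin_port or sin_addr is the case the post handles by
    leaving that byte untouched in the already-zeroed dword; sin_family
    always carries one zero (02 00) and sin_zero is expected to be all zero.
    """
    blob = sockaddr_in_bytes(ip, port)
    zeros = zero_byte_offsets(blob)
    return {name: [z for z in zeros if lo <= z < hi] for name, lo, hi in FIELDS}


if __name__ == "__main__":
    for addr in ("127.2.2.1", "127.0.0.1"):
        print(addr, sockaddr_in_bytes(addr, 4444).hex(" "), problem_fields(addr, 4444))
```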

The final assembly program would look like this (setting the IP 127.0.0.1):

Compiling and linking the nasm file, we can obtain the shellcode with objdump.

We can use the shellcode template from the last assignment to test the shellcode.

As a last piece, I created a C program that generates the reverse shell shellcode with the IP and port configurable from the command line.
