This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE64-1434
Target Operating System: 64 bit Linux (x86_64 GNU/Linux)
Assignment 2a:
Create a Shell_Reverse_TCP shellcode that reverse connects to a configured IP address and port. This needs to prompt for the passcode; by this Vivek means that the client sends the passcode, the shell authenticates it, and only execs a shell if the passcode is correct.
GitHub Link: https://github.com/rtaylor777/nasm/blob/master/RevShellPass1434.nasm
Number of bytes = 78
Number of nulls = 0
RevShellPass1434.nasm
Intro
This shellcode, when executed, opens a connection back to a client that is listening on port 4444. Once connected, the client sends a password to the shellcode; the shellcode validates the password and, if it is correct, runs /bin/sh and gives the client an interactive command shell.
Testing
Once you have downloaded the RevShellPass1434.nasm source code from the GitHub link above, you will need to assemble it. Assuming you have the NASM assembler (http://www.nasm.us/):
Assemble:
nasm -felf64 RevShellPass1434.nasm -o RevShellPass1434.o
Link:
ld RevShellPass1434.o -o RevShellPass1434
Run:
./RevShellPass1434
But Wait
Before you run the shellcode you need to make sure that there is a client listening on port 4444, otherwise the shellcode will exit with a segmentation error.
For this you can use the netcat command (nc, ncat):
nc -l -p 4444 127.0.0.1
Then execute the shellcode in another terminal:
Now you need to send the password and if it is correct you can interact with the /bin/sh shell.
Exit the /bin/sh shell on the client and the shellcode will also exit.
Please See
If you are new to shellcode or shellcoding you should start by reading my blog post: http://a41l4.blogspot.ca/2017/01/execvestack1434.html
Also if you are new to Socket programming with assembly language you should start by reading my blog post:
http://a41l4.blogspot.ca/2017/02/assignment-1b.html
Most of the code in this shellcode you have seen before in my earlier blog posts. See:
http://a41l4.blogspot.ca/2017/02/assignment-1a.html
and
http://a41l4.blogspot.ca/2017/02/assignment-2b.html
Discussion
Some efficiencies we are able to gain: in the Read section we don't have to set RDX because it is still set to 16 from where we set it on line 47. Also, in the Execve section, because the lower 4 bytes of our sockaddr structure have been overwritten with the password and the lower 8 bytes of that structure have then been popped into RSI, the upper 8 bytes of the structure, which were all set to 0, are now exposed at the top of the stack. So in the Execve section we can push our string and it will already be NULL terminated, which saves us another byte.
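To make the stack-layout argument above concrete, here is an added byte-level model (not code from RevShellPass1434.nasm) of the 16-byte sockaddr_in, the read that overwrites its start, the pop into RSI, and the push of the path. The 4-byte password "pass" and the path spelling "/bin//sh" are assumptions; the model also shows that the free terminator only survives while the client's data stays within the lower 8 bytes, since the read can write up to 16.

```python
import struct

# Added model of the stack layout discussed above; this is not code from
# RevShellPass1434.nasm. PASSWORD and the path "/bin//sh" are assumed values;
# port 4444 and 127.0.0.1 are the values used in the post.
AF_INET = 2
PORT = 4444
ADDR = "127.0.0.1"
PASSWORD = b"pass"


def build_sockaddr_in() -> bytes:
    """16-byte struct sockaddr_in as it sits on the stack: sin_family (host
    order), sin_port and sin_addr (network order), then sin_zero[8] of zeros."""
    addr = bytes(int(octet) for octet in ADDR.split("."))
    return struct.pack("<H", AF_INET) + struct.pack("!H", PORT) + addr + b"\x00" * 8


def simulate(client_data: bytes, password: bytes = PASSWORD):
    """Replay the Read/Execve sequence on a byte model of the stack.

    Offset 0 of `stack` is RSP. read(sock, RSP, 16) overwrites the start of
    the structure with whatever the client sent (RDX is still 16 from the
    connect call), the low dword is compared with the password, the low
    qword is popped into RSI, and "/bin//sh" is pushed on top of what remains.
    Returns (authenticated, path_terminated, path_seen_by_execve)."""
    stack = bytearray(build_sockaddr_in())
    data = client_data[:16]                # read() writes at most RDX == 16 bytes
    stack[:len(data)] = data
    if bytes(stack[:4]) != password:       # check against the overwritten low dword
        return (False, False, None)
    # pop rsi removes the low qword; the push lands "/bin//sh" right below
    # the former sin_zero bytes, which act as the string terminator.
    stack = bytearray(b"/bin//sh") + stack[8:]
    path = bytes(stack).split(b"\x00", 1)[0]   # what execve reads from RSP
    return (True, path == b"/bin//sh", path)


if __name__ == "__main__":
    print(simulate(b"pass\n"))             # netcat sends the trailing newline
    print(simulate(b"pass" + b"A" * 12))   # 16 bytes clobber sin_zero as well
```

The second call shows the edge case: a 16-byte client message overwrites the zero qword, so the pushed path is no longer terminated and the byte saved in the Execve section depends on the client sending at most 8 bytes.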
Shellcode.c
You may have noticed that up in the Testing section I actually ran the compiled shellcode this time rather than running the linked RevShellPass1434. That was just to demonstrate that I do test my shellcode by running it as shellcode as well as a standalone executable.
If you missed it from my previous blog posts the shellcode.c file is auto generated by my helper scripts. See: http://a41l4.blogspot.ca/2017/02/slae-helper-scripts.html
Summary
RevShellPass1434.nasm requires a password from the client before presenting the /bin/sh shell to it. We have eliminated NULLs and kept our shellcode fairly small.
If you wish to learn more about assembly language, I highly recommend the "SecurityTube Linux Assembly Expert course and certification."
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/